ARTICLE
14 May 2025

Privacy, Cyber & Data Strategy Advisory | First 100 Days – Federal Privacy And Cybersecurity Regulation And Enforcement Under The Second Trump Administration


Executive Summary

Our Privacy, Cyber & Data Strategy Team highlights the shift in priorities for privacy and cybersecurity regulation and enforcement across U.S. agencies under the second Trump Administration. 

  • Enforcement actions appear likely to decrease due to staffing reductions and efforts by Trump appointees to limit enforcement priorities to more traditional areas
  • Efforts to remove regulation and barriers to competition may result in changes to a wide range of privacy regulations
  • Agencies may be less likely to engage in regulation and enforcement based on novel theories outside clear statutory authority

With the first 100 days of the second Trump Administration now completed, changes to regulatory and enforcement priorities related to privacy and cybersecurity across a number of key agencies have begun to take shape. This includes leadership changes and announcements at the Federal Trade Commission (FTC), the Department of Health and Human Services (HHS), the Securities and Exchange Commission (SEC), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Communications Commission (FCC). While much uncertainty remains, early efforts have aligned with the Trump agenda to reduce the size of the federal workforce, eliminate regulations that may hamper U.S. companies' ability to compete, and refocus agencies on traditional (versus novel) enforcement priorities. This will likely result in a substantial shift from the regulatory landscape under the Biden Administration. However, federal enforcement will continue, and the Trump Administration's desire to rein in the influence of Big Tech may lead to increased scrutiny in particular areas.

Federal Trade Commission

Substantial changes in enforcement and regulation are expected at the FTC following the departure of former Chair Lina Khan. In a leaked two-page document sent to the incoming Trump Administration, then-Commissioner Andrew Ferguson emphasized several key areas of focus in his bid to become chair. These included repealing “burdensome regulations,” fostering American innovation, ending the FTC's attempts to regulate artificial intelligence (AI), fighting “wokeness,” and stopping “unlawful censorship” by Big Tech through consumer protection or antitrust enforcement. He also positioned himself as a “Trump-aligned Chairman” willing to terminate uncooperative bureaucrats within the agency and take on “entrenched left-wing ideologues at the FTC.” The pitch was successful. Ferguson, who previously served as an FTC commissioner (since April 2024), the solicitor general for the commonwealth of Virginia, and a clerk for Justice Clarence Thomas, took over as chair on January 20, 2025.

While Ferguson voted in favor of numerous privacy-related enforcements since joining the FTC, his memo to President Trump indicates that he intends to “[s]top abusing FTC enforcement authorities as a substitute for comprehensive federal privacy legislation” and end “novel and legally dubious consumer protection cases,” instead focusing on demanding “honesty and fairness to consumers.” In a statement about an enforcement action against location data brokers prior to becoming chair, Ferguson criticized the other commissioners for erroneously viewing the FTC Act, which bans unfair or deceptive business practices, as “a comprehensive privacy law.” “Comprehensive privacy regulation involves difficult choices and expensive tradeoffs. Congress alone can make those choices and tradeoffs,” he wrote.

Regarding Big Tech, Ferguson has stated: “I think all of Big Tech is going to remain under the microscope. I can at least speak for the Federal Trade Commission. We've got cases involving Amazon and Meta, I care deeply about these cases. They're very important. I intend to continue prosecuting them to continue holding Big Tech's feet to the fire.” In the FTC's Amazon Prime deceptive-practices case, Ferguson stepped in hours after the FTC attorney requested a delay due to resource constraints. “I have made it clear since Day One that we will commit the resources necessary for this case,” Ferguson told CNBC. On April 21, 2025, the commission announced that it was filing a similar deceptive-practices case against Uber, alleging that the rideshare and delivery company charged consumers for its Uber One subscription service without their consent, failed to deliver promised savings, and made it difficult for users to cancel the service despite its “cancel anytime” promises.

Ferguson has also launched a public inquiry into “censorship” by Big Tech, explaining that the inquiry will “help the FTC better understand how these firms may have violated the law by silencing and intimidating Americans for speaking their minds.” Ferguson has subsequently indicated that he believes censorship by dominant platforms could fall under the commission's antitrust or consumer protection purview.

Given the statements of Ferguson, and those of Commissioners Melissa Holyoak and Mark Meador, FTC privacy enforcement as a whole is likely to tick down. However, enforcement related to fraud and misrepresentations about how an entity handles, protects, or sells data is likely to continue. At an ABA privacy conference in February, Holyoak stated that we should expect to see a “back to the basics” approach from the FTC in fraud enforcement, which will likely shape how the agency approaches data privacy and cybersecurity. Companies need to “do what you say and say what you do.” For example, there are some indications that online data brokers may be able to transfer consumer location data as long as the consumer was provided meaningfully informed consent to the collection and sale of that data.

Additionally, children's privacy continues to be a bipartisan issue, not just at the FTC but also in both blue states and red states. Enforcement actions related to children's privacy have been filed by cross-ideological coalitions of state attorneys general and in individual cases filed in California, Texas, New York, and New Jersey. The FTC's Children's Online Privacy Protection Rule (COPPA Rule) is specifically supported by statute, so it is less controversial than other FTC privacy rules that some believe lack a statutory basis. At the recent IAPP Global Privacy Summit, Holyoak reemphasized that enforcement of the COPPA Rule will continue to be a priority for the agency.

On April 22, 2025, the FTC finalized amendments to the COPPA Rule, which will start to take effect in June. Ferguson, who voted in favor of the amendments as a commissioner before Trump took office, had voiced concerns about the amendments' lack of clarity and the risk of unintended adverse outcomes. Despite these concerns, Ferguson opted to approve the amendments' publication in the Federal Register. Among other things, the amendments will (1) expand the scope of personal information protected under the COPPA Rule to include biometric identifiers; (2) require operators to obtain separate verifiable parental consent before disclosing personal information collected from children for purposes that are not “integral” to operators' websites or online services; and (3) mandate that operators establish, implement, and maintain a written information security program and a written data retention policy.

Based on past bipartisan consensus, enforcement related to failure to maintain proper safeguards for the collection, retention, and disclosure of personal information is also likely to continue, though it remains to be seen how much of a priority this will be in the Ferguson FTC. However, we may see a decrease in enforcement actions that result in prescriptive cybersecurity controls, such as phishing-resistant multifactor authentication (MFA), asset inventory and end-of-life management, and information security programs informed by periodic risk assessments, which we saw frequently under Khan. Additionally, at least for now, the breach notification requirements under the Gramm–Leach–Bliley Act Safeguards Rule remain in effect. Under that rule, financial institutions subject to FTC jurisdiction are required to report data breaches that impact 500 or more individuals to the FTC.

Despite these areas of agreement with past practice, other significant shifts in enforcement and regulation are likely under Ferguson. The FTC is unlikely to regulate AI as strictly, with enforcement and regulation limited to misrepresentations regarding the capabilities of AI tools or the use of AI tools to act deceptively, as seen with Sitejabber and Operation AI Comply. The commission has also launched a public inquiry into the impact of federal regulations on competition, with the goal of identifying and reducing anticompetitive regulatory barriers. Based on public comments, the FTC may reconsider existing data privacy regulations as a potential barrier to competition. However, it remains unclear how the FTC will handle personalized algorithmic pricing (also referred to as surveillance pricing). The outgoing FTC released a preliminary Section 6(b) staff study on surveillance pricing in January, indicating that retailers frequently use people's personal information to set targeted, tailored prices for goods and services. Ferguson and Holyoak dissented from the study's preliminary release but noted that they had joined the decision to launch the Section 6(b) inquiry six months prior. This suggests that the Ferguson FTC may be willing to take action on surveillance pricing in the future, especially as it relates to the Trump Administration's enforcement priorities involving Big Tech.

Health and Human Services

On January 6, 2025, the outgoing HHS issued a notice of proposed rulemaking to amend the security standards for the protection of electronic protected health information (ePHI) under HIPAA (the Security Rule). The Proposed Rule marks the first significant changes to the regulations since their inception over 20 years ago and eliminates the distinction between “addressable” and “required” standards. While the “addressable” classification enabled flexibility in meeting the safeguards, under the Proposed Rule HIPAA-regulated entities would be required to comply with all security standards (with limited exceptions).

Among other changes, the Proposed Rule would require enhanced administrative safeguards, including the creation and maintenance of a written inventory of technology assets and a network map, each of which must be updated at least once every 12 months. Covered entities would have to conduct full risk assessments, including both gap assessments and risk analyses, and assign categories to the potential impact of each identified risk. The Proposed Rule would also require entities to review patch management processes at least once every 12 months; verify timely installation of patches, updates, and upgrades to information systems; and implement a contingency plan that meets certain requirements.

The Proposed Rule would also impose new requirements for both technical and physical safeguards. On the technical side, entities would have to implement network segmentation, employ MFA for systems containing ePHI, use a secure encryption algorithm for all ePHI (with limited exceptions), and conduct vulnerability testing every six months and penetration testing every 12 months. Additionally, the Proposed Rule would clarify the definition of “workstation” to include mobile devices (such as tablets and smartphones). Entities would now be required to address the physical characteristics of workstations that can access ePHI in their procedures and policies, including the movement and removal of such workstations within and outside the facility.

For business associates, the Proposed Rule would require that they notify a covered entity within 24 hours when a workforce member's access to ePHI or certain electronic information systems is changed or terminated. Business associate agreements would also have to include a provision stating that a business associate must notify a covered entity of activation of its contingency plan without unreasonable delay but no later than 24 hours after activation.

It is unclear whether the Proposed Rule will be finalized in 2025 since the rule was proposed under the prior Administration. On January 20, 2025, President Trump signed an Executive Order directing agencies to refrain from proposing or issuing any rule until a Trump appointee reviews and approves the rule. The order also directs agencies to consider postponing the effective date of any rules that have been issued but not yet taken effect, which includes notices of proposed rulemaking. This would likely delay the finalization of the Proposed Rule.

Despite this uncertainty related to the Proposed Rule, it appears that the new Administration is continuing the risk analysis initiative that was launched by the HHS Office for Civil Rights last year to investigate covered entities' compliance with the risk assessment requirements under the current Security Rule. Under HHS's guidance on risk analysis, organizations should focus their risk assessments on identifying (1) the ePHI created, received, maintained, or transmitted; (2) any external sources of ePHI received; and (3) the human, environmental, and natural threats that present a risk to ePHI. To date, there have been at least seven enforcement actions and settlements through the risk analysis initiative, including two in 2025. Based on the available information for the settlements with several entities (Bryan County Ambulance Authority; Elgon Inc.; Virtual Private Network Solutions; Northeast Surgical Group P.C.; Health Fitness Corporation; Northeast Radiology P.C.; and Guam Memorial Hospital Authority), an organization that is found to have failed to conduct an accurate and thorough risk analysis in compliance with the Security Rule can expect to (1) be monitored by HHS for one to three years; and (2) implement a corrective action plan, in addition to paying a monetary penalty to be determined by HHS.

In 2025, HHS will likely continue pursuing enforcement actions through the HIPAA Security Rule risk analysis initiative, with the failure to conduct a comprehensive and accurate risk analysis likely to remain the most common HIPAA violation resulting in a financial penalty. However, under Secretary Robert F. Kennedy, Jr., HHS has seen significant cuts to both staffing and spending, with thousands of employees laid off in recent months. Additionally, Congress and the Trump Administration are considering budget cuts to HHS of more than 30%. Together, these decreases in resources across HHS may impact the agency's ability to pursue enforcement actions related to the Security Rule.

Securities and Exchange Commission

During fiscal year 2024, the SEC filed 583 enforcement actions. While this represented a 26% decline in the number of actions compared with the previous year, the commission obtained a record $8.2 billion in financial remedies. This included a record $6.1 billion in disgorgement and prejudgment interest and $2.1 billion in civil penalties, the second-highest figure on record.

Substantial changes in organization and enforcement policy are already underway at the SEC under the second Trump Administration. On March 10, 2025, the SEC issued a Final Rule revoking the previous delegation of authority to the director of the Division of Enforcement to issue formal orders of investigation in order to “increase effectiveness by more closely aligning the Commission's use of its investigative resources with Commission priorities.” As a practical effect, the commission will now control when SEC staff are authorized to issue subpoenas in connection with investigations.

Reports also suggest that the General Services Administration has terminated the leases for the SEC's larger regional offices in Philadelphia and Los Angeles (though the reported termination of the lease on the SEC's Chicago office was subsequently reversed). Then-Acting Chair Mark Uyeda also notified employees that the SEC will revise its enforcement organization, with enforcement staff now reporting to deputy directors for the West, Northeast, or Southeast, as well as a deputy director for specialized units. Additionally, exam staff in regional offices will report to new associate directors, with the apparent goal of streamlining the reporting structure and addressing management challenges.

In February 2025, the commission announced the creation of the Cyber and Emerging Technologies Unit (CETU) to “focus on combatting cyber-related misconduct and to protect retail investors from bad actors in the emerging technologies space.” Replacing the Crypto Assets and Cyber Unit, the CETU will comprise approximately 30 fraud specialists and attorneys across multiple SEC offices and be led by SEC veteran Laura D'Allaird. In introducing the new unit, the SEC indicated the CETU will focus on seven key priority areas related to securities transactions: (1) fraud committed using emerging technologies, such as AI and machine learning; (2) the use of social media, the dark web, or false websites to perpetrate fraud; (3) hacking to obtain material nonpublic information; (4) takeovers of retail brokerage accounts; (5) fraud involving blockchain technology and crypto assets; (6) regulated entities' compliance with cybersecurity rules and regulations; and (7) fraudulent disclosure by public issuers relating to cybersecurity.

These priorities suggest that the SEC will continue to pursue enforcement actions like those previously instituted for AI washing claims, defrauding investors in a social media startup, and hacking to obtain material nonpublic information about corporate earnings. Additionally, the CETU priorities indicate that the SEC is still likely to enforce requirements such as Regulation S-P and Regulation S-ID. Companies should maintain updated policies and procedures addressing these and other rules since there will still be examinations relating to them.

Following the swearing in of Chair Paul Atkins on April 21, 2025, further changes in enforcement priorities are likely. Atkins is expected to steer the commission's enforcement priorities away from supervisory failures (such as the off-channel communications settlements) and toward situations involving documented investor harm. Further, based on Atkins's Senate testimony, we can expect the SEC to be focused on reducing regulatory burdens – especially on digital-asset issuers – and engaged in a broader deregulation of digital assets and financial technology.

Despite these shifts in priorities, the SEC has made clear that it still intends to conduct routine enforcement actions and examinations. Nevertheless, there has been a notable shift in tone from SEC commissioners. For example, Uyeda has noted that the enforcement division will “facilitate capital formation and market efficiency by clearing the way for innovation to grow.” So, although there will be regulatory shifts that align more broadly with the overall goals of the current Administration, it is unlikely that we will see dramatic non-enforcement of SEC priorities.

Cybersecurity and Infrastructure Security Agency

There is also significant uncertainty around the future of CISA. The Trump Administration has let go more than 130 CISA employees as part of broader cuts to staff across the Department of Homeland Security. It is also expected that 30%–40% of CISA employees will be let go or subject to deferred retirement in the near future. The impact of these cuts is not yet clear, though some, including Representative Eric Swalwell (D-CA), ranking member of the House Subcommittee on Cybersecurity and Infrastructure Protection, have expressed concern that these cuts may impact CISA's threat hunting, vulnerability management activities, and election security work.

During this time of upheaval at and surrounding the agency, CISA is also facing the impending sunset of the Cybersecurity Information Sharing Act of 2015 (CISA Act). Unless Congress acts, the statute is set to expire on September 30, 2025. Currently, the Act provides companies with incentives to share information about ongoing cybersecurity threats with the federal government, with the goal of strengthening U.S. cybersecurity defenses. The statute also protects companies from legal or regulatory punishment when voluntarily sharing certain information with the government. In recent years, these protections have been used to share information regarding the SolarWinds cyberattack, the Volt Typhoon and Salt Typhoon operations, and other state-sponsored attacks from threat actors in Russia and North Korea, for example. This information can also be shared through sector-based Information Sharing and Analysis Centers (ISACs). Without the protections currently afforded to companies sharing this type of information, the risk of backlash increases, and we would anticipate fewer companies will be as open to sharing without an extension of the CISA Act.

While Congress has not yet taken action, there is growing awareness of the need to act before the current authorization expires. The House Committee on Homeland Security discussed the renewal of the CISA Act during a January 22, 2025 hearing on assessing global cyber-threats to the United States. More recently, Senators Gary Peters (D-MI) and Mike Rounds (R-SD) introduced a bipartisan bill to extend provisions of the CISA Act for an additional 10 years. Organizations such as the American Bankers Association have submitted comment letters, urging Congress to extend the CISA Act because the “voluntary information sharing framework has been instrumental in strengthening our collective defense against cybersecurity threats.”

At the same time, the agency is also facing an October 4, 2025 deadline to issue a final rule under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Former President Joe Biden signed CIRCIA into law in March 2022. On March 27, 2024, CISA published a notice of proposed rulemaking implementing CIRCIA. The Proposed Rule requires covered entities to report “substantial cyber incidents” within 72 hours and ransomware payments within 24 hours. Covered entities under the Proposed Rule include entities in a critical infrastructure sector that either exceed the small-business-size standard (as defined by the Small Business Administration) or meet one or more of the specific sector-based criteria in the rule. CISA estimates more than 300,000 entities will be covered by CIRCIA.

If a covered entity fails to comply with the proposed CIRCIA reporting requirements, CISA can pursue administrative penalties, separate and apart from any penalties assessed by state and local governments. If CISA believes the entity has experienced a covered event that was not reported, it can issue a request for information. If a covered entity fails to respond to a request for information, CISA may follow with a subpoena as necessary to compel disclosure. CISA can also refer matters to the Attorney General for civil proceedings if a company disregards a subpoena. The issuance of a subpoena is appealable to the director of CISA. CISA may provide information submitted in response to a subpoena to the Attorney General or the head of a federal regulatory agency if CISA determines that the facts relating to the cyber-incident or ransom payment may constitute grounds for criminal prosecution or regulatory enforcement action.

While the second Trump Administration has not yet indicated its position on the proposed CIRCIA rule, a group of financial institutions sent a letter to Secretary of Homeland Security Kristi Noem and Office of Management and Budget Director Russell Vought in February urging them to rescind and reissue the Proposed Rule. If the Proposed Rule under CIRCIA is adopted by the Trump Administration, the reporting requirements will likely not take effect until 2026.

Federal Communications Commission

FCC Chair Brendan Carr has signaled that the agency remains focused on responding to threats posed by “foreign adversaries,” including the People's Republic of China (PRC) and the Chinese Communist Party (CCP). In late October 2024, U.S. authorities confirmed that a group of PRC-sponsored hackers, dubbed “Salt Typhoon” by security researchers, had infiltrated numerous U.S. telecommunications companies, including systems involved in court-authorized network wiretapping requests and monitoring of internet traffic. On March 13, 2025, Carr announced a new Council on National Security within the FCC, with Carr's national security counsel, Adam Chan, serving as its first director. The council will focus on (1) reducing trade and supply chain dependencies on foreign adversaries within the U.S. technology and telecommunications sectors; (2) mitigating U.S. vulnerabilities to cyberattacks, espionage, and surveillance by foreign adversaries; and (3) ensuring strategic competition with the PRC over critical technologies, such as 5G and 6G, AI, satellites and space, quantum computing, robotics and autonomous systems, and the Internet of Things. Carr subsequently announced that the council is spearheading an investigation into the “U.S. operations of CCP-aligned businesses whose equipment or services the FCC previously placed on its Covered List based on determinations that those equipment or services pose unacceptable risks to America's national security.”

Practical Considerations for Companies

Companies should continue to closely assess their privacy and cybersecurity posture to ensure it meets the cybersecurity requirements of their primary federal regulator(s). Although we are seeing workforce reductions, as evidenced by recent HHS, FTC, SEC, and CISA activity, enforcement has not yet slowed.

Even with a potential shift in enforcement priorities, at the FTC for example, companies should take steps to make sure their public statements on cybersecurity and privacy are aligned with their actual practices. Even if the FTC stops bringing novel consumer protection actions to regulate privacy and cybersecurity, having security protections and controls that do not match stated practices is a clear avenue for the FTC to seek enforcement as a deceptive practice. This type of enforcement is likely to remain within the bounds of the agency's stated priorities, and we certainly expect state regulators to step in and fill any voids left by a reduction in federal enforcement.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
