Publications & Advisories (2025-05-19)

Selected U.S. Privacy & Cyber Updates

DOJ Settles False Claims Act Case with MORSECORP over Cybersecurity Program

On March 26, 2025, the U.S. Department of Justice (DOJ) announced that it had reached an agreement with MORSECORP Inc. to settle alleged violations of the False Claims Act, specifically involving MORSE's cybersecurity program. The DOJ and MORSE—a government contractor that provides services to the Departments of the Army and Air Force—agreed to a settlement of $4.6 million, with 18.5% ($851,000) of the settlement agreement provided to the whistleblower who brought the FCA case.

Additional Cybersecurity Requirements of NYDFS Part 500 Take Effect Today

On May 1, 2025, additional enhanced cybersecurity controls required by the Second Amendment to the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR Part 500) take effect. Although the Second Amendment was originally adopted in November 2023, the NYDFS established a multiyear rollout of the Second Amendment's requirements, implementing several tranches from November 2023 through November 2025.

Arkansas Enacts Children and Teens' Online Privacy Protection Act

On April 21, 2025, Arkansas Governor Sarah Huckabee Sanders signed into law the Arkansas Children and Teens' Online Privacy Protection Act, which will take effect on July 1, 2026. It draws on the proposed federal Children and Teens' Online Privacy Protection Act (COPPA 2.0) and provides stronger privacy protections for Arkansas children under 13 and teens aged 13 to 16. The Act continues the trend of state-level efforts to extend to older teens the online privacy protections that the federal COPPA has traditionally offered only to children under 13.

FTC Publishes Amendments to COPPA Rule

On April 22, 2025, the FTC published the finalized amendments to the Children's Online Privacy Protection Rule, which impose additional restrictions on website and online service operators that collect personal information from children under the age of 13. The amendments become effective on June 23, 2025. Operators subject to the COPPA Rule will have until April 22, 2026 to comply with the additional requirements. The new requirements for organizations offering safe harbor programs have earlier compliance deadlines, ranging from 90 days to six months from the amendments' publication.

State Regulators Form Privacy Law Implementation and Enforcement Group

On April 16, 2025, the California Privacy Protection Agency (CPPA) announced that eight state regulators have established a coalition called the Consortium of Privacy Regulators to collaborate on the implementation and enforcement of their privacy laws. According to announcements from the CPPA and California Attorney General Rob Bonta, the consortium aims to coordinate enforcement efforts, share priorities, and discuss developments in privacy law.

Court Enjoins Enforcement of California Age-Appropriate Design Code Act

On March 13, 2025, the Northern District of California granted a preliminary injunction preventing the California attorney general (AG) from enforcing the California Age-Appropriate Design Code Act (CAADCA). The decision followed the California AG's agreement to delay the enforcement of CAADCA until April 5, 2025. As of now, the California AG has not announced whether his office will appeal the injunction.

FCC Announces New National Security Unit Focusing on State-Sponsored Cyber Threats

On March 13, 2025, FCC Chairman Brendan Carr announced the creation of a Council on National Security, with Adam Chan serving as its director. The new council will be composed of eight bureaus and offices within the FCC and will "leverage the full range of the Commission's regulatory, investigatory, and enforcement authorities to promote America's national security and counter foreign adversaries." Notably, the FCC specifically indicated that the council would focus "particularly [on] the threats posed by the People's Republic of China and the Chinese Communist Party."

California Attorney General Targets Location Data in New Investigative Sweep

On March 10, 2025, California AG Rob Bonta announced a new investigative sweep under the California Consumer Privacy Act focused on location data. We have anticipated this sweep for some time, given the focus and direction of a number of inquiries, investigations, and enforcement proceedings initiated by Bonta's office over the past 12–24 months.

California Attorney General Delays Enforcement of CAADCA Amid Legal Challenge

On March 4, 2025, the California AG announced a further delay in the enforcement of CAADCA until April 5, 2025. Initially operative on July 1, 2024, CAADCA's enforcement had already been postponed to March 6, 2025 due to a trade association's challenge to the statute's validity. This second postponement comes as businesses await the district court's decision on the trade association's motion for a preliminary injunction to prevent the AG from enforcing CAADCA.

New York Passes Health Privacy Law – Your Questions Answered

The New York state legislature passed the New York Health Information Privacy Act (NYHIPA) on January 22, 2025, making New York the second state to pass a comprehensive consumer health data law. If signed into law, the NYHIPA will impose more stringent obligations on organizations that handle "regulated health information."

Congress Seeks Comments on Comprehensive Federal Data Privacy Law

Since the first comprehensive state data privacy law went into effect in California in 2020, 18 other states have enacted comprehensive data privacy laws, with 14 others currently moving through their state legislative process. These state laws are proliferating at a breakneck pace and leaving in their wake regulated entities grappling with a complex web of disparate requirements. While there is currently no federal standard to override this patchwork of state laws, on February 12, 2025, the House Committee on Energy and Commerce announced the creation of a Privacy Working Group. The Privacy Working Group is now seeking stakeholder input on its efforts through a request for information published on February 21, 2025.

Ghost (Cring) Ransomware: Understanding the Threat & How Enterprises Can Defend Themselves

On February 19, 2025, the Cybersecurity and Infrastructure Security Agency, in collaboration with the FBI and the Multi-State Information Sharing and Analysis Center, issued a joint cybersecurity advisory on the growing threat of Ghost (Cring) ransomware. Active since early 2021, this ransomware group has targeted organizations in over 70 countries, exploiting unpatched software, weak credentials, and outdated security configurations to infiltrate enterprise networks.

Ransom Payments at a Historic Low According to Report

On February 4, 2025, Coveware Inc. released its quarterly ransomware report for the fourth quarter of 2024 and identified that the percentage of victims paying ransoms fell to a historic low of 25%. While the average amount of a payment in Q4 2024 rose 16% quarter over quarter to $553,959, the median amount dropped a significant 45% to $110,890. The median is generally a better indicator of the market because it is not skewed by very high or low payments.

Selected Global Privacy & Cybersecurity Updates

UK Data Protection Regulator Fines UK Law Firm ~$80,000 Following Ransomware Incident

On April 14, 2025, the UK data protection regulator, the Information Commissioner's Office (ICO), fined DPP Law £60,000 (approximately $80,000) following a ransomware incident. For the first time, the ICO has commented on the issue of a delay in notifying a personal data breach. The ICO considered that DPP's failure to notify the ICO of the personal data breach within 72 hours was an aggravating factor and increased its fine.

UK Government Publishes Cyber Governance Code of Practice for Boards and Directors

On April 8, 2025, the UK government published the Cyber Governance Code of Practice to support board directors in governing cybersecurity risk. The code is available online. The ICO is actively investigating and, in some instances, fining companies for personal data breaches caused by cybersecurity failures, so it is more important than ever for board directors to engage with and mitigate cyber risk.

UK's Data Protection Regulator Fines a UK SaaS Provider ~$4 Million Following a Ransomware Incident

On March 26, 2025, the ICO fined Advanced Computer Software Group Ltd £3.07 million (approximately $4 million). In its penalty notice, the ICO found that Advanced failed to implement appropriate technical and organisational measures required by the UK GDPR.

European Commission Moves to Extend Free Flows of Personal Data to the UK

On March 18, 2025, the European Commission proposed to extend its adequacy decision in favor of the UK for an additional six-month period. This would allow free flows of personal data from the EU to the UK to continue until December 2025. The existing adequacy decision – which was adopted in 2021 in light of the UK's departure from the European Union – is currently due to expire on June 27, 2025.

Belgian Data Protection Authority Issues Updated Guidance on Direct Marketing Rules

On March 10, 2025, the Belgian Data Protection Authority (BDPA) updated its 2020 guidance on the processing of personal data for direct marketing purposes. The BDPA reviewed its original guidance to help companies from all sectors navigate applicable EU privacy and data protection law requirements in view of recent technological and legal developments.

