Publications & Advisories
- January 31, 2025 – Kathleen Benway, Maki DePalo, Jennifer Everett, and Hyun Jai Oh published “Privacy, Cyber & Data Strategy Advisory | FTC Finalizes Amendments to COPPA Rule.”
- January 16, 2025 – Kate Hanniford, Brian Frey, Eileen Scofield, Nilofer Dowden, and Andrew Rice published “Privacy, Cyber & Data Strategy / Immigration Advisory | North Korean IT Remote Worker Fraud Scheme Data Security and Employment Law Impact.”
- January 15, 2025 – Kim Peretti, Cara Peterman, and Lance Taubin published “Five Steps for Effective Board Oversight on Cybersecurity Breach Response” in Cybersecurity Law Report.
- December 10, 2024 – Wim Nauwelaerts, Kelly Hagedorn, and Alice Portnoy published “Privacy, Cyber & Data Strategy Advisory | D-Day for the EU Cyber Resilience Act.”
Selected U.S. Privacy & Cyber Updates
State AGs Publish Guidance on How State Laws Apply to AI
On December 24, 2024 and January 13, 2025, the Oregon Attorney General’s (AG’s) Office and the California AG’s Office published advisories explaining how existing statutes may be used to regulate, investigate, and enforce against artificial intelligence (AI). These advisories serve to remind AI developers, suppliers, and users of heightened regulatory scrutiny of AI and of potential regulatory enforcement tools. This blog post briefly summarizes the authorities that the Oregon and California AGs have identified as potential vehicles for AI regulation and enforcement and provides key takeaways for each.
On January 14, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released the AI Cybersecurity Collaboration Playbook to provide guidance to organizations within the AI community (including AI providers, developers, and adopters) to voluntarily share AI-related cybersecurity information with CISA and its partners through the Joint Cyber Defense Collaborative. To combat AI-related cybersecurity threats and enhance the cybersecurity resilience of AI systems, the playbook encourages organizations to incorporate its recommendations into their existing practices.
In January 2025, a new generative AI large language model called DeepSeek was publicly launched by two Chinese entities, the Hangzhou and Beijing DeepSeek Artificial Intelligence Basic Technology Research Cos. Ltd. DeepSeek is currently driving headlines claiming it represents a “Sputnik moment” in AI development. As companies evaluate DeepSeek, it remains prudent to consider potential obstacles that could arise from recent data-related regulations passed in the United States that are designed to broadly restrict the availability of U.S.-person data to Chinese organizations.
In the final week of the Biden Administration’s term in office, former President Biden issued two high-profile Executive Orders that could have significant ramifications for the cybersecurity and technology industries. The first, issued on January 14, 2025, is Advancing United States Leadership in Artificial Intelligence Infrastructure. The second, issued on January 16, 2025, is Strengthening and Promoting Innovation in the Nation’s Cybersecurity.
Texas AG Files Complaint Against Major Insurance Company Regarding Data Practices
On January 13, 2025, Ken Paxton, the Texas AG, filed a complaint against a large insurance entity and its subsidiary company. The complaint outlines alleged violations of the Texas Data Privacy and Security Act.
FTC Announces Proposed Settlement with GoDaddy Incorporating Prescriptive Cybersecurity Requirements
On January 15, 2025, the Federal Trade Commission (FTC) announced a proposed settlement with GoDaddy Inc. for making false or misleading representations about its security practices in violation of Section 5 of the FTC Act.
FTC Finalizes COPPA Rule Amendments
On January 16, 2025, the FTC voted 5–0 to approve the finalized amendments to the Children’s Online Privacy Protection Rule that would offer additional privacy safeguards for children under the age of 13.
Top 10 Takeaways from California AG’s Health Care AI Advisory
On January 13, 2025, California AG Rob Bonta issued an advisory describing providers’ and businesses’ obligations for the development, sale, and use of AI and automated decision systems in the health care industry. The advisory puts health care providers, insurers, and businesses serving the health care industry on notice of the AG’s heightened scrutiny of AI and the variety of potential enforcement options available to the AG related to AI systems.
Key Points for DHS Playbook for Public Sector GenAI Deployment
On January 7, 2025, the Department of Homeland Security (DHS) released its first “Playbook for Public Sector Generative Artificial Intelligence Deployment” to serve as a comprehensive guide for DHS and other public sector organizations to responsibly integrate GenAI into their operations. The playbook emphasizes the importance of deploying AI technologies in a manner that is responsible, trustworthy, and effective.
OFAC Announces Sanctions Against Chinese-Based Cybersecurity Company
On January 3, 2025, the Department of the Treasury’s Office of Foreign Assets Control announced sanctions on a China-based cybersecurity company, Integrity Technology Group Inc. These sanctions were in response to Integrity Tech’s “role in multiple computer intrusion incidents against U.S. victims.”
New York Amends Data Breach Notification Law with Immediate Implications
In late December 2024, the New York governor signed two bills (S2659B and S2376B) amending the state’s data breach notification law to expand the definition of “reportable personal information” and impose new covered entity reporting obligations in the event of a data breach.
The D.C. Circuit’s TikTok Decision Could Portend Greater Regulation of Chinese-Owned Apps
On December 6, 2024, the U.S. Court of Appeals for the D.C. Circuit upheld the constitutionality of the Protecting Americans from Foreign Adversary Controlled Applications Act. The Act, signed into law by President Biden on April 24, 2024, prohibits the “distribution or maintenance” in the U.S. of applications controlled by ByteDance, TikTok’s China-based parent. The Act also allows the President to subject other applications to the prohibition if he determines the company that owns the application is “controlled by a foreign adversary” and “presents a significant threat to … national security.”
CPPA Opens Formal Public Comment Period for CCPA Proposed Regulations
On November 22, 2024, the California Privacy Protection Agency issued a notice of proposed rulemaking and opened the formal comment period for its proposed regulations on updates to existing California Consumer Privacy Act (CCPA) regulations, cybersecurity audits, risk assessments, automated decision-making technology, and the applicability of the CCPA to insurance companies.
Department of Homeland Security Releases Recommended Framework for AI in Critical Infrastructure
On November 14, 2024, DHS announced a set of voluntary recommendations called the “Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure.” Recognizing the severe consequences associated with disruption to the nation’s critical infrastructure, DHS released the framework to address certain risks associated with the use of AI across critical infrastructure sectors.
Selected Global Privacy & Cybersecurity Updates
First Milestone in the Implementation of the EU AI Act
The AI Act is the European Union’s comprehensive legal framework on AI that aims to promote the responsible development and use of artificial intelligence in the EU. The timeline for implementation of the AI Act follows a staggered approach: while the AI Act entered into force on August 1, 2024, most of its provisions will apply from August 2, 2026. However, the AI Act’s requirements relating to prohibited AI practices and AI literacy are effective as of February 2, 2025.
UK’s National Cyber Security Centre Releases 2024 Annual Review
The United Kingdom’s National Cyber Security Centre has released its annual review for 2024. As in prior years, the report covers the UK’s cybersecurity position, both in terms of threats to the public and private sectors and the country’s readiness to deal with those threats.
Chile Passes New Data Protection Law
On November 14, and after many years of negotiations, Chile adopted a new Data Protection Act (DPA). This new DPA aims to provide Chile with an updated regulatory framework for the protection of personal data by replacing the law that had been in force since 1999. The DPA is also expected to align with international privacy and data protection standards, such as the General Data Protection Regulation in Europe (GDPR), General Data Protection Law in Brazil (LGPD), and Personal Data Protection Law in Argentina (LPDP).
Events
- February 12, 2025 – Peter Swire, Jennifer Everett, Kelly Hagedorn, David Keating, Wim Nauwelaerts, and Kim Peretti presented “A Look Ahead: Privacy and AI in 2025.”
- February 6, 2025 – Kathleen Benway spoke on the panel “The Future of Federal Privacy Legislation” at the American Bar Association’s 2025 Antitrust Data Privacy Conference.
- February 5, 2025 – Kate Hanniford, Jennifer Everett, and Kelly Hagedorn presented “A New Frontier: The Cybersecurity Horizon 2025 and Beyond.”
- January 29–30, 2025 – Kim Peretti spoke on the panel “Communicating in a Crisis: Executing a Comprehensive Communication Plan and Controlling the Message to the Board, Employees, Media and Beyond” and Kate Hanniford spoke on the panel “Special Update on the Evolving Threat Actor Landscape, National Security Risks and Ransomware” at ACI’s Cybersecurity Law & Compliance ’25 Conference.
- January 28, 2025 – Jennifer Everett and Jennifer Pike presented “AI Tech in Health Care: What to Expect in Legislation and Enforcement in 2025 and How to Prepare.”
- January 26–29, 2025 – Kate Hanniford spoke on the panel “Stories from the Front Lines of Cyber Investigations” at the 2025 Insurance Risk Management Forum.
- January 16, 2025 – Scott Hilsen spoke at the webinar “Minimizing Cybersecurity Legal Risk: What’s ‘Reasonable’?” presented by UGA CyberArch.
- December 11, 2024 – Kim Peretti and Kelly Hagedorn presented “Alston & Bird Webinar – 2024 and Beyond: Trends in Global Breach Response.”
- December 11, 2024 – Alex Brown spoke on the panel “2024 US Privacy Law Year in Review” hosted by the American Bar Association.
- December 4, 2024 – Cara Peterman and Bhanu Mathur presented “Alston & Bird Webinar – Navigating AI-Related Disclosure Challenges: Securities Filing, SEC Enforcement, and Shareholder Litigation Trends.”
In the News
- January 24, 2025 – Alice Portnoy is quoted on the EU-U.S. framework governing data transfers in Bloomberg Law.
- January 23, 2025 – Jennifer Everett is quoted on President Trump’s revoking President Biden’s Executive Order on AI in American Banker.
- January 21, 2025 – Jennifer Everett is quoted on the potential for greater artificial intelligence regulation by states in the wake of reduced federal regulatory oversight in CIO Dive.
- January 16, 2025 – Jennifer Everett is quoted on the potential regulation of AI used in the health care industry in The American Lawyer.
- December 16, 2024 – Alice Portnoy is quoted on the need for EU companies to be aware of collective redress when they are complying with European digital privacy laws in Bloomberg Law.
- October 28, 2024 – Jennifer Everett is quoted on the future of AI regulation in the United States in CIO Dive.
Press Releases
Alston & Bird Increases Rankings in Chambers Global 2025
Alston & Bird has been recognized in the 2025 edition of Chambers Global, with 12 practices, including Privacy & Data Security and Privacy & Data Security: Healthcare, and 24 lawyers, including Kim Peretti and Kristy Brown, cited for excellence.
Alston & Bird Offers Direct, On-Demand Access to Ransomware Fusion Center
Led by partner Kim Peretti, the Center recognizes there is no one-size-fits-all approach to ransomware readiness. The Center offers a variety of resources to inform and facilitate a thoughtful, bespoke approach to a range of challenges faced by companies as they prepare for and respond to sophisticated cyberattacks involving ransomware and multifaceted extortion.
Alston & Bird Earns 126 Tier-1 Rankings in 2025 Best Law Firms
Alston & Bird has been honored as one of the nation’s top law firms in the 2025 edition of Best Law Firms®, ranked by Best Lawyers. The firm received rankings in Privacy and Data Security Law and Technology Law.
“The Digital Download” is produced by Alston & Bird’s Privacy, Cyber & Data Strategy Team, led by Kim Peretti and David Keating. It is edited by Paul Greaves and Yin Tydir.
For additional updates, please be sure to visit our blog at www.alstonprivacy.com.
The Digital Download, as well as any articles or other content linked to or otherwise cited by or attached to it, is not intended to constitute and should not be relied upon as or construed to be legal advice