
Privacy Law Recap 2025—Data Security

Perkins on Privacy

Virtual Landscape

The financial toll of cyberattacks continues to rise, with global cybercrime costs projected to hit $10.8 trillion annually by the end of 2026, up from $3 trillion a decade ago. That trajectory is likely to continue in the years ahead. Amid rising cybercrime costs and the growing potential for AI-driven attacks, federal regulators and state legislators alike are imposing additional security requirements on organizations across industries, adding compliance complexity and exposure to fines. Staying apprised of these legal and regulatory updates is critical both for compliance and for avoiding the already rising costs of cyberattacks. The highlights from 2025 include:

  • Rise of AI-driven attacks. AI-driven cyberattacks are reshaping the threat landscape, with a shift toward automated campaigns that strike at scale and speed. Threat actors can now use generative AI to craft phishing emails, create convincing audio and video deepfakes to impersonate executives, and, most recently, conduct cyber operations with minimal human involvement. The same tools that organizations use to detect anomalies are being turned against them to launch more sophisticated campaigns. Anthropic’s report of an AI-orchestrated cyber-espionage campaign highlights this shift. In September 2025, Anthropic detected that a Chinese state-sponsored group had manipulated its Claude model into automating up to 90% of a cyber-espionage campaign, scanning networks and testing credentials without human oversight, a first for a campaign of this kind. In this environment, the demands on incident responders and their advisers—and their regulators—grow exponentially.
  • Federal legal reforms across key sectors. Several major legal updates are reshaping how organizations must prepare for and respond to cyber threats. In January, the U.S. Department of Health and Human Services proposed an amendment to the HIPAA Security Rule, with a final rule anticipated in May 2026. Regulated entities will face stricter requirements around risk analysis, encryption, and audit controls. Also in January 2025, the Federal Trade Commission finalized amendments to the Children’s Online Privacy Protection Act Rule to require organizations handling children’s data to implement a formal information security program. As of April 22, 2026, these companies must not only safeguard sensitive information but also, at least annually, evaluate internal and external risks to the security of children’s personal information; implement safeguards to address these risks; regularly test and monitor the effectiveness of these safeguards; and evaluate and adjust the information security program related to any of the above. The SEC’s revised Regulation S-P went into effect in December 2025 for larger entities and most broker-dealers, expanding security and notice obligations; smaller entities have a compliance deadline in June 2026. In April 2025, the U.S. Department of Justice’s new rule on bulk data collection and handling took effect, tightening restrictions on how U.S. companies give “countries of concern” access to bulk U.S. sensitive personal data. Meanwhile, regulations implementing breach notifications for a broad swath of companies under the Cyber Incident Reporting for Critical Infrastructure Act have remained stalled since they were initially proposed (and heavily criticized) last year, with the final rule now expected in May 2026.
  • Embedding security into privacy laws. As states begin embedding security requirements into their privacy laws, compliance challenges will expand in 2026. Most notably, after years in development, the California Privacy Protection Agency unanimously approved regulations for cybersecurity audits and risk assessments that will require a wide range of businesses subject to the California Consumer Privacy Act (CCPA) to document and evaluate their safeguards in a structured, regulator-ready format. The first CCPA audits are not due until 2028, but, in the meantime, Minnesota’s new privacy law (effective in July 2025), as well as similar provisions in proposed New Jersey regulations, expressly mandate that businesses incorporate data mapping into their compliance programs and include security safeguards in their written policies.
  • Revisions to breach notification requirements. As covered in our annual summary, there were three notable changes in state breach notification laws. Oklahoma, in its first major changes since 2008, now covers an expanded list of “personal information” and requires attorney general notice for incidents involving more than 500 individuals. In addition, New York and California both added 30-day deadlines to their breach notification statutes.

This post is part of a series recapping privacy law developments in 2025. Please see the following posts for additional recaps of developments in 2025:

Privacy and Data Security Recap 2025—National Security


Authors

Partner, AGerlicher@perkinscoie.com, 206.359.3445
Counsel, AGlickman@perkinscoie.com, 202.654.6372
