Key Takeaways

• The SEC’s agreement with defendants to dismiss, with prejudice, its case against SolarWinds Corporation (SolarWinds) and its chief information security officer (CISO) signals a retreat from aggressive, novel enforcement theories in cybersecurity disclosure cases.
• Although technical cybersecurity violations without investor harm

Congress included in the appropriations bill of November 12, 2025, an extension of the Cybersecurity Information Sharing Act of 2015 (CISA 2015), 6 U.S.C. §§ 1501–10, through January 30, 2026. 

Congress members have proposed legislation that would introduce new measures to enhance the United States’ cybersecurity resilience in the face of advancing quantum computing capabilities.

On September 23, 2025, the California Privacy Protection Agency confirmed that their cyber audit regulations will at long last go into effect on January 1, 2026. 

You can be forgiven for losing track since these were first proposed in September 2023, but now is the time to start considering how they will apply to your company and budgeting for that impact. 

State Updates, Security Mandates, and the Federal Regulatory Horizon

150 consumer complaints per week. A consortium of privacy regulators. “Hundreds of open investigations.” 

The U.S. Department of Justice (DOJ) “Data Security Program” (DSP), also known as the “Sensitive Data Rule” or “Bulk Data Rule,” has prompted numerous questions about its scope and application. 

In a major move signaling the growing power of multi-state cooperation on privacy enforcement, the California Privacy Protection Agency (CPPA), alongside the Attorneys General of California, Colorado, and Connecticut (collectively, the “Coalition”), announced an investigative sweep targeting businesses that fail to honor

California’s legislature has once again taken center stage in the national privacy conversation, passing a flurry of privacy bills during a marathon session that stretched into the night of September 12. 

Key Takeaways

• Multiple agencies of the U.S.

Can buying a video game on a website using pixel technology make you a Video Privacy Protection Act (VPPA) plaintiff? 

Texas has enacted amendments to its state version of the federal Telephone Consumer Protection Act (Tex. Bus. & Comm.

After years of drafting, discussions, and debates, the California Privacy Protection Agency (CPPA) Board reached a significant milestone in its efforts to bring to fruition regulations that have been in discussion by the CPPA Board for several years. 

As the 2025 summer heat continues and as state privacy laws continue to mature, enforcement actions are beginning to shape the compliance landscape for businesses nationwide—from the coast of California to the shores of Connecticut. 

On June 27, 2025, the United States Supreme Court weighed in on the ongoing debate about age verification requirements for websites, holding that it is constitutional for a state to require websites that have a significant portion of adult content to implement commercial age verification systems.