Looking Ahead to 2026
In 2026, both federal and state enforcement agencies will likely maintain aggressive stances and continue to impose significant penalties for cybersecurity lapses. To stay ahead of these regulatory expectations, organizations should prioritize integrated compliance strategies, cross-functional risk assessments, and proactive engagement with emerging artificial intelligence (AI) and cybersecurity standards.
Key Trends From 2025
2025 marked a pivotal year for regulatory and enforcement activity in cybersecurity, privacy, and AI governance. Regulators such as the U.S. Securities and Exchange Commission (SEC) and the California Privacy Protection Agency (CPPA) introduced new requirements for third-party risk management and incident reporting. Meanwhile, the New York Department of Financial Services (DFS) had a busy year enforcing its Part 500 cybersecurity regulation. AI governance also emerged as a dominant theme, with the adoption of the CPPA’s long-anticipated regulations governing the use of automated decision-making technology (ADMT), the release of the White House’s AI Action Plan, and the introduction and passage of several state laws governing the use of AI, signaling increased interest in the space.
On the litigation front, web-tracking wiretap lawsuits, both class actions and individual suits, were filed at a record-setting rate, most commonly under the California Invasion of Privacy Act (CIPA), with new and expanded theories of liability. Notably, consumers frequently alleged that any website with third-party tracking software, such as cookies or pixels, constitutes a “pen register” and/or “trap and trace device” that violates CIPA section 638.51 because such software allegedly collects information like IP addresses and discloses that information to third parties. Courts remain split as to whether these claims may proceed past the pleading stage and continue to grapple with applying CIPA to the internet age, perpetuating the uncertainty facing companies employing such technologies on their websites. Some federal courts declined to dismiss such claims at the pleadings stage, holding that the plaintiffs plausibly alleged that web tracking technologies are either a pen register or a trap and trace device.1 In contrast, state court decisions, such as Sanchez v. Cars.com Inc. and Aviles v. LiveRamp, Inc., have interpreted CIPA section 638.51 as inapplicable to web browsing.
In the News
AI Action Plan
In July 2025, the Executive Office of the President released its AI Action Plan, a long-anticipated road map for the federal government’s approach to AI governance that presents a number of implications for businesses globally. The AI Action Plan identifies more than 90 federal policy actions across the three pillars the Trump administration plans to address: (i) accelerating AI innovation, (ii) building American AI infrastructure, and (iii) leading international AI diplomacy and security. Under the second pillar, bolstering “critical infrastructure cybersecurity,” promoting “secure-by-design AI technologies and applications,” and promoting “mature federal capacity for AI incident response” are identified as recommended policy actions.
New York AI Act
In January 2025, the New York AI Act (Senate Bill S1169A) was introduced in the New York Senate. The act focuses on addressing algorithmic discrimination by regulating and restricting the use of certain AI systems and would provide consumers with the right to opt out of automated decision-making or appeal its results. Further, “high-risk AI systems” would be required to undergo independent audits. Enforcement would be by the New York attorney general, with a civil money penalty of up to $20,000 per violation. The bill also contains a private right of action. After the bill died in the Assembly, it was returned to the Senate and referred to the Senate Internet and Technology Committee, where it is now pending.
Regulation S-P Amendments
In December 2025, amendments to the SEC’s Regulation S-P took effect. Under these amendments, larger covered entities must establish a written incident response plan, notify customers of data breaches, implement additional service provider oversight, and meet new recordkeeping requirements. All other covered institutions must be in compliance by June 3, 2026.
CPPA ADMT Regulations
In September 2025, the CPPA adopted updates to its regulations, which added requirements for regulated businesses to complete annual cybersecurity audits as well as conduct risk assessments for certain data processing activities, including targeted advertising and processing sensitive personal information. The updated regulations also grant consumers new rights affecting businesses’ use of ADMT to make certain “significant” decisions affecting a consumer — including rights to receive pre-use notices, opt-out options, and explanations of the logic of decisions. ADMT includes “any technology that processes personal information and uses computation to replace human decisionmaking or substantially replace human decisionmaking.” The portions of the updated regulations addressing risk assessments came into force on January 1, 2026, with the remaining updates coming into force on various dates in 2027 and 2028.
Texas AI Law
In June 2025, Texas enacted the Texas Responsible Artificial Intelligence Governance Act (TRAIGA). The act broadly defines an AI system as “the use of machine learning and related technologies that use data to train statistical models for the purpose of enabling computer systems to perform tasks normally associated with human intelligence or perception” and includes provisions aimed at consumer protection, such as guardrails against using biometric data to identify an individual without consent. TRAIGA also establishes the Texas AI Council, a seven-member body composed of experts in AI systems, privacy and data security, and technology ethics. The AI Council is charged with identifying barriers to AI innovation and advising on future legislation. TRAIGA enforcement authority is allocated exclusively to the Texas attorney general, and civil money penalties range from $10,000 to $200,000 per violation.
2025 Enforcement Highlights
New York DFS Settles With PayPal Inc.
The New York DFS announced in January 2025 that it entered into a consent order with PayPal Inc., in which PayPal agreed to pay a $2 million penalty to resolve allegations that it failed to use qualified personnel to manage key cybersecurity functions, ensure proper implementation of its cybersecurity policies and procedures, and use effective controls to protect against unauthorized access, resulting in the exposure of sensitive customer information to cybercriminals in 2022.
New York DFS Settles With Healthplex Inc.
The New York DFS announced in August 2025 that it entered into a consent order with Healthplex Inc., a licensed insurance agent and independent adjuster, to pay a $2 million civil money penalty. As part of the settlement, Healthplex has agreed to hire an independent auditor to examine the adequacy of its multi-factor authentication (MFA) controls.
New York DFS Settles With Eight Auto Insurers
The New York DFS announced in October 2025 that it would secure more than $19 million in penalties from eight auto insurance companies over “inadequate cybersecurity controls” that allowed hackers to extract nonpublic personal information (NPI). The consent orders require comprehensive audits of information systems that store or provide access to NPI and continued use of MFA.
FTC Settles With GoDaddy Inc.
The Federal Trade Commission (FTC) announced in May 2025 that it finalized an order with GoDaddy Inc., settling allegations that the web hosting provider misled consumers by failing to implement data security protections, which led to several data breaches. Under the order, GoDaddy is prohibited from making misrepresentations about its security and the extent to which it complies with various privacy or security programs; required to establish and implement a comprehensive information security program; and required to hire an independent third-party assessor to conduct reviews of the program.
SEC Dismisses Cyber Disclosure Case Against SolarWinds and CISO
In November 2025, the SEC announced an agreement to dismiss, with prejudice, its case against SolarWinds Corporation and its chief information security officer (CISO) for allegedly defrauding investors by making materially misleading statements and omissions about the strength of the company’s cybersecurity practices and risks while knowing of serious vulnerabilities and internal security weaknesses. Notably, the SEC offered no explanation for the dismissal. The case — which began in October 2023 — was unique because it directly targeted the CISO, expanded disclosure liability to include cybersecurity risk disclosures, and used internal communications as evidence that SolarWinds and the CISO were aware of the security weaknesses.
* * *
Read the next chapter, “Cards, Payments, and Consumer Banking.”
[1] For example, Riganian et al v. LiveRamp Holdings, Inc., 791 F. Supp. 3d 1075 (N.D. Cal. 2025) and Fregosa v. Mashable, Inc., No. 25-CV-01094-CRB, 2025 WL 2886399, at *3 (N.D. Cal. Oct. 9, 2025). ↩
This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.
Contacts
- Sabrina M. Rose-Smith, Partner (/en/people/r/rose_smith-sabrina)
- W. Kyle Tayman, Partner (/en/people/t/tayman-w-kyle)
- Viona J. Harris, Partner (/en/people/h/harris-viona)
- Courtney L. Hayden, Partner (/en/people/h/hayden-courtney)
- Christina L. Hennecken, Partner (/en/people/h/hennecken-christina)
- Matthew L. Riffee, Partner (/en/people/r/riffee-matthew)