On May 20, 2025, the Senate cleared procedural obstacles to consider the GENIUS Act on the Senate floor. Originally introduced on Feb. 4, by Senator Bill Hagerty, R-TN, along with Senate Banking Committee Chairman Tim Scott, R-SC, Kirsten Gillibrand, D-NY, and Cynthia Lummis, R-WY, the Guiding and Establishing National Innovation for U.S. Stablecoins of 2025 (GENIUS) Act would define and regulate payment stablecoins. Payment stablecoins are digital assets designed to maintain a stable value relative to another asset. More than 99% of stablecoins tie their value to the U.S. dollar.
Emerging Defense in CIPA Lawsuits: Potent Yet Constrained by Legal and Technical Limitations
On June 3, 2025, the California Senate unanimously voted to amend the California Invasion of Privacy Act (“CIPA”) to exclude cookies and other commonly used internet tracking technologies from CIPA under certain circumstances. The bill, Senate Bill 690, if passed by the other chamber and signed by the governor, will exempt companies that use tracking technologies for a “commercial business purpose” from the wiretapping provisions of CIPA.
Broad Interpretation of CCPA’s Private Right of Action Increases Business Risk to Tracking Technologies Lawsuits
In a recent decision, the U.S. District Court for the Northern District of California construed the private right of action provision under the California Consumer Privacy Act (CCPA) broadly, increasing businesses’ exposure to tracking-technology lawsuits that are already rampant.
Businesses Beware: The California Privacy Protection Agency Is Taking a Strict View on CCPA Compliance and Seeking to Impose Maximum Fines for Non-Compliance
On March 7, 2025, the California Privacy Protection Agency (“CPPA”), which is tasked with enforcing the California Consumer Privacy Act (“CCPA”), entered a Stipulated Final Order (“Order”) with American Honda Motor Co., Inc. (“Honda”), fining Honda $632,500. This Order is instructive as to the CPPA’s views on various topics covered by the CCPA. Among other things, the Order makes clear that:
CFPB Explores the Need for Greater Financial Privacy
On January 10, 2025, in the waning days of the Biden Administration, the Consumer Financial Protection Bureau issued a Request for Information Regarding the Collection, Use, and Monetization of Consumer Payment and Other Personal Financial Data. The Request signals the Bureau’s strong concern with the ways financial institutions, and particularly newer financial tools such as widely used mobile banking apps, collect and use sensitive consumer financial data. The Request was motivated by data the Bureau collected in developing its Personal Financial Data Rights Rule, which found that “actual business practices show significant deviation from longstanding consumer expectations when it comes to the collection, use, and monetization of data harvested from payment transactions.” Among the Bureau’s chief concerns was consumers’ general ignorance about financial data that Americans believe “is kept private just because it is sensitive.” On the contrary, the Bureau found that not only is consumers’ sensitive financial information monetized, but also that it is commingled with consumer attributes like geographic location, social-media habits, and even individual voices. Such advancements, the Bureau worries, could lead to “dynamic pricing algorithms” that show different pricing to different users based on their harvested personal data.
Delayed One-to-One Consent Rule Gives Companies Reprieve, Plus Other TCPA Updates
The Federal Communications Commission (FCC) announced on Jan. 24, 2025, that its highly anticipated one-to-one consent rule was postponed by at least one year. This is big news for companies that were gearing up for the implementation of the rule, which would have significantly altered the requirements for obtaining consent to place calls or text messages under the Telephone Consumer Protection Act (TCPA).
Companies should keep an eye on another FCC rule that will change the requirements regarding consumers’ ability to revoke consent, scheduled to take effect on April 11, 2025. Meanwhile the U.S. Supreme Court will decide to what extent courts must defer to the FCC’s interpretation of the TCPA.
Read on to learn how ongoing changes in the regulatory landscape for the TCPA stress the importance of reviewing and prioritizing TCPA compliance in 2025.
HHS Proposed Rule May Enhance HIPAA Security but Leaves AI Questions Open
In response to increased cybersecurity threats and significant regulatory enforcement actions, on Dec. 27, 2024, the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking seeking to enhance cybersecurity protections under the Security Rule implemented pursuant to the Health Insurance Portability and Accountability Act of 1996. While the proposed rule is an important component of HHS’ ongoing effort to enhance cybersecurity requirements, many of the proposals raise new questions regarding HHS’ expectations. If adopted, the sweeping changes could have a major impact on the way covered entities and business associates conduct business, including with each other.
Read on for further details on the proposed rule and its implications for regulated entities.
The SEC’s Cybersecurity Incident, Governance, and Management Reporting Requirements: What You Need to Know to Avoid Cyber and D&O Coverage Gaps
As public companies’ reliance on remote work, cloud computing and digital payments increases, so too does the cybersecurity risk. Recognizing this, the SEC finalized rules and regulations in September 2023 requiring new cybersecurity-related disclosures from public companies. In prior efforts to improve consistency and accuracy of public company cybersecurity risk disclosures, the SEC issued interpretive guidance explaining how cybersecurity risk and incidents should be communicated based on longstanding requirements to disclose material information periodically to shareholders. But in the SEC’s view, corporate disclosure practices were inconsistent. Under-disclosure persisted and investors lacked consistent information by which they could evaluate public companies’ cybersecurity risk.
The SEC now requires enhanced and standardized cybersecurity risk disclosures for all periodic SEC filers, including foreign private issuers and smaller reporting companies. Public companies must disclose certain cybersecurity incidents, as well as information about cybersecurity risk management, strategy and governance.
Read on to learn about the potential exposure public companies face and how this exposure risk fits within the framework of a company’s D&O and cyber insurance programs. How can a company ensure its insurance policies will appropriately protect its balance sheet and its directors and officers from potential SEC investigations and shareholder litigation?
SEC Settles Charges for Alleged Misleading Disclosures, Shedding Light on Materiality in Cyber Context
On Oct. 22, 2024, the Securities and Exchange Commission (SEC) announced settled charges against four current and former public companies, Unisys, Avaya Holdings, Check Point Software Technologies and Mimecast, for allegedly making materially misleading statements in their public disclosures regarding cybersecurity intrusions and risks following the SolarWinds Corporation software hack. This wave of enforcement actions signals the SEC’s continued focus on the content and completeness of public disclosures following cyber incidents. In a press release, the SEC summarized its position that the settling issuers each “negligently minimized its [SolarWinds] cybersecurity incident,” which served to “further victimize their shareholders or other members of the investing public” and left “investors in the dark about the true scope of the incidents.”
Read on to learn more about the settlements and the takeaways worth considering.
DoD Issues Final CMMC Framework for Defense Contractors
After a nearly five-year rulemaking process, the U.S. Department of Defense (DoD) published the final Cybersecurity Maturity Model Certification 2.0 (CMMC) program rule in the Federal Register on Oct. 15, 2024, codified at 32 CFR Part 170. Contract clauses implementing the CMMC program rule will be issued as part of the Defense Federal Acquisition Regulation Supplement (DFARS), and DoD expects to require CMMC certifications as a condition of award beginning in 2025 under a phased-in approach.
The final CMMC program rule is the culmination of a lengthy rulemaking process to implement third-party-certified cybersecurity program standards for the Defense Industrial Base. DoD has significantly revised the CMMC program requirements since the inception of CMMC 1.0 in 2020. At its most basic level, the CMMC program moves the Defense Industrial Base from a self-certification model for cybersecurity compliance to the third-party verification process contemplated by the program rule.
Read on to learn more about the final rule and its implications for contractors and subcontractors.