12 Days of Data

Subscribe to 12 Days of Data via RSS
12

The past year was a busy one for privacy litigation: Website tracking litigation gained momentum.  Plaintiffs repurposed legacy wiretap and video privacy statutes to target pixels, chat bots, and other AI-enabled user tools.  Courts issued decisions that altered liability theories and deepened splits over statutory terms and defenses.  Regulators remained active and staked out positions that stand to adjust private-plaintiff approaches to routine commercial website tracking.

In this post, we distill the year’s most consequential developments and what they mean for 2026.Continue Reading On the Twelfth Day of Data… Privacy Litigation: Four Notable Developments From 2025

11

As the year draws to a close, reform of the data subject access request (DSAR) regime in the EU and the UK may turn out to be a welcome gift for organisations grappling with complex access requests. Regulators in both jurisdictions are signalling a more flexible, pragmatic approach to compliance, recognising that DSARs have often been exploited for tactical or disruptive ends.Continue Reading On the Eleventh Day of Data… Unwrapping DSARs in 2026

day10

While 2025 may have brought questions about the level of enforcement we would see from federal regulators, there was no question that state regulators would continue to be active, especially in the financial privacy space. In 2025, we saw the New York Department of Financial Services (NYDFS) implement the final phases of amendments to its NYDFS Cybersecurity Regulation (23 NYCRR Part 500) that originally passed back in 2023 (see our earlier post on the amendments here). The final implementation phases milestones came as scheduled in May and November 2025, and just days before the final set of requirements took effect on November 1, NYDFS also issued new industry guidance on managing third-party risks. Taken together, the guidance and final amendments underscore what NYDFS will be scrutinizing in upcoming investigations and examinations: leadership oversight and documentation, complete asset inventories governed by clear policies, strict access controls and privilege management, universal multi-factor authentication coverage or well‑justified compensating controls, and credible third‑party risk management evidence.Continue Reading On the Tenth Day of Data… Looking Back at 2025 and Ahead to NYDFS Enforcement Priorities in 2026

day9

The continued absence of a comprehensive federal privacy law once again positioned state legislatures as the primary forces behind data privacy developments in the U.S. this year. In 2025, eight new comprehensive state privacy laws took effect, adding to a growing patchwork of regulations that now spans 20 states. These laws generally reinforce established standards but introduce some important differences in applicability, exemptions, and sensitive data protections, making multi-state compliance increasingly complex.

States also continued to refine their data breach notification requirements, with notable amendments in New York, California, and Oklahoma aimed at strengthening consumer protections and reporting standards. Meanwhile, the rapid proliferation of state-level AI legislation—alongside a controversial new executive order directing federal agencies to challenge such laws—added a new layer of considerations for businesses leveraging artificial intelligence. With additional privacy laws set to take effect in 2026 and even stricter proposals on the horizon, organizations should remain proactive in adapting to this dynamic and increasingly fragmented regulatory environment.Continue Reading On the Ninth Day of Data… State of the States: This Year’s Key Privacy Law Developments Across the U.S. States

day8

In 1950, reflecting on the future of machine intelligence, Alan Turing observed: “We can only see a short distance ahead, but we can see plenty there that needs to be done.” With several large language models, most notably OpenAI’s GPT-4.5, passing the Turing Test in 2025, some governments have taken steps towards stricter regulation this year, with others still working to determine what “needs to be done” for AI regulation in the year ahead.

Most notably, this year saw key provisions of the EU AI Act—the world’s first comprehensive AI-dedicated law—take effect. However, instead of seeing the “Brussels effect” with AI regulation, going into 2026, the global approach appears to be leaning towards that of the UK and U.S., which have led the charge for a looser regulatory environment in recent years.Continue Reading On the Eighth Day of Data… AI Regulation – A 2025 Recap and a Look Ahead to 2026

Day 7

Financial regulators including the Securities and Exchange Commission (“SEC”) continued to focus on data protection and cybersecurity issues throughout 2025. With the amendments to the Safeguards Rule and Disposal Rule of Regulation S-P officially taking effect, the SEC is continuing to assert a more prominent role in data protection, a trend that will undoubtedly continue and likely expand throughout 2026.Continue Reading On the Seventh Day of Data… The Growing Pains of Regulation S-P in 2025

day6

This holiday season—following a year of headline breaches, surging supply-chain attacks, and major regulatory changes—cyber resilience tops every corporate wish list.

The Cybersecurity and Infrastructure Security Agency (“CISA”) remains at the forefront of U.S. cybersecurity amid a turbulent year of leadership change and policy realignment. With the long‑awaited Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”) rules slated for May 2026 and a continuing focus on international cyber strategies, the agency is poised to shape the future of critical infrastructure security. CIRCIA will introduce mandatory cyber incident and ransomware payment reporting for covered critical infrastructure, driving faster federal response and shaping compliance programs, contractual obligations, and risk governance across sectors. At the same time, CISA’s 2025–2026 International Strategic Plan outlines the federal government’s purported approach to cross‑border cyber defense—prioritizing partnerships, information sharing, and supply‑chain risk mitigation—with direct implications for transnational firms. Yet CISA faces major challenges, including leadership gaps, workforce constraints, and increased political scrutiny, that may threaten its ability to fulfill its mission in the year ahead.Continue Reading On the Sixth Day of Data… CISA, CIRCIA, and the Future of Critical Infrastructure Security

day5

As compliance professionals reflect upon the past year, many will look back with frustration on efforts taken to comply with the Department of Justice’s Data Security Program (the “DSP” or “Rule”). Not because the efforts taken were in vain, but because the DSP is one of the most complicated, amorphous, far-reaching, yet impactful U.S. government regulations in recent memory. Any organization that collects or has access to U.S. sensitive personal data—regardless of whether that data is anonymized, pseudonymized, de-identified, or encrypted—should be assessing its compliance with the DSP. In other words, nearly every organization in the U.S. and many outside the U.S. fall under the Rule.Continue Reading On the Fifth Day of Data… Reflections and Compliance Advice on the DOJ’s Data Security Program

day4

As 2025 draws to a close and some organizations slip into a quieter holiday rhythm, their AI systems continue humming in the background—summarizing customer inquiries, triaging security alerts, generating code, and synchronizing records across critical systems. Within that uninterrupted activity, however, lies a less festive truth: agentic AI introduces cyber risks of unprecedented complexity and novelty, beyond what conventional architectures were designed to manage.

Agentic AI—the class of systems that can reason, plan, act, and adapt toward goals with reduced human oversight—promises measurable gains across legal services, finance, healthcare, and supply chain operations. But the same autonomy that drives new efficiencies also creates a distinctly complex cybersecurity risk profile. By initiating actions, calling tools, exchanging data with other agents, and escalating privileges to meet objectives, autonomous systems expand the attack surface and introduce “digital insiders” that can err at scale, leak data silently, and even be co-opted by threat actors. For those advising on governance, cyber preparedness, and emerging-tech strategy, the takeaway is clear: companies need a practical, defensible program tailored to agentic environments—one that reduces the likelihood and blast radius of failures before a single misaligned step turns out all the lights.Continue Reading On the Fourth Day of Data… All is Calm, All is Bright? Securing Agentic AI Before the Lights Go Out

The Third Day of Data

The publication of the EU Digital Omnibus Proposal (“Omnibus”) on 19 November set out a two-part package of simplifications to its data protection rulebook. Pitched as a means to reduce regulatory friction and foster innovation, the initiative represents the EU’s ambition to reap the benefits of the digital revolution.

Following the Draghi report’s warning that the EU was trailing behind US and Chinese markets due to overregulation, the EU has course corrected its approach to digital regulation, overhauling its flagship data legislation to strengthen its position in the global market. The Omnibus thus forms part of the Commission’s wider promise to reduce administrative burdens by at least 25% for all businesses—and at least 35% for small and medium-sized enterprises (“SMEs”)—by 2029.Continue Reading On the Third Day of Data… This Omnibus Is on a Diversion: Highlights of the EU’s Digital Omnibus Proposal