Financial regulators including the Securities and Exchange Commission (“SEC”) continued to focus on data protection and cybersecurity issues throughout 2025. With the amendments to the Safeguards Rule and Disposal Rule of Regulation S-P officially taking effect, the SEC is continuing to assert a more prominent role in data protection, a trend that will undoubtedly continue and likely expand throughout 2026.

Continue Reading On the Seventh Day of Data… The Growing Pains of Regulation S-P in 2025

This holiday season—following a year of headline breaches, surging supply-chain attacks, and major regulatory changes—cyber resilience tops every corporate wish list.

The Cybersecurity and Infrastructure Security Agency (“CISA”) remains at the forefront of U.S. cybersecurity amid a turbulent year of leadership change and policy realignment. With the long‑awaited Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”) rules slated for May 2026 and a continuing focus on international cyber strategies, the agency is poised to shape the future of critical infrastructure security. CIRCIA will introduce mandatory cyber incident and ransomware payment reporting for covered critical infrastructure, driving faster federal response and shaping compliance programs, contractual obligations, and risk governance across sectors. At the same time, CISA’s 2025–2026 International Strategic Plan outlines the federal government’s purported approach to cross‑border cyber defense—prioritizing partnerships, information sharing, and supply‑chain risk mitigation—with direct implications for transnational firms. Yet CISA faces major challenges, including leadership gaps, workforce constraints, and increased political scrutiny, that may threaten its ability to fulfill its mission in the year ahead.

Continue Reading On the Sixth Day of Data… CISA, CIRCIA, and the Future of Critical Infrastructure Security

As compliance professionals reflect upon the past year, many will look back with frustration on efforts taken to comply with the Department of Justice’s Data Security Program (the “DSP” or “Rule”). Not because the efforts taken were in vain, but because the DSP is one of the most complicated, amorphous, far-reaching, yet impactful U.S. government regulations in recent memory. Any organization that collects or has access to U.S. sensitive personal data—regardless of whether that data is anonymized, pseudonymized, de-identified, or encrypted—should be assessing its compliance with the DSP. In other words, nearly every organization in the U.S. and many outside the U.S. fall under the Rule.

Continue Reading On the Fifth Day of Data… Reflections and Compliance Advice on the DOJ’s Data Security Program

As 2025 draws to a close and some organizations slip into a quieter holiday rhythm, their AI systems continue humming in the background—summarizing customer inquiries, triaging security alerts, generating code, and synchronizing records across critical systems. Within that uninterrupted activity, however, lies a less festive truth: agentic AI introduces cyber risks of unprecedented complexity and novelty, beyond what conventional architectures were designed to manage.

Agentic AI—the class of systems that can reason, plan, act, and adapt toward goals with reduced human oversight—promises measurable gains across legal services, finance, healthcare, and supply chain operations. But the same autonomy that drives new efficiencies also creates a distinctly complex cybersecurity risk profile. By initiating actions, calling tools, exchanging data with other agents, and escalating privileges to meet objectives, autonomous systems expand the attack surface and introduce “digital insiders” that can err at scale, leak data silently, and even be co-opted by threat actors. For those advising on governance, cyber preparedness, and emerging-tech strategy, the takeaway is clear: companies need a practical, defensible program tailored to agentic environments—one that reduces the likelihood and blast radius of failures before a single misaligned step turns out all the lights.

Continue Reading On the Fourth Day of Data… All is Calm, All is Bright? Securing Agentic AI Before the Lights Go Out

The publication of the EU Digital Omnibus Proposal (“Omnibus”) on 19 November set out a two-part package of simplifications to its data protection rulebook. Pitched as a means to reduce regulatory friction and foster innovation, the initiative represents the EU’s ambition to reap the benefits of the digital revolution.

Following the Draghi report’s warning that the EU was trailing behind US and Chinese markets due to overregulation, the EU has course corrected its approach to digital regulation, overhauling its flagship data legislation to strengthen its position in the global market. The Omnibus thus forms part of the Commission’s wider promise to reduce administrative burdens by at least 25% for all businesses—and at least 35% for small and medium-sized enterprises (“SMEs”)—by 2029.

Continue Reading On the Third Day of Data… This Omnibus Is on a Diversion: Highlights of the EU’s Digital Omnibus Proposal

Following several unsuccessful attempts to secure federal preemption of state artificial intelligence regulations through Congress, President Trump turned to executive action, signing a sweeping executive order last Thursday night, entitled “Ensuring a National Policy Framework for Artificial Intelligence”. The Executive Order directs federal agencies to challenge state laws regulating AI, with the stated goals of establishing a “minimally burdensome national standard” for AI and preempting conflicting state regulations.

In a Client Alert published Friday, Ropes & Gray partners Jamie E. Darch, Fran Faircloth, Regina Sam Penti, and Stephanie A. Webster, counsel Chetan A. Patil, and associates Joanne J. Hyun and Kate Kaplan summarize the Executive Order’s key provisions and analyze its potential impact on existing and proposed state laws.


As firms face rising data volumes, competitive pressure, and regulatory scrutiny, asset managers are increasingly turning to tools driven by artificial intelligence for everything from investment research and portfolio construction to risk modeling and operational efficiency.

In a recent whitepaper, Ropes & Gray partners Melissa Bender, Amy Jane Longo, Fran Faircloth, Megan Bisk, Colleen Meyer, and associate Michaela Powers outline the principal legal and regulatory considerations for asset managers adopting AI. Providing a high-level framework for managing legal, regulatory, operational, and reputational risks associated with AI adoption, the whitepaper also offers practical steps to implement responsible, compliant use.


December is upon us, which means it is time for the Data, Privacy, and Cybersecurity team at Ropes & Gray to kick off the 12 Days of Data, our annual blog series looking back at 2025 and ahead to what 2026 is likely to bring in the world of data protection. As regulators, courts, and policymakers continue to reshape the data protection landscape at a rapid pace, this series will highlight the trends, inflection points, and open questions that should be on every organization’s radar heading into the new year. Each post will focus on a discrete set of legal developments or a particular regulated sector, offering practical takeaways rather than year-end lists for their own sake.

The 12 Days of Data will be scattered between now and the end of the year, so be sure to subscribe to www.RopesDataPhiles.com to receive alerts as each post in the series goes live and to stay up to date on the latest insights from our team.

An increasingly aggressive plaintiffs’ bar has brought putative class action suits based on the nearly ubiquitous use of tracking technologies for website analytics. Although any actual harm to the plaintiffs is difficult to articulate, the health care industry has been plagued by a series of these cases. Now the plaintiffs may be moving on to financial services, where statutory penalties of hundreds of dollars per user are possible when a duty of confidentiality can be credibly implicated.

Tracking tags, pixels, and similar website analytics technologies are nothing new. The technologies at issue in these complaints are widely used on websites and mobile applications across industries, including by government entities, to collect information about user behavior and interactions with the online platform in which they are embedded. That information is then sent to a third party for analytics used to enhance the user experience on the platform. Many of these technologies are integral to an organization’s ability to ensure its websites and applications are functioning properly, among other things by providing crash reports when users encounter issues. Additionally, many consumer-facing businesses contract with third parties to provide session replay scripts, software that monitors and records web-user activity such as keystrokes, clicks, and scrolling. Despite the pervasiveness of these technologies, plaintiffs have seized on ambiguities in the California state wiretap act, the California Invasion of Privacy Act (“CIPA”), as well as federal wiretap law, as the basis for exceptionally large damage demands.

Continue Reading Pixel Litigation Risk at Financial Institutions