Privacy & Information Security Law Blog

On October 14, 2025, the European Data Protection Board announced that its fifth coordinated enforcement action will focus on compliance with the transparency and information requirements under the GDPR.

On October 15, 2025, the UK Information Commissioner’s Office announced a £14 million fine against Capita plc and Capita Pension Solutions Limited following a significant data breach.

On October 14, 2025, the UK government announced a coordinated effort by senior ministers and security officials to urge top UK businesses to improve their cybersecurity defenses.

Ace American Insurance Company (“Ace”) recently filed a subrogation lawsuit against two technology and cybersecurity providers, following a cybersecurity incident suffered by an insured policyholder that had engaged the providers. This case highlights the growing risk of subrogation lawsuits following a cybersecurity incident.

On September 30, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a settlement with five affiliated health care providers collectively known as Cadia Healthcare Facilities for potential violations of the HIPAA Privacy and Breach Notification Rules.

The Federal Trade Commission announced that Citizens Disability and its subsidiary CD Media agreed to pay $1 million to resolve allegations that the companies violated Section 5 of the FTC Act and the Telemarketing Sales Rule in connection with tens of millions of telemarketing calls.

On October 8, 2025, California Governor Newsom signed into law the Opt Me Out Act, which amends the CCPA to require web browsers to provide California consumers with the ability to send a single opt-out preference signal to all businesses with which the consumer interacts through the browser.

On September 26, 2025, California Governor Newsom signed into law Assembly Bill 45, which amends existing California law to strengthen privacy protections for health and location data of individuals seeking health care services, including reproductive health care.

The U.S. Department of Health and Human Services’ Office for Civil Rights and the Assistant Secretary for Technology Policy have released a new version of their Security Risk Assessment Tool, along with an updated SRA Tool User Guide.

On September 29, 2025, California Governor Newsom signed into law the Transparency in Frontier Artificial Intelligence Act. The Act sets new transparency and safety requirements, and whistleblower protections, for companies developing “frontier” artificial intelligence models.