
2025 Data law trends

3. A new wave of cyber threats is here

By Richard Bird, Laéna Bouafy, Madeline Cimino, Brock Dahl, Tony Gregory, Hanna Hoffmann, Megan Kayo, Jérôme Philippe, Thomas Retière, Satya Staes Polet, Rhodri Thomas, Christoph Werkmeister

IN BRIEF

As global cybersecurity threats continue to evolve, companies are navigating an increasingly complex risk landscape. In this chapter, our cybersecurity experts dive into recent trends in ransomware attacks and the latest regulations around incident response. They also discuss new guidance on fines and damage claims while exploring the intersection of cybersecurity and AI.

Here’s what we’ll cover:

  • The rising frequency and scale of ransomware attacks.
  • New incident response obligations.
  • GDPR damage claims.
  • The role of AI in enhancing and undermining cybersecurity.


In February 2024, several international law enforcement agencies scored a major success in the fight against cybercrime by seizing control of infrastructure used by LockBit, one of the world’s most active ransomware groups, and obtaining decryption keys that could enable the recovery of many LockBit-encrypted systems. However, LockBit has reportedly continued attacking companies using new servers and dark web domains, which demonstrates the persistence of cybercriminals. While law enforcement continues to pursue cybercriminals and companies continue to improve their cybersecurity measures, ransomware remains rampant and attacks are increasing in sophistication and number, not least due to:

  • the rise of widely available generative AI; and
  • the increasing commoditization of ransomware, particularly through ransomware as a service.


Recent developments emphasize that cybersecurity should be always higher on the agenda of the leadership of organizations.

Satya Staes Polet, Partner

In 2024, ransomware demands and payments have continued to climb, reflecting the ongoing evolution and aggressiveness of cybercriminals’ tactics. The first half of 2024 saw ransomware attacks increase in both frequency and scale, with the average ransom demand reaching over $1.5m in the second quarter of 2024 – a 102 percent increase quarter over quarter. This increase is largely driven by the continued success of multiple-extortion schemes, where attackers not only encrypt data but also exfiltrate it, threatening to release sensitive information if ransoms are not paid.

Attackers may also threaten to launch distributed denial-of-service attacks, or threaten the employees and customers of victims, to apply additional pressure on companies. One group of cybercriminals has even been known to lodge a complaint with a regulatory authority denouncing the breached company’s failure to disclose the incident as required by law, thereby using the law itself as a means of exerting pressure. The emergence of new ransomware groups and variants, including rebranded groups, has also contributed to the record-breaking number of incidents and payments. Despite ongoing law enforcement efforts, the overall threat continues to grow, with 2024 potentially becoming the worst year on record for ransomware payments.

Beyond ransomware attacks, supply chain attacks continue to be a significant issue. Companies rely on third-party vendors for systems and services that are critical to their operations.

Cyberattacks, vulnerabilities or even faulty updates at vendors have resulted in significant losses for numerous customers of those vendors and highlighted the growing importance of integrating cybersecurity into a company’s overall risk management. These incidents underscore the cascading effects that supply chain attacks can have, leading to regulatory penalties, breach of contract claims and potential litigation.

Additionally, supply chain attacks can be more challenging to investigate, as an affected customer may have limited visibility into an attack on a third-party vendor and limited control over the vendor’s investigation. In fact, supply chain risk has become such a significant issue that the US National Institute of Standards and Technology (NIST) released the first major update to its Cybersecurity Framework since 2014 (CSF 2.0), incorporating practices to manage cybersecurity risks within and across organizations’ supply chains. Organizations must bolster their cybersecurity measures, ensure their supply chain contracts include robust security provisions and stay compliant with evolving regulations. Legal teams should prepare for complex liability issues and the intricacies of data breach notifications that arise from such multifaceted attacks.

Cybercriminals are increasingly using AI to automate and target their attacks. This allows them to carry out individualized mass phishing attacks tailored to their targets, not only greatly increasing the efficiency of the attacks, but also allowing well-organized threat actors to automatically create fake login pages that are virtually indistinguishable from the legitimate pages. Additionally, research has indicated that the use of AI will significantly improve the capability of threat actors to crack passwords.

AI also allows threat actors to replicate proofs of concept or other types of successful attacks more quickly. For example, if a zero-day vulnerability is identified, the amount of time for threat actors to identify and target companies with such vulnerabilities in their systems is becoming shorter.

The dwell time that threat actors are in a company’s systems is also decreasing, as AI allows threat actors to identify data that appears to be valuable more efficiently and thus extract that data more quickly.


As generative AI decreases attackers’ dwell time, it’s increasingly important to be prepared.

Megan Kayo, Partner

Conversely, AI can also help protect companies. AI can help identify and quarantine suspicious emails that may be phishing campaigns. Additionally, AI can detect vulnerabilities as well as malicious or anomalous activity within a company’s systems sooner.

While AI tools and systems can benefit companies, cybersecurity plays a crucial role in ensuring that AI systems are resilient to attempts by malicious third parties to alter the system’s behavior, performance or security properties by exploiting the system’s vulnerabilities. Cyberattacks against AI systems can exploit AI-specific assets, such as training data sets or trained models, but also vulnerabilities in the AI system’s (underlying) digital assets or the underlying ICT infrastructure. To address these risks, the EU AI Act requires certain high-risk AI systems to meet a specific cybersecurity standard.

The EU Digital Strategy comprises several pieces of cybersecurity legislation (eg the Cyber Resilience Act, the latest Network and Information Security directive (NIS2) and the Digital Operational Resilience Act (DORA)). For specific sectors, they impose various obligations including registration obligations, specific governance measures, obligations to take technical, operational and organizational measures to manage security risks, and specific reporting obligations for significant incidents. Companies in scope of NIS2 must submit an early warning within 24 hours of becoming aware of a significant incident, followed by a fuller incident notification within 72 hours and a final report within one month.

If a cyber incident affects individuals in several European Economic Area (EEA) countries, global companies engaged in cross-border data processing can often benefit from the so-called one-stop-shop mechanism. This allows them to deal with a single lead supervisory authority, for example when reporting a global data breach. Recently, the EDPB has clarified that under the EU’s GDPR, a legal entity which is the place of central administration of a group in the EEA can be considered as a main establishment only if it:

  • takes the decisions on the purposes and means of the processing of personal data in the EEA; and
  • has the power to implement these decisions.

In the UK, the trend is also towards increasing cyber security regulation. The new government plans to introduce a Cyber Security and Resilience Bill, which it says ‘will strengthen the UK’s cyber defences, ensure that critical infrastructure and the digital services that companies rely on are secure.’ The announcement comes after a number of recent high-profile cyberattacks in the UK, including on the National Health Service, Transport for London, the Ministry of Defence and the Royal Mail. While the details of the Bill remain to be seen, according to government briefing notes, the Bill will update the UK’s current Network and Information Systems (NIS) Regulations 2018, including by:

  • expanding their remit to protect more digital services and supply chains, beyond the ‘essential services’ and ‘digital service providers’ that are regulated by the current Regulations;
  • giving greater powers to regulators to proactively investigate potential vulnerabilities, and ensuring they are better funded; and
  • mandating increased incident reporting to give the government better data on cyberattacks, including specifically ransomware attacks.

The Bill follows the entry into effect of the UK’s Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023, which mandate baseline security requirements for manufacturers of consumer connectable products.

In the US, the adoption by Securities and Exchange Commission (SEC) of new cybersecurity disclosure rules marks a significant shift in how public companies must manage and report cybersecurity risks. US domestic issuers are required to disclose material cybersecurity incidents within four business days of determining a cybersecurity incident to be material (and foreign private issuers must do so ‘promptly’ in certain circumstances) and provide annual disclosures on their cybersecurity risk management, strategy and governance. To ensure clarity and consistency in reporting and avoid confusion in the marketplace, the SEC clarified that domestic issuers should only report material cybersecurity incidents under Item 1.05 of Form 8-K, and all others under other sections, such as Item 8.01. US domestic issuers must:

  • ensure a process is in place to escalate and carefully assess the materiality of cybersecurity incidents, considering both quantitative and qualitative factors, such as potential reputational harm and the likelihood of regulatory scrutiny; and
  • incorporate the new disclosure requirements into their overall risk management strategies, ensuring that they meet regulatory obligations and effectively mitigate potential risks associated with cybersecurity threats.


Companies are closely monitoring the SEC’s evolving cybersecurity regulations, paying particular attention to emerging enforcement trends and their impact on risk management and compliance.

Brock Dahl, Partner

Additionally, the US Federal Trade Commission (FTC) finalized updates to its Health Breach Notification Rule to expand the definition of breach to include unauthorized disclosures of information and to apply to additional health and wellness apps and technologies, such as apps that track fitness, fertility, sleep or diet. The FTC also amended its Safeguards Rule to incorporate reporting obligations for data breaches and other security events.

In recent months, the Court of Justice of the European Union (CJEU) has dealt extensively with claims for damages under Article 82 of the GDPR in connection with data breaches.

In this context, the CJEU clarified that:

  • data breaches do not lead to an irrebuttable presumption of inadequacy of security measures;
  • claims for damages require the existence of (material or immaterial) damage, which is a separate requirement from ‘breach of the GDPR’;
  • inconsequential losses of control over personal data do not constitute damage. However, non-material damages can arise if a data subject fears that their personal data could be misused by third parties as a result of the breach; and
  • while the term ‘damage’ does not provide for a certain threshold, there are two significant restrictions that in practice will impede compensation for fears as non-material damage: (i) fear ‘may,’ but need not, constitute damage; and (ii) the burden of proof to show that the fear can be considered ‘well-founded’ falls on the claimant.

In the UK, the Information Commissioner’s Office (ICO) has published new fining guidance on how it will exercise its fining powers for breaches of the UK GDPR. The guidance replaces the sections concerning penalty notices in the ICO’s Regulatory Action Policy, which was published in November 2018. While much of the guidance reflects existing practice, it includes certain clarifications relevant to UK GDPR breaches, including:

  • the ICO will adopt a five-step approach when calculating any fines, which involves: (i) assessing the infringement’s seriousness; (ii) ascertaining the organization’s turnover; (iii) determining a starting point for the fine having regard to seriousness and turnover; (iv) adjusting the amount for any aggravating and mitigating factors; and (v) calibrating the fine to ensure it is effective, proportionate and dissuasive;
  • in addition to ‘special category data’ and criminal convictions data, the ICO may consider affected location data, private communications, passport or driving license details and financial data to be sensitive when assessing the seriousness of the infringement, on the basis that these are likely to cause damage or distress to data subjects; and
  • among other factors, the ICO may consider the extent to which the organization cooperated with the regulator as an aggravating or mitigating factor. Cooperation that enables the investigation to be concluded significantly more quickly or effectively, or that significantly limits the resulting harms to data subjects may be considered a mitigating factor, although simply performing the legal duty of cooperating with the ICO (for example by responding to requests for information and attending meetings) will be viewed neutrally. On the other hand, persistent and repeated behavior that delays an investigation – including failures to meet deadlines without a reasonable excuse – may be an aggravating factor.


The good news is that there’s often lots that organizations and their legal advisers can do – both before and immediately after a cyber attack – to mitigate the harm caused.

Rhodri Thomas, Partner

Looking ahead

Cybersecurity regulations are tightening, and penalties for non-compliance are on the rise. As cybercriminals become more sophisticated in their use of AI, the need for companies to continually update and bolster their cybersecurity strategies has never been more urgent.

Staying ahead in this rapidly changing environment requires vigilance and adaptability. A strong, proactive cybersecurity strategy can make all the difference, helping you stay ahead of threats and minimize damage if a cyberattack occurs.
