Privacy and Cybersecurity in 2025: What You Need to Know

As we enter 2025, the privacy and cyber security landscape is transforming significantly. Organizations face new challenges and responsibilities in protecting sensitive data, ranging from state-level privacy laws to international enforcement actions.
State Privacy Laws Expand Their Reach
The beginning of 2025 marks an important shift in U.S. privacy regulations, with five states—Delaware, Iowa, Nebraska, New Hampshire, and New Jersey—introducing comprehensive privacy laws. These regulations, effective January 1 for most states and January 15 for New Jersey, emphasize regulatory enforcement rather than allowing individuals to file lawsuits for data breaches.
Businesses operating in these states must now comply with stricter data protection rules, ensuring better security practices and more transparency. Although there are no direct avenues for individuals to sue companies under these laws, they set a strong precedent for privacy protections across the country.
Regulatory:
1. OCR Proposes Amendments to HIPAA Security Rule:
Healthcare organizations are facing stricter regulations as the U.S. Department of Health and Human Services (HHS) proposes significant updates to the HIPAA Security Rule, aimed at strengthening safeguards against cyber threats.
Key proposed changes include:
- Mandatory implementation of all security measures specified under the rule.
- Regular and comprehensive documentation of security practices.
- Detailed risk assessments to identify and address vulnerabilities.
- Annual compliance audits to ensure continued adherence to security protocols.
- Development of technology asset inventories and network maps.
- Rapid incident response plans to restore lost systems or data within 72 hours of a cyberattack.
These changes aim to protect sensitive health information and help organizations respond swiftly to cyber threats, ensuring patients’ data remains secure.
2. CISA Releases Best Practice Guidance for Mobile Communications: On December 18, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) issued “Mobile Communications Best Practice Guidance” for “highly targeted” individuals in response to cyber espionage by China targeting commercial telecommunications carriers.
Federal Agencies Take Bold Steps Against Modern Threats

Federal regulators are actively responding to evolving digital threats. The Cybersecurity and Infrastructure Security Agency (CISA) released best practice guidelines for mobile communications, particularly aimed at individuals who are highly targeted by cyber espionage activities. This comes in response to reports of cyberattacks, including those allegedly linked to state actors.
Additionally, the FBI has issued warnings about the growing misuse of Artificial Intelligence (AI) by cybercriminals. Fraudsters are now using AI-generated content—such as realistic-looking images, voices, and videos—to conduct financial scams and identity theft.
To counter these threats, businesses and individuals are encouraged to adopt end-to-end encryption and phishing-resistant authentication methods to protect their sensitive information.
Major Legal Battles Shape Digital Privacy
Several high-profile legal cases in 2025 will influence how digital privacy is regulated and enforced. Some of the most noteworthy developments include:
- TikTok’s Future in the U.S.: TikTok temporarily suspended its services in the U.S. on January 18, 2025. However, following an executive order signed by President Donald Trump on January 20, 2025, enforcement of the ban has been delayed by 75 days to explore potential resolutions, including the possibility of a joint venture with U.S. ownership. This decision could have major implications for social media platforms handling user data.
- Marriott International Case: The Federal Trade Commission (FTC) has ordered Marriott to implement a rigorous Information Security Program after a major data breach exposed sensitive customer information, setting a precedent for accountability in the hospitality industry.
- NSO Group and Spyware Violations: A U.S. District Court has found the surveillance technology company NSO Group liable for installing spyware on WhatsApp users’ devices without consent. This ruling underscores the importance of ethical data usage and protection.
- Healthcare Data Breaches: Gulf Coast Pain Consultants received a $1.19 million penalty for failing to prevent a data breach that exposed the health information of 34,000 individuals, highlighting the severe consequences of inadequate data protection.
- FTC Action Against Location Data Misuse: The agency has also banned analytics firm Mobilewalla from collecting and selling sensitive location data, signaling increased regulatory scrutiny over how companies handle personal information.
Global Privacy Enforcement Intensifies
On the international front, privacy enforcement is becoming stricter. Some key global actions include:
- Italy’s privacy regulator fined OpenAI €15 million for violations related to ChatGPT and imposed a public awareness campaign to educate users on their data rights.
- The European Data Protection Board has issued new guidelines to regulate data transfers between countries and ensure compliance with AI model developments.
- Netflix was fined €4.75 million by Dutch authorities for failing to be transparent about how it collects and uses customer data.
These international efforts reflect a growing demand for greater accountability and transparency in data handling practices worldwide.
Recent Cyber Security Incidents
Here are some recent cybersecurity incidents that highlight the evolving nature of cyber threats:
- In 2024, the Chinese hacking group known as Salt Typhoon infiltrated major U.S. telecommunications companies, including AT&T and Verizon. This breach allowed them to access private communications and geolocate millions of Americans, including high-profile political figures.
- In December 2024, the U.S. Department of the Treasury disclosed a significant security breach attributed to Chinese state-sponsored actors. Hackers accessed unclassified documents by exploiting vulnerabilities in a remote support platform, highlighting the risks associated with third-party software.
- In 2024, the U.S. healthcare sector faced a staggering number of data breaches, with 720 reported incidents compromising a total of 186 million user records, according to data from the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR). These breaches exposed sensitive personal information such as names, Social Security numbers, medical and financial details, and insurance information. The most significant breach involved Change Healthcare, where a ransomware attack compromised the data of nearly 100 million individuals.
- The Clop ransomware group has exploited vulnerabilities in widely used file transfer software, affecting thousands of organizations and compromising sensitive data.
- Rhode Island’s social services system fell victim to a ransomware attack by the Brain Cipher group, potentially impacting over 650,000 residents, demonstrating the increasing risks faced by public sector institutions.
- An alarming insider threat was uncovered when a U.S. Army soldier was arrested in connection with a major data breach involving the Snowflake cloud platform, revealing the complexity of modern cybersecurity challenges.
These events serve as a reminder for businesses and governments to stay proactive in their cybersecurity strategies.
As we progress through 2025, organizations must navigate this complex landscape by strengthening their privacy and security measures, staying informed about regulatory changes, and preparing for increased scrutiny from both domestic and international authorities. The convergence of state privacy laws, AI-enabled threats, and aggressive enforcement actions creates a challenging but necessary environment for protecting personal data in our increasingly connected world.
–Tishya Sharma, Lawyer, Content Developer