Cybersecurity and privacy priorities for 2026: The legal risk map

Escalating cybersecurity threats and growing privacy concerns lurk around every corner these days. Evolving technology and mounting regulations continue to present both the perils and the solutions. All players, public and private, organizations and individuals alike, must conquer the next quest in this realm.

In the most recent Annual Litigation Trends Survey by Norton Rose Fulbright, nearly four in 10 corporate counsel respondents stated that their business’s exposure to cybersecurity and privacy disputes deepened in 2025. The actual increase in exposure also surpassed the already high expectations from the year before. Cybersecurity and privacy even claimed the fastest-rising class action hotspot.

Treading such treacherous waters requires constant education and setting appropriate priorities. Here are the key drivers of cybersecurity and privacy legal exposure that deserve the utmost attention:

State-sponsored actors emboldened by sophisticated technology

Heading into 2026, rising geopolitical tensions across the globe further intensify conflicts in the digital space. The latest developments in the Middle East have only added fuel to the long-standing cyber battlegrounds. The pressure to defend against state-sponsored threat actors had already reached its peak in recent years, especially for the critical infrastructure sector. Given the additional tensions and interconnected nature of today’s digital systems through supply chains and data-sharing relationships, it will be difficult to find a sanctuary anytime soon no matter the industry.

State-sponsored threat actors operate with high sophistication, leveraging the latest technology, including AI, to launch attacks and maximize potential impact. Their malicious activities often result in disruption of essential services, data theft and/or illicit revenue generation. Their quick adoption of the latest tools emboldens attacker moves, whereas defenders pursue a more measured approach to adoption and thus take more time.

Furthermore, preparing for and responding to these threats is demanding not only in and of itself, but also because of the additional legal obstacles that follow: various types of cybersecurity and privacy disputes may ensue, and those may expose additional compliance gaps.

Continued federal interest in cybersecurity and privacy, especially in connection with national security concerns

The evident connection between cybersecurity and privacy and national security has led to a number of federal initiatives in recent years. Most recently, in March 2026, the White House announced the current administration’s Cyber Strategy for America, renewing a commitment to strengthening the country’s cybersecurity posture.

In 2025, the U.S. Department of Justice Data Security Program went into effect to govern certain categories of data transactions with countries of concern and covered persons as defined. Although there have been delays in the rulemaking following the passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), CISA originally planned to hold town hall meetings this spring regarding the CIRCIA proposed rules from 2024.

When it comes to enforcement, the Department of Justice has indicated that its focus on cybersecurity remains strong, especially with respect to the Civil Cyber-Fraud Initiative, which utilizes the False Claims Act to pursue fraud related to cybersecurity by government contractors and grant recipients.

Although the U.S. Securities and Exchange Commission has been less active in this space lately, the Federal Trade Commission has shown some signs of interest. In February 2026 alone, it warned data brokers of noncompliance with the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA) and held a Workshop on Consumer Injuries and Benefits in the Data-Driven Economy, exploring the potential implications of empirical evidence of injuries and benefits for enforcement decisions and judicial review outcomes.

Despite the remaining uncertainties around specific guidance and direction, it is fair to conclude that the federal pressure is still on, especially for organizations that deal with the federal government as a service provider or partner receiving sensitive information belonging to the government and/or American individuals.

Coordinated efforts from state government agencies

As organizations hustle to keep up with the rapidly developing cybersecurity threat landscape and federal government agencies prioritize a subset of issues, state government agencies are diversifying their options to fill any regulatory and enforcement gaps.

California leads the way with the newly effective regulations under the California Consumer Privacy Act (CCPA), including the requirement that certain businesses conduct comprehensive annual cybersecurity audits spanning 18 components ranging from multi-factor authentication (MFA) to incident response management. The New York Department of Financial Services had earlier bolstered its cybersecurity requirements for financial services companies under 23 NYCRR 500, with its most recent MFA guidance announced in February 2026.

On the privacy front, state regulators are finding ways to collaborate despite the challenges stemming from the ever-expanding web of federal and state laws. In 2025, several state regulators formed a bipartisan Consortium of Privacy Regulators “to share expertise and resources, as well as coordinate efforts to investigate potential violations of applicable laws.” Consortium members, including the California Privacy Protection Agency, are investing in resources to implement and enforce the laws and regulations, poised to continue addressing consumer privacy rights ranging from opt-outs to data broker oversight. Looking ahead, state regulators and enforcers are expected to solidify and expand the exchange across state and national borders and to address common privacy concerns such as children’s privacy and dynamic pricing, also referred to as algorithmic or “surveillance pricing”, as part of consumer protection initiatives. As threat actors become more sophisticated, so will the defenses, the governing laws and their enforcers.

Heightened risk associated with third-party service providers

Notably, state regulators recognize the importance of third-party risk management, as many incidents occur in the third-party service provider or vendor environment. Management of third parties is also a key component of the CCPA regulations. Prior federal regulations and guidance, too, reflect this emphasis. For example, the Securities and Exchange Commission’s Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure requirements include managing risks posed by third-party service providers. The Federal Communications Commission named third-party risk evaluation as one of the eight core best practices for preventing and mitigating ransomware attacks in its January 2026 Public Notice.

In the age of endless supply chain attacks, a strong cybersecurity program involves an established process for identifying and managing risks from third-party service providers. Demonstrating effective third-party risk management in this context is not limited to preparing the paperwork alone. It also means understanding and monitoring the actual practices of the third-party service providers at hand and continuing to seek further improvements.

Growing seeds of conflict — whistleblowers and creative litigants

The days when only widely publicized data breaches led to relatively simple class action lawsuits are far behind us. There has been a proliferation of cybersecurity and privacy claims, driven by the increasing number of laws and regulations alongside creative arguments manifested in government enforcement initiatives, strike forces and lawsuits that make use of broad interpretations of old laws.

The False Claims Act, originally of the Civil War era, illustrates this point. The federal government (and state governments, under their corresponding laws) may rely on private whistleblowers who make qui tam filings on behalf of the government under this law. In fact, the Department of Justice is looking to rely on whistleblowers as key sources for detecting potential noncompliance related to cybersecurity. State regulators are evaluating how this approach may be replicated not only under state False Claims Acts, but under other state laws as well. Many state regulators rely heavily on consumer complaints in setting their agendas. As the world becomes more cybersecurity- and privacy-conscious, inaccurate statements about cybersecurity and privacy are projected to have greater impact.

It is no longer a surprise to see organizations simultaneously face cybersecurity attacks, immediately filed class action lawsuits and investigations based on whistleblower allegations. Without strategic development and refinement of processes to identify, escalate and investigate cybersecurity and privacy concerns as appropriate, organizations may easily get swept into a whirlwind of legal troubles.

These trends call for organizations to take a moment and assess where they stand in their cybersecurity and privacy journey. Consider going back to the basics and asking some fundamental questions:

What information does the organization handle?

How is the information used? With whom is it shared?

What measures are in place to safeguard that information?

What cybersecurity and privacy obligations does the organization carry?

Who is responsible for identifying and performing these obligations?

How does the organization raise awareness and train appropriate personnel?

What statements does the organization make regarding its cybersecurity and privacy practices?

How are cybersecurity and privacy concerns raised and investigated?

How does the organization identify and implement areas for improvement?

Who oversees cybersecurity and risk management? How?

If the answer to any of these questions is unclear, it is time to roll up the sleeves and prioritize the to-do list.

This article is published as part of the Foundry Expert Contributor Network.