Right To Know - July 2025, Vol. 31

July 16, 2025

Cyber, Privacy, and Technology Report

Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.

View previous issues and sign up to receive future newsletters by email here.

State Action: 

  • Texas Limits Punitive Damage Liability For Data Security Breach Actions: Texas enacted a law barring punitive damages in data breach actions against certain companies if they implement a compliant cybersecurity program. The law applies to companies that have fewer than 250 employees and that own or license sensitive personal information. Among other things, a compliant cybersecurity program must conform to “an industry-recognized cybersecurity framework,” which includes various NIST publications, frameworks published by the Center for Internet Security, the International Organization for Standardization, and others, as well as various federal law requirements. The law is effective September 1st.
  • Texas Governor Signs Texas Responsible Artificial Intelligence Governance Act into Law: Texas has forged forward with the enactment of legislation that looks to regulate and provide guardrails for the use of AI, even with a looming moratorium on such state activity from the federal government. The Texas Responsible Artificial Intelligence Governance Act (TRAIGA) requires state agencies to disclose when a citizen interacts with AI, and prohibits the use of AI to manipulate human behavior, to make discriminatory decisions, or to make deep fakes that exploit children. TRAIGA allows for per-violation penalties of up to $100k for misuses of AI, with some potential for lower fines for organizations that have made a good faith effort to comply with the law. The Texas Attorney General has exclusive enforcement authority. The new Texas law will go into force on January 1st.
  • Vermont Governor Signs Vermont Kids Code into Law: On Jun. 13th, Vermont Governor Phil Scott signed Senate Bill 69, also known as the Vermont Kids Code, into law, aiming to protect kids from “abusive” practices of social media companies. Among other things, the law prohibits companies from selling children’s data, prohibits parents and other adults from secretly tracking kids with apps, and prohibits adults from messaging children without their explicit and unambiguous permission. It also provides that social media companies must have push notifications disabled by default on children’s accounts. Several other states have passed similar laws, many of which are currently tied up in legal challenges over free speech concerns. Courts have temporarily blocked enforcement of some of these laws while litigation proceeds. Acknowledging these challenges, Governor Scott noted, “With ongoing lawsuits in other states, I recognize this new law will likely face a legal challenge. But I’m hopeful with the enactment of this law delayed until January 1, 2027, it will allow enough time to provide clarity and change the law if necessary.”

Regulatory: 

  • CISA and FBI Issue Updated Guidance on Play Ransomware: On Jun. 4th, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Australian Signals Directorate’s Australian Cyber Security Centre issued Updated Guidance on Play Ransomware, also known as Playcrypt. The FBI identified approximately 900 entities allegedly exploited by these ransomware actors from June 2022 through May 2025. This update includes recently and historically observed tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and recommended mitigations to help protect against this ransomware.
  • DOJ Alters Its Approach Towards Criminal Enforcement Involving Digital Assets: In accordance with the President’s Executive Order 14178 promoting the use of digital currency/crypto currency, the DOJ issued a memo memorializing a change in DOJ enforcement actions involving these digital assets. Under the new DOJ policy, instead of focusing on the imposition of existing regulations on crypto currency providers, DOJ enforcement will instead focus on “prosecuting individuals who victimize digital asset investors, or those who use digital assets in furtherance of criminal offenses such as terrorism, narcotics and human trafficking, organized crime, hacking, and cartel and gang financing.”
  • CISA and NSA Publish Joint Guide on Memory Safe Languages: On Jun. 24th, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) published a joint guide, Memory Safe Languages: Reducing Vulnerabilities in Modern Software Development, part of CISA’s Secure by Design Initiative. The guide follows earlier publications on software memory safety that are intended to identify risks and decrease memory-related vulnerabilities in software. The guide calls for reduction of these vulnerabilities through “understanding when MSLs [memory safe languages] are appropriate, knowing how to adopt them effectively, and recognizing where non-MSLs remain practical necessities.”
  • U.S. International Trade Administration Launches Global Cross-Border Privacy Rules and Global Privacy Recognition for Processors Systems: The U.S. International Trade Administration (“ITA”) launched international privacy certifications that are intended to provide a simple and transparent mechanism for companies to protect personal information as it moves across jurisdictions. Companies seeking the certification undergo assessments by approved accountability agents. Once certified, they can display a seal on their website showing that they are certified under the Global CBPR and/or Global PRP Systems. A list of companies certified to date can be found here.

Litigation & Enforcement: 

  • Illinois Appellate Court Affirms BIPA Class Certification: On Jun. 24th, the Illinois Appellate Court affirmed certification of an Illinois Biometric Information Privacy Act (BIPA) class action. The plaintiff alleged that the defendant improperly collected biometric information from employees through a timeclock system. The defendant argued that the class certification should be reversed because common issues did not predominate over individual issues — including what biometric information was collected, when the collection occurred, and preemption based on the existence of collective bargaining agreements. The court disagreed and allowed the class certification to stand.
  • Federal Court Vacates 2024 HIPAA Reproductive Health Privacy Rule: A U.S. District Court for the Northern District of Texas has vacated most of the 2024 amendments to the HIPAA Privacy Rule, which provided special protections for reproductive health care information. The court ruled that the Department of Health and Human Services (HHS) exceeded its statutory authority by limiting state child abuse reporting laws and redefining key statutory terms. The court also cited the “major questions doctrine” for intruding into a politically significant domain, such as abortion and gender-transition procedures. As a result, HIPAA-covered entities must reassess policies, procedures, and training programs related to reproductive health information.
  • Proposed Class Action Against Abbott Laboratories for Allegedly Violating GIPA: A plaintiff brought a proposed class action lawsuit against Abbott Laboratories in the U.S. District Court for the Northern District of Illinois. The complaint alleges that Abbott violated the Illinois Genetic Information Privacy Act (GIPA), which prohibits employers from requesting or collecting genetic information during the hiring process. The plaintiff alleged that when he applied for jobs with Abbott, and during the application process, he was required to answer questions about his family medical history. The plaintiff asserts that such inquiries constitute a direct violation of GIPA. The lawsuit seeks to represent a class of similarly affected job applicants and demands statutory relief, including damages.
  • AT&T Settles Multiple Data Breach Class Actions for $177 Million: A U.S. District Judge in Dallas has given preliminary approval to AT&T’s $177 million settlement, resolving multiple class-action lawsuits over data breaches in 2024 that exposed personal information of tens of millions of users. Under the deal, affected customers may receive up to $2,500 or $5,000, with any remaining funds redistributed to others whose data was accessed. The settlement covers a 2022 leak of around 109 million customer call and text logs from Snowflake’s cloud platform, plus a separate incident from March 2024 affecting about 7.6 million active and 65.4 million former customers.

Industry Updates: 

  • U.S. Department of Homeland Security Issues Bulletin Regarding Potential Iranian Cyber Attacks: On Jun. 22nd, the U.S. Department of Homeland Security (“DHS”) issued a National Terrorism Advisory Bulletin that highlights the possibility of Iran launching attacks inside the United States in retaliation for the United States’ military action. Along with a discussion of Iran’s previous attempted terrorist attacks inside the United States, it notes that Iran and Iranian-aligned hacktivist groups have a history of cyberattacks against the United States and that these are likely to continue.
  • Qilin Ransomware Adds Fake Legal Support to Platform: According to recent reports, the Qilin ransomware-as-a-service (RaaS) group has added a new “Call a Lawyer” feature to its affiliate dashboard, allowing cybercriminals to introduce supposed legal counsel during ransom negotiations. The intent appears to be to pressure victims by outlining potential regulatory penalties and legal exposure tied to the stolen data. The “lawyers” can then step in to help negotiate by explaining how Qilin can inflict the maximum damage if a ransom is not paid. The feature is unlikely to involve real legal professionals and appears to be more of a marketing tactic aimed at affiliates than a genuine offer of legal support.
  • FTC Has Issued FAQs for Auto Dealers to Comply with the Safeguards Rule: The FTC recently published FAQs to guide automobile dealers in complying with the FTC’s amended Safeguards Rule. This rule applies to most auto dealers that finance or lease vehicles, categorizing them as financial institutions. The rule requires dealers to implement a comprehensive written information security program that includes conducting thorough risk assessments, designing and monitoring robust security controls, implementing multi-factor authentication or similar risk mitigation measures, and continuously testing safeguards through vulnerability assessments or continuous monitoring. Dealers must also appoint a qualified individual responsible for overseeing the program and reporting annually to senior leadership or the company’s board of directors. The FTC Safeguards Rule also requires dealers to notify the FTC within 30 days of a breach affecting 500 or more consumers, even if the information wasn’t misused. Dealers are also responsible for third-party vendor security, requiring contracts ensuring vendor safeguards and periodic vendor assessments. Finally, the rule requires a detailed incident response plan and ongoing employee training to ensure staff and service providers can recognize and report security issues.
  • Ransomware Attack at NHS Linked to Patient’s Death: A ransomware attack on NHS blood services and GP surgeries in London, which occurred on Jun. 3rd, has reportedly been linked to the death of a patient at King’s College Hospital. The cyberattack disrupted more than 10,000 appointments and caused delays in critical services, including pathology tests. The affected blood test results, managed by Synnovis, a laboratory services agency for NHS trusts and GPs in southeast London, were stolen during the attack. A spokesperson for King’s College Hospital confirmed that the patient’s death was “unexpected” and that several factors contributed to the incident, including a prolonged wait for a blood test result, which was impacted by the cyberattack.
  • DOJ Announces Actions to Disrupt North Korea IT Worker Scheme: The Department of Justice (DOJ) has taken actions against the Democratic People’s Republic of Korea (DPRK) government for its scheme to use stolen identities to obtain remote information technology work from U.S. companies. The actions taken include two indictments, an arrest, and multiple searches and seizures across sixteen states, including the takedown of multiple laptop farms, websites, and financial accounts that were used to further the scheme and launder the money obtained. The DOJ further alleged that the North Korean actors were aided by individuals in the United States, China, the UAE, and Taiwan.

International Updates: 

  • EU Adopts Revised Cybersecurity Incident Blueprint: The Council of the European Union has adopted a revised guidance framework on how the EU, its member states, and associated entities will handle large-scale cybersecurity incidents. It marks a shift towards operational alignment, co-ordination and harmonisation across the EU as it faces a rapidly developing threat landscape. The framework reflects the fact that most incidents do not readily recognise national borders, and having a go-to guide for best practice on communication, roles and responsibilities, and co-ordination is a necessary evolution in the EU’s threat posture. Included in the Blueprint is a workflow from detection to recovery and a series of escalation stages from level 0 (normal) to level 4 (crisis), a form of reversed “Defcon” setup. Elements of the Blueprint build on transnational co-ordination infrastructure established under the NIS2 Directive (Article 16, for example).
  • Ireland’s Cyber Security Centre Joins Cyber Fundamentals Framework: Building on the work initiated and developed by the Centre for Cybersecurity Belgium, the National Cyber Security Centre (Ireland) has joined the Cyber Fundamentals Framework (CyFun), designed to act as a certification or self-assessment regime to assist entities seeking to build their cybersecurity stance to comply with the EU’s NIS2 Directive (Network and Information Security Directive 2022/2555). It is based on NIST CSF 2.0 (due September this year) and is a voluntary tool and framework. Given the likely path of enforcement actions in respect of NIS2, having a documented and active compliance regime is key; adherence by in-scope entities to an international framework will be a useful enabler for business, particularly in a supply-chain context and given the additional vendor due diligence we are likely to see in the coming months and years.
  • Israel/Iranian Cyber War Heats Up: Israeli-Linked Cyber Group “Destroys” $90 Million in Crypto Held by Iranian Crypto Exchange: Predatory Sparrow, an Israeli-linked cyber group, infiltrated Iranian crypto exchange Nobitex and “destroyed” approximately $90 million worth of crypto assets by sending them to non-recoverable crypto wallets. In its reasoning for this attack, Predatory Sparrow accused the exchange of enabling sanctions violations and assisting in financing Iranian-sponsored terror groups. Predatory Sparrow has also claimed to have taken Bank Sepah, one of Iran’s largest state-run banks, offline.

This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.