Right To Know - November 2025, Vol. 35

November 19, 2025

Cyber, Privacy, and Technology Report

Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.

View previous issues and sign up to receive future newsletters by email here. 

Litigation & Enforcement: 

  • LinkedIn Use for Juror Research Results in Fine: On Oct. 28th, a judge in the Northern District of California issued a sanction against Alston & Bird for violating his standing order on performing social media research on jurors. Judge William Orrick stated that he “believes strongly in the right to privacy,” and fined the law firm $10,000 because one of its consultants used LinkedIn to gather information about prospective jurors. While the judge recognized the public nature of such information, his concern focused on the automatic notification a prospective juror would receive from LinkedIn that his or her information was searched. The judge did recognize that he “may be one of only a few judges who consider automatic notifications on LinkedIn to be juror contact.” You can view the Judge’s relevant standing order on Juror Questionnaires and Social Media Research here.

Industry Updates: 

  • The Rate of Ransomware Ransom Payments Plummets: According to Coveware (a firm that specializes in ransomware negotiations and payments), “ransom payment rates across all impact scenarios — encryption, data exfiltration, and other extortion — fell to a historical low of 23% in Q3 2025.” While this data only reflects the entities that engage with Coveware, it is consistent with the experience of the cybersecurity attorneys at Clark Hill as well — not making a ransom payment in the wake of a ransomware attack is now the norm. Making a ransom payment does not absolve an organization of the legal obligations that result from a ransomware incident, and the organization should at least have a preliminary discussion with an attorney specializing in ransomware incidents. To do so, please contact Rick Halm at rhalm@clarkhill.com or your Clark Hill cybersecurity attorney.
  • ISO Updates Standard for Privacy Information Management Systems: During October, the International Organization for Standardization (ISO) released an updated edition of ISO/IEC 27701:2025 that specifies international consensus requirements for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). A major change is that it provides for a standalone PIMS. The 2019 edition required businesses and organizations to have an ISO/IEC 27001 Information Security Management System (ISMS) in order to have a PIMS that complies with the standard. Under the updated requirements, businesses can now have a compliant PIMS, ISMS, or both. As with other ISO/IEC security and privacy standards, businesses and organizations can either use the standards as guides or obtain third-party certification of compliance. The updated standard includes control objectives and controls for PII controllers and PII processors and security considerations for both.
  • ShinyHunters Hacking Group Launches Global Corporate Extortion Spree, Targeting Hundreds of Firms: Krebs on Security reported that the hacking group ShinyHunters has launched a wide-ranging corporate extortion campaign, targeting hundreds of organizations worldwide. The group is demanding payment to prevent the release of stolen data obtained through prior intrusions and breaches, in what appears to be one of the most coordinated data-leak threats seen in recent years. Victims reportedly include major corporations across sectors such as finance, retail, and healthcare. ShinyHunters is known for selling or leaking data on dark-web markets and has previously been linked to several high-profile breaches. This recent wave suggests a shift toward mass-scale ransomless extortion, where the attackers threaten exposure without encrypting systems.

Regulatory:

  • FCC Announces Vote to Undo Cybersecurity Declaration: In a Halloween blog post, Brendan Carr, the Chairman of the Federal Communications Commission (the “FCC”), announced his plan to hold a vote at November’s meeting to eliminate a declaration that telecom companies have a responsibility “to secure their networks from unlawful access or interception of communications.” This declaration was passed in the waning hours of the Biden administration in response to Chinese hackers gaining unprecedented access to every major telecom company’s internal network for months.
  • New NYDFS Cybersecurity Rules Effective November 1: Mandatory MFA and Written Policy Requirements: Effective Nov. 1st, the amended NYDFS Cybersecurity Regulation (23 NYCRR Part 500) requires covered entities to fully implement multi-factor authentication (MFA) across all information systems. In addition, all covered entities are now required to implement written policies and procedures to maintain a complete and accurate asset inventory of their information systems that includes, among other things, tracking ownership and location.
  • CISA, NSA and International Partners Publish Best Practices for Securing Microsoft Exchange Servers: On Oct. 30th, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and international partners published “Microsoft Exchange Server Security Best Practices” to provide guidance on hardening on-premises Exchange servers against exploitation. The recommended best practices include hardening user authentication and access controls (including multifactor authentication), ensuring strong network encryption, and minimizing application attack surfaces. They also include adopting a Zero Trust architecture, applying Microsoft’s Exchange Emergency Mitigation service, and migrating from unsupported, end-of-life server versions to either a supported on-premises version or a cloud-based alternative.
  • AppLovin Faces SEC Scrutiny Over Data Practices and AI Ad Engine: AppLovin’s shares plunged after a Bloomberg report revealed that the SEC is investigating the mobile advertising company’s data-collection practices. The probe reportedly stems from a whistleblower complaint and several short-seller reports alleging that AppLovin may have violated agreements by pushing targeted ads without proper consent. While the SEC has not accused the company or its executives of wrongdoing, the news caused AppLovin’s stock to fall 14% in regular trading and another 5% after hours. The company stated it regularly engages with regulators and would disclose any material developments publicly. The investigation follows months of criticism from short-sellers who have accused AppLovin of using its AI-driven AXON software to improperly collect user data. Despite these controversies, AppLovin’s stock had surged over 700% in 2024 and 80% this year, leading to its recent addition to the S&P 500.
  • Joint Operational Technology Guidance Issued by US and UK: The United States’ Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the United Kingdom’s National Cyber Security Centre, the Australian Signals Directorate’s Australian Cyber Security Centre, the Canadian Centre for Cyber Security, New Zealand’s National Cyber Security Centre, the Netherlands National Cyber Security Centre, and Germany’s Federal Office for Information Security have issued new joint guidance on how to better secure operational technology (OT) systems. The guidance provides a framework for OT system owners and operators to better understand their increasingly complex and integrated systems, and helps address asset transparency, third-party risk, and operational resilience across interconnected digital and physical systems. This demonstrates a continued international focus on critical infrastructure and operational resilience in critical industries.

State Action:

  • California’s New Law Imposes 30-Day Breach Notification Deadline Starting January 2026: California has enacted Senate Bill 446, signed by Governor Gavin Newsom, which amends the state’s data breach notification law to establish strict new reporting timelines. Beginning Jan. 1st, 2026, businesses must notify affected California residents within 30 calendar days of discovering a security incident involving personal information. For incidents affecting more than 500 residents, notice to the California Attorney General must be provided within 15 calendar days of the consumer notice. The amendment allows limited exceptions for law enforcement needs or when necessary to determine the scope of the incident and restore system integrity.
  • California AG Bonta Reaches $530,000 CCPA Settlement with Sling TV in First Streaming-Sweep Enforcement: California Attorney General Rob Bonta announced a $530,000 settlement with Sling TV LLC and Dish Media Sales LLC for alleged violations of the California Consumer Privacy Act (CCPA). Following a 2024 California DOJ sweep of streaming services, investigators found Sling TV misdirected consumers seeking to opt out of sale or sharing—by conflating cookie settings with CCPA rights, burying an embedded webform, requiring duplicative identity fields from logged-in users, and omitting in-app opt-out tools on living-room devices. Under the proposed settlement, Sling TV must make opt-outs easy and minimally burdensome, provide in-app opt-out mechanisms, stop routing users to cookie preferences, and stop requiring logged-in consumers to complete webforms. The company must also improve children’s privacy: enable parent-designated kids’ profiles that default off sale/sharing and targeted ads; and provide disclosures and parental tools. The action, part of Bonta’s CCPA enforcement, is the first result from the streaming-services sweep and the fifth CCPA settlement.
  • Amended CCPA Requires Browsers to Allow Consumers to Opt-Out of Personal Data Use/Sharing: Starting Jan. 1st, 2027, California will require web browsers to include a setting a consumer can use to send an “opt-out preference signal” to communicate their decision not to have their personal data sold or shared. The browser must make this opt-out signal functionality easy to find and configure and disclose publicly how it works and its effect. A browser developer or maintainer that implements this functionality is immune from liability if another business fails to honor the signal. The California Privacy Protection Agency is authorized to adopt regulations to implement and enforce these requirements.
  • FL AG Files Complaint Against Roku Over Privacy Misuse: On Oct. 13th, Florida’s Attorney General filed a civil complaint against Roku, alleging it violated the Florida Digital Bill of Rights and the Florida Deceptive and Unfair Trade Practices Act. The complaint alleges Roku collected, sold, and enabled reidentification of children’s sensitive personal data (including viewing habits and voice recordings) without parental consent or adequate notice. The complaint further claims Roku misrepresented the strength of its privacy controls and opt-out tools and failed to perform reasonable age verification to prevent children’s data from being processed unlawfully. The Attorney General seeks civil penalties, injunctive relief, and orders compelling Roku to provide clearer disclosures, implement lawful parental control mechanisms, and cease the unauthorized processing or sale of children’s data. In support of its claims, the state points to Roku’s relationships with data brokers (such as Kochava) and argues that Roku’s failure to isolate or prevent linkage of de-identified data enables children’s personal information to be re-identified and monetized. The action again emphasizes the importance of ensuring compliance with the law when collecting consumer data, particularly that of children.

International Updates:

  • Ontario Court Denies Class Certification in Facebook Privacy Case: On Oct. 24th, the Ontario Superior Court of Justice denied class certification to claims alleging Facebook improperly shared users’ data with third parties. Among other reasons, the Court found that the class definition was not workable, individual issues precluded the finding that a claim for nominal damages supplied the necessary common issue, and a class action was not the preferable procedure under applicable law. The Court also awarded Facebook its costs.
  • EU Cybersecurity Month: The European Commission has used October as Cybersecurity Month to promote its ProtectEU internal security strategy, with a focus on cybersecurity and resilience. Within this strategy are included the implementation of the Cybersecurity Act and the NIS2 Directive, strengthening ENISA (the EU’s cybersecurity agency), quantum communication infrastructure, and promoting the European Cybercrime Centre (EC3) based in the Hague.
  • New Zealand Enacts IPP3A: Notice for Indirect Data Collection: New Zealand’s Privacy Amendment Act 2025 is now law. It amends the Privacy Act 2020 by adding Information Privacy Principle 3A (IPP3A). Beginning May 1st, 2026, organizations must take reasonable steps to notify individuals when their personal information is collected indirectly, including the purpose, intended recipients, the collecting and holding agencies, any legal authority, and rights to access/correct. No notice is required if the person already knows, if skipping notice won’t prejudice them, if data won’t be used in identifiable form, if the data is sourced publicly, if notice isn’t reasonably practicable, if notice would undermine the purpose (e.g., a fraud inquiry), or if notice would pose a serious health/safety threat. Collection by a service provider acting solely as the organization’s agent is treated as direct collection, so IPP3A doesn’t apply. The OPC will issue guidance in 2025 and review Codes of Practice. The reform advances transparency and aligns with Australia, the UK, and Europe.
  • EU Court Sets Out When Pseudonymized Data is not Personal Data Under the GDPR: In European Data Protection Supervisor v Single Resolution Board (C-41/23 P), the Court of Justice of the European Union (ECJ) clarified, among other issues, when pseudonymized data is considered “personal data” under the General Data Protection Regulation (GDPR). The ECJ found that:
  1. Personal opinions relate to the person expressing the opinion and can be considered personal data.
  2. Pseudonymised data, where the pseudonymisation is effective in preventing identification of the data subject, will not be regarded as personal data unless the recipient of the data can reasonably reidentify the individuals with the information available to it, including the pseudonymized data or other available data sources, and the technology on hand, among other factors.
  3. For notice provisions under GDPR, identifiability of the data subject has to be assessed at the time of data collection.

While this narrowing of what is and is not personal data can provide organizations additional options for the creation and sharing of pseudonymized data, questions remain as to intra-group or controller-to-processor sharing of pseudonymised data, bearing in mind that the recipient may in those circumstances be in a position to render the pseudonymisation ineffective. Put another way, data can still be protected personal data under the GDPR even if the information needed to identify the individual is not all in the hands of one party.

This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.