Right To Know - October 2025, Vol. 34
Cyber, Privacy, and Technology Report
Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.
View previous issues and sign up to receive future newsletters by email here.
Litigation & Enforcement:
- California Privacy Protection Agency Announces $1.35 Million Fine: The California Privacy Protection Agency (“CCPA”) on Sept. 26th adopted a stipulated final order requiring Tractor Supply Company to, among other things, pay an administrative fine of $1.35 million. The CCPA claimed that, among other things, Tractor Supply’s “Do Not Sell” mechanism was not effective, and that Tractor Supply disclosed consumers’ personal information to other entities without proper contracts in place. In addition to the fine, Tractor Supply agreed to implement remedial measures and annually certify compliance for the next four years.
Industry Updates:
- CISA Tells Federal Agencies to Address Cisco Vulnerabilities Immediately: CISA issued Emergency Directive ED 25-03, titled “Identify and Mitigate Potential Compromise of Cisco Devices,” on Sept. 25th. This Emergency Directive directs all federal agencies to identify all Cisco ASA and Cisco Firepower devices and transmit their logs to CISA by the next day for analysis. This Emergency Directive relates to CVE-2025-20333 and CVE-2025-20362, which are being actively exploited by ArcaneDoor.
- Funding Ends for Key Public Sector Cybersecurity Group: CISA acknowledged that it was ending its agreement to support the Multi-State Information Sharing and Analysis Center (MS-ISAC). The MS-ISAC acted as a key knowledge-sharing source for U.S. public sector entities, the vast majority of which are at the state, local, tribal, and territorial government levels. Funding was not allocated in the most recent government funding bill passed by Congress. CISA’s release highlights support to these areas through CISA directly.
Regulatory:
- NIST Publishes Revised Guidelines for Media Sanitization: On Sept. 26th, the National Institute of Standards and Technology (NIST) announced the release of Special Publication (SP) 800-88r2 (Revision 2), Guidelines for Media Sanitization. Over the years, various studies have found confidential and sensitive information on sold or discarded computers, servers, hard drives, and other storage media. The studies have included devices from government agencies, financial institutions, healthcare providers, and others. Media sanitization makes the data inaccessible before a device is sold or discarded. The publication provides guidance for setting up a media sanitization program with proper methods and controls for sanitization and disposal based on the sensitivity of the information. It aligns media sanitization with cybersecurity standards (e.g., SP 800-53, ISO/IEC 27040), updates certain sanitization methods, and addresses trust in vendors’ implementation of sanitization techniques. It also addresses sanitization techniques and tools that comply with IEEE 2883, National Security Agency specifications, and organizationally approved standards. Media sanitization is an important consideration for businesses and organizations of all sizes to protect confidentiality and privacy.
- CISA Releases Advisory on Lessons Learned from an Incident Response Engagement: On Sept. 23rd, the Cybersecurity and Infrastructure Security Agency released a cybersecurity advisory discussing lessons learned from an incident response at a federal civilian executive branch agency. The response occurred after the agency identified potential malicious activity through security alerts generated by its endpoint detection and response (EDR) tool. CISA discovered that threat actors compromised the agency by exploiting a vulnerability in a GeoServer instance. Based on the lessons from this response, CISA recommends that agencies (1) prioritize patch management by expediting patching of critical vulnerabilities, (2) strengthen incident response plans, and (3) enhance threat monitoring. The advisory also explains the threat actors’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs).
- HHS OCR Settles HIPAA Investigation Against Cadia Healthcare Facilities for Unauthorized Patient PHI Disclosures: The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with Cadia Healthcare Facilities, a group of Delaware-based rehabilitation, skilled nursing, and long-term care providers, for potential violations of the HIPAA Privacy and Breach Notification Rules. The investigation arose after a complaint in September 2021 alleged that Cadia Healthcare posted a patient’s name, photograph, and treatment information as a “success story” on its public website without obtaining valid HIPAA authorization. OCR’s review found that the facility had disclosed the protected health information (PHI) of 150 patients through its website and social media without proper authorizations, failed to implement adequate safeguards, and did not provide breach notifications to affected individuals. Under the settlement, Cadia agreed to a corrective action plan monitored by OCR for two years and paid $182,000. The agreement also requires revising HIPAA policies and procedures, training workforce members, including marketing staff, on HIPAA compliance, and notifying affected patients of the unauthorized disclosures. OCR emphasized that valid written authorization is generally required before posting PHI online.
- HHS OIG and ONC Issue Enforcement Alert to Intensify Action Against Information Blocking: The Department of Health and Human Services Office of Inspector General (HHS-OIG) has issued a joint enforcement alert with the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP) to signal heightened efforts against information blocking. Defined under the 21st Century Cures Act, information blocking refers to practices by individuals or entities that are likely to interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information, except as permitted by law or regulatory exceptions. OIG and ASTP emphasized that information blocking undermines patient care, hampers health system efficiency, and threatens taxpayer investments in electronic health records. Enforcement actions may result in civil monetary penalties of up to $1 million per violation for health IT developers, networks, and exchanges; ASTP certification bans or terminations; and Centers for Medicare & Medicaid Services-imposed disincentives for providers participating in federal programs. The alert encourages voluntary compliance to avoid penalties, while providing multiple avenues for reporting suspected violations, including ASTP’s Information Blocking Portal and the OIG Hotline.
- New CA Automated Decision-Making Regulations Added to CCPA: California recently approved updates to its CCPA regulations regarding automated decision-making that will impose significant requirements on businesses employing such technology. The regulations, set to take effect on Jan. 1st, expand definitions and clarify obligations, notably around automated decision-making technology (ADMT) and artificial intelligence, including what counts as human involvement versus replacement of human decision-making. The regulations strengthen requirements for how businesses collect, use, retain, and share personal information, mandating that such data handling be “reasonably necessary and proportionate” to disclosed purposes and consistent with consumer expectations. They also mandate that notices and disclosures be clearer, accessible (including to people with disabilities), and in the languages used by the business, and that they not hide or obfuscate opt-out or limitation rights. The rules further limit “dark patterns” in user interfaces, prohibit making opt-outs harder, and require that consent be free, specific, informed, and unambiguous. Finally, businesses whose use of such technology presents significant risk are required to conduct annual cybersecurity audits and risk assessments.
- MD Online Data Privacy Act (MODPA) Effective 10/1/2025: Maryland’s Online Data Privacy Act (HB 567 / Chapter 454 of 2024) took effect on Oct. 1st. MODPA requires “controllers” and “processors” of consumers’ personal data who do business in Maryland (or target Maryland residents) and meet certain thresholds (e.g., number of consumers or revenue from data sales) to comply with a list of privacy rules (including notice and consent requirements). Under MODPA, consumers are also granted a set of rights: to know whether their data is being processed; to access and correct their data; to delete data; to obtain a portable copy; to know of third-party disclosures; and to opt out of targeted advertising, profiling that has legal or similarly significant effects, or sales of their personal data. Controllers must also provide clear, meaningful privacy notices, implement reasonable security measures (administrative, technical, and physical), collect only data that is necessary and proportionate, allow revocation of consent as easily as it was given, and enter into contracts with processors to ensure proper handling. MODPA also places restrictions on the use of “sensitive data” (which is defined broadly to include health, genetic, biometric, sexual orientation, precise geolocation, etc.), and disallows certain practices (such as dark patterns, discrimination, or selling sensitive data without consent), especially for minors.
State Action:
- AI Transparency as a Priority in State Laws: As U.S. states prepare for the 2026 legislative session, lawmakers are scaling back ambitions for sweeping AI governance laws and focusing instead on transparency as the central principle. Colorado’s recent special session, which ended only with a delay of the Colorado AI Act to June 2026 after failed negotiations on a compromise, highlighted both the difficulty of passing substantive reforms and the resilience of transparency requirements like notice, disclosure, and data correction rights. Legislators in Connecticut and Virginia, who previously saw AI bills vetoed, are also planning narrower measures centered on giving consumers the “right to know” and meaningful choices, such as opting out of data use for AI training. Across states, transparency is emerging as the minimal but essential safeguard — from informing consumers when AI is used, to disclosing consequences, clarifying data provenance, and enabling explainability — with the potential to build a foundation for stronger protections in the future.
International Updates:
- Cyberattack Forces Extended Jaguar Shutdown: Jaguar Land Rover, the UK’s largest automaker, suspended production after a cyberattack on Aug. 31st disabled its systems, with operations remaining offline until a gradual restart began on Sept. 25th. Rachel Reeves, Britain’s Chancellor of the Exchequer, said that government officials were working closely with Jaguar Land Rover, adding: “There is a wider issue here, of ensuring that foreign states, including Russia, cannot bring down production, or flights, or public services in Britain.” The breach, which hit the company’s retail and manufacturing operations, is part of a broader wave of cyber and ransomware attacks affecting European businesses, from hospitals and charities to airports in Brussels, Berlin, Dublin, and London.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.