Right To Know - September 2025, Vol. 33
Cyber, Privacy, and Technology Report
Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.
View previous issues and sign up to receive future newsletters by email here.
Litigation & Enforcement:
- Court Finds SEC Withholding of Information on 2022 Control Deficiency Proper: In 2022, the SEC disclosed a “control deficiency” that allowed SEC lawyers to access files of administrative law judges before whom they appeared. The New Civil Liberties Alliance submitted a FOIA request to obtain information about the “control deficiency.” The SEC denied the request citing the attorney work-product doctrine and employee privacy interests. New Civil Liberties Alliance sued claiming the withholding was wrongful. On Aug. 29th, the United States District Court for the District of Columbia granted summary judgment in favor of the SEC finding the withholdings were proper. Among other things, the court found the use of a consultant in connection with the investigation of the control deficiency did not obviate the work-product protection because the consultant was disinterested in the outcome, and that the withholding of employee names involved in the control deficiency was proper to avoid harassment.
- VPPA Parties Seeking Clarity From SCOTUS: After significant briefing, on Sept. 29th, the Supreme Court will consider a request from the NBA to grant review in a case involving standing under the Video Privacy Protection Act (VPPA). Notably, the Respondent, Salazar, may seek review in another VPPA case out of the Sixth Circuit. If the court agrees to hear the case, it could render a key decision on this standing issue by June 2026.
- Court Dismisses Proposed Class Action Over Abbott Website Tracking: A proposed class action claiming Abbott Laboratories shared visitors’ health data with Meta and Google via tracking tools on its FreeStyle Libre diabetes website was dismissed in the U.S. District Court for the Northern District of Illinois. Plaintiffs alleged HIPAA, ECPA, and state privacy violations, invoking the ECPA’s “crime-tort” exception. Judge Manish S. Shah held that mere browsing of a public website did not reveal individually identifiable health information and that no HIPAA violation was plausibly alleged. The dismissal was without prejudice, giving plaintiffs until September 5, 2025, to amend their complaint.
- U.S. Court of Appeals for the DC Circuit Upholds T-Mobile/Sprint Fine for Sharing Geolocation Data: The U.S. Court of Appeals for the DC Circuit recently upheld the FCC’s $92 million fine against T-Mobile/Sprint for the telecommunication company’s sharing of customer geolocation data. The companies failed to verify whether they had consumers’ consent to sell such data. They also continued to sell data after it was known that such data was being used illicitly. Arguments that the data at issue was not subject to the Communications Act were rejected by the Court. Similar activities are the subject of fines imposed on telecommunications carriers AT&T and Verizon, which have not yet been heard on appeal.
- 6th Circuit Upholds FCC’s Implementation of Stricter Breach Notification Obligations: In 2024, the Federal Communications Commission (“FCC”) issued a new rule revising its data breach notification requirements, broadening the scope of data breaches that required notification and reporting. This was subsequently challenged by various organizations that argued the FCC overstepped its statutory authority when it updated existing rules to, among other items, include consumer PII in data breach reporting requirements. The Sixth Circuit, in a 2-1 ruling, disagreed, holding the FCC did have authority under Section 201(b) of the Communications Act because this section gives the FCC authority to regulate “practices…in connection with communication service,” and reporting and notification of data breaches qualifies as a practice.
Industry Updates:
- AI Chatbot Maker Breach Allows Threat Actors to Siphon Data from CRM Instances: In a clear illustration of the real-world cybersecurity risks of third-party vendors and the dangers of unmonitored SaaS-to-SaaS integrations, on Aug. 20th, Salesloft disclosed a security incident that impacted an unknown number of companies. Salesloft builds customer-facing AI chatbots that integrate with customer data within various CRM tool instances, the most notable of which is Salesloft, Inc. To do this, Salesloft requires a token to access the customer’s Salesforce instance. The threat actors were able to steal these tokens, use them to access the customers’ Salesforce instances, and essentially vacuum the data from these instances. Salesloft requested that admins reauthenticate their Salesforce connection.
- NIST Releases Updates to SP 800-53 Targeting Software Development and Deployment: The National Institute of Standards and Technology (“NIST”) has released an update to its Special Publication 800-53 (“SP 800-53”), Security and Privacy Controls for Information Systems and Organizations. The update looks to improve the security and reliability of software updates and patches. The updates come in response to Executive Order 14306, which required measures to help improve the nation’s cybersecurity. Changes include revisions to control standards for the software development and deployment process, including software and system resiliency by design, testing by developers, deploying and managing updates, and software integrity and validation.
- IC3 Warns of Fake Law Firms Exploiting Crypto Scam Victims: The FBI’s Internet Crime Complaint Center (IC3) issued a Public Service Announcement on Aug. 13th warning that fictitious law firms are targeting cryptocurrency scam victims, especially elderly or emotionally vulnerable individuals. These fraudulent actors pose as legitimate attorneys, often creating fake letterhead and insignia, claiming affiliation with government agencies, or referencing nonexistent organizations such as the “International Financial Trading Commission.” Victims are pressured to make payments through cryptocurrency or gift cards, and in some cases are lured into group chats on messaging apps to give the appearance of secure recovery efforts. The FBI advises people to be cautious of unsolicited legal outreach and recommends steps such as requesting video verification, asking for a photo of a bar license, or independently confirming claims with government offices. Victims are encouraged to carefully document all interactions and report suspicious activity to their local FBI field office or through the IC3.gov website.
- CISA and Partners Release Joint Advisory on Countering Chinese State-Sponsored Actors’ Compromise of Networks: On Aug. 27th, CISA, in coordination with the NSA, the FBI, and international partners, issued a joint cybersecurity advisory warning of a widespread and ongoing cyber campaign by Chinese state-sponsored Advanced Persistent Threat (APT) actors. These actors are actively targeting and gaining long-term access to critical infrastructure networks across multiple sectors, including telecommunications, transportation, lodging, and military systems. The advisory highlights that the attackers are exploiting vulnerabilities in routers and using stealthy tactics to maintain persistent access while evading detection. The campaigns are related to activity attributed to several known Chinese-linked APT groups, such as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor. The advisory provides a set of recommended mitigations for organizations. These include immediately patching known exploited vulnerabilities, enabling centralized logging, and securing edge infrastructure.
Regulatory:
- HHS OCR Settles HIPAA Security Rule Investigation with BST & Co. over Ransomware Incident: The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a $175,000 settlement with BST & Co. CPAs, LLP following a HIPAA Security Rule investigation linked to a 2019 ransomware attack that compromised ePHI. OCR found that BST, a business associate handling PHI, had failed to conduct a thorough risk analysis to identify vulnerabilities. Aside from the payment, as part of the resolution, BST will implement a corrective action plan over two years, including risk assessments, risk management plans, updated HIPAA policies, and enhanced workforce training to strengthen ePHI security.
- Disney Enters into $10M Settlement with Federal Trade Commission: Disney Worldwide Services, Inc. and Disney Entertainment Operations LLC (“Disney”) have entered into a settlement with the Federal Trade Commission (“FTC”) to settle claims that Disney violated the Children’s Online Privacy Protection Act (“COPPA”) by collecting the information of children under 13 without parental consent. The allegations stated that Disney had uploaded videos to YouTube without properly applying the “Made for Kids” label. This allowed Disney to collect, through YouTube, the personal information of children who watched the videos, and potentially exposed those children to features designed for adults, such as autoplay of videos directed at adults. In addition to the settlement amount, Disney will be required to put measures in place to ensure compliance with COPPA moving forward and to develop a way to audit uploaded videos to ensure the “Made for Kids” label is applied correctly.
- Property Management Company Fined $795,000 by Massachusetts Attorney General for Data Breaches: Peabody Properties, Inc. was fined $795,000 by the Massachusetts Attorney General for five data breaches occurring between November 2019 and September 2021 and impacting around 14,000 consumers. The fine is for failure to maintain an adequate security program to prevent cyberattacks and, for two incidents, the delay in notifying the AG. Pending approval by the Court, the company is also required to implement various security controls and undergo an annual security assessment for three years.
- FTC Settlement With Apitor For Violations of COPPA: On Sept. 3rd, the FTC announced action against Apitor, a China-based manufacturer of robot toys aimed at children. According to the FTC’s complaint, Apitor violated the Children’s Online Privacy Protection Act (COPPA) by collecting children’s personal data—specifically geolocation information—without obtaining parental consent. Apitor’s companion mobile app for its robotic toys required Android users to enable location sharing, and it incorporated a third-party software development kit (SDK). This SDK collected precise location data and transmitted it to external servers, including for advertising purposes. The FTC alleged that Apitor did not disclose this data collection to parents, nor did it obtain verifiable parental consent as required under COPPA. Additionally, Apitor falsely claimed in its privacy policy that it complied with COPPA. The FTC is requiring Apitor to implement comprehensive COPPA compliance measures. These include notifying parents about data practices, obtaining verifiable parental consent before collecting or sharing children’s data, deleting any data collected without proper consent, and retaining children’s information only as long as necessary. The settlement also includes a $500,000 civil penalty, but payment is suspended for now due to the company’s claimed inability to pay. If it is determined that Apitor lied about its financial condition, the full penalty must be paid.
- FTC Chairman Warns US Tech Companies Against Weakening Security and Privacy At Behest of Foreign Governments: FTC Chairman Andrew Ferguson recently sent letters to more than a dozen prominent technology companies stating that pressure from foreign governments to weaken the security and privacy of American consumers should be resisted. He also warned the companies against censoring American posts at the behest of such governments, as doing so may violate the law. The letters addressed concerns raised in light of foreign laws like the EU’s Digital Services Act and the UK’s Online Safety Act (incentivizing companies to censor worldwide speech) and the UK’s Investigatory Powers Act (calling for companies to weaken encryption protections to allow UK law enforcement access).
State Action:
- Ohio Law Establishes New Cybersecurity Mandates for Local Governments: Ohio House Bill 96, effective Sept. 30th, establishes new cybersecurity requirements for local government entities, including implementing a cybersecurity program, obtaining approval from their legislative body for ransomware payments, and reporting cyber incidents to the Department of Public Safety within 7 days and to the Ohio Auditor of State within 30 days. There are listed requirements for cybersecurity programs, including consistency with generally accepted best practices like the NIST Cybersecurity Framework and the Center for Internet Security Controls.
International Updates:
- Massive Cybercrime Ring Dismantled Across Africa as Interpol Recovers Nearly $97 Million from Scams: Interpol’s Operation Serengeti 2.0, conducted between June and August 2025, led to the arrest of more than 1,200 individuals and recovered over $97 million linked to cybercrime and fraud. Authorities from across 18 African countries and the United Kingdom dismantled more than 11,000 pieces of malicious infrastructure tied to phishing, ransomware, and investment scams, while identifying nearly 88,000 victims. The recovery of millions in illicit proceeds also raises the prospect of restitution for victims who suffered significant financial losses.
- Irish Data Protection Commissioner Investigates Children’s Health Ireland: The Irish Data Protection Commissioner has opened an investigation into Children’s Health Ireland (CHI), the umbrella body for Irish children’s hospitals. The allegations include that CHI health records regarding children were breached at Tallaght University Hospital. Protected disclosures from employees were the genesis of this investigation, in conjunction with an unannounced site inspection on July 16, 2025. It is understood that the allegations include that an unauthorized third party was in a position to access a large volume of physical health records, including 320 patient charts. These had been stored in an unlocked room at the hospital.
- EU Data Act Applies As Of September 12: The EU Data Act (Regulation 2023/2854) will come into force on Sept. 12th. It will apply across all EU member states, granting users (businesses and consumers) the right to access data generated by connected products and related services, given the explosion of internet-connected products (including so-called “smart” devices or the IoT (internet of things)). It also prohibits unfair contract terms in business-to-business data sharing agreements. Cloud and related service providers are obliged to permit easier switching. Controversially, public bodies may, in limited emergency circumstances, be able to access non-personal data from private entities.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.