Data privacy and cybersecurity practitioners have grown accustomed in recent years to a constantly growing and shifting set of federal, state, and global obligations. This trend continued in 2024, but the rapid growth and widespread use of AI added new challenges. Organizations increasingly recognized that responsible AI use demands heightened attention to data ethics and governance. Enlisting data privacy and cybersecurity practitioners to integrate these broader risk management activities into their already expanding programs became more common.
Many organizations, including critical infrastructure entities, also continued to grapple with unaddressed cybersecurity gaps and other technology debt. Q4 brought reports of nation-state hackers exploiting known vulnerabilities to compromise major US telecom carriers. High-profile 2024 incidents like the Change Healthcare and Snowflake cyberattacks and the widespread CrowdStrike outage following a faulty software update reemphasized service provider and supply chain risk management.
Understanding current trends helps practitioners build skills and identify opportunities to harmonize often overlapping requirements. This article reviews important 2024 data privacy and cybersecurity developments, including related AI topics, and highlights risks and trends to watch in 2025.
(For the complete version of this resource, which includes information on global data security trends and cross-border data transfers, see Trends in Data Privacy and Cybersecurity: 2024 on Practical Law; for more on the current patchwork of US laws regulating data privacy and cybersecurity, see US Privacy and Data Security Law: Overview on Practical Law.)
Federal Regulation, Guidance, and Enforcement
Data privacy, cybersecurity, and related issues continued to garner increased attention from a varied group of federal agencies, including:
- The Federal Trade Commission (FTC).
- The Consumer Financial Protection Bureau (CFPB).
- The Department of Commerce and its National Institute of Standards and Technology (NIST).
- The Federal Communications Commission (FCC).
- The Department of Health and Human Services (HHS) and the HHS Office for Civil Rights (OCR).
- The Department of Homeland Security (DHS) and its Cybersecurity and Infrastructure Security Agency (CISA).
- The Securities and Exchange Commission (SEC).
(For the complete version of this resource, which includes more on federal agency developments and industry self-regulation efforts, see Trends in Data Privacy and Cybersecurity: 2024 on Practical Law.)
FTC
The FTC is the primary federal agency regulating consumer data privacy and cybersecurity. It derives its authority to protect consumers against unfair or deceptive trade practices from Section 5 of the Federal Trade Commission Act (FTC Act) (15 U.S.C. § 45). In 2024, the FTC engaged in formal rulemaking activities, released guidance, and announced data privacy and cybersecurity-related enforcement actions.
FTC Regulations and Guidance
In September, the FTC staff issued a report:
- Finding that major social media and video streaming services have failed to adequately protect consumers’ personal information.
- Enumerating personal data handling activities that it considers unfair or deceptive practices under Section 5, citing its recent enforcement actions.
- Recommending that these services adopt safeguards and policies to protect consumers, including restrictions and measures concerning AI use, targeted advertising, sensitive data, and children’s and teens’ personal data.
(For more information, see FTC Releases Staff Report Analyzing and Providing Recommendations for Large Social Media Companies’ Data Practices on Practical Law.)
Formal FTC data privacy and cybersecurity-related rulemaking activities in 2024 addressed:
- Children’s privacy. On January 11, the FTC formally published previously announced proposed changes to its Children’s Online Privacy Protection Act (COPPA) implementing rules (15 U.S.C. §§ 6501 to 6506; 16 C.F.R. §§ 312.1 to 312.13). The still-pending proposals address market and technology changes and effectively create an opt-in for behavioral advertising (89 Fed. Reg. 2034 (Jan. 11, 2024)).
- Sector-specific data breach notification. Updated data breach notification obligations for non-banking financial institutions covered under the FTC’s Safeguards Rule and changes to its Health Breach Notification Rule took effect.
- Surveillance pricing. The FTC announced that it had used its Section 6(b) authority to order eight companies to provide information on their surveillance pricing products and services and how using them may affect data privacy, competition, and consumer protection (15 U.S.C. § 46(b)).
- Telemarketing. In March, the FTC updated the Telemarketing Sales Rule, expanding its prohibitions on misrepresentations and false or misleading statements to include business-to-business calls, and proposed additional changes to limit inbound telemarketing calls involving technical support services, based on a recent rise in related scams.
(For the complete version of this resource, which includes more on FTC rulemaking and guidance on topics such as biometric, genetic, and health information, cybersecurity, privacy policies and data collection and use practices, AI, and vehicle-related data practices, see Trends in Data Privacy and Cybersecurity: 2024 on Practical Law.)
FTC Enforcement
The FTC’s 2024 data privacy and cybersecurity enforcement actions provide crucial guidance in the absence of comprehensive federal laws or additional regulations. Notable actions highlighted:
- Children’s privacy. The FTC’s COPPA-related enforcement activities included:
  - a July-announced settlement with an anonymous messaging app and its founders over allegations under multiple federal and state laws, banning the company from marketing its app to persons under 18 and making false claims and misrepresentations about the app and its AI content moderation program (for more information, see FTC Announces Settlement Over Anonymous Messaging App’s Unfair Marketing to Children and Misrepresentations about App and AI Content Moderation on Practical Law);
  - an August-announced suit against TikTok, its parent company ByteDance, and affiliates alleging knowing and repeated COPPA violations, including infringing an existing 2019 consent order (FTC Press Release: FTC Investigation Leads to Lawsuit Against TikTok and ByteDance for Flagrantly Violating Children’s Privacy Law (Aug. 2, 2024)); and
  - an August-filed amicus brief in a US District Court for the Northern District of California suit brought by parents against an edtech service provider, disputing the company’s argument that a school’s agreement to binding arbitration applied to parents (FTC Press Release: FTC Files Amicus Brief Saying COPPA Can’t Force Parents Into Arbitration (Aug. 19, 2024)).
- Cybersecurity. Some FTC data privacy actions regarding sensitive personal data practices also allege data security failures. Several cybersecurity-focused actions built on the FTC’s previously stated reasonable data security practices expectations, for example, settlements with:
  - a software and cloud services provider, requiring the company to delete consumer data it no longer needs and create a specified, publicly available data retention schedule (for more information, see FTC Announces Settlement with Blackbaud Over Alleged Cybersecurity and Data Retention Failures on Practical Law);
  - a surveillance camera and related cloud-based services provider, highlighting harms to businesses, institutional users, and consumers and setting risk assessment and security controls obligations for any additional customer-related data it handles in the future (for more information, see FTC Announces Settlement Over Cloud-Based Security Camera Company’s Information Security Practices and Misrepresentations on Practical Law); and
  - a hotelier and its subsidiary, imposing requirements to adopt a data minimization policy and conduct pre-integration security reviews for merger and acquisition targets (for more information, see FTC Announces Settlement with Marriott and Starwood Over Alleged Cybersecurity Failures and Misrepresentations on Practical Law).
- Sensitive personal data. FTC actions showed a marked trend to protect consumer personal information that it deems especially sensitive, including:
  - web browsing history, alleging that a company deceptively claimed its software would protect consumers by blocking third-party tracking and instead sold browsing history data for advertising purposes without notice or consent (for more information, see FTC Announces Settlement Banning Software Provider’s Browsing Data Sales on Practical Law);
  - health-related information, settling with two companies that allegedly shared consumers’ health condition and treatment data with third-party advertising platforms (for more information, see FTC Announces Settlement with Online Addiction Treatment Service for Sharing Consumer Health Data for Advertising Without Consent and FTC Announces Settlement with Telehealth Company for Failing to Secure and Protect Sensitive Health Data on Practical Law); and
  - precise location data, with the first data broker settlement to ban sensitive location data sales, followed by others, requiring companies to develop and maintain a specified written sensitive location data program that comprehensively identifies sensitive locations and prevents related data uses or disclosures (for more information, see FTC Announces First Data Broker Settlement Banning Sensitive Location Data Sales, FTC Announces Settlement Banning Digital Marketer’s Precise Consumer Location Data Sales and Licensing, and FTC Announces Multiple Settlements with Data Brokers for Unlawfully Selling Sensitive Location Data on Practical Law).
- Telemarketing and robocalls. The FTC announced settlements with a voice over internet protocol service provider and a website-based lead generator for facilitating illegal calls (FTC Press Releases: XCast Labs Will Be Banned from Supporting Illegal Telemarketing Practices to Settle FTC Charges It Assisted and Facilitated in Sending Hundreds of Millions of Illegal Robocalls and California-Based Lead Generator Agrees to Settlement Banning It from Making or Assisting Others in Making Telemarketing Calls, Including Robocalls (Jan. 2, 2024)).
Recent enforcement actions have imposed higher standards for personal information deemed sensitive, especially location, health, and financial data, as well as children’s information. Public sentiment and legislative activity support this ongoing trend.
The FTC also continued its collaboration with other federal, state, and global regulators. (For more on the FTC’s evolving expectations regarding reasonable data security practices and appropriate comprehensive information security programs, see FTC Data Security Actions Tracker on Practical Law; for more on data broker obligations and current regulatory efforts, see US Data Broker Registration Laws: Overview on Practical Law.)
CFPB
The CFPB increasingly focuses on data privacy risks and issues in its work to ensure that financial institutions and consumer reporting agencies treat consumers fairly. Some notable 2024 actions addressed:
- Data brokers. The CFPB proposed a rule expanding the scope of consumer reporting agencies under the Fair Credit Reporting Act (FCRA) to include data brokers that sell certain sensitive personal information (for more information, see CFPB Proposes FCRA Amendments to Combat Harmful Data Broker Practices on Practical Law).
- Digital payments. In November, the CFPB finalized a rule establishing supervisory authority over certain larger nonbank consumer digital payments providers (for more information, see CFPB Finalizes Rule to Supervise Large Digital Consumer Payment Apps on Practical Law).
- Open banking. The CFPB took long-pending rulemaking actions to support open banking, which provides consumers with personal financial data rights, including data portability, under the 2010-enacted Consumer Financial Protection Act (for more information, see CFPB Issues Final Personal Financial Data Rights Rule on Practical Law).
The CFPB also addressed in guidance and reports video gaming markets, worker surveillance, and what it characterized as gaps or insufficient consumer protections in recent state consumer privacy laws.
Department of Commerce and NIST
In February, NIST released version 2.0 of its widely used Cybersecurity Framework, broadening its scope beyond critical infrastructure and adding an overarching governance function (for more information, see NIST Releases Cybersecurity Framework 2.0 on Practical Law). NIST also released a concept paper and engaged in public outreach on a potential update to its Privacy Framework (NIST: NIST Privacy Framework Version 1.1 Concept Paper (Jun. 18, 2024)). The Department of Commerce engaged in various AI-related efforts in 2024, including:
- Proposing a new rule requiring US infrastructure-as-a-service providers to verify non-US customer identities and report non-US customers engaged in certain AI model training that may support malicious cyber activities (89 Fed. Reg. 5698-01 (Jan. 29, 2024)).
- Through NIST:
  - publishing a report on adversarial machine learning that details the types of cyberattacks that threaten AI systems and how to mitigate the associated risks (NIST AI 100-2 E2023: Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations);
  - launching a new program to help organizations review an AI system’s validity, reliability, safety, security, privacy, and fairness (NIST: Assessing Risks and Impacts of AI (ARIA));
  - releasing several AI guidance resources in a follow-up to Executive Order 14110 (NIST Press Release: Department of Commerce Announces New Guidance, Tools 270 Days Following President Biden’s Executive Order on AI (July 26, 2024)); and
  - launching a new program assessing how AI advancements affect cybersecurity and privacy risks (NIST: Managing Cybersecurity and Privacy Risks in the Age of Artificial Intelligence: Launching a New Program at NIST (Sept. 19, 2024)).
- Proposing a rule to expand its current industrial data collection regulations to gather data on advanced AI models and computing clusters (for more information, see Bureau of Industry and Security Proposes Reporting Requirements for Developing Advanced AI Models and Computing Clusters on Practical Law).
Some other NIST activities and guidance addressed health information cybersecurity, protecting controlled unclassified information, post-quantum cryptography standards, information security program metrics guidance, and other technical standards and detailed practice resources.
DHS and CISA
High-impact cyber incidents highlighted DHS and CISA public-private work in 2024. For example:
- CISA’s Joint Cyber Defense Collaborative (JCDC) coordinated information sharing and response during the widespread CrowdStrike software update-driven outage in July. The incident mirrored the agency’s current emphasis on cyber resilience and managing software supply chain risks (CISA: JCDC’s Industry-Government Collaboration Speeds Mitigation of CrowdStrike IT Outage (Oct. 29, 2024)).
- In late 2024, CISA and the FBI announced an investigation into large-scale targeted cyberattacks against major US telecom carriers. Reports continued to emerge in December, attributing the activities to a group allegedly sponsored by the People’s Republic of China known as Salt Typhoon. Global cyber authorities noted in CISA-published guidance that the compromises exploited known infrastructure weaknesses rather than using any novel approaches. The attacks renewed calls for stronger critical infrastructure protection. (CISA Press Release: Joint Statement from FBI and CISA on the People’s Republic of China (PRC) Targeting of Commercial Telecommunications Infrastructure (Nov. 13, 2024) and CISA Alert: CISA and Partners Release Joint Guidance on PRC-Affiliated Threat Actor Compromising Networks of Global Telecommunications Providers (Dec. 3, 2024).) CISA later released guidance to help potentially targeted individuals secure their communications (CISA Alert: CISA Releases Best Practice Guidance for Mobile Communications (Dec. 18, 2024)).
In April, CISA published proposed implementing rules for the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) that:
- Broadly define critical infrastructure, with a stated potential to encompass over 300,000 entities.
- Require covered entities to report qualifying cyber incidents within 72 hours and ransomware payments within 24 hours.
CISA expects to finalize the rules in late 2025 and reporting to begin in 2026. (89 Fed. Reg. 23644-01, 23743 (Apr. 4, 2024).) CISA currently offers a voluntary reporting portal to encourage information sharing (CISA: Voluntary Cyber Incident Reporting). (For more on critical infrastructure cybersecurity, see Critical Infrastructure Cybersecurity and Cyber Incident Reporting: Overview on Practical Law.)
Some DHS-level critical infrastructure cybersecurity activities in 2024 addressed AI risk management, maritime security, and pipeline and surface transportation security. The CISA-administered Cyber Safety Review Board released a report on the July 2023-reported Microsoft Exchange Online intrusions, with broadly applicable recommendations for cloud service providers (DHS Press Release: Cyber Safety Review Board Releases Report on Microsoft Online Exchange Incident from Summer 2023 (Apr. 2, 2024)).
CISA also offered guidance and resources on cloud security, critical infrastructure resilience and incident response, ransomware risk mitigation, including results of its ongoing Ransomware Vulnerability Warning Pilot, secure by design principles, single sign-on barriers and solutions, and vulnerability disclosure management.
FCC
In late 2024, CISA and the FBI announced that the group Salt Typhoon, allegedly sponsored by the People’s Republic of China, had compromised at least eight US telecom carriers’ networks. The hackers reportedly exploited known infrastructure vulnerabilities, gaining access to sensitive call data. Officials later increased the number of affected companies to nine. The FCC reacted by:
- Circulating a draft declaratory ruling reaffirming that the Communications Assistance for Law Enforcement Act obligates carriers to protect their networks from unauthorized access (47 U.S.C. § 1004).
- Announcing that it is considering further rulemaking to require specific carrier cybersecurity risk management activities and an annual certification. (FCC Fact Sheet: Implications of Salt Typhoon Attack and FCC Response (Dec. 5, 2024).)
Other cybersecurity and network resilience activities, including enforcement settlements, highlighted increased expectations, especially for protecting customer proprietary network information. The FCC further focused on consumer data privacy and cybersecurity by implementing its voluntary smart device labeling program and continuing its anti-robocall efforts with the FTC under the Telephone Consumer Protection Act.
The FCC also reopened the net neutrality debate, with its potential implications for data privacy and cybersecurity obligations, when it reclassified broadband internet providers as common carriers (In re Safeguarding and Securing the Open Internet, 2024 WL 2109860 (F.C.C. May 7, 2024)). However, the Sixth Circuit stayed the ruling (In re MCP No. 185, 2024 WL 3650468 (6th Cir. Aug. 1, 2024)).
HHS and HHS OCR
The HHS continued its focus on cyber resilience, releasing its voluntary health care and public health sector-specific cybersecurity performance goals (CPGs) through its Administration for Strategic Preparedness and Response (ASPR) (ASPR Press Release: HHS Releases New Voluntary Performance Goals to Enhance Cybersecurity Across the Health Sector and Gateway for Cybersecurity Resources (Jan. 24, 2024)). In a late December action, the HHS OCR announced a proposed update to the HIPAA Security Rule aligned with the CPGs and other widely recognized standards and practices. The proposed rule was published in the Federal Register on January 6, 2025 (OCR Press Release: HHS Office for Civil Rights Proposes Measures to Strengthen Cybersecurity in Health Care Under HIPAA (Dec. 27, 2024)).
In a long-awaited February rulemaking action, the HHS better aligned patient data privacy protections under HIPAA and its Substance Abuse and Mental Health Services Administration 42 C.F.R. Part 2 rules (for more information, see HHS Final Rules Align Federal Substance Use Disorder Protections and HIPAA Rules (February 2026 Compliance Date); Rules Addressing HIPAA Privacy Notices to Follow on Practical Law).
(For more on HHS’s health IT-related actions, see Health Information Sharing Scenarios and Issues: Overview on Practical Law.)
HHS OCR Guidance and Enforcement Activity
The HHS OCR promulgates rules, provides guidance, and conducts enforcement actions under HIPAA (for more information, see HIPAA and Health Information Privacy Compliance Toolkit on Practical Law).
In 2024, the OCR focused on the cyberattack against Change Healthcare, Inc., which processes claims and payments for a large segment of US providers (for more information, see Provider Impacts from Recent Health Care Cyberattacks in the June 2024 issue of Practical Law The Journal). Characterizing the attack and resulting lengthy outage as unprecedented, the OCR offered extensive guidance and support to providers (OCR: Change Healthcare Cybersecurity Incident Frequently Asked Questions).
Other OCR 2024 rulemaking, guidance, and enforcement actions addressed malicious insiders, phishing and ransomware incidents, physical security, reproductive health care privacy, and HIPAA Security Rule compliance. The OCR also focused on patients’ rights to their data under its continued right of access initiative, currently exceeding 50 total actions, and launched its new risk analysis initiative.
SEC
In late 2023, publicly traded reporting companies began disclosing cybersecurity incidents and key aspects of their cybersecurity risk management programs under the SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rules (17 C.F.R. § 229.106 (Item 106) and 17 C.F.R. § 249.308 (Item 1.05)). Some exceptions allowed smaller reporting companies to delay incident reporting until mid-2024.
Variations in early disclosures regarding incident materiality and companies’ reported concerns, especially under the short four-business-day Form 8-K disclosure deadline, led the SEC to issue a series of mid-year guidance statements addressing:
- Material and other cybersecurity incident disclosures.
- Selective disclosure of cybersecurity incident information.
- Requests to delay disclosures that pose a substantial risk to national security or public safety.
- Ransomware incident scenarios.
(For more on SEC cybersecurity disclosure rules, examples, and current guidance, see SEC Cybersecurity Disclosure Rules and Enforcement on Practical Law.)
SEC enforcement actions proceeded following 2020’s high-profile SolarWinds cyberattack. The SEC also amended Regulation S-P to require broker-dealers, including funding portals, and investment advisers to adopt written incident response program policies and procedures. Compliance timelines vary according to an entity’s size (for more information, see SEC Adopts Amendments to Regulation S-P on Practical Law).
Other SEC cyber-related enforcement actions alleged companies failed to implement effective controls and timely or accurately notify management, shareholders, and the SEC of cyber incidents.
State Regulation, Guidance, and Enforcement
State authorities continued to fill the gaps left in the absence of a comprehensive federal data privacy law to protect their residents’ personal information. Like federal regulators, state agencies focused their efforts on protecting sensitive data and children’s data privacy and online safety. California, Colorado, and New York continued to play prominent roles in consumer data protection, with Texas announcing new initiatives and becoming a more visible authority in 2024. Some cities have also joined in, a trend practitioners should note for 2025.
(For the complete version of this resource, which includes more on state enforcement activities and multistate actions, see Trends in Data Privacy and Cybersecurity: 2024 on Practical Law; for a collection of resources to assist counsel in advising clients on US state-specific privacy, data protection, and cybersecurity requirements, see State Data Privacy Laws Toolkit on Practical Law.)
California
On February 9, after a state appellate court vacated a lower court’s stay order, the California Privacy Protection Agency (CPPA) began enforcing its implementing regulations under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA) (for more information, see California Appellate Court Overturns Lower Court Ruling Delaying CPRA Regulations Enforcement on Practical Law). Also in 2024, the CPPA released a CCPA/CPRA resources website for businesses and residents, a new strategic plan, and enforcement advisories on data minimization and dark patterns (digital design practices to disguise ads and hidden fees, manipulate consumers’ privacy choices, trick consumers into buying products or services, or make it difficult to cancel orders or reverse charges). The CPPA showed particular interest in regulating data brokers under California’s recently enacted Delete Act.
The California attorney general (CAG) brought and settled claims with several companies for alleged data privacy law violations, in some cases, partnering with city and county district attorneys. The CAG also conducted an enforcement sweep of streaming services’ CCPA/CPRA compliance, specifically, its sales and sharing opt-out requirements.
(For more on California’s extensive data privacy laws and enforcement model, see California Privacy and Data Security Law: Overview on Practical Law.)
Colorado
The Colorado Privacy Act (CPA) requirement for controllers to support consumers exercising their opt-out rights using a universal opt-out mechanism took effect on July 1.
Additionally, the Colorado Department of Law adopted updated CPA rules on December 6 that create processes for the Colorado attorney general to issue guidance and opinion letters and reflect recent CPA amendments. The amended rules went into effect on January 30, 2025.
(For more on developments in Colorado data privacy law, see Colorado Privacy Act Regulation Tracker on Practical Law.)
New York
Sector-specific regulators continued to play an important role in New York, including the New York Department of Financial Services (NYDFS) and the New York Department of Health (NYDOH), as well as the New York Attorney General (NYAG). New York agencies paid particular attention to securing residents’ sensitive personal information, such as health and financial data.
The NYDFS offered further guidance on complying with its cybersecurity regulations, including updates that required compliance by April 29, with additional requirements taking effect in 2025 (for more information, see The NYDFS Cybersecurity Regulations on Practical Law). The NYDFS publishes alerts, guidance, and FAQs on its Cybersecurity Resource Center.
The NYDOH adopted its Hospital Cybersecurity Requirements Regulation on October 2. Requirements to report certain cybersecurity incidents within 72 hours took effect on adoption, but covered entities have until October 2, 2025, to comply with most other provisions, including those on implementing a specified cybersecurity program (for more information, see New York Adopts Cybersecurity Requirements for Hospitals on Practical Law).
The NYAG released online tracking technologies and website privacy controls guidance and issued an Advance Notice of Proposed Rulemaking under New York’s recently enacted Child Data Protection Act and Stop Addictive Feeds Exploitation (SAFE) for Kids Act for public comment. The NYAG also continued to bring actions alleging lax data security practices resulting in data breaches and exposing residents’ sensitive data, including partnering with the NYDFS for some actions. The NYAG also collaborated with the New York Education Department to protect student privacy.
(For more on state student data processing restrictions, see Student Privacy State Laws for Education Service Providers Chart: Overview on Practical Law.)
Texas
Texas gained more data privacy visibility in 2024 after the Texas attorney general (TAG) announced a new initiative to aggressively enforce its laws (TAG: Attorney General Ken Paxton Launches Data Privacy and Security Initiative to Protect Texans’ Sensitive Data from Illegal Exploitation by Tech, AI, and Other Companies (June 4, 2024)).
In addition to the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code Ann. § 503.001) and state consumer protection laws, the TAG took on enforcing recently enacted statutes, including:
- A data broker registration law (effective September 1, 2023).
- The Texas Data Privacy and Security Act (effective July 1, 2024).
- The Securing Children Online through Parental Empowerment (SCOPE) Act (enacted in 2023). Some parts of the SCOPE Act have been enjoined pending litigation, but its data privacy provisions are in effect.
(For more information, see Texas Enacts Data Privacy and Security Act and Laws on Data Brokers and Genetic Data Privacy and Texas Data Privacy and Security Act (TDPSA) Quick Facts: Overview on Practical Law.)
Federal Legislation
Congress has yet to pass a general consumer data privacy law or an updated children’s privacy law. Notable legislation such as the proposed American Privacy Rights Act of 2024 (HR 8818) and the Kids Online Safety and Privacy Act (S 2073) garnered support but fell short of enactment.
One exception is the Protecting Americans’ Data from Foreign Adversaries Act of 2024, which was enacted in April and took effect on June 23 (for more information, see President Biden Signs the Protecting Americans’ Data from Foreign Adversaries Act of 2024 on Practical Law). The law, which broadly defines personally identifiable sensitive data, prohibits data brokers from transferring or otherwise making available US individuals’ personally identifiable sensitive data to:
- Foreign adversary countries, namely China, Iran, North Korea, and Russia.
- Entities controlled by a foreign adversary.
(For the complete version of this resource, which includes information on related executive and rulemaking actions, see Trends in Data Privacy and Cybersecurity: 2024 on Practical Law; for more on federal data privacy bills, see Federal Privacy-Related Legislation Tracker and US Children’s Privacy Legislation Tracker: Federal Children’s Privacy Bills on Practical Law.)
State Legislation
States enacted or amended an extraordinary number of data privacy and cybersecurity laws in 2024, including seven new broad consumer privacy laws. Alaska, Oklahoma, and Rhode Island continued the long-standing trend of introducing state insurance data security laws by enacting National Association of Insurance Commissioners model law-based statutes. Several states also followed trends of:
- Joining federal regulators in focusing on data deemed sensitive, like health, financial, and children’s information.
- Addressing AI risks.
- Updating data breach notification obligations.
As of the 2024 legislative season, 20 states have enacted broad consumer privacy laws. Some previously enacted laws:
- Took effect in 2024 in Florida, Montana, Oregon, and Texas.
- Take effect in 2025 in Delaware, Iowa, and Tennessee.
Seven 2024-enacted laws take effect in 2025 and 2026, including:
- The Nebraska Data Privacy Act and the New Hampshire Consumer Data Privacy Act (January 1, 2025).
- The New Jersey Consumer Data Privacy Act (January 15, 2025).
- The Minnesota Consumer Data Privacy Act (July 31, 2025).
- The Maryland Online Data Privacy Act (October 1, 2025).
- The Kentucky Consumer Data Protection Act and the Rhode Island Data Transparency and Privacy Protection Act (January 1, 2026).
Additionally, some states updated existing consumer privacy laws in 2024, including California, Colorado, and Virginia.
(For more on state consumer privacy laws, see US State Consumer Privacy Laws Toolkit and State Consumer Privacy Legislation Tracker on Practical Law.)
Litigation
Data privacy and cybersecurity litigation continued apace in 2024. Common suits and trends included those seeking consumer and shareholder relief for data breaches and cyberattacks, as well as class actions involving web tracking technology and biometric and genetic information. (For the complete version of this resource, which includes more on notable data privacy-related actions, see Trends in Data Privacy and Cybersecurity: 2024 on Practical Law.)
Several 2024 US Supreme Court decisions expanded plaintiffs’ ability to contest certain administrative actions, likely increasing future challenges to data privacy and cybersecurity-related rules and enforcement. Specifically, in:
- Loper Bright Enterprises v. Raimondo, the Court overruled its 1984 decision in Chevron, U.S.A. Inc. v. Natural Resources Defense Council, Inc., which required courts to apply a two-step deference framework when reviewing federal agencies’ statutory interpretations (144 S. Ct. 2244 (2024); 467 U.S. 837 (1984); for more information, see Supreme Court Decision Overturning Chevron Deference in the August 2024 issue of Practical Law The Journal).
- Corner Post Inc. v. Board of Governors of the Federal Reserve System, the Court held that the six-year statute of limitations for challenging a federal rule starts on the date of the plaintiff’s injury, not the rule’s finalization (603 U.S. 799 (2024)).
- Department of Agriculture Rural Development Rural Housing Service v. Kirtz, the Court ruled that individual consumers can sue federal agencies under the FCRA (601 U.S. 42 (2024)).
Data Breach Actions
Continuing the story of one of 2023’s biggest cyber incidents, a consolidated class action against Progress Software Corporation and its MOVEit file transfer software and service mostly survived a motion to dismiss (In re MOVEit Customer Data Sec. Breach Litig., 2024 WL 5092276 (D. Mass. Dec. 12, 2024) (finding Article III standing for most plaintiffs)).
Large-scale 2024 attacks and fast-ensuing data breach litigation activities included:
- The consolidation of 45 class actions in the District of Montana following a threat actor’s theft of over 500 million individuals’ personal information held by third-party cloud storage platform Snowflake, Inc. for AT&T (In re AT&T Inc. Cellular Customer Data Sec. Breach Litig., 2024 WL 4429233 (J.P.M.L. Oct. 4, 2024)).
- A class action filing following the apparent theft of approximately 2.9 billion individuals’ personal information from background search company National Public Data (Complaint, Hofmann v. Jerico Pictures, Inc., No. 24-CV-61383 (S.D. Fla. Aug. 1, 2024)).
2024 data breach class actions highlighted several emerging and continuing themes, including:
- Customer agreements to arbitrate and mass arbitration.
- Attorney-client privilege in data breach investigations.
- Law firm data breaches.
Multimillion dollar settlements following data breaches resulting from various cyber incident types remained common.
(For more on data breach litigation developments, see Key Issues in Consumer Data Breach Litigation and Attorneys’ Duties to Protect Client Data on Practical Law.)
Web Tracking Actions
A notable body of web tracking-related class actions, often filed against health care entities and online retailers alleging disclosure of sensitive personal information, encountered mixed results at the motion to dismiss stage. The cases typically made claims under:
- Common law.
- COPPA.
- The federal Wiretap Act (18 U.S.C. §§ 2511, 2520) and similar state laws (for more information, see Key Issues in Electronic Communications Privacy Act (ECPA) Litigation on Practical Law).
- State consumer protection, medical records, and unfair competition laws (Jones v. Bloomingdales.com, LLC, 2024 WL 5205528 (8th Cir. Dec. 24, 2024) (dismissing session replay claims for lack of Article III standing when plaintiff failed to allege sensitive data collection); Mekhail v. North Mem. Health Care, 726 F.Supp.3d 916 (D. Minn. 2024) (maintaining Wiretap Act and some state law claims); A.B. by and Through Turner v. Google LLC, 2024 WL 3052969 (N.D. Cal. June 18, 2024) (preserving COPPA and state law claims)).
The California Invasion of Privacy Act trap and trace provisions garnered more attention following a 2023 district court decision holding that Cal. Penal Code § 638.50 defines pen registers and trap and trace devices broadly to include tracking software (Greenley v. Kochava, Inc., 684 F.Supp.3d 1024, 1050-51 (S.D. Cal. 2023); Complaint, Lesh v. Cable News Network, Inc., No. 24CV061464 (Cal. Sup. Ct. Jan. 25, 2024); Moody v. C2 Educ. Sys. Inc., 2024 WL 3561367 (C.D. Cal. July 25, 2024) (preserving trap and trace claims at motion to dismiss stage)).
Additionally, a California federal court held that data disclosed using web tracking technologies could qualify as a data breach under the CCPA’s private right of action (In re BetterHelp, Inc. Data Disclosure Cases, 2024 WL 3416511 (N.D. Cal. July 15, 2024); for more information, see Understanding the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) on Practical Law).
2025 Risks and Trends
The seemingly continuous growth curve in data privacy and cybersecurity risks and obligations shows no signs of slowing in 2025. Data privacy and cybersecurity practitioners who adopt a more expansive data ethics and governance approach will be better positioned to:
- Assess risks holistically across their clients’ products, services, and business processes.
- Offer proactive risk management advice to address:
  - potential harms to customers, consumers, and others; and
  - cybersecurity and other threats to information technology and operational technology infrastructure.
- Identify regulatory compliance harmonization and efficiency improvement opportunities.
- Help their clients adapt as AI evolves, other new technologies emerge, and policy approaches under the second Trump administration solidify.
Recent Supreme Court rulings like Loper have restrained federal regulatory authority, and the new administration is generally focused on deregulation. Dissenting FTC and SEC commissioners’ statements in recent actions and announced nominations make narrower regulation readings and fewer novel enforcement actions more likely. However, data privacy and cybersecurity actions increasingly garner bipartisan support, especially those aimed at protecting children, sensitive consumer data, and critical infrastructure.
As these tensions and the 2025 state legislative season play out, organizations must prepare for an already increasing compliance burden as more state data privacy laws come into force. For example, eight state consumer privacy laws take effect in 2025, as well as other state laws to protect children’s privacy and limit social media risks (see State Legislation above).
Other risks and trends to track and consider in 2025 include:
- Varied approaches to AI regulation. Ranging from the EU’s rigorous EU Artificial Intelligence Act ((EU) 2024/1689) to more flexible regimes intended to foster innovation, these obligations may affect data use practices and deployments, including consumer and employee communications. Embedding impact assessment and other review processes in product and service development cycles helps identify and manage risks early. (For more information, see Identifying Data Protection Issues for a New Product or Service Checklist on Practical Law.)
- Continued cybersecurity threats. The cybersecurity threat climate continues to grow with persistent nation-state attacks against critical infrastructure and opportunistic cybercriminal-driven ransomware and other incidents. Regulators increasingly seek to hold organizations accountable for failures to maintain reasonable measures. Meeting these challenges requires:
  - supporting known effective critical security controls appropriate for each organization’s unique, evolving cyber risk profile;
  - developing and regularly exercising a cyber incident response plan; and
  - recognizing that core cyber hygiene investments pay off by building resilience and lowering enforcement risks, especially as harmonization efforts around accepted practices advance. (For more information, see Cybersecurity Toolkit (US) on Practical Law.)
- Heightened data protection standards for sensitive personal information. Recent enforcement actions have imposed higher standards for personal information deemed sensitive, especially location, health, and financial data, as well as children’s information. Public sentiment and legislative activity support this ongoing trend. Identifying potential, even unintended data collection points and applying extra scrutiny and protection to any uses helps minimize risks. (For more information, see Tracking Technologies: Privacy and Data Security Issues on Practical Law.)
- Increasing service provider and supply chain risks and expectations. Cyber incidents and widely impacting software outages in 2024 reiterated the risks inherent in using service providers and purchasing software. Most, if not all, organizations must engage in these transactions to remain competitive. Managing these risks requires organizations to:
  - identify and understand their roles and dependencies in various, often overlapping business ecosystems;
  - hold service providers and suppliers accountable through their purchasing decisions and agreements; and
  - plan for meeting business continuity needs if products or services fail or become unavailable. (For more information, see Managing Privacy and Data Security Risks in Vendor Relationships on Practical Law.)
- More state-level data privacy enforcement actions. Additional state data privacy laws coupled with greater consumer awareness inevitably mean more state enforcement actions. Minimizing potential risks demands that organizations identify current and emerging obligations and monitor ongoing compliance. (For more information, see State Data Privacy Laws Toolkit on Practical Law.)
- Expanding global data protection and cross-border data transfer obligations. More countries continue to enact and update data protection laws and regulations, often focusing on cross-border personal data transfers. Recognizing that different jurisdictions address data protection in materially different ways and addressing those variations before moving into new markets or workforce locations lowers risks. (For more information, see Cross-Border Personal Data Transfers Toolkit on Practical Law.)