Morrison Foerster is an international law firm with lawyers practicing throughout the United States, Asia, and Europe. Click to discover more.

mofo_share_image.jpg

Morrison Foerster

common-default.jpeg

Terms / Notices

Cookies

Privacy Policy

Reporting Hotline

Attorney Advertising

Alumni

  Linkedin

MoFo LinkedIN

  Facebook

MoFo Facebook

YouTube

MoFo Youtube

Morrison Foerster - Footer

A MoFo Privacy Minute Q&A: Getting Ahead of State AGs’ 2025 Data Security Enforcement Priorities

You have not solved the recaptcha challenge yet or session expired, try again.

Email Disclaimer

Disclaimer

Unsolicited e-mails and information sent to Morrison Foerster will not be considered confidential, may be disclosed to others pursuant to our <a href="https://www.mofo.com/about/privacy-policy.html">Privacy Policy</a>, may not receive a response, and do not create an attorney-client relationship with Morrison Foerster. If you are not already a client of Morrison Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.

Feedback

mofo-logo-2022.svg

People

Capabilities

Resources

About

Culture

Offices

Careers

Stay Connected

This is “A MoFo Privacy Minute,” where we will answer the questions our clients are asking us in sixty seconds or less.Question:...

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.

About Morrison Foerster

people-default-header-desktop.jpg

people-default-header-mobile.jpg

Default Meta Data

This is “A MoFo Privacy Minute,” where we will answer the questions our clients are asking us in sixty seconds or less.Question: In 2024, we saw state attorneys general (State AGs) continue to pursue data security claims against companies. What should we expect from State AGs in 2025, especially with the change of administration, and what should we be doing right now to stay ahead of the curve?Answer:In 2024, data security remained top-of-mind for State AGs as they continued to levy hefty fines and to require the implementation of robust compliance programs for organizations they believed had fallen short. This was especially true where State AGs believed an entity had failed to heed warnings about exploitable vulnerabilities. Even with the upcoming change in administration in the United States, we anticipate this trend in enforcement priorities will continue, with an additional focus on data related to new technologies (such as brain wave data captured from a consumer headset) and data that could be used to further some State AGs’ agendas (such as geolocation data that could be used to indicate an individual received reproductive healthcare). Now is the time for all organizations to take stock of where they are, both by “going back to the basics” and by ensuring they are keeping up with current and anticipated threats. Organizations should:<ul><li>Double check their process to ensure data minimization in terms of what data they capture, store, and share with third parties;</li><li>Validate their information security program, including their incident response plans;</li><li>Revisit their authentication practices, including multi-factor authentication and password hygiene practices;</li><li>Check their logging and monitoring, suspicious activity alerting and threat response procedures, software development lifecycle practices, and password practices; and</li><li>Update or perform appropriate risk assessments, including making sure their documentation of these is refreshed.</li></ul>It is also especially important to ensure you “know your data.” Organizations should:<ul class="li-text-orange"><li>Confirm that their data inventory is up-to-date, including knowing what data is being passed to third parties and how that data is being safeguarded or used by those third parties;</li><li class="li-text-orange">Account for newly enacted laws that expand the definition of “sensitive data” (see, for example, our <a href="/resources/insights/241011-a-mofo-privacy-minute-q-a-california-revises-ccpa" target="_self">Client Alert</a> on California adding neural data to its definition); and</li><li>Think holistically about their data collection and retention practices and review their plan to respond to regulator or law enforcement inquiries seeking access to these data sets (i.e., if an organization holds information regarding gender-affirming medical care, sexual orientation, or gender identity, what steps would be taken in connection with providing the information sought). </li></ul>Hebani Duggal, an associate in our New York Office, contributed to the writing of this article.

A MoFo Privacy Minute Q&A: Getting Ahead of State AGs’ 2025 Data Security Enforcement Priorities

Sign Up

Linda Clark is a partner in Morrison Foerster’s Privacy + Data Security Group. Prior to joining the firm, Linda served as the Chief Data Security Counsel for RELX, where she led the data security legal compliance efforts for RELX in over 40 countries and across their operations in four different market segments worldwide. Prior to that, Linda was a litigator at a large New York law firm. She has over 20 years’ experience advising clients, including on data security best practices and obligations, designing and implementing frameworks for compliance across large multinational organizations, and in complex litigation and regulatory matters.Linda’s practice centers on crafting strategic and comprehensive data security risk management programs, providing business-focused and practical advice, and leveraging her knowledge and deep experience to help organizations and their stakeholders, at all levels, prepare for and respond to incidents on a global and operationally feasible basis. This includes working with clients to proactively prepare for cyber incidents, including by developing incident response programs and risk assessment methodologies and conducting tabletop exercises for global audiences of varying seniority and responsibility. This comprehensive approach to incident readiness helps organizations hone the skills they will need to support critical decision making in high-stakes situations, allowing organizations to implement and leverage an incident response framework that goes beyond legal compliance and supports ethical decision-making.A defining aspect of Linda’s counsel is her ability to translate complex legal issues into actionable advice while accounting for the myriad and diverse concerns of stakeholders at all levels of an organization. She combines an in-depth understanding of technology and cybersecurity with knowledge of the challenges and opportunities clients face when addressing real-world issues. She has a broad command of global privacy and data security laws, having worked on matters in the United Kingdom, the United States, France, Japan, the Netherlands, South Africa, Australia, China, Austria, Brazil, the Philippines, and Germany. She frequently engages with regulators and law enforcement, enabling her to understand and navigate regulatory reviews, third-party audits, and investigations on behalf of her clients around the globe.An industry thought leader, Linda frequently speaks at conferences and educational institutions and is sought out by leading publications and think tanks for her analysis on timely data security and privacy issues, including the American Bar Association (ABA) Cyber Security Institute on topics such as ethical obligations to secure client information, cybersecurity risks, trends in the law relating to data security, and risk management and minimization strategies. Linda also speaks at schools and universities to educate younger generations about safeguarding their digital identities. Additionally, Linda works with leading U.S. nonpartisan, nonprofit law-and-policy think tank, the Sedona Conference, where she has served on the Data Security and Privacy Liability Leadership Council since 2017.Linda graduated cum laude from Barnard College, Columbia University, and is a graduate of the University of Michigan Law School. While at Barnard, Linda was a Research Assistant for the Human Learning and Memory lab, and also focused her studies on human and primate cognition. She is also a Certified Information Privacy Professional (CIPP/US) and a Steering Committee Member, New York City Bar’s Cyrus R. Vance Center for International Justice, Miami Chapter of “Women in the Profession.” She previously served on the Steering Committee for the Cybersecurity Leaders’ Roundtable as well as on the Executive Committee of the Leukemia and Lymphoma Society.

Linda Clark

Partner

Kathryn Taylor is an associate in the firm’s Privacy + Data Security Practice Group and is based in the New York office.Kathryn’s practice focuses on advising clients on privacy and cybersecurity issues, including compliance with U.S. and European privacy and data protection laws and strategies for implementing AI and other emerging technologies. Kathryn received her J.D. from New York University (NYU) School of Law, where she served on the Journal of Legislation & Public Policy. During law school, she completed a U.S. policy internship with Access Now, where she conducted research on dark patterns, facial recognition, AI, and data protection. She externed with the New York Attorney General’s Office in the Bureau of Internet and Technology and spent two semesters engaged in clinical work for the American Civil Liberties Union’s Speech, Privacy & Technology Project via NYU’s Technology Law & Policy Clinic.Before law school, Kathryn served as an associate at Goldman Sachs in Cybersecurity Regulation, Policy & Strategy and previously as a James C. Gaither Junior Fellow in Cyber, Technology, and Nuclear Policy at the Carnegie Endowment for International Peace. She received her B.A. summa cum laude in international studies and computer science from Emory University.

Kathryn Taylor

Associate

Privacy + Data Security