Dechert Cyber Bits

Issue 87 - December 11, 2025


Congratulations to Brenda Sharton!

Brenda Sharton, global chair of Dechert’s Cyber, Privacy and AI practice group, recently was named a 2025 Law360 MVP for Cybersecurity & Privacy for the third time. Law360 awards this recognition annually to only a handful of lawyers who have “distinguished themselves from their peers by securing hard-earned success in high-stakes litigation, complex global matters or record-breaking deals” in the past year.


SEC Voluntarily Dismisses SolarWinds Cybersecurity Enforcement Action

On November 20, 2025, the Securities and Exchange Commission (“SEC”) announced that it had voluntarily dismissed its enforcement action against software developer SolarWinds Corp. (“SolarWinds”) and its Chief Information Security Officer (“CISO”). SolarWinds suffered a supply-chain cyberattack in 2020 in which attackers reportedly connected to the Russian government inserted malicious code into updates to its Orion network-management platform; the SEC alleged that the attackers had gained access to the company’s environment through its virtual private network (“VPN”). The incident affected numerous customers, notably federal agencies including the U.S. Department of Homeland Security and the Treasury Department. The SEC had alleged that SolarWinds intentionally made misleading statements about its cybersecurity practices before the breach.

The lawsuit was initially brought under the Biden administration and marked the first time the SEC had alleged that a company defrauded investors by hiding known cybersecurity weaknesses. It was also the first time the SEC had charged a corporate executive, SolarWinds’ CISO, for allegedly assisting in the cover-up of cybersecurity vulnerabilities. In July 2024, Judge Paul Engelmayer of the Southern District of New York dismissed most of the claims against SolarWinds, finding that the company’s post-breach statements were not deceptive because, at the time it made them, the company did not know that the disclosed attack may have been linked to earlier security incidents. However, the court permitted the SEC to proceed with its theory that a security statement posted on SolarWinds’ website was fraudulent because of misleading claims about the company’s access control and password protection practices.

Recent public remarks by new SEC leadership suggest that the SEC may be recalibrating aspects of its enforcement philosophy. SEC Chairman Atkins emphasized a return to the SEC’s “roots” of promoting, rather than constraining, innovation, along with greater transparency and predictability in how SEC staff exercise enforcement authority. The SEC has said that it does not intend to second-guess reasonable, good-faith cybersecurity decisions and will instead prioritize accurate incident disclosure, remediation, and the pursuit of bad actors.

Takeaway: While companies should remain vigilant regarding their cybersecurity practices, the SEC’s voluntary dismissal may signal a welcome shift away from the “blame the victim” enforcement mentality that had permeated the SEC in prior years. The dismissal of the case against the CISO should allay concerns among information security professionals that they may be targeted for their good-faith actions. Worse, the prior posture risked causing them to refrain from raising issues at all, lest the SEC later decide, after the fact, that the concerns they raised did not square entirely with the company’s public disclosures. In reality, those public disclosures are generally vetted by multiple people at a company, including counsel, and the final language may be something an information security professional never sees, much less controls. The prior posture likely made it harder for companies to fill those jobs. Of course, companies should continue to evaluate their public statements and internal policies for compliance with cybersecurity rules and regulations, and to vet the accuracy of public statements vis-à-vis the company’s own internal assessments.


Mobile App Developer Agrees to $1.4 Million CA AG Settlement and Enhanced In‑App Privacy Controls

On November 21, 2025, California Attorney General Rob Bonta (“CA AG”) settled with mobile gaming developer Jam City Inc. (“Jam City”) for $1.4 million to resolve allegations that Jam City failed to provide consumers with a way to opt out of the sale and sharing of their personal information and improperly shared or sold data belonging to users under the age of 16 without required permissions. This marks the sixth settlement secured by the CA AG under the California Consumer Privacy Act (“CCPA”).

The CA AG alleged that Jam City violated the CCPA by not offering a method in its 21 mobile apps for consumers to opt out of the sale or sharing of their data, even though Jam City allegedly disclosed personal information for personalized advertising purposes. The CA AG also alleged that certain Jam City titles shared or sold the data of children ages 13 to 15 without obtaining the affirmative, opt-in consent that the CCPA requires. In addition to the $1.4 million civil penalty, Jam City agreed to injunctive relief requiring it: (1) to implement clear and conspicuous in-app methods for consumers to stop the sale or sharing of their data; and (2) to refrain from disclosing the personal information of users ages 13 to 15 without their affirmative, opt-in consent.

Takeaway: This settlement is the latest in a series of deals reached by the CA AG that underscore the state’s ongoing focus on CCPA compliance. It serves as a reminder that businesses must treat ad-tech exchanges as potential sale or sharing activities, given the breadth of the CCPA’s provisions. Companies offering apps to California consumers will want to provide robust and easy-to-use opt-out controls for the sale and sharing of personal information, including for targeted advertising. Additionally, services or apps that may be used by minors will want to take extra precautions and seek affirmative consent for the sale and sharing of data.


EU Digital Laws Simplification Incoming

On November 19, 2025, the European Commission published its proposed Digital Omnibus simplification package. The proposals are designed to respond to mounting pressure to simplify rules across data, AI, and cybersecurity in order to facilitate innovation among EU businesses while upholding the EU’s commitments to privacy, fairness, and security.

Key elements include:

  • revising the definition of “personal data” to clarify that data that is personal in one party’s hands may not be personal in another’s (i.e., taking into account pseudonymization efforts);
  • updated cookie rules requiring one-click refusal mechanisms and no-repeat consent requests and, longer-term, requirements to enable choices through machine-readable signals;
  • clarification that processing of personal data for training AI models is a “legitimate interest” for the purposes of Article 6 of the GDPR;
  • rights for a controller to reject (or charge a fee for) a data subject access request where a request abuses the right for purposes other than protecting the individual’s data;
  • the development of a single reporting interface for IT/data incidents covering GDPR, NIS, DORA and CER reporting requirements, as well as amending the GDPR to only require reporting of high-risk incidents and to allow a longer 96-hour reporting period;
  • an extension to the deadline to comply with the provisions of the AI Act applicable to “high-risk AI systems”, with a long stop date of December 2, 2027; and
  • removal of the AI literacy obligation from providers and deployers of AI and replacing it with an obligation on the European Commission and Member States to take steps to foster AI literacy.

Stakeholder reactions have been sharply divided. Former European Commissioner Thierry Breton warned against any rollback of the EU’s digital sovereignty, arguing that “simplification” must not dilute the integrity of the GDPR, the AI Act, or broader digital-market protections. Similarly, advocacy groups such as NOYB, represented by Max Schrems, argued the proposals would “massively lower protections” and create loopholes. On the other side, industry actors including the Computer & Communications Industry Association deemed the reforms too narrow, calling for further deregulation to improve competitiveness. The proposals now go to the European Parliament and the Council, whose respective positions will then have to be reconciled in trilogue negotiations, a process expected to take many months and likely to generate further debate as legislators attempt to balance innovation, legal certainty, and fundamental-rights protections.

Takeaway: Generally, the proposed changes are relatively narrow and aligned with recent EU case law, rather than being a complete deregulatory overhaul. Organizations will want to keep an eye on how the Omnibus package develops. However, going by the duration and intensity of negotiations among legislators to get the AI Act passed in the first place, there is a strong likelihood of changes before the reforms are passed. 


Impact of AI in the Financial Sector

The European Parliament recently published its report on the impact of artificial intelligence on the financial sector, highlighting that AI adoption across the EU financial services sector is accelerating. While financial institutions have long made ample use of classical machine learning, they are now also experimenting with generative AI as a support tool. The report notes that the majority of current AI use cases aim to streamline back-office processes. However, the use of AI to evaluate creditworthiness (a high-risk use under the EU AI Act) is increasing.

The report mirrors themes raised by the UK Financial Conduct Authority’s (“FCA”) Director of Market Oversight, Dominic Holland, in a recent speech. Holland emphasized that AI and advanced analytics are transforming markets and present significant opportunities for innovation, but cannot replace the judgment, contextual awareness, and ethical responsibility of human analysts. While making clear that the FCA encourages innovation, including the development and deployment of AI-based solutions, Holland cautioned that the risks associated with such innovation must be actively managed.

Takeaway: Both sources point toward a converging EU–UK regulatory trajectory: encouraging responsible use of AI to improve competitiveness and efficiency, while safeguarding market integrity through strong human oversight, proportionate compliance, and supervisory cooperation. Financial institutions looking to implement AI will be encouraged by the pro-innovation stance of these recent statements, but will want to continue to exercise caution and carry out a thorough review of all AI projects to identify and mitigate risks. 


FTC Reaches Settlement with Illuminate Over Data Breach Impacting 10 Million Students

On December 1, 2025, the Federal Trade Commission (“FTC”) announced a proposed settlement with Illuminate Education, Inc. (“Illuminate”). Illuminate collects and retains student contact information, student records and health information through its education technology products. According to the FTC complaint, Illuminate assured its clients that it properly safeguarded student information but failed to put reasonable security measures in place, leading to more than 10 million students’ data being exfiltrated in a 2021 data breach. The complaint alleges that Illuminate stored sensitive student records in plain text, ignored security vulnerability warnings from a third-party vendor, failed to maintain proper access controls or threat detection, and allowed an attacker to log into its systems using the credentials of an employee who had left the company more than three years earlier. The FTC also alleged that Illuminate delayed notifying school districts about the breach and, in some cases, waited almost two years before disclosing that student data had been compromised. Illuminate did not admit any wrongdoing in connection with the settlement.

Under the FTC’s proposed order, as is typical, Illuminate would be prohibited from misrepresenting its data security practices. In addition, the order would require Illuminate to delete personal information that is no longer necessary to provide services, follow a public data retention schedule that explains why data is collected and sets timelines for deletion, and establish an information security program that protects the security and integrity of student data. It would also require Illuminate to notify the FTC when it reports a breach to another government entity.

Takeaway: Given the conclusory nature of the government’s account of the facts, it is unknown how dated the data was and exactly what data was exposed—was it just contact information—which often becomes dated as students move on—or was it actual academic records of a more sensitive nature? Either way, the action against Illuminate underscores the FTC’s continued focus on data protection practices and breach response protocols. Companies that collect student data should expect heightened scrutiny, particularly regarding retention practices and prompt breach notifications. The proposed order points to the FTC’s expectation that companies make their retention schedules public and justify why they hold sensitive data. 
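Two of the control failures alleged in the FTC complaint, the stale credentials of a long-departed employee and the absence of threat detection, are straightforward to check for. The following is an added example, not part of this newsletter or of anything Illuminate or the FTC published, that reconciles a constructed HR separation list against a constructed directory export and a few constructed authentication log lines (the user names, dates and IP addresses are all hypothetical). It reports any login attempt by an account whose owner has already left, and any such account that is still enabled.

```python
"""Reconcile HR separations against directory accounts and authentication logs.

Added illustration for the Illuminate item above; all names, dates and log lines
below are constructed and are not drawn from the FTC complaint.
"""
from dataclasses import dataclass
from datetime import date, datetime, timezone

# Hypothetical HR separation dates: account name -> last day of employment.
OFFBOARDED = {
    "jdoe": date(2018, 6, 30),
    "asmith": date(2021, 11, 15),
}

# Hypothetical directory export: account name -> whether the account is enabled.
ACCOUNTS = {
    "jdoe": True,      # left in 2018 but never disabled
    "asmith": False,   # disabled on departure, as it should be
    "bwong": True,     # current employee
}

# Constructed authentication log lines (timestamp, event, key=value fields).
AUTH_LOG = [
    "2021-12-28T03:14:07Z login user=jdoe src=203.0.113.9 result=success",
    "2021-12-28T09:02:11Z login user=bwong src=198.51.100.4 result=success",
    "2021-12-28T09:05:40Z login user=asmith src=203.0.113.9 result=failure",
]


@dataclass(frozen=True)
class Finding:
    user: str
    when: str
    days_since_departure: int
    result: str


def parse_event(line):
    """Split one log line into a UTC datetime and a dict of key=value fields."""
    ts, _event, rest = line.split(" ", 2)
    fields = dict(f.split("=", 1) for f in rest.split())
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, fields


def stale_logins(auth_log, offboarded):
    """Return every login attempt, successful or not, made after the account owner left.

    Failed attempts are reported too: a departed employee's credentials being tried
    is itself a signal that the account should have been removed.
    """
    findings = []
    for line in auth_log:
        when, fields = parse_event(line)
        left = offboarded.get(fields.get("user"))
        if left is None or when.date() <= left:
            continue
        findings.append(Finding(
            user=fields["user"],
            when=when.isoformat(),
            days_since_departure=(when.date() - left).days,
            result=fields.get("result", "unknown"),
        ))
    return findings


def enabled_after_departure(accounts, offboarded, as_of_iso):
    """Return departed users whose directory account is still enabled as of a date."""
    as_of = date.fromisoformat(as_of_iso)
    return sorted(user for user, enabled in accounts.items()
                  if enabled and user in offboarded and offboarded[user] < as_of)


if __name__ == "__main__":
    for f in stale_logins(AUTH_LOG, OFFBOARDED):
        print(f"{f.when} {f.user}: {f.result} login {f.days_since_departure} days after departure")
    print("still enabled:", enabled_after_departure(ACCOUNTS, OFFBOARDED, "2021-12-28"))
```

On the constructed data, the report flags a successful login by jdoe 1,277 days after departure and a failed attempt against asmith, and lists jdoe as the one departed user whose account is still enabled. In practice the same reconciliation is run on a schedule against the real HR feed and identity provider, and the login check is expressed as a detection rule in whatever SIEM the organization uses.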


Dechert Tidbits

SEC to Scrutinize Firms’ Readiness for New Data Breach Notification Rule

The Securities and Exchange Commission’s Division of Examinations announced that it will begin reviewing broker-dealers and investment advisers for compliance with the amended Regulation S-P, which requires firms to maintain an incident response program to detect and respond to unauthorized access to customer information and to notify affected individuals, generally within 30 days, when their sensitive personal information may have been compromised. The rule took effect for larger firms on December 3, 2025, and takes effect for smaller firms on June 3, 2026.

New UK Cyber Bill Published

The UK has introduced the Cyber Security and Resilience (Network and Information Systems) Bill, which significantly expands the 2018 NIS framework by, among other things: (i) bringing new services (such as data centres, load control and managed services) into scope; (ii) enabling regulators to designate “critical suppliers”; and (iii) updating the incident reporting regime by expanding the scope of what should be reported and introducing a two-stage reporting structure with initial reports required within 24 hours, and a full report to follow within 72 hours. The Bill will now proceed to second reading in the House of Commons where MPs will have the opportunity to debate it.

California Privacy Protection Agency Launches Strike Force to Crack Down on Data Brokers

The California Privacy Protection Agency (“CPPA”) announced a new Data Broker Enforcement Strike Force to increase oversight of data brokers and ensure compliance with the Delete Act and broader CCPA obligations. The Strike Force will focus on registration failures, improper data handling, and risks stemming from large-scale personal data collection. The CPPA also confirmed the January 2026 launch of a new platform called the Delete Request and Opt-Out Platform, which will allow consumers to request the deletion of their data across all brokers at once.

Holyoak Leaves FTC For Interim U.S. Atty in Utah

Former Commissioner Melissa Holyoak is reported to have left the U.S. Federal Trade Commission (“FTC”) to become Utah’s interim U.S. Attorney. This leaves the FTC with only two commissioners, both Republican. The move occurs amid the firings of Democratic commissioners and the U.S. Supreme Court entertaining related litigation.


We are honored to have been recognized in The Legal 500 and Chambers USA, nominated by The American Lawyer for the Best Client-Law Firm Team award with our client Flo Health, Inc., and named Law360 Cybersecurity & Privacy Practice Group of the Year! Thank you to our clients for entrusting us with the types of matters that led to these recognitions.



Dechert’s global Cyber, Privacy and AI practice provides a multidisciplinary, integrated approach to clients’ privacy and cybersecurity needs. Our practice is top-ranked by The Legal 500, and our partners are well-known thought leaders and sought-after advisors in the space with unparalleled expertise and experience. Our litigation team provides pre-breach counseling and handles all aspects of data breach investigations, as well as the defense of government regulatory enforcement actions and class action litigation, for clients across a broad spectrum of industries. We have handled over a thousand data breach investigations of all types, including nation-state intrusions, ransom/cyber extortion, vendor/supply-chain compromises and DDoS, brought by threat actors ranging from nation states to organized crime to insiders. We also represent clients holistically through the entire life cycle of issues, providing sophisticated, solution-oriented advice and counseling on cutting-edge data-driven products and services, including trend forecasting, personalized content and targeted advertising across sectors, under such key laws as the CCPA, CPRA and other state consumer privacy laws; Section 5 of the FTC Act; the EU/UK GDPR and e-Privacy Directive; and the rules governing cross-border data transfers. We also conduct privacy and cybersecurity diligence for mergers and acquisitions, financings, corporate transactions, and securities offerings.