2025: what to expect in privacy, security and AI
Good: more AI laws. Bad: more AI-enabled hacks.
Hi there,
Welcome to FILED Newsletter, your round-up of the latest news and views at the intersection of data privacy, data security, and governance.
This month:
- Texas’ attorney general is suing insurance giant Allstate for alleged breaches of customers’ privacy
- Addiction treatment firm Baymark confirmed patients’ personal information was compromised
- What you need to know about the Space Bears ransomware
But first, what does 2025 have in store for privacy and security?
If you only read one thing:
2025: what to expect in privacy, security and AI
Happy new year and welcome to 2025, the most futuristic sounding year yet. When we were last in your inbox, we were covering all the biggest news from 2024 and confirming the accuracy of our predictions. In the meantime, while enjoying the holidays we’ve formulated a collection of new predictions for 2025, and now it’s time to share them so we can repeat the process in 11 months, hopefully with the same level of accuracy.
In the US, the patchwork of privacy laws continues its expansion
In the United States, the incoming Trump administration is likely to loosen restrictions and enforcement at federal agencies such as the Federal Trade Commission and the Federal Communications Commission.
The administration will have help in the courts: the Sixth Circuit’s decision to strike down the Federal Communications Commission’s net neutrality rule is a bad omen for the FCC's data breach reporting rules, which could also be gutted in a similar decision.
And in the legislative branch, don’t expect a federal privacy law to be passed. The American Privacy Rights Act (APRA) Bill briefly looked like it had the support it needed to become law, but it won’t get far in a new Senate. The exception to this rule is the bipartisan support for a children’s online privacy law. The Kids Online Safety and Privacy Act – which passed in the Senate last year – is due to be reintroduced in the next Congress.
All of this deregulation at the federal level will coincide with increased activity at the state level. Eight more states have privacy laws coming into effect: Delaware, Iowa, Maryland, Minnesota, Nebraska, New Jersey, New Hampshire, and Tennessee. With an absence of federal privacy regulations, more states will look to fill the gap by enacting comprehensive privacy laws, with a particular focus on protecting consumer health information.
In Australia, more Privacy Act amendments may be made, just don’t call it “Tranche 2”
After a first batch of amendments to the country’s privacy laws received Royal Assent in December, everyone is waiting for “Tranche 2”, which will incorporate the remainder of those amendments agreed to or agreed to in principle.
Remember, there will be a federal election this year, on or before May 17. While privacy issues have enjoyed increasing relevance lately, it’s far from certain they will be a key election issue. Whatever the outcome, it’s not a certainty that “Tranche 2” will be brought forward. More likely, some of the recommendations approved by the government will be passed, including a “fair and reasonable” test.
Finally, the statutory tort for serious invasions of privacy, a key amendment from Tranche 1, is due to go into effect this year. The cause of action will commence on June 10, so expect a flurry of claims around that date.
Increased AI regulation – and enforcement – and a new Brussels Effect
The EU’s AI Act went into force last year, but penalties will begin to bite in August. Most organizations will focus on compliance with the GDPR as a first step.
AI might offer the latest example of the “Brussels Effect”, where countries around the world take their cue from the EU in drafting their own AI regulations. South Korea became the second nation to enact a comprehensive AI law (Brazil has an AI law awaiting approval) at the end of 2024 and clearly drew a lot of inspiration from the EU’s approach. Its law, the “Basic Law on AI Development and Trust-Based Establishment”, offers a risk-based approach, a focus on ethical guidelines and trustworthy AI, and a protection of fundamental rights, among other features.
For more on what to expect in global AI regulation in 2025, check out our article.
As with privacy, we should expect a flurry of US states to enact their own AI laws, joining the (as of writing) six states that have AI regulations in effect, and three other states with regulations in the works. At the federal level, expect President-elect Donald Trump to repeal President Biden’s executive order on AI, and wider AI policy, early in his term (maybe not Day One). Moving forward, expect federal AI policy to be addressed more through the lens of competition with China on innovation and national security.
AI becomes a key ingredient in cyberattacks
Speaking of AI, this year AI will be increasingly used in ransomware attacks and phishing, but also in devising zero-day vulnerabilities. And speaking of national security, the rate of state-sponsored attacks shows no sign of slowing.
Meanwhile, despite what Jensen Huang says, more companies will start to worry about the threat to strong encryption standards posed by quantum technology and begin investing in deploying post-quantum cryptography.
🕵️ Privacy & governance
Google can question Texas officials in privacy lawsuit, appeals court rules.
More 2025 crystal ball gazing: Five Trends To Watch: 2025 EU Data Privacy & Cybersecurity.
When it comes to implementing AI, data privacy is the biggest concern, a new survey reveals.
Is your (US) business ready for 2025's privacy law developments? Learn what you need to do.
🔐 Security
Fortinet firewall users were told to patch their devices against active attacks targeting a zero-day vulnerability, following a leak of configuration data pertaining to 15,000 devices.
What you need to know about the Space Bears ransomware.
Researchers at Microsoft say "red teaming" is a job only a human can do well.
What happens to malicious infrastructure created by attackers, after they stop maintaining it?
The PowerSchool data breach was close to a worst-case scenario, according to one cybersecurity expert.
The latest from RecordPoint
📖 Read:
Understanding where data is and what it’s used for will improve your business outcomes. Learn why data lineage matters and how to use it in your organization.
What is a data catalog? Examples from Airbnb + GE Aviation
🎧 Listen:
In the finale of FILED Season 2, Anthony and Kris take a walk down memory lane, reviewing their favorite clips and discussing themes and events from a busy year in privacy, cybersecurity, governance and records (and AI).