Key Cybersecurity and Privacy Focus Areas for 2026: An Overview of Legal Risks

As we approach 2026, corporate legal risks are escalating due to increasingly sophisticated cyber threats from state-sponsored actors, tighter federal regulations, and proactive enforcement of privacy laws at the state level.

Today’s landscape is fraught with rising cybersecurity threats and heightened privacy issues. The rapid evolution of technology, alongside increasing regulatory demands, presents both challenges and opportunities. All stakeholders, including public and private entities as well as individuals, must navigate this complex environment.

According to the latest Annual Litigation Trends Survey conducted by Norton Rose Fulbright, almost 40 percent of corporate counsel reported that their organizations faced greater exposure to cybersecurity and privacy disputes in 2025. This increase in exposure exceeded already high expectations from the previous year, with cybersecurity and privacy emerging as the fastest-growing area for class action lawsuits.

Successfully navigating these challenging waters demands continuous education and the establishment of clear priorities. Below are the primary factors contributing to legal exposure in cybersecurity and privacy that warrant significant attention:

State-sponsored actors empowered by advanced technology

As we head into 2026, escalating geopolitical tensions worldwide are intensifying conflicts within the digital domain. Recent events in the Middle East have exacerbated existing cyber battlegrounds. The urgency to protect against state-sponsored threats has surged, particularly for critical infrastructure sectors. With the interconnected nature of digital systems through supply chains and data-sharing practices, finding a safe haven is increasingly difficult across all industries.

State-sponsored threat actors operate with remarkable sophistication, utilizing cutting-edge technologies, including artificial intelligence, to execute attacks and maximize their effects. Their activities often lead to disruptions in vital services, data breaches, and unlawful revenue generation. The swift adoption of new tools by attackers gives them an advantage, while defenders tend to adopt changes more cautiously, resulting in slower responses.

Moreover, both preparing for and responding to these threats are challenging, especially when considering the subsequent legal complexities. Various forms of cybersecurity and privacy disputes may arise, potentially revealing additional compliance vulnerabilities.

Ongoing federal focus on cybersecurity and privacy, particularly regarding national security

The clear link between cybersecurity, privacy, and national security has prompted numerous federal initiatives in recent years. Most recently, in March 2026, the White House unveiled the administration’s Cyber Strategy for America, reaffirming its commitment to enhancing the nation’s cybersecurity framework.

In 2025, the U.S. Department of Justice implemented the Data Security Program to regulate specific categories of data transactions involving designated countries and individuals. Although the rulemaking process has faced delays since the enactment of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), the Cybersecurity and Infrastructure Security Agency (CISA) initially planned to host town hall meetings this spring regarding 2024’s proposed CIRCIA regulations.

In terms of enforcement, the Department of Justice has emphasized its ongoing commitment to cybersecurity, particularly through the Civil Cyber-Fraud Initiative, which employs the False Claims Act to address fraud related to cybersecurity perpetrated by government contractors and grant recipients.

While the U.S. Securities and Exchange Commission has been less active in this domain recently, the Federal Trade Commission has shown renewed interest. In February 2026, it cautioned data brokers about potential violations of the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA) and organized a workshop on consumer injuries and benefits in the data-driven economy, examining how empirical evidence of these issues might influence enforcement actions and judicial reviews.

Despite lingering uncertainties regarding specific guidance, it is reasonable to conclude that federal scrutiny remains strong, particularly for organizations engaging with the federal government as service providers or partners handling sensitive government or personal data.

Collaborative initiatives among state government agencies

As organizations strive to keep pace with the rapidly evolving cybersecurity threat landscape, state government agencies are taking proactive measures to address regulatory and enforcement gaps.

California is at the forefront with its newly implemented regulations under the California Consumer Privacy Act (CCPA), which requires certain businesses to perform comprehensive annual cybersecurity audits covering 18 components, including multi-factor authentication (MFA) and incident response management. Furthermore, the New York Department of Financial Services has strengthened its cybersecurity requirements for financial institutions under 23 NYCRR 500, with updated MFA guidance announced in February 2026.

On the privacy front, state regulators are working to collaborate despite the challenges posed by the growing complexity of federal and state regulations. In 2025, several state regulators formed a bipartisan group known as the “Consortium of Privacy Regulators” to exchange expertise and resources and coordinate investigations into potential legal violations. Consortium members, including the California Privacy Protection Agency, are committing resources to enforce privacy laws and are prepared to address consumer rights regarding opt-outs and data broker monitoring. Moving forward, state regulators are expected to enhance collaboration across state and national borders and tackle common privacy issues, such as children’s privacy and dynamic pricing, also known as algorithmic or surveillance pricing, as part of broader consumer protection efforts. As threat actors grow more sophisticated, so too will defenses, the governing laws, and their enforcement bodies.

Increased risks associated with third-party service providers

Recognizing the significance of managing third-party risks, state regulators are aware that many incidents arise within the third-party service provider or vendor landscape. Effective management of third-party relationships is a crucial aspect of CCPA regulations. Prior federal guidelines have also underscored this emphasis. For instance, the Securities and Exchange Commission's Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure requirements stress the importance of managing risks posed by third-party service providers. Additionally, the Cyber Resilience Act identified third-party risk evaluation as one of its eight core best practices for preventing and addressing ransomware attacks in its January 2026 Public Notice.

In an era marked by persistent supply chain attacks, a robust cybersecurity strategy necessitates a well-established process for identifying and mitigating risks associated with third-party service providers. Demonstrating effective third-party risk management involves more than just completing documentation; it requires understanding and monitoring the actual practices of third-party service providers and continually striving for improvements.

Emerging conflicts: whistleblowers and innovative litigants

The era of only high-profile data breaches leading to straightforward class action lawsuits has long passed. There has been a surge in cybersecurity and privacy claims fueled by an increasing number of laws and regulations, along with innovative arguments stemming from government enforcement actions, strike forces, and lawsuits leveraging broad interpretations of existing laws.

The False Claims Act, originating from the Civil War era, exemplifies this trend. Both federal and state governments can utilize private whistleblowers who file qui tam actions on behalf of the government under this legislation. The Department of Justice is particularly looking to whistleblowers as critical sources for identifying potential cybersecurity noncompliance. State regulators are exploring how to replicate this strategy not only under state False Claims Acts but also in other state laws. Many state regulators heavily rely on consumer complaints to shape their enforcement agendas. As society becomes more attuned to cybersecurity and privacy issues, misleading statements in these areas are anticipated to have greater repercussions.

It is no longer unusual for organizations to simultaneously confront cybersecurity breaches, class action lawsuits, and investigations prompted by whistleblower allegations. Without a strategic approach to developing and refining processes for identifying, escalating, and investigating cybersecurity and privacy concerns, organizations risk being swept into a cascade of legal challenges.

These trends underscore the necessity for organizations to pause and evaluate their current position in the cybersecurity and privacy landscape. It is advisable to revisit foundational principles and ask essential questions:

  • What type of information does the organization manage?
  • How is this information utilized, and with whom is it shared?
  • What protective measures are in place to secure that information?
  • What cybersecurity and privacy obligations does the organization have?
  • Who is tasked with ensuring these obligations are met?
  • How does the organization promote awareness and train relevant staff?
  • What claims does the organization make regarding its cybersecurity and privacy practices?
  • How are cybersecurity and privacy concerns reported and investigated?
  • How does the organization identify and implement improvements?
  • Who is responsible for cybersecurity and risk management, and how is this managed?

If any of these questions lack clear answers, it is crucial to take action and prioritize addressing these issues.
