Dechert Cyber Bits

New Rules to Strengthen Cross-Border Enforcement of the GDPR

In response to ongoing challenges with consistent and timely cross-border enforcement of the GDPR, the European Parliament has approved additional procedural rules to accelerate and clarify cross-border enforcement. The additional rules aim to make cooperation and dispute resolution between national data protection authorities more effective and efficient.

The new rules set strict deadlines for complaints to be handled promptly. Once a lead supervisory authority begins an investigation, it must complete and issue a draft decision within 15 months, with a possible 12-month extension in exceptionally complex cases. A simplified 12-month cooperation process will apply when cases are clear and uncontested. Authorities are also encouraged to reach early-stage consensus and may close cases early if the infringement has ceased and no objection is raised within four weeks.

The rules also enhance complainants’ rights, including their right to be heard before a decision is made and to access case information, ensuring greater transparency. Member states may choose to grant broader access if they wish.

The rules must still be formally adopted by the Council of the EU, expected in mid-November. Once adopted, the rules will enter into force 20 days after publication in the EU Official Journal and apply 15 months later.

Takeaway: The reform marks a significant step forward in improving the speed, fairness, and consistency of GDPR enforcement across the EU. By setting clearer timelines, encouraging early cooperation, and strengthening complainants’ rights, the EU is reinforcing its commitment to enforcement of the GDPR. The practical impact remains to be seen, but it is possible that the new rules will lead to more cross-border enforcement. Businesses operating in multiple EU member states will want to reassess their exposure to enforcement and ensure that they are clear on their main establishment and corresponding lead supervisory authority.  

New York AG Holds Accounting Firm Responsible Following “Two” Data Breaches

On October 20, 2025, New York Attorney General (“NY AG”), Letitia James, announced a settlement with Wojeski & Co. (“Wojeski”), a Certified Public Accounting firm, in connection with what the NY AG claims are two separate data breaches less than one year apart. In a July 2023 breach, Wojeski experienced a ransomware attack triggered by a phishing email sent to an employee. Wojeski subsequently discovered a second breach—a vendor breach—in May 2024, when an employee of the forensics firm hired to investigate the ransomware attack improperly accessed customer data and employees of that firm emailed data to unauthorized recipients.

According to the NY AG, Wojeski did not have adequate cybersecurity measures in place to protect its clients’ personal information. In addition, Wojeski did not notify customers of either data incident until November 2024, more than a year and a half after the initial breach.

The settlement requires Wojeski to pay $60,000 in penalties, as well as to implement a comprehensive information security program, which includes, among other mandates, the requirement to establish a personal data inventory, authentication processes to limit employees’ access to sensitive information, a program to identify and remediate security vulnerabilities, and an employee cybersecurity training program.

Takeaway: This matter and its characterization as “two breaches” appears unfair and harkens back to the old regulator mentality of “blame the victim,” which had appeared to be receding. The Wojeski settlement signals an unforgiving posture toward victims of criminal acts. So long as the forensics firm that investigated the breach was reputable and had good cyber hygiene (as most do), it is unclear why Wojeski would be tagged for that breach as well. It is also unclear what steps Wojeski could have taken to “prevent” the subsequent vendor breach. What is clear though, is that companies need good cyber hygiene not just to fend off threat actors, but also to protect themselves from the regulators who often assess these matters with 20/20 hindsight and seemingly impose a strict liability standard, even as many of them fall victim to these same attacks.

EDPB Adopts Opinions on Draft UK Adequacy Decisions for Cross-Border Data Transfers

The European Data Protection Board (“EDPB”) has adopted opinions on the European Commission’s draft decision to renew the UK’s data protection adequacy status under both the GDPR and Law Enforcement Directive until December 2031. This renewal would preserve the existing framework that allows cross-border data transfers between the EU and the UK.

The original adequacy decisions, adopted after the UK’s withdrawal from the EU, were due to expire in June 2025. However, recent UK legal reforms designed to clarify and facilitate compliance with the GDPR led the Commission to extend those decisions until December 2025.

The EDPB is broadly supportive of the renewal decisions but has urged the European Commission to closely monitor key legal developments in the UK. It raised concerns over the UK Secretary of State’s new powers to amend data protection rules through secondary legislation with limited parliamentary oversight and called for close scrutiny of potential risks of divergence, particularly regarding government access to data, independent oversight, and international data transfers.

Regarding the Law Enforcement Directive, the EDPB acknowledged that the UK remains aligned with EU standards but recommended further assessment of the UK’s exemptions for law enforcement data processing and transfer rules to third countries. The EDPB also reiterated the importance of human oversight in automated decision-making and called on the Commission to ensure the UK maintains strong redress mechanisms and independent supervision.

Takeaway: The EDPB’s support for renewing the UK’s adequacy decisions reflects confidence in the UK’s data protection framework but should also serve as a cautionary signal to the UK government regarding any potential further changes as the EU will be watching closely. Nevertheless, it’s clear that for now the EU sees maintaining adequacy as important to the relationship between the UK and the EU. For businesses operating in the UK and the EU, the EDPB’s support is another step forward to keeping personal data transfers free and simple. It will also be interesting to see how transfers to the U.S. are treated going forward.  

“Stream” of Consciousness: Florida AG Targets Roku in First Enforcement Action Under New Florida Law

Florida Attorney General, James Uthmeier, (“FL AG”) announced, on October 14, 2025, that the Office of Parental Rights (“OPR”) had filed a complaint against Roku, Inc. and its Florida subsidiary for violations of the Florida Digital Bill of Rights (“FDBOR”) and the Florida Deceptive and Unfair Trade Practices Act (“FDUTPA”). This is the first enforcement action brought under the FDBOR, which went into effect in July 2024. This is also the second state Attorney General action targeting Roku this year, after another complaint was filed in April by Michigan’s Attorney General.

According to the Florida complaint, Roku failed to obtain parental consent before collecting and selling children’s voice recordings, viewing history, and other personal data, and misrepresented the effectiveness of its privacy controls and opt-out tools. The complaint also alleges that Roku shared data with “intrusive” third-party data brokers, to which Roku provided data that could be used to re-identify consumers.

While Roku claimed it did not have knowledge that it is collecting or selling children’s data, the FL AG asserts that Roku is “willfully disregarding” the age of users and has “consciously decided not to implement industry-standard user profiles to identify which of its users are children.”

The FL AG is seeking civil penalties of up to $150,000 per violation of the FDBOR and up to $10,000 per violation of the FDUTPA. The complaint also requests injunctive relief to have Roku provide clear disclosures, implement parental-control mechanisms and restrict unauthorized sale or processing of children’s data. “Florida families deserve to know what is happening with their children’s personal information,” Attorney General Uthmeier said in a statement. “Parents — not technology companies — direct the upbringing of their children. We will hold any company that conceals or exploits that information accountable.”

Takeaway: Florida’s first enforcement under the FDBOR signals an aggressive children’s‑privacy agenda that can trigger high per‑violation penalties and injunctions given that “per violation” could mean per user, or worse, per use of the site. In particular, the asserted “willful disregard” standard raises the bar: companies cannot sidestep regulatory attention by claiming they lack actual knowledge if they avoid reasonable age‑assurance measures or user profiling while collecting children’s voice data, viewing history, or other sensitive data.

Capita Fined £14m for 2023 Cyberattack Exposing Data of Over 6m People 

Capita, a UK-based professional and outsourcing services firm, has been fined £14m by the UK Information Commissioner's Office (“ICO”) for its failure to provide adequate security related to a breach in March 2023 that compromised the personal data of 6.6 million people, including pension and financial data and criminal records information.

The breach occurred after a malicious file was unintentionally downloaded onto an employee’s device, allowing hackers to infiltrate Capita’s systems, deploy ransomware, and exfiltrate nearly one terabyte of data. The ICO found that Capita failed to implement adequate measures, leaving data at significant risk. The noted failures included:

• Although a high-priority security alert was raised within 10 minutes of the breach, Capita failed to quarantine the device for 58 hours, enabling the attacker to exploit its systems;
• No tiering model for administrative accounts, which allowed the attacker to escalate privileges, move laterally, and compromise critical systems. These failings had been flagged as vulnerabilities at least three times but were not remedied;
• Lack of further penetration testing following system commission and findings from the tests conducted being siloed within business units.

Capita initially faced a potential fine of £45m which was reduced following mitigation efforts and cooperation with regulators. Capita has since accepted liability, agreed to pay the £14m fine, and offered 12 months of credit monitoring to affected individuals.

The attack on Capita is one of many recent cyberattacks on high-profile UK companies such as Co-op, M&S, and Harrods. The increasing frequency of such attacks is a reminder of the importance of robust security and timely response, as highlighted in the ICO’s statement about the fine, where Information Commissioner John Edwards, said “With so many cyberattacks in the headlines, our message is clear: every organisation, no matter how large, must take proactive steps to keep people’s data secure.”

Takeaway: The ICO’s statement about the fine makes it clear that it expects businesses to be taking proactive steps to reduce security risks. The Capita fine is another example of the ICO baring its teeth over failures to deal with breaches; this, together with the increasing frequency of cyberattacks, means businesses would be well advised to take heed of the ICO’s warnings and to be sure that they not only assess their security posture but that they take steps to address any deficiencies. The fine is quite high, especially where this company was the victim of a criminal act; this is likely because of the alleged failure to follow up on flagged vulnerabilities. Businesses would benefit from reviewing their security measures in place and considering if they have taken some of the key steps identified by the ICO, such as the principle of least privilege, suspicious activity monitoring, regular penetration testing and prioritizing investment in key security controls. This matter also highlights why businesses would be wise to conduct their cyber assessments under attorney-client privilege.

Dechert Tidbits

California Governor Newsom’s New Playbook for Online Children’s Privacy

In October 2025, California Governor Gavin Newsom signed a package of children’s online‑safety and AI laws that set new guardrails for minors’ online experiences, including regarding app‑store age‑verification (A.B. 1043), social‑media warning labels (A.B. 56), safeguards for AI companion chatbots (S.B. 243), deepfake remedies (A.B. 621) and autonomous vehicle liability (A.B. 316).

ISO Updates Standard for Managing Privacy Compliance Programs

For the first time since 2019, the International Organization for Standardization has updated its international standard for managing privacy compliance programs. The updated ISO 27701 closely aligns with global data protection regulations such as the GDPR, and outlines requirements across key areas including leadership, planning, support, operation, performance evaluation, and continual improvement — providing valuable guidance for multinational organizations seeking a unified framework for privacy management.