Dechert Cyber Bits

2026 Crystal Ball Edition - December 30, 2025



Ten Predictions for 2026

  1. AI-enabled cyber threats increased exponentially in 2025; vishing and deep fakes abounded. Companies fought to keep up by adopting AI tools to thwart these attacks. We expect this dynamic to proliferate in spades in 2026, with AI-generated fakes improving to the point of being indistinguishable from reality. Defense will rely largely on means of detection other than “tells” such as grainy or unsynced videos. In short, the decades-long “arms race” between threat actors and industry is alive and well, with AI simply being the next frontier.
  2. We will continue to see plaintiffs’ firms trying to capitalize on the threat of large statutory damages with SDK, pixel and similar types of litigation to try to force settlements with their unfortunate targets. We will see more high-profile litigation regarding who is responsible for AI-generated content, both in terms of copyright law and in terms of liability for allegedly unlawful AI-generated content (à la Section 230). Also on the AI front, we’ll continue to see suits related to AI psychosis; in the U.S., this will manifest in lawsuits stemming from people who are mentally unwell interacting with AI.
  3. We’ll see U.S. regulatory enforcement increase at the state level with multi-state investigations and/or one-off AG actions by offices hoping to make a name for themselves by becoming leaders in this space. We expect that Texas, Florida, California, Colorado, Oregon, and Connecticut will take the lead. Actions related to information security and children's privacy will continue to be popular. We will not be surprised if the Texas AG’s office becomes one of the most important and active U.S. privacy regulators in 2026.
  4. At the federal level, we’ll continue to see a different FTC than the one to which we have become accustomed. We expect to see FTC efforts focused on children’s privacy. The FTC and SEC are unlikely to aggressively target companies that have been the victim of cyberattacks as they have in the past, nor will they go after individual executives, which previously was a popular (and often unfair) tactic.
  5. EU/UK regulators will be more active in 2026, but not necessarily specifically targeting U.S. companies. We likely will see higher fines under GDPR.
  6. The SEC's amended Regulation S-P went into effect on December 3 for larger in-scope financial services firms, and it is critical that such companies comply. A consumer notification regime that adds on to, but does not replace, state data breach notification requirements means impacted consumers will receive many more data breach notifications, but often it will be unclear what, if any, of their information has been compromised (since the forensic exams may not be completed by the time notices need to go out). This will result in more “useless notices” being put out into the ether that will have the effect of further desensitizing consumers to these types of notices and to data breaches more generally. Nonetheless, the SEC and OCIE will prioritize compliance with the new Reg. S-P obligations (particularly those related to policies and procedures and service provider contracts) in their examinations.
  7. On the heels of Australia’s ban on social media for children under 16, and with the U.S. states passing age verification requirements for certain apps, we expect to see even more jurisdictions limiting aspects of the internet globally. In general, we’ll see increased limits and gatekeeping on how children use the internet.
  8. We’ll continue to see clients moving fast to install AI governance programs and policies and incorporate AI-enabled information security defense tools. The Brazilian Supreme Court has already ruled that platforms can be held responsible for AI. As of August 2026, the EU AI Act will become fully applicable for General-Purpose AI models and High-Risk AI systems. We expect the number of compliance checks and regulatory actions by regulators to increase as well. Regulators have only just started to provide guidance, and we’ve seen only the first court rulings. We expect much more to come in this area.
  9. As GDPR enforcement measures mature, we expect more cross-border collaboration among EU national regulators and more vigorous enforcement in the form of higher fines, among other things. Privacy compliance in cross-border transfers is an area to watch as regulators request robust impact assessments, audits and technical safeguards, such as encryption and pseudonymization.
  10. Given Congress’s longstanding inability to pass federal laws in this space (e.g., we’ve been waiting more than two decades for a federal privacy law), and this administration’s actions on AI so far (rescinding the former administration's Executive Order on AI and the recent Executive Order banning states from passing AI laws), we are going to go out on a limb and predict that no federal AI law gets passed in 2026.

    -The Cyber Bits Partner Committee

In 2025, Dechert’s Cyber, Privacy & AI team achieved top individual and group rankings in The Legal 500 and Chambers USA. Global Chair and Partner Brenda Sharton, a Law360 MVP, and Partner Ben Sadun, a Law360 Rising Star, were recognized for their leadership and contributions to the team’s achievements. The team was also recognized in Law.com’s “Litigators of the Week” column for its recent victory for Flo Health, a matter that showcased the team’s strategic excellence. Thank you to our clients for entrusting us with the types of matters that led to these recognitions.




Dechert’s global Cyber, Privacy and AI practice provides a multidisciplinary, integrated approach to clients’ privacy and cybersecurity needs. Our practice is top ranked by The Legal 500 and our partners are well-known thought leaders and sought-after advisors in the space with unparalleled expertise and experience. Our litigation team provides pre-breach counseling and handles all aspects of data breach investigations as well as the defense of government regulatory enforcement actions and class action litigation for clients across a broad spectrum of industries. We have handled over a thousand data breach investigations of all types, including nation states, ransom/cyber extortion, vendor/supply chain and DDoS, brought by threat actors of all types, from nation-state threat actors to organized crime to insiders. We also represent clients holistically through the entire life cycle of issues, providing sophisticated, solution-oriented advice to clients and counseling on cutting-edge data-driven products and services, including for trend forecasting, personalized content and targeted advertising across sectors, on such key laws as the CCPA, CPRA and state consumer privacy laws; Section 5 of the FTC Act; the EU/UK GDPR; the e-Privacy Directive; and cross-border data transfers. We also conduct privacy and cybersecurity diligence for mergers and acquisitions, financings, corporate transactions, and securities offerings.
