Dechert Cyber Bits
Issue 91 - February 26, 2026
We are honored and humbled to have been named Law360 Cybersecurity and Privacy Practice Group of the Year for 2025! Congratulations to the team and thank you to our clients for entrusting us with the types of matters that led to this honor. See links to Dechert's announcement and the Law360 announcement.
FTC Reports to Congress on its Efforts to Counter Ransomware and Cyberattacks
On January 30, 2026, the FTC issued its second report to Congress on the FTC’s activities on ransomware and cyber-attacks from July 1, 2023 through June 30, 2025. The report is required by the Reporting Attacks from Nations Selected for Oversight and Monitoring Web Attacks and Ransomware (“RANSOMWARE”) Act. The report summarizes FTC enforcement activities, including FTC enforcement actions involving China and Russia; provides consumer complaint data and trends related to ransomware and other attacks; and offers legislative recommendations and best practice recommendations for U.S. businesses and consumers dealing with ransomware threats.
Following 90 data security investigations brought by the FTC to date, the report summarizes settlements the FTC made with companies such as GoDaddy (a web-hosting company), Verkada (a security cameras company), and Blackbaud (a cloud software provider), among others, where the FTC deemed that the companies engaged in unreasonable data security practices that later involved a cyber-related attack or breach. According to the report, the FTC’s primary tool in this space is its data security enforcement program, which is grounded in its reasonableness standard. The report contends, for example, that companies that collect or handle personal information must adopt safeguards appropriate to the sensitivity and volume of the data they maintain, the scale and complexity of their operations, and available security tools. The agency then evaluates whether a company failed to take precautions such as encrypting sensitive data, implementing multi-factor authentication, segmenting networks, monitoring for intrusions, maintaining updated software, or training employees to recognize phishing attempts. When companies overstate their security practices or fail to implement reasonable protections, the FTC may challenge those failures as deceptive or unfair under Section 5 of the FTC Act, 15 U.S.C. § 45.
Takeaway: The report appears to be a continuation of the “blame the victim” mentality that too many regulators have relied upon for years. It isn’t working. By definition, the government for the most part is going after companies that have reported these attacks—and often they are companies with robust information security programs. This is especially true when you consider that many government agencies have themselves been victims of these types of attacks. While the FTC appears to be of the view that ransomware incidents are a result of systemic rather than isolated technical failures, this perspective is not consistent with the reality of the breaches we see. Often a breach is due to an isolated event in an otherwise sound program. In the inevitable second-guessing that comes after an incident, companies should be prepared to provide evidence that they implemented risk-based, enterprise-wide safeguards, and that the breach was an unusual, isolated, and perhaps even unavoidable exception.
New Complaints Process Required Under UK Data Protection Law
On January 29, 2026, secondary legislation was passed which brings into force most of the remaining data protection provisions of the UK’s Data (Use and Access) Act 2025 (the “DUAA” – for further information on the DUAA see our OnPoint), and sets a date of June 19, 2026 for the provisions regarding the new required complaints process to come into force.
From June 19, 2026, controller organizations subject to the UK GDPR will be required to have a process for handling data protection complaints. While the UK Information Commissioner’s Office (“ICO”) currently strongly encourages individuals to complain to the organization before escalating such a complaint to the ICO, there is no legal requirement in place for this.
Under the new provisions, a controller must facilitate the making of complaints. How a controller does so is not prescribed, but the ICO suggests that controllers could provide an electronic complaints form or online complaints portal, an email address, or allow phone complaints. As with data subject requests, while a controller can invite people to use the designated process, people can still complain any way they choose so it is important for organizations to ensure that staff are vigilant and trained to recognize and escalate complaints and requests. Whatever method is developed by the controller, they must tell people about it, for example, in their privacy notice.
Controllers are further required to acknowledge receipt of the complaint within thirty days, and to take appropriate steps to respond to it and inform the complainant of the outcome without undue delay.
Takeaway: Controller organizations subject to the UK GDPR will want to review their existing processes, policies and privacy notices and take steps to update or implement a complaints process as needed ahead of the June 19, 2026 deadline. Organizations will want to take into account time to roll out any new processes required, testing them appropriately, and training relevant staff on triaging and assessing complaints.
EU Regulators Issue Joint Opinion on EU Proposal for Simplification of Digital Rulebook
The European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) have adopted a joint opinion on the European Commission’s proposed Digital Omnibus, a sweeping package intended to simplify and streamline the EU digital rulebook with the aim of reducing administrative burdens and enhancing competitiveness of European organizations. The Digital Omnibus is intended to amend a wide range of EU digital laws, including the GDPR, the Data Act, the ePrivacy Directive, and cybersecurity laws. The joint opinion supports simplification and harmonization in principle, but stresses that legal certainty must not come at the expense of core data protection guarantees.
On the GDPR proposals, the joint opinion welcomes targeted changes such as harmonization of the notion of ‘scientific research’, introducing common templates for data protection impact assessments, creating a limited exemption for biometric authentication where the verification means remain under the individual’s sole control, and raising data breach notification thresholds and extending deadlines for notification. However, the EDPB and EDPS raise significant concerns about proposed changes to the definition of personal data, warning that the proposals do not accurately reflect EU case law and would result in significantly narrowing the concept of personal data, thereby reducing the scope of EU data protection law and generating legal uncertainty.
While generally supportive of the proposal to introduce an exemption allowing some processing of sensitive data in the context of the development and operation of AI systems or models, the opinion recommends improvements such as clarifying its scope and ensuring whole lifecycle safeguards. On ePrivacy reforms, the EDPB and EDPS strongly support efforts to tackle consent fatigue and cookie banner proliferation but caution that fragmenting rules across instruments (personal data under the GDPR, and non-personal data under the ePrivacy Directive) could undermine legal clarity.
Takeaway: As we reported in Issue 90, the EU continues to make efforts to ease the very high burden of compliance, this time across the EU’s broader digital framework. Many of these laws have involved extensive and complex negotiations, even resulting in the once-proposed new ePrivacy Regulation being abandoned. The joint opinion shows the reticence of EU regulators about promoting a business-friendly simplification at the expense of individuals’ rights and core data protection guarantees. It remains to be seen whether the EU legislator will find the political will to push through more business-friendly regulation.
Texas Attorney General Ken Paxton Announces Civil Investigative Demands to BCBS and Conduent Following Data Breach
On February 12, 2026, Texas Attorney General Ken Paxton (“TX AG”) took the extraordinary step of announcing that it had issued Civil Investigative Demands to Blue Cross Blue Shield of Texas, a health insurer, and Conduent Business Services, LLC, a business services and technology contractor, as part of an investigation into a data breach of Conduent’s systems that allegedly exposed the sensitive health and personal information of approximately 15.49 million Texans, and 192.7 million individuals nationwide.
The breach occurred after cyber criminals hacked Conduent’s systems between October 21, 2024, and January 13, 2025, gaining access to files containing protected health information (PHI). Conduent discovered the breach on January 13, 2025, and reported that it immediately secured its network and launched an investigation with outside cybersecurity experts. The compromised data included names, social security numbers, medical information, and health insurance details belonging to current and former health plan members, including Medicaid recipients in Texas. Although Blue Cross Blue Shield of Texas stated that its own internal systems “were not impacted by this incident,” it acknowledged that member data was affected because Conduent provides third-party services such as mailroom operations, payment processing, and other back-office support. Conduent stated, “From the outset of this incident, we acted promptly and in alignment with incident-response protocols to contain and investigate the issue,” and further asserted that, to date, there is no evidence the data has been misused or publicly released.
Takeaway: While this is only the beginning of an investigation, and there has been no finding of fault, the TX AG inquiry highlights intensifying state scrutiny of data breaches involving PHI. The TX AG took the unusual (outrageous?) step of publicizing the investigation at an early stage, which seems profoundly unfair to the company. We’d prefer that victims of a criminal attack such as this be given a presumption of innocence by regulators during an investigation, certainly during the “fact finding” stage. Nonetheless, it certainly underscores the need for covered entities and their vendors to tighten vendor oversight, security controls, and incident response around outsourced operations.
Dechert Tidbits
EU Court Finds EDPB Binding Decision Open to Challenge in WhatsApp Ireland Ltd v EDPB
In a recent judgment, the Court of Justice of the European Union (“CJEU”) ruled that WhatsApp had standing in the EU courts to challenge a decision of the European Data Protection Board requiring the Irish supervisory authority to amend certain corrective measures, including the amount of fines, in respect of alleged breaches of the GDPR by WhatsApp. Although the EDPB’s decision was directed at the Irish supervisory authority, the CJEU held that WhatsApp had the right to challenge the decision, noting that the decision was of direct concern to WhatsApp.
Imgur Owner MediaLab Fined by UK Data Regulator Over Children’s Privacy Failures
The UK ICO reports that it has fined MediaLab.AI, Inc., owner of image sharing and hosting platform Imgur, £247,590 for unlawfully processing children’s personal data, citing failures to implement age checks, obtain parental consent for users under 13, or conduct a data protection impact assessment under UK GDPR. The ICO found that between September 2021 and September 2025, children were allowed to use the platform without effective age assurance measures, exposing them to potentially harmful content. MediaLab accepted the regulator’s provisional findings and committed to addressing the infringements if UK access to the platform is restored in the future.
FTC Sends Warning Letters to Data Brokers Following Potential Violations of the PADFAA
The FTC issued warning letters to 13 data brokers for potential violations of the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (“PADFAA”), which prohibits brokers from disclosing personally identifiable sensitive data about Americans to specified foreign entities, including North Korea, Russia, China, Iran, or any entity controlled by those countries. According to the FTC, it had identified instances in which data brokers offered information regarding the status of American individuals as members of the Armed Forces. Christopher Mufarrige, director of the FTC’s Bureau of Consumer Protection, stated that the letters are intended to put data brokers on notice that the commission is “monitoring the marketplace for potentially violative acts or practices relating to making available personally identifiable sensitive data of a United States individual to any foreign adversary country.”
In 2025, Dechert’s Cyber, Privacy & AI team achieved top individual and group rankings in The Legal 500 and Chambers USA. Global Chair and Partner Brenda Sharton, a Law360 MVP, and Partner Ben Sadun, a Law360 Rising Star, were recognized for their leadership and contributions to the team’s achievements. The team was also recognized in Law.com’s “Litigators of the Week” column for its recent victory for Flo Health, a matter that showcased the team’s strategic excellence. Thank you to our clients for entrusting us with the types of matters that led to these recognitions.
Recent News and Publications
- Law360's Practice Group of the Year for Cybersecurity & Privacy – Law360 (January 2026)
- MVP: Dechert’s Brenda Sharton – Law360 (November 2025)
- Litigator of the Week Runners-Up and Shout-Outs - Law.com (August 8, 2025)
- 2025 Rising Star: Dechert's Benjamin Sadun - Law360 (July 21, 2025)
- 10 Things to Know About UK's Data (Use and Access) Act (Dechert OnPoint published July 8, 2025)
- Disclosing Personal Data to Non-European Union Authorities: General Data Protection Regulation Guidance (Pratt’s Privacy & Cybersecurity Law Report by Lexis Nexis May 2025)
- FTC Privacy Enforcement Takeaways From 2024 (Law360 published January 21, 2025)
- Brenda Sharton Q&A (Profiles in Diversity Journal Q4 2024 "All Colors, All Leaders" issue)
- Disclosing Personal Data to Non-EU Authorities - GDPR Guidance Published (Dechert OnPoint published December 18, 2024)
- MVP: Dechert's Brenda Sharton - (Law360 October 10, 2024)
- Brantley et al. v. Prisma Labs, Inc. (Global Legal Chronicle published August 31, 2024)
- Law360's Legal Lions of The Week (Law360 published August 9, 2024)
- Lensa AI App Creator Shakes Ill. Biometric Privacy Suit (Law360 published August 6, 2024)
- Prisma Labs Skirts BIPA Suit Over Training of Its AI Photo App (Bloomberg Law published August 6, 2024)
- A New UK Labour Government: A Fresh Approach to AI Regulation (Dechert OnPoint published July 9, 2024)
- The EU AI Act: An Overview (Dechert OnPoint published May 13, 2024)
- Tribunal Overturns UK ICO’s Enforcement Action Against Clearview AI (Dechert OnPoint published November 8, 2023)
- 5 Takeaways from ICO's Biometric Recognition Guidance (Published in Law360, October 18, 2023)
- Bridge Over Troubled Data Flows: UK-US Data Bridge Approved (Dechert OnPoint published September 22, 2023)
- US-EU Plan On AI Illustrates Differing Opinions On Regulation (Published in Law360, August 2, 2023)
- SEC Final Rule Exempts ABS Issuers from New Cybersecurity Disclosure and Reporting Requirements (Dechert OnPoint published August 16, 2023)
- SEC Finalizes Cybersecurity Disclosure Rules for Public Companies (Dechert OnPoint published August 7, 2023)
- Ready. Set. Flow: Green Light from the Commission for EU-U.S. Data Privacy Framework (Dechert OnPoint published July 11, 2023)
- EU General Court Examines Data Anonymisation and Pseudonymisation (Dechert OnPoint published May 25, 2023)
- SEC Proposes New Cybersecurity Risk Management Rule for Various Market Entities (Dechert OnPoint published May 10, 2023)
- Artificial Intelligence: Legal and Regulatory Issues for Financial Institutions (Dechert OnPoint published April 26, 2023)
- BioDech | A Global Life Sciences Broadcast Series - What Every Life Sciences Company Needs to Know About Cybersecurity
- The group was named 2022 Law360 Practice Group of the Year.
- Winner of the International Association of Privacy Professionals (“IAPP”) Legal Innovation Award for the Americas for 2022, for its work with client Flo Health, Inc., the world’s leading women’s health App on its “Anonymous Mode” feature in the wake of the Dobbs decision by the U.S. Supreme Court.
- Recognized as a 2022 “Standout” by London’s Financial Times in a legal innovation award for the Americas in the category of “Innovation in Enabling Business Resilience.”
- Exploiting Public Health Data for R&D: UK Progresses Secure Data Environments (Dechert OnPoint published July 20, 2023)
- EU Data and Digital Drive: 10 Things to Know About the Digital Services Act (Dechert OnPoint published February 17, 2023) By: Paul Kavanagh, Dr. Olaf Fasshauer, and Madeleine White.
- Your Company’s Data Is for Sale on the Dark Web. Should you Buy it Back? (Published in the Harvard Business Review January 4, 2023) By: Brenda Sharton.
- Brenda Sharton and Steven Rabitz quoted in Plan Sponsors Have Myriad Responsibilities to Protect Against Cyberthreats (Published in PLANSPONSOR December 22, 2022).
- English High Court Maintains Claimant’s Anonymity in Cyberattack Case (Dechert OnPoint published December 19, 2022) By: Paul Kavanagh, Brenda Sharton, Dylan Balbirnie, and Anita Hodea.
- The entry into force of the Digital Markets Act kicks off new era of digital regulation in Europe (Dechert OnPoint published October 25, 2022), by members of the Dechert antitrust practice.
- Brenda Sharton was named a 2022 Law360 MVP for Cybersecurity & Privacy.
- Brenda Sharton was recognized as one of Massachusetts Lawyers Weekly's Go To Cybersecurity/Data Privacy Lawyers for 2022 (Published in Mass. Lawyers Weekly October 31st issue)
- Practice leaders Brenda Sharton and Karen Neuman are discussed in Litigation Leaders: Dechert’s Cathy Botticelli and Jonathan Streeter on Counseling Clients With an Eye Toward Avoiding Litigation (Published in Law.com August 15, 2022).
- Brenda Sharton quoted in Why hackers are able to steal billions of dollars worth of cryptocurrency (Published in the Washington Post August 11, 2022).
- FDA Medical Device Cyber Guidance Protects Patients, Cos. (Published in Law360 June 9, 2022) By: Brenda Sharton, Emily Van Tuyl, and Kathleen Fay
- Olaf Fasshauer was ranked in the 2022 publication of German daily newspaper Handelsblatt (in cooperation with Best Lawyers) among the best lawyers in Germany for Data Security and Privacy Law
- Brenda Sharton presented at the WSJ Pro Cyber Forum (June 1, 2022).
- Brenda Sharton was a moderator on the panel, "The Digital Transformation of Customer Experience" at the LendIt Fintech Conference (May 25, 2022).
- Ranked by The Legal 500 US – Media, Technology and Telecoms: Cyber Law (including Data Privacy and Data Protection). Brenda Sharton was named a Leading Lawyer and Hilary Bonaccorsi was named a Rising Star.
- Brenda Sharton named to Cybersecurity Docket’s Incident Response 40 2021 list.
- Dubai data protection authority plans to launch international privacy risk index and update international data transfer mechanisms (Dechert OnPoint published May 5, 2022) By: Paul Kavanagh and Dylan Balbirnie.
- Brenda Sharton quoted in Global Data Review article, "SEC proposes 4-day breach reporting rule" (April 26, 2022).
- CJEU rules on private copying exception to storage in the cloud (Dechert OnPoint published April 11, 2022) By: Paul Kavanagh and Nathan Smith.
- SEC Proposes New and Amended Cybersecurity Rules for Public Companies (Dechert OnPoint published March 17, 2022) By: Timothy Blank, Kevin Cahill, Brenda Sharton and Daniel Murdock.
- Brenda Sharton was quoted in the Law360 article, “Congress Seizes On Incident Reports In Fighting Cyberattacks” (March 16, 2022).
- 4 Takeaways For Asset Managers From SEC's Cyber Rule Plan (Published in Law360 on March 10, 2022) By: Kevin Cahill and Hilary Bonaccorsi.
- California Privacy Protection Agency Signals Delay for Final CPRA Rules & California AG Conducts CCPA Investigative Sweep (Dechert Newsflash published February 25, 2022) By: Karen Neuman, Hilary Bonaccorsi, Bailey E. Dervishi.
- SEC Proposes New Cybersecurity Rules for SEC Registered Advisers and Funds (Dechert OnPoint published February 23, 2022) By: Kevin Cahill, Timothy Blank, Brenda Sharton, Hilary Bonaccorsi, Colleen Hespeler and Bailey Dervishi.
Content Editors
Sonia Brunstad, Aurelien Martinot, Lydia Speight, and Madeleine White
Production Editors
Hilary Bonaccorsi and Dylan Balbirnie
Partner Committee Editors
Dechert Cyber Bits Partner Committee
Brenda R. Sharton
Partner, Global Chair, Cyber, Privacy and AI
Boston
brenda.sharton@dechert.com
Hilary Bonaccorsi
Partner
Charlotte
hilary.bonaccorsi@dechert.com
Timothy C. Blank
Senior Counsel
Boston
timothy.blank@dechert.com
Kevin F. Cahill
Partner
Los Angeles
kevin.cahill@dechert.com
Dr. Olaf Fasshauer
National Partner
Munich
olaf.fasshauer@dechert.com
Paul Kavanagh
Partner
London
paul.kavanagh@dechert.com
Laura Rossi
Partner
Luxembourg
laura.rossi@dechert.com
Benjamin Sadun
Partner
Los Angeles
benjamin.sadun@dechert.com
Dechert’s global Cyber, Privacy and AI practice provides a multidisciplinary, integrated approach to clients’ privacy and cybersecurity needs. Our practice is top ranked by The Legal 500 and our partners are well-known thought leaders and sought after advisors in the space with unparalleled expertise and experience. Our litigation team provides pre-breach counseling and handles all aspects of data breach investigations as well as the defense of government regulatory enforcement actions and class action litigation for clients across a broad spectrum of industries. We have handled over a thousand data breach investigations of all types including nation states, ransom/cyber extortion, vendor/supply chain, DDoS, brought by threat actors of all types, from nation-state threat actors to organized crime to insiders. We also represent clients holistically through the entire life cycle of issues, providing sophisticated, solution oriented advice to clients and counseling on cutting edge data-driven products and services including for trend forecasting, personalized content and targeted advertising across sectors on such key laws as the CCPA, CPRA and state consumer privacy laws, Section 5 of the FTC Act; the EU/UK GDPR, e-Privacy Directive, and cross-border data transfers. We also conduct privacy and cybersecurity diligence for mergers and acquisitions, financings, corporate transactions, and securities offerings.