Tech & Sourcing @ Morgan Lewis

The Maryland Online Data Privacy Act (MODPA or the Act) took effect on October 1, 2025, making Maryland the most recent state to join the nationwide network of states with legislation protecting consumer data privacy. As part of our Spotlight series, Ezra Church, the leader of our privacy and cybersecurity litigation practice, and Rimsha Syeda, an associate in the cybersecurity, incident response, and privacy practice, share their insights into the MODPA requirements and nuances that companies should know.

On October 29, Morgan Lewis will be hosting the annual Tech & Sourcing Summit in New York. This full-day event will bring together our lawyers and industry leaders, focusing on this year’s theme: Navigating the Global Landscape through Innovation. A reception will follow the substantive portion of the program.

According to a 2025 report on cyber insurance trends published by Munich Re, the global cyber insurance market totaled $15.3 billion in 2024, and is expected to reach $16.3 billion by the end of 2025. Although these amounts are substantial in an absolute sense, the 2024 market valuation represents less than 1% of the global premium volume for property and casualty insurance in 2024. Cybersecurity’s comparative lack of representation in the global insurance premium market may stem from slower growth in the cybersecurity insurance market in the past few years. However, likely as a result of continued increases in digitization, cyber events occurring more frequently, and the regulatory framework evolving, cybersecurity insurance appears poised to grow at a more sustained pace, with Munich Re predicting the global premium volume for cybersecurity to average an annual growth rate of 10% per year through 2030.

In a recent LawFlash, a team of Morgan Lewis lawyers discussed new regulations concerning automated decision-making technology (ADMT), cybersecurity audits, and risk assessments that were finalized by the board of the California Privacy Protection Agency (CPPA). While the CPPA also revised existing regulations, the new regulations impose additional requirements on businesses operating in California, particularly with respect to those using ADMT to make significant decisions without human involvement.

Published in August 2025, the CrowdStrike Global Threat Report 2025 provides a detailed overview of the evolving cyber threat landscape, drawing on data from millions of endpoints and cloud workloads worldwide.

In an era when data is everything, everywhere, all at once and computation has almost no limit, ensuring privacy while leveraging data analytics is paramount. The US Department of Commerce’s National Institute of Standards and Technology (NIST) recently published NIST Special Publication 800-226 (the Guidelines), a comprehensive guide for evaluating and achieving differential privacy, a cutting edge approach to protecting individual privacy when using and relying on large datasets.

In a recent report, a team of Morgan Lewis lawyers discussed enforcement of the US Department of Justice’s (DOJ’s) Data Security Program (DSP). The report outlines critical considerations for companies and entities that may be affected by the extensive requirements of this national security initiative.

In June 2025, cybersecurity researchers discovered a leak of 16 billion passwords in one of the largest data breaches ever, impacting a wide range of platforms and placing billions of users’ information at risk. This incident underscores the urgent need for companies to adopt proactive cybersecurity measures and remain vigilant in the face of evolving threats.

A new Insight published by our Morgan Lewis colleagues highlights the complex legal landscape data centers face in the United States, particularly concerning cybersecurity, privacy, and national security. Cybersecurity preparedness and data privacy are now a critical focus for data centers. However, unlike Europe, the US lacks a comprehensive data privacy statute, requiring data centers to navigate a patchwork of federal, state, and industry-specific regulations.

Cyber regulations are crucial for the protection of individuals and businesses and aid in risk minimization; failure to comply with these regulations can result in severe consequences such as financial penalties, legal action, reputational damage, and potential breach of sensitive or confidential information. Analysts have identified some key cyber regulations to watch in the coming months.