Tech & Sourcing @ Morgan Lewis

The Maryland Online Data Privacy Act (MODPA or the Act) took effect on October 1, 2025, making Maryland the most recent state to join the nationwide network of states with legislation protecting consumer data privacy. As part of our Spotlight series, Ezra Church, the leader of our privacy and cybersecurity litigation practice shares his insights into the MODPA requirements and nuances that companies should know.

According to a 2025 report on cyber insurance trends published by Munich Re, the global cyber insurance market totaled $15.3 billion in 2024, and is expected to reach $16.3 billion by the end of 2025. Although these amounts are substantial in an absolute sense, the 2024 market valuation represents less than 1% of the global premium volume for property and casualty insurance in 2024. Cybersecurity’s comparative lack of representation in the global insurance premium market may stem from slower growth in the cybersecurity insurance market in the past few years. However, likely as a result of continued increases in digitization, cyber events occurring more frequently, and the regulatory framework evolving, cybersecurity insurance appears poised to grow at a more sustained pace, with Munich Re predicting the global premium volume for cybersecurity to average an annual growth rate of 10% per year through 2030.

In a recent LawFlash, a team of Morgan Lewis lawyers discussed new regulations concerning automated decision-making technology (ADMT), cybersecurity audits, and risk assessments that were finalized by the board of the California Privacy Protection Agency (CPPA). While the CPPA also revised existing regulations, the new regulations impose additional requirements on businesses operating in California, particularly with respect to those using ADMT to make significant decisions without human involvement.

The United Kingdom’s Online Safety Act (OSA or the Act), which received Royal Assent in October 2023, establishes a new statutory framework to address harmful online content, protect children, and promote accountability among digital service providers. For counsel advising platforms, publishers, and other organizations operating in the digital space, the OSA introduces a complex set of compliance considerations, particularly given its extraterritorial scope, risk-based obligations, and substantial enforcement powers.

The UK Information Commissioner’s Office has launched two consultations as part of the transition to the Data User and Access Act framework. These consultations will be of particular interest to organisations operating UK-facing websites, analytics tools, and online advertising services.

On 19 June 2025, the UK Parliament enacted the Data (Use and Access) Act 2025 (DUAA), marking the most significant UK data protection reform since the UK General Data Protection Regulation (UK GDPR). Rather than overhauling the current regime, DUAA introduces targeted amendments to the UK GDPR, the Data Protection Act 2018, and Privacy and Electronic Communications Regulations (PECR), aiming to support responsible data use while preserving core privacy protections.

In an era when data is everything, everywhere, all at once and computation has almost no limit, ensuring privacy while leveraging data analytics is paramount. The US Department of Commerce’s National Institute of Standards and Technology (NIST) recently published NIST Special Publication 800-226 (the Guidelines), a comprehensive guide for evaluating and achieving differential privacy, a cutting edge approach to protecting individual privacy when using and relying on large datasets.

In a recent report, a team of Morgan Lewis lawyers discussed enforcement of the US Department of Justice’s (DOJ’s) Data Security Program (DSP). The report outlines critical considerations for companies and entities that may be affected by the extensive requirements of this national security initiative.

In June 2025, cybersecurity researchers discovered a leak of 16 billion passwords in one of the largest data breaches ever, impacting a wide range of platforms and placing billions of users’ information at risk. This incident underscores the urgent need for companies to adopt proactive cybersecurity measures and remain vigilant in the face of evolving threats.

In our March 2024 blog post Study Finds Average Cost of Data Breaches Continued to Rise in 2023, we highlighted the key findings of the Ponemon Institute’s Cost of a Data Breach Report 2023. Each year, the report sets forth a vast dataset analyzing data breaches at hundreds of organizations to spot trends and developments in security risks and best practices. The Ponemon Institute recently published its Cost of a Data Breach Report 2024, showing an increase in data breach costs in many areas of business.