Insight

Key Cybersecurity, Privacy, and National Security Considerations for Data Centers in 2025

July 02, 2025

Unlike Europe’s comprehensive General Data Protection Regulation framework, the United States still lacks an all-encompassing data privacy statute. Instead, data centers operating in the United States must navigate a complex web of overlapping federal, state, and industry-specific rules. For data centers, which serve as the backbone of digital infrastructure and often house vast amounts of sensitive personal and proprietary information, this patchwork legal landscape requires close attention.

Understanding and complying with privacy, cybersecurity, and national security regulations is now both good business practice and a legal necessity. From incident response planning to cross-border data transfers and evolving SEC disclosure rules, this Insight covers some of the top legal considerations data centers must keep in mind in 2025.

A PRIVACY PATCHWORK: KEY LEGAL FRAMEWORKS

In the United States, data privacy obligations arise from a myriad of laws, including the Federal Trade Commission Act, the Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act, and state-level consumer privacy statutes like the California Consumer Privacy Act and the Texas Data Privacy and Security Act. Nineteen states have already passed their own privacy laws, which vary somewhat as to definitions and compliance requirements.

Thus, in addition to contractual and procedural safeguards, data centers must also be mindful of the varying data security requirements imposed by these laws. The legal obligations often extend to contractual requirements, meaning security standards must be embedded in data processing agreements or other governing contracts. As such, data centers must ensure their security infrastructure and documentation align not only with client expectations but also with the jurisdictional standards triggered by the location of the data and the individuals to whom it pertains.

For data centers, which process personal data on behalf of their clients (the data owners), this means:

  • Implementing Adequate Safeguards: Administrative, technical, and physical safeguards are not just best practice; they are legal requirements.
  • Contractual Compliance: Data centers must execute data processing agreements with their clients, which will:
    • Specify the business purpose for data processing and the types of data being processed.
    • Prohibit data centers from selling, sharing, and combining data across clients.
    • Contractually require subprocessors to adhere to the same obligations.
    • Allow annual audits and ongoing monitoring by the data owner.
  • Understanding Individual Privacy Rights: Data centers must support their clients in responding to individual privacy requests under applicable state laws.

CYBERSECURITY READINESS: PLANNING FOR THE INEVITABLE

Cybersecurity preparedness remains critical for data centers as threat actors increasingly target infrastructure providers. Preparedness starts with a clear, operational incident response plan (IRP). Key elements of an effective IRP include the following:

  • Brevity and Clarity: A usable IRP should feel more like a brochure than a textbook. It must clearly define who does what and when.
  • Cross-functional Teams: Include legal, IT, public relations, customer service, and external experts like forensic investigators and breach counsel.
  • Regular Tabletop Exercises: These simulations prepare teams to respond quickly and effectively to actual threats.

When preparing for or responding to a cybersecurity incident, data centers must address several critical legal questions, many of which hinge on the specific terms of their contracts with clients. These questions include the following:

  • What qualifies as a “security incident” under each client’s contract? Definitions can vary significantly, and what qualifies as a reportable event for one client may not for another.
  • Who must be notified and how quickly? Contracts often impose notification requirements, including specific timeframes and formats, and they may also address which party is responsible for making any required notices to individuals and/or regulators.
  • Even if notice to the client is not required, should it be provided voluntarily to preserve business relationships or mitigate risk? In some cases, proactive/voluntary notification can help preserve trust, limit reputational damage, and demonstrate good faith, particularly when client relationships or regulatory scrutiny are at stake.

Additionally, with 50+ state breach notification laws, determining whether an incident triggers disclosure obligations is no small task. Some states require notice only if there is a risk of harm; others mandate it for any unauthorized access to personal data. These can be tricky legal questions, so it is important to identify breach counsel in advance in order to respond quickly.

SEC CYBERSECURITY DISCLOSURE RULES

The US Securities and Exchange Commission has significantly increased cybersecurity disclosure expectations for all public companies, which includes those operating data centers or materially relying on them. The SEC’s focus on cybersecurity disclosures by public companies began with the Division of Corporation Finance’s 2011 interpretive guidance, which advised companies on how cybersecurity risks and cyber events might be addressed under existing disclosure rules.

Additional guidance followed in 2018, introducing the Commission’s views on the importance of cybersecurity policies and procedures and on the applicability of insider trading prohibitions in the cybersecurity context. In 2019, the Division of Corporation Finance provided additional guidance tailored to disclosure practices for technology and intellectual property risks, particularly in the context of international operations. However, the most consequential changes arrived in July 2023, when the SEC adopted new rules designed to standardize and expand cybersecurity-related disclosures.

Forms 8-K and 10-K Disclosure Updates

These 2023 rules introduced two major requirements. First, public companies must now file a Form 8-K within four business days to disclose a material cybersecurity incident. The disclosure must detail the incident’s nature, scope, timing, and its material or reasonably likely material impact, including to the company’s financial condition and results of operations.

Second, public companies must include expanded cybersecurity disclosures in their annual report on Form 10-K, covering the company’s policies and procedures related to assessing, identifying and managing material risk from cybersecurity threats, including the oversight by boards and management, the engagement of third parties in connection with such processes, and whether cybersecurity threats have materially affected or are likely to materially affect the company’s business strategy or financial condition.

Defining Materiality

In a pivot from the proposed rule, the final rule’s Form 8-K disclosure requirement is triggered by the determination that the cybersecurity incident is material, not simply by the occurrence of any cybersecurity incident. In determining whether a cybersecurity incident is material for the purposes of SEC disclosure, companies must conduct a nuanced assessment that considers both quantitative and qualitative factors.

Under the federal securities laws, courts have determined that information is “material” if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available to investors.

This means companies must not only consider the financial and quantitative metrics, but also qualitative factors, such as reputational damage, competitive harm, litigation risks and regulatory scrutiny, and harm to client or vendor relationships. For public companies that own and/or operate data centers, cybersecurity considerations are fundamental to the business, requiring complex and nuanced analysis.

Additional SEC Guidance

Following the adoption of the 2023 rules, the Division of Corporation Finance issued additional guidance to clarify expectations, particularly around the use of Item 1.05 of Form 8-K, which is reserved for material cybersecurity incidents.

The SEC emphasized that premature filings, made before a materiality determination has been reached, are inappropriate under this item, but it did not discourage public companies from voluntarily disclosing cybersecurity events that have not been deemed material under a different item of Form 8-K, such as Item 8.01. It also highlighted the importance of disclosing the role of third-party providers in cybersecurity risk management and noted that early staff comment letters on companies’ cybersecurity disclosures have focused on issues like material noncompliance and the adequacy of board and management oversight.

Most recently, in March 2025, the SEC created a Cyber and Emerging Technologies Unit to focus on key “priority areas” in this space, such as fraudulent cybersecurity disclosures, in addition to the use of artificial intelligence (AI) and social media to perpetrate fraud.

Finally, the House Committee on Financial Services subsequently sent a letter to the SEC requesting that it consider withdrawing 14 specific rules, including the 2023 cybersecurity rules. The SEC’s response to that specific request remains uncertain; however, in early June 2025, it did formally withdraw a number of proposed rulemakings from its agenda, including a March 2022 rulemaking proposal related to cybersecurity risk management for investment advisers, registered investment companies, and business development companies, which could be interpreted as the current SEC administration’s desire to move away from prescriptive rulemaking.

NATIONAL SECURITY SCRUTINY IS GROWING

Federal authorities are increasingly treating data centers as strategic infrastructure with implications for national security, especially when foreign ownership or cross-border data flow is involved. Executive Order 14117, signed in February 2024, highlighted concerns that adversarial nations may gain access to US data via submarine cables and foreign data centers. The order emphasized the risk of transmitting sensitive data to countries of concern and directed the US Department of Justice’s (DOJ’s) Team Telecom to scrutinize telecom licenses more aggressively.

Recently, new rules from DOJ took effect that restrict certain data-related transactions involving entities tied to countries of concern. These rules apply to vendor, investment, employment, and data brokerage agreements that involve the transfer of bulk sensitive personal data or US government–related data.

Even US-based data centers can fall under the scope of these regulations if they are owned by or affiliated with foreign parent companies in high-risk jurisdictions. As a result, data centers must now carefully evaluate ownership structures and contractual arrangements to avoid inadvertently triggering compliance obligations under these national security–focused rules.

Supply Chain Security

Federal agencies are also expanding oversight of the technology supply chain through existing regulatory frameworks. The regulatory foundation for addressing supply chain security risks stems from Executive Order 13873, issued in 2019, which empowered the US Department of Commerce, through the Office of Information and Communications Technology and Services (ICTS), to regulate transactions involving foreign ICTS providers.

In March 2025, this authority was expanded to include connected autonomous vehicles, and similar rulemaking is expected to extend to data centers in the near future. Separately, the Bureau of Industry and Security recently updated its Validated End-User (VEU) program to streamline the export of advanced computing technologies, such as AI and supercomputing components, to qualified overseas data centers. The VEU expansion is specifically aimed at addressing data centers that house advanced AI systems, facilitating exports to these high-security environments through a more efficient, pre-approved framework. Participation in the VEU program requires parties to meet stringent security and compliance standards, offering operational efficiencies in exchange for front-end diligence and ongoing oversight.

These trends point to a future in which operating a data center, especially one with global clients or ownership, will require a detailed understanding of export controls, beneficial ownership rules, and national security policies.

CONCLUSION

As regulators and policymakers evolve their approach to cybersecurity, privacy, and national security, data centers are increasingly in the legal crosshairs. Operators must not only keep pace with contractual and technical compliance obligations but also prepare for regulatory scrutiny from an alphabet soup of agencies as diverse as the SEC, DOJ, FTC, and BIS.

All this signals that the days of treating cybersecurity and privacy as purely operational concerns are over. In today’s regulatory climate, these are now legal and strategic imperatives for the data centers powering our digital economy.