Welcome
Welcome to our fourth issue of 2025 of Decoded - our technology law insights e-newsletter.
You are cordially invited to our 2025 SuperVision Labor & Employment Symposium - Working Hard or Hardly Compliant: Strategies, Solutions and Surprises in the New World of Labor and Employment Law. Join Spilman attorneys for our full-day SuperVision Symposium, designed to inspire your confidence in navigating complex employment decisions! This complimentary symposium is tailored for business owners, C-suite executives, HR professionals, and anyone who manages employees. Dive into a day of valuable insights on employment topics such as HR impacts from the new administration; employee relations; changes at the NLRB; free speech in the workplace and much more. Spend the day with us and leave armed with strategies and solutions to tackle the ever-changing world of labor and employment law!
We hope you enjoy this issue and thank you for reading.
Nicholas P. Mooney II, Co-Editor of Decoded; Chair of Spilman's Technology Practice Group; Co-Chair of the Cybersecurity & Data Protection Practice Group; and Co-Chair of the Artificial Intelligence Law Practice Group
and
Alexander L. Turner, Co-Editor of Decoded and Co-Chair of the Cybersecurity & Data Protection Practice Group
“Data breaches are rising across industries, hitting healthcare, finance, and retail especially hard.”
Why this is important: Data breaches impact all aspects of a business. The most significant impact data breaches have on every industry is the rise in costs associated with a data breach. The contributing factors to the rise in costs include the cost of the business disruption that results from a data breach, regulatory fines imposed by regulators, the post-breach response, and the reputational damage that may carry on far into the future. Data breaches can also increase the cost of borrowing money, which is the case with the healthcare industry in the form of credit downgrades as a result of cyberattacks. With this continual rise of costs associated with a data breach, preparedness in advance is required. This includes extensive employee training to recognize the risk of an outside attack, installing all software patches to close known vulnerabilities, implementing multi-factor authentication, creating and testing incident response plans, auditing your data and discarding data your organization no longer needs, and obtaining cybersecurity insurance. However, not all cybersecurity insurance policies are created equal. Many cybersecurity policies lack sufficient coverage in the event of a data breach or exclude common avenues of attack from coverage. It is important that you work closely with your insurance broker and counsel to get adequate insurance coverage. Unfortunately, obtaining sufficient coverage comes at an increased cost, thereby perpetuating the cycle of increasing costs caused by data breaches. --- Alexander L. Turner
“The Harrisburg-based organization launched an investigation that concluded on February 18, 2025, that the cyber incident enabled a threat actor to access certain files containing personal information.”
Why this is important: A data breach at the Pennsylvania State Education Association (PSEA), Pennsylvania’s largest workers and teachers’ union, exposed the personal, financial, and health data of over 517,000 individuals. The breach occurred in July 2024 and was confirmed after an investigation concluded in February 2025. Leaked data included Social Security numbers, driver’s license and passport numbers, account and payment card information, and health insurance and medical records.
The Rhysida ransomware gang claimed responsibility, demanding a $1.1 million ransom (in the form of 20 Bitcoin), and listed the stolen data online only briefly, which indicates the ransom may have been paid.
In response, PSEA first notified the authorities and victims and has offered 12 months of credit and cyber-attack monitoring. They have also urged individuals to monitor financial activity and consider credit freezes.
Rhysida, a hacker group active since May 2023, has been linked to multiple high-profile breaches and is believed to have ties to Vice Society. U.S. agencies, including the FBI and CISA, have issued warnings about its growing threat, especially to sectors like education and healthcare.
Ransomware hacks are an ever-growing problem and no organization, small or large, public or private, is truly safe. Savvy business leaders will be prepared with a plan and able to jump into action as soon as the bad actors strike. Reach out to Spilman today to discuss strengthening your cybersecurity plan and response protocols. --- Shane P. Riley
“The National Cryptocurrency Enforcement Team (NCET) was created to tackle complex investigations and prosecutions of criminal misuses of cryptocurrency, particularly crimes committed by virtual currency exchanges, mixing and tumbling services (tools that obscure the origins and destinations of crypto transactions), and money laundering infrastructure providers.”
Why this is important: The National Cryptocurrency Enforcement Team (NCET) is dead, but that doesn’t mean an end to crypto regulation or enforcement. The NCET was created in October 2021 as part of the Department of Justice and was charged with investigating and prosecuting criminal misuses of cryptocurrency. In July 2023, it was merged into the DOJ’s Computer Crime and Intellectual Property Section. Earlier this year, President Trump issued an executive order titled “Strengthening American Leadership in Digital Financial Technology.” Consistent with the purposes of that order, Deputy Attorney General Todd Blanche recently sent a memo to all DOJ employees. The memo, titled “Ending Regulation by Prosecution,” stated that the DOJ “is not a digital assets regulator” and the Trump administration was putting an end to the prior administration’s “strategy of regulation by prosecution.” Thus, Blanche ordered the NCET to be disbanded immediately. In its place, U.S. Attorney’s Offices are to “use long-recognized criminal justice tools” to lead criminal prosecutions. The DOJ’s focus will shift to investigating and prosecuting those who use digital assets to victimize investors, or those who use digital assets in furtherance of terrorism, narcotics and human trafficking, organized crime, hacking, and cartel and gang financing. Further, the Securities & Exchange Commission’s recently created “Cyber and Emerging Technologies Unit” will also fill the space with its focus on addressing cyber-related misconduct and protecting retail investors from bad actors in the emerging technologies market. The full effect of these changes is not yet known. However, it isn’t a stretch to predict fewer prosecutions in the crypto space.
While the Trump administration is making these regulatory and enforcement changes, the President also signed an executive order to create a Strategic Bitcoin Reserve and a Digital Asset Stockpile, created a working group on digital asset markets, chaired by the White House AI and crypto czar, and hosted a White House crypto summit. Is President Trump going to be the crypto President? Hard to say. Although the value of cryptocurrencies generally has been rising in the past weeks, this year has seen a sell-off and drop in prices fueled by other policies by the Trump administration. If you’d like to talk more about these issues or have questions about the law surrounding cryptocurrencies, contact Spilman’s Technology Law Practice Group. --- Nicholas P. Mooney II
“The Chinese firm’s highly efficient chatbot won’t slow the need for U.S. data centers or the energy projects to power them, experts say.”
Why this is important: The rise of DeepSeek AI and its ability to operate at a lower cost than other artificial intelligence models have many worried about the growth of data center power. Those fears should be put aside as DeepSeek will be one of the factors that facilitate data center power growth. DeepSeek lowers the cost of computing, which can potentially increase the number of companies that use the AI model. With the reduced costs, new potential applications for the AI model may emerge.
One major legal consideration is compliance with environmental laws and energy regulations. Governments worldwide are implementing stricter carbon reduction policies, and data centers—historically known for their high energy usage—must adhere to these standards. By integrating energy-efficient designs, companies like DeepSeek AI can mitigate regulatory risks while positioning themselves favorably under green energy incentives and tax credits.
The demand for power construction is rising rapidly alongside data center projects as contractors strive to keep pace with increasing needs. The current U.S. grid was not meant to handle the current level of demand and growth. In addition to the new building of "power islands" designed to house gas energy, solar energy, batteries, and a data center, older power plants once slated for retirement are now being renovated into data power centers. A significant challenge for both new data center construction and the renovation of older power plants is the demand for skilled labor required to build and maintain these facilities. As data center construction increases, competition is not just for projects but also for experienced teams to build them. Contractors must compete for both clients and skilled labor, posing challenges for both developers and builders.
The lack of capacity in the current power grid and the need for more data centers have caught the attention of the Oval Office. President Trump recently issued an executive order declaring an energy emergency aimed at expediting the development of new power generation and transmission infrastructure. As power consumption continues to rise, there may be changes in state and federal regulations to promote or restrict the expansion of data centers and AI usage. --- Nicholas A. Muto
“Adding to the general confusion is the fact that this new data leak was merged with the information from the prior 2023 data scraping breach by a different threat actor, which contained different information including account email addresses.”
Why this is important: When Elon Musk acquired X/Twitter, he laid off 80 percent of the workforce. Subsequently, X/Twitter experienced a major data breach that exposed users’ personal data back to the inception of Twitter. The breach in question occurred in January 2025, but has not been publicized. It is believed that a disgruntled employee who was purged by Elon Musk is responsible for the data breach, but that has not been confirmed. Employees are the weakest link in any organization’s data security chain. While you should not treat your employees as potential Trojan horses, there are steps that an organization can take to protect its data. The first is extensive employee training to teach them how to recognize and avoid outside threats. The second is compartmentalization of data to limit employees’ access to just the information they require to perform their job duties. The third is monitoring by the organization’s IT department and immediate notification to employees if they attempt to access data they are not authorized to access. Finally, upon the departure of an employee, the organization must terminate all access the employee has to the organization’s network. These steps will go a long way to prevent employee-related data breaches like the one experienced by X/Twitter. --- Alexander L. Turner
“The company has already been in business selling consumer data to pharmaceutical and biotech industries for some time, and the data it holds would remain protected under relevant laws pertaining to sensitive health information.”
Why this is important: 23andMe, once a leader in consumer genomics and at-home DNA testing, has filed for Chapter 11 bankruptcy, sparking major privacy concerns for its 15 million customers. The company, which reached a peak valuation of $6 billion in 2021, saw its value plummet to just $12 million by 2024 following a series of financial challenges, including a massive data breach in 2023 that exposed the records of seven million users and a failed attempt to take the company private. As the company prepares to wind down operations, there is growing anxiety over what will happen to the vast amounts of sensitive genetic and health data it has collected over nearly two decades. Although the data is legally protected, potential buyers of the company’s assets may not be required to allow users to opt out or delete their data, raising serious concerns about consent, transparency, and long-term security.
Most customers were automatically opted in to data sharing with third parties, and 23andMe has had partnerships with at least 30 companies, including pharmaceutical giant GlaxoSmithKline, often under confidential agreements. While users have the ability to request deletion of their data and destruction of their DNA samples by closing their accounts, these options have become more urgent as the company edges closer to closure. Some U.S. states, such as California, offer limited legal protections under laws like the California Consumer Privacy Act (CCPA), which allows consumers to request full data deletion. However, federal laws provide little recourse, and protections vary widely by state.
Privacy experts warn that 23andMe's situation is a reminder of how vulnerable consumers are when companies built on personal data fail. Genetic data, unlike passwords or credit card numbers, cannot be changed, making its exposure particularly risky. Critics argue that companies dealing with such intimate information must embed privacy protections into their operations from the start, including clear plans for what happens to data in the event of a shutdown, acquisition, or restructuring. They call for a shift from reactive privacy measures to proactive data governance, including the implementation of robust security protocols, strict access controls, and adherence to internationally recognized standards such as SOC 2 and ISO certifications. Ultimately, the 23andMe case underscores the broader industry realization that if user data is the foundation of a business, then protecting it must remain a priority, even beyond the life of the company itself. --- Shane P. Riley
“But cyberattacks can be especially problematic for smaller providers that don’t have the resources of some larger health systems.”
Why this is important: The healthcare industry is one of the leading targets for cyberattacks. Such attacks can lead to the disruption of services, the loss of critical data, loss of reputation in the community, and loss of revenue. Those are all the risks that people commonly associate with a cyberattack. However, there is a new one that is not often considered -- damage to the facility’s credit rating. Recently, two smaller facilities that were already experiencing financial pressure had their credit ratings lowered following a cyberattack. Specifically, it was the slower rebound from a recent cyberattack that caused the lowering of their credit ratings due to an already weak financial situation. This new consequence of a cyberattack will disproportionately impact rural hospitals that lack the resources to sufficiently protect their systems. This is why it is so important for even small healthcare facilities to prioritize cybersecurity as much as possible. --- Alexander L. Turner
“Attackers are already using AI to automate reconnaissance, generate sophisticated phishing lures, and exploit vulnerabilities before security teams can react.”
Why this is important: This article was written by SANS Institute and promotes their SANSFIRE 2025 event at which its faculty teaches, among other things, its course on Applied Data Science & Machine Learning for Cybersecurity. Despite the initial temptation to dismiss this article as a sales pitch for the course, the article makes an important point. We’ve discussed in many prior issues of Decoded, and continue to discuss, the relentless cyberattacks every industry faces. We’ve discussed attacks on financial institutions, healthcare facilities, educational institutions, critical infrastructure, and others. We’ve talked about emerging threats, phishing attacks, and other schemes. We’ve discussed the devastating aftermath of the attacks. And, we’ve discussed how all companies, regardless of size or industry, must take steps to protect themselves against attacks. Recently, we’ve started reporting on the gaining popularity of Artificial Intelligence, its promises, and its challenges. The SANS Institute article discusses what happens when AI and cybersecurity merge.
“Attackers are already using AI to automate reconnaissance, generate sophisticated phishing lures, and exploit vulnerabilities before security teams can react.” The inclusion of AI into a cyber attacker’s arsenal gives them an enhanced ability to launch new attacks faster. Companies trying to defend against these attacks are finding it hard to keep up. They can become overwhelmed and unable to process the massive amounts of data quickly enough to identify and defend against real threats. The article argues that AI must be implemented into cyber defenses as it provides a way to level the playing field with the attacker. AI can be used to identify vulnerabilities and potential threats. The speed of AI can be leveraged to conduct investigations faster than humans can. At bottom, the answer may be that companies will be forced to learn AI and forced to implement it into their cybersecurity defenses if they want to stay up to date. Without it, they may be left even more vulnerable than before. If you’d like to talk more about these issues or have questions about cybersecurity or AI, contact Spilman’s Technology Law or Artificial Intelligence Law Practice Groups. --- Nicholas P. Mooney II
The Data Center Boom Continues, but Pitfalls and Questions Remain
By Carrie H. Grundmann
The energy needs of data centers continue to grow, seemingly unabated. According to a Utility Dive article, a report from the National Electrical Manufacturers Association (NEMA) estimates that data center demand (and transportation electrification) will cause U.S. electricity demand to rise two percent year-over-year for the next quarter century. In the near term (the next decade), data center demand is projected to grow 300 percent. The Trump administration has been playing an active role in facilitating the growth of data centers and the global race for AI dominance. Following on President Trump’s Executive Orders from January 2025 on AI and U.S. energy security, the Department of Energy (DOE) recently announced plans to make its DOE-owned land at 16 locations available for data center development. It has since issued a request for information (RFI) to gather feedback from industry experts on how to use this land to further data center development, advocating in favor of a public-private partnership model.
This is an attorney advertisement. Your receipt and/or use of this material does not constitute or create an attorney-client relationship between you and Spilman Thomas & Battle, PLLC or any attorney associated with the firm. This e-mail publication is distributed with the understanding that the author, publisher and distributor are not rendering legal or other professional advice on specific facts or matters and, accordingly, assume no liability whatsoever in connection with its use.
Responsible Attorney: Michael J. Basile, 800-967-8251