Nov. 5, 2025

Steps to Address the New California Audit Rule That Seeks to Reset Reasonable Security

A new California Privacy Protection Agency rule requires many companies to complete an annual cybersecurity audit that would evaluate two dozen components. For each company that completes the requisite audit, the auditors’ resulting nonpublic report must detail gaps found in the company’s cyber program along with needed remediations, and a company executive is obligated to certify compliance publicly. While the deadline for audit reporting begins in 2028, practitioners recommend that companies complete a robust internal audit in 2026 to give ample time to improve on weak points in their cyber programs. With insights from Blank Rome, Perkins Coie, Polsinelli, and Shook Hardy & Bacon, this article sets out steps for companies to consider while conducting the recommended preparatory audits. It also examines less-standard cyber controls among California’s required measures, cost and timing concerns, and risks tied to the ultimate audit report. See “Show Me the Data: How to Conduct Audits for Data Minimization” (Nov. 18, 2020).

California’s Landmark AI Transparency Law: Compliance Considerations

Developers of frontier AI models face new obligations with the introduction of California’s Transparency in Frontier Artificial Intelligence Act (TFAIA), the first law in the nation to establish transparency, disclosure and governance requirements for developers of high-compute AI models. TFAIA’s mandates warrant prompt attention. Although not many companies have exceeded the high technical threshold to be a frontier developer, that number is expected to rapidly increase, bringing far more companies into scope in the near future. Downstream businesses and users will be impacted as well. This second installment in a two-part article series, with commentary from AI law practitioners and former regulators at Crowell & Moring, Jones Walker, Mayer Brown, Skadden and Womble Bond Dickinson, provides practical compliance considerations for companies as they prepare to fulfill the new law’s obligations. Part one discussed to whom the TFAIA applies and examined the law’s reporting requirements, protections, exceptions and penalties. See “How to Address the Colorado AI Act’s ‘Complex Compliance Regime’” (Jun. 5, 2024).

What CISOs Are Saying About Their Role in 2025

As cyber threats become increasingly sophisticated, the responsibilities of the CISO are evolving. Despite rising confidence, many leaders still feel unprepared for a major attack. People remain the top cybersecurity risk, now intensified by AI disruption and mounting boardroom expectations, according to the latest findings from Proofpoint’s 2025 Voice of the CISO Report. During a recent program, a panel of CISOs from Air New Zealand, Cox Enterprises, Proofpoint, SLB, Solventum, Surescripts and Zurich American Insurance Company discussed key takeaways from the report, including managing insider risk, challenges of AI and executive pressure. This article distills their insights. See “Challenges, Risks and Future of the CISO Role” (Jul. 31, 2024).

AI Governance and Compliance Leader Joins Steptoe As Partner in D.C.

Steptoe has welcomed Carl Hahn as a partner in the firm’s investigations, white-collar and compliance practice in Washington, D.C. He joins the firm after co-founding legal technology company Gentic Global Advisors, which specializes in designing operational and compliance programs to help organizations manage risks related to AI and emerging technologies. For commentary from Hahn, see “In-House Perspectives on Compliance’s Role in Managing New and Emerging Risks” (Jun. 5, 2024). For insights from Steptoe, see our two-part series “AI Meets GDPR”: “EDPB Weighs In on AI Models” (Feb. 5, 2025) and “Mitigating Risks and Scaling Compliance in the Development and Deployment of AI Models” (Feb. 19, 2025).