Hard to believe, but 2025 will be here before you know it. And what goes best with a new year? A countdown list!
Last week, I spoke at the Dayton Bar Association’s Corporate Counsel Section on the topic of the Top 10 legal technology issues that in-house counsel should have on its radar for 2025.
This list is comprised of issues I am seeing in my practice, reading about in the news, and seeing emphasized at conferences and symposiums I have attended. Without further ado, here are the top ten issues that are likely to have an impact over the coming year.
10: Increase in Data Processing Agreements. To begin with, expect to see an increase in the number of data processing agreements or information sharing agreements that come across your desk. This uptick will likely be driven by two factors. First, the European Union is poised to update its Standard Contractual Clauses (SCCs) during the second quarter of 2025. These SCCs form a standardized agreement issued by the European Commission and are a heavily relied-on tool when transferring personal data outside the European Economic Area (EEA) to countries the Commission determines lack adequate data protection laws, such as the United States. These SCCs are often a vehicle to renegotiate Master Service Agreements and SaaS Agreements – which means that you will likely see more of them in 2025. Second, by January of 2025, at least 14 states will have effective data privacy laws regulating how data may be processed and by whom. These states include: California, Colorado, Connecticut, Delaware, Florida, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas, Utah, and Virginia. This increase in legislation will no doubt lead more companies to get serious about revising or instituting data processing agreements to address domestic transfers of information.
9: Changes in Text Message Marketing. Effective January 27, 2025, the FCC will close the “lead generator loophole.” Essentially, businesses seeking to market through automated text messages must obtain consent from the consumer for one identified seller at a time and ensure their marketing messages to that consumer are “logically and topically related” to the platform where the consent was obtained. For businesses engaged in this marketing practice, it will be crucial to abide by the FCC’s latest restrictions in this space.
8: Work from Home/Hybrid. In 2024, approximately 22 million workers in the United States work from home full-time. By 2025, this number is expected to increase to 32.6 million. An additional 53% of workers in the United States have reported working in a hybrid manner, splitting time between the office and working remotely. These numbers make one thing clear: remote work isn’t going away, even as we move into the post-COVID era. Issues arise from this work arrangement, however. For example, the real or perceived decrease in productivity associated with employees who work from home has led some employers to turn to “bossware” – software programs designed to track employee output and focus. Before instituting such software, however, employers should ensure that they are not inadvertently violating any of their state’s wiretap laws or other restrictions on digital surveillance. The continued prevalence of employees being permitted to work from home will give rise to other issues, too, such as virtual harassment and bullying, and the need to provide employees with home-office setups and to reimburse them for the same. Additionally, employers should be aware of the unique information security challenges that arise from a remote or hybrid work environment.
7: Regulatory Technology. Moving into 2025, there is likely to be a sharp increase in the offerings of RegTech solutions for in-house counsel. “RegTech” – short for “Regulatory Technology” – refers to software which is utilized to improve the way businesses manage regulatory compliance. Although this technology can often make life easier for in-house counsel, it is not without its pitfalls. For example, the integration of these technologies with existing systems often presents challenges with compatibility and security. Additionally, reliance upon RegTech for audit and record-keeping requirements presents both value and risk. Before acquiring new RegTech solutions, it will be crucial for in-house counsel to review and negotiate the warranty and indemnification provisions of agreements in this space very carefully.
6: Cookies and Pixel Tracking Technology. Businesses utilizing “cookies” and similar online tracking technologies should be aware of new regulations in this space that will have an outsized impact in 2025. Website tracking tools are facing scrutiny at state and federal levels. At the state level, many jurisdictions such as Washington, Connecticut, Maryland, and Nevada are enacting consumer health data laws that require explicit disclosure of these technologies. Additionally, the Federal Trade Commission issued a circular on website tracking disclosures, reminding businesses of the privacy and security risks related to the use of online tracking technologies integrated into their websites. And to make this landscape even riskier for businesses, there has been an increase in plaintiffs’ bar activity with respect to pursuing claims under wiretapping statutes, profiting off of businesses for non-compliance.
5: ACH/Wire Fraud. Unfortunately, certain perennial risks are likely to continue to rear their heads as we move into 2025. One of these evergreen issues is wire fraud. In 2023 alone, business losses due to fraud topped a whopping $10 billion, up 14% over 2022. This increase is alarming, but unsurprising considering the increased sophistication of threat actors. Additionally, instances are often not detected for 90-120 days, when businesses begin taking a close look at their aged A/R. But by then, it is often too late to recover funds which were diverted to threat actors. As a result, in-house counsel should make sure that their organizations have strong training programs and policies in place to make employees aware of these threats. Employees should never authorize wire instruction changes through email alone, and should scrutinize any changes in banking information.
4: Biometric Fraud. Biometric technologies – security systems relying on biological markers such as fingerprints, facial features or retinal patterns – are usually considered the gold standard for security. However, these biometric systems are increasingly easy to spoof by using masks or false copies of fingerprints. These spoofs can lead to serious security issues in the workplace, from unauthorized access to a company’s most sensitive information to fraud at the timeclock. It should also be noted that biometrics are directly regulated in a limited number of locations, including Illinois, Texas, Washington, and New York City. Companies utilizing this technology should be aware of all applicable regulations in this space.
3: Ransomware. Unfortunately, ransomware will continue to be a problem moving into 2025. In fact, several trends conspire to make ransomware an even larger threat than it has been in recent years. For example, many threat actors are shifting their focus from IT departments to OT (Operational Technology) segments of an organization. They do this to cause on-the-ground, real-world disruption to a company’s physical operation to exert maximum pressure on a company to give in to a ransom demand. In this way, hackers are able to not only lock a company out of its data – but to also grind its processes to a halt. These attacks can significantly impact operations for 15-30 days, causing enormous harm. Companies in the manufacturing and construction sectors are the largest targets for these attacks.
2: Deepfakes & Shallowfakes. You may think that deepfakes (digital content augmented to make it appear as though a celebrity or politician is saying something outrageous) or shallowfakes (digital content slightly altered to achieve a more subtle, yet still misleading, effect) are only a problem in the entertainment space or in our political environment. Unfortunately, these technologies are presenting an elevated security threat at both a corporate and personal level. For example, audio spoofs of high-level executives could be used to convince lower-level employees to divert company funds to a threat actor’s bank account. These technologies are developing at a rapid pace, and enable threat actors to prey on a target’s familiarity with the voice on the other line. But despite the enormous issues posed by deepfakes, the solution can be relatively simple. Companies can institute a “passphrase” that must be used before major decisions are made or funds are expended. This way, your organization can minimize the risk of being tricked by a deep- or shallow-fake.
1: Generative AI in the Workplace. It should come as no surprise that artificial intelligence in the workplace has made an appearance on this list. Generative artificial intelligence technologies have proliferated and become more sophisticated at a pace that even many experts failed to anticipate. While these tools can enhance employee productivity, there are several pitfalls that in-house counsel, in particular, should be wary of. To begin, an Acceptable AI Use policy is essential for any business organization – whether the organization wants to promote use of generative AI or not. The threats that this technology may pose – the threat of leaked data, IP risks, and bias in employment decisions – are too severe to ignore. Instituting an Acceptable AI Use policy is a great first step towards guarding against some of these dangers. Additionally, these policies will likely only become more necessary as jurisdictions such as the European Union, Colorado, and Utah adopt AI laws – with many more jurisdictions likely to join them in the coming years.
For more information on data privacy and security regulations and other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy & Data Security Mobile Application.