Creating deepfakes and accessing stolen data on the dark net is surprisingly easy, delegates learned at the ITWeb Security Summit, when keynote speaker Tobias Schroedel took them on a guided tour through the dark net.

The IT security expert known as ‘comedyhacker’, Schroedel used AI to clone MC and journalist Clement Manyathela during his session.

He demonstrated how quickly and easily he accessed various ransomware groups’ dark net pages, where ‘menus’ of stolen data were on display. The pages showed which companies were still negotiating ransoms and how much time they had left to pay. Data from non-paying companies was available for sale.

You are never really prepared for a ransomware attack, while cyber criminals have done this hundreds of times.

Tobias Schroedel

He highlighted common techniques for phishing attacks, like using deliberate typos in e-mail sender addresses and content that appeared to be from legitimate companies, for example, Sienens, Faceboook, Mircosoft and Arnazon.com. He also guided the audience through simulated ransomware negotiations and demonstrated how he could clone Manyathela’s voice and create a deepfake video in a matter of minutes.

“You are never really prepared for a ransomware attack, while cyber criminals have done this hundreds of times,” Schroedel said.

He stressed the importance of preparation: “Be ready – have offline backups and test them regularly. Make sure executives have offline emergency plans and printed contact details of key staff in case attackers take your systems down. You should also have professionals on your side to help you through negotiations and the ransom payment process – most companies prefer not to have ransom payments go through their own books.”

Should You Turn Off Bluetooth? The FCC Says Yes. I’m Not So Sure.

The Federal Communications Commission recently reminded Americans that turning off Bluetooth when you’re not using it can help protect your devices from hackers. It’s one of those warnings that sounds alarming at first. After all, Bluetooth is everywhere. It’s how we connect our earbuds, smartwatches, fitness trackers, speakers, and even our cars. But how much risk is there really? If you open your Bluetooth settings in a crowded coffee shop or airport, you’ll probably see a long list of nearby devices. Earbuds, speakers, laptops, smartwatches, and phones. According to the FCC, leaving Bluetooth enabled could allow hackers to exploit vulnerabilities and gain access to your device. The concern isn’t completely unfounded.

Bluetooth attacks are real. Security researchers have demonstrated attacks with names like Bluejacking and Bluebugging for years. But most of these attacks require a hacker to be physically nearby, target a vulnerable device, and exploit a security flaw that often has already been patched through software updates. In most cases, simply seeing a Bluetooth device doesn’t mean someone has access to it. If someone attempts to connect to your device, you’ll typically receive a notification or be asked to approve the connection. That doesn’t mean you should ignore Bluetooth security. Keeping your phone, tablet, and computer updated is one of the best ways to protect yourself.

If you use a personal hotspot, it’s also a good idea to turn it off when you’re finished using it. But for most people, there are bigger cybersecurity risks than Bluetooth hackers sitting nearby. Phishing text messages, scam websites, fake customer service calls, and weak passwords are responsible for far more security problems than Bluetooth attacks. In fact, while researching this story, I was reminded of a mistake I made myself.

 A few weeks ago, while on vacation, I signed into my YouTube account on a smart TV and forgot to sign out before leaving. That’s probably a more common privacy risk than Bluetooth hacking. The next guest wouldn’t have access to my Gmail account or Google password. But they could have access to my YouTube profile, watch history, playlists, subscriptions, and recommendations. The same thing can happen if you forget to sign out of Netflix or other streaming services on a hotel, Airbnb, or vacation rental television.

 Fortunately, both Google and Netflix make it easy to check. In your account settings, look for Security or Manage Devices. You’ll see a list of devices connected to your account. If you spot a TV, streaming device, or computer you no longer use, you can sign it out remotely with just a few clicks.

So, should you turn off Bluetooth when you’re not using it? Sure. It won’t hurt unless you mind turning it back on again for the car stereo, or if you have a smart watch connected to it. But rather than worrying about things that could happen, we should probably spend more time worrying about the things that do happen. And if you’ve traveled recently, it might be worth taking a minute to see what devices are still logged into your accounts. For example, if you connect your phone to a rental car, you’ll want to remove it from the Bluetooth options. Some vehicles save contacts and account information.

Treasury Secretary Scott Bessent on Wednesday defended a new artificial intelligence executive order from the White House that recommends — but does not mandate — cooperation between the federal government and industry on a key cybersecurity measure.

The order, released Tuesday, directs the Treasury secretary to form an AI cybersecurity clearinghouse within 30 days, following consultation with the national cyber director, the Homeland Security and Defense secretaries, and the NSA and CISA directors.

The function of the clearinghouse, per the order, would be to coordinate and deconflict scanning for software vulnerabilities, discover and validate those vulnerabilities, and coordinate and prioritize remediation and distribution of patches.

However, the EO only calls for “voluntary collaboration with the AI industry and operators of critical infrastructure” on the clearinghouse. During a Senate Finance Committee hearing Wednesday, Sen. Mark Warner, D-Va., pressed Bessent on the issue. 

“The idea that we’re going to have only a voluntary regime, I believe, will put our banking system at risk, [and] clearly our national security at risk,” said Warner, who called the delayed order a “watered-down” version of a draft he’d seen.

Bessent maintained that the only difference between Tuesday’s order and a previous draft from President Donald Trump was a tighter deadline for the creation of the clearinghouse, going from 90 days initially down to 30. Warner reiterated that the draft he’d seen was “stronger than strictly voluntary” on cyber participation from industry, before moving on to another line of questioning. 

The cyber concerns raised by Warner were the tip of a tech-focused iceberg for the Virginia Democrat, who sent a letter to Bessent ahead of Wednesday’s hearing about the Treasury Department’s policies around agentic AI.

In the letter, Warner asked Bessent to work with stakeholders to “develop clarity around the use and deployment” of agentic AI in the financial services sector. 

“Agentic AI is a rapidly evolving area of technology, and a lack of regulatory clarity stifles innovation, puts financial institutions and their customers at risk, and increases the potential of American financial institutions and technology companies from being at a global market disadvantage,” Warner wrote. 

“Treasury should take the necessary steps to develop an understanding of the state of AI agent development, the complete range of use cases and associated benefits and risks, and to develop rules that allow for innovation among financial institutions of all sizes while robustly protecting consumers,” he added.

During the Senate Finance Committee hearing, Warner expanded on those thoughts, noting the “great promise” and “also downsides” of agentic AI and the need for “a strong fiduciary regime around those agents.” He asked Bessent if he agreed with that take. 

The Treasury secretary said the White House’s order “strikes a very good balance between innovation and safety.” He’s connected with “all the large language model labs” and convened those executives and leaders from the country’s largest banks in an effort to try “to optimize” that aforementioned balance.

“They are working diligently on their standards, because by their nature they have the strongest cybersecurity departments,” Bessent said of the banks. “I think that the rest of industry can learn from them.”

Bessent and former Federal Reserve Chair Jerome Powell met with major U.S. banks in April to discuss Anthropic’s new Mythos model, which has been touted for its ability to autonomously uncover cyber vulnerabilities and drawn concern for its hacking capabilities. 

Ilona Cohen, chief legal and policy officer at HackerOne, wrote in a blog post Tuesday that the suggested vulnerability clearinghouse in Trump’s order “mirrors” a recommendation in the White House’s AI Action Plan to create an AI Information Sharing and Analysis Center.

“Together, they suggest the Administration is trying to build a durable coordination architecture for AI-related cyber risk,” she wrote, “not just a one-time disclosure program.”

Privacy and data security have become central considerations in mergers and acquisitions, reflecting both regulatory expansion and the growing role of data as a core business asset. What was once a niche diligence topic now routinely sits alongside intellectual property and employment as a key risk area. Failures in this space can expose buyers to regulatory investigations, class actions, and operational disruption, while restrictions on data use can undermine the commercial rationale for a transaction. At the same time, the act of sharing data during diligence and integration can itself raise compliance issues.

Against this backdrop, deal teams increasingly need a structured approach to identifying and addressing privacy and cybersecurity risks. This Insight outlines five core legal requirements that should frame diligence and transaction planning, followed by practical considerations for implementing privacy and security protections in deal execution.

1. SECTOR-SPECIFIC PRIVACY LAWS DRIVE THRESHOLD RISK ASSESSMENT

The US privacy framework remains fragmented, relying on sector-specific regulation rather than a single comprehensive statute. This creates both flexibility and complexity for dealmakers evaluating compliance risk.

At a high level, privacy exposure in transactions often concentrates in the following key categories:

• Financial services data, governed by statutes such as the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act
• Healthcare information subject to HIPAA and related laws
• Children’s data regulated under the Children’s Online Privacy Protection Act and education records under the Family Educational Rights and Privacy Act
• Consumer data subject to state-level privacy regimes, most notably California’s Consumer Privacy Act and analogous statutes in other states
• Consumer marketing activities, including telemarketing and text messaging
• Biometric data, which can carry heightened statutory liability in certain jurisdictions

California’s framework has become particularly influential, applying broadly to businesses meeting certain thresholds while granting individuals rights over their personal information and imposing notice and contractual obligations on companies. Other states have adopted similar laws, though typically with a narrower scope, contributing to a patchwork regulatory environment that can be difficult to map in multijurisdictional deals.

For acquirers, early identification of these sectoral triggers is critical. The presence of regulated data sets can materially affect valuation, integration strategy, and ongoing compliance obligations.

2. PRIVACY POLICIES FUNCTION AS BINDING COMMITMENTS

Privacy policies serve as more than disclosure documents. They operate as enforceable representations about how a company collects, uses, and shares personal information. Regulators have consistently treated deviations from stated practices as potential unfair or deceptive conduct.

In diligence, privacy policies provide a window into both compliance maturity and potential risk. Key considerations include:

• Whether the policy is current and reflects recent regulatory developments
• The scope of data collection and stated purposes for use
• Commitments regarding data sharing, sales, or restrictions
• Representations about security practices
• The presence of “transfer of assets” language permitting data transfers in connection with corporate transactions

The absence of transaction-related transfer language can create legal constraints on sharing personal data with a buyer, potentially requiring additional notices or consent mechanisms.

Deal teams should also review broader public-facing statements, including website disclosures and marketing materials, which may create additional commitments beyond the formal privacy policy.

3. DATA SECURITY REQUIREMENTS ESTABLISH THE BASELINE FOR OPERATIONAL RISK

Most US privacy laws impose a general obligation to implement reasonable security measures. While the standard is not prescriptive, it is informed by regulatory expectations, contractual commitments, and widely recognized industry frameworks such as NIST, CIS, and ISO.

In practice, diligence focuses on whether the target has implemented core security controls, including:

• Written information security and incident response plans
• Strong authentication and access controls
• Encryption of sensitive data in transit and at rest
• Monitoring, logging, vulnerability testing, and patch management
• Employee training and awareness programs
• Vendor management processes governing third-party access to data

These elements serve as indicators of overall cybersecurity maturity. Deficiencies may not preclude a transaction but can inform pricing adjustments, indemnity provisions, or post-closing remediation plans.

4. BREACH NOTIFICATION OBLIGATIONS SHAPE LIABILITY EXPOSURE

All 50 states and the District of Columbia impose breach notification requirements, typically triggered by unauthorized access to certain categories of personal information. These laws vary in scope, timing, and regulatory reporting obligations but collectively establish a baseline expectation for incident response.

From a transactional perspective, the key issues are not simply whether breaches have occurred but how they were handled. Relevant diligence questions include the following:

• Whether incidents were identified and investigated promptly
• Whether notifications were made to affected individuals and regulators as required
• Whether remediation steps were implemented to address root causes
• Whether any related litigation or regulatory inquiries are pending

A history of incidents is not uncommon and does not necessarily derail a transaction. However, inadequate detection, delayed response, or incomplete disclosure may signal broader governance and control failures.

5. CROSS-BORDER DATA TRANSFERS INTRODUCE STRUCTURAL CONSTRAINTS

International data flows can present significant legal barriers in cross-border transactions. The EU General Data Protection Regulation and similar laws in other jurisdictions restrict transfers of personal data to countries that lack adequate protection unless specific safeguards are in place.

Common transfer mechanisms include the following:

• Standard contractual clauses and related risk assessments
• Participation in approved data transfer frameworks
• Binding corporate rules for intra-group transfers
• Limited reliance on consent or necessity-based exceptions

Restrictions may also arise in other jurisdictions, including China, where outbound transfers can be subject to regulatory approval or limitations.
These considerations affect both pre-closing diligence, where data may need to be shared across borders, and post-closing integration, where data consolidation is often a key objective.

IMPLEMENTING PRIVACY AND SECURITY IN M&A TRANSACTIONS

Translating these legal requirements into deal execution requires coordination across diligence, contractual protections, and post-closing planning.

Diligence: Prioritizing Risk-Based Review

Buyers typically begin with a risk-based assessment, focusing on the following:

• Whether the target operates in regulated sectors or handles sensitive data
• The adequacy of privacy policies and contractual commitments
• The maturity of security controls and governance frameworks
• The history and handling of data breaches
• The presence of cross-border data flows and transfer mechanisms

This assessment informs the scope of deeper diligence and helps identify issues that may require remediation or negotiation.

Representations and Warranties: Allocating Risk

Transaction documents increasingly include dedicated privacy and cybersecurity representations addressing the following:

• Compliance with applicable privacy and data protection laws
• Absence of undisclosed data breaches or security incidents
• Lack of pending claims or investigations related to data practices
• Implementation of reasonable security measures
• Compliance of the transaction itself with applicable data protection requirements

In certain cases, parties may also negotiate specific indemnities for identified risks or vulnerabilities.

Transition Services and Integration Planning

Post-closing integration often involves ongoing data sharing between buyer and seller, particularly where systems and personnel are not immediately consolidated. Transition services agreements can govern these arrangements, but they must be structured with privacy compliance considerations in mind, including the following:

• Identifying sensitive data sets that will be shared during the transition
• Implementing appropriate data transfer agreements or processing terms
• Applying technical safeguards such as encryption or access controls
• Aligning practices with applicable cross-border transfer requirements

Early planning can reduce the risk of delays or compliance gaps during integration.

KEY TAKEAWAYS FOR DEALMAKERS

Privacy and data security risks are now integral to M&A strategy rather than ancillary considerations. Deal teams should approach these issues with the same rigor applied to other core diligence areas. The following practical points emerge:

• Early issue spotting is critical. Sector-specific laws and data types can quickly elevate risk profiles.
• Privacy policies and public statements can create binding commitments that affect deal structure and integration.
• Security maturity and incident response capabilities often matter more than the mere existence of past breaches.
• Cross-border data restrictions can constrain both diligence and post-closing operations if not addressed upfront.
• Contractual protections should reflect identified risks, but operational planning remains essential to managing exposure.

LOOKING AHEAD

As data continues to underpin business models across industries, regulatory expectations around privacy and cybersecurity are likely to expand. At the same time, enforcement activity at both federal and state levels continues to increase, particularly in the absence of a unified US privacy regime.

For dealmakers, the trajectory is clear. Privacy and data security will remain a central component of transaction risk assessment and execution, requiring closer integration between legal, compliance, and business teams throughout the deal lifecycle.