This quarter, we’re looking at two forces shaping the information governance landscape: a surprisingly calm year in privacy legislation, and the rising need to balance cloud convenience with the very real compliance risks that surface when an outage occurs. Continue reading for a clear breakdown of what these shifts mean and how to respond.
Throughout the update, we’ve included links to relevant legislation and documents where applicable.
From my perspective, 2025 felt like a letdown. While anxiously waiting for signs of life from one of many states pursuing new consumer and data privacy legislation this year, I was unfortunately met with a wave of stalled bills and underwhelming incremental amendments. No state passed a brand-new comprehensive privacy law this year. However, amendments to existing laws and sector-specific regulations introduced changes that records managers must address.
Nine states amended their existing statutes, tightening requirements for sensitive data and expanding the scope of applicability of the regulations, including:
For records managers, this means revisiting retention schedules to add precise geolocation to the “sensitive data” category, ensuring systems flag this data for special handling, implementing workflows to capture and store explicit consent for sensitive data, including geolocation, and maintaining audit trails for compliance verification.
The states continue filling the regulatory void with their own privacy frameworks, each crafted with different jurisdictional scopes, applicability thresholds, consumer rights, and enforcement mechanisms. This patchwork of state requirements is a direct result of Congress’ legislative paralysis, which persists even as calls for federal standards grow larger and louder, with privacy advocates warning that state-by-state regulation creates an unsustainable compliance environment. Despite bipartisan consensus that Americans deserve federal privacy protections, Congress has once again failed to enact comprehensive privacy legislation in 2025.
Cloud reliability has become the backbone of modern business operations. But a single outage can reveal just how fragile that foundation really is. Recent events showed how quickly downtime can ripple across systems, disrupt access, and expose compliance weaknesses. Understanding what happened, and what it means for records managers, is the first step toward building a stronger, more resilient strategy.
On October 20, 2025, Amazon Web Services experienced what could be described as a domino effect in the digital world. That morning, a critical part of AWS’s “phone book,” the Domain Name System (DNS), stopped working properly and left many systems unable to look up the address of the service they wanted to reach. As a result, apps and websites couldn’t locate the servers and systems they needed to continue functioning.
The outage lasted about 15 hours, and during that time, the impact rippled across the United States and many other countries. Several popular apps and services were hit hard by the AWS outage, and the impact was felt across social media, gaming, finance, and everyday utilities. Social platforms like Snapchat and Reddit went dark, leaving users unable to send messages or refresh feeds. Gaming giants, such as Fortnite and Roblox, also went offline, frustrating millions of players who suddenly found themselves locked out. Financial apps like Robinhood, Coinbase, and Venmo were disrupted, causing panic for traders and consumers during peak hours. Even Amazon’s own ecosystem wasn’t spared. Amazon.com, Prime Video, and Alexa all experienced major failures.
But while headlines focused on the most popular apps and platforms, a more serious issue lurked in the background. Companies were being exposed to the risks of cloud-based records management.
The inability to retrieve critical documents during an outage isn’t just inconvenient; it’s a potential nightmare, because regulators don’t pause their demands when the cloud is down. For 15 hours in October, this waking nightmare had companies questioning their overdependence on cloud services.
A failure like the AWS outage can put records managers at significant compliance and operational risk because cloud storage systems are often the backbone of electronic records programs. This creates two major problems.
First, many U.S. regulations require that records be readily accessible and promptly produced upon request. Some examples include:
17 C.F.R. § 1.31 (Title 17—Commodity and Securities Exchanges)
(b)(4) … A records entity shall keep electronic regulatory records readily accessible for the duration of the required record keeping period.
10 C.F.R. § 745.115 (Title 10—Energy)
(b) The institution or IRB may maintain the records in printed form, or electronically. All records shall be accessible for inspection and copying by authorized representatives of the Federal department or agency at reasonable times and in a reasonable manner.
21 C.F.R. § 1.360(h) (Title 21—Food and Drugs)
(h) The maintenance of electronic records is acceptable. Electronic records are considered to be onsite if they are accessible from an onsite location.
If your cloud provider is offline, you cannot meet those obligations, even if the records are technically “retained.”
Second, outages often cascade beyond storage to authentication and indexing services. That means even if the data is intact, you might not be able to search, retrieve, or export it in a “reasonably usable” form, which is a legal requirement under rules like Federal Rule of Civil Procedure 34(a)(1)(A):
(a) A party may serve on any other party a request within the scope of Rule 26(b):
(1) to produce and permit the requesting party or its representative to inspect, copy, test, or sample the following items in the responding party’s possession, custody, or control:
(A) any designated documents or electronically stored information—including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations—stored in any medium from which information can be obtained either directly or, if necessary, after translation by the responding party into a reasonably usable form;
The AWS outage revealed how relying solely on cloud-based storage can increase the risk of losing access to essential compliance records.
Cloud storage offers convenience, scalability, and instant access to operational documents. For most organizations, it appears to be a perfect solution… until the cloud goes dark. The recent AWS outage was a stark reminder that even the most reliable providers can fail. Regulators are not empowered with the discretion to accept “our cloud was down” as an excuse, so it’s important to have redundancy or offline contingency plans in place.
First of all, relying on one cloud region or provider is like putting all your valuables in a single vault with one key; you’re completely locked out if that key breaks. Instead, you should build redundancy into the plan with multi-region storage from your cloud provider to ensure that if one data center fails, another can step in. For critical compliance records, consider maintaining an offline or secondary copy in a neutral format that regulators can accept even if the primary system is inaccessible.
Next, plan for production under pressure. Regulators want records, and they want them in a usable format complete with metadata. Therefore, it’s essential to have export procedures that function during outages. Documented instructions and the tools to execute them should be kept outside the main cloud environment so they remain accessible if the system goes down. A clear, documented, and practiced plan will save time and frustration and reduce the risk of compliance failure.
Finally, practice makes perfect. Conduct exercises simulating a cloud outage during a regulatory request. Walk through activating failover systems, exporting records, and logging actions. These drills reveal gaps and build confidence across compliance, IT, and legal teams.
Cloud outages are inevitable, but they don’t need to become a compliance disaster. With thoughtful preparation, you can keep business moving and regulators satisfied, even when the cloud goes silent.