Insights

In two recent pathbreaking judgments, juries in California and New Mexico held social media companies civilly liable for harming minors who used their products.

In its latest attempt to establish a national AI regulatory standard and quash “cumbersome” state AI laws, the White House on Friday, March 20, 2026, released legislative recommendations for a National Policy Framework on Artificial Intelligence. 

In a significant ruling on the application of data protection law in the United Kingdom, on 19 February 2026, the UK’s Court of Appeal (CA) ruled in favour of the UK Information Commissioner (ICO) in its appeal against the decision of the Upper Tribunal (UT) in the case of DSG Retail Ltd v The Information Commissioner [2026] EWCA Civ 140. This ruling clarifies the scope of data controllers’ security obligations with pseudonymised personal data and confirms that a controller’s duty to safeguard personal data is not diminished merely because a cyber attacker who exfiltrates that data would be unable to re-identify the individuals concerned.

On February 26, 2026, the Senate Health, Education, Labor, and Pensions (HELP) Committee voted 22-1 to advance the Health Care Cybersecurity and Resiliency Act of 2026. Sponsored by a bipartisan group — led by HELP Committee Chair Senator Bill Cassidy (R-LA); and Senators Mark Warner (D-VA), Maggie Hassan (D-NH), and John Cornyn (R-TX) — the bill represents perhaps the most significant federal legislative effort to overhaul health care cybersecurity since the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, and would compel health care companies to make major investments in cybersecurity.

On March 6, 2026, the White House released its National Cyber Strategy (Strategy) and issued an accompanying Executive Order, “Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens” (EO). These documents outline the administration’s priorities for combating cybercrime and call for coordination across the federal government and the private sector to invest in new technologies, continue innovation, and prioritize the United States’ cyber capabilities. Key sectors of concern include energy, financial services, telecommunications, data centers, water, and health care. The Strategy and EO encourage increased public-private coordination, signal greater latitude for private sector offensive cyber operations, prioritize securing critical infrastructure, elevate cybercrime as a national security priority, outline a path for victim compensation, and promote streamlining cyber regulations.

AI tools have significantly transformed how companies operate, but they come with serious legal risks that are only now taking shape. A recent ruling by a federal judge in the U.S. District Court for the Southern District of New York highlights one such risk: certain inputs and outputs from commercial AI models may not be considered privileged attorney-client communications or protected by the work-product doctrine.

California Attorney General Rob Bonta announced an unprecedented investigative sweep into “surveillance pricing” practices by grocers, hotels, and retailers, marking the first state-level inquiry targeting personalized pricing under data privacy laws.

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide initiative established to standardize the security assessment, authorization, and continuous monitoring of cloud products and services used by federal agencies. FedRAMP’s primary objective is to ensure that cloud service providers (CSPs) implement robust security controls to protect federal information in cloud environments. By leveraging a consistent framework for security assessment and authorization, FedRAMP is intended to reduce duplication of effort, cost, and time for both agencies and vendors.

The National Institute of Standards and Technology (“NIST”) recently released draft guidelines for applying NIST’s Cybersecurity Framework to organizations adopting artificial intelligence. NIST requests public comments on its “Initial Preliminary Draft” Cybersecurity Framework Profile for Artificial Intelligence (the “Cyber AI Profile”) by midnight on January 30, 2026. 

The California Privacy Protection Agency (“CPPA”) is intensifying its oversight of data brokers with a new dedicated Data Broker Enforcement Strike Force within its Enforcement Division. The strike force will monitor and investigate data brokers’ compliance with their legal obligations under California’s Delete Act and the California Consumer Privacy Act (“CCPA”).

On December 4, 2025, an advisory committee of the U.S. Securities and Exchange Commission (SEC or Commission) voted to advance a recommendation that the agency issue guidance requiring issuers to disclose information about the impact of artificial intelligence (AI) on their companies.

In July 2025, President Trump signed Executive Order (EO) 14319, Preventing Woke AI in the Federal Government, to preclude the federal government from procuring artificial intelligence (AI) models that incorporate “ideological biases or social agendas,” including “diversity, equity, and inclusion.” The EO mandates that the federal government purchase only large language models (LLMs) developed according to two “Unbiased AI Principles” — that they be “truth-seeking” and show “ideological neutrality.” To implement these principles, the EO directed the Office of Management and Budget (OMB) to issue guidance.

On December 11, 2025, President Trump signed a much-anticipated Executive Order that seeks to forestall state regulation of artificial intelligence (AI) by threatening federal lawsuits and the withholding of some federal funds and calls for a national policy framework on AI. The Executive Order, Ensuring a National Policy Framework for Artificial Intelligence (EO), declares it the policy of the administration “to sustain and enhance the United States’ global AI dominance through a minimally burdensome national policy framework for AI.”

Major changes have been proposed to EU AI, data and wider digital laws. On 19th November 2025, the European Union Commission issued its much anticipated Digital Omnibus Regulation Proposal, (the “Digital Omnibus”) and also its Digital Omnibus on AI Regulation Proposal, (the “AI Omnibus”). The mooted changes potentially impact the “Brussels effect” seen post GDPR and add potential complexities to the compliance efforts of businesses.

President Trump is preparing to sign an Executive Order that would seek to forestall state regulation of artificial intelligence (AI) by threatening federal lawsuits and the withholding of some federal funds. The draft, unsigned six-page Executive Order, “Eliminating State Law Obstruction of National AI Policy” (EO), the text of which has been circulating publicly since November 19, would declare it the policy of the Administration “to sustain and enhance America’s global AI dominance through a minimally burdensome, uniform national policy framework for AI.”

On November 14, 2025, the U.S. Department of Justice (DOJ) announced a sweeping series of enforcement actions, including four guilty pleas and more than $15 million in civil forfeitures against the  Democratic People’s Republic of Korea (DPRK or North Korea) for remote information technology (IT) worker schemes. These actions underscore the federal government’s escalating focus on the exposure of U.S. companies to North Korean IT worker infiltration, following a series of U.S. Government action against the DPRK.

On 12 November, the highly anticipated Cyber Security and Resilience (Network and Information Systems) Bill (“Bill”) was introduced to Parliament, representing a significant expansion and modernisation of the UK’s cyber security rules. Building on the foundation set by the Network & Information Systems Regulations 2018 (“NIS”), the Bill aims to enhance national security and safeguard essential services. The Department for Science, Innovation and Technology (“DSIT”) has published a policy paper detailing the Bill’s objectives.

In a stunning revelation following last month’s jewel heist at the Louvre Museum in Paris, France, a 2014 audit resurfaced, spreading rumors that the password to the museum’s video surveillance system was still “Louvre.”

In the first few years following the public launch of generative artificial intelligence (AI) in the autumn of 2022, litigation related to AI focused primarily on claims of copyright infringement. Suits revolved around allegations that the data on which AI models train, and/or the output they produce, infringe upon the intellectual property rights of others. (While some of these cases have settled or reached preliminary judgments, many remain ongoing.)

The UK’s cyber threat landscape continues to evolve, with the rapid emergence of new technologies introducing novel risks across all sectors and attacks escalating in frequency and sophistication. Regulatory bodies and the UK Government have intensified their focus on cyber security and resilience, as evidenced by the latest National Cyber Security Centre (NCSC) 2025 annual review (Review) and the proposed UK Cyber Security and Resilience Bill (Bill), alongside recent developments in ransomware regulation.