Insights

Client Alerts 426 results

Client Alert | 3 min read | 05.14.26

CISA’s “CI Fortify” Initiative Signals New Expectations for Critical Infrastructure Resilience: What Operators and Vendors Need to Know

On May 5, 2026, CISA announced CI Fortify — an initiative directing critical infrastructure owners and operators to prepare for geopolitical conflict in which OT networks are actively targeted while communications infrastructure is simultaneously degraded.
...

Client Alert | 7 min read | 05.06.26

Artificial Intelligence and Human Resources in the EU - Part 2: AI Literacy - Employer AI Literacy Obligations under the EU AI Act

The EU AI Act defines ‘AI literacy’ as the skills, knowledge and understanding to enable the informed use and operation of AI systems and increase awareness of the opportunities, risks and possible harm that AI systems may present — with the ultimate purpose being to ensure that staff (and other relevant individuals) are able to take informed decisions in relation to AI, such as how to interpret AI output and decision-making processes and their impact on natural persons.
...

Client Alert | 4 min read | 05.06.26

Genetic Data and Artificial Intelligence Training Following Acquisitions: Emerging Litigation Risk and a Rapidly Expanding State Regulatory Landscape

Several recent class actions filed against Tempus AI, Inc., a health care technology company that combines AI with molecular and clinical data to develop precision medicine services, are the latest in a series of cases illustrating a fast-growing legal risk: the repurposing of genetic and clinical data — collected for diagnostic or treatment purposes — for artificial intelligence (AI) model training, analytics, and downstream commercialization following corporate acquisitions. At the same time, state genetic privacy regulation is expanding rapidly, with Utah and South Dakota being the most recent states to enact new statutes, and legislation advancing in several additional states. Organizations holding genetic datasets need to treat data governance as a core enterprise risk issue, not a downstream compliance matter.
...

Client Alert | 6 min read | 05.04.26

Japan’s Sovereign Cloud Commitment at the U.S.-Japan Summit: Defense Interoperability, Not Just Digital Policy

On March 19, 2026, President Donald Trump and Japanese Prime Minister Sanae Takaichi met at the White House and announced a series of initiatives to strengthen the U.S.-Japan alliance. Among the defense cooperation announcements, the White House fact sheet noted that “[t]he United States welcomed Japan’s commitment to develop a secure and sovereign cloud platform for government data to enhance bilateral information sharing, planning, and coordination.”[1] While it is a single sentence in a wide-ranging Summit document, the commitment represents a step in the growing architecture of allied sovereign cloud infrastructure. If this is operationalized, it will have important implications for defense, intelligence, and cloud services markets. This announcement follows the October 2025 Trump-Takaichi Summit in Tokyo, where the two governments agreed to launch a bilateral working group to deepen mutual understanding on cloud security technical standards and requirements—explicitly including U.S. experience with secure and sovereign cloud development—and to invite Japanese and American firms to participate.[2]
...

Client Alert | 8 min read | 05.01.26

Pre-Approved: ICO Publishes Guidance on “Recognised Legitimate Interests”

In March 2026, the UK Information Commissioner (ICO) published guidance on the new lawful basis for processing personal data introduced by the Data (Use and Access) Act 2025 (DUAA): the recognised legitimate interest (RLI) lawful basis. Controllers may now rely upon one of five pre-approved conditions, each focused on specific public-interest justifications, for personal data processing.
...

Client Alert | 5 min read | 04.27.26

Drift Protocol Exploit: Why “Social Trust” Is the Newest Cybersecurity Gap

The recent $285 million theft from Drift Protocol serves as a high-stakes reminder that the human element remains one of the biggest cybersecurity gaps in any organization. This was not a “hack” in the traditional sense of breaking through a digital wallet. North Korean actors used sophisticated social engineering to exploit human trust, turning what looks like a “hacking” risk into valuable lessons learned for cybersecurity oversight.
...

Client Alert | 3 min read | 04.23.26

Crowell Tracker of Court Rulings on Legal Privilege and Artificial Intelligence Tools

As companies and individuals increasingly embed AI tools in legal practice, courts are grappling with how to treat communications with, and information generated by, these tools. Chief among these questions is whether and in what circumstances attorney-client privilege and work-product protections as they are applied in different jurisdictions extend to AI-generated content or communications with an AI tool.
...

Client Alert | 2 min read | 04.23.26

Two Lawsuits in One: The Growing Risk of Pairing Biometric Tech With Wage-and-Hour Violations

On April 16, 2026, a putative class and collective action complaint was filed in the U.S. District Court for the Northern District of Illinois, alleging that a property management company violated Illinois’ biometric privacy law through the use of its biometric timekeeping software. The complaint, which begins with the statement that “[t]his is a wage theft and privacy case,” emphasizes the legal risks that may arise when employers deploy biometric timekeeping technology without adequate compliance measures, particularly in Illinois, one of the most employee-protective states for biometric privacy claims.
...

Client Alert | 4 min read | 04.15.26

In Massachusetts, Section 230 Does Not Immunize Meta From Claims That Instagram’s Design Features Injure Children

Meta continues to face lawsuits around the country alleging that its platforms are designed to induce compulsive use by children. In March 2026, a California jury delivered a landmark verdict that Meta and YouTube were liable for allegedly addictive platform features that resulted in a child’s mental health distress.  
...

Client Alert | 2 min read | 04.10.26

Federal Agencies Warn of Iranian-Affiliated Cyber Actors Exploiting Internet-Facing Operational Technology Devices

On April 7, 2026, six federal agencies (FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command – Cyber National Mission Force) published a joint advisory warning that Iranian-affiliated threat actors are targeting internet-facing OT devices, particularly PLCs. In some cases, the threat actors have caused operational disruptions and financial losses at U.S. critical infrastructure organizations by manipulating software files that contain configuration settings as well as showing false data on hardware and software dashboards and displays.
...

Client Alert | 5 min read | 04.09.26

U.S. State Privacy Enforcement: Key Priorities and Practical Guidance From State Regulators

At the International Association of Privacy Professionals’ (IAPP) annual conference March 30-31, 2026, enforcement officials from California, Connecticut, Indiana, and Delaware shared their current and upcoming enforcement priorities under U.S. state consumer privacy laws. This alert summarizes the key themes from the panel and offers practical guidance for companies navigating the evolving enforcement landscape.
...

Client Alert | 3 min read | 04.08.26

Northern District of California Court Holds State Tort and Contract Claims Not Preempted by Federal Copyright Act, Remands Reddit v. Anthropic to State Court

Last month, in a ruling that may carry significant implications for the artificial intelligence industry, a California federal court held that state tort and contract claims related to the training of AI models were not preempted by federal law and could proceed in state court. Because many AI models were trained in a similar fashion — by scraping data from online posts and repositories — the decision suggests other plaintiffs may bring such claims in state courts, in addition to federal claims of copyright infringement.
...

Client Alert | 7 min read | 04.02.26

Reducing Your Exposure: Liability Limitations for Cybersecurity-Compliant Organizations

Organizations facing cyber incidents increasingly encounter follow-on civil litigation alleging failures to implement reasonable security measures. In response, a growing number of states — the most recent being Oklahoma this year — have enacted safe harbor laws designed to both protect consumers and reward organizations that take a proactive, documented, and structured approach to cyber threats.
...

Client Alert | 4 min read | 03.30.26

Landmark Verdicts Against Meta and YouTube Signal New Era of Social Media Platform Liability

In two recent pathbreaking judgments, juries in California and New Mexico held social media companies civilly liable for harming minors who used their products.
...

Client Alert | 11 min read | 03.25.26

White House National AI Policy Framework Calls for Preempting State Laws, Protecting Children

In its latest attempt to establish a national AI regulatory standard and quash “cumbersome” state AI laws, the White House on Friday, March 20, 2026, released legislative recommendations for a National Policy Framework on Artificial Intelligence. 
...

Client Alert | 7 min read | 03.23.26

UK Court Rules Duty to Safeguard Personal Data Extends to Hacked Pseudonymised Data in DSG Retail Ltd v The Information Commissioner

In a significant ruling on the application of data protection law in the United Kingdom, on 19 February 2026, the UK’s Court of Appeal (CA) ruled in favour of the UK Information Commissioner (ICO) in its appeal against the decision of the Upper Tribunal (UT) in the case of DSG Retail Ltd v The Information Commissioner [2026] EWCA Civ 140. This ruling clarifies the scope of data controllers’ security obligations with pseudonymised personal data and confirms that a controller’s duty to safeguard personal data is not diminished merely because a cyber attacker who exfiltrates that data would be unable to re-identify the individuals concerned.
...

Client Alert | 5 min read | 03.11.26

Senate Advances Bipartisan Health Care Cybersecurity Reform

On February 26, 2026, the Senate Health, Education, Labor, and Pensions (HELP) Committee voted 22-1 to advance the Health Care Cybersecurity and Resiliency Act of 2026. Sponsored by a bipartisan group — led by HELP Committee Chair Senator Bill Cassidy (R-LA); and Senators Mark Warner (D-VA), Maggie Hassan (D-NH), and John Cornyn (R-TX) — the bill represents perhaps the most significant federal legislative effort to overhaul health care cybersecurity since the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, and would compel health care companies to make major investments in cybersecurity.
...

Client Alert | 6 min read | 03.11.26

White House’s New Cyber Strategy and Executive Order Seek to Deter Adversaries and Strengthen Resilience

On March 6, 2026, the White House released its National Cyber Strategy (Strategy) and issued an accompanying Executive Order, “Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens” (EO). These documents outline the administration’s priorities for combating cybercrime and call for coordination across the federal government and the private sector to invest in new technologies, continue innovation, and prioritize the United States’ cyber capabilities. Key sectors of concern include energy, financial services, telecommunications, data centers, water, and health care. The Strategy and EO encourage increased public-private coordination, signal greater latitude for private sector offensive cyber operations, prioritize securing critical infrastructure, elevate cybercrime as a national security priority, outline a path for victim compensation, and promote streamlining cyber regulations.
...

Client Alert | 4 min read | 02.18.26

Federal Court Rules Some AI Chats Are Not Protected by Legal Privilege: What It Means For You

AI tools have significantly transformed how companies operate, but they come with serious legal risks that are only now taking shape. A recent ruling by a federal judge in the U.S. District Court for the Southern District of New York highlights one such risk: certain inputs and outputs from commercial AI models may not be considered privileged attorney-client communications or protected by the work-product doctrine.
...

Client Alert | 2 min read | 01.29.26

California AG Launches “Surveillance Pricing” Investigation – Action Required

California Attorney General Rob Bonta announced an unprecedented investigative sweep into “surveillance pricing” practices by grocers, hotels, and retailers, marking the first state-level inquiry targeting personalized pricing under data privacy laws.
...