Right To Know - April 2026, Vol. 40
Cyber, Privacy, and Technology Report
Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.
Litigation & Enforcement:
- Senator Scott Sues Over Leaked Tax Returns: In a lawsuit filed in Federal Court in Florida, Senator Rick Scott of Florida sued Booz Allen Hamilton and one of its employees over alleged “unlawful access, theft and public dissemination of confidential tax information,” both his and “more than four hundred thousand” others. Senator Scott claims that the employee used his credentials at Booz Allen to steal hundreds of thousands of tax records and disclose them, including to media outlets. The complaint alleges claims of negligence, vicarious liability, and invasion of privacy against Booz Allen, and invasion of privacy and intentional infliction of emotional distress against the employee.
- Russian Manager of Ransomware Botnet Sentenced: The Department of Justice announced that Ilya Angelov was sentenced to twenty-four months in prison, a $100,000 fine, and a money judgment of $1.6 million. The United States claimed that Angelov co-managed a Russian cybercriminal group that used a botnet to deploy malware and sell access to compromised computers. According to the FBI, over 70 U.S. businesses were impacted by the group’s actions, resulting in over $14 million in ransom payments.
- Meta and YouTube Found Liable for Creating Products That Are Harmful and Addictive for Children: On Mar. 25th, a jury in California Superior Court awarded $3 million in compensatory damages and $3 million in punitive damages to the lead Plaintiff in the case. The allegations centered around the claim that the lead Plaintiff’s use of Instagram and YouTube at a young age contributed to her mental health issues, including suicidal ideations, body dysmorphia and depression.
- DOJ and International Partners Seize LeakBase Cybercrime Forum: The U.S. Department of Justice announced the seizure of LeakBase, described as one of the world’s largest online forums for buying and selling stolen data and cybercrime tools. According to the unsealed affidavit, LeakBase had more than 142,000 members, over 215,000 messages, and hosted a large archive of hacked databases containing account credentials, banking information, usernames, passwords, and other sensitive personal and business data. On Mar. 3rd and 4th, law enforcement agencies in 14 countries carried out coordinated actions hosted by Europol in The Hague, shutting down the forum, seizing its data and domains, posting seizure notices, contacting members, and gathering additional evidence. Authorities also executed search warrants, made arrests, and conducted interviews in multiple countries. DOJ officials framed the operation as a major international disruption of infrastructure used to profit from stolen information and facilitate further cybercrime.
- Meta Ordered to Pay $375M Over Children’s Online Safety Claim: A New Mexico jury found Meta liable for misleading consumers about the safety of its platforms and endangering children, in violation of the New Mexico Unfair Practices Act. The State alleged that Meta misrepresented the safety of Facebook, Instagram, and WhatsApp while enabling child sexual exploitation. The jury awarded the State $5,000 per violation, for a total of $375 million in civil penalties. The verdict follows more than two years of litigation by the New Mexico Department of Justice focused on alleged deceptive practices and harmful platform design impacting minors. The State’s remaining public nuisance claim will proceed to bench trial on May 4, where it will seek additional damages and injunctive relief, including requirements to enact age verification, remove predators from the platform, and protect minors from encrypted communications that shield bad actors.
- Yonder Media Mobile Inc. To Pay $60K For Breaking FCC International Carrier Rules: The Federal Communications Commission’s Enforcement Bureau has entered into a settlement with Yonder Media Mobile Inc. The settlement resolves an investigation into whether the company violated federal telecommunications law by providing international communications services without the required FCC authorization. Under Section 214 of the Communications Act and related rules, carriers must obtain prior approval before offering international telecom services, and the FCC found sufficient basis to investigate potential noncompliance. The company entered into a consent decree agreeing to implement a detailed compliance plan, including appointing a compliance officer, training employees, and establishing internal procedures to ensure adherence to FCC regulations. Additionally, Yonder Media Mobile agreed to make a $60,000 voluntary payment to the U.S. Treasury, and in exchange, the FCC terminated its investigation without further penalties or questioning the company’s qualifications to hold licenses.
Industry Updates:
- FBI, CISA Warn of Russian Phishing Campaigns Targeting Signal and Other Messaging Apps: The FBI and CISA issued a joint alert warning that Russian Intelligence Services are carrying out phishing campaigns aimed at compromising accounts on commercial messaging apps such as Signal. While the apps’ encryption remains intact, attackers are successfully gaining access to individual user accounts—particularly those belonging to high value targets like government officials, military personnel, political figures, and journalists. Once inside an account, the threat actors can read messages, access contacts, and launch additional phishing attempts, resulting in global unauthorized access to thousands of accounts. The campaign relies heavily on social engineering: attackers impersonate official support teams, urging users to click malicious links or share verification codes, enabling device linking or full account takeover. The alert stresses that even strong encryption can be rendered useless if a user is tricked into granting access. Users are urged to pause when something feels suspicious, avoid sharing PINs or two-factor authentication codes, scrutinize links, monitor group chats for imposters, and stay familiar with their app’s security tools.
- Deepfake Vishing and AI-Driven Social Engineering on the Rise: Security researchers and threat intelligence firms are reporting a sharp acceleration in the use of deepfake audio and video in social engineering attacks. Attackers are using AI-generated voice clones to impersonate executives and IT staff in live phone calls, bypassing the verbal confirmation checks organizations have historically relied upon. Cloudflare’s inaugural 2026 Threat Report observed that threat actors are moving away from brute-force technical intrusions toward high-trust exploitation, where compromised identities and convincing impersonation achieve the same result with far less effort. CrowdStrike has similarly noted that approximately 75 percent of intrusions in recent investigations involved compromised credentials or valid accounts rather than software vulnerabilities.
- FBI Warns of Privacy Risks Posed by Chinese Applications: In a PSA posted to its IC3 complaint center, the FBI warned of the privacy and cybersecurity risks posed by applications developed in China. The FBI pointed out that several of the most downloaded and top grossing applications were developed and maintained from foreign countries, including China. The FBI goes on to point out that under Chinese national security law, China is able to access this application data without serious impediment.
- North Korean Threat Actors Suspected in Supply Chain Attack Affecting Axios: CNN reported that a threat actor group connected with North Korea has been identified as potentially behind a supply chain attack targeting open source software known as Axios. Axios is used by companies in many industries to build and manage websites. The threat actors gained access to a software developer account, which they were able to leverage to send malicious updates to organizations that downloaded the software during the period of compromise, which is suspected to have lasted only three hours. The malicious code could allow the unauthorized exfiltration of data and account credentials and facilitate the spread of the attack. Cybersecurity experts anticipate that it will take months for potentially impacted organizations to assess the full impact of the attack.
Regulatory:
- White House Offers AI Regulatory Framework for Congressional Action: The White House issued a National Policy Framework for Artificial Intelligence: Legislative Recommendations in an effort to urge Congress to preempt various state AI regulations that are in the works. The framework outlines a federal strategy urging Congress to establish a unified national approach to AI governance. It emphasizes promoting innovation and U.S. global competitiveness while adopting a relatively “light-touch” regulatory model that relies on existing laws and avoids creating new centralized AI agencies. The framework highlights key policy areas including child safety, intellectual property, free speech, workforce development, and the economic and energy impacts of AI systems. It also recommends that Congress defer many unresolved legal questions—such as copyright disputes—to the courts rather than legislating them directly. Overall, the document serves as a non-binding roadmap intended to guide future legislation, balancing technological advancement with targeted protections for consumers and society.
- White House Releases National Cyber Strategy and Signs Executive Order on Cybercrime: On Mar. 6th, President Trump released President Trump’s Cyber Strategy for America, a seven-page policy framework, and simultaneously signed Executive Order 14390, Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens. The Strategy is organized around six pillars: shaping adversary behavior through offensive and defensive operations; securing critical infrastructure; modernizing federal networks using AI-powered tools; promoting common-sense regulation; protecting American technology; and building a resilient cyber workforce. The Strategy signals a notable departure from the prior administration’s approach of imposing mandatory compliance requirements on critical infrastructure and shifting liability onto software developers; the Trump approach favors streamlined regulation and greater private sector partnership. The Executive Order directs a 60-day interagency review and 120-day action plan to identify transnational criminal organizations responsible for cyber-enabled fraud, ransomware, scam centers, and sextortion schemes. It establishes a dedicated coordination cell within the National Coordination Center, directs the Attorney General to prioritize prosecutions of cyber-enabled fraud, and requires a recommendation within 90 days for a Victims Restoration Program to return seized funds to crime victims. Critical infrastructure sectors should expect greater regulatory scrutiny of technology supply chains and expanded engagement from federal agencies in the event of cybersecurity incidents.
- HHS OCR Announces HIPAA Settlement with MMG Fusion, LLC Following Breach Affecting Approximately 15 Million Individuals: On Mar. 5th, HHS’s Office for Civil Rights announced a settlement with MMG Fusion, LLC concerning potential violations of the HIPAA Privacy, Security, and Breach Notification Rules. OCR’s investigation stemmed from a December 2020 incident in which an unauthorized actor accessed MMG’s information system and obtained PHI, including contact information, dates of birth, and appointment information, affecting approximately 15 million individuals, and that information was made available on the Dark Web. OCR found potential failures relating to risk analysis, breach notification to covered entities, and impermissible disclosure of PHI. Under the resolution agreement, MMG agreed to pay $10,000 and comply with a three-year corrective action plan that includes risk analysis, risk management, policy development, workforce training, and a breach risk assessment.
- FTC Issues COPPA Policy Statement Encouraging Adoption of Age-Verification Technologies: On Feb. 25th, the Federal Trade Commission issued an enforcement policy statement describing how companies whose services are directed to children, but that do not target children as their primary audience, can use age-verification mechanisms “without subjecting themselves to the risk of enforcement” under the Children’s Online Privacy Protection Act (“COPPA”). The policy notes that technology has advanced to the point where there are more reliable methods to determine a user’s age than having the user self-report it. To support wider adoption of these technologies, the policy statement indicates that the FTC will not bring a COPPA enforcement action against a company that collects, uses, or discloses a child’s personal information for the single purpose of determining the user’s age without COPPA-compliant parental consent, subject to some qualifiers and limitations.
- FCC Bans New Foreign-Made Routers for Consumer Use: On Mar. 26th, the Federal Communications Commission (FCC) banned new foreign-made routers for sale for consumer use. “Routers are the boxes in every home that connect computers, phones, and smart devices to the internet.” The ban was implemented by updating the FCC’s Covered List to include all consumer-grade routers produced in foreign countries. The List includes communications equipment and services that are deemed to pose an unacceptable risk to the national security of the U.S. or the security and safety of U.S. persons. An interagency body convened by the White House made the determination that the routers pose such a risk. The ban is on the sale of new routers that have not been granted “conditional approval” by the Department of Defense or Department of Homeland Security; it does not prohibit use of routers that have already been sold.
International Updates:
- CJEU Clarifies Limits on GDPR Access Requests and Damages in Brillen Rottler Ruling: The Court of Justice of the European Union’s March 2026 ruling in Brillen Rottler (C-526/24) clarifies key limits on GDPR access rights and damages. The Court held that even a first access request can be deemed “excessive,” but only in narrow cases where a company proves the request was made for abusive purposes—such as trying to manufacture a compensation claim. At the same time, the Court confirmed that individuals may seek damages for violations of the right of access, even without direct data processing harm. However, compensation requires proof of real damage and causation. Claims will fail where the individual’s own conduct—like deliberately creating the situation—caused the harm. Overall, the ruling balances strong data rights with safeguards against misuse.
State Actions:
- Oklahoma Enacts Sweeping Data Privacy Law Giving Residents Control Over Personal Information: Oklahoma has taken a major step toward stronger digital privacy with the enactment of Senate Bill 546, a comprehensive new law giving residents greater control over their personal data. The legislation grants Oklahomans the right to access, correct, delete, and obtain copies of their information, as well as opt out of data sales and targeted advertising. It also sets requirements for businesses handling large volumes of consumer data, including transparency, security practices, and consent for sensitive information. Enforcement will fall to the state attorney general, with certain exemptions for regulated entities. The new protections are set to take effect on Jan. 1st, 2027.
- Ford Hit with $375K Penalty for Violating CCPA Opt‑Out Rules: On Mar. 5th, the California Privacy Protection Agency (CalPrivacy) fined Ford Motor Company (Ford) $375,703 for violating the CCPA by adding “unnecessary friction” to its opt‑out process for the sale or sharing of personal information. Ford required consumers to complete an email‑verification step, and if the step was not completed, Ford treated the opt‑out request as expired. CalPrivacy found that requiring consumers to verify email access effectively forced them to submit a verifiable consumer request—an impermissible requirement for exercising the right to opt out. Each time Ford imposed this step, it violated section 7026(d) of the CCPA regulations. The agency also determined that Ford failed to timely process dozens of opt‑out requests, resulting in continued selling or sharing of personal information in violation of Civil Code § 1798.120(d). In addition to the monetary penalty, Ford must revise its opt‑out procedures to comply with the CCPA by: providing simple, low‑friction methods for consumers to opt out of sale or sharing; eliminating any requirement that consumers submit verifiable consumer requests to opt out; and honoring opt‑out requests within the timeframes mandated by the CCPA. CalPrivacy emphasized that businesses must make opting out as easy as possible, comparing unnecessary friction to adding excessive steps to an online checkout process. The action reflects California’s continued aggressive enforcement of privacy rights, particularly in the connected‑vehicle sector.
- Governor Newsom of California Issues Executive Order Establishing New AI Guardrails: California Governor Gavin Newsom has issued Executive Order N-5-26 establishing new requirements for firms seeking contracts with the State of California that use or provide AI. State contractors will now be required to provide safeguards against the misuse of AI, including the generation of illegal content, harmful bias, and violations of civil rights. The EO also requires the Department of General Services and the Department of Technology to provide recommendations for new AI certifications that can be included in state contracting processes, reforms to contractor responsibilities, processes for watermarking any AI-generated images, and reforms to suspension and ineligibility authorities for state contractors.
- Colorado Working Group Reaches Agreement on AI Act Amendments: After the legislative special session called by Colorado Governor Jared Polis last August failed to reach agreement on changes to the controversial CO AI Act, Gov. Polis created a working group to come up with a solution. That group, comprised of industry and privacy experts, worked behind the scenes to hammer out solutions to disagreements about the law and to come up with revisions to the CO AI Act that were more palatable to both business and consumer-rights interests. Gov. Polis announced on Mar. 17th that the group had unanimously agreed on a framework for changes to the AI Act that were less onerous and more acceptable to business while still protecting consumers. The proposal must still be adopted by the legislature and signed into law, but it appears to have the support necessary to be enacted.
- South Dakota Enacts Genetic Data Privacy Act: On Mar. 23rd, South Dakota enacted Senate Bill 49, effective Jul. 1st, 2026, applying to companies that offer direct-to-consumer genetic testing or analyze genetic data derived from those services. The Act requires covered entities to publish a privacy policy addressing the collection, use, disclosure, retention, and security of genetic data, and to obtain “express consent” (an affirmative written response) for specified activities, including initial data use disclosures, third-party transfers, secondary uses, retention of biological samples, and certain marketing initiatives. It also requires companies to honor consent revocations and destroy biological samples within 30 days, and grants residents the right to access or delete their genetic data, delete accounts, and request destruction of samples. The Attorney General may seek civil penalties of up to $5,000 per violation, and the Act excludes certain categories, including protected health information collected by HIPAA covered entities, biological samples collected for diagnosis or treatment, higher education institutions, law enforcement forensic labs, and entities conducting certain research activities.
- Connecticut AG Issues Memorandum on AI Compliance Obligations under CTDPA: On Feb. 25th, the Connecticut Attorney General issued a memorandum addressing the application of existing Connecticut law to the use of artificial intelligence (“AI”). The memorandum is broken into three main sections addressing the primary Connecticut statutes available to the AG in enforcing state laws governing AI: (1) civil rights laws; (2) ; and (3) consumer protection laws. Particularly as it pertains to the Connecticut Data Privacy Act, the memorandum points to the responsibilities imposed on companies and the privacy protections afforded consumers, particularly minors.
- Court Rules That BIPA Amendment Applies Retroactively: The U.S. Court of Appeals for the Seventh Circuit ruled that recent changes to Illinois’ Biometric Information Privacy Act (BIPA) damages provisions apply retroactively, significantly reducing potential liability for defendants in ongoing and future cases. Previously, plaintiffs argued that each individual biometric scan could count as a separate violation—leading to potentially massive, cumulative damages. However, the amended law clarifies that damages should be assessed per person rather than per scan, and the Seventh Circuit held that this amendment applies retroactively, rather than just to conduct and cases brought after the amendment. As a result, companies facing BIPA lawsuits may see their financial exposure substantially limited, since claims that once could have resulted in exponentially large penalties (due to a per scan calculation) are now capped on a per-individual basis.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.