Right To Know - February 2026, Vol. 38
Cyber, Privacy, and Technology Report
Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.
Litigation & Enforcement:
- Supreme Court To Provide Some Clarity On VPPA: The Video Privacy Protection Act prohibits a video tape service provider from disclosing the personal information of any of its consumers. One question that has been lingering in the courts is whether, to be a “consumer,” an individual needs to be a consumer of the audiovisual products of the provider, or whether being a consumer of any of the provider’s goods and services is sufficient. On Jan. 26th, the Supreme Court granted review in Salazar v. Paramount Global. The case is not expected to be heard until the Court’s next term, which starts in October 2026.
- Seventh Circuit Hears Argument On Clearview.AI BIPA Settlement Objections: On Jan. 28th, the United States Court of Appeals for the Seventh Circuit heard oral argument in an appeal of the settlement approval in the Clearview.AI BIPA privacy class action. The unique settlement provides for a settlement fund to be created if or when certain events — Clearview filing for an initial public offering, or entering into a merger or sale of certain assets — occur. The objectors to the settlement claim, among other things, that the settlement was not fair, reasonable and adequate as required under the applicable Federal Rules of Civil Procedure, and that the class representatives did not adequately represent the class and all subclasses.
- CalPrivacy Penalizes Data Brokers for Failing to Register: The California Privacy Protection Agency Board fined two unregistered data brokers a total of $107,600 for violating the Delete Act, which requires annual registration with the California Data Broker Registry. S&P Global, Inc., a New York–based data and technology company, will pay $62,600 for failing to register due to an administrative error and must implement formal procedures to ensure future registration and compliance audits. Datamasters, a Texas-based targeted advertising data broker, will pay $45,000 and must “stop selling all Californians’ personal information.” These actions reflect California’s broader push to give consumers greater transparency and control over their data, including through the new DROP system, which allows residents to delete their personal information across all registered data brokers with a single request.
- Former Google Software Engineer Convicted of Stealing Information on Artificial Intelligence for the PRC: On Jan. 29th, a former Google engineer was convicted on seven counts of economic espionage and seven counts of theft of trade secrets for his theft of Google trade secrets related to artificial intelligence. While employed at Google, the engineer stole two thousand pages of confidential information and uploaded it to his personal Google Cloud account. The trade secrets related to Google’s custom Tensor Processing Unit chips, Google’s Graphics Processing Unit systems and its SmartNIC. During this time, the former employee was discussing taking lead roles in PRC-based artificial intelligence companies. He also intended to use the stolen documents to benefit PRC-controlled companies.
- Illinois Man Charged in Snapchat Hacking Investigation: A federal grand jury in Massachusetts charged an Illinois man with running a Snapchat hacking scheme in which he allegedly impersonated Snapchat support to trick users into sharing security codes, allowing him to access their accounts. Prosecutors say that between 2020 and 2021 he targeted thousands of users, gained unauthorized access to dozens of accounts primarily belonging to women and downloaded private, often intimate photos and videos, which he then kept, traded, or sold online. The man faces multiple federal charges, including wire fraud, computer fraud, and aggravated identity theft.
- Are CA CIPA Claims Toast?: A recent CA court ruling could provide the basis for arguing that California’s CIPA law does not cover websites collecting IP addresses. In the case, the plaintiff argued that the defendant’s website collected users’ IP addresses and installed beacon software that allowed third parties to gather extensive identifying information, and that such technology constituted unlawful use of a “pen register” or “trap and trace device” under the California Invasion of Privacy Act (CIPA). The defendant moved for a judgment on the pleadings, arguing the complaint failed to state a viable claim under CIPA’s definitions. The court agreed, finding that CIPA’s statutes were ambiguous when applied to modern website analytics and were clearly intended for traditional telephonic surveillance, not ordinary web tracking tools. As a result, the court granted judgment on the pleadings in favor of the defendant and dismissed the CIPA claim without leave to amend. While not binding precedent on other CA state courts, the analysis does provide a potential argument for challenging what some have characterized as a dubious reading of the CA statute.
- Google Avoids Multi-Billion Dollar Disgorgement in U.S. Privacy Data Lawsuit: A U.S. federal judge has rejected a bid by consumers to force Google to pay more than $2 billion in penalties over its past collection of user data, dealing a significant win to the tech giant. While a jury last year found Google liable for secretly collecting app activity data from users who had disabled a key privacy setting — awarding $425 million in damages — the court ruled that consumers failed to justify disgorgement of alleged profits or a permanent injunction on Google’s data practices. Judge Richard Seeborg said the claims of future harm were insufficient and that estimates of Google’s profits were not adequately supported. Google, which denies wrongdoing and plans to appeal the verdict, failed in its attempt to decertify the class over alleged individualized issues.
Industry Updates:
- FBI’s Operation Winter SHIELD Aims to Strengthen Cyber Defense Through Shared Responsibility: The FBI launched Operation Winter SHIELD, a cyber resilience campaign that considers private industry an active partner in defending the nation’s digital infrastructure against cyber threats. Led by the FBI’s Cyber Division, the initiative outlines 10 actions organizations can take to reduce cyber risk, based on real-world investigations and adversary tactics. These include adopting phish-resistant authentication, managing vulnerabilities and end-of-life systems, reducing administrator privileges, securing backups and logs, managing third-party risk, strengthening email security, protecting internet-facing systems, and regularly exercising incident response plans. The campaign provides a roadmap to harden IT and operational technology environments, shrink attack surfaces, and improve overall resilience by helping organizations understand where attackers focus and what concrete steps they can take now and over time. Operation Winter SHIELD positions cybersecurity as a shared responsibility and aims to empower organizations to take proactive, practical steps that collectively make exploitation harder and the nation’s digital infrastructure more resilient.
- Homeland Security Bureau and FCC Warn Telecom Companies of Increasing Ransomware Threat: The Public Safety and Homeland Security Bureau and the Federal Communications Commission have issued a joint alert warning telecom providers of a rise in ransomware attacks. The increase is of particular concern for small and midsize companies, but the alert is urging all telecom companies to ensure their cyber operations are following best practices, including by patching systems, enabling multi-factor authentication, backing up data, and monitoring for supply chain vulnerabilities and threats. The alert provides detailed guidance on how to protect critical communications networks from attack to help protect against the disruption of services, information exposure, and being locked out of critical files and systems.
- Claude Tricked into Deploying Ransomware: Researchers at Cato Networks demonstrated that a plug-in framework in Anthropic’s Claude AI, called “Skills,” can be manipulated to deploy ransomware by modifying a widely shared open-source module. In the experiment, a benign-looking GIF Creator Skill was altered to include a function that fetched and ran external code containing MedusaLocker ransomware. Because Claude reviews only the visible code in the Skill and cannot inspect code downloaded at runtime, the ransomware executed without being flagged. Anthropic responded by saying users should install and run only trusted Skills, but the finding highlights how AI automation tools and plug-in ecosystems may be repurposed as malware delivery mechanisms.
- FinCEN Reports Drop in Ransomware Payments in 2024 Following Law Enforcement Disruptions: FinCEN has reported a modest decline in ransomware activity during 2024, following record-setting levels in 2023. Based on Bank Secrecy Act filings, FinCEN identified 1,476 ransomware-related incidents in 2024, a slight decrease from the prior year. Reported ransomware payments also declined significantly, totaling approximately $734 million, down from more than $1.1 billion in 2023. FinCEN attributed the downturn in both incidents and payments in part to coordinated law enforcement actions that disrupted several major ransomware groups and their supporting infrastructure.
- CISA Releases Press Release Urging Critical Infrastructure Organizations to Build Multi-Disciplinary Threat Management Teams to Combat Insider Threats: CISA is urging organizations that operate critical infrastructure, along with state, local, tribal, and territorial governments, to take stronger action against insider threats by using a new resource designed to help them assemble multi-disciplinary insider threat management teams. The guidance emphasizes that insider threats pose serious risks to organizational security and resilience, and that proactive strategies to prevent, detect, mitigate, and respond to these threats are essential. CISA’s resource – “Assembling a Multi-Disciplinary Insider Threat Management Team” – outlines steps for building and maintaining effective teams that draw expertise from across an organization to reduce vulnerabilities, reinforce defenses, and ensure potential concerns can be reported and addressed early.
Regulatory:
- New York Enacts Law Regulating the Use of AI Generated “Synthetic Performers” in Advertising: In December, the New York Governor signed into law an act regulating the use of AI generated “synthetic performers” in advertising. AI generated “synthetic performers” are digital, non-human entities created using AI that appear as a real person. Any business advertising a product or service must clearly disclose when an advertisement uses a synthetic performer, subject to some exceptions. The law imposes a $1,000 penalty for a first violation and a $5,000 penalty for subsequent violations.
State Action:
- CA DROP Platform Goes Live — Allowing Residents to Delete Data With Data Brokers: Since 2020, CA residents have been able to request that companies stop collecting and selling their data. But that process could require multiple requests to every company collecting data about the resident. In 2023, CA passed the Delete Act to simplify that process, allowing residents to request deletion from more than 500 registered data brokers. But now, CA has launched its Delete Requests and Opt-Out Platform (DROP), which is a single state-provided resource online where residents can make the request to all registered data brokers to delete their data. Brokers are supposed to start processing requests from the DROP platform in August of 2026 and have 90 days to comply with requests and report back to requestors. Failure to comply with a request through the DROP platform could result in fines of $200 per day plus enforcement costs.
- California Attorney General Launches Investigation into “Surveillance Pricing”: California Attorney General Rob Bonta announced the beginning of an investigative sweep looking at the use of personal information to set targeted individualized prices for products and services. This use of personal information for “surveillance pricing” may trigger obligations under the California Consumer Privacy Act (“CCPA”) including the purpose limitation principle that requires businesses to only use personal information for purposes that are consistent with the reasonable expectations of the consumer when the data is collected. The sweep will look at businesses with a significant online presence across multiple industries and sectors.
- New York Attorney General James Wins $500,000 Settlement Requiring OrthopedicsNY to Strengthen Patient Data Security: New York Attorney General Letitia James announced a $500,000 settlement with OrthopedicsNY, LLP, an orthopedic practice operating clinics and surgery centers across the Capital Region, after her office found the provider failed to adequately protect patients’ private information. In 2023, cyberattackers allegedly used compromised credentials to gain remote access to OrthopedicsNY’s network and downloaded unencrypted files, exposing data for approximately 656,000 patients and employees. The exposed information included sensitive personal and health-related data and, for about 110,000 individuals, government identifiers such as Social Security numbers and driver’s license or passport numbers. Under the agreement, OrthopedicsNY will pay penalties and costs, fund credit monitoring for affected individuals, and implement enhanced safeguards. Required measures include a comprehensive information security program, written access controls, multi-factor authentication for remote access, encryption of data, ongoing monitoring for anomalous activity, and annual risk assessments. The settlement reflects the Attorney General’s broader enforcement focus on preventable cybersecurity lapses.
International Updates:
- Russia Launches Cyber Attack on Poland’s Power Grid: On Jan. 15th, the government of Poland acknowledged that a cyber attack against its energy infrastructure had occurred in December 2025, and was successful in damaging some equipment. In acknowledging the attack, the Polish Prime Minister said “Everything indicates that these attacks were prepared by groups directly linked to the Russian services…”. In separate analysis from various threat research groups, the attack has been linked to the Russian group called Sandworm. The attack targeted two heat and power plants and a system responsible for managing the electricity generated from renewable sources.
- NIS2 (National Information and Security Directive 2) – Status Update: NIS2 was due to be implemented by EU member states in October 2024. It is a law targeting increased cybersecurity resilience across key infrastructures, including areas such as transport, communications, energy, waste management, chemical and food production and over a dozen others. It covers risk management, reporting and transnational cooperation. Most countries have missed this deadline and, at the time of writing, 19 of the 27 EU member states have implemented its regulations into national law. Others (including Ireland) are at an advanced stage of drafting but have yet to formally introduce a Bill to their national parliament. The EU Commission has begun enforcement proceedings. In the meantime, on Jan. 20th, the EU Commission announced there will be revisions made at EU level to the NIS2 requirements to aid understanding and harmonisation across the EU in respect of the cybersecurity resilience measures required as a result of NIS2. This will impact over 28,000 companies across the scope of NIS2 within the EU. It is to take the form of a revised Cybersecurity Act, focusing on the EU’s ICT supply chains.
- UK Privacy Watchdog Launches Investigation into Musk’s Grok AI: Britain’s privacy watchdog, the Information Commissioner’s Office (ICO), has launched a formal investigation into Elon Musk’s xAI chatbot Grok and X Internet Unlimited Company over concerns about how personal data is processed and the system’s potential to generate harmful sexualized images and videos. The probe follows reports that Grok has been used to create non-consensual sexual imagery, including of children, raising serious concerns under UK data protection law and of risks of significant public harm. The ICO said it will assess whether adequate safeguards were built into Grok’s design and deployment to protect individuals’ data rights. Separately, media regulator Ofcom confirmed it is continuing its own investigation into X, as governments and regulators worldwide intensify scrutiny of sexually explicit AI-generated content.
- Ireland’s Data Watchdog Owed Over €4bn in Fines: According to a report in the Irish Times, while Ireland’s Data Protection Commission leads the league table of EU GDPR enforcers, having dished out fines of €4.04bn in the last six years, just €20m of that has been collected. The low collection rate results from various court challenges and appeals, which, while live, preclude the DPC from enforcing those fines. The next nearest country in terms of enforcers of GDPR is France, the only other European country to have issued more than €1bn in cumulative fines since 2018. The appeals are largely comprised of actions by big-tech companies such as Meta and TikTok.
- UK ICO Issues Updated Guidance on International Data Transfers: On Jan. 15th, the UK Information Commissioner’s Office (the “ICO”) published updated guidance intended to facilitate the international transfers of cross-border data. The guidance provides a three-part test to help organizations understand whether the international data transfer is “restricted” under the UK GDPR, includes a series of FAQs, and includes examples to assist with the analysis.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.