Right To Know - June 2026, Vol. 42

June 15, 2026

Cyber, Privacy, and Technology Report

Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.


Litigation & Enforcement: 

  • $1.5 billion Settlement in Bartz v. Anthropic Final Approval Remains Pending: Presiding Judge Araceli Martínez-Olguín declined, for now, to approve the $1.5 billion settlement in the Bartz v. Anthropic copyright infringement lawsuit. In a supplemental filing ordered after the fairness hearing, Anthropic urged the court not to permit five untimely opt-outs from the proposed $1.5 billion settlement in Bartz v. Anthropic, arguing that the two objectors who sought relief failed to show “excusable neglect” and that the remaining three late opt-out requests should also be denied for lack of any record supporting relief and because other rightsholders have not consented. Final approval remains pending. If approved, the settlement would rank among the largest copyright class action settlements on record and could become an early benchmark for how courts value mass claims against AI companies over the use of copyrighted books.
  • Illuminate Scores a Pleading-Stage Victory, With Caution Flags for Future Defendants: In M. v. Illuminate Education, Inc., the California Supreme Court substantially narrowed a student-plaintiff data-breach suit, holding that an ed-tech vendor serving school districts was not adequately alleged to be a CMIA “provider of health care” and that the student was not the vendor’s “customer” under the CRA, defeating both statutory claims at the pleading stage. However, the Court simultaneously adopted a plaintiff-favorable CMIA interpretation by rejecting the notion that a claimant must allege unauthorized third parties actually viewed the compromised medical information and instead holding that confidentiality may be breached where the medical information is exposed to a “significant risk of unauthorized access.”
  • TX Lawsuit Claims Netflix Data Sharing Practices Violate Texas Law: In this lawsuit, the State of Texas alleges that Netflix misled consumers by promising an ad-free, privacy-focused, and child-safe streaming platform while allegedly building a large-scale system to collect and monetize user data. The petition claims Netflix used “dark patterns,” such as autoplay features, to increase screen time and gather detailed behavioral information about users and children, including viewing habits, device data, and engagement metrics. Texas further alleges that Netflix shared or integrated this data with advertisers, data brokers, and ad-tech companies despite public statements from executives suggesting the company did not engage in extensive data collection or advertising-based practices. The state argues these actions violated the Texas Deceptive Trade Practices Act and seeks civil penalties and injunctive relief against Netflix.
  • Law Firm Sued Over Cyber Incident: Wiley Rein LLP was sued in federal court over an alleged data breach committed by a group that may have been affiliated with the Chinese government. According to the complaint, the intrusion into certain employees’ email accounts occurred between July 2024 and June 2025, and included information in emails about plaintiffs and other individuals whose information was obtained through subpoenas. The plaintiff seeks to represent a nationwide class of impacted individuals and asserts claims of negligence, breach of third-party contract, unjust enrichment, and invasion of privacy.
  • California Sues 23andMe Over 2023 Data Breach Affecting 6.9 Million Customers: California Attorney General Rob Bonta announced that he filed a lawsuit against 23andMe over a 2023 data breach that exposed the genetic and personal information of approximately 7 million U.S. customers, including over 855,000 Californians. The complaint alleges that the company ignored warnings that its systems had been compromised and downplayed the severity of the breach, which occurred between April and October 2023 and exposed information related to customers’ health, ancestry, ethnicity, genetic predispositions, and biological relatives. California is seeking civil penalties for alleged violations of the state’s Genetic Information Privacy Act and consumer protection laws. The lawsuit follows 23andMe’s 2025 bankruptcy filing, which the company attributed in part to the data breach and related litigation, and comes after a federal court approved a $30 million to $50 million settlement fund to resolve most customer claims arising from the incident.
  • California Hits General Motors with Record $12.75M Privacy Penalty: On May 8th, California Attorney General Rob Bonta and state partners announced a $12.75 million settlement with General Motors (GM), the largest penalty under the California Consumer Privacy Act (CCPA) to date. The settlement resolves allegations that GM sold Californians’ geolocation and driving behavior data to two data brokers, Verisk Analytics, Inc. (Verisk) and LexisNexis Risk Solutions (Lexis), without notice or consent, violating CCPA requirements for transparency, purpose limitation, and data minimization. Under the agreement, GM must stop selling driving data to data brokers for five years, delete improperly retained driving data (and request that Lexis and Verisk also delete this data), strengthen its privacy compliance program and document risks related to data collection, and submit compliance reports to state regulators. The case sets a significant precedent, signaling heightened enforcement of California’s privacy laws and expectations for data use by companies operating connected technologies.
  • Ransomware Group Negotiator Sentenced to 8.5 Years in Prison: A federal court in the Southern District of Ohio sentenced a Latvian national to 8.5 years in prison for his role as a negotiator in a major international ransomware operation known as Karakurt, TommyLeaks, and SchoolBoys Ransomware. Although he did not carry out the technical hacks himself, prosecutors said he played a key role in extorting victims by analyzing stolen data, communicating ransom demands, and strategizing pressure tactics against companies that had been hacked. Between 2021 and 2023, the group targeted at least 53 organizations and caused more than $56 million in losses, including attacks that exposed sensitive personal and healthcare information and even disrupted a government 911 system. Court documents highlighted especially disturbing conduct involving a pediatric healthcare company, where Zolotarjovs allegedly used stolen children’s medical information to pressure the victim into paying and suggested publishing patient data on the dark web when payment was delayed. Arrested in Georgia in 2023 and extradited to the U.S. in 2024, he pleaded guilty to conspiracy to commit money laundering and wire fraud in 2025.
  • Texas AG Targets Meta and WhatsApp Over Alleged False Encryption and Privacy Claims: Texas Attorney General Ken Paxton has filed a lawsuit against Meta and WhatsApp alleging the companies misled consumers about the privacy and security of WhatsApp’s messaging platform. The lawsuit centers on WhatsApp’s repeated representations that its service provides end-to-end encryption, meaning only the sender and intended recipient can access message contents. According to the complaint, internal reports, investigations, and insider accounts allegedly demonstrate that WhatsApp employees and systems were capable of accessing user communications despite those public assurances. Paxton claims these representations created a false impression that user communications were completely inaccessible to Meta, WhatsApp, or third parties. The suit alleges this conduct violates the Texas Deceptive Trade Practices Act by misleading Texans about the true nature of WhatsApp’s privacy protections. The action reflects a broader trend of state-level privacy enforcement focused not only on data breaches, but also on allegedly deceptive statements regarding encryption, access controls, and platform security practices. The lawsuit also continues Texas’s increasingly aggressive approach toward Big Tech privacy and consumer protection enforcement.

Industry Updates: 

  • Report from Visa says AI and Social Engineering Drive Rise in Payment Scams: Visa’s Spring 2026 Biannual Threats Report highlights a significant shift in the fraud landscape, with scams becoming the fastest-growing source of consumer harm as criminals increasingly use artificial intelligence and social engineering to manipulate individuals into authorizing payments themselves. According to Visa, nearly $1 billion in scam-related activity was identified between July and December 2025, making scams the largest category of consumer payment fraud. While network-level payment security continues to improve, with fraud involving device tokens declining 9.6% compared to the same period in 2024, cybercriminals are increasingly targeting human trust rather than technical vulnerabilities. The report also found that AI is simultaneously enabling criminals to create more convincing scams while also helping organizations detect and prevent attacks earlier. Additionally, while global ransomware activity increased 26% during the reporting period, only 23% of victims reported paying ransoms, reflecting stronger resilience and recovery capabilities across organizations.
  • FIDO Alliance Publishes The State of Passkeys 2026 Report: On May 7th, the FIDO Alliance, made up of many technology, financial services, security, online retail companies, and government agencies, published “The State of Passkeys 2026: Global Consumer and Workforce Report.” The Alliance has published FIDO and FIDO2 standards to replace passwords with passkeys for authentication. Passkey technology replaces passwords with a pair of cryptographic keys, a private key on the user’s device and a public key on the network, website or service. When a user logs on, he or she uses the credential they use to sign onto the device (fingerprint, faceprint, or PIN) to allow a “handshake” between the keys. The credential and private key remain on the user’s device. Passkeys are considered to be easier to use, faster, and more secure than passwords. Based on a global survey, the Report notes that “90% of consumers are familiar with passkeys, and 75% have enabled them on at least some accounts…” and “workforce deployment is approaching mainstream levels, with 68% of organizations deploying, piloting, or rolling out passkeys for employee authentication.” Participating companies are now regularly prompting users to set up passkeys to replace passwords.
  • FBI Warns of Spoofed FIFA Websites Ahead of 2026 World Cup: As excitement builds for the 2026 FIFA World Cup, the FBI is urging fans to stay vigilant against a rise in cyber scams targeting soccer enthusiasts. In a May 27 public advisory, officials highlighted a surge in spoofed FIFA websites designed to trick users into sharing personal and financial information. These sites closely mimic the official FIFA website, often using slight misspellings or alternative domain endings (like “.org” instead of “.com”) to deceive users. Cybercriminals are leveraging these tactics to collect sensitive data, sell fake tickets and other products, and facilitate additional fraudulent schemes. The FBI warns that victims who unknowingly provide their personal details could face identity theft, account fraud, or financial loss. Several suspicious domains have already been identified, and more are expected to surface as the tournament approaches. To stay safe, users are encouraged to, among other things:
    • Type “fifa.com” directly into their browser instead of relying on search results;
    • Avoid clicking on sponsored or unfamiliar links;
    • Double-check URLs for accuracy before entering any information; and
    • Use bookmarks for trusted sites and use caution when clicking on online ads.

Anyone who encounters or falls victim to these scams is encouraged to report the incident to the FBI’s Internet Crime Complaint Center (IC3).

  • FBI Warns of AI-Powered Microsoft 365 Phishing Campaign: FBI officials are warning organizations about a new phishing-as-a-service platform known as “Kali365,” which is being used to compromise Microsoft 365 accounts by stealing OAuth access tokens and bypassing multi-factor authentication protections. The platform allegedly uses AI-generated phishing lures, automated attack templates, and real-time tracking dashboards that lower the technical barrier for threat actors conducting credential theft campaigns. According to the warning, attackers send phishing emails impersonating trusted cloud or document-sharing services and direct victims to legitimate Microsoft verification pages where they are instructed to enter a device code. By completing the process, victims unknowingly authorize the attacker’s device, allowing access to services such as Outlook, Teams, and OneDrive. The FBI suggests a number of technical methods to limit these risks.
  • Cyber Security Model “Mythos” Finds Thousands of Vulnerabilities: Anthropic announced that its cybersecurity model “Mythos” successfully identified thousands of previously unknown software vulnerabilities during internal testing and research exercises. According to the company, the AI system demonstrated the ability to analyze source code, identify insecure logic patterns, and detect exploitable weaknesses that had not previously been flagged through conventional security review processes. The announcement came as part of an update to “Project Glasswing,” a program designed to help organizations identify and respond to cyber threats using generative AI. Participants in Project Glasswing have reported increases in identification, fixes, and patches resulting from the use of Mythos. The findings highlight how rapidly advancing AI systems are beginning to transform vulnerability discovery and could significantly accelerate both defensive security research and offensive cyber capabilities.
  • CISA Adds One Known Exploited Vulnerability (BerriAI LiteLLM SQL Injection Vulnerability) To Catalog: On May 8th, CISA added a new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, meaning there is evidence that attackers are actively exploiting it in the wild. The vulnerability added was CVE-2026-6973, an improper input validation flaw affecting Ivanti’s Endpoint Manager Mobile (EPMM) platform. CISA warned that vulnerabilities like this are commonly used by malicious actors and pose a serious risk to government and enterprise systems. Federal agencies were directed to prioritize remediation under existing cybersecurity requirements, and organizations using affected Ivanti software are encouraged to patch or mitigate the issue as soon as possible.

Regulatory: 

  • FTC Announces $930K Settlement Over Deceptive “Active Listening” AI Marketing Claims: On May 21st, the Federal Trade Commission announced proposed settlements with Cox Media Group, MindSift LLC, and 1010 Digital Works LLC, alleging violations of Section 5 of the Federal Trade Commission Act based on deceptive marketing of an “Active Listening” artificial intelligence advertising service. The FTC alleged the companies falsely claimed the service used voice data from consumers’ smart devices and that consumers had provided “opt‑in consent,” when in fact the service did not use voice data and instead relied on purchased data such as email lists. Under the proposed consent orders, the companies must pay $930,000 collectively and are prohibited from making misrepresentations regarding (i) the qualities or features of their advertising or marketing services, (ii) the collection and use of voice data and whether consumers have provided consent, and (iii) the geographic targeting capabilities of their services.
  • TAKE IT DOWN Act Enforcement Begins: On May 19th, the Federal Trade Commission (FTC) began enforcement of the TAKE IT DOWN Act, which requires covered platforms to remove intimate photos or videos shared online without victims’ consent when requested to do so by the victim. Covered platforms are required to provide a mechanism for victims to request removal of the images within 48 hours of a valid request. Violation can result in civil fines of up to $53,088 per violation.
  • Illinois Passes Historic AI Bill: The Illinois legislature has passed a historic AI bill that is awaiting the governor’s signature. The bill would mandate annual independent third-party audits of AI companies on safety issues. The bill also requires covered companies to create and publish a framework outlining how a company applies industry standards, measures model capabilities and chance of catastrophic risk, and identifies and responds to safety incidents.
  • Long Saga of CO AI Law Appears to Have Come to a Close with Revised Law: Ever since it originally passed in 2024, the CO AI Act has been the subject of multiple attempts from everyone involved to amend the law to allow for the protection of CO consumers while not unnecessarily stifling AI technology development. After two years of attempts, all sides agreed on amendments to the CO AI Act. Among other changes, the new law’s enactment is pushed back to January 1, 2027, and the law does not require developers or deployers of AI technology to certify that such technology is bias free, but does require deployers to indicate when AI technology is being used in connection with consequential decisions and to allow for appeals of negative determinations. The law was signed by Governor Jared Polis on May 14th.
  • FTC’s Kochava Settlement Signals Escalating Scrutiny of Sensitive Location Data Practices: The FTC’s proposed settlement with data broker Kochava marks one of the agency’s most aggressive actions to date involving the collection and sale of precise mobile location data. The FTC alleged that Kochava sold sensitive geolocation information capable of revealing visits to healthcare facilities, places of worship, schools, domestic violence shelters, and government installations without meaningful consumer consent. The settlement imposes sweeping operational requirements, including prohibitions on selling sensitive location data absent affirmative express consent obtained through standalone disclosures separate from standard privacy policies or terms of service. The order also requires comprehensive supplier diligence, consumer deletion and consent withdrawal rights, board-level privacy oversight, detailed retention schedules, and rapid deletion obligations for improperly collected data. Importantly, the settlement reflects the FTC’s growing expectation that businesses remain accountable not only for their own data practices, but also for the consent practices of downstream vendors and data suppliers. Businesses involved in digital advertising, mobile analytics, healthcare, adtech, or consumer profiling should view the Kochava matter as a significant signal that sensitive location data remains a major enforcement priority for federal regulators.
  • Internet Crime Complaint Center Issues 2025 Internet Crime Report: During May, the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) issued its 2025 Internet Crime Report, its 25th Anniversary Report. IC3 is the primary hub for (1) public reporting of cyber-enabled crime and fraud, (2) analysis and referral to law enforcement, (3) recovery of funds, and (4) information on scams and cyber threats. IC3 reports that it received 1,008,597 complaints during 2025, with $20.877 billion in total losses, a 26% increase in losses from 2024. The report includes analysis by crime type, state, and age of victims. 85% of the losses in 2025 were from cyber-enabled fraud, which includes complaints where criminals use the Internet or other technology to commit fraudulent activities. The information in the report can help businesses and individuals to understand and guard against internet crimes. The IC3 Recovery Asset Team facilitates communications with financial institutions and FBI field offices to assist in the freezing of funds for victims of fraudulent domestic and international transactions via the Financial Fraud Kill Chain. IC3 recommends that victims of fraudulent financial transactions immediately file an online report with IC3. During 2025, the Kill Chain was successful in freezing $679,013,183, a 58% success rate.
  • FBI Issues Alert on Silent Ransom Group Impersonating IT Personnel: On May 25th, the Federal Bureau of Investigation issued an alert, “Silent Ransom Group Impersonating IT Personnel.” The Silent Ransom Group (SRG) has used phone calls and phishing emails, and sometimes in-person visits, to pose as IT support to get access to victim computers and exfiltrate data. It then seeks extortion payments to prevent disclosure or sale of the exfiltrated data. SRG has consistently targeted US-based law firms since Spring of 2023 and has targeted other sectors including insurance, finance, and healthcare. The Alert includes indicators of compromise and preventive measures, including verifying the credentials of all individuals accessing company spaces, limiting access to sensitive data from less secure networks, such as home or public internet, setting policies on when and how IT support will communicate and authenticate themselves, conducting staff training on phishing, and more. The FBI issued an alert to law firms on the same threat two years ago, yet the attacks, and the victims caught by them, have continued.

International Updates: 

  • Pope Leo XIV Addresses the Ethics of Artificial Intelligence: The current leader of the Catholic Church (and well-known White Sox fan), Pope Leo XIV, addressed the ethics surrounding Artificial Intelligence and how it intertwines with the Catholic faith. In his Encyclical Letter entitled “Magnifica Humanitas,” he stresses that technology shouldn’t be used to try to achieve something that makes you “more than human” and that technology should be used in a way that protects truth, democracy, the dignity of work and education.
  • UK and Australia Formalize AI Security Cooperation Through Memorandum of Understanding: On May 25th, the United Kingdom and Australia announced a Memorandum of Understanding (MoU) between the United Kingdom AI Security Institute and the Australian AI Safety Institute to coordinate on artificial intelligence security and safety. The agreement focuses on “frontier AI”, i.e., the most advanced systems at the cutting edge of current capabilities, and provides for information sharing, joint research, and development of testing and evaluation practices for advanced systems. It also addresses cybersecurity risks, including the misuse of AI in cyber attacks and its defensive applications, and contemplates staff exchanges between the institutes. The MoU reflects increased cross‑border coordination as governments respond to evolving risks associated with advanced AI systems.

State Actions: 

  • Connecticut Enacts Omnibus Privacy Law: Connecticut Governor Ned Lamont signed Senate Bill 4 (SB4) into law on May 27th. Among other things, the law amends the Connecticut Data Privacy Act (CTDPA) by establishing a data broker registry and an accessible deletion mechanism, new restrictions on the use of price setting devices and surveillance pricing, and new requirements for direct-to-consumer genetic testing companies. Additional updates to the CTDPA include changes to the definition of “publicly available information” to exclude certain information, and new requirements for the use of facial recognition technology for controllers of consumer health data.

This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.
