Right To Know - May 2026, Vol. 41

May 18, 2026

Cyber, Privacy, and Technology Report

Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.

View previous issues and sign up to receive future newsletters by email here. 

Litigation & Enforcement: 

  • Court Denies Class Certification In Pixel Tracking Class Action: The United States District Court for the Northern District of California denied class certification in In re Meta Pixel Tax Filing Cases. The plaintiffs claimed that the Meta Pixel installed on various tax filing services’ websites improperly collected their “sensitive financial information” and shared it with Meta. The court found that individual issues proliferated, precluding plaintiffs from meeting the predominance requirement of Federal Rule of Civil Procedure 23. These issues included whether the communications were “confidential,” whether class members consented to the collection, what information was collected, and whether the statute of limitations bars class members’ claims.  
  • Federal Appeals Court Affirms Dismissal of VPPA Lawsuit Over Facebook Pixel Tracking: The United States Court of Appeals for the Second Circuit affirmed the Sept. 3rd, 2025 dismissal of the lawsuit accusing NBCUniversal Media LLC of violating the Video Privacy Protection Act (“VPPA”) by using the Facebook tracking pixel to send data to Meta Platforms Inc. The panel stated that the data disclosures the plaintiff in the case alleged did not meet the definition of personally identifiable information under the VPPA. The Court stated that their decision was controlled by its 2025 ruling in Solomon v Flipps Media Inc. that dealt with a similar issue. Here, the Court determined that a video URL in combination with a Facebook ID would not allow an “ordinary person” to identify a user’s viewing habits. The new ruling reaffirms the court’s narrow interpretation of potential liability under VPPA.
  • Supreme Court Weighs Constitutionality of Geofence Warrants: On Apr. 27th, the U.S. Supreme Court heard oral arguments in Chatrie v. United States, involving whether geofence warrants, which compel technology companies to hand over location data for devices in a defined area, violate the Fourth Amendment’s protection against unreasonable searches. The case arose after police used a geofence warrant to identify Okello Chatrie as a suspect in a 2019 bank robbery, prompting concerns that such warrants function as unconstitutional general warrants by sweeping up sensitive location data from innocent people without individualized probable cause. While Chatrie’s lawyers argued that individuals have a reasonable expectation of privacy in their detailed location histories, the government maintained that users consent to data collection by enabling location services and that restricting geofence warrants would undermine law enforcement investigations. The Court’s decision, which is expected by July, could significantly reshape digital privacy and police access to location data in the United States.
  • Pennsylvania Seeks Preliminary Injunction Against AI Chatbot for Alleged Unlicensed Medical Practice: Pennsylvania has sued Character Technologies Inc., alleging that chatbots on its character.ai platform falsely represented themselves as licensed medical professionals and engaged in the unauthorized practice of medicine. The state is seeking a preliminary injunction and court order barring the company from allowing AI characters to pose as licensed practitioners or provide medical advice in Pennsylvania. Regulators say at least one chatbot claimed to be a licensed psychiatrist and provided a purported Pennsylvania license number, raising consumer protection and public health concerns. The case marks Pennsylvania’s first effort to apply medical licensing laws to AI-generated content.
  • FBI and Indonesian Law Enforcement Take Down Phishing Network Responsible for Millions of Fraud Attempts: The FBI Atlanta Field Office and law enforcement in Indonesia teamed up to take down the criminals behind the W3LL phishing kit. This phishing kit is suspected of stealing thousands of credentials and being used to attempt at least $20 million in fraud. The developers of the kit also secretly gathered credentials stolen by their kit and resold the stolen credentials in an attempt to maximize their profits.

Industry Updates: 

  • Three New Zero-Day Vulnerabilities Being Exploited By Threat Actors: A recent report has identified three zero-day vulnerabilities affecting Microsoft Defender that are actively being exploited. The vulnerabilities enable attackers to bypass detection mechanisms and deliver malicious payloads through specially crafted files and scripts. Microsoft has since issued patches addressing the vulnerabilities, and organizations are strongly advised to apply updates immediately.
  • OpenAI Releases Cybersecurity-Focused AI Model: OpenAI has introduced a new cybersecurity-focused AI model designed to assist with threat analysis and defensive cyber operations. The development comes alongside competing efforts from Anthropic, which is advancing its own AI model called Mythos. The parallel progression of these models highlights intensifying competition in the space, with both companies working to expand the role of AI in identifying, analyzing, and responding to cyber threats.
  • Center for Internet Security Publishes Guides for Applying the CIS Controls to Real World AI Environments: On Apr. 20th, 2025, the Center for Internet Security published three new CIS Companion Guides: the AI Large Language Models (LLM) Companion Guide, the AI Agent Companion Guide, and the Model Context Protocol (MCP) Companion Guide. The Guides extend the CIS Critical Security Controls V8.1 to these areas of AI. The CIS Controls is a set of consensus best practices to strengthen cybersecurity posture. The Guides are intended to help enterprises to apply the security controls that they already use to AI, recognizing that AI systems behave differently than traditional applications.
  • Microsoft Enters Into Agreement with Center for AI Standards and Innovation (CAISI) to Test Frontier Models (RH): Microsoft announced that it entered into an agreement with the National Institute of Standards and Technology’s (NIST’s) CAISI to “test Microsoft’s frontier models, assess safeguards, and help mitigate national security and large-scale public safety risks.”

Regulatory: 

  • 2025 FBI IC3 Report Highlights Rising Cybercrime Losses: In April, the FBI’s Internet Crime Complaint Center (IC3) published its 2025 Annual Report, summarizing reported cybercrime trends and associated losses. The IC3 recorded more than 1 million complaints in 2025, reflecting almost $20.9 billion in reported losses (a 26% increase from 2024). The most significant losses were attributed to investment crime, which accounted for approximately $8.65 billion in losses. Business email compromise (BEC) schemes caused more than $3 billion in losses. The report also highlighted the vulnerability of the elderly, noting that individuals aged 60+ submitted 201,266 complaints and reported $7.75 billion in losses (a 59% YoY increase), with an average loss of $38,500 per victim. The report further notes that IC3 received 3,611 ransomware complaints with $32 million in reported losses, while cautioning that the reported amounts likely understate overall harm because they exclude operational downtime, remediation expenses, and reputational impacts, and because entities may not report any loss to the FBI at all. Finally, the report highlighted the expanding use of artificial intelligence (AI) to facilitate and scale fraud, reporting 22,364 AI-related complaints and $893 million in losses, including AI-generated phishing, fabricated investment solicitations, and deepfake-enabled impersonation.
  • OCR Settles Four HIPAA Ransomware Investigations Affecting Over 427,000 Individuals: HHS OCR announced four HIPAA Security Rule settlements arising from ransomware investigations involving Regional Women’s Health Group, Assured Imaging, Consociate Health, and Star Group’s Health Benefits Plan. The breaches collectively affected more than 427,000 individuals and involved unsecured ePHI, including demographic information, Social Security numbers, financial information, lab results, medications, diagnoses, and health insurance information. OCR found repeated failures to conduct accurate and thorough HIPAA Security Rule risk analyses, and in some cases identified impermissible PHI disclosures and delayed breach notification. The entities paid a combined $1.165 million and agreed to two-year corrective action plans subject to OCR monitoring. The announcement reinforces OCR’s continued focus on ransomware, risk analysis, and proactive Security Rule compliance, with OCR emphasizing that hacking and ransomware remain the most common categories of large breaches reported to the agency.
  • OCR Video Emphasizes HIPAA Risk Management as an Active, Documented Compliance Obligation: OCR released an educational video addressing the HIPAA Security Rule’s risk management requirement, reinforcing that covered entities and business associates must do more than conduct a risk analysis. They must use that analysis to develop and implement a risk management plan that reduces identified risks to a reasonable and appropriate level. The video builds on OCR’s recent risk analysis guidance and highlights the related duty to review and update security measures as threats, vulnerabilities, and technology environments change. OCR also provides practical examples from investigations where organizations identified risks but failed to mitigate them until after a breach. OCR specifically flags single-factor authentication for remote access as potentially insufficient and stresses that written policies alone will not satisfy investigators without supporting evidence such as plans, approvals, screenshots, logs, meeting notes, and configuration records.
  • CISA and Partners Publish Guide to Accelerate Zero Trust Adoption in Operational Technology: On Apr. 29th, the Cybersecurity and Infrastructure Security Agency (CISA), along with federal partners, published Adapting Zero Trust Principles to Operational Technology. As its name indicates, the guide is intended to assist enterprises in applying Zero Trust principles to operational technology (OT) systems. OT is programmable hardware and software that interacts directly with the physical environment to monitor or control industrial equipment, processes, and events, such as power grids, water treatment, and manufacturing. Zero Trust is an adaptive approach to cybersecurity that eliminates implicit trust and continuously validates access based on identity, context, and risk. The Guide notes that blanket application of traditional, information-technology-focused Zero Trust capabilities to OT systems is neither reasonable nor feasible, and it provides recommendations for owners and operators on how to implement Zero Trust principles in OT environments.

International Updates: 

  • UK ICO Issues Guidance on Storage and Access Technologies: The UK Information Commissioner’s Office issued guidance on what it calls storage and access technologies such as cookies, pixels, and similar technologies. The guidance outlines requirements for companies’ use of these types of technologies, including when and how to gain consent, and what information must be provided to users about the technologies. The guidance also discusses new exceptions to the requirement to obtain consent, and provides examples to assist companies with compliance.

State Action: 

  • Rhode Island Settles With Deloitte Over Cybersecurity Incident: The Governor of Rhode Island, Dan McKee, announced that the State finalized a settlement with Deloitte Consulting LLP over a December 2024 cybersecurity incident. The incident concerned the RIBRidges system, which Rhode Island implemented as a portal for public benefits. Under the settlement, Deloitte will pay the State $7 million (in addition to a previously paid $5 million). Deloitte also provided system enhancements and support for continuity services.
  • Alabama Supreme Court Dismisses Appeal Because of Lawyer AI Hallucinations: In its decision, the Alabama Supreme Court addressed an appeal in which an attorney relied on artificial intelligence–generated legal citations that were inaccurate or entirely fabricated. The court found that the lawyer’s filings violated basic appellate requirements because they contained numerous nonexistent or misrepresented cases, rendering the appeal “frivolous” and preventing meaningful judicial review. As a result, the court dismissed the appeal and imposed sanctions, emphasizing that attorneys have a duty to verify all submitted materials and that uncritical reliance on AI undermines the integrity of the legal system. The ruling highlights growing judicial concern over AI misuse in legal practice and underscores that lawyers remain fully responsible for the accuracy and credibility of their filings.
  • Maryland Enacts Ban on Personalized Grocery Pricing Practices: On Apr. 28th, Maryland’s Governor signed House Bill 895, the Protection From Predatory Pricing Act, a first-of-its-kind state law restricting personalized grocery pricing practices. Effective October 1, 2026, the Act prohibits covered “food retailers” and “third‑party [food] delivery service providers” from engaging in “dynamic pricing,” i.e., setting grocery prices specific to a consumer based on that consumer’s “personal data,” and separately bars pricing practices that rely on the personal data of members of legally protected classes. The Act includes express exceptions for promotional pricing, loyalty or rewards programs, subscription arrangements, pricing tied to objective cost or supply factors, and consumer consent-based pricing. Enforcement authority rests with the Maryland Attorney General, with a mandatory 45‑day cure period and civil penalties for uncured violations.
  • Kentucky Includes Smart TV Data in Consumer Data Protection Act: Kentucky has amended its Consumer Data Protection Act (the “Act”) to explicitly address Smart TV data, effective Jul. 1st, 2027. More specifically, the Act was amended to define “automated content recognition data,” which includes data about a consumer’s content viewing history collected through a Smart TV. There are certain exceptions as to what qualifies as “automated content recognition data,” such as data collected for the purpose of enforcing terms of service, among others. Companies are prohibited from collecting this data without consumer consent.
  • Connecticut Advances Landmark AI and Online Safety Legislation with Bipartisan Support: Connecticut is poised to become a national leader in AI governance with the passage of Senate Bill 5, the newly branded Connecticut Artificial Intelligence Responsibility and Transparency Act. Approved with strong bipartisan support in both chambers of the legislature, the bill now heads to Governor Ned Lamont’s desk, where it is expected to be signed into law. The sweeping legislation establishes guardrails for artificial intelligence systems while also investing in innovation, workforce development, and consumer protections. The bill creates new oversight structures, including an Artificial Intelligence Policy Office, an AI Learning Laboratory Program, and a Connecticut AI Academy, while requiring transparency from AI providers and safeguards against discriminatory automated hiring practices. It also addresses children’s online safety, AI chatbot interactions, synthetic digital content, and worker protections.

This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.