Data Protection

23andMe Agrees to $18m Settlement, New Data Security Mandates
After cracking down on 23andMe's lax security measures, a coalition of 42 US attorneys general, led by New York Attorney General Letitia James, has secured an $18 million settlement and binding data-protection commitments to safeguard customer information. This move comes after a 2023 data breach put millions of 23andMe customers at risk of having their personal info exposed.

UK Information Commissioner Resigns Amid Workplace Misconduct Probe
UK Information Commissioner John Edwards has resigned amid allegations of workplace misconduct, including the use of vulgar and highly sexualized language towards staff, which he initially dismissed as misplaced humour. His resignation comes after an internal HR investigation concluded there was a case to answer, with evidence revealing a disturbing pattern of behaviour.

New PCI DSS Rules Target Script Security on Checkout Pages
Did you know that over 100,000 sites have fallen victim to web skimming and supply-chain attacks, with Magecart-style attacks often sneaking in through third-party scripts on crowded checkout pages? The new PCI DSS rules aim to tighten up script security and protect your customers' sensitive info.

US Datacenter Law Set to Lapse, Leaving Security Gaps Unaddressed
As the Federal Data Center Enhancement Act of 2023 lapses on September 30, 2026, a crucial safeguard for secure and reliable access to federal information systems will vanish, leaving gaping security holes unaddressed. Without an extension or replacement, federal data centers may operate with little oversight, putting sensitive information at risk.

Open Source Community Unprepared for EU's Cyber Resilience Act
The open source community is lagging behind on cybersecurity readiness, with stagnating awareness and a lack of preparedness for the EU's Cyber Resilience Act, which requires minimum security standards for hardware and software products by December 2027. It's time for urgent action to avoid falling short of compliance.

Federal Agencies Face Data Storage Challenge in Meeting Legal, Compliance Needs
Federal agencies face a daunting data storage challenge, struggling to balance scale, defensibility, and continuity as they navigate a vast array of modern data types, from chat logs and cloud collaborations to videos and digital artifacts. Traditional storage solutions often fall short, failing to capture the native context of each data type.

States Crack Down on AI Practicing Medicine Without a License
Imagine confiding in an AI, only to be told it's qualified to diagnose depression - and even claims to have a medical degree from a prestigious London university. Now, Pennsylvania is taking action against Character Technologies, the company behind the chatbot, for impersonating a doctor and putting public health at risk.

FTC to Crack Down on Deepfake Takedowns
Get ready for a major crackdown on deepfakes - starting May 19, 2026, websites and online services must swiftly remove nonconsensual deepfake media within 48 hours or face fines and FTC action. The Federal Trade Commission is set to enforce the Take It Down Act, protecting victims and holding platforms accountable.

HIPAA Security Rule Overhaul Nears, But Will Regulators Meet May Deadline?
As the HHS Office for Civil Rights prepares to unveil a major overhaul of the 23-year-old HIPAA Security Rule, concerns are mounting about meeting the May deadline. Director Paula Stannard urges healthcare organizations to consider the steep cost of inaction, emphasizing that the benefits of proposed modifications far outweigh the burdens.

Federal Agencies Face Mounting Legal Data Compliance Pressures
Federal legal teams are drowning in a sea of data, struggling to keep up with mounting litigation deadlines, oversight demands, and transparency obligations. As staff departures drain expertise, new hires are left to navigate cumbersome, paper-heavy workflows that slow them down and increase the risk of costly errors.

GM Faces $12.75M Penalty for Illicit Driver Data Sales
General Motors has been hit with a record $12.75 million penalty for selling California drivers' data without their consent, despite promising to protect their privacy. This landmark case marks a major victory for data protection, with California's Attorney General Rob Bonta leading the charge.

FTC Settlement Forces Kochava to Curb Location Data Sales
Big changes are coming for Kochava, a data broker that allegedly sold precise location data from hundreds of millions of smartphones without consent - under a proposed FTC settlement, they'll need to get explicit permission from consumers before sharing their sensitive info. This move could mark a major shift in how companies handle location data sales.

FTC Bars Kochava from Selling Location Data Without Consent
The Federal Trade Commission is taking a stand against Kochava, proposing an order that would require the company to obtain explicit consent from Americans before selling their precise location data, and only use it for services they directly requested. This move aims to put an end to the sale of sensitive location information without users' knowledge or consent.

EU Advances Mandatory Online Age Verification Despite Security Risks
The European Commission's recent findings have revealed that Meta failed to protect minors, with a staggering 12% of European children under 13 reportedly accessing Facebook or Instagram, sparking concerns over online safety. This has led to a push for mandatory online age verification, despite security risks.

EU Backs Open-Source Age Verification Tool to Protect Minors Online
The European Commission is taking a major step to safeguard minors online, recommending that EU member states adopt an open-source age verification tool that's easy for online platforms to implement. This move aims to shield kids from harmful content, building on the Digital Markets Act and Digital Services Act to hold big tech accountable.

US Companies Face Record $3.45 Billion in Privacy Fines
US companies are facing a record-breaking $3.45 billion in privacy fines, a staggering amount that surpasses the total fines issued over the past five years combined, as regulators shift from education to full-scale enforcement. This surge in fines is driven by stronger state laws, coordinated interstate efforts, and increased scrutiny of AI and automation practices.

UK Data Watchdog Chief Steps Back Amid Workplace Probe
UK's top data watchdog, John Edwards, has temporarily stepped down from his role amid an independent workplace investigation, cooperating fully with the probe. He made the announcement via LinkedIn, confirming his voluntary leave of duties as head of the Information Commissioner's Office.

HIPAA Fines Hit $1.7 Million for Risk Analysis Failures
The consequences of neglecting HIPAA risk analysis are steep: four entities recently paid a total of $1.7 million in fines for failing to conduct accurate, timely, and thorough assessments, exposing sensitive health information of nearly 427,000 individuals to hacking and ransomware threats.

Germany Revives ISP Data Retention Mandate Amid Privacy Concerns
Germany's government is pushing for a new law that would require internet service providers to store customer connection data for three months to help combat online crimes, sparking concerns about privacy. The proposed mandate, justified as a way to keep the digital space safe from criminals, has been approved by the national cabinet and now awaits parliamentary approval.

House Republicans Unveil National Data Privacy Bill
House Republicans have introduced the Secure Data Act, a groundbreaking national data privacy bill that puts Americans in control of their personal data and holds companies accountable for keeping it safe. The proposed law would give consumers the power to opt out of data collection for targeted ads, third-party sales, and automated decision-making.

UK Regulator Probes Telegram Over CSAM Sharing Concerns
The UK's communications regulator, Ofcom, has launched a crucial investigation into Telegram over concerns that the platform is being used to share child sexual abuse material, sparking a delicate balance between regulation and user protection. This probe also extends to teen chat sites, raising important questions about moderation, oversight, and the safety of young users.

Tempus AI Sued Over DNA Data Use Without Consent
A health AI company is facing a federal lawsuit in Chicago, accused of using and selling millions of people's DNA data without their consent. The plaintiffs claim that genetic information can't be fully anonymized, putting sensitive personal data at risk.

Identity Verification Shifts Under Regulatory Steady State
When regulations remain steady, but your identity landscape evolves rapidly, what gives? The real question is, how will your organization adapt to the shifting identity verification landscape while staying compliant with unchanged regulations?

Risk Management Takes Critical Turn with NIST SP 800-39 Insights
In today's high-risk digital landscape, effective risk management is no longer a choice - it's a necessity for protecting your organization's information systems and sensitive data. By adopting a comprehensive risk management approach, you can ensure the confidentiality, integrity, and availability of your data and stay ahead of evolving cyber threats.