Key Takeaway

A publicly disclosed and widely unpatched zero-day vulnerability, named YellowKey, permits anyone with physical access to a device running Windows 11 or Windows Server 2022/2025 to bypass BitLocker full-disk encryption (Microsoft’s built-in tool that acts like a digital vault for a computer’s entire hard drive) and read protected data without a password or recovery key. Organizations that rely on BitLocker as a primary or sole data-protection control should reassess their risk posture immediately.

Continue Reading YellowKey Zero-Day and the BitLocker Bypass: Compliance and Incident Response Implications

Last month, the Connecticut legislature passed two bills that amend and expand the Connecticut Data Privacy Act (CTDPA): Senate Bill 4 (SB 4) and House Bill 5222 (HB 5222). SB 4 (which was signed into law on May 27, 2026) and HB 5222 (which amends parts of SB 4 and was signed into law on June 2, 2026) contain new requirements for businesses and data brokers operating in the Constitution State.

Continue Reading Connecticut Updates Its Data Privacy Act, Imposing Significant New Privacy Requirements

Key Takeaways

  • CB Financial Services, Inc. filed the first SEC Form 8-K under Item 1.05 triggered by an unauthorized use of an artificial intelligence (AI) tool, not an external cyberattack.
  • A cybersecurity incident caused by insider misuse of AI (known as Shadow AI) should be assessed for disclosure under SEC rules.
  • The four-business-day disclosure clock under Item 1.05 starts at the materiality determination, not at detection of the incident.
  • Shadow AI should be considered as a cybersecurity risk as part of a company’s enterprise risk management framework.
  • Financial institutions face layered exposure: federal banking guidance, state breach notification laws, and class action litigation.
  • Suggested actions companies could take in reaction to Shadow AI developments are included below.

Continue Reading “Shadow AI” Triggers First SEC Form 8-K for Unauthorized AI Use: What Financial Institutions and Public Companies Need to Know

The European Commission has published draft guidelines (Draft Guidelines) to clarify the classification of high-risk AI systems under the European Union’s Artificial Intelligence Act (EU AI Act). This classification is crucial, as it determines whether an AI system will be subject to the EU AI Act’s most burdensome obligations. The Draft Guidelines provide general principles which inform if an AI system is high-risk, as well as a non-exhaustive list of examples of high-risk AI systems across various sectors. Organizations can provide feedback on the Draft Guidelines via this survey until June 23, 2026.

Continue Reading Draft Guidelines Clarify Which AI Systems Are “High-Risk” Under EU AI Act

In its first year under the Trump-Vance administration, the Federal Trade Commission (FTC) has aggressively enforced consumer protection and privacy laws and initiated new rulemakings. Although the new rulemaking activity is somewhat surprising in a Republican administration, the FTC has expressed its intent to conduct a more rigorous economic analysis of the effects of any new regulations. Based on the FTC’s activity over the past year, we have identified the issues below as top FTC priorities and provided takeaways for companies to help steer clear of regulatory scrutiny.

Continue Reading Consumer Protection Update: Insights into the First Year of the Trump-Vance FTC