On June 15, 2026, the UK government announced plans to introduce a social media ban for users under 16 (under-16s), alongside restrictions on features deemed harmful to minors, such as livestreaming and messaging functions, for a wider range of online services, including those in the gaming sector. These measures, which may require platforms active in the UK market to significantly alter their operations, are expected to come into force in Spring 2027.
New York Legislature Passes Ban on Personalized Pricing
Last week, the New York State Legislature passed the One Fair Price Act (S.8623B/A.9349B) (the Act), a bill that prohibits businesses from using personal data—such as purchase history, browsing history, real-time location, income, or inferred…
Trump Administration Issues Executive Order on Advanced AI Innovation and Security
Key Takeaways
- The Executive Order, Promoting Advanced Artificial Intelligence Innovation and Security (Order), directs the creation of a framework for developers of advanced frontier models to engage with the federal government for a voluntary pre-release review of the models.
- The Order also directs the Treasury Department, together with the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA), to establish a clearinghouse to coordinate cyber vulnerability scanning, discovery, and patch distribution, in collaboration with private sector artificial intelligence (AI) and critical infrastructure companies.
- CISA must issue Binding Operational Directives (BODs) and other guidance to expedite cyber defense of civilian federal systems and expand use of AI-enabled defensive tools.
- The Order directs the Attorney General to prioritize prosecution of AI- and AI agent-facilitated computer crimes, identity theft offenses, and wire fraud schemes.
- Developers considering engagement with the federal government for model pre-release review will need to assess the scope of pre-release access and the safeguards available during the early access window.
- Companies seeking to become trusted partners should engage carefully with the U.S. government; those trusted partners may receive early access to covered frontier models, but also may be asked to disclose sensitive information and agree to continuing collaboration with the government.
European Commission Publishes Proposal for Act to Reduce Reliance on Foreign Cloud and AI
On June 3, 2026, the European Commission (EC) released its first draft of a proposed Cloud and AI Development Act (Proposal or CADA), marking a significant step forward in the EU’s efforts to strengthen its digital infrastructure and reduce strategic dependence on non-EU cloud providers.
YellowKey Zero-Day and the BitLocker Bypass: Compliance and Incident Response Implications
Key Takeaway
A publicly disclosed and widely unpatched zero-day vulnerability, named YellowKey, permits anyone with physical access to a device running Windows 11 or Windows Server 2022/2025 to bypass BitLocker full-disk encryption (Microsoft’s built-in tool that acts like a digital vault for a computer’s entire hard drive) and read protected data without a password or recovery key. Organizations that rely on BitLocker as a primary or sole data-protection control should reassess their risk posture immediately.
Connecticut Updates Its Data Privacy Act, Imposing Significant New Privacy Requirements
Last month, the Connecticut legislature passed two bills that amend and expand the Connecticut Data Privacy Act (CTDPA): Senate Bill 4 (SB 4) and House Bill 5222 (HB 5222). SB 4 (which was signed into law on May 27, 2026) and HB 5222 (which amends parts of SB 4 and was signed into law on June 2, 2026) contain new requirements for businesses and data brokers operating in the Constitution State.
“Shadow AI” Triggers First SEC Form 8-K for Unauthorized AI Use: What Financial Institutions and Public Companies Need to Know
Key Takeaways
- CB Financial Services, Inc. filed the first SEC Form 8-K under Item 1.05 triggered by an unauthorized use of an artificial intelligence (AI) tool, not an external cyberattack.
- A cybersecurity incident caused by insider misuse of AI (known as Shadow AI) should be assessed for disclosure under SEC rules.
- The four-business-day disclosure clock under Item 1.05 starts at the materiality determination, not at detection of the incident.
- Shadow AI should be considered as a cybersecurity risk as part of a company’s enterprise risk management framework.
- Financial institutions face layered exposure: federal banking guidance, state breach notification laws, and class action litigation.
- Suggested actions companies could take in reaction to Shadow AI developments are included below.