Five Eyes Cybersecurity Agencies Issue Statement Regarding AI-Related Shifts in Cybersecurity Risks, Urging Organizational Leaders to “Act Now”
On June 22, the leaders of the cybersecurity agencies in Australia, Canada, New Zealand, the UK, and the U.S. issued a joint statement calling for an “urgent” focus on cyber resilience in anticipation of “frontier AI models . . . exceed[ing] current industry expectations” and “fundamentally transforming both offensive and defensive cyber capabilities” within a timeline of “months.” The frontier AI models referenced in the statement are the latest generation of advanced AI models that are capable of identifying and exploiting security vulnerabilities, which may result in an increased cadence of cybersecurity intrusions and data loss. In light of the growing capabilities of these models, the statement encourages organizations to avoid treating cyber risk “as a purely technical issue” or an “IT issue” and instead take a “whole-of-organization” approach to cyber resilience that treats it as a “core business risk and leadership responsibility” that is “central to operational continuity and market trust.” The statement also proposes several “urgent” practical actions that organizations can take to reduce risk, many of which were also discussed in our recent client alert regarding key considerations for lawyers addressing cyber risks posed by frontier models.
Vermont Enacts Privacy Legislation to Regulate Health-Related Information
Vermont recently enacted two privacy bills to regulate health-related information. These include H.639, a genetic privacy bill regulating direct-to-consumer genetic testing companies, and the Vermont Data Privacy and Online Surveillance Act (S.71), a comprehensive privacy law that extends heightened protections to “consumer health data.” You can read our full…
CNIL Updates Two Standards For Health Research (MR-001 and MR-003)
On May 26, 2026, the French data protection authority (“CNIL”) published updated versions of its Reference Methodology 001 (“MR-001”, available here in French) and Reference Methodology 003 (“MR-003”, available here in French), two key frameworks governing the processing of personal data in the context of health research.
CISA Releases Binding Operational Directive on Prioritizing Security Updates Based on Risk
On June 10, the Cybersecurity & Infrastructure Security Agency (CISA) released Binding Operational Directive (BOD) 26-04 on Prioritizing Security Updates Based on Risk and the accompanying Implementation Guidance. In releasing the BOD and Implementation Guidance, CISA noted that the documents are “part of CISA’s response to the current threat…
Vermont Data Privacy Bill Signed into Law
On June 16, 2026, the Vermont Governor signed into law the Vermont Data Privacy and Online Surveillance Act, making Vermont the fourth state to enact a comprehensive data privacy law this year. The law will take effect on January 1, 2028.
Amadeus IT Group Receives GDPR Fine
On May 26, 2026, the Spanish Data Protection Agency (“AEPD”) published details of its decision to fine Amadeus IT Group, S.A. (“Amadeus”), a Madrid-headquartered technology provider for the global travel and tourism industry, EUR 18 million in connection with GDPR violations involving Amadeus’s Global Distribution System (“GDS”). Amadeus voluntarily paid the fine, less a 20% reduction, on May 29, 2025, thereby terminating the proceedings without admitting liability. The fine, one of the largest the AEPD has imposed, highlights the enforcement risks associated with repurposing personal data such as passenger data without appropriate transparency or a valid legal basis under the GDPR.
The TAKE IT DOWN Act’s Notice and Removal Requirements Enter Into Effect
On May 19, 2026, the notice and removal requirements set forth in Section 3 of the Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act (“TAKE IT DOWN Act” or “TIDA”) entered into effect. Under this section, covered platforms must establish a process for individuals to notify the platform of certain intimate visual depictions that were shared without their consent and to request their removal. Covered platforms that receive valid requests must remove the visual depictions and identical copies within 48 hours. The FTC, which enforces the TIDA, intends to do so “vigorously.” The FTC has launched a website where individuals can submit complaints about platforms that fail to comply with these requirements and has sent warning letters advising companies of their obligations under the law.
Washington Anti-Spam Law Decision Addresses Article III Standing in CEMA Cases
A federal court recently addressed whether plaintiffs alleging misleading commercial email practices in violation of Washington’s Commercial Electronic Mail Act (“CEMA”) have Article III standing to pursue claims. The ruling suggests that alleged violations of CEMA, standing alone, could constitute a concrete injury for Article III standing, where the asserted harm aligns with the statute’s purpose.
ENISA’s NIS360 2026 report highlights both the criticality of the European space sector, and flags a persistent cybersecurity maturity gap
On May 28, 2026, the European Union Agency for Cybersecurity (“ENISA”) published the third edition of its NIS360 report, an annual benchmarking tool that assesses the cybersecurity maturity of entities in the sectors set out in Annex I of the NIS2 Directive (which includes certain entities in the energy, transport, healthcare, digital infrastructure, and space sectors), as well as the relative criticality of the relevant sectors. The NIS360 is designed to support national authorities, policymakers, and other stakeholders in understanding where sectors stand in terms of cybersecurity readiness, including where more support or oversight might be needed.
Brazil Steps Up Regulation of Violence Against Women in the Digital Environment
On 20 May 2026, Brazil adopted Presidential Decree No. 12,976, establishing a comprehensive framework to address violence against women online. Adopted alongside a parallel decree (No. 12,975) reforming intermediary liability, it reflects a more assertive approach to regulating online harms, including those driven or amplified by AI. Together, these measures will require companies to reassess internal processes to ensure rapid content removal and more proactive monitoring, including for AI‑enabled services.