Yesterday — 26 June 2026 (Security/Privacy)

RESOURCE: U.S. State Data Broker Laws Comparison Chart

By: Dissent
25 June 2026 at 09:59
David Stauss of Stauss Law writes: Key point: Our new chart compares the data broker laws of California, Connecticut, Nevada, Oregon, Texas, and Vermont, covering applicability standards, registration and disclosure obligations, consumer rights, and penalties. State data broker laws are proliferating, and they vary widely in scope and structure. Connecticut recently passed a data broker...
Before yesterday (Security/Privacy)

The UK’s New Under-16 Social Media Ban Will Cause More Harm Than It Prevents

By: Dissent
23 June 2026 at 07:15
Paige Collings and Jillian C. York write: This week, politicians in the UK pushed forward with plans to eviscerate privacy and free speech on the internet by announcing a ban on social media for users under 16 that is set to take effect in Spring 2027. The UK government continues to falsely characterize this policy as a necessary response...

Vermont becomes 23rd state to enact consumer privacy law

By: Dissent
18 June 2026 at 08:31
IAPP reports: Vermont became the 23rd state to enact a comprehensive state privacy law. Gov. Phil Scott, R-Vt., signed Senate Bill 71, the Vermont Data Privacy and Online Surveillance Act into law 16 June. With Scott’s signature, Vermont becomes the fourth state to pass a comprehensive privacy law this year, joining Alabama, Louisiana and Oklahoma. The law...

Take two: New York tries again to pass a consumer health privacy law

By: Dissent
18 June 2026 at 07:36
James Mann and David Saunders of McDermott Will & Schulte write: Readers may recall that last year, New York attempted to enact a health privacy law that was ultimately vetoed by the governor. Now, New York is back with another attempt that, after some modification from last year’s version, stands a chance of being signed by Governor Kathy Hochul. Like...

Ca: Privacy as a Fundamental Right? The Government’s Terrible Privacy Track Record Suggests Virtue Signalling Over a Genuine Commitment

By: Dissent
15 June 2026 at 08:32
Canadian privacy law professor Michael Geist writes: The government is set to introduce its long-promised privacy reform legislation early this week, with the recognition of a fundamental right to privacy expected to serve as a foundational element of the bill. Establishing privacy as a fundamental right would be a welcome and long-overdue development, one that many have...

Controversial FISA spying law expired this week. The spying will continue.

By: Dissent
14 June 2026 at 08:12
On June 12, Jon Brodkin reported: Title VII of the Foreign Intelligence Surveillance Act (FISA) is set to expire at midnight tonight after Congress failed to pass an extension of the controversial spying law. But that doesn’t mean the government’s spying powers will disappear. Surveillance under Section 702 of FISA “operates under yearlong certifications approved...

Louisiana Enacts Comprehensive Consumer Privacy Law

By: Dissent
13 June 2026 at 09:30
From Hunton Andrews Kurth: Louisiana recently enacted Senate Bill 386, the Louisiana Data Privacy Act (“LDPA”), becoming the 22nd U.S. state to adopt a comprehensive consumer data privacy law. The LDPA follows the now-familiar controller/processor and consumer-rights framework seen in many state comprehensive data privacy laws, with certain distinctions. Scope The LDPA applies to any person...

Connecticut Enacts Omnibus Privacy Law

By: Dissent
2 June 2026 at 07:46
Lindsey Tonsager, Laura Kim, Bryan Ramirez & Clare Mathias of Covington and Burling write: On May 27, 2026, the Connecticut governor signed SB 4, an omnibus privacy law, which among other things, amends the Connecticut Data Privacy Act (“CTDPA”), establishes a data broker registry and accessible deletion mechanism, imposes restrictions on the use of price setting devices and...

Nevada Supreme Court pauses state law restricting abortion for minors

By: Dissent
31 May 2026 at 10:26
Margaret Attridge reports: The Nevada Supreme Court granted a victory to reproductive health advocates and abortion providers Thursday, blocking enforcement of a 1985 state law restricting abortion for minors. Reversing a lower court’s denial of a preliminary injunction, an en banc panel of justices ruled Nevada Senate Bill 510 — passed in 1985, never enforced and...

The form asked my permission to share my health data. Then it wouldn’t let me say no.

By: Dissent
27 May 2026 at 10:15
Dark patterns force patients to share their data with big healthcare networks, even when the privacy form they’re signing explicitly says they can opt-out. By: Alex Rosenblat When Paula Stannard, one of the federal government’s top healthcare privacy officials, visited her eye doctor this year, she was asked to sign a form, acknowledging she’d received...

Why the Supreme Court’s Chatrie case could change the meaning of privacy in America

By: Dissent
25 May 2026 at 09:25
Suzanne Smalley reports: The Supreme Court is currently weighing a case that could reshape how law enforcement works with technology firms to identify potential suspects. In the next few weeks, the court is expected to rule on whether or not so-called geofence warrants are legal under the Fourth Amendment, which prohibits unreasonable searches and seizures...

Murphy measure to protect Illinois consumers’ sensitive data advances in Senate

By: Dissent
22 May 2026 at 09:51
From the Illinois Senate Democrats: State Senator Laura Murphy is leading a comprehensive measure to protect consumers’ data and shield them from targeted advertisements. “By placing guardrails around consumers’ personal information, we eliminate companies’ ability to collect and sell the most sensitive data of Illinoisans,” said Murphy (D-Des Plaines). “We then put the power in...

Delaware House passes bills to strengthen data privacy laws

By: Dissent
22 May 2026 at 09:27
Matthew Pencek reports: Two bills aimed at strengthening Delaware’s data privacy protections and improving transparency around data breaches passed the Delaware House on Thursday and now move to the Senate for consideration. The measures, House Bill 380 and House Bill 381, were developed in partnership with the Delaware Department of Justice. … House Bill 380 would expand Delaware’s...

Proposed State Laws For Breach Notification Could Reshape Incident Response Plans

By: Dissent
22 May 2026 at 09:53
Joseph Lazzarotti of JacksonLewis writes: State breach-notification laws continue to evolve, and legislatures are using 2026 sessions to tighten consumer protections and shift the civil liability landscape that often follows a cyber event. For businesses, the practical takeaway is that incident response planning increasingly needs to account not only for “whether notice is required,” but...

CISA credential leak raises alarms, and Capitol Hill demands answers

19 May 2026 at 19:28

Congress wants answers from the Cybersecurity and Infrastructure Security Agency about the reported public exposure of sensitive agency credential data on GitHub in an incident that the security researcher who discovered it called one of the worst leaks he’s ever seen.

Other security professionals also voiced concern Tuesday about the leak and the potential for abuse by any malicious parties who got a hold of the information.

Security firm GitGuardian said it discovered a public GitHub repository last week that exposed credentials for privileged AWS GovCloud accounts and internal CISA systems dating back to November. The repository, apparently maintained by a contractor, was named “Private-CISA.” 

Krebs on Security first reported the incident.

“My main fear … is that a state actor will get the data and might be able to do bad stuff,” GitGuardian security researcher Guillaume Valadon told CyberScoop, describing what went through his mind once he concluded the leak was real; he initially thought it looked fake.

State-based attackers who obtained the credentials “might be able to gain persistence,” Valadon said, “so for me it’s even worse than an attacker destroying everything, having someone in a governmental system — it’s really, really bad.”

A House Homeland Security Committee aide said the panel is seeking a staff-level briefing from CISA on the matter.

Mississippi Rep. Bennie Thompson, the top Democrat on the Homeland Security Committee, and Delia Ramirez, the top Democrat on the panel’s cyber subcommittee, had separately demanded a briefing Tuesday in a letter to CISA’s acting director, Nick Andersen. 

They said they wanted to learn “how this serious security lapse occurred, any potential security consequences, remediation activities, corrective actions related to the contractor personnel involved, and efforts to monitor for and prevent similar activity from occurring in the future.”

Sen. Maggie Hassan, D-N.H., also sent a letter Tuesday to Andersen, seeking a classified briefing to answer questions about which systems were exposed, what forensic work CISA did to evaluate potential damage and what corrective action it has taken.

“This reported incident raises serious questions about how such a security lapse could occur at the very agency charged with helping to prevent cyber breaches,” Hassan wrote in the missive first reported by Axios, particularly “regarding CISA’s internal policies and procedures at a time of significant cybersecurity threats against U.S. critical infrastructure.”

Both letters pointed to personnel and budget cutbacks at the agency as a potential contributor to the incident.

CISA said it was looking into what happened.

“The Cybersecurity and Infrastructure Security Agency is aware of the reported exposure and is continuing to investigate the situation,” a spokesperson said. “Currently, there is no indication that any sensitive data was compromised as a result of this incident. While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.” 

The repository was reportedly maintained by a contractor at Nightwing. A Nightwing spokesperson referred questions to CISA.

The kind of exposure that happened for CISA “is an unfortunately painful, but common and repeated, if not relentless, way that we see organizations inadvertently leak very sensitive credentials to the wider web,” said Ben Harris, founder of WatchTowr, a company that helps organizations detect such exposures.

Harris told CyberScoop he didn’t want to speculate on what attackers who obtained the credentials might be able to do with them, but he said that it would be “terrifying” if the contractor was transferring information from work to home, as one researcher theorized.

Dave Mitchell, senior director of threat intelligence at Infoblox, told CyberScoop the incident showed the importance of teams having controls and audits in place across their repositories.

“Of all the things that keep me up at night, misconfigurations in GitHub are a recurring nightmare. It’s critical for so many organizations — all it takes is one accidental upload or misconfiguration and you’ve signed yourself up for a major incident,” he said in a written statement. “No need for a threat actor to use advanced techniques to compromise you if the keys are already sitting on the counter.”

Travis Rosiek, public sector chief technology officer at Rubrik, noted that the timing of the issue aligned with the government shutdown that was only recently resolved for DHS. He said the incident showed the federal government needs to prioritize resilience.

“A persistent shortage of cybersecurity talent, combined with funding lapses, high workforce turnover, and an increasingly complex threat landscape, created the perfect storm for this scenario,” he said in a written statement to CyberScoop. “No organization is immune, and we must ensure that the federal government, which is responsible for helping protect the nation’s critical infrastructure and enhancing our cybersecurity posture, remains fully operational 24-7, 365 days a year.”

Without minimizing the severity of the incident, some researchers who have looked at the leak said there are mitigating circumstances that make elements of it defensible or, at least, understandable.

CISA acted very swiftly to remove the repository, Valadon said, once he alerted them to the leak.

And even if CISA has the right policies in place, human error still can make it difficult to entirely avoid incidents like this, Harris said.

“The reality is this happens every single day to different organizations, including cybersecurity companies,” he said, noting it would be different if it was a pattern. “This is not exclusive to CISA. I don’t really think it reflects well if we saw this every single day with CISA. … It’s not ideal that it’s even happened once, but the reality is that cybersecurity is people, process, technology.”

CISA has had other security incidents in the past, including recently. The former acting director of the agency endured criticism for uploading sensitive contract data to ChatGPT last year. In 2024 the agency notified Congress of a breach of a chemical plant security tool.

Updated 5/20/26: to include more information on a House Homeland Security Committee briefing request.

The post CISA credential leak raises alarms, and Capitol Hill demands answers appeared first on CyberScoop.

U.S. companies hit with record fines for privacy in 2025

By: djohnson
28 April 2026 at 03:30

U.S. states issued $3.45 billion in privacy-related fines to companies in 2025, a total larger than the last five years combined, according to research and advisory firm Gartner.

The increase is driven in part by stronger, more established privacy laws in states like California, new interstate partnerships built around enforcing laws across state lines, and a renewed focus on how AI and automation affect privacy.

The data indicates that “regulators are shifting their efforts away from awareness to full scale enforcement,” marking a significant shift from even the last few years in how aggressively states are investigating and penalizing companies for privacy law violations.

“This is increasingly becoming the standard in 2026 and for the coming two years,” Gartner’s analysis concludes.

[Figure] Privacy-related fines have gone up significantly in recent years. (Source: Gartner)

The California Consumer Privacy Act had consumer privacy provisions go live in 2023, but for years enforcement was largely dormant. According to Nader Heinen, a data protection and AI analyst at Gartner and co-author of the research, that enforcement lag mirrors the way other major privacy laws, like Europe’s General Data Protection Regulation, have been carried out in order to “lead with a bit of guidance” for companies while using enforcement sparingly.

But that era appears to be over. In 2025, the California Privacy Protection Agency has used the law to pursue violators across a wide range of industries — not just large conglomerates, but smaller and mid-sized companies in tech, the auto industry, and consumer products, including off-the-shelf goods and apparel.

Heinen said some businesses “weren’t paying attention” and may have been lulled into a false sense of complacency as regulators spun up their enforcement teams, leading to a harsh 2025.

“Unfortunately what happens when so much time passes between the legislation and starting enforcement regularly, is a lot of organizations let their privacy program atrophy,” he said.

States have also sought to combine their resources to target and penalize privacy violators across state lines. Last year, ten states came together to form the Consortium of Privacy Regulators, pledging to coordinate investigations and enforcement of common privacy laws around accessing, deleting and preventing the sale of personal information.

Beyond laws like the CCPA, states have been updating existing privacy and data-protection laws to more directly address harms from automated decision-making technologies, including AI. State privacy regulators are especially focused on how personal or private data is used to train AI systems and help them make inferences.

Gartner expects privacy fines to further increase in the coming years and Heinen said states will likely again lead the way on building the legal infrastructure to enforce data privacy in the AI age as they become the main conduit for lingering anxiety about the potential negative impacts of the technology.

“You have to put yourself in the position of these state legislatures,” Heinen said. “Their constituencies – the voting public – is telling them we’re worried about AI. AI anxiety is a thing. Everybody’s worried about whether AI is going to take their job or impact their capacity to find a job, so they want to see legislation in place to protect them.”

This past month, House Republicans unveiled their latest attempt to pass comprehensive federal privacy legislation with a bill that would preempt tougher state laws like those in California. In particular, the CCPA gives residents a private right of action – the legal right to sue companies directly – for violation of privacy laws.

On Monday, Tom Kemp, executive director of the California Privacy Protection Agency, wrote to House Energy and Commerce Chair Brett Guthrie, R-Ky., to oppose the bill, arguing it would provide “a ceiling” for Americans’ data privacy protections rather than a “floor” to build on.

“Preemption would strip away important existing state privacy provisions that protect tens of millions of Americans now,” Kemp wrote. “That would be a significant step backward in privacy protection at a time when individuals are increasingly concerned about their privacy and security online, and when challenges from data-intensive new technologies such as AI are developing quickly.”

The post U.S. companies hit with record fines for privacy in 2025 appeared first on CyberScoop.

AI is making it very easy for the government to spy on you. Some lawmakers are worried.

By: Dissent
26 April 2026 at 09:18
Jared Perlo reports: The long-running fight to rein in the government’s power to search Americans’ phone calls, emails and text messages without a warrant has gained new urgency on Capitol Hill over concerns that AI will supercharge state surveillance. Lawmakers are currently jockeying over reforms to a key law that enables warrantless monitoring of Americans’...

House Republicans Introduce Comprehensive Federal Privacy Bill: “SECURE Data Act”

By: Dissent
25 April 2026 at 10:08
Hunton Andrews Kurth writes: On April 22, 2026, the House Energy & Commerce Committee announced the introduction of and intention to advance the “Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act” (the “SECURE Data Act”). The SECURE Data Act, which was crafted by the majority committee members’ Privacy Working Group, would replace the...

Privacy Websites break California privacy law at ‘industrial scale,’ survey finds

By: Dissent
24 April 2026 at 17:09
Tech companies like Google, Facebook and Microsoft are ignoring data controls mandated under California law, researchers say. By: Colin Lecher A new audit has found that websites across the internet may be failing to abide by California privacy law, ignoring a requirement to not track visitors who set a privacy control. The report, from researchers...

Alabama Becomes 21st State With Comprehensive Consumer Privacy Law

By: Dissent
22 April 2026 at 09:32
Hunton Andrews Kurth writes: On April 17, 2026, Alabama Governor Kay Ivey signed into law the Alabama Personal Data Protection Act (HB 351) (“APDPA” or “the Act”), making Alabama the twenty-first state to enact a comprehensive consumer privacy law. The law goes into effect on May 1, 2027. Alabama enacted the APDPA within an already maturing ecosystem...