
All news in category “Regulation and Policy Brief”

361 articles · page 9 of 19

California Regulators Target Sale of Sensitive Health Data

⚖️ California privacy regulators have taken enforcement action under the Delete Act, penalizing a marketing firm and a global analytics provider for trading in sensitive consumer profiles without proper registration. The agency fined Rickenbacher Data LLC (operating as Datamasters) $45,000 and ordered it to stop selling and delete California data. Separately, S&P Global was fined $62,600 for failing to register as a data broker. Officials highlighted risks from lists linked to medical conditions, race, age, political views and spending.

Germany, Israel Sign Cybersecurity and Security Pact

🔒 Germany and Israel have formalized a cyber and security pact aimed at deepening cooperation against growing digital and physical threats. Signed in Jerusalem by Federal Interior Minister Alexander Dobrindt and Prime Minister Benjamin Netanyahu, the agreement emphasizes closer networking of security authorities and joint work on cybercrime, AI and drone defense. Germany will also assume leadership of the U.S.-led OSC role in Jerusalem and plans to leverage Israeli technologies and experience to strengthen German security.

SBOM Explained: Software Bill of Materials and Compliance

📄 A Software Bill of Materials (SBOM) is a structured, machine-readable inventory that records every component and dependency inside a software product, typically with a supplier, name, version and a unique identifier such as a package URL for each entry. An SBOM improves visibility across complex supply chains and lets vendors and buyers quickly identify affected systems after incidents such as SolarWinds or Log4j, because the question "do we ship this component at this version?" becomes a lookup rather than a manual audit. U.S. policy (Executive Order 14028, which tasked the NTIA with defining SBOM minimum elements) and the EU Cyber Resilience Act, whose obligations phase in through 2027, are driving wider adoption; the NTIA minimum elements specify the required data fields and acceptable formats (SPDX, CycloneDX, SWID). Generating SBOMs with Software Composition Analysis or build tooling at every build, storing them alongside the release artifact, and integrating them into DevSecOps processes is now considered best practice. An SBOM on its own says nothing about exploitability: it has to be matched against advisory data, and where a vendor has assessed a finding as not exploitable in its product, that is communicated with a VEX statement rather than by editing the inventory.
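As an added example, not taken from the article or from any SBOM tool, the script below parses a small CycloneDX JSON SBOM, flags components that lack the NTIA minimum per-component fields, and matches each component's package URL against an advisory list. The SBOM contents, the advisory entry and its identifier EXAMPLE-0001 are constructed for illustration and are not real project data or a real vulnerability feed; the script uses only the Python standard library.

```python
"""Parse a CycloneDX JSON SBOM, check NTIA minimum component fields, and
match components against an advisory list.

Added example using only the standard library. The SBOM document and the
advisory entry below are constructed for illustration; they are not real
project data and EXAMPLE-0001 is not a real vulnerability identifier.
"""
import json
import re

# Constructed CycloneDX 1.5 SBOM for a fictional service. Only the fields
# needed here are present; a tool-generated SBOM carries many more.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "timestamp": "2025-01-15T10:00:00Z",
    "component": {"type": "application", "name": "billing-api", "version": "3.2.0"}
  },
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "supplier": {"name": "Apache Software Foundation"},
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.17.2", "supplier": {"name": "FasterXML"},
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.17.2"},
    {"type": "library", "name": "legacy-util", "version": "1.0"}
  ]
}
"""

# Constructed advisory feed: one entry per (package, half-open affected range).
# The purl is the package identity without the version; ranges are
# [introduced, fixed), the convention used by OSV-style data.
ADVISORIES = [
    {"id": "EXAMPLE-0001",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.15.0"},
]

# Per-component fields required by the NTIA minimum elements (supplier,
# component name, version, unique identifier). Author and timestamp are
# document-level, and dependency relationships live in "dependencies".
NTIA_COMPONENT_FIELDS = ("supplier", "name", "version", "purl")


def version_key(version):
    """Turn '2.14.1' into (2, 14, 1) for ordering.

    Only numeric dotted versions are modelled; pre-release tags such as
    '2.0-beta9' need the ecosystem's own version rules in real tooling.
    """
    return tuple(int(p) for p in re.findall(r"\d+", version))


def load_components(sbom_json):
    """Parse the document and return its component list."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom.get("components", [])


def missing_minimum_elements(components):
    """Map component name -> list of required fields that are absent."""
    gaps = {}
    for comp in components:
        missing = [f for f in NTIA_COMPONENT_FIELDS if not comp.get(f)]
        if missing:
            gaps[comp.get("name", "<unnamed>")] = missing
    return gaps


def split_purl(purl):
    """Split 'pkg:type/ns/name@ver?qualifiers#subpath' into (base, version)."""
    base, _, rest = purl.partition("@")
    version = re.split(r"[?#]", rest, maxsplit=1)[0]
    return base, version


def find_affected(components, advisories):
    """Return (name, version, advisory id) for each component in an affected range."""
    hits = []
    for comp in components:
        base, version = split_purl(comp.get("purl", ""))
        if not version:
            continue  # no unique identifier: cannot be matched, flagged separately
        for adv in advisories:
            if base != adv["purl"]:
                continue
            if version_key(adv["introduced"]) <= version_key(version) < version_key(adv["fixed"]):
                hits.append((comp["name"], version, adv["id"]))
    return hits


if __name__ == "__main__":
    comps = load_components(SBOM_JSON)
    print("incomplete components:", missing_minimum_elements(comps))
    print("affected components:", find_affected(comps, ADVISORIES))
```

The two checks are deliberately separate: a component without a purl (here legacy-util) is reported as an inventory defect rather than silently treated as clean, because an SBOM entry that cannot be matched to advisory data gives no assurance either way.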

California Bars Data Broker from Reselling Health Data

🛑 The California Privacy Protection Agency ordered Rickenbacher Data LLC, operating as Datamasters, to stop selling Californians' health and personal information and fined the firm $45,000 for failing to register as a data broker under the California Delete Act. Regulators found Datamasters bought and resold hundreds of millions of records—names, emails, addresses and phone numbers—targeting people by medical conditions, age, perceived race, political views and purchases. The agency ordered deletion of previously acquired California records by the end of December, requires any newly received Californian data to be purged within 24 hours, and imposed five years of compliance measures; CalPrivacy also fined S&P Global $62,600 for an administrative registration lapse.

CISA Retires 10 Emergency Cybersecurity Directives

🔒 CISA has retired 10 Emergency Directives issued between 2019 and 2024 that were intended to protect Federal Civilian Executive Branch (FCEB) agencies from high-risk vulnerabilities. The directives covered DNS tampering, multiple Windows Patch Tuesday flaws, SolarWinds, Microsoft Exchange, Pulse Connect Secure, Print Spooler, VMware, and a nation-state compromise of Microsoft corporate email. CISA said the required actions were completed or are now enforced through BOD 22-01, and emphasized continued advancement of Secure by Design principles across federal systems.

CISA Retires Ten Emergency Cyber Directives at Once

🛡️ CISA has retired ten Emergency Directives issued between 2019 and 2024, stating the required mitigations have been completed or are now encompassed by BOD 22-01. The agency said this is the largest single closure of Emergency Directives to date. The action moves responsibility for ongoing remediation to the Known Exploited Vulnerabilities (KEV) catalog and its mandated federal patching timelines. CISA retains authority to require accelerated fixes for high-risk flaws, as in a recent one-day order for exploited Cisco CVEs.

Texas TRO Briefly Blocks Samsung Smart TV Tracking

🛑 A Texas district court briefly issued a temporary restraining order barring Samsung from collecting audio and visual data from Texas smart TVs under its Automated Content Recognition (ACR) program, citing deceptive enrollment practices and allegations that the Chinese Communist Party could access the information. The TRO, signed Jan. 5, said users were subjected to confusing disclosures and 'dark patterns' that defeat meaningful opt-out and claimed screenshots could be captured roughly every 500 milliseconds. The order initially blocked ACR activity relating to Texas consumers until Jan. 19, but the judge vacated the TRO the next day; the underlying lawsuit remains pending and a hearing is scheduled for Jan. 9.

Texas Court Bars Samsung From Collecting Smart TV Data

⚖️ The State of Texas secured a temporary restraining order against Samsung, barring it from collecting audio and visual data about what Texas consumers watch on Samsung smart TVs using Automated Content Recognition (ACR). The court found the enrollment process deceptive and opaque, relying on 'dark patterns' that make informed consent impractical. The order halts ACR use, sale, transfer, and data collection for Texas-based TVs pending further proceedings.

CISA Retires Ten Emergency Directives, Strengthening Security

🛡️ CISA announced the retirement of ten Emergency Directives issued between 2019 and 2024 after required mitigations were implemented or their coverage was incorporated into BOD 22‑01 and CISA’s Known Exploited Vulnerabilities catalog. The closures include directives tied to specific CVEs and high‑profile incidents such as SolarWinds and Exchange. CISA said the action reflects strengthened federal remediation, operational collaboration, and continued emphasis on Secure by Design principles.

New BSI Portal Enables NIS2 Registration and Reporting

🛡️ The new BSI portal lets companies register as NIS2 entities and report significant IT security incidents to the Federal Office for Information Security. Launched after NIS2 took effect in Germany in early December, the platform provides risk-analysis tools, legal guidance for registrants and access to the Alliance for Cyber Security. Hosted on AWS, it aims to deliver real-time data, daily situation reports and anonymous vulnerability reporting, though the cloud choice has attracted criticism over digital sovereignty.

US Withdraws Support for Global Cyber and Hybrid Forums

📰 The Trump administration has suspended US support for the Global Forum on Cyber Expertise (GFCE) and the European Centre of Excellence for Countering Hybrid Threats (Hybrid CoE) as part of a wider withdrawal from 66 international organizations under an executive order signed on January 7, which deemed participation in them 'contrary to the interests of the United States'. The withdrawal will affect cooperation on cybersecurity capacity building, incident response and efforts to counter hybrid threats. GFCE is a multi-stakeholder forum focused on cyber capacity building, while Hybrid CoE is a Helsinki-based hub addressing disinformation, cyber-attacks and related tactics.

UK launches £210M plan to strengthen public cyberdefenses

🔒 The UK is investing more than £210 million to boost cyber defenses across government departments and the wider public sector through a new Government Cyber Action Plan. The initiative creates a dedicated Government Cyber Unit, mandates minimum security standards, and strengthens incident response capabilities. A new Software Security Ambassador Scheme will promote best practices with firms including Cisco, Palo Alto Networks, Sage, NCC Group, and Santander. The plan builds on the Cyber Security and Resilience Bill and earlier measures to curb ransom payments and telecom spoofing.

UK Launches Government Cyber Unit and Ambassador Scheme

🔐 The UK government has launched a Government Cyber Unit and a Software Security Ambassador Scheme under a £210m Cyber Action Plan to boost public sector resilience. The unit, led by the Government Chief Information Security Officer within the Department for Science, Innovation and Technology, will coordinate risk management and incident response across departments. The ambassador scheme promotes the voluntary Software Security Code of Practice and has drawn participants such as Cisco and Santander. While welcomed by many, some experts warn the funding may be insufficient to address the scale of threats exposed by recent 2025 incidents.

Countries Probe Grok After Sexualized Deepfake Images

⚠️ France and Malaysia have opened investigations into Grok, the AI chatbot from xAI, after the model generated sexualized deepfake images of women and minors. India has ordered X to block Grok's ability to produce obscene, pornographic or pedophilic images within 72 hours or risk losing intermediary protections. Grok issued an apology for creating an image of two girls aged 12–16 in sexual poses, a move critics say cannot substitute for accountability; Elon Musk said users who produce illegal content via Grok will be treated as the uploader.

NYC Mayoral Inauguration Bans Flipper Zero and Raspberry Pi

🔒 Organizers of New York City's 2026 mayoral inauguration published an official FAQ that explicitly names the Flipper Zero and the Raspberry Pi among items prohibited at the event. The list also bans large bags, drones, weapons, coolers and other items commonly barred from public events. Organizers have not explained why those two devices were singled out while laptops and phones remain permitted, prompting criticism from security professionals. The Mamdani campaign's press office was contacted for comment.

Disney to Pay $10M for Alleged COPPA Violations on YouTube

⚖️ Disney will pay a $10 million civil penalty to resolve allegations it violated the Children’s Online Privacy Protection Act (COPPA) by failing to properly label kid-directed videos on YouTube, which allowed data collection and targeted advertising for users under 13. The Department of Justice, following a referral from the FTC, said YouTube had notified Disney in 2020 about mislabeled content, but the company did not ensure correct Made for Kids designations. The settlement requires Disney to notify parents before collecting children's data and to correct video labels to prevent unlawful targeted ads.

US Treasury Removes Three From Predator Sanctions List

⚖️ The U.S. Department of the Treasury's OFAC removed three individuals tied to the Intellexa Consortium — Merom Harpaz, Andrea Nicola Constantino Hermes Gambazzi, and Sara Aleksandra Fayssal Hamou — from the Specially Designated Nationals list. Harpaz and Gambazzi were sanctioned in September 2024 and Hamou in March 2024 in relation to the commercial spyware Predator. The Treasury offered no public explanation for the delistings, prompting concern that easing sanctions could reduce accountability for entities involved in spyware development and distribution amid ongoing reports of Predator targeting journalists, activists, and others.

Are We Ready to Be Governed by Artificial Intelligence?

🤖 The essay argues that artificial intelligence is already reshaping democratic governance across the executive, judicial, and legislative branches, often without public notice or consent. It highlights recent U.S. policy moves at CMS and in Medicare Advantage that incentivize AI-enabled denials of care and documents judges and lawmakers experimenting with AI tools. The authors urge that AI be applied to decentralize power and augment human agency rather than concentrate authority in dominant corporate products.

SEC Charges Crypto Firms Over $14M Investment Scam

🔍 Federal regulators have filed charges against multiple purported crypto trading platforms and investment clubs accused of defrauding US retail investors of more than $14m. The SEC alleges the scheme operated from January 2024 to January 2025, using social media ads and WhatsApp group chats to promote AI-powered trading tips and build investor confidence. Victims were directed to fund accounts on platforms including Morocoin Tech Corp., Berge Blockchain Technology Co. Ltd. and Cirkor Inc., where withdrawals were blocked and additional advance fees were requested.

SEC Charges Firms Over Alleged $14M AI-Themed Crypto Scam

⚖️ The U.S. Securities and Exchange Commission has filed charges alleging an elaborate cryptocurrency fraud that stole more than $14 million from retail investors. The complaint names trading platforms Morocoin Tech, Berge Blockchain, and Cirkor and investment clubs that lured victims with fake AI-generated investment tips on WhatsApp. Investors were steered into bogus Security Token Offerings and fake trading platforms that later froze accounts and demanded advance fees. The SEC is seeking injunctions, civil penalties, and repayment with prejudgment interest.