Researchers at cybersecurity firm Proofpoint have discovered that a “suspected China-aligned threat cluster named UNK_MassTraction” is attacking mailservers belonging to physics and engineering departments of U.S. and Canadian based universities. They have been tracking the activity since May 2026.

The threat actors are exploiting multiple n-day cross-site scripting vulnerabilities in Roundcube mailservers to “steal credentials and either install a webshell for follow-on access or deploy the VShell backdoor into the server’s memory.” The threat actors are targeting administrators and professors that have national security ties or are focusing on astrophysics and particle physics. According to Proofpoint, “the exploit only requires that the email is opened in the mail client to achieve access to the mailserver.” The messages sent to the administrators and professors were generic and innocuous, including resembling marketing or spam messages, so when the targets open the message, they overlook it and fail to report it to IT. However, the mere opening of the email (without having to interact with it) was enough for the threat actors to gain access to the content.

The scheme is quite elaborate, and if you want to learn more about its technicalities, read Proofpoint’s blog outlining the scheme in detail. Proofpoint reminds universities that “email delivery can facilitate compromise of mailservers, and that Chinese operators will continue to treat them like any other edge device. Defenders should prioritize defending the mailservers of their networks as thoroughly as they do their VPN concentrators and other remote access nodes on their networks.”

I would add that universities conducting research related to national security, physics, astrophysics, particle physics, and engineering recognize that adversaries are very interested in stealing the vital and valuable information they maintain. Therefore, they should consider implementing strong cybersecurity measures to protect that information, including training all administrators and professors in those departments about how they are specifically targeted by adversaries, and their crucial role in protecting the information from disclosure for national security.

This post was authored by William S. Fallon, Associate in Robinson+Cole’s Business Litigation group.

In Chatrie v. United States, No. 25-112 (U.S. June 29, 2026), the Supreme Court took another step in redefining digital privacy under the Fourth Amendment, building directly on its landmark decision in Carpenter v. United States, 585 U.S. 296 (2018). These cases signal that businesses holding customer data face an evolving legal landscape worth understanding.

The Fourth Amendment protects “persons, houses, papers, and effects” against unreasonable government searches, and thus generally requires a warrant based on probable cause before the government can search people, their homes, or their belongings. Under the long-standing “third-party doctrine,” however, information voluntarily shared with a third-party company, like a bank or phone company, historically lost that protection. In Carpenter, 585 U.S. at 310 n.3, 316, though, the Court carved out a “narrow” exception, holding that police need a warrant to obtain seven days of a cellphone user’s location data from a wireless carrier, even though the carrier held that location data , not the cellphone user. 

Chatrie went even further—the Court held that police need a warrant to access a user’s Google location history, even if the data covers only two hours, is held by a third-party company, and is voluntarily shared by the user. The Court again refused to apply the third-party doctrine, reasoning that such location data is “not truly ‘shared’” simply because a user enables Google to track his or her location.

Chatrie’s reasoning matters for any business that holds customer data. The Supreme Court now treats information on a company’s servers—emails, photographs, location logs, etc.—as information a user might “reasonably view[] as his own,” even when that information has been voluntarily conveyed to the company. Custodians of that data increasingly find themselves positioned between their customers and the government, fielding law enforcement demands for the customers’ data. As courts continue to recognize strong privacy interests in hosted data, those protections influence a custodian’s legal exposure, shape its obligations when responding to law enforcement and government demands, and inform customer expectations regarding the security and privacy of their data.

The third-party doctrine may continue to change—and erode. Justice Gorsuch’s separate opinions in Carpenter and Chatrie illustrate where this could lead. In both Carpenter and Chatrie, the Court sought to find an escape hatch from its third-party doctrine without expressly overruling the doctrine—an approach that detractors view as confusing—but Justice Gorsuch believes he has identified a workable route forward. Building off his separate opinion in Carpenter, where he urged an approach to Fourth Amendment protections grounded in property law and statutes, Justice Gorsuch’s Chatrie concurrence applied those theories, treating location history as Chatrie’s personal property under state digital-property statutes and finding “hints” of the same reasoning in the majority’s acknowledgement that users regard such data as their own.

In practice, this approach would look to what statutes, traditional property law, and a company’s own contracts say about who owns and controls customer data, and it would use those sources to decide whether the data stays protected once a customer hands it over. For companies that hold customer data, that makes the terms of their privacy policies, terms of service, and consent forms all the more important, because those documents may increasingly bear on how customer data is treated constitutionally. Whatever direction the doctrine takes, Chatrie is a useful signal that courts are willing to recognize privacy interests in third party data , and that businesses should account for that trend as they design their data practices.

A proposed class action accusing Kenneth Cole Productions, Inc., of unlawfully sharing website visitor data with Meta, Google, and other third parties was voluntarily dismissed in the Northern District of California. The plaintiffs alleged that Kenneth Cole used third-party tracking tools on its website that allowed those companies to collect data about consumers’ interactions with the site, including after users had opted out through the site’s cookie-consent banner. The complaint asserted invasion of privacy, intrusion upon seclusion, unjust enrichment, and common-law fraud claims, and alleged violations of the wiretapping and pen-register provisions of the California Invasion of Privacy Act. 

Last week, the named plaintiffs filed a notice voluntarily dismissing all of their claims with prejudice, while preserving the ability of putative class members to bring their own claims. The court acknowledged the dismissal the same day, ordered that each side bear their own attorneys’ fees and costs, and directed the clerk to terminate the case. The reason for the dismissal, or whether the parties reached any settlement, is unknown.

For companies, the takeaway is not that website tracking litigation risk has faded. It is that cookie banners, consent tools, pixels, tags, session replay, analytics tools, and advertising integrations need to work exactly as represented to users. Companies should regularly test whether opt-out signals actually stop the data flows they are supposed to stop, map which thirdparties receive website event data, review vendor configurations, and align privacy disclosures with the site’s technical reality. This is especially important where plaintiffs continue to plead website tracking claims under privacy, wiretapping, pen-register, fraud, and unjust enrichment theories.

On June 30, 2026, New Jersey’s Governor Mikie Sherrill signed a new data broker law, largely effective immediately, that adds significant new obligations for businesses involved in personal data sales. The law reaches traditional data brokers that collect or purchase personal data about consumers with whom they do not have a direct relationship and then sell or license that information to third parties. It also creates obligations for “data collectors,” meaning businesses or business units that collect personal data directly from consumers and then sell or license that information to data brokers.

A central feature of the law is an annual registration requirement for covered data brokers and data collectors engaged in selling or licensing New Jersey consumers’ personal data . The state’s Division of Consumer Affairs will establish and maintain a public registry that includes contact information, privacy policy information, website information, and relevant opt-out information for each registrant. Registration fees are based on volume, starting at $5,000 for 100,000 or fewer New Jersey consumers and increasing to $1.5 million for entities involving personal data of more than 4.5 million New Jersey consumers. Registration submissions must address opt-out rights, deletion rights, activities from which individuals may not opt out, purchaser credentialing, cybersecurity event history, information concerning individuals under 18, and processors handling personal data on the entity’s behalf.

The law also prohibits data brokers and data collectors from selling or licensing sensitive data, and it separately amends New Jersey’s privacy law to prohibit controllers from selling sensitive data regardless of processing volume. Sensitive data includes categories such as health information, certain financial account information, citizenship or immigration status, genetic or biometric data used for identification, personal data collected from a known child, and precise geolocation data. The statute includes exclusions for certain regulated data and entities, including specified health, financial, insurance, consumer reporting, government, research, and securities-related contexts. Civil penalties include $2,500 per day for registration or update failures and $50,000 per record for certain sensitive data violations. Although most of the law took effect immediately, the registry provision remains inoperative for 270 days following enactment.

For businesses holding data about New Jersey residents, the new law reinforces the need for accurate data inventories, clear data sale and licensing arrangement oversight, and careful review of any sensitive data practices. As state privacy laws become more specific, companies should be prepared to show not only what their policies say, but how their data practices actually work.

The Federal Trade Commission’s (FTC) proposed policy statement puts a new consumer-protection frame around AI model behavior: if an AI company represents that its system is designed to deliver accurate, objective, or user-directed outputs, the company may create a reasonable consumer expectation that the system is trying to provide the best answer it can within its technical limits. The FTC’s concern is that an AI provider could secretly steer outputs toward undisclosed objectives, including ideological objectives, while still marketing the system as accurate, useful, or fit for the user’s task. In the FTC’s view, that kind of hidden steering may be deceptive under Section 5 of the FTC Act, even if the company says it is doing so to comply with state law. 

The proposed statement is especially notable because it connects AI accuracy, disclosures, and state AI regulation in one enforcement theory. The FTC says AI products are not exempt from Section 5, and points to prior enforcement involving deceptive AI-related claims about performance, efficacy, and product capabilities. The proposal also aims at state AI laws that the FTC believes could pressure companies to alter model outputs, including Colorado’s revised AI law, which the statement says may create incentives for companies to suppress accuracy or prioritize other objectives without telling users. The FTC further notes that state law may be impliedly preempted where it is inconsistent with or otherwise conflicts with the federal consumer protection framework.

For AI developers and enterprise customers, the practical takeaway is that disclosures, product claims, and governance controls around model behavior are going to matter. The FTC acknowledges that companies can shape user expectations through truthful, non-misleading disclosures, but warns that those disclosures must be clear, conspicuous, prominent, and strong enough to counter any contrary impression created by marketing or product design. Comments on the proposed policy statement are due July 31, 2026, giving AI companies, customers, and other stakeholders a short window to weigh in on how the FTC should draw the line between permissible model governance and deceptive manipulation of AI outputs. Read the full statement here.

Threat group ShinyHunters continues its incessant campaign to torture companies trying to provide products and services to consumers, with no indication of letting up.

One of its latest victims, Medtronic, the manufacturer of medical devices, healthcare technologies, and therapies, confirmed that it was the victim of an April cyberattack where over nine million records from the company were stolen. ShinyHunters claimed responsibility. Medtronic recently notified affected customers, informing them that the data exposed during the attack included some customers’ names, contact information, dates of birth, Social Security numbers, and health-related information.

Although the data was compromised during the attack, Medtronic has confirmed that the attack did not impact its medical devices, and they remain safe to use.

Medtronic is offering affected customers 24 months of credit monitoring and identity theft protection services. If you receive a letter from Medtronic, it is important to follow the instructions provided.

While recent arrests and extraditions of individuals linked to Scattered Spider (another notoriously active threat actor group) are a positive development, I’m hopeful that similar law enforcement progress against ShinyHunters associates will follow soon.

The FBI and the Internet Crime Complaint Center (IC3) has issued a public service announcement warning the public about a surge in malicious spoofed websites related to the FIFA games. Cybercriminals are using these fake sites to impersonate FIFA, tricking fans into giving up personal information, credit card numbers, or buying counterfeit tickets and fake travel packages.

“The malicious domains employ typosquatting and alternative top-level domains (TLDs) to impersonate the official FIFA domain (fifa.com), deceiving users into divulging sensitive information or purchasing counterfeit tickets and hospitality packages. The sophistication of these sites is such that even experienced users may be fooled, especially as attackers leverage HTTPS certificates and cloned branding.”

Two cybersecurity research firms have identified over 1400 malicious spoofed websites. These websites include operating fake visa and travel portals, and fraudulent hospitality and ticketing sites. In addition, “the scale of credential theft is staggering, with more than 1.5 million compromised accounts and 7,300+ leaked credentials related to FIFA and its partners being traded on the dark web.”

Enjoy watching the games, but don’t let these fake domains fool or scam you. Here are some tips to avoid becoming a victim:

Access FIFA resources only via https://www.fifa.com and official subdomains. Block and monitor the IOCs listed above at the network perimeter. Educate staff and fans about the risks of fake ticketing and job sites. Monitor for phishing campaigns using World Cup themes. Coordinate with law enforcement and FIFA’s official cybersecurity partners for incident response.

On June 17, 2026, the U.S. District Court for the Eastern District of Pennsylvania denied Brown-Daub Chevrolet of Nazareth’s motion to dismiss a putative class action alleging violations of the Telephone Consumer Protection Act’s (TCPA) National Do Not Call Registry (DNCR) provisions. In Pero v. Brown-Daub Chevrolet of Nazareth (E.D. Pa. June 17, 2026), the court considered whether a text message is a “telephone call” under Section 227(c) of the TCPA, and concluded that it is.

The TCPA restricts certain telemarketing communications and, through Section 227(c), provides a private right of action to a person who receives more than one prohibited telephone call within a 12-month period. The plaintiff alleged that she registered her number on the DNCR in 2021, gave the dealership her number in October 2024 to receive truck sales information, later opted out of texts, and then received six unwanted texts between January 8 and March 28, 2025.

The court’s analysis is notable in the current  environment. The Supreme Court recognized that Chevron deference has been abolished and that courts must exercise independent judgment rather than defer automatically to agency interpretations. At the same time, it emphasized that agency interpretations may still deserve respect as the product of “a body of experience and informed judgment,” particularly where Congress delegated implementation authority to the FCC.

Turning to the statutory text, the court focused on Section 227(a)(4), which defines “telephone solicitation” as the initiation of a “telephone call or message” for telemarketing purposes. Although texts did not exist when Congress enacted the TCPA, the court found that Congress “intended to prohibit more than solicitations by telephone” because it also used the phrase “by message.” Applying ordinary meaning, the court concluded that a text message is “a communication (message) transmitted by a telephone,” and therefore falls within the statute.

The court also gave “considerable weight” to the FCC’s interpretation and noted the FCC’s 2024 clarification that DNCR protections extend to text messages. Considering the statutory language, FCC rules, and the “overwhelming majority of courts,” the court held that texts are calls under Section 227(c). For companies using SMS campaigns, they should treat texts to DNCR-listed numbers as regulated telemarketing contacts, confirm the required consent, and make opt-outs durable across systems and personnel. The decision also suggests that post-Loper Bright challenges to FCC TCPA interpretations may face headwinds where the agency’s position aligns with statutory text and the weight of judicial authority.

DraftKings is the latest target in California’s wave of California Invasion of Privacy Act (CIPA) website-tracking litigation. In Hughes v. DraftKings Inc., filed in the Central District of California, plaintiff Dana Hughes alleges that DraftKings operated its website with data broker software from NextRoll, The Trade Desk, and Comscore that secretly collected data about website visitors, their devices, locations, page views, and browser characteristics to identify and track users for marketing and profiling purposes. The complaint alleges that Hughes visited the DraftKings website and that data reasonably likely to identify her was transmitted to at least three third parties through code running on the site. 

The core CIPA theory is familiar but still high stakes: the complaint claims the tracking code operated as an unlawful “trap and trace device” under California Penal Code section 638.51 because it captured electronic signals and identifying information from visitors’ devices without a court order or consent. Hughes seeks class certification, statutory damages under CIPA, punitive damages, restitution, disgorgement, injunctive relief, attorneys’ fees, and other relief. For companies, the warning is straightforward: plaintiffs are continuing to scrutinize routine website advertising and analytics tools through the lens of California’s wiretap and trap-and-trace laws. The DraftKings complaint targets third-party tags that many businesses may view as standard marketing infrastructure, including retargeting pixels, cookie-based identifiers, browser fingerprinting, cookie matching, and cross-site tracking tools. Businesses that receive CIPA demands or complaints should quickly map which third-party scripts run on their sites, what data those scripts collect or transmit, whether the vendors are data brokers or advertising technology providers, and what consent, disclosure, and vendor controls are in place before responding.

The leaders of the Five Eyes cyber security agencies, representing Australia, New Zealand, Canada, the United Kingdom, and the United States, issued an alert on June 22, 2026, entitled “The AI Shift in Cyber Risk: Why Leaders Must Act Now” urging organizations to a “call to action” to protect against cyber threats both for organizations and society as a whole. The Five Eyes are expressing urgency because artificial intelligence (AI) is quickly changing cyber risk, and organizations need to act fast to keep up. The call to action is informed by the fact that AI can improve cyber defense, but it also makes cyber-attacks faster, larger, and more advanced, including how attacks happen and how organizations can defend against them.

Because of this, the Five Eyes urge that cyber resilience is critical for business continuity, market confidence, and long-term success.

The Five Eyes encourage leaders to:

  • understand and assess risks, readiness, and accountability 
  • focus on basic cybersecurity practices and controls 
  • give cyber leaders the authority and resources they need 
  • stay involved as threats and guidance change 

The alert emphasizes how “success for organizations depends on getting the basics right, acting quickly, and making cybersecurity part of the core business strategy.” It stresses that cyber risk is not just a technical issue—it is a business risk and a leadership responsibility.

Boards and executives must ensure systems are resilient and work under pressure. It is not enough to have controls; leaders must know those controls will work during a real incident. This may require rethinking past decisions and using AI carefully to strengthen defenses, not just improve efficiency.

The alert outlines key actions for leaders, including:

  • Build systems to be secure from the start and by default 
  • Do not rely on a single solution—use multiple layers of defense 
  • Expect new and unknown vulnerabilities as AI evolves, including zero-day risks

It also lists “urgent” practical actions:

  1. Reduce your attack surface: Limit unnecessary access and external connections. Only expose systems when truly needed. 
  2. Speed up patching: AI is reducing the time between finding and exploiting vulnerabilities. Delays increase risk, especially for older systems. 
  3. Fix legacy systems: Unsupported systems are easy targets and create serious risk. 
  4. Strengthen access controls: Limit who can access critical systems. Use strong authentication and regularly review permissions. 
  5. Prepare for incidents: Test response plans, train teams, and assume breaches will happen. Focus on quick containment and recovery.

It also suggests that leaders use AI to strengthen defense against cyber-attacks. Getting ahead of cyber-attacks when threat actors are using AI requires continued preparedness and the ability to use tools to detect, monitor, and defend against them, including AI tools developed for defense purposes. If ever there was digital warfare, it is now with the proliferation of AI enhanced tools. Leaders of all organizations should review the recommendations by the Five Eyes and implement them for the preparedness of the organization and society.