A joint cybersecurity advisory from the United States and 12 allied nations was released this week warning critical infrastructure operators that Russian state-sponsored hackers from Federal Security Service (FSB) Center 16 are actively exploiting poorly configured and vulnerable networking devices to break into systems.

The threat group, also known as Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard and Static Tundra, has been scanning the internet for routers with default or weak passwords, or unpatched old Cisco vulnerabilities.

The agencies “strongly urge device owners and network defenders to take mitigation and remediation actions against Russian government-sponsored exploitation of vulnerable routers.”

The industries that have been targeted include: “communications, defense industrial base, energy, financial services, government services and facilities, especially organizations at the state and local level, and healthcare and public health.” The advisory provides details of techniques used, and mitigation actions to deploy. Tracking these techniques and applying the mitigation actions should be a priority for critical infrastructure organizations.

Last week, we wrote about the newly enacted New Jersey data broker law. On July 10, 2026, the New Jersey Attorney General’s Division of Consumer Affairs published an alert clarifying that covered data brokers and data collectors will not need to register or pay registration fees until the Division launches the required public registry, which is expected in spring 2027. The first registration period is anticipated to run from April 1, 2027, through June 30, 2027, with additional guidance to come before then. The alert also notes that the Division plans to issue further guidance on other aspects of the law, including its restrictions on the sale or licensing of sensitive data.

Although some enforcement activity may be delayed while the registry and guidance are developed, businesses that collect, sell, license, or otherwise handle New Jersey consumer data should consider using this period to assess whether the law applies and what compliance steps may be needed.

On July 8, 2026, the Federal Communications Commission (FCC) Enforcement Bureau entered into a consent decree with Voximplant, Inc., a voice and video call platform, to resolve an investigation into whether the company failed to comply with the FCC’s robocall mitigation rules. The FCC’s robocall mitigation framework is designed to make the voice calling ecosystem more transparent and help law enforcement identify and stop illegal robocall traffic more efficiently.

A central part of that framework is the Robocall Mitigation Database (RMD), where covered voice service providers must file certifications and robocall mitigation plans describing how they address illegal robocall traffic, such as spoofed and spam calls. The FCC’s rules also require providers to submit information about their business identity, responsible contacts, role in the call chain, caller ID authentication practices, enforcement history, and commitment to respond within 24 hours to traceback requests seeking to identify the source and path of suspected illegal calls.

Under the consent decree, Voximplant admitted that its RMD certification was noncompliant and agreed to implement a compliance plan. The FCC found that Voximplant had not updated its RMD certification and robocall mitigation plan after amended requirements took effect. The consent decree also notes that, after Voximplant was removed from the RMD, it was identified in 20 tracebacks as the originating provider for suspected illegal robocalls. For the FCC, the issue was not only that Voximplant’s RMD filing was deficient, but that the suspected illegal robocall traffic was being traced back to Voximplant’s network, and the missing RMD information concerned the safeguards providers must document to show how they prevent that kind of traffic.

The consent decree requires Voximplant to operationalize robocall compliance through a senior compliance officer, written procedures, employee training, periodic reporting, and prompt updates to its RMD certification. It also requires 24-hour traceback responses and enhanced diligence on customers and upstream providers, including verifying customer identity and confirming that upstream providers have active RMD certifications. These obligations underscore that providers should treat robocall mitigation as an ongoing compliance function.

The FCC’s consent decree came one day after 49 State Attorneys General urged the FCC to tighten oversight of the numbering practices that help bad actors disguise illegal robocalls. Their concern was that, as caller ID protections have made basic spoofing harder, scammers have adapted by using real or easily obtained phone numbers to make fraudulent calls look legitimate. The Attorneys General supported stronger certification, reporting, tracing, and diligence requirements for companies that obtain, assign, or resell numbers, with a particular focus on practices that let callers rotate through numbers or use trial numbers to evade detection.

Together, the FCC consent decree and the Attorneys General letter point to a broader enforcement shift: regulators are scrutinizing not only what providers certify, but how they police the traffic moving through their networks. For voice providers, robocall compliance now turns on whether they can show active controls, including accurate filings, documented mitigation practices, prompt traceback responses, and diligence on customers and counterparties. When illegal traffic starts ringing alarms, regulators expect providers to pick up.

Threat actors are spoofing big brand logos in recruiting scams to dupe individuals into believing they are working with real companies and to divulge their Google credentials.

The scam was first identified by a Team Cymru researcher, who discovered that threat actors were impersonating recruiters from big brands to target marketing professionals. The fraudulent emails were highly personalized, addressing recipients by name, referencing their professional field, and demonstrating that the threat actors conducted research on their backgrounds before making contact.

One example included a convincing phishing email from a well-known consulting firm “which contains a ‘view calendar & schedule call’ link for a fake job interview.” The email is sent from a legitimate human resources management platform, which lends to its credibility. When the targeted victim clicks the link, they are sent to what looks like a legitimate domain, which is actually a spoofed domain that looks like the legitimate company, but is “an attacker-controlled phishing link.” The victim doesn’t know they have been redirected several times to the phishing host site.

Once the victim lands on the fake site, they are presented with a fake Google sign-in window and they sign in with their real credentials, which are then stolen by the threat actor.

Once threat actors have access to your credentials, they have access to everything in your Google account without your knowledge. As with all accounts, it is recommended that you change your passwords frequently. If you believe you have given your credentials to an unauthorized individual, change your passwords immediately. For assistance with changing your Google password, consult Google’s questions and answers section.

In the meantime, be wary of unsolicited recruiting emails and be vigilant about confirming their legitimacy.

Researchers at cybersecurity firm Proofpoint have discovered that a “suspected China-aligned threat cluster named UNK_MassTraction” is attacking mailservers belonging to physics and engineering departments of U.S. and Canadian based universities. They have been tracking the activity since May 2026.

The threat actors are exploiting multiple n-day cross-site scripting vulnerabilities in Roundcube mailservers to “steal credentials and either install a webshell for follow-on access or deploy the VShell backdoor into the server’s memory.” The threat actors are targeting administrators and professors that have national security ties or are focusing on astrophysics and particle physics. According to Proofpoint, “the exploit only requires that the email is opened in the mail client to achieve access to the mailserver.” The messages sent to the administrators and professors were generic and innocuous, including resembling marketing or spam messages, so when the targets open the message, they overlook it and fail to report it to IT. However, the mere opening of the email (without having to interact with it) was enough for the threat actors to gain access to the content.

The scheme is quite elaborate, and if you want to learn more about its technicalities, read Proofpoint’s blog outlining the scheme in detail. Proofpoint reminds universities that “email delivery can facilitate compromise of mailservers, and that Chinese operators will continue to treat them like any other edge device. Defenders should prioritize defending the mailservers of their networks as thoroughly as they do their VPN concentrators and other remote access nodes on their networks.”

I would add that universities conducting research related to national security, physics, astrophysics, particle physics, and engineering recognize that adversaries are very interested in stealing the vital and valuable information they maintain. Therefore, they should consider implementing strong cybersecurity measures to protect that information, including training all administrators and professors in those departments about how they are specifically targeted by adversaries, and their crucial role in protecting the information from disclosure for national security.

This post was authored by William S. Fallon, Associate in Robinson+Cole’s Business Litigation group.

In Chatrie v. United States, No. 25-112 (U.S. June 29, 2026), the Supreme Court took another step in redefining digital privacy under the Fourth Amendment, building directly on its landmark decision in Carpenter v. United States, 585 U.S. 296 (2018). These cases signal that businesses holding customer data face an evolving legal landscape worth understanding.

The Fourth Amendment protects “persons, houses, papers, and effects” against unreasonable government searches, and thus generally requires a warrant based on probable cause before the government can search people, their homes, or their belongings. Under the long-standing “third-party doctrine,” however, information voluntarily shared with a third-party company, like a bank or phone company, historically lost that protection. In Carpenter, 585 U.S. at 310 n.3, 316, though, the Court carved out a “narrow” exception, holding that police need a warrant to obtain seven days of a cellphone user’s location data from a wireless carrier, even though the carrier held that location data , not the cellphone user. 

Chatrie went even further—the Court held that police need a warrant to access a user’s Google location history, even if the data covers only two hours, is held by a third-party company, and is voluntarily shared by the user. The Court again refused to apply the third-party doctrine, reasoning that such location data is “not truly ‘shared’” simply because a user enables Google to track his or her location.

Chatrie’s reasoning matters for any business that holds customer data. The Supreme Court now treats information on a company’s servers—emails, photographs, location logs, etc.—as information a user might “reasonably view[] as his own,” even when that information has been voluntarily conveyed to the company. Custodians of that data increasingly find themselves positioned between their customers and the government, fielding law enforcement demands for the customers’ data. As courts continue to recognize strong privacy interests in hosted data, those protections influence a custodian’s legal exposure, shape its obligations when responding to law enforcement and government demands, and inform customer expectations regarding the security and privacy of their data.

The third-party doctrine may continue to change—and erode. Justice Gorsuch’s separate opinions in Carpenter and Chatrie illustrate where this could lead. In both Carpenter and Chatrie, the Court sought to find an escape hatch from its third-party doctrine without expressly overruling the doctrine—an approach that detractors view as confusing—but Justice Gorsuch believes he has identified a workable route forward. Building off his separate opinion in Carpenter, where he urged an approach to Fourth Amendment protections grounded in property law and statutes, Justice Gorsuch’s Chatrie concurrence applied those theories, treating location history as Chatrie’s personal property under state digital-property statutes and finding “hints” of the same reasoning in the majority’s acknowledgement that users regard such data as their own.

In practice, this approach would look to what statutes, traditional property law, and a company’s own contracts say about who owns and controls customer data, and it would use those sources to decide whether the data stays protected once a customer hands it over. For companies that hold customer data, that makes the terms of their privacy policies, terms of service, and consent forms all the more important, because those documents may increasingly bear on how customer data is treated constitutionally. Whatever direction the doctrine takes, Chatrie is a useful signal that courts are willing to recognize privacy interests in third party data , and that businesses should account for that trend as they design their data practices.

A proposed class action accusing Kenneth Cole Productions, Inc., of unlawfully sharing website visitor data with Meta, Google, and other third parties was voluntarily dismissed in the Northern District of California. The plaintiffs alleged that Kenneth Cole used third-party tracking tools on its website that allowed those companies to collect data about consumers’ interactions with the site, including after users had opted out through the site’s cookie-consent banner. The complaint asserted invasion of privacy, intrusion upon seclusion, unjust enrichment, and common-law fraud claims, and alleged violations of the wiretapping and pen-register provisions of the California Invasion of Privacy Act. 

Last week, the named plaintiffs filed a notice voluntarily dismissing all of their claims with prejudice, while preserving the ability of putative class members to bring their own claims. The court acknowledged the dismissal the same day, ordered that each side bear their own attorneys’ fees and costs, and directed the clerk to terminate the case. The reason for the dismissal, or whether the parties reached any settlement, is unknown.

For companies, the takeaway is not that website tracking litigation risk has faded. It is that cookie banners, consent tools, pixels, tags, session replay, analytics tools, and advertising integrations need to work exactly as represented to users. Companies should regularly test whether opt-out signals actually stop the data flows they are supposed to stop, map which thirdparties receive website event data, review vendor configurations, and align privacy disclosures with the site’s technical reality. This is especially important where plaintiffs continue to plead website tracking claims under privacy, wiretapping, pen-register, fraud, and unjust enrichment theories.

On June 30, 2026, New Jersey’s Governor Mikie Sherrill signed a new data broker law, largely effective immediately, that adds significant new obligations for businesses involved in personal data sales. The law reaches traditional data brokers that collect or purchase personal data about consumers with whom they do not have a direct relationship and then sell or license that information to third parties. It also creates obligations for “data collectors,” meaning businesses or business units that collect personal data directly from consumers and then sell or license that information to data brokers.

A central feature of the law is an annual registration requirement for covered data brokers and data collectors engaged in selling or licensing New Jersey consumers’ personal data . The state’s Division of Consumer Affairs will establish and maintain a public registry that includes contact information, privacy policy information, website information, and relevant opt-out information for each registrant. Registration fees are based on volume, starting at $5,000 for 100,000 or fewer New Jersey consumers and increasing to $1.5 million for entities involving personal data of more than 4.5 million New Jersey consumers. Registration submissions must address opt-out rights, deletion rights, activities from which individuals may not opt out, purchaser credentialing, cybersecurity event history, information concerning individuals under 18, and processors handling personal data on the entity’s behalf.

The law also prohibits data brokers and data collectors from selling or licensing sensitive data, and it separately amends New Jersey’s privacy law to prohibit controllers from selling sensitive data regardless of processing volume. Sensitive data includes categories such as health information, certain financial account information, citizenship or immigration status, genetic or biometric data used for identification, personal data collected from a known child, and precise geolocation data. The statute includes exclusions for certain regulated data and entities, including specified health, financial, insurance, consumer reporting, government, research, and securities-related contexts. Civil penalties include $2,500 per day for registration or update failures and $50,000 per record for certain sensitive data violations. Although most of the law took effect immediately, the registry provision remains inoperative for 270 days following enactment.

For businesses holding data about New Jersey residents, the new law reinforces the need for accurate data inventories, clear data sale and licensing arrangement oversight, and careful review of any sensitive data practices. As state privacy laws become more specific, companies should be prepared to show not only what their policies say, but how their data practices actually work.

The Federal Trade Commission’s (FTC) proposed policy statement puts a new consumer-protection frame around AI model behavior: if an AI company represents that its system is designed to deliver accurate, objective, or user-directed outputs, the company may create a reasonable consumer expectation that the system is trying to provide the best answer it can within its technical limits. The FTC’s concern is that an AI provider could secretly steer outputs toward undisclosed objectives, including ideological objectives, while still marketing the system as accurate, useful, or fit for the user’s task. In the FTC’s view, that kind of hidden steering may be deceptive under Section 5 of the FTC Act, even if the company says it is doing so to comply with state law. 

The proposed statement is especially notable because it connects AI accuracy, disclosures, and state AI regulation in one enforcement theory. The FTC says AI products are not exempt from Section 5, and points to prior enforcement involving deceptive AI-related claims about performance, efficacy, and product capabilities. The proposal also aims at state AI laws that the FTC believes could pressure companies to alter model outputs, including Colorado’s revised AI law, which the statement says may create incentives for companies to suppress accuracy or prioritize other objectives without telling users. The FTC further notes that state law may be impliedly preempted where it is inconsistent with or otherwise conflicts with the federal consumer protection framework.

For AI developers and enterprise customers, the practical takeaway is that disclosures, product claims, and governance controls around model behavior are going to matter. The FTC acknowledges that companies can shape user expectations through truthful, non-misleading disclosures, but warns that those disclosures must be clear, conspicuous, prominent, and strong enough to counter any contrary impression created by marketing or product design. Comments on the proposed policy statement are due July 31, 2026, giving AI companies, customers, and other stakeholders a short window to weigh in on how the FTC should draw the line between permissible model governance and deceptive manipulation of AI outputs. Read the full statement here.

Threat group ShinyHunters continues its incessant campaign to torture companies trying to provide products and services to consumers, with no indication of letting up.

One of its latest victims, Medtronic, the manufacturer of medical devices, healthcare technologies, and therapies, confirmed that it was the victim of an April cyberattack where over nine million records from the company were stolen. ShinyHunters claimed responsibility. Medtronic recently notified affected customers, informing them that the data exposed during the attack included some customers’ names, contact information, dates of birth, Social Security numbers, and health-related information.

Although the data was compromised during the attack, Medtronic has confirmed that the attack did not impact its medical devices, and they remain safe to use.

Medtronic is offering affected customers 24 months of credit monitoring and identity theft protection services. If you receive a letter from Medtronic, it is important to follow the instructions provided.

While recent arrests and extraditions of individuals linked to Scattered Spider (another notoriously active threat actor group) are a positive development, I’m hopeful that similar law enforcement progress against ShinyHunters associates will follow soon.