Data Breach Response

Tracking how regulators, courts, and counsel are setting standards for cyber incidents - notification rules, ransomware response, and post-breach litigation.

8 entries in Litigator Tracker

Verizon says shadow AI is exposing company IP through unsanctioned AI use

Verizon's 2026 Data Breach Investigations Report has quantified a significant security gap: 67% of professionals using AI tools at work do so through personal accounts that IT has not authorized, and 28% of data-loss-prevention violations now involve employees uploading source code into unapproved AI systems. The report defines "shadow AI" as the use of AI tools, assistants, models, browser extensions, or personal accounts without formal approval from IT, security, legal, or compliance teams. Exposed material includes source code, intellectual property, internal documents, and customer records.
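As an added illustration, not part of the Verizon report or of this page, the Python sketch below shows what a minimal DLP rule for the pattern the report describes could look like: it flags uploads to AI hosts that IT has not sanctioned, uploads made under a non-corporate account, and request bodies that look like source code or carry a credential. Every host name, the corporate identity domain, the code heuristics and the sample events are constructed for the example; a production rule would draw on a categorized URL feed and the proxy's own log schema.

```python
"""Added example: a minimal DLP-style rule for shadow-AI uploads.

Every host name, identity domain and event below is constructed for the
example; none of it comes from the Verizon report or from any real log.
"""
import re
from dataclasses import dataclass

# Assumed policy: the one AI host IT has sanctioned, and the identity
# domain that marks a corporate (not personal) account.
SANCTIONED_AI_HOSTS = {"ai.corp.example"}
CORP_DOMAIN = "corp.example"
# Assumed watch-list of AI services; a real deployment would use a
# categorized URL feed rather than a hand-maintained set.
KNOWN_AI_HOSTS = {"chat.example-ai.test", "api.example-ai.test", "ai.corp.example"}

# Cheap source-code heuristics; two or more distinct hits count as code.
CODE_PATTERNS = [
    re.compile(r"^\s*(import|from)\s+[\w.]+", re.M),            # Python imports
    re.compile(r"\bdef\s+\w+\s*\(|\bclass\s+\w+\s*[:(]"),        # Python defs
    re.compile(r"#include\s*[<\"]"),                             # C/C++
    re.compile(r"\bfunction\s+\w+\s*\(|=>\s*\{"),                # JavaScript
    re.compile(r"\b(public|private|protected)\s+(static\s+)?[\w<>\[\]]+\s+\w+\s*\("),  # Java/C#
    re.compile(r"\{[^{}]*;[^{}]*\}", re.S),                      # brace block with a statement
]
# Secrets that should never leave the estate regardless of destination.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


@dataclass
class UploadEvent:
    """One POST to an AI service as a proxy might record it (constructed)."""
    user: str      # directory user who generated the traffic
    account: str   # identity used with the AI tool, e.g. alice@corp.example
    host: str
    body: str      # request body after TLS inspection


def classify(ev: UploadEvent) -> list[str]:
    """Return the policy findings for one event (empty list = allowed)."""
    if ev.host not in KNOWN_AI_HOSTS:
        return []                      # not an AI service; outside this rule
    findings = []
    if ev.host not in SANCTIONED_AI_HOSTS:
        findings.append("unsanctioned_ai_host")
    if not ev.account.lower().endswith("@" + CORP_DOMAIN):
        findings.append("personal_account")
    if sum(1 for p in CODE_PATTERNS if p.search(ev.body)) >= 2:
        findings.append("source_code")
    for name, pattern in SECRET_PATTERNS.items():
        if pattern.search(ev.body):
            findings.append("secret:" + name)
    return findings


def scan(events: list[UploadEvent]) -> list[tuple[str, str, list[str]]]:
    """Run classify() over a batch and keep only events with findings."""
    report = []
    for ev in events:
        findings = classify(ev)
        if findings:
            report.append((ev.user, ev.host, findings))
    return report


# Constructed sample traffic.
SAMPLE_EVENTS = [
    UploadEvent("alice", "alice@personal.example", "chat.example-ai.test",
                "import os\n\ndef rotate_keys(path):\n    return os.listdir(path)\n"),
    UploadEvent("bob", "bob@corp.example", "ai.corp.example",
                "Summarize the attached meeting notes."),
    UploadEvent("carol", "carol@personal.example", "ai.corp.example",
                "Draft a polite reminder email."),
    UploadEvent("dave", "dave@corp.example", "api.example-ai.test",
                "Why does boto3 reject AKIAABCDEFGHIJKLMNOP here?"),
    UploadEvent("erin", "erin@corp.example", "intranet.corp.example",
                "#include <stdio.h>\nint main(void) { return 0; }\n"),
]

if __name__ == "__main__":
    for user, host, findings in scan(SAMPLE_EVENTS):
        print(f"{user:6} -> {host:24} {', '.join(findings)}")
```

The heuristics are deliberately thin (a pasted snippet with a single code marker slips through, and prose with two markers trips the rule); the point is that the signal combines destination, identity and content, which is exactly what the report's definition of shadow AI turns on. Note that carol is flagged even though she used the sanctioned host, because the account was personal, and that erin's upload to an internal host is out of scope for this rule entirely.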

California tightens data broker registration rules ahead of August 2026 DROP deadline

California's data-broker regime enters its operational phase on August 1, 2026, when covered data brokers must begin processing consumer deletion requests submitted through the state's centralized DROP system on a 45-day cycle. The California Privacy Protection Agency will enforce compliance, with penalties for brokers that miss the deadline or fail to process requests within the required timeframe. This enforcement push follows the state's expansion of data-broker registration disclosures under SB-361 and earlier CPPA enforcement actions in 2026.

DOJ export indictment triggers new probe of Super Micro’s controls

The Department of Justice unsealed an indictment in March 2026 charging three individuals tied to Super Micro Computer, two former employees and one contractor, with conspiring to violate U.S. export controls. The defendants allegedly diverted approximately $2.5 billion worth of servers containing advanced AI technology, including Nvidia chips, to China between 2024 and 2025. The indictment names co-founder and former senior vice president Yih-Shyan "Wally" Liaw and a general manager from Super Micro's Taiwan office, who prosecutors say coordinated shipments through a third-party intermediary to circumvent export restrictions. Super Micro itself is not charged and has stated it was not accused of wrongdoing.

Alston & Bird flags 2026 privacy, AI, and cyber compliance shifts in May newsletter

California's privacy enforcement machinery is accelerating, and 2026 is the year compliance deadlines collide with operational reality. The California Privacy Protection Agency and Attorney General Rob Bonta are driving a wave of new rules and enforcement actions targeting data brokers, AI deployments, and cross-border data transfers. Key deadlines are now live: new state privacy laws took effect January 1, the agency's Delete Request and Opt-out Platform (DROP) opened to consumers the same day, and data brokers face processing obligations beginning August 1. Federal requirements are tightening simultaneously, including the DOJ Data Security Program Rule governing transfers of sensitive personal data outside the U.S., alongside heightened HIPAA security guidance and expanded incident-reporting obligations.

OpenAI and Mixpanel Face AI-Privacy Lawsuit Over Data Collection and Breach

A federal class action filed in the Northern District of California alleges that Mixpanel used OpenAI-developed AI technology to collect user data, and that a third-party cyberattack subsequently exposed OpenAI account holders' information stored on Mixpanel's platform. The suit, Woodard v. OpenAI, Inc. & Mixpanel, Inc. (3:25-cv-10301), names both companies and asserts claims for negligence, breach of implied contract, and unjust enrichment on behalf of consumers and businesses alike.

FTC finalizes order against Illuminate Education over 2021 student-data breach

The Federal Trade Commission finalized a consent order against Illuminate Education, Inc. on June 5, 2026, resolving allegations that the edtech company failed to secure student personal data and delayed notifying affected school districts following a major 2021 breach. A hacker used a former employee's credentials to access Illuminate's cloud databases, exposing records on more than 10 million students, including email addresses, mailing addresses, birth dates, school records, and health information. The FTC alleged that some districts, covering more than 380,000 students, received no notification for nearly two years after the December 2021 breach.

California settles with GM over OnStar driver-data sales for $12.75M

California has settled a $12.75 million enforcement action against General Motors over the sale of customer location and driving data without adequate notice or consent. From 2020 to 2024, GM shared names, contact information, geolocation data, and driving behavior collected through its OnStar service with LexisNexis Risk Solutions and Verisk Analytics, which used the information to develop driver-rating products for insurers. California Attorney General Rob Bonta, joined by district attorneys from San Francisco, Los Angeles, Napa, and Sonoma counties and the California Privacy Protection Agency, brought the case.

Wiley Rein Faces Data Breach Lawsuit Over Cybersecurity Incident

A data breach at Wiley Rein has triggered litigation alleging that the firm's cybersecurity incident exposed sensitive information and that the firm is liable to the affected parties. The lawsuit underscores a growing risk for law firms and other professional services organizations: breach response costs are only the beginning, because once data is compromised, claims from affected individuals or entities often follow.

LawSnap Briefing Updated May 7, 2026

State of play.

  • The state privacy patchwork has reached 20 active regimes, with Indiana, Kentucky, and Rhode Island activating January 1, 2026, and California's DELETE Act DROP platform operationalizing ahead of an August 1 deadline carrying $200-per-day penalties. Enforcement is accelerating without cure periods across most jurisdictions.
  • Private equity cyber liability has broken new ground: a federal judge in California has allowed data breach claims against Bain Capital to proceed for a breach at PowerSchool that predated Bain's acquisition close, with the court examining pre-closing veto rights and post-closing offshoring of cybersecurity functions as the liability hook.
  • Law firms remain high-value targets with active litigation: GrayRobinson faces multiple class actions after a 2025 breach affecting 65,113 individuals, with complaints citing outdated technology and reckless security practices, filed within days of breach notifications going out.
  • CIRCIA finalization is imminent: CISA is expected to finalize rules in May 2026 triggering 72-hour incident reporting and 24-hour ransomware payment reporting obligations across 16 critical infrastructure sectors, with commercial real estate now flagged as potentially covered.
  • For counsel advising corporate clients, PE sponsors, or professional service firms, the practical baseline is a multi-front exposure: state privacy enforcement without cure periods, novel PE-level breach liability, and federal incident-reporting obligations that may arrive before clients have mapped their covered-entity status.

Where things stand.

  • Unsanctioned AI use is a structural breach surface. A 2025 Gartner survey found that 69% of organizations suspect or have confirmed prohibited generative AI tool use; other research puts the figure at 98% when all unsanctioned applications are counted, with 33% of workers admitting to sharing enterprise research and 27% exposing employee data through these tools. This is a workforce-governance problem, not a perimeter-security problem.
  • "Silent ransom" attacks on law firms are active and documented. The Silent Ransom Group is behind confirmed breaches at Jones Day and Orrick Herrington & Sutcliffe, using vishing and social engineering that bypass traditional endpoint detection: no malware, no lockup, just direct extortion under threat of dark-web publication.
  • C-suite social engineering has escalated. Former Black Basta affiliates ran a coordinated campaign in March 2026 targeting senior leadership in manufacturing and professional services, compressing the full compromise cycle to approximately 12 minutes; 77% of incidents that month targeted the C-suite.
  • SEC and FINRA enforcement against RIAs is active. Amended Regulation S-P requirements for larger advisers are in effect in 2026; the SEC settled with an RIA and broker-dealer in November 2025 for Reg S-P and S-ID violations; FINRA's 2026 Oversight Report flags voice spoofing, MFA fatigue, and AI-enabled fraud as primary vectors.
  • CalPrivacy DROP platform is live and audit rulemaking is underway. Over 242,000 deletion requests have been submitted since January 2026; mandatory broker audits begin January 2028; the comment period on audit standards closed May 7, 2026.
  • Stolen credentials are the dominant initial-access vector. Reporting synthesizing Verizon, IBM, and Darktrace data indicates that 49-70% of breaches now begin with compromised logins; the average cost of a breach involving credential theft reached $4.44 million in 2026.
  • Nation-state supply chain attacks are targeting software dependencies. North Korea-affiliated actors compromised the Axios npm package in a supply chain attack that exposed OpenAI's macOS app signing workflow; Russia-linked actors compromised 170+ Ukrainian prosecutors' email accounts.
  • Local government ransomware incidents are escalating. Winona County, Minnesota experienced its second ransomware attack in four months, prompting gubernatorial National Guard deployment, a rare state-level response that signals the ceiling on local incident-response capacity.
  • Quantum computing is an emerging encryption threat. Practitioner commentary flags the accelerating timeline for post-quantum cryptography migration as a compliance planning issue.

Latest developments.

  • Three new state privacy laws activated January 1, 2026 (Indiana, Kentucky, Rhode Island), bringing active regimes to 20; California DELETE Act DROP platform live with August 1 broker-processing deadline and $200/day penalties
  • Federal judge allows data breach claims against Bain Capital to proceed for pre-acquisition PowerSchool breach — first ruling of its kind extending PE liability to portfolio company cyber failures
  • GrayRobinson faces multiple class actions over 2025 breach affecting 65,113 individuals; first suit filed four days after breach notifications issued
  • Stryker Q1 2026 earnings miss attributed directly to March 11 Iran-linked cyberattack disrupting operations across 61 countries; six employee lawsuits filed over stolen personal data
  • Mercor AI startup defending seven class actions after breach exposed contractor biometric data, recorded interviews, and background checks; Meta has paused its relationship with the company
  • CIRCIA finalization expected May 2026; Clark Hill flags commercial real estate as potentially covered under 16-sector critical infrastructure framework
  • RIA cybersecurity enforcement active: amended Reg S-P in effect for larger advisers; SEC exam priorities include governance, data loss prevention, and ransomware preparedness
  • Nelson Mullins publishes playbook framing viral social media posts as cyber incidents requiring tabletop-exercise preparation and designated response teams
  • HaystackID's EU expansion highlights EU e-Evidence Regulation compliance pressure on multinational eDiscovery workflows
  • IRS-ICE tax data sharing injunctions remain in effect after court finds approximately 42,695 disclosures violated federal law; IRS Chief Privacy Officer resigned

Active questions and open splits.

  • PE-level breach liability standard. The Bain/PowerSchool ruling has not yet detailed its reasoning for piercing the corporate structure or the standard for when post-closing cost-cutting decisions retroactively expose a PE firm to predecessor-breach liability. The doctrine is unsettled and the decision will be closely watched for its reasoning.
  • AI training data and contractor privacy rights. The Mercor litigation tests whether biometric data collection, worker monitoring, and use of contractor-generated materials for model training without explicit consent constitute actionable privacy violations; no settled federal standard governs this in the AI training context.
  • Shadow AI as a reportable breach vector. Whether regulators will treat unsanctioned AI use, where employees share enterprise data with third-party platforms, as a notice-required event or as a contributing factor in enforcement is unresolved; no agency has yet named it as a standalone trigger.
  • "Silent ransom" notification timing. When extortion occurs without traditional ransomware indicators (no encryption, no system lockup), the point at which the notification clock starts and what constitutes a reportable "incident" under state and federal frameworks remains contested.
  • CIRCIA covered-entity scope. The final rule has not yet defined which commercial real estate operations, professional service firms, or technology companies fall within the 16 critical infrastructure sectors; clients in adjacent industries cannot yet determine their reporting obligations.
  • Geopolitically motivated breach liability. Stryker's Iran-linked attack and the Mercor breach both raise the question of whether courts will apply a different liability standard when the threat actor is a state-affiliated hacktivist group versus a commercial ransomware operator, particularly for healthcare infrastructure.
  • VPPA circuit split on Meta Pixel claims. Federal courts continue to diverge on whether Facebook User IDs transmitted via Meta Pixel constitute personally identifiable information under the Video Privacy Protection Act, creating inconsistent exposure for media and e-commerce clients.

What to watch.

  • CISA CIRCIA final rule publication, expected May 2026, which will define covered entities, penalty structures, and the operative meaning of "substantial" cybersecurity incident across 16 sectors.
  • Further proceedings in the Bain/PowerSchool case, particularly the court's written reasoning on the PE liability standard and what due-diligence or post-closing governance practices would have broken the chain.
  • California DROP platform enforcement actions and the first audit standards published by CalPrivacy; the comment period closed May 7, 2026, making rulemaking the next milestone.
  • Whether any state AG or the FTC names unsanctioned AI tool use as a contributing factor in a breach enforcement action, which would crystallize the shadow-AI notification question.
  • Discovery in the Mercor class actions, specifically what contractual language governed data use between Mercor and its AI-company clients, and whether those agreements disclosed the scope of monitoring and model training to workers.
  • GrayRobinson litigation motions practice; the case will produce early rulings on the duty-of-care standard for law firms handling sensitive client data, with direct precedential implications for the profession.
