Weekly Security Brief

Week of Sunday, May 31, 2026

Key Insights

1. "Prove Someone Looked" Is No Longer Your Defense

For over a decade, California companies facing data breach lawsuits could ask one question that usually ended the case: can you prove anyone actually viewed the stolen data? On May 14, the California Supreme Court eliminated that defense.

In J.M. v. Illuminate Education, the court unanimously held that a breach of confidentiality under the Confidentiality of Medical Information Act (CMIA, one of the nation's strongest state medical privacy statutes) occurs when medical information is exposed to a significant risk of unauthorized access or use. Actual viewing is no longer required.

The case involved an ed-tech company that provided data management platforms to school districts. A breach in late 2021 exposed student medical information including diagnoses and treatment plans. The company took five months to notify affected families. Justice Liu, writing for a unanimous court, dismantled the old standard: "A regime that conditions liability on proof of actual viewing is hard to square with a statute that authorizes recovery without proof of actual harm."

The court went further, noting that the prior rule "fits an earlier era of data theft. It doesn't fit how breaches happen in 2026." The opinion specifically flagged that modern breaches may involve artificial intelligence or automated systems that exploit data without anyone ever looking at it.

The practical shift is immediate. The CMIA allows $1,000 in statutory damages per violation with no proof of actual harm. Under the old rule, a stolen laptop that was never opened generated no liability. Under the new standard, if that laptop contained medical information and was exposed to significant risk, every affected individual has a claim. Multiply that across a breach affecting thousands of records and the math changes fast.

The ruling's reach extends beyond hospitals. Any organization holding medical information, whether through employer wellness programs, student health records, fitness apps, or digital health vendors, now faces the lower threshold. Justice Groban's concurrence added a guardrail: the risk must be "realistic and appreciable, not mere theoretical exposure." But the direction is clear.

The Takeaway
Your breach response playbook was probably built around a question: did anyone actually see the data? California's highest court just ruled that question is irrelevant. Exposure to significant risk is enough. This applies to any organization holding medical information on California residents, whether through wellness programs, employee benefits platforms, or health-adjacent apps. And California privacy law has a habit of spreading. Other states tend to follow. Have outside counsel review your data classification for anything that qualifies as medical information and assess your exposure regardless of where you are headquartered.

2. You Will Be Sued Before Your Forensic Report Is Finished

On April 1, the ShinyHunters extortion group social-engineered a Charter Communications employee into handing over their Microsoft Entra (formerly Azure Active Directory) credentials through a voice phishing call. From that single set of credentials, the attacker pivoted into Charter's Salesforce CRM (customer relationship management system) and extracted customer and employee records before Charter detected the intrusion.

Charter confirmed millions of customer records and tens of thousands of employee records were exposed, including names, addresses, phone numbers, account details, and customer support ticket histories. Charter refused to pay a ransom. ShinyHunters published the data.

Within days of public disclosure, class action lawsuits were filed in federal court in Connecticut. Plaintiff firms are now running automated monitoring on SEC filings and dark web data dumps. The moment a breach goes public, the complaint is already drafted.

The Takeaway
Charter's breach went public. Days later, federal class actions landed. Plaintiff firms now automate the surveillance that used to take months of manual research. Your General Counsel needs litigation holds drafted, breach counsel pre-engaged, and board communications ready before the 8-K is filed. Assembling that response after disclosure means the other side is already in court while you are still getting organized.

3. Your Acquisition Just Bought Someone Else's Breach

California Attorney General Rob Bonta sued Chrome Holding Co., the entity that emerged from 23andMe's bankruptcy, on May 28. The complaint alleges the company failed to protect 6.9 million users' genetic profiles, took five months to detect the breach, paid a ransom to the threat actor while publicly claiming no systems were compromised, and shifted blame to customers for reusing passwords.

The original attack was credential stuffing. Hackers used passwords stolen from other breaches to log into roughly 14,000 accounts. From there, they used the DNA Relatives feature to access genetic data on 6.9 million connected users who never reused a password or failed a security check. Bonta's complaint cites violations of California's Genetic Information Privacy Act, the California Consumer Privacy Act (CCPA), and three other state statutes.

The precedent matters more than the penalty. 23andMe filed for bankruptcy in March 2025. Chrome Holding Co. bought the assets. The AG is now suing the successor entity, and separately challenging the sale of genetic data in federal bankruptcy court. Breach liability followed the data through a corporate restructuring.

The Takeaway
Breach liability follows the asset, not the company name. If you are acquiring a company, their unresolved breaches, their pending investigations, and their security failures become yours the moment the deal closes. If a vendor holding your employees' health or biometric data goes under, that data becomes a bankruptcy asset, and the trustee's obligation is to creditors, not to your people's privacy. Two things to do now: make sure your M&A due diligence includes a cybersecurity liability review, and make sure every vendor contract that touches sensitive data requires deletion of your data on termination, dissolution, or change of ownership.

4. The Data You Sell About Where People Go Can Now Get People Killed

Three things happened in May that turned commercial location data from a business asset into a liability.

The Federal Trade Commission (FTC) permanently banned data broker Kochava from selling precise location data linked to health clinics, places of worship, domestic violence shelters, and addiction treatment facilities. The four-year case established that selling location data revealing visits to sensitive locations is an unfair trade practice under Section 5 of the FTC Act. Kochava must implement a comprehensive sensitive location data program, verify consumer consent at the source, and report to the FTC when third parties violate data requirements. The order is long-term and includes ongoing compliance obligations.

Virginia became the third state to ban precise geolocation data sales outright. SB 338, effective July 1, prohibits the sale of precise location data without prior consent. Virginia joins Oregon and Maryland. The bill passed unanimously. This is not an opt-out regime. It is a flat ban.

Then US Central Command (CENTCOM) confirmed in a letter to Senator Ron Wyden that adversaries purchased commercially available location data from brokers to identify where US troops congregate and map their movements for targeting. This is not new. In 2018, Strava fitness tracking data revealed the outlines of secret military bases when soldiers' jogging routes showed up as bright lines in the middle of empty desert. The difference now is scale and intent. Troops carry personal phones with advertising identifiers that broadcast their location through ordinary apps. Military officials warned that commercial tracking data can be used to generate targeting coordinates. Fourteen bipartisan lawmakers demanded the Pentagon disable advertising identifiers on all government devices. The same data pipeline the FTC is shutting down domestically is the one foreign militaries used to target service members in an active combat theater.

The Takeaway
The FTC banned it. Virginia outlawed it. The Pentagon confirmed adversaries used it to plan strikes. If your company collects precise location data through apps, devices, or fleet tools and shares it with any third party, have your Chief Privacy Officer audit those data-sharing agreements this quarter. Enforcement is only going to get stricter from here.

5. The Coverage You Assumed You Had for AI Is Disappearing

Berkshire Hathaway, Chubb, and Travelers began filing AI exclusion endorsements with state insurance regulators in late 2025. Regulators approved more than 80 percent of the applications. In January 2026, ISO (the insurance industry's standards body) issued three new generative AI exclusion forms for commercial general liability policies. The exclusions carve out bodily injury, property damage, defamation, and intellectual property infringement tied to AI-generated outputs.

Berkley Insurance filed the broadest language: an "absolute AI exclusion" for directors and officers (D&O), errors and omissions (E&O), and fiduciary policies that eliminates coverage for "any actual or alleged use, deployment, or development of Artificial Intelligence." The trigger was volume. Generative AI lawsuits increased nearly tenfold between 2020 and 2025 according to Gallagher Re. Chubb CEO Evan Greenberg told analysts that the AI-driven cyber threat amounts to an "arms race."

Think about what falls through this gap. Your HR team used an AI screening tool that filtered out candidates over 40. Discrimination lawsuit. Not covered. Your marketing department published AI-generated copy that lifted phrases from a competitor's copyrighted material. IP infringement claim. Not covered. Your customer-facing chatbot hallucinated medical advice and someone acted on it. Bodily injury claim. Not covered. Your CEO used AI to draft a shareholder letter that contained inaccurate financial projections. Securities claim against the board. Under Berkley's absolute exclusion, not covered. Every one of these scenarios is already happening in courtrooms. The policies are being rewritten so that they no longer cover them.

A standalone AI liability market is forming. Lloyd's of London coverholder Armilla AI offers up to $25 million. Munich Re and several startups offer coverage from $2 million to $50 million. But most mid-market companies do not know the gap exists.

The Takeaway
Pull your D&O and commercial general liability policies and search for "artificial intelligence" in the exclusions. If the exclusion is already there, you need to know what you lost. If it is not there yet, it will likely be at your next renewal. The time to plan for that gap is now. Raise it with your risk manager before the broker does.

6. New York's Financial Regulator Just Told You AI Is a Governance Problem

On May 21, the New York Department of Financial Services (NYDFS, the state regulator overseeing banks, insurers, and crypto firms operating in New York) issued two industry letters to its regulated entities. The first, addressed to CISOs, warns specifically about frontier AI risks. The second provides broader guidance for operating in a heightened threat environment. The letters warn that frontier AI models are accelerating vulnerability discovery, exploit development, and social engineering attacks, citing a CrowdStrike finding of an 89 percent year-over-year increase in AI-enabled attacks.

NYDFS does not create new rules through industry letters. It does something more effective: it tells you what it expects, then examines you against those expectations. When NYDFS issued guidance on ransomware payments in 2021, enforcement followed. When it published cybersecurity expectations for third-party vendors, those expectations became examination checkboxes. This is the same pattern.

The letters lay out three categories of action: reduce your attack surface (patch faster, deploy phishing-resistant multi-factor authentication, segment networks), improve threat detection (log anomalous activity, validate third-party code, train employees on AI-enhanced social engineering), and build resilience (test your recovery procedures, verify backup integrity, establish communication plans for when systems go down). The letters also specifically call for human oversight of AI-generated code before it reaches production. If your developers are shipping code written by AI tools without review, NYDFS just told you that is a control failure.

The Takeaway
NYDFS regulates every bank, insurer, and licensed financial entity operating in New York. If your company is one, or does business with one, these letters define what the next examination will measure. The pattern is consistent: NYDFS signals, then examines, then enforces. The signal just went out. The examination is next.

7. Your Vendor Rewrote the Contract Over Memorial Day Weekend

On the Friday before Memorial Day, Microsoft updated its Data Processing Agreement (DPA, the contract governing how Microsoft handles your organization's data) to reduce the notice period for introducing new AI subprocessors from six months to 30 days. A subprocessor is a third-party company Microsoft contracts to process your data. In the AI context, that includes companies like Anthropic powering features inside Copilot and Azure.

If you object within 30 days, your option is to terminate the affected subscription without penalty. But Microsoft bundles products. Rejecting one AI subprocessor could require terminating your entire Microsoft 365 subscription: email, Teams, SharePoint, OneDrive, everything.

For organizations subject to GDPR (the European Union's data protection regulation, which requires controllers to have a meaningful opportunity to object to subprocessor changes under Article 28), HIPAA (the US health data privacy law), or state privacy laws, 30 days may not be enough to complete a data protection impact assessment, update privacy notices, and brief the board.

The Takeaway
Read Microsoft's updated DPA at aka.ms/DPA. If your organization has data residency or regulatory obligations governing who processes your data, 30 days is not enough time to evaluate, object, or migrate. The update took effect May 22.
