Weekly Security Brief

Week of Sunday, June 7, 2026

Key Insights

1. The Government Can Collect Before You Get Your Day in Court

On June 4 and 5, the Supreme Court issued two rulings that changed how federal agencies can come after companies.

In the first case, AT&T and Verizon were fined a combined $104 million by the FCC (Federal Communications Commission) for selling customers' real-time phone location data to third parties without consent. The carriers argued they had a constitutional right to a jury trial before paying. The Court disagreed, 8-1. Chief Justice Roberts held that the FCC can impose penalties through its own administrative process. A jury only enters the picture if the government later sues to collect in federal court, and that step is not guaranteed to happen.

In the second case, the SEC (Securities and Exchange Commission) went after a stock trader for running a pump-and-dump scheme and demanded he surrender his profits. He argued the SEC had to prove that specific investors actually lost money before it could take anything. The Court disagreed unanimously, 9-0. Justice Gorsuch wrote that the SEC can order you to give back profits based solely on the fact that you broke the rules. No identified victim required. No specific dollar of loss required.

These two rulings work together. The first means agencies can fine you without a jury. The second means they can take your profits without proving anyone was harmed. For any federal agency that operates a similar enforcement structure, and most do, the path from investigation to penalty just got shorter and less expensive to travel.

The timing is pointed. The SEC's expanded breach notification rule, Regulation S-P (which requires financial firms to notify customers within 30 days of a data breach), took full effect for smaller firms on June 3. The SEC has been quiet about enforcement so far. But the Court just removed two of the procedural barriers that made enforcement slow and costly to pursue.

The Takeaway
These rulings apply to every federal agency with penalty authority. If your organization misses a filing deadline, botches a required disclosure, or falls short of a compliance obligation, the agency on the other end can now move faster and recover more with fewer procedural hurdles in its way. You may not get a courtroom. Have regulatory counsel on retainer before you need them. The companies that scramble to find representation after an inquiry arrives are the ones these rulings hurt most.

2. The Attackers Walked Into the Law Firm and Plugged In a USB Drive

On May 26, the FBI issued a flash alert warning that the Silent Ransom Group, an extortion operation also tracked as Luna Moth, has begun sending operatives into US law firm offices posing as IT support technicians. They walk past reception, plug USB drives into workstations, and copy files. No malware. No ransomware encryption. No locked screens. The systems keep running while the data walks out the door. According to BleepingComputer, 38 firms have already had client data leaked, with demands ranging from $1 million to $8 million.

This is not a phishing campaign that a spam filter catches. It is a person standing at a workstation in a building where they were never verified. The technical controls your security team spent years building were designed for remote attackers. They were not designed for someone who walked through the front door.

The target is not the law firm. It is the law firm's clients. Your outside counsel holds your M&A strategy, your litigation exposure, your employment disputes, your board minutes, your regulatory correspondence. When that firm is compromised, your most sensitive information is compromised with it, and you may not find out for weeks.

The Takeaway
If someone can walk into a law firm unchallenged, they can walk into your office too. The defense here is not another tool. It is whether your receptionist is empowered to stop someone, whether IT visits require a confirmed appointment, and whether anyone has checked if USB ports are still set to allow-all because someone complained years ago. Ask your outside counsel whether they received the FBI advisory. Then ask your own facilities team when the last unannounced walk-in test happened.

3. The Headhunter on LinkedIn Is a Chinese Intelligence Officer

On June 4, the Five Eyes intelligence alliance published its first-ever joint bulletin titled "Safeguarding Our Secrets," warning that China's military intelligence services are systematically impersonating headhunters on LinkedIn to recruit sources inside government, defense, media, and any organization with access to trade secrets or sensitive technology. The fake recruiters operate through front companies with storefronts in Singapore and New York. They offer cash for "articles" and "market insights," requests that sound like consulting work until the questions narrow to classified programs, proprietary processes, or deal timelines. Payments arrive through PayPal, Wise, Zelle, and cryptocurrency.

The International Consortium of Investigative Journalists (ICIJ) published a parallel investigation confirming the operational details. ICIJ reporters covering China were personally targeted during the investigation, validating that the recruitment pipeline is active and indiscriminate. The FBI's contribution to the bulletin was blunt: "Applicants beware! The threat is real." Beijing's UK Embassy formally denied the allegations, calling them "purely false" and "malicious slander."

The pitch is designed to feel normal. A LinkedIn message from a recruiter at a firm you have never heard of, offering a paid research engagement. The first assignment is harmless. The second asks for something slightly more specific. By the third, the target is providing material they would not hand to a stranger on the street but will share with someone who has been paying them for two months.

The Takeaway
Your insider threat program is built to catch the disgruntled employee. This targets your most connected, most LinkedIn-active executives, the ones who would never think of themselves as a security risk. Make sure your leadership team knows this campaign exists and what the approach looks like.

4. The World Cup Starts Wednesday. So Does the Fraud Season.

The FIFA World Cup kicks off June 11, with matches across 11 US cities and additional venues in Mexico and Canada. The fraud is not coming with it. It is already here. More than 4,300 fraudulent domains spoofing FIFA ticketing, hotels, and merchandise are already live. Banking malware is being distributed through pirate streaming apps promising free match access. A Chinese-speaking threat group tracked as Ghost Stadium has been identified running credential-harvesting campaigns against tournament infrastructure. The FBI issued a public service announcement on May 27 warning of spoofed FIFA websites. Recorded Future published a threat assessment flagging state-sponsored espionage targeting executives at matches and influence operations using the event as a platform.

The fraud will look like a travel booking confirmation from a hotel your assistant found online. It will look like an invoice from the hospitality vendor your sales team hired for a client event in Dallas. It will look like a last-minute request to wire funds for a suite upgrade that came from a spoofed email address one character off from your event coordinator's. These are the same patterns from the 2022 Qatar tournament and the 2024 Paris Olympics, now scaled across three countries over six weeks.
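The "one character off" address in the paragraph above is the easiest of these spoofs to screen for mechanically. The Python script below is an added example for this brief, not code from the original article or from any vendor or product; it assumes the finance team keeps a short list of trusted vendor domains, compares each inbound sender domain against that list by edit distance after folding common look-alike characters (a digit 1 for the letter l, rn for m), and returns the messages that deserve the phone call the brief recommends. Every domain and address in it is a constructed sample.

```python
"""Added example: screen inbound sender domains for lookalikes of trusted
vendor domains (the "one character off" spoof pattern).
All domains and addresses below are constructed samples, not real ones."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Characters commonly swapped for visually similar ones. Folding them before
# comparison lets "grandhote1" line up with "grandhotel". This is a heuristic:
# legitimate domains containing digits will also be folded.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(domain: str) -> str:
    """Lowercase, strip a trailing dot, and fold homoglyphs to their targets."""
    d = domain.strip().lower().rstrip(".")
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    address: str
    closest: Optional[str]   # trusted domain it most resembles, if any
    distance: Optional[int]  # edit distance after homoglyph folding
    flag: str                # "trusted", "lookalike" or "unknown"


def assess_sender(address: str, trusted: Iterable[str], max_distance: int = 1) -> Verdict:
    """Classify one sender address against the list of trusted vendor domains."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    trusted = [t.lower() for t in trusted]
    # Exact domain, or a genuine subdomain of it (mail.vendor.example): trusted.
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return Verdict(address, t, 0, "trusted")
    # Otherwise find the nearest trusted domain after folding homoglyphs.
    norm = normalize(domain)
    best_t, best_d = None, None
    for t in trusted:
        d = levenshtein(norm, normalize(t))
        if best_d is None or d < best_d:
            best_t, best_d = t, d
    if best_d is not None and best_d <= max_distance:
        return Verdict(address, best_t, best_d, "lookalike")
    return Verdict(address, best_t, best_d, "unknown")


def screen(addresses: Iterable[str], trusted: Iterable[str]) -> List[Verdict]:
    """Return every verdict that is not plainly trusted, i.e. needs a second look."""
    trusted = list(trusted)
    return [v for v in (assess_sender(a, trusted) for a in addresses) if v.flag != "trusted"]


# Constructed sample data: two vendors the finance team actually works with,
# and four inbound senders seen during the tournament window.
TRUSTED_DOMAINS = ["eventco.example", "grandhotel.example"]
SAMPLE_SENDERS = [
    "coordinator@eventco.example",    # genuine
    "coordinator@evenco.example",     # one character dropped
    "billing@grandhote1.example",     # digit 1 in place of the letter l
    "sales@unrelated.example",        # not a vendor at all
]

if __name__ == "__main__":
    for v in screen(SAMPLE_SENDERS, TRUSTED_DOMAINS):
        print(f"{v.flag:9} {v.address:32} closest={v.closest} distance={v.distance}")
```

Run as written it prints the three senders that would be escalated; in practice the trusted list comes from the approved-vendor register and the sender list from the mail gateway's logs. A distance of 1 catches a single dropped, added or swapped character, which is the pattern the brief describes; raising max_distance widens the net at the cost of more false alarms.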

The Takeaway
For the next six weeks, any unusual request tied to travel, hospitality, ticketing, or event logistics should get a second look and a phone call to confirm. Wire transfer requests, new vendor setups, and last-minute booking changes are the highest-risk transactions during a major international event. Brief your finance and procurement teams before Wednesday. Not after the first invoice clears.

5. The EU Just Drew a Line Around Its Cloud

The European Commission published the Cloud and AI Development Act (CADA), a framework that divides cloud providers into four tiers based on how much sovereignty they offer. The higher the tier, the more sensitive the government contracts you can compete for. The catch: American cloud providers cannot reach the top two tiers without fundamentally restructuring how they operate. EU Vice President Henna Virkkunen framed the rationale directly: "We want to be sure nobody has a kill switch."

At level one, your data sits in the EU. Any provider can do this. It qualifies you for routine government work like event management and general administration. At level two, you must also demonstrate independence from non-EU legal jurisdictions, meaning the US CLOUD Act (which lets American courts compel US companies to hand over data stored abroad) cannot reach you. That is a structural problem for AWS, Azure, and Google Cloud, not a configuration setting. Level two opens critical infrastructure contracts in energy, healthcare, and digital services. At level three, the provider must be EU-owned and EU-controlled, with no third-country entity in the ownership chain. American hyperscalers are structurally excluded. This tier covers sensitive civilian government systems. Level four adds full supply-chain sovereignty down to the hardware and firmware layer, and opens defense, intelligence, and law enforcement contracts.

The providers that qualify for the top tiers today, OVHcloud, Deutsche Telekom's T-Systems, and a handful of smaller European firms, do not match the scale or feature set of the American platforms they would replace. The EU is betting that procurement rules will create the market that does not yet exist.

The law is not final. It was proposed June 3 and is unlikely to take binding effect before 2027. But the signal is clear: the EU is building a procurement wall where your cloud vendor determines which contracts you can bid on.

The Takeaway
If your business competes for EU public-sector contracts, your cloud provider is about to become a ceiling on what work you can win. Start the conversation with your cloud vendor about their CADA tier eligibility now, while there is still time to plan, not after the procurement requirements change.

6. Four African Nations Just Locked the Door on Your Battery Supply Chain

In the past month, three African countries enacted restrictions on raw mineral exports, and a regional bloc launched an initiative to spread the model across sixteen more. Mozambique passed a new mining law requiring 15 percent free state equity in all mining ventures and banning the export of unprocessed minerals. Mozambique is the world's third-largest graphite producer, a critical input for EV battery anodes. Zimbabwe banned all raw mineral and lithium concentrate exports in February, then in April granted conditional export quotas to six mines that committed to building domestic processing plants by January 2027 and paying a 10 percent export tax. The Democratic Republic of Congo, which produces more than 70 percent of the world's cobalt, reclassified lithium as a strategic mineral and raised royalties from 3.5 to 10 percent of gross revenue. The Southern African Development Community (SADC, the regional bloc covering 16 nations) launched a five-year, EU-funded initiative to build critical minerals processing capacity across six member states.

This is not one country making a political statement. It is a coordinated shift in how an entire continent intends to do business. The model is straightforward: if you want the minerals, build the processing plant here or do not get them at all.

The Takeaway
China has been building processing capacity in Africa for years. Western companies largely have not. These export bans will accelerate that gap. The cost of lithium, cobalt, and graphite will rise, and it will show up in everything from EV batteries to grid storage to the electronics in your server room.

7. Customs Fraud Just Became a Half-Billion-Dollar Problem

For years, companies importing goods from China have used a simple workaround to avoid the tariffs designed to stop foreign manufacturers from undercutting American competitors by selling below cost. Ship the product to a third country like Vietnam, Malaysia, or Mexico. Relabel it. Import it into the US under the new country of origin. The duties that were designed to protect American manufacturers never get paid. The practice is so widespread that trade lawyers have a name for it: transshipment.

On May 13, Perfectus Aluminum agreed to pay $549.5 million to settle False Claims Act allegations that it evaded customs duties on Chinese aluminum extrusions. The company had spot-welded the extrusions into fake pallets that no customer ever purchased, then declared them as finished merchandise exempt from duties. The settlement is ten times larger than any prior customs fraud case in US history. Two weeks later, the government filed a $286 million claim against First Brands Group, a bankrupt auto parts supplier, for undervaluing Chinese brake-part imports to reduce tariff exposure. Canadian steel firms Farjess and Royal Canadian Steel settled for $19 million on similar charges. Three enforcement actions in three weeks, totaling more than $850 million.

Then on June 3, President Trump signed an executive order titled "Strengthening Customs Enforcement." It sets a minimum penalty floor of 50 percent of the assessed duty on any customs violation and eliminates mitigation for repeat offenders. It bars foreign importers from using informal entry processes for low-value shipments and requires disclosure of beneficial ownership. CBP (Customs and Border Protection) is directed to assign risk-based compliance tiers to every importer on its registry.

The old math was simple: the duty savings outweighed the slim chance of getting caught. The new math is different. The settlements prove the government is looking. The executive order proves they intend to keep looking. And the penalty floor means the cost of getting caught just doubled.

The Takeaway
For years, companies that paid full duties on imported materials watched competitors undercut them with transshipment schemes that kept costs artificially low. That advantage is disappearing. If your supply chain is clean, your competitive position just got stronger. And if you are evaluating suppliers, the ones who can prove legitimate sourcing are worth more today than they were last month.