{
  "meta": {
    "generated": "2026-03-13",
    "previousCrawl": "2026-02-17",
    "currentCrawl": "2026-03-13",
    "totalTracked": 1485,
    "newCount": 25,
    "risingCount": 22,
    "stableCount": 1428,
    "decliningCount": 10
  },
  "enforcement": [
    {
      "entity": "Reddit",
      "fine": "GBP 14.47M",
      "dpa": "UK ICO",
      "reason": "Children's data, no age verification",
      "date": "2026-02-24"
    },
    {
      "entity": "Free Mobile",
      "fine": "EUR 27M",
      "dpa": "CNIL",
      "reason": "Data breach failures",
      "date": "2026-02"
    },
    {
      "entity": "Free (fixed-line)",
      "fine": "EUR 15M",
      "dpa": "CNIL",
      "reason": "Data breach failures",
      "date": "2026-02"
    },
    {
      "entity": "Imgur/MediaLab",
      "fine": "GBP 247,590",
      "dpa": "UK ICO",
      "reason": "No age verification, no parental consent",
      "date": "2026-02"
    }
  ],
  "deadlines": [
    {
      "regulation": "HIPAA NPP Revision",
      "deadline": "2026-02-16",
      "sector": "Healthcare"
    },
    {
      "regulation": "CFPB Data Rights Rule",
      "deadline": "2026-04-01",
      "sector": "Financial"
    },
    {
      "regulation": "COPPA Rule",
      "deadline": "2026-04-22",
      "sector": "Children"
    },
    {
      "regulation": "Colorado AI Act",
      "deadline": "2026-06-30",
      "sector": "AI/Technology"
    },
    {
      "regulation": "CA DROP Enforcement",
      "deadline": "2026-08-01",
      "sector": "Data Brokers"
    },
    {
      "regulation": "EU AI Act High-Risk",
      "deadline": "2026-08-02",
      "sector": "AI/Technology"
    }
  ],
  "competitors": [
    {
      "name": "Nightfall AI",
      "update": "Browser DLP v8.6.0",
      "threat": "HIGH",
      "date": "2026-03-05"
    },
    {
      "name": "A5 PII Anonymizer",
      "update": "New Electron desktop app",
      "threat": "LOW",
      "date": "2026-03"
    },
    {
      "name": "Strac",
      "update": "SaaS DLP positioning",
      "threat": "MEDIUM",
      "date": "2026-03"
    },
    {
      "name": "Microsoft Fabric AI",
      "update": "Native PII detection functions",
      "threat": "MEDIUM",
      "date": "2026-03"
    },
    {
      "name": "Cloudflare WAF",
      "update": "PII detection capability",
      "threat": "LOW",
      "date": "2026-03"
    }
  ],
  "trends": [
    {
      "trackId": 1,
      "categoryId": 10,
      "pointId": 11,
      "title": "Chrome Extension AI Chat Theft at Scale",
      "direction": "new",
      "score": 0.95,
      "previousScore": 0,
      "evidence": "900K users compromised, 300+ malicious extensions, 20K enterprise tenants affected (Microsoft Defender March 5, 2026). Prompt poaching — new attack category.",
      "sources": [
        {
          "name": "The Hacker News",
          "url": "https://thehackernews.com/2026/01/two-chrome-extensions-caught-stealing.html"
        },
        {
          "name": "Microsoft Security Blog",
          "url": "https://www.microsoft.com/en-us/security/blog/2026/03/05/malicious-ai-assistant-extensions-harvest-llm-chat-histories/"
        }
      ]
    },
    {
      "trackId": 1,
      "categoryId": 9,
      "pointId": 11,
      "title": "Discord DAVE E2EE Text Gap",
      "direction": "new",
      "score": 0.72,
      "previousScore": 0,
      "evidence": "DAVE protocol mandatory March 2, 2026 for voice/video. Text messages remain without end-to-end encryption — the primary PII exposure vector.",
      "sources": [
        {
          "name": "Discord Blog",
          "url": "https://discord.com/blog/bringing-dave-to-all-discord-platforms"
        }
      ]
    },
    {
      "trackId": 1,
      "categoryId": 11,
      "pointId": 11,
      "title": "SaaS Credential Abuse as Defining 2026 Threat",
      "direction": "new",
      "score": 0.88,
      "previousScore": 0,
      "evidence": "Attackers exploit valid credentials, not zero-days. MFA impersonation surging. 2026 identified as Year of SaaS Breaches.",
      "sources": [
        {
          "name": "Cyber Defense Magazine",
          "url": "https://www.cyberdefensemagazine.com/why-2026-will-be-the-year-of-saas-breaches/"
        }
      ]
    },
    {
      "trackId": 2,
      "categoryId": 7,
      "pointId": 11,
      "title": "MCP Server Security Crisis",
      "direction": "new",
      "score": 0.92,
      "previousScore": 0,
      "evidence": "8,000+ MCP servers publicly exposed. 492 with zero auth. 36.7% vulnerable to SSRF. CVE-2026-25253 CVSS 8.8.",
      "sources": [
        {
          "name": "Red Hat",
          "url": "https://www.redhat.com/en/blog/model-context-protocol-mcp-understanding-security-risks-and-controls"
        },
        {
          "name": "PointGuard AI",
          "url": "https://www.pointguardai.com/blog/the-mcp-security-crisis-why-your-ai-agents-are-an-open-door"
        }
      ]
    },
    {
      "trackId": 2,
      "categoryId": 10,
      "pointId": 11,
      "title": "Cursor IDE Vulnerabilities — Privacy Mode Insufficient",
      "direction": "new",
      "score": 0.85,
      "previousScore": 0,
      "evidence": "CVE-2026-22708 (March 2026), 5 prior CVEs, MCP auto-start RCE, Privacy Mode gaps.",
      "sources": [
        {
          "name": "SentinelOne",
          "url": "https://www.sentinelone.com/vulnerability-database/cve-2026-22708/"
        }
      ]
    },
    {
      "trackId": 2,
      "categoryId": 1,
      "pointId": 11,
      "title": "Multi-Language PII Detection 22.7% Precision",
      "direction": "rising",
      "score": 0.88,
      "previousScore": 0.65,
      "evidence": "22.7% precision in mixed-language enterprise datasets, i.e. 3.4 false positives per correctly detected PII entity. February 2026 benchmark.",
      "sources": [
        {
          "name": "Advancing Analytics",
          "url": "https://www.advancinganalytics.co.uk/blog/building-pii-redaction-that-reasons-not-just-recognises"
        }
      ]
    },
    {
      "trackId": 2,
      "categoryId": 7,
      "pointId": 12,
      "title": "Prompt Injection via MCP Auto-Start",
      "direction": "rising",
      "score": 0.9,
      "previousScore": 0.6,
      "evidence": "MCP auto-start attack vector confirmed in Cursor. Prompt injection via repo files. New prompt poaching category.",
      "sources": [
        {
          "name": "AIM Security",
          "url": "https://www.aim.security/post/when-public-prompts-turn-into-local-shells-rce-in-cursor-via-mcp-auto-start"
        }
      ]
    },
    {
      "trackId": 3,
      "categoryId": 4,
      "pointId": 11,
      "title": "dbt/Snowflake Pipeline Masking Ingestion Gap",
      "direction": "new",
      "score": 0.75,
      "previousScore": 0,
      "evidence": "Raw PII enters Snowflake unmasked before tag-based policies apply. dbt masking is applied only at query time, not at ingestion.",
      "sources": [
        {
          "name": "Cloudyard",
          "url": "https://cloudyard.in/2025/12/data-masking-with-snowflake-tags-and-dbt-post-hooks/"
        }
      ]
    },
    {
      "trackId": 3,
      "categoryId": 1,
      "pointId": 11,
      "title": "A5 PII Anonymizer — New Desktop Competitor",
      "direction": "new",
      "score": 0.55,
      "previousScore": 0,
      "evidence": "Electron desktop app with ONNX LLM. ~10 entity types vs anonym.legal's 285+. MIT licensed.",
      "sources": [
        {
          "name": "GitHub",
          "url": "https://github.com/AgenticA5/A5-PII-Anonymizer"
        }
      ]
    },
    {
      "trackId": 3,
      "categoryId": 1,
      "pointId": 12,
      "title": "Nightfall AI Browser DLP v8.6.0",
      "direction": "new",
      "score": 0.9,
      "previousScore": 0,
      "evidence": "Chrome/Edge/Firefox/Safari. Monitors ChatGPT/Claude/Gemini/DeepSeek in real-time. Launched Jan 21, 2026.",
      "sources": [
        {
          "name": "PR Newswire",
          "url": "https://www.prnewswire.com/news-releases/nightfall-unveils-ai-browser-security-solution-to-stop-data-exfiltration-in-real-time-302666771.html"
        }
      ]
    },
    {
      "trackId": 3,
      "categoryId": 8,
      "pointId": 11,
      "title": "Discord eDiscovery and Legal Preservation",
      "direction": "new",
      "score": 0.58,
      "previousScore": 0,
      "evidence": "Discord messages subject to legal preservation orders. PII redaction needed before court production.",
      "sources": [
        {
          "name": "Dordulian Law Group",
          "url": "https://dlawgroup.com/preserve-discord-evidence-legal-cases/"
        }
      ]
    },
    {
      "trackId": 3,
      "categoryId": 10,
      "pointId": 11,
      "title": "Reversible Anonymization for LLM Usage Validated",
      "direction": "new",
      "score": 0.72,
      "previousScore": 0,
      "evidence": "DZone published guide validating reversible data anonymization for LLM usage — exact anonym.legal approach.",
      "sources": [
        {
          "name": "DZone",
          "url": "https://dzone.com/articles/llm-pii-anonymization-guide"
        }
      ]
    },
    {
      "trackId": 5,
      "categoryId": 3,
      "pointId": 11,
      "title": "Microsoft Copilot DLP Bypass",
      "direction": "new",
      "score": 0.92,
      "previousScore": 0,
      "evidence": "Copilot summarized confidential emails despite DLP sensitivity labels. Second bypass in 8 months. Detected Jan 21, fixed Feb 2026.",
      "sources": [
        {
          "name": "The Register",
          "url": "https://www.theregister.com/2026/02/18/microsoft_copilot_data_loss_prevention/"
        }
      ]
    },
    {
      "trackId": 5,
      "categoryId": 1,
      "pointId": 11,
      "title": "GDPR Enforcement Fines Feb-March 2026",
      "direction": "rising",
      "score": 0.85,
      "previousScore": 0.7,
      "evidence": "Reddit GBP 14.47M, Free/Free Mobile EUR 42M, Imgur GBP 247,590. Cumulative: EUR 5.88B across 2,245 penalties.",
      "sources": [
        {
          "name": "Brabners",
          "url": "https://www.brabners.com/insights/data-protection/reddits-14-47m-ico-fine-what-uk-businesses-need-to-do-as-child-protection-enforcement-ramps-up"
        }
      ]
    },
    {
      "trackId": 6,
      "categoryId": 5,
      "pointId": 11,
      "title": "Shadow AI Governance Crisis",
      "direction": "new",
      "score": 0.9,
      "previousScore": 0,
      "evidence": "77% of employees paste company data into AI tools. 223 policy violations/month. 50% lack enforceable AI policies.",
      "sources": [
        {
          "name": "Kiteworks",
          "url": "https://www.kiteworks.com/cybersecurity-risk-management/ai-data-security-crisis-shadow-ai-governance-strategies-2026/"
        },
        {
          "name": "Endpoint Protector",
          "url": "https://www.endpointprotector.com/blog/the-new-insider-risk-copy-paste-into-ai-tools/"
        }
      ]
    },
    {
      "trackId": 6,
      "categoryId": 5,
      "pointId": 12,
      "title": "Privacy Fatigue Exceeds Concern in Impact",
      "direction": "rising",
      "score": 0.72,
      "previousScore": 0.55,
      "evidence": "Privacy fatigue has stronger impact on behavior than privacy concerns. Users prefer simple controls, clear explanations, visible boundaries.",
      "sources": [
        {
          "name": "Digital Privacy 2026",
          "url": "https://www.cccam2.net/digital-privacy-in-2026-why-users-are-paying/"
        }
      ]
    },
    {
      "trackId": 7,
      "categoryId": 7,
      "pointId": 11,
      "title": "California DROP Platform and Data Broker Penalties",
      "direction": "rising",
      "score": 0.72,
      "previousScore": 0.5,
      "evidence": "DELETE Act DROP platform live Jan 1, 2026. $200/request/day penalty Aug 2026. Florida CHINA Unit launched Feb 5.",
      "sources": [
        {
          "name": "Clark Hill LLP",
          "url": "https://www.clarkhill.com/news-events/news/is-your-business-a-data-broker-californias-drop-goes-live-and-calprivacy-continues-to-enforce-delete-act/"
        }
      ]
    },
    {
      "trackId": 8,
      "categoryId": 5,
      "pointId": 11,
      "title": "EU AI Act High-Risk System Requirements August 2026",
      "direction": "new",
      "score": 0.88,
      "previousScore": 0,
      "evidence": "Penalties up to EUR 35M or 7% turnover. Texas TRAIGA Jan 2026. Colorado AI Act Jun 30, 2026.",
      "sources": [
        {
          "name": "SecurePrivacy",
          "url": "https://secureprivacy.ai/blog/eu-ai-act-2026-compliance"
        }
      ]
    },
    {
      "trackId": 9,
      "categoryId": 10,
      "pointId": 11,
      "title": "FTC PADFAA Cross-Border Transfer Enforcement",
      "direction": "rising",
      "score": 0.7,
      "previousScore": 0.5,
      "evidence": "FTC warning letters to 13 data brokers Feb 9, 2026. US bilateral trade agreements with Indonesia/Malaysia/Thailand. 80%+ cite data sovereignty as strategic priority.",
      "sources": [
        {
          "name": "Mayer Brown",
          "url": "https://www.mayerbrown.com/en/insights/publications/2026/03/cross-border-transfers-of-american-personal-information-carry-heightened-regulatory-litigation-risks"
        }
      ]
    },
    {
      "trackId": 10,
      "categoryId": 6,
      "pointId": 11,
      "title": "LangChain CVE-2025-68664 CVSS 9.3 Secret Extraction",
      "direction": "new",
      "score": 0.9,
      "previousScore": 0,
      "evidence": "Serialization injection in dumps()/dumpd(). Attacker-controlled LLM responses can trigger extraction of environment-variable secrets. 12 vulnerable flows.",
      "sources": [
        {
          "name": "NVD",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68664"
        },
        {
          "name": "Cyata",
          "url": "https://cyata.ai/blog/langgrinch-langchain-core-cve-2025-68664/"
        }
      ]
    },
    {
      "trackId": 10,
      "categoryId": 7,
      "pointId": 11,
      "title": "California AB 2013 AI Training Data Disclosure",
      "direction": "new",
      "score": 0.78,
      "previousScore": 0,
      "evidence": "Developers must publicly disclose training data details. PIAs must examine provenance, explainability, cross-border flows.",
      "sources": [
        {
          "name": "Wilson Sonsini",
          "url": "https://www.wsgr.com/en/insights/2026-year-in-preview-ai-regulatory-developments-for-companies-to-watch-out-for.html"
        }
      ]
    },
    {
      "trackId": 10,
      "categoryId": 1,
      "pointId": 11,
      "title": "AI Training Data Deletion Technically Impossible",
      "direction": "rising",
      "score": 0.82,
      "previousScore": 0.65,
      "evidence": "Removing data from trained models is impossible without complete retraining. Healthcare AI re-identifies patients from anonymized scans.",
      "sources": [
        {
          "name": "DEV Community",
          "url": "https://dev.to/tiamatenity/fine-tuned-models-remember-everything-the-training-data-privacy-problem-4a9e"
        }
      ]
    },
    {
      "trackId": 11,
      "categoryId": 2,
      "pointId": 11,
      "title": "Healthcare PHI Fines 11.6x Increase",
      "direction": "rising",
      "score": 0.85,
      "previousScore": 0.65,
      "evidence": "Average EUR 203K/violation (up from EUR 17.5K). Highest-penalty GDPR sector. HIPAA is undergoing its most significant changes in decades.",
      "sources": [
        {
          "name": "Skillcast",
          "url": "https://www.skillcast.com/blog/biggest-gdpr-fines-2026"
        },
        {
          "name": "HIPAA Journal",
          "url": "https://www.hipaajournal.com/new-hipaa-regulations/"
        }
      ]
    },
    {
      "trackId": 12,
      "categoryId": 7,
      "pointId": 11,
      "title": "Discord Persona Breach — 70K Government IDs Leaked",
      "direction": "new",
      "score": 0.92,
      "previousScore": 0,
      "evidence": "70K government IDs leaked via Persona vendor. Discord cut ties. 10,000% search spike for Discord alternatives.",
      "sources": [
        {
          "name": "PC Gamer",
          "url": "https://www.pcgamer.com/hardware/discord-says-70-000-age-verification-id-photos-may-have-been-leaked-in-recent-security-breach/"
        },
        {
          "name": "EFF",
          "url": "https://www.eff.org/deeplinks/2026/02/discord-voluntarily-pushes-mandatory-age-verification-despite-recent-data-breach"
        }
      ]
    },
    {
      "trackId": 12,
      "categoryId": 10,
      "pointId": 11,
      "title": "Biometric Regulation Expansion — Colorado CPA, US Privacy Act",
      "direction": "rising",
      "score": 0.7,
      "previousScore": 0.55,
      "evidence": "Colorado CPA amendments: written retention policies, 24-month max, annual review. US lawmaker plan for sweeping Privacy Act overhaul.",
      "sources": [
        {
          "name": "Baird Holm",
          "url": "https://www.bairdholm.com/blog/expanded-regulation-of-biometric-data/"
        },
        {
          "name": "Biometric Update",
          "url": "https://www.biometricupdate.com/202602/us-lawmaker-unveils-plan-for-sweeping-overhaul-of-privacy-act"
        }
      ]
    },
    {
      "trackId": 13,
      "categoryId": 3,
      "pointId": 11,
      "title": "Discord Age Verification Backlash",
      "direction": "new",
      "score": 0.88,
      "previousScore": 0,
      "evidence": "Discord delayed the age-verification rollout to H2 2026 after EFF criticism. 10,000% search spike for alternatives. Stoat/Matrix/Session gaining.",
      "sources": [
        {
          "name": "Windows Central",
          "url": "https://www.windowscentral.com/software-apps/discord-alternative-search-10000-percent-stoat"
        },
        {
          "name": "EFF",
          "url": "https://www.eff.org/deeplinks/2026/02/discord-voluntarily-pushes-mandatory-age-verification-despite-recent-data-breach"
        }
      ]
    },
    {
      "trackId": 13,
      "categoryId": 2,
      "pointId": 11,
      "title": "COPPA Rule April 2026 Compliance Deadline",
      "direction": "rising",
      "score": 0.82,
      "previousScore": 0.6,
      "evidence": "Compliance deadline for most COPPA Rule provisions is April 22, 2026. Reddit GBP 14.47M fine for children's data. SchoolAI FERPA+COPPA compliance.",
      "sources": [
        {
          "name": "Federal Register",
          "url": "https://www.federalregister.gov/documents/2025/04/22/2025-05904/childrens-online-privacy-protection-rule"
        }
      ]
    },
    {
      "trackId": 14,
      "categoryId": 9,
      "pointId": 11,
      "title": "CFPB Financial Data Rights Rule — April 2026",
      "direction": "new",
      "score": 0.72,
      "previousScore": 0,
      "evidence": "Largest financial institutions must unlock/transfer consumer financial data on request by April 1, 2026.",
      "sources": [
        {
          "name": "CFPB",
          "url": "https://www.consumerfinance.gov/about-us/newsroom/cfpb-finalizes-personal-financial-data-rights-rule-to-boost-competition-protect-privacy-and-give-families-more-choice-in-financial-services/"
        }
      ]
    },
    {
      "trackId": 4,
      "categoryId": 9,
      "pointId": 11,
      "title": "Re-identification Risk Now Dynamic, Not Static",
      "direction": "rising",
      "score": 0.75,
      "previousScore": 0.6,
      "evidence": "Feb 2026 research: anonymization is dynamic. AI facilitates re-identification even where traditional safeguards were previously adequate.",
      "sources": [
        {
          "name": "Testing Branch",
          "url": "https://www.testingbranch.com/re_identification/"
        },
        {
          "name": "Nature",
          "url": "https://www.nature.com/articles/s41598-025-04907-3"
        }
      ]
    },
    {
      "trackId": 4,
      "categoryId": 1,
      "pointId": 11,
      "title": "GDPR Anonymization vs Pseudonymization Distinction Critical",
      "direction": "stable",
      "score": 0.65,
      "previousScore": 0.6,
      "evidence": "IAPP: Anonymization the Unicorn of Privacy Engineering. Reversible encryption is pseudonymization, not anonymization, so the data remains GDPR-covered, but the approach is operationally superior.",
      "sources": [
        {
          "name": "IAPP",
          "url": "https://iapp.org/news/a/anonymization-the-unicorn-of-privacy-engineering"
        }
      ]
    },
    {
      "trackId": 3,
      "categoryId": 3,
      "pointId": 20,
      "title": "Nextcloud PII Anonymization Demand",
      "direction": "new",
      "score": 0.72,
      "previousScore": 0,
      "evidence": "First native Nextcloud app for PII anonymization. cloak.business Nextcloud Anonymizer v2.0.0 + Files v1.0.0 with sidebar and right-click integration for NC 28-31.",
      "sources": [
        {
          "name": "cloak.business",
          "url": "https://cloak.business"
        }
      ]
    },
    {
      "trackId": 2,
      "categoryId": 5,
      "pointId": 20,
      "title": "Cloud Storage PII Anonymization",
      "direction": "new",
      "score": 0.78,
      "previousScore": 0,
      "evidence": "4 cloud storage providers (OneDrive, SharePoint, Google Drive, Dropbox) with browse-anonymize-save-back workflow. No file download required.",
      "sources": [
        {
          "name": "cloak.business",
          "url": "https://cloak.business"
        }
      ]
    },
    {
      "trackId": 5,
      "categoryId": 7,
      "pointId": 20,
      "title": "AI Coding Tool PII Protection via MCP",
      "direction": "new",
      "score": 0.85,
      "previousScore": 0,
      "evidence": "MCP Server adoption in Cursor, Claude Desktop, VS Code. anonym.legal 7 tools, cloak.business 10 tools including image analysis.",
      "sources": [
        {
          "name": "anonym.legal",
          "url": "https://anonym.legal"
        },
        {
          "name": "cloak.business",
          "url": "https://cloak.business"
        }
      ]
    },
    {
      "trackId": 1,
      "categoryId": 4,
      "pointId": 20,
      "title": "Technical Secret Detection in AI Contexts",
      "direction": "new",
      "score": 0.8,
      "previousScore": 0,
      "evidence": "68 technical secret patterns detected: AWS, GCP, Azure, OpenAI, Anthropic, Stripe API keys, database URIs, JWT tokens, SSH keys.",
      "sources": [
        {
          "name": "cloak.business",
          "url": "https://cloak.business"
        }
      ]
    },
    {
      "trackId": 3,
      "categoryId": 6,
      "pointId": 20,
      "title": "Open-Source Office Suite PII Tools",
      "direction": "new",
      "score": 0.68,
      "previousScore": 0,
      "evidence": "anonym.legal LibreOffice Extension v1.0.0: Writer, Calc, Impress with format preservation, ZK auth, 285+ entity types.",
      "sources": [
        {
          "name": "anonym.legal",
          "url": "https://anonym.legal"
        }
      ]
    },
    {
      "trackId": 4,
      "categoryId": 8,
      "pointId": 20,
      "title": "Desktop PII Batch Processing at Scale",
      "direction": "new",
      "score": 0.75,
      "previousScore": 0,
      "evidence": "cloak.business Desktop v7.5.0 processes up to 5,000 files per batch. Offline NLP models, XChaCha20-Poly1305 vault, no internet required.",
      "sources": [
        {
          "name": "cloak.business",
          "url": "https://cloak.business"
        }
      ]
    },
    {
      "trackId": 7,
      "categoryId": 9,
      "pointId": 20,
      "title": "Multi-Party Encryption for Legal Workflows",
      "direction": "new",
      "score": 0.82,
      "previousScore": 0,
      "evidence": "RSA-4096 asymmetric encryption for multi-party workflows. Different keys for auditors, counsel, regulators. Adopted in legal discovery.",
      "sources": [
        {
          "name": "cloak.business",
          "url": "https://cloak.business"
        }
      ]
    }
  ]
}