Data Privacy + Cybersecurity Insider - May 2025

Robinson & Cole LLP

CYBERSECURITY

U.S. Retailers Bracing for Scattered Spider Attacks

Google sent out a warning that the cybercriminal group Scattered Spider is targeting U.S.-based retailers. Scattered Spider is believed to have been responsible for the recent attack on Marks & Spencer in the U.K. A security researcher at Google has posited that Scattered Spider concentrates attacks on one industry at a time and predicts that it will continue to target the retail sector. The researcher warned that “US retailers should take note. These actors are aggressive, creative, and particularly effective at circumventing mature security programs.”

Mandiant issued a threat intelligence report on May 6, 2025, highlighting Scattered Spider’s social engineering methods and “brazen communication with victims.” Mandiant has observed Scattered Spider targeting specific sectors, such as financial services and food services. Recently, Scattered Spider has been seen deploying DragonForce ransomware. The operators of DragonForce have claimed control of RansomHub.

Mandiant has published recommendations on proactive hardening against the tactics used by Scattered Spider, including prioritizing:

  • Identity
  • Endpoints
  • Applications and Resources
  • Network Infrastructure
  • Monitoring / Detections

Although retailers should be on high alert with these warnings, all industries would do well to review Mandiant’s recommendations, as they are timely and effective.


DATA PRIVACY

Janie & Jack’s Alleged CIPA Violations Consolidated, Thus Avoiding Over 2,000 Individual Arbitration Claims

This week, the U.S. District Court for the Northern District of California ruled in favor of children’s clothing retailer Janie & Jack, which sought to enjoin over 2,400 individual arbitration claims resulting from alleged violations of the California Invasion of Privacy Act (CIPA). Now, Janie & Jack will confront a single privacy class action suit as opposed to the more than 2,400 individual arbitration claims by its website visitors.

The parties notified the court of their agreement not to pursue arbitration but rather to proceed through a consolidated class action. Janie & Jack voluntarily dismissed its lawsuit in an attempt to avert the numerous claims by consumers.

Website visitors accused Janie & Jack of violating CIPA and the federal Wiretap Act through its website’s information gathering and tracking practices (also known as trap and trace claims). Janie & Jack alleges that such claims are inadequate because they lack allegations that the consumers created any accounts or conducted any transactions on the website or that Janie & Jack had breached any of its online terms.

Further, although Janie & Jack’s website terms include an arbitration clause, it claimed that the claimants never assented to the contract.

In its response, the retailer emphasized its intent to prevent the growing use of arbitration agreements as “weapons” by plaintiffs’ attorneys, thwarting their intended use of an efficient, effective, and timely progression of claims.

This case highlights a common practice: thousands of individuals, all represented by the same counsel, simultaneously file, or threaten to file, arbitration demands with nearly identical claims.

These allegations mark yet another instance of the plaintiffs’ bar’s growing push for “trap and trace” claims. Plaintiffs leverage existing wiretap laws (particularly CIPA in California) to argue that common online tracking technologies such as cookies, pixels, and website analytics tools function as trap and trace devices, which allows them to file complaints against companies for collecting user data without proper consent, even though these laws were originally written for traditional phone lines, not the internet. The result is a large pool of potential plaintiffs and potentially significant damages.

If you haven’t heard it enough, here it is again: NOW is the time to assess your website’s online trackers and update your cookie consent management platform, website privacy policy, and consumer data collection processes.


State Data Minimization Laws Spark Compliance Uncertainty

A new wave of state consumer privacy laws focused on limiting data collection is creating anxiety among businesses—and Maryland is leading the charge. The Maryland Online Data Privacy Act (MODPA), set to take effect in October 2025, requires companies to collect only data that is “reasonably necessary and proportionate” to their stated purposes. However, with no official guidance for compliance from the Maryland Attorney General, businesses are left guessing.

Under MODPA’s data minimization requirement, businesses should avoid collecting or processing more data than is necessary to provide a specific product or service to a consumer. In addition to the limited data collection requirement, MODPA also requires:

  1. Stricter Data Collection Practices for Sensitive Data: The data minimization requirements are more stringent for sensitive data, such as health information, religious beliefs, and genetic data.
  2. Ban on the Sale of Sensitive Data: The law prohibits the sale of sensitive data unless it is strictly necessary to provide or maintain a requested product or service.
  3. Explicit Consent: A business may not process personal information for a purpose other than the purpose(s) disclosed to the consumer at the time of collection unless the consumer provides explicit consent.
  4. Limited Retention: A business may not retain consumer data for longer than necessary to fulfill the purpose for which it was collected (i.e., now is the time to update or implement your retention program).

This shift towards data minimization marks a departure from the more familiar “notice and choice” model, pushing companies to operationalize data minimization in ways that may significantly alter their data practices. While some businesses, particularly those already operating under stricter global standards like the European Union’s General Data Protection Regulation (GDPR), may be better prepared, others are weighing whether to reduce data collection or even scale back operations in certain states.

Companies developing or utilizing generative artificial intelligence are especially concerned, as these laws may limit access to large, diverse datasets required to train their models. Still, some see this as an opportunity to innovate with privacy-first technologies, such as synthetic data.

States like Maine, Massachusetts, Connecticut, and Minnesota are considering similar laws, signaling a growing trend. But as businesses await clearer definitions and enforcement standards, the central question remains: Can regulators strike the right balance between protecting privacy and supporting innovation?


ARTIFICIAL INTELLIGENCE

50% of Professional Services Users Have Utilized AI Tools Not Authorized by Company

A new survey from Intapp, titled “2025 Tech Perceptions Survey Report,” summarizes findings from a survey of fee-earners and reports a “surge in AI usage.” The professions surveyed included the accounting, consulting, finance, and legal sectors. Findings include that “AI usage among professionals has grown substantially, with 72% using AI at work versus 48% in 2024.” AI adoption among firms increased to 56%, with firms utilizing it for data summarization, document generation, research, error-checking, quality control, voice queries, data entry, consultation (decision-making support), and recommendations. Of the four sectors, adoption is highest in finance, with 89% of professionals using AI at work; 73% of accounting professionals, 68% of consulting professionals, and 55% of legal professionals use AI.

A significant conclusion is that when firms do not provide AI tools for professionals to use, they often develop their own. Over 50% of professionals have used unauthorized AI tools in the workplace, which increases risk for companies. They are reallocating the time saved with AI tools by improving work-life balance, focusing on higher-level client work, focusing on strategic initiatives and planning, cultivating relationships with clients, and increasing billable hours.

The survey found that professionals want and need technology to assist with tasks. Only 32% of professionals believe they have the optimal technology to complete their job effectively. The conclusion is that professionals who are given optimal technology to perform their jobs are more satisfied and more likely to stay at the firm, and that optimal tech “powers professional- and firm-success, and AI is becoming non-negotiable for future firm leaders.”

AI tools are rapidly developing and adopted by all industries, including professional sectors. As noted in the Intapp survey, if firms are not providing AI tools for workers to use to enhance their jobs, they will use them anyway. The survey reiterates how important it is to have an AI Governance Program in place to provide sanctioned tools for workers to reduce the risks associated with using unauthorized AI tools. Developing and implementing an AI Governance Program and acceptable use policies should be high on the priority list for all industries, including professional services.


Privacy Tip #445

Apple Users: Update to iOS 18.5

Never underestimate an operating system update from any mobile phone manufacturer. This week, Apple issued iOS 18.5, which provides enhancements to the user experience but also fixes bugs and flaws.

This update fixes over 30 security bugs. The sooner you update to the new version, the better from a security standpoint. The security flaws that the patch addresses include known and unknown vulnerabilities and zero-days that may or may not be exploited in the wild.

If you haven’t updated to iOS 18.5, plug your phone in now and install it as soon as possible, not only for the enhancements but, most importantly, for the bug fixes. If you don’t have your phone set to install updates automatically, you may wish to enable that option in your settings, as it is a good way to stay on top of new releases in a timely manner.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Robinson & Cole LLP
