Former President Trump has appointed a Department of Labor workers' compensation official to the National Labor Relations Board (NLRB), potentially affecting the board's quorum and decision-making. This could lead to changes in NLRB precedents and enforcement of labor laws, impacting employer compliance with union activities, collective bargaining, and unfair labor practices.
OSHA has immediately updated and extended its National Emphasis Program on heat-related hazards for five years, directing increased inspections and outreach to high-risk industries. This regulatory change requires employers to enhance heat illness prevention measures and prepare for targeted enforcement actions.
The EEOC has settled a lawsuit against PepsiCo for $270,000 over ADA violations, requiring the company to develop software to accommodate visually impaired employees. This enforcement action reinforces the legal obligations under the Americans with Disabilities Act and signals increased scrutiny of disability accommodation practices in employment.
The U.S. Equal Employment Opportunity Commission (EEOC) settled with Carlstar Group over allegations of discrimination against workers with opioid prescriptions, resulting in a $300,000 payment and mandatory supervisor training. This enforcement action reinforces ADA protections for employees with substance use disorder treatments and signals increased regulatory scrutiny of employer policies regarding prescription medication use.
The House passed a 10-day extension of Section 702 of the Foreign Intelligence Surveillance Act (FISA), which allows warrantless surveillance of foreign targets but also collects data on Americans. This short-term extension provides time for negotiations over potential reforms including warrant requirements and limits on government use of data brokers, though the intelligence court has already renewed the program through March 2027.
The FTC has outlined new enforcement priorities targeting hidden fees, misleading pricing, and digital market harms like dark patterns and subscription traps. This signals increased regulatory scrutiny and potential enforcement actions, particularly affecting online platforms and rental housing sectors. The agency is adapting its approach within existing authority while seeking Congressional support for stronger consumer redress tools.
The U.S. Department of Justice sentenced two individuals for operating a 'laptop farm' scheme that facilitated North Korean IT workers gaining employment at over 100 U.S. companies, including Fortune 500 firms. This enforcement action highlights increased scrutiny on sanctions evasion, identity theft, and cybersecurity risks, with the scheme generating over $5 million for North Korea and compromising sensitive defense data.
CISA has added CVE-2026-34197, a high-severity vulnerability in Apache ActiveMQ Classic under active exploitation, to its Known Exploited Vulnerabilities (KEV) catalog. This action requires Federal Civilian Executive Branch agencies to apply patches or mitigations by specified deadlines, signaling heightened enforcement of cybersecurity compliance under U.S. regulatory frameworks.
Alabama has enacted the Personal Data Protection Act (APDPA), establishing comprehensive consumer privacy requirements with notably low applicability thresholds. The law applies to entities with over 25,000 Alabama consumers or deriving over 25% of revenue from data sales, and takes effect on May 1, 2027.
NIST has changed how its National Vulnerability Database (NVD) handles Common Vulnerabilities and Exposures (CVEs) due to a 263% surge in submissions. Only CVEs meeting specific criteria will now receive enrichment, while others remain listed without it, impacting organizations relying on NVD for compliance with cybersecurity frameworks and regulations.
The US Justice Department has sentenced Kamerin Stokes to 30 months in prison and ordered $1.3 million in restitution for a credential-stuffing attack on DraftKings. This enforcement action signals increased regulatory scrutiny of cybersecurity practices in the online betting industry and demonstrates legal consequences for cybercriminals. Companies should review their authentication and account security measures to prevent similar attacks.
The U.S. Department of the Treasury sanctioned cryptocurrency exchange Grinex in August 2025 for facilitating illicit transactions, enabling sanctions evasion via a Russian ruble-backed stablecoin, and continuing the alleged money laundering activities of its predecessor Garantex. This enforcement action signals increased regulatory scrutiny of cryptocurrency exchanges involved in sanctions evasion and highlights the need for enhanced AML/KYC compliance in the crypto sector.
The Satellite Cybersecurity Act of 2025 has advanced through the US Senate. The bill would require the Department of Commerce to establish security best practices for satellite operators and mandate a GAO study on satellite cybersecurity protections. This represents new legislative action that could impose compliance requirements on satellite operators and related technology companies.
NIST has implemented significant changes to its Common Vulnerabilities and Exposures (CVE) framework, shifting focus toward prioritizing high-impact vulnerabilities to enhance remediation processes. This amendment aims to improve cybersecurity risk management and support regulatory compliance by providing more targeted guidance for vulnerability assessment and mitigation.
A Tennessee man was sentenced to 30 months in prison and ordered to pay $1.3 million in restitution for selling access to tens of thousands of hacked DraftKings accounts via credential-stuffing attacks. This enforcement action signals increased regulatory scrutiny and prosecution of cybercrime targeting online platforms, particularly in the fintech and gaming sectors. Companies should strengthen authentication and monitoring to prevent similar attacks.
CISA has added CVE-2026-34197 to its Known Exploited Vulnerabilities catalog under Binding Operational Directive 22-01, requiring federal agencies to patch Apache ActiveMQ Classic by April 30, 2026. This vulnerability is being actively exploited in the wild and can lead to remote code execution, particularly when chained with other vulnerabilities or default credentials.
Two US nationals were sentenced to prison for facilitating North Korean IT worker schemes that used stolen identities and shell companies to secure jobs at over 100 US companies, generating $5+ million for North Korea and causing $3+ million in losses. This enforcement action highlights increased regulatory scrutiny on sanctions evasion, financial crime, and cybersecurity vulnerabilities in hiring processes. Companies should review their third-party hiring and identity verification procedures to mitigate similar risks.
The U.S. Coast Guard has issued new cybersecurity rules under the Maritime Transportation Security Act (MTSA), requiring maritime operators to develop comprehensive security plans for operational technology (OT) systems and undergo independent third-party audits. These regulations establish a hybrid OT-security role and aim to protect critical maritime infrastructure from growing cyber threats.
CISA has added CVE-2026-34197, a high-severity Apache ActiveMQ vulnerability, to its Known Exploited Vulnerabilities Catalog and required Federal Civilian Executive Branch agencies to patch within two weeks under Binding Operational Directive 22-01. This represents an enforcement action requiring immediate compliance for federal agencies, while private-sector organizations are urged to prioritize remediation due to active exploitation.
Virginia has enacted S.B. 338, amending the Virginia Consumer Data Protection Act to prohibit businesses from selling consumers' precise location data for monetary compensation. This creates new compliance obligations for companies operating in Virginia, expanding state-level privacy protections with specific exemptions for fraud prevention and security activities.