AI, Data, Privacy, and Cybersecurity — Docket Daily's four law pillars

The most thoroughly sourced AI, Data, Privacy, and Cybersecurity legal intelligence available.

Official sources verifiedAll 50 states + D.C. + FederalAttorney-reviewed1,480+ legal developments since Jan. 1, 2026

Tracking new AI, data, privacy, and cybersecurity legal developments for you.

No noise. No gaps. Just the intelligence attorneys need.

Start Free 2-Week Trial

No credit card required.

Built by an Attorney. Reviewed by an Attorney. Built for Attorneys.

Inside your workspace

docketdaily.ai/dashboard
Live data
Proposed Bills323
Statutes63
Regulations112
Cases71
Exec. orders34
Search titles, summaries, citations…
All Dates

Jan. 1, 2026 through today (newest to oldest)

Notable Dockets of the Week

STATUTE

California AB 979 — AI Cybersecurity Integration Act; Cal-CSIC AI Cybersecurity Collaboration Playbook

CaliforniaAI — Government & procurement AIJan 1, 2026
AI lawAB 979 requires the state's cybersecurity playbook to specifically address the integration of AI and automated defense systems within public administration networks, compelling state information security officers to establish safety baselines for utilizing machine learning algorithms to automate th…
AI-drafted · Attorney-reviewed

More from the digest

REGULATIONAttorney Reviewed

Cybersecurity and Infrastructure Security Agency — Alert: CISA Adds Three Known Exploited Vulnerabilities to Catalog (July 7, 2026): CVE-2026-48908 (JoomShaper SP Page Builder), CVE-2026-55255 (Langflow), CVE-2026-56290 (Joomlack Page Builder)

FederalJul 7, 2026

Summary

Cybersecurity lawOn July 7, 2026 CISA added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog, giving Federal Civilian Executive Branch agencies until July 10, 2026 to remediate. The three are CVE-2026-48908, an unrestricted upload of a file with a dangerous type in JoomShaper…
AI-drafted · Attorney-reviewed
GOVERNOR EXECUTIVE ORDER

Abbott CCP med-device letter (2026-03-10)

TexasGovernor Executive OrderPrivacy — Health & HIPAA-related privacyJul 11, 2026

Summary

Privacy lawThe executive directive establishes stringent protections over personal health information maintained within state-owned medical infrastructure. It addresses the threat of foreign state-sponsored entities exfiltrating private medical records through network-connected hospital devices. The policy ma…
AI-drafted · Attorney-reviewed
PROPOSED BILLActiveAttorney Reviewed

SB 7044 Public Records/Custodians of Gold Coin and Silver Coin Banking

FloridaData — Financial & banking dataFeb 12, 2026

Summary

Data lawThe bill expands public records exemptions for sensitive financial data held by the Office of Financial Regulation. Specifically, it makes confidential information obtained during investigations and examinations of money transmitters and financial institutions that act as custodians of gold or silv…
AI-drafted · Attorney-reviewed
COURT CASEAttorney Reviewed

Hulse-Gibson v. Hulse

FloridaDistrict Court of Appeal of FloridaAI — OtherJul 8, 2026

Summary

AI lawThe Florida District Court of Appeal's judicial opinion issues an explicit, formal warning establishing strict human-in-the-loop verification duties for litigants deploying generative artificial intelligence tools to draft legal submissions. The court emphasizes that the integration of automated le…
AI-drafted · Attorney-reviewed
docketdaily.ai/dashboard
Live data
Filters & scope
AI
178
Data
141
Privacy
225
Cybersecurity
67

The digests under each category are attorney reviewed and confirmed. You can view results by category as well as by subcategory under each law category.

Jurisdiction

Federal
State

Search

Search titles, summaries, citations…
GOVERNOR EXECUTIVE ORDER

Abbott CCP med-device letter (2026-03-10)

TexasGovernor Executive OrderPrivacy — Health & HIPAA-related privacyJul 11, 2026

Summary

Privacy lawThe executive directive establishes stringent protections over personal health information maintained within state-owned medical infrastructure. It addresses the threat of foreign state-sponsored entities exfiltrating private medical records through network-connected hospital devices. The policy ma…
AI-drafted · Attorney-reviewed
docketdaily.ai/dashboard
Live data
REGULATIONAttorney ReviewedFederal

Cybersecurity and Infrastructure Security Agency — Alert: CISA Adds Three Known Exploited Vulnerabilities to Catalog (July 7, 2026): CVE-2026-48908 (JoomShaper SP Page Builder), CVE-2026-55255 (Langflow), CVE-2026-56290 (Joomlack Page Builder)

Plain English

Cybersecurity law

On July 7, 2026 CISA added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog, giving Federal Civilian Executive Branch agencies until July 10, 2026 to remediate. The three are CVE-2026-48908, an unrestricted upload of a file with a dangerous type in JoomShaper SP Page Builder, allowing unauthenticated users to upload arbitrary files and execute PHP code; CVE-2026-55255, an authorization bypass through a user-controlled key in Langflow, allowing an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID; and CVE-2026-56290, an improper access control flaw in Joomlack Page Builder permitting remote code execution via unauthenticated arbitrary file upload. The obligation runs through Binding Operational Directive 26-04, "Prioritizing Security Updates Based on Risk," which replaced BOD 22-01 in June 2026. BOD 26-04 changed the model: instead of a uniform two-week clock, deadlines now vary with severity and evidence of active exploitation, and agencies must prioritize rapid remediation of high-risk vulnerabilities on publicly exposed assets that grant total control post-exploitation, while deferring lower-risk items. Where compromise is suspected, CISA's Forensics Triage Requirements apply — agencies must preserve evidence for incident response rather than immediately patching over a potentially compromised state. CISA also directs that where mitigations are unavailable for cloud services, agencies follow applicable BOD 26-04 cloud guidance or discontinue use of the product. Although BOD 26-04 binds only federal civilian agencies, CISA urges all organizations to prioritize remediation of KEV-listed vulnerabilities.

AI law

The Langflow entry is the significant one. Langflow is an AI agent orchestration platform, and CVE-2026-55255 marks the first time such a platform has appeared in the KEV catalog. The flaw is a cross-tenant insecure direct object reference: any authenticated user can execute another tenant's AI workflows, along with every secret and credential those workflows hold. Sysdig documented a campaign between June 22 and 25, 2026 in which a single operator chained reconnaissance, flow enumeration, the CVE-2026-55255 IDOR, and CVE-2026-33017 remote code execution to steal large language model provider keys and AWS keys. The activity was assessed as opportunistic and financially motivated. Why this matters beyond one CVE: the official CVSS score is comparatively low, which understates the risk. On a single-tenant self-hosted instance the RCE is the easier win. On a managed or multi-tenant deployment where RCE is sandboxed per tenant, the IDOR is the only path that crosses to another customer's credentials, and it does so below the noise threshold of most detection systems, leaving no footprint distinguishable from normal flow execution except an unexpected flow ID in the API logs. This is the seventh distinct Langflow flaw to enter active or recent exploitation within a year. The adjacent development is Sysdig's documentation of the first known fully agentic ransomware operation, in which a human operator deployed an AI agent and provisioned infrastructure to let the agent run an entire extortion operation end to end, using a Langflow instance as the initial access vector. Practitioner guidance emerging from the KEV addition: update Langflow, then rotate every API key, LLM provider credential, and cloud access credential stored in any flow — including on instances showing no evidence of exploitation — and treat any Langflow deployment with access to production systems or cloud services as a privileged workload. For Docket Daily, this is the crossover instrument: an AI development platform is now a federally designated known-exploited attack surface, and the credentials it holds are the target.

Contextual review

Cybersecurity law

Cybersecurity and Infrastructure Security Agency, Alert, "CISA Adds Three Known Exploited Vulnerabilities to Catalog," issued July 7, 2026. Vulnerabilities added to the Known Exploited Vulnerabilities (KEV) Catalog: (1) CVE-2026-48908 — JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability. JoomShaper SP Page Builder contains an unrestricted upload of file with dangerous type vulnerability that allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code. Reported CVSS 10.0. Exploited as a zero-day via HTTP POST to index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon, followed by creation of a Super User account. Vendor reference: extensions.joomla.org/extension/sp-page-builder/. Fixed in SP Page Builder 6.6.2. (2) CVE-2026-55255 — Langflow Authorization Bypass Through User-Controlled Key Vulnerability. Langflow contains an authorization bypass through user-controlled key vulnerability which allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request. Vendor reference: github.com/langflow-ai/langflow/security/advisories/GHSA-qrpv-q767-xqq2. NVD: nvd.nist.gov/vuln/detail/CVE-2026-55255. (3) CVE-2026-56290 — Joomlack Page Builder Improper Access Control Vulnerability. Joomlack Page Builder contains an improper access control vulnerability that could allow for remote code execution via unauthenticated arbitrary file upload. Reported CVSS 9.8. Exploitation observed from June 27, 2026 delivering web shells. Fixed in Page Builder CK 3.6.0. Vendor reference: joomlack.fr/en/joomla-extensions/page-builder-ck. Required action for all three: "Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA's BOD 26-04 Prioritizing Security Updates Based on Risk guidance and CISA's Forensics Triage Requirements." For CVE-2026-56290 and CVE-2026-48908, CISA adds: "Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable." Remediation deadline for Federal Civilian Executive Branch agencies: July 10, 2026. Authority. Binding Operational Directive 26-04, "Prioritizing Security Updates Based on Risk," which replaced BOD 22-01 in June 2026. BOD 26-04 establishes vulnerability management requirements for FCEB agencies, reinforces the KEV Catalog, and requires agencies to prioritize rapid remediation of high-risk vulnerabilities — specifically CVEs listed in the KEV Catalog on publicly exposed assets that grant total control of the asset post-exploitation — while deferring action for lower-risk vulnerabilities. It replaces BOD 22-01's uniform two-week clock with variable deadlines keyed to severity and active exploitation. Implementation guidance and Forensics Triage Requirements at cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk. BOD 26-04 binds FCEB agencies only; CISA strongly urges all organizations to prioritize timely remediation of KEV-listed vulnerabilities. SAME-DAY SEPARATE ALERT. CVE-2026-48282 (Adobe ColdFusion, path traversal permitting arbitrary code execution, CVSS 10.0, affecting ColdFusion 2025.9, 2023.20, and earlier; vendor advisory APSB26-68, July 1, 2026) was added to the KEV Catalog on July 7, 2026 under a separate CISA alert, with the same July 10, 2026 FCEB deadline. Reported exploitation within approximately two hours of public disclosure. NOT covered by this row. Recommend a separate laws row.

AI law

CVE-2026-55255 is the first entry in the KEV Catalog for an AI agent orchestration platform. Technically a cross-tenant insecure direct object reference (IDOR). Sysdig Threat Research Team observed first known active exploitation on June 25, 2026, by an operator (reported as 45.207.216[.]55) who, on an internet-exposed Langflow instance first probed three days earlier, executed application and authentication reconnaissance, flow enumeration, the CVE-2026-55255 IDOR, and a sustained loop of CVE-2026-33017 unauthenticated RCE with outbound connection attempts. Campaign period June 22-25, 2026; assessed as opportunistic and financially motivated, with post-exploitation payloads fetching a second-stage downloader delivering additional malware. Objects of theft: large language model provider API keys and AWS credentials held in tenant flows. Severity-scoring divergence. Public reporting of the CVSS score for CVE-2026-55255 is inconsistent (6.1, 8.4, and 9.9 all appear in secondary sources). CISA does not assign CVSS; the KEV listing turns on evidence of active exploitation, not score. The operational point, uncontested across sources, is that the IDOR is the only path crossing tenant boundaries on managed or multi-tenant deployments where RCE is sandboxed per tenant, and that successful exploitation is not distinguishable from normal flow execution except by an anomalous flow ID in /api/v1/responses access logs. Seventh distinct Langflow flaw in active or recent exploitation within the preceding year, alongside CVE-2025-3248, CVE-2025-34291, CVE-2026-0770, CVE-2026-5027, CVE-2026-21445, and CVE-2026-33017. Adjacent development, reported by Sysdig and relevant to AI governance: the first documented fully agentic ransomware operation (reported designation JADEPUFFER), in which a human operator deployed an AI agent and provisioned infrastructure permitting the agent to conduct an entire extortion operation end to end, using a Langflow instance as the initial access vector via CVE-2025-3248. Sysdig's account and the vendor commentary are secondary sources; only the KEV listing itself and BOD 26-04 are official. URL CORRECTION. Ingested primary_citation_url was cisa.gov/news-events/alerts/2026/07/07/cisa-adds-four-known-exploited-vulnerabilities-catalog. No official CISA alert bearing that slug was located. The official alert containing this CVE set is titled "CISA Adds Three Known Exploited Vulnerabilities to Catalog." The ingested law_name asserting four CVEs conflates two same-day alerts. Corrected. VERIFICATION NOTE. cisa.gov blocks automated fetch (bot detection). Alert title, the three CVE entries, required actions, BOD 26-04 authority, and the Forensics Triage Requirements were confirmed from official cisa.gov alert-page and KEV-catalog content via indexed retrieval, and corroborated across six independent security-press accounts. url_validation_status=verified reflects that chain, not a direct HTTP 200. CORPUS GAP. BOD 26-04, "Prioritizing Security Updates Based on Risk" (issued June 2026, replacing BOD 22-01), is NOT in the Docket Daily corpus. Per established Docket Daily taxonomy, CISA Binding Operational Directives are classified instrument_type=regulation under Cybersecurity Law. This is the operative directive behind every KEV alert now being ingested; every alert row cites an authority the corpus does not contain. Highest-priority ingest.

AI-drafted · Attorney-reviewed

Always verify this source before using it or citing it in legal work

Why law firms and in-house counsel use Docket Daily

  • Answer client and pitch questions faster

    See what legal developments changed without having to research it yourself.

  • One place for federal and state developments

    Follow the jurisdictions you care about in one workspace. Each digest entry is attorney-reviewed.

  • Prioritize what deserves your time

    Surface high-signal items so your team spends less time sorting noise and more time on analysis.

  • Support proactive compliance and risk narratives

    Align technical, privacy, and security teams with a shared view of the legal environment.

Bradley J. Martineau

Founder

Built by an Attorney

Bradley J. Martineau · Pennsylvania Attorney · AI Governance Author

Docket Daily was built by an attorney who lived the problem firsthand. Brad is a Pennsylvania-licensed lawyer, Amazon best-selling AI governance author, and the only person in legal tech who built this platform because no adequate tool existed. Every design decision comes from real legal and AI governance experience — not engineering assumptions.

“You're already paying for the library. Docket Daily is the attorney who researches, reads, and summarizes all of the new AI, Data, Privacy, and Cybersecurity legal developments for you.” — Bradley J. Martineau, Founder & Attorney
  • 📘 The AI-Enabled Executive
  • 📗 Operational AI Governance
  • ⚖️ Pennsylvania Bar licensed

Included with every plan

Weekly Intelligence Brief

A structured Tuesday briefing — Top 5 scored highlights, trending states, and every qualifying federal and state development from the past seven days, organized by instrument type and jurisdiction.

  • Top 5 Laws of the Weekscored using the Docket Daily Relevance Scorecard, with plain-English narrative and direct links
  • Trending States in AI Lawwhich states drove the most activity during the coverage period
  • Federal developmentsproposed bills, enacted statutes, regulations, SCOTUS, circuit and district courts, and presidential/agency actions
  • State developmentsproposed bills, enacted statutes, regulations, appellate and supreme court cases, governor executive orders, and AG actions — organized by state
  • Key takeaways, action items, and watch listweek-at-a-glance analysis, items requiring immediate attention, and developments to monitor in the period ahead

Published each Tuesday by email.

Versus general-purpose AI

Why not just ask an AI chatbot?

General AI tools like ChatGPT and Claude are powerful, but they can't do what Docket Daily does.

  • No real-time awareness. AI chatbots have knowledge cutoffs and no access to new bills, rulings, or executive orders signed this week.

  • No reoccuring source coverage. Replicating Docket Daily manually means checking hundreds of sources on a reocurring basis. All 50 state legislatures, Congress, the Federal Register, federal and state courts, and all 50 governors' offices. Nobody does it as comprehensively.

  • Citation hallucination risk. Studies show leading legal AI tools hallucinate citations up to 33% of the time. Every Docket Daily entry links directly to the verified official government source.

  • No structured intelligence. A chatbot returns a wall of text. Docket Daily gives you a searchable, filterable brief with attorney-confirmed pillar tags, jurisdiction, and quality signals—ready for client briefings.

Docket Daily doesn't compete with AI. It pairs carefully crafted automation with verified government sources and attorney review that confirms how each item maps to AI, Data, Privacy, and Cybersecurity law plus safeguards a general chatbot was never built to offer.

Already have Westlaw? LexisNexis? Harvey?

Those are research tools.Docket Daily is a monitoring platform.

When you run a keyword alert on Westlaw or LexisNexis, you are still doing the work and deciding what to search, building the right query, and reading every result to separate signal from noise. Alerts fire on whatever their crawlers index, which is far weaker for state administrative rulemaking, governor executive orders, and proposed legislation than it is for published case law. The fatal flaw of keyword alerts is unknown unknowns.

Harvey is in a different category entirely. Harvey answers questions you ask. Docket Daily surfaces what you need to know before you know you need it. Reactive research and proactive monitoring are fundamentally different jobs.

  • Westlaw · LexisNexis · Bloomberg

    A library. The best research tools ever built — for looking things up when you have a question. Not built for watching.

  • Harvey · ChatGPT · Perplexity

    AI research assistants. Brilliant at answering questions you ask. Silent on everything you didn't know to ask about.

  • Docket Daily

    Proactive legal intelligence. All 50 states, D.C. & Federal. All attorney-reviewed.

Start Free 2-Week Trial

No credit card required.

What you get

Curated legal coverage

A focused stream of new proposed bills, statutes, regulations, court opinions, and executive orders (all 50 states, D.C., and federal). attorney confirmed.

Federal & state legislation

Proposed bills and laws surfaced through structured and attorney trained AI agents that ingest from official governmental sources and are scoped to the four legal pillars Docket Daily covers.

Regulatory developments

Federal Register final rules, proposed rules, and NPRMs, plus direct monitoring of CISA (KEV, Directives, Advisories), FTC enforcement orders, OMB memoranda, NIST AI and cybersecurity publications, SEC cybersecurity enforcement, HHS/OCR HIPAA settlements, TSA Security Directives, FDA AI/ML medical device guidance, and DOJ data security program publications. State regulatory coverage includes the California Privacy Protection Agency (CPPA), New York DFS, and NAIC alongside 50-state AG enforcement actions.

Court opinions

Recent opinions from the U.S. Supreme Court, every federal circuit, every federal district court, and U.S. Bankruptcy Courts, plus every state supreme and appellate court opinion.

Executive orders

Presidential executive orders and Governor executive orders from all 50 states.

Search, filters & digest views

Find instruments quickly by term search, jurisdiction, and/or law category.

Human attorney confirmation on every entry

Before anything reaches a subscriber's digest, an attorney reviews each entry while automated passes and attorney-written and trained criteria narrow the funnel first.

Summaries & structured fields

After pillar placement is attorney-confirmed, then Plain English and Contextual Summaries are written for each applicable pillar - AI, Data, Privacy, and Cybersecurity.

Export-Ready Intelligence

Professional and Enterprise subscribers can export full PDF summaries by practice area or individual entry.

Team-ready access

Subscription and account tools suitable for small teams through larger groups with shared access models.

AI, Data, Privacy, & Cybersecurity in the News

Headlines and links from a leading news outlet on AI, Data, Privacy, and Cybersecurity giving you the up to date news context to pair with the primary legal sources.

What We Track

  • AI Law

    • Mandatory disclosure and transparency requirements for AI systems used in consequential decisions
    • Algorithmic impact assessment and bias audit obligations
    • Human oversight mandates for AI in healthcare, insurance, employment, and benefits
    • Frontier model safety reporting and incident disclosure requirements
    • Prohibitions on AI-generated deepfakes, synthetic media, and nudification technology
    • Chatbot safety standards, professional service restrictions, and minor protections
  • Privacy Law

    • Comprehensive consumer data privacy frameworks — consumer rights, controller obligations, enforcement
    • Sensitive data protections for health, biometric, geolocation, reproductive, and children's data
    • Age-appropriate design codes and children's online privacy requirements
    • Workplace monitoring disclosure and employee data rights
    • Data broker registration, disclosure, and opt-out obligations
    • Geofence and reverse location warrant prohibitions
  • Data Law

    • Data lifecycle governance — collection minimization, retention limits, mandatory deletion
    • Government data practices and state agency data management standards
    • Cross-border data transfer restrictions and jurisdictional data sovereignty rules
    • Data protection impact assessment requirements for high-risk processing
    • Consumer portability, correction, and deletion rights enforcement frameworks
  • Cybersecurity Law

    • Data breach notification — timing, scope, AG and consumer notification mandates
    • Private sector cybersecurity standards — NIST framework adoption, written security programs
    • State and local government cybersecurity standards and incident response obligations
    • Insurance sector cybersecurity regulation under NAIC model law frameworks
    • Critical infrastructure protection obligations and sector-specific security requirements
    • Vendor and third-party security contracting mandates

Docket Daily tracks governance, compliance, and regulatory law. The rules that determine what organizations must do, disclose, and avoid when building and deploying technology. We monitor proposed legislation, enacted statutes, administrative regulations, executive orders, and court decisions that create legal obligations for businesses, government agencies, and technology developers. We do NOT track general criminal enforcement actions, routine civil litigation, or court decisions where technology appears incidentally in an otherwise unrelated legal matter.

SEE IT IN ACTION

Watch Docket Daily in Action

Preview still from the Docket Daily promotional video.

Ready for your daily briefing?

Start Free 2-Week Trial

No credit card required.