Meta Hit with $375M Child Safety Verdict; Landmark Addiction Trial Loss Follows
A New Mexico jury ordered Meta to pay $375 million in civil penalties after finding that the company misled consumers about the safety of its platforms and endangered children. The verdict, which found 75,000 violations of the state’s consumer protection law, is the first jury verdict against Meta over harm to young people. One day later, a California jury found Meta and YouTube liable in a landmark social media addiction trial, awarding $3 million in damages.
The New Mexico case grew out of a 2023 undercover investigation in which state investigators created a decoy profile of a 13-year-old girl on Facebook and Instagram. Unredacted internal documents revealed what prosecutors described as a historical reluctance to implement child safety measures. Meta said it plans to appeal both verdicts. Bloomberg analysts noted that the rulings could trigger a cascade of similar lawsuits across jurisdictions, drawing comparisons to the Big Tobacco litigation era.
- New Mexico jury found 75,000 violations of consumer protection law, awarding $5,000 per violation for a total of $375 million
- California jury found Meta and YouTube negligent in a separate addiction trial, awarding $3 million with Meta responsible for approximately 70%
- Analysts compare the trajectory to Big Tobacco litigation, with dozens of state attorneys general pursuing similar cases
Implications
These verdicts fundamentally shift the legal risk landscape for technology platforms. Organizations deploying AI-driven content recommendation systems should evaluate whether their algorithms create similar liability exposure. The rulings signal that consumer protection frameworks can be applied to platform design decisions, not only to data handling. Governance teams should assess whether their AI systems could face comparable scrutiny under provincial or federal consumer protection statutes in Canada.
CCCS Issues Critical Alert on Actively Exploited SharePoint Vulnerability
The Canadian Centre for Cyber Security issued alert AL26-005 warning of active exploitation of a critical vulnerability in Microsoft SharePoint Server (CVE-2026-20963). The flaw, a deserialization of untrusted data bug, lets an unauthenticated remote attacker execute code over the network, and CISA has added it to its Known Exploited Vulnerabilities (KEV) catalogue.
The vulnerability affects multiple versions of Microsoft SharePoint Server and has been confirmed as actively exploited in the wild. The CCCS updated its alert on March 27 with additional exploitation details. Organizations running SharePoint Server are urged to apply the patches immediately and to review network access controls, in particular whether their SharePoint servers need to be reachable from the internet at all.
- CVE-2026-20963 is a critical deserialization vulnerability allowing unauthenticated remote code execution
- Added to CISA’s Known Exploited Vulnerabilities catalogue, confirming active exploitation
- Affects multiple versions of Microsoft SharePoint Server deployed across Canadian organizations
Implications
SharePoint Server is widely deployed across Canadian government, defence and enterprise environments, and organizations should treat this as an emergency patching priority. Because the flaw is reachable by unauthenticated attackers, any on-premises SharePoint Server that was exposed to the internet while unpatched should be treated as potentially compromised: patching closes the entry point but does not evict an intruder who is already inside, so confirm the farm build after updating and review web server logs and recently created files for signs of post-exploitation. Defence contractors preparing for CPCSC certification should ensure this CVE is addressed in their vulnerability management programs. Active exploitation means organizations face immediate risk, not theoretical exposure.
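Why a deserialization bug is a remote code execution bug, as an added example that is not taken from the CCCS alert or from Microsoft: the SharePoint flaw lives in .NET and the alert gives no details of its mechanism, so the vulnerability class is illustrated here with Python’s pickle. The attacker-controlled bytes are constructed in the block, the "payload" only records that it ran instead of spawning a shell, and the hardened loader is the standard allowlisting fix for this class.

```python
"""Deserialization of untrusted data: vulnerable loader beside its hardened form.
Added example; the malicious payload below is constructed, not captured traffic."""
import io
import pickle

# Records whether attacker-controlled code ran. Stands in for the effect of a
# real gadget (spawning a shell, dropping a web shell, ...).
EXECUTED = []


def attacker_side_effect(marker):
    """Harmless stand-in for os.system(...); a real gadget would not be polite."""
    EXECUTED.append(marker)
    return marker


class Gadget:
    # __reduce__ tells pickle how to rebuild the object on load. Whoever controls
    # the serialized bytes therefore controls which callable gets invoked, and
    # with which arguments, before any application code ever sees the object.
    def __reduce__(self):
        return (attacker_side_effect, ("pwned",))


def build_malicious_payload():
    """Constructed sample input: the bytes an attacker would send over the network."""
    return pickle.dumps(Gadget())


def unsafe_load(blob):
    """Vulnerable: deserializes whatever arrived on the wire."""
    return pickle.loads(blob)


class AllowlistUnpickler(pickle.Unpickler):
    """Hardened: only a fixed set of types may be referenced by the stream."""
    ALLOWED = {("builtins", "dict"), ("builtins", "list"),
               ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module, name):
        # Called for every global reference in the stream; refuse anything
        # not explicitly allowed before it can be instantiated or called.
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def safe_load(blob):
    return AllowlistUnpickler(io.BytesIO(blob)).load()


def safe_load_plain_data():
    """Ordinary data still round-trips through the allowlisting loader."""
    return safe_load(pickle.dumps({"user": "alice", "ids": [1, 2]}))


def demo():
    """Returns (what ran under unsafe_load, whether safe_load rejected the payload,
    what ran under safe_load)."""
    payload = build_malicious_payload()
    EXECUTED.clear()
    unsafe_load(payload)            # code runs during deserialization itself
    ran_unsafe = list(EXECUTED)
    EXECUTED.clear()
    try:
        safe_load(payload)
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    return ran_unsafe, rejected, list(EXECUTED)


if __name__ == "__main__":
    print(demo())                   # (['pwned'], True, [])
```

The point to take from `demo()` is ordering: the unsafe loader executes `attacker_side_effect` before any application code can inspect the result, which is why "validate the object after deserializing" is never a fix. The allowlisting unpickler rejects the class reference before anything is instantiated. The same principle applies to .NET formatters and Java’s `ObjectInputStream`, where the fix is likewise a type allowlist or, better, a format that cannot encode code references at all.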
Loblaw Companies Discloses Customer Data Breach
Canada’s largest food and pharmacy retailer disclosed unauthorized access to customer information including names, phone numbers, and email addresses. Loblaw characterized it as a low-level breach in a contained, non-critical section of its IT infrastructure, though a threat actor subsequently claimed access to 75 million Salesforce records.
PC Financial was not impacted. Loblaw forced logouts for all affected customers as a precautionary measure. The primary risk to customers is phishing and social engineering using exposed personally identifiable information. The discrepancy between Loblaw’s characterization and the threat actor’s claims remains unresolved.
- Customer names, phone numbers, and email addresses were accessed; passwords, health data, and credit cards were not compromised
- A threat actor claimed access to 75 million records, though Loblaw characterized the breach as low-level
- This follows the Telus Digital breach weeks earlier, marking a pattern of major Canadian enterprise breaches in early 2026
Implications
Multiple major Canadian corporate breaches in quick succession highlight an accelerating threat landscape. Organizations must ensure PIPEDA mandatory breach reporting obligations are met within the required timelines, and that SaaS CRM platforms such as Salesforce, including their connected apps and OAuth integrations, are in scope for security assessments rather than treated as the vendor’s responsibility. The pattern suggests Canadian enterprises may be being systematically targeted.
FCC Bans Import of Foreign Consumer Routers Citing National Security Risks
The US Federal Communications Commission ordered a ban on the import of new consumer routers manufactured overseas, citing unacceptable risks to national security. China commands approximately 60% of the global consumer router market. The ban responds directly to the Salt Typhoon, Volt Typhoon, and Flax Typhoon campaigns that compromised telecommunications infrastructure.
The ban does not affect existing devices, and new imports may be granted exceptions if approved by the Departments of Defense or Homeland Security. An interagency committee found that reliance on foreign made routers introduces supply chain vulnerabilities threatening critical infrastructure and the US economy.
- All new foreign-manufactured consumer routers banned from import unless granted a DoD or DHS exception
- Existing devices are not affected by the order
- Directly responds to Chinese state-sponsored campaigns that compromised telecommunications in the US and Canada
Implications
This signals technology supply chain controls expanding into consumer infrastructure. Canadian organizations should monitor whether similar measures emerge domestically, particularly given CCCS assessments of PRC cyber threats to Canadian critical infrastructure. The Salt Typhoon connection is directly relevant to Canadian telecom security.
European Commission Confirms Cyberattack on AWS Cloud Infrastructure
The European Commission confirmed a cyberattack affecting its cloud infrastructure hosted on Amazon Web Services. Hackers allegedly accessed at least one AWS account and claimed to have stolen hundreds of gigabytes of data including multiple databases from the Europa.eu platform. Internal systems were not affected.
This is the second cyberattack disclosed by the Commission in 2026, following a January incident that exposed some staff details. The Commission stated it discovered the breach, took immediate containment steps, and implemented risk mitigation measures.
- The breach targeted AWS-hosted cloud infrastructure supporting the Commission’s public web presence
- Internal Commission systems were not affected by the cyberattack
- Second Commission breach disclosed in 2026, following a January incident
Implications
A breach of a major government institution’s cloud environment reinforces the shared responsibility model of cloud security: the provider secures the underlying platform, but account configuration, identities and logging remain the customer’s job. Organizations should review their own cloud IAM configurations for wildcard permissions, enforce least-privilege access on the roles that serve public web properties, and confirm that audit logging (CloudTrail, in AWS) covers every region with log integrity validation enabled. The incident also strengthens the case for sovereign cloud deployments for government and regulated industries.
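A least-privilege and audit-logging review of the kind recommended above, as an added example that is not the Commission’s or AWS’s code. The two IAM policy documents and the trail description are constructed samples shaped like the output of `aws iam get-policy-version` and `aws cloudtrail describe-trails`; the bucket name and VPC endpoint ID are placeholders.

```python
"""Least-privilege review of IAM policy documents plus a CloudTrail check.
Added example; the sample inputs below are constructed, not real accounts."""
import fnmatch

# Constructed sample: one leaked key for this role is a whole-account compromise.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "WebDeploy", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "Ops", "Effect": "Allow",
         "Action": ["iam:PassRole", "s3:GetObject"],
         "Resource": ["*", "arn:aws:s3:::example-web-assets/*"]},
    ],
}

# Constructed sample: the same publishing job, scoped to one bucket and one VPC endpoint.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "WebAssets", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-web-assets/*"},
        {"Sid": "ListBucket", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-web-assets",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}

# Constructed sample shaped like one entry from `aws cloudtrail describe-trails`.
SAMPLE_TRAIL = {
    "Name": "management-events",
    "IsMultiRegionTrail": False,
    "IncludeGlobalServiceEvents": True,
    "LogFileValidationEnabled": False,
    "KmsKeyId": None,
}

# Actions that let a principal widen its own access when Resource is "*".
ESCALATION_ACTIONS = (
    "iam:PassRole", "iam:CreateAccessKey", "iam:AttachUserPolicy",
    "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutRolePolicy",
    "iam:UpdateAssumeRolePolicy", "sts:AssumeRole",
)


def _as_list(value):
    # IAM accepts either a bare string or a list in Action/Resource.
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return (Sid, finding) pairs for Allow statements wider than a single
    workload should need. An empty list means nothing obvious stood out."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if "NotAction" in st or "NotResource" in st:
            findings.append((sid, "uses NotAction/NotResource (allows everything not listed)"))
        if "*" in actions:
            findings.append((sid, "allows every action"))
        else:
            service_wide = [a for a in actions if a.endswith(":*")]
            if service_wide:
                findings.append((sid, "allows every action in " + ", ".join(service_wide)))
        if "*" in resources:
            findings.append((sid, "applies to every resource"))
            if "*" not in actions:
                # Action patterns may contain wildcards, so match pattern against each known action.
                escalating = sorted(e for e in ESCALATION_ACTIONS
                                    if any(fnmatch.fnmatchcase(e, a) for a in actions))
                if escalating:
                    findings.append((sid, "privilege-escalation actions on every resource: "
                                     + ", ".join(escalating)))
    return findings


def find_trail_gaps(trail):
    """Return the audit-logging gaps in one CloudTrail trail description."""
    gaps = []
    if not trail.get("IsMultiRegionTrail"):
        gaps.append("not multi-region: activity in other regions is not recorded")
    if not trail.get("IncludeGlobalServiceEvents"):
        gaps.append("global service events (IAM, STS) are not recorded")
    if not trail.get("LogFileValidationEnabled"):
        gaps.append("log file validation off: tampering with delivered logs is undetectable")
    if not trail.get("KmsKeyId"):
        gaps.append("logs are not encrypted with a customer-managed KMS key")
    return gaps


if __name__ == "__main__":
    for name, pol in (("OVERBROAD_POLICY", OVERBROAD_POLICY), ("SCOPED_POLICY", SCOPED_POLICY)):
        print(name, find_overbroad_statements(pol) or "no findings")
    print("trail gaps:", find_trail_gaps(SAMPLE_TRAIL))
```

The `iam:PassRole` check is the one most often missed in manual reviews: a role that can pass any role to a service can launch compute under a more privileged role and climb from there, so a public web-publishing role should never carry it against `Resource: "*"`. The trail check reflects the fields `describe-trails` actually returns; whether the trail is currently delivering logs comes from `get-trail-status` and is a separate check.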
CPCSC Level 1 Deadline Arrives: Defence Suppliers Face Compliance Crunch
The CPCSC Level 1 self-assessment deadline is now upon Canadian defence suppliers. Starting April 2026, new RFPs issued in support of National Defence will require mandatory CPCSC cyber security certification. Suppliers without a completed Level 1 self-assessment in their CanadaBuys profile risk exclusion from defence procurement.
Level 1 requires a self-assessment against 97 controls drawn from ITSP.10.171, which is based on NIST SP 800-171 Rev 3. There is no equivalence between CPCSC and the US CMMC program because of a NIST revision gap (Canada’s baseline is Rev 3, CMMC’s is Rev 2), which leaves a delta of 20 to 30 requirements. Level 2 third-party assessments begin April 2027.
- New DND RFPs will require CPCSC Level 1 certification starting April 2026
- Suppliers must complete a self-assessment against 97 controls and register it in CanadaBuys
- No reciprocity with US CMMC means Canadian suppliers serving both countries need dual certifications
- Level 2 third-party assessment requirements begin April 2027
Implications
Defence supply chain contractors who have not completed the Level 1 self-assessment face immediate exclusion from new DND contracts. The lack of CMMC reciprocity means cross-border defence contractors must budget for maintaining dual certification programs. Certification bodies and assessor organizations should be preparing for Level 2 assessment demand beginning in 2027.
EU Parliament Approves AI Act Digital Omnibus Changes, Opens Trilogue
The European Parliament approved changes to the EU AI Act under the Digital Omnibus package on March 26, following the Council’s agreement on its negotiating position on March 13. The package delays high-risk AI system obligations and extends SME regulatory exemptions to small mid-cap companies. Trilogue negotiations are now open.
Annex III high-risk AI system obligations are delayed to December 2027 and Annex I obligations to August 2028. Expanded permissions for processing sensitive personal data for bias detection and mitigation were included. The AI Office’s enforcement powers are reinforced.
- High-risk AI system obligations for Annex III delayed to December 2027; Annex I to August 2028
- SME exemptions extended to small mid-cap companies
- Expanded permissions for sensitive data processing in bias detection and mitigation
Implications
The timeline extensions give organizations more runway to prepare for EU AI Act high-risk obligations, but the regulatory direction is clear. Canadian organizations with EU market exposure should use this window to establish ISO/IEC 42001-aligned AI management systems before the delayed deadlines arrive.
AI Generated Code Reaches Critical Mass as Governance Questions Intensify
Anthropic CEO Dario Amodei’s March 2025 prediction that AI would write 90% of code within six months is being tested against reality. Anthropic reports that 70% to 90% of its own code is now AI-generated, with some engineers no longer writing code themselves and instead focusing entirely on reviewing and editing AI output. The shift raises fundamental questions about software liability, quality assurance, and workforce governance.
The trend extends beyond Anthropic. Industry reports indicate that AI coding tools are now embedded across the software development lifecycle, from code generation to testing and deployment. However, not everyone is convinced that AI-generated code meets the quality and security standards required for production systems, particularly in regulated industries.
- Anthropic reports 70% to 90% of its code is now AI-generated; some engineers focus entirely on review
- The shift raises questions about software liability: who is accountable when AI-generated code causes failures?
- Regulated industries face particular scrutiny around audit trails and quality assurance for AI-generated software
Implications
Organizations deploying AI coding tools should establish governance frameworks addressing code provenance, liability, and quality assurance. Audit and compliance teams need updated controls for software development processes that rely heavily on AI generation. The rapid adoption rate means organizations that delay governance frameworks risk accumulating unmanaged technical and legal risk.
White House Releases National AI Legislative Framework
The White House published its National Policy Framework for Artificial Intelligence, a legislative blueprint calling for federal preemption of state AI laws and a sector-specific regulatory approach using existing agencies. White House AI adviser David Sacks indicated Congress could pass bipartisan AI legislation within months.
The framework outlines seven pillars including protecting children, safeguarding communities, respecting intellectual property, and enabling innovation. It recommends Congress preempt state AI laws that impose undue burdens while preserving states’ traditional police powers, and calls for regulatory sandboxes for AI applications.
- Calls for federal preemption of state AI laws that impose undue burdens on AI development
- Relies on existing sector-specific regulators rather than creating a new federal AI authority
- White House AI adviser indicated bipartisan legislation could pass within months
Implications
The framework is likely to shape the global AI regulatory landscape. For Canadian organizations, the contrast with Canada’s current federal AI regulatory gap is significant. Companies serving US clients may need to align with the framework’s principles even before legislation passes. The preemption approach could simplify cross-border compliance if adopted.
Cohere and Bell Canada Partner on Sovereign AI Infrastructure for Government
Toronto-based AI company Cohere announced a partnership with Bell Canada to deploy sovereign AI infrastructure for Canadian government and enterprise clients. Cohere’s large language models and its North agentic AI platform will be integrated into Bell’s AI services, with all models trained and hosted on Canadian soil to maintain data residency compliance.
Bell will become Cohere’s preferred Canadian AI infrastructure provider through its Bell AI Fabric project. Separately, Bell announced a $1.7 billion investment in a purpose-built AI data centre in Regina, Saskatchewan. Cohere also released Transcribe, an open-source automatic speech recognition model supporting 14 languages, and surpassed $240 million USD in annual recurring revenue.
- Cohere models will be trained and hosted on Canadian soil, maintaining data sovereignty and residency compliance
- Bell investing $1.7 billion in a purpose-built AI data centre in Regina, Saskatchewan
- Cohere surpassed $240 million USD ARR, signaling a maturing Canadian enterprise AI supply chain
Implications
This partnership addresses one of the key gaps identified in Canada’s AI landscape: domestic compute capacity and data sovereignty. Organizations subject to Canadian data residency requirements now have a domestic AI infrastructure pathway. For government procurement, the Bell and Cohere partnership creates an alternative to US hyperscaler dependencies for AI workloads requiring Canadian data residency.