Key developments
Washington police begin ALPR law compliance
Washington law enforcement agencies have 180 days from March 30 to comply with the state's first law regulating automated license plate readers. The day after the Driver Privacy Act was signed, Bellingham Police ended agreements with Lowe's and Home Depot for access to Flock Safety cameras, while Mount Vernon said it is updating policies and training for its six ALPR units. The law limits use to felonies and gross misdemeanors, shortens retention, blocks public-record requests, requires warrants for private ALPR data, and orders cameras removed from sensitive locations.
Why it matters
The law is already changing how police and private-camera networks can collect, retain, and query location data.
Sources & driving stories
CASCADIA DAILY
Cascadia Daily coverageLiteLLM supply-chain attack hits Mercor
A March 27 supply-chain attack on LiteLLM reportedly began with a compromise of Trivy in the project's CI/CD pipeline, followed by theft of a maintainer PyPI token and malicious releases of LiteLLM 1.82.7 and 1.82.8. Mercor says about four terabytes were exfiltrated, including video interviews, passport and driver's license images, facial biometric data, source code, resumes, contact records, and Social Security numbers. The fallout already includes Meta pausing a major data contract and OpenAI and Anthropic opening internal investigations.
Why it matters
The incident shows how a single open-source dependency compromise can expose highly sensitive identity and training-data assets across the AI ecosystem.
Sources & driving stories
RUH AI
Ruh AI coverageADT reports customer data access incident
ADT said it detected unauthorized access on April 20 affecting a limited set of customer and prospective-customer data. The exposed information included names, phone numbers, and addresses, with dates of birth and the last four digits of Social Security numbers or Tax IDs in a smaller subset. ADT said payment data and customer security systems were not accessed and that it launched forensic work and notification efforts.
Why it matters
A major alarm-monitoring provider has now disclosed another consumer-data incident that could drive fraud and identity-theft risk.
Sources & driving stories
HELP NET SECURITY · Sinisa Markovic
Help Net Security coverageWorth noting
WORTH NOTING
Otter.ai faces privacy class action
The suit adds fresh legal pressure on AI meeting notetakers and could test wiretap, biometric, and state privacy claims in court.
WORTH NOTING
Itron discloses internal IT intrusion
The utility giant says it removed unauthorized activity from corporate systems, but the scope of any data exposure remains unclear.
Still unclear
OPEN QUESTION
Can Washington agencies meet the ALPR deadline?
The 180-day compliance clock will determine how much private-camera access and plate-data retention survives in practice.
OPEN QUESTION
Will AI firms harden dependency controls now?
The Mercor incident suggests that open-source package and CI/CD security may need to be treated as a direct privacy risk, not just an engineering issue.