KKR, Instructure Face Lawsuit After Canvas EdTech Tool Data Breach

KKR, Instructure Sued After Canvas EdTech Tool Data Breach

KKR & Co. and its Instructure Inc. unit are facing several federal class actions after cybercriminal group ShinyHunters allegedly breached their education technology tool Canvas, affecting schools worldwide.

ShinyHunters exploited an issue with Instructure’s Free-for-Teacher accounts—a demo program for educators whose schools weren’t Canvas users, the company said. It said names, student ID numbers, and messages among Canvas users were compromised in the breach, but no government identifiers or financial information.

Instructure was hit with at least seven federal suits, six filed in the US District Court for the District of Utah. KKR, which purchased Instructure in 2024 for approximately $4.8 billion, is a named defendant in a case filed in the Southern District of New York.

…

ShinyHunters claims the breach impacted 275 million students, teachers, and staff members worldwide across nearly 9,000 educational institutions. KKR declined to comment.

Insider trading case exposes gaps in law firm security

An insider-trading scheme unveiled this week by federal prosecutors in Boston laid out what looked like the perfect crime of opportunity. Corporate lawyers allegedly mined internal law firm systems for deal secrets and tipped accomplices to earn tens of millions of dollars off well timed trades.

Based on the information in the indictments, the insider tips the lawyers gleaned didn’t require breaking through any doors, physically or metaphorically: they had access by virtue of working at the law firms. The sprawling scheme includes 30 defendants and has ensnared some of the most elite law firms in the country, including Latham & Watkins; Wachtell, Lipton, Rosen & Katz; and Goodwin Procter. The law firms haven't ‌been accused of wrongdoing and are considered victims by prosecutors.

…

Over the last dozen years, several well-known corporate law firms have been embroiled in similar insider-trading scandals involving information employees nabbed from internal databases. Those cases should have served as a wake-up call for law firms that they needed to do more to secure their internal systems.

AI Billing Transparency Tells a Story That’s Good for Law Firms

“But that would just lead clients to ask for cost savings.”

This wasn’t the reaction we were expecting when my head of legal operations and I began making the argument that law firms should report their artificial intelligence use in legal billing.

Our interest wasn’t primarily to identify cost savings. The conventional billing codes weren’t built to track AI use—and in a world where AI deployment is new, diffuse, and evolving, that alone seemed like a gap worth closing.

Our interest was largely technological. We wanted to understand how AI was being used, including the ways it creates value that doesn’t translate into fewer hours billed.

When we raised this with the cohort of our regular, go-to law firms, the response was encouraging. The relationship partners were unabashed: Yes, we’re using AI. We’re still figuring it out, but we’re doing it. Tell us what you want to see.

We were delighted that so many of our firms saw it that way. But once the request moved beyond our relationship partners, we also encountered something else: a preference for opacity while firms “figure it out” and an instinct to give clients the Heisman before they ask too many questions about billing—or worse, ask for savings.

Cyber-Ready Boards: A Guide to Effective Cybersecurity Briefings for Directors

Cybersecurity continues to be a significant risk facing public companies, with different threats constantly emerging. A cyber intrusion may, among other things, be disruptive to business or even bring it to a temporary halt, be extremely expensive to remediate, result in litigation and regulatory exposure and attract media attention.

For domestic public reporting companies, a material cybersecurity incident also generally requires public disclosure of material aspects of the incident on a Form 8-K within four business days after the event is determined to be material, and may require Form 6-K disclosure for foreign private issuers.

Additionally, annual reports on both Form 10-K and 20-F require a description of board or committee oversight of risks from cybersecurity threats and the process by which such body is informed about the applicable risks.

Are You Ready — California Cybersecurity Audits Are Here!

The California Privacy Protection Agency’s (CalPrivacy) Executive Director Tom Kemp recently stated that the agency’s new Audits Division will begin conducting audits assessing companies’ compliance with California data privacy laws this year.

What Is the Role of the New Audits Division?

CalPrivacy was established in 2020 by the California Privacy Rights Act (CPRA), which amended the California Consumer Privacy Act (CCPA). The agency is responsible for implementing and enforcing both statutes.

The CPRA required CalPrivacy to “appoint a Chief Privacy Auditor to conduct audits of businesses to ensure compliance” with the CCPA and CPRA. Accordingly, in February 2026, CalPrivacy formed the new Audits Division, led by Chief Privacy Auditor Sabrina Boyson Ross.

…

The newly formed Audits Division, announced February 3, 2026, has been described by Executive Director Kemp as the “point folks” for cybersecurity audit certifications and is responsible for developing and applying privacy compliance audit procedures and examining businesses’ practices for compliance gaps.

Linklaters Launches New Practice to Build Matter-Specific AI Solutions

On May 5, Linklaters announced the launch of Applied Intelligence, a new practice designed to build bespoke artificial intelligence workflows and tools for individual clients and matters. The practice unites attorneys and data scientists in a front office team to work together directly on live matters.

Applied Intelligence was co-founded by Tom Quoroll, a structured finance partner and chair of the Linklaters’ AI program, and Sarah Barnard, the firm’s director of AI delivery. The team has three attorneys and three data scientists to start, with hopes to expand further.

Quoroll told Law.com that the new practice was created to work on matters involving uncommonly large and complex document and data sets, which require Linklaters to call on resources that have typically sat outside of its individual practice groups.