Data Law Insights

Litigation and regulation surrounding privacy and cybersecurity is continuously developing, both within the government and the private sector.  This digest summarizes the most notable events in data security this week.

Privacy Advocates Quit Facial Recognition Talks with NTIA

After 16 months of working with with the National Telecommunications & Information Administration, nine privacy and consumer groups withdrew from discussions regarding the creation of a voluntary code of conduct for companies using facial recognition technology.  The groups were unable to reach a consensus with the NTIA over the level of consumer approval that should be required for the use of facial recognition technology.
[Talks with NTIA]

LastPass Data Breach

Password management company LastPass revealed on June 15th that unauthorized users hacked into its system and accessed users’ email addresses, password reminders, and other authentication information.  LastPass has assured users that data vaults were not exposed.
[LastPass]

LinkedIn Settles Proposed Email Harvesting Class Action for $13M

LinkedIn agreed to pay $13M to settle a proposed class action suit alleging that the company accessed users’ email contacts without permission to send out LinkedIn invitations.  LinkedIn also agreed to change its disclosure language related to email account access and invitations to connections.
[LinkedIn]

EFF Releases New Data Privacy Report

The Electronic Frontier Foundation released its fifth annual report grading online service providers’ transparency and privacy practices when responding to government requests for user data.  Categories include following industry-accepted best practices; telling users about government data demands; disclosing policies on data retention; disclosing government content removal requests; and pro-user public policy in opposing backdoors.
[Privacy Report]

Illinois Court Requires Comcast to Expose Internet User’s Identity

The Illinois state supreme court ruled unanimously that, under an Illinois procedural rule, Comcast must disclose the identity of an anonymous Internet commenter whose derogatory remarks sparked a County Board Chairman’s defamation suit.  The rule provides that, as long as a complaint can withstand a motion to dismiss, a plaintiff is entitled to discovery of a defendant’s identity before a suit is filed.
[Comcast]

New Hampshire Establishes Privacy Protection for Online Personal Information of Students

As of January 1, 2016, all operators of Internet websites, online services, online applications, and mobile applications designed, marketed, and used for “K-12 school purposes” must implement and maintain reasonably security procedures and practices and refrain from use of targeted advertising.
[New Hampshire]

Houston Astros Data Breach Investigation Continues

The FBI and U.S. Department of Justice are investigating a data breach of the Houston Astros’ internal database, which happened last year, for any signs of criminal wrongdoing within the MLB organization, specifically targeting the St. Louis Cardinals.
[Data Breach]

TCPA Prohibition on Robocalling Expanded

The FCC has voted to expand the scope of the Telephone Consumer Protection Act despite opposition from those concerned that it may increase TCPA litigation and prevent legitimate attempts of companies to reach consumers.  The FCC clarified that companies are prohibiting from using autodialers, which are defined as any device with the capability to dial or sequence random numbers, may not call customer’s after the customer has requested to stop receiving calls, and may only call a number once, regardless of whether it’s been reassigned to different customers.
[TCPA]

Reddit Converts to HTTPS

Reddit has announced that starting June 29 it will  no longer accept plaintext HTTP, following in the footsteps of private sector companies such as Netflix and Wikipedia as well as federal agencies who are embracing the encryption.
[Reddit]