Litigation and regulation surrounding privacy and cybersecurity are continuously developing, both within the government and the private sector.  This digest summarizes the most notable events in privacy and cybersecurity.

Plaintiffs Ask the Court to Order CareFirst to Implement Particular Data Security Protocols

The relief sought by Plaintiffs in a recent data breach class action against CareFirst of Maryland includes a declaratory judgment finding that CareFirst’s current security measures do not meet its contractual obligations and its duty of care.  If Plaintiffs’ judgment is granted, it would require CareFirst to “implement and maintain reasonable security measures” by, among other things, engaging third-party security auditors/penetration testers to test its system, segmenting consumer data by creating firewalls and access controls, and purging, deleting, and destroying consumer data not necessary for services in a reasonably secure manner.

Inter-Agency Report Advocates Support for International Cybersecurity Standards

A draft report by an interagency working group sets out objectives and recommendations for the development of international cybersecurity standards.  According to the report, the U.S. government should encourage federal agency participation in standards development and should collaborate with private industry, academia, organizations, and consumers.  The report also provides guidance for agencies to participate more actively in international cybersecurity standards development.

Delaware Governor Signs Student Privacy Bill

Delaware Governor Jack Markell signed the Student Data Privacy Protection Act into law this week.  The Act, which will become effective August 1, 2016, limits the use of data obtained by educational technology providers.  It prohibits providers from selling student data, creating profiles of students, and using data to target advertising to students or their families.

FCC Issues $2.96 Million TCPA Robocall Fine

On Friday, the Federal Communications Commission (FCC) imposed a $2.96 million penalty against a group of related companies and their individual owners for making robocalls in violation of the Telephone Consumer Protection Act (TCPA).  According to the Forfeiture Order, the group violated the Act by making or initiating “185 unsolicited, prerecorded advertising messages (a form of robocalls) to cell phones and residential telephone lines.”  This is the largest FCC fine related to TCPA violations issued to date and highlights the significant liability that companies can face for violating the law.

9th Circuit Denies Yahoo’s Appeal of Class Certification in Email Scanning Case

On Tuesday, August 11, the Ninth Circuit denied Yahoo’s appeal of the Northern District of California’s decision to certify a class in a Stored Communications Act (SCA) case.  The plaintiffs are a class of email users who are not Yahoo subscribers, but who have sent e-mails to Yahoo addresses.  According to the complaint, Yahoo scans and analyzes messages for content to share with third parties, who then target advertising to Yahoo subscribers.  Because the members of the class are not subscribers, and thus have not given Yahoo consent for this activity, they allege that Yahoo violated the SCA.