Data Privacy + Cybersecurity Insider
CYBERSECURITY
CISA Passwords Used to Access DHS Systems Exposed
The Cybersecurity and Infrastructure Security Agency (CISA), which is part of the Department of Homeland Security, is responsible for cybersecurity and infrastructure security throughout the federal government, to improve cybersecurity protection against private and nation-state hackers.
CISA has been without a director since the beginning of President Trump’s second term, when the then-director resigned. In addition, the Trump administration cut funding to the agency and, through the budget cuts, furloughs, and layoffs, the agency lost about one-third of its workforce. On top of that, in March 2025, Defense Secretary Pete Hegseth ordered U.S. Cyber Command to “halt cyber-offense operations against Russia” and “ordered the unit to stand down panning against Russian cybersecurity threats.” Read more
ENFORCEMENT + LITIGATION
No Easy Walkaway: Skechers Must Face Email Marketing Claims
The latest ruling in Liss v. Skechers USA Inc., No. 3:25-CV-05861-DGE, 2026 WL 1392327 (W.D. Wash. May 19, 2026), keeps alive a proposed Washington class action challenging promotional email subject lines that allegedly used deadline-driven language to create artificial urgency around discounts. The plaintiffs alleged that Skechers sent commercial emails to Washington consumers with subject lines such as “Long Weekend Savings End Tonight,” “Today Only,” and similar “ends tonight” language, while allegedly continuing or extending the same discounts the next day or for several additional days. The complaint asserts a claim under Washington’s Commercial Electronic Mail Act (CEMA), which prohibits sending commercial emails to an address the sender knows or has reason to know is held by a Washington resident if the message’s subject line contains false or misleading information. Plaintiffs also plead a Washington Consumer Protection Act (CPA) claim, relying on the theory that a CEMA violation constitutes a per se CPA violation and can support statutory, treble-damages, injunctive, fee, and cost remedies. Read more
DATA PRIVACY
Texas Sues Netflix Over Alleged Data Privacy and Children’s Safety Practices
The Texas Attorney General has filed a new consumer-protection lawsuit against Netflix, alleging that the company misled Texans by marketing itself as an ad-free, kid-friendly alternative to Big Tech while allegedly building a large-scale system for collecting and monetizing user data. The complaint claims that Netflix repeatedly assured consumers that its paid subscription model separated it from advertising-driven platforms, including statements that Netflix did not sell ads, did not sell data, and operated as a “safe respite” from companies that exploit users through advertising. According to the complaint, Netflix later reversed course by launching and expanding an advertising business that allegedly relies on behavioral data, identity matching, third-party data partners, and ad-tech platforms. Read more
ARTIFICIAL INTELLIGENCE
Why AI Risk Needs Its Own Insurance Conversation
Many insurers, and the businesses they cover, are still treating artificial intelligence (AI) risk as if it were cyber risk cloaked in a costume. That instinct is understandable since AI systems process data, rely on vendors, create operational dependencies, and sit inside digital infrastructures. However, early litigation is showing why that framing is likely incomplete. The claims are not only arising from security hacks, ransomware, or data exfiltration, but from ordinary business activity: a customer call, a chatbot exchange, a healthcare consultation, a meeting transcript, or a vendor system setting that was enabled by default long before anyone examined its legal effect. Read more
Privacy Tip #492
FTC Enforcing the Take It Down Act
On May 19, 2026, the Federal Trade Commission (FTC) announced that it will begin enforcing the Take It Down Act (TIDA) immediately. TIDA was made law in May 2025 and requires platforms to remove non-consensual intimate imagery within 48 hours of being notified. It provides criminal penalties for the publication of non-consensual intimate imagery and deepfakes, particularly of minors.
Learn about the FTC’s immediate enforcement of the Take It Down Act and what businesses and victims need to know in this week’s privacy tip. Read more



