Privacy Law Newsletter March 2018
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
Announcements and Updates to Note
DOJ announced it will form a Cyber-Digital Task Force to address the global cybersecurity threat. The Task Force will be chaired by a senior DOJ official to be appointed by the Deputy Attorney General. The announcement memo specifies the DOJ entities to be represented on the Task Force and sets out a requirement for a Task Force report by June 2018.
The ABA House of Delegates approved a privacy law specialty certification program for lawyers proposed by the International Association of Privacy Professionals (IAPP) for a five-year term. The ABA’s Standing Committee on Specialization had reviewed the IAPP's proposal and reported that the IAPP had met the requirements to administer a specialization program.
Equifax disclosed that an additional 2.4 million consumers were affected by last year’s data breach, but said that the additional consumers only had their names and partial driver’s license numbers stolen. This now brings the total number of people affected by the breach to 147.9 million Americans.
RMH Holdings, which operates Applebee’s franchises in 15 states, posted a notice of data incident on its website disclosing that customers using payment cards at its restaurants may have had their personal information compromised due to a data breach. The notice confirmed the company had discovered malware on its point of sale system.
Members of the U.S. House Oversight Committee sent a letter to Thomas Honan, U.S. ICE Acting Director, asking for detailed information on the agency’s plan to access a private nationwide driver’s license database that tethers an automobile to a specific location. The committee says it seeks to ensure that the personal information of millions of Americans is adequately protected by the company storing the information.
Google released its latest Transparency Report, stating that it had removed 43 percent of the 2.43 million links flagged for removal under the European Court of Justice’s 2014 “right to be forgotten” ruling. The company disclosed that it had received more than 650,000 requests to delist certain search results, primarily from private individuals such as celebrities and politicians,
The FTC granted Sears' petition to update the definition of tracking applications under a 2009 settlement order, which means that Sears will be allowed to track more user data. In the 2009 settlement, Sears was restricted from using mobile tracking apps without express consumer consent and clear notice of the types of information it collects.
The SEC voted unanimously to approve guidance for public companies on how and when they should disclose cybersecurity risks and breaches, including potential weaknesses that have not yet been targeted by hackers. It included warnings that company executives should not trade in a firm’s securities while in possession of nonpublic information on cybersecurity attacks.
The U.K. Information Commissioner's Office announced that WhatsApp has signed an "undertaking" pledging not to share personal data with parent company Facebook until it can do so in compliance with the General Data Protection Regulation, which comes into effect this May. As a result, the Office has ended its investigation into the smartphone messaging service.
In other U.K. privacy regulator news, the U.K. information and data privacy regulator launched an ad campaign targeting small businesses to ensure they understand new rules requiring companies to be more transparent in how their data is used, shared and stored. The ads, sponsored by the Information Commissioner's Office, are directed primarily at companies with 10 or fewer employees.
The Office of the Privacy Commissioner of Canada disclosed it has requested information from grocery chain Loblaw's about privacy concerns raised by customers over the grocer’s requirement for personal information in order to secure a gift card offered as a result of alleged bread price-fixing. Commission guidelines state that individuals should be advised of the reason the information is being collected and it should only be used for those purposes.
The U.K. government issued a Secure by Design report that would require manufacturers of Internet-connected devices to take steps to protect their products from cybersecurity threats. The report outlines practical steps for manufacturers, such as automatic software updates and encryption of sensitive data.
Recent Court Decisions/Settlements
The Second Circuit upheld a New York state law requiring tax-exempt non-profit organizations to disclose their donors, saying it was unconvinced by conservative advocacy group Citizens United’s claims that revealing donors to the Attorney General’s Office breached First Amendment protections because it would scare people away from donations to controversial causes. Citizens United v. Schneiderman. Barbara Underwood, Solicitor General, and Matthew Grieco, Deputy Solicitor General, represented the New York Attorney General’s Office on the brief.
The New Jersey Superior Court Appellate Division affirmed a $27,000 judgment against a former technology company worker who accessed the company’s system without authorization and destroyed data. eMazzanti Technologies, Inc. v. Singer.
The FTC reached a settlement with PayPal over allegations that the company misled users of its mobile payment service app Venmo about the availability of their balances and the privacy of their transactions. The settlement, which does not involve a fine, prohibits Venmo from misrepresenting any material restrictions on the use of its service, the extent of control provided by any privacy settings and the extent to which Venmo implements or adheres to a particular level of security.
A New Hampshire state court ruled that a woman who won a $560 million Powerball lottery can remain anonymous, finding that disclosing her name would be an invasion of privacy and dismissing the state’s claim that disclosing her name would satisfy the public that prizes are distributed fairly. The court did allow that the woman’s home town could be disclosed, as that alone would not reveal her identity.
A Belgian court ordered Facebook to cease tracking its citizens online and delete all data it had gathered, including information on people who were not Facebook users themselves, or face up to 100 million euros ($125 million) in fines. The case was brought by the Belgian privacy watchdog.
The European Court of Human Rights dismissed a claim by a French rail worker that his privacy rights were violated when his employer found pornography in his personal files on his work computer. The court held that an employer could consult files on an employee’s work computer which had not been duly identified as being private. Libert v. France.
The Alabama Senate passed SB 318, which would require entities doing business in the state to notify consumers if their personal data has been compromised in a data breach.
The New Mexico Senate passed SM 12, which requests that the Attorney General analyze compliance with the notification requirements of the state Data Breach Notification Act stemming from the Equifax data breach and the methods used by some states to eliminate charges to consumers for credit freezes on the reports.
Virginia Governor Ralph Northam signed HB 183 into law, which requires income tax preparers to notify the Department of Taxation if they discover that an unauthorized person has accessed a taxpayer’s return. It is codified as Chapter 283 and effective on July 1, 2018.
Privacy Law Initiatives in the Attorney General Community
Arizona Attorney General Mark Brnovich announced his 2018 CWAG Chair’s initiative, which will focus on cyber security, data privacy and digital piracy. The program will take place on May 3-4, 2018 in Scottsdale.
New York Attorney General Eric Schneiderman announced a settlement with healthcare provider Emblem Health and its subsidiary Group Health over a mailing error that exposed 81,122 Social Security numbers. The company will pay a $575,000 penalty and undertake a corrective plan. Bureau of Internet and Technology Deputy Bureau Chief Clark Russell is handling the case.
Pennsylvania Attorney General Josh Shapiro filed suit against Uber for violating the state’s data breach notification law. The case is being handled by Deputy Attorney General Timothy Murphy.
Washington Attorney General Bob Ferguson filed updates to the Public Records Act, including a confirmation that the public is entitled to request public records stored on personal devices if those records concern agency business.
Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail email@example.com.