The National Attorneys General Training & Research Institute
Privacy Law Newsletter April 2017
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
New Developments on Privacy Law Issues
FCC Will Propose Plan Targeting Robocalls
The Federal Communications Commission (FCC) voted unanimously to propose a plan at an active meeting that would allow carriers to block calls from unassigned or invalid phone numbers in order to limit unlawful robocalls. According to the FCC, the rules would let carriers block calls from an originating number if requested by the subscriber, such as calls claiming to be from IRS lines that aren’t used for outgoing calls. The plan would also seek feedback on spoofed calls from overseas.
Illinois State Employment Agency Vendor Hacked
Illinois Governor Bruce Rauner’s office has confirmed that America’s Job Link Alliance (AJLA), a vendor for the state’s Department of Employment Security, suffered a data breach in a hack potentially affecting 1.4 million job applicants. The breach was confirmed only a few days after Governor Rauner announced a new cybersecurity plan for the state. The hack could also have compromised data of job applicants in several other states, namely Alabama, Arizona, Arkansas, Delaware, Idaho, Kansas, Maine, Oklahoma and Vermont.
Report: 1.4 Billion Records Lost or Stolen in 2016 Data Breaches
There were 1.4 billion consumer data records lost or stolen in 2016, an 86 percent increase over the previous year, according to digital security provider Gemalto’s 2016 Breach Level Index Report. Gemalto attributed the increase in large part to hackers targeting and holding for ransom large databases compiled by social media and entertainment websites such as AdultFriendFinder. The report can be accessed from https://safenet.gemalto.com.
95,000 Job Applicants’ Data Stolen in McDonald’s Canada Breach
A cyberattack at McDonald’s in Canada has compromised the personal information of 95,000 people who applied for a job during the past three years. The chain said all affected applicants would be contacted by letter or via the information given in their applications.
International Athletes’ Drug Use Records Hacked
The International Association of Athletics Federations was hacked by a group with ties to Russian intelligence known as Fancy Bear, which targets data on athletes’ medical exemptions for drug use. According to the Association, the attack occurred after it banned the Russian track and field team from the Rio 2016 Olympics over allegations of a state-sponsored doping scheme.
UK Fines Honda, Flybe For Marketing Email Blasts
The United Kingdom’s Information Commissioner’s Office fined the European branch of Honda Motor Co. and regional airline Flybe Ltd. a total of $104,000 for allegedly sending customers marketing emails without their consent in violation of the Privacy and Electronic Communications Regulations. Honda allegedly sent thousands of emails to clarify customers’ choices for receiving marketing, while a third party agent of Flybe sent more than 3.3 million emails.
Microsoft Reports 2X Government Requests for Data
Microsoft Corp. received twice as many U.S. government requests for data under the Foreign Intelligence Surveillance Act (FISA) in the first half of 2016 as in the previous six months, according to its biannual transparency report. However, the report also showed that the number of accounts from which data was requested declined by approximately 5,000 accounts.
IG Issues Scathing Report on IRS Security Failures
The Treasury Inspector General for Tax Administration issued an audit report disclosing that after the 2015 security breach the IRS not only ignored warnings to deactivate a potentially compromised PIN application used to fight identity theft, but failed to implement any effective strategy to mitigate fraudulent tax returns. The report may be accessed at https://www.treasury.gov/tigta/auditreports/2017reports/201740026fr.pdf.
EU Committee Declares Privacy Shield Deficient
The European Parliament’s Civil Liberties, Justice and Home Affairs Committee narrowly approved a resolution expressing concerns and noting “key deficiencies” with the EU-U.S. Privacy Shield data transfer pact. Although the resolution acknowledged that the pact was superior to safe harbor, it stated the pact needs improvements to ensure that EU citizens’ data is being adequately protected. The resolution noted the lack of specific rules on the right to object to data transfers, as well as on how the Privacy Shield principles apply to data processors.
Recent Court Decisions/Settlements on Privacy Issues
DC Circuit Strikes Down FCC Junk Fax Opt-Out Rule
A split DC Circuit Court of Appeals vacated an FCC rule requiring opt-out notices on solicited faxes, finding that the FCC lacks authority under the Telephone Consumer Protection Act (TCPA) to regulate communications sent with the recipient’s consent. The case is Yaakov of Spring Valley v. FCC, no. 14-1234 (D.C. Cir. Mar. 31, 2017).
Florida Court: Warrant Req’d for Car’s Black Box
In a case of first impression, a split Florida District Court of Appeal affirmed a lower court’s order granting a driver’s motion to suppress, ruling that law enforcement needs a warrant before downloading data from a car’s “black box” event recorder. The court concluded that the driver’s Fourth Amendment rights were violated because he had a reasonable expectation of privacy in the data. The case is State of Florida v. Worsham, no. 4D15-2733 (Fla. Dist. Ct. App. Apr. 3, 2017). Assistant Attorney General Mitchell Egber represented the State.
Twitter, Yelp, Others Pay $5.3 Million to Resolve App Privacy Issues
The U.S. District Court for the Northern District of California was asked for preliminary approval of a settlement in which several tech companies, including Twitter Inc., Yelp Inc., Instagram LLC and Foursquare Labs Inc., agreed to pay a total of $5.3 million to resolve a putative class action alleging violations of user privacy through their apps for Apple’s mobile operating system. The apps allegedly were created in such a way as to unlawfully upload and disseminate users’ personal information. The other companies in the settlement are Foodspotting Inc., Gowalla Inc., Kik Interactive Inc. and Kong Technologies Inc. (formerly Path Inc.). The case is Opperman v. Path Inc., no. 3:13-cv-00453 (N.D. Cal. Apr. 3, 2017).
Florida High Court: Attorney-Doctor PI Referrals Are Privileged
The Florida Supreme Court ruled, 4-3, that attorneys for defendant Central Florida YMCA cannot ask about the referral relationships between the plaintiff’s attorneys, Morgan & Morgan PA, and the Sea Spine Orthopedic Institute because those relationships are protected by attorney-client privilege. The plaintiff was referred to the Institute after she tripped in the YMCA’s parking lot and sued. The case is Worley v. Central Florida Young Men’s Christian Association Inc., no. SC15-1086 (Fla. Apr. 13, 2017).
Supreme Court Orders Deferential Standard for EEOC Subpoena Reviews
The U.S. Supreme Court vacated a Ninth Circuit Court of Appeals decision, ruling that appellate courts should use a deferential standard to review trial courts’ decisions on whether to enforce Equal Employment Opportunity Commission (EEOC) subpoenas, and ordered the Ninth Circuit to revisit whether grocery distributor McLane Co., Inc. has to turn over an employee’s personally identifiable information. The case is McLane Co. Inc. v. Equal Employment Opportunity Commission, no. 15-1248 (S. Ct. Apr. 3, 2017).
Neiman Marcus Settles Class Action Over Data Breach
The U.S. District Court for the Northern District of Illinois has been asked for preliminary approval of a settlement in which Neiman Marcus agreed to pay $1.6 million to resolve claims resulting from a cyber intrusion into its systems that exposed the credit card data of 150,000 customers. The suit accused the retailer of failing to protect customers’ privacy and waiting 28 days before informing them of the breach. The case is Remijas v. The Neiman Marcus Group LLC, no. 1:14-cv-01735 (N.D. Ill. Mar. 17, 2017).
Court OKs Tampa Bay Buccaneers’ Junk Fax Settlement
The U.S. District Court for the Middle District of Florida gave preliminary approval to a settlement in which the Tampa Bay Buccaneers agreed to pay $19.5 million to resolve claims by a client services firm over unsolicited faxed ads for game tickets in violation of the TCPA. The proposed settlement provides for payments of up to $350 for the first fax received and up to an additional $565 for subsequent faxes to class members. The case is Technology Training Associates Inc. v. Buccaneers Limited Partnership, case no. 8:16-cv-01622 (M.D. Fla. Mar. 31, 2017).
Court Approves Largest FACTA Settlement on Record
The U.S. District Court for the Southern District of Florida gave preliminary approval to the largest monetary settlement in the history of the Fair and Accurate Credit Reporting Act (FACTA), in which Doctor’s Associates Inc., d/b/a Subway, agreed to pay $30.9 million to resolve claims it unlawfully printed full credit card expiration dates on receipts. The class includes Subway patrons who received receipts between January 1, 2016 and the date of preliminary approval. The case is Flaum v. Doctor’s Associates Inc., no. 0:16-cv-61198 (S.D. Fla. Mar. 23, 2017).
ADT to Settle Suits Over Alarm Hackability
The U.S. District Court for the Northern District of California has been asked for preliminary approval of a settlement in which home security company ADT LLC has agreed to pay $16 million to resolve claims in five proposed class actions that it deceived consumers about the efficiency of its devices and their vulnerability to hacking. The case is Edenborough v. ADT LLC, no. 3:16-cv-02233 (N.D. Cal. Mar. 23, 2017).
Power Tool Maker Settles “Fax Blasting” Case
The U.S. District Court for the Northern District of Illinois was asked to certify a proposed class and approve a settlement in which power tool manufacturer Senco Brands Inc. agreed to pay $3 million for its alleged “fax blasting” campaign advertising Senco’s air compressors, nail guns and other tools. All class members would be paid automatically without the need to opt in based on records of those who received faxes. The case is Craftwood Lumber Co. v. Senco Brands Inc., no. 1:14-cv-06866 (N.D. Ill. Apr. 5, 2017).
Chocolatier Seeks to Settle Case Over FACTA Violations
The Eleventh Circuit Court of Appeals was asked to approve a class action settlement in which Godiva Chocolatier agreed to pay $6.3 million to resolve claims it printed too many credit card digits on receipts in violation of FACTA. Under FACTA, a retailer can print no more than five digits of a credit or debit card, and could face a statutory penalty of between $100 and $1,000 per violation if consumers can prove it was willfully negligent. The case is Price v. Godiva Chocolatier Inc., no. 16-16466 (11th Cir. Apr. 7, 2017).
Wells Fargo Seeks to Settle Case Over Junk Faxes
The U.S. District Court for the Northern District of Illinois was asked to grant judgment in favor of Heather McCombs, who lodged a proposed class action against Wells Fargo & Co. and its contractor over junk faxes. The judgment would submit Wells Fargo and its contractor to an injunction barring them from sending future unwanted advertising faxes and would pay McCombs $7,500 and release her from the suit, but would allow other members of the proposed class of fax recipients to file claims for monetary damages. The case is McCombs v. Cayan LLC, no. 1:15-cv-10843 (N.D. Ill. Apr. 10, 2017).
State Legislative Update
The New Jersey Assembly passed A1861, the Reader Privacy Act, which would prohibit a government entity from seeking the personal information of a book service user.
New Mexico enacted HB15, codified as Chapter 36, which requires notification of a security breach involving personal information to all persons affected, as well as notification to consumer reporting agencies and the Attorney General’s Office. New Mexico is the 48th State to pass a data breach notification statute.
The Washington Legislature passed HB1717, a bill which prohibits a state agency from collecting or otherwise obtaining a person’s biometric identifiers without first providing notice and obtaining the individual’s consent.
Federal Legislative Update
The Senate passed S.J.Res.34, a resolution to repeal the broadband privacy rules promulgated by the FCC that required ISPs to obtain opt-in consent before using or sharing web browsing and other private data with advertisers and other companies.
Privacy Initiatives in the Attorney General Community
California Attorney General Xavier Becerra charged anti-abortion activists David Daleiden and Sandra Merritt with 15 felonies for using fake identities to covertly record women’s healthcare providers and supporters.
Kansas Attorney General Derek Schmidt announced that more than 40 tons of personal documents were safely disposed of during a document destruction program at 10 locations throughout the State.
New York Attorney General Eric Schneiderman entered into assurances of discontinuance with app makers Cardio, Runtastic and Matis, who all agreed to pay $30,000 and revise their advertising and privacy policies to resolve claims that they falsely touted their apps’ ability to measure key vital signs and were unclear about what data the apps collected.
Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail firstname.lastname@example.org.