Privacy Law Newsletter April 2018
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
Data Breach Disclosures/Updates This Month
Canadian retail conglomerate Hudson’s Bay, the parent company of Saks Fifth Avenue, Saks OFF 5th and Lord & Taylor, disclosed that credit and debit card numbers belonging to more than five million customers of the stores had been compromised. In a notice posted on the stores’ websites, the company said the data appeared to have been stolen using malicious software implanted in the stores’ cash register (point-of-sale) systems.
Delta Air Lines and Sears Holdings Corp. disclosed that some of their customers’ credit card information may have been compromised through the online chat support software supplied by vendor [24]7.ai. Delta launched a website to provide information about the cyber incident.
Bakery-café chain Panera Bread revealed that customers who created online accounts may have had their personal information exposed in a data breach, including their names, addresses, email addresses, phone numbers, birthdays and the last four digits of their credit card numbers. According to media reports, the data may have been accessible for several months before the company acknowledged the breach.
Facebook raised its estimate of the number of people whose data was shared with Cambridge Analytica to 87 million users, 37 million more than earlier estimates. The company announced it would notify affected users, about 70 million of whom are in the U.S. In a follow-on announcement, the company introduced new disclosure measures for all issue-based and political ads: users will now see an on-screen label identifying a posting as a political ad and naming who paid for it.
Fitness apparel company Under Armour announced it is notifying users of MyFitnessPal, its food and fitness tracking app, of a data breach that compromised usernames, email addresses and passwords. According to the company’s investigation, the breach affects approximately 150 million user accounts.
Boeing confirmed a report that it had sustained a “limited” malware intrusion, but described media articles characterizing it as a WannaCry ransomware attack as inaccurate. Boeing said the intrusion was contained and did not affect production or delivery of its products.
The FTC announced that Uber Technologies had agreed to an expanded settlement of charges that it failed to disclose a data breach exposing the personal data of 57 million users, instead paying the two hackers responsible $100,000 to keep the incident quiet. With the settlement, the FTC closed its investigation of the company without imposing a fine.
Other Privacy Law Developments
Short-term rental service Airbnb will start sharing information about its Chinese hosts with China’s government in order to comply with Chinese regulations. China’s strict residency rules require both citizens and tourists to register their addresses with the police within 24 hours of arriving or checking into a hotel.
The Department of Defense Office of Operational Test and Evaluation issued a memo updating its procedures for how department testers should evaluate cybersecurity in acquisition programs. The new procedures call for a two-step test for locating vulnerabilities and replace the previous set of procedures issued in 2014.
The Inspectors General of DHS and the VA each issued reports finding that their respective agencies fell short in keeping their systems safe from cyberattacks. The DHS Inspector General’s report and the VA Inspector General’s report both identified deficiencies in training, access controls and intrusion monitoring, areas mandated under the Federal Information Security Modernization Act.
Insurance Europe, an insurance industry federation, developed a template to help companies report cyberattacks to regulators within 72 hours, as required once Europe’s General Data Protection Regulation (GDPR) takes effect. The template is designed so that the information can be shared in anonymised and aggregated form and does not identify the reporting company.
The Saudi Federation for Cyber Security and Programming signed a Memorandum of Understanding (MOU) with Booz Allen Hamilton under which Booz Allen will provide educational and training content for national cybersecurity competitions, as well as programs to strengthen cybersecurity skills.
Recent Court Decisions/Settlements
The New Jersey Appellate Division affirmed a lower court decision that wiretap recordings from law enforcement investigations can be unsealed for use in civil litigation if good cause is shown. The case involved the estate of mobster-turned-government-informant Frank Lagano (Estate of Frank P. Lagano v. Bergen County Prosecutor’s Office).
The U.S. District Court for the Southern District of Texas sentenced Azeez Balogun, a Nigerian citizen, to 75 months in prison for stealing personally identifiable information from the mail and using it to open bank accounts that received illicit funds. Balogun must also pay $54,000 in partial restitution.
Alabama Governor Kay Ivey signed into law SB 318, the Alabama Data Breach Law, making Alabama the last of the 50 states to enact a breach notification statute. The law requires entities doing business in the state to notify consumers when their personal information has been compromised in a data breach.
The Massachusetts Legislature passed SB 2296, which would protect the confidentiality of healthcare information by requiring insurance carriers to let an insured choose his or her preferred method of receiving summary of payments forms and by giving the insured the right to request that those forms be suppressed.
South Dakota Governor Dennis Daugaard signed SB 62 into law, establishing the state’s data breach notification requirement. The law requires notification within 60 days of discovery of a breach and authorizes the Attorney General to seek a civil penalty of up to $10,000 per day per violation for failure to disclose a breach. It takes effect on July 1, 2018.
Utah Governor Gary Herbert signed SB 74 into law, which allows any individual to request that his or her voter registration be classified as a private record and specifies that a government entity may only share a protected voter registration record with another government entity for a purpose related to voter registration or an election.
Virginia Governor Ralph Northam signed SB 271 into law, which requires income tax return preparers to notify the Department of Taxation within a reasonable time after discovering that an unauthorized person has accessed a taxpayer’s return information.
Privacy Law Initiatives in the Attorney General Community
Forty-one Attorneys General wrote to Facebook CEO Mark Zuckerberg seeking answers to questions concerning reports that personal information from Facebook user profiles was provided to Cambridge Analytica without user consent, and requesting an update on how Facebook will make it easier for users to control the privacy of their accounts.
Thirty-two Attorneys General wrote to Congressional leaders urging them not to preempt state data breach and data security laws. The letter also raised concerns about proposed federal data breach notification legislation.
New Jersey Attorney General Gurbir Grewal and the Division of Consumer Affairs announced that physicians’ network Virtua Medical Group has agreed to pay $417,816 and improve its data security practices to settle allegations that it failed to properly protect the privacy of more than 1,650 patients whose medical records were viewable online as a result of a server misconfiguration by a private vendor. Investigator Aziza Salikhova conducted the investigation, and Deputy Attorneys General Russell Smith, Jr. and Carla Pereira represented the State in the matter.
Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail firstname.lastname@example.org.