Privacy Law Newsletter August 2017

The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.

Notable Developments

  • The FBI issued a notice warning consumers to consider potential privacy and security risks when purchasing Internet-connected toys with features such as voice recognition and GPS capabilities. The FBI noted that although smart toys have the ability to learn and change depending on users’ interactions with them, they also collect personal information, so consumers should research the toy company’s privacy practices and known security issues before buying.

  • Lloyds of London, the world’s biggest specialty insurance provider, issued a report warning that a major global cyberattack could cause $53 billion of damage. The report, which examined possible scenarios for an attack, called on insurers to keep abreast of the changing threats and view online threats in the same way as they would a natural disaster.

  • Virgin America disclosed in a letter posted on the California Attorney General's website that its computer systems were hacked, and login credentials for 3,000 employees and contractors who had access to its corporate network were stolen. The letter stressed that no customer data had been exposed.

  • The Administrative Office of the U.S. Courts fixed a vulnerability in its online PACER/ECF system that might have granted unlimited access to website owners whose visitors to their sites were also logged into PACER. It would have allowed rogue website operators to make purchases using the PACER account of more than 1.6 million registered users, jeopardizing the $150 million of annual PACER.ECF revenue.

  • The General Services Administration (GSA) has chosen AT&T, Verizon and eight other companies to participate in a $50 billion Enterprise Solutions contract which will allow them to compete for task orders to provide federal agencies with telecommunications and information technology services, including cybersecurity services. Each of the companies is guaranteed at least $75 million in revenue under the contract.

  • The Treasury Inspector General for Tax Administration released a report finding that the IRS has continued to hire former employees who had either been terminated or were “separated” while under investigation for accessing taxpayer information without the requisite authority.

  • The SEC’s Office of Compliance Inspections and Examinations published a report on its second cybersecurity survey of the finance industry’s cybersecurity compliance, finding that financial companies have improved in their ability to implement cybersecurity policies. The survey found that more broker-dealers than funds and advisers did well on all cybersecurity measures, but enforcement of policies was still lacking.

  • The U.K. announced it has allocated 14.5 million pounds ($18.9 million) for a new cyberdefense innovation center in London, to be built over the next three years. The center will give U.K. firms access to the latest cybertechnology and allow startups to get technical monitoring and business advice.

  • U.K. Information Commissioner Elizabeth Denham issued her first annual report of accomplishments, including programs to improve the public’s trust in those who process their data and to help the public better understand the requirements of the EU data protection reform package. According to the report, the Commissioner’s office issued 23 civil monetary penalties for a total of 1,9 million pounds ($2.5 million) for breaches of their Privacy and Electronic Communications Regulations.

  • International health insurance provider Bupa Global alerted the U.K. Financial Conduct Authority after an employee copied and removed information relating to 547,000 customers and affecting 108,000 policies. The company reported no financial or medical data was taken, but it was introducing additional safety measures.

  • The U.K. Solicitors Disciplinary Tribunal fined law firm White & Case and David Goldberg, a partner in the firm, a total of 300,000 pounds ($390,720) for failing to take the necessary steps to ensure client confidentiality and prevent conflicts of interest. Goldberg admitted to passing on confidential information regarding work done for a client to a colleague.

  • The U.K. government revealed its new Data Protection Bill, to be published later this year, that will authorize large fines against financial services firms if they fail to delete customer information on request. Banks will also have to justify any data they have collected on their customers.

Recent Court Decisions/Settlements

  • The Ninth Circuit Court of Appeals affirmed a district court order denying petitions brought by phone network operator Credo Mobile and cloud distribution provider CloudFlare to set aside information requests and nondisclosure requirements in national security letters that the FBI issued to them. The court concluded that the nondisclosure requirement, which bars service providers from telling users about the government request, is a content-based restriction on speech that is both subject to and withstands strict scrutiny, and therefore does not violate the Constitution. Under Seal v. Sessions.

  • The U.S. District Court for the Middle District of Alabama held that 15 government search warrants seeking information from Microsoft, Google, Yahoo and 1&1 Media were constitutionally overbroad and an intrusion on users’ privacy. The requests sought all data, including the contents of emails, related to accounts thought to be involved in an identity theft scheme, without any limitations on how far back the government could search nor on what information it could collect.

  • The California Supreme Court ruled that the Medical Board of California did not violate patients’ privacy rights when it obtained records from the state’s prescription drug monitoring database because the public interest in regulating potent prescription drugs and protecting patients from negligent doctors outweighed any invasion of privacy. Lewis v. Superior Court of Los Angeles County.

  • Florida Governor Rick Scott approved an agreement under which the State will pay $1.1 million in legal fees to doctors who successfully challenged the constitutionality of the state Firearm Owners Privacy Act, which barred physicians from asking about personal gun ownership. The statute was struck down by the Eleventh Circuit Court of Appeals.

  • The Ninth Circuit also reversed a preliminary injunction issued by the U.S. District Court for the Western District of Washington preventing an anti-abortion organization from obtaining identifying information for University of Washington fetal tissue researchers, finding more information was needed on how the disclosure would violate the researchers’ constitutional rights. However, the court allowed the preliminary injunction to remain in place for up to 120 days to allow time for the district court to potentially issue a new injunction order with additional justification. Jane Does 1-10 v. Daleiden.

  • A Kentucky Court of Appeals unanimously upheld a summary judgment ruling in favor of Norton Audubon Hospital, which had been accused of wrongfully terminating a nurse for violating HIPAA by disclosing a patient’s confidential health information. The court rejected the nurse’s argument that her “incidential disclosure” was not actionable under HIPAA. Hereford v. Norton Healthcare Inc.

  • A Tennessee Court of Appeals affirmed a lower court’s dismissal, ruling that medical malpractice defendant Spine Surgery Associates and its counsel did not violate a woman’s privacy by disclosing her name, address and contact information in affidavits filed in court to prove they provided the plaintiff with medical records. The court found the information was already disclosed by the plaintiff herself. Graham v. Archer.

  • The U.S. District Court for the Northern District of California has again been asked to approve a settlement in which Google agreed to pay $2.2 million to a proposed class of non-Gmail users who accused it of unlawfully scanning their emails. The court rejected a previous proposal because it was unclear whether the changes Google proposed would bring it into compliance with the California Invasion of Privacy Act or the ECPA.

  • The U.S. District Court for the Northern District of California also ruled that LinkedIn will have to allow job search tool hiQ Labs to continue scraping information off LinkedIn’s public profiles, finding hiQ had demonstrated substantial issues, including whether LinkedIn’s efforts were aimed at limiting competition and raising doubts that LinkedIn could invoke the Computer Fraud and Abuse Act to punish hiQ for accessing publicly available data. hiQ Labs, Inc. v. LinkedIn Corp.

  • The U.S. District Court for the Northern District of Indiana granted summary judgment to data analytics company Appriss in a proposed class action brought by drivers over the company’s sale of their personal information taken from vehicle crash reports to other businesses, finding the company did not violate the Driver’s Privacy Protection Act because it only applies to information given to the Department of Motor Vehicles, not to personal information given to police. Whitaker v. Appriss Inc.

  • A U.S. Department of Labor administrative law judge narrowed an Office of Federal Contract Compliance request for Google’s records in an audit of anti-discrimination rules for federal contractors. Although finding the request relevant and enforceable, the judge denied the request for salary history and some employee contact data. In the Matter of Office of Federal Contract Compliance Programs v. Google Inc.

  • The U.S. District Court for the Eastern District of Missouri gave preliminary approval to a settlement in which Ruby Life Inc., the parent company of adultery website Ashley Madison, agreed to pay $11.2 million following a data breach of the network that exposed customers’ personal information. In re Ashley Madison Customer Data Security Breach Litigation.

  • The U.S. District Court for the Northern District of California has been asked to approve a settlement in which data storage company Seagate Technology agreed to provide services valued at $5.75 million to resolve proposed class action brought by 12,000 employees and their relatives related to a data phishing incident. Every employee and their relatives whose W-2 forms were stolen by hackers will get two years of identity theft protection and be eligible for up to $3,500 in out of pocket costs. Castillo v. Seagate Technology LLC.

  • A New York Supreme Court enjoined Gary Sinderbrand, a former Wells Fargo financial advisor, from further disseminating any information, which included personal identifying information of thousands of Wells Fargo customers, that Wells Fargo inadvertently turned over in response to a subpoena. Sinderbrand received the information in response to a third party discovery request and purportedly leaked it to the New York Times.

  • A settlement was reached on the second day of trial in a suit over a wife’s alleged use of an auto-forwarding rule to read her husband’s work and personal email. At issue were claims the wife violated the Wiretap Act, the Stored Communications Act and other statutes. Epstein v. Epstein.

  • Theo Feldstein, who was denied a job at Amazon.com because of an allegedly inaccurate background check, and Amazon.com filed a joint stipulation that the suit has been resolved in the U.S. District Court for the District of New Jersey. Feldstein had claimed Amazon.com withdrew its employment offer without warning him in advance, providing him a copy of the background report or allowing him to dispute the information. The stipulation did not disclose the terms of the settlement. Feldstein v. Amazon.com LLC

  • The U.S. District Court for the Northern District of Georgia sentenced Russian hacker Mark Vartanyan, aka Kolypto, to five years in prison for participating in the development and distribution of Citadel, a banking Trojan designed to steal banking credentials, credit cards and personal information. The Citadel malware infected 11 million computers and caused $500 million in losses.

  • Soler Nodarse, a Venezuelan citizen who was extradicted to the U.S., pled guilty to one count of conspiracy to defraud the U.S. for her part in hacking a University of Pittsburgh Medical Center database for employee information and then using the data to file false tax returns. Nodarse entered the plea in exchange for a sentence of time served. U.S. v. Nodarse.

  • Taylor Huddleston pled guilty in the U.S. District Court for the Eastern District of Virginia to aiding and abetting computer intrusions, admitting he developed and sold malware that allowed hackers to take control of a victim’s computer. Huddleston sold a type of malicious software called a remote access Trojan, which he called NanoCore RAT.

  • The U.S. District Court for the Southern District of New York ordered investment fund Royal Park Investments, which is suing HSBC Holdings over failed mortgage-backed securities, to turn over 1,400 emails and other documents without redacting personal information contained therein, despite the find’s concerns over potential privacy violations. Royal Park Investments SA/NA v. HSBC Bank USA NA.

  • The U.S. District Court for the Eastern District of New York sentenced Fabio Gasperini, an Italian, to one year in prison for obtaining unauthorized information. Prosecutors had accused Gasperini of running an auto-click scheme that defrauded online advertisers. Gasparini was also fined $100,000 and will be subject to one year of supervision upon release. U.S. v. Gasperini.

Legislative Update

  • New Jersey enacted S.1913, which restricts retailers’ ability to collect and use personal information from drivers’ licenses and other identification cards. Under the new law, codified as PL 2017, chapter 124, retailers can only scan customers’ identification cards for certain purposes, including to verify the authenticity of the card or a consumer’s identity or age,

Privacy Initiatives in the Attorney General Community

  • Thirty-three Attorneys General reached a $5.5 million settlement with Nationwide Mutual Insurance Co, and its subsidiary, Allied Property & Casualty Insurance Co., resolving issues arising from a 2012 data breach. The settlement requires Nationwide to strengthen its security practices and ensure the timely application of patches and updates.

  • Vermont Attorney General T.J. Donovan determined that the state Department of Motor Vehicles (DMV) should not again use facial recognition technology, after ceasing the practice in late May, because it would violate Section 634(c) of Title 23 of the Vermont Statutes, which requires the DMV to issue photo identification but bars the use of biometric technology.

Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail hlitwin@naag.org.

Faculty Spotlight

NAGTRI's faculty are top-rated experts in their field. Read about them.

Course Schedule

NAGTRI offers high-quality, responsive and innovative trainings.

Research & Newsletters

NAGTRI produces comprehensive research and newsletters on topical legal issues.