The National Attorneys General Training & Research Institute
Privacy Law Newsletter August 2018
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
Recent Developments to Note
DOJ released a report of its Cyber Digital Task Force and announced that it will start notifying the public and businesses when it finds foreign influence operations in the U.S., such as the Russian involvement in U.S. elections. The report outlines how DOJ will work to expose the foreign efforts without damaging counter-intelligence efforts or wading into U.S. politics.
The U.S. Treasury Department and the IRS announced that the IRS will no longer require certain tax-exempt organizations to file personally identifiable information about their donors as part of their annual return. The decision affects tax-exempt organizations described in section 501(c) other than section 501(c)(3) organizations.
U.K.-based phone and electronics retail chain Dixons Carphone admitted that the data breach it announced in June exposed 10 million records containing personal data, 10 times more than originally reported. The breach is currently under investigation by U.K. watchdog agencies.
The U.K. Information Commissioner’s Office issued a Notice of Intent to fine Facebook 500,000 pounds ($660,000) for two breaches of the U.K. Data Protection Act by allowing political consulting firm Cambridge Analytica to access citizens’ personal data. The Office noted that Facebook has an opportunity to respond to the Notice of Intent, after which a final decision will be made.
In other Facebook news, the company announced it had suspended analytics firm Crimson Hexagon from accessing user data while it investigates the firm’s potential violations of Facebook policy against surveillance. The concerns centered around Crimson Hexagon’s contracts with a Russian not-for-profit company and with the Turkish government.
The Singapore government revealed it had suffered a massive cyberattack on its health database which affected the personal information of 1.5 million people who visited outpatient clinics, including top government officials. Officials said that the patient information was not amended or deleted, and the hackers did not have access to other records, such as diagnosis documents and test results.
The Government Accountability Office (GAO) issued a report warning that government agencies and providers of critical infrastructure services need to take immediate action to address cybersecurity threats. The GAO reported that federal agencies have failed to implement one-third of the 3,000 recommendations made by the GAO.
The SEC issued an administrative order under which investment bank Mizuho Securities USA will pay $1.25 million to resolve allegations that it failed to maintain and enforce policies to prevent the misuse of customer information related to stock repurchases. The order stated that as a result, Mizuho’s traders received confidential customer trade information.
The National Institute of Standards and Technology (NIST) released a draft guidebook, Cybersecurity is Everyone's Job, as part of a broad security awareness campaign. Among its recommendations are: 1) understanding cybersecurity enough to make sound decisions; 2) including cyber risks in the risk management process; 3) developing security policies and standards; 4) using cross-functional teams to address cybersecurity; and 5) protecting strategic financial and legal information.
The European Data Protection Board sent a letter to the U.S.-based Internet Corporation for Assigned Names and Numbers (ICANN) to provide guidance on developing a GDPR-compliant model for access to personal data. The Board expects ICANN to develop and implement a WHOIS model that will enable legitimate uses, such as by law enforcement, of personal data without leading to an unlimited publication of the data.
The European Commission and Japan entered into a Strategic Partnership Agreement to ensure that European citizens will have European Union-level protection of their personal data when it is transferred to Japan, and vice versa. Under the agreement, Japan committed to data protection rules as well as a complaint-handling mechanism to address complaints from Europeans regarding access to their data.
The European Insurance and Occupational Pensions Authority issued a report, "Understanding Cyber Insurance," finding that insurance firms need to have a deeper understanding of cyber risk. It noted that the EU accounts for as much as nine percent of the global market for cyber insurance, while the U.S. accounts for 90 percent.
Recent Court Decisions/Settlements
Hearst Communications agreed to pay $50 million to resolve a class action filed in the U.S. District Court for the Southern District of New York alleging the media conglomerate violated the Michigan Video Privacy Act by selling subscriber information. If approved, the settlement would be three times more than the largest previous settlement amount under the Act. Boelter v. Hearst Communications, Inc.
The U.S. District Court for the Northern District of California has been asked to approve a class action settlement in which computer manufacturer Lenovo agreed to pay $7.3 million to resolve allegations it pre-installed a computer program called VisualDiscovery on laptops that caused privacy, security and performance issues. If approved, the 500,000 class members would receive $40 or recover up to $750 in costs associated with the software. In re: Lenovo Adware Litigation.
In other court rulings, the U.S. District Court for the Northern District of California declined to grant preliminary approval to a proposed settlement of claims arising from a data breach at Kimpton Hotels. The court found the settlement was “seriously deficient” in determining the maximum size of the class and the potential exposure of Kimpton Hotels.
The U.S. District Court for the District of Delaware has been asked to approve a settlement in which video game retailer GameStop has agreed to pay up to $235 to each plaintiff as a result of a data breach which exposed customers’ credit and debit card numbers. In exchange, GameStop would be released from all claims relating to the breach. Bray v. GameStop Corp.
The New Jersey appeals court ruled that safety concerns justified the Belleville Board of Education’s implementation of an audio-video surveillance system, although the court cautioned that the Board had a duty to address a teachers’ union’s privacy concerns. In the Matter of Belleville Education Assn. and Belleville Board of Education.
A Pennsylvania appeals court affirmed a lower court ruling that a school bus surveillance video of a teacher roughly disciplining a student on a school bus is a public record. The school had argued the video was exempt under the state Privacy Act because its disclosure could lead to a loss of federal funding and provide information on discipline of an agency employee. Easton Area School District v. Miller.
Vitaly Korchevsky, a former hedge fund manager, and Vladislav Khalupsky, a securities trader, were convicted on all counts of wire fraud, computer intrusion and securities fraud in the U.S. District Court for the Eastern District of New York. The defendants had participated in a scheme to hack into businesses and steal non-public financial information, then used that information to make trades generating $30 million in illegal profits.
Martin Gottesfeld, who hacked into Boston Children's Hospital and the Wayside Youth & Family Support Network, was convicted by a jury in the U.S. District Court for the District of Massachusetts of damaging protected computers. The attack had flooded 65,000 IP addresses used by the hospitals with junk data intended to make those computers unavailable for legitimate communications.
The European Court of Justice, Europe’s highest court, ruled that religious communities must adhere to data protection rules when collecting personal information as part of their door-to-door solicitations. The case was brought by Finland’s privacy regulator to force Jehovah’s Witnesses to comply with Finland’s data protection rules.
The Ohio Legislature passed SB 220, which would provide a legal safe harbor for entities that implement a cybersecurity program.
Privacy Initiatives in the Attorney General Community
Twenty-two Attorneys General sent a letter to Congressional leaders urging them to improve cybersecurity and protect the integrity of the 2018 midterm elections as well as future elections. They urged three steps: 1) acting on election security; 2) increasing funding for election security improvements; and 3) supporting development of cybersecurity standards for voting systems.
Nineteen Attorneys General filed an amicus brief in the U.S. Supreme Court over the fairness of an $8.5 million privacy settlement in Frank v. Gaos that requires Google to pay millions to third parties but nothing to class members.
Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail firstname.lastname@example.org.