Privacy Law Newsletter December 2016
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
Developments in Privacy Law
F.R.Crim.Pro. Rule Change Allowing Broader Warrants Takes Effect
The highly contested Rule 41(b) of the Federal Rules of Criminal Procedure became effective on December 1, 2016, allowing courts to issue warrants for remote access to electronic data outside their jurisdiction if the location of the information has been “concealed through technological means” or when the data is in five or more districts. Under the new rule, prosecutors will be able to obtain a warrant from a court in a district with a nexus to the investigation to remotely search, copy and seize information from a device involved in the investigation, but whose location is unknown and may not be in the issuing jurisdiction.
FCC: Robotexts Subject to TCPA
The Federal Communications Commission (FCC) issued an enforcement advisory warning that autodialed text messages, known as robotexts, are subject to the Telephone Consumer Protection Act (TCPA), which bars autodialed calls or texts, as well as calls using prerecorded messages, to mobile devices without prior express consent. Violators will face penalties of up to $18,936 per violation. The advisory may be accessed at http://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db1118/DA-16-1299A1.pdf.
Federal Government Debt Collection Robocalls Not Subject to TCPA
The FCC also issued a final rule exempting autodialed, prerecorded debt collection calls made to collect a debt owed to the federal government from the TCPA’s prior express consent requirement. However, making more than three such calls to the same wireless number within 30 days is prohibited, and call recipients have the right to request a stop.
IG Report Finds IRS Forwarded Unencrypted Tax Returns
Internal Revenue Service (IRS) employees occasionally sent tax returns in unencrypted emails to accounts both within and outside the agency, according to a report issued by the Treasury Inspector General for Tax Administration. The report found the IRS has not been enforcing penalties on those who violate its security rules, and millions of taxpayers’ sensitive information could have been compromised.
NIST Issues Guidance for Safe IoT Devices
The National Institute of Standards and Technology (NIST) finalized Special Publication 800-160, providing guidance to manufacturers of Internet of Things (IoT) devices and cautioning them to incorporate strong security protections. The guidance includes 30 technical standards and other security principles for IoT engineers to consider implementing during a product’s life cycle.
Lincoln Financial Fined Again for Lax Security Leading to Hack
Lincoln Financial Securities Corp., with more than 500 branches nationwide, agreed to accept a $650,000 fine levied by the Financial Industry Regulatory Authority (FINRA) and implement tighter security controls after hackers accessed its cloud server and obtained the confidential records of 5,400 customers. The company had paid a $450,000 FINRA fine for lax security measures after the hacking incident, but since that time had failed to establish sound security procedures.
US Navy Reveals Breach of Sailors’ Personal Data
The U.S. Navy announced that more than 130,000 current and former sailors’ names and Social Security numbers were breached after a Hewlett Packard Enterprise Services employee’s computer was compromised. The Navy is in the process of notifying affected individuals, although no misuse of the data has been reported to date.
Wisconsin U. Law School Applicants’ Data Breached
The University of Wisconsin Law School notified applicants from the 2005-2006 time period that their names and Social Security numbers were breached as a result of a hack originating inside the U.S. but outside of the State. Applicants will receive free credit monitoring for one year.
Mobile Health App Hack Exposes 34,000 Patients’ Data
Quest Diagnostics notified 34,000 patients that an unauthorized third party had accessed the MyQuest app containing their names, birthdays, lab results and telephone numbers. Quest announced it is working with a cybersecurity firm on investigating the intrusion and evaluating its systems.
San Francisco’s Transit System Hit by Ransomware Attack
The internal email system of San Francisco’s Municipal Transportation Agency, which operates the Muni public transit system and oversees streets and taxis, was crippled by a ransomware attack over the Thanksgiving weekend. Ransomware is malicious software designed to block a company’s access to its computer systems and data until a ransom is paid. The agency later reported that the attack was contained by the following Monday and an investigation is pending.
Auditor Tells Commodity Traders Group to Review Dealers’ Cybersecurity
The auditors of the U.S. Commodity Futures Trading Commission (CFTC) advised the agency to begin independently verifying whether its futures and swaps dealers are prepared for cyberattacks. Brown & Company CPA and Management Consultants PLLC, the auditors, found the agency had not tested whether its members’ security policies were effective.
Recent Privacy Law Court Decisions/Settlements
7th Circuit: Police Justified in Using Cell-Site Simulators
A divided Seventh Circuit Court of Appeals affirmed, 2-1, Damian Patrick’s 57-month sentence handed down by the U.S. District Court for the Eastern District of Wisconsin, finding that Milwaukee police officers were justified in using cell-site simulators to pinpoint his location as a suspected parole violator. The case is U.S. v. Patrick, no. 15-2443 (7th Cir. Nov. 23, 2016).
Salons Illegally Obtaining Fingerprints Under Illinois Law Pay Up
An Illinois circuit court granted final approval to a class action settlement in which tanning salon chain L.A. Tan will pay $1.5 million to resolve claims that it obtained customer fingerprints without consent and without revealing how the data would be stored, in violation of the Illinois Biometric Privacy Act. The Act requires that individuals give written permission before biometric identifiers, such as fingerprints or DNA, are collected by a private party. It also requires that they receive information about how the data will be stored, used and destroyed, and it prohibits the collecting party from selling the information. The case is Sekura v. L.A. Tan Enterprises, no. 2015-CH-16694 (Ill. Cir. Ct. Dec. 1, 2016).
Junk Fax Class Action Settled for $9.25 Million
The U.S. District Court for the Eastern District of Louisiana gave final approval to a class action settlement in which medical group Advanced Care Scripts Inc. agreed to pay $9.25 million to resolve claims it engaged in a huge junk fax campaign in violation of the TCPA. The certified class includes anyone who received a fax between 2011 and 2016 from the company or its vendors promoting its medical services without the inclusion of an opt-out notice. The case is Jefferson Radiation Oncology LLC v. Advanced Care Scripts Inc., no. 2:15-cv-01399 (E.D. La. Dec. 6, 2016).
American Express Settles Debt Collection Call Claims
The U.S. District Court for the Northern District of Illinois gave final approval to a class action settlement in which American Express agreed to pay $9.25 million to resolve accusations it made numerous debt collection and telemarketing calls using automated dialing machines in violation of the TCPA. The class includes those who received calls from third party vendors West Asset Management Inc. and Alorica Inc. The case is Ossola v. American Express Co., no. 1:13-cv-04836 (N.D. Ill. Nov. 30, 2016).
Privacy Law Initiatives in the Attorney General Community
Arizona Attorney General Mark Brnovich announced a settlement with Lamore Auto Glass, LLC under which the company agreed to a six-year ban on telemarketing calls to consumers. The company will also pay $50,000 in penalties to the State.
South Dakota Attorney General Marty Jackley issued an Official Opinion on the implementation of Marsy’s Law as it relates to release of accident reports, street addresses where crimes occur and the names of victims in crime report logs.
Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail firstname.lastname@example.org.