The National Attorneys General Training & Research Institute
Privacy Law Newsletter February 2018
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
New Developments of Note
The New York Department of Financial Services issued guidance reminding all virtual currency entities licensed by New York State that they are required to implement measures to detect, prevent and respond to fraud. The guidance also reminded those companies they must be equally vigilant against efforts at market manipulation.
Facebook published online a set of privacy principles widely seen as preparation for the European Union’s stringent data protection law in May. The principles advise users on a range of issues, including how to manage the data the site uses to show them adverts, how to delete old posts and what happens when they delete an account.
The Government Accountability Office (GAO) put the federal personnel security clearance process on its High Risk List of federal areas needing specific reforms. The GAO identified: 1) a significant backlog; 2) a lack of plans to address the backlog; 3) delays in timely processing of security clearances; 4) a need to establish measures for the quality of background investigations; 5) delays in completing the security clearance reform effort; and 6) DOD concerns about using new technology with the OPM legacy systems.
DHS awarded Booz Allen Hamilton a $621 million contract to assist efforts to secure federal government networks from cyberattacks. The work builds on the Continuous Diagnostics and Mitigation program, which was launched in 2012 to better protect government agencies from cyber threats.
Insurance company Lloyd's of London issued a report, Cloud Down, which found that a major cyberattack on a U.S. cloud provider could result in $15 billion worth of economic losses, the majority of which would be uninsured. The report analyzed losses for 12.4 million U.S. organizations, finding that companies outside the Fortune 1000 were more likely to use cloud services and would carry a larger share of the losses.
The Second Circuit vacated the U.S. District Court for the Northern District of New York’s dismissal of privacy claims brought by corrections officers who alleged their supervisor pried into their medical records, ruling that people have a right to keep their health data confidential, even if their files contained no information that could be used against them. Hancock v. County of Rensselaer.
Health care insurer Aetna has agreed to pay $17 million to resolve a class action lawsuit accusing the company of negligently revealing the HIV status of 12,000 customers through window envelopes in a mailing. Settlement of the suit, Beckett v. Aetna, Inc., is subject to approval by the U.S. District Court for the Eastern District of Pennsylvania.
The U.S. District Court for the Middle District of North Carolina granted preliminary approval to a settlement between aircraft maintenance firm Haeco Americas and its employees who alleged the company fell victim to a phishing scheme and emailed sensitive tax information for 3,000 employees to cybercriminals. Linnins v. Haeco Americas, LLC.
The HHS Office of Civil Rights announced that Fresenius Medical Care will pay $3.5 million to settle alleged HIPAA privacy rules violations stemming from five separate incidents where sensitive health information was either stolen or disappeared. The company has also agreed to adopt a corrective action plan that includes completion of a risk analysis.
The court-appointed receiver for insolvent Illinois-based firm Filefax, which left sensitive medical data in an unsecured dumpster, agreed to pay a fine of $100,000 to HHS for breaching medical privacy laws. The Resolution Agreement also includes a corrective action plan.
The Virginia Senate passed SB 271, which would require income tax return preparers to notify the Department of Taxation if they discover that an unauthorized person accessed a person’s tax return information.
The U.S. House passed HR 3776, which would create an Office of Cyber Issues within the State Department, with the head of that office having the rank and status of an ambassador responsible for leading the department’s diplomatic cyberspace efforts. The bill also requires the president to work with technology companies, security researchers and other stakeholders to clarify the steps countries can take in retaliation for cyberattacks.
Privacy Initiatives in the Attorney General Community
Sixteen Attorneys General filed a brief urging the U.S. Supreme Court to review the Google Referrer Header Privacy class action settlement in which Google settled for $8.5 million, but class members will receive none of the money.
Arizona Attorney General Mark Brnovich partnered with State Representative T.J. Shope to introduce HB 2154, legislation that would amend the State’s data breach notification law by strengthening notification requirements and increasing consumer protection after a breach.
Massachusetts Attorney General Maura Healey launched a Data Breach Reporting Online Portal, available through her website, which businesses and organizations can use to provide notice as required by State law.
Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail email@example.com.