Privacy Law Newsletter January 2017
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
Recent Developments in Privacy Law
OMB Updates Federal Data Breach Response Policies
The Office of Management and Budget (OMB) issued revised parameters for federal agencies’ response to data breaches and for the disclosure of personal information. The revisions require federal agencies to develop training for all personnel with access to their information systems on identifying and responding to a breach. The guidance also mandates that breaches should be reported to the agency “without reasonable delay” and without waiting for confirmation. The memo on the new parameters may be accessed at https://www.whitehouse.gov/sites/default/files/omb/memoranda/2017/m-17-12.pdf.
Report Warns of Privacy Risks of Consumer Wearables
Wearable consumer devices, such as smart watches and fitness bands that collect health data, are exposing consumers to huge privacy and security risks and need stronger safeguards, according to a report issued by researchers at American University and the Center for Digital Democracy. The report, Health Wearable Devices in the Big Data Era: Ensuring Privacy, Security and Consumer Protection, calls for the creation of enforceable standards for the collection and use of such data. The report may be accessed at https://www.democraticmedia.org/CDD-Wearable-Devices-Big-Data-Report.
NY Grants Extra Time for Cybersecurity Compliance
The New York State Department of Financial Services announced it will give banks and insurance companies an additional two months to comply with its new cybersecurity regulations. Those regulations, which mandate detailed cybersecurity requirements and also apply to money services businesses and registered virtual currency firms, must now be implemented by March 1, 2017. New York is the first state to promulgate cybersecurity regulations, which can be accessed at http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf.
FTC to Award $$ for Best IoT Security Tool
The Federal Trade Commission (FTC) launched its Internet of Things (IoT) Home Inspector Challenge in which it will award as much as $25,000 to the person who develops the best tool for consumers to minimize security risks associated with out-of-date connected devices for the home. Contest applicants should submit a written explanation of their tool as well as a video demonstrating its efficacy by May 22, 2017. Additional information may be accessed at https://www.ftc.gov/iot-home-inspector-challenge.
EU Clarifies Provisions of Data Protection Regs
The European Union (EU) released a series of documents aimed at providing insight into how it intends to enforce its upcoming data protection regulations. Its collective of national data protection authorities, known as the Article 29 Working Party, plans to urge companies to appoint data collection officers; develop tools that will allow consumers to easily transfer their data to another service provider under the “right to data portability;” and implement a “one-stop shop” enforcement mechanism that will allow one regulator to take the lead in supervising cross-border data processing activities.
EU Privacy Regs to Include WhatsApp, Gmail, Others
In addition to the above, the EU is expanding its privacy rules for electronic communications, which currently apply only to traditional telecoms, to include companies that provide electronic communication services, such as Facebook Messenger, WhatsApp, Gmail and Skype. The new proposed rules would also allow users to have better control of their settings and make it easier to refuse tracking cookies and other identifiers.
Marketer Settles with FTC Over Claims of Tracking Wireless Users
Digital marketing company Turn Inc. agreed to a settlement with the FTC under which it will revise its privacy practices to resolve claims it continued to track Verizon Wireless customers after falsely promising them they could block targeted ads through their browser’s settings. The company agreed to stop misrepresenting its tracking of data usage, to provide an opt-out and to place a prominent hyperlink on its site explaining what it tracks. The agreement is subject to a 30-day public comment period. The case is In the Matter of Turn Inc., no. 152 3099, before the FTC.
Court Decisions/Settlements on Privacy Issues
7th Circuit: Secretly Forwarding Email Could be Wiretap Act Violation
The Seventh Circuit Court of Appeals affirmed in part, but reversed and remanded in part a husband’s amended complaint, saying that a wife’s secret setting of her husband’s email account to forward messages it receives and sends could be the basis of a violation of the federal Wiretap Act. Although acknowledging their decision could expand the use of the Act beyond Congress’ original intent, the court said its current understanding of the Act would cover the wife’s efforts to uncover evidence of adultery in her husband’s email. The case is Epstein v. Epstein, no. 15-2076 (7th Cir. Dec. 14, 2016).
Indiana Robocall Statute Found to Be Constitutional
The Seventh Circuit Court of Appeals affirmed the judgment of the U.S. District Court for the Southern District of Indiana, rejecting nonprofit Patriotic Veterans’ challenge to Indiana’s statute banning robocalls. The court found the statute does not explicitly target political speech to entail content discrimination, but merely prohibits cold calls without the recipient’s consent, regardless of the message. The State was represented by Solicitor General Thomas Fisher of the Indiana Attorney General’s Office. The case is Patriotic Veterans Inc. v. State of Indiana, no. 16-2059 (7th Cir. Jan. 3, 2017).
Federal Court Finds Use of IP Address in Search Justified
The U.S. District Court for the District of Minnesota adopted a magistrate’s recommendation denying a motion to suppress, ruling that local law enforcement agents were justified in using an Internet protocol (IP) address to track down Michael Granley, who was suspected of having sexually explicit conversations with minors. The court found that the lack of precise detail about how the IP address was acquired did not undermine the officers’ warrant application because they had adequately described learning of the IP address through a detective’s investigation. The case is U.S. v. Granley, no. 0:16-cr-00196 (D. Minn. Jan. 5, 2017).
Europe High Ct Says Government Can’t Require ISPs to Keep Electronic Records
The European Court of Justice, Europe’s highest court, ruled that national governments cannot require service providers to keep users’ electronic communications records en masse. The court found that indiscriminate mass collection and retention of Internet traffic and location data is unlawful, and national law enforcement entities can only obtain such access without judicial review when it is part of a targeted retention effort aimed at fighting serious crime. The consolidated cases are Tele2 Sverige AB v. Post-Och Telestyrelsen and Secretary of State for the Home Department v. Watson, nos. C-203/15 and C-698/15 (Dec. 21, 2016).
American Eagle Agrees to Settle TCPA Claims
The U.S. District Court for the Southern District of New York was asked for preliminary approval of a settlement in which American Eagle Outfitters, a clothing retailer, agreed to pay $14.5 million to resolve claims it violated the Telephone Consumer Protection Act (TCPA) by sending unsolicited text ads to more than 600,000 proposed class members. The case is Melito v. American Eagle Outfitters, no. 1:14-cv-02440 (S.D.N.Y. Dec. 21, 2016).
Ninth Circuit Reverses FOIA Order for Defense Contractor’s Docs
A three-judge panel of the Ninth Circuit Court of Appeals reversed a Freedom of Information Act (FOIA) order issued by U.S. District Court for the Northern District of California that required aircraft manufacturer Sikorsky to give defense contracting documents to the American Small Business League. The court ruled that some of the requested information was privileged information shielded from disclosure under FOIA exemptions. The case is American Small Business League v. Department of Defense, no. 15-15120 (9th Cir. Jan. 6, 2017).
Illinois Hospital Chain Settles Data Breach Enforcement Action
Presence Health, an Illinois-based hospital chain, entered into a settlement with the U.S. Department of Health and Human Services Office of Civil Rights, resolving claims it failed to properly notify more than 800 patients about the theft of their personal information. Under the settlement, Presence Health agreed to pay $475,000 and revise its policies on the privacy of patient information.
State Legislative Action on Privacy Issues
The New Jersey Legislature passed A-756, a bill that would require automobile lenders to notify borrowers before activating any type of payment assurance device that could remotely disable their vehicles when they do not make a loan payment, and would also prevent the companies from charging for installing the device. Borrowers would have to be notified in writing of the device; would have to be at least seven days in default on their loan before their car is disabled; and the lender could not disable the vehicle while it was in operation.
Federal Legislative Action on Privacy Issues
The Email Privacy Act, H.R. 699, which would amend the Electronic Communications Privacy Act and bar the government from accessing stored electronic communications held by service providers without a warrant, was reintroduced in the House by Representatives Kevin Yoder (R-Kan) and Jared Polis (D-CO). The bill stalled in the Senate last year.
Recent Privacy Law Initiatives in the Attorney General Community
New Jersey Attorney General Christopher Porrino entered into a settlement with Fertility Bridges Inc., a California fertility clinic, in which the clinic has agreed to remove a clause from its contracts that barred its customers from posting negative commentary about the facility and its personnel on crowd-sourced websites, with threats of libel fines of up to $10,000 for each day the content remained online. Deputy Attorney General David Reap of the New Jersey Attorney General’s Office represented the State. The case is In the Matter of Fertility Bridges Inc., before the New Jersey Division of Consumer Affairs on Jan. 4, 2017.
Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail firstname.lastname@example.org.