Privacy Law Newsletter Jan - Feb 2016
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
Privacy Law News
U.S. to Freeze Assets of Cyberattack Abettors
The federal government adopted the Cyber-Related Sanctions Regulations, which allow government officials to consider “null and void” any money transfers by people suspected of playing a part in significant cyberattacks targeting national security, foreign policy or economic interests. The rules instruct people subject to the sanctions to hold their assets in, or transfer their money into, accounts located in the U.S. The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) is also allowed to deny any type of license to those covered in the order. The OFAC maintains a list on its website of people subject to the sanctions. The rules implement Executive Order 13694, in which President Obama declared cyberterrorism to be a national emergency. The regulations may be accessed at http://www.federalregister.gov/articles/2015/12/31/15-32881/cyber-related-sanctions-regulation.
IRS: No Requirement to Report Value of Pre-Breach ID Protection
The Internal Revenue Service (IRS) issued Announcement 2016-02, stating that companies providing identity protection services at no cost to their employees before a breach occurs will not have to report the value of the services for tax purposes. The announcement was prompted by a previous IRS ruling that the value of such services to data breach victims need not be reported. Neither announcement applies to cash that companies may offer victims in lieu of identity theft services. Announcement 2016-02 may be accessed at https://www.irs.gov/pub/irs-drop/a-16-02.pdf.
IRS Withdraws Proposed Regs on Contribution Reporting
The IRS withdrew proposed regulations which would have expanded the ways in which charitable organizations could acknowledge donations by giving donors the option of reporting charitable contributions directly to the IRS. There was widespread criticism of the proposed regulations, particularly from those expressing cybersecurity concerns and apprehension about the confidentiality of taxpayer identification information. The withdrawal notice in the Federal Register may be accessed at https://www.federalregister.gov/articles/2016-189-substantiation-requirement-for-certain-contributions-withdrawal.
DoD Extends Time for Contractor Cybersecurity Compliance
The U.S. Department of Defense (DoD) extended the time for contractors and subcontractors to comply with new cybersecurity requirements governing sensitive but nonclassified government information stored on their computers, giving them until December 31, 2017 to comply. The extension also included a new obligation for companies to notify the Department’s chief information officer of any security requirements not yet implemented within 30 days of the time a contract is awarded. The Federal Register announcement may be accessed at https://www.gpo.gov/fdsys/pkg/FR-2015-12-30/pdf/2015-32869.pdf.
FOIA Lawsuits Reach All Time High
There were 498 Freedom of Information Act (FOIA) lawsuits filed in fiscal year 2015, 77 more than the previous year, according to Syracuse University’s Transactional Records Access Clearinghouse (TRAC). The study also found the U.S. Justice Department has been the most frequent FOIA defendant for the past 15 years. The study data can be accessed at http://foiaproject.org/lawsuit/.
FTC Reports on Risks of “Big Data”
The Federal Trade Commission (FTC) issued Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues, a report on the risk of discriminatory practices by companies that store and use massive amounts of consumer information, often referred to as “big data.” The FTC noted that although “big data” analytics can let companies more accurately match customers with products and services, it cautioned companies against using “big data” to exclude low-income and other underserved consumers. The report may be accessed at https://www.ftc.gov/system/files/documents/reports/big-data-inclusion-or-exclusion-understanding-issues/160106big-data-rpt.pdf.
And other FTC news…
FTC Revamps Identity Theft Website
The FTC unveiled a revamped IdentityTheft.gov, its website allowing consumers and other victims of identity theft to report an incident. The enhanced site aims to enable consumers to file complaints more quickly and receive a personalized recovery plan. Consumers can download a guide which includes steps on how to gather the information needed to file police reports as well as to notify the IRS and credit bureaus.
FCC Clarifies Standards for Fax and Text Messages Under TCPA
The Federal Communications Commission (FCC) clarified that it will maintain separate standards for fax and text messaging senders in the investigation and enforcement of violations of the Telephone Consumer Protection Act (TCPA). The clarification was made in an order denying a petition from Club Texting, Inc., a company offering bulk marketing texts for businesses, asking the FCC to treat “text broadcasters” the same as fax broadcasters for purposes of TCPA liability. The FCC said in the order that the process to establish the actual sender of an illegal and unwanted text was sufficient. The FCC order may be accessed at http://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db0111/DA-16-25A1.pdf.
And more FCC news…
FCC Warns Carriers to Certify Compliance With Data Privacy Rules
The FCC’s Enforcement Bureau issued Enforcement Advisory No. 2016-01, reminding telecommunications carriers and interconnected VoIP providers of their obligation to file annual reports certifying their compliance with the FCC’s rules protecting customer proprietary network information (CPNI) by March 1, 2016. The Advisory states that failure to do so could result in an enforcement action, including monetary forfeitures of up to $160,000 for each violation or each day of a continuing violation, up to a maximum of $1,575,000. The Advisory may be accessed at http://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db0205/DA-16-127A1.pdf.
SEC Lists Cybersecurity Compliance as Top 2016 Focus
The Securities and Exchange Commission’s (SEC’s) Office of Compliance Inspection and Examinations (OCIE), which conducts examinations of registered investment advisors, released its annual top exam priorities for 2016, listing cybersecurity as a main focus. The OCIE noted that it will focus on the testing and assessment of a firm’s policies and controls as they relate to information security. The priority list can be accessed at https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2016.pdf.
US-China Business Council Lists Cybersecurity as Top 2016 Priority
The U.S.-China Business Council’s (USCBC’s) board of directors issued their list of top economic priorities for 2016, focusing heavily on improving collaboration on cybersecurity and intellectual property protection. The statement supports their respective countries’ commitment to ensure cybersecurity and pledges to prohibit cyber-enabled commercial espionage. The priorities statement can be accessed at https://www.uschina.org/reports/priorities-january-19-2016.
Privacy Groups Urge FCC to Accelerate Broadband Privacy Rules
Several consumer and privacy groups sent a letter to the FCC, calling on it to begin a rulemaking process that would bar broadband providers from sharing data collected from their customers’ online activities with other companies or organizations without the customers’ consent. They also urge the FCC to establish rules to hold providers responsible if customers’ data is compromised due to a preventable data breach. More than 50 organizations signed the letter, including Public Citizen, the Privacy Rights Clearinghouse, the World Privacy Forum and several state consumer organizations. The letter may be accessed at https://www.freepress.net/sites/default/files/resources/broadband_privacy_letter_to_fcc.pdf.
Report: US Privacy Protections Equal to Those in Europe
Privacy protections in the U.S. are equal to or greater than those offered in the European Union, according to Essentially Equivalent, a report from the Sidley Austin LLP law firm. The report was commissioned by several U.S. business groups in response to the European Court of Justice’s decision in Schrems v. Data Protection Commissioner, as reported in this newsletter’s September-October 2015 issue. The report may be accessed at http://datamatters.sidley.com/wp-content/uploads/2016/01/Essentially-Equivalent-Final-01-25-16-9AM3.pdf.
FDA Issues Cybersecurity Guidance for Medical Device Manufacturers
The Food and Drug Administration (FDA) issued draft cybersecurity recommendations for manufacturers of medical devices containing software or programmable logic. The guidance focuses on the cybersecurity risks to patient safety rather than on risks to personal information protection. The draft urges manufacturers to follow the voluntary Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST). The draft may be accessed at http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/NCM482022.pdf.
DOT, Automakers Agree to Share Safety Data
The U.S. Department of Transportation (DOT) entered into an agreement with General Motors Co., Ford Motor Co. and 16 other automakers to share and analyze safety data. The effort is aimed at identifying safety defects in cars before they go into production and at minimizing the risks of cyber attacks on automotive technologies. The agreement preamble may be accessed at https://www.transportation.gov/briefing-room/proactive-safety-principles-2016.
Survey: Privacy Concerns Affect Consumer Buying
Well-educated, high-earning consumers are more likely to stop buying from a business because of a data breach, according to an online survey by law firm Morrison & Foerster’s Privacy & Data Security Group. The survey of more than 300 consumers in the U.S. also revealed that identity theft is the biggest privacy concern among consumers and that privacy concerns have an effect on consumer purchases. The survey report may be accessed at http://www.mofo.com/generalcontent/resources/mofoprivacyinsights. Note that although the report is free, contact information must be entered before access.
OPM Forms New Agency for Background Checks
The Office of Personnel Management (OPM) announced that it will form a new agency, the National Background Investigations Bureau, to handle background checks, and that its information systems will be controlled by DoD, all of which is in response to its massive data breach of last year. OPM conducts more than 600,000 security clearance investigations and 400,000 suitability investigations each year. The head of the new Bureau will be appointed by the President and will receive policy direction and guidance from the Performance Accountability Council, which is chaired by OPM.
GAO Issues Report on DHS Cybersecurity
The Government Accountability Office (GAO) has issued a congressional report on the Department of Homeland Security’s (DHS’s) cybersecurity system. While finding that the National Cybersecurity Protection System is helping to protect federal government information from email-based intrusion and other computer-based threats, the GAO finds that DHS must expand its intrusion detection and prevention efforts to address a wider range of potential threats to information security. The report may be accessed at http://gao.gov/assets/680/674829.pdf.
Recent Court Decisions/Settlements on Privacy Issues
Ninth Circuit Overturns Denial of CA AG’s Request for Tax Forms
The Ninth Circuit vacated an order from the U.S. District Court for the Central District of California which enjoined the California Attorney General from collecting Schedule B forms from the Americans for Prosperity Foundation and the Thomas More Law Center for law enforcement use. The court ruled the organizations had failed to show that the demand for nonpublic disclosure of the forms had actually chilled protected conduct or was likely to do so. Americans for Prosperity is a nonprofit founded by conservative billionaires Charles and David Koch. The case is Americans for Prosperity Foundation v. Harris, 809 F.3d 536 (9th Cir. Dec. 9, 2015). Deputy Attorneys General Alexandra Gordon and Kim Nguyen of the California Department of Justice argued the case before the court.
Veterans’ Settlement for TCPA Violations Approved
The U.S. District Court for the District of Oregon approved a $7.4 million settlement resolving a class action accusing the Mortgage Investors Corporation of placing millions of unsolicited telemarketing calls to veterans, exhorting them to refinance their home loans, in violation of the Telephone Consumer Protection Act (TCPA). The settlement also provides for any unclaimed funds to be distributed to the Veterans Airlift Command and the Consumer Federation of America. The case is Ott v. Mortgage Investors Corp. of Ohio, Inc., 2016 U.S. Dist. LEXIS 892 (D. Ore. Jan. 5, 2016).
Divided Court Upholds Privacy Settlement Against Facebook
A divided Ninth Circuit Court of Appeals ruled that the U.S. District Court for the Northern District of California did not abuse its discretion in approving a controversial $20 million consumer settlement against Facebook, which involved Facebook’s use of young children’s names and images for advertising without consent. Consumers had claimed that Facebook’s use of the names and images in its now-discontinued “Sponsored Stories,” which was based on the premise that consumers are more likely to purchase a product or service their friends recommend, violated their privacy. Under the settlement, Facebook agreed to pay $15 to each class member, notwithstanding payment to pertinent consumer protection groups, and to make changes to its terms and policies. The case is Fraley v. Facebook, Inc., 2016 U.S. App. LEXIS 518 (9th Cir. Jan. 6, 2016).
Supermarket Data Breach Suit Dismissed
The U.S. District Court for the District of Minnesota granted supermarket chain SuperValu’s motion to dismiss, without prejudice, a multidistrict suit brought by a proposed class of shoppers who alleged harm arising from the hacking of the chain’s payment systems. The court found that although the breach affected more than 1,000 of SuperValu’s markets, the shoppers’ claims of potential future injuries were too speculative to confer standing. The case is In re: SuperValu, Inc., 2016 U.S. Dist. LEXIS 2592 (D. Minn. Jan. 7, 2016).
Louisiana High Court: Public Official’s Private Emails Subject to Disclosure
The Louisiana Supreme Court unanimously reversed the state Court of Appeals, holding that the private emails of the executive director of JEDCO, a Jefferson Parish government agency, which were sent on JEDCO’s computer, are subject to disclosure under the Louisiana Public Records Act when those emails have been used in audits of JEDCO. The court concluded that those emails fell within the broad definition of “public records” because they were used in JEDCO’s work or functions in that they were used to perform the audit of JEDCO’s operations. The case is Shane v. Jefferson Parish, 2015 La. LEXIS 2549 (Dec. 8, 2015).
NY Court Denies Access to Plaintiff’s Facebook Postings
A New York appellate court modified a lower court order in a personal injury suit, holding that Kelly Forman, who was injured riding one of Mark Henkin’s horses, was not required to produce private photographs taken after the accident from her Facebook account, nor was she required to provide an authorization for records of her private messages posted after the accident. The court stated that the mere fact that Forman used her Facebook account was an insufficient basis to provide Henkin with access to the account. The case is Forman v. Henkin, 22 N.Y.S.3d 178 (Dec. 17, 2015).
6th Circuit: Providing Cell Phone No. Expressly Consented to Calls
The Sixth Circuit Court of Appeals affirmed the judgment of the U.S. District Court for the Southern District of Ohio, finding that providing a cell phone number to a hospital, which then gave the number to an affiliated physicians’ group that provided medical services to patients arising out of the same occurrence, could constitute prior express consent to receipt of calls under the TCPA. In the instant case, Zachary Baisden and Brenda Sissoko sought medical treatment from the hospital, gave the hospital their cell phone numbers and authorized the hospital to disclose their cell phone numbers to others. The court found they gave prior express consent to calls made to their cell phones by a debt collector seeking to collect amounts they owed to the physicians’ group. The case is Baisden v. Credit Adjustments, Inc., 2016 U.S. App. LEXIS 2465 (6th Cir. Feb. 12, 2016).
State Legislative News
A bill banning the online posting of pictures of injury-causing events was introduced in Kentucky. HR 170 would prohibit such posting for at least one hour if the posting would enable identifying the victims. Violators would face fines of $20 to $100 per incident. The news media, victims of the event and emergency responders would be exempted. The bill was referred to the Judiciary Committee.
A new Oregon data breach notification law became effective on January 1, 2016, requiring businesses and government agencies to notify the state attorney general of a data breach that affects more than 250 residents. The new Oregon Consumer Identity Theft Protection Act is only applicable to unencrypted information, and the compromised information must “be sufficient to permit a person to commit identity theft against the consumer whose information was compromised.”
Federal Legislative News
U.S. House Passes Bill to Make Asbestos Claimants’ Details Public
H.R. 1927, which passed 211-188, would amend the federal judicial code to prohibit federal courts from certifying any proposed class seeking monetary relief for personal injury or economic loss unless each proposed class member suffered an injury of the same type and scope as that of the proposed class representatives. The bill further would require asbestos bankruptcy trusts to make claimants’ details public, including their names, exposure histories and basis for payment from the trust. The bill has been forwarded to the Senate Judiciary Committee.
U.S. Senate, House Pass Bill Allowing Privacy Suits by European Union Citizens
The Senate and House each passed H.R. 1428, legislation that would allow citizens of European Union countries that allow the flow of commercial data with the U.S. to file a civil action against a U.S. government agency for intentional or willful violation of conditions for disclosing records without consent.
New Resources on Privacy Issues
Data Privacy and Your Wearable Fitness Device. Sarah Kellogg. 30 Wash. Law 22 (No. 4, Dec. 2015). This article can be accessed at https://www.dcbar.org/bar-resources/publications/washington-lawyer/articles/december-2015-data-privacy.cfm.
Privacy Initiatives in the Attorney General Community
Idaho Attorney General Lawrence Wasden reached a settlement with Vurv, LLC and its fulfillment partner, Drug Testing Group, LLC, resolving allegations the two companies, operating as the DTC Group, made unsolicited calls selling drug testing and other compliance services to newly registered commercial drivers. Attorney General Wasden received complaints from consumers who had been told they had to buy the services or face federal penalties. When some consumers tried to cancel their purchases within three business days, as allowed by law, DTC Group refused full reimbursement. The settlement requires DTC Group to provide refunds to eligible consumers, as well as $1,500 to Attorney General Wasden’s Office for the costs of the investigation.
Missouri Attorney General Chris Koster’s Office filed suit against Delaware-based TRG Holdings, LLC, d/b/a TRG Philippines, Inc., and its COO Mohammed Khaisghi, as well as its subsidiary IBEX Global Solutions, d/b/a E-Telequote of Missouri Inc., and its president and director Anthony Solazzo, alleging the companies made unwanted solicitation calls to sell health insurance to consumers on the Missouri No-Call List. The suit also alleges the companies continued to call consumers after they requested not to be contacted and called them at all hours of the day, including after 9 p.m. Attorney General Koster is asking the court to prohibit the companies from making further solicitations, as well as for penalties of up to $5,000 per violation of the No-Call law, penalties of up to $1,000 per violation of the Telemarketing law and recovery of the costs of the investigation and prosecution of the case.
Acting New Jersey Attorney General John Hoffman announced that Christopher McKenna, a suspended sheriff’s officer, was indicted by a state grand jury on charges of second-degree official misconduct and second-degree wrongful access and disclosure of information for unlawfully providing a newspaper with three arrest photos of a juvenile. McKenna allegedly accessed a restricted law enforcement database to obtain the photos, which were published along with the juvenile’s name and details about the case. New Jersey law prohibits public disclosure of juvenile court records. Second-degree crimes carry a sentence of five to 10 years in prison and a fine of up to $150,000; the official misconduct charge carries a mandatory five-year period of parole ineligibility; and the wrongful access and disclosure of information charge carries a mandatory period of parole ineligibility equal to one-third to one-half of the sentence imposed. Deputy Attorneys General Mallory Shanahan of the Corruption Bureau and Veronica Allende, Deputy Chief of the Financial & Computer Crimes Bureau, presented the indictment to the grand jury and will prosecute the case.
Rhode Island Attorney General Peter Kilmartin proposed two bills addressing privacy concerns. The “Revenge Porn” legislation would prohibit the posting of “revenge porn” without the consent of the individual depicted in the images. The “Unauthorized Access” bill would prohibit individuals, without authorization or in excess of one’s authorization, from intentionally accessing another’s computer with the intent to view confidential information.
Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail firstname.lastname@example.org.