Privacy Law Newsletter July 2017
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
Recent Developments in Privacy/Cybersecurity
· The number of federal wiretaps issued rose by 11 percent in 2016, while state courts received 41 percent fewer wiretap requests, according to the 2016 Wiretap Report issued by the Administrative Office of the U.S. Courts. The report also noted that although the number of wiretap requests declined, the number of people arrested in cases involving wiretaps more than doubled.
· The U.S. Customs and Border Protection announced it will be working with airlines to photograph travelers flying internationally and store the photos in the cloud in order to verify travelers’ identities and immigration status. The agency published a privacy impact assessment to support its claim that the program will provide safer travel.
· Hard Rock Hotels sent a security notice to affected hotel guests about a data hack at Sabre Hospitality Solutions SynXis Central Reservations System, the third party booking service Hard Rock uses to register some of its guests. The breach affected a subset of guests at 11 of its hotels.
· The Department of Defense Office of Inspector General released a report finding that Defense Health Agency and Army officials are not adequately protecting patient health records at Army military facilities. The audit found basic procedures, such as requirements for microchipped identification cards and password complexity standards, were not being followed.
· Verizon confirmed that the personal data of six million customers was exposed when an employee of third party vendor Nice Systems mistakenly configured a cloud storage setting to allow external access. However, Verizon insisted that the vendor and the security researcher who notified them of the problem were the only outsiders to access the data.
· Senator Claire McCaskill (D-MO), a ranking member on the Senate Homeland Security and Government Affairs Committee, sent a letter to intelligence and defense contractor Booz Allen Hamilton seeking answers about a report that it left a cache of 60,000 files, including engineers’ passwords and security credentials, on a public unsecured server. The letter asks what the contractor has done to investigate the incident and what preventive measures it has taken.
· The Electronic Frontier Foundation released a report, "Who Has Your Back," analyzing how well companies protect user privacy. Nine technology companies, including Dropbox, Lyft, Adobe and Uber, earned a “star” in all categories in the analysis, but the report found many major telecommunications companies failed to adhere to standard industry practices.
· The Financial Industry Regulatory Authority (FINRA) fined securities investment firm State Street Global Markets and mobile trader Acorns Securities $2 million in total for allegedly failing to maintain their electronic customer records in WORM format that would prevent them from being erased or overwritten. WORM, or “write once, read many” format, is considered by FINRA an essential protocol for protecting financial data from hackers, as stated in FINRA’s 2017 Regulatory and Examination Priorities Letter.
· Germany became the first European Union member to update its national privacy law by enacting the Federal Data Protection Act, which establishes conditions for collection and use of employee, health and biometric data. Although the law does not become effective until May 2018, the provision allowing data protection authorities to challenge decisions of the European Commission takes effect immediately.
Court Decisions/Settlements on Privacy Law Issues
· The U.S. Supreme Court denied a petition for certiorari by six commercial drivers who sued the U.S. Department of Transportation alleging their privacy was violated by the agency’s practice of providing information on minor driving infractions to prospective employers. The First Circuit Court of Appeals had found no violations of the Privacy Act since the drivers had given prior consent, and disclosing the infraction information ensured the Department was promoting highway safety. Flock v. U.S. Department of Transportation
· The U.S. Supreme Court declined to review Jeremy Meyers’ suit against Native-American tribe-owned Nicolet Restaurant of De Pere for allegedly failing to properly truncate credit card expiration dates on customer receipts. The Seventh Circuit Court of Appeals had dismissed the suit, unanimously finding that Meyers failed to show a concrete injury. Meyers v. Nicolet Restaurant of De Pere LLC.
· The U.S. District Court for the District of Alaska granted the state’s motion to intervene in a consumer class action suit in order to defend the constitutionality of the state’s Genetic Privacy Act. Genetic testing company Gene by Gene, accused in the suit of posting consumers’ genetic information on public websites without their informed consent in violation of the Act, had argued the Act was unconstitutional. Cole v. Gene by Gene, Ltd.
· The U.S. District Court for the Northern District of Illinois granted a motion for preliminary approval of a settlement in which the Neiman Marcus Group agreed to pay up to $1.6 million to a class of customers whose credit or debit card data was exposed during a 2013 data breach. The settlement applies to customers of stores operating under the Neiman Marcus umbrella, including Bergdorf Goodman, Cusp and Last Call. Remijas v. the Neiman Marcus Group, LLC., no. 1:14-cv-01735 (N.D. Ill. June 21, 2017).
· The U.S. District Court for the Northern District of California sentenced former Tesla mechanical engineer Nima Kalbasi to serve five years probation and pay restitution to Tesla for accessing his ex-manager's email account and posting confidential information online. US v. Kalbasi, no. 5:15-cr-00365 (N.D. Cal. June 20, 2017)
· The U.S. District Court for the Northern District of California was asked to approve a $115 million settlement in which Anthem, the second largest health insurer in the U.S., agreed to provide the 80 million victims of a 2013 data breach with two years of credit monitoring and reimbursement of out-of-pocket expenses stemming from the breach. In re: Anthem, Inc. Data Breach Litigation.
· Blue Global, a payday loan lead generator, and its CEO Christopher Kay agreed to a $104 million settlement with the FTC to resolve allegations the company induced customers to complete online loan applications and then sold their personal information. The money judgment was suspended, but not dischargeable, as both Kay and Blue Global filed bankruptcy. FTC v. Blue Global, LLC.
· A three-judge panel of the Third Circuit Court of Appeals ruled that Daryoush Taha, a former inmate at a Pennsylvania jail, can seek punitive damages as part of a class action despite not having suffered financial harm when information about his arrest was published on a government website after his criminal record was expunged. The court found the state’s Criminal History Record Information Act did not require Taha to obtain a compensatory damage award in order to seek punitive damages. Taha v. County of Bucks.
· The U.S. District Court for the District of New Jersey sentenced Mohammed Qasmani, a Pakistani citizen, to four years in prison for laundering more than $19.6 million on behalf of perpetrators of a massive computer hacking and telecommunications scheme. US v. Qasmani, no. 2:16-cr-00053 (D.N.J. Jun. 28, 2017).
· The U.S. District Court for the Eastern District of Virginia sentenced Andrew Boggs to two years in prison and ordered him to pay restitution for hacking into the personal accounts of two senior U.S. officials as part of a larger scheme that included the U.S. Department of Justice’s Case Information Management System. U.S. v. Boggs, no. 1:16-cr-00314 (E.D. Va. June 30, 2017).
· The U.S. District Court for the Eastern District of Virginia sentenced Russian-born Alexander Tverdokhlebov to nine years in prison for participating in an underground cybercrime ring that trafficked in stolen personal and financial information. U.S. v. Tverdokhlebov.
· The U.S. District Court for the Eastern District of Virginia also revoked Muneeb Akhter’s probation and sent him back to prison for 15 months after he stole online shoppers’ personal information which he used to make online purchases. Akhter had originally been convicted of hacking the U.S. Department of State to collect passport information.
· The U.K. Information Commissioner's Office found that the Royal Free NHS Trust failed to comply with data protection rules by sharing information on 1.6 million patients with an artificial intelligence company owned by Google as part of a medical trial. The trust, a London hospital, must now set out how it will meet its duty of confidence to patients in future trials and complete a privacy impact assessment.
· The Illinois House and Senate passed HB 3449, the Geolocation Privacy Protection Act, which provides that a private entity may not collect, use, store or disclose geolocation data from a mobile device without providing notice and obtaining consent. It also provides for recovery of damages and other relief.
· Pennsylvania enacted SB 560, which expands the use of body cameras by allowing audio and video recording inside a home. It also exempts audio and video recordings by officers from open records law requests.
· Vermont enacted S.72, a bill addressing actions by telemarketers, including requiring telemarketers to give accurate caller id information.
· Washington enacted HB 2213, which provides that a state agency may not collect or otherwise obtain a biometric identifier without first providing notice and obtaining the individual’s consent.
Privacy Law Initiatives in the Attorney General Community
· Fifteen Attorneys General sent a letter to e-commerce hosting company Aptos, warning the company that its assertion to online retailers that they are under no duty to notify customers of a massive data breach unless their CVV number was disclosed is erroneous. The Attorneys General asserted that the CVV number is not required to trigger data breach notification obligations.
· Maryland Attorney General Brian Frosh, Chair of the Maryland Cybersecurity Council, announced the release of its biennial report, which included recommendations for legislation to expand protections for consumers, creation of a portal for best practices, and resources to protect the critical infrastructure.
· New York Attorney General Eric Schneiderman announced a settlement with CoPilot Provider Support Services in which the company, which provides insurance support services to the health industry, agreed to pay $130,000 in penalties and revamp its breach notification procedures to resolve claims it violated state law by waiting more than one year to report a data breach exposing more than 220,000 patient records. Bureau of Internet and Technology Deputy Bureau Chief Clark Russell and Assistant Attorney General Jordan Adler handled the case.
Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail firstname.lastname@example.org.