The National Attorneys General Training & Research Institute
Privacy Law Newsletter July 2018
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
Recent Developments of Note
Equifax agreed to take corrective actions following the company’s massive 2017 data breach under a consent order with eight state banking commissioners. The order includes requirements that Equifax develop a proper risk assessment, submit a list of all planned projects to the multi-state regulatory agencies and submit written reports to them on its progress towards complying with each provision of the order.
The Treasury Department’s Office of Foreign Assets Control sanctioned five Russian entities and three Russian individuals who are accused of working with Russian counterintelligence to jeopardize U.S. cybersecurity. The businesses named are Digital Security, ERPScan, Embedi, Krant Scientific Research Institute and Divetechnoservices. As a result, all property and interests in property are blocked, and U.S. citizens are prohibited from engaging in transactions with those businesses and individuals.
The FTC’s Bureau of Consumer Protection drafted comments on the Consumer Product Safety Commission’s effort to determine the potential safety issues associated with Internet-connected devices, advising that any standards the Commission develops should be flexible and available to the public. The Bureau further cautioned the Commission to take note of the link between poor security practices and safety risks.
The Financial Stability Board, a global forum of central bankers, published a cyber lexicon, a vocabulary of cyber terms that it hopes will encourage cross-border cooperation on cybersecurity. The lexicon comprises 50 “core terms” related to cybersecurity in the financial sector.
The International Association of Privacy Professionals (IAPP) issued an analysis of the new California Consumer Privacy Act, finding that more than 500,000 businesses may be subject to the new law. The analysis addresses what data is protected, who must comply and how to comply.
The U.K. Information Commissioner’s Office has issued a monetary penalty notice fining Yahoo! 250,000 pounds ($334,000) for lax security measures leading to a 2014 data breach that exposed the personal data of 500 million user accounts worldwide. The Commissioner’s Office investigation focused on the 515,121 user accounts located in the U.K.
The EU’s Transport, Telecommunications and Energy Council agreed to create a common cybersecurity certification framework for information and communication technology products and services with the goal of establishing a standard level of data security for products such as connected cars and smart medical devices. The Council also agreed to establish a permanent EU agency for cybersecurity.
The EU Court of Justice announced that due to the new GDPR and the resulting large number of cases brought over data protection, it has decided to anonymize all persons mentioned in public documents. The court said it would replace the names of all persons mentioned in requests for preliminary rulings filed after July 1, 2018 with initials.
Members of the European Parliament called on the EU Commission to suspend the EU-US Privacy Shield unless the U.S. complies with EU data protection rules by September 1, 2018. Their non-binding resolution also insists that, if necessary, the U.S. should act to remove companies that have misused personal data from the Privacy Shield list.
The Bank of England revealed plans to test the ability of financial services firms to meet a defined set of minimum standards for recovery from a cyberattack. The test addresses the Bank’s concerns that disruption to one bank’s payments could have a direct impact on the economy by preventing its customers from paying for goods and services.
Current Privacy Law Decisions/Settlements
The Eighth Circuit affirmed a $10 million settlement brought against Target over its massive 2013 data breach. The court had previously sent the case back to the district court for further proceedings. In re: Target Corporation Customer Data Security Breach Litigation.
The Second Circuit affirmed the conviction of an Italian citizen for misdemeanor computer intrusion related to an alleged global “click fraud” scheme. The court left in place a federal jury’s finding that he violated the Computer Fraud and Abuse Act with his intent to defraud online advertisers. U.S. v. Gasperini.
The U.S. District Court for the Eastern District of Michigan granted preliminary approval to a class action settlement in which media company Time agreed to pay $7.4 million to resolve claims it violated the Michigan Video Rental Privacy Act by disclosing subscribers’ personal data. The settlement involves a class of 719,000 state residents who bought a Time publication subscription. Perlin v. Time Inc.
An HHS administrative law judge ordered the University of Texas MD Anderson Cancer Center to pay a $4.3 million penalty for three data breaches that exposed the personal information of more than 33,000 patients. The judge found that although the Center had used encryption technology, it had failed to adequately protect patient data. Director of the Office for Civil Rights v. The University of Texas MD Anderson Cancer Center.
Sudhakar Reddy Bonthu, a former Equifax manager charged with insider trading in advance of the company's disclosure of a massive data breach, settled a parallel lawsuit brought by the SEC. Bonthu agreed to forfeit the $75,000 gained through the selling of put options, according to a consent agreement filed in the U.S. District Court for the Northern District of Georgia.
California Governor Jerry Brown signed AB 375 into law, giving consumers the right to request that a business disclose what personal information it collects and the purposes for which it is used, as well as to request deletion of personal information collected. The bill provides for enforcement by the Attorney General and for a private right of action for unauthorized access or disclosure.
Colorado Governor John Hickenlooper signed HB 1128 into law, which requires covered government entities that maintain documents containing personal identifying information to develop and maintain a written policy for the destruction and proper disposal of the documents, as well as maintain reasonable security procedures.
Connecticut Governor Dannel Malloy signed HB 5444 into law, which requires the Department of Education to provide written guidance on the laws governing student data privacy and authorizes the retention of student records required by state and federal law and for purposes of disaster recovery systems. The Governor also signed SB 472 into law, which prohibits credit rating agencies from charging consumers a fee to place a security freeze on their account or to remove one, and also increases the amount of identity theft prevention or mitigation services provided after a security breach.
The Ohio Legislature passed SB 220, which would provide a legal safe harbor for entities that implement a cybersecurity program. It would also allow transactions recorded by blockchain technology under the Uniform Electronic Transactions Act.
The U.S. House passed H.R. 6082 on opioid prevention, which includes a measure allowing medical professionals to share information about patients with opioid use disorder.
Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail firstname.lastname@example.org.