Privacy Law Newsletter July - August 2016
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
Developments in Privacy Law
IRS Committee Urges Digitized Tax Returns
The Internal Revenue Service (IRS) Electronic Tax Administration Advisory Committee, established by the IRS Restructuring and Reform Act of 1998, issued an annual report to Congress that urges the agency to move toward establishing online taxpayer accounts. The report argues that doing so would increase the use of electronic returns, currently accounting for 80 percent of filings, and would also allow the IRS to provide taxpayers with an online forum to register their identities and thereby cut down on Internet tax identity theft, attempted at an estimated four million times in 2015. Steps suggested in the report include outreach to the tax preparation industry and rule changes to reduce taxpayers’ compliance burdens. The report may be accessed at https://www.irs.gov/pub/irs-pdf/p3415.pdf.
Debt Collector Robocalls Limited to 3/Month
The Federal Communications Commission (FCC) ruled that collectors of federally backed debts, such as some mortgages and student loans, cannot call or text consumers more than three times a month, even though such calls are exempt from the Telephone Consumer Protection Act (TCPA). Only consumers at risk of delinquency can be called under rules promulgated by the FCC, and callers cannot bother the debtor’s family or friends. The FCC rule can be accessed at https://www.fcc.gov/document/rules-and-regulations-implementing-tcpa-act-1991.
Cybersecurity Guidance for International Finance Industry Released
The Bank of International Settlements (BIS) issued a final report on internationally agreed but non-binding guidance on cybersecurity for the financial industry, motivated in part by increasingly sophisticated cyber attacks. The BIS urges consistency in the way financial institutions worldwide approach cybersecurity, stressing that a cyber attack in one region can cause significant disruptions to the entire financial system. The report recommends a two-hour timeframe for restoration of services in order to minimize repercussions to worldwide systems, suggesting that institutions should update their systems to meet that restoration guideline within one year from the report. The report may be accessed at https://www.bis.org/cpmi/publ/d146.pdf.
FCC: Federal Government Robocalls Exempt From TCPA
The FCC ruled that robocalls made either by the federal government or on its behalf are exempt from the TCPA because the government is not a “person” under the Act. The FCC based its ruling on the U.S. Supreme Court’s decision in Campbell-Ewald Co. v. Gomez, no. 14-857, in which the Court held that the U.S. and its agencies are immune from suit for violations of the TCPA. The ruling was in response to petitions filed by three government contractors seeking a declaration that federal, state and local governments, as well as officers acting on official government business, are not included under the Act. The FCC stated that the ruling does not address calls made by state and local governments or their agents.
Report: Encryption a Balance Between Privacy and Law Enforcement Needs
The U.S. House Homeland Security Committee released a report on data encryption that concluded the federal government is striving to balance consumers’ privacy demands with law enforcement’s need to obtain information about terrorism and other dangers. The committee agreed to establish a commission to study how encryption is being used by both the government and private companies to determine the best way for law enforcement to intercept crucial information during an investigation without accessing unrelated private information. The report, “Going Dark, Going Forward,” may be accessed at https://homeland.house.gov/wp-content/uploads/2016/07/Staff-Report-Going-Dark-Going-Forward.pdf.
Europe OKs Final Cybersecurity Rules
After three years of discussion, the European Parliament gave final approval to the Network and Information Security Directive, establishing the first cybersecurity and data breach reporting requirements in the European Union for companies providing essential services, such as banking, healthcare, energy and transportation, in addition to digital services, such as search engines and cloud providers. The directive will obligate such providers to significantly increase their data security measures and report major data breaches. Under the directive, each member state can decide which entities are essential providers subject to the directive rules. The directive can be accessed from https://ec.europa.eu/digital-single-market/en/cybersecurity.
EU Approves Privacy Shield Data Transfer Pact
The Article 31 committee of European Union member states approved the Trans-Atlantic Privacy Shield, which would replace the safe harbor data transfer arrangement struck down by the European Court of Justice. The pact imposes stronger requirements for U.S. companies to protect the personal data of European citizens and mandates stronger monitoring and enforcement by the Federal Trade Commission (FTC) and the U.S. Department of Commerce. It also requires written assurance from the U.S. that access by law enforcement and the intelligence community to transferred data will be subject to limitations and oversight to prevent indiscriminate surveillance.
FCC’s Proposed Privacy Rules for ISPs Draw Praise and Criticism
The FCC’s proposed framework aimed at giving broadband consumers more privacy and security for their personal data continues to garner both praise and criticism in filings before the Commission. Below are such comments filed since the last issue of this newsletter.
The FBI, the U.S. Department of Justice and the U.S. Secret Service advised the FCC in a filing of their support for its plan to expand data breach notification rules to broadband providers as part of the FCC’s proposal to develop privacy regulations for ISPs. The filing noted that if agencies are quickly notified of a breach, they can effectively assess important evidence and coordinate a response, as well as approve a potential delay of customer notice. However, the agencies noted that ISPs should not be required to notify law enforcement of conduct that could lead to a breach.
The Small Business Administration’s (SBA’s) advocacy office filed a notice with the FCC urging it to establish alternatives to the proposed privacy rules for broadband providers and cautioning that small broadband service providers would be disproportionately burdened by the current proposal. The filing expressed particular concern about the FCC’s failure to consider economic harm to small businesses and urged the FCC to institute longer compliance schedules for small providers.
PA Revenue Dept. Notifying Taxpayers of Breach
The Pennsylvania Department of Revenue revealed it was notifying 865 taxpayers by mail whose personal identifying information was stored on an auditor’s laptop that was stolen. The Department said it was a cautionary measure, but would offer free credit monitoring and fraud protections. The laptop theft resulted from a vehicle break-in and was quickly reported to law enforcement.
FTC Sends Warnings re APEC Privacy Compliance Boasters
The FTC sent letters to 28 companies that publicize their compliance with the Asia-Pacific Economic Cooperation’s (APEC’s) voluntary cross-border privacy rules on their websites, warning them that they seem to fall short of the requirements and that falsely claiming to comply could result in an enforcement action under the Federal Trade Commission Act. Companies must be reviewed and certified by an APEC-recognized accountability agent, which the 28 companies cited have not done, and the FTC asked the companies to remove such claims from their websites.
U.S. Made 135,000 Requests for Verizon Customer Data
Verizon Communications issued a transparency report that found U.S. law enforcement made 135,000 requests for subscriber mobile information during the first half of 2016, compared with 149,810 requests made during the same period last year. The report outlines the types of requests received and the kinds of data Verizon discloses. The report may be accessed at http://www.verizon.com/about/portal/transparency-report/.
France Directs Microsoft to Curtail Intrusive Data Collection
France’s Commission Nationale de l’Informatique et des Libertés (CNIL) issued a directive to Microsoft to stop “excessive data collection and monitoring of user navigation without users’ consent” within 90 days. CNIL’s directive accuses the company’s Windows 10 operating system of enabling an ad-tracking system by default, allowing Windows and third-party applications to track user navigation and offer users targeted advertisements without their consent.
FCC Clarifies Exceptions to Ban on Robocalls
The FCC clarified that schools who make robocalls and send automated text messages to student cell phones without consent during emergencies will not violate the TCPA, even if they also send information related to the school’s mission. Similarly, utility companies are allowed to inform customers of service outages or send warnings about potential service disruptions during severe weather without running afoul of the law. The clarification comes in response to petitions filed by Blackboard Inc., Edison Electric Institute and the American Gas Association asking the FCC to relax its requirements on the kind of automated communications that violate the TCPA. The ruling may be accessed at http://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db0804/FCC-16-88A1.pdf.
AT&T to Lead Industry Task Force on Robocalls
AT&T announced an agreement with the telecommunications industry to lead an effort to increase the availability of robocall-blocking technologies. The effort is also aimed at helping to develop new caller ID standards, a “Do Not Call” list for suspicious calls from outside the U.S. and other measures to prevent robocalls.
Banner Health Warns 3.7 Million of Cyberattack
Banner Health, a nonprofit hospital system, sent letters to 3.7 million patients advising them it had been the victim of a cyberattack targeting patients’ health care and credit card information. Banner, which operates 29 hospitals in the U.S., said the attack originated on computer systems at their locations selling food and beverages and spread to include patient information. Banner will provide a free one-year membership in credit monitoring services to those affected by the breach.
Recent Court Decisions/Settlements on Privacy Issues
Court Finds No Warrant Needed by FBI to Deploy Malware
The U.S. District Court for the Eastern District of Virginia ruled that FBI agents do not need a warrant before deploying malware that takes information from a computer. Joseph Matish was arrested after an FBI investigation into Playpen, a website on the Tor network focusing on child pornography which requires special software to access the site, and is thus part of the “deep web.” Although the court ruled no warrant was required, a magistrate judge had approved a warrant authorizing the FBI to use a network investigative technique (NIT) to extract an IP address which identified Matish. The case is U.S. v. Matish, no. 4:16-cr-00016 (E.D. Va. June 3, 2016).
N.J. High Court Removes Warrant Requirement for Phone Billing Records
The New Jersey Supreme Court affirmed a lower court ruling, overturning precedent by finding that police do not need a warrant to access telephone billing records in a criminal probe, and ruling that a lower standard of seeking a court order would protect privacy concerns and expedite investigations. The warrant requirement for such records was established in State v. Hunt, 91 N.J. 338 (1982). The case is State v. Lunsford, no. 075691 (N.J. Aug. 1, 2016).
3rd Circuit: VPPA Not Applicable to Google’s Tracking of Kids’ Internet Activity
In a case of first impression, a three-judge panel of the Third Circuit Court of Appeals affirmed the U.S. District Court for the District of New Jersey’s dismissal of claims that Google and Viacom violated the Video Privacy Protection Act (VPPA) by tracking children’s Internet activity. The court concluded that the VPPA, which prohibits videotape service providers from knowingly disclosing consumers’ personally identifiable information, was not intended to apply to anything other than video-watching habits. As to the claims against Viacom for information allegedly provided to Google, the court concluded that the information could not be considered personally identifiable information. The court did, however, uphold a state invasion of privacy claim against Viacom. The case is In re Nickelodeon Consumer Privacy Litigation, no. 15-1441 (3rd Cir. Jun. 27, 2016).
Minnesota to Pay $1 Million for DMV Database Access by County Employee
The U.S. District Court for the District of Minnesota has been asked to approve a settlement of a proposed federal class action in which the State of Minnesota will pay $1 million to resolve claims that a former county employee illegally accessed information from 269 individual driver’s licenses for her own personal use. The invasion of privacy suit had alleged that the State failed to put in place systems and procedures to ensure the data would be protected. The case is Gutsvig v. Peterick, no. 0:13-cv-1309 (D. Minn. July 1, 2016).
Court Rules Warrantless Use of Cell Site Simulator Violates 4th Amendment
The U.S. District Court for the Southern District of New York suppressed evidence in a narcotics case because the Drug Enforcement Agency’s (DEA’s) warrantless use of a cell site simulator, known as a stingray, violated the suspect’s Fourth Amendment rights. DEA agents had used the stingray to track the exact location of the suspect. Although the Department of Justice changed its policy after the search to require warrants for stingray use, it had defended the search by arguing that even if the stingray’s warrantless use was illegal, it was too attenuated from the search itself. The case is U.S. v. Lambis, no. 1:15-cr-734-WHP (S.D.N.Y. July 12, 2016).
Court Rules Gov’t Can’t Use Search Warrants to Get Data Stored Overseas
A three-judge panel of the Second Circuit Court of Appeals unanimously decided that the U.S. government cannot use search warrants to access consumer data stored overseas by service providers. The ruling reverses a decision by the U.S. District Court for the Southern District of New York which upheld a search warrant issued under the Stored Communications Act (SCA) that required Microsoft to produce customer email content data stored on a server in Ireland. The panel concluded that Congress did not intend the SCA’s warrant provisions to apply extraterritorially. The case is In the Matter of a Warrant to Search a Certain Email Account Controlled and Maintained by Microsoft Corp., no. 14-2985 (2nd Cir. July 12, 2016).
J.P. Morgan Settles Autodialing Class Action for $3.75 Million
The U.S. District Court for the Middle District of Florida has been asked to approve a settlement under which JPMorgan Chase Bank NA will pay $3.75 million to resolve a proposed class action alleging it autodialed cellphone numbers that were reassigned from former customers to new customers who had not agreed to receive such calls. According to the preliminary approval motion, if all 675,000 potential class members file claims, each will receive approximately $5.55. The case is James v. JPMorgan Chase Bank NA, no. 8:15-cv-2424 (M.D. Fla. Jun. 24, 2016).
Wells Fargo Settles Autodialing Class Action for $16.3 Million
In another bank autodialing class action, the U.S. District Court for the Northern District of Georgia has been asked to approve a settlement under which Wells Fargo Bank will pay $16.7 million to resolve a proposed class action alleging it illegally used an automatic telephone dialing system to call customers’ cellphones regarding home equity and residential mortgage loans without their consent. The plaintiffs had argued they had to provide a cellphone number at the start of their banking transaction, but if the court had found the TCPA allows prior express consent to be given any time a customer provides a cellphone number, it would have resulted in reduced or no damages. The case is Markos v. Wells Fargo Bank NA, no. 1:15-cv-1156 (N.D. Ga. Jun. 29, 2016).
Citizens Bank to Settle 1-Million Member TCPA Suit for $4.5 Million
In yet a third bank autodialing class action, the U.S. District Court for the Southern District of California gave preliminary approval to a proposed settlement of a class action with more than one million members in which Citizens Bank agreed to pay $4.5 million to resolve claims it violated the TCPA by calling customers’ cellphones without their permission using an automated dialing system. Potential class members were identified from outbound calling list records obtained from the bank and its third party vendors. The case is Sanders v. RBS Citizens NA, no. 3:13-cv-3136 (S.D. Cal. July 5, 2016).
Court OKs $9 Million Settlement in TCPA Suit Against American Express
The U.S. District Court for the Northern District of Illinois gave preliminary approval in a putative class action to a $9.25 million settlement resolving claims that American Express made numerous debt collection calls through the use of an automatic telephone dialing system in violation of the TCPA. The case is Ossola v. American Express Co., no. 1:13-cv-4836 (N.D. Ill. July 6, 2016).
Allstate Workers Awarded $27 Million in Defamation Suit
A federal jury found for four Allstate employees, awarding them a total of $27.1 million, including $10 million in punitive damages, on claims that the company defamed them, resulting in their termination for alleged violations of Allstate’s ethics code, during an investigation into allegations they were timing trades to inflate their bonuses. The employees also claimed Allstate violated the Fair Credit Reporting Act by failing to give them copies of the investigation report and accused the chief investments officer of tortious interference with a prospective economic advantage. The case is Rivera v. Allstate Insurance Co., no. 1:10-cv-1733 (N.D. Ill. Jun. 24, 2016).
Zions Bancorp to Pay $37 Million for Role in Telemarketing Scheme
The U.S. District Court for the Eastern District of Pennsylvania has been asked to approve a settlement in which Zions Bancorp will pay $37.5 million to resolve claims that its subsidiary collaborated in several schemes by telemarketers to gain access to customers’ bank accounts and charge excessive fees. The suit had alleged that the subsidiary contracted with telemarketers to establish accounts in order to deposit fees fraudulently collected from customers’ checking accounts. The case is Reyes v. Zions First National Bank, no. 2:10-cv-345 (E.D. Pa. July 5, 2016).
Ex-Recruiter’s Conviction for Stealing Trade Secrets Affirmed
The Ninth Circuit Court of Appeals upheld the conviction of David Nosal, a former Korn/Ferry International recruiter, for stealing trade secrets from his former employer in violation of the Computer Fraud and Abuse Act (CFAA). The CFAA makes it a felony to access classified information in a private, government or financial computer without authorization. Nosal had argued that gaining access to a computer via a willingly supplied password does not constitute hacking, but the court disagreed. The case is U.S. v. Nosal, no. 14-10037 (9th Cir. July 5, 2016).
Russian Criminal in StubHub Scam Sentenced to 4-12 Years
A New York Supreme Court sentenced Vadim Polyakov, a Russian national, to four to 12 years in prison for stealing personal data from StubHub, the online ticket marketer. Polyakov, who was arrested in Spain and extradited, obtained e-tickets to popular events purchased with stolen credit card and account information from StubHub users, then gave the “hot” tickets to cronies who resold them for a profit and funneled the proceeds through Paypal accounts to hide their source. The case is People v. Polyakov, no. 3200-2014 (N.Y. Sup. Ct. July 6, 2016).
Bankruptcy Won’t Shield Convicted Stalker
The U.S. Bankruptcy Court for the District of Oregon ruled that the $28 million verdict against Michael Barrett for stalking and secretly filming sportscaster Erin Andrews is nondischargeable in bankruptcy. Barrett had filed for Chapter 7 bankruptcy after his release from the 30-month prison sentence. The case is In re Michael Barrett, no. 12-33461 (Bankr. D. Ore. July 11, 2016).
Chinese Hacker Sentenced for Stealing Boeing Data
The U.S. District Court for the Central District of California sentenced Su Bin, a Chinese national, to four years in prison after he pled guilty to trying to hack into The Boeing Co.’s computers to send military data to China. Bin had been indicted for stealing computer data on the C-17 military cargo plane. The case is U.S. v. Bin, no. 8:14-cr-131 (C.D. Cal. July 13, 2016).
Data Breach Class Action Against Brokerage Dismissed
The U.S. District Court for the Eastern District of Missouri granted discount brokerage firm Scottrade Inc.’s motion to dismiss a putative class action over a data breach, agreeing with defendants that the plaintiffs failed to adequately show actual resulting injury. The hackers allegedly stole users’ Social Security numbers for a competing customer database. The case is Martin v. Scottrade Inc., no. 4:10-cv-124 (E.D. Mo. July 12, 2016).
Pandora User Can’t Bring Class Action Under State Video Privacy Law
The Michigan Supreme Court unanimously ruled that a Pandora user could not bring a putative class action because he did not “rent” or “borrow” and was therefore not a customer under the meaning of the state Preservation of Personal Privacy Act, aka the Video Rental Privacy Act. The decision significantly narrows the scope of streaming media services that fall under the statute. The case is Deacon v. Pandora Media Inc., no. 151104 (Mich. July 6, 2016).
NY Court Upholds Denial of Access to Tax Documents Under FOIA
A New York appellate court upheld a lower court’s ruling that supported the taxation and finance department’s withholding of tax records relating to the source of credit rating receipts that were requested by credit rating agency Moody’s under the Freedom of Information Act (FOIA). The court found the documents were exempt under laws covering the disclosure of taxpayer and government agency information. Assistant Attorney General Robert Goldfarb of the New York Attorney General’s Office represented the State. The case is Matter of Moody’s Corp. & Subsidiaries v. New York State Dept. of Taxation & Finance, no. 522169 (N.Y. App. Div. Jul. 21, 2016).
FACTA Settlement Against Spirit Airlines Gets Final OK
The U.S. District Court for the Southern District of Florida gave final approval to a settlement in which Spirit Airlines agreed to pay $7.5 million to resolve claims of violating the Fair and Accurate Credit Transactions Act (FACTA) for revealing too many credit card account digits on its receipts. The class action suit covered every Spirit passenger who paid via debit or credit card with too many digits revealed on the receipt. The case is Legg v. Spirit Airlines Inc., no. 0:14-cv-61978 (S.D. Fla. Aug. 2, 2016).
Court Strikes Down Arkansas Law Banning Political Robocalls
The U.S. District Court for the Eastern District of Arkansas found a state law banning political robocalls to be unconstitutional, finding it did not meet the “strict” test for bypassing First Amendment protections because the relevant privacy and safety concerns could have been met in a less restrictive way. The law, Ark. Code Ann. § 5-63-204(a)(1), prohibits using an automated calling system in connection with a political campaign. Assistant Attorneys General KaTina Hodge and Mindy Pipkin of the Arkansas Attorney General’s Office represented the State. The case is Gresham v. Rutledge, no. 4:16-cv-241 (E.D. Ark. Jul. 27, 2016).
Privacy Initiatives in the Attorney General Community
Maryland Attorney General Brian Frosh, Chair of the state Cybersecurity Council, and the Council itself, released their Initial Activities Report, outlining the Council’s activities and preliminary recommendations. It recommends the State create a cyber first responders reserve to enable an appropriate state agency to synchronize with cyber experts in a cyber emergency, to be coordinated by the State Emergency Management Agency. The Council also recommends the State have access to a reserve of digital expertise in case of a disaster. The report may be accessed at https://www.oag.state.md.us/Press/MD_Cyber_Council_Interim_Report.pdf.
New Jersey Attorney General Christopher Perrino announced that Anthony Ferrer was indicted on charges that he used stolen identities to obtain official identification documents from the Motor Vehicle Commission (MVC). He allegedly used the stolen identities and documents to fraudulently obtain new titles for vehicles and conceal more than $239,000 in liens held by lenders who financed the cars. The 43-count grand jury indictment includes charges of conspiracy, official misconduct, computer theft, theft by deception, bribery and use of personal identifying information of another, all second degree carrying a sentence of five to 10 years in prison.
New York Attorney General Eric Schneiderman announced that Provision Supply LLC, the operator of EZContactUSA.com, an e-tailer of contact lenses and eyewear, has agreed to pay a $100,000 penalty for failing to notify customers that its website had been the target of a data breach potentially exposing 25,000 credit card numbers. Provision Supply also agreed to enhance its data security practices.
Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail firstname.lastname@example.org.