The National Attorneys General Training & Research Institute
Privacy Law Newsletter March 2017
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
Recent Developments in Privacy Law
ABA to Offer Cybersecurity Insurance
The American Bar Association (ABA) will add insurance coverage for data breach liability and protection against network threats to its insurance offerings for attorneys and law firms. The policy will be underwritten by Chubb Ltd. and supplements the ABA’s other dental, disability, vision and travel insurance plans.
Report: 30,000 Cybersecurity Attacks on Federal Agencies in 2016
The Office of Budget and Management released its annual report to Congress on federal cyber performance, noting there were 30,000 “cyber incidents” in federal agencies in 2016 that led to the compromise of information or system functionality. The Department of Health and Human Services had 8,121 attacks – the most of all the agencies.
EU Presents Plan for Addressing Consumer Privacy Complaints
European Union (EU) data privacy regulators, known as the Article 29 Working Party, released a plan for handling unresolved Privacy Shield complaints raised by an individual or a U.S. company accused of wrongdoing. Such complaints would be addressed by a panel, with the issue to be decided by a simple majority. Further, if a U.S. company fails to comply with the panel’s advice within 25 days without a satisfactory explanation, the matter will be referred to a U.S. federal or state government entity for enforcement.
Recent Court Decisions/Settlements on Privacy Issues
Facebook Agrees to Stop Sharing Data in Private Messages
The U.S. District Court for the Northern District of California has been asked to approve a non-monetary class action settlement in which Facebook Inc. has agreed to cease the practice of using and sharing data exchanged in private messages in order to increase targeted advertising. Facebook will also be required to post language on its U.S. website Help section that it “uses tools to identify and store links shared in messages, including a count of the number of times links are shared.” The case is Campbell v. Facebook Inc., no. 4:13-cv-05996 (N.D. Cal. Mar. 1, 2017).
CA High Court Rules Official Business on Personal Devices Subject to Scrutiny
The California Supreme Court ruled unanimously that public officials’ communications about government business made from their personal accounts or on their personal devices may be subject to the California Public Records Act. The case originated from a records request for communications from San Jose city officials, with which the city refused to comply based on privacy concerns and the burden of locating the records. The case is City of San Jose v. The Superior Court of Santa Clara County, no. S218066 (Cal. Mar. 2, 2017).
Home Depot to Pay $25 Million for Data Breach
The U.S. District Court for the Northern District of Georgia has been asked for preliminary approval of a settlement in which Home Depot has agreed to pay $25 million and fortify its data security practices to resolve a class action by financial institutions for losses stemming from a 2014 data breach. The plaintiffs include 50 financial institutions from 44 states as well as 16 state credit unions and the Credit Union National Association. The case is In re: The Home Depot Inc. Customer Data Security Breach Litigation, no. 1:14-md-02583 (N.D. Ga. Mar. 8, 2017).
Ct. Enjoins California Law Shielding Actors’ Ages
The U.S. District Court for the Northern District of California granted a motion by entertainment industry database iMDb for a preliminary injunction barring enforcement of new California Chapter 1798.83.5 preventing commercial entertainment employment providers that offer a paid service for actors to post their profiles from including actors’ ages on their sites. iMDb had argued the law violates their free speech rights. The case is iMDb.com Inc. v. Becerra, no. 3:16-cv-06535 (N.D. Cal. Feb. 22, 2017).
CA Law Shielding Legislators’ Personal Info Temporarily Blocked
The U.S. District Court for the Eastern District of California issued a preliminary injunction halting the enforcement of a California statute prohibiting the publication of a public official’s personal information if the official requests that it not be published. The suit was brought by two blog owners who sought to publish the personal information of state legislators who voted in favor of a recent gun control measure. The case is Publius v. Boyer Vine, no. 1:16-cv-01152 (E.D. Cal. Feb. 27, 2017).
Healthcare Co. Agrees to Settlement for Failure to Protect Patient Data
Florida’s North Memorial Healthcare Systems has agreed to pay $5.5 million to the U.S. Department of Health and Human Services to resolve allegations it failed to properly protect patient data in violation of the Health Insurance Portability and Accountability Act (HIPAA). An investigation found that unauthorized users, including a former employee of an affiliate, had accessed data for 106,000 patients.
Three Workers Sentenced for Sending Spam From Hacked Accounts
The U.S. District Court for the District of New Jersey sentenced one man to four years in prison and two others to probation after they used the personal information of 60 million people that was stolen from corporate databases to send spam emails from hacked accounts, earning $2 million for themselves. Tomasz Chmielarz, a computer programmer, and ex-Comcast Corp. employee Devin McArthur were sentenced to two years of probation, while Timothy Livingston received the prison sentence. The case is U.S. v. Livingston, no. 2:15-cr-000626 (D. N.J. Feb. 16, 2017).
“Darklife” Bank Account Hacker Sentenced
The U.S. District Court for the District of New Jersey also sentenced Sergey Vovnenko, the administrator of two criminal online hacking forums, to 41 months in federal prison. Vovnenko, who used “Darklife” and “Flycracker” as online user names, stole login and payment card data as part of an international hacking conspiracy. The case is U.S. v. Vovnenko, no. 2:14-cr-00237 (D. N.J. Feb. 16, 2017).
3 Tech Companies Settle Privacy Compliance Claims
Software provider Sentinel Labs Inc., private messaging app developer SpyChatter Inc. and cybersecurity software provider Vir2us Inc. signed separate consent agreements to resolve Federal Trade Commission allegations that they falsely claimed participation in the Asia-Pacific Economic Cooperation’s privacy rules system. The cases are In the Matter of Sentinel Labs, no. 162-1250; In the Matter of SpyChatter Inc., no. 162-1251; and In the Matter of Vir2us Inc., no. 162-1248, all before the Commission.
Microsoft to Settle Suit Over Consumer Receipts
The U.S. District Court for the Southern District of Florida has been asked for preliminary approval of a settlement in which Microsoft Corp. agreed to pay $1.2 million to resolve claims its store receipts displayed too many digits of customers’ credit card numbers in violation of the Fair and Accurate Credit Transactions Act (FACTA). The case is Guarisma v. Microsoft Corp., no. 1:15-cv-24326 (S.D. Fla. Feb. 24, 2017).
Ct. OKs Taxi Co. and App Settlement Over Spam Texts
The U.S. District Court for the Western District of Washington granted preliminary approval to a class action settlement in which the Orange Cab Co. Inc. and RideCharge Inc. agreed to give each class member a $12 taxi voucher and a $48 payment to resolve claims the companies sent unsolicited text messages urging recipients to sign up for the TaxiMagic app. There are an estimated 69,200 people in the class, so the total settlement would amount to about $5.2 million. The case is Gragg v. Orange Cab Co. Inc., no. 2:12-cv-00576 (W.D. Wash. Mar. 1, 2017).
CA Court Rules Doctor Must Provide Patient Records
A California appellate court ruled that Dr. John Chiu, a neurosurgeon, must turn over the medical records of patient “T.S.” in compliance with the Medical Board of California’s subpoena. The court found that the Board’s interest in investigating questions about Dr. Chiu’s quality of care, raised in a separate suit brought by “T.S.,” outweighs any privacy violation. The case is Kidane v. Chiu, no. B275802 (Cal. Ct. App. Mar. 9, 2017).
EU High Court Won’t Allow Prior Bankruptcy Data Erased
The European Court of Justice ruled that the Lecce Chamber of Commerce in Italy can refuse to remove from its public record data linking business owner Salvatore Manni to a former company that filed for bankruptcy. The court relied on an EU personal data law that mandates disclosure of certain business history data for a “sufficient period of time” for the benefit of third parties who may have a special interest in viewing the data. The case is Camera di Commercio, Industria, Artigianato e Agricoltura di Lecce v. Manni, no. C-398/15 in the European Court of Justice.
Recent Legislative Action
The Illinois Senate Judiciary Committee passed S.B.1502, which would require web sites and apps to notify consumers about what data they collect and to whom they sell the data. It has been referred to the Assignments Committee.
The Indiana Senate passed SB 299, which would create a drone voyeurism crime penalizing the inappropriate use of drones by sex offenders. The charge could be elevated to a felony for a similar prior offense. The bill was referred to the House Committee on Courts and Criminal Code.
H.R. 1061, a bill that would ban the tracking of a person using GPS technology without permission or a warrant, was passed by the House Judiciary Committee. It specifically includes law enforcement use of stingray technology that tricks phones into transmitting location information. The bill, sponsored by Rep. Jason Chaffetz (R-UT), was referred to the Subcommittee on Crime, Terrorism, Homeland Security and Investigations.
H.R. 1224, a bill that would encourage federal agencies to follow the National Institute of Standards (NIST) cybersecurity framework, was passed by the House Committee on Science, Space and Technology.
Privacy Initiatives in the Attorney General Community
Florida Attorney General Pam Bondi released an Identity Theft Resource Guide providing information about the forms of identity theft and ways consumers can further protect their private information.
Mississippi Attorney General Jim Hood announced that Delvin Young was sentenced to three years in prison for credit card fraud after an investigation revealed he had illegally obtained the personal information of others and used it to apply for credit cards. The case was investigated by Miller Faulk of the Consumer Protection Division and prosecuted by Special Assistant Attorney General Patrick Beasley.
New Jersey Attorney General Christopher Porrino announced a settlement with Horizon Blue Cross Blue Shield of New Jersey in which the healthcare insurer agreed to pay $1.1 million and implement a corrective action plan to resolve allegations it failed to properly protect the privacy of 690,000 policyholders whose personal information was contained on two laptops that were stolen from Horizon’s headquarters. Deputy Attorneys General Elliott Siebers and Russell Smith, Jr. and Assistant Attorneys General John Falzone III and Brian McDonough represented the State.
New York Attorney General Eric Schneiderman announced that Channel Francis was indicted for fraudulent use of credit cards obtained when she allegedly stole the identities of three nursing home residents. The case was investigated by Investigator Zahraa Mojeed and Supervising Investigator Ronald Lynch. Special Assistant Attorneys General Jonathan Reiner and Felicia Berenson are prosecuting the case.
Vermont Attorney General Thomas Donovan, Jr. announced a settlement with the Grand Buffet Restaurant in which the restaurant agreed to pay $30,000 and improve its credit card security practices to resolve allegations that an employee stole credit card numbers and compromised at least 100 customers’ personal data.
Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail firstname.lastname@example.org.