Privacy Law Newsletter May 2017
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
Recent Developments in Privacy Law Issues
The ABA called for a review and modification of DHS rules permitting the search of lawyers’ laptop computers, cellphones and other electronic devices at U.S. border crossings, citing confidentiality and privilege concerns. The ABA letter wants front line agents to be given clear standards before demanding a search of lawyers’ seized files, to know the protocol when a lawyer asserts the information is protected by attorney-client privilege and to be required to consult with the government counsel whenever a lawyer asserts that privilege.
The FDA sent a letter to Abbott Laboratories, the new owner of St. Jude Medical, giving it 15 days to explain how cybersecurity concerns about its cardiac implant transmitter devices are being addressed or face potential penalties. It requires Abbott to provide specific steps it has taken to address past violations and explanations on how they will be prevented in the future.
The National Security Agency announced an end to its controversial surveillance method allowing it to collect Internet communications that merely mentioned a foreign intelligence target, including messages from U.S. citizens who were not under investigation. The policy change resulted from a review of its activities under Section 702 of the Foreign Intelligence Surveillance Act, which will expire at the end of the year.
The ABA issued Formal Opinion 477 that says under professional rules of conduct attorneys have a confidentiality obligation to take reasonable measures to ensure that unencrypted emails containing client information are safe from cyberthreats. The opinion urges lawyers to develop a process to address their cybersecurity needs on a case-by-case basis and outlines some elements to consider when creating their plan.
DHS issued new policy guidance pursuant to an executive order limiting the privacy rights of immigrants and nonimmigrant foreigners. According to the memorandum, immigrants and nonimmigrant foreigners can obtain access to their records only through FOIA, and they may not be granted amendment of their records upon request. The policy also permits the sharing of their information with federal, state and local law enforcement.
The FTC issued a notice in the Federal Register seeking public comment on changes that TRUSTe, a compliance and security company operating a certified COPPA safe harbor, proposes to make to its program. The proposed changes relate to how TRUSTe polices third-party tracking technologies that may be collecting information on child-directed sites and services, as well as the timing for stripping seals from companies that fail to complete their annual review and remediation.
The fiscal year 2017 omnibus appropriations bill, which is designed to keep the federal government operating through September 2017, contains increased funding for cybersecurity and privacy initiatives at DHS and the FTC, including $1 billion to help fortify public sector networks against cyberattacks. In addition, the bill provides $11 million to help finance cybersecurity needs at the Office of Personnel Management, which suffered a major breach in 2015.
Mobile devices used by federal employees are vulnerable to a wide range of security threats that can be mitigated, according to the DHS Study on Mobile Device Security. Specifically, DHS advised the government to develop cooperative arrangements with mobile device operators to detect and respond to threats, participate in mobile standards bodies, establish a program to facilitate sharing of mobile malware threat data and adopt a mobile device security framework based on current standards.
The ABA’s international and antitrust sections urged the European Union (EU) to avoid restricting data storage, movement and processing to specific geographies or jurisdictions through localized laws and rules to maintain data security. The comments came in response to an EU request for input on their future policy agenda on the European data economy.
Chipotle Mexican Grill detected a data security breach in its electronic processing and transmission of confidential customer and employee information, according to its quarterly report filed with the U.S. Securities and Exchange Commission.
The Foreign Intelligence Surveillance Court (FISC) received 1,752 requests for surveillance warrants in 2016, of which 1,378 were approved in full and 339 were approved after modification, according to a report issued by the Administrative Office of the U.S. Courts.
OneTeam Collective, a business accelerator launched by the NFL Players Association, signed an agreement with Whoop to provide players with wearable fitness tracking devices. The players will own and control all the data collected by the sensors. The Collective and Whoop also agreed to use the devices to study the effects of travel, sleep, scheduling and injuries on an athlete’s recovery time.
A mandatory update to Hyundai Motor America’s Blue Link app, which allows Hyundai owners to locate, unlock and start their vehicles remotely, corrected a vulnerability that potentially left exposed sensitive information about registered users and their vehicles.
Illinois Board of Elections officials testified before a bipartisan state Senate panel that they have taken all possible steps to secure the state’s voter registration database after last year’s hack. They testified that the breach affected between 70,000 and 80,000 voters, which is less than half of their original estimate.
The Seattle Information Technology Department issued Rule 2017-01, which requires cable operators to obtain opt-in consent before sharing a customer’s web browsing history or otherwise using such information. Exceptions would be if the information were necessary to render a service the consumer had ordered or if the information was requested under a subpoena or court order.
Court Decisions/Settlements on Privacy Issues
Google’s motion to quash a search warrant for user content stored overseas was denied by the U.S. District Court for the Northern District of California, holding that the request is a domestic application of the SCA and Google must produce all responsive information that is retrievable in the U.S., regardless of where it is stored. In the Matter of the Search of Content Stored at Premises Controlled by Google Inc. and as Further Described in Attachment A, no. 3:16-mc-80263 (N.D. Cal. Apr. 19, 2017).
A New Jersey appeals court, citing the privacy concerns of other potential victims, decided that a trial court judge must review and redact sexual harassment complaints against New Jersey Transit before providing them to Katrina Osborne, a former assistant bus operations supervisor who claims she was fired because she complained about her supervisor's advances. Osborne v. New Jersey Transit, no. A-0217-16T4 (N.J. Super. Ct. App. Div. Apr. 20, 2017).
Home Depot investors agreed to dismiss their shareholder derivative suit against the Home Depot board of directors, after alleging they breached their duty of loyalty to the company by not preventing or immediately remedying the data breach. In re The Home Depot, Inc. Shareholder Derivative Litigation, no. 1:15-cv-2999 (N.D. Ga. Apr. 28, 2017).
A California appeals court ruled that a psychiatrist under investigation for her drug prescribing practices must comply with a subpoena from the Medical Board of California for a portion of her patient medical records. The court decided that the psychotherapist-patient privilege and the individual privacy rights of the patients did not preclude the records from being released. Cross v SCLA, no. B277600 (Cal. Ct. App. May 1, 2017).
The Metro Community Provider Network entered into a settlement with HHS in which the health care provider agreed to pay $400,000 and implement a corrective action plan to resolve claims it failed to adequately assess its security risks before its systems were hacked in violation of HIPAA. The provider will have to submit and complete a risk analysis plan within 90 days.
The Center for Children’s Digestive Health, an Illinois-based pediatric digestive health practice, also entered into a settlement with HHS over disclosure of 10,000 patient health records sent to a document storage company without obtaining a written business associate agreement that the data would be safeguarded. The Center agreed to pay $31,000 and take corrective actions.
In still another HHS settlement over HIPAA violations, CardioNet, a provider of wireless health services for heart patients, agreed to pay $2.5 million and implement a corrective action plan for not properly protecting patients’ electronic health information after an employee’s laptop with 1400 patients’ protected health information was stolen.
Roman Seleznev, the son of a Russian legislator, was sentenced to 27 years in prison for hacking into retail point of sale computers to steal consumers’ credit card numbers, subsequently offering them for sale in a widespread scheme that affected 500 businesses. Seleznev was also ordered to pay back the $169 million he stole. U.S. v. Seleznev, no. 2:11-cr-00070 (W.D. Wash. Apr. 21, 2017).
State Legislative Action
Arizona SB 1314, a bill to protect student data privacy, was signed into law.
The Illinois Senate passed SB 1502, known as the Right to Know Act, that would require websites and apps to notify consumers about what data they collect and to whom they sell the data.
Tennessee SB 547, signed by the Governor and enrolled as Public Chapter 91, amended the State’s data breach notification law by no longer requiring personal notification if the data was encrypted.
Washington HB 1717, a bill addressing the collection of biometric data, passed both houses and has been sent to the Governor for signature. The bill provides that such data may not be collected without notice and consent.
Privacy Law Initiatives in the Attorney General Community
Kansas Attorney General Derek Schmidt sued Alta Care Corporation, d/b/a Pinecrest Nursing Home, for failing to secure patient records containing patient information. The court issued a temporary order requiring the company to follow state law governing handling of personal records and authorized Attorney General Schmidt to take possession of all personal records to prevent further risk.
New Jersey Attorney General Christopher Porrino announced that Tierra Slade, a former case worker for the Rutgers University Regional Child Care Resource and Referral Agency, was sentenced to 364 days in jail as a condition of 12 months of probation after pleading guilty to stealing the identity of a client to open a credit card account.
Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail email@example.com.