Privacy Law Newsletter May 2018
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
Privacy Developments of Note
Twitter issued a blog post and several tweets urging its 330 million users to change their passwords after a software glitch resulted in some passwords being stored in readable text on its internal computer system. Twitter said that it had resolved the problem and found no indication that passwords had been stolen or misused.
Equifax issued an SEC filing about its 2017 data breach, revealing that 3.6 million more customers than originally reported had their personal data compromised for a total of 146.6 million people affected. The filing also revealed that 56,200 passports, drivers’ licenses, security cards and taxpayer IDs were among the documents breached.
The Consumer Financial Protection Bureau (CFPB) received more than 20,000 complaints regarding Equifax in the six months after the company disclosed its massive data breach, according to a report released by Senators Elizabeth Warren (D-MA), Robert Menendez (D-NJ) and Brian Schatz (D-HI) in a letter to Acting CFPB Director Leandra English and Office of Management and Budget (OMB) Director Mick Mulvaney. The senators state that the report provides strong evidence that the CFPB must hold Equifax accountable and act quickly to protect consumers.
Facebook announced it will move responsibility for all of its users outside of the U.S. from its international headquarters in Ireland to its main offices in California, which means that those users will then be on a site governed by U.S., rather than Irish, law. The move is expected to occur before the GDPR data protection regulations take effect in Europe on May 25, 2018.
In more Facebook news, the company announced a new "Clear History" privacy feature that will allow users to view and delete identifying information that Facebook has collected about them from apps and other websites they have interacted with. The announcement, made in a blog post, said the feature will be available in a few months.
Cambridge Analytica and its affiliates filed applications to commence bankruptcy proceedings in the U.K. The company, tied to the Facebook data harvesting situation, announced it is immediately ceasing all operations.
FCC Chairman Ajit Pai said the FCC does not plan to investigate reports that Cambridge Analytica has been given subscribers’ specific viewing habits by Dish, Tivo and ComScore. Pai’s statement was made in response to Representative Debbie Dingell (D-MI), who had asked for an investigation.
The Chair of the U.K. House of Commons Digital, Culture, Media and Sport Committee wrote a letter to Facebook following the committee’s questioning of Mike Schroepfer, Facebook’s Chief Technology Officer. The letter states it found Schroepfer’s evidence unsatisfactory and called again for Facebook CEO Mark Zuckerberg to appear before the committee.
Thirty-four digital companies, including Microsoft and Facebook, signed a Cybersecurity Tech Accord in which they agreed not to assist any government in mounting cyberattacks against innocent civilians and enterprises. The Accord also commits them to come to the aid of any nation on the receiving end of such attacks, whether the motive is “criminal or geopolitical.”
Uber updated the legal terms of its "bug bounty" program of rewards for cybersecurity researchers who report software flaws in order to provide more specific guidance on what is “good faith” vulnerability research. The terms also provide clearer guidance on what steps to take if they come across user data during their investigations.
The FTC sent letters to China-based app developer Gator Group and Sweden-based app developer Tinitell putting them on notice that they may be in violation of COPPA by collecting geolocation data from children without their parents’ permission. Gator Group still advertises an app and device called the Kids GPS Gator Watch, although Tinitell has stopped selling like devices.
The FTC is seeking public comment to its proposed modification to its system of records notices under the Privacy Act to ensure it can disclose records to another agency in the event of a data breach. Comment forms must be submitted by May 25, 2018.
The Sedona Conference Working Group 11 on Data Security and Privacy published the public comment version of its Commentary on Data Security and Privacy Issues in Mergers & Acquisitions. The Commentary approaches issues from the perspective of the buyer and includes an appendix with sample representations and warranties. It can be accessed at https://thesedonaconference.com/publications.
A working group consisting of the New York Bar Association, the International Institute for Conflict Resolution and the International Council for Commercial Arbitration released a draft cybersecurity protocol that offers guidelines for international arbitration. It is intended to provide a framework that arbitrators can use to ensure compliance with best practices to reduce cybersecurity risk.
SunTrust Banks revealed that a former employee may have stolen the personal data of 1.5 million clients, including client names, addresses, phone numbers and account numbers. SunTrust said it will offer free identity protection for all affected clients on an ongoing basis.
Portable oxygen device manufacturer Inogen disclosed it experienced a data breach and is notifying 30,000 current and former customers about the incident. The company advised the SEC that outsiders had gained unauthorized access to an Inogen employee’s email account, and those emails may have contained personal information about its customers.
Online messaging service WhatsApp announced it is raising its minimum age requirement from 13 to 16 years in the European Union (EU) in advance of the EU’s new data protection rule taking effect. Users will be required to verify their age under their new terms of service.
The FCC issued a Notice of Proposed Rulemaking seeking comment on a rule that, going forward, no Universal Service Fund subsidies may be used to purchase equipment or services from any company posing a national security threat to the integrity of communications networks or supply chains. Comments are sought on the types of equipment and services to be covered; how the FCC should identify, and then notify Fund recipients of, which suppliers are covered; and the costs and benefits of the Rule.
DOD issued a directive that military exchanges will no longer sell Huawei and ZTE cellphones and telecommunications equipment. The directive to the exchanges, which sell goods to service members and their families, cited “potential security concerns.”
In other DOD news, the DOD Inspector General issued a report on the protection of patient health information at Navy and Air Force military treatment facilities, finding that some of the facilities do not reliably ensure that sensitive patient information is protected from intrusion and inadvertent disclosure.
IBM Security published its third annual Study on the Cyber Resilient Organization, which includes insights from more than 2,800 security and IT professionals on the cybersecurity readiness of worldwide businesses. Among its findings, 77 percent of respondents admitted they do not have a formal cybersecurity incident response plan that is applied consistently across their organization.
Data breach insurance company Beazley released a breach briefing report in which it warned companies using cloud-based business products of the rise in the number of hacks and attempted intrusions on such products. The report said many such intrusions are through phishing emails about help desk alerts or surveys.
Security firm Positive Technologies released a report on social engineering, which posits that employees are the weak link in any organization’s cybersecurity plan. It found that phishing was the most effective form of social engineering attack, as 27 percent of its study recipients clicked on a phishing link. The report highlights the need for organizations to implement continuous employee security training.
Microsoft released its latest biannual Law Enforcement Requests Transparency Report which shows that the company received 23,000 requests from law enforcement agencies worldwide for access to its customers’ data during the second half of 2017. That represents the lowest number of requests since Microsoft began issuing its transparency reports.
The National Institute of Standards and Technology (NIST) released Version 1.1 of its Framework for Improving Critical Infrastructure Cybersecurity with a focus on industries vital to national and economic security. Version 1.1 includes updates on authentication and identity, self-assessing cybersecurity risk, managing cybersecurity within the supply chain and vulnerability disclosure.
The partnership between the Retail Cyber Intelligence Sharing Center (R-CISC) and cybersecurity software firm Symantec announced it will host a series of workshops across the country on practical strategies to protect against cyberattacks. Workshops have been scheduled in Columbus, Ohio; Lakeland, Florida; Brooklyn Park, Minnesota; and Dallas, Texas.
The Government Accountability Office (GAO) issued a report finding that DHS has improved its ability to resist cyberattacks on its computers and networks but still needs to take “significant actions” to safeguard the nation’s critical infrastructure.
The City of London Police launched Cyber Griffin, a new initiative to make businesses more secure from cyberattacks. Under the initiative, specially trained officers will lead a series of community-focused exercises which will include threat briefings and incident response training.
Recent Court Decisions/Settlements
The U.S. Supreme Court granted certiorari in Frank v. Gaos, No. 17-961, which addresses the fairness of an $8.5 million settlement in which class members, who are Google users alleging that Google shared their search histories, would receive none of the settlement funds while the attorneys would receive $3.2 million in fees. The Ninth Circuit had approved the settlement under which the balance of the funds would go to organizations promoting public awareness and research of privacy on the Internet.
The Irish High Court issued a judgment denying Facebook’s request for a stay in a privacy case before the European Union (EU) Court of Justice over the way it transfers data from the EU to the US. The court also criticized Facebook for trying to stall the case until Europe’s new data protection law becomes effective.
The New York Department of Financial Services announced that Goldman Sachs Group has agreed to pay a $54,750,000 fine as part of a consent order for allegedly failing to implement effective controls over its foreign exchange business and thereby allowing traders to exchange private client information with competitors in online chat rooms to inflate their profits. The consent order also requires Goldman Sachs to implement more stringent internal controls.
Medical debt collection company Medicredit entered into a class action settlement in which it agreed to pay five million dollars to resolve claims it violated the California Invasion of Privacy Act by not notifying consumers that their calls were being recorded. Raffin v. Medicredit, Inc.
The First District Court of Appeal in Florida reversed a trial court decision, ruling that a public records exemption protecting certain personal information held by the Florida Department of Financial Services for participants in two real estate insurance programs is constitutional. State of Florida, Department of Financial Services vs. Danahy & Murray, P.A.
The U.S. District Court for the District of New Jersey ordered Russian national Dmitriy Smilianets to pay $302 million to five corporate victims after he pleaded guilty in a massive data breach case targeting the NASDAQ, Dow Jones and several other companies. U.S. v. Drinkman.
The U.S. District Court for the District of Arizona held that grocery distributor McLane must give the EEOC employees’ personally identifiable information that it requested as part of an investigation into a bias charge, finding that McLane did not prove the request was overly burdensome. The case, McLane Co. v. EEOC, had previously been heard before the U.S. Supreme Court.
The U.S. District Court for the District of Massachusetts found gynecologist Rita Luthra guilty of violating HIPPA for disclosing her patients’ personal medical information to a sales representative for an Allergen subsidiary. The subsidiary planned to use the information to identify customers for its osteoporosis drug. U.S. v. Luthra.
The FTC entered into a settlement and consent order with Florida-based cellphone reseller Blu Products and its president, Samuel Ohev-Zion, resolving complaints that the company allowed China-based ADUPS Security to collect user data when it made security updates. The FTC had alleged Blu Products misrepresented to consumers that it safeguarded their data.
The SEC issued an order instituting a $35 million fine on Altaba, formerly d/b/a Yahoo!, for misleading investors by waiting two years before disclosing a massive data breach. This is the first time a penalty has been ordered against a publicly traded firm for failure to disclose a breach.
The U.S. District Court for the Southern District of Ohio has been asked to approve a settlement in a shareholder derivative suit brought by Wendy’s shareholders over claims that Wendy’s board and executives failed to uphold their fiduciary duties by making poor cybersecurity decisions following a 2015 data breach. The settlement would create a board-level technology committee with oversight of the company’s infrastructure protections. Graham v. Peltz.
Arizona Governor Doug Ducey signed HB 2154 into law which updates the State’s data breach notification law by requiring notification of a breach to the Attorney General and persons affected within 30 days. It also specifies the information to be included in the notification.
The Colorado Legislature passed HB 1128 which would require entities maintaining documents that contain personal identifying information to develop a written policy for the destruction or proper disposal of those documents when no longer needed. It also requires those entities to implement and maintain reasonable security procedures and practices.
Massachusetts Governor Charlie Baker signed S 2296 into law which seeks to protect access to confidential healthcare through use of a common payments summary form to be used by all carriers and by giving patients the right to request suppression of their summaries.
The Massachusetts legislature passed H. 4241 which eliminates consumer fees for security freezes and credit report disclosures.
Privacy Law Initiatives in the Attorney General Community
New Jersey Attorney General Gurbir Grewal and his Division of Consumer Affairs announced that Meitu, a Chinese software and consumer electronics company, has agreed to pay $100,000 and change its business practices to resolve the Division’s investigation into allegations it violated COPPA and state law in collecting personal information from children who downloaded its app. Deputy AGs Russell Smith, Jr. and Carla Pereira represented the Division on the case, which was investigated by Investigators Aziza Salikhova, Chris Spaldo, Elizabeth Perry and Walter Kaminski.
West Virginia Attorney General Patrick Morrisey filed suit against Equifax for failing to safeguard consumer information and for delaying notification to the public of a data breach that exposed their personal information.
Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail email@example.com.