The National Attorneys General Training & Research Institute
Privacy Law Newsletter November 2016
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
Developments in Privacy Law
FTC Issues Guide on Responding to Data Breaches
The Federal Trade Commission (FTC) released a 16-page guide for businesses, which includes a three-minute video and blog post, on how to handle a data breach. The recommendations include taking all affected equipment offline immediately, monitoring all access points to the system and potentially changing affected credentials. The guide may be accessed at https://www.ftc.gov/tips-advice/business-center/guidance/data-breach-response-guide-business.
DOT Issues Best Practices Against Car Cyber Attacks
The National Highway Traffic Safety Administration of the U.S. Department of Transportation (DOT) released a list of best practices for automobile and automobile software manufacturers to ensure cars that will be connected to the Internet and other vehicles are designed to protect against cyberthreats. The agency recommended the industry adhere to the cybersecurity framework protocol released by the National Institute of Standards, including identifying top risks, protecting vehicle control systems and ensuring hacks are detected and addressed.
FCC Approves Privacy Rules for ISPs
The Federal Communications Commission (FCC) approved by a vote of 3-2 rules for Internet service providers for the sharing of customer data. The new rules require providers to obtain opt-in consent to use and share sensitive customer information, including financial data and geolocation. The FCC also banned “take it or leave it” offers forcing consumers to choose between providing their data and receiving service or being denied service.
FinCEN: Banks Required to Report Cyber Attacks
The Financial Crimes Enforcement Network (FinCEN) issued an advisory reminding financial institutions they are required to submit suspicious activity reports about unauthorized attempts to access their electronic systems and other resources, whether or not such attempts are successful. According to FinCEN, a report is necessary if the bank determines that the activity was meant to affect any potential or completed transaction over the $5,000 threshold.
New OCC Office to Help Develop Financial Technology
The Office of the Comptroller of the Currency (OCC) will create an Office of Innovation aimed at assisting financial institutions and related companies develop financial technology products and services in compliance with federal law. Set to open in the first quarter of 2017, the office will have open hours where banks and technology firms can come in to discuss new products and can also partner with banks on pilot projects.
Report: Ransomware Attacks Hit Retail, Financial Industries Hard
Ransomware attacks against the financial services, retail and hospitality industries have been much higher this year than previously, according to a report by data breach response insurance firm Beazley. The Beazley Breach Insights Report further revealed that of the nearly 1,500 data breaches the insurer has handled during the first three quarters of this year, one-third were the result of hacking or malware attacks. The report may be accessed at https://www.beazley.com/documents/Insights/201610-ransomware-attacks-set-to-quadruple-in-2016.pdf.
St. Jude to Convene Advisors on Medical Device Cybersecurity
St. Jude Medical is finalizing an advisory board to assist its efforts to improve the cybersecurity technology necessary to protect users of its medical devices. The board will provide feedback from physicians and medical experts on how best to minimize cybersecurity risks. The formation of the board is in response to a report discussed in last month’s issue of the NAGTRI Privacy Law Newsletter that outlined cybersecurity weaknesses in St. Jude’s heart-regulating devices.
EU Warns Facebook, Yahoo Over Data Sharing
European Union data protection regulators, known as the Article 29 Working Party, sent separate letters to Facebook and Yahoo, warning Facebook to address serious concerns over WhatsApp’s plan to share user data with its parent company, and warning Yahoo about its handling of a 2014 data breach, stressing the need to devote significant resources to understanding all aspects of the breach and the need to notify affected parties quickly.
Recent Privacy Law Court Decisions/Settlements
Court Holds Backpage Lacks Standing to Challenge SAVE Act
The U.S. District Court for the District of Columbia granted the government’s motion to dismiss Backpage.com, LLC’s challenge to the Stop Advertising Victims of Exploitation (SAVE) Act of 2015, ruling that it lacked standing to challenge the constitutionality of the Act, which bars the advertising of sex with minors or those forced into sex, because the website failed to allege a sufficient injury in fact. Backpage had sued the U.S. Attorney General alleging that portions of the Act were unconstitutionally vague and overbroad. The case is Backpage.com LLC v. Loretta E. Lynch in her official capacity, no. 1:15-cv-2155 (D.D.C. Oct. 24, 2016).
Pa. High Court Upholds State Employees’ Privacy Rights
The Pennsylvania Supreme Court reversed a lower court decision, siding with the State Education Association, a union representing public schoolteachers in the State, that teachers’ home addresses were exempt from release under the Right to Know Act. The case is Pennsylvania State Education Association v. Commonwealth of Pennsylvania, nos. 11 MAP 2015 and 22 MAP 2015 (Pa. Oct. 18, 2016). The team representing the Commonwealth included Chief Deputy James Barker of the Pennsylvania Attorney General’s Office.
Banks in Kmart Data Breach Suit Ask Again for Settlement Approval
The U.S. District Court for the Northern District of Illinois was asked for a second time by a proposed class of banks headed by Greater Chautauqua Federal Credit Union to approve a settlement in which Kmart agreed to pay $5.2 million to resolve accusations that Kmart was using outdated security measures when it was hacked in 2014. The case is Greater Chautauqua Federal Credit Union v. Kmart Corp., no. 1:15-cv-2228 (N.D. Ill. Oct. 24, 2016).
Court of Justice: EU Privacy Law Governs IP Addresses
The European Court of Justice, Europe’s highest court, ruled that dynamic Internet protocol addresses requiring help from service providers to link to individuals are considered personal information under the European Union’s data protection laws, but also found that websites can collect such data to prevent cyberattacks. The case is Breyer v. Bundesrepublik Deutschland, no. C-582/14 in the Court of Justice, Oct. 19, 2016.
Privacy Law Initiatives in the Attorney General Community
Fifteen Attorneys General entered into a multistate settlement in which Adobe Systems Inc. agreed to pay $1 million to resolve an investigation into a hack of the software company’s servers in 2013 that put at risk the personal information of half a million people. The agreement requires Adobe to implement new policies and procedures to prevent future breaches.
Washington Attorney General Bob Ferguson released a report detailing the sources and impacts of data breaches reported to the Attorney General’s Office, as mandated under new requirements adopted by the legislature. According to the report, 39 data breaches met the reporting threshold of 500 affected citizens.
Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail email@example.com.