The National Attorneys General Training & Research Institute
Privacy Law Newsletter November 2017
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
- Hyatt Hotels announced that malware had infiltrated its systems and accessed the credit card information of customers who paid at the front desks of 41 of its hotel locations in 11 countries. Hyatt’s cybersecurity team was unable to produce a list of affected guests, and advised customers who stayed in the compromised hotels to review their credit card statements.
- Pizza Hut issued a notice that a "temporary security intrusion" compromised the payment card information and other personal data of customers who placed orders through its website or mobile app. The chain is offering impacted customers one free year of credit monitoring services.
- The FTC issued an enforcement policy statement that would allow manufacturers of voice-activated devices, such as interactive virtual assistants, toys and smartwatches, to collect audio commands from children without parental consent, as long as the child is speaking solely “as a replacement for written words,” such as performing a search, and the file is immediately deleted. The FTC further specified that the devices cannot respond to requests by asking children under 13 years of age for personal information, and that companies cannot use the files for behavioral targeting or to make a marketing profile before deleting them.
- The Government Accountability Office (GAO) denied Equifax's protest of a yearlong contract the IRS awarded to its competitor Experian for taxpayer identity and verification services. Equifax had been awarded the contract originally, but it had been rescinded following intense questioning by Congress. The GAO also rejected Northrop Grumman Systems' protest challenging a $1.15 billion DHS cybersecurity contract awarded to Raytheon.
- The Consumer Financial Protection Bureau released principles on how financial services companies can access and share sensitive data, with a goal of helping them balance their information needs without putting customers at risk. The guidelines resulted from a Bureau study on ways consumers could safely share their digital financial records held by banks and other institutions.
- The DOD announced it is reviewing its systems in order to remove any AO Kaspersky Lab products pursuant to a DHS directive to civilian agencies. Although the directive was not binding on the DOD, the department will “follow the intent” of the directive to ensure the security of its systems.
- The Financial Stability Board, which coordinates the work of national and international financial authorities, published a summary report of current cybersecurity regulations governing the global financial services sector and revealed plans to implement a new set of rules to counter the rise of hacking and digital crime. The publication noted that the Basel Committee for Banking Supervision will produce a new cyber risk policy within the next two years.
- The Financial Conduct Authority, Britain’s financial regulator, announced it is investigating the circumstances surrounding the massive Equifax cyberattack. Equifax had revealed that the data of 15.2 million U.K. consumers was stolen in the attack. In addition, Britain’s Treasury Select Committee, which oversees financial services regulators, has written to Equifax to demand answers over multiple problems with the website and hotline it set up to help victims of the breach.
- The Reserve Bank of India, India’s central bank, imposed a one million dollar fine on Yes Bank, one of the country’s largest banks, for violating its timeline rules for reporting data breaches. It found that Yes Bank failed to alert authorities within its stringent six-hour timeframe of a breach last summer when the data of 3.2 million debit card holders was compromised.
Recent Court Decisions/Settlements
- The U.S. Supreme Court agreed to review the Second Circuit’s decision quashing a search warrant issued under the SCA that would have required Microsoft to produce customer email content data housed on a server in Ireland. The Second Circuit held that the location of the data, rather than the point of disclosure, should govern the review of warrants under the SCA. In re: a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation v. US.
- The Massachusetts Supreme Court held that the SCA permits Yahoo to disclose the contents of a deceased man’s email account to the personal representatives of his estate, vacating a probate and family court ruling. The court specified that the ruling does not require Yahoo to disclose the contents, but only that the SCA does not prevent Yahoo from doing so. Ajemian v. Yahoo!, Inc.
- A Washington State Court of Appeals held that the state’s constitutional right to privacy shields state employees’ full names and corresponding birthdates from disclosure under the state’s Public Records Act. The court found that the trial court incorrectly denied motions by seven unions representing state employees for a permanent injunction prohibiting state agencies from turning the information over to the nonprofit Freedom Foundation. Washington Public Employees Assn., UFCW Local 365 v. Washington State Center for Childhood Deafness & Hearing Loss.
- A Massachusetts Appeals Court reversed a lower court order requiring the Department of State Police to provide state troopers’ birthdates to the Boston Globe for an investigative story, finding that the Department should have the opportunity to offer evidence to meet the standards set out by the Massachusetts Supreme Court in People for the Ethical Treatment of Animals Inc. v. Department of Agricultural Resources regarding when records can be withheld for public safety. Assistant Attorney General Daniel Hammond represented the Department. Boston Globe Media Partners, LLC v. Department of State Police.
- The Ninth Circuit affirmed a lower court decision requiring workplace review site Glassdoor to reveal the identities of eight users who posted anonymous reviews about a Veterans Affairs contractor under investigation by a federal grand jury. The appeals court rejected Glassdoor’s argument that complying would violate its users’ First Amendment rights to associational privacy and anonymous speech, saying the right to speak anonymously is not unlimited. In re Grand Jury Subpoena, No. 16-03-217.
- The U.S. District Court for the Northern District of Illinois granted summary judgment to Combined Insurance Co. of America against claims brought by a Dillard’s employee accusing the insurance company of exposing her private information. Plaintiff Anne Dolmage argued that a “privacy pledge” in her insurance welcome packet promised her information would be protected, but the court found the privacy pledge did not create a legally enforceable promise. Dolmage v. Combined Insurance Co. of America.
- Dwayne Hans pled guilty pursuant to a plea agreement to wire fraud and computer intrusion in the U.S. District Court for the Eastern District of New York. Hans admitted to hacking into GSA payment systems and creating phony companies to obtain government contracts.
- A Russian court in Moscow fined the Telegram instant messaging app 800,000 rubles ($14,000) for refusing to give the Russian Federal Security Service encryption keys that would allow it to decrypt users’ communications. Telegram’s CEO said the company would challenge the ruling.
- The District of Columbia enacted B22-473, which restricts, on an emergency basis, a credit reporting agency’s authority to charge consumers for security freezes on their accounts. It is codified as Act A22-155.
- The Michigan House passed HB 4973, a bill that would amend the state’s Freedom of Information Act to exempt businesses’ cybersecurity plans and assessments from disclosure. It has been forwarded to the Senate Committee on Elections and Government Reform.
- Vermont enacted S. 72, which requires telemarketers to provide accurate caller identification information. It is codified as Act 66.
- The U.S. House passed HR 3973, which would increase security requirements for market data held by the SEC and the Financial Industry Regulatory Authority. It has been forwarded to the Senate Committee on Banking, Housing and Urban Affairs.
Privacy Law Initiatives in the Attorneys General Community
- Massachusetts Attorney General Maura Healey and New York Attorney General Eric Schneiderman announced that representatives from their offices appeared before the U.S. House Financial Services Committee to urge lawmakers to refrain from preempting state laws on data breaches in the wake of the Equifax breach. Those appearing were Sara Cable, Assistant Attorney General, representing Massachusetts, and Kathleen McGee, Chief of the Bureau of Internet and Technology, representing New York.
- New York Attorney General Eric Schneiderman and Vermont Attorney General T.J. Donovan entered into a $700,000 settlement with Hilton Domestic Operating Company over its delayed notification of two security breach incidents that exposed more than 350,000 credit card numbers. Bureau of Internet and Technology Deputy Chief Clark Russell and Assistant Attorney General Noah Stein handled the case for New York; Assistant Attorney General Ryan Kriger handled the case for Vermont.
- Missouri Attorney General Josh Hawley’s office issued an investigative subpoena to Google as part of a larger investigation into whether its alleged collection of user data, use of competitors’ content and manipulation of search results violate consumer protection laws.
- Vermont Attorney General T.J. Donovan announced that the trial court ruled in favor of his office by denying the Energy and Environmental Legal Institute’s request to depose three assistant attorneys general about their private email accounts. The court also set specific, narrow limits on a proposed deposition of former Attorney General William Sorrell.
Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail firstname.lastname@example.org.