Privacy Law Newsletter Nov - Dec 2015
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
Privacy Law News Updates
FAA Issues Small Drone Registration Process
The Federal Aviation Administration (FAA) issued its registration process for small unmanned aircraft, which provides that current drone users have until February 19, 2016 to register. The mandatory registration fee is $5, but the fee will be waived through January 20, 2016 to encourage quick registration. When the rule takes effect on December 21, 2015, new drone users will have to register before their first outdoor flight. Registration can be completed online at http://www.faa.gov/uas/registration/ or on paper.
Comments Sought on Draft Mobile Security Guide
The National Cybersecurity Center of Excellence (NCCoE) is seeking comments on a draft guide intended to help organizations better manage and secure their mobile devices. The draft, “Mobile Device Security: Cloud & Hybrid Builds,” details best practices and provides instructions for integrating mobile device security solutions into existing information technology infrastructures. The comment period ends on January 8, 2016. The draft guide may be accessed at https://nccoe.nist.gov/projects/building_blocks/mobile_device_security.
FCC Denies Petition Forcing Websites to Honor Do Not Track Requests
The Federal Communications Commission (FCC) denied a petition filed by Consumer Watchdog that would have required websites to honor Do Not Track requests by consumers. The petition proposed a rule whereby a provider offering a first-party online service that received a Do Not Track request would be prohibited from selling, sharing or otherwise transferring the requestor’s personal information to any other entity, including a third-party online service. A copy of the FCC’s order may be accessed at https://news.fcc.gov/document/bureau-dismisses-petition-regulate-edge-provider-privacy-practices.
FCC Fines Cox Communications for Failure to Secure Data
The FCC fined Cox Communications $595,000 for its alleged failure to secure data resulting in a data breach incident in 2014. A third party pretending to be from Cox’s IT department convinced a Cox customer service representative and Cox contractor to enter their account IDs and passwords into a fake website, thereby gaining access to the personal information of Cox customers. The order may be accessed at http://transition.fcc.gov/Daily_Releases/Daily_Business/2015/db1105/DA-15-1241A1.pdf.
Verizon Releases Findings on Data Breaches of Health Data
Verizon Enterprise Solutions released findings from its first Protected Health Information (PHI) Data Breach Report, revealing that 90 percent of industries have experienced a PHI data breach. For this report, PHI is defined as personally identifiable health information on an individual covered by a data breach disclosure law. Of the 20 sectors studied, only the utilities and management industries had no reported PHI breaches. The report examined incidents from 25 countries and analyzed 1,931 incidents. One area of difference between PHI data breaches and other breaches is that the number of internal and external attackers is nearly equal, meaning there is a great deal of insider misuse of PHI. The report may be accessed at http://www.verizonenterprise.com/info/optin.
Survey: State CIOs Release Top 10 Priorities
The National Association of Chief State Information Officers (NASCIO) released the results of its top 10 priority and technology survey of its members, noting that security again tops the list of priorities. Notably, members listed business intelligence and data analytics, as well as enterprise vision and a roadmap for IT, among their top 10 priorities, with broadband and mobility no longer among their most important issues. The survey results may be accessed at http://www.nascio.org/topten.
Study: Delete the Ghost Data
In an examination of 122 pieces of used equipment (mobile devices, hard drives and solid state drives) purchased online from Amazon, eBay and Gazelle.com, 48 percent of the hard drives and solid state drives contained residual data, while thousands of emails, call logs, texts/SMS/IMs, photos and videos from previous users were retrieved from 35 percent of the mobile devices, according to a study conducted by the Blancco Technology Group and Kroll Ontrack. The study further found that 57 percent of used mobile devices and 75 percent of used hard drives had unsuccessful deletion attempts previously made on them before their sale. The study may be accessed at http://www.krollontrack.com/information-management/data-erasure-solutions/data-security-study.
FTC Approves Facial Technology System Under COPPA
The Federal Trade Commission (FTC) approved a new facial recognition-based technology to comply with the Children’s Online Privacy Protection Act (COPPA), under which parents using the technology may consent by submitting a picture of their government-issued ID and a picture of themselves (a selfie). The technology was developed by Jest8 Ltd, trading as Riyo. The application approval may be accessed at https://www.ftc.gov/system/files/documents/public_statement/881633/151119riyocoppaletter.pdf.
HHS OIG Unveils 2016 Investigation Plans
The Office of Inspector General (OIG) of the U.S. Department of Health and Human Services (HHS) unveiled its investigative plans for 2016, describing more than 40 new inquiries, including cybersecurity of medical devices. In particular, the OIG will be looking into whether the Food and Drug Administration’s oversight of network-connected medical devices at hospitals is sufficient to effectively protect associated electronic protected health information and ensure beneficiary safety. The OIG is also planning a broad inquiry into protection of electronic protected health information by the HHS Office for Civil Rights, which enforces the privacy and security provisions of HIPAA. The plan may be accessed at http://oig.hhs.gov/reports-and-publications/archives/budget/files/FY2016_HHSOIG_Congressional_Justification.pdf.
European Union Members Agree on Cybersecurity Law
European Union members agreed to their first broad cybersecurity law that will require online companies, such as Google and Amazon, to report serious data breaches or face sanctions. The new Network and Information Security Directive sets out security and reporting obligations for companies in critical sectors, such as transport, energy, health and finance. Those companies will have to ensure that the digital infrastructure they use to deliver essential services, such as traffic control or electricity grid management, is robust enough to withstand cyber attacks. Within these sectors, each member state will identify the operators providing essential services, based on criteria set forth in the directive. The regulations will subject multinational companies to fines of up to four percent of their annual global revenue. The law will replace a patchwork of 28 differing sets of privacy laws, but must be definitively approved by the European Parliament and European Union governments before becoming effective in two years.
Recent Court Decisions/Settlements on Privacy Issues
Ninth Circuit: Facebook Can Use Minors’ Likenesses in Ads
The Ninth Circuit Court of Appeals affirmed that Facebook can use the likenesses of minor users in ads, finding that the terms and conditions the minors accepted when they signed up to use Facebook’s services did not involve any personal property rights, which would be required to invalidate a contract under California Family Code. The minors had sued Facebook, claiming they had an intellectual property right in their names and likenesses and that their contract with the company was void. The case is C.M.D. v. Facebook, Inc., 2015 U.S. App. LEXIS 18939 (9th Cir. Oct. 30, 2015).
Wyndham Settles FTC Suit Over Data Breaches
The Federal Trade Commission (FTC) entered into a settlement with Wyndham Worldwide Corp., resolving its lawsuit in the U.S. District Court for the District of New Jersey accusing the company of maintaining lax data security practices that led to three separate data breaches. Under the settlement, Wyndham will establish a comprehensive information security program designed to protect cardholder data and undergo annual audits.
NLRB: Installing GPS on Employee’s Co. Truck Doesn’t Violate Labor Laws
The National Labor Relations Board (NLRB) found that Shore Point Distribution Co., a New Jersey-based alcoholic beverage distributor that fired a unionized employee for stealing time, did not violate labor laws by installing a GPS tracking device on the employee’s company truck to assist a private investigator following him. The NLRB advisory letter in the case may be accessed at https://www.nlrb.gov/case/22-CA-351053.
High Court Declines to Hear Cell Phone Search Appeal
The U.S. Supreme Court declined to hear a Fourth Amendment challenge to the use of cell phone records to track the location of a man convicted of armed robbery. The petitioner is Quartavious Davis, who was sentenced to 162 years in prison for 2010 armed robberies in Miami when he was in his teens. Davis had argued that the Fourth Amendment protection against unreasonable searches and seizures should require the government to obtain a warrant before tracking cell phone location data. The government had countered that the Fourth Amendment protects against warrantless searches only when the defendant has an expectation of privacy, which Davis lacked as he allowed his cell phone provider access to the data. The case is Davis v. U.S., no. 15-146 in the Supreme Court.
Supreme Court Declines to Hear Appeal Over Negative Yelp Review
The Supreme Court declined to hear a petition by Westlake Legal Group, appealing a ruling by the Fourth Circuit upholding the dismissal of its defamation suit against Yelp and an online reviewer. The Fourth Circuit had affirmed a ruling by a Virginia federal court finding that Westlake’s claims were barred by the Communications Decency Act. Westlake alleged that Yelp had recklessly published a critical review without regard for whether the statements made were true. The case is Westlake Legal Group v. Yelp Inc., case no. 15-358 in the Supreme Court.
Damages Awarded Under State Law for Unwanted Taxi Service Texts
The U.S. District Court for the Western District of Washington ruled that Torrey Gragg, who accused the Orange Cab Co. and its ride-hailing app, RideCharge Inc., of sending unwanted commercial text messages, is entitled to $500 in statutory damages. The court determined that the companies violated Washington’s Commercial Electronic Mail Act (CEMA) by soliciting Gragg to sign up for RideCharge’s TaxiMagic app instead of simply notifying him about his ride. The CEMA violation made Gragg eligible for a $500-per-violation claim under the state Consumer Protection Act, since CEMA itself provides only injunctive relief. The case is Gragg v. Orange Cab Co., 2015 U.S. Dist. LEXIS 151850 (W.D. Wash. Nov. 9, 2015).
Panel Vacates Dismissal of Privacy Claims Against Google
A Third Circuit Court of Appeals panel vacated a portion of the dismissal of a multi-district privacy lawsuit against Google Inc., rejecting the finding by the U.S. District Court for the District of Delaware that Google’s practices did not constitute an egregious breach of social norms needed to establish an invasion of privacy case. The lawsuit accuses Google of unlawfully bypassing browser privacy settings to track Internet usage. While the panel’s ruling upheld the dismissal of most of the claims, including those under the Wiretap Act, the Computer Fraud and Abuse Act, ECPA and the California Invasion of Privacy Act, the Third Circuit panel’s decision revives the claims under the California Constitution and tort law. The case is In re Google Inc. Cookie Placement Consumer Privacy Litigation, 2015 U.S. App. LEXIS 19581 (3rd Cir. Nov. 10, 2015).
Ed. Note: On December 10, 2015, the Third Circuit denied a request for an en banc rehearing.
FTC Data Security Suit Against LabMD Dismissed
An administrative law judge dismissed the Federal Trade Commission’s (FTC’s) data security suit against LabMD, ruling that the FTC failed to show that LabMD’s alleged conduct had caused harm to consumers. The FTC had alleged that LabMD’s failure to institute reasonable data security constituted an unfair trade practice because it was likely to cause substantial injury to consumers, focusing on two specific security incidents. The first incident involved an insurance aging report found to be publicly available on peer-to-peer file-sharing site Limewire. The second incident involved patient day sheets found in the hands of suspected identity thieves. The case is In the Matter of LabMD Inc., docket no. 9357 at the Office of Administrative Law Judges at the FTC.
Car-Hacking Claims Against Auto Makers Dismissed
The U.S. District Court for the Northern District of California granted motions to dismiss filed by Toyota, General Motors and Ford in a suit accusing the auto manufacturers of leaving their vehicles’ computers vulnerable to hackers, ruling that the speculative risk of being hacked in the future could not be considered an injury in fact. The 227-count complaint had alleged fraud, false advertising and violations of consumer protection laws. The case is Cahen v. Toyota Motor Corp., 2015 U.S. Dist. LEXIS 159595 (N.D. Cal. Nov. 25, 2015).
U of Washington Medical School Settles Data Breach Allegations
The University of Washington School of Medicine has agreed to pay $750,000 to the U.S. Department of Health and Human Services (HHS) to resolve allegations that the school failed to adequately protect electronic patient records, in violation of HIPAA. The agreement resulted from HHS’ investigation into an October 2013 incident where a medical school employee opened an email attachment containing malware and exposed the private information of 20,000 patients. The resolution agreement and corrective action plan may be accessed at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/uwm/index.html.
Appeals Court Declines Reconsideration of Video Privacy Protection Act Case
The Eleventh Circuit Court of Appeals declined to reconsider en banc its decision finding that the Cartoon Network did not violate the Video Privacy Protection Act by disclosing information about users of its mobile app without their consent. The court ruled that a person who uses a free app cannot be considered a subscriber within the meaning of the Act. The original case is Ellis v. The Cartoon Network, Inc., 803 F.3d 1251 (11th Cir. Oct. 9, 2015).
Privacy Legislation Update
New Jersey Governor Chris Christie signed A3636 into law, a bill which creates an exemption to the marital and civil union partnership privilege when both partners are accused of jointly participating in an alleged crime. The bill has been codified as Chapter 138 and was effective upon signing on November 9, 2015.
The U.S. House of Representatives passed HR 3361, the DHS Insider Threat and Mitigation Act, on November 2, 2015. The bill directs the U.S. Department of Homeland Security to establish an insider threat program to provide training to its personnel, provide investigative support for threats and conduct mitigation activities for threats. The bill has been referred to the Senate Committee on Homeland Security and Governmental Affairs.
House Passes Cybersecurity Assistance to States Bill
The House also passed HR 3869, the State and Local Cyber Protection Act, which would require the U.S. Department of Homeland Security (DHS) to provide information on system vulnerabilities to state or local governments upon request. DHS would also be required to provide training on cybersecurity and respond to requests for technical assistance on the use of technology to investigate cyber threats. The bill has been forwarded to the Senate Committee on Homeland Security and Governmental Affairs.
Initiatives from the Attorney General Community
Nine Attorneys General wrote a letter to the leadership of the largest credit card issuers, urging them to expedite the implementation of full chip and PIN technology, which is widely considered a more secure means of processing credit card transactions. The letter, sent to the chief executives of MasterCard, Visa, Discover Financial Services, Bank of America, Capital One, Citigroup, American Express and JP Morgan Chase, advocated that chip-enabled cards be reinforced with the requirement that consumers enter a PIN to verify the transaction. The signatories to the letter were the Attorneys General of Connecticut, the District of Columbia, Illinois, Maine, Massachusetts, New York, Rhode Island, Vermont and Washington.
California Attorney General Kamala Harris joined Alameda County District Attorney Nancy O’Malley to announce a settlement with Comcast Data Communications LLC, resolving allegations that Comcast both discarded records without first omitting or redacting private customer information and also disposed of hazardous waste. Under the final judgment, Comcast must pay $19.85 million in civil penalties and costs, as well as an additional $3 million which will fund projects furthering environmental and consumer protection and enforcement. Comcast will also provide CalRecycle with $2.26 million in airtime over a four-year period, as well as $150,000 to develop and produce public service announcements to educate the public on the proper handling and disposal of hazardous waste. Lastly, Comcast will spend $700,000 to enhance environmental compliance and will be prohibited from violating these laws under the terms of a permanent injunction. The Department of Toxic Substances Control and the State Highway Patrol assisted with the investigation.
Connecticut Attorney General George Jepsen announced that Hartford Hospital and the EMC Corporation will pay $90,000 and have agreed to institute additional training and controls to resolve an investigation into the 2012 theft of a laptop containing encrypted patient information. Under the assurance of voluntary compliance, the hospital and EMC are required to submit a report in one year to demonstrate their implementation of the corrective measures. Assistant Attorneys General Thomas Ryan and Matthew Fitzsimmons, head of the Privacy and Security Department, handled the matter.
Hawaii Attorney General Doug Chin announced that Kawika Figueroa, a former Hawaii Airlines ramp agent, was sentenced for violation of privacy in the first degree. Figueroa placed a cell phone in the ceiling of the women’s locker room to record female employees in the shower. An investigation by Attorney General Chin’s Office and the Sheriff’s Division led to the discovery of the recorded video on Figueroa’s cell phone. Figueroa was placed in the Hawaii Opportunity Probation and Enforcement (HOPE) program for four years and ordered to serve 30 days in jail, perform 100 hours of community service, enter a sex offender treatment program and pay restitution.
Illinois Attorney General Lisa Madigan announced that Donella Watkins and her husband, Sammie Watkins, both former Chicago Transit Authority (CTA) employees, were sentenced for a scheme to steal from the CTA’s deferred compensation program by submitting fake death certificates for their living children to create an “emergency need” for funeral expenses. They also stole the identities of former co-workers and submitted false withdrawal forms on their behalf without the employees’ knowledge. The cases were referred to Attorney General Madigan’s Office by the Office of the Executive Inspector General. The investigation was conducted by Attorney General Madigan’s Public Integrity Bureau with assistance from the Illinois Department of Revenue’s Criminal Investigation Division. Bureau Chief David Navarro, Assistant Attorney General Christina Chojnacki and Associate Director James Forger handled the cases.
Indiana Attorney General Greg Zoeller launched the “Freeze Identity Thieves” public awareness effort, encouraging consumers to sign up for a credit freeze to prevent any new lines of credit from being opened unless the credit freeze is lifted. The campaign is financed with settlement funds received by Attorney General Zoeller’s Office for violations of state consumer protection laws and required by the court to be used for consumer education.
Missouri Attorney General Chris Koster’s Office filed a lawsuit in federal court against Illinois-based Automated Professional Marketing, LLC; Safety Publications, Inc.; and co-owners Adam Hardman and Arthur Olivera, for calling consumers after they requested not to be contacted and making calls to cell phones using an automated dialing system. According to the suit, calls were made to residents on the No-Call list to solicit charitable donations and, despite telling consumers that the donations would go directly to the charity, the telemarketing company retained 80-86 percent of the donations.
New York Attorney General Eric Schneiderman announced a settlement under HIPAA with the University of Rochester Medical Center (URMC) in response to a data breach, which occurred when a URMC nurse practitioner gave a list containing the personal information of 3,403 patients to her future employer, Greater Rochester Neurology. The settlement requires URMC to train its workforce on policies and procedures related to protected health information, notify the Attorney General of future breaches and pay a $15,000 penalty. The investigation was conducted by Assistant Attorney General Brant Campbell and Volunteer Assistant Attorney General Laura Puhala of Attorney General Schneiderman’s Health Care Bureau and Assistant Attorney General Herbert Israel and Volunteer Assistant Attorney General Stephen Mindell of Attorney General Schneiderman’s Consumer Frauds Bureau.
Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail firstname.lastname@example.org.