Privacy Law Newsletter October 2017

The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.

Notable Developments

· Yahoo announced that a 2013 data breach thought to have impacted more than one billion user accounts actually affected every account, which was approximately three billion accounts at that time. Yahoo said the stolen information may have included names, email addresses, phone numbers, dates of birth, passwords and security questions and answers.

· The IRS suspended a $7.25 million contract with Equifax involving taxpayer identity verification, following questioning from Congress as to why the company got a contract after it suffered a massive security breach that impacted 145 million people. The contract was a sole-source order, so other bidders were not considered. In other IRS news, the agency launched a cybersecurity campaign to help tax professionals comply with their obligation to protect sensitive taxpayer information. The campaign consists of a series of news releases, each of which addresses a topic such as ransomware or phishing emails, as part of the Protect Your Clients, Protect Yourself partnership between the IRS, state tax agencies and the private sector.

· Global accounting firm Deloitte confirmed it was the victim of a cyberattack believed to have compromised emails and sensitive business data, although the firm claimed “very few” clients were impacted. The company said the hackers gained access through an email platform, and that it had implemented a comprehensive security protocol after discovering the intrusion.

· The personal data of more than 1,100 pro football players and agents was exposed as the result of a misconfigured online database operated by the NFL Players Association, according to a post from cybersecurity company Kromtech Alliance. Kromtech notified the domain operators of the exposure, and the database has since been secured.

· The SEC announced the creation of a unit to combat cyber-related offenses as well as a task force to protect investors from fraud, such as pump-and-dump schemes. The announcement comes just days after the SEC revealed that its electronic filing system for company disclosures had been hacked and that the perpetrators may have traded on the information they gleaned. In other SEC news, the agency’s inspector general issued a report finding the Commission overpays for IT work and faces ongoing security vulnerabilities.

· Piriform, a U.K.-based software company, said it is working with U.S. law enforcement after hackers compromised its computer cleaning software used by more than two million people. A company statement said the problem had been resolved and it believed that none of its users were harmed.

· The Defense Department’s Defense Security Service issued a memo ordering federal contractors who participate in the National Industrial Security Program and use classified information systems to stop using products made by AO Kaspersky Lab because of potential security risks.

· Fast food restaurant chain Sonic Drive-In’s operating company confirmed a data breach at its burger eateries potentially affecting millions of consumers’ data and credit cards. The company has about 3,500 restaurants in 45 states, but is in the process of determining how many or which of them are affected.

· The Consumer Financial Protection Bureau (CFPB) proposed limiting the information that lenders will have to disclose under the Home Mortgage Disclosure Act in an effort to protect the identities of borrowers. Under the proposal, the Bureau would eliminate certain data fields that banks report, including property addresses and borrowers’ credit scores, from the information that is disclosed publicly under the Act. In other CFPB news, the CFPB inspector general issued a report that concluded the agency needs to improve its handling of consumers’ personal data and confidential investigation information, as current data protection practices could put sensitive details at risk.

· Apple issued its semi-annual report on legal requests for customer information made by governments and private parties in the first half of 2017, saying it had received its largest number ever of national security requests. Those requests, numbering between 9,000 and 9,249, include both national security letters and court orders.

· The U.K. presented a white paper of its proposals for a new security treaty with the European Union (EU) following its exit from the EU. It proposes to stay within Europol, the EU’s law enforcement agency, where it has played a central role. The paper also identifies other areas in which the U.K. would like to remain active, including the Financial Intelligence Units (FIUs), which aid in the analysis of suspicious transaction reports.

· The European Commission released a package of policies designed to enhance the EU’s cybersecurity capabilities, including plans for a new EU-level cybersecurity agency to assist member states in dealing with cyberattacks. The plans also include the implementation of a more standardized criminal law response to such attacks.

Recent Court Decisions/Settlements

· The U.S. Supreme Court granted certiorari in Byrd v. U.S., a rental car driver’s challenge to a warrantless search of the vehicle which police justified on grounds that he wasn’t on the rental agreement. Federal circuit courts and state courts are deeply divided on the issues in the case.

· The Supreme Court also denied a petition challenging a Florida constitutional amendment that gives individuals the right to access incident reports from health care facilities regarding adverse medical events. Petitioner Southern Baptist Hospital of Florida had argued the federal Patient Safety Act preempted the state law. Southern Baptist Hospital of Florida, Inc. v. Charles.

· The D.C. Court of Appeals reversed the conviction of Prince Jones for robbery and sexual abuse, ruling that law enforcement must obtain a search warrant before deploying cellphone tracking devices known as Stingrays. The court agreed with defendant’s argument that cellphone users have a reasonable expectation of privacy in their location data. Jones v. U.S.

· The U.S. District Court for the District of Columbia dismissed multidistrict litigation brought against the U.S. Office of Personnel Management and contractor KeyPoint Government Solutions over a massive data breach that compromised the personal data of 21.5 million current, former and prospective government employees. The court concluded that the plaintiffs had not pled an actual injury beyond the theft of the data that would allow them to establish Article III standing. In re: U.S. Office of Personnel Management Data Security Breach Litigation.

Legislative Update

· The D.C. Council, at the request of Attorney General Karl Racine, forwarded B22-473 to the Mayor, legislation that would restrict, on an emergency basis, a credit reporting agency’s authority to charge consumers for security freezes.

· The U.S. Senate passed S. 770, a bill sponsored by Senator Brian Schatz (D-HI) that would require the National Institute of Standards and Technology (NIST) to consider small businesses when it develops guidelines and procedures to reduce cyber risks. The House passed a similar bill, H.R. 2105, sponsored by Representative Daniel Webster (R-FL).

Privacy Initiatives in the Attorney General Community

· Thirty-eight Attorneys General sent letters to credit reporting agencies Experian and TransUnion urging them to immediately stop charging fees for credit freezes on consumer accounts in light of the Equifax data breach.

· Nebraska Attorney General Doug Peterson announced his office will partner with the DHS “Stop. Think. Connect.” public awareness campaign to increase understanding of cyber threats and encourage the public to be more secure online.

· Vermont Attorney General T.J. Donovan reached a settlement with technology company SAManage USA regarding a security breach involving the Social Security numbers of 660 Vermont Health Connect users. The company agreed to a penalty of $264,000, calculated at $400 per Social Security number compromised, and will alter its information security and legal compliance programs to prevent a recurrence.

· Washington Attorney General Bob Ferguson released his second annual Data Breach Report, which found that data breaches affected nearly three million state residents for the year ending June 2017 – more than six times the number impacted during the previous year.


Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail hlitwin@naag.org.
