The National Attorneys General Training & Research Institute
Privacy Law Newsletter September 2016
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
Developments in Privacy Law
WhatsApp to Share Customer Data With Facebook
Mobile messaging service WhatsApp changed its terms and conditions policy to start sharing customer phone numbers and other data with parent company Facebook in order to better target ads. The policy change brought strong criticism from privacy groups, as many of the groups had opposed Facebook’s acquisition of the messaging service in 2014.
U.S. Spent Millions Fighting FOIA Suits, Per GAO
The U.S. spent $1.3 million fighting 57 of the 112 Freedom of Information Act (FOIA) suits litigated from 2009 to 2014, according to a Government Accountability Office (GAO) report, although the exact amount could not be determined as some federal agencies, including the Department of Justice, do not track litigation costs. The study reported a 57 percent rise in FOIA suits from 2006 to 2015. It also noted that decisions were issued in 1,672 FOIA suits between 2009 and 2014, with plaintiffs “substantially prevailing” in 112 suits. The report may be accessed at http://www.gao.gov/products/GAO-16-667.
France, Germany Push For Access to Encrypted Messages in EU
French and German Interior Ministers announced a joint initiative to increase government access to encrypted messaging services by enacting laws in the European Union that would give law enforcement better tools to investigate terrorist attacks. The initiative urges the European Union (EU) to consider laws that would compel companies to cooperate with investigations and allow access to encrypted messages. Their plan calls for a single interface through which law enforcement could share intelligence, leads and other information.
Eddie Bauer Notifies Customers of Data Breach
Eddie Bauer notified its customers that the retailer has suffered a malware intrusion enabling hackers to access store customers’ payment card information covering the first half of 2016. The retailer is offering identity protection services to all customers who made purchases during that period. Customers who made online purchases were not affected by the breach.
Caltrans Pushes FCC on Auto Technology
The California Department of Transportation (Caltrans) filed comments with the Federal Communications Commission (FCC) urging it to deny a petition for an emergency stay on plans by automobile manufacturers to produce cars equipped with technology allowing communications among vehicles over a shared wireless spectrum. Caltrans argued that the applications under development, including intersection crash avoidance, curve speed warning, highway rail crossing warning and highway work zone warning, have the potential to minimize vehicular collisions.
DHS Plan to Collect Social Media Info Raises Concerns
More than 20 immigration and civil liberties organizations, including the American Immigration Lawyers Association, ACLU and the Electronic Frontier Foundation, sent a letter to the U.S. Department of Homeland Security (DHS) over privacy concerns about its proposal to collect social media information from visa waiver program travelers. The DHS proposal would add a question about applicants’ “online presence” to the Electronic System for Travel Authorization (ESTA) application form.
Treasury IG: IRS Failed to Notify Taxpayers of ID Theft
The U.S. Department of the Treasury Inspector General for Tax Administration issued an audit report which found that Internal Revenue Service (IRS) processes were insufficient to assist taxpayer victims of employment-related identity theft. According to the report, the IRS identified 1.1 million taxpayers over the course of five years as victims of employment-related identity theft, which occurs when someone uses another’s identity to obtain a job, but its pilot program initiative to notify victims failed to alert a representative sample and was abandoned. The report may be accessed at https://www.treasury.gov/tigta/auditreports/2016reports/201640065fr.pdf.
IRS Warns of ID Thieves Filing False Returns
The IRS warned tax professionals it has seen a surge of attacks by identity thieves who take over computers remotely and file fraudulent tax returns. The agency said there have been about 25 recent cases in which thieves have taken control of tax professionals’ computers and directed refunds to their own accounts. Tax professionals were advised to ensure that their tax preparation software had all security updates installed.
Airbnb Issues First Transparency Report
Airbnb Inc. received 188 requests from law enforcement worldwide for user data in the first half of 2016, and disclosed data in 82 cases, according to the company’s first transparency report. Airbnb, which operates in more than 350,000 cities in 191 countries, reported that the requests came from 21 different countries, with France making the most requests. The report may be accessed at http://transparency.airbnb.com/.
Recent Court Decisions/Settlements on Privacy Issues
6th Circuit: Surveillance Cos. Liable for Spying by Customers
The Sixth Circuit Court of Appeals reversed, 2-1, the U.S. District Court for the Southern District of Ohio’s dismissal of a suit against Awareness Technologies Inc., finding that manufacturers of surveillance software can be held liable under federal wiretap law for spying by a customer who purchased their software. The court reasoned that Awareness could be considered to be complicit in the interception of the plaintiff’s communications because it marketed the software for such purposes and its software captures and reroutes the communications to its own servers without any active input from the user. The case is Luis v. Zang, no. 14-3601 (6th Cir. Aug. 16, 2016).
2nd Circuit OKs GPS Tracking of NYC Cabs
A divided three-judge panel of the Second Circuit Court of Appeals affirmed the summary judgment issued by the U.S. District Court for the Southern District of New York, ruling that New York City’s requirement that all taxis be equipped with GPS tracking devices does not violate the Fourth Amendment because the taxi drivers do not have a protected privacy or property interest in a particular taxi. The suit, brought by a taxi driver, had alleged the requirement amounted to an unreasonable search. The tracking requirement, instituted in 2004, was intended to prevent drivers from overcharging passengers by using out-of-city rates within city limits. The case is El-Nahal v. Yassky, no. 14-405 (2nd Cir. Aug. 26, 2016).
NJ Court Rules Agency Can Refuse to Disclose Existence of Public Records
In a case of first impression, a New Jersey appeals court affirmed a lower court’s dismissal, ruling that, despite the State’s Open Public Records Act, a public agency could “neither confirm nor deny” the existence of public records about a person not arrested or criminally charged. The case originated from the denial of a North Jersey Media Group reporter’s public records request to the Bergen County Prosecutor’s Office for records about a purported criminal investigation of a priest on sexual abuse allegations. The case is North Jersey Media Group v. Bergen County Prosecutor’s Office, no. A-2393-1313 (N.J. Super. Ct. App. Div. Aug. 31, 2016).
Maryland Client Protection Fund Can Collect Lawyers’ SSNs
A split Fourth Circuit Court of Appeals affirmed the U.S. District Court for the District of Maryland’s judgment, ruling that the Maryland Client Protection Fund can compel even out-of-state attorneys to provide their Social Security numbers. Michael Tankersley, a Federal Trade Commission (FTC) lawyer, refused to do so for privacy reasons, and his Maryland Bar membership was suspended. The appeals court found Maryland laws require applicants for licenses in the State to provide their Social Security numbers, and the Client Protection Fund was tasked with collecting those numbers from attorneys. The case is Tankersley v. Almand, no. 15-1081 (4th Cir. Sept. 13, 2016). Assistant Attorneys General Alexis Rohde and Michele McDonald of the Maryland Attorney General’s Office represented the Fund on the brief and argument, respectively.
Uber Drivers Lose in Suit Over Background Checks
A three-judge panel of the Ninth Circuit Court of Appeals reversed an order of the U.S. District Court for the Northern District of California that denied Uber’s motion to compel arbitration. The appeals court ruled that the majority of independent driver contractors who sued Uber over background checks must individually arbitrate their claims rather than sue as a class, as Uber’s arbitration agreement with the drivers clearly delegates the question of arbitrability to the arbitrator. The cases are Mohammed v. Uber Technologies Inc., nos. 15-16178 and 15-16250 and Gillette v. Uber Technologies Inc., no. 15-16181 (9th Cir. Sept. 7, 2016).
Court OKs Wells Fargo TCPA Settlement
The U.S. District Court for the Northern District of Georgia gave preliminary approval to a class action settlement in which Wells Fargo Bank NA agreed to pay $30.4 million to resolve claims it violated the Telephone Consumer Protection Act (TCPA) by using an autodialer to call cellphones about account overdrafts. A settlement fund will be set up to compensate an estimated 6.4 million class members, with each member receiving approximately $4.75. The case is Cross v. Wells Fargo Bank NA, no. 1:15-cv-1270 (N.D. Ga. Aug. 18, 2016).
Home Depot Data Breach Settlement Approved, Fees Cut
The U.S. District Court for the Northern District of Georgia also gave final approval to a settlement in which Home Depot agreed to pay $13 million to a class of consumers who sued pursuant to a massive 2014 data breach. The court reduced attorneys’ fees awarded in the case by $1 million to $7.5 million. Claims brought by financial institutions over the breach are being litigated separately. The case is In re The Home Depot Inc. Customer Data Security Breach Litigation, no. 1:14-md-2583 (N.D. Ga. Aug. 23, 2016).
Cellphone Makers Settle Suit Over User Data Collection
The U.S. District Court for the Northern District of California gave final approval to a settlement in which Samsung, HTC and other cellphone manufacturers agreed to pay $9 million to resolve allegations that the company used software to illegally collect user data by recording keystrokes and message content. According to court documents, only 14 percent of the 30 million potential class members submitted valid claims. The case is In re Carrier IQ Inc. Consumer Privacy Litigation, no. 3:12-md-2330 (N.D. Cal. Aug. 25, 2016).
HSBC Agrees to Settlement Over Recorded Debt Collection Calls
The U.S. District Court for the Central District of California was asked to grant preliminary approval to a settlement in which HSBC Card Services Inc. agreed to pay $13 million in a proposed class action to resolve allegations it illegally recorded debt collection calls without consent. HSBC is accused of violating the California Invasion of Privacy Act by recording the conversations with account holders in the State. The case is Fanning v. HSBC Card Services Inc., no. 8:12-cv-885 (C.D. Cal. Aug. 26, 2016).
Hacker Pleads Guilty to “Sextortion”
Ryan Vallee of New Hampshire pled guilty to hacking the online accounts of several women and threatening to disseminate sexually explicit photos of them unless he received additional photos. Federal charges against him, brought by the U.S. Attorney’s Office for the District of New Hampshire, included computer hacking, extortion, aggravated identity theft and cyberstalking. The case is U.S. v. Vallee, no. 1:15-cr-115 (D.N.H. Aug. 25, 2016).
“Guccifer” Hacker Sentenced to 52 Months
The U.S. District Court for the Eastern District of Virginia sentenced Marcel Lazar, a Romanian hacker known as “Guccifer,” to consecutive terms of 28 months in prison for computer hacking and a mandatory 24 months for aggravated identity theft. Lazar admitted to hacking the accounts of 100 people, including former Secretary of State Colin Powell, and publishing their private information online. The case is U.S. v. Lazar, no. 1:14-cr-213 (E.D. Va. Sept. 1, 2016).
Yahoo to Stop Early Scanning of Users’ Emails
The U.S. District Court for the Northern District of California approved a settlement in a class action in which Yahoo Inc. agreed to stop scanning emails for advertising purposes in transit before users receive them, in violation of the California Invasion of Privacy Act. The settlement terms provide that Yahoo will only scan the content of emails after they have been sent or received and have appeared in users’ inboxes. Yahoo will also pay $4 million in attorney’s fees. The case is Holland v. Yahoo Inc., no. 5:13-cv-4980 (N.D. Cal. Aug. 25, 2016).
Google Settles Claims of Bypassing Privacy Settings
The U.S. District Court for the District of Delaware has been asked to give preliminary approval to a multidistrict settlement in which Google has agreed to pay $5.5 million to resolve litigation over its alleged practice of bypassing Internet browser privacy settings to view users’ communications and track usage. The settlement terms call for Google to make cy pres payments to the Berkeley Center for Law & Technology, the Berkeley Center for Internet & Society and other privacy groups who agree to use the funds to boost public awareness. The case is In re Google Inc. Cookie Placement Consumer Privacy Litigation, no. 1:12-md-2358 (D. Del. Aug. 29, 2016).
Dish Network Seeks to Settle Non-Disclosure of Background Checks Claims
The U.S. District Court for the Southern District of New York has been asked to approve a proposed class action settlement in which Dish Network LLC will pay $1.75 million to contractor technicians for alleged violations of the Fair Credit Reporting Act (FCRA) for failing to disclose background checks on them. The case is Ernst v. Dish Network LLC, no. 1:12-cv-8794 (S.D.N.Y. Sept. 7, 2016).
Cruise Marketers Reach Settlement in Robocall Class Action
The U.S. District Court for the Northern District of Illinois has been asked to approve a proposed class action settlement in which cruise marketing company Caribbean Cruise Line Inc. and its subsidiaries, The Berkley Group Inc. and Vacation Marketing Tours Inc., will pay up to $76 million to resolve claims they used robocalling machines to call one million people on their cell phones and landlines in violation of the TCPA. The settlement was reached two days before the beginning of trial. The case is Birchmeier v. Caribbean Cruise Line Inc., no. 1:12-cv-4069 (N.D. Ill. Sept. 8, 2016).
D&B to Settle Robocalling Class Action
The U.S. District Court for the Central District of California has been asked to give preliminary approval to a class action settlement in which business credit report firm Dun & Bradstreet Credibility Corp. has agreed to pay $10.5 million to resolve claims it conducted a robocalling campaign in violation of the TCPA. Requested attorneys’ fees are up to 30 percent of the settlement fund, capped at $3.15 million. The case is Thomas v. Dun & Bradstreet Credibility Corp., no. 2:15-cv-3194 (C.D. Cal. Sept. 8, 2016).
Godiva Class Seeks Settlement Approval
The U.S. District Court for the Southern District of Florida has been asked to approve a proposed class action settlement in which Godiva Chocolatier Inc. has agreed to pay $6.3 million for allegedly publishing more than the last five digits of consumers’ credit card numbers in violation of the Fair and Accurate Credit Transaction Act. If approved, the settlement would be the third largest under the Act. The case is Muransky v. Godiva Chocolatier Inc., no. 0:15-cv-716 (S.D. Fla. Sept. 13, 2016).
California Court Approves Citibank Settlement for Recording Calls
A California superior court gave final approval to a settlement in which Citibank agreed to pay $1.55 million to more than 400 customers for allegedly recording account services phone calls without permission, in violation of the State’s Invasion of Privacy Act. The settlement includes attorneys’ fees and costs. The case is Edery v. Citibank N.A., no. CGC 13 532035 (Cal. Super. Ct. Sept. 15, 2016).
State Legislation on Privacy Issues
A bill that would broaden the scope of “personal information” for which organizations must implement reasonable security procedures to prevent data breaches failed to pass the California Assembly. AB 83 would have added geolocation and biometric information to the data requiring privacy protections.
Privacy Initiatives in the Attorney General Community
California Attorney General Kamala Harris’ Bureau of Children’s Justice, the California Department of Education and the California Department of Social Services have jointly developed statewide guidelines to assist schools and child welfare agencies in the secure sharing of data and information of students in foster care. The guidelines are aimed at providing clarity on the scope of information that can be shared and encouraging collaboration in creating data systems for the continued sharing of information.
Missouri Attorney General Chris Koster’s Office filed suit against USA Security Promotions, a North Carolina-based telemarketer, and its manager, William Waller, for violating the State’s no-call laws. More than 70 complaints were received about the company, formerly operating as Power Home Technologies. The company made thousands of calls to residents on the no-call list, attempting to solicit home security systems. Attorney General Koster’s Office had filed a lawsuit for similar violations against Waller and another company in 2014.
New York Attorney General Eric Schneiderman’s Office reached settlements with Viacom, Inc., Mattel, Inc., Hasbro, Inc. and JumpStart Games, Inc., resolving investigations into the companies’ violations of the Children’s Online Privacy Protection Act (COPPA). The two-year investigation, “Operation Child Tracker,” found that the companies’ websites used tracking technology that illegally enabled third-party vendors to track children’s online activity. The companies have agreed to pay a combined $835,000 in penalties and implement reforms, including regular electronic scans to monitor for third party tracking technologies, adoption of procedures for vetting third party data collection practices and notices to third parties operating in COPPA-covered websites.
Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail firstname.lastname@example.org.