Privacy Law Newsletter September 2017
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
- Credit reporting giant Equifax revealed hackers had exploited a website application vulnerability to access the Social Security numbers and other personal information of more than 143 million U.S. consumers. Hackers also accessed the credit card numbers of approximately 209,000 U.S. consumers. The company has set up a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been impacted.
- DHS issued a directive ordering federal agencies to stop using Kaspersky Lab software and services amid concerns about potential security risks. The directive, BOD 17-01, was issued in response to concerns about ties between Kaspersky executives and Russian intelligence agencies.
- The National Infrastructure Advisory Council, which advises the White House on security threats, issued a draft report finding that although the government has the resources to proactively combat cyberattacks, those resources are not being deployed effectively. The Council urged coordination between the private sector and the government to effectively respond to cyberthreats.
- Uber announced that it will disable a controversial feature of its app that allowed customers to be tracked for up to five minutes after they completed a trip. The company will no longer make customers choose between always sharing their location data with the app or never sharing their location data and then having to manually enter their pickup location and destination.
- The FDA signed off on a firmware update for St. Jude radio frequency-enabled pacemakers developed by Abbott, which acquired St. Jude Medical earlier this year. The FDA advised patients with these devices to contact their doctors for the update to alleviate vulnerabilities that could be exploited by an unauthorized user. The FDA also released final guidance on how electronic medical devices can communicate with each other and information systems safely and securely. It specifically recommends that medical device manufacturers include appropriate verification, validation and risk management procedures and clearly label what information users may need.
- The personal information from resumes of thousands of former military and intelligence personnel who applied to work at security contractor TigerSwan was inadvertently made publicly accessible on a cloud server controlled by its former recruiting vendor TalentPen. TigerSwan announced it is reevaluating its processes for choosing vendors.
- The National Institute of Standards and Technology released the fifth draft of Special Publication 800-53, “Security and Privacy Controls for Information Systems and Organizations.” The updated draft further addresses how all types of organizations can maintain the security and privacy of interconnected systems.
- The Government Accountability Office issued a report on data privacy in connected vehicles, finding that the automobile industry has taken steps to ensure data privacy, including signing on to a set of privacy principles, but the National Highway Traffic Safety Administration’s responsibilities regarding data protection are unclear and must be defined.
- Danish shipping conglomerate A.P. Moller-Maersk issued a second quarter update estimating that the June cyberattack, which also affected DLA Piper and other multinational companies, will cost $200-300 million. The attack shut down its systems and significantly impacted its container shipping business, Maersk Line, which will most likely affect its third quarter results.
- The Spanish Data Protection Agency, known as AEPD, fined Facebook 1.2 million euros ($1.4 million) for allegedly violating Spain’s data protection laws by collecting users’ personal information for advertising purposes without their consent. The fine resulted from an investigation by the data protection authorities from Belgium, Spain, France, Germany and the Netherlands.
- AT&T, Sprint, T-Mobile and Verizon announced they are creating the Mobile Authentication Taskforce to develop a mobile authentication solution in 2018 that will reduce users’ vulnerability to fraud and identity theft. The task force will collaborate with the app community, industry groups and third parties to bring the solution to fruition.
- The Hong Kong Securities and Futures Commission and the Hong Kong Police Force signed a memorandum of understanding as a basis for joint efforts to address financial crime, following a sharp rise in cybersecurity attacks. The agreement detailed how the two organizations will refer cases to one another and handle joint investigations.
- Financial research company Consumer Intelligence issued a report finding that no major U.K. insurer has complied with the European Union’s General Data Protection Regulation, which becomes effective on May 25, 2018. If firms fail to comply, they could be forced to delete millions of customer files and face fines of up to 17 million pounds ($22 million).
- Companies still run a low risk of being sued following a data breach because of the difficulty consumers face in establishing that they were injured by the breach and therefore have standing as a matter of law to bring suit, according to a report by Bryan Cave LLP. The firm found that only 76 federal class action suits were filed in 2016 out of 806 publicly reported breaches.
Recent Court Decisions/Settlements
- A split panel of the Ninth Circuit Court of Appeals ruled 2-1 that the settlement in a privacy class action against Google, in which $8.5 million would be paid to charities instead of to class members, was an appropriate handling of the funds. The class had accused Google of violating users’ privacy by revealing their Internet search terms to third party websites. Holyoak v. Google, Inc.
- The U.S. District Court for the Northern District of California granted final approval to a settlement resolving claims that Facebook spied on private messages between users and shared the URLs users sent to each other with third parties. The settlement, which includes $3.9 million in attorneys’ fees, requires Facebook to post language on its website help section saying it “uses tools to identify and store links shared in messages, including a count of the number of times links are shared.” Campbell v. Facebook, Inc.
- The U.S. District Court for the Northern District of California also granted preliminary approval to a $115 million settlement ending litigation over Anthem’s 2015 data breach. The settlement will provide credit protection and reimbursement to a class of 79 million people and up to $38 million in attorneys’ fees. In re Anthem Inc. Data Breach Litigation.
- The Eighth Circuit Court of Appeals found the threat of future identity theft resulting from a breach of credit card data was not enough of an injury to give standing to consumers in multidistrict litigation against SuperValu. The court found that the U.S. District Court for the District of Minnesota erred in dismissing the claims of the one plaintiff who actually experienced credit card fraud but correctly dismissed the other plaintiffs’ claims. Alleruzzo v. SuperValu, Inc.
- The Ninth Circuit Court of Appeals affirmed a summary judgment that dismissed a suit by the treasurer of the National Border Patrol Council seeking the names of 149 noncitizens who were released from detention pending a final removal determination. The court found the privacy rights of the former detainees outweighed the public’s right to access their records. Tuffly v. U.S. Department of Homeland Security.
- The U.S. District Court for the Northern District of California gave preliminary approval to a revised class action settlement in which Google agreed to pay $2.2 million and change its approach to email scanning to resolve claims it unlawfully scans emails for advertising purposes. The court denied the previous proposed settlement. Matera v. Google Inc.
- The U.S. District Court for the Northern District of Illinois gave final approval to a class action settlement in which Canada-based Standard Innovation Corp., known as We-Vibe, agreed to pay $3.75 million to resolve claims its toy and accompanying app, We-Connect, collected information on the date and time of its use, the “vibration intensity level” and users’ emails in violation of the Wiretap Act and Illinois privacy law.
- The U.S. District Court for the Northern District of California ordered tax filer service Intuit to release information on fake tax returns filed by fraud perpetrators to steal customer refunds, finding taxpayers in a proposed class action have shown the documents are necessary to determine the appropriateness of the proposed class. The documents are likely to support consumers' claims that Intuit failed to safeguard sensitive personal data.
- The FTC reached a non-monetary agreement with Uber over allegations the company misrepresented the access its employees had to consumers’ personal information, as well as the level of security it provided to data it collected from riders and drivers that it stored in the cloud. Uber agreed to implement a comprehensive privacy program designed to protect consumer information.
- The U.S. District Court for the District of Columbia granted summary judgment to the U.S. Department of Labor (DOL) in Landmark Legal Foundation’s Freedom of Information Act suit accusing DOL of failing to comply with two information requests for records related to the use of private emails and other personal accounts to conduct agency business. The court found the claims precluded by a previous “substantially identical” suit that was deemed unreasonably burdensome. Landmark Legal Foundation v. Department of Labor.
- The U.S. District Court for the Northern District of New York sentenced Obinna Obioha, a Nigerian citizen, to 51 months in prison for running a scheme in which he instructed hackers to hack into computers and email accounts of individuals using malicious software.
- Delaware enacted a law strengthening its data breach notification requirements by expanding the definition of personal information to include biometric data, online account access credentials, medical history and other categories of information. It also requires notice to residents no later than 60 days after the breach, as well as provision of one year of credit monitoring to residents whose Social Security numbers may have been exposed as part of the breach.
- Illinois Governor Bruce Rauner vetoed HB 3449, a bill that would have required smartphone apps to obtain users’ consent to collect and/or disclose their geolocation data, saying it had the potential to create an unnecessary burden on businesses and cause job loss.
Privacy Initiatives in the Attorney General Community
- Thirty-three Attorneys General entered into a $3.5 million multi-state settlement with Lenovo to resolve allegations the company illegally preinstalled ad-injecting software that compromised the security of its computers. Lenovo is also required to clearly disclose how pre-installed advertising software will operate, obtain consent before using such software and provide a reasonable and effective means for consumers to opt out or remove the software.
- Thirty-two Attorneys General sent a letter to Equifax, calling on the company to stop charging for its credit monitoring service and reimburse consumers who were forced to pay for security freezes on their accounts as a result of Equifax’s massive data breach.
- Massachusetts Attorney General Maura Healey’s office assisted in the drafting of data breach legislation that would eliminate fees for placing credit freezes, mandate encryption of personal information in credit reports and require companies to obtain consent before accessing or using consumer credit information.
Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail firstname.lastname@example.org.