The National Attorneys General Training & Research Institute
Privacy Law Newsletter September 2018
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
Cloud-based video service company Animoto issued a service announcement of a security breach involving customer usernames, email addresses, passwords and birthdates. The company said it is reviewing its policies and procedures and urges users to change their passwords.
Augusta University revealed that a breach of its email accounts at Augusta University Health may have exposed the health information of 417,000 patients. The breach also may affect patients at Augusta University Medical Center, Children’s Hospital of Georgia and 80 clinics around the state.
The FTC approved modifications proposed by the Entertainment Software Rating Board to COPPA's safe harbor rule, including changes to the definition of “personal information and data,” in light of recent FTC guidance on collection of audio recordings. The COPPA rule includes a “safe harbor” provision allowing industry groups to ask the FTC to approve self-regulatory guidelines that implement the rule’s protections.
DHS, in partnership with the General Services Administration, awarded a six-year $1.03 billion contract to Booz Allen Hamilton to serve as the main cybersecurity contractor for six federal agencies. Booz Allen has supported DHS security efforts for the previous five years.
Almost three-quarters (73) percent of U.S. households who use the Internet had significant concerns about online privacy and security risks in 2017, according to a survey commissioned by the National Telecommunications and Information Administration and conducted by the Census Bureau. One-third of those households said those concerns caused them to refrain from certain online activities, and 20 percent had experienced an online security breach.
Research firm MITRE Corporation released "Deliver Uncompromised," a report to the Department of Defense that makes recommendations on how the government and the private sector can address cyber threats to supply chain security. The report recommends changes to contracting, monitoring and program protection and calls for a long term commitment to private sector participation.
The Australian government banned Chinese telecommunications equipment manufacturers Huawei and ZTE from supplying its next generation 5G mobile networks because of security concerns, following a similar move by the U.S. government several months ago.
Recent Privacy Court Decisions/Settlements
A California Court of Appeal affirmed a lower court decision, ruling that the California State Bar does not have to release data on individual members and applicants, such as bar applicants’ LSAT scores, to a UCLA researcher. The court found that state law does not require an agency to create new records to satisfy a public records request. Sander v. State Bar of California.
The U.S, District Court for the Northern District of California granted final approval to a settlement in which Anthem agreed to pay $115 million to resolve claims it put the personal information of 70 million customers at risk in a 2015 data breach. In re: Anthem, Inc. Data Breach Litigation.
The U.S. District Court for the Northern District of California was also asked to grant preliminary approval to a settlement of claims that the San Francisco Bay Area Rapid Transit (BART) system secretly collected personal information about BART train riders. The suit centered around a mobile app that BART promoted as a safety measure. Moreno v. San Francisco Bay Area Rapid Transit District.
The U.S. District Court for the Southern District of New York has been asked to grant preliminary approval to a settlement in which Conde Nast has agreed to pay $13.75 million to resolve claims it violated the Michigan Preservation of Personal Privacy Act when it sold consumers’ data without their consent. Ruppel v. Consumers Union of United States, Inc.
The U.S. District Court for the Northern District of California has again been asked to approve a revised settlement in a class action against Kimpton Hotels over a security breach. The court had denied the motion for preliminary approval in July as insufficient to cover all parties. Parsons v. Kimpton Hotel & Restaurant Group, LLC.
Ruslan Yeliseyev, a Ukrainian national, was sentenced to six years in prison in the U.S. District Court for the Eastern District of Virginia for trafficking in financial information obtained from approximately 40,000 hacked computers.
The California legislature passed SB 1121, which would amend the recently enacted Consumer Privacy Act by extending the date by which the Attorney General is required to adopt regulations to implement the Act from June 2019 to June 2020. It would also delay enforcement until June 2020 or six months after the regulations are final, whichever comes first, and would remove the requirement that a consumer bring an action notify the Attorney General.
Ohio Governor John Kasich signed SB 220 into law, which provides a legal safe harbor for organizations that implement a recognized written cybersecurity program.
On the federal side, S. 770 was signed into law, requiring the National Institute of Standards and Technology (NIST) to disseminate resources to help small businesses identify, assess, manage and reduce their cybersecurity risks.
Privacy Law Initiatives in the Attorney General Community
New York Attorney General Barbara Underwood announced a settlement with The Arc of Erie County, a nonprofit providing services to people with developmental disabilities, after an investigation found that the organization exposed clients’ sensitive information for years. The settlement requires The Arc to conduct a risk analysis of security risks and vulnerabilities of all electronics and data systems, review its policies and procedures and pay a $200,000 penalty. Bureau of Internet and Technology Deputy Bureau Chief Clark Russell handled the case.
Ohio Attorney General Mike DeWine announced a new collaboration with the Air Force Association to increase cybersecurity education to state students.
Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail firstname.lastname@example.org.