Privacy Law Newsletter February 2017
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
Recent Developments in Privacy Law
FCC Releases White Paper on IoT, Cybersecurity
The Public Safety & Homeland Security Bureau of the Federal Communications Commission (FCC) released a white paper on reducing cybersecurity risks, which included collaboration with stakeholder groups, more cooperation among agencies and regulatory solutions where the market fails. The white paper may be accessed at http://transition.fcc.gov/Daily_Releases/Daily_Business/2017/db0118/DOC-343096A1.pdf.
Privacy Guide for Connected Cars Now Available
The Future of Privacy Forum and the National Automobile Dealers Association released “Personal Data in Your Car,” a guide addressing privacy concerns about personal information collected by connected vehicles. The guide details the kind of information that could be collected, how that data is used and what options drivers have. The guide can be accessed at https://fpf.org/wp-content/uploads/2017/01/consumerguide.pdf.
Healthcare Co. Vendor Breach Exposes Patient Data
A third-party vendor used by Virginia-based Sentara Healthcare suffered a security breach exposing more than 5,000 patients’ personal data. The company has 12 hospitals in Virginia and North Carolina, as well as medical groups, ambulatory campuses and post-acute care services. Sentara directed those affected to activate a free one-year subscription to a credit monitoring and identity theft protection service, and urged them to use a toll-free number established to respond to questions.
Court Decisions & Settlements on Privacy Law Issues
2nd Circuit Won’t Rehear Microsoft Overseas Data Warrant Case
The full Second Circuit Court of Appeals denied rehearing en banc of its ruling by a three-judge panel that found service providers such as Microsoft cannot be forced to turn over user data stored overseas. The decision was 4-4, with three judges recused. The case is In the Matter of a Warrant to Search a Certain Email Account Controlled and Maintained by Microsoft Corp., no. 14-2985 (2nd Cir. Jan. 24, 2017).
PA Court Orders Google to Turn Over Data on Overseas Servers
Despite the decision reported above, the U.S. District Court for the Eastern District of Pennsylvania ordered Google to comply with search warrants in two criminal investigations for data stored on overseas servers. The court said that electronically transferring data from a server in a foreign country to Google’s data center in the U.S. would not amount to a “seizure” because there would be no meaningful interference with the account holder’s possessory interest in the data. The case is U.S. v. Information Associated With Google Accounts More Fully Described in Attachment A, nos. 2:16-mj-00960 and 2:16-mj-01061 (E.D. Pa. Feb. 3, 2017).
NJ Court Allows Access to Twitter Posts With Warrant
In a case of first impression, a New Jersey appellate court ruled that state prosecutors can access privately stored videos on two unidentified Twitter accounts with a communications data warrant instead of a wiretap order, which is more difficult to obtain, finding that the audio portions of the videos could be considered “electronic communications.” The case is In the Matter of the Application of the State of New Jersey for Communications Data Warrants to Obtain the Contents of Stored Communications From Twitter Inc., no. A-3651-15T4 (N.J. Super. Ct. App. Div. Feb. 2, 2017).
Court OKs Google Settlement for Alleged Bypass of Privacy Settings
The U.S. District Court for the District of Delaware gave final approval to a settlement in which Google agreed to pay $5.5 million to resolve allegations it bypassed Internet browser privacy settings to look at user communications and track usage. Google will make the payments to the Berkeley Centers for Internet & Society and for Internet & Society at Harvard University and other privacy organizations who agree to use the funds to promote public awareness, education and research. The case is In re Google Inc. Cookie Placement Consumer Privacy Litigation, no. 1:12-md-02358 (D. Del. Feb. 2, 2017).
Fla. High Court: Access to Incident Reports Not Preempted
The Florida Supreme Court reversed a lower court decision, instead finding that Amendment 7, which gives individuals the right to access incident reports from a health care facility regarding adverse medical events, is not preempted by the federal Patient Safety and Quality Improvement Act covering confidential reporting requirements. The case is Charles v. Southern Baptist Hospital of Florida, no. SC15-2180 (Fla. Jan. 31, 2017).
Mapco Express Data Breach Settlement Approved by Court
The U.S. District Court for the Middle District of Tennessee gave final approval to a settlement in which retailer Mapco Express agreed to pay $1.9 million to resolve claims over data security breaches at several of its stores. The suit was brought by two financial institutions claiming their losses were caused by the company’s inadequate security systems. The case is Winsouth Credit Union v. Mapco Express Inc., no. 3:14-cv-01573 (M.D. Tenn. Jan. 12, 2017).
Jury Awards $20 Million Against Dish in TCPA Class Action
In a class action alleging violation of the Telephone Consumer Protection Act (TCPA), a jury awarded $20.5 million against Dish Network. The verdict amount represents $400 for each unwanted phone call placed by Satellite Systems Network, an authorized Dish dealer. The case is Krakauer v. Dish Network LLC, no. 1:14-cv-00333 (M.D.N.C. Jan. 18, 2017).
Luxury Brand Jimmy Choo Settles Case Over Data on Receipts
Luxury shoe company Jimmy Choo has agreed to pay $2.5 million to settle claims it printed sensitive data on credit card receipts in violation of the Fair Credit Reporting Act (FACTA). In arriving at the settlement amount, Jimmy Choo’s ability to survive the judgment was a key factor. The case is Wood v. J. Choo USA Inc., no. 9:15-cv-81487 (S.D. Fla. Jan. 20, 2017).
Court Asked to OK Settlement Over Data Hack
The U.S. District Court for the Northern District of California was asked to approve a settlement in which payment processor Yapstone agreed to pay $4.9 million to resolve claims it failed to secure personal information and exposed personally identifiable information resulting from a data breach. The suit alleged violations of California and New Jersey state laws. The case is In re Yapstone Data Breach, no. 4:15-cv-04429 (N.D. Cal. Jan. 20, 2017).
Communications Firm Settles Claims Over Unwanted Marketing Calls
Frontier Communications Corp. agreed to pay $11 million to resolve a proposed class action over claims it violated the TCPA by placing thousands of illegal telemarketing calls. The case is Mey v. Frontier Communications Corp., no. 3:13-cv-01191 (D. Conn. Jan. 25, 2017).
Recent State Legislative Action on Privacy Issues
HB 3737, the Government Cybersecurity Review Act, was introduced in the Illinois House. The bill would create the Division of Cybersecurity Inspection, which would review all websites operated by State agencies to determine whether data breach risks or cybersecurity flaws exist. The Division would have the authority to order an agency to cease website operation until a flaw is resolved. The bill has been referred to the Rules Committee.
Recent Federal Legislative Action on Privacy Issues
The House passed HR 387, the Email Privacy Act, a bill sponsored by Representative Kevin Yoder (R-KS), which would require law enforcement to obtain a search warrant to access electronic communications, such as emails, Facebook messages and Dropbox files. It would remove a distinction made in the Electronic Communications Privacy Act (ECPA) for a lower bar to access electronic communications stored for more than 180 days. The bill has been sent to the Senate Committee on the Judiciary.
The House passed HR 666, a bill sponsored by Representative Peter King (R-NY), that would increase the Department of Homeland Security’s ability to monitor internal threats, including deploying workplace monitoring technologies; employee awareness campaigns; and training programs relating to identifying, preventing and responding to insider threats. It has been forwarded to the Senate Committee on Homeland Security and Governmental Affairs.
Privacy Law Initiatives in the Attorney General Community
Mississippi Attorney General Jim Hood filed suit against Google, accusing the Internet giant of using the personal information and search history of public school students who have G Suite for Education accounts in order to build a profile that is useful for advertising purposes. Attorney General Hood seeks an order enjoining Google’s data collection practices, as well as civil penalties of $10,000 for each G Suite account opened in the State.
New Jersey Attorney General Christopher Porrino’s Division of Consumer Affairs entered into a settlement with Vizio, Inc. in which the Smart TV manufacturer agreed to pay the State and the Federal Trade Commission $2.5 million and change its business practices to resolve allegations it surreptitiously tracked consumers’ TV viewing habits and sold the information to marketers and data brokers. Deputy Attorneys General Kent Anderson, Elliott Siebers and Russell Smith and Assistant Attorney General John Falcone III, as well as Investigators Brian Morgenstern and Christopher Spaldo, handled the case.
New York Attorney General Eric Schneiderman entered into a settlement with Acer Service Corp. in which the computer manufacturer agreed to pay $115,000 and implement strong cybersecurity practices and training resulting from the exposure of more than 35,000 credit card numbers after an ongoing data breach. The case was handled by Clark Russell, Deputy Chief of the Attorney General’s Bureau of Internet and Technology, and Assistant Attorney General Aaron Chase.
Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail firstname.lastname@example.org.