The National Attorneys General Training & Research Institute
Privacy Law Newsletter June 2018
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
Privacy Developments of Note
Facebook confirmed a NY Times report that it has data-sharing partnerships with Chinese electronics companies, including telecommunications giant Huawei, which was found to be a national security threat by the House Intelligence Committee and whose devices have been banned from sale at military bases. The company said it is “winding down” those partnerships.
Brinker International, the parent company of Chili’s Grill & Bar restaurants, posted a notice of unauthorized access after learning that the credit and debit card information of customers at Chili’s restaurants had been compromised by hackers. Chili’s customers in Maryland, North Carolina and Rhode Island who suspected they were victimized were advised to contact their Attorney General.
Senator Edward Markey (D-MA) and Representative Joe Barton (R-TX) sent a letter to Amazon CEO Jeffrey Bezos with questions about privacy concerns with Amazon’s new Echo Dot Kids Edition, a voice-activated digital assistant. They sought information about how Amazon plans to protect the privacy of kids who use the device and its associated Free Time subscription.
An article in New Scientist magazine reported that data from Facebook users who used personality quiz app myPersonality, including their answers to intimate questionnaires, was left exposed online. The magazine’s investigation revealed that academics at the University of Cambridge distributed the data from the app to hundreds of researchers via a website with insufficient security provisions, leaving it vulnerable to access for four years.
DHS released a report outlining a new cybersecurity strategy to combat the risks of cyberattacks over the next five years. The strategy focuses on five goals: risk identification, vulnerability reduction, protection of critical infrastructure, prevention and disruption of criminal use of cyberspace and effective response to cyber incidents.
The NASA Inspector General’s Office released an audit of NASA's Security Operations Center, finding weaknesses in both its IT management and cybersecurity programs. It also found that the current contract used to procure Center services limits NASA management’s ability to measure contractor performance and its operational flexibility.
The U.K. Parliament’s Digital, Culture, Media and Sport Committee stated that Facebook failed to fully answer 39 questions from British lawmakers on data privacy and fake news, adding that the committee wants more answers from Facebook CEO Mark Zuckerberg. Rebecca Stinson, who heads Facebook UK’s public policy, had submitted responses to the Committee's questions which the committee found incomplete. The committee also announced that former Cambridge Analytica CEO Alexander Nix accepted a summons to appear before it.
The U.K. Information Commissioner’s Office published its final detailed guidance on consent to process personal data under the EU’s General Data Protection Regulation (GDPR), which applies from May 25, 2018 forward. Under the GDPR, companies cannot require consumers’ consent, and consumers may withdraw their consent at any time.
Recent Case Decisions/Settlements
The U.S. Supreme Court resolved a circuit split and unanimously reversed a Third Circuit decision that a man driving his fiancee’s rental car did not have a reasonable expectation of privacy because he was not on the rental agreement. The Court held that for Fourth Amendment purposes, someone in otherwise lawful possession and control of a rental car has a reasonable expectation of privacy in it even if the rental agreement does not list him or her as an authorized driver. Byrd v. U.S.
The New Jersey Supreme Court ruled that the names and addresses of government property auction bidders are not shielded by the privacy protections of the state public records law because the auctions themselves are public events. Brennan v. Bergen County Prosecutor's Office.
The DC Circuit ruled that two FTC attorneys are entitled to qualified immunity from claims they improperly retaliated against medical testing company LabMD, whose chief executive publicly criticized the agency, because the FTC’s action against the company was based on a different purpose, namely, a breach that exposed a file containing the personal information of more than 10,000 patients. Daugherty v. Sheer. In other news regarding the case, the Eleventh Circuit vacated an FTC order that required the company to overhaul and replace its data security system, finding the order to be unenforceable because it lacked specifics on how the overhaul was to be accomplished. LabMD, Inc. v. Federal Trade Commission.
The U.S. District Court for the Northern District of California gave preliminary approval to a settlement in which Yahoo shareholders will receive $80 million for losses sustained after the company’s massive data breaches. A final approval hearing is set for September 2018.
The U.S. District Court for the Northern District of California was also asked for preliminary approval of a class action settlement with Kimpton Hotels over the theft of payment card data in a 2016 data breach. Walters v. Kimpton Hotel & Restaurant Grp., LLC.
Wendy’s advised the U.S. District Court for the Middle District of Florida that they have settled a consumer class action over alleged lax security practices that vocational school company Wirtled to a 2016 data breach. Torres v. Wendy's International, LLC.
A Texas court of appeals reversed a jury verdict and $24,279 award in favor of a law firm, holding that state law does not recognize a right of privacy for corporations. The law firm had argued that an attorney violated its right to privacy by using the firm’s name without permission. Doggett v. The Travis Law Firm, P.C.
The European Court of Justice, EU’s highest court, affirmed that vocational school company Wirtschaftsakademie Schleswig-Holstein can be considered a “data controller” within the EU’s data protection laws, determining that operators of Facebook fan pages have responsibility, along with Facebook itself, for protecting visitors’ personal data. Case C-210/16.
The California Assembly passed AB 2182, which would require the Department of Consumer Affairs to establish a web portal linked to its Consumer Information Center web page containing links to the personal data privacy policies of online platforms, including social media.
The Colorado Legislature passed HB 1128, which would require covered and government entities that maintain documents containing personal identifying information to develop and maintain a written policy for the destruction and proper disposal of the documents, as well as maintain reasonable security procedures.
The Connecticut Legislature passed HB 5444, which would require the Department of Education to provide written guidance on the laws governing student data privacy and would authorize the retention of student records required by state and federal law and for purposes of disaster recovery systems. The Legislature also passed SB 472, which would prohibit credit rating agencies from charging a fee for consumers to place on or remove a security freeze from their account and would also increase the amount of identity theft prevention or mitigation services provided after a security breach.
Georgia Governor Nathan Deal vetoed SB 315, which would have criminalized accessing a computer or network “without authority” and allowed organizations to take active defensive measures against suspected attackers, citing potential national security consequences.
Maryland Governor Larry Hogan signed HB 568 into law, which would require the Department of Education to develop best practices for certain county boards on data governance policies and procedures, as well as to develop strategies to coordinate and assist staff in implementing those policies.
The Ohio Senate passed SB 220, which would create an affirmative defense to an action against an entity because of a data breach if the entity has a cybersecurity program that meets the bill’s standards.
Vermont Governor Phil Scott signed S. 72 into law, which requires telemarketers to provide accurate caller id information. Vermont also enacted H. 764, which requires data brokers to register with the State, implement standard security measures and notify authorities of security breaches. The new law also makes using their data for criminal purposes, such as fraud, an actionable offense.
Privacy Law Initiatives in the Attorney General Community
California Attorney General Xavier Becerra, working with the Governor’s Office of Emergency Services, uncovered more than 2,000 computers and other electronic devices infected by malicious malware, and his office sent letters to ISPs encouraging them to inform customers with identified IP addresses that their devices may contain malware stemming from a March 2018 cyberattack.
Nevada Attorney General Adam Paul Laxalt’s office is partnering with the FTC for a free publicly available webinar on consumer fraud and identity theft, including how to recover from data breaches. The webinar will also offer tips on avoiding identity theft and other scams.
Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail firstname.lastname@example.org.