The National Attorneys General Training & Research Institute


Privacy Law Newsletter October 2018

The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.

Noteworthy Developments

Facebook disclosed that hackers had gained access to 50 million user accounts by exploiting a vulnerability related to its profile preview feature. Facebook subsequently has claimed to have fixed the vulnerability, reset the access tokens of the affected accounts and temporarily turned off the preview feature. The Irish Data Protection Commission subsequently commenced an investigation into the breach and will examine Facebook’s compliance with its obligation under the GDPR to implement measures to ensure the security and safeguarding of the personal information it processes.

A report issued by the Government Accountability Office (GAO) finds that Equifax was aware of major vulnerabilities in its systems, but failed to fix them, leading to the 2017 data breach that compromised the personal information of 145 million U.S. citizens. The report identifies the flaws that enabled the breach: a known software vulnerability, an expired authentication tool and the failure to separate databases. Subsequently, the U.K. Information Commissioner’s Office, Great Britain’s privacy watchdog, fined Equifax 500,000 pounds ($656,000) for failing to protect the personal information of 15 million UK citizens during the 2017 cyberattack.

The U.S. District Court for the Northern District of California gave preliminary approval to a settlement resolving claims that the Bay Area Rapid Transit's (BART's) mobile app collected information about its users without their consent, including mobile device ID and location. Under the settlement, BART agreed to injunctive relief, including agreeing not to collect user information, and also agreed not to oppose a request for an incentive award to the plaintiffs.

The U.S. District Court for the Northern District of Ohio has been asked to approve a settlement in which fast food company Sonic Drive-in agreed to pay $4.3 million to resolve claims it failed to properly protect customer data exposed in a data breach.

Another report released by the GAO to the Senate Armed Services Committee finds that the Defense Department is only just beginning to understand the scale of cyber vulnerabilities in weapons systems as those systems become more computerized.

The U.K. Information Commissioner’s Office also fined Bupa Insurance Services 175,000 pounds ($228,000) for failing to have effective security measures after an employee was able to extract thousands of patients’ files to sell on the Dark Web.

Five senators sent a letter to Secretary of State Mike Pompeo amid reports from federal auditors at the General Services Administration (GSA) that the State Department was failing to meet federal cybersecurity standards. The GSA report found that the Department deployed “enhanced access controls” on only 11 percent of its devices.

The Department of Defense proposed an update to its privacy regulation in the Federal Register which would create a single privacy rule instead of 21 separate regulations. The proposed rule would ensure the Department follows the Privacy Act and would incorporate Office of Management and Budget guidance. The Department also issued a new cyber strategy that allows for the increased use of offensive cyberattacks.

The MITRE Corporation, with support from the FDA, released the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, which outlines a framework for health delivery organizations to plan for and respond to cybersecurity incidents involving medical devices.

Great Britain’s Financial Conduct Authority fined Tesco Bank 16.4 million pounds ($21.4 million) for failing to protect its account holders from a 2016 cyber attack. The Authority found that deficiencies in the Bank’s design of its debit card and its financial crime controls left account holders vulnerable.

The U.K. government awarded the Information Commissioner’s Office, the U.K.’s data watchdog, 537,000 pounds ($703,000) to establish a Regulators' Business and Privacy Innovation Hub to provide expert support to businesses about information privacy and data protection.

Recent Court Decisions/Settlements

The FTC gave final approval to a settlement with mobile phone manufacturer BLU Products and its owner over allegations that they deceived consumers about the disclosure of their personal information and about the company’s data security practices. Under the settlement, BLU Products and its owner are barred from misrepresenting the extent to which they protect privacy and must implement and maintain a comprehensive security program.

A Third Circuit panel affirmed a lower court’s dismissal of a suit alleging two state investigators illegally obtained a Penn State University employee’s work emails, finding that the investigators had qualified immunity. The court also vacated in part the lower court’s denial of the employee’s leave to file a second amended complaint. Walker v. Coffey.

The U.S. District Court for the Northern District of California denied for the second time Kimpton Hotel & Restaurant Group's proposed settlement with consumers suing over a 2016 data breach, expressing concerns about whether the settlement’s cap of $600,000 would fully compensate those injured.

The U.S. District Court for the Central District of California has been asked to approve a proposed settlement in which smart TV manufacturer Vizio has agreed to pay $17 million to resolve claims brought on behalf of 16 million smart TV owners that the company collected and shared data about their viewing habits without their consent.

The U.S. District Court for the District of Massachusetts sentenced gynecologist Rita Luthra to one year of probation for disclosing her patients’ medical information to a sales representative and then lying about it to federal agents. Prosecutors had recommended she serve at least two years in prison.

The U.S. District Court for the Northern District of California ruled that app maker Profile Technology breached its 2014 settlement with Facebook by improperly retaining customer data, finding that its donation of thousands of redacted user profiles to a digital library was not a good faith interpretation of the agreement. Facebook, Inc. v. Profile Technology, Ltd.

Iowa-based broker-dealer and investment advisor Voya Financial Advisors agreed to pay the SEC $1 million to settle claims it violated the SEC’s cybersecurity rules after a cyber intrusion compromised the personal information of thousands of its customers. In the Matter of Voya Financial Advisors, Inc.

The European Court of Human Rights ruled that the U.K.’s former regime for the bulk interception and collection of Internet communications violated Article 8 of the European Convention on Human Rights by failing to provide oversight of surveillance requests. Case of Big Brother Watch v. The United Kingdom.

The European Court of Justice, Europe’s highest court, ruled that law enforcement can access an individual’s personal information held by an ISP even when investigating a minor crime, as long as the data collection does not seriously intrude on that individual’s privacy. Case C-207/16.

Legislative Update

California Governor Jerry Brown signed SB 321 into law, which requires a manufacturer of a connected device to equip that device with reasonable security features to protect the device and any information it contains from unauthorized access, modification or disclosure.

Privacy Law Initiatives in the Attorney General Community

Fifty-one Attorneys General reached a $148 million settlement with Uber to address the ride-sharing company’s failure to promptly report a data breach affecting the personal information of its drivers and passengers. Uber had tried to cover up the breach by paying the hackers $100,000 in exchange for a non-disclosure agreement.

Four Attorneys General entered into a settlement agreement with Aetna to resolve allegations that the company improperly disclosed protected health information to thousands of Americans. The settlement resulted from a multistate investigation of two privacy breaches exposing patients’ HIV/AIDS status and their involvement in an AFib study.

Massachusetts Attorney General Maura Healey filed a consent judgment under which the UMass Memorial Medical Group and the UMass Memorial Medical Center will pay $230,000 and have agreed to conduct proper employee discipline and training to resolve claims that two separate data breaches exposed the personal and health information of 15,000 state residents. The case was handled by AAG Michael Wong and Legal Analyst Elizabeth Flynn.

New Jersey Attorney General Gurbir Grewal and the Division of Consumer Affairs announced a settlement with data management software developer Lightyear Dealer Technologies over a cyber security breach affecting the personal information of customers and employees of more than 100 auto dealerships nationwide. The investigation was conducted by Investigator Christopher Spaldo and former Investigator Brian Morgenstern, and Deputy Attorneys General Zachary Klein and Russell Smith, Jr. represented the State.

New Mexico Attorney General Hector Balderas sued a group of tech companies for illegally tracking children online. The suit, filed against Google, Twitter, Tiny Lab Productions, MoPub, AerServ, InMobiPTE, AppLovin and IronSource, alleges that the apps designed by Tiny Lab Productions and marketed by Google in its Play Store are targeted at children and contain illegal tracking software.

North Carolina Attorney General Josh Stein sent a letter to Facebook CEO Mark Zuckerberg demanding answers about the company’s security and safety in the wake of its announcement that 50 million accounts were hacked.

Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail
