The National Attorneys General Training & Research Institute

Privacy Law Newsletter December 2017

The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.

Recent Developments of Note

  • Uber admitted in a post on the company’s website that hackers stole the personal data of 57 million riders worldwide in a breach Uber did not disclose for more than one year. The disclosure was made the same day as Bloomberg reported Uber paid the hackers $100,000 in an attempt to prevent disclosure. The City of Los Angeles has sued Uber, alleging it violated state law requiring companies to report data breaches as soon as discovered or as soon as possible. In Europe, the Article 29 Working Party, an advisory committee composed of data privacy watchdogs from each EU member, established a task force to coordinate investigations into the breach.

  • PayPal Holdings announced a potential data breach occurred at TIO Networks, a payment processor it purchased this year, that might compromise the personal information of 1.6 million customers. TIO’s operations have been suspended pending a full investigation, and PayPal said it would communicate directly with affected customers and offer free credit monitoring services to those affected.

  • Apparel retailer Forever 21 announced on their website that customers who used their credit cards at certain store locations that weren’t using the company’s encryption and tokenization methods may have had their personal information compromised. Although it has launched an investigation, the company said it is too early to identify how many customers and which stores were impacted.

  • The New York City Bar Association, the International Council for Commercial Arbitration and the International Institute for Conflict Prevention & Resolution formed a new group over concerns that international arbitration proceedings are not adequately protected from potential cyberattacks. The new group will try to establish cybersecurity protocols and guidelines that parties and arbitrators could incorporate into their proceedings.

  • The National Institute of Standards and Technology (NIST) published the second draft of its Framework for Improving Critical Infrastructure Cybersecurity, which incorporates comments received from a review process and workshop on the original draft. Comments about this draft are due by January 19, 2018 and should be sent to

  • The Army's Cyber Command announced a new pilot program under which civilian cybersecurity experts could be directly commissioned into the Army to improve its cyber operations. The experts would be commissioned with a rank commensurate with their experience in the private sector.

  • Russian security software manufacturer AO Kaspersky Lab issued a report about its recent admission that it had uploaded purportedly classified information and hacking software from an NSA worker’s personal computer. The company claimed the upload was made after its software detected what appeared to be malware.

  • CNIL, France’s data protection agency, issued a formal notice to toy manufacturer Genesis Industries, warning that the privacy and security risks inherent in its two Internet-connected toys, My Friend Cayla and i-Que Robot, could violate the French Data Protection Act. The toys have been banned in Germany, and the FTC has received numerous complaints about them.

  • The Article 29 Working Party, the EU’s data privacy regulators, issued an opinion on the first joint review of the EU-US data transfer pact identifying several unresolved concerns, including the collection and access by the U.S. of personal data for national security purposes. It also called for the appointment of an Ombudsman to the Privacy and Civil Liberties Board.

  • Britain’s national terrorism insurer Pool Reinsurance announced it will extend its coverage to include material damage and business interruption losses caused by cyberattacks starting in April 2018. Pool Reinsurance is financed by the insurance industry with government backing.

Recent Court Decisions/Settlements

  • The Pennsylvania Supreme Court ruled that privacy rights enshrined in Article 1, Section 1 of the state constitution could be used to block the release of public workers’ personal information sought by a nonprofit union reform group under an open records law. The court said that exceptions to the state’s Right to Know Law that were designed to protect the privacy of public workers could not be used to bar the release of personal information, but the constitutional provision could do so. Reese v. Pennsylvanians for Union Reform.

  • The Massachusetts Court of Appeals affirmed an order requiring an individual to provide access to his iPhone by entering his PIN pursuant to a child abuse investigation, ruling that the petitioner’s Fifth Amendment rights would not be violated since law enforcement already knew what would be on his phone. In the Matter of a Grand Jury Investigation.

  • The Ninth Circuit affirmed the U.S. District Court for the Western District of Washington’s dismissal of an ESPN app user’s claims that the sports network disclosed his personal information to an analytics company, finding that although the user had standing to sue, his information was not personally identifiable under the Video Privacy Protection Act. Eichenberger v. ESPN, Inc.

  • The U.S. Bankruptcy Court for the Southern District of New York approved a settlement in which 21st Century Oncology, which operates treatment centers in 17 states and filed for bankruptcy in May, agreed to pay a $2.3 million fine to HHS and comply with a corrective action plan for a 2015 data breach affecting 2.2 million patients. The court also approved a settlement to resolve class action lawsuits filed in Florida pursuant to the breach.

  • A U.K. High Court found supermarket chain Morrisons vicariously liable for the data breach involving the payroll data of 100,000 employees by an ex-employee of the company. According to the judgment, the affected employees will be entitled to compensation for emotional distress caused by the breach. Various Claimants v. WM Morrisons Supermarket PLC.

Legislative Update

  • The U.S. House passed HR 3359, which would centralize authority and responsibility for cybersecurity at DHS.

Privacy Initiatives in the Attorney General Community

  • California Attorney General Xavier Becerra reached a settlement with Cottage Health System and its affiliated hospitals to resolve allegations they failed to implement reasonable safeguards to protect patient medical information following two separate data breaches. Under the settlement, Cottage Health is required to pay a $2 million penalty and upgrade its data security practices.

  • Massachusetts Attorney General Maura Healey obtained a judgment against Multi-State Billing Services, a Medicaid billing company that provided services for state public school districts, pursuant to a data breach affecting the personal information of more than 2,600 children. The judgment requires the company to pay $100,000 and improve its security practices. The case was handled by AAG Jared Rinehimer and Director of Data Privacy and Security Sara Cable.

  • Washington Attorney General Bob Ferguson filed suit against ride-sharing company Uber for failure to report a massive data breach affecting 57 million passengers and drivers worldwide. The suit seeks civil penalties of up to $2000 for each individual affected, as well as recovery of fees and costs. Senior Counsel Shannon Smith and AAGs Tiffany Lee and Andrea Alegrett are handling the case.

Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail
