The National Attorneys General Training & Research Institute
Privacy Law Newsletter January 2018
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
- U.S. Customs and Border Protection announced an updated policy for border searches of electronic devices that supersedes the directive issued in 2009. The previous policy equated the search of electronic devices to searches of items such as briefcases. The new policy allows agents to conduct a “basic” search of electronic devices by requesting access and in some cases bypassing encryption and passwords.
- DHS confirmed a breach of its OIG Case Management System, putting the personal information of more than 247,000 employees and people associated with OIG investigations at risk. DHS said that it had discovered an unauthorized copy of its system in the possession of a former employee. Notification letters were sent to all affected individuals with the offer of 18 months of free credit monitoring services.
- DHS and the Department of Commerce (DOC) released a draft report on cybersecurity threats which summarizes the challenges in reducing the botnet threat and lists actions to be taken by both the government and the private sector to reduce the threat of automated attacks. Comments on the draft report may be submitted to Counter_Botnet@nist.commerce.gov by February 12, 2018.
- CNIL, France’s data protection regulator, warned WhatsApp that its sharing of users’ data with parent company Facebook for “business intelligence” purposes was unlawful, warning that it would take steps to fine the messaging app if it did not address these concerns within a month. CNIL said it decided to make its formal notice to the app public to raise awareness of the issue.
- The U.K. Information Commissioner's Office fined insurance claims adjuster firm Woodgate and Clark and two of its private investigators a total of 185,000 pounds ($250,000) after a jury convicted them of unlawfully disclosing the personal data of a claimant which had been obtained illegally. The claimant had made a claim on an insurance policy in relation to a fire at business premises he owned.
- The U.S. District Court for the District of Maryland denied a skilled nursing facility’s motion to allow ex parte communications with health care providers who treated a deceased man pursuant to a wrongful death suit unless his stepdaughter gave permission or unless her counsel was present. Lynch v. SSC Glen Burnie Operating Co., LLC
- A New Jersey appellate court ruled that a lower court correctly denied finding the Ocean County Prosecutor’s Office in violation of the Open Public Records Act for its response to a request for records about an employee’s resignation. The office disclosed that the employee resigned and provided the effective date, but did not respond to the reason for the resignation. Libertarians for Transparent Government v. The Ocean County Prosecutor Office.
- The Connecticut Supreme Court reversed a lower court decision, reinstating certain claims in a suit alleging a health clinic improperly released a patient’s medical records pursuant to a subpoena. The court said that a duty of confidentiality arises from the physician-patient relationship, and the unauthorized disclosure of confidential information can give rise to a cause of action. Byrne v. Avery Center for Obstetrics and Gynecology, P.C.
- Electronic toy manufacturer VTech Electronics and its U.S. subsidiary agreed to pay $650,000 to resolve charges brought by the FTC stemming from a 2015 data breach that the company violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children without providing direct notice and obtaining parental consent and then failing to secure that data. The complaint, filed by DOJ on behalf of the FTC, alleged that VTech’s KidConnect app, which was used with its toys, collected the personal information of hundreds of thousands of kids.
- The U.S. House of Representative passed HR 2396, which would amend certain provisions of the Gramm-Leach Bliley Act by loosening current requirements for banks to notify customers of their personal information policies. The bill has been forwarded to the Senate Committee on Banking, Housing and Urban Affairs.
Privacy Law Initiatives in the Attorney General Community
- North Carolina Attorney General Josh Stein and state Representative Jason Saine unveiled the Act to Strengthen Identity Theft Protections, legislation aimed at preventing data breaches. Attorney General Stein also released his annual report which showed that the number of data breaches in North Carolina was 15 percent higher in 2017 than in the previous year.
- Washington Attorney General Bob Ferguson filed suit against Motel 6 for voluntarily providing the personal information of at least 9,000 guests to ICE agents on a routine basis, in violation of state laws, and leading to the detention of at least six individuals. The suit further alleges that Motel 6 knew the agents used the information to single out individuals by national origin, in violation of laws against discrimination.
Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail email@example.com.