The National Attorneys General Training & Research Institute

The National Attorneys General Training & Research Institute The National Attorneys General Training & Research Institute

Privacy Law Newsletter June 2017

The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.

June 2017

Recent Developments in Privacy Law

Twitter announced it will abandon its policy of honoring the “do not track” browser option, a mechanism that automatically disables cookies, and will begin to keep web browsing data for up to 30 days in order to improve and personalize its service. It also rolled out a new “personalization and data” setting that lets users control whether their information will be shared with some of Twitter’s partnerships.

A group of more than 30 technology companies, including Amazon, Facebook and Uber, urged the U.S. House Judiciary Committee to bolster privacy protections and transparency in reforming the NSA’s surveillance practices under Section 702 of the Foreign Intelligence Surveillance Act, which covers surveillance conducted outside of the U.S. The act is set to expire at the end of the year unless reauthorized.

The Health Care Industry Cybersecurity Task Force sent a report to Congress on improving the industry’s data protection methods, finding that health care cybersecurity is in “critical condition,” and the industry has to take immediate action to update antiquated operating systems and increase collaboration to prevent threats from hackers.

Electronic signature service DocuSign confirmed that hackers had temporarily accessed a system containing customer email addresses, noting that other personal information was not compromised. The company is working with law enforcement and recommended that customers delete any suspicious emails.

The Consumer Financial Protection Bureau (CFPB) failed to restrict access to sensitive enforcement data by former employees, putting that information at risk, according to a report by the Federal Reserve's inspector general. The report also cited the CFPB for having an inconsistent system for labeling enforcement information, increasing the likelihood that files could be accessed by unauthorized personnel.

The SEC’s Office of Compliance Inspections and Examinations issued a risk alert urging broker-dealers, investment advisors and investment companies to ensure they are conducting vulnerability scans and implementing system upgrades in light of the recent massive cyberattack.

The Italian Competition Authority fined Facebook subsidiary WhatsApp three million euros ($3.29 million) after two investigations revealed the messaging service had effectively forced users to accept a new “terms of use” policy that included a provision allowing Facebook to collect users’ personal information. The new policy also gave WhatsApp the right to terminate a user’s account for any reason and to change the terms of use contract without any mechanisms for informing the consumer.

The South Korean government officially joined the Asia-Pacific Economic Cooperation’s voluntary cross-border privacy rules system, which is aimed at facilitating e-commerce and the transfer of personal information safely. The U.S., Canada, Mexico and Japan are also participants.

The European Union Agency for Network and Information Security and several semiconductor manufacturers issued a position paper calling upon the European Commission to establish baseline requirements for the privacy and cybersecurity of connected devices.

Court Decisions/Settlements on Privacy Law Issues

The U.S. Supreme Court agreed to review Carpenter v. U.S., a case that questions whether the government needs a warrant to access a person’s cell phone location history. The Sixth Circuit Court of Appeals had found that cell phone location data revealed nothing about the actual content of the cell phone communication and was instead a routinely collected business record, thus holding that defendants had no reasonable expectation of privacy protection under the Fourth Amendment.

Bank of America will pay $1.9 million to resolve allegations from five southern California counties that it violated state phone call recording laws by failing to timely disclose its automatic recording of calls. The settlement amount includes $1.6 million in civil penalties; $240,000 in costs to be divided among Los Angeles, San Diego, Alameda, Riverside and Ventura counties; and $100,000 for the Consumer Protection Prosecution Fund.

St. Luke’s-Roosevelt Hospital Center in New York will pay $387,000 and institute a corrective action plan to resolve HHS allegations that it faxed a patient’s federally protected health information to the patients’ employer and faxed another patient’s information to a place where the patient volunteered.

The U.S. Supreme Court declined to review the Second Circuit Court of Appeals decision in El-Nahal v. Lassky in which taxi driver El-Nahal asserted a Fourth Amendment challenge to the New York City mandate requiring the installation of GPS tracking technology in taxis. The Second Circuit decided El-Nahal did not have a reasonable expectation of privacy in the GPS-tracked data because there was no proof he had a property interest in the taxi where the GPS was installed.

Southern Baptist Hospital of Florida has petitioned the U.S. Supreme Court to overturn Charles v. Southern Baptist Hospital of Florida, Inc., a Florida Supreme Court decision requiring the hospital to comply, pursuant to a Florida constitutional amendment, with discovery orders requesting adverse medical incident reports in a medical malpractice case. The hospital argues that the state amendment should not override the federal Patient Safety Act that made this type of data confidential.

The U.S. District Court for the Southern District of New York granted the Sloan- Kettering Institute for Cancer Research’s motion for sanctions against biopharmaceutical company Errant Gene Therapeutics and its counsel, Vitale Vickrey Niro & Gasey LLP, for violating a protective order by using protected information from its now-dismissed lawsuit. Errant Gene Therapeutics, LLC v. Sloan-Kettering Institute for Cancer Research.

The U.S. District Court for the Northern District of Texas ordered The Source for Public Data, a company that compiles personal public records and operates, to turn over records sought by the Consumer Financial Protection Bureau as part of an investigation into possible violations of the Fair Credit Reporting Act. Consumer Financial Protection Bureau v. The Source for Public Data, LP.

The Ireland Supreme Court unanimously agreed to reject the Competition and Consumer Protection Commission’s appeal of an injunction which prevents the Commission from looking at emails from a former managing director of an Irish Cement Ltd unit which the Commission had raided, acceding to claims that such an email search violated the director’s privacy. The case is CRH PLC v. the Competition and Consumer Protection Commission in the Ireland Supreme Court.

Privacy Law Legislation Update

The U.S. House passed H.R. 1616, a bill that would officially approve the Secret Service’s National Computer Forensics Institute, which is responsible for coordinating investigations into cyberattacks and hacks, as well as providing training and equipment for state and local agencies dealing with electronic crimes. The companion Senate bill, S. 904, has been introduced.

The U.S. House also passed H.R. 2052, a bill that would make the nonconsensual sharing of explicit photos a crime in the military.

Privacy Law Initiatives in the Attorney General Community

Forty-eight Attorneys General reached an $18.5 million settlement with Target resolving their investigation into the company’s 2013 data breach, under which Target will be required to adopt advanced measures to secure customer information and to update and maintain appropriate data encryption policies. Target will also be required to segment its cardholder data from its remaining computer network and take steps to control network access.

Florida Attorney General Pam Bondi’s office secured a consent order under which car dealership Beach Blvd. Automotive, its financing arm Beach Blvd. Auto Finance and its president John King, Sr. agreed to provide more than $5 million in debt forgiveness to consumers to resolve claims of misleading business practices, including using GPS devices to track cars without the purchaser’s knowledge. The company must also change its business practices, cover $2500 in deposits consumers were forced to make and pay $280,000 in attorneys’ fees and costs.

Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail

Faculty Spotlight

NAGTRI's faculty are top-rated experts in their field. Read about them.

Course Schedule

NAGTRI offers high-quality, responsive and innovative trainings.

Research & Newsletters

NAGTRI produces comprehensive research and newsletters on topical legal issues.