The National Attorneys General Training & Research Institute
Privacy Law Newsletter March - April 2016
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
Privacy Law News
FBI, DOT Issue Warning About Connected Cars
The Federal Bureau of Investigation (FBI) and the Department of Transportation (DOT) released a public service announcement (PSA) warning manufacturers and consumers about the dangers of connected cars. The PSA warns of vulnerabilities within a vehicle’s communication functions, within a mobile device connected to a vehicle or within a third party device connected to a vehicle through a diagnostic port, any of which could become an attack portal for cybercriminals to remotely access vehicle controls and systems. The PSA recommended that consumers ensure their vehicle software is up to date, use caution when making modifications to the software and exercise discretion when connecting third party devices to vehicles. The PSA also included guidelines on what consumers should do if they suspect their vehicles have been hacked. The PSA may be accessed at http://www.ic3.gov/media/2016/160317.aspx#fn1.
FCC Proposes Data Privacy Rules for ISPs
The Federal Communications Commission (FCC) issued a notice of proposed rulemaking that would require Internet service providers (ISPs) to clearly disclose how customer data is being used, take reasonable steps to protect that information and notify affected customers within 10 days of discovering a data breach. The proposed rules, built on the three principles of choice, transparency and security, would require ISPs to obtain affirmative opt-in consent for the use and sharing of data that has not been specifically collected for the purpose of providing communications services. ISPs would be allowed to use customer data to market other communications services and to share customer data with their affiliates for those marketing purposes unless the customer opts out.
More FCC initiatives…
FCC Proposes Limits on Robocalls
The FCC issued a draft Notice of Proposed Rulemaking which would limit robocalls to people who owe money to the government to three calls per month. The proposed rules address concerns in Section 301 of the Bipartisan Budget Act of 2015, which creates an exception to the Telephone Consumer Protection Act requirement that companies get express consent for automated calls to cellular or residential phones by allowing such calls for the purpose of collecting debts owed to or guaranteed by the federal government.
Report: Cameras in the Courtroom Have Positive Effect
A majority of attorneys and judges who participated in recorded federal court proceedings agree the cameras have a positive effect, including motivating attorneys to be better prepared, according to a recent report by the Federal Judicial Conference (FJC). The report is based on a four-year pilot project that put cameras and recording equipment in 14 district courts in order to evaluate their effect on proceedings. The report, Video Recording Courtroom Proceedings in United States District Courts, may be accessed at https://www.ftc.gov/public/pdf.nsf/lookup/elecmediacov.pdf/$file/elecmediacov.pdf.
Survey: Cloud-Based Apps Pose Biggest Security Challenge
The rise of cloud-based applications and the widespread adoption of unsanctioned software by employees has resulted in new security threats, according to a recent survey by e-discovery provider Consilio. The survey, which included law firms, in-house legal departments and government-affiliated entities, found that 65 percent of respondents said the inadvertent disclosure of sensitive information was the biggest risk of using cloud-based applications. Further, 26 percent cited the risk of regulatory compliance failures. The survey results may be accessed at http://www.consilio.com/.
NSA IG Reports on Privacy Protections
The Office of the Inspector General of the National Security Agency (NSA) released three reports outlining the NSA’s compliance with the law and with privacy protections, including safeguards limiting the information it collects. The reports, issued in response to a Freedom of Information Act request, focused on the NSA’s collection authority under Section 702 of the Foreign Intelligence Surveillance Act, which allows the surveillance of non-U.S. individuals thought to be outside the country and believed to have information on terrorist threats, as well as the now defunct collection of bulk telephone metadata. Details of each report may be accessed at https://www.nsa.gov/public_info/_files/3IGReports-Sealed.pdf.
US, EU Release Text of Data Transfer Agreement
A coalition of more than 25 civil liberties advocacy groups sent a letter to several EU officials, including the leader of the Article 29 Working Party, urging them to send the Privacy Shield back to the negotiation table, arguing that “substantial reforms” must be made to U.S. surveillance laws in order for the pact to work. The coalition includes the American Civil Liberties Union, Privacy International and Digital Rights Ireland. The letter also raises questions about what limits are placed on the collection of EU data by the intelligence community and whether the EU and the U.S. have agreed on key surveillance terms, such as “bulk surveillance.” The text of the letter may be accessed at https://www.accessnow.org/cms/assets/uploads/2016/03/Priv-Shield-Coalition-LtrMar2016.pdf.
Tech Companies Form Coalition for Cybersecurity Policy and Law
Microsoft, Oracle and five other tech companies offering security products and services formed the Coalition for Cybersecurity Policy and Law to educate and influence legislators and regulators on cybersecurity and privacy issues. The coalition has already submitted comments to the National Institute of Standards and Technology (NIST) in response to its request for information on the framework for improving critical infrastructure security. Arbor Networks, Cisco Systems, Intel, Rapid7 and Symantec are the other founding members of the coalition, which is being coordinated by Ari Schwartz, managing director for cybersecurity services at Venable.
FAA Seeks Contractor Help in Assessing Cyber Threats
The Federal Aviation Administration (FAA) posted a solicitation asking contractors to outline plans for studying and tracking potential vulnerabilities of airplane communications networks, as part of the development of a strategy for detecting and thwarting potential attacks. With this outreach the FAA seeks to find out more information on the effects of the connection between planes and external networks, such as gate agents, and whether these connections need better security.
Nasdaq to Enhance Monitoring of Trading Platform
Nasdaq entered into a partnership with Digital Reasoning, a “cognitive computing” provider, in its effort to monitor an increasingly digital marketplace. The exchange plans to integrate Digital Reasoning’s speech recognition and comprehension algorithm into its SMARTS platform, which analyzes trade data for potential violations and disruptive behavior. The combined platform will also be offered to companies in the global capital markets, including brokers, regulators and exchanges, allowing them to comb through a greater volume of data to detect insider trading, collusion to manipulate markets and hiding assets.
White House Names Leaders of Commission to Enhance Cybersecurity
The White House appointed Tom Donlon, partner at O’Melveny & Myers and former national security advisor, and Sam Palmisano, former IBM CEO, as Chairman and Vice Chairman, respectively, to lead the new Commission on Enhancing National Cybersecurity. They will issue a report detailing specific findings and recommendations by the end of the year.
Report: Small Data Breaches Fall Below Cyberinsurance Coverage
The most common data breaches are those of 500 data records or fewer, which often fall below the deductibles in many insurance policies, according to a recent survey by insurance analytics company Advisen Ltd. and ID Experts. Of the 203 risk professionals surveyed, 64 percent had cyberinsurance, and of those with coverage who identified breaches in the past year, all of the breaches fell below their deductibles. According to the report, 45 percent of respondents believed their company has adequate resources to detect all breaches. The report, How Organizations Manage Data Breach Exposure, can be accessed at https://www2.idexpertscorp.com/how-organizations-manage-data-breach-exposure.
HHS Taps Privacy Experts for Cybersecurity Task Force
The Department of Health and Human Services (HHS) appointed privacy experts from Anthem, Merck, Stryker, Symantec, FireEye and more than 10 other health industry organizations to a task force that will be charged with developing cybersecurity recommendations for the health care industry. HHS was mandated to create the task force under the Cybersecurity Information Sharing Act of 2015. The task force report is expected to be completed within the next year.
Recent Court Decisions/Settlements on Privacy Issues
NJ Upholds Constitutionality of Roving Wiretap
The New Jersey Supreme Court unanimously upheld the constitutionality of the roving wiretap, which allows law enforcement to wiretap newly discovered phones without obtaining a new warrant pursuant to a court finding that the target has switched phones to avoid detection. The court modified the provision going forward to require that law enforcement notify the warrant judge within 48 hours of the switchover and obtain authorization. The case is State v. Feliciano, no. 074395 (N.J. Mar. 9, 2016).
Request for Data on Children With Lead Levels Denied
The Ohio Supreme Court denied an attorney’s request for the Cuyahoga County Board of Health to turn over any documentation regarding homes where children were found to have elevated levels of lead in their blood, finding that doing so would reveal protected health information. The case is Cuyahoga County Board of Health v. Lipson O’Shea Legal Group, slip op no. 2016-Ohio-556 (Feb. 18, 2016).
Proposed TCPA Suit Against Marketers Dismissed
The U.S. District Court for the Northern District of Illinois dismissed a proposed Telephone Consumer Protection Act (TCPA) class action against VoiceShot LLC and Kale Realty LLC, a Chicago real estate company that used its services to send marketing messages to cell phones. The court found that VoiceShot is a “common carrier” that provides telecommunications services and is therefore immune from the Act. As to Kale, the court found the messages could not be treated as ads, or even telemarketing, because they did not encourage paying for the services. The case is Payton v. Kale Realty LLC, case no. 13-cv-08002 (N.D. Ill. Feb. 22, 2016).
Time Subscriber Suit Over Sold Personal Data Dismissed
The U.S. District Court for the Eastern District of Michigan dismissed a class action in which Time magazine subscribers claimed their personal information was illegally sold to marketing companies after they had purchased their subscriptions from third parties. The court ruled that Michigan’s Video Rental Privacy Act, which bans certain disclosures made without customers’ consent, only applied to the sales of magazines to consumers when the products aren’t intended to be sold by a third party. The case is Fox v. Time Inc., no. 2:12-cv-14390 (E.D. Mich. Feb. 16, 2016).
3rd Circuit Affirms Settlement Over Unsolicited Faxes
The Third Circuit Court of Appeals affirmed a $625,000 class action settlement over legal publisher Skinder-Strauss Associates’ alleged transmission of unsolicited faxes. The court approval resolves a TCPA suit on behalf of a proposed class of consumers who alleged the publisher sent thousands of such faxes. The case is Landsman & Funk PC v. Skinder-Strauss Associates, no. 15-2485 (3rd Cir. Feb. 16, 2016).
Home Depot to Pay $19.5 Million to Resolve Data Breach Suit
Home Depot, Inc. agreed to pay $13 million into a settlement fund to reimburse approximately 40-50 million consumers affected by its massive 2014 data breach, as well as $6.5 million for 18 months of identity protection services for data breach victims. Additionally, Home Depot, which did not admit liability in the settlement, agreed to improve information security over a period of two years. The case is In re: Home Depot Inc. Customer Data Security Breach Litigation, no.14-md-02583 (M.D. Ga. Mar. 7, 2016).
7th Circuit: Business Owner Not Liable for Fax Ads
The Seventh Circuit Court of Appeals affirmed a lower court ruling, declining to hold Jerry Clark, owner of Affordable Digital Hearing, liable for sending nearly 5,000 fax ads in a class action for violation of the TCPA. The court found that Clark never authorized the marketing company to send faxes beyond a 20-mile radius of the company’s headquarters. The case is Bridgeview Health Care Center Ltd. v. Clark, nos. 14-3728 (7th Cir. Mar. 21, 2016).
Illinois Court Upholds Settlement for Ad Fax-Blasts
An Illinois appellate court upheld a $23 million class action settlement resolving claims that a former MetLife financial services representative sent unauthorized advertising fax-blasts in violation of the TCPA and the Junk Fax Protection Act. The case is Fauley v. Metropolitan Life Insurance Co., no. 14-CH-1353 (Ill. App. 2d. Mar. 23, 2016).
TCPA Class Action Against Facebook Dismissed
The U.S. District Court for the Northern District of California granted Facebook’s motion to dismiss without prejudice a proposed class action alleging that it violated the TCPA by sending unwanted automatic text messages about potential account hacks via an autodialer. The court found that the allegations did not support the inference that the text messages were sent using an automatic telephone dialing system (ATDS). The TCPA prohibits automated calls to a cell phone without prior express consent by the person being called, unless it is an emergency. The case is Duguid v. Facebook Inc., no. 3-15-cv-00985 (N.D. Cal. Mar. 24, 2016).
State Legislative News
Virginia Enacts Law to Oversee Consumer Privacy on Fantasy Sports Sites. The Fantasy Contests Act, SB 646, was signed into law by Virginia Governor Terry McAuliffe on March 7, 2016 and codified as Chapter 318. The law requires fantasy sports operators to establish procedures that would, among other provisions, prevent the sharing of confidential information that could affect fantasy sports play.
The New Jersey Senate unanimously passed a bill banning “upskirting.” The bill, AB 156, prohibits secretly photographing or recording underneath another person’s clothing, and had been passed by the Assembly in February. The bill makes the photographing a crime of the third degree punishable by imprisonment for up to 18 months, a fine of up to $10,000, or both; disclosing such a photograph is a crime of the third degree punishable by imprisonment of three to five years, a fine of up to $15,000, or both. It also authorizes civil actions by victims for monetary and equitable relief. The bill, which would become effective on July 1, 2016 if enacted, was previously passed by the Assembly. l
Hawaii Senate Committee Adopts Bill to Prevent Employers From Prying Into Employees’ Social Media Accounts. The state Senate Judicial Committee unanimously approved HB1739, which would prohibit employers from requiring, requesting or coercing current or potential employees to provide access to their social media account. The bill does provide some narrow exceptions, such as when requiring an employee to cooperate in an investigation. The bill was referred to the Ways and Means Committee.
Michigan House Passes Bill Criminalizing Posting Sexually Explicit Images Online without a person’s consent, Known as “Revenge Porn.” The bill, SB 508, previously passed the Senate and has been sent to the Governor.
Federal Legislative News
The U.S. House Judiciary Subcommittee on Crime, Terrorism, Homeland Security and Investigations passed HR 699, a bill sponsored by Representative Kevin Yoder (R-KS), which would amend the Electronic Communications Privacy Act (ECPA) to require the government to obtain a warrant before requiring providers to disclose the content of emails, regardless of how long the communication has been held in electronic storage.
S. 2592, the Medical Debt Relief Act, was introduced in the U.S. Senate and referred to the Committee on Banking, Housing and Urban Affairs. The bill, sponsored by Senator Jeff Markley (D-OR), would amend the Fair Credit Reporting Act to prohibit a consumer reporting agency from making any report containing information on a medical debt. It would also require a debt collector, before informing a consumer reporting agency regarding a medical debt, to notify the consumer in writing 180 days before the notification is sent.
S. 2558, the Spoofing Prevention Act, was introduced in the Senate and referred to the Committee on Commerce, Science and Transportation. The bill, sponsored by Senator Bill Nelson (D-FL), would expand the prohibition against knowingly transmitting misleading or inaccurate caller id information to apply to persons outside the U.S. and to text messages.
Privacy Initiatives in the Attorney General Community
Indiana Attorney General Greg Zoeller and Kentucky Attorney General Andy Beshear urged Congress to reverse a new law allowing debt collection robocalls to cell phones. Both Indiana and Kentucky ban most robocalls.
Kansas Attorney General Derek Schmidt announced that Central Regional Dental Testing Service, a business that dumped more than 900 files containing unredacted personal information of its customers, will pay a large fine to settle claims of violating state consumer privacy laws. The files were discovered in an unsecured dumpster outside the company’s offices, and Attorney General Schmidt’s Consumer Protection Division subsequently secured them.
Massachusetts Attorney General Maura Healey hosted a data privacy forum in collaboration with MIT’s Computer Science and Artificial Intelligence Laboratory, the Internet Policy Research Initiative at MIT and the Berkman Center for Internet & Society at Harvard University. The forum discussed the risks of consumer privacy and the role of states and state attorneys general in addressing those risks without restricting innovations that benefit consumers.
Missouri Attorney General Chris Koster filed separate lawsuits against three companies for violating state telemarketing and No-Call laws. Attorney General Koster sued Lawn Pro Turf Maintenance and its owners for making thousands of calls to state consumers to sell lawn care services. He also sued Delaware-based eDegree Advisors and Nevada-based Courtesy Call for calling consumers who had requested not to be contacted. Attorney General Koster is asking the court to impose up to $5,000 in penalties for each violation of the No-Call Act.
New York Attorney General Eric Schneiderman announced a settlement with Doritex Corp. and its website developer Kallus Opraments over the disclosure of more than 500 Social Security numbers over the Internet. The settlement requires Doritex to pay a $55,000 penalty, provide prompt notice of confirmed data security breaches to affected state residents and to the Attorney General and implement reasonable security policies and procedures to protect private information. Kallus must pay a $40,000 penalty and implement additional data security policies and procedures. The case was handled by Bureau of Internet and Technology Deputy Bureau Chief Clark Russell and Resident Technologist Marc Kowtko.
Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail firstname.lastname@example.org.