The National Attorneys General Training & Research Institute
Privacy Law Newsletter May - June 2016
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
Privacy Law Developments
GAO Reports Tracking Apps Are “Wolves in Sheep’s Clothing”
Responding to a request from the Senate Judiciary Committee, a report by the General Accounting Office (GAO) analyzes the role of smartphone tracking apps in facilitating stalking, as well as the potential responses the federal government may take against their developers. Of the 40 apps examined, the report notes that most are “wolves in sheep’s clothing,” with marketing materials billing them as tools for tracking children and elderly patients, although one-third of them are openly sold as spying tools. According to the report, most of the developers seek to avoid liability with disclaimers in their terms of service. The report further identifies four federal statutes of potential applicability to the developers, three of which have not been used in the smartphone tracking context. The report may be accessed at http://www.gao.gov/assets/680/676738.pdf.
High Court Rule Allows Issuance of Warrants Outside Court Jurisdiction
The U.S. Supreme Court adopted an amendment to Rule 41(b) of the Federal Rules of Criminal Procedure which would authorize courts to issue warrants for remote access to electronic data outside of their jurisdiction in situations where the location of the data has been “concealed through technologic means” or when the data is located in five or more districts. The current rule limits warrant requests to the search and seizure of property located within the court’s district. Congress has until December 1, 2016 to change the amendment or it will become effective.
Data Breach Report: Hackers Winning
Businesses are not able to keep up with hackers, according to a 2016 data breach investigations report by Verizon Enterprise Solutions. The report found it took hackers mere minutes to compromise systems in 93 percent of the 2,260 breaches that Verizon analyzed, and the hackers were able to extract the data from the system within days in more than 98 percent of the incidents. Perhaps even more alarming is the report’s finding that the hackers’ targets did not discover the breaches for weeks in more than 83 percent of the cases, with the notification being received from law enforcement or another external source. The report can be downloaded at http://www.verizonenterprise.com/verizon-insights-lab/dbir/ at no cost after entering contact information.
Federal Regulators Investigate Mobile Device Security Updates
The Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) separately sent letters to Apple, Verizon, Google, AT&T and other carriers and mobile device manufacturers regarding security updates, seeking information on patching vulnerabilities and patch distribution methods. The FCC letter asked about the hurdles to releasing updates, the existence of data on whether customers install them and data on devices sold and their vulnerabilities. The FTC also requested information on the factors in the decision to patch a vulnerability.
Payment Card Security Rules Updated
The Payment Card Industry (PCI) Security Standards Council published new data security standards that would require card administrators to use additional security other than a password when accessing sensitive cardholder data. The update, which will take precedence in October 2016, also added criteria to help firms apply the standards as a daily practice. The PCI executive committee, which is composed of representatives from American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc., historically has updated its rules every three years.
FTCSeeks Privacy Modification to Set-Top Box Unlock Proposal
The FTC sent a letter to the FCC asking for a modification to its proposal to “unlock” set-top boxes in order to ensure the FTC can enforce privacy promises made by third-party manufacturers of the boxes that fall under its jurisdiction. The current proposal requires manufacturers to certify to cable and satellite providers only that they are complying with the privacy requirements applicable to providers, but the FTC wants the certification to include consumers. The FCC’s proposal would allow consumers to access their cable or satellite programming on the same interface as their online streaming content.
FAA Finalizes Rule for Small Commercial Drones
The Federal Aviation Administration (FAA) issued its long-awaited rule governing the commercial use of small drones, categorized as those weighing less than 55 pounds. The rule framework sets forth that such drones can be flown up to a maximum speed of 100 miles per hour, at a maximum height of 400 feet and only flown between 30 minutes before official sunrise and 30 minutes after official sunset, as long as there is appropriate anti-collision lighting. The drones must also remain within the drone operator’s line of sight. Flights above people who are not involved in the drone operation are prohibited. As to drone operators, they must be at least 16 years of age and have a remote pilot airman certificate with a small unmanned aircraft systems rating or be directly supervised by someone with such a certificate. Qualifying for the certificate requires the applicant to pass an aeronautical knowledge test at an FAA-approved center or have a “Part 61” pilot certificate other than student pilot, have completed a flight review within the previous 24 months and complete an FAA-provided online training course. The complete rule may be accessed at https://www.faa.gov/regulations_policies/rulemaking/recently_published/.
Drone Stakeholders Release Best Practices Guidelines
A stakeholder group assembled by the National Telecommunications and Information Administration (NTIA) finalized a compendium of voluntary best practices guidelines for the use of unmanned aircraft systems (UAS), or drones. The guidelines address privacy, transparency and accountability issues related to both commercial and private use of UAS, with a preamble contending its growing use will have a positive impact in the U.S. The guidelines suggest that UAS operators should try to avoid collecting personally identifiable information when the subject has a reasonable expectation of privacy, and that any data that is collected should be secured against theft or loss and should not be retained longer than necessary to fulfill its intended purpose. The guidelines may be accessed at https://www.ntia.doc.gov/files/ntia/publications/voluntary_best_practices_for_uas_privacy_transparency_and_accountability.pdf.
US-CERT Warns of Old Software System Vulnerability
The U.S. Computer Emergency Readiness Team (CERT) issued a public alert of a security gap in Java platforms of outdated business software developed by SAP SE. Although the vulnerability was addressed in a 2010 update, it still affects systems that were not updated since that time or were incorrectly updated. The alert noted that cyberattackers have already targeted this vulnerability in attempted breaches of the systems of 36 companies. SAP software is used by 44 militaries and all but two of the world’s 100 most valuable brands. The alert may be accessed at https://www.us-cert.gov/ncas/alerts/TA16-132A.
Privacy Rules for White House Health Initiative Released
The Administration released privacy rules to protect health data collected through President Obama’s Precision Medicine Initiative to make health care more individualized through the use of research. The rules focus on having a flexible plan to prevent, detect and address data breaches that will be updated as data security evolves. They provide for names, birth dates, Social Security numbers and other identifiers to be encrypted, with encryption keys stored in a different location than the data. Contractors and other third parties would be required to have the same level of data safeguarding. The rules may be accessed at https://www.whitehouse.gov/sites/whitehouse.gov/files/documents/PMI_Security_Principles_Framework_v2.pdf.
European Bankers Seek Global Cybersecurity Standards
The European Banking Federation, the Global Financial Markets Association and the International Swaps and Derivatives Association issued a white paper on their proposed principles for ensuring effective global policy measures on cybersecurity. The principles are intended to outline the considerations to be taken into account when a governmental body creates any legislation or regulation that would affect the technology infrastructure of financial services. Principles highlighted include the need for regulators to focus on establishing policies and procedures rather than compliance, the recognition that cybersecurity is a shared responsibility and the acknowledgement that cyber risks are just one component of enterprise risk management.
FTC Staff Wants Tweaks to FCC Privacy Regs for Broadband Providers
The FTC Bureau of Consumer Protection staff filed a statement suggesting tweaks to the FCC’s plan to establish privacy regulations for broadband providers, noting that ISPs and other services should also be subject to the same rules. The statement generally supported the FCC plan and its core principles of transparency, consumer choice and data security, but said the proposal could be strengthened. As an example, the FTC favors using opt-in for sensitive information, as the FCC plan would let providers use the content of communications for marketing without opt-in consent and should be adjusted. The FTC also recommended changes to the definition of personally identifiable information, the structuring of privacy notices and breach notification. The comments may be accessed at https://www.ftc.gov/system/files/documents/advocacy_documents/comment-staff-bureau-consumer-protection-federal-trade-commission-federal-communications-commission/160527fcccomment.pdf.
GAO Report Finds SEC Cybersecurity Weaknesses
The GAO issued a report finding that the Securities and Exchange Commission (SEC) still has cybersecurity weaknesses that could affect the financial and personal information of investors and businesses. The report examined how the SEC controls its networks and protects sensitive information, finding that while the SEC has addressed some of the flaws found in the GAO’s 2014 report, there are still four key areas of weakness in the SEC’s information security. The report cited such problems as a lack of segmentation between the SEC’s three computing environments and a failure to review and update plans for how systems could be recovered after a disaster. In particular, the report detailed the SEC’s failure to control access to its network, finding it did not always restrict traffic passing through firewalls and did not ensure that only authorized individuals could access its filing systems. The report may be accessed at http://www.gao.gov/assets/670/662612.pdf.
Recent Court Decisions/Settlements on Privacy Issues
Federal Court Rules Robocalls Unlawful Under TCPA
The U.S. District Court for the Northern District of Illinois granted partial summary judgment against tax-exempt non-profit Economic Strategy Group and its founder, Jacob DeJongh, ruling that calls with prerecorded messages to cell phones, known as robocalls, are unlawful under the Telephone Consumer Protection Act (TCPA) without prior express consent. The class, which could be comprised of as many as one million people, allegedly received such calls offering a free cruise for participating in a political opinion survey. The court declined to find Caribbean Cruise Line Inc., Vacation Ownership Marketing Tours Inc. and the Berkley Group Inc. liable for using the Group as marketers. A status conference has been set. The case is Aranda v. Caribbean Cruise Line Inc., no. 1:12-cv-04069 (N.D. Ill. May 24, 2016).
NJ Appeals Court Limits Disclosure of Workers’ Comp Medical Records
A New Jersey appeals court reversed a lower court’s refusal to tailor a protective order to limit dissemination of workers’ comp medical records to the case at bar. Defendant Union Carbide Corp. (UCC) had asked for the protective order after the plaintiff was granted a discovery request to obtain medical records of other former UCC employees who filed workers’ comp claims. The appeals court found that the alternative protective order issued by the court, which required notification to the other employees and, upon their failure to respond, were deemed to have waived their privacy interests, failed to adequately protect the employees’ privacy interests. The case is Seymoure v. A.O. Smith Water Products Co., no. A-3967-14T3 (N.J. Sup. Ct. App. Div. May 11, 2016).
Amazon to Pay Up for Unauthorized In-App Purchases By Kids
The U.S. District Court for the Western District of Washington granted the FTC’s motion for summary judgment as to financial relief against Amazon.com in a suit claiming Amazon failed to gain proper consent before allowing kids to run up millions of dollars of in-app purchases without their parents’ knowledge. The court found that Amazon’s customers, even those who asked for and received refunds, were injured. The case is FTC v. Amazon.com, Inc., no. 2:14-cv-01038 (W.D. Wash. Apr. 26, 2016).
Circuit Split on Video Privacy Act Liability
A three-judge panel of the First Circuit Court of Appeals reversed a decision of the U.S. District Court for the District of Massachusetts that dismissed a class action alleging the Gannett Company violated the Video Privacy Protection Act (VPPA) by recording what videos USA Today app users watched and providing the information to Adobe for analysis. While the panel agreed that the title of the video viewed and the device’s unique identifier and GPS coordinates constituted personally identifiable information, it disagreed with the district court’s finding that plaintiff Alexander Yershov was not a “subscriber” of USA Today and thus not a “consumer” under the Act. The VPPA decisions of the Seventh and Ninth Circuits have ruled in favor of defendants. The case is Yershov v. Gannett Satellite Information Network Inc., no. 15-1719 (1st Cir. Apr. 29, 2016).
Call “Spoofing” Provider Not Liable for Harassing Calls
The First Circuit Court of Appeals affirmed a ruling by the U.S. District Court for the District of Massachusetts granting summary judgment to TelTech on claims that someone allegedly used the company’s SpoofCard service to harass plaintiff Siobhan Walsh. The court agreed that Walsh, who claimed violations of the Massachusetts consumer protection statute, had not shown TelTech was responsible for the caller’s actions. The case is Walsh v. TelTech Systems Inc., no. 15-1987 (1st Cir. May 2, 2016).
ATM-Skimming Gang Member Gets 7+ Years
The U.S. District Court for the District of New Jersey sentenced Diru Horvat, who was convicted of aggravated identity theft, conspiracy to commit bank fraud, conspiracy to possess 15 or more counterfeit access devices and conspiracy to possess equipment to make such devices to 89 months in prison and five years of supervised release. Horvat was a member of a scheme that installed hidden card-reading devices on ATMs and stole more than $5 million. The case is U.S. v. Horvat, no. 2:14-cr-00067 (D.N.J. May 3, 2016).
Experian Data Breach Suit Dismissed for Lack of Injury-in-Fact
The U.S. District Court for the Central District of California dismissed and remanded to state court a class action suit against Experian Data Corp. and Infosearch LLC for a data breach that allegedly allowed identity thieves access to personal information. The court ruled that plaintiffs failed to establish an injury-in-fact. Plaintiffs had claimed that after Experian discovered its recently purchased Court Ventures had been illegally obtaining public record information through web scraping, it failed to alert potential fraud victims. The case is Patton v. Experian Data Corp, no. 8:15-cv-01871 (C.D. Cal. May 6, 2016).
Driver’s Privacy Protection Act Suit Time-Barred
A three-judge panel of the Eleventh Circuit Court of Appeals affirmed the U.S. District Court for the Southern District of Florida’s dismissal of claims against Miami-Dade County for alleged violations of the Driver’s Privacy Protection Act. The court ruled that the statute of limitations ran from the date of the alleged violation, not from the date it was discovered. A Florida couple had sued, claiming their personal information had been accessed through the state’s Driver and Vehicle Information Database without authorization and with intent to harass. The case is Foudy v. Miami-Dade County, Florida, no. 15-12233 (11th Cir. May 19, 2016).
SEC Settles With Alleged Corporate News Hacker
The SEC entered into a settlement with Oleksandr Makarov, who was part of a $100 million scheme that allegedly traded on hacked newswire information. The SEC claimed the hackers stole hundreds of corporate earnings announcements before they were released and transmitted them to foreign traders. Under the settlement, Makarov must pay $100,000 and agree not to violate the Securities Exchange Act. The SEC has recovered more than $52 million. The case is SEC v. Dubovoy, no. 2:15-cv-06076 (D. N.J. May 4, 2016).
Hospital Data Breach Suit Back to State Court Per Spokeo Ruling
The U.S. District Court for the District of Maryland remanded a class action data breach suit against a hospital back to state court, relying on the recent U.S. Supreme Court ruling in Spokeo Inc. v. Robins to hold that Fardoes Khan, a patient at Children’s National Health System whose personal information was released during a data breach, did not have standing in federal court because of a lack of concrete injury. The case is Khan v. Children’s National Health System, no. 8:15-cv-02125 (D. Md. May 19, 2016).
Insurance Co. Still Liable Despite Employee’s Failure to Secure Network
A panel of the Eighth Circuit Court of Appeals affirmed the U.S. District Court for the District of Minnesota’s ruling that BancInsure Inc. must still cover State Bank of Bellingham’s loss after its computer network was hacked, even though a bank employee failed to secure the network. The court ruled that even if employee negligence was a contributing factor to the loss, the loss would still be covered because the hacker’s illegal activities were the primary cause. The case is State Bank of Bellingham v. BancInsure Inc., no. 14-3432 (8th Cir. May 20, 2016).
$2.75 Million Settlement Rejected as Exceeding Scope of TCPA Claims
The U.S. District Court for the Central District of California rejected a proposed $2.75 million class action settlement with Navy Federal Credit Union over its practice of using an automated phone dialing system to call cell phone users without their prior consent, in violation of the TCPA. The court found that the release of claims to be signed by each class member exceeded the claims and facts alleged in the suit. The case is Munday v. Navy Federal Credit Union, no. 8:15-cv-01629 (C.D. Cal. May 26, 2016).
No Warrant Required to Obtain Users’ Past Cell Site Locations
The Fourth Circuit Court of Appeals affirmed, 12-3, the U.S. District Court for the District of Maryland’s ruling that the government does not violate the Fourth Amendment when it obtains historical cell site location information from an ISP without a warrant. The court found that the third party doctrine applied, reasoning that Aaron Graham and Eric Jordan, who were convicted of armed robberies, had voluntarily turned over non-content-related location information to a third party, so all that the government needed to obtain the information was a court order under the Stored Communications Act. The case is U.S. v. Graham, no. 12-4659 (4th Cir. May 31, 2016).
Settlement Reached in TCPA Violations Case Against Payday Lenders
The U.S. District Court for the District of Nevada gave preliminary approval to a proposed $8 million settlement between payday lenders and class members contacted on their cell phones by the companies using an automatic dialing system and without prior consent, in violation of the TCPA. Under the settlement, which would dismiss claims against Clark County Collection Service LLC, Dollar Loan Center LLC and DLC Empire LLC, each class member would receive pro rate awards ranging from $200 to $1500. The case is Grider v. Clark County Collection Service LLC, no. 2:13-cv-01731 (D. Nev. May 31, 2016).
State Legislative Action
Tennessee Amends Data Breach Statute to Expand Notification Requirement.
Governor Bill Haslam signed SB 2005 into law, which would require that notification of a breach be provided to any affected resident within 45 days of discovery. The existing statute required notification only in a breach of unencrypted personal information. The bill, codified as Pub. Ch. 692, becomes effective on July 1, 2016.
Connecticut Enacts Student Data Privacy Law.
Governor Dannel Malloy signed HB 5469, a bill which restricts how student information may be used, into law. The new law, codified as Public Act no. 16-189, requires businesses that collect and maintain educational records to take steps to safeguard the data and refrain from using it for advertising purposes. Software and electronic information services contractors are banned from using student records in advertising or for any purpose other than that authorized under their contract.
Rhode Island Legislature Criminalizes Revenge Porn, Sextortion.
On June 14, 2016, the Senate passed H7537, a bill that would prohibit the posting of sexually explicit photos of an individual without his or her consent, known as “revenge porn.” The bill previously passed the House. A first offense would be a misdemeanor subject to one year in prison, a $1,000 fine or both. Subsequent offenses would be felonies subject to up to three years in prison and a fine of up to $3,000 or both. The bill would also create criminal penalties for “sextortion,” a crime of sending personal images of an individual to force the individual to send more sexually explicit photos under threats of making the images public, or to exhort the victims to pay money or provide personal information for them not to be made public. The bill has been forwarded to the Governor.
Ed. Note: As this newsletter went into publication, Governor Gina Raimondo vetoed the bill, saying it was potentially chilling to free speech.
Missouri Bill Would Block Access to Body Camera Footage.
The Missouri Legislature passed HB 1936, a bill which would restrict public access to footage collected by body cameras and cameras mounted inside patrol vehicles during the course of the investigation. Once an investigation is completed, footage would remain restricted if recorded at locations where one would have a reasonable expectation of privacy. The bill has been sent to the governor.
Kansas Enacts Law Requiring Safeguarding of Personal Information.
On May 17, 2016, Governor Sam Brownback signed HB 2460 into law, a bill requiring entities that collect personal information to have procedures and policies in place to safeguard the data from unauthorized disclosure. The bill also requires that personal information be securely destroyed when no longer to be retained so that personal information cannot be retrieved. The new law is effective on July 1, 2016.
California Bill Would Allow State Copyrights.
On June 2, 2016, the California Assembly passed AB 2880, a bill which would allow a state entity to own, license and register intellectual property it creates or otherwise acquires. The bill would also block public agencies from denying requests for public records on grounds that the information is protected by the federal Copyright Act. The bill has been sent to the Senate Judiciary Committee.
Federal Legislative News
House Passes Bill Banning IRS From Requiring Disclosure of Non-Profit Donors.
HR 5053, sponsored by Representative Peter Roskam (R-IL) would except disclosures regarding tax shelter transactions and contributions by the organization’s officers. It has been forwarded to the Senate.
Congress Passes Bill to Provide Tax Info in Missing Children Cases.
On June 16, 2016, the Senate passed HR 3209, a bill sponsored by Representative Erik Paulsen (R-MN) and previously passed by the House, which would allow disclosure of tax returns to state and local law enforcement agencies who are partnering with a federal agency in investigations of missing or exploited children cases. The bill has been forwarded to President Obama.
Privacy Initiatives in the Attorney General Community
Fifteen Attorneys General sent a letter to the FCC telling the Commission that its plan to “unlock” TV set-top boxes must require privacy statements from third-party manufacturers so that states and the FTC can enforce consumer privacy protections. Further, the letter said the FCC must also ensure that any action will not preempt states or hinder their ability to enforce their laws.
Indiana Attorney General Greg Zoeller testified before the U.S. Senate Committee on Commerce, Science and Transportation on protecting consumers from unwanted calls, scams and robocalls and the impact of the TCPA. Attorney General Zoeller has urged the committee to pass the Help Americans Never Get Unwanted Phone calls (“HANGUP”) Act, which would repeal a TCPA amendment allowing debt collection robocalls to cell phones if the debt is owned or guaranteed by the U.S.
Kansas Attorney General Derek Schmidt announced that HB 2460, a bill he proposed, has been signed into law, requiring entities that collect and hold personal information to exercise reasonable care to prevent the information from being improperly disclosed. The new law requires that when such records are no longer to be retained, they must be properly and securely destroyed.
Ohio Attorney General Mike DeWine filed suit against Kevin Calvin, d/b/a Rocket Marketing Network Solutions and Made in America Cleaning and Restoration, accusing him and his companies of placing about 1.6 million illegal robocalls to consumers. Calvin allegedly used 60 different originating telephone numbers, so consumers were unable to block the calls. The suit seeks an injunction, consumer damages and civil penalties.
Rhode Island Attorney General Peter Kilmartin announced that the House of Representatives passed legislation filed at his request that would prohibit the posting of “revenge porn” and would also create criminal penalties for those engaging in “sextortion.”
Texas Attorney General Ken Paxton entered into a settlement with PayPal Inc. resolving allegations concerning the safety and security of its Venmo mobile phone app. Venmo allegedly used consumers’ phone contacts without clearly disclosing how the contacts would be used, did not clearly disclose how consumers’ transactions and interactions with other consumers would be shared and misrepresented that communications from Venmo were actually from other consumers. Under the settlement terms, venom has agreed to improve disclosures to consumers regarding privacy and security, better inform them of the available safeguards on its app and ensure they know they can view their transaction data. Venmo will also pay $175,000 to the State.
Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail firstname.lastname@example.org.