The National Attorneys General Training & Research Institute
Privacy Law Newsletter November 2018
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
The ABA Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 483 on lawyers’ obligations after an electronic data breach or cyberattack involving client data. The opinion sets forth that when a breach of protected client information is detected, the lawyer has a duty to notify clients of the breach and to take other reasonable steps consistent with their obligations.
The FDA issued Draft Guidance on cybersecurity management for medical devices, including the suggestion that medical device manufacturers should list all the components of a medical device that could be susceptible to vulnerabilities.
The Employees Retirement System of Texas discovered a flaw in its online portal that allowed certain individuals to view information of other members after logging on, affecting the privacy of more than 1,248,000 members. The affected members were notified by mail and enrolled in identity restoration services.
Hong Kong-based Cathay Pacific Airlines acknowledged that the personal information and travel histories of 9.4 million passengers had been compromised. The breach involved phone numbers, dates of birth, frequent flier numbers and passport and government ID numbers. The Hong Kong Privacy Commissioner for Personal Data announced it will conduct an investigation into the breach.
The Radisson Hotel Group confirmed it had suffered a data breach that exposed the personal information of Radisson Reward members, but did not compromise credit card or password information. An investigation by the company found that the information accessed included member name, address, email address and, in some cases, Rewards number.
HSBC Bank has acknowledged it suffered a data breach affecting account numbers and transaction histories at its U.S. location. The bank reported that the breach involved only one percent of its U.S. customers, who were notified, and the bank has taken steps to shore up its security.
A national campaign to assist small businesses with cybersecurity was launched by the FTC, DHS, the National Institute of Standards and Technology (NIST) and the Small Business Administration (SBA). Materials include fact sheets, videos and quizzes covering cybersecurity topics.
HHS launched its Health Sector Cybersecurity Coordination Center, the agency’s second attempt to prevent cyberattacks and increase information sharing across the health sector. The new effort replaces last year’s initiative.
In another cybersecurity initiative, the Secretary of Defense issued a memo creating the Protecting Critical Technology Task Force, which has as its mission the securing of intellectual property and data from cyber threats.
The Portuguese Data Protection Authority fined the Barreiro Hospital 400,000 euros ($454,476) for failing to comply with the GDPR by granting access to patients’ clinical data to persons who were not medical professionals. The Authority also discovered that 985 users were registered with an access role for medical doctors, while only 296 physicians worked at the hospital.
Canada’s new data breach reporting requirements became effective on November 1, 2018, requiring organizations to report certain breaches of security safeguards to the Office of the Privacy Commissioner and to notify those affected. The Office of the Privacy Commissioner issued guidance to help businesses comply with the new requirements.
The U.K. Information Commissioner’s Office released a report to Parliament on its investigation into the use of data analytics in political campaigns, finding a disregard for voters’ personal privacy among campaign entities and political parties.
CNIL, the French data authority, has issued guidance on the compatibility of blockchain technologies with the GDPR. The guidance seeks to provide solutions for stakeholders who wish to use blockchain as part of their data processing operations.
Recent Court Decisions/Settlements
The U.S. District Court for the Northern District of California has been asked to approve a settlement in which Yahoo has agreed to pay $50 million and provide credit monitoring services to the 200 million customers whose personal information was compromised in a massive data breach. The hearing for preliminary approval is scheduled for November 29, 2018.
The U.S. District Court for the District of Arizona has been asked to approve a settlement in which Motel 6 has agreed to pay $8.9 million to resolve claims in a class action lawsuit alleging its employees provided the personal information of several Latino guests to federal immigration officials, leading to their detainment.
Anthem has agreed to pay the HHS Office for Civil Rights a record $16 million and take corrective action to resolve potential HIPAA violations resulting from the largest health data breach in history. That breach exposed the protected health information of 79 million people.
The FTC gave final approval to a settlement with Uber Technologies over allegations the ride-sharing company failed to monitor employee access to consumers’ personal information and to reasonably secure consumer personal information stored in the cloud. The FTC also gave final approval to a settlement with ReadyTech over allegations that it falsely claimed to be in the process of certifying its compliance under the EU-US Privacy Shield framework.
Former Equifax manager Sudhakar Bonthu was sentenced for insider trading after pleading guilty to buying and selling stock options before the Equifax data breach was publicly announced. Bonthu was sentenced to eight months of house arrest and ordered to forfeit $75,979.
The U.S. District Court for the District of New Jersey sentenced Paras Jha, who launched a cyberattack on the Rutgers University computer network, to six months of home incarceration and ordered him to pay $8.6 million in restitution.
An Eleventh Circuit panel affirmed the seven-year sentence of Jonathan Eubanks, a former Navarro Security road officer, for hacking into his supervisor’s computer after he was fired, deleting payroll information on the company’s server and stealing the identities of three employees. The panel found the sentence to be reasonable.
Privacy Law Initiatives in the Attorney General Community
New Jersey Attorney General Gurbir Grewal and the Division of Consumer Affairs announced a $200,000 settlement with now-defunct medical transcription company ATA Consulting d/b/a Best Medical Transcription over a security breach that allowed the public to view online more than 1,650 patient records. Investigator Aziza Salikhova worked on the case, and DAGs Carla Pereira and Elliott Siebers represented the State.
Washington Attorney General Bob Ferguson released his third annual Data Breach Report, finding an increase of 26 percent in the number of residents affected by a data breach.
Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail firstname.lastname@example.org.