The National Attorneys General Training & Research Institute
Privacy Law Newsletter October 2016
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
Developments in Privacy Law
FCC Proposes Revised Privacy Rules for Broadband Providers
The Federal Communications Commission (FCC) proposed revised, less-restrictive privacy rules for broadband providers that take into account comments from the Federal Trade Commission and other stakeholders. The proposal would require customers’ opt-in consent for ISPs to use and share sensitive information, such as Social Security numbers, geo-location and browsing history. ISPs would be required to inform customers about how their data will be used and to take steps to protect it. The five-member Commission is scheduled to vote on the proposal on October 27, 2016.
Yahoo Confirms Breach of 500K Users' Account Data
Yahoo Inc. confirmed that its systems were hacked in 2014, and the personal account information of at least 500,000 users was accessed. The company said that although names, birth dates, hashed passwords, security questions and email and telephone addresses had been vulnerable, payment card data and bank account information were stored in a different system and were not accessed.
FCC: Call List Subscribers Can Request Call Blocking
The FCC issued a clarification notice explaining that subscribers to call lists and databases of consumer telephone numbers that are frequently used in scams, such as those in the name of the IRS, can ask their service provider to prevent their number from “spoofing,” the manipulation of caller ID information, The FCC said that consumers can be assumed to have consented to call blocking when their number’s subscriber has requested it. The notice may be accessed at http://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db0930/DA-16-1121A1.pdf.
Survey Finds Users Don't Know What Personal Info is Being Collected
An annual survey sweep of the privacy communications of Internet-connected devices revealed that users generally do not know what personal information is being collected or how it is being used, according to the Global Privacy Enforcement Network (GPEN). The survey was conducted by 25 global privacy regulators, including the Federal Trade Commission, the Office of the Privacy Commissioner of Canada and the United Kingdom Information Commissioner.
OCC to Require Mega-Banks to Develop Cyberattack Recovery Plans
The Office of the Comptroller of the Currency (OCC) issued guidelines for banks with $50 billion or more in average total consolidated assets that will require them to develop plans for recovery from cyberattacks. The banks will have between six to 18 months, depending on the amount of their assets, to complete their plans, starting in 2017. OCC examiners will assess the adequacy of each bank’s plan as part of their supervisory role. The guidelines can be accessed at https://occ.gov/news-issuances/bulletins/2016/bulletin-2016-30.html.
Facebook Ordered to Stop Collecting German Citizens' Data
The Hamburg Commissioner for Data Protection and Freedom of Information issued an administrative order banning Facebook from collecting and storing German WhatsApp users' data. The order also requires Facebook to delete any data that it had already gathered. The order comes in response to WhatsApp's announced sharing of data with Facebook, its parent company.
Spanish Privacy Agency Concerned Over WhatsApp’s Data Sharing
The Spanish Data Protection Agency announced on its website it will investigate WhatsApp’s plan to begin sharing user data with its parent company, Facebook. The agency will look into whether personal data communications between the two entities, including user contact information that will be used to target ads, comports with Spanish data protection laws. The investigation will focus on the type of user data WhatsApp is collecting and sharing, as well as whether consumers have been given the ability to opt out of the information sharing.
Study Finds European Cos. Not Worried About Hackers Striking Twice
Almost half of the 92 percent of large European companies that reported a data breach are not concerned about future breaches, according to a Lloyd’s of London study of business leaders’ attitudes about cyber risk. Further, the study found only 13 percent of companies believed they would lose customers if their systems were compromised. Lloyd’s surveyed 346 senior executives of companies across Europe that had revenues of more than $280 million.
Northrup Executive Named to Lead New Background Check Agency
The White House named Charles Phalen, former vice president for corporate security at Northrup Grumman and ex-director of security at the CIA before that to head the National Background Investigations Bureau. The role for the new Bureau, which began operations on October 1, 2016, was set out in an executive order issued on September 29, 2016, which can be accessed at https://www.whitehouse.gov/the-press-office/2016/09/29/executive-order-amending-executive-order-13467-establish-roles-and/.
DOD Exempts Insider Threat Records From Disclosure Rules
The U.S. Department of Defense issued a final rule that exempts information collected for the purpose of tracking potential “insider threats” from disclosure requirements under the Privacy Act. The Department will also not be required to allow individuals to access any information held about them within its system, or to notify them when their information is used by another agency or is made available as a matter of legal process, nor to allow any review or civil action in relation to those records.
Court Decisions/Settlements on Privacy Issues
N.H. Ban on Sharing Ballot Photos Struck Down
The First Circuit Court of Appeals affirmed the U.S. District Court for the District of New Hampshire's decision, finding that New Hampshire's law banning voters from sharing photographs of their completed election ballots violated the First Amendment. The court found that prevention of potential vote-buying did not justify the restrictions on free speech the law imposed. The case is Rideout v Gardner, no. 15-2021 (1st Cir. Sept. 28, 2016). Assistant Attorney General Stephen LaBonte of the New Hampshire Department of Justice represented the State on oral argument.
MA High Court Says Union Communications Not Privilege-Protected
The Massachusetts Supreme Court, in an issue of first impression, affirmed a lower court decision and ruled that union members’ communications with their unions are not protected by privilege in civil litigation, thereby denying a retired public school teacher’s attempt to keep confidential communications with her union from discovery in her suit for retaliation and discrimination. The case is Chadwick v. Danbury Public Schools, no. SJC-12054 (Mass. Oct. 4, 2016).
Texas U. Regent Blocked From Access to Unredacted Student Records
A Texas court of appeals affirmed a lower court judgment, finding that it properly dismissed the case against the University of Texas chancellor filed by the board of regents because the chancellor had sovereign immunity. A regent had sued the chancellor, alleging he had been improperly blocked from reviewing student records as part of his investigation into allegedly improper admissions, but it was the board of regents, not the chancellor, who decided only documents with personally identifiable information redacted could be accessed. The case is Hall v. McRaven, no. 3-15-783-CV (Tex. App. Sept. 16, 2016).
Chicago Sun Times Violated Law in Publishing Officers' Personal Info
The U.S. District Court for the Northern District of Illinois granted judgment on the pleadings for police officers, ruling that the Chicago Sun Times violated the Driver's Privacy Protection Act by publishing personal details obtained from state driver's license records about five police officers in the newspaper's story about the alleged cover-up of a murder committed by the mayor's nephew. The Sun Times articles ran in 2011 when Richard Daley was mayor of Chicago, The case is Gallagly v. Sun-Times Media LLC, no. 1:12-cv-658 (N.D. Ill. Sept. 29, 2016).
Court Approves Navy Credit Union TCPA Settlement
The U.S. District Court for the Central District of California gave preliiminary approval to a settlement in which the Navy Federal Credit Union agreed to pay $2.75 million to resolve claims it used an automated telephone dialing system to call consumers’ cell phones without their consent, in violation of the Telephone Consumer Protection Act (TCPA). The court had previously rejected the settlement over concerns about the scope of a release. The case is Munday v. Navy Federal Credit Union, no. 8:15-cv-1629 (C.D. Cal. Sept. 15, 2016).
Illinois Court Finds Neiman Marcus' Employee Credit Checks Violated Law
An Illinois appeals court reversed a lower court ruling, finding that Neiman Marcus violated the State's Employee Credit Privacy Act when it ran credit checks on applicants for employment. The ruling revives a class action brought by an applicant who was turned down because her credit check revealed several judgments and collection attempts against her. The case is Ohle v. The Neiman Marcus Group, no. 1-14-1994 (Ill. App. Sept. 26, 2016).
Hacker in International Scheme Sentenced to Prison
The U.S. District Court for the District of New Jersey sentenced Mircea-Ilie Ispasolu, a Romanian national, to three years in prison for participating in an international scheme in which he used malware with a keylogging function to gain unauthorized access to company systems. He also received an additional three years of supervised release and was ordered to pay $907,204 in restitution. The case is U.S.v. Ispasolu, no. 2:14-cr-500 (D.N.J. Sept. 22, 2016).
Hacker Sentenced for Providing Protected Info to Terrorists
The U.S. District Court for the Eastern District of Virginia sentenced Ardit Fenzi, a Kosovar hacker, to 20 years in prison after he pled guilty to getting unauthorized access to a company's data and leaking information on government personnel to an ISIS-based group. Fenzi was arrested in Malaysia and extradited to the U.S. for trial. The case is U.S. v. Fenzi, no. 1:16-cr-42 (E.D. Va. Sept. 23, 2016).
Art Collector Not Liable for Revealing Rothko Seller’s Identity
The Fifth Circuit Court of Appeals affirmed the decision of the U.S. District Court for the Northern District of Texas that an art collector did not breach the confidentiality clause in his agreement with the seller of a Rothko painting. The court found that the language of the agreement indicated the parties did not intend to keep the details of the sale and the identity of the seller confidential. The case is Hoffman v. Martinez, no. 15-10046 (5th Cir. Sept. 28, 2016).
Court Approves $76 Million Settlement Against Cruise Marketers
The U.S. District Court for the Northern District of Illinois gave preliminary approval to a settlement in which cruise marketing companies Caribbean Cruise Line Inc., Berkley Group Inc. and Vacation Ownership Marketing Tours Inc. agreed to pay up to $76 million to resolve claims they robocalled millions of consumers in violation of the TCPA. Class members are projected to receive $500 per call received, with the named plaintiffs each receiving $10,000. The case is Birchmeier v. Caribbean Cruise Line Inc., no. 1:12-cv-04059 (N.D. Ill. Sept. 29, 2016).
State Legislation on Privacy Issues
California Enacts Privacy Law to Shield Actors' Ages
California Governor Jerry Brown signed AB 1687 into law, a bill that will allow actors and other entertainment industry professionals to remove their ages from online entertainment employer service provider sites. The legislation was aimed at preventing age discrimination in movie and television casting.
Federal Legislation on Privacy Issues
U.S. House Passes Cybersecurity Coordination Bill
The U.S. House of Representatives passed H.R. 5459, the Cyber Preparedness Act of 2016, a bill sponsored by Rep. Dan Donovan (R-NY) that would task the Department of Homeland Security (DHS) with creating a cybersecurity coordination center. The bill would also require DHS to effect coordination between state and regional intelligence fusion centers. The bill has been forwarded to the Senate Committee on Homeland Security and Governmental Affairs.
Bills Designating Elections as Critical Infrastructure Rolled Out
Representative Hank Johnson (D-GA) introduced H.R, 6073 and H.R. 6072, bills addressing concerns over the security of election systems by designating those systems as critical infrastructures. The measures would require DHS to develop a comprehensive plan for protecting the electoral process and establish baseline security standards for voting systems. H.R. 6073 has been referred to the Science, Space and Technology Committee’s Subcommittee on Research and Technology. H.R. 6072 has been referred to the House Judiciary Committee’s Subcommittee on the Constitution and Civil Justice.
Privacy Law Initiatives in the Attorney General Community
Texas Attorney General Ken Paxton entered into an assurance of voluntary compliance with Junta Labs, Inc., maker of the “Jott” massaging app very popular with teens, under which the company agreed to implement age-screening mechanisms and heighten privacy protections for children’s personal information. Under the terms of the assurance, the apps must be in compliance with the Children’s Online Privacy Protection Act before children will be able to use them.
Vermont Attorney General William Sorrell entered into a settlement with software company Entrinsik under which the company agreed to provide better security warnings after a college in the State experienced a security breach that exposed thousands of Social Security numbers due to the ordinary use of its reporting tool, Entrinsic Informer. Entrinsik also agreed to highlight the software vulnerability for consumers through the use of dialogue boxes and warnings.
Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail firstname.lastname@example.org.