The National Attorneys General Training & Research Institute
Privacy Law Newsletter Sept - Oct 2015
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
Initiatives From the Attorney General Community
Fourteen Attorneys General filed an amicus brief in the U.S. Supreme Court in support of the respondent in Spokeo v. Robins, in which the underlying case alleges Spokeo, a people search engine website, willfully violated the Fair Credit Reporting Act by failing to maintain procedures to ensure the accuracy of personal data collected and then shared about the respondent, causing him to lose job opportunities. The brief argues that false personal information within a data profile can be expected to cause negative consequences to consumers.
California Attorney General Kamala Harris entered into a settlement with Houzz, Inc., an online platform for home remodeling and design, resolving allegations the company recorded incoming and outgoing telephone calls without notifying all parties on the call. The stipulated judgment requires Houzz to appoint a chief privacy officer to oversee its compliance with privacy laws and report any concerns. The company must also conduct a privacy risk assessment to evaluate its business processes and use of technology. Houzz is further required to secure and destroy the recordings, as well as pay $175,000 to the State.
Mississippi Attorney General Jim Hood compiled a Cybersecurity Guide that updates existing resources and is designed to help small businesses. The Guide was developed with input from other Attorneys General and builds upon cybersecurity materials from the Federal Trade Commission and other sources. It includes 1) an overview of cybersecurity threats facing small businesses; 2) a summary of practices that help manage risks posed by these threats; and 3) a response plan in the event of a cyber incident.
Missouri Attorney General Chris Koster settled a lawsuit against California-based Farmers Insurance Exchange, Truck Insurance Exchange and Fire Insurance Exchange (collectively, “Farmers”), resolving allegations Farmers agents continued to contact consumers after being instructed not to call. Under the settlement agreement, Farmers will adopt policies and procedures to prevent future No-Call violations, including agent training and annual audits of those agents. Farmers will also pay $575,000 to the State.
Acting New Jersey Attorney General John Hoffman’s Division of Consumer Affairs reached a settlement with DealerApp Vantage, LLC (“DealerApp”), a developer of mobile apps for motor vehicles, pursuant to the Division’s investigation into the company’s collection and dissemination of personal information from users without their knowledge or permission. Under the settlement, DealerApp agreed to pay $48,724.33 to the State for civil penalties and reimbursement of legal and investigative costs, with $26,224.33 to be suspended if no settlement terms are violated. DealerApp further agreed to clearly disclose the types of personal information it collects and provide such disclosures in its privacy policies; clearly disclose its use of third-party data analytics companies; and not sell, rent or transfer personal information to persons other than customers without obtaining their consent. Investigator Brian Morgenstern and Team Leader Aziza Salikhova of the Division conducted the investigation. Deputy Attorneys General Glenn Graham of the Division of Law’s Consumer Fraud Protection Section and Elliott Siebers of the Government and Healthcare Fraud Section represented the State.
Ohio Attorney General Mike DeWine’s Office launched a cybersecurity awareness campaign, which is funded by a $25,000 grant from the Sears Consumer Protection and Education Fund to build public awareness of cybersecurity. As part of the campaign, signs displaying cybersecurity messages will be placed in public transportation vehicles, mainly buses, in major cities and will be made available to libraries and public schools upon request. Additionally, Attorney General DeWine’s consumer staff trained students at seven state law schools to deliver a cybersecurity presentation, “Cybersecurity Help, Information and Protection Program (CHIPP),” focusing on security and privacy, to their communities.
Privacy Law News
IRS Rules on Value of Identity Protection Services
The Internal Revenue Service (IRS) ruled that the value of identity protection services provided at no cost to victims of data breaches need not be included in an individual’s gross income for tax purposes. The ruling is codified in IRS Announcement 2015-22 and may be accessed at http://www.irs.gov/sub/irs-drop/a-15-22.pdf.
DOJ Policy: Warrant Required for Stingrays
The Department of Justice implemented a new policy regarding the use of cell-site simulator technology, known as stingrays or “dirtboxes,” that allows investigators to locate cellular devices. Effective immediately, its law enforcement agencies must obtain a search warrant to deploy cell site simulators in criminal investigations. The Department said the changes were made to enhance transparency and increase privacy protections regarding how data is collected. The policy does not apply to state and local agencies. The policy may be accessed at http://apps.washingtonpost.com/g/documents/world/read-the-justice-departments-cellphone-tracker-policy/1729/.
ABA Survey: 50% of Attorneys’ Firms Have No Data Breach Response Plan
One-half of attorneys surveyed reported that their law firms have no data breach response plan, although 25 percent of law firms with 100 attorneys or more have experienced a data breach, according to the 2015 American Bar Association (ABA) Legal Technology Survey Report. The ABA’s Legal Technology Resource Center surveyed 90,000 attorneys in private practice to compile the report. Of the attorneys whose firms experienced a breach, three percent reported that it led to unauthorized access to sensitive client data, and five percent reported that clients were notified of the breach. The report may be accessed at http://www.americanbar.org/groups/departments_offices/legal_technology_resou rces/publications.htm.
Inspector General: Security Flaws in Healthcare.Gov
The Department of Health and Human Services Office of Inspector General released a report delineating security flaws in a central storage system for HealthCare.gov. Specifically, the Multidimensional Insurance Data Analytics System (MIDAS) was found to be vulnerable to potential breaches because it failed to encrypt some user sessions and to disable unnecessary accounts. The report may be accessed at http://oig.hhs.gov/oei/reports/oei-03-14-002/30.pdf.
AT&T Reports Attack Attempts on Devices Quadrupled
Attempts to search for weaknesses in Internet-connected devices on AT&T’s network have risen 458 percent, according to the company’s Cybersecurity Insights Report released on October 1, 2015. The report also notes that distributed denial- of-service attacks increased by 62 percent during the last two years. The report outlines the major sources of the cyberthreats, as well as ways that orgranizations can address them. It can be accessed at http://about.att.com/story/cybersecurity_insights_report.htm.
Fiat Chrysler Recalls SUVs Over Radio-Hacking Concerns
Fiat Chrysler recalled 8,000 Chrysler Jeeps in order to patch a security flaw that could allow hackers to remotely control the vehicles. The recall affects variants of the 2015 model of their Jeep Renegade sports utility vehicle with a 6.5 inch touchscreen, more than half of which are still in dealer hands, according to the company.
Survey: 75% of State CIOs Have Cybersecurity Strategic Plans
Seventy-five percent of state chief information officers have adopted cybersecurity strategic plans, up from 61 percent in 2014, according to a survey by the National Association of State Chief Information Officers (NASCIO). Of the 47 member states and territories responding to the survey, 51 percent had developed and tested a cybersecurity disruption response plan. Additionally, the survey found that 20 percent of the states have obtained cyber insurance. The annual survey, conducted by NASCIO, Grant Thornton LLP and CompTIA, may be accessed at http://www.nascio.org/StateCIOSurvey.
Defense Department Releases Interim Rule for Cloud Providers
The Department of Defense issued an interim rule which tightens contractor requirements for cloud computing, as well as for reporting cyberhacks. The rule mandates that contracts for cloud computing services be awarded only to providers that have been granted provisional authorization and requires them to maintain government data within the U.S. Contractors must report cyber incidents that result in an actual or potentially adverse effect on a contractor information system within 72 hours of discovery of the incident. The interim rule was reported in the Federal Register and may be accessed at https://federalregister.gov/a/2015-20870.
Study: 81% of Health Care Organizations Hit By Cyberattacks
Eighty-one percent of health care executives admit their organizations have been compromised by at least one cyberattack during the past two years, according to a study by KPMG LLP. Further, the study found only one-half of them feel they are adequately prepared to prevent such attacks. The study, which polled executives at 223 health care providers and health plans, all with revenues of $500 million or more, found that the number of cyberattacks is increasing, and cyberattacks are being discussed at the board level at 90 percent of the organizations. Thirteen percent of respondents reported being targeted by external hack attempts daily, and another 12 percent reported seeing two or more attacks each week. Overall, 16 percent reported that they cannot detect, in real time, if their systems are compromised. Malware accounted for 65 percent of attacks, with botnet attacks and internal attacks cited by 26 percent of respondents. More than 85 percent of the organizations have invested in information security in the past year. The study may be accessed at http://advisory-kpmg.us/content/dam/kpmg-advisory/PDFs/ManagementConsulting/2015/KPMG-15-Cyber-Healthcare-Survey.pdf.
And see other healthcare privacy news…
HHS Unveils Medical App Portal
The Department of Health and Human Services’ Office of Civil Rights unveiled an online portal for questions about compliance with the Health Insurance Portability and Accountability Act (HIPAA) from developers of mobile medical apps. The portal, http://hipaaqsportal.hss.gov/, is an effort to strengthen privacy in the expanding app marketplace. Although those who submit questions or comments on the site will have to sign in with email addresses, their identities and addresses will be anonymous.
Futures Industry Proposes Cybersecurity Rules
The National Futures Association (NFA), the self-regulatory body of the futures industry, proposed new rules on cybersecurity requirements for its members due to recent security breaches. The rules include mandatory implementation of an information systems security program for all members, including a security and risk analysis with descriptions of the safeguards deployed against identified threats. Members also have to describe the process used to evaluate a detected security incident, understand its potential effect and take appropriate measures to contain and mitigate the breach. The programs would also have to include ongoing training for personnel and regular reviews to assess their effectiveness.
OPM Awards Mega-Contract to Handle Security Breach
The Office of Personnel Management (OPM) awarded Identity Theft Guard Solutions LLC, d/b/a ID Experts, based in Portland, Oregon, a $133.26 million contract to provide response services related to OPM’s July data breach, where the personal information of 21.5 million former and current employees was stolen. Under the contract, the company will perform credit and identity monitoring, identity theft insurance and restoration for the next three years for victims and their dependent minor children.
U of Texas Receives Cyberthreat Standards Grant
The University of Texas in San Antonio was awarded a $11 million grant from the Department of Homeland Security to set standards for sharing cyberthreat information between the private sector and the government. The grant stems from a cybersecurity executive order signed by President Obama that laid out the framework for expanded information sharing to more quickly detect and prevent cyberthreats and attacks.
SEC to Inspect Stockbrokers’ Cybersecurity in 2nd Round
The Security and Exchange Commission issued a notice of its plan to launch a second round of examinations of brokerage and advisory firms’ cybersecurity. This time the agency will focus on factors such as access controls, employee training, board involvement and vendor management. The SEC’s Office of Compliance Inspections and Examinations (OCIE) provided an outline of the factors it will consider, including the strength of the firms’ cybersecurity governance and risk assessment processes, the communication to and involvement of senior management and the board of directors and the safeguards in place to control access to systems. The OCIE attached a sample request for information and documents to the notice of questions and requests that examiners are likely to pose. The notice may be accessed at https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative/pdf.
Insurance Commissioners Adopt Cybersecurity Bill of Rights
On October 14, 2015, a task force of the National Association of Insurance Commissioners adopted a cybersecurity “bill of rights” that, if approved by the Association, would tell consumers what they could expect from insurance companies and agents who collect and maintain their personal information. The one-page document contains six enumerated rights, including the right to be notified within 60 days of a data breach and to receive free credit monitoring paid by the affected insurer or agent. The bill of rights may be accessed at http://www.naic.org/documents/committees_ex_cybersecurity_tf_related_cybers ecurity_bill_of_rights.pdf.
Recent Court Decisions
EU Court: U.S. Data Sharing Pact Violates User Privacy
On October 6, 2015, the European Union (EU) Court of Justice ruled that the safe harbor pact establishing transatlantic data transfers between the U.S. and the EU should be struck down, finding that the pact fails to provide an adequate level of protection for EU citizens’ data. The underlying case involved Austrian privacy activist Maximillian Schrens, a Facebook user, who filed a complaint with Irish authorities when he learned that Facebook Europe routinely transfers European Union users’ data to U.S.-based servers. EU law allows for personal data transfers to third nations only where the European Commission finds the third nation’s controls are adequate. Schrens argued that revelations made by National Security Agency whistleblower Edward Snowden showed that U.S. laws and practices meant his data was not safe from unwanted surveillance. Schrens took his case to the High Court of Ireland, which asked the EU Court of Justice to weigh in. The EU judgment can be accessed at http://curia.europa.eu/cms/upload/docs/application/pdf/2015-10/cp150117en.pdf.
9th Circuit: Plaintiff Can’t Sue Under Video Privacy Protection Act
The Ninth Circuit Court of Appeals affirmed a district court decision finding that a plaintiff cannot sue two under the Video Privacy Protection Act because the Act does not provide for a private right of action to enforce its data retention requirements for video service providers. Appellant Daniel Rodriguez had sued two units of Sony for violating the Act by retaining his personal information beyond the Act’s statutory limits and disclosing that information between Sony entities. The case is Rodriguez v. Sony Computer Entertainment America, LLC, 2015 U.S. App. LEXIS 15782 (9th Cir. Sept. 4, 2015).
11th Circuit: Free App User Not a “Subscriber” Under Video Privacy Protection Act
The Eleventh Circuit Court of Appeals affirmed that the Cartoon Network did not violate the Act by disclosing information about users of its mobile app without their consent holding that a person who downloads a free mobile app to his smartphone is not a “subscriber” within the meaning of the Act. Appellant Mark Ellis downloaded the Cartoon Network’s free CN app to watch video clips. The Network kept records of the videos he watched and, without his consent, shared those records with Bargo, a third party data analysis company. Ellis sued the network, alleging it violated the Act by disclosing his personal information without his consent. The U.S. District Court for the Northern District of Georgia dismissed the complaint, which was affirmed by the appeals court on the same grounds. The case is Ellis v. The Cartoon Network, Inc., 2015 U.S. App. LEXIS 17669 (11th Circ. Oct. 9, 2015).
CA Appeals Court: Privacy Rights Under SCA Not Trumped by Pretrial Discovery
A California Court of Appeals granted the motion to quash defendants’ subpoena seeking public and private information from the social media accounts of a murder victim and a witness. Defendants, who are accused of murder, sought the information during pretrial discovery from Facebook, Instagram and Twitter during pretrial discovery. The court found that defendants’ right to pretrial discovery is limited and does not supercede the Stored Communication Act’s protection of private communications. The case is Facebook Inc. v. Superior Court of San Francisco City and County, 240 Cal. App. 4th 203 (Sept. 8, 2015).
Coach Who Demanded Student’s Facebook Profile Immune From Suit
The Fifth Circuit Court of Appeals ruled that a Mississippi high school cheerleading coach who demanded access to a student’s Facebook profile as part of an informal bullying investigation was immune from suit alleging she violated the student’s First and Fourth Amendment rights, reversing a decision by the U.S. District Court for the Southern District of Mississippi. The court found that the coach and other high school officials were entitled to qualified immunity because the coach accessed the student’s profile in 2007, predating relevant U.S. Supreme Court case law that established limits on student searches. The case is Jackson v. Ladner, 2015 U.S. App. LEXIS 16584 (5thCir. Sept. 15, 2015).
DC District Court Chosen for OPM Data Breach Suits
The Judicial Panel on Multidistrict Litigation selected the U.S. District Court for the District of Columbia to handle pretrial proceedings in suits against the Office of Personnel Management (OPM) over a data breach affecting 21.5 million former and current employees. The Judicial Panel’s order consolidates three actions: an action in the District of Columbia brought by the American Federation of Government Employees; an action in the Northern District of California brought by the National Treasury Employees Union; and an action in the District of Kansas brought by plaintiff Woo. The transfer order may be accessed at http://www.jpml.uscourts.gov/sites/pmt/files/MDL-2664-Initial_Transfer-10-15.pdf.
State Legislative News
California Governor Jerry Brown signed AB 998 into law, a bill adding libel protections to Internet publications. It removes the distinctions between print outlets and online versions of daily news sites and gives libel protections to publishers. The legislation was signed on September 28, 2015 and codified as Chapter 343.
California Governor Brown also signed the Electronic Communications Privacy Act into law. Among other provisions, the omnibus law, signed on October 8, 2015, requires police to obtain a warrant before accessing electronic information, such as emails, text messages and online documents. A warrant is also required for tracking or searching electronic devices.
Maine’s Employee Social Media Privacy law became effective on October 15, 2015.
The law prohibits employers from requiring employees and job applicants to provide access to their social media accounts. Social media accounts that are opened at the request of an employer, provided by an employer or intended for use primarily on behalf of an employer are excluded. The law also prohibits “shoulder surfing,” or the practice of requiring an employee or applicant to sign into an account in the presence of the employer; requiring employees or applicants to add individuals to their list of social media contacts; or requiring them to alter account settings. The legislation was passed by the Maine legislature and became law without the governor’s signature.
The Texas Relationship Privacy Act became effective on September 1, 2015.
The statute bans the practice of posting intimate pictures of other persons on the Internet without their consent, known as “revenge porn,” making it a Class A misdemeanor. The statute also provides a civil cause of action allowing a prevailing plaintiff to recover actual damages, including damages for mental anguish, court costs, attorney’s fees and exemplary damages. A court may also impose fine of $1,000 for each willful or intentional violation.
Federal Legislative News
The House of Representatives passed HR 3510, a bill requiring the Department of Homeland Security (DHS) to develop a cybersecurity strategy. The bill, which passed the House on October 6, 2015, prohibits the strategy from being construed as permitting DHS to engage in monitoring, surveillance or other collection activities to track an individual’s personal information. DHS is required to submit the strategy and implementation plan to Congress. The bill was forwarded to the Senate and referred to the Committee on Homeland Security and Governmental Affairs.
The House also passed HR 3510, a bill directing the Transportation Safety Administration (TSA) to establish an intelligence-driven model for the screening of airport employees for access to secure areas at U.S airports. The TSA is also required to 1) establish a program for the use of E-Verify badges at airports; 2) establish a process to transmit applicants’ biometric fingerprint data for vetting; and 3) establish a national database of employees who have had their badges revoked for failure to comply with aviation requirements.
The Senate passed S. 754, after substituting a “managers package” of protections from liability for companies who share information on cybersecurity and security threats. The bill would allow private entities to share and receive information on cybersecurity threats and security vulnerabilities with other entities and the federal government. The bill also permits state and local agencies to use shared information to investigate or prosecute offenses related to threat of death or serious threat of economic harm. The bill has been forwarded to the House.
HR 3669, the Safe Drone Act, was introduced by Senator Barbara Boxer (D-CA) on October 1, 2015. The bill makes it a crime to operate a drone within a two mile radius of a hub airport or an ongoing firefighting operation. Violators would be subject to fines, up to one year in prison, or both. The bill has been referred to the Committee on the Judiciary.
The House passed HR 1428, a bill that would authorize the Department of Justice to designate foreign countries or regional economic integration organizations whose citizens would be given the right to pursue civil remedies under the Privacy Act of 1974 against certain U.S. government agencies related to shared law enforcement data. The legislation has been referred to the Senate Committee on the Judiciary.
Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail firstname.lastname@example.org.