Privacy & Information Security Law Blog

On May 23, 2017, various attorneys general of 47 states and the District of Columbia announced that they had reached an $18.5 million settlement with Target regarding the states’ investigation of the company’s 2013 data breach. This represents the largest multi-state data breach settlement achieved to date.

On May 22, 2017, New York Attorney General Eric T. Schneiderman announced that the AG’s office has reached a settlement (the “Settlement”) with Safetech Products LLC (“Safetech”) regarding the company’s sale of insecure Bluetooth-enabled wireless doors and padlocks. In a press release, Schneiderman indicated that this “marks the first time an attorneys general’s office has taken legal action against a wireless security company for failing to protect their [customers’] personal and private information.”

On May 12, 2017, a massive ransomware attack began affecting tens of thousands of computer systems in over 100 countries. The ransomware, known as “WannaCry,” leverages a Windows vulnerability and encrypts files on infected systems and demands payment for their release. If payment is not received within a specified time frame, the ransomware automatically deletes the files. A wide range of industries have been impacted by the attack, including businesses, hospitals, utilities and government entities around the world.

Earlier this month, the New York State Department of Financial Services (“NYDFS”) recently published FAQs and key dates for its cybersecurity regulation (the “NYDFS Regulation”) for financial institutions that became effective on March 1, 2017.

On April 6, 2017, New Mexico became the 48th state to enact a data breach notification law, leaving Alabama and South Dakota as the two remaining states without such requirements. The Data Breach Notification Act (H.B. 15) goes into effect on June 16, 2017.

On April 4, 2017, the Massachusetts Attorney General’s office announced a settlement with Copley Advertising LLC (“Copley”) in a case involving geofencing.

Recently, Virginia passed an amendment to its data breach notification law that adds state income tax information to the types of data that require notification to the Virginia Office of the Attorney General in the event of unauthorized access and acquisition of such data. Under the amended law, an employer or payroll service provider must notify the Virginia Office of the Attorney General after the discovery or notification of unauthorized access and acquisition of unencrypted and unredacted computerized data containing a Virginia resident’s taxpayer identification number in combination with the income tax withheld for that taxpayer. 

On March 9, 2017, AllClear ID will host a webinar with Hunton & Williams partner and chair of the Global Privacy and Cybersecurity practice Lisa J. Sotto on the new cybersecurity regulations from the New York State Department of Financial Services (“NYDFS”).

On December 28, 2016, the New York State Department of Financial Services (“DFS”) announced an updated version of its cybersecurity regulation for financial institutions (the “Updated Regulation”). The Updated Regulation will become effective on March 1, 2017.

On October 14, 2016, California Attorney General Kamala D. Harris announced the release of a publicly available online form that will enable consumers to report potential violations of the California Online Privacy Protection Act (“CalOPPA”). CalOPPA requires website and mobile app operators to post a privacy policy that contains certain specific content.

On October 3, 2016, the Texas Attorney General announced a $30,000 settlement with mobile app developer Juxta Labs, Inc. (“Juxta”) stemming from allegations that the company violated Texas consumer protection law by engaging in false, deceptive or misleading acts or practices regarding the collection of personal information from children.

On September 15, 2016, the New Jersey Senate unanimously approved a bill that seeks to limit retailers’ ability to collect and use personal data contained on consumers’ driver and non-driver identification cards. The bill, known as the Personal Information and Privacy Protection Act, must now be approved by the New Jersey Assembly.

On September 13, 2016, New York Governor Andrew Cuomo announced a proposed regulation that would require banks, insurance companies and other financial services institutions to establish and maintain a cybersecurity program designed to ensure the safety of New York’s financial services industry and to protect New York State from the threat of cyber attacks. 

As we previously reported, Lisa J. Sotto, partner and head of Hunton & Williams LLP’s Global Privacy and Cybersecurity practice group, spoke at Bloomberg Law’s Second Annual Big Law Business Summit on changes in the privacy and security legal landscape. In Part 2 of her discussion, Lisa speaks about the evolution of privacy laws over the years. The “hundreds of [privacy laws] at the federal and state level,” as well as data protection laws in countries all over the world, is a far cry from the landscape in 1999 when Lisa started the privacy practice at Hunton & Williams. To keep up ...

On April 13, 2016, Nebraska Governor Pete Ricketts signed into law LB 835 (the “Bill”), which among other things, adds a regulator notification requirement and broadens the definition of “personal information” in the state’s data breach notification statute, Neb. Rev. Stat. §§ 87-802 to 87-804. The amendments take effect on July 20, 2016.

On March 24, 2016, Tennessee Governor Bill Haslam signed into law S.B. 2005, as amended by Amendment No. 1 to S.B. 2005 (the “Bill”), which makes a number of changes to the state’s data breach notification statute, Tenn. Code § 47-18-2107. The amendments take effect on July 1, 2016.

On February 16, 2016, California Attorney General Kamala D. Harris released the California Data Breach Report 2012-2015 (the “Report”) which, among other things, provides (1) an overview of businesses’ responsibilities regarding protecting personal information and reporting data breaches and (2) a series of recommendations for businesses and state policy makers to follow to help safeguard personal information.

On December 15, 2015, the California Attorney General announced an approximately $25 million settlement with Comcast Cable Communications, LLC (“Comcast”) stemming from allegations that Comcast disposed of electronic equipment (1) without properly deleting customer information from the equipment and (2) in landfills that are not authorized to accept electronic equipment. The settlement must be approved by a California judge before it is finalized.

On November 17, 2015, two plaintiffs filed a putative class action alleging that Georgia’s Secretary of State, Brian Kemp, improperly disclosed the Social Security numbers, driver’s license numbers and birth dates of more than 6.1 million Georgia voters. The lawsuit alleges that the Secretary violated Georgia’s Personal Identity Protection Act by disclosing the voters’ personally identifiable information, failing to provide voters notice of the breach and failing to notify consumer reporting agencies.

The United States District Court for the Northern District of California recently dismissed―without prejudice―a former Uber driver’s class action complaint. The driver, Sasha Antman, was one of roughly 50,000 drivers whose personal information was exposed during a May 2014 data breach. Uber contended the accessed files contained only the affected individuals’ names and drivers’ license numbers.

On October 8, 2015, California Governor Jerry Brown signed into law the California Electronic Communications Privacy Act (“CalECPA”). The law requires police to obtain a warrant before accessing an individual’s private electronic information, such as text messages, emails, GPS data and online documents that are stored in the cloud and on smartphones, tablets, computers and other digital devices. The government also must obtain a warrant before requiring a business to produce an individual’s electronic information.

On October 2, 2015, California Attorney General Kamala D. Harris announced that her office settled a lawsuit against home design website, Houzz Inc. (“Houzz”). Houzz was charged with secretly recording incoming and outgoing telephone calls for training and quality assurance purposes without notifying its customers, employees or call recipients, in violation of California eavesdropping and wiretapping laws. As part of the settlement, the Attorney General required Houzz to destroy the recordings, pay a fine of $175,000 and hire a Chief Privacy Officer to supervise its compliance with privacy laws and conduct privacy risk evaluations to assess Houzz’s privacy practices. This is the first time that the Attorney General has required the hiring of a Chief Privacy Officer as part of a settlement.

On September 15, 2015, Judge Magnuson of the U.S. District Court for the District of Minnesota certified a Federal Rule of Civil Procedure 23(b)(3) class of financial services institutions claiming damages from Target Corporation’s 2013 data breach. The class consists of “all entities in the United States and its Territories that issued payment cards compromised in the payment card data breach that was publicly disclosed by Target on December 19, 2013.”

Recent class actions filed against Facebook and Shutterfly are the first cases to test an Illinois law that requires consent before biometric information may be captured for commercial purposes. Although the cases focus on biometric capture activities primarily in the social-media realm, these cases and the Illinois law at issue have ramifications for any business that employs biometric-capture technology, including those who use it for security or sale-and-marketing purposes. In a recent article published in Law360, Hunton & Williams partner, Torsten M. Kracht, and associate, Rachel E. Mossman, discuss how businesses already using these technologies need to keep abreast of new legislation that might affect the legality of their practices, and how businesses considering the implementation of these technologies should consult local rules and statutes before implementing biometric imaging.

Legislators in New Hampshire and Oregon recently passed bills designed to protect the online privacy of students in kindergarten through 12th grade.

On June 11, 2015, New Hampshire Governor Maggie Hassan (D-NH) signed H.B. 520, a bipartisan bill that requires operators of websites, online platforms and applications targeting students and their families (“Operators”) to create and maintain “reasonable” security procedures to protect certain covered information about students. H.B. 520 also prohibits Operators from using covered information for targeted advertising. H.B. 520 defines covered information broadly as “personally identifiable information or materials,” including name, address, date of birth, telephone number and educational records, provided to Operators by students, their schools, their parents or legal guardians, or otherwise gathered by the Operators.

On May 13, 2015, Nevada Governor Brian Sandoval (R-NV) signed into law A.B. 179 (the “Bill”), which expands the definition of “personal information” in the state’s data security law. The law takes effect on July 1, 2015. Under the Bill, personal information now includes:

On May 5, 2015, the Financial Crimes Enforcement Network of the U.S. Treasury Department (“FinCEN”), in coordination with the U.S. Attorney’s Office for the Northern District of California (“USAO”), announced a civil monetary penalty of $700,000 against Ripple Labs, Inc. (“Ripple Labs”) and its subsidiary XRP II, LLC (“XRP II”) for violations of the Bank Secrecy Act (“BSA”). This assessment represents the first BSA enforcement action against a virtual currency exchanger by FinCEN. The fine coincides with a settlement agreement between Ripple Labs, XRP II and the USAO to resolve any criminal and civil liability arising out of these activities, the terms of which include a $450,000 forfeiture and full cooperation by Ripple Labs in the ongoing investigation.

On April 28, 2015, the Florida House of Representatives passed a bill (SB 766) that prohibits businesses and government agencies from using drones to conduct surveillance by capturing images of private real property or individuals on such property without valid written consent under circumstances where a reasonable expectation of privacy exists.

On April 8, 2015, a New York Assemblyman introduced the Data Security Act in the New York State Assembly that would require New York businesses to implement and maintain information security safeguards. The requirements would apply to “private information,” which is defined as either:

• personal information consisting of any information in combination with one or more of the following data elements, when either the personal information or the data element is not encrypted: Social Security number; driver’s license number or non-driver identification card number; financial account or credit or debit card number in combination with any required security code or password; or biometric information;
• a user name or email address in combination with a password or security question and answer that would permit access to an online account; or
• unsecured protected health information (as that term is defined in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule).

On April 13, 2015, the Senate of Washington State unanimously passed legislation strengthening the state’s data breach law. The bill (HB 1078) passed the Senate by a 47-0 vote, and as we previously reported, passed the House by a 97-0 vote.

On March 4, 2015, the House of Representatives of Washington passed a bill (HB 1078), which would amend the state’s breach notification law to require notification to the state Attorney General in the event of a breach and impose a 45-day timing requirement for notification provided to affected residents and the state regulator. The bill also mandates content requirements for notices to affected residents, including (1) the name and contact information of the reporting business; (2) a list of the types of personal information subject to the breach; and (3) the toll-free telephone numbers and address of the consumer reporting agencies. In addition, while Washington’s breach notification law currently applies only to “computerized” data, the amended law would cover hard-copy data as well.

On February 27, 2015, the White House released a highly-anticipated draft of the Consumer Privacy Bill of Rights Act of 2015 (the “Act”) that seeks to establish baseline protections for individual privacy in the commercial context and to facilitate the implementation of these protections through enforceable codes of conduct. The Federal Trade Commission is tasked with the primary responsibility for promulgating regulations and enforcing the rights and obligations set forth in the Act.

On February 23, 2015, the Wyoming Senate approved a bill (S.F.36) that adds several data elements to the definition of “personal identifying information” in the state’s data breach notification statute. The amended definition will expand Wyoming’s breach notification law to cover certain online account access credentials, unique biometric data, health insurance information, medical information, birth and marriage certificates, certain shared secrets or security tokens used for authentication purposes, and individual taxpayer identification numbers. The Wyoming Senate also agreed with amendments proposed by the Wyoming House of Representatives to another bill (S.F.35) that adds content requirements to the notice that breached entities must send to affected Wyoming residents. Both bills are now headed to the Wyoming Governor Matt Mead for signing.

Indiana Attorney General Greg Zoeller has prepared a new bill that, although styled a “security breach” bill, would impose substantial new privacy obligations on companies holding the personal data of Indiana residents. Introduced by Indiana Senator James Merritt (R-Indianapolis) on January 12, 2015, SB413 would make a number of changes to existing Indiana law. For example, it would amend the existing Indiana breach notification law to apply to all data users, rather than owners of data bases. The bill also would expand Indiana’s breach notification law to eliminate the requirement that the breached data be computerized for notices to be required.

On January 5, 2015, the Alameda County District Attorney’s Office announced that Safeway Inc. (“Safeway”) has agreed to pay $9.87 million to settle claims that the company unlawfully disposed of customer medical information and hazardous waste in violation of California’s Confidentiality of Medical Information Act and Hazardous Waste Control Law. In a series of waste inspections from 2012 to 2013, a group of California district attorneys and environmental regulators found that Safeway was disposing of both its pharmacy customers’ confidential information and various types of hazardous wastes in the company’s dumpsters. Based on the investigation, 42 California district attorneys and two city attorneys brought a complaint on December 31, 2014, alleging, among other things, that more than 500 Safeway stores and distribution centers engaged in the disposal of their customers’ medical information in a manner that did not preserve the confidentiality of the information.

On November 21, 2014, Massachusetts Attorney General Martha Coakley announced that Boston hospital Beth Israel Deaconess Medical Center (“BIDMC”) has agreed to pay a total of $100,000 to settle charges related to a data breach that affected the personal and protected health information of nearly 4,000 patients and employees.

Hunton & Williams Labor & Employment partner Susan Wiltsie reports:

Fears of a worldwide Ebola pandemic appear to have abated, but the tension between workplace safety and employee privacy, thrown into relief by this health emergency, remains an issue relevant to all employers. Any potential health threat created by contagious illness requires employers to plan and put into effect a reasonable response, including policies governing the terms and conditions under which employees may be required to stay away from the workplace, and in which their health care information may be relevant to workplace decisions.

On October 28, 2014, California Attorney General Kamala D. Harris announced the release of the second annual California Data Breach Report. The report provides information on data breaches reported to California’s Attorney General in 2012 and 2013. Overall, 167 breaches were reported by 136 different entities to California’s Attorney General in 2013. According to the report, 18.5 million records of California residents were compromised by these reported breaches, up more than 600 percent from the 2.6 million records compromised in 2012. In addition, the number of reported data breaches increased by 28 percent in 2013, rising from 131 in 2012 to 167 in 2013.

On October 10, 2014, TD Bank, N.A. entered into an assurance of voluntary compliance (“Assurance”) with a multistate group of nine attorneys general to settle allegations that the company violated state consumer protection and personal information safeguards laws in connection with a 2012 data breach. The breach involved the loss of two unencrypted backup tapes containing the personal information of approximately 260,000 customers. The Assurance requires TD Bank to pay $850,000 to the attorneys general.

On October 14, 2014, rent-to-own retailer Aaron’s, Inc. (“Aaron’s”) entered into a $28.4 million settlement with the California Office of the California Attorney General related to charges that the company permitted its franchised stores to unlawfully monitor their customers’ leased laptops.

On September 30, 2014, California Governor Jerry Brown announced the recent signings of several bills that provide increased privacy protections to California residents. The newly-signed bills are aimed at protecting student privacy, increasing consumer protection in the wake of a data breach, and expanding the scope of California’s invasion of privacy and revenge porn laws. Unless otherwise noted, the laws will take effect on January 1, 2015.

On September 8, Vermont Attorney General William Sorrell announced that SEI/Aaron’s, Inc. has entered into an assurance of discontinuance, which includes $51,000 in total fines, to settle charges over the company’s remote monitoring of its customers’ leased laptops. The settlement stems from charges accusing SEI/Aaron’s, an Atlanta-based franchise of the national rent-to-own retailer Aaron’s, Inc., of unlawfully using surveillance software on its leased laptops to assist the company in the collection of its customers’ overdue rental payments. The Vermont Office of the Attorney General claimed that such remote monitoring of the laptop users’ online activities in connection with debt collection constituted an unfair practice in violation of the Vermont Consumer Protection Act.

On August 19, 2014, California state legislators made final amendments to a bill updating the state’s breach notification law. The amended bill, which passed the State Senate on August 21 and the Assembly on August 25, is now headed to California Governor Jerry Brown for signature. If signed, the scope of the existing law would extend to apply to entities that “maintain” personal information about California residents. Currently, only entities that “own” or “license” such personal information are required to implement and maintain reasonable security procedures and practices to protect the personal information from unauthorized access, destruction, modification or disclosure.

As reported in the Hunton Employment & Labor Perspectives Blog:

Illinois recently joined a growing number of states and municipalities that have passed “ban the box” laws regulating when employers can inquire into an applicant’s criminal history.

On July 1, 2014, Delaware Governor Jack Markell signed into law a bill that creates new safe destruction requirements for the disposal of business records containing consumer personal information. The new law requires commercial entities conducting business in Delaware to take reasonable steps to destroy their consumers’ “personal identifying information” prior to the disposal of electronic or paper records. The law will take effect on January 1, 2015.

On June 20, 2014, Florida Governor Rick Scott signed a bill into law that repeals and replaces the state’s existing breach notification statute with a similar law entitled the Florida Information Protection Act (Section 501.171 of the Florida Statutes) (the “Act”).

On June 12, 2014, Connecticut Governor Dannel Malloy signed a bill into law that may require retailers to modify their existing Health Insurance Portability and Accountability Act (“HIPAA”) authorizations for pharmacy reward programs. The law, which will become effective on July 1, 2014, obligates retailers to provide consumers with a “plain language summary of the terms and conditions” of their pharmacy reward programs before the consumers may enroll. It also requires retailers to include specific content in their authorization forms that are required pursuant to the HIPAA. If the consumer is required to sign a HIPAA authorization to participate in a pharmacy reward program, the authorization must include the following items “adjacent to the point where the HIPAA authorization form is to be signed:”

On May 21, 2014, California Attorney General Kamala D. Harris issued guidance for businesses (“Guidance”) on how to comply with recent updates to the California Online Privacy Protection Act (“CalOPPA”). The recent updates to CalOPPA include requirements that online privacy notices disclose how a site responds to “Do Not Track” signals, and whether third parties may collect personal information about consumers who use the site. In an accompanying press release, the Attorney General stated that the Guidance is intended to provide a “tool for businesses to create clear and transparent privacy policies that reflect the state’s privacy laws and allow consumers to make informed decisions.” The Guidance is not legally binding; it is intended to encourage companies to draft transparent online privacy notices.

On May 1, 2014, the White House released a report examining how Big Data is affecting government, society and commerce. In addition to questioning longstanding tenets of privacy legislation, such as notice and consent, the report recommends (1) passing national data breach legislation, (2) revising the Electronic Communications Privacy Act (“ECPA”), and (3) advancing the Consumer Privacy Bill of Rights.

On April 10, 2014, Kentucky Governor Steve Beshear signed into law a data breach notification statute requiring persons and entities conducting business in Kentucky to notify individuals whose personally identifiable information was compromised in certain circumstances. The law will take effect on July 14, 2014.

On January 21, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program highlighted some of the key privacy developments that companies will encounter in 2014, including cybersecurity issues in the U.S., California’s Do Not Track legislation, Safe Harbor, the EU General Data Protection Regulation and the CNIL’s new cookie guidance.

As reported in the Hunton Employment & Labor Perspectives Blog, the “ban the box” movement continues to sweep through state legislatures. “Ban the box” laws, which vary in terms of scope and detail, generally prohibit employers from requesting information about job applicants’ criminal histories. Recent legislation in two states applies “ban the box” prohibitions to private employers in those states:

• On December 1, 2013, a new North Carolina law went into effect that prohibits employers from inquiring about job applicants’ arrests, charges or convictions ...

On December 2, 2013, the Federal Trade Commission announced that it will host a series of seminars to examine the privacy implications of three new areas of technology used to track, market to and analyze consumers: mobile device tracking, predictive scoring and consumer-generated health data. The seminars will address (1) businesses tracking consumers using signals from the consumers’ mobile devices, (2) the use of predictive scoring to determine consumers’ access to products and offers, and (3) consumer-generated information provided to non-HIPAA covered websites and apps. The FTC stated that the intention of the seminars is to bring attention to new trends in big data and their impact on consumer privacy.

On November 22, 2013, New Jersey’s Acting Attorney General announced that the State had entered into a settlement agreement with Dokogeo, Inc. (“Dokogeo”), a California-based company that makes mobile device applications, regarding allegations that one of the company’s mobile apps violated the Children’s Online Privacy Protection Act of 1998 (“COPPA”), the recently amended Children’s Online Privacy Protection Rule (the “Rule”) and the New Jersey Consumer Fraud Act.

On November 13, 2013, Google entered into a $17 million settlement agreement with the attorneys general from 37 states and the District of Columbia related to allegations that the company bypassed users’ cookie-blocking settings on Apple’s Safari browser in 2011 and 2012. The settlement requires Google to refrain from bypassing cookie controls in the future and requires Google to maintain a page on its site informing users about cookies and how to manage them. Last year, Google agreed to a $22.5 million settlement with the Federal Trade Commission in connection with similar ...

As reported in the Hunton Employment & Labor Perspectives Blog:

In a lawsuit filed in the United States District Court for the Northern District of Texas on November 4, 2013, Texas Attorney General Greg Abbott sought injunctive and declaratory relief against the Equal Employment Opportunity Commission (“EEOC”) on the grounds that the agency’s April 2012 Enforcement Guidance on the Consideration of Arrest and Conviction Records in Employment Decisions “purports to preempt the State’s sovereign power to enact and abide by state-law hiring practices.” In particular, the complaint argues against the EEOC’s prohibition against blanket “no felons” hiring policies. The Texas AG’s complaint highlights key failures and shortcomings of the EEOC’s recent investigative actions, and provides detailed examples of the “real world” effect of the guidance on the state’s hiring decisions.

On October 12, 2013, California Governor Jerry Brown vetoed an electronic communications privacy bill. The bill, SB 467, would have compelled law enforcement to obtain a search warrant before seeking to access any email or other electronic communication maintained by service providers. The bill went beyond the scope of the federal Electronic Communications Privacy Act, which obligates law enforcement to obtain search warrants only for electronic communications that are unopened or stored by service providers for fewer than 180 days. The California bill was very similar to a bill signed into law in Texas earlier in 2013 that required law enforcement agencies to obtain warrants before accessing customer electronic data held by email service providers.

On September 27, 2013, California Governor Jerry Brown signed into law a bill amending the California Online Privacy Protection Act (“CalOPPA”) to require website privacy notices to disclose how the site responds to “Do Not Track” signals, and whether third parties may collect personal information when a consumer uses the site. Although the changes to the law do not prohibit online behavioral advertising, this is the first law in the United States to impose disclosure requirements on website operators that track consumers’ online behavior.

On September 23, 2013, California Governor Jerry Brown signed a bill that adds “Privacy Rights for California Minors in the Digital World” to the California Online Privacy Protection Act (“CalOPPA”). The new CalOPPA provisions prohibit online marketing or advertising certain products to anyone under age 18, and require website operators to honor requests made by minors who are registered users to remove content the minor posted on the site. In addition, operators must provide notice and instructions to minors explaining their rights regarding the removal of content they’ve posted.

On September 4, 2013, California state legislators passed an amendment to the state’s breach notification law. The bill, SB 46, would expand notification requirements to include security incidents involving the compromise of personal information that would permit access to an online or email account. Pursuant to SB 46, the definition of “personal information” contained in Sections 1798.29 and 1798.82 of California’s Civil Code would be amended to include “a user name or email address, in combination with a password or security question and answer that would permit access to an online account.” Notably, the compromise of these data elements alone  ̶  even when not in conjunction with an individual’s first name or first initial and last name  ̶  would trigger a notification obligation under the amended law. In addition, the bill does not limit the data elements that constitute “personal information” to those that would permit access to an individual’s financial account.

On April 19, 2013, the North Dakota legislature amended the state’s breach notification law (Section 51-30-01 of the North Dakota Century Code) to expand the definition of “personal information” to include “health insurance information” and “medical information.” Pursuant to the amended breach law, “health insurance information” is defined to mean an “individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.” “Medical information” is defined to mean “any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.” The amendment also carves out an exemption for covered entities, business associates and subcontractors that are subject to the breach notification requirements of 45 C.F.R. 164, Subpart D.

On July 12, 2013, Illinois Attorney General Lisa Madigan announced that she sent letters to operators of eight popular health-related websites requesting information about the websites’ online data collection practices. The Attorney General’s press release underscored how individuals’ health-related information shared online, which would be protected if disclosed in a traditional medical setting, “can be captured, shared and sold when online users enter their information into a website.” The Attorney General also stated that “website disclosure about the extent to which information is captured or shared is buried in privacy policies not found on the websites’ main pages.”

On June 14, 2013, Texas Governor Rick Perry signed a bill requiring law enforcement agencies to obtain warrants before accessing customer electronic data held by email service providers. Introduced on March 4, 2013, the bill passed unanimously in both the Texas House and Senate on May 7 and May 22, respectively. The law takes effect immediately.

A state court has dismissed the California Attorney General’s claims that Delta Air Lines Inc. (“Delta”) violated the California Online Privacy Protection Act by failing to have an appropriately posted privacy policy for its mobile application, Bloomberg reports. The California AG sued Delta in December as part of an enforcement campaign that began with the issuance of warning letters to approximately 100 operators of mobile apps, including Delta. According to the Bloomberg report, a basis for the dismissal was the federal Airline Deregulation Act, under which a state ...

On April 9, 2013, the United States Court of Appeals for the Eleventh Circuit held that the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) preempted a Florida law regarding the disclosure of patient records by nursing homes. The law required nursing homes in Florida to provide the medical records of a deceased nursing home resident to the “spouse, guardian, surrogate, proxy, or attorney in fact,” including “medical and psychiatric records and any records concerning the care and treatment of the resident performed by the facility, except progress notes and consultation report sections of a psychiatric nature.”

As reported in the Hunton Employment & Labor Perspectives Blog:

On March 19, 2013, in Standard Fire Insurance Co .v. Knowles, the United States Supreme Court ruled that stipulations by a named plaintiff on behalf of a proposed class prior to class certification cannot serve as the basis for avoiding federal jurisdiction under the Class Action Fairness Act of 2005 (“CAFA”).

On March 12, 2013, Connecticut Attorney General George Jepsen announced that a coalition of 38 states had entered into a $7 million settlement with Google Inc. (“Google”) regarding its collection of unsecured Wi-Fi data via the company’s Street View vehicles between 2008 and 2010. The settlement is the culmination of a multi-year investigation by the states that we first reported on in 2010.

On March 11, 2013, in Tyler v. Michaels Stores, Inc., the Massachusetts Supreme Judicial Court effectively reinstated the suit against the retailer by answering favorably for the plaintiff three certified questions from the United States District Court for the District of Massachusetts regarding Massachusetts General Laws Chapter 93, Section 105(a) entitled “Consumer Privacy in Commercial Transactions” (“Section 105(a)”). The court ruled that (1) a ZIP code constitutes personal identification information under the Massachusetts law; (2) a plaintiff may bring an action for a violation of the Massachusetts law absent identity fraud; and (3) the term “credit card transaction form” refers equally to electronic and paper transaction forms. The Massachusetts court’s determination that a ZIP code constitutes personal identification information is similar to the determination in Pineda v. Williams-Sonoma Stores, Inc., in which the California Supreme Court held that ZIP codes are “personal identification information” under California’s Song-Beverly Credit Card Act. More than 15 states, including Massachusetts and California, have statutes limiting the type of information that retailers can collect from customers.

On February 4, 2013, the Supreme Court of California examined whether Section 1747.08 of the Song-Beverly Credit Card Act (“Song-Beverly”) prohibits an online retailer from requesting or requiring personal identification information from a customer as a condition to accepting a credit card as payment for an electronically downloadable product. In a split decision, the majority of the court ruled that Song-Beverly does not apply to online purchases in which the product is downloaded electronically.

As reported in BNA’s Privacy & Security Law Report, on December 14, 2012, a federal district court in California ruled that a retail store’s policy of collecting personal information only after providing customers with receipts does not violate the Song-Beverly Credit Card Act (“Song-Beverly”). Under Section 1747.08(a)(2) of Song-Beverly, a retailer that accepts credit cards for the transaction of business may not “[r]equest, or require as a condition to accepting the credit card as payment … the cardholder to provide personal identification information,” which the entity accepting the credit card then “writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.”

On January 7, 2013, Massachusetts Attorney General Martha Coakley announced that several Massachusetts medical practices have agreed to a consent judgment and $140,000 payment to settle charges they improperly disposed of medical information. The defendants, which include several pathology practices and a firm that provided medical billing services to those practices, were accused of dumping hard copy medical records at the Georgetown Transfer Station, a waste management facility open to the public. The records allegedly contained the names, Social Security numbers and medical diagnoses of approximately 67,000 individuals. The illegal dumping allegations were publicized in a Boston Globe article after a photographer for the newspaper discovered medical records at the facility while he was disposing of his own trash.

On December 6, 2012, California Attorney General Kamala D. Harris announced a lawsuit against Delta Air Lines, Inc. (“Delta”) for violations of the California Online Privacy Protection Act (“CalOPPA”). The suit, which the Attorney General filed in the San Francisco Superior Court, alleges that Delta failed to conspicuously post a privacy policy within Delta’s “Fly Delta” mobile application to inform users of what personally identifiable information is collected and how it is being used by the company. CalOPPA requires “an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service,” such as a mobile application, to post a privacy policy that contains the elements set out in CalOPPA. According to Attorney General Harris’ complaint, Delta has operated the “Fly Delta” application for smartphones and other electronic devices since at least 2010. The complaint alleges that “[d]espite collecting substantial personally identifiable information (“PII”) such as user’s full name, telephone number, email address, frequent flyer account number and PIN code, photographs, and geo-location, the Fly Delta application does not have a privacy policy. It does not have a privacy policy in the application itself, in the platform stores from which the application may be downloaded, or on Delta’s website.”

In late October 2012, California Attorney General Kamala D. Harris began sending letters to approximately 100 mobile app operators, informing them that they are not in compliance with the California Online Privacy Protection Act (“CalOPPA”). Pursuant to CalOPPA, “an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service” must post a privacy policy that contains specified elements. A mobile app arguably could be an “online service” under CalOPPA, which provides that an online service operator that collects “personally identifiable information” and “fails to post its policy within 30 days after being notified of noncompliance” is in violation of CalOPPA. The law affects a wide range of mobile app operators because of its very broad definition of “personally identifiable information,” which includes any “individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form,” such as a name, an email address or any other identifier “that permits the physical or online contacting of a specific individual.”

On October 30, 2012, the U.S. District Court for the Southern District of California ruled that an opt-out confirmation text sent by Citibank (South Dakota), N.A. (“Citibank”) did not violate the Telephone Consumer Protection Act (“TCPA”). Under a “common sense” interpretation, the court determined that Citibank’s opt-out text does not demonstrate the type of invasion of privacy the TCPA seeks to prevent.

As reported in the Hunton Employment & Labor Perspectives Blog:

Employees use social media extensively in communication for personal and business reasons. Employers are increasingly monitoring this use, and insisting on access to some of the more popular sites. California took notice of this trend and passed legislation to protect employee privacy. On September 27, 2012, Governor Edmund G. Brown Jr. signed AB 1844 making California the third state to limit access to employees’ social media account, joining Maryland and Illinois.

On August 23, 2012, the United States Court of Appeals for the Sixth Circuit held in Retailer Ventures, Inc. v. Nat’l Union Fire Ins. Co. that losses resulting from the theft of customers’ banking information from a retailer’s computer system are covered under a commercial crime policy’s computer fraud endorsement.

As reported in BNA’s Privacy & Security Law Report,on June 25, 2012, a federal district court in California ruled that the California Supreme Court’s 2011 Pineda decision, which held that requesting and recording zip codes during credit card transactions violates the state’s Song-Beverly Credit Card Act, applies retrospectively to OfficeMax’s collection of zip codes from its customers. The Plaintiffs in Dardarian v. OfficeMax had filed a class action lawsuit against OfficeMax over the company’s collection of ZIP code information from customers at the point of sale, a practice that OfficeMax ended the day the Pineda decision was handed down.

On July 19, 2012, California Attorney General Kamala Harris announced the formation of a new Privacy Enforcement and Protection Unit (“Privacy Unit”) within the state’s Department of Justice. The new unit will centralize existing Department of Justice efforts to protect privacy, educate consumers and forge partnerships with relevant industry players. According to the Attorney General’s press release, the broad mission of the Privacy Unit will include enforcing laws on issues such as cyber privacy, health privacy, financial privacy, identity theft, government ...

In recent weeks, both state and federal regulators have considered security breach notification legislation. On June 15, 2012, Connecticut Governor Dannel Malloy signed a budget bill that, among other things, amends the state’s security breach notification law. The changes, which will take effect on October 1, 2012, most notably require businesses to notify the state Attorney General no later than the time when notice of a security breach is provided to state residents. Although the law does not specify when notice must be provided to affected individuals, the law states that such notice must be made “without unreasonable delay,” subject to law enforcement delays and the completion of an investigation by the business to determine the nature and scope of the incident, to identify affected individuals, or to restore the reasonable integrity of the data system. As we previously reported, Vermont also recently amended its breach notification statute to require businesses to notify the state Attorney General within 14 days of discovering a security breach or concurrently when notifying consumers, whichever is sooner.

On May 24, 2012, Massachusetts Attorney General Martha Coakley announced that South Shore Hospital agreed to a consent judgment and $750,000 payment to settle a lawsuit stemming from a data breach that occurred in February 2010. At that time, South Shore Hospital shipped several boxes of unencrypted back-up tapes to a service provider in Texas to erase them. The tapes contained the personal and protected health information of approximately 800,000 individuals, including names, Social Security numbers, financial account numbers and medical diagnoses. Several of the boxes went missing and have yet to be recovered, though there is no evidence that the information on the missing tapes has been misused.

On June 1, 2012, the Attorney General of Vermont announced a series of recent legislative moves to enhance the state’s consumer protection laws, including amendments to Vermont’s security breach notification law. The changes, which were signed into law by Governor Peter Shumlin in early May, include a revised definition of “security breach,” the addition of a 45-day timing requirement for notifying affected consumers, and a requirement to notify the state Attorney General within 14 days of discovering the breach (or when notifying consumers, if sooner).

As reported in BNA’s Privacy & Security Law Report, on May 4, 2012, the United States District Court for the Southern District of California granted plaintiffs’ motion for class certification in an action against IKEA U.S. West, Inc. (“IKEA”) under the Song-Beverly Credit Card Act of 1971 (the “Song-Beverly Act”). The suit alleges that IKEA violated the Song-Beverly Act by requesting that cardholders provide their ZIP codes during credit card transactions, and then recording that information in an electronic database. The Court found that the class definition was not overbroad and that IKEA’s practice of requesting ZIP codes demonstrated common questions of law best resolved through a class action.

On April 9, 2012, Maryland became the first state to pass legislation that would prevent employers from asking or forcing employees and applicants to hand over their social media login credentials. The bill, which passed the state Senate unanimously (Senate Bill 433) and the House of Delegates by a wide margin (House Bill 964), now awaits Maryland Governor Martin O’Malley’s signature.

On April 5, 2012, social media giant Twitter, Inc. (“Twitter”) filed a civil lawsuit against spammers and makers of spamming software claiming violations of Twitter’s user agreement and various California state and common laws. Borrowing from the popular term for unsolicited email messages, Twitter’s complaint describes “spam” on Twitter as “a variety of abusive behaviors” including “posting a Tweet with a harmful link … and abusing the @reply and @mention functions to post unwanted messages to a user.” The suit alleges that certain defendants violated Twitter’s Terms of Service, which prohibit “spam and abuse,” by distributing software tools “designed to facilitate abuse of the Twitter platform and marketed to dupe customers into violating Twitter’s user agreement.” Other defendants allegedly operated large numbers of automated Twitter accounts through which they attempted to “trick Twitter users into clicking on links to illegitimate websites.”

On March 21, 2012, Massachusetts Attorney General Martha Coakley announced that Maloney Properties Inc. (“MPI”), a property management firm, executed an Assurance of Discontinuance and agreed to pay $15,000 in civil penalties following an October 2011 theft of an unencrypted company-issued laptop. The laptop contained personal information of more than 600 Massachusetts residents and was left in an employee’s car overnight. MPI has indicated that it has no evidence of unauthorized access to or use of the personal information in connection with this breach.

The American Bar Association’s (“ABA’s”) House of Delegates adopted a non-binding resolution urging courts to consider foreign data protection and privacy laws when resolving discovery issues. The full text of the resolution is as follows:

“RESOLVED, That the American Bar Association urges that, where possible in the context of the proceedings before them, U.S. federal, state, territorial, tribal and local courts consider and respect, as appropriate, the data protection and privacy laws of any applicable foreign sovereign, and the interests of any person who is subject to or benefits from such laws, with regard to data sought in discovery in civil litigation.”

On January 24, 2011, Connecticut Attorney General George Jepsen and Consumer Protection Commissioner William Rubenstein announced that they had reached an Assurance of Voluntary Compliance (“AVC”) with Metropolitan Life Insurance Co. (“MetLife”) in connection with an incident involving the disclosure of customer personal information on the Internet. In November 2009, a MetLife employee posted the personally identifiable information of current and former MetLife customers, including their Social Security numbers, on the Internet. Following the discovery of the posting, MetLife acted to mitigate possible harm by providing credit monitoring and identity theft insurance to the affected customers.

On January 19, 2012, Minnesota Attorney General Lori Swanson announced a lawsuit against Accretive Health, Inc., (“Accretive”) for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations, the Minnesota Health Records Act, Minnesota’s debt collection statutes and Minnesota’s consumer protection laws. The suit, which was filed in Federal District Court in Minnesota, alleges that Accretive failed to adequately safeguard patients’ protected health information (“PHI”). This failure contributed to a July 2011 information security breach when an Accretive employee left an unencrypted laptop containing information of approximately 23,500 patients in a rental car. The laptop was stolen and has not yet been recovered.

On January 6, 2012, the United States District Court for the District of Massachusetts granted Michaels Stores, Inc.’s (“Michaels”) a motion to dismiss against a customer-plaintiff who alleged that Michaels’ in-store information collection practices violated Massachusetts law. Although the court ruled in Michaels’ favor, it found that customer ZIP codes do constitute personal information under Massachusetts state law when collected in the context of a credit card transaction. The plaintiff’s class action complaint alleged that “Michaels illegally requested customers’ ZIP codes when processing their credit card transactions in violation of” Massachusetts General Laws Chapter 93, Section 105(a) (“Section 105(a)”). Specifically, Section 105(a) states that “[n]o person, firm, partnership, corporation or other business entity that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form.”

On November 4, 2011, Law360 interviewed Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP. In a question and answer session, Sotto discussed the challenges of working with multinational companies on compliance with privacy laws, and addressed questions related to her practice and career. Read the full interview.

On October 27, 2011, the United States District Court for the Northern District of California dismissed claims that Facebook misappropriated users’ names and likenesses in promoting its “Friend Finder” feature. Friend Finder identifies potential “friends” for a Facebook user by matching his or her email contacts with users already registered with Facebook, then presenting the user with friend suggestions. Facebook promoted the feature by displaying the names and profile photos of current friends as examples of users who had found friends with Friend Finder.

As reported in the Hunton Employment & Labor Perspectives Blog:

California Governor Jerry Brown recently signed into law Senate Bill No. 559 (SB 559), which prohibits discrimination based on an individual’s genetic information. While SB 559 significantly expands the protections from genetic discrimination provided under the federal Genetic Information Nondiscrimination Act of 2008 (GINA), at this time, its impact on most California employers is thought to be limited to the potential for greater damages to be awarded under it than under its federal counterpart.

As reported in the Hunton Employment & Labor Perspectives Blog, on October 10, 2011, California became the seventh state to enact legislation restricting public and private employers alike from using consumer credit reports in making hiring and other personnel decisions. Assembly Bill No. 22 both adds a new provision to the California Labor Code -- Section 1024.5 -- and amends California’s Consumer Credit Reporting Agencies Act (“CCRAA”). Effective January 1, 2012, California employers will be prohibited from requesting a consumer credit report for employment purposes unless they meet one of the limited statutory exceptions, and those employers meeting an exception, will be subjected to increased disclosure requirements. Connecticut, Illinois, Hawaii, Oregon, Maryland and Washington already have similar laws on the books, and many other states, as well as the federal government, are contemplating similar legislation. This trend creates a potential “credit-centric” minefield for employers that do business in any one or more of these states. In light of the multiple laws affecting their use, employers who utilize consumer credit reports in making personnel decisions should proceed cautiously. Employers must evaluate the need for these reports in making personnel decisions, review and modify their policies to ensure compliance with the myriad of regulations in this area, and monitor any new developments to ensure continued compliance.

Last month, two New Jersey judges issued opposing decisions in class action lawsuits regarding merchants’ point-of-sale ZIP code collection practices. The conflicting orders leave unanswered the question of whether New Jersey retailers are prohibited from requiring and recording customers’ ZIP codes at the point of sale during credit card transactions.

Over the past several weeks, online tracking practices involving the use of Flash cookies and ETags have been the subject of new research studies, class action lawsuits and significant media attention.

On August 31, 2011, California Governor Jerry Brown signed into law amendments to that state’s security breach notification statute.  The revisions establish new content requirements for breach notification letters to California residents, and mandate notification to the state Attorney General when a breach affects more than 500 Californians.  Senate Bill 24 was the third effort by State Senator Joe Simitian to build on the landmark California breach notification law he authored in 2002.  The two previous bills he proposed were passed by the California legislature, but vetoed by former Governor Arnold Schwarzenegger.

On June 9, 2011, Lisa J. Sotto, partner and head of Hunton & Williams LLP’s Privacy and Data Security practice, spoke during the regulatory session on state and federal laws at NetDiligence’s Cyber Risk & Privacy Liability Forum in Philadelphia.  Sotto discussed recent changes to the legal landscape, emphasizing regulatory authorities’ growing interest in policy and enforcement issues and increased legislative activity on the state and federal levels.

View an excerpt from Sotto’s remarks as part of the panel discussion.

On July 29, 2011, Massachusetts Attorney General Martha Coakley announced a $7,500 settlement with Belmont Savings Bank following a May 2011 data breach involving the names, Social Security numbers and account numbers of more than 13,000 Massachusetts residents.  The bank has stated that it has no evidence of unauthorized access to or use of consumers’ personal information in connection with this breach.

As reported in the Hunton Employment & Labor Perspectives Blog, Connecticut recently became the latest state to pass a law regulating employer use of credit reports. The law, which goes into effect on October 1, 2011, prohibits employers from requiring employees or prospective employees to consent to the employer requesting their credit report as a condition of employment.  The full post includes a discussion of the exceptions to this restriction.

Read our previous posts on regulatory scrutiny of employee credit checks and a similar Illinois law that went into effect on January 1 ...

Last month, Texas Governor Rick Perry signed a health privacy bill into law that imposes new obligations exceeding the requirements in the HIPAA Privacy Rule.  The law, which will become effective on September 1, 2012, incorporates the expanded definition of the term “covered entity” in Texas’s existing health privacy law and could have a broad impact on many non-HIPAA covered entities.