By Daniel J. Solove
Co-authored by Professor Paul Schwartz
This post is part of a post series where we round up some of the interesting news and resources we’re finding. This post includes developments from the first part of 2015. For a PDF version of this post, and for archived issues of previous posts, click here.
NOTE: Health privacy and security issues will now be covered in a separate update post.
97% of people are concerned about the misuse of their data — Harvard Business Review (May 2015) [Link]
Doctors and payment card companies are the most trusted with personal data; governments, media/entertainment and social media companies are the least trusted — Harvard Business Review (May 2015) [Link]
Privacy + Security Forum (October 21-23, 2015) – Washington, DC [Link]
— Goals are to unite privacy and security professionals, as well as practitioners, academics, technologists, and regulators. Educational sessions with rigor and practical takeaways.
— 100+ speakers
— Organized by Daniel Solove and Paul Schwartz
— PDF Guide to Planned Sessions and Speakers
Privacy Law Scholars Conference (June 4-5, 2015) – Berkeley, CA [Link]
— Organized by Chris Hoofnagle and Daniel Solove
— 250+ participants workshopping about 80 papers
— PLSC assembles privacy law scholars and practitioners from around the world to discuss current issues and foster greater connections between academia and practice.
Security & Human Behavior Workshop (June 8-9, 2015) – Washington, DC [Link]
— Program chairs are Alessandro Acquisti, Ross Anderson, and Bruce Schneier
— Daniel Solove will be participating
— “The Workshop’s goal is to discuss, in an informal and interdisciplinary setting, issues where security, psychological, and behavioral sciences interact.”
IoT Privacy Summit 2015 (June 17, 2015) – Menlo Park, CA [Link]
— Organized by TRUSTe
— 30+ speakers from GM, Cisco, FTC, Merck, among other organizations
— Sessions on automobile industry, healthcare, smart cities, global privacy
Symposium On Usable Privacy and Security (July 22-24, 2015 in Ottawa, Canada) [Link]
— Brings together “an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy.”
Jon L. Mills, Privacy in the New Media Age (2015) [Link]
— “Mills explores possible modernization of the intrusion tort, calls for greater weight to be placed on human dignity interests, suggests redefining personal space to fit our times, and offers multiple approaches for recalibrating the delicate balance between press freedom and privacy rights.”–Clay Calvert, coauthor of Mass Media Law
Increasing demands on Twitter by governments — Twitter Transparency Report (July-Dec 2014) [Link]
— 84% increase in requests for content removal
— 40% increase in government requests for account information
Ronald Goldfarb (editor), After Snowden: Privacy, Secrecy, and Security in the Information Age (May 2015) [Link]
— collection of essays by David Cole, John Mills, and others
Court Cases re NSA Surveillance
2nd Circuit holds that NSA phone record collection is not authorized by USA Patriot Act §215 — ACLU v. Clapper (2d Cir. May 7, 2015) [Link]
— Panel consisted of Judges Sack, Lynch, and Broderick
— Decision based on statutory interpretation and doesn’t reach the constitutional issues
— “We hold that the text of section 215 cannot bear the weight the government asks us to assign to it, and that it does not authorize the telephone metadata program.”
— “The telephone metadata program requires that the phone companies turn over records on an ‘ongoing daily basis’ – with no foreseeable end point, no requirement of relevance to any particular set of facts, and no limitations as to subject matter or individuals covered.”
Suit challenging NSA surveillance partially dismissed due to the State Secrets Doctrine — Jewel v. NSA, C 08-04373 JSW (N.D. Cal. 2014) [Link]
— The case involves the Electronic Frontier Foundation’s long-running lawsuit against the NSA, which alleges that the government conducted “dragnet surveillance” of ordinary Americans by requiring AT&T to send Internet traffic records to the NSA.
National Security Letters
FBI relaxes gag order rules on National Security Letters [Link]
— Companies can disclose to the public that a national security letter was received “at the earlier of three years after the opening of a fully predicated investigation or the investigation’s close.”
— Previously, gag orders could last indefinitely
The Right to Be Forgotten
Court holds that erasure statute doesn’t require that criminal arrest be erased from newspapers — Martin v. Hearst Corp., 777 F.3d 546 (2d Cir. 2015) [Link]
— Erasure statute could not be re-purposed to create a de facto right to be forgotten.
— Erasure statute merely creates a legal fiction that an arrest never occurred for purposes of future proceedings. Statute does not provide a right to erase arrest from newspapers or other publications
— Stories about the arrest do not become false and defamatory by virtue of having been “erased.”
White House announces new cyber division for dot-gov security (Feb. 2015) [Link]
— The White House will spend approximately $20 million on a new cyber division to manage dot-gov network security, which includes ensuring federal agencies inform victims of breaches according to a specific timeline. The “E-gov Cyber” unit, a part of the Office of Management and Budget (OMB), will coordinate with the National Security Council, the Department of Homeland Security, and the Commerce Department to oversee agency security programs.
Jeb Bush releases hundreds of thousands of emails including SSNs (Feb. 2015) [Link]
— Jeb Bush released hundreds of thousands of emails, claiming that Florida law makes them public records. The emails, however, contained unredacted sensitive data such as Social Security numbers.
James B. Jacobs, The Eternal Criminal Record (Feb. 2015) [Link]
— Franklin Zimring of U.C. Berkeley: “This is the first sustained and analytic look at profoundly important policy on criminal records. In accessible prose, Jacobs provides a guide for legal and criminal justice scholars, practitioners and advocates, and anyone concerned with privacy, employment policy, and race relations. A very important book.”
Securities and Exchange Commission
SEC issues report on broker-dealer and investment adviser cybersecurity (Feb. 9, 2015) [Link]
— The SEC’s Office of Compliance Inspections and Examinations examined 57 broker-dealers and 49 investment advisers. Most firms reported being the subject of a cyber-incident, usually involving malware and fraudulent emails.
— Most broker-dealers include a cybersecurity policy in their vendor contracts, while only one-quarter of advisers did the same.
— Broker-dealers also surpass advisers in cyberinsurance, with over half of broker-dealers having some form of cyberinsurance.
Fair Credit Reporting Act (FCRA)
Sweet v. LinkedIn Corp., No. 14-04531 (N.D. Cal. Apr. 14, 2015) [Link]
— Holding that LinkedIn’s “Reference Search” function is not a “consumer report” and therefore does not fall within the purview of the Fair Credit Reporting Act’s prohibitions.
FTC Act Section 5
FTC action against revenge porn site operator — In re Craig Brittain (Jan. 2015) [Link]
— FTC settled case against Craig Brittain, whom the FTC alleges deceptively acquired and posted nude images of women and then demanded that they pay hundreds of dollars to have the images removed.
— Brittain banned from publicly sharing any nude videos or photos of people without their affirmative express consent. Everything he published during operation of his site must be destroyed.
— Brittain’s apology and disagreement with facts stated by the FTC [Link]
FTC action on deceptive gathering of health data — In re PaymentsMD (Feb. 2015) [Link]
— FTC alleges that PaymentsMD deceptively collected consumer health information by contacting various health insurance companies, pharmacies, medical offices, and labs without informing consumers.
— The order requires PaymentsMD to destroy all of the information they collected and prohibits them from deceiving users regarding the collection and use of the user’s personal information.
FTC requests that bankruptcy court protect RadioShack customers’ personal data (May 2015) [Link]
— FTC’s Jessica Rich sends a letter to the court-appointed consumer privacy ombudsman in the RadioShack bankruptcy case.
— Referencing the Toysmart case, the letter urges that consumer data be sold only to another entity in the same line of business and that the entity agree to abide by RadioShack’s privacy promises made regarding that data.
Electronic Communication Privacy Act (ECPA)
LaRocca v. LaRocca, No. 1304748, 2015 WL 349315 (E.D. La. Jan. 23, 2015)
A federal court denied a defendant’s motion for summary judgment in a dispute between ex-spouses over spyware, installed by the former husband, to monitor his ex-wife’s computer communications. The court held that, under the ECPA, software can be considered a “device,” and recording the information contemporaneously but only transmitting it to the eavesdropper hourly qualified as an “interception.”
Children’s Online Privacy Protection Act (COPPA)
FTC Clarifies COPPA Doesn’t Usually Apply To Schools [Link]
The FTC published a blog post explaining that parents provide pass-through consent to schools that knowingly collect information that would otherwise be collected in violation of COPPA. The blog post explained that the law is targeted at commercial operators, not schools.
AT&T settles with FTC for $25 million related to data security issues – In the Matter of AT&T Services, Inc., DA 15-399 (FCC Enf. Bur. Apr. 8, 2015) [Link]
— AT&T agreed to pay $25 million to settle charges related to overseas workers stealing 280,000 customers’ personal information.
— The Order explained that “[t]he failure to reasonably secure customers’ proprietary information violates a carrier’s statutory duty under the Communications Act to protect that information, and also constitutes an unjust and unreasonable practice in violation of the Act.”
Profile of Travis LeBlanc, the “FCC’s 365 Million Dollar Man” (Apr. 26, 2015) [Link]
— “In total, the FCC, working with other agencies, has collected more than $365 million in fines, settlements, and refunds for consumers since LeBlanc took office last March, according to a National Journal review of agency records.”
Computer Fraud and Abuse Act (CFAA)
CFAA doesn’t prohibit merely using information for an unauthorized purpose — Enhanced Recovery Co. v. Frady, 2015 WL 1470852 (M.D. Fla. Mar. 31, 2015) [Link]
Holding that the CFAA does not prohibit merely using information for a purpose that is not authorized; rejecting the broad interpretation of the CFAA.
Direct marketing company settles with Vermont over misleading letters — In re Main Street Power Mail, Inc., Vt. Super. Ct., No. 56-1-15WNCV (Jan. 26, 2015) [Link]
A direct marketing company has agreed to pay the state of Vermont $90,000 to settle claims that the company sent letters to Vermonters purporting to collect data for a free life insurance quote but instead sold the data to insurance companies that used it for marketing.
Privacy After Death
Jonathan J. Rikoon, Estate Planning for Your Digital Assets (Apr. 13, 2015) [Link]
— Good overview of the privacy, access, and control issues regarding digital assets after death
White House, Big Data and Differential Pricing (Feb. 2015) [Link]
— Notes that methods to personalize pricing are being developed
— Existing antidiscrimination, privacy, and consumer protection laws can be used to mitigate the threats.
— Recommends greater transparency and increased individual control over personal data.
Articles and Scholarship
Woodrow Hartzog: Unfair and Deceptive Robots, 74 Maryland Law Review 785 (2015) [Link]
— why and how the FTC should regulate robotics
Popular mainstream websites vulnerable to malware (March 2014) [Link]
— “In fact, one in four of the most trusted sites — education and government domains — were found to be vulnerable.”
— 90% of malware infections come from Web surfing
— “Forbes.com was hacked at the end of last year, redirecting users to an outside site where malware was surreptitiously downloaded onto their computers. And readers of Huffington Post, LA Weekly and other sites were hit with ransomware from infected advertisements in January. Users didn’t have to click on the malicious ads to be affected.”
Fridge used by hackers to send out spam (Jan. 2015) [Link]
Phishing – By the Numbers (May 2015) [Link]
— “So, if 97 per cent of phishing attempts are unsuccessful, why is it such a large issue? Because there are 156 million phishing emails sent worldwide daily. . . . Of the 156 million phishing emails sent daily, 16 million get through filters. Another eight million are opened by recipients. 800,000 click on the link provided, and 80,000 provide the information requested.”
Spear phishing is on the rise – and it fools quite a lot of people (May 2015) [Link]
Calculating the average cost of a data breach is quite contentious and subject to dispute (May 2015) [Link]
Anthem Healthcare loses 80 million names, SSNs to hackers (Feb. 2015) [Link]
— Anthem Healthcare, the parent company of Blue Cross / Blue Shield, lost 80 million names and Social Security numbers in a hack.
Anthem customers targeted by opportunistic phishing attacks (Feb. 2015) [Link]
— Many Anthem customers are now receiving emails purporting to offer credit monitoring services.
11th Circuit holds that insurance policy’s provision for losses from fraud doesn’t extend to hacking and malicious code — Metro Brokers, Inc. v. Transportation Insurance Company, No. 14-12969 (11th Cir. 2015) [Link]
Reports, Guides, and Studies
Bryan Cave Data Breach Litigation Report (May 2015) [Link no longer available]
— “4% of publicly reported data breaches led to class action litigation”
— Only 14.5% of publicly reported data breaches involved the retail industry, but 80% of class actions were against retailers
— Data breach suits alleged 24 different legal theories. Most common were negligence and contract theories.
National Institute of Standards and Technology Releases Mobile App Security Guide (Jan. 2015) [Link]
— Designed to help organizations vet whether to deploy mobile apps
— Includes charts outlining vulnerabilities of Android and iOS architectures and the consequences of exploiting a vulnerability.
DOJ Cybersecurity Unit, Best Practices for Victim Response and Reporting of Cyber Incidents (April 2015) [Link]
DOJ guidance on best practices for data breach response.
Jon Neiditz, SEC: Confidentiality, Privilege Agreements Can’t Chill Whistleblowers, LinkedIn (April 7, 2015) [Link]
— SEC holds that SEC Rule 21-F (pursuant to the Dodd-Frank Act of 2010) prohibits language in confidentiality agreements that has a “potential chilling effect” on whistleblowers.
— SEC objected to language banning employees from “from discussing internal investigations with ‘outside parties’ without first getting approval from the company legal department.”
— Company settled for $130,000 and will revise confidentiality agreement to allow employees to report violations of federal law to the SEC or other agencies.
NLRB Issues complaints over USPS data breaches (Mar. 31, 2015) [Link 1] [Link 2]
— A regional NLRB director has issued complaints against the United States Postal Service for refusing to bargain with the union, despite its demands to do so, over the impact of its cyber breach.
South Korea Cracks Down on Retailers’ Sale of Impermissibly Collected Consumer Data [Link]
The South Korean government has announced it will increase criminal enforcement against retailers selling customer data obtained in violation of the country’s Personal Information Protection Act. So far, prosecutors have indicted several employees of a Tesco subsidiary, who they allege created fake giveaways to obtain consumers’ data and then sold 24 million pieces of customer information to insurance marketers without consent.
Germany’s extensive phone record metadata collection and sharing with NSA [Link]
German newspaper Zeit Online reported that the country’s foreign intelligence agency, the BND, collects 220 million pieces of phone record metadata on a daily basis. The data is then stored for anywhere from one week to six months. The German parliament, the Bundestag, discovered through its investigation of NSA surveillance that the BND intercepts communications from both satellites and Internet cables. Germany’s former commissioner for data protection and freedom of information, Peter Schaar, advocates for metadata to be covered, and thus safeguarded, under Article 10 of Germany’s Basic Law.
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 900,000 followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 21-23 in Washington, DC), an event that aims to bridge the silos between privacy and security.