Data Privacy
D.C. Court of Appeals Requires Search Warrant for Cell Site Simulator Tracking
By Ed McAndrew, Ballard Spahr
The District of Columbia Court of Appeals recently reversed the robbery and sexual assault convictions of a man whose location was tracked through the use of a cell site simulator, or Stingray device, without a warrant. Jones v. U.S., No. 15-CF-322, (D.C. App. Sept. 21, 2017).
The court held that a law enforcement agency’s tracking of the location of a particular person by using a simulator that attracts the cellular signals of the person’s cellphone violates that person’s reasonable expectation of locational privacy. The government generally must obtain a search warrant before using a cell site simulator to determine a person’s location. The D.C. Court of Appeals joins state and federal courts in Maryland, New York. These courts have rejected the government’s argument that individuals have no reasonable expectation of privacy in digital signals that their devices emit to third parties, an argument that the Supreme Court will take up in U.S. v. Carpenter.
FTC and Dept. of Education Announce December Ed Tech Workshop
By Heidi Kuffel, Skarzynski Black LLC
The U.S. Federal Trade Commission and the U.S. Department of Education will host a December 1, 2017, workshop addressing the intersection of Ed Tech, COPPA and FERPA. Educational technology (Ed Tech) affords students access to personal technology issued by schools. However, with access to technology comes privacy issues. For example, the Children’s Online Privacy Protection Act (COPPA) requires parental consent before owners or operators of websites can collect, disclose, or use personal information of children aged 13 and under, and the Family Educational Rights and Privacy Act (FERPA) also serves to protect student record privacy.
FTC Announces December Workshop on Informational Injury
By Heidi Kuffel, Skarzynski Black LLC
To date, the U.S. Federal Trade Commission has brought over 500 privacy and data security-related cases involving unfair or deceptive business practices relating to consumer injury. The FTC will host a workshop on December 12, 2017, to assist in understanding the risks associated with misuse of consumer information. The workshop will focus on identifying the various types of injuries that stem from misuse of consumer information, analysis on how best to categorize the injuries, and a review of the way in which both consumers and businesses perform cost/benefit analyses in sharing or collecting information with regard to the potential for misuse.
Washington Constitution Protects State Employees’ Privacy
By Sherri Marie Carr, The S.M. Carr Law Firm, Ltd. Co.
The Washington Court of Appeals recently held there is a “protected expectation of privacy” in state employees’ birthdates accompanying their full names based on the Washington State Constitution. Wash. Pub. Emps. Ass’n, UFCW Local 365 v. Wash. State Ctr. for Childhood Deafness & Hearing Loss, No. 49224-5-II (Wash. App. Oct. 31, 2017). The Freedom Foundation sought such information through a public records request from several agencies to further their “worker education project to inform eligible state employees that they have a constitutional right to opt-out of paying union dues.” Multiple unions fought to protect their state employees’ information from disclosure in response to the request. The court determined it is not in the public interest to reveal publicly such information and that revealing such information would irreparably harm those state employees.
Cyber-Security
NIST Releases Revised Discussion Draft
By James R. Steel III, Skarzynski Black LLC
On September 28, 2017, the National Institute for Standards announced the release of a discussion draft of Special Publication 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. One of the major focuses of the updated draft is providing processes for integrating C-suite-level executives into the Risk Management Framework (RMF) and institutionalizing risk management preparatory activities at the organizational level. The updated draft also integrates key privacy concepts into the RMF in an effort to promote a holistic application of security, privacy, and risk management concepts.
Vermont Attorney General Imposes Fine for Data Breach
By Michael Silvestro, Skarzynski Black LLC
Following an investigation by Vermont’s attorney general, a North Carolina–based technology company will pay a $264,000 fine following a data breach. In July 2016, the company allowed a spreadsheet containing 660 Social Security numbers to be viewed publicly without authentication. The publication of this data was reported by a consumer. The fine amount corresponds to $400 per published Social Security number.
Hilton Data-Breach Settlement Reached
By Sherri Marie Carr, The S.M. Carr Law Firm, Ltd. Co.
On October 31, 2017, the attorneys general for New York and Vermont announced a settlement with Hilton Domestic Operating Company, Inc., formerly Hilton Worldwide, Inc. (Hilton) concerning two data breaches that exposed more than 350,000 credit card numbers. Because Hilton waited over nine months to disclose the first breach to their customers after learning of it on February 10, 2015, and waited over three months the second time after learning of the breach on July 10, 2015, the $700,000 settlement necessitates that Hilton must reveal breaches in a much more timely manner and abide by applicable standards governing data security. New York General Business Law § 899-aa(2) mandates that the type of data breaches Hilton faced needed to be disclosed without unreasonable delay and within the “most expedient time possible.”