Tag Archives: settlements

Verizon Settles with FCC for Multi-Year Privacy Violation

The Federal Communications Commission’s Enforcement Bureau has reached a $7.4 million settlement with Verizon to resolve an investigation into the company’s use of personal consumer information for marketing purposes. The investigation uncovered that Verizon failed to notify approximately two million new customers, on their first invoices or in welcome letters, of their privacy rights, including how to opt out of having their personal information used in marketing campaigns. A phone company is generally prohibited from accessing or using certain personal information except in limited circumstances, such as marketing, and then only after getting the customer’s approval. It can obtain approval through either an “opt-in” or “opt-out” process. When that process is not working properly, the company must report the problem to the FCC within five business days.

During its investigation, the Enforcement Bureau learned that, beginning in 2006 and continuing for several years thereafter, Verizon (a) failed to generate the required opt-out notices to approximately two million customers, (b) failed to discover these problems until September 2012, and (c) failed to notify the FCC of these problems until January 18, 2013, 126 days later.

LinkedIn’s Proposed Breach Settlement Pays Premium Users

According to a report in MediaPost, social networking service LinkedIn has agreed to pay $1.25 million to settle a class-action lawsuit stemming from a 2012 data breach in which hackers accessed and posted 6.4 million users’ passwords online. The proposed settlement calls for LinkedIn to pay up to $50 to qualifying users who purchased premium memberships. If approved, the settlement will resolve a class-action lawsuit brought by Virginia resident Khalilah Gilmore-Wright, a paid LinkedIn subscriber. Wright alleged that she wouldn’t have purchased a premium LinkedIn membership if she had known the company used “obsolete” security measures.

LinkedIn’s paid users can submit a claim if they declare that they read the privacy policy and were influenced by the company’s statements about security. Lawyers for Wright estimate 20,000 to 50,000 subscribers will qualify for payments from the settlement fund.

Rhode Island Hospital to Pay $150,000 to Settle 2011 Breach Allegations

Women & Infants Hospital of Rhode Island (WIH) has agreed to pay $150,000 to resolve allegations that it failed to protect the personal information and protected health information of more than 12,000 patients in Massachusetts (press release). The consent judgment resulted from a data breach reported to the MA Attorney General’s Office in November 2012. Breached information included patients’ names, dates of birth, Social Security numbers, dates of exams, physicians’ names, and ultrasound images.

In April 2012, WIH realized that it was missing 19 unencrypted back-up tapes from two of its Prenatal Diagnostic Centers. In the summer of 2011, these back-up tapes were to be sent to a central data center at WIH’s parent company. Due to an inadequate inventory and tracking system, WIH allegedly did not discover the tapes were missing until the spring of 2012. Because of deficient employee training and internal policies, the breach was not properly reported under the breach notification statute to the AG’s Office and to consumers until the fall of 2012.

Key Takeaways: AGs are increasingly enforcing data protection laws and regulations; sensitive information leaving facilities must be protected (encrypted); and employees should be trained to report data privacy and security incidents immediately.

3 Companies Settle FTC Charges of Tossing Sensitive Data Into Trash Dumpsters

Two companies will pay $101,500 to settle Federal Trade Commission charges that they allowed sensitive consumer information to be tossed into trash dumpsters. The FTC charged that PLS Financial Services, Inc. and The Payday Loan Store of Illinois, Inc. failed to take reasonable measures to protect consumer information. Documents containing sensitive personal identifying information – including Social Security numbers, employment information, loan applications, bank account information, and credit reports – were disposed of in unsecured dumpsters near several PLS Loan Stores or PLS Check Cashers locations. According to the FTC complaint, these actions violated the FTC’s Disposal Rule and the Gramm-Leach-Bliley Safeguards Rule and Privacy Rule. The FTC further charged that the companies violated the FTC Act by misrepresenting that they had implemented reasonable measures to protect sensitive consumer information.

This is the third time the FTC has charged a violation of the Disposal Rule, which requires that companies dispose of credit reports and information derived from them in a safe and secure manner.

Anthem Settles with California AG over SSN Disclosure

California AG Kamala D. Harris announced a settlement with Anthem Blue Cross regarding allegations of unlawful disclosure of the Social Security numbers of 33,000 Medicare subscribers between April 2011 and March 2012. According to the state, Anthem printed the Social Security numbers on letters to policyholders in a way that could be seen through the envelope window. The state alleged this violated California Business and Professions Code § 1798.85, which restricts disclosure of the numbers. Among other things, the company must pay $150,000 to settle the claim.

FTC Reaches Settlement with Compete – Web Analytics Company

The Federal Trade Commission has reached a settlement with web analytics company Compete, Inc., for allegedly misrepresenting its data collection practices and failing to adequately secure collected data. According to the FTC allegations, Compete committed a deceptive act or practice by failing to appropriately disclose “the full extent of data collected through tracking software.” Once installed, the Compete tracking component operated in the background, automatically collecting information about consumers’ online activity. It captured information consumers entered into websites, including usernames, passwords, and search terms, as well as credit card and financial account information, security codes and expiration dates, and Social Security numbers. Upromise, which licensed Compete’s web-tracking software, settled similar FTC charges earlier this year.

COPPA Settlement for Artist Arena Fan Websites

The operator of fan websites for music stars Justin Bieber, Rihanna, Demi Lovato, and Selena Gomez has agreed to settle FTC charges that it violated the Children’s Online Privacy Protection Act (COPPA). According to the FTC’s complaint, Artist Arena collected children’s names, addresses, email addresses, birthdates, gender and other information without properly notifying parents or obtaining their consent. Artist Arena is alleged to have knowingly registered over 25,000 children under age 13 and collected and maintained personal information from almost 75,000 additional children who began, but did not complete, the registration process. Among other things, the settlement will impose a $1 million civil penalty.

Equifax Settles FCRA and FTC Act Charges

Equifax Information Services LLC has agreed to settle Federal Trade Commission charges that it improperly sold lists of consumers who were late on their mortgage payments. According to the FTC, Equifax violated the Fair Credit Reporting Act (FCRA) by providing lists to organizations without a permissible purpose, had inadequate preventative procedures, and failed to properly investigate when it learned of prescreening violations. The FTC alleged that Equifax’s failures also violated Section 5 of the FTC Act.