At a Glance

In this final edition for 2023, the number and breadth of data privacy and security enforcement actions demonstrate that state AGs are flexing their muscles and playing a significant regulatory role in this area. Some of the trends that are emerging and are likely to continue include:

• Increased Emphasis on Consumer Privacy: State AGs have been placing greater emphasis on protecting consumer privacy. Laws like the California Consumer Privacy Act (CCPA) and similar measures in other states may continue to drive this trend.
• Stricter Data Breach Notification Requirements: Many states have been enhancing their data breach notification laws to include more stringent requirements for organizations to promptly inform individuals affected by a data breach, and some states require regulatory notification as well.
• State-Specific Privacy Legislation: To date, 12 states having enacted comprehensive privacy laws, some of which also contain data security provisions, although only a small number have gone into effect at this time. Eight more states have active bills pending. All 50 states have data breach notification laws. The regulatory patchwork impacts companies operating across multiple jurisdictions.
• Focus on Cybersecurity Measures: State AGs may increasingly emphasize the importance of robust cybersecurity measures. Encouraging businesses to implement proactive security measures can help prevent data breaches and protect consumer information. This is evident in the specificity of the security measures included in the settlements reported on in this edition.
• Growing Role of Technology: The use of technology, including artificial intelligence and machine learning, in identifying and addressing privacy violations and data breaches may become more prevalent. States may leverage advanced technologies to enhance their enforcement capabilities.
• Increased Enforcement Actions: State AGs may continue to actively pursue enforcement actions against organizations that violate data privacy laws. This could involve penalties, fines and settlements, with a focus on holding companies accountable for protecting consumer data.
• Collaboration and Information Sharing: States may collaborate more closely with each other and with federal agencies to share information and coordinate efforts in addressing cross-border data privacy issues, a trend that has picked up in 2023.

Data Privacy & Security

The New York AG Secures $450,000 From Medical Company for Failing to Protect Patient Data

The New York AG secured $450,000 from U.S. Radiology Specialists, Inc., for allegedly failing to protect patient data. An investigation by the AG determined that U.S. Radiology “did not prioritize upgrading its hardware, which left its network exposed to a known vulnerability, leading to a ransomware attack that affected more than 92,000 New Yorkers.” In addition to paying $450,000 in penalties, U.S. Radiology also agreed to “adopt additional data security practices to strengthen its network, including:

• Enhancing and maintaining its existing written information security program that ensures the security, integrity, and confidentiality of patients’ personal information;
• Creating and implementing an IT asset management program for identifying, reporting, and prioritizing replacement or updates of IT assets;
• Encrypting patients’ personal information that it collects, stores, transmits, and/or maintains;
• Developing and maintaining a penetration testing program that regularly identifies and remediates any and all security vulnerabilities found during testing; and
• Implementing policies and procedures that seek to permanently delete their patients’ personal data when there is no reasonable business purpose to retain it.”

The full press release is available here.

The New York AG Secures $350,000 From Home Health Care Company for Failing to Protect Patient and Employee Data

The New York AG secured $350,000 from Personal Touch Holding Corporation for allegedly failing to protect patient and employee data. An investigation by the AG found “that Personal Touch failed to maintain reasonable data security safeguards to protect patient and employee data,” and that there was “inadequate security training of its staff, poor access controls, a lack of a continuous monitoring system, and a failure to encrypt personal and medical data.” In addition to paying $350,000 in penalties, Personal Touch also agreed “to enhance its information security program and implement safeguards to better protect its employees’ and patients’ personal and health information, including:

• Maintaining a comprehensive information security program that includes regular risk assessments, regular testing and monitoring of existing safeguards, and regular updates to the information security program;
• Maintaining reasonable access control and authentication procedures;
• Encrypting personal and health information;
• Implementing a continuous logging and monitoring system, anti-malware protections, an intrusion detection and prevention solution, and an email filtering and phishing solution; 
• Developing a vulnerability management program that includes regular vulnerability scanning and penetration testing;
• Updating its data collection, retention, and disposal practices to ensure that personal and health information is maintained only to the minimum extent necessary to accomplish legitimate business purposes;
• Conducting annual employee security training; and
• Establishing reasonable vendor management procedures.”

The full press release is available here.

Fifty State AGs Announce a $49.5 Million Multistate Settlement With Blackbaud for Data Breach

Fifty state AGs announced that they reached a settlement with software company Blackbaud concerning its data security practices, including its response to a 2020 data breach that allegedly exposed millions of consumers’ personal information. In addition to paying $49.5 million to the states, Blackbaud agreed to “strengthen its data security and breach notification practices going forward by implementing:

• Personal information safeguards and controls requiring total database encryption and dark web monitoring.
• Specific security requirements with respect to network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing.
• Breach response plans to prepare for and more appropriately respond to future security incidents and breaches, including adhering to breach notification requirements under state law and HIPAA.
• Breach notification provisions that require Blackbaud to provide appropriate assistance to its customers and support customers’ compliance with applicable notification requirements in the event of a breach.
• Security incident reporting to the CEO and board, enhanced employee training, and appropriate resources and support for cybersecurity.
• Third-party assessments of Blackbaud’s compliance with the settlement for seven years.”

A copy of the settlement agreement is available here.

The Pennsylvania AG Announced a $1 Million Settlement With Rutter’s After Data Breach

The Pennsylvania AG announced a $1 million settlement with the convenience store chain Rutter’s in connection with a series of cybersecurity attacks that allegedly exposed information from more than a million customer payment cards. An investigation by the AGO determined that Rutter’s “failed to properly employ reasonable data security measures in protecting consumers’ sensitive personal information in violation of Pennsylvania’s Unfair Trade Practices and Consumer Protection Law.” In addition to the $1 million payment, Rutter’s agreed to “conduct and document a risk assessment, undergo an independent settlement compliance assessment, and implement security improvements,” including:

• Maintaining a comprehensive information security program that is appropriately designed to protect the security, confidentiality and integrity of personal information that it collects, receives or processes
• Implementing appropriate password management
• Implementing and maintaining logging and log monitoring policies and procedures
• Maintaining, keeping updated and supporting the software on its network
• Disabling service accounts that are no longer used for any legitimate business purpose
• Detecting and responding to suspicious network activity within its network within reasonable means

The full press release is available here.

Coalition of AGs Led by Indiana Secures $1.4 Million Settlement From Health Care Clearinghouse for Exposing Patient Information Online

A coalition of 33 state AGs secured a settlement with health care clearinghouse Immediata Technologies, LLC, over the alleged online exposure of 1.5 million patients’ sensitive private health information due to a coding issue. 

As a health care clearinghouse, Immediata is a HIPAA-covered entity required to comply with the HIPAA Privacy and Security Rules. In January 2019, the U.S. Department of Health and Human Services’ Office of Civil Rights notified Immediata of the breach, but Immediata allegedly did not notify consumers for over three months, and then sent notices that lacked sufficient information or were not properly addressed. The state AGs also alleged noncompliance with applicable state consumer protection and data breach notification laws.

Immediata agreed to pay a total of $1.4 million to be divided between the investigating states, and agreed to develop, implement and maintain an information security program including:

• Appointing a chief information security officer
• Developing an incident response plan
• Implementing a list of specific information security safeguards
• Providing annual third-party information security program assessments to the AG for five years

The full press release is available here.

Coalition of Six State AGs Reaches $6.3 Million Settlement With Morgan Stanley Over Data Security Incidents

The AGs of Connecticut, Florida, Indiana, New Jersey, New York and Vermont settled an investigation into allegedly lax data security practices by Morgan Stanley Smith Barney LLC. According to the AGs, Morgan Stanley failed to employ basic data security measures when decommissioning old devices, which allegedly resulted in devices that contained unencrypted consumer data being sold in online auctions. The firm allegedly failed to maintain vendor controls or to maintain hardware inventories, measures the AGs assert could have prevented the data security incident.

In addition to the fine, Morgan Stanley agreed to develop a comprehensive information security program, including policies to encrypt and protect sensitive data whether in transit or at rest, and to improve its vendor risk assessment practices.

The full press release is available here.

New York AG Settles Data Breach Investigation With Marymount Manhattan College

The New York AG opened an investigation into Marymount Manhattan College’s (MMC) privacy and data security practices after a 2021 cyberattack in which a hacker allegedly infiltrated MMC’s systems and accessed data of nearly 100,000 New Yorkers, including sensitive personal and financial information. The investigation concluded that MMC’s data security practices were inadequate in many respects, including failure to use two-factor authentication, failure to update security policies and firmware, and failure to encrypt sensitive data.

MMC agreed to invest $3.5 million in improved data security infrastructure and practices and will be required to publicly share its plan on the collection, retention and deletion of personal information that it collects. 

The full press release is available here.

Consumer Protection

Colorado and Pennsylvania AGs Announce Settlements Related to “Drip Pricing” in Online Hospitality Reservation Systems

“Drip pricing” refers to an online booking practice in the hospitality industry alleged to disclose fees gradually as consumers progress through the online booking process and to not reveal the total price until the end of the online booking process or upon actual check in. State AGs allege that “drip pricing” is a deceptive practice that violates state consumer protection laws, and have begun to take action to prevent the practice.

Recently, the Colorado AG announced a settlement with Choice Hotels International, Inc., owner of national hotel brands that include Radisson, Country Inn & Suites, and Comfort Suites; and the Pennsylvania AG announced a settlement with Texas-based Omni Hotels Management Corporation. Both settlements require the companies to:

• “Clearly and conspicuously” display all mandatory fees and the total price in any advertisement or offer that includes a room rate
• When displaying rooms sorted by price, sort by the total price including all fees
• List mandatory hotel fees separately from taxes or other government-imposed fees
• Conspicuously disclose the goods or services covered by any mandatory fee
• Require third parties such as franchisees and licensees to comply with the terms of the settlement agreement

Pennsylvania’s settlement with Omni Hotels follows on prior settlements with Marriot in 2021 and with Choice Hotels International in October of this year.

The Colorado press release is available here, and the Pennsylvania release is available here.

Wage and Employment

The Massachusetts AG Issues Over $1.3 Million in Citations Against Quick Temp., Inc., for Wage, Sick Time and Records Violations

The Massachusetts AG announced a series of citations against Quick Temp., Inc., and its owners, totaling more than $1.3 million in restitution and civil fines. The alleged violations were for “failure to pay a prevailing wage, failure to pay minimum wage, failure to pay overtime, non-payment of wages, failure to accrue earned sick leave, failure to keep true and accurate records, and failure to furnish employment notices to temporary agency employees.” The investigation also determined that the company had violated the Massachusetts Temporary Workers Right to Know Law that provides specific, additional protections for employees of staffing agencies. Notably, in 2019 the AG’s office issued citations against Quick Temp totaling $82,000 for many of the same violations. 

The full press release is available here.

The Massachusetts AG Announced a $6.8 Million Settlement With MGM Springfield for Wage and Hour Violations

The Massachusetts AG announced a settlement with MGM Springfield totaling $6,839,287 in the form of restitution and penalties for wage and hours violations. After a multiyear investigation, the AG determined that the “full range of wage and hour violations by MGM Springfield include[d] failure to pay minimum wage to tipped employees, failure to pay overtime wages, unlawful tip retention by management, failure to make timely payments of wages, and failure to provide paid earned sick time.” The investigation began in 2018 after the Fair Labor Division began receiving complaints from MGM employees about managers allegedly engaging in illegal wait staff tip-pooling, allegedly underpaying for overtime hours, and allegedly requiring certain employees to work through their meal breaks without compensation. In addition to the $6.8 million payment, the agreement also requires MGM Springfield to implement a compliance program, which will include regular trainings of relevant staff on wage and hour compliance as well as two annual wage and hour audits to be conducted by a third party. 

The full press release is available here. 

Massachusetts AG Resolves Investigations of Child Labor Abuses at Dunkin’ Franchises for Over $1 Million

The Massachusetts AG resolved another in a series of investigations involving independent Dunkin’ franchises, in which store management allegedly required employees as young as 16 to work more than nine hours in a day, in violation of child employment protections. 

The most recent enforcement action involved franchisees who collectively own and operate 25 Dunkin’ locations in Massachusetts. The franchisees agreed to pay citations of $500,000 and to contribute another $500,000 into a fund to support the AG’s work in enforcement and education initiatives around wage and hour laws.

This action follows on the heels of multiple enforcement actions in Massachusetts against Dunkin’ franchises over the previous two years with aggregate penalties of nearly $1.75 million.

The full press release is available here.

Unfair and Deceptive Practices

The California AG and FTC Announced a Settlement With CRI Genetics Over Deceptive Marketing and Business Practices

The California AG and the FTC announced a settlement with CRI Genetics, a company offering DNA testing and ancestry services to consumers, resolving “allegations that CRI misled consumers about the purported superiority of its genetic testing services, presented false and misleading consumer testimonials and reviews, and engaged in deceptive billing practices.” Specifically, the complaint alleged that CRI “engaged in a number of misleading marketing practices, including misrepresenting that its DNA testing services are more accurate and detailed than those of its competitors, and that its ancestry reports show exactly where a consumer’s ancestors are from with over 90% accuracy.” The complaint also alleged that CRI created a fake genetics testing review website, which was designed to look independent, and that CRI used that website to provide “inflated reviews of its genetic testing services.” The complaint also alleged that the company presented false consumer testimonials on its own website and on social media platforms like Facebook. Finally, the complaint further alleged that CRI “manipulated consumers into purchasing unwanted add-on services, forcing consumers to go through a time-consuming and confusing refund process.”

Under the settlement, CRI must pay the state $700,000 in civil penalties. The settlement also “restricts CRI and its founder from engaging in future deceptive conduct,” and it requires CRI to comply with the California Consumer Privacy Act and the Genetic Information Privacy Act. 

The full press release is available here.

Health Care Fraud and False Claims 

Massachusetts AG Settles With Two Autism Service Providers for $2.5 Million for Allegedly Submitting False Claims to MassHealth

Two providers of behavioral health services to children with autistic spectrum disorder, Ubuntu Autism Consultants, LLC, and Autism Resources and Therapy Center, along with their owners, will pay an aggregate of $2.5 million for allegedly billing MassHealth managed-care entities for services that were either not provided, were provided by individuals who lacked appropriate credentials, were not rendered or documented properly, or were improperly supervised.

In addition to the financial settlement, the two companies will implement three-year compliance monitoring programs with periodic audits.

The full press release is available here.

New Jersey, New York and Georgia AGs File Civil Complaint Against Fresenius Vascular Care for Performing Unnecessary Invasive Procedures

The AGs of New Jersey, New York and Georgia filed a complaint in the Eastern District of New York against New York-based Fresenius Vascular Care and one of its executives alleging multiple counts of fraud, and state False Claims Act violations. The AGs allege that Fresenius regularly performed unnecessary and risky medical procedures such as angioplasties on patients with end-stage renal disease, and forced patients to undergo excessive evaluations that subjected them to increased medical risk, in a scheme to defraud state Medicare and Medicaid programs. The lawsuit is a result of a joint investigation between the AGs and the National Association of Medicaid Fraud Control Units.

The states seek treble damages and civil penalties. The full press release is available here.

Cryptocurrency

New York AG Sues Cryptocurrency Companies for Alleged $1.1 Billion Crypto Fraud

The New York AG filed a high-profile lawsuit against cryptocurrency companies Gemini Trust Company (Gemini), Genesis Global Capital, LLC, (Genesis) and Genesis’ parent company Digital Currency Group, Inc., (DCG), alleging that they defrauded more than 230,000 investors by misrepresenting the risks of their investment vehicle, Gemini Earn. According to the AG, Gemini, which was founded by Tyler and Cameron Winklevoss, assured investors that it had vetted Gemini Earn through a risk-management framework, but knew through its own internal analyses that Gemini Earn’s assets — third-party loans — were unsecured and risky. The AG also alleged that Gemini concealed the fact that its assets were highly concentrated, and that at one point nearly 60% of its third-party loans were to Sam Bankman-Fried’s crypto trading firm Alameda Research. Gemini allegedly revised its estimate of Genesis’s credit rating to junk grade in February 2022, but never revealed the downgrade to investors. The lawsuit also alleges that Genesis and DCG hid over $1 billion in losses from investors and failed to adequately audit one of the fund’s largest borrowers, which ultimately defaulted on billions of dollars in loans.

The lawsuit seeks restitution and disgorgement of gains; and the AG seeks to ban Gemini, Genesis and DCG from operating in New York.

The Securities Exchange Commission had previously sued DCG, Genesis and Gemini for the unregistered offer and sale of securities; and former partners Genesis and Gemini are currently in litigation against one another.

The full press release is available here.