Litigation and regulation surrounding privacy and cybersecurity are continuously developing, in both the government and the private sector. This digest summarizes the most notable events in privacy and cybersecurity this week.
Largest Cyberattack of U.S. Government; OPM Director Resigns
In what appears to be the largest hack of U.S. government systems, the personal information of essentially every current, former, and potential federal employee who has undergone a background check through the U.S. Office of Personnel Management (OPM) since 2000 was stolen. Some 1.1 million fingerprints were also stolen, according to the agency. News of the latest incident comes only a few weeks after news broke of a different OPM cyberattack that affected 18 million people. Katherine Archuleta resigned as director of OPM on Friday. In addition, a second class action suit has been filed against OPM regarding the breaches.
FCC Fines Telecom Companies $3.5 Million for Insecure Storage of Personal Data
Phone companies TerraCom, Inc. and YourTel America, Inc. resolved an investigation with the U.S. Federal Communications Commission (FCC) by agreeing to a $3.5M civil penalty and oversight requiring comprehensive compliance programs. The investigation found that the companies’ vendor had stored personal information of customers in plain text on the internet.
State Attorneys General Do Not Want Federal Preemption of Data Breach Laws
There is bipartisan support for data breach legislation in the U.S. Congress, but attorneys general from all 47 states with data breach notification laws do not necessarily think federal legislation should preempt state data breach notification laws. Many companies favor a federal data breach notification law that preempts state law, arguing that the patchwork of state laws makes compliance unreasonably burdensome.
Time Warner Ordered to Pay $229,500 to One Person for Violation of TCPA
A federal judge ordered Time Warner Cable to pay $229,500 for violating the Telephone Consumer Protection Act (TCPA) by placing 153 automated calls to the same woman in Texas – 74 of which were placed after she sued Time Warner Cable to stop the calls. The calls were meant for a previous owner of the cellphone number who was late paying his cable bill, but Time Warner Cable did not update its records or stop the calls even when the woman told the company she was not the man they were trying to reach.
NFL Player’s Finger Amputation and the Possible HIPAA Violation
Jason Pierre-Paul of the National Football League’s New York Giants had a finger amputated and had his related medical records displayed on Twitter. Allegedly, an employee of Jackson Memorial Hospital obtained and released the records to a reporter without Pierre-Paul’s consent. Under HIPAA, such violations can lead, and have led, to million-dollar fines and hospital employee imprisonment.
Zoo Gift Shop Credit Card Breach
Between March 23 and June 25, 2015, customers who used credit or debit cards at zoo gift shops and restaurants may have had their credit card information stolen. Service Systems Associates released a statement acknowledging the point-of-sale malware attack on its debit and credit card processing systems, but declined to state which zoos were affected.
HSBC Settles Call Recording Suit for $6.5 Million
HSBC Card Services Inc. agreed to settle for $6.5M a proposed class action alleging the surreptitious recording of customer calls in California. Plaintiffs alleged that HSBC recorded their phone calls without telling them during the call. HSBC contended that it had disclosed that calls could be recorded in its card member agreements and that card members had no reasonable expectation of privacy given the relationship.