Balancing Privacy and Security in an Age of Instant, Ubiquitous Communications

A recent article in the New York Times discussed the "growing tension between communications companies and governments over how to balance privacy with national security."  This tension is not limited to that context, however.  Nearly every workplace that uses email faces a similar tension between open access and secure communications.  And this debate splits people.  An ongoing informal survey by The Economist suggests that the number of people who want more control and restrictions over communication is nearly balanced by the number who chafe at such restrictions.

So, what's the right answer?  It would seem that continual balancing and re-balancing between too much/too little privacy and too much/too little security is the necessary (if not quick or easy) solution.  In the workplace, that means not always siding with one faction or the other on these issues, but addressing issues pragmatically as they arise.

HHS Proposes Major Changes to HIPAA Privacy, Security and Enforcement Rules

We are reproducing here our July 12, 2010, Security & Privacy Alert, written by Colin J. Zick and Maia M. Larsson

On July 8, 2010, the Department of Health and Human Services (“HHS”) issued a notice of proposed rulemaking (“NPRM” or “proposed rule”)[1] modifying the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy, Security, and Enforcement Rules[2] pursuant to the Health Information Technology for Economic and Clinical Health Act (“HITECH”), which was enacted February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009, Pub. L. 111-5. The NPRM will be published in the Federal Register on July 14. Stakeholders will have 60 days from the date of publication to submit comments on the proposed rule to HHS.

Overview

The proposed modifications in this NPRM are intended to implement recent amendments made under the HITECH Act and to “improve the workability and effectiveness” of the HIPAA Rules. In the NPRM, HHS describes section-by-section how the proposed regulatory changes would implement provisions of the HITECH Act. In addition, HHS has proposed technical corrections and other modifications to enhance the effectiveness of the Rules.[3] In summary, the proposed changes include:

  • Extending to business associates many of the requirements in the Privacy and Security Rules;
  • Establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes;
  • Restricting the disclosure of protected health information (“PHI”) to health plans;
  • Expanding individuals’ rights to access their information; and
  • Expanding HIPAA’s enforcement of privacy and security provisions.

Proposed Amendments to the Privacy Rule

With specific regard to “business associates,” HHS’s proposed rules confirm the extension of HIPAA privacy and security rules to them (essentially making “business associates” into “covered entities.”) HHS also seeks to modify the definition of “business associate” to conform with its statutory definition and to provide clarification on circumstances that would give rise to a business associate relationship. For example, HHS proposes to add patient safety activities to the list of functions and activities that would give rise to a business associate relationship if a person undertook those activities on behalf of a covered entity. Id. at 19. In addition, several types of organizations that did not exist when the HIPAA regulations were finalized a decade ago, such as a Health Information Exchange Organization, E-prescribing Gateway, or Regional Health Information Organization, will be treated as business associates. Id. at 20.

In an expansion of HIPAA beyond even the provisions of HITECH, HHS proposes to add subcontractors (“those persons that perform functions for or provide services to a business associate”) to the definition of a business associate. Id. at 22. This has the potential to extend HIPAA to many entities not covered previously.

HHS discusses the new HITECH Act requirements affecting the Privacy Rule and proposes further regulatory changes including changes related to the definition of “marketing” and use and disclosure rules for PHI applicable to business associates. See id. at 64-82. To address the concern by covered entities and business associates regarding administrative burdens and costs related to implementing revised contracts around new proposed regulations, HHS proposes to allow covered entities and business associates (and their subcontractors) to continue operating under their existing contracts for up to one year beyond the compliance date of the revisions to the Rules. See id. at 87-88.

Regarding the use and disclosure of PHI where valid authorization is required, the proposed rule would add a third circumstance to the two circumstances in the current regulations where such authorization is necessary. Currently, authorization is required for (1) most uses and disclosures of psychotherapy notes; and (2) uses and disclosures for marketing. In accordance with the third circumstance added by the HITECH Act – the sale of PHI – HHS proposes to add a new section to the regulations that would require a covered entity (or business associate) to obtain authorization for any disclosure of PHI that is in exchange for direct or indirect remuneration, unless a specified exception applies. See id. at 91-99.

Proposed Amendments to the Security Rule

HHS proposes a number of changes to the Security Rule including technical modifications as well as modifications to references to business associates, administrative safeguards, and organizational requirements. See id. at 56-64.

Effective Date and Compliance Period

Although most of the provisions of the HITECH Act already became effective February 18, 2010, HHS recognized that it will be difficult for covered entities and business associates to comply with the statutory provisions until after HHS has finalized its changes to the HIPAA Rules. As such, HHS intends to provide covered entities and business associates with 180 days beyond the effective date of the final rule to come into compliance with “most of the rule’s provisions.” Id. at 13. This proposed 180-day compliance period, however, will not apply to the HIPAA Enforcement Rule “because such provisions are not standards or implementation specifications,” and thus, these provisions will be in effect and apply at the time the final rule becomes effective or as otherwise provided. Id. at 15.

[1] HHS, “Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act” (July 8, 2010), display copy, available here [hereafter, “HHS NPRM”].

[2] Note: “Privacy Rule” refers to the Standards for Privacy of Individually Identifiable Health Information; the “Security Rule” refers to the Security Standards for the Protection of Electronic Protected Health Information; and the “Enforcement Rule” refers to Compliance and Investigations, Imposition of Civil Money Penalties, and Procedures for Hearings, issued under HIPAA.

[3] Several sections of the HITECH Act are not discussed in detail in these regulations, either because they have been the subject of previous rulemakings (e.g., breach notification) or because they will be the subject of future rulemakings (e.g., the accounting for disclosures requirement and the penalty distribution methodology requirement).

Compliance Week's "Must-Read: Major HIPAA Changes Out For Comment"

I shared some of my initial thoughts about the new HITECH/HIPAA regulations with Melissa Klein Aguilar for her blog, "The Filing Cabinet," in today's on-line edition of Compliance Week.

HHS Issues a Notice of Proposed Rulemaking to Modify the HIPAA Privacy, Security, and Enforcement Rules

Earlier today, the Department of Health and Human Services announced proposed modifications to the HIPAA Privacy Rules, calling them the most significant changes to HIPAA since 2003, when the HIPAA Security Rules were adopted.  The proposed changes include:

  • provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities;
  • establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes;
  • prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans; and
  • expanding HIPAA’s enforcement provisions to business associates.

HHS intends to provide covered entities and business associates with 180 days beyond the effective date of the final rule to come into compliance with most of the rule’s standards (but apparently that additional time does not extend to its proposed enforcement provisions).

The public is invited to comment on the provisions of the proposed rule for 60 days following publication in the Federal Register at Regulations.gov.

We are still reviewing the 234 pages of proposed regulations and will have more to say about them shortly.

Connecticut Attorney General Reaches First State HIPAA Settlement with Health Net

On July 6, 2010, Connecticut Attorney General Richard Blumenthal announced a settlement with Health Net and its affiliates (Health Net of the Northeast, Inc., Health Net of Connecticut Inc., and parent companies UnitedHealth Group Inc. and Oxford Health Plans) of a suit that cited the failure to secure private patient medical records and financial information on nearly a half million Connecticut enrollees and to promptly notify consumers endangered by the breach.

The settlement marks the first action by a state attorney general for violations of HIPAA since the Health Information Technology for Economic and Clinical Health ("HITECH") Act authorized state attorneys general to enforce HIPAA.  The settlement includes two years of consumer credit monitoring, $1 million of identity theft insurance and reimbursement for the costs of security freezes. Under the settlement, Health Net and its affiliates also agreed to:

  • A “Corrective Action Plan” in which Health Net is implementing several measures to protect health information and other private data in compliance with HIPAA. This plan includes continued identity theft protection, improved systems controls, improved management and oversight structures, improved training and awareness for its employees, and improved incentives, monitoring, and reports.
  • A $250,000 payment to the state representing statutory damages.
  • An additional contingent payment to the state of $500,000, should it be established that the lost disk drive was accessed and personal information used illegally, impacting plan members.

TJX Settles Investor Lawsuit Related to Data Breach

According to a report in the Boston Globe, TJX has settled a lawsuit brought by the Louisiana Municipal Police Employees’ Retirement System, a TJX stockholder, which had alleged that the TJX board of directors failed to protect customers’ personal data, apparently in connection with the Albert Gonzalez breach.  Bloomberg News has reported that the case was settled for $595,000 in legal fees and an agreement regarding enhanced oversight of customer files.  There is no reference to this suit in TJX's most recent Form 10-Q.

CMS Issues Proposed Rules on Hospital Visitors

In late June, the Centers for Medicare & Medicaid Services (“CMS”) proposed new rules for hospitals that would entitle patients to choose their own visitors during a hospital stay, including visitors who are same-sex domestic partners. These proposed rules stem from the April 15, 2010 Presidential Memorandum on Hospital Visitation issued to the Secretary of Health and Human Services.

The proposed rules would require every hospital to have written policies and procedures detailing patients’ visitation rights, as well as instances when the hospital may restrict patient access to visitors based on reasonable clinical needs. A key provision of the proposed rules specifies that visitors chosen by the patient (or his or her representative) must be able to enjoy visitation privileges that are no more restrictive than those for immediate family members:

    (h) Standard: Patient visitation rights. A hospital must have written policies and procedures regarding the visitation rights of patients, including those setting forth any clinically necessary or reasonable restriction or limitation that the hospital may need to place on such rights and the reasons for the clinical restriction or limitation. A hospital must--

(1) Inform each patient (or representative, where appropriate) of his or her visitation rights, including any clinical restriction or limitation on such rights, when he or she is informed of his or her other rights under this section.

(2) Inform each patient (or representative, where appropriate) of the right, subject to his or her consent, to receive the visitors whom he or she designates, including, but not limited to, a spouse, a domestic partner (including a same-sex domestic partner), another family member, or a friend, and his or her right to withdraw or deny such consent at any time.

(3) Not restrict, limit, or otherwise deny visitation privileges on the basis of race, color, national origin, religion, sex, sexual orientation, gender identity, or disability.

(4) Ensure that all visitors designated by the patient (or representative, where appropriate) enjoy visitation privileges that are no more restrictive than those that immediate family members would enjoy.

Comments on these proposed regulations are due by August 27, 2010.

One More Reason to Secure Your Wireless Network

In a federal court case decided earlier this year, United States v. Ahrndt, the court held that an individual had no reasonable expectation of privacy in the use of an unsecured wireless network.  The details of this decision are instructive for those still looking at questions of network privacy and security.

This case had its start in 2007, when a woman referred to as JH was using her personal computer at her home in Oregon.  She was connected to the internet via her own wireless network, but when her wireless network malfunctioned, her computer automatically picked up another, unsecured wireless network nearby.  Her iTunes program then displayed a shared library available on that network; JH opened the shared library and found a subfolder called "Dad's Limewire Tunes," which contained files with names indicating that they were child pornography.  That shared library was traced back to the defendant, Mr. Ahrndt, a convicted sex offender.

Ahrndt moved to suppress much of the evidence that was found on his computer, arguing that he had a reasonable, subjective expectation of privacy under the Fourth Amendment in the contents of a shared iTunes library on a personal computer connected to an unsecured home wireless network.  The court held that society recognizes a "lower expectation of privacy in information broadcast via an unsecured wireless network router than in information transmitted through a hardwired network or password-protected network."  The opinion went on to note that "[s]ociety's recognition of a lower expectation of privacy in unsecured wireless networks, however, does not alone eliminate defendant's right to privacy under the Fourth Amendment. In order to hold that defendant had no right to privacy, it is also necessary to find that society would not recognize as reasonable an expectation of privacy in the contents of a shared iTunes library available for streaming on an unsecured wireless network."  And that is precisely what the Court concluded:  "When a person shares files on LimeWire, it is like leaving one's documents in a box marked 'free' on a busy city street."

Is the Smart Money Chasing Privacy and Security?

A recent article in the Wall Street Journal suggests that "top-tier venture-capital firms" have invested in start-up businesses in the privacy space in recent months.  This could be a sign that the so-called "smart money" sees data privacy and security as a viable long-term industry, and not this decade's version of Y2K.  It seems likely that we are due for a long-term presence of privacy and security protection in our business and private lives.  While Y2K was a one-time event and the huge amounts spent (wasted?) on it left investors with a New Year's Day hangover, the digitization of commerce grows day by day, resulting in concomitant needs for information privacy and security, which may justify the faith of investors.

FTC Delays Enforcement of Red Flags Rule Against Doctors & Hospitals Until Appeals Court Rules

On June 25, 2010, federal district court judge Reggie B. Walton of the United States District Court for the District of Columbia entered a stipulated court order (.pdf) directing the Federal Trade Commission (FTC) to delay enforcement of the FTC's Red Flags Rule against doctors and medical practices represented by the American Medical Association (AMA) and American Osteopathic Association.  The FTC and AMA agreed to this delay in a Joint Stipulation (.pdf), filed in the lawsuit initiated by the AMA and other medical associations to exclude doctors and other medical professionals from the application of the Red Flags Rule.

The key issue in the case is whether medical practices should be considered "creditors" under the Red Flags Rule and the Fair and Accurate Credit Transactions Act (FACTA or the FACT Act).  The case follows lawsuits filed beginning in 2009 by the American Bar Association (ABA) and the American Institute of Certified Public Accountants (AICPA) to exclude lawyers and accountants from the scope of the new rules.  In October 2009, Judge Walton ruled that lawyers were not "creditors" subject to the Red Flags Rule.  The FTC has appealed that order, and the United States Court of Appeals for the District of Columbia Circuit is expected to issue a decision clarifying the scope of the law.

In the recently approved stipulation, the AMA and the FTC have agreed to stay their dispute until the Court of Appeals issues its opinion.  The FTC has also agreed to delay enforcement of the Red Flags Rule for 90 days after the Appeals Court issues its ruling.

Spokeo In Violation of Federal Privacy Laws According to New CDT Complaint Filed With FTC

This week, the Center for Democracy & Technology (CDT) submitted a complaint (.pdf) to the Federal Trade Commission (FTC) alleging that the data broker website Spokeo was violating federal financial privacy law by not taking adequate safeguards to protect consumers.  Spokeo is a website that bills itself as a search engine that allows users the ability to look up "people-related information from phone books, social networks, marketing lists, business sites, and other public sources." 

According to the CDT's complaint, Spokeo is in violation of the Fair Credit Reporting Act (FCRA), which requires "consumer reporting agencies" to take certain actions to protect consumer privacy, including giving consumers the right to access information about themselves, to correct mistakes, and to be advised of adverse decisions made based on Spokeo's data.  The FCRA also strictly limits the disclosure of consumer data to a limited number of "permissible purposes," yet the CDT complaint does not appear to raise claims regarding Spokeo's disclosure of consumer data to its users.  The complaint does allege that Spokeo's actions amount to unfair and deceptive acts in violation of the FTC Act.

Cracking Down: Twitter Settles Charges that It Did Not Take Adequate Security Precautions To Protect User Privacy Settings

Today, the Federal Trade Commission (FTC) and Twitter announced that Twitter has agreed to settle FTC charges that the company failed to take sufficient security measures to protect user privacy settings.  

The FTC charges stem from breaches in security that occurred in 2009, when hackers accessed Twitter employee accounts and used administrative controls to access the Twitter accounts of high-profile users, including Barack Obama.  (Under hacker control, President-elect Obama's Twitter account apparently "offered his more than 150,000 followers a chance to win $500 in free gasoline.")  Twitter candidly announced the first security incident in January 2009 and blogged about a second incident in April 2009.

The FTC Complaint (.pdf) lists the following security flaws among Twitter's failings:

  • Twitter allegedly did not have policies that required its administrators to select hard-to-guess passwords; instead, administrators were permitted to use "weak, lowercase, letter-only, common dictionary word[s]" as administrative passwords.
  • Twitter employees were allowed to store administrative passwords in plain text, so that once hackers broke into an employee's account, they had full administrative access to other users' accounts.
  • Twitter did not disable administrative accounts after a number of unsuccessful login attempts, allowing hackers to easily run automated password-guessing tools against the accounts.
  • Twitter administrators were not required to change their passwords regularly.
  • Twitter did not limit administrative access to user accounts to those employees who needed such access.
  • Twitter did not do enough to restrict administrative access to authorized individuals, for example by requiring administrators to log into a separate employee website or by restricting administrator access to specific IP addresses.
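
Taken together, the items in the FTC's list describe a single weak administrative login path.  The following is an added example, not Twitter's code and not drawn from the complaint, of how such a path looks with those gaps closed: a password policy that rejects the lowercase dictionary words the complaint quotes, salted hashing so that the server never holds the plaintext, a lockout after repeated failures, and a source-address allowlist.  The thresholds, the tiny word list and the 10.0.0.0/8 network are illustrative assumptions.

```python
import hashlib
import hmac
import ipaddress
import os
import time
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a dictionary word list (a real deployment would
# load a large one); the complaint quotes exactly this kind of password.
COMMON_WORDS = {"password", "happiness", "letmein", "twitter", "admin"}

MAX_FAILURES = 5            # assumption: lock after five consecutive failures
LOCKOUT_SECONDS = 15 * 60   # assumption: 15-minute lockout
PBKDF2_ROUNDS = 100_000


def password_policy_violations(password: str) -> List[str]:
    """Reasons a candidate administrator password is unacceptable (empty = OK).

    Rejects the 'weak, lowercase, letter-only, common dictionary word' case."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.isalpha():
        problems.append("letters only")
    if password.islower():
        problems.append("lowercase only")
    if password.lower() in COMMON_WORDS:
        problems.append("common dictionary word")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; only (salt, digest) is stored, never the plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class AdminDirectory:
    """Administrative accounts with a password policy, lockout and source-IP allowlist."""

    def __init__(self, allowed_networks, clock=time.monotonic):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self.clock = clock                           # injectable for testing
        self.accounts: Dict[str, Tuple[bytes, bytes]] = {}
        self.failures: Dict[str, List[float]] = {}   # username -> [count, locked_until]

    def register(self, username: str, password: str) -> None:
        problems = password_policy_violations(password)
        if problems:
            raise ValueError("weak password: " + ", ".join(problems))
        self.accounts[username] = hash_password(password)
        self.failures[username] = [0, 0.0]

    def login(self, username: str, password: str, source_ip: str) -> str:
        # 1. Administrative logins only from the allowlisted networks.
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in self.allowed):
            return "denied: source address not allowed"
        # Same answer for an unknown user and a wrong password: no username oracle.
        if username not in self.accounts:
            return "denied: bad credentials"
        count, locked_until = self.failures[username]
        now = self.clock()
        # 2. Lockout defeats automated guessing against the admin interface.
        if now < locked_until:
            return "denied: account locked"
        salt, stored = self.accounts[username]
        _, candidate = hash_password(password, salt)
        # 3. Constant-time comparison of the stored and candidate digests.
        if hmac.compare_digest(stored, candidate):
            self.failures[username] = [0, 0.0]
            return "ok"
        count += 1
        if count >= MAX_FAILURES:
            self.failures[username] = [0, now + LOCKOUT_SECONDS]
            return "denied: account locked"
        self.failures[username] = [count, locked_until]
        return "denied: bad credentials"
```

The allowlist check runs before anything else so that guessing from outside the permitted networks never even reaches the lockout counter, and a correct password presented while the account is locked is still refused, which is what stops an attacker who guesses right on the sixth try.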

What may be a key issue for many online businesses developing social networking sites is that, according to the FTC, users' privacy settings may impose an implicit duty on the website operator to take certain security precautions in order to preserve the user's settings. In Twitter's case, the site allowed users to make some "tweets" (short user messages/postings) private, and the alleged lack of security allowed hackers to access those private messages.  The FTC Complaint (.pdf) claims that "Twitter has engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security to: prevent unauthorized access to nonpublic user information and honor the privacy choices exercised by its users in designating certain tweets as nonpublic."  According to the FTC, the lack of security was so severe that Twitter's claim that users' privacy was protected amounted to a deceptive act under the FTC Act.

In its Agreement (.pdf) with the FTC, Twitter consented to adopt a comprehensive information security program and submit independent security assessments to the FTC every other year for the next 10 years.  In today's blog posting, Twitter indicated that "[e]ven before the agreement, we'd implemented many of the FTC's suggestions and the agreement formalizes our commitment to those security practices."

Incident of the Week: Army Intelligence Analyst In Custody After Claiming that He Leaked Thousands of Classified Documents

22-year old U.S. Army intelligence analyst Bradley Manning is reportedly in custody in Kuwait after claiming that he sent 260,000 classified documents to the WikiLeaks website. According to WIRED, Manning, who served at Forward Operating Base Hammer near Baghdad in Iraq, made the admission after reaching out to former hacker Adrian Lamo in a series of Internet chats beginning on May 21st.  Manning ominously began the conversation with the following:

(1:41:12 PM) Bradley Manning: hi
(1:44:04 PM) Manning: how are you?
(1:47:01 PM) Manning: im an army intelligence analyst, deployed to eastern baghdad, pending discharge for “adjustment disorder” [. . .]
(1:56:24 PM) Manning: im sure you’re pretty busy…
(1:58:31 PM) Manning: if you had unprecedented access to classified networks 14 hours a day 7 days a week for 8+ months, what would you do?

[Read more of Manning's discussions with Lamo at WIRED.]

Lamo continued Internet discussions with Manning after tipping off the FBI and Army CID of the potential leak.  "I wouldn't have done this if lives weren't in danger," Lamo told reporters at WIRED. "He was in a war zone and basically trying to vacuum up as much classified information as he could, and just throwing it up into the air."

The turning point for Manning apparently came when he was ordered to investigate the arrest of Iraqis by the Iraqi Federal Police for the distribution of "anti Iraq" literature.  When Manning discovered that the literature in question was a "benign political critique" of Iraqi Prime Minister Al-Maliki, Manning reported the incident to Army superiors, who told Manning "to shut up."  Manning apparently then began to leak classified materials in an effort to "do the right thing."  The materials Manning leaked apparently included a video of a 2007 U.S. Army helicopter attack in Baghdad that killed a number of civilians.

Incident of the Week: Clickjacking Worm Induces Thousands of Facebook Users to "Like" Infected Websites

This week was an unusually optimistic one for hundreds of thousands of Facebook users who found that their accounts were automatically endorsing numerous oddly titled websites.  If you have been avoiding Facebook, your closest Facebook user (anyone under the age of 30 is a safe guess) can explain that one way users have to share things with their friends, including websites, musicians, television shows, ideas and other users, is to click the ever-present "Like" button.  Some have begun to call this new exploit "likejacking."

The culprit for this unintentional optimism appears to be a "clickjacking" worm.  Rather than exploiting a flaw in Facebook itself, clickjacking abuses the browser's willingness to render one site's page inside an invisible frame placed over another site's page, so that a click aimed at a visible element lands on a hidden control underneath it, here a Facebook "Like" button.  While the victim is logged in to Facebook, his or her account will therefore "Like" web links with titles such as "LOL This girl gets OWNED after POLICE OFFICER reads her STATUS MESSAGE."  As a result, the user's Facebook friends are encouraged to visit the sites.  Clicking the link takes them to a website that states "Click here to continue," and clicking that message causes their own accounts to begin the same automatic referrals to their friends.
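
Clickjacking works because, by default, any site may load another site's page in an invisible frame and position it under a visible element.  The added example below (not Sophos's or Facebook's code) implements the decision a browser makes when it meets the two response headers that control this: X-Frame-Options, which was already deployed in 2010, and the later Content-Security-Policy frame-ancestors directive, which takes precedence when both are present; in covering the second header it goes beyond what was available at the time of this incident.  The response headers and URLs are constructed.  One caveat from the incident itself: a widget built to be embedded on third-party pages, as the Like button is, cannot send these headers at all, which is why such widgets need a confirmation step rather than a framing ban.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """(scheme, host, port) triple that browsers compare for same-origin checks."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def _host_matches(pattern, host):
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])      # "*.example.com" matches any subdomain
    return pattern == host


def _source_matches(source, embedder, page):
    """One CSP source expression against the embedding page's origin."""
    scheme, host, port = embedder
    if source == "'none'":
        return False
    if source == "'self'":
        return embedder == page
    if source == "*":
        return True
    if "://" in source:
        src_scheme, rest = source.split("://", 1)
    elif source.endswith(":"):                  # scheme-source such as "https:"
        return scheme == source[:-1].lower()
    else:
        src_scheme, rest = None, source
    pat_host, _, pat_port = rest.rstrip("/").partition(":")
    if src_scheme is not None and src_scheme.lower() != scheme:
        return False
    if pat_port and pat_port != "*" and int(pat_port) != port:
        return False
    return _host_matches(pat_host.lower(), host)


def framing_allowed(headers, page_url, embedder_url):
    """Would a browser render page_url inside a frame on embedder_url?

    frame-ancestors, when present, overrides X-Frame-Options; with neither
    header the page may be framed by anyone, which is what likejacking relies on."""
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = origin_of(page_url), origin_of(embedder_url)
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            # An empty source list means 'none'.
            return any(_source_matches(s, embedder, page) for s in value.split())
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return page == embedder
    return True


# Constructed responses for a page that carries a clickable control.
UNPROTECTED = {"Content-Type": "text/html"}
HARDENED = {
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",                       # for browsers without CSP
    "Content-Security-Policy": "frame-ancestors 'self' https://*.example.com",
}
```

Sending both headers is the usual practice: the CSP directive carries the precise allowlist and wins in browsers that understand it, while X-Frame-Options covers older browsers that only know the coarse DENY/SAMEORIGIN choice.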

If you have begun to notice that you are "Like"-ing websites more than usual, Sophos makes the following recommendation to users who have been infected:

If you believe you may have been hit by this attack, view the recent activity on your news feed and delete entries related to the above links. Furthermore, you should view your profile, click on your Info tab and remove any of the pages from your "Likes and interests" section.

ALERT: FTC Delays Enforcement of Red Flags Rule Through December 31, 2010

Today, the Federal Trade Commission issued a press release and an Enforcement Policy (.pdf) extending the deadline for enforcement of the FTC's Red Flags Rule through December 31, 2010.  The agency cited requests from members of Congress for a postponement of the deadline while legislators tinker with federal law to exclude certain businesses from application of the Rule.  The FTC announcement states:

Several members of Congress have once again asked the Commission to delay the Rule’s enforcement, through the end of the year, to give Congress time to reach a consensus on the types of businesses that should be covered under the Rule. The Commission believes that a limited further postponement is warranted so that it does not begin to enforce a regulation that Congress plans to supersede.

* * *

The Commission urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays.

In October 2009, the House of Representatives unanimously passed HR 3763 (.pdf), a bill that would exempt from application of the Rule law firms, accounting firms and medical practices with 20 or fewer employees.  This week, on Tuesday, May 25, 2010, Senators John Thune and Mark Begich introduced S.3416 (.pdf), a parallel bill that amends the law to exclude the same small firms and practices.  The bill is currently before the Senate Committee on Banking, Housing, and Urban Affairs.

This move comes days before the June 1, 2010 deadline that the FTC set in October for enforcement of the Red Flags Rule.  Beginning in 2008, the FTC created controversy by construing the Red Flags Rule to apply to a wide range of "creditors", including anyone that invoices customers after providing goods or services.  As a result, the FTC has faced backlash from law firms, accounting firms and medical practices.  Groups representing these industries have filed lawsuits against the FTC to prevent them from applying the Red Flags Rule.  

While it seems likely that Congress will exclude some businesses from the application of the Red Flags Rule, the current efforts may not represent cause for widespread celebration in the legal, accounting and medical communities.  If the new bill expressly excludes small practices, one effect of the new law may be to confirm a legislative intent that larger law firms, accounting firms and medical practices (i.e., those that employ more than 20 individuals) remain subject to the Red Flags Rule.

REMINDER: Red Flags Rule Enforcement Deadline Falls Next Week

This Tuesday, June 1, 2010, marks the official deadline for compliance with the Federal Trade Commission's Red Flags Rule.  The deadline for enforcement of the Red Flags Rule has been delayed repeatedly since its original deadline in November 2008, but the FTC has remained silent on further delays since it announced the current deadline in October of last year.  

The FTC's Red Flags Rule is a set of regulations that require financial institutions and creditors to adopt written identity theft prevention programs.  The FTC sparked considerable controversy when it announced that the Rule applies broadly to a range of businesses unused to being subjected to financial industry regulation (i.e., any individual or company that bills its customers after it provides goods or services).  As a result, a number of industry groups have filed lawsuits to challenge the FTC's application of the Red Flags Rules to lawyers, accountants and, most recently, medical professionals.

As Tuesday approaches, we look to the FTC to announce whether the agency is ready to begin enforcement of the Red Flags Rule.

Rep. Boucher and Stearns Release Discussion Draft of Comprehensive Federal Privacy Legislation

Earlier this month, Congressmen Rick Boucher and Cliff Stearns released a discussion draft of comprehensive federal privacy legislation (.pdf).

Among the many provisions of the draft bill is the requirement that any entity that collects information on individuals such as name, address, email address and telephone number, maintain "appropriate administrative, technical, and physical safeguards" to secure the personal information.  The draft bill would also require the FTC to implement new privacy rules and police the new safeguards. 

The bill is also available from Rep. Boucher's website.

Medical Groups Challenge June 1 Application of FTC Red Flags Rule

Earlier today, the American Medical Association, American Osteopathic Association and the Medical Society of the District of Columbia filed a complaint that seeks to block the application of the Federal Trade Commission's Red Flags Rule to their members.  

According to its press release, the AMA filed suit because the rule unfairly treats physician practices like "banks, credit card companies and mortgage lenders,” in the words of AMA President-elect Cecil B. Wilson, M.D. He added, “The extensive bureaucratic burden of complying with the red flags rule outweighs any benefit to the public.”

Given the impending June 1 deadline, it is somewhat curious that these groups have not sought an injunction to stop the FTC from applying the rule to their members (as it is unlikely their complaint will be resolved by June 1).  It would appear that these groups are going to let the American Bar Association and its earlier challenge do the heavy lifting here.

One More Thing to Worry About -- Hard Drives on Digital Copiers

Many digital copiers are now able to store the scanned documents on flash memory or hard drives.  This could pose a privacy/security risk, if the drives are improperly accessed, or if they are lost or resold without being scrubbed first.

Even the simple act of making a photocopy now poses privacy risks.  In response to a letter from Massachusetts Congressman Edward Markey, the FTC has responded and agreed to investigate the privacy risks posed by digital copiers that store information on internal hard drives. 

If you have photocopiers, you should investigate what type of storage devices they have.  And if you or your staff use public photocopiers, you should establish policies about what type of information cannot be copied on a public machine.

Incident of the Week: Blogger Shows Us How to Listen In On Private Facebook Chat

Yesterday, Facebook took down its Chat service to patch a flaw in Facebook's new privacy settings that allowed users to listen in on private chat conversations.  This apparently came hours after TechCrunch EU blogger Steve O'Hear taught the world how to exploit the flaw in his TechCrunch post and video.  O'Hear was "tipped off that there is a major security flaw in the social networking site that, with just a few mouse clicks, enables any user to view the live chats of their 'friends'."

Facebook rolled out its Facebook Chat feature in February of this year.  The service allowed users to send live text messages to other Facebook users on their "Friends" list.  The flaw apparently allowed users to listen in on these conversations, as well as see other private information about friends' Facebook accounts.

Once Facebook was informed of the exploit, Chat services quickly became unavailable.  A few hours later, Facebook provided the following statement:

For a limited period of time, a bug permitted some users’ chat messages and pending friend requests to be made visible to their friends by manipulating the “preview my profile” feature of Facebook privacy settings. When we received reports of the problem, our engineers promptly diagnosed it and temporarily disabled the chat function. We also pushed out a fix to take care of the visible friend requests which is now complete. Chat will be turned back on across the site shortly. We worked quickly to resolve this matter, ensuring that once the bug was reported to us, a solution was quickly found and implemented.

This is an ironic twist in Facebook's recent efforts to combat criticism of the service by adding more advanced privacy features; however, the problem appears to have been resolved.
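
Facebook's statement points at a familiar failure class in "view my profile as X" features: the preview borrows X's identity for more than it should.  The added example below is a model of that class, not Facebook's code, and the mechanism it shows (the preview swapping the whole current-user context to the chosen friend) is an assumption about how such a bug arises, not a description of the actual defect; the users, fields and chat lines are constructed.  The safe version uses the chosen friend only as the audience for visibility checks on the requester's own profile, requires that the friend actually be one, and keeps private, per-session widgets out of preview mode.

```python
# Constructed store: per-user profile fields with an audience label, plus
# per-user private data (chats, pending friend requests) that belongs to the
# account and must never appear on someone else's page.
USERS = {
    "alice": {
        "fields": {"name": ("Alice", "everyone"), "phone": ("555-0100", "friends")},
        "friends": {"bob"},
        "chats": ["alice<->carol: lunch?"],
        "pending_requests": ["dave"],
    },
    "bob": {
        "fields": {"name": ("Bob", "everyone")},
        "friends": {"alice"},
        "chats": ["bob<->erin: the deal is off"],
        "pending_requests": ["frank"],
    },
}


def visible_fields(owner, audience_user):
    """Profile fields of `owner` that `audience_user` is allowed to see."""
    out = {}
    for name, (value, audience) in USERS[owner]["fields"].items():
        is_friend = audience_user in USERS[owner]["friends"]
        if audience == "everyone" or (audience == "friends" and is_friend):
            out[name] = value
    return out


def render_page_vulnerable(session_user, view_as=None):
    """Bug pattern (assumed, not Facebook's code): 'preview as' replaces the
    whole current-user context, so every widget keyed to 'the current user'
    (chat sidebar, friend requests) loads the friend's private data into the
    requester's page."""
    current = view_as or session_user
    return {
        "profile": visible_fields(session_user, current),
        "chat_sidebar": USERS[current]["chats"],
        "friend_requests": USERS[current]["pending_requests"],
    }


def render_page_safe(session_user, view_as=None):
    """Fix: `view_as` is only an audience for visibility checks on the
    requester's own profile.  It must be an actual friend, and the private
    widgets are keyed to the authenticated session or omitted in preview."""
    if view_as is not None and view_as not in USERS[session_user]["friends"]:
        raise PermissionError("can only preview as an existing friend")
    audience = view_as or session_user
    page = {"profile": visible_fields(session_user, audience)}
    if view_as is None:
        page["chat_sidebar"] = USERS[session_user]["chats"]
        page["friend_requests"] = USERS[session_user]["pending_requests"]
    else:
        page["chat_sidebar"] = []            # no private widgets in preview mode
        page["friend_requests"] = []
    return page


def leaks_private_data(page, session_user):
    """True if the rendered page carries chats or requests owned by someone else."""
    for user, record in USERS.items():
        if user == session_user:
            continue
        if any(c in page["chat_sidebar"] for c in record["chats"]):
            return True
        if any(r in page["friend_requests"] for r in record["pending_requests"]):
            return True
    return False
```

The check in `leaks_private_data` is the kind of assertion worth keeping in a test suite for any impersonation or preview feature: render the page under every preview identity and confirm that nothing owned by that identity reaches the requester.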