More on Google's Privacy Policy

Here is an excerpt from my interview yesterday with Jon Mitchell of ReadWriteWeb:

"From a legal perspective, I'm not seeing anything that's much different in what's being proposed to take effect on March 1 and what's in place right now," Zick says. "In particular, the language about sharing across services has been in [Google's policies] for a long time."

Zick points out that all the past versions of Google's privacy policies are on the website, and the last two versions offer line-by-line comparisons to the previous version. Zick expects that Google will do the same with the new policy once it's officially issued.

"What we have is not a reaction to a change in legal language," Zick says, "but it's a change in perception. ... People are just reflexively reacting to the idea that Google is big."

The entire article can be viewed here, and our earlier post here.

Google Changes Its Privacy Policies

As many of you have probably seen already, Google is changing its privacy policies, effective March 1, 2012.  These changes will be effective across all of Google's platforms, and users will not be able to opt out.  A user's only choice to avoid these changes will be to leave Google's search engine, Gmail, Calendar, Search, and YouTube; there is no "opt out" or selective acceptance/rejection of these new policies.  In this regard, Google noted that it remains committed to data liberation, "so if you want to take your information elsewhere you can."

These changes are likely to draw FTC scrutiny, especially in light of the recent decision by Google to incorporate data from its social network, Google+, into search results, which has already resulted in an FTC antitrust investigation.

Jail Time for Man Who Accessed Computer of a Competing Medical Practice

An Atlanta, Georgia man was sentenced earlier this month to one year and one month in prison for intentionally accessing a computer of a competing medical practice, and taking personal information of the patients.  The individual made this improper access in order to send marketing materials to patients at the other practice.

The individual worked as an information technology specialist for a perinatal medical practice in Atlanta.  He separated from employment from the first practice and joined a competing perinatal medical practice, located in the same building.  He then used his home computer to hack into his former employer's patient database.  He downloaded the names, telephone numbers, and addresses of his former employer's patients and then deleted all the patient information from their system. He subsequently used the patient names and contact information to launch a direct-mail marketing campaign for the benefit of his new employer.  However, there was no evidence that patient medical information was accessed or misused.


Supreme Court Holds Warrant Required for GPS Tracking

The Supreme Court today issued an opinion holding that police cannot track a suspect using GPS without first getting a warrant.

Justice Scalia wrote the opinion, for a unanimous court, and concluded:  "We hold that the Government’s installation of a GPS device on a target’s vehicle, and its use of that device to monitor the vehicle’s movements, constitutes a 'search.'  It is important to be clear about what occurred in this case: The Government physically occupied private property for the purpose of obtaining information."

This statement about the government occupying private property is going to be used in many future arguments.  Justice Sotomayor's concurrence foresees this future:

With increasing regularity, the Government will be capable of duplicating the monitoring undertaken in this case by enlisting factory- or owner-installed vehicle tracking devices or GPS-enabled smartphones. See United States v. Pineda-Moreno, 617 F. 3d 1120, 1125 (CA9 2010) (Kozinski, C. J., dissenting from denial of rehearing en banc). In cases of electronic or other novel modes of surveillance that do not depend upon a physical invasion on property, the majority opinion’s trespassory test may provide little guidance.

HHS Reports on Breaches of Unsecured Protected Health Information

In the recent Annual Report to Congress on Breaches of Unsecured Protected Health Information, issued by the Office for Civil Rights of the Department of Health and Human Services, we see confirmation of certain trends: bigger breaches and breaches involving theft of electronic media:

Between January 1, 2010 and December 31, 2010, breaches involving 500 or more individuals also made up less than one percent of reports, yet accounted for more than 99 percent of the more than 5.4 million individuals who were affected by a breach of their protected health information. The largest breaches in 2010, like 2009, occurred as a result of theft. However, in comparison to 2009, in 2010, the number of individuals affected by the loss of electronic media or paper records containing protected health information was greater than the number of individuals affected by unauthorized access or human error.

Medicare Contractors Lag on Information Security

This report from the Office of the Inspector General for the Department of Health and Human Services reveals significant holes in Medicare contractor security.  Here's a notable excerpt:

Security Awareness Training
The Computer Security Act of 1987 (P.L. No. 100-235) requires periodic training in computer security awareness and accepted computer practices for all employees who manage, use, or operate Federal computer systems. Additionally, Federal regulations (5 C.F.R. § 930.301(a)) require that role-specific training be provided based on each user’s security responsibilities and require agencies to provide training for employees with significant information security responsibilities. The CMS Business Partners Systems Security Manual requires Medicare contractors to document and monitor information security training activities.

Sixteen of the twenty-one Medicare contractors had no identified gaps in security awareness training, while the remaining 5 had 3 to 4 gaps each. In total, 16 gaps were identified in this area, with no gaps assigned to a high-impact subcategory. Following are examples of gaps in security awareness training:

• The contractor did not formally track and monitor job-specific security training to ensure that employees received the minimal requirements stated in the policy.
• Employees did not complete security awareness refresher training.

Employees who are unaware of their security responsibilities or have not received adequate training may be at increased risk of causing or exacerbating a computer security incident. If security personnel are not provided specific job-related training, management has no assurance that these employees can effectively perform their job responsibilities. Inadequately trained employees could cause the loss, destruction, or misuse of sensitive information and information technology (IT) assets.

Unite Against the Cyber Enemy: Banks and Others Join Forces

Interesting Wall Street Journal article about rival banks joining forces to beat cyber crime.   Sounds a lot like the Advanced Cyber Security Center.

Inside Counsel Magazine Revisits SEC's Cybersecurity Guidance

As we noted back in October, the SEC issued CF Disclosure Guidance: Topic No. 2:  Cybersecurity.
This guidance provides the Division of Corporation Finance's views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.

The most recent issue of Inside Counsel follows up on the latest views on this Guidance, including a quote from me.

SEC Issues Guidance On Use of Social Media by Investment Advisers

My colleagues Jen Audeh and Jeff Collins have analyzed the SEC's guidance on the use of social media by investment advisers.  Because of the overlap this issue has with data privacy and security, we are providing this excerpt and a link to their summary:

On January 4, 2012 the SEC’s Office of Compliance Inspections and Examinations issued an exam alert to registered investment advisers which included guidance on the use of social media. The alert is not meant to be a comprehensive summary of all compliance matters related to the use of social media, but rather is intended to cover measures that may assist advisers in developing procedures to prevent violations of the Advisers Act and other federal securities law with respect to the use of social media such as the antifraud, compliance and record keeping provisions.


Did You Know There Is a Congressional Cyber Security Caucus?

Until yesterday, I did not know there was a Congressional Cyber Security Caucus.  It is not clear what it has been up to, as it hasn't had a media release in eleven months.

"Performing Due Diligence Before Signing a Cloud SLA"

My overview of some of the major issues involved in signing a cloud computing agreement can be found in searchcloudcomputing, "Performing Due Diligence Before Signing a Cloud SLA."

*  *  *

No one is certain of all the legal risks associated with enterprises storing confidential or proprietary information outside the corporate firewall -- in the cloud. However, there is growing consensus about what companies should ask cloud vendors to maintain a secure IT environment and avoid potential legal risks associated with the cloud. 

General areas of concern surrounding the cloud are similar to those of traditional IT:

  • Data security during transmission and storage;
  • Data privacy and confidentiality;
  • Rights of access in general as well as access for local governments and e-discovery;
  • Data ownership;
  • Suspension and termination of service;
  • Forming and negotiating service-level agreements (SLAs) with cloud providers.

Is Public-Private Information Sharing Needed to Respond to the Massive Increase in Cyber Attacks?

Interesting article in Friday's Wall Street Journal on potential cybersecurity legislation to improve information sharing between industry and government.  Perhaps the best part of the article is the citation of statistics from Symantec's annual Internet Security Threat Report:  Trends for 2009 and 2010 on how many customer updates Symantec sent out to address new attacks customers were facing:

  • 2002:  20,254 updates
  • 2003:  19,159 updates
  • 2004:  74,981 updates
  • 2005:  113,081 updates
  • 2006:  167,069 updates
  • 2007:  708,742 updates
  • 2008:  1,691,323 updates
  • 2009:  2,895,802 updates
  • 2010:  10,000,000 updates


"Once More Unto the Breach, Dear Friends, Once More": The Increasing Recognition of Complexity in Data Breach Response and Reporting

In an article in today's New York Times, we get some real-life insight into the difficulties in responding to a data breach.  Even simple questions, like whether or not to report the breach and who is responsible for reporting it, take on unforeseen complexity.

The particular breach in question happened at the Massachusetts eHealth Collaborative, when an employee's car was broken into and a company laptop stolen.  The ramifications included:

  • spending nearly $300,000 in legal, private investigation, credit monitoring and media consultancy fees;
  • devoting 600 person-hours of staff time to the breach;
  • hiring a crisis team of lawyers and customers and a chief security officer;
  • hiring a private investigator to scour local pawnshops and Craigslist for the stolen laptop; and
  • notifying some of the affected patients and offering them free credit monitoring.

The eHealth Collaborative's Executive Director, Micky Tripathi, first outlined the breach and critiqued the article on his blog.

Waiters at High-End Steakhouses Arrested for Stealing Customer Credit-Card Numbers

by Brian P. Bialas

At most restaurants, when the time comes to pay the check, you hand over your credit card and a waiter you’ve known for only about an hour takes off with your credit card. You trust that the waiter will only charge your meal and won’t make off with your card number.  But if you ever have been to a Legal Sea Foods restaurant, you will notice that the waiter brings a handheld electronic device to your table to swipe your credit card when you are ready to pay the bill. The credit card never leaves the customer’s sight.

The recent experiences of customers at certain high-end steakhouses show why all restaurants should consider adopting the table-side charge method.  Seven waiters at Smith & Wollensky’s, the Capital Grille, and other high-end restaurants were arrested along with many other co-conspirators, for copying the credit card numbers of restaurant customers with handheld, high-tech “skimmers” and then using those numbers to buy luxury goods that they resold. The waiters targeted credit cards with high or no spending limits so that big purchases would not be flagged. 

The Payment Card Industry Data Security Standard (PCI-DSS) quick reference guide for merchants does not provide any clear guidelines for card handling.  Nevertheless, this incident should serve as a wakeup call for all restaurants to adopt table-side systems to reduce the potential for misuse of customer credit cards.  It also serves as a reminder to anyone dealing with sensitive information to continually review handling procedures and processes and look for ways transmissions can be made more secure.

Facebook Settles FTC Charges that It Deceived Consumers, Agrees to 20 Year Consent Order

In a settlement announced today by the Federal Trade Commission and Facebook, the social networking service agreed to settle "charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public," according to the FTC's press release.

In its complaint, the FTC alleged, among other things, that Facebook “users could not restrict access to their profile information to specific groups, such as “Only Friends” or “Friends of Friends” through their Profile Privacy Settings,” despite Facebook's representations that users could impose such restrictions on their accounts.

In the extensive consent order Facebook entered with the FTC, Facebook agreed (among other things) to “obtain initial and biennial assessments and reports . . . from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession,” which assessments and reports will:

  • set forth the specific privacy controls that [Facebook] has implemented and maintained during the reporting period;
     
  • explain how such privacy controls are appropriate to [Facebook's] size and complexity, the nature and scope of [Facebook's] activities, and the sensitivity of the covered information;
     
  • explain how the privacy controls that have been implemented meet or exceed the protections required by Part IV of this order; and
     
  • certify that the privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information and that the controls have so operated throughout the reporting period.

This consent order will last for an astoundingly long time:  20 years.  (Query whether this agreement's terms and length will become the standard for future FTC privacy settlements.) 

Facebook founder Mark Zuckerberg also released a blog post on the settlement, and in it he announced a split in the company's privacy officer role:  Erin Egan will become Facebook's Chief Privacy Officer, Policy, and Michael Richter, currently Facebook's Chief Privacy Counsel, will become Facebook's Chief Privacy Officer, Products.

Sen. McCain Inserts Cybersecurity Amendment into DoD Authorization Act

My colleague Dayle Cristinzio, former Legislative Director for Senator Harry Reid, has provided me with the amendments to Senate Bill 1867, the Department of Defense Authorization Act.  Among these amendments is one from Sen. McCain, amendment #1229, which could provide greater cybersecurity collaboration between the Department of Defense and the Department of Homeland Security.

Cybersecurity Legislation to Come to Senate Floor in January 2012

According to a November 16, 2011 letter from Senate Majority Leader Harry Reid to his Republican counterpart, Minority Leader Mitch McConnell, it is his "intent to bring comprehensive cyber security legislation to the Senate floor for consideration during the first Senate work period next year." 

This is by no means a guarantee of legislative action, but it is the latest sign that cybersecurity will be a priority in Congress come 2012.

"Foreign Spies Stealing US Economic Secrets in Cyberspace"

With an inflammatory title like "Foreign Spies Stealing US Economic Secrets in Cyberspace," the Office of the National Counterintelligence Executive's "Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011" is tough to ignore.

The Report's conclusions are equally notable for their candor about the recent actions of the Chinese and Russian governments:

  • "Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC cannot confirm who was responsible."
     
  • "Russia’s intelligence services are conducting a range of activities to collect economic information and technology from US targets."

The NCIX predictions for the future are sobering:

  • "Over the next several years, the proliferation of portable devices that connect to the Internet and other networks will continue to create new opportunities for malicious actors to conduct espionage. The trend in both commercial and government organizations toward the pooling of information processing and storage will present even greater challenges to preserving the security and integrity of sensitive information."
     
  • "The US workforce will experience a cultural shift that places greater value on access to information and less emphasis on privacy or data protection. At the same time, deepening globalization of economic activities will make national boundaries less of a deterrent to economic espionage than ever."

This last prediction is particularly disturbing, but visible, as users migrate from the relatively secure Blackberry platform to iPhones and other smartphones, trading security for an increased sense of utility.

Data Security Industry Grows Without "Pearl Harbor" Moment

This article, "Cyber Bombs: Data-Security Sector Hopes Adoption Won’t Require a ‘Pearl Harbor’ Moment," in last week's Mass High Tech suggests that even without a watershed event (i.e., a "Pearl Harbor") the cyber-security business will continue to grow robustly.  Interestingly, the article cited the launch of the Advanced Cyber Security Center as proof that the Pearl Harbor isn't necessary.