OPSEC, Data Security and A-Rod

The saga of Yankee superstar Alex Rodriguez (“A-Rod”) and the revelation of his past steroid use already exemplifies the far-reaching implications of information security practices. But the story is far from over. While the media firestorm over A-Rod appears to be dying down, the fate of the identities of 103 other Major League Baseball players who tested positive for steroid use in 2003 remains undecided. And the outcome of a motion now before the United States Court of Appeals for the Ninth Circuit may affect not only those 103 baseball players, but numerous athletes from other sports whose drug test results were seized by government investigators in 2004. Yet the entire story might never have existed had good OPSEC practices been in place. 

OPSEC – an acronym for Operations Security – is one of the cornerstones of counterintelligence strategy. The Department of Defense definition of OPSEC (.pdf) is “a process of identifying critical information and analyzing friendly actions . . . and other activities to (1) identify actions that can be observed by adversary intelligence systems, (2) determine indicators that hostile intelligence systems might obtain that could be interpreted or pieced together to derive critical intelligence in time to be useful to adversaries, and (3) selecting and executing measures that eliminate or reduce… the vulnerabilities of friendly actions to adversary exploitation.” But OPSEC does not just apply to military organizations. It should be a foundational principle for all security architecture. 


Data Breach: Not Only Can It Happen to You and Your Competitors (but Now It's Being Publicly Reported)

As state data breach reporting regimes develop, we are going to see more reporting of breaches to law enforcement authorities. If you want to see what this abstract concept of “reporting” looks like (and how your own reports might be listed for the public to see), go to the web site of the New Hampshire Attorney General. On that site, you can read about the 20 New Hampshire breaches that have been reported thus far in 2009 for that modestly sized state. And if you want to get a feel for the national scope of data breaches, check out the Identity Theft Resource Center. As of last week, it listed 121 breaches and some 1,552,273 exposed records. That's more than a breach per day (and over 17,000 exposed records per day).

Man Sentenced to 12 Months of Probation and Community Service for Illegal Access to Obama's Passport Records

Dwayne F. Cross, the second of three people who have pleaded guilty to illegally accessing then-presidential candidate Barack Obama’s passport files, was sentenced to 12 months of probation and 100 hours of community service on Monday. Mr. Cross admitted to accessing State Department passport records of over 150 individuals, including celebrities, family members, and personal acquaintances, out of “idle curiosity”. These files contained a wealth of personal information, including Social Security numbers, phone numbers, emergency contact information, and photographs.


FTC Asks Congress For Enhanced Rulemaking and Enforcement Powers To Curb Abuses in Financial Industry

On Tuesday, March 24, 2009, FTC Chairman Jon Leibowitz testified before the U.S. House Subcommittee on Commerce, Trade and Consumer Protection seeking enhanced legal powers "[t]o allow the FTC to perform a greater and more effective role in protecting consumers." The prepared text of his testimony is available here (.pdf). Of particular note, the FTC is asking Congress to:

  1. Permit the FTC to use "notice and comment" rulemaking to declare business practices used in the financial industry to be unfair and deceptive acts in violation of the FTC Act -- a process that, according to Chairman Leibowitz, could shorten the time taken to put new regulations in place from 3-10 years under the current system to 1 year under a "notice and comment" system; and

  2. Authorize the FTC to bring civil lawsuits in federal court and to obtain civil penalties for unfair and deceptive practices.

Senate Drafting Cybersecurity Law - Seeks To Appoint National "Cybersecurity Czar"

Senators Jay Rockefeller (D-W.Va.), Chairman of the Senate Commerce, Science and Transportation Committee, Olympia Snowe (R-Maine) and Bill Nelson (D-Fla.) are drafting cybersecurity legislation that would establish a permanent national cybersecurity czar reporting directly to the White House, according to a recent announcement from Senator Nelson and other reports. The proposed legislation would also

  • require intelligence and Homeland Security officials to perform vulnerability assessments;
  • create a clearinghouse for information sharing between the government and private sector; and
  • fund scholarships for those interested in cybersecurity.

The proposed legislation follows on the heels of three incidents in which computers in Senator Nelson's office were hacked. The current draft legislation contains provisions similar to those recommended by the Commission on Cybersecurity for the 44th Presidency, which released a report in December 2008.

Links:

  • The post on Senator Nelson's website can be found here.
  • The March 23, 2009 CNET News article, "A bill to shift cybersecurity to the White House" can be found here.
  • The December 2008 report from the Commission on Cybersecurity for the 44th Presidency is available here.

The FTC Strikes Back: (Essentially) Everyone Should Be Complying With Red Flags Rules, Especially The Healthcare Industry

In a recent letter (.pdf) to the healthcare industry, the Federal Trade Commission (“FTC”) has issued its clearest pronouncement yet on which entities must comply with the federal “Red Flags Rule” -- the identity theft regulations that will go into effect for many businesses on May 1, 2009 (and have been in effect for banks and financial institutions since November 1, 2008). This latest guidance strongly suggests that if you are wondering whether the new federal regulations apply to you, then they probably do. In this post, we will recap the FTC's recent guidance on who should be complying with the Rule.


Departing Employees Are Increasingly Stealing Company Information

As discussed by Mike Rosen on Foley Hoag's Noncompete Blog here, and reported by the Washington Post and CNN, a recently released report by Symantec Corp. and the Ponemon Institute (which can be found here) revealed that 59% of ex-employees admitted to taking company information when they left their employment, and 67% of those who admitted to taking company information also admitted that they used it to leverage a new job.

As I posted back in early February, another recent report, this one from McAfee, concluded that the shrinking economy and growing ranks of the unemployed were increasing the incentives for insiders to steal confidential information. The Ponemon report seems to bear this out.

What's troubling is that the Ponemon report found that only "15% of respondents' companies review or perform an audit of the paper and/or electronic documents employees are taking. If they conduct a review, 45% say it was not complete and 29% say it was superficial." According to the McAfee report, however, 68% of the senior IT decision-makers surveyed cited insider threats as the top threat to essential information. Taking these two reports together, it appears that companies understand that their (and their customers') confidential information is vulnerable to insider threats, yet they are not taking the necessary steps to secure that information from departing employees. In the current climate, where data breaches are growing in both number and size, it is imperative for companies to adopt and implement comprehensive measures that secure the proprietary information a departing employee can access, and that minimize how much of it is accessible in the first place.

Links:

  • The Washington Post Article "Data Theft Common by Departing Employees" can be found here.
  • The cnn.com article can be found here.
  • The Ponemon report is available for download here (requires registration).
  • The post on the Ponemon report at the Massachusetts Noncompete Law Blog can be found here.

Lessons from the VA: what you can learn from someone else's problems

For all their problems, Veterans Affairs medical centers across the country are at the vanguard of the implementation of electronic health records (EHRs). As such, there is a lot to learn from the problems that the VA system has experienced in this area. According to an article in the March 4, 2009 Journal of the American Medical Association, the problems experienced by the VA include mixed-up patient names and missing medication orders. These types of problems are probably endemic to any EHR system. (This very point was made by Drs. Jerome Groopman and Pamela Hartzband in their March 12, 2009 Wall Street Journal op-ed.) Given these built-in weaknesses, frequent auditing of records, backed by strong and persistent audit trails, is a vital component of any EHR system. Communication between all levels of workers in the care setting is important as well, to provide the same kind of feedback. The VA has adopted both mechanisms as part of its EHR systems: VA health care workers are encouraged to report problems with the electronic medical record systems, and those reports are closely monitored. Ironically, this may be why we hear so much about the VA’s issues -- they are finding problems that others have in their data systems but do not yet know about.

EU Data Protection Working Party Issues Guidance on Cross Border Discovery

On Wednesday, February 11, 2009, the Data Protection Working Party, an independent European advisory body on data protection and privacy, released its Working Document 1/2009 (.pdf) on pre-trial discovery for cross-border civil litigation. The Working Document attempts to reconcile the tension between U.S. discovery rules and the European Union’s Directive 95/46/EC (.pdf), which sets out the EU’s privacy requirements. What follows is a summary of the Working Document and an analysis of how it begins to bridge the gap between U.S. discovery rules and the European privacy framework.


Rep. Mary Bono Mack Introduces Informed P2P User Act To Combat Inadvertent File Sharing

On Thursday, March 5, 2009, Congresswoman Mary Bono Mack (R-CA), Congressman John Barrow (D-GA) and Congressman Joe Barton (R-TX) introduced the Informed P2P User Act (H.R. 1319), which would require peer-to-peer ("P2P") software makers to make certain changes to their software to prevent users from inadvertently sharing files from their computers. The proposed law would require both "clear and conspicuous notice" of what files the P2P software would be sharing and "informed consent" from the user, both before installation of the software and before initial activation of its file sharing functions. The Federal Trade Commission (FTC) would be empowered under the new law to enforce violations as unfair or deceptive trade practices.

Highlights from the IAPP Privacy Summit - March 11-13, 2009 Washington, D.C.

Between March 11, 2009 and March 13, 2009, the International Association of Privacy Professionals (IAPP) hosted a Privacy Summit in Washington, D.C. that featured keynote presentations from fraud expert Frank W. Abagnale and information security guru Bruce Schneier. The three-day event included dozens of breakout sessions with industry experts and government officials.  Read some of the highlights below.


Newly released opinions on privacy shed light on past government practices

On Monday the Department of Justice released a previously classified opinion entitled “Authority for Use of Military Force To Combat Terrorist Activities Within the United States” (.pdf), which concluded, among other things, that “the Fourth Amendment [of the U.S. Constitution] does not apply to domestic military operations designed to deter and prevent further terrorist attacks.” This may come as a shock to some, because the Fourth Amendment expressly prohibits the government from searching or seizing individuals or their property absent a warrant and probable cause, without any special carve-out for domestic military operations. The DOJ opinion, written by Deputy Assistant Attorney General John C. Yoo and Special Counsel Robert J. Delahunty, also concluded that these constitutionally exempt counter-terrorism operations would include “making arrests, seizing documents or other property, searching persons or places or keeping them under surveillance, intercepting electronic or wireless communications, setting up roadblocks, interviewing witnesses, and searching for suspects.” The evidence recovered from these operations could then be used “for criminal investigations or prosecutions.”


Has the Consumer Privacy Legislative Forum Decided to Abandon Efforts to Draft Federal Privacy Legislation?

In early February, I noted that a group called the Consumer Privacy Legislative Forum (“CPLF”), which includes companies such as eBay, Microsoft, Google and Hewlett-Packard, had released a statement calling for comprehensive, harmonized federal privacy legislation and would be outlining recommendations for such legislation this month. Apparently, the CPLF’s focus has shifted. According to a BNA Privacy & Security Law Report, 8 PVLR 331, the CPLF “has decided to abandon efforts to develop a set of principles for omnibus U.S. privacy legislation” and is instead “now focused on crafting an industry-wide self-regulatory framework that can be tested over time with a broad range of organizations.” The group has also changed its name to the Business Forum for Consumer Privacy, although it “is still working out legal issues involved with officially becoming a new organization.”


Cracking Down: FCC Initiates Enforcement Action Against Hundreds of Telecommunications Carriers For Failing to Certify Compliance With Customer Privacy Rules

On Tuesday, February 24, 2009, the Federal Communications Commission (FCC) issued an Omnibus Notice of Apparent Liability alleging that more than 600 telecommunications carriers have violated Section 222 of the Communications Act, which "imposes the general duty on all telecommunications carriers to protect the confidentiality of their subscribers' proprietary information," and the EPIC Customer Proprietary Network Information (CPNI) Order (22 FCC Rcd 6927), which requires each carrier to certify compliance with the regulations governing customer information. FCC Chairman Michael J. Copps issued a public statement addressing the enforcement action and highlighting that the FCC continues to make consumer privacy protection a top priority. The FCC seeks a $20,000 fine from each of the carriers (around $13 million in total) and has stated that it moderated the amount of the fines because the carriers were small companies and because this was the first year of the certification requirement (certifications were due March 1, 2008). As the FCC warns in its official Notice, "[t]o the extent that we determine that the proposed forfeiture adopted herein does not have the intended deterrent effect, future noncompliance will face more severe penalties."

If you've been looking for signs of how the Obama administration intends to enforce privacy and information security regulations, here is one of a few early signs that federal regulators are under orders to step up enforcement efforts and are beginning with the backlog of violations from 2008.

$150,000 Penalty for Disclosure of Physician Information

This settlement is particularly interesting, given that it appears to stem from a voluntary disclosure, without any prejudice to any of the physicians whose information was disclosed. Despite those mitigating factors, the disclosure still resulted in a six-figure penalty. This is another indication that the days of soft enforcement of health-related information confidentiality are over.

The Queen's Medical Center ("QMC") of Hawaii recently agreed to pay $150,500 in civil money penalties for allegedly violating the confidentiality requirements applicable to National Practitioner Data Bank ("NPDB") information. The Office of Inspector General ("OIG") alleged that QMC improperly disclosed confidential information.

According to the settlement documents, QMC obtained the NPDB information and disclosed it to QMC’s captive insurance carrier, which in turn disclosed it to its insurance broker.