Class Action Lawsuit Continues Against Blockbuster For Making Video Rental Information Available to Facebook Users

On April 15, 2009, a federal district court issued a decision that keeps alive a woman's suit "against Blockbuster and the way it offers information to the social networking site Facebook."  This was reported in the Dallas Business Journal.  In the ruling (.pdf), the court denied Blockbuster's motion to compel arbitration by holding that an arbitration clause in the "Terms and Conditions" of Blockbuster Online was unenforceable. 

The case is being brought as a class action under the Video Privacy Protection Act, 18 U.S.C. s. 2710, which was enacted after a newspaper published a list of 146 video tapes rented by the family of Supreme Court nominee Robert Bork.  According to the court's opinion, Blockbuster entered into an agreement with Facebook which caused the movie rental choices of Blockbuster Online's customers to be sent to Facebook, which would then broadcast those choices to the customer's Facebook friends.  Plaintiffs claimed this violates the Video Privacy Protection Act, which prohibits a videotape service provider from knowingly disclosing personally identifiable information concerning any customer of the provider unless the customer gives informed, written consent at the time the disclosure is sought (the Act provides for certain other exceptions not applicable to the case).  The Act provides for liquidated damages of $2,500.00 for each violation. 

According to the Plaintiffs' complaint, when a Blockbuster Online customer rented a movie or placed a movie into their queue, a notification would pop up in the bottom right-hand corner of the screen informing the customer that the information would be sent to the user's Facebook friends.  The customers were allegedly given an opportunity to prevent friends from seeing the information by marking an "x no thanks box," but if they did not respond quickly enough, the pop-up went away and a "yes" was sent to Facebook.  The customer's selection was then placed in the customer's news feed on their Facebook profile and in their friends' news feeds, along with a picture of the individual and a Blockbuster ad.  The complaint also alleges that the summary is sent to a user's Facebook profile even before the user has a chance to decline the distribution of his/her personal information (unless the user has marked a privacy feature telling Blockbuster never to send summaries).

Blockbuster has appealed the court's decision to the U.S. Court of Appeals for the Fifth Circuit.  The issue of whether the case is subject to arbitration is a narrow one that has little, if anything, to do with the actual merits.  What will be more interesting is to see how the case plays out if the Fifth Circuit affirms and the case moves forward in the district court.


Swine flu and privacy in the workplace

With swine flu on everybody's mind right now (even leading President Obama's news conference this evening), employers and employees should understand what questions can be asked and what information can be obtained from employees in the midst of an apparent pandemic.  At the federal government's pandemic flu website, the basic rules are set out.  In general, during a pandemic, employers may require employees to disclose whether they have been exposed to pandemic influenza.  Employers also may ask about exposures of the employee’s family members and associates.  However, once this information is gathered, it has to be used appropriately and maintained securely. 

New Study: Patient Privacy Rules Hamper Adoption of Electronic Medical Records

A recent article from Computerworld reports that, according to a new study conducted by researchers from MIT and the University of Virginia, "EMR [Electronic Medical Record] adoption is often slowest in states with strong regulations for safeguarding the privacy of medical records."   According to the study, in states with "strong privacy laws", the number of hospitals using EMR systems is up to 30% lower than in states with "less stringent privacy requirements."  The study, "which looked at EMR adoption in 19 states over a 10-year period", concludes that the reason for the disparity is that "privacy rules often made it harder and more expensive for hospitals to exchange and transfer patient information, thereby reducing the value of an EMR system."  According to the article, one of the study's authors, Catharine Tucker, stated that "[p]olicy-makers are going to have to choose how much EMR adoption they want and at what cost to patient privacy."

It is worth noting that the study's methodology has been subject to some criticism.  According to the article, Deven McGraw, director of the health privacy project at the Center for Democracy and Technology, said that "the study was based on old data and didn't consider all of the factors that a health care organization would typically look at when deciding whether to adopt an EMR system."  Instead, according to McGraw, the study "looked at whether a state has a medical privacy law and then looked at EMR adoption in that state to draw its conclusions."  Deborah Peel, chair of the Patient Privacy Rights Foundation in Austin, Texas, also criticized the study's conclusions.

Interview with M. Eric Johnson, author of "Data Hemorrhages in the Health-Care Sector"

I recently had the chance to sit down with M. Eric Johnson, Director of Tuck’s Glassmeyer/McNamee Center for Digital Strategies and Professor of Operations Management at the Tuck School of Business, Dartmouth College, to talk about his recent paper “Data Hemorrhages in the Health-Care Sector” (.pdf).   The results of Dr. Johnson’s study were startling.  For instance, his finding that a great deal of personal patient information is openly available on Peer-to-Peer (P2P) file sharing networks resulted in a great deal of media attention from publications dealing with privacy like SC Magazine, technology publications like Wired, and general interest publications like USA Today.  We are thrilled that Dr. Johnson agreed to do a full interview with Security, Privacy, and The Law.

Because the interview is long and covers a number of important topics of interest, we will post the interview in three parts.  The first installment of the interview follows below.  In this part of the interview, Dr. Johnson discusses how he came to be interested in information security, how he conducted his research, and his findings about just how much personal health information is available on P2P networks.

Cyberespionage Threats Driving New Military Cybersecurity Command

Coming on the heels of recent cyberespionage news, the Wall Street Journal reported today on Pentagon plans to create a new military command focused on cyberwarfare.  The new command will coordinate both offensive and defensive cyberwarfare efforts, focusing, in the latter case, on assisting the National Security Agency (NSA) and the Department of Homeland Security's National Cyber Security Division (NCSD), the lead agency for domestic cybersecurity efforts. 

This development is not surprising, given that cyberespionage is a rapidly growing and serious threat.  Earlier this month, the Wall Street Journal published a story on cyberespionage attacks originating from China against the U.S. power distribution grid (reported earlier in this blog).  And yesterday the Journal reported that computers holding data concerning both the developmental F-35/Joint Strike Fighter (JSF) and the United States Air Force's air-traffic-control system had been breached.  In the case of the Joint Strike Fighter breach, it appears that hackers were able to copy several terabytes of design information on the aircraft, potentially including information relating to its electronics system.  Lockheed Martin, the lead contractor in the Joint Strike Fighter program, disputes the article's representation of successful attacks, claiming that "there has never been any classified information breach." 


Limits of Privacy in Schools: Supreme Court Hears Arguments on School Strip Search Case

Today, the Supreme Court heard oral arguments in Safford Unified School v. Redding, a dispute concerning the propriety of a school-ordered strip-search of a 13-year-old student who was believed to be in possession of prescription-strength ibuprofen in violation of the school’s zero-tolerance drug policy.  The case has received a good deal of media coverage (see the New York Times article for an example) because the facts are attention-grabbing.  But, attention-grabbing facts aside, the case has the potential to clarify the Fourth Amendment rights of students and, in particular, whether suspicion of violating school policy may justify strip searches in schools.

The Supreme Court granted certiorari, in part, to address the question (.pdf): “Whether the Fourth Amendment prohibits public school officials from conducting a search of a student suspected of possessing and distributing a prescription drug on campus in violation of school policy.”  Early reporting from today’s oral arguments suggests that the Court is likely to reach that question.  

Cracking Down: FTC Fines Credit Research Firm $500,000 For Lax Security, Obtains Court Order Requiring Company to Develop "Comprehensive Information Security Program"

On Thursday, March 5, 2009, the FTC announced that it had reached a settlement with financial research firm Rental Research Services, Inc. (RRS) and its managing officer, Lee Mikkelson, to resolve the FTC's claims that the firm had failed to provide adequate security for sensitive consumer information, which it provided to identity thieves posing as legitimate users.  According to the FTC, the faults in RRS's security amounted to "unfair acts or practices" in violation of the FTC Act.  RRS and Mikkelson were fined $500,000, but the fine was suspended in light of the company's present financial condition. Also, in a move that echoes the FTC's past enforcement of information security standards under the FTC Act and foreshadows future enforcement of Red Flags regulations, the terms of the FTC's court order require RRS to develop a "comprehensive information security program that is designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers" and submit itself to independent security audits every 2 years until 2029. 

Especially in view of the upcoming May 1, 2009 deadline for compliance with federal Red Flags regulations, this case may be a good example of what we can expect to see from federal and state regulators in enforcing existing and future information security standards, especially with respect to consumer data providers.  Below I will summarize the case and identify the key elements of the information security program that the FTC required.

New Law Would Require ISPs to Retain User Logs and Subscriber Records for Two Years

In February, Senator John Cornyn (R-Tx.) and Congressman Lamar Smith (R-Tx.) introduced the Internet Stopping Adults Facilitating the Exploitation of Today's Youth ("SAFETY") Act of 2009 (S. 436, H.R. 1076), which contains a provision that would require Internet Service Providers (ISPs) to keep subscriber data for "at least" two years.  Specifically, Section 5 of the bill requires that ISPs retain "all records or other information pertaining to the identity of a user of a temporarily assigned network address." According to a recent announcement from Senator Cornyn, the new retention provision is needed to enable law enforcement officers to identify individuals involved with online child pornography. Several privacy advocates have taken issue with the bill’s data retention requirements.  According to Kevin Bankston, senior attorney with the Electronic Frontier Foundation, those requirements “unnecessarily threaten the privacy and anonymous speech rights of every law-abiding internet user” and would “create vast new troves of data vulnerable not only to government overreaching but also to any civil litigant wielding a subpoena.”

The legislation has been referred to committee in the House and Senate. 

Cyberspies Penetrate U.S. Power Grid

According to a recent report from the Wall Street Journal, cyberspies from China, Russia and other countries have penetrated into the U.S. electrical grid and left behind software that could disrupt the system.  According to officials, the spies have not actually damaged the grid or any other key infrastructure, but appear to have been attempting to navigate the electrical system.  More importantly, the intruders could attempt to damage the system during a war or other national security crisis.

Evidently, there have been a growing number of intrusions over the past year, most of which were detected by intelligence agencies and not the companies actually in charge of the infrastructure.  According to officials, the software left behind "could be used to destroy infrastructure components," and "water, sewage and other infrastructure systems were at risk."  These same officials cautioned, however, that "the motivation of the cyberspies wasn't well understood, and they don't see an immediate danger."

The Journal also notes that "protecting the electrical grid and other infrastructure is a key part of the Obama administration's cybersecurity review, which is to be completed next week" (Aaron Wright's post on this blog regarding the review can be found here).  One also wonders if news of this breach will increase momentum for a cybersecurity bill recently introduced in the Senate (see my post here).  That bill would give the President power to limit or shut down Internet traffic to and from any federal government or United States infrastructure network (which would presumably include the electricity grid) and would also require that infrastructure companies meet new security standards.

Electronic Access to Court Filings Potentially Exposing Sensitive, Personal Information

In an April 2009 press release (.pdf), the Public Access to Court Electronic Records system (“PACER") announced that 99% of all federal courts nationwide have implemented electronic systems allowing litigants to file and review documents online. The near-complete implementation of these online systems marks an important technological and environmental milestone for the legal profession; however, it comes with considerable risks to individuals' privacy and security: potentially limitless filings that inadvertently contain individuals' sensitive information, including financial account numbers and Social Security numbers, may be available to anyone with an Internet connection for the small price of $0.08 per page.

New Cybersecurity Legislation Introduced in the Senate

As I noted a few weeks ago, Senators Jay Rockefeller (D-W.Va.), Olympia Snowe (R-Maine) and Bill Nelson (D-Fla.) were drafting new cybersecurity legislation.  Last week the Senators introduced two bills.  The first, S.778 (text of the bill not yet available), would establish an Office of National Security Advisor within the Executive Office of the President.  The second, S.773 (text of the bill not yet available), entitled the Cybersecurity Act of 2009, gives the President the power to limit or shut down Internet traffic to and from any federal government or United States infrastructure network.  The other provisions of the legislation are summarized in my previous post.

Whether the legislation has any chance of passing remains to be seen.  However, some groups are already criticizing aspects of the legislation.  The President of the Center for Democracy and Technology, for example, has stated "[t]he cybersecurity threat is real, but such a drastic federal intervention in private communications technology and networks could harm both security and privacy."  The bills have been referred to the Committee on Homeland Security and Government Affairs.

EU Working Party Issues Opinion on Standard Contract Clauses for Transfer of Data

On March 5, 2005, the Article 29 Working Party, an independent European advisory body on data protection and privacy, adopted Opinion 3/2009 (.pdf).  The opinion comments on European Commission proposals designed to ensure that all data processors, including contractors hired by other data processors, are contractually required to protect sensitive data.  Those proposals, contained in a Draft Commission decision which has not yet been made public, would update the standard contract clauses for the transfer of personal data to processors outside the European Union. As the Working Party explains, the Draft Commission decision proposes to update the standard contract clauses to reflect increasingly common “global outsourcing,” in which data is transferred from controller to processor to sub-processor, and often to subsequent “sub-sub processors.” In their current form, “the standard contractual clauses of 2002/16/EC do not provide a means to deal with these complex onward transfers.”  Thus, the Draft Commission decision includes additional contract clauses to address these multi-layered transfers, and the Working Party Opinion comments on the proposed clauses.

Big Bump in Federal Cybersecurity Spending?

The Wall Street Journal reported on Wednesday, March 18, 2009 that, worried about the dangers of attacks launched against the nation's computer systems, the federal government is likely to spend between $15 and $30 billion on cybersecurity in the next five years. The intelligence experts interviewed by the Journal estimate U.S. losses from data breaches to be in the billions of dollars annually and warn that future attacks could cause physical harm or serious financial chaos. 

While future spending levels will not be set until after the White House's 60-day review of the nation's information infrastructure is completed,  the potential move has sent major defense contractors and consulting groups scrambling to capture a share of the potential spending. The Journal reports that defense contractors are adding, growing, and consolidating their cybersecurity capabilities and bumping up against already established consulting firms in the process. Foreign defense contractors are also apparently looking to become involved and are buying smaller firms and making strategic hires to position themselves.

FTC Launches New Website and "How-To" Guide for Companies Wondering How to Comply with Red Flags Rules

As the May 1, 2009 deadline for compliance with federal Red Flags Rules nears, the FTC's staff has mentioned informally that helpful guidance would be forthcoming.   As of today, the FTC has launched its new Red Flags Rule website and with it, a Red Flags Rule "How-To" guide (.pdf). 

The website is a good collection of the FTC's materials on this issue and it includes official press releases and statements directed to various industries (including the FTC's letter to the healthcare industry (.pdf), the FTC's guide for telecom companies (.pdf) and the FTC's guide for utility companies (.pdf)). 

The FTC's advice in the How-To Guide may be somewhat general (e.g., "Just getting something down on paper won't reduce the risk of identity theft."), but it does simplify compliance into four steps:

1. Identify Red Flags.
2. Develop procedures for detecting Red Flags.
3. Develop responses for Red Flags once you have detected them.
4. Re-evaluate your Identity Theft Prevention Program as circumstances change.

For more specific information on threats and security measures, the FTC's webpage on information security is a useful resource drawn from the FTC's experience with companies that have had lapses in information security.  In particular, the FTC's Protecting Personal Information: A Guide for Business (.pdf) lays out five key principles for developing reasonable security procedures:

1. Take Stock. Know what personal information you have in your records.
2. Scale Down. Keep only what you need for your business.
3. Lock It.  Protect the information that you keep.
4. Pitch it.  Properly dispose of what you no longer need.
5. Plan ahead. Create a plan to respond to security incidents.

First the Bad News, Your Doctor's Lost His License; Now the Really Bad News: No One's Taking Care of Your Records

As outlined in April 2’s Boston Globe, a Massachusetts physician who lost his license to practice is still causing problems for his patients. He left his office and records, and now his patient records are about to be destroyed unless the patients come to claim them. The state authorities claim they don’t have the resources to maintain the records, or to help find the patients. The auction company just wants them gone. 

Normally, when a physician closes a practice, patient records are placed with another physician; if they are placed in storage, prepayment of storage fees or a bond is usually required. Wouldn’t it be interesting if there were some criminal charges under HIPAA in cases like this -- after all, HIPAA has fines of up to $250,000 and penalties up to 10 years in prison for disclosing or obtaining health information with the intent to transfer it for commercial advantage, personal gain or malicious harm?

Another Day, Another Celebrity's Hospital Record Breached

It seems an inevitable consequence of modern celebrity: when you go to the hospital, hospital workers will look at your records (even though they have no medical reason to). The latest example of this involved the infamous mother of octuplets, Nadya Suleman. It resulted in the firing of 15 hospital workers at Kaiser Permanente’s hospital in Bellflower, California. All these violations have been reported by Kaiser to the California Department of Public Health. 

But this isn’t really news. The hospital records of other celebrities (like Britney Spears, Farrah Fawcett and Gianni Versace) also have been improperly accessed in recent years. The real issue raised by these events is: what lesson do we take away for compliance purposes to prevent it from happening in the future? The vigilant CIO sends these examples around to his/her staff to remind them of these pitfalls. And when you learn of a celebrity in your midst, you should specifically warn staff not to pursue the records of individuals for matters that do not concern them on a professional basis; you might even consider special additional security precautions. There will always be more of these types of breaches, but it doesn’t have to happen at your company if you continually remind people about their obligations to maintain confidentiality.