Monthly Archives: May 2009

“Hi, We’re From the FCC and We Are Here to Search Your Cellphone”

From the increasingly populated intersection of the Fourth Amendment and modern technology comes this story from Wired’s "Threat Level."  The Federal Communications Commission (FCC) claims the right to enter onto any property to inspect — without a warrant — any radio equipment, regardless of whether it is licensed or unlicensed.  In an interview with Wired, an FCC spokesperson claimed that the FCC’s right to inspect radio equipment extends to “anything using RF energy.”  This includes commonplace items like wireless internet routers, remote access car keys, and cell phones.  Additionally, if any illegal or suspicious items or behavior are discovered or observed… More

FTC Chairman Pushes for Increasingly Specific “Self” Regulation of Behavioral Advertising

In recent weeks, FTC Chairman Jon Leibowitz has encouraged the behavioral advertising industry to adopt increasingly specific "self" regulatory measures to address privacy concerns. Behavioral advertising, which the FTC has described as the practice of “tracking of a consumer’s activities online . . . in order to deliver advertising targeted to the individual consumer’s interests,” is a concern for consumer groups.  Consumers’ concerns range from the transparency of the process to the adequacy of security measures in place to protect information compiled, to the impact of behavioral advertising on vulnerable consumers. In recent statements, Leibowitz has suggested that he remains unsatisfied with industry efforts to address these concerns.

Courts Split On Whether Police Can Use GPS To Track Individual’s Movements Without A Warrant

According to the Chicago Tribune, on May 7, 2009, a three-judge panel of the Wisconsin Court of Appeals unanimously ruled that police "can attach GPS to cars to secretly track anybody’s movements without obtaining search warrants" without violating the Fourth Amendment.  The court’s opinion in State v. Sveum can be found here.  The defendant Sveum was under investigation for stalking when the police obtained a warrant to secretly place a GPS device on his car while it was parked in his driveway.  The device recorded the defendant’s movements for five weeks, after which time police retrieved it and used the information on it… More

FTC Releases “Template” Identity Theft Prevention Program for Red Flags Rules Compliance

On Wednesday, May 13, 2009, the FTC released a "template" identity theft prevention program (.pdf) to guide businesses subject to a "low risk" of identity theft through the process of complying with federal Red Flags Rules.  The FTC template was first announced on May 1, 2009 when the agency postponed enforcement of the general purpose Red Flags Rules until August 1, 2009 (see our posting here or our more detailed client alert here).

The FTC template is divided into two parts.  The first section outlines how businesses should evaluate whether they are at low risk for identity theft.  Under the FTC’s guidance, low… More

Interview with M. Eric Johnson, Part 3

In this, the third and final part of Security, Privacy and the Law’s interview with M. Eric Johnson (Part 1 may be found here and Part 2 is here), Dr. Johnson talks about why the fragmented nature of the American healthcare system is so dangerous and why he believes greater consolidation would better protect private information. He also talks about the specific problems associated with data security on peer-to-peer file sharing networks.

Cracking Down: FTC Settles Claims Against Mortgage Company For Violations of FTC Safeguards Rule – Requires Information Security Program and 10 Years of Security Audits

On Tuesday, May 5, 2009, in a press release devoted largely to the FTC’s congressional testimony on peer-to-peer file sharing, the FTC announced that it had reached a settlement  of its claims against James B. Nutter & Company, a mortgage company that did not implement information security measures to meet federal minimums.  According to the FTC, the result of this alleged failure was that an intruder in the company’s systems sent "millions of outgoing spam emails" and "could have accessed personal information without authorization."  In a consent order (.pdf) that parallels settlements in a number of prior FTC enforcement cases, the company… More

How far do anti-hacking statutes extend?

An appellate court in Ohio was recently called upon to analyze that state’s cybercrime statute, OCR Ann. §2913.04, which criminalizes unauthorized access to protected computers.  In Ohio v. Wolf the court held that a city employee who was using a city computer during work hours to view pornography, visit adult “dating” websites, and solicit sexual activity had exceeded his authorized access to the computer and was guilty of the felony of “unauthorized use of property; computer, cable, or telecommunication property or service” (or “hacking”). The court concluded that the employee had exceeded his authorized access despite the fact that there… More

Interview with M. Eric Johnson, Part 2

In this, the second part of Privacy, Security and the Law’s three-part interview with M. Eric Johnson (begun here), Dr. Johnson talks about why he thinks the healthcare sector is uniquely vulnerable to security breaches and what special problems that vulnerability poses.

Encryption Used By Hackers to Demand Ransom for Virginia Prescription Database

Wikileaks is reported to have published a copy of the ransom note (please pardon the grammar and language in the original): "I have your [expletive] in *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions.  Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password."  Neither the Wikileaks site nor the Virginia site is accessible as I write this.  A spokesman for the FBI’s Richmond, Virginia office said… More

Last Minute Reprieve: FTC Postpones Deadline for Red Flags Compliance Until August 1, 2009 – Will Release “Template” For Compliant Identity Theft Prevention Program

On Thursday, April 30, 2009, the day before federal Red Flags Rules were set to go into effect for a wide range of businesses, the FTC published a notice on its website indicating that it is postponing the deadline (yet again) until August 1, 2009. Importantly, this delay appears to be imposed so that the FTC can provide businesses, many of which are confused about how to comply, with a “template” identity theft prevention program. “For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law.” The FTC indicates that it will make the template available through its website.