"Hi, We're From the FCC and We Are Here to Search Your Cellphone"

From the increasingly populated intersection of the Fourth Amendment and modern technology comes this story from Wired’s "Threat Level."  The Federal Communications Commission (FCC) claims the right to enter any property to inspect -- without a warrant -- any radio equipment, regardless of whether it is licensed or unlicensed.  In an interview with Wired, an FCC spokesperson claimed that the FCC’s right to inspect radio equipment extends to “anything using RF energy.”  This includes commonplace items like wireless internet routers, remote-access car keys, and cell phones.  Additionally, if any illegal or suspicious items or behavior are discovered or observed during a warrantless administrative search, those observations may become the basis for a criminal search warrant or an arrest.  Despite substantial disagreement about this application of the law, operators have been fined by the FCC for refusing to allow such warrantless inspections.  The ubiquity of the items the FCC claims it may inspect without a warrant, combined with the potential for such searches to lead to criminal actions, is causing privacy advocates to react with concern.  And with good reason, as this could be a prelude to the expansion of other types of administrative searches.

Links:

  • Cory Doctorow reports on the FCC’s inspection policy at BoingBoing here
  • The Federal Communications Commission’s homepage is here
  • The Federal Communications Commission’s “2005 Inspection Policy” can be found at their website here
  • The Federal Communications Commission’s order imposing a fine for failure to allow inspection of radio equipment can be found here or at their website here
  • John Byrne reports on the FCC’s inspection policy at the Raw Story here
  • Rogue Radio Research’s FAQ arguing the FCC lacks the power to inspect unlicensed radio stations can be found here
  • Ryan Singel’s report breaking this story at Wired, “FCC’s Warrantless Household Searches Alarm Experts”, can be found here


FTC Chairman Pushes for Increasingly Specific "Self" Regulation of Behavioral Advertising

In recent weeks, FTC Chairman Jon Leibowitz has encouraged the behavioral advertising industry to adopt increasingly specific "self" regulatory measures to address privacy concerns.  Behavioral advertising, which the FTC has described as the practice of “tracking of a consumer’s activities online . . . in order to deliver advertising targeted to the individual consumer’s interests,” is a concern for consumer groups.  Consumers' concerns range from the transparency of the process, to the adequacy of the security measures in place to protect the information compiled, to the impact of behavioral advertising on vulnerable consumers.  In recent statements, Leibowitz has suggested that he remains unsatisfied with industry efforts to address these concerns.


Courts Split On Whether Police Can Use GPS To Track Individual's Movements Without A Warrant

According to the Chicago Tribune, on May 7, 2009, a three-judge panel of the Wisconsin Court of Appeals unanimously ruled that police "can attach GPS to cars to secretly track anybody's movements without obtaining search warrants" without violating the Fourth Amendment.  The court's opinion in State v. Sveum can be found here.  The defendant, Sveum, was under investigation for stalking when the police obtained a warrant to secretly place a GPS device on his car while it was parked in his driveway.  The device recorded the defendant's movements for five weeks, after which the police retrieved it and used the information on it to obtain a warrant to search the defendant's residence.

More recently, on May 12, the New York Court of Appeals (that state's highest court) ruled that placing a GPS tracking device inside the bumper of a suspect's car without a warrant, and using that device to monitor the suspect's movements for two months, violated the suspect's rights under the New York State Constitution.  The court's opinion in People v. Weaver can be found here.


FTC Releases "Template" Identity Theft Prevention Program for Red Flags Rules Compliance

On Wednesday, May 13, 2009, the FTC released a "template" identity theft prevention program (.pdf) to guide businesses subject to a "low risk" of identity theft through the process of complying with federal Red Flags Rules.  The FTC template was first announced on May 1, 2009 when the agency postponed enforcement of the general purpose Red Flags Rules until August 1, 2009 (see our posting here or our more detailed client alert here).

The FTC template is divided into two parts.  The first section outlines how businesses should evaluate whether they are at low risk for identity theft.  Under the FTC's guidance, low risk businesses include:

  • Businesses, such as doctor or lawyer practices, that are personally familiar with their customers and therefore are unlikely to be fooled by impostors.
  • Businesses that provide services at customers' homes.
  • Businesses that have never received a complaint or discovered an incident of identity theft.
  • Industries in which identity theft is uncommon.

While the template does not discuss this point, those businesses that do not fall into the category of "low risk" presumably are required to undertake a more in depth review of the risks and implement a substantially more detailed identity theft prevention program. 

The second section of the template is essentially an identity theft prevention program checklist that requires the business to fill in the procedural and administrative blanks.  Anyone using the FTC template should recognize that the template is a guide for performing the assessments required by the federal regulations; it does not excuse low risk businesses from compliance.  For instance, the template requires that a business identify any red flags it is aware of in addition to one mandatory red flag: receiving a notice of identity theft from a customer or law enforcement.  While the template provides helpful structure to the process of compliance, low risk businesses appear to be subject to the same requirements as everyone else.  In particular, the template program requires a business to identify applicable red flags, identify the procedures it will use to detect those warning signs, designate a program coordinator, develop a training program, identify key service providers who will need to be appropriately vetted, and keep the program up to date.  The template does help us understand what level of compliance the FTC will be looking for at many smaller businesses.


Interview with M. Eric Johnson, Part 3

In this, the third and final part of Security, Privacy and the Law’s interview with M. Eric Johnson (Part 1 may be found here and Part 2 is here), Dr. Johnson talks about why the fragmented nature of the American healthcare system is so dangerous and why he believes greater consolidation would better protect private information. He also talks about the specific problems associated with data security on peer-to-peer file sharing networks.


Cracking Down: FTC Settles Claims Against Mortgage Company For Violations of FTC Safeguards Rule - Requires Information Security Program and 10 Years of Security Audits

On Tuesday, May 5, 2009, in a press release devoted largely to the FTC's congressional testimony on peer-to-peer file sharing, the FTC announced that it had reached a settlement of its claims against James B. Nutter & Company, a mortgage company that did not implement information security measures meeting federal minimums.  According to the FTC, the result of this alleged failure was that an intruder in the company's systems sent "millions of outgoing spam emails" and "could have accessed personal information without authorization."  In a consent order (.pdf) that parallels settlements in a number of prior FTC enforcement cases, the company has agreed to implement an information security program and to subject itself to biennial security audits for 10 years.

In the FTC complaint (.pdf), federal regulators claimed, among other things, that the mortgage company "failed to provide reasonable and appropriate security for personal information," including by failing to implement a "comprehensive written information security program."  Such a program is a requirement for financial institutions, including lenders and mortgage companies, under the FTC Safeguards Rule, a regulation promulgated in 2002 to implement Section 501(b) of the Gramm-Leach-Bliley Act (GLBA).  The complaint also alleged that James B. Nutter & Company failed to provide customers adequate notice of its security practices, as required by the FTC Privacy Rule.  The Privacy Rule was promulgated in 2000 to implement Sections 501 through 509 of the GLBA.

Notably, the complaint makes few allegations of damage to consumers.  The only alleged harm consisted of spam email and the possibility of unauthorized access to customer information.  No doubt this is the reason the settlement did not involve a substantial fine, as the FTC sought, at least nominally, in its last enforcement action in this area (see our posting on the FTC's settlement with Rental Research Services).  The case thus suggests that the FTC may be willing to undertake enforcement efforts when only consumer privacy interests are affected, even in the absence of concrete financial harm.

* Update: an attorney representing James B. Nutter & Company has contacted us to provide Security, Privacy and the Law with the company's press release on this incident (.pdf) and to clarify that the company is obligated to submit to only 5 biennial security audits over 10 years.


How far do anti-hacking statutes extend?

An appellate court in Ohio was recently called upon to analyze that state’s cybercrime statute, ORC Ann. § 2913.04, which criminalizes unauthorized access to protected computers.  In Ohio v. Wolf the court held that a city employee who was using a city computer during work hours to view pornography, visit adult “dating” websites, and solicit sexual activity had exceeded his authorized access to the computer and was guilty of the felony of “unauthorized use of property; computer, cable, or telecommunication property or service” (or “hacking”).  The court concluded that the employee had exceeded his authorized access despite the fact that there was no city computer use policy or software that placed limits on employees' use of city computers.

This ruling, which appears to expand the scope of anti-hacking statutes, has been criticized in the media. For a detailed analysis of the case, see the Wired article “Court Upholds Hacking Conviction of Man for Uploading Porn Pics from Work Computer”

Interview with M. Eric Johnson, Part 2

In this, the second part of Security, Privacy and the Law’s three-part interview with M. Eric Johnson (begun here), Dr. Johnson talks about why he thinks the healthcare sector is uniquely vulnerable to security breaches and what special problems that vulnerability poses.


Encryption Used By Hackers to Demand Ransom for Virginia Prescription Database

Wikileaks is reported to have published a copy of the ransom note (please pardon the grammar and language in the original): "I have your [expletive] in *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions.  Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password."  Neither the Wikileaks site nor the Virginia site is accessible as I write this.  A spokesman for the FBI's Richmond, Virginia office said today that the agency was investigating a referral from the Virginia Information Technologies Agency.  Assuming this breach is real, it carries with it a certain amount of irony, in that encryption, normally a protective control, is being used as the instrument of the extortion plot.  Could this breach have been prevented?  It is also hard to believe that the hackers would be able to reach the backup files as well; offline or otherwise segregated backups are what allow a victim to refuse such a demand.  There are more questions than answers at this point, but there will surely be lessons to be learned.

Last Minute Reprieve: FTC Postpones Deadline for Red Flags Compliance Until August 1, 2009 - Will Release "Template" For Compliant Identity Theft Prevention Program

On Thursday, April 30, 2009, the day before the federal Red Flags Rules were set to go into effect for a wide range of businesses, the FTC published a notice on its website indicating that it is postponing the deadline (yet again) until August 1, 2009.  Importantly, this delay appears to have been imposed so that the FTC can provide businesses, many of which are confused about how to comply, with a "template" identity theft prevention program: "For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law."  The FTC indicates that it will make the template available through its website.

In delaying enforcement, the FTC continues to maintain that the Red Flags Rules apply broadly to any business that bills its customers (i.e., "all entities that regularly permit deferred payments for goods or services").  In particular, the FTC specifically states that the statutory term "creditor" encompasses "businesses that provide services and bill later, including many lawyers, doctors, and other professionals."  The notice concedes that considerable confusion has surrounded the preliminary question of who is covered under the new rules.  The FTC directs businesses looking for more information to its new microsite on the Red Flags Rules.
