EFF launches Terms of Service Tracker

On June 4, 2009, the Electronic Frontier Foundation (EFF) launched TOSBack – a site that tracks changes in the terms of service for major websites such as Facebook, Google, Apple, and eBay. If you're wondering why anyone would be interested in such a thing, you may want to revisit the controversy that accompanied the revisions to the Facebook terms of service.

At TOSBack, users can click on one of over two dozen organizations to identify changes to the organization’s terms of service and/or privacy policies. TOSBack allows users to compare new and older versions of those policies, with a side-by-side view that shows additions and deletions to the policies. Users can also subscribe to an RSS feed that will alert them to new changes in the policies. TOSBack will undoubtedly help consumers identify changes that have been made to the policies of websites they visit. Nevertheless, because TOSBack exhaustively documents all changes to the policies it tracks, some users may find themselves spending considerable time sifting through immaterial changes.

Conficker Worm Still Lurking, Threat Remains

While the media frenzy surrounding the Conficker worm may have died down over the past several months, recent reports suggest that the computer worm is alive and well, and continues to expose PC users worldwide to the risk of identity theft and other mischief. 

Conficker (also known as Downup, Downandup, Conflicker, and Kido), a computer worm that attacks Microsoft Windows operating systems, was pegged by the media to wreak havoc worldwide on April Fool’s Day of this year. In the weeks leading up to what some experts dubbed our “digital Pearl Harbor,” numerous reports surfaced documenting the sheer scope of the worm’s reach: in addition to infecting millions of Windows operating systems worldwide, the worm also reportedly infiltrated the French government’s naval systems – forcing the French to ground their warplanes – and the British Parliament’s computer network.

Despite the massive media furor, April Fool’s Day passed with relatively little disruption. However, recent reports suggest that Conficker not only remains active – but that it has begun its bid to steal users’ private and financial information.


ABA Urges Congress and FTC to Exempt Lawyers from Red Flags Rules

Earlier this week, on Monday, June 22, 2009, the American Bar Association (ABA) President H. Thomas Wells, Jr. issued a public statement urging Congress and the FTC to exempt lawyers from the requirements of the federal Red Flags Rules, stating:

The Rule, adopted under the Fair and Accurate Credit Transactions Act, or FACT Act, is noble in its intent.  However, the Commission’s application of the Rule to lawyers is unnecessary and not supported by law.  Lawyers are not engaged in the type of commercial activity that Congress was attempting to regulate with the FACT Act and should not be considered creditors under the Red Flags Rule.

In support of this position, the ABA President references federal caselaw suggesting that lawyers are not "creditors" under federal law and suggests that forcing lawyers to comply would be costly and pointless.  "Compliance with the Act would complicate client arrangements and require a major commitment of lawyers’ time, yet the FTC has failed to identify a single case of identity theft in the legal service context, suggesting that such a scenario is far-fetched, if not impossible."

As we reported in our earlier post on this topic, the ABA has been considering what action to take since it asked the FTC to delay enforcement of the Red Flags Rules in April and the FTC complied, postponing broad enforcement until August 1, 2009.  The ABA statement further suggests that the ABA may already be lobbying Congress behind the scenes to relieve the legal industry from the burden of compliance.

European Service Providers To Begin (or Continue) Recording Data on All Electronic Communications

On March 15, 2006, the European Parliament issued Directive 2006/24/EC (.pdf), outlining a new program that would require internet service providers (ISPs) and telecommunications carriers to begin retaining comprehensive records of customer communications.  Specifically, the Directive required member states to ensure that a range of communications data be retained by service providers, including:

  1. The names, addresses, telephone numbers, Internet Protocol (IP) addresses and user IDs involved in Internet access, email and Internet telephony services;
  2. The date and time of the start and end of communications;
  3. The telephone numbers involved during a telephone call and the registered owners' names and addresses;
  4. Information allowing the identification of mobile phones used to make telephone calls and their geographic location when used to make calls.

The Directive expressly states that "[n]o data revealing the content of the communication may be retained pursuant to this Directive."  Under the Directive, service providers will be required to retain these records "not less than six months and not more than two years" and ensure that the retained records can be communicated to government authorities "without undue delay." 

Implementation of Directive 2006/24/EC for Internet communications has been delayed (if for no other reason than to figure out how to store the terabytes of information required under the new Directive).  In the interim, Ireland challenged the Directive in the European Court of Justice.  Examining the Directive, the ECJ held that it essentially pertained to the commercial activities of service providers, rather than to police and security matters, and dismissed the case.

Member states recently have begun implementing the Directive. In the United Kingdom, the Home Office has prepared draft regulations transposing Directive 2006/24/EC into law (.pdf) that require the retention of communications data for 12 months. This has led to significant criticism of the retention rules (see news coverage at the BBC and the Telegraph). Sweden has stated that it intends to postpone implementation of the Directive as applied to Internet activity.

Between the implementation of Directive 2006/24/EC and other invasive surveillance laws being considered in Europe (France appears to be on the verge of legalizing government spyware), the landscape of Internet communications is evolving rapidly.  Anyone transacting business in Europe or who may transfer data through member states may need to consider the privacy implications of, and retention obligations imposed by, the new rules.

AMA Adopts Principles on EMR Breach

In what it describes as an effort "[t]o protect the privacy and security of patients," the American Medical Association (AMA) last week adopted a lengthy report and related principles for physicians to follow in the event a patient's electronic medical record were to be breached.  The new AMA guidelines ask physicians to:

  1. ensure patients are properly informed of the breach and the potential for harm;
  2. follow ethically appropriate procedures for disclosure, including:
    a) confidential disclosure of the breach in a timely manner; and
    b) describing what information was subject to the breach, how the breach happened, corrective actions that have been taken, and steps the patient can take to further minimize adverse consequences;
  3. support responses to security breaches that place the interests of patients above those of physician, medical practice or institution; and 
  4. to the extent possible, provide information to patients to enable them to diminish potential adverse consequences of the breach of personal health information.

The report itself states that the "suggestions are not intended to be comprehensive," and it's right -- these general rules raise more questions than they answer:

i) do these suggestions conflict with federal or state law?
ii) might disclosure to a mentally fragile patient not be in the patient's best interest?
iii) how is a physician to know the "potential for harm"?

In particular, that third element -- placing the interests of patients above those of physicians, their practice or hospital -- is going to make this difficult for physicians in the real world to adopt.  What about when the interests are not clear, or the interests of patients conflict?  No answers to these questions are provided by the AMA.

It's not clear why the AMA felt compelled to jump into the EMR fray, given that there's no lack of state or federal regulation or attention at this point.  It's even less clear whether physicians will pay any attention or be able to make sense out of these suggestions.

Bill Seeks Changes to Massachusetts Data Security Law

With the deadline for complying with the Massachusetts identity theft law just six months away, at least one state senator is still seeking changes to that law.  In Senate Bill S173, which until now has received little public notice, State Senator Michael Morrissey proposes to make it easier for small businesses to comply, by requiring the state's regulations to take account of a business's resources as it requires compliance:  "[S]aid department shall create separate regulations for small businesses covered by this chapter that reflect said small businesses unique situation and resources."  This type of language is reminiscent of the HIPAA security rules and their scalability for businesses of different sizes.

S173 also addresses the issue of what businesses can do with employees who violate the law, by making it easier to fire them:  "A willful violation of this chapter or regulations implementing this chapter, or a written information security plan issued by a person covered by state or federal privacy laws shall provide just cause for the termination of an employee, whether the employee is employed by a private person, public agency or political subdivision of the state."

Privacy Panel Recommends Updates to Privacy Act, Privacy Officers for Federal Agencies

On May 27, 2009, the Information Security and Privacy Advisory Board (ISPAB) issued a report entitled "Toward A 21st Century Framework for Federal Government Privacy Policy" (.pdf) that calls on Congress to amend the Privacy Act of 1974, establish the position of Chief Privacy Officer in numerous executive agencies and develop a Chief Privacy Officers’ Council. ISPAB is a group that advises the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB), and the Commerce Department.

In its report, ISPAB indicates that rising threats to privacy and advancements in computer technology and usage are unaddressed by outdated provisions in the Privacy Act. It also suggests that inattention by policymakers and the absence of guidance from the White House have led to a patchwork of inconsistent approaches by federal agencies. The report concludes that these factors have contributed to the difficulty agencies have experienced in adapting to technological change. ISPAB urges the creation of a “new framework to protect privacy” by making the following recommendations:

  • Amend the Privacy Act of 1974 and Section 208 of the E-Government Act of 2002 to improve Government privacy notices and re-define “System of Records” based on function and use of data and not merely possession;
  • Institute Chief Privacy Officers at all “CFO agencies;”
  • Institute a Chief Privacy Officers’ Council; and
  • Develop uniform privacy policies emanating from the OMB.

The Senate Homeland Security and Governmental Affairs Committee has reported that it intends to modernize the law in this area.

Links:

  • The ISPAB Report  "Toward A 21st Century Framework for Federal Government Privacy Policy" (.pdf), also available from the NIST website here (.pdf)
  • The Computer Security Resource Center website developed by the Computer Security Division of NIST
  • News report regarding possible Senate action.

FTC and Other Agencies Issue Frequently Asked Questions (With Answers) on Red Flags Rules

On June 11, 2009, six federal agencies issued answers to a set of frequently asked questions (FAQ) (.pdf) to "assist financial institutions, creditors, users of consumer reports and card issuers in complying with the final rulemaking" on identity theft.  The agencies behind the FAQ are those that originally promulgated the Red Flags Rules (and issued Guidelines to assist covered entities in designing compliance programs): the Federal Trade Commission (FTC), the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS).  Some of the highlights from the FAQ are:

  • The agencies clarified that "all banks, savings associations and credit unions are covered by the Red Flags Rules and Guidelines as 'financial institutions,' whether or not they hold a transaction account belonging to a consumer," and including "those whose powers are limited to trust activities;"
  • Brokers, dealers, investment advisors or investment or insurance companies (including those that are subsidiaries of a bank or savings association) are covered by the Rules and Guidelines if they are a "financial institution" or "creditor" under the Fair Credit Reporting Act;
  • IRAs will generally be considered "covered accounts" and thus subject to the Rules and Guidelines;
  • The term "covered account" includes accounts established in the United States by non-U.S. residents;
  • Check forgery or use of a stolen credit card constitutes "identity theft" because it involves a fraud using the identifying information of another person without authority;
  • The Rules and Guidelines do not require a financial institution or creditor to educate consumers regarding the risk of identity theft, although such programs "may be helpful as part of an overall effort to address the problem of identity theft;"
  • Financial institutions may, but are not required to, use automated systems to detect red flags, but may have to supplement such systems with non-automated procedures;
  • The Rules and Guidelines require financial institutions or creditors to oversee all service provider arrangements that relate to the opening or accessing of a covered account, not just those with providers that offer fraud detection services.

While it is certainly laudable for the agencies to put together a list of answers to various FAQs in order to facilitate the transition to when the Rules and Guidelines go into effect, I found many of the answers to be fairly unhelpful.  For starters, most of the questions and answers deal with the Rules and Guidelines only as they relate to financial institutions, even though they will apply to numerous other types of institutions.  Moreover, much of the guidance given was extremely vague.  For example, many of the answers to questions regarding covered accounts could be summarized as "it depends on whether the institution determines that there is a foreseeable risk of identity theft."  It would have been helpful for the agencies to provide some examples or other more concrete information.  Hopefully the agencies will expand on the FAQ in the near future to address concerns of entities beyond financial institutions and perhaps provide more concrete guidance.

ABA to Consider Asking FTC and Congress to Exempt Lawyers from Red Flags Rules

A contact at the American Bar Association (ABA) confirmed by telephone today that the ABA Board of Governors is meeting this Saturday, June 13, 2009 to determine what position the ABA will take on whether lawyers and law firms are (or should be) considered "creditors" subject to federal Red Flags Rules.  Many among the legal community are hoping that the ABA urges the FTC and Congress to exempt lawyers from compliance with federal Red Flags Rules or takes some other action to limit the scope of the FTC's enforcement.  (For background on the Red Flag Rules, see our prior postings here, here and here). 

The FTC has previously indicated that it plans to enforce the Red Flags Rules against lawyers along with any other business that sells goods or services now and bills its customers later (see our prior discussion here).  However, according to the ABA, the first it heard of this issue was when federal regulators notified the ABA of the government's position on April 23, 2009.  This was just a week before the FTC was to begin enforcement of the Red Flags Rules.  The next day, after the FTC attended an emergency meeting with the ABA Government Affairs Office, President H. Thomas Wells, Jr. directed a letter to FTC Chairman Jonathan D. Leibowitz (.pdf) requesting an additional three- to six-month delay in enforcement so that the ABA could consider its stance on this issue.  The FTC appears to have acquiesced to the ABA request a few days later, when the FTC postponed the May 1, 2009 enforcement deadline until August 1, 2009.

In the president's letter as well as a separate public statement (.pdf), the ABA indicated that "some" believe that federal precedent contradicts the FTC's expansive interpretation of the law (for more information, see our detailed discussion of the caselaw here and here).  The ABA has also noted that "the FTC has no examples of identity theft arising from an attorney-client relationship." 

Given the looming compliance deadline, it seems likely that we will hear from the ABA shortly -- possibly as early as next week.  In view of the FTC's response (.pdf) to the public objection raised by the American Medical Association (.pdf), the ABA may need to take a different tack to effect a change in the FTC's enforcement policy.

[I should note that an attorney in California called me up yesterday to discuss the FTC's view that lawyers should be considered "creditors" subject to federal Red Flags Rules.  Thanks are owed to her for raising the question of whether the ABA has articulated a view on this issue.]

Massachusetts Regulators Present on New Information Security Rules - June 5, 2009, Suffolk University Law School

On Friday, June 5, 2009, Suffolk University Law School's Center for Advanced Legal Studies organized a thorough presentation on the Massachusetts information security rules.  These presentations were led by a pair of notable Massachusetts regulators: Scott D. Schafer, the head of privacy enforcement for the Massachusetts Attorney General, and David A. Murray, the chief architect of the Massachusetts identity theft regulations for the Office of Consumer Affairs and Business Regulation (OCABR).

These men provided useful recommendations on a number of compliance issues, including when a business should be notifying customers about a security breach, how to ensure that personal information is disposed of properly, and what businesses should be doing to comply with the new information security standards.  Read on for the highlights from these presentations.


Update on Hackers' Ransom Demand for Virginia Prescription Database

Last month, an unusual ransom demand was made on the Commonwealth of Virginia.  See Encryption Used By Hackers to Demand Ransom for Virginia Prescription Database, May 5, 2009.  In a posting late last week, the Virginia Department of Health Professions announced that it had sent a letter to affected individuals ("persons whose PMP records contained a nine-digit number that could be a social security number").  If you are crafting such a notice for your own use, this letter is of particular note.  While it isn't a universally-approved model, it would seem like a pretty good initial response to a claim of inadequate notice that you used the same form that the Commonwealth of Virginia used.