ALERT: FTC Announces Delay in Red Flags Enforcement Until June 1, 2010

Two days before they were scheduled to go into effect, and on the same day that a federal judge ruled that lawyers should be excluded from enforcement, the Federal Trade Commission (FTC) announced today that it was delaying enforcement of its Red Flags Rule until June 1, 2010.  In the announcement, the FTC stated that the delay was due to "the request of Members of Congress" and highlighted the efforts it has made to provide guidance to covered entities on how to comply with the Rule.  However, the announcement specifically mentioned the October 30, 2009 ruling by District Judge Reggie B. Walton of the U.S. District Court for the District of Columbia (see our coverage here), in which the Court granted the ABA's motion for summary judgment, finding that the FTC may not apply the Rule to attorneys.  According to the announcement, the delay in enforcement "does not affect the separate timeline" of the ABA's lawsuit "and any possible appeals."  Given the timing of the announcement, the most likely explanation for the delay is that the FTC wants to give itself time to appeal the district court's decision in the ABA suit. 

To recap the events leading up to this postponement: in April, the ABA received word that the FTC intended to enforce the FTC's Red Flags Rule, 16 CFR Part 681, against lawyers.  The ABA immediately asked the FTC to extend the May 1, 2009 deadline and the FTC obliged by postponing the deadline until August 1, 2009 (see our post on this topic).  After the ABA publicly called on the FTC and Congress to exempt lawyers from the Red Flags Rule in late June, it filed suit in federal district court on August 27, 2009, leading to the ruling in its favor this morning.

However, as we noted in our post on the district court's ruling, caution may be warranted for attorneys because a number "of federal and state laws demand that companies ensure that customer information is protected "downstream" -- i.e., by consultants, accountants, lawyers and anyone else who is given access to customer records . . . . Under these overlapping obligations [along with the fact that the FTC will almost certainly appeal Judge Walton's decision to the D.C. Court of Appeals] lawyers and law firms who represent regulated businesses may ultimately have little to celebrate as a result of the ruling in favor of the ABA" and the delay in enforcement of the Rule.

Federal Judge Rules That Lawyers Need Not Comply With Red Flags Rules

After hearing argument yesterday, Federal District Judge Reggie B. Walton entered an order (.pdf) this morning granting the American Bar Association's (ABA) request that lawyers be excluded from enforcement of the Federal Trade Commission's (FTC's) controversial Red Flags Rules.  This comes as the legal community steeled itself for the FTC's imminent November 1st enforcement deadline.  The order does not go into detail to explain the Court's decision, but promises a written legal opinion within the next month.

The ABA sued the FTC in August to obtain this relief after lobbying both the FTC and Congress to exempt lawyers from the Red Flags Rules.  News of the judge's ruling spread after the hearing yesterday.  ABA President Carolyn B. Lamm stated "By voiding the FTC’s interpretation of a statute that was clearly not intended to apply to the legal profession, the court has ensured that lawyers stay focused on the mission of their work: providing aid and counsel to the individuals and organizations that need us."  No public comment has been posted by the FTC.

Caution may be warranted here, however.  Lawyers, like many other consultants that handle clients' documents and data, will likely be required to take many, if not all, of the same security measures demanded of their clients.  The Red Flags Rules require, among many things, that companies oversee how their service providers manage customer information and accounts (16 CFR Part 681.1(e)(4)).  As a result, lawyers may find themselves complying with the Red Flags Rules because they represent companies that must comply with the Rules, which currently include financial institutions and a range of businesses.

It should be noted that a range of federal and state laws demand that companies ensure that customer information is protected "downstream" -- i.e., by consultants, accountants, lawyers and anyone else who is given access to customer records. Many state identity theft regulations, such as the strict Massachusetts regulations promulgated as 201 CMR 17.00, require that companies obtain written certifications that service providers are taking all the same security measures as their clients.  Moreover, financial institutions governed by the Gramm Leach Bliley Act and health care providers covered by HIPAA have similar requirements.  Under these overlapping obligations, lawyers and law firms who represent regulated businesses may have little to celebrate as a result of the ruling in favor of the ABA.

Incident of the Week: ChoicePoint Settles FTC Charges That It Failed To Turn On "Key Monitoring Tool"

This week, ChoicePoint, Inc. finalized its settlement with the Federal Trade Commission (FTC) to resolve charges stemming from a 2008 breach that compromised the personal information of 13,750 consumers.  According to the FTC, the breach occurred because ChoicePoint implemented a security tool designed to detect unauthorized access to its databases, but "failed to detect that the security tool was off" for a period of four months.  Apparently, during this outage, "an unknown person conducted unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers."  The unauthorized access apparently occurred between August 8, 2008 and September 8, 2008.  According to ChoicePoint, the incident occurred because "a former ChoicePoint government customer failed to properly safeguard one of its user IDs."  (See ChoicePoint's news release.) ChoicePoint voluntarily approached the FTC when it discovered the breach.

ChoicePoint, which suffered a more significant breach in 2005, was already subject to a 2006 order requiring that the company implement a comprehensive information security program.  (See the FTC's materials on the prior breach.)  The FTC and ChoicePoint dispute whether the current breach was the result of failing to meet its security obligations under the 2006 order.  The supplemental stipulated judgment entered this week (.pdf) provides that ChoicePoint will pay $275,000 into a fund to redress potential harm to consumers and submit to biennial security assessments.

This case is notable, even though the size of the breach and the monetary payment involved are relatively modest, because the underlying breach allegedly resulted from the ineffective implementation of security tools. In practice, many companies react to information security regulations by purchasing a suite of security products. But are these tools being utilized effectively? At least according to the FTC, companies may face sanctions if their adopted security measures are not turned on and managed appropriately.
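The lesson of the ChoicePoint settlement is that a security tool that is silently switched off is worth nothing, so something must watch the watcher. The following is an added illustration, not code from the FTC filings or from ChoicePoint: it assumes the monitoring tool writes a periodic heartbeat line (the `dbmon heartbeat` lines below are constructed) and raises an alert for any period in which heartbeats stop arriving, including the case where the tool has never reported at all.

```python
from datetime import datetime, timedelta

# Constructed sample log: a database-access monitor is expected to emit one
# heartbeat line per hour. The jump from the third line to the fourth is a
# month of silence, the "tool is off" condition the text describes.
SAMPLE_HEARTBEATS = """\
2008-08-07 22:00:00 dbmon heartbeat status=ok
2008-08-07 23:00:00 dbmon heartbeat status=ok
2008-08-08 00:00:00 dbmon heartbeat status=ok
2008-09-08 00:00:00 dbmon heartbeat status=ok
2008-09-08 01:00:00 dbmon heartbeat status=ok
"""

def parse_heartbeats(text):
    """Return the timestamp of every heartbeat line, oldest first."""
    stamps = []
    for line in text.splitlines():
        if " heartbeat " not in line:
            continue  # ignore unrelated log lines
        stamps.append(datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"))
    return sorted(stamps)

def find_silent_periods(stamps, now, max_gap=timedelta(hours=2)):
    """Return (start, end) pairs during which no heartbeat arrived for longer
    than max_gap. The last heartbeat is compared against `now`, so a tool
    that is still silent is reported, not only one that came back on."""
    if not stamps:
        return [(None, now)]  # never heard from the tool at all: also a failure
    silent = []
    for earlier, later in zip(stamps, stamps[1:] + [now]):
        if later - earlier > max_gap:
            silent.append((earlier, later))
    return silent

def alert_lines(text, now, max_gap=timedelta(hours=2)):
    """Human-readable alerts for every silent period found in `text`."""
    out = []
    for start, end in find_silent_periods(parse_heartbeats(text), now, max_gap):
        if start is None:
            out.append(f"ALERT: no heartbeat ever received as of {end}")
        else:
            days = (end - start).days
            out.append(f"ALERT: no heartbeat from {start} to {end} ({days} days)")
    return out

if __name__ == "__main__":
    # Run the check as if it were executed shortly after the last sample line.
    for msg in alert_lines(SAMPLE_HEARTBEATS, now=datetime(2008, 9, 8, 2, 0, 0)):
        print(msg)
```

In production the same check would run from a scheduler independent of the tool it watches, so that a single failure cannot silence both.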

Massachusetts Court Holds Disclosure of Patient Records Does Not Violate HIPAA or State Consumer Statute

In Mercier v. Courtyard Nursing Care Center, 2009 WL 1873746 (Mass. Super. Ct. Jun. 11, 2009), a resident of a nursing home sued the home in Massachusetts Superior Court for negligence after being assaulted by another resident.  The injured resident moved to obtain medical records maintained by the home regarding the resident who had allegedly committed the assault.  The home contended that disclosure of the records would violate both HIPAA’s prohibition on disclosure of medical records without a patient’s authorization and Mass. Gen. L. ch. 93A, the Massachusetts unfair and deceptive practices statute.

The court, however, held HIPAA permitted disclosure of medical records “in the course of a judicial proceeding,” including in response to a court order, subpoena or discovery request. The court further observed that, although a Massachusetts regulation states that unauthorized release of a patient’s personal or medical record violates ch. 93A, the regulation contains a specific exception for disclosures “required by law.”  The court held that disclosure pursuant to a court order requiring production of records constituted such a disclosure.  The court also held that the sought-after records were likely to lead to admissible evidence regarding defendant’s knowledge of the alleged propensity for violence of the resident who had committed the assault and therefore ordered production of the records.  [Thanks to Foley Hoag's Eric Haskell for this entry.]

Bill to Narrow Red Flags Rules Moves Forward

It appears that certain groups, such as the American Bar Association (ABA), may be partially successful in their efforts to convince Congress to narrow the scope of the FTC Red Flags Rules, which are currently scheduled to go into effect on November 1.  According to the BNA Privacy & Security Law Report, the House Financial Services Committee has sent H.R. 3763, titled a bill "To amend the Fair Credit Reporting Act to provide for an exclusion from Red Flag Guidelines for certain businesses," directly to the House floor without a markup.  The bill proceeded to the House floor after the Republican side of the Financial Services Committee consented to such a move.

The bill, which was introduced on October 8 by Rep. John Adler (D-N.J.), would exclude from the Red Flags Rules health care, accounting and legal practices with 20 or fewer employees.  It would also require the FTC, within 180 days, to issue regulations that set forth the process by which a business may apply for an exemption from the Red Flags Rules.

Of course, the passage of H.R. 3763 likely will not sufficiently narrow the Red Flags Rules in the eyes of the ABA, which has filed suit in federal district court in Washington D.C. to stop the application of the Red Flags Rules to all attorneys (see our prior post on this lawsuit).  In that case, the ABA has already moved for partial summary judgment, and the FTC has filed an opposition.  On October 13, ABA President Carolyn Lamm sent a letter to Rep. Barney Frank (D-MA), the chairman of the Financial Services Committee, urging lawmakers to exempt all attorneys from the rules.

Incident of the Week: Russian Company Proves That WiFi/Wireless Networks No Longer Secure

ElcomSoft Co. Ltd., a Moscow-based "password recovery" company, has announced that its software can make an encrypted wireless network accessible using only a PC and the innovative computing power of consumer graphics cards from Nvidia.  This software would appear to allow anyone to intercept internet traffic over wireless networks encrypted with the WPA or WPA2 algorithms.  British security consultancy Global Secure Systems says that this is "extremely worrying" and has indicated that this means that WiFi networks are no longer secure.

Decrypting wireless traffic by guessing the encryption key, a "brute force" decryption, has been a possibility for some time; however, the computing power of most personal computers has prevented this from becoming a realistic threat (e.g., a computer attempting to guess the right password might take months or years to guess correctly).  New leaps in computing power have changed this landscape.  Computer graphics card companies like Nvidia have opened up the computing power bottleneck by allowing developers to run programs on the high-powered parallel processors used in consumer graphics cards.  The end result is that buying a new video card and a $1,200 software package reportedly could speed up a brute force decryption 10,000 percent (and the same graphics card will let you play the newest PC games and speed up a variety of other, more innocent applications like Adobe Photoshop).  As a result, our use of wireless networks, everything from passwords to email, could be intercepted and decrypted relatively easily.

David Hobson of Global Secure Systems indicates that anyone with a high-end graphics card has “a machine capable of tumbling wireless keys out of the ether and decrypting them in a matter of hours rather than months."  In an interview with SC Magazine, Hobson takes the view that additional security measures, such as running an encrypted VPN (Virtual Private Network), are now necessary to comply with the UK Data Protection Act. Similarly, U.S. companies in the EU Safe Harbor Program or complying with U.S. information security rules, such as Gramm-Leach-Bliley Act regulations, HIPAA or federal and state identity theft rules, need to consider whether their wireless networks are appropriately secured against this threat.  Businesses transferring regulated information on WiFi networks may need to adjust their information security programs and practices accordingly.
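What makes the "10,000 percent" figure matter for a WPA/WPA2-PSK network is that the key is derived from the passphrase with PBKDF2-HMAC-SHA1 (4096 rounds, salted with the SSID), so each guess costs an attacker a fixed amount of work and the guessing rate decides how long a passphrase policy holds up. The following is an added example, not ElcomSoft's or Global Secure Systems' code: it derives the key exactly as the standard does (checked against the published "password"/"IEEE" test vector), measures this machine's single-core guessing rate, and sizes several passphrase policies against that rate and a hundredfold GPU speedup taken from the text; the SSID and candidate passphrases are constructed.

```python
import hashlib
import time

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise master key for WPA/WPA2-PSK: PBKDF2-HMAC-SHA1, 4096 rounds,
    salted with the SSID (IEEE 802.11i). Anyone guessing passphrases offline
    must run these 4096 rounds per guess, so the guessing rate is what
    decides how long a given passphrase survives."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def measure_guess_rate(ssid: str = "constructed-ssid", samples: int = 25) -> float:
    """Single-core guesses per second on this machine: the CPU baseline that
    the text says a consumer GPU multiplies roughly a hundredfold."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"candidate-{i:06d}", ssid)  # constructed candidates
    return samples / (time.perf_counter() - start)

def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase of `length` symbols drawn from
    an alphabet of `alphabet_size`; on average an attacker needs half of it."""
    return alphabet_size ** length / guesses_per_second

def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"

POLICIES = [  # (label, alphabet size, passphrase length)
    ("8 lowercase letters", 26, 8),
    ("8 mixed-case letters and digits", 62, 8),
    ("12 mixed-case letters and digits", 62, 12),
    ("20 mixed-case letters and digits", 62, 20),
]

GPU_SPEEDUP = 100  # the "10,000 percent" figure quoted in the text

if __name__ == "__main__":
    cpu_rate = measure_guess_rate()
    print(f"this machine, one core: {cpu_rate:,.0f} guesses/s")
    for label, alphabet, length in POLICIES:
        cpu = human(seconds_to_exhaust(alphabet, length, cpu_rate))
        gpu = human(seconds_to_exhaust(alphabet, length, cpu_rate * GPU_SPEEDUP))
        print(f"{label:34s} CPU: {cpu:>18s}   GPU x{GPU_SPEEDUP}: {gpu:>18s}")
```

The table makes the policy decision concrete: a short passphrase that looked safe at CPU rates falls within days at GPU rates, while a long random one stays out of reach, which is the basis for either lengthening passphrases or, as Hobson suggests, adding a VPN layer.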

Incident of the Week: Ever-Growing Breach Involving Passwords for Hotmail, Gmail, Yahoo, AOL, Earthlink and Comcast

What started out as an incident involving the leak of 10,000 user names and passwords for Windows Live Hotmail accounts continues to grow, both in terms of users and companies affected.  According to reports from the beginning of the week, more than 10,000 user names and passwords from Hotmail were posted by an anonymous user on the site pastebin.com.  The list was limited to accounts starting in A and B, raising the fear that many more accounts had been affected.  The original reports speculated that the breach was the result of a hack of Hotmail or a phishing attack.  But more information is surfacing that indicates that the breach is much larger than many first thought.

Subsequent reports have revealed that as many as 20,000 accounts have been compromised across numerous email providers, including Yahoo, AOL, Comcast, Earthlink and others, and that .  These reports noted that the affected companies believed that the breaches occurred because of phishing attacks (although one researcher, Mary Landesman, who works for ScanSafe, has said that "it's more likely that the massive lists . . . were harvested by botnets that infected PCs with keylogging or data stealing Trojan horses.").

As more details emerge, it seems that more questions remain to be answered.  Exactly how many passwords have been compromised, and from how many companies?  Was the breach due to a single massive phishing attack, multiple smaller phishing attacks, or some type of malware? Why were lists of affected users posted online?  Whatever the answers, it might be a good idea to take a few minutes to change your email passwords from a computer that has been swept for viruses and malware.

Subject of FBI Investigation Reveals Government Concerns About Access to Federal Courts' Public PACER System

Reddit co-founder Aaron Swartz was apparently the subject of an FBI investigation for “participating in a project to take the publicly owned US court records from the PACER database (where they were very expensive to access) and put them on the web.” 

Mr. Swartz has made this information public by releasing the contents of his FBI file, obtained through a Freedom of Information Act request. His file reveals that the FBI was treating his access of PACER as a crime which cost the victim, the Administrative Office of the US Courts, approximately $1.5 million. The file suggests, but does not explicitly state, that the crime may have been a violation of the Computer Fraud and Abuse Act (18 U.S.C. §1030), as the FBI apparently asked the Administrative Office of the US Courts how Mr. Swartz would have known his access was unauthorized.

The FBI closed its investigation of Mr. Swartz without filing charges. The investigation of Swartz's activity, coupled with questions about what constitutes accessing a computer "without authorization" under anti-hacking statutes (as I previously discussed here), suggests that future efforts to open the PACER system (as well as existing efforts, like RECAP) may meet with some government resistance.

For more on efforts to make the PACER system more accessible to the public, see our previous posts on the subject.

Incident(s) of the Week: Double Feature

Incident 1: UNC Data Breach Exposes Information On Over 100,000 Women Listed In Mammogram Registry

The University of North Carolina at Chapel Hill recently disclosed a data breach that exposed information on 160,000 women, including the Social Security Numbers of 114,000.  Original reports estimated that more than 200,000 women were affected.  The source of the breach was a computer intrusion into a server housing the Carolina Mammography Registry, which is "a 14-year-old project that compiles and analyzes mammography data submitted by radiologists across North Carolina."

Evidently, the breach was discovered in July, but it may have occurred over two years ago.  According to Matt Mauro, chairman of the UNC Department of Radiology, traces of computer viruses dating back to 2007 were found on the UNC School of Medicine server.  The school delayed in notifying those affected while it conducted a forensic investigation to determine exactly who was affected.  To this point, however, the school still does not know who committed the breach or where the attack originated, how the server (which had all required security measures) was breached, or whether any data was actually downloaded.

Incident 2: Massachusetts Inmate Pleads Guilty to Charges that He Hacked Prison Computer While Incarcerated, Accessed Personal Information On 1,100 Correctional Officers

On September 14, 2009, Francis G. Janosko pled guilty to charges that he hacked a legal research computer provided to inmates in the Plymouth County Correctional Facility.  A highly restricted computer terminal was provided to inmates for the sole purpose of allowing them access to legal research resources.  Janosko apparently circumvented security measures restricting the computer to legal research tools and obtained access to the administrator's username and password, the prison's internal network, and a report listing the names, birthdays, Social Security Numbers and contact information for 1,100 current and former prison personnel.  He also used the computer to send email and download publicly-available photographs and videos.

A grand jury in Boston indicted Janosko for these activities about a year ago in a sealed indictment (.pdf).  In the plea agreement (.pdf) recently reached with the U.S. Attorney's Office in Boston, federal prosecutors have agreed to dismiss the original charge of aggravated identity theft in exchange for Janosko's guilty plea to charges under the Computer Fraud and Abuse Act.  Janosko has agreed to accept an additional incarceration of 18 months for the hack.  Sentencing in the case is scheduled for December 15th.