Doctors and Other Health Care Professionals Challenge Application of FTC Red Flags Rule

The FTC Red Flags Rule faces another likely challenge, based on a January 27, 2010 letter sent to the FTC by the American Medical Association, the American Osteopathic Association, the American Dental Association, and the American Veterinary Medical Association.  In that letter, the four health care organizations requested that the Red Flags Rule not be applied to health care professionals (based on the reasoning of the recent court decision that it does not apply to lawyers).  I assume that if the FTC rejects this request, suit will be filed by these groups, just as the AICPA has filed suit on behalf of accountants to except them from the Red Flags Rules.

Incident of the Week: OIG Reports that the FBI Routinely Circumvented Electronic Communications Privacy Act

A report entitled A Review of the Federal Bureau of Investigation's Use of Exigent Letters and Other Informal Requests for Telephone Records (.pdf) from the Department of Justice Office of the Inspector General (OIG) indicates that between 2003 and 2005, FBI routinely "circumvented the requirements of the Electronic Communications Privacy Act (ECPA)" by using so-called "exigent letters" to obtain telephone call data from telecommunications companies.  The ECPA, 18 USC Sec. 2702, provides that service providers will not provide customer data to government authorities, absent a national security letter signed by the Director of the FBI or a subpoena. 

The 700+ "exigent letters" examined by the OIG became common after the terrorist attacks on September 11, 2001.  In reaction to the attacks, a telecommunications company (referenced as "Company A" in the report) provided a "fraud detection analyst" to the FBI's New York field office to access telephone records in response to subpoenas from the U.S. Attorney's Office.  Apparently, over time the Company A analysts began to provide the requested customer data in response to "placeholder" letters signed by FBI special agents while the grand jury subpoenas were in the process of being obtained.  These letters, which claimed "exigent circumstances" and requested the production of customer data before the submission of a subpoena, became known as "exigent letters."  When the FBI's investigation moved to Washington, D.C., three service providers moved analysts into the FBI's offices to respond to the requests for telephone data covered by the ECPA.  

Observations from the OIG report include:

  • The "concept of using exigent letter originated as a time-saving technique" in the wake of the 2001 terror attacks, but over the years the embedding of service provider analysts with the FBI "led to a culture in which exigent letters and other even less formal and equally inappropriate requests for information became the [FBI Communication Analysis Unit's] accepted and customary method of conducting business."

  • Some letters called for the production of thousands of telephone numbers and customer transaction data.

  • OIG concluded that exigent letters were issued and customer records were obtained even though the "circumstances . . . were not exigent," including "media leak investigations . . . and other investigations that did not include exigent or life-threatening circumstances."

  • The FBI special agent responsible for signing over 100 exigent letters told OIG investigators "that the communications service providers' employees often gave him exigent letters to sign after he had already been given the requested records -- and he simply signed the letters.  This SSA also said that while he realized the exigent letters inaccurately states that grand jury subpoenas had been submitted, he signed the letter because he 'thought it was all part of the program coming from the phone companies themselves[.]'"

  • Another FBI special agent responsible for a large number of the letters told the OIG that the telecommunications analyst from "Company A" informed him about the letters and told him that the letters had been approved by legal counsel.

  • When asked, the FBI unit chief described the exigent letters as "standard operating procedure."

  • Telecommunications company analysts interviewed by the OIG described pressure from the FBI to accept the "placeholder" exigent letters.  One noted: "personally, it wasn't my place to police the police."

  • The FBI sought court orders under the Foreign Intelligence Surveillance Act (FISA) using customer data obtained through exigent letters in violation of the ECPA.  However, agents mischaracterized how the FBI had obtained the data -- suggesting that the data had been properly produced in response to a national security letter or subpoena.

  • OIG "found that numerous, repeated, and significant management failures led to the FBI's use of exigent letters and other informal requests for telephone transactional records over an extended period of time."

Incident(s) of the Week: Recent Updates from Prior Incidents

1.  The FTC Fines Las Vegas Man $35,000 for Dumping Customer Financial Records In Public Dumpster

This week, the FTC finalized a $35,000 settlement with Gregory Navone, the real estate broker who left 40 boxes of customer tax returns, bank statements, consumer reports and other financial records in a public dumpster behind an office building in Las Vegas.  The defendant agreed to the fine, which amounts to $875 per box, as well as a stipulated order (.pdf) requiring him to adopt a comprehensive written information security program.  We first posted on this case a year ago, after the FTC filed its complaint (.pdf). 

In addition to the dumping of consumer financial information, the FTC alleged that Navone had failed to implement physical and electronic security procedures or to take reasonable steps to secure the customer records he stored at home in his garage.  According to the FTC, these activities violated the FTC Act, the Federal Credit Reporting Act (FCRA) and Navone's own information security policy, which read:

We take our responsibility to protect the privacy and confidentiality of customer information very seriously.  We maintain physical, electronic, and procedural safeguards that comply with federal standards to store and secure information about you from unauthorized access, alteration and destruction.

(See Complaint (.pdf), Para. 9).  Everyone subject to document destruction laws may want to note this case and keep in mind that $35,000 is the fine imposed on an individual / small business.

2.  Fight Breaks Out Over Whether Hacker Responsible For Largest Data Breach In History Suffers From "Internet Addiction"

In December, Albert Gonzalez, aka "segvec," "soupnazi" and "j4guar17" pled guilty to charges that he masterminded the theft of over 100 million consumer credit card numbers and other financial information from Heartland Payment Systems, 7-Eleven and other companies.  We posted on his indictment last August and again on his curious role as government informant.  The public recently gained a new window on Gonzalez's soul from filings made by defense attorneys that portray the hacker as an "Internet addicted" youth compelled to commit cybercrime.  Collecting statements from Gonzalez's psychologist, family members and a former girlfriend, the defendant's sentencing memorandum (.pdf) provides an interesting point of view on the life of the hacker:

As a young boy, Gonzalez was an outwardly normal enough kid -- he had friends, engaged in activities, worked alongside his father, received good grades in school, and was part of a warm and loving family which continues to stand by him.  In middle school, things began to change, and by high school Gonzalez had become a different person -- a loner, without friends, who passed up normal teenage activities, including dating, to devote himself to his new-found and rapidly escalating obsession: computers.

*    *    *

Seeking to break Gonzalez of his computer habit, his mother periodically sought to deny him access to his computer or to at least curtail his usage, once putting it in his sister's room.  Rather than be deprived of access to his computer, Gonzalez would go to his sister's room in the middle of the night to use it.  Gonzalez's social contacts narrowed to computer chat rooms where he communicated with others with knowledge of computers and to meetings of other computer-savvy individuals, many of whom were hackers and from whom he learned much that he would, unfortunately, later convert to unlawful purposes.

*    *    *

[B]y [ ] early 2002 -- Gonzalez, age 21, had developed a serious drug and alcohol problem . . . which played a substantial role in the subsequent course of his life.  This is not to say that his substance abuse affected Gonzalez' [sic] ability to tell right from wrong.  It did not, and he knew when he turned to cyber-crime that it was wrong.  What it did do, however, was contribute to his inability to stop himself.  What developed over time was a destructive cycle of using drugs to permit him to stay awake and alert for long hours at the computer but also using them to try to get away from the computer . . . .

*    *    *

Computers . . . had become the center of his life, his raison-d'etre, if you will.  He and his computer in many ways became one: he thought in computer-speak instead of normal words, and, when his computer was infected by a virus, [he] referred to the event as if it were he, himself, who had gotten the virus.

Describing Gonzalez as unable to stop his urge to commit cybercrime, defense counsel has asked the Court to sentence him to 15 years in prison, the minimum sentence permitted.  Last week, federal prosecutors renewed their request to have a government psychologist examine Gonzalez to combat the defendant's claim that his "internet addiction" merits leniency within the 15 to 25 year sentencing range. 

Is Your Password Still "123456"? If So, It's Time for a Change

If you or your co-workers use any of the passwords listed below, you are asking to be hacked.  According to a report from the consulting firm Imperva, this list reflects an analysis of some 32 million passwords that an unknown hacker stole in December 2009 from RockYou, a company that makes software for users of social networking sites.  Somewhat shockingly, the password "123456" was used by nearly 1% of all RockYou users; the "top 20" RockYou passwords are reproduced below:   

1.  123456
2.  12345
3.  123456789
4.  Password
5.  iloveyou
6.  princess
7.  rockyou
8.  1234567
9.  12345678
10. abc123
11. Nicole
12. Daniel
13. babygirl
14. monkey
15. Jessica
16. Lovely
17. michael
18. Ashley
19. 654321
20. Qwerty

Hackers around the world now have this list of 32 million passwords and are using it to make brute force attacks on accounts and networks.  How can you defend yourself?  Change and toughen your passwords, lengthening them and adding a mix of letters and numbers.  If you are trying to defend your company's network, you need to adopt and enforce more rigorous password policies.  Tougher passwords will not make you or your networks hack-proof, but they will put you ahead of the thousands of people who still use "123456."
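One way to turn the advice above into an enforceable policy check, as an added example that is not part of the original post or of Imperva's report: a Python validator that rejects the RockYou top 20 reproduced above together with their trivial variants (case changes, appended digits or punctuation, common letter-for-symbol substitutions) and straight keyboard or digit runs, and that requires the length and letter/digit mix the post recommends. The 12-character minimum, the substitution table and the sample candidates are assumptions, not values from the post.

```python
"""Password-policy check built around the RockYou "top 20" list in the post."""
import re

# The 20 most common RockYou passwords, exactly as listed in the post.
ROCKYOU_TOP20 = [
    "123456", "12345", "123456789", "Password", "iloveyou", "princess",
    "rockyou", "1234567", "12345678", "abc123", "Nicole", "Daniel",
    "babygirl", "monkey", "Jessica", "Lovely", "michael", "Ashley",
    "654321", "Qwerty",
]

MIN_LENGTH = 12  # assumed policy value, not from the post

# Common substitutions people use to dodge a denylist ("P@ssw0rd" -> "password").
# Assumed table; extend as needed.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Straight runs on the digit line or a US keyboard row, checked in both directions.
_ROWS = ["0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def normalize(pw):
    """Reduce a password to the form compared against the denylist: lower-case,
    trailing digits/punctuation removed, leetspeak undone.  All-digit passwords
    such as '123456' are compared verbatim."""
    pw = pw.lower()
    if not re.search(r"[a-z]", pw):
        return pw
    core = re.sub(r"[^a-z]+$", "", pw)      # "monkey2010!" -> "monkey"
    return core.translate(_LEET)            # "p@ssw0rd"    -> "password"


def is_denylisted(pw, denylist=ROCKYOU_TOP20):
    """True if pw, or a trivial variant of it, is on the denylist."""
    normalized = {normalize(p) for p in denylist}
    return normalize(pw) in normalized


def is_keyboard_run(pw, min_run=5):
    """True if the whole password is one straight run such as 123456, 654321 or qwerty."""
    s = pw.lower()
    if len(s) < min_run:
        return False
    return any(s in row or s in row[::-1] for row in _ROWS)


def check_password(pw, min_length=MIN_LENGTH):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        problems.append("does not mix letters and digits")
    if is_denylisted(pw):
        problems.append("matches (or is a trivial variant of) a RockYou top-20 password")
    if is_keyboard_run(pw):
        problems.append("is a straight digit or keyboard-row run")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates, not data from the breach.
    for candidate in ["123456", "P@ssw0rd2010!", "Qwerty", "correct-horse-battery-7"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```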

Connecticut AG Opens New Era in HIPAA Enforcement with Health Net Suit

In the first instance of a state attorney general exercising the new powers granted by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), Connecticut Attorney General Richard Blumenthal (and recently announced candidate for the U.S. Senate) filed suit today against Health Net of Connecticut, Inc. for failing to secure private patient medical records and financial information involving 446,000 enrollees in Connecticut and for failing to promptly notify consumers of the security breach.  AG Blumenthal is also seeking a court order to require Health Net to encrypt any protected health information (“PHI”) contained on a portable electronic device.

The AG’s suit stems from events that occurred in May 2009, when he alleges Health Net learned that a portable computer disk drive disappeared from a company office. The disk contained protected health information, Social Security numbers, and bank account numbers for approximately 446,000 of its past and present Connecticut enrollees.  AG Blumenthal further alleges that Health Net failed to promptly notify his office or other Connecticut authorities of this missing information. The missing information is said to include 27.7 million scanned pages of over 120 different types of documents, including insurance claim forms, membership forms, appeals and grievances, correspondence and medical records.  

According to an investigative report by Kroll Inc., a computer forensic consulting firm hired by Health Net, the data was not encrypted or otherwise protected from access and viewing by unauthorized persons or third parties, but rather was viewable through the use of commonly available software. The Connecticut Attorney General alleges that it was not until six months after Health Net discovered the breach that it posted a notice on its website, and then sent letters to consumers on a rolling mailing basis beginning on November 30, 2009.

Accountants Ask Court To Exempt Them From Red Flags Rules

Last week the American Institute of Certified Public Accountants (AICPA) filed papers seeking summary judgment in the lawsuit filed against the Federal Trade Commission (FTC) to exempt accountants from the FTC's Red Flags Rules.  We first posted on this case in November, when the AICPA filed a complaint asking the federal court in Washington, D.C. to declare that accountants are not subject to the Red Flags Rules.  This followed hot on the heels of the October ruling (.pdf) that lawyers were not required to comply with the Red Flags Rules in a lawsuit filed by the American Bar Association (ABA).  It should be noted that the AICPA's motion will be heard by the same judge who issued the decision in favor of the ABA, Hon. Reggie B. Walton.

Since Judge Walton's preliminary ruling in the ABA case in October, the court has published a lengthy opinion (.pdf) explaining his reasoning.  In particular, the decision indicated that lawyers need not comply with the Red Flags Rules because the Rules only apply to "financial institutions" and "creditors," and lawyers cannot be classified as such under the Fair and Accurate Credit Transactions Act (the FACT Act or FACTA) or the Equal Credit Opportunity Act (the ECO Act or ECOA).  The FTC has taken the position that lawyers, accountants and anyone else who invoices a customer after services have been provided is extending credit, which makes them "creditors" under the FACT Act, ECO Act and the Red Flags Rules.  Judge Walton forcefully addressed this position in his opinion in favor of the ABA:

[T]he Commission is essentially taking the position that the period of time between when a service is provided to when a lawyer or law firm invoices a client for the service and the invoice is paid, amounts to a period during which credit was extended if there is any interval of time between the providing of the service and the payment of the invoice. . . This is clearly not what was intended by Congress by its use of the term credit in the ECO Act and its subsequent inclusion of the term in the FACT Act.

The Court further noted that it found it persuasive that there is no evidence that identity theft is an actual problem in the legal profession, one that might necessitate the protections of the Red Flags Rules:

From the record before the Court (or more accurately the lack of a record), the best that can be gleaned is that identity theft in the attorney-client context is only a theoretical problem, especially given the role of state professional codes of conduct and other ethical codes to which attorneys must abide, and the Court cannot conclude that it is an actual problem given the absolute lack of any legislative, regulatory or other evidentiary findings that have been brought to the Court's attention.

The FTC will face the same arguments in the accountants' case.  Will Judge Walton side with the AICPA and rule that accountants, like lawyers, are not subject to the Red Flags Rules as "creditors?"  Or will the Court give the FTC more flexibility to extend the Red Flags Rules outside of the legal profession?  Read the AICPA's papers below and let us know your thoughts.

The FTC's opposition papers are expected next week.


Is the FTC "Moving to a Post-Disclosure Era" for Online Consumer Privacy?

Is the FTC moving to a "Post-Disclosure Era," in which consumer online privacy would be regulated in a radically different manner than the status quo?  That was a suggestion made by the chairman of the FTC, Jon Leibowitz, and David Vladeck, chief of the FTC's Bureau of Consumer Protection, during a recent on-the-record discussion about online privacy, reported in the New York Times.

For some time, I have been asking the question, "Is Consent Dead, and Should We Even Care?"  Now it appears the FTC is asking the very same question.  According to FTC Chair Leibowitz, companies “haven’t given [online] consumers effective notice, so they can make effective choices” about the privacy of their online information.  Mr. Vladeck similarly views traditional advise-and-consent privacy notice models as dependent upon “the fiction that people were meaningfully giving consent.  The literature is clear” that few people read privacy policies.

What, if anything, will this new way of thinking mean in terms of future regulation of consumer online privacy by the FTC?  More information may be forthcoming at the FTC's next privacy roundtable, to be held on January 28 (and available to the public via webcast).

Incident of the Week: Twitter Used In Sting Operation To Find Out Who Leaked TSA Security Directive

Rumors are circulating that Special Agents from the Transportation Security Administration (TSA) have been posing as a Connecticut blogger on Twitter to find out who leaked airport security screening procedures put in place after the recent attack by the "underwear bomber."  This is a new twist in what some are describing as an overzealous investigation of government documents posted online.

As many of us found out on Christmas Day, a 23-year-old Nigerian man identified as Umar Farouk Abdulmutallab apparently ignited an incendiary or explosive device in his lap while he was sitting on Northwest Airlines Flight 253 to Detroit.  While no passengers were harmed, the same cannot be said for the would-be bomber's lap, which combusted.  In reaction to the attack, the TSA issued Security Directive 1544-09-06 directing TSA airport officers to pat down 100% of all passengers, "concentrating on upper legs and torso," with the notable exception of heads of state.

Two days later, on December 27, 2009, the TSA Security Directive was posted to the Flying with Fish blog run by Steven Frischling and to Chris Elliot's blog at Elliot.org.  TSA was not pleased with this attention.  Apparently, the TSA considered the Security Directive secret, even though it was sent to thousands of airports and airlines around the world and arguably was somewhat obvious to anyone in an airport around Christmas-time.  The agency launched an immediate investigation, sending agents and subpoenas to Frischling's and Elliot's homes (the text of which is available at his blog).

Frischling ultimately cooperated with the probe, gave them access to his BlackBerry, iPhone and computers and let TSA agents know that his source had contacted him anonymously using a free email service. 

Then an unusual message appeared on blogger Steven Frischling's Twitter account:

To the gentleman who sent Flying With Fish the TSA Security Directive … Thank You! Can you drop me an email? I have a question. Thanks-Fish.

According to sources interviewed by Wired, a TSA agent took possession of Frischling's BlackBerry, typed the Twitter update into the device and then directed Frischling to click on the “send” button to post the message to his Twitter page.  According to Wired's source, this was an attempt to induce the anonymous informer to send Frischling an email and draw him or her out of hiding.  Of course, implicit in this strategy is that the TSA already had, or expected to gain, access to Frischling's email as well.  The TSA denies this account.  Other bloggers, such as TechCrunch's Michael Arrington, have pointed the finger at Frischling and have criticized him for caving to government pressure and cooperating in the effort to expose his own confidential source.

No doubt, the TSA is under considerable pressure to heighten its security since early December, when an employee inadvertently posted online the agency's highly classified airport security operating manual.