Monthly Archives: January 2010

Doctors and Other Health Care Professionals Challenge Application of FTC Red Flags Rule

The FTC Red Flags Rule faces another likely challenge, based on a January 27, 2010 letter sent to the FTC by the American Medical Association, the American Osteopathic Association, the American Dental Association, and the American Veterinary Medical Association.  In that letter, the four health care organizations requested that the Red Flags Rule not be applied to health care professionals (based on the reasoning of the recent court decision that it does not apply to lawyers).  I assume that if the FTC rejects this request, suit will be filed by these groups, just as the AICPA has filed suit on behalf of accountants to except them from… More

Incident of the Week: OIG Reports that the FBI Routinely Circumvented Electronic Communications Privacy Act

A report entitled A Review of the Federal Bureau of Investigation’s Use of Exigent Letters and Other Informal Requests for Telephone Records (.pdf) from the Department of Justice Office of the Inspector General (OIG) indicates that between 2003 and 2005, FBI routinely “circumvented the requirements of the Electronic Communications Privacy Act (ECPA)” by using so-called “exigent letters” to obtain telephone call data from telecommunications companies.  The ECPA, 18 USC Sec. 2702, provides that service providers will not provide customer data to government authorities, absent a national security letter signed by the Director of the FBI or a subpoena.


Incident(s) of the Week: Recent Updates from Prior Incidents

1.  The FTC Fines Las Vegas Man $35,000 for Dumping Customer Financial Records In Public Dumpster

This week, the FTC finalized a $35,000 settlement with Gregory Navone, the real estate broker who left 40 boxes of customer tax returns, bank statements, consumer reports and other financial records in a public dumpster behind an office building in Las Vegas.  The defendant agreed to the fine, which amounts to $875 per box, as well as a stipulated order (.pdf) requiring him to adopt a comprehensive written information security program.  We first posted on this case a year ago,… More

Is Your Password Still “123456”? If So, It’s Time for a Change

If you or your co-workers use any of the passwords listed below, you are asking to be hacked.  According to a report from the consulting firm Imperva, this list reflects an analysis of some 32 million passwords that an unknown hacker stole in December 2009 from RockYou, a company that makes software for users of social networking sites.  Somewhat shockingly, the password “123456” was used by nearly 1% of all RockYou users; the “top 20” RockYou passwords are reproduced below:

123456 12345 123456789 Password iloveyou princess rockyou 1234567 12345678 abc123 Nicole Daniel babygirl monkey Jessica Lovely michael Ashley 654321 Qwerty

Hackers around the… More

Connecticut AG Opens New Era in HIPAA Enforcement with Health Net Suit

In the first instance of a state attorney general exercising the new powers granted by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), Connecticut Attorney General Richard Blumenthal (and recently announced candidate for the U.S. Senate) filed suit today against Health Net of Connecticut, Inc. for failing to secure private patient medical records and financial information involving 446,000 enrollees in Connecticut and for failing to promptly notify consumers of the security breach.  AG Blumenthal is also seeking a court order to require Health Net to encrypt any protected health information (“PHI”) contained on a portable… More

Accountants Ask Court To Exempt Them From Red Flags Rules

Last week the American Institute of Certified Public Accountants (AICPA) filed papers seeking summary judgment in the lawsuit filed against the Federal Trade Commission  (FTC) to exempt accountants from the FTC’s Red Flags Rules.  We first posted on this case in November, when the AICPA filed a complaint asking the federal court in Washington, D.C. to declare that accountants are not subject to the Red Flags Rules.  This followed hot on the heels of the October ruling (.pdf) that lawyers were not required to comply with the Red Flags Rules in a lawsuit filed by the… More

Is the FTC “Moving to a Post-Disclosure Era” for Online Consumer Privacy?

Is the FTC moving to a "Post-Disclosure Era," in which consumer online privacy would be regulated in a radically different manner than the status quo?  That was a suggestion made by the chairman of the FTC, Jon Leibowitz, and David Vladeck, chief of the FTC’s Bureau of Consumer Protection, during a recent on-the-record discussion about online privacy, reported in the New York Times

For some time, I have been asking the question, "Is Consent Dead, and Should We Even Care?"  Now it appears the FTC is asking the very same question.  According to FTC Chair Leibowitz, companies “haven’t given [online] consumers effective notice, so… More

Incident of the Week: Twitter Used In Sting Operation To Find Out Who Leaked TSA Security Directive


Rumors are circulating that Special Agents from the Transportation Security Administration (TSA) have been posing as a Connecticut blogger on Twitter to find out who leaked airport security screening procedures put in place after the recent attack by the “underwear bomber.”  This is a new twist in what some are describing as an overzealous investigation of government documents posted online.

As many of us found out on Christmas Day, a 23 year old… More