Connecticut Attorney General Reaches First State HIPAA Settlement with Health Net

On July 6, 2010, Connecticut Attorney General Richard Blumenthal announced a settlement with Health Net and its affiliates (Health Net of the Northeast, Inc., Health Net of Connecticut, Inc., and parent companies UnitedHealth Group Inc. and Oxford Health Plans) of a suit that cited the companies' failure to secure private patient medical records and financial information on nearly half a million Connecticut enrollees and to promptly notify consumers endangered by the breach.


The settlement marks the first action by a state attorney general for violations of HIPAA since the Health Information Technology for Economic and Clinical Health ("HITECH") Act authorized state attorneys general to enforce HIPAA.  The settlement includes two years of consumer credit monitoring, $1 million of identity theft insurance and reimbursement for the costs of security freezes. Under the settlement, Health Net and its affiliates also agreed to:


· A “Corrective Action Plan” in which Health Net is implementing several measures to protect health information and other private data in compliance with HIPAA. This plan includes continued identity theft protection, improved systems controls, improved management and oversight structures, improved training and awareness for its employees, and improved incentives, monitoring, and reports.

· A $250,000 payment to the state representing statutory damages.

· An additional contingent payment to the state of $500,000, should it be established that the lost disk drive was accessed and personal information used illegally, impacting plan members.

FTC Delays Enforcement of Red Flags Rule Against Doctors & Hospitals Until Appeals Court Rules

On June 25, 2010, federal district court judge Reggie B. Walton of the United States District Court for the District of Columbia entered a stipulated court order (.pdf) directing the  Federal Trade Commission (FTC) to delay enforcement of the FTC's Red Flags Rule against doctors and medical practices represented by the American Medical Association (AMA) and American Osteopathic Association.  The FTC and AMA agreed to this delay in a Joint Stipulation (.pdf), filed in the lawsuit initiated by the AMA and other medical associations to exclude doctors and other medical professionals from the application of the Red Flags Rule. 

The key issue in the case is whether medical practices should be considered "creditors" under the Red Flags Rule and the Fair and Accurate Credit Transactions Act (FACTA or the FACT Act).  The case follows lawsuits filed beginning in 2009 by the American Bar Association (ABA) and the American Institute of Certified Public Accountants (AICPA) to exclude lawyers and accountants from the scope of the new rules.  In October 2009, Judge Walton ruled that lawyers were not "creditors" subject to the Red Flags Rule.  The FTC has appealed that order, and the United States Court of Appeals for the District of Columbia Circuit is expected to issue a decision clarifying the scope of the law.

In the recently approved stipulation, the AMA and the FTC have agreed to stay their dispute until the Court of Appeals issues its opinion.  The FTC has also agreed to delay enforcement of the Red Flags Rule for 90 days after the Appeals Court issues its ruling.

Spokeo In Violation of Federal Privacy Laws According to New CDT Complaint Filed With FTC

This week, the Center for Democracy & Technology (CDT) submitted a complaint (.pdf) to the Federal Trade Commission (FTC) alleging that the data broker website Spokeo is violating federal financial privacy law by not taking adequate safeguards to protect consumers.  Spokeo bills itself as a search engine that allows users to look up "people-related information from phone books, social networks, marketing lists, business sites, and other public sources." 

According to the CDT's complaint, Spokeo is in violation of the Fair Credit Reporting Act (FCRA), which requires "consumer reporting agencies" to take certain actions to protect consumer privacy, including giving consumers the right to access information about themselves, to correct mistakes, and to be advised of adverse decisions made based on Spokeo's data.  The FCRA also strictly limits the disclosure of consumer data to a limited number of "permissible purposes," yet the CDT complaint does not appear to raise claims regarding Spokeo's disclosure of consumer data to its users.  The complaint does allege that Spokeo's actions amount to unfair and deceptive acts in violation of the FTC Act.

Cracking Down: Twitter Settles Charges that It Did Not Take Adequate Security Precautions To Protect User Privacy Settings

Today, the Federal Trade Commission (FTC) and Twitter announced that Twitter has agreed to settle FTC charges that the company failed to take sufficient security measures to protect user privacy settings.  

The FTC charges stem from security breaches that occurred in 2009, when hackers accessed Twitter employee accounts and used administrative controls to access the Twitter accounts of high-profile users, including Barack Obama.  (Under hacker control, President-elect Obama's Twitter account apparently "offered his more than 150,000 followers a chance to win $500 in free gasoline.")  Twitter candidly announced the first security incident in January 2009 and blogged about a second incident in April 2009.

The FTC Complaint (.pdf) lists the following security flaws among Twitter's failings:

  • Twitter allegedly did not have policies that required its administrators to select hard-to-guess passwords; instead, administrators were permitted to use "weak, lowercase, letter-only, common dictionary word[s]" as administrative passwords.

  • Twitter employees were allowed to store administrative passwords in plain text, so that once hackers broke into their accounts, the hackers had full administrative access to other users' accounts.

  • Twitter did not disable administrative accounts after a number of unsuccessful login attempts, allowing hackers to easily run automated password-guessing tools against the accounts.

  • Twitter administrators were not required to change their passwords regularly.

  • Twitter did not limit administrative access to user accounts to those employees who needed such access.

  • Twitter did not do enough to restrict administrative access to authorized individuals, such as by requiring administrators to log in through a separate employee website or by restricting administrator access to specific IP addresses.
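
The controls the complaint describes are ordinary authentication hygiene, and the gap between having a policy and enforcing it in code is where such cases are decided.  The sketch below is an added example, not Twitter's code or anything from the FTC filing: a minimal administrative login gate in Python that rejects short or dictionary-word passwords, stores only a salted PBKDF2 hash rather than plain text, locks an account after a fixed number of failures, and refuses logins from outside an administrative IP allowlist.  The word list, thresholds, CIDR range, account names and the `AdminGate` API are illustrative assumptions.

```python
"""Admin authentication gate implementing the controls the FTC complaint
says were missing. Added example; not Twitter's code."""
import hashlib
import hmac
import ipaddress
import os
import time
from dataclasses import dataclass

# Assumed, constructed word list; production would load a full cracking dictionary.
COMMON_WORDS = {"password", "happiness", "twitter", "letmein", "welcome"}
MIN_LENGTH = 12          # assumed policy values
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900
PBKDF2_ROUNDS = 100_000


def password_is_acceptable(pw):
    """Reject the 'weak, lowercase, letter-only, common dictionary word' class."""
    if len(pw) < MIN_LENGTH or pw.lower() in COMMON_WORDS:
        return False
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return sum(classes) >= 3          # at least three character classes


def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256; only this digest is stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class AdminAccount:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


class AdminGate:
    def __init__(self, allowed_cidrs, clock=time.time):
        # Administrative logins are accepted only from these source networks.
        self.networks = [ipaddress.ip_network(c) for c in allowed_cidrs]
        self.accounts = {}
        self.clock = clock            # injectable so lockout expiry can be tested

    def enroll(self, user, pw):
        if not password_is_acceptable(pw):
            raise ValueError("password does not meet administrative password policy")
        salt, digest = hash_password(pw)
        self.accounts[user] = AdminAccount(salt, digest)

    def login(self, user, pw, source_ip):
        """Return 'ok' or a 'denied: ...' reason string."""
        if not any(ipaddress.ip_address(source_ip) in net for net in self.networks):
            return "denied: source address not in admin allowlist"
        acct = self.accounts.get(user)
        if acct is None:
            return "denied: bad credentials"
        now = self.clock()
        if acct.locked_until > now:      # checked before verifying, so a locked
            return "denied: account locked"   # account cannot be brute-forced
        _, digest = hash_password(pw, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            return "denied: account locked"
        return "denied: bad credentials"
```

A real deployment would back `COMMON_WORDS` with a full cracking dictionary, persist lockout state so a restart does not clear it, and enforce the source-address restriction in front of the application (VPN or reverse proxy) rather than inside it; the point of the example is that each of the allegations above maps to a specific, testable control.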

What may be a key issue for many online businesses developing social networking sites is that, according to the FTC, users' privacy settings may impose an implicit duty on the website operator to take certain security precautions in order to honor those settings.  In Twitter's case, the site allowed users to make some "tweets" (short user messages/postings) private, and the alleged lack of security allowed hackers to access those private messages.  The FTC Complaint (.pdf) claims that "Twitter has engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security to: prevent unauthorized access to nonpublic user information and honor the privacy choices exercised by its users in designating certain tweets as nonpublic."  According to the FTC, the lack of security was so severe that Twitter's claim that users' privacy was protected amounted to a deceptive act under the FTC Act. 

In its Agreement (.pdf) with the FTC, Twitter consented to adopt a comprehensive information security program and submit independent security assessments to the FTC every other year for the next 10 years.  In today's blog posting, Twitter indicated that "[e]ven before the agreement, we'd implemented many of the FTC's suggestions and the agreement formalizes our commitment to those security practices."


ALERT: FTC Delays Enforcement of Red Flags Rule Through December 31, 2010

Today, the Federal Trade Commission issued a press release and an Enforcement Policy (.pdf) extending the deadline for enforcement of the FTC's Red Flags Rule through December 31, 2010.  The agency cited requests from members of Congress for a postponement of the deadline while legislators tinker with federal law to exclude certain businesses from application of the Rule.  The FTC announcement states:

Several members of Congress have once again asked the Commission to delay the Rule’s enforcement, through the end of the year, to give Congress time to reach a consensus on the types of businesses that should be covered under the Rule. The Commission believes that a limited further postponement is warranted so that it does not begin to enforce a regulation that Congress plans to supersede.

*    *    *

The Commission urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays.

In October 2009, the House of Representatives unanimously passed HR 3763 (.pdf), a bill that would exempt from application of the Rule law firms, accounting firms and medical practices with 20 or fewer employees.  This week, on Tuesday, May 25, 2010, Senators John Thune and Mark Begich introduced S.3416 (.pdf), a parallel bill that amends the law to exclude the same small firms and practices.  The bill is currently before the Senate Committee on Banking, Housing, and Urban Affairs.

This move comes days before the June 1, 2010 deadline that the FTC set in October for enforcement of the Red Flags Rule.  Beginning in 2008, the FTC created controversy by construing the Red Flags Rule to apply to a wide range of "creditors", including anyone that invoices customers after providing goods or services.  As a result, the FTC has faced backlash from law firms, accounting firms and medical practices.  Groups representing these industries have filed lawsuits against the FTC to prevent them from applying the Red Flags Rule.  

While it seems likely that Congress will exclude some businesses from the application of the Red Flags Rule, the current efforts may not be cause for widespread celebration in the legal, accounting and medical communities.  If the new bill expressly excludes small practices, one effect of the new law may be to confirm a legislative intent that larger law firms, accounting firms and medical practices (i.e., those that employ more than 20 individuals) remain subject to the Red Flags Rule. 

REMINDER: Red Flags Rule Enforcement Deadline Falls Next Week

This Tuesday, June 1, 2010, marks the official deadline for compliance with the Federal Trade Commission's Red Flags Rule.  The deadline for enforcement of the Red Flags Rule has been delayed repeatedly since its original deadline in November 2008, but the FTC has remained silent on further delays since it announced the current deadline in October of last year.  

The FTC's Red Flags Rule is a set of regulations that require financial institutions and creditors to adopt written identity theft prevention programs.  The FTC sparked considerable controversy when it announced that the Rule applies broadly to a range of businesses unused to being subjected to financial industry regulation (i.e., any individual or company that bills its customers after it provides goods or services).  As a result, a number of industry groups have filed lawsuits to challenge the FTC's application of the Red Flags Rules to lawyers, accountants and, most recently, medical professionals.

As Tuesday approaches, we look to the FTC to announce whether the agency is ready to begin enforcement of the Red Flags Rule.

New Google Tool Maps Government Requests For Users' Personal Information

This week Google rolled out its Government Requests tool that quantifies the number of government requests it receives from various countries around the world.  The move was announced by David Drummond, Google's Chief Legal Officer on Tuesday on the official Google blog.  In his post, Drummond stated:

So it's no surprise that Google, like other technology and telecommunications companies, regularly receives demands from government agencies to remove content from our services. Of course many of these requests are entirely legitimate, such as requests for the removal of child pornography. We also regularly receive requests from law enforcement agencies to hand over private user data. Again, the vast majority of these requests are valid and the information needed is for legitimate criminal investigations. However, data about these activities historically has not been broadly available. We believe that greater transparency will lead to less censorship.

The issue has been somewhat controversial in the wake of the expansion of government requests in recent years.  The Google Tool maps the number of data requests and removal requests that Google received between July 1, 2009 and December 31, 2009.  Google indicates that it will be updating this data every six months.

Cracking Down: FINRA Fines Blackmailed Brokerage Firm $375,000 for Violation of Reg S-P

On Monday, the Financial Industry Regulatory Authority (FINRA) announced that brokerage firm D.A. Davidson & Co. had consented to the imposition of a $375,000 fine for lax security measures that allowed hackers working for an "international crime group" to obtain personal information on thousands of customers. 

The breach itself occurred in December 2007, when hackers used a SQL injection attack to obtain data on over 100,000 of Davidson's customers from the firm's online account system.  (FINRA's announcement alleges that the breach affected 192,000 customers, but court filings and the hackers' own claims put the number as high as 300,000.)  Davidson remained unaware of the breach until January 2008, when it received an email from Robert Borko, an Eastern European man, who demanded that Davidson pay him $80,000 for the return of the data and a "security consultation."  Borko suggested in broken English that Davidson did "not want to involve FBI here and we can have agreement like businesman.”

Davidson instead worked with the U.S. Secret Service to snare the hackers / "security consultants" behind the breach.  Ultimately, this led to the indictment of not only Borko but also Aleksandrs Hoholko, Jevgenijs Kuzmenko and Vitalkijs Drozdovs, three Latvian men who attempted to pick up Davidson's blackmail payment at a Western Union in the Netherlands.  Hoholko, Kuzmenko and Drozdovs were arrested in February 2008 by the Netherlands High Tech Crime Unit and extradited to the United States, where they have pled guilty to extortion charges.  [These and other colorful details of the breach and blackmail attempt can be pulled from the filings in the criminal case against the Latvian men, including the defendants' motion to dismiss (.pdf) and the government's response (.pdf).]

Davidson spent $1.3 million on credit monitoring for its customers and settled a class action last year by agreeing to pay up to $1 million for any harm to its customers [see the Davidson settlement site].  At present, Davidson reports that no customer has been the victim of identity theft as a result of the intrusion.

According to the FINRA press release and the parties' April 9, 2010 letter of consent (.pdf), FINRA claims that Davidson failed to adopt the minimum security measures required by Regulation S-P, when it made its customer database available over the Internet.  In particular, FINRA found that Davidson violated Reg S-P because the firm:

  • did not encrypt the customer database;
     
  • did not review web server logs which identified the SQL injection attacks;
     
  • did not regularly review perimeter security logs (even though "the attacks were not visible on those logs");
     
  • did not have any written procedures in place for the review of web server logs;
     
  • did not have an intrusion detection system in place; and
     
  • did not have any written procedures "setting forth an information security program designed to respond to intrusions."
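
Two of the six findings, the unreviewed web server logs and the missing intrusion detection system, are things a practitioner can test for directly.  The script below is an added example, not Davidson's code or anything from the FINRA filing: it parses Apache-style access log lines, URL-decodes each query parameter, flags common SQL injection signatures (UNION SELECT, tautologies such as OR 1=1, comment terminators, stacked queries, unbalanced quotes), and then totals the bytes returned per source address, since an injected query that returns an unusually large response is the moment at which customer data leaves the database.  The log lines, IP addresses, URL paths and function names are constructed for the example and are not from the breach.

```python
"""Scan web server access logs for SQL injection indicators and roll up
results per source address. Added example; not Davidson's or FINRA's code."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines for the example; not from the breach.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Dec/2007:02:13:04 -0500] "GET /account/view.asp?id=1027 HTTP/1.1" 200 4821 "-" "Mozilla/4.0"
198.51.100.7 - - [14/Dec/2007:02:13:09 -0500] "GET /account/view.asp?id=1027' HTTP/1.1" 500 1203 "-" "Mozilla/4.0"
198.51.100.7 - - [14/Dec/2007:02:13:15 -0500] "GET /account/view.asp?id=1027%20UNION%20SELECT%20name,ssn,1%20FROM%20customers-- HTTP/1.1" 200 88214 "-" "Mozilla/4.0"
198.51.100.7 - - [14/Dec/2007:02:14:02 -0500] "GET /account/view.asp?id=1027%20OR%201%3D1 HTTP/1.1" 200 91002 "-" "Mozilla/4.0"
192.0.2.44 - - [14/Dec/2007:02:14:30 -0500] "GET /account/view.asp?id=2211 HTTP/1.1" 200 4790 "-" "Mozilla/5.0"
192.0.2.44 - - [14/Dec/2007:02:15:01 -0500] "GET /search.asp?q=select%20stocks HTTP/1.1" 200 3022 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Heuristic signatures applied to each URL-decoded parameter value.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S)),
    ("tautology", re.compile(r"\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I)),
    ("comment-terminator", re.compile(r"(--|/\*)\s*$")),
    ("stacked-query", re.compile(r";\s*(drop|insert|update|delete|exec|xp_)\w*", re.I)),
]


def analyze_line(line):
    """Return a finding dict for one log line, or None if nothing looks suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = m.group("path").partition("?")[2]
    hits = set()
    for raw in filter(None, query.split("&")):
        name, _, value = raw.partition("=")
        value = unquote_plus(value)          # match on what the application saw
        for label, pat in SQLI_PATTERNS:
            if pat.search(value):
                hits.add(f"{label}:{name}")
        if value.count("'") % 2 == 1:        # probing with a stray quote
            hits.add(f"unbalanced-quote:{name}")
    if not hits:
        return None
    size = m.group("size")
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": int(m.group("status")),
            "bytes": int(size) if size.isdigit() else 0, "indicators": sorted(hits)}


def scan_log(text):
    """All findings in a log, in file order."""
    return [f for f in map(analyze_line, text.splitlines()) if f]


def summarize_by_source(findings):
    """Per-IP request count, total bytes returned, and distinct indicators."""
    summary = defaultdict(lambda: {"requests": 0, "bytes_returned": 0, "indicators": set()})
    for f in findings:
        s = summary[f["ip"]]
        s["requests"] += 1
        s["bytes_returned"] += f["bytes"]
        s["indicators"].update(f["indicators"])
    return {ip: {**s, "indicators": sorted(s["indicators"])} for ip, s in summary.items()}


if __name__ == "__main__":
    for ip, s in summarize_by_source(scan_log(SAMPLE_LOG)).items():
        print(ip, s)
```

On the constructed sample the legitimate search for "select stocks" is not flagged, while the three probing requests from the single source address are, and the roll-up shows roughly 180 KB returned to that address against a normal page of under 5 KB.  Signature matching of this kind is a starting point, not a substitute for an IDS or parameterized queries, but a daily run of even this much over the web server logs would have satisfied the written log-review procedure FINRA found missing.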

FINRA specifically found it compelling that Davidson had retained independent security consultants in 2006 and 2007 and implemented the majority of the consultants' recommendations, but had failed to put in place the recommended intrusion detection system.  Even without the system, the security consultants were apparently unable to breach Davidson's security.

Regulated broker-dealers and other financial institutions subject to Regulation S-P or other Gramm Leach Bliley Act (GLBA) regulations, including the FTC's Safeguards Rule, should take note of the alleged violations in this case.  Regulated entities with online customer accounts should consider whether they have implemented intrusion detection systems, routinely monitor web server logs, and have adopted written incident response procedures.

LifeLock To Pay $12 Million to Settle Charges That Identity Theft Prevention and Data Security Claims Were False

LifeLock, Inc., a self-proclaimed “industry leader in the rapidly growing field of identity theft protection,” has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that LifeLock falsely promoted its identity theft protection services.  LifeLock publicized its services through advertisements that publicly disclosed its CEO’s Social Security number.  As part of the settlement, LifeLock and its principals will be barred from making deceptive claims and required to take more stringent measures to safeguard the personal information they collect from customers.

The FTC’s complaint charged that the fraud alerts LifeLock placed on customers’ credit files protected only against a few types of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft.  New account fraud, the type of identity theft for which fraud alerts are most effective, comprised only about 17 percent of identity theft incidents.  The FTC also alleged that LifeLock provided no protection against other types of identity theft, such as medical identity theft and employment identity theft. 

The FTC’s complaint further alleged that LifeLock claimed that it would prevent unauthorized changes to customers’ address information, that it constantly monitored activity on customer credit reports, and that it would ensure that a customer always would receive a telephone call from a potential creditor before a new account was opened.  Ironically, the FTC also charged that LifeLock’s own data repositories were not encrypted, and sensitive consumer information was shared inappropriately, and could have been exploited by hackers. 

The FTC will use the $11 million it receives from the settlements to provide refunds to consumers. It will be sending letters to the current and former customers of LifeLock who may be eligible for refunds under the settlement.

"Data, Data Everywhere" -- Recommended Reading

The February 27 issue of The Economist has an excellent special report, "Data, data everywhere:  A special report on managing information."  It features a series of articles on the volume of information that is overtaking business and society, and the means by which business and governments are responding.

FTC Tells Businesses, Schools and Local Governments: Stop Sharing Personal Information On Peer-To-Peer Filesharing Networks

The Federal Trade Commission (FTC) announced yesterday that it had notified "almost 100" companies and organizations, including schools and local governments, that sensitive personal information from those entities was being shared across peer-to-peer (P2P) filesharing networks. This has apparently resulted in circulation of customer personal information, health information, Social Security numbers and other sensitive data. 

Poorly supervised use of P2P networks has frequently been the subject of unwanted attention, including from the FTC.  For our coverage of P2P security issues, see our prior posts here ("Congressional Aide Shares Secret Ethics List With The World"), here ("Incident of the Week: Seattle Man Sentenced To Three Years In Prison For Using Peer-To-Peer Software To Steal Financial Records, Commit Identity Theft") and here ("Rep. Mary Bono Mack Introduces Informed P2P User Act To Combat Inadvertent File Sharing"). 

The danger with P2P filesharing software is that failure to select the proper settings can result in opening up all documents on a computer to anonymous users on the Internet.  As the FTC warned in its press release: "when P2P file-sharing software is not configured properly, files not intended for sharing may be accessible to anyone on the P2P network."  The problem commonly arises when a business' staff load P2P filesharing software on company computers to access music or other downloads (which can be illegal in itself), but fail to properly configure the software.

The FTC has provided the following examples of the notification letters it has mailed to entities: FTC Sample Letter A (.pdf), FTC Sample Letter B (.pdf) and FTC Sample Letter C (.pdf).  The FTC has also directed these entities to its newly-unveiled guide to taking proper security measures to prevent unauthorized P2P access.  The FTC has indicated that it "has opened non-public investigations of other companies whose customer or employee information has been exposed on P2P networks." 

Incident(s) of the Week: Recent Updates from Prior Incidents

1.  The FTC Fines Las Vegas Man $35,000 for Dumping Customer Financial Records In Public Dumpster

This week, the FTC finalized a $35,000 settlement with Gregory Navone, the real estate broker who left 40 boxes of customer tax returns, bank statements, consumer reports and other financial records in a public dumpster behind an office building in Las Vegas.  The defendant agreed to the fine, which amounts to $875 per box, as well as a stipulated order (.pdf) requiring him to adopt a comprehensive written information security program.  We first posted on this case a year ago, after the FTC filed its complaint (.pdf). 

In addition to the dumping of consumer financial information, the FTC alleged that Navone had failed to implement physical and electronic security procedures or to take reasonable steps to secure the customer records he stored at home in his garage.  According to the FTC, these activities violated the FTC Act, the Fair Credit Reporting Act (FCRA) and Navone's own information security policy, which read:

We take our responsibility to protect the privacy and confidentiality of customer information very seriously.  We maintain physical, electronic, and procedural safeguards that comply with federal standards to store and secure information about you from unauthorized access, alteration and destruction.

(See Complaint (.pdf), Para. 9).  Everyone subject to document destruction laws may want to note this case and keep in mind that $35,000 is the fine imposed on an individual / small business.

2.  Fight Breaks Out Over Whether Hacker Responsible For Largest Data Breach In History Suffers From "Internet Addiction"

In December, Albert Gonzalez, aka "segvec," "soupnazi" and "j4guar17" pled guilty to charges that he masterminded the theft of over 100 million consumer credit card numbers and other financial information from Heartland Payment Systems, 7-Eleven and other companies.  We posted on his indictment last August and again on his curious role as government informant.  The public recently gained a new window on Gonzalez's soul from filings made by defense attorneys that portray the hacker as an "Internet addicted" youth compelled to commit cybercrime.  Collecting statements from Gonzalez's psychologist, family members and a former girlfriend, the defendant's sentencing memorandum (.pdf) provides an interesting point of view on the life of the hacker:

As a young boy, Gonzalez was an outwardly normal enough kid -- he had friends, engaged in activities, worked alongside his father, received good grades in school, and was part of a warm and loving family which continues to stand by him.  In middle school, things began to change, and by high school Gonzalez had become a different person -- a loner, without friends, who passed up normal teenage activities, including dating, to devote himself to his new-found and rapidly escalating obsession: computers.

*    *    *

Seeking to break Gonzalez of his computer habit, his mother periodically sought to deny him access to his computer or to at least curtail his usage, once putting it in his sister's room.  Rather than be deprived of access to his computer, Gonzalez would go to his sister's room in the middle of the night to use it.  Gonzalez's social contacts narrowed to computer chat rooms where he communicated with others with knowledge of computers and to meetings of other computer-savvy individuals, many of whom were hackers and from whom he learned much that he would, unfortunately, later convert to unlawful purposes.

*    *    *

[B]y [ ] early 2002 -- Gonzalez, age 21, had developed a serious drug and alcohol problem . . . which played a substantial role in the subsequent course of his life.  This is not to say that his substance abuse affected Gonzalez' [sic] ability to tell right from wrong.  It did not, and he knew when he turned to cyber-crime that it was wrong.  What it did do, however, was contribute to his inability to stop himself.  What developed over time was a destructive cycle of using drugs to permit him to stay awake and alert for long hours at the computer but also using them to try to get away from the computer . . . .

*    *    *

Computers . . . had become the center of his life, his raison d'être, if you will.  He and his computer in many ways became one: he thought in computer-speak instead of normal words, and, when his computer was infected by a virus, [he] referred to the event as if it were he, himself, who had gotten the virus.

Describing Gonzalez as unable to stop his urge to commit cybercrime, defense counsel has asked the Court to sentence him to 15 years in prison, the minimum sentence permitted.  Last week, federal prosecutors renewed their request to have a government psychologist examine Gonzalez to combat the defendant's claim that his "internet addiction" merits leniency within the 15 to 25 year sentencing range. 

Is Tougher HIPAA Enforcement Finally On Its Way?

It has been well over a decade since the passage of HIPAA in 1996.  HIPAA has caused many changes in the way the business of health care works, including going a long way toward creating the position of “health information professional.”  One area where HIPAA has, as yet, had little impact is enforcement.  The history of enforcement of HIPAA’s privacy and security rules has been slim to none.  The changes in behavior that have occurred have been made out of a desire to follow the law, not out of fear of prosecution or administrative action. 

First and foremost in this regard, I note the recent decision of the Department of Health and Human Services to transfer the authority for enforcement of HIPAA’s security rules from CMS to the Office for Civil Rights (OCR).  OCR is certainly in a better position to undertake enforcement than CMS.  According to my colleague, Tom Barker, OCR has a field force of 275 investigators with an annual budget of $40 million.  I believe OCR will need to justify that budget, and the most visible way to do that is to bring enforcement actions and recover significant penalties.  Nevertheless, $40 million does not go as far as it used to, and it certainly is not enough for a broad-based, nationwide enforcement initiative.  Instead, I suspect we will start to see incrementally more enforcement actions, higher financial penalties and a few selected audits. 

Also pushing HIPAA enforcement is the HITECH Act, which was passed in February 2009 and much of which goes into effect in February 2010.  Through the HITECH Act, HIPAA business associates are now subject to almost the same regulations as HIPAA covered entities.  Penalties for HIPAA violations also were increased, and the ability to enforce some rules has been extended to state attorneys general. 

There is one additional factor in the enforcement environment that is little-noticed, but nevertheless is very significant: the general public.


Massachusetts Regulators Finalizing Information Security Regulations, Keep March 1, 2010 Deadline

According to BNA reporter Martha Kessler, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has filed its final information security regulations and will be making them public this week.  BNA has released what they claim to be the final regulations (.pdf) [also available from BNA here (html)].  The final rules appear to have been tweaked only slightly from the draft regulations issued on August 17, 2009.  In a redline comparison (.pdf) against the last draft, two primary revisions emerge:

  1. Entities affected by the regulations have been expanded to include businesses and individuals that merely store personal information; and
     
  2. A clarification was made to the provision requiring affected businesses to negotiate written contracts with service providers that handle personal information.  The tweaks make clear that the grandfather provision that permits companies to rely on service provider contracts already in place will expire on March 1, 2012.

The March 1, 2010 deadline remains unchanged. 

While the final regulations have not been posted to the OCABR website, many are eager to see whether the OCABR also provides additional guidance on how to comply, as Undersecretary Anthony promised at the public hearing on these regulations in September.

UPDATE: On Wednesday, November 4th, the OCABR released the final Massachusetts information security regulations (.pdf) to the public, as predicted.  In its release, the OCABR also announced the publication of its report on consumer data breaches between 2007 and 2009 (.pdf).  The report indicates that since the Massachusetts data breach notification law (M.G.L. ch. 93H) went into effect in 2007, over 1 million Massachusetts residents have been affected by a noticed breach.  Among the many practices mentioned in the report, the OCABR has warned against: (1) "poor employee handling;" (2) documents sent to the wrong recipient; and (3) not taking steps to prevent access by terminated employees.

ALERT: FTC Announces Delay in Red Flags Enforcement Until June 1, 2010

Two days before they were scheduled to go into effect, and on the same day that a federal judge ruled that lawyers should be excluded from enforcement, the Federal Trade Commission (FTC) announced today that it was delaying enforcement of its Red Flags Rule until June 1, 2010.  In the announcement, the FTC stated that the delay was due to "the request of Members of Congress" and highlighted the efforts it has made to provide guidance to covered entities on how to comply with the Rule.  However, the announcement specifically mentioned the October 30, 2009 ruling by District Judge Reggie B. Walton of the U.S. District Court for the District of Columbia (see our coverage here), in which the Court granted the ABA's motion for summary judgment, finding that the FTC may not apply the Rule to attorneys.  According to the announcement, the delay in enforcement "does not affect the separate timeline" of the ABA's lawsuit "and any possible appeals."  Given the timing of the announcement, the most likely explanation for the delay is that the FTC wants to give itself time to appeal the district court's decision in the ABA suit. 

To recap the events leading up to this postponement: in April, the ABA received word that the FTC intended to enforce the FTC's Red Flags Rule, 16 CFR Part 681, against lawyers.  The ABA immediately asked the FTC to extend the May 1, 2009 deadline and the FTC obliged by postponing the deadline until August 1, 2009 (see our post on this topic).  After the ABA publicly called on the FTC and Congress to exempt lawyers from the Red Flags Rule in late June, it filed suit in federal district court on August 27, 2009, leading to the ruling in its favor this morning.

However, as we noted in our post on the district court's ruling, caution may be warranted for attorneys because a number "of federal and state laws demand that companies ensure that customer information is protected "downstream" -- i.e., by consultants, accountants, lawyers and anyone else who is given access to customer records . . . . Under these overlapping obligations [along with the fact that the FTC will almost certainly appeal Judge Walton's decision to the D.C. Court of Appeals] lawyers and law firms who represent regulated businesses may ultimately have little to celebrate as a result of the ruling in favor of the ABA" and the delay in enforcement of the Rule.

Federal Judge Rules That Lawyers Need Not Comply With Red Flags Rules

After hearing argument yesterday, Federal District Judge Reggie B. Walton entered an order (.pdf) this morning granting the American Bar Association's (ABA) request that lawyers be excluded from enforcement of the Federal Trade Commission's (FTC's) controversial Red Flags Rules.  This comes as the legal community steeled itself for the FTC's imminent November 1st enforcement deadline.  The order does not go into detail to explain the Court's decision, but promises a written legal opinion within the next month.

The ABA sued the FTC in August to obtain this relief after lobbying both the FTC and Congress to exempt lawyers from the Red Flags Rules.  News of the judge's ruling spread after the hearing yesterday.  ABA President Carolyn B. Lamm stated "By voiding the FTC’s interpretation of a statute that was clearly not intended to apply to the legal profession, the court has ensured that lawyers stay focused on the mission of their work: providing aid and counsel to the individuals and organizations that need us."  No public comment has been posted by the FTC.

Caution may be warranted here, however.  Lawyers, like many other consultants that handle clients' documents and data, will likely be required to take many, if not all, of the same security measures demanded of their clients.  The Red Flags Rules require, among many things, that companies oversee how their service providers manage customer information and accounts (16 CFR Part 681.1(e)(4)).  As a result, lawyers may find themselves complying with the Red Flags Rules because they represent companies that must comply with the Rules, which currently include financial institutions and a range of businesses.

It should be noted that a range of federal and state laws demand that companies ensure that customer information is protected "downstream" -- i.e., by consultants, accountants, lawyers and anyone else who is given access to customer records. Many state identity theft regulations, such as the strict Massachusetts regulations promulgated as 201 CMR 17.00, require that companies obtain written certifications that service providers are taking all the same security measures as their clients.  Moreover, financial institutions governed by the Gramm Leach Bliley Act and health care providers covered by HIPAA have similar requirements.  Under these overlapping obligations, lawyers and law firms who represent regulated businesses may have little to celebrate as a result of the ruling in favor of the ABA.

Subject of FBI Investigation Reveals Government Concerns About Access to Federal Courts' Public PACER System

Reddit co-founder Aaron Swartz was apparently the subject of an FBI investigation for “participating in a project to take the publicly owned US court records from the PACER database (where they were very expensive to access) and put them on the web.” 

Mr. Swartz has made this information public by releasing the contents of his FBI file, obtained through a Freedom of Information Act request. His file reveals that the FBI was treating his access of PACER as a crime which cost the victim, the Administrative Office of the US Courts, approximately $1.5 million. The file suggests, but does not explicitly state, that the crime may have been a violation of the Computer Fraud and Abuse Act (18 U.S.C. §1030), as the FBI apparently asked the Administrative Office of the US Courts how Mr. Swartz would have known his access was unauthorized.

The FBI closed its investigation of Mr. Swartz without filing charges. The investigation of Swartz's activity, coupled with questions about what constitutes accessing a computer "without authorization" under anti-hacking statutes (as I previously discussed here), suggests that future efforts to open the PACER system (as well as existing efforts, like RECAP) may meet with some government resistance.

For more on efforts to make the PACER system more accessible to the public, see our previous posts on the subject.

Incident of the Week: Declassified Documents Show FBI Expanding Data Mining Efforts Over 1.5 Billion Personal Records (And Counting)

Declassified documents obtained (but not published) by WIRED Magazine indicate that the FBI has been hard at work expanding a database of Americans' personal and financial information.  According to WIRED, the FBI's National Security Branch Analysis Center (NSAC) has compiled a database of "more than 1.5 billion government and private-sector records" and has been mining this database for use in criminal investigations. The data, which apparently has been obtained from a number of private companies, includes transaction records from hotels, rental car companies and retailers. [Note that this database dwarfs the largest known data breach to date, which involved a mere 130 million records. One hopes that they have policies in place to prevent abuse.]  The records include:

  • International travel records of citizens and foreigners
  • Financial forms filed with the Treasury by banks and casinos
  • 55,000 entries on customers of Wyndham Worldwide, which includes Ramada Inn, Days Inn, Super 8, Howard Johnson and Hawthorn Suites
  • 730 records from rental-car company Avis
  • 165 credit card transaction histories from Sears
  • Nearly 200 million records transferred from private data brokers such as Accurint, Acxiom and Choicepoint
  • 17,000 traveler itineraries from the Airlines Reporting Corporation

This program is picking up speed. Declassified documents obtained by WIRED apparently show that the FBI has 103 full-time employees and contractors devoted to the project and has requested funding for 71 more.  Funding for the program has expanded from $47.5 million in 2007 to $78.7 million in 2008.  A U.S. Department of Justice document (.pdf) indicates that in 2009 alone, NSAC received 18 new employees and a more than $10 million increase in its budget.

This is not the first data mining project developed for the purposes of investigating terrorism and criminal activities.  In the wake of the September 11, 2001 attacks, the U.S. government began development on a data mining project called "Total Information Awareness" or "TIA" which would analyze vast amounts of information regarding financial transactions, travel, health records and other types of customer data to detect terrorism and criminal activity.  The Defense Advanced Research Projects Agency (DARPA) and the Pentagon's short-lived Information Awareness Office were chiefly responsible for this project.  Based on concerns about the scope and privacy implications of the project, Congress pulled funding for the TIA program and shuttered the Information Awareness Office in September 2003.

The current NSAC program makes it clear that the government has not given up on efforts to use large-scale data mining in criminal investigations.  To many, however, the program implicates the same privacy concerns as TIA and should be subject to strict scrutiny and oversight.  In 2007, congressmen Brad Miller and James Sensenbrenner sent a letter (.pdf) to the Government Accountability Office asking it to look into the NSAC project. One year later, congressman Miller sent a second letter (.pdf) to the House Committee on Appropriations demanding that funding to NSAC be suspended until the FBI outlines the program's purpose and provides "a clear idea of how NSAC intends to ensure that the program complies" with privacy guidelines.  According to congressman Miller, the U.S. Department of Justice refused to provide any information on the FBI's plan for the program and what information it planned to obtain.  In addition, the FBI apparently told GAO officials that the NSAC program was "not yet 'operational'" in an April 3, 2008 meeting.  In contrast, documents obtained by WIRED apparently indicate that the NSAC data mining operations have been used in prosecuting a number of individuals.

Massachusetts Supreme Judicial Court Allows Use of Secret GPS To Track an Individual's Movements, But Requires Police To Obtain Warrant

Earlier this year, the Wisconsin and New York state courts split on whether police may install a covert GPS tracking device on a suspect's car without a warrant.  On September 17, the Massachusetts Supreme Judicial Court addressed the GPS tracking device issue, ruling that Article 14 of the Massachusetts Declaration of Rights requires a warrant before such a device may be installed and used.

The defendant, Everett Connolly, was a suspected drug dealer who was investigated by police for more than a year.  The investigation included surveillance and controlled drug purchases by confidential informants and, towards the end of the surveillance period, by an undercover officer.  Based on this investigation, the police applied for a warrant to place a GPS tracking device on Connolly's van for fifteen days.  The application was granted and Connolly was eventually arrested (based on a separate arrest warrant), tried and convicted.  He argued to the SJC that, among other things, "surreptitious GPS monitoring without a warrant constitutes an unreasonable search and seizure that violates the Fourth Amendment . . . and art. 14 of the Massachusetts Declaration of Rights."  He based this argument on the theory that, although police had a search warrant, they continued to obtain information from that warrant after it had expired.

Read on for more detail and analysis of the SJC's opinion.

FTC to Host Public Roundtables in December to Address Evolving Consumer Privacy Issues

The Federal Trade Commission will host a series of public "roundtable discussions" to explore the privacy challenges posed by "technology and business practices that collect and use consumer data," including social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The FTC's expressed goal of the meetings is to determine how best to protect consumer privacy while supporting beneficial uses.

The first of these free, public meetings will be held Monday, December 7, 2009, at the FTC Conference Center in Washington, DC.  A live Webcast of the program also will be available at FTC.gov.  Individuals and organizations may submit requests to participate as panelists and may recommend topics for inclusion on the agenda.

ABA Sues FTC To Stop Application of Red Flag Rules to Lawyers

In a move threatened but not expected this soon, the American Bar Association today sued the Federal Trade Commission, in an effort to stop the application of the Red Flags Rule to lawyers.  The Red Flags Rule is scheduled to go into effect on November 1, 2009. 

The complaint (.pdf), which was filed in federal district court in Washington, D.C., seeks declaratory and injunctive relief, with the goal of making clear that lawyers are not "creditors" required to comply with the Red Flags Rule.  Interestingly, nowhere does the complaint suggest that lawyers are not just as vulnerable to identity theft as other professionals.  Rather, the complaint argues that lawyers are regulated at the state level, not by the federal government, and that the FTC has not been given the necessary authority by Congress to change this state of affairs.

The FTC had already delayed its planned enforcement of these rules from August 1 to November 1, in response to the ABA's objection (see our prior post on the back and forth between the FTC and ABA).  Whether there will be further delays in the Red Flags Rule implementation date or further talks to discuss carving out lawyers is not yet known.

IRS In Discussions With Swiss Bank UBS Over Identification of Bank Clients Suspected of Tax Evasion

On July 13, a federal judge in Miami granted a joint motion to stay an evidentiary hearing that was to be held as a result of a petition from the United States that the Swiss bank UBS be compelled to disclose the names of 52,000 American clients who were suspected of tax evasion.  The case has raised concerns about the effects of privacy laws in other nations on the ability of the federal government to enforce its own laws and created tension between the Justice Department, which had said it might fine, or even indict, UBS if the judge ordered it to disclose the names and it continued to refuse to do so, and the Swiss government, which has said it would not allow UBS to disclose any names.

The case began on February 19, 2009, when the United States filed a petition (.pdf) in the U.S. District Court for the Southern District of Florida, asking the court to enforce an IRS "John Doe" summons to UBS.  The IRS served the summons in furtherance of an investigation it was conducting to determine the identities of U.S. taxpayers who had allegedly failed to report the existence of, and income earned in, undeclared Swiss accounts with UBS.  On February 20, UBS filed a document containing what it termed "background information for the court's consideration" (.pdf).  In this filing, UBS argued that the IRS was essentially asking it to violate Swiss privacy laws, thereby exposing its employees and the bank to criminal and civil penalties.  UBS argued that the petition raised serious issues of international comity due to Swiss financial privacy laws, violated treaties between the United States and Switzerland and violated a prior agreement between the United States and UBS.  That same day, the United States filed a response (.pdf) that disputed the arguments made by UBS.

On April 30, UBS then filed a brief (.pdf) that expounded on its arguments against disclosure.  In support of UBS, the Swiss government filed an amicus brief (.pdf).  On June 30, the United States then filed its response (.pdf).  The federal judge had scheduled a hearing for July 13, 2009, to hear arguments on the petition.  On July 12, 2009, however, the parties filed a joint motion to stay the hearing, so they could continue to discuss settlement.  The judge granted the motion and re-set the hearing to August 3, in the event the parties could not reach a resolution.

The dispute between the IRS and UBS is also having effects on third parties.  The Wall Street Journal reported on Monday that Swiss banks are curbing or eliminating business with U.S. customers for fear of future action by U.S. authorities.  While it is probable that the U.S. and UBS will reach some sort of settlement (likely involving a payment by UBS to the U.S.), if the case goes forward it will be interesting to see what future effects the outcome could have, not just on financial transactions between American citizens and Swiss banks, but on transactions between American citizens and any other international bank, as well as on the federal government's ability to enforce tax laws beyond its borders.

ALERT: FTC Announces Delay in Red Flags Enforcement Until November 1, 2009.

Amidst calls from the legal community, the Federal Trade Commission (FTC) announced this morning that it was delaying enforcement of the FTC's Red Flag Rules until November 1, 2009.  The FTC's announcement of the delay emerged almost as a footnote to a public statement devoted largely to the FTC's "redoubled" efforts to "provid[e] additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply."  The FTC appears to be stepping up its outreach efforts with an "Expanded Business Education Campaign" that is intended to address those businesses that "remain uncertain about their obligations."  This seems aimed at the recent statements from the American Bar Association (ABA), which has called on the FTC and Congress to exempt lawyers from the FTC's Red Flags Rules and threatened to sue the FTC to stop any enforcement action against the legal industry.

To recap the events leading up to this postponement: in April, the ABA received word that the FTC intended to enforce the FTC's Red Flags Rule, 16 CFR Part 681, against lawyers.  The ABA immediately asked the FTC to extend the May 1, 2009 deadline and the FTC obliged by postponing the deadline until August 1, 2009 (see our post on this topic).  After a few months of thought, the ABA publicly called on the FTC and Congress to exempt lawyers from the Red Flags Rule.  The ABA's June report on "Why the Red Flags Rule Should Not Apply to Lawyers" lays out a legal argument for why billing a client is not really an extension of credit that turns every lawyer and law firm into a "creditor" under the Red Flags Rule and the Fair and Accurate Credit Transactions Act (the FACT Act).  More recently, ABA President H. Thomas Wells, Jr. told the Blog of Legal Times that the ABA plans on filing a federal lawsuit this week to block enforcement of the Red Flags Rule, if "we don’t get some kind of sign."  And, perhaps on the ABA's urging, a House Appropriations subcommittee apparently asked the FTC to postpone its deadline yet again.  Other blogs and websites have been abuzz with "sources" close to the discussions between the ABA and the FTC, and then today the FTC announced that it had delayed the enforcement deadline yet again.

Lest anyone think that the ABA is on its own on this issue, the Massachusetts Bar Association sent the FTC a letter objecting to the application of the Red Flags Rules to lawyers and the New York County Lawyers Association also issued a report objecting to enforcement against lawyers.  State bar associations are joining the ABA in calling on the FTC to excuse them from the reach of the "new" regulations (which are, in fact, more than a year old at this point, after numerous delays in enforcement by the FTC).  

House Subcommittees Hold Joint Hearing On Behavioral Advertising

On June 18, 2009, the House Subcommittee on Commerce, Trade and Consumer Protection held a joint hearing with the Subcommittee on Communications, Technology, and the Internet on the topic of “Behavioral Advertising: Industry Practices and Consumer Expectations.” The subcommittee members explained that they hoped the hearing would help determine the need and possible parameters for new legislation governing privacy and behavioral advertising.

Good News and Bad News: An Employer Is Hiring; It's The HHS Office of Civil Rights!

In an email to its listserv earlier today, the federal Department of Health and Human Services announced it "is expanding its health information privacy enforcement team."  In particular, HHS is hiring for two new positions located in HHS's "Office of the Secretary, Office for Civil Rights (OCR), Office of the Deputy Director Health Information Privacy (ODDHIP)."  As described on USAJOBS.GOV, the people to be hired "will be responsible for reviewing, analyzing, implementing, promoting, or improving proposed or existing programs or policies needed to implement OCR's authority for ensuring compliance with the privacy of health information."  If you are a privacy officer, this could be the federal government stimulus you've been waiting for!

FTC and Other Agencies Issue Frequently Asked Questions (With Answers) on Red Flags Rules

On June 11, 2009, six federal agencies issued answers to a set of frequently asked questions (FAQ) (.pdf) to "assist financial institutions, creditors, users of consumer reports and card issuers in complying with the final rulemaking" on identity theft.  The agencies behind the FAQ are those that originally promulgated the Red Flags Rules (and issued Guidelines to assist covered entities in designing compliance programs): the Federal Trade Commission (FTC), the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS).  Some of the highlights from the FAQ are:

  • The agencies clarified that "all banks, savings associations and credit unions are covered by the Red Flags Rules and Guidelines as 'financial institutions,' whether or not they hold a transaction account belonging to a consumer," and including "those whose powers are limited to trust activities;"
  • Brokers, dealers, investment advisors or investment or insurance companies (including those that are subsidiaries of a bank or savings association) are covered by the Rules and Guidelines if they are a "financial institution" or "creditor" under the Fair Credit Reporting Act;
  • IRAs will generally be considered "covered accounts" and thus subject to the Rules and Guidelines;
  • The term "covered account" includes accounts established in the United States by non-U.S. residents;
  • Check forgery or use of a stolen credit card constitutes "identity theft" because it involves a fraud using the identifying information of another person without authority;
  • The Rules and Guidelines do not require a financial institution or creditor to educate consumers regarding the risk of identity theft, although such programs "may be helpful as part of an overall effort to address the problem of identity theft";
  • Financial institutions may, but are not required to, use automated systems to detect red flags, but may have to supplement such systems with non-automated procedures;
  • The Rules and Guidelines require financial institutions or creditors to oversee all service provider arrangements that relate to the opening or accessing of a covered account, not just those with providers that offer fraud detection services.

While it is certainly laudable for the agencies to put together a list of answers to various FAQs in order to facilitate the transition to when the Rules and Guidelines go into effect, I found many of the answers to be fairly unhelpful.  For starters, most of the questions and answers deal with the Rules and Guidelines only as they relate to financial institutions, even though they will apply to numerous other types of institutions.  Moreover, much of the guidance given was extremely vague.  For example, many of the answers to questions regarding covered accounts could be summarized as "it depends on whether the institution determines that there is a foreseeable risk of identity theft."  It would have been helpful for the agencies to provide some examples or other more concrete information.  Hopefully the agencies will expand on the FAQ in the near future to address concerns of entities beyond financial institutions and perhaps provide more concrete guidance.

ABA to Consider Asking FTC and Congress to Exempt Lawyers from Red Flags Rules

A contact at the American Bar Association (ABA) confirmed by telephone today that the ABA Board of Governors is meeting this Saturday, June 13, 2009 to determine what position the ABA will take on whether lawyers and law firms are (or should be) considered "creditors" subject to federal Red Flags Rules.  Many among the legal community are hoping that the ABA urges the FTC and Congress to exempt lawyers from compliance with federal Red Flags Rules or takes some other action to limit the scope of the FTC's enforcement.  (For background on the Red Flag Rules, see our prior postings here, here and here). 

The FTC has previously indicated that it plans to enforce the Red Flags Rules against lawyers along with any other business that sells goods or services now and bills its customers later (see our prior discussion here).  However, according to the ABA, the first it heard of this issue was when federal regulators notified the ABA of the government's position on April 23, 2009.  This was just a week before the FTC was to begin enforcement of the Red Flags Rules.  The next day, after the FTC attended an emergency meeting with the ABA Government Affairs Office, President H. Thomas Wells, Jr. directed a letter to FTC Chairman Jonathan D. Leibowitz (.pdf) requesting an additional three- to six-month delay in enforcement so that the ABA could consider its stance on this issue.  The FTC appears to have acquiesced to the ABA request a few days later, when the FTC postponed the May 1, 2009 enforcement deadline until August 1, 2009.

In the president's letter as well as a separate public statement (.pdf), the ABA indicated that "some" believe that federal precedent contradicts the FTC's expansive interpretation of the law (for more information, see our detailed discussion of the caselaw here and here).  The ABA has also noted that "the FTC has no examples of identity theft arising from an attorney-client relationship." 

Given the looming compliance deadline, it seems likely that we will hear from the ABA shortly -- possibly as early as next week.  In view of the FTC's response (.pdf) to the public objection raised by the American Medical Association (.pdf), the ABA may need to take a different tack to effect a change in the FTC's enforcement policy.

[I should note that an attorney in California called me up yesterday to discuss the FTC's view that lawyers should be considered "creditors" subject to federal Red Flags Rules.  Thanks are owed to her for raising the question of whether the ABA has articulated a view on this issue.]

Massachusetts Regulators Present on New Information Security Rules - June 5, 2009, Suffolk University Law School

On Friday, June 5, 2009, Suffolk University Law School's Center for Advanced Legal Studies organized a thorough presentation on the Massachusetts information security rules.  These presentations were led by a pair of notable Massachusetts regulators: Scott D. Schafer, the head of privacy enforcement for the Massachusetts Attorney General, and David A. Murray, the chief architect of the Massachusetts identity theft regulations for the Office of Consumer Affairs and Business Regulation (OCABR).

These men provided useful recommendations on a number of compliance issues, including when a business should be notifying customers about a security breach, how to ensure that personal information is disposed of properly, and what businesses should be doing to comply with the new information security standards.  Read on for the highlights from these presentations.

"Hi, We're From the FCC and We Are Here to Search Your Cellphone"

From the increasingly populated intersection of the Fourth Amendment and modern technology comes this story from Wired’s "Threat Level."  The Federal Communications Commission (FCC) claims the right to enter onto any property to inspect -- without a warrant -- any radio equipment, regardless of whether it is licensed or unlicensed.  In an interview with Wired, an FCC spokesperson claimed that the FCC’s right to inspect radio equipment extends to “anything using RF energy.”  This includes commonplace items like wireless internet routers, remote access car keys, and cell phones.  Additionally, if any illegal or suspicious items or behavior are discovered or observed during a warrantless administrative search, these observations may be the basis for a criminal search warrant or arrest.  Despite some substantial disagreements about this application of the law, operators have been fined by the FCC for failure to allow such warrantless inspections.  The ubiquity of items the FCC claims it may inspect without a warrant, combined with the potential for such searches to lead to criminal actions, is causing privacy advocates to react with concern.  And with good reason, as this could be a prelude to the expansion of other types of administrative searches.

Links:

  • Cory Doctorow reports on the FCC’s inspection policy at BoingBoing here
  • The Federal Communications Commission’s homepage is here
  • The Federal Communications Commission’s “2005 Inspection Policy” can be found at their website here
  • The Federal Communications Commission’s order imposing a fine for failure to allow inspection of radio equipment can be found here or at their website here
  • John Byrne reports on the FCC’s inspection policy at the Raw Story here
  • Rogue Radio Research’s FAQ arguing the FCC lacks the power to inspect unlicensed radio stations can be found here
  • Ryan Singel’s report breaking this story at Wired, “FCC’s Warrantless Household Searches Alarm Experts”, can be found here

 

Courts Split On Whether Police Can Use GPS To Track Individual's Movements Without A Warrant

According to the Chicago Tribune, on May 7, 2009, a three-judge panel of the Wisconsin Court of Appeals unanimously ruled that police "can attach GPS to cars to secretly track anybody's movements without obtaining search warrants" without violating the Fourth Amendment.  The court's opinion in State v. Sveum can be found here.  The defendant Sveum was under investigation for stalking when the police obtained a warrant to secretly place a GPS device on his car while it was parked in his driveway.  The device recorded the defendant's movements for five weeks, after which time police retrieved it and used the information on it to obtain a warrant to search the defendant's residence.

More recently, on May 12, the New York Court of Appeals (that state's highest court) ruled that placing a GPS tracking device inside the bumper of a suspect's car without a warrant, and using that device to monitor the suspect's movements for two months, violated the suspect's rights under the New York State Constitution.  The court's opinion in People v. Weaver can be found here.

Cracking Down: FTC Settles Claims Against Mortgage Company For Violations of FTC Safeguards Rule - Requires Information Security Program and 10 Years of Security Audits

On Tuesday, May 5, 2009, in a press release devoted largely to the FTC's congressional testimony on peer-to-peer file sharing, the FTC announced that it had reached a settlement of its claims against James B. Nutter & Company, a mortgage company that did not implement information security measures to meet federal minimums.  According to the FTC, the result of this alleged failure was that an intruder in the company's systems sent "millions of outgoing spam emails" and "could have accessed personal information without authorization."  In a consent order (.pdf) that parallels settlements in a number of prior FTC enforcement cases, the company has agreed to implement an information security program and subject itself to biennial security audits for 10 years.

In the FTC complaint (.pdf), federal regulators claimed, among other things, that the mortgage company "failed to provide reasonable and appropriate security for personal information," including by failing to implement a "comprehensive written information security program."  Such a program is a requirement for financial institutions, including lenders and mortgage companies, under the FTC Safeguards Rule, a regulation promulgated in 2002 to implement Section 501(b) of the Gramm Leach Bliley Act (GLBA).  The complaint also alleged that James B. Nutter & Company failed to provide customers adequate notice of its security practices, as required by the FTC Privacy Rule.  The Privacy Rule was promulgated in 2000 to implement Sections 501 through 509 of the GLBA.

Notably, the complaint makes few allegations of damage to consumers. The only alleged harm consisted of spam email and the possibility of unauthorized access to customer information. No doubt this is the reason why the settlement did not involve a substantial fine, as the FTC sought, at least nominally, in its last enforcement action in this area (see our posting on the FTC's settlement with Rental Research Services). The case thus suggests that the FTC may be willing to undertake enforcement efforts when only consumer privacy interests are affected, even in the absence of concrete financial harm.

* Update: an attorney representing James B. Nutter & Company has contacted us to provide Security, Privacy and the Law with the company's press release on this incident (.pdf) and to clarify that the company is obligated to submit to only 5 biennial security audits over 10 years.

Last Minute Reprieve: FTC Postpones Deadline for Red Flags Compliance Until August 1, 2009 - Will Release "Template" For Compliant Identity Theft Prevention Program

On Thursday, April 30, 2009, the day before the federal Red Flags Rules were set to go into effect for a wide range of businesses, the FTC published a notice on its website indicating that it is postponing the deadline (yet again) until August 1, 2009. Importantly, this delay appears to be imposed so that the FTC can provide businesses, many of which are confused about how to comply, with a "template" identity theft prevention program: "For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law." The FTC indicates that it will make the template available through its website.

In delaying enforcement, the FTC continues to maintain that the Red Flags Rules apply broadly to any business that bills its customers (i.e., "all entities that regularly permit deferred payments for goods or services"). In particular, the FTC specifically mentions that the statutory term "creditor" encompasses "businesses that provide services and bill later, including many lawyers, doctors, and other professionals." The notice concedes that considerable confusion has surrounded the preliminary question of who is covered under the new rules. The FTC directs businesses looking for more information to the FTC's new microsite on the Red Flags Rules.

Cracking Down: FTC Fines Credit Research Firm $500,000 For Lax Security, Obtains Court Order Requiring Company to Develop "Comprehensive Information Security Program"

On Thursday, March 5, 2009, the FTC announced that it had reached a settlement with financial research firm Rental Research Services, Inc. (RRS) and its managing officer, Lee Mikkelson, to resolve the FTC's claims that the firm had failed to provide adequate security for sensitive consumer information, which was provided to identity thieves posing as legitimate users. According to the FTC, the faults in RRS's security amounted to "unfair acts or practices" in violation of the FTC Act. RRS and Mikkelson were fined $500,000, but the fine was suspended in light of the company's present financial condition. Also, in a move that echoes the FTC's past enforcement of information security standards under the FTC Act and foreshadows future enforcement of the Red Flags regulations, the terms of the FTC's court order require RRS to develop a "comprehensive information security program that is designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers" and submit itself to independent security audits every 2 years until 2029.

Especially in view of the upcoming May 1, 2009 deadline for compliance with the federal Red Flags regulations, this case may be a good example of what we can expect to see from federal and state regulators in enforcing existing and future information security standards, especially with respect to consumer data providers. Below I will summarize the case and identify the key elements of the information security program that the FTC required.


Man Sentenced to 12 Months of Probation and Community Service for Illegal Access to Obama's Passport Records

Dwayne F. Cross, the second of three people who have pleaded guilty to illegally accessing then presidential candidate Barack Obama's passport files, was sentenced to 12 months' probation and 100 hours of community service on Monday. Mr. Cross admitted to accessing State Department passport records involving over 150 individuals, including celebrities, family members, and personal acquaintances, out of "idle curiosity". These files contained a wealth of personal information, including social security numbers, phone numbers, emergency contact information, and photographs.


FTC Asks Congress For Enhanced Rulemaking and Enforcement Powers To Curb Abuses in Financial Industry

On Tuesday, March 24, 2009, FTC Chairman Jon Leibowitz testified before the U.S. House Subcommittee on Commerce, Trade and Consumer Protection seeking enhanced legal powers "[t]o allow the FTC to perform a greater and more effective role in protecting consumers." The prepared text of his testimony is available here (.pdf). Of particular note, the FTC is asking Congress to:

  1. Permit the FTC to use "notice and comment" rulemaking to declare business practices used in the financial industry to be unfair and deceptive acts in violation of the FTC Act -- a process that, according to Chairman Leibowitz, could shorten the time taken to put new regulations in place from 3-10 years under the current system to 1 year under a "notice and comment" system; and

  2. Authorize the FTC to bring civil lawsuits in federal court and to obtain civil penalties for unfair and deceptive practices.

Highlights from the IAPP Privacy Summit - March 11-13, 2009 Washington, D.C.

Between March 11, 2009 and March 13, 2009, the International Association of Privacy Professionals (IAPP) hosted a Privacy Summit in Washington, D.C. that featured keynote presentations from fraud expert Frank W. Abagnale and information security guru Bruce Schneier. The three-day event included dozens of breakout sessions with industry experts and government officials. Read some of the highlights below.


Cracking Down: FCC Initiates Enforcement Action Against Hundreds of Telecommunications Carriers For Failing to Certify Compliance With Customer Privacy Rules

On Tuesday, February 24, 2009, the Federal Communications Commission (FCC) issued an Omnibus Notice of Apparent Liability alleging that more than 600 telecommunications carriers have violated Section 222 of the Communications Act, which "imposes the general duty on all telecommunications carriers to protect the confidentiality of their subscribers' proprietary information," and the EPIC Customer Proprietary Network Information (CPNI) Order (22 FCC Rcd 6927), which requires each carrier to certify compliance with the regulations governing customer information. FCC Chairman Michael J. Copps issued a public statement addressing the enforcement action and highlighting that the FCC "continued to make consumer privacy protection a top priority." The FCC seeks a $20,000 fine from each of the carriers (around $13 million in total) and has stated that it moderated the amount of the fines because the carriers were small companies and because this was the first year of the certification requirement (certifications were due March 1, 2008). As the FCC warns in its official Notice, "[t]o the extent that we determine that the proposed forfeiture adopted herein does not have the intended deterrent effect, future noncompliance will face more severe penalties."

If you've been looking for signs of how the Obama administration intends to enforce privacy and information security regulations, here is one of a few early signs that federal regulators are under orders to step up enforcement efforts and are beginning with the backlog of violations from 2008.
