Massachusetts Data Security Law - Contract Grandfather Provision Expires March 1, 2012

Our colleagues have reminded us that on March 1, 2012, the contract grandfathering provisions of the Massachusetts Data Security Law and Regulations will expire:

by Catherine M. Anderson, Jeffrey D. Collins 

As we previously noted in our Foley Adviser dated February 3, 2010, “New Massachusetts Data Security Law and Regulations-Comprehensive Information Security Plan required before March 1, 2010”, under the regulations, an investment adviser must require third-party service providers by contract to implement and maintain appropriate security measures for personal information. There currently is a grandfather provision that deems any contract with a service provider entered into before March 1, 2010 to be in compliance even if it makes no reference to data protection.

The grandfather provision expires on March 1, 2012, so any contract, regardless of when it was signed, must be brought into compliance by March 1, 2012. You should take steps to ensure that your third-party service provider contracts are now in compliance.

More on Google's Privacy Policy

Here is an excerpt from my interview yesterday with Jon Mitchell of ReadWriteWeb:

"From a legal perspective, I'm not seeing anything that's much different in what's being proposed to take effect on March 1 and what's in place right now," Zick says. "In particular, the language about sharing across services has been in [Google's policies] for a long time."

Zick points out that all the past versions of Google's privacy policies are on the website, and the last two versions offer line-by-line comparisons to the previous version. Zick expects that Google will do the same with the new policy once it's officially issued.

"What we have is not a reaction to a change in legal language," Zick says, "but it's a change in perception. ... People are just reflexively reacting to the idea that Google is big."

The entire article can be viewed here, and our earlier post here.

Jail Time for Man Who Accessed Computer of a Competing Medical Practice

An Atlanta, Georgia man was sentenced earlier this month to one year and one month in prison for intentionally accessing a computer of a competing medical practice, and taking personal information of the patients.  The individual made this improper access in order to send marketing materials to patients at the other practice.

The individual worked as an information technology specialist for a perinatal medical practice in Atlanta. He left that practice and joined a competing perinatal medical practice located in the same building. He then used his home computer to break into his former employer's patient database. He downloaded the names, telephone numbers, and addresses of his former employer's patients and then deleted all of the patient information from that system. He subsequently used the patient names and contact information to launch a direct-mail marketing campaign for the benefit of his new employer. There was, however, no evidence that patient medical information was accessed or misused.


Supreme Court Holds Warrant Required for GPS Tracking

The Supreme Court today issued an opinion holding that police cannot track a suspect using GPS without first getting a warrant.

Justice Scalia wrote the opinion, for a unanimous court, and concluded:  "We hold that the Government’s installation of a GPS device on a target’s vehicle, and its use of that device to monitor the vehicle’s movements, constitutes a 'search.'  It is important to be clear about what occurred in this case: The Government physically occupied private property for the purpose of obtaining information."

This statement about the government occupying private property is going to be used in many future arguments.  Justice Sotomayor's concurrence foresees this future:

With increasing regularity, the Government will be capable of duplicating the monitoring undertaken in this case by enlisting factory- or owner-installed vehicle tracking devices or GPS-enabled smartphones. See United States v. Pineda-Moreno, 617 F. 3d 1120, 1125 (CA9 2010) (Kozinski, C. J., dissenting from denial of rehearing en banc). In cases of electronic or other novel modes of surveillance that do not depend upon a physical invasion on property, the majority opinion’s trespassory test may provide little guidance.

Medicare Contractors Lag on Information Security

This report from the Office of the Inspector General for the Department of Health and Human Services reveals significant holes in Medicare contractor security.  Here's a notable excerpt:

Security Awareness Training
The Computer Security Act of 1987 (P.L. No. 100-235) requires periodic training in computer security awareness and accepted computer practices for all employees who manage, use, or operate Federal computer systems. Additionally, Federal regulations (5 C.F.R. § 930.301(a)) require that role-specific training be provided based on each user’s security responsibilities and require agencies to provide training for employees with significant information security responsibilities. The CMS Business Partners Systems Security Manual requires Medicare contractors to document and monitor information security training activities.

Sixteen of the twenty-one Medicare contractors had no identified gaps in security awareness training, while the remaining 5 had 3 to 4 gaps each. In total, 16 gaps were identified in this area, with no gaps assigned to a high-impact subcategory. Following are examples of gaps in security awareness training:

• The contractor did not formally track and monitor job-specific security training to ensure that employees received the minimal requirements stated in the policy.
• Employees did not complete security awareness refresher training.

Employees who are unaware of their security responsibilities or have not received adequate training may be at increased risk of causing or exacerbating a computer security incident. If security personnel are not provided specific job-related training, management has no assurance that these employees can effectively perform their job responsibilities. Inadequately trained employees could cause the loss, destruction, or misuse of sensitive information and information technology (IT) assets.

Inside Counsel Magazine Revisits SEC's Cybersecurity Guidance

As we noted back in October, the SEC issued CF Disclosure Guidance: Topic No. 2: Cybersecurity. This guidance provides the Division of Corporation Finance's views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.

The most recent issue of Inside Counsel follows up on the latest views on this Guidance, including a quote from me.

SEC Issues Guidance On Use of Social Media by Investment Advisers

My colleagues Jen Audeh and Jeff Collins have analyzed the SEC's guidance on the use of social media by investment advisers. Because this issue overlaps with data privacy and security, we are providing this excerpt and a link to their summary:

On January 4, 2012 the SEC’s Office of Compliance Inspections and Examinations issued an exam alert to registered investment advisers which included guidance on the use of social media. The alert is not meant to be a comprehensive summary of all compliance matters related to the use of social media, but rather is intended to cover measures that may assist advisers in developing procedures to prevent violations of the Advisers Act and other federal securities law with respect to the use of social media such as the antifraud, compliance and record keeping provisions.


Did You Know There Is a Congressional Cyber Security Caucus?

Until yesterday, I did not know there was a Congressional Cyber Security Caucus.  It is not clear what it has been up to, as it hasn't had a media release in eleven months.

"Once More Unto the Breach, Dear Friends, Once More": The Increasing Recognition of Complexity in Data Breach Response and Reporting

In an article in today's New York Times, we get some real-life insight into the difficulties in responding to a data breach.  Even simple questions, like whether or not to report the breach and who is responsible for reporting it, take on unforeseen complexity.

The particular breach in question happened at the Massachusetts eHealth Collaborative, when an employee's car was broken into and a company laptop stolen.  The ramifications included:

  • spending nearly $300,000 in legal, private investigation, credit monitoring and media consultancy fees;
  • devoting 600 person-hours of staff time to the breach;
  • hiring a crisis team of lawyers and customers and a chief security officer;
  • hiring a private investigator to scour local pawnshops and Craigslist for the stolen laptop; and
  • notifying some of the affected patients and offering them free credit monitoring.

The eHealth Collaborative's Executive Director, Micky Tripathi, first outlined the breach, and critiques the article, in his blog.

Facebook Settles FTC Charges that It Deceived Consumers, Agrees to 20 Year Consent Order

In a settlement announced today by the Federal Trade Commission and Facebook, the social networking service agreed to settle "charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public," according to the FTC's press release.

In its complaint, the FTC alleged, among other things, that Facebook “users could not restrict access to their profile information to specific groups, such as “Only Friends” or “Friends of Friends” through their Profile Privacy Settings,” despite Facebook's representations that users could impose such restrictions on their accounts.

In the extensive consent order Facebook entered with the FTC, Facebook agreed (among other things) to “obtain initial and biennial assessments and reports . . . from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession,” which assessments and reports will:

  • set forth the specific privacy controls that [Facebook] has implemented and maintained during the reporting period;
  • explain how such privacy controls are appropriate to [Facebook's] size and complexity, the nature and scope of [Facebook's] activities, and the sensitivity of the covered information;
  • explain how the privacy controls that have been implemented meet or exceed the protections required by Part IV of this order; and
  • certify that the privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information and that the controls have so operated throughout the reporting period.

This consent order will last for an astoundingly long time:  20 years.  (Query whether this agreement's terms and length will become the standard for future FTC privacy settlements.) 

Facebook founder Mark Zuckerberg also released a blog post on the settlement, and in it he announced a split in the company's privacy officer role:  Erin Egan will become Facebook's Chief Privacy Officer, Policy, and Michael Richter, currently Facebook's Chief Privacy Counsel, will become Facebook's Chief Privacy Officer, Products.

"Foreign Spies Stealing US Economic Secrets in Cyberspace"

With an inflammatory title like "Foreign Spies Stealing US Economic Secrets in Cyberspace," the Office of the National Counterintelligence Executive's "Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011" is tough to ignore.

The Report's conclusions are equally notable for their candor about the recent actions of the Chinese and Russian governments:

  • "Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC cannot confirm who was responsible."
  • "Russia’s intelligence services are conducting a range of activities to collect economic information and technology from US targets."

The NCIX predictions for the future are sobering:

  • "Over the next several years, the proliferation of portable devices that connect to the Internet and other networks will continue to create new opportunities for malicious actors to conduct espionage. The trend in both commercial and government organizations toward the pooling of information processing and storage will present even greater challenges to preserving the security and integrity of sensitive information."
  • "The US workforce will experience a cultural shift that places greater value on access to information and less emphasis on privacy or data protection. At the same time, deepening globalization of economic activities will make national boundaries less of a deterrent to economic espionage than ever."

This last prediction is particularly disturbing, and it is already visible: users are migrating from the relatively secure Blackberry platform to iPhones and other smartphones, trading security for an increased sense of utility.

"SEC's Corp Fin Staff Attacks Cyber-Security Disclosure"

I was interviewed and quoted as part of a Compliance Week article on the new SEC guidance on disclosures of cyber security incidents:

Colin Zick, a partner at law firm Foley Hoag, says the guidance is too general and that companies will have to think hard when assessing what information to disclose. “There are a lot of cyber-incidents, and there are lots of ways how these will affect your business,” he says. When companies are contemplating the definition of cyber-incidents, they should think expansively, he adds. “Think of data breach, data loss, and denial of service on your Websites when an attack occurs. The [SEC staff] wants you to do this risk assessment so you will understand what this is about,” he said.

Advanced Cyber Security Center Launched

As noted in MassHighTech, the Advanced Cyber Security Center was officially launched on September 20.  The program was opened by Massachusetts Governor Deval Patrick and featured a presentation from Attorney General Martha Coakley.  As described by MassHighTech:

Touted as a first of its kind collaborative effort that brings together stakeholders in cyber security from the government, industry and academia, the ACSC is also hosted at the five universities that make up the Massachusetts Green High Performance Computing Center – MIT, Harvard University, Boston University, Northeastern University and the University of Massachusetts.

The driving force behind the ACSC is Mass Insight Global Partnerships, and that organization’s president and founder William Guenther opened the event and acted as master of ceremonies during the day. But it was Gov. Deval Patrick who started the day off on a practical note, talking about jobs.

“The center represents an incredible employment opportunity for Massachusetts,” Gov. Patrick said. “I want you to see the opportunity.”

Foley Hoag is counsel to the ACSC and Foley Hoag partner Michele Whitham serves on its Strategic Advisory Board.  Conference materials and related security resources are available on the Foley Hoag website.

More Consumer Data Security and Privacy Legislation Introduced

The latest legislator to enter the federal data security and privacy sweepstakes is Senator Richard Blumenthal (D-CT), who introduced legislation, S. 1535, on September 8. This bill, if passed, would require companies dealing with consumers to strengthen their data security and privacy policies. In particular, Senator Blumenthal's bill, "The Personal Data Protection and Breach Accountability Act," would require businesses that collect the personal information of over 10,000 customers to employ specific privacy and security measures, including risk assessment, regular testing of system controls, and paying for two years of credit monitoring for any customer whose data is breached. If adopted, this bill would permit the Justice Department to levy fines of $5,000 per violation per day, up to a total of $20 million per violation. The bill also includes federal data breach notification requirements.

Given the large number of such bills pending, the Senator's junior status, and the fact that his bill has no co-sponsors, it is unlikely that this particular bill will be adopted. At present, at least 15 bills pending in Congress contain the phrase "data security":

  1. Data Security Act of 2011 (Introduced in Senate - IS)[S.1434.IS]
  2. e-KNOW Act (Introduced in Senate - IS)[S.1029.IS]
  3. BEST PRACTICES Act (Introduced in House - IH)[H.R.611.IH]
  4. To facilitate implementation of title VII of the Dodd-Frank Wall Street Reform and Consumer Protection Act, promote regulatory coordination, and avoid market disruption. (Reported in House - RH)[H.R.1573.RH]
  5. Personal Data Privacy and Security Act of 2011 (Introduced in Senate - IS)[S.1151.IS]
  6. To facilitate implementation of title VII of the Dodd-Frank Wall Street Reform and Consumer Protection Act, promote regulatory coordination, and avoid market disruption. (Introduced in House - IH)[H.R.1573.IH]
  7. Data Security and Breach Notification Act of 2011 (Introduced in Senate - IS)[S.1207.IS]
  8. SAFE Data Act (Introduced in House - IH)[H.R.2577.IH]
  9. U.S. Postal Service Improvements Act of 2011 (Introduced in Senate - IS)[S.353.IS]
  10. METRICS Act (Introduced in Senate - IS)[S.1464.IS]
  11. Data Accountability and Trust Act (DATA) of 2011 (Introduced in House - IH)[H.R.1841.IH]
  12. Reform the Postal Service for the 21st Century Act (Introduced in House - IH)[H.R.1262.IH]
  13. Data Accountability and Trust Act (Introduced in House - IH)[H.R.1707.IH]
  14. Protecting the Privacy of Social Security Numbers Act (Introduced in Senate - IS)[S.1199.IS]
  15. Postal Reform Act of 2011 (Introduced in House - IH)[H.R.2309.IH]

Given how many similar bills are pending, it seems likely that something like Sen. Blumenthal's bill will be adopted before this session of Congress is over.

"What Every In-House Counsel Needs to Know About Data Security and Privacy"

I just completed a webinar for the Association of Corporate Counsel, with Ed Palmieri of Facebook, discussing "What Every In-House Counsel Needs to Know About Data Security and Privacy."  The program slides can be found at this link.

Another Big HIPAA Settlement: The UCLA Health System Settles for $865,000

In another sign that OCR is continuing to seek significant penalties for HIPAA violations, it announced on July 7 that the UCLA Health System ("UCLAHS") has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with those rules.  This follows on the heels of Massachusetts General Hospital's $1 million settlement with OCR.

The resolution agreement resolves two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLAHS. The complaints alleged that UCLAHS employees repeatedly and without legitimate reasons looked at the electronic protected health information of these patients. OCR's subsequent investigation into the complaints revealed that from 2005-2008, unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients.  

The corrective action plan requires UCLAHS to implement Privacy and Security policies and procedures approved by OCR, to conduct regular and robust trainings for all UCLAHS employees who use protected health information, to sanction offending employees, and to designate an independent monitor who will assess UCLAHS compliance with the plan over 3 years.  All in all, a very expensive proposition for UCLAHS.

Hackers Hit the Headlines

Interesting article in The Economist, focusing on hackers like Anonymous and Lulz Security.

Supreme Court Strikes Down Vermont Data Mining Law

By Tad Heuer, Esq.

The Supreme Court this morning voted 6-3 to strike down a Vermont statute that sought to impose significant restrictions on pharmaceutical data mining activities. Justice Kennedy's opinion in the closely-watched case of IMS v. Sorrell held that the Vermont statute was an unconstitutional regulation of commercial speech.

The first paragraph of Justice Kennedy's opinion provides a brief summary of the posture of the case and of the Court's decision:

Vermont law restricts the sale, disclosure, and use of pharmacy records that reveal the prescribing practices of individual doctors. Vt. Stat. Ann., Tit. 18, §4631 (Supp. 2010). Subject to certain exceptions, the information may not be sold, disclosed by pharmacies for marketing purposes, or used for marketing by pharmaceutical manufacturers. Vermont argues that its prohibitions safeguard medical privacy and diminish the likelihood that marketing will lead to prescription decisions not in the best interests of patients or the State. It can be assumed that these interests are significant. Speech in aid of pharmaceutical marketing, however, is a form of expression protected by the Free Speech Clause of the First Amendment. As a consequence, Vermont’s statute must be subjected to heightened judicial scrutiny. The law cannot satisfy that standard.

We will be publishing a more extensive analysis shortly; watch this space for a link to it.

Is Teamwork the Answer to Data Security?

Increasingly, alliances are viewed as an important way to improve data security. The Washington Post reports that the National Security Agency is now working with Internet service providers to thwart cyberattacks against defense firms by foreign adversaries. We have previously noted two other initiatives: the Advanced Cyber Security Center (to which Foley Hoag serves as legal counsel) and InfraGard, a Federal Bureau of Investigation program. One of the oldest and best examples of successful collaboration is PCI, the credit card industry's security program.

2011: The Year of the Breach

We are six months into 2011, and it seems destined to be “The Year of the Breach.”  In just the past few months, major American (and multi-national) corporations and institutions have reported that they have been the victims of some kind of security breach:

  • Epsilon: breach of customer email addresses;
  • RSA: compromise of security tokens (possibly impacting Lockheed Martin);
  • Citigroup: breach of credit card numbers;
  • Sony: multiple thefts of customer data;
  • Sega: customer data theft; and
  • ADP: breach of its benefits-administration business.

What does this mean? First, there are simply more breaches to report. Second, companies are being more open about reporting breaches, both because they are legally required to and because such disclosures are expected by consumers and regulators. Third, these breaches and the resulting publicity will bring legal and corporate reactions. 

On a legal/regulatory level, we are even more likely to see federal data security legislation and stepped-up enforcement. On the corporate side, more and more resources are going to be poured into prevention of breaches. For corporate CIOs, it’s the best of times and the worst of times: they are getting access to more resources, but are facing more and different challenges.

What Law Applies In "the Cloud"?

Attached is my presentation given at a recent CloudCamp, on the subject: What Law Applies In “the Cloud”? (CloudCamp is an unconference where early adopters of Cloud Computing technologies exchange ideas.)

Does Briar Group's Massachusetts Settlement Create a New Legal Standard That Businesses Must Meet to Protect Personal Information?

By Brian Bialas 

A recent settlement in a data breach case exemplifies how the government can go beyond a statutory scheme and use private industry standards to protect personal information and impose sanctions on violators. 

The Massachusetts AG filed suit against the Briar Group, the owner of a number of bars in the Boston area (including two of my personal favorites, the Harp and Ned Devine’s) in the wake of a 2009 data breach involving credit card numbers and other personal data. The AG’s complaint alleged, among other things, that the Briar Group violated Massachusetts’s Consumer Protection Statute by failing to comply with the Payment Card Industry Data Security Standards (PCI DSS), standards created by the Payment Card Industry Security Standards Council that apply to all organizations that collect payment card data. To settle this suit, the Briar Group entered into a consent judgment pursuant to which it would pay $110,000 in civil fines.

What is interesting about this settlement is that it requires the Briar Group to “maintain PCI DSS compliance,” over and above Massachusetts’ own strict legal requirements.  Does the AG’s action against the Briar Group signify that all merchants are legally required to comply with both state regulations and PCI DSS? It’s too early to tell. 


What Can My Company Do To Fight Cybercrime Collaboratively?

Wondering what your company might be able to do at the local level to help fight cybercrime? There are a growing number of public-private collaborations that are trying to get ahead of the bad guys.

One is the Advanced Cyber Security Center (to which Foley Hoag serves as legal counsel).  The ACSC is a collaborative, cross-sector research facility working to address critical and sophisticated cyber security challenges. Based at the MITRE Corporation campus in Bedford, Massachusetts, the Center takes advantage of  university, industrial and research resources to develop next-generation solutions and strategies for protecting the nation's public and private IT infrastructure.

Another collaborative group is InfraGard, a Federal Bureau of Investigation program that began in its Cleveland Field Office in 1996. It was a local effort to gain support from the information technology industry and academia for the FBI’s investigative efforts in the cyber arena. InfraGard is an information sharing and analysis effort composed of businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the United States. InfraGard Chapters are geographically linked with FBI Field Office territories, and each chapter has an FBI Special Agent Coordinator assigned to it.

Information Security In the Age of WikiLeaks

InformationWeek has published an interesting Analytics Brief on "Information Security in the Age of WikiLeaks."  (Subscription required.)  The brief discusses the following subjects:

  • Could a Major Security Breach Be on the Horizon?
  • The Smartphone Dilemma
  • What Elements Are Currently Covered in Your Organization’s Security Awareness Program?
  • Security Budgets Fare Well
  • Implementing Risk Management Disciplines
  • Do You Really Know Who Your Friends Are?
  • Denial of Service Attacks: Who’s Next?

In the interest of full disclosure, I am quoted extensively on the prospects for new legislation in the privacy/security space.

White House Releases Framework for National Strategy for Trusted Identities in Cyberspace

On April 15, the White House formally released its National Strategy for Trusted Identities in Cyberspace. As we noted earlier, the “trusted identity” concept is intended to allow the public and private sectors to collaborate in order to raise the level of trust associated with the exposure of the identities of individuals, organizations, networks, services and devices in online transactions:

The goal of NSTIC is to create an “Identity Ecosystem” in which there will be interoperable, secure, and reliable credentials available to consumers who want them. Consumers who want to participate will be able to obtain a single credential--such as a unique piece of software on a smart phone, a smart card, or a token that generates a one-time digital password. Instead of having to remember dozens of passwords, the consumer can use their single credential to log into any website, with more security than passwords alone provide. Since consumers will be able to choose among a diverse market of different providers of credentials, there will be no single, centralized database of information. Consumers can use their credential to prove their identity when they're carrying out sensitive transactions, like banking, and can stay anonymous when they are not.

The White House document is mostly a vision statement, punctuated by text boxes throughout that urge the reader to “Envision it!” but with no real guidance on how to accomplish it. The document suggests how these frameworks might be built, but does not promise to build them. Precisely how this vision statement gets turned into action and results will depend on the reception it receives from the public and private sectors, both within the U.S. and abroad. The NSTIC anticipates that the U.S. will meet its interim benchmarks in 3-5 years, and the long-term benchmarks in 10 years. As such, it is unlikely that we will see anything concrete on this front in the near future.

Obama Administration Seeks "Consumer Privacy Bill of Rights"

In testimony on March 16, 2011, before the Senate Committee on Commerce, Science, and Transportation, the Obama Administration formally asked Congress to pass a "consumer privacy bill of rights" enforced by the FTC:

Legislation to provide a stronger statutory framework to protect consumers’ online privacy interests should contain three key elements. First, the Administration recommends that legislation set forth baseline consumer data privacy protections—that is, a “consumer privacy bill of rights.” Second, legislation should provide the FTC with the authority to enforce any baseline protections. Third, legislation should create a framework that provides incentives for the development of codes of conduct as well as continued innovation around privacy protections, which could include providing the FTC with the authority to offer a safe harbor for companies that implement codes of conduct that are consistent with the baseline protections.

This testimony was presented by a Commerce Department official, Lawrence E. Strickling, Assistant Secretary for Communications and Information, National Telecommunications and Information Administration.

As we have observed previously, Congress is very interested in such legislation.  Now that the legislative battle is fully joined, it's time to start thinking about who the potential winners and losers might be if such legislation is adopted:

  • Will the legislation hurt the big internet companies like Google and Facebook?
    • Small players might actually find compliance with new laws more difficult than these industry giants.
  • Can "do not track" legislation still be avoided through voluntary industry efforts?
    • Might voluntary efforts be enough to change the requirement to a mandatory right to "opt out" of tracking, as opposed to an outright ban?
  • Just how will any U.S. privacy regime meld with the EU's scheme?
    • Could U.S. rules actually smooth the road to U.S.-EU data sharing the way HIPAA did across the 50 states for health data exchange?

Online Advertising Company Chitika Enters FTC Consent Agreement for Deceptive "Opt-Out" Policy

By Sam Hudson

Targeted online advertising has been the focus of much discussion since the release of the FTC’s “Do Not Track” proposals late last year. User tracking for advertising purposes is also the focus of the FTC’s latest privacy enforcement action, which has resulted in a consent agreement with an online advertising company, Massachusetts-based Chitika, Inc., which creates ads for such major publishers as the Hearst Corporation and Salary.com. 

Chitika uses cookies to track Internet users, so as to display behavioral advertising to them. Chitika allowed users to opt-out of receiving these cookies, but what Chitika didn’t disclose was that the opt-out only lasted for 10 days. The FTC alleged that such a short opt-out period was deceptive and a violation of the FTC Act. The FTC has reached a settlement with Chitika in which Chitika has agreed to honor any user opt-out of tracking for at least 5 years. Chitika has also agreed to display more prominent opt-out mechanisms. The consent agreement prohibits Chitika from misrepresenting the extent of its data collection about consumers or the extent to which consumers can control the collection, use or sharing of their data.
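As an added illustration (not Chitika's code and not part of the FTC order): a small audit routine that reads the Set-Cookie headers an ad server returns, finds the opt-out cookie and reports whether its lifetime meets a five-year minimum. The cookie name `optout`, the `.ads.example` domain and the sample headers are constructed for this example.

```javascript
// Added example: audit how long an advertising opt-out cookie persists.
// Cookie name, domain and sample headers are constructed, not taken from
// any real ad network.

const DAY_SECONDS = 86400;
const MIN_OPTOUT_DAYS = 5 * 365; // the settlement's minimum honour period

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased so "Max-Age" and "max-age" match.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const k = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Lifetime in days relative to `now` (ms since epoch). Max-Age takes
// precedence over Expires (RFC 6265); a cookie with neither is a session
// cookie, which is reported as 0 days because it vanishes when the browser closes.
function cookieLifetimeDays(cookie, now = Date.now()) {
  const { attrs } = cookie;
  if (attrs['max-age'] !== undefined) {
    return Number(attrs['max-age']) / DAY_SECONDS;
  }
  if (attrs.expires !== undefined) {
    const t = Date.parse(attrs.expires);
    if (Number.isNaN(t)) return 0; // unparseable Expires: treat as session cookie
    return (t - now) / (DAY_SECONDS * 1000);
  }
  return 0;
}

// Audit a list of Set-Cookie headers: one result per opt-out cookie found,
// with its lifetime in whole days and whether it meets the minimum.
function auditOptOut(headers, optOutName = 'optout', now = Date.now()) {
  return headers
    .map(parseSetCookie)
    .filter((c) => c.name === optOutName)
    .map((c) => {
      const days = cookieLifetimeDays(c, now);
      return { name: c.name, days: Math.round(days), ok: days >= MIN_OPTOUT_DAYS };
    });
}

// Constructed sample: the first header mirrors a 10-day opt-out, the second a
// five-year one; the third is an unrelated session cookie that is ignored.
const SAMPLE_NOW = Date.UTC(2011, 5, 1); // 1 June 2011, fixed for reproducibility
const SAMPLE_HEADERS = [
  'optout=1; Max-Age=864000; Path=/; Domain=.ads.example',
  'optout=1; Expires=Wed, 01 Jun 2016 00:00:00 GMT; Path=/; Domain=.ads.example',
  'sid=abc123; Path=/; HttpOnly',
];

console.log(auditOptOut(SAMPLE_HEADERS, 'optout', SAMPLE_NOW));
```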


Health Net Announces Second Major Breach in Two Years; Creates Potential for Largest Ever Penalty

On March 14, the California-based managed care organization, Health Net, Inc., announced that it cannot account for "several server drives" that contained protected health information. According to California regulators, these drives appear to contain the data of 1.9 million people nationwide:

The company announced today that nine of its server drives containing personal information for 1.9 million current and past enrollees nationwide are missing, including records for more than 622,000 enrollees in Health Net products regulated by the DMHC, more than 223,000 enrolled in California Department of Insurance products, and a number enrolled in Medicare.

Since this is the second incident in two years for the company (see "Connecticut AG Opens New Era in HIPAA Enforcement with Health Net Suit"), it will be interesting to see what kind of penalty Health Net could face from the federal government.  In that regard, consider that the loss of 192 records just cost Massachusetts General Hospital $1 million.  If a penalty in the same proportion were applied to this breach, Health Net could face a penalty of over $9 billion.

What Is Inside Mass General's $1 Million HIPAA Settlement?

As we noted earlier this month, Massachusetts General Hospital recently entered into a $1 million Resolution Agreement and Corrective Action Plan with the Department of Health and Human Services' Office of Civil Rights.  This settlement stemmed from an incident on March 9, 2009, when an MGH employee, commuting on the subway, "removed documents containing PHI from her bag and placed them on the seat beside her. The documents were not in an envelope and were bound with a rubber band. Upon exiting the train, the MGH employee left the documents on the subway train and they were never recovered. These documents contained the PHI of 192 individuals."  There was, however, no indication that any of the PHI was ever used in any way.

While the $1 million penalty is an attention-grabber, the elements of the Corrective Action Plan are also likely to be at least as costly and will be very burdensome.  They include:

  • three (3) years of reporting obligations from MGH to OCR;
  • adoption of new policies that OCR must review and approve;
  • training on these new policies that OCR must review and approve;
  • retention of a monitor who will conduct:
    • unannounced site inspections of MGH’s locations/departments/practices;
    • interviews with any members of the workforce who use PHI; 
    • interviews with any members of the workforce involved in implementing the safeguards required by the CAP;
    • inspection of a sample of laptops and USB flash drives that contain ePHI and are under the control of workforce members to ensure that such devices satisfy all applicable requirements of the Policies and Procedures; and
    • inspection of relevant documents and interviews with workforce members for the purpose of confirming consistent training, implementation, and enforcement of the Policies and Procedures among workforce members.
  • submission of semi-annual monitor reports;
  • self-reporting of any "significant violations" of the CAP;
  • submission of an implementation report after 120 days of the CAP; and
  • annual reports to the monitor, which will be passed on to OCR.

This is a pretty heavy burden to carry around for three years.   In fact, the CAP looks much more like a Corporate Integrity Agreement of the type entered into by a pharmaceutical manufacturer after a health care fraud settlement.  I suspect that is precisely the message that OCR wanted to send.

FTC Red Flags Suits Come to an End as Lawyers and Doctors Are Exempted

While the effect of the federal legislation modifying the FTC Red Flags Rule has been known for a while, the court proceedings that challenged the rule have now caught up.  The American Bar Association's suit has been dismissed, and the American Medical Association announced it is voluntarily dismissing its case:  "The lawsuit filed by the Litigation Center of the AMA and the State Medical Societies, the American Osteopathic Association and the Medical Society of the District of Columbia, and joined by 26 national medical specialty societies, will now formally end."

Supreme Court Rules Corporations Do Not Have Privacy Rights under FOIA

In a March 1, 2011 decision that has received much publicity (despite stating a fairly obvious conclusion), the Supreme Court ruled that the term "personal privacy" does not apply to corporations, at least in the context of the Freedom of Information Act ("FOIA"). 

The decision, FCC v. AT&T Inc., reflects the Supreme Court's application of a particular exemption to FOIA.  Exemption 7(C) covers law enforcement records the disclosure of which “could reasonably be expected to constitute an unwarranted invasion of personal privacy.” 5 U.S.C. § 552(b)(7)(C).  AT&T, having produced documents to the federal government, wanted that exemption asserted on its behalf, to block the government from responding to a FOIA request that would result in the production of AT&T's documents.

The Supreme Court held that Exemption 7(C) applies to individuals identified in AT&T’s submissions, but not to the company itself.  This conclusion was based on the principle that corporations do not have “personal privacy” interests as required by the exemption.  As Justice Alito noted in oral argument:  “in ordinary speech, the term ‘personal’ is not . . . used to refer to a corporation.  That’s . . . legalese.”

For corporations, this decision only reinforced what experienced counsel have known for a long time -- be prepared for anything you turn over to the government to be shared with the public.

Compliance Approaches in the Changing HIT Privacy and Security Landscape: How You Can Nurture a Culture of Health Information Security and Privacy

My slides from this presentation, "Compliance Approaches in the Changing HIT Privacy and Security Landscape:  How You Can Nurture a Culture of Health Information Security and Privacy" cover HIPAA and HITECH developments and compliance, with a focus on breaches and OCR settlements/penalties, including:

FTC Publishes Copier Data Security Guide

As we noted back in May, digital copiers have caught the eye of government privacy enforcers.  If you have a digital copier at your business, you should review the FTC's Copier Data Security: A Guide for Businesses.  In that Guide, the FTC suggests that "your information security plans . . . should cover the digital copiers your company uses. If the data on your copiers gets into the wrong hands, it could lead to fraud and identity theft."

HHS Fines Cignet Health $4.3 Million for HIPAA Violations

Earlier today, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued a Notice of Final Determination finding that Cignet Health of Prince George’s County, Md., (Cignet) violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS imposed a civil money penalty (CMP) of $4.3 million for the violations, representing what OCR said was "the first CMP issued by the Department for a covered entity’s violations of the HIPAA Privacy Rule."  The CMP is based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

According to the HHS press release, in a Notice of Proposed Determination issued Oct. 20, 2010, OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with OCR, initiating investigations of each complaint. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The CMP for these violations was $1.3 million.

HHS also concluded that during the investigations, Cignet refused to respond to OCR’s demands to produce the records. Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010.  On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means. OCR also found that Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule. Covered entities are required under law to cooperate with the Department’s investigations. The CMP for these violations was $3 million.
 

500 Is a Magic Number: Health Information Breaches Impacting 499 or Fewer Patients Likely Go Uninvestigated By OCR

In the recently-released fiscal 2012 budget for HHS, a dirty little secret has been acknowledged:  the Office of Civil Rights does not have the resources to review all reported breaches of health information.  In fact, if you have a breach that impacts up to 499 people, you are unlikely to hear from OCR at all:

Current OCR practice is to validate, post to the HHS website, and subsequently investigate all breach reports that impacted more than 500 individuals. Breach reports that impacted fewer than 500 individuals are compiled for future reporting to Congress; however they are treated as discretionary and only investigated if resources permit.

While this prioritization makes a certain amount of sense, it leaves the vast majority of breaches unreviewed.  According to that same budget report, "[a]s of September 30, 2010, OCR has received a total of 9,300 breach reports (191 impact more than 500 individuals and 9,109 impact less than 500 individuals)."  That's a mere 2% of all breaches that have OCR's full attention.  The takeaway from this is to count your breaches carefully before reporting, as there seems to be a real benefit to being able to report an impact on less than 500 individuals.

DHS Updates Its "Handbook for Safeguarding Sensitive PII"

The Department of Homeland Security has released its latest update to its internal guide to handling personally identifiable information.  The "Handbook for Safeguarding Sensitive PII at DHS" has been around since 2008; even if you do not have direct dealings with DHS, it provides a useful point of comparison for your own policies and procedures. 

U.S. Supreme Court Upholds NASA Background Checks

In NASA v. Nelson, decided today by the U.S. Supreme Court, the high court rejected a challenge to "a section of a form questionnaire that asks employees about treatment or counseling for recent illegal-drug use . . .  [and] to certain open-ended questions on a form sent to employees’ designated references."

This particular challenge came from 28 employees of the Jet Propulsion Laboratory ("JPL").  JPL is staffed exclusively by contract employees.  NASA owns JPL, but Cal Tech operates the facility under a government contract.  

The Supreme Court acknowledged that "[i]n two cases decided more than 30 years ago, this Court referred broadly to a constitutional privacy “interest in avoiding disclosure of personal matters.” Whalen v. Roe, 429 U.S. 589, 599–600 (1977); Nixon v. Administrator of General Services, 433 U.S. 425, 457 (1977)."  The employees in this case, as federal contract employees working at a Government laboratory, claimed that two parts of a standard JPL employment background investigation violate their rights under Whalen and Nixon.  But the Supreme Court "reject[ed] the argument that the Government, when it requests job-related personal information in an employment background check, has a constitutional burden to demonstrate that its questions are 'necessary' or the least restrictive means of furthering its interests."

The majority opinion dodged the question of whether "there is no constitutional right to informational privacy," although the concurrence of Justice Scalia urged the majority to decide it.

The Supreme Court assumed, "without deciding, that the Constitution protects a privacy right of the sort mentioned in Whalen and Nixon."  The Supreme Court held, "however, that the challenged portions of the Government’s background check do not violate this right in the present case. The Government’s interests as employer and proprietor in managing its internal operations, combined with the protections against public dissemination provided by the Privacy Act of 1974, 5 U.S.C. §552a, satisfy any “interest in avoiding disclosure” that may “arguably ha[ve] its roots in the Constitution.” Whalen, supra, at 599, 605."

 

Genetic Privacy Rights Group Publishes Guide to the World's DNA Databases

The Council for Responsible Genetics has published a guide to the world's DNA databases.  According to the guide, 56 countries (and in the U.S., all 50 states) maintain DNA databases.

CRG describes itself as a "catalyst and thought leader in the movement to steer biotechnology toward the advancement of public health, environmental protection, equal justice and respect for human rights."  Although CRG has its own unique perspective on whether DNA databases should exist and how they should be used, its guide may nevertheless prove to be a useful resource.

In the late 1990s, I worked on two amicus briefs with CRG, challenging aspects of the Department of Defense DNA database and the Commonwealth of Massachusetts' DNA database statute:

Does the FTC's Report on "Protecting Consumer Privacy..." Apply to Non-Profits?

by Katie Perry

Earlier this month, the Federal Trade Commission (“FTC”) released a preliminary staff report entitled, "Protecting Consumer Privacy in an Era of Rapid Change:  A Proposed Framework for Businesses and Policymakers." According to the FTC, the report is intended “to inform policymakers, including Congress, as they develop solutions, policies, and potential laws governing privacy, and guide and motivate industry as it develops more robust and effective best practices and self-regulatory guidelines.” Judging from the initial wave of public commentary, consumer support for the proposed framework is widespread.

While the framework will undoubtedly impact the for-profit sector, its application to non-profit organizations remains unclear.  As currently drafted, the FTC’s proposal would apply to “all commercial entities that collect or use consumer data that can reasonably be linked to a specific consumer, computer or other device.” The term “commercial entities” remains undefined.

As currently drafted, the FTC’s proposals could impact any organization that collects consumer/donor information. While the typical non-profit organization collecting donor information will likely be exempt from the “Do Not Track” provisions under the “commonly accepted business practices” exception, the framework’s requirements relating to data privacy, security and transparency could potentially apply to non-profit organizations. 


FTC Red Flags Rule Clarified; Red Flags Enforcement Likely to Begin in 2011

By Brian Bialas

On December 18, 2010, President Obama signed into law the Red Flag Clarification Act of 2010.  The Act will change a single definition in prior law and reduce the scope of the FTC Red Flags Rule, ending a two-year long saga over the scope of its enforcement.

As we have noted in past entries about Red Flags Rule compliance, the FTC has extended the deadline for enforcement of the FTC's Red Flags Rule several times, most recently through December 31, 2010.  The stated reason for these delays was “to give Congress time to reach a consensus on the types of businesses that should be covered under the Rule.”  An unstated reason was the mounting number of lawsuits by physicians, lawyers, accountants, and other service providers seeking to exempt themselves from the Red Flags Rule.  The lawsuits should now come to an end.

Here’s how the new law will work. The definition of who is considered to be a “creditor” is a key to the application of the Red Flags Rule. As originally drafted, “creditors” would have included anyone “who regularly extends, renews, or continues credit” or “who regularly arranges for the extension, renewal, or continuation of credit,” 15 U.S.C. § 1691a(e); see 15 U.S.C. § 1681a(r)(5). The new Act narrows this definition by excluding anyone who advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person. Examples of this exclusion would include a doctor who pays upfront for a test that a patient will reimburse him for later, or a lawyer who covers a filing fee for a client until his bill is paid. 

With this change, it is likely that the FTC will commence enforcement against the intended targets of the Red Flags Rule – the financial services industry – in 2011. 

Will 2011 Bring Us "Do Not Track" Legislation?

Posted below is another contribution from my colleague David Broadwin on our Emerging Enterprise Center blog about the potential for legislative change in 2011. I agree with the conclusions he draws:

1) This is an area where bipartisan consensus is possible.

2) The industry powers will fight against “Do Not Track” and will win that fight.

3) Industry will accept some other form of regulation in exchange for defeating “Do Not Track.”

We could see passage of a federal data security and privacy statute, not unlike those that the various states have been adopting. The states have already passed models for such legislation and have shown that these increased protections can be implemented without too much opposition from the business sector. Also, adoption of a single standard for data security and privacy could actually relieve some of the regulatory burden on business: instead of having to comply with 50 different state laws, there would just be one federal law. This is the very same logic that led to the passage of HIPAA (and its standards for health information privacy) in 1996.

*   *   *
 
"Creepy" is the new "cool" and how to make sure it stays that way
 
Posted by Dave Broadwin on December 14, 2010

The other day at Mass TLC’s Mobility Summit I had a brief conversation with Mark Herrmann (an entrepreneur here in Boston) that touched on the FTC’s recent proposal for protecting consumer privacy online.  We were talking about the “do not track” proposal and the consensus in the tech industry that it just won’t fly. 

Mark’s comment: 

“It is creepy that ‘they’ can and do track you out in the net, but ‘creepy is the new cool.’”  There is just no question that some people accept the fact that they are being tracked and fed targeted online advertising.  It is not just OK by them; it’s a value add.  I don’t disagree. But, for anyone who has read “1984” (and even a lot of people who haven’t) the notion of being tracked is creepy.  There are a lot of these folks – perhaps a significant majority of the U.S. population – that feel this way.

In 2011 the FTC and Congress are going to pay attention to these concerns. It is good politics. 

Prediction #1:  Legislation in this area will be one of the few places where we will see bipartisan consensus in the next Congress. 

Why: No Congressperson wants to be opposed to consumer privacy, and they all want to have supported some legislation that passed, when running in the next election. Mark (and others) made the point that if you really end tracking, you will end Facebook.  So, whatever happens it won’t be that.  However, the political snowball is rolling down the mountain - there will be regulatory activity around consumer privacy. The only question is: What will be the nature and scope of the activity? The big boys (those with well established businesses that either make money or have ready access to capital) are going to be lobbying hard for a regulatory framework that does not dent their current business model. 

Prediction #2:  The big boys will fight anything that disrupts tracking and they are going to win this battle – no one in Congress wants to run on the platform that they put Facebook (or others) out of business. But the big boys are going to have to trade something.  The easy things for them to trade are procedural protections for the consumer. 

  • The FTC wants the industry to adopt “privacy by design” principles.  This means that companies should adopt internal processes to promote consumer privacy and security protections into their daily practices and to consider privacy issues at every stage of design and development of products and services.
  • The FTC wants the industry to make consumer data more available to consumers.  This means allowing for increased consumer access to data collected. 

Prediction #3:  The big boys will trade lots of procedural protections for the consumer to prevent substantive regulation that will directly affect their business models. 

Why:  The big boys can afford the administrative burden implicit in procedural protections.  It is just a matter of more money, more people and more oversight.  A company that is well established and profitable or that has easy access to capital can afford to write the code, hire an army of new engineers, consultants, lawyers etc. and create an entire Department of Privacy Compliance and Protection.  In fact, to the extent that having to do all that makes it harder for start-ups, it may even be helpful to the established companies. Some folks I talk to have expressed real concern about this looming regulatory push and how it might affect the entire ecosystem for digital media start-ups. There is still a chance to influence the inevitable regulation that is upcoming and I am working on assembling a group of industry leaders to do just that.  I recently sent out a letter (here’s a link) to people I thought might be concerned enough to actually do something.

Read it and let me know what you think.

FTC Proposes Privacy Framework That Will Impact the Business Model of All Online and Mobile Advertising Companies

Our colleagues in Foley Hoag's Emerging Enterprise Center have summarized the FTC preliminary staff report, "Protecting Consumer Privacy in an Era of Rapid Change:  A Proposed Framework for Businesses and Policymakers," which we posted on December 1.  We are cross-posting the analysis from their blog below.

It seems likely that the next two years will bring significant changes to this area, either through legislation or regulation.  During this period, businesses and consumers will continue to seek an equilibrium that balances business needs and consumer expectations.  If they cannot find it, one will likely be imposed on them.

*  *  *

The Federal Trade Commission (FTC) just published its preliminary Staff report setting out its proposed framework for protecting privacy in the digital economy. View the FTC’s press release here. The FTC is seeking comments on its proposed framework by January 31, 2011 and expects to issue a final report in 2011.

Every digital media business that attracts advertising revenue online and/or through mobile devices, as well as the venture capital and private equity funds that invest in them, has a stake in the outcome of this proposed framework. It can affect current business models, future financial performance and potential exit opportunities for current and potential companies that rely on collecting data from consumers.

The final report, and possible new regulations and/or federal legislation to follow, will help shape substantive law, enforcement policies and commercial best practices regarding consumer privacy practices that will need to be followed.

Notably, the FTC staff cites flaws in commercially available, privacy-related plug-ins and browser features, and supports a more uniform and comprehensive consumer choice mechanism for online behavioral advertising than currently exists. This is often called “Do Not Track,” in a nod to the currently mandated “Do Not Call” registry that restricts the activities of telemarketers. FTC staff identified and requested comment on a number of issues concerning the formulation and adoption of any such “Do Not Track” mechanism.

Other important components of the proposed framework include:

  • Scope: The proposed framework would apply to all commercial entities that collect or use consumer data that can reasonably be linked to a specific consumer, computer or other device. Here, the FTC staff recognizes the erosion of the distinction between personally-identifiable information (e.g., name, address and social security number) and supposedly anonymous information that may be collected without the knowledge of the web- or mobile device-user.
  • Promotion of consumer privacy: The proposed framework would require companies to promote consumer privacy and security protections into their daily practices and to consider privacy issues at every stage of design and development of products and services. Suggested steps include: 1) providing security for consumer data; 2) limiting data collection to the relevancy of a specific business practice; 3) enforcing sound retention policies; 4) providing assurances of data accuracy; and 5) implementing comprehensive data management procedures throughout the lifecycle of products and services.
  • Consumer choice: In addition to the “Do Not Track” mechanism described above, the proposed framework would require companies to provide consumers with a notice-and-choice mechanism at the point when the consumer is providing data to the company. This would not be required in the context of commonly-accepted practices, such as order fulfillment or first-party marketing, however.
  • Transparency and Access to Data: The proposed framework would require vastly-increased transparency with respect to data collection practices and allow for increased consumer access to data collected. As part of implementing this component, the Commission suggests a level of simplification and standardization for currently loosely governed website privacy policies.

Before this framework is submitted in final form to the FTC for a vote by its commissioners, which will accelerate the process further, the FTC is requesting comment by interested parties on a variety of key related issues, including:

  • Scope: Are there practical considerations that support excluding certain types of companies or businesses from the framework?
  • Substantive Privacy Protections: What substantive protections should companies provide, and how should the costs and benefits of such protections be balanced?
  • Comprehensive Data Management Procedures: How can the full range of stakeholders be given an incentive to develop and deploy privacy-enhancing technologies? 
  • Consumer Choice; “Do Not Track”:
    • How should a universal choice mechanism be designed for consumers to control online behavioral advertising?
    • What are the costs and benefits of offering a standardized uniform choice mechanism to control online behavioral advertising?
    • What is the likely impact if large numbers of consumers elect to opt out?
    • Should a universal choice mechanism include an option that allows consumers more granular control over the types of advertising they want to receive and the type of data they are willing to have collected about them?
  • Transparency of Data Practices: With respect to website privacy notices, is it feasible to standardize the format and terminology for describing data practices across industries? Should companies inform consumers of the identity of those with whom the company has shared data about the consumer, as well as the source of that data?
  • Notifying Consumers of Changes in Data-Use Practices: What is the appropriate level of transparency and consent for prospective changes to data-handling practices?

FTC Releases Report: "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers"

 

Earlier today, the FTC released a preliminary staff report entitled, "Protecting Consumer Privacy in an Era of Rapid Change:  A Proposed Framework for Businesses and Policymakers."  The report is over 100 pages long and suggests that changes need to be made regarding consumer privacy, stating:

Industry must do better. For every business, privacy should be a basic consideration – similar to keeping track of costs and revenues, or strategic planning. To further this goal, this report proposes a normative framework for how companies should protect consumers’ privacy.

We'll have our more detailed thoughts on this document posted shortly.

Advocacy Groups File FTC Complaint Over Online Consumer Health Sites and Health-Related Marketing

In a complaint filed with the FTC on November 23, four advocacy groups asked for "Investigation, Public Disclosure, Injunction, and Other Relief" against several online health giants, including Google, Microsoft, QualityHealth, WebMD, Yahoo, AOL, HealthCentral, Healthline, and Everyday Health.

The advocacy groups behind this complaint are the Center for Digital Democracy, U.S. PIRG, Consumer Watchdog and World Privacy Forum.  They allege (in 144 pages, complete with web page screen-shots) that:

"Digital marketing raises many distinct consumer protection and privacy issues, including an overall lack of transparency, accountability and personal control, which consumers should have over data collection and the various interactive applications used to track, target, and influence them online (including on mobile devices).  The use of these technologies by pharmaceutical, health product, and medical information providers that directly affect the public health and welfare of consumers requires immediate action."

Any business that has a web presence should read this complaint; it will show you what these (and other) advocacy groups are complaining about.  While I do not expect the FTC to jump into action based on this complaint alone, it would not surprise me to see an increase in the discussion of regulation and enforcement in this patch of cyberspace during 2011. It is only a matter of time until a consumer health web site has a significant data breach.  Traditionally, such breaches bring increased enforcement activity.


California Department of Public Health Issues Privacy Breach Fines to 8 Health Care Facilities

On November 19, the California Department of Public Health (CDPH) announced that eight health care facilities (mostly hospitals) have been assessed administrative penalties and fines totaling $792,500 after a determination that the facilities failed to prevent unauthorized access to confidential patient medical information.

The fines ranged from a low of $5,000 to a high of $250,000:

1. Biggs Gridley Memorial Hospital, Gridley, Butte County: The hospital was assessed a $5,000 fine after the facility failed to prevent unauthorized access of one patient’s medical information by two employees on three occasions.

2. Children’s Hospital of Orange, Orange, Orange County: The hospital was assessed a $25,000 fine after the facility failed to prevent unauthorized access of one patient’s medical information by one employee.

3. Delano Regional Medical Center, Delano, Kern County: The hospital was assessed a $60,000 fine after the facility failed to prevent unauthorized access and disclosure of one patient’s medical information by one employee on three occasions.

4. Kaweah Manor Convalescent Hospital, Visalia, Tulare County: The nursing home was assessed a $125,000 fine after the facility failed to prevent unauthorized access and use of five patients’ medical information by one employee.

5. Kern Medical Center, Bakersfield, Kern County: The hospital was assessed a $60,000 fine after the facility failed to prevent unauthorized access and disclosure of one patient’s medical information by two employees on three occasions.

6. Kern Medical Center, Bakersfield, Kern County: The hospital was assessed a $250,000 fine after the facility failed to prevent the theft of 596 patients’ medical information.

7. Oroville Hospital, Oroville, Butte County: The hospital was assessed a $42,500 fine after the facility failed to prevent unauthorized disclosure of one patient’s medical information by one employee on two occasions.

8. Pacific Hospital of Long Beach, Long Beach, Los Angeles County: The hospital was assessed a $225,000 fine after the facility failed to prevent unauthorized access and use of nine patients’ medical information by one employee.

CDPH has assessed the penalties to these facilities under new legislation intended to protect the confidentiality of medical records. CDPH has determined that the hospitals failed to prevent unauthorized access to patient medical information, as required by Section 1280.15 of the Health and Safety Code. The penalties in this release are the first of their kind issued to each of these facilities.

An administrative penalty of $25,000 may be assessed against a medical facility for the breach of each patient’s medical information. A penalty of up to $17,500 is added for each subsequent breach of each patient’s medical information.
 

Continue Reading...

Restricting Employees' Internet Conduct May Violate Federal Labor Law

The following post was drafted by my colleagues Rob Fisher and Brian Bialas; although their focus is on the employment law aspects of this issue, the implications for corporate security/privacy policies are significant.  In particular, they note that such policies must not prohibit employees from criticizing their employer.  Time to check your existing policies on this point.

*  *  *

The rise of social media websites has created a host of challenges for employers. An employee’s post about his or her job can lead to claims of defamation or harassment by co-workers or may reveal confidential information. For these and other reasons, employers are taking steps to regulate what employees can and cannot do on the Internet. The recent issuance of a complaint by the General Counsel of the National Labor Relations Board (“NLRB”) against an ambulance company, however, is a reminder that efforts by employers to police employees’ posts on social media websites may run afoul of the National Labor Relations Act, the federal labor law. Although federal labor law has never before been applied to social media sites, the General Counsel alleged in the complaint that the company’s blogging and Internet policy was illegal and that the company unlawfully fired an employee for posting critical comments about a supervisor on her personal Facebook site.

According to the complaint, the company maintained a blogging and Internet policy that prohibited employees from posting pictures of themselves which depict the company, its logo or its ambulances and from “making disparaging, discriminatory or defamatory comments when discussing the Company or the employee’s superiors, co-workers and/or competitors.” Because the NLRB has long held that employees have the right under federal labor law to criticize their employer, the General Counsel alleged that this policy was unlawful.

Continue Reading...

Connecticut Insurance Commissioner Fines Health Net of Connecticut $375,000 for Information Security Lapses

On November 8, 2010, the Connecticut Insurance Commissioner, Thomas Sullivan, announced that the state's Insurance Department has reached an agreement with Health Net of Connecticut to pay $375,000 in penalties levied for what the Insurance Department characterized as "failures to safeguard the personal information of its members from misuse by third parties."  This included what the Insurance Department considered untimely notification of the 2009 loss of a disk drive resulting in the loss of personal health information of approximately 500,000 Connecticut members. 

Health Net will be providing credit monitoring protection for 2 years to all Connecticut members and providers who were affected by the 2009 data breach.  Health Net also has undertaken significant steps to improve data and equipment security.  Under the terms of the settlement, none of the cost of those improvements will be passed along to Health Net members.

Sources have indicated that the overall cost to Health Net in responding to this breach has been over $7 million.  Our July 7, 2010 posting contains information about the Connecticut AG's settlement of HIPAA claims with Health Net.

Taking of a Blood Sample and Creation of a DNA Profile Found Not to Be an Unreasonable Search

In a recent decision by the United States Court of Appeals for the First Circuit, Martin Boroiang v. Robert S. Mueller, III, et al., No. 09-1630, the First Circuit rejected a challenge to the requirement that a blood sample be given by a federal offender for purposes of creating a DNA profile and entering it into a centralized government database.

The DNA Analysis Backlog Elimination Act of 2000 (“DNA Act”) applies to individuals who have been convicted of a “qualifying federal offense” and who are incarcerated or on parole, probation, or supervised release.  It requires such individuals to provide a DNA sample.  These samples are loaded on CODIS, a powerful identification and investigation tool, permitting state and local forensic laboratories "to exchange and compare DNA profiles electronically in an attempt to link evidence from crime scenes for which there are no suspects to DNA samples of convicted offenders on file in the system." H.R. Rep. 106-900(I), at 8 (2000), 2000 WL 1420163.

Mr. Boroiang was convicted of making a false statement in violation of 18 U.S.C. § 1001, and sentenced to one year of probation.  Just before his term of probation was to expire, the United States Probation Office ordered him to submit to the drawing of a blood sample pursuant to the DNA Act.  Presumably troubled by the imposition of this requirement even though he had served no time in jail and had not committed any violent offense, Boroiang filed a pro se complaint, asking to have the request withdrawn, but at the same time he submitted to the request so that he could complete his probation.

The First Circuit’s opinion addressed the question of whether it is constitutional for the government to retain and access a qualified federal offender’s DNA profile after his term of supervised release or probation has ended. The First Circuit held that the retention and matching of the DNA profile was not a separate “search” and that it was consistent with historical practices and precedents on the retention or matching of offenders' identification records (such as fingerprints or mugshots).

The Court made it clear that it was not suggesting that "once a DNA sample is lawfully extracted from an individual and a DNA profile lawfully created, the individual necessarily loses a reasonable expectation of privacy with respect to any subsequent use of that profile."  Rather, the ruling was a narrow one, standing only for the proposition "that once a qualified federal offender's profile has been lawfully created and entered into CODIS under the DNA Act, the FBI's retention and periodic matching of the profile against other profiles in CODIS for the purpose of identification is not an intrusion on the offender's legitimate expectation of privacy and thus does not constitute a separate Fourth Amendment search."

Connecticut Attorney General Reaches First State HIPAA Settlement with Health Net

On July 6, 2010, Connecticut Attorney General Richard Blumenthal announced a settlement with Health Net and its affiliates (Health Net of the Northeast, Inc., Health Net of Connecticut Inc., and parent companies UnitedHealth Group Inc. and Oxford Health Plans) of a suit that cited failure to secure private patient medical records and financial information on nearly a half million Connecticut enrollees and to promptly notify consumers endangered by the breach.

 

The settlement marks the first action by a state attorney general for violations of HIPAA since the Health Information Technology for Economic and Clinical Health ("HITECH") Act authorized state attorneys general to enforce HIPAA.  The settlement includes two years of consumer credit monitoring, $1 million of identity theft insurance and reimbursement for the costs of security freezes. Under the settlement, Health Net and its affiliates also agreed to:

 

· A “Corrective Action Plan” in which Health Net is implementing several measures to protect health information and other private data in compliance with HIPAA. This plan includes continued identity theft protection, improved systems controls, improved management and oversight structures, improved training and awareness for its employees, and improved incentives, monitoring, and reports.

· A $250,000 payment to the state representing statutory damages.

· An additional contingent payment to the state of $500,000, should it be established that the lost disk drive was accessed and personal information used illegally, impacting plan members.

FTC Delays Enforcement of Red Flags Rule Against Doctors & Hospitals Until Appeals Court Rules

On June 25, 2010, federal district court judge Reggie B. Walton of the United States District Court for the District of Columbia entered a stipulated court order (.pdf) directing the  Federal Trade Commission (FTC) to delay enforcement of the FTC's Red Flags Rule against doctors and medical practices represented by the American Medical Association (AMA) and American Osteopathic Association.  The FTC and AMA agreed to this delay in a Joint Stipulation (.pdf), filed in the lawsuit initiated by the AMA and other medical associations to exclude doctors and other medical professionals from the application of the Red Flags Rule. 

The key issue in the case is whether medical practices should be considered "creditors" under the Red Flags Rule and the Fair and Accurate Credit Transactions Act (FACTA or the FACT Act).  The case follows lawsuits filed beginning in 2009 by the American Bar Association (ABA) and the American Institute of Certified Public Accountants (AICPA) to exclude lawyers and accountants from the scope of the new rules.  In October 2009, Judge Walton ruled that lawyers were not "creditors" subject to the Red Flags Rule.  The FTC has appealed the order and the United States Court of Appeals for the District of Columbia Circuit is expected to issue a decision clarifying the scope of the law.

In the recently approved stipulation, the AMA and the FTC have agreed to stay their dispute until the Court of Appeals issues its opinion.  The FTC has also agreed to delay enforcement of the Red Flags Rule for 90 days after the Appeals Court issues its ruling.

Spokeo In Violation of Federal Privacy Laws According to New CDT Complaint Filed With FTC

This week, the Center for Democracy & Technology (CDT) submitted a complaint (.pdf) to the Federal Trade Commission (FTC) alleging that the data broker website Spokeo was violating federal financial privacy law by not taking adequate safeguards to protect consumers.  Spokeo is a website that bills itself as a search engine that allows users the ability to look up "people-related information from phone books, social networks, marketing lists, business sites, and other public sources." 

According to the CDT's complaint, Spokeo is in violation of the Fair Credit Reporting Act, which requires "consumer reporting agencies" to take certain actions to protect consumer privacy, including allowing consumers the right to access information about themselves, to correct mistakes and to be advised of adverse decisions made based on Spokeo's data.  The FCRA also strictly limits the disclosure of consumer data to a limited number of "permissible purposes," yet the CDT complaint does not appear to raise claims regarding Spokeo's disclosure of consumer data to its users.  The complaint does allege that Spokeo's actions amount to unfair and deceptive acts in violation of the FTC Act.

Cracking Down: Twitter Settles Charges that It Did Not Take Adequate Security Precautions To Protect User Privacy Settings

Today, the Federal Trade Commission (FTC) and Twitter announced that Twitter has agreed to settle FTC charges that the company failed to take sufficient security measures to protect user privacy settings.  

The FTC charges stem from breaches in security that occurred in 2009, when hackers accessed Twitter employee accounts and used administrative controls to access the Twitter accounts of high-profile users, including Barack Obama.  (Under hacker control, President-elect Obama's Twitter account apparently "offered his more than 150,000 followers a chance to win $500 in free gasoline.")  Twitter candidly announced the first security incident in January 2009 and blogged about a second incident in April 2009.

The FTC Complaint (.pdf) lists the following security flaws among Twitter's failings:

  • Twitter allegedly did not have policies that required its administrators to select hard-to-guess passwords and instead, administrators were permitted to use "weak, lowercase, letter-only, common dictionary word[s]" as administrative passwords.
     
  • Twitter employees were allowed to store administrative passwords in plain text form, so that once hackers broke into their accounts, the hackers had full administrative access to other users' accounts.
     
  • Twitter did not disable administrative accounts after a number of unsuccessful login attempts, allowing hackers to easily run automated tools to break into the accounts.
     
  • Twitter administrators were not required to change their passwords regularly.
     
  • Twitter did not limit administrative access to user accounts to those employees that needed such access.
     
  • Twitter did not do enough to restrict administrative access to authorized individuals, including by requiring administrators to log into a separate employee website or restricting administrator access to specific IP addresses.
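The FTC's list above reads as a checklist of controls on an administrative login path. As an added example, not code from the original post or from Twitter, the Python below sketches a small admin directory that rejects the "weak, lowercase, letter-only, dictionary word" passwords the complaint describes, stores only a salted PBKDF2 hash rather than plain text, locks an account after a fixed number of failed attempts, and refuses admin logins from outside an allowed network. The word list, the lockout threshold of five and the 10.0.0.0/8 admin network are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import ipaddress
import os
import re

# Constructed stand-in for a real dictionary word list.
COMMON_WORDS = {"password", "happiness", "letmein", "welcome", "twitter"}

MAX_FAILED_ATTEMPTS = 5                                    # assumed lockout threshold
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]      # assumed corporate range
PBKDF2_ROUNDS = 100_000


def password_is_acceptable(password):
    """Reject short, lowercase-only, letters-only and dictionary-word passwords.
    Requires 12+ characters drawn from at least three character classes."""
    if len(password) < 12 or password.lower() in COMMON_WORDS:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for c in classes if re.search(c, password)) >= 3


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the plain-text password is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class AdminDirectory:
    def __init__(self):
        self._users = {}   # username -> {"salt", "digest", "failures", "locked"}

    def add_admin(self, username, password):
        if not password_is_acceptable(password):
            raise ValueError("password violates the administrator password policy")
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "digest": digest,
                                 "failures": 0, "locked": False}

    def login(self, username, password, source_ip):
        """Return 'ok', 'bad-network', 'locked' or 'denied'."""
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in ADMIN_NETWORKS):
            return "bad-network"             # admin access only from allowed addresses
        user = self._users.get(username)
        if user is None:
            hash_password(password)          # burn the same time for unknown users
            return "denied"
        if user["locked"]:
            return "locked"
        _, digest = hash_password(password, user["salt"])
        if hmac.compare_digest(digest, user["digest"]):
            user["failures"] = 0
            return "ok"
        user["failures"] += 1
        if user["failures"] >= MAX_FAILED_ATTEMPTS:
            user["locked"] = True            # stops automated guessing tools
            return "locked"
        return "denied"


if __name__ == "__main__":
    directory = AdminDirectory()
    directory.add_admin("alice", "Tr0ub4dor&3xample!")
    print(directory.login("alice", "Tr0ub4dor&3xample!", "10.1.2.3"))   # ok
    print(directory.login("alice", "Tr0ub4dor&3xample!", "192.0.2.9"))  # bad-network
```

The lockout here is permanent until an administrator intervenes; a production system would usually add a cooling-off period and alerting on the lock event, but the point the complaint makes is that some lockout must exist at all.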

What may be a key issue for many online businesses developing social networking sites is that, according to the FTC, users' privacy settings may impose an implicit duty on the website operator to take certain security precautions in order to preserve the user's settings. In Twitter's case, the site allowed users to make some "tweets" (short user messages/postings) private and the alleged lack of security allowed hackers to access those private messages.  The FTC Complaint (.pdf) claims that "Twitter has engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security to: prevent unauthorized access to nonpublic user information and honor the privacy choices exercised by its users in designating certain tweets as nonpublic."  According to the FTC, the lack of security was so severe that Twitter's claim that users' privacy was protected amounted to a deceptive act under the FTC Act. 

In its Agreement (.pdf) with the FTC, Twitter consented to adopt a comprehensive information security program and submit independent security assessments to the FTC every other year for the next 10 years.  In today's blog posting, Twitter indicated that "[e]ven before the agreement, we'd implemented many of the FTC's suggestions and the agreement formalizes our commitment to those security practices."

 

ALERT: FTC Delays Enforcement of Red Flags Rule Through December 31, 2010

Today, the Federal Trade Commission issued a press release and an Enforcement Policy (.pdf) extending the deadline for enforcement of the FTC's Red Flags Rule through December 31, 2010.  The agency cited requests from members of Congress for a postponement of the deadline while legislators tinker with federal law to exclude certain businesses from application of the Rule.  The FTC announcement states:

Several members of Congress have once again asked the Commission to delay the Rule’s enforcement, through the end of the year, to give Congress time to reach a consensus on the types of businesses that should be covered under the Rule. The Commission believes that a limited further postponement is warranted so that it does not begin to enforce a regulation that Congress plans to supersede.

                                                                 *    *    *

The Commission urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays.

In October 2009, the House of Representatives unanimously passed HR 3763 (.pdf), a bill that would exempt from application of the Rule law firms, accounting firms and medical practices with 20 or fewer employees.  This week, on Tuesday, May 25, 2010, Senators John Thune and Mark Begich introduced S.3416 (.pdf), a parallel bill that amends the law to exclude the same small firms and practices.  The bill is currently before the Senate Committee on Banking, Housing, and Urban Affairs.

This move comes days before the June 1, 2010 deadline that the FTC set in October for enforcement of the Red Flags Rule.  Beginning in 2008, the FTC created controversy by construing the Red Flags Rule to apply to a wide range of "creditors", including anyone that invoices customers after providing goods or services.  As a result, the FTC has faced backlash from law firms, accounting firms and medical practices.  Groups representing these industries have filed lawsuits against the FTC to prevent it from applying the Red Flags Rule.  

While it seems likely that Congress will exclude some businesses from the application of the Red Flags Rule, the current efforts may not represent cause for widespread celebration in the legal, accounting and medical communities.  If the new bill expressly excludes small practices, one effect of the new law may be to confirm a legislative intent that larger law firms, accounting firms and medical practices (i.e., those that employ more than 20 individuals) remain subject to the Red Flags Rule. 

REMINDER: Red Flags Rule Enforcement Deadline Falls Next Week

This Tuesday, June 1, 2010, marks the official deadline for compliance with the Federal Trade Commission's Red Flags Rule.  The deadline for enforcement of the Red Flags Rule has been delayed repeatedly since its original deadline in November 2008, but the FTC has remained silent on further delays since it announced the current deadline in October of last year.  

The FTC's Red Flags Rule is a set of regulations that require financial institutions and creditors to adopt written identity theft prevention programs.  The FTC sparked considerable controversy when it announced that the Rule applies broadly to a range of businesses unused to being subjected to financial industry regulation (i.e., any individual or company that bills its customers after it provides goods or services).  As a result, a number of industry groups have filed lawsuits to challenge the FTC's application of the Red Flags Rules to lawyers, accountants and, most recently, medical professionals.

As Tuesday approaches, we look to the FTC to announce whether the agency is ready to begin enforcement of the Red Flags Rule.

New Google Tool Maps Government Requests For Users' Personal Information

This week Google rolled out its Government Requests tool that quantifies the number of government requests it receives from various countries around the world.  The move was announced by David Drummond, Google's Chief Legal Officer on Tuesday on the official Google blog.  In his post, Drummond stated:

So it's no surprise that Google, like other technology and telecommunications companies, regularly receives demands from government agencies to remove content from our services. Of course many of these requests are entirely legitimate, such as requests for the removal of child pornography. We also regularly receive requests from law enforcement agencies to hand over private user data. Again, the vast majority of these requests are valid and the information needed is for legitimate criminal investigations. However, data about these activities historically has not been broadly available. We believe that greater transparency will lead to less censorship.

The issue has been somewhat controversial in the wake of the expansion of government requests in recent years.  The Google Tool maps the number of data requests and removal requests that Google received between July 1, 2009 and December 31, 2009.  Google indicates that it will be updating this data every six months.

Cracking Down: FINRA Fines Blackmailed Brokerage Firm $375,000 for Violation of Reg S-P

On Monday, the Financial Industry Regulatory Authority (FINRA) announced that brokerage firm D.A. Davidson & Co. had consented to the imposition of a $375,000 fine for lax security measures that allowed hackers working for an "international crime group" to obtain personal information on thousands of customers. 

The breach itself occurred in December 2007 when hackers used a "SQL injection" attack to obtain data on over 100,000 of Davidson's customers from the firm's online account system.  (FINRA's announcement alleges that the breach affected 192,000 customers, but court filings and the hackers'  own claims put the number as high as 300,000).  Davidson remained unaware of the breach until January 2008, when they received an email from Robert Borko, an Eastern European man, who demanded that Davidson pay him $80,000 for the return of the data and a "security consultation."  Borko suggested in broken English that Davidson did "not want to involve FBI here and we can have agreement like businesman.”

Davidson instead worked with the U.S. Secret Service to snare the hackers / "security consultants" behind the breach.  Ultimately, this led to the indictment of not only Borko, but also Aleksandrs Hoholko, Jevgenijs Kuzmenko and Vitalkijs Drozdovs, three Latvian men who attempted to pick up Davidson's blackmail payment in a Western Union in the Netherlands.  Hoholko, Kuzmenko and Drozdovs were arrested in February 2008 by the Netherlands High Tech Crime Unit and extradited to the United States, where they have pled guilty to extortion charges.  [These and other colorful details of the breach and blackmail attempt can be pulled from the filings in the criminal case against the Latvian men, including the defendants' motion to dismiss (.pdf) and the government's response (.pdf).]

Davidson spent $1.3 million on credit monitoring for its customers and settled a class action last year by agreeing to pay up to $1 million for any harm to its customers [see the Davidson settlement site].  At present, Davidson reports that no customer has been the victim of identity theft as a result of the intrusion.

According to the FINRA press release and the parties' April 9, 2010 letter of consent (.pdf), FINRA claims that Davidson failed to adopt the minimum security measures required by Regulation S-P, when it made its customer database available over the Internet.  In particular, FINRA found that Davidson violated Reg S-P because the firm:

  • did not encrypt the customer database;
     
  • did not review web server logs which identified the SQL injection attacks;
     
  • did not regularly review perimeter security logs (even though "the attacks were not visible on those logs");
     
  • did not have any written procedures in place for the review of web server logs;
     
  • did not have an intrusion detection system in place; and
     
  • did not have any written procedures "setting forth an information security program designed to respond to intrusions."

FINRA specifically found it compelling that Davidson had retained independent security consultants in 2006 and 2007 and implemented the majority of the consultants' recommendations, but had failed to put in place the recommended intrusion detection system.  Even without the system, the security consultants were apparently unable to breach Davidson's security.

Regulated broker-dealers and other financial institutions subject to Regulation S-P or other Gramm Leach Bliley Act (GLBA) regulations, including the FTC's Safeguards Rule, should take note of the alleged violations in this case.  Regulated entities with online customer accounts should consider whether they have implemented intrusion detection systems, routinely monitor web server logs, and have adopted written incident response procedures.

LifeLock To Pay $12 Million to Settle Charges That Identity Theft Prevention and Data Security Claims Were False

LifeLock, Inc., a self-proclaimed “industry leader in the rapidly growing field of identity theft protection” has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that Lifelock falsely promoted its identity theft protection services. Lifelock publicized its services through advertisements that publicly disclosed its CEO’s Social Security number. As part of the settlement, LifeLock and its principals will be barred from making deceptive claims and required to take more stringent measures to safeguard the personal information they collect from customers.

The FTC’s complaint charged that the fraud alerts that LifeLock placed on customers’ credit files protected only against a few types of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft. New account fraud, the type of identity theft for which fraud alerts are most effective, comprised only about 17 percent of identity theft incidents. The FTC also alleged that Lifelock provided no protection against other types of identity theft, such as medical identity theft and employment identity theft. 

The FTC’s complaint further alleged that LifeLock claimed that it would prevent unauthorized changes to customers’ address information, that it constantly monitored activity on customer credit reports, and that it would ensure that a customer always would receive a telephone call from a potential creditor before a new account was opened.  Ironically, the FTC also charged that LifeLock’s own data repositories were not encrypted, and sensitive consumer information was shared inappropriately, and could have been exploited by hackers. 

The FTC will use the $11 million it receives from the settlements to provide refunds to consumers. It will be sending letters to the current and former customers of LifeLock who may be eligible for refunds under the settlement.

"Data, Data Everywhere" -- Recommended Reading

The February 27 issue of The Economist has an excellent special report, "Data, data everywhere:  A special report on managing information."  It features a series of articles on the volume of information that is overtaking business and society, and the means by which business and governments are responding.

FTC Tells Businesses, Schools and Local Governments: Stop Sharing Personal Information On Peer-To-Peer Filesharing Networks

The Federal Trade Commission (FTC) announced yesterday that it had notified "almost 100" companies and organizations, including schools and local governments, that sensitive personal information from those entities was being shared across peer-to-peer (P2P) filesharing networks. This has apparently resulted in circulation of customer personal information, health information, Social Security numbers and other sensitive data. 

Poorly supervised use of P2P networks has frequently been the subject of unwanted attention, including from the FTC.  For our coverage on P2P security issues, see our prior posts here ("Congressional Aide Shares Secret Ethics List With The World"), here ("Incident of the Week: Seattle Man Sentenced To Three Years In Prison For Using Peer-To-Peer Software To Steal Financial Records, Commit Identity Theft") and here ("Rep. Mary Bono Mack Introduces Informed P2P User Act To Combat Inadvertent File Sharing"). 

The danger with P2P filesharing software is that failure to select the proper settings can result in opening up all documents on a computer to anonymous users on the Internet.  As the FTC warned in its press release: "when P2P file-sharing software is not configured properly, files not intended for sharing may be accessible to anyone on the P2P network."  The problem commonly arises when a business's staff load P2P filesharing software on company computers to access music or other downloads (which can be illegal in itself), but fail to properly configure the software.

The FTC has provided the following examples of the notification letters it has mailed to entities: FTC Sample Letter A (.pdf), FTC Sample Letter B (.pdf) and FTC Sample Letter C (.pdf).  The FTC has also directed these entities to its newly-unveiled guide to taking proper security measures to prevent unauthorized P2P access.  The FTC has indicated that it "has opened non-public investigations of other companies whose customer or employee information has been exposed on P2P networks." 

Incident(s) of the Week: Recent Updates from Prior Incidents

1.  The FTC Fines Las Vegas Man $35,000 for Dumping Customer Financial Records In Public Dumpster

This week, the FTC finalized a $35,000 settlement with Gregory Navone, the real estate broker who left 40 boxes of customer tax returns, bank statements, consumer reports and other financial records in a public dumpster behind an office building in Las Vegas.  The defendant agreed to the fine, which amounts to $875 per box, as well as a stipulated order (.pdf) requiring him to adopt a comprehensive written information security program.  We first posted on this case a year ago, after the FTC filed its complaint (.pdf). 

In addition to the dumping of consumer financial information, the FTC alleged that Navone had failed to implement physical and electronic security procedures or take reasonable steps to secure the customer records he stored at home in his garage.  According to the FTC, these activities violated the FTC Act, the Fair Credit Reporting Act (FCRA) and Navone's own information security policy which read:

We take our responsibility to protect the privacy and confidentiality of customer information very seriously.  We maintain physical, electronic, and procedural safeguards that comply with federal standards to store and secure information about you from unauthorized access, alteration and destruction.

(See Complaint (.pdf), Para. 9).  Everyone subject to document destruction laws may want to note this case and keep in mind that $35,000 is the fine imposed on an individual / small business.

 2.  Fight Breaks Out Over Whether Hacker Responsible For Largest Data Breach In History Suffers From "Internet Addiction"

In December, Albert Gonzalez, aka "segvec," "soupnazi" and "j4guar17" pled guilty to charges that he masterminded the theft of over 100 million consumer credit card numbers and other financial information from Heartland Payment Systems, 7-Eleven and other companies.  We posted on his indictment last August and again on his curious role as government informant.  The public recently gained a new window on Gonzalez's soul from filings made by defense attorneys that portray the hacker as an "Internet addicted" youth compelled to commit cybercrime.  Collecting statements from Gonzalez's psychologist, family members and a former girlfriend, the defendant's sentencing memorandum (.pdf) provides an interesting point of view on the life of the hacker:

As a young boy, Gonzalez was an outwardly normal enough kid -- he had friends, engaged in activities, worked alongside his father, received good grades in school, and was part of a warm and loving family which continues to stand by him.  In middle school, things began to change, and by high school Gonzalez had become a different person -- a loner, without friends, who passed up normal teenage activities, including dating, to devote himself to his new-found and rapidly escalating obsession: computers.

*    *    *

Seeking to break Gonzalez of his computer habit, his mother periodically sought to deny him access to his computer or to at least curtail his usage, once putting it in his sister's room.  Rather than be deprived of access to his computer, Gonzalez would go to his sister's room in the middle of the night to use it.  Gonzalez's social contacts narrowed to computer chat rooms where he communicated with others with knowledge of computers and to meetings of other computer-savvy individuals, many of whom were hackers and from whom he learned much that he would, unfortunately, later convert to unlawful purposes.

*    *    *

[B]y [ ] early 2002 -- Gonzalez, age 21, had developed a serious drug and alcohol problem . . . which played a substantial role in the subsequent course of his life.  This is not to say that his substance abuse affected Gonzalez' [sic] ability to tell right from wrong.  It did not, and he knew when he turned to cyber-crime that it was wrong.  What it did do, however, was contribute to his inability to stop himself.  What developed over time was a destructive cycle of using drugs to permit him to stay awake and alert for long hours at the computer but also using them to try to get away from the computer . . . .

*    *    *

Computers . . . had become the center of his life, his raison-d'etre, if you will.  He and his computer in many ways became one: he thought in computer-speak instead of normal words, and, when his computer was infected by a virus, [he] referred to the event as if it were he, himself, who had gotten the virus.

Describing Gonzalez as unable to stop his urge to commit cybercrime, defense counsel has asked the Court to sentence him to 15 years in prison, the minimum sentence permitted.  Last week, federal prosecutors renewed their request to have a government psychologist examine Gonzalez to combat the defendant's claim that his "internet addiction" merits leniency within the 15 to 25 year sentencing range. 

Is Tougher HIPAA Enforcement Finally On Its Way?

It has been well over a decade since the passage of HIPAA in 1996. HIPAA has caused many changes in the way the business of health care works, including going a long way to create the position of “health information professional.” One area where HIPAA has, as yet, had little impact has been in enforcement. The history of enforcement of HIPAA’s privacy and security rules has been slim and almost none. The changes in behavior that have occurred have been done out of a desire to follow the law, and not due to fear of prosecution or administrative action. 

First and foremost in this regard, I note the recent decision of the Department of Health and Human Services to transfer the authority for enforcement of HIPAA’s security rules to the Office of Civil Rights. The Office of Civil Rights is certainly in a better position to undertake enforcement than CMS. According to my colleague, Tom Barker, the Office of Civil Rights has a field force of 275 investigators that have an annual budget of $40 million. I believe OCR will need to justify that budget and the most visible way to do that is to bring enforcement actions and recover significant penalties. Nevertheless, $40 million does not go as far as it used to, and it certainly is not enough for a broad-based, nationwide enforcement initiative. Instead, I suspect we will start to see incrementally more enforcement actions, higher financial penalties and a few selected audits. 

Also pushing HIPAA enforcement is the HITECH Act, which was passed in February 2009 and much of which will go into effect in February 2010. Through the HITECH Act, HIPAA business associates under HIPAA are now subject to almost the same regulations as HIPAA covered entities. Penalties for HIPAA violations also were increased, and the ability to enforce some rules has been extended to state attorneys general. 

There is one additional factor in the enforcement environment that is little-noticed, but nevertheless is very significant: the general public.


Massachusetts Regulators Finalizing Information Security Regulations, Keep March 1, 2010 Deadline

According to BNA reporter Martha Kessler, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has filed its final information security regulations and will be making them public this week.  BNA has released what they claim to be the final regulations (.pdf) [also available from BNA here (html)].  The final rules appear to have been tweaked only slightly from the draft regulations issued on August 17, 2009.  In a redline comparison (.pdf) against the last draft, two primary revisions emerge:

  1. Entities affected by the regulations have been expanded to include businesses and individuals that merely store personal information; and
     
  2. A clarification was made to the provision requiring affected businesses to negotiate written contracts with service providers that handle personal information.  The tweaks make clear that the grandfather provision that permits companies to rely on service provider contracts already in place will expire on March 1, 2012.

The March 1, 2010 deadline remains unchanged. 

While the final regulations have not been posted to the OCABR website, many are eagerly awaiting to see if the OCABR also provides additional guidance on how to comply, as Undersecretary Anthony promised at the public hearing on these regulations in September.

UPDATE: On Wednesday, November 4th, the OCABR released the final Massachusetts information security regulations (.pdf) to the public, as predicted.  In its new release, the OCABR also announced the publication of its report on consumer data breaches between 2007 and 2009 (.pdf).  The report indicates that since the Massachusetts data breach notification law (M.G.L. ch. 93H) went into effect in 2007, over 1 million Massachusetts residents have been affected by a noticed breach.  Among the many practices mentioned in the report, the OCABR has warned against: (1) "poor employee handling;" (2) documents sent to the wrong recipient; and (3) not taking steps to prevent access by terminated employees.

ALERT: FTC Announces Delay in Red Flags Enforcement Until June 1, 2010

Two days before they were scheduled to go into effect, and on the same day that a federal judge ruled that lawyers should be excluded from enforcement, the Federal Trade Commission (FTC) announced today that it was delaying enforcement of its Red Flags Rule until June 1, 2010.  In the announcement, the FTC stated that the delay was due to "the request of Members of Congress" and highlighted the efforts it has made to provide guidance to covered entities on how to comply with the Rule.  However, the announcement specifically mentioned the October 30, 2009 ruling by District Judge Reggie B. Walton of the U.S. District Court for the District of Columbia (see our coverage here), in which the Court granted the ABA's motion for summary judgment, finding that the FTC may not apply the Rule to attorneys.  According to the announcement, the delay in enforcement "does not affect the separate timeline" of the ABA's lawsuit "and any possible appeals."  Given the timing of the announcement, the most likely explanation for the delay is that the FTC wants to give itself time to appeal the district court's decision in the ABA suit. 

To recap the events leading up to this postponement: in April, the ABA received word that the FTC intended to enforce the FTC's Red Flags Rule, 16 CFR Part 681, against lawyers.  The ABA immediately asked the FTC to extend the May 1, 2009 deadline and the FTC obliged by postponing the deadline until August 1, 2009 (see our post on this topic).  After the ABA publicly called on the FTC and Congress to exempt lawyers from the Red Flags Rule in late June, it filed suit in federal district court on August 27, 2009, leading to the ruling in its favor this morning.

However, as we noted in our post on the district court's ruling, caution may be warranted for attorneys because a number "of federal and state laws demand that companies ensure that customer information is protected "downstream" -- i.e., by consultants, accountants, lawyers and anyone else who is given access to customer records . . . . Under these overlapping obligations [along with the fact that the FTC will almost certainly appeal Judge Walton's decision to the D.C. Court of Appeals] lawyers and law firms who represent regulated businesses may ultimately have little to celebrate as a result of the ruling in favor of the ABA" and the delay in enforcement of the Rule.

Federal Judge Rules That Lawyers Need Not Comply With Red Flags Rules

After hearing argument yesterday, Federal District Judge Reggie B. Walton entered an order (.pdf) this morning granting the American Bar Association's (ABA) request that lawyers be excluded from enforcement of the Federal Trade Commission's (FTC's) controversial Red Flags Rules.  This comes as the legal community steeled itself for the FTC's imminent November 1st enforcement deadline.  The order does not go into detail to explain the Court's decision, but promises a written legal opinion within the next month.

The ABA sued the FTC in August to obtain this relief after lobbying both the FTC and Congress to exempt lawyers from the Red Flags Rules.  News of the judge's ruling spread after the hearing yesterday.  ABA President Carolyn B. Lamm stated "By voiding the FTC’s interpretation of a statute that was clearly not intended to apply to the legal profession, the court has ensured that lawyers stay focused on the mission of their work: providing aid and counsel to the individuals and organizations that need us."  No public comment has been posted by the FTC.

Caution may be warranted here, however.  Lawyers, like many other consultants that handle clients' documents and data, will likely be required to take many, if not all, of the same security measures demanded of their clients.  The Red Flags Rules require, among many things, that companies oversee how their service providers manage customer information and accounts (16 CFR Part 681.1(e)(4)).  As a result, lawyers may find themselves complying with the Red Flags Rules because they represent companies that must comply with the Rules, which currently include financial institutions and a range of businesses. 

It should be noted that a range of federal and state laws demand that companies ensure that customer information is protected "downstream" -- i.e., by consultants, accountants, lawyers and anyone else who is given access to customer records. Many state identity theft regulations, such as the strict Massachusetts regulations promulgated as 201 CMR 17.00, require that companies obtain written certifications that service providers are taking all the same security measures as their clients.  Moreover, financial institutions governed by the Gramm Leach Bliley Act and health care providers covered by HIPAA have similar requirements.  Under these overlapping obligations, lawyers and law firms who represent regulated businesses may have little to celebrate as a result of the ruling in favor of the ABA.

Subject of FBI Investigation Reveals Government Concerns About Access to Federal Courts' Public PACER System

Reddit co-founder Aaron Swartz was apparently the subject of an FBI investigation for “participating in a project to take the publicly owned US court records from the PACER database (where they were very expensive to access) and put them on the web.” 

Mr. Swartz has made this information public by releasing the contents of his FBI file, obtained through a Freedom of Information Act request. His file reveals that the FBI was treating his access of PACER as a crime which cost the victim, the Administrative Office of the US Courts, approximately $1.5 million. The file suggests, but does not explicitly state, that the crime may have been a violation of the Computer Fraud and Abuse Act (18 U.S.C. §1030), as the FBI apparently asked the Administrative Office of the US Courts how Mr. Swartz would have known his access was unauthorized.

The FBI closed its investigation of Mr. Swartz without filing charges. The investigation of Swartz's activity, coupled with questions about what constitutes accessing a computer "without authorization" under anti-hacking statutes (as I previously discussed here), suggests that future efforts to open the PACER system (as well as existing efforts, like RECAP) may meet with some government resistance.

For more on efforts to make the PACER system more accessible to the public, see our previous posts on the subject.


Incident of the Week: Declassified Documents Show FBI Expanding Data Mining Efforts Over 1.5 Billion Personal Records (And Counting)

Declassified documents obtained (but not published) by WIRED Magazine indicate that the FBI has been hard at work expanding a database of Americans' personal and financial information.  According to WIRED, the FBI's National Security Branch Analysis Center (NSAC) has compiled a database of "more than 1.5 billion government and private-sector records" and has been mining this database for use in criminal investigations. The data, which apparently has been obtained from a number of private companies, includes transaction records from hotels, rental car companies and retailers. [Note that this database dwarfs the largest known data breach to date, which involved a mere 130 million records. One hopes that they have policies in place to prevent abuse.]  The records include:

  • International travel records of citizens and foreigners
  • Financial forms filed with the Treasury by banks and casinos
  • 55,000 entries on customers of Wyndham Worldwide, which includes Ramada Inn, Days Inn, Super 8, Howard Johnson and Hawthorn Suites
  • 730 records from rental-car company Avis
  • 165 credit card transaction histories from Sears
  • Nearly 200 million records transferred from private data brokers such as Accurint, Acxiom and Choicepoint
  • 17,000 traveler itineraries from the Airlines Reporting Corporation

This program is picking up speed. Declassified documents obtained by WIRED apparently show that the FBI has 103 full-time employees and contractors devoted to the project and has requested funding for 71 more.  Funding for the program has expanded from $47.5 million in 2007 to $78.7 million in 2008.  A U.S. Department of Justice document (.pdf) indicates that in 2009 alone, NSAC received 18 new employees and a more than $10 million increase in its budget.

This is not the first data mining project developed for the purposes of investigating terrorism and criminal activities.  In the wake of the September 11, 2001 attack, the U.S. government began development on a data mining project called "Total Information Awareness" or "TIA" which would analyze vast amounts of information regarding financial transactions, travel, health records and other types of customer data to detect terrorism and criminal activity.  The Defense Advanced Research Projects Agency (DARPA) and the Pentagon's short-lived Information Awareness Office were chiefly responsible for this project.  Based on concerns about the scope and privacy implications of the project, Congress pulled funding for the TIA program and shuttered the Information Awareness Office in September 2003. 

The current NSAC program makes it clear that the government has not given up on efforts to use large-scale data mining in criminal investigations.  To many, however, the program implicates the same privacy concerns as TIA and should be subject to strict scrutiny and oversight.  In 2007, congressmen Brad Miller and James Sensenbrenner sent a letter (.pdf) to the Government Accountability Office asking it to look into the NSAC project. One year later, congressman Miller sent a second letter (.pdf) to the House Committee on Appropriations demanding that funding to NSAC be suspended until the FBI outlines the program's purpose and provides "a clear idea of how NSAC intends to ensure that the program complies" with privacy guidelines.  According to congressman Miller, the U.S. Department of Justice refused to provide any information on the FBI's plan for the program and what information it planned to obtain.  In addition, the FBI apparently told GAO officials that the NSAC program was "not yet 'operational'" in an April 3, 2008 meeting.  In contrast, documents obtained by WIRED apparently indicate that the NSAC data mining operations have been used in prosecuting a number of individuals.


Massachusetts Supreme Judicial Court Allows Use of Secret GPS To Track an Individual's Movements, But Requires Police To Obtain Warrant

Earlier this year, the Wisconsin and New York state courts split on whether police may install a covert GPS tracking device on a suspect's car without a warrant.  On September 17, the Massachusetts Supreme Judicial Court addressed the GPS tracking device issue, ruling that Article 14 of the Massachusetts Declaration of Rights requires a warrant before such a device may be installed and used.

The defendant, Everett Connolly, was a suspected drug dealer who was investigated by police for more than a year.  The investigation included surveillance and controlled drug purchases by confidential informants and, towards the end of the surveillance period, by an undercover officer.  Based on this investigation, the police applied for a warrant to place a GPS tracking device on Connolly's van for fifteen days.  The application was granted and Connolly was eventually arrested (based on a separate arrest warrant), tried and convicted.  He argued to the SJC that, among other things, "surreptitious GPS monitoring without a warrant constitutes an unreasonable search and seizure that violates the Fourth Amendment . . . and art. 14 of the Massachusetts Declaration of Rights."  He based this argument on the theory that, although police had a search warrant, they continued to obtain information from that warrant after it had expired.

Read on for more detail and analysis of the SJC's opinion.


FTC to Host Public Roundtables in December to Address Evolving Consumer Privacy Issues

The Federal Trade Commission will host a series of public "roundtable discussions" to explore the privacy challenges posed by "technology and business practices that collect and use consumer data," including social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The FTC's expressed goal of the meetings is to determine how best to protect consumer privacy while supporting beneficial uses.

The first of these free, public meetings will be held Monday, December 7, 2009, at the FTC Conference Center in Washington, DC.  A live Webcast of the program also will be available at FTC.gov.  Individuals and organizations may submit requests to participate as panelists and may recommend topics for inclusion on the agenda.

ABA Sues FTC To Stop Application of Red Flag Rules to Lawyers

In a move threatened but not expected this soon, the American Bar Association today sued the Federal Trade Commission, in an effort to stop the application of the Red Flags Rule to lawyers.  The Red Flags Rule is scheduled to go into effect on November 1, 2009. 

The complaint (.pdf), which was filed in federal district court in Washington, D.C., seeks declaratory and injunctive relief, with the goal of making clear that lawyers are not "creditors" required to comply with the Red Flags Rule.  Interestingly, nowhere does the complaint suggest that lawyers are not just as vulnerable to identity theft as other professionals.  Rather, the complaint argues that lawyers are regulated at the state level, not by the federal government, and that the FTC has not been given the necessary authority by Congress to change this state of affairs.

The FTC had already delayed its planned enforcement of these rules from August 1 to November 1, in response to the ABA's objection (see our prior post on the back and forth between the FTC and ABA).  Whether there will be further delays in the Red Flags Rule implementation date, or further talks to discuss carving out lawyers, is not yet known.


IRS In Discussions With Swiss Bank UBS Over Identification of Bank Clients Suspected of Tax Evasion

On July 13, a federal judge in Miami granted a joint motion to stay an evidentiary hearing that was to be held as a result of a petition from the United States that the Swiss bank UBS be compelled to disclose the names of 52,000 American clients who were suspected of tax evasion.  The case has raised concerns about the effects of privacy laws in other nations on the ability of the federal government to enforce its own laws and created tension between the Justice Department, which had said it might fine, or even indict, UBS if the judge ordered it to disclose the names and it continued to refuse to do so, and the Swiss government, which has said it would not allow UBS to disclose any names.

The case began on February 19, 2009, when the United States filed a petition (.pdf) in the U.S. District Court for the Southern District of Florida, asking the court to enforce an IRS "John Doe" summons to UBS.  The IRS served the summons in furtherance of an investigation it was conducting to determine the identities of U.S. taxpayers who had allegedly failed to report the existence of, and income earned in, undeclared Swiss accounts with UBS.  On February 20, UBS filed a document containing what it termed "background information for the court's consideration" (.pdf).  In this filing, UBS argued that the IRS was essentially asking it to violate Swiss privacy laws, thereby exposing its employees and the bank to criminal and civil penalties.  UBS argued that the petition raised serious issues of international comity due to Swiss financial privacy laws, violated treaties between the United States and Switzerland and violated a prior agreement between the United States and UBS.  That same day, the United States filed a response (.pdf) that disputed the arguments made by UBS.

On April 30, UBS then filed a brief (.pdf) that expounded on its arguments against disclosure.  In support of UBS, the Swiss government filed an amicus brief (.pdf).  On June 30, the United States then filed its response (.pdf).  The federal judge had scheduled a hearing for July 13, 2009, to hear arguments on the petition.  On July 12, 2009, however, the parties filed a joint motion to stay the hearing, so they could continue to discuss settlement.  The judge granted the motion and re-set the hearing to August 3, in the event the parties could not reach a resolution.

The dispute between the IRS and UBS is also having effects on third parties.  The Wall Street Journal reported on Monday that Swiss banks are curbing or eliminating business with U.S. customers for fear of future action by U.S. authorities.  While it is probable that the U.S. and UBS will reach some sort of settlement (likely involving a payment by UBS to the U.S.), if the case goes forward it will be interesting to see what future effects the outcome could have, not just on financial transactions between American citizens and Swiss banks, but on transactions between American citizens and any other international bank, as well as on the federal government's ability to enforce tax laws beyond its borders.


ALERT: FTC Announces Delay in Red Flags Enforcement Until November 1, 2009.

Amidst calls from the legal community, the Federal Trade Commission (FTC) announced this morning that it was delaying enforcement of the FTC's Red Flag Rules until November 1, 2009.  The FTC's announcement of the delay emerged almost as a footnote to a public statement devoted largely to the FTC's "redoubled" efforts to "provid[e] additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply."  The FTC appears to be stepping up its outreach efforts with an "Expanded Business Education Campaign" that is intended to address those businesses that "remain uncertain about their obligations."  This seems aimed at the recent statements from the American Bar Association (ABA), which has called on the FTC and Congress to exempt lawyers from the FTC's Red Flags Rules and threatened to sue the FTC to stop any enforcement action against the legal industry.  

To recap the events leading up to this postponement: in April, the ABA received word that the FTC intended to enforce the FTC's Red Flags Rule, 16 CFR Part 681, against lawyers.  The ABA immediately asked the FTC to extend the May 1, 2009 deadline and the FTC obliged by postponing the deadline until August 1, 2009 (see our post on this topic).  After a few months of thought, the ABA publicly called on the FTC and Congress to exempt lawyers from the Red Flags Rule.  The ABA's June report on "Why the Red Flags Rule Should Not Apply to Lawyers" lays out a legal argument for why billing a client is not really an extension of credit that turns every lawyer and law firm into a "creditor" under the Red Flags Rule and the Fair and Accurate Credit Transactions Act (the FACT Act).  More recently, ABA President H. Thomas Wells, Jr. told the Blog of Legal Times that the ABA plans on filing a federal lawsuit this week to block enforcement of the Red Flags Rule, if "we don’t get some kind of sign."  And, perhaps on the ABA's urging, a House Appropriations subcommittee apparently asked the FTC to postpone its deadline yet again.  Other blogs and websites have been abuzz with "sources" close to the discussions between the ABA and the FTC, and then today the FTC announced that it had delayed the enforcement deadline yet again.

Lest anyone think that the ABA is on its own on this issue, the Massachusetts Bar Association sent the FTC a letter objecting to the application of the Red Flags Rules to lawyers and the New York County Lawyers Association also issued a report objecting to enforcement against lawyers.  State bar associations are joining the ABA in calling on the FTC to excuse them from the reach of the "new" regulations (which are, in fact, more than a year old at this point, after numerous delays in enforcement by the FTC).  

House Subcommittees Hold Joint Hearing On Behavioral Advertising

On June 18, 2009, the House Subcommittee on Commerce, Trade and Consumer Protection held a joint hearing with the Subcommittee on Communications, Technology, and the Internet on the topic of “Behavioral Advertising: Industry Practices and Consumer Expectations.” The subcommittee members explained that they hoped the hearing would help determine the need and possible parameters for new legislation governing privacy and behavioral advertising.


Good News and Bad News: An Employer Is Hiring; It's The HHS Office of Civil Rights!

In an email to its listserv earlier today, the federal Department of Health and Human Services announced it "is expanding its health information privacy enforcement team."  In particular, HHS is hiring for two new positions located in HHS's "Office of the Secretary, Office for Civil Rights (OCR), Office of the Deputy Director Health Information Privacy (ODDHIP)."  As described on USAJOBS.GOV, the people to be hired "will be responsible for reviewing, analyzing, implementing, promoting, or improving proposed or existing programs or policies needed to implement OCR's authority for ensuring compliance with the privacy of health information."  If you are a privacy officer, this could be the federal government stimulus you've been waiting for!

FTC and Other Agencies Issue Frequently Asked Questions (With Answers) on Red Flags Rules

On June 11, 2009, six federal agencies issued answers to a set of frequently asked questions (FAQ) (.pdf) to "assist financial institutions, creditors, users of consumer reports and card issuers in complying with the final rulemaking" on identity theft.  The agencies behind the FAQ are those that originally promulgated the Red Flags Rules (and issued Guidelines to assist covered entities in designing compliance programs): the Federal Trade Commission (FTC), the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS).  Some of the highlights from the FAQ are:

  • The agencies clarified that "all banks, savings associations and credit unions are covered by the Red Flags Rules and Guidelines as 'financial institutions,' whether or not they hold a transaction account belonging to a consumer," and including "those whose powers are limited to trust activities;"
     
  • Brokers, dealers, investment advisors or investment or insurance companies (including those that are subsidiaries of a bank or savings association) are covered by the Rules and Guidelines if they are a "financial institution" or "creditor" under the Fair Credit Reporting Act;
     
  • IRAs will generally be considered "covered accounts" and thus subject to the Rules and Guidelines;
     
  • The term "covered account" includes accounts established in the United States by non-U.S. residents;
     
  • Check forgery or use of a stolen credit card constitutes "identity theft" because it involves a fraud using the identifying information of another person without authority;
     
  • The Rules and Guidelines do not require a financial institution or creditor to educate consumers regarding the risk of identity theft, although such programs "may be helpful as part of an overall effort to address the problem of identity theft"
     
  • Financial institutions may, but are not required to, use automated systems to detect red flags, but may have to supplement such systems with non-automated procedures;
     
  • The Rules and Guidelines require financial institutions or creditors to oversee all service provider arrangements that relate to the opening or accessing of a covered account, not just those with providers that offer fraud detection services.

While it is certainly laudable for the agencies to put together a list of answers to various FAQs in order to facilitate the transition to when the Rules and Guidelines go into effect, I found many of the answers to be fairly unhelpful.  For starters, most of the questions and answers deal with the Rules and Guidelines only as they relate to financial institutions, even though they will apply to numerous other types of institutions.  Moreover, much of the guidance given was extremely vague.  For example, many of the answers to questions regarding covered accounts could be summarized as "it depends on whether the institution determines that there is a foreseeable risk of identity theft."  It would have been helpful for the agencies to provide some examples or other more concrete information.  Hopefully the agencies will expand on the FAQ in the near future to address concerns of entities beyond financial institutions and perhaps provide more concrete guidance.


ABA to Consider Asking FTC and Congress to Exempt Lawyers from Red Flags Rules

A contact at the American Bar Association (ABA) confirmed by telephone today that the ABA Board of Governors is meeting this Saturday, June 13, 2009 to determine what position the ABA will take on whether lawyers and law firms are (or should be) considered "creditors" subject to federal Red Flags Rules.  Many among the legal community are hoping that the ABA urges the FTC and Congress to exempt lawyers from compliance with federal Red Flags Rules or takes some other action to limit the scope of the FTC's enforcement.  (For background on the Red Flag Rules, see our prior postings here, here and here). 

The FTC has previously indicated that it plans to enforce the Red Flags Rules against lawyers along with any other business that sells goods or services now and bills its customers later (see our prior discussion here).  However, according to the ABA, the first it heard of this issue was when federal regulators notified the ABA of the government's position on April 23, 2009.  This was just a week before the FTC was to begin enforcement of the Red Flags Rules.  The next day, after the FTC attended an emergency meeting with the ABA Government Affairs Office, President H. Thomas Wells, Jr. directed a letter to FTC Chairman Jonathan D. Leibowitz (.pdf) requesting an additional three- to six-month delay in enforcement so that the ABA could consider its stance on this issue.  The FTC appears to have acquiesced to the ABA request a few days later, when the FTC postponed the May 1, 2009 enforcement deadline until August 1, 2009.

In the president's letter as well as a separate public statement (.pdf), the ABA indicated that "some" believe that federal precedent contradicts the FTC's expansive interpretation of the law (for more information, see our detailed discussion of the caselaw here and here).  The ABA has also noted that "the FTC has no examples of identity theft arising from an attorney-client relationship." 

Given the looming compliance deadline, it seems likely that we will hear from the ABA shortly -- possibly as early as next week.  In view of the FTC's response (.pdf) to the public objection raised by the American Medical Association (.pdf), the ABA may need to take a different tack to effect a change in the FTC's enforcement policy.

[I should note that an attorney in California called me up yesterday to discuss the FTC's view that lawyers should be considered "creditors" subject to federal Red Flags Rules.  Thanks are owed to her for raising the question of whether the ABA has articulated a view on this issue.]


Massachusetts Regulators Present on New Information Security Rules - June 5, 2009, Suffolk University Law School

On Friday, June 5, 2009, Suffolk University Law School's Center for Advanced Legal Studies organized a thorough presentation on the Massachusetts information security rules.  These presentations were led by a pair of notable Massachusetts regulators: Scott D. Schafer, the head of privacy enforcement for the Massachusetts Attorney General, and David A. Murray, the chief architect of the Massachusetts identity theft regulations for the Office of Consumer Affairs and Business Regulation (OCABR).

These men provided useful recommendations on a number of compliance issues, including when a business should be notifying customers about a security breach, how to ensure that personal information is disposed of properly, and what businesses should be doing to comply with the new information security standards.  Read on for the highlights from these presentations.


"Hi, We're From the FCC and We Are Here to Search Your Cellphone"

From the increasingly populated intersection of the Fourth Amendment and modern technology comes this story from Wired's "Threat Level."  The Federal Communications Commission (FCC) claims the right to enter onto any property to inspect -- without a warrant -- any radio equipment, regardless of whether it is licensed or unlicensed.  In an interview with Wired, an FCC spokesperson claimed that the FCC's right to inspect radio equipment extends to "anything using RF energy."  This includes commonplace items like wireless internet routers, remote access car keys, and cell phones.  Additionally, if any illegal or suspicious items or behavior are discovered or observed during a warrantless administrative search, these observations may be the basis for a criminal search warrant or arrest.  Despite some substantial disagreements about this application of the law, operators have been fined by the FCC for failure to allow such warrantless inspections.  The ubiquity of items the FCC claims it may inspect without a warrant, combined with the potential for such searches to lead to criminal actions, is causing privacy advocates to react with concern.  And with good reason, as this could be a prelude to the expansion of other types of administrative searches.

Links:

  • Cory Doctorow reports on the FCC’s inspection policy at BoingBoing here
  • The Federal Communications Commission’s homepage is here
  • The Federal Communications Commission’s “2005 Inspection Policy” can be found at their website here
  • The Federal Communications Commission’s order imposing a fine for failure to allow inspection of radio equipment can be found here or at their website here
  • John Byrne reports on the FCC’s inspection policy at the Raw Story here
  • Rogue Radio Research's FAQ arguing the FCC lacks the power to inspect unlicensed radio stations can be found here
  • Ryan Singel’s report breaking this story at Wired, “FCC’s Warrantless Household Searches Alarm Experts”, can be found here

 

Courts Split On Whether Police Can Use GPS To Track Individual's Movements Without A Warrant

According to the Chicago Tribune, on May 7, 2009, a three-judge panel of the Wisconsin Court of Appeals unanimously ruled that police "can attach GPS to cars to secretly track anybody's movements without obtaining search warrants" without violating the Fourth Amendment.  The court's opinion in State v. Sveum can be found here.  The defendant Sveum was under investigation for stalking when the police obtained a warrant to secretly place a GPS device on his car while it was parked in his driveway.  The device recorded the defendant's movements for five weeks, after which time police retrieved it and used the information on it to obtain a warrant to search the defendant's residence.

More recently, on May 12, the New York Court of Appeals (that state's highest court) ruled that placing a GPS tracking device inside the bumper of a suspect's car without a warrant, and using that device to monitor the suspect's movements for two months, violated the suspect's rights under the New York State Constitution.  The court's opinion in People v. Weaver can be found here.


Cracking Down: FTC Settles Claims Against Mortgage Company For Violations of FTC Safeguards Rule - Requires Information Security Program and 10 Years of Security Audits

On Tuesday, May 5, 2009, in a press release devoted largely to the FTC's congressional testimony on peer-to-peer file sharing, the FTC announced that it had reached a settlement of its claims against James B. Nutter & Company, a mortgage company that did not implement information security measures to meet federal minimums.  According to the FTC, the result of this alleged failure was that an intruder in the company's systems sent "millions of outgoing spam emails" and "could have accessed personal information without authorization."  In a consent order (.pdf) that parallels settlements in a number of prior FTC enforcement cases, the company has agreed to implement an information security program and subject itself to biennial security audits for 10 years.

In the FTC complaint (.pdf), federal regulators claimed, among other things, that the mortgage company "failed to provide reasonable and appropriate security for personal information," including by failing to implement a "comprehensive written information security program."  Such a program is a requirement for financial institutions, including lenders and mortgage companies, under the FTC Safeguards Rule, a regulation promulgated in 2002 to implement Section 501(b) of the Gramm-Leach-Bliley Act (GLBA).  The complaint also alleged that James B. Nutter & Company failed to provide customers adequate notice of its security practices, as required by the FTC Privacy Rule.  The Privacy Rule was promulgated in 2000 to implement Sections 501 through 509 of the GLBA.

Notably, the complaint makes few allegations of damage to consumers.  The only alleged harm consisted of spam email and the possibility of unauthorized access to customer information.  No doubt this is the reason why the settlement did not involve a substantial fine, as the FTC sought, at least nominally, in its last enforcement action in this area (see our posting on the FTC's settlement with Rental Research Services).  The case thus suggests that the FTC may be willing to undertake enforcement efforts when only consumer privacy interests are affected, even in the absence of concrete financial harm. 

* Update: an attorney representing James B. Nutter & Company has contacted us to provide Security, Privacy and the Law with the company's press release on this incident (.pdf) and to clarify that the company is obligated to submit to only 5 biennial security audits over 10 years.


Last Minute Reprieve: FTC Postpones Deadline for Red Flags Compliance Until August 1, 2009 - Will Release "Template" For Compliant Identity Theft Prevention Program

On Thursday, April 30, 2009, the day before federal Red Flags Rules were set to go into effect for a wide range of businesses, the FTC published a notice on its website indicating that it is postponing the deadline (yet again) until August 1, 2009.  Importantly, this delay appears to be imposed so that the FTC can provide businesses, many of which are confused about how to comply, with a "template" identity theft prevention program.  "For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law."  The FTC indicates that it will make the template available through its website.

In delaying enforcement, the FTC continues to maintain that the Red Flags Rules apply broadly to any business that bills its customers (i.e., "all entities that regularly permit deferred payments for goods or services").  In particular, the FTC specifically mentions that the statutory term "creditor" encompasses "businesses that provide services and bill later, including many lawyers, doctors, and other professionals."  The notice concedes that considerable confusion has surrounded the preliminary question of who is covered under the new rules.  The FTC directs businesses looking for more information to the FTC's new microsite on the Red Flags Rules.

Cracking Down: FTC Fines Credit Research Firm $500,000 For Lax Security, Obtains Court Order Requiring Company to Develop "Comprehensive Information Security Program"

On Thursday, March 5, 2009, the FTC announced that it had reached a settlement with financial research firm Rental Research Services, Inc. (RRS) and its managing officer, Lee Mikkelson, to resolve the FTC's claims that the firm had failed to provide adequate security for sensitive consumer information, which it provided to identity thieves posing as legitimate users.  According to the FTC, the faults in RRS's security amounted to "unfair acts or practices" in violation of the FTC Act.  RRS and Mikkelson were fined $500,000, but the fine was suspended in light of the company's present financial condition.  Also, in a move that echoes the FTC's past enforcement of information security standards under the FTC Act and foreshadows future enforcement of Red Flags regulations, the terms of the FTC's court order require RRS to develop a "comprehensive information security program that is designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers" and submit itself to independent security audits every 2 years until 2029.

Especially in view of the upcoming May 1, 2009 deadline for compliance with federal Red Flags regulations, this case may be a good example of what we can expect to see from federal and state regulators in enforcing existing and future information security standards, especially with respect to consumer data providers.  Below I will summarize the case and identify the key elements of the information security program that the FTC required.


Man Sentenced to 12 Months of Probation and Community Service for Illegal Access to Obama's Passport Records

Dwayne F. Cross, the second of three people who have pleaded guilty to illegally accessing then Presidential Candidate Barack Obama's passport files, was sentenced to 12 months of probation and 100 hours of community service on Monday.  Mr. Cross admitted to accessing State Department passport records involving over 150 individuals, including celebrities, family members, and personal acquaintances, out of "idle curiosity".  These files contained a wealth of personal information, including social security numbers, phone numbers, emergency contact information, and photographs.


FTC Asks Congress For Enhanced Rulemaking and Enforcement Powers To Curb Abuses in Financial Industry

On Tuesday, March 24, 2009, FTC Chairman Jon Leibowitz testified before the U.S. House Subcommittee on Commerce, Trade and Consumer Protection seeking enhanced legal powers "[t]o allow the FTC to perform a greater and more effective role in protecting consumers."  The prepared text of his testimony is available here (.pdf).  Of particular note, the FTC is asking Congress to:

  1. Permit the FTC to use "notice and comment" rulemaking to declare business practices used in the financial industry to be unfair and deceptive acts in violation of the FTC Act -- a process that, according to Chairman Leibowitz, could shorten the time taken to put new regulations in place from 3-10 years under the current system to 1 year under a "notice and comment" system; and

  2. Authorize the FTC to bring civil lawsuits in federal court and to obtain civil penalties for unfair and deceptive practices.

Highlights from the IAPP Privacy Summit - March 11-13, 2009 Washington, D.C.

Between March 11, 2009 and March 13, 2009, the International Association of Privacy Professionals (IAPP) hosted a Privacy Summit in Washington, D.C. that featured keynote presentations from fraud expert Frank W. Abagnale and information security guru Bruce Schneier. The three-day event included dozens of breakout sessions with industry experts and government officials.  Read some of the highlights below.


Cracking Down: FCC Initiates Enforcement Action Against Hundreds of Telecommunications Carriers For Failing to Certify Compliance With Customer Privacy Rules

On Tuesday, February 24, 2009, the Federal Communications Commission (FCC) issued an Omnibus Notice of Apparent Liability alleging that more than 600 telecommunications carriers have violated Section 222 of the Communications Act, which "imposes the general duty on all telecommunications carriers to protect the confidentiality of their subscribers' proprietary information," and the EPIC Customer Proprietary Network Information (CPNI) Order (22 FCC Rcd 6927), which requires each carrier to certify compliance with the regulations governing customer information.  FCC Chairman Michael J. Copps issued a public statement addressing the enforcement action and highlighting that the FCC "continued to make consumer privacy protection a top priority."  The FCC seeks a $20,000 fine from each of the carriers (around $13 million in total) and has stated that it moderated the amount of the fines because the carriers were small companies and because this was the first year of the certification requirement (certifications were due March 1, 2008).  As the FCC warns in its official Notice, "[t]o the extent that we determine that the proposed forfeiture adopted herein does not have the intended deterrent effect, future noncompliance will face more severe penalties."

If you've been looking for signs of how the Obama administration intends to enforce privacy and information security regulations, here is one of a few early signs that federal regulators are under orders to step up enforcement efforts and are beginning with the backlog of violations from 2008.
