Massachusetts Data Security Law - Contract Grandfather Provision Expires March 1, 2012

Our colleagues have reminded us that on March 1, 2012, the contract grandfathering provisions of the Massachusetts Data Security Law and Regulations will expire:

by Catherine M. Anderson, Jeffrey D. Collins 

As we previously noted in our Foley Adviser dated February 3, 2010, “New Massachusetts Data Security Law and Regulations-Comprehensive Information Security Plan required before March 1, 2010”, under the regulations, an investment adviser must require third-party service providers by contract to implement and maintain appropriate security measures for personal information. There currently is a grandfather provision that deems any contract with a service provider entered into before March 1, 2010 to be in compliance even if it makes no reference to data protection.

The grandfather provision expires on March 1, 2012, so any contract regardless of when signed must be brought into compliance by March 1, 2012. You should take steps to ensure that your third party service provider contracts are now in compliance.

Retailer's Request for Zip Code Violated Law, But Generated No Harm

In Tyler v. Michaels Stores, decided earlier this month by the United States District Court for the District of Massachusetts, the use of a consumer's ZIP code to find her address and send her mailings was held to be a statutory violation, but one that did not give rise to a claim for damages.

Melissa Tyler brought suit against Michaels Stores for violation of Massachusetts General Laws, chapter 93, section 105(a) on behalf of herself and a putative class, claiming that Michaels illegally requested customers’ ZIP codes when processing their credit card transactions in violation of section 105(a). She alleged that the violation of section 105(a) amounted to a per se violation of the Massachusetts Consumer Protection law, chapter 93A, section 9, caused unjust enrichment, and entitled Tyler to declaratory relief pursuant.

Judge Young found that "a ZIP code can indeed be personal identification information under Section 105(a)" but that no harm resulted (that Ms. Tyler's receipt of advertisements for the store was not sufficient to constitute harm):

In the area of identity fraud, a judge in this district has similarly held that where there were no instances of actual data loss or misappropriation, the failure to comply with minimum statutory security standards did not cause cognizable injury because the added risk of identity fraud did not actually cause harm to the plaintiff. Katz v. Pershing, LLC, Civil Action No. 10–12227-RGS, 2011 WL 3678720, at *4 (D. Mass. Aug. 23, 2011) (Stearns, J)....[R]eceiving unwanted commercial advertising through the mail is simply not an injury cognizable under chapter 93A, since Section 105(a) was enacted to prevent fraud.

Inside Counsel Magazine Revisits SEC's Cybersecurity Guidance

As we noted back in October, the SEC issued CF Disclosure Guidance: Topic No. 2:  Cybersecurity.
This guidance provides the Division of Corporation Finance's views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.

The most recent issue of Inside Counsel follows up on the latest views on this Guidance, including a quote from me.

Is Public-Private Information Sharing Needed to Respond to the Massive Increase in Cyber Attacks?

Interesting article in Friday's Wall Street Journal on potential cybersecurity legislation to improve information sharing between industry and government. Perhaps the best part of the article is its citation of statistics from Symantec's annual Internet Security Threat Report: Trends for 2009 and 2010 on how many updates Symantec sent out to customers to address the new attacks they were facing:

  • 2002:  20,254 updates
  • 2003:  19,159 updates
  • 2004:  74,981 updates
  • 2005:  113,081 updates
  • 2006:  167,069 updates
  • 2007:  708,742 updates
  • 2008:  1,691,323 updates
  • 2009:  2,895,802 updates
  • 2010:  10,000,000 updates

Facebook Settles FTC Charges that It Deceived Consumers, Agrees to 20 Year Consent Order

In a settlement announced today by the Federal Trade Commission and Facebook, the social networking service agreed to settle "charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public," according to the FTC's press release.

In its complaint, the FTC alleged, among other things, that Facebook “users could not restrict access to their profile information to specific groups, such as “Only Friends” or “Friends of Friends” through their Profile Privacy Settings,” despite Facebook's representations that users could impose such restrictions on their accounts.

In the extensive consent order Facebook entered with the FTC, Facebook agreed (among other things) to “obtain initial and biennial assessments and reports . . . from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession,” which assessments and reports will:

  • set forth the specific privacy controls that [Facebook] has implemented and maintained during the reporting period;
  • explain how such privacy controls are appropriate to [Facebook's] size and complexity, the nature and scope of [Facebook's] activities, and the sensitivity of the covered information;
  • explain how the privacy controls that have been implemented meet or exceed the protections required by Part IV of this order; and
  • certify that the privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information and that the controls have so operated throughout the reporting period.

This consent order will last for an astoundingly long time:  20 years.  (Query whether this agreement's terms and length will become the standard for future FTC privacy settlements.) 

Facebook founder Mark Zuckerberg also released a blog post on the settlement, and in it he announced a split in the company's privacy officer role:  Erin Egan will become Facebook's Chief Privacy Officer, Policy, and Michael Richter, currently Facebook's Chief Privacy Counsel, will become Facebook's Chief Privacy Officer, Products.

Sen. McCain Inserts Cybersecurity Amendment into DoD Authorization Act

My colleague Dayle Cristinzio, former Legislative Director for Senator Harry Reid, has provided me with the amendments to Senate Bill 1867, the Department of Defense Authorization Act. Among these amendments is one from Sen. McCain, amendment #1229, which could provide greater cybersecurity collaboration between the Department of Defense and the Department of Homeland Security.

Cybersecurity Legislation to Come to Senate Floor in January 2012

According to a November 16, 2011 letter from Senate Majority Leader Harry Reid to his Republican counterpart, Minority Leader Mitch McConnell, it is his "intent to bring comprehensive cyber security legislation to the Senate floor for consideration during the first Senate work period next year." 

This is by no means a guarantee of legislative action, but it is the latest sign that cybersecurity will be a priority in Congress come 2012.

"Foreign Spies Stealing US Economic Secrets in Cyberspace"

With an inflammatory title like "Foreign Spies Stealing US Economic Secrets in Cyberspace," the Office of the National Counterintelligence Executive's "Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011" is tough to ignore.

The Report's conclusions are equally notable for their candor about the recent actions of the Chinese and Russian governments:

  • "Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC cannot confirm who was responsible."
     
  • "Russia’s intelligence services are conducting a range of activities to collect economic information and technology from US targets."

The NCIX predictions for the future are sobering:

  • "Over the next several years, the proliferation of portable devices that connect to the Internet and other networks will continue to create new opportunities for malicious actors to conduct espionage. The trend in both commercial and government organizations toward the pooling of information processing and storage will present even greater challenges to preserving the security and integrity of sensitive information."
     
  • "The US workforce will experience a cultural shift that places greater value on access to information and less emphasis on privacy or data protection. At the same time, deepening globalization of economic activities will make national boundaries less of a deterrent to economic espionage than ever."

This last prediction is particularly disturbing, and already visible, as users migrate from the relatively secure Blackberry platform to iPhones and other smartphones, trading security for an increased sense of utility.

"SEC's Corp Fin Staff Attacks Cyber-Security Disclosure"

I was interviewed and quoted as part of a Compliance Week article on the new SEC guidance on disclosures of cyber security incidents:

Colin Zick, a partner at law firm Foley Hoag, says the guidance is too general and that companies will have to think hard when assessing what information to disclose. “There are a lot of cyber-incidents, and there are lots of ways how these will affect your business,” he says. When companies are contemplating the definition of cyber-incidents, they should think expansively, he adds. “Think of data breach, data loss, and denial of service on your Websites when an attack occurs. The [SEC staff] wants you to do this risk assessment so you will understand what this is about,” he said.

SEC Publishes Guidance on Cyber Incidents

On October 13, the SEC issued CF Disclosure Guidance: Topic No. 2:  Cybersecurity.
This guidance provides the Division of Corporation Finance's views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.  It follows Chairman Schapiro's June 2011 letter to Senator Rockefeller on the subject.

More Consumer Data Security and Privacy Legislation Introduced

The latest legislator to enter into the federal data security and privacy sweepstakes is Senator Richard Blumenthal (D-CT), who introduced legislation, S. 1535, on September 8. This bill, if passed, would require companies dealing with consumers to strengthen their data security and privacy policies. In particular, Senator Blumenthal's bill, "The Personal Data Protection and Breach Accountability Act," would require businesses that collect the personal information of over 10,000 customers to employ specific privacy and security measures, including risk assessment, regular testing of system controls, and paying for two years of credit monitoring for any customer whose data is breached. If adopted, this bill would permit the Justice Department to levy fines of $5,000 per violation per day, up to a total of $20 million per violation. The bill also includes federal data breach notification requirements.

Given the large number of such bills pending, the Senator's junior status, and the fact that his bill has no co-sponsors, it is unlikely that this particular bill will be adopted. At present, at least 15 bills pending in Congress contain the phrase "data security":

  1. Data Security Act of 2011 (Introduced in Senate - IS)[S.1434.IS]
  2. e-KNOW Act (Introduced in Senate - IS)[S.1029.IS]
  3. BEST PRACTICES Act (Introduced in House - IH)[H.R.611.IH]
  4. To facilitate implementation of title VII of the Dodd-Frank Wall Street Reform and Consumer Protection Act, promote regulatory coordination, and avoid market disruption. (Reported in House - RH)[H.R.1573.RH]
  5. Personal Data Privacy and Security Act of 2011 (Introduced in Senate - IS)[S.1151.IS]
  6. To facilitate implementation of title VII of the Dodd-Frank Wall Street Reform and Consumer Protection Act, promote regulatory coordination, and avoid market disruption. (Introduced in House - IH)[H.R.1573.IH]
  7. Data Security and Breach Notification Act of 2011 (Introduced in Senate - IS)[S.1207.IS]
  8. SAFE Data Act (Introduced in House - IH)[H.R.2577.IH]
  9. U.S. Postal Service Improvements Act of 2011 (Introduced in Senate - IS)[S.353.IS]
  10. METRICS Act (Introduced in Senate - IS)[S.1464.IS]
  11. Data Accountability and Trust Act (DATA) of 2011 (Introduced in House - IH)[H.R.1841.IH]
  12. Reform the Postal Service for the 21st Century Act (Introduced in House - IH)[H.R.1262.IH]
  13. Data Accountability and Trust Act (Introduced in House - IH)[H.R.1707.IH]
  14. Protecting the Privacy of Social Security Numbers Act (Introduced in Senate - IS)[S.1199.IS]
  15. Postal Reform Act of 2011 (Introduced in House - IH)[H.R.2309.IH]

Given how many similar bills are pending, it seems likely that something like Sen. Blumenthal's bill will be adopted before this session of Congress is over.

"What Every In-House Counsel Needs to Know About Data Security and Privacy"

I just completed a webinar for the Association of Corporate Counsel, with Ed Palmieri of Facebook, discussing "What Every In-House Counsel Needs to Know About Data Security and Privacy."  The program slides can be found at this link.

HIPAA Breaches Reported to OCR Near 300

When we last looked at OCR's reporting on HIPAA breaches impacting 500 or more individuals, back in May 2011, there had been 265. This was up from September 2010, when there had been 191 such breaches. As of today, there are 292 listed. Given that the last reported date of breach on OCR's list is May 8, there are surely over 300 breaches that have now been reported.

Another Big HIPAA Settlement: The UCLA Health System Settles for $865,000

In another sign that OCR is continuing to seek significant penalties for HIPAA violations, it announced on July 7 that the UCLA Health System ("UCLAHS") has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with those rules.  This follows on the heels of Massachusetts General Hospital's $1 million settlement with OCR.

The resolution agreement resolves two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLAHS. The complaints alleged that UCLAHS employees repeatedly and without legitimate reasons looked at the electronic protected health information of these patients. OCR's subsequent investigation into the complaints revealed that from 2005-2008, unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients.  

The corrective action plan requires UCLAHS to implement Privacy and Security policies and procedures approved by OCR, to conduct regular and robust trainings for all UCLAHS employees who use protected health information, to sanction offending employees, and to designate an independent monitor who will assess UCLAHS compliance with the plan over 3 years.  All in all, a very expensive proposition for UCLAHS.

Analysis of the Supreme Court's Decision Striking Down Vermont Pharmaceutical "Data Mining" Law

As promised in our earlier entry, here is our detailed discussion of the Supreme Court's decision in Sorrell v. IMS Health, Inc., written by Colin J. Zick, Pat A. Cerundolo, and Tad Heuer.

On Thursday, June 23, the United States Supreme Court voted 6-3 to strike down a Vermont statute that sought to impose significant restrictions on pharmaceutical detailing and “data mining” activities. Justice Kennedy’s opinion in the closely-watched case of Sorrell v. IMS Health Inc. held that the Vermont statute was an unconstitutional regulation of commercial speech. In so doing, the Court found that the sale, disclosure, and use of redacted pharmacy records containing physician prescribing information constituted “speech in aid of pharmaceutical marketing” and therefore enjoyed First Amendment protection. This case is an important victory for the pharmaceutical, medical device, biotechnology, and related sectors. The following summarizes this ruling and its potential consequences for those involved in these industries.

Supreme Court Strikes Down Vermont Data Mining Law

By Tad Heuer, Esq.

The Supreme Court this morning voted 6-3 to strike down a Vermont statute that sought to impose significant restrictions on pharmaceutical data mining activities. Justice Kennedy's opinion in the closely-watched case of IMS v. Sorrell held that the Vermont statute was an unconstitutional regulation of commercial speech.

The first paragraph of Justice Kennedy's opinion provides a brief summary of the posture of the case and of the Court's decision:

Vermont law restricts the sale, disclosure, and use of pharmacy records that reveal the prescribing practices of individual doctors. Vt. Stat. Ann., Tit. 18, §4631 (Supp. 2010). Subject to certain exceptions, the information may not be sold, disclosed by pharmacies for marketing purposes, or used for marketing by pharmaceutical manufacturers. Vermont argues that its prohibitions safeguard medical privacy and diminish the likelihood that marketing will lead to prescription decisions not in the best interests of patients or the State. It can be assumed that these interests are significant. Speech in aid of pharmaceutical marketing, however, is a form of expression protected by the Free Speech Clause of the First Amendment. As a consequence, Vermont’s statute must be subjected to heightened judicial scrutiny. The law cannot satisfy that standard.

We will be publishing a more extensive analysis shortly; watch this space for a link to it.

2011: The Year of the Breach

We are six months into 2011, and it seems destined to be “The Year of the Breach.”  In just the past few months, major American (and multi-national) corporations and institutions have reported that they have been the victims of some kind of security breach:

  • Epsilon: breach of customer email addresses;
  • RSA: compromise of security tokens (possibly impacting Lockheed Martin);
  • Citigroup: breach of credit card numbers;
  • Sony: multiple thefts of customer data;
  • Sega: customer data theft; and
  • ADP: breach of its benefits-administration business.

What does this mean? First, there are simply more breaches to report. Second, companies are being more open about reporting breaches, both because they are legally required to and because such disclosures are expected by consumers and regulators. Third, these breaches and the resulting publicity will bring legal and corporate reactions. 

On a legal/regulatory level, we are even more likely to see federal data security legislation and stepped-up enforcement. On the corporate side, more and more resources are going to be poured into prevention of breaches. For corporate CIOs, it’s the best of times and the worst of times: they are getting access to more resources, but are facing more and different challenges.

What Law Applies In "the Cloud"?

Attached is my presentation given at a recent CloudCamp, on the subject: What Law Applies In “the Cloud”?
(CloudCamp is an unconference where early adopters of Cloud Computing technologies exchange ideas.)

Does Briar Group's Massachusetts Settlement Create a New Legal Standard That Businesses Must Meet to Protect Personal Information?

By Brian Bialas 

A recent settlement in a data breach case exemplifies how the government can go beyond a statutory scheme and use private industry standards to protect personal information and impose sanctions on violators. 

The Massachusetts AG filed suit against the Briar Group, the owner of a number of bars in the Boston area (including two of my personal favorites, the Harp and Ned Devine’s) in the wake of a 2009 data breach involving credit card numbers and other personal data. The AG’s complaint alleged, among other things, that the Briar Group violated Massachusetts’s Consumer Protection Statute by failing to comply with the Payment Card Industry Data Security Standards (PCI DSS), standards created by the Payment Card Industry Security Standards Council that apply to all organizations that collect payment card data. To settle this suit, the Briar Group entered into a consent judgment pursuant to which it would pay $110,000 in civil fines.

What is interesting about this settlement is that it requires the Briar Group to “maintain PCI DSS compliance,” over and above Massachusetts’ own strict legal requirements.  Does the AG’s action against the Briar Group signify that all merchants are legally required to comply with both state regulations and PCI DSS? It’s too early to tell. 

Big HIPAA Breaches Now Number 265

When we last looked at OCR's reporting on HIPAA breaches impacting 500 or more individuals, back in September 2010, there had been 191 such breaches. In the intervening 7 months, that number has jumped to 265 such breaches listed on OCR's website.  It's safe to expect these figures will continue to climb for the foreseeable future.

Information Security In the Age of WikiLeaks

InformationWeek has published an interesting Analytics Brief on "Information Security in the Age of WikiLeaks."  (Subscription required.)  The brief discusses the following subjects:

  • Could a Major Security Breach Be on the Horizon?
  • The Smartphone Dilemma
  • What Elements Are Currently Covered in Your Organization’s Security Awareness Program?
  • Security Budgets Fare Well
  • Implementing Risk Management Disciplines
  • Do You Really Know Who Your Friends Are?
  • Denial of Service Attacks: Who’s Next?

In the interest of full disclosure, I am quoted extensively on the prospects for new legislation in the privacy/security space.

White House Releases Framework for National Strategy for Trusted Identities in Cyberspace

On April 15, the White House formally released its National Strategy for Trusted Identities in Cyberspace. As we noted earlier, the “trusted identity” concept is intended to allow the public and private sectors to collaborate in order to raise the level of trust associated with the exposure of the identities of individuals, organizations, networks, services and devices in online transactions:

The goal of NSTIC is to create an “Identity Ecosystem” in which there will be interoperable, secure, and reliable credentials available to consumers who want them. Consumers who want to participate will be able to obtain a single credential--such as a unique piece of software on a smart phone, a smart card, or a token that generates a one-time digital password. Instead of having to remember dozens of passwords, the consumer can use their single credential to log into any website, with more security than passwords alone provide. Since consumers will be able to choose among a diverse market of different providers of credentials, there will be no single, centralized database of information. Consumers can use their credential to prove their identity when they're carrying out sensitive transactions, like banking, and can stay anonymous when they are not.

The White House document is mostly a vision statement, punctuated by text boxes throughout that urge the reader to “Envision it!” but with no real guidance on how to accomplish it. The document suggests how these frameworks might be built, but does not promise to build them. Precisely how this vision statement gets turned into action and results will depend on the reception it receives from the public and private sectors, both within the U.S. and abroad. The NSTIC anticipates that the U.S. will meet its interim benchmarks in 3-5 years, and the long term benchmarks in 10 years. As such, it is unlikely that we will see anything concrete on this front in the near future.

Data Security and Privacy for Medical Device, Pharmaceutical and Life Sciences Companies

Obama Administration Seeks "Consumer Privacy Bill of Rights"

In March 16, 2011 testimony before the Senate Committee on Commerce, Science, and Transportation, the Obama Administration formally asked Congress to pass a "consumer privacy bill of rights" enforced by the FTC:

Legislation to provide a stronger statutory framework to protect consumers’ online privacy interests should contain three key elements. First, the Administration recommends that legislation set forth baseline consumer data privacy protections—that is, a “consumer privacy bill of rights.” Second, legislation should provide the FTC with the authority to enforce any baseline protections. Third, legislation should create a framework that provides incentives for the development of codes of conduct as well as continued innovation around privacy protections, which could include providing the FTC with the authority to offer a safe harbor for companies that implement codes of conduct that are consistent with the baseline protections.

This testimony was presented by a Commerce Department official, Lawrence E. Strickling, Assistant Secretary for Communications and Information, National Telecommunications and Information Administration.

As we have observed previously, Congress is very interested in such legislation.  Now that the legislative battle is fully joined, it's time to start thinking about who the potential winners and losers might be if such legislation is adopted:

  • Will the legislation hurt the big internet companies like Google and Facebook?
    • Small players might actually find compliance with new laws more difficult than these industry giants.
  • Can "do not track" legislation still be avoided through voluntary industry efforts?
    • Might voluntary efforts be enough to change the requirement to a mandatory right to "opt out" of tracking, as opposed to an outright ban?
  • Just how will any U.S. privacy regime meld with the EU's scheme?
    • Could U.S. rules actually smooth the road to U.S.-EU data sharing the way HIPAA did across the 50 states for health data exchange?

Online Advertising Company Chitika Enters FTC Consent Agreement for Deceptive "Opt-Out" Policy

By Sam Hudson

Targeted online advertising has been the focus of much discussion since the release of the FTC’s “Do Not Track” proposals late last year. User tracking for advertising purposes is also the focus of the FTC’s latest privacy enforcement action, which has resulted in a consent agreement with an online advertising company, Massachusetts-based Chitika, Inc., which creates ads for such major publishers as the Hearst Corporation and Salary.com. 

Chitika uses cookies to track Internet users, so as to display behavioral advertising to them. Chitika allowed users to opt out of receiving these cookies, but what Chitika didn’t disclose was that the opt-out only lasted for 10 days. The FTC alleged that such a short opt-out period was deceptive and a violation of the FTC Act. The FTC has reached a settlement with Chitika in which Chitika has agreed to honor any user opt-out of tracking for at least 5 years. Chitika has also agreed to display more prominent opt-out mechanisms. The consent agreement prohibits Chitika from misrepresenting the extent of its data collection about consumers or the extent to which consumers can control the collection, use or sharing of their data.

What Is Inside Mass General's $1 Million HIPAA Settlement?

As we noted earlier this month, Massachusetts General Hospital recently entered into a $1 million Resolution Agreement and Corrective Action Plan with the Department of Health and Human Services' Office of Civil Rights. This settlement stemmed from an incident on March 9, 2009, when an MGH employee, while commuting on the subway, "removed documents containing PHI from her bag and placed them on the seat beside her. The documents were not in an envelope and were bound with a rubber band. Upon exiting the train, the MGH employee left the documents on the subway train and they were never recovered. These documents contained the PHI of 192 individuals." There was, however, no indication that any of the PHI was ever used in any way.

While the $1 million penalty is an attention-grabber, the elements of the Corrective Action Plan are also likely to be at least as costly and will be very burdensome.  They include:

  • three (3) years of reporting obligations from MGH to OCR;
  • adoption of new policies that OCR must review and approve;
  • training on these new policies that OCR must review and approve;
  • retention of a monitor who will conduct:
    • unannounced site inspections of MGH’s locations/departments/practices;
    • interviews with any members of the workforce who use PHI; 
    • interviews with any members of the workforce involved in implementing the safeguards required by the CAP;
    • inspection of a sample of laptops and USB flash drives that contain ePHI and are under the control of workforce members to ensure that such devices satisfy all applicable requirements of the Policies and Procedures; and
    • inspection of relevant documents and interviews with workforce members for the purpose of confirming consistent training, implementation, and enforcement of the Policies and Procedures among workforce members.
  • submission of semi-annual monitor reports;
  • self-reporting of any "significant violations" of the CAP;
  • submission of an implementation report after 120 days of the CAP; and
  • annual reports to the monitor, which will be passed on to OCR.

This is a pretty heavy burden to carry around for three years.   In fact, the CAP looks much more like a Corporate Integrity Agreement of the type entered into by a pharmaceutical manufacturer after a health care fraud settlement.  I suspect that is precisely the message that OCR wanted to send.

FTC Red Flags Suits Come to an End as Lawyers and Doctors Are Exempted

While the effect of the federal legislation modifying the FTC Red Flags Rule has been known for a while, the court proceedings that challenged the rule have now caught up.  The American Bar Association's suit has been dismissed, and the American Medical Association announced it is voluntarily dismissing its case:  "The lawsuit filed by the Litigation Center of the AMA and the State Medical Societies, the American Osteopathic Association and the Medical Society of the District of Columbia, and joined by 26 national medical specialty societies, will now formally end."

Supreme Court Rules Corporations Do Not Have Privacy Rights under FOIA

In a March 1, 2011 decision that has received much publicity (despite stating a fairly obvious conclusion), the Supreme Court ruled that the term "personal privacy" does not apply to corporations, at least in the context of the Freedom of Information Act ("FOIA"). 

The decision, FCC v. AT&T Inc., reflects the Supreme Court's application of a particular exemption to FOIA. Exemption 7(C) covers law enforcement records the disclosure of which “could reasonably be expected to constitute an unwarranted invasion of personal privacy.” 5 U. S. C. § 552(b)(7)(C). AT&T, having produced documents to the federal government, wanted that exemption asserted on its behalf, to block the government from responding to a FOIA request that would result in the production of AT&T's documents.

The Supreme Court held that Exemption 7(C) applies to individuals identified in AT&T’s submissions, but not to the company itself.  This conclusion was based on the principle that corporations do not have “personal privacy” interests as required by the exemption.  As Justice Alito noted in oral argument:  “in ordinary speech, the term ‘personal’ is not . . . used to refer to a corporation.  That’s . . . legalese.”

For corporations, this decision only reinforced what experienced counsel have known for a long time -- be prepared for anything you turn over to the government to be shared with the public.

500 Is a Magic Number: Health Information Breaches Impacting 499 or Fewer Patients Likely Go Uninvestigated By OCR

In the recently-released fiscal 2012 budget for HHS, a dirty little secret has been acknowledged:  the Office of Civil Rights does not have the resources to review all reported breaches of health information.  In fact, if you have a breach that impacts up to 499 people, you are unlikely to hear from OCR at all:

Current OCR practice is to validate, post to the HHS website, and subsequently investigate all breach reports that impacted more than 500 individuals. Breach reports that impacted fewer than 500 individuals are compiled for future reporting to Congress; however they are treated as discretionary and only investigated if resources permit.

While this prioritization makes a certain amount of sense, it leaves the vast majority of breaches unreviewed.  According to that same budget report, "[a]s of September 30, 2010, OCR has received a total of 9,300 breach reports (191 impact more than 500 individuals and 9,109 impact less than 500 individuals)."  That's a mere 2% of all breaches that have OCR's full attention.  The takeaway from this is to count your breaches carefully before reporting, as there seems to be a real benefit to being able to report an impact on less than 500 individuals.

Online Privacy Bills Planned for 2011

By Patrick Connolly

If Tuesday night’s failure to give fast-track approval to an extension of certain surveillance powers under the Patriot Act is any indication, Congress is in the mood to protect individual privacy. As such, a series of anticipated online privacy protection bills are likely to garner bipartisan support in the weeks and months ahead. 

Proposals will come from both sides of the aisle. According to Hillicon Valley, Rep. Jackie Speier (D-Calif.) will shortly introduce an online privacy bill directing FTC to implement a “do not track” regime applicable to online advertisers (this although public comments to the FTC report supporting such a measure, Protecting Consumer Privacy in an Era of Rapid Change, are still coming in). Rep. Speier’s bill is said not to include any safe harbor provision. In contrast, the privacy bill forthcoming from Rep. Bobby Rush (D-Ill.) will not include a “do not track” mandate, but is anticipated to be very similar to the bill he proposed in 2010 that provided a safe harbor to marketers participating in a FTC-approved, self-regulatory “Choice Program.” Any approved “Choice Program” would, true to its name, be required to provide users with a robust set of options concerning the collection and use of their information.

On the Republican side, Rep. Cliff Stearns (R-Fla.) plans to introduce a new version of the 2010 draft Boucher-Stearns bill which would have required websites to inform users of how they collect and use personally identifiable information and then allow users to opt out of having such information collected. Collection of certain sensitive information and the sharing of personally identifiable information with third parties would require users to opt in.

Other politicians reported to have an interest in addressing internet privacy this year include Rep. Joe Barton (R-Texas), and Senators Jay Rockefeller (D-W. Va.) and John Kerry (D-Mass.).


Security and Privacy Issues of 2011: How to Stay a Step Ahead of the Coming Wave of Legislation and Self-Regulation

I was on a panel today with Stuart N. Brotman, former Special Assistant to Communications and the President's principal communications policy adviser and Chief of Staff at the National Telecommunications and Information Administration.  My slides are here.

NIST Launches Web Site for National Strategy for Trusted Identities in Cyberspace

By Kiran Ghia

The National Institute of Standards and Technology (NIST), a federal agency within the Department of Commerce, has launched a web site detailing President Obama’s proposed National Strategy for Trusted Identities in Cyberspace (NSTIC). NSTIC, initially released for public comment in June 2010, was developed in response to the Obama Administration’s 2009 Cyberspace Policy Review, which called for the creation of a “cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.”

Coining a new phrase for a more secure virtual world, known as the Identity Ecosystem, NSTIC seeks to improve upon the passwords currently used to log in online, with the broader aim to reduce identity theft and online theft; reduce inefficiencies in online transactions; and provide new online services currently thought of as too risky for e-commerce. While the Identity Ecosystem has not yet been built and there are currently no Identity Ecosystem credentials available, some private-sector identity providers do exist. NSTIC envisions individuals choosing their own Identity Ecosystem credentials from a variety of service providers (both public and private) and using any of these trusted online credentials to log in to their banks, e-mail accounts, or social networking sites, without having to remember multiple passwords. In addition, the Identity Ecosystem would seek to enhance individuals’ privacy by reducing the amount of information they must disclose to authenticate their identity.


U.S. Supreme Court Upholds NASA Background Checks

In NASA v. Nelson, decided today by the U.S. Supreme Court, the high court rejected a challenge to "a section of a form questionnaire that asks employees about treatment or counseling for recent illegal-drug use . . .  [and] to certain open-ended questions on a form sent to employees’ designated references."

This particular challenge came from 28 employees of the Jet Propulsion Laboratory ("JPL").  JPL is staffed exclusively by contract employees.  NASA owns JPL, but Cal Tech operates the facility under a government contract.  

The Supreme Court acknowledged that "[i]n two cases decided more than 30 years ago, this Court referred broadly to a constitutional privacy “interest in avoiding disclosure of personal matters.” Whalen v. Roe, 429 U.S. 589, 599–600 (1977); Nixon v. Administrator of General Services, 433 U.S. 425, 457 (1977)."  The employees in this case, as federal contract employees working at a Government laboratory, claimed that two parts of a standard JPL employment background investigation violate their rights under Whalen and Nixon.  But the Supreme Court "reject[ed] the argument that the Government, when it requests job-related personal information in an employment background check, has a constitutional burden to demonstrate that its questions are 'necessary' or the least restrictive means of furthering its interests."

The majority opinion dodged the question of whether "there is no constitutional right to informational privacy," although the concurrence of Justice Scalia urged the majority to decide it.

The Supreme Court assumed, "without deciding, that the Constitution protects a privacy right of the sort mentioned in Whalen and Nixon."  The Supreme Court held, "however, that the challenged portions of the Government’s background check do not violate this right in the present case. The Government’s interests as employer and proprietor in managing its internal operations, combined with the protections against public dissemination provided by the Privacy Act of 1974, 5 U.S.C. §552a, satisfy any “interest in avoiding disclosure” that may “arguably ha[ve] its roots in the Constitution.” Whalen, supra, at 599, 605."


Genetic Privacy Rights Group Publishes Guide to the World's DNA Databases

The Council for Responsible Genetics has published a guide to the world's DNA databases.  According to the guide, 56 countries (and in the U.S., all 50 states) maintain DNA databases.

CRG describes itself as a "catalyst and thought leader in the movement to steer biotechnology toward the advancement of public health, environmental protection, equal justice and respect for human rights."  Although CRG has its own unique perspective on whether DNA databases should exist and how they should be used, its guide may nevertheless prove to be a useful resource.

In the late 1990s, I worked on two amicus briefs with CRG, challenging aspects of the Department of Defense DNA database and the Commonwealth of Massachusetts' DNA database statute:

FTC Red Flags Rule Clarified; Red Flags Enforcement Likely to Begin in 2011

By Brian Bialas

On December 18, 2010, President Obama signed into law the Red Flag Clarification Act of 2010.  The Act will change a single definition in prior law and reduce the scope of the FTC Red Flags Rule, ending a two-year long saga over the scope of its enforcement.

As we have noted in past entries about Red Flags Rule compliance, the FTC has extended the deadline for enforcement of the FTC's Red Flags Rule several times, most recently through December 31, 2010.  The stated reason for these delays was “to give Congress time to reach a consensus on the types of businesses that should be covered under the Rule.”  An unstated reason was the mounting number of lawsuits by physicians, lawyers, accountants, and other service providers seeking to exempt themselves from the Red Flags Rule.  The lawsuits should now come to an end.

Here’s how the new law will work. The definition of who is considered to be a “creditor” is a key to the application of the Red Flags Rule. As originally drafted, “creditors” would have included anyone “who regularly extends, renews, or continues credit” or “who regularly arranges for the extension, renewal, or continuation of credit,” 15 U.S.C. § 1691a(e); see 15 U.S.C. § 1681a(r)(5). The new Act narrows this definition by excluding anyone who advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person. Examples of this exclusion would include a doctor who pays upfront for a test that a patient will reimburse him for later, or a lawyer who covers a filing fee for a client until his bill is paid. 

With this change, it is likely that the FTC will commence enforcement against the intended targets of the Red Flags Rule – the financial services industry – in 2011. 

FTC Proposes Privacy Framework That Will Impact the Business Model of All Online and Mobile Advertising Companies

Our colleagues in Foley Hoag's Emerging Enterprise Center have summarized the FTC preliminary staff report, "Protecting Consumer Privacy in an Era of Rapid Change:  A Proposed Framework for Businesses and Policymakers," which we posted on December 1.  We are cross-posting the analysis from their blog below.

It seems likely that the next two years will bring significant changes to this area, either through legislation or regulation.  During this period, businesses and consumers will continue to seek an equilibrium that balances business needs and consumer expectations.  If they cannot find it, one will likely be imposed on them.

*  *  *

The Federal Trade Commission (FTC) just published its preliminary Staff report setting out its proposed framework for protecting privacy in the digital economy. View the FTC’s press release here. The FTC is seeking comments on its proposed framework by January 31, 2011 and expects to issue a final report in 2011.

Every digital media business that attracts advertising revenue online and/or through mobile devices, as well as the venture capital and private equity funds that invest in them, has a stake in the outcome of this proposed framework. It can affect current business models, future financial performance and potential exit opportunities for current and potential companies that rely on collecting data from consumers.

The final report, and possible new regulations and/or federal legislation to follow, will help shape substantive law, enforcement policies and commercial best practices regarding consumer privacy practices that will need to be followed.

Notably, the FTC staff cites flaws in commercially available, privacy-related plug-ins and browser features, and supports a more uniform and comprehensive consumer choice mechanism for online behavioral advertising than currently exists. This is often called “Do Not Track,” in a nod to the currently mandated “Do Not Call” registry that restricts the activities of telemarketers. FTC staff identified and requested comment on a number of issues concerning the formulation and adoption of any such “Do Not Track” mechanism.

Other important components of the proposed framework include:

  • Scope: The proposed framework would apply to all commercial entities that collect or use consumer data that can reasonably be linked to a specific consumer, computer or other device. Here, the FTC staff recognizes the erosion of the distinction between personally-identifiable information (e.g., name, address and social security number) and supposedly anonymous information that may be collected without the knowledge of the web or mobile device user.
  • Promotion of consumer privacy: The proposed framework would require companies to build consumer privacy and security protections into their daily practices and to consider privacy issues at every stage of design and development of products and services. Suggested steps include: 1) providing security for consumer data; 2) limiting data collection to the relevancy of a specific business practice; 3) enforcing sound retention policies; 4) providing assurances of data accuracy; and 5) implementing comprehensive data management procedures throughout the lifecycle of products and services.
  • Consumer choice: In addition to the “Do Not Track” mechanism described above, the proposed framework would require companies to provide consumers with a notice-and-choice mechanism at the point when the consumer is providing data to the company. This would not be required in the context of commonly-accepted practices, such as order fulfillment or first-party marketing, however.
  • Transparency and Access to Data: The proposed framework would require vastly-increased transparency with respect to data collection practices and allow for increased consumer access to data collected. As part of implementing this component, the Commission suggests a level of simplification and standardization for currently loosely governed website privacy policies.

Before this framework is submitted in final form to the FTC for a vote by its commissioners, which will accelerate the process further, the FTC is requesting comment by interested parties on a variety of key related issues, including:

  • Scope: Are there practical considerations that support excluding certain types of companies or businesses from the framework?
  • Substantive Privacy Protections: What substantive protections should companies provide, and how should the costs and benefits of such protections be balanced?
  • Comprehensive Data Management Procedures: How can the full range of stakeholders be given an incentive to develop and deploy privacy-enhancing technologies? 
  • Consumer Choice; “Do Not Track”:
    • How should a universal choice mechanism be designed for consumers to control online behavioral advertising?
    • What are the costs and benefits of offering a standardized uniform choice mechanism to control online behavioral advertising?
    • What is the likely impact if large numbers of consumers elect to opt out?
    • Should a universal choice mechanism include an option that allows consumers more granular control over the types of advertising they want to receive and the type of data they are willing to have collected about them?
  • Transparency of Data Practices: With respect to website privacy notices, is it feasible to standardize the format and terminology for describing data practices across industries? Should companies inform consumers of the identity of those with whom the company has shared data about the consumer, as well as the source of that data?
  • Notifying Consumers of Changes in Data-Use Practices: What is the appropriate level of transparency and consent for prospective changes to data-handling practices?

NIST Releases Guidance On Protecting Our Digital Energy Infrastructure (Or, Is Big Brother in Our Power Lines?)

The following item was posted recently on Foley Hoag’s Law and Environment blog, and we thought it would be of interest to our readers. 

Posted on September 17, 2010 by Rebecca L. Puskas

Discussion of the Smart Grid usually focuses on efficiencies that may be achieved by a system that responds to real time information about energy production, distribution and consumption. But the development of this advanced digital infrastructure, with two-way capabilities for communicating information, controlling equipment, and distributing energy, also presents some legitimate information security and privacy concerns. For example, a disgruntled employee or a terrorist with the right computer skills could penetrate a network and alter load conditions to destabilize the grid in unpredictable ways. The grid may also be compromised by inadvertent events such as equipment failures and natural disasters. 

On the privacy side, the Smart Grid will greatly expand the amount of data that can be monitored, collected, aggregated and analyzed. For example, information about specific appliances and generators used by consumers can be tracked from the electric information “signatures” they produce. The driver of an electric vehicle will also leave an electrical roadmap of her travels. 


Public Discussion on Confidentiality and Privacy Issues Related to Psychological Testing

The Substance Abuse and Mental Health Services Administration ("SAMHSA"), in close cooperation with the Department of Health and Human Services Office for Civil Rights ("OCR"), is conducting a study of the “Confidentiality and Privacy Issues Related to Psychological Testing Data.”  This study was specifically called for in section 13424 of the Health Information Technology for Economic and Clinical Health ("HITECH") Act.  

HIPAA’s Privacy Rule includes special protections relating to the use and disclosure of psychotherapy notes; this SAMHSA study will address whether these special protections should also be applied to test data that is related to direct responses, scores, items, forms, protocols, manuals or other materials that are part of a mental health evaluation.

To this end, SAMHSA has announced a regional public meeting in Chicago, Illinois, on October 7, 2010, to give the public a chance to learn about this issue and express opinions. Registration is necessary, but there is no charge for attending. Another regional meeting will be held this year in Los Angeles in late November or early December.  The meeting is designed for mental health professionals, consumers, health care providers and health plans, agency administrators, health information technology experts, and test developers.

The significant concepts and issues being addressed in this project include:

  • What activities and information are considered the “test data” that is part of a mental health evaluation? What are the relevant distinctions among test materials, raw data, and reports or assessments with respect to the level of protection currently afforded and/or otherwise necessary?
  • Does the individual (i.e., the subject of the test data) need to know, or have an interest in, inspecting or obtaining a copy of such information?
  • Are there circumstances under which test data should be disclosed to third parties?
  • Should the individual’s authorization be required prior to such a disclosure? To whom should test data be released?
  • How would affording mental health test data a higher level of protection affect the workflow in medical, behavioral health, or psychological practices? Are there any additional implications with respect to clinical integration efforts and the increasing availability of mental health services in general health care settings?
  • How is the issue of greater protection for test data affected by State and Federal laws other than HIPAA?
  • In light of the increasing reliance on electronic health records and the exchange of electronic health data, what are the implications of setting more stringent requirements for the use and disclosure of test data?

Small groups will consider these and other central questions following brief presentations by SAMHSA’s and OCR’s study team.

Patient Privacy Trumps Subpoena in Physician Disciplinary Action


Does the “compelling need” for patient records by a state body that oversees and regulates physicians trump the statute that protects the confidentiality of psychotherapy records?  Not in Massachusetts, according to a September 2, 2010 decision of the Supreme Judicial Court, Board of Registration in Medicine v. John Doe, No. SJC-10556. 

At issue in this case were the treatment practices of a board-certified psychiatrist who specialized in “pain management.” Due to a concern that inappropriate prescriptions for pain medication were being written and that Doe himself was impaired, the state’s Board of Registration in Medicine subpoenaed the treatment records of 24 of this psychiatrist’s patients. The psychiatrist refused to comply with 23 of the requests. The psychiatrist took the position that the Massachusetts privilege for psychotherapist-patient communications, Mass. Gen. L. ch. 233, § 20, did not contain an exception that would allow him to comply with such a subpoena.

The Supreme Judicial Court held that “the psychotherapist-patient privilege statute does not permit a weighing of the public interest against the interests protected by the privilege.” The Court explained that “[t]here is obviously a conflict between the confidentiality interest underlying the psychotherapist-patient privilege and the board's need to obtain medical records in the course of its investigations. The Legislature has resolved that conflict in favor of confidentiality by declining to enact a statutory exception to the privilege for board investigations into physician misconduct. With no constitutional considerations implicated, we accept the legislative judgment.”

While this decision only impacts privileged records in Massachusetts, the implications of this decision nevertheless will be far-reaching. Once the logic of this decision is applied in other cases, court orders in civil matters will no longer be viewed as sufficient to override privileges like those found in Mass. Gen. L. ch. 233, § 20 and similar statutes (such as those protecting communications with clergy, psychologists, social workers, allied mental health providers, and sexual assault and domestic violence counselors).

The court briefs in this matter can be found here.


ALERT: FTC Delays Enforcement of Red Flags Rule Through December 31, 2010

Today, the Federal Trade Commission issued a press release and an Enforcement Policy (.pdf) extending the deadline for enforcement of the FTC's Red Flags Rule through December 31, 2010.  The agency cited requests from members of Congress for a postponement of the deadline while legislators tinker with federal law to exclude certain businesses from application of the Rule.  The FTC announcement states:

Several members of Congress have once again asked the Commission to delay the Rule’s enforcement, through the end of the year, to give Congress time to reach a consensus on the types of businesses that should be covered under the Rule. The Commission believes that a limited further postponement is warranted so that it does not begin to enforce a regulation that Congress plans to supersede.

*  *  *

The Commission urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays.

In October 2009, the House of Representatives unanimously passed HR 3763 (.pdf), a bill that would exempt from application of the Rule law firms, accounting firms and medical practices with 20 or fewer employees.  This week, on Tuesday, May 25, 2010, Senators John Thune and Mark Begich introduced S.3416 (.pdf), a parallel bill that amends the law to exclude the same small firms and practices.  The bill is currently before the Senate Committee on Banking, Housing, and Urban Affairs.

This move comes days before the June 1, 2010 deadline that the FTC set in October for enforcement of the Red Flags Rule.  Beginning in 2008, the FTC created controversy by construing the Red Flags Rule to apply to a wide range of "creditors", including anyone that invoices customers after providing goods or services.  As a result, the FTC has faced backlash from law firms, accounting firms and medical practices.  Groups representing these industries have filed lawsuits against the FTC to prevent them from applying the Red Flags Rule.  

While it seems likely that Congress will exclude some businesses from the application of the Red Flags Rule, the current efforts may not represent cause for widespread celebration in the legal, accounting and medical communities.  If the new bill expressly excludes small practices, one effect of the new law may be to confirm a legislative intent that larger law firms, accounting firms and medical practices (i.e., those that employ more than 20 individuals) remain subject to the Red Flags Rule.

Rep. Boucher and Stearns Release Discussion Draft of Comprehensive Federal Privacy Legislation

Earlier this month, Congressmen Rick Boucher and Cliff Stearns released a discussion draft of comprehensive federal privacy legislation (.pdf).

Among the many provisions of the draft bill is the requirement that any entity that collects information on individuals such as name, address, email address and telephone number, maintain "appropriate administrative, technical, and physical safeguards" to secure the personal information.  The draft bill would also require the FTC to implement new privacy rules and police the new safeguards. 

The bill is also available from Rep. Boucher's website.

One More Thing to Worry About -- Hard Drives on Digital Copiers

Many digital copiers are now able to store the scanned documents on flash memory or hard drives.  This could pose a privacy/security risk, if the drives are improperly accessed, or if they are lost or resold without being scrubbed first.

Even the simple act of making a photocopy now poses privacy risks.  In response to a letter from Massachusetts Congressman Edward Markey, the FTC has responded and agreed to investigate the privacy risks posed by digital copiers that store information on internal hard drives. 

If you have photocopiers, you should investigate what type of storage devices they have.  And if you or your staff use public photocopiers, you should establish policies about what type of information cannot be copied on a public machine.


Coming This Month -- Proposed HIPAA Regs!

The Department of Health and Human Services announced it will release proposed HIPAA/HITECH Act regulations later this month, according to the HHS's recently-published regulatory agenda, available at 75 Fed. Reg. 217821.  The announcement itself was pretty cryptic:

120. MODIFICATIONS TO THE HIPAA PRIVACY, SECURITY, AND ENFORCEMENT RULES UNDER THE HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT

Legal Authority: PL 111-5, secs 13400 to 13410

Abstract: The Department of Health and Human Services Office for Civil Rights will issue rules to modify the HIPAA Privacy, Security, and Enforcement Rules as necessary to implement the privacy, security, and certain enforcement provisions of subtitle D of the Health Information Technology for Economic and Clinical Health Act (Title XIII of the American Recovery and Reinvestment Act of 2009).

The proposed regulations will apparently cover changes to the HIPAA Privacy Rule, Security Rule, and enforcement, consistent with the mandates of the HITECH Act. 

Regulators Provide Online Privacy Notice Builder to Help Financial Institutions Comply with Gramm Leach Bliley Act

Last week a number of federal regulatory agencies rolled out an online privacy notice builder for financial institutions subject to one or more of the Gramm Leach Bliley Act (GLBA) regulations.  The agencies involved include the Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), Board of Governors of the Federal Reserve System (FRB), Office of Thrift Supervision (OTS), the National Credit Union Administration (NCUA) and the Commodity Futures Trading Commission (CFTC).

The GLBA regulations issued by these agencies require financial institutions to provide initial and annual privacy notices to customers.  On December 1, 2009, the agencies adopted a Model Form (.pdf) based on lengthy quantitative testing and research to provide financial institutions with a safe harbor for compliance with the privacy notice requirement.  Financial institutions are still free to draft their own privacy notices, but are responsible for making sure that their own notices contain all the required elements.

The online form builder consists of a linked set of instructions (.pdf) that leads financial institutions to one of four forms, which are filled out depending on whether the company is providing customers with a right to opt out or elects to allow affiliate marketing.

GLBA Privacy Notice Forms:


Update on HIPAA Business Associate Regulations -- OCR Says They Still Aren't Ready, Gives No Date

In a notice apparently posted March 17, 2010, the Office for Civil Rights of the Department of Health and Human Services ("OCR") acknowledged its delay in issuing regulations for HIPAA business associate agreements.  Those regulations are now a month overdue and, from OCR's language, they do not appear imminent:

OCR will implement important privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act through notice and comment rulemaking, as required by the Administrative Procedure Act.  These provisions include: business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information.  OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions.  Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements.

(Emphasis added.)  What does seem clear from this notice is that OCR enforcement of the underlying law is not imminent and that more guidance on that will come when the regulations are issued.


Deadlines, Deadlines, Deadlines: Three Important Privacy and Security Dates

In the past several days, three important information privacy and security deadlines have arrived.  To recap, they are:

  • February 17, 2010:  the provisions of the HITECH Act regarding HIPAA business associates went into effect (albeit without regulations, which are expected to be issued any day now).  Many HIPAA covered entities have been revising their Business Associate Agreements in an effort to comply with what they think the regulations will say.  Others are waiting until they see the regulations to amend those agreements.
     
  • February 22, 2010:  FTC rules regarding health information breaches went into effect.  The FTC has provided a standard reporting form for such breaches.  And the FTC is putting its money where its mouth is:  in the Fiscal Year 2011 Congressional Budget Justification, the FTC is seeking two full-time employees for “data security enforcement and rulemakings.” 
     
  • March 1, 2010:  Last but not least, the Massachusetts Data Security regulations went into effect on March 1, although we have not received word from the Massachusetts Attorney General as to how these regulations will be enforced.  A recent Boston Globe article (for which I was interviewed) details the apparent state of readiness for these regulations. 

Doctors and Other Health Care Professionals Challenge Application of FTC Red Flags Rule

The FTC Red Flags Rule faces another likely challenge, based on a January 27, 2010 letter sent to the FTC by the American Medical Association, the American Osteopathic Association, the American Dental Association, and the American Veterinary Medical Association.  In that letter, the four health care organizations requested that the Red Flags Rule not be applied to health care professionals (based on the reasoning of the recent court decision that it does not apply to lawyers).  I assume that if the FTC rejects this request, suit will be filed by these groups, just as the AICPA has filed suit on behalf of accountants to exempt them from the Red Flags Rules.

Accountants Ask Court To Exempt Them From Red Flags Rules

Last week the American Institute of Certified Public Accountants (AICPA) filed papers seeking summary judgment in the lawsuit filed against the Federal Trade Commission (FTC) to exempt accountants from the FTC's Red Flags Rules.  We first posted on this case in November, when the AICPA filed a complaint asking the federal court in Washington, D.C. to declare that accountants are not subject to the Red Flags Rules.  This followed hot on the heels of the October ruling (.pdf) that lawyers were not required to comply with the Red Flags Rules in a lawsuit filed by the American Bar Association (ABA).  It should be noted that the AICPA's motion will be heard by the same judge who issued the decision in favor of the ABA, Hon. Reggie B. Walton.

Since Judge Walton's preliminary ruling in the ABA case in October, the court has published a lengthy opinion (.pdf) explaining his reasoning.  In particular, the decision indicated that lawyers need not comply with the Red Flags Rules because the Rules only apply to "financial institutions" and "creditors," and lawyers cannot be classified as such under the Fair and Accurate Credit Transactions Act (the FACT Act or FACTA) or the Equal Credit Opportunity Act (the ECO Act or ECOA).  The FTC has taken the position that lawyers, accountants and anyone else who invoices a customer after services have been provided is extending credit, which makes them "creditors" under the FACT Act, the ECO Act and the Red Flags Rules.  Judge Walton forcefully addressed this position in his opinion in favor of the ABA:

[T]he Commission is essentially taking the position that the period of time between when a service is provided to when a lawyer or law firm invoices a client for the service and the invoice is paid, amounts to a period during which credit was extended if there is any interval of time between the providing of the service and the payment of the invoice. . . This is clearly not what was intended by Congress by its use of the term credit in the ECO Act and its subsequent inclusion of the term in the FACT Act.

The Court further noted that it found it persuasive that there is no evidence that identity theft is an actual problem in the legal profession, one that might necessitate the protections of the Red Flags Rules.

From the record before the Court (or more accurately the lack of a record), the best that can be gleaned is that identity theft in the attorney-client context is only a theoretical problem, especially given the role of state professional codes of conduct and other ethical codes to which attorneys must abide, and the Court cannot conclude that it is an actual problem given the absolute lack of any legislative, regulatory or other evidentiary findings that have been brought to the Court's attention.

The FTC will face the same arguments in the accountants' case.  Will Judge Walton side with the AICPA and rule that accountants, like lawyers, are not subject to the Red Flags Rules as "creditors?"  Or will the Court give the FTC more flexibility to extend the Red Flags Rules outside of the legal profession?  Read the AICPA's papers below and let us know your thoughts.

The FTC's opposition papers are expected next week.


Is the FTC "Moving to a Post-Disclosure Era" for Online Consumer Privacy?

Is the FTC moving to a "Post-Disclosure Era," in which consumer online privacy would be regulated in a radically different manner than the status quo?  That was a suggestion made by the chairman of the FTC, Jon Leibowitz, and David Vladeck, chief of the FTC's Bureau of Consumer Protection, during a recent on-the-record discussion about online privacy, reported in the New York Times.

For some time, I have been asking the question, "Is Consent Dead, and Should We Even Care?"  Now it appears the FTC is asking the very same question.  According to FTC Chair Leibowitz, companies “haven’t given [online] consumers effective notice, so they can make effective choices” about the privacy of their online information.  Mr. Vladeck similarly views traditional advise-and-consent privacy notice models as dependent upon “the fiction that people were meaningfully giving consent.  The literature is clear” that few people read privacy policies.

What, if anything, will this new way of thinking mean in terms of future regulation of consumer online privacy by the FTC?  More information may be forthcoming at the FTC's next privacy roundtable, to be held on January 28 (and available to the public via webcast).

American Institute of Certified Public Accountants Sues FTC to Stop Application of Red Flags Rules to Accountants

First it was the lawyers.  Now it's the accountants.  Less than two weeks after a federal judge in the District of Columbia granted the American Bar Association's (ABA) request that lawyers be excluded from enforcement of the Federal Trade Commission's (FTC) Red Flags Rule, which was followed that same day by an announcement that the FTC was moving the deadline for enforcement of the Red Flags Rule from November 1 to June 1, 2010, the American Institute of Certified Public Accountants (AICPA) has filed a lawsuit in the same court seeking an injunction barring the FTC from enforcing the Red Flags Rule as to accountants.  According to the AICPA's press release, the suit was filed on November 10.  For some reason, the case does not appear on PACER (the electronic system that contains links to court filings in the federal court system), but the AICPA included a link to the complaint on its website.

The AICPA suit seeks declaratory and injunctive relief on the grounds that the FTC exceeded its statutory authority by attempting to impose the Red Flags Rule on AICPA members who, it argues, are already strictly regulated at the state level.  The AICPA makes numerous references to the Court's decision in the ABA suit that the Red Flags Rule may not be applied to lawyers.  As with the ABA lawsuit, the AICPA does not suggest that accountants are just as vulnerable to identity theft as other professionals.

It will be interesting to see how the FTC responds to this new complaint, i.e., whether it will make the same arguments it made in the ABA suit and/or whether it will somehow try to distinguish accountants from lawyers.  It will also be interesting to see if any other large industry groups (such as the American Medical Association) decide to file their own suits.  As we noted in our earlier coverage of the ABA litigation, however, the effect of these suits, if successful, on the burdens of those bringing them is unclear.  Although we are not experts about the duties of accountants, one can imagine that, like lawyers, they will likely be required to take many, if not all, of the same security measures demanded of their clients, because the Red Flags Rule requires that companies oversee how their service providers manage customer information and accounts, and because of the duties imposed on service providers by other federal and state laws.


Bill to Narrow Red Flags Rules Moves Forward

It appears that certain groups, such as the American Bar Association (ABA), may be partially successful in their efforts to convince Congress to narrow the scope of the FTC Red Flags Rules, which are currently scheduled to go into effect on November 1.  According to the BNA Privacy & Security Law Report, the House Financial Services Committee has sent H.R. 3763, titled a bill "To amend the Fair Credit Reporting Act to provide for an exclusion from Red Flag Guidelines for certain businesses," directly to the House floor without a markup.  The bill proceeded to the House floor after the Republican side of the Financial Services Committee consented to such a move.

The bill, which was introduced on October 8 by Rep. John Adler (D-N.J.), would exclude from the Red Flags Rules health care, accounting and legal practices with 20 or fewer employees.  It would also require the FTC, within 180 days, to issue regulations that set forth the process by which a business may apply for an exemption from the Red Flags Rules.

Of course, the passage of H.R. 3763 likely will not sufficiently narrow the Red Flags Rules in the eyes of the ABA, which has filed suit in federal district court in Washington D.C. to stop the application of the Red Flags Rules to all attorneys (see our prior post on this lawsuit).  In that case, the ABA has already moved for partial summary judgment, and the FTC has filed an opposition.  On October 13, ABA President Carolyn Lamm sent a letter to Rep. Barney Frank (D-MA), the chairman of the Financial Services Committee, urging lawmakers to exempt all attorneys from the rules.

Massachusetts Holds Public Hearing on Information Security Regulations -- Regulators Contemplating Additional Revisions in Final Rulemaking

This morning, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) held a public hearing in connection with its promulgation of revisions to the Commonwealth's information privacy regulations, 201 CMR 17.00.  The standing-room-only crowd endured a modest, unventilated conference room in the Transportation Building to make comments on the stringent regulations.  OCABR Undersecretary Barbara Anthony led the meeting with OCABR Deputy General Counsel Jason Egan and Assistant Attorney General Diane Lawton.  The principal author of the original regulations, OCABR General Counsel David A. Murray, could also be seen in the audience.  The highlights of the hearing include:

  • Undersecretary Anthony suggested that the OCABR may make additional revisions to the regulations in issuing final rules. 
     
  • The Undersecretary admitted that the provision of the regulations governing third party service providers [201 CMR 17.03(2)(f)] "is taken essentially verbatim from the [FTC's] Safeguards Rule" that was promulgated in response to the Gramm Leach Bliley Act in 2001.  The Undersecretary indicated that while OCABR "stole it" from federal regulators at the FTC, she is aware that there may be "confusing language" in the provision and stated that the "final rules will clarify" this aspect of the regulations. 
     
  • Confronted with requests for a model information security program, additional training and other outreach efforts, Undersecretary Anthony indicated that "this is something we definitely will do."
     
  • There was no mention of any further extensions to the current compliance deadline: March 1, 2010.
     
  • The lead enforcement officer of the new regulations and Chief of the Consumer Protection Division, Scott Schafer, began the hearing with a prepared statement crediting the OCABR with successfully addressing an "important issue" and indicating the Attorney General's support for the revised regulations.  In his statement, Mr. Schafer indicated that he believes that the revised regulations provide businesses with "appropriate flexibility" while protecting consumer confidence in the security of personal information involved in commercial transactions.

Over a dozen individuals presented comments to Undersecretary Anthony.  In general, there was a broad call for additional revisions to the requirements with respect to service providers.  There were also repeated requests for "practical guidance" from regulators, in the form of revisions to ambiguous elements of the new regulations, as well as model programs, explanatory guides and materials, training and presentations.  After the jump, you will find more detail from my notes on the public comments. 

Incident of the Week: NCUA Issues Fraud Alert Based On Fake NCUA Fraud Alert (Which Turns Out To Be Part of Security Consultant's Penetration Testing)

The National Credit Union Administration (NCUA) issued an official NCUA Fraud Alert on August 25, 2009 reporting that someone was sending around a fake NCUA Fraud Alert (.pdf) with CDs that purported to contain security software updates but instead contained malware.  The NCUA warned, "Should you receive this package or a similar package DO NOT run the CDs."  The NCUA, which regulates federally insured credit unions, was tipped off to the fake Fraud Alert by a single credit union. 

As it turns out, the credit union was undergoing security penetration testing and the security firm involved, MicroSolved, Inc., put together the fake Fraud Alert to test whether the credit union was secure against this sort of social engineering scam.  When it learned of this wrinkle, the NCUA issued an update to its Fraud Alert stating:

This was an unauthorized and improper use of the NCUA logo, and also included a falsified signature of then-Chairman Michael Fryzel. The bogus alert was forwarded to NCUA, prompting the issuance of the August 25 Fraud Alert. The false Fraud Alert appears to be confined to that credit union, and is not wide-spread.

It appears that the original credit union passed its security test with flying colors. ComputerWorld obtained a number of noteworthy comments in its article on the subject, but one that stands out is from SANS Institute security researcher, Johannes Ullrich, who observed that the tactic of sending fraudulent regulatory alerts with malware was something seemingly invented by security consultants.  "I thought, 'Finally this is in the wild, because I've only seen it in pen tests before.'"

Still Wondering What Changes Massachusetts Made to the State's Information Security Regulations? Here's a Redline of the Revisions to 201 CMR 17.00.

As we reported on August 17th, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has promulgated a revised set of information security regulations (201 CMR 17.00 et seq.) and will hold a meeting for public comment on September 22, 2009.  For those who are still wondering what revisions were made, here is a redline comparison of the amendments (.pdf).

ALERT: FTC Announces Delay in Red Flags Enforcement Until November 1, 2009.

Amidst calls from the legal community, the Federal Trade Commission (FTC) announced this morning that it was delaying enforcement of the FTC's Red Flags Rules until November 1, 2009.  The FTC's announcement of the delay emerged almost as a footnote to a public statement devoted largely to the FTC's "redoubled" efforts to "provid[e] additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply."  The FTC appears to be stepping up its outreach efforts with an "Expanded Business Education Campaign" that is intended to address those businesses that "remain uncertain about their obligations."  This seems aimed at the recent statements from the American Bar Association (ABA), which has called on the FTC and Congress to exempt lawyers from the FTC's Red Flags Rules and threatened to sue the FTC to stop any enforcement action against the legal industry.  

To recap the events leading up to this postponement: in April, the ABA received word that the FTC intended to enforce the FTC's Red Flags Rule, 16 CFR Part 681, against lawyers.  The ABA immediately asked the FTC to extend the May 1, 2009 deadline and the FTC obliged by postponing the deadline until August 1, 2009 (see our post on this topic).  After a few months of thought, the ABA publicly called on the FTC and Congress to exempt lawyers from the Red Flags Rule.  The ABA's June report on "Why the Red Flags Rule Should Not Apply to Lawyers" lays out a legal argument for why billing a client is not really an extension of credit that turns every lawyer and law firm into a "creditor" under the Red Flags Rule and the Fair and Accurate Credit Transactions Act (the FACT Act).  More recently, ABA President H. Thomas Wells, Jr. told the Blog of Legal Times that the ABA plans on filing a federal lawsuit this week to block enforcement of the Red Flags Rule, if "we don’t get some kind of sign."  And, perhaps on the ABA's urging, a House Appropriations subcommittee apparently asked the FTC to postpone its deadline yet again.  Other blogs and websites have been abuzz with "sources" close to the discussions between the ABA and the FTC, and then today the FTC announced that it had delayed the enforcement deadline yet again.

Lest anyone think that the ABA is on its own on this issue, the Massachusetts Bar Association sent the FTC a letter objecting to the application of the Red Flags Rules to lawyers and the New York County Lawyers Association also issued a report objecting to enforcement against lawyers.  State bar associations are joining the ABA in calling on the FTC to excuse them from the reach of the "new" regulations (which are, in fact, more than a year old at this point, after numerous delays in enforcement by the FTC).  

House Subcommittees Hold Joint Hearing On Behavioral Advertising

On June 18, 2009, the House Subcommittee on Commerce, Trade and Consumer Protection held a joint hearing with the Subcommittee on Communications, Technology, and the Internet on the topic of “Behavioral Advertising: Industry Practices and Consumer Expectations.” The subcommittee members explained that they hoped the hearing would help determine the need and possible parameters for new legislation governing privacy and behavioral advertising.

Lawsuit Challenges Legality of HITECH Act

A federal suit has been filed that challenges the legality of the federal HITECH Act.  In the course of 30 often rambling pages, this complaint alleges that "HIPAA codified the Hippocratic Oath" and that HITECH improperly undermines both.  This complaint appears to be the work of a gadfly or two.  The plaintiff's lawyer is her husband; interestingly, he was described by a federal judge as filing claims that were "without merit [and which] would have been perceived as such by any objectively reasonable attorney."  And this same attorney has been disbarred in Connecticut. 

Even if there are questions about the specific allegations in this complaint and questions about the credentials of the counsel who filed it, the complaint points to some legitimate concerns about the move to electronic medical records and health information exchange.  However, it will probably be a different case that brings real scrutiny to these questions.

ABA Urges Congress and FTC to Exempt Lawyers from Red Flags Rules

Earlier this week, on Monday, June 22, 2009, the American Bar Association (ABA) President H. Thomas Wells, Jr. issued a public statement urging Congress and the FTC to exempt lawyers from the requirements of the federal Red Flags Rules, stating:

The Rule, adopted under the Fair and Accurate Credit Transactions Act, or FACT Act, is noble in its intent.  However, the Commission’s application of the Rule to lawyers is unnecessary and not supported by law.  Lawyers are not engaged in the type of commercial activity that Congress was attempting to regulate with the FACT Act and should not be considered creditors under the Red Flags Rule.

In support of this position, the ABA President references federal caselaw suggesting that lawyers are not "creditors" under federal law and suggests that forcing lawyers to comply would be costly and pointless.  "Compliance with the Act would complicate client arrangements and require a major commitment of lawyers’ time, yet the FTC has failed to identify a single case of identity theft in the legal service context, suggesting that such a scenario is far-fetched, if not impossible."

As we reported in our earlier post on this topic, the ABA has been considering what action to take since it asked the FTC to delay enforcement of the Red Flags Rules in April and the FTC complied, postponing broad enforcement until August 1, 2009.  The ABA statement further suggests that the ABA may already be lobbying Congress behind the scenes to relieve the legal industry from the burden of compliance.

European Service Providers To Begin (or Continue) Recording Data on All Electronic Communications

On March 15, 2006, the European Parliament issued Directive 2006/24/EC (.pdf), outlining a new program that would require internet service providers (ISPs) and telecommunications carriers to begin retaining comprehensive records of customer communications.  Specifically, the Directive required member states to ensure that a range of communications data be retained by service providers, including:

  1. The names, addresses, telephone numbers, Internet Protocol (IP) addresses and user IDs involved in Internet access, email and Internet telephony services;
  2. The date and time of the start and end of communications;
  3. The telephone numbers involved during a telephone call and the registered owners' names and addresses;
  4. Information allowing the identification of mobile phones used to make telephone calls and their geographic location when used to make calls.

The Directive expressly states that "[n]o data revealing the content of the communication may be retained pursuant to this Directive."  Under the Directive, service providers will be required to retain these records "not less than six months and not more than two years" and ensure that the retained records can be communicated to government authorities "without undue delay." 

Implementation of Directive 2006/24/EC for Internet communications has been delayed (if for no other reason than to figure out how to store the terabytes of information required under the new Directive).  During the interim, Ireland challenged the Directive in the European Court of Justice.  Examining the Directive, the ECJ held that it essentially pertained to the commercial activities of service providers, rather than police and security matters, and dismissed the case.

Member states recently have begun implementing the Directive. In the United Kingdom, the Home Office has prepared draft regulations transposing Directive 2006/24/EC into law (.pdf) that requires the retention of communications data for 12 months. This has led to significant criticism of the retention rules (see news coverage at the BBC and the Telegraph). Sweden has stated that it intends to postpone implementation of the Directive to Internet activity. 

Between the implementation of Directive 2006/24/EC and other invasive surveillance laws being considered in Europe (France appears to be on the verge of legalizing government spyware), the landscape of Internet communications is evolving rapidly.  Anyone transacting business in Europe or who may transfer data through member states may need to consider the privacy implications of and retention obligations imposed by the new rules.

Bill Seeks Changes to Massachusetts Data Security Law

With the deadline for complying with the Massachusetts identity theft law just six months away, at least one state senator is still seeking changes to that law.  In Senate Bill S173, which until now has received little public notice, State Senator Michael Morrissey proposes to make it easier for small businesses to comply, by requiring the state's regulations to take account of a business's resources as it requires compliance:  "[S]aid department shall create separate regulations for small businesses covered by this chapter that reflect said small businesses unique situation and resources."  This type of language is reminiscent of the HIPAA security rules and their scalability for businesses of different sizes. 

S173 also addresses the issue of what businesses can do with employees who violate the law, by making it easier to fire them:  "A willful violation of this chapter or regulations implementing this chapter, or a written information security plan issued by a person covered by state or federal privacy laws shall provide just cause for the termination of an employee, whether the employee is employed by a private person, public agency or political subdivision of the state."

Privacy Panel Recommends Updates to Privacy Act, Privacy Officers for Federal Agencies

On May 27, 2009, the Information Security and Privacy Advisory Board (ISPAB) issued a report entitled "Toward A 21st Century Framework for Federal Government Privacy Policy" (.pdf) that calls on Congress to amend the Privacy Act of 1974, establish the position of Chief Privacy Officer in numerous executive agencies and develop a Chief Privacy Officers’ Council. ISPAB is a group that advises the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB), and the Commerce Department.

In its report, ISPAB indicates that rising threats to privacy and advancements in computer technology and usage are unaddressed by outdated provisions in the Privacy Act. It also suggests that inattention by policymakers and the absence of guidance from the White House have led to a patchwork of inconsistent approaches by federal agencies. The report concludes that these factors have contributed to the difficulty agencies have experienced in adapting to technological change. ISPAB urges the creation of a “new framework to protect privacy” by making the following recommendations:

  • Amend the Privacy Act of 1974 and Section 208 of the E-Government Act of 2002 to improve Government privacy notices and re-define “System of Records” based on function and use of data and not merely possession;
     
  • Institute Chief Privacy Officers at all “CFO agencies;”
     
  • Institute a Chief Privacy Officers’ Council; and
     
  • Develop uniform privacy policies emanating from the OMB.

The Senate Homeland Security and Governmental Affairs Committee reports that it intends to modernize the law in this area.

Links:

  • The ISPAB Report  "Toward A 21st Century Framework for Federal Government Privacy Policy" (.pdf), also available from the NIST website here (.pdf)
  • The Computer Security Resource Center website developed by the Computer Security Division of NIST
  • News report regarding possible Senate action.

ABA to Consider Asking FTC and Congress to Exempt Lawyers from Red Flags Rules

A contact at the American Bar Association (ABA) confirmed by telephone today that the ABA Board of Governors is meeting this Saturday, June 13, 2009 to determine what position the ABA will take on whether lawyers and law firms are (or should be) considered "creditors" subject to federal Red Flags Rules.  Many among the legal community are hoping that the ABA urges the FTC and Congress to exempt lawyers from compliance with federal Red Flags Rules or takes some other action to limit the scope of the FTC's enforcement.  (For background on the Red Flag Rules, see our prior postings here, here and here). 

The FTC has previously indicated that it plans to enforce the Red Flags Rules against lawyers along with any other business that sells goods or services now and bills its customers later (see our prior discussion here).  However, according to the ABA, the first it heard of this issue was when federal regulators notified the ABA of the government's position on April 23, 2009.  This was just a week before the FTC was to begin enforcement of the Red Flags Rules.  The next day, after the FTC attended an emergency meeting with the ABA Government Affairs Office, President H. Thomas Wells, Jr. directed a letter to FTC Chairman Jonathan D. Leibowitz (.pdf) requesting an additional three to six months' delay in enforcement so that the ABA could consider its stance on this issue.  The FTC appears to have acquiesced to the ABA request a few days later, when the FTC postponed the May 1, 2009 enforcement deadline until August 1, 2009. 

In the president's letter as well as a separate public statement (.pdf), the ABA indicated that "some" believe that federal precedent contradicts the FTC's expansive interpretation of the law (for more information, see our detailed discussion of the caselaw here and here).  The ABA has also noted that "the FTC has no examples of identity theft arising from an attorney-client relationship." 

Given the looming compliance deadline, it seems likely that we will hear from the ABA shortly -- possibly as early as next week.  In view of the FTC's response (.pdf) to the public objection raised by the American Medical Association (.pdf), the ABA may need to take a different tack to effect a change in the FTC's enforcement policy.

[I should note that an attorney in California called me up yesterday to discuss the FTC's view that lawyers should be considered "creditors" subject to federal Red Flags Rules.  Thanks are owed to her for raising the question of whether the ABA has articulated a view on this issue.]

FTC Chairman Pushes for Increasingly Specific "Self" Regulation of Behavioral Advertising

In recent weeks, FTC Chairman Jon Leibowitz has encouraged the behavioral advertising industry to adopt increasingly specific "self" regulatory measures to address privacy concerns. Behavioral advertising, which the FTC has described as the practice of “tracking of a consumer’s activities online . . . in order to deliver advertising targeted to the individual consumer’s interests,” is a concern for consumer groups.  Consumers' concerns range from the transparency of the process to the adequacy of security measures in place to protect information compiled, to the impact of behavioral advertising on vulnerable consumers. In recent statements, Leibowitz has suggested that he remains unsatisfied with industry efforts to address these concerns.

New Law Would Require ISPs to Retain User Logs and Subscriber Records for Two Years

In February, Senator John Cornyn (R-Tx.) and Congressman Lamar Smith (R-Tx.) introduced the Internet Stopping Adults Facilitating the Exploitation of Today's Youth ("SAFETY") Act of 2009 (S. 436, H.R. 1076), which contains a provision that would require Internet Service Providers (ISPs) to keep subscriber data for "at least" two years.  Specifically, Section 5 of the bill requires that ISPs retain "all records or other information pertaining to the identity of a user of a temporarily assigned network address." According to a recent announcement from Senator Cornyn, the new retention provision is needed to enable law enforcement officers to identify individuals involved with online child pornography. Several privacy advocates have taken issue with the bill’s data retention requirements.  According to Kevin Bankston, a senior attorney with the Electronic Frontier Foundation, those requirements “unnecessarily threaten the privacy and anonymous speech rights of every law-abiding internet user” and would “create vast new troves of data vulnerable not only to government overreaching but also to any civil litigant wielding a subpoena.”

The legislation has been referred to committee in the House and Senate. 


Electronic Access to Court Filings Potentially Exposing Sensitive, Personal Information

In an April 2009 press release (.pdf), the Public Access to Court Electronic Records system (“PACER") announced that 99% of all federal courts nationwide have implemented electronic systems allowing litigants to file and review documents online. The near-complete implementation of these online systems marks an important technological and environmental milestone for the legal profession; however, it comes with considerable risks to individuals' privacy and security: potentially limitless filings that inadvertently contain individuals' sensitive information, including financial account numbers and Social Security numbers, may be available to anyone with an Internet connection for the small price of $0.08 per page.


New Cybersecurity Legislation Introduced in the Senate

As I noted a few weeks ago, Senators Jay Rockefeller (D-W.Va.), Olympia Snowe (R-Maine) and Bill Nelson (D-Fla.) were drafting new cybersecurity legislation.  Last week the Senators introduced two bills.  The first, S.778 (text of the bill not yet available), would establish an Office of National Security Advisor within the Executive Office of the President.  The second, S.773 (text of the bill not yet available), entitled the Cybersecurity Act of 2009, gives the President the power to limit or shut down Internet traffic to and from any federal government or United States infrastructure network.  The other provisions of the legislation are summarized in my previous post.

Whether the legislation has any chance of passing remains to be seen.  However, some groups are already criticizing aspects of the legislation.  The President of the Center for Democracy and Technology, for example, has stated "[t]he cybersecurity threat is real, but such a drastic federal intervention in private communications technology and networks could harm both security and privacy."  The bills have been referred to the Committee on Homeland Security and Government Affairs.


EU Working Party Issues Opinion on Standard Contract Clauses for Transfer of Data

On March 5, 2005, the Article 29 Working Party, an independent European advisory body on data protection and privacy, adopted Opinion 3/2009 (.pdf). The opinion comments on European Commission proposals designed to ensure that all data processors, including contractors hired by other data processors, are contractually required to protect sensitive data. Those proposals, contained in a Draft Commission decision which has not yet been made public, would update the standard contract clauses for the transfer of personal data to processors outside the European Union. As the Working Party explains, the Draft Commission decision proposes to update the standard contract clauses to reflect increasingly common “global outsourcing,” in which data is transferred from controller to processor to sub-processor, and often to subsequent “sub-sub processors.” In their current form, “the standard contractual clauses of 2002/16/EC do not provide a means to deal with these complex onward transfers.” Thus, the Draft Commission decision includes additional contract clauses to address these multi-layered transfers, and the Working Party Opinion comments on the proposed clauses.


FTC Launches New Website and "How-To" Guide for Companies Wondering How to Comply with Red Flags Rules

As the May 1, 2009 deadline for compliance with federal Red Flags Rules nears, the FTC's staff has mentioned informally that helpful guidance would be forthcoming.   As of today, the FTC has launched its new Red Flags Rule website and with it, a Red Flags Rule "How-To" guide (.pdf). 

The website is a good collection of the FTC's materials on this issue and it includes official press releases and statements directed to various industries (including the FTC's letter to the healthcare industry (.pdf), the FTC's guide for telecom companies (.pdf) and the FTC's guide for utility companies (.pdf)). 

The FTC's advice in the How-To Guide may be somewhat general (e.g., "Just getting something down on paper won't reduce the risk of identity theft."), but it does simplify compliance into four steps:

  1. Identify Red Flags.
  2. Develop procedures for detecting Red Flags.
  3. Develop responses for Red Flags once you have detected them.
  4. Re-evaluate your Identity Theft Prevention Program as circumstances change.

For more specific information on threats and security measures, the FTC's webpage on information security is a useful resource drawn from the FTC's experience with companies that have had lapses in information security.  In particular, the FTC's Protecting Personal Information: A Guide for Business (.pdf) lays out five key principles for developing reasonable security procedures:

1. Take Stock. Know what personal information you have in your records.
2. Scale Down. Keep only what you need for your business.
3. Lock It.  Protect the information that you keep.
4. Pitch it.  Properly dispose of what you no longer need.
5. Plan ahead. Create a plan to respond to security incidents.

 

FTC Asks Congress For Enhanced Rulemaking and Enforcement Powers To Curb Abuses in Financial Industry

On Tuesday, March 24, 2009, FTC Chairman Jon Leibowitz testified before the U.S. House Subcommittee on Commerce, Trade and Consumer Protection seeking enhanced legal powers "[t]o allow the FTC to perform a greater and more effective role in protecting consumers." The prepared text of his testimony is available here (.pdf). Of particular note, the FTC is asking Congress to:

  1. Permit the FTC to use "notice and comment" rulemaking to declare business practices used in the financial industry to be unfair and deceptive acts in violation of the FTC Act -- a process that, according to Chairman Leibowitz, could shorten the time taken to put new regulations in place from 3-10 years under the current system to 1 year under a "notice and comment" system; and

  2. Authorize the FTC to bring civil lawsuits in federal court and to obtain civil penalties for unfair and deceptive practices.

Senate Drafting Cybersecurity Law - Seeks To Appoint National "Cybersecurity Czar"

Senators Jay Rockefeller (D-W.Va.), Chairman of the Senate Commerce, Science and Transportation Committee, Olympia Snowe (R-Maine) and Bill Nelson (D-Fla.) are drafting cybersecurity legislation that would establish a permanent national security czar reporting directly to the White House, according to a recent announcement from Senator Nelson and other reports.  The proposed legislation would also

  • require intelligence and Homeland Security officials to perform vulnerability assessments;
  • create a clearinghouse for information sharing between the government and private sector; and
  • fund scholarships for those interested in cybersecurity.

The proposed legislation follows on the heels of three incidents where computers in Senator Nelson's office were hacked. The current draft legislation contains provisions similar to those recommended by the Commission on Cybersecurity for the 44th Presidency, which released a report in December 2008.

Links:

  • The post on Senator Nelson's website can be found here.
  • The March 23, 2009 CNET News article, "A bill to shift cybersecurity to the White House" can be found here.
  • The December 2008 report from the Commission on Cybersecurity for the 44th Presidency is available here.

The FTC Strikes Back: (Essentially) Everyone Should Be Complying With Red Flags Rules, Especially The Healthcare Industry

In a recent letter (.pdf) to the healthcare industry, the Federal Trade Commission (“FTC”) has issued its clearest pronouncement yet on which entities must comply with federal “Red Flag Rules” -- the identity theft regulations that will go into effect for many businesses on May 1, 2009 (and have been in effect for banks and financial institutions since November 1, 2008). This latest guidance strongly suggests that if you are wondering whether the new federal regulations apply to you -- then they probably do.  In this post, we will recap the FTC's recent guidance on who should be complying with the Rules.


EU Data Protection Working Party Issues Guidance on Cross Border Discovery

On Wednesday, February 11, 2009, the Data Protection Working Party, an independent European advisory body on data protection and privacy, released its Working Document 1-2009 (.pdf) on pre-trial discovery for cross border civil litigation.  The Working Document attempts to reconcile the tension between U.S. discovery rules and the European Union’s Directive 95/46/EC (.pdf), which outlines the EU’s privacy requirements.  What follows is a summary of the Working Document and an analysis of how it begins to bridge the gap between U.S. discovery rules and the European privacy framework.


Rep. Mary Bono Mack Introduces Informed P2P User Act To Combat Inadvertent File Sharing

On Thursday, March 5, 2009, Congresswoman Mary Bono Mack (R-CA), Congressman John Barrow (D-GA) and Congressman Joe Barton (R-TX) introduced the Informed P2P User Act (H.R. 1319), which requires peer-to-peer ("P2P") software makers to make certain changes to their software to prevent users from inadvertently sharing files from their computers. The proposed law would require both "clear and conspicuous notice" of what files the P2P software would be sharing and "informed consent" from the user, both before installation of the software and before initial activation of file sharing functions. The Federal Trade Commission (FTC) would be empowered under the new law to enforce violations as unfair or deceptive trade practices.


Highlights from the IAPP Privacy Summit - March 11-13, 2009 Washington, D.C.

Between March 11, 2009 and March 13, 2009, the International Association of Privacy Professionals (IAPP) hosted a Privacy Summit in Washington, D.C. that featured keynote presentations from fraud expert Frank W. Abagnale and information security guru Bruce Schneier. The three-day event included dozens of breakout sessions with industry experts and government officials.  Read some of the highlights below.


Newly released opinions on privacy shed light on past government practices

On Monday the Department of Justice released a previously classified opinion entitled “Authority for Use of Military Force To Combat Terrorist Activities Within the United States” (.pdf), which concluded, among other things, that “the Fourth Amendment [of the U.S. Constitution] does not apply to domestic military operations designed to deter and prevent further terrorist attacks.” This may come as a shock to some because the Fourth Amendment expressly prohibits the government from searching or seizing individuals or their property absent a warrant and probable cause, without any special carve out for domestic military operations. The DOJ opinion, written by Deputy Assistant Attorney General John C. Yoo and Special Counsel Robert J. Delahunty, also concluded that these constitutionally exempt counter-terrorism operations would include “making arrests, seizing documents or other property, searching persons or places or keeping them under surveillance, intercepting electronic or wireless communications, setting up roadblocks, interviewing witnesses, and searching for suspects.” The evidence recovered from these operations could then be used “for criminal investigations or prosecutions.”


Has the Consumer Privacy Legislative Forum Decided to Abandon Efforts to Draft Federal Privacy Legislation?

In early February, I noted that a group called the Consumer Privacy Legislative Forum (“CPLF”), which includes companies such as eBay, Microsoft, Google and Hewlett Packard, had released a statement calling for comprehensive harmonized federal privacy legislation and would be outlining recommendations for such legislation this month. Apparently, the CPLF’s focus has shifted. According to a BNA Privacy & Security Law Report, 8 PVLR 331, the CPLF “has decided to abandon efforts to develop a set of principles for omnibus U.S. privacy legislation” and is instead “now focused on crafting an industry-wide self-regulatory framework that can be tested over time with a broad range of organizations.” The group has also changed its name to the Business Forum for Consumer Privacy, although it “is still working out legal issues involved with officially becoming a new organization.”


Cracking Down: FCC Initiates Enforcement Action Against Hundreds of Telecommunications Carriers For Failing to Certify Compliance With Customer Privacy Rules

On Tuesday, February 24, 2009, the Federal Communications Commission (FCC) issued an Omnibus Notice of Apparent Liability alleging that more than 600 telecommunications carriers have violated Section 222 of the Communications Act, which "imposes the general duty on all telecommunications carriers to protect the confidentiality of their subscribers' proprietary information," and the EPIC Customer Proprietary Network Information (CPNI) Order (22 FCC Rcd 6927), which requires each carrier to certify compliance with the regulations governing customer information. FCC Chairman Michael J. Copps issued a public statement addressing the enforcement action and highlighting that the FCC "continued to make consumer privacy protection a top priority." The FCC seeks a $20,000 fine from each of the carriers (around $13 million in total) and has stated that it moderated the amount of the fines because the carriers were small companies and because this was the first year of the certification requirement (certifications were due March 1, 2008). As the FCC warns in its official Notice, "[t]o the extent that we determine that the proposed forfeiture adopted herein does not have the intended deterrent effect, future noncompliance will face more severe penalties."

If you've been looking for signs of how the Obama administration intends to enforce privacy and information security regulations, here is one of a few early signs that federal regulators are under orders to step up enforcement efforts and are beginning with the backlog of violations from 2008.


Text of American Recovery and Reinvestment Act, security and privacy provisions

For those who want to see the source document, we have provided this link to the text of the American Recovery and Reinvestment Act of 2009.  The health security and privacy provisions start at Section 13000, around page 112.

Adding to the Patchwork: HITECH Act Sets New "Floor" for Data Breach Notification of Certain Patient Information

On Tuesday, February 17, 2009, President Obama signed into law the widely-debated federal economic stimulus package, officially titled the American Recovery and Reinvestment Act of 2009, and with it enacted the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Much of the media attention on the HITECH Act has focused on the policies promoting health information technology, a topic that President Obama touted throughout his campaign. However, the HITECH Act also contains myriad regulations that expand the security and privacy provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), and generally extends some of those regulations to non-HIPAA-covered vendors of personal health records and their business partners.

If you are hoping that federal lawmakers have used the HITECH Act to finally set a national standard for patient medical information, however, you will be disappointed.

The HITECH Act, like HIPAA, preempts any contrary state laws, but leaves intact any state laws and regulations that impose stricter requirements on the handling of patient information. As a practical matter, this means that if you are covered by HIPAA and the HITECH Act you must meet new minimum standards while continuing to monitor and comply with the ever-increasing patchwork of laws governing patient information in every state in which you operate.

What follows is a more detailed discussion of the provisions of the HITECH Act and how it attempts to provide additional security for patients' health information.


Do The Red Flags Regulations Apply to Me? -- Understanding Whether You Are A "Creditor" Under Federal Law

If you are confused about whether you, your company or your clients are subject to federal identity theft regulations, you are not alone. When the Federal Trade Commission (FTC) announced on October 22, 2008 that it was delaying enforcement of the new Red Flags regulations by six months, until May 1, 2009 (which we reported here and here), the FTC admitted that the primary reason for the delay was that many businesses, even whole industries, were “confused” about whether they are governed by the new regulations. (See the FTC’s October 2008 release and Enforcement Policy statement.)

For some industries, this is less a point of confusion and more of a fundamental difference in opinion over whether the federal regulations apply to them at all. For many traditional financial institutions, like banks and credit card companies, there is no dispute because there are specific Red Flags regulations directed at them. See, e.g., 12 C.F.R. Parts 334 & 364. For most other industries, the legal issue at the heart of the matter is whether one can be considered a “creditor” under the general purpose Red Flags regulations, 16 C.F.R. Part 681, and the operative federal statute, the Fair and Accurate Credit Transactions Act of 2003 (FACT Act or FACTA).

The FTC claims that the term “creditor” applies to any business or entity that allows customers to pay for goods or services after they have been delivered, and has made clear that it intends to enforce the regulations broadly. For example, see the FTC’s October 2008 Enforcement Policy. According to the FTC, virtually anyone that bills its customers is a “creditor” subject to the Red Flags regulations. This means utility companies are covered entities (see the comments to the November 2007 Final Rules [.pdf]), but so are consultants, lawyers, doctors, dentists and everyone who gets a check in the mail. The FTC’s construction is so broad that it seems to encompass someone selling an autographed baseball card on eBay who only gets paid after delivery, as well as an employee who receives a paycheck every two weeks in exchange for services rendered. I'll wager that most of us who receive paychecks did not know that somewhere along the line we have become creditors subject to the Red Flags regulations as well as the federal laws governing lending practices.

The real problem with the FTC's interpretation is that it does not seem to bear legal scrutiny. If everyone is a "creditor", then everyone is subject to a host of legal requirements that are primarily enforced against traditional lending institutions. Because the FTC's broad interpretation of “creditor” would severely expand federal lending laws, it is unlikely to find much support among federal courts. Two courts of appeals issued key decisions in 1990 and 2002 indicating that the term "creditor" was not intended to apply to everyone, but only to entities that we might consider lenders by trade or practice. These cases discredit the FTC’s underlying legal position and suggest, as industry groups throughout the country have urged, that the Red Flags regulations only apply to more traditional financial institutions and commercial lenders.

Below, Ramzi Ajami and I explain in greater detail the underlying legal differences in these positions and discuss why the FTC may find itself unable to enforce the new regulations as broadly as it has announced.


Isn't There Already A Federal Standard Governing Information Security? -- Re-Examining the Gramm-Leach-Bliley Act

* By Stacy Anderson and Gabriel M. Helmer.

As an ever-increasing number of states enact legislation governing identity theft, customer data and personal information, pressure for clear federal legislation governing information security has mounted. For example, in December 2008, the FTC joined the growing number of voices calling on Congress to enact legislation creating a single federal standard for the handling of personal information. (See our report here.) As we see movement towards a unifying federal standard, we are also observing a growing insistence that such legislation be consistent with the customer data security requirements of the Gramm-Leach-Bliley Financial Modernization Act of 1999 (GLBA) and its implementing regulations. As a result, even industries that are not required to comply with GLBA may wish to become familiar with its requirements.

Section 501(b) of GLBA requires agencies with oversight over financial institutions to establish standards relating to administrative, technical and physical safeguards for three purposes: (1) to insure the security and confidentiality of customer information, (2) to protect against any anticipated threats to the security of customer information, and (3) to protect against unauthorized access to or use of customer information.

In 2001, the Department of Treasury, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (FDIC) issued Interagency Guidelines Establishing Standards for Safeguarding Customer Information. These guidelines require that financial institutions adopt an information security plan, which must be approved by the institution’s Board. The plan must assess, manage and control threats that could result in unauthorized disclosure of information. The risk guidelines are flexible – they do not require that institutions implement specific risk control or assessment systems, but rather encourage them to adopt measures appropriate to their circumstances. Institutions are then required to monitor the plan and report to the Board annually. In addition, they must also ensure that their service providers implement appropriate measures to secure customer information. In 2005, the Department of the Treasury, the Board of Governors of the Federal Reserve System, and the FDIC issued the “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.” This guidance requires that institutions develop a response plan to address unauthorized access to customer information. As part of this process, institutions must notify customers if sensitive customer information has been improperly accessed and misuse of that information has occurred or is likely to occur.

In 2002, the Federal Trade Commission (FTC) issued its “Standards for Safeguarding Customer Information,” commonly referred to as the Safeguards Rule. The rule applies to financial institutions over whom the FTC has oversight and resembles the interagency guidelines for safeguarding customer information. Like those guidelines, the Safeguards Rule affords institutions considerable flexibility in implementing safeguards. Unlike the guidelines, the Safeguards Rule does not require that the information security plan be approved by the institution’s board, and does not contain customer notification requirements such as those set out in the Guidance on Response Programs, although the FTC does encourage entities to consider notifying customers in the event of a breach. In considering these federal regulations, it is worth noting that the FTC’s recently issued Red Flag Rule implements the Fair and Accurate Credit Transactions Act of 2003 ("FACT Act"), and not GLBA, although the FTC does anticipate that many institutions may have implemented some of the practices required under the Red Flag Rule as part of their efforts to conform with GLBA.

Of course, it remains to be seen whether broad federal legislation governing customer data security will be enacted and if so, whether GLBA requirements will be used as a blueprint for such legislation. Regardless, an understanding of GLBA requirements and their effectiveness can help inform the debate around such legislation.


Senator Feinstein Introduces Two New Security/Privacy Bills

On January 6, 2009, Senator Dianne Feinstein (D-Cal.) introduced two bills related to data breaches and protection of social security numbers. Bill S. 139, entitled the "Data Breach Notification Act," would require any federal agency or business entity to notify an individual of a security breach involving personal information “without unreasonable delay.” The proposed bill defines “reasonable delay” as including “any time necessary to determine the scope of the security breach, prevent further disclosures, and restore the reasonable integrity of the data systems and provide notice to law enforcement when required.” In addition to requiring notice to the affected individual(s), the bill requires that notice be provided to “major media outlets” within a state if the number of state residents affected by the breach exceeds 5,000, and also requires that notice be given to the Secret Service if the number of affected individuals exceeds 10,000 or if the affected database contains information of more than 1,000,000 individuals. The bill provides for limited exceptions for law enforcement or national security purposes. 

The bill requires that the notice include (1) a description of the categories of information that was acquired by an unauthorized person, (2) a toll-free number that the individual may use to contact the agency or business and learn what types of information the agency or business maintained about the individual, and (3) the toll-free contact telephone numbers and addresses of major credit reporting agencies. The first requirement of the notification’s content is particularly interesting, as several states (including Massachusetts) currently forbid the notification to include the nature of the breach. Bill S. 139 states that it does not provide a private right of action, meaning that a private individual may not bring suit under the bill. Finally, the bill provides that its  provisions “shall supersede any other provision of Federal law or any provision of law of any state relating to notification by a business entity . . . or agency.”

Senator Feinstein introduced a similar bill in 2007 which failed to pass the Senate. This year’s version, which has no co-sponsors, has been referred to the Judiciary Committee. 

Bill S. 141, entitled the “Protecting the Privacy of Social Security Numbers Act,” is co-sponsored by Senators Judd Gregg (R-NH) and Olympia Snowe (R-ME). It prohibits any person from displaying, selling, or purchasing an individual’s Social Security number without the affirmative, express consent of the individual, subject to a number of exceptions (e.g., for national security, law enforcement, or public health purposes, or if the display is required, authorized, or excepted under any Federal law). The bill also would prohibit any federal, state, or local government from displaying Social Security numbers on public records posted on the Internet or from printing them on government checks. [These provisions parallel recent recommendations from the FTC as we Further, the bill prohibits any federal, state, or local agency from employing inmates in any position that would give the inmate access to the Social Security numbers of other individuals. Finally, the bill would provide limits on when businesses may ask customers for their Social Security numbers.

Unlike the Data Breach Notification Act, the Protecting the Privacy of Social Security Numbers Act provides for a private right of action, allowing any aggrieved individual to sue for an injunction or monetary damages (which could be tripled if a court finds a willful and knowing violation). As with the Data Breach Notification Act, the Protecting the Privacy of Social Security Numbers Act has been referred to the Judiciary Committee.

Given the many challenges facing the federal government this upcoming year as it transitions into the Obama administration, it is difficult to predict whether Senator Feinstein’s bills will face resistance. However, all signs point to a recession-driven boom in cybercrime, identity theft and security breaches that will continue to expand in 2009 as it did in 2008. Given this environment, Congress will probably enact some version of these proposals sooner rather than later.


Massachusetts Businesses Ask For More Time To Comply With State Identity Theft Regulations

A number of high-profile Massachusetts businesses and industry groups have sent Massachusetts governor Deval Patrick a letter requesting that the governor reissue existing identity theft regulations and give battered businesses two additional years to develop information security programs. This comes as a prelude to the public hearing scheduled today before the Massachusetts Office of Consumer Affairs and Business (OCABR) regarding the upcoming May 1, 2009 deadline for businesses to comply with recent Massachusetts identity theft regulations (201 C.M.R. 17.00 et seq.).  The companies and organizations signing the letter included the Massachusetts Business Roundtable, the Massachusetts Package Store Association, the Massachusetts Hospital Associations, Google, Comcast, CitiGroup, AOL, Microsoft, The Gap, Verizon and Wal-Mart.

Mass High Tech's story on this event can be found here.

Testimony of the Greater Boston Chamber of Commerce at the January 16, 2009 hearing can be found here.

The Privacy & Security Law Report reports that, at the hearing, representatives of employers, small businesses, financial institutions and universities asked the OCABR to extend the deadline for compliance beyond May 1st. According to these representatives, it will be “virtually impossible” for most of the covered entities to reach compliance by May 1, 2009. In addition, they urged the OCABR to review the new regulations again and make changes. Whether the OCABR will be swayed by the views of those attending the hearing remains to be seen. Given the economic climate and the costs associated with upgrading systems to meet the new regulations, it is a safe bet that most covered entities would breathe a sigh of relief if the OCABR decides to extend the compliance deadline.

2.13.2009 UPDATE: As we report in our alert, OCABR has responded to this request by filing amended regulations that postpone the compliance deadline by eight months, to January 1, 2010. 

FTC Chief Privacy Officer Mark Groman Presents At The Boston Bar Association

On Wednesday, January 14, 2009, the Boston Bar Association’s Privacy Law Committee hosted FTC Chief Privacy Officer Mark Groman for a brown bag lunch presentation entitled “The View from the Federal Trade Commission’s Chief Privacy Officer.” Here are a couple of highlights from the presentation:

  • Mr. Groman views law firms as businesses subject to FTC Red Flags regulations (“we regulate you, too”), so law firms should be developing identity theft prevention programs to comply with the regulations by the May 1, 2009 deadline.
  • To comply with FTC’s Red Flags regulations, companies need to use a “risk-based process” to evaluate potential threats and take reasonable and appropriate steps to mitigate them. Every business needs to adopt a written plan, but the FTC will not be talking to us “about particular technology” because there is a consensus that technology moves too quickly for regulators to approve or disapprove of any particular technology or counter-measure.
  • The FTC has brought 23 cases relating to information security issues. If you need guidance on what security measures the FTC believes must be implemented to meet federal regulations in specific circumstances, Mr. Groman suggested that we review the decisions in those cases. In particular, he suggested that everyone should be taking what he views as simple and inexpensive measures to protect against the SQL injection exploit, in which an individual attempts to insert computer code into a company’s database using the company’s website. (The FTC website refers to this exploit as one of many “commonly known and reasonably foreseeable attacks” that can be protected against by implementing “simple, free or low-cost, and readily available security defenses.”)
  • The primary questions businesses should be asking themselves when they are drafting an identity theft prevention program are: (1) what have you done to date to protect against existing threats?; (2) what is “the technology of the day” used to address those threats?; and (3) “how much does it cost?”
  • Mr. Groman confirmed that there is no one-size-fits-all solution to adopting an identity theft prevention program, and the FTC does not have a model plan to provide affected companies. “Privacy plans are like pants; they have to be tailored.”
  • The fact that there has been a data breach incident does not mean that a company’s information security program is necessarily at fault. The FTC has investigated “plenty of breaches where the [company’s] security was reasonable” and has also investigated companies that have not had any incidents where the security was insufficient.
  • The FTC recognizes that businesses, lawyers and whole industries are confused by what the new Red Flags regulations require. The FTC is likely to issue additional guidance on this topic soon.
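The “simple and inexpensive” SQL injection defense Mr. Groman refers to is, in practice, keeping untrusted web-form values out of the SQL text by binding them as parameters. The following is an added illustration, not code from the presentation or the FTC; it uses a constructed in-memory SQLite table and shows a lookup built by string formatting beside the parameterized form, with a probe value that demonstrates why the first form is the one the FTC cases criticize.

```python
import sqlite3


def make_db():
    # Constructed sample table (not real customer data) for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, zip TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, zip) VALUES (?, ?)",
        [("alice@example.com", "02108"), ("bob@example.com", "02139")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    # Deliberately weak form: the untrusted value is pasted into the SQL
    # text, so quote characters in it can change the query's structure.
    query = f"SELECT email FROM customers WHERE email = '{email}'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, email):
    # Hardened form: the driver binds the value as data only; it can never
    # alter the statement, whatever characters it contains.
    rows = conn.execute(
        "SELECT email FROM customers WHERE email = ?", (email,)
    )
    return [row[0] for row in rows]


def compare(email):
    # Returns (vulnerable result, parameterized result) for the same input
    # so the difference in behaviour can be checked directly.
    conn = make_db()
    return lookup_vulnerable(conn, email), lookup_parameterized(conn, email)


if __name__ == "__main__":
    # Constructed probe: a value that is not an email address but contains
    # a quote. The weak lookup returns every row; the hardened one none.
    print(compare("alice@example.com"))
    print(compare("x' OR '1'='1"))
```

Assuming nothing beyond the Python standard library, the second `compare` call shows the weak lookup matching both rows while the parameterized lookup correctly matches nothing.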

FTC Issues Guidance to Businesses on How To Handle Social Security Numbers

Anyone mystified by what practices the FTC wants businesses to improve on or abandon in response to federal “Red Flags” regulations received some specific guidance in December, when the FTC released the report Security in Numbers - SSNs and ID Theft. The new report articulates a series of FTC recommendations with respect to the handling of Social Security numbers (SSNs) based upon the work of the President’s Identity Theft Task Force, which was established in May 2006 and led to an extensive fact-finding effort summarized in the FTC’s November 2007 staff summary report. For anyone subject to new federal and state identity theft regulations, the Report helps identify some specific steps they should consider implementing by May 1, 2009, when the FTC will begin enforcing federal identity theft regulations.

The FTC Report first makes two key recommendations that should be considered when developing an identity theft prevention program:


ALERT: Massachusetts Gives Businesses Until May 1, 2009 to Adopt Comprehensive Information Security Programs To Comply With Recent State Identity Theft Regulations

In September, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued broad identity theft regulations that require virtually every business that retains information on Massachusetts residents to develop comprehensive policies and procedures to address the risk of identity theft by January 1, 2009. 

On Friday, November 14, 2008, OCABR announced that it will give businesses until May 1, 2009 to comply with the new regulations. This move parallels the October announcement by the Federal Trade Commission that it is delaying enforcement of federal identity theft regulations until the same date, May 1, 2009. 

In conjunction with the recently enacted Massachusetts identity theft statute, Mass. Gen. Laws ch. 93H, the Massachusetts identity theft regulations published as 201 CMR 17.00 set specific standards for businesses that own, license, store or maintain personal information about any Massachusetts residents. There are several key provisions in the new regulations:

  • Businesses subject to the regulations include any company, whether or not based in Massachusetts, that owns, licenses, stores or maintains “personal information” about Massachusetts residents.
  • “Personal information” is defined to include a resident’s name in combination with a Social Security number, driver’s license number, credit card or bank account information.
  • Affected businesses are required to develop, implement, maintain and monitor a comprehensive information security program that identifies and mitigates the risks of potential identity theft.
  • Businesses are required to set limits on when employees may access, keep and transport records containing personal information outside of company offices and impose disciplinary measures on employees that violate the information security policies.
  • The regulations also specifically require that computer systems containing personal information be protected by encryption, secure user logins, firewall systems, virus and malware protection and reasonably up-to-date system software.

The Massachusetts Attorney General is authorized to enforce these regulations, but at this stage, as with any new regulatory framework, the form and level of government enforcement is unclear. However, the new regulations direct the Attorney General to take into account the size and nature of the business, as well as the resources available to it, when assessing compliance.

2.13.2009 UPDATE: As we report in our client alert, the OCABR has filed amended regulations to extend the deadline for compliance with Massachusetts identity theft regulation to January 1, 2010.

ALERT: FTC Gives Businesses Until May 1, 2009 to Adopt Identity Theft Prevention Plans that Comply With Recent FTC "Red Flags" Regulations

On Wednesday, October 22, 2008, the Federal Trade Commission issued an Enforcement Policy Statement that it will delay some elements of enforcement of recent “Red Flags” regulations until May 1, 2009, instead of the original November 1, 2008 date. Citing uncertainty and confusion within many industries over whether they are covered by the new regulations, the FTC indicated that it will not seek to enforce the regulations on November 1, 2008, when all affected businesses were originally required to come into compliance. This delay does not apply to users of consumer reports handling notices of address discrepancies, which still have a November 1, 2008 deadline. Likewise, enforcement against banks, credit unions and other financial institutions by the U.S. Treasury, Federal Reserve, Federal Deposit Insurance Corporation and other agencies is not affected by the FTC’s action.

The “Red Flag” rules had their genesis in 2003, when Congress enacted the Fair and Accurate Credit Transactions Act, 15 U.S.C. § 1681 (“FACTA”). FACTA required the FTC and a group of other regulatory agencies and committees to adopt regulations to help consumers avoid the growing epidemic of identity theft. Under the final “Red Flags” regulations that came into effect on January 1, 2008, U.S. companies that maintain customer accounts used to make periodic payments, transfers or transactions were initially given until November 1, 2008 to develop formal policies to detect the warning signs or “Red Flags” of potential identity theft and set up procedures to prevent and mitigate the harm caused by identity theft. The FTC’s latest announcement provides businesses with an additional seven months, until May 1, 2009, to assess whether they are covered by the “Red Flags” regulations and put in place a compliant Identity Theft Prevention Plan.

While the language of the regulations covers “financial institutions” and “creditors” maintaining “covered accounts,” the FTC has made clear that the “Red Flag” regulations are intended to cover a broad range of businesses, many of which may not consider themselves traditional “financial institutions”. In particular, the FTC maintains that the new regulations apply to: (1) businesses that maintain any type of account that permits multiple payments or transactions or any other account that presents a reasonably foreseeable risk of identity theft, (2) credit card issuers, and (3) companies that use or receive consumer credit reports. 

The FTC estimates that the new regulations apply to over 11 million businesses in the U.S., including lenders, mortgage brokers, and brokerage firms, but also automobile dealers, utilities and telecommunications companies, collection agencies and other businesses that participate in credit decisions about their customers. Any business that provides customers with any type of account that permits the customer to make repeated payments or enter into regular financial transactions needs to assess whether it is subject to the new “Red Flags” regulations.

If your business is covered by the new “Red Flag” regulations, you will need to develop an Identity Theft Prevention Plan containing procedures to:

  1. Identify any indicators of a possible risk or existence of identity theft in its business — what federal regulators are calling “Red Flags” — such as discrepancies in customer information and suspicious account activity.
  2. Respond appropriately to any Red Flags in order to prevent identity theft from occurring, including by monitoring suspicious activity, contacting customers and notifying law enforcement.
  3. Continually assess the identity theft risks to customers and update the company’s Identity Theft Prevention Plan as necessary.

In addition, the new Red Flag regulations require an affected business to obtain approval from its board of directors for the Identity Theft Prevention Plan, train staff to administer the program and exercise oversight over any service providers retained to manage customer accounts and information. 

At present, it is still unclear what form the FTC’s enforcement of the “Red Flags” regulations will take. The regulations do provide for enforcement actions, regulatory penalties and fines, but do not provide individuals with a right to sue for failure to comply with the new rules.