A recent article in Law360 discusses how “technical problems plaguing the Affordable Care Act’s online insurance marketplace could expose vast amounts of personal data to theft….” I noted in that article that while these concerns were valid, they are simply expanded versions of existing exposures in payor databases: “Will breaches and improper disclosures happen as part of […]
Category Archives: Data Breach
Apple’s latest iteration of the iPhone (the iPhone 5S) went on sale last Friday. The phone contains a new feature called Touch ID, which allows iPhone owners to unlock and purchase content from Apple’s online store using a fingerprint reader housed in the iPhone’s home button. As expected, Apple’s use of biometric authentication has raised […]
In the following article from Massachusetts Lawyers Weekly (reprinted with permission), Brian Bialas comments on the latest Computer Fraud and Abuse Act case, and the resultant split in the District of Massachusett on how to interpret the CFAA: Ex-employees sued over computer use Judge narrowly construes CFAA By Eric T. Berkman A technology company could not […]
Recent Massachusetts Supreme Judicial Court Case Starts a Wave of Lawsuits Against Retailers for Collecting Customer ZIP Codes
In a recent decision, the Massachusetts Supreme Judicial Court (SJC) determined that customer ZIP Codes are “personal identification information” that retailers are prohibited from collecting during credit card transactions. With this decision, the Massachusetts high court may have set off a wave of new class-action lawsuits against retailers that collected customer ZIP Codes. Especially […]
The revised HIPAA regulations were formally published today in the Federal Register. In this form, they only take up 138 pages! Law360 has a brief piece on the revised HIPAA rules, with the perspectives of various attorneys (including me) on the changes. While I’m not sure I agree with the quote that “This is a […]
On January 18, 2013, nearly four years after the passage of the HITECH Act and its amendments to HIPAA, and nearly three years after it proposed regulatory amendments, the U.S. Department of Health and Human Services (“HHS”) has finally issued major “omnibus” revisions to HIPAA’s privacy and security regulations. In the 563 pages of the regulations and related regulatory comments, […]
Massachusetts Attorney General Secures $140,000 Settlement of Claims that Patient Information Was Left in a Town Dump
The Massachusetts Attorney General announced today that the former owners of a medical billing practice and four pathology groups have agreed to collectively pay $140,000 to settle allegations that medical records and patient billing information for “tens of thousands of Massachusetts patients were improperly disposed of at a public dump.” Under the settlements, the defendants have agreed to pay a […]
The Department of Health and Human Services’ Office for Civil Rights (“HHS OCR“) announced today that it was, for the first time, entering into a monetary HIPAA settlement for a breach involving less than 500 patients: the Hospice of North Idaho (HONI) has agreed to pay HHS OCR $50,000 to settle potential HIPAA security rule violations. HHS OCR began its investigation after HONI reported to […]
It was a pleasure to be on a panel with members of the Massachusetts Office of the Attorney General last week at the Massachusetts Medical Society to talk about how physicians can protect health information in our presentation entitled: ”Protecting Health Information: Health Data Security Training.” We covered the latest in federal law (HIPAA, […]
Another Massachusetts Health Care Provider Hit with Big HIPAA Settlement: Massachusetts Eye and Ear Infirmary Pays $1.5 Million
Late yesterday, the HHS Office for Civil Rights (“OCR”) announced that it had reached a $1.5 million settlement with Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (“MEEI“) to settle potential HIPAA Security violations. As part of the settlement, MEEI also agreed to a Corrective Action Plan to improve policies and procedures to safeguard the privacy and security […]
There’s a fascinating, and deeply troubling, report on NPR today about the FAA’s new air traffic control system: The new system is called the Next Generation Air Transportation System, or NextGen. It will be highly automated. It will rely on GPS instead of radar to locate planes, and it is designed to allow air traffic controllers and pilots to pack more planes, helicopters […]
A recent story in the Wall Street Journal discusses how small businesses can push back against banks which do not provide sufficient security for their bank accounts. The article focused on the recent First Circuit decision, Patco Construction Co. v. People’s United Bank, involving a bank account that had been drained by multiple fraudulent transactions. […]
You may have missed it, because it came without fanfare and does not seem to have made the data security trade press, but in early May, the State of Vermont updated its data security law. In particular, these revisions to 9 V.S.A. chapter 62 do the following: change the information protected to “personally identifiable information” […]
A Few Thoughts from Deputy Undersecretary for Cybersecurity, Mark Weatherford, Department of Homeland Security
On May 16, Deputy Undersecretary for Cybersecurity, Mark Weatherford, spoke to the Advanced Cyber Security Center about DHS’s cyber security priorities: Information Sharing, R&D, and the Advanced Persistent Threat. On Information Sharing: This is a continuing challenge, in part because of the way the federal government shares information. At present, the federal government provides cyber […]
Data Breaches Keep Privacy and Security Lawyers Increasingly Busy and Looking for Recruits, But Recruits Are Hard to Find
Interesting article from Of Counsel regarding both the substance and the business of data privacy and security law. Lawyers from several firms (including me) talk about current and pending legislation, the mechanisms of compliance and breach response, and the pipeline for new lawyers in the field of data security and privacy. One of the other […]
Data Breaches Continue To Be A Problem For Health Care Providers: South Shore Hospital (Massachusetts) Pays $750,000 To Settle Data Breach Charges
An aptly-timed article from Mass High Tech Business News noted earlier today that: “Data Breaches [Are] a Growing Problem in Health Care.” This article focused on a recent breach at Boston Children’s Hospital involving the records of 2,000 patients. The article was prescient, as this afternoon, the Massachusetts Attorney General announced a $750,000 settlement with suburban Boston’s […]
The Massachusetts Office of Consumer Affairs and Business Regulation has issued its first annual report on data breaches. Since Massachusetts has one of the more strict state laws on data security and breach reporting, this report bears close attention for trends across the nation. Some of the highlights in this summary, which covers 2007-2011: Through […]
In an article that repeats a common theme in this space, this week’s Economist talks about how researchers are trying to help ordinary people toughen up their passwords. But despite the efforts of these researchers, the article’s conclusion is a gloomy one: The upshot is that there is probably no right answer. All security is […]
Ponemon “data breach” cost
$1.5 Million Settlement of First HIPAA Enforcement Action Resulting from HITECH Breach Notification Rule
The trend toward increasingly large health information breach settlements has continued with yesterday’s announcement thatBlue Cross Blue Shield of Tennessee (BCBST) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,500,000 to settle potential violations of HIPAA’s Privacy and Security Rules, HHS’s Office of Civil Rights. BCBST also agreed to a corrective […]
Recent press reports of massive Chinese-sponsored hacking at the one-time telecom giant Nortel might cause you to throw up your hands and say, what chance do I have against such forces? A closer look suggests that there is much that can be done, and should be done, both in IT security and in the sale and acquisition […]
An Atlanta, Georgia man was sentenced earlier this month to one year and one month in prison for intentionally accessing a computer of a competing medical practice, and taking personal information of the patients. The individual made this improper access in order to send marketing materials to patients at the other practice. The individual worked as an information technology […]
My overview of some of the major issues involved in signing a cloud computing agreement can be found in searchcloudcomputing, "Performing Due Diligence Before Signing a Cloud SLA." * * * No one is certain of all the legal risks associated with enterprises storing confidential or proprietary information outside the corporate firewall — in […]
“Once More Unto the Breach, Dear Friends, Once More”: The Increasing Recognition of Complexity in Data Breach Response and Reporting
In an article in today’s New York Times, we get some real-life insight into the difficulties in responding to a data breach. Even simple questions, like whether or not to report the breach and who is responsible for reporting it, take on unforeseen complexity. The particular breach in question happened at the Massachusetts eHealth Collaborative, when an employee’s […]
At most restaurants, when the time comes to pay the check, you hand over your credit card and a waiter you’ve known for only about an hour takes off with your credit card. You trust that the waiter will only charge your meal and won’t make off with your card number. But if you ever have […]
Interesting findings in the Unisys Security Index for the United States regarding what Americans say they would do in the event that they learned of a security breach suffered by an organization with which they were dealing: Change passwords on that organization’s website and other sites (87%) Stop dealing with that organization entirely (76%) Publicly expose the issue (65%) Take […]
There is an interesting article in this week’s Boston Business Journal on venture capital in the data security space: "Securing profits: Venture capitalists betting online security will be big money-maker."
Late last week, the U.S. Court of Appeals for the First Circuit ruled that victims of a data breach could pursue compensation from the merchant whose systems were breached for their costs of credit card replacement and identify theft insurance, under theories of breach of implied contract and negligence. See Anderson v. Hannaford Brothers Co., — F.3d […]
It was revealed recently that Sony’s on-line services were the subject of another significant attack. This incident, however, did not exploit a vulnerability in Sony’s security infrastructure so much as it highlighted the cascading effect of data breaches. Rather than try to scale any fences or jimmy any windows, this attack used account holders’ own keys […]
Please join me and my friends at Co3 Systems for a free webinar,"Data Breaches & Compliance: Understanding The Law and How You Can Prepare" to be held on Thursday, October 20, 2011 1:00 p.m. – 2:00 p.m. EDT. To add this webinar and the call-in information to your Outlook calendar, click here. I will be presenting with Ted […]
As noted in MassHighTech, the Advanced Cyber Security Center was officially launched on September 20. The program was opened by Massachusetts Governor Deval Patrick and featured a presentation from Attorney General Martha Coakley. As described by MassHighTech: Touted as a first of its kind collaborative effort that brings together stakeholders in cyber security from the […]
The latest legislator to enter into the federal data security and privacy sweepstakes is Senator Richard Blumenthal (D-CT) who introduced legislation, S. 1535, on September 8. This bill, if passed, would require companies dealing with consumers to strengthen their data security and privacy policies. In particular, Senator Blumenthal’s bill, ”The Personal Data Protection and Breach Accountability Act,” would required businesses […]
I just completed a webinar for the Association of Corporate Counsel, with Ed Palmieri of Facebook, discussing "What Every In-House Counsel Needs to Know About Data Security and Privacy." The program slides can be found at this link.
A recent Massachusetts case shows that even prisoners have a right to privacy in their medical records. In this case, Alexander v. Clark, Suffolk Superior Court, Civil Action No. 0905456-H 28 Mass. L. Rptr. No. 14, 291 (May 30, 2011), the court sided with the claim of a prisoner that her health information had been wrongfully disclosed. In particular, […]
The Privacy Rights Clearinghouse has created in an interesting tool, a "Chronology of Data Breaches." It doesn’t promise that it is comprehensive; what it does say is that it is a "useful indication of the types of breaches that occur, the categories of entities that experience breaches, and the size of such breaches."
When we last looked at OCR’s reporting on HIPAA breaches impacting 500 or more individuals, back in May 2011, there had been 265. This was up from September 2010, when there had been 191 such breaches. As of today, there as 292 listed. Given that the last reported date of breach on the OCR’s list is May […]
In another sign that OCR is continuing to seek significant penalties for HIPAA violations, it announced on July 7 that the UCLA Health System ("UCLAHS") has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with […]
hackers Anonymous “Lulz Security”
Increasingly, alliances are viewed as an important way to improve data security. The Washington Post reports that the National Security Agency is now working with Internet service providers to thwart cyberattacks against defense firms by foreign adversaries. We have previously noted two other initiatives: the Advanced Cyber Security Center (to which Foley Hoag serves as legal counsel).and […]
We are six months into 2011, and it seems destined to be “The Year of the Breach.” In just the past few months, major American (and multi-national) corporations and institutions have reported that they have been the victims of some kind of security breach: Epsilon: breach of customer email addresses; RSA: compromise of security tokens (possibly impacting […]
Does Briar Group’s Massachusetts Settlement Create a New Legal Standard That Businesses Must Meet to Protect Personal Information?
A recent settlement in a data breach case exemplifies how the government can go beyond a statutory scheme and use private industry standards to protect personal information and impose sanctions on violators. The Massachusetts AG filed suit against the Briar Group, the owner of a number of bars in the Boston area (including two of my […]
On May 5, a consumer class action was filed against Sony, relating to the data breaches in its Sony PlayStation and related services. The complaint alleges negligence, invasion of privacy and misappropriation of confidential financial information, as well as breach of express and implied contract. No specific damages were alleged.
Sony Breach Update: The Scope Expands, While Consumers Wait for Answers About How and Why It Happened
The scope of the Sony data breach is growing, but the public focus continues to be on Sony’s actions following the breach, rather than on steps to prevent or mitigate events like these in the first place. As we noted earlier, this focus emphasizes a de facto burden-shifting, in which consumers bear the risk of using […]
The EU’s Justice Commissioner has chimed in on the Sony data breach, stating that Sony must "take the relevant technical and organizational measures to guarantee protection against data loss or an unjustified access."
Sony’s unenviable status as the victim of the record theft of 77,000,000 individuals’ personal information underscores a reality that the on-line business community would like its army of customers to forget: it’s not just that the so-called “hackers” can be very good at what they do, it’s that the appointed guardians of legally protected personal information […]
When we last looked at OCR’s reporting on HIPAA breaches impacting 500 or more individuals, back in September 2010, there had been 191 such breaches. In the intervening 7 months, that number has jumped to 265 such breaches listed on OCR’s website. It’s safe to expect these figures will continue to climb for the foreseeable future.
In the April 22, 2011 Boston Business Journal article, entitled, "Pressure Point: Online Privacy – Privacy is Potentially a Costly Workplace Issue," I was interviewed regarding some of the recent developments in privacy and security law for employers: “Most of the time, data breaches don’t come down to a failure of technology or inadequate technology. […]
If you are like me, you may have received an email from TripAdvisor, alerting you that "an unauthorized third party had stolen part of TripAdvisor’s member email list." The text of that email was as follows: To our travel community: This past weekend we discovered that an unauthorized third party had stolen part of TripAdvisor’s member […]
On March 14, the California-based managed care organization, Health Net, Inc., announced that it cannot account for "several server drives" that contained protected health information. According to California regulators, these servers appear to contain the data of 1.9 million people nationwide: The company announced today that nine of its server drives containing personal information for 1.9 million current […]
As we noted earlier this month, Massachusetts General Hospital recently entered into a $1 million Resolution Agreement and Corrective Action Plan with the Department of Health and Human Services’ Office of Civil Rights. This settlement stemmed from an incident on March 9, 2009, when a MGH employee was commuting on the subway, "removed documents containing PHI from her bag and placed […]
Compliance Approaches in the Changing HIT Privacy and Security Landscape: How You Can Nurture a Culture of Health Information Security and Privacy
My slides from this presentation, "Compliance Approaches in the Changing HIT Privacy and Security Landscape: How You Can Nurture a Culture of Health Information Security and Privacy" cover HIPAA and HITECH developments and compliance, with a focus on breaches and OCR settlements/penalties, including: §Resolution Agreement with Providence Health & Services–July 16, 2008 Settlement: $100,000 §Resolution Agreement with […]
As we noted back in May, digital copiers have caught the eye of government privacy enforcers. If you have a digital copier at your business, you should review the FTC’s Copier Data Security: A Guide for Businesses. In that Guide, the FTC suggests that ”your information security plans . . . should cover the digital copiers your company […]
You Call That a Password? Passwords Used to Protect Personal Health Information in Clinical Trials Are Cracked More Than 90% of the Time
In a recent article in the Journal of Medical Internet Research, the strength of passwords in clinical trials was analyzed. In all cases that were examined, "the recovered passwords were poorly constructed, with names of local locations (e.g., “ottawa”), names of animals (e.g., “cobra”), car brands (e.g., “nissan”), and common number sequences (e.g., “123”)." This result […]
500 Is a Magic Number: Health Information Breaches Impacting 499 or Fewer Patients Likely Go Uninvestigated By OCR
In the recently-released fiscal 2012 budget for HHS, a dirty little secret has been acknowledged: the Office of Civil Rights does not have the resources to review all reported breaches of health information. In fact, if you have a breach that impacts up to 499 people, you are unlikely to hear from OCR at all: Current […]
As so often happens following a hospital’s involvement in a high profile event, the Tucson hospital treating the victims of the recent shooting is reported to have fired several staff, presumably for looking at patient records they should not have looked at: Katie Riley, the Director of Media Relations in the Office of Public Affairs […]
In January, we provided some helpful hints about passwords, in our entry: Is Your Password Still "123456"? If So, It’s Time for a Change. It’s been nearly a year, so it’s time to change your password again. In case you need some help, we liked the guidance provided by the public radio program, Marketplace, in […]
Following on the heels of the discovery of hospital records in a town garbage dump, today’s Boston Globe reported that "computer files that possibly contained personal information on about 800,000 people connected to South Shore Hospital are ‘unrecoverable.’" However, the investigation into this breach determined that there was a low of harm risk to those individuals whose records were […]
According to a report in the Boston Globe, TJX has settled a lawsuit brought by the Louisiana Municipal Police Employees’ Retirement System, a TJX stockholder, which had alleged that the TJX board of directors failed to protect customers’ personal data, apparently in connection with Alberto Gonzalez breach. Bloomberg News has reported the case was settled for $595,000 in […]
Last week, the Ponemon Institute and PGP Corporation released the results of their Global 2009 Annual Study on Cost of a Data Breach (.pdf) [available directly from EncryptionReports]. The highlights of the survey were announced in PGP’s press release. Ponemon surveyed companies in the U.S., UK, Germany, Australia and France and found that in 2009, […]
One Million Impacted by Blue Cross Blue Shield of Tennessee Data Breach: How Do You Remediate on that Scale?
Blue Cross Blue Shield of Tennessee announced last week that nearly 1 million of its members have been affected by the theft of hard drives containing unencrypted personal data. BCBSTN had previously announced in January that 1.6 million files with unencrypted personal and protected health information of about 500,000 members in 32 states were breached in October 2009, due to a theft of 58 […]
Last week, lawyers from Microsoft issued a demand under the Digital Millennium Copyright Act (DMCA) seeking the removal of leaked copies of Microsoft’s “Global Criminal Compliance Handbook” that pulled website Cryptome.org from the Internet, at least temporarily. The DMCA provides copyright owners with the ability to request that internet service providers remove infringing materials from […]
At the end of February, the HHS Office of Civil Rights (“OCR”) posted on its website a list of HIPAA “covered entities” that have reported breaches of unsecured health information affecting more than 500 individuals. OCR’s posting showed 35 health data breaches that impacted over 700,000 individuals (with individual breaches ranging in size from 359,000 […]
1. The FTC Fines Las Vegas Man $35,000 for Dumping Customer Financial Records In Public Dumpster This week, the FTC finalized a $35,000 settlement with Gregory Navone, the real estate broker who left 40 boxes of customer tax returns, bank statements, consumer reports and other financial records in a public dumpster behind an office building in […]
If you or your co-workers use any of the passwords listed below, you are asking to be hacked. According to a report from the consulting firm Imperva, this list reflects an analysis of some 32 million passwords that an unknown hacker stole in December 2009 from RockYou, a company that makes software for users of social networking […]
In the first instance of a state attorney general exercising the new powers granted by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), Connecticut Attorney General Richard Blumenthal (and recently announced candidate for the U.S. Senate) filed suit today against Health Net of Connecticut, Inc. for failing to secure private patient medical […]
The Department of Health and Human Services’ Office of Civil Rights (“OCR”) has tried to make a HIPAA security breach easy to report, with its newly-released online “Notice to the Secretary of HHS of Breach of Unsecured Protected Health Information.” The online form is straightforward, featuring pull-down options tied to the new HITECH rules: it […]
Last week, it was learned that a secret report of the U.S. House of Representatives Ethics Committee was disclosed — apparently inadvertently — by a junior committee staff member. This staff apparently stored the file on a home computer that also ran a "peer-to-peer" file-sharing service. Just as peer-to-peer services let you share music and […]
Incident of the Week: ChoicePoint Settles FTC Charges That It Failed To Turn On “Key Monitoring Tool”
This week, ChoicePoint, Inc. finalized its settlement with the Federal Trade Commission (FTC) to resolve charges stemming from a 2008 breach that compromised the personal information of 13,750 consumers. This case is notable, even though the size of the breach and the monetary payment involved are relatively modest, because the underlying breach allegedly resulted from the ineffective implementation of security tools.
Incident of the Week: Ever-Growing Breach Involving Passwords for Hotmail, Gmail, Yahoo, AOL, Earthlink and Comcast
Incident of the Week: in our first double feature, we report on the recent breach announced at the University of North Carolina and the plea agreement reached with one Massachusetts inmate who hacked the prison computer system while still behind bars.
As we reported on April 2, a California hospital breached the privacy of the infamous "OctoMom," Nadya Suleman. When the breach was discovered, Kaiser Permanente’s hospital in Bellflower, California fired 15 employees. These violations also were reported by Kaiser to the California Department of Public Health, which has announced a $187,500 administrative penalty against Kaiser. […]
In June, a team of researchers investigating the disposal of electronics in Ghana for PBS series Frontline discovered that computers dumped in Ghana still contained highly sensitive data from their prior owners. The researchers procured seven hard drives from the dump in Ghana and they contained credit card numbers and resumes. The highlight of the […]
In what it describes as an effort "[t]o protect the privacy and security of patients," the American Medical Association (AMA) last week adopted a lengthy report and related principles for physicians to follow in the event a patient’s electronic medical record were to be breached. The new AMA guidelines ask physicians to: ensure patients are properly informed […]
Last month, an unusual ransom demand was made on the Commonwealth of Virginia. See Encryption Used By Hackers to Demand Ransom for Virginia Prescription Database, May 5, 2009. In a posting late last week, the Virgina Department of Health Professions announced that it had sent a letter to affected individuals ("persons whose PMP records contained […]
In this, the third and final part of Security, Privacy and the Law’s interview with M. Eric Johnson (Part 1 may be found here and Part 2 is here), Dr. Johnson talks about why the fragmented nature of the American healthcare system is so dangerous and why he believes greater consolidation would better protect private information. He also […]
In this, the second part of Privacy, Security and the Law’s three part interview with M. Eric Johnson (begun here), Dr. Johnson talks about why he thinks the healthcare sector is uniquely vulnerable to security breaches and what special problems that vulnerability poses.
Security, Privacy, and The Law recently had the chance to sit down with Dr. M. Eric Johnson to talk about his recent paper “Data Hemorrhages in the Health-Care Sector.” Dr. Johnson’s study has been in the news lately because many were startled by his finding that a great deal of patient healthcare information is available on peer-to-peer (P2P) file sharing networks. We are thrilled that Dr. Johnson agreed to do a interview with Security, Privacy, and The Law and we will be posting the full interview with Dr. Johnson in several parts.
The Wall Street Journal reported on Wednesday, March 18, 2009 that, worried about the dangers of attacks launched against the nation’s computer systems, the federal government is likely to spend between $15 and $30 billion on cybersecurity in the next five years. The intelligence experts interviewed by the Journal estimate that U.S. losses from data breaches to […]
The saga of Yankee superstar Alex Rodriguez (“A-Rod”) and the revelation of his past steroid use already exemplifies the far-reaching implications of information security practices. But the story is far from over. While the media firestorm over A-Rod appears to be dying down, the fate of the identities of 103 other Major League Baseball players who tested […]
Data Breach: Not Only Can Happen to You, and Your Competitors (but Now It’s Being Publicly Reported)
As state data breach reporting regimes develop, we are going to be seeing more reporting of breaches to law enforcement authorities. If you want to see what this abstract concept of “reporting” looks like (and how your own reports might be listed for the public to see), go to the web site of the New Hampshire […]
Man Sentenced to 12 Months of Probation and Community Service for Illegal Access to Obama’s Passport Records
Dwayne F. Cross, the second of three people who have plead guilty to illegally accessing then Presidential Candidate Barack Obama’s passport files was sentenced to 12 months probation and 100 hours of community service on Monday. Mr. Cross admitted to accessing State Department passport records involving over 150 individuals, including celebrities, family members, and personal acquaintances, […]
As discussed by Mike Rosen on Foley Hoag’s Noncompete Blog here, and reported by the Washington Post and CNN, a recently released report by Symantec Corp. and the Ponemon Institute (which can be found here) revealed that 59% of ex-employees who leave their employment are stealing company information, and 67% of those who admitted to stealing company […]
Between March 11, 2009 and March 13, 2009, the International Association of Privacy Professionals (IAPP) hosted a Privacy Summit in Washington, D.C. that featured keynote presentations from fraud expert Frank W. Abagnale and information security guru Bruce Schneier. The three-day event included dozens of breakout sessions with industry experts and government officials. Read some of the highlights below.
Has the Consumer Privacy Legislative Forum Decided to Abandon Efforts to Draft Federal Privacy Legislation?
In early February, I noted that a group called the Consumer Privacy Legislative Forum (“CPLF”), which includes companies such as eBay, Microsoft, Google and Hewlett Packard, had released a statement calling for comprehensive harmonized federal privacy legislation and would be outlining recommendations for such legislation this month. Apparently, the CPLF’s focus has shifted. According to a BNA […]
This settlement is particularly interesting, given that it appears to stem from a voluntary disclosure, without any prejudice to any of the physicians whose information was disclosed. Despite those mitigating factors, the disclosure still resulted in a six-figure penalty. As such, this is another suggestion that the days of soft enforcement of health-related information confidentiality are over. The […]
For those who want to see the source document, we have provided this link to the text of the American Recovery and Reinvestment Act of 2009. The health security and privacy provisions start at Section 13000, around page 112.
Adding to the Patchwork: HITECH Act Sets New “Floor” for Data Breach Notification of Certain Patient Information
On Tuesday, February 17, 2009, President Obama signed into law the widely-debated federal economic stimulus package, officially titled the American Recovery and Reinvestment Act of 2009, and with it, enacted the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Much of the media attention on the HITECH Act has focused on the policies […]
ALERT: Massachusetts Gives Businesses Until January 1, 2010 to Adopt Information Security Programs To Comply With Recent Identity Theft Regulations
On Thursday, February 12, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued a public statement indicating that it is extending the May 1, 2009 deadline to comply with recent Massachusetts identity theft regulations until January 1, 2010. The Massachusetts identity theft regulations affect entities that own, license, store or maintain personal […]
It has been a bad week for the federal government’s own information security track record. The first story comes from the FAA where hackers broke into the agency’s computer systems and stole personal information on some 45,000 individuals. The second story comes from Los Alamos National Laboratory, which confirmed the theft of 67 computers, 13 in the […]
According to the Identity Theft Resource Center’s (ITRC) recently released report (.pdf) on data breaches in 2008, one of the top five causes of data breaches are what the ITRC labels “accidental exposure.” [For our earlier coverage on the ITRC’s report see this link.] The ITRC reports that accidental exposure amount to 95 of the 656 […]
According to a recently-released report from McAfee, the downturn in the economy is creating a “perfect information security risk storm.” The report, entitled “Unsecured Economies: Protecting Vital Information,” can be found here [Note: MacAfee requires registration to downloade the report]. McAfee bases its findings on a worldwide survey of 1,000 IT decision makers. The McAfee Report makes […]
Most of us remember fondly the Winnie-the-Pooh stories by A.A. Milne from our childhood. One that is memorable for me is “Piglet Meets a Heffalump.” In that story, Winnie-the-Pooh and Piglet plot to catch the new animal they believe is living in the Hundred Acre Wood. They have named this animal the Heffalump. They set a trap for the […]
Trends in Data Breach Incidents, Part 1: Identity Theft Resource Center (ITRC) Reports Breaches Up 47% in 2008, Hackers Only Responsible for 13.9% of All Incidents
On January 2, 2009, the Identity Theft Resource Center (ITRC) released its report(.pdf) on data breaches in the United States in 2008 (you can read the Washington Post’s primer on the ITRC’s findings here). The raw numbers are headline grabbing — 656 data breaches in 2008, a 47% increase from 2007. The sharp increase in numbers from […]
On January 6, 2009, Senator Dianne Feinstein (D-Cal.) introduced two bills related to data breaches and protection of social security numbers. Bill S. 139, entitled the "Data Breach Notification Act," would require any federal agency or business entity to notify an individual of a security breach involving personal information “without unreasonable delay.” The proposed bill defines “reasonable delay” […]
High-profile Massachusetts businesses and industry groups have sent Massachusetts governor Deval Patrick a letter requesting that the governor reissue existing identity theft regulations and give battered businesses two additional years to develop information security programs.
Anyone mystified by what practices the FTC wants businesses to improve on or abandon in response to federal “Red Flags” regulations received some specific guidance in December, when the FTC released the report Security in Numbers – SSNs and ID Theft. For anyone subject to new federal and state identity theft regulations, the Report helps identify some specific steps they should consider implementing by May 1, 2009, the deadline for businesses to adopt compliant identity theft prevention programs.
ALERT: Massachusetts Gives Businesses Until May 1, 2009 to Adopt Comprehensive Information Security Programs To Comply With Recent State Identity Theft Regulations
On Friday, November 14, 2008, Massachusetts regulators announced that they will give affected businesses until May 1, 2009 to comply with new identity theft regulations. This move parallels the October announcement by the Federal Trade Commission that it is delaying enforcement of federal identity theft regulations until the same day.
ALERT: FTC Gives Businesses Until May 1, 2009 to Adopt Identity Theft Prevention Plans that Comply With Recent FTC “Red Flags” Regulations
On Wednesday, October 22, 2008, the Federal Trade Commission issued an Enforcement Policy Statement that it will delay some elements of enforcement of recent “Red Flags” regulations until May 1, 2009, instead of the original November 1, 2008 date. Citing uncertainty and confusion within many industries over whether they are covered by the new regulations, the FTC indicated that it will not seek to enforce the regulations on November 1, 2008, when all affected businesses were originally required to come into compliance.