In Case You Missed It: U.S. Major party platforms address cybersecurity. The two major parties have released their 2016 election platforms, both of which include cybersecurity planks. The Republican platform’s perspective of cybersecurity is an element of national security and international relations. The platform called for harsh responses to cyber-attacks against American businesses, institutions, and government, applauded the Cybersecurity Information Sharing Act of 2015, and pledged to “explore the possibility of a free market for Cyber-Insurance.” The Democratic platform is largely as a continuation of President Obama’s cybersecurity policies. It promises to “build on the Obama… More
Category Archives: Government Enforcement
The Privacy Shield will now go into effect. The preliminary start date for companies to be certified under the Privacy Shield is August 1, 2016. Expect more challenges to the Privacy Shield before all is said and done.
Following the invalidation of the US-EU Safe Harbor by the European Court of Justice in the Schrems case, the European Commission negotiated with the US a new scheme called the Privacy Shield. The first draft was issued in February and submitted to the Article 29 Working Party, which gave its opinion on April 13, 2016. The EU… More
The recently-released Pokémon Go has quickly emerged as a cultural phenomenon, with legions of players using their phones to “catch” Pokémon that emerge all around them, visible (thankfully) only to players. While catching Pokémon by phone is far less cumbersome than collecting boxes upon boxes of Pokémon cards, as some of us did in the early aughts, it does come with its own set of pitfalls. Specifically, users have learned that Niantic, the… More
In Case You Missed It: The EU/US Privacy Shield is set to go into effect this Tuesday, July 13, pending a decision today by the EU’s College of Commissioners. On Friday, July 8, the Privacy Shield agreement (entered into in February) was adopted by EU member states. EU/US data transfer has been in limbo ever since the erstwhile Safe Harbor was invalided by the European Court of Justice last year. Stay tuned in this space for much more on the ins-and-outs of what the Privacy Shield says, and what it means for business.
News of Note: In further evidence that… More
In Case You Missed It: Ruling in FTC v. Amazon Suggests a Way Forward for Companies Responding to Actions Brought by the FTC after a Data Breach. The FTC’s recent actions in the realm of data security have been predicated on its claim of statutory authority to seek injunctive relief for the failure to maintain reasonable and appropriate data security practices. A U.S. District Court ruling last week casts some doubt on that authority. Although the court concluded against Amazon on the facts at issue (involving in app purchases not data security), it also cast doubt on the FTC’s… More
In Case You Missed It
The FTC settled with mobile advertising company InMobi for $950,000 in civil penalties, along with the implementation of a privacy program, based on the FTC’s charges that InMobi impermissibly tracked the locations of both adult and child consumers for the purpose of geo-targeted advertising. The latter, of course, also implicated allegations of violations of the Children’s Online Privacy Protection Act (COPPA) rule. The FTC alleged in particular that, when installing an application to which InMobi’s advertising was attached, even if a user declined to share location information with the application, InMobi’s software would… More
Last week, the Department of Homeland Security (“DHS”) released its Final Rules for private-sector information-sharing under the Cybersecurity Information Sharing Act of 2015 (“CISA”). CISA permits private companies to share cyber threat information with the U.S. government and shields those companies from liability for doing so. The new CISA Rules outline exactly how this information-sharing will work, namely: how information is submitted; what information gets submitted; and what happens to the information after submission.
HOW IS INFORMATION SUBMITTED?
The preferred method for submitting cyber-threat data to DHS is through “TAXII”, short for “Trusted Automated Exchange of Indicator Information.” TAXII… More
New Data Protection Obligations In Europe: Data Protection Officers and Impact Assessment under the New General Data Protection Regulation (GDPR)
The full text of the General Data Protection Regulation (GDPR) was published on 4 May 2016. Although the GDPR will not be effective until 25 May 2018, it is worth looking into it right now given the major changes it makes to the rules in the 1995 Directive.
Application of the GDPR
The GDPR applies to the processing of personal data by companies having an “establishment” in the European Union, regardless of whether the processing takes place in the EU or not. It also applies to companies not established in the EU, where the processing activities are related… More
In Case You Missed It: Illinois strengthened its data privacy and security law, with the amendments going into effect in January 2017. The amendments include expanding the definition of “personal information” to include a username or email address of an Illinois resident in conjunction with a password or security question answer that would permit access to an online account. The definition is also expanded to include medical and health insurance information. However, if a company already complies with the data security elements of HIPAA and HITECH, then it will be deemed to comply with the Illinois law. Illinois’ amendments… More
The FBI recently released an article discussing the spate of ransomware attacks on a variety of different entities, including hospitals. In the article, the FBI warned that ransomware attacks and the cybercriminals carrying them out are growing increasingly sophisticated. The FBI opposes paying a ransom when hit by a ransomware attack, saying that doing do incentivizes more ransomware attacks, can inadvertently fund other illegal activity, and does not always result in the restoration of access. The FBI recommends that entities focus on prevention efforts like employee training, patching operating systems and software, and restricting access to files, directories, and/or… More
The summer movie season is now officially in full swing, with the release of three informational videos regarding HIPAA and the right of individuals to access their medical records, published by the Office of Civil Rights of the Department of Health and Human Services.
The video trilogy, and accompanying infographic, are the eagerly-awaited sequel to OCR’s guidance “Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.525,” issued earlier this year. That guidance is essential reading for companies operating in the medical records space, as it sets forth OCR’s views on such topics… More
After the European Court of Justice invalidated Safe Harbor on October 6, 2015, the Article 29 Working Party announced in an October 16, 2015 statement that US companies that were Safe Harbor certified had until the end of January 2016 to find alternative means to transfer data to the US and, if they failed to do so, EU Data Protection Authorities would pursue enforcement measures. DPAs in France, Germany, and Ireland have all addressed these issues, but in different ways.
The Head of the European Working Party, Isabelle Falque-Pierrotin, is also the head of the French DPA,… More
In Case You Missed It: The SEC fined Morgan Stanley $1 million for a 2014 data breach. While the FTC had declined to pursue an enforcement action, blaming the breach on technical issues rather than any actions or omissions on the part of Morgan Stanley, the SEC reached a different conclusion. The SEC faulted Morgan Stanley for, among other things, failing to have adequate and up-to-date cybersecurity policies and for failing to correct gaps and flaws in its security systems. This fine is a reminder of two important things: first, that the SEC is going to be an increasingly active player… More
In Case You Missed It: US and EU officials signed on to the so-called “Privacy Umbrella” deal last week. The agreement is designed to protect the personal data of EU citizens when it is transferred to the US for law enforcement purposes — a sort of criminal counterpart to the sturdier-sounding Privacy Shield we discussed here last Thursday. And, like the Shield, the Umbrella has drawn its share of critics, who claim that it “effectively undoes” much of EU’s data protection.
News of Note: Zuckerberg Hacked. Demonstrating that no one is immune from a cybersecurity attack, Facebook founder… More
On 29 February the European Commission released its draft adequacy decision about the proposed Privacy Shield, which is intended to replace the invalidated EU-US Safe Harbor. While Microsoft stated on April 11 that they “pledged to sign up for the Privacy Shield,” the European authorities have so far been much more skeptical.
Hedge Fund Association Symposium in Boston
The Securities and Exchange Commission has reiterated that cybersecurity threats and the adoption of sufficient policies and procedures will remain a compliance and examination priority for 2016. Please join us for a discussion of the primary threats facing managers of private funds, particularly emerging managers, and practical steps that they should be taking to protect their business from cybersecurity threats.
This event is complimentary for HFA members and friends of Foley Hoag. Space is limited.
Unfortunately, health care providers are the perfect mark for theft and extortion because they have huge amounts of sensitive information and maintain such information in computer databases at risk of infiltration. On May 17, Foley Hoag presented a webinar discussing the ongoing crime sprees involving theft of patients’ identities and health information; ransomware involved in these crimes; related data security issues affecting health care providers; and how they implicate law enforcement and the criminal law aspects of HIPAA.
To download a copy of the presentation, click here.
Watch a recording of the webinar:
On May 25, 2016, partners Catherine Muyl, Colin Zick and Daniel Schimmel participated in a panel discussion on how companies can transfer personal data and remain compliant. The event, co-sponsored by The French-American Chamber of Commerce, Foley Hoag LLP and The Consulate General of France in New York, was part of the FACC’s “Tech, Media & Entertainment” task force.
Click here to download a copy of the presentation:
On May 11, 2016, President Obama signed the Defend Trade Secrets Act of 2016 (“DTSA”) into law. Previously, companies could only bring misappropriation of trade secrets claims under state law. (Unless they were able to convince federal prosecutors to bring criminal charges under the Economic Espionage Act, which rarely ever happens.) Now, companies have the option of pursuing a federal cause of action for misappropriation of trade secrets, which brings with it… More
As litigators, we help clients resolve conflicts that have matured into disputes. In the realm of cybersecurity, we defend claims brought by private parties or governmental entities against companies facing the fallout from a data breach.
In advising clients in the context of litigation, we have identified tools that are available to mitigate or prevent the types of breaches that we see in litigation. In the area of cybersecurity, companies have begun to consider the… More
The GDRP sets out uniform new rules in the field of data protection across the EU, rules that will standardize the law in the 28 EU Member States and have an impact on both European and non-European companies. For example:
data controllers (companies collecting and using personal information) will have a wide range of new obligations, including: data breach notification; implementation of the right to be forgotten; appointment of a data protection officer; privacy impact assessment before processing data; and implementation… More
After the invalidation of the Safe Harbor by the European Court of Justice (“ECJ”) last October in the Schrems case, negotiations between the European Commission and US authorities led to a new agreement called the EU-US Privacy Shield. However, the EU’s 1995 Data Protection Directive provides that the Article 29 Working Party (“WP29”) has to issue an opinion on this kind of agreements and it did so on April 13. It concluded that the proposed version of the Privacy Shield does not offer a protection essentially equivalent to that offered under EU law. WP29 noted… More
As a follow-up to our recent discussion of IRS-related phishing attempts, here are a few quick tips to stay out of the phishing traps:
In general, the IRS does not communicate with taxpayers via e-mail, so any time someone receives an e-mail from the “IRS,” they should be suspicious at the outset. Even if the IRS did correspond with taxpayers via e-mail, there are some features of the following example that indicate the IRS… More
The Future of Data Privacy Regulation in Massachusetts? AG’s Office Foreshadows State Action on Consumer Data in First-of-its Kind Conference
On March 24, 2016, the Massachusetts Attorney General’s Office gave us a glimpse. In collaboration with Harvard’s Berkman Center for Internet and Society, and MIT’s Internet Policy Research Initiative and Computer Science and Artificial Intelligence Laboratory, the AG’s Office convened a “Forum on Data Privacy.” In this first-of-its-kind conference, stakeholders from government, academia, business, and consumer groups assembled to discuss the inherent… More
You have seen all the hysterical headlines — “The HIPAA audits are coming, the HIPAA audits are coming….” But when you really think about it, what is the big deal? If you are a HIPAA covered entity, you surely know by now what you are supposed to be doing. And you probably have been doing it– so just check around to make sure before you get the dreaded letter from HHS OCR. And if you are a HIPAA business associate, you are probably a bit behind the covered entities, but again, it’s not a secret what you need… More
Last month we presented a webinar detailing what you need to know about the EU-U.S. Privacy Shield and what your company should do now. Watch the recording here:
To download a copy of the presentation, click here.
Tax season ‘tis the season to be phishing, according to the IRS. The IRS has issued a warning to payroll and human resources professionals about a “surge” in phishing emails seen this year. One of the preferred tactics of identity thieves this year appears to be impersonating CEOs and sending emails to company payroll and human resources departments asking for employee W-2s. The employees think they… More
As part of implementing the EU-US Privacy Shield, on February 24, 2016, President Obama signed the Judicial Redress Act (H.R.1428/S.1600). This law is designed to give EU citizens the right to sue the U.S. government for privacy violations. In particular:
It authorizes the U.S. Department of Justice to designate specific foreign countries or regional economic integration organizations (i.e., the EU) whose natural citizens may bring civil actions under the U.S. Privacy Act of 1974. These suits may be brought against certain U.S. government agencies. The suits are limited to accessing, amending, or redressing unlawful disclosures of records transferred from… More
Reminder: March 1, 2016 Effective Date for Information Systems Security Programs Including Cybersecurity for NFA Members
As noted in our earlier Foley Adviser, March 1, 2016 is the effective date for NFA member firms (including futures commissions merchants, commodity trading advisors, commodity pool operators, introducing brokers, retail foreign exchange dealers, swap dealers, and major swap participants) to adopt and enforce written policies and procedures to secure customer data and access to their electronic systems.
If you have any questions regarding implementation of these policies and procedures, please contact your Foley Hoag attorney.
The COPPA Rule requires website and online service operators to give notice to parents and obtain verifiable parental consent before collecting children’s “personal information” online. 16 CFR §§ 312.4, 312.5. The definition of “personal information” encompasses some obvious pieces of data – name and address, for example – and some less-obvious ones, such as screen names, geolocation data, and “persistent identifiers.” A “persistent identifier” is a piece of information “that can be used to recognize a… More
This article was originally published in Law360 with permission to reprint.
Businesses confronting data breaches can face litigation from private consumers as well as from governmental entities. Managing litigation risk varies in these contexts because of the limitations of bringing private rights of action. One such limitation is the requirement of proving actual harm in private actions…. More
February 3, 2016 Statement of the Article 29 Working Party on the Consequences of the Schrems Judgment
The Working Party will not blindly accept the EU-US Privacy Shield. It welcomes the conclusion of the negotiations, but also is asking to see all documents pertaining to the new EU-US Privacy Shield by the end of February. The Article 29 Working Party will then evaluate whether the arrangement meets what it considers to be the four essential guarantees relating to the processing of data by intelligence agencies:
the processing should… More
EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield
What follows below is the EU’s press release regarding the agreement on a replacement for the EU-US Safe Harbor. We are working to get details and will schedule a webinar on the new framework shortly.
The European Commission and the United States have agreed on a new framework for transatlantic data flows: the EU-US Privacy Shield.
Today, the College of Commissioners approved the political agreement reached and has mandated Vice-President Ansip and Commissioner Jourová to prepare the necessary steps to put in place the new arrangement. This new framework will protect the fundamental rights of Europeans where their… More
On December 18, 2015, President Obama signed the Cybersecurity Act of 2015 (The “Act”), legislation designed to combat online threats to the federal government, state and local governments, and private entities. Within the Act are four titles, the most significant of which is Title I, the Cybersecurity Information Sharing Act (“CISA”) (which begins at p. 694).
CISA addresses the manner in which the federal government and non-federal entities may share information about cyber threats and the defensive measures they may take to combat those threats.
CISA: An Optional Opportunity
CISA does not require non-federal entities (private entities and state,… More
On January 22, 2016, I had the pleasure to present to the Massachusetts Health Information Management Association’s Winter Meeting, to discuss “Compliance Beyond HIPAA.” The presentation slides from the program are available here, and reflect discussion of:
recent HHS OCR guidance on “Individuals’ Right under HIPAA to Access their Health Information 45 CFR §164.524” a new HHS OCR FAQ on EHR incentives and their interaction with HIPAA; amendment of the HIPAA Privacy Rule to address release of mental health information for firearm background checks; charges for copying of records (especially involving attorneys); a new HHS OIG… More
As we have noted previously, in the wake of the ECJ’s decision that undid the US-EU Safe Harbor, we were told that there would be no enforcement of the EU Directive until after January 31, to allow the US and EU to hammer out a new regime. However, Isabelle Falque-Perrotin, the chair of the EU’s Article 29 Working Party, has stated that the next meeting of the Working Party will take place on February 2. There has been no indication of any extension in the EU’s moratorium on enforcement. While we do expect the question of enforcement to be addressed… More
Amendment to the Annual Privacy Notice Delivery Obligations of Financial Institutions under the Gramm-Leach-Bliley Act contained in the FAST Act
On December 4, 2015, President Obama signed the Fixing America’s Surface Transportation Act (the ‘‘FAST Act’’) into law. Although the FAST Act’s main focus is on improving the country’s surface transportation infrastructure, the law also contains a provision that modified the annual privacy notice requirement under the Gramm-Leach-Bliley Act (“GLBA”).
Previously under the GLBA privacy regulations, financial institutions (which includes registered investment advisers, investment companies, broker-dealers and private funds) had to circulate to their customers an annual… More
As the Wall Street Journal noted yesterday, banks are being deluged with phishing attacks. These attacks are especially fierce around the holiday season, when more personnel are absent and normal procedures are ignored or bypassed. The FBI and other law enforcement agencies are focused on these attacks, but it only takes one employee to “believe” a phishing email for the trouble to start.
This is the time of year when we think of giving to others, but those gifts… More
European Union Agrees On a New Data Protection Framework To Replace the 95/46/CE Directive: Meet the “General Data Protection Regulation”
On 15 December 2015, the three main European institutions, the Commission, the Parliament and the Council, agreed on the final text of the General Data Protection Regulation (GDPR) which has been on the table since January 2012. This is a major achievement, given the number of obstacles that still needed to be overcome a few weeks ago in order to meet the end of 2015 deadline for finalizing the GDPR. The GDPR provides a brand new single set of rules for the protection of data within the whole Europe and these rules are very different from those enshrined… More
Today, Wyndham and the FTC settled the enforcement action brought by the FTC that had led to a significant decision by the Third Circuit in August of this year. (Wyndham’s statement on the settlement can be found here; the FTC’s statement can be found here; my earlier analysis of the Third Circuit’s decision can be found here.) While the details of the settlement are interesting in their own right – Wyndham will not be paying anything by way… More
Weltimmo v. Hungarian Data Protection Authority: EU Rules on What It Means To Be “Established” in a Jurisdiction
While the Schrems decision invalidating the US-EU Safe Harbor Program is rightly attracting a great deal of attention (as well as blogging and webinars) – and leaving many wondering what to do in the absence of the US-EU Safe Harbor System – companies doing business in the EU need also to consider the impact of another recent decision, reached just days before Schrems. In Case c-230/14, Weltimmo s. r. o. v. Nemzeti Adatvédelmi és Információszabadság Hatóság (Weltimmo v. Hungarian… More
Today, the Article 29 Working Party (the advisory body on data protection and privacy composed of representatives from the national data protection authorities of all EU Member States) was to meet in Brussels to discuss, amongst other things, the consequences of the European Court of Justice ruling of 6 October 2015 in the Maximilian Schrems case, with EU-US data flow at the top of its agenda.
However, this meeting could not take place because of the current lockdown in the European capital. This delay is quite unfortunate in view of the statement which was previously released by the Working… More
On November 19, Foley Hoag and UK Trade & Investment presented a webinar discussing the latest developments following ECJ’s decision to invalidate the US-EU Safe Harbor system. Watch the recording here:
Click here to download the slides.
Hosted by Foley Hoag LLP and UK Trade & Investment, The British Consulate General in Boston
On October 6, 2015, the European Court of Justice issued a landmark decision invalidating the US-EU Safe Harbor system. In practice, this means that US organizations can no longer rely on the Safe Harbor system to permit the transfer of personal data from the European Union to the US consistent with Directive 95/46/EC. EU authorities have given the US and EU until the end of January 2016 to find a replacement… More
Cybersecurity and Risk Management: “Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers”
A timely new resource for business executives, technology professionals, and lawyers alike is the newly-published Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers from the New York Stock Exchange and Palo Alto Networks. At 355 pages, the guide provides information from dozens of contributors from around the country and from various backgrounds. The guide explores 46 separate topics, focusing on such issues as prevention, developing action plans, legal and regulatory challenges, the internet of things, and building readiness… More
The Cybersecurity and Information Sharing Act (S.754), or CISA, cleared an important hurdle on Thursday when the Senate voted 83-14 to end debate on several amendments to the bill. CISA creates a cyberthreat information sharing system to, in the words of the bill, “improve cybersecurity in the United States.” Specifically, as currently drafted, the bill requires various government actors and agencies (such as the Attorney General and the Department of Homeland Security) to create specific policies and regulations relating to the sharing… More
The FTC’s Broad Authority and FTC v. Wyndham: Thinking about the Future of Data Privacy Regulations
What makes data privacy law interesting for academics, challenging for lawyers, and frustrating for businesses is its shape-shifting structure in the face of rapidly changing technology. The recent change in the invalidation of US-EU “safe harbor” system is a useful reminder of the differences between the way the European Union and the U.S. handle questions of data privacy: whereas, generally speaking, in the EU data privacy standards are relatively uniform, in the U.S. there are as many different sets of regulations as there… More
The European Court of Justice has just issued a decision (ECJ 6 October 2015 Case C-362/14, Maximillian Schrems v. Data Protection Commissioner) that invalidates the so-called US-EU “Safe Harbor” system. Suddenly, what 3,500 U.S. Companies (including some of the largest companies in the world) have been doing with personal data now potentially becomes illegal.
What is the background to this decision?
By now, you have no doubt heard that the European Union’s highest court today invalidated the U.S.-EU Safe Harbor Program. The European Court of Justice overturned the European Commission’s 15 year old decision finding that the privacy principles of the U.S.-EU Safe Harbor provide an adequate level of protection of the data of EU citizens. Among other things, the court cited concerns that the data may be subject to U.S. government surveillance.
This ruling is very unsettling, as our initial reading is that this decision gives the EU member nations the power to act against companies even if they… More
This month’s edition of the Advanced Cyber Security Center’s newletter includes my discussion of lessons to be learned from the Wyndham decision:
Historically, security was an issue reserved in a back room for the IT department, if there were even a budget and ample resources. To the public, cybersecurity meant identity theft and proceeded with business as usual with the comfort of an anti-virus protection that may have come with their computer.
On the other hand, large enterprises, especially those that… More
On June 12, 2015 the French Data Protection Authority (Commission Nationale de l’Informatique et des Libertés – CNIL) issued a notice ordering Google to draw all the consequences of the CJEU May 13, 2014 ruling and to apply delisting not only to the national domain of the individual who requests delisting but on all of the search engine’s domains, including google.com (see our article The Right to be Forgotten: Another Scuffle between Google and The French Data Protection Authority | Security, Privacy… More
By Martha Coakley and Jon Hurst
This entry originally ran as an op-ed in the September 25, 2015 edition of The Boston Globe.
Hardly a week goes by without a news report of a new cyberattack. As any consumer affected by fraud knows, the harm is real. The impact on businesses, government, and other targets is also real, and includes monetary harm and reputational damage that can devastate those so reliant on the trust of their customers.
Retailers recognize that… More
The SEC Charges Investment Adviser with Violating Regulation S-P by Failing to Adopt Cybersecurity Policies and Procedures
In recent years, the SEC has been focused on cybersecurity. It has issued risk alerts, conducted examinations and provided guidance about what the agency sees as widespread weaknesses in many policies and procedures to protect against cyberthreats. The SEC has now taken the next step: a few days ago, the SEC brought its first-ever enforcement action for a violation of Regulation S-P, 17 C.F.R. § 248.30(a) – known as the “Safeguards Rule” – against an investment adviser that was itself the victim of a security breach in which hackers stole customer information. See In re Matter of R.T. Jones Capital… More
SEC Issues Risk Alert Announcing Second Round of Examinations of Registered Investment Advisers and Broker-Dealers
* * *
On September 15, 2015, the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) issued a Risk Alert announcing a second round of examinations of registered investment advisers and broker-dealers under its cybersecurity examination initiative. The Risk Alert’s purpose is to provide additional information on the areas of focus for the OCIE’s examinations, which will involve more testing to assess implementation… More
Delaware Attorney General Matt Denn is serious about online privacy, and aims to make Delaware “the safest state in America for kids to use the internet.” This August, Delaware Governor Jack Markell signed into law four online privacy bills drafted by the Attorney General, the most substantial of which is the Delaware Online Privacy and Protection Act.
The FTC’s COPPA (the Children’s Online Privacy Protection Act) Rule requires website operators to obtain “verifiable parental consent” prior to collecting, using, or disclosing personal information from children. Though the COPPA Rule enumerates several methods for obtaining consent, the FTC, sensitive to how fluid technological developments in this space can be, also allows pre-approval of new methods not listed in the Rule. 16 CFR 312.12(a). (As I previously blogged, the Rule also allows for… More
On 13 May 2014 the Court of Justice of the European Union (CJEU) issued a judgment which Google called a “landmark ruling” (Google v. Costeja Gonzalez case, C-131/12). The court held, based on the 95/46 Directive on protection of personal data that “the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and… More
A key distinguishing feature of U.S. data privacy laws is their patchwork nature. There are industry-specific data privacy laws at the federal level (think HIPAA or the GLBA), yet there are no comprehensive federal standards that governs an entity’s obligations in the event of a data breach like the EU’s Data Privacy Directive. For data breach response, in addition to the possible application of an industry-specific law or regulation, companies doing business in the U.S. must look to… More
Last week, the Cybersecurity Unit of the Department of Justice (DOJ) issued a list of “best practices” for companies concerning preparing for and responding to cyber-attacks. The report details the lessons federal prosecutors have learned while handling cyber investigations, as well as feedback from private sector companies. Some of the key pieces of advice are:
Identify Your “Crown Jewels”: Before creating a cyber-incident response plan, companies should first identify which data, services, and infrastructure warrants the most protection. Loss of some data or services might only result in a minor disruption, which loss of others could be devastating. A… More
As part of a series of measures aimed at increasing preparedness and defenses against international cyberattacks on U.S. industries and government agencies, on April 1, President Obama issued Executive Order No. 13694, authorizing the Treasury Department’s Office of Foreign Assets Control (OFAC) to sanction foreign individuals or entities committing such attacks. The new sanctions will allow the Treasury Department to block or freeze the assets of those outside the U.S. engaging in malicious cyber activities that threaten the national security, foreign policy and financial stability of the U.S. Once OFAC designates… More
Smart grids – electrical grids that allow two-way communication between utilities and consumers – represent an exciting frontier in the Internet of Things, with ramifications for energy efficiency, weather resiliency and climate change, among others. As the Department of Energy writes, “[t]he Smart Grid represents an unprecedented opportunity to move the energy industry into a new era of reliability, availability, and efficiency that will contribute to our economic and environmental health.”
But like many aspects of the Internet of Things, smart grids also present privacy concerns. Few people fret about the privacy of their monthly electric bill, but smart meters… More
Update on President Obama’s “Summit on Cybersecurity and Consumer Protection,” Part III: Five Key Lessons for Business
Concluding our three-part analysis of the White House’s first Summit on Cybersecurity and Consumer Protection, we turn to some practical advice coming out of the Summit’s afternoon session, including an address by Maria Contreras-Sweet, the administrator of the Small Business Administration (“SBA”), and a panel discussion among financial sector leaders moderated by Deputy Treasury Secretary Sarah Bloom Raskin.
Here are five takeaways for companies large and small:
Companies are only as secure as their most vulnerable employee. In the course of the panel discussion, Mike George, CEO of QVC, elaborated on how training and constant vigilance were at the… More
Update on President Obama’s “Summit on Cybersecurity and Consumer Protection,” Part II: The Executive Order
As a follow up to our summary of the key takeaways from the White House’s first Summit on Cybersecurity and Consumer Protection, the centerpiece of which was President Obama’s signing of a new Executive Order, “Promoting Private Sector Cybersecurity Information Sharing,” what follows is an analysis of that Order.
What does the Order actually do?
The Order “promotes…encourages…and…allows” but does not require anything. Specifically, it creates a voluntary framework for the formation of Information Sharing and Analysis Organizations (“ISAOs”). Per the Order, the Department of Homeland Security (“DHS”) will “engage in continuous, collaborative, and inclusive coordination” with ISAOS to… More
The first ever Summit on Cybersecurity and Consumer Protection was convened today at Stanford University, keynoted by President Obama. The purpose of the summit: to “bring together major stakeholders on consumer financial protection issues to discuss how all members of our financial system can work together to further protect American consumers and their financial data.” These stakeholders, a number of public and private sector leaders, preceded the President with several speeches and panels. Here are some key takeaways from these earlier speakers, as well as a brief look at President Obama’s remarks:
Collaboration is front and center. As… More
Medical Billing Provider and its Former CEO Settle FTC Charges That They Misled Consumers About Collection of Personal Health Data
In an age when many of us briskly scroll through website terms and conditions and check, “I agree” without thinking, how should businesses design their websites to obtain proper authorization to access users’ sensitive information? The announcement of the settlement of a pair of recent FTC complaints against PaymentsMD, a medical billing services provider and its former CEO, and the resulting settlement, provide some important guidance, at least with regard to health information practices. In that settlement, the Atlanta-based health billing company and its former CEO settled charges that they misled thousands of consumers who signed up for… More
Our friends at Co3Systems and IOD recently produced a webinar, “Ready or Not, Here They Come: Preparing For Phase 2 HIPAA Compliance Audits” that provides a succinct overview of what is coming down the pike for HIPAA covered entities.
In a first for the FCC, it announced on October 24 that it intends to fine two telecom companies $10 million for data security violations:
The FCC intends to fine TerraCom, Inc. and YourTel America, Inc. $10 million for several violations of laws protecting the privacy of phone customers’ personal information. According to an investigation by the Enforcement Bureau, TerraCom and YourTel apparently stored Social Security numbers, names, addresses, driver’s licenses, and other sensitive information belonging to their customers on unprotected Internet servers that anyone in the world could access. The information was gathered to demonstrate eligibility for the Lifeline program, which is… More
Yelp’s $450,000 settlement with the FTC in September should serve as an important reminder for all owners and operators of websites or mobile apps – even if your site is not for kids, you need to know and abidge by what the Children’s Online Privacy Protection Act (COPPA), and the related COPPA Rule, requires.
Yelp allows registered users to write reviews of local businesses. A user can access Yelp through desktop and mobile websites, as well as apps on both iOS and Android. Once registered, a user can upload a profile picture and post photos to go along with reviews… More
It’s been a while, but we have another HIPAA deadline just around the corner: September 23, 2014.
September 23, 2014 is the date by which all HIPAA business associate agreements need to be in compliance with the current HIPAA regulations (often called the Omnibus Rule). The current rules went into effect on March 26, 2013, but certain then-existing HIPAA BAAs were grandfathered and did not have to be updated immediately. The grandfathering ends and up-to-date BAAs must be in place starting September 23, 2014.
Specifically, compliance was required 180 days following the HIPAA Omnibus Rule’s effective date (3/26/13); that initial deadline was… More
Last week, the FTC announced approval of a new Safe Harbor Program under the Children’s Online Privacy Protection Act (COPPA), called iKeepSafe. The program was created by the Internet Keep Safe Coalition, a nonprofit organization that describes its goal as the “creation of positive resources for parents, educators and policymakers who teach youths how to use new media devices and platforms in safe and healthy ways.”
The COPPA Rule affords some flexibility in compliance through use of a safe harbor provision, 16 C.F.R. § 312.10. The provision allows that operators – that is, persons who operate… More
The FTC’s July 10, 2014 complaint filed against Amazon has left app developers with concerns about how to make apps that target kids and still comply with the law. The complaint, brought under Section 5(a) of the FTC Act, alleged that Amazon failed to obtain parents’ or account holders’ informed consent to in-app charges incurred by children. While the complaint was not brought under the Children’s Online Privacy Protection Act (COPPA), the increased scrutiny on child-targeted apps should have all app developers making sure they understand what COPPA requires when it comes to getting parental consent.
Generally, COPPA… More
In a unanimous decision issued today, the Supreme Court ruled that police cannot search the cell phones of arrested individuals without a warrant. In reaching its decision, the Court recognized that there is an immense amount of personal information on smart phones and held that access to that information would constitute a significant invasion of individual privacy. With the relatively recent invention of cell phones and the sudden pervasiveness of smart phones in the United States, the Court was forced to grapple with the application of century old legal principles to the practical realties of modern day technology. As… More
The Revised COPPA Rule and “Personal Information” – One Example that Balances Anonymity and Interactivity
The revised Children’s Online Privacy Protection Act (“COPPA”) Rules, as discussed here previously were meant to bring regulations in line with, in the FTC’s words, the “rapid-fire pace of technological changes to the online environment” that have taken place since COPPA was passed in 2000. This week’s Boston Globe article about the new public television production, WGBH’s “Plum Landing,” provides an interesting illustration of the impact of the revised COPPA Rule.
Plum Landing is not a television show, but rather a series of videos, online games and activities spanning a variety of platforms (e.g., computers, tablets, and… More
State Securities Regulators in Massachusetts and Illinois Survey Investment Advisors on Cybersecurity Practices
Picking up on the SEC’s initiative to assess cybersecurity preparedness discussed here previously, state securities regulators in Massachusetts and Illinois sent to investment advisors registered in their respective states a survey on their cybersecurity practices.
The Massachusetts surveys were sent on June 3 and a response is due on June 24. William F. Galvin, Secretary of the Commonwealth, whose jurisdiction includes the Massachusetts Securities Division, was quoted saying: “With the almost universal reliance on computer trading and communication, it is essential that investors can be confident that their financial data is secure from unauthorized intrusion from whatever source…. More
Today’s decision by the European Court of Justice (ECJ) that individuals enjoy the right to have truthful yet unflattering information about them “forgotten” from online search results is generating a great deal of controversy in Europe and beyond. In a case brought by Spanish national Mario Costeja Gonzalez against Google demanding that the search giant remove results referring to a years-old newspaper notice of a tax auction of… More
In a 110 page report issued yesterday, the Federal Trade Commission suggested that data brokers operate without transparency and asked Congress to consider enacting legislation to make data broker practices more visible to consumers and to give consumers greater control over personal information that is collected and shared by data brokers.
The report, “Data Brokers: A Call for Transparency and Accountability” is the result of a study of nine data brokers undertaken by the FTC to shed light on the data broker industry. The report found that data brokers collect and store billions of data elements covering nearly every… More
Data breach law in the United States might have just become a lot less patchy, but a little more uncertain. On April 7, 2014, the District Court of New Jersey decided FTC v. Wyndham Worldwide Corp., et al., No. 13-1887-ES. This case arises out of a FTC action, brought under the deception and unfairness prongs of Section 5(a) of the FTCA (15 USC s. 54(a)), against Wyndham Worldwide relating to a series of data breaches between April 2008 and January 2010. The question before the court, on a 12(b)(6) motion to dismiss brought by Wyndham,… More
On February 20, the U.S. Department of Health and Human Services Office of Civil Rights (HHS OCR) released new guidance explaining how the HIPAA Privacy Rule operates to protect individuals’ privacy rights with respect to their mental health information and in what circumstances the Privacy Rule permits health care providers to communicate with patients’ family members and others to enhance treatment and assure safety.
The guidance is essentially a set of answers to frequently asked questions. Set out below is a highly truncated version of those FAQs (please view the entire Q&A for the full position and explanation of… More
In a previous post, I wrote about privacy concerns surrounding data storage nonprofit inBloom and its partnership with the New York State Education Department (“NYSED”). On February 5, 2014, New York State Supreme Court Justice Thomas A. Breslin dismissed the lawsuit filed by parents seeking to block NYSED from sharing and storing student data with inBloom. In his order, Justice Breslin ruled that the agreement between NYSED and inBloom did not violate New York state privacy law. Noting that the new storage system “can support more security features” than current systems used by New York… More
Privacy concerns have threatened the plans of the New York State Department of Education to use third party contractor, inBloom, to store and integrate student data in a cloud-based system. On January 10, the Department announced that it would delay release of additional student data to inBloom. The delay, which the Department said is normal for a project of its size, comes after a class of parents filed suit in November and New York legislators proposed a bill requiring parental consent before sharing such data.
Have you wanted to read up on the many cyber security issues that have arisen over the past year but which you did not have time to follow in detail? We have just the thing — four reports from the Congressional Research Service, the low-key public policy research branch of the U.S. Congress (so low-key that they do not have a web site).
Four recent CRS reports on timely cyber topics are:
Now that the initial media blitz about the massive Target breach has passed, it is time to look ahead at the implications:
Legislation: In the past, we have seen major breaches drive legislative change. But now that most states have data security statutes, it seems unlikely that much will happen at the state level. And action at the federal level has been long promised, but remains a distant vision. Law enforcement: While the actual hackers may remain elusive, Target is an easy target. Expect significant investigations, record-setting financial penalties and a burdensome compliance agreement for Target. And, of course,… More
In a 68 page order issued earlier today, a federal district court judge ruled in favor of five plaintiffs challenging the NSA’s collection of phone record information, finding that the plaintiffs:
“have standing to challenge the constitutionality of the Government’s bulk collection and querying of phone records metadata”; “have demonstrated a substantial likelihood of success on the merits of their Fourth Amendment claim”; and “will suffer irreparable harm absent preliminary injunctive relief.”
This is by no means the last stop for this litigation; rather, it is just the end of the beginning. While granting the requested injunction against the NSA… More
The United States District Court for the Northern District of California recently refused to dismiss a Computer Fraud and Abuse Act (CFAA) claim with an unusual twist: the defendant allegedly circumvented an IP address block after receiving a cease-and-desist letter from the plaintiff and therefore is alleged to have acted “without authorization” in violation of the CFAA.
The dispute began with Craigslist Inc. sending a letter to 3Taps, Inc. because 3Taps was “scraping” content posted to the Craigslist website in real time and then using that information to create its own website and interface with… More
HHS OCR Issues HIPAA Guidance on Refill Reminders, Decedent Information, Disclosure of Proof of Student Immunications and Delays CLIA Lab Enforcement
Late last night, HHS OCR issued its anticipated guidance on “The HIPAA Privacy Rule and Refill Reminders and Other Communications about a Drug or Biologic Currently Being Prescribed for the Individual.” A new “Fact Sheet” and corresponding “Frequently Asked Questions” attempt to explain how the refill reminder exception to the marketing rule works, and seek to address both the scope of communications that fall within the exception, as well as the types of third party payments that are considered “reasonable” under the statute and regulations for making such communications. In addition, the Secretary has decided not to enforce the… More
You may have seen the recent lawsuit alleging that HIPAA’s marketing regulations are unconstitutional. In that case, the plaintiff is a company that “provides a refill reminder service and other adherence messaging services,” Adheris, Inc.
Adheris sued the Department of Health and Human Services because HIPAA’s regulations threaten to put it out of business. In particular, HIPAA now requires patient authorizations for its kind of patient reminders. As described by Adheris:
39. In the final regulations, HHS excepted from the definition of “marketing” those communications made “[t]o provide refill reminders or otherwise communicate about a… More
An interesting article by Jeffrey Spear that appeared in the New Hampshire Bar News in July shows that the federal district court in New Hampshire is struggling with the same question as the district court in Massachusetts: What is the proper interpretation of the Computer Fraud and Abuse Act (“CFAA”)? The CFAA, as I have mentioned many times on this blog, is a federal statute that has been interpreted… More
In order to “keep up with technology,” the FTC revised the Children’s Online Privacy Protection Rule (COPPA) in 2012. As a result of those revisions, some companies that may not have been covered by COPPA may now be covered, and the effective date of those changes is today, given the July 1st effective date of the revised COPPA Rule. To streamline your response to these issues, the FTC has developed a six-step COPPA compliance guide:
The Federal Trade Commission has issued revised guidance designed to help businesses comply with the requirements of the Red Flags Rule, which protects consumers by requiring businesses to watch for and respond to warning signs or “red flags” of identity theft.
The guidance outlines which businesses – financial institutions and some creditors – are covered by the Rule and what is required of businesses to protect consumers from identity theft. The Red Flags Rule was revised in late 2012 to more narrowly define the types of creditors subject to the rule’s requirements.
Recent Massachusetts Supreme Judicial Court Case Starts a Wave of Lawsuits Against Retailers for Collecting Customer ZIP Codes
In a recent decision, the Massachusetts Supreme Judicial Court (SJC) determined that customer ZIP Codes are “personal identification information” that retailers are prohibited from collecting during credit card transactions. With this decision, the Massachusetts high court may have set off a wave of new class-action lawsuits against retailers that collected customer ZIP Codes. Especially vulnerable are those retailers that collected customer ZIP Codes and used them to send unwanted marketing materials or sold the ZIP Codes or information derived from them to third parties. But any retailer that has collected ZIP Codes should be on… More
The Split in the Circuit Courts Over the Proper Interpretation of the Computer Fraud and Abuse Act Actually Goes Three Ways
Posted on March 15th, 2013 by Brian P. Bialas on our sister blog, Massachusetts Noncompete Law. I’ve written many times about the significant split in circuit courts’ interpretation of the Computer Fraud and Abuse Act (CFAA), which affects whether an employer can sue an employee for violating computer use restrictions, usually embodied in a confidentiality agreement or company IT policy, when an employee downloads confidential information he is permitted to access but then takes that information to a competitor. The… More
Feb 18, 2013 U.S. Supreme Court takes pass on CFAA lawsuit; uncertainty remains In 1st Circuit, ‘ball in employer’s court’
By Correy E. Stephenson
The U.S. Supreme Court’s denial of certiorari in a Computer Fraud and Abuse Act case leaves employment lawyers in the 1st Circuit and beyond with continuing uncertainty.Employers frequently add a CFAA claim to suits against former employees that take confidential information from company computer systems.
But federal courts across the country have split on just how broadly the act should be interpreted.
The CFAA provides for criminal… More
PCI-DSS Update: The Payment Card Industry Security Standards Council Issues Guidelines for Security Risk Assessments, Cloud Computing, and Accepting Payments on Mobile Devices
Merchants who accept credit cards have a duty to protect customer information, not only by law (see, e.g., 201 CMR 17.00), but also because the credit card companies tell them so. The Payment Card Industry Security Standards Council was created by Visa, MasterCard and American Express to tell merchants precisely what they are supposed to do to protect consumers. Merchants must follow the Payment Card Industry Data Security Standard (PCI DSS) or risk fines or losing the ability to process credit cards. This past November, and then again in February, the Council issued guidelines to help merchants (and some… More
In a recent article, the Washington Post reported that “The Pentagon has approved a major expansion of its cybersecurity force over the next several years, increasing its size more than fivefold to bolster the nation’s ability to defend critical computer systems and conduct offensive computer operations against foreign adversaries.”
The Pentagon’s plan would create three types of forces under the Cyber Command:
“national mission forces” to protect computer systems that undergird electrical grids, power plants and other infrastructure deemed critical to national and economic security; “combat mission forces” to help commanders abroad plan and execute attacks or other… More
The revised HIPAA regulations were formally published today in the Federal Register. In this form, they only take up 138 pages!
Law360 has a brief piece on the revised HIPAA rules, with the perspectives of various attorneys (including me) on the changes. While I’m not sure I agree with the quote that “This is a paradigm shift in the privacy world,” I do agree that this is “definitely something for all businesses to pay attention to.” Similarly, I agreed that “now that the starting gun has sounded, it’s a race to get ready by the Sept. 23 compliance… More
On January 18, 2013, nearly four years after the passage of the HITECH Act and its amendments to HIPAA, and nearly three years after it proposed regulatory amendments, the U.S. Department of Health and Human Services (“HHS”) has finally issued major “omnibus” revisions to HIPAA’s privacy and security regulations.
In the 563 pages of the regulations and related regulatory comments, there are many substantive and technical changes. However, we distilled two major themes in these revisions:
Extension of HIPAA generally, and in particular the direct extension of HIPAA to business associates and their subcontractors, so that now… More
Nearly four years after the passage of the HITECH Act and its amendments to HIPAA, and nearly three years after it proposed regulatory amendments, the U.S. Department of Health and Human Services (“HHS”) has finally issued major revisions to HIPAA’s privacy and security regulations.
While we are still making our way through all 563 pages of the regulations and related regulatory comments (and will have a more detailed analysis shortly in this space), here are some of the highlights we (and the HHS press release) have noted so far:
Many of HIPAA’s privacy and security requirements will now directly apply to business associates; Business associates may also be liable… More
Massachusetts Attorney General Secures $140,000 Settlement of Claims that Patient Information Was Left in a Town Dump
The Massachusetts Attorney General announced today that the former owners of a medical billing practice and four pathology groups have agreed to collectively pay $140,000 to settle allegations that medical records and patient billing information for “tens of thousands of Massachusetts patients were improperly disposed of at a public dump.” Under the settlements, the defendants have agreed to pay a total of $140,000 for civil penalties, attorney fees, and a data protection fund to support efforts to improve the security and privacy of sensitive health and financial information in Massachusetts.
The Attorney General alleged that Joseph and Louise Gagnon, d/b/a Goldthwait Associates, violated Massachusetts data security… More
The Department of Health and Human Services’ Office for Civil Rights (“HHS OCR“) announced today that it was, for the first time, entering into a monetary HIPAA settlement for a breach involving less than 500 patients: the Hospice of North Idaho (HONI) has agreed to pay HHS OCR $50,000 to settle potential HIPAA security rule violations.
HHS OCR began its investigation after HONI reported to it that an unencrypted laptop computer containing the electronic protected health information (“ePHI”) of 441 patients had been stolen in June 2010. Laptops containing ePHI are regularly used by the organization as part of their field work. Over the course of… More
The National Labor Relations Board (NLRB) recently issued a significant decision – solidifying the position it has staked out over the past 18 months – that an employee’s posts on social media may be entitled to protection under the National Labor Relations Act (NLRA), regardless of whether the employee is part of a unionized workforce.
As originally drafted, “creditors” would have included anyone “who regularly extends, renews, or continues credit” or “who regularly arranges for the extension, renewal, or continuation of credit,” 15 U.S.C. § 1691a(e); see 15 U.S.C. § 1681a(r)(5). The new Act narrows this definition by excluding anyone who advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person. Examples… More
Today’s Law360 addresses “HHS Data-Scrubbing Guidance” with quotes from me and others on the subject:
Clarifying the types of data that need to be removed from data sets can also help companies maximize the value of the information that they hold as the value of and ability to use this data for research and public health purposes increases, Foley Hoag LLP security and privacy practice co-chair Colin Zick added.
“The guidance answers discrete questions that people have come across in operational circumstances, like can you list parts of a ZIP code,” he said. “The answers to… More
On November 26, HHS OCR released guidance regarding methods for de-identification of protected health information in accordance with the HIPAA Privacy Rule. This guidance fulfills the American Recovery and Reinvestment Act of 2009 (ARRA) mandate that HHS issue such guidance.
Following the passage of ARRA, OCR collected research and views regarding de-identification approaches, best practices for implementation and management of the current de-identification standard and potential changes to address policy concerns. The guidance synthesizes these diverse perspectives. It provides particularly helpful insight into the use of experts to confirm de-identification:
Gant Redmon of Co3 Systems has an interesting take on the differences in U.S. and EU privacy regimes in a Security Week column entitled, “Privacy: Why Europeans Think You’re Inadequate.” In his column, he addresses three key issues: “First, what does privacy mean to folks in the US versus the EU? Second, how has history played a role in defining privacy in the US and EU? And third, what financial incentives does the EU have in declaring the US inadequate?”
It was a pleasure to be on a panel with members of the Massachusetts Office of the Attorney General last week at the Massachusetts Medical Society to talk about how physicians can protect health information in our presentation entitled: “Protecting Health Information: Health Data Security Training.” We covered the latest in federal law (HIPAA, HITECH) and Massachusetts law.
In a case that has received wide attention, the Massachusetts Supreme Judicial Court has issued a decision barring ethics investigators from asking a Massachusetts judge how he reached individual decisions during his 21 years on the bench. This is one of the few published decision to recognize a deliberative privilege for the judiciary, with the court concluding that: “the best approach is to consider this privilege narrowly tailored but absolute.”
The court sided with other jurisdictions that have ruled similarly:
Consequently, we join other courts, State and Federal, that, when faced with attempts by third parties… More
New Hampshire Federal Court Interprets the Computer Fraud and Abuse Act More Narrowly Than Massachusetts Federal Court and Dismisses Claims Based on Violations of Computer Use Restrictions
As posted earlier today by Brian P. Bialas on the Massachusetts Non-Compete blog, a recent case from the U.S. District Court for the District of New Hampshire highlights the split between the District of New Hampshire and the District of Massachusetts over the proper interpretation of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, in particular the phrase “exceeds authorized access.”
Under various provisions of the CFAA, an individual can be liable if certain conditions are met for exceeding his or her authorized access to information in a computer. The District… More
As you may recall, the Health Information Technology for Clinical and Economic Health (HITECH) Act gives state Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules. Some states, like Massachusetts, have already started to use this authority to bring and settle cases.
To advance state enforcement, HHS OCR has developed HIPAA Enforcement Training modules, designed to help State Attorneys General and their staff understand and use their new authority to enforce the HIPAA Privacy and Security Rules.
The very same training materials being used by your state AG… More
You may have missed it, because it came without fanfare and does not seem to have made the data security trade press, but in early May, the State of Vermont updated its data security law. In particular, these revisions to 9 V.S.A. chapter 62 do the following:
change the information protected to “personally identifiable information” (it was formerly “personal information”); exclude from the definition of “security breach” mere “unauthorized access” and “good faith but unauthorized acquisition” of PII; require notice of breaches now be made “45 days after the discovery or notification”; and require entities suffering a breach to “provide notice… More
A Few Thoughts from Deputy Undersecretary for Cybersecurity, Mark Weatherford, Department of Homeland Security
On May 16, Deputy Undersecretary for Cybersecurity, Mark Weatherford, spoke to the Advanced Cyber Security Center about DHS’s cyber security priorities: Information Sharing, R&D, and the Advanced Persistent Threat.
On Information Sharing: This is a continuing challenge, in part because of the way the federal government shares information. At present, the federal government provides cyber threat information to private sector organizations, but prohibits discussion between those very organizations. His Office at DHS is working to address this unintended siloing of information, so as to allow for greater cooperation and collaboration.
On Research and Development: He views cyber security… More
Data Breaches Keep Privacy and Security Lawyers Increasingly Busy and Looking for Recruits, But Recruits Are Hard to Find
Interesting article from Of Counsel regarding both the substance and the business of data privacy and security law. Lawyers from several firms (including me) talk about current and pending legislation, the mechanisms of compliance and breach response, and the pipeline for new lawyers in the field of data security and privacy.
One of the other attorneys discussed the shortage of trained attorneys in this area as follows:
You’d think, "Well heck, privacy has been around forever." But this is different. At law schools they need to find someone to teach this,… More
Data Breaches Continue To Be A Problem For Health Care Providers: South Shore Hospital (Massachusetts) Pays $750,000 To Settle Data Breach Charges
An aptly-timed article from Mass High Tech Business News noted earlier today that: “Data Breaches [Are] a Growing Problem in Health Care.” This article focused on a recent breach at Boston Children’s Hospital involving the records of 2,000 patients.
The article was prescient, as this afternoon, the Massachusetts Attorney General announced a $750,000 settlement with suburban Boston’s South Shore Hospital, relating to a 2010 data breach.
According to the Attorney General’s press release:
South Shore Hospital has agreed to pay $750,000 to resolve allegations that it failed to protect the personal and confidential health information of… More
The Federal Trade Commission has joined the Department of Justice and the Consumer Financial Protection Bureau in filing a memorandum in support of the constitutionality of the Fair Credit Reporting Act.
This issue arose in Shamara King v. General Information Services, Inc., a "consumer class action based upon Defendant’s willful violation of the Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681x. (“FCRA”)." In her complaint, Ms. King brought suit "on behalf of thousands of employment applicants throughout the country who have been the subject of prejudicial, misleading and illegal background reports performed by the Defendant… More
ONC (“Office of the National Coordinator for Health Information Technology”) Issues Guide to Privacy and Security of Health Information
The Office of the National Coordinator for Health Information Technology (“ONC”) has issued a Guide to Privacy and Security of Health Information Guide to Privacy and Security of Health Information. The guide is targeted at smaller health care providers and their administrative staff members. The 47 pages contain five chapters:
Chapter 1: What Is Privacy & Security and Why Does It Matter? Chapter 2: Privacy & Security and Meaningful Use Chapter 3: Privacy & Security 10-Step Plan for Meaningful Use Chapter 4: Integrating Privacy and Security into Your Practice Chapter 5: Privacy and Security Resources
At first glance,… More
Ninth Circuit En Banc Decision Creates Circuit Split with First Circuit that Affects Employer Claims Against Employees under the Computer Fraud and Abuse Act
(This post also appears in www.massachusettsnoncompetelaw.com) Below is an article that I wrote for the June edition of Massachusetts Lawyers Journal, the monthly publication of the Massachusetts Bar Association. It discusses an important case that interprets the Computer Fraud and Abuse Actand the split in the law that case has created with the First Circuit, which includes Massachusetts.The U.S. District Court for the District of Massachusetts has noted that employers are increasingly using the federal Computer Fraud and Abuse Act (CFAA) “to sue former employees and their new companies who seek a competitive edge through wrongful use… More
The Massachusetts Office of Consumer Affairs and Business Regulation has issued its first annual report on data breaches. Since Massachusetts has one of the more strict state laws on data security and breach reporting, this report bears close attention for trends across the nation. Some of the highlights in this summary, which covers 2007-2011:
Through September 30, 2011, the largest share of breaches was not in the financial sector, but in the retail and healthcare industries, along with government. Since the Data Security law, c. 93H, went into effect, the Office of Consumer Affairs and Business… More
Second Circuit Reverses Convictions in Data-Theft Prosecution and Narrowly Interprets Federal Criminal Statutes with Important Intellectual Property Implications
In February 2012, following oral argument, the U.S. Court of Appeals for the Second Circuit issued a brief order reversing Sergey Aleynikov’s convictions for violating the National Stolen Property Act, 18 U.S.C. § 2314 (“NSPA”), and the Economic Espionage Act, 18 U.S.C. § 1832(b) (“EEA”), and stating a longer opinion would follow. In that promised opinion, which was issued earlier this month, see United States v. Aleynikov, No. 11-1126 (2d Cir. Apr. 11, 2012), the appeals court explained why Aleynikov did not commit the charged federal crimes, and more importantly, it established significant limits on future federal prosecutions concerning the… More
FTC Releases Final Report: “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers”
FTC has today, at last, released the final version of its original 2010 Report — “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers.” As we have discussed previously, comments on the draft report were taken through January 31, 2011 and the final report had been expected in 2011.
The FTC received over 450 comments from businesses, privacy advocates, and consumers and claims that the final Report retains the basic principles outlined previously, but claiming it makes several important refinements. There’s also a brief new video explaining the FTC’s positions. … More
Employers increasingly are suing former employees who have left to join or form competing companies using the civil remedies available under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. They use the CFAA to prevent their former employees from using sensitive information obtained from the former employer’s computer system. The scope of the CFAA, however, is subject to hot debate among the federal courts, as highlighted by a recent case from the District of Minnesota.
$1.5 Million Settlement of First HIPAA Enforcement Action Resulting from HITECH Breach Notification Rule
The trend toward increasingly large health information breach settlements has continued with yesterday’s announcement thatBlue Cross Blue Shield of Tennessee (BCBST) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,500,000 to settle potential violations of HIPAA’s Privacy and Security Rules, HHS’s Office of Civil Rights. BCBST also agreed to a corrective action plan to address gaps in its HIPAA compliance program. The enforcement action is the first resulting from a breach report required by the HITECH Act’s Breach Notification Rule.
The investigation started with a notice submitted by BCBST to HHS reporting… More
Here is a video discussion I had with LexBlog on the new White House Data Privacy report, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.” In this conversation, we discussed the report’s four primary elements:
a Consumer Privacy Bill of Rights, a multistakeholder process to specify how the principles in the Consumer Privacy Bill of Rights apply in particular business contexts, effective enforcement, and a commitment to increase interoperability with the privacy frameworks of our international partners.
Specifically, in the Consumer Privacy Bill of Rights,… More
Court Sides with Facebook, Finds Social Networking “Experience” Website Violated CAN-SPAM and Other Data Security Statutes
In a case brought by Facebook, a U.S. district court recently concluded that a website that offered to integrate multiple social networking accounts into a single social networking “experience” violated the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM Act”), the Computer Fraud and Abuse Act (“CFAA”), and California Penal Code § 502. Facebook, Inc. v. Power Ventures, Inc., 2012 WL 542586 (N.D. Cal. Feb. 16, 2012).
Power Ventures, which operated the “experience” website, began a “Launch Promotion” in December 2008 that promised users the chance to win $100 if… More
The White House has finally released its long-anticipated report on consumer privacy.The 60-page White House report, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy,” is the start of what promises to be a fascinating legislative and regulatory process.
It is curious that the Department of Commerce has been charged with "work[ing] with other Federal agencies to convene stakeholders, including our international partners, to develop enforceable codes of conduct that build on the Consumer Privacy Bill of Rights" since it has been the FTC that has… More
According to the letter:
Recent press reports of massive Chinese-sponsored hacking at the one-time telecom giant Nortel might cause you to throw up your hands and say, what chance do I have against such forces? A closer look suggests that there is much that can be done, and should be done, both in IT security and in the sale and acquisition of assets.
Apparently Nortel found and investigated the breach in question, but did not try to determine if its products were compromised. Nortel’s internal structure also provided little barrier to hackers; according to a Wall Street Journal interview of a former employee, "Once you were… More
Our colleagues have reminded us that on March 1, 2012, the contract grandfathering provisions of the Massachusetts Data Security Law and Regulations will expire:
As we previously noted in our Foley Adviser dated February 3, 2010, “New Massachusetts Data Security Law and Regulations-Comprehensive Information Security Plan required before March 1, 2010”, under the regulations, an investment adviser must require third-party service providers by contract to implement and maintain appropriate security measures for personal information. There currently is a grandfather provision that deems any contract with a service provider entered… More
"From a legal perspective, I’m not seeing anything that’s much different in what’s being proposed to take effect on March 1 and what’s in place right now," Zick says. "In particular, the language about sharing across services has been in [Google’s policies] for a long time."
Zick points out that all the past versions of Google’s privacy policies are on the website, and the last two versions offer line-by-line comparisons to the previous version. Zick expects that Google will do… More
An Atlanta, Georgia man was sentenced earlier this month to one year and one month in prison for intentionally accessing a computer of a competing medical practice, and taking personal information of the patients. The individual made this improper access in order to send marketing materials to patients at the other practice.
The individual worked as an information technology specialist for a perinatal medical practice in Atlanta. He separated from employment from the first practice and joined a competing perinatal medical practice, located in the same building. He then used his home computer to hack into his former employer’s patient database. He downloaded the names, telephone numbers, and addresses… More
The Supreme Court today issued an opinion holding that police cannot track a suspect using GPS without first getting a warrant.
Justice Scalia wrote the opinion, for a unanimous court, and concluded: “We hold that the Government’s installation of a GPS device on a target’s vehicle, and its use of that device to monitor the vehicle’s movements, constitutes a ‘search.’ It is important to be clear about what occurred in this case: The Government physically occupied private property for the purpose of obtaining information.”
This statement about the government occupying private property is going to be used in many future… More
Security Awareness Training The Computer Security Act of 1987 (P.L. No. 100-235) requires periodic training in computer security awareness and accepted computer practices for all employees who manage, use, or operate Federal computer systems. Additionally, Federal regulations (5 C.F.R. § 930.301(a)) require that role-specific training be provided based on each user’s security responsibilities and require agencies to provide training for employees with significant information security responsibilities. The CMS… More
As we noted back in October, the SEC issued CF Disclosure Guidance: Topic No. 2: Cybersecurity. This guidance provides the Division of Corporation Finance’s views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.
The most recent issue of Inside Counsel follows up on the latest views on this Guidance, including a quote from me.
My colleagues Jen Audeh and Jeff Collins have analyzed the SEC’s guidance on the use of social media by investment advisors. Because of the overlap this issue has with data privacy and security, we are providing this except and a link to their summary:
On January 4, 2012 the SEC’s Office of Compliance Inspections and Examinations issued an exam alert to registered investment advisers which included guidance on the use of social media. The alert is not meant to be a comprehensive summary of all compliance matters related to the use of social media, but rather is… More
“Once More Unto the Breach, Dear Friends, Once More”: The Increasing Recognition of Complexity in Data Breach Response and Reporting
In an article in today’s New York Times, we get some real-life insight into the difficulties in responding to a data breach. Even simple questions, like whether or not to report the breach and who is responsible for reporting it, take on unforeseen complexity.
The particular breach in question happened at the Massachusetts eHealth Collaborative, when an employee’s car was broken into and a company laptop stolen. The ramifications included:
spending nearly $300,000 in legal, private investigation, credit monitoring and media consultancy fees; devoting 600 person-hours of staff time to the breach; hiring a crisis team of lawyers and customers and a chief security officer; hiring… More
In a settlement announced today by the Federal Trade Commission and Facebook, the social networking service agreed to settle “charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public,” according to the FTC’s press release.
In its complaint, the FTC alleged, among other things, that Facebook “users could not restrict access to their profile information to specific groups, such as “Only Friends” or “Friends of Friends” through their Profile Privacy Settings,” despite Facebook’s representations that users could impose such restrictions on… More
With an inflammatory title like “Foreign Spies Stealing US Economic Secrets in Cyberspace,” the Office of the National Counterintelligence Executive’s “Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011” is tough to ignore.
The Report’s conclusions are equally notable for their candor about the recent actions of the Chinese and Russian governments:
“Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC cannot confirm who was responsible.” “Russia’s intelligence services are conducting… More
I was interviewed and quoted as part of a Compliance Week article on the new SEC guidance on disclosures of cyber security incidents:
Colin Zick, a partner at law firm Foley Hoag, says the guidance is too general and that companies will have to think hard when assessing what information to disclose. “There are a lot of cyber-incidents, and there are lots of ways how these will affect your business,” he says. When companies are contemplating the definition of cyber-incidents, they should think expansively, he adds. “Think of data breach, data loss, and denial of… More
As noted in MassHighTech, the Advanced Cyber Security Center was officially launched on September 20. The program was opened by Massachusetts Governor Deval Patrick and featured a presentation from Attorney General Martha Coakley. As described by MassHighTech:
Touted as a first of its kind collaborative effort that brings together stakeholders in cyber security from the government, industry and academia, the ACSC is also hosted at the five universities that make up the Massachusetts Green High Performance Computing Center – MIT, Harvard University, Boston University, Northeastern University and the University of Massachusetts.
The latest legislator to enter into the federal data security and privacy sweepstakes is Senator Richard Blumenthal (D-CT) who introduced legislation, S. 1535, on September 8. This bill, if passed, would require companies dealing with consumers to strengthen their data security and privacy policies. In particular, Senator Blumenthal’s bill, “The Personal Data Protection and Breach Accountability Act,” would required businesses that collect the personal information of over 10,000 customers to employ specific privacy and security measures, including risk assessment, regular testing of system controls, and paying for two years of credit monitoring for any customer whose data is breached. If adopted, this bill would permit the… More
In another sign that OCR is continuing to seek significant penalties for HIPAA violations, it announced on July 7 that the UCLA Health System ("UCLAHS") has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with those rules. This follows on the heels of Massachusetts General Hospital’s $1 million settlement with OCR.
The resolution agreement resolves two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLAHS. The complaints… More
hackers Anonymous “Lulz Security”
The Supreme Court this morning voted 6-3 to strike down a Vermont statute that sought to impose significant restrictions on pharmaceutical data mining activities. Justice Kennedy’s opinion in the closely-watched case of IMS v. Sorrell held that the Vermont statute was an unconstitutional regulation of commercial speech.
The first paragraph of Justice Kennedy’s opinion provides a brief summary of the posture of the case and of the Court’s decision:
Increasingly, alliances are viewed as an important way to improve data security. The Washington Post reports that the National Security Agency is now working with Internet service providers to thwart cyberattacks against defense firms by foreign adversaries. We have previously noted two other initiatives: the Advanced Cyber Security Center (to which Foley Hoag serves as legal counsel).and InfraGuard, a Federal Bureau of Investigation program. One of the oldest and best examples of successful collaboration is PCI, the credit card industry’s security program.
We are six months into 2011, and it seems destined to be “The Year of the Breach.” In just the past few months, major American (and multi-national) corporations and institutions have reported that they have been the victims of some kind of security breach:
Epsilon: breach of customer email addresses; RSA: compromise of security tokens (possibly impacting Lockheed Martin); Citigroup: breach of credit card numbers: Sony: multiple thefts of customer data; Sega: customer data theft; and ADP: breach of its benefits-administration business.
What does this mean? First, there are simply more breaches to report. Second, companies are being more open about… More
Does Briar Group’s Massachusetts Settlement Create a New Legal Standard That Businesses Must Meet to Protect Personal Information?
A recent settlement in a data breach case exemplifies how the government can go beyond a statutory scheme and use private industry standards to protect personal information and impose sanctions on violators.
The Massachusetts AG filed suit against the Briar Group, the owner of a number of bars in the Boston area (including two of my personal favorites, the Harp and Ned Devine’s) in the wake of a 2009 data breach involving credit card numbers and other personal data. The AG’s complaint alleged, among other things, that the Briar… More
Wondering what your company might be able to do at the local level to help fight cybercrime? There are a growing number of public-private collaborations that are trying to get ahead of the bad guys.
One is the Advanced Cyber Security Center (to which Foley Hoag serves as legal counsel). The ACSC is a collaborative, cross-sector research facility working to address critical and sophisticated cyber security challenges. Based at the MITRE Corporation campus in Bedford, Massachusetts, the Center takes advantage of university, industrial and research resources to develop next-generation solutions and strategies for protecting the nation’s public and private IT infrastructure.
Could a Major Security Breach Be on the Horizon? The Smartphone Dilemma What Elements Are Currently Covered in Your Organization’s Security Awareness Program? Security Budgets Fare Well Implementing Risk Management Disciplines Do You Really Know Who Your Friends Are? Denial of Service Attacks: Who’s Next?
In the interest of full disclosure, I am quoted extensively on the prospects for new legislation in the privacy/security space.
On April 15, the White House formally released its National Strategy for Trusted Identities in Cyberspace. As we noted earlier, the “trusted identity” concept is intended to allow the public and private sectors to collaborate in order to raise the level of trust associated with the exposure of the identities of individuals, organizations, networks, services and devices in online transactions:
The goal of NSTIC is to create an “Identity Ecosystem” in which there will be interoperable, secure, and reliable credentials available to consumers who want them. Consumers who want to participate will be able to obtain a single credential–such… More
In March 16, 2011 testimony before the Senate Committee on Commerce, Science, and Transportation, the Obama Administration formally asked Congress to pass a "consumer privacy bill of rights" enforced by the FTC:
Legislation to provide a stronger statutory framework to protect consumers’ online privacy interests should contain three key elements. First, the Administration recommends that legislation set forth baseline consumer data privacy protections—that is, a “consumer privacy bill of rights.” Second, legislation should provide the FTC with the authority to enforce any baseline protections. Third, legislation should create a framework that provides incentives for the development of codes… More
Targeted online advertising has been the focus of much discussion since the release of the FTC’s “Do Not Track” proposals late last year. User tracking for advertising purposes is also the focus of the FTC’s latest privacy enforcement action, which has resulted in a consent agreement with an online advertising company, Massachusetts-based Chitika, Inc., which creates ads for such major publishers as the Hearst Corporation and Salary.com.
On March 14, the California-based managed care organization, Health Net, Inc., announced that it cannot account for "several server drives" that contained protected health information. According to California regulators, these servers appear to contain the data of 1.9 million people nationwide:
The company announced today that nine of its server drives containing personal information for 1.9 million current and past enrollees nationwide are missing, including records for more than 622,000 enrollees in Health Net products regulated by the DMHC, more than 223,000 enrolled in California Department of Insurance products, and a number enrolled in Medicare..
Since this is the… More
As we noted earlier this month, Massachusetts General Hospital recently entered into a $1 million Resolution Agreement and Corrective Action Plan with the Department of Health and Human Services’ Office of Civil Rights. This settlement stemmed from an incident on March 9, 2009, when a MGH employee was commuting on the subway, "removed documents containing PHI from her bag and placed them on the seat beside her. The documents were not in an envelope and were bound with a rubber band. Upon exiting the train, the MGH employee left the documents on the subway train and they were never recovered. These documents contained the… More
While the effect of the federal legislation modifying the FTC Red Flags Rule has been known for a while, the court proceedings that challenged the rule have now caught up. The American Bar Association’s suit has been dismissed, and the American Medical Association announced it is voluntarily dismissing its case: "The lawsuit filed by the Litigation Center of the AMA and the State Medical Societies, the American Osteopathic Association and the Medical Society of the District of Columbia, and joined by 26 national medical specialty societies, will now formally end."
In a March 1, 2011 decision that has received much publicity (despite stating a fairly obvious conclusion), the Supreme Court ruled that the term "personal privacy" does not apply to corporations, at least in the context of the Freedom of Information Act ("FOIA").
The decision, FCC v. AT&T Inc., reflects the Supreme Court application of a particular exemption to FOIA. Exemption 7(C) covers law enforcement records the disclosure of which “could reasonably be expected to constitute an unwarranted invasion of personal privacy.” 5 U. S. C. § 552(b)(7)(C). AT&T, having produced documents to the federal government, wanted that exemption asserted on its behalf, to block the… More
Compliance Approaches in the Changing HIT Privacy and Security Landscape: How You Can Nurture a Culture of Health Information Security and Privacy
My slides from this presentation, "Compliance Approaches in the Changing HIT Privacy and Security Landscape: How You Can Nurture a Culture of Health Information Security and Privacy" cover HIPAA and HITECH developments and compliance, with a focus on breaches and OCR settlements/penalties, including:
§Resolution Agreement with Providence Health & Services–July 16, 2008 Settlement: $100,000 §Resolution Agreement with CVS Pharmacy, Inc.–January 16, 2009 Settlement: $2.25 million §Resolution Agreement with Rite Aid Corporation–July 27, 2010 Settlement: $1 million §Resolution Agreement with Management Services Organization Washington, Inc.–December 13, 2010 Settlement: $35,000 §Civil… More
As we noted back in May, digital copiers have caught the eye of government privacy enforcers. If you have a digital copier at your business, you should review the FTC’s Copier Data Security: A Guide for Businesses. In that Guide, the FTC suggests that “your information security plans . . . should cover the digital copiers your company uses. If the data on your copiers gets into the wrong hands, it could lead to fraud and identity theft.”
Earlier today, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued a Notice of Final Determination finding that Cignet Health of Prince George’s County, Md., (Cignet) violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS imposed a civil money penalty (CMP) of $4.3 million for the violations, representing what OCR said was "the first CMP issued by the Department for a covered entity’s violations of the HIPAA Privacy Rule." The CMP is based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the… More
500 Is a Magic Number: Health Information Breaches Impacting 499 or Fewer Patients Likely Go Uninvestigated By OCR
In the recently-released fiscal 2012 budget for HHS, a dirty little secret has been acknowledged: the Office of Civil Rights does not have the resources to review all reported breaches of health information. In fact, if you have a breach that impacts up to 499 people, you are unlikely to hear from OCR at all:
Current OCR practice is to validate, post to the HHS website, and subsequently investigate all breach reports that impacted more than 500 individuals. Breach reports that impacted fewer than 500 individuals are compiled for future reporting to Congress; however they are treated as discretionary and… More
The Department of Homeland Security has released its latest update to its internal guide to handling personally identifiable information. The "Handbook for Safeguarding Sensitive PII at DHS" has been around since 2008; even if you do not have direct dealings with DHS, it provides a useful point of comparison for your own policies and procedures.
In NASA v. Nelson, decided today by the U.S. Supreme Court, the high court rejected a challenge to “a section of a form questionnaire that asks employees about treatment or counseling for recent illegal-drug use . . . [and] to certain open-ended questions on a form sent to employees’ designated references.”
This particular challenge came from 28 employees of the Jet Propulsion Laboratory (“JPL”). JPL is staffed exclusively by contract employees. NASA owns JPL, but Cal Tech operates the facility under a government contract.
The Supreme Court acknowledge that “[i]n two cases decided more than 30 years ago, this Court referred broadly… More
The Council for Responsible Genetics has published a guide to the world’s DNA databases. According to the guide, 56 countries (and in the U.S., all 50 states) maintain DNA databases.
CRG describes itself as a "catalyst and thought leader in the movement to steer biotechnology toward the advancement of public health, environmental protection, equal justice and respect for human rights." Although CRG has its own unique perspective on whether DNA databases should exist and how they should be used, its guide may nevertheless prove to be a useful resource.
In the late 1990s, I worked on two amicus briefs with… More
Earlier this month, the Federal Trade Commission (“FTC”) released a preliminary staff report entitled, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.” According to the FTC, the report is intended “to inform policymakers, including Congress, as they develop solutions, policies, and potential laws governing privacy, and guide and motivate industry as it develops more robust and effective best practices and self-regulatory guidelines.” Judging from the initial wave of public commentary, consumer support for the proposed framework is widespread.
While the framework will undoubtedly impact the for-profit sector, its… More
On December 18, 2010, President Obama signed into law the Red Flag Clarification Act of 2010. The Act will change a single definition in prior law and reduce the scope of the FTC Red Flags Rule, ending a two-year long saga over the scope of its enforcement.
As we have noted in past entries about Red Flags Rule compliance, the FTC has extended the deadline for enforcement of the FTC’s Red Flags Rule several times, most recently through December 31, 2010. The stated reason for these delays was “to give Congress time to reach a consensus on the types of… More
Posted below is another contribution from my colleague David Broadwin on our Emerging Enterprise Center blog about the potential for legislative change in 2011. I agree with the conclusions he draws:
This is an area where bipartisan concensus is possible. The industry powers will fight against “Do Not Track” and will win that fight. Industry will accept some other form of regulation in exchange for defeating “Do Not Track.”
We could see passage of a federal data security and privacy statute, not unlike those that the various states have been adopting. The states have already passed models for such legislation and… More
FTC Proposes Privacy Framework That Will Impact the Business Model of All Online and Mobile Advertising Companies
Our colleagues in Foley Hoag’s Emerging Enterprise Center have summarized the FTC preliminary staff report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,” which we posted on December 1. We are cross-posting the analysis from their blog below.
It seems likely that the next two years will bring significant changes to this area, either through legislation or regulation. During this period, businesses and consumers will continue to seek an equilibrium that balances business needs and consumer expectations. If they cannot find… More
FTC Releases Report: “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers”
Earlier today, the FTC released a preliminary staff report entitled, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.” The report is over 100 pages long and suggests that changes need to be made regarding consumer privacy, stating:
Industry must do better. For every business, privacy should be a basic consideration – similar to keeping track of costs and revenues, or strategic planning. To further this goal, this report proposes a normative framework for how companies should protect consumers’ privacy.
We’ll have our more detailed thoughts on this document posted shortly.
In a complaint filed with the FTC on November 23, four advocacy groups asked for "Investigation, Public Disclosure, Injunction, and Other Relief" against several online health giants, including Google, Microsoft, QualityHealth, WebMD, Yahoo, AOL, HealthCentral, Healthline, and Everyday Health.
The advocacy groups behind this complaint are the Center for Digital Democracy, U.S. PIRG, Consumer Watchdog and World Privacy Forum. They allege (in 144 pages, complete with web page screen-shots) that:
"Digital marketing raises many distinct consumer protection and privacy… More
On November 19, the California Department of Public Health (CDPH) announced that eight health care facilities (mostly hospitals) have been assessed administrative penalties and fines totaling $792,500 after a determination that the facilities failed to prevent unauthorized access to confidential patient medical information.
The fines ranged from a low of $5,000 to a high of $250,000:
Biggs Gridley Memorial Hospital, Gridley, Butte County: The hospital was assessed a $5,000 fine after the facility failed to prevent unauthorized access of one patient’s medical information by two employees on three occasions. Children’s Hospital of Orange, Orange, Orange County: The hospital… More
The following post was drafted by my colleagues Rob Fisher and Brian Bialas; although their focus is on the employment law aspects of this issue, the implications for corporate security/privacy policies are significant. In particular, they note that such policies must not prohibit employees from criticizing their employer. Time to check your existing policies on this point.
* * *
The rise of social media websites has created a host of challenges for employers. An employee’s post about his or her job can lead to claims of defamation or harassment by co-workers or may reveal confidential… More
Connecticut Insurance Commissioner Fines Health Net of Connecticut $375,000 for Information Security Lapses
On November 8, 2010, the Connecticut Insurance Commissioner, Thomas Sullivan announced that the state’s Insurance Department has reached an agreement with Health Net of Connecticut to pay $375,000 in penalties levied for what the Insurance Department characterized as "failures to safeguard the personal information of its members from misuse by third parties." This included what the Insurance Department considered untimely notification of the 2009 loss of a disk drive resulting in the loss of personal health information of approximately 500,000 Connecticut members.
Health Net will be providing credit monitoring protection for 2 years to all Connecticut members and providers who were affected by… More
In a recent decision by the United States Court of Appeals for the First Circuit, Martin Boroiang v. Robert S. Mueller, III, et al., No. 09-1630, the First Circuit rejected a challenge to the requirement that a blood sample be given by a federal offender for purposes of creating a DNA profile and entering it into a centralized government database.
The DNA Analysis Backlog Elimination Act of 2000 (“DNA Act”) applies to individuals who have been convicted of a “qualifying federal offense” and who are incarcerated or on parole, probation, or supervised release. It requires such individuals to provide a DNA… More
On July 6, 2010, Connecticut Attorney General Richard Blumenthal announced a settlement with Health Net and its affiliates (Health Net of the Northeast, Inc., Health Net of Connecticut Inc., and parent companies UnitedHealth Group Inc. and Oxford Health Plans.) of a suit that cited failure to secure private patient medical records and financial information on nearly a half million Connecticut enrollees and promptly notify consumers endangered by the breach.
The settlement marks the first action by a state attorney general for violations of HIPAA since the Health Information Technology for Economic and Clinical Health (“HITECH“) Act authorized state attorneys general to… More
On June 25, 2010, federal district court judge Reggie B. Walton of the United States District Court for the District of Columbia entered a stipulated court order (.pdf) directing the Federal Trade Commission (FTC) to delay enforcement of the FTC’s Red Flags Rule against doctors and medical practices represented by the American Medical Association (AMA) and American Osteopathic Association. The FTC and AMA agreed to this delay in a Joint Stipulation (.pdf), filed in the lawsuit initiated by the AMA and other medical associations to exclude doctors and other medical professionals from the application… More
This week, the Center for Democracy & Technology (CDT) submitted a complaint (.pdf) to the Federal Trade Commission (FTC) alleging that the data broker website Spokeo was violating federal financial privacy law by not taking adequate safeguards to protect consumers. Spokeo is a website that bills itself as a search engine that allows users the ability to look up “people-related information from phone books, social networks, marketing lists, business sites, and other public sources.”
According the CDT’s complaint, Spokeo is in violation of tMore
Cracking Down: Twitter Settles Charges that It Did Not Take Adequate Security Precautions To Protect User Privacy Settings
Today, the Federal Trade Commission (FTC) and Twitter announced that Twitter has agreed to settle FTC charges that the company failed to take sufficient security measures to protect user privacy settings.
The FTC charges stem from breaches in security that occurred in 2009, when hackers accessed Twitter employee accounts and used administrative controls to access the Twitter accounts of high-profile users, including Barack Obama. (Under hacker control, President Elect Obama’s Twitter account apparently “offered his more than 150,000 followers a chance to win $500 in free gasoline.”) Twitter… More
Today, the Federal Trade Commission issued a press release and an Enforcement Policy extending the deadline for enforcement of the FTC’s Red Flags Rule through December 31, 2010. The agency cited requests from members of Congress for a postponement of the deadline while legislators tinker with federal law to exclude certain businesses from application of the Rule.
This Tuesday, June 1, 2010, marks the official deadline for compliance with the Federal Trade Commission’s Red Flags Rule. The deadline for enforcement of the Red Flags Rule has been delayed repeatedly since its original deadline in November 2008, but the FTC has remained silent on further delays since it announced the current deadline in October of last year.
The FTC’s Red Flags Rule is a set of regulations that require financial institutions and creditors to adopt written identity theft prevention programs. The FTC sparked considerable controversy when it announced that the Rule applies broadly to a range of businesses unused to being subjected to financial industry regulation (i.e., any individual or company that bills its customers after it provides goods or services). As a result, a number of industry groups have filed lawsuits to challenge the FTC’s application of the Red Flags Rules to lawyers, accountants and, most recently, medical professionals.
This week Google rolled out its Government Requests tool that quantifies the number of government requests it receives from various countries around the world. The move was announced by David Drummond, Google’s Chief Legal Officer on Tuesday on the official Google blog. In his post, Drummond stated:
So it’s no surprise that Google, like other technology and telecommunications companies, regularly receives demands from government agencies to remove content from our services. Of course many of these requests are entirely legitimate, such as requests for the removal of child pornography. We also regularly receive requests from law enforcement agencies… More
On Monday, the Financial Industry Regulatory Authority (FINRA) announced that brokerage firm D.A. Davidson & Co. had consented to the imposition of a $375,000 fine for lax security measures that allowed hackers working for an “international crime group” to obtain personal information on thousands of customers.
The breach itself occurred in December 2007 when hackers used a “SQL injection” attack to obtain data on over 100,000 Davidson’s customers from the firm’s online account system. (FINRA’s announcement alleges that the breach affected 192,000 customers, but court filings and the hackers’ own claims put the… More
LifeLock To Pay $12 Million to Settle Charges That Identity Theft Prevention and Data Security Claims Were False
LifeLock, Inc., a self-proclaimed “industry leader in the rapidly growing field of identity theft protection” has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that Lifelock falsely promoted its identity theft protection services. Lifelock publicized its services through advertisements that publicly disclosed its CEO’s Social Security number. As part of the settlement, LifeLock and its principals will be barred from making deceptive claims and required to take more stringent measures to safeguard the personal information they collect from customers.
The February 27 issue of The Economist has an excellent special report, "Data, data everywhere: A special report on managing information." It features a series of articles on the volume of information that is overtaking business and society, and the means by which business and governments are responding.
FTC Tells Businesses, Schools and Local Governments: Stop Sharing Personal Information On Peer-To-Peer Filesharing Networks
The Federal Trade Commission (FTC) announced yesterday that it had notified "almost 100" companies and organizations, including schools and local governments, that sensitive personal information from those entities was being shared across peer-to-peer (P2P) filesharing networks. This has apparently resulted in circulation of customer personal information, health information, Social Security numbers and other sensitive data.
Poorly supervised use of P2P networks have frequently been the subject of unwanted attention, including from the FTC. For our coverage on P2P security issues, see our prior posts here ("Congressional Aide Shares Secret Ethics List With The World"), here (
1. The FTC Fines Las Vegas Man $35,000 for Dumping Customer Financial Records In Public Dumpster
This week, the FTC finalized a $35,000 settlement with Gregory Navone, the real estate broker who left 40 boxes of customer tax returns, bank statements, consumer reports and other financial records in a public dumpster behind an office building in Las Vegas. The defendant agreed to the fine, which amounts to $875 per box, as well as a stipulated order (.pdf) requiring him to adopt a comprehensive written information security program. We first posted on this case a year ago,… More
It has been well over a decade since the passage of HIPAA in 1996. HIPAA has caused many changes in the way the business of health care works, including going a long way to create the position of “health information professional.” One area where HIPAA has, as yet, had little impact has been in enforcement. The history of enforcement of HIPAA’s privacy and security rules has been slim and almost none. The changes in behavior that have occurred have been done out of a desire to follow the law, and not due to fear of prosecution or administrative action.
First and foremost in… More
The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has filed its final information security regulations and will be making them public this week. The final rules appear to have been tweaked only slightly from the draft regulations issued on August 17, 2009.
Two days before they were scheduled to go into effect, and on the same day that a federal judge ruled that lawyers should be excluded from enforcement, the Federal Trade Commission (FTC) announced today that it was delaying enforcement of its Red Flags Rule until June 1, 2010. Given the timing of the announcement, the most likely explanation for the delay is that the FTC wants to give itself time to appeal the district court’s decision in the ABA suit.
In an order entered this morning, Federal District Judge Reggie B. Walton granted the American Bar Association’s (ABA) request that lawyers be excluded from enforcement of the Federal Trade Commission’s (FTC’s) controversial Red Flags Rules. This comes as the legal community steeled itself for the FTC’s imminent November 1st enforcement deadline.
Subject of FBI Investigation Reveals Government Concerns About Access to Federal Courts’ Public PACER System
Reddit co-founder Aaron Swartz was apparently the subject of an FBI investigation for “participating in a project to take the publicly owned US court records from the PACER database (where they were very expensive to access) and put them on the web.”
Mr. Swartz has made this information public by releasing the contents of his FBI file, obtained through a Freedom of Information Act request. His file reveals that the FBI was treating his access of PACER as a crime which cost the victim, the Administrative Office of the US Courts, approximately $1.5 million. The file suggests, but… More
Incident of the Week: Declassified Documents Show FBI Expanding Data Mining Efforts Over 1.5 Billion Personal Records (And Counting)
Declassified documents obtained (but not published) by WIRED Magazine indicate that the FBI has been hard at work expanding a database of Americans’ personal and financial information. According to WIRED, the FBI’s National Security Branch Analysis Center (NSAC) has compiled a database of “more than 1.5 billion government and private-sector records” and has been mining this database for use in criminal investigations. The data, which apparently has been obtained from a number of private companies, includes transaction records from hotels, rental car companies and retailers. [Note, that this database… More
Massachusetts Supreme Judicial Court Allows Use of Secret GPS To Track an Individual’s Movements, But Requires Police To Obtain Warrant
Earlier this year, the Wisconsin and New York state courts split on whether police may install a covert GPS tracking device on a suspect’s car without a warrant. On September 17, the Massachusetts Supreme Judicial Court addressed the GPS tracking device issue, ruling that Article 14 of the Massachusetts Declaration of Rights requires a warrant before such a device may be installed and used.
The defendant, Everett Connolly, was a suspected drug dealer and who was investigated by police for more than a year. The investigation included surveillance and controlled drug purchases by confidential informants and, towards the end… More
The Federal Trade Commission will host a series of public "roundtable discussions" to explore the privacy challenges posed by "technology and business practices that collect and use consumer data," including social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The FTC’s expressed goal of the meetings is to determine how best to protect consumer privacy while supporting beneficial uses.
The first of these free, public meeting will be held Monday, December 7, 2009, at the FTC Conference Center in Washington, DC. A live Webcast of the program also will… More
In a move threatened but not expected this soon, the American Bar Association today sued the Federal Trade Commission, in an effort to stop the application of the Red Flags Rule to lawyers. The Red Flags Rule is scheduled to go into effect on November 1, 2009.
The complaint (.pdf), which was filed in federal district court in Washington, D.C., seeks declaratory and injunctive relief, with the goal of making clear that lawyers are not "creditors" required to comply with the Red Flags Rule. Interestingly, nowhere does the complaint suggest that lawyers are not just as vulnerable to identify theft… More
On July 13, a federal judge in Miami granted a joint motion to stay an evidentiary hearing that was to be held as a result of a petition from the United States that the Swiss bank UBS be compelled to disclose the names of 52,000 American clients who were suspected of tax evasion. The case has raised concerns about the effects of privacy laws in other nations on the ability of the federal government to enforce its own laws and created tension between the Justice Department, which had said it might fine, or even indict, UBS if the judge ordered it to disclose the names and it… More
Amidst calls from the legal community, the Federal Trade Commission’s (FTC) announced this morning that it was delaying enforcement of the FTC’s Red Flag Rules until November 1, 2009. The FTC’s announcement of the delay emerged almost as a footnote to a public statement devoted largely to the FTC’s "redoubled" efforts to "provid[e] additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply." The FTC appears to be stepping up its outreach efforts with an "Expanded Business Education Campaign" that is intended to address those businesses that "remain uncertain… More
On June 18, 2009, the House Subcommittee on Commerce, Trade and Consumer Protection held a joint hearing with the Subcommittee on Communications, Technology, and the Internet on the topic of “Behavioral Advertising: Industry Practices and Consumer Expectations.” The subcommittee members explained that they hoped the hearing would help determine the need and possible parameters for new legislation governing privacy and behavioral advertising.
In an email to its listserv earlier today, the federal Department of Health and Human Services announced it "is expanding its health information privacy enforcement team." In particular, HHS is hiring for two new positions are located in HHS’s "Office of the Secretary, Office for Civil Rights (OCR), Office of the Deputy Director Health Information Privacy (ODDHIP)." As described on USAJOBS.GOV, the people to be hired "will be responsible for reviewing, analyzing, implementing, promoting, or improving proposed or existing programs or policies needed to implement OCR’s authority for ensuring compliance with the privacy of health information." If you are a privacy officer, this… More
On June 11, 2009, six federal agencies issued answers to a set of frequently asked questions (FAQ) (.pdf) to “assist financial institutions, creditors, users of consumer reports and card issuers in complying with the final rulemaking” on identity theft. The agencies behind the FAQ are those that originally promulgated the Red Flags Rules (and issued Guidelines to assist covered entities in designing compliance programs): the Federal Trade Commission (FTC), the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the… More
A contact at the American Bar Association (ABA) confirmed by telephone today that the ABA Board of Governors is meeting this Saturday, June 13, 2009 to determine what position the ABA will take on whether lawyers and law firms are (or should be) considered "creditors" subject to federal Red Flags Rules. Many among the legal community are hoping that the ABA urges the FTC and Congress to exempt lawyers from compliance with federal Red Flags Rules or takes some other action to limit the scope of the FTC’s enforcement. (For background on the Red Flag Rules, see our prior postings here, here and here).
The FTC has previously… More
Massachusetts Regulators Present on New Information Security Rules – June 5, 2009, Suffolk University Law School
On Friday, June 5, 2009, Suffolk University Law School’s Center for Advanced Legal Studies organized a thorough presentation on the Massachusetts information security rules. These presentations were led by a pair of notable Massachusetts regulators: Scott D. Schafer, the head of privacy enforcement for the Massachusetts Attorney General and David A. Murray, the chief architect of the Massachusetts identity theft regulations for the Officer of Consumer Affairs and Business Regulation (OCABR).
These men provided useful recommendations on a number of compliance issues, including when a business should be notifying customers about a security breach, how to ensure that personal… More
From the increasingly populated intersection of the Fourth Amendment and modern technology, comes this story from Wired’s "Threat Level." The Federal Communications Commission (FCC) claims the right enter onto any property to inspect — without a warrant — any radio equipment, regardless of whether it is licensed or unlicensed. In an interview with Wired, an FCC spokesperson claimed that the FCC’s right to inspect radio equipment extends to “anything using RF energy.” This includes commonplace items like wireless internet routers, remote access car keys, and cell phones. Additionally if any illegal or suspicious items or behavior are discovered or observed… More
According to the Chicago Tribune, on May 7, 2009, a three-judge panel of Wisconsin Court of Appeals unanimously ruled that police "can attach GPS to cars to secretly track anybody’s movements without obtaining search warrants" without violating the Fourth Amendment. The court’s opinion in State v. Sveum can be found here. The defendant Sveum was under investigation for stalking when the police obtained a warrant to secretly place a GPS device on his car while it was parked in the his driveway. The device recorded the defendant’s movements for five weeks, after which time police retrieved it and used the information on it… More
Cracking Down: FTC Settles Claims Against Mortgage Company For Violations of FTC Safeguards Rule – Requires Information Security Program and 10 Years of Security Audits
On Tuesday, May 5, 2009, in a press release devoted largely to the FTC’s congressional testimony on peer-to-peer file sharing, the FTC announced that it had reached a settlement of its claims against James B. Nutter & Company, a mortgage company that did not implement information security measures to meet federal minimums. According to the FTC, the result of this alleged failure was that an intruder in the company’s systems sent "millions of outgoing spam emails" and "could have accessed personal information without authorization." In a consent order (.pdf) that parallels settlements in a number of prior FTC enforcement cases, the company… More
Last Minute Reprieve: FTC Postpones Deadline for Red Flags Compliance Until August 1, 2009 – Will Release “Template” For Compliant Identity Theft Prevention Program
On Thursday, April 30, 2009, the day before federal Red Flags Rules were set to go into effect for a wide range of businesses, the FTC published a notice on its website indicating that it is postponing the deadline (yet again) until August 1, 2009. Importantly, this delay appears to be imposed so that the FTC can provide businesses, many of which are confused about how to comply, a “template” identity theft prevention program. “For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law.” The FTC indicates that it will make the template available through their website.
Cracking Down: FTC Fines Credit Research Firm $500,000 For Lax Security, Obtains Court Order Requiring Company to Develop “Comprehensive Information Security Program”
On Thursday, March 5, 2009, the FTC announced that it had reached a settlement with financial research firm Rental Research Services, Inc. (RRS) and its managing officer, Lee Mikkelson, to resolve the FTC’s claims that the firm had failed to provide adequate security for sensitive consumer information provided to identity thieves posing as legitimate users. This case provides a number of key lessons for businesses who have not considered whether their security practices amount to “unfair or deceptive acts or practices” under federal and state laws.
Man Sentenced to 12 Months of Probation and Community Service for Illegal Access to Obama’s Passport Records
Dwayne F. Cross, the second of three people who have plead guilty to illegally accessing then Presidential Candidate Barack Obama’s passport files was sentenced to 12 months probation and 100 hours of community service on Monday. Mr. Cross admitted to accessing State Department passport records involving over 150 individuals, including celebrities, family members, and personal acquaintances, out of “idle curiosity”. These files contained a wealth of personal information including social security numbers, phone numbers, emergency contact information, and photographs.
FTC Asks Congress For Enhanced Rulemaking and Enforcement Powers To Curb Abuses in Financial Industry
On Tuesday, March 24, 2009, FTC Chairman Jon Liebowitz testified before the U.S. House Subcommittee on Commerce, Trade and Consumer Protection seeking enhanced legal powers “[t]o allow the FTC to perform a greater and more effective role in protecting consumers.”
Between March 11, 2009 and March 13, 2009, the International Association of Privacy Professionals (IAPP) hosted a Privacy Summit in Washington, D.C. that featured keynote presentations from fraud expert Frank W. Abagnale and information security guru Bruce Schneier. The three-day event included dozens of breakout sessions with industry experts and government officials. Read some of the highlights below.
Cracking Down: FCC Initiates Enforcement Action Against Hundreds of Telecommunications Carriers For Failing to Certify Compliance With Customer Privacy Rules
On Tuesday, February 24, 2009, the Federal Communications Commission (FCC) issued an Omnibus Notice of Apparent Liability alleging that more than 600 telecommunications carriers have violated Section 222 of the Communications Act which "imposes the general duty on all telecommunications carriers to protect the confidentiality of their subscribers’ proprietary information" and the EPIC Customer Proprietary Network Information (CPNI) Order (22 FCC Rcd 6927), which requires each carrier to certify compliance with the regulations governing customer information. FCC Chairman Michael J. Copps issued a public statement addressing the enforcement action and highlighting that the FCC "continued to mconsumer privacy protection a top priority. The FCC seeks… More