Category Archives: Government Enforcement

Posted on March 15th, 2013 by Brian P. Bialas on our sister blog, Massachusetts Noncompete Law.               I’ve written many times about the significant split in circuit courts’ interpretation of the Computer Fraud and Abuse Act (CFAA), which affects whether an employer can sue an employee for violating computer use restrictions, usually embodied in a [...]

  Feb 18, 2013 U.S. Supreme Court takes pass on CFAA lawsuit; uncertainty remains In 1st Circuit, ‘ball in employer’s court’ By Correy E. Stephenson The U.S. Supreme Court’s denial of certiorari in a Computer Fraud and Abuse Act case leaves employment lawyers in the 1st Circuit and beyond with continuing uncertainty.Employers frequently add a [...]

Merchants who accept credit cards have a duty to protect customer information, not only by law (see, e.g., 201 CMR 17.00), but also because the credit card companies tell them so.  The Payment Card Industry Security Standards Council was created by Visa, MasterCard and American Express to tell merchants precisely what they are supposed to [...]

In a recent article, the Washington Post reported that “The Pentagon has approved a major expansion of its cybersecurity force over the next several years, increasing its size more than fivefold to bolster the nation’s ability to defend critical computer systems and conduct offensive computer operations against foreign adversaries.” The Pentagon’s plan would create three [...]

The revised HIPAA regulations were formally published today in the Federal Register.  In this form, they only take up 138 pages! Law360 has a brief piece on the revised HIPAA rules, with the perspectives of various attorneys (including me) on the changes.  While I’m not sure I agree with the quote that “This is a [...]

On January 18, 2013, nearly four years after the passage of the HITECH Act and its amendments to HIPAA, and nearly three years after it proposed regulatory amendments, the U.S. Department of Health and Human Services (“HHS”) has finally issued major “omnibus” revisions to HIPAA’s privacy and security regulations. In the 563 pages of the regulations and related regulatory comments, [...]

Nearly four years after the passage of the HITECH Act and its amendments to HIPAA, and nearly three years after it proposed regulatory amendments, the U.S. Department of Health and Human Services (“HHS”) has finally issued major revisions to HIPAA’s privacy and security regulations. While we are still making our way through all 563 pages of the regulations and related regulatory comments (and will [...]

The Massachusetts Attorney General announced today that the former owners of a medical billing practice and four pathology groups have agreed to collectively pay $140,000 to settle allegations that medical records and patient billing information for “tens of thousands of Massachusetts patients were improperly disposed of at a public dump.”  Under the settlements, the defendants have agreed to pay a [...]

The Department of Health and Human Services’ Office for Civil Rights (“HHS OCR“) announced today that it was, for the first time, entering into a monetary HIPAA settlement for a breach involving less than 500 patients: the Hospice of North Idaho (HONI) has agreed to pay HHS OCR $50,000 to settle potential HIPAA security rule violations. HHS OCR began its investigation after HONI reported to [...]

In a post from earlier today, my colleagues, Lyndsey Kruzer and Mike Rosen, discuss the NLRB’s conclusion that social media comments can be protected activity: The National Labor Relations Board (NLRB) recently issued a significant decision – solidifying the position it has staked out over the past 18 months – that an employee’s posts on social media may be entitled to [...]

The FTC announced today that it has, at long last, modified its Red Flags Rule to match the language of theRed Flag Clarification Act of 2010.  As this blog explained in 2010: As originally drafted, “creditors” would have included anyone “who regularly extends, renews, or continues credit” or “who regularly arranges for the extension, renewal, or continuation of credit,” [...]

Today’s Law360 addresses “HHS Data-Scrubbing Guidance” with quotes from me and others on the subject: Clarifying the types of data that need to be removed from data sets can also help companies maximize the value of the information that they hold as the value of and ability to use this data for research and public [...]

On November 26, HHS OCR released guidance regarding methods for de-identification of protected health information in accordance with the HIPAA Privacy Rule. This guidance fulfills the American Recovery and Reinvestment Act of 2009 (ARRA) mandate that HHS issue such guidance. Following the passage of ARRA, OCR collected research and views regarding de-identification approaches, best practices for [...]

Gant Redmon of Co3 Systems has an interesting take on the differences in U.S. and EU privacy regimes in a Security Week column entitled, “Privacy:  Why Europeans Think You’re Inadequate.”  In his column, he addresses three key issues:  “First, what does privacy mean to folks in the US versus the EU? Second, how has history played a role in defining privacy in the US [...]

It was a pleasure to be on a panel with members of the Massachusetts Office of the Attorney General last week at the Massachusetts Medical Society to talk about how physicians can protect health information in our presentation entitled:  ”Protecting Health Information: Health Data Security Training.”   We covered the latest in federal law (HIPAA, [...]

In a case that has received wide attention, the Massachusetts Supreme Judicial Court has issued a decision barring ethics investigators from asking a Massachusetts judge how he reached individual decisions during his 21 years on the bench. This is one of the few published decision to recognize a deliberative privilege for the judiciary, with the court concluding [...]

As posted earlier today by Brian P. Bialas on the Massachusetts Non-Compete blog, a recent case from the U.S. District Court for the District of New Hampshire highlights the split between the District of New Hampshire and the District of Massachusetts over the proper interpretation of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, [...]

As you may recall, the Health Information Technology for Clinical and Economic Health (HITECH) Act  gives state Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules.  Some states, like Massachusetts, have already started to use this authority to bring and settle cases.  To [...]

You may have missed it, because it came without fanfare and does not seem to have made the data security trade press, but in early May, the State of Vermont updated its data security law. In particular, these revisions to 9 V.S.A. chapter 62 do the following: change the information protected to “personally identifiable information” [...]

On May 16, Deputy Undersecretary for Cybersecurity, Mark Weatherford, spoke to the Advanced Cyber Security Center about DHS’s cyber security priorities: Information Sharing, R&D, and the Advanced Persistent Threat. On Information Sharing:  This is a continuing challenge, in part because of the way the federal government shares information.  At present, the federal government provides cyber [...]

Interesting article from Of Counsel regarding both the substance and the business of data privacy and security law.  Lawyers from several firms (including me) talk about current and pending legislation, the mechanisms of compliance and breach response, and the pipeline for new lawyers in the field of data security and privacy.  One of the other [...]

An aptly-timed article from Mass High Tech Business News noted earlier today that: “Data Breaches [Are] a Growing Problem in Health Care.”  This article focused on a recent breach at Boston Children’s Hospital involving the records of 2,000 patients. The article was prescient, as this afternoon, the Massachusetts Attorney General announced a $750,000 settlement with suburban Boston’s [...]

The Federal Trade Commission has joined the Department of Justice and the Consumer Financial Protection Bureau in filing a memorandum in support of the constitutionality of the Fair Credit Reporting Act. This issue arose in Shamara King v. General Information Services, Inc., a "consumer class action based upon Defendant’s willful violation of the Fair Credit Reporting [...]

The Office of the National Coordinator for Health Information Technology (“ONC”) has issued a Guide to Privacy and Security of Health Information Guide to Privacy and Security of Health Information. The guide is targeted at smaller health care providers and their administrative staff members. The 47 pages contain five chapters: Chapter 1: What Is Privacy [...]

(This post also appears in www.massachusettsnoncompetelaw.com) Below is an article that I wrote for the June edition of Massachusetts Lawyers Journal, the monthly publication of the Massachusetts Bar Association. It discusses an important case that interprets the Computer Fraud and Abuse Actand the split in the law that case has created with the First Circuit, [...]

The Massachusetts Office of Consumer Affairs and Business Regulation has issued its first annual report on data breaches. Since Massachusetts has one of the more strict state laws on data security and breach reporting, this report bears close attention for trends across the nation. Some of the highlights in this summary, which covers 2007-2011: Through [...]

In February 2012, following oral argument, the U.S. Court of Appeals for the Second Circuit issued a brief order reversing Sergey Aleynikov’s convictions for violating the National Stolen Property Act, 18 U.S.C. § 2314 (“NSPA”), and the Economic Espionage Act, 18 U.S.C. § 1832(b) (“EEA”), and stating a longer opinion would follow. In that promised opinion, which [...]

FTC has today, at last, released the final version of its original 2010 Report — “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers.”  As we have discussed previously, comments on the draft report were taken through January 31, 2011 and the final report had been expected in 2011. The [...]

Employers increasingly are suing former employees who have left to join or form competing companies using the civil remedies available under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. They use the CFAA to prevent their former employees from using sensitive information obtained from the former employer’s computer system. The scope of the CFAA, [...]

The trend toward increasingly large health information breach settlements has continued with yesterday’s announcement thatBlue Cross Blue Shield of Tennessee (BCBST) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,500,000 to settle potential violations of HIPAA’s Privacy and Security Rules, HHS’s Office of Civil Rights. BCBST also agreed to a corrective [...]

Here is a video discussion I had with LexBlog on the new White House Data Privacy report, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.” In this conversation, we discussed the report’s four primary elements: a Consumer Privacy Bill of Rights, a multistakeholder [...]

In a case brought by Facebook, a U.S. district court recently concluded that a website that offered to integrate multiple social networking accounts into a single social networking “experience” violated the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM Act”), the Computer Fraud and Abuse Act (“CFAA”), and California Penal Code § 502. [...]

The White House has finally released its long-anticipated report on consumer privacy.The 60-page White House report, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy,” is the start of what promises to be a fascinating legislative and regulatory process.  It is curious that the [...]

In a letter sent earlier today, 37 state attorneys generals (or their equivalents) wrote to Larry Page, Google’s CEO, "to express our strong concerns with the new privacy policy that Google announced it will be adopting for all of its consumer products." According to the letter: Google’s new privacy policy is troubling for a number of reasons. [...]

Recent press reports of massive Chinese-sponsored hacking at the one-time telecom giant Nortel might cause you to throw up your hands and say, what chance do I have against such forces?  A closer look suggests that there is much that can be done, and should be done, both in IT security and in the sale and acquisition [...]

Our colleagues have reminded us that on March 1, 2012, the contract grandfathering provisions of the Massachusetts Data Security Law and Regulations will expire: by Catherine M. Anderson, Jeffrey D. Collins  As we previously noted in our Foley Adviser dated February 3, 2010, “New Massachusetts Data Security Law and Regulations-Comprehensive Information Security Plan required before March [...]

Here is an excerpt from my interview yesterday with Jon Mitchell of ReadWriteWeb: "From a legal perspective, I’m not seeing anything that’s much different in what’s being proposed to take effect on March 1 and what’s in place right now," Zick says. "In particular, the language about sharing across services has been in [Google's policies] [...]

An Atlanta, Georgia man was sentenced earlier this month to one year and one month in prison for intentionally accessing a computer of a competing medical practice, and taking personal information of the patients.  The individual made this improper access in order to send marketing materials to patients at the other practice. The individual worked as an information technology [...]

The Supreme Court today issued an opinion holding that police cannot track a suspect using GPS without first getting a warrant. Justice Scalia wrote the opinion, for a unanimous court, and concluded:  “We hold that the Government’s installation of a GPS device on a target’s vehicle, and its use of that device to monitor the vehicle’s [...]

This report from the Office of the Inspector General for the Department of Health and Human Services reveals significant holes in Medicare contractor security.  Here’s a notable excerpt: Security Awareness Training The Computer Security Act of 1987 (P.L. No. 100-235) requires periodic training in computer security awareness and accepted computer practices for all employees who [...]

As we noted back in October, the SEC issued CF Disclosure Guidance: Topic No. 2:  Cybersecurity. This guidance provides the Division of Corporation Finance’s views regarding disclosure obligations relating to cybersecurity risks and cyber incidents. The most recent issue of Inside Counsel follows up on the latest views on this Guidance, including a quote from [...]

My colleagues Jen Audeh and Jeff Collins have analyzed the SEC’s guidance on the use of social media by investment advisors.  Because of the overlap this issue has with data privacy and security, we are providing this except and a link to their summary: On January 4, 2012 the SEC’s Office of Compliance Inspections and Examinations issued [...]

Until yesterday, I did not know there was a Congressional Cyber Security Caucus.  It is not clear what it has been up to, as it hasn’t had a media release in eleven months.

In an article in today’s New York Times, we get some real-life insight into the difficulties in responding to a data breach.  Even simple questions, like whether or not to report the breach and who is responsible for reporting it, take on unforeseen complexity. The particular breach in question happened at the Massachusetts eHealth Collaborative, when an employee’s [...]

In a settlement announced today by the Federal Trade Commission and Facebook, the social networking service agreed to settle ”charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public,” according to the FTC’s press release. In its complaint, the FTC [...]

With an inflammatory title like “Foreign Spies Stealing US Economic Secrets in Cyberspace,” the Office of the National Counterintelligence Executive’s “Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011″ is tough to ignore. The Report’s conclusions are equally notable for their candor about the recent actions of the Chinese and Russian governments: “Chinese actors [...]

I was interviewed and quoted as part of a Compliance Week article on the new SEC guidance on disclosures of cyber security incidents: Colin Zick, a partner at law firm Foley Hoag, says the guidance is too general and that companies will have to think hard when assessing what information to disclose. “There are a lot [...]

As noted in MassHighTech, the Advanced Cyber Security Center was officially launched on September 20.  The program was opened by Massachusetts Governor Deval Patrick and featured a presentation from Attorney General Martha Coakley.  As described by MassHighTech: Touted as a first of its kind collaborative effort that brings together stakeholders in cyber security from the [...]

The latest legislator to enter into the federal data security and privacy sweepstakes is Senator Richard Blumenthal (D-CT) who introduced legislation, S. 1535, on September 8.  This bill, if passed, would require companies dealing with consumers to strengthen their data security and privacy policies.  In particular, Senator Blumenthal’s bill, ”The Personal Data Protection and Breach Accountability Act,” would required businesses [...]

I just completed a webinar for the Association of Corporate Counsel, with Ed Palmieri of Facebook, discussing "What Every In-House Counsel Needs to Know About Data Security and Privacy."  The program slides can be found at this link.

In another sign that OCR is continuing to seek significant penalties for HIPAA violations, it announced on July 7 that the UCLA Health System ("UCLAHS") has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with [...]

hackers Anonymous “Lulz Security”

The Supreme Court this morning voted 6-3 to strike down a Vermont statute that sought to impose significant restrictions on pharmaceutical data mining activities. Justice Kennedy’s opinion in the closely-watched case of IMS v. Sorrell held that the Vermont statute was an unconstitutional regulation of commercial speech. The first paragraph of Justice Kennedy’s opinion provides a [...]

Increasingly, alliances are viewed as an important way to improve data security.  The Washington Post reports that the National Security Agency is now working with Internet service providers to thwart cyberattacks against defense firms by foreign adversaries.  We have previously noted two other initiatives:   the Advanced Cyber Security Center (to which Foley Hoag serves as legal counsel).and [...]

We are six months into 2011, and it seems destined to be “The Year of the Breach.”  In just the past few months, major American (and multi-national) corporations and institutions have reported that they have been the victims of some kind of security breach: Epsilon: breach of customer email addresses; RSA: compromise of security tokens (possibly impacting [...]

Attached is my presentation given at a recent CloudCamp, on the subject:   What Law Applies In “the Cloud”?  (CloudCamp is an unconference where early adopters of Cloud Computing technologies exchange ideas.)

A recent settlement in a data breach case exemplifies how the government can go beyond a statutory scheme and use private industry standards to protect personal information and impose sanctions on violators. The Massachusetts AG filed suit against the Briar Group, the owner of a number of bars in the Boston area (including two of my [...]

Wondering what your company might be able to do at the local level to help fight cybercrime? There are a growing number of public-private collaborations that are trying to get ahead of the bad guys. One is the Advanced Cyber Security Center (to which Foley Hoag serves as legal counsel).  The ACSC is a collaborative, cross-sector research facility [...]

InformationWeek has published an interesting Analytics Brief on "Information Security in the Age of WikiLeaks."  (Subscription required.)  The brief discusses the following subjects: Could a Major Security Breach Be on the Horizon? The Smartphone Dilemma What Elements Are Currently Covered in Your Organization’s Security Awareness Program? Security Budgets Fare Well Implementing Risk Management Disciplines Do [...]

On April 15, the White House formally released its National Strategy for Trusted Identities in Cyberspace. As we noted earlier, the “trusted identity” concept is intended to allow the public and private sectors to collaborate in order to raise the level of trust associated with the exposure of the identities of individuals, organizations, networks, services and devices in [...]

In March 16, 2011 testimony before the Senate Committee on Commerce, Science, and Transportation, the Obama Administration formally asked Congress to pass a "consumer privacy bill of rights" enforced by the FTC: Legislation to provide a stronger statutory framework to protect consumers’ online privacy interests should contain three key elements. First, the Administration recommends that legislation [...]

Targeted online advertising has been the focus of much discussion since the release of the FTC’s “Do Not Track” proposals late last year. User tracking for advertising purposes is also the focus of the FTC’s latest privacy enforcement action, which has resulted in a consent agreement with an online advertising company, Massachusetts-based Chitika, Inc., which creates ads [...]

On March 14, the California-based managed care organization, Health Net, Inc., announced that it cannot account for "several server drives" that contained protected health information.  According to California regulators, these servers appear to contain the data of 1.9 million people nationwide: The company announced today that nine of its server drives containing personal information for 1.9 million current [...]

As we noted earlier this month, Massachusetts General Hospital recently entered into a $1 million Resolution Agreement  and Corrective Action Plan with the Department of Health and Human Services’ Office of Civil Rights.  This settlement stemmed from an incident on March 9, 2009, when a MGH employee was commuting on the subway, "removed documents containing PHI from her bag and placed [...]

While the effect of the federal legislation modifying the FTC Red Flags Rule has been known for a while, the court proceedings that challenged the rule have now caught up.  The American Bar Association’s suit has been dismissed, and the American Medical Association announced it is voluntarily dismissing its case:  "The lawsuit filed by the Litigation [...]

In a March 1, 2011 decision that has received much publicity (despite stating a fairly obvious conclusion), the Supreme Court ruled that the term "personal privacy" does not apply to corporations, at least in the context of the Freedom of Information Act ("FOIA").  The decision, FCC v. AT&T Inc., reflects the Supreme Court application of a particular exemption [...]

My slides from this presentation, "Compliance Approaches in the Changing HIT Privacy and Security Landscape:  How You Can Nurture a Culture of Health Information Security and Privacy" cover HIPAA and HITECH developments and compliance, with a focus on breaches and OCR settlements/penalties, including: §Resolution Agreement with Providence Health & Services–July 16, 2008 Settlement:  $100,000 §Resolution Agreement with [...]

As we noted back in May, digital copiers have caught the eye of government privacy enforcers.  If you have a digital copier at your business, you should review the FTC’s Copier Data Security: A Guide for Businesses.  In that Guide, the FTC suggests that ”your information security plans .  . . should cover the digital copiers your company [...]

Earlier today, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued a Notice of Final Determination finding that Cignet Health of Prince George’s County, Md., (Cignet) violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS imposed a civil money penalty (CMP) of [...]

In the recently-released fiscal 2012 budget for HHS, a dirty little secret has been acknowledged:  the Office of Civil Rights does not have the resources to review all reported breaches of health information.  In fact, if you have a breach that impacts up to 499 people, you are unlikely to hear from OCR at all: Current [...]

The Department of Homeland Security has released its latest update to its internal guide to handling personally identifiable information.  The "Handbook for Safeguarding Sensitive PII at DHS" has been around since 2008; even if you do not have direct dealings with DHS, it provides a useful point of comparison for your own policies and procedures. 

In NASA v. Nelson, decided today by the U.S. Supreme Court, the high court rejected a challenge to “a section of a form questionnaire that asks employees about treatment or counseling for recent illegal-drug use . . .  [and] to certain open-ended questions on a form sent to employees’ designated references.” This particular challenge came from [...]

The Council for Responsible Genetics has published a guide to the world’s DNA databases.  According to the guide, 56 countries (and in the U.S., all 50 states) maintain DNA databases. CRG describes itself as a "catalyst and thought leader in the movement to steer biotechnology toward the advancement of public health, environmental protection, equal justice [...]

Earlier this month, the Federal Trade Commission (“FTC”) released a preliminary staff report entitled, “Protecting Consumer Privacy in an Era of Rapid Change:  A Proposed Framework for Businesses and Policymakers.” According to the FTC, the report is intended “to inform policymakers, including Congress, as they develop solutions, policies, and potential laws governing privacy, and guide and [...]

On December 18, 2010, President Obama signed into law the Red Flag Clarification Act of 2010.  The Act will change a single definition in prior law and reduce the scope of the FTC Red Flags Rule, ending a two-year long saga over the scope of its enforcement. As we have noted in past entries about Red Flags Rule compliance, [...]

Posted below is another contribution from my colleague David Broadwin on our Emerging Enterprise Center blog about the potential for legislative change in 2011. I agree with the conclusions he draws: This is an area where bipartisan concensus is possible. The industry powers will fight against “Do Not Track” and will win that fight. Industry will [...]

Our colleagues in Foley Hoag’s Emerging Enterprise Center have summarized the FTC preliminary staff report, “Protecting Consumer Privacy in an Era of Rapid Change:  A Proposed Framework for Businesses and Policymakers,” which we posted on December 1.  We are cross-posting the analysis from their blog below. It seems likely that the next two years will bring significant changes to this [...]

Earlier today, the FTC released a preliminary staff report entitled, “Protecting Consumer Privacy in an Era of Rapid Change:  A Proposed Framework for Businesses and Policymakers.”  The report is over 100 pages long and suggests that changes need to be made regarding consumer privacy, stating: Industry must do better. For every business, privacy should be a basic [...]

In a complaint filed with the FTC on November 23, four advocacy groups asked for "Investigation, Public Disclosure, Injunction, and Other Relief" against several online health giants, including Google, Microsoft, QualityHealth, WebMD, Yahoo, AOL, HealthCentral, Healthline, and Everyday Health.  The advocacy groups behind this complaint are the Center for Digital Democracy, U.S. PIRG, Consumer Watchdog and World [...]

On November 19, the California Department of Public Health (CDPH) announced that eight health care facilities (mostly hospitals) have been assessed administrative penalties and fines totaling $792,500 after a determination that the facilities failed to prevent unauthorized access to confidential patient medical information. The fines ranged from a low of $5,000 to a high of [...]

The following post was drafted by my colleagues Rob Fisher and Brian Bialas; although their focus is on the employment law aspects of this issue, the implications for corporate security/privacy policies are significant.  In particular, they note that such policies must not prohibit employees from criticizing their employer.  Time to check your existing policies on [...]

On November 8, 2010, the Connecticut Insurance Commissioner, Thomas Sullivan announced that the state’s Insurance Department has reached an agreement with Health Net of Connecticut to pay $375,000 in penalties levied for what the Insurance Department characterized as "failures to safeguard the personal information of its members from misuse by third parties."  This included what the Insurance [...]

In a recent decision by the United States Court of Appeals for the First Circuit, Martin Boroiang v. Robert S. Mueller, III, et al., No. 09-1630, the First Circuit rejected a challenge to the requirement that a blood sample be given by a federal offender for purposes of creating a DNA profile and entering it [...]

On July 6, 2010, Connecticut Attorney General Richard Blumenthal announced a settlement with Health Net and its affiliates (Health Net of the Northeast, Inc., Health Net of Connecticut Inc., and parent companies UnitedHealth Group Inc. and Oxford Health Plans.) of a suit that cited failure to secure private patient medical records and financial information on nearly a [...]

On June 25, 2010, federal district court judge Reggie B. Walton of the United States District Court for the District of Columbia entered a stipulated court order (.pdf) directing the  Federal Trade Commission (FTC) to delay enforcement of the FTC’s Red Flags Rule against doctors and medical practices represented by the American Medical Association (AMA) [...]

This week, the Center for Democracy & Technology (CDT) submitted a complaint (.pdf) to the Federal Trade Commission (FTC) alleging that the data broker website Spokeo was violating federal financial privacy law by not taking adequate safeguards to protect consumers.  Spokeo is a website that bills itself as a search engine that allows users the ability [...]

Today, the Federal Trade Commission (FTC) and Twitter announced that Twitter has agreed to settle FTC charges that the company failed to take sufficient security measures to protect user privacy settings. The FTC charges stem from breaches in security that occurred in 2009, when hackers accessed Twitter employee accounts and used administrative controls to access [...]

Today, the Federal Trade Commission issued a press release and an Enforcement Policy extending the deadline for enforcement of the FTC’s Red Flags Rule through December 31, 2010. The agency cited requests from members of Congress for a postponement of the deadline while legislators tinker with federal law to exclude certain businesses from application of the Rule.

This Tuesday, June 1, 2010, marks the official deadline for compliance with the Federal Trade Commission’s Red Flags Rule. The deadline for enforcement of the Red Flags Rule has been delayed repeatedly since its original deadline in November 2008, but the FTC has remained silent on further delays since it announced the current deadline in October of last year.
The FTC’s Red Flags Rule is a set of regulations that require financial institutions and creditors to adopt written identity theft prevention programs. The FTC sparked considerable controversy when it announced that the Rule applies broadly to a range of businesses unused to being subjected to financial industry regulation (i.e., any individual or company that bills its customers after it provides goods or services). As a result, a number of industry groups have filed lawsuits to challenge the FTC’s application of the Red Flags Rules to lawyers, accountants and, most recently, medical professionals.

This week Google rolled out its Government Requests tool that quantifies the number of government requests it receives from various countries around the world.  The move was announced by David Drummond, Google’s Chief Legal Officer on Tuesday on the official Google blog.  In his post, Drummond stated: So it’s no surprise that Google, like other [...]

On Monday, the Financial Industry Regulatory Authority (FINRA) announced that brokerage firm D.A. Davidson & Co. had consented to the imposition of a $375,000 fine for lax security measures that allowed hackers working for an “international crime group” to obtain personal information on thousands of customers. The breach itself occurred in December 2007 when hackers used a “SQL [...]

LifeLock, Inc., a self-proclaimed “industry leader in the rapidly growing field of identity theft protection” has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that Lifelock falsely promoted its identity theft protection services. Lifelock publicized its services through advertisements that [...]

The February 27 issue of The Economist has an excellent special report, "Data, data everywhere:  A special report on managing information."  It features a series of articles on the volume of information that is overtaking business and society, and the means by which business and governments are responding.

The Federal Trade Commission (FTC) announced yesterday that it had notified "almost 100" companies and organizations, including schools and local governments, that sensitive personal information from those entities was being shared across peer-to-peer (P2P) filesharing networks. This has apparently resulted in circulation of customer personal information, health information, Social Security numbers and other sensitive data.  [...]

1.  The FTC Fines Las Vegas Man $35,000 for Dumping Customer Financial Records In Public Dumpster This week, the FTC finalized a $35,000 settlement with Gregory Navone, the real estate broker who left 40 boxes of customer tax returns, bank statements, consumer reports and other financial records in a public dumpster behind an office building in [...]

It has been well over a decade since the passage of HIPAA in 1996. HIPAA has caused many changes in the way the business of health care works, including going a long way to create the position of “health information professional.” One area where HIPAA has, as yet, had little impact has been in enforcement. The history of [...]

The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has filed its final information security regulations and will be making them public this week. The final rules appear to have been tweaked only slightly from the draft regulations issued on August 17, 2009.

Two days before they were scheduled to go into effect, and on the same day that a federal judge ruled that lawyers should be excluded from enforcement, the Federal Trade Commission (FTC) announced today that it was delaying enforcement of its Red Flags Rule until June 1, 2010. Given the timing of the announcement, the most likely explanation for the delay is that the FTC wants to give itself time to appeal the district court’s decision in the ABA suit.

In an order entered this morning, Federal District Judge Reggie B. Walton granted the American Bar Association’s (ABA) request that lawyers be excluded from enforcement of the Federal Trade Commission’s (FTC’s) controversial Red Flags Rules. This comes as the legal community steeled itself for the FTC’s imminent November 1st enforcement deadline.

Reddit co-founder Aaron Swartz was apparently the subject of an FBI investigation for “participating in a project to take the publicly owned US court records from the PACER database (where they were very expensive to access) and put them on the web.”  Mr. Swartz has made this information public by releasing the contents of his [...]

Declassified documents obtained (but not published) by WIRED Magazine indicate that the FBI has been hard at work expanding a database of Americans’ personal and financial information.  According to WIRED, the FBI’s National Security Branch Analysis Center (NSAC) has compiled a database of  “more than 1.5 billion government and private-sector records” and has been mining this [...]

Earlier this year, the Wisconsin and New York state courts split on whether police may install a covert GPS tracking device on a suspect’s car without a warrant.  On September 17, the Massachusetts Supreme Judicial Court addressed the GPS tracking device issue, ruling that Article 14 of the Massachusetts Declaration of Rights requires a warrant before such a [...]

The Federal Trade Commission will host a series of public "roundtable discussions" to explore the privacy challenges posed by "technology and business practices that collect and use consumer data," including social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The FTC’s [...]

In a move threatened but not expected this soon, the American Bar Association today sued the Federal Trade Commission, in an effort to stop the application of the Red Flags Rule to lawyers.  The Red Flags Rule is scheduled to go into effect on November 1, 2009.  The complaint (.pdf), which was filed in federal district court [...]

On July 13, a federal judge in Miami granted a joint motion to stay an evidentiary hearing that was to be held as a result of a petition from the United States that the Swiss bank UBS be compelled to disclose the names of 52,000 American clients who were suspected of tax evasion.  The case has [...]

Amidst calls from the legal community, the Federal Trade Commission’s (FTC) announced this morning that it was delaying enforcement of the FTC’s Red Flag Rules until November 1, 2009.  The FTC’s announcement of the delay emerged almost as a footnote to a public statement devoted largely to the FTC’s "redoubled" efforts to "provid[e] additional resources [...]

On June 18, 2009, the House Subcommittee on Commerce, Trade and Consumer Protection held a joint hearing with the Subcommittee on Communications, Technology, and the Internet on the topic of “Behavioral Advertising: Industry Practices and Consumer Expectations.” The subcommittee members explained that they hoped the hearing would help determine the need and possible parameters for new legislation governing [...]

In an email to its listserv earlier today, the federal Department of Health and Human Services announced it "is expanding its health information privacy enforcement team."  In particular, HHS is hiring for two new positions are located in HHS’s "Office of the Secretary, Office for Civil Rights (OCR), Office of the Deputy Director Health Information Privacy (ODDHIP)."  [...]

On June 11, 2009, six federal agencies issued answers to a set of frequently asked questions (FAQ) (.pdf) to “assist financial institutions, creditors, users of consumer reports and card issuers in complying with the final rulemaking” on identity theft.  The agencies behind the FAQ are those that originally promulgated the Red Flags Rules (and issued Guidelines to [...]

A contact at the American Bar Association (ABA) confirmed by telephone today that the ABA Board of Governors is meeting this Saturday, June 13, 2009 to determine what position the ABA will take on whether lawyers and law firms are (or should be) considered "creditors" subject to federal Red Flags Rules.  Many among the legal community are hoping that the ABA urges the FTC [...]

On Friday, June 5, 2009, Suffolk University Law School’s Center for Advanced Legal Studies organized a thorough presentation on the Massachusetts information security rules.  These presentations were led by  a pair of notable Massachusetts regulators: Scott D. Schafer, the head of privacy enforcement for the Massachusetts Attorney General and David A. Murray, the chief architect [...]

From the increasingly populated intersection of the Fourth Amendment and modern technology, comes this story from Wired’s "Threat Level."  The Federal Communications Commission (FCC) claims the right enter onto any property to inspect — without a warrant — any radio equipment, regardless of whether it is licensed or unlicensed.  In an interview with Wired, an FCC spokesperson claimed [...]

According to the Chicago Tribune, on May 7, 2009, a three-judge panel of Wisconsin Court of Appeals unanimously ruled that police "can attach GPS to cars to secretly track anybody’s movements without obtaining search warrants" without violating the Fourth Amendment.  The court’s opinion in State v. Sveum can be found here.  The defendant Sveum was under investigation for stalking [...]

On Tuesday, May 5, 2009, in a press release devoted largely to the FTC’s congressional testimony on peer-to-peer file sharing, the FTC announced that it had reached a settlement  of its claims against James B. Nutter & Company, a mortgage company that did not implement information security measures to meet federal minimums.  According to the FTC, the [...]

On Thursday, April 30, 2009, the day before federal Red Flags Rules were set to go into effect for a wide range of businesses, the FTC published a notice on its website indicating that it is postponing the deadline (yet again) until August 1, 2009. Importantly, this delay appears to be imposed so that the FTC can provide businesses, many of which are confused about how to comply, a “template” identity theft prevention program. “For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law.” The FTC indicates that it will make the template available through their website.

On Thursday, March 5, 2009, the FTC announced that it had reached a settlement with financial research firm Rental Research Services, Inc. (RRS) and its managing officer, Lee Mikkelson, to resolve the FTC’s claims that the firm had failed to provide adequate security for sensitive consumer information provided to identity thieves posing as legitimate users. This case provides a number of key lessons for businesses who have not considered whether their security practices amount to “unfair or deceptive acts or practices” under federal and state laws.

Dwayne F. Cross, the second of three people who have plead guilty to illegally accessing then Presidential Candidate Barack Obama’s passport files was sentenced to 12 months probation and 100 hours of community service on Monday. Mr. Cross admitted to accessing State Department passport records involving over 150 individuals, including celebrities, family members, and personal acquaintances, [...]

On Tuesday, March 24, 2009, FTC Chairman Jon Liebowitz testified before the U.S. House Subcommittee on Commerce, Trade and Consumer Protection seeking enhanced legal powers “[t]o allow the FTC to perform a greater and more effective role in protecting consumers.”

Between March 11, 2009 and March 13, 2009, the International Association of Privacy Professionals (IAPP) hosted a Privacy Summit in Washington, D.C. that featured keynote presentations from fraud expert Frank W. Abagnale and information security guru Bruce Schneier. The three-day event included dozens of breakout sessions with industry experts and government officials.  Read some of the highlights below.

On Tuesday, February 24, 2009, the Federal Communications Commission (FCC) issued an Omnibus Notice of Apparent Liability alleging that more than 600 telecommunications carriers have violated Section 222 of the Communications Act which "imposes the general duty on all telecommunications carriers to protect the confidentiality of their subscribers’ proprietary information" and the EPIC Customer Proprietary Network Information (CPNI) [...]