Category Archives: Government Enforcement

What to Expect from the EU’s New Network and Information Security Directive

On July 6, 2016, the European Union adopted Directive (EU) 2016/1148, “concerning measures for a high common level of security of network and information systems across the Union,” otherwise known as the Network and Information Security Directive. (A directive, in EU parlance, is an instruction to member states to achieve a particular objective and a general framework for how to do so.  This differs from a regulation, which is immediately binding on all member states.)  Pursuant to this Directive,… More

Article 29 Working Party on the EU-US Privacy Shield: A Number of Concerns Remain But Let’s See How It Works

Article 29 Working Party on the EU-US Privacy Shield:

The EU’s Article 29 Working Party analyzed the final version of the Privacy Shield and issued a statement on July 26, 2016.  What does this mean?

  • Recap: Where are we and how did we get here?

On February 29, 2016, the European Commission issued a draft adequacy decision reflecting the outcome of its negotiations with US authorities in relation to the Privacy Shield,… More

Guest Podcast: Europe’s New General Data Protection Regulation–What Is It and Are You Ready for It?

Are you looking for an introduction to the European Union’s General Data Protection Regulation (GDPR)?  To find out when and how it’s going to impact you and your organization, listen to this quick 10 minute podcast with, Deborah Hurley. Deborah is an adjunct professor of the practice of computer science at Brown University, fellow at the Institute for Quantitative Social Science at Harvard University, and principal at Hurley Consulting.… More

Cybersecurity News and Notes – July 25, 2016

In Case You Missed It: U.S. Major party platforms address cybersecurity.  The two major parties have released their 2016 election platforms, both of which include cybersecurity planks.  The Republican platform’s perspective of cybersecurity is an element of national security and international relations. The platform called for harsh responses to cyber-attacks against American businesses, institutions, and government, applauded the Cybersecurity Information Sharing Act of 2015, and pledged to “explore the possibility of a free market for Cyber-Insurance.” The Democratic platform is largely as a continuation of President Obama’s cybersecurity policies.… More

At Long Last, US-EU Privacy Shield Adopted By EU Member States

Key takeaways:

  • The Privacy Shield will now go into effect.
  • The preliminary start date for companies to be certified under the Privacy Shield is August 1, 2016.
  • Expect more challenges to the Privacy Shield before all is said and done.

The Details:

Following the invalidation of the US-EU Safe Harbor by the European Court of Justice in the Schrems case,… More

Pokémon Go Catches More Than It Bargained For

Pikachu figure characterThe recently-released Pokémon Go has quickly emerged as a cultural phenomenon, with legions of players using their phones to “catch” Pokémon that emerge all around them, visible (thankfully) only to players.  While catching Pokémon by phone is far less cumbersome than collecting boxes upon boxes of Pokémon cards, as some of us did in the early aughts, it does come with its own set of pitfalls.  Specifically,… More

Cybersecurity News & Notes – July 5, 2016

In Case You Missed It: Ruling in FTC v. Amazon Suggests a Way Forward for Companies Responding to Actions Brought by the FTC after a Data Breach.  The FTC’s recent actions in the realm of data security have been predicated on its claim of statutory authority to seek injunctive relief for the failure to maintain reasonable and appropriate data security practices.  A U.S. District Court ruling last week casts some doubt on that authority. … More

Cybersecurity News and Notes: June 27, 2016

In Case You Missed It

The FTC settled with mobile advertising company InMobi for $950,000 in civil penalties, along with the implementation of a privacy program, based on the FTC’s charges that InMobi impermissibly tracked the locations of both adult and child consumers for the purpose of geo-targeted advertising.  The latter, of course, also implicated allegations of violations of the Children’s Online Privacy Protection Act (COPPA) rule. … More

DHS Issues New Rules Governing Sharing of Cyberthreat Data

Last week, the Department of Homeland Security (“DHS”) released its Final Rules for private-sector information-sharing under the Cybersecurity Information Sharing Act of 2015 (“CISA”). CISA permits private companies to share cyber threat information with the U.S. government and shields those companies from liability for doing so.  The new CISA Rules outline exactly how this information-sharing will work, namely: how information is submitted; what information gets submitted; and what happens to the information after submission.… More

New Data Protection Obligations In Europe: Data Protection Officers and Impact Assessment under the New General Data Protection Regulation (GDPR)

The full text of the General Data Protection Regulation (GDPR) was published on 4 May 2016. Although the GDPR will not be effective until 25 May 2018, it is worth looking into it right now given the major changes it makes to the rules in the 1995 Directive.

Application of the GDPR

The GDPR applies to the processing of personal data by companies having an “establishment” in the European Union,… More

Cybersecurity News & Notes – June 20, 2016

In Case You Missed It: Illinois strengthened its data privacy and security law, with the amendments going into effect in January 2017.  The amendments include expanding the definition of “personal information” to include a username or email address of an Illinois resident in conjunction with a password or security question answer that would permit access to an online account.  The definition is also expanded to include medical and health insurance information. … More

Ransomware Update: The FBI Weighs In

The FBI recently released an article discussing the spate of ransomware attacks on a variety of different entities, including hospitals. In the article, the FBI warned that ransomware attacks and the cybercriminals carrying them out are growing increasingly sophisticated.  The FBI opposes paying a ransom when hit by a ransomware attack, saying that doing do incentivizes more ransomware attacks, can inadvertently fund other illegal activity, and does not always result in the restoration of access. … More

OCR Releases Video Guidance on Provision of Medical Records

The summer movie season is now officially in full swing, with the release of three informational videos regarding HIPAA and the right of individuals to access their medical records, published by the Office of Civil Rights of the Department of Health and Human Services. 

The video trilogy, and accompanying infographic, are the eagerly-awaited sequel to OCR’s guidance “Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.525,” issued earlier this year. … More

Cybersecurity News & Notes – June 13, 2016: A Brief Digest of Cybersecurity News You Can Use

In Case You Missed It:  The SEC fined Morgan Stanley $1 million for a 2014 data breach.  While the FTC had declined to pursue an enforcement action, blaming the breach on technical issues rather than any actions or omissions on the part of Morgan Stanley, the SEC reached a different conclusion.  The  SEC faulted Morgan Stanley for, among other things, failing to have adequate and up-to-date cybersecurity policies and for failing to correct gaps and flaws in its security systems. … More

Join Us June 23: Cybersecurity Challenges and Solutions for Emerging Managers

Hedge Fund Association Symposium in Boston

The Securities and Exchange Commission has reiterated that cybersecurity threats and the adoption of sufficient policies and procedures will remain a compliance and examination priority for 2016. Please join us for a discussion of the primary threats facing managers of private funds, particularly emerging managers, and practical steps that they should be taking to protect their business from cybersecurity threats.

This event is complimentary for HFA members and friends of Foley Hoag. … More

Watch: HIPAA Crimes Webinar – How the New Crime Wave Affects You

Unfortunately, health care providers are the perfect mark for theft and extortion because they have huge amounts of sensitive information and maintain such information in computer databases at risk of infiltration. On May 17, Foley Hoag presented a webinar discussing the ongoing crime sprees involving theft of patients’ identities and health information; ransomware involved in these crimes; related data security issues affecting health care providers; and how they implicate law enforcement and the criminal law aspects of HIPAA.… More

Obama Signs Defend Trade Secrets Act Into Law: Important New Tool for Victims of Data Breach

On May 11, 2016, President Obama signed the Defend Trade Secrets Act of 2016 (“DTSA”) into law.  Previously, companies could only bring misappropriation of trade secrets claims under state law.  (Unless they were able to convince federal prosecutors to bring criminal charges under the Economic Espionage Act, which rarely ever happens.)  Now, companies have the option of pursuing a federal cause of action for misappropriation of trade secrets,… More

Cybersecurity, Corporate Governance, and Risk Management: Best Practices

As litigators, we help clients resolve conflicts that have matured into disputes.  In the realm of cybersecurity, we defend claims brought by private parties or governmental entities against companies facing the fallout from a data breach.

In advising clients in the context of litigation, we have identified tools that are available to mitigate or prevent the types of breaches that we see in litigation.  In the area of cybersecurity,… More

EU General Data Protection Regulation Adopted

After years of intense discussions, the EU General Data Protection Regulation (GDPR) was finally adopted on 14 April 2016.

The GDRP sets out uniform new rules in the field of data protection across the EU, rules that will standardize the law in the 28 EU Member States and have an impact on both European and non-European companies.  For example:

  • data controllers (companies collecting and using personal information) will have a wide range of new obligations,…
  • More

EU-US Privacy Shield: Working Party Urges European Commission to Improve Current Scheme

After the invalidation of the Safe Harbor by the European Court of Justice (“ECJ”) last October in the Schrems case, negotiations between the European Commission and US authorities led to a new agreement called the EU-US Privacy Shield.  However, the EU’s 1995 Data Protection Directive provides that the Article 29 Working Party (“WP29”) has to issue an opinion on this kind of agreements and it did so on April 13.… More

The Future of Data Privacy Regulation in Massachusetts? AG’s Office Foreshadows State Action on Consumer Data in First-of-its Kind Conference

What is the future of data privacy regulation in Massachusetts?

On March 24, 2016, the Massachusetts Attorney General’s Office gave us a glimpse. In collaboration with Harvard’s Berkman Center for Internet and Society, and MIT’s Internet Policy Research Initiative and Computer Science and Artificial Intelligence Laboratory, the AG’s Office convened a “Forum on Data Privacy.”  In this first-of-its-kind conference,… More

IRS Warns of “Surge” in Tax Season Phishing Scams

tax iconTax season ‘tis the season to be phishing, according to the IRS.  The IRS has issued a warning to payroll and human resources professionals about a “surge” in phishing emails seen this year.  One of the preferred tactics of identity thieves this year appears to be impersonating CEOs and sending emails to company payroll and human resources departments asking for employee W-2s. … More

President Obama Signs the Judicial Redress Act (H.R.1428/S.1600)

As part of implementing the EU-US Privacy Shield, on February 24, 2016, President Obama signed the Judicial Redress Act (H.R.1428/S.1600). This law is designed to give EU citizens the right to sue the U.S. government for privacy violations.  In particular:

  • It authorizes the U.S. Department of Justice to designate specific foreign countries or regional economic integration organizations (i.e., the EU) whose natural citizens may bring civil actions under the U.S.…
  • More

Reminder: March 1, 2016 Effective Date for Information Systems Security Programs Including Cybersecurity for NFA Members

As noted in our earlier Foley Adviser, March 1, 2016 is the effective date for NFA member firms (including futures commissions merchants, commodity trading advisors, commodity pool operators, introducing brokers, retail foreign exchange dealers, swap dealers, and major swap participants) to adopt and enforce written policies and procedures to secure customer data and access to their electronic systems.

If you have any questions regarding implementation of these policies and procedures,… More

FTC Announces COPPA Settlements Based on Persistent Identifiers

The COPPA Rule requires website and online service operators to give notice to parents and obtain verifiable parental consent before collecting children’s “personal information” online.  16 CFR §§ 312.4, 312.5.  The definition of “personal information” encompasses some obvious pieces of data – name and address, for example – and some less-obvious ones, such as screen names, geolocation data, and “persistent identifiers.”  A “persistent identifier” is a piece of information “that can be used to recognize a user over time and across different web sites or online services,” such as “a cookie,… More

In Cybersecurity, No Harm Does Not Necessarily Mean No Foul

This article was originally published in Law360 with permission to reprint.

How much does the question of harm matter in cybersecurity law? The answer is: It depends on who is bringing the claim.

Businesses confronting data breaches can face litigation from private consumers as well as from governmental entities. Managing litigation risk varies in these contexts because of the limitations of bringing private rights of action.… More

EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield

What follows below is the EU’s press release regarding the agreement on a replacement for the EU-US Safe Harbor.  We are working to get details and will schedule a webinar on the new framework shortly.

***

The European Commission and the United States have agreed on a new framework for transatlantic data flows: the EU-US Privacy Shield.

Today, the College of Commissioners approved the political agreement reached and has mandated Vice-President Ansip and Commissioner Jourová to prepare the necessary steps to put in place the new arrangement.… More

The Cybersecurity Act of 2015: Implications for Threat Sharing

On December 18, 2015, President Obama signed the Cybersecurity Act of 2015 (The “Act”), legislation designed to combat online threats to the federal government, state and local governments, and private entities. Within the Act are four titles, the most significant of which is Title I, the Cybersecurity Information Sharing Act (“CISA”) (which begins at p. 694).

CISA addresses the manner in which the federal government and non-federal entities may share information about cyber threats and the defensive measures they may take to combat those threats.… More

Massachusetts Health Information Management Association Winter Meeting: Compliance Beyond HIPAA

On January 22, 2016, I had the pleasure to present to the Massachusetts Health Information Management Association’s Winter Meeting, to discuss “Compliance Beyond HIPAA.”  The presentation slides from the program are available here, and reflect discussion of:

EU Safe Harbor Update: No Solution in January?

As we have noted previously, in the wake of the ECJ’s decision that undid the US-EU Safe Harbor, we were told that there would be no enforcement of the EU Directive until after January 31, to allow the US and EU to hammer out a new regime. However, Isabelle Falque-Perrotin, the chair of the EU’s Article 29 Working Party, has stated that the next meeting of the Working Party will take place on February 2.  … More

Amendment to the Annual Privacy Notice Delivery Obligations of Financial Institutions under the Gramm-Leach-Bliley Act contained in the FAST Act

On December 4, 2015, President Obama signed the Fixing America’s Surface Transportation Act (the ‘‘FAST Act’’) into law. Although the FAST Act’s main focus is on improving the country’s surface transportation infrastructure, the law also contains a provision that modified the annual privacy notice requirement under the Gramm-Leach-Bliley Act (“GLBA”).

Previously under the GLBA privacy regulations, financial institutions (which includes registered investment advisers,… More

European Union Agrees On a New Data Protection Framework To Replace the 95/46/CE Directive: Meet the “General Data Protection Regulation”

On 15 December 2015, the three main European institutions, the Commission, the Parliament and the Council, agreed on the final text of the General Data Protection Regulation (GDPR) which has been on the table since January 2012. This is a major achievement, given the number of obstacles that still needed to be overcome a few weeks ago in order to meet the end of 2015 deadline for finalizing the GDPR. … More

Wyndham and FTC Settle Data Breach Lawsuit: Implications

Today, Wyndham and the FTC settled the enforcement action brought by the FTC that had led to a significant decision by the Third Circuit in August of this year.  (Wyndham’s statement on the settlement can be found here; the FTC’s statement can be found here; my earlier analysis of the Third Circuit’s decision can be found here.)  While the details of the settlement are interesting in their own right – Wyndham will not be paying anything by way of a fine or monetary damages and is not required to admit liability,… More

Guidance on EU-US Data Flow Delayed by New Terrorist Threats in Brussels

Today, the Article 29 Working Party (the advisory body on data protection and privacy composed of representatives from the national data protection authorities of all EU Member States) was to meet in Brussels to discuss, amongst other things, the consequences of the European Court of Justice ruling of 6 October 2015 in the Maximilian Schrems case, with EU-US data flow at the top of its agenda.

However,… More

WATCH: Webinar on US-EU Safe Harbor

On November 19, Foley Hoag and UK Trade & Investment presented a webinar discussing the latest developments following ECJ’s decision to invalidate the US-EU Safe Harbor system. Watch the recording here:

 

Click here to download the slides. More

US-EU Safe Harbor: A Webinar on the Latest Developments

Hosted by Foley Hoag LLP and UK Trade & Investment, The British Consulate General in Boston

On October 6, 2015, the European Court of Justice issued a landmark decision invalidating the US-EU Safe Harbor system. In practice, this means that US organizations can no longer rely on the Safe Harbor system to permit the transfer of personal data from the European Union to the US consistent with Directive 95/46/EC.… More

Cybersecurity and Risk Management: “Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers”

A timely new resource for business executives, technology professionals, and lawyers alike is the newly-published Navigating the Digital Age:  The Definitive Cybersecurity Guide for Directors and Officers from the New York Stock Exchange and Palo Alto Networks.  At 355 pages, the guide provides information from dozens of contributors from around the country and from various backgrounds. The guide explores 46 separate topics, focusing on such issues as prevention,… More

Cybersecurity and Information Sharing Act Clears Senate Hurdle; House Action Unclear

The Cybersecurity and Information Sharing Act (S.754), or CISA, cleared an important hurdle on Thursday when the Senate voted 83-14 to end debate on several amendments to the bill.  CISA creates a cyberthreat information sharing system to, in the words of the bill, “improve cybersecurity in the United States.”  Specifically, as currently drafted, the bill requires various government actors and agencies (such as the Attorney General and the Department of Homeland Security) to create specific policies and regulations relating to the sharing of cyberthreat data from private entities and within government entities.  … More

The FTC’s Broad Authority and FTC v. Wyndham: Thinking about the Future of Data Privacy Regulations

What makes data privacy law interesting for academics, challenging for lawyers, and frustrating for businesses is its shape-shifting structure in the face of rapidly changing technology.  The recent change in the invalidation of US-EU “safe harbor” system is a useful reminder of the differences between the way the European Union and the U.S. handle questions of data privacy:  whereas, generally speaking, in the EU data privacy standards are relatively uniform,… More

The European Court of Justice Invalidates Safe Harbor

The European Court of Justice has just issued a decision (ECJ 6 October 2015 Case C-362/14, Maximillian Schrems v. Data Protection Commissioner) that invalidates the so-called US-EU “Safe Harbor” system. Suddenly, what 3,500 U.S. Companies (including some of the largest companies in the world) have been doing with personal data now potentially becomes illegal.

What is the background to this decision?

In 1995,… More

What is reasonable? The emerging legalities of cybersecurity post-Wyndham

This month’s edition of the Advanced Cyber Security Center’s newletter includes my discussion of lessons to be learned from the Wyndham decision:

Historically, security was an issue reserved in a back room for the IT department, if there were even a budget and ample resources. To the public, cybersecurity meant identity theft and proceeded with business as usual with the comfort of an anti-virus protection that may have come with their computer.… More

Google and the Right to be Forgotten: The French Data Protection Authority Takes the Matter Further

On June 12, 2015 the French Data Protection Authority (Commission Nationale de l’Informatique et des Libertés – CNIL) issued a notice ordering Google to draw all the consequences of the CJEU May 13, 2014 ruling and to apply delisting not only to the national domain of the individual who requests delisting but on all of the search engine’s domains, including google.com (see our article The Right to be Forgotten: Another Scuffle between Google and The French Data Protection Authority | Security,… More

The SEC Charges Investment Adviser with Violating Regulation S-P by Failing to Adopt Cybersecurity Policies and Procedures

In recent years, the SEC has been focused on cybersecurity. It has issued risk alerts, conducted examinations and provided guidance about what the agency sees as widespread weaknesses in many policies and procedures to protect against cyberthreats. The SEC has now taken the next step: a few days ago, the SEC brought its first-ever enforcement action for a violation of Regulation S-P, 17 C.F.R. § 248.30(a) – known as the “Safeguards Rule” – against an investment adviser that was itself the victim of a security breach in which hackers stole customer information.… More

SEC Issues Risk Alert Announcing Second Round of Examinations of Registered Investment Advisers and Broker-Dealers

From our colleagues Catherine Anderson and Lauren Tran, we present this update on OCIE’s 2015 Cybersecurity Examination Initiative:  Second Round of Cybersecurity Examinations to Begin

*   *   *

On September 15, 2015, the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) issued a Risk Alert announcing a second round of examinations of registered investment advisers and broker-dealers under its cybersecurity examination initiative.… More

COPPA, Meet DOPPA – Delaware AG Action Leads to New Child-Protection Data Privacy Laws

Delaware Attorney General Matt Denn is serious about online privacy, and aims to make Delaware “the safest state in America for kids to use the internet.” This August, Delaware Governor Jack Markell signed into law four online privacy bills drafted by the Attorney General, the most substantial of which is the Delaware Online Privacy and Protection Act.

DOPPA goes further than its federal cousin,… More

The FTC, COPPA, and Riyo’s “Face Match to Verified Photo Identification”

Webcamera on laptop staring at you(clipping path)The FTC’s COPPA (the Children’s Online Privacy Protection Act) Rule requires website operators to obtain “verifiable parental consent” prior to collecting, using, or disclosing personal information from children. Though the COPPA Rule enumerates several methods for obtaining consent, the FTC, sensitive to how fluid technological developments in this space can be, also allows pre-approval of new methods not listed in the Rule. 16 CFR 312.12(a).… More

The Right to be Forgotten: Another Scuffle between Google and The French Data Protection Authority

On 13 May 2014 the Court of Justice of the European Union (CJEU) issued a judgment which Google called a “landmark ruling” (Google v. Costeja Gonzalez case, C-131/12). The court held, based on the 95/46 Directive on protection of personal data that “the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages,… More

Federal Data Breach Bill Stalled in Congress

A key distinguishing feature of U.S. data privacy laws is their patchwork nature.  There are industry-specific data privacy laws at the federal level (think HIPAA or the GLBA), yet there are no comprehensive federal standards that governs an entity’s obligations in the event of a data breach like the EU’s Data Privacy Directive.  For data breach response, in addition to the possible application of an industry-specific law or regulation,… More

DOJ Releases Best Practices for Victim Response and Reporting of Cyber Incidents

Last week, the Cybersecurity Unit of the Department of Justice (DOJ) issued a list of “best practices” for companies concerning preparing for and responding to cyber-attacks. The report details the lessons federal prosecutors have learned while handling cyber investigations, as well as feedback from private sector companies. Some of the key pieces of advice are:

  • Identify Your “Crown Jewels”: Before creating a cyber-incident response plan,…
  • More

Obama Executive Order Targets International Cyberattacks Against U.S. with New Sanctions

By Gwen Jaramillo and Shrutih V. Tewarie

As part of a series of measures aimed at increasing preparedness and defenses against international cyberattacks on U.S. industries and government agencies, on April 1, President Obama issued Executive Order No. 13694, authorizing the Treasury Department’s Office of Foreign Assets Control (OFAC) to sanction foreign individuals or entities committing such attacks. The new sanctions will allow the Treasury Department to block or freeze the assets of those outside the U.S.… More

Privacy Issues in Smart Electrical Grids: Another Internet of Things Problem

Smart grids – electrical grids that allow two-way communication between utilities and consumers – represent an exciting frontier in the Internet of Things, with ramifications for energy efficiency, weather resiliency and climate change, among others. As the Department of Energy writes, “[t]he Smart Grid represents an unprecedented opportunity to move the energy industry into a new era of reliability, availability, and efficiency that will contribute to our economic and environmental health.”

But like many aspects of the Internet of Things,… More

Update on President Obama’s “Summit on Cybersecurity and Consumer Protection,” Part III: Five Key Lessons for Business

Concluding our three-part analysis of the White House’s first Summit on Cybersecurity and Consumer Protection, we turn to some practical advice coming out of the Summit’s afternoon session, including an address by Maria Contreras-Sweet, the administrator of the Small Business Administration (“SBA”), and a panel discussion among financial sector leaders moderated by Deputy Treasury Secretary Sarah Bloom Raskin.

Here are five takeaways for companies large and small:

  1. Companies are only as secure as their most vulnerable employee.…
  2. More

Update on President Obama’s “Summit on Cybersecurity and Consumer Protection,” Part II: The Executive Order

As a follow up to our summary of the key takeaways from the White House’s first Summit on Cybersecurity and Consumer Protection, the centerpiece of which was President Obama’s signing of a new Executive Order, “Promoting Private Sector Cybersecurity Information Sharing,” what follows is an analysis of that Order.

What does the Order actually do?

The Order “promotes…encourages…and…allows” but does not require anything.… More

Update on President Obama’s “Summit on Cybersecurity and Consumer Protection,” Part I

The first ever Summit on Cybersecurity and Consumer Protection was convened today at Stanford University, keynoted by President Obama.  The purpose of the summit:  to “bring[] together major stakeholders on consumer financial protection issues to discuss how all members of our financial system can work together to further protect American consumers and their financial data.”  These stakeholders, a number of public and private sector leaders,… More

Medical Billing Provider and its Former CEO Settle FTC Charges That They Misled Consumers About Collection of Personal Health Data

In an age when many of us briskly scroll through website terms and conditions and check, “I agree” without thinking, how should businesses design their websites to obtain proper authorization to access users’ sensitive information? The announcement of the settlement of a pair of recent FTC complaints against PaymentsMD, a medical billing services provider and its former CEO, and the resulting settlement, provide some important guidance,… More

FCC Enters the Data Security Enforcement Field with $10 Million Fine on Telecoms

In a first for the FCC, it announced on October 24 that it intends to fine two telecom companies $10 million for data security violations:

The FCC intends to fine TerraCom, Inc. and YourTel America, Inc. $10 million for several violations of laws protecting the privacy of phone customers’ personal information. According to an investigation by the Enforcement Bureau, TerraCom and YourTel apparently stored Social Security numbers, names,… More

COPPA Compliance is Important for General Audience Websites, Too

Yelp’s $450,000 settlement with the FTC in September should serve as an important reminder for all owners and operators of websites or mobile apps – even if your site is not for kids, you need to know and abidge by what the Children’s Online Privacy Protection Act (COPPA), and the related COPPA Rule, requires.

Yelp allows registered users to write reviews of local businesses. A user can access Yelp through desktop and mobile websites,… More

Don’t Put Off That New HIPAA Business Associate Agreement: September 23, 2014 Deadline Looms

It’s been a while, but we have another HIPAA deadline just around the corner: September 23, 2014.

September 23, 2014 is the date by which all HIPAA business associate agreements need to be in compliance with the current HIPAA regulations (often called the Omnibus Rule). The current rules went into effect on March 26, 2013, but certain then-existing HIPAA BAAs were grandfathered and did not have to be updated immediately.… More

New COPPA Safe Harbor Added By iKeepSafe

Last week, the FTC announced approval of a new Safe Harbor Program under the Children’s Online Privacy Protection Act (COPPA), called iKeepSafe. The program was created by the Internet Keep Safe Coalition, a nonprofit organization that describes its goal as the “creation of positive resources for parents, educators and policymakers who teach youths how to use new media devices and platforms in safe and healthy ways.”

The COPPA Rule affords some flexibility in compliance through use of a safe harbor provision,… More

App Developers Should Note Revisions to COPPA FAQs

The FTC’s July 10, 2014 complaint filed against Amazon has left app developers with concerns about how to make apps that target kids and still comply with the law. The complaint, brought under Section 5(a) of the FTC Act, alleged that Amazon failed to obtain parents’ or account holders’ informed consent to in-app charges incurred by children. While the complaint was not brought under the Children’s Online Privacy Protection Act (COPPA),… More

In Riley v. California, Supreme Court Rules Police Must Obtain Warrant before Searching Cell Phones

In a unanimous decision issued today, the Supreme Court ruled that police cannot search the cell phones of arrested individuals without a warrant. In reaching its decision, the Court recognized that there is an immense amount of personal information on smart phones and held that access to that information would constitute a significant invasion of individual privacy. With the relatively recent invention of cell phones and the sudden pervasiveness of smart phones in the United States,… More

The Revised COPPA Rule and “Personal Information” – One Example that Balances Anonymity and Interactivity

The revised Children’s Online Privacy Protection Act (“COPPA”) Rules, as discussed here previously were meant to bring regulations in line with, in the FTC’s words, the “rapid-fire pace of technological changes to the online environment” that  have taken place since COPPA was passed in 2000.  This week’s Boston Globe article about the new public television production, WGBH’s “Plum Landing,” provides an interesting illustration of the impact of the revised COPPA Rule.… More

State Securities Regulators in Massachusetts and Illinois Survey Investment Advisors on Cybersecurity Practices

Picking up on the SEC’s initiative to assess cybersecurity preparedness discussed here previously, state securities regulators in Massachusetts and Illinois sent to investment advisors registered in their respective states a survey on their cybersecurity practices.

The Massachusetts surveys were sent on June 3 and a response is due on June 24. William F. Galvin, Secretary of the Commonwealth, whose jurisdiction includes the Massachusetts Securities Division,… More

European Court Establishes “Right to be Forgotten” Online

(This was originally posted May 13, 2014 on CRS and the Law.)

Flag_of_Europe.svgToday’s decision by the European Court of Justice (ECJ) that individuals enjoy the right to have truthful yet unflattering information about them “forgotten” from online search results is generating a great deal of controversy in Europe and beyond. In a case brought by Spanish national Mario Costeja Gonzalez against Google demanding that the search giant remove results referring to a years-old newspaper notice of a tax auction of his property,… More

Initial Thoughts on The FTC Report, “Data Brokers: A Call for Transparency and Accountability”

In a 110 page report issued yesterday, the Federal Trade Commission suggested that data brokers operate without transparency and asked Congress to consider enacting legislation to make data broker practices more visible to consumers and to give consumers greater control over personal information that is collected and shared by data brokers.

The report, “Data Brokers: A Call for Transparency and Accountability” is the result of a study of nine data brokers undertaken by the FTC to shed light on the data broker industry. … More

HHS OCR Issues HIPAA Guidance on Sharing Information Related to Mental Health

On February 20, the U.S. Department of Health and Human Services Office of Civil Rights (HHS OCR) released new guidance explaining how the HIPAA Privacy Rule operates to protect individuals’ privacy rights with respect to their mental health information and in what circumstances the Privacy Rule permits health care providers to communicate with patients’ family members and others to enhance treatment and assure safety.

The guidance is essentially a set of answers to frequently asked questions. … More

Privacy Concerns “Cloud” Storage of Student Data

Privacy concerns have threatened the plans of the New York State Department of Education to use third party contractor, inBloom, to store and integrate student data in a cloud-based system.  On January 10, the Department announced that it would delay release of additional student data to inBloom.  The delay, which the Department said is normal for a project of its size, comes after a class of parents filed suit in November and New York legislators proposed a bill requiring parental consent before sharing such data.… More

Want to Read Up on Cyber Issues Over the Holidays?

Have you wanted to read up on the many cyber security issues that have arisen over the past year but which you did not have time to follow in detail?  We have just the thing — four reports from the Congressional Research Service, the low-key public policy research branch of the U.S. Congress (so low-key that they do not have a web site).

Four recent CRS reports on timely cyber topics are:

Federal Judge Rules NSA Phone Record Collection Likely Unconstitutional

In a 68 page order issued earlier today, a federal district court judge ruled in favor of five plaintiffs challenging the NSA’s collection of phone record information, finding that the plaintiffs:

  • “have standing to challenge the constitutionality of the Government’s bulk collection and querying of phone records metadata”;
  • “have demonstrated a substantial likelihood of success on the merits of their Fourth Amendment claim”;…
  • More

Should the Computer Fraud and Abuse Act Only Apply to Acts That Are Hard to Do?

The United States District Court for the Northern District of California recently refused to dismiss a Computer Fraud and Abuse Act (CFAA) claim with an unusual twist:  the defendant allegedly circumvented an IP address block after receiving a cease-and-desist letter from the plaintiff and therefore is alleged to have acted “without authorization” in violation of the CFAA.

The dispute began with Craigslist Inc.… More

HHS OCR Issues HIPAA Guidance on Refill Reminders, Decedent Information, Disclosure of Proof of Student Immunications and Delays CLIA Lab Enforcement

Late last night, HHS OCR issued its anticipated guidance on “The HIPAA Privacy Rule and Refill Reminders and Other Communications about a Drug or Biologic Currently Being Prescribed for the Individual.”  A new “Fact Sheet” and corresponding “Frequently Asked Questions” attempt to explain how the refill reminder exception to the marketing rule works, and seek to address both the scope of communications that fall within the exception,… More

HIPAA Unconstitutional? Maybe Not, But New Marketing Regulations Are Coming

You may have seen the recent lawsuit alleging that HIPAA’s marketing regulations are unconstitutional.  In that case, the plaintiff is a company that “provides a refill reminder service and other adherence messaging services,” Adheris, Inc.

Adheris sued the Department of Health and Human Services because HIPAA’s regulations threaten to put it out of business.  In particular, HIPAA now requires patient authorizations for its kind of patient reminders. … More

Revised COPPA Rules Go Into Effect July 1, 2013

In order to “keep up with technology,” the FTC revised the Children’s Online Privacy Protection Rule (COPPA) in 2012.  As a result of those revisions, some companies that may not have been covered by COPPA may now be covered, and the effective date of those changes is today, given the July 1st effective date of the revised COPPA Rule.  To streamline your response to these issues, the FTC has developed a six-step COPPA compliance guide:

Step 1: Determine if Your Company is a Website or Online Service that Collects Personal Information from Kids Under 13.… More

FTC Issues Revised Business Guide on ‘Red Flags’ Identity Theft Rule

The Federal Trade Commission has issued revised guidance designed to help businesses comply with the requirements of the Red Flags Rule, which protects consumers by requiring businesses to watch for and respond to warning signs or “red flags” of identity theft.

 The guidance outlines which businesses – financial institutions and some creditors – are covered by the Rule and what is required of businesses to protect consumers from identity theft. … More

Recent Massachusetts Supreme Judicial Court Case Starts a Wave of Lawsuits Against Retailers for Collecting Customer ZIP Codes

            In a recent decision, the Massachusetts Supreme Judicial Court (SJC) determined that customer ZIP Codes are “personal identification information” that retailers are prohibited from collecting during credit card transactions.  With this decision, the Massachusetts high court may have set off a wave of new class-action lawsuits against retailers that collected customer ZIP Codes.  Especially vulnerable are those retailers that collected customer ZIP Codes and used them to send unwanted marketing materials or sold the ZIP Codes or information derived from them to third parties. … More

The Split in the Circuit Courts Over the Proper Interpretation of the Computer Fraud and Abuse Act Actually Goes Three Ways

Posted on March 15th, 2013 by
on our sister blog, Massachusetts Noncompete Law.
 
            I’ve written many times More about the significant split in circuit courts’ interpretation of the Computer Fraud and Abuse Act (CFAA), which affects whether an employer can sue an employee for violating computer use restrictions, usually embodied in a confidentiality agreement or company IT policy, when an employee downloads confidential information he is permitted to access but then takes that information to a competitor. …

Commentary on the Status of the Computer Fraud and Abuse Act

 

Massachusetts Lawyers Weekly

Feb 18, 2013
U.S. Supreme Court takes pass on CFAA lawsuit; uncertainty remains
In 1st Circuit, ‘ball in employer’s court’

By Correy E. Stephenson More

The U.S. Supreme Court’s denial of certiorari in a Computer Fraud and Abuse Act case leaves employment lawyers in the 1st Circuit and beyond with continuing uncertainty.Employers frequently add a CFAA claim to suits against former employees that take confidential information from company computer systems.…

PCI-DSS Update: The Payment Card Industry Security Standards Council Issues Guidelines for Security Risk Assessments, Cloud Computing, and Accepting Payments on Mobile Devices

Merchants who accept credit cards have a duty to protect customer information, not only by law (see, e.g., 201 CMR 17.00), but also because the credit card companies tell them so.  The Payment Card Industry Security Standards Council was created by Visa, MasterCard and American Express to tell merchants precisely what they are supposed to do to protect consumers.  Merchants must follow the Payment Card Industry Data Security Standard (PCI DSS) or risk fines or losing the ability to process credit cards. … More

Pentagon to Increase Cybersecurity Force More than Five Times Current Size

In a recent article, the Washington Post reported that “The Pentagon has approved a major expansion of its cybersecurity force over the next several years, increasing its size more than fivefold to bolster the nation’s ability to defend critical computer systems and conduct offensive computer operations against foreign adversaries.”

The Pentagon’s plan would create three types of forces under the Cyber Command:

  • “national mission forces” to protect computer systems that undergird electrical grids,…
  • More

HIPAA “Omnibus” Regulations Published in Federal Register

The revised HIPAA regulations were formally published today in the Federal Register.  In this form, they only take up 138 pages!

Law360 has a brief piece on the revised HIPAA rules, with the perspectives of various attorneys (including me) on the changes.  While I’m not sure I agree with the quote that “This is a paradigm shift in the privacy world,” I do agree that this is “definitely something for all businesses to pay attention to.”  Similarly,… More

The Wait Is Over! HHS Finally Issues Revised HIPAA Privacy and Security Regulations

Nearly four years after the passage of the HITECH Act and its amendments to HIPAA, and nearly three years after it proposed regulatory amendments, the U.S. Department of Health and Human Services (“HHS”) has finally issued major revisions to HIPAA’s privacy and security regulations.

While we are still making our way through all 563 pages of the regulations and related regulatory comments (and will have a more detailed analysis shortly in this space),… More

Massachusetts Attorney General Secures $140,000 Settlement of Claims that Patient Information Was Left in a Town Dump

The Massachusetts Attorney General announced today that the former owners of a medical billing practice and four pathology groups have agreed to collectively pay $140,000 to settle allegations that medical records and patient billing information for “tens of thousands of Massachusetts patients were improperly disposed of at a public dump.”  Under the settlements, the defendants have agreed to pay a total of $140,000 for civil penalties, attorney fees,… More

HHS Announces First HIPAA Breach Settlement Involving Less than 500 Patients

The Department of Health and Human Services’ Office for Civil Rights (“HHS OCR“) announced today that it was, for the first time, entering into a monetary HIPAA settlement for a breach involving less than 500 patients: the Hospice of North Idaho (HONI) has agreed to pay HHS OCR $50,000 to settle potential HIPAA security rule violations.

HHS OCR began its investigation after HONI reported to it that an unencrypted laptop computer containing the electronic protected health information (“ePHI”) of 441 patients had been stolen in June 2010.… More

NLRB Confirms that Comments Posted on Social Media May Be Entitled to Protection

In a post from earlier today, my colleagues, Lyndsey Kruzer and Mike Rosen, discuss the NLRB’s conclusion that social media comments can be protected activity:

The National Labor Relations Board (NLRB) recently issued a significant decision – solidifying the position it has staked out over the past 18 months – that an employee’s posts on social media may be entitled to protection under the National Labor Relations Act (NLRA),… More

Law360: “HHS Data-Scrubbing Guidance Backs Strict Privacy Definitions”

Today’s Law360 addresses “HHS Data-Scrubbing Guidance” with quotes from me and others on the subject:

Clarifying the types of data that need to be removed from data sets can also help companies maximize the value of the information that they hold as the value of and ability to use this data for research and public health purposes increases, Foley Hoag LLP security and privacy practice co-chair Colin Zick added.… More

HHS OCR Issues Guidance Regarding Methods for De-identification of PHI in Accordance with HIPAA

On November 26, HHS OCR released guidance regarding methods for de-identification of protected health information in accordance with the HIPAA Privacy Rule. This guidance fulfills the American Recovery and Reinvestment Act of 2009 (ARRA) mandate that HHS issue such guidance.

Following the passage of ARRA, OCR collected research and views regarding de-identification approaches, best practices for implementation and management of the current de-identification standard and potential changes to address policy concerns.… More

Judicial Privacy and Deliberations Protected by Massachusetts High Court Decision

In a case that has received wide attention, the Massachusetts Supreme Judicial Court has issued a decision barring ethics investigators from asking a Massachusetts judge how he reached individual decisions during his 21 years on the bench. This is one of the few published decision to recognize a deliberative privilege for the judiciary, with the court concluding that: “the best approach is to consider this privilege narrowly tailored but absolute.”… More

New Hampshire Federal Court Interprets the Computer Fraud and Abuse Act More Narrowly Than Massachusetts Federal Court and Dismisses Claims Based on Violations of Computer Use Restrictions

As posted earlier today by Brian P. Bialas on the Massachusetts Non-Compete blog, a recent case from the U.S. District Court for the District of New Hampshire highlights the split between the District of New Hampshire and the District of Massachusetts over the proper interpretation of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, in particular the phrase “exceeds authorized access.”… More

Want to Learn HIPAA Just Like Your State Attorney General? Now You Can!

As you may recall, the Health Information Technology for Clinical and Economic Health (HITECH) Act  gives state Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules.  Some states, like Massachusetts, have already started to use this authority to bring and settle cases

To advance state enforcement, HHS OCR has developed HIPAA Enforcement Training modules,… More

A Few Thoughts from Deputy Undersecretary for Cybersecurity, Mark Weatherford, Department of Homeland Security

On May 16, Deputy Undersecretary for Cybersecurity, Mark Weatherford, spoke to the Advanced Cyber Security Center about DHS’s cyber security priorities: Information Sharing, R&D, and the Advanced Persistent Threat.

On Information Sharing:  This is a continuing challenge, in part because of the way the federal government shares information.  At present, the federal government provides cyber threat information to private sector organizations,… More

Data Breaches Keep Privacy and Security Lawyers Increasingly Busy and Looking for Recruits, But Recruits Are Hard to Find

Interesting article from Of Counsel regarding both the substance and the business of data privacy and security law.  Lawyers from several firms (including me) talk about current and pending legislation, the mechanisms of compliance and breach response, and the pipeline for new lawyers in the field of data security and privacy. 

One of the other attorneys discussed the shortage of trained attorneys in this area as follows:

You’d think,… More

Data Breaches Continue To Be A Problem For Health Care Providers: South Shore Hospital (Massachusetts) Pays $750,000 To Settle Data Breach Charges

An aptly-timed article from Mass High Tech Business News noted earlier today that: “Data Breaches [Are] a Growing Problem in Health Care.”  This article focused on a recent breach at Boston Children’s Hospital involving the records of 2,000 patients.

The article was prescient, as this afternoon, the Massachusetts Attorney General announced a $750,000 settlement with suburban Boston’s South Shore Hospital, relating to a 2010 data breach.… More

ONC (“Office of the National Coordinator for Health Information Technology”) Issues Guide to Privacy and Security of Health Information

The Office of the National Coordinator for Health Information Technology (“ONC”) has issued a Guide to Privacy and Security of Health Information Guide to Privacy and Security of Health Information. The guide is targeted at smaller health care providers and their administrative staff members. The 47 pages contain five chapters:

  • Chapter 1: What Is Privacy & Security and Why Does It Matter?
  • Chapter 2: Privacy &…
  • More

Ninth Circuit En Banc Decision Creates Circuit Split with First Circuit that Affects Employer Claims Against Employees under the Computer Fraud and Abuse Act

(This post also appears in www.massachusettsnoncompetelaw.com)

Below is an article that I wrote for the June edition of Massachusetts Lawyers Journal, the monthly publication of the Massachusetts Bar Association. It discusses an important case that interprets the Computer Fraud and Abuse Act Moreand the split in the law that case has created with the First Circuit, which includes Massachusetts.The U.S. District Court for the District of Massachusetts has noted that employers are increasingly using the federal Computer Fraud and Abuse Act (CFAA) “to sue former employees and their new companies who seek a competitive edge through wrongful use of information from the former employer’s computer system.” But in April,…

Second Circuit Reverses Convictions in Data-Theft Prosecution and Narrowly Interprets Federal Criminal Statutes with Important Intellectual Property Implications

In February 2012, following oral argument, the U.S. Court of Appeals for the Second Circuit issued a brief order reversing Sergey Aleynikov’s convictions for violating the National Stolen Property Act, 18 U.S.C. § 2314 (“NSPA”), and the Economic Espionage Act, 18 U.S.C. § 1832(b) (“EEA”), and stating a longer opinion would follow. In that promised opinion, which was issued earlier this month, see United States v. Aleynikov,… More

FTC Releases Final Report: “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers”

FTC has today, at last, released the final version of its original 2010 Report “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers.”  As we have discussed previously, comments on the draft report were taken through January 31, 2011 and the final report had been expected in 2011.

The FTC received over 450 comments from businesses,… More

New Case Highlights Split of Authority Interpreting the Computer Fraud and Abuse Act

Employers increasingly are suing former employees who have left to join or form competing companies using the civil remedies available under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. They use the CFAA to prevent their former employees from using sensitive information obtained from the former employer’s computer system. The scope of the CFAA, however, is subject to hot debate among the federal courts,… More

$1.5 Million Settlement of First HIPAA Enforcement Action Resulting from HITECH Breach Notification Rule

The trend toward increasingly large health information breach settlements has continued with yesterday’s announcement thatBlue Cross Blue Shield of Tennessee (BCBST) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,500,000 to settle potential violations of HIPAA’s Privacy and Security Rules, HHS’s Office of Civil Rights. BCBST also agreed to a corrective action plan to address gaps in its HIPAA compliance program.… More

Breaking Down the White House Privacy Framework–a Video Blog

Here is a video discussion I had with LexBlog on the new White House Data Privacy report, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.” In this conversation, we discussed the report’s four primary elements:

  • a Consumer Privacy Bill of Rights,
  • a multistakeholder process to specify how the principles in the Consumer Privacy Bill of Rights apply in particular business contexts,…
  • More

Court Sides with Facebook, Finds Social Networking “Experience” Website Violated CAN-SPAM and Other Data Security Statutes

In a case brought by Facebook, a U.S. district court recently concluded that a website that offered to integrate multiple social networking accounts into a single social networking “experience” violated the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM Act”), the Computer Fraud and Abuse Act (“CFAA”), and California Penal Code § 502. Facebook, Inc. v. Power Ventures,… More

White House Releases Long-Anticipated Privacy Report

The White House has finally released its long-anticipated report on consumer privacy.The 60-page White House report, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy,” is the start of what promises to be a fascinating legislative and regulatory process. 

It is curious that the Department of Commerce has been charged with "work[ing] with other Federal agencies to convene stakeholders,… More

State Attorneys General Write to Google

In a letter sent earlier today, 37 state attorneys generals (or their equivalents) wrote to Larry Page, Google’s CEO, "to express our strong concerns with the new privacy policy that Google announced it will be adopting for all of its consumer products."

According to the letter:

Google’s new privacy policy is troubling for a number of reasons. On a fundamental level, the policy appears to invade consumer privacy by automatically sharing personal information consumers input into one Google product with all Google products.… More

More on Google’s Privacy Policy

Here is an excerpt from my interview yesterday with Jon Mitchell of ReadWriteWeb:

"From a legal perspective, I’m not seeing anything that’s much different in what’s being proposed to take effect on March 1 and what’s in place right now," Zick says. "In particular, the language about sharing across services has been in [Google’s policies] for a long time."

Zick points out that all the past versions of Google’s privacy policies are on the website,… More

Jail Time for Man Who Accessed Computer of a Competing Medical Practice

An Atlanta, Georgia man was sentenced earlier this month to one year and one month in prison for intentionally accessing a computer of a competing medical practice, and taking personal information of the patients.  The individual made this improper access in order to send marketing materials to patients at the other practice.

The individual worked as an information technology specialist for a perinatal medical practice in Atlanta.  He separated from employment from the first practice and joined a competing perinatal medical practice, located in the same building.  He then used his home computer to hack into his former employer’s patient database. … More

Supreme Court Holds Warrant Required for GPS Tracking

The Supreme Court today issued an opinion holding that police cannot track a suspect using GPS without first getting a warrant.

Justice Scalia wrote the opinion, for a unanimous court, and concluded:  “We hold that the Government’s installation of a GPS device on a target’s vehicle, and its use of that device to monitor the vehicle’s movements, constitutes a ‘search.’  It is important to be clear about what occurred in this case: The Government physically occupied private property for the purpose of obtaining information.”… More

Medicare Contractors Lag on Information Security

This report from the Office of the Inspector General for the Department of Health and Human Services reveals significant holes in Medicare contractor security.  Here’s a notable excerpt:

Security Awareness Training
The Computer Security Act of 1987 (P.L. No. 100-235) requires periodic training in computer security awareness and accepted computer practices for all employees who manage, use, or operate Federal computer systems. Additionally,… More

SEC Issues Guidance On Use of Social Media by Investment Advisers

My colleagues Jen Audeh and Jeff Collins have analyzed the SEC’s guidance on the use of social media by investment advisors.  Because of the overlap this issue has with data privacy and security, we are providing this except and a link to their summary:

On January 4, 2012 the SEC’s Office of Compliance Inspections and Examinations issued an exam alert to registered investment advisers which included guidance on the use of social media.… More

“Once More Unto the Breach, Dear Friends, Once More”: The Increasing Recognition of Complexity in Data Breach Response and Reporting

In an article in today’s New York Times, we get some real-life insight into the difficulties in responding to a data breach.  Even simple questions, like whether or not to report the breach and who is responsible for reporting it, take on unforeseen complexity.

The particular breach in question happened at the Massachusetts eHealth Collaborative, when an employee’s car was broken into and a company laptop stolen. … More

“Foreign Spies Stealing US Economic Secrets in Cyberspace”

With an inflammatory title like “Foreign Spies Stealing US Economic Secrets in Cyberspace,” the Office of the National Counterintelligence Executive’s “Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011” is tough to ignore.

The Report’s conclusions are equally notable for their candor about the recent actions of the Chinese and Russian governments:

  • “Chinese actors are the world’s most active and persistent perpetrators of economic espionage.…
  • More

More Consumer Data Security and Privacy Legislation Introduced

The latest legislator to enter into the federal data security and privacy sweepstakes is Senator Richard Blumenthal (D-CT) who introduced legislation, S. 1535, on September 8.  This bill, if passed, would require companies dealing with consumers to strengthen their data security and privacy policies.  In particular, Senator Blumenthal’s bill, “The Personal Data Protection and Breach Accountability Act,” would required businesses that collect the personal information of over 10,000 customers to employ specific privacy and security measures,… More

Another Big HIPAA Settlement: The UCLA Health System Settles for $865,000

In another sign that OCR is continuing to seek significant penalties for HIPAA violations, it announced on July 7 that the UCLA Health System ("UCLAHS") has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with those rules.  This follows on the heels of Massachusetts General Hospital’s $1 million settlement with OCR.… More

Supreme Court Strikes Down Vermont Data Mining Law

The Supreme Court this morning voted 6-3 to strike down a Vermont statute that sought to impose significant restrictions on pharmaceutical data mining activities. Justice Kennedy’s opinion in the closely-watched case of IMS v. Sorrell held that the Vermont statute was an unconstitutional regulation of commercial speech.

The first paragraph of Justice Kennedy’s opinion provides a brief summary of the posture of the case and of the Court’s decision:

Vermont law restricts the sale,… More

Is Teamwork the Answer to Data Security?

Increasingly, alliances are viewed as an important way to improve data security.  The Washington Post reports that the National Security Agency is now working with Internet service providers to thwart cyberattacks against defense firms by foreign adversaries.  We have previously noted two other initiatives:   the Advanced Cyber Security Center (to which Foley Hoag serves as legal counsel).and InfraGuard, a Federal Bureau of Investigation program. … More

2011: The Year of the Breach

We are six months into 2011, and it seems destined to be “The Year of the Breach.”  In just the past few months, major American (and multi-national) corporations and institutions have reported that they have been the victims of some kind of security breach:

Does Briar Group’s Massachusetts Settlement Create a New Legal Standard That Businesses Must Meet to Protect Personal Information?

A recent settlement in a data breach case exemplifies how the government can go beyond a statutory scheme and use private industry standards to protect personal information and impose sanctions on violators.

The Massachusetts AG filed suit against the Briar Group, the owner of a number of bars in the Boston area (including two of my personal favorites, the Harp and Ned Devine’s) in the wake of a 2009 data breach involving credit card numbers and other personal data. … More

Information Security In the Age of WikiLeaks

InformationWeek has published an interesting Analytics Brief on "Information Security in the Age of WikiLeaks."  (Subscription required.)  The brief discusses the following subjects:

  • Could a Major Security Breach Be on the Horizon?
  • The Smartphone Dilemma
  • What Elements Are Currently Covered in Your Organization’s Security Awareness Program?
  • Security Budgets Fare Well
  • Implementing Risk Management Disciplines
  • Do You Really Know Who Your Friends Are?…
  • More

White House Releases Framework for National Strategy for Trusted Identities in Cyberspace

On April 15, the White House formally released its National Strategy for Trusted Identities in Cyberspace. As we noted earlier, the “trusted identity” concept is intended to allow the public and private sectors to collaborate in order to raise the level of trust associated with the exposure of the identities of individuals, organizations, networks, services and devices in online transactions:

The goal of NSTIC is to create an “Identity Ecosystem”… More

Obama Administration Seeks “Consumer Privacy Bill of Rights”

In March 16, 2011 testimony before the Senate Committee on Commerce, Science, and Transportation, the Obama Administration formally asked Congress to pass a "consumer privacy bill of rights" enforced by the FTC:

Legislation to provide a stronger statutory framework to protect consumers’ online
privacy interests should contain three key elements. First, the Administration recommends that legislation set forth baseline consumer data privacy protections—that is, a “consumer privacy bill of rights.”… More

Online Advertising Company Chitikia Enters FTC Consent Agreement for Deceptive “Opt-Out” Policy

Targeted online advertising has been the focus of much discussion since the release of the FTC’s “Do Not Track” proposals late last year. User tracking for advertising purposes is also the focus of the FTC’s latest privacy enforcement action, which has resulted in a consent agreement with an online advertising company, Massachusetts-based Chitika, Inc., which creates ads for such major publishers as the Hearst Corporation and Salary.com.… More

Health Net Announces Second Major Breach in Two Years; Creates Potential for Largest Ever Penalty

On March 14, the California-based managed care organization, Health Net, Inc., announced that it cannot account for "several server drives" that contained protected health informationAccording to California regulators, these servers appear to contain the data of 1.9 million people nationwide:

The company announced today that nine of its server drives containing personal information for 1.9 million current and past enrollees nationwide are missing, including records for more than 622,000 enrollees in Health Net products regulated by the DMHC,… More

What Is Inside Mass General’s $1 Million HIPAA Settlement?

As we noted earlier this month, Massachusetts General Hospital recently entered into a $1 million Resolution Agreement  and Corrective Action Plan with the Department of Health and Human Services’ Office of Civil Rights.  This settlement stemmed from an incident on March 9, 2009, when a MGH employee was commuting on the subway, "removed documents containing PHI from her bag and placed them on the seat beside her. The documents were not in an envelope and were bound with a rubber band.… More

Supreme Court Rules Corporations Do Not Have Privacy Rights under FOIA

In a March 1, 2011 decision that has received much publicity (despite stating a fairly obvious conclusion), the Supreme Court ruled that the term "personal privacy" does not apply to corporations, at least in the context of the Freedom of Information Act ("FOIA"). 

The decision, FCC v. AT&T Inc., reflects the Supreme Court application of a particular exemption to FOIA.  Exemption 7(C) covers law enforcement records the disclosure of which “could reasonably be expected to constitute an unwarranted invasion of personal privacy.”… More

Compliance Approaches in the Changing HIT Privacy and Security Landscape: How You Can Nurture a Culture of Health Information Security and Privacy

My slides from this presentation, "Compliance Approaches in the Changing HIT Privacy and Security Landscape:  How You Can Nurture a Culture of Health Information Security and Privacy" cover HIPAA and HITECH developments and compliance, with a focus on breaches and OCR settlements/penalties, including:

FTC Publishes Copier Data Security Guide

As we noted back in May, digital copiers have caught the eye of government privacy enforcers.  If you have a digital copier at your business, you should review the FTC’s Copier Data Security: A Guide for Businesses.  In that Guide, the FTC suggests that “your information security plans .  . . should cover the digital copiers your company uses. If the data on your copiers gets into the wrong hands,… More

HHS Fines Cignet Health $4.3 Million for HIPAA Violations

Earlier today, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued a Notice of Final Determination finding that Cignet Health of Prince George’s County, Md., (Cignet) violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS imposed a civil money penalty (CMP) of $4.3 million for the violations, representing what OCR said was "the first CMP issued by the Department for a covered entity’s violations of the HIPAA Privacy Rule." … More

500 Is a Magic Number: Health Information Breaches Impacting 499 or Fewer Patients Likely Go Uninvestigated By OCR

In the recently-released fiscal 2012 budget for HHS, a dirty little secret has been acknowledged:  the Office of Civil Rights does not have the resources to review all reported breaches of health information.  In fact, if you have a breach that impacts up to 499 people, you are unlikely to hear from OCR at all:

Current OCR practice is to validate, post to the HHS website,… More

U.S. Supreme Court Upholds NASA Background Checks

In NASA v. Nelson, decided today by the U.S. Supreme Court, the high court rejected a challenge to “a section of a form questionnaire that asks employees about treatment or counseling for recent illegal-drug use . . .  [and] to certain open-ended questions on a form sent to employees’ designated references.”

This particular challenge came from 28 employees of the Jet Propulsion Laboratory (“JPL”).  JPL is staffed exclusively by contract employees. … More

Genetic Privacy Rights Group Publishes Guide to the World’s DNA Databases

The Council for Responsible Genetics has published a guide to the world’s DNA databases.  According to the guide, 56 countries (and in the U.S., all 50 states) maintain DNA databases.

CRG describes itself as a "catalyst and thought leader in the movement to steer biotechnology toward the advancement of public health, environmental protection, equal justice and respect for human rights."  Although CRG has its own unique perspective on whether DNA databases should exist and how they should be used,… More

Does the FTC’s Report on “Protecting Consumer Privacy…” Apply to Non-Profits?

Earlier this month, the Federal Trade Commission (“FTC”) released a preliminary staff report entitled, “Protecting Consumer Privacy in an Era of Rapid Change:  A Proposed Framework for Businesses and Policymakers.” According to the FTC, the report is intended “to inform policymakers, including Congress, as they develop solutions, policies, and potential laws governing privacy, and guide and motivate industry as it develops more robust and effective best practices and self-regulatory guidelines.” Judging from the initial wave of public commentary,… More

Will 2011 Bring Us “Do Not Track” Legislation?

Posted below is another contribution from my colleague David Broadwin on our Emerging Enterprise Center blog about the potential for legislative change in 2011. I agree with the conclusions he draws:

  1. This is an area where bipartisan concensus is possible.
  2. The industry powers will fight against “Do Not Track” and will win that fight.
  3. Industry will accept some other form of regulation in exchange for defeating “Do Not Track.”

We could see passage of a federal data security and privacy statute,… More

FTC Proposes Privacy Framework That Will Impact the Business Model of All Online and Mobile Advertising Companies

Our colleagues in Foley Hoag’s Emerging Enterprise Center have summarized the FTC preliminary staff report, “Protecting Consumer Privacy in an Era of Rapid Change:  A Proposed Framework for Businesses and Policymakers,” which we posted on December 1.  We are cross-posting the analysis from their blog below.

It seems likely that the next two years will bring significant changes to this area,… More

FTC Releases Report: “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers”

Earlier today, the FTC released a preliminary staff report entitled, “Protecting Consumer Privacy in an Era of Rapid Change:  A Proposed Framework for Businesses and Policymakers.”  The report is over 100 pages long and suggests that changes need to be made regarding consumer privacy, stating:

Industry must do better. For every business, privacy should be a basic consideration –
similar to keeping track of costs and revenues,… More

California Department of Public Health Issues Privacy Breach Fines to 8 Health Care Facilities

On November 19, the California Department of Public Health (CDPH) announced that eight health care facilities (mostly hospitals) have been assessed administrative penalties and fines totaling $792,500 after a determination that the facilities failed to prevent unauthorized access to confidential patient medical information.

The fines ranged from a low of $5,000 to a high of $250,000:

  1. Biggs Gridley Memorial Hospital, Gridley, Butte County: The hospital was assessed a $5,000 fine after the facility failed to prevent unauthorized access of one patient’s medical information by two employees on three occasions.…
  2. More

Restricting Employees’ Internet Conduct May Violate Federal Labor Law

The following post was drafted by my colleagues Rob Fisher and Brian Bialas; although their focus is on the employment law aspects of this issue, the implications for corporate security/privacy policies are significant.  In particular, they note that such policies must not prohibit employees from criticizing their employer.  Time to check your existing policies on this point.

*  *  *

The rise of social media websites has created a host of challenges for employers.… More

Connecticut Insurance Commissioner Fines Health Net of Connecticut $375,000 for Information Security Lapses

On November 8, 2010, the Connecticut Insurance Commissioner, Thomas Sullivan announced that the state’s Insurance Department has reached an agreement with Health Net of Connecticut to pay $375,000 in penalties levied for what the Insurance Department characterized as "failures to safeguard the personal information of its members from misuse by third parties."  This included what the Insurance Department considered untimely notification of the 2009 loss of a disk drive resulting in the loss of personal health information of approximately 500,000 Connecticut members. … More

Taking of a Blood Sample and Creation of a DNA Profile Found Not to Be an Unreasonable Search

In a recent decision by the United States Court of Appeals for the First Circuit, Martin Boroiang v. Robert S. Mueller, III, et al., No. 09-1630, the First Circuit rejected a challenge to the requirement that a blood sample be given by a federal offender for purposes of creating a DNA profile and entering it into a centralized government database.

The DNA Analysis Backlog Elimination Act of 2000 (“DNA Act”) applies to individuals who have been convicted of a “qualifying federal offense”… More

Connecticut Attorney General Reaches First State HIPAA Settlement with Health Net

On July 6, 2010, Connecticut Attorney General Richard Blumenthal announced a settlement with Health Net and its affiliates (Health Net of the Northeast, Inc., Health Net of Connecticut Inc., and parent companies UnitedHealth Group Inc. and Oxford Health Plans.) of a suit that cited failure to secure private patient medical records and financial information on nearly a half million Connecticut enrollees and promptly notify consumers endangered by the breach.… More

FTC Delays Enforcement of Red Flags Rule Against Doctors & Hospitals Until Appeals Court Rules

On June 25, 2010, federal district court judge Reggie B. Walton of the United States District Court for the District of Columbia entered a stipulated court order (.pdf) directing the  Federal Trade Commission (FTC) to delay enforcement of the FTC’s Red Flags Rule against doctors and medical practices represented by the American Medical Association (AMA) and American Osteopathic Association.  The FTC and AMA agreed to this delay in a Joint Stipulation (.pdf),… More

Spokeo In Violation of Federal Privacy Laws According to New CDT Complaint Filed With FTC

This week, the Center for Democracy & Technology (CDT) submitted a complaint (.pdf) to the Federal Trade Commission (FTC) alleging that the data broker website Spokeo was violating federal financial privacy law by not taking adequate safeguards to protect consumers.  Spokeo is a website that bills itself as a search engine that allows users the ability to look up “people-related information from phone books,… More

Cracking Down: Twitter Settles Charges that It Did Not Take Adequate Security Precautions To Protect User Privacy Settings

Today, the Federal Trade Commission (FTC) and Twitter announced that Twitter has agreed to settle FTC charges that the company failed to take sufficient security measures to protect user privacy settings.

The FTC charges stem from breaches in security that occurred in 2009, when hackers accessed Twitter employee accounts and used administrative controls to access the Twitter accounts of high-profile users,… More

ALERT: FTC Delays Enforcement of Red Flags Rule Through December 31, 2010

Today, the Federal Trade Commission issued a press release and an Enforcement Policy extending the deadline for enforcement of the FTC’s Red Flags Rule through December 31, 2010. The agency cited requests from members of Congress for a postponement of the deadline while legislators tinker with federal law to exclude certain businesses from application of the Rule.

REMINDER: Red Flags Rule Enforcement Deadline Falls Next Week

This Tuesday, June 1, 2010, marks the official deadline for compliance with the Federal Trade Commission’s Red Flags Rule. The deadline for enforcement of the Red Flags Rule has been delayed repeatedly since its original deadline in November 2008, but the FTC has remained silent on further delays since it announced the current deadline in October of last year.
The FTC’s Red Flags Rule is a set of regulations that require financial institutions and creditors to adopt written identity theft prevention programs. The FTC sparked considerable controversy when it announced that the Rule applies broadly to a range of businesses unused to being subjected to financial industry regulation (i.e., any individual or company that bills its customers after it provides goods or services). As a result, a number of industry groups have filed lawsuits to challenge the FTC’s application of the Red Flags Rules to lawyers, accountants and, most recently, medical professionals.

New Google Tool Maps Goverment Requests For Users’ Personal Information

This week Google rolled out its Government Requests tool that quantifies the number of government requests it receives from various countries around the world.  The move was announced by David Drummond, Google’s Chief Legal Officer on Tuesday on the official Google blog.  In his post, Drummond stated:

So it’s no surprise that Google, like other technology and telecommunications companies, regularly receives demands from government agencies to remove content from our services.… More

Cracking Down: FINRA Fines Blackmailed Brokerage Firm $375,000 for Violation of Reg S-P

On Monday, the Financial Industry Regulatory Authority (FINRA) announced that brokerage firm D.A. Davidson & Co. had consented to the imposition of a $375,000 fine for lax security measures that allowed hackers working for an “international crime group” to obtain personal information on thousands of customers.

The breach itself occurred in December 2007 when hackers used a “SQL injection” attack to obtain data on over 100,000 Davidson’s customers from the firm’s online account system. … More

LifeLock To Pay $12 Million to Settle Charges That Identity Theft Prevention and Data Security Claims Were False

LifeLock, Inc., a self-proclaimed “industry leader in the rapidly growing field of identity theft protection” has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that Lifelock falsely promoted its identity theft protection services. Lifelock publicized its services through advertisements that publicly disclosed its CEO’s Social Security number. As part of the settlement,… More

FTC Tells Businesses, Schools and Local Governments: Stop Sharing Personal Information On Peer-To-Peer Filesharing Networks

The Federal Trade Commission (FTC) announced yesterday that it had notified "almost 100" companies and organizations, including schools and local governments, that sensitive personal information from those entities was being shared across peer-to-peer (P2P) filesharing networks. This has apparently resulted in circulation of customer personal information, health information, Social Security numbers and other sensitive data. 

Poorly supervised use of P2P networks have frequently been the subject of unwanted attention,… More

Is Tougher HIPAA Enforcement Finally On Its Way?

It has been well over a decade since the passage of HIPAA in 1996. HIPAA has caused many changes in the way the business of health care works, including going a long way to create the position of “health information professional.” One area where HIPAA has, as yet, had little impact has been in enforcement. The history of enforcement of HIPAA’s privacy and security rules has been slim and almost none. The changes in behavior that have occurred have been done out of a desire to follow the law,… More

ALERT: FTC Announces Delay in Red Flags Enforcement Until June 1, 2010

Two days before they were scheduled to go into effect, and on the same day that a federal judge ruled that lawyers should be excluded from enforcement, the Federal Trade Commission (FTC) announced today that it was delaying enforcement of its Red Flags Rule until June 1, 2010. Given the timing of the announcement, the most likely explanation for the delay is that the FTC wants to give itself time to appeal the district court’s decision in the ABA suit.

Federal Judge Rules That Lawyers Need Not Comply With Red Flags Rules

In an order entered this morning, Federal District Judge Reggie B. Walton granted the American Bar Association’s (ABA) request that lawyers be excluded from enforcement of the Federal Trade Commission’s (FTC’s) controversial Red Flags Rules. This comes as the legal community steeled itself for the FTC’s imminent November 1st enforcement deadline.

Subject of FBI Investigation Reveals Government Concerns About Access to Federal Courts’ Public PACER System

Reddit co-founder Aaron Swartz was apparently the subject of an FBI investigation for “participating in a project to take the publicly owned US court records from the PACER database (where they were very expensive to access) and put them on the web.” 

Mr. Swartz has made this information public by releasing the contents of his FBI file, obtained through a Freedom of Information Act request. His file reveals that the FBI was treating his access of PACER as a crime which cost the victim,… More

Incident of the Week: Declassified Documents Show FBI Expanding Data Mining Efforts Over 1.5 Billion Personal Records (And Counting)

Declassified documents obtained (but not published) by WIRED Magazine indicate that the FBI has been hard at work expanding a database of Americans’ personal and financial information.  According to WIRED, the FBI’s National Security Branch Analysis Center (NSAC) has compiled a database of  “more than 1.5 billion government and private-sector records” and has been mining this database for use in criminal investigations. The data, which apparently has been obtained from a number of private companies,… More

Massachusetts Supreme Judicial Court Allows Use of Secret GPS To Track an Individual’s Movements, But Requires Police To Obtain Warrant

Earlier this year, the Wisconsin and New York state courts split on whether police may install a covert GPS tracking device on a suspect’s car without a warrant.  On September 17, the Massachusetts Supreme Judicial Court addressed the GPS tracking device issue, ruling that Article 14 of the Massachusetts Declaration of Rights requires a warrant before such a device may be installed and used

The defendant,… More

FTC to Host Public Roundtables in December to Address Evolving Consumer Privacy Issues

The Federal Trade Commission will host a series of public "roundtable discussions" to explore the privacy challenges posed by "technology and business practices that collect and use consumer data," including social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The FTC’s expressed goal of the meetings is to determine how best to protect consumer privacy while supporting beneficial uses.… More

ABA Sues FTC To Stop Application of Red Flag Rules to Lawyers

In a move threatened but not expected this soon, the American Bar Association today sued the Federal Trade Commission, in an effort to stop the application of the Red Flags Rule to lawyers.  The Red Flags Rule is scheduled to go into effect on November 1, 2009. 

The complaint (.pdf), which was filed in federal district court in Washington, D.C., seeks declaratory and injunctive relief, with the goal of making clear that lawyers are not "creditors"… More

IRS In Discussions With Swiss Bank UBS Over Identification of Bank Clients Suspected of Tax Evasion

On July 13, a federal judge in Miami granted a joint motion to stay an evidentiary hearing that was to be held as a result of a petition from the United States that the Swiss bank UBS be compelled to disclose the names of 52,000 American clients who were suspected of tax evasion.  The case has raised concerns about the effects of privacy laws in other nations on the ability of the federal government to enforce its own laws and created tension between the Justice Department,… More

ALERT: FTC Announces Delay in Red Flags Enforcement Until November 1, 2009.

Amidst calls from the legal community, the Federal Trade Commission’s (FTC) announced this morning that it was delaying enforcement of the FTC’s Red Flag Rules until November 1, 2009.  The FTC’s announcement of the delay emerged almost as a footnote to a public statement devoted largely to the FTC’s "redoubled" efforts to "provid[e] additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply." … More

House Subcommittees Hold Joint Hearing On Behavioral Advertising

On June 18, 2009, the House Subcommittee on Commerce, Trade and Consumer Protection held a joint hearing with the Subcommittee on Communications, Technology, and the Internet on the topic of “Behavioral Advertising: Industry Practices and Consumer Expectations.” The subcommittee members explained that they hoped the hearing would help determine the need and possible parameters for new legislation governing privacy and behavioral advertising. More

Good News and Bad News: An Employer Is Hiring; It’s The HHS Office of Civil Rights!

In an email to its listserv earlier today, the federal Department of Health and Human Services announced it "is expanding its health information privacy enforcement team."  In particular, HHS is hiring for two new positions are located in HHS’s "Office of the Secretary, Office for Civil Rights (OCR), Office of the Deputy Director Health Information Privacy (ODDHIP)."  As described on USAJOBS.GOV, the people to be hired "will be responsible for reviewing,… More

FTC and Other Agencies Issue Frequently Asked Questions (With Answers) on Red Flags Rules

On June 11, 2009, six federal agencies issued answers to a set of frequently asked questions (FAQ) (.pdf) to “assist financial institutions, creditors, users of consumer reports and card issuers in complying with the final rulemaking” on identity theft.  The agencies behind the FAQ are those that originally promulgated the Red Flags Rules (and issued Guidelines to assist covered entities in designing compliance programs): the Federal Trade Commission (FTC),… More

ABA to Consider Asking FTC and Congress to Exempt Lawyers from Red Flags Rules

A contact at the American Bar Association (ABA) confirmed by telephone today that the ABA Board of Governors is meeting this Saturday, June 13, 2009 to determine what position the ABA will take on whether lawyers and law firms are (or should be) considered "creditors" subject to federal Red Flags Rules.  Many among the legal community are hoping that the ABA urges the FTC and Congress to exempt lawyers from compliance with federal Red Flags Rules or takes some other action to limit the scope of the FTC’s enforcement. … More

Massachusetts Regulators Present on New Information Security Rules – June 5, 2009, Suffolk University Law School

On Friday, June 5, 2009, Suffolk University Law School’s Center for Advanced Legal Studies organized a thorough presentation on the Massachusetts information security rules.  These presentations were led by  a pair of notable Massachusetts regulators: Scott D. Schafer, the head of privacy enforcement for the Massachusetts Attorney General and David A. Murray, the chief architect of the Massachusetts identity theft regulations for the Officer of Consumer Affairs and Business Regulation (OCABR).… More

“Hi, We’re From the FCC and We Are Here to Search Your Cellphone”

From the increasingly populated intersection of the Fourth Amendment and modern technology, comes this story from Wired’s "Threat Level."  The Federal Communications Commission (FCC) claims the right enter onto any property to inspect — without a warrant — any radio equipment, regardless of whether it is licensed or unlicensed.  In an interview with Wired, an FCC spokesperson claimed that the FCC’s right to inspect radio equipment extends to “anything using RF energy.” … More

Courts Split On Whether Police Can Use GPS To Track Individual’s Movements Without A Warrant

According to the Chicago Tribune, on May 7, 2009, a three-judge panel of Wisconsin Court of Appeals unanimously ruled that police "can attach GPS to cars to secretly track anybody’s movements without obtaining search warrants" without violating the Fourth Amendment.  The court’s opinion in State v. Sveum can be found here.  The defendant Sveum was under investigation for stalking when the police obtained a warrant to secretly place a GPS device on his car while it was parked in the his driveway. … More

Cracking Down: FTC Settles Claims Against Mortgage Company For Violations of FTC Safeguards Rule – Requires Information Security Program and 10 Years of Security Audits

On Tuesday, May 5, 2009, in a press release devoted largely to the FTC’s congressional testimony on peer-to-peer file sharing, the FTC announced that it had reached a settlement  of its claims against James B. Nutter & Company, a mortgage company that did not implement information security measures to meet federal minimums.  According to the FTC, the result of this alleged failure was that an intruder in the company’s systems sent "millions of outgoing spam emails"… More

Last Minute Reprieve: FTC Postpones Deadline for Red Flags Compliance Until August 1, 2009 – Will Release “Template” For Compliant Identity Theft Prevention Program

On Thursday, April 30, 2009, the day before federal Red Flags Rules were set to go into effect for a wide range of businesses, the FTC published a notice on its website indicating that it is postponing the deadline (yet again) until August 1, 2009. Importantly, this delay appears to be imposed so that the FTC can provide businesses, many of which are confused about how to comply, a “template” identity theft prevention program. “For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law.” The FTC indicates that it will make the template available through their website.

Cracking Down: FTC Fines Credit Research Firm $500,000 For Lax Security, Obtains Court Order Requiring Company to Develop “Comprehensive Information Security Program”

On Thursday, March 5, 2009, the FTC announced that it had reached a settlement with financial research firm Rental Research Services, Inc. (RRS) and its managing officer, Lee Mikkelson, to resolve the FTC’s claims that the firm had failed to provide adequate security for sensitive consumer information provided to identity thieves posing as legitimate users. This case provides a number of key lessons for businesses who have not considered whether their security practices amount to “unfair or deceptive acts or practices” under federal and state laws.

Man Sentenced to 12 Months of Probation and Community Service for Illegal Access to Obama’s Passport Records

Dwayne F. Cross, the second of three people who have plead guilty to illegally accessing then Presidential Candidate Barack Obama’s passport files was sentenced to 12 months probation and 100 hours of community service on Monday. Mr. Cross admitted to accessing State Department passport records involving over 150 individuals, including celebrities, family members, and personal acquaintances, out of “idle curiosity”. These files contained a wealth of personal information including social security numbers,… More

Cracking Down: FCC Initiates Enforcement Action Against Hundreds of Telecommunications Carriers For Failing to Certify Compliance With Customer Privacy Rules

On Tuesday, February 24, 2009, the Federal Communications Commission (FCC) issued an Omnibus Notice of Apparent Liability alleging that more than 600 telecommunications carriers have violated Section 222 of the Communications Act which "imposes the general duty on all telecommunications carriers to protect the confidentiality of their subscribers’ proprietary information" and the EPIC Customer Proprietary Network Information (CPNI) Order (22 FCC Rcd 6927), which requires each carrier to certify compliance with the regulations governing customer information. … More