Category Archives: Government Enforcement

Does Wyndham Confirm the FTC’s Role as Federal Privacy Enforcer?

Data breach law in the United States might have just become a lot less patchy, but a little more uncertain.  On April 7, 2014, the District Court of New Jersey decided FTC v. Wyndham Worldwide Corp., et al., No. 13-1887-ES.  This case arises out of an FTC action, brought under the deception and unfairness prongs of […]

HHS OCR Issues HIPAA Guidance on Sharing Information Related to Mental Health

On February 20, the U.S. Department of Health and Human Services Office of Civil Rights (HHS OCR) released new guidance explaining how the HIPAA Privacy Rule operates to protect individuals’ privacy rights with respect to their mental health information and in what circumstances the Privacy Rule permits health care providers to communicate with patients’ family […]

Parents’ NY Lawsuit Seeking to Block Cloud-Based Storage of Student Data Is Dismissed

In a previous post, I wrote about privacy concerns surrounding data storage nonprofit inBloom and its partnership with the New York State Education Department (“NYSED”).  On February 5, 2014, New York State Supreme Court Justice Thomas A. Breslin dismissed the lawsuit filed by parents seeking to block NYSED from sharing and storing student data with […]

Privacy Concerns “Cloud” Storage of Student Data

Privacy concerns have threatened the plans of the New York State Department of Education to use third party contractor, inBloom, to store and integrate student data in a cloud-based system.  On January 10, the Department announced that it would delay release of additional student data to inBloom.  The delay, which the Department said is normal […]

Want to Read Up on Cyber Issues Over the Holidays?

Have you wanted to read up on the many cyber security issues that have arisen over the past year but which you did not have time to follow in detail?  We have just the thing — four reports from the Congressional Research Service, the low-key public policy research branch of the U.S. Congress (so low-key […]

Are You a “Target”? Business Implications of the Target Breach

Now that the initial media blitz about the massive Target breach has passed, it is time to look ahead at the implications: Legislation:  In the past, we have seen major breaches drive legislative change.  But now that most states have data security statutes, it seems unlikely that much will happen at the state level.  And […]

Federal Judge Rules NSA Phone Record Collection Likely Unconstitutional

In a 68-page order issued earlier today, a federal district court judge ruled in favor of five plaintiffs challenging the NSA’s collection of phone record information, finding that the plaintiffs: “have standing to challenge the constitutionality of the Government’s bulk collection and querying of phone records metadata”; “have demonstrated a substantial likelihood of success on […]

Should the Computer Fraud and Abuse Act Only Apply to Acts That Are Hard to Do?

The United States District Court for the Northern District of California recently refused to dismiss a Computer Fraud and Abuse Act (CFAA) claim with an unusual twist:  the defendant allegedly circumvented an IP address block after receiving a cease-and-desist letter from the plaintiff and therefore is alleged to have acted “without authorization” in violation of […]

HHS OCR Issues HIPAA Guidance on Refill Reminders, Decedent Information, Disclosure of Proof of Student Immunizations and Delays CLIA Lab Enforcement

Late last night, HHS OCR issued its anticipated guidance on “The HIPAA Privacy Rule and Refill Reminders and Other Communications about a Drug or Biologic Currently Being Prescribed for the Individual.”  A new “Fact Sheet” and corresponding “Frequently Asked Questions” attempt to explain how the refill reminder exception to the marketing rule works, and seek to […]

HIPAA Unconstitutional? Maybe Not, But New Marketing Regulations Are Coming

You may have seen the recent lawsuit alleging that HIPAA’s marketing regulations are unconstitutional.  In that case, the plaintiff is a company that “provides a refill reminder service and other adherence messaging services,” Adheris, Inc. Adheris sued the Department of Health and Human Services because HIPAA’s regulations threaten to put it out of business.  In […]

Revised COPPA Rules Go Into Effect July 1, 2013

In order to “keep up with technology,” the FTC revised the Children’s Online Privacy Protection Rule (COPPA) in 2012.  As a result of those revisions, some companies that may not have been covered by COPPA may now be covered, and the effective date of those changes is today, given the July 1st effective date of the […]

FTC Issues Revised Business Guide on ‘Red Flags’ Identity Theft Rule

The Federal Trade Commission has issued revised guidance designed to help businesses comply with the requirements of the Red Flags Rule, which protects consumers by requiring businesses to watch for and respond to warning signs or “red flags” of identity theft.  The guidance outlines which businesses – financial institutions and some creditors – are covered […]

Recent Massachusetts Supreme Judicial Court Case Starts a Wave of Lawsuits Against Retailers for Collecting Customer ZIP Codes

In a recent decision, the Massachusetts Supreme Judicial Court (SJC) determined that customer ZIP Codes are “personal identification information” that retailers are prohibited from collecting during credit card transactions.  With this decision, the Massachusetts high court may have set off a wave of new class-action lawsuits against retailers that collected customer ZIP Codes.  Especially […]

The Split in the Circuit Courts Over the Proper Interpretation of the Computer Fraud and Abuse Act Actually Goes Three Ways

Posted on March 15th, 2013 by Brian P. Bialas on our sister blog, Massachusetts Noncompete Law.  I’ve written many times about the significant split in circuit courts’ interpretation of the Computer Fraud and Abuse Act (CFAA), which affects whether an employer can sue an employee for violating computer use restrictions, usually embodied in a […]

Commentary on the Status of the Computer Fraud and Abuse Act

Feb 18, 2013.  U.S. Supreme Court takes pass on CFAA lawsuit; uncertainty remains.  In 1st Circuit, ‘ball in employer’s court’.  By Correy E. Stephenson.  The U.S. Supreme Court’s denial of certiorari in a Computer Fraud and Abuse Act case leaves employment lawyers in the 1st Circuit and beyond with continuing uncertainty.  Employers frequently add a […]

PCI-DSS Update: The Payment Card Industry Security Standards Council Issues Guidelines for Security Risk Assessments, Cloud Computing, and Accepting Payments on Mobile Devices

Merchants who accept credit cards have a duty to protect customer information, not only by law (see, e.g., 201 CMR 17.00), but also because the credit card companies tell them so.  The Payment Card Industry Security Standards Council was created by Visa, MasterCard and American Express to tell merchants precisely what they are supposed to […]

Pentagon to Increase Cybersecurity Force More than Five Times Current Size

In a recent article, the Washington Post reported that “The Pentagon has approved a major expansion of its cybersecurity force over the next several years, increasing its size more than fivefold to bolster the nation’s ability to defend critical computer systems and conduct offensive computer operations against foreign adversaries.” The Pentagon’s plan would create three […]

HIPAA “Omnibus” Regulations Published in Federal Register

The revised HIPAA regulations were formally published today in the Federal Register.  In this form, they only take up 138 pages! Law360 has a brief piece on the revised HIPAA rules, with the perspectives of various attorneys (including me) on the changes.  While I’m not sure I agree with the quote that “This is a […]

Key Elements of the New “Omnibus” HIPAA

On January 18, 2013, nearly four years after the passage of the HITECH Act and its amendments to HIPAA, and nearly three years after it proposed regulatory amendments, the U.S. Department of Health and Human Services (“HHS”) has finally issued major “omnibus” revisions to HIPAA’s privacy and security regulations. In the 563 pages of the regulations and related regulatory comments, […]

The Wait Is Over! HHS Finally Issues Revised HIPAA Privacy and Security Regulations

Nearly four years after the passage of the HITECH Act and its amendments to HIPAA, and nearly three years after it proposed regulatory amendments, the U.S. Department of Health and Human Services (“HHS”) has finally issued major revisions to HIPAA’s privacy and security regulations. While we are still making our way through all 563 pages of the regulations and related regulatory comments (and will […]

Massachusetts Attorney General Secures $140,000 Settlement of Claims that Patient Information Was Left in a Town Dump

The Massachusetts Attorney General announced today that the former owners of a medical billing practice and four pathology groups have agreed to collectively pay $140,000 to settle allegations that medical records and patient billing information for “tens of thousands of Massachusetts patients were improperly disposed of at a public dump.”  Under the settlements, the defendants have agreed to pay a […]

HHS Announces First HIPAA Breach Settlement Involving Less than 500 Patients

The Department of Health and Human Services’ Office for Civil Rights (“HHS OCR”) announced today that it was, for the first time, entering into a monetary HIPAA settlement for a breach involving less than 500 patients: the Hospice of North Idaho (HONI) has agreed to pay HHS OCR $50,000 to settle potential HIPAA security rule violations. HHS OCR began its investigation after HONI reported to […]

NLRB Confirms that Comments Posted on Social Media May Be Entitled to Protection

In a post from earlier today, my colleagues, Lyndsey Kruzer and Mike Rosen, discuss the NLRB’s conclusion that social media comments can be protected activity: The National Labor Relations Board (NLRB) recently issued a significant decision – solidifying the position it has staked out over the past 18 months – that an employee’s posts on social media may be entitled to […]

FTC Finally Amends Red Flags Rule Regulations to Match 2010 Statutory Amendment

The FTC announced today that it has, at long last, modified its Red Flags Rule to match the language of the Red Flag Clarification Act of 2010.  As this blog explained in 2010: As originally drafted, “creditors” would have included anyone “who regularly extends, renews, or continues credit” or “who regularly arranges for the extension, renewal, or continuation of credit,” […]

Law360: “HHS Data-Scrubbing Guidance Backs Strict Privacy Definitions”

Today’s Law360 addresses “HHS Data-Scrubbing Guidance” with quotes from me and others on the subject: Clarifying the types of data that need to be removed from data sets can also help companies maximize the value of the information that they hold as the value of and ability to use this data for research and public […]

HHS OCR Issues Guidance Regarding Methods for De-identification of PHI in Accordance with HIPAA

On November 26, HHS OCR released guidance regarding methods for de-identification of protected health information in accordance with the HIPAA Privacy Rule. This guidance fulfills the American Recovery and Reinvestment Act of 2009 (ARRA) mandate that HHS issue such guidance. Following the passage of ARRA, OCR collected research and views regarding de-identification approaches, best practices for […]

“Privacy: Why Europeans Think You’re Inadequate”

Gant Redmon of Co3 Systems has an interesting take on the differences in U.S. and EU privacy regimes in a Security Week column entitled, “Privacy:  Why Europeans Think You’re Inadequate.”  In his column, he addresses three key issues:  “First, what does privacy mean to folks in the US versus the EU? Second, how has history played a role in defining privacy in the US […]

Protecting Health Information: Health Data Security Training

It was a pleasure to be on a panel with members of the Massachusetts Office of the Attorney General last week at the Massachusetts Medical Society to talk about how physicians can protect health information in our presentation entitled:  “Protecting Health Information: Health Data Security Training.”  We covered the latest in federal law (HIPAA, […]

Judicial Privacy and Deliberations Protected by Massachusetts High Court Decision

In a case that has received wide attention, the Massachusetts Supreme Judicial Court has issued a decision barring ethics investigators from asking a Massachusetts judge how he reached individual decisions during his 21 years on the bench. This is one of the few published decisions to recognize a deliberative privilege for the judiciary, with the court concluding […]

New Hampshire Federal Court Interprets the Computer Fraud and Abuse Act More Narrowly Than Massachusetts Federal Court and Dismisses Claims Based on Violations of Computer Use Restrictions

As posted earlier today by Brian P. Bialas on the Massachusetts Non-Compete blog, a recent case from the U.S. District Court for the District of New Hampshire highlights the split between the District of New Hampshire and the District of Massachusetts over the proper interpretation of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, […]

Want to Learn HIPAA Just Like Your State Attorney General? Now You Can!

As you may recall, the Health Information Technology for Clinical and Economic Health (HITECH) Act gives state Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules.  Some states, like Massachusetts, have already started to use this authority to bring and settle cases.  To […]

Vermont Quietly Updates Its Data Security Law

You may have missed it, because it came without fanfare and does not seem to have made the data security trade press, but in early May, the State of Vermont updated its data security law. In particular, these revisions to 9 V.S.A. chapter 62 do the following: change the information protected to “personally identifiable information” […]

A Few Thoughts from Deputy Undersecretary for Cybersecurity, Mark Weatherford, Department of Homeland Security

On May 16, Deputy Undersecretary for Cybersecurity, Mark Weatherford, spoke to the Advanced Cyber Security Center about DHS’s cyber security priorities: Information Sharing, R&D, and the Advanced Persistent Threat. On Information Sharing:  This is a continuing challenge, in part because of the way the federal government shares information.  At present, the federal government provides cyber […]

Data Breaches Continue To Be A Problem For Health Care Providers: South Shore Hospital (Massachusetts) Pays $750,000 To Settle Data Breach Charges

An aptly-timed article from Mass High Tech Business News noted earlier today that: “Data Breaches [Are] a Growing Problem in Health Care.”  This article focused on a recent breach at Boston Children’s Hospital involving the records of 2,000 patients. The article was prescient, as this afternoon, the Massachusetts Attorney General announced a $750,000 settlement with suburban Boston’s […]

FTC Counters Constitutional Challenge to Fair Credit Reporting Act

The Federal Trade Commission has joined the Department of Justice and the Consumer Financial Protection Bureau in filing a memorandum in support of the constitutionality of the Fair Credit Reporting Act. This issue arose in Shamara King v. General Information Services, Inc., a "consumer class action based upon Defendant’s willful violation of the Fair Credit Reporting […]

ONC (“Office of the National Coordinator for Health Information Technology”) Issues Guide to Privacy and Security of Health Information

The Office of the National Coordinator for Health Information Technology (“ONC”) has issued a Guide to Privacy and Security of Health Information. The guide is targeted at smaller health care providers and their administrative staff members. The 47 pages contain five chapters: Chapter 1: What Is Privacy […]

Ninth Circuit En Banc Decision Creates Circuit Split with First Circuit that Affects Employer Claims Against Employees under the Computer Fraud and Abuse Act

(This post also appears in www.massachusettsnoncompetelaw.com) Below is an article that I wrote for the June edition of Massachusetts Lawyers Journal, the monthly publication of the Massachusetts Bar Association. It discusses an important case that interprets the Computer Fraud and Abuse Act and the split in the law that case has created with the First Circuit, […]

Massachusetts Reports on Data Breaches for 2007-2011

The Massachusetts Office of Consumer Affairs and Business Regulation has issued its first annual report on data breaches. Since Massachusetts has one of the more strict state laws on data security and breach reporting, this report bears close attention for trends across the nation. Some of the highlights in this summary, which covers 2007-2011: Through […]

Second Circuit Reverses Convictions in Data-Theft Prosecution and Narrowly Interprets Federal Criminal Statutes with Important Intellectual Property Implications

In February 2012, following oral argument, the U.S. Court of Appeals for the Second Circuit issued a brief order reversing Sergey Aleynikov’s convictions for violating the National Stolen Property Act, 18 U.S.C. § 2314 (“NSPA”), and the Economic Espionage Act, 18 U.S.C. § 1832(b) (“EEA”), and stating a longer opinion would follow. In that promised opinion, which […]

New Case Highlights Split of Authority Interpreting the Computer Fraud and Abuse Act

Employers increasingly are suing former employees who have left to join or form competing companies using the civil remedies available under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. They use the CFAA to prevent their former employees from using sensitive information obtained from the former employer’s computer system. The scope of the CFAA, […]

$1.5 Million Settlement of First HIPAA Enforcement Action Resulting from HITECH Breach Notification Rule

The trend toward increasingly large health information breach settlements has continued with yesterday’s announcement that Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,500,000 to settle potential violations of HIPAA’s Privacy and Security Rules, HHS’s Office of Civil Rights. BCBST also agreed to a corrective […]

Breaking Down the White House Privacy Framework–a Video Blog

Here is a video discussion I had with LexBlog on the new White House Data Privacy report, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.” In this conversation, we discussed the report’s four primary elements: a Consumer Privacy Bill of Rights, a multistakeholder […]

Court Sides with Facebook, Finds Social Networking “Experience” Website Violated CAN-SPAM and Other Data Security Statutes

In a case brought by Facebook, a U.S. district court recently concluded that a website that offered to integrate multiple social networking accounts into a single social networking “experience” violated the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM Act”), the Computer Fraud and Abuse Act (“CFAA”), and California Penal Code § 502. […]

White House Releases Long-Anticipated Privacy Report

The White House has finally released its long-anticipated report on consumer privacy. The 60-page White House report, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy,” is the start of what promises to be a fascinating legislative and regulatory process.  It is curious that the […]

State Attorneys General Write to Google

In a letter sent earlier today, 37 state attorneys general (or their equivalents) wrote to Larry Page, Google’s CEO, "to express our strong concerns with the new privacy policy that Google announced it will be adopting for all of its consumer products." According to the letter: Google’s new privacy policy is troubling for a number of reasons. […]

Lessons from the Chinese Hacking of Nortel for IT Security, Due Diligence

Recent press reports of massive Chinese-sponsored hacking at the one-time telecom giant Nortel might cause you to throw up your hands and say, what chance do I have against such forces?  A closer look suggests that there is much that can be done, and should be done, both in IT security and in the sale and acquisition […]

Massachusetts Data Security Law – Contract Grandfather Provision Expires March 1, 2012

Our colleagues have reminded us that on March 1, 2012, the contract grandfathering provisions of the Massachusetts Data Security Law and Regulations will expire: by Catherine M. Anderson, Jeffrey D. Collins.  As we previously noted in our Foley Adviser dated February 3, 2010, “New Massachusetts Data Security Law and Regulations-Comprehensive Information Security Plan required before March […]

More on Google’s Privacy Policy

Here is an excerpt from my interview yesterday with Jon Mitchell of ReadWriteWeb: "From a legal perspective, I’m not seeing anything that’s much different in what’s being proposed to take effect on March 1 and what’s in place right now," Zick says. "In particular, the language about sharing across services has been in [Google's policies] […]

Jail Time for Man Who Accessed Computer of a Competing Medical Practice

An Atlanta, Georgia man was sentenced earlier this month to one year and one month in prison for intentionally accessing a computer of a competing medical practice, and taking personal information of the patients.  The individual made this improper access in order to send marketing materials to patients at the other practice. The individual worked as an information technology […]

Supreme Court Holds Warrant Required for GPS Tracking

The Supreme Court today issued an opinion holding that police cannot track a suspect using GPS without first getting a warrant. Justice Scalia wrote the opinion, for a unanimous court, and concluded:  “We hold that the Government’s installation of a GPS device on a target’s vehicle, and its use of that device to monitor the vehicle’s […]

Medicare Contractors Lag on Information Security

This report from the Office of the Inspector General for the Department of Health and Human Services reveals significant holes in Medicare contractor security.  Here’s a notable excerpt: Security Awareness Training The Computer Security Act of 1987 (P.L. No. 100-235) requires periodic training in computer security awareness and accepted computer practices for all employees who […]

Inside Counsel Magazine Revisits SEC’s Cybersecurity Guidance

As we noted back in October, the SEC issued CF Disclosure Guidance: Topic No. 2:  Cybersecurity. This guidance provides the Division of Corporation Finance’s views regarding disclosure obligations relating to cybersecurity risks and cyber incidents. The most recent issue of Inside Counsel follows up on the latest views on this Guidance, including a quote from […]

SEC Issues Guidance On Use of Social Media by Investment Advisers

My colleagues Jen Audeh and Jeff Collins have analyzed the SEC’s guidance on the use of social media by investment advisers.  Because of the overlap this issue has with data privacy and security, we are providing this excerpt and a link to their summary: On January 4, 2012 the SEC’s Office of Compliance Inspections and Examinations issued […]

“Once More Unto the Breach, Dear Friends, Once More”: The Increasing Recognition of Complexity in Data Breach Response and Reporting

In an article in today’s New York Times, we get some real-life insight into the difficulties in responding to a data breach.  Even simple questions, like whether or not to report the breach and who is responsible for reporting it, take on unforeseen complexity. The particular breach in question happened at the Massachusetts eHealth Collaborative, when an employee’s […]

Facebook Settles FTC Charges that It Deceived Consumers, Agrees to 20 Year Consent Order

In a settlement announced today by the Federal Trade Commission and Facebook, the social networking service agreed to settle “charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public,” according to the FTC’s press release. In its complaint, the FTC […]

“Foreign Spies Stealing US Economic Secrets in Cyberspace”

With an inflammatory title like “Foreign Spies Stealing US Economic Secrets in Cyberspace,” the Office of the National Counterintelligence Executive’s “Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011” is tough to ignore. The Report’s conclusions are equally notable for their candor about the recent actions of the Chinese and Russian governments: “Chinese actors […]

“SEC’s Corp Fin Staff Attacks Cyber-Security Disclosure”

I was interviewed and quoted as part of a Compliance Week article on the new SEC guidance on disclosures of cyber security incidents: Colin Zick, a partner at law firm Foley Hoag, says the guidance is too general and that companies will have to think hard when assessing what information to disclose. “There are a lot […]

Advanced Cyber Security Center Launched

As noted in MassHighTech, the Advanced Cyber Security Center was officially launched on September 20.  The program was opened by Massachusetts Governor Deval Patrick and featured a presentation from Attorney General Martha Coakley.  As described by MassHighTech: Touted as a first of its kind collaborative effort that brings together stakeholders in cyber security from the […]

More Consumer Data Security and Privacy Legislation Introduced

The latest legislator to enter into the federal data security and privacy sweepstakes is Senator Richard Blumenthal (D-CT) who introduced legislation, S. 1535, on September 8.  This bill, if passed, would require companies dealing with consumers to strengthen their data security and privacy policies.  In particular, Senator Blumenthal’s bill, “The Personal Data Protection and Breach Accountability Act,” would require businesses […]

Another Big HIPAA Settlement: The UCLA Health System Settles for $865,000

In another sign that OCR is continuing to seek significant penalties for HIPAA violations, it announced on July 7 that the UCLA Health System ("UCLAHS") has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with […]

Supreme Court Strikes Down Vermont Data Mining Law

The Supreme Court this morning voted 6-3 to strike down a Vermont statute that sought to impose significant restrictions on pharmaceutical data mining activities. Justice Kennedy’s opinion in the closely-watched case of IMS v. Sorrell held that the Vermont statute was an unconstitutional regulation of commercial speech. The first paragraph of Justice Kennedy’s opinion provides a […]

Is Teamwork the Answer to Data Security?

Increasingly, alliances are viewed as an important way to improve data security.  The Washington Post reports that the National Security Agency is now working with Internet service providers to thwart cyberattacks against defense firms by foreign adversaries.  We have previously noted two other initiatives: the Advanced Cyber Security Center (to which Foley Hoag serves as legal counsel) and […]

2011: The Year of the Breach

We are six months into 2011, and it seems destined to be “The Year of the Breach.”  In just the past few months, major American (and multi-national) corporations and institutions have reported that they have been the victims of some kind of security breach: Epsilon: breach of customer email addresses; RSA: compromise of security tokens (possibly impacting […]

What Law Applies In “the Cloud”?

Attached is my presentation given at a recent CloudCamp, on the subject: What Law Applies In “the Cloud”?  (CloudCamp is an unconference where early adopters of Cloud Computing technologies exchange ideas.)

What Can My Company Do To Fight Cybercrime Collaboratively?

Wondering what your company might be able to do at the local level to help fight cybercrime? There are a growing number of public-private collaborations that are trying to get ahead of the bad guys. One is the Advanced Cyber Security Center (to which Foley Hoag serves as legal counsel).  The ACSC is a collaborative, cross-sector research facility […]

Information Security In the Age of WikiLeaks

InformationWeek has published an interesting Analytics Brief on "Information Security in the Age of WikiLeaks."  (Subscription required.)  The brief discusses the following subjects: Could a Major Security Breach Be on the Horizon? The Smartphone Dilemma What Elements Are Currently Covered in Your Organization’s Security Awareness Program? Security Budgets Fare Well Implementing Risk Management Disciplines Do […]

White House Releases Framework for National Strategy for Trusted Identities in Cyberspace

On April 15, the White House formally released its National Strategy for Trusted Identities in Cyberspace. As we noted earlier, the “trusted identity” concept is intended to allow the public and private sectors to collaborate in order to raise the level of trust associated with the exposure of the identities of individuals, organizations, networks, services and devices in […]

Obama Administration Seeks “Consumer Privacy Bill of Rights”

In March 16, 2011 testimony before the Senate Committee on Commerce, Science, and Transportation, the Obama Administration formally asked Congress to pass a "consumer privacy bill of rights" enforced by the FTC: Legislation to provide a stronger statutory framework to protect consumers’ online privacy interests should contain three key elements. First, the Administration recommends that legislation […]

Health Net Announces Second Major Breach in Two Years; Creates Potential for Largest Ever Penalty

On March 14, the California-based managed care organization, Health Net, Inc., announced that it cannot account for "several server drives" that contained protected health information.  According to California regulators, these servers appear to contain the data of 1.9 million people nationwide: The company announced today that nine of its server drives containing personal information for 1.9 million current […]

What Is Inside Mass General’s $1 Million HIPAA Settlement?

As we noted earlier this month, Massachusetts General Hospital recently entered into a $1 million Resolution Agreement and Corrective Action Plan with the Department of Health and Human Services’ Office of Civil Rights.  This settlement stemmed from an incident on March 9, 2009, when a MGH employee was commuting on the subway, "removed documents containing PHI from her bag and placed […]

FTC Red Flags Suits Come to an End as Lawyers and Doctors Are Exempted

While the effect of the federal legislation modifying the FTC Red Flags Rule has been known for a while, the court proceedings that challenged the rule have now caught up.  The American Bar Association’s suit has been dismissed, and the American Medical Association announced it is voluntarily dismissing its case:  "The lawsuit filed by the Litigation […]

Supreme Court Rules Corporations Do Not Have Privacy Rights under FOIA

In a March 1, 2011 decision that has received much publicity (despite stating a fairly obvious conclusion), the Supreme Court ruled that the term "personal privacy" does not apply to corporations, at least in the context of the Freedom of Information Act ("FOIA").  The decision, FCC v. AT&T Inc., reflects the Supreme Court’s application of a particular exemption […]

Compliance Approaches in the Changing HIT Privacy and Security Landscape: How You Can Nurture a Culture of Health Information Security and Privacy

My slides from this presentation, "Compliance Approaches in the Changing HIT Privacy and Security Landscape:  How You Can Nurture a Culture of Health Information Security and Privacy" cover HIPAA and HITECH developments and compliance, with a focus on breaches and OCR settlements/penalties, including: Resolution Agreement with Providence Health & Services (July 16, 2008 Settlement:  $100,000); Resolution Agreement with […]

FTC Publishes Copier Data Security Guide

As we noted back in May, digital copiers have caught the eye of government privacy enforcers.  If you have a digital copier at your business, you should review the FTC’s Copier Data Security: A Guide for Businesses.  In that Guide, the FTC suggests that “your information security plans . . . should cover the digital copiers your company […]

HHS Fines Cignet Health $4.3 Million for HIPAA Violations

Earlier today, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued a Notice of Final Determination finding that Cignet Health of Prince George’s County, Md., (Cignet) violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS imposed a civil money penalty (CMP) of […]

DHS Updates Its “Handbook for Safeguarding Sensitive PII”

The Department of Homeland Security has released its latest update to its internal guide to handling personally identifiable information.  The "Handbook for Safeguarding Sensitive PII at DHS" has been around since 2008; even if you do not have direct dealings with DHS, it provides a useful point of comparison for your own policies and procedures. 

U.S. Supreme Court Upholds NASA Background Checks

In NASA v. Nelson, decided today by the U.S. Supreme Court, the high court rejected a challenge to “a section of a form questionnaire that asks employees about treatment or counseling for recent illegal-drug use . . .  [and] to certain open-ended questions on a form sent to employees’ designated references.” This particular challenge came from […]

Genetic Privacy Rights Group Publishes Guide to the World’s DNA Databases

The Council for Responsible Genetics has published a guide to the world’s DNA databases.  According to the guide, 56 countries (and in the U.S., all 50 states) maintain DNA databases. CRG describes itself as a "catalyst and thought leader in the movement to steer biotechnology toward the advancement of public health, environmental protection, equal justice […]

Does the FTC’s Report on “Protecting Consumer Privacy…” Apply to Non-Profits?

Earlier this month, the Federal Trade Commission (“FTC”) released a preliminary staff report entitled, “Protecting Consumer Privacy in an Era of Rapid Change:  A Proposed Framework for Businesses and Policymakers.” According to the FTC, the report is intended “to inform policymakers, including Congress, as they develop solutions, policies, and potential laws governing privacy, and guide and […]

FTC Red Flags Rule Clarified; Red Flags Enforcement Likely to Begin in 2011

On December 18, 2010, President Obama signed into law the Red Flag Clarification Act of 2010.  The Act will change a single definition in prior law and reduce the scope of the FTC Red Flags Rule, ending a two-year long saga over the scope of its enforcement. As we have noted in past entries about Red Flags Rule compliance, […]

Will 2011 Bring Us “Do Not Track” Legislation?

Posted below is another contribution from my colleague David Broadwin on our Emerging Enterprise Center blog about the potential for legislative change in 2011. I agree with the conclusions he draws: This is an area where bipartisan consensus is possible. The industry powers will fight against “Do Not Track” and will win that fight. Industry will […]

FTC Proposes Privacy Framework That Will Impact the Business Model of All Online and Mobile Advertising Companies

Our colleagues in Foley Hoag’s Emerging Enterprise Center have summarized the FTC preliminary staff report, “Protecting Consumer Privacy in an Era of Rapid Change:  A Proposed Framework for Businesses and Policymakers,” which we posted on December 1.  We are cross-posting the analysis from their blog below. It seems likely that the next two years will bring significant changes to this […]

FTC Releases Report: “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers”

Earlier today, the FTC released a preliminary staff report entitled, “Protecting Consumer Privacy in an Era of Rapid Change:  A Proposed Framework for Businesses and Policymakers.”  The report is over 100 pages long and suggests that changes need to be made regarding consumer privacy, stating: Industry must do better. For every business, privacy should be a basic […]

Advocacy Groups File FTC Complaint Over Online Consumer Health Sites and Health-Related Marketing

In a complaint filed with the FTC on November 23, four advocacy groups asked for "Investigation, Public Disclosure, Injunction, and Other Relief" against several online health giants, including Google, Microsoft, QualityHealth, WebMD, Yahoo, AOL, HealthCentral, Healthline, and Everyday Health.  The advocacy groups behind this complaint are the Center for Digital Democracy, U.S. PIRG, Consumer Watchdog and World […]

California Department of Public Health Issues Privacy Breach Fines to 8 Health Care Facilities

On November 19, the California Department of Public Health (CDPH) announced that eight health care facilities (mostly hospitals) have been assessed administrative penalties and fines totaling $792,500 after a determination that the facilities failed to prevent unauthorized access to confidential patient medical information. The fines ranged from a low of $5,000 to a high of […]

Restricting Employees’ Internet Conduct May Violate Federal Labor Law

The following post was drafted by my colleagues Rob Fisher and Brian Bialas; although their focus is on the employment law aspects of this issue, the implications for corporate security/privacy policies are significant.  In particular, they note that such policies must not prohibit employees from criticizing their employer.  Time to check your existing policies on […]

Connecticut Insurance Commissioner Fines Health Net of Connecticut $375,000 for Information Security Lapses

On November 8, 2010, the Connecticut Insurance Commissioner, Thomas Sullivan, announced that the state’s Insurance Department has reached an agreement with Health Net of Connecticut to pay $375,000 in penalties levied for what the Insurance Department characterized as "failures to safeguard the personal information of its members from misuse by third parties."  This included what the Insurance […]

Connecticut Attorney General Reaches First State HIPAA Settlement with Health Net

On July 6, 2010, Connecticut Attorney General Richard Blumenthal announced a settlement with Health Net and its affiliates (Health Net of the Northeast, Inc., Health Net of Connecticut Inc., and parent companies UnitedHealth Group Inc. and Oxford Health Plans) of a suit that cited failure to secure private patient medical records and financial information on nearly a […]

Spokeo In Violation of Federal Privacy Laws According to New CDT Complaint Filed With FTC

This week, the Center for Democracy & Technology (CDT) submitted a complaint (.pdf) to the Federal Trade Commission (FTC) alleging that the data broker website Spokeo was violating federal financial privacy law by not taking adequate safeguards to protect consumers.  Spokeo is a website that bills itself as a search engine that allows users the ability […]

ALERT: FTC Delays Enforcement of Red Flags Rule Through December 31, 2010

Today, the Federal Trade Commission issued a press release and an Enforcement Policy extending the deadline for enforcement of the FTC’s Red Flags Rule through December 31, 2010. The agency cited requests from members of Congress for a postponement of the deadline while legislators tinker with federal law to exclude certain businesses from application of the Rule.

REMINDER: Red Flags Rule Enforcement Deadline Falls Next Week

This Tuesday, June 1, 2010, marks the official deadline for compliance with the Federal Trade Commission’s Red Flags Rule. The deadline for enforcement of the Red Flags Rule has been delayed repeatedly since its original deadline in November 2008, but the FTC has remained silent on further delays since it announced the current deadline in October of last year.
The FTC’s Red Flags Rule is a set of regulations that require financial institutions and creditors to adopt written identity theft prevention programs. The FTC sparked considerable controversy when it announced that the Rule applies broadly to a range of businesses unused to being subjected to financial industry regulation (i.e., any individual or company that bills its customers after it provides goods or services). As a result, a number of industry groups have filed lawsuits to challenge the FTC’s application of the Red Flags Rules to lawyers, accountants and, most recently, medical professionals.

New Google Tool Maps Government Requests For Users’ Personal Information

This week Google rolled out its Government Requests tool that quantifies the number of government requests it receives from various countries around the world.  The move was announced by David Drummond, Google’s Chief Legal Officer on Tuesday on the official Google blog.  In his post, Drummond stated: So it’s no surprise that Google, like other […]

Cracking Down: FINRA Fines Blackmailed Brokerage Firm $375,000 for Violation of Reg S-P

On Monday, the Financial Industry Regulatory Authority (FINRA) announced that brokerage firm D.A. Davidson & Co. had consented to the imposition of a $375,000 fine for lax security measures that allowed hackers working for an “international crime group” to obtain personal information on thousands of customers. The breach itself occurred in December 2007 when hackers used a “SQL […]

LifeLock To Pay $12 Million to Settle Charges That Identity Theft Prevention and Data Security Claims Were False

LifeLock, Inc., a self-proclaimed “industry leader in the rapidly growing field of identity theft protection” has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that LifeLock falsely promoted its identity theft protection services. LifeLock publicized its services through advertisements that […]

“Data, Data Everywhere” — Recommended Reading

The February 27 issue of The Economist has an excellent special report, "Data, data everywhere:  A special report on managing information."  It features a series of articles on the volume of information that is overtaking business and society, and the means by which business and governments are responding.

FTC Tells Businesses, Schools and Local Governments: Stop Sharing Personal Information On Peer-To-Peer Filesharing Networks

The Federal Trade Commission (FTC) announced yesterday that it had notified "almost 100" companies and organizations, including schools and local governments, that sensitive personal information from those entities was being shared across peer-to-peer (P2P) filesharing networks. This has apparently resulted in circulation of customer personal information, health information, Social Security numbers and other sensitive data.  […]

Incident(s) of the Week: Recent Updates from Prior Incidents

1.  The FTC Fines Las Vegas Man $35,000 for Dumping Customer Financial Records In Public Dumpster This week, the FTC finalized a $35,000 settlement with Gregory Navone, the real estate broker who left 40 boxes of customer tax returns, bank statements, consumer reports and other financial records in a public dumpster behind an office building in […]

Is Tougher HIPAA Enforcement Finally On Its Way?

It has been well over a decade since the passage of HIPAA in 1996. HIPAA has caused many changes in the way the business of health care works, including going a long way to create the position of “health information professional.” One area where HIPAA has, as yet, had little impact has been in enforcement. The history of […]

ALERT: FTC Announces Delay in Red Flags Enforcement Until June 1, 2010

Two days before they were scheduled to go into effect, and on the same day that a federal judge ruled that lawyers should be excluded from enforcement, the Federal Trade Commission (FTC) announced today that it was delaying enforcement of its Red Flags Rule until June 1, 2010. Given the timing of the announcement, the most likely explanation for the delay is that the FTC wants to give itself time to appeal the district court’s decision in the ABA suit.

Federal Judge Rules That Lawyers Need Not Comply With Red Flags Rules

In an order entered this morning, Federal District Judge Reggie B. Walton granted the American Bar Association’s (ABA) request that lawyers be excluded from enforcement of the Federal Trade Commission’s (FTC’s) controversial Red Flags Rules. This comes as the legal community steeled itself for the FTC’s imminent November 1st enforcement deadline.

Incident of the Week: Declassified Documents Show FBI Expanding Data Mining Efforts Over 1.5 Billion Personal Records (And Counting)

Declassified documents obtained (but not published) by WIRED Magazine indicate that the FBI has been hard at work expanding a database of Americans’ personal and financial information.  According to WIRED, the FBI’s National Security Branch Analysis Center (NSAC) has compiled a database of  “more than 1.5 billion government and private-sector records” and has been mining this […]

Massachusetts Supreme Judicial Court Allows Use of Secret GPS To Track an Individual’s Movements, But Requires Police To Obtain Warrant

Earlier this year, the Wisconsin and New York state courts split on whether police may install a covert GPS tracking device on a suspect’s car without a warrant.  On September 17, the Massachusetts Supreme Judicial Court addressed the GPS tracking device issue, ruling that Article 14 of the Massachusetts Declaration of Rights requires a warrant before such a […]

FTC to Host Public Roundtables in December to Address Evolving Consumer Privacy Issues

The Federal Trade Commission will host a series of public "roundtable discussions" to explore the privacy challenges posed by "technology and business practices that collect and use consumer data," including social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The FTC’s […]

ABA Sues FTC To Stop Application of Red Flag Rules to Lawyers

In a move threatened but not expected this soon, the American Bar Association today sued the Federal Trade Commission, in an effort to stop the application of the Red Flags Rule to lawyers.  The Red Flags Rule is scheduled to go into effect on November 1, 2009.  The complaint (.pdf), which was filed in federal district court […]

ALERT: FTC Announces Delay in Red Flags Enforcement Until November 1, 2009.

Amidst calls from the legal community, the Federal Trade Commission (FTC) announced this morning that it was delaying enforcement of the FTC’s Red Flag Rules until November 1, 2009.  The FTC’s announcement of the delay emerged almost as a footnote to a public statement devoted largely to the FTC’s "redoubled" efforts to "provid[e] additional resources […]

House Subcommittees Hold Joint Hearing On Behavioral Advertising

On June 18, 2009, the House Subcommittee on Commerce, Trade and Consumer Protection held a joint hearing with the Subcommittee on Communications, Technology, and the Internet on the topic of “Behavioral Advertising: Industry Practices and Consumer Expectations.” The subcommittee members explained that they hoped the hearing would help determine the need and possible parameters for new legislation governing […]

Good News and Bad News: An Employer Is Hiring; It’s The HHS Office of Civil Rights!

In an email to its listserv earlier today, the federal Department of Health and Human Services announced it "is expanding its health information privacy enforcement team."  In particular, HHS is hiring for two new positions located in HHS’s "Office of the Secretary, Office for Civil Rights (OCR), Office of the Deputy Director Health Information Privacy (ODDHIP)."  […]

FTC and Other Agencies Issue Frequently Asked Questions (With Answers) on Red Flags Rules

On June 11, 2009, six federal agencies issued answers to a set of frequently asked questions (FAQ) (.pdf) to “assist financial institutions, creditors, users of consumer reports and card issuers in complying with the final rulemaking” on identity theft.  The agencies behind the FAQ are those that originally promulgated the Red Flags Rules (and issued Guidelines to […]

ABA to Consider Asking FTC and Congress to Exempt Lawyers from Red Flags Rules

A contact at the American Bar Association (ABA) confirmed by telephone today that the ABA Board of Governors is meeting this Saturday, June 13, 2009 to determine what position the ABA will take on whether lawyers and law firms are (or should be) considered "creditors" subject to federal Red Flags Rules.  Many among the legal community are hoping that the ABA urges the FTC […]

Massachusetts Regulators Present on New Information Security Rules – June 5, 2009, Suffolk University Law School

On Friday, June 5, 2009, Suffolk University Law School’s Center for Advanced Legal Studies organized a thorough presentation on the Massachusetts information security rules.  These presentations were led by a pair of notable Massachusetts regulators: Scott D. Schafer, the head of privacy enforcement for the Massachusetts Attorney General and David A. Murray, the chief architect […]

“Hi, We’re From the FCC and We Are Here to Search Your Cellphone”

From the increasingly populated intersection of the Fourth Amendment and modern technology, comes this story from Wired’s "Threat Level."  The Federal Communications Commission (FCC) claims the right to enter onto any property to inspect — without a warrant — any radio equipment, regardless of whether it is licensed or unlicensed.  In an interview with Wired, an FCC spokesperson claimed […]

Courts Split On Whether Police Can Use GPS To Track Individual’s Movements Without A Warrant

According to the Chicago Tribune, on May 7, 2009, a three-judge panel of the Wisconsin Court of Appeals unanimously ruled that police "can attach GPS to cars to secretly track anybody’s movements without obtaining search warrants" without violating the Fourth Amendment.  The court’s opinion in State v. Sveum can be found here.  The defendant Sveum was under investigation for stalking […]

Cracking Down: FTC Settles Claims Against Mortgage Company For Violations of FTC Safeguards Rule – Requires Information Security Program and 10 Years of Security Audits

On Tuesday, May 5, 2009, in a press release devoted largely to the FTC’s congressional testimony on peer-to-peer file sharing, the FTC announced that it had reached a settlement of its claims against James B. Nutter & Company, a mortgage company that did not implement information security measures to meet federal minimums.  According to the FTC, the […]

Last Minute Reprieve: FTC Postpones Deadline for Red Flags Compliance Until August 1, 2009 – Will Release “Template” For Compliant Identity Theft Prevention Program

On Thursday, April 30, 2009, the day before federal Red Flags Rules were set to go into effect for a wide range of businesses, the FTC published a notice on its website indicating that it is postponing the deadline (yet again) until August 1, 2009. Importantly, this delay appears to be imposed so that the FTC can provide businesses, many of which are confused about how to comply, a “template” identity theft prevention program. “For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law.” The FTC indicates that it will make the template available through their website.

Cracking Down: FTC Fines Credit Research Firm $500,000 For Lax Security, Obtains Court Order Requiring Company to Develop “Comprehensive Information Security Program”

On Thursday, March 5, 2009, the FTC announced that it had reached a settlement with financial research firm Rental Research Services, Inc. (RRS) and its managing officer, Lee Mikkelson, to resolve the FTC’s claims that the firm had failed to provide adequate security for sensitive consumer information provided to identity thieves posing as legitimate users. This case provides a number of key lessons for businesses that have not considered whether their security practices amount to “unfair or deceptive acts or practices” under federal and state laws.

Man Sentenced to 12 Months of Probation and Community Service for Illegal Access to Obama’s Passport Records

Dwayne F. Cross, the second of three people who have pleaded guilty to illegally accessing then-presidential candidate Barack Obama’s passport files, was sentenced to 12 months of probation and 100 hours of community service on Monday. Mr. Cross admitted to accessing State Department passport records involving over 150 individuals, including celebrities, family members, and personal acquaintances, […]

Highlights from the IAPP Privacy Summit – March 11-13, 2009 Washington, D.C.

Between March 11, 2009 and March 13, 2009, the International Association of Privacy Professionals (IAPP) hosted a Privacy Summit in Washington, D.C. that featured keynote presentations from fraud expert Frank W. Abagnale and information security guru Bruce Schneier. The three-day event included dozens of breakout sessions with industry experts and government officials.  Read some of the highlights below.

Cracking Down: FCC Initiates Enforcement Action Against Hundreds of Telecommunications Carriers For Failing to Certify Compliance With Customer Privacy Rules

On Tuesday, February 24, 2009, the Federal Communications Commission (FCC) issued an Omnibus Notice of Apparent Liability alleging that more than 600 telecommunications carriers have violated Section 222 of the Communications Act which "imposes the general duty on all telecommunications carriers to protect the confidentiality of their subscribers’ proprietary information" and the EPIC Customer Proprietary Network Information (CPNI) […]