On November 28, 2017, the EU’s Article 29 Working Party issued its report on the First Annual Joint Review of the EU-US Privacy Shield, which was conducted on September 18-19, 2017.
Category Archives: Legislation & Regulation
Editors’ Note: This is the fifth in a multi-part end-of-year series examining important trends in data privacy and cybersecurity during the coming year. Previous installments include analyses of HIPAA compliance, emerging security threats, federal enforcement trends, and state enforcement trends. Up next: Education.
The term “biometrics” may conjure up images of Gattaca or Minority Report,… More
Editors’ Note: This is the fourth in a multi-part end-of-year series examining important trends in data privacy and cybersecurity during the coming year. Previous installments include analyses of HIPAA compliance, emerging security threats, and federal enforcement trends. Up next: a look at biometrics.
As state Attorneys General continue to flex their muscles in response to serious data security lapses nationwide,… More
HHS Office for Civil Rights Issues Guidance on How HIPAA Allows Information Sharing to Address the Opioid Crisis
Following President Trump’s declaration of a nationwide public health emergency regarding the opioid crisis, the HHS Office for Civil Rights has released new guidance on when and how health care providers can share a patient’s health information with his or her family members, friends, and legal personal representatives when that patient may be in crisis and incapacitated, such as during an opioid overdose.
This guidance reveals nothing new,… More
Since the adoption of the Regulation on 27 April 2016, the Article 29 Working Party (with representatives of the Supervisory Authorities of all Member States) has issued 3 sets of guidance on “Data portability”,… More
A 152 page judgment was rendered today by the Irish High Court in Schrems II: DPC v Facebook.
Not surprisingly, the court decided to refer the case to the Court of Justice of the European Union to make a decision about the validity of the three decisions issued by the Commission for the Standard Contractual Clauses.
Ms. Justice Caroline Costello referred these issues because she concurred with the Irish Data Protection Commissioner’s view there are “well founded”… More
The current challenge to Facebook’s privacy practices in Ireland (“Schrems II”) may be coming to a head. You will recall that in Schrems I, the challenge to Facebook’s privacy practices led to a decision issued by the European Court of Justice that invalidated the US-EU Safe Harbor. Following the invalidation of the Safe Harbor, Facebook switched to the Commission’s Standard Contractual Clauses (SCC) and the Schrems complaint was reformulated to challenge the SCC.… More
As we’ve blogged in the past, the cannabis industry is particularly susceptible to cyberattacks. With threats like a federal crackdown and workplace drug testing, customers have a vested interest in keeping their information private. Unfortunately, the newly-legal cannabis industry has limited experience with data security. While traditional industries have the benefit of expertise and mature regulatory oversight to foster best cybersecurity practices,… More
As we have noted before in this space, states have begun going through the process of amending their data breach notification laws. California, for example, recently amended its data breach notification statute to expand the definition of personal information. Illinois did the same, and adjusted its safe harbor provision. And New York created first-of-its-kind financial sector cybersecurity regulations. … More
General Data Protection Regulation: What It Means For US Healthcare/Life Science Companies (Part Three)
This is the third post in a three-part series designed to provide a summary of some of the GDPR features that are likely to have the most substantial impact on healthcare/life science related businesses. (Links for Part One and Part Two)
GDPR Features that Apply Specifically to the Healthcare/Life Science Sectors
Even though the GDPR is a general regulation,… More
General Data Protection Regulation: What It Means For US Healthcare/Life Science Companies (Part Two)
This is the second post in a three-part series designed to provide a summary of some of the GDPR features that are likely to have the most substantial impact on healthcare/life science related businesses. (Links for Part One and Part Three)
New General Features of the GDPR
Some of the GDPR general features may be of particular interest for companies in the healthcare/life science sectors.… More
General Data Protection Regulation: What It Means For US Healthcare/Life Science Companies (Part One)
This is the first post in a three-part series designed to provide a summary of some of the GDPR features that are likely to have the most substantial impact on healthcare/life science related businesses. (Links for Part Two and Part Three)
The clock is ticking: on May 25, 2018, in less than a year from now, the General Data Protection Regulation (“the GDPR”) will apply in all Member States of the European Union (“EU”) and will replace the Directive 95/46/CE (“the Directive”).… More
Privacy and data security have rocketed to the top of the list of concerns for all corporate boards. Whether you are a technology company, a biotech, or a traditional widget maker, your company has confidential information about its products, customers and employees. And that information has to be protected as a matter of law, both by statute and under contracts with your customers and suppliers.… More
What happens when state and local governments respond to significant data breaches? They often turn to the private sector for breach response capabilities in order to mitigate damages. Speed is the name of the game, and state and local governments often move with alacrity to save face.
But what about procurement laws?
The rush to hire sophisticated private entities to support data breach response efforts is in tension with statutory competitive bidding mandates. … More
Did someone steal your tax return? You are not alone. Indeed, the rise in tax-related identity theft has been well documented. In 2015, the FTC reported a 50% increase in identity theft complaints. A primary cause for that increase was the rise in tax-related identity theft. In response to this increase, the IRS has made stopping identity theft and refund fraud a top priority. From 2011-2014, the IRS reported that it stopped 19 million suspicious returns and protected more than $63 billion in fraudulent returns. … More
The Federal Trade Commission (FTC) has been a critically important regulator of cybersecurity practices in the US, using its authority under Section 5 of the FTC Act to bring enforcement actions against companies for failing to protect their consumers’ private data. This past January, Trump appointed Republican Maureen Ohlhausen as the Commission’s new acting chairwoman. Here’s what you need to know about her approach to data security.… More
The Computer Fraud and Abuse Act, or CFAA, is the federal “anti-hacking” statute (or sometimes referred to as a “computer trespass” statute). In essence, the CFAA prohibits intentional unauthorized access into another computer, when such action directly accesses certain protected information or otherwise causes damage or loss. The CFAA provides for both criminal penalties and civil causes of action. The scope and meaning of access “without authorization”… More
We recently posted on the Ohio Attorney General’s CyberOhio initiative and forecasted that the Ohio Attorney General might be the first of many Attorneys General to join forces with industry in the struggle to protect consumer information. Ohio Deputy General Counsel Craig Rapp, Director of CyberOhio, contacted our blog not only to agree with our prediction, but also to shed more light on what is transpiring in his state. … More
The Economist certainly thinks computer security is broken (and it’s hard to argue the contrary). In its April 8 edition, The Economist’s cover story proclaims, “Why computers will never be safe.” While that’s good news for some of us (at least in the short run), for most of us it’s a daunting proposition. So how to address the problem? Do we need more regulation, as The Economist suggests? … More
New Mexico is one of the few remaining states to not have a law requiring companies to notify consumers when their information is part of a data breach. This, however, might change very soon. Last Wednesday, the New Mexico Legislature passed House Bill 15, called the “Data Breach Notification Act,” sending the bill to Governor Susana Martinez for her signature.
Among other things, the act requires companies with personally identifiable information of New Mexico residents to use reasonable security procedures and practices to protect that information. … More
More than two weeks ago, the President postponed issuing an executive order on cybersecurity. Since then, we’ve had no word from the White House on when he intends to sign it. However, two purported drafts of the order have wound up on the Internet—the Washington Post published the first one, and Lawfare, the second. Here are a few quick impressions on those drafts,… More
Should businesses be thought of as victims or bad actors when it comes to data breaches? State attorneys general are embracing the idea that businesses are not necessarily adversaries in the struggle to protect sensitive consumer information. Over the past several years state attorneys general have exerted efforts to both educate businesses as to their data privacy responsibilities, and collaborate with businesses in constructing more robust cybersecurity policies. The spotlight now is on the Ohio Attorney General,… More
Make Cybersecurity Great Again? Cybersecurity Challenges — and Opportunities — for the Trump Administration
The Trump Administration has taken office at a time when cybersecurity has increasingly entered the public consciousness as a major challenge facing both the United States government and the business community. Cyberattacks from both criminal and state actors have bedeviled businesses and roiled politics over the past year. Against this backdrop, the administration has professed a strong commitment to cybersecurity, for instance designating former New York City Mayor Rudy Giuliani as a high-profile cybersecurity liaison to the private sector,… More
The new (EU) 2016/679 General Data Protection Regulation (GDPR) will enter into force on 25 May 2018. Its scope is broader than that of the current 95/46/CE Directive, which means that more companies headquartered outside of the EU will have to comply with European data protection rules than under the current regime.
The 95/46/CE Directive set up a European body, the Article 29 Working Party,… More
US companies with employees or clients in Switzerland will be interested to hear that the new Swiss-US Privacy Shield was approved on 11 January.
Although Switzerland is not a member of the European Union, its data protection law (Federal law of 19 June 1992) is very similar to the European 1995 Data Protection Directive. According to the Federal law, the transfer of personal data outside of the country is not allowed if that would pose a serious threat,… More
More information from HHS OCR about the phishing threat:
- On November 28, 2016, the HHS Office for Civil Rights issued a listserv announcement warning covered entities and their business associates about a phishing email that disguises itself as an official communication from the Department. The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program,…
As part of the ongoing HHS OCR HIPAA audit initiative, it is conducting “HIPAA desk audits.” These audits don’t involve auditors coming in your facility. Instead, covered entities are being asked to submit documents on:
(1) their risk analysis and risk management plans under the HIPAA security rule;
(2) the content and timeliness for following the HIPAA breach notification rule; or
(3) the notice of the entity’s privacy practices for health information and patients’… More
Editor’s Note: This is the second in a continuing end-of-year series. Stay tuned for our next installment, discussing HIPAA compliance.
In the patchwork of state and federal law regulating the use and maintenance of personal confidential information, states play a significant role and can often be the most important regulator and law enforcement authority. Recent events have signaled changes in how states interpret and enforce their data privacy standards —… More
The U.S. Department of Homeland Security says that all employees need to know the signs of a cyber-attack, not just those who work in the IT field. This is increasingly important as more companies move business operations online. The Department stresses employees should make passwords complex, beware of phishing emails and report all suspicious activity to their company’s IT department.
Does your business collect and share consumer health information? Check out these tips from the FTC for complying with HIPAA and the FTC Act.
The HIPAA Privacy Rule applies to HIPAA covered entities— a health plan, most health care providers, or a health care clearinghouse. It also applies if you are a business associate – a person or company that helps a covered entity carry out its health care activities and functions.… More
Reuters reported earlier this month that, according to three former employees, Yahoo Inc. had “complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo mail accounts at the behest of the NSA or FBI.” Yahoo responded that the article was misleading, but did not deny the scanning had occurred.
The New York Times reported further details about this scanning: Yahoo had modified a system intended to scan emails for child pornography and spam in order to satisfy a secret court order requiring it to search for messages containing a computer “signature” tied to the communications of a state-sponsored terrorist organization.… More
On July 6, 2016, the European Union adopted Directive (EU) 2016/1148, “concerning measures for a high common level of security of network and information systems across the Union,” otherwise known as the Network and Information Security Directive. (A directive, in EU parlance, is an instruction to member states to achieve a particular objective and a general framework for how to do so. This differs from a regulation, which is immediately binding on all member states.) Pursuant to this Directive,… More
In Case You Missed It: The Federal Trade Commission has opened a public comment period to evaluate its Safeguards Rule (16. C.F.R. § 314.3). Under the Gramm-Leach-Bliley Act (GLBA), which regulates financial institutions, the FTC is empowered to promulgate regulations governing how financial institutions secure consumer information. The Safeguards Rule, as currently in force, does not have specific “how-to” requirements, but rather broad and flexible standards that financial institutions can use as guidelines in assessing risks to the data they maintain and in developing viable security plans. … More
Article 29 Working Party on the EU-US Privacy Shield: A Number of Concerns Remain But Let’s See How It Works
Article 29 Working Party on the EU-US Privacy Shield:
The EU’s Article 29 Working Party analyzed the final version of the Privacy Shield and issued a statement on July 26, 2016. What does this mean?
- Recap: Where are we and how did we get here?
In Case You Missed It: U.S. Major party platforms address cybersecurity. The two major parties have released their 2016 election platforms, both of which include cybersecurity planks. The Republican platform’s perspective of cybersecurity is an element of national security and international relations. The platform called for harsh responses to cyber-attacks against American businesses, institutions, and government, applauded the Cybersecurity Information Sharing Act of 2015, and pledged to “explore the possibility of a free market for Cyber-Insurance.” The Democratic platform is largely as a continuation of President Obama’s cybersecurity policies.… More
- The Privacy Shield will now go into effect.
- The preliminary start date for companies to be certified under the Privacy Shield is August 1, 2016.
- Expect more challenges to the Privacy Shield before all is said and done.
Following the invalidation of the US-EU Safe Harbor by the European Court of Justice in the Schrems case,… More
The recently-released Pokémon Go has quickly emerged as a cultural phenomenon, with legions of players using their phones to “catch” Pokémon that emerge all around them, visible (thankfully) only to players. While catching Pokémon by phone is far less cumbersome than collecting boxes upon boxes of Pokémon cards, as some of us did in the early aughts, it does come with its own set of pitfalls. Specifically,… More
In Case You Missed It: The EU/US Privacy Shield is set to go into effect this Tuesday, July 13, pending a decision today by the EU’s College of Commissioners. On Friday, July 8, the Privacy Shield agreement (entered into in February) was adopted by EU member states. EU/US data transfer has been in limbo ever since the erstwhile Safe Harbor was invalided by the European Court of Justice last year. … More
In Case You Missed It: Ruling in FTC v. Amazon Suggests a Way Forward for Companies Responding to Actions Brought by the FTC after a Data Breach. The FTC’s recent actions in the realm of data security have been predicated on its claim of statutory authority to seek injunctive relief for the failure to maintain reasonable and appropriate data security practices. A U.S. District Court ruling last week casts some doubt on that authority. … More
In Case You Missed It
The FTC settled with mobile advertising company InMobi for $950,000 in civil penalties, along with the implementation of a privacy program, based on the FTC’s charges that InMobi impermissibly tracked the locations of both adult and child consumers for the purpose of geo-targeted advertising. The latter, of course, also implicated allegations of violations of the Children’s Online Privacy Protection Act (COPPA) rule. … More
Last week, the Department of Homeland Security (“DHS”) released its Final Rules for private-sector information-sharing under the Cybersecurity Information Sharing Act of 2015 (“CISA”). CISA permits private companies to share cyber threat information with the U.S. government and shields those companies from liability for doing so. The new CISA Rules outline exactly how this information-sharing will work, namely: how information is submitted; what information gets submitted; and what happens to the information after submission.… More
New Data Protection Obligations In Europe: Data Protection Officers and Impact Assessment under the New General Data Protection Regulation (GDPR)
The full text of the General Data Protection Regulation (GDPR) was published on 4 May 2016. Although the GDPR will not be effective until 25 May 2018, it is worth looking into it right now given the major changes it makes to the rules in the 1995 Directive.
Application of the GDPR
The GDPR applies to the processing of personal data by companies having an “establishment” in the European Union,… More
In Case You Missed It: Illinois strengthened its data privacy and security law, with the amendments going into effect in January 2017. The amendments include expanding the definition of “personal information” to include a username or email address of an Illinois resident in conjunction with a password or security question answer that would permit access to an online account. The definition is also expanded to include medical and health insurance information. … More
After the European Court of Justice invalidated Safe Harbor on October 6, 2015, the Article 29 Working Party announced in an October 16, 2015 statement that US companies that were Safe Harbor certified had until the end of January 2016 to find alternative means to transfer data to the US and, if they failed to do so, EU Data Protection Authorities would pursue enforcement measures.… More
In Case You Missed It: The SEC fined Morgan Stanley $1 million for a 2014 data breach. While the FTC had declined to pursue an enforcement action, blaming the breach on technical issues rather than any actions or omissions on the part of Morgan Stanley, the SEC reached a different conclusion. The SEC faulted Morgan Stanley for, among other things, failing to have adequate and up-to-date cybersecurity policies and for failing to correct gaps and flaws in its security systems. … More
In Case You Missed It: US and EU officials signed on to the so-called “Privacy Umbrella” deal last week. The agreement is designed to protect the personal data of EU citizens when it is transferred to the US for law enforcement purposes — a sort of criminal counterpart to the sturdier-sounding Privacy Shield we discussed here last Thursday. And, like the Shield, the Umbrella has drawn its share of critics,… More
On 29 February the European Commission released its draft adequacy decision about the proposed Privacy Shield, which is intended to replace the invalidated EU-US Safe Harbor. While Microsoft stated on April 11 that they “pledged to sign up for the Privacy Shield,” the European authorities have so far been much more skeptical.
- Article 29 Working Party
On 13 April,…
Hedge Fund Association Symposium in Boston
The Securities and Exchange Commission has reiterated that cybersecurity threats and the adoption of sufficient policies and procedures will remain a compliance and examination priority for 2016. Please join us for a discussion of the primary threats facing managers of private funds, particularly emerging managers, and practical steps that they should be taking to protect their business from cybersecurity threats.
This event is complimentary for HFA members and friends of Foley Hoag. … More
Unfortunately, health care providers are the perfect mark for theft and extortion because they have huge amounts of sensitive information and maintain such information in computer databases at risk of infiltration. On May 17, Foley Hoag presented a webinar discussing the ongoing crime sprees involving theft of patients’ identities and health information; ransomware involved in these crimes; related data security issues affecting health care providers; and how they implicate law enforcement and the criminal law aspects of HIPAA.… More
On May 25, 2016, partners Catherine Muyl, Colin Zick and Daniel Schimmel participated in a panel discussion on how companies can transfer personal data and remain compliant. The event, co-sponsored by The French-American Chamber of Commerce, Foley Hoag LLP and The Consulate General of France in New York, was part of the FACC’s “Tech, Media & Entertainment”… More
On May 11, 2016, President Obama signed the Defend Trade Secrets Act of 2016 (“DTSA”) into law. Previously, companies could only bring misappropriation of trade secrets claims under state law. (Unless they were able to convince federal prosecutors to bring criminal charges under the Economic Espionage Act, which rarely ever happens.) Now, companies have the option of pursuing a federal cause of action for misappropriation of trade secrets,… More
As litigators, we help clients resolve conflicts that have matured into disputes. In the realm of cybersecurity, we defend claims brought by private parties or governmental entities against companies facing the fallout from a data breach.
In advising clients in the context of litigation, we have identified tools that are available to mitigate or prevent the types of breaches that we see in litigation. In the area of cybersecurity,… More
The GDRP sets out uniform new rules in the field of data protection across the EU, rules that will standardize the law in the 28 EU Member States and have an impact on both European and non-European companies. For example:
- data controllers (companies collecting and using personal information) will have a wide range of new obligations,…
After the invalidation of the Safe Harbor by the European Court of Justice (“ECJ”) last October in the Schrems case, negotiations between the European Commission and US authorities led to a new agreement called the EU-US Privacy Shield. However, the EU’s 1995 Data Protection Directive provides that the Article 29 Working Party (“WP29”) has to issue an opinion on this kind of agreements and it did so on April 13.… More
As a follow-up to our recent discussion of IRS-related phishing attempts, here are a few quick tips to stay out of the phishing traps:
- In general, the IRS does not communicate with taxpayers via e-mail, so any time someone receives an e-mail from the “IRS,” they should be suspicious at the outset.
- Even if the IRS did correspond with taxpayers via e-mail,…
The Future of Data Privacy Regulation in Massachusetts? AG’s Office Foreshadows State Action on Consumer Data in First-of-its Kind Conference
On March 24, 2016, the Massachusetts Attorney General’s Office gave us a glimpse. In collaboration with Harvard’s Berkman Center for Internet and Society, and MIT’s Internet Policy Research Initiative and Computer Science and Artificial Intelligence Laboratory, the AG’s Office convened a “Forum on Data Privacy.” In this first-of-its-kind conference,… More
Tax season ‘tis the season to be phishing, according to the IRS. The IRS has issued a warning to payroll and human resources professionals about a “surge” in phishing emails seen this year. One of the preferred tactics of identity thieves this year appears to be impersonating CEOs and sending emails to company payroll and human resources departments asking for employee W-2s. … More
The new framework dedicated to the EU / US flow of personal data is in fact a combination of several documents issued by the US and the EU.
On the US side, we have a letter sent by the U.S. Secretary of Commerce Penny Pritzker on 23 February 2016 to EU Commissioner Věra Jourová including the “package of EU-US Privacy Shield materials” (of 128 pages) which is made of 6 letters issued by various US officials (see details at the end of this article).… More
As part of implementing the EU-US Privacy Shield, on February 24, 2016, President Obama signed the Judicial Redress Act (H.R.1428/S.1600). This law is designed to give EU citizens the right to sue the U.S. government for privacy violations. In particular:
Reminder: March 1, 2016 Effective Date for Information Systems Security Programs Including Cybersecurity for NFA Members
As noted in our earlier Foley Adviser, March 1, 2016 is the effective date for NFA member firms (including futures commissions merchants, commodity trading advisors, commodity pool operators, introducing brokers, retail foreign exchange dealers, swap dealers, and major swap participants) to adopt and enforce written policies and procedures to secure customer data and access to their electronic systems.
If you have any questions regarding implementation of these policies and procedures,… More
The COPPA Rule requires website and online service operators to give notice to parents and obtain verifiable parental consent before collecting children’s “personal information” online. 16 CFR §§ 312.4, 312.5. The definition of “personal information” encompasses some obvious pieces of data – name and address, for example – and some less-obvious ones, such as screen names, geolocation data, and “persistent identifiers.” A “persistent identifier” is a piece of information “that can be used to recognize a user over time and across different web sites or online services,” such as “a cookie,… More
February 3, 2016 Statement of the Article 29 Working Party on the Consequences of the Schrems Judgment
- The Working Party will not blindly accept the EU-US Privacy Shield.
It welcomes the conclusion of the negotiations, but also is asking to see all documents pertaining to the new EU-US Privacy Shield by the end of February.…
EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield
What follows below is the EU’s press release regarding the agreement on a replacement for the EU-US Safe Harbor. We are working to get details and will schedule a webinar on the new framework shortly.
The European Commission and the United States have agreed on a new framework for transatlantic data flows: the EU-US Privacy Shield.
Today, the College of Commissioners approved the political agreement reached and has mandated Vice-President Ansip and Commissioner Jourová to prepare the necessary steps to put in place the new arrangement.… More
On December 18, 2015, President Obama signed the Cybersecurity Act of 2015 (The “Act”), legislation designed to combat online threats to the federal government, state and local governments, and private entities. Within the Act are four titles, the most significant of which is Title I, the Cybersecurity Information Sharing Act (“CISA”) (which begins at p. 694).
CISA addresses the manner in which the federal government and non-federal entities may share information about cyber threats and the defensive measures they may take to combat those threats.… More
On January 22, 2016, I had the pleasure to present to the Massachusetts Health Information Management Association’s Winter Meeting, to discuss “Compliance Beyond HIPAA.” The presentation slides from the program are available here, and reflect discussion of:
As we have noted previously, in the wake of the ECJ’s decision that undid the US-EU Safe Harbor, we were told that there would be no enforcement of the EU Directive until after January 31, to allow the US and EU to hammer out a new regime. However, Isabelle Falque-Perrotin, the chair of the EU’s Article 29 Working Party, has stated that the next meeting of the Working Party will take place on February 2. … More
Amendment to the Annual Privacy Notice Delivery Obligations of Financial Institutions under the Gramm-Leach-Bliley Act contained in the FAST Act
On December 4, 2015, President Obama signed the Fixing America’s Surface Transportation Act (the ‘‘FAST Act’’) into law. Although the FAST Act’s main focus is on improving the country’s surface transportation infrastructure, the law also contains a provision that modified the annual privacy notice requirement under the Gramm-Leach-Bliley Act (“GLBA”).
Previously under the GLBA privacy regulations, financial institutions (which includes registered investment advisers,… More
HIPAA Privacy Regulations Amended to Allow Disclosures of Mental Health Information for Firearm Background Checks
On January 4, 2016, the Department of Health and Human Services (HHS) modified the HIPAA Privacy Rule to expressly permit certain covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities of those individuals who, for mental health reasons, already are prohibited by Federal law from having a firearm. According to HHS, “This modification better enables the reporting of the identities of prohibited individuals to the background check system and is an important step toward improving the public’s safety while continuing to strongly protect individuals’… More
European Union Agrees On a New Data Protection Framework To Replace the 95/46/CE Directive: Meet the “General Data Protection Regulation”
On 15 December 2015, the three main European institutions, the Commission, the Parliament and the Council, agreed on the final text of the General Data Protection Regulation (GDPR) which has been on the table since January 2012. This is a major achievement, given the number of obstacles that still needed to be overcome a few weeks ago in order to meet the end of 2015 deadline for finalizing the GDPR. … More
Today, Wyndham and the FTC settled the enforcement action brought by the FTC that had led to a significant decision by the Third Circuit in August of this year. (Wyndham’s statement on the settlement can be found here; the FTC’s statement can be found here; my earlier analysis of the Third Circuit’s decision can be found here.) While the details of the settlement are interesting in their own right – Wyndham will not be paying anything by way of a fine or monetary damages and is not required to admit liability,… More
Weltimmo v. Hungarian Data Protection Authority: EU Rules on What It Means To Be “Established” in a Jurisdiction
While the Schrems decision invalidating the US-EU Safe Harbor Program is rightly attracting a great deal of attention (as well as blogging and webinars) – and leaving many wondering what to do in the absence of the US-EU Safe Harbor System – companies doing business in the EU need also to consider the impact of another recent decision,… More
Today, the Article 29 Working Party (the advisory body on data protection and privacy composed of representatives from the national data protection authorities of all EU Member States) was to meet in Brussels to discuss, amongst other things, the consequences of the European Court of Justice ruling of 6 October 2015 in the Maximilian Schrems case, with EU-US data flow at the top of its agenda.
Hosted by Foley Hoag LLP and UK Trade & Investment, The British Consulate General in Boston
On October 6, 2015, the European Court of Justice issued a landmark decision invalidating the US-EU Safe Harbor system. In practice, this means that US organizations can no longer rely on the Safe Harbor system to permit the transfer of personal data from the European Union to the US consistent with Directive 95/46/EC.… More
Cybersecurity and Risk Management: “Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers”
A timely new resource for business executives, technology professionals, and lawyers alike is the newly-published Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers from the New York Stock Exchange and Palo Alto Networks. At 355 pages, the guide provides information from dozens of contributors from around the country and from various backgrounds. The guide explores 46 separate topics, focusing on such issues as prevention,… More
The Cybersecurity and Information Sharing Act (S.754), or CISA, cleared an important hurdle on Thursday when the Senate voted 83-14 to end debate on several amendments to the bill. CISA creates a cyberthreat information sharing system to, in the words of the bill, “improve cybersecurity in the United States.” Specifically, as currently drafted, the bill requires various government actors and agencies (such as the Attorney General and the Department of Homeland Security) to create specific policies and regulations relating to the sharing of cyberthreat data from private entities and within government entities. … More
The FTC’s Broad Authority and FTC v. Wyndham: Thinking about the Future of Data Privacy Regulations
What makes data privacy law interesting for academics, challenging for lawyers, and frustrating for businesses is its shape-shifting structure in the face of rapidly changing technology. The recent change in the invalidation of US-EU “safe harbor” system is a useful reminder of the differences between the way the European Union and the U.S. handle questions of data privacy: whereas, generally speaking, in the EU data privacy standards are relatively uniform,… More
The European Court of Justice has just issued a decision (ECJ 6 October 2015 Case C-362/14, Maximillian Schrems v. Data Protection Commissioner) that invalidates the so-called US-EU “Safe Harbor” system. Suddenly, what 3,500 U.S. Companies (including some of the largest companies in the world) have been doing with personal data now potentially becomes illegal.
What is the background to this decision?
In 1995,… More
By now, you have no doubt heard that the European Union’s highest court today invalidated the U.S.-EU Safe Harbor Program. The European Court of Justice overturned the European Commission’s 15 year old decision finding that the privacy principles of the U.S.-EU Safe Harbor provide an adequate level of protection of the data of EU citizens. Among other things, the court cited concerns that the data may be subject to U.S.… More
This month’s edition of the Advanced Cyber Security Center’s newletter includes my discussion of lessons to be learned from the Wyndham decision:
Historically, security was an issue reserved in a back room for the IT department, if there were even a budget and ample resources. To the public, cybersecurity meant identity theft and proceeded with business as usual with the comfort of an anti-virus protection that may have come with their computer.… More
On June 12, 2015 the French Data Protection Authority (Commission Nationale de l’Informatique et des Libertés – CNIL) issued a notice ordering Google to draw all the consequences of the CJEU May 13, 2014 ruling and to apply delisting not only to the national domain of the individual who requests delisting but on all of the search engine’s domains, including google.com (see our article The Right to be Forgotten: Another Scuffle between Google and The French Data Protection Authority | Security,… More
By Martha Coakley and Jon Hurst
This entry originally ran as an op-ed in the September 25, 2015 edition of The Boston Globe.
Hardly a week goes by without a news report of a new cyberattack. As any consumer affected by fraud knows, the harm is real. The impact on businesses, government, and other targets is also real,… More
The SEC Charges Investment Adviser with Violating Regulation S-P by Failing to Adopt Cybersecurity Policies and Procedures
In recent years, the SEC has been focused on cybersecurity. It has issued risk alerts, conducted examinations and provided guidance about what the agency sees as widespread weaknesses in many policies and procedures to protect against cyberthreats. The SEC has now taken the next step: a few days ago, the SEC brought its first-ever enforcement action for a violation of Regulation S-P, 17 C.F.R. § 248.30(a) – known as the “Safeguards Rule” – against an investment adviser that was itself the victim of a security breach in which hackers stole customer information.… More
SEC Issues Risk Alert Announcing Second Round of Examinations of Registered Investment Advisers and Broker-Dealers
* * *
On September 15, 2015, the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) issued a Risk Alert announcing a second round of examinations of registered investment advisers and broker-dealers under its cybersecurity examination initiative.… More
Delaware Attorney General Matt Denn is serious about online privacy, and aims to make Delaware “the safest state in America for kids to use the internet.” This August, Delaware Governor Jack Markell signed into law four online privacy bills drafted by the Attorney General, the most substantial of which is the Delaware Online Privacy and Protection Act.
Over one year ago, our colleague Chris Hart argued that the District of New Jersey court’s decision in FTC v. Wyndham Worldwide Corp. et. al., No. 13-1887-ES, “point[ed] to the possibility that the FTC has potentially broad power, and a far reach, to bring actions for data breaches as a general matter.” That possibility became substantially more concrete this week,… More
The FTC’s COPPA (the Children’s Online Privacy Protection Act) Rule requires website operators to obtain “verifiable parental consent” prior to collecting, using, or disclosing personal information from children. Though the COPPA Rule enumerates several methods for obtaining consent, the FTC, sensitive to how fluid technological developments in this space can be, also allows pre-approval of new methods not listed in the Rule. 16 CFR 312.12(a).… More
On 13 May 2014 the Court of Justice of the European Union (CJEU) issued a judgment which Google called a “landmark ruling” (Google v. Costeja Gonzalez case, C-131/12). The court held, based on the 95/46 Directive on protection of personal data that “the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages,… More
A key distinguishing feature of U.S. data privacy laws is their patchwork nature. There are industry-specific data privacy laws at the federal level (think HIPAA or the GLBA), yet there are no comprehensive federal standards that governs an entity’s obligations in the event of a data breach like the EU’s Data Privacy Directive. For data breach response, in addition to the possible application of an industry-specific law or regulation,… More
With the heart of the summer vacation season upon us, it seems like a good time for some reflection. Here, it comes in the form of excerpts from an essay by privacy maven, Deborah Hurley. The one time Director of the Harvard Information Infrastructure Project at Harvard University, she has been thinking and writing about privacy issues for two decades. Her entire essay can be found in the book,… More
This seminar was presented by Foley Hoag LLP and and a panel of industry experts on ISO 27018, the new international standard governing the processing and protection of personal information by public Cloud Service Providers (CSPs). Even though this new standard is voluntary, it is widely expected to become the benchmark for CSPs going forward.
As the first and only international privacy standard for the cloud,… More
As part of a series of measures aimed at increasing preparedness and defenses against international cyberattacks on U.S. industries and government agencies, on April 1, President Obama issued Executive Order No. 13694, authorizing the Treasury Department’s Office of Foreign Assets Control (OFAC) to sanction foreign individuals or entities committing such attacks. The new sanctions will allow the Treasury Department to block or freeze the assets of those outside the U.S.… More
Smart grids – electrical grids that allow two-way communication between utilities and consumers – represent an exciting frontier in the Internet of Things, with ramifications for energy efficiency, weather resiliency and climate change, among others. As the Department of Energy writes, “[t]he Smart Grid represents an unprecedented opportunity to move the energy industry into a new era of reliability, availability, and efficiency that will contribute to our economic and environmental health.”
But like many aspects of the Internet of Things,… More
Update on President Obama’s “Summit on Cybersecurity and Consumer Protection,” Part III: Five Key Lessons for Business
Concluding our three-part analysis of the White House’s first Summit on Cybersecurity and Consumer Protection, we turn to some practical advice coming out of the Summit’s afternoon session, including an address by Maria Contreras-Sweet, the administrator of the Small Business Administration (“SBA”), and a panel discussion among financial sector leaders moderated by Deputy Treasury Secretary Sarah Bloom Raskin.
Here are five takeaways for companies large and small:
- Companies are only as secure as their most vulnerable employee.…
Update on President Obama’s “Summit on Cybersecurity and Consumer Protection,” Part II: The Executive Order
As a follow up to our summary of the key takeaways from the White House’s first Summit on Cybersecurity and Consumer Protection, the centerpiece of which was President Obama’s signing of a new Executive Order, “Promoting Private Sector Cybersecurity Information Sharing,” what follows is an analysis of that Order.
What does the Order actually do?
The Order “promotes…encourages…and…allows” but does not require anything.… More
The first ever Summit on Cybersecurity and Consumer Protection was convened today at Stanford University, keynoted by President Obama. The purpose of the summit: to “bring together major stakeholders on consumer financial protection issues to discuss how all members of our financial system can work together to further protect American consumers and their financial data.” These stakeholders, a number of public and private sector leaders,… More
SEC Office of Compliance Inspections and Examinations Releases Cybersecurity Examination Sweep Summary of Investment Advisers and Broker-Dealers
Our colleagues Catherine M. Anderson and Kate Leonard of our Investment Management group have summarized the February 3, 2015 findings by the Office of Compliance Inspections and Examinations (OCIE) of its Cybersecurity Examination Sweep, which sought to evaluate the breadth of cybersecurity policies implemented by investment advisers (as well as by broker-dealers). For more details on the sweep, see our previous Foley Adviser update: SEC Issues Risk Alert on Cybersecurity Initiative for Investment Advisers.… More
Our friends at Co3Systems and IOD recently produced a webinar, “Ready or Not, Here They Come: Preparing For Phase 2 HIPAA Compliance Audits” that provides a succinct overview of what is coming down the pike for HIPAA covered entities.
In a first for the FCC, it announced on October 24 that it intends to fine two telecom companies $10 million for data security violations:
The FCC intends to fine TerraCom, Inc. and YourTel America, Inc. $10 million for several violations of laws protecting the privacy of phone customers’ personal information. According to an investigation by the Enforcement Bureau, TerraCom and YourTel apparently stored Social Security numbers, names,… More
Last week, the FTC announced approval of a new Safe Harbor Program under the Children’s Online Privacy Protection Act (COPPA), called iKeepSafe. The program was created by the Internet Keep Safe Coalition, a nonprofit organization that describes its goal as the “creation of positive resources for parents, educators and policymakers who teach youths how to use new media devices and platforms in safe and healthy ways.”
The COPPA Rule affords some flexibility in compliance through use of a safe harbor provision,… More
The FTC’s July 10, 2014 complaint filed against Amazon has left app developers with concerns about how to make apps that target kids and still comply with the law. The complaint, brought under Section 5(a) of the FTC Act, alleged that Amazon failed to obtain parents’ or account holders’ informed consent to in-app charges incurred by children. While the complaint was not brought under the Children’s Online Privacy Protection Act (COPPA),… More
In a unanimous decision issued today, the Supreme Court ruled that police cannot search the cell phones of arrested individuals without a warrant. In reaching its decision, the Court recognized that there is an immense amount of personal information on smart phones and held that access to that information would constitute a significant invasion of individual privacy. With the relatively recent invention of cell phones and the sudden pervasiveness of smart phones in the United States,… More
The Revised COPPA Rule and “Personal Information” – One Example that Balances Anonymity and Interactivity
The revised Children’s Online Privacy Protection Act (“COPPA”) Rules, as discussed here previously were meant to bring regulations in line with, in the FTC’s words, the “rapid-fire pace of technological changes to the online environment” that have taken place since COPPA was passed in 2000. This week’s Boston Globe article about the new public television production, WGBH’s “Plum Landing,” provides an interesting illustration of the impact of the revised COPPA Rule.… More
State Securities Regulators in Massachusetts and Illinois Survey Investment Advisors on Cybersecurity Practices
Picking up on the SEC’s initiative to assess cybersecurity preparedness discussed here previously, state securities regulators in Massachusetts and Illinois sent to investment advisors registered in their respective states a survey on their cybersecurity practices.
The Massachusetts surveys were sent on June 3 and a response is due on June 24. William F. Galvin, Secretary of the Commonwealth, whose jurisdiction includes the Massachusetts Securities Division,… More
To buttress the SEC’s initiative to assess cybersecurity preparedness in its risk alert discussed here previously , the SEC also has the power to bring enforcement actions against registered entities that fail to meet cybersecurity requisites. Specifically, the SEC may bring an enforcement action against registered entities that violate the safeguards rule of Regulation S-P (17 CFR § 248.30(a)) (commonly referred to as the “Safeguards Rule”).… More
Our colleagues Catherine M. Anderson and Jennifer M. Macarchuk have summarized the recent SEC Risk Alert regarding its initiative to assess cybersecurity preparedness and threats in the securities industry, including examinations of more than 50 SEC-registered investment advisers and broker-dealers.
The full text of the Risk Alert is available here.
SEC-registered investment advisers should review the Risk Alert,… More
Data breach law in the United States might have just become a lot less patchy, but a little more uncertain. On April 7, 2014, the District Court of New Jersey decided FTC v. Wyndham Worldwide Corp., et al., No. 13-1887-ES. This case arises out of a FTC action, brought under the deception and unfairness prongs of Section 5(a) of the FTCA (15 USC s.… More
Triple-S Salud Inc., a Puerto Rican health insurer, has been hit with a $6.8 million penalty from the Office of Civil Rights of the Department of Health and Human Services for a massive data breach. Triple-S (known as ASES in Spanish) has posted a notice on its website regarding the breach.
Rare Massachusetts Superior Court Decision Interpreting the CFAA Takes the Narrow View Without Squarely Addressing the Broad
Judge Peter M. Lauriat of the Massachusetts Superior Court decided late last year that an employee who takes confidential documents from her employer’s electronic document system to use in a discrimination lawsuit against her employer is not liable to the employer under the Computer Fraud and Abuse Act (CFAA), especially when the employer knew about the lawsuit but nonetheless did not restrict the employee’s access to those documents while she was working for the employer. … More
On February 20, the U.S. Department of Health and Human Services Office of Civil Rights (HHS OCR) released new guidance explaining how the HIPAA Privacy Rule operates to protect individuals’ privacy rights with respect to their mental health information and in what circumstances the Privacy Rule permits health care providers to communicate with patients’ family members and others to enhance treatment and assure safety.
The guidance is essentially a set of answers to frequently asked questions. … More
In a previous post, I wrote about privacy concerns surrounding data storage nonprofit inBloom and its partnership with the New York State Education Department (“NYSED”). On February 5, 2014, New York State Supreme Court Justice Thomas A. Breslin dismissed the lawsuit filed by parents seeking to block NYSED from sharing and storing student data with inBloom. In his order,… More
Privacy concerns have threatened the plans of the New York State Department of Education to use third party contractor, inBloom, to store and integrate student data in a cloud-based system. On January 10, the Department announced that it would delay release of additional student data to inBloom. The delay, which the Department said is normal for a project of its size, comes after a class of parents filed suit in November and New York legislators proposed a bill requiring parental consent before sharing such data.… More
Have you wanted to read up on the many cyber security issues that have arisen over the past year but which you did not have time to follow in detail? We have just the thing — four reports from the Congressional Research Service, the low-key public policy research branch of the U.S. Congress (so low-key that they do not have a web site).
Four recent CRS reports on timely cyber topics are:
Massachusetts Federal Court Refuses to Dismiss CFAA Claim But Permits the Defendants to Ask Again Later
In the cross-post from our Noncompete Blog, another CFAA decision is discussed.
Echoing a new theme in the federal district court in Massachusetts, last month Chief Magistrate Judge Leo T. Sorokin refused to dismiss a Computer Fraud and Abuse Act (“CFAA”) claim brought against the former CEO of a company, but did so without prejudice, meaning that the defendants could ask the Court to dismiss the claim again later in the case.… More
Now that the initial media blitz about the massive Target breach has passed, it is time to look ahead at the implications:
- Legislation: In the past, we have seen major breaches drive legislative change. But now that most states have data security statutes, it seems unlikely that much will happen at the state level. And action at the federal level has been long promised, but remains a distant vision.…
In a 68 page order issued earlier today, a federal district court judge ruled in favor of five plaintiffs challenging the NSA’s collection of phone record information, finding that the plaintiffs:
- “have standing to challenge the constitutionality of the Government’s bulk collection and querying of phone records metadata”;
- “have demonstrated a substantial likelihood of success on the merits of their Fourth Amendment claim”;…
The United States District Court for the Northern District of California recently refused to dismiss a Computer Fraud and Abuse Act (CFAA) claim with an unusual twist: the defendant allegedly circumvented an IP address block after receiving a cease-and-desist letter from the plaintiff and therefore is alleged to have acted “without authorization” in violation of the CFAA.
An interesting article by Jeffrey Spear that appeared in the New Hampshire Bar News in July shows that the federal district court in New Hampshire is struggling with the same question as the district court in Massachusetts: What is the proper interpretation of the Computer Fraud and Abuse Act (“CFAA”)? … More
“A Million Here, a Million There”… WellPoint Settles HIPAA Breach and Security Claims with HHS OCR for $1.7 Million
Managed care company WellPoint Inc. has agreed to pay the U.S. Department of Health and Human Services $1.7 million to settle potential HIPAA Privacy and Security Rule violations committed in 2009 and 2010.
As so often happens, HHS OCR began its investigation following a self-report of the breach by WellPoint. That report “indicated that security weaknesses in an online application database left the electronic protected health information (ePHI) of 612,402 individuals accessible to unauthorized individuals over the Internet.… More
In order to “keep up with technology,” the FTC revised the Children’s Online Privacy Protection Rule (COPPA) in 2012. As a result of those revisions, some companies that may not have been covered by COPPA may now be covered, and the effective date of those changes is today, given the July 1st effective date of the revised COPPA Rule. To streamline your response to these issues, the FTC has developed a six-step COPPA compliance guide:
The Federal Trade Commission has issued revised guidance designed to help businesses comply with the requirements of the Red Flags Rule, which protects consumers by requiring businesses to watch for and respond to warning signs or “red flags” of identity theft.
The guidance outlines which businesses – financial institutions and some creditors – are covered by the Rule and what is required of businesses to protect consumers from identity theft. … More
The Split in the Circuit Courts Over the Proper Interpretation of the Computer Fraud and Abuse Act Actually Goes Three Ways
Posted on March 15th, 2013 by Brian P. Bialas
on our sister blog, Massachusetts Noncompete Law.
I’ve written many times More about the significant split in circuit courts’ interpretation of the Computer Fraud and Abuse Act (CFAA), which affects whether an employer can sue an employee for violating computer use restrictions, usually embodied in a confidentiality agreement or company IT policy, when an employee downloads confidential information he is permitted to access but then takes that information to a competitor. …
The revised HIPAA regulations were formally published today in the Federal Register. In this form, they only take up 138 pages!
Law360 has a brief piece on the revised HIPAA rules, with the perspectives of various attorneys (including me) on the changes. While I’m not sure I agree with the quote that “This is a paradigm shift in the privacy world,” I do agree that this is “definitely something for all businesses to pay attention to.” Similarly,… More
On January 18, 2013, nearly four years after the passage of the HITECH Act and its amendments to HIPAA, and nearly three years after it proposed regulatory amendments, the U.S. Department of Health and Human Services (“HHS”) has finally issued major “omnibus” revisions to HIPAA’s privacy and security regulations.
Nearly four years after the passage of the HITECH Act and its amendments to HIPAA, and nearly three years after it proposed regulatory amendments, the U.S. Department of Health and Human Services (“HHS”) has finally issued major revisions to HIPAA’s privacy and security regulations.
The National Labor Relations Board (NLRB) recently issued a significant decision – solidifying the position it has staked out over the past 18 months – that an employee’s posts on social media may be entitled to protection under the National Labor Relations Act (NLRA),… More
As originally drafted, “creditors” would have included anyone “who regularly extends, renews, or continues credit” or “who regularly arranges for the extension, renewal, or continuation of credit,” 15 U.S.C.… More
Today’s Law360 addresses “HHS Data-Scrubbing Guidance” with quotes from me and others on the subject:
Clarifying the types of data that need to be removed from data sets can also help companies maximize the value of the information that they hold as the value of and ability to use this data for research and public health purposes increases, Foley Hoag LLP security and privacy practice co-chair Colin Zick added.… More
On November 26, HHS OCR released guidance regarding methods for de-identification of protected health information in accordance with the HIPAA Privacy Rule. This guidance fulfills the American Recovery and Reinvestment Act of 2009 (ARRA) mandate that HHS issue such guidance.
Following the passage of ARRA, OCR collected research and views regarding de-identification approaches, best practices for implementation and management of the current de-identification standard and potential changes to address policy concerns.… More
At the end of what was an interesting, but rather ordinary interview in the Wall Street Journal, FTC Chair Jon Leibowitz dropped this interesting nugget:
MS. ANGWIN: The EU has a very different approach to privacy, and there has been concern about whether we’re going to move in that direction. What’s your view?
MR. LEIBOWITZ: My sense is you might see Europe moving a little bit more to our approach of allowing some advertising and allowing some collection of data.… More
FTC Announces Agenda for Workshop Exploring Practices, Privacy Implications of Comprehensive Collection of Web Data
The FTC has announced a preliminary agenda for a program it calls “The Big Picture: Comprehensive Data Collection.” This workshop “will explore the practices and privacy implications of comprehensive data collection.”
The program will be held in Washington, DC, on Dec. 6, 2012, and is free and open to the public.
The workshop will be webcast live and a link will be available on FTC.gov. … More
Gant Redmon of Co3 Systems has an interesting take on the differences in U.S. and EU privacy regimes in a Security Week column entitled, “Privacy: Why Europeans Think You’re Inadequate.” In his column, he addresses three key issues: “First, what does privacy mean to folks in the US versus the EU? Second, how has history played a role in defining privacy in the US and EU? … More
Another Massachusetts Health Care Provider Hit with Big HIPAA Settlement: Massachusetts Eye and Ear Infirmary Pays $1.5 Million
Late yesterday, the HHS Office for Civil Rights (“OCR”) announced that it had reached a $1.5 million settlement with Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (“MEEI“) to settle potential HIPAA Security violations. As part of the settlement, MEEI also agreed to a Corrective Action Plan to improve policies and procedures to safeguard the privacy and security of its patients’… More
In a case that has received wide attention, the Massachusetts Supreme Judicial Court has issued a decision barring ethics investigators from asking a Massachusetts judge how he reached individual decisions during his 21 years on the bench. This is one of the few published decision to recognize a deliberative privilege for the judiciary, with the court concluding that: “the best approach is to consider this privilege narrowly tailored but absolute.”… More
New Hampshire Federal Court Interprets the Computer Fraud and Abuse Act More Narrowly Than Massachusetts Federal Court and Dismisses Claims Based on Violations of Computer Use Restrictions
As posted earlier today by Brian P. Bialas on the Massachusetts Non-Compete blog, a recent case from the U.S. District Court for the District of New Hampshire highlights the split between the District of New Hampshire and the District of Massachusetts over the proper interpretation of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, in particular the phrase “exceeds authorized access.”… More
STATEMENT OF ADMINISTRATION POLICY
S. 3414 – Cybersecurity Act of 2012
(Sen. Lieberman, I-CT, and 4 cosponsors)
The Administration strongly supports Senate passage of S. 3414, the Cybersecurity Act of 2012. While lacking some of the key provisions of earlier bills,… More
Join Me on Tomorrow’s Free Webinar, “CT, HI, and VT – Oh my! What Do The Latest Privacy Regulation Updates Mean To You?”
In the past few months, data privacy and security laws in Connecticut, Hawaii and Vermont have been updated, without much fanfare. Although these are not revolutionary changes, they are material and they raise the compliance bar.
This webinar will review the details of these legislative updates and spell out what they may mean for your organization. The program will include before and after comparisons of language, in order to highlight what firms will need to do differently under the new rules.… More
As you may recall, the Health Information Technology for Clinical and Economic Health (HITECH) Act gives state Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules. Some states, like Massachusetts, have already started to use this authority to bring and settle cases.
To advance state enforcement, HHS OCR has developed HIPAA Enforcement Training modules,… More
You may have missed it, because it came without fanfare and does not seem to have made the data security trade press, but in early May, the State of Vermont updated its data security law. In particular, these revisions to 9 V.S.A. chapter 62 do the following:
- change the information protected to “personally identifiable information” (it was formerly “personal information”);
- exclude from the definition of “security breach” …
A Few Thoughts from Deputy Undersecretary for Cybersecurity, Mark Weatherford, Department of Homeland Security
On May 16, Deputy Undersecretary for Cybersecurity, Mark Weatherford, spoke to the Advanced Cyber Security Center about DHS’s cyber security priorities: Information Sharing, R&D, and the Advanced Persistent Threat.
On Information Sharing: This is a continuing challenge, in part because of the way the federal government shares information. At present, the federal government provides cyber threat information to private sector organizations,… More
The Federal Trade Commission has joined the Department of Justice and the Consumer Financial Protection Bureau in filing a memorandum in support of the constitutionality of the Fair Credit Reporting Act.
This issue arose in Shamara King v. General Information Services, Inc., a "consumer class action based upon Defendant’s willful violation of the Fair Credit Reporting Act,… More
The Massachusetts Office of Consumer Affairs and Business Regulation has issued its first annual report on data breaches. Since Massachusetts has one of the more strict state laws on data security and breach reporting, this report bears close attention for trends across the nation. Some of the highlights in this summary, which covers 2007-2011:
- Through September 30, 2011, the largest share of breaches was not in the financial sector,…
The Stanford Law Review has an interesting series of articles on privacy in its most recent edition:
A Reasonableness Approach to Searches After the Jones GPS Tracking Case by Peter Swire
In the oral argument this fall in United States v. Jones, several Supreme Court Justices struggled with the government’s view that it can place Global Positioning System (GPS) tracking devices on cars without a warrant or other Fourth Amendment limit.… More
A bill to adopt the Uniform Trade Secrets Act (“UTSA”) has been pending in the Massachusetts Legislature since late January. Forms of the UTSA have been adopted in 46 states, as well as the District of Columbia, Puerto Rico, and the U.S. Virgin Islands. Only New York, Texas, North Carolina, and Massachusetts have not adopted the UTSA.
The bill would supersede the definitions, procedures, and remedies applied in Massachusetts chapter 93A actions (regulating unfair and deceptive trade practices) for trade secret misappropriation.… More
FTC Releases Final Report: “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers”
FTC has today, at last, released the final version of its original 2010 Report — “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers.” As we have discussed previously, comments on the draft report were taken through January 31, 2011 and the final report had been expected in 2011.
Employers increasingly are suing former employees who have left to join or form competing companies using the civil remedies available under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. They use the CFAA to prevent their former employees from using sensitive information obtained from the former employer’s computer system. The scope of the CFAA, however, is subject to hot debate among the federal courts,… More
Here is a video discussion I had with LexBlog on the new White House Data Privacy report, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.” In this conversation, we discussed the report’s four primary elements:
- a Consumer Privacy Bill of Rights,
- a multistakeholder process to specify how the principles in the Consumer Privacy Bill of Rights apply in particular business contexts,…
Court Sides with Facebook, Finds Social Networking “Experience” Website Violated CAN-SPAM and Other Data Security Statutes
In a case brought by Facebook, a U.S. district court recently concluded that a website that offered to integrate multiple social networking accounts into a single social networking “experience” violated the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM Act”), the Computer Fraud and Abuse Act (“CFAA”), and California Penal Code § 502. Facebook, Inc. v. Power Ventures,… More
The White House has finally released its long-anticipated report on consumer privacy.The 60-page White House report, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy,” is the start of what promises to be a fascinating legislative and regulatory process.
It is curious that the Department of Commerce has been charged with "work[ing] with other Federal agencies to convene stakeholders,… More
Recent press reports of massive Chinese-sponsored hacking at the one-time telecom giant Nortel might cause you to throw up your hands and say, what chance do I have against such forces? A closer look suggests that there is much that can be done, and should be done, both in IT security and in the sale and acquisition of assets.
Apparently Nortel found and investigated the breach in question,… More
If you haven’t Googled yourself in a while, this might be a good time. My own self-search reveals, among other things, a page at mylife.com. I didn’t put it there, and I’d rather it not be there. However, right now, there isn’t a right to have your personal or professional information be deleted from social media, review sites, and other types of websites that gather your personal information. However, legislation may be coming that will address this concern.… More
Interesting article in the Wall Street Journal about Google’s iPhone tracking.
Google Inc. and other advertising companies have been bypassing the privacy settings of millions of people using Apple Inc.’s Web browser on their iPhones and computers—tracking the Web-browsing habits of people who intended for that kind of monitoring to be blocked.
Our colleagues have reminded us that on March 1, 2012, the contract grandfathering provisions of the Massachusetts Data Security Law and Regulations will expire:
A decision in Tyler v. Michaels Stores earlier this month from the United States District Court for the District of Massachusetts, the use of a consumer’s Zip Code to find her address and send her mailings was held to be a statutory violation, but did not give rise to a claim for damages.
As we noted back in October, the SEC issued CF Disclosure Guidance: Topic No. 2: Cybersecurity.
This guidance provides the Division of Corporation Finance’s views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.
Interesting article in Friday’s Wall Street Journal on potential cybersecurity legislation to improve information sharing between industry and government. Perhaps the best part of the article is the citation of statistics from Symantec’s annual Internet Security Threat Report: Trends for 2009 and 2010 on how many customer has updates Symantec sent out to address new attacks customers were facing:
- 2002: 20,254 updates
- 2003: 19,159 updates
- 2004: 74,981 updates
- 2005: 113,081 updates
- 2006: 167,069 updates
- 2007: 708,742 updates
- 2008: 1,691,323 updates
- 2009: 2,895,802 updates
- 2010: 10,000,000 updates
In a settlement announced today by the Federal Trade Commission and Facebook, the social networking service agreed to settle “charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public,” according to the FTC’s press release.
My colleague Dayle Cristinzio, former Legislative Director for Senator Harry Reid, has provided me with the amendments to Senate Bill1867, the Department of Defense Authorization Act. Among these amendments is one from Sen. McCain, amendment #1229, which could provide greater cybersecurity collaboration between the Department of Defense and the Department of Homeland Security. More
According to a November 16, 2011 letter from Senate Majority Leader Harry Reid to his Republican counterpart, Minority Leader Mitch McConnell, it is his "intent to bring comprehensive cyber security legislation to the Senate floor for consideration during the first Senate work period next year."
With an inflammatory title like “Foreign Spies Stealing US Economic Secrets in Cyberspace,” the Office of the National Counterintelligence Executive’s “Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011” is tough to ignore.
The Report’s conclusions are equally notable for their candor about the recent actions of the Chinese and Russian governments:
- “Chinese actors are the world’s most active and persistent perpetrators of economic espionage.…
I was interviewed and quoted as part of a Compliance Week article on the new SEC guidance on disclosures of cyber security incidents:
Colin Zick, a partner at law firm Foley Hoag, says the guidance is too general and that companies will have to think hard when assessing what information to disclose. “There are a lot of cyber-incidents, and there are lots of ways how these will affect your business,”… More
On October 13, the SEC issued CF Disclosure Guidance: Topic No. 2: Cybersecurity.
This guidance provides the Division of Corporation Finance’s views regarding disclosure obligations relating to cybersecurity risks and cyber incidents. It follows Chairman Schapiro’s June 2011 letter to Senator Rockefeller on the subject. More
The latest legislator to enter into the federal data security and privacy sweepstakes is Senator Richard Blumenthal (D-CT) who introduced legislation, S. 1535, on September 8. This bill, if passed, would require companies dealing with consumers to strengthen their data security and privacy policies. In particular, Senator Blumenthal’s bill, “The Personal Data Protection and Breach Accountability Act,” would required businesses that collect the personal information of over 10,000 customers to employ specific privacy and security measures,… More
When we last looked at OCR’s reporting on HIPAA breaches impacting 500 or more individuals, back in May 2011, there had been 265. This was up from September 2010, when there had been 191 such breaches. As of today, there as 292 listed. Given that the last reported date of breach on the OCR’s list is May 8, there are surely over 300 breaches that have now been reported.… More
In another sign that OCR is continuing to seek significant penalties for HIPAA violations, it announced on July 7 that the UCLA Health System ("UCLAHS") has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with those rules. This follows on the heels of Massachusetts General Hospital’s $1 million settlement with OCR.… More
On Thursday, June 23, the United States Supreme Court voted 6-3 to strike down a Vermont statute that sought to impose significant restrictions on pharmaceutical detailing and “data mining”… More
The Supreme Court this morning voted 6-3 to strike down a Vermont statute that sought to impose significant restrictions on pharmaceutical data mining activities. Justice Kennedy’s opinion in the closely-watched case of IMS v. Sorrell held that the Vermont statute was an unconstitutional regulation of commercial speech.
The first paragraph of Justice Kennedy’s opinion provides a brief summary of the posture of the case and of the Court’s decision:
Vermont law restricts the sale,… More
We are six months into 2011, and it seems destined to be “The Year of the Breach.” In just the past few months, major American (and multi-national) corporations and institutions have reported that they have been the victims of some kind of security breach:
Does Briar Group’s Massachusetts Settlement Create a New Legal Standard That Businesses Must Meet to Protect Personal Information?
A recent settlement in a data breach case exemplifies how the government can go beyond a statutory scheme and use private industry standards to protect personal information and impose sanctions on violators.
The Massachusetts AG filed suit against the Briar Group, the owner of a number of bars in the Boston area (including two of my personal favorites, the Harp and Ned Devine’s) in the wake of a 2009 data breach involving credit card numbers and other personal data. … More
When we last looked at OCR’s reporting on HIPAA breaches impacting 500 or more individuals, back in September 2010, there had been 191 such breaches. In the intervening 7 months, that number has jumped to 265 such breaches listed on OCR’s website. It’s safe to expect these figures will continue to climb for the foreseeable future. More
- Could a Major Security Breach Be on the Horizon?
- The Smartphone Dilemma
- What Elements Are Currently Covered in Your Organization’s Security Awareness Program?
- Security Budgets Fare Well
- Implementing Risk Management Disciplines
- Do You Really Know Who Your Friends Are?…
On April 15, the White House formally released its National Strategy for Trusted Identities in Cyberspace. As we noted earlier, the “trusted identity” concept is intended to allow the public and private sectors to collaborate in order to raise the level of trust associated with the exposure of the identities of individuals, organizations, networks, services and devices in online transactions:
The goal of NSTIC is to create an “Identity Ecosystem”… More
Earlier today, I delivered a presentation on "Data Security and Privacy for Medical Device, Pharmaceutical and Life Sciences Companies: How to manage your obligations under HIPAA, the HITECH Act and other federal and state data privacy and security laws" with colleagues Ara Gershengorn and Sarah Altschuller. More
In March 16, 2011 testimony before the Senate Committee on Commerce, Science, and Transportation, the Obama Administration formally asked Congress to pass a "consumer privacy bill of rights" enforced by the FTC:
Legislation to provide a stronger statutory framework to protect consumers’ online
privacy interests should contain three key elements. First, the Administration recommends that legislation set forth baseline consumer data privacy protections—that is, a “consumer privacy bill of rights.”… More
Targeted online advertising has been the focus of much discussion since the release of the FTC’s “Do Not Track” proposals late last year. User tracking for advertising purposes is also the focus of the FTC’s latest privacy enforcement action, which has resulted in a consent agreement with an online advertising company, Massachusetts-based Chitika, Inc., which creates ads for such major publishers as the Hearst Corporation and Salary.com.… More
As we noted earlier this month, Massachusetts General Hospital recently entered into a $1 million Resolution Agreement and Corrective Action Plan with the Department of Health and Human Services’ Office of Civil Rights. This settlement stemmed from an incident on March 9, 2009, when a MGH employee was commuting on the subway, "removed documents containing PHI from her bag and placed them on the seat beside her. The documents were not in an envelope and were bound with a rubber band.… More
While the effect of the federal legislation modifying the FTC Red Flags Rule has been known for a while, the court proceedings that challenged the rule have now caught up. The American Bar Association’s suit has been dismissed, and the American Medical Association announced it is voluntarily dismissing its case: "The lawsuit filed by the Litigation Center of the AMA and the State Medical Societies,… More
In a March 1, 2011 decision that has received much publicity (despite stating a fairly obvious conclusion), the Supreme Court ruled that the term "personal privacy" does not apply to corporations, at least in the context of the Freedom of Information Act ("FOIA").
The decision, FCC v. AT&T Inc., reflects the Supreme Court application of a particular exemption to FOIA. Exemption 7(C) covers law enforcement records the disclosure of which “could reasonably be expected to constitute an unwarranted invasion of personal privacy.”… More
500 Is a Magic Number: Health Information Breaches Impacting 499 or Fewer Patients Likely Go Uninvestigated By OCR
In the recently-released fiscal 2012 budget for HHS, a dirty little secret has been acknowledged: the Office of Civil Rights does not have the resources to review all reported breaches of health information. In fact, if you have a breach that impacts up to 499 people, you are unlikely to hear from OCR at all:
Current OCR practice is to validate, post to the HHS website,… More
If Tuesday night’s failure to give fast-track approval to an extension of certain surveillance powers under the Patriot Act is any indication, Congress is in the mood to protect individual privacy. As such, a series of anticipated online privacy protection bills are likely to garner bipartisan support in the weeks and months ahead.
The National Institute of Standards and Technology (NIST), a federal agency within the Department of Commerce, has launched a web site detailing the President Obama’s proposed National Strategy for Trusted Identities in Cyberspace (NSTIC). NSTIC, initially released for public comment in June 2010, was developed in response to the Obama Administration’s 2009 Cyberspace Policy Review, which called for the creation of a “cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests,… More
In NASA v. Nelson, decided today by the U.S. Supreme Court, the high court rejected a challenge to “a section of a form questionnaire that asks employees about treatment or counseling for recent illegal-drug use . . . [and] to certain open-ended questions on a form sent to employees’ designated references.”
This particular challenge came from 28 employees of the Jet Propulsion Laboratory (“JPL”). JPL is staffed exclusively by contract employees. … More
The Council for Responsible Genetics has published a guide to the world’s DNA databases. According to the guide, 56 countries (and in the U.S., all 50 states) maintain DNA databases.
CRG describes itself as a "catalyst and thought leader in the movement to steer biotechnology toward the advancement of public health, environmental protection, equal justice and respect for human rights." Although CRG has its own unique perspective on whether DNA databases should exist and how they should be used,… More
On December 18, 2010, President Obama signed into law the Red Flag Clarification Act of 2010. The Act will change a single definition in prior law and reduce the scope of the FTC Red Flags Rule, ending a two-year long saga over the scope of its enforcement.
FTC Proposes Privacy Framework That Will Impact the Business Model of All Online and Mobile Advertising Companies
Our colleagues in Foley Hoag’s Emerging Enterprise Center have summarized the FTC preliminary staff report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,” which we posted on December 1. We are cross-posting the analysis from their blog below.
It seems likely that the next two years will bring significant changes to this area,… More
NIST Releases Guidance On Protecting Our Digital Energy Infrastructure (Or, Is Big Brother in Our Power Lines?)
The following item was posted recently on Foley Hoag’s Law and Environment blog, and we thought it would be of interest to our readers.
Posted on September 17, 2010 by Rebecca L. Puskas
Discussion of the Smart Grid usually focuses on efficiencies that may be achieved by a system that responds to real time information about energy production, distribution and consumption. But the development of this advanced digital infrastructure,… More
The Substance Abuse and Mental Health Services Administration (“SAMHSA”), in close cooperation with the Department of Health and Human Services Office for Civil Rights (“OCR”), is conducting a study of the “Confidentiality and Privacy Issues Related to Psychological Testing Data.” This study was specifically called for in section 13424 of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.
HIPAA’s Privacy Rule includes special protections relating to the use and disclosure of psychotherapy notes;… More
Does the “compelling need” for patient records by a state body that oversees and regulates physicians trump the statute that protects the confidentiality of psychotherapy records? Not in Massachusetts, according to a September 2, 2010 decision of the Supreme Judicial Court, Board of Registration in Medicine v. John Doe, No. SJC-10556.
At issue in this case were the treatment practices of a board-certified psychiatrist who specialized in “pain management.” Due to a concern that inappropriate prescriptions for pain medication were being written and that Doe himself was impaired,… More
Today, the Federal Trade Commission issued a press release and an Enforcement Policy extending the deadline for enforcement of the FTC’s Red Flags Rule through December 31, 2010. The agency cited requests from members of Congress for a postponement of the deadline while legislators tinker with federal law to exclude certain businesses from application of the Rule.
Earlier this month, Congressmen Rick Boucher and Cliff Stearns released a discussion draft of comprehensive federal privacy legislation (.pdf).
Among the many provisions of the draft bill is the requirement that any entity that collects information on individuals such as name, address, email address and telephone number, maintain “appropriate administrative, technical, and physical safeguards” to secure the personal information. The draft bill would also require the FTC to implement new privacy rules and police the new safeguards.… More
Many digital copiers are now able to store the scanned documents on flash memory or hard drives. This could pose a privacy/security risk, if the drives are improperly accessed, or if they are lost or resold without being scrubbed first.
Even the simple act of making a photocopy now poses privacy risks. In response to a letter from Massachusetts Congressman Edward Markey, the FTC has responded and agreed to investigate the privacy risks posed by digital copiers that store information on internal hard drives.… More
The Department of Health and Human Services announced it will release proposed HIPAA/HITECH Act regulations later this month, according to the HHS’s recently-published regulatory agenda, available at 75 Fed. Reg. 217821. The announcement itself was pretty cryptic:
120. MODIFICATIONS TO THE HIPAA PRIVACY, SECURITY, AND ENFORCEMENT RULES
UNDER THE HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT
Legal Authority: PL 111-5,… More
Regulators Provide Online Privacy Notice Builder to Help Financial Institutions Comply with Gramm Leach Bliley Act
Last week a number of federal regulatory agencies rolled out an online privacy notice builder for financial institutions subject to one or more of the Gramm Leach Bliley Act (GLBA) regulations. The agencies involved include the Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), Office of Comptroller of Currency (OCC), Federal Deposit Insurance Corporation (FDIC ),… More
In a notice apparently posted March 17, 2010, the Office of Civic Rights of the Department of Health and Human Services (“OCR”) acknowledged its delay in issuing regulations for HIPAA business associate agreements. Those regulations are now a month overdue and from OCR’s language, they do not appear imminent:
OCR will implement important privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act through notice and comment rulemaking,… More
In the past several days, three important information privacy and security deadlines have arrived. To recap, they are:
- February 17, 2010: the provisions of the HITECH Act regarding HIPAA business associates went into effect (albeit without regulations, which are expected to be issued any day now). Many HIPAA covered entities have been revising their Business Associate Agreements in an effort to comply with what they think the regulations will say. …
The FTC Red Flags Rule faces another likely challenge, based on a January 27, 2010 letter sent to the FTC by the American Medical Association, the American Osteopathic Association, the American Dental Association, and the American Veterinary Medical Association. In that letter, the four health care organizations requested that the Red Flags Rule not be applied to health care professionals (based on the reasoning of the recent court decision that it does not apply to lawyers). I assume that if the FTC rejects this request,… More
Last week the American Institute of Certified Public Accountants (AICPA) filed papers seeking summary judgment in the lawsuit filed against the Federal Trade Commission (FTC) to exempt accountants from the FTC’s Red Flags Rules. We first posted on this case in November, when the AICPA filed a complaint asking the federal court in Washington, D.C. to declare that accountants are not subject to the Red Flags Rules. … More
Is the FTC moving to a "Post-Disclosure Era," in which consumer online privacy would be regulated in a radically different manner than the status quo? That was a suggestion made by the chairman of the FTC, Jon Leibowitz, and David Vladeck, chief of the FTC’s Bureau of Consumer Protection, during a recent on-the-record discussion about online privacy, reported in the New York Times.
For some time, I have been asking the question,… More
American Institute of Certified Public Accountants Sues FTC to Stop Application of Red Flags Rules to Accountants
Following the lead of the American Bar Association (ABA), on November 10, 2009, the American Institute of Certified Public Accountants (AICPA) has filed suit in the U.S. District Court for the District of Columbia, asking the Court to rule that the Federal Trade Commission’s (FTC) Red Flags Rule may not be applied to accountants.
It appears that certain groups, such as the American Bar Association (ABA), may be partially successful in their efforts to convince Congress to narrow the scope of the FTC Red Flags Rules, which are currently scheduled to go into effect on November 1. According to the BNA Privacy & Security Law Report, the House Financial Services Committee has sent H.R. 3763, titled a bill “To amend the Fair Credit Reporting Act to provide for an exclusion from Red Flag Guidelines for certain businesses,”… More
Massachusetts Holds Public Hearing on Information Security Regulations — Regulators Contemplating Additional Revisions in Final Rulemaking
This morning, the Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) held a public hearing in connection with its promulgation of revisions to the Commonwealth’s information privacy regulations, 201 CMR 17.00. The standing-room-only crowd endured a modest, unventilated conference room in the Transportation Building to make comments on the stringent regulations. OCABR Undersecretary Barbara Anthony led the meeting with OCABR Deputy General Counsel Jason Egan and Assistant Attorney General Diane Lawton. … More
Incident of the Week: NCUA Issues Fraud Alert Based On Fake NCUA Fraud Alert (Which Turns Out To Be Part of Security Consultant’s Penetration Testing)
The National Credit Union Administration (NCUA) issued an official NCUA Fraud Alert on August 25, 2009 reporting that someone was sending around a fake NCUA Fraud Alert (.pdf) with CDs purporting to contain security software updates, but instead contained malware. The NCUA warned “Should you receive this package or a similar package DO NOT run the CDs.” The NCUA, which regulates federally insured credit unions,… More
Still Wondering What Changes Massachusetts Made to the State’s Information Security Regulations? Here’s a Redline of the Revisions to 201 CMR 17.00.
As we reported on August 17th, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has promulgated a revised set of information security regulations (201 CMR 17.00 et seq.) and will hold a meeting for public comment on September 22, 2009. For those who are still wondering what revisions were made, here is a redline comparison of the amendments (.pdf). More
Amidst calls from the legal community, the Federal Trade Commission’s (FTC) announced this morning that it was delaying enforcement of the FTC’s Red Flag Rules until November 1, 2009. The FTC’s announcement of the delay emerged almost as a footnote to a public statement devoted largely to the FTC’s "redoubled" efforts to "provid[e] additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply." … More
On June 18, 2009, the House Subcommittee on Commerce, Trade and Consumer Protection held a joint hearing with the Subcommittee on Communications, Technology, and the Internet on the topic of “Behavioral Advertising: Industry Practices and Consumer Expectations.” The subcommittee members explained that they hoped the hearing would help determine the need and possible parameters for new legislation governing privacy and behavioral advertising. More
A federal suit has been filed that challenges the legality of the federal HITECH Act. In the course of 30 often rambling pages, this complaint alleges that "HIPAA codified the Hippocratic Oath" and that HITECH improperly undermines both. This complaint appears to be the work of a gadfly or two. The plaintiff’s lawyer is her husband; interestingly, he was described by a federal judge as filing claims that were "without merit [and which] would have been perceived as such by any objectively reasonable attorney." … More
Earlier this week, on Monday, June 22, 2009, the American Bar Association (ABA) President H. Thomas Wells, Jr. issued a public statement urging Congress and the FTC to exempt lawyers from the requirements of the federal Red Flags Rules, stating:
The Rule, adopted under the Fair and Accurate Credit Transactions Act, or FACT Act, is noble in its intent. However, the Commission’s application of the Rule to lawyers is unnecessary and not supported by law. … More
On March 15, 2006, the European Parliament issued Directive 2006/24/EC (.pdf), outlining a new program that woud require internet service providers (ISPs) and telecommunications carriers to begin retaining comprehensive records of customer communications. Specifically, the Directive required member states to ensure that a range of communications data be retained by service providers, including:
- The names, addresses, telephone numbers, Internet Protocol (IP) addresses and user IDs involved in Internet access,…
With the deadline for complying with the Massachusetts identity theft law just six months away, at least one state senator is still seeking changes to that law. In Senate Bill S173, which until now has received little public notice, State Senator Michael Morrissey proposes to make it easier for small businesses to comply, by requiring the state’s regulations to take account of a business’s resources as it requires compliance: … More
A contact at the American Bar Association (ABA) confirmed by telephone today that the ABA Board of Governors is meeting this Saturday, June 13, 2009 to determine what position the ABA will take on whether lawyers and law firms are (or should be) considered "creditors" subject to federal Red Flags Rules. Many among the legal community are hoping that the ABA urges the FTC and Congress to exempt lawyers from compliance with federal Red Flags Rules or takes some other action to limit the scope of the FTC’s enforcement. … More
In recent weeks, FTC Chairman Jon Leibowitz has encouraged the behavioral advertising industry to adopt increasingly specific "self" regulatory measures to address privacy concerns. Behavioral advertising, which the FTC has described as the practice of “tracking of a consumer’s activities online . . . in order to deliver advertising targeted to the individual consumer’s interests” is a concern for consumer groups. Consumers’ concerns range from the transparency of the process to the adequacy of security measures in place to protect information compiled,… More
In February, Senator John Cornyn (R-Tx.) and Congressman Lamar Smith (R-Tx.) introduced the Internet Stopping Adults Facilitating the Exploitation of Today’s Youth ("SAFETY") Act of 2009 (S. 436, H.R. 1076), which contains a proivision that would require Internet Service Providers (ISPs) to keep subscriber data for "at least" two years. Specifically, Section 5 of the bill requires that ISPs retain "all records or other information pertaining to the identity of a user of a temporarily assigned network address."… More
In an April 2009 press release (.pdf), the Public Access to Court Electronic Records system (“PACER") announced that 99% of all federal courts nationwide have implemented electronic systems allowing litigants to file and review documents online. The near-complete implementation of these online systems marks an important technological and environmental milestone for the legal profession; however, it comes with considerable risks to individuals’ privacy and security: potentially limitless filings that inadvertently contain individuals’… More
As I noted a few weeks ago, Senators Jay Rockefeller (D-W.Va.), Olympia Snowe (R-Maine) and Bill Nelson (D-Fla.) were drafting new cybersecurity legislation. Last week the Senators introduced two bills. The first, S.778 (text of the bill not yet available), would establish an Office of National Security Advisor within the Executive Office of the President. The second, S.773 (text of the bill not yet available), entitled the Cybersecurity Act of 2009, gives the President the power to limit or shut down Internet traffic to and from any federal government or United States infrastructure network. … More
On March 5, 2005, the Article 29 Working Party, an independent European advisory body on data protection and privacy, adopted Opinion 3/2009 (.pdf). The opinion comments on European Commission proposals designed to ensure that all data processors, including contractors hired by other data processors, are contractually required to protect sensitive data.
FTC Launches New Website and “How-To” Guide for Companies Wondering How to Comply with Red Flags Rules
As the May 1, 2009 deadline for compliance with federal Red Flags Rules nears, the FTC’s staff has informally mentioned that helpful guidance would be forthcoming. As of today, the FTC has launched a new website and a series of materials to assist businesses pushing to meet the May 1st deadline.
FTC Asks Congress For Enhanced Rulemaking and Enforcement Powers To Curb Abuses in Financial Industry
On Tuesday, March 24, 2009, FTC Chairman Jon Liebowitz testified before the U.S. House Subcommittee on Commerce, Trade and Consumer Protection seeking enhanced legal powers “[t]o allow the FTC to perform a greater and more effective role in protecting consumers.”
Senators Jay Rockefeller (D-W.Va.), Chairman of the Senate Commerce, Science and Transportation Committee, Olympia Snowe (R-Maine) and Bill Nelson (D-Fla.) are drafting cybersecurity legislation that would establish a permanent national security czar reporting directly to the White House, according to a recent announcement from Senator Nelson and other reports. The proposed legislation would also
- require intelligence and Homeland Security officials to perform vulnerability assessments;…
The FTC Strikes Back: (Essentially) Everyone Should Be Complying With Red Flags Rules, Especially The Healthcare Industry
In a recent letter (.pdf) to the healthcare industry, the Federal Trade Commission (“FTC”) has issued its clearest pronouncement yet on which entities must comply with federal “Red Flag Rules” — the identity theft regulations that will go into effect for many businesses on May 1, 2009 (and have been in effect for banks and financial institutions since November 1, 2008). This latest guidance strongly suggests that if you are wondering whether the new federal regulations apply to you — then they probably do. In this post, we will recap the FTC’s recent guidance on who should be complying with the Rules.
On Wednesday, February 11, 2009, the Data Protection Working Party, an independent European advisory body on data protection and privacy, released its Working Document 1-2009 (.pdf) on pre-trial discovery for cross border civil litigation. The Working Document attempts to reconcile the tension between U.S. discovery rules and the European Union’s Directive 95/46/EC (.pdf), which outlines the EU’s privacy requirements. What follows is a summary of the Working Document and an analysis of how it begins to bridge the gap between U.S.… More
On Thursday, March 5, 2009, Congresswoman Mary Bono Mack (R-CA), Congressman John Barrow (D-GA) and Congressman Joe Barton (R-TX) introduced the Informed P2P User Act (H.R. 1319) which requires peer-to-peer ("P2P") software makers to make certain changes to their software to prevent users from inadvertently sharing files from their computers. The proposed law would require both "clear and conspicuous notice" of what files the P2P software would being sharing and "informed consent"… More
Between March 11, 2009 and March 13, 2009, the International Association of Privacy Professionals (IAPP) hosted a Privacy Summit in Washington, D.C. that featured keynote presentations from fraud expert Frank W. Abagnale and information security guru Bruce Schneier. The three-day event included dozens of breakout sessions with industry experts and government officials. Read some of the highlights below. More
On Monday the Department of Justice released a previously classified opinion entitled “Authority for Use of Military Force To Combat Terrorist Activities Within the United States” (.pdf), which concluded, among other things, that “the Fourth Amendment [of the U.S. Constitution] does not apply to domestic military operations designed to deter and prevent further terrorist attacks.” This may come as a shock to some because the Fourth Amendment expressly prohibits the government from searching or seizing individuals or their property absent a warrant and probable cause,… More
Has the Consumer Privacy Legislative Forum Decided to Abandon Efforts to Draft Federal Privacy Legislation?
In early February, I noted that a group called the Consumer Privacy Legislative Forum (“CPLF”), which includes companies such as eBay, Microsoft, Google and Hewlett Packard, had released a statement calling for comprehensive harmonized federal privacy legislation and would be outlining recommendations for such legislation this month. Apparently, the CPLF’s focus has shifted. According to a BNA Privacy & Security Law Report, 8 PVLR 331, the CPLF “has decided to abandon efforts to develop a set of principles for omnibus U.S.… More
Cracking Down: FCC Initiates Enforcement Action Against Hundreds of Telecommunications Carriers For Failing to Certify Compliance With Customer Privacy Rules
On Tuesday, February 24, 2009, the Federal Communications Commission (FCC) issued an Omnibus Notice of Apparent Liability alleging that more than 600 telecommunications carriers have violated Section 222 of the Communications Act which "imposes the general duty on all telecommunications carriers to protect the confidentiality of their subscribers’ proprietary information" and the EPIC Customer Proprietary Network Information (CPNI) Order (22 FCC Rcd 6927), which requires each carrier to certify compliance with the regulations governing customer information. … More
Adding to the Patchwork: HITECH Act Sets New “Floor” for Data Breach Notification of Certain Patient Information
On Tuesday, February 17, 2009, President Obama signed into law the widely-debated federal economic stimulus package, officially titled the American Recovery and Reinvestment Act of 2009, and with it, enacted the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Much of the media attention on the HITECH Act has focused on the policies promoting health information technology a topic that President Obama touted throughout his campaign. However, the HITECH Act also contains myriad regulations that expand the security and privacy provisions of the Health Information Portability and Accountability Act of 1996 ("HIPAA"),… More
Do The Red Flags Regulations Apply to Me? — Understanding Whether You Are A “Creditor” Under Federal Law
If you are confused about whether you, your company or your clients are subject to federal identity theft regulations, you are not alone. When the Federal Trade Commission (FTC) announced on October 22, 2008 that they were delaying enforcement of the new Red Flags regulations by six months, until May 1, 2009 (which we reported here and here), the FTC admitted that the primary reason for the delay was that many businesses,… More
Isn’t There Already A Federal Standard Governing Information Security? — Re-Examining the Gramm-Leach Bliley Act
By Stacy Anderson and Gabriel M. Helmer.
As an ever-increasing number of states enact legislation governing identity theft, customer data and personal information, pressure for clear federal legislation governing information security has mounted. For example, in December 2008, the FTC joined the growing number of voices calling on Congress to enact a legislation to create a single federal standard for the handling of personal information. (See our report here.) As we see movement towards a unifying federal standard,… More
On January 6, 2009, Senator Dianne Feinstein (D-Cal.) introduced two bills related to data breaches and protection of social security numbers. Bill S. 139, entitled the "Data Breach Notification Act," would require any federal agency or business entity to notify an individual of a security breach involving personal information “without unreasonable delay.” The proposed bill defines “reasonable delay” as including “any time necessary to determine the scope of the security breach,… More
High-profile Massachusetts businesses and industry groups have sent Massachusetts governor Deval Patrick a letter requesting that the governor reissue existing identity theft regulations and give battered businesses two additional years to develop information security programs.
On Wednesday, January 14, 2009, the Boston Bar Association’s Privacy Law Committee hosted FTC Chief Privacy Officer Mark Groman for a brown bag lunch presentation entitled “The View from the Federal Trade Commission’s Chief Privacy Officer.” Here are a couple of highlights from the presentation:
- Mr. Groman views law firms as businesses subject to FTC Red Flags regulations (“we regulate you, too”), so law firms should be developing identity theft prevention programs to comply with the regulations by the May 1,…
Anyone mystified by what practices the FTC wants businesses to improve on or abandon in response to federal “Red Flags” regulations received some specific guidance in December, when the FTC released the report Security in Numbers – SSNs and ID Theft. For anyone subject to new federal and state identity theft regulations, the Report helps identify some specific steps they should consider implementing by May 1, 2009, the deadline for businesses to adopt compliant identity theft prevention programs.
ALERT: Massachusetts Gives Businesses Until May 1, 2009 to Adopt Comprehensive Information Security Programs To Comply With Recent State Identity Theft Regulations
On Friday, November 14, 2008, Massachusetts regulators announced that they will give affected businesses until May 1, 2009 to comply with new identity theft regulations. This move parallels the October announcement by the Federal Trade Commission that it is delaying enforcement of federal identity theft regulations until the same day.
ALERT: FTC Gives Businesses Until May 1, 2009 to Adopt Identity Theft Prevention Plans that Comply With Recent FTC “Red Flags” Regulations
On Wednesday, October 22, 2008, the Federal Trade Commission issued an Enforcement Policy Statement that it will delay some elements of enforcement of recent “Red Flags” regulations until May 1, 2009, instead of the original November 1, 2008 date. Citing uncertainty and confusion within many industries over whether they are covered by the new regulations, the FTC indicated that it will not seek to enforce the regulations on November 1, 2008, when all affected businesses were originally required to come into compliance.