Category Archives: Legislation & Regulation

SEC Issues Risk Alert on Cybersecurity Initiative for Investment Advisers

Our colleagues Catherine M. Anderson and Jennifer M. Macarchuk have summarized the recent SEC Risk Alert regarding its initiative to assess cybersecurity preparedness and threats in the securities industry, including examinations of more than 50 SEC-registered investment advisers and broker-dealers. The full text of the Risk Alert is available here. SEC-registered investment advisers should review the Risk […]

Does Wyndham Confirm the FTC’s Role as Federal Privacy Enforcer?

Data breach law in the United States might have just become a lot less patchy, but a little more uncertain.  On April 7, 2014, the District Court of New Jersey decided FTC v. Wyndham Worldwide Corp., et al., No. 13-1887-ES.  This case arises out of an FTC action, brought under the deception and unfairness prongs of […]

Health Insurer Hit With A Record HIPAA Penalty: What Does It Mean?

Triple-S Salud Inc., a Puerto Rican health insurer, has been hit with a $6.8 million penalty from the Office of Civil Rights of the Department of Health and Human Services for a massive data breach.  Triple-S (known as ASES in Spanish) has posted a notice on its website regarding the breach.  The penalty, which also […]

HHS OCR Issues HIPAA Guidance on Sharing Information Related to Mental Health

On February 20, the U.S. Department of Health and Human Services Office of Civil Rights (HHS OCR) released new guidance explaining how the HIPAA Privacy Rule operates to protect individuals’ privacy rights with respect to their mental health information and in what circumstances the Privacy Rule permits health care providers to communicate with patients’ family […]

Parents’ NY Lawsuit Seeking to Block Cloud-Based Storage of Student Data Is Dismissed

In a previous post, I wrote about privacy concerns surrounding data storage nonprofit inBloom and its partnership with the New York State Education Department (“NYSED”).  On February 5, 2014, New York State Supreme Court Justice Thomas A. Breslin dismissed the lawsuit filed by parents seeking to block NYSED from sharing and storing student data with […]

Privacy Concerns “Cloud” Storage of Student Data

Privacy concerns have threatened the plans of the New York State Department of Education to use third party contractor, inBloom, to store and integrate student data in a cloud-based system.  On January 10, the Department announced that it would delay release of additional student data to inBloom.  The delay, which the Department said is normal […]

Want to Read Up on Cyber Issues Over the Holidays?

Have you wanted to read up on the many cyber security issues that have arisen over the past year but which you did not have time to follow in detail?  We have just the thing — four reports from the Congressional Research Service, the low-key public policy research branch of the U.S. Congress (so low-key […]

Are You a “Target”? Business Implications of the Target Breach

Now that the initial media blitz about the massive Target breach has passed, it is time to look ahead at the implications: Legislation:  In the past, we have seen major breaches drive legislative change.  But now that most states have data security statutes, it seems unlikely that much will happen at the state level.  And […]

Federal Judge Rules NSA Phone Record Collection Likely Unconstitutional

In a 68 page order issued earlier today, a federal district court judge ruled in favor of five plaintiffs challenging the NSA’s collection of phone record information, finding that the plaintiffs: “have standing to challenge the constitutionality of the Government’s bulk collection and querying of phone records metadata”; “have demonstrated a substantial likelihood of success on […]

Should the Computer Fraud and Abuse Act Only Apply to Acts That Are Hard to Do?

The United States District Court for the Northern District of California recently refused to dismiss a Computer Fraud and Abuse Act (CFAA) claim with an unusual twist:  the defendant allegedly circumvented an IP address block after receiving a cease-and-desist letter from the plaintiff and therefore is alleged to have acted “without authorization” in violation of […]

“A Million Here, a Million There”… WellPoint Settles HIPAA Breach and Security Claims with HHS OCR for $1.7 Million

Managed care company WellPoint Inc. has agreed to pay the U.S. Department of Health and Human Services $1.7 million to settle potential HIPAA Privacy and Security Rule violations committed in 2009 and 2010.    As so often happens, HHS OCR began its investigation following a self-report of the breach by WellPoint.  That report “indicated that security weaknesses in an […]

Revised COPPA Rules Go Into Effect July 1, 2013

In order to “keep up with technology,” the FTC revised the Children’s Online Privacy Protection Rule (COPPA) in 2012.  As a result of those revisions, some companies that may not have been covered by COPPA may now be covered, and the effective date of those changes is today, given the July 1st effective date of the […]

FTC Issues Revised Business Guide on ‘Red Flags’ Identity Theft Rule

The Federal Trade Commission has issued revised guidance designed to help businesses comply with the requirements of the Red Flags Rule, which protects consumers by requiring businesses to watch for and respond to warning signs or “red flags” of identity theft.  The guidance outlines which businesses – financial institutions and some creditors – are covered […]

The Split in the Circuit Courts Over the Proper Interpretation of the Computer Fraud and Abuse Act Actually Goes Three Ways

Posted on March 15th, 2013 by Brian P. Bialas on our sister blog, Massachusetts Noncompete Law. I’ve written many times about the significant split in circuit courts’ interpretation of the Computer Fraud and Abuse Act (CFAA), which affects whether an employer can sue an employee for violating computer use restrictions, usually embodied in a […]

HIPAA “Omnibus” Regulations Published in Federal Register

The revised HIPAA regulations were formally published today in the Federal Register.  In this form, they only take up 138 pages! Law360 has a brief piece on the revised HIPAA rules, with the perspectives of various attorneys (including me) on the changes.  While I’m not sure I agree with the quote that “This is a […]

Key Elements of the New “Omnibus” HIPAA

On January 18, 2013, nearly four years after the passage of the HITECH Act and its amendments to HIPAA, and nearly three years after it proposed regulatory amendments, the U.S. Department of Health and Human Services (“HHS”) has finally issued major “omnibus” revisions to HIPAA’s privacy and security regulations. In the 563 pages of the regulations and related regulatory comments, […]

The Wait Is Over! HHS Finally Issues Revised HIPAA Privacy and Security Regulations

Nearly four years after the passage of the HITECH Act and its amendments to HIPAA, and nearly three years after it proposed regulatory amendments, the U.S. Department of Health and Human Services (“HHS”) has finally issued major revisions to HIPAA’s privacy and security regulations. While we are still making our way through all 563 pages of the regulations and related regulatory comments (and will […]

NLRB Confirms that Comments Posted on Social Media May Be Entitled to Protection

In a post from earlier today, my colleagues, Lyndsey Kruzer and Mike Rosen, discuss the NLRB’s conclusion that social media comments can be protected activity: The National Labor Relations Board (NLRB) recently issued a significant decision – solidifying the position it has staked out over the past 18 months – that an employee’s posts on social media may be entitled to […]

FTC Finally Amends Red Flags Rule Regulations to Match 2010 Statutory Amendment

The FTC announced today that it has, at long last, modified its Red Flags Rule to match the language of the Red Flag Clarification Act of 2010.  As this blog explained in 2010: As originally drafted, “creditors” would have included anyone “who regularly extends, renews, or continues credit” or “who regularly arranges for the extension, renewal, or continuation of credit,” […]

Law360: “HHS Data-Scrubbing Guidance Backs Strict Privacy Definitions”

Today’s Law360 addresses “HHS Data-Scrubbing Guidance” with quotes from me and others on the subject: Clarifying the types of data that need to be removed from data sets can also help companies maximize the value of the information that they hold as the value of and ability to use this data for research and public […]

HHS OCR Issues Guidance Regarding Methods for De-identification of PHI in Accordance with HIPAA

On November 26, HHS OCR released guidance regarding methods for de-identification of protected health information in accordance with the HIPAA Privacy Rule. This guidance fulfills the American Recovery and Reinvestment Act of 2009 (ARRA) mandate that HHS issue such guidance. Following the passage of ARRA, OCR collected research and views regarding de-identification approaches, best practices for […]

FTC Chair Sees E.U. “Moving” Toward U.S. Standards; Is Seeing Believing?

At the end of what was an interesting, but rather ordinary interview in the Wall Street Journal, FTC Chair Jon Leibowitz dropped this interesting nugget: MS. ANGWIN: The EU has a very different approach to privacy, and there has been concern about whether we’re going to move in that direction. What’s your view? MR. LEIBOWITZ: My sense […]

“Privacy: Why Europeans Think You’re Inadequate”

Gant Redmon of Co3 Systems has an interesting take on the differences in U.S. and EU privacy regimes in a Security Week column entitled, “Privacy:  Why Europeans Think You’re Inadequate.”  In his column, he addresses three key issues:  “First, what does privacy mean to folks in the US versus the EU? Second, how has history played a role in defining privacy in the US […]

Another Massachusetts Health Care Provider Hit with Big HIPAA Settlement: Massachusetts Eye and Ear Infirmary Pays $1.5 Million

Late yesterday, the HHS Office for Civil Rights (“OCR”) announced that it had reached a $1.5 million settlement with Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (“MEEI“) to settle potential HIPAA Security violations.  As part of the settlement, MEEI also agreed to a Corrective Action Plan to improve policies and procedures to safeguard the privacy and security […]

Judicial Privacy and Deliberations Protected by Massachusetts High Court Decision

In a case that has received wide attention, the Massachusetts Supreme Judicial Court has issued a decision barring ethics investigators from asking a Massachusetts judge how he reached individual decisions during his 21 years on the bench. This is one of the few published decisions to recognize a deliberative privilege for the judiciary, with the court concluding […]

New Hampshire Federal Court Interprets the Computer Fraud and Abuse Act More Narrowly Than Massachusetts Federal Court and Dismisses Claims Based on Violations of Computer Use Restrictions

As posted earlier today by Brian P. Bialas on the Massachusetts Non-Compete blog, a recent case from the U.S. District Court for the District of New Hampshire highlights the split between the District of New Hampshire and the District of Massachusetts over the proper interpretation of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, […]

White House States Support for Sen. Lieberman’s Cybersecurity Act of 2012

The Obama Administration officially put its weight behind Sen. Lieberman’s Cybersecurity Act of 2012, with the issuance of the following Statement of Administration Policy: STATEMENT OF ADMINISTRATION POLICY S. 3414 – Cybersecurity Act of 2012 (Sen. Lieberman, I-CT, and 4 cosponsors) The Administration strongly supports Senate passage of S. 3414, the Cybersecurity Act of 2012. […]

Want to Learn HIPAA Just Like Your State Attorney General? Now You Can!

As you may recall, the Health Information Technology for Clinical and Economic Health (HITECH) Act  gives state Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules.  Some states, like Massachusetts, have already started to use this authority to bring and settle cases.  To […]

Vermont Quietly Updates Its Data Security Law

You may have missed it, because it came without fanfare and does not seem to have made the data security trade press, but in early May, the State of Vermont updated its data security law. In particular, these revisions to 9 V.S.A. chapter 62 do the following: change the information protected to “personally identifiable information” […]

A Few Thoughts from Deputy Undersecretary for Cybersecurity, Mark Weatherford, Department of Homeland Security

On May 16, Deputy Undersecretary for Cybersecurity, Mark Weatherford, spoke to the Advanced Cyber Security Center about DHS’s cyber security priorities: Information Sharing, R&D, and the Advanced Persistent Threat. On Information Sharing:  This is a continuing challenge, in part because of the way the federal government shares information.  At present, the federal government provides cyber […]

FTC Counters Constitutional Challenge to Fair Credit Reporting Act

The Federal Trade Commission has joined the Department of Justice and the Consumer Financial Protection Bureau in filing a memorandum in support of the constitutionality of the Fair Credit Reporting Act. This issue arose in Shamara King v. General Information Services, Inc., a "consumer class action based upon Defendant’s willful violation of the Fair Credit Reporting […]

Massachusetts Reports on Data Breaches for 2007-2011

The Massachusetts Office of Consumer Affairs and Business Regulation has issued its first annual report on data breaches. Since Massachusetts has one of the more strict state laws on data security and breach reporting, this report bears close attention for trends across the nation. Some of the highlights in this summary, which covers 2007-2011: Through […]

Stanford Law Review’s Privacy Symposium

The Stanford Law Review has an interesting series of articles on privacy in its most recent edition: A Reasonableness Approach to Searches After the Jones GPS Tracking Case by Peter Swire In the oral argument this fall in United States v. Jones, several Supreme Court Justices struggled with the government’s view that it can place […]

Will Massachusetts Adopt the Uniform Trade Secrets Act?

A bill to adopt the Uniform Trade Secrets Act (“UTSA”) has been pending in the Massachusetts Legislature since late January. Forms of the UTSA have been adopted in 46 states, as well as the District of Columbia, Puerto Rico, and the U.S. Virgin Islands. Only New York, Texas, North Carolina, and Massachusetts have not adopted […]

New Case Highlights Split of Authority Interpreting the Computer Fraud and Abuse Act

Employers increasingly are suing former employees who have left to join or form competing companies using the civil remedies available under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. They use the CFAA to prevent their former employees from using sensitive information obtained from the former employer’s computer system. The scope of the CFAA, […]

Breaking Down the White House Privacy Framework–a Video Blog

Here is a video discussion I had with LexBlog on the new White House Data Privacy report, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.” In this conversation, we discussed the report’s four primary elements: a Consumer Privacy Bill of Rights, a multistakeholder […]

Court Sides with Facebook, Finds Social Networking “Experience” Website Violated CAN-SPAM and Other Data Security Statutes

In a case brought by Facebook, a U.S. district court recently concluded that a website that offered to integrate multiple social networking accounts into a single social networking “experience” violated the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM Act”), the Computer Fraud and Abuse Act (“CFAA”), and California Penal Code § 502. […]

White House Releases Long-Anticipated Privacy Report

The White House has finally released its long-anticipated report on consumer privacy. The 60-page White House report, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy,” is the start of what promises to be a fascinating legislative and regulatory process.  It is curious that the […]

Lessons from the Chinese Hacking of Nortel for IT Security, Due Diligence

Recent press reports of massive Chinese-sponsored hacking at the one-time telecom giant Nortel might cause you to throw up your hands and say, what chance do I have against such forces?  A closer look suggests that there is much that can be done, and should be done, both in IT security and in the sale and acquisition […]

The Right To Be Deleted

If you haven’t Googled yourself in a while, this might be a good time. My own self-search reveals, among other things, a page at mylife.com.  I didn’t put it there, and I’d rather it not be there. However, right now, there isn’t a right to have your personal or professional information be deleted from social media, review sites, […]

Google Disables Its iPhone Tracking

Interesting article in the Wall Street Journal about Google’s iPhone tracking. Google Inc. and other advertising companies have been bypassing the privacy settings of millions of people using Apple Inc.’s Web browser on their iPhones and computers—tracking the Web-browsing habits of people who intended for that kind of monitoring to be blocked. The companies used […]

Massachusetts Data Security Law – Contract Grandfather Provision Expires March 1, 2012

Our colleagues have reminded us that on March 1, 2012, the contract grandfathering provisions of the Massachusetts Data Security Law and Regulations will expire: by Catherine M. Anderson, Jeffrey D. Collins  As we previously noted in our Foley Adviser dated February 3, 2010, “New Massachusetts Data Security Law and Regulations-Comprehensive Information Security Plan required before March […]

Retailer’s Request for Zip Code Violated Law, But Generated No Harm

In a decision in Tyler v. Michaels Stores earlier this month, the United States District Court for the District of Massachusetts held that the use of a consumer’s Zip Code to find her address and send her mailings was a statutory violation, but did not give rise to a claim for damages. Melissa Tyler brought […]

Inside Counsel Magazine Revisits SEC’s Cybersecurity Guidance

As we noted back in October, the SEC issued CF Disclosure Guidance: Topic No. 2:  Cybersecurity. This guidance provides the Division of Corporation Finance’s views regarding disclosure obligations relating to cybersecurity risks and cyber incidents. The most recent issue of Inside Counsel follows up on the latest views on this Guidance, including a quote from […]

Is Public-Private Information Sharing Needed to Respond to the Massive Increase in Cyber Attacks?

Interesting article in Friday’s Wall Street Journal on potential cybersecurity legislation to improve information sharing between industry and government.  Perhaps the best part of the article is the citation of statistics from Symantec’s annual Internet Security Threat Report:  Trends for 2009 and 2010 on how many updates Symantec sent out to address new attacks customers were facing: […]

Facebook Settles FTC Charges that It Deceived Consumers, Agrees to 20 Year Consent Order

In a settlement announced today by the Federal Trade Commission and Facebook, the social networking service agreed to settle “charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public,” according to the FTC’s press release. In its complaint, the FTC […]

Sen. McCain Inserts Cybersecurity Amendment into DoD Authorization Act

My colleague Dayle Cristinzio, former Legislative Director for Senator Harry Reid, has provided me with the amendments to Senate Bill 1867, the Department of Defense Authorization Act.  Among these amendments is one from Sen. McCain, amendment #1229, which could provide greater cybersecurity collaboration between the Department of Defense and the Department of Homeland Security.

Cybersecurity Legislation to Come to Senate Floor in January 2012

According to a November 16, 2011 letter from Senate Majority Leader Harry Reid to his Republican counterpart, Minority Leader Mitch McConnell, it is his "intent to bring comprehensive cyber security legislation to the Senate floor for consideration during the first Senate work period next year."  This is by no means a guarantee of legislative action, but […]

“Foreign Spies Stealing US Economic Secrets in Cyberspace”

With an inflammatory title like “Foreign Spies Stealing US Economic Secrets in Cyberspace,” the Office of the National Counterintelligence Executive’s “Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011” is tough to ignore. The Report’s conclusions are equally notable for their candor about the recent actions of the Chinese and Russian governments: “Chinese actors […]

“SEC’s Corp Fin Staff Attacks Cyber-Security Disclosure”

I was interviewed and quoted as part of a Compliance Week article on the new SEC guidance on disclosures of cyber security incidents: Colin Zick, a partner at law firm Foley Hoag, says the guidance is too general and that companies will have to think hard when assessing what information to disclose. “There are a lot […]

SEC Publishes Guidance on Cyber Incidents

On October 13, the SEC issued CF Disclosure Guidance: Topic No. 2:  Cybersecurity. This guidance provides the Division of Corporation Finance’s views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.  It follows Chairman Schapiro’s June 2011 letter to Senator Rockefeller on the subject.

More Consumer Data Security and Privacy Legislation Introduced

The latest legislator to enter into the federal data security and privacy sweepstakes is Senator Richard Blumenthal (D-CT) who introduced legislation, S. 1535, on September 8.  This bill, if passed, would require companies dealing with consumers to strengthen their data security and privacy policies.  In particular, Senator Blumenthal’s bill, “The Personal Data Protection and Breach Accountability Act,” would require businesses […]

HIPAA Breaches Reported to OCR Near 300

When we last looked at OCR’s reporting on HIPAA breaches impacting 500 or more individuals, back in May 2011, there had been 265.  This was up from September 2010, when there had been 191 such breaches. As of today, there are 292 listed.  Given that the last reported date of breach on the OCR’s list is May […]

Another Big HIPAA Settlement: The UCLA Health System Settles for $865,000

In another sign that OCR is continuing to seek significant penalties for HIPAA violations, it announced on July 7 that the UCLA Health System ("UCLAHS") has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with […]

Supreme Court Strikes Down Vermont Data Mining Law

The Supreme Court this morning voted 6-3 to strike down a Vermont statute that sought to impose significant restrictions on pharmaceutical data mining activities. Justice Kennedy’s opinion in the closely-watched case of IMS v. Sorrell held that the Vermont statute was an unconstitutional regulation of commercial speech. The first paragraph of Justice Kennedy’s opinion provides a […]

2011: The Year of the Breach

We are six months into 2011, and it seems destined to be “The Year of the Breach.”  In just the past few months, major American (and multi-national) corporations and institutions have reported that they have been the victims of some kind of security breach: Epsilon: breach of customer email addresses; RSA: compromise of security tokens (possibly impacting […]

What Law Applies In “the Cloud”?

Attached is my presentation given at a recent CloudCamp, on the subject:   What Law Applies In “the Cloud”?  (CloudCamp is an unconference where early adopters of Cloud Computing technologies exchange ideas.)

Big HIPAA Breaches Now Number 265

When we last looked at OCR’s reporting on HIPAA breaches impacting 500 or more individuals, back in September 2010, there had been 191 such breaches. In the intervening 7 months, that number has jumped to 265 such breaches listed on OCR’s website.  It’s safe to expect these figures will continue to climb for the foreseeable future.

Information Security In the Age of WikiLeaks

InformationWeek has published an interesting Analytics Brief on "Information Security in the Age of WikiLeaks."  (Subscription required.)  The brief discusses the following subjects: Could a Major Security Breach Be on the Horizon? The Smartphone Dilemma What Elements Are Currently Covered in Your Organization’s Security Awareness Program? Security Budgets Fare Well Implementing Risk Management Disciplines Do […]

White House Releases Framework for National Strategy for Trusted Identities in Cyberspace

On April 15, the White House formally released its National Strategy for Trusted Identities in Cyberspace. As we noted earlier, the “trusted identity” concept is intended to allow the public and private sectors to collaborate in order to raise the level of trust associated with the exposure of the identities of individuals, organizations, networks, services and devices in […]

Obama Administration Seeks “Consumer Privacy Bill of Rights”

In March 16, 2011 testimony before the Senate Committee on Commerce, Science, and Transportation, the Obama Administration formally asked Congress to pass a "consumer privacy bill of rights" enforced by the FTC: Legislation to provide a stronger statutory framework to protect consumers’ online privacy interests should contain three key elements. First, the Administration recommends that legislation […]

What Is Inside Mass General’s $1 Million HIPAA Settlement?

As we noted earlier this month, Massachusetts General Hospital recently entered into a $1 million Resolution Agreement  and Corrective Action Plan with the Department of Health and Human Services’ Office of Civil Rights.  This settlement stemmed from an incident on March 9, 2009, when a MGH employee was commuting on the subway, "removed documents containing PHI from her bag and placed […]

FTC Red Flags Suits Come to an End as Lawyers and Doctors Are Exempted

While the effect of the federal legislation modifying the FTC Red Flags Rule has been known for a while, the court proceedings that challenged the rule have now caught up.  The American Bar Association’s suit has been dismissed, and the American Medical Association announced it is voluntarily dismissing its case:  "The lawsuit filed by the Litigation […]

Supreme Court Rules Corporations Do Not Have Privacy Rights under FOIA

In a March 1, 2011 decision that has received much publicity (despite stating a fairly obvious conclusion), the Supreme Court ruled that the term "personal privacy" does not apply to corporations, at least in the context of the Freedom of Information Act ("FOIA").  The decision, FCC v. AT&T Inc., reflects the Supreme Court’s application of a particular exemption […]

Online Privacy Bills Planned for 2011

If Tuesday night’s failure to give fast-track approval to an extension of certain surveillance powers under the Patriot Act is any indication, Congress is in the mood to protect individual privacy. As such, a series of anticipated online privacy protection bills are likely to garner bipartisan support in the weeks and months ahead. Proposals will come […]

NIST Launches Web Site for National Strategy for Trusted Identities in Cyberspace

The National Institute of Standards and Technology (NIST), a federal agency within the Department of Commerce, has launched a web site detailing President Obama’s proposed National Strategy for Trusted Identities in Cyberspace (NSTIC). NSTIC, initially released for public comment in June 2010, was developed in response to the Obama Administration’s 2009 Cyberspace Policy Review, which called for the creation of a “cybersecurity-based identity […]

U.S. Supreme Court Upholds NASA Background Checks

In NASA v. Nelson, decided today by the U.S. Supreme Court, the high court rejected a challenge to “a section of a form questionnaire that asks employees about treatment or counseling for recent illegal-drug use . . .  [and] to certain open-ended questions on a form sent to employees’ designated references.” This particular challenge came from […]

Genetic Privacy Rights Group Publishes Guide to the World’s DNA Databases

The Council for Responsible Genetics has published a guide to the world’s DNA databases.  According to the guide, 56 countries (and in the U.S., all 50 states) maintain DNA databases. CRG describes itself as a "catalyst and thought leader in the movement to steer biotechnology toward the advancement of public health, environmental protection, equal justice […]

FTC Red Flags Rule Clarified; Red Flags Enforcement Likely to Begin in 2011

On December 18, 2010, President Obama signed into law the Red Flag Clarification Act of 2010.  The Act will change a single definition in prior law and reduce the scope of the FTC Red Flags Rule, ending a two-year long saga over the scope of its enforcement. As we have noted in past entries about Red Flags Rule compliance, […]

FTC Proposes Privacy Framework That Will Impact the Business Model of All Online and Mobile Advertising Companies

Our colleagues in Foley Hoag’s Emerging Enterprise Center have summarized the FTC preliminary staff report, “Protecting Consumer Privacy in an Era of Rapid Change:  A Proposed Framework for Businesses and Policymakers,” which we posted on December 1.  We are cross-posting the analysis from their blog below. It seems likely that the next two years will bring significant changes to this […]

Public Discussion on Confidentiality and Privacy Issues Related to Psychological Testing

The Substance Abuse and Mental Health Services Administration (“SAMHSA”), in close cooperation with the Department of Health and Human Services Office for Civil Rights (“OCR”), is conducting a study of the “Confidentiality and Privacy Issues Related to Psychological Testing Data.”  This study was specifically called for in section 13424 of the Health Information Technology for Economic […]

Patient Privacy Trumps Subpoena in Physician Disciplinary Action

Does the “compelling need” for patient records by a state body that oversees and regulates physicians trump the statute that protects the confidentiality of psychotherapy records?  Not in Massachusetts, according to a September 2, 2010 decision of the Supreme Judicial Court, Board of Registration in Medicine v. John Doe, No. SJC-10556. At issue in this case […]

ALERT: FTC Delays Enforcement of Red Flags Rule Through December 31, 2010

Today, the Federal Trade Commission issued a press release and an Enforcement Policy extending the deadline for enforcement of the FTC’s Red Flags Rule through December 31, 2010. The agency cited requests from members of Congress for a postponement of the deadline while legislators tinker with federal law to exclude certain businesses from application of the Rule.

Rep. Boucher and Stearns Release Discussion Draft of Comprehensive Federal Privacy Legislation

Earlier this month, Congressmen Rick Boucher and Cliff Stearns released a discussion draft of comprehensive federal privacy legislation (.pdf). Among the many provisions of the draft bill is the requirement that any entity that collects information on individuals such as name, address, email address and telephone number, maintain “appropriate administrative, technical, and physical safeguards” to […]

One More Thing to Worry About — Hard Drives on Digital Copiers

Many digital copiers are now able to store the scanned documents on flash memory or hard drives.  This could pose a privacy/security risk, if the drives are improperly accessed, or if they are lost or resold without being scrubbed first. Even the simple act of making a photocopy now poses privacy risks.  In response to […]

Coming This Month — Proposed HIPAA Regs!

The Department of Health and Human Services announced it will release proposed HIPAA/HITECH Act regulations later this month, according to the HHS’s recently-published regulatory agenda, available at 75 Fed. Reg. 217821.  The announcement itself was pretty cryptic: 120. MODIFICATIONS TO THE HIPAA PRIVACY, SECURITY, AND ENFORCEMENT RULES UNDER THE HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT Legal […]

Deadlines, Deadlines, Deadlines: Three Important Privacy and Security Dates

In the past several days, three important information privacy and security deadlines have arrived.  To recap, they are: February 17, 2010:  the provisions of the HITECH Act regarding HIPAA business associates went into effect (albeit without regulations, which are expected to be issued any day now).  Many HIPAA covered entities have been revising their Business Associate […]

Doctors and Other Health Care Professionals Challenge Application of FTC Red Flags Rule

The FTC Red Flags Rule faces another likely challenge, based on a January 27, 2010 letter sent to the FTC by the American Medical Association, the American Osteopathic Association, the American Dental Association, and the American Veterinary Medical Association.  In that letter, the four health care organizations requested that the Red Flags Rule not be applied to health care professionals (based […]

Accountants Ask Court To Exempt Them From Red Flags Rules

Last week the American Institute of Certified Public Accountants (AICPA) filed papers seeking summary judgment in the lawsuit filed against the Federal Trade Commission  (FTC) to exempt accountants from the FTC’s Red Flags Rules.  We first posted on this case in November, when the AICPA filed a complaint asking the federal court in Washington, D.C. […]

Is the FTC “Moving to a Post-Disclosure Era” for Online Consumer Privacy?

Is the FTC moving to a "Post-Disclosure Era," in which consumer online privacy would be regulated in a radically different manner than the status quo?  That was a suggestion made by the chairman of the FTC, Jon Leibowitz, and David Vladeck, chief of the FTC’s Bureau of Consumer Protection, during a recent on-the-record discussion about online privacy, reported in the New […]

Bill to Narrow Red Flags Rules Moves Forward

It appears that certain groups, such as the American Bar Association (ABA), may be partially successful in their efforts to convince Congress to narrow the scope of the FTC Red Flags Rules, which are currently scheduled to go into effect on November 1.  According to the BNA Privacy & Security Law Report, the House Financial Services Committee has […]

Massachusetts Holds Public Hearing on Information Security Regulations — Regulators Contemplating Additional Revisions in Final Rulemaking

This morning, the Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) held a public hearing in connection with its promulgation of revisions to the Commonwealth’s information privacy regulations, 201 CMR 17.00.  The standing-room-only crowd endured a modest, unventilated conference room in the Transportation Building to make comments on the stringent regulations.  OCABR Undersecretary Barbara Anthony […]

Incident of the Week: NCUA Issues Fraud Alert Based On Fake NCUA Fraud Alert (Which Turns Out To Be Part of Security Consultant’s Penetration Testing)

The National Credit Union Administration (NCUA) issued an official NCUA Fraud Alert on August 25, 2009 reporting that someone was sending around a fake NCUA Fraud Alert (.pdf) with CDs that purported to contain security software updates but instead contained malware.  The NCUA warned “Should you receive this package or a similar package DO NOT run the CDs.”  […]

ALERT: FTC Announces Delay in Red Flags Enforcement Until November 1, 2009.

Amidst calls from the legal community, the Federal Trade Commission (FTC) announced this morning that it was delaying enforcement of the FTC’s Red Flag Rules until November 1, 2009.  The FTC’s announcement of the delay emerged almost as a footnote to a public statement devoted largely to the FTC’s "redoubled" efforts to "provid[e] additional resources […]

House Subcommittees Hold Joint Hearing On Behavioral Advertising

On June 18, 2009, the House Subcommittee on Commerce, Trade and Consumer Protection held a joint hearing with the Subcommittee on Communications, Technology, and the Internet on the topic of “Behavioral Advertising: Industry Practices and Consumer Expectations.” The subcommittee members explained that they hoped the hearing would help determine the need and possible parameters for new legislation governing […]

Lawsuit Challenges Legality of HITECH Act

A federal suit has been filed that challenges the legality of the federal HITECH Act.  In the course of 30 often rambling pages, this complaint alleges that "HIPAA codified the Hippocratic Oath" and that HITECH improperly undermines both.  This complaint appears to be the work of a gadfly or two.  The plaintiff’s lawyer is her husband; interestingly, he was described […]

ABA Urges Congress and FTC to Exempt Lawyers from Red Flags Rules

Earlier this week, on Monday, June 22, 2009, the American Bar Association (ABA) President H. Thomas Wells, Jr. issued a public statement urging Congress and the FTC to exempt lawyers from the requirements of the federal Red Flags Rules, stating: The Rule, adopted under the Fair and Accurate Credit Transactions Act, or FACT Act, is […]

European Service Providers To Begin (or Continue) Recording Data on All Electronic Communications

On March 15, 2006, the European Parliament issued Directive 2006/24/EC (.pdf), outlining a new program that would require internet service providers (ISPs) and telecommunications carriers to begin retaining comprehensive records of customer communications.  Specifically, the Directive required member states to ensure that a range of communications data be retained by service providers, including: The names, addresses, […]

Bill Seeks Changes Massachusetts Data Security Law

With the deadline for complying with the Massachusetts identity theft law just six months away, at least one state senator is still seeking changes to that law.  In Senate Bill S173, which until now  has received little public notice, State Senator Michael Morrissey proposes to make it easier for small businesses to comply, by requiring the […]

Privacy Panel Recommends Updates to Privacy Act, Privacy Officers for Federal Agencies

On May 27, 2009, the Information Security and Privacy Advisory Board (ISPAB) issued a report entitled “Toward A 21st Century Framework for Federal Government Privacy Policy” (.pdf) that calls on Congress to amend the Privacy Act of 1974, establish the position of Chief Privacy Officer in numerous executive agencies and develop a Chief Privacy Officers’ Council. ISPAB is a […]

ABA to Consider Asking FTC and Congress to Exempt Lawyers from Red Flags Rules

A contact at the American Bar Association (ABA) confirmed by telephone today that the ABA Board of Governors is meeting this Saturday, June 13, 2009 to determine what position the ABA will take on whether lawyers and law firms are (or should be) considered "creditors" subject to federal Red Flags Rules.  Many among the legal community are hoping that the ABA urges the FTC […]

FTC Chairman Pushes for Increasingly Specific “Self” Regulation of Behavioral Advertising

In recent weeks, FTC Chairman Jon Leibowitz has encouraged the behavioral advertising industry to adopt increasingly specific "self" regulatory measures to address privacy concerns. Behavioral advertising, which the FTC has described as the practice of  “tracking of a consumer’s activities online . . . in order to deliver advertising targeted to the individual consumer’s interests” is a concern for consumer groups.  Consumers’ concerns range […]

New Law Would Require ISPs to Retain User Logs and Subscriber Records for Two Years

In February, Senator John Cornyn (R-Tx.) and Congressman Lamar Smith (R-Tx.) introduced the Internet Stopping Adults Facilitating the Exploitation of Today’s Youth ("SAFETY") Act of 2009 (S. 436, H.R. 1076), which contains a provision that would require Internet Service Providers (ISPs) to keep subscriber data for "at least" two years.  Specifically, Section 5 of the […]

Electronic Access to Court Filings Potentially Exposing Sensitive, Personal Information

In an April 2009 press release (.pdf), the Public Access to Court Electronic Records system (“PACER") announced that 99% of all federal courts nationwide have implemented electronic systems allowing litigants to file and review documents online. The near-complete implementation of these online systems marks an important technological and environmental milestone for the legal profession; however, it comes […]

New Cybersecurity Legislation Introduced in the Senate

As I noted a few weeks ago, Senators Jay Rockefeller (D-W.Va.), Olympia Snowe (R-Maine) and Bill Nelson (D-Fla.) were drafting new cybersecurity legislation.  Last week the Senators introduced two bills.  The first, S.778 (text of the bill not yet available), would establish an Office of National Security Advisor within the Executive Office of the President.  The second, S.773 (text of the […]

EU Working Party Issues Opinion on Standard Contract Clauses for Transfer of Data

On March 5, 2005, the Article 29 Working Party, an independent European advisory body on data protection and privacy, adopted Opinion 3/2009 (.pdf). The opinion comments on European Commission proposals designed to ensure that all data processors, including contractors hired by other data processors, are contractually required to protect sensitive data.

Senate Drafting Cybersecurity Law – Seeks To Appoint National “Cybersecurity Czar”

Senators Jay Rockefeller (D-W.Va.), Chairman of the Senate Commerce, Science and Transportation Committee, Olympia Snowe (R-Maine) and Bill Nelson (D-Fla.) are drafting cybersecurity legislation that would establish a permanent national security czar reporting directly to the White House, according to a recent announcement from Senator Nelson and other reports.  The proposed legislation would also require […]

The FTC Strikes Back: (Essentially) Everyone Should Be Complying With Red Flags Rules, Especially The Healthcare Industry

In a recent letter (.pdf) to the healthcare industry, the Federal Trade Commission (“FTC”) has issued its clearest pronouncement yet on which entities must comply with federal “Red Flag Rules” — the identity theft regulations that will go into effect for many businesses on May 1, 2009 (and have been in effect for banks and financial institutions since November 1, 2008). This latest guidance strongly suggests that if you are wondering whether the new federal regulations apply to you — then they probably do. In this post, we will recap the FTC’s recent guidance on who should be complying with the Rules.

EU Data Protection Working Party Issues Guidance on Cross Border Discovery

On Wednesday, February 11, 2009, the Data Protection Working Party, an independent European advisory body on data protection and privacy, released its Working Document 1-2009 (.pdf) on pre-trial discovery for cross border civil litigation.  The Working Document attempts to reconcile the tension between U.S. discovery rules and the European Union’s Directive 95/46/EC (.pdf), which outlines the EU’s privacy requirements.  […]

Rep. Mary Bono Mack Introduces Informed P2P User Act To Combat Inadvertent File Sharing

On Thursday, March 5, 2009, Congresswoman Mary Bono Mack (R-CA), Congressman John Barrow (D-GA) and Congressman Joe Barton (R-TX) introduced the Informed P2P User Act (H.R. 1319) which requires peer-to-peer ("P2P") software makers to make certain changes to their software to prevent users from inadvertently sharing files from their computers.  The proposed law would require both […]

Highlights from the IAPP Privacy Summit – March 11-13, 2009 Washington, D.C.

Between March 11, 2009 and March 13, 2009, the International Association of Privacy Professionals (IAPP) hosted a Privacy Summit in Washington, D.C. that featured keynote presentations from fraud expert Frank W. Abagnale and information security guru Bruce Schneier. The three-day event included dozens of breakout sessions with industry experts and government officials.  Read some of the highlights below.

Newly released opinions on privacy shed light on past government practices

On Monday the Department of Justice released a previously classified opinion entitled “Authority for Use of Military Force To Combat Terrorist Activities Within the United States” (.pdf), which concluded, among other things, that “the Fourth Amendment [of the U.S. Constitution] does not apply to domestic military operations designed to deter and prevent further terrorist attacks.” This may come […]

Has the Consumer Privacy Legislative Forum Decided to Abandon Efforts to Draft Federal Privacy Legislation?

In early February, I noted that a group called the Consumer Privacy Legislative Forum (“CPLF”), which includes companies such as eBay, Microsoft, Google and Hewlett Packard, had released a statement calling for comprehensive harmonized federal privacy legislation and would be outlining recommendations for such legislation this month. Apparently, the CPLF’s focus has shifted. According to a BNA […]

Cracking Down: FCC Initiates Enforcement Action Against Hundreds of Telecommunications Carriers For Failing to Certify Compliance With Customer Privacy Rules

On Tuesday, February 24, 2009, the Federal Communications Commission (FCC) issued an Omnibus Notice of Apparent Liability alleging that more than 600 telecommunications carriers have violated Section 222 of the Communications Act which "imposes the general duty on all telecommunications carriers to protect the confidentiality of their subscribers’ proprietary information" and the EPIC Customer Proprietary Network Information (CPNI) […]

Isn’t There Already A Federal Standard Governing Information Security? — Re-Examining the Gramm-Leach Bliley Act

By Stacy Anderson and Gabriel M. Helmer. As an ever-increasing number of states enact legislation governing identity theft, customer data and personal information, pressure for clear federal legislation governing information security has mounted. For example, in December 2008, the FTC joined the growing number of voices calling on Congress to enact legislation to create a […]

Senator Feinstein Introduces Two New Security/Privacy Bills

On January 6, 2009, Senator Dianne Feinstein (D-Cal.) introduced two bills related to data breaches and protection of social security numbers. Bill S. 139, entitled the "Data Breach Notification Act," would require any federal agency or business entity to notify an individual of a security breach involving personal information “without unreasonable delay.” The proposed bill defines “reasonable delay” […]

FTC Chief Privacy Officer Mark Groman Presents At The Boston Bar Association

On Wednesday, January 14, 2009, the Boston Bar Association’s Privacy Law Committee hosted FTC Chief Privacy Officer Mark Groman for a brown bag lunch presentation entitled “The View from the Federal Trade Commission’s Chief Privacy Officer.” Here are a couple of highlights from the presentation:  Mr. Groman views law firms as businesses subject to FTC Red […]

FTC Issues Guidance to Businesses on How To Handle Social Security Numbers

Anyone mystified by what practices the FTC wants businesses to improve on or abandon in response to federal “Red Flags” regulations received some specific guidance in December, when the FTC released the report Security in Numbers – SSNs and ID Theft. For anyone subject to new federal and state identity theft regulations, the Report helps identify some specific steps they should consider implementing by May 1, 2009, the deadline for businesses to adopt compliant identity theft prevention programs.

ALERT: Massachusetts Gives Businesses Until May 1, 2009 to Adopt Comprehensive Information Security Programs To Comply With Recent State Identity Theft Regulations

On Friday, November 14, 2008, Massachusetts regulators announced that they will give affected businesses until May 1, 2009 to comply with new identity theft regulations. This move parallels the October announcement by the Federal Trade Commission that it is delaying enforcement of federal identity theft regulations until the same day.

ALERT: FTC Gives Businesses Until May 1, 2009 to Adopt Identity Theft Prevention Plans that Comply With Recent FTC “Red Flags” Regulations

On Wednesday, October 22, 2008, the Federal Trade Commission issued an Enforcement Policy Statement that it will delay some elements of enforcement of recent “Red Flags” regulations until May 1, 2009, instead of the original November 1, 2008 date. Citing uncertainty and confusion within many industries over whether they are covered by the new regulations, the FTC indicated that it will not seek to enforce the regulations on November 1, 2008, when all affected businesses were originally required to come into compliance.