With the heart of the summer vacation season upon us, it seems like a good time for some reflection. Here, it comes in the form of excerpts from an essay by privacy maven, Deborah Hurley. The one time Director of the Harvard Information Infrastructure Project at Harvard University, she has been thinking and writing about privacy issues for two decades. Her entire essay can be found in the book, Privacy in the Modern Age, and this excerpt is provided with her permission:
Category Archives: Legislation & Regulation
This seminar was presented by Foley Hoag LLP and and a panel of industry experts on ISO 27018, the new international standard governing the processing and protection of personal information by public Cloud Service Providers (CSPs). Even though this new standard is voluntary, it is widely expected to become the benchmark for CSPs going forward.
As the first and only international privacy standard for the cloud, ISO 27018 addresses the means of keeping customer information confidential and secure, as well as preventing personal information from being used for advertising or data analytics without customer approval. More importantly, adherence to ISO… More
As part of a series of measures aimed at increasing preparedness and defenses against international cyberattacks on U.S. industries and government agencies, on April 1, President Obama issued Executive Order No. 13694, authorizing the Treasury Department’s Office of Foreign Assets Control (OFAC) to sanction foreign individuals or entities committing such attacks. The new sanctions will allow the Treasury Department to block or freeze the assets of those outside the U.S. engaging in malicious cyber activities that threaten the national security, foreign policy and financial stability of the U.S. Once OFAC designates… More
Smart grids – electrical grids that allow two-way communication between utilities and consumers – represent an exciting frontier in the Internet of Things, with ramifications for energy efficiency, weather resiliency and climate change, among others. As the Department of Energy writes, “[t]he Smart Grid represents an unprecedented opportunity to move the energy industry into a new era of reliability, availability, and efficiency that will contribute to our economic and environmental health.”
But like many aspects of the Internet of Things, smart grids also present privacy concerns. Few people fret about the privacy of their monthly electric bill, but smart meters… More
Update on President Obama’s “Summit on Cybersecurity and Consumer Protection,” Part III: Five Key Lessons for Business
Concluding our three-part analysis of the White House’s first Summit on Cybersecurity and Consumer Protection, we turn to some practical advice coming out of the Summit’s afternoon session, including an address by Maria Contreras-Sweet, the administrator of the Small Business Administration (“SBA”), and a panel discussion among financial sector leaders moderated by Deputy Treasury Secretary Sarah Bloom Raskin.
Here are five takeaways for companies large and small:
Companies are only as secure as their most vulnerable employee. In the course of the panel discussion, Mike George, CEO of QVC, elaborated on how training and constant vigilance were at the… More
Update on President Obama’s “Summit on Cybersecurity and Consumer Protection,” Part II: The Executive Order
As a follow up to our summary of the key takeaways from the White House’s first Summit on Cybersecurity and Consumer Protection, the centerpiece of which was President Obama’s signing of a new Executive Order, “Promoting Private Sector Cybersecurity Information Sharing,” what follows is an analysis of that Order.
What does the Order actually do?
The Order “promotes…encourages…and…allows” but does not require anything. Specifically, it creates a voluntary framework for the formation of Information Sharing and Analysis Organizations (“ISAOs”). Per the Order, the Department of Homeland Security (“DHS”) will “engage in continuous, collaborative, and inclusive coordination” with ISAOS to… More
The first ever Summit on Cybersecurity and Consumer Protection was convened today at Stanford University, keynoted by President Obama. The purpose of the summit: to “bring together major stakeholders on consumer financial protection issues to discuss how all members of our financial system can work together to further protect American consumers and their financial data.” These stakeholders, a number of public and private sector leaders, preceded the President with several speeches and panels. Here are some key takeaways from these earlier speakers, as well as a brief look at President Obama’s remarks:
Collaboration is front and center. As… More
SEC Office of Compliance Inspections and Examinations Releases Cybersecurity Examination Sweep Summary of Investment Advisers and Broker-Dealers
Our colleagues Catherine M. Anderson and Kate Leonard of our Investment Management group have summarized the February 3, 2015 findings by the Office of Compliance Inspections and Examinations (OCIE) of its Cybersecurity Examination Sweep, which sought to evaluate the breadth of cybersecurity policies implemented by investment advisers (as well as by broker-dealers). For more details on the sweep, see our previous Foley Adviser update: SEC Issues Risk Alert on Cybersecurity Initiative for Investment Advisers.
The released report examines the varying degrees of preparedness of firms, steps taken to combat cybersecurity threats, the incidence of such threats,… More
Our friends at Co3Systems and IOD recently produced a webinar, “Ready or Not, Here They Come: Preparing For Phase 2 HIPAA Compliance Audits” that provides a succinct overview of what is coming down the pike for HIPAA covered entities.
In a first for the FCC, it announced on October 24 that it intends to fine two telecom companies $10 million for data security violations:
The FCC intends to fine TerraCom, Inc. and YourTel America, Inc. $10 million for several violations of laws protecting the privacy of phone customers’ personal information. According to an investigation by the Enforcement Bureau, TerraCom and YourTel apparently stored Social Security numbers, names, addresses, driver’s licenses, and other sensitive information belonging to their customers on unprotected Internet servers that anyone in the world could access. The information was gathered to demonstrate eligibility for the Lifeline program, which is… More
Last week, the FTC announced approval of a new Safe Harbor Program under the Children’s Online Privacy Protection Act (COPPA), called iKeepSafe. The program was created by the Internet Keep Safe Coalition, a nonprofit organization that describes its goal as the “creation of positive resources for parents, educators and policymakers who teach youths how to use new media devices and platforms in safe and healthy ways.”
The COPPA Rule affords some flexibility in compliance through use of a safe harbor provision, 16 C.F.R. § 312.10. The provision allows that operators – that is, persons who operate… More
The FTC’s July 10, 2014 complaint filed against Amazon has left app developers with concerns about how to make apps that target kids and still comply with the law. The complaint, brought under Section 5(a) of the FTC Act, alleged that Amazon failed to obtain parents’ or account holders’ informed consent to in-app charges incurred by children. While the complaint was not brought under the Children’s Online Privacy Protection Act (COPPA), the increased scrutiny on child-targeted apps should have all app developers making sure they understand what COPPA requires when it comes to getting parental consent.
Generally, COPPA… More
In a unanimous decision issued today, the Supreme Court ruled that police cannot search the cell phones of arrested individuals without a warrant. In reaching its decision, the Court recognized that there is an immense amount of personal information on smart phones and held that access to that information would constitute a significant invasion of individual privacy. With the relatively recent invention of cell phones and the sudden pervasiveness of smart phones in the United States, the Court was forced to grapple with the application of century old legal principles to the practical realties of modern day technology. As… More
The Revised COPPA Rule and “Personal Information” – One Example that Balances Anonymity and Interactivity
The revised Children’s Online Privacy Protection Act (“COPPA”) Rules, as discussed here previously were meant to bring regulations in line with, in the FTC’s words, the “rapid-fire pace of technological changes to the online environment” that have taken place since COPPA was passed in 2000. This week’s Boston Globe article about the new public television production, WGBH’s “Plum Landing,” provides an interesting illustration of the impact of the revised COPPA Rule.
Plum Landing is not a television show, but rather a series of videos, online games and activities spanning a variety of platforms (e.g., computers, tablets, and… More
State Securities Regulators in Massachusetts and Illinois Survey Investment Advisors on Cybersecurity Practices
Picking up on the SEC’s initiative to assess cybersecurity preparedness discussed here previously, state securities regulators in Massachusetts and Illinois sent to investment advisors registered in their respective states a survey on their cybersecurity practices.
The Massachusetts surveys were sent on June 3 and a response is due on June 24. William F. Galvin, Secretary of the Commonwealth, whose jurisdiction includes the Massachusetts Securities Division, was quoted saying: “With the almost universal reliance on computer trading and communication, it is essential that investors can be confident that their financial data is secure from unauthorized intrusion from whatever source…. More
To buttress the SEC’s initiative to assess cybersecurity preparedness in its risk alert discussed here previously , the SEC also has the power to bring enforcement actions against registered entities that fail to meet cybersecurity requisites. Specifically, the SEC may bring an enforcement action against registered entities that violate the safeguards rule of Regulation S-P (17 CFR § 248.30(a)) (commonly referred to as the “Safeguards Rule”).
Under the Safeguards Rule, all registered entities must have written policies and procedures “designed to:
(a) Insure the security and confidentiality of customer records and information;
(b) Protect against… More
Our colleagues Catherine M. Anderson and Jennifer M. Macarchuk have summarized the recent SEC Risk Alert regarding its initiative to assess cybersecurity preparedness and threats in the securities industry, including examinations of more than 50 SEC-registered investment advisers and broker-dealers.
The full text of the Risk Alert is available here.
SEC-registered investment advisers should review the Risk Alert, assess their current level of preparedness for cybersecurity threats, and consider whether any changes need to be made to their current cybersecurity policies and procedures. The Risk Alert includes an appendix containing 28 sample information requests that the SEC may… More
Data breach law in the United States might have just become a lot less patchy, but a little more uncertain. On April 7, 2014, the District Court of New Jersey decided FTC v. Wyndham Worldwide Corp., et al., No. 13-1887-ES. This case arises out of a FTC action, brought under the deception and unfairness prongs of Section 5(a) of the FTCA (15 USC s. 54(a)), against Wyndham Worldwide relating to a series of data breaches between April 2008 and January 2010. The question before the court, on a 12(b)(6) motion to dismiss brought by Wyndham,… More
Triple-S Salud Inc., a Puerto Rican health insurer, has been hit with a $6.8 million penalty from the Office of Civil Rights of the Department of Health and Human Services for a massive data breach. Triple-S (known as ASES in Spanish) has posted a notice on its website regarding the breach.
The penalty, which also is described in a securities filing, is based a breach involving 13,336 of Triple-S’s Dual Eligible Medicare beneficiaries. This penalty dwarfs the previous record fine of $4.3 million, which was related to non-cooperative behavior after a breach by Cignet Health in 2011.
Rare Massachusetts Superior Court Decision Interpreting the CFAA Takes the Narrow View Without Squarely Addressing the Broad
Judge Peter M. Lauriat of the Massachusetts Superior Court decided late last year that an employee who takes confidential documents from her employer’s electronic document system to use in a discrimination lawsuit against her employer is not liable to the employer under the Computer Fraud and Abuse Act (CFAA), especially when the employer knew about the lawsuit but nonetheless did not restrict the employee’s access to those documents while she was working for the employer. In so deciding, Judge Lauriat had to grapple with two… More
On February 20, the U.S. Department of Health and Human Services Office of Civil Rights (HHS OCR) released new guidance explaining how the HIPAA Privacy Rule operates to protect individuals’ privacy rights with respect to their mental health information and in what circumstances the Privacy Rule permits health care providers to communicate with patients’ family members and others to enhance treatment and assure safety.
The guidance is essentially a set of answers to frequently asked questions. Set out below is a highly truncated version of those FAQs (please view the entire Q&A for the full position and explanation of… More
In a previous post, I wrote about privacy concerns surrounding data storage nonprofit inBloom and its partnership with the New York State Education Department (“NYSED”). On February 5, 2014, New York State Supreme Court Justice Thomas A. Breslin dismissed the lawsuit filed by parents seeking to block NYSED from sharing and storing student data with inBloom. In his order, Justice Breslin ruled that the agreement between NYSED and inBloom did not violate New York state privacy law. Noting that the new storage system “can support more security features” than current systems used by New York… More
Privacy concerns have threatened the plans of the New York State Department of Education to use third party contractor, inBloom, to store and integrate student data in a cloud-based system. On January 10, the Department announced that it would delay release of additional student data to inBloom. The delay, which the Department said is normal for a project of its size, comes after a class of parents filed suit in November and New York legislators proposed a bill requiring parental consent before sharing such data.
Have you wanted to read up on the many cyber security issues that have arisen over the past year but which you did not have time to follow in detail? We have just the thing — four reports from the Congressional Research Service, the low-key public policy research branch of the U.S. Congress (so low-key that they do not have a web site).
Four recent CRS reports on timely cyber topics are:
Massachusetts Federal Court Refuses to Dismiss CFAA Claim But Permits the Defendants to Ask Again Later
In the cross-post from our Noncompete Blog, another CFAA decision is discussed.
Echoing a new theme in the federal district court in Massachusetts, last month Chief Magistrate Judge Leo T. Sorokin refused to dismiss a Computer Fraud and Abuse Act (“CFAA”) claim brought against the former CEO of a company, but did so without prejudice, meaning that the defendants could ask the Court to dismiss the claim again later in the case. Under the CFAA, ”[a] defendant is liable where he or she ‘knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized… More
Now that the initial media blitz about the massive Target breach has passed, it is time to look ahead at the implications:
Legislation: In the past, we have seen major breaches drive legislative change. But now that most states have data security statutes, it seems unlikely that much will happen at the state level. And action at the federal level has been long promised, but remains a distant vision. Law enforcement: While the actual hackers may remain elusive, Target is an easy target. Expect significant investigations, record-setting financial penalties and a burdensome compliance agreement for Target. And, of course,… More
In a 68 page order issued earlier today, a federal district court judge ruled in favor of five plaintiffs challenging the NSA’s collection of phone record information, finding that the plaintiffs:
“have standing to challenge the constitutionality of the Government’s bulk collection and querying of phone records metadata”; “have demonstrated a substantial likelihood of success on the merits of their Fourth Amendment claim”; and “will suffer irreparable harm absent preliminary injunctive relief.”
This is by no means the last stop for this litigation; rather, it is just the end of the beginning. While granting the requested injunction against the NSA… More
The United States District Court for the Northern District of California recently refused to dismiss a Computer Fraud and Abuse Act (CFAA) claim with an unusual twist: the defendant allegedly circumvented an IP address block after receiving a cease-and-desist letter from the plaintiff and therefore is alleged to have acted “without authorization” in violation of the CFAA.
The dispute began with Craigslist Inc. sending a letter to 3Taps, Inc. because 3Taps was “scraping” content posted to the Craigslist website in real time and then using that information to create its own website and interface with… More
An interesting article by Jeffrey Spear that appeared in the New Hampshire Bar News in July shows that the federal district court in New Hampshire is struggling with the same question as the district court in Massachusetts: What is the proper interpretation of the Computer Fraud and Abuse Act (“CFAA”)? The CFAA, as I have mentioned many times on this blog, is a federal statute that has been interpreted… More
“A Million Here, a Million There”… WellPoint Settles HIPAA Breach and Security Claims with HHS OCR for $1.7 Million
Managed care company WellPoint Inc. has agreed to pay the U.S. Department of Health and Human Services $1.7 million to settle potential HIPAA Privacy and Security Rule violations committed in 2009 and 2010.
As so often happens, HHS OCR began its investigation following a self-report of the breach by WellPoint. That report “indicated that security weaknesses in an online application database left the electronic protected health information (ePHI) of 612,402 individuals accessible to unauthorized individuals over the Internet. OCR’s investigation indicated that WellPoint did not implement appropriate administrative and technical safeguards as required under the HIPAA Security Rule.” Based on its investigation, HHS… More
In order to “keep up with technology,” the FTC revised the Children’s Online Privacy Protection Rule (COPPA) in 2012. As a result of those revisions, some companies that may not have been covered by COPPA may now be covered, and the effective date of those changes is today, given the July 1st effective date of the revised COPPA Rule. To streamline your response to these issues, the FTC has developed a six-step COPPA compliance guide:
The Federal Trade Commission has issued revised guidance designed to help businesses comply with the requirements of the Red Flags Rule, which protects consumers by requiring businesses to watch for and respond to warning signs or “red flags” of identity theft.
The guidance outlines which businesses – financial institutions and some creditors – are covered by the Rule and what is required of businesses to protect consumers from identity theft. The Red Flags Rule was revised in late 2012 to more narrowly define the types of creditors subject to the rule’s requirements.
The Split in the Circuit Courts Over the Proper Interpretation of the Computer Fraud and Abuse Act Actually Goes Three Ways
Posted on March 15th, 2013 by Brian P. Bialas on our sister blog, Massachusetts Noncompete Law. I’ve written many times about the significant split in circuit courts’ interpretation of the Computer Fraud and Abuse Act (CFAA), which affects whether an employer can sue an employee for violating computer use restrictions, usually embodied in a confidentiality agreement or company IT policy, when an employee downloads confidential information he is permitted to access but then takes that information to a competitor. The… More
The revised HIPAA regulations were formally published today in the Federal Register. In this form, they only take up 138 pages!
Law360 has a brief piece on the revised HIPAA rules, with the perspectives of various attorneys (including me) on the changes. While I’m not sure I agree with the quote that “This is a paradigm shift in the privacy world,” I do agree that this is “definitely something for all businesses to pay attention to.” Similarly, I agreed that “now that the starting gun has sounded, it’s a race to get ready by the Sept. 23 compliance… More
On January 18, 2013, nearly four years after the passage of the HITECH Act and its amendments to HIPAA, and nearly three years after it proposed regulatory amendments, the U.S. Department of Health and Human Services (“HHS”) has finally issued major “omnibus” revisions to HIPAA’s privacy and security regulations.
In the 563 pages of the regulations and related regulatory comments, there are many substantive and technical changes. However, we distilled two major themes in these revisions:
Extension of HIPAA generally, and in particular the direct extension of HIPAA to business associates and their subcontractors, so that now… More
Nearly four years after the passage of the HITECH Act and its amendments to HIPAA, and nearly three years after it proposed regulatory amendments, the U.S. Department of Health and Human Services (“HHS”) has finally issued major revisions to HIPAA’s privacy and security regulations.
While we are still making our way through all 563 pages of the regulations and related regulatory comments (and will have a more detailed analysis shortly in this space), here are some of the highlights we (and the HHS press release) have noted so far:
Many of HIPAA’s privacy and security requirements will now directly apply to business associates; Business associates may also be liable… More
The National Labor Relations Board (NLRB) recently issued a significant decision – solidifying the position it has staked out over the past 18 months – that an employee’s posts on social media may be entitled to protection under the National Labor Relations Act (NLRA), regardless of whether the employee is part of a unionized workforce.
As originally drafted, “creditors” would have included anyone “who regularly extends, renews, or continues credit” or “who regularly arranges for the extension, renewal, or continuation of credit,” 15 U.S.C. § 1691a(e); see 15 U.S.C. § 1681a(r)(5). The new Act narrows this definition by excluding anyone who advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person. Examples… More
Today’s Law360 addresses “HHS Data-Scrubbing Guidance” with quotes from me and others on the subject:
Clarifying the types of data that need to be removed from data sets can also help companies maximize the value of the information that they hold as the value of and ability to use this data for research and public health purposes increases, Foley Hoag LLP security and privacy practice co-chair Colin Zick added.
“The guidance answers discrete questions that people have come across in operational circumstances, like can you list parts of a ZIP code,” he said. “The answers to… More
On November 26, HHS OCR released guidance regarding methods for de-identification of protected health information in accordance with the HIPAA Privacy Rule. This guidance fulfills the American Recovery and Reinvestment Act of 2009 (ARRA) mandate that HHS issue such guidance.
Following the passage of ARRA, OCR collected research and views regarding de-identification approaches, best practices for implementation and management of the current de-identification standard and potential changes to address policy concerns. The guidance synthesizes these diverse perspectives. It provides particularly helpful insight into the use of experts to confirm de-identification:
At the end of what was an interesting, but rather ordinary interview in the Wall Street Journal, FTC Chair Jon Leibowitz dropped this interesting nugget:
MS. ANGWIN: The EU has a very different approach to privacy, and there has been concern about whether we’re going to move in that direction. What’s your view?
MR. LEIBOWITZ: My sense is you might see Europe moving a little bit more to our approach of allowing some advertising and allowing some collection of data.
Perhaps Mr. Leibowitz should sit down with Alan Shatter, the Irish minister charged with putting together an… More
FTC Announces Agenda for Workshop Exploring Practices, Privacy Implications of Comprehensive Collection of Web Data
The FTC has announced a preliminary agenda for a program it calls “The Big Picture: Comprehensive Data Collection.” This workshop “will explore the practices and privacy implications of comprehensive data collection.”
The program will be held in Washington, DC, on Dec. 6, 2012, and is free and open to the public.
The workshop will be webcast live and a link will be available on FTC.gov. FTC staff will live-tweet the day-long event using the hashtag #FTCpriv from the agency’s @FTC account.
Gant Redmon of Co3 Systems has an interesting take on the differences in U.S. and EU privacy regimes in a Security Week column entitled, “Privacy: Why Europeans Think You’re Inadequate.” In his column, he addresses three key issues: “First, what does privacy mean to folks in the US versus the EU? Second, how has history played a role in defining privacy in the US and EU? And third, what financial incentives does the EU have in declaring the US inadequate?”
Another Massachusetts Health Care Provider Hit with Big HIPAA Settlement: Massachusetts Eye and Ear Infirmary Pays $1.5 Million
Late yesterday, the HHS Office for Civil Rights (“OCR”) announced that it had reached a $1.5 million settlement with Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (“MEEI“) to settle potential HIPAA Security violations. As part of the settlement, MEEI also agreed to a Corrective Action Plan to improve policies and procedures to safeguard the privacy and security of its patients’ protected health information.
OCR’s investigation followed a breach report submitted by MEEI, as required by the HIPAA Breach Notification Rule, reporting the 2010 theft of an unencrypted personal laptop containing the electronic protected health information of MEEI patients and research subjects while… More
In a case that has received wide attention, the Massachusetts Supreme Judicial Court has issued a decision barring ethics investigators from asking a Massachusetts judge how he reached individual decisions during his 21 years on the bench. This is one of the few published decision to recognize a deliberative privilege for the judiciary, with the court concluding that: “the best approach is to consider this privilege narrowly tailored but absolute.”
The court sided with other jurisdictions that have ruled similarly:
Consequently, we join other courts, State and Federal, that, when faced with attempts by third parties… More
New Hampshire Federal Court Interprets the Computer Fraud and Abuse Act More Narrowly Than Massachusetts Federal Court and Dismisses Claims Based on Violations of Computer Use Restrictions
As posted earlier today by Brian P. Bialas on the Massachusetts Non-Compete blog, a recent case from the U.S. District Court for the District of New Hampshire highlights the split between the District of New Hampshire and the District of Massachusetts over the proper interpretation of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, in particular the phrase “exceeds authorized access.”
Under various provisions of the CFAA, an individual can be liable if certain conditions are met for exceeding his or her authorized access to information in a computer. The District… More
STATEMENT OF ADMINISTRATION POLICY
S. 3414 – Cybersecurity Act of 2012
(Sen. Lieberman, I-CT, and 4 cosponsors)
The Administration strongly supports Senate passage of S. 3414, the Cybersecurity Act of 2012. While lacking some of the key provisions of earlier bills, the revised legislation will provide important tools to strengthen the Nation’s response to cybersecurity risks. The legislation also reflects many of the priorities included in the Administration’s legislative proposal.
The Administration particularly… More
Join Me on Tomorrow’s Free Webinar, “CT, HI, and VT – Oh my! What Do The Latest Privacy Regulation Updates Mean To You?”
In the past few months, data privacy and security laws in Connecticut, Hawaii and Vermont have been updated, without much fanfare. Although these are not revolutionary changes, they are material and they raise the compliance bar.
This webinar will review the details of these legislative updates and spell out what they may mean for your organization. The program will include before and after comparisons of language, in order to highlight what firms will need to do differently under the new rules.
My co-presenter will be Gant Redmon, Esq., General Counsel, Co3 Systems CIPP/US
Title: CT, HI, and VT-… More
As you may recall, the Health Information Technology for Clinical and Economic Health (HITECH) Act gives state Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules. Some states, like Massachusetts, have already started to use this authority to bring and settle cases.
To advance state enforcement, HHS OCR has developed HIPAA Enforcement Training modules, designed to help State Attorneys General and their staff understand and use their new authority to enforce the HIPAA Privacy and Security Rules.
The very same training materials being used by your state AG… More
You may have missed it, because it came without fanfare and does not seem to have made the data security trade press, but in early May, the State of Vermont updated its data security law. In particular, these revisions to 9 V.S.A. chapter 62 do the following:
change the information protected to “personally identifiable information” (it was formerly “personal information”); exclude from the definition of “security breach” mere “unauthorized access” and “good faith but unauthorized acquisition” of PII; require notice of breaches now be made “45 days after the discovery or notification”; and require entities suffering a breach to “provide notice… More
A Few Thoughts from Deputy Undersecretary for Cybersecurity, Mark Weatherford, Department of Homeland Security
On May 16, Deputy Undersecretary for Cybersecurity, Mark Weatherford, spoke to the Advanced Cyber Security Center about DHS’s cyber security priorities: Information Sharing, R&D, and the Advanced Persistent Threat.
On Information Sharing: This is a continuing challenge, in part because of the way the federal government shares information. At present, the federal government provides cyber threat information to private sector organizations, but prohibits discussion between those very organizations. His Office at DHS is working to address this unintended siloing of information, so as to allow for greater cooperation and collaboration.
On Research and Development: He views cyber security… More
The Federal Trade Commission has joined the Department of Justice and the Consumer Financial Protection Bureau in filing a memorandum in support of the constitutionality of the Fair Credit Reporting Act.
This issue arose in Shamara King v. General Information Services, Inc., a "consumer class action based upon Defendant’s willful violation of the Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681x. (“FCRA”)." In her complaint, Ms. King brought suit "on behalf of thousands of employment applicants throughout the country who have been the subject of prejudicial, misleading and illegal background reports performed by the Defendant… More
The Massachusetts Office of Consumer Affairs and Business Regulation has issued its first annual report on data breaches. Since Massachusetts has one of the more strict state laws on data security and breach reporting, this report bears close attention for trends across the nation. Some of the highlights in this summary, which covers 2007-2011:
Through September 30, 2011, the largest share of breaches was not in the financial sector, but in the retail and healthcare industries, along with government. Since the Data Security law, c. 93H, went into effect, the Office of Consumer Affairs and Business… More
The Stanford Law Review has an interesting series of articles on privacy in its most recent edition:
A Reasonableness Approach to Searches After the Jones GPS Tracking Case by Peter Swire In the oral argument this fall in United States v. Jones, several Supreme Court Justices struggled with the government’s view that it can place Global Positioning System (GPS) tracking devices on cars without a warrant or other Fourth Amendment limit.
Privacy in the Age of Big Data by Omer Tene & Jules Polonetsky We live in an age of “big data.” Data has… More
A bill to adopt the Uniform Trade Secrets Act (“UTSA”) has been pending in the Massachusetts Legislature since late January. Forms of the UTSA have been adopted in 46 states, as well as the District of Columbia, Puerto Rico, and the U.S. Virgin Islands. Only New York, Texas, North Carolina, and Massachusetts have not adopted the UTSA.
The bill would supersede the definitions, procedures, and remedies applied in Massachusetts chapter 93A actions (regulating unfair and deceptive trade practices) for trade secret misappropriation. The UTSA expands the definition of “trade secret” to include information that has not been “continuously used… More
FTC Releases Final Report: “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers”
FTC has today, at last, released the final version of its original 2010 Report — “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers.” As we have discussed previously, comments on the draft report were taken through January 31, 2011 and the final report had been expected in 2011.
The FTC received over 450 comments from businesses, privacy advocates, and consumers and claims that the final Report retains the basic principles outlined previously, but claiming it makes several important refinements. There’s also a brief new video explaining the FTC’s positions. … More
Employers increasingly are suing former employees who have left to join or form competing companies using the civil remedies available under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. They use the CFAA to prevent their former employees from using sensitive information obtained from the former employer’s computer system. The scope of the CFAA, however, is subject to hot debate among the federal courts, as highlighted by a recent case from the District of Minnesota.
Here is a video discussion I had with LexBlog on the new White House Data Privacy report, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.” In this conversation, we discussed the report’s four primary elements:
a Consumer Privacy Bill of Rights, a multistakeholder process to specify how the principles in the Consumer Privacy Bill of Rights apply in particular business contexts, effective enforcement, and a commitment to increase interoperability with the privacy frameworks of our international partners.
Specifically, in the Consumer Privacy Bill of Rights,… More
Court Sides with Facebook, Finds Social Networking “Experience” Website Violated CAN-SPAM and Other Data Security Statutes
In a case brought by Facebook, a U.S. district court recently concluded that a website that offered to integrate multiple social networking accounts into a single social networking “experience” violated the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM Act”), the Computer Fraud and Abuse Act (“CFAA”), and California Penal Code § 502. Facebook, Inc. v. Power Ventures, Inc., 2012 WL 542586 (N.D. Cal. Feb. 16, 2012).
Power Ventures, which operated the “experience” website, began a “Launch Promotion” in December 2008 that promised users the chance to win $100 if… More
The White House has finally released its long-anticipated report on consumer privacy.The 60-page White House report, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy,” is the start of what promises to be a fascinating legislative and regulatory process.
It is curious that the Department of Commerce has been charged with "work[ing] with other Federal agencies to convene stakeholders, including our international partners, to develop enforceable codes of conduct that build on the Consumer Privacy Bill of Rights" since it has been the FTC that has… More
Recent press reports of massive Chinese-sponsored hacking at the one-time telecom giant Nortel might cause you to throw up your hands and say, what chance do I have against such forces? A closer look suggests that there is much that can be done, and should be done, both in IT security and in the sale and acquisition of assets.
Apparently Nortel found and investigated the breach in question, but did not try to determine if its products were compromised. Nortel’s internal structure also provided little barrier to hackers; according to a Wall Street Journal interview of a former employee, "Once you were… More
If you haven’t Googled yourself in a while, this might be a good time. My own self-search reveals, among other things, a page at mylife.com. I didn’t put it there, and I’d rather it not be there. However, right now, there isn’t a right to have your personal or professional information be deleted from social media, review sites, and other types of websites that gather your personal information. However, legislation may be coming that will address this concern.
According to the Wall Street Journal,
Lawmakers and regulators are trying to do more to address consumer concerns. There is no U.S…. More
Interesting article in the Wall Street Journal about Google’s iPhone tracking.
Google Inc. and other advertising companies have been bypassing the privacy settings of millions of people using Apple Inc.’s Web browser on their iPhones and computers—tracking the Web-browsing habits of people who intended for that kind of monitoring to be blocked.
The companies used special computer code that tricks Apple’s Safari Web-browsing software into letting them monitor many users. Safari, the most widely used browser on mobile devices, is designed to block such tracking by default.
A telling statement:
Our colleagues have reminded us that on March 1, 2012, the contract grandfathering provisions of the Massachusetts Data Security Law and Regulations will expire:
As we previously noted in our Foley Adviser dated February 3, 2010, “New Massachusetts Data Security Law and Regulations-Comprehensive Information Security Plan required before March 1, 2010”, under the regulations, an investment adviser must require third-party service providers by contract to implement and maintain appropriate security measures for personal information. There currently is a grandfather provision that deems any contract with a service provider entered… More
A decision in Tyler v. Michaels Stores earlier this month from the United States District Court for the District of Massachusetts, the use of a consumer’s Zip Code to find her address and send her mailings was held to be a statutory violation, but did not give rise to a claim for damages.
Melissa Tyler brought suit against Michaels Stores for violation of Massachusetts General Laws, chapter 93, section 105(a) on behalf of herself and a putative class, claiming that Michaels illegally requested customers’ ZIP codes when processing their credit card transactions in violation of… More
As we noted back in October, the SEC issued CF Disclosure Guidance: Topic No. 2: Cybersecurity. This guidance provides the Division of Corporation Finance’s views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.
The most recent issue of Inside Counsel follows up on the latest views on this Guidance, including a quote from me.
Interesting article in Friday’s Wall Street Journal on potential cybersecurity legislation to improve information sharing between industry and government. Perhaps the best part of the article is the citation of statistics from Symantec’s annual Internet Security Threat Report: Trends for 2009 and 2010 on how many customer has updates Symantec sent out to address new attacks customers were facing:
2002: 20,254 updates 2003: 19,159 updates 2004: 74,981 updates 2005: 113,081 updates 2006: 167,069 updates 2007: 708,742 updates 2008: 1,691,323 updates 2009: 2,895,802 updates 2010: 10,000,000 updates
In a settlement announced today by the Federal Trade Commission and Facebook, the social networking service agreed to settle “charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public,” according to the FTC’s press release.
In its complaint, the FTC alleged, among other things, that Facebook “users could not restrict access to their profile information to specific groups, such as “Only Friends” or “Friends of Friends” through their Profile Privacy Settings,” despite Facebook’s representations that users could impose such restrictions on… More
My colleague Dayle Cristinzio, former Legislative Director for Senator Harry Reid, has provided me with the amendments to Senate Bill1867, the Department of Defense Authorization Act. Among these amendments is one from Sen. McCain, amendment #1229, which could provide greater cybersecurity collaboration between the Department of Defense and the Department of Homeland Security.
According to a November 16, 2011 letter from Senate Majority Leader Harry Reid to his Republican counterpart, Minority Leader Mitch McConnell, it is his "intent to bring comprehensive cyber security legislation to the Senate floor for consideration during the first Senate work period next year."
This is by no means a guarantee of legislative action, but it is the latest sign that cybersecurity will be a priority in Congress come 2012.
With an inflammatory title like “Foreign Spies Stealing US Economic Secrets in Cyberspace,” the Office of the National Counterintelligence Executive’s “Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011″ is tough to ignore.
The Report’s conclusions are equally notable for their candor about the recent actions of the Chinese and Russian governments:
“Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC cannot confirm who was responsible.” “Russia’s intelligence services are conducting… More
I was interviewed and quoted as part of a Compliance Week article on the new SEC guidance on disclosures of cyber security incidents:
Colin Zick, a partner at law firm Foley Hoag, says the guidance is too general and that companies will have to think hard when assessing what information to disclose. “There are a lot of cyber-incidents, and there are lots of ways how these will affect your business,” he says. When companies are contemplating the definition of cyber-incidents, they should think expansively, he adds. “Think of data breach, data loss, and denial of… More
On October 13, the SEC issued CF Disclosure Guidance: Topic No. 2: Cybersecurity. This guidance provides the Division of Corporation Finance’s views regarding disclosure obligations relating to cybersecurity risks and cyber incidents. It follows Chairman Schapiro’s June 2011 letter to Senator Rockefeller on the subject.
The latest legislator to enter into the federal data security and privacy sweepstakes is Senator Richard Blumenthal (D-CT) who introduced legislation, S. 1535, on September 8. This bill, if passed, would require companies dealing with consumers to strengthen their data security and privacy policies. In particular, Senator Blumenthal’s bill, “The Personal Data Protection and Breach Accountability Act,” would required businesses that collect the personal information of over 10,000 customers to employ specific privacy and security measures, including risk assessment, regular testing of system controls, and paying for two years of credit monitoring for any customer whose data is breached. If adopted, this bill would permit the… More
When we last looked at OCR’s reporting on HIPAA breaches impacting 500 or more individuals, back in May 2011, there had been 265. This was up from September 2010, when there had been 191 such breaches. As of today, there as 292 listed. Given that the last reported date of breach on the OCR’s list is May 8, there are surely over 300 breaches that have now been reported.
In another sign that OCR is continuing to seek significant penalties for HIPAA violations, it announced on July 7 that the UCLA Health System ("UCLAHS") has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with those rules. This follows on the heels of Massachusetts General Hospital’s $1 million settlement with OCR.
The resolution agreement resolves two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLAHS. The complaints… More
On Thursday, June 23, the United States Supreme Court voted 6-3 to strike down a Vermont statute that sought to impose significant restrictions on pharmaceutical detailing and “data mining” activities. Justice Kennedy’s opinion in the closely-watched case of Sorrell v. IMS Health Inc. held that the Vermont statute was an unconstitutional regulation of commercial speech. In so doing, the Court found that the sale, disclosure,… More
The Supreme Court this morning voted 6-3 to strike down a Vermont statute that sought to impose significant restrictions on pharmaceutical data mining activities. Justice Kennedy’s opinion in the closely-watched case of IMS v. Sorrell held that the Vermont statute was an unconstitutional regulation of commercial speech.
The first paragraph of Justice Kennedy’s opinion provides a brief summary of the posture of the case and of the Court’s decision:
We are six months into 2011, and it seems destined to be “The Year of the Breach.” In just the past few months, major American (and multi-national) corporations and institutions have reported that they have been the victims of some kind of security breach:
Epsilon: breach of customer email addresses; RSA: compromise of security tokens (possibly impacting Lockheed Martin); Citigroup: breach of credit card numbers: Sony: multiple thefts of customer data; Sega: customer data theft; and ADP: breach of its benefits-administration business.
What does this mean? First, there are simply more breaches to report. Second, companies are being more open about… More
Does Briar Group’s Massachusetts Settlement Create a New Legal Standard That Businesses Must Meet to Protect Personal Information?
A recent settlement in a data breach case exemplifies how the government can go beyond a statutory scheme and use private industry standards to protect personal information and impose sanctions on violators.
The Massachusetts AG filed suit against the Briar Group, the owner of a number of bars in the Boston area (including two of my personal favorites, the Harp and Ned Devine’s) in the wake of a 2009 data breach involving credit card numbers and other personal data. The AG’s complaint alleged, among other things, that the Briar… More
When we last looked at OCR’s reporting on HIPAA breaches impacting 500 or more individuals, back in September 2010, there had been 191 such breaches. In the intervening 7 months, that number has jumped to 265 such breaches listed on OCR’s website. It’s safe to expect these figures will continue to climb for the foreseeable future.
Could a Major Security Breach Be on the Horizon? The Smartphone Dilemma What Elements Are Currently Covered in Your Organization’s Security Awareness Program? Security Budgets Fare Well Implementing Risk Management Disciplines Do You Really Know Who Your Friends Are? Denial of Service Attacks: Who’s Next?
In the interest of full disclosure, I am quoted extensively on the prospects for new legislation in the privacy/security space.
On April 15, the White House formally released its National Strategy for Trusted Identities in Cyberspace. As we noted earlier, the “trusted identity” concept is intended to allow the public and private sectors to collaborate in order to raise the level of trust associated with the exposure of the identities of individuals, organizations, networks, services and devices in online transactions:
The goal of NSTIC is to create an “Identity Ecosystem” in which there will be interoperable, secure, and reliable credentials available to consumers who want them. Consumers who want to participate will be able to obtain a single credential–such… More
Earlier today, I delivered a presentation on "Data Security and Privacy for Medical Device, Pharmaceutical and Life Sciences Companies: How to manage your obligations under HIPAA, the HITECH Act and other federal and state data privacy and security laws" with colleagues Ara Gershengorn and Sarah Altschuller.
In March 16, 2011 testimony before the Senate Committee on Commerce, Science, and Transportation, the Obama Administration formally asked Congress to pass a "consumer privacy bill of rights" enforced by the FTC:
Legislation to provide a stronger statutory framework to protect consumers’ online privacy interests should contain three key elements. First, the Administration recommends that legislation set forth baseline consumer data privacy protections—that is, a “consumer privacy bill of rights.” Second, legislation should provide the FTC with the authority to enforce any baseline protections. Third, legislation should create a framework that provides incentives for the development of codes… More
Targeted online advertising has been the focus of much discussion since the release of the FTC’s “Do Not Track” proposals late last year. User tracking for advertising purposes is also the focus of the FTC’s latest privacy enforcement action, which has resulted in a consent agreement with an online advertising company, Massachusetts-based Chitika, Inc., which creates ads for such major publishers as the Hearst Corporation and Salary.com.
As we noted earlier this month, Massachusetts General Hospital recently entered into a $1 million Resolution Agreement and Corrective Action Plan with the Department of Health and Human Services’ Office of Civil Rights. This settlement stemmed from an incident on March 9, 2009, when a MGH employee was commuting on the subway, "removed documents containing PHI from her bag and placed them on the seat beside her. The documents were not in an envelope and were bound with a rubber band. Upon exiting the train, the MGH employee left the documents on the subway train and they were never recovered. These documents contained the… More
While the effect of the federal legislation modifying the FTC Red Flags Rule has been known for a while, the court proceedings that challenged the rule have now caught up. The American Bar Association’s suit has been dismissed, and the American Medical Association announced it is voluntarily dismissing its case: "The lawsuit filed by the Litigation Center of the AMA and the State Medical Societies, the American Osteopathic Association and the Medical Society of the District of Columbia, and joined by 26 national medical specialty societies, will now formally end."
In a March 1, 2011 decision that has received much publicity (despite stating a fairly obvious conclusion), the Supreme Court ruled that the term "personal privacy" does not apply to corporations, at least in the context of the Freedom of Information Act ("FOIA").
The decision, FCC v. AT&T Inc., reflects the Supreme Court application of a particular exemption to FOIA. Exemption 7(C) covers law enforcement records the disclosure of which “could reasonably be expected to constitute an unwarranted invasion of personal privacy.” 5 U. S. C. § 552(b)(7)(C). AT&T, having produced documents to the federal government, wanted that exemption asserted on its behalf, to block the… More
500 Is a Magic Number: Health Information Breaches Impacting 499 or Fewer Patients Likely Go Uninvestigated By OCR
In the recently-released fiscal 2012 budget for HHS, a dirty little secret has been acknowledged: the Office of Civil Rights does not have the resources to review all reported breaches of health information. In fact, if you have a breach that impacts up to 499 people, you are unlikely to hear from OCR at all:
Current OCR practice is to validate, post to the HHS website, and subsequently investigate all breach reports that impacted more than 500 individuals. Breach reports that impacted fewer than 500 individuals are compiled for future reporting to Congress; however they are treated as discretionary and… More
If Tuesday night’s failure to give fast-track approval to an extension of certain surveillance powers under the Patriot Act is any indication, Congress is in the mood to protect individual privacy. As such, a series of anticipated online privacy protection bills are likely to garner bipartisan support in the weeks and months ahead.
Proposals will come from both sides of the aisle. According to Hillicon Valley, Rep. Jackie Speier (D-Calif.) will shortly introduce an online privacy bill directing FTC to implement a “do not track” regime applicable to online advertisers (this although public comments to the FTC report supporting such… More
Security and Privacy Issues of 2011: How to Stay a Step Ahead of the Coming Wave of Legislation and Self-Regulation
I was on a panel today with Stuart N. Brotman, former Special Assistant to Communications and the President’s principal communications policy adviser and Chief of Staff at the National Telecommunications and Information Administration. My slides are here.
The National Institute of Standards and Technology (NIST), a federal agency within the Department of Commerce, has launched a web site detailing the President Obama’s proposed National Strategy for Trusted Identities in Cyberspace (NSTIC). NSTIC, initially released for public comment in June 2010, was developed in response to the Obama Administration’s 2009 Cyberspace Policy Review, which called for the creation of a “cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.”
Coining a new phrase for a more secure virtual world, known as the Identity Ecosystem, NSTIC seeks to improve upon the passwords currently used to… More
In NASA v. Nelson, decided today by the U.S. Supreme Court, the high court rejected a challenge to “a section of a form questionnaire that asks employees about treatment or counseling for recent illegal-drug use . . . [and] to certain open-ended questions on a form sent to employees’ designated references.”
This particular challenge came from 28 employees of the Jet Propulsion Laboratory (“JPL”). JPL is staffed exclusively by contract employees. NASA owns JPL, but Cal Tech operates the facility under a government contract.
The Supreme Court acknowledge that “[i]n two cases decided more than 30 years ago, this Court referred broadly… More
The Council for Responsible Genetics has published a guide to the world’s DNA databases. According to the guide, 56 countries (and in the U.S., all 50 states) maintain DNA databases.
CRG describes itself as a "catalyst and thought leader in the movement to steer biotechnology toward the advancement of public health, environmental protection, equal justice and respect for human rights." Although CRG has its own unique perspective on whether DNA databases should exist and how they should be used, its guide may nevertheless prove to be a useful resource.
In the late 1990s, I worked on two amicus briefs with… More
On December 18, 2010, President Obama signed into law the Red Flag Clarification Act of 2010. The Act will change a single definition in prior law and reduce the scope of the FTC Red Flags Rule, ending a two-year long saga over the scope of its enforcement.
As we have noted in past entries about Red Flags Rule compliance, the FTC has extended the deadline for enforcement of the FTC’s Red Flags Rule several times, most recently through December 31, 2010. The stated reason for these delays was “to give Congress time to reach a consensus on the types of… More
FTC Proposes Privacy Framework That Will Impact the Business Model of All Online and Mobile Advertising Companies
Our colleagues in Foley Hoag’s Emerging Enterprise Center have summarized the FTC preliminary staff report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,” which we posted on December 1. We are cross-posting the analysis from their blog below.
It seems likely that the next two years will bring significant changes to this area, either through legislation or regulation. During this period, businesses and consumers will continue to seek an equilibrium that balances business needs and consumer expectations. If they cannot find… More
NIST Releases Guidance On Protecting Our Digital Energy Infrastructure (Or, Is Big Brother in Our Power Lines?)
The following item was posted recently on Foley Hoag’s Law and Environment blog, and we thought it would be of interest to our readers.
Posted on September 17, 2010 by Rebecca L. Puskas
Discussion of the Smart Grid usually focuses on efficiencies that may be achieved by a system that responds to real time information about energy production, distribution and consumption. But the development of this advanced digital infrastructure, with two-way capabilities for communicating information, controlling equipment, and distributing energy, also presents some legitimate information security and privacy concerns. For example, a disgruntled employee or a terrorist with… More
The Substance Abuse and Mental Health Services Administration (“SAMHSA”), in close cooperation with the Department of Health and Human Services Office for Civil Rights (“OCR”), is conducting a study of the “Confidentiality and Privacy Issues Related to Psychological Testing Data.” This study was specifically called for in section 13424 of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.
HIPAA’s Privacy Rule includes special protections relating to the use and disclosure of psychotherapy notes; this SAMHSA study will address whether these special protections also be applied to test data that is related to direct responses, scores, items,forms, protocols, manuals or… More
Does the “compelling need” for patient records by a state body that oversees and regulates physicians trump the statute that protects the confidentiality of psychotherapy records? Not in Massachusetts, according to a September 2, 2010 decision of the Supreme Judicial Court, Board of Registration in Medicine v. John Doe, No. SJC-10556.
At issue in this case were the treatment practices of a board-certified psychiatrist who specialized in “pain management.” Due to a concern that inappropriate prescriptions for pain medication were being written and that Doe himself was impaired, the state’s Board of Registration in Medicine subpoenaed the treatment records of 24… More
Today, the Federal Trade Commission issued a press release and an Enforcement Policy extending the deadline for enforcement of the FTC’s Red Flags Rule through December 31, 2010. The agency cited requests from members of Congress for a postponement of the deadline while legislators tinker with federal law to exclude certain businesses from application of the Rule.
Earlier this month, Congressmen Rick Boucher and Cliff Stearns released a discussion draft of comprehensive federal privacy legislation (.pdf).
Among the many provisions of the draft bill is the requirement that any entity that collects information on individuals such as name, address, email address and telephone number, maintain “appropriate administrative, technical, and physical safeguards” to secure the personal information. The draft bill would also require the FTC to implement new privacy rules and police the new safeguards.
The bill is also available from Rep. Boucher’s website.
Many digital copiers are now able to store the scanned documents on flash memory or hard drives. This could pose a privacy/security risk, if the drives are improperly accessed, or if they are lost or resold without being scrubbed first.
Even the simple act of making a photocopy now poses privacy risks. In response to a letter from Massachusetts Congressman Edward Markey, the FTC has responded and agreed to investigate the privacy risks posed by digital copiers that store information on internal hard drives.
If you have photocopiers, you should investigate what type of storage devices they have. And if… More
The Department of Health and Human Services announced it will release proposed HIPAA/HITECH Act regulations later this month, according to the HHS’s recently-published regulatory agenda, available at 75 Fed. Reg. 217821. The announcement itself was pretty cryptic:
120. MODIFICATIONS TO THE HIPAA PRIVACY, SECURITY, AND ENFORCEMENT RULES UNDER THE HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT
Legal Authority: PL 111-5, secs 13400 to 13410
Abstract: The Department of Health and Human Services Office for Civil Rights will issue rules to modify the HIPAA Privacy, Security, and Enforcement Rules as necessary to implement the privacy, security, and certain enforcement provisions… More
Regulators Provide Online Privacy Notice Builder to Help Financial Institutions Comply with Gramm Leach Bliley Act
Last week a number of federal regulatory agencies rolled out an online privacy notice builder for financial institutions subject to one or more of the Gramm Leach Bliley Act (GLBA) regulations. The agencies involved include the Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), Office of Comptroller of Currency (OCC), Federal Deposit Insurance Corporation (FDIC ), Board of Governors of the Federal Reserve System (FRB), Office of Thrift Supervision (OTS), the National Credit Union Administration (NCUA) and… More
In a notice apparently posted March 17, 2010, the Office of Civic Rights of the Department of Health and Human Services (“OCR”) acknowledged its delay in issuing regulations for HIPAA business associate agreements. Those regulations are now a month overdue and from OCR’s language, they do not appear imminent:
OCR will implement important privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act through notice and comment rulemaking, as required by the Administrative Procedure Act. These provisions include: business associate liability; new limitations on the sale of protected health information, marketing, and… More
In the past several days, three important information privacy and security deadlines have arrived. To recap, they are:
February 17, 2010: the provisions of the HITECH Act regarding HIPAA business associates went into effect (albeit without regulations, which are expected to be issued any day now). Many HIPAA covered entities have been revising their Business Associate Agreements in an effort to comply with what they think the regulations will say. Others are waiting until they see the regulations to amend those agreements. February 22, 2010: FTC rules regarding health information breaches went into effect. The FTC has provided a… More
The FTC Red Flags Rule faces another likely challenge, based on a January 27, 2010 letter sent to the FTC by the American Medical Association, the American Osteopathic Association, the American Dental Association, and the American Veterinary Medical Association. In that letter, the four health care organizations requested that the Red Flags Rule not be applied to health care professionals (based on the reasoning of the recent court decision that it does not apply to lawyers). I assume that if the FTC rejects this request, suit will be filed by these groups, just as the AICPA has filed suit on behalf of accountants to except them from… More
Last week the American Institute of Certified Public Accountants (AICPA) filed papers seeking summary judgment in the lawsuit filed against the Federal Trade Commission (FTC) to exempt accountants from the FTC’s Red Flags Rules. We first posted on this case in November, when the AICPA filed a complaint asking the federal court in Washington, D.C. to declare that accountants are not subject to the Red Flags Rules. This followed hot on the heels of the October ruling (.pdf) that lawyers were not required to comply with the Red Flags Rules in a lawsuit filed by the… More
Is the FTC moving to a "Post-Disclosure Era," in which consumer online privacy would be regulated in a radically different manner than the status quo? That was a suggestion made by the chairman of the FTC, Jon Leibowitz, and David Vladeck, chief of the FTC’s Bureau of Consumer Protection, during a recent on-the-record discussion about online privacy, reported in the New York Times.
For some time, I have been asking the question, "Is Consent Dead, and Should We Even Care?" Now it appears the FTC is asking the very same question. According to FTC Chair Leibowitz, companies “haven’t given [online] consumers effective notice, so… More
American Institute of Certified Public Accountants Sues FTC to Stop Application of Red Flags Rules to Accountants
Following the lead of the American Bar Association (ABA), on November 10, 2009, the American Institute of Certified Public Accountants (AICPA) has filed suit in the U.S. District Court for the District of Columbia, asking the Court to rule that the Federal Trade Commission’s (FTC) Red Flags Rule may not be applied to accountants.
It appears that certain groups, such as the American Bar Association (ABA), may be partially successful in their efforts to convince Congress to narrow the scope of the FTC Red Flags Rules, which are currently scheduled to go into effect on November 1. According to the BNA Privacy & Security Law Report, the House Financial Services Committee has sent H.R. 3763, titled a bill “To amend the Fair Credit Reporting Act to provide for an exclusion from Red Flag Guidelines for certain businesses,” directly to the House floor without a markup. The bill proceeded to the House floor after the Republican… More
Massachusetts Holds Public Hearing on Information Security Regulations — Regulators Contemplating Additional Revisions in Final Rulemaking
This morning, the Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) held a public hearing in connection with its promulgation of revisions to the Commonwealth’s information privacy regulations, 201 CMR 17.00. The standing-room-only crowd endured a modest, unventilated conference room in the Transportation Building to make comments on the stringent regulations. OCABR Undersecretary Barbara Anthony led the meeting with OCABR Deputy General Counsel Jason Egan and Assistant Attorney General Diane Lawton. The principal author of the original regulations, OCABR General Counsel David A. Murray, could also be seen in the audience. The highlights of the hearing include:
Undersecretary Anthony suggested that… More
Incident of the Week: NCUA Issues Fraud Alert Based On Fake NCUA Fraud Alert (Which Turns Out To Be Part of Security Consultant’s Penetration Testing)
The National Credit Union Administration (NCUA) issued an official NCUA Fraud Alert on August 25, 2009 reporting that someone was sending around a fake NCUA Fraud Alert (.pdf) with CDs purporting to contain security software updates, but instead contained malware. The NCUA warned “Should you receive this package or a similar package DO NOT run the CDs.” The NCUA, which regulates federally insured credit unions, was tipped off to the fake Fraud Alert by a single credit union.
As it turns out, the credit union was undergoing security penetration testing and the… More
Still Wondering What Changes Massachusetts Made to the State’s Information Security Regulations? Here’s a Redline of the Revisions to 201 CMR 17.00.
As we reported on August 17th, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has promulgated a revised set of information security regulations (201 CMR 17.00 et seq.) and will hold a meeting for public comment on September 22, 2009. For those who are still wondering what revisions were made, here is a redline comparison of the amendments (.pdf).
Amidst calls from the legal community, the Federal Trade Commission’s (FTC) announced this morning that it was delaying enforcement of the FTC’s Red Flag Rules until November 1, 2009. The FTC’s announcement of the delay emerged almost as a footnote to a public statement devoted largely to the FTC’s "redoubled" efforts to "provid[e] additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply." The FTC appears to be stepping up its outreach efforts with an "Expanded Business Education Campaign" that is intended to address those businesses that "remain uncertain… More
On June 18, 2009, the House Subcommittee on Commerce, Trade and Consumer Protection held a joint hearing with the Subcommittee on Communications, Technology, and the Internet on the topic of “Behavioral Advertising: Industry Practices and Consumer Expectations.” The subcommittee members explained that they hoped the hearing would help determine the need and possible parameters for new legislation governing privacy and behavioral advertising.
A federal suit has been filed that challenges the legality of the federal HITECH Act. In the course of 30 often rambling pages, this complaint alleges that "HIPAA codified the Hippocratic Oath" and that HITECH improperly undermines both. This complaint appears to be the work of a gadfly or two. The plaintiff’s lawyer is her husband; interestingly, he was described by a federal judge as filing claims that were "without merit [and which] would have been perceived as such by any objectively reasonable attorney." And this same attorney has been disbarred in Connecticut.
Even if there are questions about the specific allegations in this complaint and questions… More
Earlier this week, on Monday, June 22, 2009, the American Bar Association (ABA) President H. Thomas Wells, Jr. issued a public statement urging Congress and the FTC to exempt lawyers from the requirements of the federal Red Flags Rules, stating:
The Rule, adopted under the Fair and Accurate Credit Transactions Act, or FACT Act, is noble in its intent. However, the Commission’s application of the Rule to lawyers is unnecessary and not supported by law. Lawyers are not engaged in the type of commercial activity that Congress was attempting to regulate with the FACT Act and should not be… More
On March 15, 2006, the European Parliament issued Directive 2006/24/EC (.pdf), outlining a new program that woud require internet service providers (ISPs) and telecommunications carriers to begin retaining comprehensive records of customer communications. Specifically, the Directive required member states to ensure that a range of communications data be retained by service providers, including:
The names, addresses, telephone numbers, Internet Protocol (IP) addresses and user IDs involved in Internet access, email and Internet telephony services; The date and time of the start and end of communications; The telephone numbers involved during a telephone call and the registered owners’ names and addresses;… More
With the deadline for complying with the Massachusetts identity theft law just six months away, at least one state senator is still seeking changes to that law. In Senate Bill S173, which until now has received little public notice, State Senator Michael Morrissey proposes to make it easier for small businesses to comply, by requiring the state’s regulations to take account of a business’s resources as it requires compliance: "[S]aid department shall create separate regulations for small businesses covered by this chapter that reflect said small businesses unique situation and resources." This type of language is reminiscent of the HIPAA security rules… More
In its report, ISPAB indicates that rising threats to privacy and advancements in computer technology and usage are unaddressed… More
A contact at the American Bar Association (ABA) confirmed by telephone today that the ABA Board of Governors is meeting this Saturday, June 13, 2009 to determine what position the ABA will take on whether lawyers and law firms are (or should be) considered "creditors" subject to federal Red Flags Rules. Many among the legal community are hoping that the ABA urges the FTC and Congress to exempt lawyers from compliance with federal Red Flags Rules or takes some other action to limit the scope of the FTC’s enforcement. (For background on the Red Flag Rules, see our prior postings here, here and here).
The FTC has previously… More
In recent weeks, FTC Chairman Jon Leibowitz has encouraged the behavioral advertising industry to adopt increasingly specific "self" regulatory measures to address privacy concerns. Behavioral advertising, which the FTC has described as the practice of “tracking of a consumer’s activities online . . . in order to deliver advertising targeted to the individual consumer’s interests” is a concern for consumer groups. Consumers’ concerns range from the transparency of the process to the adequacy of security measures in place to protect information compiled, to the impact of behavioral advertising on vulnerable consumers. In recent statements, Leibowitz has suggested that he remains unsatisfied with industry efforts to address these concerns.
In February, Senator John Cornyn (R-Tx.) and Congressman Lamar Smith (R-Tx.) introduced the Internet Stopping Adults Facilitating the Exploitation of Today’s Youth ("SAFETY") Act of 2009 (S. 436, H.R. 1076), which contains a proivision that would require Internet Service Providers (ISPs) to keep subscriber data for "at least" two years. Specifically, Section 5 of the bill requires that ISPs retain "all records or other information pertaining to the identity of a user of a temporarily assigned network address." According to a recent announcement from Senator Cornyn, the new retention provision is needed to enable law enforcement officers to identify individuals… More
In an April 2009 press release (.pdf), the Public Access to Court Electronic Records system (“PACER") announced that 99% of all federal courts nationwide have implemented electronic systems allowing litigants to file and review documents online. The near-complete implementation of these online systems marks an important technological and environmental milestone for the legal profession; however, it comes with considerable risks to individuals’ privacy and security: potentially limitless filings that inadvertently contain individuals’ sensitive information, including financial account numbers and Social Security numbers, may be available to anyone with an Internet connection for the small price of $0.08 cents per… More
As I noted a few weeks ago, Senators Jay Rockefeller (D-W.Va.), Olympia Snowe (R-Maine) and Bill Nelson (D-Fla.) were drafting new cybersecurity legislation. Last week the Senators introduced two bills. The first, S.778 (text of the bill not yet available), would establish an Office of National Security Advisor within the Executive Office of the President. The second, S.773 (text of the bill not yet available), entitled the Cybersecurity Act of 2009, gives the President the power to limit or shut down Internet traffic to and from any federal government or United States infrastructure network. The other provisions of the legislation are summarized in… More
On March 5, 2005, the Article 29 Working Party, an independent European advisory body on data protection and privacy, adopted Opinion 3/2009 (.pdf). The opinion comments on European Commission proposals designed to ensure that all data processors, including contractors hired by other data processors, are contractually required to protect sensitive data.
FTC Launches New Website and “How-To” Guide for Companies Wondering How to Comply with Red Flags Rules
As the May 1, 2009 deadline for compliance with federal Red Flags Rules nears, the FTC’s staff has informally mentioned that helpful guidance would be forthcoming. As of today, the FTC has launched a new website and a series of materials to assist businesses pushing to meet the May 1st deadline.
FTC Asks Congress For Enhanced Rulemaking and Enforcement Powers To Curb Abuses in Financial Industry
On Tuesday, March 24, 2009, FTC Chairman Jon Liebowitz testified before the U.S. House Subcommittee on Commerce, Trade and Consumer Protection seeking enhanced legal powers “[t]o allow the FTC to perform a greater and more effective role in protecting consumers.”
Senators Jay Rockefeller (D-W.Va.), Chairman of the Senate Commerce, Science and Transportation Committee, Olympia Snowe (R-Maine) and Bill Nelson (D-Fla.) are drafting cybersecurity legislation that would establish a permanent national security czar reporting directly to the White House, according to a recent announcement from Senator Nelson and other reports. The proposed legislation would also
require intelligence and Homeland Security officials to perform vulnerability assessments; create a clearinghouse for information sharing between the government and private sector; and fund scholarships for those interested in cybersecurity.
The proposed legislation follows on the heels of three incidents where computers in Senator Nelson’s office… More
The FTC Strikes Back: (Essentially) Everyone Should Be Complying With Red Flags Rules, Especially The Healthcare Industry
In a recent letter (.pdf) to the healthcare industry, the Federal Trade Commission (“FTC”) has issued its clearest pronouncement yet on which entities must comply with federal “Red Flag Rules” — the identity theft regulations that will go into effect for many businesses on May 1, 2009 (and have been in effect for banks and financial institutions since November 1, 2008). This latest guidance strongly suggests that if you are wondering whether the new federal regulations apply to you — then they probably do. In this post, we will recap the FTC’s recent guidance on who should be complying with the Rules.
On Wednesday, February 11, 2009, the Data Protection Working Party, an independent European advisory body on data protection and privacy, released its Working Document 1-2009 (.pdf) on pre-trial discovery for cross border civil litigation. The Working Document attempts to reconcile the tension between U.S. discovery rules and the European Union’s Directive 95/46/EC (.pdf), which outlines the EU’s privacy requirements. What follows is a summary of the Working Document and an analysis of how it begins to bridge the gap between U.S. discovery rules and the European privacy framework.
On Thursday, March 5, 2009, Congresswoman Mary Bono Mack (R-CA), Congressman John Barrow (D-GA) and Congressman Joe Barton (R-TX) introduced the Informed P2P User Act (H.R. 1319) which requires peer-to-peer ("P2P") software makers to make certain changes to their software to prevent users from inadvertently sharing files from their computers. The proposed law would require both "clear and conspicuous notice" of what files the P2P software would being sharing and "informed consent" from the user, both before installation of the software and initial activation of file sharing functions. The Federal Trade Commission (FTC) would be empowered under the new law to enforce… More
Between March 11, 2009 and March 13, 2009, the International Association of Privacy Professionals (IAPP) hosted a Privacy Summit in Washington, D.C. that featured keynote presentations from fraud expert Frank W. Abagnale and information security guru Bruce Schneier. The three-day event included dozens of breakout sessions with industry experts and government officials. Read some of the highlights below.
On Monday the Department of Justice released a previously classified opinion entitled “Authority for Use of Military Force To Combat Terrorist Activities Within the United States” (.pdf), which concluded, among other things, that “the Fourth Amendment [of the U.S. Constitution] does not apply to domestic military operations designed to deter and prevent further terrorist attacks.” This may come as a shock to some because the Fourth Amendment expressly prohibits the government from searching or seizing individuals or their property absent a warrant and probable cause, without any special carve out for domestic military operations. The DOJ opinion, written by Deputy… More
Has the Consumer Privacy Legislative Forum Decided to Abandon Efforts to Draft Federal Privacy Legislation?
In early February, I noted that a group called the Consumer Privacy Legislative Forum (“CPLF”), which includes companies such as eBay, Microsoft, Google and Hewlett Packard, had released a statement calling for comprehensive harmonized federal privacy legislation and would be outlining recommendations for such legislation this month. Apparently, the CPLF’s focus has shifted. According to a BNA Privacy & Security Law Report, 8 PVLR 331, the CPLF “has decided to abandon efforts to develop a set of principles for omnibus U.S. privacy legislation” and is instead “now focused on crafting an industry-wide self-regulatory framework that can be tested over time… More
Cracking Down: FCC Initiates Enforcement Action Against Hundreds of Telecommunications Carriers For Failing to Certify Compliance With Customer Privacy Rules
On Tuesday, February 24, 2009, the Federal Communications Commission (FCC) issued an Omnibus Notice of Apparent Liability alleging that more than 600 telecommunications carriers have violated Section 222 of the Communications Act which "imposes the general duty on all telecommunications carriers to protect the confidentiality of their subscribers’ proprietary information" and the EPIC Customer Proprietary Network Information (CPNI) Order (22 FCC Rcd 6927), which requires each carrier to certify compliance with the regulations governing customer information. FCC Chairman Michael J. Copps issued a public statement addressing the enforcement action and highlighting that the FCC "continued to mconsumer privacy protection a top priority. The FCC seeks… More
For those who want to see the source document, we have provided this link to the text of the American Recovery and Reinvestment Act of 2009. The health security and privacy provisions start at Section 13000, around page 112.
Adding to the Patchwork: HITECH Act Sets New “Floor” for Data Breach Notification of Certain Patient Information
On Tuesday, February 17, 2009, President Obama signed into law the widely-debated federal economic stimulus package, officially titled the American Recovery and Reinvestment Act of 2009, and with it, enacted the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Much of the media attention on the HITECH Act has focused on the policies promoting health information technology a topic that President Obama touted throughout his campaign. However, the HITECH Act also contains myriad regulations that expand the security and privacy provisions of the Health Information Portability and Accountability Act of 1996 ("HIPAA"), and generally extends some of those regulations… More
Do The Red Flags Regulations Apply to Me? — Understanding Whether You Are A “Creditor” Under Federal Law
If you are confused about whether you, your company or your clients are subject to federal identity theft regulations, you are not alone. When the Federal Trade Commission (FTC) announced on October 22, 2008 that they were delaying enforcement of the new Red Flags regulations by six months, until May 1, 2009 (which we reported here and here), the FTC admitted that the primary reason for the delay was that many businesses, even whole industries, were “confused” about whether they are governed by the new regulations. (See the FTC’s October 2008 release and Enforcement Policy statement.)
For some… More
Isn’t There Already A Federal Standard Governing Information Security? — Re-Examining the Gramm-Leach Bliley Act
By Stacy Anderson and Gabriel M. Helmer.
As an ever-increasing number of states enact legislation governing identity theft, customer data and personal information, pressure for clear federal legislation governing information security has mounted. For example, in December 2008, the FTC joined the growing number of voices calling on Congress to enact a legislation to create a single federal standard for the handling of personal information. (See our report here.) As we see movement towards a unifying federal standard, we are also observing a growing insistence that such legislation be consistent with the customer data security requirements of the Gramm-Leach Bliley Financial Modernization Act… More
On January 6, 2009, Senator Dianne Feinstein (D-Cal.) introduced two bills related to data breaches and protection of social security numbers. Bill S. 139, entitled the "Data Breach Notification Act," would require any federal agency or business entity to notify an individual of a security breach involving personal information “without unreasonable delay.” The proposed bill defines “reasonable delay” as including “any time necessary to determine the scope of the security breach, prevent further disclosures, and restore the reasonable integrity of the data systems and provide notice to law enforcement when required.” In addition to requiring notice to the affected individual(s), the bill requires that… More
High-profile Massachusetts businesses and industry groups have sent Massachusetts governor Deval Patrick a letter requesting that the governor reissue existing identity theft regulations and give battered businesses two additional years to develop information security programs.
On Wednesday, January 14, 2009, the Boston Bar Association’s Privacy Law Committee hosted FTC Chief Privacy Officer Mark Groman for a brown bag lunch presentation entitled “The View from the Federal Trade Commission’s Chief Privacy Officer.” Here are a couple of highlights from the presentation:
Mr. Groman views law firms as businesses subject to FTC Red Flags regulations (“we regulate you, too”), so law firms should be developing identity theft prevention programs to comply with the regulations by the May 1, 2009 deadline. To comply with FTC’s Red Flags regulations, companies need to use a “risk-based process” to evaluate potential threats… More
Anyone mystified by what practices the FTC wants businesses to improve on or abandon in response to federal “Red Flags” regulations received some specific guidance in December, when the FTC released the report Security in Numbers – SSNs and ID Theft. For anyone subject to new federal and state identity theft regulations, the Report helps identify some specific steps they should consider implementing by May 1, 2009, the deadline for businesses to adopt compliant identity theft prevention programs.
ALERT: Massachusetts Gives Businesses Until May 1, 2009 to Adopt Comprehensive Information Security Programs To Comply With Recent State Identity Theft Regulations
On Friday, November 14, 2008, Massachusetts regulators announced that they will give affected businesses until May 1, 2009 to comply with new identity theft regulations. This move parallels the October announcement by the Federal Trade Commission that it is delaying enforcement of federal identity theft regulations until the same day.
ALERT: FTC Gives Businesses Until May 1, 2009 to Adopt Identity Theft Prevention Plans that Comply With Recent FTC “Red Flags” Regulations
On Wednesday, October 22, 2008, the Federal Trade Commission issued an Enforcement Policy Statement that it will delay some elements of enforcement of recent “Red Flags” regulations until May 1, 2009, instead of the original November 1, 2008 date. Citing uncertainty and confusion within many industries over whether they are covered by the new regulations, the FTC indicated that it will not seek to enforce the regulations on November 1, 2008, when all affected businesses were originally required to come into compliance.