<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Security, Privacy and the Law</title>
	<atom:link href="http://www.securityprivacyandthelaw.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securityprivacyandthelaw.com</link>
	<description></description>
	<lastBuildDate>Mon, 08 Apr 2013 14:16:29 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>The Split in the Circuit Courts Over the Proper Interpretation of the Computer Fraud and Abuse Act Actually Goes Three Ways</title>
		<link>http://www.securityprivacyandthelaw.com/2013/04/the-split-in-the-circuit-courts-over-the-proper-interpretation-of-the-computer-fraud-and-abuse-act-actually-goes-three-ways/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-split-in-the-circuit-courts-over-the-proper-interpretation-of-the-computer-fraud-and-abuse-act-actually-goes-three-ways</link>
		<comments>http://www.securityprivacyandthelaw.com/2013/04/the-split-in-the-circuit-courts-over-the-proper-interpretation-of-the-computer-fraud-and-abuse-act-actually-goes-three-ways/#comments</comments>
		<pubDate>Wed, 03 Apr 2013 21:45:08 +0000</pubDate>
		<dc:creator>Brian Bialas</dc:creator>
				<category><![CDATA[Government Enforcement]]></category>
		<category><![CDATA[Legislation & Regulation]]></category>
		<category><![CDATA[CFAA]]></category>
		<category><![CDATA[Computer Fraud and Abuse Act]]></category>

		<guid isPermaLink="false">http://www.securityprivacyandthelaw.com/?p=771</guid>
		<description><![CDATA[Posted on March 15th, 2013 by Brian P. Bialas on our sister blog, Massachusetts Noncompete Law.               I’ve written many times about the significant split in circuit courts’ interpretation of the Computer Fraud and Abuse Act (CFAA), which affects whether an employer can sue an employee for violating computer use restrictions, usually embodied in a [...]]]></description>
				<content:encoded><![CDATA[<div>Posted on <a title="Posted on March 15th, 2013" href="http://www.massachusettsnoncompetelaw.com/2013/03/the-split-in-the-circuit-courts-over-the-proper-interpretation-of-the-computer-fraud-and-abuse-act-actually-goes-three-ways/" rel="bookmark"><time datetime="March 15th, 2013">March 15th, 2013</time> </a><!-- / bookmark -->by <a title="View all posts by Brian P. Bialas" href="http://www.massachusettsnoncompetelaw.com/author/brian-p-bialas/" rel="author">Brian P. Bialas</a> <!-- / by-author --></div>
<div>on our sister blog, <a href="http://www.massachusettsnoncompetelaw.com/" target="_blank">Massachusetts Noncompete Law</a>.</div>
<div> </div>
<div>            I’ve written many <a href="http://www.massachusettsnoncompetelaw.com/articles/computer-fraud-and-abuse-act/">times</a> about the significant split in circuit courts’ interpretation of the Computer Fraud and Abuse Act (CFAA), which affects whether an employer can sue an employee for violating computer use restrictions, usually embodied in a confidentiality agreement or company IT policy, when an employee downloads confidential information he is permitted to access but then takes that information to a competitor.  The debate centers on when an employee “exceeds authorized access” under the text of the CFAA.  In states that are part of the First Circuit Court of Appeals (which includes Massachusetts), an employer can use the CFAA in a lawsuit against an employee in such a situation.  But in the Ninth Circuit, which includes California, an employer can sue only if the employee did not have access to the information as part of his job, meaning, in most cases, that the employee “hacked” into an area of the employer’s computer system that he was not permitted to access. </div>
<div> </div>
<div>            Yet in a recent <a href="https://web2.westlaw.com/signon/default.wl?bhcp=1&amp;findtype=Y&amp;fn=%5Ftop&amp;mt=Bankruptcy&amp;newdoor=true&amp;path=%2Ffind%2Fdefault%2Ewl&amp;rs=WLW13%2E01&amp;serialnum=0386245800&amp;ssl=y&amp;strRecreate=no&amp;sv=Split&amp;vr=2%2E0">article</a> (subscription required), Alan W. Nicgorski argues that there is another trend among the circuits that is even more favorable to employers than the First Circuit’s interpretation.  Nicgorski contends that the Seventh Circuit, which is based in Chicago, allows claims under the CFAA whenever an employee “embarks on a course of conduct adverse to his employer’s interest,” such as when an employee takes company information from a computer for the purpose of giving it to a competitor, even if there is no written agreement that the employee violated.  <i>See </i><a href="http://law.justia.com/cases/federal/appellate-courts/F3/440/418/477841/"><i>Int’l Airport Centers, L.L.C. v. Citrin</i></a>, 440 F.3d 418 (7th Cir. 2006).  The Seventh Circuit’s reasoning is that an employee violates his duty of loyalty to the employer when he acts adverse to his employer’s interests, which automatically terminates the employee’s right to access the employer’s computers and information.  As a result, the employee acts “without authorization,” another way a defendant can be liable under the statute.  After all, the right to access the information was based on the employee being an “agent” of the employer, but a breach of the duty of loyalty terminates that relationship.  In effect, this interpretation using the “without authorization” language eliminates an employer’s need for the “exceeds authorized access” language altogether, at least when dealing with an employee who takes information to a competitor, because any authorization given to an employee terminates once the employee acts for a competitor.  An employee can’t exceed his authorized access when he has no authorization at all.</div>
<div> </div>
<div>            So would the First Circuit interpret “without authorization” in the same way as the Seventh Circuit?  One judge of the U.S. District Court of Massachusetts thinks so.  <i>See </i><a href="http://www.massachusettsnoncompetelaw.com/uploads/file/Guest-Tek%20v_%20Pullen(1).pdf"><i>Guest-Tek Interactive Entm’t Inc. v. Pullen</i></a>, 665 F. Supp. 2d 42 (D. Mass. 2009).  In <i>Guest-Tek</i>, Judge Nathaniel Gorton denied a motion to dismiss a CFAA claim where the plaintiff alleged that the defendant breached his duty of loyalty to the plaintiff employer by copying files and secretly planning a competitive venture.  In short, Judge Gorton ruled that the First Circuit “has favored a broader reading of the CFAA” (see above) and cited <i>Citrin</i>.  This decision by no means guarantees that the First Circuit would follow <i>Citrin</i> should the issue be presented to that court, but it does show that the circuits may continue to diverge in three directions.  The Seventh Circuit’s decision in <i>Citrin</i>, I think, has been lumped together with the decisions of other circuits that allow CFAA claims based on computer use restrictions because the Seventh Circuit’s interpretation also would allow such a claim.  (If anything, an employee who violates a computer use restriction likely breaches his duty of loyalty.)  Because most employers have policies upon which CFAA claims can be based, many commentators (including yours truly) have tried to simplify the circuit split by drawing a line between those courts that allow CFAA claims based on computer use restrictions, and those that don’t.  But the Seventh Circuit is indeed an outlier, and Nicgorski shows that, at least in that court, an employer need not have a policy to have a claim.</div>
]]></content:encoded>
			<wfw:commentRss>http://www.securityprivacyandthelaw.com/2013/04/the-split-in-the-circuit-courts-over-the-proper-interpretation-of-the-computer-fraud-and-abuse-act-actually-goes-three-ways/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Commentary on the Status of the Computer Fraud and Abuse Act</title>
		<link>http://www.securityprivacyandthelaw.com/2013/02/760/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=760</link>
		<comments>http://www.securityprivacyandthelaw.com/2013/02/760/#comments</comments>
		<pubDate>Thu, 28 Feb 2013 04:17:23 +0000</pubDate>
		<dc:creator>Colin Zick</dc:creator>
				<category><![CDATA[Financial Industry Spotlight]]></category>
		<category><![CDATA[Government Enforcement]]></category>
		<category><![CDATA[CFAA]]></category>
		<category><![CDATA[circuit split]]></category>
		<category><![CDATA[Computer Fraud and Abuse Act]]></category>

		<guid isPermaLink="false">http://www.securityprivacyandthelaw.com/?p=760</guid>
		<description><![CDATA[&#160; Feb 18, 2013 U.S. Supreme Court takes pass on CFAA lawsuit; uncertainty remains In 1st Circuit, ‘ball in employer’s court’ By Correy E. Stephenson The U.S. Supreme Court’s denial of certiorari in a Computer Fraud and Abuse Act case leaves employment lawyers in the 1st Circuit and beyond with continuing uncertainty. Employers frequently add a [...]]]></description>
				<content:encoded><![CDATA[<div>
<div id="header">
<div id="dmc-widget-text-2">
<p><a href="http://masslawyersweekly.com/"><img alt="Massachusetts Lawyers Weekly" src="http://masslawyersweekly.com/wp-content/themes/e-reprints/images/malwmasthead.jpg" border="0" /></a></p>
</div>
</div>
<div>
<div id="issuedate">Feb 18, 2013</div>
<h1>U.S. Supreme Court takes pass on CFAA lawsuit; uncertainty remains</h1>
<h2>In 1st Circuit, ‘ball in employer’s court’</h2>
<p><b>By Correy E. Stephenson</b></p>
<table>
<tbody>
<tr>
<td><p>The U.S. Supreme Court’s denial of certiorari in a Computer Fraud and Abuse Act case leaves employment lawyers in the 1st Circuit and beyond with continuing uncertainty. Employers frequently add a CFAA claim to suits against former employees that take confidential information from company computer systems.</p>
<p>But federal courts across the country have split on just how broadly the act should be interpreted.</p>
<p>The CFAA provides for criminal and civil penalties against an employee who “knowingly and with the intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.”</p>
<p>The 1st U.S. Circuit Court of Appeals has granted employers the right to sue under the act when employees have authorized access but use it for non-job-related purposes, while others, such as the 9th Circuit, have narrowly interpreted the law to require an actual hacking of the computer system.</p>
<p>Raising the hopes of employment lawyers nationwide, a 4th Circuit case sought certiorari before the Supreme Court, hoping to end the circuit split.</p>
<p>But in January, the justices denied review, leaving employment lawyers with continuing uncertainty.</p></td>
</tr>
</tbody>
</table>
<p>“This is a big deal for employment lawyers,” said Brian P. Bialas of Foley Hoag in Boston.</p>
<p>Until the Supreme Court agrees to decide the issue, Bialas added, “the ball is definitely in the employer’s court in the 1st Circuit.”</p>
<p><b>Circuit split widens</b></p>
<p>For multiple reasons, the CFAA is a valuable tool for attorneys representing employers. In addition to establishing federal jurisdiction, the CFAA lets victorious plaintiffs recover damages such as the cost of hiring a computer forensic firm to investigate the employee’s activities, Bialas said.</p>
<p>And the act provides for injunctive relief, which can allow employers to stop a former worker from taking information to a new employer or using it for his own benefit.</p>
<p>The law comes into play when an employee leaves a job or is terminated and attempts to take information with him.</p>
<p>While an employee typically is authorized to access company documents on an internal document management system, “if she does so not in the course of her employment but rather for the purpose of viewing information that might be helpful for her next employer or some other improper purpose, then [the CFAA] can be triggered,” said John R. Bauer, a partner at Robinson &amp; Cole in Boston.</p>
<p>For example, Bauer said, an employer would consider financial information, a formula or a client list confidential.</p>
<p>“Even though the person has literal authorized access to the documents, the access is used not for the purpose of fulfilling job responsibilities,” he said, adding that an alleged breach of the company’s computer use policy can — in some jurisdictions — provide the basis for a CFAA claim.</p>
<p>In the 1st Circuit, an employer has been allowed to bring suit against a former employee for accessing data in violation of a confidentiality agreement. The decision in <i>EF Cultural Travel BV v. Explorica</i> stands with similar decisions from the 5th, 8th and 11th circuits, where courts have also allowed employers to allege violations of the CFAA when the employee breached a confidentiality or computer use agreement.</p>
<p>A case from the 9th Circuit stands in stark contrast.</p>
<p>In an en banc decision issued last year, a criminal action against an employee who had authorization to access his employer’s database but used his log-in credentials to download source lists, names and contact information to start his own business was dismissed.</p>
<p>Even though the employee in <i>U.S. v. Nosal</i> violated a company policy that prohibited the disclosure of confidential information, the panel held that the statute did not apply. The CFAA requires unauthorized access to computer data or computer hacking, the 9th Circuit said.</p>
<p>Last July, the 4th Circuit agreed, holding in <i>WEC Carolina Energy Solutions LLC v. Miller</i> that the CFAA does not impose liability on authorized workers who breach computer user policies.</p>
<p>Noting the widening circuit split, the company petitioned the high court for review, which was declined by the justices in January.</p>
<p><b>Employers: Establish a policy</b></p>
<p>The Supreme Court’s denial of cert leaves attorneys representing employers in Massachusetts standing on solid ground.</p>
<p>To protect a company, make sure to have a data or computer use policy in place, Bialas advised, and “include a provision about confidentiality to use as a basis for a CFAA claim.”</p>
<p>However, the jurisdictional split “creates a problem for employers who have employees in multiple states,” Bauer said.</p>
<p>The employer “might be able to bring an action against an employee in one state but can’t take action against an employee in another state for doing the exact same thing,” he said.</p>
<p>For now, employees — and their new employers — face potential lawsuits with the existing 1st Circuit CFAA caselaw.</p>
<p>But attorneys agreed that the circuit split will be resolved, whether by the Supreme Court or via an update to the legislation.</p>
<p>The CFAA has received the attention of federal lawmakers recently after the suicide of Aaron Swartz, a computer prodigy who had been criminally charged under the law. With the statute under consideration, a tweak to clarify the breadth of its application in civil employment suits is possible, Bialas noted.</p>
<p>If not, “the Supreme Court would certainly be the easiest way for a lot of people to get some clarity,” he added hopefully.</p>
</div>
<div id="footer">
<div id="dmc-widget-text-3">
<div>
<hr noshade="noshade" size="1" />
<p>Copyright © 2012 Massachusetts Lawyers Weekly | 10 Milk Street Suite 1000, Boston, MA 02108 | 1-800-451-9998</p>
</div>
</div>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.securityprivacyandthelaw.com/2013/02/760/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>PCI-DSS Update: The Payment Card Industry Security Standards Council Issues Guidelines for Security Risk Assessments, Cloud Computing, and Accepting Payments on Mobile Devices</title>
		<link>http://www.securityprivacyandthelaw.com/2013/02/pci-dss-update-the-payment-card-industry-security-standards-council-issues-guidelines-for-security-risk-assessments-cloud-computing-and-accepting-payments-on-mobile-devices/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=pci-dss-update-the-payment-card-industry-security-standards-council-issues-guidelines-for-security-risk-assessments-cloud-computing-and-accepting-payments-on-mobile-devices</link>
		<comments>http://www.securityprivacyandthelaw.com/2013/02/pci-dss-update-the-payment-card-industry-security-standards-council-issues-guidelines-for-security-risk-assessments-cloud-computing-and-accepting-payments-on-mobile-devices/#comments</comments>
		<pubDate>Wed, 27 Feb 2013 16:53:43 +0000</pubDate>
		<dc:creator>Brian Bialas</dc:creator>
				<category><![CDATA[Financial Industry Spotlight]]></category>
		<category><![CDATA[Government Enforcement]]></category>
		<category><![CDATA[American Express]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[credit cards]]></category>
		<category><![CDATA[device]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[MasterCard]]></category>
		<category><![CDATA[mobile]]></category>
		<category><![CDATA[PCI DSS]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[Square]]></category>
		<category><![CDATA[Visa]]></category>

		<guid isPermaLink="false">http://www.securityprivacyandthelaw.com/?p=756</guid>
		<description><![CDATA[Merchants who accept credit cards have a duty to protect customer information, not only by law (see, e.g., 201 CMR 17.00), but also because the credit card companies tell them so.  The Payment Card Industry Security Standards Council was created by Visa, MasterCard and American Express to tell merchants precisely what they are supposed to [...]]]></description>
				<content:encoded><![CDATA[<p>Merchants who accept credit cards have a duty to protect customer information, not only by law (<i>see, e.g.</i>, <a href="http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf">201 CMR 17.00</a>), but also because the credit card companies tell them so.  The Payment Card Industry Security Standards Council was created by Visa, MasterCard and American Express to tell merchants precisely what they are supposed to do to protect consumers.  Merchants must follow the Payment Card Industry Data Security Standard (PCI DSS) or risk fines or losing the ability to process credit cards.  This past November, and then again in February, the Council issued guidelines to help merchants (and some third-party service providers) comply with PCI DSS when they perform assessments of risks to cardholder information within their systems, deal with cloud service providers, and accept payments using mobile devices. </p>
<p><b><span style="text-decoration: underline;">Risk Assessments</span></b></p>
<p>On November 16, 2012, the Council <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_Risk_Assmt_Guidelines_v1.pdf">issued</a> its guidelines to help organizations perform risk assessments that comply with PCI DSS.  According to <a href="http://privacylaw.bna.com/pvrc/7057/split_display.adp?fedfid=28706458&amp;vname=pvlrnotallissues&amp;jd=a0d5j3u9g6&amp;split=0">BNA</a>, some of the Council’s key recommendations include encouraging organizations to:</p>
<ul>
<li>implement risk assessment methodologies that suit the culture and requirements of the particular organization; and</li>
<li>utilize continuous discovery processes that allow organizations to discover threats and mitigate them in a proactive and timely fashion.</li>
</ul>
<p>The Council also emphasized that risk assessments should not replace the requirements of PCI DSS.</p>
<p> <b><span style="text-decoration: underline;">Cloud Service Providers</span></b></p>
<p>The Council also has <a href="https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf">published</a> guidelines for dealing with cloud service providers.  Because many organizations entrust cardholder information to cloud service providers (like Google), the Council <a href="http://privacylaw.bna.com/pvrc/7057/split_display.adp?fedfid=29633494&amp;vname=pvlrnotallissues&amp;jd=a0d6h9a0e3&amp;split=0">emphasized</a> that compliance with PCI DSS is a shared responsibility between the organization and the cloud service provider.  The more aspects of a business a third party manages for that business, the more responsibility that third party has for maintaining PCI DSS protections.  Significantly, the guidelines suggest that organizations and cloud service providers clearly set out security responsibilities in contracts between them to avoid misunderstandings.</p>
<p><b><span style="text-decoration: underline;">Mobile Devices</span></b></p>
<p>The Council also has <a href="https://www.pcisecuritystandards.org/documents/Mobile_Payment_Security_Guidelines_Merchants_v1.pdf">offered</a> best practices for accepting credit card payments on mobile devices.  Mobile devices are not designed to accept sensitive financial information, and are therefore particularly vulnerable.  For this reason, the Council provided recommendations to ensure the security of mobile devices used to process payments.  The Council did not recommend that merchants allow “bring your own device” policies, where an employee brings a device to work that the employee (who is not the merchant) owns and controls, because the merchant does not have control over the content and configuration of the device.  With the increasing popularity of <a href="https://squareup.com/?gclid=COzDjbD71LUCFUZa4AodMzkAvA">Square</a>, merchant vigilance to strict standards in this area is only going to become more important.   </p>
<p style="text-align: center;"> *   *   *</p>
<p> Above all, the Council’s guidelines show just how seriously the credit card industry considers the protection of cardholder information at each step of the payment process, from the initial purchase through to the storage of the information.  Yet some security threats to cardholder information, including a basic one that I wrote about <a href="http://www.securityprivacyandthelaw.com/2011/12/waiters-at-high-end-steakhouses-arrested-for-stealing-customer-credit-card-numbers/">here</a>, remain unaddressed, so the credit card industry still has some work to do.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityprivacyandthelaw.com/2013/02/pci-dss-update-the-payment-card-industry-security-standards-council-issues-guidelines-for-security-risk-assessments-cloud-computing-and-accepting-payments-on-mobile-devices/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>More on President Obama’s Executive Order on Cybersecurity</title>
		<link>http://www.securityprivacyandthelaw.com/2013/02/more-on-president-obamas-executive-order-on-cybersecurity/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=more-on-president-obamas-executive-order-on-cybersecurity</link>
		<comments>http://www.securityprivacyandthelaw.com/2013/02/more-on-president-obamas-executive-order-on-cybersecurity/#comments</comments>
		<pubDate>Thu, 14 Feb 2013 15:52:01 +0000</pubDate>
		<dc:creator>Stephen Bychowski</dc:creator>
				<category><![CDATA[Cybersecurity & Cybercrime]]></category>

		<guid isPermaLink="false">http://www.securityprivacyandthelaw.com/?p=752</guid>
		<description><![CDATA[On February 12, 2013, President Obama signed an executive order entitled “Improving Critical Infrastructure Cybersecurity.”  The Order has two key components. First, the Attorney General, the Secretary of Homeland Security and the Director of National Intelligence must ensure timely production of unclassified reports of cyber threats and must rapidly disseminate the reports to the targeted [...]]]></description>
				<content:encoded><![CDATA[<p>On February 12, 2013, President Obama signed an <a href="http://op.bna.com/der.nsf/r?Open=sbay-94uv4x">executive order</a> entitled “Improving Critical Infrastructure Cybersecurity.”  The Order has two key components.</p>
<p>First, the Attorney General, the Secretary of Homeland Security and the Director of National Intelligence must ensure timely production of unclassified reports of cyber threats and must rapidly disseminate the reports to the targeted entities.</p>
<p>Second, the National Institute of Standards and Technology (“NIST”), which is part of the Commerce Department, must develop a Cybersecurity Framework.  The Cybersecurity Framework will be a set of standards, methodologies and procedures to help owners and operators of critical infrastructure to reduce cyber risks.  NIST must consult with other agencies and stakeholders and must incorporate voluntary consensus standards and industry best practices.</p>
<p>In conjunction with the Department of Homeland Security (“DHS”), sector-specific agencies must develop a program to support the private sector in adopting the Cybersecurity Framework.  DHS must coordinate and recommend to the President a set of incentives to encourage industry adoption.</p>
<p>The President also issued the <a href="http://op.bna.com/der.nsf/r?Open=sbay-94uv6u">Policy Directive on Critical Infrastructure Security and Resilience</a>.  Under the Policy Directive, DHS and sector-specific agencies must assess the Nation’s critical infrastructure and assist the owners and operators in strengthening their cyber security.</p>
<p>The Executive Order and Policy Directive were issued after Congress <a href="http://elitefhweb1/webview/112Timer/runtime/frTimersFrame.aspx?dt_today=2/13/2013&amp;FromMenu=yes&amp;title=Timer">failed to pass numerous cybersecurity bills in 2012</a>, including a proposal by the White House.  In September, the White House <a href="http://www.nationaljournal.com/tech/gop-senators-assail-white-house-for-pushing-executive-order-on-cybersecurity-20120914">said</a> that it would consider issuing an executive order if Congress remained deadlocked.  The White House <a href="http://commerce.senate.gov/public/?a=Files.Serve&amp;File_id=f4da0411-6fb3-4f2b-b3d5-0fd6767ec8db">noted</a> that the executive branch is “hamstrung by outdated and inadequate statutory authorities,” and in President Obama’s <a href="http://www.nytimes.com/2013/02/13/us/politics/obamas-2013-state-of-the-union-address.html?pagewanted=8&amp;_r=1&amp;smid=tw-thecaucus">State of the Union Address</a>, he called on Congress to “pass[] legislation to give our government a greater capacity to secure our networks and deter attacks.”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityprivacyandthelaw.com/2013/02/more-on-president-obamas-executive-order-on-cybersecurity/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Administration Rolls Out Its New Cybersecurity Policy</title>
		<link>http://www.securityprivacyandthelaw.com/2013/02/administration-rolls-out-its-new-cybersecurity-policy/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=administration-rolls-out-its-new-cybersecurity-policy</link>
		<comments>http://www.securityprivacyandthelaw.com/2013/02/administration-rolls-out-its-new-cybersecurity-policy/#comments</comments>
		<pubDate>Wed, 13 Feb 2013 19:26:29 +0000</pubDate>
		<dc:creator>Ara Beth Gershengorn</dc:creator>
				<category><![CDATA[Cybersecurity & Cybercrime]]></category>

		<guid isPermaLink="false">http://www.securityprivacyandthelaw.com/?p=748</guid>
		<description><![CDATA[Yesterday President Obama signed an executive order directing federal agencies to develop voluntary best cyber security practices for key industry sectors and to create a system for broader public-private information sharing, and today administration officials have been speaking at an event highlighting the order. The Order places primary responsibility for managing cyber security in the [...]]]></description>
				<content:encoded><![CDATA[<p>Yesterday President Obama signed an executive order directing federal agencies to develop voluntary best cyber security practices for key industry sectors and to create a system for broader public-private information sharing, and today administration officials have been speaking at an event highlighting the order. The Order places primary responsibility for managing cyber security in the hands of the Department of Homeland Security. Under the Order, the government will also be identifying baseline data and systems requirements for the government to allow the exchange of information and intelligence, and will be producing and disseminating unclassified cyber threat reports. The Order also seeks to increase information sharing within the government and with the private sector, looking for options to improve the public-private partnership in both physical and cyber space and to streamline the process of information sharing.</p>
<p>Deputy Attorney General James Cole, speaking at today’s event, emphasized that this would be done without violating the Administration’s commitment to protecting privacy and civil liberties. He mentioned that each federal department and agency is required to develop and implement privacy and civil liberties safeguards in connection with their cyber space activities, and must also assess the safeguards and their implementation, with the results of the assessment sent to the DHS Chief Privacy Officer and Officer for Civil Rights and Civil Liberties to be included in a public report.</p>
<p>Keep watch here for further analysis of the Executive Order and industry reactions to it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityprivacyandthelaw.com/2013/02/administration-rolls-out-its-new-cybersecurity-policy/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Pentagon to Increase Cybersecurity Force More than Five Times Current Size</title>
		<link>http://www.securityprivacyandthelaw.com/2013/01/pentagon-to-increase-cybersecurity-force-more-than-five-times-current-size/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=pentagon-to-increase-cybersecurity-force-more-than-five-times-current-size</link>
		<comments>http://www.securityprivacyandthelaw.com/2013/01/pentagon-to-increase-cybersecurity-force-more-than-five-times-current-size/#comments</comments>
		<pubDate>Tue, 29 Jan 2013 22:54:10 +0000</pubDate>
		<dc:creator>Colin Zick</dc:creator>
				<category><![CDATA[Cybersecurity & Cybercrime]]></category>
		<category><![CDATA[Government Enforcement]]></category>
		<category><![CDATA["Cyber Command"]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[grids]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securityprivacyandthelaw.com/?p=720</guid>
		<description><![CDATA[In a recent article, the Washington Post reported that &#8220;The Pentagon has approved a major expansion of its cybersecurity force over the next several years, increasing its size more than fivefold to bolster the nation’s ability to defend critical computer systems and conduct offensive computer operations against foreign adversaries.&#8221; The Pentagon&#8217;s plan would create three [...]]]></description>
				<content:encoded><![CDATA[<p>In a <a href="http://www.washingtonpost.com/world/national-security/pentagon-to-boost-cybersecurity-force/2013/01/19/d87d9dc2-5fec-11e2-b05a-605528f6b712_story.html?hpid=z6">recent article</a>, the Washington Post reported that &#8220;The Pentagon has approved a major expansion of its cybersecurity force over the next several years, increasing its size more than fivefold to bolster the nation’s ability to defend critical computer systems and conduct offensive computer operations against foreign adversaries.&#8221;</p>
<p>The Pentagon&#8217;s plan would create three types of forces under the <a href="http://www.arcyber.army.mil/">Cyber Command</a>:</p>
<ul>
<li>“national mission forces” to protect computer systems that undergird electrical grids, power plants and other infrastructure deemed critical to national and economic security;</li>
<li>“combat mission forces” to help commanders abroad plan and execute attacks or other offensive operations; and</li>
<li>“cyber protection forces” to fortify the Defense Department’s networks.</li>
</ul>
<p>The first of these categories is the one I find most interesting, as it most closely relates to daily life and work in this country.  It also raises the interesting question as to which businesses are deemed to be critical infrastructure.  While electric grids seem obvious, what about electronic health records?  Or Google?  Cloud storage?  And would you want your company to be designated as critical, if there is increased government oversight as a result?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityprivacyandthelaw.com/2013/01/pentagon-to-increase-cybersecurity-force-more-than-five-times-current-size/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA &#8220;Omnibus&#8221; Regulations Published in Federal Register</title>
		<link>http://www.securityprivacyandthelaw.com/2013/01/hipaa-omnibus-regulations-published-in-federal-register/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=hipaa-omnibus-regulations-published-in-federal-register</link>
		<comments>http://www.securityprivacyandthelaw.com/2013/01/hipaa-omnibus-regulations-published-in-federal-register/#comments</comments>
		<pubDate>Fri, 25 Jan 2013 16:37:37 +0000</pubDate>
		<dc:creator>Colin Zick</dc:creator>
				<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Government Enforcement]]></category>
		<category><![CDATA[Healthcare Industry Spotlight]]></category>
		<category><![CDATA[Legislation & Regulation]]></category>
		<category><![CDATA[Security & Privacy Alerts]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[enforcement]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securityprivacyandthelaw.com/?p=714</guid>
		<description><![CDATA[The revised HIPAA regulations were formally published today in the Federal Register.  In this form, they only take up 138 pages! Law360 has a brief piece on the revised HIPAA rules, with the perspectives of various attorneys (including me) on the changes.  While I&#8217;m not sure I agree with the quote that “This is a [...]]]></description>
				<content:encoded><![CDATA[<p>The <a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf">revised HIPAA regulations were formally published today </a>in the Federal Register.  In this form, they only take up 138 pages!</p>
<p>Law360 has a <a href="http://www.law360.com/health/articles/409015?nl_pk=944879a2-0034-4bf3-8f02-00536f50c617&amp;utm_source=newsletter&amp;utm_medium=email&amp;utm_campaign=health ">brief piece </a>on the revised HIPAA rules, with the perspectives of various attorneys (including me) on the changes.  While I&#8217;m not sure I agree with the quote that “This is a paradigm shift in the privacy world,&#8221; I do agree that this is &#8220;definitely something for all businesses to pay attention to.”  Similarly, I agreed that “now that the starting gun has sounded, it’s a race to get ready by the Sept. 23 compliance deadline.”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityprivacyandthelaw.com/2013/01/hipaa-omnibus-regulations-published-in-federal-register/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Key Elements of the New “Omnibus” HIPAA</title>
		<link>http://www.securityprivacyandthelaw.com/2013/01/key-elements-of-the-new-omnibus-hipaa/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=key-elements-of-the-new-omnibus-hipaa</link>
		<comments>http://www.securityprivacyandthelaw.com/2013/01/key-elements-of-the-new-omnibus-hipaa/#comments</comments>
		<pubDate>Thu, 24 Jan 2013 21:02:31 +0000</pubDate>
		<dc:creator>Colin Zick</dc:creator>
				<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Government Enforcement]]></category>
		<category><![CDATA[Healthcare Industry Spotlight]]></category>
		<category><![CDATA[Legislation & Regulation]]></category>
		<category><![CDATA[Security & Privacy Alerts]]></category>
		<category><![CDATA[HIPAA omnibus privacy security breach "business associate" "covered entity" subcontractors enforcement]]></category>

		<guid isPermaLink="false">http://www.securityprivacyandthelaw.com/?p=709</guid>
		<description><![CDATA[On January 18, 2013, nearly four years after the passage of the HITECH Act and its amendments to HIPAA, and nearly three years after it proposed regulatory amendments, the U.S. Department of Health and Human Services (“HHS”) has finally issued major “omnibus” revisions to HIPAA’s privacy and security regulations. In the 563 pages of the regulations and related regulatory comments, [...]]]></description>
				<content:encoded><![CDATA[<p>On January 18, 2013, nearly four years after the <a href="http://www.securityprivacyandthelaw.com/2009/02/articles/data-breach-1/adding-to-the-patchwork-hitech-act-sets-new-floor-for-data-breach-notification-of-certain-patient-information/">passage of the HITECH Act and its amendments to HIPAA</a>, and nearly three years after <a href="http://www.securityprivacyandthelaw.com/2010/07/articles/medical-information/hhs-issues-a-notice-of-proposed-rulemaking-to-modify-the-hipaa-privacy-security-and-enforcement-rules/">it proposed regulatory amendments</a>, the U.S. Department of Health and Human Services (“HHS”) has finally issued major “<a href="http://www.hhs.gov/news/press/2013pres/01/20130117b.html" target="_blank">omnibus</a>” revisions to <a href="https://www.federalregister.gov/articles/2013/01/25/2013-01073/hipaa-privacy-security-enforcement-and-breach-notification-rules" target="_blank">HIPAA’s privacy and security regulations</a>.</p>
<p>In the <a href="https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf" target="_blank">563 pages </a>of the regulations and related regulatory comments, there are many substantive and technical changes.  However, we distilled two major themes in these revisions:</p>
<ul>
<li>Extension of HIPAA generally, and in particular the direct extension of HIPAA to business associates and their subcontractors, so that now the entire food chain that deals with Protected Health Information (“PHI”) falls under HIPAA’s privacy and security regulations; and</li>
<li>Ramping up the regulations on data breach, including shifting of the burden on breach notification, so that it squarely now sits on the covered entity/business associate to prove a “low probability” that PHI will be compromised.</li>
</ul>
<p>Also notable is what these regulations did not do:  they did not raise the cap on HIPAA civil monetary penalties.  It remains at $1.5 million, which is somewhat surprising, in light of the increasing frequency and scope of breaches involving PHI, and the increasingly large penalties the Office for Civil Rights has imposed for HIPAA privacy and security violations.</p>
<p>The final rule is effective on March 26, 2013 and the compliance date is 180 days thereafter (September 23, 2013). Covered entities and business associates will have up to one year after the 180-day compliance date to modify existing contracts in order to comply with these revised rules.</p>
<p>Listed below is a more detailed summary of the significant changes in the regulations:</p>
<ul>
<li>HIPAA’s privacy and security requirements will now directly apply to business associates:  “Where provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to a business associate.”  45 C.F.R. § 160.102.  This change includes subjecting both covered entities and business associates to compliance reviews.  45 C.F.R. § 160.308.</li>
<li>The definition of “business associate” itself has been expanded to include:</li>
</ul>
<p style="padding-left: 60px;">(i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.</p>
<p style="padding-left: 60px;">(ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.</p>
<p style="padding-left: 60px;">(iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.  45 C.F.R. § 160.103.</p>
<ul>
<li>Subcontractors of business associates will automatically become business associates themselves, and business associates will be required to obtain “satisfactory assurances” that the subcontractors are complying with HIPAA.  45 C.F.R. § 164.308(b)(2).</li>
<li>Business associates may also be liable for the increased penalties for noncompliance based on the level of culpability, up to a maximum penalty of $1.5 million.  In addition, the factors that are taken into account for imposing civil penalties have been revised to include:
<ul>
<li>“The number of individuals affected”;</li>
<li>“The time period during which the violation occurred”;</li>
<li>“financial harm” to the affected individuals;</li>
<li>“harm to an [affected] individual’s reputation”;</li>
<li>“hinder[ing] an [affected] individual’s ability to obtain health care”.</li>
</ul>
</li>
</ul>
<p>In other words, breaches that impact more people over a longer time with resulting harm will be punished more severely.  A history of previous “indications of non-compliance” also will be factored into this HIPAA civil penalty analysis.  45 C.F.R. § 160.408.</p>
<ul>
<li>The definition of breach is changed, with the burden now on the covered entity to prove there was not a breach.  In particular, an impermissible use or disclosure of PHI is <b>presumed</b> to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised based on the following factors:
<ul>
<li>The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;</li>
<li>The unauthorized person who used the protected health information or to whom the disclosure was made;</li>
<li>Whether the protected health information was actually acquired or viewed; and</li>
<li>The extent to which the risk to the protected health information has been mitigated.</li>
</ul>
</li>
</ul>
<p>45 C.F.R. § 164.402(2).</p>
<ul>
<li>There are new limits on how information is used and disclosed for marketing and fund-raising purposes.  Marketing is now defined to exclude the following:
<ul>
<li>Refill reminders; and</li>
<li>“For case management or care coordination, contacting of individuals with information about treatment alternatives, and related functions to the extent these activities do not fall within the definition of treatment.”   45 C.F.R. § 164.501.</li>
</ul>
</li>
<li>For fundraising, however, some elements of PHI can be used without patient authorization:
<ul>
<li>Name;</li>
<li>Address;</li>
<li>Contact information;</li>
<li>Date of birth;</li>
<li>Dates of care;</li>
<li>Treating physician;</li>
<li>Outcome information; and</li>
<li>Health insurance status.</li>
</ul>
</li>
</ul>
<p>As a condition of this use, however, patients must be given the chance to opt-out of fundraising contacts.  45 C.F.R. § 164.502(f)(1)</p>
<ul>
<li>The sale of an individual’s health information without permission is prohibited.  The rules also clarify that the prohibitions on the sale of health information do not apply to public health or research purposes, or treatment, or sale of an entity, or to a business associate.  45 C.F.R. § 164.502(a)(5)(ii).</li>
<li>HIPAA won’t protect the information of individuals who have been deceased for over 50 years, as the definition of PHI has been changed to exclude such information.  45 C.F.R. § 164.502(f).</li>
</ul>
<p>There are several provisions that make patient interactions with the health care system simpler and easier:</p>
<ul>
<li>The definition of “family member” is given greater specificity and breadth.  It also should be easier for family members to access the records of a deceased individual if they were involved in that individual’s care before death.  45 C.F.R. § 164.510(b)(5).</li>
<li>When individuals pay for their care themselves, they can instruct their provider not to share information about their treatment with their health plan.  45 C.F.R. § 164.522(a)(1)(vi)(B).</li>
<li>Patients can request a copy of their electronic medical record in an electronic format.  45 C.F.R. § 164.524(c)(3).</li>
<li>An individual’s ability to authorize the use of his/her health information for research purposes will be streamlined.  45 C.F.R. § 164.508(b)(3)(i).</li>
<li>It will be easier for parents and others to give permission to share proof of a child’s immunization with a school.  45 C.F.R. § 164.512(b)(1)(vi).</li>
</ul>
<p>Strangely, these regulations also include an expansion of very specific genetic privacy protections (which stem from the Genetic Information Nondiscrimination Act of 2008 (GINA), not the 1996 HIPAA statute).   In particular, the definition of “health information” now includes “genetic information” and the final rule prohibits using or disclosing protected health information that is genetic information for underwriting purposes by all health plans that are covered entities under the HIPAA Privacy Rule, including those to which GINA does not expressly apply, except with regard to issuers of long term care policies.  45 C.F.R. § 164.502(a)(5)(i).</p>
<p align="center">*   *   *</p>
<p>There are several other, less notable provisions, which will nevertheless impact HIPAA notices of privacy practices, business associate agreements and authorization for release of information.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityprivacyandthelaw.com/2013/01/key-elements-of-the-new-omnibus-hipaa/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Wait Is Over! HHS Finally Issues Revised HIPAA Privacy and Security Regulations</title>
		<link>http://www.securityprivacyandthelaw.com/2013/01/the-wait-is-over-hhs-finally-issues-revised-hipaa-privacy-and-security-regulations/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-wait-is-over-hhs-finally-issues-revised-hipaa-privacy-and-security-regulations</link>
		<comments>http://www.securityprivacyandthelaw.com/2013/01/the-wait-is-over-hhs-finally-issues-revised-hipaa-privacy-and-security-regulations/#comments</comments>
		<pubDate>Fri, 18 Jan 2013 20:23:25 +0000</pubDate>
		<dc:creator>Colin Zick</dc:creator>
				<category><![CDATA[Government Enforcement]]></category>
		<category><![CDATA[Healthcare Industry Spotlight]]></category>
		<category><![CDATA[Legislation & Regulation]]></category>
		<category><![CDATA[HIPAA privacy security regulations omnibus]]></category>

		<guid isPermaLink="false">http://www.securityprivacyandthelaw.com/?p=704</guid>
		<description><![CDATA[Nearly four years after the passage of the HITECH Act and its amendments to HIPAA, and nearly three years after it proposed regulatory amendments, the U.S. Department of Health and Human Services (&#8220;HHS&#8221;) has finally issued major revisions to HIPAA&#8217;s privacy and security regulations. While we are still making our way through all 563 pages of the regulations and related regulatory comments (and will [...]]]></description>
				<content:encoded><![CDATA[<p>Nearly four years after the <a href="http://www.securityprivacyandthelaw.com/2009/02/articles/data-breach-1/adding-to-the-patchwork-hitech-act-sets-new-floor-for-data-breach-notification-of-certain-patient-information/">passage of the HITECH Act and its amendments to HIPAA</a>, and nearly three years after <a href="http://www.securityprivacyandthelaw.com/2010/07/articles/medical-information/hhs-issues-a-notice-of-proposed-rulemaking-to-modify-the-hipaa-privacy-security-and-enforcement-rules/">it proposed regulatory amendments</a>, the U.S. Department of Health and Human Services (&#8220;HHS&#8221;) has finally issued major revisions to HIPAA&#8217;s privacy and security regulations.</p>
<p>While we are still making our way through <a href="https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf">all 563 pages </a>of the regulations and related regulatory comments (and will have a more detailed analysis shortly in this space), here are some of the highlights we (and <a href="http://www.hhs.gov/news/press/2013pres/01/20130117b.html">the HHS press release</a>) have noted so far:</p>
<ul>
<li>Many of HIPAA&#8217;s privacy and security requirements will now directly apply to business associates;</li>
<li>Business associates may also be liable for the increased penalties for noncompliance based on the level of negligence up to a maximum penalty of $1.5 million;</li>
<li>Subcontractors of business associates will automatically become business associates themselves;</li>
<li>HIPAA won&#8217;t protect individually identifiable health information (IIHI) for individuals who have been deceased for over 50 years;</li>
<li>The definition of breach is changed so that an impermissible use or disclosure of protected health information is <span style="text-decoration: underline;">presumed </span>to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised;</li>
<li>Breach notification is not required if it is demonstrated through a risk assessment that there is a low probability that the protected health information has been compromised, rather than demonstrating that there is no significant risk of harm to the individual as was provided under the interim final rule;</li>
<li>The final rule also identifies the more objective factors covered entities and business associates must consider when performing a risk assessment to determine if PHI has been compromised and breach notification is necessary.</li>
<li>When individuals pay for their care in cash, they can instruct their provider not to share information about their treatment with their health plan;</li>
<li>Patients can request a copy of their electronic medical record in an electronic form;</li>
<li>There are new limits on how information is used and disclosed for marketing and fund-raising purposes; in particular, the sale of an individual&#8217;s health information without permission is prohibited;</li>
<li>An individual’s ability to authorize the use of his/her health information for research purposes will be streamlined;</li>
<li>It will be easier for parents and others to give permission to share proof of a child’s immunization with a school; and</li>
<li>The final rule prohibits using or disclosing protected health information that is genetic information for underwriting purposes by all health plans that are covered entities under the HIPAA Privacy Rule, including those to which GINA does not expressly apply, except with regard to issuers of long term care policies.</li>
</ul>
<p>The final rule is effective on March 26, 2013; the compliance date is 180 days thereafter (September 23, 2013).  Covered entities and business associates will have up to one year after the 180-day compliance date to modify contracts in order to comply with the new rules.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityprivacyandthelaw.com/2013/01/the-wait-is-over-hhs-finally-issues-revised-hipaa-privacy-and-security-regulations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Massachusetts Attorney General Secures $140,000 Settlement of Claims that Patient Information Was Left in a Town Dump</title>
		<link>http://www.securityprivacyandthelaw.com/2013/01/massachusetts-attorney-general-secures-140000-settlement-of-claims-that-patient-information-was-left-in-a-town-dump/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=massachusetts-attorney-general-secures-140000-settlement-of-claims-that-patient-information-was-left-in-a-town-dump</link>
		<comments>http://www.securityprivacyandthelaw.com/2013/01/massachusetts-attorney-general-secures-140000-settlement-of-claims-that-patient-information-was-left-in-a-town-dump/#comments</comments>
		<pubDate>Mon, 07 Jan 2013 16:04:19 +0000</pubDate>
		<dc:creator>Colin Zick</dc:creator>
				<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Government Enforcement]]></category>
		<category><![CDATA[Healthcare Industry Spotlight]]></category>
		<category><![CDATA[$140000]]></category>
		<category><![CDATA[Attorney General]]></category>
		<category><![CDATA[Chestnut]]></category>
		<category><![CDATA[dump]]></category>
		<category><![CDATA[Gagnon]]></category>
		<category><![CDATA[Massachusetts]]></category>
		<category><![CDATA[medical records]]></category>
		<category><![CDATA[Milford]]></category>
		<category><![CDATA[Milton]]></category>
		<category><![CDATA[pathology]]></category>
		<category><![CDATA[Pioneer Valley]]></category>
		<category><![CDATA[settlement]]></category>

		<guid isPermaLink="false">http://fhblogs.webfactional.com/secpriv_wp/?p=688</guid>
		<description><![CDATA[The Massachusetts Attorney General announced today that the former owners of a medical billing practice and four pathology groups have agreed to collectively pay $140,000 to settle allegations that medical records and patient billing information for &#8220;tens of thousands of Massachusetts patients were improperly disposed of at a public dump.&#8221;  Under the settlements, the defendants have agreed to pay a [...]]]></description>
				<content:encoded><![CDATA[<p>The Massachusetts Attorney General <a href="http://www.mass.gov/ago/news-and-updates/press-releases/2013/140k-settlement-over-medical-info-disposed-of-at-dump.html">announced today </a>that the former owners of a medical billing practice and four pathology groups have agreed to collectively pay $140,000 to settle allegations that medical records and patient billing information for &#8220;tens of thousands of Massachusetts patients were improperly disposed of at a public dump.&#8221;  Under the settlements, the defendants have agreed to pay a total of $140,000 for civil penalties, attorney fees, and a data protection fund to support efforts to improve the security and privacy of sensitive health and financial information in Massachusetts.</p>
<p>The Attorney General alleged that Joseph and Louise Gagnon, d/b/a Goldthwait Associates, violated Massachusetts data security laws when they mishandled and improperly disposed of medical records containing personal information and protected health information from four Massachusetts pathology groups at the Georgetown (Mass.) Transfer Station. The medical records contained information for more than 67,000 residents including patient names, Social Security numbers, and medical diagnoses that were not redacted or destroyed when they were dumped.  The other defendants involved in this settlement are Dr. Kevin Dole, former President of Chestnut Pathology Services, P.C.; Milford Pathology Associates, P.C.; Milton Pathology Associates, P.C.; and Pioneer Valley Pathology Associates, P.C.</p>
<p>This issue came to light in July 2010 when a Boston Globe photographer was disposing of his own trash at the Georgetown Transfer Station and observed a large mound of paper which, upon closer inspection, he determined were medical records. His discovery <a href="http://www.boston.com/news/health/articles/2010/08/13/mass_hospitals_investigate_exposure_of_records/">was reported in the Globe shortly thereafter</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityprivacyandthelaw.com/2013/01/massachusetts-attorney-general-secures-140000-settlement-of-claims-that-patient-information-was-left-in-a-town-dump/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
