The AICPA suit seeks declaratory and injunctive relief on the grounds that the FTC exceeded its statutory authority by attempting to impose the Red Flags Rule on AICPA members who, it argues, are already strictly regulated at the state level.  The AICPA makes numerous references to the Court's decision in the ABA suit that the Red Flags Rule may not be applied to lawyers.  As with the ABA lawsuit, the AICPA does not suggest that accountants are just as vulnerable to identity theft as other professionals.

It will be interesting to see how the FTC responds to this new complaint, i.e., whether it will make the same arguments it made in the ABA suit and/or whether it will somehow try to distinguish accountants from lawyers.  It will also be interesting to see if any other large industry groups (such as the American Medical Association) decide to file their own suits.  As we noted in our earlier coverage of the ABA litigation, however, the effect of these suits, if successful, on the burdens of those bringing them is unclear.  Although we are not experts about the duties of accountants, one can imagine that, like lawyers, they will likely be required to take many, if not all, of the same security measures demanded of their clients, because the Red Flags Rule require that companies oversee how their service providers manage customer information and accounts, and because of the duties imposed on service providers by other federal and state laws.

To recap the events leading up to this postponement: in April, the ABA received word that the FTC intended to enforce the FTC's Red Flags Rule, 16 CFR Part 681, against lawyers.  The ABA immediately asked the FTC to extend the May 1, 2009 deadline and the FTC obliged by postponing the deadline until August 1, 2009 (see our post on this topic).  After the ABA publicly called on the FTC and Congress to exempt lawyers from the Red Flags Rule in late June, it filed suit in federal district court on August 27, 2009, leading to the ruling in its favor this morning.

However, as we noted in our post on the district court's ruling, caution may be warranted for attorneys because a number "of federal and state laws demand that companies ensure that customer information is protected "downstream" -- i.e., by consultants, accountants, lawyers and anyone else who is given access to customer records . . . . Under these overlapping obligations [along with the fact that the FTC will almost certainly appeal Judge Walton's decision to the D.C. Court of Appeals] lawyers and law firms who represent regulated businesses may ultimately have little to celebrate as a result of the ruling in favor of the ABA" and the delay in enforcement of the Rule.

The bill, which was introduced on October 8 by Rep. John Adler (D-N.J.), would exclude from the Red Flags Rules health care, accounting and legal practices with 20 or fewer employees.  It would also require the FTC, within 180 days, to issue regulations that set forth the process by which a business may apply for an exemption from the Red Flags Rules.

Of course, the passage of H.R. 3763 likely will not sufficiently narrow the Red Flags Rules in the eyes of the ABA, which has filed suit in federal district court in Washington D.C. to stop the application of the Red Flags Rules to all attorneys (see our prior post on this lawsuit).  In that case, the ABA has already moved for partial summary judgment, and the FTC has filed an opposition.  On October 13, ABA President Carolyn Lamm sent a letter to Rep. Barney Frank (D-MA), the chairman of the Financial Services Committee, urging lawmakers to exempt all attorneys from the rules.

Links:

• BNA Privacy & Security Law Report, "GOP Allows Bill Narrowing FTC Red Flags Rule to Move Directly to House Floor for Vote," 8 PVLR 1491.
• Text of H.R. 3763
• ABA's Motion for Partial Summary Judgment in American Bar Association v. Federal Trade Commission (D.D.C.).
• FTC's Opposition to Motion for Partial Summary Judgment in American Bar Association v. Federal Trade Commission (D.D.C.).

Subsequent reports have revealed that as many as 20,000 accounts have been compromised across numerous email providers, including Yahoo, AOL, Comcast, Earthlink and others, and that .  These reports noted that the affected companies believed that the breaches occurred because of phishing attacks (although one researcher, Mary Landesman, who works for ScanSafe, has said that "it's more likely that the massive lists . . . were harvested by botnets that infected PCs with keylogging or data stealing Trojan horses."

As more details emerge, it seems that more questions remain to be answered.  Exactly how many passwords have been compromised, and from how many companies?  Was the breach due to a single massive phishing attack, multiple smaller fishing attacks, or some type of malware? Why were lists of affected users posted online?  Whatever the answers, it might be a good idea to take a few minutes to change your email passwords from a computer that has been swept for viruses and malware.

Links:

• Keizer, Gregg, "Hacker Leaks Thousands of Hotmail passwords say site,"  Computerworld, October 5, 2006.
• Keizer, Gregg, "Gmail, Yahoo join Hotmail; passwords exposed," Computerworld, October 6, 2009.
• Keizer, Gregg, "Researcher refutes Microsoft's account of hijacked Hotmail passwords," Computerworld, October 7, 2009.
• Richmond, Riva, "More E-Mail Account Details Leaked Online," New York Times, October 6, 2009.

The University of North Carolina at Chapel Hill recently disclosed a data breach that exposed information on 160,000 women, including the Social Security Numbers of 114,000.  Original reports estimated that more than 200,000 women were affected.  The source of the breach was a computer intrusion into a server housing the Carolina Mammography Registry, which is "a 14-year-old project that compiles and analyzes mammography data submitted by radiologists across North Carolina."

Evidently, the breach was discovered in July, but it may have occurred over two years ago.  According to Matt Mauro, chairman of the UNC Department of Radiology, traces of computer viruses were found on a UNC School of computer server dating back to 2007 were found on the server.  The school delayed in notifying those affected while it conducted a forensic investigation to determine exactly who was affected.  To this point, however, the school still does not know who committed the breach or where the attack originated from, how the server (which had all required security measures) was breached, or whether any data was actually downloaded.

Links:

• Ferreri, Eric, "Hacker breaks into research study data," Charlotte Observer, September 29, 2009.
• "UNC says hacker got into fewer files than reported," The News & Observer, October 1, 2009.

Incident 2: Massachusetts Inmate Pleads Guilty to Charges that He Hacked Prison Computer While Incarcerated, Accessed Personal Information On 1,100 Correctional Officers

On September 14, 2009, Francis G. Janosko pled guilty to charges that he hacked a legal research computer provided to inmates in the Plymouth County Correctional Facility.  A highly restricted computer terminal was provided to inmates for the sole purpose of allowing them access to legal research resources.  Janosko apparently circumvented security measures restricting the computer to legal research tools and obtained accessed the administrator's username and password, the prison's internal network, and a report listing the names, birthdays, Social Security Numbers and contact information for 1,100 current and former prison personnel.  He also used the computer to send email and download publicly-available photographs and videos.

A grand jury in Boston indicted Janosko for these activities about a year ago in a sealed indictment (.pdf).  In the plea agreement (.pdf) recently reached with the U.S. Attorney's Office in Boston, federal prosecutors have agreed to dismiss the original charge of aggravated identity theft in exchange for Janosko's guilty plea to charges under the Computer Fraud and Abuse Act.  Janosko has agreed to accept an additional incarceration of 18 months for the hack.  Sentencing in the case is scheduled for December 15th.

The defendant, Everett Connolly, was a suspected drug dealer and who was investigated by police for more than a year.  The investigation included surveillance and controlled drug purchases by confidential informants and, towards the end of the surveillance period, by an undercover officer.  Based on this investigation, the police applied for a warrant to place a GPS tracking device on Connolly's van for fifteen days.  The application was granted and Connolly was eventually arrested (based on a separate arrest warrant), tried and convicted.  He argued to the SJC that, among other things, "surreptitious GPS monitoring without a warrant constitutes an unreasonable search and seizure that violates the Fourth Amendment . . . and art. 14 of the Massachusetts Declaration of Rights."  He based this argument on the theory that, although police had a search warrant, they continued to obtain information from that warrant after it had expired.

Read on for more detail and analysis of the SJC's opinion.

Three justices concurred in the judgment.  They agreed with the majority that installation of a GPS device constituted a seizure requiring a warrant.  However, they argued that the use of a vehicle to conduct GPS monitoring did not constitute a seizure of the vehicle; rather, they believed that such use invaded the reasonable expectation of privacy of any person authorized to drive the vehicle, and that such invasion was better characterized as a search.  According to the concurrence, only by focusing on the "privacy interest at risk from contemporaneous GPS monitoring . . . will we be able to establish a constitutional jurisprudence that can adapt to changes in the technology of real-time monitoring, and that can better balance the legitimate needs of law enforcement with the legitimate privacy concerns of our citizens.

 As I noted in an earlier post, the use of GPS devices to monitor suspects' movements is bound to become a hot-button issue over the next few years.  The courts that have addressed the issue have expressed great concern about the threat to privacy posed by the rapid progression in monitoring technology.  What is interesting about the SJC's decision is that it appears the majority was attempting to craft a more narrow decision by basing its holding on the seizure of the vehicle, which implicates an individual's property interest.  The concurrence's position is arguably broader, more subjective, and more flexible, as it requires analysis of a person's expectation of privacy.  One wonders, then, if the issue behind the scenes with the SJC was not what result to reach, but how broad to stretch in the opinion.

Links:

• The SJC's opinion in Commonwealth v. Connolly
• Security, Privacy and the Law, "Courts Split on Whether Police Can Use GPS to Track Individual's Movements Without a Warrant," Jeff Bone, 5/13/09

According to the press release, the lab "will expand the office's forensic capabilities, allowing it to conduct exams on a variety of digital media such as computers, cell phones, laptops, PDAs and GPS devices."  The lab is 3,000 square feet and is the largest of its size for any attorney general's office in New England.  It will have the latest technology available to forensic investigators to allow them to extract information such as text messages, videos and pictures from mobile devices, and will also have imaging machines that can be used to capture information that cannot be extracted from a device or hard drive.  In addition, lab space will be used to train police officers on how to "bag and tag," using the proper techniques for evidence seizure at a crime scene. 

According to the press release, the Attorney General's Office has trained more than 1,000 Massachusetts law enforcement officers and cyber crime experts from across the nation, focusing primarily on investigation of identity theft.  While it certainly seems that Attorney General Coakley has made prevention of cyber-crime one of her top priorities (indeed, the office recently received and award from the National White Collar Crime Center for its work in cyber crime), it will be interesting to see what happens if she is successful in her candidacy for the U.S. Senate.

Links:

• September 15, 2009 Press Release: Attorney General Martha Coakley Announces Opening of New State-of-the-Art Computer Forensics Lab
• Massachusetts Attorney General Cybercrime Initiative

Note that this is the same Albert Gonzalez that is awaiting trial for his role in the notable attack suffered by TJX that is now only the second largest known breach of its kind.

The indictment alleges that, between October 2006 and May 2008, Gonzales and an uncharged co-conspirator named "P.T." identified potential corporate victims by, among other things, reviewing a list of Fortune 500 companies.  They would then travel to retail stores of potential victims to identify point of sale terminals (checkout machines) and learn about potential vulnerabilities of those systems.  P.T. would visit the corporate websites of potential victims to identify vulnerabilities in the payment processing systems the victims used.  According to the indictment, the conspirators maintained computers in New Jersey and around the world that stored malware and other information critical to the hack.  Gonzalez, P.T. and Hackers 1 and 2 then hacked into the victims' networks using various methods, including SQL injection attacks, which is a well-known attack that exploits security vulnerabilities between an online interface and the back-end customer database.

Once they had hacked into the computer networks, the conspirators placed malware on the victims' networks that enabled them to access the networks at a later date.  They would then find credit and debit card data and transmit it to servers they controlled.  At the same time, they installed "sniffer" programs, which would conduct real-time interception of data being processed by the victims and periodically transfer this data to the conspirators.  The indictment alleges that the conspirators often worked together on a real-time basis via instant messaging to advise each other how to navigate the victims' networks.  The conspirators concealed their actions in numerous ways, including disguising the IP addresses of their computers through intermediary (or "proxy") servers, and by placing additional malware on the victims' networks that could evade anti-virus software and would erase traces of the malware's presence on the networks.

Each defendant faces a maximum of 35 years in prison and more than $1 million in fines or twice the gain from the crimes, whichever is greater.  According to the press release, Gonzalez is currently in jail in Brooklyn, New York and awaiting trial in New York and Massachusetts related to prior instances of data theft. 

While it is certainly good to know that the Department of Justice continues to take an active role in large-scale incidents, the description of the scheme in the indictment should give retailers and other institutions pause and perhaps a reason to review information security measures.  While the perpetrators in this case are obviously skilled programmers, it appears that they obtained some of the information essential to executing their scheme simply by observing check out registers and visiting corporate websites.  [Editor's note: the FTC has considered SQL injection attacks to be "commonly known or reasonably foreseeable" since at least 2000, see FTC's enforcement action against Guess? and comments by the FTC's chief privacy officer. If your company has not hardened its website to these attacks, it may be assuming an undue risk.]  Moreover, it appears from the indictment that three of the four individuals are still at large, and of course there are likely numerous individuals out there with both the means and the motive to perpetrate similar schemes.  Because the indictment is fairly general in the details of the mechanics of the hacks, it will be interesting to see what details come out in the prosecution of the case and what lessons, if any, companies can learn from those details.

Links:

• "Three Men Indicted for Hacking into Five Corporate Entities, including Heartland, 7-Eleven, and Hannaford, With Over 130 Million Credit and Debut Card Numbers Stolen", August 17, 2009 Press Release from New Jersey United States Attorney's Office
• Indictment Against Albert Gonzalez, Hacker 1 and Hacker 2

The case began on February 19, 2009, when the United States filed a petition (.pdf) in the U.S. District Court for the Southern District of Florida, asking the court to enforce an IRS "John Doe" summons to UBS.  The IRS served the summons in furtherance of an investigation it was conducting to determine the identities of U.S. taxpayers who had allegedly failed to report the existence of, and income earned in, undeclared Swiss accounts with UBS.  On February 20, UBS filed a document containing what it termed "background information for the court's consideration" (.pdf).  In this filing, UBS argued that the IRS was essentially asking it to violate Swiss privacy laws, thereby exposing its employees and the bank to criminal and civil penalties.  UBS argued that the petition raised serious issues of international comity due to Swiss financial privacy laws, violated treaties between the United States and Switzerland and violated a prior agreement between the United States and UBS.  That same day, the United States filed a response (.pdf) that disputed the arguments made by UBS.

On April 30, UBS then filed a brief (.pdf) that expounded on its arguments against disclosure.  In support of UBS, the Swiss government filed an amicus brief (.pdf).  On June 30, the United States then filed its response (.pdf).  The federal judge had scheduled a hearing for July 13, 2009, to hear arguments on the petition.  On July 12, 2009, however, the parties filed a joint motion to stay the hearing, so they could continue to discuss settlement.  The judge granted the motion and re-set the hearing to August 3, in the event the parties could not reach a resolution.

The dispute between the IRS and UBS is also having effects on third parties.  The Wall Street Journal reported on Monday that Swiss banks are curbing or eliminating business with U.S. customers for fear of future action by U.S. authorities.  While it is probable that the U.S. and UBS will reach some sort of settlement (likely involving a payment by UBS to the U.S.), if the case goes forward it will interesting to see what future effects the outcome could have, not just on financial transactions between American citizens and Swiss banks, but on transactions between American citizens and any other international bank, as well as on the federal government's ability to enforce tax laws beyond its borders.

Links:

• February 19, 2009 Petition to Enforce John Doe Summons
• February 20, 2009 Background Information For the Court's Consideration Prior to the Scheduled Status Conference
• February 20, 2009 Response to Bakground Filing by Respondent (filed by the United States)
• April 30, 2009 Brief of UBS
• April 30, 2009 Amicus Brief of Switzerland
• June 30, 2009 Response Brief of the United States
• "Judge Gives UBS and U.S. Time to Seek a Settlement," New York Times, Lynnley Browning, July 13, 2009
• "Swiss Bank Freezes Out U.S. Clients," Wall Street Journal, Katharina Bart, July 21, 2009

According to RIM, the software was not RIM-authorized and was not developed, tested, promoted or distributed by RIM.  On July 17, RIM sent a more detailed note to customers explaining that "Etisalat appears to have distributed a telecommunications surveillance application that was designed and developed by SS8," which is a California company that describes itself as "a leader in communications intercept and a worldwide provider of regulatory compliant, electronic intercept and surveillance solutions."  RIM has offered a new update to remove the spyware. 

The incident was discovered after customers who installed the software began complaining that it was draining the batteries on their devices.  According to an article in PC World, SS8 has not responded to telephone calls seeking comment, while Etisalat has described the problem as a "slight technical fault" that "has resulted in reduced battery life in a very limited number of devices."  An article from Wired notes that a security consultant in Asia named Sheran A. Gunasekera has released a white paper analyzing the code that made up the spyware.  According to Mr. Gunasekera, the spyware could only intercept outgoing e-mail messages.  It could not intercept incoming messages (whether they be e-mails, instant messages, PIN messages, phone calls, etc.), nor could it silently update itself with newer releases. 

Although this version of spyware apparently affected a limited number of Blackberry users, that is no cause for comfort.  Mr. Gunasekera believes that the source code used for "Registration" could easily be modified, improved and used in the future on unsuspecting Blackberry users.  In a New York Times article, Internet security and privacy consult Richard M. Smith of Boston Software Forensics was quoted as stating that smart phones are "perfect personal spying devices" and that the threat is "an evolving one.  As the technology advances, the security problems follow behind."  Given the ever increasing security risks in the information security world, it is likely only a matter of time before there is another, much larger incident related to smartphone security. 

Links:

• Post on Blackberry's Website:  "App Remover for removing Etisalat's 'Registration' application on Blackberry smartphones"
• July 17, 2009 RIM Customer Statement Regarding Etisalat / SS8 Software
• SS8 Homepage
• Statement by Etisalat about the incident
• "RIM: UAE Carrier's Blackberry Update Was Spyware," by Robert McMillan, IDG News Service, PCWorld, July 21, 2009
• "Analyzing the SS8 Interceptor Application for the BlackBerry Handheld," by Sheran A. Gunasekera
• "Researcher: Blackberry Spyware Wasn't Ready For Primetime," by Kim Zetter, Wired, July 21, 2009
• "Blackberry Maker: UAE Partner's Update Was Spyware," by the Associated Press, found at the New York Times, July 22, 2009

The task force will be named the European Electronic Crime Task Force, will be based in Rome and, according to Italian police, will be open to other European countries. Its main focus will be to combine the resources and efforts of the United States and European Union nations in order to fortify cyber-defenses for government sites hosting sensitive data. The Italian Postal Service (and, presumably, other entities that decide to contribute) will exchange alerts with the Secret Service, monitor computer networks across Europe using Italian Postal Service software for threats, and coordinate to quickly respond to attacks. According to the articles, the Italian Postal Service now makes more money from banking and insurance services than from traditional sending of letters and packages. Given this shift in focus, it has developed a software that can review electronic monetary transfers for suspcious signs.

Ironically, and as discussed in more detail elsewhere, the announcement of this new task force came just a few days before the Secret Service's website, along with the websites of the Treasury Department and Federal Trade Commission, were paralyzed due to cyberattacks, which government officials speculate originated from North Korea.  Perhaps the Secret Service should have first established a task force with Asia?

Links:

• U.S. and Europe Jointly Establish Cyber-Crime Force, Jennifer Clark, Wall Street Journal, June 30, 2009
• U.S. teams with Italy to fight cyber crime, Phillip Willan, Computerworld, June 30, 2009
• U.S. and South Korea Targeted in Ongoing Denial of Service Attacks, Aaron Wright, securityprivacyandthelaw.com, July 8, 2009
• 18 U.S.C. sec. 1030
• Mission Statement of the U.S. Secret Service

• The agencies clarified that "all banks, savings associations and credit unions are covered by the Red Flags Rules and Guidelines as 'financial institutions,' whether or not they hold a transaction account belonging to a consumer," and including "those whose powers are limited to trust activities;"
   
• Brokers, dealers, investment advisors or investment or insurance companies (including those that are subsidiaries of a bank or savings association) are covered by the Rules and Guidelines if they are a "financial institution" or creditor" under the Fair Credit Reporting Act.
   
• IRAs will generally be considered "covered accounts" and thus subject to the Rules and Guidelines;
   
• The term "covered account" includes accounts established in the United States by non-U.S. residents;
   
• Check forgery or use of a stolen credit card constitutes "identity theft" because it involves a fraud using the identifying information of another person without authority;
   
• The Rules and Guidelines do not require a financial institution or creditor to educate consumers regarding the risk of identity theft, although such programs "may be helpful as part of an overall effort to address the problem of identity theft"
   
• Financial institutions may, but are not required to, use automated systems to detect red flags, but may have to supplement such a systems with non-automated procedures;
   
• The Rules and Guidelines required financial institutions or creditors to oversee all service provider arrangements that relate to the opening or accessing of a covered account, not just those with providers that offer fraud detection services;

While it is certainly laudable for the agencies to put together a list of answers to various FAQs in order to facilitate the transition to when the Rules and Guidelines go into effect, I found many of the answers to be fairly unhelpful.  For starters, most of the questions and answers deal with the Rules and Guidelines only as they relate to financial institutions, even though they will apply to numerous other types of institutions.   Moreover, much of the guidance given was extremely vauge.  For example, many of the answers to questions regarding covered accounts could be summarized as "it depends on whether the institution determines that there is a foreseeable risk of identity theft."  It would have been helpful for the agencies to provide some examples or other more concrete information.  Hopefully the agencies will expand on the FAQ in the near future to address concerns of entities beyond financial institutions and perhaps provide more concrete guidance.

Links:

• Frequently Asked Questions: Identity Theft Red Flags and Address Discrepancies (.pdf), also available from the FTC here (.pdf)
• June 11, 2009 Joint Release: Agencies Issue Frequently Asked Questions on Identity Theft Rules

More recently, on May 12, the New York Court of Appeals (that state's highest court), ruled that placing a GPS tracking device inside the bumper of a suspect's car without a warrant, and using that device to monitor the suspect's movements for two months, violated the suspect's rights under the New York State Constitution.  The court's opinion in People v. Weaver can be found here. 

The New York court was even more concerned.  It ruled that under the New York State Constitution, the New York defendant had a reasonable expectation of privacy that was infringed by the placement of the GPS device on his car and the use of that device to monitor his movements for two months.  As such, there had been a search under the New York Constitution, and that the search was illegal because it was conducted without a warrant (or justification to excuse the lack of a warrant).

The use of GPS devices to monitor suspect's movements is bound to become a hot-button issue over the next few years.  Both the New York and Wisconsin courts expressed great concern about the threat to privacy posed by the rapid progression in monitoring technology.  Moreover, the last  Supreme Court decision to substantively address a similar issue was over 25 years ago, in, U.S. v. Knotts, 460 U.S. 276 (1983).  In Knotts, the Court upheld the surreptitious installation of a beeper tracking device (a radio transmitter emitting periodic signals to enable tracking in a container of chloroform).  This was because "a person traveling in automobiles on public thoroughfares has no reasonable expectation of privacy in his movements from one place to another."  The New York state court in Weaver noted that the amount of information that could be gathered from by a GPS device is much greater than a beeper in 1983 and so court may reach different results in teh future based on the technology at issue.  

Links:

• May 7, 2009 Chicago Tribune article by Ryan J. Foley: "Wisconsin court upholds GPS tracking by police";
• The Wisconsin court's opinion in State v. Sveum;
• May 12, 2009 Wisconsin Law Journal article by David Ziemer: "Fourth Amendment is not implicated by tracking"
• New York Court of Appeals' opinion in People v. Weaver.

The case is being brought as a class action under the Video Privacy Protection Act, 18 U.S.C. s. 2710, which was enacted after a newspaper published a list of 146 video tapes rented by the family of Supreme Court judge nominee Robert Bork.  According to the court's opinion, Blockbuster entered into an agreement with Facebook which caused the movie rental choices of Blockbuster Online's customers to be sent to Facebook, which would then broadcast those choices to the customer's Facebook friends.  Plaintiffs claimed this violates that Video Privacy Protection Act, which prohibits a videotape service provider from knowingly disclosing personally identifiable information concerning any customer of the provider unless the customer gives informed, written consent at the time the disclosure was sought (the Act provides for certain other exceptions not applicable to the case).  The Act provides for liquidated damages of $2,500.00 for each violation. 

According to the Plaintiffs' complaint, when a Blockbuster Online customer rented a movie or placed a movie into their queue, a notification would pop up in the bottom right hand corner of the screen informing the customer that the information would be sent to the user's Facebook friends.  The customers were allegedly given an opportunity to prevent friends from seeing the information by marking an "x no thanks box," but if they did not respond quickly enough, the pop up went away and a "yes" was sent to Facebook.  The customer's selection was then placed in the customer's news feed on their Facebook profile and in their friends' news feeds, along with a picture of the individual and a Blockbuster ad.  The complaint also alleges that the summary is sent to a user's Facebook profile even before the user has a chance to decline the distribution of his/her personal information (unless the user has marked a privacy feature telling Blockbuster never to send summaries).

Blockbuster has appealed the court's decision to the U.S. Court of Appeals for the Fifth Circuit.  The issue of whether the case is subject to arbitration is a narrow one that has little, if anything, to do with the actual merits.  What will be more interesting is to see how the case plays out if the Fifth Circuit affirms and the case moves forward in the district court.

Links

• Dallas Business Journal, April 22, 2009, "Privacy suit against Blockbuster survives"
• April 15, 2008 Memorandum Opinion Denying Defendant's Motion to Compel Arbitration (.pdf)
• Plaintiffs' Amended Complaint (filed June 3, 2008) (.pdf)
• Text of the Video Privacy Protection Act

It is worth noting that the study's methodology has been subject to some criticism.  According to the article, Deven McGraw, director of the health privacy project at the Center for Democracy and Technology, said that "the study was based on old data and didn't consider all of the factors that a health care organization would typically look at when deciding whether to adopt an EMR system."  Instead, according to McGraw, the study "looked at whether a state has a medical privacy law and then looked at EMR adoption in that state to draw its conclusions."  Deborah Peel, chair of the Patient Privacy Rights Foundation in Austin, Texas, also criticized the studies conclusions.

Links:

• April 14, 2009 Computerworld article by Jaikumar Vijayan: "Privacy rules hamper adoption of electronic medical records, study says"
• Link to page where the study, "Privacy Protection and Technology Diffusion: The Case of Electronic Medical Records" can be downloaded (Note: you must pay to download the study)

Evidently, there have been a growing number of intrusions over the past year, most of which were detected by intelligence agencies and not the companies actually in charge of the infrastructure.  According to officials, the software left behind "could be used to destroy infrastructure components," and "water, sewage and other infrastructure systems were at risk."  These same officials cautioned, however, that "the motivation of the cyberspies wasn't well understood, and they don't see an immediate danger."

The Journal also notes that "protecting the electrical grid and other infrastructure is a key part of the Obama's administration cybersecurity review, which is to be completed next week" (Aaron Wright's post on this blog regarding the review can be found here).  One also wonders if news of this breach will increase momentum for a cybersecurity bill recently introduced in the Senate (see my post here).  That bill would give the President power to limit or shut down Internet traffic to and from any federal government or United States infrastructure network (which would presumably include the electricity grid) and would also require that infrastructure companies meet new security standards.

Links:

• Wall Street Journal Article: "Electricity Grid in U.S. Penetrated by Spies"

Whether the legislation has any chance of passing remains to be seen.  However, some groups are already criticizing aspects of the legislation.  The President of the Center for Democracy and Technology, for example, has stated "[t]he cybersecurity threat is real, but such a drastic federal intervention in private communications technology and networks could harm both security and privacy."  The bills have been referred to the Committee on Homeland Security and Government Affairs.

Links:

• A draft of S.778 (.pdf)
• A draft of S.773 (.pdf) 
• The CDT's post on the legislation can be found here.
• April 6, 2009 Computerworld Article: "Yet Another Government Attempt At Cybersecurity"

• require intelligence and Homeland Security officials to perform vulnerability assessments;
• create a clearinghouse for information sharing between the government and private sector; and
• fund scholarships for those interested in cybersecurity.

The proposed legislation follows on the heels of three incidents where computers in Senator Nelson's office were hacked .  The current draft legislation contains provisions similar to those recommended by the Commission on Cybersecurity for the 44th Presidency, which released a report in December 2008.

Links:

• The post on Senator Nelson's website can be found here.
• The March 23, 2009 CNET News article, "A bill to shift cybersecurity to the White House" can be found here.
• The December 2008 report from the Commission on Cybersecurity for the 44th Presidency is available here.

As I posted back in early February, another recent report, this one from McAfee, concluded that the shrinking economy and growing ranks of unemployed were increasing incentives for insiders to steal confidential information.  The Ponemon report seems to bear this out.

What's troubling is that the Ponemon report found that only "15% of respondents' companies review or perform an audit of the paper and/or electronic documents employees are taking.  If they conduct a review, 45% say it was not complete and 29% say it was superficial."  According to the McAfee report, however, 68% of the senior IT decision-makers surveyed cited insider threats as the top threat to essential information.  Taking these two reports together, it appears that companies understand that their (and their customers') confidential information is vulnerable to insider threats, yet they are not taking the necessary steps to secure that information from departing employees.  In this current climate, where data breaches are expanding (both in terms of numbers and size), it is imperative for companies to adopt and implement comprehensive approaches to ensure the security of proprietary information accessible to a departing employee and to minimize the accessibility of such information.

Links:

• The Washington Post Article "Data Theft Common by Departing Employees" can be found here.
• The cnn.com article can be found here.
• The Ponemon report is available for download here (requires registration). 
• The post on the Ponemon report at the Massachusetts Noncompete Law Blog can be found here.

It may disappointing for some to hear that the CPLF is no longer primarily committed to drafting a federal privacy framework. For others this may be good news, given the natural resistance to imposing new regulatory obligations during a time of economic crisis.  As businesses struggle with the patchwork of laws being crafted by the states to address information security concerns, we are curious to see the proposed legislation that would emerge from a sophisticated industry group like the CPLF.  In any event, it will certainly be interesting to see what the forum presents at the IAPP conference in the comming weeks.

Links:

•  BNA Privacy & Security Law Report: 8 PVLR 331:
• CPLF Statement of Support of Comprehensive Consumer Privacy Legislation
• The IAPP website and the website of the IAPP's March 2009 Privacy Summit is available here