Monthly Archives: March 2009

The saga of Yankee superstar Alex Rodriguez (“A-Rod”) and the revelation of his past steroid use already exemplifies the far-reaching implications of information security practices. But the story is far from over. While the media firestorm over A-Rod appears to be dying down, the fate of the identities of 103 other Major League Baseball players who tested positive for steroid use in 2003 remains undecided. And the outcome of a motion now before the United States Court of Appeals for the Ninth Circuit may affect not only those 103 baseball players,… More

As state data breach reporting regimes develop, we are going to be seeing more reporting of breaches to law enforcement authorities. If you want to see what this abstract concept of “reporting” looks like (and how your own reports might be listed for the public to see), go to the web site of the New Hampshire Attorney General. On that site, you can read about 20 New Hampshire breaches that have been reported thus far in 2009 for that modestly sized state. And if you want to get a feel for the national scope of data breaches,… More

Dwayne F. Cross, the second of three people who have plead guilty to illegally accessing then Presidential Candidate Barack Obama’s passport files was sentenced to 12 months probation and 100 hours of community service on Monday. Mr. Cross admitted to accessing State Department passport records involving over 150 individuals, including celebrities, family members, and personal acquaintances, out of “idle curiosity”. These files contained a wealth of personal information including social security numbers,… More

On Tuesday, March 24, 2009, FTC Chairman Jon Liebowitz testified before the U.S. House Subcommittee on Commerce, Trade and Consumer Protection seeking enhanced legal powers “[t]o allow the FTC to perform a greater and more effective role in protecting consumers.”

Senators Jay Rockefeller (D-W.Va.), Chairman of the Senate Commerce, Science and Transportation Committee, Olympia Snowe (R-Maine) and Bill Nelson (D-Fla.) are drafting cybersecurity legislation that would establish a permanent national security czar reporting directly to the White House, according to a recent announcement from Senator Nelson and other reports.  The proposed legislation would also

• require intelligence and Homeland Security officials to perform vulnerability assessments;…

More

In a recent letter (.pdf) to the healthcare industry, the Federal Trade Commission (“FTC”) has issued its clearest pronouncement yet on which entities must comply with federal “Red Flag Rules” — the identity theft regulations that will go into effect for many businesses on May 1, 2009 (and have been in effect for banks and financial institutions since November 1, 2008). This latest guidance strongly suggests that if you are wondering whether the new federal regulations apply to you — then they probably do. In this post, we will recap the FTC’s recent guidance on who should be complying with the Rules.

As discussed by Mike Rosen on Foley Hoag’s Noncompete Blog here, and reported by the Washington Post and CNN, a recently released report by Symantec Corp. and the Ponemon Institute (which can be found here) revealed that 59% of ex-employees who leave their employment are stealing company information, and 67% of those who admitted to stealing company information also admitted that they used that information to leverage a new job.… More

For all their problems, Veterans Affairs medical centers across the country are at the vanguard of the implementation of electronic health records. As such, there is a lot to learn from the problems that the VA system has experienced in this area. According to an article in the March 4, 2009 Journal of the American Medical Association, the problems experienced by the VA include mixed-up patient names and missing medication orders. These types of problems are probably endemic in any EHR system.… More

On Wednesday, February 11, 2009, the Data Protection Working Party, an independent European advisory body on data protection and privacy, released its Working Document 1-2009 (.pdf) on pre-trial discovery for cross border civil litigation.  The Working Document attempts to reconcile the tension between U.S. discovery rules and the European Union’s Directive 95/46/EC (.pdf), which outlines the EU’s privacy requirements.  What follows is a summary of the Working Document and an analysis of how it begins to bridge the gap between U.S.… More

On Thursday, March 5, 2009, Congresswoman Mary Bono Mack (R-CA), Congressman John Barrow (D-GA) and Congressman Joe Barton (R-TX) introduced the Informed P2P User Act (H.R. 1319) which requires peer-to-peer ("P2P") software makers to make certain changes to their software to prevent users from inadvertently sharing files from their computers.  The proposed law would require both "clear and conspicuous notice" of what files the P2P software would being sharing and "informed consent"… More

Between March 11, 2009 and March 13, 2009, the International Association of Privacy Professionals (IAPP) hosted a Privacy Summit in Washington, D.C. that featured keynote presentations from fraud expert Frank W. Abagnale and information security guru Bruce Schneier. The three-day event included dozens of breakout sessions with industry experts and government officials.  Read some of the highlights below. More

On Monday the Department of Justice released a previously classified opinion entitled “Authority for Use of Military Force To Combat Terrorist Activities Within the United States” (.pdf), which concluded, among other things, that “the Fourth Amendment [of the U.S. Constitution] does not apply to domestic military operations designed to deter and prevent further terrorist attacks.” This may come as a shock to some because the Fourth Amendment expressly prohibits the government from searching or seizing individuals or their property absent a warrant and probable cause,… More

In early February, I noted that a group called the Consumer Privacy Legislative Forum (“CPLF”), which includes companies such as eBay, Microsoft, Google and Hewlett Packard, had released a statement calling for comprehensive harmonized federal privacy legislation and would be outlining recommendations for such legislation this month. Apparently, the CPLF’s focus has shifted. According to a BNA Privacy & Security Law Report, 8 PVLR 331, the CPLF “has decided to abandon efforts to develop a set of principles for omnibus U.S.… More

On Tuesday, February 24, 2009, the Federal Communications Commission (FCC) issued an Omnibus Notice of Apparent Liability alleging that more than 600 telecommunications carriers have violated Section 222 of the Communications Act which "imposes the general duty on all telecommunications carriers to protect the confidentiality of their subscribers’ proprietary information" and the EPIC Customer Proprietary Network Information (CPNI) Order (22 FCC Rcd 6927), which requires each carrier to certify compliance with the regulations governing customer information. … More

This settlement is particularly interesting, given that it appears to stem from a voluntary disclosure, without any prejudice to any of the physicians whose information was disclosed.  Despite those mitigating factors, the disclosure still resulted in a six-figure penalty. As such, this is another suggestion that the days of soft enforcement of health-related information confidentiality are over.

The Queen’s Medical Center (“QMC”) of Hawaii recently agreed to pay $150,500 in civil money penalties for allegedly violating the confidentiality requirements applicable to National Practitioner Data Bank (“NPDB”) information.… More