On April 15, 2009, a federal district court issued a decision that keeps alive a woman’s suit "against Blockbuster and the way it offers information to the social networking site Facebook." This was reported in the Dallas Business Journal. In the ruling (.pdf), the court denied Blockbuster’s motion to compel arbitration by holding that an arbitration clause in the "Terms and Conditions" of Blockbuster Online was unenforceable.
Monthly Archives: April 2009
With swine flu on everybody’s mind right now (even leading President Obama’s news conference this evening), employers and employees should understand what questions can be asked and what information can be obtained from employees in the midst of apparent pandemic. At the federal government’s pandemic flu website, the basic rules are set out. In general, during a pandemic, employers may require employees to disclose whether they have been exposed to pandemic influenza. … More
A recent article from Computerworld reports that, according to a new study conducted by researchers from MIT and the University of Virginia, "EMR [Electronic Medical Record] adoption is often slowest in states with strong regulations for safeguarding the privacy of medical records." According to the study, in states with "strong privacy laws", the number of hospitals using EMR systems is up to 30% lower than in states with "less stringent privacy requirements." … More
Security, Privacy, and The Law recently had the chance to sit down with Dr. M. Eric Johnson to talk about his recent paper “Data Hemorrhages in the Health-Care Sector.” Dr. Johnson’s study has been in the news lately because many were startled by his finding that a great deal of patient healthcare information is available on peer-to-peer (P2P) file sharing networks. We are thrilled that Dr. Johnson agreed to do a interview with Security, Privacy, and The Law and we will be posting the full interview with Dr. Johnson in several parts.
Coming on the heels of recent cyberespionage news, the Wall Street Journal reported today on Pentagon plans to create a new military command focused on cyberwarfare. The new command will coordinate both offensive and defensive cyberwarfare efforts, focusing, in the latter case, on assisting the National Security Agency (NSA) and the Department of Homeland Security’s National Cyber Security Division (NCSD), the lead agency for domestic cybersecurity efforts.… More
Today, the Supreme Court heard oral arguments in Safford Unified School v. Redding, a dispute concerning the propriety of a school-ordered a strip-search of a 13-year-old student who was believed to be in possession of prescription strength ibuprofen in violation of the school’s zero-tolerance drug policy. The case has received a good deal of media coverage (see the New York Times article for an example) because the facts are attention grabbing. … More
Cracking Down: FTC Fines Credit Research Firm $500,000 For Lax Security, Obtains Court Order Requiring Company to Develop “Comprehensive Information Security Program”
On Thursday, March 5, 2009, the FTC announced that it had reached a settlement with financial research firm Rental Research Services, Inc. (RRS) and its managing officer, Lee Mikkelson, to resolve the FTC’s claims that the firm had failed to provide adequate security for sensitive consumer information provided to identity thieves posing as legitimate users. This case provides a number of key lessons for businesses who have not considered whether their security practices amount to “unfair or deceptive acts or practices” under federal and state laws.
In February, Senator John Cornyn (R-Tx.) and Congressman Lamar Smith (R-Tx.) introduced the Internet Stopping Adults Facilitating the Exploitation of Today’s Youth ("SAFETY") Act of 2009 (S. 436, H.R. 1076), which contains a proivision that would require Internet Service Providers (ISPs) to keep subscriber data for "at least" two years. Specifically, Section 5 of the bill requires that ISPs retain "all records or other information pertaining to the identity of a user of a temporarily assigned network address."… More
According to a recent report from the Wall Street Journal, cyberspies from China, Russia and other countries have penetrated into the U.S. electrical grid and left behind software that could disrupt the system. According to officials, the spies have not actually damaged the grid or any other key infrastructure, but appear to have been attempting to navigate the electrical system. More importantly, the intruders could attempt to damage the system during a war or other national security crisis.… More
In an April 2009 press release (.pdf), the Public Access to Court Electronic Records system (“PACER") announced that 99% of all federal courts nationwide have implemented electronic systems allowing litigants to file and review documents online. The near-complete implementation of these online systems marks an important technological and environmental milestone for the legal profession; however, it comes with considerable risks to individuals’ privacy and security: potentially limitless filings that inadvertently contain individuals’… More
As I noted a few weeks ago, Senators Jay Rockefeller (D-W.Va.), Olympia Snowe (R-Maine) and Bill Nelson (D-Fla.) were drafting new cybersecurity legislation. Last week the Senators introduced two bills. The first, S.778 (text of the bill not yet available), would establish an Office of National Security Advisor within the Executive Office of the President. The second, S.773 (text of the bill not yet available), entitled the Cybersecurity Act of 2009, gives the President the power to limit or shut down Internet traffic to and from any federal government or United States infrastructure network. … More
On March 5, 2005, the Article 29 Working Party, an independent European advisory body on data protection and privacy, adopted Opinion 3/2009 (.pdf). The opinion comments on European Commission proposals designed to ensure that all data processors, including contractors hired by other data processors, are contractually required to protect sensitive data.
The Wall Street Journal reported on Wednesday, March 18, 2009 that, worried about the dangers of attacks launched against the nation’s computer systems, the federal government is likely to spend between $15 and $30 billion on cybersecurity in the next five years. The intelligence experts interviewed by the Journal estimate that U.S. losses from data breaches to be in the billions of dollars annually and that future attacks could cause physical harm or serious financial chaos. … More
FTC Launches New Website and “How-To” Guide for Companies Wondering How to Comply with Red Flags Rules
As the May 1, 2009 deadline for compliance with federal Red Flags Rules nears, the FTC’s staff has informally mentioned that helpful guidance would be forthcoming. As of today, the FTC has launched a new website and a series of materials to assist businesses pushing to meet the May 1st deadline.
First the Bad News, Your Doctor’s Lost His License; Now the Really Bad News: No One’s Taking Care of Your Records
As outlined in April 2’s Boston Globe, a Massachusetts physician who lost his license to practice is still causing problems for his patients. He left his office and records, and now his patient records are about to be destroyed unless the patients come to claim them. The state authorities claim they don’t have the resources to maintain the records, or to help find the patients. The auction company just wants them gone.… More
It seems an inevitable consequence of modern celebrity: when you go to the hospital, hospital workers will look at your records (even though they have no medical reason to). The latest example of this involved the infamous mother of octuplets, Nadya Suleman. It resulted in the firing of 15 hospital workers at Kaiser Permanente’s hospital in Bellflower, California. All these violations have been reported by Kaiser to the California Department of Public Health. … More