Our colleagues have reminded us that on March 1, 2012, the contract grandfathering provisions of the Massachusetts Data Security Law and Regulations will expire:
by Catherine M. Anderson, Jeffrey D. Collins
As we previously noted in our Foley Adviser dated February 3, 2010, “New Massachusetts Data Security Law and Regulations-Comprehensive Information Security Plan required before March 1,… More
A decision in Tyler v. Michaels Stores earlier this month from the United States District Court for the District of Massachusetts, the use of a consumer’s Zip Code to find her address and send her mailings was held to be a statutory violation, but did not give rise to a claim for damages.
Melissa Tyler brought suit against Michaels Stores for violation of Massachusetts General Laws,… More
Here is an excerpt from my interview yesterday with Jon Mitchell of ReadWriteWeb:
"From a legal perspective, I’m not seeing anything that’s much different in what’s being proposed to take effect on March 1 and what’s in place right now," Zick says. "In particular, the language about sharing across services has been in [Google’s policies] for a long time."
Zick points out that all the past versions of Google’s privacy policies are on the website,… More
As many of you have probably seen already, Google is changing its privacy policies, effective March 1, 2012. These changes will be effective across all of Google’s platforms, and users will not be able to opt out. A user’s only choice to avoid these changes will be to leave Google’s search engine, Gmail, Calendar, Search, and YouTube; there is no "opt out" or selective acceptance/rejection of these new policies. … More
An Atlanta, Georgia man was sentenced earlier this month to one year and one month in prison for intentionally accessing a computer of a competing medical practice, and taking personal information of the patients. The individual made this improper access in order to send marketing materials to patients at the other practice.
The individual worked as an information technology specialist for a perinatal medical practice in Atlanta. He separated from employment from the first practice and joined a competing perinatal medical practice, located in the same building. He then used his home computer to hack into his former employer’s patient database. … More
The Supreme Court today issued an opinion holding that police cannot track a suspect using GPS without first getting a warrant.
Justice Scalia wrote the opinion, for a unanimous court, and concluded: “We hold that the Government’s installation of a GPS device on a target’s vehicle, and its use of that device to monitor the vehicle’s movements, constitutes a ‘search.’ It is important to be clear about what occurred in this case: The Government physically occupied private property for the purpose of obtaining information.”… More
In its recent Annual Report to Congress on Breaches of Unsecured Protected Health Information, the Office of Civil Rights of the Department of Health and Human Services, we see confirmation of certain trends– bigger breaches and breaches involving theft of electronic media:
Between January 1, 2010 and December 31, 2010, breaches involving 500 or more individuals also made up less than one percent of reports,… More
This report from the Office of the Inspector General for the Department of Health and Human Services reveals significant holes in Medicare contractor security. Here’s a notable excerpt:
Security Awareness Training
The Computer Security Act of 1987 (P.L. No. 100-235) requires periodic training in computer security awareness and accepted computer practices for all employees who manage, use, or operate Federal computer systems. Additionally,… More
Interesting Wall Street Journal article about rival banks joining forces to beat cyber crime. Sounds a lot like the Advanced Cyber Security Center. More
As we noted back in October, the SEC issued CF Disclosure Guidance: Topic No. 2: Cybersecurity.
This guidance provides the Division of Corporation Finance’s views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.
The most recent issue of Inside Counsel follows up on the latest views on this Guidance, including a quote from me.… More
My colleagues Jen Audeh and Jeff Collins have analyzed the SEC’s guidance on the use of social media by investment advisors. Because of the overlap this issue has with data privacy and security, we are providing this except and a link to their summary:
On January 4, 2012 the SEC’s Office of Compliance Inspections and Examinations issued an exam alert to registered investment advisers which included guidance on the use of social media.… More
Until yesterday, I did not know there was a Congressional Cyber Security Caucus. It is not clear what it has been up to, as it hasn’t had a media release in eleven months. More
My overview of some of the major issues involved in signing a cloud computing agreement can be found in searchcloudcomputing, "Performing Due Diligence Before Signing a Cloud SLA."
* * *
No one is certain of all the legal risks associated with enterprises storing confidential or proprietary information outside the corporate firewall — in the cloud. However, there is growing consensus about what companies should ask cloud vendors to maintain a secure IT environment and avoid potential legal risks associated with the cloud. … More