Tuesday, December 22, 2009

Data Security Roundtable

Here is a link to a couple of segments of a data security roundtable I participated in not long ago:
http://www.businesswire.com/portal/site/home/permalink/?ndmViewId=news_view&newsId=20091222005345&newsLang=en

Some very interesting discussions with folks who are on the cutting edge of data security. I'll post the other segments as they are released.

Monday, December 21, 2009

The real cost of data breaches - Heartland to pay Amex $3.5 million

According to its 8-K filing with the Securities and Exchange Commission (SEC), Heartland Payment Systems Inc. has agreed to pay American Express Travel Related Services Co. Inc. just over $3.5 million to settle any claims arising out of a massive payment card data breach.

This settlement is likely to be only the first over the compromise of tens of millions of debit and credit card accounts by malicious software planted on Heartland's computers that the Princeton, N.J.-based payment card processor revealed in January of this year.

On November 12, Heartland filed a Form 8-K with the SEC, stating that it had doubled from $35.6 million to $73.3 million its anticipated breach expenses for 2009, because it expected to settle litigation related to the breach.

Heartland faced a total of 17 consumer class actions and 10 bank and credit union class actions related to the breach, which were consolidated in the U.S. District Court for the Southern District of Texas. According to the Form 8-K filing, the newly announced settlement agreement would release Heartland from any claims raised by AmEx or its issuing banks. The filing did not indicate whether the settlement is subject to court approval and did not include a copy of the agreement.

Wednesday, December 16, 2009

More Detail on Quon Case

My colleague, Martha Zackin, has published a more extensive discussion of the issues before the U.S. Supreme Court in the Quon case --

ELB Law Information: Supreme Court to Hear Case re Employer's Access to Employee's Text Messages

Tuesday, December 15, 2009

Supreme Court will review some issues in Quon Case, denied review to other issues

Some additional information on yesterday's post regarding the Supreme Court's decision to hear the Quon case. The high Court agreed to hear some, but not all of the issues presented by the Ninth Circuit decision in the case.

The Court will consider whether a police sergeant assigned to a SWAT team had a reasonable expectation of privacy under the Fourth Amendment in text messages transmitted on a department-issued pager and stored by an outside service provider, even in the face of the City of Ontario's "general practice" of non-monitoring of such communications. The Court denied review (known as "certiorari") to questions of whether the surrender to the city in the first instance by Arch Wireless (the service provider) of those messages violated the Stored Communications Act.

The questions for review are limited, then, to three:

• Does a SWAT team member have a reasonable expectation of privacy in text messages transmitted on his SWAT pager, when the police department has an official no-privacy policy but a non-policymaking lieutenant announced an informal policy of allowing some personal use of pagers?

• Did the Ninth Circuit contravene Fourth Amendment precedents and create circuit conflict by analyzing whether the police department could have used 'less intrusive methods' of reviewing text messages transmitted by the SWAT team member on his SWAT pager?

• Do individuals who send text messages to a SWAT team member's SWAT pager have a reasonable expectation that their messages will be free from review by the recipient's government employer?

Monday, December 14, 2009

Good data protection sense from the Brits

The UK's Information Commissioner's Office (ICO) has done what the Federal Trade Commission should do -- produced a no-nonsense Guide to Data Protection. This Guide is intended to provide small and medium-sized enterprises with practical advice about the UK's Data Protection Act and takes a straightforward look at the data protection principles, using practical, business-based examples. It allows users to choose whether they need very basic or more detailed compliance advice, depending on their needs.

Stephen Alambritis, Head of Public Affairs at the Federation of Small Businesses, said: “Small businesses do not have time for pages and pages of jargon and gobbledegook, but getting data protection right makes good business sense. Data protection lapses cost reputations and can affect the bottom line. But, many organisations tell us that data protection law is difficult to understand. This new no-nonsense guide will help the business community to understand and comply with the law.”

This Guide will also be helpful for non-UK companies seeking to understand their data protection obligations when doing business in the UK with the data of UK citizens. Clear, straightforward and unambiguous. Makes sense.

Supreme Court To Decide Privacy of Employee Texts

U.S. Supreme Court this morning decided to hear a case on the privacy of employee text messages sent on employer-provided devices, reports the Washington Post (see below).

The case--City of Ontario v. Quon--could have profound implications on employee privacy rights, according to a Baltimore Sun report. It involves an Ontario, California police officer who sent sexually explicit messages to another officer using the department-issued device. The messages were discovered during an audit, and a lawsuit claiming privacy violations followed. California's Ninth Circuit Court of Appeals ruled in favor of the sender of the messages, but dissent by a number of judges prompted an appeal to the Supreme Court.

9th Circuit Opinion:
Quon v. Arch Wireless (9th Circuit)

Additional reports:
Washington Post
The Curmudgeon's Comments - City of Ontario v. Quon — USSC
Pittsburgh Tribune-Review

Tuesday, December 8, 2009

National Public Radio 3-part special series on privacy

These are from October, but if you missed them, they are worth a look (or downloading the podcasts) --

Part 1: Online Data Present a Privacy Minefield

Part 2: Is Your Facebook Profile as Private as You Think?

Part 3: Digital Bread Crumbs: Following Your Cell Phone Trail

Holiday Privacy Watch: Take care before you donate that cell phone

During the holiday season, many organizations are soliciting donations of old cell phones to be repurposed. This is an excellent way to "reuse, reduce, and recycle" and puts those useless (to you) items to use in a positive way, but please remember -- important and private data reside in your cell phone's internal memory, even if your phone has a removable SIM card. PINs, passwords and other critical information are often stored in a cell phone's memory. The more mobile apps you use, the more important it is for you to ensure that you wipe the cell phone's internal memory before donating, trading in or selling it.

Some tips -
1) Don't forget to remove the SIM card!
2) Call logs, photos, memos, and other information might reside in the phone's internal memory, and are often difficult to delete if you rely on the phone's manual (and who keeps those, anyway??). The folks at ReCellular - a cell phone recycling service - have a great solution called The Cell Phone Data Eraser. It lets you choose the brand and model number of your phone, and then displays the precise commands you need to delete every piece of data from it. The ReCellular website is http://www.recellular.com/recycling/data_eraser/default.asp. If you can't find the info you need here, most cell phone manuals are available online at the manufacturer website for download.

If you think you can circumvent the privacy threat by sending your phone back to your service provider, you could be mistaken. According to one report, a Cingular customer who received a refurbished phone as a replacement for one that malfunctioned found the new phone was filled with the previous owner's private data, including account numbers, user names, and passwords. In December, an old BlackBerry sold at a McCain campaign garage sale for 20 dollars was found to be preloaded with a mountain of Republican donor information, emails, and more.

Don't let this discourage you from turning those paperweights back into useable technology for folks who need it -- just take some extra time to protect your personal information.

Happy Holidays!

Monday, December 7, 2009

House scheduled to act today on several privacy bills

The House is scheduled to vote on HR 1319, The Informed P2P User Act, and HR 2221, The Data Accountability and Trust Act, tomorrow under suspension of the rules. We will monitor the debate and keep you updated on its passage.

Federal Trade Commission hosts privacy roundtable today

The FTC kicks off the first in a series of "roundtable" discussions to explore privacy challenges posed by 21st century technology and business practices that collect and use consumer data. Today's roundtable is being held in Washington, DC, and will focus on data collection, use and retention, consumer expectations of privacy, online behavioral advertising, information brokers and a discussion surrounding existing regulatory frameworks.

The event is being streamed live at the FTC website.

Live Webcast here

Friday, December 4, 2009

Privacy and Security Bits and Bytes

The Most Wonderful Time of the Year -- It's time for the annual "top ten" lists. Information Security Resources has posted an article that is eye-opening reading with respect to data breaches in 2009. Ten Most Damaging Data Breaches of 2009

U.S. to Join Fingerprint Sharing -- CBC News - Canada reports that the U.S. will join Canada, Australia and Britain in sharing fingerprints and other data to help authorities discern people's true identities in cracking down on asylum shopping and unlawful immigration.

Another site thinks "Privacy Matters" --
The Interactive Advertising Bureau yesterday launched an online campaign aimed at educating consumers about targeted advertising. On its website, IAB Privacy Matters, the IAB describes how marketers collect and use information about users' Web activities. IAB Senior Vice President David Doty said the site describes "in plain English" how online advertising works and includes guidance on how users can adjust their settings to control their information. The site is part of a broader effort among ad industry trade groups to head off potential regulation, the report states.

Facebook Changing -- Again -- Facebook will roll out new privacy controls in the coming weeks, reports itnews. The new options will let users control who sees their posts on a per-post basis. In an open letter to users, CEO Mark Zuckerberg said: "We're adding something that many of you have asked for--the ability to control who sees each individual piece of content you create or upload." The company will also roll out a simplified privacy settings page with a "walk-through" option where users can get recommendations from Facebook. In addition, the company will shutter its regional networks.

Thursday, December 3, 2009

Court issues written opinion explaining decision regarding applicability of Red Flags Rule to attorneys

As we first blogged here, hours before the last Red Flags enforcement deadline, a federal court judge in the D.C. Circuit ruled from the bench that attorneys would not be subject to the Red Flags Rule. Judge Walton's written opinion was released on December 1, 2009, and provides clarification of his comments from the bench. Click here for the opinion. Walton found the Federal Trade Commission overreached when it tried to define lawyers as "creditors". Walton wrote, "The Court is confident in concluding that the term attorney-client is nuanced enough that if Congress, which is comprised of many members who are themselves attorneys, intended to regulate attorneys and their invoiced billing practices it would have used the appropriate terminology to denote that intent and not hidden it in a statute expressly targeted at the credit industry." Judge Walton further noted, "Attorneys are already obligated to conduct themselves in a manner that promotes the objectives of the Red Flags Rule, and the Commission's position that its regulation is needed to protect third-parties against identity theft is just not the case."

On October 31, the FTC extended the Red Flags enforcement deadline for the fourth time to June 1, 2010.

Related Link:
Privacy and Security Information - Privacy MATTERS: Happy Halloween - No Red Flags Enforcement Until June 1, 2010.........

Friday, November 13, 2009

Breakfast and social media policies

Related to the last post -- is your company working on its social media employee policy? If not, you should be. If you happen to be in Boston, Mintz Levin is hosting a breakfast briefing on social media in the workplace next week.

Register here

Some startling statistics regarding social networking issues in the workplace......

You might be surprised to know that social networking policies, governing employee use of blogging, Facebook, Twitter and the like, are still a rarity at many businesses, including teaching hospitals. And, you might be equally surprised to hear that studies are revealing that medical students are displaying cavalier attitudes towards the protection of patient confidentiality.

The Journal of the American Medical Association published the results of an eye-popping study in the September issue. In response to a survey conducted by the Health Care Compliance Association (HCCA) and the Society of Corporate Compliance and Ethics (SCCE), only 38 percent of survey respondents said that they have policies to cover online conduct. The “status update” features of social media platforms encourage people to record what they’re working on or who they are meeting with -- jeopardizing personal information and confidentiality.

Related Links

Mintz Levin Client Alert - HCCA/SCCE Survey
Social media behavior could threaten your reputation, job prospects :: Oct. 12, 2009 ... American Medical News
Medical students using Facebook and Twitter can get expelled

Thursday, November 12, 2009

Massachusetts Attorney General proposes privacy regulations to apply to her office

Written by Cynthia and Elissa

An oft-cited criticism of the Massachusetts data security regulations (201 CMR 17.00), effective March 1, 2010, is that the regulations specifically do not apply to government entities -- the only reason being that the Office of Consumer Affairs and Business Regulation does not have the authority or jurisdiction to enact regulations over governmental entities in Massachusetts.

One agency is seeking to correct that. The Massachusetts Office of the Attorney General has released draft privacy regulations to apply to the AG’s office, effective December 31, 2009. The regulations mirror the obligations imposed upon private business by 201 CMR 17.00.

This post would not be complete if we did not also take note of the fact that Attorney General Martha Coakley is a candidate for the U.S. Senate seat left vacant by the death of Senator Edward Kennedy.

Tuesday, November 10, 2009

Remember the school-days admonition that something might end up on your "permanent record"?

A Fordham Law School study found that state educational databases across the country have severely inadequate privacy protections for the nation's school children. The study, prepared by the Center on Law and Information Policy, reports that at least 32% of states warehouse children's social security numbers; at least 22% of states record student pregnancies; and at least 46% of the states track mental health, illness, and jail sentences as part of the children's educational records. Almost all states with known programs collect family wealth indicators.

According to the study, most states use third party vendors for at least part of their data collecting and reporting needs. Some states outsource the data processing without any restrictions on use or confidentiality for children's information. The Fordham study therefore recommended that states which outsource data processing have comprehensive agreements explicitly addressing the privacy obligations of the third party vendors. Furthermore, access to the information and the disclosure of personal data may occur for decades and follow children well into their adult lives. More than 80% of states fail to have data-retention policies and may retain the information indefinitely. Thus, the study recommended that states should limit data collection to necessary information and should have specific data retention policies and procedures.

The Fordham report also recommended that data at the state level be made anonymous, that the collection of information by the state be minimized and specifically tied to an articulated audit or evaluation purpose, and that states should have a Chief Privacy Officer in the department of education who monitors the privacy protections of educational record databases and who publicly reports privacy impact assessments.

Study Website:
http://law.fordham.edu/childrensprivacy

Monday, November 9, 2009

When employee handbooks don't tell the whole story.....

Written by Cynthia and Jennifer

The discussion of employer access to employee emails in our September 21 blog entry continues with another appellate court decision about workplace privacy rights.

In Stengart v. Loving Care Agency, Inc., the court completely rejected an employer's attempt to rely upon an email policy to gain access to an employee's confidential communications with her attorney conducted through the employer's email system. The court found that the employer could have no legitimate interest in reviewing an employee's private communications with her attorney, noting that "[p]roperty rights are no less offended when an employer examines documents stored on a computer as when an employer rifles through a folder containing an employee's private papers or reaches in and examines the contents of an employee's pockets; indeed, even when a legitimate business purpose could support such a search, we can envision no valid precept of property law that would convert the employer's interest in determining what is in those locations with a right to own the contents of the employee's folder of private papers or the contents of his pocket." The court went on to reject the notion that emails relating to an anticipated lawsuit against her employer were an illegitimate business use of the computer system: "the company had no greater interest in those communications than it would if it had engaged in the highly impermissible conduct of electronically eavesdropping on a conversation between plaintiff and her attorney while she was on a lunch break." Additionally, the court sanctioned the employer's law firm for not returning the emails to the employee as soon as the law firm became aware they were privileged communications.

This is a very interesting pro-employee decision but its lesson is clear: even email policies that notify employees that they are waiving certain privacy rights in the workplace do not give employers carte blanche to access or take ownership of all of those communications. Employers who access (intentionally or not) such information should promptly seek counsel before proceeding further.

Tuesday, November 3, 2009

Privacy Class Actions....Waiting for Hannaford

My colleague, Kevin McGinty, has penned an interesting analysis of the latest in the class action litigation arising out of the Hannaford supermarket chain data breach.

Specifically, Maine’s highest court is being asked to determine whether the law recognizes the time and effort payment cardholders spend trying to protect themselves after a data breach as a “substantial injury” for which they can be compensated. Kevin analyzes how the Maine Supreme Court's decision could affect the protections that zero-liability programs afford retailers involved in data breaches because consumers do not experience actual out-of-pocket damages.

Links:

Mintz Levin Privacy and Class Action Alert
Motion to Dismiss
Complaint

Friday, October 30, 2009

Happy Halloween - No Red Flags Enforcement Until June 1, 2010.........

Yet again, at the last minute, the Federal Trade Commission has announced that it is delaying enforcement of the Red Flags Rule. This time, the postponement is until June 1, 2010 and comes "[a]t the request of Congress."

This is the FOURTH time that the FTC has delayed "enforcement" of the controversial rules intended to detect and mitigate identity theft. It follows yesterday's federal court ruling that the Red Flags Rule does not apply to lawyers. It also follows on the heels of a 400-0 vote in favor of a House bill (H.R.3763) exempting certain small businesses from compliance with the Red Flags Rule.

As we have discussed in this blog on many occasions, the Red Flags Rule has been plagued with misunderstanding, controversy, and objections from the business community since its enactment in July of 2006. In the meantime, according to the FTC and other compilations of ID theft reports, nearly 25 million U.S. residents have reportedly been victims of identity theft. The regulatory effort is in danger of losing credibility.

Links:

Federal Trade Commission: www.ftc.gov/opa/2009/10/redflags.shtm
Privacy and Security MATTERS: www.privacyandsecuritymatters.blogspot.com/2009/10/changes-to-red-flag-rules-may-be-coming.html
Identity Theft Statistics: www.privacyrights.org/ar/idtheftsurveys

Thursday, October 29, 2009

BREAKING NEWS: Lawyers Need Not Implement Red Flag Program

Just before noon today, Judge Walton granted summary judgment from the bench in favor of the American Bar Association in the ABA lawsuit over application of the Red Flag Rules to the legal profession. We’ll post the decision as soon as it is available.

$1.8 Million Verdict in Pretexting Case

Written by Cynthia and Michael

A Cook County, Illinois jury recently awarded $1.8 million to Kathy Lawlor, who claimed that her former employer, North American Corp. of Illinois, violated her privacy rights by hiring a private investigator who fraudulently obtained her telephone records through the use of “pretexting” – or by pretending to be Lawlor herself. Some of you might be familiar with the concept of pretexting from the Hewlett Packard scandal in 2006 where HP’s Chairwoman directed independent security experts to investigate the source of an information leak. The security experts obtained the personal phone records of journalists and HP board members by pretexting – or by pretending to be them – and it ultimately allowed HP to determine the source of the leak. HP’s efforts caused an uproar, leading to criminal charges, a congressional investigation and the passage of state and federal laws prohibiting pretexting.

In the summer of 2005, prior to the HP scandal, North American terminated Ms. Lawlor’s employment because she would not agree to modify her salesperson commission agreement prior to landing the biggest account of her career. As a result, Ms. Lawlor sued North American seeking to recover certain commissions and for a judgment to lift her non-compete agreement. Ms. Lawlor did not know that at the time she sued North American, it had decided to hire a private investigator to investigate whether Ms. Lawlor was stealing its confidential information and clients, and that it had provided certain personal information about Ms. Lawlor to the private investigator, including her Social Security number and phone numbers. During its investigation, in addition to stationing individuals outside Ms. Lawlor’s home, the private investigator arranged for a third party vendor to obtain Ms. Lawlor’s personal phone records by pretexting. When Ms. Lawlor later discovered that North American was investigating her activities she added a claim for invasion of privacy to her lawsuit.

At trial, North American denied that it knew that its private investigator had engaged in pretexting, but the jury was unsympathetic and awarded Ms. Lawlor $1.8 million, most of it coming in the form of punitive damages. North American is contesting the jury’s decision, and the parties continue to litigate North American’s claim that Ms. Lawlor misappropriated its trade secrets, but this case should serve as a warning to employers considering whether and how to conduct investigations of their employees. The North American case confirms that any time an employer conducts an investigation into an employee’s activities it runs the risk of violating that employee’s rights and facing a resulting lawsuit. Employers must take steps to ensure that any investigation, whether conducted internally or through the use of third party investigators, does not utilize unlawful or otherwise inappropriate methods, including the use of pretexting, which is now prohibited by state and federal law.

Wednesday, October 21, 2009

Changes to the "Red Flag" Rules may be coming -- and so is the November 1 compliance deadline

By an overwhelming vote of 400-0, the U.S. House yesterday approved legislation that will exempt certain businesses from the Federal Trade Commission’s Red Flag Rules. As we have reported, the Red Flag Rules require a broadly-defined class of “creditors” to implement identity theft prevention programs by November 1st. Under H.R. 3763, health care, accounting, and legal practices with 20 or fewer employees will be excluded from the definition of “creditor.” The measure also requires the FTC to issue new regulations allowing any business -- regardless of size -- to apply for an exemption.

New Exemption Provision
Under the exemption provision, the bill allows any business to be exempted if the FTC determines that the organization knows all of its customers or clients individually, only performs services in or around the residences of its customers, or has not experienced incidents of identity theft and is part of an industry that rarely experiences the problem. The FTC will be required to issue regulations setting out the exemption process.

ABA Still Not Happy

The American Bar Association says the legislation does not go far enough and is demanding a full exemption for law firms. The ABA also continues asking a federal court to bar the FTC from enforcing the rules against attorneys. Besides the ABA, the FTC's broad interpretation of the creditor category has prompted objections from the American Medical Association and the AICPA.

It is unlikely that this legislation will be finalized by the current November 1st enforcement deadline, and it remains to be seen whether this will cause the FTC to announce another delay.

Wednesday, October 7, 2009

More on the real cost of the Heartland breach

Nearly 10 months after disclosing a months-long data breach that affected millions of consumers, the financial impact of the Heartland data breach continues to unfold. InformationWeek reports that Heartland stock prices plunged more than $500 million following the breach, and while shareholder value has rebounded, other breach related costs have thus far totaled $32 million, with numerous lawsuits against the company still pending.

When the "Safe Harbor" is Not So Safe

If your company transfers personal data cross-border and you participate in the Safe Harbor program, it’s time to check the status of your certification. For the second time in a month, the Federal Trade Commission has announced enforcement actions against companies under Safe Harbor, the international privacy framework that provides a means for U.S. companies to transfer data from the European Union to the United States in keeping with EU and U.S. law.

In September, the first ever Safe Harbor enforcement action was announced against a California company, Balls of Kryptonite, which had falsely represented that it had self-certified to the Safe Harbor program, when apparently it never had. Yesterday, the FTC continued the trend by announcing six separate enforcement actions in one fell swoop.

According to the six separate complaints, the companies deceptively claimed they held current certifications under the Safe Harbor framework, when in fact the companies had allowed those certifications to expire. Under the proposed settlement agreements, which are subject to public comment, the companies are prohibited from misrepresenting the extent to which they participate in any privacy, security, or other compliance program sponsored by a government or any third party. To participate in Safe Harbor, a company must self-certify annually to the Department of Commerce that it complies with a defined set of privacy principles. The proposed settlements do not include any monetary penalties nor any admission of guilt, but would require compliance monitoring for 20 years.

If you have put Safe Harbor (either compliance or certification) on the “back burner” because it appeared that the FTC was not enforcing the program, the time for change has come. You should check what representations are being made on public-facing websites and privacy policies regarding Safe Harbor certification and ensure that these representations are accurate and up-to-date. In the cases announced yesterday, the defendant companies had been certified, but had let those certifications lapse. The exhibits to the FTC’s complaints included pages from their websites (see links below), and their own words were used against them.

For more information:
To file a public comment in the FTC proceeding - http://www.ftc.gov/os/2009/10/sixcasespubliccomment.pdf and follow the instructions at that site.

FTC Complaints:
In the Matter of World Innovators, Inc.
In the Matter of ExpatEdge Partners, LLC
In the Matter of Onyx Graphics, Inc.
In the Matter of Directors Desk LLC
In the Matter of Progressive Gaitways LLC
In the Matter of Collectify LLC

Safe Harbor List
To check the status of your company’s Safe Harbor certification - Safe Harbor List

Tuesday, October 6, 2009

Vets Data At Risk? Again?

Wired.com reports on a possible breach at -- of all places -- the National Archives and Records Administration (NARA) that, if verified, could affect tens of millions of records about U.S. military veterans. It appears that it may involve an issue that I call “Data Security 101” -- the failure of a contractor to wipe clean a defective hard drive returned to it by NARA. The contractor determined that the drive could not be fixed, and sent it elsewhere to be recycled -- without following ordinary industry procedures (and U.S. Government policy) requiring that hard drives be degaussed before recycling or other disposition.

According to the Wired piece, the incident was reported to NARA’s inspector general by Hank Bellomy, a NARA IT manager, “who charges that the move put 70 million veterans at risk of identity theft, and that NARA’s practice of returning hard drives unsanitized was symptomatic of an irresponsible security mindset unbecoming to America’s record-keeping agency.”

The Veterans Administration settled a class action earlier this year at a cost of $20 million over the 2006 loss of a laptop containing records with personal information of up to 26.5 million veterans and active duty personnel.
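Both this post and the cell phone donation post above come down to the same control: media must be verified clean before it leaves your hands. The script below is an added example, not code from the blog, NARA, its contractor or ReCellular. It scans a disk or device image in fixed-size chunks, counts bytes that are not zero, and looks for a few constructed byte patterns (SSN-like numbers, credential assignments, e-mail addresses) whose presence means user data survived. The chunk size, overlap length, patterns and the sample image are all assumptions made for the example; on real media you would point it at a raw image taken after the wipe.

```python
"""Verify that a storage image has been sanitized before disposal (added example)."""
import io
import re

CHUNK_SIZE = 4096   # read the image in fixed-size pieces so large drives fit in memory
OVERLAP = 64        # bytes carried across chunk boundaries so straddling matches are seen

# Constructed indicators of leftover personal data; real deployments would tune these.
RESIDUAL_PATTERNS = {
    "ssn-like": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "credential-like": re.compile(rb"(?i)\b(?:password|passwd|pin)\s*[:=]\s*\S+"),
    "email-like": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}


def scan_image(stream, chunk_size=CHUNK_SIZE):
    """Return byte counts and residual-pattern hits for a binary stream."""
    total = 0
    nonzero = 0
    hits = {name: 0 for name in RESIDUAL_PATTERNS}
    tail = b""
    data = stream.read(chunk_size)
    while data:
        nxt = stream.read(chunk_size)  # look ahead so we know whether this is the last chunk
        total += len(data)
        nonzero += len(data) - data.count(b"\x00")
        window = tail + data
        for name, pattern in RESIDUAL_PATTERNS.items():
            for match in pattern.finditer(window):
                # Matches wholly inside the carried-over tail were counted last round.
                if match.end() <= len(tail):
                    continue
                # A match touching the window end may continue into the next chunk;
                # defer it (matches longer than OVERLAP can still be missed).
                if nxt and match.end() == len(window):
                    continue
                hits[name] += 1
        tail = data[-OVERLAP:]
        data = nxt
    return {"bytes": total, "nonzero_bytes": nonzero, "pattern_hits": hits}


def scan_bytes(blob, chunk_size=CHUNK_SIZE):
    """Convenience wrapper for in-memory images."""
    return scan_image(io.BytesIO(blob), chunk_size)


def is_sanitized(report):
    """A wiped drive is all zeros and shows no residual-data patterns."""
    return report["nonzero_bytes"] == 0 and sum(report["pattern_hits"].values()) == 0


def build_sample_image():
    """Constructed image: zeros with a 65-byte block of leftover notes straddling a chunk edge."""
    leftover = (b"owner notes\n"
                b"PIN: 4321\n"
                b"email john.doe@example.com\n"
                b"ssn 123-45-6789\n")
    return b"\x00" * 4080 + leftover + b"\x00" * 3000


if __name__ == "__main__":
    report = scan_bytes(build_sample_image())
    print(report)                      # nonzero_bytes=65, one hit per pattern
    print("sanitized:", is_sanitized(report))   # False: do not release this drive
    print("sanitized:", is_sanitized(scan_bytes(b"\x00" * 10000)))  # True
```

The non-zero count is the primary signal: a drive overwritten with zeros should yield exactly none, and any other result means the wipe did not complete or did not cover the whole device. The pattern scan is a second opinion for media wiped with a random pattern, where the byte count alone says nothing; it is deliberately coarse and meant to flag a drive for re-wiping, not to certify it clean.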

Tuesday, September 29, 2009

Save the Date - Safe Harbor/Cross Border Data Transfer Conference in Washington

If you have cross-border privacy issues as part of your portfolio, you should mark your calendar for November 16th. The Department of Commerce has just announced that the 2009 International Conference on Cross Border Data Flows, Data Protection and Privacy will be held on that date in Washington.

“Cross the Divide: Successfully Navigating Safe Harbor” will include discussions of issues such as

• progress on the Safe Harbor framework;
• changes in the binding corporate rules approval process;
• new privacy compliance paradigms;
• sharing data across borders during pandemics;
• privacy management in social networks;
• behavioral advertising in cloud computing; and
• civil litigation e-discovery.

The Conference will be hosted by the Department of Commerce, with the cooperation of the European Commission and the Article 29 Working Party on Data Protection, made up of data protection officials from each of the European Union Member States.

Further information on the conference is available at
www.regonline.com/safeharbor2009.

Friday, September 25, 2009

Privacy and Security Bits and Bytes

After a bit of a hiatus, our Friday afternoon feature is back:

  • Do you know what your information is worth on the black market? It may just surprise you. Good piece on a new Symantec tool to let you do the calculations. See Information Security Resources - What Are You Worth On The Black Market?
  • Despite all of the public flurry surrounding security breaches, and customer expectations that the information entrusted to vendors will be secure, a new survey finds that an astounding 71 percent of those companies surveyed said they still weren't making data security a top initiative in their IT budgets, even though 79 percent of them admitted that they had been hit by one or more data breaches since the PCI DSS standard was enacted in 2005. Companies Still Not Securing Customer Data - InternetNews.com.
  • Companies around the world are preparing for the swine flu pandemic and putting policies and procedures in place for workers and business continuity. What, if anything, are people doing about the privacy issues that need to be addressed in that planning?
    Good article, with links to resources here - Protecting Your Privacy During a Pandemic
  • Remember our blog posts on the demise of the Clear program? Next week, the Committee on Homeland Security is holding a hearing on "The Future of the Registered Traveler Program"
    Wednesday, September 30, 2009 @ 2pm
    311 Cannon House Office Building
    The hearing will evaluate the recent cessation of operations by Registered Traveler (RT) providers, actions undertaken by the Transportation Security Administration (TSA), and the impact on airports. There will be a webcast of this hearing.

Should be fascinating viewing. I wonder if we'll hear any more about whatever happened to all that data???

Check your employee handbook - what you might think is fraud and abuse may not be a federal case....

My colleagues over at the Employment Matters blog report on an interesting decision drawing attention to the need for clear and explicit policies regarding "acceptable use" of computers and company information and the absolute necessity to terminate access once an employee or contractor is terminated.

Particularly in light of the upcoming Massachusetts data security regulations, permitting employees (contract or otherwise) to email unencrypted documents containing personal information of customers/clients/employees outside of the organization, to be stored on a home computer (similarly unencrypted, one can presume), will be a violation of 201 CMR 17.00 if that list contains "Personal Information" of Massachusetts residents; failing to have procedures as part of your information security plan that terminate access to such information for former employees will also be a violation. Similarly, because a health care provider and protected health information are involved here, this action would be in violation of the new HHS guidelines for the handling of PHI. Finally, because the defendant was no longer authorized to have the information, it was likely a reportable breach under HIPAA and many state laws.

For all that, the Ninth Circuit does not find that the incident was a violation of the federal Computer Fraud and Abuse Act.

Thursday, September 24, 2009

"Smart Grid" privacy issues to be examined by Federal Communications Commission

Smart Grid technology enables electric utilities to use communications and computing technology to glean consumer electric usage patterns to facilitate more efficient network management. It's been identified by the FCC as a promising way to use broadband to promote energy efficiency, reduce greenhouse gas emissions, and encourage energy independence.

These consumer electric usage patterns could conceivably do far more.... For example, marketing firms may find valuable market penetration data in consumer electric usage patterns and law enforcement could use information about electricity usage to pinpoint potential sites of criminal activity. Basically, the very characteristics that make smart grid information valuable to environmental efforts may also have serious implications for consumer privacy and are attracting the interest of regulators here in the U.S. and elsewhere.

Specifically, the FCC has sought comment by October 2, 2009 on the issue of how strong privacy and security requirements can be satisfied in deploying smart grid technology without stifling innovation.

The Colorado Public Utilities Commission just closed a comment period last week on the following issues and the comments received on these questions may help to further inform the debate at the national level:

1. What concerns surrounding the collection and analysis of detailed electricity usage information should the CPUC consider as it establishes policies governing access to and use of this information?
2. What, if any, are the trade-offs between protecting privacy and promoting innovation with regards to smart grid technology?
3. Should detailed electricity usage information be protected? If so, how?
4. How do constitutional or statutory protections impact the use of consumers’ detailed electricity usage information collected as part of smart grid initiatives? What protections should be put in place even if not covered by constitutional or statutory provisions?
5. What are the necessary components of effective privacy regulation of consumer electricity usage patterns? For example, should disclosure of consumer information to third-parties be on an opt-in or an opt-out basis, or should the consent-requirement depend on the nature of the party receiving the information?
6. How much information about consumer electricity usage do electric utilities and “edge service providers” require to facilitate more efficient network management, load forecasting, asset management, bill control, demand-side load management, efficiency consulting, energy savings contracting, etc.?
7. How do privacy regulations affect electric utilities and “edge service providers” in their efforts to provide enhanced electricity management services?
8. Who “owns” customer information?
9. What should be a utility’s obligation to “unbundle” metering in homes and businesses?

Tuesday, September 22, 2009

Your mother was right: the FTC confirms you don't get a second chance to make a first impression

Written by Cynthia and Michele

So you thought that if you made "full disclosure" in your online agreements with customers, you'd be OK -- well, it's time to think again.

The FTC recently confirmed in In re Sears Holdings Management Corp that even full disclosure of company practices in an end user license agreement (“EULA”) or terms of service (“TOS”) may be no defense to fraud claims. Nearly all online service providers require users to agree to terms of use. And, typically these terms of use are enforceable. However, the FTC’s recent order makes it clear that the adequacy of the disclosures in a EULA or TOS will be determined not by the completeness of the disclosure itself, but on a case-by-case basis in light of all of the other representations made to consumers. Thus, burying the use of marketing software with behavioral tracking capabilities, even though ultimately disclosed fully, in a multi-step sign-up and download process as Sears did will not necessarily shield a company from a fraud claim.

Requiring online service providers to obtain express consent before employing marketing software is nothing new. For example, in a consent order reached with a company called Zango, the FTC said that express consent is required before employing tracking software with pop-ups --- and tagged Zango for $3 million. In another case, In re DirectRevenue LLC, the FTC required express consent before installing what they called “lureware,” along with a fine of $1.5 million.

What is notable about Sears, however, is the shift in focus from the completeness of the disclosure itself to its completeness in light of all other representations. While a EULA disclosure may be complete in itself, it is now clear that even a full and complete disclosure will not correct other representations if the overall impression is misleading. In short, service providers will not get a second chance to make a good first impression.

Practical advice -- take another look at your EULA or TOS and make sure that it is not just complete, but it is accurate.

Monday, September 21, 2009

What is "reasonable expectation of privacy" in an employment context?

Written by Cynthia and Jennifer

A recent decision by the Maine Supreme Court highlights the tension between an employee's reasonable expectation of privacy in conducting personal business through a company's computer system and the individual's right to prevent the company's publishing of such material. In Fiber Materials, Inc. v. Subilia, the Maine Supreme Court dismissed an interlocutory appeal by a former executive who charged the company with improperly accessing and publishing the executive's attorney-client privileged communications with his attorney which had been stored on the company's computer system. While the court dismissed the appeal for procedural reasons, the court criticized the company's counsel for taking the preemptive position that the material retrieved was appropriately disclosed publicly without first seeking advice from state bar counsel before publishing it in a complaint.

The issues in this case are similar to those raised in the Scott v. Beth Israel case, where a New York trial court concluded that an employee's use of the employer's email system to communicate with his attorney waived the privilege because the employer's policy expressly prohibited personal use of the email system.

While these cases appear to produce two different results, they dictate the care employees and employers alike must take with respect to accessing information on a company-owned computer system and the use of that system in the first instance to conduct any type of personal business, especially sensitive personal business.

Friday, September 18, 2009

Federal Breach Notification Rules -- NEXT WEEK. Are you ready?

Written by Cynthia and Dianne

New federal breach notification rules go into effect next week for covered entities and their business associates and also for vendors of personal health records.

Covered entities (organizations subject to the HIPAA privacy rule) and their business associates must report breaches of unsecured protected health information in accordance with new rules from the Department of Health and Human Services (HHS) starting Wednesday, September 23, 2009. Unsecured protected health information is information that has not been either encrypted or destroyed in accordance with HHS standards. Note that under the rules, a covered entity may not have to report a breach of unsecured protected health information if, after conducting a risk analysis, it believes in good faith that the unauthorized recipient of the PHI would not reasonably have been able to retain it (for example, if misdirected patient correspondence is returned as undeliverable and is unopened).

The breach notification regulations require prompt notification to affected individuals, as well as to the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals must be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches by the business associate.

The HHS regulations were developed in close consultation with the Federal Trade Commission (FTC), which has issued companion breach notification regulations that apply to vendors of personal health records and certain others not covered by HIPAA. The FTC regulations are effective September 24, 2009. The rules are identical with respect to some provisions, similar in others, and completely different in a few others. Those differences can matter because some organizations will be covered by both regulations.

Both the FTC and HHS intend for their regulations’ notices to be combined with the state-required notices, so that a consumer would receive only a single notice. The agencies’ requirements for the content of the notices are practically identical, but the regulations have many differing requirements on a wide range of topics. For example, HHS’ requirements extend to breaches of health information in all formats, including paper, whereas the FTC’s requirements extend only to health information in electronic form. Also remember, there will be different state requirements for notice, some of which (particularly in Massachusetts) will conflict with the FTC/HHS content.

Links:
Text of HHS Breach Notification Rule
Text of FTC Breach Notification Rule
Mintz Matrix of State Data Breach Notification Laws, current as of August 31, 2009

FTC to Hold Data Privacy Roundtables

Here’s an important notice from the Federal Trade Commission -

The FTC will host a series of day-long public roundtable discussions to explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data. Such practices include social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The goal of the roundtables is to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation.

The roundtable discussions will consider the risks and benefits of information collection and use in online and offline contexts, consumer expectations surrounding various information management practices, and the adequacy of existing legal and self-regulatory regimes to address privacy interests. Roundtable participants will include stakeholders representing a wide range of views and experiences, such as academics, privacy experts, consumer advocates, industry participants and associations, technology experts, legislators, international representatives, and others.

The Privacy Roundtables are free and open to the public. The first will be held Monday, December 7, 2009, at the FTC Conference Center at 601 New Jersey Avenue, N.W., Washington, DC. Pre-registration is not required. Members of the public and press who wish to participate but who cannot attend can view a live Webcast at FTC.gov. The Commission plans to convene additional roundtables in subsequent months, and will post information regarding these events at a later date.

Links:
FTC to Host Public Roundtables to Address Evolving Consumer Privacy Issues

Thursday, September 17, 2009

From Privacy Academy - The Seven Step Program

Sounds like common sense, but it is food for thought -- and will be required under new Massachusetts data security regulations:

The seven easy ways to protect PC based information from theft

The proliferation of Personal Storage Devices (thumb drives, iPods, USB external hard disks, etc.) and simple remote access has created unprecedented levels of convenience and, at the same time, a substantially increased risk of data loss. Pocket-sized external USB storage devices can put hundreds of gigabytes of data storage at your fingertips, which is easily enough space to house an industrial-strength database or thousands of documents, spreadsheets, photos and other sensitive information. With the right software installed, these devices can be configured to automatically transfer data off any machine into which they’re plugged. This can be a convenience for the owner of the data, or for the Bad Guy an easy way to access and steal your data. Exploiting this type of threat is very inexpensive and does not take expertise.

Securing your environment is very easy and involves a multi-tiered Best Practices approach including:
  • Creating and enforcing sound policies and procedures that lock down the system BIOS on all computers processing, storing or transmitting data.
  • Creating a logon requirement that uses password and / or biometric authentication every time the PC is turned on.
  • Requiring the use of strong passwords that contain a minimum 7-character combination of both alpha and numeric symbols.
  • Never sharing or writing down your passwords.
  • Automated forced changing of passwords every 60 days.
  • Locking the PC after 10 minutes of inactivity to prevent unauthorized access to the machine and its data when the user steps away.
  • Turning off the PC when it is unattended for long periods of time. This one is an often overlooked critical step. If it’s on, it can be accessed remotely.
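As an added example (not part of the Privacy Academy list above), here is a PowerShell audit of a Windows PC against three of the listed settings: a minimum password length of 7, a maximum password age of 60 days, and a password-protected idle lock at 10 minutes. It assumes English-language output from `net accounts`; the BIOS lockdown, biometric and power-off items have no simple local check and are left out.

```powershell
# Added example, not part of the Privacy Academy list. Audits the local Windows PC
# against three of the listed settings. Assumes English-language 'net accounts'
# output; BIOS lockdown, biometrics and shutdown habits are not checked here.

$Policy = @{
    MinPasswordLength  = 7    # "minimum 7 character combination"
    MaxPasswordAgeDays = 60   # "forced changing of passwords every 60 days"
    IdleLockMinutes    = 10   # "Locking the PC after 10 minutes of inactivity"
}

function Get-LocalPasswordPolicy {
    # 'net accounts' prints the local account policy as "Label: value" lines.
    $text = (net accounts 2>$null) -join "`n"
    $minLen = if ($text -match 'Minimum password length:\s+(\d+|None)') { $Matches[1] } else { $null }
    $maxAge = if ($text -match 'Maximum password age \(days\):\s+(\d+|Unlimited)') { $Matches[1] } else { $null }
    [pscustomobject]@{
        # 'None' means no minimum is enforced; 'Unlimited' means passwords never expire.
        MinPasswordLength  = if ($null -eq $minLen -or $minLen -eq 'None') { 0 } else { [int]$minLen }
        MaxPasswordAgeDays = if ($null -eq $maxAge -or $maxAge -eq 'Unlimited') { [int]::MaxValue } else { [int]$maxAge }
    }
}

function Get-IdleLockSetting {
    # Per-user screen saver values live under HKCU; the timeout is stored as a string of seconds.
    $desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $timeout = if ($desktop.ScreenSaveTimeOut) { [math]::Ceiling([int]$desktop.ScreenSaveTimeOut / 60) } else { $null }
    [pscustomobject]@{
        Active          = ($desktop.ScreenSaveActive -eq '1')
        RequirePassword = ($desktop.ScreenSaverIsSecure -eq '1')
        TimeoutMinutes  = $timeout
    }
}

function Test-WorkstationPolicy {
    $pw   = Get-LocalPasswordPolicy
    $lock = Get-IdleLockSetting
    $findings = @()

    if ($pw.MinPasswordLength -lt $Policy.MinPasswordLength) {
        $findings += "Minimum password length is $($pw.MinPasswordLength); the list calls for $($Policy.MinPasswordLength)."
    }
    if ($pw.MaxPasswordAgeDays -gt $Policy.MaxPasswordAgeDays) {
        $age = if ($pw.MaxPasswordAgeDays -eq [int]::MaxValue) { 'unlimited' } else { "$($pw.MaxPasswordAgeDays) days" }
        $findings += "Maximum password age is $age; the list calls for $($Policy.MaxPasswordAgeDays) days."
    }
    if (-not ($lock.Active -and $lock.RequirePassword)) {
        $findings += "No password-protected screen lock is configured for the current user."
    } elseif ($null -eq $lock.TimeoutMinutes -or $lock.TimeoutMinutes -gt $Policy.IdleLockMinutes) {
        $findings += "Idle lock fires after $($lock.TimeoutMinutes) minutes; the list calls for $($Policy.IdleLockMinutes) or fewer."
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

$result = Test-WorkstationPolicy
if ($result.Compliant) {
    Write-Output "Workstation meets the password and idle-lock settings."
} else {
    Write-Output "Findings:"
    $result.Findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it in an ordinary (non-elevated) session; it only reads the account policy and the current user's screen saver settings and changes nothing.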

Gonzalez Hearing: More than 40 MILLION Distinct Credit Card Numbers Recovered

Evan Schuman of StorefrontBacktalk has an interesting piece about last week’s plea in the massive credit card fraud case currently in federal court. Albert Gonzalez pleaded guilty in federal court in the cyberthief case and the plea hearing revealed some remarkable details. According to testimony, the Secret Service has collected “more than forty million distinct credit and debit card numbers from two computer servers” controlled by Gonzalez and his associates and has counted the consumer, retail and bank victims as “an enormous number of people, certainly millions upon millions, perhaps tens of millions.”

Schuman points out that the plea hearing may be the first and last details that we receive because the plea has avoided a federal trial.

IAPP Privacy Academy 2009

The IAPP Privacy Academy is taking place in Boston this week. Privacy professionals from all over the world are gathered to catch up on the latest developments and best practices. I'll blog a bit from the Academy and pass on some of the tidbits.

Thursday, September 10, 2009

Some "light reading" for privacy geeks...

Or, actually, for anyone interested in building privacy into business from the "ground up" and in how privacy can (and should) become a business differentiator. Dr. Ann Cavoukian is Ontario's Information and Privacy Commissioner, has long been an advocate of privacy technologies, and coined the term "Privacy by Design" in the late nineties. Her latest book is called exactly that -- "Privacy by Design" -- and can be downloaded at http://www.privacybydesign.ca/pbdbook/PrivacybyDesignBook.pdf.

It's a must-read for thought leadership in this space.

Maine Lawsuit Dismissed and Law "Likely Unconstitutional"

The lawsuit over the controversial Maine law slated to become effective this week, which would have prohibited all marketing to minors, has been dismissed. Yesterday, the District of Maine issued a Stipulated Order of Dismissal stating that there is a likelihood that the statute is "overbroad and violates the First Amendment." Further (and perhaps more important to business), Judge Woodcock warned that any individual lawsuits brought under the statute’s private right of action would likely face the same fate -- dismissal. "[T]hird parties are on notice that a private cause of action under Chapter 230 could suffer from the same constitutional infirmities" that resulted in his finding that the law was likely overbroad, Woodcock concluded.

In the meantime, the lawsuit was dismissed without prejudice in light of the Attorney General’s representation to the Court that Maine will not enforce the statute and that the Legislature will reconsider it when they reconvene in January 2010.

Other links:
eWeek
Portland Press Herald

Thursday, September 3, 2009

Maine AG - I Will Not Enforce New Marketing Law

It looks as though Maine’s Attorney General will not enforce a controversial new state law that restricts marketing to minors but has drawn a federal lawsuit because plaintiffs argued that the law swept too broadly. The Wall Street Journal today reports that a spokesperson for Maine AG Janet Mills said that Mills will not be enforcing the law and will work with sponsors to amend the legislation when Maine’s legislature reconvenes in January 2010. One caution here, though -- the Maine law contains a private right of action, which means that, although the AG has decided against enforcement, a private party could still bring an individual suit ---- or a class action. Stay tuned.

Wednesday, September 2, 2009

Low Tech ID Theft ......

As Federal Reserve Chairman Ben Bernanke and his wife recently found out, identity theft often has nothing to do with technology….

PC Mag: Fed Chairman Hit by ID Theft

Thursday, August 27, 2009

Some Social Networking Developments

If you are a regular user of online social networks such as Facebook, LinkedIn, Twitter and others, you will want to check out a new research paper by a couple of researchers at AT&T Labs and Worcester Polytech that points to some disturbing evidence of the “leakage” of personally identifiable information from the social networking sites to third-party advertisers through cookies. The study is reportedly the first of its kind to describe a way by which tracking sites could directly link browsing habits to specific individuals. Privacy advocates have certainly taken notice: Electronic Frontier Foundation calls social networking privacy study alarming.

Also, if you are a Facebook user, be on the lookout for some changes to the Privacy Policy. Canada’s Privacy Commissioner held a press conference this morning to announce that Facebook has agreed to implement a host of changes responding to an investigation by Canadian regulators, including changes that will give users more control over third-party applications.

Speech: Remarks at a Press Conference on the Facebook Investigation by the Privacy Commissioner of Canada – August 27, 2009
Facebook Tweaks Privacy Policy in Face of Inquiry - InternetNews.com

Lawsuit Filed to Block New Maine Marketing Law

As expected, a lawsuit was filed yesterday in U.S. District Court for the District of Maine seeking to block enforcement of the controversial new Maine marketing law we discussed in this blog last month. The plaintiffs are the Maine Independent Colleges Association, Maine Press Association, NetChoice, and publisher Reed Elsevier, Inc. NetChoice is a coalition of trade associations and e-commerce businesses, including AOL/TimeWarner, Yahoo! and eBay. The law takes effect September 12, 2009.

Friday, August 21, 2009

Privacy and Security Bits and Bytes

Our Friday afternoon feature -

No Anonymity -- This week’s ruling by the New York State Supreme Court that resulted in the “outing” of a blogger who made unfavorable comments about a Canadian model has online privacy groups reacting to the “skank” case.

No Sale of Data for Clear - To update earlier posts here about the now-defunct biometric airline passenger data company, Clear, Wired reports that a federal judge in Manhattan has ordered Clear not to sell the biometric data of its customers. The judge said that doing so would be a breach of Clear’s contracts with customers.

Radisson Reports Breach - ComputerWorld reports on the latest data breach, this one at the Radisson Hotels site. Radisson posts an Open Letter to its guests, but doesn’t give much information. Check your accounts…..

Changes to the Massachusetts Data Security Regulations: What do they really mean?

Now that the dust has settled after this week’s “Breaking News” regarding the proposed changes to the Massachusetts data security regulations, here is an analysis of what the changes actually mean to the business community.

Some other interesting commentary is linked below:

Evan Schuman - Storefront Backtalk

Monday, August 17, 2009

Long-Awaited California Decision on Cameras in the Workplace

The California Supreme Court has finally issued its decision in a workplace privacy case, finding that an employer's placement of a hidden camera in an office used by two employees did not violate the employees' right to privacy. This case has drawn much attention as it worked its way through the appellate courts.

My colleagues in the Mintz Levin Employment and Benefits Group have written a great Client Alert on the case.

BREAKING NEWS - Changes to 201 CMR 17.00

Just released - proposed amendments to the Massachusetts data security regulations -- and a three-month extension of time to comply. Stay tuned for a full analysis.

Friday, August 14, 2009

Privacy and Security Bits and Bytes

Just some nuggets to wrap up the week:

Think about this as you speed through the E-Z Pass lanes this weekend…..
Report Warns of Losing "Locational Privacy" Security Management - The Electronic Frontier Foundation (EFF) has a new report out, as discussed in Security Management, about the issues of locational privacy.

An interesting piece at Information Security Resources -- A Guide to Identity Theft and the Recession : Information Security Resources

More on the real cost of data breaches…
Heartland Payment Systems said it spent $32 million this year paying for costs related to the major data breach it disclosed in January, including $22.1 million to cover fines from key payment card brands and a settlement offer. Read more on StoreFront Backtalk

And finally…. (SATIRE ALERT)
Would you like to move where NO ONE knows your name? The intrepid reporters at The Onion tell us about The “Opt-Out Village” at Google. Google Opt Out Feature Lets Users Protect Privacy By Moving To Remote Village The Onion - America's Finest News Source

Have a great (and private) weekend!

To Encrypt or Not To Encrypt…….An Incentive Rather than a Mandate From Michigan

Add Michigan to the list of states that are proposing that adoption of comprehensive data security safeguards will provide a safe harbor for data breaches.

The Information Security Program Standards Act introduced last week differs a bit from Massachusetts and Nevada (and other pending legislation) in that it would not require the implementation of detailed security measures --- the Michigan act provides a carrot to those who do: Breach liability immunity.

Data Breach du Jour ….

The Associated Press reports that American Express has notified some card-holders that their information may have been compromised. According to an American Express spokesperson, the breach resulted from an employee’s recent theft of data.

In this tough economy, outside threats to personal information held by companies are not the end of the story. The possibility of “insider” data misuse and misappropriation needs to be considered and factored into your risk assessments and data protection security planning. Don't think it can't happen to you......

Friday, August 7, 2009

Massachusetts Data Security Standards vs. New HIPAA Guidelines

Here's a link to an article (by the author of this blog...) comparing the Massachusetts data security standards (effective January 1, 2010) to the Department of Health & Human Services Guidelines promulgated under the new HITECH Act (effective in mid-September). Compliance challenges are coming on all fronts -- and it's best not to duplicate efforts.

Monday, August 3, 2009

Privacy and Security Bits and Bytes

Coming back from vacation and catching up on what’s been going on ….

In case you are looking for something security-related to do in the month of August -- check out the Internet Security Alliance Calendar of Events

According to an InternetNews.com article, cookies may be back on the menu for U.S. Government web sites. Back in 2000, all U.S. government web sites stopped using cookies for visitor web tracking and it looks as though the policy is about to change.

Mike Spinney at Information Security Resources does a great commentary piece about the importance of top-down example when establishing internal privacy and security programs. Personal ethics, and the emphasis by management that personal ethics is the key to compliance at your company, can be a very cost-effective addition to an overall information security program.

And, while I was gone, the Breach of the Month - a hack into the Network Solutions web server compromised more than 573,000 debit and credit cards, according to Security Fix in the Washington Post. Brian Krebs is one of the best on the beat.

Wednesday, July 29, 2009

BREAKING NEWS -- FTC Delays Enforcement of "Red Flag" Rules ---Again

The Federal Trade Commission has again extended the enforcement deadline for the Red Flags Rule, according to an agency press release. Creditors and financial institutions now have until November 1, 2009 to come into compliance with the rule, which was mandated by the Fair and Accurate Credit Transactions Act of 2003. Meanwhile, the commission will redouble efforts to educate businesses affected by the rule on what they must do to comply. The Red Flags Rule requires entities to implement programs for identifying, detecting and responding to harbingers of identity theft, or "red flags." Hospitals and retailers had been especially vocal about lack of knowledge as to whether they should be required to comply. In addition, the American Bar Association had been threatening to take legal action if the FTC did not clarify that the rule should not apply to lawyers before August 1.

More coming.

Friday, July 24, 2009

Do you market to 'tweens?? Better watch out for the new Maine law.....

Maine Governor John Baldacci has signed a sweeping new law called "An Act to Prevent Predatory Marketing Practices to Minors." While that is a laudable effort and responsible marketers would not want to be predatory, it is not difficult to see this law as overreaching. It goes beyond the restrictions in federal law under the Children's Online Privacy Protection Act, where the cutoff age is 13, and applies to "minors" -- not otherwise defined in the Maine law, but the age of majority in that state is 18.

The law prohibits "marketers" -- which is anyone promoting a product or service -- from knowingly collecting, receiving or using personal information of minors without obtaining verifiable parental consent. Additionally, even with verifiable parental consent, the law still prohibits the use of personal information regarding a minor in the marketing of products or services or in promoting a course of action to a minor.

This Act then seemingly cuts off "minors" from being marketed to about colleges and universities, testing services such as the SAT and ACT, test prep services, and financial aid services, along with any other kind of marketing. The law contains a private right of action with injunctive relief and recovery of actual damages for each violation, and allows for civil fines over $20,000 for repeat offenses.

A link to the legislation is below. The law takes effect September 12, 2009. It is likely to be challenged, and interest groups are gearing up to try to force an amendment because of its breadth and scope, but the law will be in effect come September and the Maine Legislature does not reconvene until January of 2010. It is clear that this will create some major compliance issues....

Maine Act to Prevent Predatory Marketing Practices to Minors: http://www.mainelegislature.org/legis/bills/bills_124th/chapters/PUBLIC230.asp

Tuesday, July 14, 2009

New E-Discovery Rules in California

It's not necessarily a "privacy" issue, per se, but electronic discovery (known as "e-discovery") rules of litigation require that companies plan ahead with respect to document retention. Here is the latest on the new California e-discovery rules just enacted.

Update from ComputerWorld on Denial of Service Attacks

The article says that the likely source of last week's massive DDoS attacks was the U.K., not North Korea.

Link here

Seminar today on compliance with Massachusetts Data Security Regulations

Twitter feed from the event -- http://twitter.com/ITcompliance

Monday, July 13, 2009

Privacy and Security Bits and Bytes

There's a report out of the UK that a proposed (and highly controversial) mobile directory has so many people opting out that the system has crashed. I guess no one really wants those telemarketers to be able to find them via mobile... UK Mobile Directory Crashes

A good summary from the Edmonton Sun regarding the stunning breach of the Alberta Health Services database - lessons for the US race to electronic medical records....
Privacy breach shocker Alberta News Edmonton Sun

BusinessWeek had a real "heart-to-heart" with Heartland Payment Systems CEO Robert Carr on the data security breach his company experienced late last year. In the article, Carr details the series of events leading up to the breach, and those that followed -- the board meeting, the disclosure, damage containment, and the drop in stock price, among others. It's a fascinating look at the inside of a massive data breach and what happens while the company is spinning the disclosure.

State BT Legislation

Much as it is with general federal privacy legislation, nature abhors a vacuum, and the states take up the "hot potato."

In the same realm as the last post, Massachusetts and several other states have legislation working its way through the current legislative session dealing with BT. The Massachusetts bill, H 313, heads for a hearing tomorrow before the Joint Committee on Consumer Protection and Professional Licensure.

H 313 is similar to behavioral advertising bills that have been introduced in New York (probably dead for the session) and Connecticut. It would establish a broad notice and consent regime for personally identifiable information and non-personally identifiable information that is used for behavioral advertising. Note that the Massachusetts legislation only applies to online behavioral advertising and would not apply to behavioral advertising campaigns that are conducted offline.

Trade Groups Release BT "Self-Regulatory" Standards

Nearly missed in the long Fourth of July holiday weekend was the announcement of "behavioral advertising" standards by a coalition of industry trade groups. These standards are in response to the FTC's public statements that regulation would soon follow if industry did not step up.

The standards have now been released and are as follows:

The Education Principle calls for participation in efforts to inform individuals and businesses about online behavioral advertising. The industry intends to mount a major educational campaign involving over 500 million ad impressions over the next 18 months.

The Transparency Principle calls for clearer and easily accessible disclosures about data collection and use practices. The result will be a new notice on the page where data is collected, delivered via links embedded in or around advertisements, or on the Web page itself.

The Consumer Control Principle expands the consumer's ability to opt-out of data collection. The opt-out will occur via a link on the page where data is collected. This principle also requires service providers such as Internet access providers and desktop application software companies to obtain consent of users before engaging in online behavioral advertising.

The Data Security Principle calls for reasonable security and limited retention of data.

The Material Changes Principle calls for the acquisition of consent for any material change to data collection and use policies, as well as for applying changed practices to data collected prior to any such change.

The Sensitive Data Principle requires parental consent for consumers known to be under 13 on child-directed Web sites. This Principle also calls for heightened protections to certain health and financial data when attributable to a specific individual.

The Accountability Principle calls for the development of programs to monitor and report uncorrected non-compliance to appropriate government agencies. The Council of Better Business Bureaus and Direct Marketing Association will work cooperatively to establish accountability mechanisms under the Principles.

For more:

Interactive Advertising Bureau Release
Google Public Policy Blog
http://www.ftc.gov/opa/2009/06/behavadvert.shtm

Thursday, July 9, 2009

Major Consumer Protection Actions at FTC

There is increased activity at the Federal Trade Commission on the consumer protection front. David Vladeck, the FTC's new director of the Bureau of Consumer Protection, is wasting no time in getting down to business. With less than a month on the job, Vladeck announced two major enforcement actions: one involving a nationwide crackdown against scammers, and the other resulting in a $3.7 million penalty for CAN-SPAM violations.

Mintz Levin colleague Farrah Short writes that "Director Vladeck was named to the position in April and began his new role in June, after a handful of consumer watchdog groups called for the FTC Chairman to appoint someone with “a track record as a genuine champion of consumer rights.” If these early announcements are any indication, Director Vladeck may be on his way to fulfilling that wish."

For more:

CAN-SPAM action
FTC scammer action

Google on Trial in Italy

Friends at the Norton Rose law firm have published a great Update on Google Italian prosecution. The trial of the Google executives has been delayed, but the Norton Rose piece outlines the background of the proceedings and the current status.

North Korea behind denial of service attacks?

Reports today are indicating that several South Korean Web sites have been attacked again. Several officials have voiced speculation that North Korea was behind both today's denial of service attacks and last week's wave of outages that hit sites in both the U.S. and South Korea. No comment from Pyongyang.

The official news agency in South Korea says that today, seven sites - one belonging to the government and the others to private entities - were attacked.

The U.S. targets included the White House, Pentagon, Treasury Department and the Nasdaq stock exchange.

These attacks demonstrate the vulnerability of the global government and commercial web infrastructure to outside attack. The Obama Administration may want to reconsider the position of cyberczar and elevate it to Cabinet-level status.

For more:

FT.com / Global Economy - Fresh cyber attacks hit S Korea and US
New York Times
MSNBC
Wall Street Journal

(registration may be required to access some articles)

Wednesday, July 8, 2009

Class Action Suit Filed in "Clear" Program Termination

Here we go …..

What is happening with Registered Traveler data? It's not "Clear"....

As I blogged a few weeks back, the "Clear" Registered Traveler program abruptly ended because the service provider ceased operations. The announcement at the time raised the question of what happens to the vast trove of personal information and biometric data that the company collected in order to "clear" frequent fliers who ponied up the $199 annual fee. Those questions have still not been completely answered, and just before the holiday, the Chairman of the House Committee on Homeland Security sent a letter to the Transportation Security Administration asking the same questions, and giving TSA until July 8th to explain how the agency plans to ensure the security of the data.

Chairman Thompson wants TSA to explain what role it will take in ensuring that "adequate privacy protections are in place prior to any disposition of the personally identifiable information." The TSA has posted an FAQ on its website directing questions about Clear back to the vendor.

We have learned a bit more from Verified Identity Pass (VIP), the company that operated the Clear program. VIP has issued a statement regarding the handling of existing data on hardware -- airport kiosks and computers assigned to VIP employees. According to VIP, all such equipment was being cleared using a process known as "triple wiping," which is a reliable method for clearing hard disks of data. Once the information has been wiped, Clear says that it will send members one final email confirming that their information has been deleted from the kiosks and computers.

None of this addresses the issue of the central database. What we do not know -- and will not know until it happens -- is whether the data will be sold. VIP has not filed for protection under the Bankruptcy Code and is presumably trying to sell itself to another Registered Traveler service provider (there are 8 approved by TSA). In the FAQ, the company's response was that "(t)he personally identifiable information that customers provided to Clear may not be used for any purpose other than a Registered Traveler program operated by a Transportation Security Administration authorized service provider." Short answer: if it can find a buyer that is a TSA-authorized RT provider, your data will most certainly be sold. Clear says nothing about informing members that their information will be transferred to another provider in a sale of what is left of the company, or about obtaining consent to such a transfer.

All of this illustrates a ticking time bomb in difficult economic times -- what happens to the myriad of personal and financial data that a failing or failed company has collected during the time it was in business? Databases and customer lists are assets that can be converted to cash to pay creditors. Hardware is often sold for scrap without "triple wiping" or is just transferred to a new buyer.
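The "triple wiping" VIP describes above for its kiosks, and the members' question of how such a deletion can be assured, come down to one check: overwrite, then read back. The following is an added example written for this post, not VIP's or TSA's process; it runs a three-pass overwrite over a constructed sample record in a temporary file and verifies each pass, and the limits noted in the comments (file-level wipes do not reach media remnants, backups or the central database) are my own caveats.

```python
import os
import secrets
import tempfile

# Constructed sample of the kind of record a kiosk might hold (not real data).
SAMPLE_RECORD = b"member=0000001;name=JANE DOE;biometric=<constructed template>\n" * 64


def overwrite_passes(path: str, passes: int = 3) -> list:
    """Overwrite the file at `path` in place `passes` times, verifying each pass.

    Every pass but the last writes random bytes; the last writes zeros so the
    final read-back is unambiguous. Returns one True/False per pass.
    """
    size = os.path.getsize(path)
    results = []
    for i in range(passes):
        pattern = bytes(size) if i == passes - 1 else secrets.token_bytes(size)
        with open(path, "r+b") as fh:
            fh.seek(0)
            fh.write(pattern)
            fh.flush()
            os.fsync(fh.fileno())  # force the pass to the device, not just the page cache
        with open(path, "rb") as fh:
            results.append(fh.read() == pattern)  # read back and compare
    return results


def triple_wipe_and_check(data: bytes) -> dict:
    """Write `data` to a temp file, triple-wipe it, and report what is verifiable.

    Caveat (assumption of this example): this verifies only what the filesystem
    returns. Journals, SSD wear-levelled blocks, backups and any central
    database copy are outside what a file-level wipe can demonstrate.
    """
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    try:
        passes = overwrite_passes(path, 3)
        with open(path, "rb") as fh:
            final = fh.read()
        return {
            "passes_verified": all(passes),
            "original_gone": data not in final and b"JANE DOE" not in final,
            "final_is_zero": final == bytes(len(data)),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(triple_wipe_and_check(SAMPLE_RECORD))
```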

Good discussion of the Clear program issues at ComputerWorld.

Monday, June 29, 2009

Breaking News - SCOTUS

Reuters reports that the U.S. Supreme Court this morning refused to hear an appeal requested by two companies that want a New Hampshire prescription privacy law overturned. According to the article, the high court rejected without comment the request of Verispan and IMS Health, who argued that a law prohibiting companies from using physicians' prescribing records to boost drug sales violates their First Amendment rights to free speech. The Supreme Court's refusal means a 1st U.S. Circuit Court of Appeals decision to uphold the law stands. Last week, the companies asked the 2nd U.S. Circuit Court of Appeals to block implementation of a similar law in Vermont.   For further information about the New Hampshire and Vermont laws, see our advisories.


Friday, June 26, 2009

A "Wayback Machine" for Privacy Policies??

The typical "boilerplate" (lawyers hate that word, BTW) in website Terms of Use goes as follows: "We reserve the right to change these Terms of Use at any time. You should check back to this page to view changes. Continued use of this website is deemed acceptance of any such changes." Ever wonder what "such changes" might have occurred?

Wonder no more.  The Electronic Frontier Foundation (“EFF”) has launched the TOSBack website, which tracks changes to several different types of website policies, including Terms of Service, User Agreements, and Privacy Policies. The site's home page lists those policies with the most recent changes and the dates on which the changes took effect.  You can click on each entry or on the specific website and policy to see a side-by-side comparison of the old version and new versions of the policy with the changes highlighted. 

Go to the website for a full list, but it currently tracks changes to 44 separate policies including those of Amazon, eBay, Apple, Facebook, Whitehouse.gov and others. The EFF plans to track more agreements on the TOSBack site in the future, including agreements from credit card issuers, banks, and cable TV providers.  Fair warning.

Wednesday, June 24, 2009

FTC: BT Inquiry Coming "Soon"

Apparently, the FTC plans on stepping up the Commission's inquiries into online behavioral tracking. That's what an American Bar Association Antitrust Section conference on consumer protection heard last week from two senior FTC officials.

On his third day on the job, David Vladeck, director of the FTC's Bureau of Consumer Protection, said he plans to maintain, and even step up, the bureau's aggressive law enforcement efforts, and has set his sights on companies' data collection practices, saying that "[n]otice and consent may have outlived its usefulness." Vladeck said the bureau will consider alternatives to privacy policies, at least as they exist today.

Stay tuned as we find out what form the FTC's promised hard look will take--another town hall meeting or perhaps a rulemaking proceeding. Eileen Harrington, deputy director of the FTC's Bureau of Consumer Protection, told the group that FTC action is imminent.

Tuesday, June 23, 2009

More on the Real Cost of Data Breaches -- $9.75 Million

Add another $9.75 million (plus - see below) to the cost of the TJX Cos. Inc. 2006 data breach.

The company has reached a settlement with 42 states over allegations that it failed to provide adequate security for its customers. $5.5 million of the settlement will be dedicated to data protection and consumer protection efforts by the states and another $1.75 million will be used to reimburse the costs and fees of the investigation.

Massachusetts AG Martha Coakley's office led the executive committee running the investigation. In a statement, AG Coakley said, "This settlement ensures that companies cannot write off the risk of a data breach as a cost of doing business. In addition to the monetary relief, this agreement requires TJX to implement and maintain a substantial data security program to ensure that this kind of data breach does not happen again." Massachusetts will get nearly $1 million in the settlement.

The parenthetical "plus" in my first paragraph refers to an additional cost included in the settlement agreement. TJX must implement major security improvements, and must report and certify that its computer system meets detailed data security requirements specified by the states. The settlement also requires the company to encourage the development of new technologies to address weaknesses in the U.S. payment card system.

The other states participating in the agreement are Alabama, Arizona, Colorado, Delaware, Hawaii, Idaho, Iowa, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Mexico, New York, North Carolina, North Dakota, Oklahoma, Rhode Island, South Dakota, Texas, Washington, West Virginia, Wisconsin, and the District of Columbia.

Not "Clear" What Happens to Passenger Data.....

Bad news if you were a frequent flyer who ponied up the $199 annual fee to participate in Verified Identity Pass, Inc.'s registered traveler program, branded as "Clear." Last night, the company announced that it was "unable to negotiate an agreement with its senior creditor" and shut down. Membership fees will not be refunded.

The bigger concern is what will happen to the (very) personal information of some 260,000 travelers who had registered and been "cleared." In order to receive a Clear card, you had to provide substantial background information, fingerprints and iris scans. In its announcement, Clear Lanes Are No Longer Available, the website says that the company will take "appropriate steps" to delete its customers' personal data. Given some of the prior history of the company with respect to securing that information, I am not reassured by that statement.

Last year, the company acknowledged temporarily losing an unencrypted laptop at San Francisco International Airport that contained the personal data of approximately 33,000 of its customers. In a press release, the Transportation Security Administration announced at the time that it was temporarily suspending Verified Identity Pass' operations of the Clear program until VIP got its security house in order. The question is: now what? Does a bankruptcy judge decide what happens to the data? Will those whose information is in the database be informed in a manner other than a post on the company website? What methods will this now-defunct company use to "delete" the wealth of personal data it has on 260,000 Americans and how can those people be assured that any such deletion is reliable (I'll be interested in hearing about that...)?

Tip of the iceberg...



See also: Clear's Privacy Policy