Tuesday, September 29, 2009

Save the Date - Safe Harbor/Cross Border Data Transfer Conference in Washington

If you have cross-border privacy issues as part of your portfolio, you should mark your calendar for November 16th. The Department of Commerce has just announced that the 2009 International Conference on Cross Border Data Flows, Data Protection and Privacy will be held on that date in Washington.

“Cross the Divide: Successfully Navigating Safe Harbor” will include discussions of issues such as

• progress on the Safe Harbor framework;
• changes in the binding corporate rules approval process;
• new privacy compliance paradigms;
• sharing data across borders during pandemics;
• privacy management in social networks;
• behavioral advertising in cloud computing; and
• civil litigation e-discovery.

The Conference will be hosted by the Department of Commerce, with the cooperation of the European Commission and the Article 29 Working Party on Data Protection, made up of data protection officials from each of the European Union Member States.

Further information on the conference is available at www.regonline.com/safeharbor2009.

Friday, September 25, 2009

Privacy and Security Bits and Bytes

After a bit of a hiatus, our Friday afternoon feature is back:

  • Do you know what your information is worth on the black market? It may just surprise you. Good piece on a new Symantec tool to let you do the calculations. See Information Security Resources - What Are You Worth On The Black Market?
  • Despite all of the public flurry surrounding security breaches, and customer expectations that the information entrusted to vendors will be secure, a new survey finds that an astounding 71 percent of those companies surveyed said they still weren't making data security a top initiative in their IT budgets, even though 79 percent of them admitted that they had been hit by one or more data breaches since the PCI DSS standard was enacted in 2005. Companies Still Not Securing Customer Data - InternetNews.com.
  • Companies around the world are preparing for the swine flu pandemic and putting policies and procedures in place for workers and business continuity. What, if anything, are people doing about the privacy issues that need to be addressed in that planning?
    Good article, with links to resources here - Protecting Your Privacy During a Pandemic
  • Remember our blog posts on the demise of the Clear program? Next week, the Committee on Homeland Security is holding a hearing on "The Future of the Registered Traveler Program"
    Wednesday, September 30, 2009 @ 2pm
    311 Cannon House Office Building
    The hearing will evaluate the recent cessation of operations by Registered Traveler (RT) providers, actions undertaken by the Transportation Security Administration (TSA), and the impact on airports. There will be a webcast of this hearing.

Should be fascinating viewing. I wonder if we'll hear any more about whatever happened to all that data?

Check your employee handbook - what you might think is fraud and abuse may not be a federal case....

My colleagues over at the Employment Matters blog report on an interesting decision drawing attention to the need for clear and explicit policies regarding "acceptable use" of computers and company information, and the absolute necessity to terminate access once an employee or contractor is terminated.

Particularly in light of the upcoming Massachusetts data security regulations, permitting employees (contract or otherwise) to email unencrypted documents containing personal information of customers/clients/employees outside of the organization, to be stored on a home computer (similarly unencrypted, one can presume), will be a violation of 201 CMR 17.00 if that list contains "Personal Information" of Massachusetts residents. Failing to have procedures in your information security plan that terminate former employees' access to such information will also be a violation. Similarly, because a health care provider and protected health information are involved here, this conduct would violate the new HHS guidelines for the handling of PHI. Finally, because the defendant was no longer authorized to have the information, it was likely a reportable breach under HIPAA and many state laws.

For all that the incident involves, the Ninth Circuit did not find that it was a violation of the federal Computer Fraud and Abuse Act.

Thursday, September 24, 2009

"Smart Grid" privacy issues to be examined by Federal Communications Commission

Smart Grid technology enables electric utilities to use communications and computing technology to glean consumer electric usage patterns to facilitate more efficient network management. It's been identified by the FCC as a promising way to use broadband to promote energy efficiency, reduce greenhouse gas emissions, and encourage energy independence.

These consumer electric usage patterns could conceivably do far more. For example, marketing firms may find valuable market penetration data in consumer electric usage patterns, and law enforcement could use information about electricity usage to pinpoint potential sites of criminal activity. Basically, the very characteristics that make smart grid information valuable to environmental efforts may also have serious implications for consumer privacy, and they are attracting the interest of regulators here in the U.S. and elsewhere.

Specifically, the FCC has sought comment by October 2, 2009 on the issue of how strong privacy and security requirements can be satisfied in deploying smart grid technology without stifling innovation.

The Colorado Public Utilities Commission just closed a comment period last week on the following issues and the comments received on these questions may help to further inform the debate at the national level:

1. What concerns surrounding the collection and analysis of detailed electricity usage information should the CPUC consider as it establishes policies governing access to and use of this information?
2. What, if any, are the trade-offs between protecting privacy and promoting innovation with regards to smart grid technology?
3. Should detailed electricity usage information be protected? If so, how?
4. How do constitutional or statutory protections impact the use of consumers’ detailed electricity usage information collected as part of smart grid initiatives? What protections should be put in place even if not covered by constitutional or statutory provisions?
5. What are the necessary components of effective privacy regulation of consumer electricity usage patterns? For example, should disclosure of consumer information to third-parties be on an opt-in or an opt-out basis, or should the consent-requirement depend on the nature of the party receiving the information?
6. How much information about consumer electricity usage do electric utilities and “edge service providers” require to facilitate more efficient network management, load forecasting, asset management, bill control, demand-side load management, efficiency consulting, energy savings contracting, etc.?
7. How do privacy regulations affect electric utilities and “edge service providers” in their efforts to provide enhanced electricity management services?
8. Who “owns” customer information?
9. What should be a utility’s obligation to “unbundle” metering in homes and businesses?

Tuesday, September 22, 2009

Your mother was right: the FTC confirms you don't get a second chance to make a first impression

Written by Cynthia and Michele

So you thought that if you made "full disclosure" in your online agreements with customers, you'd be OK -- well, it's time to think again.

The FTC recently confirmed in In re Sears Holdings Management Corp that even full disclosure of company practices in an end user license agreement (“EULA”) or terms of service (“TOS”) may be no defense to fraud claims. Nearly all online service providers require users to agree to terms of use. And, typically these terms of use are enforceable. However, the FTC’s recent order makes it clear that the adequacy of the disclosures in a EULA or TOS will be determined not by the completeness of the disclosure itself, but on a case-by-case basis in light of all of the other representations made to consumers. Thus, burying the use of marketing software with behavioral tracking capabilities, even though ultimately disclosed fully, in a multi-step sign-up and download process as Sears did will not necessarily shield a company from a fraud claim.

Requiring online service providers to obtain express consent before employing marketing software is nothing new. For example, in a consent order reached with a company called Zango, the FTC said that express consent is required before employing tracking software with pop-ups -- and tagged Zango for $3 million. In another case, In re DirectRevenue LLC, the FTC required express consent before installing what it called “lureware,” along with a fine of $1.5 million.

What is notable about Sears, however, is the shift in focus from the completeness of the disclosure itself to its completeness in light of all other representations. While a EULA disclosure may be complete in itself, it is now clear that even a full and complete disclosure will not correct other representations if the overall impression is misleading. In short, service providers will not get a second chance to make a good first impression.

Practical advice -- take another look at your EULA or TOS and make sure that it is not just complete, but it is accurate.

Monday, September 21, 2009

What is "reasonable expectation of privacy" in an employment context?

Written by Cynthia and Jennifer

A recent decision by the Maine Supreme Court highlights the tension between an employee's reasonable expectation of privacy in conducting personal business through a company's computer system and the individual's right to prevent the company's publishing of such material. In Fiber Materials, Inc. v. Subilia, the Maine Supreme Court dismissed an interlocutory appeal by a former executive who charged the company with improperly accessing and publishing the executive's attorney-client privileged communications with his attorney which had been stored on the company's computer system. While the court dismissed the appeal for procedural reasons, the court criticized the company's counsel for taking the preemptive position that the material retrieved was appropriately disclosed publicly without first seeking advice from state bar counsel before publishing it in a complaint.

The issues in this case are similar to those raised in the Scott v. Beth Israel case, where a New York trial court concluded that an employee's use of the employer's email system to communicate with his attorney waived the privilege because the employer's policy expressly prohibited personal use of the email system.

While these cases appear to produce two different results, they dictate the care employees and employers alike must take with respect to accessing information on a company-owned computer system and the use of that system in the first instance to conduct any type of personal business, especially sensitive personal business.

Friday, September 18, 2009

Federal Breach Notification Rules -- NEXT WEEK. Are you ready?

Written by Cynthia and Dianne

New federal breach notification rules go into effect next week for covered entities and their business associates and also for vendors of personal health records.

Covered entities (organizations subject to the HIPAA privacy rule) and their business associates must report breaches of unsecured protected health information in accordance with new rules from the Department of Health and Human Services (HHS) starting Wednesday, September 23, 2009. Unsecured protected health information is information that has not been either encrypted or destroyed in accordance with HHS standards. Note that under the rules, a covered entity may not have to report a breach of unsecured protected health information if, after conducting a risk analysis, it believes in good faith that the unauthorized recipient of the PHI would not reasonably have been able to retain it (for example, if misdirected patient correspondence is returned as undeliverable and is unopened).

The breach notification regulations require prompt notification to affected individuals, as well as to the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals must be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches by the business associate.

The HHS regulations were developed in close consultation with the Federal Trade Commission (FTC), which has issued companion breach notification regulations that apply to vendors of personal health records and certain others not covered by HIPAA. The FTC regulations are effective September 24, 2009. The rules are identical with respect to some provisions, similar in others, and completely different in a few others. Those differences can matter because some organizations will be covered by both regulations.

Both the FTC and HHS intend for their regulations’ notices to be combined with the state-required notices, so that a consumer would receive only a single notice. The agencies’ requirements for the content of the notices are practically identical, but the regulations have many differing requirements on a wide range of topics. For example, HHS’ requirements extend to breaches of health information in all formats, including paper, whereas the FTC’s requirements extend only to health information in electronic form. Also remember, there will be different state requirements for notice, some of which (particularly in Massachusetts) will conflict with the FTC/HHS content.

Links:
Text of HHS Breach Notification Rule
Text of FTC Breach Notification Rule
Mintz Matrix of State Data Breach Notification Laws, current as of August 31, 2009

FTC to Hold Data Privacy Roundtables

Here’s an important notice from the Federal Trade Commission -

The FTC will host a series of day-long public roundtable discussions to explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data. Such practices include social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The goal of the roundtables is to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation.

The roundtable discussions will consider the risks and benefits of information collection and use in online and offline contexts, consumer expectations surrounding various information management practices, and the adequacy of existing legal and self-regulatory regimes to address privacy interests. Roundtable participants will include stakeholders representing a wide range of views and experiences, such as academics, privacy experts, consumer advocates, industry participants and associations, technology experts, legislators, international representatives, and others.

The Privacy Roundtables are free and open to the public. The first will be held Monday, December 7, 2009, at the FTC Conference Center at 601 New Jersey Avenue, N.W., Washington, DC. Pre-registration is not required. Members of the public and press who wish to participate but who cannot attend can view a live Webcast at FTC.gov. The Commission plans to convene additional roundtables in subsequent months, and will post information regarding these events at a later date.

Links:
FTC to Host Public Roundtables to Address Evolving Consumer Privacy Issues

Thursday, September 17, 2009

From Privacy Academy - The Seven Step Program

Sounds like common sense, but it is food for thought -- and will be required under new Massachusetts data security regulations:

The seven easy ways to protect PC-based information from theft

The proliferation of personal storage devices (thumb drives, iPods, USB external hard disks, etc.) and simple remote access has created unprecedented levels of convenience and, at the same time, a substantially increased risk of data loss. Pocket-sized external USB storage devices can put hundreds of gigabytes of data storage at your fingertips, which is easily enough space to house an industrial-strength database or thousands of documents, spreadsheets, photos and other sensitive information. With the right software installed, these devices can be configured to automatically transfer data off any machine into which they’re plugged. This can be a convenience for the owner of the data, or, for the Bad Guy, an easy way to access and steal your data. Exploiting this type of threat is very inexpensive and does not take expertise.

Securing your environment is very easy and involves a multi-tiered best-practices approach including:
  • Creating and enforcing sound policies and procedures that lock down the system BIOS on all computers processing, storing or transmitting data.
  • Creating a logon requirement that uses password and/or biometric authentication every time the PC is turned on.
  • Requiring the use of strong passwords of at least 7 characters that combine both alphabetic and numeric characters.
  • Never sharing or writing down your passwords.
  • Automatically forcing password changes every 60 days.
  • Locking the PC after 10 minutes of inactivity to prevent unauthorized access to the machine and its data when the user steps away.
  • Turning off the PC when it is unattended for long periods of time. This is an often overlooked but critical step: if it’s on, it can be accessed remotely.
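As an added example (not from the original post or the Privacy Academy material), here is a small audit that checks constructed workstation inventory records against the measurable rules in the list above: BIOS lock, power-on logon, password age of at most 60 days, and an idle lock of at most 10 minutes, plus a validator for the 7-character letters-and-digits password rule applied at password-change time. The record fields, sample fleet and dates are assumptions constructed for the demo.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Thresholds taken from the seven-step list.
MIN_PASSWORD_LEN = 7
MAX_PASSWORD_AGE_DAYS = 60
MAX_IDLE_MINUTES = 10


@dataclass
class Workstation:
    """Constructed inventory record; field names are assumptions."""
    name: str
    bios_locked: bool
    logon_required: bool
    password_set_on: date             # when the current password was set
    idle_lock_minutes: Optional[int]  # None means the screen lock is disabled


def password_meets_policy(candidate: str) -> bool:
    """Strong-password rule: at least 7 characters, with at least one
    letter and one digit. Apply this when a password is chosen; the
    audit below never needs the password itself."""
    return (len(candidate) >= MIN_PASSWORD_LEN
            and any(c.isalpha() for c in candidate)
            and any(c.isdigit() for c in candidate))


def audit(ws: Workstation, today: date) -> List[str]:
    """Return the rules a workstation fails (an empty list means compliant)."""
    findings = []
    if not ws.bios_locked:
        findings.append("BIOS not locked")
    if not ws.logon_required:
        findings.append("no logon required at power-on")
    age_days = (today - ws.password_set_on).days
    if age_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"password age {age_days}d exceeds {MAX_PASSWORD_AGE_DAYS}d")
    if ws.idle_lock_minutes is None or ws.idle_lock_minutes > MAX_IDLE_MINUTES:
        findings.append(f"idle lock disabled or longer than {MAX_IDLE_MINUTES} minutes")
    return findings


def fleet_report(fleet: List[Workstation], today: date) -> Dict[str, List[str]]:
    """Map each workstation name to its findings."""
    return {ws.name: audit(ws, today) for ws in fleet}


# Constructed sample fleet and audit date.
SAMPLE_DATE = date(2009, 9, 17)
SAMPLE_FLEET = [
    Workstation("ws-01", True, True, date(2009, 8, 1), 10),     # compliant
    Workstation("ws-02", False, True, date(2009, 6, 1), None),  # three findings
]

if __name__ == "__main__":
    for name, findings in fleet_report(SAMPLE_FLEET, SAMPLE_DATE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```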

Gonzalez Hearing: More than 40 MILLION Distinct Credit Card Numbers Recovered

Evan Schuman of StorefrontBacktalk has an interesting piece about last week’s plea in the massive credit card fraud case currently in federal court. Albert Gonzalez pleaded guilty in federal court in the cyberthief case and the plea hearing revealed some remarkable details. According to testimony, the Secret Service has collected “more than forty million distinct credit and debit card numbers from two computer servers” controlled by Gonzalez and his associates and has counted the consumer, retail and bank victims as “an enormous number of people, certainly millions upon millions, perhaps tens of millions.”

Schuman points out that the plea hearing may be the first and last details we receive, because the plea has avoided a federal trial.

IAPP Privacy Academy 2009

The IAPP Privacy Academy is taking place in Boston this week. Privacy professionals from all over the world are gathered to catch up on the latest developments and best practices. I'll blog a bit from the Academy and pass on some of the tidbits.

Thursday, September 10, 2009

Some "light reading" for privacy geeks...

Or, actually, for anyone interested in building privacy into business from the "ground up" and in how privacy can (and should) become a business differentiator. Dr. Ann Cavoukian is Ontario's Information and Privacy Commissioner, has long been an advocate of privacy technologies, and coined the term "Privacy by Design" in the late nineties. Her latest book is called exactly that -- "Privacy by Design" -- and can be downloaded at http://www.privacybydesign.ca/pbdbook/PrivacybyDesignBook.pdf.

It's a must-read for thought leadership in this space.

Maine Lawsuit Dismissed and Law "Likely Unconstitutional"

The lawsuit over the controversial Maine law slated to become effective this week, which would have prohibited all marketing to minors, has been dismissed. Yesterday, the District of Maine issued a Stipulated Order of Dismissal stating that there is a likelihood that the statute is "overbroad and violates the First Amendment." Further (and perhaps more important to business), Judge Woodcock warned that any individual lawsuits brought under the statute’s private right of action would likely face the same fate -- dismissal. "[T]hird parties are on notice that a private cause of action under Chapter 230 could suffer from the same constitutional infirmities" that resulted in his finding that the law was likely overbroad, Woodcock concluded.

In the meantime, the lawsuit was dismissed without prejudice in light of the Attorney General’s representation to the Court that Maine will not enforce the statute and that the Legislature will reconsider it when they reconvene in January 2010.

Other links:
eWeek
Portland Press Herald

Thursday, September 3, 2009

Maine AG - I Will Not Enforce New Marketing Law

It looks as though Maine’s Attorney General will not enforce a controversial new state law that restricts marketing to minors but has drawn a federal lawsuit because plaintiffs argued that the law swept too broadly. The Wall Street Journal today reports that a spokesperson for Maine AG Janet Mills said that Mills will not be enforcing the law and will work with sponsors to amend the legislation when Maine’s legislature reconvenes in January 2010. One caution here, though -- the Maine law contains a private right of action, which means that, although the AG has decided against enforcement, a private party could still bring an individual suit -- or a class action. Stay tuned.

Wednesday, September 2, 2009

Low-Tech ID Theft

As Federal Reserve Chairman Ben Bernanke and his wife recently found out, identity theft often has nothing to do with technology.

PC Mag: Fed Chairman Hit by ID Theft