Wednesday, March 31, 2010

BREAKING NEWS: NJ Court Upholds Employee E-mail Privacy

In a precedent-setting decision, the New Jersey Supreme Court today ruled that a company should not have read e-mails a former employee sent to her lawyer from a private Web account through her employer's computer (See November 5, 2009 Privacy and Security Information blog post). According to the Star-Ledger, the court, which determined the company's policy regarding e-mail use was vague, upheld the sanctity of attorney-client privilege in electronic communications.

Given the importance of this decision to both privacy issues and employer/employee workplace issues, we will provide a complete analysis.

Tuesday, March 30, 2010

Government "Outs" Mystery Retailers in Gonzalez Hack Case

Interesting post in today’s Wired: Threat Level blog about a motion in the Alberto Gonzalez hacking case that was unsealed on Monday. We now have the identities of the other two “mystery” retailers – J.C. Penney was “Company A” and Wet Seal was “Company B.”

J.C. Penney argued unsuccessfully last week that the company’s identity should be kept under seal, and that it (a corporation) was entitled to anonymity under the 2004 Crime Victims' Rights Act. That law was intended to protect the “dignity and privacy” of victims – and that is what Penney argued. But Judge Douglas P. Woodlock was not convinced -- and in fact was "astonished." The Judge said in the hearing that he believed both retailers should have announced their involvement from the start and that consumers had the right to know. Woodlock said he would not provide the companies “insulation from transparency.”

For more: StorefrontBacktalk » JC Penney, Wet Seal: Gonzalez Mystery Merchants

Motion of Government - http://www.wired.com/images_blogs/threatlevel/2010/03/09-cr-10382-14.pdf

Monday, March 29, 2010

More detail on Dave & Buster's FTC Settlement

As we blogged here last week, we were going to post our Client Alert with further details about the settlement and consent order reached by the restaurant chain Dave & Buster's and the Federal Trade Commission relating to the breach suffered by the chain. Here is the alert -- Privacy and Security Alert: Popular Restaurant Chain Settles Federal Trade Commission Data Breach Charges.

Tip: This breach was the result of malicious hacking. In fact, the hacker - Alberto Gonzalez - was just sentenced to 20 years in federal prison for his crime. However, the FTC's concern was that the restaurant chain did not have "reasonable security measures" in place to prevent the hacking in the first place, or to detect it as it was occurring. Time to take stock of the point-of-sale systems in your store/restaurant.

French Senate Passes Breach Notice Bill

The French Senate has overwhelmingly approved a major draft bill updating the country's 1978 data protection act to, among other things, create the European Union's strongest breach notification requirement and expand powers of the French data protection authority, known as "CNIL."

This bill also doubles monetary penalties for violations of the data protection law. It now moves on to the National Assembly.

The bill, as passed by the Senate, is available, in French, at http://www.senat.fr/petite-loi-ameli/2009-2010/331.html

Friday, March 26, 2010

Privacy and Security Bits and Bytes

Some news items for the last Friday in March -

Another state has joined the Payment Card Industry Data Security Standard ("PCI") bandwagon. On March 22, 2010, Washington state became the third state to incorporate the standard into law. The Washington House and Senate passed HB 1149 and it has been signed into law by the governor. HB 1149 amends Washington’s breach notice law (and borrows some of its definitions). Similar to Minnesota’s Plastic Card Security Act, HB 1149 provides issuing banks a legal mechanism to collect the costs to reissue payment cards after a payment card security breach. The law is effective July 1, 2010.

How often do you change your password? A Symantec report finds that an astounding 10 percent of us don’t change them AT ALL. See: Most users don't change password often enough, report says (Digital Media - CNET News)

Condom Web Site Threatens to Sue Person who Outed Their Leakage - An Indian Web site that sold Durex condoms has threatened legal action against the person who exposed a data breach on the site. Earlier this month, a user of the site noticed that he could view customers' names, addresses, contact numbers and order details, The Register reports.

Following up on a Privacy and Security Bits and Bytes from a couple of weeks ago on the potential privacy implications of copy machines, The Toronto Star has a more in-depth piece on the wealth of information stored on the hard drives of high-end copy machines.

HHS Announces Delay in Enforcement of HITECH Rules as Applied to Business Associates

As we have discussed before, HHS’s Office of Civil Rights has let it be known that a proposed rule implementing the HITECH Act’s privacy and security provisions as they apply to business associate liability is in the works. The proposed rule will also deal with new limitations on the sale of protected health information, marketing, and fundraising communications, and stronger individual rights to access electronic medical records, among other things. According to the Office of Civil Rights, the proposed rule “will provide specific information regarding the expected date of compliance and enforcement of these new requirements.”

We take this to mean that enforcement of these particular HITECH Act provisions will be delayed.

For more information, see the Mintz Levin Health Law and Employee Benefits Alert just published.

Restaurant Chain Settles FTC Data Breach Charges

Yesterday, the Federal Trade Commission (“FTC”) weighed in with another proposed settlement agreement requiring that the Dave & Buster's restaurant chain, which experienced a massive data breach in 2007, establish and maintain a comprehensive information security program as a condition of settling a consumer protection action arising out of that data breach.

This is the FTC’s 27th case challenging faulty data security practices by organizations that handle sensitive consumer information.

Our Client Alert with complete links to the draft order and complaint and full discussion will be posted later today.

Thursday, March 25, 2010

TJX hacker sentenced to 20 years

A computer hacker has been sentenced to 20 years in prison for helping engineer one of the largest thefts of credit and debit card numbers in US history.

http://www.boston.com/business/ticker/2010/03/tjx_hacker_sent.html

Wednesday, March 24, 2010

Senate Commerce Committee Approves Rockefeller-Snowe Cybersecurity Act

We will post a link to the amended legislation as soon as it is released by the Committee.

The Senate Commerce Committee press release --

WASHINGTON, D.C.—Senator John D. (Jay) Rockefeller IV, Chairman of the U.S. Senate Committee on Commerce, Science, and Transportation, and Senator Olympia J. Snowe (R-ME), a senior member of the committee, issued the following statements today after the Commerce Committee favorably reported out the Rockefeller-Snowe Cybersecurity Act.

“Our future is literally being stolen from us. Cyber attacks and hackers are at work raiding property and proprietary information from U.S. companies and innovators,” said Chairman Rockefeller. “The status quo is not sustainable. We need a new model for the 21st century. We must secure America’s critical networks, innovation and competitiveness in the global market. The Rockefeller-Snowe Cybersecurity Act provides a framework for a fundamentally new approach to combating cyber attacks. Today, we took another big step in moving this enormously important legislation forward.”

“It is simply undeniable that cyber intrusions and attacks represent both a potential national security and economic catastrophe as our vital information infrastructure – nearly 90 percent of it – is owned and operated by the private sector,” said Senator Snowe. “Without adequate cooperation between the public and private sectors to protect our critical infrastructure information systems – our strategic national assets – we risk a cyber-calamity of epic proportions with devastating implications for our nation. Our initiative, which is the culmination of a year’s worth of consultation and input from across the spectrum, streamlines cybersecurity-related functions and clarifies the responsibilities of government and private sector stakeholders.”

Boston ranks 2nd in U.S. cyber-crime study

A new study has Boston ranked No. 2 among U.S. cities as a "hotspot" of cybercrime.

In a study published yesterday by California data security firm Symantec Corp. (Nasdaq: SYMC), Boston registered as the second-riskiest city in the U.S., after Seattle, due to its high concentration of cyber crimes and WiFi availability. Out of 50 cities spotlighted in the report, Boston narrowly missed the top spot, with a risk score of 176.6 to Seattle’s 188.2. In third place was Washington, D.C., and in fourth was San Francisco.

According to Symantec’s report, Boston’s problems come from an especially high concentration of “spam zombies” — computers taken over by outside hackers to send out spam.
Another factor is the Hub’s many unsecured WiFi hotspots — 53.6 per 100,000 residents — where cyber criminals may lurk, trolling for unwitting users. While high-profile or widespread computer attacks are relatively rare, small-scale attacks like these threaten even savvy computer users, the report noted.

The complete list of cities and further description of the Symantec report can be found in a ComputerWorld report linked here: Symantec names riskiest U.S. cities for cybercrime

Quick Compliance Survey

No, we're not "taking names" here. This is just a 10-question survey to gauge some basic compliance metrics. Please participate!

Click here to take survey

Tuesday, March 23, 2010

International Cybercrime Reporting and Cooperation Act introduced this afternoon

Senators Gillibrand and Hatch this afternoon introduced their cybersecurity bill, the International Cybercrime Reporting and Cooperation Act.

The complete text of the bill is not yet available online, but the press release does include the details of the bill, which would: (1) require an annual Presidential report on the state of other countries' use of communication infrastructure and the extent of cybercrime in those countries; (2) provide assistance to countries with low information, telecommunications and communications penetration in order to prevent these countries from becoming cybercrime havens; (3) identify countries of cybercrime concern; (4) suspend benefits to countries that fail to meet cybercrime benchmarks; and (5) require the Secretary of State to designate a senior official at the State Department to coordinate and focus on activities, policies and opportunities to combat cybercrime internationally.

More information -- Bill Focuses On Global Cybercrime Measures - Tech Daily Dose - Tech Daily Dose

Massachusetts Data Security Compliance Workshop

In case your data security compliance plan is stuck in neutral, you have questions, or you haven't started yet...there will be a free (!) breakfast hands-on workshop on Thursday in Tewksbury, MA.

"Massachusetts Data Protection Law: Demystifying the Details" is being sponsored by the Merrimack Valley Venture Forum. The Merrimack Valley Venture Forum has assembled a panel of legal, technology, and process experts to break down the law and give you a clear path to compliance through a hands-on workshop. Panelists include: Cynthia Larose, Mintz Levin, Matt Pettine, MFA Cornerstone Consulting, Nagraj Seshadri, Sophos, and Mike Spinney, SixWeight. Registration through Wednesday afternoon at 5:00 pm at sferrara@mvvf.org.

Bring your questions!

Monday, March 15, 2010

Maine Legislative Committee Votes to Repeal Marketing Law Aimed at Minors

We have blogged about the on-again, off-again, then on-again (but revised) Maine "Act to Prevent Predatory Marketing Practices Against Minors". Well, it’s now off. For good. Last week, a Maine legislative committee voted to repeal the controversial online marketing law, widely seen as unconstitutional, which restricts the data that can be collected from minors in the state.

The bill's sponsor, state senator Elizabeth Schneider, also withdrew a proposal for a narrower measure that would have only banned companies from collecting data about minors for the purpose of marketing prescription drugs to them. The full Maine legislature is expected to vote on the repeal within a few weeks.

Thursday, March 11, 2010

Privacy and Security Bits and Bytes

Our Friday afternoon feature is back (albeit on Thursday, because of tomorrow's schedule) – a quick round-up of bits and bytes related to data privacy and security.

Don't Ignore New Massachusetts Data Privacy Regs – a piece by Lora Bentley from ITBusinessEdge (for which the editor of this blog was interviewed)

Your smart phone may soon be smarter than you’d like it to be: researchers in Japan have produced a mobile phone that can track movements of the user and beam the information back to an employer (or anyone else who wants it)….BBC News - Mobile that allows bosses to snoop on staff developed

Something else to consider when undertaking those risk assessments to determine where personal information is – and what you need to control when it leaves: have you thought about what is stored on the hard drive of your copy machine? This piece from Boston TV station WBZ is eye-popping -- Copy Machines Can Store Your Private Info - wbztv.com

Wired reported this week that the U.S. Supreme Court will take on another “informational privacy” case that could have far-reaching impact. This makes the second privacy case that the Supremes will be hearing in this term.

And, what you say at a privacy/security conference isn’t necessarily “private” or “secure” and could get you fired. Computerworld’s article -- Pennsylvania fires CISO over RSA talk – says that the former PA CISO spoke at an RSA security panel last Thursday – and is no longer working for the Commonwealth.

Enjoy the weekend -

Big Fines Coming in UK for Data Breaches

By Susan Foster, Mintz Levin London

As of April 6, 2010, the UK’s Information Commissioner’s Office (ICO) can levy fines of up to £500,000 for breaches of the Data Protection Act 1998 that are:
• serious in nature
• deliberate or reckless, and
• likely to cause substantial damage or distress to an individual.

The standard for “reckless” non-compliance may take some by surprise: Did the data controller know, or should it have known, that there was a risk of a breach of a kind likely to cause substantial damage or distress? If so, were reasonable steps taken to prevent the breach?

The ICO has given a specific example that may make IT and privacy officers flinch, but will come as no surprise to those in the U.S. who have been dealing with the likes of Massachusetts 201 CMR 17.00 or the HITECH Act: Does the company have appropriate policies and procedures in place such as the encryption of all laptops and removable media (such as flash drives) to avoid loss of personal data if an employee’s laptop or removable media is stolen? Failing to do so might be considered “reckless” depending on the likely consequences of the loss of personal data contained in the unsecured devices.

Further Information
For more information, see our Mintz Levin Client Alert. Also, the ICO has published detailed guidance concerning when fines will be issued, the process for trying to get fines withdrawn or reduced, how to appeal, and payment.

Wednesday, March 10, 2010

Another Potential Privacy Pitfall on Facebook

Rumors are flying that Facebook will unveil a new geolocation sharing device next month. According to a post in Bits Blog in the New York Times, you will be able to share your location with friends without updating your status. Jared Newman in an article in PCWorld has a good point … “My gut reaction is nervousness….”


Related Links

Facebook Updates May Share Your Location Soon - PCWorld

Tuesday, March 9, 2010

Breaking News - ID Theft Company to Pay $12 Million for Deceptive Advertising

“[E]nough holes that you could drive a truck through it…..”

That’s how Federal Trade Commission Chairman Jon Leibowitz described the identity theft protection offered to consumers by the widely-advertised LifeLock product and the claims made by the company that its service provided comprehensive identity theft protection. Those claims have cost the company $12 million in a settlement announced today by the FTC chairman and Illinois Attorney General Lisa Madigan. According to the lawsuit, LifeLock claimed its service would protect consumers against all forms of identity theft, when, in fact, LifeLock offered only limited protection against only some forms of identity theft and had no effect on the most common form: the misuse of existing credit card and bank accounts.

The settlement was announced at a press conference today and LifeLock has agreed to pay $11 million to the FTC and $1 million to a group of 25 state attorneys general to settle the deceptive advertising charges. In addition to the $12 million settlement, LifeLock and its co-founders Richard Todd Davis and Robert J. Maynard, Jr. are prohibited from making deceptive claims and required to better safeguard customers’ personal information.

The FTC will use the $11 million it receives from the settlements to provide refunds to consumers. It will be sending letters to the current and former customers of LifeLock who may be eligible for refunds under the settlement, along with instructions for applying.

Links
Complaint - Federal Trade Commission, Plaintiff, v. LifeLock, Inc., a corporation; Robert J. Maynard, Jr., individually and as an officer of LifeLock, Inc.; and Richard Todd Davis, individually and as an officer of LifeLock, Inc., Defendants

Press Release - Information on Lifelock Settlement

Thursday, March 4, 2010

Major "goof" at Citibank

For all of you who have been struggling with data security compliance obligations from various fronts, and trying to handle complex technical issues such as encryption of portable devices and data "at rest" and "in transit" --- here is a very big story regarding plain old everyday mail. If you are a Citibank customer, Citi may have printed your Social Security number on the outside of an envelope that it has sent to you ..... and about 600,000 other customers.

Check this out at WalletPop

Tuesday, March 2, 2010

Hotel Chain Hacked Again....

Wyndham Hotels and Resorts has apparently notified the U.S. Secret Service and several state attorneys that hackers stole customer names and payment card information from its computer system. Wyndham has since notified credit card companies so that affected cardholders' accounts may be monitored. It also has hired a firm to investigate the breach and assist in data security improvements. This is the company's third data breach in one year.

Related Links
Letter posted to Wyndham website
V3 UK - Wyndham Hotel Chain Hacked Again

Monday, March 1, 2010

Today is the day......

After implementation delays and rule changes, new data protection regulations that are widely considered the most stringent in the nation take effect today. The Massachusetts data security regulations require institutions that hold personal data on Massachusetts citizens to encrypt that information and implement written data protection policies, reports the Boston Globe.

Discussion continues and questions abound. Will this set the bar nationwide as the articulation of what constitutes "reasonable security" for personal information? How should companies handle the varying risk of harm standards when dealing with state laws and federal law, such as the HITECH Act?