Friday, April 30, 2010

Privacy and Security Bits and Bytes

On this last day of April, there are a couple of breaches and another clarion warning about copy machines --


We have blogged on this issue here and here -- and again, there is another warning about the treasure trove of information residing on the hard drive of your copy machine. A CBS Evening News investigation revealed just how much information is stored on copy machines that gets passed on when the machine’s lease is up and the machine is resold. Adding one more to the mounting pile of privacy-related investigation requests the Federal Trade Commission has received in recent days, U.S. Rep. Edward Markey (D-MA) requested the commission look into the issue in a statement released yesterday.

Make sure that you don’t violate data protection laws in Guernsey – the offshore banking center has amended its privacy law to include prison time for violations. Persons found guilty under Section 55 of the law of unlawfully obtaining (or disclosing) personal data without the consent of the data controller may now face a prison sentence. Previously, the most severe penalty available was a fine of up to £10,000. (Data protection law amended - International Law Office)

Add Mexico to the list of countries with a national comprehensive data protection law. Mexico's Senate on Tuesday unanimously approved the Federal Law of Protection of Personal Information. The law establishes the rights and principles of data protection in the private sector, and was nine years in the making.

And two “breaches du jour”: The Louisville Courier-Journal reports that a flash drive containing the personal information of 24,600 patients of a psychiatric hospital has gone missing. According to the report, the drive contained patient names, admission and discharge dates and dates of birth. (Begs the question of why protected health information (or PHI) is on an unsecured flash drive in the first place....) And, in California, St. Jude Heritage Healthcare has notified 22,000 patients about the theft of five hospital computers containing their PHI.

Thursday, April 29, 2010

Connecticut Woman Files First Suit Under Federal Law Prohibiting Genetic Discrimination

Written by Jennifer Rubin

A Connecticut woman has filed a charge of discrimination under the Federal Genetic Information Nondiscrimination Act ("GINA"), which prohibits discrimination against employees based upon their status as carriers of genetic information. The woman claims her status as a carrier of the BRCA2 gene, a gene sometimes associated with the elevated risk of breast cancer, led to her termination after she had preventive surgery relating to her breast cancer risk.

GINA was passed to address concerns of individuals who might be reluctant to undergo genetic testing because the results, if disclosed to an employer, might be used in a discriminatory manner. While it is premature to predict the probable outcome of this employment dispute, it reminds employers of their obligations to comply with GINA and numerous other Federal and state laws concerning the management and use of health information in the workplace.

Related Links:

Hartford Courant
Woman claims genetic test led to firing at Stamford firm - StamfordAdvocate
Home WGGB abc40 News, Weather and Sports in Springfield Massachusetts

Monday, April 26, 2010

Proposed HITECH Regulations Out in May?

Buried in a part of today's Federal Register was the publication of the Department of Health and Human Services' regulatory agenda. The agenda presents a forecast of expected HHS rulemaking activities and suggests that in May of this year HHS will issue the long-awaited proposed rules to modify the HIPAA Privacy, Security, and Enforcement Rules as necessary to implement the privacy, security, and certain enforcement provisions of the HITECH Act (see our earlier blog posts).

The Department is also scheduled to issue a final rule in May of this year, addressing the certification standards and implementation criteria for electronic health record technology.

Thursday, April 15, 2010

Brokerage firm victim of elaborate extortion scheme - but also gets hit with a fine

Brokerage firm DA Davidson has agreed to pay a fine of $375,000 for failing to protect confidential client data from Latvian hackers who breached the company in 2007 in an online extortion scheme; three of the hackers have pleaded guilty in Montana.

The hackers used a SQL injection attack to obtain access to the company’s database on Dec. 25 and 26, 2007.

The Financial Industry Regulatory Authority, which announced the fine agreement on Monday, said although the attack activity was reflected in the brokerage’s server logs, administrators failed to examine those logs. The intruders obtained data on about 192,000 customers, according to the press release announcing the fine. (Previous reports indicated that more than 300,000 customer files were stolen). The data included customer account numbers, Social Security numbers, names, addresses, dates of birth and other private information.

The company discovered the breach only after receiving an extortion e-mail from one of the hackers on Jan. 16, 2008, which contained an attachment with the records of 20,000 customers as proof of the intrusion. DA Davidson contacted the Secret Service, and the subsequent investigation led to four suspects, three of whom are Latvian nationals, who were extradited from the Netherlands to face charges in Montana. In a statement released yesterday by the U.S. Attorney for Montana, the three Latvians pleaded guilty to receipt of extortion proceeds.
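The regulator's point was that the intrusion was visible in the server logs but nobody reviewed them. The following is an added example, not code from DA Davidson, FINRA or this blog, of the kind of routine review that would have surfaced it: it parses web server access log lines, URL-decodes each request, and flags the generic SQL injection indicators (quote-and-tautology, UNION SELECT, stacked queries, comment terminators, schema probes). The log lines, addresses and paths are constructed for illustration and do not describe the 2007 attack.

```python
"""Added example (not DA Davidson's, FINRA's or the blog's code): a log-review
routine that flags SQL injection indicators in web server access logs.
All log lines, IP addresses and URL paths below are constructed."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache/nginx "combined" access log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Generic SQL injection indicators, checked against the URL-decoded path and query.
# This is a starting set for a review, not a complete signature list; "comment"
# in particular can fire on legitimate text that happens to contain "--".
INDICATORS = [
    ("tautology",     re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I)),
    ("union-select",  re.compile(r"\bunion\b.{0,40}\bselect\b", re.I)),
    ("stacked-query", re.compile(r";\s*(drop|insert|update|delete|exec|xp_)", re.I)),
    ("comment",       re.compile(r"--|/\*")),
    ("schema-probe",  re.compile(r"\b(information_schema|sysobjects|pg_catalog)\b", re.I)),
]


def parse_line(line):
    """Return the fields of one access log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"]) if rec["size"].isdigit() else 0  # "-" means no body
    return rec


def classify_request(path):
    """Return the labels of every indicator found in the decoded path and query string."""
    decoded = unquote_plus(path)
    return [label for label, rx in INDICATORS if rx.search(decoded)]


def scan_log(text):
    """Review every line; return one finding per request that carries an indicator."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        labels = classify_request(rec["path"])
        if labels:
            findings.append({"ip": rec["ip"], "time": rec["time"], "status": rec["status"],
                             "size": rec["size"], "path": unquote_plus(rec["path"]),
                             "indicators": labels})
    return findings


def summarize(findings):
    """Count flagged requests per source address: the first thing a reviewer looks at."""
    return dict(Counter(f["ip"] for f in findings))


# Constructed sample: one source probes a lookup page with escalating payloads while
# another source browses normally. Note the response size jump on the UNION request.
SAMPLE_LOG = """
203.0.113.7 - - [25/Dec/2007:03:14:07 -0700] "GET /accounts/lookup?client_id=1042 HTTP/1.1" 200 1813 "-" "Mozilla/4.0"
203.0.113.7 - - [25/Dec/2007:03:14:22 -0700] "GET /accounts/lookup?client_id=1042%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 98211 "-" "Mozilla/4.0"
203.0.113.7 - - [25/Dec/2007:03:15:01 -0700] "GET /accounts/lookup?client_id=1042%27%20UNION%20SELECT%20name,ssn,NULL%20FROM%20clients-- HTTP/1.1" 200 1660042 "-" "Mozilla/4.0"
198.51.100.5 - - [25/Dec/2007:03:16:40 -0700] "GET /research/report?id=77 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.5 - - [25/Dec/2007:03:17:02 -0700] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Dec/2007:01:02:03 -0700] "GET /accounts/lookup?client_id=1042;%20DROP%20TABLE%20audit HTTP/1.1" 500 312 "-" "Mozilla/4.0"
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["ip"]} {",".join(h["indicators"]):<22} '
              f'status={h["status"]} bytes={h["size"]} {h["path"]}')
    print("flagged requests per source:", summarize(hits))
```

Run against real logs this would be a daily job rather than a one-off, and the per-source count plus the response size column are what turn three odd-looking requests into an incident worth escalating; a lookup that normally returns a couple of kilobytes and suddenly returns over a megabyte is a data export, whatever the status code says.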

More: Wired Magazine
Three Plead Guilty in Plot to Extort DA Davidson - Financial Planning
The United States Department of Justice - United States Attorney's Office

Federal Regulators Release Model Consumer Privacy Notice Online Form Builder

Last year, the eight federal regulators that regulate the financial services industry issued a "simplified" model privacy notice that was published in the Federal Register on December 1, 2009. Today, the regulators released an "Online Form Builder" to guide a covered institution to select the version of the model form that fits its practices, such as whether the institution provides an opt-out for consumers.

Under the new regulation, to obtain a legal "safe harbor" and satisfy the disclosure requirements under the Gramm-Leach-Bliley Act, institutions must follow the instructions in the model form regulation when using the Online Form Builder.

The form is available here: Online Form Builder

Friday, April 9, 2010

Privacy and Security Bits and Bytes

Our Friday afternoon feature --

Virginia Adds Medical Information Breach Law - The Commonwealth of Virginia has amended its data breach notification law to include breaches of medical information. For the text of the amendment, link here. Even if the data is encrypted, the law requires notice if the breach involved a person with access to the encryption key. The law requires notice to affected individuals (residents of Virginia) as well as Virginia's Office of Attorney General. The Attorney General can bring an action for violations of the law and impose civil penalties up to $150,000 per breach (or a series of similar breaches of a similar nature that are discovered in a single investigation). The law does not apply to persons or entities that must report the breach under the HITECH Act.

“Data Security – It’s a Responsibility, Not an Option” – interesting point of view from InfoSecIsland.


FTC Complaint Focuses on Tracking, Profiling of Consumers -- Yesterday, the Center for Digital Democracy, the US Public Interest Research Group, and the World Privacy Forum filed a complaint with the FTC regarding two emerging trends in online advertising that they say pose growing threats to consumer privacy: auctioning of individual Internet users for targeted advertising opportunities and the combination of online and offline data about Internet users. The complaint describes what the groups feel is a growing trend in online behavioral advertising that involves the real-time sale and trade of the right to target individual users with online ads through the use of data compiled about users via their Web surfing habits. The groups have asked the FTC to investigate the data and advertising exchanges operated by Google, Microsoft and Yahoo, as well as several firms that support the auctioning and data collection/targeting system, including AppNexus, BlueKai and Rubicon Project. Furthermore, the groups have asked the FTC to require the firms involved in real-time online tracking and auction bidding to allow consumers to opt in to such activities; require firms to update their privacy policies so consumers are aware of these activities; and ensure consumers are compensated for the use of their data. Stay tuned.

Large UK Data Breach Penalty Takes Effect -- As we warned you in this space last month, this week marks the effective date of the new, substantially higher fines in the UK for data loss. Reports are that up to 65 percent of workers are unaware of the new penalties – which can quickly hit £500K for large scale breaches. If you’re operating in the UK, check out Data loss fines hit £500K from today • The Register or ICO vows to impose heavy fines for major data breaches - 07 Apr 2010 - Computing.

And Finally --

This item from Wired Magazine proves yet again that identity theft is not limited to computer hacking or interception of electronic messages. A 74-count indictment unsealed yesterday in Arizona details charges that a group of sophisticated identity thieves managed to steal millions of dollars by filing bogus tax returns using the names and Social Security numbers of other people, many of them deceased.

Thursday, April 8, 2010

Mississippi Becomes 46th State to Enact Data Breach Notification Law

It appears that Governor Haley Barbour has signed legislation sent to his desk by the Legislature on April 1, making Mississippi the 46th state to enact a data breach notification law.

Similar to most of the other laws, the Mississippi law applies to any person who owns, licenses or maintains computerized personal information of any resident of that state. Breaches must be disclosed “without unreasonable delay.” It does not appear that the Mississippi law imposes any out-of-the-ordinary obligations on businesses, but the trend continues. The law becomes effective July 1, 2011.

Link to text of legislation:

HB 583 (As Sent to Governor) - 2010 Regular Session

Tuesday, April 6, 2010

More on last week's NJ Supreme Court decision -

The decision we blogged about in this space last week is creating quite a bit of buzz in both privacy and employment law circles. My employment law colleagues in our New York office have authored an analysis of the decision here: Employment Alert: New Jersey Supreme Court Finds Privacy Rights in Employee E-Mails

And, the International Association of Privacy Professionals' Daily Dashboard quoted my partner, Jen Rubin:

PRIVACY LAW -- U.S.
Employee E-mail Decision Spurs More Questions
Last week's New Jersey Supreme Court decision that employees should have an expectation of privacy when they use personal e-mail accounts on corporate computers is raising new questions, NetworkWorld reports. The court's decision specified that when it comes to monitoring employees' actions online, "employers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy." Jen Rubin, attorney at Mintz Levin in New York, says the decision brings up new questions about employer ownership of e-mail created on company-issued computers and is likely to have businesses taking much closer looks at their e-mail policies. Full Story

This is an important decision with wide-reaching implications. If you are an employer and you have not looked at your "Acceptable Use Policy" or other such electronic systems policy in a while (or worse, if you don't have one at all...), this case should motivate you to pull it out and look again.