Tuesday, June 29, 2010

Latest Postponements and Exemptions of FTC Enforcement of ‘Red Flags’ Rule

Written by Kenneth Gantz

At the urging of congressional lawmakers, the Federal Trade Commission has for the fifth time delayed enforcement of the “Red Flags” Rule – this time through December 31, 2010. In the interim, Congress plans to consider legislation that would alter the scope of entities covered under the Rule.

Under the Fair and Accurate Credit Transactions Act, Congress directed the FTC and other agencies to develop regulations requiring financial institutions and creditors to address the risk of identity theft. The FTC in turn sought to impose the Red Flags Rule, requiring all such entities to develop and implement written identity theft prevention programs.

In a news release issued on the organization’s website, “[the FTC] urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays.” The Commission goes on to explain that it will begin enforcement sooner should Congress pass legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010.

Additionally, the FTC agreed on June 25 to temporarily exempt physicians from the Red Flags Rule. Per a joint stipulation with the American Medical Association and other health organizations, the FTC will wait until the U.S. Court of Appeals for the District of Columbia resolves questions concerning the Rule’s scope before it seeks enforcement against physicians. The AMA, American Osteopathic Association, and the Medical Society of the District of Columbia had filed a lawsuit on May 21 to prevent the FTC from applying the rule to physicians (AMA v. FTC, D.D.C., No. 1:10-cv-00843), arguing that the FTC exceeded its statutory powers and acted in a manner that is “arbitrary, capricious, and contrary to the law.”

The District Court previously barred the FTC from applying the Red Flags Rule to attorneys following a similar challenge by the American Bar Association. The FTC appealed that decision, and the health group’s lawsuit will now be put on hold until the Court of Appeals issues its opinion in the ABA case.

Related Links:
http://www.ftc.gov/opa/2010/05/redflags.shtm

http://www.healthdatamanagement.com/news/red-flags-rule-identity-theft-lawsuit-physicians-40572-1.html

http://www.ama-assn.org/ama1/pub/upload/mm/395/red-flags-lawsuit.pdf (AMA’s complaint)

Monday, June 28, 2010

Major Data Breach at California Health Insurer

Written by Kenneth Gantz

Anthem Blue Cross is notifying approximately 230,000 members and applicants for individual health insurance of a breach involving a web site used by individuals to apply for insurance and track the status of their applications. Anthem claims that attorneys managed to manipulate the web address within the web site in order to obtain information in support of a class action lawsuit against the insurer.

The attorneys were apparently able to access medical information in addition to Social Security and credit card numbers, resulting from a failure to reinstate security mechanisms following an October 2009 upgrade to the web site. As part of a statement issued by the company, Anthem offered the following: "The ability to manipulate the web address (URL) was available for a relatively short period of time following an upgrade to the system. After the upgrade was completed, a third party vendor validated that discovered, we made the necessary security changes to prevent it from happening again." "We have requested both by letter and in court filings that the attorneys return all information improperly obtained from the individual application system and as a result, that information has been delivered to a court approved custodian who will ensure its security."

Interestingly, Anthem said that “out of an abundance of caution” it is providing a detailed notification explaining what happened to individuals who might be affected by the breach, while apparently taking the position that it is under no legal obligation to do so. California law requires that affected residents be notified of breaches of health information. See http://www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf. The insurer will also offer notified individuals a year of free identity protection services. Meanwhile, Anthem is weighing legal action it might take “with respect to the data, the impact—if any—on our members, and the remediation costs incurred as a result of these actions.”
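The Anthem incident, as described above, is a case of a record being served for whatever identifier appears in the URL, with the ownership check dropped during an upgrade. The following is an added illustration (not Anthem's code, and no part of the original post) of that failure mode beside its corrected form, using constructed in-memory records and hypothetical function names; the point of the last function is that an ownership check of this kind is something a regression test can verify after every release, so that an upgrade cannot silently remove it.

```python
"""
Added illustration: an application-status lookup without and with an
object-level authorization (ownership) check. All data is constructed.
"""
from dataclasses import dataclass


class NotFound(Exception):
    """Raised when a record is absent or not visible to the caller."""


@dataclass(frozen=True)
class Application:
    app_id: str
    owner_id: str
    status: str
    ssn_last4: str  # constructed placeholder, stands in for sensitive fields


# Constructed in-memory store standing in for the application database.
APPLICATIONS = {
    "1001": Application("1001", "user-a", "pending", "1234"),
    "1002": Application("1002", "user-b", "approved", "9876"),
}


def status_lookup_unchecked(session_user: str, app_id: str) -> Application:
    """The failure mode: the record is returned for whatever id appears in
    the URL; the logged-in user is never compared with the record's owner."""
    try:
        return APPLICATIONS[app_id]
    except KeyError:
        raise NotFound(app_id) from None


def status_lookup_checked(session_user: str, app_id: str) -> Application:
    """Corrected form: the record must exist AND belong to the session user.
    'Missing' and 'not yours' give the same response, so iterating over ids
    reveals nothing about which ids exist."""
    app = APPLICATIONS.get(app_id)
    if app is None or app.owner_id != session_user:
        raise NotFound(app_id)
    return app


def cross_account_access_is_blocked(lookup) -> bool:
    """Regression check for a lookup handler: passes only if no user can
    read a record owned by a different user. Run it against every build."""
    users = {a.owner_id for a in APPLICATIONS.values()}
    for app in APPLICATIONS.values():
        for user in users:
            if user == app.owner_id:
                continue  # owners are allowed to see their own record
            try:
                lookup(user, app.app_id)
            except NotFound:
                continue  # correctly refused
            return False  # a foreign record was served: the check is missing
    return True


if __name__ == "__main__":
    print("unchecked handler blocks cross-account reads:",
          cross_account_access_is_blocked(status_lookup_unchecked))
    print("checked handler blocks cross-account reads:",
          cross_account_access_is_blocked(status_lookup_checked))
```

The regression function deliberately takes the handler as a parameter: the same check can be pointed at the pre-upgrade and post-upgrade code paths, which is exactly the comparison that was missing in the sequence the statement describes.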

Related Links:
http://www.insurancenetworking.com/news/health_insurance_technology_Anthem_Blue_Cross_data_security_risk-25114-1.html

Friday, June 25, 2010

July 13 Data Security Workshop - FREE

On July 13, Mintz Levin will be joined by Sophos, Six Weight Consulting, and MFA Cornerstone Consulting to hold a free compliance workshop focused on both the gaps and overlap of Massachusetts’ data protection regulation 201 CMR 17.00 and the recent updates to federal health and medical data privacy found in the HITECH Act. We'll have an interactive hands-on workshop that will help you to address some critical questions within your organization:
  • What are my organization’s and business partners’ obligations?
  • What kind of information do I need to protect, and how do I identify it?
  • Is data encryption necessary?
  • What is a WISP?
  • What is a data breach, and what is my responsibility and liability if I have one?

For information or to register to attend the event, which will be hosted by Mintz Levin in our downtown Boston office, please click this link: http://tinyurl.com/35pk3yr

Thursday, June 24, 2010

Twitter Settles With FTC

Twitter has reached a settlement with the Federal Trade Commission (FTC) over charges that it “deceived consumers and put their privacy at risk by failing to safeguard their personal information.” In the Matter of Twitter, Inc.

The FTC had alleged that “serious lapses” in Twitter’s security last year "allowed hackers to obtain administrative control of Twitter, including access to tweets that consumers had designated private, and the ability to send out phony tweets pretending to be from then-President-elect Barack Obama and Fox News, among others." The two incidents mentioned involved hackers using password-guessing tools to gain access to administrative functions. Under the settlement, Twitter must maintain a comprehensive information security program, to be assessed by a third party every other year for 10 years. It also will be prohibited from misleading consumers about the extent to which it maintains and protects the security, privacy and confidentiality of nonpublic consumer information.

Related links:

Twitter Settles Charges that it Failed to Protect Consumers' Personal Information; Company Will Establish Independently Audited Information Security Program

Twitter settles with US regulators over privacy breach - Yahoo! News

Twitter settles with FTC for privacy breach Forrester Blogs

Tuesday, June 22, 2010

FTC Highlights Need for Privacy and Security in Internet Commerce

Written by Jillian Collins

The Federal Trade Commission has weighed in as part of the Department of Commerce's public comment process on privacy and security issues. According to the FTC's comment, consumers trusting that their personal information will be safeguarded is essential to the success of e-commerce, and innovation is essential to ensuring privacy in the fast-paced, ever-changing world of the Internet economy. The topic of innovation and internet privacy controls has been, and continues to be, one of the FTC’s "highest consumer protection priorities for more than a decade," according to the comment.

In the comment, the FTC laid out several aspects of its privacy program. The agency has led nearly 30 enforcement cases challenging business practices that allegedly failed to secure consumers' personal information, and has made efforts to educate consumers and businesses about privacy and security in an online world. The FTC also has several policy initiatives, including promoting self-regulation in online behavioral advertising, and participates in international privacy programs. The agency hosted several privacy roundtables and plans to publish privacy and security proposals for public comment later this year.

Related links:
http://www.ftc.gov/opa/2010/06/foodinternet.shtm

The Google Payload Data Fallout Continues

Written by Jillian Collins

Connecticut Attorney General Richard Blumenthal says he will lead a multistate investigation into Google Street View cars’ unauthorized collection of personal data from WiFi networks. The Connecticut AG said he expects a significant number of states to participate. More than 30 states participated in a recent conference call regarding the Connecticut investigation.

In a statement released yesterday, Blumenthal called Google’s data collection a “deeply disturbing invasion of personal privacy,” and said that consumers have a right to know what personal information, including potentially emails, web browsing habits and passwords, Google may have collected. “Google must come clean, explaining how and why it intercepted and saved private information broadcast over personal and business wireless networks,” he said. Google maintains that it did not collect the payload data intentionally and never used it, but the company may be facing not only domestic consequences but also investigations in the UK and other affected countries. Google says it stopped collecting Wi-Fi data from its Street View vehicles when it discovered the data collection problem last month following an inquiry by German regulators.

The Google payload data incident is just one recent PR problem related to privacy concerns for the internet giant. Google took harsh criticism for the launch of Buzz because the feature initially revealed information about the names of users' email contacts. Google has significantly revised the service; now, it merely suggests followers, rather than automatically creating them.

Related links:
http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=130619
http://www.foxnews.com/world/2010/06/22/uk-police-investigating-alleged-google-privacy-breach-public-wi-fi-networks/

More on Supreme Court Ruling in Quon

And as promised in our last post, here is the latest Client Advisory on the Supreme Court's ruling in the Quon case.

Thursday, June 17, 2010

Breaking News: Supreme Court Issues Decision in Employee Privacy Case

Written by Martha Zackin

As we’ve blogged in this space, back in December the Supreme Court agreed to hear City of Ontario v. Quon, a case on the privacy of text messages sent by a government employee on employer-provided devices. Specifically, the Court agreed to consider whether a police sergeant assigned to an Ontario, California SWAT team had a reasonable expectation of privacy under the Fourth Amendment in sexually explicit, non-work-related text messages transmitted on a department-issued pager and stored by an outside service provider, even in the face of the City’s "general practice" of not monitoring such communications.

Today, the Court issued its opinion, finding that the City’s search of Sergeant Quon’s text messages to his colleagues and the woman with whom he was having an affair was reasonable. Although the Court did not reach agreement on whether and to what extent government workers have any reasonable expectation of privacy in communications such as those at issue here, the Court did agree that the search was reasonable.

The impact of this decision may be limited to Sergeant Quon and his co-workers; the Court explicitly cautioned against using the facts of the case to establish “far-reaching premises that define the existence, and extent, of privacy expectations enjoyed by employees when using employer-provided communication devices.”

More to come.