Privacy and Security Information - Privacy MATTERS

We've moved! Note our URL change!

2010-10-22T13:06:00.004-04:00

After a "summer hiatus," we have relaunched the Privacy and Security MATTERS Blog on a new platform.Note our new blog address and make sure to change your favorites to reflect the same.http://www.privacyandsecuritymatters.com/If you are prompted by a browser security warning to accept the URL redirection, please accept by clicking yes.

Patient privacy group welcomes HHS withdrawal of HITECH Act breach notification rule

2010-08-06T11:07:00.002-04:00

The Patient Privacy Rights Foundation welcomed last week’s announcement by the Department of Health and Human Services (HHS) that it was withdrawing the health data breach notification rule. The Foundation called the withdrawal a "huge step in the right direction" and reiterated its disappointment with the 'harm threshold' provision, which allows health care providers to conduct a risk assessment

Online Behavioral Advertising: The European Union Controversy

2010-07-30T11:59:00.004-04:00

On June 24, 2010, the European Union's body that addresses data protection issues, the so-called Article 29 Working Party, adopted Opinion 2/2010 (the “Opinion”) providing further clarification on the amended e-Privacy Directive (below) as applied to online behavioral advertising. The Working Party also issued a press release on this topic. Although the scope of the Opinion is limited to online

HHS Withdraws Breach Notification Final Rule (but breach notification still effective)

2010-07-30T11:51:00.003-04:00

Interesting press release from the Department of Health and Human Services (HHS) relating to the HITECH Breach Notification Final Rule. The Interim Final Rule is still effective, but one can't help but wonder what HHS may be reconsidering given the numbers of breaches reported since September 2009.Breach Notification Final Rule UpdateThe Interim Final Rule for Breach Notification for Unsecured

Improper Disposal Costs Rite Aid $1 Million

2010-07-28T09:39:00.002-04:00

Written by Dianne BourqueRite Aid has agreed to pay $1 million to settle allegations that it violated HIPAA by disposing of labeled pill bottles in unsecured dumpsters accessible to the public. The $1 million fine settles a joint Office of Civil Rights (OCR)/Federal Trade Commission (FTC) investigation prompted by televised media reports of pharmacies disposing of pill bottles containing patient

Analysis of Proposed HHS Regulations Implementing HITECH Act

2010-07-13T17:03:00.003-04:00

As promised last week in an earlier post, here is our first Mintz Levin client advisory analyzing the 234 pages of regulations issued on Thursday by the Department of Health and Human Services. Thanks to colleagues Alden Bianchi, Dianne Bourque and Stephen Bentfield.The regulations are slated to be published in the Federal Register tomorrow, which will trigger the start of the 60-day comment

Australian Privacy Commissioner Concludes Google Breached Privacy Act

2010-07-13T12:29:00.001-04:00

Written by Jillian Collins Australian Privacy Commissioner Karen Curtis has concluded her investigation into Google's collection of unsecured WiFi payload data in Australia using Street View vehicles and finds that such collection violated Australian law."On the information available I am satisfied that any collection of personal information would have breached the Australian Privacy Act,” she

No Harm, No Foul; Ninth Circuit Affirms Dismissal of Data Breach Case Against The Gap

2010-07-12T09:19:00.004-04:00

Written by Kevin McGintyIt’s a distressingly common scenario. A corporate laptop containing job applicant data, including social security numbers, is stolen from an employee who has taken the laptop off of corporate premises. Access to the social security numbers makes it possible for wrongdoers to engage in identity theft. Is an applicant’s fear that data will be misused enough to support claims

REMINDER - HITECH/201 CMR 17.00 Compliance Workshop

2010-07-08T16:58:00.003-04:00

Just a reminder of the FREE upcoming data security compliance workshop - Space is limited, so register today at http://tinyurl.com/35pk3yr!On July 13, Mintz Levin will be joined by Sophos, Six Weight Consulting, and MFA Cornerstone Consulting to hold a free compliance workshop focused on both the gaps and overlap of Massachusetts’ data protection regulation 201 CMR 17.oo and the recent updates to

First Ever State-initiated HIPAA Enforcement Action Settled

2010-07-08T14:50:00.003-04:00

Written by Dianne BourqueConnecticut Attorney General Richard Blumenthal has settled the first state-initiated HIPAA enforcement action. The settlement totals $250,000 in statutory damages and Health Net's agreement to implement a variety of measures to improve the security of consumer health and personal information. Health Net also agreed to provide two years of credit monitoring to affected

HHS (Finally!) Issues Proposed HIPAA Privacy & Security Rule Changes

2010-07-08T14:27:00.003-04:00

The long-awaited proposed changes to the HIPAA Privacy Rules have finally been released by the Department of Health and Human Services (HHS). A joint statement issued today by the HHS and the Office of Civil Rights (OCR) says that the proposed regulations “would expand individuals’ rights to access their information and restrict certain disclosures of protected health information to health plans

Data Breaches du Jour

2010-07-01T13:27:00.004-04:00

Information regarding the latest reports of data breaches -- common thread: it is taking a startingly long time for entities to (a) discover that they have been breached, and (b) to then take action to notify affected customers of potential compromises to personal information.Update on Major Data Breach at California Health Insurer Updating a previous blog post (link) from Monday, WellPoint, the

Latest Postponements and Exemptions of FTC Enforcement of ‘Red Flags’ Rule

2010-06-29T16:30:00.000-04:00

Written by Kenneth GantzAt the urging of congressional lawmakers, the Federal Trade Commission has for the fifth time delayed enforcement of the “Red Flags” Rule – this time through December 31, 2010. In the interim, Congress plans to consider legislation that would alter the scope of entities covered under the Rule.Under the Fair and Accurate Credit Transactions Act, Congress directed the FTC

Major Data Breach at California Health Insurer

2010-06-28T22:05:00.003-04:00

Written by Kenneth GantzAnthem Blue Cross is notifying approximately 230,000 members and applicants for individual health insurance of a breach involving a web site used by individuals to apply for insurance and track the status of their applications. Anthem claims that attorneys managed to manipulate the web address within the web site in order to obtain information in support of a class action

July 13 Data Security Workshop - FREE

2010-06-25T11:21:00.004-04:00

On July 13, Mintz Levin will be joined by Sophos, Six Weight Consulting, and MFA Cornerstone Consulting to hold a free compliance workshop focused on both the gaps and overlap of Massachusetts’ data protection regulation 201 CMR 17.oo and the recent updates to federal health and medical data privacy found in the HITECH Act. We'll have an interactive hands-on workshop that will help you to

Twitter Settles With FTC

2010-06-24T17:25:00.000-04:00

Twitter has reached a settlement with the Federal Trade Commission (FTC) over charges that it “deceived consumers and put their privacy at risk by failing to safeguard their personal information.” In the Matter of Twitter, Inc., The FTC had alleged that “serious lapses” in Twitter’s security last year "allowed hackers to obtain administrative control of Twitter, including access to tweets that

FTC Highlights Need for Privacy and Security in Internet Commerce

2010-06-22T16:41:00.003-04:00

Written by Jillian CollinsThe Federal Trade Commission has weighed in as part of the Department of Commerce's public comment process on privacy and security issues. According to the FTC's comment, consumers trusting that their personal information will be safeguarded is essential to the success of e-commerce, and innovation is essential to ensuring privacy in the fast-paced, ever-changing world

The Google Payload Data Fallout Continues

2010-06-22T16:37:00.002-04:00

Written by Jillian CollinsConnecticut Attorney General Richard Blumenthal says he will lead a multistate investigation into Google Street View cars’ unauthorized collection of personal data from WiFi networks. The Connecticut AG said he expects a significant number of states to participate. More than 30 states participated in a recent conference call regarding the Connecticut investigation.In a

More on Supreme Court Ruling in Quon

2010-06-22T16:28:00.003-04:00

And as promised in our last post, here is the latest Client Advisory on the Supreme Court's ruling in the Quon case.

Breaking News: Supreme Court Issues Decision in Employee Privacy Case

2010-06-17T16:48:00.001-04:00

Written by Martha ZackinAs we’ve blogged in this space,, back in December, the Supreme Court agreed to hear City of Onatario v. Quon, a case on the privacy of text messages sent by a government employee on employer-provided devices. Specifically, the Court agreed to consider whether a police sergeant assigned to a Ontario, California SWAT team had a reasonable expectation of privacy under the

Congressmen Question Google on Wi-Fi

2010-05-26T13:06:00.002-04:00

Today, Congressmen Joe Barton (R-TX), Edward Markey (D-MA), and Henry Waxman (D-CA)wrote to Google Chairman and CEO Eric Schmidt seeking answers to the company’s collection of private information over Wi-Fi networks.“We are concerned that Google did not disclose until long after the fact that consumers’ Internet use was being recorded, analyzed and perhaps profiled. In addition, we are

Red Flags Rule Compliance Date Approaching - American Medical Association Sues

2010-05-24T13:44:00.001-04:00

It’s been a while since we have visited the Federal Trade Commission’s Red Flags Rule here in this blog. The oft-postponed deadline is now fast approaching on June 1. Except, that is, for lawyers and now, doctors. On Friday, the American Medical Association filed a lawsuit against the FTC for defining physicians as “creditors” and claiming that requiring physicians to comply with the Red Flags

Facebook Holding Privacy Summit

2010-05-13T16:20:00.003-04:00

As a follow-on to yesterday's posts regarding the public face of the Facebook privacy brouhaha, at this hour Facebook is holding an “all-hands” meeting to discuss the company’s overall privacy strategy. PC World suggests that perhaps today’s company meeting is the beginning of Facebook's effort to improve user guidance on issues of sharing and privacy, or maybe the company is considering a roll

The back-and-forth on Facebook's privacy travails

2010-05-12T16:49:00.000-04:00

Whether the terse discussions in the public arena over Facebook’s privacy “changes” demonstrate that the world’s largest social network is playing fast and loose with the truth about its internal controls on user privacy, or whether it is just an example of poor corporate communication of policies to end users is still a matter of debate. See Glitch Brings New Worries About Facebook’s Privacy -

Two privacy issues from North of the Border

2010-05-12T16:23:00.002-04:00

Ann Cavoukian, Ontario’s information and privacy commissioner, has issued her 2009 Annual Report, entitled “Access & Privacy, A Time for Innovation.” One of Cavoukian’s main subjects this year is the smart grid and the associated privacy issues, including the collection of knowledge about personal habits via “smart” appliances communicating with the grid. Cavoukian is a thought leader in

Privacy Events Calendar

2010-05-06T09:42:00.001-04:00

Symposium on Privacy and InnovationTomorrow, the Commerce Department is hosting a day-long symposium called “A Dialogue on Privacy and Innovation.” It will include several panel discussions to discuss stakeholder views and to facilitate further public discussion on privacy policy in the United States. The event will seek participation and comment from all Internet stakeholders, including the

Welcome to the Privacy Revolution

2010-05-03T15:15:00.002-04:00

This is "Choose Privacy Week" – an initiative by the American Library Association to raise awareness about sharing information online. The Association has launched a new website, Privacy Revolution, offering tips for educators and parents on ways to address privacy concerns with children. One sure way not to raise the issue was demonstrated by a principal in Ridgewood, New Jersey last week.

OT -- Emergency Response 2.0 : Solutions to Respond to Oil Spill in the Gulf of Mexico

2010-05-02T22:06:00.000-04:00

Off the privacy topic, but certainly an issue of national security. Mintz Levin client, InnoCentive, is crowdsourcing a solution to respond to the oil spill in the Gulf of Mexico. Over 250 people are currently working on the challenge posted to the site (link below) -- pass this on and get the collective wisdoms of the crowd moving!!Emergency Response 2.0 : Solutions to Respond to Oil Spill in

Privacy and Security Bits and Bytes

2010-04-30T13:18:00.002-04:00

On this last day of April, there are a couple of breaches and another clarion warning about copy machines --We have blogged on this issue here and here -- and again, there is another warning about the treasure trove of information residing on the hard drive of your copy machine. A CBS Evening News investigation revealed just how much information is stored on copy machines that gets passed on

Connecticut Woman Files First Suit Under Federal Law Prohibiting Genetic Discrimination

2010-04-29T15:21:00.002-04:00

Written by Jennifer RubinA Connecticut woman has filed a charge of discrimination under the Federal Genetic Information Nondiscrimination Act ("GINA"), which prohibits discrimination against employees based upon their status as carriers of genetic information. The woman claims her status as a carrier of the BRCA2 gene, a gene sometimes associated with the elevated risk of breast cancer, led to

Proposed HITECH Regulations Out in May?

2010-04-26T16:36:00.002-04:00

Buried in a part of today's Federal Register was the publication of the Department of Health and Human Services' regulatory agenda. The agenda presents a forecast of expected HHS rulemaking activities and suggests that in May of this year HHS will issue the long-awaited proposed rules to modify the HIPAA Privacy, Security, and Enforcement Rules as necessary to implement the privacy, security,

Brokerage firm victim of elaborate extortion scheme - but also gets hit with a fine

2010-04-15T13:07:00.003-04:00

Brokerage firm DA Davidson has agreed to pay a fine of $375,000 for failing to protect confidential client data from Latvian hackers who breached the company in 2007 in an online extortion scheme and the three have pleaded guilty in Montana.The hackers used a SQL injection attack to obtain access to the company’s database on Dec. 25 and 26, 2007.The Financial Industry Regulatory Authority, which

Federal Regulators Release Model Consumer Privacy Notice Online Form Builder

2010-04-15T12:54:00.003-04:00

Last year, the eight federal regulators that regulate the financial services industry issued a "simplified" model privacy notice that was published in the Federal Register on December 1, 2009. Today, the regulators released an "Online Form Builder" to guide a covered institution to select the version of the model form that fits its practices, such as whether the institution provides an opt-out

Privacy and Security Bits and Bytes

2010-04-09T14:04:00.003-04:00

Our Friday afternoon feature -- Virginia Adds Medical Information Breach Law - The Commonwealth of Virginia has amended its data breach notification law to include breaches of medical information. For the text of the amendment, link here. Even if the data is encrypted, the law requires notice if the breach involved a person with access to the encryption key. The law requires notice to

Mississippi Becomes 46th State to Enact Data Breach Notification Law

2010-04-08T17:37:00.002-04:00

It appears that Governor Haley Barbour has signed legislation sent to his desk by the Legislature on April 1, making Mississippi the 46th state to enact a data breach notification law.Similar to most of the other laws, the Mississippi law applies to any person who owns, licenses or maintains computerized personal information of any resident of that state. Breaches must be disclosed “without

More on last week's NJ Supreme Court decision -

2010-04-06T16:24:00.005-04:00

The decision we blogged about in this space last week is creating quite a bit of buzz in both privacy and employment law circles. My employment law colleagues in our New York office have authored an analysis of the decision here: Employment Alert: New Jersey Supreme Court Finds Privacy Rights in Employee E-MailsAnd, the International Association of Privacy Professionals' Daily Dashboard quoted my

BREAKING NEWS: NJ Court Upholds Employee E-mail Privacy

2010-03-31T13:15:00.001-04:00

In a precedent-setting decision, the New Jersey Supreme Court today ruled that a company should not have read e-mails a former employee sent to her lawyer from a private Web account through her employer's computer (See November 5, 2009 Privacy and Security Information blog post). According to the Star-Ledger, the court, which determined the company's policy regarding e-mail use was vague, upheld

Government "Outs" Mystery Retailers in Gonzalez Hack Case

2010-03-30T13:43:00.004-04:00

Interesting post in today’s Wired: Threat Level blog about a motion in the Alberto Gonzalez hacking case that was unsealed on Monday. We now have the identities of the other two “mystery” retailers – J.C. Penney was “Company A” and Wet Seal was “Company B.”J.C. Penney argued unsuccessfully last week to keep the company’s identity under seal, and that it (a corporation) was entitled to anonymity

More detail on Dave & Buster's FTC Settlement

2010-03-29T14:19:00.002-04:00

As we blogged here last week, we were going to post our Client Alert with further details about the settlement and consent order reached by the restaurant chain Dave & Buster's and the Federal Trade Commission relating to the breach suffered by the chain. Here is the alert -- Privacy and Security Alert: Popular Restaurant Chain Settles Federal Trade Commission Data Breach Charges.Tip: This

French Senate Passes Breach Notice Bill

2010-03-29T14:10:00.003-04:00

The French Senate has overwhelmingly approved a major draft bill updating the country's 1978 data protection act to, among other things, create the European Union's strongest breach notification requirement and expand powers of the French data protection authority, known as "CNIL."This bill also doubles monetary penalties for violations of the data protection law. It now moves on to the National

Privacy and Security Bits and Bytes

2010-03-26T15:24:00.003-04:00

Some news items for the last Friday in March -Another state has joined the Payment Card Industry Data Security Standard ("PCI") bandwagon. On March 22, 2010, Washington state became the third state to incorporate the into law. The Washington House and Senate passed HB 1149 and it has been signed into law by the governor. HB 1149 amends Washington’s breach notice law (and borrows some of its

HHS Announces Delay in Enforcement of HITECH Rules as Applied to Business Associates

2010-03-26T14:54:00.003-04:00

As we have discussed before, HHS’s Office of Civil Rights has let it be known that a proposed rule implementing the HITECH Act’s privacy and security provisions as they apply to business associate liability is in the works. The proposed rule will also deal with new limitations on the sale of protected health information, marketing, and fundraising communications, and stronger individual rights to

Restaurant Chain Settles FTC Data Breach Charges

2010-03-26T10:19:00.003-04:00

Yesterday, the Federal Trade Commission (“FTC”) weighed in with another proposed settlement agreement requiring that the Dave & Buster's restaurant chain that experienced a massive data breach in 2007 establish and maintain a comprehensive information security program as a condition of settling a consumer protection action arising out of that data breach. This is the FTC’s 27th case challenging

TJX hacker sentenced to 20 years

2010-03-25T17:04:00.001-04:00

A computer hacker has been sentenced to 20 years in prison for helping engineer one of the largest thefts of credit and debit card numbers in US history.http://www.boston.com/business/ticker/2010/03/tjx_hacker_sent.html

Senate Commerce Committee Approves Rockefeller-Snowe Cybersecurity Act

2010-03-24T15:56:00.002-04:00

We will post a link to the amended legislation as soon as it is released by the Committee.The Senate Commerce Committee press release --WASHINGTON, D.C.—Senator John D. (Jay) Rockefeller IV, Chairman of the U.S. Senate Committee on Commerce, Science, and Transportation, and Senator Olympia J. Snowe (R-ME), a senior member of the committee, issued the following statements today after the Commerce

Boston ranks 2nd in U.S. cyber-crime study

2010-03-24T15:01:00.003-04:00

A new study has Boston ranked No. 2 among U.S. cities as a "hotspot" of cybercrime.In a study published yesterday by California data security firm Symantec Corp. (Nasdaq: SYMC), Boston registered as the second-riskiest city in the U.S., after Seattle, due to its high concentration of cyber crimes and WiFi availability. Out of 50 cities spotlighted in the report, Boston narrowly missed the top

Quick Compliance Survey

2010-03-24T11:19:00.001-04:00

No, we're not "taking names" here. This is just a 10-question survey to gauge some basic compliance metrics. Please participate!Click here to take survey

International Cybercrime Reporting and Cooperation Act introduced this afternoon

2010-03-23T15:04:00.003-04:00

Senators Gillibrand and Hatch this afternoon introduced their cybersecurity bill, the International Cybercrime Reporting and Cooperation Act. The complete text of the bill is not yet available online, but the press release does include the details of the bill, which include: (1) an annual Presidential report on the state of other countries' use of communication infrastructure and the extent of

Massachusetts Data Security Compliance Workshop

2010-03-23T14:22:00.004-04:00

In case your data security compliance plan is stuck in neutral, you have questions, or you haven't started yet...there will be a free (!) breakfast hands-on workshop on Thursday in Tewksbury, MA."Massachusetts Data Protection Law: Demystifying the Details" is being sponsored by the Merrimack Valley Venture Forum. The Merrimack Valley Venture Forum has assembled a panel of legal, technology, and

Maine Legislative Committee Votes to Repeal Marketing Law Aimed at Minors

2010-03-15T15:49:00.002-04:00

We have blogged about the on-again, off-again, then on-again (but revised) Maine "Act to Prevent Predatory Marketing Practices Against Minors". Well, it’s now off. For good. Last week, a Maine legislative committee voted to repeal the controversial online marketing law, which was widely seen as unconstitutional, that restricts the data that can be collected from minors in the state.The

Privacy and Security Bits and Bytes

2010-03-11T16:55:00.001-05:00

Our Friday afternoon feature is back (albeit on Thursday due to schedule tomorrow) – a quick round-up of bits and bytes related to data privacy and security.Don't Ignore New Massachusetts Data Privacy Regs – a piece by Lora Bentley from ITBusinessEdge (for which the editor of this blog was interviewed)Your smart phone may soon be smarter than you’d like it to be: researchers in Japan have

Big Fines Coming in UK for Data Breaches

2010-03-11T15:41:00.001-05:00

By Susan Foster, Mintz Levin LondonAs of April 6, 2010, the UK’s Information Commissioner’s Office (ICO) can levy fines of up to £500,000 for breaches of the Data Protection Act 1998 that are:• serious in nature• deliberate or reckless, and• likely to cause substantial damage or distress to an individual.The standard for “reckless” non-compliance may take some by surprise: Did the data controller

Another Potential Privacy Pitfall on Facebook

2010-03-10T11:17:00.000-05:00

Rumors are flying that Facebook will unveil a new geolocation sharing device next month. According to a post in Bits Blog in the New York Times, you will be able to share your location with friends without updating your status. Jared Newman in an article in PCWorld has a good point … “My gut reaction is nervousness….”Related LinksFacebook Updates May Share Your Location Soon - PCWorld

Breaking News - ID Theft Company to Pay $12 Million for Deceptive Advertising

2010-03-09T14:17:00.002-05:00

“[E]nough holes that you could drive a truck through it…..”That’s how Federal Trade Commission Chairman Jon Leibowitz described the identity theft protection offered to consumers by the widely-advertised LifeLock product and the claims made by the company that its service provided comprehensive identity theft protection. Those claims have cost the company $12 million dollars in a settlement

Major "goof" at Citibank

2010-03-04T13:32:00.003-05:00

For all of you who have been struggling with data security compliance obligations from various fronts, and trying to handle complex technical issues such as encryption of portable devices and data "at rest" and "in transit" --- here is a very big story regarding plain old everyday mail. If you are a Citibank customer, Citi may have printed your Social Security number on the outside of an

Hotel Chain Hacked Again....

2010-03-02T13:33:00.003-05:00

Wyndham Hotels and Resorts has apparently notified the U.S. Secret Service and several state attorneys that hackers stole customer names and payment card information from its computer system. Wyndham has since notified credit card companies so that affected cardholders' accounts may be monitored. It also has hired a firm to investigate the breach and assist in data security improvements. This is

Today is the day......

2010-03-01T12:30:00.002-05:00

After implementation delays and rule changes, new data protection regulations that are widely considered the most stringent in the nation take effect today. The Massachusetts data security regulations require institutions that hold personal data on Massachusetts citizens to encrypt that information and implement written data protection policies, reports the Boston Globe.Discussion continues and

And, it's Friday, February 26th......

2010-02-26T14:29:00.005-05:00

And that means today is the last business day before the new Massachusetts data security regulations go live-- as Jim Cramer would say, "That's 201 CMR 17.00 for all you home gamers."

“Stunning”/ “Shear Madness” – Reaction to Google Convictions

2010-02-25T13:00:00.000-05:00

The reactions are coming in fast and furious to yesterday’s conviction of three Google executives in an Italian court. Linked here are just a few of the more than 1,000 media stories on the decision so far.Google privacy convictions in Italy spark outrageLarger Threat Is Seen in Google Case - NYTimes.comConviction of Google Execs in Italy Shear MadnessKerry: Sending Google execs to prison '

BREAKING NEWS: Google Executives Convicted on Privacy Charges in Italy

2010-02-24T10:01:00.002-05:00

In the first case of its kind, an Italian judge today convicted three Google executives on privacy violations in Milan court. Global Privacy Counsel Peter Fleischer, Chief Legal Officer David Drummond, and another executive were found guilty of failing to comply with Italian privacy code in allowing a disparaging video to be posted online. A fourth defendant was acquitted. All three will appeal

Today's compliance deadline - Enforcement of the HITECH/HIPAA data breach notification rule

2010-02-22T22:01:00.002-05:00

February and March are just full of significant deadlines for privacy/security reporting and compliance.Today is the day that the Health & Human Services Office of Civil Rights begins to enforce the HITECH/HIPAA data breach notification rule. To "celebrate" the occasion, the agency publicly posted the first list of reported breaches affecting 500 or more individuals. The list is available on the

HITECH Act Compliance Date Arrived -- Without the Promised Regulatory Guidance

2010-02-22T16:22:00.001-05:00

We have been so focused on the upcoming Massachusetts data security deadline, that we let one last week go without fanfare. As we have gently reminded you on several occasions, the new HIPAA privacy and security rules contained in the Health Information Technology for Clinical and Economic Health Act (HITECH) became effective on February 17th.The HITECH Act was passed as part of the “Stimulus

T Minus 10,080 Minutes and Counting.....

2010-02-22T14:34:00.003-05:00

We have just one week to go before all entities that own, store, license -- or basically do anything with -- personal information of Massachusetts residents must comply with the Commonwealth's new data security regulations. Things to consider:Have you done your risk assessment? Looked at what you collect and how you collect and how it is transmitted through and outside your organization?Have you

Countdown to compliance with 201 CMR 17.00.....11 days

2010-02-17T11:23:00.004-05:00

As we approach the 10 day mark to the March 1 effective date of the Massachusetts data security regulations, 201 CMR 17.00, we thought that we would share another misapprehension in the ever-growing list."I ordered one of those $99 "Compliance Kits" from the Internet, and they say that they will "certify" that I am compliant. I should be all set."You might be -- but then again, we are not sure

16 Days to March 1.....

2010-02-11T12:50:00.002-05:00

Just in case you missed it, March 1 is the deadline for compliance with 201 CMR 17.00, the new Massachusetts data security regulations, and we published a client alert last week as a "reminder"... Privacy and Security Alert.In addition to the top five "misapprehensions" about the applicability of the new regulations that we included in the Privacy and Security Alert, here are a couple of others:"

New Facebook privacy lawsuits

2010-02-11T09:09:00.001-05:00

Facebook has been hit with two new potential class-action lawsuits stemming from recent revisions to its privacy settings.The cases, filed recently in federal district court in San Jose, Calif. on behalf of nine Facebook users, allege that the new settings are "confusing and materially deceptive" and lessened their privacy. "Facebook has violated the privacy rights of the members of the

Roundtable data privacy and security discussions on YouTube

2010-02-01T23:36:00.003-05:00

See a series of Data & IT Security Roundtable discussions with thought leaders: www.youtube.com/user/JaxsonGroup

Tracking the cookie crumbs

2010-02-01T16:08:00.002-05:00

Disabling cookies may not be the answer to controlling your online identity. Regardless of whether you have cookies enabled or not, Web sites collect certain amounts of operational information about your browser. The Electronic Frontier Foundation has detailed how companies can use browser-configuration information to identify users, and also launched a new project, Panopticlick, aimed at

27 days and counting...

2010-02-01T14:02:00.002-05:00

March 1st is the deadline for compliance with the Massachusetts data security regulations, 201 CMR 17.00. We have blogged incessantly for months about the need to get compliance programs into gear and develop information security plans as required by the regulations. The time is here.If you are one of the procrastinators (and, you are not alone), the basic information and the regulations can

Interesting perspective on Data Privacy Day and data privacy in general

2010-01-28T22:06:00.002-05:00

Declan McCullagh is always a good read -It's been 10 years: Why won't people pay for privacy? Politics and Law - CNET News

Data Privacy Day -- Tip #4 -- Transactional Best Practices for Lawyers

2010-01-28T16:20:00.005-05:00

Written by Michael Arnold and Jennifer RubinEven though lawyers working on both sides of an M&A transaction during the due diligence phase might immerse themselves in a “confidentiality bubble”, they still must be careful not to disclose or access confidential employee information in the course of that transaction. Attorneys evaluating potential transactions might be tempted to access information

Data Privacy Day - Tip #3 - The weakest link??

2010-01-28T15:49:00.003-05:00

My lunchtime speaking engagement was at the International Association of Privacy Professional's Boston KnowledgeNet. I had the pleasure to share the panel with Mike Spinney from SixWeight (www.sixweight.com) and identity theft guru Robert Siciliano. We had a spirited discussion about privacy training and awareness. You can access their blogs in the panel to the right.Our conclusion --

Happy Data Privacy Day! Post #3 - Cable/Online Behavioral Advertising Issues

2010-01-28T14:20:00.002-05:00

Earlier this week, Mintz Levin’s Chris Harvie, a Member in the Communications section, spoke at the PLI Broadband and Cable Industry Law Seminar in New York City. Chris provided an overview of the cable privacy provisions found in Title VI of the Communications Act and discussed the restrictions and obligations that apply to the collection and use of personally identifiable information (PII) by

Data Privacy Day Tip #2 - HITECH Act

2010-01-28T14:11:00.002-05:00

Written by Dianne BourqueEffective February 17, 2010, significant new compliance obligations will be imposed on business associates through the HITECH provisions of the American Recovery and Reinvestment Act of 2009 ("ARRA"). Business associates (or organizations that use or disclose protected health information on behalf of covered entities subject to HIPAA) will be directly liable for

Happy Data Privacy Day! Tip #1

2010-01-28T10:03:00.003-05:00

Today is worldwide Data Privacy Day. What is your company doing to promote data privacy and security in your enterprise? I'll be participating in a KnowledgeNet in Boston, sponsored by the International Association of Privacy Professionals. The discussion topic is Privacy Awareness and Training.And don’t forget, the March 1 deadline for compliance with the sweeping Massachusetts data security

Connecticut Attorney General Brings Charges Against Health Net for HIPAA Violations

2010-01-15T11:31:00.002-05:00

Written by Dianne BourqueOn January 13, Connecticut Attorney General Richard Blumenthal filed charges against Health Net of Connecticut, Inc., for violating federal privacy law. Blumenthal is the first state attorney general to file such a suit using HIPAA enforcement authority granted to states under the HITECH provisions of the American Recovery and Reinvestment Act

New Settlement Agreement in Heartland Breach

2010-01-11T11:02:00.002-05:00

And the cash register continues to ring with respect to the Heartland Payment Systems Inc. breach. Heartland disclosed last week in a filing with the Securities and Exchange Commission that it has agreed to pay a maximum of $60 million to Visa Inc. and Visa card-issuing banks to settle claims arising out of the massive payment card data breach last January.The proposed settlement is conditioned

Security Bits and Bytes

2010-01-08T14:11:00.003-05:00

A few items to wrap up/review privacy and security issues in 2009 and open up 2010:Gonzalez Pleads Guilty in December 2009 - but this piece from Retail Research Systems explains why retailers should not be sanguine about data security: Privacy Risks for 2010RFID in 2010: The New Hampshire House of Representatives voted this week to prohibit the implantation of tracking devices in humans without

Maine - New Year, New Legislative Session, New Version of the Marketing to 'Tweens Law

2010-01-07T14:10:00.001-05:00

As promised last year, the Maine legislative session opened this week with the introduction of a new predatory marketing bill--LD 1677. This bill would repeal the beleaguered LD 1883, which was signed to law last year, but faced major opposition from industry groups, leading Maine's attorney general to promise not to enforce the law. The new bill applies to online information only and is limited

Happy 2010 - Data Breach du Jour

2010-01-06T10:17:00.004-05:00

We are just barely into the new year, and there is already a rather large data breach to report. Officials at Eastern Washington University (EWU) are notifying up to 130,000 current and former students that their personal information may have been exposed in a security breach, reports the Seattle Times. The data involved includes names, Social Security numbers and dates of birth for students

New Regulations Propose a Definition of 'Meaningful Use'

2010-01-04T15:05:00.001-05:00

Written by DianneOn December 30, 2009, the Centers for Medicare & Medicare Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) issued interim final rules necessary to implement electronic health record (EHR) incentive programs enacted under the American Recovery and Reinvestment Act of 2009. The ONC rule sets initial standards, implementation

Happy New Year - New Health Care Reform Issues

2010-01-04T15:01:00.002-05:00

Now that it is 2010, we will be getting back up to speed with our blog postings, bringing you the latest in the world of privacy and security information. The world of health care reform also has significant impact on all of us, and my colleagues here at Mintz published an important advisory right at the stroke of midnight -- Health Care Reform Advisory: Assessing the Impact of Federal Health

Data Security Roundtable

2009-12-22T12:45:00.004-05:00

Here is a link to a couple of segments of a data security roundtable I participated in not long ago:http://www.businesswire.com/portal/site/home/permalink/?ndmViewId=news_view&newsId=20091222005345&newsLang=enSome very interesting discussions with folks who are on the cutting edge of data security. I'll post the other segments as they are released.

The real cost of data breaches - Heartland to pay Amex $3.5 million

2009-12-21T11:26:00.003-05:00

According to its 8-K filing with the Securities and Exchange Commission (SEC), Heartland Payment Systems Inc. has agreed to pay American Express Travel Related Services Co. Inc. just over $3.5 million to settle any claims arising out of a massive payment card data breach.This settlement is likely to be only the first over the compromise of tens of millions of debitand credit card accounts by

More Detail on Quan Case

2009-12-16T15:42:00.002-05:00

My colleague, Martha Zackin, has published a more extensive discussion of the issues before the U.S. Supreme Court in the Quan case --ELB Law Information: Supreme Court to Hear Case re Employer's Access to Employee's Text Messages

Supreme Court will review some issues in Quon Case, denied review to other issues

2009-12-15T09:33:00.005-05:00

Some additional information on yesterday's post regarding the Supreme Court's decision to hear the Quon case. The high Court agreed to hear some, but not all of the issues presented by the Ninth Circuit decision in the case.The Court will consider whether a police sergeant assigned to a SWAT team had a reasonable expectation of privacy under the Fourth Amendment in text messages transmitted on a

Good data protection sense from the Brits

2009-12-14T15:53:00.001-05:00

The UK's Information Commissioner's Office (ICO) has done what the Federal Trade Commission should do -- produced a no-nonsense Guide to Data Protection. This Guide is intended to provide small and medium sized enterprises with practical advice about the UK's Data Protection Act and takes a straightforward look at the data protection principles, using practical, business-based examples. It

Supreme Court To Decide Privacy of Employee Texts

2009-12-14T12:41:00.003-05:00

U.S. Supreme Court this morning decided to hear a case on the privacy of employee text messages sent on employer-provided devices, reports the Washington Post (see below).The case--City of Ontario v. Quon--could have profound implications on employee privacy rights, according to a Baltimore Sun report. It involves an Ontario, California police officer who sent sexually explicit messages to

National Public Radio 3-part special series on privacy

2009-12-08T10:55:00.003-05:00

These are from October, but if you missed them, they are worth a look (or downloading the podcasts) --Part 1: Online Data Present a Privacy MinefieldPart 2: Is Your Facebook Profile as Private as You Think?Part 3: Digital Bread Crumbs: Following Your Cell Phone Trail

Holiday Privacy Watch: Take care before you donate that cell phone

2009-12-08T10:09:00.003-05:00

During the holiday season, many organizations are soliciting donations of old cell phones to be repurposed. This is an excellent way to "reuse, reduce, and recycle" and puts those useless (to you) items to use in a positive way, but please remember -- important and private data reside in your cell phone's internal memory, even if your phone has a removable SIM card. PINs, passwords and other

House scheduled to act today on several privacy bills

2009-12-07T10:26:00.000-05:00

The House is scheduled to vote on HR 1319, The Informed P2P User Act, and HR 2221, The Data Accountability and Trust Act, tomorrow under suspension of the rules. We will monitor the debate and keep you updated on its passage.

Federal Trade Commission hosts privacy roundtable today

2009-12-07T09:56:00.002-05:00

The FTC kicks off the first in a series of "roundtable" discussions to explore privacy challenges posed by 21st technology and business practices that collect and use consumer data. Today's roundtable is being held in Washington, DC, and will focus on data collection, use and retention, consumer expectations of privacy, online behavioral advertising, information brokers and a discussion

Privacy and Security Bits and Bytes

2009-12-04T11:08:00.004-05:00

The Most Wonderful Time of the Year -- It's time for the annual "top ten" lists. Information Security Resources has posted an article that is eye-opening reading with respect to data breaches in 2009. Ten Most Damaging Data Breaches of 2009 U.S. to Join Fingerprint Sharing -- CBC News - Canada reports that the U.S. will join Canada, Australia and Britain in sharing fingerprints and other data

Court issues written opinion explaning decision regarding applicability of Red Flags Rule to attorneys

2009-12-03T09:48:00.005-05:00

As we first blogged here, hours before the last Red Flags enforcement deadline, a federal court judge in the D.C. Circuit ruled from the bench that attorneys would not be subject to the Red Flags Rule. The court released Judge Walton's written opinion was released on December 1, 2009, which provides clarification of his comments from the bench. Click here for the opinion. Walton found the Federal

Breakfast and social media policies

2009-11-13T16:09:00.002-05:00

Related to the last post -- is your company working on its social media employee policy? If not, you should be. If you happen to be in Boston, Mintz Levin is hosting a breakfast briefing on social media in the workplace next week.Register here

Some startling statistics regarding social networking issues in the workplace......

2009-11-13T15:14:00.006-05:00

You might be surprised to know that social networking policies, governing employee use of blogging, Facebook, Twitter and the like, are still a rarity at many business, including teaching hospitals. And, you might be equally surprised to hear that studies are revealing that medical students are displaying cavalier attitudes towards the protection of patient confidentiality.The Journal of the

Massachusetts Attorney General proposes privacy regulations to apply to her office

2009-11-12T16:34:00.001-05:00

Written by Cynthia and ElissaAn oft-cited criticism of the Massachusetts data security regulations (201 CMR 17.00), effective March 1, 2010, is that the regulations specifically do not apply to government entities -- the only reason being that the Office of Consumer Affairs and Business Regulation does not have the authority or jurisdiction to enact regulations over governmental entities in

Remember the school-days admonition that something might end up on your "permanent record"?

2009-11-10T13:54:00.004-05:00

A Fordham Law School study found that state educational databases across the country have severely inadequate privacy protections for the nation's school children. The study, prepared by the Center on Law and Information Policy, reports that at least 32% of states warehouse children's social security numbers; at least 22% of states record student pregnancies; and at least 46% of the states track

When employee handbooks don't tell the whole story.....

2009-11-09T14:39:00.003-05:00

Written by Cynthia and JenniferThe discussion of employer access to employee emails in our September 21 blog entry continues with another appellate court decision about workplace privacy rights. In Stengart v. Loving Care Agency, Inc., the court completely rejected an employer's attempt to rely upon an email policy to gain access to an employee's confidential communications with her attorney

Privacy and Security Information - Privacy MATTERS

We've moved! Note our URL change!

Patient privacy group welcomes HHS withdrawal of HITECH Act breach notification rule

Online Behavioral Advertising: The European Union Controversy

HHS Withdraws Breach Notification Final Rule (but breach notification still effective)

Improper Disposal Costs Rite Aid $1 Million

Analysis of Proposed HHS Regulations Implementing HITECH Act

Australian Privacy Commissioner Concludes Google Breached Privacy Act

No Harm, No Foul; Ninth Circuit Affirms Dismissal of Data Breach Case Against The Gap

REMINDER - HITECH/201 CMR 17.00 Compliance Workshop

First Ever State-initiated HIPAA Enforcement Action Settled

HHS (Finally!) Issues Proposed HIPAA Privacy & Security Rule Changes

Data Breaches du Jour

Latest Postponements and Exemptions of FTC Enforcement of ‘Red Flags’ Rule

Major Data Breach at California Health Insurer

July 13 Data Security Workshop - FREE

Twitter Settles With FTC

FTC Highlights Need for Privacy and Security in Internet Commerce

The Google Payload Data Fallout Continues

More on Supreme Court Ruling in Quon

Breaking News: Supreme Court Issues Decision in Employee Privacy Case

Congressmen Question Google on Wi-Fi

Red Flags Rule Compliance Date Approaching - American Medical Association Sues

Facebook Holding Privacy Summit

The back-and-forth on Facebook's privacy travails

Two privacy issues from North of the Border

Privacy Events Calendar

Welcome to the Privacy Revolution

OT -- Emergency Response 2.0 : Solutions to Respond to Oil Spill in the Gulf of Mexico

Privacy and Security Bits and Bytes

Connecticut Woman Files First Suit Under Federal Law Prohibiting Genetic Discrimination

Proposed HITECH Regulations Out in May?

Brokerage firm victim of elaborate extortion scheme - but also gets hit with a fine

Federal Regulators Release Model Consumer Privacy Notice Online Form Builder

Privacy and Security Bits and Bytes

Mississippi Becomes 46th State to Enact Data Breach Notification Law

More on last week's NJ Supreme Court decision -

BREAKING NEWS: NJ Court Upholds Employee E-mail Privacy

Government "Outs" Mystery Retailers in Gonzalez Hack Case

More detail on Dave & Buster's FTC Settlement

French Senate Passes Breach Notice Bill

Privacy and Security Bits and Bytes

HHS Announces Delay in Enforcement of HITECH Rules as Applied to Business Associates

Restaurant Chain Settles FTC Data Breach Charges

TJX hacker sentenced to 20 years

Senate Commerce Committee Approves Rockefeller-Snowe Cybersecurity Act

Boston ranks 2nd in U.S. cyber-crime study

Quick Compliance Survey

International Cybercrime Reporting and Cooperation Act introduced this afternoon

Massachusetts Data Security Compliance Workshop

Maine Legislative Committee Votes to Repeal Marketing Law Aimed at Minors

Privacy and Security Bits and Bytes

Big Fines Coming in UK for Data Breaches

Another Potential Privacy Pitfall on Facebook

Breaking News - ID Theft Company to Pay $12 Million for Deceptive Advertising

Major "goof" at Citibank

Hotel Chain Hacked Again....

Today is the day......

Top 3 questions relating to compliance with 201 CMR 17.00

And, it's Friday, February 26th......

“Stunning”/ “Shear Madness” – Reaction to Google Convictions

BREAKING NEWS: Google Executives Convicted on Privacy Charges in Italy

Today's compliance deadline - Enforcement of the HITECH/HIPAA data breach notification rule

HITECH Act Compliance Date Arrived -- Without the Promised Regulatory Guidance

T Minus 10,080 Minutes and Counting.....

Countdown to compliance with 201 CMR 17.00.....11 days

16 Days to March 1.....

New Facebook privacy lawsuits

Roundtable data privacy and security discussions on YouTube

Tracking the cookie crumbs

27 days and counting...

Interesting perspective on Data Privacy Day and data privacy in general

Data Privacy Day -- Tip #4 -- Transactional Best Practices for Lawyers

Data Privacy Day - Tip #3 - The weakest link??

Happy Data Privacy Day! Post #3 - Cable/Online Behavioral Advertising Issues

Data Privacy Day Tip #2 - HITECH Act

Happy Data Privacy Day! Tip #1

Connecticut Attorney General Brings Charges Against Health Net for HIPAA Violations

New Settlement Agreement in Heartland Breach

Security Bits and Bytes