Friday, October 22, 2010
We've moved! Note our URL change!
Note our new blog address and make sure to change your favorites to reflect the same.
http://www.privacyandsecuritymatters.com/
If you are prompted by a browser security warning to accept the URL redirection, please accept by clicking yes.
Friday, August 6, 2010
Patient privacy group welcomes HHS withdrawal of HITECH Act breach notification rule
The Foundation called the withdrawal a "huge step in the right direction" and reiterated its disappointment with the 'harm threshold' provision, which allows health care providers to conduct a risk assessment of any data breach, before deciding whether it is necessary to report the breach to HHS. "The broad discretion granted to industry goes far beyond Congressional intent", read the Foundation's submission sent to HHS during the 2009 public comment period. "There was no mention of any consideration of a harm standard in HHS previous Request for Information, thus thwarting any opportunity for public debate." Several Congressmen also submitted comments to the HHS, expressing concerns over the breadth of discretion that would be given to companies, "particularly with regard to determining something as subjective as harm from the release of sensitive and personal information."
HHS is expected to publish a final rule in the Federal Register in the coming months.
Friday, July 30, 2010
Online Behavioral Advertising: The European Union Controversy
Although the scope of the Opinion is limited to online profiling, its interpretation of Article 5(3) of the amended e-Privacy Directive provides some useful clarifications regarding the legal framework applicable to online behavioral advertising and the use of cookies. There has been much heat generated by the Directive and the Opinion, and little light. Our friends at Osborne Clarke have published an excellent overview.
Read Regulating Online Behavioural Advertising for some insight into the discussion. U.S.-based online businesses will need to start paying close attention to this - the global nature of the Internet means that the actions of the Article 29 Working Party will have significant ripple effects here.
HHS Withdraws Breach Notification Final Rule (but breach notification still effective)
Breach Notification Final Rule Update
The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009. During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments.
HHS reviewed the public comment on the interim rule and developed a final rule, which was submitted to the Office of Management and Budget (OMB) for Executive Order 12866 regulatory review on May 14, 2010. At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department's experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals' health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months.
Wednesday, July 28, 2010
Improper Disposal Costs Rite Aid $1 Million
Rite Aid has agreed to pay $1 million to settle allegations that it violated HIPAA by disposing of labeled pill bottles in unsecured dumpsters accessible to the public. The $1 million fine settles a joint Office of Civil Rights (OCR)/Federal Trade Commission (FTC) investigation prompted by televised media reports of pharmacies disposing of pill bottles containing patient information. Rite Aid and several other retail pharmacies in cities throughout the United Sates were highlighted in the report.
The improper disposal of patient labels violates the HIPAA Privacy Rule (not the security rule, because the labels are paper) and exposes patients to the risk of identity theft and other crimes.
In addition to paying the $1 million resolution amount to OCR, Rite Aid has agreed to implement “a strong corrective action program” including:
· Revising its policies and procedures related to the disposal of PHI and sanctioning workers who do not follow them
· Training workforce members on new policies and procedures
· Conducting internal monitoring
· Engaging a qualified, independent third party assessor to review its compliance efforts and report to HHS
A link to the resolution agreement is available here: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/riteaidres.pdf
Tuesday, July 13, 2010
Analysis of Proposed HHS Regulations Implementing HITECH Act
The regulations are slated to be published in the Federal Register tomorrow, which will trigger the start of the 60-day comment period. We will continue to post further analysis of these regulations and discussion relating to particular points of interest. Stay tuned.
Australian Privacy Commissioner Concludes Google Breached Privacy Act
Australian Privacy Commissioner Karen Curtis has concluded her investigation into Google's collection of unsecured WiFi payload data in Australia using Street View vehicles and finds that such collection violated Australian law.
"On the information available I am satisfied that any collection of personal information would have breached the Australian Privacy Act,” she said. "Collecting personal information in these circumstances is a very serious matter. Australians should reasonably expect that private communications remain private.”
For its part, Google has promised to publish an apology to Australians for its collection of unsecured WiFi 'payload' data. Google will also conduct a Privacy Impact Assessment (PIA) on any new Street View data collection activities in Australia that include personal information and regularly consult with the Australian Privacy Commissioner about personal data collection activities arising from significant product launches in Australia.
The apology, posted on the official Google Australia blog, states in part:
“To be clear, we did not want and have never used any payload data in our products or services--and as soon as we discovered our error, we announced that we would stop collecting all WiFi data via our Street View vehicles and removed all WiFi reception equipment from them…
We want to reiterate to Australians that this was a mistake for which we are sincerely sorry. Maintaining people's trust is crucial to everything we do and we have to earn that trust every single day. We are acutely aware that we failed badly here.”
Google admitted in May that it had collected certain WiFi content information--known as "payload data"--in some 33 countries, including in Australia, with special equipment mounted on its Street View photographic image collection vehicles.
Google may not get away so easily in other countries for the privacy breach. German authorities are leading an investigation that may result in criminal penalties, there is a class-action lawsuit against the company in the U.S., and Federal Trade Commission has said it will "a very close look" at the company's behavior. In some other countries, including Britain, Germany, France, and Italy, authorities have demanded that Google hand over the payload data so that it can be used in possible legal cases against the company.
Related Links:
http://www.businessweek.com/technology/content/jul2010/tc2010079_071459.htm
http://www.smh.com.au/technology/technology-news/google-wifi-snooping-broke-the-law-privacy-watchdog-20100709-103eh.html
Google’s apology: http://google-au.blogspot.com/2010/07/were-sorry.html
Statement from the Australian Privacy Commissioner: http://www.privacy.gov.au/materials/a-z?fullsummary=7103
Monday, July 12, 2010
No Harm, No Foul; Ninth Circuit Affirms Dismissal of Data Breach Case Against The Gap
It’s a distressingly common scenario. A corporate laptop containing job applicant data, including social security numbers, is stolen from an employee who has taken the laptop off of corporate premises. Access to the social security numbers makes it possible for wrongdoers to engage in identity theft. Is an applicant’s fear that data will be misused enough to support claims for negligence and breach of contract against the company? The federal Ninth Circuit Court of Appeals has joined a growing number of courts in answering that question in the negative. In Ruiz v. Gap, Inc., the court held that California law requires actual damages to support claims for negligence and breach of contract, and that time and effort that the applicant allegedly expended to monitor for identity theft were insufficient to constitute actual damages. The court reached similar conclusions as to the claim under California’s consumer protection statute and, significantly, the claim for invasion of privacy. As to the latter, the court ruled that increased threat of a breach of privacy does not constitute an actual invasion of privacy.
None of this is to say that a company is immune from state law liability and can simply elect to do nothing when a data breach occurs. Although not detailed in the Ninth Circuit’s decision, The Gap took affirmative steps to protect applicants from potential harm arising from theft of their data. Not only did The Gap notify the applicants about the theft of the computer containing their personal information, but it also offered to provide twelve months of credit monitoring and fraud assistance without charge, plus $50,000 worth of identity theft insurance. The lesson of the Ruiz decision is that companies that do take reasonable steps to mitigate against potential misuse of stolen data will have a strong defense against further liability. It also reinforces the commonsense proposition that has bedeviled many attempts to parlay data breaches into class actions – the mere threat of bad consequences is not the same as actually suffering bad consequences. Thieves generally steal computers because they want the hardware, not the data. The loss of a computer containing personal data does not inevitably mean that such data will be misused. As such, claims arising from data breaches are unlikely to succeed unless there has also been identity theft and resulting adverse consequences for individuals whose identities have been stolen.
Thursday, July 8, 2010
REMINDER - HITECH/201 CMR 17.00 Compliance Workshop
On July 13, Mintz Levin will be joined by Sophos, Six Weight Consulting, and MFA Cornerstone Consulting to hold a free compliance workshop focused on both the gaps and overlap of Massachusetts’ data protection regulation 201 CMR 17.oo and the recent updates to federal health and medical data privacy found in the HITECH Act. We'll have an interactive hands-on workshop that will help you to address some critical questions within your organization:
What are my organization and business partner’s obligations?
What kind of information do I need to protect and how do identify it?
Is data encryption necessary?
What is a WISP?
What is a data breach and what is my responsibility and liability if I have one?
First Ever State-initiated HIPAA Enforcement Action Settled
Connecticut Attorney General Richard Blumenthal has settled the first state-initiated HIPAA enforcement action. The settlement totals $250,000 in statutory damages and Health Net's agreement to implement a variety of measures to improve the security of consumer health and personal information. Health Net also agreed to provide two years of credit monitoring to affected individuals, $1 million of identity theft insurance and reimbursement for the costs of security freezes.
As we reported in this space, Blumenthal sued Health Net and its affiliates after they allegedly lost a computer disk drive in May 2009 containing protected health and other private information on more than 500,000 Connecticut residents and 1.5 million consumers nationwide. The missing disk drive contained names, addresses, social security numbers, protected health information and financial information. Blumenthal also alleged that Health Net failed to promptly notify consumers endangered by the breach even after learning that the disk drive was stolen.
The Health Net case is the first action by a state attorney general for HIPAA violations since the Health Information Technology for Economic and Clinical Health Act (HITECH) authorized state attorneys general to enforce HIPAA.
The full text of the settlement is available here:
http://www.ct.gov/ag/lib/ag/fraud/soctvhealthnetstipjudgment.pdf
HHS (Finally!) Issues Proposed HIPAA Privacy & Security Rule Changes
A joint statement issued today by the HHS and the Office of Civil Rights (OCR) says that the proposed regulations “would expand individuals’ rights to access their information and restrict certain disclosures of protected health information to health plans, extend the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establish new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without patient authorization. In addition, the proposed rule is designed to strengthen and expand OCR’s ability to enforce HIPAA’s Privacy and Security provisions. This rulemaking will strengthen the privacy and security of health information, and is an integral piece of the Administration’s efforts to broaden the use of health information technology in health care today. We urge consumers, providers, and other stakeholders to read these proposals and offer comments during the 60-day comment period, which will officially open on July 14, 2010. Information about posting comments will be available at http://www.regulations.gov.”
The 234 pages of proposed regulations can be found at Notice of Proposed Rulemaking to Implement HITECH Act Modifications and we are in the process of reviewing these regulations to provide our readers with further information.
Thursday, July 1, 2010
Data Breaches du Jour
Update on Major Data Breach at California Health Insurer
Updating a previous blog post (link) from Monday, WellPoint, the country's largest health insurer, has now sent notice to 470,000 members and applicants for individual health insurance nationwide informing them of a breach to a web site used by individuals to apply for insurance and track the status of their applications. The web site system run by WellPoint subsidiary Anthem Blue Cross of California was allegedly manipulated by attorneys looking to bolster a class action lawsuit against the insurer. WellPoint indicated that although the breach may have affected 230,000 California customers as previously reported, data for other applicants could have been obtained and accessed by anyone merely by altering the URL, thus prompting the additional notices.
While initially saying that personal information was unsecure for "a relatively short period of time," WellPoint now explains that five months passed before the company learned in March that a failed security update to the Anthem web site left customers' data vulnerable.
Related Link:
http://www.govinfosecurity.com/articles.php?art_id=2690
Unencrypted Patient Information Goes Missing from NY Hospital
A New York hospital is notifying some 130,000 patients that their personal information may have been compromised. Patient information stored on seven CDs belonging to New York's Lincoln Medical and Mental Health Center was lost in transit after a hospital contractor shipped them, Bloomberg reports. The unencrypted data includes Social Security numbers, dates of birth, drivers' license numbers and procedure information. In a letter sent to victims earlier this month, the hospital suggested the CDs may have been displaced at a shipping facility and destroyed.
Yet another good example for encryption of all PHI and PI in transit.
Related Link:
http://www.businessweek.com/idg/2010-06-29/new-york-hospital-loses-data-on-130-000-via-fedex.html
Continuing Data Breach Over Eight Year Period Exposes Personal and Medical Records of Students at University of Maine Counseling Center
According to the Auburn-Lewiston Sun Journal, the University of Maine Police Department is investigating a data breach that exposed nearly 5,000 students' personal and medical information. Starting in 2002 and spanning eight years, hackers accessed the UMaine counseling center database, the Sun Journal reports. The database stored information including names, Social Security numbers and clinical information. The university has hired a company to monitor the credit of those potentially affected, though there is no indication the hacked data has been viewed or used. "This is a serious breach and we are profoundly sorry that this has happened," said a university spokesman.
Related Link:
http://www.sunjournal.com/state/story/870870
Tuesday, June 29, 2010
Latest Postponements and Exemptions of FTC Enforcement of ‘Red Flags’ Rule
At the urging of congressional lawmakers, the Federal Trade Commission has for the fifth time delayed enforcement of the “Red Flags” Rule – this time through December 31, 2010. In the interim, Congress plans to consider legislation that would alter the scope of entities covered under the Rule.
Under the Fair and Accurate Credit Transactions Act, Congress directed the FTC and other agencies to develop regulations requiring financial institutions and creditors to address the risk of identity theft. The FTC in turn sought to impose the Red Flags Rule, requiring all such entities to develop and implement written identity theft prevention programs.
In a news release issued on the organization’s website, “[the FTC] urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays.” The Commission goes on to explain that it will begin enforcement sooner should Congress pass legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010.
Additionally, the FTC agreed on June 25 to temporarily exempt physicians from the Red Flags Rule. Per a joint stipulation with the American Medical Association and other health organizations, the FTC will wait until the U.S. Court of Appeals for the District of Columbia resolves questions concerning the Rule’s scope before it seeks enforcement against physicians. The AMA, American Osteopathic Association, and the Medical Society of the District of Columbia had filed a lawsuit on May 21 to prevent the FTC from applying the rule to physicians (AMA v. FTC, D.D.C., No. 1:10-cv-00843), arguing that the FTC exceeded its statutory powers and acted in a manner that is “arbitrary, capricious, and contrary to the law.”
The District Court previously barred the FTC from applying the Red Flags Rule to attorneys following a similar challenge by the American Bar Association. The FTC appealed that decision, and the health group’s lawsuit will now be put on hold until the Court of Appeals issues its opinion in the ABA case.
Related Links:
http://www.ftc.gov/opa/2010/05/redflags.shtm
http://www.healthdatamanagement.com/news/red-flags-rule-identity-theft-lawsuit-physicians-40572-1.html
http://www.ama-assn.org/ama1/pub/upload/mm/395/red-flags-lawsuit.pdf (AMA’s complaint)
Monday, June 28, 2010
Major Data Breach at California Health Insurer
Anthem Blue Cross is notifying approximately 230,000 members and applicants for individual health insurance of a breach involving a web site used by individuals to apply for insurance and track the status of their applications. Anthem claims that attorneys managed to manipulate the web address within the web site in order to obtain information in support of a class action lawsuit against the insurer.
The attorneys were apparently able to access medical information in addition to Social Security and credit card numbers, resulting from a failure to reinstate security mechanisms following an October 2009 upgrade to the web site.As part of a statement issued by the company, Anthem offered the following: "The ability to manipulate the web address (URL) was available for a relatively short period of time following an upgrade to the system. After the upgrade was completed, a third party vendor validated that discovered, we made the necessary security changes to prevent it from happening again."We have requested both by letter and in court filings that the attorneys return all information improperly obtained from the individual application system and as a result, that information has been delivered to a court approved custodian who will ensure its security.”
Interestingly, Anthem said that “out of an abundance of caution” it is providing a detailed notification explaining what happened to individuals who might be affected by the breach, but apparently no legal obligation from its point of view. California law requires that affected residents be notified of breaches of health information. See http://www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf. The insurer will also offer notified individuals a year of free identity protection services. Meanwhile, Anthem is weighing legal action it might take “with respect to the data, the impact—if any—on our members, and the remediation costs incurred as a result of these actions.”
Related Links:http://www.insurancenetworking.com/news/health_insurance_technology_Anthem_Blue_Cross_data_security_risk-25114-1.html
Friday, June 25, 2010
July 13 Data Security Workshop - FREE
- What are my organization and business partner’s obligations?
- What kind of information do I need to protect and how do identify it?
- Is data encryption necessary?
- What is a WISP?
- What is a data breach and what is my responsibility and liability if I have one?
For information or to register to attend the event, which will be hosted by Mintz Levin in our downtown Boston office, please click this link: http://tinyurl.com/35pk3yr
Thursday, June 24, 2010
Twitter Settles With FTC
The FTC had alleged that “serious lapses” in Twitter’s security last year "allowed hackers to obtain administrative control of Twitter, including access to tweets that consumers had designated private, and the ability to send out phony tweets pretending to be from then-President-elect Barack Obama and Fox News, among others." The two incidents mentioned involved hackers using password-guessing tools to gain access to administrative functions. Under the settlement, Twitter must maintain a comprehensive information security program, to be assessed by a third-party every other year for 10 years. It also will be prohibited from misleading consumers about the extent to which it maintains and protects the security, privacy and confidentiality of nonpublic consumer information.
Related links:
Twitter Settles Charges that it Failed to Protect Consumers' Personal Information; Company Will Establish Independently Audited Information Security Program
Twitter settles with US regulators over privacy breach - Yahoo! News
Twitter settles with FTC for privacy breach Forrester Blogs
Tuesday, June 22, 2010
FTC Highlights Need for Privacy and Security in Internet Commerce
The Federal Trade Commission has weighed in as part of the Department of Commerce's public comment process on privacy and security issues. According to the FTC's comment, consumers trusting that their personal information will be safeguarded is essential to the success of e-commerce, and innovation is essential to ensuring privacy in the fast-paced, ever-changing world of the Internet economy. The topic of innovation and internet privacy controls has been, and continues to be, one of the FTC’s "highest consumer protection priorities for more than a decade," according to the comment.
In the comment, the FTC laid out several aspects of its privacy program. The agency led nearly 30 enforcement cases challenging business practices that allegedly failed to secure consumers' personal information and made efforts at educating consumers and businesses about privacy and security in an online world. The FTC also has several policy initiatives including promoting self-regulation in online behavioral advertising and participates in international privacy programs. The agency hosted several privacy roundtables and plans to public privacy and security proposals for public comment later this year.
Related links:
http://www.ftc.gov/opa/2010/06/foodinternet.shtm
The Google Payload Data Fallout Continues
Connecticut Attorney General Richard Blumenthal says he will lead a multistate investigation into Google Street View cars’ unauthorized collection of personal data from WiFi networks. The Connecticut AG said he expects a significant number of states to participate. More than 30 states participated in a recent conference call regarding the Connecticut investigation.
In a statement released yesterday, Blumenthal called Google’s data collection a “deeply disturbing invasion of personal privacy,” and said that consumers have a right to know what personal information, including potentially emails, web browsing habits and passwords, Google may have collected. “Google must come clean, explaining how and why it intercepted and saved private information broadcast over personal and business wireless networks,” he said. Google maintains that it did not collect the payload data intentionally and never used it , but the company may be facing not only domestic consequences but also investigations in the UK and other affected countries. Google says it stopped collecting Wi-Fi data from its Street View vehicles when it discovered the data collection problem last month following an inquiry by German regulators. The Google payload data incident is just one recent PR problem related to privacy concerns for the internet giant. Google took harsh criticism for the launch of Buzz because the feature initially revealed information about the names of users' email contacts. Google has significantly revised the service; now, it merely suggests followers, rather than automatically creating them.
Related links:http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=130619http://www.foxnews.com/world/2010/06/22/uk-police-investigating-alleged-google-privacy-breach-public-wi-fi-networks/
More on Supreme Court Ruling in Quon
Thursday, June 17, 2010
Breaking News: Supreme Court Issues Decision in Employee Privacy Case
As we’ve blogged in this space,, back in December, the Supreme Court agreed to hear City of Onatario v. Quon, a case on the privacy of text messages sent by a government employee on employer-provided devices. Specifically, the Court agreed to consider whether a police sergeant assigned to a Ontario, California SWAT team had a reasonable expectation of privacy under the Fourth Amendment in sexually-explicit, non-work related text messages transmitted on a department-issued pager and stored by an outside service provider even in the face of the City’s "general practice" of non-monitoring of such communications.
Today, the Court issued its opinion, finding that the City’s search of Sergeant Quon’s text messages to his colleagues and the woman with whom he was having an affair was reasonable. Although the Court did not reach agreement on whether and to what extent government workers have any reasonable expectation of privacy in communications such as those at issue here, the Court did agree that the search was reasonable.
The impact of this decision may be limited to Sergeant Quon and his co-workers; the Court explicitly cautioned against using the facts of the case to establish “far-reaching premises that define the existence, and extent, of privacy expectations enjoyed by employees when using employer-provided communication devices.”
More to come.
Wednesday, May 26, 2010
Congressmen Question Google on Wi-Fi
“We are concerned that Google did not disclose until long after the fact that consumers’ Internet use was being recorded, analyzed and perhaps profiled. In addition, we are concerned about the completeness and accuracy of Google’s public explanations about this matter,” wrote the lawmakers. “For example, on April 27, 2010, a Google blog post contained inaccurate information about whether payload data was collected. However, a Google executive on May 14, 2010, admitted in Google’s official blog that the company had ‘been mistakenly collecting samples of payload data from open (i.e., non-password-protected) Wi-Fi networks.’”
Barton and Markey, co-chairmen of the House Privacy Caucus, separately wrote last week to Federal Trade Commission Chairman Jon Liebowitz about Google’s recent revelation that it gathered the network information.
The lawmakers asked Schmidt to respond to the following questions:
What percentage of United States roads have been documented for Google Street View?
Over what time period did the collection of information for Google Street View take place or, if roads are visited by Google Street View vehicles more than once, what is the schedule for return visits to roads?
Have all Street View vehicles documenting United States roads been engaged in the monitoring or data collection of Wi-Fi transmissions at all times during those activities? If the answer is no, please explain in detail in what communities the monitoring or data collection was conducted and the reasons that these communities were chosen for monitoring or data collection.
How many Wi-Fi networks across the country have been logged since Google began its Street View program? How many consumers were subject to the data collection?
Was any notification of this monitoring and data collection made to affected communities prior to deploying Street View vehicles, and was consent sought from consumers? If so, please explain the notice and consent procedures involved. If not, please explain why this was not done.
Has Google at any time conducted a legal analysis regarding the applicability of consumer privacy laws on the monitoring and data collection of Wi-Fi transmissions? If so, please provide a copy of this analysis.
Please explain why Google chose to collect the data and how it intended to use the data.
What is the status of the consumer data collected? Has it been analyzed and used in any way? Does Google have plans to use it in the future? Please explain in detail.
Has the collected data been destroyed? If yes, when and by which method(s)? If not, why not?
What is the status of Google’s internal review of Street View’s monitoring and data collection practices to ensure adequate controls? What is the methodology? When did the review start? Who is conducting the review? Are there any interim findings? When is it expected to be completed? Will the review, or portions of it, be made available to the public?
What is Google’s process to ensure that data collection associated with new products and services offered by the company is adequately controlled?
Has Google asked a third party to review the software at issue? If so, who is the third party, and what is the nature of the review?
A copy of the letter to Schmidt can be found here. A copy of the letter to the FTC on the Google can be found here.
Monday, May 24, 2010
Red Flags Rule Compliance Date Approaching - American Medical Association Sues
On Friday, the American Medical Association filed a lawsuit against the FTC for defining physicians as “creditors” and claiming that requiring physicians to comply with the Red Flags Rule could jeopardize the doctor-patient confidential relationship. The Red Flags Rule (to refresh your memory) requires that “creditors” establish identity theft protection programs and would likely require physicians to obtain positive identification of patient identity – before providing treatment, as argued by the AMA.
The lawsuit argues that the FTC acted beyond its authority because physicians are not creditors and patients are neither accountholders nor customers under the Fair and Accurate Credit Transactions Act (FACTA). The latter is a more likely argument than the former. Under FACTA, an “entity that regularly defers payment for goods or services” can be considered to be a creditor and physicians routinely bill patients after the completion of services, including for the remainder of medical fees not reimbursed by insurance. I have been in doctor’s offices over the last 6 months where new patients are asked for their insurance card, and their driver’s license or a photo ID. This would seem to be a small step towards controlling medical identity theft.
Read about medical identity theft at World Privacy Forum Medical Identity Theft Page
Thursday, May 13, 2010
Facebook Holding Privacy Summit
Related links:
GigaOM » Facebook Needs to Find Its Voice on Privacy
Facebook's Eroding Privacy Policy: A Timeline Electronic Frontier Foundation
Wednesday, May 12, 2010
The back-and-forth on Facebook's privacy travails
Last week, the author of the Times’ technology blog Bits invited readers to submit questions for Facebook's vice president for public policy, Elliot Schrage. She probably got more than she (or Schrage) expected – in fact, over 300 of them. Schrage’s response is published in today’s blog entry: Facebook Executive Answers Reader Questions - Bits Blog - NYTimes.com.
For a completely different view of Mr. Schrage’s comments, I found Catharine Taylor’s post at Social Media Insider to raise some important questions.
Two privacy issues from North of the Border
Related link:
Smart grid data must be protected: Privacy czar - thestar.com
And, Canada’s Assistant Privacy Commissioner is expressing concerns about the U.S. Secure Flight Program that will complete implementation and be fully operational by December. Under the program, passengers of any nationality who raise suspicions of U.S. authorities can be prevented from boarding flights that fly over U.S. airspace. Chantal Bernier told the Canadian Parliament yesterday that there is little Canada can do about it except urge the U.S. government to address extremely long data retention periods and other privacy concerns of Canadians. Under the program, Homeland Security may retain information collected (including name, birth date, flight information, itinerary and passport number) for periods ranging from a week up to 99 years.
Related link:
Vancouver Sun
Thursday, May 6, 2010
Privacy Events Calendar
Tomorrow, the Commerce Department is hosting a day-long symposium called “A Dialogue on Privacy and Innovation.” It will include several panel discussions to discuss stakeholder views and to facilitate further public discussion on privacy policy in the United States. The event will seek participation and comment from all Internet stakeholders, including the commercial, academic, and civil society sectors, on the impact of current privacy laws in the United States and around the world on the pace of innovation in the information economy. The event will be webcast at
http://www.ntia.doc.gov/InternetPolicyTaskForce/privacy/webcast.html
This Symposium is related to Commerce’s ongoing Notice of Inquiry seeking comment on the impact of current privacy laws in the United States and around the world on the pace of innovation in the internet economy. The Notice of Inquiry is at Internet Policy Task Force and comments are due June 7, 2010.
Roundtable on COPPA
FTC has announced that it will host a public roundtable on June 2, 2010, to examine whether technology changes warrant revisions to the Children’s Online Privacy Protection Rule. The Rule was enacted in 2000 and requires website operators to obtain parental consent before collecting, using, or disclosing personal information from children under the age of 13. Topics will include whether the Rule should be applied to emerging media, a potential expansion of the Rule to cover additional types of information, and the review of the verification methods used by websites. The roundtable will be held at the FTC Conference Center at 601 New Jersey Avenue, NW in Washington, DC. It is free and open to the public. No advanced registration is required
20th Annual CFP Conference
The 20th Conference on Computers, Freedom, and Privacy will be held on June 15-18 in San Jose, CA. Keynote speakers include Peter Cullen of Microsoft and David Drummond of Google. "Hot topics" sessions covering the latest news in freedom, privacy, and networks, and CFP's first "Unconference". Other highlights include sessions focusing on consumer advocacy, human rights, business perspectives, and cutting-edge intersections between technology and policy.
Monday, May 3, 2010
Welcome to the Privacy Revolution
One sure way not to raise the issue was demonstrated by a principal in Ridgewood, New Jersey last week. According to a post by Christopher Dawson in ZDNet Education IT, principal Anthony Orsini sent parents an email strongly urging them to take the role of cyberpolice with their middle school children, because “…there is absolutely, positively no reason for any middle school student to be a part of a social networking site! None.” Raising the consciousness of parents to the risks and dangers inherent in social networking and encouraging discussion at home is one thing. This is on an entirely different level.
Related links:
New Jersey principal deputizes parents as cyber police Education IT ZDNet.comALA Launches Choose Privacy Week - 5/3/2010 - School Library Journal
Sunday, May 2, 2010
OT -- Emergency Response 2.0 : Solutions to Respond to Oil Spill in the Gulf of Mexico
Emergency Response 2.0 : Solutions to Respond to Oil Spill in the Gulf of Mexico
Friday, April 30, 2010
Privacy and Security Bits and Bytes
We have blogged on this issue here and here -- and again, there is another warning about the treasure trove of information residing on the hard drive of your copy machine. A CBS Evening News investigation revealed just how much information is stored on copy machines that gets passed on when the machine’s lease is up and the machine is resold. Adding one more to the mounting pile of privacy-related investigation requests the Federal Trade Commission has received in recent days, U.S. Rep. Edward Markey (D-MA) requested the commission look into the issue in a statement released yesterday.
Make sure that you don’t violate data protection laws in Guernsey – the offshore banking center has amended its privacy law to include prison time for violations. Persons found guilty under Section 55 of the law of unlawfully obtaining (or disclosing) personal data without the consent of the data controller may now face a prison sentence. Previously, the most severe penalty available was a fine of up to £10,000 Data protection law amended - International Law Office
Add Mexico to the list of countries with a national comprehensive data protection law. Mexico's Senate on Tuesday unanimously approved the Federal Law of Protection of Personal Information. The law establishes the rights and principles of data protection in the private sector, and was nine years in the making.
And two “breaches du jour”: The Louisville Courier-Journal reports that a flash drive containing the personal information of 24,600 patients of a psychiatric hospital has gone missing. According to the report, the drive contained patient names, admission and discharge dates and dates of birth. (Begs the question of why protected health information (or PHI) is on an unsecured flash drive in the first place…. ) And, in California, St. Jude Heritage Healthcare has notified 22,000 patients about the theft of five hospital computers containing their PHI.
Thursday, April 29, 2010
Connecticut Woman Files First Suit Under Federal Law Prohibiting Genetic Discrimination
A Connecticut woman has filed a charge of discrimination under the Federal Genetic Information Nondiscrimination Act ("GINA"), which prohibits discrimination against employees based upon their status as carriers of genetic information. The woman claims her status as a carrier of the BRCA2 gene, a gene sometimes associated with the elevated risk of breast cancer, led to her termination after she had preventive surgery relating to her breast cancer risk.
GINA was passed to address concerns of individuals who might be reluctant to undergo genetic testing because the results, if disclosed to an employer, might be used in a discriminatory manner by employers. While it is premature to predict the probability of outcomes of this employment dispute, it reminds employers of their obligations to comply with GINA and other numerous other Federal and state laws concerning the management and use of health information in the workplace.
Related Links:
Hartford Courant
Woman claims genetic test led to firing at Stamford firm - StamfordAdvocate
Home WGGB abc40 News, Weather and Sports in Springfield Massachusetts
Monday, April 26, 2010
Proposed HITECH Regulations Out in May?
The Department is also scheduled to issue a final rule in May of this year, addressing the certification standards and implementation criteria for electronic health record technology.
Thursday, April 15, 2010
Brokerage firm victim of elaborate extortion scheme - but also gets hit with a fine
The hackers used a SQL injection attack to obtain access to the company’s database on Dec. 25 and 26, 2007.
The Financial Industry Regulatory Authority, which announced the fine agreement on Monday, said although the attack activity was reflected in the brokerage’s server logs, administrators failed to examine those logs. The intruders obtained data on about 192,000 customers, according to the press release announcing the fine. (Previous reports indicated that more than 300,000 customer files were stolen). The data included customer account numbers, Social Security numbers, names, addresses, dates of birth and other private information.
The company discovered the breach only after receiving an extortion e-mail from one of the hackers on Jan. 16, 2008, which contained an attachment with the records of 20,000 customers as proof of the intrusion. DA Davidson contacted the Secret Service, and the subsequent investigation led to four suspects, three of whom are Latvian nationals, who were extradited from the Netherlands to face charges in Montana. In a statement released yesterday by the U.S. Attorney for Montana, the three Latvians pleaded guilty to receipt of extortion proceeds.
More: Wired Magazine
Three Plead Guilty in Plot to Extort DA Davidson - Financial Planning
The United States Department of Justice - United States Attorney's Office
Federal Regulators Release Model Consumer Privacy Notice Online Form Builder
Under the new regulation, to obtain a legal "safe harbor" and satisfy the disclosure requirements under the Gramm-Leach-Bliley Act, institutions must follow the instructions in the model form regulation when using the Online Form Builder.
The form is available here: Online Form Builder
Friday, April 9, 2010
Privacy and Security Bits and Bytes
Virginia Adds Medical Information Breach Law - The Commonwealth of Virginia has amended its data breach notification law to include breaches of medical information. For the text of the amendment, link here. Even if the data is encrypted, the law requires notice if the breach involved a person with access to the encryption key. The law requires notice to affected individuals (residents of Virginia) as well as Virginia's Office of Attorney General. The Attorney General can bring an action for violations of the law and impose civil penalties up to $150,000 per breach (or a series of similar breaches of a similar nature that are discovered in a single investigation). The law does not apply to persons or entities that must report the breach under the HITECH Act.
“Data Security – It’s a Responsibility, Not an Option” – interesting point of view from InfoSecIsland.
FTC Complaint Focuses on Tracking, Profiling of Consumers. -- Yesterday, the Center for Digital Democracy, the US Public Interest Research Group, and the World Privacy Forum filed a complaint with the FTC regarding two emerging trends in online advertising that they say pose growing threats to consumer privacy: auctioning of individual Internet users for targeted advertising opportunities and the combination of online and offline data about Internet users. The complaint describes what the group feels is a growing trend in online behavioral advertising that involves the real-time sale and trade of the right to target individual users with online ads through the use of data compiled about users via their Web surfing habits. The groups have asked the FTC to investigate the data and advertising exchanges operated by Google, Microsoft and Yahoo, as well as several firms that support the auctioning and data collection/targeting system, including AppNexus, BlueKai and Rubicon Project. Furthermore, the group has asked the FTC to require the firms involved in real-time online tracking and auction bidding to allow consumers to opt-in to participate in such activities; require firms to update their privacy policies so consumers are aware of these activities; and ensure consumers are compensated for the use of their data. Stay tuned.
Large UK Data Breach Penalty Takes Effect -- As we warned you in this space last month, this week marks the effective date of the new, substantially higher fines in the UK for data loss. Reports are that up to 65 percent of workers are unaware of the new penalties – which can quickly hit £500K for large scale breaches. If you’re operating in the UK, check out Data loss fines hit £500K from today • The Register or ICO vows to impose heavy fines for major data breaches - 07 Apr 2010 - Computing.
And Finally --
This item from Wired Magazine proves yet again that identity theft is not limited to computer hacking or interception of electronic messages. A 74-count indictment unsealed yesterday in Arizona details charges that a group of sophisticated identity thieves managed to steal millions of dollars by filing bogus tax returns using the names and Social Security numbers of other people, many of them deceased.
Thursday, April 8, 2010
Mississippi Becomes 46th State to Enact Data Breach Notification Law
Similar to most of the other laws, the Mississippi law applies to any person who owns, licenses or maintains computerized personal information of any resident of that state. Breaches must be disclosed “without unreasonable delay.” It does not appear that the Mississippi law imposes any out-of –the-ordinary obligations on businesses, but the trend continues. The law becomes effective July 1, 2011.
Link to text of legislation:
HB 583 (As Sent to Governor) - 2010 Regular Session
Tuesday, April 6, 2010
More on last week's NJ Supreme Court decision -
And, the International Association of Privacy Professionals' Daily Dashboard quoted my partner, Jen Rubin:
PRIVACY LAW -- U.S.
Employee E-mail Decision Spurs More Questions
Last week's New Jersey Supreme Court decision that employees should have an expectation of privacy when they use personal e-mail accounts on corporate computers is raising new questions, NetworkWorld reports. The court's decision specified that when it comes to monitoring employees' actions online, "employers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy." Jen Rubin, attorney at Mintz Levin in New York, says the decision brings up new questions about employer ownership of e-mail created on company-issued computers and is likely to have businesses taking much closer looks at their e-mail policies. Full Story
This is an important decision with wide-reaching implications. If you are an employer and you have not looked at your "Acceptible Use Policy" or other such electronic systems policy in a while (or worse, if you don't have one at all.....), this case should motivate you to pull it out and look again.
Wednesday, March 31, 2010
BREAKING NEWS: NJ Court Upholds Employee E-mail Privacy
Given the importance of this decision to both privacy issues and employer/employee workplace issues, we will provide a complete analysis.
Tuesday, March 30, 2010
Government "Outs" Mystery Retailers in Gonzalez Hack Case
J.C. Penney argued unsuccessfully last week to keep the company’s identity under seal, and that it (a corporation) was entitled to anonymity under the 2004 Crime Victims' Rights Act. That law was intended to protect the “dignity and privacy” of victims – and that is what Penney argued. but Judge Douglas P. Woodcock was not convinced -- and in fact was "astonished." The Judge said in the hearing that he believed both retailers should have announced their involvement from the start and that consumers had the right to know. Woodlock said he would not provide the companies “insulation from transparency.”
For more: StorefrontBacktalk » JC Penney, Wet Seal: Gonzalez Mystery Merchants
Motion of Government - http://www.wired.com/images_blogs/threatlevel/2010/03/09-cr-10382-14.pdf
Monday, March 29, 2010
More detail on Dave & Buster's FTC Settlement
Tip: This breach was the result of malicious hacking. In fact, the hacker - Alberto Gonzalez - was just sentenced to 20 years in federal prison for his crime. However, the FTC's concern was that the restaurant chain did not have "reasonable security measures" in place to prevent the hacking in the first place, or to detect it as it was occurring. Time to take stock of the point-of-sale systems in your store/restaurant.
French Senate Passes Breach Notice Bill
This bill also doubles monetary penalties for violations of the data protection law. It now moves on to the National Assembly.
The bill, as passed by the Senate is available, in French, at http://www.senat.fr/petite-loi-ameli/2009-2010/331.html
Friday, March 26, 2010
Privacy and Security Bits and Bytes
Another state has joined the Payment Card Industry Data Security Standard ("PCI") bandwagon. On March 22, 2010, Washington state became the third state to incorporate the into law. The Washington House and Senate passed HB 1149 and it has been signed into law by the governor. HB 1149 amends Washington’s breach notice law (and borrows some of its definitions). Similar to Minnesota’s Plastic Card Security Act, HB 1149 provides issuing banks a legal mechanism to collect the costs to reissue payment cards after a payment card security breach. The law is effective July 1, 2010
How often do you change your password? A Symantec report discovers that an astounding 10 percent of us don’t change them AT ALL. Most users don't change password often enough, report says Digital Media - CNET News
Condom Web Site Threatens to Sue Person who Outed Their Leakage - An Indian Web site that sold Durex condoms has threatened legal action against the person who exposed a data breach on the site. Earlier this month, a user of the site noticed that he could view customers' names, addresses, contact numbers and order details, The Register reports.
Following up on a Privacy and Security Bits and Bytes from a couple of weeks ago on the potential privacy implications of copy machines, The Toronto Star has a more in-depth piece on the wealth of information stored on the hard drives of high-end copy machines.
HHS Announces Delay in Enforcement of HITECH Rules as Applied to Business Associates
We take this to mean that enforcement of these particular HITECH Act provisions will be delayed.
For more information, see the Mintz Levin Health Law and Employee Benefits Alert just published.
Restaurant Chain Settles FTC Data Breach Charges
This is the FTC’s 27th case challenging faulty data security practices by organizations that handle sensitive consumer information.
Our Client Alert with complete links to the draft order and complaint and full discussion will be posted later today.
Thursday, March 25, 2010
TJX hacker sentenced to 20 years
http://www.boston.com/business/ticker/2010/03/tjx_hacker_sent.html
Wednesday, March 24, 2010
Senate Commerce Committee Approves Rockefeller-Snowe Cybersecurity Act
The Senate Commerce Committee press release --
WASHINGTON, D.C.—Senator John D. (Jay) Rockefeller IV, Chairman of the U.S. Senate Committee on Commerce, Science, and Transportation, and Senator Olympia J. Snowe (R-ME), a senior member of the committee, issued the following statements today after the Commerce Committee favorably reported out the Rockefeller-Snowe Cybersecurity Act.
“Our future is literally being stolen from us. Cyber attacks and hackers are at work raiding property and proprietary information from U.S. companies and innovators,” said Chairman Rockefeller. “The status quo is not sustainable. We need a new model for the 21st century. We must secure America’s critical networks, innovation and competitiveness in the global market. The Rockefeller-Snowe Cybersecurity Act provides a framework for a fundamentally new approach to combating cyber attacks. Today, we took another big step in moving this enormously important legislation forward.”
“It is simply undeniable that cyber intrusions and attacks represent both a potential national security and economic catastrophe as our vital information infrastructure – nearly 90 percent of it – is owned and operated by the private sector,” said Senator Snowe. “Without adequate cooperation between the public and private sectors to protect our critical infrastructure information systems – our strategic national assets – we risk a cyber-calamity of epic proportions with devastating implications for our nation. Our initiative, which is the culmination of a year’s worth of consultation and input from across the spectrum, streamlines cybersecurity-related functions and clarifies the responsibilities of government and private sector stakeholders.”
Boston ranks 2nd in U.S. cyber-crime study
In a study published yesterday by California data security firm Symantec Corp. (Nasdaq: SYMC), Boston registered as the second-riskiest city in the U.S., after Seattle, due to its high concentration of cyber crimes and WiFi availability. Out of 50 cities spotlighted in the report, Boston narrowly missed the top spot, with a risk score of 176.6 to Seattle’s 188.2. In third place was Washington, D.C., and in fourth was San Francisco.
According to Symantec’s report, Boston’s problems come from an especially high concentration of “spam zombies” — computers taken over by outside hackers to send out spam.
Another factor is the Hub’s many unsecured WiFi hotspots — 53.6 per 100,000 residents — where cyber criminals may lurk, trolling for unwitting users. While high-profile or widespread computer attacks are relatively rare, small-scale attacks like these threaten even savvy computer users, the report noted.
The complete list of cities and further description of the Symantec report can be found in a ComputerWorld report linked here: Symantec names riskiest U.S. cities for cybercrime
Quick Compliance Survey
Click here to take survey
Tuesday, March 23, 2010
International Cybercrime Reporting and Cooperation Act introduced this afternoon
The complete text of the bill is not yet available online, but the press release does include the details of the bill, which include: (1) an annual Presidential report on the state of other countries' use of communication infrastructure and the extent of cybercrime in those countries; (2) providing assistance to countries with low information, telecommunications and communications penetration in order to prevent these countries from being cybercrime havens; (3) indentify countries of cybercrime concern; (4) suspend benefits to countries that fail to meet cybercrime benchmarks; and (5) require the Secretary of State to designate a senior official at the State Department to coordinate and focus on activities, policies and opportunities to combat cybercrime internationally.
More information -- Bill Focuses On Global Cybercrime Measures - Tech Daily Dose - Tech Daily Dose
Massachusetts Data Security Compliance Workshop
"Massachusetts Data Protection Law: Demystifying the Details" is being sponsored by the Merrimack Valley Venture Forum. The Merrimack Valley Venture Forum has assembled a panel of legal, technology, and process experts to break down the law and give you a clear path to compliance through a hands-on workshop. Panelists include: Cynthia Larose, Mintz Levin, Matt Pettine, MFA Cornerstone Consulting, Nagraj Seshadri, Sophos, and Mike Spinney, SixWeight. Registration through Wednesday afternoon at 5:00 pm at sferrara@mvvf.org.
Bring your questions!
Monday, March 15, 2010
Maine Legislative Committee Votes to Repeal Marketing Law Aimed at Minors
The bill's sponsor, state senator Elizabeth Schneider, also withdrew a proposal for a narrower measure that would have only banned companies from collecting data about minors for the purpose of marketing prescription drugs to them. The full Maine legislature is expected to vote on the repeal within a few weeks.
Thursday, March 11, 2010
Privacy and Security Bits and Bytes
Don't Ignore New Massachusetts Data Privacy Regs – a piece by Lora Bentley from ITBusinessEdge (for which the editor of this blog was interviewed)
Your smart phone may soon be smarter than you’d like it to be: researchers in Japan have produced a mobile phone that can track movements of the user and beam the information back to an employer (or anyone else who wants it)….BBC News - Mobile that allows bosses to snoop on staff developed
Something else to consider when undertaking those risk assessments to determine where personal information is – and what you need to control when it leaves. Have you thought about what is stored on the hard drive of your copy machine?? This piece from Boston TV station WBZ is eyepopping -- Copy Machines Can Store Your Private Info - wbztv.com
Wired reported this week that the U.S. Supreme Court will take on another “informational privacy” case that could have far-reaching impact. This makes the second privacy case that the Supremes will be hearing in this term.
And, what you say at a privacy/security conference isn’t necessarily “private” or “secure” and could get you fired. Computerworld’s article -- Pennsylvania fires CISO over RSA talk – says that the former PA CISO spoke at an RSA security panel last Thursday – and is no longer working for the Commonwealth.
Enjoy the weekend -
Big Fines Coming in UK for Data Breaches
As of April 6, 2010, the UK’s Information Commissioner’s Office (ICO) can levy fines of up to £500,000 for breaches of the Data Protection Act 1998 that are:
• serious in nature
• deliberate or reckless, and
• likely to cause substantial damage or distress to an individual.
The standard for “reckless” non-compliance may take some by surprise: Did the data controller know, or should it have known, that there was a risk of a breach of a kind likely to cause substantial damage or distress? If so, were reasonable steps were taken to prevent the breach?
The ICO has given a specific example that may make IT and privacy officers flinch, but will come as no surprise to those in the U.S. who have been dealing with the likes of Massachusetts 201 CMR 17.00 or the HITECH Act: Does the company have appropriate policies and procedures in place such as the encryption of all laptops and removable media (such as flash drives) to avoid loss of personal data if an employee’s laptop or removable media is stolen? Failing to do so might be considered “reckless” depending on the likely consequences of the loss of personal data contained in the unsecured devices.
Further Information
For more information, see our our Mintz Levin Client Alert. Also, the ICO has published detailed guidance concerning when fines will be issued, the process for trying to get fines withdrawn or reduced, how to appeal, and payment.
Wednesday, March 10, 2010
Another Potential Privacy Pitfall on Facebook
Related Links
Facebook Updates May Share Your Location Soon - PCWorld
Tuesday, March 9, 2010
Breaking News - ID Theft Company to Pay $12 Million for Deceptive Advertising
That’s how Federal Trade Commission Chairman Jon Leibowitz described the identity theft protection offered to consumers by the widely-advertised LifeLock product and the claims made by the company that its service provided comprehensive identity theft protection. Those claims have cost the company $12 million dollars in a settlement announced today by the FTC chairman and Illinois Attorney General Lisa Madigan. According to the lawsuit, LifeLock claimed its service would protect consumers against all forms of identity theft, when, in fact, LifeLock offered only limited protection against only some forms of identity theft and had no effect on the most common form: the misuse of existing credit card and bank accounts.
The settlement was announced at a press conference today and LifeLock has agreed to pay $11 million to the FTC and $1 million to a group of 25 state attorneys general to settle the deceptive advertising charges. In addition to the $12 million settlement, LifeLock and its co-founders Richard Todd Davis and Robert J. Maynard, Jr. are prohibited from making deceptive claims and required to better safeguard customers’ personal information.
The FTC will use the $11 million it receives from the settlements to provide refunds to consumers. It will be sending letters to the current and former customers of LifeLock who may be eligible for refunds under the settlement, along with instructions for applying.
Links
Complaint - Federal Trade Commission, Plaintiff, v. LifeLock, Inc., a corporation; Robert J. Maynard, Jr., individually and as an officer of LifeLock, Inc.; and Richard Todd Davis, individually and as an officer of LifeLock, Inc., Defendants
Press Release - Information on Lifelock Settlement
Thursday, March 4, 2010
Major "goof" at Citibank
Check this out at WalletPop
Tuesday, March 2, 2010
Hotel Chain Hacked Again....
Related Links
Letter posted to Wyndham website
V3 UK - Wyndham Hotel Chain Hacked Again
Monday, March 1, 2010
Today is the day......
Discussion continues and questions abound. Will this set the bar nationwide as the articulation of what constitutes "reasonable security" for personal information? How should companies handle the varying risk of harm standards when dealing with state laws and federal law, such as the HITECH Act?
Friday, February 26, 2010
Top 3 questions relating to compliance with 201 CMR 17.00
16 Days to March 1..... and Countdown to compliance with 201 CMR 17.00.....11 days). Here are some questions that have been reoccurring over the last few weeks:
1) What should I be doing about the requirement relating to third party service providers and how does my company get "assurances" that those service providers (like payroll and benefits) are in compliance?
The answer to this will depend upon the kind of access and extent of information that the vendors have. Some companies have created extensive 3rd party/ vendor PI due diligence forms and processes. In the end, all your vendors should provide their own attestation that they are capable of meeting the requirements of 201 CMR 17.00 as part of the vendor review process, and it should be part of the contract. Depending on the situation, targeted risk assessments of vendors may be appropriate, as well as detailed security exhibits attached to contractual agreements. With existing service providers, if the contract is in place by Monday, you will have two years to amend it....but you should be addressing the security safeguard issues now.
2) What about faxes? How can I encrypt those, and is that required under 201 CMR 17,04?
A rather complex answer, but if the fax machine is using the Plain Old Telephone System (POTS to telecom engineers) this is not a "Public Transport" as used in 17.04(3). POTS is a private, switched, 2 party connection. The fax transmission in this case is simply not traveling over a public connection....and does not need to be encrypted nor would the fax machine require an encryption key technology. There are many other concerns with the "process" of sending and receiving faxes, most of these fall under logical or physical access controls, that are required elsewhere in 201 CMR 17.00. One thought of caution, is that there are many FAX systems that are NOT, 100% based on POTS or based on private switched network technology. If your business uses eFax or some other Internet-based form of transmission, that may be going to a traditional fax machine -- it’s POTS to me, but an email to you that is traveling over the public network. If you have a concern about the security of PI in a process, then you most likely have something which needs to be locked down and controlled.
3) We have a good handle on the computer system security requirements and the technical issues, including the whole portable device issue, but what about all that paper?
Start with the basics - do you really need to have the PI in paper format, and do you need as much as you have? If you don't have it, you can't lose it. Keep track of what is in the file, so missing items will be noticed, and to enable you to comply with data breach notification obligations if the worst happens. Simple things like: use color-coding and labels to indicate the sensitivity of the file; consider whether the original or a copy can be taken, if a copy, track the number of copies and stamp them; physically attaching documents to a folder makes copying/losing items more difficult. Use log-in/out records for the files. Remind employees to keep the records in sight or in a safe location when out of sight - use a briefcase lock if there is one, keep files in the trunk of the car and not on the car seat. The most important step is to make sure the plan is followed and to TRAIN EMPLOYEES. Companies can craft great policies and procedures to handle PI and comply with 201 CMR 17.00. But if employees and third parties are not educated and trained in these policies then compliance with the law is highly unlikely! Training, training, training. Security awareness is a big key to avoiding the unfortunate data breach.
And, it's Friday, February 26th......
Thursday, February 25, 2010
“Stunning”/ “Shear Madness” – Reaction to Google Convictions
Google privacy convictions in Italy spark outrage
Larger Threat Is Seen in Google Case - NYTimes.com
Conviction of Google Execs in Italy Shear Madness
Kerry: Sending Google execs to prison 'unjust' - The Hill's Hillicon Valley
Wednesday, February 24, 2010
BREAKING NEWS: Google Executives Convicted on Privacy Charges in Italy
Judge Oscar Magi ordered a six-month suspended jail sentence and fines for Fleischer, Drummond and former Google Italy board member George De Los Reyes. The three were absolved of defamation charges. .The case stems from the posting of a video to Google Video Italia showing teenage boys taunting a classmate with Down syndrome. Prosecutors charged that the executives did not do enough to keep the offensive video off its site. In a statement, Peter Fleischer said the ruling sets a dangerous precedent. “If company employees like me can be held criminally liable for any video on a hosting platform…then our liability is unlimited.” He said today’s decision raises questions for the operators of many Internet platforms.
Stay tuned.
Monday, February 22, 2010
Today's compliance deadline - Enforcement of the HITECH/HIPAA data breach notification rule
Today is the day that the Health & Human Services Office of Civil Rights begins to enforce the HITECH/HIPAA data breach notification rule. To "celebrate" the occasion, the agency publicly posted the first list of reported breaches affecting 500 or more individuals. The list is available on the HHS’ website, but I thought I would post them here. Reasonably instructive…..see any trends??
Breaches Affecting 500 or More Individuals
As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. The following breaches have been reported to the Secretary.
The Methodist Hospital
State:
Texas
Approx. # of Individuals Affected:
689
Date of Breach:
1/18/10
Type of Breach:
Theft
Location of Breached Information:
Computer
Carle Clinic Association
State:
Illinois
Approx. # of Individuals Affected:
1,300
Date of Breach:
1/13/10
Type of Breach:
Theft
Location of Breached Information:
Paper Records and Films
Ashley and Gray DDS
State:
Missouri
Approx. # of Individuals Affected:
9,309
Date of Breach:
1/10/10
Type of Breach:
Theft
Location of Breached Information:
Desktop Computer
Educators Mutual Insurance Association of Utah
State:
Utah
Business Associate Involved:
Health Behavior Innovations
Approx. # of Individuals Affected:
5,700
Date of Breach:
12/27/09
Type of Breach:
Theft
Location of Breached Information:
CDs
Goodwill Industries of Greater Grand Rapids, Inc.
State:
Michigan
Approx. # of Individuals Affected:
10,000
Date of Breach:
12/15/09
Type of Breach:
Theft
Location of Breached Information:
Backup Tapes
Private Practice
City and State:
Stoughton, MA
Approx. # of Individuals Affected:
1,860
Date of Breach:
12/11/09
Type of Breach:
Theft
Location of Breached Information:
Portable Electronic Device/Electronic Medical Record
AvMed, Inc.
State:
Florida
Approx. # of Individuals Affected:
359,000
Date of Breach:
12/10/09
Type of Breach:
Theft
Location of Breached Information:
Laptop
Blue Island Radiology Consultants
State:
Illinois
Business Associate Involved:
United Micro Data
Approx. # of Individuals Affected:
2,562
Date of Breach:
12/09/09
Type of Breach:
Loss
Location of Breached Information:
Backup Tapes
Private Practice
City and State:
Wilmington, NC
Business Associate Involved:
Rick Lawson, Professional Computer Services
Approx. # of Individuals Affected:
2,000
Date of Breach:
12/08/09
Type of Breach:
Hacking/IT Incident
Location of Breached Information:
Computer/Network Server/Electronic Medical Record
Kaiser Permanente Medical Care Program
State:
California
Approx. # of Individuals Affected:
15,500
Date of Breach:
12/01/09
Type of Breach:
Theft
Location of Breached Information:
Portable Electronic Device
University of California, San Francisco
State:
California
Approx. # of Individuals Affected:
7,300
Date of Breach:
11/30/09
Type of Breach:
Theft
Location of Breached Information:
Laptop
Detroit Department of Health and Wellness Promotion
State:
Michigan
Approx. # of Individuals Affected:
646
Date of Breach:
11/26/09
Type of Breach:
Theft
Location of Breached Information:
Laptop, Desktop Computer
Advocate Health Care
State:
Illinois
Approx. # of Individuals Affected:
812
Date of Breach:
11/24/09
Type of Breach:
Theft
Location of Breached Information:
Laptop
Concentra
State:
Texas
Approx. # of Individuals Affected:
900
Date of Breach:
11/19/09
Type of Breach:
Theft
Location of Breached Information:
Laptop
Children's Medical Center of Dallas
State:
Texas
Approx. # of Individuals Affected:
3,800
Date of Breach:
11/19/09
Type of Breach:
Loss
Location of Breached Information:
Portable Electronic Device
Universal American, Inc.
State:
New York
Business Associate Involved:
Democracy Data & Communications, LLC
Approx. # of Individuals Affected:
83,000
Date of Breach:
11/12/09
Type of Breach:
Incorrect Mailing
Location of Breached Information:
Postcards
Massachusetts Eye and Ear Infirmary
State:
Massachusetts
Approx. # of Individuals Affected:
1,076
Date of Breach:
11/10/09
Type of Breach:
Theft
Location of Breached Information:
Other
Kern Medical Center
State:
California
Approx. # of Individuals Affected:
596
Date of Breach:
10/31/09
Type of Breach:
Theft
Location of Breached Information:
Paper Records
Blue Cross Blue Shield Association
State:
District of Columbia
Business Associate Involved:
Service Benefits Plan Administrative Services Corp.
Approx. # of Individuals Affected:
3,400
Date of Breach:
10/26/09
Type of Breach:
Unauthorized Access
Location of Breached Information:
Mailings
Detroit Department of Health and Wellness Promotion
State:
Michigan
Approx. # of Individuals Affected:
10,000
Date of Breach:
10/22/09
Type of Breach:
Theft
Location of Breached Information:
Portable Electronic Device
The Children's Hospital of Philadelphia
State:
Pennsylvania
Approx. # of Individuals Affected:
943
Date of Breach:
10/20/09
Type of Breach:
Theft
Location of Breached Information:
Laptop
Public Employee Health Insurance Plan (Kentucky Employees' Health Plan)
State:
Kentucky
Approx. # of Individuals Affected:
676
Date of Breach:
10/20/09
Type of Breach:
Misdirected E-mail
Location of Breached Information:
Brooke Army Medical Center
State:
Texas
Approx. # of Individuals Affected:
1,000
Date of Breach:
10/16/09
Type of Breach:
Theft
Location of Breached Information:
Paper Records
Alaska Department of Health and Social Services
State:
Alaska
Approx. # of Individuals Affected:
501
Date of Breach:
10/12/09
Type of Breach:
Theft
Location of Breached Information:
Portable USB Device
Cogent Healthcare of Wisconsin, S.C.
State:
Tennessee
Business Associate Involved:
Cogent Healthcare, Inc.
Approx. # of Individuals Affected:
6,400
Date of Breach:
10/11/09
Type of Breach:
Theft
Location of Breached Information:
Laptop
Health Services for Children with Special Needs, Inc.
State:
District of Columbia
Approx. # of Individuals Affected:
3,800
Date of Breach:
10/09/09
Type of Breach:
Loss
Location of Breached Information:
Laptop
Blue Cross Blue Shield Association
State:
District of Columbia
Business Associate Involved:
Merkle Direct Marketing
Approx. # of Individuals Affected:
15,000
Date of Breach:
10/07/09
Type of Breach:
Unauthorized Access
Location of Breached Information:
Mailings
Blue Cross Blue Shield of Tennessee
State:
Tennessee
Approx. # of Individuals Affected:
500,000
Date of Breach:
10/02/09
Type of Breach:
Theft
Location of Breached Information:
Hard Drives
City of Hope National Medical Center
State:
California
Approx. # of Individuals Affected:
5,900
Date of Breach:
9/27/09
Type of Breach:
Theft
Location of Breached Information:
Laptop
Private Practice
City and State:
Torrance, CA
Approx. # of Individuals Affected:
6,145
Date of Breach:
9/27/09
Type of Breach:
Theft, Unauthorized Access
Location of Breached Information:
Desktop Computer
Private Practice
City and State:
Torrance, CA
Approx. # of Individuals Affected:
5,166
Date of Breach:
9/27/09
Type of Breach:
Theft, Unauthorized Access
Location of Breached Information:
Desktop Computer
Private Practice
City and State:
Torrance, CA
Approx. # of Individuals Affected:
5,257
Date of Breach:
9/27/09
Type of Breach:
Theft, Unauthorized Access
Location of Breached Information:
Desktop Computer
Private Practice
City and State:
Torrance, CA
Approx. # of Individuals Affected:
857
Date of Breach:
9/27/09
Type of Breach:
Theft, Unauthorized Access
Location of Breached Information:
Desktop Computer
Private Practice
City and State:
Torrance, CA
Approx. # of Individuals Affected:
952
Date of Breach:
9/27/09
Type of Breach:
Theft, Unauthorized Access
Location of Breached Information:
Desktop Computer
University of California, San Francisco
State:
California
Approx. # of Individuals Affected:
610
Date of Breach:
9/22/09
Type of Breach:
Phishing Scam
Location of Breached Information:
Mid America Kidney Stone Association, LLC
State:
Missouri
Approx. # of Individuals Affected:
1,000
Date of Breach:
9/22/09
Type of Breach:
Theft
Location of Breached Information:
Network Server