Privacy Compliance & Data Security

California Legislature Advances Groundbreaking Privacy "Right to Know Act"

Mark McCreary — Wed, 03 Apr 2013 06:03:15 -0500

In what amounts to a potential, unprecedented victory for consumers’ right to know how their personal information is used by businesses, California's "Right to Know Act of 2013" (AB 1291) made further headway by being re-read and amended a second time on Monday, April 1^st. As reported by Ars Technica, the Right to Know Act, which was introduced by California Assembly Member Bonnie Lowenthal, was the result of significant lobbying by the Electronic Frontier Foundation and the American Civil Liberties Union of Northern California.

The current summary of the bill states:

(1) Existing law requires a business to ensure the privacy of a customer’s personal information, as defined, contained in records by destroying, or arranging for the destruction of, the records, as specified. Any customer injured by a business’ violation of these provisions is entitled to recover damages, obtain injunctive relief, or seek other remedies.

This bill would create the Right to Know Act of 2013, would repeal and reorganize certain provisions of existing law, and would provide legislative findings in support thereof.

(2) Existing law also requires a business that collects customer information for marketing purposes and that discloses a customer’s personal information to a 3rd party for direct marketing purposes, to provide the customer with whom it had a business relationship, as defined, within 30 days after the customer’s request, as specified, in writing or by e-mail, the names and addresses of the recipients of that information and specified details regarding the information disclosed, except as specified. Existing law requires a business subject to these provisions to provide an address, electronic address, or toll-free telephone or facsimile number that a customer may use to deliver requests for copies of his or her personal information.

This bill would instead require any business that has retains a customer’s personal information, as defined, or discloses that information to a 3rd party, to provide at no charge, within 30 days of the customer’s specified request, a copy of that information to the customer as well as the names and contact information for all 3rd parties with which the business has shared the information during the previous 12 months, regardless of any business relationship with the customer. This bill would require that a business subject to these provisions choose one of several specified options to provide the customer with a designated address for use in making a request for copies of information under these provisions.

(3) Existing law also requires a business that is required to comply with these provisions to provide information to customers regarding its privacy policy and to provide a designated means of preventing disclosure of personal information.

This bill would require a business that is required to comply with these provisions to provide specified notice to the customer of its privacy policies.

(4) Existing law provides that a customer who sustains injury as a result of a violation of these provisions is entitled to specified remedies, including civil penalties.

This bill would also provide that a violation of these provisions is deemed to constitute an injury to the customer for purposes of seeking remedies available under law.

In other words, the Act also provides a private right of action to consumers for businesses that do not comply with the Act.

The EFF appears to be quite pleased with the bill, as noted in its press release on April 2^nd. The EFF noted that the point of the law if to allow consumers to better understand the vast economy that is data sharing: "This law is about transparency and access, not new restrictions on data sharing. The proposed law wouldn't limit or restrict sales of data, and it wouldn't provide additional security measures for how data is stored or new requirements for anonymization. While those are all important issues to consider, the law is actually far more basic. It helps consumers, regulators, policymakers, and the world at large shine a light onto the largely hidden, highly lucrative world of the personal data economy."

It will be interesting to see (1) if the Act continues toward enactment, (2) how companies outside of California, but with information regarding California residents, implement the law, and (3) if this very European-style law catches on in other states.

In Massachusetts, ZIP Codes Constitute Personal Identification Information

Amy C. Purcell — Fri, 15 Mar 2013 08:20:43 -0500

In connection with a class action lawsuit filed against Michaels Stores Inc., the United States District Court for the District of Massachusetts certified to the Supreme Judicial Court of Massachusetts three questions: (1) whether a ZIP code constitutes personal identification information; (2) whether, under the Massachusetts statute prohibiting collection of personal identification information during a credit card transaction, a plaintiff may pursue a claim without any evidence of identity theft; and (3) whether, under the statute a "credit card transaction form" includes an electronic transaction form. Earlier this week, the Supreme Court answered "yes" to all three of these questions. A copy of the Court's opinion is attached here. The Supreme Court's decision will likely open the door to more lawsuits against retailers in Massachusetts. Plaintiffs may now file actions against retailers who collect ZIP code information during a credit card transaction and, consistent with the Supreme Court's broad interpretation of personal identification information, plaintiffs may try to expand the definition of personal identification information even further to include other types of information. In addition, the Supreme Court's decision has lowered the bar for plaintiffs who struggle to prove that they have been injured in these cases. Under the Supreme Court's ruling, a plaintiff no longer needs to demonstrate that he or she has suffered identity theft in order to maintain a cause of action. Significantly, the Court stated that receipt of unwanted marketing materials or the sale of a consumer's personal identification information to a third-party can constitute an injury sufficient to maintain an action. As a result of the Supreme Court's decision, retailers in Massachusetts should review and evaluate their data collection practices.

California Supreme Court Permits Apple To Collect Personal Information Online

Amy C. Purcell — Tue, 05 Feb 2013 10:06:42 -0500

On February 4, 2013, the California Supreme Court held that Apple Inc. is permitted to request a customer's address and telephone number in connection with an online purchase. The Supreme Court reversed the trial court's decision and found that the Song-Beverly Credit Card Act does not apply to online transactions. The Supreme Court stated that "[t]he safeguards against fraud that are provided in [the act] are not available to the online retailer selling an eletronically downloadable product. Unlike a brick-and-mortar retailer, an online retailer cannot visually inspect the credit card, the signature on the back of the card or the customer's photo identification." The case is Apple Inc. v. The Superior Court of Los Angeles County, Case No. S199348. Attached is a copy of the Court's opinion.

HIPAA "Mega Rule", Meet "Super BAA": The CMS Data Use Agreement

Elizabeth Litten — Thu, 24 Jan 2013 11:36:37 -0500

[This blog posting was previously posted on the HIPAA, HITECH and Health Information blog.]

The recent release of the HIPAA/HITECH “mega rule” or “omnibus rule” has given bloggers and lawyers like us plenty of topics for analysis and debate, as well as some tools with which to prod covered entities, business associates and subcontractors to put HIPAA/HITECH-compliant Business Associate Agreements (“BAAs”) in place. It’s also a reminder to read BAAs that are already in place, and to make sure the provisions accurately describe how and why protected health information (“PHI”) is to be created, received, maintained, and/or transmitted.

If you are an entity that participates in the Medicare Shared Savings Program as a Medicare Accountable Care Organization (“ACO”), your ability to access patient data from Medicare depends on your having signed the CMS Data Use Agreement (the “Data Use Agreement”). Just as covered entities, business associates, and subcontractors should read and fully understand their BAAs, Medicare ACOs should make sure they are aware of several Data Use Agreement provisions that are more stringent than provisions typically included in a BAA and that may come as a surprise. Here are ten provisions from the Data Use Agreement worth reviewing, whether you are a Medicare ACO or any other business associate or subcontractor, as these may very well resurface in some form in the “Super BAA” of the future:

1. CMS (the covered entity) retains ownership rights in the patient data furnished to the ACO.

2. The ACO may only use the patient data for the purposes enumerated in the Data Use Agreement.

3. The ACO may not grant access to the patient data except as authorized by CMS.

4. The ACO agrees that, within the ACO and its agents, access to patient data will be limited to the minimum amount of data and minimum number of individuals necessary to achieve the stated purposes.

5. The ACO will only retain the patient data (and any derivative data) for one year or until 30 days after the purpose specified in the Data Use Agreement is completed, whichever is earlier, and the ACO must destroy the data and send written certification of the destruction to CMS within 30 days.

6. The ACO must establish administrative, technical, and physical safeguards that meet or exceed standards established by the Office of Management and Budget and the National Institute of Standards and Technology.

7. The ACO acknowledges that it is prohibited from using unsecured telecommunications, including the Internet, to transmit individually identifiable, bidder identifiable or deducible information derived from the patient files.

8. The ACO agrees not to disclose any information derived from the patient data, even if the information does not include direct identifiers, if the information can, by itself or in combination with other data, be used to deduce an individual’s identity.

9. The ACO agrees to abide by CMS’s cell size suppression policy (which stipulates that no cell of 10 or less may be displayed).

And last, but certainly not least:

10. The ACO agrees to report to CMS any breach of personally identifiable information from the CMS data file(s), loss of these data, or disclosure to an unauthorized person by telephone or email within one hour.

While the undertakings of a Medicare ACO and the terminology in the Data Use Agreement for protection of patient data may differ from those of covered entities, business associates and subcontractors and their BAAs under the HIPAA/HITECH regulations, they have many striking similarities and purposes.

The SAIC Breach and a Look Across the Chasm Between Significant Risk and Actual Harm Resulting from a HIPAA Breach

Elizabeth Litten — Fri, 07 Dec 2012 15:08:38 -0500

The following was recently posted in substantially the same form on the Fox Rothschild LLP HIPAA, HITECH and Health Information Technology blog.

Elizabeth Litten and Michael Kline write:

We have posted several blogs, including those here and here, tracking the reported 2011 theft of computer tapes from the car of an employee of Science Applications International Corporation (“SAIC”) that contained the protected health information (“PHI”) affecting approximately 5 million military clinic and hospital patients (the “SAIC Breach”). SAIC’s recent Motion to Dismiss (the “Motion”) the Consolidated Amended Complaint filed in federal court in Florida as a putative class action (the “SAIC Class Action”) highlights the gaps between an incident (like a theft) involving PHI, a determination that a breach of PHI has occurred, and the realization of harm resulting from the breach. SAIC’s Motion emphasizes this gap between the incident and the realization of harm, making it appear like a chasm so wide it practically swallows the breach into oblivion.

SAIC, a giant publicly-held government contractor that provides information technology (“IT”) management and, ironically, cyber security services, was engaged to provide IT management services to TRICARE Management Activity, a component of TRICARE, the military health plan (“TRICARE”) for active duty service members working for the U.S. Department of Defense (“DoD”). SAIC employees had been contracted to transport backup tapes containing TRICARE members’ PHI from one location to another.

According to the original statement published in late September of 2011 ( the “TRICARE/SAIC Statement”) the PHI “may include Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions.” However, the TRICARE/SAIC Statement said that there was no financial data, such as credit card or bank account information, on the backup tapes. Note 17 to the audited financial statements (“Note 17”) contained in the SAIC Annual Report on Form 10-K for the fiscal year ended January 31, 2012, dated March 27, 2012 (the “2012 Form 10-K”), filed with the Securities and Exchange Commission (the "SEC”), includes the following:

There is no evidence that any of the data on the backup tapes has actually been accessed or viewed by an unauthorized person. In order for an unauthorized person to access or view the data on the backup tapes, it would require knowledge of and access to specific hardware and software and knowledge of the system and data structure. The Company [SAIC] has notified potentially impacted persons by letter and is offering one year of credit monitoring services to those who request these services and in certain circumstances, one year of identity restoration services.

While the TRICARE/SAIC Statement contained similar language to that quoted above from Note 17, the earlier TRICARE/SAIC Statement also said, “The risk of harm to patients is judged to be low despite the data elements . . . .” Because Note 17 does not contain such “risk of harm” language, it would appear that (i) there may have been a change in the assessment of risk by SAIC six months after the SAIC Breach or (ii) SAIC did not want to state such a judgment in an SEC filing.

Note 17 also discloses that SAIC has reflected a $10 million loss provision in its financial statements relating to the SAIC Class Action and various other putative class actions respecting the SAIC Breach filed between October 2011 and March 2012 (for a total of seven such actions filed in four different federal District Courts). In Note 17 SAIC states that the $10 million loss provision represents the “low end” of SAIC’s estimated loss and is the amount of SAIC’s deductible under insurance covering judgments or settlements and defense costs of litigation respecting the SAIC Breach. SAIC expresses the belief in Note 17 that any loss experienced in excess of the $10 million loss provision would not exceed the insurance coverage.

Such insurance coverage would, however, likely not be available for any civil monetary penalties or counsel fees that may result from the current investigation of the SAIC Breach being conducted by the Office of Civil Rights of the Department of Health and Human Services (“HHS”) as described in Note 17.

Initially, SAIC did not deem it necessary to offer credit monitoring to the almost 5 million reportedly affected individuals. However, SAIC urged anyone suspecting they had been affected to contact the Federal Trade Commission’s identity theft website. Approximately 6 weeks later, the DoD issued a press release stating that TRICARE had “directed” SAIC to take a “proactive” response by covering a year of free credit monitoring and restoration services for any patients expressing “concern about their credit as a result of the data breach.” The cost of such a proactive response easily can run into millions of dollars in the SAIC Breach. It is unclear the extent, if any, to which insurance coverage would be available to cover the cost of the proactive response mandated by the DoD, even if the credit monitoring, restoration services and other remedial activities of SAIC were to become part of a judgment or settlement in the putative class actions.

We have blogged about what constitutes an impermissible acquisition, access, use or disclosure of unsecured PHI that poses a “significant risk” of “financial, reputational, or other harm to the individual” amounting to a reportable HIPAA breach, and when that “significant risk” develops into harm that may create claims for damages by affected individuals. Our partner William Maruca, Esq., artfully borrows a phrase from former Defense Secretary Donald Rumsfeld in discussing a recent disappearance of unencrypted backup tapes reported by Women and Infants Hospital in Rhode Island. If one knows PHI has disappeared, but doubts it can be accessed or used (due to the specialized equipment and expertise required to access or use the PHI), there is a “known unknown” that complicates the analysis as to whether a breach has occurred.

As we await publication of the “mega” HIPAA/HITECH regulations, continued tracking of the SAIC Breach and ensuing class action litigation (as well as SAIC’s SEC filings and other government filings and reports on the HHS list of large PHI security breaches) provides some insights as to how covered entities and business associates respond to incidents involving the loss or theft of, or possible access to, PHI. If a covered entity or business associate concludes that the incident poses a “significant risk” of harm, but no harm actually materializes, perhaps (as the SAIC Motion repeatedly asserts) claims for damages are inappropriate. When the covered entity or business associate takes a “proactive” approach in responding to what it has determined to be a “significant risk” (such as by offering credit monitoring and restoration services), perhaps the risk becomes less significant. But once the incident (a/k/a, the ubiquitous laptop or computer tape theft from an employee’s car) has been deemed a breach, the chasm between incident and harm seems to open wide enough to encompass a mind-boggling number of privacy and security violation claims and issues.

FTC "History Sniffing" Settlement Meaningless or the Start of Something Bigger

Mark McCreary — Thu, 06 Dec 2012 09:49:59 -0500

The Federal Trade Commission announced yesterday a settlement with Epic Marketplace, an online advertising network, which prohibits Epic from further collection of data obtained by "browser sniffing" the surfing history of Internet users and requires Epic to destroy all previously collected data.

According to the FTC complaint, Epic was collecting information from millions of individuals by “browser sniffing,” which is a practice that allowed Epic to determine whether the user had previously visited more than 54,000 websites, including websites relating to fertility issues, impotence, menopause, incontinence, disability insurance, credit repair, debt relief, and personal bankruptcy. Once Epic had this information, it would then send targeted advertisements to the user.

Many users have no idea that this technology even exists, and the FTC’s main gripe appears to be that the user did not have knowledge this was occurring on sites outside of Epic's advertising network. Epic’s privacy policy promised that Epic would collect information about users only for use in Epic’s 45,000 website network. Apparently, the FTC was not concerned with the practice but it’s concern was centered around Epic collecting information from users about visits to websites not in Epic’s website network.

"Consumers searching the Internet shouldn't have to worry about whether someone is going to go sniffing through the sensitive, personal details of their browsing history without their knowledge," FTC Chairman Jon Leibowitz said in a statement. "This type of unscrupulous behavior undermines consumers' confidence, and we won't tolerate it."

Stated another way, the FTC is saying that Epic could collect information about whether consumers visited sites in its advertising network having to do with fertility issues, impotence, menopause, incontinence, disability insurance, credit repair, debt relief, and personal bankruptcy, and then use that information to serve that consumer advertisements. The problem was that Epic went beyond its own advertising network. That makes sense. A company breaching the representations in its own privacy policy is low hanging fruit.

What the FTC is NOT saying is that consumers would never know what the heck Epic’s privacy policy says, so how could they consent to this collection and use of their information. Online advertisers are in this wonderful position where the consumer never really “gets” to them, the consumer only sees the advertisements that are served. .

So is the take away that any company besides Epic can use “browser sniffing” as long as its use is disclosed in its privacy policy (which consumers would not even know existed) and followed by that company? The FTC is certainly not taking a contrary position.

The FTC press release follows:

For Release: 12/05/2012

FTC Settlement Puts an End to "History Sniffing" by Online Advertising Network Charged With Deceptively Gathering Data on Consumers

Network Tracked Interest in Sensitive Medical and Financial Issues, Agency Says

An online advertising company agreed to settle Federal Trade Commission charges that it used “history sniffing” to secretly and illegally gather data from millions of consumers about their interest in sensitive medical and financial issues ranging from fertility and incontinence to debt relief and personal bankruptcy.

The FTC settlement order bars the company, Epic Marketplace Inc., from continuing to use history sniffing technology, which allows online operators to “sniff” a browser to see what sites consumers have visited in the past. It also bars future misrepresentations by Epic and requires the company to destroy information that it gathered unlawfully.

“Consumers searching the Internet shouldn’t have to worry about whether someone is going to go sniffing through the sensitive, personal details of their browsing history without their knowledge,” said FTC Chairman Jon Leibowitz. “This type of unscrupulous behavior undermines consumers’ confidence, and we won’t tolerate it.”

Epic Marketplace is a large advertising network that has a presence on 45,000 websites. Consumers who visited any of the network’s sites received a cookie, which stored information about their online practices including sites they visited and the ads they viewed. The cookies allowed Epic to serve consumers ads targeted to their interests, a practice known as online behavioral advertising.

In its privacy policy, Epic claimed that it would collect information only about consumers’ visits to sites in its network. However, according to the FTC, Epic was employing history-sniffing technology that allowed it to collect data about sites outside its network that consumers had visited, including sites relating to personal health conditions and finances.

According to the FTC complaint, the history sniffing was deceptive and allowed Epic to determine whether a consumer had visited any of more than 54,000 domains, including pages relating to fertility issues, impotence, menopause, incontinence, disability insurance, credit repair, debt relief, and personal bankruptcy.

The FTC complaint alleges that depending on which domains a consumer had visited, Epic assigned the consumer an interest segment, including categories such as “Incontinence,” “Arthritis,” “Memory Improvement,” and “Pregnancy-Fertility Getting Pregnant.” Epic used these categories to send consumers targeted ads.

The consent order bars Epic Marketplace, Inc., and Epic Media Group, LLC from using history sniffing, and requires that they delete and destroy all data collected using it. It also bars misrepresentations about the extent to which they maintain the privacy or confidentiality of data from or about a particular consumer, computer or device, including misrepresenting how that data is collected, used, disclosed or shared. It bars misrepresentations about the extent to which software code on a webpage determines whether a user has previously visited a website.

The Commission vote to accept the consent agreement package containing the proposed consent order for public comment was 5-0. The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through January 7, 2013, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit written comments electronically or in paper form by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. The complaint is not a finding or ruling that the respondent has actually violated the law. A consent order is for settlement purposes only and does not constitute an admission by the respondent that the law has been violated. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $16,000.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC's online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s website provides free information on a variety of consumer topics. Like the FTC on Facebook, follow us on Twitter, and subscribe to press releases for the latest FTC news and resources.

MEDIA CONTACT:

Office of Public Affairs
202-326-2180

STAFF CONTACT:

Kate White
Bureau of Consumer Protection
202-326-2878

Podcast: An Overview of P2P Data Breaches

John Witts — Wed, 05 Dec 2012 09:10:03 -0500

John R. Gotaskie, Partner in Fox Rothschild's Litigation Practice and editor of the firm's Franchise Law Update blog, recently published a podcast discussing the growing concern over data breaches involving peer-to-peer networks. Using the recent example of Franklin Toyota, a Georgia car dealership that was hit with a breach, as his backdrop, John discusses how companies can steer clear of running afoul of the law and comply with federal regulations.

Click here to listen to the podcast. If you prefer to download the transcript, click here.

For additional material on the subject, please see John's article "User Beware: Data Breaches Involving Peer-to-Peer Networks May Result in FTC Enforcement Action" from the Banking & Financial Services Policy Report, and visit our practice's page.

Hacking and Reading Someone's Online Email Just Got Easier in South Carolina

Mark McCreary — Fri, 12 Oct 2012 07:03:46 -0500

Earlier this week the South Carolina Supreme Court ruled that accessing another person’s online (personal) email is not a violation of the federal Stored Communications Act (the Act and the Wikipedia summary). This holding is in direct opposition to what the Ninth Circuit Court of Appeals held in 2004 in Theofel v. Farey-Jones.

At the outset you should keep in mind that this is a civil case, which differs from a criminal case. In this post we are looking at solely the Stored Communications Act (“SCA”), and a limited aspect thereof.

Facts of This Case

The facts of this case, Jennings v. Jennings (PDF link) are actually pretty surprising, considering the outcome. A wife suspected that her husband was carrying on an affair. The daughter-in-law, with more free time than common sense, could not resist inserting herself into the situation and accessed the husband’s Yahoo! account by guessing his secret questions. Soon thereafter emails between the husband and the girlfriend were found and became what divorce attorneys refer to as “leverage.”

The husband would have none of this, and brought several causes of action against the soon-to-be ex-wife, her attorney and his private investigator, including the SCA. The lower court dismissed all counts against the defendants, the appeals court overturned the lower court decision with respect to violations of the SCA, and the Supreme Court of South Carolina took up the appeal.

The court focused on the definition of “electronic storage” under the SCA:

(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and

(B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.

The justices advanced two theories in arriving at the same conclusion. On the one hand, some justices held that because the husband did not download any copies of the email (he read and left the “original” copy on Yahoo’s servers), the second component of the definition was not satisfied. They wanted to see two copies of the same email, and storing the email on the server was not the intended “backup” under the SCA.

The one other justice read an “or” between (A) and (B) of the definition, concluded that transmission of the email for viewing was not sufficient storage, and otherwise held that there was no backup of the email. These facts satisfied neither (A) nor (B).

Now I am Confused

This decision leaves an obvious split in the courts with respect to the SCA, which should be addressed by amending the legislation or by the United States Supreme Court. Ars Technica has an excellent article here discussing the case in more detail and offering more insight into how to correct this split. The article is a great read if this topic is of interest to you.

Unfortunately, there are no clear answers and accessing another person’s email remains a very, very dangerous activity.

How Relevant to You

Why does this matter for your business?

CEO: We just let Johnson go, and I think he uploaded trade secrets to his personal email.

General Counsel: We need some reasonable basis to accuse Johnson of this.

CEO: I don’t know why I hired you.

(Calling the IT guy)

CEO: Bill, give me Johnson’s computer password.

Bill: It is iLovePonies44.

(CEO accesses the machine, finds that Johnson is still logged into Gmail, finds evidence that trade secrets were uploaded by Johnson to his personal email account. CEO calls the General Counsel.)

CEO: Ted, I caught Johnson red-handed. Johnson sent emails with our customer lists and contact information to his personal email account.

General Counsel: Unbelievable. How did you find out?

CEO: He left his Gmail open on his work computer.

General Counsel: I don’t think you can read his personal email. Let me check with outside counsel.

Outside Counsel: It is dangerous and may violate federal law.

CEO: You are both fired.

The South Carolina decision throws some doubt on the above conclusion, and on some level these hypothetical facts are not as nefarious as the Johnson case because there was no password guessing/hacking.

Before, if an employee had downloaded mail to a mail client resident on her computer (e.g., POP3 or IMAP), the issue was much clearer because the correspondence was deemed abandoned (it was not a complete green light, but things looked better for the non-account owner). Webmail, by definition, completely changes the above analysis (or so we thought). The information is stored on the mail provider’s servers, always accessible and never downloaded unless a mail client is used.

This decision should not be viewed as the only obstacle to accessing an employee’s personal email. Putting the ethical issues aside, there are many laws lurking for the unwary. The point really is that the SCA is a bit of a mess in this regard, and like many laws touching the online world is in need of some freshening up to deal with current technology.

Website Operators With U.K. Directed Websites or Web Pages Now Subject to "Cookie Law"

Mark McCreary — Wed, 30 May 2012 13:36:12 -0500

In its continuing efforts to give the State of California a run for its money when it comes to privacy rights, the United Kingdom’s “cookie law” is now in effect. Websites for European companies with European visitors, or non-European companies that are directed at European users, must now inform users of any tracking technology used on the website, and the purpose of the use of that tracking technology.

The Law

The new law is part of the European Union's "e-Privacy" Directive. Implementation of the e-Privacy Directive requires that each member state incorporate the e-Privacy Directive into its own law in 2011. The United Kingdom accomplished the foregoing by creating the amended Privacy and Electronic Communication Regulations (PECR) Act 2011, which became effective on May 26, 2011. The disclosure of the use of user tracking technology is only one element of PECR.

Types of Tracking Technology

The use of cookies on a website is only one practice covered by the cookie law. Uses of advertising tracking and analytics, for example are covered practices.

Affected Businesses

If you have only a U.S.-based web site, with no web page directed explicitly at the United Kingdom, then the cookie law should not affect you. However, if you have a website or web page directed specifically to residents of the United Kingdom, you almost certainly are subject to the cookie law.

Opt-Out or Opt-In

Good question. Originally the cookie law was interpreted to mean that a user must explicitly opt-in to the tracking technology. However, just before the cookie law went into effect the Information Commissioner's Office (“ICO”), the United Kingdom’s data protection agency, updated its guidance to say that “implied consent” was acceptable, and that continued use of the subject website would meet the consent requirement.

Compliance Deadline

The cookie law is currently in effect, but it is no secret that many, many organizations are not currently in compliance. Those websites that are in compliance with the cookie law will present users with a dialogue similar to this:

Mobile Applications

Just to keep things interesting, the cookie law applies to mobile applications as well. Because mobile applications have just as many, if not more, opportunities for user tracking, and because that user tracking is not always obvious, it has already been made clear that the ICO will pay particular attention to mobile application compliance

Penalties

The ICO has the authority to fine non-compliant organizations up to $780,000 (or 500,000 pounds) for not complying with the cookie law. Fortunately, the ICO is not going to be in a big rush to penalize non-compliant organizations and, instead, is focusing on educating companies regarding compliance requirements.

Vernick on Cyber Security in the Huffington Post

Scott L. Vernick — Tue, 24 Apr 2012 10:11:48 -0500

The FBI reports that cyberattacks could overtake terrorism as the major threat to the country. According to the Department of Homeland Security, between October 2011 and February 2012, there were 86 reported attacks on U.S. computer systems that control critical infrastructure, factories and databases, compared with 11 over the same period a year ago.

Now more than ever, the focus should be on securing and insulating our nation's computer and Internet infrastructure from both internal and external attacks. The first step in anticipating large-scale cyberattacks is to start thinking of them more like the proverbial disaster waiting to happen -- not a question of if, but when. Planning requires going beyond the limitations of current thinking and considering worst case scenarios.

To keep reading my full article visit “The Internet Privacy Debate Misses the Point,” published April 23 by the Huffington Post.

An Example of the Right Way to Handle a Data Breach: Motorola Xoom

Mark McCreary — Tue, 14 Feb 2012 19:24:08 -0500

You may have read that Motorola announced on February 3rd that it inadvertently sold around 100 refurbished Motorola Xoom tablets through Woot.com without putting the tablets through the typical process of doing a factory reset and wiping any personal data that may have been left by the original owner(s). Specifically, there were approximately 6,200 tablets sold between October and December 2011, of which 100 tablets were affected.

The announcement was interesting in and of itself because it highlighted the notification obligation that arose even though Motorola (likely) had no actual knowledge that refurbished tablets went out that actually contained data. Apparently, Motorola only knew that there was a breakdown in its internal processes and some 100 tablets were not wiped, possibly resulting in the resale of some tablets with data not erased by a customer prior to returning the tablet.

Purchasers of the 6,200 tablets through Woot.com were notified by email to go to a Motorola web site and type in the serial number (or some similar identifier), at which point you would be told if your tablet was affected. If your tablet was affected, Motorola asked that you agree to part with your tablet for four to five business days so that it could be factory wiped.

As to turns out, I owned one of the 100 tablets affected. I never win anything, except the Affected Xoom Tablet Lottery. A day or so later a package with easy-to-follow instructions, very protective packaging and a prepaid envelope arrived at my work. In went the tablet, out went the package. On the fourth business day the tablet was returned in working order with a thank you and restore instructions.

And an American Express gift card for $100!!!

Did I have to return the tablet for a factory wipe? No. Was it a burden for me to return the tablet? Hardly. Was I impressed by Motorola giving me a gift card? Damn right I was, and that is my point.

As someone that deals with data breaches, and clients that have to make tough decisions regarding data breaches, on an almost daily basis, this situation struck me. Motorola did the right thing, went above and beyond what was required, and solidified good will with me. I was not even the party with the affected data. I was just the guy that got the great deal on Woot.com for a refurbished tablet.

That Droid Bionic MAXX suddenly is even more appealing to me. Motorola is suddenly more appealing to me (not that I had any particular problem with them before).

It is possible that Woot.com gave me the gift card, and for that reason my patronage to Woot.com also has been strengthened. This is a great example of partners working together to deal with data breach situations. Making the best of a difficult situation, and earning some good will along the way.

Kudos to Motorola and Woot.com for their handling of this situation.

Data Breach Potentially Affects Up to 100,000 Students, 3,000 Employees

Mark McCreary — Sat, 14 Jan 2012 08:27:28 -0500

The San Francisco Chronicle reported yesterday that officials at the City College of San Francisco discovered a few days after Thanksgiving 2010 that certain computers of the college have been infested with active malware for more than a decade. Up to 100,000 students and 3,000 employees could be affected, and that number may rise based on further, ongoing investigation.

The problem was detected when the college's data security monitoring service discovered very high traffic and alerted the college. Initially thought to be limited to one computer lab (Cloud Hall at the Phelan Avenue campus), further investigated revealed that the problem was more widespread. The San Francisco Chronicle's article reported:

Each night at about 10 p.m., at least seven viruses begin trolling the college networks and transmitting data to sites in Russia, China and at least eight other countries, including Iran and the United States, Hotchkiss and his team discovered. Servers and desktops have been infected across the college district's administrative, instructional and wireless networks. It's likely that personal computers belonging to anyone who used a flash drive during the past decade to carry information home were also affected.

Investigation continues to determine which other computer networks at the college may have been infected, such as accounting, admissions and/or payroll systems. Apparently, 17 different computer systems are presently being analyzed. The college's server with medical information appears to be unaffected, although it is unclear whether any other system may also contain medical information (such as the admissions system).

The good news, besides that the college notified those potentially affected in what most would agree was a prompt timeframe, is that there are no known cases of identity theft originating from this extremely lengthy data breach.

Personal Information Data Breaches - Not if, but When?

Amy C. Purcell — Tue, 03 Jan 2012 16:29:57 -0500

By Elizabeth Litten

The widely publicized pre-Christmas breach of confidential data held by Stratfor Global Intelligence Service (“Stratfor”), a company specializing in data security, reminded me that very little (if any) electronic information is truly secure. If Stratfor’s data can be hacked into, and the health information of nearly 5 million military health plan (TRICARE) members maintained by multi-billion dollar Department of Defense contractor Science Applications International Corporation (SAIC) (the subject of a five-part series of blog postings found on Fox Rothschild’s HIPAA, HITECH and HIT Blog. Parts 1, 2,3, 4 and 5 ) can be accessed, can we trust that any electronically transmitted or stored information is really safe?

I had the pleasure of having lunch with my friend Al yesterday, an IT guru who has worked in hospitals for years. Al understands and appreciates the need for privacy and security of information, and has the technological expertise to know where and how data can be hacked into or leaked out. Perhaps not surprisingly, Al does not do his banking on-line, and tries to avoid making on-line credit card purchases.

Al and I discussed the proliferation of the use of iPhones and other mobile technology by physicians and staff in hospitals and other settings, a topic recently discussed in a newsletter published by the American Medical Association. Quick access to a patient’s electronic health record (EHR) is convenient and may even be life-saving in some circumstances, but use of these mobile devices creates additional portals for access to personal information that should be protected and secured. Encryption technology and, perhaps most significantly, use of this technology, barely keeps pace with the exponential rate at which we are creating and/or transmitting data electronically.

On the other hand, trying to reverse the exponential growth of electronic communications and transactions would be futile and probably counter-productive. The horse is out of the gate, and expecting it to stop mid-stride and retreat back with a false-start call is irrational. The horse will race ahead just as surely as my daughter will text and check her Facebook page, my son will recharge his iPad, and I will turn around and head back to my office if I forget my iPhone. We want and need technology, but seem to forget or fail to fully understand the vast, unprotected and ever-expanding universe into which we send information when we use this technology.

If we expect breaches or, at least, question our assumptions that personal information will be protected, perhaps we will get better at discerning how and when we disclose our personal information. An in-person conversation or transaction (for example, when Al goes to his bank in person or when a physician speaks directly to another physician about a patient’s care) is less likely to be accessed and used inappropriately than an electronic one. We can better assess the risks and benefits of communicating information electronically when we appreciate the security frailties inherent in electronic communication and storage.

Perhaps Congress should take the lead in enacting laws that will help protect against data breaches that could compromise “critical infrastructure systems” (as proposed in the “PRECISE Act” introduced by Rep. Daniel E. Lungren (R-CA)), but more comprehensive, potentially expensive, and/or use-impeding cybersecurity laws might have the effect of tripping the racehorse mid-lap rather than controlling its pace or keeping it safely on course.

2011 Data Breach Summary

Mark McCreary — Wed, 28 Dec 2011 18:30:33 -0500

Smart Money just ran a story about the top five data breaches of 2011. While I do not necessarily agree that these are the top five (students, students, NYC hospital patients, not to mention the Stratfor breach), the takeaway is interesting: none of them have the same source for the breach:

1. Epsilon. What more needs to be said to keep contract attorneys up at night than "Epsilon"? This data breach involved a third party losing data about its customers' customers. Stated another way, the owner of the information did nothing wrong...other than hiring a contractor that mishandled information. Indemnification mean more to you now? The takeaway from this breach: come clean, come clean, come clean.

2. Sony. Massive breach of the online gaming network. Lots of data lost, lots of downtime for pasty, sun-adverse gamers. Hackers targeting the network to blame. The takeaway from this breach: do not handle it the way Sony handled it.

3. Tricare. A Science Applications International Corp. has data backup tapes stolen from a car. SAIC is a defense contractor for the military. Approximately 4.9 million veterans affected. Hackers targeting lax security to blame. The takeaway from this breach: don't leave the data tapes in the car (come on, people!).

4. Sutter. A simple stolen desktop computer containing information about possibly 3.3 million patients goes missing. The takeaway from this breach: encrypt! Chances are they had zero intention to stealing the actual information, but you can be sure it was still a breach notification scenario.

5. Texas Comptroller. This is number three in my book. Personal information of 3.5 million people left publicly available for over one year. Information about persons required to hand over that information, not information voluntarily handed over. Total disaster. Anyone could have found this information, given its availability. The takeaway from this breach: hire IT staff that is security conscious and, more importantly, give those people the budget to do their jobs.

BONUS: not a data breach, but a significant ruling this year. Corporations have no right to privacy. This Supreme Court ruling impacts corporate decisions on so many levels...or it should.

Happy New Year to our readers.

FTC Settles With Facebook, Agrees to Whopping 20-Year Consent Order

Mark McCreary — Wed, 30 Nov 2011 06:52:38 -0500

According to a press release issued yesterday, November 29, 2011, by the Federal Trade Commission, Facebook settled charges that Facebook “deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.”

The complaint (PDF link) lists a litany of bad practices by Facebook. One allegation that stands out, largely because of the media firestorm that it created at the time, was Facebook’s change in privacy settings to users’ accounts in December 2009. The foregoing settings change was, in the FTC’s opinion, particularly egregious because Facebook undertook the changes without any notice or consent from users.

Another allegation that stands out, again both because of the media firestorm and the falsehood, was Facebook’s assertion that information from deactivated user accounts would not be accessible.

And what grueling punishment must Facebook endure for its privacy-related bad acts? According to Jon Leibowitz, Chairman of the FTC, "Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users." Rough justice.

In all seriousness, there is some substance to the settlement. Facebook must not make any further deceptive privacy claims. Facebook must also get consumers' approval before it changes the way it shares their data. Finally, Facebook must obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.

Frankly, the foregoing requirements on Facebook are all steps that a company like Facebook, if not substantially all companies handling consumer personal information, should be undertaking.

Specifically, under the proposed settlement, Facebook is:

barred from making misrepresentations about the privacy or security of consumers' personal information;
required to obtain consumers' affirmative express consent before enacting changes that override their privacy preferences;
required to prevent anyone from accessing a user's material more than 30 days after the user has deleted his or her account;
required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers' information; and
required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers' information is protected.

The proposed order also contains standard record-keeping provisions to allow the FTC to monitor compliance with its order.

The proposed settlement is not yet final. The proposed settlement will be open to public comment for thirty days, ending on December 30, 2011. The terms of the proposed settlement is published in the Federal Register shortly. After the close of the comment period, the FTC will decide whether to make the proposed consent order final.

Interested in submitting your comments to the FTC? According to the press release: Interested parties can submit comments online or in paper form by following the instructions in the "Invitation To Comment" part of the "Supplementary Information" section. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

Comparison of Major Carriers' Retention of Mobile Device Usage

Mark McCreary — Fri, 30 Sep 2011 04:59:31 -0500

The Computer Crime and Intellectual Property Section of the U.S. Department of Justice compiled a summary in August 2010 of the retention periods of major cellular service providers of data transmitted to and from users' mobile devices. The report is here. (PDF link) The American Civil Liberties Union (ACLU) obtained a copy of the foregoing report through a Freedom of Information Act (FOIA) request. The contents of the report are interesting, to say the least.

As reported by Cory Doctorow on the terrific Boing Boing in this article, and by David Kravets of Wired.com in this article titled "Which Telecoms Store Your Data the Longest? Secret Memo Tells All," it is unclear which major cellular carrier treats our usage data with the most respect. On the one hand, Verizon stores text message details (just the transmission receipt details, such as recipient and time) only one year, compared to as long as 5-7 years for post-paid subscribers of AT&T. On the other hand, AT&T, Sprint and T-Mobile store none of the contents of text messages, whereas Verizon stores that information for 3-5 days. The IP Session information may be the most interesting, because of the additional information that can be gleaned from the raw data, the question of why it is stored (billing disputes?) and the disparity in length of storage. One of the excellent infographics posted on Wired's web site is posted here, but a full Wired article is a must read.

Besides this information being eye opening on a personal level, it can be crucial evidence in the case of a corporate data breach. While we all hope that law enforcement will use all tools available to it when investigating a corporate crime, knowing the tight time constraints under which businesses investigating a potential crime is crucial. To be clear, I am referring to use of these tools as an option for ethical investigations into criminal activity through law enforcement. These are not tools to assist a company in sacking an employee that is surfing the web on her mobile phone while on the clock. In any event, these time frames should be considered when investigating a suspected data breach.

If you are getting that "eye in the sky is watching me" feeling, I will be sure not to mention the warrantless GPS and triangulation tracking capabilities of the major mobile carriers available to law enforcement.

Source: BoingBoing.net; Wired.com

Purdue Notifies 7,000 Students of SSN Theft 16 Months After Discovering the Breach

Mark McCreary — Thu, 18 Aug 2011 05:43:59 -0500

Purdue University informed 7,093 former students on Monday that their Social Security numbers may have been stolen from servers at the University on April 5, 2010. The notification comes 16 months after the discovery of the breach.

According to the (Indiana) Journal & Courier, the server contained 6.6 million nine-digit numbers in the accessed files. After spending six months analyzing those numbers, Purdue determined that approximately 65,000 of those number combinations could be Social Security numbers. An additional four months was spent reanalyzing the numbers and performing forensic analysis. Based on those efforts, the University had matched 7,093 of those number combinations to Social Security numbers of former students.

The breach was discovered only three days after it occurred, approximately April 8, 2010. Fourteen months after discovery of the breach, Purdue notified the Office of the Indiana Attorney General. Now, approximately two months later, the affected former students were notified.

Purdue did not offer any sort of credit monitoring and, instead, recommended to those affected to be vigilant and keep and eye on their credit activity.

The announcement by Purdue comes on the heals of an announcement by The University of Wisconsin-Milwaukee on August 10th that 75,000 of its students had been exposed to a hacking incident in May 2011, as reported earlier here.

While the delay of three months may have seemed excessive last week, at least UWM beat Purdue's delay by almost 14 months.

PSA: LinkedIn Assumes You "Opt-In" to Social Media Advertising

Mark McCreary — Fri, 12 Aug 2011 06:25:16 -0500

Boing Boing has an excellent how-to located here on how to opt out of being included in LinkedIn's social media advertising. Briefly, LinkedIn assumes that you consent to LinkedIn's use of your image in the adverstising of its sponsor's products. If you recommend your CPA firm, and your CPA firm purchases advertising on LinkedIn, your photo may appear in that advertising.

This approach may be fine in certain cases. However, besides just the general creepiness of it, employers should be aware that it creates a potential association between your company (not just the individual) and that third party. I can imagine a scenario where a company is suing its former CPA firm and an advertisement appears with the Controller's image in a LinkedIn advertisement for the same CPA firm.

If your company's social media policy allows employees to participate in LinkedIn and other social media sites, consider whether the policy needs an update to require opting-out of this social media advertising.

HACKED: 75,000 Social Security Numbers at Risk at University of Wisconsin

Mark McCreary — Fri, 12 Aug 2011 05:39:46 -0500

The University of Wisconsin-Milwaukee (“UWM”) announced on Wednesday that a malware-infected, university server was discovered on May 25th that allowed hackers, apparently seeking research data, to access several types of scanned documents. Included in the potentially accessed documents were student applications from past and present students, which applications contained Social Security numbers.

At this time, UWM has not been able to confirm that any of the documents were actually taken by the hackers. UWM reports that “[t]he university learned of the installation of malware on May 25, and immediately shut down the system and began to investigate. During the course of the investigation, on June 30, 2011, we discovered that the database containing social security numbers was included in the compromised system.”

UWM wants to assure students that although names and Social Security numbers were possibly taken, the potentially accessed documents did not contain any financial data or academic information such as student grades. At least students don’t have to worry about having embarrassing grades posted.

The announcement asks “[s]houldn’t the university be offering free credit monitoring?” After all, free credit monitoring is expected these days, although certainly no required. The response? “We have no evidence that anyone’s personal information was retrieved or that any information was misused. However, it is recommended that everyone should monitor their financial information by:

Reviewing bank and credit card statements regularly, and looking for unusual or suspicious activities.
Contacting appropriate financial institutions immediately upon noticing any irregularity in a credit report or account.
Request a free credit report and carefully inspect your own credit scores.

That is one approach, I suppose. It is certainly different.

While the details of the investigation by this public institution remains under wraps, it does raise interesting questions. To be clear, there may be excellent bases for not making the disclosure earlier. However, we have seen more and more experts commenting on how huge delays in public announcements are justified. Sure, delays in notification can sometimes be justified where only an intrusion is known and it is unclear whether personal information is accessible through that intrusion.

We have come to the point where using the “ongoing internal investigation” excuse is habitually abused. In this case, based on facts known, it took 35 days for a “national computer security consultant” to determine the source and extent of the breach. In other words, it took experts 35 day to conclude that if a certain port on a server was exposed, then access to a certain, non-encrypted database was possible. I asked our network guys about this, and they said it should take about 30 minutes to determine what was exposed if a port was left open.

After confirmation of the possibility that the sensitive documents could have been accessed, it too another 41 days to make a public announcement.

Okay, so maybe law enforcement delayed the notification. Certainly possible. These comments are not meant to be an indictment of UWM specifically, but of the new approach to data breach notification that is occurring more often than not.

In the cases where delay notification is grossly delayed, it is more often that company executives and their counsel decide that if the breach was announced, and it was later determined that access to the potentially accessed documents did not occur, then the “bad press” would be worse than delaying notification for 77 days. Stated another way, they don't want to unnecessarily worry potentially affected persons.

Again, we do not know all the facts. In all likelihood the sensitive documents were not accessed. However, more and more we all are seeing HUGE delays in notifying those affected. If I received a breach notification 77 days after discovery I would be mad as hell. That is 77 days when identity theft could have occurred and I was not being vigilant because I was unaware of a breach. This is the exploding Pinto approach to data breaches.

UCLA Health System Hospitals To Pay $865,000 For Privacy Breaches

Amy C. Purcell — Fri, 08 Jul 2011 09:41:57 -0500

From 2005 through 2009, UCLA Health System Hospitals ("UCLA") received complaints that its employees had viewed celebrities' medical records without authorization. After an investigation, federal health regulators determined that UCLA employees reviewed patients' electronic medical records "repeatedly and without a permissible reason." Federal health regulators found that UCLA failed to remedy the problem and discipline or retrain its staff. Ultimately, UCLA entered into a settlement agreement with federal health regulators. Under the settlement agreement, UCLA must pay a fine of $865,000. The settlement agreement further requires UCLA to: (1) submit a plan to federal regulators outlining how it plans to prevent future privacy breaches; (2) retrain its staff about privacy protections; (3) institute privacy policies; (4) appoint a representative to oversee its privacy improvements; and (5) report to federal regulators for the next three years.