The midterm elections will likely result in a shift of political power within the House of Representatives. The resultant divided government is likely to impact the current ambitious privacy and data security legislative agenda. Rimon Washington D.C. Data Privacy, Security & Management attorneys Judith Harris, Christopher Cwalina, and Amy Mushahwar have published an analysis of their predictions for 2011 legislative priorities as the incoming crop of legislators move from campaign mode to governance. Please see their article in Information Security.
HITECH Means High Stakes in First-Ever State HIPAA Lawsuit
Yesterday, the Attorney General of the State of Connecticut filed suit against the Connecticut subsidiary of Health Net, charging it with violations of the privacy and security requirements of HIPAA. The action, filed yesterday in the United States District Court in Connecticut, comes on the heels of a security breach involving medical records and Social Security numbers. The suit also names United Health Group Inc. and Oxford Health Plans LLC, who acquired Health Net of Connecticut but who were not involved in the data breach.
If you forgot, last year the Health Information Technology for Economic and Clinical Health Act (HITECH), for the first time authorized individual state attorneys’ general to enforce the security and data privacy regulations under HIPAA, and this appears to be the first such action.
The lawsuit claims that Health Net in Connecticut failed to provide adequate security for the medical and financial records of hundreds of thousands of enrolled individuals, and failed to notify them promptly in connection with the breach. The breach, which took place last May, involved the disappearance of a computer hard drive. Health Net eventually reported the breach, posting a notice on its website and starting a staggered process of mailing letters to consumers November 30, 2009, almost six months after the security breach. For those of you involved in the collection, handling, maintenance, or use of personal, financial and medical information covered by HIPAA, new federal rules under the HITECH Act require “timely” notification of certain breaches, rules that have a compliance deadline of February 22, 2010.
Health Net attributed the delay in reporting to its inability to determine exactly what was on the computer hard drive that disappeared, thus not being sure if a notice was even required. One can only surmise that the mere fact that Health Net didn’t know what information was contained on a removable computer hard drive made its reasoning less than satisfactory to the Connecticut State Attorney General. Although Health Net appears to have conceded that the data was not encrypted, it did indicate that the data should not be visible without the use of specific software. However, Kroll Inc., a computer forensic firm retained by Health Net to investigate the breach, reported the data could be viewable with commonly available software.
Privacy, security and data protection of non-public, personally identifiable and sensitive information (e.g., health, financial data) are increasingly subject to stricter rules and regulations. The use of the Internet and web, making digital information more susceptible to undetected duplication, transmission and access – not to mention the obvious fact that carrying millions of pages of records would be impossible, while walking out with a single hard disk or CD-ROM on which the same data and information has been scanned or stored in digital form – can be virtually undetectable.
Do you know of any law firm that has a team of privacy and data security, identity theft and data breach legal professionals? A firm that has health care, financial services and insurance specialists, as well as lawyers steeped in digital technology, information security and e-commerce? A firm that has transactional, regulatory compliance and policy-oriented lawyers who can audit current practices and policies, assist in developing mechanisms needed to satisfy regulatory requirements, and provide legal support to help avoid a legal problem, and also regulatory, compliance and litigation professionals who can represent and defend clients if a problem arises? Now you do – Rimon. If you need more information, contact me, Joseph I. (“Joe”) Rosenbaum, or Mark Melodia or Paul Bond, or the Rimon attorney with whom you regularly work, if you need legal advice, information or support on this subject.
Rimon DC Office Hosting Next FCBA Privacy/Data Security & Legislative Committees Meeting
Rimon will host the next brown bag lunch meeting of the Federal Communications Bar Association’s joint Privacy/Data Security and Legislative Committees. The meeting will be held on October 13, 2009 between 12:00 noon – 2:00 p.m. at Rimon’s Washington, D.C. offices (1301 K Street, NW, Suite 1100 East Tower). The Committees will discuss the legislative priorities for the 111th Congress with special emphasis on behavioral marketing and data security legislation. The following speakers are confirmed to-date: Amy Levine, Legislative Counsel to Congressman Rich Boucher; and Paul Cancienne, Legislative Aide to Congresswoman Mary Bono Mack. We also have invited staff from the U.S. Senate. Please RSVP to Desiree Logan at dlogan@rimonlaw.com to attend.
Are You Behaving Badly? Global Regulation of Behavioral Marketing
On Wednesday, September 30, 2009, from 12 noon – 1 p.m. (U.S. EDT), Rimon will be hosting a teleseminar as part of its “Doing Business Globally” series. Entitled Global Regulation of Behavioral Marketing, this seminar will be presented by Rimon partners Douglas J. Wood and Joseph I. Rosenbaum from New York, and Gregor Pryor from London. The seminar will explore the legal implications to advertisers, marketing professionals and brands associated with the labyrinth of global regulation increasingly applicable, or newly enacted, in connection with the targeting of consumers — on and off the web — through behavioral marketing.
Privacy and consumer groups object to such sophisticated techniques, fearful it further erodes what little privacy protection remains. Regulators are concerned such practices may violate privacy and data protection laws, or worse, are simply not covered by existing law and regulation. Marketers respond that such advances allow for a far more efficient, consumer-friendly marketplace, and that self-regulation has been a successful model in the advertising industry for more than 30 years. In this interconnected, networked age of social networking and global communication, understanding the implications and the legal and regulatory landscape is critical for every advertising professional and marketer, and the brands they represent. The camps remain far apart. Advertising industry associations call for self-regulation, recently releasing a report entitled Self-Regulatory Principles for Online Behavioral Advertising. Only about two months later, as previously reported in Legal Bytes, a coalition of 10 consumer advocacy and privacy groups released a fresh call for new regulation in a report referred to as a Legislative Primer, entitled Online Behavioral Tracking and Targeting Concerns and Solutions. The dividing lines remain drawn, tensions remain high, and the balance unclear – perhaps because the technology environment keeps rewriting the rules of engagement. Want to know more? Don’t miss this informative presentation.
Join us for this exciting and timely Rimon Teleseminar. You can view the Invitation to obtain more information, or go right to the Registration page. We look forward to your participation.
Self-Regulatory Online Behavioral Advertising Principle No. 4: Data Security
The Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in concert with the Council of Better Business Bureaus, recently released its Self-Regulatory Online Behavioral Advertising Principles. When we announced these principles, we also promised to provide you with a bit more detail regarding each of these principles, which are listed below; so here is a brief summary of the fourth – Data Security. For reference, the seven enumerated principles are:
- Education
- Transparency
- Consumer Control
- Data Security
- Material Changes
- Sensitive Data
- Accountability
The Data Security principle requires entities to provide reasonable security for, and limited retention of, data collected and used for online behavioral advertising purposes. Consistent with the FTC standard, entities must maintain appropriate physical, electronic and administrative safeguards based upon the sensitivity of the data. Further, data collected and used may not be retained any longer than necessary to fulfill a legitimate business need (e.g., testing and auditing) or as required by law. In addition, the principle sets forth the steps that service providers (e.g., entities that provide Internet service, toolbars, web browsers or comparable desktop applications) must take in connection with data collection and use, including alteration, anonymization or randomization (e.g., hashing) of personally identifiable information; enhanced notice and disclosure at the time the data is collected; and the protection of the non-identifiable nature of data shared with non-affiliates. Under the Data Security principle, service providers will be held accountable for compliance with these principles in connection with their collection and use of data for online behavioral advertising purposes. Thanks to Stacy Marcus for her analysis.
We can now also report to you that yesterday a coalition of 10 consumer and privacy advocacy groups (i.e., Center for Digital Democracy, Consumer Federation of America, Consumers Union, Consumer Watchdog, Electronic Frontier Foundation, Privacy Lives, Privacy Rights Clearinghouse, Privacy Times, U.S. Public Interest Research Group, and The World Privacy Forum, has released a draft of their own principles, in the form of a Legislative Primer, entitled Online Behavioral Tracking and Targeting Concerns and Solutions. Legal Bytes will have a more detailed report for you on this new development in the next day or two, and in the meantime – or any time – feel free to contact me, Stacy Marcus, or any of the Rimon attorneys with whom you regularly work.
Identity Theft: Don’t Just Yell ‘Stop Thief.’ Audit Something!
It was 1998 and identity theft had not yet hit the radar screens as heavily as it would during the course of the next decade. Who could predict? So when I received a call from Albert J. Marcella, Jr. Professor of Management in the School of Business and Technology, Department of Management, at Webster University in St. Louis, who said he was putting together an “audit oriented” publication for The Institute of Internal Auditors to guide professionals who were becoming increasingly concerned about online identity theft, I naturally wondered what I could contribute to that effort.
So we spent a great deal of time collaborating about what we knew, speculated about what we did not know, and tried to put the work in context—specifically, guidance for corporate auditors and security management professionals on what they needed to know as sensitive, personally identifiable information migrated online. The result, of which my contribution played only a small part, was a book entitled www.STOPTHIEF.net, Protecting Your Identity on the Web, published in November 1999 by The Institute of Internal Auditors.
Identity theft, not a brand new crime even then, had a new face in our online, digital interconnected world. And, it was growing and pervasive, and its implications—if for no other reason than the sheer magnitude of the potential risks and the speed at which they would materialize on or through the Internet—were unprecedented and were becoming global.
I now know what I could not have known then—that more than 40 states have passed identity theft statutes and that the Privacy Rights Clearinghouse website, which takes pride in cataloging such things, estimates that as of a day or two ago, 263,247,398 records containing sensitive personal information were involved in security breaches in the United States since January 2005—six years after the publication became available.
To appreciate the foresight and to learn about those audit guidelines and benchmarks, you have to buy the book. But to read my personal piece of that collaborative effort—an end-piece summary of the legal implications entitled “Technology, the Internet and Cyberspace: Challenges to National and International Privacy“, you just have to read Legal Bytes.
Data Protection/Breach Disclosure Laws
In the news, yet more breaches of data security and the potential disclosure of personally identifiable, non-public information about you. From Wells Fargo to the Veterans Administration, breaches are becoming almost daily news. In response, more and more states are enacting breach disclosure laws requiring companies to notify consumers if there is an actual or potential breach of security compromising (or potentially compromising) your information. Even Congress is getting into the act of considering legislation at the national level. Although not all the definitions are uniform, nor are the requirements identical, most have common themes—but to understand what they are, how they affect you and what obligations you may have, you have to contact me, or you can simply wait for the next issue of Legal Bytes—stay tuned.
Security Checks Out
OK. You’ve all been reading about the recent security breaches which are exposing sensitive financial and other non-public personally identifiable information to potential disclosure—in some cases actual release and compromise of that information. Well it turns out that in one area—the retailer cases involving Polo (Ralph Lauren), DSW (Shoe Warehouse) and others—are all being traced back to software that merchants use to process credit, charge and debit transactions. The problem, it seems, stems from the fact that the hidden coding that resides on the magnetic strip of our plastic money and that is supposed to authenticate and provide a degree of transactional security in processing payment is being retained by the merchants’ systems, rather than being immediately deleted and cleansed from these systems once the transaction is approved and complete. Hackers, learning of this vulnerability, were quick to attempt to break into these merchant systems and “steal” the codes, in many cases enabling them to create counterfeit plastic and compromise personal information of the cardholder in the process. In one case, BJ’s Wholesale Club is being sued by banks and credit unions because hackers made off with customer’s credit card numbers, and BJ’s has decided to sue IBM, whose software allegedly stored the numbers in computer logs. In legal papers filed in response to the suit, IBM not only claims there is no proof the stolen card numbers came from BJ’s systems, but it also claims that its contract with BJ’s disclaims liability for damages because of security breaches. OK, all of you go check your software contracts. Now.
Did Anyone at ChoicePoint Read the February ’04 Issue of Legal Bytes?
Shareholders are suing ChoicePoint and its executives after learning that criminals posing as bona fide businesses were given access to personal data. ChoicePoint maintains databases of background information on almost every citizen in the United States—billions of records. A class-action lawsuit has been filed in California charging that executives withheld information to avoid having the stock price fall when and if the news broke: the share price has since fallen more than 20 percent in a month. The suit claims the executives knew their data protection was inadequate; knew or should have known ChoicePoint was selling data to illegal businesses; and that security breaches had occurred previously, exposing even more people to identity theft.
The security breach was uncovered last October, when law enforcement first contacted ChoicePoint investigating an identity theft. Suspects, posing as a ChoicePoint client, gained access to its consumer databases. As if the class action and drop in share price were not trouble enough, ChoicePoint is under investigation by the FTC inquiring into its compliance with information security laws; is under investigation by the SEC for possible violations by certain executives of the insider trading regulations; and is facing lawsuits arising from violations of the Fair Credit Reporting Act and California state law. Will someone please pick up and read the February 2004 issue of Legal Bytes!?!
Avoiding a Legal Disaster: Déjà Vu All Over Again
In April 1995, Datapro Reports on Information Security published a Disaster Avoidance brief (IS38-200-101) entitled “Avoiding a Legal Disaster: Business Continuity Planning for Multinationals.” In that paper, the author analogizes a famous 1932 “technology” case decided by the Second Circuit Court of Appeals in the United States, to the growing potential liability of users in managing their technology and information security resources. Specifically, the article states that “In 1932, a famous case entitled The T.J. Hooper (60 F.2d 737; 2nd Circuit, 1932) held that the failure to take advantage of existing and available technology—even though it was not in widespread or common use—was not evidence that the defendant’s duty to take reasonable care had been fulfilled. By analogy, when a disaster occurs, it will not be a defense to argue that a recovery or security system or preventive measure is not commonly in use, especially if using it would have averted the disaster or minimized the loss.”
The article, which focuses on what organizations can do to minimize risk, goes on to note that, “The more reliant business and operations become on technology, the more available preventive and risk management tools become, the less excusable a failure to implement meaningful measures and exercise due diligence over company assets will become to government, employees, customers, suppliers, and shareholders—all potential plaintiffs.”
Now this fact and the author would probably be relegated to obscurity but for an interesting article on I.T. Litigation that has just appeared in the February 1, 2004 issue of CIO Magazine, entitled “Courts Make Users Liable for Security Glitches.” The author notes that an interesting turning point arose in the wake of 9/11 when, in October 2001, Hartford Insurance removed computer damages from its general commercial liability policy coverage. The article goes on to cite three recent cases which are beginning to look a lot like a legal trend in this area. First, a case in which Verizon asked a court to order the State of Maine to refund money because Verizon wasn’t using Maine’s network while Verizon was “down” because of the “Slammer” worm. Verizon had not implemented a Slammer patch and last April the Court ruled that while one may not be able to control a worm attack, they are foreseeable—no refund (Maine Public Utilities Commission v. Verizon).
In Cobell v. Norton, the U.S. Department of the Interior’s website and computer security became an issue in a case involving benefits allegedly and to American Indians. The Court was sufficiently irritated by the Department’s conduct related to security audits, that the Judge actually commenced contempt proceedings! Finally, in the last case cited by the article, the American Civil Liberties Union hoped to avoid liability for accidentally publishing donor information by pleading it had outsourced its security to a third-party vendor. Although the case settled, it is doubtful such a defense would have worked and it is almost certain regulated companies will not be able to escape accountability for compliance by outsourcing regulated activities—the responsibility will remain theirs!
There appears to be an increasing, and not-so-subtle, shift away from the notion that programming errors related to security breaches, computer viruses, worms, logic bombs and other malicious code or hacker and denial of service attacks are somehow equivalent to unpredictable natural disasters like earthquakes or fires—thus not subject to a “fault” analysis, but more appropriately covered by ‘accident’ insurance. Indeed, these and other cases arising in the courts treat breaches of security as fair game for negligence lawsuits—especially where damage has been done to a consumer (e.g., identity theft) or where the assets of a company—tangible or intellectual property—have been compromised. As noted in the 1995 article, liability for failure to implement available security is likely to increasingly hold both providers and users of technology liable where negligence can be shown—or even reckless disregard where safety or the protection of assets are concerned. You can read the CIO Magazine article here and, by the way, the obscure author of the 1995 Datapro article can be reached at joseph.rosenbaum@rimonlaw.com should anyone wish to see a copy or discuss the issues raised—then or now!