Facebook Continues To Prompt Responsible Employees To Act Irresponsibly

Hospitals and the Israeli military are the latest organizations grappling with employees posting sensitive, private information that they learn at work on their Facebook pages. Hospitals, which are required under various federal laws to take precautions to prevent the disclosure of patient information and address breaches of it, are increasingly dealing with staff posting personal comments and photographs of patients being treated at their facilities. Recently, a Detroit hospital worker was fired after posting a comment about a man she treated who was accused of killing a police officer. Her Facebook post said that she had come face to face with a cop killer and hoped “he rotted in hell.” The Israeli military apparently had to contend with protests after an Israeli soldier posted photographs of herself in front of handcuffed, blindfolded Palestinian prisoners on her Facebook page with the heading “Army—The Best time of My Life”.

Such incidents highlight the freewheeling attitude of many users of Facebook and other social networking sites today and illustrate how even those with responsible jobs seem to develop amnesia regarding company policies when they use such media. The business and legal consequences that can ensue from such employee posts serve as a reminder of the importance of creating and enforcing policies regarding employee use of social networking sites.

Such policies and practices should take into account the marketing benefits that can come to the organization from its own use of social media but also put in place reasonable restrictions to minimize the risks from employee misuse of it.  As to the latter issue, such policies should prevent the disclosure of confidential information and trade secrets, prevent legal claims against the employee and employer, reinforce the organization’s other policies and codes of conduct, control productivity, and protect the image of the organization.

Tony Soprano Goes Into the Business of Stealing Personal Information

Organized crime has been known as a group responsible for trading in stolen, personally identifiable information. The recent 2010 Verizon Data Breach Investigations Report (PDF link) reports that organized criminals were responsible for 85% of all data breaches caused by external agents. As a whole, data breaches caused by external agents comprise 70% of all data breaches, and 98% of all records compromised. Statistics, analysis and recommendations pepper the 66-page report.

The Verizon Report also noted that 98% of all breaches came from servers, 85% of attacks were considered highly difficult, 61% of data breaches were actually discovered by third parties, 86% of parties with compromised systems had evidence in their log files that a breach had occurred, 96% of breaches were avoidable through simple or intermediate steps of fixes, and 79% of parties with compromised systems that were subject to PCI-DSS had not achieved compliance.

Potential Bankruptcy Sale of Personal Information From Gay Teen Magazine Has Privacy Implications - FTC Objects

Privacy lawyers see assets differently than some other attorneys.  Bankruptcy lawyers see assets even more differently.  So what happens when privacy lawyers try to get out in front of maneuvers by bankruptcy lawyers?

Let me put the issue in context.  When a privacy lawyer drafts a privacy policy for a web site, he or she will think about all of the possible scenarios where his or her client needs to transfer personal information collected on the web site.  As part of a sale of the company?  To answer law enforcement and other subpoena requests?  To litigate against the owner of the information?  In each case, the web site owner wants the right to use and transfer the personal information of its users.

But what if the company/web site goes defunct?  Some clients will take the position that they do not want subscriber information going into the hands of the highest bidder, no matter what.  Other clients will determine that if their business failed, all bets are off and the asset of the company (the personal information) should be used to generate income for the estate.  Those people in the latter category are often the same people that personally guarantee the borrowing by the company and, therefore, want every potential asset to be available.  The lawyer for clients in the last category will put in the privacy policy an explicit disclosure that the information may be transferred in bankruptcy proceedings.

But what happens when the privacy policy says nothing about bankruptcy but does say "[w]e never give your info to anybody"?  Read on to read about that exact scenario currently pending in bankruptcy court.

FTC Bans Twitter From Misleading Us for 20 Years

The Federal Trade Commission entered into a settlement with the social networking site Twitter on Thursday, June 25th.  The settlement was the result of two 2009 hacker breaches, which resulted in 35 user accounts (mostly celebrities and politicians) being compromised and passwords disclosed.  For those wondering, the first breach was achieved in January 2009 by using a password guessing tool to gain access through a Twitter administrative account protected by a weak, all-lowercase password, and then resetting user account passwords.  The second breach in April 2009 allowed the hacker to gain access to a Twitter employee's email account, where that employee had "similar" passwords stored in plain text, resulting in further user password resets.  You may recall hearing about (or receiving) the "Tweet" from President-elect Obama offering you an opportunity to receive $500 in free gas.  Seriously, that happened.

According to the FTC press release, "[u]nder the terms of the settlement, Twitter will be barred for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers. The company also must establish and maintain a comprehensive information security program, which will be assessed by an independent auditor every other year for 10 years."

What did Twitter do wrong, you may ask?  The FTC alleged in its complaint that Twitter was really bad at preventing unauthorized access to its system.  Really, really bad.  Specifically, Twitter failed to take reasonable steps to:

  • require employees to use hard-to-guess administrative passwords that they did not use for other programs, websites, or networks;
  • prohibit employees from storing administrative passwords in plain text within their personal e-mail accounts;
  • suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts;
  • provide an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;
  • enforce periodic changes of administrative passwords, for example, by setting them to expire every 90 days;
  • restrict access to administrative controls to employees whose jobs required it; and
  • impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
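The controls in the FTC's list are easy to state and just as easy to leave out of an administrative login path. Below is an added example (not code from Twitter, the FTC, or this blog) of what three of them look like when actually enforced in code: locking an administrative account after a fixed number of consecutive failed attempts, rejecting administrative logins from outside an allowlisted network, and refusing a password older than 90 days. The threshold of five attempts, the `10.0.0.0/8` allowlist, the sample accounts and the timestamps are all constructed for the illustration.

```python
"""Constructed illustration of administrative-access controls: lockout after
repeated failures, source-IP restriction and 90-day password expiry.
Names, thresholds and sample data are assumptions for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 5                                # assumed lockout threshold
PASSWORD_MAX_AGE = timedelta(days=90)                  # the 90-day expiry from the list
ADMIN_ALLOWED_NETWORKS = [ip_network("10.0.0.0/8")]    # constructed allowlist


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 so a stored digest is not reusable elsewhere."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class AdminAccount:
    username: str
    salt: bytes
    digest: bytes
    password_set_at: datetime
    failed_attempts: int = 0
    locked: bool = False


def make_account(username: str, password: str, set_at: datetime) -> AdminAccount:
    salt, digest = hash_password(password)
    return AdminAccount(username, salt, digest, set_at)


def admin_login(account: AdminAccount, password: str, source_ip: str, now: datetime) -> str:
    """Evaluate one administrative login attempt.

    Returns one of "ip_denied", "locked", "bad_password", "expired" or "ok".
    The IP check runs first so an attempt from outside the allowlist never
    even reaches password verification.
    """
    if not any(ip_address(source_ip) in net for net in ADMIN_ALLOWED_NETWORKS):
        return "ip_denied"
    if account.locked:
        return "locked"
    _, candidate = hash_password(password, account.salt)
    if not hmac.compare_digest(candidate, account.digest):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True       # disabled until an administrator resets it
            return "locked"
        return "bad_password"
    account.failed_attempts = 0         # a success clears the counter
    if now - account.password_set_at > PASSWORD_MAX_AGE:
        return "expired"                # correct password, but it must be rotated first
    return "ok"


def run_demo() -> List[str]:
    """Walk through the constructed scenarios and return the outcomes in order."""
    base = datetime(2010, 6, 25)
    results = []
    acct = make_account("admin", "correct horse battery staple", base - timedelta(days=10))
    # right password from a non-allowlisted address: rejected before any check
    results.append(admin_login(acct, "correct horse battery staple", "203.0.113.7", base))
    # four wrong guesses from inside the allowlist, then the fifth locks the account
    for _ in range(4):
        results.append(admin_login(acct, "password", "10.1.2.3", base))
    results.append(admin_login(acct, "password", "10.1.2.3", base))
    # even the correct password is refused once locked
    results.append(admin_login(acct, "correct horse battery staple", "10.1.2.3", base))
    # a valid login whose password is 120 days old is told to rotate
    stale = make_account("ops", "another long passphrase", base - timedelta(days=120))
    results.append(admin_login(stale, "another long passphrase", "10.1.2.3", base))
    # a fresh password from an allowed address succeeds
    fresh = make_account("ops2", "third passphrase", base - timedelta(days=1))
    results.append(admin_login(fresh, "third passphrase", "10.1.2.3", base))
    return results


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

The order of the checks matters: the network restriction is evaluated before the password, so a guessing tool run from an arbitrary Internet address never gets to exercise the password check at all, and the lockout flag is checked before hashing so a locked account cannot be used as a password oracle.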

Sounds like pretty reasonable steps for Twitter to have taken.  Frankly, it sounds like pretty reasonable expectations in 2000, not just 2009.  Your IT Department surely has at least these requirements, right?  Right?

To many, this settlement is further evidence that the "we are serious this time, seriously" approach touted by the FTC in recent years is merely lip service. 

That being said, the ban on misleading customers for 20 years is not just empty words.  If Twitter allows any other privacy breach to occur, it will find itself without much leniency from the FTC.  It also puts the FTC in a position to immediately fine Twitter up to $16,000 per incident for future lapses, a power that the FTC does not have absent the settlement and resulting (future, expected) order.

The comment period on the settlement will end on July 26, 2010, at which time it is expected that the order will be entered and the settlement will become final.

Supreme Court Refuses to Make Landmark Privacy Ruling

The Supreme Court issued a ruling yesterday (8-1) in Ontario, Calif. v. Quon, U.S., No. 08-1332, 6/17/10 (PDF link), basically punting on elaborating on Fourth Amendment privacy rights because technology is still emerging.  The technology?  Pagers.

The police department for the City of Ontario in California provided pagers to its officers in 2001.  A computer and Internet usage policy provided that the department could monitor all electronic activity of its employees, including email and Internet usage.  There was no specific reference to pager usage and text messages. 

The distinction between transmission technology for email and pager/cell phones is important.  The email and Internet usage at the police department would travel over the department's computer servers.  The pager/text messages would not but, rather, would travel over the wireless provider's (Arch Wireless) networks.  The point being, monitoring of the department's own servers is a much easier question than monitoring communications that travel over a service provider's servers.

Law Firm Security Lags Behind and Target of Hackers...Yikes!

On a topic near and dear to my heart, I read an article at Law360 on Friday that was a real eye opener.  Not because I am concerned about my backyard (we have a CTO that is very on top of these issues), but because of the number of law firms that apparently do not have their networks secure.

I have no intention of restating the article from Law360, but I do want to state the premise that should make private practice attorneys (and, frankly, lots of General Counsel) click through: "Over the past five years, sophisticated cyber attackers have expanded their intrusions at government and defense-related targets to go after researchers, manufacturers, nonprofits and law firms, according to a January report by information security firm Mandiant Corp."

Let me put that another way.  The emails about collecting alimony from the ex-wife in Cambodia about the deadbeat ex-husband are not where your risks end.  Hackers are now targeting law firms for hacking and data theft.  And why not?  If a hacker cannot hack into a Fortune 100 company network, go to the law firm network where all of those transaction documents and SEC filings reside.

Read the article for yourself.

FTC Delays Implementation of Red Flag Rules Until December 31, 2010

In an effort to ease the holiday weekend of those affected, the FTC announced that the effective date of the Red Flag Rules has been delayed until December 31, 2010.  This announcement may have a familiar feel to you (January 1, 2008, November 1, 2008, June 1, 2010?).  Click here to read at the FTC web site, or read the full text in the rest of this post.  Happy Memorial Day.

FTC Concerned About Retention of Scans on Copy Machines

Every day we all read about the latest threat to our privacy.  Facebook tricks you into sharing your private life details and Facebook staff is fed up.  The computer in your car can be hacked to disable your brakes.  Google collected wi-fi hotspot data for some (alleged) nefarious purpose.

It is not often that we come across something that just does not seem possible.  Yesterday was one of those days, when the FTC announced that it is working with copy machine manufacturers to either end or severely restrict the existing practice of storing digital images captured on photocopiers.  The FTC's response (PDF link) was in reaction to a letter (PDF link) from Representative Ed Markey (D-MA) after seeing a CBS report last month on the issue.

Photocopies made on modern photocopiers are stored on an internal hard drive in the copy machine.  CBS' report last month stated that "[n]early every digital copier built since 2002 contains a hard drive - like the one on your personal computer - storing an image of every document copied, scanned, or emailed by the machine."  In other words, everything you have photocopied is stored on a hard drive hidden deep inside the photocopier.

WHAT!?!  Why?  Who thought this was a good idea?  And all, or almost all, copier manufacturers put this function in their copiers?  When did I photocopy those "youthful" pictures from college for my buddy's bachelor party?  We received new photocopiers last year, so that copier is gone (thank goodness).  But wait, where is it?  Read on to see some of the nightmare scenarios this raises.

Litigation Update - Computer Fraud and Abuse Act

In the recent federal case in the Middle District of Tennessee, ReMedPar, Inc. v. AllParts Med., LLC, a split among federal circuit courts is apparent regarding the interpretation of the Computer Fraud and Abuse Act's (CFAA) civil cause of action for accessing a protected computer without authorization or exceeding the scope of permitted authorization. In ReMedPar, Inc., the plaintiff filed a suit against an independent contractor who allegedly gave a competitor the plaintiff's software and source code to develop a comparable software system. The case was dismissed as the court found the independent contractor was not without or exceeding authorization, as he was given permission to access the computers by the plaintiff. The split in interpretation of the CFAA among the federal circuits is apparent, with the Middle District of Tennessee and other courts, including the 9th Circuit, holding that CFAA claims are only applicable to those cases in which access was undeniably exceeded; whereas the 1st and 7th Circuits hold a less extreme approach, finding CFAA claims are permitted when a person misuses access in any way adverse to the authorizer's interest.

New Effort at Federal Privacy Law Big On Promises

Rep. Rick Boucher (D-VA) and Rep. Cliff Stearns (R-FL) proposed federal legislation last week that would create a two-tier standard of protection of private information, whereby “covered information” would fall under the standard “opt-out” method and “sensitive information” would fall under an “opt-in” method.

The proposed legislation breathes new life into perennially dead-on-arrival legislation, and potentially offers something the Obama administration can support in fulfilling its promise to close existing gaps in federal privacy legislation.

The phrase "Sensitive Information" includes any information that relates to the individual's medical records, race or ethnicity, religious beliefs, sexual orientation, financial records or precision geolocation information.

Opponents of the legislation have jumped all over it, claiming that it does not go far enough to protect individuals, especially in the online context. Others cite that European laws remain the gold standard for privacy protection, and that this legislation avoided going that far because of backlash from business.