California Legislature Advances Groundbreaking Privacy "Right to Know Act"

In what amounts to a potential, unprecedented victory for consumers’ right to know how their personal information is used by businesses, California's "Right to Know Act of 2013" (AB 1291) made further headway by being re-read and amended a second time on Monday, April 1st.  As reported by Ars Technica, the Right to Know Act, which was introduced by California Assembly Member Bonnie Lowenthal, was the result of significant lobbying by the Electronic Frontier Foundation and the American Civil Liberties Union of Northern California.

The current summary of the bill states:

(1) Existing law requires a business to ensure the privacy of a customer’s personal information, as defined, contained in records by destroying, or arranging for the destruction of, the records, as specified. Any customer injured by a business’ violation of these provisions is entitled to recover damages, obtain injunctive relief, or seek other remedies.

This bill would create the Right to Know Act of 2013, would repeal and reorganize certain provisions of existing law, and would provide legislative findings in support thereof.

(2) Existing law also requires a business that collects customer information for marketing purposes and that discloses a customer’s personal information to a 3rd party for direct marketing purposes, to provide the customer with whom it had a business relationship, as defined, within 30 days after the customer’s request, as specified, in writing or by e-mail, the names and addresses of the recipients of that information and specified details regarding the information disclosed, except as specified. Existing law requires a business subject to these provisions to provide an address, electronic address, or toll-free telephone or facsimile number that a customer may use to deliver requests for copies of his or her personal information.

This bill would instead require any business that retains a customer’s personal information, as defined, or discloses that information to a 3rd party, to provide at no charge, within 30 days of the customer’s specified request, a copy of that information to the customer as well as the names and contact information for all 3rd parties with which the business has shared the information during the previous 12 months, regardless of any business relationship with the customer. This bill would require that a business subject to these provisions choose one of several specified options to provide the customer with a designated address for use in making a request for copies of information under these provisions.

(3) Existing law also requires a business that is required to comply with these provisions to provide information to customers regarding its privacy policy and to provide a designated means of preventing disclosure of personal information.

This bill would require a business that is required to comply with these provisions to provide specified notice to the customer of its privacy policies.

(4) Existing law provides that a customer who sustains injury as a result of a violation of these provisions is entitled to specified remedies, including civil penalties.

This bill would also provide that a violation of these provisions is deemed to constitute an injury to the customer for purposes of seeking remedies available under law.

In other words, the Act also provides a private right of action to consumers for businesses that do not comply with the Act.

The EFF appears to be quite pleased with the bill, as noted in its press release on April 2nd.  The EFF noted that the point of the law is to allow consumers to better understand the vast economy that is data sharing: "This law is about transparency and access, not new restrictions on data sharing. The proposed law wouldn't limit or restrict sales of data, and it wouldn't provide additional security measures for how data is stored or new requirements for anonymization. While those are all important issues to consider, the law is actually far more basic. It helps consumers, regulators, policymakers, and the world at large shine a light onto the largely hidden, highly lucrative world of the personal data economy."

It will be interesting to see (1) if the Act continues toward enactment, (2) how companies outside of California, but with information regarding California residents, implement the law, and (3) if this very European-style law catches on in other states.  


In Massachusetts, ZIP Codes Constitute Personal Identification Information

In connection with a class action lawsuit filed against Michaels Stores Inc., the United States District Court for the District of Massachusetts certified to the Supreme Judicial Court of Massachusetts three questions: (1) whether a ZIP code constitutes personal identification information; (2) whether, under the Massachusetts statute prohibiting collection of personal identification information during a credit card transaction, a plaintiff may pursue a claim without any evidence of identity theft; and (3) whether, under the statute, a "credit card transaction form" includes an electronic transaction form.  Earlier this week, the Supreme Court answered "yes" to all three of these questions.  A copy of the Court's opinion is attached here.  The Supreme Court's decision will likely open the door to more lawsuits against retailers in Massachusetts.  Plaintiffs may now file actions against retailers who collect ZIP code information during a credit card transaction and, consistent with the Supreme Court's broad interpretation of personal identification information, plaintiffs may try to expand the definition of personal identification information even further to include other types of information.  In addition, the Supreme Court's decision has lowered the bar for plaintiffs who struggle to prove that they have been injured in these cases.  Under the Supreme Court's ruling, a plaintiff no longer needs to demonstrate that he or she has suffered identity theft in order to maintain a cause of action.  Significantly, the Court stated that receipt of unwanted marketing materials or the sale of a consumer's personal identification information to a third party can constitute an injury sufficient to maintain an action.  As a result of the Supreme Court's decision, retailers in Massachusetts should review and evaluate their data collection practices.

California Supreme Court Permits Apple To Collect Personal Information Online

On February 4, 2013, the California Supreme Court held that Apple Inc. is permitted to request a customer's address and telephone number in connection with an online purchase. The Supreme Court reversed the trial court's decision and found that the Song-Beverly Credit Card Act does not apply to online transactions.  The Supreme Court stated that "[t]he safeguards against fraud that are provided in [the act] are not available to the online retailer selling an electronically downloadable product.  Unlike a brick-and-mortar retailer, an online retailer cannot visually inspect the credit card, the signature on the back of the card or the customer's photo identification."   The case is Apple Inc. v. The Superior Court of Los Angeles County, Case No. S199348.  Attached is a copy of the Court's opinion.

HIPAA "Mega Rule", Meet "Super BAA": The CMS Data Use Agreement

[This blog posting was previously posted on the HIPAA, HITECH and Health Information blog.]

The recent release of the HIPAA/HITECH “mega rule” or “omnibus rule” has given bloggers and lawyers like us plenty of topics for analysis and debate, as well as some tools with which to prod covered entities, business associates and subcontractors to put HIPAA/HITECH-compliant Business Associate Agreements (“BAAs”) in place. It’s also a reminder to read BAAs that are already in place, and to make sure the provisions accurately describe how and why protected health information (“PHI”) is to be created, received, maintained, and/or transmitted. 

If you are an entity that participates in the Medicare Shared Savings Program as a Medicare Accountable Care Organization (“ACO”), your ability to access patient data from Medicare depends on your having signed the CMS Data Use Agreement (the “Data Use Agreement”). Just as covered entities, business associates, and subcontractors should read and fully understand their BAAs, Medicare ACOs should make sure they are aware of several Data Use Agreement provisions that are more stringent than provisions typically included in a BAA and that may come as a surprise. Here are ten provisions from the Data Use Agreement worth reviewing, whether you are a Medicare ACO or any other business associate or subcontractor, as these may very well resurface in some form in the “Super BAA” of the future:

1. CMS (the covered entity) retains ownership rights in the patient data furnished to the ACO.

2. The ACO may only use the patient data for the purposes enumerated in the Data Use Agreement.

3. The ACO may not grant access to the patient data except as authorized by CMS.

4. The ACO agrees that, within the ACO and its agents, access to patient data will be limited to the minimum amount of data and minimum number of individuals necessary to achieve the stated purposes.

5. The ACO will only retain the patient data (and any derivative data) for one year or until 30 days after the purpose specified in the Data Use Agreement is completed, whichever is earlier, and the ACO must destroy the data and send written certification of the destruction to CMS within 30 days.

6. The ACO must establish administrative, technical, and physical safeguards that meet or exceed standards established by the Office of Management and Budget and the National Institute of Standards and Technology.

7. The ACO acknowledges that it is prohibited from using unsecured telecommunications, including the Internet, to transmit individually identifiable, bidder identifiable or deducible information derived from the patient files.

8. The ACO agrees not to disclose any information derived from the patient data, even if the information does not include direct identifiers, if the information can, by itself or in combination with other data, be used to deduce an individual’s identity.

9. The ACO agrees to abide by CMS’s cell size suppression policy (which stipulates that no cell of 10 or less may be displayed).

And last, but certainly not least:

10. The ACO agrees to report to CMS any breach of personally identifiable information from the CMS data file(s), loss of these data, or disclosure to an unauthorized person by telephone or email within one hour.

While the undertakings of a Medicare ACO and the terminology in the Data Use Agreement for protection of patient data may differ from those of covered entities, business associates and subcontractors and their BAAs under the HIPAA/HITECH regulations, they have many striking similarities and purposes. 


The SAIC Breach and a Look Across the Chasm Between Significant Risk and Actual Harm Resulting from a HIPAA Breach

The following was recently posted in substantially the same form on the Fox Rothschild LLP HIPAA, HITECH and Health Information Technology blog.

Elizabeth Litten and Michael Kline write:


We have posted several blogs, including those here and here, tracking the reported 2011 theft of computer tapes from the car of an employee of Science Applications International Corporation (“SAIC”) that contained the protected health information (“PHI”) affecting approximately 5 million military clinic and hospital patients (the “SAIC Breach”).  SAIC’s recent Motion to Dismiss (the “Motion”) the Consolidated Amended Complaint filed in federal court in Florida as a putative class action (the “SAIC Class Action”) highlights the gaps between an incident (like a theft) involving PHI, a determination that a breach of PHI has occurred, and the realization of harm resulting from the breach. SAIC’s Motion emphasizes this gap between the incident and the realization of harm, making it appear like a chasm so wide it practically swallows the breach into oblivion. 


SAIC, a giant publicly-held government contractor that provides information technology (“IT”) management and, ironically, cyber security services, was engaged to provide IT management services to TRICARE Management Activity, a component of TRICARE, the military health plan (“TRICARE”) for active duty service members working for the U.S. Department of Defense (“DoD”).  SAIC employees had been contracted to transport backup tapes containing TRICARE members’ PHI from one location to another.


According to the original statement published in late September of 2011 (the “TRICARE/SAIC Statement”), the PHI “may include Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions.” However, the TRICARE/SAIC Statement said that there was no financial data, such as credit card or bank account information, on the backup tapes. Note 17 to the audited financial statements (“Note 17”) contained in the SAIC Annual Report on Form 10-K for the fiscal year ended January 31, 2012, dated March 27, 2012 (the “2012 Form 10-K”), filed with the Securities and Exchange Commission (the “SEC”), includes the following:


There is no evidence that any of the data on the backup tapes has actually been accessed or viewed by an unauthorized person. In order for an unauthorized person to access or view the data on the backup tapes, it would require knowledge of and access to specific hardware and software and knowledge of the system and data structure.  The Company [SAIC] has notified potentially impacted persons by letter and is offering one year of credit monitoring services to those who request these services and in certain circumstances, one year of identity restoration services.


While the TRICARE/SAIC Statement contained similar language to that quoted above from Note 17, the earlier TRICARE/SAIC Statement also said, “The risk of harm to patients is judged to be low despite the data elements . . . .” Because Note 17 does not contain such “risk of harm” language, it would appear that (i) there may have been a change in the assessment of risk by SAIC six months after the SAIC Breach or (ii) SAIC did not want to state such a judgment in an SEC filing.


Note 17 also discloses that SAIC has reflected a $10 million loss provision in its financial statements relating to the SAIC Class Action and various other putative class actions respecting the SAIC Breach filed between October 2011 and March 2012 (for a total of seven such actions filed in four different federal District Courts).  In Note 17 SAIC states that the $10 million loss provision represents the “low end” of SAIC’s estimated loss and is the amount of SAIC’s deductible under insurance covering judgments or settlements and defense costs of litigation respecting the SAIC Breach.  SAIC expresses the belief in Note 17 that any loss experienced in excess of the $10 million loss provision would not exceed the insurance coverage.


Such insurance coverage would, however, likely not be available for any civil monetary penalties or counsel fees that may result from the current investigation of the SAIC Breach being conducted by the Office of Civil Rights of the Department of Health and Human Services (“HHS”) as described in Note 17.


Initially, SAIC did not deem it necessary to offer credit monitoring to the almost 5 million reportedly affected individuals. However, SAIC urged anyone suspecting they had been affected to contact the Federal Trade Commission’s identity theft website. Approximately 6 weeks later, the DoD issued a press release stating that TRICARE had “directed” SAIC to take a “proactive” response by covering a year of free credit monitoring and restoration services for any patients expressing “concern about their credit as a result of the data breach.”   The cost of such a proactive response easily can run into millions of dollars in the SAIC Breach. It is unclear the extent, if any, to which insurance coverage would be available to cover the cost of the proactive response mandated by the DoD, even if the credit monitoring, restoration services and other remedial activities of SAIC were to become part of a judgment or settlement in the putative class actions.


We have blogged about what constitutes an impermissible acquisition, access, use or disclosure of unsecured PHI that poses a “significant risk” of “financial, reputational, or other harm to the individual” amounting to a reportable HIPAA breach, and when that “significant risk” develops into harm that may create claims for damages by affected individuals. Our partner William Maruca, Esq., artfully borrows a phrase from former Defense Secretary Donald Rumsfeld in discussing a recent disappearance of unencrypted backup tapes reported by Women and Infants Hospital in Rhode Island. If one knows PHI has disappeared, but doubts it can be accessed or used (due to the specialized equipment and expertise required to access or use the PHI), there is a “known unknown” that complicates the analysis as to whether a breach has occurred. 


As we await publication of the “mega” HIPAA/HITECH regulations, continued tracking of the SAIC Breach and ensuing class action litigation (as well as SAIC’s SEC filings and other government filings and reports on the HHS list of large PHI security breaches) provides some insights as to how covered entities and business associates respond to incidents involving the loss or theft of, or possible access to, PHI.   If a covered entity or business associate concludes that the incident poses a “significant risk” of harm, but no harm actually materializes, perhaps (as the SAIC Motion repeatedly asserts) claims for damages are inappropriate. When the covered entity or business associate takes a “proactive” approach in responding to what it has determined to be a “significant risk” (such as by offering credit monitoring and restoration services), perhaps the risk becomes less significant. But once the incident (a/k/a, the ubiquitous laptop or computer tape theft from an employee’s car) has been deemed a breach, the chasm between incident and harm seems to open wide enough to encompass a mind-boggling number of privacy and security violation claims and issues.

FTC "History Sniffing" Settlement: Meaningless or the Start of Something Bigger?

The Federal Trade Commission announced yesterday a settlement with Epic Marketplace, an online advertising network, which prohibits Epic from further collection of data obtained by "browser sniffing" the surfing history of Internet users and requires Epic to destroy all previously collected data.

According to the FTC complaint, Epic was collecting information from millions of individuals by “browser sniffing,” which is a practice that allowed Epic to determine whether the user had previously visited more than 54,000 websites, including websites relating to fertility issues, impotence, menopause, incontinence, disability insurance, credit repair, debt relief, and personal bankruptcy. Once Epic had this information, it would then send targeted advertisements to the user.

Many users have no idea that this technology even exists, and the FTC’s main gripe appears to be that the user did not have knowledge this was occurring on sites outside of Epic's advertising network. Epic’s privacy policy promised that Epic would collect information about users only for use in Epic’s 45,000 website network. Apparently, the FTC was not concerned with the practice itself; its concern centered on Epic collecting information from users about visits to websites not in Epic’s website network.

"Consumers searching the Internet shouldn't have to worry about whether someone is going to go sniffing through the sensitive, personal details of their browsing history without their knowledge," FTC Chairman Jon Leibowitz said in a statement. "This type of unscrupulous behavior undermines consumers' confidence, and we won't tolerate it."

Stated another way, the FTC is saying that Epic could collect information about whether consumers visited sites in its advertising network having to do with fertility issues, impotence, menopause, incontinence, disability insurance, credit repair, debt relief, and personal bankruptcy, and then use that information to serve that consumer advertisements. The problem was that Epic went beyond its own advertising network. That makes sense.  A company breaching the representations in its own privacy policy is low hanging fruit.

What the FTC is NOT saying is that consumers would never know what the heck Epic’s privacy policy says, so how could they consent to this collection and use of their information. Online advertisers are in this wonderful position where the consumer never really “gets” to them; the consumer only sees the advertisements that are served.

So is the takeaway that any company besides Epic can use “browser sniffing” as long as its use is disclosed in its privacy policy (which consumers would not even know existed) and followed by that company?  The FTC is certainly not taking a contrary position.


Podcast: An Overview of P2P Data Breaches

John R. Gotaskie, Partner in Fox Rothschild's Litigation Practice and editor of the firm's Franchise Law Update blog, recently published a podcast discussing the growing concern over data breaches involving peer-to-peer networks. Using the recent example of Franklin Toyota, a Georgia car dealership that was hit with a breach, as his backdrop, John discusses how companies can steer clear of running afoul of the law and comply with federal regulations.

Click here to listen to the podcast. If you prefer to download the transcript, click here.

For additional material on the subject, please see John's article "User Beware: Data Breaches Involving Peer-to-Peer Networks May Result in FTC Enforcement Action" from the Banking & Financial Services Policy Report, and visit our practice's page.


Hacking and Reading Someone's Online Email Just Got Easier in South Carolina

Earlier this week the South Carolina Supreme Court ruled that accessing another person’s online (personal) email is not a violation of the federal Stored Communications Act (the Act and the Wikipedia summary). This holding is in direct opposition to what the Ninth Circuit Court of Appeals held in 2004 in Theofel v. Farey-Jones.

At the outset you should keep in mind that this is a civil case, which differs from a criminal case. In this post we are looking at solely the Stored Communications Act (“SCA”), and a limited aspect thereof.

Facts of This Case

The facts of this case, Jennings v. Jennings (PDF link) are actually pretty surprising, considering the outcome. A wife suspected that her husband was carrying on an affair. The daughter-in-law, with more free time than common sense, could not resist inserting herself into the situation and accessed the husband’s Yahoo! account by guessing his secret questions. Soon thereafter emails between the husband and the girlfriend were found and became what divorce attorneys refer to as “leverage.”


Website Operators With U.K. Directed Websites or Web Pages Now Subject to "Cookie Law"

In its continuing efforts to give the State of California a run for its money when it comes to privacy rights, the United Kingdom’s “cookie law” is now in effect. Websites for European companies with European visitors, or non-European companies that are directed at European users, must now inform users of any tracking technology used on the website, and the purpose of the use of that tracking technology.

The Law

The new law is part of the European Union's "e-Privacy" Directive. Implementation of the e-Privacy Directive requires that each member state incorporate the e-Privacy Directive into its own law in 2011. The United Kingdom accomplished the foregoing by creating the amended Privacy and Electronic Communication Regulations (PECR) Act 2011, which became effective on May 26, 2011. The disclosure of the use of user tracking technology is only one element of PECR.

Types of Tracking Technology

The use of cookies on a website is only one practice covered by the cookie law. Uses of advertising tracking and analytics, for example, are covered practices.

Affected Businesses

If you have only a U.S.-based web site, with no web page directed explicitly at the United Kingdom, then the cookie law should not affect you. However, if you have a website or web page directed specifically to residents of the United Kingdom, you almost certainly are subject to the cookie law.

Opt-Out or Opt-In

Good question. Originally the cookie law was interpreted to mean that a user must explicitly opt-in to the tracking technology. However, just before the cookie law went into effect the Information Commissioner's Office (“ICO”), the United Kingdom’s data protection agency, updated its guidance to say that “implied consent” was acceptable, and that continued use of the subject website would meet the consent requirement.

Compliance Deadline

The cookie law is currently in effect, but it is no secret that many, many organizations are not currently in compliance. Those websites that are in compliance with the cookie law will present users with a dialogue similar to this:



Mobile Applications

Just to keep things interesting, the cookie law applies to mobile applications as well. Because mobile applications have just as many, if not more, opportunities for user tracking, and because that user tracking is not always obvious, it has already been made clear that the ICO will pay particular attention to mobile application compliance.

Penalties


The ICO has the authority to fine non-compliant organizations up to $780,000 (or 500,000 pounds) for not complying with the cookie law. Fortunately, the ICO is not going to be in a big rush to penalize non-compliant organizations and, instead, is focusing on educating companies regarding compliance requirements.

Vernick on Cyber Security in the Huffington Post

The FBI reports that cyberattacks could overtake terrorism as the major threat to the country. According to the Department of Homeland Security, between October 2011 and February 2012, there were 86 reported attacks on U.S. computer systems that control critical infrastructure, factories and databases, compared with 11 over the same period a year ago.

Now more than ever, the focus should be on securing and insulating our nation's computer and Internet infrastructure from both internal and external attacks. The first step in anticipating large-scale cyberattacks is to start thinking of them more like the proverbial disaster waiting to happen -- not a question of if, but when. Planning requires going beyond the limitations of current thinking and considering worst case scenarios.

To keep reading my full article visit “The Internet Privacy Debate Misses the Point,” published April 23 by the Huffington Post.

An Example of the Right Way to Handle a Data Breach: Motorola Xoom

You may have read that Motorola announced on February 3rd that it inadvertently sold around 100 refurbished Motorola Xoom tablets through Woot.com without putting the tablets through the typical process of doing a factory reset and wiping any personal data that may have been left by the original owner(s).  Specifically, there were approximately 6,200 tablets sold between October and December 2011, of which 100 tablets were affected.

The announcement was interesting in and of itself because it highlighted the notification obligation that arose even though Motorola (likely) had no actual knowledge that refurbished tablets went out that actually contained data.  Apparently, Motorola only knew that there was a breakdown in its internal processes and some 100 tablets were not wiped, possibly resulting in the resale of some tablets with data not erased by a customer prior to returning the tablet.

Purchasers of the 6,200 tablets through Woot.com were notified by email to go to a Motorola web site and type in the serial number (or some similar identifier), at which point you would be told if your tablet was affected.  If your tablet was affected, Motorola asked that you agree to part with your tablet for four to five business days so that it could be factory wiped.

As it turns out, I owned one of the 100 tablets affected.  I never win anything, except the Affected Xoom Tablet Lottery.  A day or so later a package with easy-to-follow instructions, very protective packaging and a prepaid envelope arrived at my work.  In went the tablet, out went the package.  On the fourth business day the tablet was returned in working order with a thank you and restore instructions.

And an American Express gift card for $100!!!

Did I have to return the tablet for a factory wipe?  No.  Was it a burden for me to return the tablet?  Hardly.  Was I impressed by Motorola giving me a gift card?  Damn right I was, and that is my point.  

As someone that deals with data breaches, and clients that have to make tough decisions regarding data breaches, on an almost daily basis, this situation struck me.  Motorola did the right thing, went above and beyond what was required, and solidified good will with me.  I was not even the party with the affected data.  I was just the guy that got the great deal on Woot.com for a refurbished tablet.

That Droid Bionic MAXX suddenly is even more appealing to me.  Motorola is suddenly more appealing to me (not that I had any particular problem with them before).

It is possible that Woot.com gave me the gift card, and for that reason my patronage to Woot.com also has been strengthened.  This is a great example of partners working together to deal with data breach situations.  Making the best of a difficult situation, and earning some good will along the way.

Kudos to Motorola and Woot.com for their handling of this situation. 

Data Breach Potentially Affects Up to 100,000 Students, 3,000 Employees

The San Francisco Chronicle reported yesterday that officials at the City College of San Francisco discovered a few days after Thanksgiving 2010 that certain computers of the college had been infested with active malware for more than a decade.  Up to 100,000 students and 3,000 employees could be affected, and that number may rise based on further, ongoing investigation.

The problem was detected when the college's data security monitoring service discovered very high traffic and alerted the college.  Initially thought to be limited to one computer lab (Cloud Hall at the Phelan Avenue campus), further investigation revealed that the problem was more widespread.  The San Francisco Chronicle's article reported:

Each night at about 10 p.m., at least seven viruses begin trolling the college networks and transmitting data to sites in Russia, China and at least eight other countries, including Iran and the United States, Hotchkiss and his team discovered. Servers and desktops have been infected across the college district's administrative, instructional and wireless networks. It's likely that personal computers belonging to anyone who used a flash drive during the past decade to carry information home were also affected.

Investigation continues to determine which other computer networks at the college may have been infected, such as accounting, admissions and/or payroll systems.  Apparently, 17 different computer systems are presently being analyzed.  The college's server with medical information appears to be unaffected, although it is unclear whether any other system may also contain medical information (such as the admissions system).

The good news, besides that the college notified those potentially affected in what most would agree was a prompt timeframe, is that there are no known cases of identity theft originating from this extremely lengthy data breach.

Personal Information Data Breaches - Not if, but When?

By Elizabeth Litten

The widely publicized pre-Christmas breach of confidential data held by Stratfor Global Intelligence Service (“Stratfor”), a company specializing in data security, reminded me that very little (if any) electronic information is truly secure. If Stratfor’s data can be hacked into, and the health information of nearly 5 million military health plan (TRICARE) members maintained by multi-billion dollar Department of Defense contractor Science Applications International Corporation (SAIC) (the subject of a five-part series of blog postings found on Fox Rothschild’s HIPAA, HITECH and HIT Blog: Parts 1, 2, 3, 4 and 5) can be accessed, can we trust that any electronically transmitted or stored information is really safe?

I had the pleasure of having lunch yesterday with my friend Al, an IT guru who has worked in hospitals for years. Al understands and appreciates the need for privacy and security of information, and has the technological expertise to know where and how data can be hacked into or leaked out. Perhaps not surprisingly, Al does not do his banking on-line, and tries to avoid making on-line credit card purchases.

Al and I discussed the proliferation of the use of iPhones and other mobile technology by physicians and staff in hospitals and other settings, a topic recently discussed in a newsletter published by the American Medical Association. Quick access to a patient’s electronic health record (EHR) is convenient and may even be life-saving in some circumstances, but use of these mobile devices creates additional portals for access to personal information that should be protected and secured. Encryption technology and, perhaps most significantly, use of this technology, barely keep pace with the exponential rate at which we are creating and/or transmitting data electronically.

On the other hand, trying to reverse the exponential growth of electronic communications and transactions would be futile and probably counter-productive. The horse is out of the gate, and expecting it to stop mid-stride and retreat back with a false-start call is irrational. The horse will race ahead just as surely as my daughter will text and check her Facebook page, my son will recharge his iPad, and I will turn around and head back to my office if I forget my iPhone. We want and need technology, but seem to forget or fail to fully understand the vast, unprotected and ever-expanding universe into which we send information when we use this technology. 

If we expect breaches or, at least, question our assumptions that personal information will be protected, perhaps we will get better at discerning how and when we disclose our personal information. An in-person conversation or transaction (for example, when Al goes to his bank in person or when a physician speaks directly to another physician about a patient’s care) is less likely to be accessed and used inappropriately than an electronic one. We can better assess the risks and benefits of communicating information electronically when we appreciate the security frailties inherent in electronic communication and storage. 

Perhaps Congress should take the lead in enacting laws that will help protect against data breaches that could compromise “critical infrastructure systems” (as proposed in the “PRECISE Act” introduced by Rep. Daniel E. Lungren (R-CA)), but more comprehensive, potentially expensive, and/or use-impeding cybersecurity laws might have the effect of tripping the racehorse mid-lap rather than controlling its pace or keeping it safely on course.

2011 Data Breach Summary

Smart Money just ran a story about the top five data breaches of 2011.  While I do not necessarily agree that these are the top five (students, students, NYC hospital patients, not to mention the Stratfor breach), the takeaway is interesting: none of them have the same source for the breach:

1.  Epsilon.  What more needs to be said to keep contract attorneys up at night than "Epsilon"?  This data breach involved a third party losing data about its customers' customers.  Stated another way, the owner of the information did nothing wrong...other than hiring a contractor that mishandled information.  Does indemnification mean more to you now?  The takeaway from this breach: come clean, come clean, come clean.

2.  Sony.  Massive breach of the online gaming network.  Lots of data lost, lots of downtime for pasty, sun-averse gamers.  Hackers targeting the network to blame.  The takeaway from this breach: do not handle it the way Sony handled it.

3.  Tricare.  Science Applications International Corp. (SAIC) has data backup tapes stolen from a car.  SAIC is a defense contractor for the military.  Approximately 4.9 million veterans affected.  Hackers targeting lax security to blame.  The takeaway from this breach: don't leave the data tapes in the car (come on, people!).

4.  Sutter.  A simple stolen desktop computer containing information about possibly 3.3 million patients goes missing.  The takeaway from this breach: encrypt!  Chances are they had zero intention of stealing the actual information, but you can be sure it was still a breach notification scenario.

5.  Texas Comptroller.  This is number three in my book.  Personal information of 3.5 million people left publicly available for over one year.  Information about persons required to hand over that information, not information voluntarily handed over.  Total disaster.  Anyone could have found this information, given its availability.  The takeaway from this breach: hire IT staff that is security conscious and, more importantly, give those people the budget to do their jobs.

BONUS: not a data breach, but a significant ruling this year.  Corporations have no right to privacy.  This Supreme Court ruling impacts corporate decisions on so many levels...or it should.

Happy New Year to our readers.

FTC Settles With Facebook, Agrees to Whopping 20-Year Consent Order

According to a press release issued yesterday, November 29, 2011, by the Federal Trade Commission, Facebook settled charges that Facebook “deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.”

The complaint (PDF link) lists a litany of bad practices by Facebook. One allegation that stands out, largely because of the media firestorm that it created at the time, was Facebook’s change in privacy settings to users’ accounts in December 2009. The foregoing settings change was, in the FTC’s opinion, particularly egregious because Facebook undertook the changes without any notice or consent from users.

Another allegation that stands out, again both because of the media firestorm and the falsehood, was Facebook’s assertion that information from deactivated user accounts would not be accessible.

And what grueling punishment must Facebook endure for its privacy-related bad acts? According to Jon Leibowitz, Chairman of the FTC, "Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users." Rough justice.

In all seriousness, there is some substance to the settlement. Facebook must not make any further deceptive privacy claims. Facebook must also get consumers' approval before it changes the way it shares their data. Finally, Facebook must obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.

Frankly, the foregoing requirements on Facebook are all steps that a company like Facebook, if not substantially all companies handling consumer personal information, should be undertaking.

Specifically, under the proposed settlement, Facebook is:

  • barred from making misrepresentations about the privacy or security of consumers' personal information;
  • required to obtain consumers' affirmative express consent before enacting changes that override their privacy preferences;
  • required to prevent anyone from accessing a user's material more than 30 days after the user has deleted his or her account;
  • required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers' information; and
  • required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers' information is protected.

The proposed order also contains standard record-keeping provisions to allow the FTC to monitor compliance with its order.

The proposed settlement is not yet final. The proposed settlement will be open to public comment for thirty days, ending on December 30, 2011. The terms of the proposed settlement will be published in the Federal Register shortly. After the close of the comment period, the FTC will decide whether to make the proposed consent order final.

Interested in submitting your comments to the FTC? According to the press release: Interested parties can submit comments online or in paper form by following the instructions in the "Invitation To Comment" part of the "Supplementary Information" section. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.