On February 4, 2013, the California Supreme Court held that Apple Inc. is permitted to request a customer's address and telephone number in connection with an online purchase. The Supreme Court reversed the trial court's decision and found that the Song-Beverly Credit Card Act does not apply to online transactions. The Supreme Court stated that "[t]he safeguards against fraud that are provided in [the act] are not available to the online retailer selling an eletronically downloadable product. Unlike a brick-and-mortar retailer, an online retailer cannot visually inspect the credit card, the signature on the back of the card or the customer's photo identification." The case is Apple Inc. v. The Superior Court of Los Angeles County, Case No. S199348. Attached is a copy of the Court's opinion.
[This blog posting was previously posted on the HIPAA, HITECH and Health Information blog.]
The recent release of the HIPAA/HITECH “mega rule” or “omnibus rule” has given bloggers and lawyers like us plenty of topics for analysis and debate, as well as some tools with which to prod covered entities, business associates and subcontractors to put HIPAA/HITECH-compliant Business Associate Agreements (“BAAs”) in place. It’s also a reminder to read BAAs that are already in place, and to make sure the provisions accurately describe how and why protected health information (“PHI”) is to be created, received, maintained, and/or transmitted.
If you are an entity that participates in the Medicare Shared Savings Program as a Medicare Accountable Care Organization (“ACO”), your ability to access patient data from Medicare depends on your having signed the CMS Data Use Agreement (the “Data Use Agreement”). Just as covered entities, business associates, and subcontractors should read and fully understand their BAAs, Medicare ACOs should make sure they are aware of several Data Use Agreement provisions that are more stringent than provisions typically included in a BAA and that may come as a surprise. Here are ten provisions from the Data Use Agreement worth reviewing, whether you are a Medicare ACO or any other business associate or subcontractor, as these may very well resurface in some form in the “Super BAA” of the future:
1. CMS (the covered entity) retains ownership rights in the patient data furnished to the ACO.
2. The ACO may only use the patient data for the purposes enumerated in the Data Use Agreement.
3. The ACO may not grant access to the patient data except as authorized by CMS.
4. The ACO agrees that, within the ACO and its agents, access to patient data will be limited to the minimum amount of data and minimum number of individuals necessary to achieve the stated purposes.
5. The ACO will only retain the patient data (and any derivative data) for one year or until 30 days after the purpose specified in the Data Use Agreement is completed, whichever is earlier, and the ACO must destroy the data and send written certification of the destruction to CMS within 30 days.
6. The ACO must establish administrative, technical, and physical safeguards that meet or exceed standards established by the Office of Management and Budget and the National Institute of Standards and Technology.
7. The ACO acknowledges that it is prohibited from using unsecured telecommunications, including the Internet, to transmit individually identifiable, bidder identifiable or deducible information derived from the patient files.
8. The ACO agrees not to disclose any information derived from the patient data, even if the information does not include direct identifiers, if the information can, by itself or in combination with other data, be used to deduce an individual’s identity.
9. The ACO agrees to abide by CMS’s cell size suppression policy (which stipulates that no cell of 10 or less may be displayed).
And last, but certainly not least:
10. The ACO agrees to report to CMS any breach of personally identifiable information from the CMS data file(s), loss of these data, or disclosure to an unauthorized person by telephone or email within one hour.
While the undertakings of a Medicare ACO and the terminology in the Data Use Agreement for protection of patient data may differ from those of covered entities, business associates and subcontractors and their BAAs under the HIPAA/HITECH regulations, they have many striking similarities and purposes.
The FBI reports that cyberattacks could overtake terrorism as the major threat to the country. According to the Department of Homeland Security, between October 2011 and February 2012, there were 86 reported attacks on U.S. computer systems that control critical infrastructure, factories and databases, compared with 11 over the same period a year ago.
Now more than ever, the focus should be on securing and insulating our nation's computer and Internet infrastructure from both internal and external attacks. The first step in anticipating large-scale cyberattacks is to start thinking of them more like the proverbial disaster waiting to happen -- not a question of if, but when. Planning requires going beyond the limitations of current thinking and considering worst case scenarios.
To keep reading my full article visit “The Internet Privacy Debate Misses the Point,” published April 23 by the Huffington Post.
The Computer Crime and Intellectual Property Section of the U.S. Department of Justice compiled a summary in August 2010 of the retention periods of major cellular service providers of data transmitted to and from users' mobile devices. The report is here. (PDF link) The American Civil Liberties Union (ACLU) obtained a copy of the foregoing report through a Freedom of Information Act (FOIA) request. The contents of the report are interesting, to say the least.
As reported by Cory Doctorow on the terrific Boing Boing in this article, and by David Kravets of Wired.com in this article titled "Which Telecoms Store Your Data the Longest? Secret Memo Tells All," it is unclear which major cellular carrier treats our usage data with the most respect. On the one hand, Verizon stores text message details (just the transmission receipt details, such as recipient and time) only one year, compared to as long as 5-7 years for post-paid subscribers of AT&T. On the other hand, AT&T, Sprint and T-Mobile store none of the contents of text messages, whereas Verizon stores that information for 3-5 days. The IP Session information may be the most interesting, because of the additional information that can be gleaned from the raw data, the question of why it is stored (billing disputes?) and the disparity in length of storage. One of the excellent infographics posted on Wired's web site is posted here, but a full Wired article is a must read.
Besides this information being eye opening on a personal level, it can be crucial evidence in the case of a corporate data breach. While we all hope that law enforcement will use all tools available to it when investigating a corporate crime, knowing the tight time constraints under which businesses investigating a potential crime is crucial. To be clear, I am referring to use of these tools as an option for ethical investigations into criminal activity through law enforcement. These are not tools to assist a company in sacking an employee that is surfing the web on her mobile phone while on the clock. In any event, these time frames should be considered when investigating a suspected data breach.
If you are getting that "eye in the sky is watching me" feeling, I will be sure not to mention the warrantless GPS and triangulation tracking capabilities of the major mobile carriers available to law enforcement.
Over the last two years more and more clients have requested that we assist them with moving some or all of their business services to the "cloud." Some of these clients want to use a service that would result in sensitive information being stored on the servers of a third party service provider, such as web-based email, Salesforce.com, Google Docs. As much as each of these businesses have heavily debated the pros and cons of moving to the cloud, rarely do they consider where the cloud is physically located.
Financial and health industries have always had a focus on thinking through where their protected data was located. There is a sophisticated legal framework dealing with prohibitions on the storage of sensitive data on foreign soil, such as financial, import-export or healthcare rules and regulations. For example, a well thought-out online services agreement for a financial institution should have a strict prohibition on storage of data in certain countries or a country other than where the financial institution is located.
However, businesses do not always consider that the information that is stored in a cloud-based service may be physically located on servers not situated in the United States. Having your business information located in a foreign country can easily (very, very easily) lead to loss, unauthorized private and governmental access and the tripping of the myriad of existing laws, rules and regulations.
The Software Advice Blog has a recent blog post that highlights some of the considerations that a business should undertake when considering the storage of data in a cloud-based service. Because the decision making process for each business is unique, no blog post is going to give you all of the answers. But the examples here and in the entry on Software Advice do give you some idea of what your business should be considering.
A final note is that the physical location of cloud-based servers is relevant at all times, not just when you have offices, employees or services based in other countries. You may know that you are dealing with a company based in your home country, but you should not assume that the servers used by that company are also based in your home country.
Since early versions of web browsers, users have had the option to disable cookies, but most users find that the option to be asked whether to accept a cookie is annoying and cumbersome, and the option to completely disable cookies removes the functionality of many popular web sites.
But new technologies that have emerged and, appear to be emerging, are renewing the debate.Continue Reading...
A study commissioned by Microsoft Corp. and RSA, the Security Division of EMC, alleges that companies place too much focus on securing personal data such as customer, medical and financial information versus corporate data (trade secrets and other proprietary information). According to the report, this can cause irreparable damage to a company's competitive edge. The report offers recommendations for companies to consider in connection with their data security programs.
The lessons to be learned from data breaches are often numerous and not always apparent on the surface. The most recent example is the RockYou.com hack that occurred in December. And what a hack that was.
Briefly, when RockYou.com was hacked into, the hackers walked away with 32 million usernames and the corresponding passwords. While the number of usernames and passwords (and let’s be honest, the number of users of this service) is a shockingly high number, the unforgivable transgression is that RockYou.com apparently stored these usernames and passwords in plain text format. In other words, while industry standards dictate, and competent legal advisors and IT consultants strongly recommend, that all personally identifiable information be stored in an encrypted format, RockYou.com apparently stored the usernames and passwords in a format as readable as this blog entry. Yeah, seriously.
But while the media is focusing on the revelation of what passwords are most commonly used by users, the less obvious takeaway may be the most interesting. Starting with the premises that people are people, people use blatantly obvious passwords, and people create the passwords for your business computers and networks, it is not hard to reach the conclusion that there are also many businesses out there that are one simple password away from a data breach featured in the Wall Street Journal, like Heartland was featured.Continue Reading...
Next week, at a meeting of the Payments Processing Information Sharing Council, an organization created to share information about threats, risk mitigation and fraud, Robert O. Carr, chairman and chief executive of Heartland Payments Systems Inc., will discuss the company's recent widely reported data breach. The Payments Processing Information Sharing Council is an offshoot of the Financial Services Information Sharing and Analysis Center, a trade group that assists businesses and government agencies share information about data security issues, including network intrusions. A spokesperson for Heartland stated that the "new organization grew out of Bob Carr's feeling that payment processors needed a forum to share information on breaches like the kind that we experienced. Heartland should be able to share information with others in our industry so that an international cyber thief can't use the same malicious software to penetrate another processor."