Not only the last Monday in June, but the last day of June. There are quite a few privacy-related things taking effect tomorrow, July 1. Some reminders:
Florida Amendments to Data Breach Notification Law
The Florida Information Protection Act of 2014 (“FIPA”) takes effect tomorrow. The FIPA essentially repeals Florida’s existing data breach notification law and replaces it with one of the nation’s most extensive laws relating to data security and notification.
- The definition of “personal information” now includes “a user name or e-mail in combination with a password or security question and answer that would permit access to an online account.”
- Notice must be provided within 30 days of the incident.
- When a breach affects more than 500 Florida residents, notice must be provided to the Attorney General’s office (see more below).
- Relying on Florida’s “risk of harm” exception to avoid providing notice requires that the entity investigate the incident, consult with federal, state or local law enforcement, and report that determination to the AG within 30 days.
The Attorney General notice requirement differs in a material way from the other states that have a regulatory reporting requirement. The notice must contain information about “[a]ny services related to the breach to be offered or scheduled to be offered…” Although the AG is specifically required to be notified of credit monitoring or identity theft services to be offered, most notices to consumers contain all the information required by FIPA. Attention must be paid to the second requirement: Upon request, the entity must provide: (1) “a police report, incident report, or computer forensics report”; (2) “a copy of the policies in place regarding breaches”; and (3) “steps that have been taken to rectify the breach.” When launching into an investigation of a data breach, remember that attorney-client privilege is important when engaging with investigatory service providers who will create documentation such as “incident” reports or “computer forensics” reports.
Kentucky’s New Data Breach Notification Law
Kentucky became the 47th state to enact a data breach notification law. Consult the latest version of the Mintz Matrix for the details of the Kentucky law (and all the other July 1 effective amendments).
Canada’s Anti-Spam Law
Canada’s draconian anti-spam law (known as CASL) goes into force tomorrow. U.S. companies should have compliance programs in place and should have been carefully examining email lists to either obtain express consent or at least determine whether they could be subject to CASL. Fines of up to CAD$10 million can be imposed under CASL, and the Canadian Radio-Television and Telecommunications Commission has already announced its intention to enforce. Take it seriously.
Happy Canada Day (July 1) to our Canadian readers and Happy Independence Day (July 4) to our US readers!
Written by Adam Veness
New Jersey U.S. District Judge Esther Salas agreed to allow Wyndham Hotels and Resorts LLC to immediately appeal to the Third Circuit a ruling affirming the FTC’s authority to bring data security cases. We have been following this case since the beginning, and you can see our last post here.
Judge Salas noted that businesses and consumers nationwide would benefit from appellate review of the issues. In granting Wyndham’s motion for interlocutory review of her order refusing to dismiss the case, she certified to the Third Circuit the following two questions:
1) Whether the Federal Trade Commission can bring an unfairness claim involving data security under Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a); and
2) Whether the Federal Trade Commission must formally promulgate regulations before bringing its unfairness claim under Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a).
Finding that cellphones contain the “privacies of life”, the U.S. Supreme Court issued a broad endorsement of cell phone privacy, unanimously holding that law enforcement may not search digital information seized from an arrestee’s person without first obtaining a warrant. The high court was persuaded by the massive quantity of evidence, distinct types of information and pervasiveness of use of cell phones, as well as the private and sensitive nature of information phones hold, ranging from the financial and medical to the intimate. The court ruled in this way despite the undeniable impact it will have on law enforcement. This ruling is likely to have wide-ranging effects, including on tablets, laptops and potentially other technology.
Mintz Levin’s Bridget Rohde analyzes the landmark Riley v. U.S. decision in a piece for Law360. Read it here.
Written by Dianne J. Bourque (reprinted from Mintz Levin’s Health Law Policy Matters blog)
The most recent Office for Civil Rights (“OCR”) HIPAA enforcement action serves as an important reminder to health care providers of the security risks associated with a mishandled medical records custody transfer and the risks of leaving paper records in the driveway. The enforcement action and ensuing settlement – an $800,000 fine and corrective action plan – was levied against Parkview Health System, Inc., (“Parkview”) a provider of community-based health care services. In 2008, Parkview took custody of the paper medical records of 5,000 – 8,000 patients in connection with a physician’s retirement and in anticipation of purchasing some of the physician’s practice. In 2009, perhaps after the transaction fell through, although the Parkview Resolution Agreement does not specify, Parkview left 71 boxes of these medical records unattended in the driveway of the physician’s home, and, according to OCR, within 20 feet of a public road and a short distance from a heavily trafficked public shopping area.
Medical records custody transfers are extremely common in health care transactions such as asset purchases or sales, or when a health care provider is retiring or leaving a practice. Medical records custody agreements ensure that records are maintained for legally required time periods to facilitate ongoing patient care, payment, audit, and other purposes. Providers should take care to ensure that, in addition to retention and availability, custody arrangements ensure the ongoing security of medical records in any form. Paper records should be secured in accordance with HIPAA standards, for example, stored in a locked facility with physical safeguards consistent with HIPAA standards. Storage in a retiring physician’s driveway, abandoned office space, public storage facility, or other unsecured physical location is inconsistent with HIPAA standards. Records in electronic form must be protected in accordance with the HIPAA Security Rule.
Both the transferring and the recipient provider should carefully consider technical security measures, who will have electronic access to the records, and how that access will occur. Failure to address these important considerations risks not only a breach but aggressive enforcement by OCR.
Written by Matthew D. Levitt
Today, in Commonwealth v. Gelfgatt, No. SJC-11358 (Mass. June 25, 2014), a divided Massachusetts Supreme Judicial Court held that under certain circumstances, a court may compel a criminal defendant to provide the password to encrypted digital evidence seized by the government without violating either the Fifth Amendment or Article Twelve of the Massachusetts Declaration of Rights. This is an interesting development in an emerging issue in the law that has yet to percolate its way to the United States Supreme Court. Moreover, as critical case evidence continues its migration from the physical to the digital realm, it is an issue we can expect to encounter with growing frequency, and is all but certain to eventually require resolution by the Supreme Court.
The Massachusetts high court’s decision hinged on the so-called “foregone conclusion” exception to the Fifth Amendment privilege against self-incrimination, which provides that an “act of production” is not testimonial “where the facts conveyed already are known to the government, such that the individual ‘adds little or nothing to the sum total of the Government’s information.’” Because the defendant, during his postarrest interview, had admitted his ownership and control over the seized computers, his knowledge of their encrypted files, and his knowledge of the password, the Court concluded that compelling him to provide that password “is only telling the government what it already knows.” Providing the password under such circumstances therefore was held not to violate the defendant’s privilege against self-incrimination under either the federal or state constitutions.
In a forceful dissent, two Justices disagreed with the Court’s opinion, stating that the compelled decryption was tantamount to forced self-incrimination. Describing the potential sweep of the Court’s decision, the dissent stated as follows: “The court holds today that the defendant … may be ordered to enter decryption keys sequentially on each and every electronic device seized from his home, his home office, and his automobile, in order to provide law enforcement officers with unencrypted access to those devices.”
The true scope of the Court’s holding, however, may not become clear until trial courts begin applying it under various factual scenarios, and those applications are tested in the appeals courts. For now, all that is clear is that under certain circumstances, even industrial-strength encryption may not place digital files beyond the government’s reach.
DC Update from Politico Morning Tech
“DATA BREACH DRAFT DELAYED – The thorny issue of FTC enforcement has slowed efforts to release a draft of Rep. Lee Terry’s data breach bill, according to sources close to the process. Terry had hoped to release the draft he’s been working on with Democrats John Dingell and Peter Welch after a Friday briefing with staff aimed at ironing out some final sticking points, but didn’t get the consensus he’d hoped for. Republicans have historically balked at handing over too much control to the consumer protection agency, which is angling for more authority to combat the rising threat of data theft. Democrats have tended to side with the FTC on the matter, although some insist any power shift does not weaken state laws.”
More than a Wash and a Wax
This story caught my eye, since I just drove through a car wash yesterday, using my credit card. If you have also done that lately, you should check your credit card statements. Brian Krebs of Krebs on Security — the security blogger who broke the stories of the Target and Neiman Marcus data breaches — has done another fascinating inside look at an ongoing set of data breaches. Read Krebs’ latest here.
There are several important takeaways from this:
(1) If you are running point-of-sale (POS) software (and you need not be a “retailer” to be running such software), when is the last time that you updated it? Your POS is connected to the Internet and can be an open hole, exposing your customers’ credit card information the moment that card is swiped.
(2) How do you (or your vendors) access that POS? In the Krebs article, the POS software could be accessed using pcAnywhere – and old versions at that. We have worked on many breaches that exploited exactly this method of POS access, used either remotely by the store owner or for vendor support. That access is a “back door” that can also be easily hacked.
(3) Are you still running Windows XP? Time to upgrade. Really.
If you fail to take the proper actions to keep systems up-to-date, and you experience a data breach, you may find yourself without insurance coverage and a defendant in a lawsuit.
Written by Stephanie D. Willis and Dianne J. Bourque (republished from Mintz Levin’s Health Law Policy Matters blog)
Last week, the HHS Office of Civil Rights (OCR) released two reports required by the Health Information Technology for Economic and Clinical Health (HITECH) Act: (i) the Annual Report to Congress on Breaches of Unsecured Protected Information (Breach Report); and (ii) the Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance (Compliance Report). In reviewing the Breach and Compliance Reports, Chief Information Officers, compliance and privacy officers, and information security professionals in the health care field should note five key lessons:
1) Know Where Your Organization’s Protected Health Information (PHI) is Primarily Stored and Invest in the Right Protection
The statistics in both reports clearly show that most breaches still come from “older” sources of PHI, such as paper records, desktop computers, and network servers. The Breach Report states that 225 out of the 458 total reports of breaches (or 49%) affecting 500 or more individuals involved these PHI sources in 2011 and 2012. In fact, the largest breach occurring in the two-year period covered by the Breach Report involved a TRICARE contractor’s loss of back-up tapes that affected a total of approximately 4.9 million individuals.
In addition to updating and monitoring security protocols for older PHI sources, covered entities should address security problems with newer storage media. For instance, the Breach Report documents a large jump in the number of breaches involving laptop computers, with a corresponding increase in affected individuals, between 2011 and 2012: from 48 reports affecting 437,770 individuals in 2011 to 60 reports affecting 654,158 individuals in 2012. Because theft was the primary cause of breaches in 2009-2012, ensuring that laptops and other portable electronic devices are secured in accordance with standards acceptable under HIPAA will become even more important as organizations adopt more “bring your own device” policies to ensure the mobility and convenience of health care delivery.
Written by Julia Siripurapu, CIPP
Just a little over a month after settling charges of false promises of disappearing user messages (among other things) with the Federal Trade Commission (“FTC”), mobile app developer Snapchat, Inc. (“Snapchat” or “Company”) announced (blog post) that on June 12th the Company entered into an agreement with the Office of Maryland Attorney General Douglas Gansler to resolve similar claims of consumer deception as well as additional allegations of failure to comply with the Children’s Online Privacy Protection Act (“COPPA”) and its implementing rule (as amended, the “COPPA Rule”).
Join Mintz Levin’s Privacy & Security team for a data breach briefing in San Francisco on July 15th
Anticipating the Inevitable — What C-Suite Execs Say They Wish They Had Known Before the Data Went Missing
Medical, insurance, retail, financial services, education, hospitality, technology, and defense industries experience data losses on a daily basis through employee negligence, poor controls, insider attacks, and theft by outside interests. Our Privacy & Security Practice has developed guidance for companies in all of these industries to help them assess, prepare for, and respond to these data breach incidents.
In this hour-long event, members of our practice will discuss what they have learned from helping clients respond to these incidents, and what the executives of companies that have been the target of data breaches have said they should have done to better prepare for the inevitable day when their data went missing.
Registration here before July 11.