Privacy & Security Matters

Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

New Hampshire Establishes Privacy Protections for Student Online Personal Information

Posted in Children, Data Compliance & Security, Privacy Regulation, Security

California again has provided a model of privacy legislation for other states to follow.  New Hampshire Governor Maggie Hassan recently signed into law House Bill 520 (the “Bill”), a bipartisan effort to establish guidelines for the protection of student online personal information.

Who is covered by the Bill?

Modeled after California’s Student Online Personal Information Protection Act (SOPIPA), the Bill applies to operators of Internet websites, online services (including cloud computing services), and mobile applications with actual knowledge that their website, service or application is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes (“Operators”). Like SOPIPA, the Bill imposes certain obligations and restrictions on Operators with respect to the collection, use, storage and destruction of student personal information and becomes effective on January 1, 2016. We discuss SOPIPA in more detail here and provide recommendations for preparing to comply with the SOPIPA requirements.

The Bill does not apply to general audience websites, online services, and mobile applications, even if login credentials created for a covered site, service, or application may be used to access the general audience sites, services, or applications. The Bill also makes it clear that it is not intended to:

  • limit Internet service providers from providing Internet connectivity to schools or students and their families;
  • prohibit operators of websites, online services, or mobile applications from marketing educational products directly to parents, so long as the marketing did not result from the use of “Covered Information” under the Bill;
  • impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with the Bill on those applications or software;
  • impose a duty upon a provider of an interactive computer service, as defined in 47 U.S.C. section 230, to review or enforce compliance with the Bill by third-party content providers; or
  • impede the ability of students to download, export, or otherwise save or maintain their own student created data or documents.

What information is covered by the Bill?

The Bill defines “Covered Information” very broadly to include personally identifiable information or materials, in any media or format, created or provided to an Operator by either a student (or his/her parent or guardian) while using the Operator’s site, service, or application or by an employee or agent of the K-12 school, school district, local education agency, or county office of education, as well as information gathered by the Operator that is related to the student, such as information that is “descriptive of a student or otherwise identifies a student, including, but not limited to, information in the student’s educational record or email, first and last name, home address, date of birth, telephone number, unique pupil identifier, social security number, financial or insurance account numbers, email address, other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, other student identifiers, search activity, photos, voice recordings, or geo-location information.”

What do you have to do to comply with the Bill?
Avoid the following prohibited activities:

  • Using any information (including persistent identifiers) created or collected through your site, service, or application to create a profile about a K-12 student;
  • Engaging in targeted advertising (either on your site, service, or application or any other site, service, or application) when the targeting is based on any information (including covered information and persistent identifiers) that you have acquired as a result of the use of your site, service, or application;
  • Selling, leasing, renting, trading, or otherwise making available a student’s information (including covered information), except in connection with a sale of your business provided that the buyer continues to be bound by this restriction with respect to previously acquired student information; or
  • Disclosing protected information, except where the disclosure is mandated to “respond to or participate in judicial process”.

Implement and maintain the following security and deletion requirements:

  • reasonable security procedures and practices (appropriate to the nature of the Covered Information) to protect Covered Information from unauthorized access, destruction, use, modification, or disclosure, and
  • delete covered information if the school or district requests deletion of data under the control of the school or district.

What can you do with Covered Information?

Although, as discussed above, there are many restrictions on the use of Covered Information, Operators are permitted to:

  • Use de-identified Covered Information within their sites, service, or application (or other sites, services, or applications owned by the Operator) to improve educational products and to demonstrate the effectiveness of their products or services (including in their marketing), and
  • Share aggregated de-identified Covered Information for the development and improvement of educational sites, services, or applications.

Although the effective date is January 1, 2016, if you are an “Operator” under the Bill, this is the time to begin thinking about what kind of changes you may need to make in your processes and procedures and to put in place an implementation plan to be compliant with the Bill by its effective date.

Connecticut Amends Data Breach Notification Law

Posted in Data Breach, Data Breach Notification, Identity Theft, Privacy Regulation

In the absence of any meaningful moves in Congress to enact uniform data breach notification, the states continue to make adjustments to existing laws to better protect affected residents in their states.

Privacy Monday – June 15, 2015 – OPM Hack

Posted in Cybersecurity, Data Breach, Privacy Monday

The news continues to pour in about the two-part massive hack into the federal government’s Office of Personnel Management (OPM) and the compromise of personal information of millions of present and former federal employees.

Today’s Privacy Monday has 3 things you should know about the incident.

Save the Date: June 24, 2015 — All You Need to Know About Risk Assessments

Posted in Cybersecurity, Events and Webinars, HIPAA/HITECH, Security

Register now for our June Wednesday Webinar. This webinar, the sixth in our Privacy series, will address risk assessment best practices and data breach readiness. A risk assessment is the foundational step in the development of a comprehensive privacy and security program for your company. It is also a regulatory requirement under HIPAA and some state laws. Join us for a roundtable discussion with a group of privacy and security professionals, moderated by Mintz Levin’s Cynthia Larose, on risk assessment best practices and data breach readiness.

You can’t manage the risk if you do not know what it is — a risk assessment is the first step towards effective — and proactive — risk management.

Registration is open here. Hope you will join us!

UPDATE: Union Claims that Hackers Have Accessed Personal Data of “All” Federal Employees

Posted in Cybersecurity

As an update to our blog post, “Data Breach Affects Millions of Current and Former Government Workers”, a union representing federal workers is now claiming that the hack may be worse than originally feared.  Yesterday, the president of the American Federation of Government Employees said his organization now believes hackers stole the personal data — including Social Security numbers — of every single federal worker.  In a letter to Katherine Archuleta, the director of the Office of Personnel Management, obtained by the Associated Press, union head David Cox wrote:

We believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to 1 million federal employees.

The agency has not yet responded, and the Cox letter does not provide evidence or other information to support the claim of expanded reach.

Controls Coming for Intrusion & Network Surveillance Tools

Posted in Cybersecurity, Uncategorized

The Commerce Department’s export control agency, BIS, has proposed a new rule to control exports of equipment and software designed or modified to perform network intrusion and internet protocol communications surveillance.  The proposed controls also cover technology used to develop intrusion software or network communications surveillance systems.

“Intrusion software” is defined to include software specially designed or modified to defeat protective countermeasures and monitoring tools that have the ability to extract or modify information on the target device or enable the execution of externally provided instructions.

As drafted, the proposed rule would cover equipment and software designed to perform penetration testing of networks to determine vulnerabilities of computers and network connected devices by the owners of the networks or their security contractors.  The rule would impose a license requirement on all exports, except those to Canada.

Some of the items designated in the proposed rule may already require licenses for export under existing export regulation governing encryption, but the new rule is focused directly on the cybersecurity threat such technologies pose.

Another part of the proposed rule restricts export of network traffic analysis systems.  Systems that intercept and analyze internet traffic to produce personal, human and social information for the communications stream also could not be exported anywhere (except Canada) without a license.

Parties interested in commenting on this proposed rule may do so at the www.regulations.gov website, under Docket No. BIS-2015-0011.   The comment period closes July 20, 2015.

Data Breach Affects Millions of Current and Former Government Workers

Posted in Class Action Litigation, Data Breach, Data Compliance & Security, Employee Privacy, Identity Theft, Privacy Litigation, Security

The U.S. Office of Personnel Management (OPM) announced that hackers have stolen the personal information of approximately 4 million current and former federal employees, including names, birthdates and social security numbers. OPM serves as the human resources department – and holds employee records – for the entire federal government, ranging from security clearances to the identities of covert CIA agents. Every federal agency is potentially affected by this breach. Notifications to affected employees will begin going out on Monday, June 8th, via email or US mail. OPM will provide credit monitoring, identity theft insurance and recovery services for 18 months to affected individuals.

OPM is working with the Department of Homeland Security’s Computer Emergency Readiness Team – CERT – and the FBI to assess the full extent of the breach.  Early reports suggest that the breach originated in China.

Compounding the pain for OPM and the affected individuals is the revelation in OPM’s website notice that the agency recently implemented an “aggressive effort” to update its network security. Unfortunately, this effort only revealed the hack, but was not implemented in time to prevent it.

OPM’s breach follows a highly publicized IRS data breach, in which hackers accessed the personal information of 100,000 taxpayers and used it to file false refund requests.  In 2014 alone, the US Postal Service, White House, National Weather Service and US Department of State were all victims of cyber-attacks, some of them suspected of originating in China.

As of now, federal data breach numbers pale in comparison to private sector breaches, but it will be interesting to see if these incidents create a credibility problem for federal regulators, who can’t seem to keep their own systems secure.  According to Mark Robinson, a former federal prosecutor and cyber defense litigator at Mintz Levin:

At a minimum, the government’s own inability to keep its cyber security house in order will be used defensively by private-company breach victims as a glowing example of how easily hackers can get into even the most fortified government-controlled computer systems.

It will also be interesting to see if this breach results in private litigation on behalf of affected employees, particularly those whose safety and ability to do their jobs depends on the secrecy of their identities.  According to Kevin McGinty, Mintz Levin privacy class action litigator:

As day follows night, class actions typically follow data breaches.  Here, most OPM employees would have a difficult time alleging any injury sufficient to confer standing to sue.  The most plausible harm that could flow from this data breach, identity theft, is addressed by the services already being offered by OPM.  Unless a would-be litigant could allege some additional and imminent risk of harm that would not be covered by the services that OPM is offering, a private lawsuit would be likely to face dismissal for lack of standing.

We will have more on this story as it evolves.

Home Depot Moves to Dismiss Consumer Data Breach Claims for Lack of Standing

Posted in Class Action Litigation, Data Breach, Privacy Litigation

Home Depot has staked its defense of consumer claims arising from the 2014 theft of payment card data from the home improvement retailer on the asserted absence of injuries sufficient to confer standing to sue. Because consumers rarely sustain out-of-pocket losses when their payment card numbers are stolen, lack of standing is typically the primary ground for seeking dismissal of consumer data breach claims. While many courts have been receptive to arguments seeking dismissal of consumer data breach claims for lack of standing, decisions in recent cases – including, most significantly, the Target data breach case – have found that non-pecuniary harms constitute sufficient injury to confer standing. The survival of the consumer claims will depend on which line of precedent the Home Depot court follows.

Privacy Monday – June 1, 2015 – Courts Affirm Insurers’ Denial of Coverage for Electronic Data Claims

Posted in Cybersecurity, Insurance, Privacy Litigation, Privacy Monday

Happy June – the first day of meteorological summer!

In the last month, both a federal and a state court denied coverage for claims relating to an insured’s handling of electronic data. In the first case, a federal court held that there was no coverage under a cyber insurance policy for a claim alleging that the insured had intentionally refused to return electronic financial data. In the second, a state supreme court held that there was no coverage under a general liability policy for a claim alleging that the insured had lost computer tapes storing personal information. Both of these decisions illustrate the importance of the specific language contained in an insurance policy, as that language determines the scope and breadth of the coverage actually afforded under that policy.

REMINDER: Webinar – The Long Reach of COPPA

Posted in Children, Events and Webinars, Online Advertising

If your company has an online presence — or provides marketing or advertising services — you should be registered for the fifth webinar in our 2015 Wednesday Privacy Webinar series: The Long Reach of COPPA. Recall the recent FTC settlement agreement with Yelp — clearly a site not targeted at children — that cost the online review company $450,000.

Register online here – NY and CA CLE credit is available.