Privacy & Security Matters

Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

Will California Voters Move US to Opt-In?

Posted in Data Compliance & Security, Privacy Regulation

Written by Jake Romero

The California ballot measure process permits any California voter to propose a ballot initiative to the state’s Attorney General which, if enough signatures are gathered, will then appear on a state-wide ballot for approval at the next election.

A draft ballot initiative has been submitted to the California Attorney General that, if added to the ballot and approved by voters, would have a tremendous impact on the way in which business is conducted with respect to data associated with consumers. Referred to as the California Personal Privacy Initiative, the proposed ballot measure would add a new article to California’s Constitution titled “Right to Privacy in Personally Identifying Information.” The new article would make all personally identifiable information of consumers automatically confidential, and includes a presumption that a person has been harmed if his or her information has been disclosed without his or her authorization.

If there is cause for alarm, it is that the California Personal Privacy Initiative is being proposed as a ballot initiative.  Californians love ballot measures the same way that film director Michael Bay loves explosions; there can never be too many, and they can solve any problem.  If passed by California’s voters, the proposed article would become effective on January 1, 2016 without debate or amendment by the legislature, meaning that businesses will be forced to either change their data sharing practices, or obtain the consent of all of their current users.  In either case, the cost of doing business could potentially increase materially in the short run.

The proposed article defines “personally identifiable information” broadly to include “any information which can be used to distinguish or trace a natural person’s identity” either on its own or when combined with other information (excluding publicly available information that is lawfully made available to the public through governmental records). While the proposed article does include an exception, it is narrow, requiring a countervailing compelling interest where no reasonable alternative is available.

In other words, if passed, the ballot initiative would create an opt-in requirement for California consumer information sharing that is beyond the requirements of any other state.  By default, businesses and governmental entities would be required to first obtain consent prior to sharing personally identifiable information with any other party, including routine service providers.

FTC v. Wyndham: Wyndham Calls for Back-Up

Posted in Data Breach Notification, Federal Trade Commission, Privacy Litigation, Privacy Regulation

Written by Adam Veness

It appears that Wyndham Hotels & Resorts LLC (“Wyndham”) has received reinforcements in its defense against the Federal Trade Commission’s (the “FTC”) case. A federal judge has agreed to allow the U.S. Chamber of Commerce and several other organizations to file an amicus curiae brief in support of dismissing the FTC’s case against Wyndham. Since our last post about this case, Wyndham successfully had the case transferred from an Arizona federal court to a New Jersey federal court, and has requested oral arguments for its Motion to Dismiss filed last year.

In their brief, the U.S. Chamber of Commerce and the other organizations make three primary arguments:

1) The FTC’s Section 5 authority to prohibit unfair trade practices does not give the FTC authority to establish general data security policy;

2) Businesses cannot operate effectively and efficiently in an “evolving enforcement” regime; and

3) Data security policy cannot be developed through unilateral pronouncement by the FTC, without regard for the legislative process.

Their arguments are similar to those made by Wyndham in its Motion to Dismiss, but they take Wyndham’s arguments one step further and focus more on the unfairness and arbitrariness of the FTC’s actions.  The brief argues that the FTC leverages its enforcement authority to extract settlements from businesses that have already been victimized by data security breaches, without formal notice of the standards being used by the FTC in its enforcement. Notably, the brief recognizes that the Wyndham case is among the first data-security “unfairness” proceedings because in the past, the FTC has been able to obtain Section 5 consent orders from the targeted businesses without evaluation by a court.

The brief argues that, without clear standards established by the legislative and judicial processes, businesses receive no advance notice of what they are required to do to comply with the law “in a rapidly changing technological environment.” The brief rejects the FTC’s argument that businesses should look to FTC consent orders for guidance on what standards to follow, because those standards are often too specific to the facts of the case underlying each consent order, and are subject to no legislative or judicial oversight.

As a solution, the brief recommends that rather than establishing standards through “agency fiat”, standards should be established through a dialogue with all involved stakeholders, through democratically accountable means.  Indeed, the brief argues that the FTC focus its efforts in Congress to enact legislation to provide the FTC with the authority it seeks, rather than engaging in backdoor rulemaking through its consent orders and without having to answer to Congress or the courts.

The U.S. Chamber of Commerce and other organizations raise some interesting arguments in their brief and they have certainly provided Wyndham with much needed ammunition against the FTC.  It will be interesting to see whether this will be enough to tip the scales in Wyndham’s favor.

Earlier Posts:

The FTC Fires Back Against Wyndham (11/2/2012)

Wyndham Motion Puts the FTC on the Defensive (8/31/2012)

FTC Sues Wyndham Hotels (6/27/2012)

Privacy Monday – August 5, 2013

Posted in Privacy Monday

Privacy bytes, gaffes, and goofs for the first Monday in August –

New Hampshire Bank Victimized by Malware

Manchester, NH-based St. Mary’s Bank, the oldest credit union in the United States, has begun notifying 115,775 customers after malware was detected on several computers at the bank. It was discovered that more than 23 workstations at the bank had been infected with the malware, which was programmed to take screenshots and had been present since February 2013.

Read more:  NH Business Review

Dating Websites Under Investigation in the UK

Four of the UK’s biggest online dating websites could be in breach of the Data Protection Act over how they handle users’ personal details, the Information Commissioner’s Office (ICO) has warned. Cupid, eHarmony, match.com, Global Personals and the industry trade body, the Association of British Introduction Agencies, have all received letters from the ICO voicing concerns following a recent survey it carried out.

Read more:   Computing UK

And finally for today — an Interactive Infographic of the 300 Biggest Data Breaches

This ought to really make your Monday …..   a stunning infographic compiled by Information is Beautiful, showing 300 of the world’s largest data breaches.   Click around: http://www.techlicious.com/blog/these-are-the-300-biggest-data-leaks-ever/

FTC Complaint: Medical Testing Lab Exposed Personal Data of Thousands Over Peer-to-Peer Network

Posted in Data Breach, Federal Trade Commission, Identity Theft

Written by Amy Malone

Just before the Labor Day holiday, the Federal Trade Commission issued a press release announcing its complaint against LabMD, Inc., a company that performs medical testing for consumers around the country. The complaint alleges that the company did not take reasonable measures to protect the security of consumers’ personal data. The Commission charges that, because such reasonable measures were not taken, two incidents occurred which resulted in the exposure of personal information, including Social Security numbers and medical information.

The first incident described in the complaint is that the company’s billing information for over 9,000 customers was found on a peer-to-peer (P2P) network (for more information on P2P networks and risks, see our client alert here). P2P software allows companies to easily share information with other users, but it carries the inherent risk that information will be shared unintentionally. The information disclosed in this incident included Social Security numbers, dates of birth, health insurance provider information, and standardized medical treatment codes.

The second incident includes the disclosure of names, Social Security numbers and bank account information of some 500 consumers to identity thieves.  The Commission alleges that the Sacramento, California Police department found LabMD documents in the possession of identity thieves.

The Commission alleges that, among other things, the company:

  • did not implement or maintain a comprehensive data security program to protect information;
  • did not use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities to this information;
  • did not use adequate measures to prevent employees from accessing personal information not needed to perform their jobs;
  • did not adequately train employees on basic security practices; and
  • did not use readily available measures to prevent and detect unauthorized access to personal information.

LabMD asserts that the documents related to this complaint contain confidential information, so the Commission’s complaint will not be made public until the claims are resolved.

NJ Attorney General Settles with PulsePoint for $1 Million

Posted in Mobile Privacy, Privacy Litigation

Written by Amy Malone

Digital marketing company PulsePoint entered into a Consent Order with the New Jersey Attorney General and agreed to pay $1 million, following an investigation of claims that PulsePoint bypassed privacy settings of Apple’s Safari browser to allow tracking of consumer activity.

Last year, Google settled similar claims with the Federal Trade Commission for $22.5 million (see our blog post here). The allegations against PulsePoint mirror those that the FTC brought against the search engine giant: the NJ AG’s complaint alleged that PulsePoint placed cookies on Apple Safari web browsers without the knowledge or consent of New Jersey consumers. PulsePoint allegedly did this by bypassing privacy settings that were chosen by Safari users. The Safari settings allow users to select between “always” accepting cookies, “never” accepting cookies, or accepting cookies only from “sites I visit – block cookies from third parties and advertisers.”

According to the complaint, PulsePoint circumvented the user settings by using a form that made the Safari browser act as if the user had clicked on the advertisement, when in fact the user had not. Once the form was sent, the Safari browser allowed PulsePoint to set its cookies on the browser, even when the user had opted to block cookies.

This activity occurred between June 2009 and February 2012, and in the press release the state claims that PulsePoint may have placed up to 215 million targeted ads on the browsers of New Jersey consumers.

The $1 million settlement includes (1) a civil penalty of $556,196.96, (2) reimbursement of the state’s attorneys’ fees in the amount of $32,048.00, (3) reimbursement of the state’s investigative costs in the amount of $1,755.04, (4) a payment of $150,000.00 to be used in the state’s discretion for the promotion of consumer privacy programs and (5) a payment of $250,000.00 to be used by the state for in-kind advertising services.

PulsePoint also agreed to, among other things, implement numerous privacy controls and procedures to protect the privacy and confidentiality of consumer information. PulsePoint agreed not to override or change a consumer’s browser settings without her affirmative consent. And PulsePoint must provide information on its website explaining what information it collects and how it uses that information.

The future may be a difficult one for PulsePoint as more attorneys general may engage in their own investigations.

And the hits keep on coming……..

Posted in Data Breach

The “hits” to databases, in any event. Here is a rundown of some of the most recent data breach reports –

Oregon Health & Science University Data Breach Compromises 3,000 Patients’ Records in the Cloud.

Modern Healthcare (subscription may be required) reports that the Oregon Health & Science University announced it is “notifying more than 3,000 of its patients of a breach of their personally identifiable information after their data were placed by OHSU resident physicians on a pair of Google’s cloud-based information-sharing services.” The data breach, which involves “patients’ names, medical record numbers, dates of service, ages, diagnoses and prognoses and their providers’ names” posted to Gmail or Google Drive, was discovered in May by an OHSU faculty member. According to Healthcare IT News, this is OHSU’s “fourth big HIPAA breach since 2009 and third big breach just in the past two years, according to data from the Department of Health and Human Services.”

Citigroup Reports Breach of Personal Data in Unredacted Court Filings; Settles with Justice Department

American Banker reports that Citigroup recently admitted having failed to safeguard the personal data (including birthdates and Social Security numbers) of approximately 146,000 customers who filed for bankruptcy between 2007 and 2011. Citi apparently failed to fully redact court records placed on the Public Access to Court Electronic Records (PACER) system. “The redaction issues primarily resulted from a limitation in the technology Citi had used to redact personally identifiable information in the filings,” Citi said in a statement. “As a result of this limitation in technology, personally identifiable information could be exposed and read if electronic versions of the court records were accessed and downloaded from the courts’ online docket system and if the person downloading the information had the technical knowledge and software to restore the redacted information.”

In a settlement with the Justice Department’s U.S. Trustee Program, Citi has agreed to redact the customer information, notify all affected debtors and third parties, and offer all those affected a year of free credit monitoring.

University of Delaware Reports Cyberattack – 72,000 Records Affected

The University of Delaware is notifying the campus community that it has experienced a cyberattack in which files were taken that included confidential personal information of more than 72,000 current and past employees, including student employees. The confidential personal information includes names, addresses, UD IDs (employee identification numbers) and Social Security numbers.

Stanford University Reports Hack – Investigating Scope

Stanford University has announced that its information technology infrastructure has been breached, “similar to incidents reported in recent months by a range of companies and large organizations in the United States,” according to a Stanford press release. Though the school does not yet “know the scope of the intrusion,” an investigation is underway. “We are not aware of any protected health information, personal financial information or Social Security numbers being compromised, and Stanford does not conduct classified research.”

Japan’s Railway Company Apologizes for Unauthorized “Sharing”

The Wall Street Journal reported yesterday (registration may be required) that Japan’s national railway system has apologized for sharing its passengers’ travel habits and other personal information with a pre-paid fare card system without user consent. East Japan Railway admitted to selling the data to Suica—one of the pre-paid card businesses. The data included card holders’ ID numbers, ages, genders and where and when passengers got on and off the train. A transportation ministry official, however, said they will not investigate the issue for privacy violations because the railway company “told us that it wasn’t personal information, as it didn’t include names and addresses of users.” The Ministry of Internal Affairs and Communications is looking into the issue and has set up a team to research the matter, the report states.

Privacy Monday – July 29, 2013

Posted in 201 CMR 17.00, Cybersecurity, Data Breach, Data Breach Notification, European Union, Privacy Monday

Privacy goofs, gaffes and tidbits for the last Monday in July —

NSA Surveillance Causes More Grief –Germany Calls for a Stop to Safe Harbor:  Time for Binding Corporate Rules?

According to news sources, the federal and state German data protection commissioners late last week sent a letter to German Chancellor Angela Merkel requesting the suspension of the U.S.-EU Safe Harbor regime (the press release is available in German here). The commissioners argue that mass surveillance conducted by the U.S. National Security Agency (NSA) prevents US companies from protecting the personal data of Germans in compliance with data protection law.

The European Commission’s data protection directive prohibits the transfer of personal data to non-E.U. countries that do not meet the EU “adequacy” standards for privacy protection. To allow exchange of personal data with U.S. organizations, the U.S. Department of Commerce and the European Commission developed the “Safe Harbor” framework, allowing the transfer of personal data from the EU to the US as long as specified standards in notice, choice, onward transfer, access, security, data integrity and enforcement are met.

“The Safe Harbor agreement may not be so safe after all,” said Viviane Reding, vice president of the European Commission.  “U.S. data protection standards are lower than our European ones. I have informed ministers that the Commission is working on a solid assessment of the Safe Harbor Agreement which we will present before the end of the year.”

The Commissioners have stopped issuing approvals for international data transfers pending the German government’s demonstration that the processing of German citizens’ personal data by foreign national intelligence services is in line with the requirements of the data protection law. The Commissioners argue that the extent of the surveillance conducted by the NSA makes interception of personal data routine, and that this is not in compliance with the Safe Harbor framework.

If the German government agrees with the Commissioners and suspends Safe Harbor, all companies relying on Safe Harbor for the legal transfer of personal data from the EU to the U.S. would either have to suspend such transfers or face fines by the data protection authorities.

With elections approaching, this has become a heated political debate in Germany. Chancellor Merkel has supported the U.S. surveillance and echoed President Obama’s claims that surveillance prevents terrorist attacks and protects Americans and Germans alike, but according to a news source Merkel pushed back last week, calling for the U.S. to respect German data privacy on German soil.

We will keep you updated on developments in this area.  In the meantime one way for multinational companies to circumvent the effects of a suspended Safe Harbor program is to develop binding corporate rules, which satisfy EU standards and are an alternative means of authorizing transfers of personal data outside of Europe.  Contact the Mintz Levin privacy team for more information.

SEC Employees Victimized by Thumb Drive Data Breach:  “You ARE the Weakest Link”

A serious data breach at the Securities and Exchange Commission transferred personal data about current and former employees into the computer system of another federal agency, a letter sent by the SEC to staff reveals.

The July 8 letter, obtained by The Hill, is from Thomas Bayer, the SEC’s chief information officer and senior agency official on privacy. It warned that personal employee data had been discovered on the networks of another, unnamed federal agency. SEC employees’ Social Security numbers were exposed after a former worker unwittingly downloaded sensitive human resources data to a thumb drive, underscoring privacy risks posed by the ubiquitous devices.

Mintz Levin’s Cynthia Larose is quoted in Law 360 (registration required):  “Talk to most security people and they will say that the USB port is the biggest ‘You are the weakest link’ problem in corporate networks, and the government is no exception to that, obviously,” she said. “Allowing files of any kind of size whatsoever to be downloaded to a USB drive is trouble.”

Read more: http://thehill.com/blogs/on-the-money/1007-other/313387-staff-data-leaks-out-of-the-sec#ixzz2aRpuQj5c

Tech Companies Want Federal Data Breach Notification Law

Will the fourth time be the charm? For the fourth time in eight years, the U.S. House of Representatives is considering a federal law requiring companies to notify customers in the event of a data breach. Tech companies have weighed in on the side of such legislation, hoping to put an end to the “crazy quilt” problem currently facing companies experiencing a data breach. Corporate general counsels are looking for some compliance assistance in such a “breach notification standard.”

Read more:   Corporate Counsel (registration required)

Comprehensive Security Plans Should be the Rule, Not the Exception

The deadline for compliance with the HIPAA Omnibus Rule is fast approaching and the stakes will be rising.

Not only have the threats increased for healthcare organizations, but so have the government fines. One-time violations stay under $50,000, but repeat violations within the same year can carry a fine of $1.5 million across all HIPAA violation categories (up substantially from the previous $250K minimum). The average economic impact of a data breach has also increased by $400K to a total of $2.4 million since 2010. Investigation and legal efforts, business downtime and decreased credibility all drive up costs beyond those of fines. As we have been preaching for many years (at least since the implementation of the Massachusetts Security Regulations (201 CMR 17)), a comprehensive security plan is the best offense — for every sector, and now particularly for those businesses dealing with protected health information. The plan should address hardware, software, paper records and training — and it should be in writing.

Read more:  HealthIT Security

Survey Says: Fortune 500 Disclosing Cyber Risks

Posted in Cybersecurity

Written by Adam Veness

Ever since our 2013 prediction, an ever-increasing number of public companies have been adding disclosure related to cybersecurity and data breach risks to their public filings. We previously analyzed how the nation’s largest banks have begun disclosing their cybersecurity risks. Now, it appears that the rest of the Fortune 500 companies are catching on and including some level of disclosure of their cyber risks in response to the 2011 SEC Guidance.

The recently published Willis Fortune 500 Cyber Disclosure Report, 2013 (the “Report”), analyzes cybersecurity disclosure by Fortune 500 public companies.  The Report found that as of April 2013, 85% of Fortune 500 companies are following the SEC guidance and are providing some level of disclosure regarding cyber exposures.  Interestingly though, only 36% of Fortune 500 companies disclosed that such risk was “material”, “serious” or used a similar term, and only 2% of the companies used a stronger term, such as “critical”.

Following the SEC’s recommendation in its guidance, 95% of the disclosing companies mentioned specific cyber risks that they face.  The top three cyber risks identified by those companies that disclosed cyber risks were:

1) Loss or theft of confidential information (65%).

2) Loss of reputation (50%).

3) Direct loss from malicious acts (hackers, viruses, etc.) (48%).

Surprisingly, 15% of Fortune 500 companies indicated that they did not have the resources to protect themselves against critical attacks and only 52% refer to technical solutions that they have in place to defend against cyber risks.

The Report notes that despite the large number of Fortune 500 companies that acknowledge cyber risks in their disclosure, only 6% mentioned that they purchase insurance to cover cyber risks.  This number runs contrary to a survey published by the Chubb Group of Insurance Companies in which Chubb indicates that about 36% of public companies purchase cyber risk insurance.  For whatever reason, it appears that many of the Fortune 500 companies are simply not disclosing that they purchase cyber risk insurance as a means of protecting against cyber risk.

Almost two years after its issuance, the Report findings indicate that the 2011 SEC Guidance is in full swing and making its way into practice. As more large companies disclose cyber risks in their public filings, this will continue to trickle down to the smaller companies that rely on those filings for precedent and guidance. The Report provides a clear snapshot of where things stand in cyber risk disclosure by Fortune 500 public companies. The scope of the Report is expected to expand to include Fortune 1000 companies, and it will be interesting to see how this data changes, if at all, when drawn from a larger pool of public companies.

Stay tuned!

Privacy Monday – July 22, 2013

Posted in Online Advertising, Privacy Monday

Privacy gaffes and tidbits to start your week.

Keeping up with Kardashians is NOT a defense under HIPAA

[Originally posted in Mintz Levin's Health Law & Policy Matters Blog]

Written by Dianne Bourque

The LA Times recently reported the firing of six workers at Cedars-Sinai Medical Center in connection with unauthorized access to patient medical records. The firings occurred in the days following the birth of reality TV show personality Kim Kardashian and rapper Kanye West’s baby, although the hospital has not confirmed the identities of the affected patients. The incident demonstrates the need for vigilance in maintaining the security of records that are subject to public curiosity and of value to the paparazzi. The incident also demonstrates – remarkably – that there is information about Kim Kardashian that is not public.

Vendor Group to Develop “Best Practices”  for Retail Location Analytics — But is Perception More than Reality?

A group of mobile vendors is teaming with The Future of Privacy Forum. According to the FPF’s statement, “[t]he companies, including Euclid, WirelessWERX, Mexia Interactive and ShopperTrak, provide solutions to retailers to develop aggregate reports used to reduce waiting times at check-out, to optimize store layouts and to understand consumer shopping patterns. The reports are generated by recognizing the Wi-Fi or Bluetooth MAC addresses of cellphones as they interact with store Wi-Fi networks.” Whether the best practices will benefit retailers, the vendors who develop apps to better track in-store location and shopper activity, or a combination of both, privacy advocates argue that the consumer will likely not reap the benefits of added privacy — only some additional vague “notices” in fine print (perhaps on those signs way up at ceiling level that say “Video surveillance active..” or some such sign), and most certainly buried deep within a multi-screen TOS document on launch of a store app. The argument is that shoppers can always “opt-out” or turn off their phone — neither of which is practical if you have been in a mall anytime in the last few years. Sounds like yet another “industry guideline” that will not lead to legally enforceable standards.

To read more:

  • New York Times
  • FierceRetail

Apropos of the Above Post — The Do-Not-Track Standards Group is Off Track

On a conference call last week, the co-chair of a group trying to create DNT standards reportedly acknowledged that he has been unable to break the logjam. Last February, Peter Swire announced that the World Wide Web Consortium’s (W3C) tracking protection group should reach “last call” by July. That would mean that the group would have reached final consensus and released a report for public comment by the end of this month. On a conference call last week, Swire reportedly announced to group participants that “there is not a way to get to last call by the end of July.” Talks have reportedly turned “acrimonious” and it is unlikely that the group will ever agree.

To read more: Wendy Davis at the Daily Online Examiner has been following this issue closely — Daily Online Examiner

Lloyd’s of London: Cybersecurity is the No. 3 Global Business Threat

The index – a survey of more than 500 of the world’s most senior business leaders – noted that cybersecurity is firmly at the top of the agenda for boards of global enterprises, third only to the risks posed by high taxation and the loss of customers. “With the risks to global organizations higher than ever, it is clear that cybersecurity has finally reached the attention of business decision makers across the enterprise – no longer just an agenda item but a key point of discussion,” said Matt Middleton-Leal, regional director for UK & Ireland at Cyber-Ark.

To read more:  InfoSecurity Europe Magazine

American Bar Association’s Blawg 100 — Please Vote!

Posted in Uncategorized

The American Bar Association Journal is compiling a list of the 100 best legal blogs of 2013 and is inviting readers to submit nominations. Click the voting button below to submit a nomination for Mintz Levin’s Privacy and Security Matters Blog.

Submissions are accepted through August 9, so please vote!
