Privacy & Security Matters

Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

Avoid an International Conflict of Laws: Court-Ordered Customer Consent

Posted in Privacy Litigation

Cross-border discovery issues and competing data privacy laws are some of the most vexing issues in international litigation, particularly when bank secrecy laws are implicated.   Mintz Levin partner David Barres addresses the discovery of information shielded by foreign bank-secrecy law – specifically, situations where a bank faces conflicting obligations under US law (requiring disclosure of bank information) and foreign law (prohibiting disclosure) in recent New York Law Journal article.  David draws on his experience with this problem that arises repeatedly while representing international banks.  The article summarizes the applicable rules, and it argues that court-ordered customer consent to disclosure may resolve the conflict.

Read more here — New York Law Journal


The New Mintz Matrix Is Here!

Posted in Data Breach Notification

Or as Navin R. Johnson might say …….  *

Our updated Mintz Levin State Data Breach Notification Matrix (fondly known as the “Mintz Matrix”) is available here.   We update this resource quarterly, or as events dictate.    Legislatures have been quiet on the data breach notification front since the end of 2012.   Since our last update, North Dakota, Texas and Vermont have amended their data breach notification laws.

In a nutshell — Effective now, Vermont now requires that Vermont-regulated financial institutions notify the state’s Department of Financial Regulation in the event of a breach.  Such notice is in addition to any notice required by applicable federal regulations.

North Dakota — Effective August 1, the definition of “personal information” has been expanded to add both “health insurance information” and “medical information.”

Texas — Effective now, Texas amended its breach notification law to (a) remove language limiting the application of the data breach notification requirement to Texas residents and residents of states that do not require notification, (b) permit, for residents of states other than Texas that require notification of a breach, notice to be provided to such individuals under that state’s law or under Texas law, and (c) clarify that written notice of a security breach must be provided to the last known address of the individual.

Now, for today’s disclaimer: This chart is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.

 

*(Sound clip from The Jerk starring Steve Martin, 1979)

 

Privacy Monday

Posted in Uncategorized

Breaches, lawsuits and legislation this Monday, July 15

 

Programming Error Leads to “Low Tech” Data Breach at Indiana Family and Social Services Administration

Although it started with a programming error, the breach itself involved paper documents.  Apparently, a programming error led to the accidental disclosure of personal information of Indiana residents to other clients of the Indiana Family and Social Services Administration.

The error caused an undetermined number of paper documents being sent to clients to be duplicated and included with documents sent to other clients, so some people may have received others’ information along with their own, according to the agency, which handles programs including Medicaid and food assistance for the state.

According to the agency, the problem may have occurred back in April when a contractor, RCR Technology Corp., made a programming error to a document management system.

The state agency has notified the 187,553 people who may have been affected. As of July 12, the agency said, it estimated the number to be “very small.”    If you are one of the nearly 4,000 people who had this information sent to the wrong person, that determination is relative.

FSSA and RCR have, at the direction of Gov. Mike Pence (R), “expedited work to determine the specific clients involved,” the agency said in a July 12 statement. RCR has retained reporting software company I-net Software to determine the exact number and identities of clients affected by the breach within the next few weeks, FSSA said.

Of the 187,553 clients affected, 3,926 may have had their Social Security numbers disclosed. Other information that may have been inadvertently sent to others included name, address, case number, date of birth, gender, race, telephone number, email address, types of benefits received, monthly benefit amount, employer information, financial information, and medical information.

For more information:  eSecurity Planet

Indiana Family and Social Services Administration Release

 

Have You Checked in on Your Shredding Vendors Lately?

Two of the biggest document-shredding companies in the country have agreed to pay a total of $1.1 million to settle a lawsuit alleging the companies defrauded the U.S. government by failing to shred sensitive documents as required by contract.

Iron Mountain Corp., has agreed to pay $800,000 and Shred-It USA, a second company named in the lawsuit, has agreed to pay $300,000. A third defendant, Cintas Corp., continues to contest allegations that it failed to properly shred sensitive documents. The lawsuit was a whistleblower case filed in federal district court in Philadelphia in 2010 by a family-operated shredding business.  “This case presents a real-life David versus Goliath,” said attorney Michael A. Morse, who represented the plaintiff. “Mr. Knisely, the owner of a small, family shredding business in central Pennsylvania refused to cut corners in order to obtain government contracts. He had the courage to blow the whistle on the three largest shredding companies in the nation,” Morse said.

Read more, including details of the complaint:  Wall Street Journal

 

Military Consumer Protection Day

This Wednesday, July 17, 2013, marks Military Consumer Protection Day!  Our military men and women can face unique consumer protection challenges for a host of reasons, including the fact that they are often relocating and don’t know which businesses they can trust.  There are a number of scams specifically targeting military members – for example, some fraudsters are trying to poach veterans’ pensions.  The Military Consumer Protection site offers lots of information for military members and businesses; be sure to check it out!

 

Privacy legislation in Massachusetts

There are several pieces of legislation on the table in Massachusetts:

The Electronic Privacy Act (S 796; H 1684) would require law enforcement to obtain a warrant to access personal electronic information–such as details of telephone use, contacts, location, and e-mail and other communication–from telecommunications companies, and would bring accepted long-standing Massachusetts law and practices governing search warrants into the digital age.

The Drone Privacy Act (Sen. Hedlund and Rep. Garry: S.1664; H.1357) aims to regulate the use of aerial surveillance vehicles to ensure that this emerging technology is used responsibly in Massachusetts—without weapons and not for warrantless surveillance of residents.

The Free Speech Act (Sen. Chandler and Rep. Lewis: S.642; H.1457) would prohibit law enforcement from collecting information about individuals’ political and religious views, associations or activities, unless it relates directly to a criminal investigation based on reasonable suspicion of criminal conduct.


NIST Issues Guidelines on Mobile Security

Posted in Mobile Privacy

The National Institute of Standards and Technology (NIST) has issued guidelines to help federal agencies manage and secure mobile devices used by their employees for government business. A valuable resource on enterprise mobile device security for all businesses, not just federal agencies, the guidelines are designed to be used by CIOs, CISOs, and other information security professionals as best practices when designing, implementing, and maintaining enterprise-level mobile device security. A Mintz Levin client alert summarizes the key recommendations in NIST’s Guidelines for Managing the Security of Mobile Devices in the Enterprise.   Read more here.


REMINDER – HIPAA Omnibus Rule Compliance Webinar

Posted in HIPAA/HITECH

Hospital?  Health care provider?  Service provider to either a hospital or other health care provider?    You’ll want to listen in to our HIPAA Omnibus Rule Compliance webinar — details here

Topics covered by the webinar include:

  • What to do if you currently have a comprehensive, effective program
  • What to do if your compliance program consists of a dusty binder of policies and procedures
  • Approaches (and deadlines) for updating business associate agreements
  • What we expect from the Office for Civil Rights in the near future.

FCC: Carriers Must Protect Certain Data Collected on Mobile Handsets

Posted in Mobile Privacy

Written by Ernie Cooper 

Aiming to “address the real privacy and security risks that consumers face when telecommunications carriers use their control of customers’ mobile devices to collect information about their customers’ use of the network,” the Federal Communications Commission (FCC) has adopted a Declaratory Ruling holding that the existing rules requiring carriers to protect customer proprietary network information (CPNI) apply to CPNI collected by mobile devices when such collection is undertaken at the carrier’s direction and the carrier has access to or control over that information. The FCC further clarified that this obligation applies even while the CPNI resides on the handset prior to transmission to the carrier’s servers.  The Declaratory Ruling does not restrict carriers’ ability to collect CPNI using customer handsets, but holds that if the carrier chooses to do so, it must protect the CPNI it collects.

The Declaratory Ruling applies only to the providers of common carrier and interconnected VoIP services covered by the CPNI rules, although the ruling could raise expectations that other wireless broadband providers engaged in device-based data collection will also protect that data against unauthorized disclosure and use.

Following is a summary of the main points of the Declaratory Ruling.

Many Data Elements Collected by Mobile Devices Fit the Definition of CPNI.  The statutory definition of CPNI is “information that [1] relates to the quantity, technical configuration, type, destination, location, and amount of use of a [customer’s] telecommunications service . . . [2] that is made available to the carrier by the customer [3] solely by virtue of the carrier-customer relationship.”  The FCC concluded that this type of information, even when collected or stored on a mobile device, falls within the definition of CPNI and is therefore subject to the rules governing such information.  Using the 2011 controversy over certain carriers’ use of the Carrier IQ diagnostic software as an example, the FCC explained that when software installed on a handset to collect this information for carriers is not properly secured, other entities or applications may access the CPNI, resulting in the potential disclosure of location and other data.

The Declaratory Ruling acknowledges that some information collected by Carrier IQ-type network diagnostic software, such as information on access to the carrier’s data network or URLs visited by a handset’s browser, may fall outside of the definition of CPNI.  According to the FCC, however, that fact does not invalidate the principle that data that does meet the definition of CPNI must be protected as such.

The FCC explained that CPNI collected by a handset at the carrier’s direction is “made available” to the carrier even while it is stored on the handset prior to transmission to the carrier’s own servers.  Even if the information has not yet been transmitted, the configuration of the device puts the data “under the carrier’s control for all practical purposes,” and therefore “made available” to the carrier.  Thus the CPNI must be protected while resident on the customer’s handset, as well as during transmission and while on the carrier’s own servers.

CPNI collected on handsets is also “made available to the carrier by the customer solely by virtue of the carrier-customer relationship” because the carrier “is in a unique position with respect to its customers when it configures a mobile device to collect the information before the device is sold to a customer.”  The same is not true for information collected and stored on the handset by third-party applications installed on the handset by the consumer – even when the data might otherwise fit the definition of CPNI – because in that case the information is not under the carrier’s control and not intended to be transmitted to the carrier.

Carriers Must Take Reasonable Precautions to Prevent Unauthorized Disclosure of CPNI Collected on Handsets.  The obligations carriers have under FCC rules to protect and prevent misuse of their customers’ CPNI apply equally to CPNI collected on customer handsets.

Thus, if a carrier chooses to collect or store CPNI on a handset, the carrier must take reasonable precautions to prevent unauthorized access and disclosure, including access that might be obtained by third-party applications the customer may have installed on the handset.  The Commission recognizes, however, that given the openness of modern smartphones it cannot require carriers to protect customers against “all possible privacy and security risks . . . , including risks created by third-party applications.”

As with other CPNI a carrier may have access to, carriers are free to use CPNI collected from handsets to “assess and improve the performance of its network and to provide information to customer-support representatives without the customer’s specific approval.”  Similarly, as with CPNI collected by other means, carriers are not restricted in using CPNI collected from handsets if the data has been aggregated, with individual customer identities and characteristics removed.

Consistency with Other Privacy Laws and Initiatives.  In response to an argument raised by CTIA, the nonprofit organization that represents the wireless industry, the FCC explained that the clarifications made in the Declaratory Ruling are consistent with the Stored Communications Act.  Further, while noting that mobile privacy issues are also being addressed through industry best practice development efforts by the standards-development organization ATIS, and in the NTIA-led multistakeholder process to develop a privacy code of conduct for mobile apps, the FCC concluded that neither of these initiatives is a substitute for the FCC’s “obligation to fulfill its statutory role” to ensure appropriate protection of CPNI.

Privacy Monday – Privacy Bits and Bytes to Start Your Week

Posted in Uncategorized

UK Regulators Tell Google:  Rewrite that Privacy Policy — Or Else

It’s been clear since last year that many European data protection regulators were very unhappy with Google’s “new” privacy policy.   The UK Information Commissioner’s Office has now joined its counterparts in France and Spain in ordering Google to amend its privacy policy by September 20th or face legal action.   According to a release from the Information Commissioner’s Office:  “Google must now amend their privacy policy to make it more informative for individual service users.”   The reaction stems from the Google decision last year to allow it (via its privacy policy) to combine information from logged-in users across all of its platforms and services – including Gmail, Android and YouTube.  Users cannot opt out of the aggregation.

Read More:  Washington Post

The Guardian


AT&T May Sell User Data

You may not have noticed it, but AT&T has “updated” its privacy policy.   Take a look here.   The “update” promotes two new programs — one of which clearly is aimed at permitting AT&T to sell anonymized user data to third parties.

We … want to point out two new programs to help us and other businesses serve you better:

The first program will make reports available to businesses. These will contain anonymous information about groups of customers, such as how they collectively use our products and services. For example, they might tell a retailer about the number of wireless devices in or near their store by time of day, together with anonymous information about those device users’ collective age or gender.

The second program will use local geography as a factor in delivering online and mobile ads to the people who might find them most useful. For instance, if you happen to live in an area where people like going to the movies, you may get ads for movie theaters. This doesn’t mean you’ll get more ads, it just means that the ads you get from AT&T may be more suited to your interests.

Unlike the Google privacy policy changes, though, if you are an AT&T customer, you will be offered an opportunity to opt-out via a letter — see here.    Metrics on the opt-out rate should be interesting.

Read More:  Slashgear

 

University of South Carolina Hit With Another Data Breach

Even as the University of South Carolina works to eliminate unnecessary use of Social Security numbers after an earlier massive data breach, it has sent another notice to 6,300 students whose personal information, including SSNs, was on a laptop that went missing from the school.   Lesson for the day:  If you don’t need it, don’t keep it — and certainly do not keep it on a portable device.

Read More:  The State

 

If Your Fourth of July Holiday Included Gaming, You Might Want to Read This

An Ubisoft account database was breached through a website assault, revealing user names, email addresses and encrypted passwords, according to the maker of games like the Assassin’s Creed and Just Dance series.  Ubisoft said, “We instantly took steps to close off this access, to begin a thorough investigation with relevant authorities, internal and external security experts, and to start restoring the integrity of any compromised systems.”    Change that password, gamers.

Read More:  Network World/IDG News Service

AllThingsD


California AG Releases Report on 2012 Data Breaches

Posted in Data Breach Notification, Privacy Regulation

Written by Jake Romero

If You Care About the Security of Your Online Data or Just Love Charts, This Report is For You

Californians are a diverse bunch (as you’ve probably gathered from those commercials with Arnold Schwarzenegger), but apparently there is something that 2.5 million of us all have in common.  California Attorney General Kamala Harris has released a first-of-its-kind data breach report  that includes statistics, recommendations and assessments based on breaches that were reported to the Attorney General’s office during the 2012 calendar year.  The most notable/alarming finding is that in 2012, 2.5 million California residents had personal information compromised in connection with a data breach.  That’s roughly equal to the populations of San Diego, San Francisco and Oakland combined.

California was the first to pass a data breach notification law (California Civil Code Sections 1798.29(a) and 1798.82(a)) ten years ago, but 2012 was the first year in which organizations that experienced certain types of data breaches were also required to notify the office of the Attorney General.  In total, 131 data breaches were reported by 103 different entities, with the average breach incident involving 22,500 individuals.   According to the Breach Report, more than half of the breaches involved Social Security numbers and more than half were the result of intentional acts by an unauthorized individual.   California is the first state to compile a comprehensive review of reported breaches; the results provide important information, and other states should follow its example.

The Breach Report includes recommendations for the California legislature and the state’s enforcement agencies, but arguably the most important recommendations are those directed at the providers of online services:

  • Encryption – If your online service collects personally identifiable information and does not encrypt it, expect very little sympathy from Attorney General Harris following a breach.  In the message preceding the Breach Report, Attorney General Harris calls the failure of companies to encrypt sensitive personal information “particularly striking,” and notes that if encryption had been used, over 1.4 million of the Californians would not have had their data put at risk in 2012.  As noted in the Breach Report, California’s data breach notification law includes an incentive to encrypt data in the form of an exemption for certain data breach incidents from the notification requirements where the personally identifiable information that was accessed was encrypted.  If that isn’t enough motivation, however, the Breach Report also warns that the Attorney General’s Office intends to make the investigations of breaches involving unencrypted personal information a priority, and will encourage other enforcement agencies to do the same.
  • Security Through Training – As noted above, more than half of the breaches that were reported in 2012 were the result of an intentional act by outsiders or malicious insiders.  The Attorney General’s office recommends that companies that collect private information review their security procedures on an ongoing basis to make sure that their security controls remain up to date.  As part of this process, the Attorney General’s office recommends regular training for employees and contractors to ensure that best practices are implemented and updated to address new threats.
  • Stop With the Fancy Talk – The average reading level of individuals in the United States is 8th grade.  A survey conducted by the Attorney General’s office using data breach notification samples provided by organizations in connection with reported breaches found that the average notification was written at a 14th-grade level.  The Breach Report emphasizes that the point of such notices is to ensure that each recipient can understand its contents.  Generally this is an important point to keep in mind for any notification, terms or policy that is intended for your consumers, including your privacy policy.
  • Be Prepared to Offer Credit Monitoring Assistance – The Breach Report found that in 29% of the most serious types of breaches (those involving Social Security or driver’s license numbers), credit monitoring services were not offered to the consumers whose information was put at risk.  Attorney General Harris noted that clearing up this type of identity theft can be both costly and time-consuming, but that protective measures provided by the company who experienced the breach can help to limit ongoing risks.

Perhaps the biggest take-away for providers of online services, however, is how common data breaches have become.  The data and statistics included in the report demonstrate that data breaches happen across all industry sectors, in all sizes of companies, with all types of data and in a number of different ways.  The time to prepare your company for a data breach is before it happens, rather than after.  Nobody wants to be on this list, but if you do experience a data breach, having a plan in place will help keep your sleepless nights to a minimum.  As always, your Mintz Levin privacy team is here to help.

Privacy Monday

Posted in Uncategorized

Privacy Tidbits to start your week

The Risk-Benefit Analysis of BYOD

As we have written in the past, the proliferation of the “bring your own device” (BYOD) trend is a high-wire balancing act for IT and privacy professionals.    What happens when employees leave the workplace with company assets on those devices that they own?   Does your company have a BYOD policy?    Have you compartmentalized the risks?   What about your ex-US employees? Think about it now – later may be too late.

An article in InfoWorld highlights steps companies can take to protect vulnerable data.

Apple Settlement for In-App Purchases Made by Minors

In-app purchases were dealt a sharp blow from Apple last week, after it quietly agreed to return $100 million to shoppers who say their children either made purchases accidentally or did so without permission.   What does this bode for e-tailers?

Read more: In-App Purchases By Children Dealt A Major Blow—Courtesy Of Apple – FierceRetail

Zip Code Class Actions Come to Washington DC

Urban Outfitters joins the list of national retailers facing class action lawsuits over allegations of collection of customer zip codes in violation of state consumer protection laws.   This latest has been filed in federal court in the District of Columbia.

We have written about suits in Massachusetts against Guitar Center, Bed Bath & Beyond and an important decision in a case against Michaels Stores, as well as the daddy of all consumer zip code suits, Pineda v. Williams-Sonoma, filed in California in 2011.

Read about the Urban Outfitters suit here:  Legal Times

 

Survey Says:   Two-Thirds (yes, TWO-THIRDS) of Employees Surveyed Knowingly Violate Privacy/Security Policies

The Financial Times conducted a survey over several years on company data security policies and procedures.   Of the 165,000 employees surveyed, 93 percent knowingly violate policies designed to prevent data breaches.   And just in case you needed any reinforcement, the Financial Times survey reported that it also found senior executives to be the worst offenders.

Sound familiar?  “More than one-third of staff … admitted to writing down critical passwords where they can be stolen, such as on post-it notes. Other common missteps included copying sensitive documents on to portable drives and sharing passwords with colleagues.”

To read more of the Financial Times survey (registration required):  link here
Also – IAPP Privacy Advisor

 

Revised FTC Guide on ‘Red Flags’ Identity Theft Rule Published

Posted in Federal Trade Commission, Identity Theft

UPDATE: The Federal Trade Commission recently issued a revised guide on the Red Flags Identity Theft Rule, designed to help businesses comply with the requirements of the Rule. Our detailed Client Alert on the Final Red Flags Rule and compliance obligations issued by the SEC and CFTC can be found here.   Compliance with the Red Flags Rule for entities regulated by the FTC has been required since 2007.

The revised guide is a helpful tool for entities that are considering whether they are covered by the Rule as well as for covered entities as it:

  • Provides a two-part analysis that businesses can use to determine if they are a “financial institution” or a “creditor” covered by the Rule,
  • Contains an FAQ section that clarifies the definition of “creditor,” and
  • Outlines a four-step compliance process for businesses under FTC jurisdiction.

You can find a copy of the guide here.

If you need assistance with your own Red Flags compliance program, or determining whether you are covered by the Rule, contact a Mintz Levin Privacy attorney.