Privacy & Security Matters

Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

Privacy Monday

Posted in Uncategorized

Privacy Tidbits to start your week  


The Risk-Benefit Analysis of BYOD

As we have written in the past, the proliferation of the “bring your own device” (BYOD) trend is a high-wire balancing act for IT and privacy professionals. What happens when employees leave the workplace with company assets on those devices that they own? Does your company have a BYOD policy? Have you compartmentalized the risks? What about your ex-US employees? Think about it now – later may be too late.

An article in InfoWorld highlights steps companies can take to protect vulnerable data.

Apple Settlement for In-App Purchases Made by Minors

In-app purchases were dealt a sharp blow from Apple last week, after it quietly agreed to return $100 million to shoppers who say their children either made purchases accidentally or did so without permission.   What does this bode for e-tailers?

Read more: In-App Purchases By Children Dealt A Major Blow—Courtesy Of Apple – FierceRetail

Zip Code Class Actions Come to Washington DC

Urban Outfitters joins the list of national retailers facing class action lawsuits over allegations of collection of customer zip codes in violation of state consumer protection laws.   This latest has been filed in federal court in the District of Columbia.

We have written about suits in Massachusetts against Guitar Center, Bed Bath & Beyond and an important decision in a case against Michaels Stores, as well as the daddy of all consumer zip code suits, Pineda v. Williams-Sonoma, filed in California in 2011.

 Read about the Urban Outfitters suit here:  Legal Times


Survey Says:   Two-Thirds (yes, TWO-THIRDS) of Employees Surveyed Knowingly Violate Privacy/Security Policies

The Financial Times conducted a survey over several years on company data security policies and procedures. Of the 165,000 employees surveyed, 93 percent knowingly violate policies designed to prevent data breaches. And just in case you needed any reinforcement, the Financial Times survey reported that it also found senior executives to be the worst offenders.

Sound familiar? “More than one-third of staff … admitted to writing down critical passwords where they can be stolen, such as on post-it notes. Other common missteps included copying sensitive documents on to portable drives and sharing passwords with colleagues.”

To read more of the Financial Times survey (registration required):  link here
Also – IAPP Privacy Advisor


Revised FTC Guide on ‘Red Flags’ Identity Theft Rule Published

Posted in Federal Trade Commission, Identity Theft

UPDATE: The Federal Trade Commission recently issued a revised guide on the Red Flags Identity Theft Rule, designed to help businesses comply with the requirements of the Rule. Our detailed Client Alert on the Final Red Flags Rule and compliance obligations issued by the SEC and CFTC can be found here.   Compliance with the Red Flags Rule for entities regulated by the FTC has been required since 2007.

The revised guide is a helpful tool for entities that are considering whether they are covered by the Rule as well as for covered entities as it:

  • Provides a two-part analysis that businesses can use to determine if they are a “financial institution” or a “creditor” covered by the Rule,
  • Contains an FAQ section that clarifies the definition of “creditor,” and
  • Outlines a four-step compliance process for businesses under FTC jurisdiction.

You can find a copy of the guide here.

If you need assistance with your own Red Flags compliance program, or determining whether you are covered by the Rule, contact a Mintz Levin Privacy attorney.


Amended COPPA Rule Compliance Deadline Approaching

Posted in Children, Data Compliance & Security, Federal Trade Commission, Mobile Privacy, Privacy Regulation

Time flies when it comes to compliance deadlines. As we have blogged here, the Amended COPPA Rule compliance deadline is approaching. And if you haven’t addressed your compliance issues by Monday, you will be late.

Effective July 1, 2013, regulations issued in the December 2012 amendment to the Children’s Online Privacy Protection Act (COPPA) will be subject to enforcement by the FTC. Operators of commercial web sites and online services (including mobile apps) that collect, use, or disclose personal information from children under 13 need to be aware of how the amended COPPA rule will affect their business practices, and what is required to stay in compliance. We have prepared a comprehensive guide to the specifics of the rule, including new requirements related to personal information that was collected prior to the rule being implemented, as well as tracking, and responsibility for third-party use of information.

Link here for a copy of the Mintz Levin Guide to COPPA.


HIPAA Procrastinator? Have we got a webinar for you….REMINDER

Posted in Data Breach Notification, HIPAA/HITECH, Privacy Regulation

 REMINDER July 23, 2013 at 1 PM ET – Register here


The countdown is underway — the HIPAA Omnibus Rule compliance deadline is less than two months away!

Covered entities and business associates have until September 23, 2013 to comply with important, new requirements under the HIPAA Omnibus Rule. To avoid penalties for noncompliance, organizations will need to update policies, procedures, forms and practices.  HIPAA is not just a concern for the health care industry – its compliance obligations, civil and criminal penalties extend to all kinds of downstream entities, no matter how remote, that handle health care data.  Mintz Levin has planned a webinar for those who are leaving compliance with new HIPAA Omnibus Rule requirements until the last minute.

This webinar will outline steps to assist in that effort, including:

  • What to do if you currently have a comprehensive, effective program
  • What to do if your compliance program consists of a dusty binder of policies and procedures
  • Approaches (and deadlines) for updating business associate agreements
  • What we expect from the Office for Civil Rights in the near future

Put July 23 at 1:00 PM ET on your calendar and register for this webinar here.

Welcome to Privacy Monday

Posted in Data Breach, Data Breach Notification, Legislation, Uncategorized

Welcome to a new feature of Privacy & Security Matters – Privacy Monday.

We will start your week with a fresh collection of privacy tidbits, goofs and gaffes.

Tip:  Make Sure Your Employee Files are Distinguishable from Customer Merchandise

A Cambridge, Massachusetts Banana Republic customer got a lot more than she ordered.   When she opened the package containing her online order last week, she did not receive the expected tie and pocket square but rather an envelope containing personnel files for about 20 former Gap Inc. employees, replete with Social Security numbers and W-4s, handwritten resignation letters, doctors’ notes — everything.       According to an Associated Press story, this is not the first time this has happened at the Gap (according to the story, both customer shipments and HR files are sent in the same, gray plastic envelopes) — except that this time, the recipient was Emily Dreyfuss, an editor at CNET, the technology publication (she is also the daughter of actor Richard Dreyfuss).

Don’t expect this to end quietly. Read Ms. Dreyfuss’ first-hand account (including the customer service response…) at The Atlantic Wire

Data Security and Breach Notification Act of 2013 Introduced in U.S. Senate

In yet another effort to reach a national data breach standard and eliminate the crazy quilt of state data breach notification laws, three U.S. Senators have introduced the Data Security and Breach Notification Act of 2013. Senators Pat Toomey (R-PA), Angus King (I-ME) and John Thune (R-SD) have reintroduced the bill in reportedly the same form as it was introduced in 2012 … and in 2011 … and in 2010. The 2013 bill is not yet available online, but last year’s text can be found here. The 2012 version died at the end of the last session of Congress without making it out of the Senate Commerce, Science and Transportation Committee. Stay tuned for further analysis once the actual text is released.

More Data Security Problems for Facebook

Facebook is once again admitting a data security glitch – a year-long breach affecting nearly 6 million users. It is likely that most Facebook users missed the “disclosure,” tagged as a “Message from Facebook’s White Hat Program.” See more in the Reuters story here.







Seventh Circuit Declines to Review Class Certification Order in Enormous Computer Privacy Class Action

Posted in Class Action Litigation, Privacy Litigation

Written by Kevin McGinty and Evan Nadel

In its recent decision in Harris v. comScore, Inc., the Seventh Circuit declined to review a trial court order certifying a plaintiff class consisting of hundreds of thousands of computer owners who downloaded software that permitted comScore, Inc. to track internet traffic and usage.  The comScore software was not supposed to load onto a computer unless the user affirmatively accepted a click wrap agreement that disclosed how comScore tracked and utilized the users’ data.  Plaintiffs allege that the software sometimes loaded onto computers without giving users the opportunity to read and accept the click wrap agreement, but primarily claim that comScore accesses and uses data in ways that violate its agreement.  Plaintiffs seek damages for unjust enrichment and allege violations of the Stored Communications Act (“SCA”), 18 U.S.C. § 2701(a)(1), the Electronic Communications Privacy Act (“ECPA”), 18 U.S.C. § 2511(1)(a), (d), and the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030(a)(2)(C).

Plaintiffs moved to certify a class consisting of all persons in every state in the U.S. who downloaded the comScore software.  Plaintiffs argued that the alleged policy of accessing and using their data in a manner contrary to the express terms of the comScore click wrap agreement meant that common issues of law and fact predominated with respect to the claimed violations of state and federal law.  In opposition, comScore raised a host of issues, including questions about whether both named plaintiffs actually downloaded the software, whether the identity of class members was ascertainable through objective criteria, whether certain class claims were timely, and whether the injury or loss could be established through proof common to the class as a whole.

The trial court declined to certify a class to pursue the unjust enrichment claims, concluding that substantial variations in applicable state laws made it impossible to adjudicate the unjust enrichment claims of the multistate class in a single action.  The court did, however, certify a class to pursue the federal statutory claims.  The court conceded that proof of some issues might vary for some class members, but ultimately found that the core issue in the case – whether comScore’s use of data violated the terms of its own agreement – could be addressed by proof common to the class as a whole.  Reinforcing this conclusion was the availability of mandatory statutory damages under the SCA and ECPA, which avoided individual questions about loss or injury that often preclude certification of classes alleging misuse of data under state common law and consumer protection causes of action.

A petition to the Seventh Circuit seeking review of the class certification decision under Rule 23(f) promptly followed.  Under that rule, appellate courts have the discretion to review class certification decisions directly where there is a likely error of law or close question of first impression.  The Seventh Circuit denied the petition without opinion, making it impossible to know the precise ground for denial.

The objections to class certification identify strong arguments for comScore on the merits.  Most significantly, comScore raises serious questions about the validity of plaintiffs’ claim that comScore violates the terms of its own agreements.  That particular question, however, is plainly common to the class as a whole.  Most of the arguments that comScore makes – particularly with respect to statute of limitations, the specific types of violations committed, and whether it is possible to identify class members whose downloads are not recorded in comScore’s records – provide better grounds for narrowing the class than for doing away with it altogether.  Finally, because the SCA and ECPA permit recovery of statutory damages without proof of financial loss, the claims advanced in Harris do not pose the types of individualized issues concerning fact of injury that often block certification of other types of data privacy claims.

These considerations demonstrate why companies that track and utilize consumer data need to be mindful of class action exposure that could result from any alleged failure to obtain consumer consent to use of data, or claimed uses that exceed the scope of that consent.  A company accessing or using data pursuant to the terms of a click wrap agreement needs to exercise particular care to ensure (i) that data is not used or accessed unless the user has entered into an agreement (proof of which the company retains); (ii) that the agreement clearly discloses how the company accesses the data and what it does with that data; and (iii) that the company does not use or access the data in any manner that is inconsistent with its agreement.

Kevin McGinty chairs Mintz Levin’s Class Action Working Group and Evan Nadel has litigated complex privacy litigation.


Delta Finds Reprieve in State Court, but Not Everyone Will Get to Fly the Friendly Skies

Posted in Data Compliance & Security, Mobile Privacy, Privacy Litigation, Privacy Regulation

By Cynthia Larose, Evan Nadel, and Jake Romero

California Attorney General Kamala Harris’ attempt to bring an enforcement action against Delta Air Lines, Inc. won’t be leaving the runway. California Superior Court Judge Marla J. Miller has dismissed a data privacy complaint against Delta brought by Attorney General Harris. The development comes as an unexpected bump in the road for the Attorney General’s office, which has made enforcement of state privacy regulations a top priority. Judge Miller agreed with Delta’s argument that the claim should be dismissed on federal preemption grounds.

See our Mintz Levin Privacy client advisory here for more information.

Mandatory Data Breach Notification Coming to Australia

Posted in Data Breach Notification, Privacy Regulation

Thanks to our friends at Gilbert + Tobin

Privacy law is once again on the Government’s legislation reform agenda with the introduction recently of the Privacy Amendment (Privacy Alerts) Bill 2013.
The Bill if passed will amend the Privacy Act 1988 (Cth) to introduce a new mandatory data breach notification scheme for entities regulated under the Federal Act, including public sector agencies, private sector organizations (other than small business), credit reporting bodies and credit providers.

Under current Australian privacy law, there is no legal requirement for an entity to notify either affected individuals, or the Commissioner, if personal information the entity holds is compromised. The Federal Privacy Commissioner – part of the Office of the Australian Information Commissioner – actively encourages voluntary notification by entities in accordance with the OAIC’s guide Data Breach Notification: A guide to handling personal information security breaches.

Wednesday’s introduction of the mandatory notification scheme comes approximately five years after the Australian Law Reform Commission first considered this, and myriad other issues, in its 2008 Report For Your Information: Australian Privacy Law and Practice. The ALRC recommended at the time that the Privacy Act be amended to compel entities to notify individuals where data breaches cause a real risk of serious harm. Somewhat belatedly, the Government released a discussion paper in October 2012 to canvass stakeholder views as to the introduction of a mandatory data breach scheme: submissions were closed off the following month and not made available or commented on by the Attorney-General until the day before introduction of this Bill into the Federal Parliament.
The Government’s mandatory notification scheme implements in large part the model first recommended by the ALRC. Specifically, the threshold test for notification under the new scheme reflects the ALRC’s recommendation for a high threshold based on a reasonable belief by the entity concerned that the data breach is sufficiently serious to pose a real risk of serious harm to affected individuals. The Bill, and its Explanatory Memorandum, are not particularly clear on the meaning of the term serious harm, other than to note that it includes reputational, economic, financial, physical and psychological harm, but excludes minor harm. It is expected that the Commissioner will provide further guidance on this issue.

The OAIC Guide suggests that serious harm may include identity theft, disclosure of credit card details and the stigma, embarrassment and discrimination that may result from the misuse of health information. Ultimately, entities will need to assess each data breach on a case-by-case basis to determine whether the circumstances of the breach give rise to a reasonable belief that affected individuals face a real risk of serious harm.

In the event of such a breach, the provisions of the Bill require the entity to notify each affected individual and the Commissioner as soon as practicable. The data breach notice must include:

  • the identity and contact details of the entity;
  • a description of the breach;
  • the kinds of personal information concerned;
  • recommendations about the steps that individuals should take in response to the breach; and
  • any other information specified in the regulations.

The Bill appears to express a preference for direct notification of affected individuals using methods of communication normally used by the entity to communicate with the individual. In the absence of such a method, the entity must take reasonable steps to notify the individual (e.g. by email, telephone or post).

In circumstances, however, where it is impossible or impracticable to contact each affected individual, the Bill requires an entity to publish a copy of the statement on its website and in each State via publication in a generally circulating newspaper in that State. The circumstances in which such indirect notification is to be undertaken are to be prescribed in the regulations.

Where it is in the public interest to do so, the Commissioner may exempt an entity by notice from its notification obligations. Such notices may be issued upon application or on the Commissioner’s own initiative.

The Bill also provides the Commissioner with the power to direct an entity to notify affected individuals if it has not done so. A failure to comply with the notification requirements of the Bill, as well as a direction by the Commissioner to notify, amounts to an interference with the privacy of an individual, which triggers all the Commissioner’s enforcement powers, including the investigative powers, the power to make determinations, award compensation, seek enforceable undertakings and civil penalties for serious or repeated interferences with privacy.

If passed by Parliament, the mandatory data breach notification scheme will commence at the same time as the new Australian Privacy Principles (APPs) and credit reporting scheme, 12 March 2014.

A copy of the Bill and its Explanatory Memorandum is available here:

Click here to view a brief comparative analysis of the measures in the Bill against those set out in OAIC’s Guide on voluntary notification.


Massachusetts Zip Code Class Action: Take 3

Posted in Class Action Litigation

Written by Amy Malone

Another class action suit has been filed in Massachusetts in the zip code wars. This time, the target is instrument retailer Guitar Center for allegedly requesting customers to provide their zip codes when making purchases with a credit card in contravention of Mass. Gen. Laws ch. 93 § 105(a). Zip code class action suits started in California against retail giant Williams-Sonoma, and last year they found their way to Massachusetts in a case filed against national craft retailer, Michaels Stores. We discussed that case in some detail, here.

The Massachusetts Michaels case was dismissed from the U.S. District Court for the District of Massachusetts in January of 2013, but questions of law were sent from the federal court to the Massachusetts Supreme Judicial Court. The big questions referred to the SJC for determination under Massachusetts law were (1) whether a zip code is personal identification information (“PII”) under § 105(a) and (2) whether a complainant could state a cognizable claim under that section without suffering identity theft. The court ruled that zip codes are personal information under the law and identity theft is not a necessary element in arguing a valid claim.

The SJC ruling kicked open the door for lawsuits in Massachusetts against major retailers that collect zip codes when processing credit cards. Currently there are two class actions pending against Bed, Bath and Beyond (complaints are here and here) and now there is this week’s filing against Guitar Center. The Nielan v. Guitar Center complaint is very similar to the Bed, Bath and Beyond complaints: claiming that Guitar Center harmed plaintiffs by unnecessarily collecting zip codes when customers completed purchases with credit cards. Credit card companies do not require zip codes to be collected in order to process transactions.

The plaintiffs claim they suffered injury due to (1) receiving unwanted marketing material and (2) through Guitar Center’s misappropriation of their economically valuable PII without consideration.  The SJC listed receiving unwanted marketing material and the sale of a customer’s PII as two possible injuries under a merchant’s violation of §105(a).

Plaintiffs in the Bed, Bath, and Beyond cases as well as the Guitar Center litigation are requesting statutory damages of $25 per violation as well as treble damages.


First HIPAA Resolution Agreement of 2013 — and it certainly will not be the last

Posted in HIPAA/HITECH, Privacy Regulation

Written by Stephanie D. Willis


The HHS Office of Civil Rights (OCR) announced its first HIPAA Resolution Agreement of 2013 last week.  According to the press release, Idaho State University (ISU) must pay OCR $400,000 and comply with the terms of a two-year corrective action plan (CAP) to address violations of the HIPAA Security Rule, which describes the technical, administrative, and physical safeguards against unauthorized access to electronic personal health information (ePHI).

ISU self-disclosed the exposure of the ePHI of approximately 17,500 patients at one of its health system’s facilities in August 2011.  The patients’ ePHI had become compromised when ISU staff disabled firewall protections on a server for one of its 29 outpatient clinics.  ISU officials did not discover the “hole” in the system’s security for over ten months – a fact underlying OCR’s determination that “ISU’s [privacy and security] risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities.”  The Resolution Agreement summarizes OCR’s conclusions regarding ISU’s deficient privacy and security processes after it completed an in-depth investigation pursuant to the self-disclosure:

  • ISU did not conduct an analysis of the risk to the confidentiality of ePHI as part of its security management process from April 1, 2007 until November 26, 2012;
  • ISU did not adequately implement security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level from April 1, 2007 until November 26, 2012; and
  • ISU did not adequately implement procedures to regularly review records of information system activity to determine if any ePHI was used or disclosed in an inappropriate manner from April 1, 2007 until June 6, 2012.

As part of its two-year CAP, ISU must complete an initial compliance gap analysis regarding each Security Rule provision as well as Annual Reports summarizing any training, review measures and updates of its risk management plan and information system security measures.  All in all, the ISU resolution is a prime example of OCR Director Leon Rodriguez’s statement at last week’s NIST-OCR conference that OCR is more likely to impose monetary penalties on “ongoing violations” of sets of laws.  (Our sister blog, Health Law and Policy Matters, provides more highlights of the conference here.)

Of note, ISU is a hybrid entity because it is an institution that has components other than its health clinics that perform activities that are not subject to HIPAA.  Hybrid entities must be especially careful of properly identifying entities that must comply with HIPAA and appropriately structuring privacy and security policies that adequately meet the law’s standards.  As Dianne Bourque, a Member of Mintz’s Health Law Practice, points out, “An additional complexity for hybrid entity employees is remaining mindful of their privacy and security obligations for the covered component or components of the hybrid entity as distinct from the non-covered components.  This is difficult when the hybrid operates as a single organization. Training is critical for entities like this.”