NIST Issues Guidance on Cloud Computing Privacy and Security Requirements for Federal Agencies

Joel Buckman, an associate in the Hogan Lovells Privacy and Information Management practice group in the Washington, D.C. office, assisted in the preparation of this entry.

Recent guidance from the National Institute of Standards and Technology (“NIST”) encourages federal agencies to take advantage of cloud computing. It also provides draft security and privacy guidelines for federal agencies to follow when engaging cloud providers. The draft guidelines serve as roadmaps for how to negotiate meaningful privacy and data security protections from cloud providers. Though prepared for federal agencies, the draft guidelines could prove influential to the private sector as an increasing number of private businesses use cloud services. NIST has requested comments on the drafts by no later than February 28, 2011.


FTC Posts Guidance for Providers and Insurers on Medical Identity Theft

Shining a new spotlight on health data breaches, the Federal Trade Commission recently posted a frequently asked questions guide to medical identity theft for health care providers and insurers. Medical identity theft occurs when one person obtains health care services or prescription drugs using the identity of someone else, or when those working in a health care provider setting use an individual's personal information to submit false bills to an insurer. People victimized by medical identity theft often realize the theft has occurred when they get a bill for a service they did not receive, are contacted by a debt collector for medical bills for services they never obtained or from doctors they never saw, or are denied insurance because their records are incorrect. The guide makes clear that if a patient reports being a victim of medical identity theft, providers and insurers are expected to conduct an investigation and correct any incorrect information, follow the applicable rules of the Fair Credit Reporting Act, review their data security practices, and provide notification as required under HIPAA or other federal or state security breach notification laws. The guidance for health care providers and insurers follows on guidance posted last month for consumers on how to prevent and detect medical identity theft.

Cisco Privacy Site Features Hogan Lovells Cloud Compliance Primer

Cisco has launched a Privacy and Security Compliance Journey web site with a variety of useful materials and resources. Here is how Van Dang, Vice-President, Law and Deputy General Counsel of Cisco describes it:

We want to share with our customers, colleagues in other legal departments and other interested parties our privacy and security compliance journey - and it is a journey since the legal framework and regulations in this area are still evolving. We hope you will find useful materials and resources featured in each tab below. We also hope that you will share your best practices and give us feedback on how we can improve. Cisco is pleased to host this collaborative site in support of the privacy community and is committed to continuously refreshing content, so please bookmark the site for future reference.

Hogan Lovells is pleased to have its primer on legal issues in Cloud Computing including privacy and data security concerns as the first featured content on the Cisco site.

Insurer Announces Innovative Risk Management Relationship with Hogan Lovells Privacy Practice

News of an innovative client program, a strategic risk management relationship with Hogan Lovells offering proactive resources and advice to manage privacy and data security risks, as well as just in time support and access to counseling in the event of an information breach:

ZUG, Switzerland, Jan. 11, 2011 /PRNewswire/ -- Allied World Assurance Company Holdings, AG (NYSE:  AWH) announced new strategic risk management relationships with the law firm of Hogan Lovells US LLP and eRisk Hub® available for Privacy 403v2 policyholders.

"The goal of our program is to provide our policyholders with both proactive resources and advice as well as just in time support and access to industry experts in the event of an information breach," said Susan Chmieleski, Senior Vice President Healthcare Product and Risk Management Lead, Allied World U.S.

Our program includes the following Hogan Lovells resources: Guide for Data Security Breach Preparedness and Response, Monthly Updates on Important Developments in Privacy and Information Management Law, Chronicle of Data Protection, Webinars, Help Desk for Breach Response and Incident Reporting, and Proactive Consulting.

Additionally, Allied World's e-Risk Hub® portal powered by Net Diligence is an internet-based service that features news, content and services from leading practitioners in risk management, computer forensics, forensic accounting, crisis communications, legal counsel, and other highly-specialized segments of cyber risk.

Adam Sills, Vice President of Allied World U.S.' Privacy/Technology Unit adds, "We are very pleased to announce our Risk Management services providing our Privacy 403v2 policyholders with the ability to proactively manage and respond to Privacy risks."

About Allied World Assurance Company

Allied World Assurance Company Holdings, AG, through its subsidiaries, is a global provider of innovative property, casualty and specialty insurance and reinsurance solutions, offering superior client service through a global network of branches and affiliates.  Our insurance and reinsurance subsidiaries are rated A (Excellent) by A.M. Best Company, and our Lloyd's Syndicate 2232 is rated A+ (Strong) by Standard & Poor's and Fitch. Please visit our website at www.awac.com for further information on Allied World.

Cautionary Statement Regarding Forward-Looking Statements

Any forward-looking statements made in this press release reflect our current views with respect to future events and financial performance and are made pursuant to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995.  Such statements involve risks and uncertainties, which may cause actual results to differ materially from those set forth in these statements.  For example, our forward-looking statements could be affected by pricing and policy term trends; increased competition; the impact of acts of terrorism and acts of war; greater frequency or severity of unpredictable catastrophic events; negative rating agency actions; the adequacy of our loss reserves; the company or its subsidiaries becoming subject to significant income taxes in the United States or elsewhere; changes in regulations or tax laws; changes in the availability, cost or quality of reinsurance or retrocessional coverage; adverse general economic conditions; and judicial, legislative, political and other governmental developments, as well as management's response to these factors, and other factors identified in our filings with the U.S. Securities and Exchange Commission. You are cautioned not to place undue reliance on these forward-looking statements, which speak only as of the date on which they are made. We are under no obligation (and expressly disclaim any such obligation) to update or revise any forward-looking statement that may be made from time to time, whether as a result of new information, future developments or otherwise.

SOURCE Allied World Assurance Company Holdings, AG

Privacy in France: 2010 review, 2011 perspectives

The beginning of the New Year gives us an opportunity to reflect on the evolution of privacy in France over the past twelve months and also to consider the new challenges and opportunities that will develop in 2011.

2010 was a year of evolution for the French data protection authority, the Commission Nationale de l'Informatique et des Libertés ("CNIL"), and 2011 promises to bring further changes. Formal changes came in the management of formalities, with a new online platform for completing them that seems to bring a much-needed improvement in the time taken to process files. Policy also evolved with the adoption of documents giving data controllers guidance on the security of data, and with the amendment of the general authorization for certain whistleblowing systems, which, although needed, could be regarded as slightly disappointing.

In France, 2010 also saw privacy invite itself in the public debate, whether as a result of controls and sanctions conducted and imposed by the CNIL or as a result of high profile cases such as the Google StreetView controversy or the decision acknowledging the legitimacy of the dismissal of an employee on the basis of comments posted on his Facebook page.

The review of the past year also allows us to anticipate some of the CNIL's points of focus for 2011. Firstly, the evolution of technologies will still be at the forefront of data protection discussions during the coming year. In 2010, the CNIL approved a number of processes involving biometric data, and the development of these technologies will continue to raise questions and issues this year. In 2011, the CNIL will also focus on the development and implementation of a major project: certification labels for products and services, which could become an important and discriminating factor in attracting customers in the short and long term.


Collection and use of personal data for direct marketing -- Lessons from the Octopus Case in Hong Kong

Data protection is currently a hot topic in Hong Kong. This is largely due to the furor caused by the discovery of the large scale sale of personal data by Hong Kong's Octopus Rewards Limited (a company owned by Octopus Holdings Limited) over a number of years. We reported previously that the Hong Kong Privacy Commissioner launched an investigation into Octopus Rewards Limited and Octopus Holdings Limited. In October the Hong Kong Privacy Commissioner issued his final report on the sale of personal data by Octopus for the purposes of direct marketing. A Guidance Note providing practical guidance on compliance with the requirements under the Personal Data (Privacy) Ordinance (the "Ordinance") relating to use of personal data for direct marketing was published on the same day.

On 18 October 2010 the Constitutional and Mainland Affairs Bureau (the "CMAB") published a consultation paper which summarises the responses to the consultation of the review of the Ordinance undertaken last year and puts forward the current proposals for reform. The CMAB has proposed 37 amendments to the Ordinance and the public are invited to comment on the proposals until 31 December 2010.


ICO Issues First Monetary Penalties for Serious Data Breaches

The UK data protection authority has issued its first monetary penalties for serious data protection breaches. The two cases highlighted in the ICO press release reveal that a county council has been fined £100,000 for faxing highly sensitive information relating to child sexual abuse cases and care proceedings to the wrong recipients, on two separate occasions. The second case involves an employment services company, which has been issued with a fine of £60,000 for the loss of an unencrypted laptop. 

These are the first substantial fines imposed by the ICO following the introduction of the new monetary penalties in April this year, and the cases will attract huge attention as a result. The ICO has the power to impose fines of up to £500,000 for serious breaches of the Data Protection Act, but until now no major fines had been levied, and it has been difficult to give real examples of the likely amounts for serious breaches.

The ICO has issued guidance on the new monetary penalties regime, which includes further details of the Commissioner's approach to these cases of serious data protection breach. The decision making process followed by the Commissioner is set out in a flowchart within the guidance, as follows:

The Commissioner has to be satisfied that –

a) There has been a serious contravention of section 4(4) of the Data Protection Act by the data controller; and
b) The contravention was of a kind likely to cause substantial damage or substantial distress; and either,
c) The contravention was deliberate; or,
d) The data controller knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention.

Once satisfied, the Commissioner will consider the level of fine to impose. The cases contained within the new press release may not be at the upper end of the scale, but they are not insignificant and should be noted by data controllers.

White House Proposes Cloud Computing Security Requirements for U.S. Government Agencies

On November 2, the General Services Administration (“GSA”) published the Proposed Security Assessment & Authorization for U.S. Government Cloud Computing guidelines, developed by an interagency team composed of representatives from the CIO Council, GSA, the National Institute of Standards and Technology (“NIST”), and other organizations.  The proposed guidelines are designed to provide a centralized system for assessing and authorizing cloud computing services for all U.S. government agencies in a manner that would provide appropriate security and maximize the efficiency of government contracting.  High impact U.S. government information services (e.g., classified military and intelligence data) would not be subject to these guidelines.  The agencies responsible for such activities would retain primary authority to assess and authorize information technology services in accordance with applicable laws and regulations.  Public comments on the proposed guidelines will be accepted until December 2, 2010.

The proposed guidelines call for security assessment and authorization of all cloud computing services for U.S. government agencies by the Federal Risk and Authorization Management Program (“FedRAMP”).  Consistent with the requirements of the Federal Information Systems Management Act, the proposed guidelines would require cloud service providers to demonstrate compliance with a variety of security obligations detailed in NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations (August 9, 2009).  Some of the controls recommended within NIST SP 800-53 have been augmented in the proposed guidelines.  Examples of these modifications include:

  • implementation of FIPS 140-2 compliant encryption for any Software as a Service (“SaaS”) offering that includes email; and
  • maintenance of at least three backups of user and system level data (one of which must be available online).

In addition to the goal of ensuring appropriate security for information used by the U.S. government, the guidelines are intended to improve the efficiency of the cloud service contracting process by creating an “authorize use, use many” system.  Once a cloud service provider has been authorized by FedRAMP for one agency, its services would be pre-authorized for other agencies. 


CFTC Proposes Rules on Affiliate Marketing, Data Disposal, and GLBA Privacy

On October 27, the Commodity Futures Trading Commission (CFTC) published two Notices of Proposed Rulemaking (NPRMs) proposing privacy rules under the Gramm-Leach-Bliley Act (GLBA) and affiliate marketing and data disposal rules under the Fair Credit Reporting Act (FCRA).

The rulemakings were prompted by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act).

The CFTC, an independent federal agency, maintains oversight over the commodity and financial futures and options markets.  The Dodd-Frank Act creates two new categories of entities that are subject to CFTC jurisdiction:  “swap dealers” and “major swap participants.”  Thus, the CFTC has proposed that those two types of entities would explicitly be subject to the CFTC’s existing GLBA privacy rules, first issued in 2001. Those rules impose certain obligations regarding the treatment of consumers' nonpublic personal information - in particular, restricting the ability of a covered entity to disclose such information to a party not affiliated with that entity. 

The CFTC’s second NPRM proposes to implement sections of FCRA dealing with affiliate marketing and data disposal.  The CFTC's proposed affiliate marketing rule would closely resemble the affiliate marketing rules issued by the Federal Trade Commission and the federal banking agencies in late 2007. While the CFTC has joined those agencies in other rulemakings, it did not join that particular rulemaking.  However, the Dodd-Frank Act specifically authorizes the CFTC to issue rules implementing the affiliate marketing and data disposal provisions of FCRA.

As with the other agencies' affiliate marketing rules, under the proposed rule an entity generally could not use a consumer's "eligibility information" received from an affiliate to make marketing solicitations to that consumer unless the consumer had first been given notice that such marketing may occur, a reasonable opportunity to opt-out of such use, and had not opted out. 

The disposal rule would require entities subject to CFTC jurisdiction that possess or maintain consumer information to develop and implement written policies and procedures for the proper safeguarding and disposal of such information.  The policies and procedures would be required to address, among other things, administrative, technical, and physical safeguards for consumer information, including protections against unauthorized access to or use of such information in connection with its disposal.  Such requirements are similar to the disposal rules issued by the FTC and federal banking agencies in 2004.

The CFTC is proposing to make the rules effective on July 21, 2011, the planned "transfer date" on which certain authority over consumer protection matters is to be transferred from other federal agencies to the Consumer Financial Protection Bureau created by Dodd-Frank. 

Public comments are due on each proposal by December 27, 2010.

U.S. Senate Hearing on Data Protection

On September 22, the U.S. Senate Commerce Committee's Consumer Protection, Product Safety, and Insurance Subcommittee held a hearing on S.3742, The Data Security and Breach Notification Act of 2010.  This Act would give the Federal Trade Commission the authority to require a wide range of commercial and nonprofit entities to establish security practices to protect personal information, including social security numbers and certain financial information.  Entities also would be required to notify individuals in the event of a breach of such information.  Hogan Lovells US LLP partner Melissa Bianchi testified before the Subcommittee about the effect this legislation would have on HIPAA covered entities, on behalf of the American Hospital Association.  A link to the hearing and video is available at http://commerce.senate.gov/public/index.cfm?p=Hearings.

Forbes Interview Explores Current Hot Topics in Privacy

In this interview with Forbes, I share some perspectives on

(1) the prospects for an online privacy bill passing this year;

(2) some of the issues raised by the Rush privacy bill currently pending in Congress;

(3) the efficacy of FTC enforcement;

(4) the problems with the concept of a "Do Not Track" list, which has been proposed; and

(5) the need for reform of the Electronic Communications Privacy Act.

Rite Aid Fined $1 Million for Improperly Disposing Personal Information

On July 27th, the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) announced settlements with Rite Aid Corporation for the improper disposal of personal information -- including prescriptions and labeled pill bottles containing identifiable information about Rite Aid customers, and employment applications -- in publicly accessible dumpsters behind Rite Aid stores in a number of cities across the country.  In addition to improperly disposing of personal information, HHS and the FTC also claimed that Rite Aid failed to:

  • implement policies and procedures to dispose securely of such information, including, but not limited to, policies and procedures to render the information unreadable in the course of disposal;
  • adequately train employees to dispose securely of such information;
  • use reasonable measures to assess compliance with its established policies and procedures for disposing such information; and
  • employ a reasonable process for discovering and remedying risks to such information.

Under the HHS resolution agreement, Rite Aid agreed to pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act Privacy Rule.  Rite Aid also agreed to distribute policies and procedures for protecting protected health information (such as the patient information improperly disposed in this case), train employees on the policies and procedures, monitor for violations, sanction employees who commit violations, and hire a third-party auditor to conduct periodic compliance reviews.  The HHS resolution agreement applies for three years.

In its consent order, the FTC accused Rite Aid of committing both unfair and deceptive trade practices in violation of Section 5 of the FTC Act.  Specifically, the FTC claimed that Rite Aid committed unfair trade practices when it failed to employ reasonable and appropriate measures to prevent unauthorized access to the personal information, and committed deceptive trade practices when it recklessly disposed of customers' health information despite making claims it would responsibly protect such information. 

In addition to the penalties imposed by HHS, the FTC ordered Rite Aid to cease misrepresenting its information security practices to consumers, establish a comprehensive information security program reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers and employees, and obtain biannual audits of its information security program for the next 20 years.

These settlements were similar to those imposed on CVS Caremark in February of 2009, which also stemmed from a joint investigation of the HHS and the FTC into reports of improperly disposed patient and employee information into publicly accessible dumpsters.  While many of the procedural requirements of the settlements are similar, in that case HHS required CVS Caremark to pay $2.25 million to settle the charges.

These cases reaffirm the agencies' commitment to investigating and punishing improper data disposal practices, especially in light of high-profile media reports discovering sensitive consumer information in dumpsters and boxes left by the side of the road.  In order to avoid these types of high-profile investigations, organizations should implement and enforce data retention policies and always destroy sensitive customer and employee data prior to disposal.

Twitter Consent Order Evidences Broader Scope of FTC Information Security Enforcement

On June 24, the FTC announced a proposed consent order with social networking service provider Twitter, Inc. The Twitter investigation is consistent with the FTC’s longstanding interest in policing the data privacy and security practices of social networking services, dating back to the FTC’s first online privacy case against Geocities in 1998.  

Within the general framework of FTC information security jurisprudence, this investigation reflects three noteworthy developments. First, the investigation demonstrates the broad reach of FTC Act § 5 concerning data security, extending well beyond protection of the kinds of data traditionally considered sensitive (e.g., Social Security Numbers and payment card numbers). Second, the complaint introduces security expectations, concerning controlling administrator-level access to information systems, that had not been previously expressed by the FTC. Third, this enforcement action appears to show that the FTC considers the protection of personal information critical at all stages of the business lifecycle, from start-up to wind-down.

A. Data Security Obligations Are Not Limited to Sensitive Personal Information

The FTC alleges that lapses in Twitter’s data security practices resulted in unauthorized persons gaining access to user accounts containing mobile telephone numbers, email addresses, and IP addresses. Unlike prior data security investigations, there is no allegation that unauthorized persons gained access to the traditionally identified forms of sensitive personal information, such as SSNs, financial account numbers, government ID numbers, or consumer reports. Nor is there any allegation that the affected information revealed sensitive personal characteristics (e.g., medical conditions), either directly or as revealed by purchases. There may be a number of explanations for this departure from past precedent.

1. Consumer Expectations Influence Security Obligations

All the data types affected by the security incidents suffered by Twitter were stored in areas that were allegedly described by Twitter as non-public. Hence, the FTC concerns appear to stem in part from the fact that consumers submitted such information to Twitter under the impression that Twitter would prevent unauthorized sharing. Accordingly, consumer expectations, rather than any fixed list of data elements, may dictate the steps that a company is expected to take to protect such data. Such a standard may have far reaching implications for websites, particularly those that encourage visitors to build profiles that are not intended for public display, including social networking services that offer users the option of maintaining “private” (or otherwise limited access) profiles.  

2. Fraud Prevention

Among the consequences of Twitter’s alleged failure to secure its systems was the misuse of existing Twitter accounts to transmit fraudulent messages. The FTC does not discuss the public policy concerns posed by the transmission of fraudulent messages in any great detail. Nonetheless, concerns likely include reputational damage, particularly for public figures and businesses (e.g., the Twitter incident resulted in fraudulent tweets transmitted from the accounts of President Barack Obama and Fox News). In addition, recent press reports indicate that criminals have used compromised social network accounts to attack the account holder’s friends list with messages containing malicious software or fraudulent pleas for money.  

B. Securing Administrator Level System Access

The attacks perpetrated against Twitter allegedly exploited weaknesses in the security measures used to limit administrator level access. Because administrator level privileges allow users to manipulate the settings and content of individual user accounts, the attackers were then able to take control of numerous accounts to view private information and engage in fraudulent activity.  

The specific security lapses cited by the FTC included the failure to:

  • establish or enforce strong password policies;
  • prevent the storage of administrative passwords in plaintext in employees’ private email accounts;
  • suspend or disable administrative accounts after a number of failed login attempts;
  • provide a separate login page for administrative access the address of which was made known only to authorized users;
  • enforce periodic changes of administrative passwords (e.g., 90-day expiration);
  • restrict access to administrative controls based on employees’ job functions; and
  • impose other restrictions on administrative access, such as by restricting access to specified IP addresses.
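The controls in that list translate directly into policy code. The following is an added example, not code from the original post or from any Twitter system: it models lockout after repeated failures, 90-day password expiry, job-function restriction and source-IP allowlisting, and evaluates constructed login attempts against them. All thresholds, role names, addresses and sample events are assumptions for illustration.

```python
"""Admin-access control checks of the kind the FTC complaint describes.

Added example (not from the original post or any real system). It models
the listed controls and replays constructed login attempts against them.
All thresholds, names and sample values below are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta

MAX_FAILED_ATTEMPTS = 5                 # lock the account after this many failures
PASSWORD_MAX_AGE = timedelta(days=90)   # periodic change, as in the post
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed allowlist
ADMIN_ROLES = {"site-reliability", "trust-and-safety"}  # job functions allowed admin


def password_is_strong(password: str) -> bool:
    """Minimal strong-password policy: 12+ characters and three character classes."""
    if len(password) < 12:
        return False
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) >= 3


@dataclass
class AdminAccount:
    username: str
    role: str
    password_set_on: date
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class LoginAttempt:
    username: str
    source_ip: str
    credential_ok: bool
    when: date


def evaluate(account: AdminAccount, attempt: LoginAttempt) -> str:
    """Return 'allow' or a deny reason; updates lockout state on the account."""
    if account.locked:
        return "deny: account locked"
    ip = ipaddress.ip_address(attempt.source_ip)
    if not any(ip in net for net in ADMIN_NETWORKS):
        # Network restriction is applied before the credential is even examined.
        return "deny: source address not in admin allowlist"
    if account.role not in ADMIN_ROLES:
        return "deny: job function not entitled to admin controls"
    if not attempt.credential_ok:
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True
            return "deny: locked after repeated failures"
        return "deny: bad credential"
    account.failed_attempts = 0
    if attempt.when - account.password_set_on > PASSWORD_MAX_AGE:
        return "deny: password expired, change required"
    return "allow"


def run_demo() -> list[str]:
    """Replay constructed attempts; returns the decision for each one in order."""
    today = date(2010, 6, 24)
    accounts = {
        "alice": AdminAccount("alice", "site-reliability", today - timedelta(days=10)),
        "bob": AdminAccount("bob", "marketing", today - timedelta(days=10)),
        "carol": AdminAccount("carol", "trust-and-safety", today - timedelta(days=120)),
    }
    attempts = [
        LoginAttempt("alice", "203.0.113.7", True, today),   # valid password, off-network
        LoginAttempt("bob", "10.1.2.3", True, today),        # valid password, wrong role
        LoginAttempt("carol", "10.1.2.3", True, today),      # valid but stale password
    ] + [LoginAttempt("alice", "10.1.2.3", False, today)] * 5 + [
        LoginAttempt("alice", "10.1.2.3", True, today),      # correct, but now locked out
    ]
    return [evaluate(accounts[a.username], a) for a in attempts]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```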

Department of Defense Proposes New Information Security Requirements for Contractors

The U.S. Department of Defense (DOD) has issued an advanced notice of proposed rulemaking regarding amendments to the Defense Federal Acquisition Regulation Supplement (DFARS) that would add new data protection requirements for unclassified DOD information used or handled by contractors. See 75 F.R. 9563 (March 3, 2010). The proposed amendments would create a two-tiered system of data security requirements, as well as an obligation to notify the DOD of security incidents.

The two tiers of data security requirements are described as “basic safeguards” and “enhanced safeguards,” both of which require “adequate security.” Under the proposed rules, “adequate security” would mean: “protection measures … commensurate with the risks (i.e., consequences and their probability) of loss, misuse, or unauthorized access to or modification of information.” 75 F.R. at 9566.

Basic safeguards are required for any unclassified DOD information. The required protections would include:

  • prohibiting the posting of any DOD information on websites unless they are restricted to users that provide user ID/password, digital certificate, or similar credentials;
  • using the “best level of security and privacy available” for transmissions of any DOD information transmitted via email, text messaging, and similar technologies;
  • transmitting any DOD information via telephone or fax only when reasonably assured that access is limited to authorized recipients;
  • protection of all DOD information by at least one physical (e.g., locked container) or electronic (e.g., user/password restriction) barrier;
  • sanitization of media in accordance with NIST protocols prior to disposal;
  • implementation of regularly updated malware protection and software patches/upgrades;
  • limiting sharing of any DOD information to third parties that have a “need to know;” and
  • contractually obligating all subcontractors to abide by the proposed regulations.

See id.

Enhanced safeguards apply to unclassified DOD information that meets one or more of the following criteria:

  • Critical Program Information (as defined in DOD Instruction 5200.39);
  • data subject to export controls under International Trafficking in Arms Regulations and Export Administration Regulations;
  • data designated for withholding under the FOIA program (as described in DOD Directive 5400.07);
  • data bearing current or prior controlled access/dissemination designations (e.g., For Official Use Only, Limited Distribution, and Proprietary);
  • technical data, software, or other information subject to DOD Directive 5230.24; and
  • personally identifiable information, including (but not limited to) data protected by the Privacy Act and HIPAA.

See 75 F.R. at 9566 - 67.

In addition to the basic safeguards listed above, contractors would be obligated to implement the following measures for data subject to enhanced safeguard requirements:

  • reporting any “cyber intrusion incident” to DOD, which includes any event involving unauthorized access to DOD information or an “advanced persistent threat” (meaning a “proficient, patient, determined, and capable adversary”);
  • cooperating with and providing support for DOD investigations of reported cyber intrusion incidents;
  • encryption when transmitting DOD information across wireless networks (by either encrypting the wireless connection itself or the individual files transmitted across such connections);
  • encryption of DOD information stored on laptops, mobile devices, and removable media;
  • monitoring and control of network traffic through mechanisms such as firewalls and/or intrusion detection/prevention systems; and
  • implementation of an information security program consistent with NIST Special Publication 800-53.

See id.

With regard to the “cyber intrusion incident” reporting requirements, “advanced persistent threats” appear to be reportable without regard to whether such a threat actually results in unauthorized access to DOD information. Attempted advanced persistent threats may be reportable events. In addition, covered contractors may be obligated to comply with all reporting, support, and cooperation requirements for incidents reported by their subcontractors.

With regard to cross-compliance with HIPAA, it appears that entities which are already compliant with the HIPAA Security Rule would not be required to make substantial changes to their existing safeguards for protected health information with the exception of adding procedures for reporting “cyber intrusion incidents” to, and cooperating with resulting investigations by, DOD.

The public comment period ends on May 3, 2010. DOD has scheduled a public meeting to discuss the proposed regulations on April 22, 2010 from 8:00 AM to 4:00 PM (EST). Attendees are expected to register two weeks in advance (thus, by April 8, 2010).

FTC Consent Decree Requires Monitoring and Filtering of Outbound Computer Traffic to Block Export of Sensitive Information

On March 25, Dave & Buster's (D&B), which operates 53 restaurant and entertainment complexes across the country, entered into a consent decree with the FTC stemming from a 2007 breach of its network through which a hacker obtained information identifying approximately 130,000 payment cards when in transit to D&B's payment card processors.  
 
In this case, the FTC focused on the importance of intrusion detection systems, protecting sensitive information in transit, and securing wireless access points.  And, in an important development in FTC practice, the Commission criticized D&B for failure to monitor and filter outbound traffic to block the export of sensitive information.  While many firms voluntarily use data loss prevention software to detect and block the transmission of sensitive personal information from their systems, such as through employee e-mail, this is the first time that the FTC has claimed that those storing sensitive information might be required, under Section 5 of the FTC Act, to monitor outbound traffic.  In other words, the FTC has gotten more specific about what security measures are required to avoid a finding of an unfair consumer practice under Section 5.  The significance of this new consent decree is that companies are now on notice that they could invite FTC scrutiny if a breach could have been detected and cured by the use of data loss prevention software.

In the Complaint leading to the consent decree, D&B was cited for:

  • failing to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as by employing an intrusion detection system and monitoring system logs;  
  • failing to adequately restrict third-party access to its networks, such as by restricting connections to specified IP addresses or granting temporary, limited access;
  • failing to monitor and filter outbound traffic from its networks to identify and block export of sensitive personal information without authorization;
  • failing to use readily available security measures to limit access between in-store networks, such as by employing firewalls or isolating the payment card system from the rest of the corporate network; and
  • failing to use readily available security measures to limit access to its computer networks through wireless access points on the network.
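The outbound-traffic monitoring the Complaint faults D&B for omitting is, in practice, a data loss prevention check on content leaving the network. As an added illustration that is not part of the original post or of any FTC material, the following Python script scans constructed outbound message bodies for Luhn-valid payment card numbers and US Social Security Numbers and returns a block/allow verdict with the matches masked for audit logging. The message names, message bodies, regular expressions and masking rule are all assumptions made for this example.

```python
"""Minimal outbound-content filter of the kind the D&B complaint refers to.

Scans outbound message bodies for payment card numbers (validated with the
Luhn checksum so that arbitrary digit runs do not trigger a block) and for
US Social Security Numbers, and returns a block/allow decision with the
matches masked for logging. All sample records below are constructed.
"""
import re
from dataclasses import dataclass, field

# Candidate card numbers: 13-19 digits, optionally separated by spaces/dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in the common 3-2-4 punctuated form.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so audit logs do not re-leak the data."""
    return "*" * (len(value) - 4) + value[-4:]


@dataclass
class Verdict:
    block: bool
    findings: list = field(default_factory=list)   # list of (kind, masked value)


def inspect_outbound(body: str) -> Verdict:
    """Inspect one outbound message body; block if any sensitive value is found."""
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):                     # reject digit runs that are not card numbers
            findings.append(("card", mask(digits)))
    for m in SSN_RE.finditer(body):
        findings.append(("ssn", mask(m.group())))
    return Verdict(block=bool(findings), findings=findings)


# Constructed sample outbound records (not real traffic). The card number is the
# well-known test value 4111 1111 1111 1111 and the SSN is the widely published
# sample 078-05-1120; the tracking id is a digit run that fails the Luhn check.
SAMPLE_MESSAGES = {
    "order-export": "batch 0042: card 4111 1111 1111 1111 exp 12/12",
    "newsletter": "Tracking id 1234567890123456 shipped today",
    "hr-note": "Update W-2 for employee 078-05-1120 before Friday",
    "benign": "Reminder: team lunch at noon",
}


def filter_messages(messages):
    """Return {name: Verdict} for every outbound message."""
    return {name: inspect_outbound(body) for name, body in messages.items()}


if __name__ == "__main__":
    for name, v in filter_messages(SAMPLE_MESSAGES).items():
        print(name, "BLOCK" if v.block else "ALLOW", v.findings)
```

Commercial DLP products add channel, destination and user context and many more detectors; the point of the Luhn check here is that a bare sixteen-digit tracking number does not produce a false block, since that kind of noise is what leads teams to switch outbound monitoring off.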

In the consent decree, D&B agreed to establish a comprehensive information security program and to obtain independent, professional audits of the program biennially for ten years.

The FTC has long pursued consent decrees against companies that suffer breaches of personal or payment card information left unprotected due to lax security standards.  The requirement that D&B institute a comprehensive information security program is par for the course, as is the biennial audit requirement.  In fact, though D&B does not have any Massachusetts locations, if it maintains in its databases the credit card information of any Massachusetts resident it is already subject to a requirement that it implement a comprehensive information security program under the state's data security standards, which became effective March 1, 2010.
 

But, again, the significance of this consent decree is the new requirement to monitor outbound computer traffic as a means of detecting the unauthorized export of PII.

Short Guide to Responding to Data Security Breaches

The recent effective date for enforcement of the new HIPAA/HITECH data-security breach notification rules, and the continued passage of and amendments to state notification laws, make compliance with data-security breach notification requirements more challenging than ever.

The H&H Chronicle of Data Protection thought it would be useful to provide this Short Guide to Responding to Data Security Breaches as a refresher for some and as a wake-up call for others.

Companies collect, maintain, use, and exchange vast amounts of personal data on employees, consumers and others. Unwanted release or exposure of personal information can violate privacy, lead to identity theft, and result in adverse publicity. Lawmakers, regulators, and advocates are increasingly focused on data security and breaches of it. Data security is becoming a risk-management priority at companies.

Still, breaches happen, even with the most careful precautions.

Effective handling of a data-security breach and legal compliance are best achieved with advance planning to ensure that a business's response is effective, efficient, and timely. A business's response will be easier if it already knows which laws and contracts apply to its data and what its duties will be if its information is improperly disclosed or accessed.

Fundamentally, businesses should have a detailed written data security breach response plan that has been shared with those who will implement the response, because responding to a data security breach “on the fly” creates the potential for liability-creating mistakes.

What law applies to a data-security breach?

As most businesses know by now, starting in California in 2003, the law began to impose an obligation on those who hold data on persons to provide notice if there is a breach of its security. Forty-five states, Washington, DC, the Virgin Islands, and Puerto Rico have such laws currently, and federal rules govern disclosure of health-related personal information.

The Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”) each has issued data breach notification rules. See this previous blog entry for details. The rules implement provisions of the American Recovery and Reinvestment Act of 2009 (“ARRA”) and are aimed at providing increased protection of individuals’ health information. Enforcement of the HHS and FTC breach notification rules began last month, as described here.

The Federal Trade Commission, state attorneys general, and private plaintiffs have pursued companies that have experienced data-security breaches. Such investigations typically have focused not only on whether notice protocols were followed, but also on underlying data security. Under HITECH, the Department of Health and Human Services has enhanced power to investigate and enforce against data security deficiencies.

What actions should the business take promptly after a breach?


FCC Releases National Broadband Plan, Promotes Consumer Control Over Personal Information

The Federal Communications Commission released its long-awaited National Broadband Plan today, providing an aggressive roadmap for advancing affordable broadband deployment and adoption; stimulating economic growth; and boosting the nation's capabilities in education, healthcare, homeland security, and other areas.  The Plan also appears to confirm that the FCC is looking to take an expanded role in privacy-related consumer protection issues.

In the Plan, the FCC discusses a number of broadband privacy and data security issues focused on the protection of and consumer control over personal information.  For example, the FCC states:

[t]he collection, aggregation and analysis of personal information are common threads among, and enablers of, many application-related innovations...

and the Plan notes the value of services such as customized suggestions for movie rentals or books and more targeted and relevant advertising.  It cautions, however, that

many users are increasingly concerned about their lack of control over sensitive personal data.

The FCC then remarks:

Innovation will suffer if a lack of trust exists between users and the entities with which they interact over the Internet.  Policies therefore must reflect consumers’ desire to protect sensitive data and to control dissemination and use of what has become essentially their “digital identity.”  Ensuring customer control of personal data and digital profiles can help address privacy concerns and foster innovation.

The FCC also makes several broadband privacy and data security recommendations in the Plan, including:

  • Encouraging Congress and the Federal Trade Commission (as well as the FCC) to clarify the relationship between users and their online profiles, including disclosure and consent requirements and data collection, sharing, storage, safeguarding, and accountability responsibilities;
  • Suggesting that Congress consider helping spur the development of trusted "identity providers" that can help consumers maximize the privacy and security of their data;
  • Having the FTC and FCC jointly develop principles to require that customers provide informed consent before broadband service providers share certain information with third parties (including account and usage information and other personally identifiable information); and
  • Prompting the federal government to put additional resources into combating identity theft and fraud and enhancing consumer online security.

In addition, the Plan includes several privacy and data security recommendations in the smart grid and cybersecurity areas, including a recommendation that states require utilities to "provide consumers access to, and control of, their own digital energy information, including real-time information from smart meters and historical consumption, price and bill data over the Internet."  If states fail to do so within 18 months, the Plan recommends that Congress consider national legislation.

Enterprises Should Beware the Pitfalls of Compliance with the Massachusetts Information Security Regulations

The Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts, 201 CMR 17.00 (“Massachusetts Standards”), include a broad range of administrative, physical, and technical obligations.  Nevertheless, there are certain common business processes that may pose unique and substantial compliance challenges.  Accordingly, organizations subject to these regulations should give very careful consideration to their practices in the following high risk areas. 

Email

First, the obligation to encrypt all sensitive personal information transmitted over public networks will have a substantial impact on the use of email to collect and transmit such data.  While there is generally accepted technology available to encrypt email and/or files attached to emails, implementing such tools and properly training the workforce to use them may require significant expense.  (It should also be noted that this would apply to webpage forms that populate and transmit emails, as well as the use of Instant Messaging, Text Messaging, or similar technologies to transmit personal information.)

Organizations that exchange personal information directly with consumers may find the transition particularly difficult.  Many consumers may be ill-equipped to deal with encrypted messages and attachments.  Moreover, the encryption/decryption process may create negative user experiences that undermine customer goodwill.  While decrypting messages and attachments may be quite straightforward for the technology savvy consumer, it is likely to be confusing or frustrating for many others.  Similar complications may arise when dealing with small to mid-sized third party service providers that have limited technological sophistication.

In light of the foregoing, many organizations may consider alternative communications protocols, such as shifting email-dependent business processes to web browser-based processes that can be secured in a more efficient and centralized manner. Web pages served over secure HTTP or secure FTP could replace most present-day email communications involving personal information. 

Portable Devices

The Massachusetts Standards require the encryption of sensitive personal information stored on portable devices.  By the Massachusetts government’s own admission, there are no generally accepted encryption tools for use on many commonly-used portable devices, such as smartphones and PDAs.  As a result, enterprises subject to the Massachusetts Standards should carefully consider when it is necessary and appropriate, if ever, to store sensitive personal information on portable devices.  Alternatives, such as truncation of sensitive data (e.g., SSNs and financial account numbers) and use of secure online protocols (e.g., secure HTTP or secure FTP) for transmitting data to third parties, should be thoroughly contemplated.  In those instances when such storage is both necessary and appropriate, procedures, including workforce training, should be developed to ensure that the data remains secure during storage.

There is a certain level of overlap with the email concerns discussed above because a likely source of personal information on smartphones is the email messages that may be accessed through the devices.  Since encryption of these messages may not be practicable, organizations may have further incentive to suspend the exchange of personal information via email in favor of browser-based protocols.

Third Party Relationships

The Massachusetts Standards require enterprises to “select and retain” third party service providers that will provide safeguards consistent with the other requirements of the regulations, as well as contractually obligate third party service providers to maintain such safeguards.  The “select and retain” provision is fairly vague, affording the Massachusetts government (and courts) the opportunity to interpret it in ways that could introduce substantial obligations.  This provision appears to impose obligations to engage in pre-contract evaluation and post-execution monitoring of the security practices of third parties. 

Prior iterations of the Massachusetts Standards included an explicit requirement to obtain written certification of compliance from third party service providers.  Since that language has been removed, the regulations no longer provide concrete guidance on what steps should be taken to “select and retain” appropriate third party service providers.  The resulting ambiguity is a problem for both data owners and their prospective service providers.  Service providers are reluctant to reveal detailed information about their security policies and procedures because such information may be misused at significant cost to the service provider.  On the other hand, data owners are limited in their ability to rely upon imprecise representations of robust security measures from service providers because such representations appear to be self-serving. 

Accordingly, it is important for enterprises in both positions (as data owners and/or service providers) to thoroughly analyze the most effective and appropriate way to ensure that their contractual relationships satisfy the Massachusetts Standards.  Among the potential alternatives is the retention of reputable independent auditors to analyze service provider security practices and generate compliance reports for distribution to business partners (as is common for third parties that provide services subject to the Sarbanes Oxley Act). 

Massachusetts Regulations May Herald New Era for Information Security

A new era of information security law may well start as the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts, 201 CMR 17.00 (“Massachusetts Standards”) go into effect today, March 1, 2010.  All institutions collecting sensitive personal information (e.g., a name combined with a Social Security Number, state-issued identification number, or financial account number) from Massachusetts residents should pay careful attention to the requirements and enforcement of these regulations.  However, the implications beyond those entities that operate in Massachusetts may be longstanding as well.

Information Security Law Trend: From Generalities to Specificity

While information security statutes and regulations are fairly new developments in United States law, the previous trend reflected a bifurcated approach by federal and state authorities.  On the one hand were the somewhat ambiguous reasonableness standards imposed by states such as California and Texas.  On the other hand were detailed regulations imposed upon industry sectors commonly involved in the handling of sensitive personal information, such as the HIPAA Security Rule, GLB Safeguards Rule, and FCRA/FACTA Disposal Rule.

As press reports of significant breaches of sensitive personal information have continued to mount, state lawmakers have taken an increasingly aggressive approach to regulation. Starting with the rather quiet passage of the Oregon Identity Theft Protection Act and the more widely noted passage of the Minnesota Plastic Card Security Act, both in 2007, several states have attempted to adopt detailed information security obligations applicable to all entities that handle sensitive personal information.  Accordingly, Nevada has recently revised its data protection statute, which includes an obligation that businesses that handle credit card transactions must comply with the Payment Card Industry Data Security Standard (similar to the Minnesota Plastic Card Security Act).  Meanwhile, detailed information security regulations remain under development in New Jersey.

A New Revolution Starts in Massachusetts

The Massachusetts Standards stand as a unique development in this lineage because they are notably more comprehensive than the reasonable security statutes implemented in many states and expressly disclaim any exemptions based upon compliance with other regulatory schemes (whether self regulatory such as PCI DSS or federal such as HIPAA and GLB).  In fact, the Massachusetts Standards include a number of technical requirements that are not spelled out in similar detail in the federal sector-specific regulations.  For example, the Massachusetts Standards expressly require the implementation of network firewalls and regularly scheduled patching of operating systems, obligations that are not expressed in either the HIPAA Security Rule or the GLB Safeguards Rule. 

While the Commonwealth’s enforcement agenda remains to be seen, particularly with respect to out-of-state organizations, the regulations are likely to have a distinct impact on many entities. The wide scope of the regulations themselves (covering many administrative, physical, and technical security areas) and the entities arguably subject to the regulations (any entity, regardless of size, that collects sensitive personal information from Massachusetts residents), will compel a significant number of organizations to consider their compliance alternatives.

Although the Massachusetts Standards are designed to scale to the unique circumstances of each entity subject to the obligations (a point reemphasized in revisions issued on August 17, 2009), it is yet to be seen how the enforcement authorities will apply this scalability in practice.  Some of the provisions introduced in an attempt to increase the flexibility of the regulations have inadvertently led to new ambiguities.  For instance, the technical security requirements are only necessary to the degree that they are “technically feasible.”  However, the definition of “technically feasible” (“if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used”) provides limited practical guidance.  Regardless of their ultimate decisions, entities will be assuming a certain level of risk with any compliance decision until the Massachusetts authorities establish further guidance, either through supplemental documents or enforcement actions.

All that being said, many elements of the Massachusetts Standards are more evolutionary than revolutionary, but their impact may remain substantial.  For example, the Massachusetts Office of Consumer Affairs and Business Regulation has stated in its official Frequently Asked Questions that all backup media must be encrypted prospectively.  While encryption has been a solution of choice for legislators and regulators for some time now, it has historically been encouraged as a form of safe harbor for data breach notification requirements (in state law and recently issued federal health data breach notification regulations).  However, the Massachusetts Standards join the Nevada encryption law in mandating the encryption of sensitive personal information both during transmission and during storage on portable devices and media.  The financial and opportunity costs of such wide-ranging obligations to encrypt data may prove substantial, and enterprises should be planning accordingly.

FTC Sends Warning Shot to Organizations Allowing Peer-to-Peer Software on their Networks

The Federal Trade Commission has warned one hundred businesses and organizations that peer-to-peer software (typically used by employees to download and share copyrighted music, software and movie files over the Internet) is exposing information on customers and employees, including health and financial data, Social Security numbers and driver's license numbers.

In a release entitled "Widespread Data Breaches Uncovered by FTC Probe" the FTC warned that the presence of privacy-violating peer-to-peer software on an organization's network may represent a violation of the security obligations under a variety of federal statutes.

In one sample letter of the type sent to one of the 100 entities referenced in the FTC release the Commission wrote:

We have not determined whether your company is violating laws enforced by the Commission. However, the FTC is urging you to review your security practices for personal information about your customers and employees, and, if appropriate, the practices of contractors and vendors with access to such information, to ensure that the practices are reasonable, appropriate, and in compliance with the law. It is your responsibility to protect such information from unauthorized access, including taking steps to control the use of P2P software on your own networks and those of your service providers. (emphasis supplied)

In the letters sent to organizations found to be hosting the P2P software, the Commission also pointedly provided a link to the long list of enforcement actions taken by the Commission for inadequate data security (leading to compromised personal privacy).

While focused on the data security threats created by P2P software, the FTC's release also underscores the importance of data security generally and the legal risks involved in not adequately addressing the issue.   (In that connection, Hogan & Hartson's privacy and data security practice group regularly assists clients in conducting a risk management assessment to identify privacy and data security issues, including the presence of P2P software, and to suggest remedial steps.)

List of Reported Breaches Affecting 500 or More Individuals is Now Available on HHS' Website

Today as the HHS Office of Civil Rights begins to enforce the federal health data breach notification rule, the agency publicly posted the list of reported breaches affecting 500 or more individuals. The list is available on the HHS’ website and includes the following information:

  • the entity’s name
  • state
  • approximate number of affected individuals
  • date of breach
  • type of breach (e.g. theft, misdirected e-mail)
  • location of information at time of breach (e.g. desktop computer, laptop, paper, mailing).

Enforcement of HHS and FTC Breach Notification Rules Begins Today

Enforcement of the Department of Health and Human Services’ (“HHS’”) and the Federal Trade Commission’s (“FTC’s”) Breach Notification rules begins today. Both agencies initially exercised their enforcement discretion and delayed enforcement until February 22, 2010, to provide entities subject to the rules with time to implement compliance processes and procedures.

HHS’ interim final rule on breach notifications, issued on August 24, 2009, requires entities covered by HIPAA and their business associates to provide notification following discovery of a breach of security involving an individual’s unsecured protected health information.  Under the rule, covered entities are also required to notify the HHS Secretary. For breaches affecting fewer than 500 individuals that occurred during calendar year 2009 and after the September effective date of the HHS breach rule, notification to the Secretary must be submitted by March 1, 2010. 

The FTC breach rule, issued on August 17, 2009, applies to vendors of personal health records, PHR-related entities and third-party service providers. 

New Guidance on Preservation of Electronically-Stored Information from Zubulake Judge

We regularly advise clients that the starting point for privacy and data security risk management is to understand what data is being held.  Knowing what data is being held (and preserving it) also is a key component of compliance in litigation.  Indeed, the need for companies to data map their information long before litigation arises has increased urgency in light of a recent ruling.

In Pension Committee, the judge who issued the series of seminal Zubulake opinions, which essentially defined electronic document retention and discovery nation-wide, calls for litigants not only to identify key data keepers but to identify key data very early in litigation. Some of the new holdings described in Hogan & Hartson's Litigation Alert (link below) are likely to become as influential as the discovery-altering Zubulake decisions.

In Pension Committee, Judge Scheindlin finds, among other things, that the failure to issue a written litigation hold for relevant individuals and data constituted gross negligence because that failure is likely to result in the destruction of relevant information. Severe sanctions, such as dismissal, monetary sanctions, and adverse inference instructions, were therefore presumptively appropriate absent contrary indications of good faith. Failure to appropriately collect and preserve electronically stored information from all key players may now also be considered gross negligence, and even failure to collect and preserve from less-involved employees may be considered negligent. Additionally, companies must be even more conscious of the fate of, and process in place to handle, former-employee data for fear of being found grossly negligent if a preservation duty has attached. For more information about this important decision please see the attached Litigation Alert, which was drafted by two members of our Electronic Information Group.

FCC Seeks Comment on Numerous Broadband Privacy Issues

The Federal Communications Commission released a Public Notice this week seeking further comment on numerous privacy issues as part of its National Broadband Plan proceeding.  Based on questions raised in a recent Center for Democracy & Technology filing, some of the broad issues that the Notice seeks comment on include:

  • Consumer expectations of privacy, and how to meet those expectations as new technologies are deployed;
  • Building Privacy by Design;
  • Concerns surrounding the collection, use, and storage of transactional data; and
  • The regulation of third-party applications.

The FCC, which is working to complete the Plan and submit it to Congress by March 17, has thus far not focused extensively on how to protect consumer privacy and personal information in the broadband ecosystem.  This Notice, however, indicates that the FCC may be planning to highlight a number of privacy-related consumer protection issues in the Plan.  Moreover, depending in part on the comments received in response to the Notice, it could also open the door to future privacy and data protection proceedings at the FCC.

Comments are due on January 22, 2010, just over a week after the Commission issued the Notice.

Connecticut AG Brings HIPAA Charges Against Health Net For Data Security Breach

In the first HIPAA action filed by a state attorney general, Connecticut Attorney General Richard Blumenthal filed a lawsuit yesterday against Health Net of Connecticut for failing to secure private medical and financial information concerning 446,000 of its Connecticut enrollees, and for subsequently neglecting to promptly notify affected individuals. Blumenthal is also seeking a court order to prevent Health Net from continued violations by requiring the company to encrypt any protected health information (“PHI”) contained on portable electronic devices. The lawsuit is the first action by a state attorney general to enforce HIPAA since the Health Information Technology for Economic and Clinical Health Act (“HITECH”) provided state attorneys general with the power to initiate civil actions on behalf of state residents for violations of HIPAA.

In May 2009, Health Net discovered that a portable computer disk drive containing social security numbers, health claim forms and bank account numbers for approximately 446,000 Connecticut enrollees was missing. According to Blumenthal, Health Net subsequently failed to promptly notify appropriate authorities and consumers of the incident. Blumenthal further alleges that Health Net failed to comply with its own policies and federal law regarding the protection of personal information, and failed to effectively train and supervise its workforce on the proper policies for maintaining, using, and disclosing PHI.

House Passes Comprehensive Data Security Legislation

On December 8, the House of Representatives by voice vote passed H.R. 2221, entitled the "Data Accountability and Trust Act," which would require all organizations engaged in interstate commerce that manage or contract another to manage electronic data containing personal information to comply with a comprehensive set of standards designed to protect that information from unnecessary disclosure and to prevent identity theft and other fraud.

These measures include:

  • Requiring covered organizations to establish and implement comprehensive policies and procedures regarding information security practices for the treatment and protection of personal information, tailored to the individual organization's capabilities.  This would include:
    • the creation of a security policy;
    • the identification of a security officer or other individual as the point of contact for the organization's security program;
    • the creation of a process for assessing vulnerabilities to electronic systems containing personal information, including regular monitoring for security breaches;
    • the creation of a process for taking preventative and corrective action to mitigate against any vulnerabilities found; and
    • the creation of a process for the secure disposal of obsolete data.
  • Subjecting data brokers maintaining PII to standards similar to credit reporting agencies, including allowing individuals to request and correct false information maintained about them, and punishing data brokers for the unauthorized disclosure of personal information through "pretexting" -- that is, obtaining or hiring someone who obtains personal information of others through false pretenses.
  • Creating a federal data breach notification requirement that would mandate any organization suffering a breach of personal information to notify all affected individuals, unless it determines that there is no reasonable risk of identity theft, fraud, or other unlawful conduct (which can be presumed if the data is properly encrypted or otherwise rendered in an electronic form unreadable or undecipherable).  Organizations suffering breaches would also be required to provide consumer credit reports to affected individuals on a quarterly basis for two years.

The FTC would be directed to pass regulations and guidance implementing and interpreting many of the specifics, and would be granted civil enforcement authority through its power under the FTC Act to prevent unfair and deceptive trade practices.  In addition, the bill would empower state attorneys general to bring civil actions to enforce its provisions with regard to violations against residents of their respective states.

Penalties would be substantial.  The failure of any covered organization to implement a comprehensive data security program or of data brokers to implement requirements specific to them would carry a maximum penalty of $11,000 per violation -- which in the case of the data security program would be $11,000 per day -- up to a maximum of $5,000,000.  Failing to comply with the breach notification provision would carry a penalty of up to $11,000 per failed notification, up to a maximum of $5,000,000, which could theoretically be reached by an unreported breach of the personal information of only 455 individuals.

Importantly, the bill would preempt the breach notification laws of forty-five states, the District of Columbia, Puerto Rico, and the Virgin Islands, as well as the recent controversial Massachusetts regulations requiring the creation of a comprehensive data security program and policy by all organizations maintaining the electronic personal information of residents of that state.  It would not, however, replace any of the parallel federal breach notification standards, such as the breach notification rule recently issued by the Department of Health and Human Services under the HITECH Act and other disclosure requirements under the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act.

Just last month, the Senate Judiciary Committee approved two bills very similar to H.R. 2221.  While there are some notable differences -- including criminal penalties, an applicability threshold for the data security program requirement, and express exemptions for entities in compliance with similar federal regulations in the Senate versions, and prohibition of pretexting and higher penalties in the House version -- all three bills have enjoyed bipartisan support and their purposes are aligned.  Though health care and other items remain higher on the Senate's agenda, and the full chamber is unlikely to vote on the bills for some time, proponents are now likely to point to the momentum generated by the passage of the House version to bring the issue before the Senate sooner rather than later.

District Court Explains Ruling that Red Flags Rule Doesn't Apply to Lawyers, Implies Limitation of Applicability to Banking, Lending, & Finance Sectors

On December 1, Judge Reggie Walton of the U.S. District Court for the District of Columbia issued a memorandum opinion in a lawsuit by the American Bar Association against the Federal Trade Commission, explaining his October 29 ruling from the bench that the FTC's Red Flags Rule does not apply to lawyers.  Holding that "[e]ven a cursory review of the language of [the Fair and Accurate Transactions Act (FACT Act), through which Congress authorized the creation of the Red Flags Rule, and other legislation defining relevant terms] and the purposes underlying their enactment leads the Court to the conclusion that it was not 'the unambiguously expressed intent of Congress' to bring attorneys within the purview of the FACT Act and thus subject them to regulation by the Commission's Red Flags Rule," Judge Walton rejected almost every argument put forth by the FTC and indicated that the court would similarly condemn any FTC attempt to apply the Rule to other professionals outside of the banking, lending, and financial sectors who bill periodically for services previously rendered.

Specifically, Judge Walton rejected the Rule's applicability to lawyers under both prongs of the Chevron test regarding judicial deference to agency interpretation, finding that no evidence indicated that Congress intended that rules promulgated under the FACT Act would apply to lawyers, but even if Congressional intent could be considered ambiguous, that the FTC's interpretation of the FACT Act and its resulting application of the Rule to lawyers was unreasonable and therefore undeserving of deference.


UK Takes Step That Likely Will Result in Significantly Increased Penalties for Data Breaches

In a move that likely will result in a significant increase in civil penalties that can be assessed in the UK for data security breaches, this month the UK Ministry of Justice began consultation on the introduction of a maximum civil monetary penalty for serious breaches of the Data Protection Act 1998 (DPA), entitled ‘Civil Monetary Penalties: Setting the maximum penalty’.

The prospect of a maximum financial penalty was introduced into the DPA in 2008 by the Criminal Justice and Immigration Act 2008, but has yet to be implemented. After the consultation closes on 21 December 2009 it is likely to become law in April 2010.

European Network and Information Security Agency (ENISA) Issues Cloud Computing Guidance

The European Network and Information Security Agency (ENISA) has just published a paper on cloud computing, which discusses the benefits and risks of cloud computing from a security perspective. The paper also includes recommendations for improving information security in the context of cloud computing and provides a set of questions, in our view a very helpful one, that organizations can use to assess whether or not providers of cloud computing services are sufficiently protecting the data entrusted to them.

The key conclusion of the paper is that the “cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defenses can be more robust, scalable and cost-effective.” 

The paper is particularly timely in light of the European Commission’s public consultation on the legal framework for the fundamental right to protection of personal data, which closes at the end of next month. ENISA’s paper includes specific recommendations for the European Commission’s future consideration. It rightfully points out that certain issues related to the EU Data Protection Directive and Article 29 Working Party recommendations warrant clarification. In the current legal framework, it is not clear, for example, under which circumstances a provider of cloud computing services may be classified as a “joint controller” of personal data. ENISA also recommends that the European Commission examine and clarify, inter alia:

- whether providers of cloud computing services should be obliged to notify their customers of data security breaches (and what information should be provided to these customers);

- the legal impact of data transfers to providers of cloud computing services in countries outside the European Economic Area (EEA), if those countries do not provide an “adequate” level of data protection;

- how the intermediary liability exemptions arising from the eCommerce Directive apply to providers of cloud computing services.

As far as information security is concerned, ENISA’s paper provides useful and practical guidance for potential and existing users of cloud computing services as well as policy makers. It will be interesting to see to what extent its recommendations will result in concrete action by the European Commission and/or the Article 29 Working Party.

Senate Committee Approves Data Security Bills Creating Federal Data Security Program, Breach Notification Requirements: Criminal and Civil Penalties Give Proposed Law Real Teeth

On November 5, the Senate Judiciary Committee passed two bills that collectively would preempt a large swath of the patchwork quilt of state data security and breach notification laws that largely comprise the U.S. regulatory landscape today.

S. 1490, introduced by Sen. Patrick Leahy (D-Vt.), would preempt most state data security laws. The bill would mandate the implementation of a comprehensive data security program by all businesses maintaining personally identifiable information (PII) of 10,000 or more individuals not currently required to do so by certain federal laws (such as GLBA for those maintaining financial information and HIPAA for those maintaining health information). Covered businesses would be required to conduct an internal data security risk assessment, adopt controls to reasonably manage these risks and to detect security breaches, and conduct regular vulnerability testing and reassessment to ensure their program is appropriately managing risks.

The bill would also create a federal data breach notification requirement, preempting the variety of state laws that today cause compliance headaches among those that experience such a breach. The bill's provisions mirror most of the common themes of the state laws, including that breaches must be reported "without unreasonable delay" except as necessary for law enforcement or national security purposes, and that in addition to the affected individuals notification must be made to prominent media in all states in which the information of 5,000 or more individuals is reasonably believed to have been breached. Like some of the state laws, the bill contains a "risk of harm" threshold, exempting notification in situations in which it is determined that there exists no significant risk that the breach will result in harm (subject to the Secret Service's approval of this determination). The use of effective encryption, redaction, or other industry-standard controls would create a statutory presumption that no harm is likely to occur from a breach.


AICPA Sues FTC to Block Red Flags Applicability to Accountants

The American Institute of Certified Public Accountants (AICPA) on Tuesday filed a lawsuit against the Federal Trade Commission (FTC) challenging the applicability of the agency's Red Flags Rule to Certified Public Accountants.  This comes on the heels of a district court ruling in a lawsuit brought by the American Bar Association (ABA), reported here, that the regulations do not apply to lawyers.

“We do not believe that there is any reasonably foreseeable risk of identity theft when CPA clients are billed for services rendered,” said AICPA President and CEO Barry Melancon. “As trusted advisors, CPAs are personally acquainted with their clients and already adhere to strict privacy requirements governing identifying information.”

The accountants' lawsuit alleges primarily that the FTC lacks authority to regulate CPAs, just as it lacks authority to regulate lawyers, both of whom are regulated by state authorities.  In addition, the lawsuit claims that the FTC failed to explain how the manner in which public accountants bill their clients in the normal course of business constitutes an "extension of credit" under the rule, and that it failed to identify any legally supportable basis for applying the rule to accountants.  The FTC specifically referred to accountants as potentially covered entities in its FAQs concerning the rule published over the summer.  The AICPA alleges that, in promulgating the rule, the FTC never identified CPAs as potentially covered entities.

The Red Flags Rule has been the source of significant controversy which, in addition to the lawsuit by the American Bar Association, has resulted in repeated extensions of the FTC enforcement date.  Currently, the FTC is set to enforce the rule on June 1, 2010.

District Court Rules that Red Flags Rule Doesn't Apply to Lawyers

As reported in the blog of the American Bar Association Section of Antitrust Law Privacy and Information Security Committee:

Judge Reggie Walton of the U.S. District Court for the District of Columbia ruled today that the FTC cannot force practicing lawyers to comply with Red Flags Rule.

With the November 1st enforcement date for the Red Flags Rule looming, the court's ruling for now eliminates uncertainty for lawyers, whom the FTC had argued should be covered because, among other things, billing on a monthly basis made them “creditors” under the Rule.  The ABA had argued that Congress did not intend to subject lawyers to FTC regulation (an area traditionally left to the States) and that the extension of the Rule to lawyer billing practices was overly broad.  Judge Walton's oral ruling appeared to agree with the ABA arguments.  Whether or not the FTC will appeal remains to be seen, but the fact that it did so in the case involving the applicability of the Gramm-Leach-Bliley Act to lawyers suggests that it will.  See ABA v. FTC, 430 F.3d 457 (D.C. Cir. 2005).

UK Government consults on custodial sentences for data protection offences

Under the Data Protection Act 1998 (“DPA”), it is an offense to knowingly or recklessly obtain or disclose personal data, or the information contained in personal data, without the consent of the data controller.  Section 55 of the DPA details the offenses and any exclusions, or defenses, which may apply.  It also sets out the procedure for monetary penalties to be imposed.  Under the current law, the maximum penalty for those found guilty of offenses such as selling personal data is a £5,000 fine in the Magistrates Court and an unlimited fine in the Crown Court.  However, cases leading to substantial fines are rare.

The Ministry of Justice (which oversees the Information Commissioner’s Office) has recently announced a consultation exercise to decide whether to introduce tougher penalties for breaches of section 55, DPA, which could lead to the introduction of custodial sentences for those convicted.  Although provision was made to introduce prison sentences through the Criminal Justice and Immigration Act 2008, this has yet to be implemented and is subject to the consultation exercise, which is expected to close on 7 January 2010.

If adopted as law, the maximum penalty for the knowing or reckless misuse of personal data would be a prison sentence of up to 12 months (if heard in the Magistrates Court) or up to 2 years (if heard in the Crown Court).  This is an important development for the ICO, which has fairly limited powers of enforcement, and is arguably a necessary response to the increasingly serious breaches of the DPA involving the misuse of personal data.

New Class of Data Security Breach Plaintiffs Possible If Maine Supreme Court Rules That Economic Harm Not Required

“Do time and effort alone, spent in a reasonable effort to avert reasonably foreseeable harm, constitute a cognizable injury under Maine common law?”

That is the question a federal district judge in Maine has put to the Maine Supreme Court in the data security breach litigation involving Hannaford Brothers.  In a ruling dated October 5, 2009, Judge D. Brock Hornby, who earlier this year had dismissed almost all of the claims in the consolidated class action for lack of "economic loss", reversed himself and sent to the Maine Supreme Court an issue that has the potential for opening the floodgates of litigation.  Plaintiffs so far have been unsuccessful in pursuing civil actions following data security breaches where they have not suffered real economic damages.

As Judge Hornby himself observed in his decision,

“if the Maine Law Court’s answer to the certified question on the cognizable harm issue favors the plaintiffs, the plaintiffs will have both a negligence claim and an implied contract claim.”

Such a development could have a profound impact on the vulnerability of companies experiencing data security breaches to civil claims, something they so far largely have avoided.  Thus, added to the existing costs of a data security breach (notification costs, credit monitoring costs, regulatory investigation costs, damage to reputation costs, etc.), there may soon be "time and effort" compensation costs.  As mentioned in an earlier post concerning Maine's law to protect kids from predatory marketing, which effectively is on hold, when the State of Maine enjoyed a reputation as a bellwether for presidential elections, this expression was in common parlance:

As Maine goes, so goes the nation?

It appears that while the State of Maine no longer has much impact on presidential elections, it could well have an impact on data security breach law.

Eye-Spy: CCTV on the Internet

It sounds like an ‘April fool,’ but the story this week that people can sign up to a new internet game where they spot crimes on CCTV cameras posted in Britain and earn points for doing so might actually be true.  Both the Daily Mail and the Guardian’s online news pages featured stories about this bizarre game, which may be launched in November 2009 following a trial in Stratford-upon-Avon.

Customers have the opportunity to sign up to the service and have their CCTV monitored by the public in return for a fee.  Footage from the camera would be streamed on to a website to be used in the game.  Shopkeepers are an obvious target market for the service, but the police, local authorities and home owners may also be encouraged to sign up.

According to press releases, the service provider ‘Internet Eyes’ offers users (players of the game) the chance to “earn reward money, have a chance at reducing crime, potentially become a hero and save lives.”  Users would compete to earn up to £1,000 per month, collecting points for viewing live CCTV footage and pressing a button whenever they see any suspicious activity.  If and when a crime is suspected, these alerts will be sent, by SMS, to the customer, in real-time, allowing them to take immediate action, or no action, as they wish.  Apparently it is possible to lose points for a false alarm and a ‘3 strikes and you’re out’ rule will apply.

The website also promises to feature a so-called ‘rogue’s gallery’ of ‘criminals,’ with details of their offenses and details of the user responsible for spotting them.

Internet Eyes says its service aims to reduce crime, but civil liberties campaigners and the assistant information commissioner have their doubts about the legality of the idea itself.  Disclosing images of identifiable individuals on the internet for entertainment raises serious issues under the Data Protection Act and the Human Rights Act.  The Guardian reports that the ICO will be ‘talking to’ Internet Eyes shortly.  Watch this space!

HHS Issues Form and Instructions for Submitting Notice of a Breach to the Secretary

The Department of Health & Human Services (“HHS”) published an electronic notification form for covered entities to submit notice of a breach of security to the Secretary. The electronic form, available on HHS’ website, is to be used both for breaches affecting 500 or more individuals and for breaches affecting fewer than 500 individuals.

The on-line form includes all of the elements required by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and the related HHS breach regulations. The form also requires covered entities to include contact information for a business associate (where the breach occurred at or by the business associate), the type of breach, the location of the breach, safeguards in place prior to the breach, and the date(s) individual notifications were provided.

If a covered entity discovers additional information related to a breach after submitting notification to the Secretary, the covered entity may submit an updated notification form using the on-line form.

Rocky Mountain Bank Settles Gmail Disclosure Case: Controversial Case Sought to Avoid Breach Notification and Froze User's Account

It appears that Rocky Mountain Bank v. Google (ND CA), a dispute over the disclosure of a Gmail user's account, has been settled, according to this newspaper report. When an employee of the bank sent a file containing names, addresses, tax ID numbers and loan information on more than 1,000 customers to a Gmail account by mistake, the Bank sued Google to get the transmittal back and to confirm that the information sent was not inappropriately accessed. The bank obtained a court order preventing Google or its unknown Gmail account holder from accessing the file, which froze e-mail access for the unknown user. This order created some controversy, as reflected here.

One of the purposes of the lawsuit was to determine whether data security breach notification obligations had been triggered. The bank sought to seal the entire record of the case, but the district court refused to seal the proceedings regarding the Gmail account. A copy of the District Court's decision is here. Sealing the record was something the plaintiff bank wanted in order to avoid prematurely (and perhaps unnecessarily) announcing a data security breach. Indeed, a major goal of the lawsuit was to seek information that would allow the Bank to avoid announcing a data security breach, but that goal was undermined by the court's refusal to seal the fact of the lawsuit (although parts of the record itself were sealed).

For many companies who misdirect e-mails containing PII, it has been a given that the misdirection alone constitutes a "breach" requiring notification to the person whose PII was in the e-mail. This case suggests that even where e-mail is misdirected, if the facts reveal that the unauthorized recipient never opened the e-mail, or for other reasons did not access the information under the definitions in the breach laws, then notice may not be required.

North Carolina and Montana Data Breach Statutes Amendments Now in Effect

Recently-enacted amendments to the Montana and North Carolina data breach notification statutes go into effect today, October 1, 2009.

  • North Carolina.  The amendment to North Carolina’s statute increases the state’s notification requirements for smaller breaches. Under the amended law, businesses and public agencies are required to notify the state attorney general every time a resident is notified. Prior to the amendment, notification to the state attorney general was only necessary if the breach affected more than 1,000 state residents. In addition, the amendment expands the contents of any notice to residents.
  • Montana.  The amendment to Montana’s data breach statute expands the state’s private sector data breach notification statute to cover public-sector entities. State agencies that maintain computerized data containing personal information in a data system must make “reasonable efforts” to notify any person whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person. In addition, the modified law requires state agencies to develop procedures to protect social security numbers.

The amendments to the Montana and North Carolina laws exemplify the growing number of states strengthening their data breach notification laws.  It is likely that additional states will join the trend, so compliance will require monitoring amendments.

FTC Breach Notification Rule Is Now in Effect

The health breach notification rule issued by the Federal Trade Commission (“FTC”) went into effect on Thursday, September 24, 2009.

The FTC final rule, issued on August 17, 2009, applies to vendors of personal health records (“PHR vendors”), PHR-related entities and third-party service providers. HIPAA covered entities and business associates (when engaging in business associate activities) are excluded from the definition of PHR vendor and PHR-related entities and instead are subject to a separate breach notification rule issued by the Department of Health and Human Services. The FTC Rule requires PHR vendors and PHR-related entities to notify consumers following discovery of a breach involving unsecured identifiable health information that is in a personal health record. The Rule also specifies timing, method and content of notification requirements. Of particular importance, for all breaches involving 500 or more consumers, the Rule requires notice to the FTC within 10 business days of discovery of the breach. Notice of smaller breaches can be provided to the agency on an annual basis.

While the Rule is now in effect, the FTC has announced it will delay enforcement of its rule until February 22, 2010 in order to give entities time to come into compliance.

Recently Introduced Federal Legislation May Expand Regulation of Data Brokers

The Personal Data Privacy and Security Act (“PDPSA”), recently reintroduced by Sen. Patrick Leahy (D-VT) and referred to the Senate Judiciary Committee, proposes comprehensive federal regulation of data broker services.  While enactment of the PDPSA remains uncertain, the draft legislation may presage future legislative and regulatory trends.

Comprehensive Federal Regulation of “Data Brokers”

Title II of the PDPSA would introduce significant new regulation for data brokers, which are defined as

“a business entity which for monetary fees or dues regularly engages in the practice of collecting, transmitting, or providing access to sensitive personally identifiable information on more than 5,000 individuals who are not the customers or employees of that business entity or affiliate primarily for the purpose of providing such information to nonaffiliated third parties on an interstate basis.” 

PDPSA § 3(5).  Entities that are already regulated under the Fair Credit Reporting Act (“FCRA”), Gramm-Leach-Bliley Act (“GLBA”), or Health Insurance Portability and Accountability Act (“HIPAA”) are not subject to the data broker requirements of the PDPSA as currently drafted.  See PDPSA § 201(b)(1)-(3).  Notably, the PDPSA requirements would apply to the use of any form of sensitive personally identifiable information ("SPII"), unlike the FCRA, which is limited to information used in consumer reports.


Draft Federal Legislation May Bring Changes to Data Breach Practices

On July 22, 2009, Sen. Patrick Leahy (D-VT) reintroduced S. 1490, the Personal Data Privacy and Security Act (“PDPSA”), which has been referred to the Senate Judiciary Committee.  The reintroduced PDPSA is substantially similar to the prior version reported out by the Judiciary Committee in 2007, which was co-sponsored by then-Sen. Barack Obama.  Among the provisions of the proposed law are a mandated adoption and maintenance of a comprehensive information security program, a national data breach notification law, and regulation of data broker services.  Further, while the bill as currently drafted reflects many commonly accepted principles of data privacy and security underlying existing federal and state laws, it deviates from current laws and standards regarding data security and breach notification on several noteworthy points.  Although passage of this legislation during the current session of Congress is far from certain, the existing PDPSA draft may foreshadow future legislative and regulatory trends.


HHS Breach Notification Rule Goes into Effect Today

The breach notification rule issued by the Department of Health and Human Services (“HHS”) goes into effect on Wednesday, September 23, 2009. 

HHS’ interim final rule on breach notifications, issued on August 24, 2009, requires entities covered by HIPAA to notify individuals, the HHS Secretary, and, in limited circumstances, the media following discovery of a breach of security involving an individual’s protected health information (“PHI”). Covered entities do not need to provide breach notification if the PHI was secured through methodologies and technologies specified by HHS in recent Guidance.  Notice also is not required if the breach does not pose a significant risk of financial, reputational or other harm to the individuals whose information was breached or in limited other exceptions for internal disclosures or involving limited health information. 

While HIPAA covered entities are expected to comply with this rule effective September 23, HHS has stated that it will not impose sanctions for failure to provide breach notifications until February 22, 2010 in order to give covered entities time to come into compliance. HHS is accepting comments on the provisions of the rule until October 23, 2009.

Tips on Dealing with the Aftermath of a Data Breach

Data security breaches remain a major risk for any company or entity that handles personal information.  The costs of a breach and harm to reputation can be significant.

At the IAPP Privacy Academy in Boston on September 18, I moderated a session on dealing with the aftermath of a data breach.  I was fortunate to have an expert panel -- Chris Cwalina, Vice President, Associate General Counsel, Intersections Inc. and Carol DiBarriste, SVP Privacy, Security, Compliance and Government Affairs, LexisNexis Group. You can view a copy of our Powerpoint presentation.

There is useful information in the slide deck including information on the current legislative landscape -- note the analysis of currently-pending HR 2221 and a review of recent state laws, as well as some points on the variations in the requirements of breach notification laws. 

Fundamentally, you will find helpful tips on what to do in the aftermath of a breach, and how to take steps in advance of a breach to minimize the risks.

The session in Boston concluded with a recommendation that companies conduct an assessment of how they are collecting, using, sharing, storing, securing, and disposing of personal data -- for only by understanding how data is handled can the risk of a breach (and its expensive effects) truly be avoided.  Hogan & Hartson regularly conducts such risk management assessments for our clients, which often results in recommendations on how to close the "gaps" -- how to improve policies, practices, training and auditing.

Massachusetts Data Security Regulations Raise the Stakes for Sharing Personal Information with Third Party Service Providers

The August 17, 2009 revisions of the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts (“Massachusetts Standards”) were accompanied by reassurances that the changes were designed to create a more flexible regulatory framework that would ease the burdens on business while protecting the public interests. However, the revisions also include more detailed provisions dealing with sharing of personal information with third party service providers.  Third party service provider relationships can be a substantial source of risk to the confidentiality, integrity, and availability of sensitive information.  Risk factors include the security practices of third parties within their own facilities as well as the seemingly simple process of transferring sensitive information to a service provider.

The Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) has addressed these risks by requiring businesses subject to the Massachusetts Standards to take “reasonable steps to select and retain third party service providers that are capable of providing appropriate security measures” consistent with the regulations and contractually obligating those service providers to do so.  There are several particularly noteworthy implications of these requirements.

Expansive Definition of Service Provider

The revised Massachusetts Standards define a “service provider” as: “any person that receives, maintains, processes, or otherwise is permitted access to personal information through its provision of service directly to a person that is subject to this regulation …” explicitly excluding the U.S. Postal Service. Accordingly, almost any vendor, supplier, consultant, contractor, or advisor with which a business shares the personal information of Massachusetts residents appears to fall within this definition. Going forward, businesses subject to the Massachusetts Standards should carefully examine all of their third party relationships to identify every scenario in which the third party service provider requirements apply.

Data Security Due Diligence

While it has been an advisable practice for some time now, the express reference to selecting third party service providers that are capable of providing appropriate security raises analysis of data security practices during due diligence to the level of a legal obligation. The Commonwealth is unlikely to be sympathetic to claims that an entity was in compliance with the Massachusetts Standards without meaningful evidence of pre-closing investigation into the data security practices of its service providers.

Monitoring Third Party Service Provider Data Security Practices

The August 17th revisions removed the prior obligation to ensure that third party service providers are applying security measures consistent with the regulations. Nonetheless, the new language contains the admonition to “retain” third party service providers capable of providing such security. Hence, OCABR maintains some authority to require monitoring of the data security performance of third party service providers. Consequently, guaranteeing the right to audit the data security measures taken by third party service providers remains a strongly advised policy. 

Limited Grandfather Clause

Finally, the August 17th revisions include a grandfather clause apparently designed to exempt third party service contracts entered into before a particular date. Due to a likely drafting error, the grandfather clause contains conflicting dates (March 1, 2010 and March 1, 2012) for the exemption. This confusion is likely to be resolved after the current public comment period. While a reasonable reading of the current language could lead one to conclude that contractual obligations are not necessary for any contract entered into before March 1, 2010, the use of contracts to protect the interests of businesses subject to the Massachusetts Standards remains a very attractive option, even for agreements currently in existence.

The grandfather clause provides no indication that it exempts presently existing third party relationships from the “selection and retention” requirements discussed above. Contractual restrictions are among the more readily practicable methods of implementing the requirement to select and retain service providers capable of providing appropriate security. Therefore, ensuring that relevant contractual obligations are in place is in the interests of all businesses subject to the Massachusetts Standards.

UPS Ltd Subject of UK Data Security Enforcement

UPS Ltd has joined the ever-increasing number of companies featuring in the ‘Enforcement’ section of the UK Information Commissioner’s website, for failing to ensure the adequate security of personal data, which was held on an unencrypted laptop.

Security is one of the key data protection principles set out in Schedule 1, Part 1, of the Data Protection Act 1998 (the “DPA”) and although organizations are familiar with the principle, the basic elements of protecting data can still be overlooked. As a reminder, the DPA requires all ‘data controllers’ (such as UPS Ltd in this case) to comply with the eight data protection principles. The seventh principle deals with the security of personal data and provides that data controllers must take “appropriate technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. This means, for example, using password protection and encryption on portable hardware, such as laptops and memory devices. Of course, such measures are only effective if everyone knows about them and uses them appropriately.

This recent decision involved the loss of personal data when a UPS employee’s laptop was stolen, whilst on business abroad last year. The laptop was unencrypted and was never recovered.

Unfortunately (but as is often the case) it held personal data belonging to some 9,150 UK-based employees. Worse still, the data was payroll-related and so contained information relating to employees’ names, dates of birth, National Insurance numbers, salary and bank details.

Whilst there is no legal requirement to inform the Information Commissioner’s Office (ICO) of a DPA breach, UPS Ltd’s lawyers made the notification for their client, presumably recognizing the harm that could result from the loss of such data, for the employees themselves and also for the company’s reputation.


Possible Health Information Trend in State Data Protection Statutes

With the compliance date for the federal health data breach notifications in the HITECH Act looming, more states are amending their data breach notification statutes to cover health information. The possible trend is evident in the newly-enacted laws of three states – Missouri, New Hampshire and Texas – all of which have been enacted since June 2009. 

  • Missouri – Within the key definition of “Personal Information,” Missouri’s new data breach notification law includes both “medical information” and “health insurance information,” which if disclosed in combination with an individual’s name, may trigger notification rights. 
  • New Hampshire – In a separate provision from its general data breach notification law, disclosure of HIPAA protected health information by health care providers and business associates may trigger notice requirements even if the disclosure is permitted under federal law or does not create a risk of harm.
  • Texas – Expanding its existing data breach notification statute, Texas specifically amended the definition of “sensitive personal information” to include types of health information not previously covered.

These states join California, Arkansas and Puerto Rico as the only jurisdictions to protect health data under their data breach notification statutes. Still, compliance with these statutes may be costly and burdensome.  Businesses must carefully monitor access, acquisition and disclosure of health and medical information in addition to other types of sensitive information – Social Security numbers, financial account numbers, etc. – routinely protected under these statutes. Definitions of health and medical information vary, but can be quite broad, covering, among other things, information relating to:

  • physical or mental health or conditions and medical histories;
  • provision of health care;
  • treatment and diagnosis;
  • payments for health care; and
  • insurance policy numbers and subscriber IDs.

Although the interaction of these state laws with the federal data breach notification regulations under the HITECH Act is unsettled, state laws must continue to be monitored and analyzed closely, especially if the number of states protecting health information continues to grow and their notification obligations are consistent with, but extend beyond, the federal requirements.

Latest Revision of Massachusetts Data Security Regulations Attempts to Increase Flexibility

On August 17, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) issued a second set of revisions to the Standards for the Protection of Personal Information of Residents of the Commonwealth (“Massachusetts Standards”), 201 CMR 17.00. In support of the revisions, the OCABR also issued Frequently Asked Questions (“FAQs”) to clarify the regulators’ views on issues that may not have been entirely clear in the text of the rules. The revisions are intended to increase the flexibility of the regulations in a manner that will reduce burdens on entities subject to the Massachusetts Standards, particularly small and mid-sized businesses. 

Notable among the revisions are the attempts by the OCABR to: (1) introduce a more risk-based approach to the comprehensive information security programs required by the Massachusetts Standards; (2) implement a “technical feasibility” test for required technological controls; and (3) adopt a technology neutral approach to data encryption. While these initiatives should assuage some of the concerns previously expressed by the private sector, the ultimate practical impact remains in doubt.
