Complimentary Webinar - Massachusetts Data Security Regulations: A Plan for Compliance

Posted on February 8, 2010 by Joseph Lazzarotti

Beginning March 1, 2010, businesses will be required to safeguard from identity theft and other dangers personal information about Massachusetts residents under a “written information security program” or WISP. Similar requirements exist in other states around the country, although those requirements generally are not as comprehensive as those becoming effective in the Bay state.

Our complimentary webinar is designed to help employers and businesses become compliant. The program will cover:

  • the emergence of data security mandates across the country,
  • the Massachusetts approach to data security – breach notification, data destruction, the nuts and bolts of the identity theft/data security regulations, and
  • best practices when creating a WISP.

We hope you enjoy the webinar.

Tags: , , ,

Best Buy Counsel Speaks on Data Privacy

Posted on February 5, 2010 by V. John Ella

On January 29, 2009, I had the opportunity to attend a brief presentation sponsored by Minnesota CLE entitled, “Corporate Data Privacy & Security: 10 Legal Practice Tips,” given by Brad Bolin, Senior Corporate Counsel for Best Buy, Inc. a Fortune 500 electronics retailer headquartered in Richfield, Minnesota. Bolin is a specialist in information security and privacy law. I was curious to hear what data privacy issues were on the mind of someone who monitors these issues for a living on behalf of a large corporation, especially a company that sells some of the very devices that make data privacy more challenging and which is known for its “results oriented” work environment. Many of the issues relate to topics discussed on this blog. The views expressed were strictly those of Bolin, not Best Buy. Here were his observations:

1. Work/Life Balance.  Electronic connections are collapsing the distinctions between work and personal life. Employees expect to be connected 24 -7. Bolin quoted Best Buy CEO Brian Dunn as noting, “Technology is … a constant backdrop in people’s lives, at home, at work, on the road and literally in the palms of their hands. We call it the ‘connected world’ and, as exciting as it is, it’s also increasingly complex, and difficult to keep pace with.”

12259312. Smart Phones Part 1.  Smart phones are becoming common and are a great example of how the “limited personal use” exception is swallowing the rule. He cited a survey showing that 20% of companies allow their employees to use personal devices for work, and the number is surely growing. Bolin discussed how under the old corporate model, a company that pays for an employee’s smart phone ought to take it back from the employee upon his or her departure, erase the contents and either recycle or reuse the device to prevent the disclosure of confidential corporate information. But what about the employee’s personal photographs, “apps”, movies, contacts and downloaded songs? What if the employee paid for the device but the company reimburses the cost? Securing employee-owned smart phones is not the same as securing corporate-owned devices, he emphasized.

3. Smart Phones Part 2.  Bolin said that, whatever rules you choose, a departing employee should be able to take his or her personal data, while IT should be able to ensure that any corporate information has been safely removed. The process should be simple and transparent to all. Adopt simple rules that make corporate data on an employee's smart phone easier to identify and control. For example, distinguish between media files on the one hand, and xls doc, ppt, and pdf documents on the other. Have a transparent dialog with employees about the trade-offs that exist cost when placing personal phones on the corporate network. For example, an employee might be required to archive SMS text messages on his phone for e-discovery purposes.

4. Texting Issues.  While e-mail typically is stored on a common server, text messages usually are stored by cell phone companies or directly on phones, and often the employer does not directly pay for their storage. Employers must have either a warrant or the employee's permission to see cell phone text messages that are not stored by the employer or by someone the employer pays for storage, Bolin said, citing Quon v. Arch Wireless, et al. 529 F.3d 892 (9th Cir. 2008),  The case is now under review by the United States Supreme Court.

5. TMI = Too much information.  An embedded Global Positioning System (GPS) feature is great for supporting and measuring effectiveness of a mobile sales force, but it raises the danger of collecting information about employees regarding the personal part of their life.

Continue Reading...
Tags: , , , , , ,

e-Discovery Traps (and Significant Sanctions) for the Unwary

Posted on February 4, 2010 by Joseph Lazzarotti

Effectively managing company data means more than HIPAA compliance and avoiding data breaches. As two of my colleagues Brett Anders and Cliff Atlas would tell us, failing to preserve electronic evidence can jeopardize a company’s litigation strategy. Their recent article discusses a new decision that illustrates the kind of sanctions litigants could suffer even where the failure to preserve appropriate information was not the result of an intentional act, but was merely negligence.

The Hon. Shira Scheindlin, whose decisions have been perhaps the most influential in the area of e-discovery, wrote the decision in Pension Committee of the Univ. of Montreal Pension Plan v. Banc of America Securities, LLC, No. 05 Civ. 9016 (S.D.N.Y. Jan. 15, 2010) (pdf). The plaintiffs in the case failed to issue litigation hold notices until 2007, even though the litigation commenced in February 2004. The sanctions were significant:

  • attorney’s fees and costs incurred by the defendants in bringing their motion,
  • costs of discovery relating to uncovering the facts of the wrongdoing, and
  • a jury instruction highlighting certain of the plaintiffs’ gross negligence in complying with discovery and explaining how the jury can conclude that an adverse inference should be drawn against those plaintiffs.

So, not only was there a direct monetary sanction, but the court made it more difficult for the plaintiffs to win their case. Brett and Cliff provide the following tips for managing e-discovery obligations, which they expand upon in their article:

  • For plaintiffs, anticipate litigation well before the case is filed and take appropriate steps then to preserve the appropriate information.
  • Cast a wide preservation net so that you collect records from all employees, even those with only a passing encounter with the issues in the litigation.
  • Back up tapes can be critical when “they are the sole source of relevant information or when they relate to key players, if the relevant information maintained by those players is not obtainable from readily accessible sources.”
  • Make sure those preserving the data understand what they need to do and are appropriately supervised.
  • Maintain a litigation hold policy and plan ahead!
Tags: , ,

Dealing with Data Breaches: Health Net Suit Highlights Need for Effective Security Incident Procedures and Training

Posted on February 2, 2010 by Jason C. Gavejian

As we have discussed before, data breach notification is one of the most rapidly emerging areas of law. Good security incident procedures as well as effective training can help avoid the risk of data breach. (Sample data breach training). 

A case in point: Connecticut's Attorney General has filed a civil action against Health Net of the Northeast Inc. (“Health Net”) for failing to secure approximately 446,000 individuals’ patient information on a missing portable computer disk drive, and for failing to provide prompt notice of the breach. Among other things, the suit alleges Health Net violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, when it failed to provide prompt notice, failed to encrypt the data, failed to provide for and implement appropriate policies to safeguard the information, and failed to supervise and train its workforce on safeguarding protected health information and personal information. 

As this suit demonstrates, state Attorneys General will use the authority granted by HITECH to enforce the privacy and security protections of HIPAA for protected health information, as many breaches involving such information may not be covered by state data breach laws. Such enforcement will only add to the cost of a data breach, which, according to the 2009 Ponemon Institute Annual Cost of a Data Breach study, continues to rise.

While a company’s first line of defense always should be a comprehensive data security policy, preparation should include an effective security incident procedure. Several key questions, some of which will form the foundation for any good security incident procedure, must be answered immediately following a breach: 

  • How did the breach occur?
  • Are measures in place to contain the breach?
  • What information was compromised? 
  • Whose information was compromised?
  • Will the local authorities be alerted?
  • What potential breach notice laws are implicated?
  • Does notice of the breach have to be provided?
  • If so, to whom and how will notice be provided?
  • Does the company have applicable insurance to cover the notification process?
  • Will any monitoring service be provided for affected individuals?
  • Are measures in place for public relations implications?

However, a security incident procedure is only as strong as the awareness you create among your employees as to what constitutes a data breach and who to notify in the event of a possible breach. Therefore, in addition to an effective security incident procedure, it is essential that training, like the sample above, be provided to employees on a regular basis.   

Tags: , , , , , , , , ,

Happy Data Privacy Day!

Posted on January 28, 2010 by Joseph Lazzarotti

While most are not taking the day off, January 28 is recognized internationally as Data Privacy Day - a day for people to become more aware of and promote data privacy related issues.

Many organizations support these initiatives and some have created and contributed to a website to promote this day and data privacy and security generally. This website provides a wealth of information and resources related to data privacy in all facets of our lives.

Of course, our focus is on employers and we encourage all employers to use this day as an opportunity to focus on this emerging issue and create awareness in their organizations.

Tags: ,

Data Security, Destruction and Encryption Leads the Way for States in 2010

Posted on January 26, 2010 by Jason C. Gavejian

Less than one month into 2010 the trend to address data security, destruction, and encryption has continued among state lawmakers. Specifically, Florida, Michigan, Kentucky, Kansas, Pennsylvania, and New York all have introduced, reintroduced, or amended legislation of this kind. 

  • The Florida and Michigan laws would amend personal data destruction rules for companies.
  • The New York law would mandate data security and encryption measures.
  • The Kentucky bill would require government agencies to protect all personal data under the Gramm-Leach-Bliley Act.
  • The Michigan bill includes a state version of the Federal Trade Commission's Red Flags Rule and would require creditors in the state to implement programs aimed at spotting “red flags” of possible identity theft and put in place mitigation measures. Michigan is also considering a number of other measures. 
  • The Kansas law would require state agencies to engage in periodic network security reviews.
  • The Pennsylvania bill would require public agencies to notify state residents of a breach of their personal information within seven days of the discovery of the breach.

While 5 states remain without data breach notice bills (Alabama, Kentucky, Mississippi, New Mexico, and South Dakota), Congress is considering legislation, the Data Accountability and Trust Act (DATA) (H.R. 2221), that would preempt all state notification laws and instead establish a national breach notice standard.

As we have previously mentioned, we anticipate data privacy and security legislation and case law to be at the forefront of legal issues in 2010. Employers should begin by reading the Data Security Primer and consider implementing comprehensive data security policies and procedures that would allow them to comply with the various state laws that may impact their business. 

Continue Reading...
Tags: , , , , , , , , , , , , , ,

Haiti Charity Fraud - FBI Guidelines To Donate With Care

Posted on January 17, 2010 by Joseph Lazzarotti

We all are deeply saddened by the tragic situation in Haiti. Many are motivated to help in any way they can, which usually means donating to charities that are able to more effectively bring relief to the suffering. At the same time, many see this as an opportunity to commit identity theft.

CBS News and TBG Fraud Solutions remind us to be aware of charity fraud and donate carefully.

In connection with the earthquake with in Haiti, the FBI suggests the following steps to avoid charity fraud:

  • Do not respond to any unsolicited (spam) incoming e-mails, including clicking links contained within those messages.
  • Be skeptical of individuals representing themselves as surviving victims or officials asking for donations via e-mail or social networking sites.
  • Verify the legitimacy of nonprofit organizations by utilizing various Internet-based resources that may assist in confirming the group’s existence and its nonprofit status rather than following a purported link to the site.
  • Be cautious of e-mails that claim to show pictures of the disaster areas in attached files because the files may contain viruses. Only open attachments from known senders.
  • Make contributions directly to known organizations rather than relying on others to make the donation on your behalf to ensure contributions are received and used for intended purposes.
  • Do not give your personal or financial information to anyone who solicits contributions: Providing such information may compromise your identity and make you vulnerable to identity theft.
Tags: , ,

Health Care Employees Fired For Improperly Accessing Patient's Electronic Health Records

Posted on January 8, 2010 by Nick Beermann

As reported by the December 23 Rochester, Minnesota Post Bulletin, the Mayo Clinic has terminated two medical professionals, a physician and another staff member, after determining that they had inappropriately accessed a patient’s confidential electronic health records (EHRs).

The access highlights what should be a growing concern for health care industry employers: the increased availability EHRs provide about patients’ private information that is otherwise protected by HIPAA. As reported in the Bulletin, according to the President of the Minnesota-based Citizens’ Council on Health Care, “the development of the electronic medical record has allowed all sorts of people to have access” that they would not have had before the advent of EHRs.

As previously reported here, the risks of data breaches and misuses of personal information rise significantly when the information is in electronic format. The trend toward putting more information in electronic format will only continue given the significant cost savings through technological advancements and, for health information, federal subsidies for the adoption of EHRs. Despite protections mandated by law, the portability and availability of EHRs nevertheless facilitate the improper viewing or misuse patients’ protected health information.

The Mayo Clinic terminations come on the heels of a string of employee terminations in 2008 by the UCLA Medical Center, which, through investigations dating back to 2004, found that at least 127 employees had improperly accessed the medical records of celebrities. One employee was even indicted in 2009 after she was found to have purposefully removed the social security numbers of celebrity patients and recorded actor Farah Fawcett’s medical records. Farah Fawcett subsequently sued her.

While most medical providers are well-aware of HIPAA’s requirements, the interest in all things celebrity may be too much for some to resist. We expect that the American Recovery and Reinvestment Act of 2009 (ARRA) [pdf] may only increase the risk of privacy breaches for it provides incentives to health care-related businesses to develop even more extensive uses of electronic health records. However, even famous celebrities have privacy rights under HIPAA, and health care employers should revisit their policies, procedures and training in the area of maintaining patient privacy and more closely monitor the use of electronic medical records.

Tags: , , , , ,

FTC Endorsement Rules Provide For Employer Liability for Employees' Online Conduct

Posted on January 6, 2010 by Jason C. Gavejian

 According to the newly revised Federal Trade Commission (“FTC”) Guides, employers may face liability for employees’ commenting on their employer’s services or products on “new media,” such as blogs or social networking sites, if the employment relationship is not disclosed. Potential liability may exist even if the comments were not sponsored or authorized by the employer. 

The revised Guides took effect December 1, 2009. They address the application of Section 5 of the FTC Act (15 U.S.C 45) to the use of endorsements and testimonials in advertising and provide examples of the application of Section 5, including examples that could lead to potential employer liability. One such example specifies liability for an employee’s blog posting concerning his employers’ product, where the employment relationship is not previously disclosed:

An online message board designated for discussions of new music download technology is frequented by MP3 player enthusiasts. They exchange information about new products, utilities, and the functionality of numerous playback devices. Unbeknownst to the message board community, an employee of a leading playback device manufacturer has been posting messages on the discussion board promoting the manufacturer’s product. Knowledge of this poster’s employment likely would affect the weight or credibility of her endorsement. Therefore, the poster should clearly and conspicuously disclose her relationship to the manufacturer to members and readers of the message board.”

In comments to the proposed revisions, the Commission agreed that the establishment of appropriate procedures governing “new media” would be a factor in its determination as to whether law enforcement action is appropriate. Tellingly, the Commission stated that it has brought enforcement actions against companies “whose failure to establish or maintain appropriate internal procedures” had resulted in consumer injury. However, the Commission refused to spell out the procedures companies should put in place to monitor compliance with the principles set forth in the Guides, leaving companies to determine for themselves the process that would best fulfill their responsibilities. 

In light of the FTC’s clear recognition of “new media” and enforcement goal, employers should adopt social media and blogging policies as soon as possible. Employers should consider policies and procedures which address employee use of blog or social networking sites. Those policies, like this sample policy, should articulate the types of disclosure employees must include when they discuss their employers or their employers’ products or services. 

Tags: , , , , , ,

FTC Investigates Cloud Computing

Posted on January 5, 2010 by Joseph Lazzarotti

Last month, we briefly discussed "cloud computing," along with some issues that should be considered when deciding whether to adopt this new technology. Our post focused on data privacy and security issues.

As reported by Kim Hart, of The Hill's Technology Blog, a December 9, 2009, Federal Communications Commission filing states that the Federal Trade Commission is in the process of investigating "cloud computing" to address some of the same concerns noted in the post referenced above - privacy and security concerns.

Companies operating in the cloud, or thinking of moving in that direction, ought to be on the lookout for regulation or guidance that could come from the FTC's investigation.

Tags: , , ,