Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

Federal contractors are subject to numerous requirements under federal law and, as we have previously highlighted here, need to keep pace with changes in law and regulation. 

Under the Federal Information Security Management Act of 2002 (FISMA) each federal agency is required to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Accordingly, FISMA provides authority for the imposition of requirements on those companies which qualify as federal contractors. 

By way of example, the Centers for Medicare and Medicaid Services (CMS), as well as the Department of Veterans Affairs impose specific requirements on their contractors.   

Adding new data protection requirements for federal contractors who use or handle U.S. Department of Defense (DOD) information, the DOD earlier this year issued an advanced notice of proposed rulemaking regarding amendments, 75 F.R. 9563, to the Defense Federal Acquisition Regulation Supplement (DFARS). 

The proposed amendments require “adequate security,” defined as “protection measures … commensurate with the risks of loss, misuse, or unauthorized access to or modification of information,” and have three main subparts; basic safeguarding, enhanced safeguarding, and cyber intrusion reporting. 

Basic safeguards, required for any unclassified DOD information, include:

• Designating  the level of access and dissemination of informationProtecting DOD information on public computer or Web sites
• Transmitting electronic information using technology and processes that provide the best level of security and privacy
• Transmitting voice and fax information on with reasonable assurances that access is limited
• Protect information by at least one physical or electronic barrier
• Sanitize media in accordance with the National Institute of Standards and Technology (NIST) before external release or disposal
• Provide protection against computer intrusions and the unauthorized release of data. 

In addition to the basic safeguards outlined above, contractors are required to implement enhanced safeguards to certain types of data. The enhanced safeguards include:

• Encryption/Storage controls
• Network intrusion protection
• Implement information security controls

Additionally, a reporting requirement has now been proposed, requiring contractors to report to the DOD within 72 hours of any cyber intrusion event that affects DOD information resident on or transiting the contractor’s unclassified information systems.

The new proposed DOD amendments, along with the various other federal contractor requirements, including those imposed by CMS and the Department of Veterans Affairs, highlight the necessity for companies that qualify as federal contractors to be up to date on their legal obligations or risk loss of their federal contractor status. 

• Email This
• Print
• Comments
• Trackbacks

Under a measure passed overwhelmingly by the U.S. House of Representatives (408-13), federal contractors would be required to adopt measures established by the Office of Management and Budget to limit open network peer-to-peer file sharing software (P2P Software). Likely a response to the leakage of House and Senate ethics investigations, if the “Secure Federal File Sharing Act” (H.R. 4098) (pdf) becomes law it would be the first widespread federal statute regulating P2P Software.

Under the law, federal government employees and contractors would be prohibited from downloading, installing, or using P2P Software on federal computers without government approval. Federal agencies would be required to take steps to find and remove P2P Software from such computers, including those government computers operated by contractors. In particular, the Act requires OMB guidelines to:

to address the download, installation, or use by Government employees and contractors of such software on home or personal computers as it relates to telework and remotely accessing Federal computers, computer systems, and networks, including those operated by contractors on the Government’s behalf.

Within 90 days of enactment, OMB will need to set up a procedure for approving the use of P2P Software. Within 180 days of enactment, with respect to contractors, agencies will need to

1. require any contract awarded by the agency to include a requirement that the contractor comply with OMB guidance in the performance of the contract;
2. update their information technology security or ethics training policies to ensure that all employees working for contractors on the government’s behalf are aware of the requirements of OMB guidance and the consequences of engaging in prohibited conduct; and
3. ensure that proper security controls are in place to prevent, detect, and remove file sharing software that is prohibited by the OMB guidance from all federal computers, computer systems, and networks operated by contractors on the government’s behalf.

Numerous examples of data leaks caused by irresponsible use of P2P Software should push all businesses to take steps to use this potentially valuable technology more carefully. 

• Email This
• Print
• Comments
• Trackbacks

Nearly 100 organizations have been notified by the Federal Trade Commission (“FTC”) that personal information, including sensitive employee and customer data, shared from the organizations’ computer networks is available on peer-to-peer (P2P) file-sharing networks. This, the FTC warned, could be used to commit identity theft or fraud. The notices went to both private and public entities, including schools and local governments. The entities ranged in size from those with as few as eight employees to public corporations employing tens of thousands. The notices come not long after the Congressional Ethics breach we discussed in October. 

With P2P file-sharing software, a user can share music, video, and documents. However, when not configured correctly, P2P file-sharing software may allow anyone on the P2P network to access files not intended for sharing.

To aid businesses in managing the security risks of file-sharing software, the FTC also has released education materials, including a new business education brochure – Peer-to-Peer File Sharing: A Guide for Business – designed to assist businesses and others as they consider whether to allow file-sharing technologies on their networks. The brochure also explains how to safeguard sensitive information on their systems, and provide other security recommendations. Additionally, the FTC published tips for consumers about computer security and P2P. 

In addition to the FTC notices, employers should consider the P2P Cyber Protection and Informed User Act, which was introduced in Congress shortly after the notices were sent. Under the Act, P2P file-sharing programs must clearly inform users when their files are made available to other P2P users, are prohibited from being installed without informed consent, and are prohibited from preventing a user from blocking/disabling/removing any sharing program. 

The FTC has urged entities to review their security practices and, if appropriate, the practices of their contractors and vendors, to ensure that the practices are reasonable, appropriate, and in compliance with the law.  FTC Chairman Jon Leibowitz also cautioned,  , “companies and institutions of all sizes are vulnerable to serious P2P-related breaches…” and “[companies] should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure.” 

A company’s failure to prevent such information from being shared on a P2P network, may violate applicable law and subject the company to legal action. 

• Email This
• Print
• Comments
• Trackbacks

Over the past few months, many businesses, particularly in the Northeast Region, have been focusing on creating a written information security program (WISP) to comply with Massachusetts identity theft regulations that went into effect March 1, 2010. For many, this has been a significant effort, reaching most, if not all, parts of their organizations. However, it is important to remember that although Massachusetts may be the state with the most comprehensive set of rules for securing personal data, other states have enacted similar protections, and compliance with Massachusetts does NOT necessarily mean compliance with other states.

Consider the following examples:

California. The Civil Code in California states a business that owns or licenses personal information about a California resident must:

implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

For purposes of this requirement, “personal information" means:

an individual's first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(A) Social security number.
(B) Driver's license number or California identification card number.
(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
(D) Medical information.

Similar pretections for medical information exist in Arkansas, but that information is not covered by the rules in Massachusetts. Illinois requires safeguards for certain biometric information, a classification of data also not covered by the Massachusetts regulations.

Oregon. Oregon’s Consumer Identity Theft Protection Act lays out safeguards similar to those in Massachusetts, with some relief for small businesses (those manufacturing businesses with 200 employees or fewer and all other forms of business having 50 employees or fewer). Key is the requirement to implement an “information security program” that contains administrative, technical and physical safeguards.

Administrative safeguards include, for example: 

1. designating one or more employees to coordinate the program;
2. identifying reasonably foreseeable internal and external risks;
3. assessing the sufficiency of data safeguards;
4. training employees in the program’s practices and procedures;
5. limiting outside service providers to those maintaining adequate data security safeguards; and
6. adjusting the program according to business changes or new circumstances.

In New Jersey, regulations are pending that would create similar obligations.

Connecticut. Without specifying the kinds of safeguards, Connecticut requires any person in possession of personal information of another person to:

safeguard the data, computer files and documents containing the information from misuse by third parties, and [ ] destroy, erase or make unreadable such data, computer files and documents prior to disposal.

For purposes of this law, “personal information” includes:

information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number.

Similar requirements were enacted in other states, including Arkansas, North Carolina, Rhode Island, Texas, and Utah. But note the definition in Connecticut goes beyond the elements of data protected under the Massachusetts regulations.

Service contracts. Some states go a step further, requiring certain provisions be included in contracts between entities and their service providers when the contracts involve the disclosure of a state resident’s personal information from the owner of the information to the service provider. For example, such contracts in Nevada and Maryland must include a provision requiring the person to whom the information is disclosed to implement safeguards to protect that information.

The emergence of state mandates fueled by the continued rapid advancement and increased use of technology suggest a trend that is sure to become a fact of life for businesses operating anywhere in the U.S. Whether the technology is “cloud computing” or “peer-to-peer” software, businesses need to take appropriate steps to protect personal information maintained throughout their organizations.

• Email This
• Print
• Comments (3)
• Trackbacks

The Washington Post is reporting another inadvertent disclosure of sensitive information involving "peer-to-peer" or "P2P" technology. This time, the disclosure exposed a House Ethics Committee document outlining ongoing ethics investigations for an uncomfortably large number of House members. The same technology raises serious issues for employers.

According to the Washington Post, the now-terminated, junior committee staff member saved a copy of the document summarizing the ethics investigations to her personal computer where her peer-to-peer file-sharing software allowed it to be shared.

Besides the difficult political questions that are sure to follow, this incident makes clear that strong data security requires more than a strong firewall and encryption. Administrative policies, training and vigilance are essential, particularly where working remotely and from home is the norm.

• Email This
• Print
• Comments
• Trackbacks