Scott Technology Attorneys

Privacy & Security Blog


Data Concerns in Outsourced Applications

Outsourcing information technology functions that are not mission critical can seem like an attractive proposition. E-mail, productivity applications, and hosted creative bundles can ensure that in-house staff focus on those functions that contribute directly to revenue or customer service. But companies that are considering outsourcing should carefully review the prospective vendor's terms of service to ensure that the vendor will keep the data secure.


The Kaiser Breach Case-What You Can Learn

Recently, California Attorney General Kamala Harris filed suit against Kaiser Foundation Health Plan, Inc. (“Kaiser”) over an alleged 2011 data privacy incident. It appears that a simple accident led to sensitive data being accessed by unauthorized third parties, ultimately exposing Kaiser to legal and financial risk. In this case, an external hard drive containing the sensitive personal information of Kaiser’s patients was sold to a retail thrift shop.


Surprising Twist in Target's Data Breach Inquiry

In a recent article concerning the Target data breach, it was reported that the hackers used stolen credentials from one of Target’s third-party vendors to gain access to Target’s systems. New information just released indicates that the third party was not a technology service provider, but rather an HVAC company (heating, ventilation, and air conditioning). While it may be surprising to the average consumer that an HVAC provider was given network access to Target’s systems, there may be a reasonable explanation for this.


Personal Data Privacy and Security Act of 2014

Companies conducting business in highly regulated industries will often select our firm to assist with evaluating privacy compliance. Such companies are often required to comply with privacy obligations under the Gramm Leach Bliley Act (“GLBA”) or the Health Insurance Portability and Accountability Act (“HIPAA”). The GLBA and HIPAA regulate the financial and health care industries respectively, and beyond these types of industry-specific regulations, there is no nationwide standard governing the handling of personally identifiable information (“PII”).


Using Vendor Agreements to Protect Against Data Breaches

The recent Target data breach, one of the largest breaches in history, appears to have been initiated after intruders used stolen vendor credentials to access Target’s point-of-sale system and install malware. Even if Target had no issues with its internal security, the trust it placed in one of its vendors has already yielded federal criminal investigations, and will likely result in millions of dollars of remedial measures to protect customers’ identities after the data breach.


Google Announces a New Cloud Platform

Google recently announced new and improved cloud platform offerings. For businesses regulated by the Health Insurance Portability and Accountability Act (“HIPAA”) or the Gramm Leach Bliley Act (“GLBA”), moving data to the cloud is not something to be taken lightly. HIPAA and GLBA place a heavy emphasis on the protection of sensitive customer or patient information.


Data Breach Notice Statutes

For businesses regulated by the Health Insurance Portability and Accountability Act (“HIPAA”) or the Gramm Leach Bliley Act (“GLBA”), the amount of effort required to be compliant can be staggering. Those entities handling the personally identifiable information (“PII”) or non-public information for their customers have affirmative notice obligations and duties to protect PII under federal rules such as HIPAA and GLBA.


Contract Provisions Concerning Privacy & Security Compliance

Managing data security and privacy is becoming an increasingly large part of a company’s risk portfolio, especially as it relates to transactions with third parties. These third-party transactions may include the outsourcing of technology services, hosted data, or software as a service (“SaaS”), and consumer information privacy in particular is an area garnering a lot of attention. From data breach notice reporting to class action lawsuits, companies that handle the non-public personal information of individuals are in possession of high-risk information, and entities regulated by HIPAA and the Gramm Leach Bliley Act need to ensure they are compliant with the statutory requirements.


Risks of Bring Your Own Device

More companies are faced with a workforce that wants to bring their own devices (“BYOD”) to work. One on-line journal cites a poll that finds that younger workers actually see bring your own device as a right rather than a privilege. For a company considering a BYOD policy, there are risks involved. Some of the risks are as follows:


Company Policies and Compliance

Compliance and risk management are becoming more important concepts for businesses, and especially those operating in regulated industries. Outside of technical legal concepts such as negligence per se or breach of contract, in the event of a dispute between parties concerning legal liability, the case often turns on whether the conduct of one party was reasonable under the circumstances. If a business deals with the non-public personal information of its clients, for example, a dispute may arise in the event this information is disclosed to an unauthorized third party.


The Costs of Data Breach

As data breaches have become more prevalent, it is important to note what a breach could actually mean for a company that stores and maintains (or shares) the personally identifiable information (“PII”) of its consumers. Generally speaking, the sources of these legal risks can be broken down into three categories: federal, state, and common law.


FTC Releases Report Regarding Mobile App Privacy Disclosures

In a report released by the Federal Trade Commission (“FTC”) in February 2013, the FTC makes recommendations for best practices concerning privacy disclosures in the hope of making them more effective. While noting the proliferation of smart phone usage and the accessibility of apps, as well as the increasing amount of personal data being shared across platforms, the report’s recommendations focus on disclosure.


California Becomes Third State to Regulate Employer Access to Social Media

Last month, California Governor Jerry Brown signed Assembly Bill 1844 into law, making California the third state, behind Maryland and Illinois, to create statutory privacy protections for social media users from their employers. Senate Bill 1349 applies the same prohibitions on the state’s colleges and universities.


State Data Breach Laws Continue to Evolve/Diverge

While data privacy and compliance professionals clamor for a single, federal data breach notification statute, states have continued to establish and amend their own medley of breach notification statutes. As of September 2012, 46 states and the District of Columbia have enacted some version of consumer data breach notification requirements. This disparate environment makes compliance under these evolving and sometimes divergent state notification frameworks both technically and logistically challenging for organizations that find themselves cleaning up after a data breach.


Data Breach Insurance Coverage Lawsuit Highlights Necessity for Cyber Liability

In August of 2012, the Sixth Circuit decided who is responsible for the costs associated with the loss of data arising from a hacking incident in Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co., -- F.3d --, 2012 WL 3608432 (6th Cir. Aug. 23, 2012). In this matter, DSW Shoe Warehouse was targeted by computer hackers who successfully accessed its systems and harvested the credit card and checking account information of more than 1.4 million DSW customers. In its efforts to conduct a thorough investigation into the incident and comply with the numerous state and federal data breach notification requirements, DSW incurred expenses of more than $5M.


Connecticut Amends Data Breach Notification Statute

On June 15, 2012, Connecticut amended the state’s security breach notification law. The amendment will go into effect on October 1, 2012, and requires businesses to notify the state Attorney General when notice of a security breach is provided to state residents—with such notice to affected residents to be provided “without unreasonable delay.” Connecticut follows Vermont as the second state this summer to amend its data breach statute to require notice to be given to the state’s Attorney General.


OCR’S HIPAA Audit Protocol

On June 26th, the Office for Civil Rights (OCR), the federal agency that enforces the privacy and security regulations under HIPAA, published the protocol it uses to conduct the audits required by the 2009 HITECH Act. According to OCR, the protocol is designed to analyze the “processes, controls, and policies” of covered entities in an effort to measure compliance under the HIPAA mandate. OCR set out three different areas that will be analyzed under this audit protocol: 1) privacy; 2) security; and 3) breach notification.


Cyber Intelligence Sharing and Protection Act Bill Passes House

On April 26, 2012, the U.S. House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA). According to the bill sponsors, CISPA is an essential update to the National Security Act of 1947 that adds provisions allowing for information about “cyber threats” to be shared between the government and private industry.


White House Outlines Consumer Privacy Bill of Rights

In late February 2012, the White House outlined a consumer data privacy framework that includes a “Consumer Privacy Bill of Rights” in a report entitled “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.” In it, the administration sets out a four-element approach to the protection of consumer privacy: 1) enumerate the consumer privacy rights; 2) encourage industry development of codes of conduct; 3) strengthen FTC enforcement power; and 4) ensure interoperability with international privacy rules and regulations.


Office for Civil Rights to Begin HIPAA/HITECH Audits

On November 8, the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services notified members of its HIPAA Privacy Rule listserv that it will begin conducting a pilot program of the audit requirement under Section 13411 of the HITECH Act. In the communication, OCR indicated that it will perform approximately 150 audits of covered entities in order to assess the protocols established for conducting the audits as well as to uncover any additional risks or vulnerabilities in the privacy and security rules themselves. The targeted covered entities will be notified of the request for their participation sometime this month, with OCR’s goal to conclude these pilot program audits by the end of next year.


SOPA Moves To House Committee with Modifications

On November 16, the U.S. House Judiciary Committee will consider the Stop Online Piracy Act (“SOPA”), a bill designed to complement the proposed PROTECT IP Act in the Senate in efforts to fight online piracy and copyright infringement.


New Texas Healthcare Privacy Law

Starting on September 1, 2012, businesses handling electronic protected health information (ePHI) in Texas will be subject to more stringent data privacy and security regulations and harsher penalties than those imposed by federal HIPAA regulations. Among other things, the new bill, signed into law in June 2011 by Governor Rick Perry, expands on the HIPAA definition of a “covered entity.”


Overview of Proposed Federal Data Privacy Legislation for 2011

Arguably as a result of the Obama administration’s call for federal data privacy and security legislation, a number of bills have been introduced this year in both the House and Senate to address consumer-data privacy issues. Introduced earlier this spring were the Do Not Track Online Act, discussed here previously, and the comprehensive Commercial Privacy Bill of Rights Act sponsored by political heavyweights Senators John Kerry and John McCain. A new crop of bills introduced this summer focuses on data-protection procedures and breach-notification requirements. Highlights from these entries, by Senators Leahy and Pryor and Representative Bono Mack, are outlined below.


Do Not Track Me Bill Introduced in Congress

Last month, California Representative Jackie Speier introduced H.R. 654, the so-called Do Not Track Me Online bill, to Congress. The bill is the first response to the Federal Trade Commission’s December 2010 request for the establishment of a Do Not Track registry for online users that would be similar to the Do Not Call registry for telemarketing calls established in 2003. The Do Not Track Me Online bill calls for the FTC to establish regulations requiring covered entities (defined as companies engaging in interstate commerce that collect or store online data), to allow customers to opt out of online tracking. The bill provides for monetary penalties for violations of the bill, not to exceed $5 million for a related series of events.


Sixth Circuit Recognizes Right to Privacy in E-mail

In a ruling handed down on December 14, 2010, the Sixth Circuit in United States v. Warshak held that a user of a third-party e-mail service has a reasonable expectation of privacy in the e-mails stored on the third-party’s servers. In the case, the government failed to obtain a search warrant based on probable cause before it compelled Warshak’s ISP to turn over his e-mail communications. The government argued that the Stored Communications Act of 1986 (SCA) permitted just such a warrantless search. In holding that Warshak had a reasonable expectation of privacy, the court struck that part of the SCA as unconstitutional.


Mississippi Becomes 46th State to Pass Data Breach Notification Law

Earlier this year, Mississippi passed legislation requiring organizations to notify individuals whose personal information is compromised by a data breach. With only Alabama, Kentucky, New Mexico and South Dakota as the remaining states without data breach notification laws, Mississippi joins the vast majority of states to have passed such legislation. House Bill 583 will not go into effect until July 1, 2011, but its form and structure tracks many other states’ notice requirements in the event of a data breach.


Dave & Buster’s Busted

The FTC recently approved a settlement with Dave & Buster’s, Inc., a restaurant and arcade chain, for the largest recorded data breach of private credit card information.


Costly Privacy Breaches in 2009

Network security failures have led to some of the largest breaches of private financial and personal data in 2009. Heartland Payment Systems reached a settlement with American Express for $3.6 million after a security breach revealed 130 million credit and debit card numbers,


Businesses Fail to Guard Against and Respond to Data Security Breaches at their Peril

A complaint filed in the U.S. District Court for the Eastern District of Missouri is a reminder of the importance of implementing a thorough system of procedures and protocols regarding data security and responses to security breaches.


The Privacy Act

Like other companies, governmental agencies are also required to maintain the privacy of records in their possession. The Privacy Act prohibits government agencies from disclosing “any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.”


Drafting and Defending Privacy Policies and Incident Response Plans

Because the requirements for businesses that collect personal information about consumers can be stringent, it is critical to know which standards apply. Regardless of which regulations govern an organization, it is imperative that the organization have a comprehensive privacy policy that satisfies the requirements for the applicable industry and geographic location(s).


State Data Breach Notification Legislative Update

In the past year, five states – Alaska, Iowa, South Carolina, Virginia, and West Virginia – have enacted data breach notification laws, bringing to 45 the total number of U.S. jurisdictions (including Washington D.C.) with laws on the books. The states with no data breach notification laws are Alabama, Kentucky, Mississippi, Missouri, New Mexico, and South Dakota.


State Data Encryption Laws Ready to Take Effect

By now, many U.S. businesses (hopefully) have taken steps to familiarize themselves and to contend with the patchwork quilt of state laws that sets forth standards regarding what must be done in the wake of an IT security breach affecting customer data.


New Potential Liability for Internet Service Providers

The U.S. District Court in New Hampshire recently issued a written opinion that undoubtedly will give some Internet service providers reason to re-think their policies with regard to some anonymous user accounts. In Doe v. Friendfinder Network, Inc., the plaintiff discovered prior to filing suit that an unnamed individual had created a number of profiles using information about the plaintiff’s identity on various social networking websites operated by the defendants and oriented toward people seeking sexual relationships with others.


New Jersey Court Determines Internet Users Have a Constitutional Right to Privacy

The Supreme Court of New Jersey recently became one of the first courts in the nation to determine that Internet users have a constitutional right to privacy under Article I of the New Jersey Constitution. Because of the ruling, a grand jury subpoena will be required before law enforcement officials can access personal information about Internet users.


Student Loan Company Settles With FTC

The FTC announced on March 4 a settlement with Goal Financial, LLC, a San Diego-based student loan company that allegedly violated information privacy laws. If accepted, the settlement will require Goal Financial to implement a comprehensive information security program and subject itself to independent, third-party audits every two years for 10 years.


Accenture Sued for Negligence by the State of Connecticut

Many companies have started to experience the consequences of non-existent, insufficient or poorly implemented data security plans in the form of enforcement lawsuits filed by state attorneys general for violations of state data privacy and data security laws. However, in an interesting twist on this usual variety of state-initiated litigation arising out of poor data breach planning, the State of Connecticut is suing IT consultant Accenture for alleged negligence in losing electronic files containing information on bank accounts for almost all Connecticut state agencies as well as several hundred state purchasing cards and a handful of Connecticut taxpayers.


More Food for Thought on Data Breach Notification Laws

A recent Government Accountability Office report has provided some interesting new statistics regarding the effects of data breaches on victims. The gist of the report is helpfully summarized in its title: “Data Breaches are Frequent, but Evidence of Resulting Identity Theft is Limited; However the Full Extent is Unknown.” The GAO found a distressingly high total number of reported breaches in recent years, including 570 breaches reported in the public media from 2005 to 2006, 788 breaches involving 17 different federal agencies from 2003 to 2006, and 225 reported breaches in New York State alone in the ten months from December 2005 to October 2006.


ValueClick agrees to Settle with FTC for $2.9 Million

In a record settlement, ValueClick recently agreed to pay the Federal Trade Commission (“FTC”) $2.9 million to settle claims that ValueClick violated federal law and used deceptive advertising. The FTC alleged that ValueClick failed to protect consumer information and misled consumers with advertising that did not clearly disclose the cost of products.
