Data Privacy Day is January 28, 2010.  Data Privacy Day 2010 is a division of The Privacy Projects, a nonprofit think tank and research organization dedicated to facilitating the role of consumer privacy and data protection in regulatory controls, technological innovation and consumer protection with key stakeholders; to the development and promotion of privacy standards;  and to the promotion of collaboration, cooperation and shared responsibility in the areas of individual data protection and commercial management of personal information.

According to its website, Data Privacy Day is an annual international celebration to raise awareness and generate discussion about information privacy.  In 2009, both the U.S. Senate and House of Representatives recognized January 28th as National Data Privacy Day.

Over the past few years, privacy professionals, corporations, government officials and representatives, academics, and students in the United States, Canada, and 27 European countries have participated in a wide variety of privacy-focused events and educational initiatives in honor of Data Privacy Day.  They have conducted discussions, examined materials and explored technologies in an effort to bring information privacy into our daily thoughts, conversations and actions.

Data Privacy Day has also provided an opportunity to promote teen education and awareness about privacy challenges when using mobile devices, social networking sites and other online services.

For more information about Data Privacy Day or The Privacy Projects, click here.

The Massachusetts Supreme Judicial Court issued an order on January 7, 2010 regarding the protection of specific personal information collected and maintained by the Massachusetts judicial branch in accordance with M.G.L. c. 93H.

The Order requires protection of specified personal information, as defined by M.G.L. c. 93H, of all individuals, including non-residents.  Each appellate court, the Trial Court and any court affiliate
that owns, stores or maintains such personal information is required to develop and implement an information security program to protect personal information from a data breach.

According to the Order, the program is to ensure that courts and court affiliates collect the minimum quantity of personal information reasonably needed to accomplish the legitimate purpose for which the information is collected; securely store and protect the information against unauthorized access, destruction, use, modification, disclosure or loss; provide access to and disseminate the information only to those who reasonably require the information to perform their duties; and destroy the information as soon as it is no longer needed or required to be maintained.

The SJC’s Order sets out the details of what such information security program shall include.  The Order also provides for departmental reviews of the collection and maintenance of personal information; review of the manner in which personal information is electronically stored; and requires that all contracts entered into by the judicial branch contain provisions regarding data breach notification and require compliance with court information security programs.

Compliance with the Order is required by September 1, 2010.  To see the SJC’s complete Order on the Protection of Personal Information, click here.

A mortgage broker who discarded consumers’ personal financial records in a publicly- accessible dumpster paid a $35,000 civil penalty to settle Federal Trade Commission charges.

According to an FTC complaint filed in December 2008, the defendant improperly disposed of about 40 boxes of sensitive consumer records collected by companies he had owned, including tax returns, mortgage applications, bank statements, photocopies of credit cards and drivers’ licenses, and at least 230 credit reports. In addition, two mortgage brokerage companies he previously owned failed to provide reasonable and appropriate security for sensitive consumer information, despite promising they would do so.

In addition to the $35,000 penalty, the settlement order also provides that the defendant is barred from misrepresenting measures taken to protect sensitive consumer information and failing to take reasonable measures to protect credit report information during its disposal. The order also requires the defendant to employ a comprehensive information security program for sensitive consumer information, and to hire an independent, third-party security professional to review the program every year for 10 years to ensure that it meets or exceeds the order’s requirements.

To read the compete FTC Press Release on the settlement, click here.

Connecticut Attorney General (AG) Richard Blumenthal announced that he is suing Health Net of Connecticut for a data breach resulting in the exposure of patient medical records and financial records of 446,000 Connecticut enrollees, which were allegedly stored on an unecrypted portable computer disk drive that disappeared from the company’s office in Shelton, Conn on or about May 14, 2009.

This case will mark the first action by a state general involving violations of HIPAA since the Health Information Technology for Economic and Clinical Health (HITECH) Act, which authorizes state attorneys general to enforce HIPAA.

For more information about this data breach, click here for the complete story on HealthImaging.com.

At a meeting with New York Times staff, the chairman of the F.T.C., Jon Leibowitz, and David Vladeck, chief of the commission’s Bureau of Consumer Protection, discussed online privacy and the news business, among other topics. Both individuals have indicated that they expect the FTC to take a more active role in safeguarding consumer privacy. This may also be in light of the pending federal legislation the Data Accountability and Trust Act.

Among topics covered at the meeting were that few people actually read website privacy policies and questions regarding use of consumer data with respect to its use by data brokers, data aggregators, social networks, cloud computing and mobile marketing. (These subjects will be part of a Jan. 28 F.T.C. roundtable on privacy, held in Berkeley, Calif.)

For more information, read the New York Times blog about their meeting with the F.T.C. here. http://mediadecoder.blogs.nytimes.com/2010/01/11/ftc-has-internet-gone-beyond-privacy-policies/

On December 11, 2009, the Massachusetts SJC affirmed the dismissal of claims against BJ’s and Fifth Third Bank by plaintiff credit unions and an insurance company arising out of a data breach that exposed magnetic strip data of credit and debit cards of 9.2 million BJ’s customers.

In Cumis Insurance Society, Inc., et al. v. BJ’s Wholesale Club, Inc., et al., 107 credit unions and Cumis Insurance Society brought suit against BJ’s and Fifth Third alleging that thieves were able to obtain the card information from BJ’s computer systems because BJ’s and its acquiring bank, Fifth Third, breached their contractual obligations, both to each other and to Visa and MasterCard, by storing the magnetic strip data from the back of the cards after a card transaction had been authorized or declined. The plaintiff credit unions sought damages incurred for the cost of replacing the compromised cards. Cumis sought to recover the funds paid to the credit unions to reimburse them for the fraudulent use of the cards.

The credit unions asserted claims for breach of contract on the theory that they were intended third-party beneficiaries of BJ’s contract with Fifth Third Bank and of the Visa and MasterCard regulations that were incorporated into the contract, which specifically included a prohibition on retaining magnetic strip data after a cardholder’s transaction is completed. The SJC affirmed the dismissal of the breach of contract claims finding that plaintiffs failed to establish that there was any intention by BJ’s or Fifth Third that the credit unions were supposed to be the beneficiaries of their contract. In addition, the credit unions could not recover under Visa and MasterCard regulations (specifically, prohibiting the storage of magnetic strip data) because Visa and MasterCard retained the enforcement of their regulations for themselves.

The SJC also affirmed the dismissal of plaintiffs negligence claims on the grounds of the economic loss doctrine, which prohibits recovery under a negligence theory when the only harm sustained is economic in nature.

Finally, the SJC affirmed the dismissal of plaintiff’s fraud and negligent misrepresentation claims. Plaintiffs theory was that they relied on BJ’s required compliance with the Visa and MasterCard regulations to not store the magnetic strip data. The SJC found that plaintiffs could not show BJ’s ever made any direct representations to the plaintiffs regarding its compliance with the Visa and MasterCard regulations that would support these claims.

The discussion of the fraud and negligent misrepresentation claims in this case are the most interesting aspect of the decision. The SJC found that even if plaintiffs could establish that defendants made representations about their compliance with the Visa/MasterCard regulations to the plaintiffs, the plaintiffs could not have reasonably relied on those representations because the Visa/MasterCard regs explicitly include a fine for failing to comply. Quite simply, the system was designed with the expectation that such data breaches would occur. In addition, the SJC noted that the plaintiffs even insured themselves against such fraudulent losses, showing that plaintiffs expected such a data breach to occur. Finally, the SJC noted that the plaintiffs had ongoing knowledge of noncompliance with the magnetic strip regulation because they received notifications from Visa and MasterCard regarding compromised accounts due to improper retention of magnetic strip data.

Ultimately, there was no theory under which the credit unions could recoup their losses stemming from the data breach.

On December 17, 2009, Heartland Payment Systems announced that it would pay American Express $3.6 million to resolve charges stemming from a 2008 breach of Heartland’s payment system network the AP reported.

Heartland’s data breach was the result of hackers using installed spying software on Heartland’s computer network. These hackers also attacked 7-Eleven and Hannaford Brothers Supermarkets. The Department of Justice allege that these hackers managed to steal more than 130 million credit card numbers from Heartland and about 4.2 million from Hannaford.

Heartland has still not reached resolution of its disputes with other card brands, such as Visa and MasterCard, arising out of this data breach, but clearly, such additional settlements will cost Heartland additional millions.

On December 8, 2009, the U.S. House of Representatives passed by voice vote H.R. 2221, the Data Accountability and Trust Act. This bill is similar in nature to multiple state breach notification laws that have already been passed. It includes the following:

H.R. 2221 defines personal information as, “an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:
(i) Social Security number
(ii) Driver’s license number or other State identification number
(iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.”

Some more details of this bill include:

• The Federal Trade Commission would be the responsible enforcement agency.
• The FTC would ultimately define the proper technical procedures for protecting data.
• Organizations that have data need to establish a data security policy.
• Organizations must identify an information security officer.
• Organizations must have a process for identifying vulnerabilities, and monitoring for breaches.
• Organizations need a process for securely destroying data that is no longer required.
• Breaches need to be reported to the consumers affected, and the FTC, unless:
  • “there is no reasonable risk of identity theft, fraud, or other unlawful conduct.”, which will be defined by the FTC should the bill pass.
  • The organization experiencing the breach does not fall under the jurisdiction of the FTC.

The FTC does not have the power to enforce regulations on government, banks, savings and loan institutions, the insurance industry, and non-profits, which include colleges and universities.

The bill has some more stringent requirements for “data brokers”, including audits in the event of a breach. It also requires two years of quarterly credit reports provided to victims at no charge. Third parties are required to notify customers in the event of a breach, and the actual owner of the data is then required to notify consumers. There is an exemption for data encryption. In addition, the FTC will define other exemptions if the bill become law. The FTC will also be tasked with posting data breaches on their website on a case-by-case basis if the FTC deems it is in the public interest.

The Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) has revised - for a third time - the regulatory scheme created to protect the personal information of Massachusetts residents. The deadline for compliance is now March 1, 2010.

The OCABR originally promulgated the regulations last Fall, mandating that those holding personal information about Massachusetts residents devise and implement specific, detailed policies to protect the security and integrity of that information. Virtually all Massachusetts businesses are covered, and the regulations also apply to entities outside the Commonwealth that hold Massachusetts residents’ Social Security numbers, credit card numbers, driver’s license numbers or financial account numbers.

The regulations have been controversial, particularly among members of the Massachusetts business community, who widely complained that they were inflexible, overly broad and expensive to implement.

The new version of the regulations appears aimed at addressing some of those concerns, while still adhering to the fundamental goal of requiring business practices that minimize the risk of future data breaches.

Among the more significant changes that were just announced: (1) the regulations now apply only to entities that own or lease “personal information,” and no longer extend to those who simply “store or maintain” it; (2) the regulations now adopt a more risk-based approach, addressing criticism that the former draft amounted to a one-size-fits-all mandate; and (3) the new regulations rework the language concerning third-party service providers, requiring contract language essentially obligating service providers to comply with the regulations, but grandfathering pre-existing contracts without such language during the first two years the regulations are in effect.

Today, November 14, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) extended the deadline for compliance with its new data security regulations.  The regulations had been slated to take effect on January 1, 2009.  Some aspects of the regulations are now scheduled to become enforceable on May 1, 2009 and others will not be enforced until January 1, 2010.

Quoting from a press release issued by the OCABR today :

• The general compliance deadline for 201 CMR 17.00 has been extended from January 1, 2009 to May 1, 2009. The date is consistent with a new FTC Red Flag Rule, which requires financial institutions and creditors to develop and implement written identity theft prevention programs. Businesses addressing the new FTC requirements can now address the state regulations during the same time frame. 

• The deadline for ensuring that third-party service providers are capable of protecting personal information and contractually binding them to do so will be extended from January 1, 2009 to May 1, 2009, and the deadline for requiring written certification from third-party providers will be further extended to January 1, 2010. This tiered deadline for requiring certification will ensure proper consumer protection and facilitate implementation without overburdening small businesses during harsh economic times.

• The deadline for ensuring encryption of laptops will be extended from January 1, 2009 to May 1, 2009, and the deadline for ensuring encryption of other portable devices will be further extended to January 1, 2010. Many data breaches reported to date relate to laptops, and laptops are more easily encrypted than other portable devices such as memory sticks, DVDs and PDAs. 

The press release is produced below, in full:

 201 CMR 17.00 - Extension of Deadlines - Press Release