Archive for July, 2010

The FTC Settles with Twitter: Social Networking Site Held Accountable to its Promise

Monday, July 26th, 2010

The FTC released a Consent Order to settle charges against Twitter surrounding its privacy and data security practices. The FTC’s complaint alleged that intruders accessed Twitter’s administrative accounts twice between January and May 2009. During that time, the intruders were able to read private tweets, reset user passwords, send false tweets, and access private user information. The FTC alleged that Twitter failed to take reasonable steps to safeguard user information because its password and login procedures for administrative access were deficient.

The settlement does not include a monetary fine, but requires Twitter to establish and maintain a comprehensive information security program, which will be assessed by an independent auditor every other year for 10 years. Twitter is barred from making any misleading statements to consumers regarding its data security for 20 years. Additionally, the agreement includes provisions addressing Twitter’s use of service providers, and requires Twitter to evaluate and adjust its information security program to address material changes to its business or other events that might affect the program’s effectiveness.

The privacy policy posted on Twitter’s website stated that “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.” This is the FTC’s first case against a social networking site. Going after Twitter signals that the FTC’s concern over the protection of personal information extends beyond historical notions of “trade,” and is not limited to the protection of financial information. The FTC is interested in holding companies to their representations regarding their security practices.

Another Possible Litigation Tool Under the Stored Communications Act

Friday, July 23rd, 2010

The District Court for the Northern District of Illinois recently held in Devine v. Kapasi, et al., that “[w]here, as here, a plaintiff pleads that it stores electronic communications on its own systems, and that a defendant intentionally and without authorization got hold of those stored communications through the plaintiff’s electronic facilities, the plaintiff states a claim under § 2701 of the SCA [Stored Communications Act].” 2010 U.S. Dist. LEXIS 56488 (N.D. Ill. June 7, 2010).

The case arose following a split of the company Geus. Under the departure agreement, a former 50% shareholder, Jeff Devine, left the company to form Devine Solutions. Devine also received a server formerly owned and used by Geus for use in his new company. For the several days immediately following the transfer, and before the Geus-issued passwords were terminated, defendant Geus employees accessed the server to destroy electronic files belonging to Devine Solutions.

Defendants argued they could not be liable under § 2701 of the SCA because the Act requires a defendant to “intentionally access without authorization” or “intentionally exceed an authorization to access” a “facility through which an electronic communication service is provided . . . .” Defendants reasoned that § 2701 could not apply to them because they were not in the business of providing an electronic communication service to the public. Noting that no circuit court had ruled directly on point and that district courts were split on the issue, the district court held that the section did not require a plaintiff to be an electronic services provider to the public, but only that the “workplace be a facility through which an electronic service is provided.” (citing Expert Janitorial, LLC v. Williams, 2010 U.S. Dist. LEXIS 23080, at *13-14 (E.D. Tenn. March 12, 2010)). Litigators take note: this case may extend private rights of action under the SCA for unauthorized access to protected files.

UK: Put Your Money Where Your Technology Is, When it Comes to Data Security

Thursday, July 22nd, 2010

For data breaches or contraventions of the United Kingdom’s Data Protection Act (DPA) occurring on or after April 6, 2010, the Information Commissioner’s Office (ICO) now has the authority to impose monetary penalties of up to £500,000 on data controllers in the public, private and voluntary sectors. Before doing so, the Commissioner must determine that:

• there has been a serious contravention of section 4(4) of the DPA by the data controller;
• the contravention was of a kind likely to cause substantial damage or substantial distress; and
• either the contravention was deliberate, or the data controller knew, or ought to have known, that there was a substantial risk that the contravention would occur and that it would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent it.

Data controllers are expected to meet the familiar standard of care of a “reasonably prudent” data controller. This requires taking reasonable security steps, including: carrying out risk assessments of data processing activities and keeping evidence of the steps taken to address the risks in handling personal data; demonstrating good governance and/or internal auditing arrangements; and adopting appropriate policies, procedures, processes, and practices, such as encryption of all laptops and removable media. Serious contraventions include failures to take adequate security measures that result in losses of personal data. Damage or distress substantial enough to support a penalty includes any financially quantifiable loss suffered by an individual (including loss of earnings, lost financial opportunity and risk of identity theft) and any injury to feelings, harm, or anxiety suffered by an individual.

U.S. companies subject to the DPA should be cognizant of how broadly “substantial damage” can be interpreted. As with most data security enforcement, the moral is to establish good procedures in the first instance, and to be able to show that they were followed.

The ICO has published guidance about the penalties.

Quon’s “Read Between the Lines” Privacy Guidance to Employees and Employers

Wednesday, July 21st, 2010

The U.S. Supreme Court recently decided City of Ontario, California v. Quon, 560 U.S. ______ (2010). Assuming arguendo that a government employee had a reasonable expectation of privacy in the content of text messages sent and received on a government-issued device, and that the employer’s audit of those messages constituted a search under the Fourth Amendment, the Court held that the audit nonetheless was reasonable where:

• the audit was conducted for a legitimate work-related purpose, namely determining whether the existing subscription plan was adequate for work needs;

• the audit was limited in scope to a discrete period of time sufficient to obtain a useful sample;

• the employee’s off-hours communications were redacted; and

• a coherent policy was in place that addressed the medium and technology used to send the messages and limited the employee’s privacy expectations in those communications.

The privacy rights of the third-party, non-employee persons whose communications were also viewed were not violated in this case either, as their arguments relied solely on the claimed unreasonableness of the employee search. The Court specifically stated that a similar search would also be regarded as reasonable in the private-employer context. The case provides useful guidance to employers in writing privacy policies and in structuring and conducting employee audits. It is also a good warning that communications containing private information may be viewed by third parties if they are sent to an employer-provided device.

The next wave of internet password security?

Wednesday, July 21st, 2010

The Wall Street Journal recently reported on a new invention, among the finalists of this year’s Asian Innovation Awards: PassWindow. PassWindow is simply a unique key pattern printed on a transparent section of a standard identity, credit, or bank card. By design, it requires no moving parts or power of any kind; it is a pattern of vertical and horizontal line segments. When the user holds the window over a matching challenge pattern, whether in an email, on a web page, or even in a printed letter, the overlay reveals a single-use password that the user types in to authenticate. The creator, Matt Walker, plans on licensing the cards for less than $2 each, and the system is currently being tested by five banks internationally. But can the technology of a cereal-box decoder toy protect against internet fraud better than current, far more expensive and technologically advanced measures? With registered patents in his name, Mr. Walker certainly hopes the answer is “Yes.”

The full article is available from the Wall Street Journal.
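The mechanics of a pattern-overlay one-time code are easiest to see in a toy model. The example below is added here and is not PassWindow’s design or code (the article does not describe the patented scheme); it is an assumption built on the well-known Naor and Shamir 2-out-of-2 visual secret sharing construction. The “card” is a fixed random share, the server derives a challenge share for each code, and stacking the two reveals the digits. The digit font, the card size and the function names are all constructed for this illustration.

```python
"""Toy model of a pattern-overlay one-time code.

ASSUMPTION: this is a classroom analogue built on the Naor-Shamir 2-out-of-2
visual secret sharing construction, not a description of PassWindow's
patented scheme. The "card" is a fixed random share printed on a transparency;
the server turns each one-time code into a challenge share; stacking the two
(a cell is opaque if it is opaque in either share) reveals the code as digits.
"""
import secrets

# 3x5 digit glyphs, constructed for this example ('1' = opaque/black).
FONT = {
    "0": ("111", "101", "101", "101", "111"),
    "1": ("010", "110", "010", "010", "111"),
    "2": ("111", "001", "111", "100", "111"),
    "3": ("111", "001", "111", "001", "111"),
    "4": ("101", "101", "111", "001", "001"),
    "5": ("111", "100", "111", "001", "111"),
    "6": ("111", "100", "111", "101", "111"),
    "7": ("111", "001", "001", "001", "001"),
    "8": ("111", "101", "111", "101", "111"),
    "9": ("111", "101", "111", "001", "111"),
}
GLYPH_H, GLYPH_W = 5, 3
_FLIP = str.maketrans("01", "10")


def render_code(code):
    """Render a digit string as GLYPH_H rows of '0'/'1', one blank column between digits."""
    return ["0".join(FONT[d][r] for d in code) for r in range(GLYPH_H)]


def make_card(height, width):
    """The share printed on the card: each message pixel becomes a 1x2 block
    with exactly one opaque cell, chosen with a CSPRNG."""
    return [[secrets.choice(("10", "01")) for _ in range(width)] for _ in range(height)]


def _derive_share(share, bitmap):
    """Core of the 2-of-2 scheme: keep the block where the message pixel is white,
    complement it where the pixel is black. The operation is an involution, so it
    serves both the server (card -> challenge) and an attacker (challenge -> card)."""
    return [[blk if px == "0" else blk.translate(_FLIP) for blk, px in zip(srow, brow)]
            for srow, brow in zip(share, bitmap)]


def make_challenge(card, code):
    """Server side: the challenge share that, stacked on this card, shows `code`."""
    return _derive_share(card, render_code(code))


def overlay(card, challenge):
    """What the user sees with the card held over the challenge. A 1x2 block whose
    two cells are both opaque after stacking reads as a black message pixel; a
    half-opaque block reads as white."""
    rows = []
    for crow, hrow in zip(card, challenge):
        rows.append("".join(
            "1" if all(a == "1" or b == "1" for a, b in zip(cb, hb)) else "0"
            for cb, hb in zip(crow, hrow)))
    return rows


def decode_digits(bitmap):
    """Read the digits back out of a rendered bitmap (what the user would type in)."""
    width = len(bitmap[0])
    code = ""
    for start in range(0, width, GLYPH_W + 1):
        glyph = tuple(row[start:start + GLYPH_W] for row in bitmap)
        code += next(d for d, g in FONT.items() if g == glyph)
    return code


def recover_card(challenge, observed_code):
    """Attacker's check: because the card share is static, one challenge plus the
    code the victim typed for it (e.g. phished or keylogged) yields the whole card."""
    return _derive_share(challenge, render_code(observed_code))


def show(share):
    """Text rendering of a share or an overlay for a terminal demo."""
    return "\n".join("".join(row).replace("1", "#").replace("0", ".") for row in share)


if __name__ == "__main__":
    card = make_card(GLYPH_H, 4 * 6 - 1)                      # room for six digits
    code = "".join(str(secrets.randbelow(10)) for _ in range(6))
    challenge = make_challenge(card, code)
    print("challenge alone:\n" + show(challenge))
    print("card over challenge:\n" + show(overlay(card, challenge)))
    print("user reads:", decode_digits(overlay(card, challenge)))
    print("card recovered from one (challenge, code) pair:", recover_card(challenge, code) == card)
```

A single challenge seen on its own is uniformly random and reveals nothing, which is the property the toy shares with the article’s “decoder toy” intuition. The check at the end is the caveat a practitioner would want: in this plain construction the card never changes, so anyone who captures one challenge together with the code typed for it recovers the card share exactly, and background cells that never change across challenges leak the card on their own. Any deployable version of a static-overlay card has to add something beyond the textbook scheme to deal with this; what PassWindow itself does is not described in the article.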

HIPAA’s Bark, Now With a HITECH Bite

Friday, July 16th, 2010

Earlier this month, the first state Attorney General action brought under the Health Information Technology for Economic and Clinical Health Act (HITECH Act) settled. Connecticut’s Attorney General had brought the action against Health Net in the U.S. District Court for the District of Connecticut following Health Net’s May 2009 HIPAA violations, which involved the loss of a portable computer disk drive containing protected health information (PHI) of over 1.5 million plan participants. The settlement was entered as a stipulated judgment.

Health Net represented that it incurred over $7 million in expenses investigating the circumstances surrounding the disappearance of the drive, identifying and notifying affected Health Net members, and offering and providing two years of credit monitoring services and $1,000,000 in identity theft insurance to affected members. The investigation found that although Health Net had implemented privacy policies and procedures regarding PHI, certain employees handling the drive failed to comply with those policies and also did not create a log of the data transferred to the disk drive. The investigation also determined, however, that to date there has been no evidence of identity theft or fraud involving any of the affected members.

Health Net’s obligations under the settlement are two-fold: 1) a guaranteed fine of $250,000, payable to the Connecticut state treasury, coupled with a contingent additional fine of $500,000 if the data on the missing disk is shown to have been accessed and misused; and 2) a Corrective Action Plan. The Corrective Action Plan requires Health Net to supplement its existing security and privacy programs, including by: utilizing a combination of hardware and software to identify and automatically encrypt email containing PHI, monitoring and controlling the transfer of PHI to removable media, identifying and logging all actual and attempted access to PHI, and encrypting the hard drives of all company laptop computers. Additionally, Health Net is required to strengthen its oversight of IT projects and institute broad HIPAA training and awareness measures for all employees.

This is only the first state Attorney General action brought under the authority granted by HITECH in early 2009. States like California have already been aggressively fining hospitals for failure to prevent unauthorized access to confidential patient medical information. On June 10, the California Department of Public Health (CDPH) announced $675,000 in fines against five separate hospitals under Section 1280.15 of the California Health and Safety Code, which was amended in 2008 to hold health care providers accountable for ensuring the privacy of patients; the CDPH announced the fines in a press release. With state coffers hurting, the additional authority and fines permitted under HITECH may create quite an incentive to prosecute further HIPAA violations.

Posted by Gesmer Updegrove attorney Crystal Lyons.