The FTC Settles with Twitter: Social Networking Site Held Accountable to its Promise

The FTC released a Consent Order to settle charges against Twitter surrounding its privacy and data security practices. The FTC’s complaint alleged that intruders accessed Twitter’s administrative accounts twice between January and May 2009. During that time, the hackers were able to access private tweets, reset user passwords, send false tweets, and access private user information. The FTC alleged Twitter failed to take reasonable steps to safeguard user information by following deficient password and login procedures.

The settlement does not include a monetary fine, but requires Twitter to establish and maintain a comprehensive information security program, which will be assessed by an independent auditor every other year for 10 years. Twitter is barred from making any misleading statements to consumers regarding its data security for 20 years. Additionally, the agreement includes provisions addressing Twitter’s use of service providers and requiring Twitter to evaluate and adjust its information security program to address material changes to its business or other events that might impact the effectiveness of its security program.

The privacy policy posted on Twitter’s website stated that “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.” This is the FTC’s first case against a social networking site. Going after Twitter signals the FTC’s concern over the protection of personal information extends beyond historical notions of “trade,” and is not limited to the protection of financial information only. The FTC is interested in holding companies to their representations regarding their security practices.

Another Possible Litigation Tool Under the Stored Communications Act

The District Court for the Northern District of Illinois recently held in Devine v. Kapasi, et al., that “[w]here, as here, a plaintiff pleads that it stores electronic communications on its own systems, and that a defendant intentionally and without authorization got hold of those stored communications through the plaintiff’s electronic facilities, the plaintiff states a claim under § 2701 of the SCA [Stored Communications Act].” 2010 U.S. Dist. LEXIS 56488 (N.D. Ill. June 7, 2010).

The case arose following a split of the company Geus. Under the departure agreement, a former 50% shareholder, Jeff Devine, left the company to form Devine Solutions. Devine also received a server formerly owned and used by Geus for use in his new company. For the several days immediately following the transfer, and before the Geus-issued passwords were terminated, defendant Geus employees accessed the server to destroy electronic files belonging to Devine Solutions.

Defendants argued they could not be liable under § 2701 of the SCA because the Act requires a defendant to “intentionally access without authorization” or “intentionally exceed an authorization to access” a “facility through which an electronic communication service is provided . . . .” Defendants reasoned that § 2701 could not apply to them because they were not in the business of providing an electronic communication service to the public. Noting that no circuit court had ruled directly on point and that district courts were split on the issue, the district court held that the section did not require a plaintiff to be an electronic services provider to the public, but only that the “workplace be a facility through which an electronic service is provided.” (citing Expert Janitorial, LLC v. Williams, 2010 U.S. Dist. LEXIS 23080, at *13-14 (E.D. Tenn. March 12, 2010)). Litigators take note: this case may extend private rights of action under the SCA for unauthorized access to protected files.

UK: Put Your Money Where Your Technology Is– When it Comes to Data Security

For data breaches or contraventions of the United Kingdom’s Data Protection Act (DPA) occurring on or after April 6, 2010, the Information Commissioner’s Office (ICO) now has the authority to impose monetary fines against data controllers in the public, private and voluntary sectors, of up to half a million pounds. The Commissioner must first determine:

• there has been a serious contravention of section 4(4) of the DPA by the data controller; and
• the contravention was of a kind likely to cause substantial damage or substantial distress; and
• either the contravention was deliberate; or
• the data controller knew, or ought to have known, that there was a substantial risk that the contravention would occur, that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention.

Data controllers are expected to apply the familiar standard of care of a “reasonably prudent” data controller. This requires taking reasonable security steps, including: carrying out risk assessments of data processing activities and providing evidence of steps taken to address the risks in handling personal data, demonstrating the presence of good governance and/or internal auditing arrangements, and adopting appropriate policies, procedures, processes, and practices, such as encryption of all laptops and removable media. Serious contraventions include failures to take adequate security measures which result in losses of personal data. Sufficient substantial damage or distress includes any financially quantifiable loss suffered by an individual (including loss of earnings, lost financial opportunity and risk of identity theft) and any injury to feelings, harm, or anxiety suffered by an individual.

U.S. data providers should be cognizant of how broadly “substantial damage” can be interpreted. As with most data security enforcement, the moral seems to be to focus on establishing good procedures in the first instance.

For ICO’s published guidance about the penalties, click here.

Quon’s “Read Between the Lines” Privacy Guidance to Employees and Employers

The U.S. Supreme Court recently held in City of Ontario, California v. Quon, 560 U.S. ______ (2010), that, arguendo, a government employee had a reasonable expectation of privacy in the content of their text messages sent and received on a government-issued device and an audit of those messages constituted a search under the Fourth Amendment of the Constitution. The government employer’s audit of the content of those messages nonetheless was reasonable where:

• the audit was conducted for a legitimate work-related purpose of determining the necessary subscription plan;

• the audit was limited in scope to a discrete period of time sufficient to obtain a useful sample;

• the employee’s off-hours communications were redacted; and

• a coherent policy was in place that addressed the medium and technology used to send the messages and limited the employee’s privacy expectations in their communications.

The privacy rights of third-party, non-employee persons whose communications were also viewed were not violated in this case, as their arguments relied solely on the perceived unreasonableness of the employee search. The Court specifically stated that a similar search would also be reasonable in the private-employer context. The case provides useful guidance to employers in writing privacy policies and in structuring and conducting employee audits. It is also a good warning that communications containing private information may nonetheless be subject to third-party viewing if sent to an employer-provided device.

The next wave of internet password security?

The Wall Street Journal recently reported on a new invention, among the finalists of this year’s Asian Innovation Awards, PassWindow. PassWindow operates simply as a unique key pattern on a transparent section of a standard identity, credit, or bank card. By design, PassWindow requires no working parts or power of any kind. It instead uses a pattern of vertical and horizontal lines. When a PassWindow user holds the window over an email, internet page, or even a printed letter, the user can see a single-use password and authenticate securely. The creator, Matt Walker, plans on licensing his cards for less than $2 each. The system is currently being tested by five banks internationally. But can the technology required for a cereal-box child’s decoder toy protect against internet fraud better than current, much more expensive and technologically advanced measures? With registered patents in his name, Mr. Walker certainly hopes the answer is “Yes.”

For the full Wall Street Journal article, click here.

HIPAA’s Bark, Now With a HITECH Bite

Earlier this month, the first state Attorney General action initiated under the Health Information Technology and Clinical Health Act (HITECH Act) settled. Connecticut’s Attorney General brought the action against Health Net in the District Court of Connecticut following Health Net’s May 2009 HIPAA violations involving the loss of a portable computer disk drive containing protected health information (PHI) of over 1.5 million plan participants. For a copy of the stipulated judgment, click here.

Health Net represented it incurred over $7 million in expenses investigating the circumstances surrounding the disappearance of the drive, identifying and notifying affected Health Net members, and offering and providing two years of credit monitoring services and $1,000,000 in identity theft insurance to affected members. The loss investigation uncovered that though Health Net had implemented privacy policies and procedures regarding PHI, certain employees handling the drive failed to comply with those policies and also did not create a log of the data transferred to the disk drive. The investigation also determined, however, that, to date, there has been no evidence of any identity theft or fraud affecting any of the affected members.

Health Net’s obligations under the settlement are two-fold: 1) a guaranteed fine of $250,000, payable to the Connecticut state treasury, coupled with a contingent additional fine of $500,000 if the data on the missing disk is shown to have been accessed and misused; and 2) a Corrective Action Plan. The Corrective Action Plan requires Health Net to supplement its existing security and privacy programs, including by: utilizing a combination of hardware and software to identify and automatically encrypt email containing PHI, monitoring and controlling the transfer of PHI to removable media, identifying and logging all actual and attempted access to PHI, and encrypting the hard drives of all company laptop computers. Additionally, Health Net is required to strengthen its oversight of IT projects and institute broad HIPAA training and awareness measures for all employees.

This is only the first state Attorney General action initiated under the authority granted by HITECH in early 2009. States like California have already been aggressively fining hospitals for failure to prevent unauthorized access to confidential patient medical information. On June 10, the California Department of Public Health (CDPH) announced the imposition of $675,000 in fines on five separate hospitals, in accordance with Section 1280.15 of the California Health and Safety Code, which was amended in 2008 to hold health care providers accountable for ensuring the privacy of patients. For the California Department of Public Health’s press release on the fines, click here. With state coffers hurting, the additional authority and fines permitted under HITECH may create quite an incentive to prosecute further HIPAA violations.

Posted by Gesmer Updegrove attorney Crystal Lyons.

Draft Privacy Bill Makes Your Location, Sexual Orientation “Sensitive Information”

On Tuesday, May 4, 2010, Representatives Rick Boucher, Democrat of Virginia, and Cliff Stearns, Republican of Florida, released a draft of a Congressional bill that would extend privacy protections both on the web and offline. Mr. Boucher is the chairman of the House subcommittee on communications, technology and the Internet, and Mr. Stearns is the panel’s ranking minority member. After collecting comments on the draft, the lawmakers hope to have formal legislation introduced within a month or so, Mr. Boucher reported in an interview.

There is currently no national legislation governing how companies tell consumers that they are collecting data, but companies do post privacy notices because certain state laws require it. This bill would be the first federal law requiring businesses to provide privacy notices.

The bill provides a privacy baseline, providing limited protection for “covered information” and much tougher protection for “sensitive information.” The bill makes a key distinction between the two kinds of data: covered information collection is “opt-out,” while sensitive information collection would become “opt-in” only.

According to the bill, covered information includes:

* The first name or initial and last name
* A postal address
* A telephone or fax number
* An e-mail address
* Unique biometric data, including a fingerprint or retina scan
* A Social Security number, tax identification number, passport number, driver’s license number, or any other government-issued identification number
* A financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account
* Any unique persistent identifier, such as a customer number, unique pseudonym or user alias, Internet Protocol address, or other unique identifier, where such identifier is used to collect, store, or identify information about a specific individual or a computer

Companies and websites that disclose their data collection practices can harvest this data on the assumption that, by using the site, one has agreed to such collection. But they are required to provide an opt-out option that would stop all such data collection and prevent the company from using even previously acquired data.

Sensitive information can’t be collected and stored without an explicit opt-in assent by the consumer. The bill defines sensitive information as:

* Medical records, including medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
* Race or ethnicity
* Religious beliefs
* Sexual orientation
* Financial records and other financial information associated with a financial account, including balances and other financial information
* Precise geolocation information

The proposed bill would expand what information should be considered confidential. It would also require companies to post clear and understandable privacy notices when they collect information. Such information could range from health or financial data to any unique identifier, including a customer identification number, a user’s race or sexual orientation, the user’s precise location or any preference profile the user has filled out. It could also include an Internet Protocol address, the numerical address assigned to each computer connecting to the Internet that many companies now use to aim particular messages at users, which the companies argue is not personally identifiable.

The proposed bill already seems to be making everyone unhappy. The New York Times reports that privacy advocates have said that the bill does not go far enough in protecting consumers, while other groups such as the Progress & Freedom Foundation believe the bill “could unintentionally devastate the ‘free’ Internet as we know it,” given the use of data collection for online advertising, resulting in “diminished consumer choice in ad-supported content and services, raise prices, quash digital innovation, and hurt online speech platforms enjoyed by Internet users worldwide.”

To see the draft bill, click here.

To see the New York Times coverage of this bill, click here.

(hat tip to Ars Technica for its post on the bill)

Social Website “Blippy” Posts User Credit Cards Online

The social website Blippy, which allows users to share information about when and where they make purchases, is posing a data security risk to users after it was revealed Friday that user credit card numbers are appearing online.

VentureBeat first noticed the glitch and reported that credit card numbers appeared in some 130 Google search results, Mashable and CNET report. To date Blippy has not responded to inquiries regarding this privacy breach. To see the ABA Journal article regarding this security glitch, click here.

For a New York Times article regarding the trend of oversharing of personal information on the web, click here.

For users of Blippy and other applications that share personal information, there is clearly a risk of someone misusing the credit card numbers or other personal information that you are publicly providing. So before you share, consider whether you are providing more information than necessary, before that information falls into the wrong hands.

Mississippi Is Latest State to Enact Data Privacy Law

On April 7, 2010, Mississippi enacted H.B. 583, making Mississippi the forty-sixth state with a data security breach notification law on the books.

The law, which goes into effect on July 1, 2011, requires that any person who conducts business in Mississippi and who, in the ordinary course of the person’s business, functions, owns, licenses or maintains personal information of any Mississippi resident to notify certain individuals when the security of their unencrypted personal information may be at risk.

The language of this law is consistent with that of other states’ data privacy laws in most respects. The one significant difference is that this law requires that notice of a breach be provided only to “affected individuals,” which are defined by the statute to mean residents of Mississippi whose “personal information was, or is reasonably believed to have been, intentionally acquired by an unauthorized person through a breach of security.” As drafted, this limitation could excuse providing notice when electronic storage devices containing personal information are lost or accidentally sent to the wrong person.

This law does not require that notification be provided if, after an investigation, it is determined that the security breach “will not likely result in harm to the affected individuals.”

Failure to comply with the law is deemed to constitute an unfair trade practice, but the right to enforce the law lies only with the Attorney General. The law does not permit a private right of action.

To see a full text of the new law, click here.

Medical Information Theft on the Rise

Business Week reports that medical ID theft is on the rise. There were more than 275,000 cases of medical information theft in the U.S. last year, twice the number in 2008, according to Javelin Strategy & Research, a Pleasanton, California-based market research firm. The average fraud cost $12,100, Javelin said. Given that about 44 percent of U.S. doctors used some form of electronic records last year, according to the National Center for Health Statistics, such theft is not surprising.

Individuals are using stolen information to file false claims. Criminals also set up fake clinics to bill for phony treatments, according to Pam Dixon, founder of the World Privacy Forum, a non-profit consumer-research group based in San Diego, California, which has worked with more than 3,000 victims. Thieves also may impersonate a patient, as in Morgan’s case, and some medical workers download records to sell, she said.

The economic stimulus bill of 2009 includes $2 billion to create a national system of computerized health records and as much as $27 billion over 10 years in payments to Medicare and Medicaid providers who adopt the technology, according to the Department of Health and Human Services. The purpose of creating the digital files was to improve care and help lower costs, but digitizing these files makes the information more vulnerable to theft or hacking.

Insurers are working on improving technology to spot false claims, but better standards are needed. The government is considering new regulations to enhance the privacy and security of health information, said David Blumenthal, national coordinator for Health Information Technology at the Health and Human Services Department. Precautions, such as adding photos to patient records, are being adopted by some medical facilities.

Given the mobility of the current population, it makes sense that a person’s medical records are available whether they are seeking treatment while living in Boston or need emergency care while vacationing in California. Efforts need to be made by the medical community to take all necessary safeguards to protect patient data and to ensure that the software used to store such sensitive patient information is as secure as possible.

To read more, please go to Business Week.