The HIPAA/HITECH Final Rule Has Been Released

The long-awaited HIPAA/HITECH Final Rule is out.  The final rule is effective March 26, 2013, but covered entities (CEs) and business associates (BAs) will have 180 days beyond the effective date to come into compliance. While we are still conducting a comprehensive review of this 563-page document, below are a few of the changes we have found so far:

  • BAs are now directly liable for compliance with certain HIPAA Privacy and Security Rule requirements:  impermissible uses and disclosures; failure to provide breach notification to the covered entity; failure to provide access to a copy of electronic protected health information to the covered entity, the individual, or the individual's designee; failure to disclose PHI where required by the Secretary to investigate or determine the business associate's compliance with the HIPAA Rules; failure to provide an accounting of disclosures; and failure to comply with the requirements of the Security Rule.
  • Insurers may need a business associate agreement (BAA) with a covered entity if they perform risk management or assessment activities or legal services for the covered entity that involve access to PHI.
  • Additional guidance has been provided regarding the assessment of civil monetary penalties (CMPs):  the number of individuals affected and the time period during which violations occurred will be considered.  As noted below, OCR's presentation to the State Attorneys General shows how quickly CMPs can reach very high numbers.
  • Reputational harm is a fact-specific inquiry and does not arise solely from the sensitivity of the diagnosis.  Instead, OCR will look at whether there were adverse effects on employment, standing in the community, or personal relationships.
  • When assessing CMPs, an organization's history of compliance and non-compliance will be considered.  A mere complaint does not constitute an indication of non-compliance.
  • There are significant changes to treatment and care communications when the covered entity receives financial remuneration for promoting a third party's goods and services.
  • Individuals must have a right to access and to obtain a copy of PHI within 30 days (with a one-time 30 day extension after written notice for the delay and when the records will be provided).
  • The definition of breach has been modified to clarify that an impermissible use or disclosure of PHI is PRESUMED to be a breach unless the CE or BA demonstrates that there is a low probability that the PHI has been compromised.  Documentation sufficient to meet this burden of proof must be maintained.
  • Breach notification is not required if a CE or BA demonstrates through a risk assessment that there is a low probability that the PHI has been compromised--the focus is no longer on the harm to the individual.
  • The probability of harm must be assessed by considering at least: (1) the nature and extent of PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether PHI was actually acquired or viewed; (4) the extent to which the risk to PHI has been mitigated (e.g., assurances from trusted third parties that the information was destroyed). Most of these factors were likely considered previously by CEs.
  • Notification does not require an analysis of risk because the occurrence of a breach is presumed.
  • Notification is not warranted where the use or disclosure is so inconsequential that notifying the individual may cause unnecessary anxiety, or even eventual apathy, if notices of such incidents are sent routinely.  An example is provided of a fax misdirected to the wrong physician, who immediately calls to report the error.  This is nothing new, just a clear expression of what many have already believed.
  • Substitute notice or media notice may at times occur after the 60-day period, depending on circumstances.
  • Breaches affecting fewer than 500 individuals must be reported no later than 60 days after the end of the calendar year in which they were discovered, not the year in which they occurred.
  • Notification to the Secretary must occur contemporaneously with notice to individuals for breaches affecting over 500 individuals.

We also note that some things remain unchanged:

  • HITECH only preempts state law to the extent HITECH is more stringent.  HITECH is only a Federal floor of privacy protection.
  • The revised penalty structure remains.  A presentation by the OCR to state Attorneys General shows how aggressive OCR may be in assessing civil monetary penalties (CMPs).
  • "The goal of enforcement is to ensure that violations do not recur without impeding access to care." P. 79.  An entity's financial condition will still be considered.
  • The addressable standard remains.  HHS does "not mandate the use of specific technologies, or require uniform policies and procedures for compliance, because [they] recognize the diversity of regulated entities and appreciate the unique characteristics of their environments." P. 102.
  • The "minimum necessary" standard applies directly to BAs.
  • Certain provisions of the Privacy Rule do not apply to BAs unless the CE delegates that responsibility: designating a privacy officer, providing a notice of privacy practices (NPP).
  • BAAs are still required to help clarify and limit permissible uses and disclosures.
  • A decedent's PHI will require protection for 50 years.
  • The requirement for return or destruction of PHI by the BA at the termination of the contract (if feasible) does extend to sub-BAAs.
  • HHS will not establish or endorse a certification process for HIPAA compliance by BAAs and sub-BAAs.
  • Timeliness and content of notification have not changed.
  • A CE retains the ultimate obligation for proper notification.  Notification by the BA can be delegated.
  • Media notification and notification to HHS have not changed.
  • Law enforcement delays remain available.
  • There are no changes to the circumstances under which HITECH preempts state law.

We will continue to assess these changes and post updates as our analysis develops and the impact of these changes is further considered.  

Cybersecurity Bill Fails Again In Senate

Yesterday evening, the Senate again failed to move forward on the Cybersecurity Act of 2012, voting 51-47 not to end debate on the measure (60 votes required). Opponents picked up one additional ‘no’ vote by Sen. Rubio (R-FL), who did not vote on it in August.  Majority Leader Reid faulted the minority and the Chamber of Commerce for blocking the bill, despite his willingness to entertain germane amendments to the bill. In opposition, Sen. Grassley (R-IA) expressed continuing reservations about the bill, including a lack of confidence in DHS, which would take the lead role under the legislation. Clearly frustrated, Reid proclaimed, “Cybersecurity is dead for this Congress.” With several weeks still to go before the 112th Congress concludes, however, take that with a grain or two of salt.

Cybersecurity in the Senate: Progress During the Lame Duck?

As I last reported in August, just before Congress recessed to campaign for reelection, the Senate failed to end debate and take up the Cybersecurity Act of 2012, S. 3414, by eight votes (really only seven, as Majority Leader Reid switched his vote so as to be able to bring it up again in the future). Since that time, the Administration has circulated draft Executive Order language, Iran has been accused of cyber attacks on Saudi Aramco and several American banks, Commerce Committee Chairman Rockefeller has probed the Fortune 500 about their concerns with the bill, and Leader Reid has indicated he intends to take up legislation again before the end of the year -- possibly as early as this week. And then there was that election last Tuesday.

So whither the Cybersecurity Act? More precisely, are there now seven more votes to move forward on the bill? It seems doubtful: First, the two Senators who didn’t vote on August 2, Mark Kirk (R-IL) and Marco Rubio (R-FL), are not likely to jump on board in support of the bill. Second, none of the 46 Senators who opposed moving forward on the bill in August – Democrat (there were five, excluding Reid) or Republican – lost reelection. The only truly “lame ducks” among the opponents are two retiring Republicans from red states who aren’t likely to switch their votes. Third, looking to next year and the 113th Congress, the three seats Democrats gained in the Senate are held by moderate Republicans who supported moving the bill in August. (For the record, it’s mathematically possible Arizona could still flip, potentially changing one vote.) Thus, without some change in the substance of the legislation or the politics of cybersecurity, perhaps prompted by external events, it’s hard to see a bill getting enacted during the lame duck session or even next year. Unlike healthcare, the deficit, taxes, and spending – prominent issues on which Obama ran and claims some popular affirmation for his position – cybersecurity was not a major pillar of the campaign. The spirit of compromise may well surface on Capitol Hill in the next few weeks, but it’s likely being reserved for the fiscal cliff issues.

We will continue to update you on significant developments regarding this legislation and/or any executive branch action as they occur.

Rockefeller Questions Fortune 500 on Cybersecurity Act / Data Security Practices

Senate Commerce Committee Chairman John D. Rockefeller (D-WV) yesterday blanketed the entire FORTUNE 500 list of companies with a pointed letter inquiring about business opposition to cybersecurity legislation and seeking a response by October 19. (Press release here) The letter asks for information on companies’ cybersecurity practices and companies’ concerns about the federal government’s role in setting cybersecurity standards as provided in the proposed Cybersecurity Act of 2012, S. 3414, legislation that Sen. Rockefeller and his colleagues sponsored that has failed to advance this year. Additional posts on the Cybersecurity Act of 2012 can be accessed here.

The letter is a not-so-subtle attempt to elicit political support from business for S. 3414 and overcome opposition from the US Chamber of Commerce and other groups that, among other things, fear the bill will ultimately lead to mandatory government-imposed standards.  Rockefeller and the Chamber have been going back-and-forth about the bill for the last few months, and the Obama Administration is now reportedly considering issuing an Executive Order while still urging the adoption of legislation.

It’s important to note that while the Cybersecurity Act addresses protection of the nation’s “critical infrastructure” from cyber-attack, Chairman Rockefeller is genuinely concerned that US companies don’t fully grasp their cybersecurity vulnerabilities and responsibilities, including data privacy and security issues related to customers’ personal information more generally. So the letter is broader in its use of the term “cybersecurity” than some recipients may initially realize.  In any case, the committee apparently plans no hearings at this time and is simply interested in learning where companies stand on these issues.

How companies choose to respond to the letter depends on a variety of factors, including recent SEC guidance on cybersecurity risk disclosures and, potentially, compliance considerations with other privacy and data security laws. Of course, the responses will no doubt be made public, potentially thrusting companies into the midst of a divisive political debate. Thus, the letter and data privacy and security policy issues call for cross-disciplinary consideration.

With Congress set to adjourn this week until after the November elections, further action – in the Senate at least – will have to wait.

Senate Takes Up Cybersecurity Bill: Can National Security Trump Politics This Close to the Election? Part 3 - The End?

This morning, the Senate failed to conclude debate on the cybersecurity bill by a vote of 52 to 46 (60 votes required), likely sounding the death knell for the legislation this year. Five Republicans voted in favor of moving ahead, while five Democrats voted against, but the vote otherwise followed party lines. In other words, proponents failed to overcome a filibuster.

Technically and procedurally, it’s still possible to reconsider and pass a bill by year-end; in fact, the US Chamber of Commerce reportedly expects a deal on an information-sharing measure to be reached in September.  Politically and temporally, it’s hard to see that happening: The White House blamed “special interests seeking to avoid accountability” for torpedoing the bill. Tensions on Capitol Hill aren’t likely to fade as the elections draw closer. Time-wise, there just isn’t much left:  Congress is scheduled to recess for five weeks beginning tomorrow, leaving only a month of session (give or take) when it returns in September before it leaves town again to campaign for the elections. While a three or four week lame duck session is a virtual certainty, it is already overflowing with pressing tax and budget issues. For cybersecurity legislation in the 112th Congress, the bell appears to be tolling.

We will continue to update you on significant developments regarding this legislation as they occur.

Senate Takes Up Cybersecurity Bill: Can National Security Trump Politics This Close to the Election? Part 2

Yesterday we asked: Can National Security Trump Politics This Close to the Election? The answer is looking more and more like “no”. Having failed to reach agreement with his Republican counterpart on limiting debate and consideration of amendments (of which there are now 167) to the bill, last night Majority Leader Harry Reid (D-NV) filed a motion to force an end to debate and ultimately put the bill to a vote. Reid and the bill’s supporters do not want votes on unrelated amendments such as repealing the Affordable Care Act. In the closely divided Senate (53-47), “cloture” motions, which require 60 votes, generally fail in these circumstances. However, there has been significant bipartisan work on cybersecurity by various Senators over the last several weeks and the cloture vote won’t occur until Thursday…so there is still some hope, albeit dimming, for a compromise. It’s also worth noting that before filing the cloture motion, Reid offered two amendments: #2731 by Sens. Lieberman and Collins to strike language allowing federal agencies to adopt industry-backed standards as mandatory; and #2732 by Sen. Franken to negate sections 701 and 706(a)(1) of the bill that suspend certain laws to allow companies to broadly monitor and defend their IT networks.

We will continue to update you on significant developments regarding this legislation as they occur.

Senate Takes Up Cybersecurity Bill: Can National Security Trump Politics This Close to the Election?

That is the $64,000 question. This being Washington, DC, it’s more likely a multi-million dollar question, and the answer is unclear. The Senate voted 84-11 last Thursday to end debate on a procedural motion that allows a revised bill, S. 3414, sponsored by Homeland Security and Government Affairs Committee Chairman Joe Lieberman (D-CT) to be brought up for consideration. However, agreeing to debate a bill doesn’t mean agreeing to a vote on it, much less support for it. As of Tuesday afternoon Senators were still negotiating how to move forward on the 90 amendments the bill has already attracted. There is little time left to consider more than a few before the Senate is scheduled to recess this Friday for a month-long summer break.

As this blog has described since the beginning of the year, there is widespread support among Democrats, Republicans, and the White House on the need for cybersecurity legislation. But there is fierce disagreement over what it should look like. A principal issue all along has been whether the bill should impose certain security standards on the private sector, with which most of the nation’s critical infrastructure resides, or set up a voluntary program. The government’s authority over information collected in the name of cybersecurity has also raised concerns among privacy advocates.

The 200-page revised bill (summary and outline) has shifted away from a regulatory approach toward providing incentives for businesses to adopt best practices. It also contains restrictions on which government agencies can receive cybersecurity information and on how that information can be used, and provides legal recourse for individuals if the law is violated. These and other changes have garnered the support of numerous businesses and the ACLU, as well as the Obama Administration. However, divisions in the business community remain, as demonstrated by continuing opposition by the US Chamber of Commerce, which fears the bill could ultimately lead to regulation.

Further complicating the picture are the host of amendments – some related, some not – to the bill: Sen. Pat Toomey (R-PA) has filed his Data Security and Breach Notification Act as an amendment and Oversight of Government Management Subcommittee Chairman Daniel Akaka (D-HI) said at today’s hearing on the “State of Federal Privacy and Data Security Law: Lagging Behind the Times?” that he will do the same with his Privacy Act Modernization for the Information Age Act. The Chamber and several other industry trade associations oppose the addition of such data privacy and breach notification measures to the bill, preferring that they be vetted in committees and taken up independently. Read Joint Association Letter to the U.S. Senate Regarding Amendments to S. 3414. The bill could also become a focal point for gun control amendments in light of the recent tragedy in Colorado and for any number of pet issues various Senators have been trying to move for the last 19 months. To wax metaphorical, when the last train appears to be leaving the station, all sorts of folks try to hitch a ride.

It’s hard to tell how this will end up. With the elections only three months away, at least one-third of the Senate is very sensitive to lobbying by key constituencies, and Members may decide that the Hippocratic oath / political rule of thumb “first, do no harm” means don’t pass an obscure bill the public isn’t clamoring for. But outside-the-beltway events such as the massive power outages across India (which so far don’t appear to involve cyber breaches) may yet spur action, as no candidate wants to be caught flat-footed were a cybersecurity incident to occur before November 6. For now, the Senate Chamber is spending most of the day in a quorum call while leaders work to resolve issues off the floor, so check back here for updates as things progress.

Video Interview: Discussing Lessons in the Viacom/YouTube Suit on LXBN TV

A little while back I wrote on the lessons companies can learn from Viacom's massive suit against YouTube for copyright infringement. Just last week I had the opportunity to go back on LXBN TV with Colin O'Keefe to discuss the content of that post. In the short interview, found below, I explain the background of the case, lessons companies can learn and who those companies might be. 

Lessons Learned from the Second Circuit's Reinstatement of Copyright Suit Against YouTube

The Social Media revolution is built on two legal foundations – the Digital Millennium Copyright Act (“DMCA”) which generally protects websites that host user generated content from copyright claims, and the Communications Decency Act, which generally protects such websites from claims based on the publication of defamatory or other illegal content. The Second Circuit sent shockwaves through one of those foundations – the DMCA – by issuing a decision yesterday that reinstated copyright claims made against YouTube based upon videos posted on the YouTube site by users. While the direct implications of this suit for YouTube may be minimal -- YouTube has stated that the suit on remand only involves a handful of videos that were eliminated many years ago -- the decision should be taken as a warning by any website hosting user generated content.

In March 2007 Viacom International Inc. (“Viacom”) filed suit against YouTube, Inc. alleging copyright infringement of the content of the company’s television programs and movies which were displayed on YouTube’s popular website. Many other copyright owners joined the suit. Following a long line of decisions that have insulated website operators from copyright suits based on content posted on the site by users, District Judge Stanton dismissed the complaint, citing the protections offered by the DMCA. Yesterday, April 5, 2012 the Second Circuit upheld most of Judge Stanton’s decision but remanded specific issues for trial.

The Second Circuit’s decision reduces the level of protection service providers recently enjoyed under the DMCA against copyright claims. In the earlier decision in this matter, the district court was presented with evidence that surveys by YouTube employees showed that many of the videos on the site might be the result of potential copyright infringement. The court, however, found that such knowledge constituted only generalized knowledge of possible infringement and not the specific type that falls outside the protection of the DMCA. However, Judge Stanton did not consider the willful blindness doctrine, which would assess whether YouTube made a “deliberate effort to avoid guilty knowledge” of specific infringing activity on its website.

In reversing part of the district court’s decision, the Second Circuit ruled that a trier of fact may apply this doctrine “to demonstrate knowledge or awareness of specific instances of infringement under the DMCA” in order to determine whether YouTube should receive protection under the act.

The good news for a host of user generated content is that the Second Circuit affirmed that the DMCA does provide broad protection for hosts of user generated content. Specifically, the Second Circuit affirmed the following protections provided by the DMCA:

  • The website operator still must have knowledge or awareness of “specific and identifiable infringements.”
  • A host of user generated content has no duty to moderate the site or seek out specific infringing activity.
  • A host of user generated content is not subject to liability under vicarious infringement principles merely because it has the ability to block content.

The following activities by a host of user generated content were specifically found to be protected by the DMCA: “transcoding content” (converting it to another format); playing back content at users’ requests; and providing for the automated indexing of content.

But in reinstating part of the case for trial, and by directing the district court to make factual findings on specific issues, the Second Circuit identified conduct that could place any host of user generated content at risk of losing the safe harbor protection of the DMCA:

  • Communications by employees which suggest awareness that specific content posted by users is infringing.
  • Activities which a jury might view as attempts to avoid knowledge that content posted by users is infringing.
  • Syndicating or licensing user generated content to third parties.

While the DMCA remains alive and well after the Second Circuit’s Viacom decision, hosts of user generated content should not assume that they are insulated from liability just because they are complying with the formal procedures established by the DMCA for the removal of infringing user generated content from websites. The host of any user generated content should review its practices and procedures in light of the “issue of fact” identified by the Second Circuit’s Viacom decision, to ensure that it is minimizing the risk of copyright liability for the acts of others.

Authorship credit: Gerald Ferguson & Peter Brown

FTC Issues Final Report with Guidance on Companies' Online Privacy Practices

Fifteen months after releasing its preliminary report, the Federal Trade Commission released its final Report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Business and Policymakers.”  The much anticipated final report went further than the preliminary report by now calling for Congress to enact general privacy, data security and breach notification, and data broker legislation in addition to advocating that companies self-regulate by adopting the best practices set forth in the FTC’s privacy framework.  The mix of baseline privacy legislation and industry self-regulation tracks the Obama administration’s white paper recommendations for a “privacy bill of rights” and industry codes of conduct enforced by the FTC.

The three prongs of the FTC’s recommended “best practices” to protect consumers’ private information are:

1) Privacy by Design—building in privacy at every stage of product development;

2) Simplified Choice—simplifying consumers’ and businesses’ ability to make choices about their information, such as through a “Do Not Track” mechanism; and

3) Greater Transparency—improving transparency in and consumer access to data collection and use policies.

In response to over 450 public comments to its preliminary report, which are heavily cited throughout the final report, the FTC altered some of its previous recommendations.  First, the FTC recognized the burden faced by small businesses in meeting the FTC’s recommendations.  Thus, the final framework does not apply to companies that collect non-sensitive data from fewer than 5,000 customers per year.  Additionally, in response to concern that data can be “reasonably linked” to consumers, and computers or devices, the Commission clarified that data is not “reasonably linked” where a company takes reasonable measures to ensure data is de-identified, publicly commits to not trying to identify data, and contractually prohibits downstream recipients from trying to re-identify the data.

Secondly, while the FTC previously proposed a list of five “commonly accepted” information collection and use practices, many commentators were concerned these practices could stifle innovation.  In response, the new guidelines state companies do not need to provide choice before collecting and using consumer data for practices consistent with the transaction, the company’s relationship with the consumer, or as required by law.  Thirdly, the Commission now recommends that any legislation addressing the practices of information brokers include procedures for consumers to access and dispute personal data held by information brokers.

The final report summarized the enforcement actions brought by the FTC since it issued the preliminary report, highlighting enforcement priorities that involve website privacy policies and practices, online behavioral advertising, COPPA, FCRA, and data security.  The FTC also identified five key areas it plans to focus its policymaking efforts on in the next year to promote the implementation of its privacy framework:

  • Do Not Track—implementing an easy-to-use, persistent, and effective Do Not Track system;
  • Mobile—improving privacy protections through short, meaningful disclosures; 
  • Data Brokers—supporting targeted legislation that would require data brokers to create a centralized website that would identify brokers to consumers and detail access rights and choices consumers have;
  • Large Platform Providers—exploring issues related to comprehensive tracking of online activities by ISPs, operating systems, browsers, and social media; and
  • Promoting Enforceable Self-Regulatory Codes—working with the Department of Commerce and industry stakeholders to develop sector-specific codes of conduct, with the carrot that compliance with such codes will be viewed favorably by the FTC when it comes to enforcement.

The FTC cautioned that, to the extent the framework exceeds existing legal requirements, it is not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC.  However, expect to see the principles of the privacy framework continue to appear as requirements of consent orders the FTC enters into to resolve the enforcement actions it brings.  Indeed, the FTC did just that the day after releasing its final report when it announced that it had entered into a proposed settlement agreement with social game site operator RockYou (prior coverage here) to resolve the FTC’s claims that RockYou failed to protect the privacy of its users when hackers gained access to the user names and passwords of 32 million users and violated COPPA by collecting information from 179,000 children.   

Authorship Credit: Craig A. Hoffman & Jennifer D. Johnson

Republican Alternative Cybersecurity Bill Introduced In Senate

Today eight Republican Senators – all Ranking Members of various committees – introduced the SECURE IT Act, S. 2151, their alternative cybersecurity bill to the bipartisan Cybersecurity Act, S. 2105, introduced two weeks ago.  In remarks on the Senate floor this afternoon, Sen. Kay Bailey Hutchison, Ranking Member of the Senate Committee on Commerce, Science, and Transportation, described the bill as providing an antitrust exemption and liability protection to companies for information sharing, requiring certain federal contractors to share relevant cyber information with the government, developing procedures for sharing classified information, prioritizing cybersecurity R&D, and updating criminal law for cyber crimes.  She explained that a primary reason for offering alternate legislation was to avoid creating an unnecessary bureaucracy that would overlay agencies already in place to handle cybersecurity issues.  Hutchison has indicated she hopes to meet with Sen. Joe Lieberman and the other authors of S. 2105 to reach a compromise.  The press release is here!

White House Releases Consumer Online "Privacy Bill of Rights"

The Obama Administration today unveiled a report entitled Consumer Data Privacy in a Networked World:  A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.  A central component of the report, which is directed at improving online privacy protections, is a “Consumer Privacy Bill of Rights.” 

The Consumer Privacy Bill of Rights sets forth basic tenets for protection of consumer data and echoes generally accepted privacy principles, such as:

  • Individual control over the personal data that is collected;
  • Transparency with respect to privacy and security practices;
  • Using personal data in a way that is consistent with the context in which the data is collected;
  • Secure and responsible handling of personal data;
  • The right to access and correct personal data;
  • The right to reasonable limits on the collection and retention of personal data; and
  • Accountability for those who are handling personal data for adherence to these rights. 

In addition to the Consumer Privacy Bill of Rights, the Report contains three other key elements:  a stakeholder-driven process to specify how these rights apply in particular business contexts, enforcement by the Federal Trade Commission, and greater interoperability between U.S. privacy protections and those of other nations.  The Commerce Department expects to convene stakeholders over the coming weeks to establish specific practices to implement the principles set forth in the Consumer Privacy Bill of Rights, and the Administration intends to “work with Congress to write these flexible, general principles into law.”

Also today, in conjunction with the release of the Report, companies representing the delivery of nearly 90 percent of online behavioral advertising announced that they are committing to act on Do Not Track technology in most major web browsers in order to make it easier for users to control online tracking and to be subject to FTC enforcement if they fail to honor their commitment.

For additional information on the report, see this press release from the White House Press Office.

The Cybersecurity Act of 2012--What Does It Mean?

Yesterday, Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman (ID-Conn.), Ranking Member Susan Collins (R-Maine), Commerce Committee Chairman Jay Rockefeller (D-W.Va.), and Select Intelligence Committee Chairman Dianne Feinstein (D-Calif.) introduced The Cybersecurity Act of 2012.  The press release can be found here.

We are seeing an increasing number of attacks targeting government secrets, trade secrets, and other intellectual property rather than the traditional personal information used to fraudulently open credit card accounts.  Law firms, for example, are a prime target for an attacker seeking the intellectual property of the firm’s clients in an effort to compete against them or to enter into business deals with leverage the criminals would not otherwise possess.  And these attackers oftentimes have plans in place to effectively shut down the victim of the attack if they are discovered.  The issues this proposed legislation is trying to address are real.

This is not a federal data breach statute, but rather an attempt to prepare our defense against cyber attacks that could cripple our ability to function.  The Act uses the term “critical infrastructure,” which relates to services like utilities, telecommunications, transportation, public health services, agriculture, banking, and security services.  The proposed legislation speaks more in general terms of the private sector “providing input” and of gaining the participation of private entities in public-private partnerships.  What will be key is how the baseline for compliance is defined.  If the government is too aggressive initially, there will be a lack of buy-in from private companies.  The government is going to need to work to gain the cooperation it is probably looking for from the private sector, and one of the ways to do that is to provide real incentives to those companies.  What is being proposed offers certain immunity from punitive damages in lawsuits; however, perhaps it could go further in that regard and provide even more incentives and broader immunity from civil liability.

There will be concern about the extent to which a private company, or the government, will be able to monitor cybersecurity threats.  However, there are many limitations in place under the current laws regarding a company’s ability to monitor its own information systems.  Indeed, that is one of the challenges we face when responding to a data security incident which implicates employee personal information and personal email accounts—even when that information is on a network or computer owned by a company.  Section 701 in the proposed legislation, however, is clear about requiring authorization from any third party a private entity may be monitoring.  And any of this monitoring must be in the name of detecting “cybersecurity threats.”  “Cyber risk” is defined in Section 101, and if a “cybersecurity threat” is a “cyber risk,” it means “any risk to information infrastructure . . . that, if exploited or not mitigated, could pose a significant risk of disruption to the operation of information infrastructure essential to the reliable operation of covered critical infrastructure.”  Although the authority to monitor may seem broad, there must still be a significant risk of disruption posed to an essential component of the operations of systems we depend on to function—power, water, and transportation.  That could still place a burden on the company doing the monitoring to ensure that our privacy laws are not abrogated by this proposed legislation.

The Act as proposed does include an exemption to the Freedom of Information Act (FOIA) rules and I think you need that.  Otherwise, no company is going to share the type of information being sought by the government to defend against these types of cybersecurity threats.  The question remains how a private citizen is going to find out that the information being monitored went beyond an attempt to detect a cybersecurity threat—however, that challenge exists today under current laws because a company’s monitoring activities often go undetected.

Another concern that will likely be raised is that the government will be able to require compliance by a company by designating that entity as covered critical infrastructure.  However, there are significant protections under the proposed legislation to limit the government’s ability to make such a designation.  The unanswered question is how large the civil penalties for non-compliance are going to be once an entity is designated, and how tough the government will be when it comes to defining the level of security that needs to be in place to address a vulnerability.  The government will still need to balance the cost to the covered entity to implement those security measures with the cost being passed along to consumers.  In fact – with much of the country’s critical infrastructure privately owned – the government depends on the privately owned infrastructure to support its day-to-day operations.  This would not be different during a cyber threat.  The intent here seems to be, and should be, fine-tuning federal government and private entity coordination in preventing and responding to threats.

The proposed law should not present significant changes to companies that own infrastructure assets.  By way of a presidential directive, policies and procedures have been in place since 1998--and updated in 2003--for preparedness and response to serious incidents that may affect the critical infrastructure here in the US.  In fact, the federal government already requires companies with infrastructure assets to assess their vulnerabilities, plan to eliminate those vulnerabilities, develop systems to identify and prevent attacks, and contain any attacks, working with the Federal Emergency Management Agency (FEMA) to rebuild infrastructure capabilities.

Seven Senate Republican Ranking Members signed a letter expressing process and substance concerns and demanding hearings in their respective committees.

Bipartisan Senate Cybersecurity Bill Introduced Amid Partisan Opposition

The Cybersecurity Act of 2012, S. 2105, was introduced yesterday by Senators Joe Lieberman (I-CT), Susan Collins (R-ME), Dianne Feinstein (D-CA), and John Rockefeller (D-WV).

Here are links to the:

It immediately drew opposition from seven Republican Ranking Members, who cited both procedural and substantive concerns in a letter to Senate leaders and requested hearings on the bill in their respective committees. Read the letter here. Business and civil liberties stakeholders are still reviewing the bill, but several of their views will be aired at the first hearing on it tomorrow afternoon. Sen. Rockefeller and Homeland Security Secretary Napolitano will testify followed by four private sector witnesses. View the hearing webcast.

Senate Cyber Security Bill Due Out This Week; Floor Action Not Likely Until March

Odds are good that legislation to address online threats to the nation’s critical infrastructure assets will finally be released this week, but real action on it won’t take place until March: The Homeland Security and Government Affairs Committee, chaired by Joe Lieberman (I-CT), has scheduled a hearing on the ‘Cybersecurity Act of 2012’ for Thursday afternoon, February 16.

Next week Congress begins a week-long President’s Day recess, meaning a committee markup (if one occurs) and the initiation of floor consideration wouldn’t take place until at least February 28.  Debate over the bill could be lengthy and contentious, though not particularly partisan, due to the privacy, national security and internet regulation implications of the bill itself and of likely amendments, which include data breach and notification measures.  The US Chamber of Commerce raised several outstanding concerns, both procedural and substantive, about the legislation in a recent letter to Majority Leader Harry Reid.  Late last week, Reid responded that there had been more than 20 hearings to date, saying the bill would come to the Senate floor “in the next few weeks” and would undergo a “fair and reasonable” amendment process.

Senate Judiciary Chairman Wants to Move Data Privacy Legislation

Earlier this week, U.S. Senate Judiciary Committee Chairman Patrick Leahy (D-VT) expressed support for Senate action on "comprehensive data privacy legislation that will better protect Americans' sensitive personal data and reduce the risk of data security breaches." Leahy's Personal Data Privacy and Security Act, S. 1151, was approved by the Committee last September, but with so many stakeholders involved in these issues and several committees with jurisdiction, the way forward is not yet clear. Leahy also wants the Committee to continue work on updating the Electronic Communications Privacy Act to keep pace with rapidly changing digital communications technology. Leahy's full remarks appear here.

Outlook Improving, but Still Uncertain for Data Security Legislation in 2012

With the return of the Congress to Washington this week and high-profile data breaches continuing to be announced, it's worth taking stock of what 2012 holds for data security and online privacy legislation. As we described on December 28, several bills were introduced in the House and Senate last year on data security and breach notification. This week, staff of House Energy and Commerce Subcommittee Chairman Mary Bono Mack (R-CA) said in an interview that passage of data breach legislation is the Chairman's top priority this year and that prospects for getting her SAFE Data Act, H.R. 2577, through the House are very good. The bill stalled last year after being marked up in the Subcommittee due to concerns on both sides of the aisle that it was either too weak or too strong. Some of these concerns have been addressed, staff indicated, while additional outreach to Committee members continues. While full Committee action has not been scheduled, staff has yet-to-be-released compromise language at the ready and is optimistic the bill will move early this year.

Keep checking back here for further developments; the Senate returns to Washington next week.

Online Privacy and Data Security Legislation Update -- 2011 Year in Review

The end of 2010 featured the Department of Commerce citing the need for a Privacy Bill of Rights in its green paper and the FTC’s preliminary online privacy report discussing the need for a Do Not Track mechanism.  The momentum generated by these reports led to the introduction of multiple versions of Do Not Track and comprehensive privacy rights bills in early 2011.  By mid-2011, at least five different data security and breach notification proposals were circulating in the wake of high profile data breaches.  Reports about location based tracking led to the introduction of geolocation privacy and surveillance bills.  Proposed amendments to the Children’s Online Privacy Protection Act, Electronic Communications Privacy Act, and Video Privacy Protection Act were also made.  And by the end of 2011, several cybersecurity bills designed to protect critical infrastructure had been introduced.  Although Congress held hearings on privacy issues, subcommittees approved several bills, and the Obama administration supported comprehensive privacy legislation, none of these bills was enacted when the first session of the 112th Congress adjourned December 18, as many had expected.

The safe prediction for 2012 is more of the same—a lot of proposals but no consensus.  It is certainly possible that another high profile data breach or cyberattack against a utility or government contractor could create enough urgency to force a consensus.  However, numerous high profile breaches (Epsilon, Sony, Citi, RSA, Lockheed Martin and several health care providers), hacktivist attacks against government security contractors (IRC Federal and HBGary), and reports about how the “weaponized” Stuxnet virus caused centrifuges in an Iranian nuclear facility to spin wildly out of control were not enough in 2011.  We certainly expect to see data breach notification, comprehensive privacy, and cybersecurity bills addressed again in 2012.  We may also see narrower bills aimed at online and location based tracking as well as children’s privacy.  Emerging technology, including mobile payments and facial recognition, may also garner legislative attention.

Below is a roundup of the 2011 privacy and data security legislative proposals, including links to more detailed analysis from our blog posts during the year.

Do Not Track

Representative Speier introduced the “Do Not Track Me Online Act of 2011” and Senator Rockefeller offered the “Do-Not-Track Online Act of 2011,” both of which would require the FTC to establish regulations creating an online tracking opt-out mechanism. 

Comprehensive Privacy

We covered Senators Kerry and McCain introducing the Commercial Privacy Bill of Rights bill, the stated purpose of which is to “establish rights to protect every American when it comes to the collection, use, and dissemination of their personally identifiable information (PII).”  The three privacy rights identified by the bill are the right to: (1) security and accountability; (2) notice, choice, consent, access and correction of information; and (3) data minimization, distribution constraints, and data integrity. 

Data Security & Breach Notification

In May 2011 alone, three legislative proposals creating a national data breach notification standard were introduced.  Numerous competing Congressional committees held hearings.  Following the highly-publicized breaches at Epsilon and Sony, representatives from both companies testified before the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade regarding the need for a national breach notification standard that preempts state laws.  This subcommittee ultimately approved the SAFE Data Act, and, similarly, the Senate Judiciary Committee approved bills containing breach notification measures. 

Cybersecurity

Despite a strong bipartisan consensus that the United States needs a federal cybersecurity law, partisan politics prevented any significant progress on the many versions of cybersecurity legislation pending before Congress.  The most recent proposal—the PRECISE Act—was introduced on December 15.  Moving into next year, given the bipartisan consensus regarding the need for a federal cybersecurity law and some of the similarities between the White House’s legislative proposal and the pending bills, there is a possibility for cybersecurity legislation to be enacted in 2012.  Senate Majority Leader Harry Reid (D-Nev.) has announced his intention to break the gridlock by bringing comprehensive cybersecurity legislation to the floor when Congress returns in January 2012. 

Children’s Privacy

In May 2011, Rep. Markey (D-Mass.) and Rep. Barton (R-Texas) introduced the “Do Not Track Kids Act of 2011,” which would expand the protections offered by the Children’s Online Privacy Protection Act of 1998 (COPPA), including covering online and mobile applications as well as establishing new privacy rules for minors under 18 (COPPA only prohibits collection of personal information from children under 12 without parental consent).

The FTC released proposed amendments to COPPA on September 15, 2011, which include several significant changes such as expanding the applicability of the rule beyond websites to mobile apps and networked games, expanding the definition of personal information, and removing the “email plus” parental consent verification mechanism.  Based on the complexity of the questions raised by early comments, the FTC extended the deadline to submit comments on the proposed amendments until December 23.   

Emerging Technology

Our mid-year roundup on mobile apps and geolocation data covered the Senate “Locationgate” hearings, Senator Leahy’s proposed amendments to the Electronic Communications Privacy Act, and mobile app privacy concerns.  We also covered the December 8 FTC workshop that explored the privacy and security implications of facial recognition technology.

PRECISE Act Introduced in House to Boost Critical Infrastructure Cybersecurity

There has been no shortage of cybersecurity bills introduced in Congress in 2011.  The Obama Administration even issued a cybersecurity legislative proposal in May 2011 that would require the Department of Homeland Security (DHS) “to work with industry to identify the core critical-infrastructure operators and to prioritize the most important cyber threats and vulnerabilities for those operators.”  As we reported here, Senator Harry Reid (D-Nev.) announced his intention to bring comprehensive cybersecurity legislation to the floor when Congress returns in January of 2012.

The PRECISE Act is the newest addition.  Two members of the House Homeland Security Committee—Rep. Dan Lungren (R-CA) and Rep. Peter King (R-NY)—introduced the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2011 on December 15.  A section-by-section summary can be found here.  The PRECISE Act would amend the Homeland Security Act of 2002 by tasking DHS with creating market-based incentives to entice “critical infrastructure” operators to adopt voluntary cybersecurity standards.  The term “critical infrastructure” is broadly defined to include any infrastructure that, if destroyed or disabled, would result in a significant number of deaths, mass evacuations, major disruption of the economy, or significant disruption to national security.  The industries that fall under this category would include utilities, financial services, and telecommunications.  The PRECISE Act would also authorize the creation of a National Information Sharing Organization to serve as a central source for sharing cyber threat data (classified as Sensitive Security Information) with government agencies and the operators of critical infrastructure.

There have been news reports regarding the “undeclared global cyber war” and corporate espionage attacks, including a recent attack against the U.S. Chamber of Commerce.  However, aside from an erroneous report of a Russian attack on an Illinois water pump, there have been no publicly reported accounts of cyberattacks crippling U.S. infrastructure.  Based on reports about the impact the Stuxnet worm had on Iranian SCADA systems (supervisory control and data acquisition systems, used in large manufacturing and utility plants), however, the risk certainly exists.  Moving into next year, there appears to be bipartisan consensus regarding the need for a federal cybersecurity law, and some of the similarities between the White House’s legislative proposal and the pending bills create the possibility for cybersecurity legislation to be enacted in 2012.

Will Industry Self-Regulation Emerge for Facial Recognition?

The FTC held its first ever workshop to explore the privacy and security implications of facial recognition technology on December 8.  Facial detection (identifying certain traits from a person’s face, such as age and gender) and facial recognition (identifying a specific person) are no longer futuristic technologies found only in movies like Minority Report.  Current uses include targeted advertising on billboards, tagging friends on social media sites, mobile applications that report on the age and gender of a bar crowd, and assisting law enforcement in catching criminals.

Panelists at the workshop included government officials, consumer privacy advocates, academics, and facial recognition industry representatives.  You can read transcripts of the four sessions here and the remarks of FTC Commissioner Julie Brill here.  The panelists emphatically discussed the absence of applicable regulations and how to appropriately address the emerging uses of facial recognition technology.  The questions involved whether a faceprint should be treated as “personally identifiable information,” whether opt-in consent should be required for the use of facial recognition but only opt-out consent for facial detection, and how to address uses that may also trigger concerns under COPPA or HIPAA.  In the course of that discussion, a clear consensus emerged that a higher order of scrutiny should apply to the use of facial recognition technology than to facial detection technology.

As with other emerging technologies, there was a debate as to whether the use of this technology should be addressed through new comprehensive privacy legislation or whether industry self-regulation would be sufficient.  On the self-regulatory side, the digital signage industry has issued the “Digital Signage Standards” and “Recommended Code of Conduct for Consumer Tracking Research.”  On the consumer privacy side, the Center for Democracy and Technology released a report in advance of the workshop that provided a summary of the technology, a description of existing commercial uses, and advocated for “a mix of government regulation, industry self-regulation, and privacy enhancing technologies.”    

The FTC indicated that facial recognition issues will be addressed in the final FTC staff report on its recommended privacy framework.  The final report, which is expected within weeks, follows the preliminary report issued by the FTC in December 2010.   

Facial Recognition: The End of Privacy or a Precursor for New Laws?

Do you feel compelled to wear a Richard Nixon mask or a baseball hat equipped with infrared signal emitters on the brim when you leave the house?  If so, you may be trying to prevent a passerby on the street from guessing your name, interests, Social Security number, or credit score using only a pair of face-scanning glasses and an iPhone.  This is not science fiction—law enforcement has been using facial recognition technology for years.  Through advances in facial recognition software and the convergence of the vast amount of personal information on social networks (especially photographs), smartphones, the power of cloud computing, and statistical re-identification, the use of this technology has the potential to become widespread.  The potential ubiquitous use of facial recognition technology raises critical concerns regarding privacy, security, and basic freedom.

Facial recognition technology traces its origin to government-funded research in the 1960s.  The technology works by using an algorithm to create a unique numerical code from distinguishable landmarks on faces, sometimes called nodal points.  The technology measures approximately 80 nodal points, such as the distance between eyes, nose width, eye socket depth, and jaw line length.  The unique code or “biometric template” created by facial recognition software from a photograph can be stored in a database and later compared to other photographs to create a match. 

There are several applications of facial recognition technology in law enforcement that most would agree are useful.  Police in Tampa, Florida, have made over 500 arrests after identifying suspects by taking photographs at a traffic stop and comparing the images to a mugshot database.  In 2010, the Massachusetts state police obtained over 100 arrest warrants for the creation of false identities and revoked 1,860 licenses by running facial recognition software against the state’s driver’s license registry.  In Britain, Scotland Yard is using facial recognition software to identify suspects from the recent riots in London.

Facial recognition can also provide modern convenience.  Since 2002, Australians have been able to use self-processing e-passports at airport customs checkpoints.  Advertisers have generated more relevant billboard advertisements based on the age and gender of passers-by.  Even Facebook uses facial recognition to suggest the identity of friends to tag in a photo, and programs like iPhoto and Picasa allow users to organize photographs by faces.

The technology is not foolproof, and there are other applications that are outright alarming.  The ability to successfully identify a person by matching two photographs is dependent on the quality of the images.  If the person in the photograph is not directly facing the camera with open eyes and in front of a plain, light-colored background, the performance of the facial recognition software declines.  Thus, while you can obtain a high-quality picture from a driver’s license database, pictures taken without the cooperation of the subject (e.g. through surveillance cameras) rarely meet the ideal standard.  Although the technology has improved over the last ten years, there is an inherent error rate because it is reliant on statistics.  Accordingly, matches that should be made are missed, or false identifications occur.

A driver in Boston recently had his license revoked because his picture closely matched the picture of another driver.  Although his license was returned, it took days of wrangling for him to prove his identity.  At least 34 other states are using similar technology.  There are no current reported statistics on the number of false positives, but Massachusetts alone issues 1,500 suspension letters per day using the system. 
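To make the statistical nature of the matching described above concrete, here is an added example; it is not from the article and is not any agency's or vendor's software.  It reduces a face to three constructed "nodal point" measurements, stores them as templates in a gallery (the equivalent of a license-photo database), and compares a probe template against the gallery using a distance threshold.  The identities, measurements, thresholds and the names GALLERY, PROBES, distance, match and evaluate are all invented for the illustration.  What it shows is the trade-off the article points to: tightening the threshold removes false identifications but causes more missed matches, and loosening it does the reverse, so a system that processes thousands of records a day will produce some of both.

```python
"""Toy biometric-template matcher (constructed example, not a real system).

A template is a tuple of landmark measurements; here three, in made-up
millimetre units (inter-eye distance, nose width, jaw-line length).  Real
systems use on the order of 80 such measurements, but the matching logic is
the same: the nearest stored template wins if it is close enough.
"""
import math
from typing import Dict, List, Optional, Tuple

Template = Tuple[float, ...]

# Constructed gallery of enrolled identities.
GALLERY: Dict[str, Template] = {
    "alice": (62.0, 34.0, 120.0),
    "bob":   (66.0, 38.0, 128.0),
    "carol": (60.0, 31.0, 115.0),
}

# Constructed probe photographs: (true identity, or None for an unenrolled
# stranger; measured template).  Carol's probe is deliberately skewed to
# mimic an off-angle shot, so it lands nearer to Alice than to Carol.
PROBES: List[Tuple[Optional[str], Template]] = [
    ("alice", (63.0, 34.5, 121.0)),
    ("bob",   (65.0, 37.0, 131.0)),
    ("carol", (61.0, 32.0, 119.0)),
    (None,    (61.0, 33.0, 121.0)),   # stranger who happens to resemble Alice
    (None,    (70.0, 40.0, 135.0)),   # stranger unlike anyone enrolled
]


def distance(a: Template, b: Template) -> float:
    """Euclidean distance between two templates of equal length."""
    if len(a) != len(b):
        raise ValueError("templates must have the same number of measurements")
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def match(probe: Template, gallery: Dict[str, Template],
          threshold: float) -> Optional[str]:
    """Return the enrolled identity nearest to the probe, or None when even
    the nearest template is farther away than the threshold."""
    best_id: Optional[str] = None
    best_d = math.inf
    for ident, tmpl in gallery.items():
        d = distance(probe, tmpl)
        if d < best_d:
            best_id, best_d = ident, d
    return best_id if best_d <= threshold else None


def evaluate(gallery: Dict[str, Template],
             probes: List[Tuple[Optional[str], Template]],
             threshold: float) -> Tuple[int, int]:
    """Count the two kinds of error at a given threshold.

    false_matches: the system named someone and it was the wrong person
                   (a stranger, or a different enrolled identity).
    missed:        an enrolled person was presented and nobody was named.
    """
    false_matches = 0
    missed = 0
    for truth, tmpl in probes:
        result = match(tmpl, gallery, threshold)
        if result is not None and result != truth:
            false_matches += 1
        elif truth is not None and result is None:
            missed += 1
    return false_matches, missed


if __name__ == "__main__":
    # Strict, middling and loose thresholds over the same five probes.
    for threshold in (1.6, 2.0, 3.5):
        fm, ms = evaluate(GALLERY, PROBES, threshold)
        print(f"threshold {threshold}: {fm} false match(es), {ms} missed match(es)")
```

At the strict threshold no stranger is named but two enrolled people go unrecognized; at the loose threshold everyone enrolled is recognized but the look-alike stranger and the off-angle shot of Carol are both attributed to Alice.  No single threshold makes both counts zero, which is the error rate the article describes.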

On August 4, 2011, researchers from Carnegie Mellon’s CyLab presented the results of three experiments from which they concluded that it is possible to use facial recognition software to identify strangers and then determine sensitive information about that person, including their Social Security number.

In one experiment, the researchers were able to identify members of Match.com, who used pseudonyms on the dating site to protect their identities, by comparing their profile photograph to photographs on Facebook. 

In the second experiment, they took photographs of college students and were able to match them to the students’ Facebook profiles one-third of the time (in less than three seconds).

In the third experiment, the researchers used a custom iPhone application to predict a stranger’s Social Security number (generally just the first five digits) by matching a photograph to a Facebook profile picture in conjunction with information about the stranger’s state and year of birth gathered online.  The lead researcher, Alessandro Acquisti, said: “A person’s face is the veritable link between their offline and online identities.”

In addition to the obvious privacy concerns, there are security and personal liberty concerns.  According to a report, one in 750 passengers scanned at an international airport in the United States is falsely identified, and some of the falsely identified individuals may have been temporarily detained by the FBI.  In locations where biometric data like facial recognition is used to gain entry to a secured area or through customs, the failure of those institutions to safeguard that data in a computer system can lead to unauthorized persons gaining access. 

Although it is not yet possible to consistently and accurately identify all of the faces in a crowd, the technological limitations are likely to continue to fade.  The billions of images tagged on social networking sites and associated data provide an easily accessible source of personal information to match with other offline data collected by data aggregators, which can be turned into detailed personal profiles and sold to companies for use in behavioral advertising targeted directly to you through your smartphone or cable box.   It may become possible to search for a person online using an image of their face just as easily as it is now to enter a name in a search engine.  On the law enforcement side, the FBI will begin testing its Next Generation Identification facial recognition system in January 2012 in four states.  The system, which will also use biometric indicators (e.g. iris scans and voice recordings) to identify suspects, will match a photo of an unknown person against mug shots.   

Facial recognition technology has not gone unnoticed by lawmakers and regulators.  The FTC is hosting a workshop to explore beneficial uses of the technology and the associated privacy and security concerns on December 8, 2011.  And U.S. Senator John Rockefeller has asked the FTC to provide a report on the findings from its workshop to his Commerce Committee.    

This article, which was published in the December 2011 CBA Report, is republished with permission.

Will the Driver's Privacy Protection Act Fuel the Next Wave of Class Actions Against Retailers?

Within a month of a California Supreme Court decision in Pineda v. Williams-Sonoma Stores, Inc. (finding ZIP codes constitute personal identification information under California's Song-Beverly Act), over 100 putative class action law suits were filed against retailers operating in California. A November 22 lawsuit against Best Buy (Siegler v. Best Buy Co. of Minnesota, Inc.) alleging violations of the federal Driver's Privacy Protection Act (DPPA) may signal the next wave of class action lawsuits to face retailers related to the collection of consumer data at the point of sale.

The DPPA makes it unlawful for any person to knowingly obtain or disclose personal information from a motor vehicle record for any use not permitted under 18 U.S.C. § 2721(b). The DPPA contains 14 exceptions, including: (1) for use by a government agency; (2) for use in connection with matters of driver safety and theft; (3) for use in any civil, criminal, administrative or arbitral proceeding; (4) for use in research; (5) for use by an insurer or insurance support organization; (6) for use in operation of private toll transportation facilities; (7) for bulk distribution of surveys or marketing; and (8) for any requester if the requester has obtained written consent. Another exception permits use in the normal course of business by a legitimate business or its agents, employees or contractors, but only to verify the accuracy of personal information submitted by the individual to its agents. If such information as submitted is not correct, the agent is permitted to obtain the correct information, but only to prevent fraud. Under 18 U.S.C. § 2721(c), an "authorized recipient" of personal information (except for some exceptions) may resell or redisclose the information only for a use permitted under 18 U.S.C. § 2721(b).

The remedies available for violating the DPPA also make this an attractive law for class actions. Not only does the DPPA authorize a private right of action for knowing violations, but a court may also award the following damages for violations: (1) actual damages, but not less than liquidated damages in the amount of $2,500; (2) punitive damages upon proof of willful or reckless disregard of the law; (3) reasonable attorney's fees and other litigation costs reasonably incurred; and (4) such other preliminary and equitable relief as the court determines to be appropriate.

In the complaint filed against Best Buy on November 22, 2011, the plaintiff alleged that Best Buy's return policy, whereby cashiers swipe the customer's driver's license during a return, violates the DPPA by "taking, storing, using and/or sharing customer's personal or highly restricted personal information, without consent, when customers make a normal return of Best Buy merchandise." More specifically, the plaintiff alleges he purchased a computer mouse at Best Buy in Florida and presented the product for return in its original packaging and with a receipt. When he provided his driver's license at the request of the cashier, the cashier "swiped" the driver's license without notice or consent by the plaintiff. When the plaintiff asked that his personal information be deleted and the transaction reversed, the cashier and manager refused, and neither could explain what information was taken from the plaintiff's license.

The plaintiff alleges that Best Buy knowingly took, used, stored, retained and/or disclosed the plaintiff's personal information or restricted personal information not in the normal course of business. The class is defined as all persons within the U.S. who have had their personal information or highly restricted personal information taken, stored or shared by Best Buy, without consent, from November 21, 2007, to the present. Plaintiffs seek compensatory and punitive damages, attorney's fees and costs, statutory damages and equitable, injunctive and declaratory relief.

Best Buy's receipt states that it "tracks exchanges and returns ... and some of the information from your ID may be stored in a secure, encrypted database of customer activity that Best Buy and its affiliates use to track exchanges and returns." The plaintiff alleges that the receipt does not indicate what information is taken, explain where the information is stored, describe for how long it is stored, identify Best Buy's affiliates, explain how information is disclosed to Best Buy's affiliates, describe how often personal information or highly restricted personal information is disclosed to Best Buy's affiliates, or explain how personal information or highly restricted information is used.

Furthermore, a DPPA case decided in August 2011 may have expanded the scope of the DPPA. In Wiles et al. v. LocatePlus Holdings Corp., the court ruled contrary to other cases and found that Worldwide Information, Inc. (a wholly owned subsidiary of LocatePlus Holdings Corp.) was not an "authorized recipient" entitled to obtain records for resale to third parties under the DPPA. On September 15, 2011, the plaintiffs filed a motion for final judgment and an award of $40 million in monetary damages. In this case, Worldwide purchased and resold state motor vehicle and driver's license records and, as part of this, received DMV records from the state of Missouri from 1999 to 2009. The data files included drivers' names, addresses, height, weight, eye color, organ donor information, driver's license numbers and some social security numbers. When Worldwide's customers requested data, they received the entire database for all Missouri drivers, including social security numbers, even if only one individual's record was needed.

Senator Reid Seeks to Break Cybersecurity Legislation Gridlock

Despite a strong bipartisan consensus that the United States needs a federal cybersecurity law, partisan bickering has prevented any significant progress on the many versions of cybersecurity legislation pending before Congress. Senate Majority Leader Harry Reid (D-Nev.) is seeking to break the gridlock by bringing comprehensive cybersecurity legislation to the floor when Congress returns from its winter recess in January of 2012. In a letter to Minority Leader Mitch McConnell (R-Ky.), Senator Reid said the issue must be addressed quickly, even if it means moving ahead of Senate "working groups" that have been tasked with reconciling differences among committees that share jurisdiction over cybersecurity.

As Senator Reid points out in his letter, the Senate has been working on comprehensive cybersecurity legislation for the past two years, but the efforts have been complicated by the fact that many Senate committees claim jurisdiction over cybersecurity. For the past six months, working groups composed of staff from relevant committees have been set up to assist in negotiating consensus legislation that can be expedited to the floor. But nothing in Washington seems to happen on an expedited basis these days, and the working groups have not yet produced any consensus. Senator Reid is prepared to jumpstart the process by bringing proposed legislation to the floor in January, even if the working groups have not yet reached a consensus.

While perhaps every Senator agrees with Senator Reid's assertion that the United States needs a national cybersecurity law, it remains to be seen whether Congress can overcome the gridlock now paralyzing legislative processes, even on an issue engendering a national consensus.

We will continue to monitor and comment on significant legislative developments.

SAFE Data Act Approved by House Subcommittee

The House Subcommittee on Commerce, Manufacturing, and Trade, chaired by Rep. Mary Bono Mack (CA), approved the Secure and Fortify Electronic Data Act (H.R. 2577) (SAFE Data Act) following lengthy debate on July 20, 2011.  The SAFE Data Act contains information security requirements and breach notice obligations consistent with Rep. Bono Mack's statements following the subcommittee's hearing regarding the breaches at Sony and Epsilon.  The bill now moves to the full committee for consideration. 

The information security requirements would come from regulations to be issued by the FTC within one year.  The regulations must require companies that own or possess data containing personal information to implement policies and procedures to protect personal information, including: (1) a security policy for collection, use, and dissemination of personal information; (2) identifying a person to be responsible for managing information security; (3) a process for identifying foreseeable vulnerabilities, including regular monitoring to detect system breaches; (4) a process for taking preventative action to mitigate any identified vulnerabilities; and (5) a process for disposing of data on paper and in electronic form.

The breach notification provisions of the Act require companies to notify law enforcement without unreasonable delay and notify the FTC and all affected individuals whose personal information “may have been accessed or acquired” within 48 hours of identifying the affected individuals.  The notification to affected individuals must begin no later than 45 days after discovery of the breach unless the company receives a written request to delay notification by law enforcement.

Notice to affected individuals is required when there is unauthorized access to or acquisition of personal information in electronic format.  Personal information is limited to a person’s name in combination with a: (1) Social Security number; (2) driver’s license number, passport number, or military ID; or (3) financial account number or credit or debit card number along with any required code necessary to permit access to the account.  There is also a risk-of-harm trigger: notice is not required if the company makes a reasonable determination that the breach presents “no reasonable risk of identity theft, fraud, or other unlawful conduct” to the affected individuals.  A presumption exists that there is no reasonable risk of harm if the data was encrypted.  Companies are also required to provide at no cost, upon the request of affected individuals, either credit reports on a quarterly basis for at least two years or credit monitoring for two years (this does not apply if the only personal information at issue is a name associated with a credit or debit card number).

Importantly, the SAFE Data Act preempts all state laws concerning information security requirements and breach notification obligations.

Democrats offered many amendments to the bill, including expanding the definition of personal information and not preempting stronger state notification laws, but they were rejected by the subcommittee.  Representative Henry Waxman (CA), who offered some of the rejected amendments, contends that the bill is filled with "loopholes that sacrifice data security and privacy." 

The SAFE Data Act does not contain any provisions concerning privacy rights or Do Not Track.  You can view a summary of the other pending breach notification bills here.

Sony & Epsilon Support National Data Breach Notice Law in Testimony Before House Subcommittee

On June 2, 2011, representatives from Sony Network Entertainment International and Epsilon Data Management, LLC appeared before a House panel to answer questions regarding their responses to recent security breaches.  The hearing of the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade was called by Subcommittee Chairwoman Mary Bono Mack (R-Calif.) as part of the subcommittee’s comprehensive review of data security for the purpose of assessing the need for comprehensive federal data security and breach notification laws.

Jeanette Fitzgerald, general counsel for Epsilon Data Management, LLC, and Tim Schaaff, president of Sony Network Entertainment International, appeared on behalf of their respective companies.  Their testimony to the subcommittee regarding their companies' breach investigation, response, and disclosure closely tracked the information each company had already provided in written responses to subcommittee inquiry letters.  Fitzgerald and Schaaff both agreed that there was a need for a national uniform standard for notifying individuals whose personal information is affected by a breach that preempted existing state laws.  Indeed, Fitzgerald’s prepared testimony states that: “Epsilon fully supports national legislation that would create a uniform standard for data breach notification. The current patchwork of individual state breach notification laws only serves to create confusion among consumers and businesses, and imposes unnecessary compliance costs.”  Similarly, Schaaff warned in his prepared testimony that any national data breach notice standard should follow a common sense approach that allows companies adequate opportunity to investigate breaches and take remedial measures before making them public.  He said that “issuing vague or speculative statements before you have specific and reliable information” could lead companies to “either confuse and panic people, without giving them useful facts, or … bombard them with so many announcements that they become background noise.”

At the end of the hearing Rep. Bono Mack committed to working with her colleagues to pass comprehensive data security legislation to ensure Americans are protected from cyber crimes.

While Epsilon has not made any public statements regarding the costs it has incurred or anticipates as a result of the breach of its systems, Sony estimates its costs at $171 million for data security remediation, customer services, and legal fees by the March 31, 2012 close of its 2011 fiscal year.  The subcommittee background memorandum, which includes links to communications with Sony and Epsilon, is available here.  Rep. Bono Mack's opening remarks are available here.  You can watch a recording of the hearing here.

Three National Data Breach Notification Legislative Proposals Issued

So far this month, three legislative proposals containing a national data breach notification requirement have been issued.  On May 4, Rep. Bobby L. Rush (D-Ill.) reintroduced the Data Accountability and Trust Act.  On May 11, Rep. Cliff Stearns (R-Fla.) introduced the Data Accountability and Trust Act (DATA) of 2011.  One day later, the White House released a Cybersecurity Legislative Proposal.

The three proposals are built on a framework similar to many of the state breach notification laws.  All three would preempt the breach notification laws in 46 states and the District of Columbia.  Some of the notable similarities and differences include:

(1) the White House's proposal and Rush’s bill more broadly define a security breach to cover unauthorized access to or acquisition of electronic data containing personal information, whereas the definition in Stearns’ bill is limited to “unauthorized acquisition”;

(2) the Rush and Stearns bills both define “personal information” as a person’s name, address, or phone number in combination with a Social Security number, driver’s license number, or financial account or credit card number along with any required security or access code, but the White House uses “sensitive personal information,” which is more broadly defined to include: (a) an individual’s name in combination with two of the following—address, telephone number, mother’s maiden name, or date of birth; (b) non-truncated Social Security number, driver’s license number; (c) unique biometric data (e.g. fingerprint); (d) a unique account identifier (e.g. credit card number); and (e) any combination of a name, account number, or security or access code;

(3) all three contain a risk of harm notice trigger exempting a company from providing notice if it determines that there is no reasonable risk of identity theft, fraud, or unlawful conduct;

(4) all three create a presumption that no reasonable risk of harm exists if the data was encrypted;

(5) the White House's proposal and Rush’s bill require notification to affected individuals not less than 60 days after the breach absent “extraordinary circumstances,” while Stearns’ bill requires notification “without unreasonable delay”;

(6) in addition to presumably requiring faster notification, Stearns’ bill does not permit a delay in notification if requested by law enforcement, unlike the White House proposal and Rush bill;

(7) all three describe the method and content of the required notice;

(8) all three: (a) authorize the FTC to enforce violations as unfair or deceptive acts or practices; (b) permit state attorneys general to enforce violations through civil actions to recover penalties; and (c) preclude a private right of action by individuals;

(9) the White House proposal limits civil fines to no more than $1,000 per day and a maximum amount of $1,000,000 compared to no more than $11,000 per day and a maximum of $5,000,000 under the bills issued by Rush and Stearns; and

(10) the bills issued by Rush and Stearns both include additional data security requirements for information brokers, including establishing practices to make sure the information they collect is accurate and precluding the use of pretexting to obtain personal information.

Prior attempts to pass national data breach legislation—dating back to 2007—have failed.  In 2009, Rush’s DATA bill was approved by the House but it was never acted on by the Senate.  Momentum towards enacting a national breach notification requirement, however, may be growing following recent high-profile data breaches and the privacy concerns related to smartphones and mobile applications.  In addition to the three pending proposals, Rep. Mary Bono Mack has indicated that she will introduce her own proposal.

Senator Rockefeller Introduces Do-Not-Track Legislation

Similar to the bill introduced by Rep. Jackie Speier in February 2011, Sen. John Rockefeller (D-WV) introduced the Do-Not-Track Online Act of 2011 on May 9, 2011.  Sen. Rockefeller announced that the bill would offer a “simple, straightforward way for people to stop companies from tracking their movements online.”

The FTC would be given one year to establish standards for implementing and enforcing a Do-Not-Track mechanism.  The standards would apply to online service providers, including providers of mobile applications and services.  If an individual expresses a Do-Not-Track preference, online service providers may only collect and use personal information from that person if: (1) it is necessary to provide a service requested by the individual and the information is anonymized or deleted after providing the service; or (2) the individual affirmatively consents after receiving “clear, conspicuous, and accurate notice on the collection and use of such information.” 

The Act directs the FTC to consider six factors when implementing the Do-Not-Track standards: (1) the appropriate scope of covered conduct and persons; (2) technical feasibility and cost associated with the mechanism; (3) existing mechanisms; (4) how to make the public aware of the mechanism; (5) whether and how information could be collected on an anonymous basis so that it is not subject to the rules; and (6) standards by which personal information can be collected and used to provide a service requested by the user even if the user expressed a Do-Not-Track preference.

The FTC would be authorized to enforce the Do-Not-Track rules by treating violations as unfair and deceptive acts or practices.  Moreover, state attorneys general may bring a civil enforcement action with penalties for non-compliance of up to $16,000 per day and a maximum total liability of $15,000,000—three times the cap on penalties proposed by Rep. Speier’s bill.  Lastly, no private right of action is created, non-profit organizations are not exempt, and the FTC would be required to conduct a biennial review to assess the effectiveness of the rules and their effect on online commerce.

Unlike Rep. Speier’s bill, Rockefeller’s bill does not address preemption of inconsistent state laws.  Preemption will be an interesting issue to follow in conjunction with the pending Do-Not-Track legislation in California.

Kerry & McCain Release Commercial Privacy Bill of Rights

Senators John Kerry and John McCain introduced the Commercial Privacy Bill of Rights at a press conference today.  The stated purpose of the bill is to “establish rights to protect every American when it comes to the collection, use, and dissemination of their personally identifiable information (PII).” 

According to a summary of the bill released by Senator Kerry, the three primary privacy rights are:

(1) The right to security and accountability—requiring collectors of information to implement security measures to protect the information they collect and maintain;

(2) The right to notice, consent, access, and correction of information—requiring clear notices of collection practices, the ability to opt-out of collection and transfer of data to third parties for behavioral advertising, consent to collect sensitive PII, and the ability for persons to correct their information and request the cessation of its use; and

(3) The right to data minimization, distribution constraints, and data integrity—requiring collectors to limit collection to only data that is necessary, binding third parties by contract to only use transferred data in accordance with the privacy rights, and to establish procedures that ensure that the information is accurate.

Senator Kerry’s summary also states that the bill would direct state attorneys general and the FTC to enforce the provisions.  A private right of action would be precluded.  Additionally, the FTC would be permitted to approve safe harbor programs allowing a participant to be exempt from some requirements of the bill.  Finally, the Department of Commerce would be directed to assist in developing the safe harbor program as well as engaging in a research component for privacy enhancement and improved information sharing. 

Speier Introduces "Do Not Track Me Online Act of 2011"

The FTC—in its December 2010 online privacy report and testimony before Congress—discussed the need for a browser-based “Do Not Track” mechanism to give consumers greater control over behavioral advertising.  Under the “Do Not Track Me Online Act of 2011” (H.R. 654)—introduced by Rep. Speier (D-CA) on February 11—the FTC will have 18 months to establish regulations for an online opt-out mechanism.  The opt-out mechanism must “allow a consumer to effectively and easily prohibit the collection or use of any covered information and to require a covered entity to respect the choice of such consumer to opt-out of such collection or use.” 

The new regulations will apply to any person engaged in interstate commerce that stores or collects any of the following online data regarding an individual: (1) online activity, including web sites visited and time of access; (2) IP address; and (3) personal information, including name, e-mail address, phone number, or financial account information.  Covered entities would have to disclose their collection and sharing practices, including identifying by name who they share information with.  The bill would allow the FTC to exempt commonly accepted commercial practices like the collection of information for billing purposes.

Failure to comply with the new regulations would constitute an unfair or deceptive trade practice.   In addition to the FTC, state attorneys general would have the authority to bring a civil action to enforce violations of the new Do Not Track regulations.  Civil penalties would be calculated by multiplying the number of days a covered entity was not in compliance by an amount up to $11,000 per day, up to a maximum total liability of $5,000,000.      

Speier also introduced the “Financial Information Privacy Act of 2011” on February 11.  According to her press release:

“The Financial Information Privacy Act of 2011 would finally give consumers the ability to control the sharing of their own financial information. The bill mirrors legislation Speier successfully steered to passage in California that prevents financial institutions from sharing or selling personally identifiable nonpublic information with affiliates without an opportunity to opt-out, or in the case of unaffiliated third parties, a requirement that consumers opt-in. This bill gives consumers control of their personal financial information and provides meaningful but workable privacy protection.”

Noteworthy Data Privacy and Information Security Events in 2010

The two events that drew the most attention in 2010, both of which occurred at year-end, were reports from the FTC and the Department of Commerce.  Below is a brief summary of those two reports and other issues drawing attention in the past year:

(1) FTC Issues Long-Awaited Consumer Privacy Policy Report

On December 1, the FTC published Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policy Makers.

The FTC’s press release provides a summary of the preliminary report.  The best practices framework recommended in the preliminary report for businesses that collect or use consumer data includes:

  • simplifying choices for consumers, providing consumers with greater transparency, and following the Fair Information Practice Principles;
  • creating a “Do Not Track” mechanism to give consumers a choice to avoid online tracking;
  • extending protection to information collected offline;
  • dispensing with the distinction between PII and non-PII because technology allows data fragments to be pieced together; and
  • a “Privacy by Design” concept for businesses.

The preliminary report did not change the FTC’s continued focus on self-regulation.  Finally, the preliminary report contained an appendix with 64 questions on which it invited comment by January 31, 2011.  A final report will be issued later in 2011 based on the comments. 

(2) Department of Commerce Calls for a “Privacy Bill of Rights”

On the heels of the FTC’s preliminary report, the Department of Commerce Internet Policy Task Force released a green paper titled: Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.  The press release contains a summary.

The Baker Hostetler Data Privacy Monitor covered this green paper here.  The four broad policy recommendations of the task force are:

  • Enhance consumer trust online through recognition of revitalized Fair Information Practice Principles.
  • Encourage the development of voluntary, enforceable privacy codes of conduct in specific industries through collaborative efforts of multi-stakeholder groups, the FTC, and a Privacy Policy Office within the Department of Commerce.
  • Encourage global interoperability.
  • Ensure nationally consistent security breach notification rules.

(3) Behavioral Advertising Opt-Out Icon

As reported by the Baker Hostetler Data Privacy Monitor, a behavioral advertising industry group proposed a Self-Regulatory Program for Online Behavioral Advertising, which features an “Advertising Option Icon” that can be placed near online ads that collect data used to conduct behavioral advertising.  Users who click on the icon will receive a disclosure statement about the data collection and use practices associated with the ad along with the ability to opt-out of being tracked.

(4) Social Media

  • Facebook faced several privacy issues, including an FTC complaint regarding its privacy policy, the online publication of details of 100 million Facebook users, and questions from U.S. Senators.
  • Google apologized for collecting about 600 gigabytes of data snippets captured from e-mails and browsing history from Wi-Fi networks in more than 30 countries.
  • In the first FTC action against a social network service, Twitter settled charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information.

(5) HHS/HIPAA/HITECH

  • White House Forms New Subcommittee to Review Online Privacy Issues
  • HHS Withdraws Draft Of Final HIPAA Breach Notification Rule

(6) Massachusetts Data Security Regulations

Massachusetts’ aggressive new data security regulations (201 CMR 17.00 et seq.), which became effective on March 1, 2010, contain broad and imposing mandates that go further than any other state law or regulation.  Even companies that have no facilities or personnel in Massachusetts must comply with the strict mandates if they maintain personal information of any Massachusetts resident in connection with providing goods or services. 

All businesses covered by the statute must institute a written information security program.  That program must, among other things:

  • Designate an employee to maintain the security program;
  • Identify and evaluate internal and external security risks;
  • Impose disciplinary measures for violations of the program rules;
  • Oversee third-party service providers;
  • Require regular monitoring and updating of the program; and
  • Document responsive actions taken in connection with any breach of security.

For many businesses, the most difficult compliance issues arise from the encryption mandates of 201 CMR 17.04, which require the encryption of: (1) laptops containing personal information that leave the business's premises; (2) personal information transmitted across the Internet or wirelessly; and (3) backup tapes on a prospective basis.

FTC Enforcement of the Red Flags Rule Likely to Begin January 1

Since 2008, the Federal Trade Commission (“FTC”) has announced multiple times that it would delay enforcement of the Red Flags Rule.  The last Enforcement Policy announced a delay through December 31, 2010, so that Congress could consider legislation regarding the scope of entities covered by the Rule.

The Rule applies to “financial institutions” and “creditors” that maintain “covered accounts,” and it requires covered entities to implement a written program designed to detect patterns and practices that indicate possible identity theft—“Red Flags.”  Because the Rule initially broadly defined “creditor” (an entity that regularly extends credit) and “covered account” (a consumer account that permits multiple transactions or a commercial account where there is a “reasonably foreseeable risk” of identity theft), a wide range of businesses were required to comply with the Rule (e.g. car dealers, health care providers, accountants, law firms, mortgage brokers, utility companies, and telecommunication companies). 

After lawsuits were filed by groups representing health care providers, attorneys, and accountants seeking to enjoin the FTC from applying the Rule to their members, the House and Senate introduced legislation to limit the scope of the Rule.  On December 18, President Obama signed the Red Flag Program Clarification Act of 2010, which limited the scope of the Rule by amending the definition of “creditor.” 

The amended definition of “creditor” specifically excludes creditors “that advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.”  The amended definition also includes a provision that will allow regulating authorities to promulgate a rule defining entities they regulate as a “creditor” upon making a “determination that such creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.”

Essentially, the amended definition of “creditor” exempts service providers like lawyers, doctors, and accountants from complying with the Rule.  According to Sen. Mark Begich, D-Alaska, who sponsored the legislation in the Senate with Sen. John Thune, R-S.D., the basis for excluding service providers from complying with the Rule is that service providers generally do not offer or maintain accounts that pose a reasonable risk of identity theft.

The legislative amendment to the definition of “creditor” likely clears the way for the FTC to begin enforcement of the Rule on January 1, 2011. 

Commerce Department Recommends New Online Privacy Framework

The Commerce Department on Thursday released a green paper, Commercial Data Privacy and Innovation in the Internet Economy: a Dynamic Policy Framework, recommending the consideration of a new framework to address online privacy issues in the U.S.  The goal of the 88-page report, created by the department’s Internet Policy Task Force, is to improve consumer online privacy protection while continuing to foster online business growth.

One of the key recommendations of the report calls for the creation of a set of “Fair Information Privacy Principles”, a sort of privacy Bill of Rights for the online consumer.  These principles would act as a baseline for online data privacy protection, and make usage of online consumer data much more transparent.  The goal would be to establish clearer online data usage limits and enhanced audit requirements, with policy violations enforceable by the Federal Trade Commission.

In addition, the report recommends the creation of a Privacy Policy Office in the Department of Commerce. The role of the new office would be to, among other tasks, work with the FTC, examine commercial uses of online data, and determine where gaps in privacy protection existed.

The report also recommends the enactment of a federal data security breach notification law. The report goes on to add, “A comprehensive national approach to commercial data breach would provide clarity to individuals regarding the protection of their information throughout the United States, streamlining industry compliance, and allow businesses to develop a strong nationwide data management strategy.”

The Commerce Department seeks public comment on the report by January 28, 2011, with a white paper on the subject planned for release in 2011.

Department of Defense Announces Rule Amendments Tightening Data Security Requirements for Contractors

Many of the topics on this blog are related to the security of personal and financial information, but information regarding our nation’s defense is just as sensitive, and the loss of that information could be exponentially more catastrophic. 

Federal agencies are authorized under and required by the Federal Information Security Management Act of 2002 (44 U.S.C. § 3541 et seq.) to put programs in place regarding the security of information used in their operations.  Minimum guidelines and standards for such programs are provided and amended from time to time by the National Institute of Standards and Technology (NIST), aided by the Computer Security Division of the Information Technology Laboratory. 

One element of many agencies’ programs is that federal contractors are contractually required to protect information given to them by the agency and generated by the contractor for the agency.  In March 2010, the Department of Defense (DoD) announced proposed amendments to its regulations that would implement a two-tiered data security regime for its contractors, as well as a reporting requirement for those contractors.

For unclassified agency information, contractors would be required to implement basic security measures, such as:

  • Protecting against computer intrusions
  • Requiring authorization for the release of information and “cleaning” of released electronic data
  • Providing at least one physical or electronic barrier to information
  • Transmitting electronic information with processes that provide the best security
  • Providing reasonable assurance that voice and fax transmissions are secure
  • Regularly updating and upgrading malware protection services and security software

For certain types of information that have not been cleared for public release (including personally identifiable information), enhanced security measures are required, such as encryption, network intrusion controls, and other security controls specified in NIST Publication 800-53.

If a DoD contractor experiences an intrusion into its information systems that affects DoD information, the contractor is required to notify DoD within 72 hours.  The contractor then must take steps to preserve images of its systems and assist in the forensic investigation of the intrusion.

Defense contractors will be required to include similar requirements in their subcontracts if the subcontractor will have access to or generate DoD information.  Contractors that fail to meet these requirements, if and when they are put in place, could lose their status as federal contractors.

Public comments on these proposed amendments were due in May 2010.  The rules have not yet been put in place.

White House Forms New Subcommittee to Review Online Privacy Issues

In a statement released October 24, the Obama Administration launched a new interagency “subcommittee” of the National Science and Technology Council to review privacy and Internet policy, which may include review of health care privacy issues.  The working group will focus primarily on individual privacy issues associated with the Internet and related online systems, to “develop principles and strategic directions with the goal of fostering consensus in legislative, regulatory, and international Internet policy realms.”  Consisting of representatives of eleven Federal agencies, including the Department of Health and Human Services, and eight Executive Organizations, the Subcommittee promises to work closely with private stakeholders to develop a set of core principles to, among other things, facilitate transparency, promote cooperation, empower individual decision-making, and build trust in online environments, while at the same time protecting the rule of law, promoting innovation and economic expansion, and balancing the interests of stakeholders.  The identities of the private stakeholders to be invited, the schedule of the group’s meetings, and the transparency of the subcommittee’s deliberations have yet to be determined or announced by the Obama Administration.

HHS Withdraws Draft Of Final HIPAA Breach Notification Rule

On July 28, 2010, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) announced that it withdrew the draft of the final rule for HIPAA breach notification that it had submitted in May to the Office of Management and Budget (OMB) for review.  The possible reasons for such withdrawal will be discussed below, but covered entities should note that the obligation to report breaches of unsecured protected health information (PHI), which took effect on September 23, 2009, following the publication of an Interim Final Rule promulgated under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), remains in effect.  All covered entities, and their business associates, should have in place and adhere to an effective Breach Notification Policy containing appropriate procedures to investigate, report and mitigate breaches of privacy or security of PHI.
