An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part One

Massachusetts Senate Bill No. 173 (PDF file), introduced earlier this year, would amend M.G.L. 93H (MA Data Security Law) and effectively water down the law while reducing the Office of Consumer Affairs and Business Regulation's (OCABR) authority to protect Massachusetts consumers' privacy rights.

These proposed changes to the data protection law are a timely topic, as the original MA law was passed following TJX's large-scale data breach. TJX has recently entered into a $9.75 million settlement with 41 states over that breach. According to the Boston Herald, in TJX to pay states $9.75M in data breach settlement:

The $9.75 million settlement payment includes $2.5 million to establish a data security fund for the states and $1.75 million to cover the states’ investigations into the data breach. Massachusetts will receive more than $950,000 of that money.

The Herald reports that Attorney General Martha Coakley, who was a driving force behind the states' involvement, said in a statement:

Protecting consumers’ personally-identifiable information is of paramount importance to prevent fraudulent use of credit and identity theft.

All retailers and companies that hold or use personally-identifiable information must employ data security systems that guard against the improper disclosure or use of that information. This settlement ensures that companies cannot write off the risk of a data breach as a cost of doing business.

The Identity Theft Assistance Center (ITAC) blog, in TJX Agrees to Pay $9.75 million to 41 States in Data Breach Case, states:

The company [TJX] also stated in an official news release that it “firmly believes it did not violate any consumer protection or data security laws.” However, California Attorney General Jerry Brown had a different POV [point of view] and cited the company’s 2004 internal audit, which found security vulnerabilities. ... "TJX ignored flaws in its credit card database, until hackers broke into it, gaining access to the personal information of almost 50 million people..."

In the wake of the TJX settlement, achieved through the efforts of MA Attorney General Coakley and other attorneys general, it's disappointing to see present attempts by state legislators to water down the Massachusetts data protection law. In coming posts I'll discuss four of the proposed changes and how each fails to help consumers or protect individual privacy rights. Hence the title of this series, "An Act Ensuring Less Privacy of Massachusetts Residents' Data," which plays off the proposed act's title, "An Act ensuring the privacy of certain data."

City Says Job Applicants No Longer Asked To Provide Online Account User Names and Passwords

Paul McNamara at Buzzblog reports in Bozeman backs down on demanding passwords that the flood of complaints over Bozeman, Montana's policy of requesting the online account names and passwords of potential hires has led to that practice being discontinued. I commented on his blog because it reminded me of a discussion I recently had with Patriot Ledger reporter Julie Onufrak. During that interview, we were discussing the limits of industry self-regulation when it comes to privacy rights and the need for laws that protect them. I don't think self-regulation works when it comes to people's rights, and whether that is demonstrated by the Sears settlement or by Bozeman's practices, my point is that we need clear laws that protect individuals and their privacy rights.

Here are my comments on Buzzblog about the Bozeman situation:

It's good to see the policy change go into effect, but there's always another issue to consider anytime a privacy invasion occurs. What happens to the data that was collected? Recently the FTC entered into an agreement with Sears that required they stop collecting private consumer data in a certain manner, but also that they destroy the data which had been collected that way. This gets even trickier, however, when government agencies are the ones collecting private data as there are Freedom of Information Act and other sunshine laws that can give citizens access to government records. While it's good to see a policy change in Bozeman, it would be even better to see legal standards in place that go beyond self-policing or self-regulation.

To me the unifying theme is one that keeps popping up in privacy issues: if individual privacy rights are not treated as recognized rights held by the individual, then efforts to protect them will fail. To protect privacy, bright-line laws giving individuals the right to enforce those rights must be enacted; enforcement must not be left solely to government but must provide private remedies as well. Unfortunately, I don't think government sees it that way (see FTC Provides Views on Behavioral Advertising to House Subcommittee). I think this is true in Washington and, as recent legislative efforts indicate, here in Massachusetts too--which I'll post about shortly.

Privacy Pollution and Does Privacy Matter?

Does privacy matter? I was recently reviewing excerpts from an earlier interview of Bruce Schneier by the International Association of Privacy Professionals, in which he was asked, "Is privacy the new environmentalism?" Schneier's reply was prescient:

Yes, and data is the pollution problem of the Information Age. Think about it. All computer-mediated processes produce data. Unless dealt with, it stays around. And its after-effects can be pretty toxic. And, just as 100 years ago we ignored pollution in our rush to build the Industrial Age, today we're ignoring data in our rush to build the Information Age. And, I believe, 100 years from now our great-grandchildren will look back at the decisions we made and wonder how we could have been so ignorant and short-sighted.


Privacy Law and Policy Makes e-Justice's List of Top Privacy Blogs

Thank you to the folks at e-Justice Blog for including Privacy Law and Policy in their 50 Best Blogs for Privacy Nuts. It's an honor to be included and also to be among the top ten blogs in the Law and Policies category.

e-Justice covers issues from cyber-law to personal security and aims to promote a more pro-active and informed citizenry by tackling issues of justice that affect people's safety and well-being.

Sometimes Privacy Seems Like the Titanic

I recall a law professor telling me that when the Titanic sank, it was lawful not to carry enough lifeboats to hold the ship's occupants. I quickly checked Wikipedia, which states:

The Titanic carried 20 lifeboats with a total capacity of 1,178 people. While not enough to hold all of the passengers and crew, the Titanic carried more boats than was required by the British Board of Trade Regulations. At the time, the number of lifeboats required was determined by a ship's gross register tonnage, rather than her human capacity.

Additional research indicates the Titanic had the potential to carry 48 lifeboats (as suggested by Alexander Carlisle), but cost-cutting resulted in only 20 being carried (albeit still more than the 16 required). The NY Times headline on April 17, 1912 read, "LIFEBOATS FOR ALL NOT ORDERED BY LAW; Apparent Security of Modern Liners Kept Out-of-Date Requirements in Force." The first paragraph states:

The disaster to the Titanic may bring about a change in the British Laws establishing the requirements in regard to appliances for the saving of life on modern liners, a development of marine architecture which was apparently not contemplated by those who framed the laws and amended them.

Sometimes privacy law seems like the Titanic to me. A U.S. District Court in the Northern District of California recently held that the alleged risk of identity theft is enough to grant standing to an identity theft victim, but that the risk alone is not enough to survive summary judgment.
