New Data Security Regulations to Take Effect in Massachusetts on March 1st, 2010

The scramble is on as companies seek to comply with the identity theft regulations adopted in Massachusetts, touted as 'the first of their kind in the country', which are scheduled to take effect on March 1, 2010.

The effective date’s announcement followed a report indicating there have been over one million instances of Massachusetts residents’ personal information being exposed in two years. “We hope these regulations will make it harder for information to get into the wrong hands, and lower the number of instances of data being lost or stolen,” said Barbara Anthony, the Undersecretary of the Office of Consumer Affairs and Business Regulation (OCABR).

While M.G.L. c. 93H was passed in 2007, controversy emerged over how to pursue some of the law’s objectives under the regulations. After repeated postponements and revisions, brought about largely by changes in the economic climate as well as businesses' compliance concerns, the regulations are now set to take effect on March 1st.

Work Emails and Reasonable Expectations of Privacy - Is the Divide Ripening for the Supreme Court?

As indicated by my prior posts, You've Got Email, But Is It Private At Work? and Is Einstein Reading Your Email for the Government?, the questions and arguments about privacy and email are heating up. A recent case in point, covered by the ABA Journal in Martha Neil's article Prosecutor’s E-Mail Sent to His Lawyer on a Work Account is Privileged, Court Says, presents an interesting case. Here Neil reports,

A federal prosecutor's e-mail to his own lawyer is privileged, even though he sent it from work on a government computer, a federal court has ruled.

As pointed out in the article, this is in contrast to similar cases and interpretations. A comparison of this case with the government's arguments reviewed in Is Einstein Reading Your Email for the Government? shows how the divide in these matters is growing.

Attorney-client privilege is a fiercely guarded area of privacy, and this case may present the opportunity for the Supreme Court to reaffirm the attorney-client privilege in the context of email and the information age. Of course, if taken up, how they go about this could have far wider implications for privacy rights and email communications. If heard, would they focus on the rule (reasonable expectation of privacy) or rather on the exceptions or privileges? If examined, will they look at the totality of the circumstances and thus leave the law to be advanced case-by-case as the circumstances come before courts, or could they take a more holistic approach that offers guidance in this uncertain arena? Time will tell, but the issue seems to be ripening with each "send" button pressed.

You've Got Email, But Is It Private At Work?

Not that long ago I blogged, Is Einstein Reading Your Email for the Government? The issue there was email and the government's argument about its right to read it. In short, the government suggests you don't have a reasonable expectation of privacy in your email sent to (or read by) government employees. In sum, while computer users generally have a legitimate expectation of privacy in the content of Internet communications (such as an e-mail) while it is in transmission, the government argues there are things it can do to eliminate a person's reasonable expectation of privacy and thus remove any of email's privacy protections. It stands to reason that if certain measures and conduct implemented by the government can remove privacy protections, then why not employers, too?

A recent Wall Street Journal article, Some Courts Raise Bar on Reading Employee Email, Companies Face Tougher Tests to Justify Monitoring Workers' Personal Accounts; Rulings Hinge on 'Expectation of Privacy' was summarized by Debra Cassens Weiss in an ABA Journal post, May Employers Monitor Personal E-Mail? Cases Turn on Disclosure.

The articles and comments at each post raise good points. Some comments from Weiss' post touch upon email retention policies and duties to preserve email as evidence, otherwise privileged communications (for example, an email to your attorney), ownership or control of the computer, private vs. company email, and more.

Nonetheless, the takeaway lesson for employers sounds a lot like the government's arguments about Einstein 2.0: be very explicit in informing your employees about your monitoring activities, and those employees no longer have a reasonable expectation of privacy. Thus, as an employer, if you don't have an email and electronic communications policy, then it's time to consistently adopt, implement, and enforce one. While this is no guarantee that you are on safe ground in monitoring all email, it appears to be the direction things are heading. As for employees, you should know what monitoring is taking place at your work. Take the time to review the email and other company policies and to understand what each means. Also, think twice before sending that email with your resume attached from your office computer or before checking your personal email while at work or on a work computer. Stop, think, and remember--there's a good chance your boss, as well as big brother, may be watching what you send and what you read.

While this post discusses email, don't forget about blogs, comments, tweets on Twitter, text messages, instant messages (IM), and others, too.

Predicting Medical Conditions with Data: Promising Model if Privacy is Protected

A tweet from @AbbieCitron brought me to the Medical News Today post Electronic Medical Records Could Help Predict Domestic Abuse. The article discusses forecasting patients' risks by using electronic medical records. Specifically, the article deals with domestic abuse screening or predictions.

Dr. Ben Reis of the Children’s Hospital Informatics Program (Harvard-MIT Division of Health Sciences and Technology, Children’s Hospital Boston, and Harvard Medical School) co-authored the study, Longitudinal histories as predictors of future diagnoses of domestic abuse: modelling study. The study concluded,

Commonly available longitudinal diagnostic data can be useful for predicting a patient’s future risk of receiving a diagnosis of abuse. This modelling approach could serve as the basis for an early warning system to help doctors identify high risk patients for further screening.

Friend or Foe: Friending Your Bill Collector

An ABA Journal post by Martha Neil, Could Your New Facebook ‘Friend’ Be a Bill Collector? notes there is little regulation of collection practices on the Internet because current laws are focused on traditional technology.

As the number of consumers giving up landlines increases, and while the information age continues advancing, consumer protections will need to keep changing in order to keep up with the times. The Congressional Findings and Declaration of Purpose found in the Fair Debt Collection Practices Act (PDF) notes:

There is abundant evidence of the use of abusive, deceptive, and unfair debt collection practices by many debt collectors. Abusive debt collection practices contribute to the number of personal bankruptcies, to marital instability, to the loss of jobs, and to invasions of individual privacy.

In addition, Subsection (b) adds:

Existing laws and procedures for redressing these injuries are inadequate to protect consumers.

Interestingly, consumers are not the only ones who may be interested in reform. Forbes.com posted a letter from the president of a debt collection company who also believes reform is needed:

The Fair Debt Collection Practices Act (FDCPA) is over 30 years old and largely regulates communication pertaining to debt collecting. Keep in mind, when FDCPA was crafted over 30 years ago, answering machines were not even used, let alone faxing, e-mailing, texting, etc. ... The FDCPA is in desperate need of being updated

Without clear rules, debt collectors interested in collecting debts ethically will be disadvantaged against those who look to collect consumer debts any way they can, including through abusive tactics. This argument, that debt collectors trying to follow the rules should not be put at a disadvantage relative to those that are abusive, is referenced in Subsection (e) of the FDCPA:

It is the purpose of this title to eliminate abusive debt collection practices by debt collectors, to insure that those debt collectors who refrain from using abusive debt collection practices are not competitively disadvantaged, and to promote consistent State action to protect consumers against debt collection abuses.

With benefits to both consumers and collection companies available by updating collection laws, this should be an area that is ripe for review and change.

Federal law does allow states to impose higher standards than those found in the FDCPA, and it will be interesting to see whether legislative changes come from the states or the federal government. If neither, then I'd keep an eye on unfair and deceptive trade practices claims, as well as others, emerging in this area as courts wrestle with trying to fit today's tactics into yesterday's laws.

Massachusetts Privacy Law Stalled-Out Again and Weakening

In previous posts, I discussed the legislative amendment being kicked around that would weaken the MA data security law (M.G.L. 93H).

Well, it appears the legislative change may not be necessary as the latest and ungreatest regulatory scheme changes appear to do the hatchet job for them. Too bad. In short, it's not good news for Massachusetts consumers or their privacy rights, as privacy rights seem, once again, to be taking a backseat to political influences.

The Official Website of the Office of Consumer Affairs & Business Regulation (OCABR) states:

BOSTON – Aug. 17, 2009 – ... The updated regulations will take effect March 1, 2010. The regulations make clear that their approach to data security is a risk-based approach that is especially important to small businesses that may not handle a lot of personal information about customers. Under a risk-based approach, a business, in developing a written security program, should take into account its size, nature of its business, the kinds of records it maintains, and the risk of identity theft posed by its operations.

...

New language in the regulations recognizes that the size of a business and the amount of personal information it handles plays a role in the data security plan the business creates. The new language requires safeguards that are appropriate to the size, scope and type of business handling the information; the amount of resources available to the business; the amount of stored data; and the need for security and confidentiality of both consumer and employee information.

The changes, Anthony said, make clear the regulations are risk-based in implementation, not just in enforcement as had been the case in earlier versions of the regulations. In addition, the regulations are technology neutral and acknowledge that technical feasibility plays a role in what many businesses, especially small businesses can do to protect data.  The overall approach is more consistent with federal law, she said.

...

The Office of Consumer Affairs and Business Regulation today sent to the Secretary of State notice of public hearing on the changes. That hearing will be held on Tuesday, Sept. 22, at 10 a.m. at the Transportation Building, 10 Park Plaza, Boston.

For more information about identity theft protection, visit the Office of Consumer Affairs and Business Regulation website, www.mass.gov/consumer.

An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part 5 of 5

Massachusetts Senate Bill No. 173 (PDF file or see full text below) introduced this year, would amend M.G.L. 93H and effectively water down the Office of Consumer Affairs and Business Regulation's (OCABR) authority on a few fronts. I've addressed a few of these in past posts.

After a short vacation, today I'll briefly be addressing the fourth proposed change, but more importantly the sum of all the proposed changes, because I fear they fail to protect consumers and their privacy rights, but instead seem very good at protecting certain business interests aided by powerful lobbying efforts.

Briefly, under the fourth proposed change, employees could be terminated for willful violations of the law, regulations, or written information security plans.

While I'm not going to attack this language (although you can see the proverbial passing of the buck coming here), it makes me ask, "As a group, did any of the four proposed changes help consumers while guarding individuals' privacy rights?"

Let's review a summary of the three changes I've previously discussed:

  1. Businesses would not have to comply with any Massachusetts state regulations with stricter standards than federal law.
  2. Ensures OCABR is prevented from requiring specific technology or methods be employed. Thus, the proposed amendment effectively guts OCABR's encryption requirement (and its power to do so in regulations).
  3. The law would not apply evenly, but would depend on the size of the business and require separate standards be promulgated for small businesses, thus implying a person's privacy rights matter less depending on who is allowing them to be infringed upon. This would also add more delay as more layers of regulations are adopted.

The answer to my earlier question, I'm afraid, is a resounding "No": none of the four proposed changes help consumers while guarding individuals' privacy rights--thus the title of this series of posts, "An Act Ensuring Less Privacy of Massachusetts Residents' Data," which is a play on the proposed act's title, "An Act Ensuring the Privacy of Certain Data."

As stated in other posts, privacy rights simply aren't being treated as rights held by individuals but rather as things or issues to be regulated. With economic considerations, lobbying, and political influence guiding the outcome, it appears that short-term economic arguments may continue trumping individuals' privacy concerns. In the end, so long as economic incentives and business interests are placed before individuals' rights, then privacy rights can't really exist, no matter what we call or title them.

The full text of Senate Bill 173, An Act Ensuring the Privacy of Certain Data, is below. Funny, I don't think this is available anywhere else on the web except in PDF. Why is that?

An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part 4 of 5

Massachusetts Senate Bill No. 173 (PDF file), introduced earlier this year, would amend M.G.L. 93H (Massachusetts data protection law) and effectively water down the Office of Consumer Affairs and Business Regulation's (OCABR) authority (as well as its data protection regulations) on a few fronts. I'm reviewing four of the proposed changes in separate posts. Today, I'll examine a proposed change which requires different strokes for different folks, or rather different legal standards for protecting people's personal data. The proposed change adds,

Notwithstanding the rules adopted by the department [OCABR] ..., said department shall create separate regulations for small businesses ... that reflect said small businesses unique situation and resources.

Thus, under this proposed change, the law would not apply evenly, but would depend on the size of the business and require separate standards be promulgated for small businesses. Perhaps it sounds reasonable when looked at from the perspective of protecting small businesses, but this change implies a person's privacy rights matter less depending on who is allowing them to be trampled upon. Should the law allow for different standards when it comes to individuals' rights or should the emphasis be on protecting the absolute rights held by individuals instead?

An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part 3 of 5

Massachusetts Senate Bill No. 173 (PDF file), introduced by Senator Michael W. Morrissey this year, would amend M.G.L. 93H and effectively water down the Office of Consumer Affairs and Business Regulation's (OCABR) authority on a few fronts. I'm taking each one up in a separate post. Today, I'll address a proposed change that involves encryption and specific technologies and adds the following language,

The department [OCABR] shall not in its regulations, however, require covered persons to use a specific technology or technologies, or a specific method or methods for protecting personal information.

To put this proposed change in the proper context, you must know that OCABR's current regulations require data to be encrypted. Unlike today, this proposed change would ensure OCABR is prevented from requiring specific technology or methods be employed. Thus, the proposed amendment effectively guts OCABR's encryption requirement (and its power to impose one in regulations). Not only does this weaken the agency helping protect consumers' data, but it takes the bright lines out of the regulations and makes the revised law fuzzy at best. In sum, the change leads to foreseeable ambiguity and real-world enforcement problems.

Who does this change really protect?

An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part 2 of 5

Massachusetts Senate Bill No. 173 (PDF file), introduced this year, would amend M.G.L. 93H and effectively water down the Office of Consumer Affairs and Business Regulation's (OCABR) authority on a few fronts. I'm taking each one up in a separate post, and today I'll address the first proposed change.

If SB 173 is enacted, businesses would not have to comply with any state regulations with stricter standards than federal law. While businesses need to comply with federal law, this should not stop states from implementing higher standards to protect their residents. This suggested revision hurts individuals' privacy rights, as compliance is limited to the lowest common denominator and doesn't aspire to improve safeguards beyond minimum standards.

While some commentators previously commended MA for leading the way on data privacy protections, this proposal brings us back, at best, to the status quo--a review of data breach news headlines demonstrates the status quo simply isn't working or protecting peoples' privacy. MA has a chance to take the lead in protecting individuals' privacy rights and punting isn't the best option.

In the end, so long as economic incentives and business interests are placed before individuals' rights, privacy rights are at risk. I hope Massachusetts opts to lead the way on protecting privacy and doesn't adopt the proposed amendment.

The timing of this proposed amendment baffles me: why gut a law the state legislature passed that hasn't even been given a chance to work?

Next, I'll discuss the data encryption and data protection methods that are being stripped away under the proposed change.

An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part One

Massachusetts Senate Bill No. 173 (PDF file), introduced earlier this year, would amend M.G.L. 93H (MA Data Security Law) and effectively water down the law while reducing the Office of Consumer Affairs and Business Regulation's (OCABR) authority to protect Massachusetts consumers' privacy rights.

These proposed changes to the data protection law are a timely topic, as the original MA law was passed following TJX's large-scale data breach. TJX has recently entered into a $9.75 million settlement with 41 states over its data breach. According to the Boston Herald, in TJX to pay states $9.75M in data breach settlement,

The $9.75 million settlement payment includes $2.5 million to establish a data security fund for the states and $1.75 million to cover the states’ investigations into the data breach. Massachusetts will receive more than $950,000 of that money.

The Herald reports that Attorney General Martha Coakley, who was a driving force behind the states' involvement, said in a statement:

Protecting consumers’ personally-identifiable information is of paramount importance to prevent fraudulent use of credit and identity theft.

All retailers and companies that hold or use personally-identifiable information must employ data security systems that guard against the improper disclosure or use of that information. This settlement ensures that companies cannot write-off the risk of a data breach as a cost of doing business.

The Identity Theft Assistance Center (ITAC) blog, in TJX Agrees to Pay $9.75 million to 41 States in Data Breach Case, states:

The company [TJX] also stated in an official news release that it “firmly believes it did not violate any consumer protection or data security laws.” However, California Attorney General Jerry Brown had a different POV [point of view] and cited the company’s 2004 internal audit, which found security vulnerabilities. ... "TJX ignored flaws in its credit card database, until hackers broke into it, gaining access to the personal information of almost 50 million people..."

In the wake of the TJX settlement, brought about by the efforts of MA Attorney General Coakley and other attorneys general, it's disappointing to see present attempts by state legislators to water down the Massachusetts data protection law. In coming posts I'll discuss four changes being proposed and how each fails to help consumers or protect individual privacy rights. Thus the title of this series, "An Act Ensuring Less Privacy of Massachusetts Residents' Data," which plays off of the proposed act's title, "An Act ensuring the privacy of certain data."

City Says Job Applicants No Longer Asked To Provide Online Account User Names and Passwords

Paul McNamara at Buzzblog posts in Bozeman backs down on demanding passwords that the flood of complaints over Bozeman, Montana's policy of requesting online account names and passwords of potential hires has led to that practice being discontinued. I commented on his blog as it reminded me of the discussion I recently had with Patriot Ledger reporter Julie Onufrak. During a recent interview, we were discussing the limits of industry self-regulation when it comes to privacy rights and the need for laws that protect them. I don't think self-regulation works when it comes to people's rights, and whether it's demonstrated by the Sears settlement or Bozeman's practices, my point is that we need clear laws that protect individuals and their privacy rights.

Here are my comments on buzzblog about the Bozeman situation:

It's good to see the policy change go into effect, but there's always another issue to consider anytime a privacy invasion occurs. What happens to the data that was collected? Recently the FTC entered into an agreement with Sears that required they stop collecting private consumer data in a certain manner, but also that they destroy the data which had been collected that way. This gets even trickier, however, when government agencies are the ones collecting private data as there are Freedom of Information Act and other sunshine laws that can give citizens access to government records. While it's good to see a policy change in Bozeman, it would be even better to see legal standards in place that go beyond self-policing or self-regulation.

To me the unifying theme is one that keeps popping up in privacy issues: if individual privacy rights are not being treated as recognized rights held by an individual, then efforts to protect them will fail. In order to protect privacy, bright-line laws giving individuals the right to enforce those rights must be enacted, not left to government enforcement alone but providing private remedies as well. Unfortunately, I don't think government sees it that way (see FTC Provides Views on Behavioral Advertising to House Subcommittee). I think this is true in Washington and, as recent legislative efforts indicate, here in Massachusetts, too--which I'll post about shortly.

Privacy Pollution and Does Privacy Matter?

Does privacy matter? I was recently reviewing excerpts from an earlier interview of Bruce Schneier by the International Association of Privacy Professionals, where he was asked, "Is privacy the new environmentalism?" Schneier's reply was prescient,

Yes, and data is the pollution problem of the Information Age. Think about it. All computer-mediated processes produce data. Unless dealt with, it stays around. And its after-effects can be pretty toxic. And, just as 100 years ago we ignored pollution in our rush to build the Industrial Age, today we're ignoring data in our rush to build the Information Age. And, I believe, 100 years from now our great-grandchildren will look back at the decisions we made and wonder how we could have been so ignorant and short-sighted.

Privacy Law and Policy Makes e-Justice's List of Top Privacy Blogs

Thank you to the folks at e-Justice Blog for including Privacy Law and Policy in their 50 Best Blogs for Privacy Nuts. It's an honor to be included and also to be among the top ten blogs in the Law and Policies category.

e-Justice covers issues from cyber-law to personal security and aims to promote a more pro-active and informed citizenry by tackling issues of justice that affect people's safety and well-being.

Computer User, You've Got Jail: Terms of Service and Computer Usage Policies in Civil and Criminal Cases

The Computer Fraud and Abuse Act (CFAA) prohibits accessing a computer without authorization. The law has been used in civil cases in a variety of contexts for some time. The CFAA drew attention last year, however, when it was applied in the criminal prosecution of Lori Drew in the death of Megan Taylor Meier, a 13-year-old girl who committed suicide after being cyber-bullied and harassed by Drew.

The cyber-bullying involved Drew pretending to be someone else on a fictitious MySpace account created by Drew. The account's use was "unauthorized" under the MySpace terms of service. The breach of MySpace's terms of service was used to apply the CFAA and support Drew's criminal conviction. This use of a private company's terms of service agreement to apply criminal liability under the CFAA led many to argue the case has far reaching consequences. A number of critics of the case asserted the case went too far while others hailed it as a positive step toward protecting children online. Regardless, the case illustrates the changing nature of our laws, technology, and the emerging attempts to apply existing laws in novel ways, especially in those areas where the law may be lagging behind technology's pace.

Orin Kerr, at The Volokh Conspiracy blog, posts about a case seeking to test or expand the CFAA criminal liability theory even further. In Lori Drew, Take 2? The Government's Computer Fraud and Abuse Act Prosecution in United States v. Nosal, Kerr offers,

... the government is testing a similarly broad theory of the CFAA, if not an even broader one. The case is United States v. Nosal, No. CR 08-0237 MHP, ....
Businesses Beware: FTC Red Flag Rule on Required "Identity Theft Prevention Programs" Becomes Effective May 1, 2009

After a six-month extension, the Federal Trade Commission's Red Flag Rule on businesses' and organizations' identity theft prevention programs goes into effect May 1, 2009. In sum, the Rule requires development and adoption of a comprehensive "Identity Theft Prevention Program" into the day-to-day operations of covered companies and organizations (which includes most operating businesses, both large and small).

The Rule requires the development, implementation, and administration of a program which must address four key areas:

  1. Identifying Red Flags - Identify suspicious patterns or practices, or specific activities indicating the possibility of identity theft, that you may come across in your business (the "Red Flags").
  2. Detecting Red Flags - Procedures to detect the identified Red Flags.
  3. Preventing and Mitigating Identity Theft - An action plan for when Red Flags are detected.
  4. Updating the Program - A process for periodically re-evaluating and revising your identity theft program.

There has been some confusion over who must comply with the Red Flag Rule. The Rule applies to both "financial institutions" and "creditors" who have "covered accounts." The use of these terms has caused uncertainty as they do not refer to specific industries, but to anyone who falls under the definitions. For instance, "creditor" includes businesses and organizations who:

  • Regularly defer payment for goods or services or provide goods or services and bill customers later;
  • Regularly grant loans, arrange for loans or the extension of credit, or make credit decisions;
  • Routinely participate in decisions to extend, renew, or continue credit, including setting the terms of the credit; or
  • Extend credit to other businesses.

This expansive definition of "creditor" means most businesses would be considered a creditor under the Rule. Whether this interpretation holds up under later judicial review is an open question, but for now the FTC is clearly casting a wide net in defining "creditor." With respect to covered accounts, these are either:

  1. Consumer accounts that are primarily for personal, family, or household purposes and that involve or are designed to permit multiple payments or transactions; or
  2. Any other accounts where there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

Should the Rule apply, then the size, scope and complexity of a business are all factors to be considered in creating a specific Program. Because noncompliance can involve heavy fines, adopting and implementing a Program is advised as soon as possible.

The FTC offers resources which may help with developing an Identity Theft Prevention Program.