"Slippery Slope" defined...

Way back in law school we learned a term called the "slippery slope." In academia, it usually has a negative connotation because it generally means..."the beginning of the end."

Imagine you are standing on some rocks next to a roaring river. The rock you are on is dry, but as you step forward, you step onto a wet rock. It's slippery and it slopes towards the river... whoosh, you slip on the rock and slide down into the river. There was nothing you could do; the events were set in motion by powers beyond your control (gravity, dude).

In law, the term is used when a decision is made that, in all likelihood, will lead to other decisions similar to the original one. If the first decision was bad, then the following ones will be equally bad if they follow the first. And since our legal system is based on "stare decisis", prior decisions must be given due respect and usually must be followed.

The term is used so often that, to me, it has become akin to the boy who cried wolf. Not every decision made that is termed the "slippery slope" results in bad things happening, but I fear that a recent decision in the United Kingdom may be the definition of the "slippery slope."

There is a website called "The Pirate Bay" that arguably facilitates illegal activity. It essentially allows its visitors or "users" to share files. Usually those files are not supposed to be shared (copied music or movies for example).

The courts in the UK have just ordered the various ISPs (Internet Service Providers) to block access to The Pirate Bay. That's right, if you live in England and get Internet access from one of the major players over there, you won't be able to visit The Pirate Bay.

So, if the courts are willing to order the blocking of certain Internet sites, are the days of a free and open Internet over?

According to a recording industry chief executive, "The High Court has confirmed that The Pirate Bay infringes copyright on a massive scale..."

Thank you sir. The site is hosted in Sweden and the Swedish authorities already found the site operators guilty of "helping people circumvent copyright controls." (BBC Article) Resolution is pending...IN SWEDEN...!

 

There are sites out there that will allow you to mask your IP address (basically your "license plate" when you surf the net) so that your Internet usage cannot be tracked. These sites claim that there are plenty of legal reasons to do so, so they are allowed to exist.

As a former prosecutor, I am familiar with the myriad ways that criminals can hide their tracks or at least make it incredibly difficult to find them on the Internet. I would ask myself all the time "how can this service be legal, it seems to have no legitimate purpose..."

There are sites out there that will teach you how to kill someone. There are sites out there for just about every horrible aspect of humanity. There are also sites out there that may be teaching someone how to save the world, solve global warming and many other really good things. Our Government here is allowed to "seize" websites once a court order is obtained. Our Government can break down your door if they get a search warrant. There is a difference between this behavior and blocking access without addressing the source.

The British judiciary just gave private companies an end around. Forget taking down the source, just order access to the offending site blocked and force compliance on that issue...much easier, right?

There is a mountain of evidence to suggest that The Pirate Bay website operators knowingly engage in behavior that facilitates crime.  In order to bring them to justice I would have had to prove it - beyond a reasonable doubt. It appears the Swedish authorities did just that.

But here.... the British courts just ordered access to the site shut down. Do they really think that's going to make a difference? If the whole Napster thing taught us anything, it's that copy/paste isn't going away anytime soon, it just changes address.

To sum it up:

Access to The Pirate Bay is blocked because of copyright infringement.

Access to "how to join jihad" is blocked because of national security concerns.

Access to "candidate x's website" is blocked because candidate x's positions are far too radical for the general populace to be reading.

Access to "The Internet" is blocked because, well, we're just not ready yet.

And there you have the "slippery slope" folks.

 

Today is the Deadline for MA Data Privacy Law

On March 1, 2010, two years ago, the regulations associated with the Massachusetts Data Privacy Law went into effect. The regulations, found at 201 CMR 17, require businesses that possess “Personal Information” (PI) of Massachusetts residents to protect that data in fairly specific ways. Arguably, the most important aspect of the regulations was the requirement that all businesses have a “Written Information Security Program” or WISP. But there are certainly other important regulations, one of which comes into effect today, March 1, 2012.

March 1, 2012 is the deadline for those businesses who possess “PI” to address any third-party contracts where the third-party possesses or otherwise maintains PI on behalf of the business.

 

Let’s say you’re a large law firm that, by nature of the business, is in possession of a large amount of PI. Your firm processes hundreds or even thousands of cases each year. As each case comes to an end, the file gets boxed up and shipped out for storage for, say, ten years. Contained in that box is the personal information of Massachusetts residents who were involved in the case. Your firm has used the same storage company for twenty years and so far things have seemingly been fine (at least as far as you know). **NOTE: the “file” and the “box” could be, and probably are, electronic files as opposed to physical (paper) ones.

Under the regulations that come online today, your firm must now have, as part of its contract with the storage company, certain clauses or elements in order to comply with MA law. Specifically, the regulations require that the “owner” (see here: the large law firm) of the PI must have a clause in its contract with the vendor (see here: the storage company) that seeks to obtain assurance that the vendor can protect the PI it possesses on behalf of the business.

The regulations require that owners/licensors of Personal Information of MA residents “oversee service providers” by selecting providers that are capable of maintaining appropriate security measures to protect PI, and require by contract that the vendor implement and maintain such appropriate security measures to protect the PI. In addition, the contract should include a clause that requires the vendor, in the event of a loss or “breach” of that data, to give notice to the owner as soon as is practicable and without unreasonable delay. Cooperation between the owner of the PI and the vendor, or possessor of the PI, is required as well. Cooperation is defined as the vendor informing the owner of the breach; the date of the breach; and any steps taken by the vendor related to the breach. (M.G.L. c. 93H s. 3(a))

 

[ **NOTE: the above is not legal advice, and this blog post should not be considered legal advice – if you have questions or concerns about this law, please consult competent legal counsel. ]

 

I suspect the large law firm who has been doing business with the storage company for twenty years will have no problem fixing up their contract. After all, the storage company wants their business.

But what about the smaller businesses who use an outside IT company to run their computer systems? Let’s say the IT company stores the client’s data on servers located in the IT company’s offices; a sort of “private cloud” arrangement, since it also stores other clients’ data on these servers as well. Or what if the small business uses a behemoth like Amazon Web Services for their cloud storage of data? Will the small business be in the position to “oversee” Amazon’s internal security apparatus? These small businesses are the entities that need to be made aware of this regulation, but I fear that their education in this area is lacking.

I suppose the answers to the above questions will lie in the regulator’s definition of “oversee.” The law seems to define “oversee” as selecting entities that are capable of providing the appropriate security measures. Will having boilerplate language in your contract be enough? I guess we will have to wait and see for that answer. (Again, please consult a lawyer if you find yourself in this situation)

 

P.S.

March 1, 2012 is also a special date because it’s the first anniversary of the Massachusetts Data Privacy Law Blog. Its official launch, live on the Internet, was March 1, 2011… We’ve had over 11,000 visitors and several thousand are returning readers. I thank you for your interest in this blog. I try to keep it light, but at the same time convey interesting material.

Thanks for reading.

Your author,

John.


A Survey of Pending Federal Legislation

Good Afternoon,

Tomorrow, November 3, 2011 I will be making a presentation at the Boston Bar Association on the topic of pending Federal legislation in the area of data breach and data security. It is sure to be a historic event as I will predict the future.

OK, maybe not historic, but certainly relevant. In 2007, Massachusetts passed the "Mass Data Privacy Law", followed shortly (ha ha) thereafter by the infamous regulations found at 201 CMR 17 (2010). The pending bills clearly intend to preempt all state laws. What will happen to Massachusetts law? I mean, it just got here... does it have to leave already?

I have chosen six bills that seem to have the best chance of passage this year. Of those six, probably three have a solid chance.

Come see which six are the "chosen ones" and which three have the best chance, and why!!

The United States lacks a comprehensive data privacy / data breach notification law. Even Russia purports to have one. Will it finally happen? Will the United States join the majority of the developed world and enact a nationwide law? Or will Congress bicker and debate for another year?

I have all the answers (maybe), you just have to be in Boston tomorrow at noon to get them...

Boston Bar Association

16 Tremont Street

Boston, MA

12pm - 1pm

https://www.bostonbar.org/membership/events/event-details?ID=8110


Social Security Numbers Released by the Social Security Administration?


When you are born in the United States you are entitled to a "social security number." I say entitled, because it doesn't seem to be required, at least it wasn't. I didn't get mine until I was applying for my first job. My mother took me down to the Social Security Administration's office and I got myself a shiny new blue card with a number that would follow me my entire life. My children got theirs from the doctor who delivered them (kidding, but it was close in time).

When you die in the United States, apparently the Social Security Administration "re-categorizes" you as deceased in what is called the Death Master File or DMF. I can see the usefulness of that. It seems logical that you'd want to make sure that a decedent's SSN isn't used by anyone else... But what if, just maybe, the SSA listed you erroneously on the DMF? But wait, I'm not dead, in fact, I'm feeling much better now (remember Monty Python's Holy Grail..bring out yer dead scene? Hilarious).

What is the impact when you are erroneously listed on the DMF? Apparently, and according to people who were erroneously listed on the DMF, you can be turned down for loans and apartments, have bank accounts frozen and other negative events when your SSN is a required aspect. I guess the "inquirer" looks up the applicant's SSN on the DMF and if it's there, then the applicant must be dead (at least their SSN is), therefore the applicant can't have whatever it is they're asking for - because they are dead.

The DMF is apparently available for purchase, but if you buy it, you get the SSNs of living, breathing humans because mistakes happen.

According to a report in the Seattle Times by Howard Scripps News Service reporter Thomas Hargrove, the news service purchased the list and then started contacting the "erroneously placed names and SSNs" to inform them that they are listed as dead. One woman said that she has been dealing with her number situation for 10 years! What a hassle.

From the article in the Seattle Times:

Social Security officials admit that, each year, they accidentally release the personal information of about 14,000 living Americans by posting their files among the records of 90 million deceased Americans.

 

WHOOPS, sorry 'bout that. Thanks for telling us though.... Oh, you didn't tell us? You don't tell us? You're not required to tell us?

Apparently the SSA takes the position that they're not required to tell those people erroneously listed that their personal information has been made available to the public, by accident. A data breach by my definition. The article doesn't clearly say that, nor do the quotes from Social Security Officials, but what other conclusion can you draw?

I know, I know, the Social Security Administration didn't KNOW that the mistake happened, otherwise, logically speaking, it wouldn't have happened. And since they didn't KNOW it happened, how could they possibly have informed the people involved?

If you read any of the pending Federal legislation regarding data breach notification requirements, you'll find that constant monitoring is required. If you have the data, it's your job to KNOW if it's been erroneously released.

If the Feds want to place these regulations on businesses across America, they should really clean up their own house first.

 

The tech world loses a visionary

As we've all heard by now, Steve Jobs has passed away. In the past 25 years or so I have been torn between the Mac world and the PC world... My first computer was an Apple IIe. I can still see it in my mind's eye, although physically I have no idea where it is (or what's on it!). After that it was PC after PC after PC. I can't even recall how many there were.

What is really amazing to me is the massive advances that Apple continuously makes that leave the PC in the dust. Even I, a diehard PC person, have to admit that Apple's technology is wicked cool. I do have a G5 at home that is pretty cool, I'm just not sure I'm a "mac guy"...

In the 80's and 90's I watched Apple get relegated to the "educational institutions of the world" only to reinvent itself as THE consumer computer company over the last 15 or so years. I know that Steve Jobs made that happen. It's also been fascinating to see how for a while there were "mac" people and "PC" people, just check out the ads about it. The way I see it now, with the iPad and the iPhone, it's gonna be a "Mac" world soon enough. Everything else will simply be a copy of theirs. (anyone remember the story about the first graphical interface? Karma's a bitch, Bill)

Rest in peace Steve.

 

PS - I am disgusted but not surprised that within hours of his passing, idiot advertising/affiliate/marketing/scammers started doing their thing. They set up "stevejobsfuneral[dot]com" which has no legitimate purpose. Check out the story over at Threatpost...

The Senate puts three data breach bills in play


Yesterday, the US Senate voted to approve three bills that deal with data privacy, security and breach notification. All three would preempt the existing state laws that deal with data breach notifications, so ya, this matters.

Senator Leahy’s bill, S. 1151, “Personal Data Privacy and Security Act of 2011”, passed on party line votes with no Republican support. A few amendments were passed during the hearing, none of them fundamentally changing the original bill, but rather “tweaking” it.

 

Senator Feinstein’s bill, S. 1408, “Data Breach Notification Act of 2011”, also passed on party lines with no Republican support. An amendment proposed by Sen. Grassley, the Chairman of the Committee debating this bill, was defeated. His amendment sought to direct all fees and fines collected due to violations of the law to lower the deficit. How dare he tell Washington what to do with the money. (Should I pay my VISA card or go buy a new pair of shoes?)

 

Senator Blumenthal’s bill, S. 1535, “Personal Data Protection and Breach Accountability Act of 2011”, also passed on party lines with no Republican support. One amendment proposed again by Sen. Grassley failed. It proposed to limit the ability and authority of the FTC to expand the definition of “Personal Information”, or as the Senator calls it, “Sensitive Personally Identifiable Information” (SPII).

 

So, no Republican support huh? Currently the Dems have 51 senators, the Republicans 47, and there are two independents. All things held constant we have a new law, but it’s not that simple, is it?

 

Blumenthal’s bill tries to do too much (102 pages). Feinstein’s bill is narrow (31 pages) and only deals with breach notifications. Leahy’s bill is somewhere in between (65 pages).

 

Recently the US Chamber of Commerce, a pretty influential group, wrote letters to the Senate and gave their position on the three bills. They didn’t like any of them. Of course they “lauded” the Senate’s efforts to protect the consumers, but their “client” is business not people. (oh wait, didn’t Romney just say that corporations are people?)

 

The Chamber dismissed Blumenthal’s bill out of hand, and rightfully so. Its definition of personal information is about 400 words long! It gives a private right of action to the public, and as much as I can envision a million attorneys lining up to file suits and get their third, it’s not appropriate. I simply cannot see this bill getting anywhere without major revisions. Check out the Chamber's letter here: (US Chamber lett 2.pdf)

 

The Chamber addressed the other two in a little more detail.  They took issue with several parts of Leahy’s bill, nine sections to be specific. With regard to Feinstein’s bill, they only addressed a couple. You can read the Chamber's letter here: (US Chamber lett 1.pdf)

 

What are the major differences between Leahy’s and Feinstein’s? A data security program requirement. There are other differences, and some may say they matter more, but essentially the debate will come down to whether or not the law is going to require businesses to have a data security program of some sort.

 

Leahy’s bill is very similar to Massachusetts. It discusses a “data privacy and security program”, but does not specify, as Massachusetts does, a specific required company policy (WISP in Massachusetts).

 

Feinstein’s bill doesn’t concern itself with any “data privacy program”, it merely requires the business to notify. Where’s the motivation to protect the data? Fear of bad press? Fear of lawsuits? Both of those fears can be easily mitigated, probably cheaper than implementing a robust data security program.

 

Now there are other, substantive, differences, but generally speaking the question is this: does government have to legislate business’ treatment of data or just require them to tell us when they’ve lost it?

 

The answer probably involves a discussion about “objective” and “motivation.” The objective seems clear, too much of individuals’ personal information is out in the wild, so let’s take better care of it. But what creates the proper motivation for businesses to do just that?

 

I am not a fan of having government run businesses. Government is too slow and rarely produces cost effective results. Occasionally, however, government does have to regulate (speed limits for example). The profit motive can easily cause harm to both the economy as a whole and individuals in particular. The recent credit crisis is an excellent example.

 

I like Leahy’s bill because of its “data privacy program” requirement. It addresses the breach notification issue, and once notified, the government, if it chooses, could ask to see the business' program. In this way the business either has an answer or it doesn’t. It could make the enforcement options much easier. Did the business have a robust program, an “ok” program or none at all? I think the sanctions ordered by government would be in line with the business' level of security for the data. Oh, you didn't have a security program....POW!

 

The fear that Senator Grassley suggests has little basis in fact. He says that businesses required to have a data privacy program will incur massive costs and force layoffs. I disagree. The requirements are necessary and in many instances simply mean changing behavior, not buying new technologies. If you’re in the business of collecting, using, or simply passing along our personal information, then you have an obligation to protect it. Didn’t we learn anything from the mortgage situation?

 

It would have been nice if we didn’t have to get to this point, but we are, and without swift government intervention things will not get better.

 

Compromise is key in politics. The Senate should not compromise our data any further than it already is…


PS – maybe the recent arrests of the LulzSec hackers will motivate the hacking to stop, and then again, maybe not.

Tracking the National Data Breach Notification Statutes


I have decided to get a little crazy today and use "widgets"...

The following is a list of all pending Federal Data Breach Notification bills. The associated widget should reflect the most recent activity associated with that particular bill.

Be sure to check back for the latest updates

 

It should be an interesting fall session... starting with hearings next week in the Senate.


Federal Data Breach Notification statute moves along

Today, I’d like to have a look at a Federal Data Breach notification statute that’s been getting some attention. There are, by my count, five bills pending in Washington, D.C. Want a list?

Representative Bono Mack’s bill is the one we’re discussing today. Why? Because it’s likely to make it to at least a full House vote. Whether the Senate takes it up and the President signs it are too far off to predict. As an aside, Representative Rush’s bill, that competes with Bono Mack’s, was recently referred to the subcommittee that just approved Bono Mack’s bill. She chairs the committee, so Mr. Rush, try again next session. I can’t see Bono Mack calling for a vote on a bill that covers the same issues as hers.

 

The bill is known as the SAFE Data Act. It basically requires certain businesses to employ certain safeguards designed to protect data. Those requirements are eerily similar to the Mass regulations found at 201 CMR 17. The bill also requires certain businesses to inform the Federal Trade Commission and citizens of a data breach, in certain circumstances. Finally, the bill preempts certain state laws.

OK, I used the word “certain”, five times in that paragraph. I did so because the bill only applies to those companies engaged in interstate commerce. The security regulations only apply to those companies engaged in interstate commerce who are not already regulated by HIPAA or GLBA (Federal regulations for healthcare and banking industry respectively). And finally the preemption of the various state laws will affect its application to businesses… let’s briefly touch on that…

 

The preemption clause, in relevant part:

 …This act supersedes any provision of a statute, regulation or rule of a State…, with respect to any entity subject to this Act, that contains:

(1) requirements for information security practices or treatment of data similar to those under section 2; or

(2) requirements for notification of a breach of security similar to the notification required under section 3.

 ** Please note the “any entity subject to this act” statement. We will talk about this again.

 

Let me sum up the Massachusetts Data Law for you:

  • Massachusetts put in place strict regulations regarding the handling of Personal Information (PI), as well as notification triggers and requirements. The law and regulations apply to ALL Massachusetts businesses. In short, if you own PI and it’s on a mobile device, it has got to be encrypted. If you realize that some data went missing, and there is a SUBSTANTIAL risk of identity theft, you must report it to the Attorney General and the various citizens whose data went missing.

 

Now let me sum up the SAFE Data Act (presuming you as a company possess PI):

  • If you are engaged in interstate commerce and you are not already regulated by HIPAA or GLBA, you have to have the required security safeguards in place.
  • If you are regulated by HIPAA or GLBA, this law doesn’t apply to you.
  • If you are not engaged in interstate commerce, then this law doesn’t apply to you.

 

  • If you are engaged in interstate commerce, not regulated by HIPAA/GLBA, and you lose data and you make the determination that “there is no reasonable risk of identity theft, fraud or other unlawful conduct…”, no notification is necessary. But if you do find a “REASONABLE risk” of identity theft then you must notify the Federal Trade Commission within 48 hours, and the affected citizens within 45 days.
  • If you are regulated by HIPAA or GLBA, this law doesn’t apply to you.
  • If you are not engaged in interstate commerce, then this law doesn’t apply to you.

 

Who does the law apply to then? Companies engaged in interstate commerce who are not in healthcare or banking, I guess.

So, if you are not engaged in interstate commerce, but are a Massachusetts company, where are you? Did the new Federal Law preempt the Massachusetts law, or did it just preempt the law as it applies to those entities engaged in interstate commerce? Recall the “any entity subject to this act” from above. It appears that if you are engaged in interstate commerce you are an “entity subject to this act” and exempt from the Massachusetts law, right?

 

I am a small accounting firm in Central Massachusetts, I do not engage in interstate commerce. I am subject to the Massachusetts Data Law and the regulations. The neighboring business happens to be involved in interstate commerce, but offers a very similar service. Do we have different regulatory schemes? Yes, it appears you do.

 

The goal was to make data breach notification simpler. This does it, for the very largest companies in our country. Unfortunately for the small ones in Massachusetts they will end up with a more onerous law than the one that applies to say, Walmart...

 

PS - Bono Mack appears to have lost the support of Rep. Henry Waxman on this bill. That might be costly. His concerns are legitimate, but big business is happy with the bill.

 

Beth Israel Hospital suffers data breach - 2,021 people affected

The Boston Globe is reporting today that a major Boston hospital, Beth Israel, has suffered a data breach. This one appears to be "real" in the sense that no records were mistakenly left on a train, the information was purposely stolen via malware.

Hiawatha Bray, a technology writer at the Boston Globe, reports the hospital saying that "an unnamed computer service vendor had failed to restore proper security settings on a computer after performing maintenance on it." Apparently that machine was later found to be infected with a virus which transmitted data files, in encrypted format, to an unknown location. Ask me, it's a trojan, placed via a phishing e-mail... but that's just a guess.

The information taken appears to be medical record numbers, names, genders, birthdates and procedure details. The hospital says that no social security numbers were taken.

I would suggest that based on the information stolen, and the hospital's status as a "covered entity" under HIPAA, formal notification is required. Health and Human Services lists all reported data breaches here. I looked, but could not find this one... Maybe they haven't told them yet.

Interesting how the media finds out fairly early on in these situations, maybe even before the authorities.

 

Under Massachusetts Law, notification may also be required... I say "may" because according to the Globe's report, "medical record number" and "names" were stolen. On the MA Office of Consumer Affairs website, under the "Frequently Asked Questions" section, the question is asked whether an "insurance policy number" qualifies as a "financial account number" requiring notification. The answer:

An insurance policy number qualifies as a financial account number if it grants access to a person's finances, or results in an increase of financial burden, or a misappropriation of monies, credit or other asset.

I am comparing the "medical record number" with the "insurance policy number" for two reasons: one, it's likely that in the hospital's database the medical record number is associated with an insurance policy number (mine is). And two, it's certainly a way to get services under someone else's name.

If I had someone's name and their medical record number, could I show up at a hospital and obtain services via the emergency room? Of course, the bill would go to the victim, right? Why might someone do this you ask? Prescription drug access is one possibility. The FTC has a page dedicated to "Medical Identity Theft" and describes what it means.

The major problem with using the medical record number is that the bad guys would have to know some details about the victim's past before using the number. You can't walk in as a twenty-something female using the medical record number of a fifty-something female... ah, but they took the birth dates as well.

I think it's an open question as to whether notification would be required under Massachusetts law.

 

Do you know what's also an open question: Why doesn't the Massachusetts Attorney General post the reported data breaches? The Federal Government does, the Attorney General in New Hampshire does... New Hampshire posts the actual letters sent to them reporting the breach.

Did you know that I requested all filed notification letters under a Freedom of Information type request... Four months after my initial request I was told that I could have all 2,400 of them, for $2,907.00.


Most Massachusetts residents victims of data breach?


The Boston Herald recently reported that a whopping FIVE MILLION residents have been the "victim" of a data breach. Of course, it is very likely that in many cases the same person's information was lost several times.

The 2010 United States Census results puts the Massachusetts population at 6,547,629. Five million is 76% of our total. Just ponder those numbers for a minute... while I ask you these questions:

Have you ever been a victim of a violent crime?

Ever seen a violent crime in progress?

Ever been a victim of a property crime?

Ever seen a property crime in progress?

Chances are you haven't been a victim of violent crime, nor seen one in progress. They are rather rare events (as a percentage of our population). If you have been a victim, I sincerely hope that you were able to recover and put it behind you; I fully understand how it can impact an individual, both physically and mentally.

Property crimes are different in that they are usually crimes of opportunity. The bad guy sees something he wants, and he takes it - usually when no one is watching (thus the opportunity). There is a better chance that you have either been a victim of a property crime or seen one in progress. The numbers just work that way.

 

We have learned how to protect ourselves, how to avoid risky situations, how to secure our belongings, in the physical world. But what about the digital world?

Do you have the slightest clue how to protect yourself in the digital world? Oh, did you just renew your Anti-Virus software - ya, that should do it...

No, you don't know how to protect yourself in the digital world. I don't, you don't, no one does. The way it is set up, it is, in many ways, beyond our control. Sure, there are "stay safe on the Internet" speeches - but those are for kids. Still important, mind you, but it's for kids. We teach those same kids "not to talk to strangers" and "don't get in a stranger's car". This is good advice, but it's the same advice for a different neighborhood.

Right now the digital world is reminiscent of the Wild West. Who tamed the bad guys back then and where are they now?

Crime in America is on the decline, and has been so for 10 years. Maybe the laws and their enforcement are working? Or maybe it's some statistical anomaly. Whatever it is, crime numbers are down.

That's in the physical world, however. In the digital world, crime is up, way up, and no one's immune. It's like 100,000 of us just parked our new BMWs in a parking lot, left the keys in the car with our GPS device, laptop, camera, and our golf clubs lying in the back seat. Oh, and there were no lights in that parking lot. Would we ever do that? Not in the physical world, but definitely in the digital one.

It's really not our fault. And not a fair comparison. In the physical world we lock our cars and hopefully put our possessions out of sight because we "know" that we risk losing them if we don't take certain precautions.

In the digital world, we just "go on the Internet" and go about our business having no idea what, if anything, is happening in the background. Have you noticed lately how long certain websites take to load? Ever watch the lower left-hand corner and see what is "loading"... I assure you it's not the text you were seeking to read... what about those links that we click... did you hear about the one where "Casey Anthony" supposedly confessed to her attorney, and it was videoed? Oh yeah, just click on the link marked "jaa" to see the confession...

Jaa is Finnish for share. And share you would if you clicked that link. Here's the story from ZDNet (and not the bad link).

Let's find a comparison in the physical world:

"yessir, I am the valet, I know, it's not usual to have a valet at McDonald's, but we're testing out a new service... great, I'll park it right over there, pal..."

Yes, you'd be an idiot to give your car to a "valet" at McDonald's, but clicking a link to see the purported confession of Casey Anthony... am I an idiot for just clicking it?

I keep asking myself the following question:

Whose responsibility is safety in the digital world?

National Data Breach Law Proposed

Another day of rain in Boston. That’s three in a row and at least four more coming. April showers bring May flowers, but what do May showers bring? Not pilgrims. How about data laws? Congress is awash with bills that deal with data in one way or another. They're just lining up down there in D.C.

I was reading through what has been called the “President’s Cybersecurity Legislative Proposal.” It has multiple parts, so today we will only dive into the “Data Breach Notification” [pdf] section, and examine two problems that jump right out at me.

There is plenty of analysis to be completed here, but we have to start somewhere; this is where I am starting:

PROBLEM ONE:

The proposal follows a similar path as most of the bills that seek to protect our data. It defines what it intends to protect: Sensitive Personally Identifiable Information, or SPII. Can’t we all just agree to call it the same thing? Is it “PI” for personal information, or “PII” for personally identifiable information, or is it now “SPII” for sensitive personally identifiable information? As much as I like the acronym SPII (pronounced “SPY”, of course), it’s better if we all just called it “PII”. (The mathematicians took over PI a long time ago, remember: 3.14…?)

What difference does it make, you might ask. It makes a big difference, a real big difference. The President’s proposal defines the targeted information as:

(1) An individual’s first and last name, or first initial and last name in combination with any two of the following data elements:

            (A) home address or telephone number;

            (B) mother’s maiden name;

            (C) Month, day and year of birth;

(2) A non-truncated social security number, driver’s license number, passport number, or alien registration number or other government issued unique identification number;

It further defines “SPII” in sections 3 and 4 to include “biometric data”, financial account or credit or debit card number (apparently standing alone), or:

(5) Any combination of the following data elements:

            (A) an individual’s first and last name or first initial and last name;

            (B) a unique account identifier, including a financial account number or credit or debit card number…

            (C) any security code, access code or password or source code that could be used to generate such codes or passwords.

Note the missing information: e-mail addresses. I guess the Epsilon breach wasn’t that big a deal then, now was it? That party hasn’t even started yet – the bad guys are still designing the PHISH!!!

Recall our good Senator Kerry and his far-flung fishing buddy, Senator McCain; their “Commercial Privacy Bill of Rights” definition of “PII” was (paraphrased) name, address, E-MAIL ADDRESS (emphasis added), phone number, Social Security or other Govt number, credit card number, a “unique identifier that alone could be used to identify an individual”, and biometric data.

And for completeness, let’s get Massachusetts’ definition of PI out here too:

a resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:

(a) Social Security number;

(b) driver’s license number or state-issued identification card number; or

(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account…

So we have PI, PII, and now SPII, and they’re all different or “legally distinct” as one may say. Wow, what a fabulous example of you say tomAYto and I say tomAHto… but what’s the third guy supposed to say?

OK, I can accept the differences at some level because in practice it will just make more work for lawyers like me. (see generally $$$) I point them out to emphasize the chaotic storm that is raging in Congress. We can’t seem to agree on what we want to protect. Imagine if all the different definitions, PI, PII, SPII, are put into law. What data did you lose, Mr. Company? Oh, you lost this, then you’ve got to tell so-and-so. But if you lost that, you’ve got to tell them over there. But if you lost a combination of this and that, you need to tell them. It's like an Abbott and Costello routine.

PROBLEM TWO:

Let’s get to what’s likely to become the scuttlebutt here in Massachusetts: STATE LAW PREEMPTION.

The Federal Government is allowed to pass laws that “pre-empt” or trump the various state laws because of the “supremacy clause”, Article VI, clause 2, of the U.S. Constitution. (U.S. Const. art. VI, cl. 2. – hope that’s proper citing, old law school profs, been a while) The Federal Government also has significant leeway in passing “supreme” laws in the area of “interstate commerce”. Those two words are dropped more often than “my uncle’s a cop” after being pulled over by the “staties” here in Mass. It’s where Congress gets a lot of its juice. You can be sure that if they can get a law passed in furtherance of protecting interstate commerce, they will.

In what has been called “Section 109”, the President puts forward the following language in his proposal:

Sec. 109 Effect on Federal and State Law

The provisions of this title shall supersede any provision of the law of any State, or a political subdivision thereof, relating to notification by a business entity engaged in interstate commerce of a security breach of computerized data, except as provided in section 104(c).*

*For completeness: section 104(c) says essentially the States can require that the notice sent out after a breach include any “victim assistance program” offered by that particular State.

You noted the use of “interstate commerce”, right? It appears throughout the proposal.

So my question to ponder as I sail adrift in this storm is whether the Massachusetts requirement that businesses have a Written Information Security Program will be eliminated by the passage of this bill in its current state. You see, the proposed Federal law specifically says “supersede any provision of the law…relating to notification…” It doesn’t say any more or any less.

My initial read on this is that the Federal Government is trying to standardize the notification process by trumping all existing notification rules. The proposal lays out what the notification has to say, who it goes to and when. I can see the value in having a standardized approach to that, but there are problems, “mattey!” (as in a ship’s mate – have you noticed the theme here?)

This law only applies to those companies that handle (own, license, etc.) SPII of at least 10,000 people in a 12 month period. So, if I am a smaller company (i.e., fewer than 10K people’s PI, PII or SPII) in Massachusetts, am I off the hook?

But recall our “interstate commerce” connection. In order to have significant Federal involvement, and “supremacy”, the Feds really have to rely on “Interstate Commerce” as their basis to get involved. So this law only applies to those businesses that have at least 10,000 people’s information AND are involved in interstate commerce.

So, I am a small accounting firm or architecture firm. I do keep PI around, both of my employees and clients/customers. I employ lots of mobile devices and transmit the PI across the Internet on a regular basis. But all my business is in Massachusetts. I paid big money for encryption software and other upgrades in order to be in compliance with the Mass regs… are you telling me that after only one year it’s going away?

There is an analogy… sort of… Back a bunch of years ago, Boston passed a rule/law that required restaurants to have a separate room for those customers who choose to smoke. That room had to have its own ventilation system. Many restaurants actually built out those rooms at a significant cost to the business. What happened next? Government passed a law that outlawed smoking in every restaurant, period.

Yes, that’s right, even government can change its mind.

It’s not clear that the proposal will actually sink the WISP, in fact there are several arguments to be made that the regulations under 201 CMR 17 will still stay in effect with the force of law. It’s just that there are arguments to be made that the passage of this proposal will put that issue “in play.”

This proposal now has to take the route made so famous in Schoolhouse Rock's "I'm just a bill... yes, I'm only a bill and I'm sitting here on Capitol Hill..." Do you remember how that ended?

Assigned to committee... amended, negotiated, amended some more.

And it died in committee...

You can be sure that your author will watch this situation closely.

Sony data breach discussion on Lawyer 2 Lawyer

Yesterday, May 12, Legal Talk Network aired their talk show, Lawyer 2 Lawyer. The topic: The Sony Data Breach... The host: Bob Ambrogi... The guest: ME. That's right, little ol' me!

It was an honor to be asked to discuss the issue. There were two guests, myself and Justin Brookman, Director, Consumer Privacy, at the Center for Democracy and Technology. Mr. Brookman had testified in Congress about data breaches only last week.

OK, the talk show is legit. They discuss real issues and have really good guests. How in the world did I end up on the show?

Maybe it's because I took a shot at the plaintiff's bar and their Sony lawsuits. (and by the way, I got voice mails and emails from people who want in on the suit, how ironic)  Or maybe it's because I try to shoot as straight as I can on these issues.

For whatever reason, I did get the opportunity and enjoyed the experience. If you have some time, have a listen.

What's really strange is that even after all these years of listening to myself try cases and elicit Grand Jury testimony, I still don't like the sound of my voice... I guess some people are just like that.

Does the Massachusetts Data Privacy Law apply to Banks, Hospitals and other federally regulated entities?

The regulations (201 CMR 17) say a definite YES.

The law (MGL 93H) seems to say otherwise…

Read on, my friends:

Section 5 of the Massachusetts Data Privacy Law states:

MGL 93H Section 5.

“This chapter does not relieve a person or agency from the duty to comply with requirements of any applicable general or special law or federal law regarding the protection and privacy of personal information; provided however, a person who maintains procedures for responding to a breach of security pursuant to federal laws, rules, regulations, guidance, or guidelines, is deemed to be in compliance with this chapter if the person notifies affected Massachusetts residents in accordance with the maintained or required procedures when a breach occurs; provided further that the person also notifies the attorney general and the director of the office of consumer affairs and business regulation of the breach as soon as practicable and without unreasonable delay following the breach. The notice to be provided to the attorney general and the director of the office of consumer affairs and business regulation shall consist of, but not be limited to, any steps the person or agency has taken or plans to take relating to the breach pursuant to the applicable federal law, rule, regulation, guidance or guidelines; provided further that if said person or agency does not comply with applicable federal laws, rules, regulations, guidance or guidelines, then it shall be subject to the provisions of this chapter.”

Let’s break this down: “this chapter does not relieve a person…from the duty to comply with…[other] law[s]…” That makes sense, lawmakers didn’t want to make a law that allows someone to be immune from other laws. Okay, so the MA Data Privacy law requirements do not forgive other obligations – got it.

Then we see the infamous intro: “provided however.” In law school the “provided however” essentially meant that whatever you were reading was about to take a sharp left… oh dear… watch out, we’re turning…

… “provided however, a person who maintains procedures for responding to a breach of security pursuant to federal laws, rules, regulations, guidance, or guidelines, is deemed to be in compliance with this chapter IF…”

OK, the legislature has now identified a group (those subject to federal laws) and is granting them “compliance”… IF – if what?

… “IF, the person notifies affected Massachusetts residents in accordance with the maintained or required procedures when a breach occurs; provided further…”

So, if I am an entity that is subject to a federal law and comply with that law, I am deemed in compliance with the Massachusetts law if I notify the affected Massachusetts residents when a breach occurs. Check, can do. But we see that pesky “provided further” and our sharp left continues…

… “provided further that the person also notifies the attorney general and the director of the office of consumer affairs and business regulation of the breach as soon as practicable and without unreasonable delay following the breach.”

Seems simple enough: I have rules and regulations promulgated by the Feds that I have to follow if I suffer a loss of data, a breach; in order to satisfy the Massachusetts law I simply have to be in compliance with the Federal law and then make sure to notify the Massachusetts residents and also the MA Attorney General and the Office of Consumer Affairs.

And just to add one more twist to our journey, the good legislature uses “provided further” one more time:

… “provided further that if said person or agency does not comply with applicable federal laws, rules, regulations, guidance or guidelines, then it shall be subject to the provisions of this chapter.”

So, if I ignore the federal laws, I must follow this law – sound right?

Is the inverse true? If I follow my federal laws, do I have to follow this one? The language of the statute seems to suggest that if you follow your federal laws, and make sure that you notify the correct people, you’re all set, or “deemed to be in compliance.”

Let’s see what the legislators said during their debate of the bill (from the legislative history):

May 9, 2007 ----- RODRIGUES AMENDMENT: Rep. Rodrigues offered another amendment.

Rep. Rodrigues said, this amendment specifically addresses those industries governed by federal statute and regulation. There are a couple that we know are custodians of much personal information and abide by very strong federal regulations in order to protect that information. This amendment would not exempt them from the requirements of notification, but if they are in compliance with federal law relative to notification, and all of the entities are notified that are required to be notified, they will be in compliance with this bill.

The House adopted the amendment on voice vote.

 

Seems very clear, doesn’t it?

I am a hospital that is subject to HIPAA regulations. Those regulations have strict rules regarding “personal health information” and those rules specifically address what to do if you suffer a data breach. This seems to be exactly what the legislators were talking about when they voted for the “Rodrigues Amendment” and wrote section five, right?

Allow me to refer you to the Massachusetts Office of Consumer Affairs and Business Regulations (“OCABR”) website, specifically the “FAQs” or “frequently asked questions” section (pdf):

I already comply with HIPAA. Must I comply with 201 CMR 17.00 as well? Yes. If you own or license personal information about a resident of the Commonwealth, you must comply with 201 CMR 17.00, even if you already comply with HIPAA.

I want to be absolutely clear: the regulations in the code (201 CMR 17) are comprehensive and require significant effort to follow. The law, MGL 93H, says there must be regs; the OCABR created the regs. The regs require companies to have written policies, encryption technology, locking file cabinets, etc. It's not a short list.

The law also has this “exception” built into it, doesn’t it?

Why does the OCABR believe that a HIPAA compliant business must comply with their regs?

I have researched the possible legal outcomes of this, so stay tuned for the conclusion.

******************************************

Is 2011 the year for a Federal Data Privacy Law?

A Federal Data Privacy law has been lurking for years... and seemingly is pushed back every year due to one crisis or another. Health care reform, credit crisis, international instability, you name it, we got it. What we don't have is a comprehensive data privacy law at the Federal level but rather a bunch of state level data privacy laws leaving businesses confused or even ignorant about what their responsibilities are with regard to securing the data they possess.

Senator John Kerry has proposed a Federal Data Privacy Law, but what does it look like? Back in December, Hunton and Williams, on their "Privacy and Information Security Law Blog" posted a sneak peek overview of what the bill proposes to do.

Although not official, the hints are interesting... (from Hunton's post referencing Kerry's Senior Advisor's speech)

"...covered entities be accountable..." - does that suggest actual enforcement?

"...three rights as non-negotiable...1) all firms put in procedures in place to secure...information, 2) consumers have right to know what the firms are collecting... 3) consumers can simply opt-out."

"...safe harbor" - likely: encryption of data gets you a free pass

When President Obama instituted Health Care reform and the requirement that all Americans have health insurance did he look to Massachusetts as his model? The Federal requirements look and feel a lot like the requirements in Massachusetts... no health insurance, no tax return (at least not what you expected).

When Senator Kerry put together his Data Privacy bill, did he too look to Massachusetts, his home state, for a model? Massachusetts' Data Privacy Law is rare in that it puts affirmative obligations on businesses to DO something BEFORE a data breach as opposed to doing something AFTER a data breach.

The concern I have is the exemption that Kerry suggests for financial data covered under the Gramm-Leach-Bliley Act. That act is not as robust in its protection of data as it should be. Plus, this exemption, and that "ACT (GLBA)", apply to those institutions that are the best targets for the bad guys. Why tighten the screws on the landscapers, but let the banks be "exempt"? (because banks have better lobbyists? just a thought) And why didn't he exempt HIPAA?

The Massachusetts Law has language that suggests an exemption as well. Section 5 reads that essentially if your entity is subject to federal laws that have breach notification rules, then you're in compliance here. The actual language says "...maintains procedures for responding to a breach pursuant to Federal laws... is deemed to be in compliance..." So, if your company "maintains procedures" for responding to a breach in accordance with a Federal Law... My question: how do you define "procedures"? Before I grant this section fully exempt status, I'd like to get a ruling by the court.

Most states that bother to have a data privacy law require the businesses that possess certain data, personally identifiable information, to tell those individuals they lost it in the event of a data breach or data "loss". For example:

Dear Sir, I am writing to tell you that we lost certain information personal to you, like your name and social security number. Feel free to contact the 3 credit rating services we list below to see if the bad guys are using it. Sorry about the inconvenience. Signed, Business Owner.

If Senator Kerry really wants to protect individuals' information he should look to Massachusetts as the model law. He should eliminate "exemptions" and instead use the words "in conjunction with" or some other well crafted "lawyer-speak" when trying to get this law to cohabit with other Federal regulations.

In all likelihood, business owners, industry leaders, and those influential people who "assist" law makers will not want the Massachusetts version. It creates extra work for businesses (see: "extra work = extra cost").

Informing those individuals whose information was lost is a no brainer, keeping it from happening in the first place is real protection.

This is obviously a developing story... so stay tuned.