Will Peer-to-Peer (P2P) Technology Get You in Trouble?

The FTC has posted a news release announcing that it has sent notification letters to almost 100 organizations telling them that personal information stored on their systems, including sensitive data about customers and/or employees, is available on peer-to-peer (P2P) file sharing networks.  Samples of the FTC letters are available here, here and here.

Sometimes a business will put in place peer-to-peer programs that make it easy for individuals to share documents.  In many cases, however, employees have downloaded P2P programs on their own so that they can play games and share music or videos.  Depending on how these programs and your computer systems are configured (in particular, which folders the program has been set to share), the P2P programs may also expose company records, such as confidential HR records, company financial records, or trade secret information, to everyone on the network.  If the information involves social security numbers, bank account information, driver's license numbers or health information, a variety of breach notification laws may also require you to send letters to affected individuals, government agencies, and maybe even local or state-wide media.

A number of privacy laws, such as HIPAA and Gramm-Leach-Bliley, specifically require companies to conduct risk assessments to identify potential ways in which the confidentiality of sensitive information can be compromised.  Other laws, such as state social security number protection laws, may implicitly require such an assessment by requiring policies and procedures to protect sensitive information.  Finally, the FTC may view the failure to protect consumer information from inadvertent sharing over P2P networks as an unfair trade practice.

The FTC has a couple of good resources available on the security issues relating to peer-to-peer programs, available here and here, and some more general information available here.  Even if you've looked at this issue in the past, it's good to revisit it from time to time to make sure that the protections you have in place are working as you expect them to.
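The practical check behind the paragraphs above is twofold: does any P2P client's configured share folder sit above a directory that holds HR, finance or health records, and does anything already in a share folder look like it contains social security or account numbers?  The following script is an added example written for this page, not code from the FTC or the original post.  The share paths, the "sensitive" directories, the regular expressions and the sample files it creates in a temporary folder are all constructed for illustration; the patterns are heuristics, not a full data loss prevention engine.

```python
"""Audit P2P share configuration and share contents for exposed sensitive data.

Added example (not part of the original post).  All paths, patterns and
sample files below are constructed assumptions for illustration.
"""
import re
import tempfile
from pathlib import Path

# Heuristic patterns for the data types that trigger breach notification
# duties: SSNs, bank account numbers and health-record vocabulary.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "bank_account": re.compile(
        r"\b(?:acct|account)\s*(?:no\.?|#|number)?\s*[:#]?\s*\d{8,17}\b", re.I
    ),
    "health": re.compile(r"\b(?:diagnosis|patient id|icd-?10)\b", re.I),
}


def overexposed_shares(share_roots, sensitive_roots):
    """Return (share, sensitive_dir) pairs where a P2P share folder equals or
    contains a directory that holds confidential records.  A share set to a
    user's home directory or a drive root will show up here."""
    exposed = []
    for share in share_roots:
        s = Path(share)
        for sens in sensitive_roots:
            p = Path(sens)
            if p == s or s in p.parents:
                exposed.append((share, sens))
    return exposed


def scan_share(root):
    """Walk a share folder and return {relative_path: [matched categories]}
    for every file whose contents match one of PATTERNS."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the audit
        hits = [name for name, rx in PATTERNS.items() if rx.search(text)]
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_sample_share(root):
    """Constructed sample: a share folder mixing music with HR documents."""
    root = Path(root)
    (root / "music").mkdir(parents=True)
    (root / "music" / "track01.txt").write_text("ID3 tag placeholder, nothing sensitive")
    (root / "HR").mkdir()
    (root / "HR" / "payroll_2010.csv").write_text(
        "name,ssn,acct\nJ. Doe,123-45-6789,Account No. 123456789012\n"
    )
    (root / "HR" / "benefits.txt").write_text("Employee diagnosis: see attached")


def demo():
    """Run the content scan over the constructed share and return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        return scan_share(tmp)


if __name__ == "__main__":
    # Hypothetical configuration: one employee shares their whole home folder.
    print(overexposed_shares(["/home/alice"], ["/home/alice/Documents/HR", "/srv/finance"]))
    print(demo())
```

Run the configuration check against the share paths actually configured in each installed P2P client, and the content scan against those folders, as part of the periodic review the post recommends; a hit in either one is the situation the FTC letters describe.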

If you have questions about privacy and security laws, Warner can help.  Please give us a call!

Do Italian Courts have Unreasonable Expectations?

Hitting the news today is a report that an Italian court has convicted three Google executives in connection with a video that was posted on Google Video (Google's version of YouTube before Google bought YouTube).  In case you haven't been following this story, the video showed four Italian teenagers bullying an autistic youth.  The video was posted on Google Video for a couple of months, at which point police authorities contacted Google.  Once notified, Google removed the video within a couple of hours and provided information about who posted the video, which led to the juvenile sentencing of the four teenagers.

Even though the teenagers were convicted, the Italian prosecutor also brought charges against four Google executives, arguing both defamation and violation of privacy rights.  The defamation claims were dismissed, but the prosecutor prevailed on the privacy violations, arguing that Google should have sought permission from everyone in the video before allowing it to be posted.  It’s not clear to me how Google could in any practical way do that—especially with the volume of videos that get posted on its YouTube site on a daily basis.  It seems to me the better target for criminal prosecution is the person who posted the video, as that is the person who would be in the best position to obtain permission from participants and who should be exercising judgment as to whether the video is offensive or not.

While U.S. law generally shields website operators from this kind of liability, anyone who operates a website with social networking features should be concerned about this ruling.  If someone can post content to your website that others might find objectionable, are you at risk in Italy?  I don't think anybody's going to hit the panic button yet and pull out of Italy over this, but I think they're going to keep an eye on Google's appeal to see what happens.  And if this decision is upheld, I think people will definitely re-evaluate whether it's still worth doing business in Italy.

If you have questions about international privacy laws, Warner can help. Give us a call!

HITECH Deadline Comes and Goes, But Where’s the Guidance?

As you’ve probably noticed, the deadline for implementing the HITECH Amendments to HIPAA came and went last week without much fanfare—primarily because the Department of Health & Human Services still has not released any guidance on how we should be implementing these changes.  Moreover, there’s still no indication when the new guidance will come out.

What does this mean?  Well, it probably means that the Office for Civil Rights (the division within HHS that enforces HIPAA) won't be looking to make an example of anybody quite yet, at least with respect to the updated business associate agreement requirements.  It's been reported that a representative from the Office for Civil Rights, speaking at a conference last week, indicated that enforcement of the business associate provisions will be delayed until final rules have been published.

But before you breathe too deep a sigh of relief, keep in mind that HITECH also gave state attorneys general the right to enforce HIPAA, and the state AGs are not bound by OCR's decision to delay enforcement.  We've already seen the Connecticut Attorney General bring a HIPAA enforcement action, and who knows how soon other state AGs will get into the game.  My guess is that they're not going to be knocking on doors asking specifically about business associate agreements, but if there's some kind of breach and it turns out that a business associate agreement had not been updated on a timely basis, that might get thrown into the complaint as an additional violation.

I’ve previously blogged about what you should be doing to comply with the HITECH amendments to HIPAA.  If you need additional help with HIPAA, Warner can help.  Give us a call!

A Couple of Odds and Ends . . . .

Interesting article at Forbes.com about how businesses, especially financial institutions, are increasingly absorbing the cost of security breaches.  According to the article, individuals who are victims of identity theft are more likely to take their business elsewhere.  The article notes that it's expensive to replace a customer, to the point where it makes sense to absorb identity theft costs.

Common Theme in Recent Breach Notifications: Lack of Encryption

A few data breaches making the news recently:

One breach involved a lost laptop at Methodist Hospital in Houston.  The details are rather sketchy, but it seems that a thief made off with a laptop that contained SSNs and personal health information of 689 patients.  No indication whether the information was encrypted, but my assumption is that it must not have been if the hospital has sent out notification letters.

Stolen Data from Abandoned Offices Proves Costly

Here’s an interesting story.  BlueCross BlueShield of Tennessee seems to have suffered a data breach last year when someone broke into offices that BlueCross had abandoned and stole 57 computer hard drives containing medical information on up to 500,000 people.  So far, BlueCross of Tennessee has spent more than $7 million responding, a great deal of it probably on the 700 people who are trying to figure out what was stored on those hard drives.  According to this BlueCross information sheet, the information on these computers included names, insurance numbers, and for some individuals diagnostic information, date of birth and social security numbers.

Why Are People Fearful of Electronic Medical Records?

Interesting article here on privacy concerns regarding electronic health care records.  As you may be aware, the 2009 stimulus bill (also known as the American Recovery and Reinvestment Act of 2009) included financial incentives for health care providers to implement interoperable electronic medical records that can easily be shared as part of regional and national networks.  The goal is laudable: make sure that any doctor who treats you will be able to fully access your medical records.  The concern, of course, is that the records are easily used for purposes other than health care and are vulnerable to hackers and others with mischief on their minds.  To address these concerns, the 2009 stimulus bill also included the HITECH amendments to HIPAA, which extend HIPAA to companies that provide services to health care providers and tighten certain restrictions on what can be done with electronic information.

What Should I Be Doing About HIPAA?

If you are responsible for privacy compliance, then like me you've probably been waiting for new regulations from the Department of Health & Human Services that explain what you should be doing to comply with the HITECH amendments.  At first, I expected these regulations to come out at the start of the year, but as the weeks have gone by without regulations, it makes me wonder if they will even come out before the February 17, 2010 compliance deadline.  If you've been waiting for the regulations before tackling the HITECH amendments, we're probably at the point where it's time to stop waiting and start taking some action.

A Couple of Firsts and an Expensive Settlement.

Some security breach issues making the news . . . .

The Connecticut Attorney General has filed a lawsuit against Health Net of Connecticut, alleging that Health Net failed to properly secure patient medical records and financial information of 446,000 Connecticut residents.  The breach involved unencrypted data stored on a portable computer disk drive that disappeared from one of the company's offices.  I've previously blogged about this breach, but this is noteworthy because it is the first lawsuit filed by a state attorney general under the new enforcement rights extended by the HITECH Amendments to HIPAA.  It will be interesting to see how it is resolved and whether other state attorneys general will be filing enforcement actions any time soon.

Snooping in Medical Records Results in HIPAA Criminal Conviction

Here’s a story on a recent HIPAA criminal conviction.  The defendant, a cardiothoracic surgeon from China, admitted as part of a plea bargain to improperly accessing health records on four different occasions at the UCLA School of Medicine.  His sentencing is scheduled to take place on March 22, at which point he could face up to four years in prison.