Privacy & Cybersecurity

Nemours Children’s Health System has reported the loss of three, unencrypted computer backup takes containing patient billing and employee payroll data.  The tapes had been stored in a locked cabinet, and were reported missing on September 8th. 

We have a new expert in the house for cybersecurity, privacy and technology issues. Our government relations affiliate, ML Strategies has announced a new Manager of Government Relations,  Rachel Sanford. 

We update the myriad of state data breach notification laws on a quarterly basis in what we fondly call the Mintz Data Breach Matrix. Hot off the presses is the version current as of October 1, 2011. 

In an important ruling for Internet service providers, the U.S. Court of Appeals for the Ninth Circuit has  unanimously affirmed the ruling of a district court that the provisions of the Electronic Communications Privacy Act of 1986 (ECPA) prohibiting internet service providers from disclosing the contents of stored communications protect the U.S.-stored electronic communications of foreign citizens.

Connecticut Attorney General George Jepsen has announced the creation of a Privacy Task Force to help educate the public about data protection requirements and to focus his Office’s response to Internet privacy concerns and data breaches that affect consumers.

The Federal Trade Commission has released its long anticipated proposed revisions to its rule implementing the Children’s Online Privacy Protection Act (“COPPA”). COPPA governs (1) operators of websites and online services that are directed to children under the age of 13 and (2) operators of general audience websites or online services that have actual knowledge that a user is under 13. 

In a mixed decision, a federal court judge in New York dismissed federal statutory claims arising from Web-based advertisers' use of cookies that tracked users' Web browsing activities, but denied a motion to dismiss claims under state law.

Recently the California Public Utilities Commission (CPUC) in a unanimous decision approved data protection rules for the following Smart Grid providers: Pacific Gas and Electric Company, Southern California Edison, San Diego Gas and Electric Company, and the companies that assist them in utility operations, companies under contract with the utilities, and other companies that, after authorization by a customer or by the action of the CPUC, gain access to such customer's usage data directly from the utility.

Texas covered entities (health care providers, health insurers and clearinghouses) and other entities that use and disclose PHI of Texas residents using electronic health records (EHRs) face new risks and stringent requirements under HB300, a new Texas privacy law. 

It is time for covered entities and business associates to jump start HIPAA privacy and security programs and make sure that everything is in compliance.   GovInfoSecurity reports that the Department of Health and Human Services (HHS) has awarded a $9.2 million contract to KPMG to develop protocols for conducting the long-awaited HITECH Act-mandated HIPAA compliance audit program. 

Regular readers of this blog will be familiar with my view that difficulty in proving actual damages poses challenges to would-be plaintiffs in privacy class actions. 

In a settlement announced by the Federal Trade Commission (“FTC”) on June 27, 2011, Teletrack, Inc. agreed to pay $1.8 million to settle FTC charges that it violated the Fair Credit Reporting Act (“FCRA”) by selling consumer reports to marketers without a “permissible purpose.”

Bank Info Security reports that a magistrate for the U.S. District Court in Maine issued an Order that further defines what constitutes “reasonable” security practices.

On Monday, a federal judge in Los Angeles issued an order granting final approval to a previously-announced settlement of consolidated class actions alleging that the use of so-called “flash cookies” in connection with advertising on web sites resulted in unauthorized tracking of web users’ browsing activity.

The United States District Court for the Northern District of California has dismissed the claims of the plaintiffs against Facebook in the case of In re: Facebook Privacy Litigation. 

The Chairman of the Federal Trade Commission, Jon Leibowitz, said: It's the law, it's the right thing to do, and, as today's settlement demonstrates, violating COPPA will not come cheap.

With the inevitability of death and taxes, data breaches spawn class action lawsuits. The massive Sony PlayStation Network data breach has now resulted in the filing of a class action in federal court in Massachusetts captioned Thompson v. Sony Computer Entertainment. 

There have been hundreds of articles written in the past week on the Sony Playstation Network breaches. Cynthia Larose, chair of Mintz Levin's Privacy and Data Security practice, has been quoted in several articles over the weekend, including The Wall Street Journal, Reuters, and The Chicago Tribune.

We've had the Epsilon breach. We've had Sony Breach One and Sony Breach Two. Today, Bloomberg News reports on a breach that may be, as one security expert in the article calls it, "the nastiest password hack in history...." LastPass is reporting that hackers may have broken into its database and stolen info on as many as 1.25 million users.

Yesterday, in a Customer Service Notification posted on its website, Sony Online Entertainment LLC (“SOE”) based in San Diego, California revealed that its systems were also the subject of a hacking attack.