Spears Legal Technology


This blog is a resource guide for informational purposes only, and not the delivery of legal, technical or other professional advice. Using the information provided on this blog does not constitute an attorney-client relationship. If you need legal advice, please consult your lawyer.

Expectation of Privacy Regarding Emails Among Business Co-Owners

Citing a test to measure an employee's expectation of privacy in email on an employer's server, a Minnesota court held that a co-owner of a limited liability company had a reasonable expectation of privacy for personal email on the company's server because he had divided his email account into personal and business files.

You can read more about the case


Personal Information Recovered From Wiped Hard Drive

Using software freely available on the Internet, two computer professionals explained how they recovered sensitive patient information, including Social Security numbers, from hard disk drives “professionally” wiped and discarded by a hospital.

Watch this WYFF Channel 4 Greenville-Spartanburg news video. (Or here.)

For effective data security, businesses and consumers should shred old hard-disk drives when discarding them. See NIST SP 800-88 for more specific recommendations.



WiFi Hacker From Hell Sentenced To 18 Years

A Minnesota hacker prosecutors described as a “depraved criminal” was handed an 18-year prison term Tuesday for unleashing a vendetta of cyberterror that turned his neighbors’ lives into a living nightmare.

Barry Ardolf, 46, repeatedly hacked into his next-door neighbors’ Wi-Fi network in 2009, and used it to try and frame them for child pornography, sexual harassment, various kinds of professional misconduct and to send threatening e-mail to politicians, including Vice President Joe Biden.

His motive was to get back at his new neighbors after they told the police he’d kissed their 4-year-old son on the lips.


TED Talk: Mikko Hypponen - Fighting Viruses, Defending The Net

From TED's website:

"It's been 25 years since the first PC virus (Brain A) hit the net, and what was once an annoyance has become a sophisticated tool for crime and espionage. Computer security expert Mikko Hyppönen tells us how we can stop these new viruses from threatening the internet as we know it."


Borders' Customer Data Will Not Disappear With The Company


With all the attention on the closing of the almost 400 remaining Borders stores, the chain's IT jewel—purchase history and other CRM data on tens of millions of its customers—is still to be sold to the highest bidder. When that happens, any privacy promises Borders made to loyalty-program customers are out the window.



FDA To Regulate Mobile Health Apps?

The FDA proposes to regulate at least some mobile apps, according to the Washington Post.

For example, an app that allows radiologists to view X-rays on an iPad or that turns an Android phone into a heart monitor would be regulated. But an app that stores medical records or provides training videos to physicians would not.

The full draft of the proposal is available at the FDA's website.


It Is Too Easy To "Hack" Into Another Person's Voicemail Account

In light of the phone-hacking scandal currently dominating U.K. headlines, Brian Krebs offers insight into the methods used to access another person's voicemail. He also runs his own test, targeting the voicemail account associated with his wife's iPhone.

For years, it has been a poorly-kept secret that some of the world’s largest wireless providers rely on caller ID information to verify that a call to check voicemail is made from the account holder’s mobile phone. Unfortunately, this means that if you haven’t set up your voicemail account to require a PIN for access, your messages may be vulnerable to snooping by anyone who has access to caller ID “spoofing” technology. Several companies offer caller ID spoofing services, and the tools needed to start your own spoofing operation are freely available online.

Bottom line: make sure you set a PIN to protect your voicemail messages. Even then, it is alarming that a PIN represents the best readily available protection for voicemail, given that dictionary attacks against online passwords have been around for years.


Can The Government Force You To Decrypt Your Laptop To Use As Evidence Against You?

Privacy and data breach notification laws generally provide a safe harbor for lost data that is unusable, unreadable or indecipherable. Encrypting the media on which the data is stored, including portable devices such as laptops, is one way to meet the safe harbor requirements.

But what happens if the government seeks access to encrypted data that may be used against you in court, and you are the only one who can circumvent the encryption? Can you be compelled to provide the data?

Ramona Fricosu is arguing "no". Colorado police seized Fricosu's laptop during a raid, believing it contained evidence. The prosecutors have asked a judge to compel Fricosu to enter the passphrase to decrypt it. Fricosu refuses, citing 5th Amendment protections.

An amicus curiae submitted by the Electronic Frontier Foundation (EFF), a non-profit digital civil liberties organization, states:

“The government makes an aggressive argument here that may have far-reaching consequences for all encryption users. Fricosu will be made a witness against herself if she is forced to supply information that will give prosecutors access to files they speculate will be helpful to their case but cannot identify with any specificity.”

I suspect Fricosu's case will be closely watched. As encryption becomes more common, more people will resist sharing encrypted data.


E-Discovery: The Sedona Conference "JumpStart Outline"

Electronic Discovery is new enough to be foreign to practicing attorneys, and technical enough to be intimidating. Preparing to meet obligations related to data preservation, requests for production, court conferences, and FRCP Rule 26 can be a daunting process.

The Sedona Conference Jumpstart Outline (download here) provides a solid starting point for attorneys who wish to instruct clients about their preservation and production obligations, understand the opposing party's preservation efforts, or tailor discovery requests addressed to the opposing party.

Topics discussed within the outline include:
  • Relevant Document Retention Policies
  • Identifying Key Custodians of Potentially Relevant Information
  • Data Stored on Network Servers
  • Emails and Instant Messages
  • Hard Drives
  • Data on Non-Company Computers
Check out the Sedona Conference website for additional publications detailing current best practices in e-discovery.


E-Commerce in China: Perspective From Chinese Graduate Students

Last year at this time I was in Xian, China as part of an effort to establish a law school exchange program between my law school and Xian Jiaotong University. It was a fascinating trip for a number of reasons (including the famous Terracotta Soldiers), but I was particularly interested in the legal and technical development of a country that has expressed a strong desire to control the flow of information.

Xian, China
During my visit I was invited to speak with a group of graduate students at Xi'an Jiaotong University specializing in Internet security. Both the professor leading the group and his students began the conversation by asking how American consumers protected themselves against e-commerce fraud and online identity theft. It was striking how passionately they spoke on the issue. When I asked what recourse Chinese citizens had if victimized by online fraud or identity theft, the professor stated that websites not handling data properly could be charged under the 7th Amendment to the Criminal Law.

But in reality building a privacy policy off of judicial action would be nearly impossible because China lacks a common law system founded on stare decisis. In its place judges have a great deal of individual latitude to determine outcomes without taking precedent into account. During one morning walk I happened to meet a visiting professor from Wisconsin who had taught summer classes in China for nearly a decade. Upon hearing what I was studying he dryly noted that Chinese law "is still nothing but a theory." Lacking a solid legal foundation, it was no wonder that the Chinese graduate students asked for practical advice on how to protect themselves against fraud.


Implementing EHRs in Rural Communities

Much of the discussion surrounding the HITECH Act's push toward electronic health records has centered around hospitals and health exchanges in larger cities. But rural communities in Minnesota face special implementation challenges as well, according to Minnesota Public Radio.

Rural communities face special challenges, he says. "Financing is an issue. It's not just the hardware and software, but also the implementation process. There will be a productivity loss at first." Among the 102 hospitals counted as rural by the Minnesota Hospital Association in 2009, 59 percent operated with net margins of less than 5 percent, and a quarter were in the red.


TED Talk: Meet e-patient Dave

The talks on TED.com endlessly fascinate me. Here is the latest, released in June of 2011. From the summary:

When Dave deBronkart learned he had a rare and terminal cancer, he turned to a group of fellow patients online -- and found a medical treatment that even his own doctors didn't know. It saved his life. Now he calls on all patients to talk with one another, know their own health data, and make health care better one e-Patient at a time.

If the video doesn't play correctly, you can view it directly at TED.com.


Does HIPAA Apply To ISPs That Transmit Health Information?

In 2009, the HITECH Act expanded HIPAA's reach to include "Business Associates" (BAs) of the health care provider. A BA is defined as "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity."

Under this analysis, are ISPs also governed by HIPAA regulations? It depends, according to Adam Greene and Michael Sloan of the law firm Davis Wright Tremaine. While the Department of Health and Human Services has stated the BA tag does not apply to entities serving as "conduits" by transmitting data from one location to another, Greene and Sloan suggest that ISPs who provide additional services may still reach BA status.

[T]o the extent a telecommunications carrier stores protected health information (PHI) by offering Internet access and related data services, it potentially faces obligations under HIPAA as a business associate. For example, an ISP may provide a limited number of e-mail accounts to all customers. If a small health care provider maintains unencrypted protected health information on an e-mail account where the emails are stored on an ISP’s servers, then this may take the ISP outside of the conduit exception and the ISP may become a business associate of the covered entity.

Greene and Sloan recommend that ISPs:

  • Evaluate whether they are maintaining health information;
  • Determine whether they are a business associate under HIPAA; and
  • Assess whether a HIPAA-specific compliance program is required to meet existing requirements.

Read the whole advisory here.

This reasoning also applies to companies that provide network hardware for health care providers. When connectivity issues occur, these vendors may receive patient data in the form of packet captures (tcpdump output) or the output of other network monitoring tools. According to HHS, if that data qualifies as identifiable PHI, then vendors should secure its transmission and storage.


Minnesota Clerk Denied Unemployment After Being Fired For HIPAA Violation

Last year Debra Girdeen, a file clerk for Fairview Red Wing Health Services, checked in an 81-year-old woman for a mammogram. During the check-in Girdeen improperly accessed the patient's medical information. When first questioned Girdeen declared that she was looking for a mammogram order, but later claimed she was concerned for the patient's well-being because the family member accompanying the patient was a "creep."

Medical Records
Unfortunately for Girdeen this was her third HIPAA violation, and she was fired. Worse still, because she was fired for employment misconduct, Girdeen was also denied unemployment benefits.

On appeal, Girdeen claimed that she should still receive unemployment because she had a good faith belief that she was acting out of concern for the patient. But there is not a vulnerable-adult exception to either Fairview's policy or the HIPAA privacy laws, a fact Girdeen admitted to knowing. The Minnesota Court of Appeals held that "an employee's good-faith belief in the wisdom of her actions is 'irrelevant' when the employee refuses to abide by an employer's reasonable requests."

There was a time when an employee's HIPAA violation carried little enforcement weight, but those days appear to have passed.

(Girdeen v. Fairview Red Wing Health Servs. Corp., Minn. Ct. App., No. A10-1774, unpublished opinion)


Preventing Data Breaches During The Disposal Process

Last month I discussed two encryption standards established by the National Institute of Standards and Technology (NIST): NIST SP 800-111, which covers encrypting data at rest, and NIST SP 800-52, which outlines procedures for encrypting data in motion.

NIST Special Publication 800-88, Guidelines for Media Sanitization, outlines ways to protect sensitive data during the disposal process. Three common methods of securely disposing electronic media containing sensitive information are to clear, purge or destroy the information.

(1) Clearing Information:
Goal: To protect the confidentiality of information against a robust keyboard attack. Must not allow information to be retrieved by data, disk, or file recovery utilities.

Method: Use software or hardware products to overwrite storage space on the media with non-sensitive data, replacing written data with random data.

(2) Purging Information:
Goal: To protect the confidentiality of information against a laboratory attack using nonstandard systems to conduct data recovery attempts on media outside their normal operating environment.

Method: Degaussing (exposing magnetic media to a strong magnetic field) and executing the firmware Secure Erase command (for ATA drives only) are two methods listed by NIST. The degaussing of any hard drive assembly usually destroys the drive as the firmware that manages the device is also destroyed.

(3) Destroying Information:
Goal: The ultimate form of sanitization. After the media is destroyed, it cannot be reused as originally intended.

Method: Physical destruction can be accomplished using a variety of methods, including disintegration, incineration, pulverizing, shredding, and melting.

Keep in mind that NIST 800-88 may be getting a bit long in the tooth, and isn't designed to apply to all media or storage technologies. Still, it provides a useful reminder that sensitive data resides on a wide variety of media, and thinking about the disposal process should be a part of any data protection policy.
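To make the difference between "deleting" and "clearing" concrete, here is an added Python example; it is not code from the original post, from NIST, or from the Greenville recovery story above. It builds a small constructed disk image containing a fake patient record, shows that zeroing only the allocation entry (what a delete or quick format does) leaves the record recoverable by a raw-byte scan of the kind free recovery tools perform, and then applies an SP 800-88-style clear by overwriting every sector, verifying afterwards that nothing sensitive remains. The image layout, sector offsets, record text and the SSN value are all constructed placeholders for the demonstration.

```python
"""Simulate a NIST SP 800-88 'clear' on a disk image and verify it by scanning
raw bytes the way a data-recovery utility would (added example, constructed data)."""
import os
import re
import tempfile

# --- Constructed test data: not real patient information --------------------
SECTOR = 512                       # emulate 512-byte sectors
IMAGE_SECTORS = 128                # a 64 KiB "drive"
RECORD_SECTOR = 40                 # where the sample record is written
SAMPLE_RECORD = (b"PATIENT: Jane Sample\r\n"
                 b"SSN: 123-45-6789\r\n"            # constructed placeholder SSN
                 b"DIAGNOSIS: example only\r\n")

# Patterns a recovery/forensic scan would look for in raw sectors.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
MARKER_RE = re.compile(rb"PATIENT:")


def build_image(path):
    """Create a zero-filled image, write a fake allocation entry in sector 0,
    and drop the sample record at RECORD_SECTOR."""
    with open(path, "wb") as f:
        f.write(b"\x00" * (SECTOR * IMAGE_SECTORS))
        f.seek(0)
        f.write(b"ENTRY record.txt @ %d\n" % RECORD_SECTOR)
        f.seek(RECORD_SECTOR * SECTOR)
        f.write(SAMPLE_RECORD)


def quick_format(path):
    """Zero only sector 0 (the allocation entry). The data sectors are untouched,
    which is why an ordinary delete or quick format is not sanitization."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * SECTOR)


def clear_image(path, chunk=SECTOR):
    """SP 800-88 'clear': overwrite every addressable sector with non-sensitive
    (here random) data. On real media this step is the device's own sanitize
    command or a tool such as shred/dd run against the raw block device."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for off in range(0, size, chunk):
            f.seek(off)
            f.write(os.urandom(min(chunk, size - off)))
        f.flush()
        os.fsync(f.fileno())


def scan_residual(path):
    """Scan raw bytes as a recovery tool does: ignore any file system and
    return (offset, match) pairs for every sensitive pattern found."""
    with open(path, "rb") as f:
        raw = f.read()
    hits = []
    for pat in (MARKER_RE, SSN_RE):
        hits.extend((m.start(), m.group()) for m in pat.finditer(raw))
    return sorted(hits)


def run_demo():
    """Return residual-hit counts for (fresh image, after quick format, after clear)."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        build_image(img)
        before = len(scan_residual(img))        # record and SSN both visible
        quick_format(img)
        after_format = len(scan_residual(img))  # still visible: only sector 0 changed
        clear_image(img)
        after_clear = len(scan_residual(img))   # nothing left to recover
    return before, after_format, after_clear


if __name__ == "__main__":
    fresh, formatted, cleared = run_demo()
    print(f"residual hits: fresh={fresh} quick-format={formatted} cleared={cleared}")
```

The verification step is the part worth keeping: after any sanitization, read the raw device back and scan it for known markers rather than trusting the tool's exit status. Note that overwriting works for the clear case on magnetic media; flash-based drives remap sectors, so for them the purge path the post lists (the firmware sanitize or secure-erase command) is the appropriate method, and the same raw-read verification applies afterwards.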


Lulzsec Sails Away

After claiming responsibility for 50 days of chaos, the hacker group Lulzsec said goodbye this weekend. Lulzsec claimed responsibility for data breaches against PBS, Sony, the Arizona Department of Public Safety and InfraGard of Atlanta, and distributed denial-of-service attacks against government entities such as the U.S. Senate and CIA.

From their goodbye letter:

Our planned 50 day cruise has expired, and we must now sail into the distance, leaving behind - we hope - inspiration, fear, denial, happiness, approval, disapproval, mockery, embarrassment, thoughtfulness, jealousy, hate, even love. If anything, we hope we had a microscopic impact on someone, somewhere. Anywhere.

Just so there is no misunderstanding, I do not condone their actions at all. Writing about their behavior is not an endorsement. But as Ralph Losey points out, they could have done much worse things with the data, things that are being done by groups who aren't announcing their successful breaches to the media. In the end, however, their actions highlighted how lax the attitudes of some entities are toward data protection.

As for Lulzsec's desire to have a "microscopic impact," moving beyond news to satire is a sure sign that they accomplished their goal.


Stuxnet: Anatomy of a Computer Virus

Stuxnet: Anatomy of a Computer Virus from Patrick Clair on Vimeo.

An infographic dissecting the nature and ramifications of Stuxnet, the first weapon made entirely out of code. This was produced for Australian TV program HungryBeast on Australia's ABC1


PCI Mobile Payment Guidelines At Least 10 Months Away

First, a bit of background for those that might be new to PCI:

The PCI Security Standards Council (PCI SSC) was formed in 2006 by five global payment companies: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. These five companies agreed to incorporate the PCI Data Security Standards (PCI DSS), to provide technical and operational requirements for protecting cardholder data. Generally these requirements are not laws, but are enforceable under private contract and stipulated by each card brand. A few states however, including Minnesota, have passed laws that force components of the PCI DSS into law.

But as technology evolves, so must the standards. One major development has been the emergence of mobile payment options. As retailers like Starbucks busily develop their own mobile payment applications, the PCI SSC must now formulate a strategy to deal with the changing environment. According to the website Storefront Backtalk, that evaluation may take a while:

Even if the 10 months estimate is correct—and it certainly sounds reasonable—that’s the earliest point for the guidelines to be released. It will still be many months after that before it would be the law of payment and potentially more months after that before compliant applications are available, not to mention compliance with carriers, handsets, chips, readers and all the other elements of the just-barely-already-defined mobile-payment infrastructure.

In the meantime, retailers are sure to continue developing their mobile payment systems in spite of this uncertainty. Evan Schuman from Storefront Backtalk provides an excellent analysis of the pros and cons related to moving forward without PCI standards in place. It's worth reading the entire article.

UPDATE (6/24): Schuman now reports that there may be an interim fix before the end of summer.

MN Prosecutor’s Facebook Posting Not Enough To Overturn Conviction

An interesting decision was handed down by the Minnesota Court of Appeals on Monday involving whether a prosecutor's Facebook posting is enough to warrant a Schwartz hearing to investigate allegations of juror misconduct.

In February, 2010 Abdulsalam Mohamed Usee was convicted of attempted murder and assault related to a 2008 Minneapolis shooting. On the day the jury was to begin deliberations Usee's defense attorneys learned that Assistant Hennepin County Attorney Gretchen Gray-Larson had made a post on her public Facebook page that discussed one of the jurors and stated that she was 'keep[ing] the streets of Minneapolis safe from the Somalias'. Six days after learning of the comments - and four days after the jury returned the guilty verdicts - Usee moved for a Schwartz hearing, which the trial court denied.

The appellate court affirmed the denial by stating that Usee had not presented evidence that the jurors had been exposed to the comments and thus "did not establish a prima facie case of juror misconduct." The appellate court also noted that because Usee waited six days after learning of the Facebook post to move for a Schwartz hearing - until after the verdict was announced - the district court was prevented from taking any precautionary measures against juror misconduct.

Neither side came off looking good in this case. According to the Star Tribune article, the district court judge called both the prosecution and defense "careless, foolish and unprofessional." If the Facebook posts were as described in court (and the opinion suggests the only evidence of the posts was presented in the form of two defense attorney affidavits), one can only wonder what was going through the mind of the prosecutor. Even in the modern world of social networking, awareness of the ethical consequences of posting anything related to a client matter should be paramount.

State v. Usee, 2011 WL 2437271 (Minn. App. June 20, 2011)


Failed Redactions in PACER: Lawyers Should Pay Attention

PACER is the program used by the federal court system to access case management and case documents that have been either scanned or e-filed. Last month Princeton University's Center for Information Technology Policy (CITP) released an article examining the frequency of redaction failures in PACER.

Building upon Carl Malamud's "groundbreaking" audit that found more than 1600 cases in which litigants submitted documents to PACER with unredacted Social Security numbers, CITP instead sought to determine how many litigants attempted to redact documents submitted to PACER but failed.

While acknowledging that the sample size used in their survey wasn't random, and that their discovery tool may be imperfect, CITP concluded that "thousands, and probably tens of thousands" of documents in PACER existed where the authors failed in their redaction efforts. Among the information their survey pulled from the sample: trade secrets, patient medical information, and the names of witnesses, jurors, and plaintiffs.

Read the entire CITP article here.

For a guide outlining techniques to securely redact documents, check out the NSA's "Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF" published in 2005.


How the Stolen Card Market Works

Walt Conway at PCI DSS News and Information for Higher Education points out a couple of interesting reports on NPR last Friday. Each covers much of the same ground, but they provide some interesting background regarding the market for stolen credit cards. Here are the links:

How to Buy a Stolen Credit Card (NPR, 6/17/2011)

The FBI Agent who Broke the Black Market (NPR, 6/17/2011)

Conway also links to a podcast from PlanetMoney on the dark market and how credit cards get stolen and fenced, summing up the issue in two sentences: "The bad guys are out there. They go for credit cards because (of course) that's where the money is."

Finally I recommend reading Kimberly Kiefer Peretti's 2008 law review article on the topic. Peretti is the former Senior Counsel with the United States Department of Justice's Computer Crime & Intellectual Property Section (CCIPS).


A Friday Satire: Google's Opt Out Feature

Courtesy of The Onion.

(Note: this video is safe for work, but other videos/articles on the site may contain adult language and/or themes.)

Google Opt Out Feature Lets Users Protect Privacy By Moving To Remote Village


LulzSec for Hire?

From PC World:

Have you ever felt so angry at a company that you wished its website was hacked to shreds, but you didn't have the technical expertise required? Here comes LulzSec to the rescue. The marauding hackers, with their huge and growing list of conquests -- including PBS, the FBI and the U.S. Senate, pornography and gaming sites, and most of all, Sony -- opened a hack request line during their latest merry jaunt, Titanic Takeover Tuesday.


"ATTENTION VIRGINIA I have your sh**!"

In April of 2009 a hacker infiltrated the network of the Virginia Department of Health Professions and stole over eight million patient records and 35 million prescriptions. The hacker posted a note on another site which read:

"ATTENTION VIRGINIA I have your sh**! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :("

The note went on to demand $10 million within seven days, after which he threatened to put the information up to the highest bidder. Virginia officials determined they did have a proper backup and did not pay the ransom. However, Virginia notified only the 530,000 individuals whose records were believed to contain social security numbers rather than all eight million patients affected by the breach. That means almost 7.5 million consumers were not alerted to the risk that their medical data may have been compromised.

In one way Virginia officials were lucky. Had the incident occurred just five months later - after HITECH's breach notification rule went into effect - the Virginia Department of Health would have been required to notify all 8.2 million patients of the incident, and incur the associated costs. Those costs aren't trivial: 2011 estimates suggest a data breach costs $214 per compromised record and averages $7.2 million per data breach event.

Under the HITECH Act, covered entities and business associates must follow the data breach notification reporting obligations when there is a breach of unsecured personal health information (PHI). So what does "secured PHI" look like? The DHHS has issued guidance that amounts to a rather narrow window, as there are only two methods identified that would render patient data unusable, unreadable, and indecipherable: encryption and destruction.

Or looking at this another way, covered entities and business associates that would otherwise be obligated to follow HITECH's breach notification requirements have two "safe harbors" available: encrypting or destroying the data prior to the breach.

Image by simonok at www.sxc.hu.


HITECH Act: When Is a Breach Discovered?

In April of 2011, just as Sony's initial data breach affecting 77 million users came to light, the Verizon Risk Team released its 2011 Data Breach Investigations Report. The entire report is worth a read, but here's the fact that should give health care organizations pause: most breaches (86 percent) were discovered by third parties, not by the organization.

What does that mean in terms of the HITECH Act's Breach Notification requirement? Under the Interim Final Rule currently in effect, breach notifications must be made no later than 60 calendar days after the breach was discovered by the covered entity or its business associate.

Ah, but "discovered" can be a tricky term.

Under HITECH, discovery is defined as the first day on which a breach is known or should reasonably have been known by any officer, employee, or agent of the covered entity.

That means that covered entities must engage in due diligence and have reasonable systems for discovery of breaches in place. This likely means not only that a minimum level of technical measures capable of detecting breaches should exist, but also that staff awareness has been raised through proper training on the risks and consequences of privacy violations.

In the past some organizations may have spent a minimal amount of time and resources on HIPAA training, consisting of a conversation once a year or having an employee watch a fifteen-minute video after being hired. Whether those measures would meet the reasonableness standard of discovery set by HITECH is unclear, but I think that organizations that take shortcuts on training indicate a lack of preparedness in other areas. These organizations are not only more likely to experience a data breach, but also more likely to incur much higher costs if a data breach occurs.

TED Talk: Remaking My Voice by Roger Ebert

Sometimes technology lawyers and IT staff become so aware of the risks new technology poses that they forget to enjoy the benefits it provides. But every now and then a reminder filters through.

Roger Ebert is one such reminder. Ebert lost his ability to speak after losing his lower jaw to cancer. Technology has not only made it possible for Ebert to still pursue what he loves - reviewing movies - but also made it possible to communicate with those he loves.



I've been traveling this past week and have just returned home. It's always nice to get away, see new places, or visit with family and friends.

But there's no place like home.


Image by arinas74 at www.sxc.hu.


Question to Technology Attorney Benjamin Wright: Is It Time To Revisit UCC 4A?

I have previously discussed how viruses pose increased risks of electronic fund transfer (EFT) fraud for small businesses that conduct online banking. In those posts I noted that commercial transfers are generally governed by Uniform Commercial Code Article 4A, specifically UCC §§4A-201-204. §4A-202(b) says that all payment orders, authorized or not, will be allowed once a bank and its customer have agreed on a security procedure for their authenticity so long as: (1) the bank's security procedure is "commercially reasonable", and (2) the payment order was accepted by the bank in good faith and in compliance with their agreement with the customer.

This week a Maine District Court tackled the issue of whether a bank who lost customer funds had a "commercially reasonable" security procedure in place. Brian Krebs, who has been in front of this story from the beginning, summarizes the case and the bank's security measures at the heart of the dispute here.

In light of the Maine ruling, I sought the opinion of Benjamin Wright, a long-time technology attorney and author of several books on technology law. In 1993 Mr. Wright wrote an extensive article on the ways UCC 4A balances the interests and risks of the banks with the interests and risks of the business consumer. However, in January of 2010 he posted that he may need to update his views in light of risks related to EFT fraud.
So I asked Mr. Wright his opinion on the following: if the Maine ruling reflects the trend for the future, has UCC 4A's balance shifted too far against business customers?

Mr. Wright was gracious enough to respond with an update (including my actual question, which was much longer) at the bottom of his original post. In short he suggests that it may be time to revisit UCC 4A in order to align it more closely to the modern business banking environment. He also proposes that it may be better to split the loss between the parties according to the degree of negligence by each party.

That seems like a logical solution, though I suspect that determining the standards by which the degree of negligence is calculated will be a painful process indeed.

I strongly encourage you to read the entire article, and thanks to Mr. Wright for his time and thoughtful response.


REMINDER: HITECH Breach Notifications Are Still In Effect

The HITECH Act's Final Rule regarding data breach notification requirements was withdrawn last summer shortly after it was issued, partly due to the controversial harm standard that allowed providers to determine which breaches were serious enough to be reported.

But I have recently encountered some confusion as to whether the data breach notification requirements under the previous Interim Final Rule continue to be in force. The text of the announcement on the Office for Civil Rights (OCR) website states “Until such time as a new final rule is issued, the Interim Final Rule that became effective on September 23, 2009, remains in effect.”

That seemed pretty clear cut to me, but just to be sure I sent an email to the ONC for final verification. The response was swift and unequivocal: the Interim Final Breach Notification Rule is currently in effect. Thank you to the kind people at the ONC for such a prompt and clear response.
So if your organization was under the impression that the withdrawal of the Final Breach Notification Rule meant that breach notification was no longer required under HITECH, I'm sorry to be the bearer of bad news. You may have some work to do.


TED Talk: The Antidote to Apathy

Lately I've gotten the feeling that "breach fatigue" has set in among consumers and businesses alike. How do we combat that kind of apathy in general?

"Professional rabble-rouser" Dave Meslin offers some insights at a recent TED presentation.


The Tornado That Ripped Through Sony

Sony recently announced that the company expects to spend at least $171 million as a result of the massive data breaches that have plagued it since April. As a point of comparison, the damage from last month's tornado that hit Minneapolis has been estimated at $166 million.

There is an analogy in there somewhere.

But unlike the good folks of North Minneapolis, many of whom lost everything, Sony had the ability to prevent the type of damage that resulted in the high costs. The hackers used a simple technique that has been around forever to gain access to the data, and security experts are suggesting that Sony didn't even meet the most basic security requirements such as encrypting user information. As the hackers who claimed responsibility for the attacks asked, "Why do you put such faith in a company that allows itself to become open to these simple attacks?"

Good question. Here's another:

What would the costs be if your organization suffered a data breach? For a quick and dirty estimate, try out the online Data Breach Calculator. If you want to take a more detailed look at the costs associated with data breaches, check out the Ponemon Institute's 2010 U.S. Cost of a Data Breach.


Remembering Liu Xiaobo, Tiananmen Square and Online Censorship


This weekend marks the 22nd anniversary of the Chinese military opening fire on Tiananmen Square protesters. The assault resulted in the deaths of hundreds, possibly thousands. Last year I had the opportunity to spend a few weeks in China - something I'm sure I will talk about in more depth - and gained a new appreciation of not only how far the country has come over the last 20 years but also how different it still remains from the United States. One major difference involves state-sponsored censorship over computer networks, both inside and outside of China's borders.

So as this weekend approaches I'm reminded of Liu Xiaobo, a prominent advocate of political reform and an outspoken critic of the Chinese Communist regime. Liu was among the leaders of the 1989 Tiananmen Square protests.

In late 2009 Liu was sentenced to 11 years in prison for inciting subversion of state power after publishing six articles that ranged from a discussion of the post-Mao regime’s ability to maintain social stability through subtle dictatorial tactics to the government’s role in child slavery. All of Liu’s articles were posted on Web sites inaccessible in China, yet his sentencing specifically cites the number of online clicks registered for each article. Thus, it appears that Liu Xiaobo was convicted for inciting subversion of state power based partly on the number of clicks his articles generated outside of China. (See page 13 of this document).

The international outcry over Liu Xiaobo’s sentence was loud and far-reaching, and in 2010 Liu was awarded the Nobel Peace Prize “for his long and non-violent struggle for fundamental human rights in China.”

He is currently the only Nobel peace laureate still in jail.

For a more current look at the question of online censorship in China and America's role in supplying the technology that makes it possible, read this transcript of the 2010 hearing before the U.S. Congressional-Executive Commission on China: Google and Internet Control in China: A Nexus Between Human Rights and Trade?


Proposed HITECH Accounting of Disclosures Rule Generates Controversy

The HITECH Act, passed in 2009, made available incentive money through Medicare and Medicaid reimbursements for health care providers to adopt and meaningfully use certified electronic health record technology. To ensure patient privacy and protect the integrity of the electronic medical record, HITECH also strengthened existing HIPAA privacy and security regulations in a number of ways. One of these ways was to seek to hold health care providers accountable by providing patients the right to know how their health information has been used or disclosed.

On Tuesday the first rule toward reaching that goal was proposed by the Department of Health and Human Services, and it is generating some controversy. The proposal would grant the patient the right to request an access report, documenting the specific individuals who electronically accessed and viewed their protected health information (PHI). Physical access of PHI would not be covered. The proposed rule also includes a provision that the health care provider or business associate must detail the reason PHI was disclosed to a third party, such as law enforcement, judicial proceedings and public health.

Not everyone is pleased with the proposed rule's requirements. Some are suggesting that in order for many health care providers to comply, the rule effectively mandates implementing new technology and processes that were previously voluntary. Others suggest these steps should have been taken long ago under existing HIPAA rules.

My take: The proposed rule would be a big change for providers that have not taken the protection of patient data seriously. But the impact of the rule reaches far beyond the practices of health care providers, because the HITECH Act also extended HIPAA's scope to include business associates. That means insurance companies, vendors and other third party associates must also be able to account for how they disclose patient data. For organizations that were not governed by HIPAA until 2009, this may represent a significant change in business practice. The one caveat is that the patient rights only apply to PHI maintained in a designated record set as defined in 45 CFR §164.501. Business associates that possess patient data not part of a designated record set need not account for the disclosure.

It will be interesting to see how this plays out. Even if the rule isn't passed as written, health care providers need to take a hard look at the systems in place to protect patient data because this issue isn't going away.

Image credit: kilokilo at www.sxc.hu.

Jim Tressel Reminds Us About the Dangers of Email

Like so many other college football fans across the country, for the last several months I have been closely watching Ohio State's difficulties with the NCAA. Things came to a head on Monday as legendary-but-embattled head coach Jim Tressel's tenure at Ohio State officially came to an end.

For those who don't know the story, Tressel's unraveling began in April of 2010 when former Buckeye Christopher T. Cicero emailed the coach that players were selling memorabilia to Edward Rife, a local tattoo parlor owner who currently faces federal charges of drug trafficking and money laundering. Cicero, an attorney, eventually exchanged 12 emails with Tressel on the topic. If true, the players' behavior would be in violation of NCAA rules.

Then, in September of 2010 Tressel effectively lied to the NCAA by signing a compliance form stating that he knows of no NCAA infractions committed by the Buckeyes. No players were suspended for any part of the 2010 season, but in December of 2010 the U.S. Attorney's Office notified Ohio St. that player memorabilia was found during a raid of Rife's home. Five players were eventually suspended for five games of the 2011 season, but allowed to play in the Sugar Bowl. Before the bowl game Tressel lied again and said the notice from the U.S. Attorney's Office was the first time he had heard of players selling their memorabilia.

He would have gotten away with the lies too, if it weren't for those meddling emails. In January of 2011 the Ohio St. legal affairs department discovered Tressel's email exchanges with Cicero while seeking information in an effort to reduce the players' suspensions.

I am consistently amazed at how people treat their work email as if it were an unrecorded phone conversation. Even people who should know better have forgotten from time to time. So consider this another public reminder that employers and employees alike should understand that emails can be stored for a long time, whether or not they have been deleted from the computer of the sender.

Though social media, smartphones, instant messaging, peer-to-peer networks and other modern communication tools have recently garnered the attention of businesses and HR-types, a good email policy shouldn't be overlooked. Some things to include:

  • Employers' email, Internet and network resources are meant for legitimate business purposes only.
  • Email sent from business computers or while using business networks may not be private.
  • The employer may potentially access or disclose data found on company resources.

There's more of this type of common-sense language that can be included to meet any business environment. These concepts aren't new, and they aren't rocket science. But crises like Ohio State's current predicament can flare up when you least expect them due to long-forgotten emails, so understand your environment before you hit "send".


Baby Steps: FERPA, Student Records and Privacy

Since I began working in technology well over a decade ago, I've seen businesses, health care and even the government take moderate to substantial steps to improve data security and customer/employee privacy.

But one area that has consistently lagged behind has been education. A school district I worked at once had our social security numbers posted on the sign-in sheets. Privacy wasn't even on their radar.

That may be changing, at least as it applies to student records.

The 1974 Family Educational Rights and Privacy Act (FERPA) applies to those that receive funding from the Department of Education. Written with the student in mind, FERPA permits them to inspect or seek to amend their education records, and grants some control over the disclosure of information from those education records.

But I suspect that most schools are not prepared to deal with current privacy issues. That's what makes the events of this past April so interesting. The Department of Education has created a Privacy Technical Assistance Center and issued a series of  "technical assistance briefs".

They also released a Notice of Proposed Rule Making (NPRM) that seeks to achieve the following:
  • Strengthen FERPA's enforcement procedures to ensure that every entity working with personally identifiable information from student education records is using it for authorized purposes only.
  • Schools will be able to implement directory information policies that limit access to student records, preventing marketers or criminals from accessing the data.
  • States can enter into research agreements on behalf of their districts to measure the success of programs, such as early childhood programs that effectively prepare kids for kindergarten.
  • High school administrators can share information on student achievement to track how their graduates perform academically in college.
Lofty goals, but in reviewing the NPRM I saw very little substantive material, certainly nothing that measures up to the more aggressive efforts of the PCI data security standards for merchants processing credit cards, or the evolving HITECH standards designed to protect patient health records.

So while progress is being made, these proposals nonetheless feel like baby steps. The public comment period for the NPRM closed May 23, and a final rule is expected to be issued later this year.

Image credit: nem_youth at www.sxc.hu.

Memorial Day

The phrase "Happy Memorial Day" has never quite rung true to me. Pleasure isn't the emotion I feel when remembering those who have served and sacrificed. So instead let me wish that everyone is able to enjoy quality time with family and friends, and maybe take in a baseball game. What's more American than that?

Image credit: linder6580 at www.sxc.hu.


The First Day of Summer

Memorial Day weekend has always been my "official" first day of summer. It is a weekend for barbecues, family, friends, and maybe fishing.

Here's hoping that it is a good one.

Patience from Triverso on Vimeo.


Audit Shows General Health IT Security Lacking

Wrapping up this week's discussion on encryption, I present a May 17 report from the Department of Health and Human Services Office of the Inspector General (OIG).

The report analyzes specifications published by the Office of the National Coordinator for Health Information Technology (ONC), who is charged with leading the implementation of an interoperable health information technology infrastructure.

The specifications reviewed included both the interim specifications released in January of 2010 and the final rule released in July. With the increased adoption of Electronic Health Records (EHRs), IT security has become more important than ever. But the OIG suggests the ONC's security standards come up short in several key areas, such as:

  • Encrypting mobile devices,
  • Requiring two-factor authentication when remotely accessing an HIT system and
  • Keeping computer systems and their virus scans current.

In my opinion, the OIG's audit is absolutely correct. These are basic IT security considerations (or should be) that need to be factored into any comprehensive security plan.

But implementing such procedures is like herding cats in a thunderstorm . . .

Read More . . .

E-Discovery: Did you know?

This video was first posted in February, 2010 by e-discovery guru Ralph Losey and electronic archivist Jason R. Baron. It might be a little outdated by now because in technology 15 months is a lifetime, but I didn't have a blog then or I'd have been all over it.

Regardless, it is a terrific piece from two of the experts in their field. You can learn more about the origins of the video here:


The Ins and Outs of Encryption

Yesterday I mentioned that encrypting data often is considered a safe harbor when a data breach results in the loss of information that would normally trigger breach notification requirements. Today, we discuss encryption in a little more detail.

Data at Rest and Data in Motion

When considering encryption from a technical perspective, the first step is to determine the environment in which the data exists. For example, data stored on external hard drives, USB sticks, or PDAs would be considered Data at Rest. Securing data at rest may require encrypting the entire medium it resides on, such as a hard drive or USB drive. This is called whole-disk encryption, and is often used on laptops that are checked out of an organization and leave its premises. Alternatively, data at rest may also be secured by encrypting a single folder or file. The appropriate encryption solution varies depending on the environment, the amount of data to be secured and the type of storage device on which it is stored.

If the data needs to be encrypted while crossing a company network or the Internet, it is considered Data in Motion. Data in motion is most often secured by connecting over the SSL (Secure Sockets Layer) protocol or its successor, TLS, recognizable to the end user by the "https://" displayed in the web browser.
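To make "encrypting a single file" concrete, here is an added example, written for this post rather than taken from it or from any NIST publication, of file-level encryption for data at rest using AES-256 in GCM mode from Go's standard library. The function names, the constructed patient record and the key-generation helper are my own choices for illustration; where the key is stored (a hardware token, the OS keychain or a key-management service) is left out, and in practice that is the hard part.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Encrypt seals plaintext under a 32-byte AES-256 key using AES-GCM.
// The returned blob is nonce || ciphertext || tag, so it can be written to
// disk as one file and decrypted later with the same key.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per file: GCM is broken if a nonce repeats under one key.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and the 16-byte authentication tag after the nonce.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It returns an error, and no plaintext at all, if
// the blob was truncated, modified, or encrypted under a different key.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// NewKey draws a fresh 32-byte key from the operating system's random source.
// Storing and protecting this key is assumed to happen elsewhere.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real data.
	record := []byte("Patient: Jane Doe, SSN 000-00-0000 (constructed sample)")
	blob, err := Encrypt(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d plaintext bytes -> %d stored bytes (12-byte nonce + 16-byte tag)\n",
		len(record), len(blob))

	// Flip one stored byte: decryption must refuse, not return garbage.
	blob[len(blob)-1] ^= 0x01
	_, err = Decrypt(key, blob)
	fmt.Println("tampered file rejected:", err != nil)
}
```

The choice of GCM rather than a plain block mode matters for the safe-harbor discussion in the previous post: an authenticated mode means a lost or stolen file reveals nothing without the key, and any alteration of the file is detected on decryption rather than silently producing corrupted records.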

NIST Standards

When considering the implementation of encryption from a legal perspective, your best bet is to start with the standards established by the National Institute of Standards and Technology (NIST):

Data at Rest: NIST 800-111. This publication discusses full disk encryption, virtual disk and volume encryption, and file/folder encryption.

Data in Motion: NIST 800-52.

Check out NIST's site for additional publications, including their recent Cloud Computing Synopsis and Recommendations draft.


Minnesota's Data Breach Notification Law


Earlier this month, President Obama proposed a federal breach notification bill designed to inform those who may be at greater risk of fraud or identity theft due to the loss of personal information. But there is already a breach notification law on Minnesota's books that I suspect is frequently ignored: 325E.61.

The Minnesota law says in part that "any person or business that maintains [personal] data . . . shall notify the owner . . . of any [security] breach . . . immediately following discovery, if the personal information is reasonably believed to have been acquired by an unauthorized person."

So, what exactly is personal information? For the purposes of the statute it is an individual's first name or first initial and last name in combination with:

(1) a Social Security number;
(2) driver's license number or Minnesota identification card number; or
(3) account number or credit or debit card number, in combination with any security code such as a PIN.

There's more to the law, but that's the gist of it.

But 325E.61 does provide a safe harbor: encryption. If the data is encrypted notifications are not required. This has been a common thread among federal and state breach notification requirements, as well as contractual obligations with credit vendors through the PCI-DSS standards.

So encrypt your data, folks. Tomorrow we will talk about what exactly "encryption" means.

Image credit: s-s at www.sxc.hu.



Best wishes to everyone in North Minneapolis, St. Louis Park, and the surrounding areas affected by today's tornado. Some of the scenes I saw on TV and the Internet were heartbreaking. God Bless.



A Funny Friday: CIA's Facebook Program Saves Millions of Dollars

This video from The Onion is a personal favorite. The best part is the text subheading that says "CIA Calls Facebook 'Reason We Invented the Internet.'"

(As a side note, debt collectors are also big fans of Facebook.)

CIA's 'Facebook' Program Dramatically Cut Agency's Costs

P.S., Where Does the Money Go?

A quick note to wrap up last week's posts discussing fraudulent electronic fund transfers . . .

I was talking with a friend who works in network security about the issue. He was outlining ways banking networks could be more secure when he went a little off-topic.

"I wonder what the thieves - especially abroad - are doing with the money," he mused. "Not enough people seem to ask that question. All I ever hear about are the costs involved for the company."

Later, I came across a couple of facts that provide one frightening possibility. Kimberly Kiefer Peretti, former Senior Counsel with the United States Department of Justice's Computer Crime & Intellectual Property Section (CCIPS), discussed the national security implications of credit card breaches in a 2008 law review article. Among her points:

  • In his 280-page autobiography, Imam Samudra, a convicted terrorist in Indonesia, specifically referred to credit card fraud as a means to fund terrorist activities.
  • The 2002 Bali nightclub bombing was funded partly through online credit card fraud.
  • In 2007, a “Terror Webmaster” in Britain used $3.5 million in fraudulent charges to aid jihadi groups in the field.

I'm not an alarmist by nature, but just like credit card breaches, fraudulent EFT transfers would seem to have national security implications. And it turns out that I'm not alone in thinking so: in 2010 FBI special agents were embedded with police forces in Romania, Estonia, and the Netherlands to combat cybercrime.


MN Bill: Job applicant's credit report off limits until interview selection

Minnesota public and private employers would be prohibited from inquiring into "or consider the credit history or score, criminal record, or criminal history of an applicant for employment until the applicant has been selected for an interview by the employer" under a bill (H.F. 1448) introduced April 14.

Nearly half the states in the nation have seen workplace credit report use legislation in their 2011 sessions, but only a handful have passed.

Image credit: darrenk at www.sxc.hu.


Social Media Defamation Lawsuits Multiplying

Social media may have a greater impact on the legal system due to defamation lawsuits, not threats or harassment, according to Vincent Gautrais, who holds the Université de Montréal Chair in e-security and e-business law. This conclusion is based on a recent study examining criminal activity on the Internet, where it was found that 15 percent of all Canadian and U.S. Internet-based rulings were on defamation cases. In France, it’s 49 percent and in Quebec it’s more than 10 percent.

“We often tend to believe that the Internet has increased the risk of threats and harassment, but that isn’t true,” says Gautrais. “It is defamation cases that have increased exponentially with the arrival of social media.”

My take: I have no doubt that defamation cases are on the rise due to social media and other web-based outlets. Those most likely to bring defamation claims, however, aren't the average Joes but businesses and individuals who have the resources to protect their public image. Also, the average Joes might have more trouble proving the legal element of harm necessary to win a defamation claim.

So if Gautrais is suggesting that defamation occurs on the Internet more often than threats and harassment, he has a ways to go before I'm convinced. The threatened and harassed might just choose to respond in a way other than using the legal system.


TED Talk: Redesigning Medical Data

If you have fifteen minutes or so and are interested in health care, watch this basic yet thought-provoking video. From the tagline: Your medical chart: it's hard to access, impossible to read -- and full of information that could make you healthier if you just knew how to use it. At TEDMED, Thomas Goetz looks at medical data, making a bold call to redesign it and get more insight from it.

My perception is that we have an opportunity to address several of these concerns through the movement toward Electronic Health Records. Some question whether a patient having only a partial understanding is worse than one that has no understanding at all, but I'm not among them. The patient/doctor relationship shouldn't be passive, and an informed patient is a critical part of that process.


A Peaceful Friday

We've talked about some technical stuff this week. Time for some beauty.

Have a great weekend, folks.

The Hourglass from Ikepod on Vimeo. Music by Philip Glass.


NIST to release HIPAA toolkit


Health care providers will love to see this contribution from the National Institute of Standards and Technology (NIST). Implementing the security measures necessary to protect the integrity of electronic health records is a MAJOR challenge in the shift toward EHRs. The legal ramifications of unsecured medical data are complex as hospital compliance officers try to handle a horde of state privacy requirements as well as HIPAA and HITECH.

It's a downloadable interactive application that poses a series of questions and offers activities regarding 42 implementation specifications for the HIPAA security rule, says J.P. Chalpin, director of engineering at Exeter. A prototype already includes some 1,000 questions organized in what amount to decision trees that point the user to appropriate issues to resolve.

Much work lies ahead. Just a couple of years ago fewer than 20% of hospitals had any form of EHR in place. That is changing fast, however, and providers need to be aware of the security responsibilities that come with the new format. I'm confident the end result - better sharing and collaboration of data on both individual and aggregate levels - will be worth it.

Businesses, Viruses & Online Banking Pt. II

This is the second of a two-part series discussing how small businesses need to be aware of the threats posed by fraudulent electronic fund transfers (EFTs), and why the banks may not lend a helping hand. To read Part I, click here.

How do cyberthieves get the authentication credentials again?

Victims of online EFT fraud have frequently had their credentials stolen through a virus - often a version of the Zeus trojan - that has infected the computer used to access the business’ online banking system. The infection usually occurs after employees click on a link to an infected website, or open an infected email attachment, delivered through a process known as “phishing.”

Once a victim’s computer is infected, Zeus records the keystrokes used when logging into specified online banking websites. After the user successfully logs in, Zeus may intercept and modify the details of the transaction, initiate a new transaction without the user’s knowledge, or use the network connection to transmit the recorded authentication credentials to the cyberthief.

Who do they target?

Small and medium-sized . . .

Read More . . .

Social Media Law Enforcement Guides

Family law attorneys and prosecutors may find this information particularly useful, but I think it's a fascinating read on its own.

EFF, along with students from the Samuelson Clinic at UC Berkeley, filed suit against a half-dozen government agencies seeking their policies for using social networking sites for investigations, data-collection, and surveillance.

Here are the results of the EFF's efforts.

Image Credit: julosstock at stock.xchng


Businesses, Viruses & Online Banking Pt. I

This weekend Joseph Flanders at Solo in Minneapolis added to his “Starting a Law Firm” series by discussing how to choose a business bank account. His post brought to mind a major topic that I feel still isn’t getting enough attention among small business owners (or the attorneys that advise them): fraudulent electronic funds transfers that result from the theft of the business’ online authentication credentials due to a computer virus.

This is the first of a two-part series discussing how small businesses need to be aware of the risks fraudulent electronic funds transfers pose, and why the banks may not lend a helping hand.

Image credit: frko at stock.xchng

The Scenario:

A medium-sized business discovers that over $800,000 in unauthorized wire transfers was removed from their business account without their knowledge. $600,000 is eventually recovered, but $200,000 remains outstanding. The business claims that evidence in the form of IP addresses logged by the bank shows that the transfer requests were initiated from Europe and sent to accounts in eastern Europe and the former Soviet Union. This behavior was unprecedented and, according to the business, should have raised a red flag with the bank.

The bank, on the other hand, alleges that the business is responsible for the lost funds because the business computer used to initiate online transfers was found to have a virus. This particular virus (the Zeus trojan) intercepted the business’ authentication credentials (username/password), then transmitted that information to foreign cyber-criminals who initiated the fraudulent transfer. Because the computer systems of the business are beyond the bank’s control, the bank argues that the business is solely responsible for the loss.
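The business's argument above is that the bank had the signals to stop these transfers: an unprecedented login location, unprecedented destinations, and amounts out of line with history. Part II describes the other side of the same problem, a trojan that submits or alters transactions inside a legitimate session, which is exactly why the bank cannot rely on the login alone. The following is an added illustration, not the bank's logic or any real bank's system, of how a bank-side review rule can weigh a wire request against what it already knows about the customer. It goes slightly beyond the scenario by also showing the case where only one signal trips (a new vendor), which should not by itself stall legitimate payments. The transfer records, the customer profile, the country codes and the thresholds are all constructed for the example.

```go
package main

import "fmt"

// Transfer is one outbound wire request as the online banking system would
// record it. Constructed fields; not any real bank's schema.
type Transfer struct {
	ID          string
	AmountUSD   float64
	SourceIPCC  string // country code geolocated from the IP that submitted the request
	DestCC      string // country code of the receiving bank
	DestAccount string
}

// Profile is what the bank already knows about this business customer.
type Profile struct {
	HomeCC        string
	WiresAbroad   bool            // has this customer ever sent international wires?
	KnownAccounts map[string]bool // destination accounts paid before
	TypicalMaxUSD float64         // largest wire seen in normal activity
}

// Flags returns the reasons a transfer deviates from the customer's history.
// An empty slice means the request looks routine.
func Flags(tx Transfer, p Profile) []string {
	var reasons []string
	if tx.SourceIPCC != p.HomeCC {
		reasons = append(reasons, fmt.Sprintf("session from %s; customer normally logs in from %s", tx.SourceIPCC, p.HomeCC))
	}
	if tx.DestCC != p.HomeCC && !p.WiresAbroad {
		reasons = append(reasons, fmt.Sprintf("international destination %s; customer has never wired abroad", tx.DestCC))
	}
	if !p.KnownAccounts[tx.DestAccount] {
		reasons = append(reasons, "first payment to account "+tx.DestAccount)
	}
	if tx.AmountUSD > p.TypicalMaxUSD {
		reasons = append(reasons, fmt.Sprintf("amount %.0f exceeds largest prior wire %.0f", tx.AmountUSD, p.TypicalMaxUSD))
	}
	return reasons
}

// Hold reports whether a transfer should be parked for out-of-band
// confirmation (a call to a phone number already on file, not a prompt in the
// same web session, since that session may be under the trojan's control).
// Two independent signals are required so a single new vendor does not hold
// up legitimate payments.
func Hold(tx Transfer, p Profile) bool { return len(Flags(tx, p)) >= 2 }

// Held returns the IDs of the transfers in a batch that should be parked.
func Held(txs []Transfer, p Profile) []string {
	var ids []string
	for _, tx := range txs {
		if Hold(tx, p) {
			ids = append(ids, tx.ID)
		}
	}
	return ids
}

// SampleProfile and SampleTransfers are constructed data modelled loosely on
// the scenario in the post: a domestic business that has never wired abroad.
func SampleProfile() Profile {
	return Profile{
		HomeCC:        "US",
		WiresAbroad:   false,
		KnownAccounts: map[string]bool{"ACCT-PAYROLL-01": true, "ACCT-LANDLORD-02": true},
		TypicalMaxUSD: 60000,
	}
}

func SampleTransfers() []Transfer {
	return []Transfer{
		{ID: "T1", AmountUSD: 45000, SourceIPCC: "US", DestCC: "US", DestAccount: "ACCT-PAYROLL-01"},  // routine payroll
		{ID: "T2", AmountUSD: 180000, SourceIPCC: "DE", DestCC: "UA", DestAccount: "ACCT-NEW-9931"}, // looks like the scenario
		{ID: "T3", AmountUSD: 12000, SourceIPCC: "US", DestCC: "US", DestAccount: "ACCT-VENDOR-77"}, // new vendor only
	}
}

func main() {
	p := SampleProfile()
	for _, tx := range SampleTransfers() {
		fmt.Printf("%s hold=%v\n", tx.ID, Hold(tx, p))
		for _, r := range Flags(tx, p) {
			fmt.Println("   -", r)
		}
	}
}
```

Running it parks T2 (four signals) and lets T1 and T3 through; T3 shows one flag, the new vendor, which is exactly the kind of single deviation a rule like this should tolerate. The point is not the specific thresholds, which any bank would tune from its own history, but that the information the business says "should have raised a red flag" is information a bank already holds.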

Read More . . .

If we spoke a different language, we would perceive a somewhat different world.

Attorneys and technology specialists have more in common than you might think. Both groups spend a great deal of time troubleshooting an existing situation, or planning ways to prevent one from occurring. Both analyze the issue’s boundaries by referencing written standards and searching a vast history of prior cases to provide context. And both communicate in a specialized language filled with lingo that leaves everyone else scratching their head.

Unfortunately, they usually don’t speak the same specialized language.

Read More . . .

Hello, World!

It is traditional within technology circles to test new programs by having them output the phrase “Hello, World” when they successfully run for the first time. Far be it from me to break with tradition:

Hello, World.

Looking around, I see that I am not alone . . .

Read More . . .