Spears Legal Technology


This blog is a resource guide for informational purposes only, and not the delivery of legal, technical or other professional advice. Using the information provided on this blog does not constitute an attorney-client relationship. If you need legal advice, please consult your lawyer.

Expectation of Privacy Regarding Emails Among Business Co-Owners

Citing a test to measure an employee's expectation of privacy in email on an employer's server, a Minnesota court held that a co-owner of a limited liability company had a reasonable expectation of privacy for personal email on the company's server because he had divided his email account into personal and business files.

You can read more about the case


Personal Information Recovered From Wiped Hard Drive

Using software freely available on the Internet, two computer professionals explained how they recovered sensitive patient information, including Social Security numbers, from hard disk drives “professionally” wiped and discarded by a hospital.

Watch this WYFF Channel 4 Greenville-Spartanburg news video. (Or here.)

For effective data security, businesses and consumers should shred old hard-disk drives when discarding them. Look to NIST SP 800-88 for more specific recommendations.



Borders' Customer Data Will Not Disappear With The Company


With all the attention on the closing of the almost 400 remaining Borders stores, the chain's IT jewel—purchase history and other CRM data on tens of millions of its customers—is still to be sold to the highest bidder. When that happens, any privacy promises Borders made to loyalty-program customers are out the window.



It Is Too Easy To "Hack" Into Another Person's Voicemail Account

In light of the phone-hacking scandal currently dominating U.K. headlines, Brian Krebs offers insight into the methods used to access another person's voicemail. He also conducts his own test, targeting the voicemail account associated with his wife's iPhone.

For years, it has been a poorly-kept secret that some of the world’s largest wireless providers rely on caller ID information to verify that a call to check voicemail is made from the account holder’s mobile phone. Unfortunately, this means that if you haven’t set up your voicemail account to require a PIN for access, your messages may be vulnerable to snooping by anyone who has access to caller ID “spoofing” technology. Several companies offer caller ID spoofing services, and the tools needed to start your own spoofing operation are freely available online.

Bottom line: make sure you set a PIN to protect your voice mail messages. Even then, the thought that a PIN represents the best, easily available security regarding voicemail messages is alarming. Dictionary attacks targeting online passwords have been around for years.


Can The Government Force You To Decrypt Your Laptop To Use As Evidence Against You?

Privacy and data breach notification laws generally provide a safe harbor for lost data that is unusable, unreadable or indecipherable. Encrypting the media on which the data is stored, including portable devices such as laptops, is one way to meet the safe harbor requirements.

But what happens if the government seeks access to encrypted data that may be used against you in court, and you are the only one who can circumvent the encryption? Can you be compelled to provide the data?

Ramona Fricosu is arguing "no". Colorado police seized Fricosu's laptop during a raid, believing it contained evidence. The prosecutors have asked a judge to compel Fricosu to enter the passphrase to decrypt it. Fricosu refuses, citing 5th Amendment protections.

An amicus curiae brief submitted by the Electronic Frontier Foundation (EFF), a non-profit digital civil liberties organization, states:

“The government makes an aggressive argument here that may have far-reaching consequences for all encryption users. Fricosu will be made a witness against herself if she is forced to supply information that will give prosecutors access to files they speculate will be helpful to their case but cannot identify with any specificity.”

I suspect Fricosu's case will be closely watched. As encryption becomes more common, more people will resist sharing encrypted data.


E-Commerce in China: Perspective From Chinese Graduate Students

Last year at this time I was in Xian, China as part of an effort to establish a law school exchange program between my law school and Xian Jiaotong University. It was a fascinating trip for a number of reasons (including the famous Terracotta Soldiers), but I was particularly interested in the legal and technical development of a country that has expressed a strong desire to control the flow of information.

Xian, China
During my visit I was invited to speak with a group of graduate students at Xi'an Jiaotong University specializing in Internet security. Both the professor leading the group and his students began the conversation by asking how American consumers protected themselves against e-commerce fraud and online identity theft. It was striking how passionately they spoke on the issue. When I asked what recourse Chinese citizens had if victimized by online fraud or identity theft, the professor stated that websites not handling data properly could be charged under the 7th Amendment to Criminal Law.

But in reality, building a privacy policy on judicial action would be nearly impossible because China lacks a common law system founded on stare decisis. In its place, judges have a great deal of individual latitude to determine outcomes without taking precedent into account. During one morning walk I happened to meet a visiting professor from Wisconsin who had taught summer classes in China for nearly a decade. Upon hearing what I was studying, he dryly noted that Chinese law "is still nothing but a theory." Lacking a solid legal foundation, it was no wonder that the Chinese graduate students asked for practical advice on how to protect themselves against fraud.


Does HIPAA Apply To ISPs That Transmit Health Information?

In 2009, the HITECH Act expanded HIPAA's reach to include "Business Associates" (BAs) of the health care provider. A BA is defined as "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity."

Under this analysis, are ISPs also governed by HIPAA regulations? It depends, according to Adam Greene and Michael Sloan of the law firm Davis Wright Tremaine. While the Department of Health and Human Services has stated that the BA tag does not apply to entities serving as "conduits" by transmitting data from one location to another, Greene and Sloan suggest that ISPs that provide additional services may still reach BA status.

[T]o the extent a telecommunications carrier stores protected health information (PHI) by offering Internet access and related data services, it potentially faces obligations under HIPAA as a business associate. For example, an ISP may provide a limited number of e-mail accounts to all customers. If a small health care provider maintains unencrypted protected health information on an e-mail account where the emails are stored on an ISP’s servers, then this may take the ISP outside of the conduit exception and the ISP may become a business associate of the covered entity.

Greene and Sloan recommend that ISPs:

  • Evaluate whether they are maintaining health information;
  • Determine whether they are a business associate under HIPAA; and
  • Assess whether a HIPAA-specific compliance program is required to meet existing requirements.

Read the whole advisory here.

This reasoning also applies to companies that provide network hardware for health care providers. When connectivity issues occur, these vendors may receive patient data in the form of tcpdump captures or output from other network monitoring tools. According to HHS, if that data qualifies as identifiable PHI, then the vendors should secure its transmission and storage.


Preventing Data Breaches During The Disposal Process

Last month I discussed two encryption standards established by the National Institute of Standards and Technology (NIST): NIST SP 800-111, which covers encrypting Data at Rest, and NIST SP 800-52, which outlines procedures for encrypting Data in Motion.

NIST Special Publication 800-88, Guidelines for Media Sanitization, outlines ways to protect sensitive data during the disposal process. Three common methods of securely disposing of electronic media containing sensitive information are to clear, purge or destroy the information.

(1) Clearing Information:
Goal: To protect the confidentiality of information against a robust keyboard attack. Clearing must not allow information to be retrieved by data, disk, or file recovery utilities.

Method: Use software or hardware products to overwrite storage space on the media with non-sensitive data, replacing written data with random data.

(2) Purging Information:
Goal: To protect the confidentiality of information against a laboratory attack using nonstandard systems to conduct data recovery attempts on media outside their normal operating environment.

Method: Degaussing (exposing magnetic media to a strong magnetic field) and executing the firmware Secure Erase command (for ATA drives only) are two methods listed by NIST. The degaussing of any hard drive assembly usually destroys the drive as the firmware that manages the device is also destroyed.

(3) Destroying Information:
Goal: The ultimate form of sanitization. After the media is destroyed, it cannot be reused as originally intended.

Method: Physical destruction can be accomplished using a variety of methods, including disintegration, incineration, pulverizing, shredding, and melting.

Keep in mind that NIST 800-88 may be getting a bit long in the tooth, and isn't designed to apply to all media or storage technologies. Still, it provides a useful reminder that sensitive data resides on a wide variety of media, and thinking about the disposal process should be a part of any data protection policy.
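As an added illustration of the "clear" method at file granularity (example code written for this post, not from NIST or any of the sources above): overwrite a file's bytes in place with random data, flush to disk, and verify that a known sensitive pattern no longer reads back before the file is removed. The sample patient record is constructed, and the approach assumes the filesystem overwrites blocks in place; journaling, copy-on-write filesystems and flash media with wear leveling do not guarantee that, which is why the purge and destroy methods above exist.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # bytes of random data written per iteration

# Caveat: file-level overwriting only sanitizes media that rewrites the same
# physical blocks. SSDs (wear leveling), copy-on-write and journaling
# filesystems may keep the old blocks, so there NIST's purge/destroy apply.


def overwrite_in_place(path: str, passes: int = 1) -> int:
    """Replace every byte of an existing file with random data, in place.

    Opening with "r+b" reuses the existing file rather than creating a new
    one, and fsync pushes the random data out of the page cache to storage.
    Returns the file size in bytes.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            left = size
            while left > 0:
                n = min(CHUNK, left)
                fh.write(secrets.token_bytes(n))
                left -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def file_contains(path: str, needle: bytes) -> bool:
    """Read the file back and report whether a byte pattern survives."""
    with open(path, "rb") as fh:
        return needle in fh.read()


def clear_and_verify(path: str, needle: bytes) -> bool:
    """Overwrite, verify the known-sensitive pattern is gone, then unlink.

    The file is removed only after verification succeeds, so a failed
    overwrite leaves evidence for the operator instead of a silent gap.
    """
    overwrite_in_place(path)
    if file_contains(path, needle):
        return False
    os.remove(path)
    return True


def demo() -> dict:
    """Constructed sample: a fake patient record with a placeholder SSN."""
    record = b"PATIENT: Jane Doe\nSSN: 000-00-0000\nDIAGNOSIS: example\n" * 200
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(record)
    before = file_contains(path, b"000-00-0000")  # True: data is present
    size = os.path.getsize(path)
    cleared = clear_and_verify(path, b"000-00-0000")
    return {"before": before, "size": size, "cleared": cleared,
            "removed": not os.path.exists(path)}
```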


Lulzsec Sails Away

After claiming responsibility for 50 days of chaos, the hacker group Lulzsec said goodbye this weekend. Lulzsec claimed responsibility for data breaches against PBS, Sony, the Arizona Department of Public Safety and InfraGard of Atlanta, and distributed denial-of-service attacks against government entities such as the U.S. Senate and CIA.

From their goodbye letter:

Our planned 50 day cruise has expired, and we must now sail into the distance, leaving behind - we hope - inspiration, fear, denial, happiness, approval, disapproval, mockery, embarrassment, thoughtfulness, jealousy, hate, even love. If anything, we hope we had a microscopic impact on someone, somewhere. Anywhere.

Just so there is no misunderstanding, I do not condone their actions at all. Writing about their behavior is not an endorsement. But as Ralph Losey points out, they could have done much worse things with the data, things that are being done by groups who aren't announcing their successful breaches to the media. In the end, however, their actions highlighted how lax the attitudes of some entities are toward data protection.

As for Lulzsec's desire to have a "microscopic impact," moving beyond news to satire is a sure sign that they accomplished their goal.


PCI Mobile Payment Guidelines At Least 10 Months Away

First, a bit of background for those that might be new to PCI:

The PCI Security Standards Council (PCI SSC) was formed in 2006 by five global payment companies: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. These five companies agreed to adopt the PCI Data Security Standard (PCI DSS), which provides technical and operational requirements for protecting cardholder data. Generally these requirements are not laws, but they are enforceable under private contract and stipulated by each card brand. A few states, however, including Minnesota, have passed laws that write components of the PCI DSS into statute.

But as technology evolves, so must the standards. One major development has been the emergence of mobile payment options. As retailers like Starbucks busily develop their own mobile payment applications, the PCI SSC must now formulate a strategy to deal with the changing environment. According to the website Storefront Backtalk, that evaluation may take a while:

Even if the 10 months estimate is correct—and it certainly sounds reasonable—that’s the earliest point for the guidelines to be released. It will still be many months after that before it would be the law of payment and potentially more months after that before compliant applications are available, not to mention compliance with carriers, handsets, chips, readers and all the other elements of the just-barely-already-defined mobile-payment infrastructure.

In the meantime, retailers are sure to continue developing their mobile payment systems in spite of this uncertainty. Evan Schuman from Storefront Backtalk provides an excellent analysis of the pros and cons related to moving forward without PCI standards in place. It's worth reading the entire article.

UPDATE (6/24): Schuman now reports that there may be an interim fix before the end of summer.

How the Stolen Card Market Works

Walt Conway at PCI DSS News and Information for Higher Education points out a couple of interesting reports on NPR last Friday. Each covers much of the same ground, but they provide some interesting background regarding the market for stolen credit cards. Here are the links:

How to Buy a Stolen Credit Card (NPR, 6/17/2011)

The FBI Agent who Broke the Black Market (NPR, 6/17/2011)

Conway also links to a podcast from PlanetMoney on the dark market and how credit cards get stolen and fenced, summing up the issue in two sentences: "The bad guys are out there. They go for credit cards because (of course) that's where the money is."

Finally I recommend reading Kimberly Kiefer Peretti's 2008 law review article on the topic. Peretti is the former Senior Counsel with the United States Department of Justice's Computer Crime & Intellectual Property Section (CCIPS).


The Tornado That Ripped Through Sony

Sony recently announced that the company expects to spend at least $171 million as a result of the massive data breaches that have plagued it since April. As a point of comparison, the damage from last month's tornado that hit Minneapolis has been estimated at $166 million.

There is an analogy in there somewhere.

But unlike the good folks of North Minneapolis, many of whom lost everything, Sony had the ability to prevent the type of damage that resulted in the high costs. The hackers used a simple technique that has been around forever to gain access to the data, and security experts are suggesting that Sony didn't even meet the most basic security requirements such as encrypting user information. As the hackers who claimed responsibility for the attacks asked, "Why do you put such faith in a company that allows itself to become open to these simple attacks?"

Good question. Here's another:

What would the costs be if your organization suffered a data breach? For a quick and dirty estimate, try out the online Data Breach Calculator. If you want to take a more detailed look at the costs associated with data breaches, check out the Ponemon Institute's 2010 U.S. Cost of a Data Breach.


Proposed HITECH Accounting of Disclosures Rule Generates Controversy

The HITECH Act, passed in 2009, made available incentive money through Medicare and Medicaid reimbursements for health care providers to adopt and meaningfully use certified electronic health record technology. To ensure patient privacy and protect the integrity of the electronic medical record, HITECH also strengthened existing HIPAA privacy and security regulations in a number of ways. One of these ways was to seek to hold health care providers accountable by providing patients the right to know how their health information has been used or disclosed.

On Tuesday the first rule toward reaching that goal was proposed by the Department of Health and Human Services, and it is generating some controversy. The proposal would grant the patient the right to request an access report documenting the specific individuals who electronically accessed and viewed their protected health information (PHI). Physical access to PHI would not be covered. The proposed rule also includes a provision that the health care provider or business associate must detail the reason PHI was disclosed to a third party, such as law enforcement, judicial proceedings and public health.

Not everyone is pleased with the proposed rule's requirements. Some are suggesting that in order for many health care providers to comply, the rule effectively mandates implementing new technology and processes that were previously voluntary. Others suggest these steps should have been taken long ago under existing HIPAA rules.

My take: The proposed rule would be a big change for providers that have not taken the protection of patient data seriously. But the impact of the rule reaches far beyond the practices of health care providers, because the HITECH Act also extended HIPAA's scope to include business associates. That means insurance companies, vendors and other third party associates must also be able to account for how they disclose patient data. For organizations that were not governed by HIPAA until 2009, this may represent a significant change in business practice. The one caveat is that the patient rights only apply to PHI maintained in a designated record set as defined in 45 CFR §164.501. Business associates that possess patient data not part of a designated record set need not account for the disclosure.

It will be interesting to see how this plays out. Even if the rule isn't passed as written, health care providers need to take a hard look at the systems in place to protect patient data because this issue isn't going away.

Image credit: kilokilo at www.sxc.hu.

Baby Steps: FERPA, Student Records and Privacy

Since I began working in technology well over a decade ago, I've seen businesses, health care and even the government take moderate to substantial steps to improve data security and customer/employee privacy.

But one area that has consistently lagged behind has been education. A school district I worked at once had our social security numbers posted on the sign-in sheets. Privacy wasn't even on their radar.

That may be changing, at least as it applies to student records.

The 1974 Family Education Rights and Privacy Act (FERPA) applies to those that receive funding from the Department of Education. Written with the student in mind, FERPA permits them to inspect or seek to amend their education records, and grants some control over the disclosure of information from those education records.

But I suspect that most schools are not prepared to deal with current privacy issues. That's what makes the events of this past April so interesting. The Department of Education has created a Privacy Technical Assistance Center and issued a series of "technical assistance briefs".

They also released a Notice of Proposed Rule Making (NPRM) that seeks to achieve the following:
  • Strengthen FERPA's enforcement procedures to ensure that every entity working with personally identifiable information from student education records is using it for authorized purposes only.
  • Schools will be able to implement directory information policies that limit access to student records, preventing marketers or criminals from accessing the data.
  • States can enter into research agreements on behalf of their districts to measure the success of programs, such as early childhood programs that effectively prepare kids for kindergarten.
  • High school administrators can share information on student achievement to track how their graduates perform academically in college.
Lofty goals, but in reviewing the NPRM I saw very little substantive material, certainly nothing that measures up to the more aggressive efforts of the PCI data security standards for merchants processing credit cards, or the evolving HITECH standards designed to protect patient health records.

So while progress is being made, these proposals nonetheless feel like baby steps. The public comment period for the NPRM closed May 23, and a final rule is expected to be issued later this year.

Image credit: nem_youth at www.sxc.hu.

Audit Shows General Health IT Security Lacking

Wrapping up this week's discussion on encryption, I present a May 17 report from the Department of Health and Human Services Office of the Inspector General (OIG).

The report analyzes specifications published by the Office of the National Coordinator for Health Information Technology (ONC), which is charged with leading the implementation of an interoperable health information technology infrastructure.

The specifications reviewed included both the interim specifications released in January of 2010 and the final rule released in July. With the increased adoption of Electronic Health Records (EHRs), IT security has become more important than ever. But the OIG suggests the ONC's security standards come up short in several key areas, such as:

  • Encrypting mobile devices,
  • Requiring two-factor authentication when remotely accessing an HIT system and
  • Keeping computer systems and their virus scans current.

In my opinion, the OIG's audit is absolutely correct. These are basic IT security considerations (or should be) that need to be factored into any comprehensive security plan.

But implementing such procedures is like herding cats in a thunderstorm . . .


The Ins and Outs of Encryption

Yesterday I mentioned that encrypting data often is considered a safe harbor when a data breach results in the loss of information that would normally trigger breach notification requirements. Today, we discuss encryption in a little more detail.

Data at Rest and Data in Motion

When considering encryption from a technical perspective, the first step is to determine the environment in which the data exists. For example, data stored on external hard drives, USB sticks, or PDAs is considered Data at Rest. Securing data at rest may require encrypting the entire medium it resides on, such as a hard drive or USB drive. This is called whole-disk encryption, and it is often used on laptops that leave the organization's premises. Alternatively, data at rest may be secured by encrypting a single folder or file. The appropriate encryption solution varies with the environment, the amount of data to be secured and the type of storage device on which it is stored.

If the data needs to be protected while it travels over a company network or the Internet, it is considered Data in Motion. Data in motion is most often secured by connecting over SSL (Secure Sockets Layer) or its successor TLS, recognizable to the end user by the "https://" displayed in the web browser.

NIST Standards

When considering the implementation of encryption from a legal perspective, your best bet is to start with the standards established by the National Institute of Standards and Technology (NIST):

Data at Rest: NIST 800-111. This publication discusses full disk encryption, virtual disk and volume encryption, and file/folder encryption.

Data in Motion: NIST 800-52.

Check out NIST's site for additional publications, including their recent Cloud Computing Synopsis and Recommendations draft.


Minnesota's Data Breach Notification Law


Earlier this month, President Obama proposed a federal breach notification bill designed to inform those who may be at greater risk of fraud or identity theft due to the loss of personal information. But there is already a breach notification law on Minnesota's books that I suspect is frequently ignored: 325E.61.

The Minnesota law says in part that "any person or business that maintains [personal] data . . . shall notify the owner . . . of any [security] breach . . . immediately following discovery, if the personal information is reasonably believed to have been acquired by an unauthorized person."

So, what exactly is personal information? For the purposes of the statute it is an individual's first name or first initial and last name in combination with:

(1) a Social Security number;
(2) driver's license number or Minnesota identification card number; or
(3) account number or credit or debit card number, in combination with any security code such as a PIN.

There's more to the law, but that's the gist of it.

But 325E.61 does provide a safe harbor: encryption. If the data is encrypted, notifications are not required. This has been a common thread among federal and state breach notification requirements, as well as contractual obligations with card brands through the PCI DSS standard.
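To make the definition of personal information above and the encryption safe harbor concrete, here is an added example (written for this post, not taken from the statute or any source it cites) that scopes a set of exposed records against the three data-element categories quoted above. The field names and sample records are constructed, and the logic follows only the statute text as quoted here.

```python
# Breach-scoping check modelled on the definition quoted above: a record is
# "personal information" when a name element is combined with at least one
# of the listed identifier elements. Field names and sample data are
# constructed for this example and are not the statute's own terms.

NAME_FIELDS = ("first_name", "first_initial")
NUMBER_FIELDS = ("account_number", "credit_card_number", "debit_card_number")


def _present(rec: dict, key: str) -> bool:
    value = rec.get(key)
    return value is not None and str(value).strip() != ""


def has_name_element(rec: dict) -> bool:
    """First name or first initial, in combination with last name."""
    return any(_present(rec, k) for k in NAME_FIELDS) and _present(rec, "last_name")


def triggering_elements(rec: dict) -> list:
    """Which identifier categories (1)-(3) the record satisfies."""
    hits = []
    if _present(rec, "ssn"):
        hits.append("(1) Social Security number")
    if _present(rec, "drivers_license") or _present(rec, "mn_id_card"):
        hits.append("(2) driver's license or MN identification card number")
    # Category (3): an account or card number counts only together with a
    # security code such as a PIN; a bare card number does not trigger it.
    if any(_present(rec, k) for k in NUMBER_FIELDS) and _present(rec, "security_code"):
        hits.append("(3) account or card number with security code")
    return hits


def is_personal_information(rec: dict) -> bool:
    return has_name_element(rec) and bool(triggering_elements(rec))


def notification_required(rec: dict, encrypted: bool, acquired: bool) -> bool:
    """Notify when personal information is reasonably believed to have been
    acquired by an unauthorized person; encrypted data is the safe harbor."""
    if encrypted:
        return False
    return acquired and is_personal_information(rec)


def scope_breach(records: list, encrypted: bool, acquired: bool = True) -> dict:
    """Summarise which exposed records trigger notification, and why."""
    triggered = [i for i, r in enumerate(records)
                 if notification_required(r, encrypted, acquired)]
    return {"total": len(records), "notify": triggered,
            "reasons": {i: triggering_elements(records[i]) for i in triggered}}


# Constructed sample of exposed records (placeholder values, no real people).
SAMPLE_RECORDS = [
    {"first_name": "Jane", "last_name": "Doe", "ssn": "000-00-0000"},
    {"first_initial": "J", "last_name": "Roe", "credit_card_number": "4000000000000000"},
    {"first_initial": "J", "last_name": "Roe", "credit_card_number": "4000000000000000",
     "security_code": "1234"},
    {"first_name": "Pat", "ssn": "000-00-0001"},  # identifier but no last name
    {"first_name": "Sam", "last_name": "Poe", "email": "sam@example.com"},
]
```

Running scope_breach(SAMPLE_RECORDS, encrypted=False) flags only the first and third records; with encrypted=True nothing is flagged.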

So encrypt your data, folks. Tomorrow we will talk about what exactly "encryption" means.

Image credit: s-s at www.sxc.hu.


MN Bill: Job applicant's credit report off limits until interview selection

Minnesota public and private employers would be prohibited from inquiring into "or consider the credit history or score, criminal record, or criminal history of an applicant for employment until the applicant has been selected for an interview by the employer." under a bill (H.F. 1448) introduced April 14.

Nearly half the states in the nation have seen workplace credit report use legislation in their 2011 sessions, but only a handful have passed.

Image credit: darrenk at www.sxc.hu.


Social Media Law Enforcement Guides

Family law attorneys and prosecutors may find this information particularly useful, but I think it's a fascinating read on its own.

EFF, along with students from the Samuelson Clinic at UC Berkeley, filed suit against a half-dozen government agencies seeking their policies for using social networking sites for investigations, data-collection, and surveillance.

Here are the results of the EFF's efforts.

Image Credit: julosstock at stock.xchng