Privacy & Security Law Blog

Legal Commentary and Resources for the Payment Industry

Insight & Commentary on Information Management and Protection

Monthly Archives: September 2005

California Court Orders Discovery To Determine Whether Visa and MasterCard Fall Under California’s Data Breach Notification Statute

Posted in Litigation, Policy and Regulatory Positioning

Posted by Min Lee

San Francisco Superior Court Judge Richard Kramer has ordered Visa and MasterCard to disclose the nature of their relationship with CardSystems, the payment processor whose computer systems were breached sometime between August 2004 and May of this year, exposing about 40 million credit and debit accounts to potential abuse. The Judge explained that the information would clarify whether the two credit card companies are subject to the individual notification requirements of California’s data breach statute, California Civil Code § 1798.82, which obligates “[a]ny person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, [to] disclose any breach of the security of the system following discovery … to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” Cal. Civ. Code § 1798.82(a)....

Health Privacy Compromised, But When Is It Okay To Share?

Posted in Healthcare

Posted by Peerapong Tantamjarik

While not involving computer hackers, here’s a story about an old-fashioned invasion of privacy. The Kansas City Star reported on September 28th that a University of Missouri hospital faces a class-action lawsuit after allegedly releasing confidential medical records for hundreds of patients to a company it hired to solicit business. The suit was filed earlier this year on behalf of approximately 800 patients with liver diseases, including hepatitis C. The complaint alleges that records were turned over by University Hospital’s internal medicine chairman to a home health care provider dba Option Care, who then allegedly called the patients in an effort to sell them antiviral drugs and keep them in the hospital network. The Option Care nurse who contacted the patients using the list from the hospital stated that the calls were not for solicitation, but for patient safety....

The Federal Government Updates its Guide to Federal Privacy Act — and It’s Free!

Posted in Policy and Regulatory Positioning

Posted by Tom Burke

Said to be “one of the most widely read congressional committee reports in history,” this manual explains how to use the federal Freedom of Information Act and the federal Privacy Act of 1974 to request records from the federal government. It includes practical forms. One of the most useful items the federal government publishes; last updated in 2003....

Too Many Passwords?

Posted in Cyber and National Security

Posted by Lance Koonce

RSA Security today released the results of a survey of 1700 technology end users in the United States about their password management habits. The results suggest that having to juggle multiple passwords causes users to compensate with risky security techniques such as listing passwords on post-it notes (you know who you are) or on computer spreadsheets, and also creates a drain on productivity by taxing the resources of IT help desks. Corporate requirements of frequent password changes further exacerbate the problem....

Stalemate in the Battle to Protect Against Internet Credit Card Fraud

Posted in Cyber and National Security, Data Protection

Posted by Peter Mucklestone and Stuart Louie

High ranking security experts at both Visa USA Inc. and MasterCard International Inc., two of the world’s largest credit-card associations, have suggested that the struggle to protect against the fraudulent use of credit card and accountholder information has reached a stalemate, and those tasked with enforcement are in danger of losing ground. According to recent data compiled by the F.B.I., in 2004, the incidents of internet-related credit card crimes increased by sixty-six percent (66%) and the average reported loss associated with each such incident tripled to $2,400.00....

Think Your Anonymizer is Foolproof?

Posted in Marketing and Consumer Privacy

Posted by Lance Koonce

Those who rely on anonymizers to surf and transact business on the web may soon have their identities laid bare, if the National Security Agency has anything to say about it. According to World Net Daily, a new patent filed by the NSA,

describes a process based on latency, or time lag between computers exchanging data, of “numerous” known locations on the Internet to build a “network latency topology map” for all users. Identifying the physical location of an individual user, reports CNET News.com, could then be accomplished by measuring how long it takes to connect to an unknown computer from numerous known machines, and using the latency response to display location on a map.

Secret-Decoder Ring Inventors Beware

Posted in Cyber and National Security

Posted by Tom Burke

Inventors of devices that may be of interest to the security-focused federal government might take note of Crater v. Lucent, a recent decision of the Federal Circuit Court of Appeals. The case features a fascinating discussion of the “state secrets privilege,” used in this case to dismiss a civil lawsuit filed by an inventor who, inspired by the symmetrical halves of a tennis ball, created a coupler for connecting pipes without threads or bolted flanges. The problem? The invention had military applications which ultimately led to the dismissal of the inventor’s infringement action on national security grounds. See Kevin Poulsen of Wired, who followed this interesting case....

Secure Flight Will Not Use Commercial Databases

Posted in Policy and Regulatory Positioning

Posted by Brian Bennett

The Transportation Security Administration (“TSA”) has scrapped plans to use commercial data to check the identities of airline passengers in “Secure Flight,” the government’s proposed passenger prescreening system. As envisioned by the TSA, Secure Flight would be used by the government to compare passenger name records against information compiled by the Terrorist Screening Center, including “no fly” lists. The TSA would also use Secure Flight to detect suspicious travel behavior. The TSA intended to use information collected in commercial databases, such as data related to drivers and credit history, to verify the accuracy of information provided by travelers. Shortly after the TSA made the decision not to use commercial data, a working group of experts appointed by the TSA issued a confidential report on September 19, 2005, that criticized the privacy impacts of the Secure Flight program.

Bruce Schneier, who was one of the members of the working group that released the report, further discusses these issues on his blog....

California Court Rules that Personal Notification Not Required in CardSystems Data Breach Case

Posted in Data Protection, Policy and Regulatory Positioning

Posted by K.M. Das

In one of the first tests of the notice provisions of California’s data breach statute — Senate Bill 1386 (codified at California Civil Code § 1798.82) — San Francisco Superior Court Judge Richard Kramer ruled that Visa and MasterCard do not have to send individual notices to thousands of their customers in California based on the CardSystems data breach that occurred between August 2004 and May of this year....

Credit Reporting Companies to Use Coordinated Encryption Standard

Posted in Cyber and National Security

Posted by Lance Koonce

Equifax, Experian and TransUnion announced today that they will each adopt a single standard for protection of data provided to them by financial institutions and merchants, in order to protect the massive quantity of sensitive data that the three companies maintain. Published reports on the coordinated effort state that it will involve “the development and adoption of a data-cloaking code built on encrypted algorithm and 128-bit, secret-key technologies.”...

Verizon Sues Telemarketers for Calling Wireless Customers

Posted in Marketing and Consumer Privacy

Posted by Ronnie London

In what is believed to be a first in the U.S., Verizon Wireless filed two separate lawsuits against telemarketers Intelligent Alternatives and Resort Marketing Trends, alleging that the companies violated the Telephone Consumer Protection Act (“TCPA”) and state law by transmitting automated and/or prerecorded messages to Verizon Wireless customers. The suits, filed in New Jersey (where Verizon is headquartered) and California (where the largest proportion of the calls were received), seek injunctive relief and damages for what the company claims were more than a million calls by Intelligent Alternatives, and more than 200,000 calls by Resort Marketing to Verizon Wireless subscribers....

Court of Appeals Suspends Injunction Lifting Gag Order in National Security Letter Case

Posted in Cyber and National Security

Posted by Randy Gainer

The Hartford Courant reports that The Second Circuit has stayed temporarily the injunction issued by U.S. District Court Judge Janet C. Hall granting a Connecticut library’s motion to enjoin the government from enforcing a gag order permitted under the Patriot Act in connection with National Security Letters. Prior reports here and here....

But the Miami-Dade Cop is a piker compared with Tesco

Posted in Marketing and Consumer Privacy

Posted by Bruce Johnson

From London, Tuesday’s Guardian reports that the supermarket chain Tesco “is quietly building a profile of you, along with every individual in the country – a map of personality, travel habits, shopping preferences and even how charitable and eco-friendly you are. A subsidiary of the supermarket chain has set up a database, called Crucible, that is collating detailed information on every household in the UK, whether they choose to shop at the retailer or not.”...

Cops get ChoicePoint Data?

Posted in Cyber and National Security, Data Protection, Marketing and Consumer Privacy

SiliconValley.com reports that a Miami-Dade County police officer has been relieved of duty and is under investigation for allegedly obtaining unauthorized access to Social Security numbers and other personal data on 4,689 people maintained by ChoicePoint Inc. The company reported that the Secret Service was investigating the matter — at this point, it does not appear that any identity thefts have occurred....

Judge Roberts’ Views on Government Searches & Privacy of Records Issues Are Unknown

Posted in Marketing and Consumer Privacy

Judge Roberts’ impressive performance answering the questions of Senate Judiciary Committee members has left little doubt that he will be confirmed as the next Chief Justice. As one commentator noted, “The only real question about his prospects, it appears, is how many votes he will get from the Democratic senators.”

Much attention has appropriately been given to Judge Roberts’ views on the right to privacy at issue in Roe v. Wade and Griswold v. Connecticut. Little attention has been paid to other important issues, however, such as how he will approach his duties regarding the Foreign Intelligence Surveillance Act court and what his philosophy is regarding police and other government agencies’ searches of individuals’ property....

Wireless Provider Sues Telemarketing Firms

Posted in Litigation, Marketing and Consumer Privacy, Policy and Regulatory Positioning

What can a wireless provider do to stop telemarketers from illegally soliciting their customers? By bringing suit against the telemarketing firms for an injunction and monetary damages in the Superior Court in Sacramento, CA and the Superior Court in Somerville, NJ, Verizon Wireless claims that it is “standing up once again for customer privacy rights”....

Caveat Inventor

Posted in Marketing and Consumer Privacy

Note to all US patent holders: pay your maintenance fees if you value the privacy of your financial information. A recent investigative report (Patent Office Rules Allow Simple Access to Tax, Financial Data, 108 Tax Notes 1079 (Sept. 5, 2005)) reveals that patent holders who fall behind on fee payments with the U.S. Patent and Trademark Office (PTO), and then request a waiver of their payment obligations, may be asked to submit private information to validate claims of financial hardship. While the PTO claims that it never asks for or requires sensitive information, such as Social Security or account numbers, delinquent patent holders may unwittingly submit such information, which then could find its way to the publicly-available patent files. No legislative fix is imminent, but privacy advocates are investigating the issue further, and IRS Commissioner Don Alexander has urged members of the Bush cabinet to push for remedial action.

Posted by Merrill Baumann

Connecticut Judge Bars Enforcement of NSL Gag Order

Posted in Cyber and National Security

On Friday, September 9, U.S. District Court Judge Janet C. Hall granted a Connecticut member of the American Library Association’s motion for a preliminary injunction. Her ruling enjoined the government from enforcing the part of 28 U.S.C. 2709(c) that prevents the library association from revealing its identity as an organization that received a National Security Letter (NSL) from the FBI in August. The ACLU, which is both a co-plaintiff with the library organization and represents it, hailed the judge’s decision, stating “the court has recognized that gagging our client from participating in the Patriot Act debate violates the First Amendment and is profoundly undemocratic.” The ACLU’s press release is available here....

What Does Sarbanes-Oxley Have To Do With Information Security?

Posted in Cyber and National Security, Policy and Regulatory Positioning

Although it has a high profile in corporate America, the Sarbanes-Oxley Act has not been at the center of discussions about the need for corporations to adopt appropriate information security measures. However, a recent article in the August 29th, 2005 issue of the National Law Journal by well-known Chicago trade secrets lawyer R. Mark Halligan persuasively suggests that “… directors and top managers must become actively involved with intellectual asset management and information security, to avoid both civil and criminal liability under Sarbanes-Oxley and shareholder derivative suits for the breach of the fiduciary duty to adequately protect intellectual property assets,” and that this represents a “sea change” in the law....