Federal Bank and Thrift Regulatory Agencies Publish Guide to Help Financial Institutions Comply with Information Security Guidelines

Posted by Peter Mucklestone and Stuart Louie

The federal bank and thrift regulatory agencies recently announced the publication of a compliance guide for the Interagency Guidelines Establishing Information Security Standards (the "Security Guidelines"). The Security Guidelines (i) implement section 501(b) of the Gramm-Leach-Bliley Act (GLB Act) and section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) and (ii) establish standards relating to administrative, technical, and physical safeguards to ensure the security, confidentiality, integrity and the proper disposal of customer information. The Small-Entity Compliance Guide (the "Compliance Guide") is intended to help financial institutions comply with the Security Guidelines by summarizing the obligations of financial institutions to protect customer information and by illustrating how certain provisions of the Security Guidelines apply to specific situations.


Groups Encourage the Department of Health and Human Services to Adopt More Stringent Standards for Parent Locator Services Databases

Posted by K.M. Das

The Electronic Privacy Information Center ("EPIC"), the Privacy Rights Clearinghouse (PRC), and the World Privacy Forum (collectively "Groups") have filed comments with the Department of Health and Human Services (HHS) encouraging HHS to adopt more stringent standards to control access to and accuracy of State Parent Locator Service ("PLS") databases. The Groups filed their comments in response to HHS's notice of proposed rulemaking ("NPRM") on the issue of "State Parent Locator Service; Safeguarding Child Support Information" (70 Fed. Reg. 60038 (Oct. 14, 2005)).


Keyloggers May Be "Klogging" Security Efforts

Posted by Peerapong Tantamjarik

While probably old hat to espionage experts, the latest Newsweek had a brief article on the increasing prevalence of "keylogging" software programs, up 65% from 2004. Essentially, keylogging programs (I like the term "kloggers") are software programs designed to silently record each keystroke as the user types in information. So you can imagine how confidential information can be stolen if one's computer has a "klogger" on it. Through the software, even entering passwords or confidential information on legitimate websites may be prone to theft. Kloggers can also be physically installed on the computer and keyboard, but this would require physical access to the computer space. Klogging software can be installed legitimately through system administrators' or parents' access so they can monitor the keyboard activities of the computer users. Kloggers can also be maliciously installed through viruses, trojan horses, spyware - all the good stuff (and you thought phishing was annoying!). A good site for more information on keylogging, including anti-keylogging solutions, can be found here. Maybe we'll see an uptick in digital plumbers to deal with these unwanted "klogs."

Is Canada Trying to Opt Out of the Patriot Act?

Posted by Brian Bennett

In response to concerns that the FBI can access sensitive Canadian data that the Canadian government provides to U.S. firms, a Canadian government proposal would allow Canadian government departments to cancel contracts with U.S. firms that give information about Canadians to the FBI. Draft guidelines say that the FBI can get access through U.S. firms or their affiliates to data located in Canada. Even if the Canadian government canceled a contract, though, that may not stop the U.S. government from obtaining the Canadian data. Such a cancellation could leave a firm with the choice of breaking U.S. or Canadian law, so unless Canadian law imposes severe penalties, a firm may decide it is less costly to comply with U.S. law.

FCC Commences Rulemaking to Implement Junk Fax Prevention Act of 2005

Posted by Ronald London

The recent adoption of an Order and Notice of Proposed Rulemaking ("NPRM") by the Federal Communications Commission to implement the Junk Fax Prevention Act of 2005 appears to drive the final nail into the coffin of the abortive FCC effort to tighten its "junk fax" rules by eliminating the exception for faxes to recipients with whom the sender has an "established business relationship," i.e., an "EBR." The action is the first step toward realization of Congress's reversal of an FCC decision that critics said would undermine, among other things, the vitality of faxes as a business-to-business tool and as a means for associations to communicate with their members. In the most immediate term, the significance of the FCC's action is that the Order indefinitely suspends the effectiveness of a rule the FCC adopted in 2003 (which has been stayed since its adoption and thus never has taken effect) to require prior written consent for all unsolicited fax advertisements.


This Just In! Lawyers are not "Financial Institutions" and Congress has not Hidden any Elephants in a Mousehole!

Posted by Bruce Johnson

On December 6, 2005, the United States Court of Appeals for the District of Columbia Circuit affirmed the ruling of the U.S. District Court for the District of Columbia that lawyers who are merely practicing law are not subject to the privacy provisions of the Gramm-Leach-Bliley Act ("GLB"). The D.C. Circuit agreed with the district court's conclusion that the Federal Trade Commission's (FTC) attempt to regulate the practice of law under the Act fell outside its statutory authority.


"30,000 People on the Government's "No Fly" List Can't Be Right"

Posted by Thomas R. Burke

If 30,000 airline passengers since last November have taken the time to complain about mistakenly being tagged as a "terrorist" -- literally tens of thousands of others must have also been mistakenly labeled. The TSA admitted this week that some 30,000 passengers have complained because their names have mistakenly been matched with names on federal watch lists, including the government's infamous "no fly" list.


Patriot Act Amendments Fail to Address Data Mining

Posted by Randy Gainer

The compromise announced December 8, 2005 by members of the conference committee working to reconcile the Senate and House versions of the Patriot Act amendments has been criticized by members of Congress and others. See, e.g., here. One significant failure of the legislation that has not gotten much attention is its failure to regulate -- or even require reports about -- federal data mining projects.


Virtual Sweat Shops

Posted by Lance Koonce

Although a bit far afield from your typical privacy and security issues, this blog continues to track the evolution of massively multiplayer online role-playing games (MMORPGs) and in particular the startlingly real economies that have developed within and around them, because we believe that in some cases these virtual communities are test beds for next-generation security issues. Some of those issues have already reared their head in the MMORPG worlds; see our previous entries here and here.


The Evolution of Ex-Bush Cabinet Member Put on Hold

Posted by Steve Chung

If your puppy is missing, the microchip your vet implanted may save Spot from the fate of unwanted pets everywhere. But if it's a former Bush cabinet member that winds up at the pound....

President Bush's former Secretary of Health and Human Services, Tommy Thompson, publicly advocated that all U.S. citizens should receive RFID implants, a glass-encapsulated chip that is injected into human flesh for the purpose of instant retrieval of information about a person's identity, medical history and other important data. "It's very beneficial and it's going to be extremely helpful and it's a giant step forward to getting what we call an electronic medical record for all Americans," he told CBS MarketWatch in July. Hoping to inspire potential recipients to dream about the implants' countless benefits, Thompson speculated that the chips "will prevent babies from being picked up by the wrong people in a maternity ward and make sure people in nursing homes don't walk away."


CDC Proposes Significant Changes to Its Ability to Track and Quarantine Passengers

Posted by K.M. Das

The Center for Disease Control ("CDC") is expected to post the first round of comments in response to its Notice of Proposed Rule Making ("NPRM") relating to the Control of Communicable Diseases on Tuesday, December 6, 2005. "The intent of the proposed updates to 42 CFR Parts 70 and 71 is to clarify and strengthen existing procedures to enable CDC to respond more effectively to current and potential communicable disease threats." (see here).


Many Consumers Believe Online Banking to be Too Risky

Posted by Peter Mucklestone and Stuart Louie

Despite significant improvements by banks and regulators in both (i) educating consumers about fraudulent phishing, pharming, spyware and key logging schemes and (ii) developing technologies and procedures to defend against such practices, consumers still believe that online banking may be too risky. Susanna Montezemolo, a policy analyst at Consumers Union, appreciates the concerns of these consumers, noting that, "Consumers can do everything right -- not give out passwords or financial information -- and still become victims."


Lawsuits, Lost Sales and Lessons: Fallout From the Sony DRM/Rootkit Disaster

Posted by Brian Wong

Sony BMG Music Entertainment's (Sony) woes resulting from its XCP digital rights management (DRM) software continue. New York Attorney General Eliot Spitzer announced on November 23, 2005, that his investigation found that several major music retailers in New York and online continue to sell Sony music CDs that contain XCP software. He deemed it "unacceptable that more than three weeks after this serious vulnerability was revealed, these same CDs are still on shelves." Spitzer urged consumers not to buy the affected CDs, or, if they do, not to play them on their computers, and said consumers who have bought them should seek refunds. He noted that Sony has asked its distributors to make refunds available regardless whether the package has been opened.
