iPhone Jailbreaking Exempted from DMCA Prohibitions

The Digital Millennium Copyright Act (DMCA) at 17 U.S.C. §1201(a) prohibits the circumvention of technological protection measures used by copyright owners to prevent copying. However, subsection (a)(1)(C) allows the United States Copyright Office every three years to exempt certain classes of copyrighted works from the circumvention prohibition if the prohibition is likely to adversely affect users in their ability to make noninfringing uses of those particular classes of works.

The Librarian of Congress, James H. Billington, on July 26 announced six new or more specifically defined classes of works to be exempted from the DMCA’s prohibition against circumvention of access-control technologies. “Persons who circumvent access controls in order to engage in noninfringing uses of works in these six classes will not be subject to the statutory prohibition against circumvention,” Billington said.

The six classes of works are:

(1) Motion pictures on DVDs that are lawfully made and acquired and that are protected by a content scrambling system when circumvention is accomplished solely in order to accomplish the incorporation of short portions of motion pictures into new works for the purpose of criticism or comment, and where the person engaging in circumvention believes and has reasonable grounds for believing that circumvention is necessary to fulfill the purpose of the use in the following instances: (i) educational uses by college and university professors and by college and university film and media studies students; (ii) documentary filmmaking; and (iii) noncommercial videos.

(2) Computer programs that enable wireless telephone handsets to execute software applications, where circumvention is accomplished for the sole purpose of enabling interoperability of such applications, when they have been lawfully obtained, with computer programs on the telephone handset.

(3) Computer programs, in the form of firmware or software, that enable used wireless telephone handsets to connect to a wireless telecommunications network, when circumvention is initiated by the owner of the copy of the computer program solely in order to connect to a wireless telecommunications network and access to the network is authorized by the operator of the network.

(4) Video games accessible on personal computers and protected by technological protection measures that control access to lawfully obtained works, when circumvention is accomplished solely for the purpose of good faith testing for, investigating, or correcting security flaws or vulnerabilities, if: (i) the information derived from the security testing is used primarily to promote the security of the owner or operator of a computer, computer system, or computer network; and (ii) the information derived from the security testing is used or maintained in a manner that does not facilitate copyright infringement or a violation of applicable law.

(5) Computer programs protected by dongles [Wikipedia explanation here] that prevent access due to malfunction or damage and which are obsolete. A dongle shall be considered obsolete if it is no longer manufactured or if a replacement or repair is no longer reasonably available in the commercial marketplace; and

(6) Literary works distributed in e-book format when all existing e-book editions of the work (including digital text editions made available by authorized entities) contain access controls that prevent the enabling either of the book's read-aloud function or of screen readers that render the text into a specialized format.

It is the second of the above classes which removes copyright law prohibitions against “jailbreaking”, so long as the jailbreaking is done for the purpose of engaging in noninfringing uses. Jailbreaking is a process that allows iPhone users to run third-party code on their devices by unlocking the operating system and giving the user root access. Once jailbroken, iPhone users are able to download applications which are not available through Apple’s App Store (and which, therefore, have not been approved by Apple). It should be noted that, as reported by Jay Yarow in the San Francisco Chronicle, Apple CEO Steve Jobs claimed at the unveiling of the iPhone 4 that Apple approves 95% of the apps it sees within 7 days.

Though jailbreaking is no longer prohibited under the DMCA's circumvention prohibitions, such activity, as Apple has previously stated, could amount to a breach of the phone owner's end user license agreement, could nullify the product warranty, could result in Apple denying service for the product, and, according to Apple, could result in "instability, disruption of services, and compromised security." Given these potential negative consequences and the fact that Apple had apparently not actively pursued jailbreakers even prior to this decision, it remains to be seen what practical effect the decision will have for consumers.

HHS Withdrawing Breach Notification Final Rule - Temporarily

The Department of Health and Human Services (HHS) announced yesterday that it was temporarily withdrawing the breach notification final rule from review by the Office of Management and Budget (OMB) to allow HHS further time to consider these regulations. The breach notification rule, among other things, requires covered entities to notify individuals whose protected health information (as defined by HIPAA) has been compromised or breached. HHS's explanation for the withdrawal was that breach notification was "a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur." HHS stated that it intends to publish a final rule in the coming months.

Data Breach Incidents on the Rise

This week, the Identity Theft Resource Center released its 2010 data breach statistics report for data breaches through June 22, 2010. According to this weekly report, 2010 has already seen 325 reported data breaches exposing approximately 8.3 million records. Considering that the 2009 report shows 498 reported data breaches for all of last year, it looks like 2010 will see an increase in overall data breaches.

Companies collecting personal information should take proactive measures to avoid data breaches. Proactive measures include maintaining an up-to-date security policy, safeguarding sensitive data, encrypting data, turning on and monitoring system logs, and restricting access to only those who need it. (See our previous post for an example of why security implementations should be kept up to date.)

It is also important to have a response plan in place before a data breach occurs. A response plan should include means of investigating the data breach, notifying those whose records or information are potentially affected, addressing legal concerns, addressing public relations concerns, making other required notifications (such as those described here), and ensuring the data breach is not ongoing or recurring.

FBI Issues Warning Regarding Denial of Service Attacks

Is your phone ringing off the hook? Then you’d better check your bank account. According to the Federal Bureau of Investigation, a new “telephone denial-of-service” attack is combining high-tech and low-tech fraud techniques to steal money from the bank accounts of unsuspecting victims.

As reported in the alert issued by the FBI, the scam begins with the suspect obtaining a victim’s personal and banking information, perhaps including bank account numbers, PINs, and passwords. Scammers can obtain a victim’s personal and banking information in a variety of ways, such as through phishing emails, social engineering tactics, or malware surreptitiously installed on a person’s computer.

Once the scammers have the victim’s personal information, they begin tying up the victim’s telephone line by using automated resources to place hundreds or thousands of calls to the victim’s telephone, much as a distributed denial-of-service attack aimed at a computer network overwhelms a computer with requests for information, slowing or disabling the network.

While the victim is busy dealing with the onslaught of telephone calls, the scammers quickly drain the victim’s bank account, using the previously obtained personal and banking information to gain access to the account. If the banking institution calls its customer to verify the transactions, it finds the victim’s telephone line busy. In some cases, scammers are brazen enough to change a victim’s contact information listed with the bank. As a result, calls from a bank to verify fraudulent transactions are redirected to the scammers. According to the FBI, “[b]y the time the victim or the financial institution realize what happens, it’s too late.”

Although the FBI did not disclose how much money it believes to have been stolen in this matter, it highlighted the case of a Florida dentist who lost $400,000 from his retirement account through such a scam. Based on the Bureau’s alert, it appears that such crimes will continue to increase in frequency.

Ultimately, the telephone calls serve as a diversion to occupy the victim and a barrier to prevent a bank from verifying the authenticity of fraudulent transactions. If you believe you have been targeted in such a scam, or if you believe you have been the victim of any other online fraud, visit the Internet Crime Complaint Center for resources and guidance.

HHS Requests Information on TPO Accounting of Disclosures

The Office of Civil Rights for the Department of Health and Human Services (HHS) recently requested comments related to its upcoming rulemaking under the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009. HITECH expands the current HIPAA Privacy Rule requirement that a covered entity provide individuals with a right to receive an accounting of certain disclosures of the individual's protected health information to certain parties. Currently, under HIPAA, a covered entity is not obligated to provide an accounting of disclosures if such disclosures were in furtherance of treatment, payment, or health care operations (TPO). HITECH eliminated these exemptions by requiring covered entities to account for TPO disclosures if such disclosures are made through an electronic health record.

Endorsement Guides Create Concerns for More Than Just Bloggers

Bloggers have been buzzing since the Federal Trade Commission (FTC) updated its Guides Concerning Use of Endorsements and Testimonials in Advertising (“Guides”) to cover “consumer generated media” such as blogs and other Internet media forms (16 C.F.R. Part 255). The changes are the first update to the Guides since 1980; the Guides are intended to offer guidance on compliance with 15 USC § 45 (“Unfair methods of competition unlawful; prevention by Commission”). While the FTC describes the Guides as providing “the basis for voluntary compliance with the law by advertisers and endorsers”, the Guides could form the basis for an enforcement action by the FTC, and noncompliance may result in a civil penalty of up to $10,000 per violation.

In the interest of providing consumers with full disclosure, the updated Guides require bloggers to disclose any “material connection[s]” they have with producers of any products that they “endorse” on their blogs. A “material connection” includes not only monetary compensation, but also any free good received by the blogger—even if that good was provided unsolicited, with no conditions attached, for the purpose of allowing the blogger to review the product. Under the Guides, “endorsers” and companies must fully disclose any connection between “the endorser and the seller of the advertised product that might materially affect the weight or credibility of the endorsement.” In an effort to further explain the intent behind the Guides, the FTC has provided 35 example fact patterns in the Guides, and even an instructional video.

Much of the recent media attention to the updated Guides has addressed the required disclosure by bloggers who write about products after receiving free samples of the product or other financial benefits from the product manufacturers. Companies, however, should also be aware of the recommendations and examples set forth in the Guides, and how the Guides might apply in at least two modern contexts: (1) with respect to a company’s interactions with bloggers, and (2) with respect to a company’s own social media or other customer-interactive online presence.

New Privacy Bill Could Have Big Impact on Online Commerce

On Tuesday, May 4, a new privacy bill, known as the Boucher-Stearns Bill, was released by Representative Rick Boucher, Democrat of Virginia, and Representative Cliff Stearns, Republican of Florida. If the bill were to become law, it would represent a dramatic shift in U.S. privacy governance. To date, privacy regulation in the U.S. has generally fallen along industry lines, such as (i) HIPAA's regulation of a hospital's use of medical information or (ii) Gramm Leach Bliley's regulation of a bank's use of an individual's financial information. The Boucher-Stearns Bill represents the first non-industry-specific federal privacy law, moving American regulation of personal information closer to that of the European Union and other countries. The impact on businesses and online commerce would be significant, adding broad-based constraints on how businesses collect, use, and disclose information related to individuals.

In general, the Boucher-Stearns Bill, among other things, (i) requires businesses to provide notice and receive consent from individuals prior to the collection of various pieces of information from such individuals, (ii) obligates businesses to establish reasonable procedures to assure the accuracy, privacy, and security of information collected, and (iii) empowers the Federal Trade Commission to implement regulations to enforce the bill's provisions.

A few of the bill's key provisions are highlighted below:

Written Description and Enablement Separate Requirements

On March 22, in Ariad Pharmaceuticals v. Eli Lilly & Co., No. 2008-1248, an en banc panel of the U.S. Court of Appeals for the Federal Circuit reaffirmed that § 112, ¶ 1 contains a written description requirement that is separate and distinct from the enablement requirement. The court ruled that the asserted claims of U.S. Patent No. 6,410,516 (the ‘516 patent) are invalid for failure to meet the statutory written description requirement.

Security Breach Results in Fine Despite Prior Security Measures

In January 2008, the Davidson Companies, a financial services holding company, announced that a database containing current and past customer records had been hacked during a SQL injection attack. On April 14, 2010—more than two years after the network intrusion—the Financial Industry Regulatory Authority (FINRA) fined the company $375,000 for the breach.

Compliance (Might Be?) Required: The Continuing Saga of the Identity Theft Red Flag Rules

It was November 1, 2007 when federal banking regulators and the Federal Trade Commission (FTC) jointly issued final rules under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). These rules established for the first time the requirements for identity theft prevention programs implemented by financial institutions and other “creditors.” Those final rules were set to go into effect one year later, on November 1, 2008. As to all financial institutions regulated by the federal banking regulatory agencies (the Federal Reserve Board, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, Office of Thrift Supervision, and the National Credit Union Administration), those final rules became effective and enforceable as planned. For other “creditors” governed by the FTC, however, enforcement has been a long tale of hurry-up-and-wait.
