State Data Breach Laws: Mississippi Makes 46

July 1, 2011

Mississippi’s data breach law, enacted in 2010, comes into effect today (July 1, 2011), and brings to 46 the number of U.S. states that have data breach notification laws in effect.  The District of Columbia, Puerto Rico and the U.S. Virgin Islands also have such laws.  The only states that remain without data breach notification laws are Alabama, Kentucky, New Mexico and South Dakota.

Mississippi’s statute on the matter is similar to that of most of the other states that address data breaches.  Notification is required if there is a covered data breach by an entity or person doing business in the state, with exceptions for encrypted data or an incident that has been reasonably determined after an appropriate investigation to not be likely to result in harm to the affected individuals.

You Know Cloud Security Is An Issue When . . .

July 1, 2011

It’s not often that matters that fall into the techy-wonk category make the editorial page of the NY Times.  So, it’s noteworthy that the lead editorial in yesterday’s Times expressed many of the commonly cited security and privacy concerns and risks associated with cloud computing.   The commentary was by no means of the doom-and-gloom variety and could be viewed as both a validator that the cloud is now just about as mainstream as any technology phenomenon — if the recent fanfare around Apple’s announcement of iCloud or the seemingly ubiquitous “Cloud with Confidence”  commercials by Cisco, among many other things, hasn’t already made that evident — and a harbinger of even more regulatory focus on ensuring online privacy and security, which has been simmering now for quite a while.   

Photo Credit: Mammatus Storm Clouds, by Derrich, Wikimedia Commons

PCI DSS Guidelines Issued for Virtualized Environments, including Cloud Computing

June 22, 2011

As the business and consumer worlds migrate their activities to the cloud, it’s logical that participants in the payment cards ecosystem are also part of that inexorable movement toward all things cloud.  Relevant legal rules and industry best practices standards are still catching up to this shift.  In keeping with this, after ruminating on related considerations for some time, the PCI Security Standards Council last week issued a supplement to its PCI Data Security Standard focused on the peculiar risks associated with virtualized computing environments and resources, including cloud computing.  Not surprisingly, the general rule of thumb is that if a security feature is required in a non-virtual computing environment, that feature is also required in the virtual environment.  However, the PCI document, entitled Information Supplement: PCI DSS Virtualization Guidelines, recognizes that assessing and addressing the security risks posed by virtualization technologies presents more daunting challenges than is the case with non-virtual resources.

While there is good discussion within the Guidelines about many technologies, I found the cloud computing discussion most interesting.    The Guidelines recognize that each cloud service needs to be evaluated for its specific security and processing attributes in relation to PCI DSS compliance.  However, because of the generally comprehensive functions performed by many SaaS cloud providers as opposed to user organizations, the Guidelines make clear that greater PCI compliance burdens will likely be the responsibility of the cloud service provider and, as a result, the Guidelines outline a variety of matters for which a cloud services user should seek assurance from the provider. 


More Alphabet Soup for Internal Controls: SSAE 16, SOC 1, SOC 2 and SOC 3

June 9, 2011

Starting June 15, 2011, audits of the internal controls of a service provider for several key service areas will be based on a new audit standard, SSAE 16, promulgated by the American Institute of Certified Public Accountants (AICPA) rather than the currently prevailing SAS 70 standard, which was originally introduced in 1992.  Along with this new standard are new associated report standards — Service Organization Control (SOC) Reports, of which there are three:  SOC 1, SOC 2 and SOC 3.


The increased attention in recent years given to an organization’s internal controls has somewhat naturally extended to the internal controls of service providers and support partners.  This is based partly on the simple notion that any given control environment is only as strong as its weakest link, so validation of controls implemented by significant service providers makes sense.  Where confirmation of a service provider’s controls has been sought, it has long been customary to request a SAS 70 report from the service provider.  SAS 70 is principally a standard that allows an auditor to confirm that its clients’ service providers have adequate controls in place to the extent those controls have an impact on client financial statements.  While SAS 70 is not truly focused on specific controls or on whether controls can be said to have been effective over a stated period, in the absence of anything more tailored the SAS 70 report was made to do double duty as a rough proxy for service provider security controls.  SSAE 16 and the new SOC reports were specifically intended to address this shortcoming.

Social Media and Debt Collectors

May 23, 2011

Under the Fair Debt Collection Practices Act (FDCPA), debt collectors are restricted in the manner in which they may seek to collect a debt.  Among those restrictions are strict limits on communications with debtors and a prohibition on deception in those communications.  An article on the use of social media by debt collectors that I read last week in the American Banker (article access may require a subscription), which does a pretty good job covering technology issues related to the financial and payments industry, focused my attention on this topic as an example of how business practices involving social media raise questions about what should be allowed.

If we think of social media applications as simply variations of other communications tools, there should not be much difficulty in analyzing whether the FDCPA rules apply to social media when used by debt collectors — generally speaking, the rules should apply.  Yet, the extent to which the FDCPA limits social media use by debt collectors is an open issue in some circles.  So much so that, as the American Banker article mentioned above reports, a court in Florida recently issued an order restraining a debt collector from contacting a debtor via Facebook.  As another example, a story on The Consumerist website reports a particularly interesting and extensive use of Facebook by a debt collection agency to friend unsuspecting debtors and thereby collect information that might otherwise not be available to the collectors.

Expect the states and the FTC to step into what appears to be something of a void — putting aside whether it should even be regarded as that.  On April 28, the FTC held a day-long public workshop entitled “Debt Collection 2.0:  Protecting Consumers As Technologies Change”, for which the period to submit additional public comments runs through May 27.   Given all this, it is likely that the FTC will either recommend a regulatory framework or step up its own enforcement actions based on its authority to investigate unfair and deceptive trade practices.

Graphics Credit: Terinea IT Support on Flickr

NIST Releases Cloud Computing Security and Privacy Guidelines

March 15, 2011

In January of this year the National Institute of Standards and Technology (NIST) released two draft publications that both provide additional useful information for a better understanding of the issues raised by cloud computing.

The NIST Definition of Cloud Computing (Special Pub. No. 800-145) sets forth five essential characteristics that define cloud computing, which are:

  • On-Demand Self-Service
  • Broad Network Access
  • Resource Pooling
  • Rapid Elasticity
  • Measured Service

Three principal cloud service models are also described: (i) Software as a Service (SaaS), (ii) Platform as a Service (PaaS), and (iii) Infrastructure as a Service (IaaS).  Because the term “cloud computing” is used so loosely to refer to many variations on the central characteristics, these definitions should assist businesses and other organizations to have more meaningful discussions with organizational stakeholders and service providers about cloud services.

The NIST Guidelines on Security and Privacy in Public Cloud Computing (Special Pub. No. 800-144) provides a useful overview and discussion of key security and privacy concerns.  Although this document is written as a set of guidelines for public procurement officials and managers involved with technology implementation, many of the considerations identified in the Guidelines are equally applicable to businesses.   Particularly helpful are the contract negotiation aspects sprinkled throughout the discussion.

FTC Proposes New Privacy Framework

February 3, 2011

In December 2010, the Federal Trade Commission issued an extensive staff report outlining a proposed new framework for consumer privacy protections for use by businesses.  The report, a copy of which is available here, results from an extensive review and a series of public roundtables conducted by the FTC over the past year on evolving privacy issues.

The framework contemplates three core principles: (i) so-called “privacy by design”, which requires an organization to promote sound privacy practices throughout all aspects of its operations and product or service offerings, (ii) simplified consumer choice, and (iii) greater transparency about data practices.  The report is also useful in providing extensive background on the FTC’s enforcement activities in the privacy area.

Because the FTC plans to sort through the public comments solicited on the report (the comment deadline was recently extended from January 31 to February 18) and to decide later in 2011 what further recommendations it might make based on that feedback, it is too early to assess whether the proposed framework will, in fact, result in a notable shift in the FTC’s approach to enforcement of offline and online privacy practices.

Workplace Communications and Employee Privacy Rights: Stengart v. Loving Care Agency and City of Ontario v. Quon

April 25, 2010

Consider this typical scenario:  an employer makes available to its employees computer and other communications devices to enable its employees to perform their roles for the employer.  The company adopts a broad computer use policy, which sets forth restrictions on the use of the employer’s equipment for non-company business, including a right by the company to review communications that pass through the company’s computer network.  Are there (or should there be) any exceptions to the employer’s right to review the communications made through mobile communications devices?  Or stated another way, when does an employee have a reasonable expectation of privacy with respect to such communications?  In the past month there were two notable case developments wrestling with these very issues.

Stengart v. Loving Care Agency

In Stengart v. Loving Care Agency, A-16, Sept. Term 2009 (N.J. Mar. 30, 2010), the New Jersey Supreme Court addressed the issue of whether an employee who used a company-issued laptop computer to access an e-mail account maintained with a third party e-mail service (a Yahoo e-mail account) had a reasonable expectation of privacy with respect to communications she had with her attorney.  The court answered that question in the affirmative.  The plaintiff, Ms. Stengart, anticipated filing a claim against her employer, the Loving Care Agency, prior to her resignation from the company and engaged a lawyer to review potential claims that she might bring against her employer.  She filed an employment discrimination claim shortly after her departure, and her employer hired a forensics expert to record all files contained on the laptop she had been using.  Among the files recovered were hard disk copies of numerous messages between Ms. Stengart and her legal counsel, which the company’s counsel used in preparing its defense of the company and disclosed only in response to routine discovery requests in the case.

In evaluating the contrary positions of employee and employer, the New Jersey Supreme Court engaged in a thorough analysis of the developing case law of employee privacy with respect to workplace communications, including, in passing, considerations under the Fourth Amendment to the U.S. Constitution, which addresses the individual right to be free from unreasonable governmental searches.  The opinion is worth reading for this discussion alone.  What seemed most relevant to the court, perhaps because it was looking for a narrow ground upon which to decide the case, were two facts:  (i) the communications at issue were subject to the attorney-client privilege, which could not be considered under these facts (particularly with attorney-client privilege notices posted in each e-mail) to have been waived, and (ii) the employer’s policy did not directly address use of third party e-mail accounts in any way.  The court seemed to suggest that but for the attorney-client privilege issue an employee might not have a reasonable expectation of privacy in a non-work-related personal e-mail account merely because an employer’s computer was used to access the e-mail account over the Internet.

City of Ontario v. Quon

On April 19, 2010, the U.S. Supreme Court heard oral arguments in City of Ontario v. Quon (08-1332), a case in which some of the salient facts resemble those in the Stengart case.  In Quon, a SWAT team sergeant in the city of Ontario, California, used a text pager issued by the police force to send numerous personal messages, including many that were of a sexual nature.  As in Stengart, the city, as the employer, had a broad electronic communication policy prohibiting usage of city-issued communications devices for personal use.  However, the policy was not clear about whether pagers were covered, and when an official announced that they were, the official also noted that so long as any personal usage was paid for by the individual officer, such uses would not be reviewed to determine whether they were personal, leaving it unclear whether the city was more concerned with the issue of cost than with personal pager usage.  A subsequent audit of Sergeant Quon’s messages revealed that his usage was in violation of the city’s policy both because of the personal use and because of the sexual nature of his messages.  Quon and several of the message recipients subsequently sued the city for a violation of their rights.

Just as in Stengart, the principal issue was whether the individual officer and those with whom he communicated using the pager had a reasonable expectation of privacy in the messages sent through the pager.  Because the employer is a city government, the issue of Fourth Amendment coverage was invoked.  Although the trial court found for the city, the U.S. Court of Appeals for the Ninth Circuit found for Quon and the other plaintiffs on the grounds that the city’s policy had in effect been countermanded or modified by the contrary statements made by the police official who first announced that pager use would now be within the scope of the city’s communications policy.

It is almost always difficult to discern case outcomes from the tenor of oral arguments in the Supreme Court.  The Justices appear to enjoy the opportunity to engage in as much devil’s-advocate-type questioning as you will see in any court.  However, reading the transcript of the oral arguments, it is fair to note that counsel for Quon and the other plaintiffs had a greater challenge keeping their arguments and responses consistent throughout the questioning.

The Takeaway

Both Stengart and Quon provide good examples of how the law frequently has to race to keep up with technology.  It is likely that the Supreme Court’s eventual decision in Quon will have implications beyond the government employment context and will be instructive to private employers as well.  However, regardless of how the Court decides that case, the situations presented by both these cases should cause employers and employees alike to pause and exercise even greater care with respect to workplace communications and how they interact in that arena.  An employer should reexamine its policies to ensure they are sufficiently broad to cover the types of communications used by its employees and that these policies are not unintentionally undermined by those speaking out of school.  Employees should also be cautious about their expectations of privacy in the face of such broad business communications policies and exercise an extra degree of common sense in such matters.


Copy of N.J. Supreme Court Opinion: Stengart v. Loving Care Agency

Washington State Joins PCI / Encryption Bandwagon for Data Breaches

March 22, 2010

Washington State is following closely on the heels of Nevada, which updated its data breach statute at the beginning of this year to add encryption usage and compliance with the Payment Card Industry — Data Security Standards (PCI-DSS) as a factor in determining liability for damages (see Tech Razor post on 1/1/10).  The Governor of Washington today signed into law an amendment to the state’s data breach statute that exposes certain businesses to liability for damages incurred by financial institutions unless the subject business utilized encryption or was PCI-DSS compliant at the time of the breach. 

The new provisions, which are effective July 1, 2010, will subject any business that processes over 6 million credit or debit card transactions annually to liability to financial institutions for not exercising reasonable care to prevent unauthorized access to account information, unless the business encrypts processed account information or is compliant with PCI-DSS standards.  Similarly, vendors of software and equipment designed to process, transmit or store account information, or vendors that maintain account information for third parties, will also be liable to financial institutions for damages that result from a data breach caused by the vendor’s negligence with respect to their software, equipment or services, unless the data was encrypted or the vendor was certified within the prior 12 months as being compliant with applicable PCI-DSS requirements.

Compared to the Nevada Act, the Washington legislation is narrower.  Washington’s latest revision is only focused on damages incurred by financial institutions and does not mandate encryption or PCI compliance, whereas Nevada imposes PCI-DSS compliance on businesses accepting credit cards and encryption on all other businesses transmitting or transporting covered data.  Although this amendment may be viewed as an attempt to address the very real concerns of financial institutions, which incurred substantial card re-issuance and other costs following several major data breaches over the past few years – most notably from the TJX/TJ Maxx and Heartland Systems incidents – the amendment is also a harbinger of both the increased attention focused on data security issues and of similar legislation that may be expected in the near future from other states.  In addition, the differing scopes of the Washington and Nevada statutes highlight the challenge that businesses will face by having to keep up with another layer in the patchwork of data-security requirements as such state-level legislation continues to emerge. 

PDF of Washington Amendment:  HB 1149 Washington State

Enlightenment Sensibility of Netflix Prize Runs Afoul of FTC

March 13, 2010

The data privacy and breach stories that have made the biggest headlines over the past couple of years have principally involved companies either not adequately securing data or being the target of hackers, which in turn resulted in exposure to statutory breach claims under various state laws, contractual breach claims and tort liability under a negligence theory.  So, the news this week that Netflix is suspending its much vaunted Netflix Prize 2 until it resolves data privacy concerns expressed by the Federal Trade Commission (FTC) provides a good reminder of the authority at the federal level of the FTC to hold companies accountable for the assurances they provide their customers about data privacy.

Well before the advent of the Nobel Prize, arguably the premier prize for scientific achievement, there existed a tradition dating back at least to the Enlightenment of science-focused groups and clubs staking a prize for the proving of some scientific theorem or mathematical conjecture.  In a sense, Netflix was following in this long tradition, with a little bit of marketing and general business savvy thrown into the mix, when in 2006 it announced its initial Netflix Prize contest, in which it would award $1 million to whoever could most improve its movie recommendation algorithm.  Much like a mini-space program, this spurred numerous teams of professional and amateur researchers to pore over the data that Netflix then made available to facilitate the contest.  Therein lies the rub.  The data was supposed to be anonymous — and for all practical purposes this may have been the case.  The data was purged of all names and other personally identifiable information.  Yet, proving that clever people can do a lot with very little, separate researchers uninterested in the Netflix Prize proceeded to show that with a little effort the purportedly anonymous data was, in fact, not so anonymous.

While the parallel analysis did not achieve any sort of prize recognition, it garnered the attention of the FTC.  Made aware of the research after the second Netflix Prize contest was announced, and aware that Netflix actually planned to provide even more demographic information than was provided in the first contest, the FTC opened an investigation this past fall pursuant to its broad authority under Section 5 of the FTC Act to address unfair and deceptive trade practices.  While businesses other than those in certain regulated areas (for example, financial institutions and healthcare providers) do not have to have any privacy policy, if they do have such a policy they are obligated to adhere to what they promise.

The current Netflix Privacy Policy states, in part, that:  “We may also disclose and otherwise use, on an anonymous basis, movie ratings, consumption habits, commentary, reviews and other non-personal information about customers.” (Emphasis added.)   The quoted portion of the Netflix Privacy Policy is a fairly plain vanilla statement.  Variants of this are commonly found in many consumer-focused websites and work just fine so long as the policy is adhered to.  Netflix is not alone in wanting to use its storehouse of seemingly anonymous customer data for analytical purposes, and there is real good that comes from such efforts.  But, with advanced methodologies and the telling ingredient of a little ingenuity continually posing challenges to long-held assumptions about how secure data is, you can be sure the FTC will keep knocking on the doors of those who are less than vigilant.

Netflix Blog Notice on Ending Contest: NetflixBlog–PrizeNotice
