All posts by Paul E. Paray

Law Firm Sues to Have Non-Lawyer Ownership

On May 18, 2011, Jacoby & Meyers Law Offices LLP filed lawsuits challenging state professional rules in New York, New Jersey and Connecticut that prohibit non-lawyers from having an ownership interest in law firms.  The New York lawsuit was filed in the United States District Court for the Southern District of New York and alleges that Rule 5.4 of New York’s Rules of Professional Conduct — which precludes a lawyer from practicing law with an entity where a non-lawyer owns any interest therein — causes “critical sources of funding (to be) unavailable to a majority of lawyers in New York (and elsewhere) which dramatically impedes access to legal services for those otherwise unable to afford them.” See Complaint at Paragraph 2.

In contrast to the well-thought-out plan executed in the UK that will soon allow UK law firms to take on non-lawyer equity owners and managers, Jacoby & Meyers is doing what most plaintiffs’ counsel resort to when they don’t get their way, namely the filing of a lawsuit. There is nothing new in the Complaint regarding this longstanding debate and certainly nothing that has not been argued before by law firms looking to combat a stagnating book of business.

The gist of the Complaint turns on the purported need for law firms to have access to outside capital.  Specifically, the Complaint alleges that without such access firms like Jacoby & Meyers are unable to pay for necessary improvements in technology and infrastructure.  And, without such improvements, the disenfranchised will not have adequate legal services available to them.

Although it is unlikely that the three filed lawsuits will survive very long or directly change longstanding ethical requirements, there is certainly nothing wrong in having this issue come up for discussion.   And, it may be very timely given the American Bar Association ethics committee is now taking comments on whether to change its model ethics rules to allow for the joint ownership of law firms.  In fact, this ABA initiative may have actually precipitated the Jacoby & Meyers lawsuit given it is cited in the Complaint.

Do Not Track Law Comes Closer to Reality

Apparently seeking to mimic the success of the “do not call” registry, on May 9, 2011, Sen. Jay Rockefeller (D-W.Va.) introduced an online “do not track” privacy bill that would give consumers the ability to block companies from tracking their online activities. The proposed Do-Not-Track Online Act of 2011 comes on the heels of another consumer privacy bill proposed by Senators Kerry and McCain. The competing Kerry bill does not have a “do not track” feature, excludes the possibility of a private right of action (Sec. 406) and was generally panned by privacy activists as potentially being too pro-business. On the other hand, an ACLU spokesman described the Rockefeller bill as “a crucial civil liberties protection for the twenty-first century.”

Given the support being offered by the White House, the Rockefeller bill has a real chance of being passed into law.  What it will eventually mean to the cost of “free” applications sponsored by marketers and their clients remains to be seen.


Location Tracking Class Action Suit is Filed Against Google

On the heels of the awareness created by a recent California Supreme Court decision, the actions of a German privacy advocate, and a widely tweeted Wall Street Journal article, Google has been sued for its holding of location-based tracking information. This action differs from an earlier Apple lawsuit in several respects outlined by Infosec Island.

Given the broad scope of the five claims brought against Google, this suit is definitely worth monitoring.

Update — August 18, 2011

Korea gets into the action with a class action suit from 27,000 South Koreans claiming Apple violated Korean privacy law with the location-based tracking feature found on the company’s iPhone smartphone, iPad tablet and iPod Touch.

Is it Time to Ditch Your Facebook Account?

A recently published study funded in part by the National Institutes of Health shows that the brain’s capacity to move back and forth from distractions diminishes with age.  The findings, which were reported in the online edition of the Proceedings of the National Academy of Sciences (April 11, 2011), ultimately suggest that multi-tasking may impact our working memory, i.e., the ability to hold and manipulate information in the mind.  According to one of the study’s authors, Adam Gazzaley, MD, PhD, director of the UCSF Neuroscience Imaging Center:

The impact of distractions and interruptions reveals the fragility of working memory.  This is an important fact to consider, given that we increasingly live in a more demanding, high-interference environment, with a dramatic increase in the accessibility and variety of electronic media and the devices that deliver them, many of which are portable.

Other researchers are more direct in pointing a finger at the potential cause of this problem.  According to Dr. Elias Aboujaoude, director of Stanford’s Impulse Control Disorders Clinic, “persons are suffering in terms of cognition and attention spans because of the time spent online.”  Interestingly, some studies have shown that students may be aware that technology is having a detrimental effect on their academic performance and are open to learning time management strategies and strategies for managing cognitive workloads.

What exactly all of this research means for the average tech junkie remains unclear. At the very least, it may be an early wake-up call to have a more measured approach to social media. If the tweets are in the thousands and the blog posts number in the hundreds, it may not be healthy to continually jump on an iPad to use Bizzy or check on a Facebook account. In other words, give it a rest or the work product may ultimately suffer.

[Update:  June 14, 2011]
As per this article in the Daily Mail, Facebook fatigue may be catching on —  six million US users apparently deactivated their accounts in May 2011.

Location-Based Tracking Data Creates a New Privacy Concern

On March 25, 2011, Fordham Law School conducted a timely symposium on the legal and privacy policy implications of location-based technologies, i.e., those technologies that collect and use data indicating a person’s specific physical location.  The lively panel discussions all had one underlying theme – location-based tracking may be pervasive but the relevant policies are still in their infancy.  Although the “privacy-worthiness” of geo-location data has recently been in the news given the California Supreme Court’s ruling that Zip Code information can be considered “personal identifiable information”, location-based tracking of persons may actually loom as an even more fertile proving ground for privacy litigation given the ubiquitous nature of the activity.

It is commonly known that most smart mobile devices built today have some sort of GPS tracking capability.  Despite numerous media accounts, it is unlikely, however, that many mobile phone users also realize that their phone carriers ping their location every seven seconds and actually store this data.  Although consumers may not be fully aware of the location-based tracking that is going on, there are a number of startups banking on this capability.  Free mobile apps such as “Color” provide folks with the opportunity to share images and videos with those persons located in their very near geographic location.  And, start-ups such as Foursquare and Bizzy offer a more commercially viable application that provides consumers with opt-in shopping recommendations based on their geographic location.

Just how big an issue this will become remains to be seen given we are at the early stages of location-based data collection and marketing. What should be of concern is the fact that huge stores of data exist on pretty much every mobile phone user. Although the EU has had rules in place since 2005 regarding location-based tracking, the FTC has only recently raised the privacy implications of the vast amounts of location-based data being collected. See Protecting Consumer Privacy in an Era of Rapid Change, A Proposed Framework for Businesses and Policymakers (Preliminary FTC Staff Report, December 2010) at 23 – 25.

German privacy advocate Malte Spitz wanted to find out exactly how much tracking data T-Mobile Germany was storing about him, so he used German privacy laws to obtain the information. What he got back from T-Mobile was six months of data including 35,831 points of location information.

According to a German newspaper that first wrote about the data trove maintained by Spitz’s phone company:

This profile reveals when Spitz walked down the street, when he took a train, when he was in an airplane. It shows where he was in the cities he visited. It shows when he worked and when he slept, when he could be reached by phone and when he was unavailable. It shows when he preferred to talk on his phone and when he preferred to send a text message. It shows which beer gardens he liked to visit in his free time. All in all, it reveals an entire life.

On March 29, 2011, U.S. Reps. Edward Markey (D-Mass) and Joe Barton (R-Texas), Co-Chairmen of the House Bi-Partisan Privacy Caucus, responded to the public disclosure of the Spitz data request, by sending letters to the CEOs of the four major U.S. wireless carriers – AT&T, Verizon, Sprint, and T-Mobile.  These letters request information regarding data collection, storage and disclosure practices.

After the four major U.S. wireless carriers respond to Congressmen Markey and Barton, we may be in a better position to understand how companies plan on using the location-based data that is being collected.  More importantly, we will get a better handle on how the FTC and other regulatory bodies may eventually chime in on this privacy debate.  In the interim, companies looking to harness the marketing potential of location-based tracking data should evaluate whether it makes sense to refrain from selling available data.

CNIL Goes Easy With Google Fine

On March 17, 2011, CNIL fined Google €100,000 for improperly gathering and storing data for its Street View application.   Founded over thirty years ago, CNIL is an independent administrative authority that protects the privacy and personal data of French citizens.

Although this is the largest penalty ever awarded by CNIL, it certainly does not begin to move the needle when it comes to hurting Google’s very deep pockets. This is nothing more than an interesting wrist slap in light of the significant privacy infraction. The vast amount of personal data that was improperly collected by roaming “Google bikes” and “Google cars” – including e-mails and web browsing histories – amounted to 600 gigabytes of unencrypted Wi-Fi data.

Even though US regulators have been hitting hard with recent fines of $4.3 million and $1 million, one lingering threat that was always out there on the privacy regulatory front was from an EU privacy agency holding a firm to unexpectedly high standards.   After seeing CNIL’s Google fine, that threat may have sputtered away.  What US firms need to continue to fear are the many class action suits that quickly sprout up — as they did when Google disclosed this “Wi-Spy” mishap — whenever there is a public disclosure of a privacy breach.

Latest APT Victim: RSA

In what has become an annual mecca for the data security industry, thousands visit San Francisco each February to attend “RSA” — a conference named after the network security company purchased by data storage firm EMC five years ago.  This mega-conference caters to the security cognoscenti — as well as those who only profess to be.

Well, a few days ago, RSA announced it was the latest high-profile victim of an APT exploit. As recognized by RSA’s Executive Chairman, Art Coviello, “APT threats are becoming a significant challenge for all large corporations.” These exploits are the same sort of attacks that the press were quick to blame on the Chinese last year. In fact, the Wall Street Journal reported last year that these attacks impacted over 2,400 businesses. How exactly can a company avoid an APT or “advanced persistent attack” when a firm like RSA also gets hit by such criminal activity?

By way of background, APTs are social engineering techniques — once upon a time simply known as confidence or con games — applied with a healthy dose of hacking and malware.  RSA’s attack is a bit more troublesome than most APTs given the possible repercussions to customers as per a recent alert:

We have determined that a recent attack on RSA’s systems has resulted in certain information being extracted from RSA’s systems that relates to RSA’s SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. RSA urges immediate action.

The reason that this breach is significant has to do with the fact RSA customers all over the world use RSA SecurID to protect outside access to sensitive data.  In order to access a computer protected by SecurID, users enter a traditional password as well as the number displayed on their RSA SecurID hardware token. The numeric value displayed on the token changes once every few minutes to provide added protection.
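The dependence of the displayed number on a stored secret can be made concrete with an added example (not code from RSA or from this post). It uses the open RFC 6238 time-based one-time-password algorithm as a stand-in, since SecurID's own algorithm and interval are not described here; `enroll`, `verify_login` and `demo` are hypothetical names and the seed, password and timestamp are constructed. It shows that a code computed from a copied seed passes the token check, so the password becomes the only remaining secret until the seed is replaced.

```python
import hashlib
import hmac
import os
import struct

STEP = 30  # seconds per code (RFC 6238 default; an assumption, not SecurID's value)


def time_code(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code depends only on seed and clock."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enroll(password: str, seed: bytes) -> dict:
    """Server-side record: salted password hash plus the token's seed."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "seed": seed}


def verify_login(record: dict, password: str, code: str,
                 unix_time: int, drift: int = 1) -> bool:
    """Both factors must pass; +/- `drift` steps tolerate token clock skew."""
    pw_ok = hmac.compare_digest(
        hash_password(password, record["salt"]), record["pw_hash"])
    code_ok = False
    for d in range(-drift, drift + 1):
        expected = time_code(record["seed"], unix_time + d * STEP)
        code_ok |= hmac.compare_digest(expected.encode(), code.encode())
    return pw_ok and code_ok


def demo() -> dict:
    now = 1_300_000_000                 # constructed timestamp
    seed = b"12345678901234567890"      # constructed seed (RFC 6238 test value)
    record = enroll("correct horse", seed)

    # A code computed from a copy of the seed, without the physical token.
    code_from_copy = time_code(seed, now)

    results = {
        # Normal login: user knows the password and reads the token.
        "legit": verify_login(record, "correct horse", time_code(seed, now), now),
        # Seed copy alone: the token check passes, the password check does not.
        "seed_only": verify_login(record, "guess", code_from_copy, now),
        # Seed copy plus a phished or reused password: nothing left to stop it.
        "seed_and_password": verify_login(
            record, "correct horse", code_from_copy, now),
    }

    # Mitigation: issue a token with a fresh seed; codes from the old seed fail.
    record["seed"] = os.urandom(20)
    results["after_reseed"] = verify_login(
        record, "correct horse", code_from_copy, now)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:18} accepted={accepted}")
```
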

Although the security community gave RSA high marks for its quick disclosure, there are obvious concerns — not the least of which is the mere fact that a firm such as RSA was able to be compromised in the first place. A leading security consultant voiced a complaint that the lack of information emanating from the firm makes it hard for customers to know what exactly to do other than be really diligent regarding password usage.

Although exactly how RSA was compromised will likely never make it to the kitchen table, there are many vectors that can be compromised during a successful APT threat. The key factor to a successful APT exploit is the level of trusted connection breached — whether that is an executive friend on Facebook or a next door neighbor’s email address. Another important success factor is the willingness to be patient and wait for the right time to retrieve the sought-after information. This is where there is a significant disconnect from the typical financial data hacker. Such hackers may wait before using card data to commit a fraudulent purchase but will not likely wait to steal the compromised data. That is why most APTs are blamed on governmental entities — who are notoriously patient when moving on a target. Those committing APTs may get very valuable data along the way but would never risk getting caught with such data until the final target is achieved. In other words, the APT criminal may spend months lurking in a network before any information is even compromised. That is one of the reasons why detecting APT activity is so difficult.

For now, the way to address this very real corporate threat is not necessarily to change a firm’s security posture.  The threat is more derived from employee policy lapses, i.e., use of social media at a workstation and use of infected thumb drives, than it is from brute force hacking.  Accordingly, employee training and testing that is tied to discipline and compensation is a step in the right direction.

Thinking like an intelligence agency can’t hurt.  If a senior executive does not need to know all aspects of a project, there is no need to provide her with constant email reports.   In other words, the old adage “on a need to know basis” becomes more and more important as APTs become more and more familiar to corporations.

Finally, the basic tenets of risk management should play a role in the defense of APTs — if there is even such a thing as a viable defense. Knowing the relative value of your assets and the costs to mitigate a loss in advance of a loss are the bread and butter of risk managers. Applying such insight in the proper measure will remove from the equation some ego-driven security initiatives to be replaced by focused efforts aimed at the most sensitive data of an organization. Risk managers are routinely given the task of protecting the personal assets of the chairman of the board — by, among other things, a D&O insurance placement — as well as coordinating large scale enterprise risk management initiatives. Providing some guidance on this front should not be that much of a stretch.

New Amazon Class Action Based on Privacy Setting Circumvention

In a class action suit filed against Amazon.com, Inc. on March 2, 2011, plaintiffs argue that “Amazon circumvents the privacy filters of IE users by spoofing [Internet Explorer] into categorizing Amazon.com as more privacy protective than it actually is” and seek relief “under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030; the [Washington State] Consumer Protection Act, RCW § 19.86.010 et seq.; and common law [unjust enrichment, trespass to chattels, and fraud].” Although this suit appears to be similar to the flash cookie suits filed against marketing firms such as Quantcast and their respective clients, the case has different implications.

By way of background, according to the Quantcast complaint filed last July, Quantcast used flash cookies to “respawn” previously deleted HTTP cookies in order to continue tracking web users.  The Quantcast suit was settled this past December using a cy pres fund akin to what was done by Google a few months prior.  It is worth pointing out that none of the settlement proceeds in a cy pres fund actually go directly to any victims.  Applying a class settlement strategy only previously deployed after plaintiffs were compensated, plaintiffs’ counsel now use cy pres funds — which usually go to non-profit organizations — even if plaintiffs receive zero actual compensation.  This stands apart as a troublesome trend in privacy class action settlements given it allows plaintiffs’ counsel to file and resolve class actions even when actual damages are not readily apparent.

At some point, the Amazon.com suit may also end up resolving itself via the cy pres route given the potential lack of actual damages.  Plaintiffs in the Amazon.com case are claiming that Amazon.com found a way to trick browsers into believing the site was more privacy conscious than it was.    Given that Internet Explorer automates for a user the process of reading a website’s privacy policy, such shenanigans can obviously lead visitors to go on a site she or he might not otherwise visit.   Not exactly a powder-keg of potential damages.  Plaintiffs up the ante by claiming that, in contravention to its privacy policy, Amazon.com was allegedly rewarded for its trickery by gaining access to a visitor’s personally identifiable information (PII) and providing it to third parties.  Specifically, the Complaint states:  “Amazon claims in its privacy notice that it does not share users’ information with third parties for advertising purposes and that, instead, it delivers third parties’ advertisements on their behalf.  In fact, Amazon shares users’ PII with third parties for those third parties’ independent use and does not disclose this fact to consumers.”  Complaint at paragraphs 64 – 65.  Despite several readings of the Complaint, it remains far from certain what quantum of damages were actually sustained by plaintiffs.

This suit should, nevertheless, be monitored given the new FTC online privacy framework set forth in December (“The FTC’s harm-based approach also has limitations. In general, it focuses on a narrow set of privacy-related harms – those that cause physical or economic injury or unwarranted intrusion into consumers’ daily lives.  But, for some consumers, the actual range of privacy related harms is much wider and includes reputational harm, as well as the fear of being monitored or simply having private information ‘out there.'”) as well as the bills currently being discussed that may very well use the FTC’s new perspective as a legislative springboard.  According to recent public statements from Representative Cliff Stearns, a senior member of the House Energy and Commerce Committee, he will soon propose online privacy legislation that will focus “on allowing Web users to know what personal information Internet companies are collecting about them and to control how it’s used.”

OCR: Lost Records of 192 Patients = $1 million

On the heels of the Cignet Health CMP, the OCR has just announced a Resolution Agreement with Massachusetts General that includes a $1 million “resolution amount”.  Under this Resolution Agreement, Mass General is also required to develop and implement “a comprehensive set of policies and procedures to safeguard the privacy of its patients.”

According to the OCR’s Resolution Agreement dated February 14, 2011, the incident giving rise to the agreement involved the loss of protected health information of 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS.   Specifically, the facts (as recited in the Resolution Agreement) are as follows:

On March 6, 2009, an MGH employee removed from the MGH premises documents containing protected health information (“PHI”). The MGH employee removed the PHI from the MGH premises for the purpose of working on the documents from home. The documents consisted of billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of provider of 66 patients and the practice’s daily office schedules for three days containing the names and medical record numbers of 192 patients.

On March 9, 2009, while commuting to work on the subway, the MGH employee removed the documents containing PHI from her bag and placed them on the seat beside her. The documents were not in an envelope and were bound with a rubber band. Upon exiting the train, the MGH employee left the documents on the subway train and they were never recovered.  These documents contained the PHI of 192 individuals.

In other words, HHS has just determined that employee negligence of the most common variety is worth a cool $1 million.   Enough said.

OCR Gets Serious: $4.3 Million Penalty Under Privacy Rule

As shown by yesterday’s press release and this morning’s email blast, OCR is certainly eager to let the world know that it just issued a Notice of Final Determination and Notice of Proposed Determination finding that Cignet Health violated the HIPAA Privacy Rule to the tune of $4.3 million.

According to yesterday’s Associated Press news feed that blanketed the news outlets as well as fed many privacy blogs, Cignet Health “is a Christian-influenced medical service, has four locations in Prince George’s County, in southern Maryland just outside Washington.”   And, according to its website, “[t]he focus of Cignet health center is to minister to the whole person, both spiritually and physically. Our desire is to help the sick and suffering people the best way we can to the glory of God.”   Cignet Health offers health plans in Nigeria as well as Ghana and acts as “a patient-Provider advocacy alternative to other healthcare presently available in the healthcare market today.”

It is unknown whether this apparently small-scale operation is equipped to pay a $4.3 million penalty. Frankly, it is pretty surprising that such a small healthcare player has the honor of being the very first CE on which HHS has imposed a civil money penalty (CMP) for alleged violations of the HIPAA Privacy Rule. As well, this CMP is the first one based on the “violation categories and increased penalty amounts authorized under the Health Information Technology for Economic and Clinical Health (HITECH) Act.” The HITECH Act has certainly seen noteworthy action given the Connecticut AG’s HITECH Act penalties against Health Net – the first time a state has used the HITECH Act to settle a data breach claim — as well as the enforcement of the HITECH Act’s public disclosure of data breaches. Cignet Health, however, did not sustain a data breach so the huge penalty is curious to say the least.

What exactly did Cignet Health do?  For starters, it did NOT breach the privacy rights of its patients in any traditional sense.  Unlike with the Health Net breach or the HITECH publications of breaches, this incident involved a more vanilla HIPAA violation.  According to the OCR:

In a Notice of Proposed Determination issued Oct. 20, 2010, OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009.  These patients individually filed complaints with OCR, initiating investigations of each complaint.  The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The CMP for these violations is $1.3 million.

During the investigations, Cignet refused to respond to OCR’s demands to produce the records.  Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena.  OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010.  On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.

OCR also found that Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule.  Covered entities are required under law to cooperate with the Department’s investigations.  The CMP for these violations is $3 million.

In other words, Cignet Health failed to give 41 patients copies of their records on a timely basis and then “failed to cooperate with OCR’s investigations” after complaints were filed by these patients.   Although OCR points out in its Notice of Proposed Determination that the boxes provided to OCR by Cignet Health “also contained the medical records of approximately 4,500 individuals for whom OCR made no request or demand and for whom Cignet had no basis for the disclosure of their protected health information to OCR” this inadvertent disclosure was not the basis of the CMP.

This Cignet Health result is in contrast to the non-CMP “resolution amount” of $100,000 issued to Providence Health in 2008 for alleged HIPAA privacy violations involving unprotected backup tapes, optical disks and laptops that compromised the protected health information of more than 386,000 patients.  HHS publicly stated there was no need for a CMP given the level of cooperation given during the investigation.  Providence Health did, however, sustain significant defense costs and a corrective action plan that brought that $100,000 fee into the millions.

The lesson here is that if called upon to respond to an investigation, do it.  Based on the Cignet Health result and public statements made by OCR personnel at various privacy seminars, OCR certainly places a significant premium on what it perceives to be good faith during an investigation.  As well, be ready to smile into the camera because the OCR is obviously launching into an aggressive enforcement campaign in 2011 and beyond.   For example, the OCR email missive of February 23, 2011 includes the following appeal to potential claimants and whistleblowers:

If you believe that a person or organization covered by the Privacy and Security Rules (a “covered entity”) violated your health information privacy rights or otherwise violated the Privacy or Security Rules, you may file a complaint with OCR.  For additional information about how to file a complaint, visit OCR’s web page on filing complaints at http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.

Make no mistake about it: The OCR is HHS’s enforcement arm and is looking to knock some heads together and make some money for the boss. And, the tools, i.e., the HITECH Act and accompanying regs, are now in place to make that Sopranos moment a reality.