Privacy & Cybersecurity

Symposium on Privacy and Innovation
Tomorrow, the Commerce Department is hosting a day-long symposium called “A Dialogue on Privacy and Innovation.” It will include several panel discussions to discuss stakeholder views and to facilitate further public discussion on privacy policy in the United States.

A Connecticut woman has filed a charge of discrimination under the Federal Genetic Information Nondiscrimination Act ("GINA"), which prohibits discrimination against employees based upon their status as carriers of genetic information.

Brokerage firm DA Davidson has agreed to pay a fine of $375,000 for failing to protect confidential client data from Latvian hackers who breached the company in 2007 in an online extortion scheme and the three have pleaded guilty in Montana.

Our Friday afternoon feature --
Virginia Adds Medical Information Breach Law - The Commonwealth of Virginia has amended its data breach notification law to include breaches of medical information.

The decision we blogged about in this space last week is creating quite a bit of buzz in both privacy and employment law circles. My employment law colleagues in our New York office have authored an analysis of the decision here: Employment Alert: New Jersey Supreme Court Finds Privacy Rights in Employee E-Mails

As we blogged here last week, we were going to post our Client Alert with further details about the settlement and consent order reached by the restaurant chain Dave & Buster's and the Federal Trade Commission relating to the breach suffered by the chain.

We will post a link to the amended legislation as soon as it is released by the Committee.

In case your data security compliance plan is stuck in neutral, you have questions, or you haven't started yet...there will be a free (!) breakfast hands-on workshop on Thursday in Tewksbury, MA.

Our Friday afternoon feature is back (albeit on Thursday due to schedule tomorrow) – a quick round-up of bits and bytes related to data privacy and security.

That’s how Federal Trade Commission Chairman Jon Leibowitz described the identity theft protection offered to consumers by the widely-advertised LifeLock product and the claims made by the company that its service provided comprehensive identity theft protection.

For all of you who have been struggling with data security compliance obligations from various fronts, and trying to handle complex technical issues such as encryption of portable devices and data "at rest" and "in transit" --- here is a very big story regarding plain old everyday mail.

At the beginning of the "countdown" to the March 1st effective date of 201 CMR 17.00, we offered some posts with "misapprehensions" and compliance suggestions.

February and March are just full of significant deadlines for privacy/security reporting and compliance.

We have been so focused on the upcoming Massachusetts data security deadline, that we let one last week go without fanfare. As we have gently reminded you on several occasions, the new HIPAA privacy and security rules contained in the Health Information Technology for Clinical and Economic Health Act (HITECH) became effective on February 17th.

As we approach the 10 day mark to the March 1 effective date of the Massachusetts data security regulations, 201 CMR 17.00, we thought that we would share another misapprehension in the ever-growing list.

Disabling cookies may not be the answer to controlling your online identity. Regardless of whether you have cookies enabled or not, Web sites collect certain amounts of operational information about your browser.

Effective February 17, 2010, significant new compliance obligations will be imposed on business associates through the HITECH provisions of the American Recovery and Reinvestment Act of 2009 ("ARRA").

A few items to wrap up/review privacy and security issues in 2009 and open up 2010:

On December 30, 2009, the Centers for Medicare & Medicare Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) issued interim final rules necessary to implement electronic health record (EHR) incentive programs enacted under the American Recovery and Reinvestment Act of 2009.

According to its 8-K filing with the Securities and Exchange Commission (SEC), Heartland Payment Systems Inc. has agreed to pay American Express Travel Related Services Co. Inc. just over $3.5 million to settle any claims arising out of a massive payment card data breach.