The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Leave a comment

Personal Health Records Industry Faces New Privacy Law

Many companies are beginning to get into the business of enabling individuals to store and manage their health records on their web sites. Often, these companies are not HIPAA-covered entities. Are there any other privacy laws that they need to consider as they enter this market?
Until recently, there was no privacy law that specifically applied to a personal health record service provider that is not covered by HIPAA. But there is a lot of focus on the part of legislative and regulatory bodies on the lack of a specific law that covers this emerging industry. In fact, California just amended its Confidentiality of Medical Information Act (CMIA) to expand its scope to cover the personal health records industry. (Civil Code 56.05 – 56.37)
California’s CMIA, among other things, requires that companies allow individuals to access their medical information and obtain patient consent before disclosing medical information to third parties. CMIA also requires that medical information not be used for purposes beyond health care services without patient consent.
Any company that collects medical information from individuals should check to see if CMIA applies to its practices and, if so, ensure that it is complying with CMIA. In particular, it should obtain all the patient approvals that are necessary for the company to use the medical information it collects as intended. Companies that are not covered by CMIA should nonetheless consult generally-applicable state privacy laws, some of which specifically cover medical information and apply to companies who are otherwise unregulated by industry-specific laws (e.g., California’s Civil Code 1798.91, requiring consumer notification when collecting medical information that will be used for direct marketing purposes).

Leave a comment

Wi-Fi Users and Hot Spot Hacking

According to this Wall Street Journal article, Wi-Fi hot spots, such as those found at hotels, airports and cafes, often attract hackers ready to steal personal information out of the air. Hackers have become adept at filching a user’s information as they use the wireless connection. Two techniques are popular: the “evil twin” and “man in the middle”. In an evil-twin attack, the hacker sets up a sham wireless hot spot Web site, one that would look just like the legitimate web site. When information is entered on the fake site, the hacker can fully access it. The man in the middle technique also involves a deceptive Wi-Fi signal, but does connect you to the legitimate wireless network via that signal.
Businesses that offer the Wi-Fi connection often aren’t aware that their networks have been breached or don’t report known breaches for fear of bad publicity. There have been few prosecutions involving wireless hacking. One of these was the case of Max Butler, aka “Iceman”. Mr. Butler was indicted on charges of wire fraud and identity theft. He got this information by “war driving”, or searching unprotected Wi-Fi networks for user names and passwords to banks’ networks.

Leave a comment

TSA exposes data on website

Sounds like the Transportation Security Administration has a little issue with information security. Consumerist reports that the website TSA operated to allow misidentified flyers to get their names off the no-fly list (bane of toddlers everywhere) has been operating for months without the proper security in place. Security flaws included no SSL on submission forms, and expired SSL certificates where it was in place. The security flaws were made public by the House Oversight and Government Reform Committee in a report last Friday.

Leave a comment

The New Yorker on Google and Privacy

Ken Auletta, long known for his in-depth profiles of media titans, has written a profile of the top three at Google. You can read the whole thing at the New Yorker, or Valleywag’s 100-word version. Most relevant for this blog are the telling quotes on privacy from Google Insiders. One anonymous executive says, "Privacy is an atomic bomb. Our success is based on trust." And Eric Schmidt notes that Google would "really be hosed" if it violated its users’ trust with privacy risks from targeted advertising.

Leave a comment

Attempted Computer Sabotage Results in Record Prison Sentence

Yung-Hsun Lin, a former employee of Medco Health Solutions, pleaded guilty to planting a “logic bomb” in the company’s computer systems. Mr. Lin modified existing computer code and added additional code in response to fears that he would be out of a job following Medco’s spin-off from Merck and Co. The “logic bomb” was set to detonate on Mr. Lin’s birthday and would wipe out computer servers on Medco’s network.  Notwithstanding the fact that he was not laid off, he set the logic bomb to deploy.  A systems administrator discovered the logic bomb a few months before its detonation date. Mr. Lin was sentenced to 30 months in prison and ordered to pay $81,200 to his former employer.    

Leave a comment

Your Hard Drive Could Be Used Against You in a Court of Law

According to this New York Times article, a custom officer at Los Angeles International Airport discovered child pornography on the laptop of Michael T. Arnold upon his return from the Philippines. From the government’s viewpoint, searching your laptop is no different from searching your suitcase and so far the federal appeals court has agreed.

Judge Dean D. Pregerson of the Federal District Court in L.A. has a different take- he suppressed the evidence against Mr. Arnold in 2006 contending that, more than just a storage device, electronic storage devices are an extension of our memory. Judge Pregerson’s decision seems to be headed for reversal. The three judges who heard arguments in the appeal of his decision seem to be of the opinion that the same information in hard-copy form would be subject to search.

Questions still remain on when a search is justified. Jennifer M. Chacón, a law professor at the University of California, likens a computer search to a search of the body, where reasonable suspicion would be required for such an invasion.

There are two more instances of laptop searches resulting in child pornography: John W. Ickes Jr.’s laptop was searched after a customs agent grew suspicious after discovering a videotape of a tennis match which focused excessively on a young ball boy. The other case is that of Sebastien Boucher who, when stopped at the Canadian border and asked if his laptop contained child pornography, answered that he was not sure. Mr. Boucher unlocked his encrypted files for the agent and the agent discovered pornography involving children. Mr. Boucher’s laptop was seized, but the government has been unable to re-open the encrypted files. This has brought up a new debate as to whether or not Mr. Boucher should be required to provide the password to his files.

Feb 12, 2008 Update: A lawsuit filed last week by the Electronic Frontier Foundation and Asian Law Caucus in the U.S. District Court for the Northern District of California alleges that airport searches of laptops and other devices are intrusive. The Customs and Border Protection disagrees, saying the agency does not need to show probable cause to look inside suitcases or laptops. A spokesperson for the Department of Homeland Security likens searches of electronic devices to those of papers in briefcases.   


Leave a comment

Sears facing class actions over privacy breach

Sears is in hot water over a series of privacy gaffes that secretly installed software on consumers’ computers and left up to a decade of their purchases exposed to the public on an unsecured website. The firm that successfully sued Sony for their rootkits has filed a class action complaint for the website security breach (claiming a violation of Sears’ own privacy policy and the Illinois Consumer Fraud Act), and is seeking plaintiffs for a suit over Sears’ secret installation of Comscore on some of their customers’ computers.

Brian Krebs’s Security Fix blog over at the Washington Post has more information.

Leave a comment

California “Shine the Light” law compliance lax

In 2005, California passed a law requiring companies to respond to consumer requests for information about how they share data with third parties, and to allow consumers to opt out of such sharing. But a recent report by CalPIRG shows that fewer than a third of companies respond adequately to such requests. They’ve issued a call for such sharing to be opt-in only. (from, via Consumerist).