The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Leave a comment

HHS Issues Final Rule Modifying HIPPA on Same Day Persons are Identified via Anonymous Genetic Information

Happy MLK Jr. Day!

On Thursday of last week, the U.S. Department of Health and Human Services announced that it had issued a Final Omnibus Rule modifying HIPAA’s Privacy, Security, Enforcement and Breach Rules and HITECH’s Breach Notification Rule.  

Health and Human Services Office for Civil Rights Director, Leon Rodriguez, stated that the modification brings “sweeping changes” to HIPAA’s Privacy and Security Rules. The sweeping changes include, among other things:

–       Extension of HIPAA’s provisions to “business associates” and other downstream vendors

–       Modifications to permissible marketing activities

–       New provisions for potential data breach analysis and notification

–       Modifications to an individual’s right to receive his/her PHI

–       Restrictions on the use or disclosure of genetic information for underwriting purposes

The Final Rule totals 563 pages. Affected parties should thus be tuned into developments in how the modifications are ultimately interpreted and implemented.

Much attention has been directed to how the Final Rule affects business associates, such as cloud services providers and other third party industry players. But another important modification included in the Final Rule was that made to the Genetic Information Non-Discrimination Act of 2008 (GINA). The modification included confirmation of a “prohibition on using or disclosing protected health information that is genetic information for underwriting purposes to all health plans that are covered entities under the HIPAA Privacy Rule” (there is an exception for certain long term care policies).

Coincidentally (or no?), the day the Final Rule was issued, a team of researchers published an article in Science describing how they were able to identify 50 people using the DNA that they had submitted for research purposes. The researchers made the identification simply by pairing the genetic information from the DNA strands with information from publicly available online tools, such as Google searches and genealogy databases. The New York Times and other media have reported on the Science article.

This development underscores the increasingly important role that genetic information serves in both scientific research and medical care. The updates to GINA included in the Final Rule recognize this trend. It is likely that additional attention will be given to issues of privacy and genetically-sourced information (including PHI) as technology and medical practice develops. 

Leave a comment

FTC Settles First FCRA Charges with Mobile App Developer

On January 10, the Federal Trade Commission (FTC) announced a settlement with app developer Filiquarian Publishing, LLC, that compiled and sold criminal records.  The FTC alleged that the developer operated as a consumer reporting agency without complying with the consumer protection measures required under the Fair Credit Reporting Act (FCRA).  This settlement was the first FCRA enforcement action against a mobile app developer.

According to the FTC’s blog post, even though the developer included disclaimers on its website that the background screening reports weren’t to be considered screening products for insurance, employment, loans, and credit applications, and that they weren’t FCRA-compliant, these disclaimers didn’t mean much to the FTC since the developer’s ads expressly urged consumers to use the app to screen potential employees.  “Just saying that the info can’t be used for FCRA purposes doesn’t absolve a company from liability”.

The blog post also notes that a warning letter was previously sent to 6 app developers last year, warning them that if they suspected their reports were being used for employment purposes, then they needed to comply with the FCRA.  “This is true even if you have a disclaimer on your website indicating that your reports should not be used for employment or other FCRA purposes.”

So what’s the take away?  According to the blog post, it’s that regardless of the technology involved, if a company offers background reports for employment or other FCRA purposes, then they must comply with the FCRA.  Another takeaway: “It’s wise to pay attention to what the FTC says in warning letters to other companies.”

Leave a comment

Apps Privacy Act Proposed

Yesterday, Rep. Hank Johnson (D-GA) released a discussion draft of the Application Privacy, Protection and Security Act of 2013, or the APPS Act.  The Apps Act would require apps to give consumers prior notice about what data it collects and how it will be used, stored and shared, as well as obtain consent to such collection terms. It would also require the app to allow users to opt out of the service and delete personal data collected by the app.  Violations of the Apps Act would be enforced by the Federal Trade Commission.

Public input is sought on the bill via, a Web-based legislative project launched last year to solicit ideas from the public for ways the federal government could better protect app users’ rights.

As this article notes, privacy policies can be difficult to address on mobile devices given the small screen and the limited amount of time users typically are willing to spend to figure them out.  Interestingly, the Department of Commerce’s National Telecommunications & Information Administration (NTIA) also held its first Multistakeholder Meeting to Develop Consumer Data Privacy Code of Conduct Concerning Mobile Application Transparency yesterday.   The goal of these meetings is “an open, transparent, consensus-driven process to develop a code of conduct regarding mobile application transparency.”  The next of these meetings is scheduled for January 31, 2013.

Leave a comment

Welcome to the Redesigned Secure Times Blog

Welcome to the redesigned and enhanced The Secure Times Online Forum, an online forum of the ABA Section of Antitrust Law’s Privacy and Information Security (PRIS) Committee. This forum is a publication of the Privacy and Information Security Committee of the American Bar Association. For those of you who are regular readers of The Secure Times, you will notice a new format including social media sharing “widgets” to more easily tweet, email, and share individual posts, as well as the ability to register for email notification of new posts. We warmly welcome new visitors and hope you will find these posts informative and insightful on timely developments in the exciting world of privacy and information security. Please check out the social media sharing and email notification features and check back often for privacy and information security updates.

Join the Privacy and Information Security Committee

We would like to invite all our readers to join the PRIS Committee of the ABA’s Antitrust Section. Members of the PRIS Committee may sign up for our listserv as well as attend valuable webinars, teleseminars and other programming on timely and important privacy and information security issues. To further keep our members apprised of key developments in privacy and information security, the PRIS Committee sponsors monthly privacy and information security update teleconferences where seasoned practitioners discuss and analyze the important developments of the prior month. Finally, the PRIS Committee holds networking and other events as well as provides writing opportunities for members interested in meeting other professionals in this area of the law and building their professional profiles. Our website posts information on upcoming and past events.

So, please check out our website and consider joining the Committee to avail yourself of the many resources the PRIS Committee has to offer. If you have any questions, feel free to contact one of the following leaders of the Committee: Chair—Erika Brown Lee; Vice Chairs—Bridget Calhoun, Aryeh Friedman, Josh Harris, Benita Kahn, Saira Nayak, Gail Slater, Kurt Wimmer; Young Lawyer Representative—Marie-Andree Weiss.

If you also practice in the consumer protection and/or private advertising litigation areas, please also visit the Consumer Protection Committee webpage and Private Advertising Litigation Committee webpage for information on these committees and how to join.

A Special Message to Young Lawyers and Law Students

If you are interested in developing a practice in privacy and information security, joining the PRIS Committee is one way to get involved with other practitioners as well as keep abreast of key developments in the law, obtain writing and speaking opportunities to build your professional profile, and attend networking and other events.

If you want to learn more about careers in this exciting field, please stay tuned, as PRIS will soon be co-sponsoring with the Young Lawyer Division’s Antitrust Law Committee a teleconference brown bag program on the Nuts and Bolts of Privacy and Information Security Law Practice. We will announce this event on our website and on The Secure Times.

New law school graduates can join the ABA at no cost for their first year out of law school. And Law Students can join for one year at a special Law Student Rate of $25. If you have just started law school (Congratulations!), you can choose to join for 3 years for $60. Once a member of the ABA, you can join the join the Section of Antitrust Law at a discounted rate of $10, and then join PRIS and other committees of interest at no additional costs.

An Invitation to International Attorneys

We would also like to extend a special invitation to international data privacy professionals who are interested in joining the PRIS Committee. We cover global privacy developments in our programming and welcome contributions and input from our international members as well. You can join the ABA as an International Law Associate, if you are an attorney admitted to practice law outside of the U.S., or as a General Associate, if you are not an attorney. The membership dues are $175. Once a member of the ABA, you can join the Section of Antitrust law for $60, then join the PRIS Committee and other committees of interest at no additional cost.

Please contact us if you are interested in contributing posts to The Secure Times. Thank you for visiting!

2013 Consumer Protection Conference – Washington, D.C.

Mark your calendars for February 7th , 2013 – the date of the Section’s bi-annual Consumer Protection Conference in Washington D.C.! The program will present not only a look back on the hot–button consumer issues from 2012 but, more importantly, will offer a roadmap of the full range of consumer issues going forward. Expert panels will feature senior representatives from the FTC, the CFPB and State AG offices. More information is available here. We hope you will be able to attend!

Leave a comment

Privacy and Information Security Monthly Update – January 8, 2013

Please join the Privacy and Information Security Committee for our next program on privacy and information security legislative, regulatory, enforcement and litigation developments, covering developments during the month of December 2012.  To register, email Jeanne Welch at  All pertinent dial-in information will be provided in your confirmation.

Please note that the PowerPoint presentation will be available to members only through the Privacy & Information Security Committee website,

Leave a comment

No Aiding-and-Abetting Language in ECPA

The Tenth Circuit ruled on December 28 that Embarq, an ISP, cannot be liable as an aider and abettor under the Electronic Communications Privacy Act (ECPA) for allowing a third party, an online advertising company, to install a monitoring device on the ISP’s network, as the provisions of the ECPA do not include aiding-and-abettting language.
Facts of the Case
Kathleen and Terry Birch filed a putative class action against two Internet service providers (ISPs), Embarq Management Company and United Telephone Company of Eastern Kansas (collectively “Embarq”). Plaintiffs, subscribers to Embarq’s broadband Internet services, had initially alleged common law claims for invasion of privacy by intrusion into seclusion and trespass to chattels, and also violation of two federal statutes, the ECPA and the Computer Fraud and Abuse Act (CFAA). Plaintiffs agreed later to dismiss some of their claims, and only the claim that Embarq had violated the ECPA remained.
Plaintiffs claimed violation of the ECPA, which amended the Wiretap Act, and makes it a crime to intercept “any wire, oral, or electronic communication.” The statute defines ‘intercept’ as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.”
However, there is no interception under the ECPA if the contents of a communication are acquired in the ordinary course of business of an ISP, or if a party to the communication consents to its interception.
Embarq had argued in front of the US district court for the district of Kansas that it could not be held liable under the ECPA because the Act does not provide for liability of aiders and abettors, and that Embarq had not itself intercepted plaintiffs’ communications.
The district court granted summary judgment to Embarq on August 19, 2011, and the plaintiffs appealed. The Tenth Circuit affirmed the district court’s judgment.
NebuAd’s Business Model (Defunct)
According to the uncontroverted facts as stated in the District Court’s grant of summary judgment,  Embarq contracted with NebuAd, an online behavioral tracking company, which is no longer in business, and allowed NebuAd to install its Ultra-Transparent Appliance (UTA) on the ISP’s networks. The UTA was able to monitor theISPs’ users’ inbound and outbound communications. NebuAd was inspecting the content of users’ Internet traffic, and used that knowledge to create de-identified user profiles which allowed it to deliver targeted advertisements to the ISP’s users. NebuAd shared the advertising profits with the ISP.
Interception of Communication
The district court interpreted the ECPA as defining interception of a communication as coming into possession or controlling the substance, purport or meaning of that communication. The court agreed with defendant that Embarq had no access to the information that NebuAd extracted from the communications traveling through the UTA, nor did it have access to the profiles constructed from that information.
The Tenth Circuit agreed with the district court, noting that “it is undisputed that the only access Embarq had to the data extracted by NebuAd was in its capacity as an ISP, not because of any special relationship with NebuAd…” and also noted that “Embarq did not engage in an “interception” under the ECPA because of the ordinary-course-of-business exclusion from the definition of interception.” The Tenth Circuit was satisfied that “the undisputed facts establish that NebuAd’s use of the UTA gave Embarq access to no more of its users’ electronic communications than it had in the ordinary course of its business as an ISP.”
Aiding and Abetting
Plaintiffs tried to hold Embarq secondarily liable based on its contractual relationship with NebuAd, arguing that Embarq was indirectly liable as a procurer, aider, abettor or co-conspirator of NebuAd’s alleged violation of the ECPA. The District court held that the ECPA does not provide for such secondary liability, as liability attaches only to the party that actually intercepts the communication, citing In re Toys R US, Inc. Privacy Litigation (N.D. Cal. 2001), where the court held the Wiretap Act does not provide a cause of action against aiders and abetters. The Tenth Circuit affirmed.
Privacy Policy and Consent
The Tenth Circuit did not, however, address the issue of consent by not-opting out of the ISP’s service, but the District Court had held that Embarq was entitled to summary judgment based on plaintiffs’consent, which is expressly excluded from the category of “unlawful interceptions.”
When Bob Dykes, NebuAd’s CEO testified before the House Subcommittee on Telecommunications and the Internet in July 2008, he stated that his company required from ISPs “to provide robust, advance notice and our operations and our privacy protections to their subscribers, who at any time can exercise their choice not to participate.” He further stated that if an user chooses to opt out, NebuAd would delete this user’s anonymous profile and ignore from then on his
Before starting its partnership with NebAd, Embarq had added a “Preference Advertising” paragraph to its privacy policy, which explained that the ISP may use web surfing information to facilitate the delivery of targeted ads, and offered the option to opt out. Plaintiffs in this case had not opted out, and Embarq argued that even if it had intercepted an electronic communication, plaintiffs had consented to it by not opting out.
For the district court, since plaintiffs continued to use the Internet after these changes, they were bound by the changes and thus impliedly consented to having their Internet activity monitored. Plaintiffs also argued unsuccessfully that NebuAd had to be identified specifically as a third party, that the privacy notice was not conspicuous enough, and that the opt-out mechanism was insufficient because it did not prevent NebuAd from collecting their data.

Leave a comment

A Few New Social Media Privacy Bills and Laws

Happy New Year everyone!
New year, new laws… A California law protecting the privacy of social media accounts of employees and university students took effect on January first.
California’s Labor Code now prevents an employer from discharging, disciplining, threatening to discharge or discipline, or otherwise retaliating against an employee or applicant for not complying with the employer’s request that he discloses a username or password for the purpose of accessing personal social media, or that he accesses personal social media in the presence of the employer, or that he divulge any personal social media (Labor Code paragraph 980).
However, an employer still has the right to request an employee “to divulge personal social media reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations, provided that the social media is used solely for purposes of that investigation or a related proceeding.”
The California Education Code now prevents public and private postsecondary educational institutions, and their employees and representatives to require that a student, a prospective student, or a student group to disclose a personal social media user name or password, or to access personal social media in the presence of the institution’s employee or representative, or to divulge any personal social media information. Such educational institutions may not suspend, expel, discipline, or threaten to take such actions, or even penalize a student, a prospective student, or a student group for refusing to comply with such social media requests (paragraphs 99120 to 90122 of the Education Code).
In Michigan, the Internet Privacy Protection Act that took effect in December 2012, has an even broader scope as it prohibits employers and all educational institutions, not only post-secondary institutions, from requiring employees, applicants, students and prospective students to grant access to, or to allow observation of, or to disclose information that allows access to or observation of their personal internet account. The law defines “personal internet account” as an “account created via a bounded system established by an internet-based service that requires a user to input or store access information via an electronic device to view, create, utilize, or edit the user’s account information, profile, display, communications, or stored data.” It thus also protects the privacy of emails accounts, private blogs, or bookmarking sites.
Legislators in several others states including New York and Massachusetts introduced similar legislation in 2012. Illinois enacted a similar law in August 2012. Texas has introduced in November 2012 a bill, SB118, which would prevent an employer from requiring access to employees’ and applicants’ personal electronic communication accounts.
There is still no similar federal law. Several bills were introduced in Congress in 2012, such as H.R.5050, the Social Networking Online Protection Act, introduced in April 2012 by Rep. Eliot Engel (D-N.Y.), which would prevent employers to request access to social media accounts. The Password Protection Act of 2012 that Rep. Martin Heinrich (D-NM) introduced (H.R. 5684), has even a broader scope as at would prohibit employers from compelling or coercing any person to authorize access to ‘a protected computer.’

Leave a comment

France on Track to Tax Personal Data Collection?

A report on taxation and the digital economy, commissioned by the French government, should be published in France during January. Although its recommendations are not yet known, the French daily newspaper Le Figaro reported on December 22 that it may recommend that personal data collection be taxed in France. If implemented, such measures would lead to Google, Facebook, or Twitter having to pay a tax on the use of information collected on the Internet in France.  According to Le Figaro, this measure would also affect banks, online retailers, and generally, companies collecting customer information.
The article quotes a French tax official, speaking anonymously, which reveals that this new tax would also be used to encourage better data collection practices, as companies selling personal data without informing their users may be taxed more heavily. This could become a strong incentive for companies collecting personal data in France to respect France’s data protection laws, which eventually will include the new European Union Regulation, when it will finally be implemented, probably in 2014.