Cybersecurity Bill Passes The House, But What's Next?


The House has approved the Cyber Intelligence Sharing and Protection Act (CISPA, H.R. 624). CISPA allows private companies and the federal government to exchange information relating to cybersecurity threats.

The bill was passed in the face of some concerns that it might provide private consumer information to the government. According to Reuters, President Obama has threatened to veto the bill on the basis that it supposedly does not mandate that companies take the greatest efforts to remove personal information before providing it to the government.


Google Transparency Reveals FBI's Use Of National Security Letters


Google has posted a “Transparency Report” that provides a range of how many National Security Letters (NSLs) it has received and a range of how many users/accounts were specified in these NSLs each year since 2009. Of course, your first question may be: What is an NSL?

An NSL is a special search vehicle by which the FBI has the authority to demand the disclosure of customer records maintained by banks, Internet Service Providers, telephone companies and other entities. When this happens, these entities are prohibited from revealing to others their receipt of an NSL. There have been reports that the issuance of NSLs has expanded significantly since the Patriot Act increased the FBI’s power to issue them.


Is Cyberwarfare Already Happening?


Are international governments already engaging in cyberwarfare by hacking into each other’s computer systems? According to recent Reuters articles, at a minimum, a war of words is brewing suggesting that this already is the case.


HHS (Finally) Issues HIPAA/HITECH Amendments


On January 17, 2013, the federal Department of Health & Human Services (“HHS”) announced a final omnibus rule that details amendments to the privacy, security, data breach and enforcement rules under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The 2013 HIPAA Amendments (which, with commentary from HHS, weigh in at 563 pages) are closely based on statutory changes under the HITECH Act of 2009, and were previewed in proposed and interim rules issued by HHS several years ago. They involve a number of sweeping expansions to the existing HIPAA Rules, including: (1) a broader definition of “business associates” (“BAs”) to include downstream subcontractors that handle protected health information (“PHI”) on behalf of BAs; (2) increased penalties for noncompliance, with a maximum penalty of $1.5 million per violation; (3) expanded individual rights, including the right to request electronic medical records; and (4) new limitations on the use of PHI for marketing and fundraising, or the sale of PHI; among other broad changes. Read the full text here. Duane Morris is preparing a fuller description of the 2013 HIPAA Amendments that will be distributed shortly. Please do not hesitate to contact Lisa Clark, lwclark@duanemorris.com, Neville Bilimoria, NMBilimoria@duanemorris.com, or your contact at Duane Morris for more information. Thanks to Elinor Hart, EHart@duanemorris.com, for her prompt assistance with this breaking development.

 
 
 
 

Cyberspace Is The New Battlefield


We usually think of the Internet as a place where we can obtain information, communicate with others, and engage in various business and personal activities.

However, is it also a new battlefield?

Yes, according to Defense Secretary Leon Panetta. Indeed, as reported by Reuters, he maintains that while hackers have already attacked financial institutions, they also have the capability to strike mission-critical domestic power grids and government systems.


Hackers Increasingly Target Colleges, Universities


All sorts of businesses and organizations are potentially vulnerable to hackers. Educational institutions are no exception, as highlighted by a recent example involving Northwest Florida State College.

One or more hackers accessed a folder on the school's main server from May through September, according to a memo from the College's President to all employees. The folder contained multiple files.

By working between the files, the hacker(s) apparently managed to assemble sufficient information to steal the identities of 50 employees, CNET reports. Names, social security numbers, dates of birth and direct deposit account numbers were accessed. Apparently, data relating to addresses, phone numbers, and college email addresses also was compromised.


The London Olympics: A High-Tech Success


The London 2012 Olympic Games were successful, and indeed spectacular, on many levels.

Of course, there were incredible performances by phenomenal athletes, including veterans like Michael Phelps and Usain Bolt, as well as new breakout stars such as Missy Franklin and Gabby Douglas.

Great Britain also served up wonderful musical acts for entertainment purposes. Not only were we regaled by Paul McCartney, Annie Lennox, George Michael, and bits and pieces from Queen and Pink Floyd, but we also witnessed the reunion of the Spice Girls (oh my).

It was also a technologically advanced event.


FTC Imposes a Record $22.5 Million Civil Penalty on Google for Privacy Misrepresentations


On August 9, 2012, the FTC announced that Google agreed to pay a record $22.5 million civil penalty to settle charges that it made misrepresentations to users of the Safari Internet browser when Google represented that it would not place cookies or serve targeted ads to those users.  In doing so, Google violated an earlier privacy settlement it had with the FTC.

FTC Chairman Jon Leibowitz said “[t]he record setting penalty in this matter sends a clear message to all companies under an FTC privacy order. . . . [n]o matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.”

The FTC's aggressive enforcement is expected to continue and it is important that businesses review their privacy policies to ensure that the policies have not become dated and no longer represent the current data collection and maintenance practices of the business.

The FTC press release can be viewed at http://ftc.gov/opa/2012/08/google.shtm

 
 
 
 

Lawyers Must Do More To Protect Cybersecurity


Lawyers should know how to protect information belonging to their firms and their clients, right? Well, perhaps they can do a better job, according to The Wall Street Journal. Indeed, it's now more important than ever for lawyers' cybersecurity skills to get up to speed.

According to the article, hackers intent on insider trading may target attorneys who handle merger and acquisition transactions. They could put links in text messages that, when clicked on smartphones, activate malware that could log keystrokes and record phone conversations.

As a result, lawyers who rely on mobile devices (practically all lawyers these days) need to take precautions such as encrypting messages and not using Wi-Fi connections, which can be vulnerable to information compromises.


Trouble In Password Paradise


Many people use the same password for all of their accounts. Why? Because it is easy to remember just one password across all accounts.

But is that a good idea? Nope. If that password were to fall into the wrong hands, it potentially could be used more pervasively to the disadvantage of the true password holder.

And this is not a hypothetical concern. Indeed, recent press reports are rife with disclosures of major password hacks/leaks.


FTC Released its Final Report Today on Best Practices for Businesses to Protect Consumer Privacy


Today, the Federal Trade Commission released its final report titled "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers."  http://www.ftc.gov/opa/2012/03/privacyframework.shtm

The report details best practices for businesses to protect the privacy of consumers. Recognizing the burden on small businesses, the FTC says that the framework should not apply to companies that collect only non-sensitive data from fewer than 5,000 consumers a year and do not transfer it.

In the report, the FTC addressed the following:

Do-Not-Track – the FTC will work with various groups to complete implementation of an easy-to-use, persistent, and effective Do Not Track system.

Mobile – the FTC continues to urge companies offering mobile services to work toward improved privacy protections, including disclosures. It will host a workshop on May 30, 2012 to address how mobile privacy disclosures can be short, effective, and accessible to consumers on small screens.

Data Brokers – the FTC called on data brokers to make their operations more transparent by creating a centralized website to identify themselves, and to disclose how they collect and use consumer data. In addition, the website should detail the choices that data brokers provide consumers about their own information.

Large Platform Providers – the FTC cited heightened privacy concerns about the extent to which platforms, such as ISPs, operating systems, browsers and social media companies, comprehensively track consumers' online activities. It will host a public workshop in the second half of 2012 to explore issues related to comprehensive tracking.

Promoting Enforceable Self-Regulatory Codes – the FTC is working to develop industry-specific codes of conduct.

 
 
 
 

Why You Should Buy PHI and PII Data Breach and Security Incident Insurance



Is Your Company At Risk For A Security Breach?


Businesses want to know whether they are potential targets for security breaches, and if so, they seek to identify the types of electronic records that may be at risk.

The Trustwave 2012 Global Security Report sheds some light on these concerns by identifying top data-security risk areas.


FBI's Social Media Monitoring Plan Must Balance Privacy, Security


A few weeks ago this blog pointed out that the Department of Homeland Security's command center regularly monitors social networking sites such as Facebook and Twitter, popular sites like Hulu, controversial sites including WikiLeaks, and news and commentary sites like The Huffington Post and Drudge Report, according to a government document.

Now, there is an indication that the Federal Bureau of Investigation is developing a web application that will have the ability to monitor social media sites like Facebook and Twitter. Such an application supposedly will give the FBI intelligence about potential security threats.


The Ever Expanding Data Breach Notification Laws…


Just when you thought the state breach notification laws could not get more cumbersome, states continue to amend their breach notification laws in an effort to expand the content and reach of the notice. 

Texas Amendment Requires Notification to Affected Residents in All 50 States

Texas recently amended its data breach notification law by expanding the notification requirements to cover affected non-residents.  Prior to the amendment, Texas required that entities conducting business in Texas notify residents when sensitive personal information was believed to have been acquired by an unauthorized person.  The amended law, which becomes effective September 1, 2012, now requires notification to affected persons residing in all 50 states if affected non-residents live in a state that does not already require notification of the data breach.  The Texas amendment is a novel use of the state breach notification laws, essentially requiring national notification of the breach.  Penalties are incurred if non-residents are not appropriately notified.  The Texas law also expands state health privacy requirements, imposing further notification requirements for a breach of health information


Duane Morris TechLaw

Duane Morris lawyers share their insights on developing legal issues which impact technology and business. Topics include e-commerce, cloud computing, outsourcing, security, privacy, social media, software, telecommunications and more.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.
The opinions expressed on this blog are those of the author and are not to be construed as legal advice.