It’s been almost 18 months since the Massachusetts Data Privacy Law went into effect. Belmont Savings Bank has become one of the first charged with violating the law.

Belmont Savings Bank maintained personal information on an unencrypted backup data tape and then lost the tape. According to surveillance footage the tape was likely discarded inadvertently by the overnight clearing crew and sent to the incinerator.

There were several rounds of changes between the first version of 201 CMR 17.00 and the final one. One central element was the requirement that there be written information security plan in place if your company has “personal information” on a Massachusetts resident. Obviously, you need to comply with the plan.

In this case, Belmont Savings Bank has the plan. But they failed to comply with it. The data tape should have been locked-up overnight and not left on a desk.

The Massachusetts’ Attorney General entered into an Assurance of Discontinuance with Belmont Savings Bank. As part of the settlement, the bank has to

• encryp, to the extent technically feasible, all personal information stored on backup data tapes
• store backup data tapes containing personal information in a secure location
• effectively train its workforce on the policies and procedures with respect to maintaining the security of personal information

There is no evidence indicating that any customer’s personal information has been acquired or used by an unauthorized person or used for an unauthorized purpose. The Assurance of Discontinuance states that if actual harm to customers results, the Attorney General’s Office will reopen discussions to determine appropriate restitution.

Sources:

• Massachusetts Attorney General Announces $7,500 Data Breach Settlement with Belmont Savings Bank in Hunton & Williams’ Privacy and Information Security Law Blog
• Massachusetts AG Says Having a WISP is Not Enough to Comply With Massachusetts Data Security Regulations by Amy Crafts in Proskauer’s Privacy Law Blog
• Assurance of Discontinuance in the Matter of Belmont Savings Bank (.pdf – 5 pages)
• Today is the Deadline for the Massachusetts Data Privacy Law – prior story in Compliance Building

I remember the days of the mimeograph. In class people would inevitably sniff the newly printed pages. For a teacher, the danger was that the latent copy would fall into the wrong hands. Animal House highlighted that danger.

Current day copiers are much more advanced than the mimeograph, but the dangers of the latent copy still exist. Most modern copy machines are just special purpose computers. Like all computer they have a hard drive. On that hard drive, they store the images of the documents they copy and scan.

That’s not a problem until you give back the copier. Then you should be concerned that the next person who gets it could just pull up some of your documents from the hard drive. Last year, CBS highlighted this problem in an investigative piece by Armen Keteyian: Digital Photocopiers Loaded With Secrets.

Now the Federal Trade Commission has decided to take a stance. Not a definitive stance, but guidance. The FTC points out that companies must maintain reasonable procedures to protect sensitive information. That may include your copy machine.

When you finish using the copier:

Check with the manufacturer, dealer, or servicing company for options on securing the hard drive. The company may offer services that will remove the hard drive and return it to you, so you can keep it, dispose of it, or destroy it yourself. Others may overwrite the hard drive for you. Typically, these services involve an additional fee, though you may be able to negotiate for a lower cost if you are leasing or buying a new machine.

Sources:

• FTC’s Copier Data Security: A Guide for Businesses
• FTC Publishes Copier Data Security Guide by Colin J. Zick in Foley Hoag’s Security, Privacy and The Law
• Digital Photocopiers Loaded With Secrets

Data Privacy Day is January 28, 2011.

There have events throughout the week to inform and educate us all about our personal data rights and protections.

Here are some key reminders:

1. Never Post or Share Personal Information such as a date of birth, personal address, or maiden name because identity thieves now friend as many people as possible and join networks solely for the purpose of harvesting information to use to commit identity fraud.
2. Always Update Your Software
3. Use Complex Passwords
4. Don’t Download Just Any Application
5. Avoid Peer-to-Peer File Sharing

Read more:

• Data Privacy Day 2011
• The Technology of Privacy: When Geeks Meet Wonks from Google
• The top 5 mistakes of privacy awareness programs

It looks like even Dilbert is keeping an eye on the Quon case at the Supreme Court.

There was much cheering when federal regulators finally released their Final Model Privacy Notice Form back in November.

That was quickly followed by a gnashing of teeth when it turns out the regulators did not understand the concept of a form or how to use Adobe Acrobat. They merely created a static document that you would have to spend hours trying to recreate.

They finally released version of the model privacy notice that is a fillable form using adobe acrobat.

• Instructions for using the Privacy Notice Online Form Builder
• If you provide an opt out and you want to include affiliate marketing, use Form 1.
• If you provide an opt out and you do not want to include affiliate marketing, use Form 2.
• If you do not provide an opt out and you want to include affiliate marketing, use Form 3.
• If you do not provide an opt out and you do not want to include affiliate marketing, use Form 4.

To obtain a legal “safe harbor” and so satisfy the Gramm-Leach-Bliley Act’s disclosure requirements, institutions must follow the instructions in the model form regulation when using the Online Form Builder.

Sources:

• Instructions for using the Privacy Notice Online Form Builder
• SEC Press Release – Federal Regulators Release Model Consumer Privacy Notice Online Form Builder
• Federal Regulators Issue Final Model Privacy Notice Form – prior post

The New Jersey courts have been handling a case that squarely addressed a company’s ability to monitor employee email.

Back in April of 2009, I mentioned a New Jersey case that found e-mail, sent during work hours on a company computer, was not protected by the attorney-client privilege: Compliance Policies and Email. That later was overturned: Workplace Computer Policy and the Attorney Client Privilege.

The New Jersey Supreme Court has ruled on the appeal and found that the employee

“could reasonably expect that e-mail communications with her lawyer through her personal, password-protected, web-based e-mail account would remain private, and that sending and receiving them using a company laptop did not eliminate the attorney-client privilege that protected them.”

The court went a step further and chastised the company’s lawyers for reading and using privileged documents.

The court’s decision focused on two areas: the adequacy of the company’s notice in its computer use policy and the importance of attorney-client privilege.

Computer use policy

The court was not swayed by the company’s arguments about its computer use policy. The company took the position that its employees have no expectation of privacy in their use of company computers based on its Policy. The court found that the policy did not address personal email accounts at all and therefore had no express notice that the accounts would be subject to monitoring. Also, the policy did not warn employees that the contents of the emails could be stored on a hard drive and retrieved by the company.

Attorney Client Communication

The bigger problem was that the communications between attorneys and their client are held to a higher standard. They were not “illegal or inappropriate material” stored on the company’s equipment that could harm the company. The e-mails warned the reader directly that the e-mails are personal, confidential, and may be attorney-client communications.

In my opinion, the nature and content of these emails made this an easy decision for the court.

Key Considerations

The decision does not mean that a company cannot monitor or regulate the use of workplace computers.

• A policy should be clear that employees have no expectation of privacy in their use of company computers.
• A policy needs to explicitly not address the use of personal, web-based e-mail accounts accessed through company equipment.
• A policy should warn employees that the contents of e-mails sent via personal accounts can be forensically retrieved and read by the company.

Sources:

• Opinion in Stengart v. Loving Care Agency, Inc. (A-16-09)
• N.J. Supreme Court upholds privacy of personal e-mails accessed at work By Susan K. Livio/Statehouse Bureau for NJ.com
• Workplace Computer Policy and the Attorney Client Privilege – previous post

With the Massachusetts Data Privacy Law now in place (and presumably you are in compliance with it), you need to think about what to do if you have an incident.

Verizon has published the Verizon Incident Sharing Framework to help.

Our goal for our customers, friends, and anyone responsible for incident response, is to be able to create data sets that can be used and compared because of their commonality. Together, we can work to eliminate both equivocality and uncertainty, and help defend the organizations we serve.

The framework is set up to help classify incidents, their discovery, mitigation and impact.

Sources:

• Verizon Incident Sharing Framework
• Verizon Incident Metrics Framework Released on the Verizon Business Security Blog

One of the features of the new Massachusetts Data Privacy Law is that it forces some knowledge management on companies in the context of data breaches.

Since the law required compliance on or before March 1, 2010, I assume you already have the policy and safeguards in place. That is, if you have social security numbers or financial account information for any Massachusetts resident in your computer systems or files. Yes, the reaches beyond the borders of Massachusetts and is not limited to Massachusetts companies.

201 CMR 17.03(h) and (i) require regular monitoring of your program and a periodic  review of its scope.

201 CMR 17.03(j) goes on to require that you document any responsive actions, have a post-incident review and document any changes to your program after the review. That sounds a lot like knowledge management to me.

The Office of Consumer Affairs and Regulation has published a handy 201 CMR 17.00 Compliance Checklist (.pdf). You should also review and be familiar with the law itself contained in 201 CMR 17.00 Standards for the Protection of Personal Information (.pdf).

Image is by Darwinek in Wikimedia Commons: Flag Map of Massachusetts

March 1 is the compliance deadline for the Massachusetts Data Privacy Law. 201 CMR 17.00 requires you to be in full compliance on or before January 1, 2009 January 1, 2010 March 1, 2010.

If your company receives, stores, maintains, processes or otherwise has access to “personal information” acquired in connection with employment or with the provision of goods or services to a Massachusetts resident you are subject to the requirements of 201 CMR 17.00.

If you have employees or customers in the Commonwealth of Massachusetts, then you are subject to this law. The law is not restricted to companies located in Massachusetts. But if you are located in Massachusetts then you have Massachusetts employees and their personal information, making you subject to the requirements of the law.

The law is a bit watered down since its initial form, but you still need to pay attention to it. There are some reasonableness standards in the requirements that make it easier to comply. You still need a policy, need to inventory your stores of “personal information” and educate your employees about the importance of safeguarding personal information.

The Office of Consumer Affairs and Regulation has published a handy 201 CMR 17.00 Compliance Checklist (.pdf).

You should also review and be familiar with the law itself contained in 201 CMR 17.00 Standards for the Protection of Personal Information (.pdf).

Since today is March 1, you still have a few hours to get things in place to be compliant with the law. If you haven’t done taken the proper steps, stop reading and go do it.

Previous Posts:

• Massachusetts Amends Strict Data Privacy Law (Again)
• Webinar Materials for: Preparing for the strictest privacy law in the nation
• Additional Guidance on the Massachusetts Privacy Regulations

Linksys WRT54GL

If you care about network security, you are probably well aware of the Massachusetts Data Privacy Law and its requirement to secure wireless networks.

But password-protecting a wireless router also has constitutional significance.

A child pornography suspect had no constitutionally protected privacy right in the files found on his personal computer, accessible by a neighbor who was piggybacking on his unsecured wireless network.

A neighbor stumbled across the shared files and alerted the local sheriff. After coming by to see the files, the sheriff ran license plates on cars on the street and found one nearby that was registered to a convicted sex offender. The sheriff then obtained warrants to determine the subscribers IP address and eventually to seize the computers.

Even though the defendant confessed on the spot, his lawyer tried to get all of the evidence thrown out claiming the sheriff violated the defendant’s reasonable expectation of privacy. The government disagreed and said the “defendant’s conduct in operating his home computer eliminated his right to privacy.”

The case ended up with Judge King in the Oregon’s United States District Court in the case of U.S. v. Ahrndt.

The case even quotes one of my favorite columns: The Ethicist by Randy Cohen in The New York Times: Wi-Fi Fairness Feb 8, 2004. Cohen came to the conclusion that “you may use but not overuse Wi-Fi hot spots you encounter.”

The judge steps over the issue of whether it is legal or not to access an open wi-fi hotspot, but is happy to point out that the accidental unauthorized use of other people’s wireless networks is a fairly common occurrence in densely populated urban environments.

“As a result of the ease and frequency with which people use others’ wireless networks, I conclude that society recognizes a lower expectation ofprivacy in information broadcast via an unsecured wireless network router than in information transmitted through a hardwired network or password-protected network.”

The judge also found “when a person shares files on iTunes over an unsecured wireless network, it is like leaving one’s documents in a box marked ‘take a look’ at the end of a cul-de-sac.” In the end, the defendant’s conduct in operating his software and maintaining his router diminished his reasonable expectation of privacy.

So not only, will improperly maintaining your wireless network open you to data loss and liability under privacy laws, but you diminish your constitutional protections.

Sources:

• United States v. Ahrndt, No. 08-cr-468 (D. Ore. Jan. 28, 2010) – hosted on JD Supra
• No expectation of privacy in computer connected to unsecured wireless network by Steve Meltzer of the Data Privacy Regulation & Management Blog
• Court Finds Constitutional Significance in Defendant’s Failure to Password-Protect Home Wireless Network from the E-Commerce and Tech law blog
• The Ethicist by Randy Cohen in The New York Times: Wi-Fi Fairness Feb 8, 2004