There was much cheering when federal regulators finally released their Final Model Privacy Notice Form back in November.

That was quickly followed by a gnashing of teeth when it turns out the regulators did not understand the concept of a form or how to use Adobe Acrobat. They merely created a static document that you would have to spend hours trying to recreate.

They finally released version of the model privacy notice that is a fillable form using adobe acrobat.

• Instructions for using the Privacy Notice Online Form Builder
• If you provide an opt out and you want to include affiliate marketing, use Form 1.
• If you provide an opt out and you do not want to include affiliate marketing, use Form 2.
• If you do not provide an opt out and you want to include affiliate marketing, use Form 3.
• If you do not provide an opt out and you do not want to include affiliate marketing, use Form 4.

To obtain a legal “safe harbor” and so satisfy the Gramm-Leach-Bliley Act’s disclosure requirements, institutions must follow the instructions in the model form regulation when using the Online Form Builder.

Sources:

• Instructions for using the Privacy Notice Online Form Builder
• SEC Press Release – Federal Regulators Release Model Consumer Privacy Notice Online Form Builder
• Federal Regulators Issue Final Model Privacy Notice Form – prior post

The New Jersey courts have been handling a case that squarely addressed a company’s ability to monitor employee email.

Back in April of 2009, I mentioned a New Jersey case that found e-mail, sent during work hours on a company computer, was not protected by the attorney-client privilege: Compliance Policies and Email. That later was overturned: Workplace Computer Policy and the Attorney Client Privilege.

The New Jersey Supreme Court has ruled on the appeal and found that the employee

“could reasonably expect that e-mail communications with her lawyer through her personal, password-protected, web-based e-mail account would remain private, and that sending and receiving them using a company laptop did not eliminate the attorney-client privilege that protected them.”

The court went a step further and chastised the company’s lawyers for reading and using privileged documents.

The court’s decision focused on two areas: the adequacy of the company’s notice in its computer use policy and the importance of attorney-client privilege.

Computer use policy

The court was not swayed by the company’s arguments about its computer use policy. The company took the position that its employees have no expectation of privacy in their use of company computers based on its Policy. The court found that the policy did not address personal email accounts at all and therefore had no express notice that the accounts would be subject to monitoring. Also, the policy did not warn employees that the contents of the emails could be stored on a hard drive and retrieved by the company.

Attorney Client Communication

The bigger problem was that the communications between attorneys and their client are held to a higher standard. They were not “illegal or inappropriate material” stored on the company’s equipment that could harm the company. The e-mails warned the reader directly that the e-mails are personal, confidential, and may be attorney-client communications.

In my opinion, the nature and content of these emails made this an easy decision for the court.

Key Considerations

The decision does not mean that a company cannot monitor or regulate the use of workplace computers.

• A policy should be clear that employees have no expectation of privacy in their use of company computers.
• A policy needs to explicitly not address the use of personal, web-based e-mail accounts accessed through company equipment.
• A policy should warn employees that the contents of e-mails sent via personal accounts can be forensically retrieved and read by the company.

Sources:

• Opinion in Stengart v. Loving Care Agency, Inc. (A-16-09)
• N.J. Supreme Court upholds privacy of personal e-mails accessed at work By Susan K. Livio/Statehouse Bureau for NJ.com
• Workplace Computer Policy and the Attorney Client Privilege – previous post

With the Massachusetts Data Privacy Law now in place (and presumably you are in compliance with it), you need to think about what to do if you have an incident.

Verizon has published the Verizon Incident Sharing Framework to help.

Our goal for our customers, friends, and anyone responsible for incident response, is to be able to create data sets that can be used and compared because of their commonality. Together, we can work to eliminate both equivocality and uncertainty, and help defend the organizations we serve.

The framework is set up to help classify incidents, their discovery, mitigation and impact.

Sources:

• Verizon Incident Sharing Framework
• Verizon Incident Metrics Framework Released on the Verizon Business Security Blog

One of the features of the new Massachusetts Data Privacy Law is that it forces some knowledge management on companies in the context of data breaches.

Since the law required compliance on or before March 1, 2010, I assume you already have the policy and safeguards in place. That is, if you have social security numbers or financial account information for any Massachusetts resident in your computer systems or files. Yes, the reaches beyond the borders of Massachusetts and is not limited to Massachusetts companies.

201 CMR 17.03(h) and (i) require regular monitoring of your program and a periodic  review of its scope.

201 CMR 17.03(j) goes on to require that you document any responsive actions, have a post-incident review and document any changes to your program after the review. That sounds a lot like knowledge management to me.

The Office of Consumer Affairs and Regulation has published a handy 201 CMR 17.00 Compliance Checklist (.pdf). You should also review and be familiar with the law itself contained in 201 CMR 17.00 Standards for the Protection of Personal Information (.pdf).

Image is by Darwinek in Wikimedia Commons: Flag Map of Massachusetts

March 1 is the compliance deadline for the Massachusetts Data Privacy Law. 201 CMR 17.00 requires you to be in full compliance on or before January 1, 2009 January 1, 2010 March 1, 2010.

If your company receives, stores, maintains, processes or otherwise has access to “personal information” acquired in connection with employment or with the provision of goods or services to a Massachusetts resident you are subject to the requirements of 201 CMR 17.00.

If you have employees or customers in the Commonwealth of Massachusetts, then you are subject to this law. The law is not restricted to companies located in Massachusetts. But if you are located in Massachusetts then you have Massachusetts employees and their personal information, making you subject to the requirements of the law.

The law is a bit watered down since its initial form, but you still need to pay attention to it. There are some reasonableness standards in the requirements that make it easier to comply. You still need a policy, need to inventory your stores of “personal information” and educate your employees about the importance of safeguarding personal information.

The Office of Consumer Affairs and Regulation has published a handy 201 CMR 17.00 Compliance Checklist (.pdf).

You should also review and be familiar with the law itself contained in 201 CMR 17.00 Standards for the Protection of Personal Information (.pdf).

Since today is March 1, you still have a few hours to get things in place to be compliant with the law. If you haven’t done taken the proper steps, stop reading and go do it.

Previous Posts:

• Massachusetts Amends Its Strict Data Privacy Law (Yet, Again)
• Massachusetts Amends Strict Data Privacy Law (Again)
• Webinar Materials for: Preparing for the strictest privacy law in the nation
• Additional Guidance on the Massachusetts Privacy Regulations

Linksys WRT54GL

If you care about network security, you are probably well aware of the Massachusetts Data Privacy Law and its requirement to secure wireless networks.

But password-protecting a wireless router also has constitutional significance.

A child pornography suspect had no constitutionally protected privacy right in the files found on his personal computer, accessible by a neighbor who was piggybacking on his unsecured wireless network.

A neighbor stumbled across the shared files and alerted the local sheriff. After coming by to see the files, the sheriff ran license plates on cars on the street and found one nearby that was registered to a convicted sex offender. The sheriff then obtained warrants to determine the subscribers IP address and eventually to seize the computers.

Even though the defendant confessed on the spot, his lawyer tried to get all of the evidence thrown out claiming the sheriff violated the defendant’s reasonable expectation of privacy. The government disagreed and said the “defendant’s conduct in operating his home computer eliminated his right to privacy.”

The case ended up with Judge King in the Oregon’s United States District Court in the case of U.S. v. Ahrndt.

The case even quotes one of my favorite columns: The Ethicist by Randy Cohen in The New York Times: Wi-Fi Fairness Feb 8, 2004. Cohen came to the conclusion that “you may use but not overuse Wi-Fi hot spots you encounter.”

The judge steps over the issue of whether it is legal or not to access an open wi-fi hotspot, but is happy to point out that the accidental unauthorized use of other people’s wireless networks is a fairly common occurrence in densely populated urban environments.

“As a result of the ease and frequency with which people use others’ wireless networks, I conclude that society recognizes a lower expectation ofprivacy in information broadcast via an unsecured wireless network router than in information transmitted through a hardwired network or password-protected network.”

The judge also found “when a person shares files on iTunes over an unsecured wireless network, it is like leaving one’s documents in a box marked ‘take a look’ at the end of a cul-de-sac.” In the end, the defendant’s conduct in operating his software and maintaining his router diminished his reasonable expectation of privacy.

So not only, will improperly maintaining your wireless network open you to data loss and liability under privacy laws, but you diminish your constitutional protections.

Sources:

• United States v. Ahrndt, No. 08-cr-468 (D. Ore. Jan. 28, 2010) – hosted on JD Supra
• No expectation of privacy in computer connected to unsecured wireless network by Steve Meltzer of the Data Privacy Regulation & Management Blog
• Court Finds Constitutional Significance in Defendant’s Failure to Password-Protect Home Wireless Network from the E-Commerce and Tech law blog
• The Ethicist by Randy Cohen in The New York Times: Wi-Fi Fairness Feb 8, 2004

Today is International Data Privacy Day.

Massachusetts Recognizes Data Privacy Day 2010 and touts the the new data security regulations.

Disney has enlisted Phineas and Ferb to help guide your kids through cyberspace and teach them about the rules of the road on the internet.

Google published their guiding privacy principles and published a video discussing them:

Data Privacy Day is an annual international celebration to raise awareness and generate discussion about information privacy. Last year, both the U.S. Senate and House of Representatives recognized January 28th, 2009 as National Data Privacy Day.

Intel, Microsoft, Google, AT&T, LexisNexis and The Privacy Projects are sponsoring Data Privacy Day efforts, with assistance from Intuit and Oracle.

Even if you are not responsible for privacy at the office, you are responsible for your kids. The Data Privacy Day 2010 has some great resources for Teens, Young Adults, and Parents & Kids. Take a look at the FTC’s You Are Here to see some of the problems faced by kids online. Make sure to Visit the Security Plaza to learn about protecting your privacy (online and off).

You are responsible for your own online activity. In looking at a recent data breach, “123456″, “12345″, “123456789″ and password were the most common passwords. Even Twitter banned these passwords, along with 366 other obvious passwords.

A list of 32 million passwords that an unknown hacker stole last month from RockYou, a company that makes software for users of social networking sites, provided a treasure trove of information for security analysis. About 20 percent of people on the RockYou list picked from the same, relatively small pool of 5,000 passwords. Hackers could easily break into many accounts just by trying the most common passwords.

Security experts advise that a password should consist of letters, numbers and even punctuation symbols. They should be changed regularly and you should not use the same password for all your online services.

Sources:

• Imperva’s Customer password worst practices (.pdf)
• Previous post – International Data Privacy Day 2009
• If Your Password Is 123456, Just Make It HackMe by Ashlee Vance for The New York Times
• Twitter bans 370 ‘obvious’ passwords in the Telegraph

The key to a defensible system of e-mail monitoring is the creation of a comprehensive and communicated computer use policy. That is apparently as true in Canada as it in the United States.

Brian Bowman and Andrew Buck put together an excellent privacy primer on Monitoring employee e-mail: a privacy primer.

In what situations is e-mail monitoring justified? And what tests can we use to answer this question? Canada has no definitive answer either.