September 2009


Fear Mongering or Legitimate Criticism --

I am a little unclear as to why privacy advocates and security vendors believe that the harm standard, found within the new HHS regulations for security breaches, in any way hampers the HITECH Act's security breach notice rule for covered entities and business associates. Many states use a similar risk-based type of analysis; in fact, only seven states have a strict acquisition-based standard, and only a couple of those states link their definition of encryption to FIPS 140-2. In comparison to risk-based states, where one assesses the potential risk to a consumer resulting from theft of sensitive information, the federal standard is more helpful in the sense that it highlights key criteria to be evaluated in assessing risk to consumers. [...]

9th Circuit Decision in LVRC Holdings Rejects 7th Circuit’s Holding in Citrin Based on a Motivation Theory of Liability Under the Computer Fraud and Abuse Act

The Ninth Circuit rejected an employer's argument that a former employee violated the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030, when he emailed company client lists and financial data to himself for personal use. LVRC Holdings LLC v. Brekka, ___ F.3d ___, 2009 WL 2928952 (9th Cir. 2009). Superficially this decision is at odds with another decision in the Seventh Circuit. The employer in LVRC Holdings based its theory on the 7th Circuit's application of agency law as a basis for finding liability under the CFAA. However, the 9th Circuit decision seems sound and consistent with avoiding turning the CFAA into a catchall basis for finding criminal and/or civil liability in the absence of other relevant legal authority. While I disagree with the reasoning of the 7th Circuit's decision, I believe justice was served in both cases, and the 9th Circuit laid out a logically more stable basis for assessing liability under the [...]

Updated -- Summary of 50 State Security Breach Notification Laws

Attached is an updated summary of the major provisions of the security breach statute of each state that has enacted one. In the event of a security breach, you should consult legal counsel to ascertain the appropriate method of notification and other requirements. To date, forty-five states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. States with no security breach laws include: Alabama, Kentucky, Mississippi, New Mexico, and South Dakota. Arkansas, California, Minnesota, and Texas now include health information within the scope of their respective security breach statutes by including health information within the definition of personal information. Eight states take an acquisition-based approach when defining whether notice should be given, while the remaining states take a more pragmatic risk assessment of the likelihood of harm as controlling whether notice should be sent to consumers. [...]

Excellent Article from American Health Lawyers Association's Healthcare Liability & Litigation Health Briefs, 9/9/09, by Kristen McDonald. (Republished with permission from the author.)

What happens if the offices of a covered entity are broken into and unsecured protected health information (PHI) of more than 500 individuals is stolen? With the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act,[1] the ramifications to the covered entity and potential liability stemming from such a breach[2] are significant to say the least. Not only is the covered entity required to notify the affected individuals of the breach of unsecured PHI,[3] but also the covered entity must notify the media and the Department of Health and Human Services Secretary (HHS Secretary) of potentially damaging information concerning the breach. The HITECH Act's requirement to report details of a significant breach not only to the affected individuals but also to the media and the Secretary may negatively impact the covered entity's goodwill in the community and cause a loss of business. Of particular concern to the covered entity's litigation counsel, though, is the potential liability that the covered entity may face due to the [...]

Is Truly De-identified Data an Impossibility?

Social networking sites, efficient search tools (Bing, Dogpile, Google, Yahoo), blogs, cookies, mailing lists, message boards, ActiveX controls and embedded JavaScript on websites, and other databases make it easy to identify that new business prospect or to cross-reference materials from multiple sources to yield unique insights into a matter of interest. However, these same online repositories of data are making it much more difficult to maintain the anonymity of those whose confidential information has been de-identified. De-identified data has many useful purposes; in aggregate it can be used for tracking disease and flu outbreaks, for tax purposes, etc. There is a darker use of these many data sources, where those in our society who are ethically challenged use them for socially unproductive purposes. [...]

Evaluating Security Incidents — Security Incident DOs and DON'Ts

Security incidents can be accidental incursions or deliberate attempts to break into systems, and they can range from benign to malicious in purpose or consequence. Each incident requires a careful response at a level commensurate with its potential impact on the security of individuals and of your organization as a whole; however, few organizations have an appropriate security incident policy. The fundamental components of a security incident response plan include the following — [...]

The Federal False Claims Act and the Anti-kickback laws are a dangerous one-two punch: Pfizer settlement of $2.3 billion in penalties.

Pfizer is to pay $2.3 billion to resolve criminal and civil health care liability relating to fraudulent marketing and the payment of kickbacks: (1) it is the largest combined federal and state health care fraud settlement in the history of the Department of Justice; and (2) the resolution includes $1.3 billion in criminal fines and forfeiture and a combined federal and state civil False Claims Act settlement of $1 billion. The September 3, 2009, settlement is the third in which Pfizer has signed a corporate integrity agreement (CIA). Realtors get $103 [...]
