Could the Government Seize Control of the Internet?

The text of the Cybersecurity Act of 2009 (the “Act”) is now available, and individuals, organizations and associations, and, of course, lawyers, are now starting to digest its contents.

This legislation, introduced by Sens. Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine), would appear to give the federal government sweeping and unprecedented authority over the Internet. Section 2 of the bill starts off with a lengthy series of observations about horrible things and consultants’ wisdom concerning our vulnerability to “attack.” Curiously, it is unclear exactly how the bill and the powers to be granted the government will correct that issue. But I digress.

So when the title of this post says “the Internet,” you’re kidding, right? Of course, you must mean government-operated networks or defense or intelligence systems, right? Well . . . not really. Hmm. Then you must mean those critical infrastructure systems related to national defense – you know, communications and transportation systems? Well . . . not exactly. You see the bill includes, within the meaning of systems and networks covered by the Act, “State, local, and nongovernmental information systems and networks in the United States designated by the President as critical infrastructure information systems and networks.” In other words, we’ll know what they are when the President tells us what they are. Comforting for federal legislation, isn’t it?

“Non-governmental” includes financial institutions – then again, the government already owns a chunk of those anyway – wired and wireless carriers, electricity grids, gas and power systems, and air and rail transportation systems, to name a few. All of these are currently in the hands of private companies and management. Go ahead, name some systems that aren’t directly or indirectly critical or connected to critical systems – my refrigerator, for instance, or your digital music account.

There is even a section in the Act that proposes to enable the President, with almost no restriction, to shut down all message traffic on the Internet in an “emergency,” and to order the disconnection of all critical infrastructure systems in furtherance of national security. Now if that amount of authority, without any guidance or parameters built into the legislation, isn’t enough, here’s more. The bill also gives the Secretary of Commerce the right to access all relevant data concerning these critical infrastructure networks without regard to any provision of law, regulation, rule, or policy that would otherwise temper or restrict such access. No standards. No limits on what data or why. No opportunity for judicial review, much less intervention.

Curiously, just this past June, the Government Accountability Office (GAO), in testimony before Congress entitled Cybersecurity: Continued Federal Efforts Are Needed to Protect Critical Systems and Information, noted that continuing efforts to remedy systems security and network vulnerability needed far less dramatic remediation – fixing things like correcting insufficient access controls, better network management, inadequate or poor audit procedures, ineffective information security programs, and in some cases, simply adding encryption where none exists today. Critics of the Act have questioned whether granting the President far-reaching and ambiguous power is proper, but just as significantly, whether they will actually deal with the problem.

As with many legislative initiatives, this appears to deal with the aftermath of a cyber-attack, not at preventing one from ever occurring. Has it occurred to anyone that mandating standards for security, updating and maintaining security where appropriate, and simply requiring government or other critical systems to practice security measures that have been known for years or even decades, is much more likely to allow the nation to avoid and withstand a cyber-attack?

One can only wonder whether placing control of the Internet in the hands of the government might actually make vulnerability to a devastating cyber-attack greater. When the ‘net was first conceived, it was precisely it’s dispersion, diversity and lack of central control that was at its core, and its endearing and enduring characteristic. No one point of control, no single point of vulnerability. Redundancy, multiple pathways, mirror image reflections and files ensured that if one part was crippled, others would continue to function. True, times change, technology changes, and, so too, must our defense mechanisms and postures. But one has to wonder whether centralizing command and control in an emergency might not just give the bad guys a single point of vulnerability and failure to concentrate on, instead of making it more difficult – precisely when we need the Internet the most. Food for thought.

For information about security (can you say PCI compliance?) or privacy (GLB anyone?) or data breach assistance (is your identity safe?) look up Joseph I. Rosenbaum, send me an email, or contact the Rimon attorney with whom you regularly work. We are happy to help.

Your Medical Information; Just A Mouse Click Away – From Hackers?

This post was written by Adam Snukal.

Kathleen Sebelius, Secretary of the Department of Health and Human Services (“HHS”), hadn’t been on the job even two months when she found herself a defendant in a class-action lawsuit brought in the Southern District of New York. A registered nurse had brought the action against Ms. Sebelius, as well as the White House Office of Health Reform Director and the Administrator of the Centers for Medicare & Medicaid Services, alleging that certain provisions of the American Recovery and Reinvestment Act (“ARRA”) violate privacy rules central to the Health Insurance Portability and Accountability Act (“HIPAA”) and the federal Privacy Act.

The suit claims that pursuant to the ARRA, the development and implementation of a new health care information technology system that will create an electronic medical records database by 2014 will include Americans who are not covered by either Medicare or Medicaid (according to the lawsuit, Medicare and Medicaid only cover approximately 23 percent of the American population). This system, according to the complaint, poses a major threat to individual privacy, placing individuals’ personal health information “just a mouse click away from being accessible to an intruder.”

The action takes issue with ARRA’s provision allowing HHS to determine what constitutes the “minimum necessary” amount of personal health information allowed to be disclosed under HIPAA. According to the suit, “This technology will be used to deprive the Plaintiff and others of their fundamental right to privacy by requiring that their medical records be released by their health care providers and upon entry into the Health Information Technology maintained under the supervision of the Secretary will be made available without the permission of the Plaintiff to an unknown and potentially unlimited number of persons.” The action seeks an injunction to prevent distribution of payments for the purchasing of the electronic health care systems.

The standard of “minimum necessary” is a central tenet of the HIPAA laws, which require that when a health care provider uses or discloses personal health information, or requests personal health information from others, the provider must undertake reasonable efforts to limit itself to “the minimum necessary amount of PHI to accomplish the intended purpose of the use, disclosure, or request.” Under this standard, providers must develop policies and procedures that limit information uses, disclosures and requests to those necessary to carry out the organization’s work. That includes identification of those within the provider’s workforce that need access to carry out their duties, and reasonable efforts to limit access accordingly. HHS has been clear that the minimum necessary standard that health care providers are required to follow calls for the employment of a “reasonableness” analysis, so that a provider’s functions are not unduly restricted.

Few elements of HIPAA have generated more controversy than this standard, but if this court elects to embrace that standard, the likelihood of the success of this action on its merits may seem remote. HIPAA places a heavy emphasis on maintaining the privacy of an individual’s personal health information, and if the ARRA regulations applicable to the manner by which health information electronic systems are permitted to collect and share personal health information are consistent with HIPAA’s standard of reasonableness, there will be a substantial burden of proof for the plaintiffs to overcome.

If you need to know, you need to contact Adam Snukal—or you can always contact your favorite Rimon attorney who will be more than happy to help you.

Employees Off-Work, But Online

This post was written by E. David Krulewicz and Cindy Schmitt Minniti.

Facebook, MySpace and Twitter have become household names, a ubiquitous part of the daily lives of many and often a tool for keeping in touch with friends and family. These websites are increasingly being used by individuals to document their daily lives and activities, voice their concerns and post their opinions for the world to read and to respond. The business community has also turned to these “social media” websites as means for marketing their brands and, in some instances, for obtaining information about current employees and prospective job applicants. A series of recent cases reminds us there are significant risks related to the posting and/or use of information discovered on “social media” websites.

For example, in Pietrylo and Marino v. Hillstone Restaurant Group, a case pending in the Unites States District Court for the District of New Jersey, two individuals sued their former employer after they were terminated for posting complaints about their workplace on an invitation-only discussion forum on MySpace.com. Much to the employees’ surprise, managers from Hillstone Restaurant Group were able to access this discussion board (although the parties dispute whether the managers had a right to do so) and were less than pleased with what they read. The employees were quickly terminated and a lawsuit followed. 

In their complaint, the former employees assert their employer not only violated state and federal Wiretap and Stored Communications Acts by accessing the invitation-only forum, but wrongfully terminated them in violation of New Jersey’s public policy favoring free expression and privacy as embodied in the U.S. and the New Jersey Constitutions. Their employer has denied the claims and asserts the plaintiffs were “at-will” employees who could be terminated for any reason or no reason at all.

Ultimately, the question of liability may hinge upon whether the employees had a right to privacy for statements made online and whether the employer has a right to make disciplinary decisions based on an employee’s off-duty conduct.

Although legal commentators and privacy advocates debate how the trial will unfold when the case goes to trial later this summer, they all agree the case highlights real- world issues that can follow an individual’s seemingly innocent decision to post his or her thoughts on a social networking website. This is far from an isolated incident – indeed, the sports media recently reported a similar incident involving the Philadelphia Eagles’ termination of a long-time employee for disparaging the team’s management and its decision to release a prominent player on his Facebook page.  

While it is unclear if any of the companies in the cases above had a policy or provided instruction to their employees on these issues, it should not surprise you that increasingly business employers are finding they must do so. Clearly, before making decisions or taking action against employees for online, but off-duty conduct, employers should seek legal counsel from lawyers who understand these issues and can guide you in this dynamically evolving environment – where federal and state (and sometimes municipal or local) law may apply and little, if any, precedent currently exists. Worried? Need help? Need to understand more? Contact E. David Krulewicz or Cindy Schmitt Minniti or the Rimon lawyer with whom you work. 

Update:  Today, May 20th, after this story was posted, the U.S. House of Representatives also approved the bill regulating some common credit card and gift card industry practices. It is likely President Obama will sign the bill once it arrives on his desk.

Digital Dilemma – How To Respond When Law Enforcement Knocks

The SEC shows up at your door asking for documents relating to options and securities granted for the past 10 years. Homeland Security Officers arrive at your plant asking to speak to several employees and asking for copies of employment records. State police, having confiscated laptop computers and CD-ROM files during a drug bust, show up at your door asking to compare database records since they suspect that identity theft or credit card fraud may be afoot. The Department of Justice wants to interview several of your employees, claiming some may have entered the United States on non-immigrant visas. Sound far-fetched? Probably not these days.

With the economy in turmoil, corporate officers on the defensive, immigration under attack, and money laundering, piracy, drugs, terrorism and Ponzi schemes making headlines almost every day, law enforcement and regulatory officials are under increasing scrutiny and increasing pressure to protect the public and get results. It doesn’t take much imagination to appreciate that during the course of a criminal investigation, the most compelling evidence often arises from third parties who aren’t even knowingly involved; airline, credit card, hotel, telephone, email and other records can often document the where, when and sometimes how of criminal activity.

From a civil law point of view, competitive pressures can lead to claims of economic espionage and theft of trade secrets, and antitrust issues can arise that will spawn litigation and the compelled disclosure of evidence. Indeed, any corporate executive or corporate lawyer who has ever been on the receiving end of a third party subpoena issued to them—innocent third parties—knows how burdensome and costly such requests for evidence can be, even if you aren’t a party to the lawsuit.

In a digital world, it is also far too easy to collect, maintain and copy vast amounts of information—information accessible with several keystrokes, available on easily transportable magnetic media. For corporations and their executives and managers, growing and often regular dilemmas must be confronted when law enforcement or regulators show up at the door and start asking questions or requesting information. Corporations have legal obligations involving compliance and cooperation with law enforcement and regulatory officials. But they also have responsibilities and legal obligations to their employees and their workplaces—and to their shareholders. If not done properly, cooperating with law enforcement and regulators can lead to lawsuits by employees, customers and, sometimes—if large amounts of time and money are expended because of improper or inadequate procedures—even shareholders. 

Continue reading “Digital Dilemma – How To Respond When Law Enforcement Knocks”

France: Online Ads Could Lead to User Data ‘Merchandising’

In a report entitled “Targeted Online Advertising” (La Publicité Ciblée en Ligne), presented in February and recently released publicly, the French data protection regulatory authority (CNIL) has expressed concern that targeted online advertising could be a conduit for the merchandising of personally identifiable information about online users. 

The CNIL has been examining context-sensitive, behavioral marketing and targeted advertising mechanisms online, and is concerned about privacy implications. The report notes that analyzing online user data for the purpose of serving more relevant advertising involves the collection of Internet protocol addresses, what websites a user arrived from or subsequently visited, and even key words entered by the user. In case you haven’t thought about it, definitions are hardly uniform in laws and regulations around the world, i.e., an IP address is considered personal data in the EU, but is not personally identifiable information in the United States. 

The report raises an alarm over what could be a means of “systematic profiling” and examines what it believes are growing risks to privacy in this context. In France, and many jurisdictions, targeted advertising must comply with the same data protection rules that apply to the use of personal data online. The French authorities have consistently maintained that users should be specifically informed about how their data will be used, and should be given the opportunity to opt out of these uses—even if it means they can no longer use the services available on the site.

The report also specifically notes that many free services on the Internet are actually subsidized by advertising. While “free” is an accurate financial description in a literal sense, consumers often don’t appreciate they are actually paying a “price”—the value of personal information provided in exchange for “free” services they receive online. 

While the report does not attempt to cover mobile or wireless advertising broadly, it does note that adding information about a user’s location through GPS and other technology, adds tracking capability that the CNIL fears will allow for even greater intrusion and profiling of individual behavior. You can read the entire CNIL report in French on their website at “La publicité ciblée en ligne” (Targeted Online Advertising).

FCC Issues Parental Controls’ Inquiry for Video and Audio

On March 3, 2009, the Federal Communications Commission (“FCC”) released a Notice of Inquiry to implement the Child Safe Viewing Act of 2007 (“CSVA”), which directs the FCC to examine advanced parental control technologies that would be compatible with various communications devices and platforms.

Click here to read the full alert, written by Amy S. Mushahwar, Judith L. Harris, and John P. Feldman.

The War on Privacy Opens a New Front

In the aftermath of many well publicized data breaches, in the past few years, more than 40 U.S. states have enacted data breach disclosure laws—“identity theft” statutes—which, among other things, require consumers to be notified when personally identifiable information is or may have been compromised in a database. But recent reports citing ineffectiveness of such legislation (e.g., Carnegie Mellon University researchers found notification laws only reduce identity theft by around 2 percent) and a growing sense that notification laws don’t prevent the problem, have caused some states to examine other approaches. At least two states, Nevada and Massachusetts, have enacted different legislation aimed at prevention, and Washington and Michigan are actively considering new measures.

Continue reading “The War on Privacy Opens a New Front”

Cyber Attacks? It’s Not Just War Games Anymore

Is a cyber attack an act of war? Analysts reported that while the Russian military was acting against the Georgian republic, Georgian websites were also under attack. Cyber warfare can exploit security gaps to take control of civilian infrastructure, such as power grids, as well as government websites and military command and control operations. It has long been known that cyber-weaponry could supplement (and sometimes replace) traditional military activities. But when does a cyber-attack itself constitute an act of war? (We all appreciate the notion of “war” as a historical concept is and continues to change.) Tactics such as urban warfare, bioterrorism and suicide bombers have caused grave concern, not only over government’s ability to deter violent and damaging non-traditional acts of war, but also how to respond when they occur. A big challenge in the cyber warfare world is identifying who did it. In 2007, Estonia asked NATO to come to its defense when a cyber attack disabled government and bank websites. Apparently in 2008 we didn’t need a cyber attack to bring down some of our financial institutions (sorry, couldn’t resist). Question—how does one respond to a cyber attack—with bullets or chips?

Data Breach. Cause for Alarm or a Big Yawn?

By August 2008, there were more publicly disclosed data breaches among U.S. businesses than for all of 2007. More information is created, flowing and stored by commercial enterprise than ever; more clever schemes are being hatched by criminals for hacking or disrupting information; employees don’t appreciate the value of assets you can’t feel; and consumers are befuddled by a maze of privacy notices, data theft notices, credit report advertisements, and scare tactics launched by advocacy groups—well intentioned though they may be. More than 40 U.S. states have laws requiring disclosure of data breaches. If these were intended to create incentives to prevent data breaches and reduce occurrence, how do we explain the steady rise? Are the laws ineffective? Are businesses accountable beyond some adverse publicity, once they provide legally mandated disclosure? Have we become jaded by news reports, privacy and breach notices as just so much junk mail? In the credit card world, consumers generally have a maximum $50 liability if a card is lost or stolen. In situations where there are no real time approvals, credit card companies take the risk. In that environment, a business decision is made to accept certain loses because the potential revenue generated by the business model yields a greater reward. In the world of consumer privacy and personally identifiable information disclosure, who is taking what risk? Studies for years indicate IT professionals appreciate that digital crime—theft of intellectual property, piracy, theft of trade secrets, customer data or employee information—is a problem. Many companies may not even know their security is breached and others have little incentive to solve the problem. Need more information? Come to my web page, contact me and tell me what you think. Call if you need help with a policy, a position or an understanding of your legal rights and obligations. We can help.

Coping With COPPA

The Children’s Advertising Review Unit recently held that screening for age to avoid collecting personal information from children under 13 was not enough. In Bandai America (the website is Bandai’s Wireless.com site), CARU found that although Bandai’s website had a screening mechanism that asked for a date of birth, there was no tracking once a child put in a birth date. Thus, anyone under 13 could come back and enter a different (inaccurate) date of birth to get by the screen. CARU’s COPPA compliance guidelines require that not only must interactive sites have an age screening mechanism, but there also must be some reasonably effective means of tracking so children can’t get around the screening process. Forewarned is forearmed.