Van Buren v. United States, No. 19-783 (U.S. filed Dec. 18, 2019), is a case in which the Petitioner has asked the Supreme Court of the United States to rule on whether a person who is authorized to access information on a computer for certain purposes violates the Computer Fraud and Abuse Act if the same information is accessed for an unauthorized purpose. Van Buren requests that the Court reverse the judgment of the 11th Circuit that the Act should be interpreted broadly as covering access to information beyond stated use restrictions. The petitioner's brief points out that, under that interpretation, any access to information on a computer that violates a business's policies, a website's terms of service, or other restrictions would constitute a federal crime. Van Buren maintains that even if the government states it will not prosecute all violations of the Act, the Court should rule that section 1030 of the Act only concerns unauthorized computer hacking. Violations of private rules or state laws about the use of computer data should not be federal crimes.


While employed as a police officer, Van Buren, in exchange for $5,000, looked up a license plate number in a database that he was authorized to use as part of his regular duties.


The reply brief has been filed in this case, and it has been circulated to the Court for consideration at a conference. I will post about the decision when it is published.



 
 
  • Oct 28, 2020

Updated: Nov 1, 2020

LabCorp is one of a few large companies that conduct most of the clinical lab testing in the United States. On its website, it has posted a notice of privacy practices under the Healthcare Insurance Portability and Accountability Act of 1996.


In addition to acknowledging that it may disclose protected health information (PHI) for treatment and healthcare operations, LabCorp states that it may also disclose PHI to its business associates; to law enforcement for the identification of a suspect or victim of a crime; and to authorities for public health reasons.


LabCorp also reserves the right to anonymize patient information:


"De-identified Information and Limited Data Sets: LabCorp may use and disclose health information that has been 'de-identified' by removing certain identifiers making it unlikely that you could be identified. LabCorp also may disclose limited health information, contained in a 'limited data set'.  The limited data set does not contain any information that can directly identify you.  For example, a limited data set may include your city, county and zip code, but not your name or street address."


LabCorp states that it will consider requests by patients to limit the use and disclosure of their PHI. LabCorp honors requests by patients for a full accounting of all disclosures of their PHI over the past six years.


LabCorp also responds to individuals who ask to update their PHI.




 
 

In 2018, Michigan enacted its Data Security Act which applies to persons and entities with licenses from its Department of Insurance and Financial Services.


In order to comply with the act it is necessary to:


1. Prepare a Written Information Security Program (WISP).

2. File a certificate of compliance with the Department each year.

3. Report breaches to the Department within 10 days after discovery.


Massachusetts also has cybersecurity regulations which require that a WISP be filed. A template of a WISP that complies with Massachusetts law and the Gramm-Leach-Bliley Act has been prepared by Thomson Reuters and is available here on the website of the International Association of Privacy Professionals (IAPP). A WISP should cover the following:


1. Define personal information and sensitive information.

2. Designate a person responsible for implementing the WISP.

3. Provide for regular risk assessments.

4. Direct the distribution of information security policies within the organization.

5. Monitor service providers to ensure they comply with the WISP.

6. Establish incident response procedures.


 
 

Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea