Data Protection / Privacy 7/15
top of page
Search
    • Nov 9, 2020

SCOTUS to Rule on Whether Unauthorized Access to Computer Data Is a Federal Crime

Van Buren v. United States, No. 19-783 (U.S. filed Dec. 18, 2019), is a case in which the Petitioner has asked the Supreme Court of the United States to rule on whether or not a person who is authorized to access information on a computer for certain purposes violates the Computer Fraud and Abuse Act if the same information is accessed for an unauthorized purpose. Van Buren requests that the Court reverse the judgment of the 11th Circuit that the Act should be interpreted broadly as covering access to information beyond stated use restrictions. The petitioner's brief points out that any access on a computer to information which violates a business's policies; a website's terms of service; or other restrictions would constitute a federal crime. Van Buren maintains that even if the government states it will not prosecute all violations of the Act, the Court should rule that section 1030 of the Act only concerns unauthorized computer hacking. Violations of private rules or state laws about the use of computer data should not be federal crimes.


While employed as a police officer, Van Buren looked up a license plate number in a database that he was authorized to use as part of his regular duties in exchange for $5,000.


The reply brief has been filed in this case, and it has been circulated to the Court for consideration at a conference. I will post about the decision when it is published.



37 views0 comments
    • Oct 29, 2020

LabCorp and PHI

Updated: Nov 2, 2020

LabCorp is one of a few large companies that conduct most of the clinical lab testing in the United States. On its website, it has posted a notice of privacy practices under the Healthcare Insurance Portability and Accountability Act of 1996.


In addition to acknowledging that it may disclose protected health information (PHI) for treatment and healthcare operations, it will also may also disclose PHI to its business associates; to law enforcement for the identification of a suspect or victim of a crime; and to authorities for public health reasons.


LabCorp also reserves the right to anonymize patient information:


"De-identified Information and Limited Data Sets: LabCorp may use and disclose health information that has been 'de-identified' by removing certain identifiers making it unlikely that you could be identified. LabCorp also may disclose limited health information, contained in a 'limited data set'.  The limited data set does not contain any information that can directly identify you.  For example, a limited data set may include your city, county and zip code, but not your name or street address."


LabCorp states that it will consider requests by patients to limit the use and disclosure of their PHI. LabCorp honors requests by patients for a full accounting of all disclosures of their PHI over the past six years.


LabCorp also responds to individuals who ask to update their PHI.




9 views0 comments
    • Oct 26, 2020

State Laws Require Businesses to Will o' WISP

In 2018, Michigan enacted its Data Security Act which applies to persons and entities with licenses from its Department of Insurance and Financial Services.


In order to comply with the act it is necessary to :


1. Prepare a Written Information Security Program (WISP).

2. File a certificate of compliance with the Department each year.

3. Report breaches to the Department within 10 days after discovery.


Massachusetts also has cybersecurity regulations which require that a WISP be filed. A template of a WISP that complies with Massachusetts law and the Gramm-Leach-Bliley Act has been prepared by Thomson Reuters and is available here on the website of the International Association of Privacy Professionals (IAPP). A WISP should cover the following:


1. Define personal information and sensitive information.

2. Designate a person responsible for implementing the WISP.

3. Provide for regular risk assessments.

4. Direct the distribution of information security policies within the organization.

5. Monitor service providers to ensure they comply with WISP.

6. Establish Incident response procedures.


7 views0 comments
bottom of page