Reasonable Expectation Legal Blog Focusing On Privacy and Data Security Issues

13 Mar 2013

The Massachusetts Supreme Judicial Court Holds that ZIP Codes Constitute “Personal Identification Information”

On March 11, 2013, in Melissa Tyler v. Michaels Stores, Inc., the Massachusetts Supreme Judicial Court ("SJC"), in responding to three certified questions from the United States District Court for the District of Massachusetts, held: (1) ZIP Codes constitute personal identification information ("PII"); (2) a person may bring an action under General Laws, chapter 93, section 105(a) absent identity fraud; and (3) the term "credit card transaction form" "refers equally to electronic and paper transaction forms." The questions arose out of a class action lawsuit against Michaels for allegedly requesting and recording its credit card customers' ZIP Codes in violation of Section 105(a). This decision has parallels to the California Supreme Court decision in Pineda v. Williams-Sonoma Stores, Inc. In Pineda, the California Supreme Court held that ZIP Codes were PII under California's Song-Beverly Credit Card Act, Civil Code section 1747.08.

Source: Cooley Alert

http://www.cooley.com/massachusetts-supreme-judicial-court-holds-ZIP-codes-constitute-personal-identification-informaiton?MailKey=5546656

Filed under: Privacy

6 Jan 2013

Officials Delay Enforcement of Two HIPAA Operating Rules

On Wednesday, CMS announced that it has delayed the enforcement date for the first two operating rules for HIPAA transaction standards, AHA News reports (AHA News, 1/3).

CMS said that its Jan. 1 compliance deadline for the operating rules remains intact, but it will not begin enforcing the rules until March 31 (Conn, Modern Healthcare, 1/4).

Read more: http://www.ihealthbeat.org/articles/2013/1/4/officials-delay-enforcement-of-two-hipaa-operating-rules.aspx#ixzz2HFYbhIRe

Filed under: Privacy

28 Nov 2012

OCR Issues Guidance on the Use of De-Identified Health Information


Covered Entities and HIPAA practitioners should be aware that the Office of Civil Rights (OCR) has issued guidance about methods and approaches to achieve de-identification in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The full text is available here:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html

Filed under: HIPAA, News, Privacy

8 Nov 2012

California Issues App Developer Noncompliance Notice

California Attorney General Kamala Harris has reportedly sent out notices warning as many as 100 mobile app developers that they must conspicuously post privacy policies within the next 30 days to be in compliance with the California Online Privacy Protection Act, Bloomberg reports. The new state protocol requires mobile applications that collect personal data within the state to post a privacy policy stating what data is collected and how it will be used. Harris said, “We have worked hard to ensure that app developers are aware of their legal obligations to respect the privacy of Californians, but it is critical that we take all necessary steps to enforce California’s privacy laws.”

Source: IAPP Full Story

Filed under: News, Privacy

3 Oct 2012

Fan Sites for Pop Stars Settle Children’s Privacy Charges

The operator of fan Web sites for pop stars Justin Bieber, Selena Gomez, Rihanna and Demi Lovato agreed to pay a $1 million civil penalty to settle federal charges that the sites had illegally collected personal information about thousands of children, the Federal Trade Commission said Wednesday.

Artist Arena, a company that operates fan web sites for pop stars like Justin Bieber and Selena Gomez, agreed to settle federal charges that the sites had violated a children's privacy protection law. Source: New York Times

In a complaint, the Federal Trade Commission alleged that Artist Arena, the operator of the sites, had violated a children’s online privacy rule by collecting personal details — like the names, e-mail addresses, street addresses and cellphone numbers — of about 101,000 children aged 12 or younger without their parents’ permission.

The law, called the Children’s Online Privacy Protection Act, or COPPA for short, requires operators of Web sites to notify parents and obtain verifiable parental consent before collecting, using or disclosing personal information about children younger than 13.

Source: New York Times

Filed under: News, Privacy

19 Jul 2012

California Starts Up a Privacy Enforcement Unit

Watch out, Silicon Valley, there’s a new startup in town and it’s gunning for you. California Attorney General Kamala Harris announced Thursday she’s created a unit intended to actually enforce federal and state privacy laws.

“The Privacy Unit will police the privacy practices of individuals and organizations to hold accountable those who misuse technology to invade the privacy of others,” California’s top attorney said in a statement.

The announcement of the unit, comprised of six attorneys, comes just months after Harris inked a February agreement with Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research in Motion to demand that mobile apps on their platforms contain privacy policies. Facebook signed on last month.

Source: Wired Threat Level

Filed under: News, Privacy

5 Jul 2012

OCR Director Leon Rodriguez Says Tolerance for HIPAA Non-Compliance Is Low

On June 7, 2012, at the annual Safeguarding Health Information: Building Assurance through HIPAA Security Conference hosted in Washington, D.C. by the Department of Health and Human Services Office for Civil Rights (“OCR”) and the National Institute of Standards and Technology (“NIST”), OCR Director Leon Rodriguez said that, given HIPAA’s 15-year history and the substantial technical assistance OCR and NIST have provided covered entities, tolerance for HIPAA non-compliance is “much, much lower” than it has been in the past.

In his remarks, Director Rodriguez indicated that the final omnibus rule modifying the HIPAA Privacy, Security and Enforcement Rules is “very close.” Director Rodriguez reiterated that the modifications will include extending HIPAA liability to business associates, but emphasized that business associates should not wait for the final rule to be enacted to focus on compliance. This is particularly true, according to Director Rodriguez, in light of the ability of state Attorneys General to enforce the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act), as evidenced by Minnesota Attorney General Lori Swanson’s recent lawsuit against Accretive Health, a business associate that suffered a security breach compromising patient data. Director Rodriguez stated that he would not be surprised if other state Attorneys General began enforcing the HITECH Act in the business associate context.

Full Story

Filed under: HIPAA, News, Privacy

23 Jan 2012

Breaking News: Warrant Required for GPS Tracking

In the case of United States vs. Jones, the Supreme Court has held that a warrant is required prior to the use of GPS tracking. Writing for the majority, Justice Antonin Scalia wrote, “We hold that the government’s installation of a G.P.S. device on a target’s vehicle, and its use of that device to monitor the vehicle’s movements, constitutes a ‘search,’”

Opinion

Filed under: News, Privacy

30 Aug 2011

A Guide to Facebook Security

This should be required reading for anyone using Facebook. I recommend that everyone take some time to read through this very informative guide.

https://www.facebook.com/safety/attachment/Guide%20to%20Facebook%20Security.pdf

Filed under: Privacy, Security

9 Aug 2011

California DNA Act Ruled Unconstitutional

Big news coming out of California today as the Court of Appeals struck down a law requiring every adult arrested on a felony charge to submit a DNA sample.

In People v. Mark Buza, the court held that the Forensic Identification Data Base and Data Bank Act of 1998 ("DNA Act") violated the Fourth Amendment right to be free from unreasonable searches and seizures.

“What the DNA Act authorizes is the warrantless and suspicionless search of individuals, before a judicial determination of probable cause to believe they have committed a crime, for evidence of crime unrelated to that for which they have been arrested[.]”

The court rejected an argument by the attorney general that the DNA Act was an effective crime-solving tool.

While California is not the only state to have a statute like this on the books, it is certainly one of the first to hold that the DNA collection violates an individual's right to privacy. Despite this ruling, those arrested for federal crimes must still submit a DNA sample.  See EFF on US v. Pool.

Source: People v. Mark Buza