The Massachusetts Supreme Judicial Court Holds that ZIP Codes Constitute “Personal Identification Information”
On March 11, 2013, in Melissa Tyler v. Michaels Stores, Inc., the Massachusetts Supreme Judicial Court ("SJC"), in responding to three certified questions from the United States District Court for the District of Massachusetts, held: (1) ZIP Codes constitute personal identification information ("PII"); (2) a person may bring an action under General Laws, chapter 93, section 105(a) absent identity fraud; and (3) the term "credit card transaction form" "refers equally to electronic and paper transaction forms." The questions arose out of a class action lawsuit against Michaels for allegedly requesting and recording its credit card customers' ZIP Codes in violation of Section 105(a). This decision has parallels to the California Supreme Court decision in Pineda v. Williams-Sonoma Stores, Inc. In Pineda, the California Supreme Court held that ZIP Codes were PII under California's Song-Beverly Credit Card Act, Civil Code section 1747.08.
Source: Cooley Alert
California’s Supreme Court has ruled Apple did not violate state law by requiring customers to provide personally identifiable information (PII) to complete online credit card transactions, CNET News reports. Plaintiff David Krescent filed a proposed class-action suit in June 2011 after he was allegedly required to provide his telephone number and address for an online purchase from Apple. The majority found California’s Song-Beverly Credit Card Act, forbidding the collecting of PII for transactions, applies only to brick-and-mortar businesses. “The statutory language suggests that the legislature…did not contemplate commercial transactions conducted on the Internet,” said Justice Marvin Baxter in the ruling.
This afternoon, HHS released the attached omnibus final rule modifying the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules as required the Health Information Technology Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act (GINA).
Notably, the final rule makes business associates of covered entities directly liable for certain HIPAA Privacy and Security rule requirements; expands individuals’ right to receive electronic copies of their health information; incorporates an increased tiered and civil money penalty structure as provided by the HITECH Act; changes to the “harm” definition included in the HIPAA Breach Notification interim final rule; and modifies the HIPAA Privacy Rule as required by GINA.
Link: HIPAA Final Rule
On Wednesday, CMS announced that it has delayed the enforcement date for the first two operating rules for HIPAA transaction standards, AHA News reports (AHA News, 1/3).
CMS said that its Jan. 1 compliance deadline for the operating rules remains intact, but it will not begin enforcing the rules until March 31 (Conn, Modern Healthcare, 1/4).
Read more: http://www.ihealthbeat.org/articles/2013/1/4/officials-delay-enforcement-of-two-hipaa-operating-rules.aspx#ixzz2HFYbhIRe
Covered Entities and HIPAA practitioners should be aware that the Office of Civil Rights (OCR) has issued guidance about methods and approaches to achieve de-identification in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The full text is available here:
Source: IAPP Full Story
The operator of fan Web sites for pop stars Justin Bieber, Selena Gomez, Rihanna and Demi Lovato agreed to pay a $1 million civil penalty to settle federal charges that the
sites had illegally collected personal information about thousands of children, the Federal Trade Commission said Wednesday.
Artist Arena, a company that operates fan web sites for pop stars like Justin Bieber and Selena Gomez, agreed to settle federal charges that the sites had violated a children's privacy protection law.
In a complaint, the Federal Trade Commission alleged that Artist Arena, the operator of the sites, had violated a children’s online privacy rule by collecting personal details — like the names, e-mail addresses, street addresses and cellphone numbers — of about 101,000 children aged 12 or younger without their parents’ permission.
The law, called the Children’s Online Privacy Protection Act, or COPPA for short, requires operators of Web sites to notify parents and obtain verifiable parental consent before collecting, using or disclosing personal information about children younger than 13.
Source: New York Times
In late 2010, Sean Brooks received three e-mails over a span of 30 hours warning that his accounts on LinkedIn, Battle.net, and other popular websites were at risk. He was tempted to dismiss them as hoaxes—until he noticed they included specifics that weren't typical of mass-produced phishing scams. The e-mails said that his login credentials for various Gawker websites had been exposed by hackers who rooted the sites' servers, then bragged about it online; if Brooks used the same e-mail and password for other accounts, they would be compromised too.
The warnings Brooks and millions of other people received that December weren't fabrications. Within hours of anonymous hackers penetrating Gawker servers and exposing cryptographically protected passwords for 1.3 million of its users, botnets were cracking the passwords and using them to commandeer Twitter accounts and send spam. Over the next few days, the sites advising or requiring their users to change passwords expanded to include Twitter, Amazon, and Yahoo.
"The danger of weak password habits is becoming increasingly well-recognized," said Brooks, who at the time blogged about the warnings as the Program Associate for the Center for Democracy and Technology. The warnings, he told me, "show [that] these companies understand how a security breach outside their systems can create a vulnerability within their networks."
The ancient art of password cracking has advanced further in the past five years than it did in the previous several decades combined. At the same time, the dangerous practice of password reuse has surged. The result: security provided by the average password in 2012 has never been weaker.
Read the full article here