Homeland Security Gets Kansas City Panties In A Knot.

You might know that it would take an article on unmentionables to get me back on the blog horse. Well, thanks DHS, for just such a push. It is reported that Homeland Security raided a Kansas City store and confiscated several dozen pairs of panties with the Kansas City Royals trademark on them.

OK, several questions: (i) Panties?; (ii) Homeland Security?; and (iii) Why Kansas City and not my Cardinals in the World Series? Oh, and what does this have to do with law and technology? More on that later.

First, Panties? A Kansas City shop had hand drawn the KC logo and a crown and printed them on ladies panties. Apparently, it was too similar to the actual Kansas City logo and this brought down the wrath of Major League Baseball, which manifested itself in a raid by a division of Homeland Security set up to police intellectual property right infringements. In the past this has sometimes been handled on a local basis by interdictions on the part of local or state police on tee shirt sales at concerts or illegal use of music in bars. However, apparently this is now a national security matter.

You may ask if counterfeit drawers are of such importance that it justifies a diversion of resources such as this. I might ask the same thing. DHS has a division set up to police this type of thing, primarily at the behest of the movie industry. It would have made more sense if the panties were Ebola-laden or carried the ISIL logo. Anyway, a word to the wise. If panties can be confiscated, it is apparent that software or hardware and bio-medical equipment or compounds, whether carrying a trademark or not, could become subject to this treatment. That's when technology and law intersect, and you don't want to be in that collision.

Insurance Company Gets Sloppy and Unlucky and a $1.2 Million HIPAA Penalty.

As is often the case, health care regulations and tech law overlap. 

Consider the unfortunate case of Affinity Health Plan, Inc., a not for profit managed care plan company in New York.  Affinity leased some copiers.  When the lease ran out on the copiers, Affinity let the copiers go back to the lessor.  The lessor stored the copiers in a warehouse in New Jersey.  As you may or may not know, digital copiers have a hard drive, much like the one in your laptop.  The copier makes a copy (hence the name) on its hard drive of each document run through the copier.  These copies on the hard drive remain until overwritten by other copies or until erased.  Most copiers don't have a readily available function that wipes the drive.

Now, Affinity either didn't know (probably) or didn't care about the copies on the hard drive and didn't take any action to delete them before turning them back to the lessor.  So, Affinity was either sloppy, negligent or uninformed; it doesn't really matter which.  What they were also, was really unlucky. 

Consider this further: there is a company called Digital Copier Security that is owned by a Mr. Juntunen.  Digital Copier Security markets a product to erase information from copier hard drives.  Mr. Juntunen of Sacramento and CBS News of New York somehow got together and decided to do a story on information left on copiers.  You can make your own assumptions as to how they got together and who profits from the arrangement.  Mr. Juntunen and CBS News went to a warehouse in New Jersey and purchased four copiers picked out by Mr. Juntunen.  Affinity's copier was one of the copiers selected.  When Mr. Juntunen removed the hard drive from the Affinity copier and printed out the images left there, several hundred pages of medical records were revealed.  CBS News notified Affinity about this and returned the hard drives to Affinity. 

If this copier hadn't been chosen, it is unlikely that anyone would ever have known about this and probably no records would have been revealed to anyone.  However, saddled with this unfortunate and unwelcome information, Affinity was required, under HIPAA/HITECH regulations, to file a breach report.  Affinity's breach report estimated that almost 350,000 people may have been affected by this breach.  A couple of weeks ago, Affinity settled with Health and Human Services.  The settlement required Affinity to pay a fine of $1,215,780, use best efforts to recover the hard drives from all other copiers they had similarly leased and discarded and to take certain other measures to safeguard all electronic protected health information.

To be fair, the other three copiers purchased by CBS all had sensitive information on them.  One was from the Buffalo, N.Y. Police Sex Crimes Division and it had detailed information on domestic violence complaints and a list of wanted sex offenders.  Another machine from the Buffalo Police Department had a list of targets in a major drug raid.  The other machine was from a construction company and had a number of pay records along with social security numbers.

However, Affinity was the only one that was regulated by HIPAA.  Most unfortunate.

Thus, lessons learned: Things that have digital storage devices, e.g. computers, copiers, fax machines, cameras, smart phones, etc. should be covered in a comprehensive policy that requires their storage to be scrubbed before disposal.  You do not want to be unlucky too.
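The copier story comes down to one control: before any asset with storage leaves your custody, overwrite the storage and verify that nothing recoverable remains.  The script below is an added illustration, not code from the post or from any product mentioned in it.  It treats a small constructed byte string as a "drive image", carves out the printable text a buyer could pull off it (the copier equivalent of running `strings` over the drive), flags anything that looks like regulated data, then simulates a full overwrite and checks the result.  The image contents, the marker words and the SSN-style pattern are all constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a tiny stand-in for a copier hard drive image.  Real copier
# drives hold rendered page images rather than plain text, but the lesson is the
# same: whatever was scanned stays on the drive until it is overwritten.
SAMPLE_IMAGE = (
    bytes(64)                                   # unused sectors
    + b"\xff\xd8\xff\xe0JFIF" + bytes(range(32))  # fragment of an image header
    + b"Patient: Jane Sample  DOB: 01/02/1970  SSN: 123-45-6789"  # constructed PHI
    + bytes(128)
    + b"Buffalo PD target list (constructed)"    # constructed non-PHI residue
    + bytes(32)
)

SSN_LIKE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")   # constructed pattern for the demo
PHI_MARKERS = (b"Patient", b"DOB", b"SSN", b"Dx")  # constructed marker words


def carve_strings(image: bytes, min_len: int = 8) -> List[bytes]:
    """Return runs of printable ASCII left on the image, the way a strings tool would."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0) for m in pattern.finditer(image)]


def classify_findings(strings: List[bytes]) -> List[Tuple[str, bytes]]:
    """Tag each carved string: SSN-like data, PHI marker words, or plain residual text."""
    findings = []
    for s in strings:
        if SSN_LIKE.search(s):
            findings.append(("ssn-like", s))
        elif any(marker in s for marker in PHI_MARKERS):
            findings.append(("phi-marker", s))
        else:
            findings.append(("residual-text", s))
    return findings


def overwrite(image: bytes, pattern: int = 0x00) -> bytes:
    """Simulate a full-drive overwrite with a fixed byte pattern (same length as input)."""
    return bytes([pattern]) * len(image)


def verify_wiped(image: bytes, pattern: int = 0x00) -> bool:
    """Wipe verification: every byte matches the pattern and nothing printable carves out."""
    return image == bytes([pattern]) * len(image) and not carve_strings(image)


def disposal_check(image: bytes) -> Dict[str, object]:
    """Pre-disposal report: what is still recoverable and whether the asset may be released."""
    findings = classify_findings(carve_strings(image))
    return {"findings": findings, "release_ok": not findings and verify_wiped(image)}


if __name__ == "__main__":
    before = disposal_check(SAMPLE_IMAGE)
    for reason, text in before["findings"]:
        print(f"{reason:14} {text.decode('ascii')}")
    print("release before wipe:", before["release_ok"])
    print("release after wipe: ", disposal_check(overwrite(SAMPLE_IMAGE))["release_ok"])
```

The point of `verify_wiped` is that the check is done on the drive after the overwrite, not on the basis of having run a wipe command; a disposal policy that records "wiped" without reading the device back is the kind of paperwork Affinity would have happily produced.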

Updates and Breaking News on Gene Patents, PHI in the Cloud, Class Actions on ClickWraps and SEC Disclosures On Cybersecurity.

Some recent developments in the great, wide world of technology include:

(i)  The Supremes, in a unanimous decision (what?) ruled that naturally occurring genes could not be the subject of patent protection.  However, if you can create a gene artificially, you might still qualify.  Therefore, the creative force described in the Hebrew bible missed his or her chance when, on the sixth day, he or she created all those man genes.  Further, the one year bar and the first to file things have cluttered up the claim.  Also, since man was supposedly created in the image of the creator, there's that pesky prior art issue.  See Assn. for Molecular Pathology v. Myriad Genetics, Inc.

(ii)  The recently released rules under HIPAA provide that entities that store protected health information ("PHI") for a covered entity are business associates even if the storage provider does not routinely access the information.  [See 45 CFR Parts 160 and 164 IV(3)]  On the other hand, a data transmission organization (such as the U.S. Postal Service or an internet service provider) that serves as a mere conduit is not a business associate even if it does access the information occasionally in order to provide the service.  So, cloud providers of storage of PHI must sign a business associate agreement.  It is not clear how long one must hold on to a piece of information to be a storer as opposed to a transferor, or whether encrypting the information in storage without holding the key would serve to exclude the storage provider from the definition of a business associate.

(iii)  In a recent decision by the Seventh Circuit in Harris v. comScore, Inc., the court allowed the certification of a class to stand.  The class was composed of entities that had downloaded comScore's software, which gathered information on the user's activities and sent the information back to comScore's servers.  One of the basic allegations of the plaintiff class was that comScore's clickwrap license was ineffective.  We have discussed this before in this post.  The court did not make factual findings as to any issues; this was only a class certification hearing, and comScore may have legitimate individual defenses to many of the allegations.  However, comScore will have to deal with this in the context of a class action.

(iv)  The Securities and Exchange Commission has regulations in place regarding a publicly traded company's obligation to disclose its controls for cybersecurity and is now considering increasing the stringency of those rules.  A recent study by Willis of Fortune 500 companies finds that a substantial percentage of reporting companies fail (in Willis' opinion) to adequately disclose the company's exposure to cybersecurity issues and the impact on the company if an event occurs.  Look for this to increase in importance as the supposed cybersecurity wars increase in intensity.

New Top Level Domain Name Scheme Approved By ICANN

You will recall that we mentioned in February that the Internet Corporation for Assigned Names and Numbers (ICANN) was proposing opening up the top level domain game to everybody.  ICANN has now approved that move by a vote in Singapore on June 20.  Applications for positions as new top level domain registrars will be accepted for a three month period beginning on January 12, 2012.

So, anyone with $185,000 and an infrastructure for doing registration acceptable to ICANN can get their own top level domain registration business.  As we mentioned before, this will greatly expand the present .com, .edu, .net scheme to anything you could imagine and that ICANN will approve.  This could include names relating to common interests (.badminton, .skiing or .coins), society segments (.democrats, .gay or .baptist), individual company or brand names (.ford, .ibm or .dell), professions (.doc, .law or .cpa) or anything else that can be envisioned and approved.

Get your applications ready.

Stanfield Hiserodt To Present Discussion On Cloud Computing At RISE Tomorrow.

We will be leading a discussion on "Ten Things You Should Know About Cloud Computing Agreements" at Austin RISE Week 2011 tomorrow at 4:00 pm at the PeopleFund offices at 207 Chalmers Avenue in Austin.  If you need something to do during that awkward time between afternoon coffee break and happy hour, come on out and share it with us.

Your Government And Courts At Work.

A few things for your consideration:

1.  The White House's proposed budget includes the authority for the USPTO to charge a surcharge on patent applications.  The proposed budget would provide $2.7 billion for fiscal 2012 with one of the stated objectives to reduce the backlog of 720,000+ applications.

2.  By Executive Order 13565 of February 8, 2011, the White House established two I.P. committees.  One is the Senior Intellectual Property Enforcement Advisory Committee, which will facilitate the formation and implementation of each Joint Strategic Plan, which will be developed by the other committee established, the Intellectual Property Enforcement Advisory Committee.  As is evidenced by their names (i.e. Senior and not Senior) the Senior Advisory Committee will be comprised of cabinet level members or their designees and the Enforcement Advisory Committee will be comprised of representatives from the USPTO, DOJ, Department of Commerce and others.

3.  Health and Human Services through its Office for Civil Rights has assessed its first ever civil penalty for violation of HIPAA.  The penalty was $4.3 million against Cignet Health of Prince George’s County, Md.  Cignet failed or refused to provide health records to at least 41 patients and then apparently stonewalled the patients and requests from the Office for Civil Rights to the extent that the Office for Civil Rights obtained a default judgment against them.  Cignet also apparently was uncooperative in the investigation into this affair.  The penalty was $1.3 million for failure to provide access to the records and $3.0 million for being uncooperative.

4.  Microsoft was successful in getting a patent infringement suit originally filed in the Eastern District of Texas transferred to the Western District of Washington on the grounds of forum non conveniens.  For some strange reason, there are a lot of patent infringement suits and class actions filed in the Eastern District of Texas.  The plaintiff here, Allvoice, was a U.K. company with an office in the Eastern District of Texas but with no employees there or anywhere in the U.S.  Calls there were transferred to their office in the U.K.  Allvoice was incorporated in Texas but had done so 16 days before the suit was filed.  Forum shop much?  The Circuit Court of Appeals issued a writ of mandamus compelling transfer to Microsoft's home court even though Microsoft had also petitioned to move the case to the Southern District of Texas.


More Sophisticated Spyware Hits Utility Systems - "Stuxnet" Gone Wild

Cyber security experts are scrambling to assess the past effects and the potential of a recently detected malware that has targeted utility systems primarily in the Middle East (beginning in Iran) and the United States. Microsoft has named the Trojan intruder “Stuxnet”.

On a very basic level, here is what Stuxnet does:
1. So far, it has targeted a Siemens system (SCADA) used primarily in the operation and control of electric power plants;
2. It has been carried on USB sticks that, when attached to a computer, automatically execute without any further action by a user, even if the AutoRun function is disabled;
3. The Trojan then seeks out and copies certain database information, including power plant designs;
4. Stuxnet exploits a flaw in the handling of shortcut link files in Windows.

Microsoft has issued a workaround that essentially turns off the shortcut function and changes the appearance of shortcut icons on the screen.

So, if this only targets utility companies, unless you are a utility company or have one as a client, why should you care? Experts surmise that this was created to carry out industrial espionage but the same technique can be used for other targets. It could be used to target other trade secrets, personal financial information, medical records, etc.

We talked to a local security expert, and there are reports that Stuxnet or variants are “in the wild” and could be delivered by means other than USB sticks, such as over networks and from remote web servers.

McAfee alleges that it has a defense against Stuxnet as does Symantec. As we noted in earlier posts (see here and here), these are examples of blacklisting. CoreTrace has demonstrated effectiveness against the intruder by using the whitelisting capabilities of its product Bouncer. See the YouTube video here:  http://bit.ly/bFCEdc.
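The blacklisting/whitelisting distinction drawn above is worth seeing in code.  The script below is an added example, not code from the post or from McAfee, Symantec or CoreTrace.  It models the two control approaches over a handful of constructed byte strings standing in for executables: a denylist blocks only what it has already seen (a known hash or a byte signature), so a variant with a single byte changed runs; an allowlist permits only binaries whose hash an administrator has approved, so the variant is blocked by default, but so is a legitimate update that has not yet been approved, which is the operational cost of the approach.  All sample names, hashes and signatures are constructed.

```python
import hashlib
from typing import Dict, List, Set


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# Constructed stand-ins for executables.  Real products inspect PE files; a few
# byte strings are enough to show how the two decision models behave.
APPROVED_APP = b"MZ-approved-hmi-client-v1"
APPROVED_APP_UPDATED = b"MZ-approved-hmi-client-v2"   # legitimate update, not yet approved
KNOWN_SAMPLE = b"MZ-dropper-payload-ABCD-1234"        # what the vendor has a signature for
VARIANT = b"MZ-dropper-payload-ABCE-1234"             # same family, one byte changed

# Blacklisting (default-allow): block what is known bad, by hash or byte signature.
DENY_HASHES: Set[str] = {sha256(KNOWN_SAMPLE)}
DENY_SIGNATURES: List[bytes] = [b"payload-ABCD"]

# Whitelisting (default-deny): run only hashes an administrator has approved.
ALLOW_HASHES: Set[str] = {sha256(APPROVED_APP)}


def denylist_decision(blob: bytes) -> str:
    """Signature/hash blacklisting: anything not recognised as bad is allowed to run."""
    if sha256(blob) in DENY_HASHES:
        return "block"
    if any(sig in blob for sig in DENY_SIGNATURES):
        return "block"
    return "allow"


def allowlist_decision(blob: bytes) -> str:
    """Application whitelisting: anything not explicitly approved is blocked."""
    return "allow" if sha256(blob) in ALLOW_HASHES else "block"


def compare(samples: Dict[str, bytes]) -> Dict[str, Dict[str, str]]:
    """Run both controls over each sample and return the decisions side by side."""
    return {
        name: {"denylist": denylist_decision(blob), "allowlist": allowlist_decision(blob)}
        for name, blob in samples.items()
    }


SAMPLES = {
    "approved_app": APPROVED_APP,
    "approved_app_updated": APPROVED_APP_UPDATED,
    "known_sample": KNOWN_SAMPLE,
    "variant": VARIANT,
}

if __name__ == "__main__":
    for name, decisions in compare(SAMPLES).items():
        print(f"{name:22} denylist={decisions['denylist']:5} allowlist={decisions['allowlist']}")
```

The row to look at is `variant`: the denylist lets it run because neither its hash nor the signature string matches, while the allowlist blocks it without ever having heard of it.  The row after that, `approved_app_updated`, shows why whitelisting is not free: every legitimate software update has to be approved before it can run.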

This attack seems to be much more targeted and much more sophisticated than most of the prior threats and may herald a new age of malware menace.

So, it’s a dangerous cyber world out there. Use protection.

Health Care Reform and IT

One of the initiatives contained in the newly passed healthcare reform bill is the move towards electronic health records.  This will obviously have a tremendous impact on data management by IT departments everywhere.  This article discusses some of the changes that we can expect after the "deluge of data."

"As the impact of the new law works its way through the healthcare system, Mark Bowker, analyst at Enterprise Strategy Group, said he expects to see more data center consolidation, greater challenges around database management and an uptick in desktop virtualization adoption.

Earlier this year, an ESG report found that the total 2010 healthcare IT spend will increase by 67 percent compared with last year. There also will be a 50 percent increase in new IT staff positions in 2010, ESG said."

The bill also contains potential IT opportunities in a number of other areas.