MESSAGES ON SOCIAL NETWORKING SITES HELD NOT AUTOMATICALLY SUBJECT TO SUBPOENA
A judge in the U.S. District Court of Central California has reversed a magistrate judge’s ruling by holding that a plaintiff’s communications on social networking sites and web hosting services cannot be subpoenaed unless they were not intended to be private. The privacy dispute—which pertained to messages on Facebook and MySpace websites—is the first to address the issue. The district judge recognized that various social network communications may have different levels of privacy expectations attached to them and ordered the magistrate judge to hold an evidentiary hearing on the plaintiff’s privacy settings on the websites.
MAN BITES DOG: BANK SUIT AGAINST CYBERCRIME VICTIM SETTLES
In an unusual twist on cyber crime cases, at the beginning of the year PlainsCapital bank sued a business customer who was a victim of cyber crime. In November 2009, cyber thieves wired more than $800,000 out of a PlainsCapital account owned by Hillary Machinery Inc.—approximately $600,000 was ultimately recovered. Hillary wrote to the bank demanding that it repay the balance of the missing funds under the theory that PlainsCapital failed to provide adequate protections for the online account. The bank responded by suing Hillary, requesting that the court declare that PlainsCapital’s security measures were adequate.
PlainsCapital has a security process in place that requires online users to access accounts from authenticated computers. In the Hillary case, though, the bank authenticated computer systems outside the U.S. based on an email that originated from an Italian IP address. Hillary countersued PlainsCapital, claiming that it should have known that a foreign IP address was suspect and verified its authenticity. Furthermore, Hillary claimed that PlainsCapital should have detected an unusual pattern in the wire transfers because Hillary had never wired money outside the U.S. before and the dollar amounts were unusual compared to past practices. Both the suit and subsequent countersuit were settled in May of this year, two days after the court rejected motions by the bank that the case be arbitrated. The terms are confidential and the settlement forestalls a finding on the adequacy of the bank’s security procedures.
FTC DELAYS WIDER RED FLAGS RULE ENFORCEMENT (AGAIN)
In what is becoming a familiar move, the FTC has delayed enforcement of the Red Flags Rule requiring written identity theft prevention programs until December 31, 2010, while Congress contemplates the scope of the rule. This delay affects certain organizations subject to FTC oversight but does not affect any entity subject to one of the financial regulatory agencies.
GUIDANCE ON HOW TO JUDGE RISK UNDER HIPAA
In May, the Office for Civil Rights issued the first in a series of guidance documents on the HIPAA Security Rule, which focused on the risk analysis provision of the rule. The guidance defines “vulnerability”, “threat” and “risk” as used in the risk analysis requirement of the HIPAA Security Rule.