Saturday, September 13, 2008

Hackers On The Loose

Privacy Protection Mandated by Law



By RICHARD MEEHAN

The Cool Justice Report
www.cooljustice.blogspot.com

Sept. 13, 2008

EDITOR'S NOTE: This column is available for reprint courtesy of The Cool Justice Report, http://cooljustice.blogspot.com

Recent news reports have detailed a growing number of instances in which hackers have invaded otherwise secure Internet sites and hijacked personal identity information.

In response, the Connecticut Legislature has created Public Act 08-167, An Act Concerning The Confidentiality of Social Security Numbers. The act provides in pertinent part, "Any person in possession of personal information of another person shall safeguard the data, computer files and documents containing the information from misuse by third parties, and shall destroy, erase or make unreadable such data, computer files and documents prior to disposal." The act becomes effective Oct. 1.

It defines "personal information" to include Social Security numbers, driver's license numbers, state identification card numbers, an account number, a credit card or debit card number, passport number, alien registration number or health insurance number. It excludes publicly available information. Persons or entities with this responsibility are also charged with the obligation to inform you of the existence of a privacy policy enforcing the Act's mandates.

Violations can lead to civil fines: $500 and up to $500,000 for a single event. Unintentional violations are not punished. For persons or agencies regulated by the state, it can include referral for disciplinary action. Thus, doctors or dentists who fail to adhere to the act can be referred to the Department of Public Health. Lawyers who violate the act can be brought before the Statewide Grievance Committee.

The failure to safeguard identity information can lead to a lawsuit for money damages. Prior to the effective date of the new law such a lawsuit would be based on common law negligence -- that is, the failure to do what a reasonable person would do under the circumstances. After Oct. 1, this law may serve as the basis for any future lawsuit.

Violations of a statute that give rise to a claim for money damages are grounded in the doctrine of negligence per se. The doctrine of "negligence per se" allows a plaintiff to establish legal responsibility merely by proving that the defendant violated a statutory obligation that was designed to protect people within the class to which the plaintiff belonged, without the need to prove whether the conduct violated the "reasonable person" standard inherent in negligence.

While well intended, the new law potentially creates some confusion. It only punishes intentional violations of its provisions. It does not impose civil fines for negligent or otherwise unintentional violations. Consider the numerous recent reports of major data losses by banks and others. The number of people potentially affected is often in the millions. Let's assume a situation where a bank is aware that its Internet security protocol has flaws that will expose the protected information to hackers. If that bank's system has been hacked, this act provides no penalty unless it can be proved that the bank intentionally failed to provide the necessary protection.

The law also requires that those it regulates must publish their privacy practices. Identifying those policies on a website satisfies the act's notice requirement. Medical and dental professionals have adhered to a similar requirement since the passage in 1996 of the Health Insurance Portability and Accountability Act (HIPAA). Where HIPAA is designed to protect a patient's privacy regarding health information, the new law goes further by creating greater insulation for identity information as well.

Next month when you visit your doctor, lawyer, accountant, banker or other professionals, look for the required notice. If you don't see it, ask how your identity is being safeguarded. Once lost, your identity cannot be easily secured again.

Bridgeport attorney Richard Meehan Jr. was the lead defense counsel for former Bridgeport Mayor Joseph Ganim's corruption trial. Meehan has been certified as a criminal trial specialist by the National Board of Trial Advocacy since 1994 and serves on the organization's Board of Examiners. He is a Charter Fellow, Litigation Counsel of America -- Trial Lawyer Honorary Society. Meehan has also obtained multi-million dollar verdicts and settlements in complex medical and dental malpractice and personal injury litigation. He is a past president of the Greater Bridgeport Bar Association and appears regularly on Court TV. Website, www.meehanlaw.com

