Six Years After CAN-SPAM: Effective Spam Control Can Require Both Technical and Litigation Solutions

CAN-SPAM (15 U.S.C. § 7701-7713) was enacted in 2003 in response to a national hue and cry over spam. At the time, unsolicited commercial email was estimated to account for half of all electronic mail traffic. According to the Congressional “findings” in the preamble to the Act, the sheer quantity of spam was doing real damage to the internet, creating costs for storage, accessing, reviewing and discarding unwanted emails, and reducing the reliability and usefulness of electronic mail to the recipient. The findings further stated that “The growth in unsolicited commercial mail imposes significant monetary costs on providers of Internet access services, businesses and educational and nonprofit institutions that carry and receive such mail, as there is a finite volume of mail that such providers, businesses, and institutions can handle without further investment in infrastructure.” 15 U.S.C. § 7701(a).
Given these findings, one would think that CAN-SPAM would impose onerous penalties on spammers. Au contraire, mon frere! Instead of “canning” spam, the act became known as the “Yes, You CAN SPAM Act.” In fact, the Act does nothing to outlaw the sending of unsolicited emails per se.
Rather, the sending of unsolicited emails is permitted as long as a few basic rules are followed. In general: (i) the “from” and “subject” lines in the header must be accurate, relevant to the subject matter of the email and not misleading; a commercial advertiser must also provide its physical address, and a label must be present if the email contains adult content; (ii) the email must contain an “opt-out” mechanism that must be honored within 10 days; and (iii) the email must not be sent to an email address obtained through “address harvesting” or a “dictionary attack,” and must not be sent via automatically created email accounts or through a computer network to which the sender has gained access without authorization.
Another important element of CAN-SPAM is that it provides that “any statute, regulation, or rule of a State . . . that expressly regulates the use of electronic mail to send commercial messages” is “superseded” — i.e., preempted. This means that states cannot enact laws that are expressly directed at preventing the sending of unsolicited email messages or at reducing the quantity of email messages that can be sent by a single person. In other words, CAN-SPAM means that the federal government has refused to prevent spamming per se and has declared that the states can’t do it either (unless the spam is accompanied by “falsity or deception”). The effect is that much of the job of preventing spam per se is in private hands.

U.S. SAFE WEB Act Used by FTC to Prevent U.S. Exporter from Pretending to Be U.K.-Based Site

Internet fraud update: Under the FTC Act, the Federal Trade Commission is empowered to prevent businesses from using unfair methods of competition or engaging in unfair or deceptive practices. 15 U.S.C. § 45(a)(2). However, under the version of the FTC Act that existed prior to 2006, the FTC did not have the authority to regulate such practices unless the business involved “commerce” (i.e., sales, shipments) within the United States. (Fn1) This meant that a business that was solely engaged in the export of goods to countries outside the U.S. was not subject to the FTC’s jurisdiction.

With the rise of the Internet, it became easy for businesses to set up shop in the U.S., but limit their business solely to export to other countries, and thus avoid FTC prosecution for unfair and deceptive trade practices. Because the FTC’s ability to share information about U.S. residents with foreign prosecutors was also limited, this meant that a lot of bad behavior by exporters went unchecked. According to the FTC, this could have made the United States a “haven for fraud.”

In December 2006, Congress passed the U.S. SAFE WEB Act, which amended the FTC Act to fill these loopholes. The U.S. SAFE WEB Act permits the FTC to provide investigative assistance to foreign law enforcement agencies, including conducting investigations to collect information and evidence for these foreign agencies. 15 U.S.C. § 46(j). It also permits the FTC to share investigative materials, such as documents, written reports or answers to questions and transcripts of oral testimony with foreign law enforcement agencies. 15 U.S.C. § 57b-2(6).

In addition, the Act expanded the FTC’s jurisdictional reach to permit it to directly regulate acts involving foreign commerce that: (i) cause or are likely to cause reasonably foreseeable injury within the United States; or (ii) involve material conduct within the United States.

Since the law was signed, the FTC has reported using it in only one prior investigation, which was concluded earlier this year. (For a discussion of this case, see our blog post of July 17, 2009.) The FTC has recently announced the second use of the U.S. SAFE WEB Act in its regulatory action against Los Angeles-based Jaivin Karnani and his company Balls of Kryptonite, LLC (“Karnani”).

According to the FTC’s complaint, Karnani operates two websites, www.bestpricedbrands.co.uk and www.bitesizedeals.co.uk, which sell consumer electronics, such as cameras, video game systems, and computer software, exclusively to customers in the United Kingdom. (Fn2) By using the “.co.uk” suffix, stating prices in pounds sterling, referring to the “Royal Mail” and using U.K. addresses, the websites gave U.K. customers the impression that the businesses were located in the U.K. and subject to U.K. consumer protection laws.

The complaint also alleged that Karnani’s websites didn’t deliver what they promised. Customers were shipped goods with power chargers that were not compatible with U.K. power systems. Because the goods shipped were not manufactured for the U.K. or E.U. markets, customers did not receive manufacturer warranties. Goods were shipped slowly and customer complaints about this slowness were ignored. Customers were also charged high restocking fees.

Security Experts: Health Data Increasingly Being Sold on Black Market

Consumer health data are increasingly being sold on the black market as health care organizations become popular targets for hackers, NPR’s “all tech considered” reports.

Background

According to Symantec, a security firm, health care companies experienced a 72% increase in cyberattacks between 2013 and 2014. There have been more than 270 public disclosures of large health data breaches — which firms are required to disclose — over the past two years, according to “all tech considered.”

Black Market for Health Data

Meanwhile, health data have increasingly been appearing on the black market, with such information often being more costly to purchase than certain financial data. While stolen credit card numbers tend to be sold for a few dollars or even quarters, a set of Medicare ID numbers for 10 beneficiaries found online by Greg Virgin, CEO of the security company RedJack, was being sold for 22 bitcoins, or about $4,700.

Stolen health information available for purchase cannot be found through simple Google searches, and websites offering such data tend to have names that end with .su and .so, as opposed to .com or .org. Some sites for criminal sales feature online rating systems, similar to Yelp, that let the buyer know if the seller is “legit.”

Insufficient Cybersecurity Measures

Meanwhile, security experts say that the cybersecurity measures put in place by health care organizations are not sufficient to adequately combat cyberattacks.

According to “all tech considered,” companies that are subject to HIPAA tend to interpret HIPAA rules loosely.

Jeanie Larson, an expert on health care security, noted that many health care organizations “do not encrypt data within … their own networks.”

In addition, Orion Hindawi — co-founder and chief technical officer at Tanium, a computer network monitoring company — said that some health care organizations are not aware of how large their networks are, including how many computers they have.

The National Healthcare and Public Health Information Sharing and Analysis Center, an industry group Larson is a part of, is pushing for hospitals to invest in cybersecurity to a similar degree as banks. She said, “The financial sector has done a lot with automating and creating fraud detection type technologies, and the health care industry’s just not there” (Shahani, “all tech considered,” NPR, 2/13).

Share With Litigants: Court Orders Social Network Posts Disclosed

A personal injury case in Suffolk County recently became New York’s testing ground for the disclosure of information posted on Facebook and MySpace. In Romano v. Steelcase Inc., the defendant demanded access to the private portions of the plaintiff’s social networking sites, including deleted information. The defendant contended the information would refute the plaintiff’s claims about the extent of her injuries. The plaintiff opposed the defendant’s request on the ground that the disclosure would violate her right to privacy.

Justice Jeffrey Arlen Spinner agreed with the defendant and granted the discovery motion. Finding no New York precedent on this issue, the court cited case law from Colorado and Canada to support its decision. In rejecting the plaintiff’s privacy claims, Justice Spinner observed that the very purpose of social networking sites is to share “personal information” with others. Therefore, since the plaintiff “knew that her information may become publicly available, she cannot now claim that she had a reasonable expectation of privacy.”

The court based its decision largely on the fact that the plaintiff voluntarily posted the information she was seeking to protect. As most social networkers know, however, any of your “Friends” can post information about you (or photos of you) on their pages and there’s not much you can do to stop them. Even if you convince them to remove the information, the history and deleted files are likely to be available. It will be interesting to see how courts will treat the disclosure of information posted by third parties and how privacy arguments will fare in those cases.

Romano v. Steelcase serves as yet another cautionary tale about posting information on the Internet. Even if you delete a compromising photograph or status update, it could be disclosed to your adversary in litigation and used as evidence against you in a lawsuit. While Facebook members and Internet commenters have spent countless hours and immeasurable bandwidth debating Facebook’s privacy settings, in many ways that entire controversy is a red herring. Nothing you post on a social networking site is truly private.

– Nicole  Hyland

Right wing cyber attacks on Healthcare.gov website confirmed

The House Homeland Security Committee recently posted a video on its YouTube account highlighting part of the committee’s questioning of Roberta Stempfley. Stempfley, acting assistant secretary of DHS’s Office of Cybersecurity, confirmed 16 attacks on the Affordable Care Act’s (ACA) website in 2013.

One successful attack Stempfley pointed to was designed to deny access to the site. Called a Distributed Denial of Service, or DDoS, this form of attack is intended to make a network unavailable by repeatedly accessing its servers and saturating them with more traffic than the site was designed to handle.

Right-wingers have distributed the link to the tools needed to perform the attacks. InformationWeek and other sites reported that the tools had been circulated via social media.

“Destroy Obama Care” was the name given to the attack by individuals calling themselves “right wing patriots.”

The message distributed said: “This program displays an alternative page of the ObamaCare website and has no virus, Trojans or cookies. The purpose is to overload the site so as to deny service and possibly crash the system.”

Some news sites have covered this attack, and Congress held hearings to discuss it. Despite being aware of the problem, the mainstream media are ignoring it as they continue to talk about the site not working.

Proposed HIPAA privacy rule on gun background checks open for comments

An advance notice of proposed rulemaking by the Office for Civil Rights of the Department of Health and Human Services, titled “HIPAA Privacy Rule and the National Instant Criminal Background Check System,” was published yesterday in the Federal Register.

Drafted following Executive Actions signed by President Barack Obama in January, the notice claims “Concerns have been raised that, in certain states, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule may be a barrier to States’ reporting the identities of individuals subject to the mental health prohibitor to the NICS.”

Absent from that summary explanation is an identification of who raised those concerns, how widespread they are, and if they reflect a political agenda driven by government officials and special interest groups.

“The Department … is issuing this Advance Notice … to solicit public comments on such barriers to reporting and ways in which these barriers can be addressed,” the notice states. “In particular, we are considering creating an express permission in the HIPAA rules for reporting the relevant information to the NICS by those HIPAA covered entities responsible for involuntary commitments or the formal adjudications that would subject individuals to the mental health prohibitor, or that are otherwise designated by the States to report to the NICS.

“In addition, we are soliciting comments on the best methods to disseminate information on relevant HIPAA policies to State level entities that originate or maintain information that may be reported to NICS,” the summary continues. “Finally, we are soliciting public input on whether there are ways to mitigate any unintended adverse consequences for individuals seeking needed mental health services that may be caused by creating express regulatory permission to report relevant information to NICS.

“The Department will use the information it receives to determine how best to address these issues,” it declares.

Gun Rights Examiner addressed this development on Monday, along with a “clarification” of the Attorney General’s powers “for purposes of permanent import controls” of defense articles and services. That report reminded readers of an ongoing action in New York, where it has been alleged the State Police are cross-referencing medical records with handgun owner permit lists in apparent partnership with the Department of Homeland Security.

The HHS Advance Notice invites public commentary, giving alternative ways for citizens to communicate their concerns, but perhaps the best way is to simply fill out their online form (via “Comment Now” button at Regulations.gov). Note that comments must be submitted on or before June 7. But that is only the first step concerned gun rights advocates must take.

As “Authorized Journalists”/“legitimate media” — who time and again demonstrate they are hardly disinterested players — will hardly be inclined to play government watchdog on this, it’s up to the same gun groups and online activists who mobilized in the face of the Senate gun threat to once more pick up a burden. That means spreading this news and getting others to follow suit, it means keeping up with developments as those with legal knowledge assess likely outcomes, and it means pressuring representatives in the legislature to provide oversight in the interests of rights, of separation of powers, and, just as a telling curiosity, of determining exactly where in the Constitution any of this has been delegated within the purview of Executive powers, that is, where any of this would be even remotely lawful under the federal system established by the Framers.

Originally posted on Examiner