22 October 2011

Health PID

The Australian Privacy Commissioner has sought public comment on an application for a Public Interest Determination under the Privacy Act 1988 (Cth) regarding Collection of Family, Social and Medical Histories.

The invitation reflects an application from Dr Steve Hambleton, President of the Australian Medical Association (AMA) for a public interest determination under s.73 of the Act. That application concerns collection by health service providers of third party health information that is relevant to a patient's family or social medical histories, without the third party's consent. In the absence of a determination, such acts or practices may be in breach of the Privacy Act.

Public Interest Determinations 10 (Collection of Family, Social and Medical Histories) and 10A (giving general effect to Public Interest Determination No. 10) currently permit the collection by health service providers of third party health information that is relevant to a patient's family or social medical histories, without the third party's consent.

In essence, the PID covers collection by practitioners of health information from an individual or from a person responsible for the health consumer regarding another individual (a 'third party') in circumstances where:
a) the collection of the third party’s information into the health consumer’s family, social or medical history [sic] is necessary for the applicant to provide a health service directly to the health consumer; and
b) the third party’s information is relevant to the health consumer’s family, social or medical history; and
c) the applicant collects the third party’s information without obtaining the consent of the third party; and
d) the third party’s information is only collected from a person responsible for the health consumer if the health consumer is physically or legally incapable of providing the information themselves.
The PID is thus narrower than the PID 11 and 11A, highlighted in this blog and in a Privacy Law Bulletin article, that empowers practitioners to embark on a genetic fishing expedition.

The Commissioner's consultation paper outlines the issues raised in the application, provides brief background information and suggests matters that could be addressed in submissions.

PIDs 10 and 10A expire on 10 December 2011. New PIDs will have to be made before this date in order for health service providers to continue to lawfully collect third party health information that is relevant to a patient's family or social medical histories.

The ALRC's 2008 For your Information: Australian Privacy Law and Practice report recommended that new health regulations should include provisions based upon PIDs 10 and 10A. The Australian Government' 'First Stage Response' to the ALRC Report accepted that an amendment should be made to overcome the need to issue PIDs in relation to this matter, although it indicated this should be achieved by way of amending the Privacy Act.

The Commissioner comments that -
Dr Hambleton notes that without a PID on this issue health service providers would be required to obtain the consent of third parties to collect personal and health information on these persons, and notify third parties of the collection of their information. Dr Hambleton asserts this is clearly impractical and could compromise the health care of patients. In addition, if a patient's social, family or medical history is not sought, this could require increased investigation procedures and possibly result in litigation in relation to medical negligence claims. Further, Dr Hambleton is of the view, as stated by ACHA Health in its application, the absence of a PID to exempt health care providers from NPP 10, would result in significant inefficiencies and impracticalities, which would have a detrimental effect on the provision of quality health care.

Dr Hambleton states that he considers it important to highlight the comments made in submissions during the previous consultation process, which noted that standards for the accreditation of general practitioners include the collection of current and accurate health summaries, including pertinent medical or social history information for patient care. Indeed, this practice is considered best-practice clinical care. He submits a patient's social, family or medical history information is collected in an environment of maximum consumer privacy (governed by professional codes of privacy and confidentiality) and clinicians are bound to treat personal information collected in the course of providing a health service as confidential, regardless of the person to whom the particular facts or opinions relate.

Dr Hambleton asserts the collection of a patient's full medical history, including social and family history, is considered best practice and in his experience the majority of patients have an expectation that questions of this nature will be asked. There is also a level of understanding among the general public of the importance of this history in informing their diagnosis and treatment. ...

If the determination sought by the applicant is granted health service providers will be allowed to collect third party health information from an individual, without the third party's consent, for inclusion in the individual's family, social or medical history where that information is necessary to provide a health service to the individual. It will also clarify that third party health information can also be collected from ‘a person responsible' for an individual where the individual lacks the capacity to provide that informational themselves. In the absence of the determination, health service providers engaging in this practice could be in breach of NPP 10.1. Accordingly, the likely effect of the determination will be to permit the established and widely supported healthcare practice of medical history-taking to continue.
The Commissioner states that in considering the application it looked at factors such as -
* the important role the collection of social, family or medical histories from health consumers across all clinical settings and by all clinicians plays in delivering best practice health care;
* the extent to which the practice of collecting health consumers' family, social and medical histories for diagnosis, treatment and care - without the need to obtain third parties' consent - is widespread, considered best clinical practice and generally known and accepted in the community;
* the way in which the risk of harm to individuals through inappropriate use or disclosure of their sensitive information is reduced through the confidential setting and existing ethical protocols which exist for the collection of relevant information about both health consumers themselves and other relevant third parties; and
* the fact that third parties' information, once collected, will continue to be protected under NPPs 1 to 9 and 10.2 to 10.3. For example, NPPs 1.1 and 1.2 ensure that information that is collected should be confined to that necessary to an organisation's functions or activities, be collected only by lawful and fair means and in a way that is not unreasonably intrusive. Further, NPP 4.1 protects the security of personal information by providing that an organisation ‘must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure'.

Cosmology

Reading 'When Cosmology Meets Property: Indigenous Peoples’ Innovation and Intellectual Property' (Queen Mary School of Law Legal Studies Research Paper No. 90) by the great Peter Drahos.

He argues that -
The protection of traditional knowledge by means of intellectual property rights is one of the major work items of international organizations. Less attention has been paid to the relationship between systems of indigenous innovation and intellectual property. Using Australia as a case study, the paper argues that indigenous innovation systems are located within a connectionist cosmological framework. The distinctive institutional features of this innovation system are identified. A key feature is that it is innovation in systems to maintain the health of other systems. The commodity-based nature of intellectual property systems does not suit this kind of innovation. Property rights in land matter to this innovation system far more than intellectual property. Forms of intellectual property based on the right to distinguish one’s product in the market will generally be more useful to indigenous innovation than commodity regimes such as the patent system. Voluntary certification systems can probably be harnessed to much greater effect by indigenous business enterprises.
Drahos comments that -
Asking how intellectual property might protect TK presupposes an item of knowledge. The inquiry takes on a juridical bent, one in which lawyers excel as they investigate which intellectual property box offers the best fit or whether in fact a new box is needed.

A different question lies behind the analysis in this paper. Do intellectual property rights help the innovation systems of Aboriginal people? TK is often said to have a dynamic quality, but there has been little explicit analysis of the features of the indigenous innovation systems that must presumably be responsible for this dynamic quality.

Instead the tendency is to conceive of TK, either explicitly or implicitly, as an existing resource upon which one might draw. Yet the standard economic justification for intellectual property rights is that such rights encourage investment in the search for new knowledge by allowing the searchers to appropriate privately the social value of the new knowledge they find (Granstrand, 1999, p.56; Greenhalgh and Rogers, 2010, p. 32). As mentioned above, there are massive international efforts being made to design intellectual property solutions for the protection of TK. If this were simply about compensating indigenous people for the use of their existing knowledge then a targeted system of wealth transfers might be the best solution. But this option is not on the table. Instead one finds proposals to modify existing systems of intellectual property or to create new standards of protection. The assumption seems to be that intellectual property rights can have positive effects on systems of indigenous innovation. How plausible is this assumption?

In order to answer this question one needs to shift the analysis to the level of institutions that support an innovation system. If the incentive effects of intellectual property rights operate at all, they operate upon actors within an institutional setting. If we are to understand the dynamic effects of intellectual property we have to focus on the institutional system in which actors search and generate new knowledge and not on the abstract qualities of the knowledge that is produced. The generation of useful knowledge and techniques implies a set of institutions working in convergent ways to produce innovation (Mokyr, 2002). A systems perspective on innovation requires one to look more broadly at the institutions that contribute to innovative performance (Nelson, 1992).

Once we shift the level of analysis away from TK and the rules of intellectual property to institutions of indigenous innovation different questions arise. Innovation is often conceptualized in terms of firms developing new products and processes (Greenhalgh and Rogers, 2010, p. 4). Does indigenous innovation fit into this kind of standard definition?

The ethno-botanical record in Australia provides some examples of indigenous innovation that fit with this standard approach. For example, recorded interviews with Wagiman elders show that the Wagiman people developed products and processes. The leaves of the Ironwood tree, for example, were used as a fish poison and the roots provided the basis for the production of a glue (Liddy et al, 2006, 39). Similarly they discovered a method for producing a damper from the seeds of cycas canalis (bush palm) that has the qualities of long term storage and high food energy (Liddy et al, 2006, 34).

However, we will see that the most important innovative achievement of indigenous people lies in the innovation of systems to maintain systems, especially ecological systems. This is a form of service innovation, one that would have been hard for colonists to see, let alone understand. The scale of its achievement has only begun to be mapped by scientists in Australia in the last few decades.

A systems approach to innovation also requires one to identify the set of institutions that matter to innovation as well as the distinctive linkages and interactions amongst institutional actors that characterize an innovation system. In the context of modern economies this usually involves an examination of the linkages amongst firms and their industrial research laboratories, universities and government laboratories as well as looking at the role of institutions such as tax and venture capital markets (Nelson, 1992; Hall and Soskice, 2001). The third section of this paper identifies some institutional features of indigenous innovation, but this part of the analysis should be seen as preliminary. Clearly a full institutional analysis of indigenous innovation is an interdisciplinary quest in which a number of disciplines including ethnobotany, cognitive anthropology and human ecology play a crucial role (Brush 1993; Sillitoe 1998; Berkes, 2008, pp.22-25). From the discussion of indigenous innovation the paper moves to considering the role of intellectual property in supporting indigenous innovation.

The upshot of this section is that intellectual property rights are only likely to make a modest contribution to indigenous innovation and that the intellectual property systems that matter most are those based on rights to distinguish products in the market as opposed to rights to originate products. The property rights that matter most to indigenous innovation are land rights.

a square archaic peg

In Crookes v. Newton, 2011 SCC 47 the Supreme Court of Canada has unanimously ruled that hyperlinking to defamatory content is not inherently defamatory behavior and noted the danger of "trying to fit a square archaic peg into the hexagonal hole of modernity".

The decision emphasises the importance of free expression online but should be interpreted with some caution in the face of statements that it is a persuasive international precedent and the first of its kind.

The Court stated that -
N[ewton] owns and operates a website in British Columbia containing commentary about various issues, including free speech and the Internet. One of the articles he posted on it contained shallow and deep hyperlinks to other websites, which in turn contained information about C[rookes]. C sued N on the basis that two of the hyperlinks he created connected to defamatory material, and that by using those hyperlinks, N was publishing the defamatory information. At trial, the judge concluded that the mere creation of a hyperlink in a website does not lead to a presumption that someone actually used the hyperlink to access the impugned words. The judge agreed that hyperlinks were analogous to footnotes since they only refer to another source without repeating it. Since there was no repetition, there was no publication. Furthermore, in the absence of evidence that anyone other than C used the links and read the words to which they linked, there could not be a finding of publication. A majority of the Court of Appeal upheld the decision, finding that while some words in an article may suggest that a particular hyperlink is an encouragement or invitation to view the impugned site, there was no such encouragement or invitation in this case. In addition, the number of “hits” on the article itself was an insufficient basis for drawing an inference in this case that a third party had read the defamatory words. The dissenting judge held that there was publication. The fact that N’s website had been viewed 1,788 times made it unlikely that no one had followed the hyperlinks and read the impugned article. Furthermore, the context of the article suggested that readers were encouraged or invited to click on the links.
The majority decision by Abella J comments that the net -
cannot, in short, provide access to information without hyperlinks. Limiting their usefulness…would have the effect of seriously restricting the flow of information and, as a result, freedom of expression.
. The Court held that -
Hyperlinks are, in essence, references, which are fundamentally different from other acts of “publication”. Hyperlinks and references both communicate that something exists, but do not, by themselves, communicate its content. They both require some act on the part of a third party before he or she gains access to the content. The fact that access to that content is far easier with hyperlinks than with footnotes does not change the reality that a hyperlink, by itself, is content neutral.

Furthermore, inserting a hyperlink into a text gives the author no control over the content in the secondary article to which he or she has linked.

A hyperlink, by itself, should never be seen as “publication” of the content to which it refers. When a person follows a hyperlink to a secondary source that contains defamatory words, the actual creator or poster of the defamatory words in the secondary material is the person who is publishing the libel. Only when a hyperlinker presents content from the hyperlinked material in a way that actually repeats the defamatory content, should that content be considered to be “published” by the hyperlinker.

Here, nothing on N’s page is itself alleged to be defamatory. Since the use of a hyperlink cannot, by itself, amount to publication even if the hyperlink is followed and the defamatory content is accessed, N has not published the defamatory content and C’s action cannot succeed.
McLachlin CJ and Fish J were more nuanced, stating that -
The reasons of the majority are agreed with substantially. However, a hyperlink should constitute publication if, read contextually, the text that includes the hyperlink constitutes adoption or endorsement of the specific content it links to. A mere general reference to a website is not enough to find publication.
Deschamps J stated that -
Excluding hyperlinks from the scope of the publication rule is an inadequate solution to the novel issues raised by the Internet.

This blanket exclusion exaggerates the difference between references and other acts of publication, and treats all references, from footnotes to hyperlinks, alike, thereby disregarding the fact that references vary greatly in how they make defamatory information available to third parties and, consequently, in the harm they can cause to people’s reputations.

In the common law of defamation, publication has two components:
(1) an act that makes the defamatory information available to a third party in a comprehensible form, and (2) the receipt of the information by a third party in such a way that it is understood.
In the context of Internet hyperlinks, a simple reference, absent evidence that someone actually viewed and understood the defamatory information to which it directs third parties, is not publication of that content. In order to satisfy the requirements of the first component of publication, the plaintiff must establish, on a balance or probabilities, that the hyperlinker performed a deliberate act that made defamatory information readily available to a third party in a comprehensible form.

An act is deliberate if the defendant played more than a passive instrumental role in making the information available. In determining whether hyperlinked information is readily available, a court should consider a number of factors, including whether the hyperlink is user-activated or automatic, whether it is a shallow or a deep link, and whether the linked information is available to the general public (as opposed to being restricted). Any matter that has a bearing on the ease with which the referenced information could be accessed will be relevant to the inquiry.

For an action in defamation to succeed, the plaintiff must also satisfy the requirements of the second component of publication on a balance of probabilities, namely that a third party received and understood the defamatory information. This requirement can be satisfied either by adducing direct evidence or by asking the court to draw an inference based on, notably, whether the link was user-activated or automatic; whether it was a deep or a shallow link; whether the page contained more than one hyperlink and, if so, where the impugned link was located in relation to others; the context in which the link was presented to users; the number of hits on the page containing the hyperlink; the number of hits on the page containing the linked information (both before and after the page containing the link was posted); whether access to the Web sites in question was general or restricted; whether changes were made to the linked information and, if so, how they correlate with the number of hits on the page containing that information; and evidence concerning the behaviour of Internet users. Once the plaintiff establishes prima facie liability for defamation, the defendant can invoke any available defences.

Here, N acted as more than a mere conduit in making the hyperlinked information available. His action was deliberate. However, having regard to the totality of the circumstances, it cannot be inferred that the first, shallow hyperlink made the defamatory content readily available. The various articles were not placed on N’s site’s home page and they had separate addresses. The fact that the reader had to take further action in order to find the defamatory material constituted a meaningful barrier to the receipt, by a third party, of the linked information. The second, deep hyperlink, however, did make the content readily available. All the reader had to do to gain access to the article was to click on the link, which does not constitute a barrier to the availability of the material. Thus, C has satisfied the requirements of the first component of publication on a balance of probabilities where this link is concerned. However, the nature of N’s article, the way the various links were presented and the number of hits on the article do not support an inference that the allegedly defamatory information was brought to the knowledge of some third person. The defamation action with respect to either of the impugned hyperlinks cannot succeed.

Super data breach

I'm following with interest the claims and counter-claims about the First State Super data breach, not least because it's an illustration in my cybersecurity conference paper on breach regulation.

The major superannuation fund manager has acknowledged that there were problems with its security, which allowed a customer (and IT security consultant) Patrick Webster to access financial information about other customers. That information reportedly included full names, addresses, email addresses, membership numbers, age, insurance information, superannuation amounts, fund allocations, beneficiaries and employer information. Mooted legal action against Webster for alerting First State appears to be going nowhere.

The SMH has now reported anonymous claims "by a former IT staffer" that First State "knew of a major security flaw that potentially exposed 770,000 member details years ago and did nothing". The Federal and NSW Privacy Commissioners are apparently reporting.

A spokesperson for Pillar, the fund manager, reportedly denied the allegations with the comment that "It's garbage - we fixed this thing in a matter of hours so why would we sit on it for years? Makes no sense, there's no logic." Pillar dismissed the SMH source as a "disenfranchised employee making ridiculous claims".

Interestingly, the SMH source contests First State claims that the IT system would generate alerts when a member accessed another member's statement. The source reportedly commented that there were "no controls that produce security or privacy alerts", so that unauthorised access would not be detected. That is consistent with the SMH's claim that another First State customer "stumbled across the security flaw while checking their statement more than 18 months ago"

The Australian Prudential Regulation Authority (APRA), as regulator of the super fund industry, reportedly could not comment on the matter because "a secrecy provision in the APRA Act prevents us from" commenting on the regulated bodies. We can and should fix that provision in the public interest.

the SMH points to the APRA Prudential Practice Guide (PPG) 234 – Management of security risk in information and information technology [PDF], which features the statement that -
Controls, commensurate with the sensitivity and criticality of the data/information involved, would normally be implemented where sensitive data/information is at risk of leakage
That Guide could usefully be read in conjunction with the recent SEC guidance noted here.

In the UK the national Information Commissioner has revealed that the number of reported data breaches has increased by 58% on the previous year. That figure is newsworthy but is problematical, given the uncertainty about how many breaches are occurring but are not detected and/or are not divulged.

In a statement earlier this month the Commissioner commented that -
Powers to conduct compulsory data protection audits in local government, the health service and the private sector are needed to ensure compliance with the law, the Information Commissioner said today at the 10th annual data protection compliance conference in London.

Christopher Graham’s call came as figures showed that the ICO is being blocked from auditing organisations in sectors that are causing concern over their handling of personal information.

The only compulsory data protections audit powers the ICO currently has are for central government departments. For all other organisations the ICO has to win consent before an audit can take place.

Data breaches in the NHS continue to be a major problem. Of the 47 undertakings the ICO has agreed with organisations that have breached the Data Protection Act since April, over 40% (19) were in the healthcare sector. In addition, the most serious personal data breaches that have resulted in a civil monetary penalty occurred in the local government sector. Four of the six penalties served so far involved local authorities.

Businesses remain the sector generating the most data protection complaints. Despite this, as reported in July, just 19% of companies contacted by the ICO accepted the offer of undergoing an audit. The ICO has written to 29 banks and building societies and so far only six (20%) have agreed to undergo an audit. The insurance sector has also shown reluctance in this area. Of the 19 companies contacted this year by the ICO, only two agreed to an audit.

Information Commissioner, Christopher Graham said:
Something is clearly wrong when the regulator has to ask permission from the organisations causing us concern before we can audit their data protection practices. Helping the healthcare sector, local government and businesses to handle personal data better are top priorities, and yet we are powerless to get in there and find out what is really going on.

With more data being collected about all of us than ever before, greater audit powers are urgently needed to ensure that the people handling our data are doing a proper job. I am preparing the business case for the extension of the ICO’s Assessment Notice powers under the Coroners and Justice Act 2009 to these problematic sectors.

20 October 2011

Promo

The 2010-2011 annual report of Australian Crime Commission [PDF] echoes the organised crime report of earlier this year in announcing that "Serious and organised crime is an ever-evolving transnational phenomenon". It goes on to explain - quelle surprise - that -
But for all its manifestations, the underlying motivations are constant: greed and power drive organised crime and money is its lifeblood.

This greed has a significant impact on all of us. Organised crime threatens national security, affects our wellbeing and undermines our economy. In monetary value alone, organised crime costs the Australian community around $15 billion a year. Add to this the untold damage caused to communities, families and individuals.

The Australian Crime Commission (ACC) reduces that impact by working with our partner agencies to identify, disrupt and prevent organised crime of national significance.

It does this by bringing people together to defeat, and defend against, serious and organised crime, through effective use of knowledge derived from criminal intelligence.
The report is very much a promo document, punctuated with breakout boxes such as "ACC are making a very positive contribution in the national
security arena by developing good partnerships with key enabling organisations. ACC Stakeholder Research". Only a brave agency would publish statements indicating that our numerous competitors think that we're fat, lazy, stupid, not necessary, egregiously self-involved or otherwise a waste of resources, so I shouldn't be too hard on the self-justification.

From an identity crime perspective the highlights are -
Corsair/Kensai — These long-term joint Victoria Police/ACC investigations disrupted a network of Victorian drug trafficking syndicates.
– In November 2010, Victoria Police members intercepted a vehicle of interest, seizing 127 grams of methylamphetamine, a card-making machine for VICROADS licences and several false identifications. Police charged one man with drug trafficking offences and some 80 other matters related to making, possessing and using false identifications. [p89]

ACC support and membership of the Organised Crime Framework Identity Crime Response Team (a multi-agency identity crime working group) resulted in the Response Team initiating and endorsing intelligence products including:
◗ a national all-agency Identity Crime Intelligence Collection Plan aimed at identifying current intelligence gaps and defining collection strategies
◗ an ACC intelligence scoping paper of recent significant identity crime investigations across Australia, aimed at identifying links between crime groups, as well as new methodologies and prevention strategies
◗ an ACC intelligence scoping paper examining current and future trends in the exploitation of technology for organised crime purposes. [p128]
We helped scope and develop tools to support partner agencies to combat and reduce the impact of complex organised technology enabled crime on the Australian community.
These tools include:
◗ the proposed National Cybercrime online reporting portal
◗ a specific Cybercrime Desk and Identity Crime Desk within the Australian Law Enforcement Intelligence Net (ALEIN)
◗ Australia New Zealand Policing Advisory Agency (ANZPAA) national cybercrime information sharing protocols agreement.
In addition, the Organised Crime Framework Identity Crime Response Team’s work initiated key harm reduction strategies including:
◗ a national Document Verification System to reduce the incidence of false identity documents
◗ identity crime victims statements under amendments to the Commonwealth Criminal Code 1995
◗ support for the Industry & Community Partnerships Project to detect and prevent identity crimes.
We conducted 10 examinations which have provided operational reporting products addressing:
◗ credit card and EFTPOS skimming (facilitators, organisers and technical aspects)
◗ organised identity crime in migration and loan fraud (facilitators, organisers and methodologies)
◗ manufacturing, sale and purchase of falsified identity documents including foreign passports
◗ the use of telecommunications cloning technology by groups in New South Wales and Victoria — including facilitators, technical intelligence and the identity of compromised equipment (subscriber identity module or 'SIM' and international mobile equipment identity or 'IMEI').
The Complex Organised Technology Enabled Crime (incorporating Identity Crime) Special Intelligence Operation concluded on 30 June 2011. Our contribution in this area will continue under our new work priorities, in particular the Special Operations: National Security Impacts from Serious & Organised Crime; and Making Australia Hostile to Serious & Organised Crime. [p129]
Questions by the ANAO and other bodies regarding the national Document Verification System have been noted elsewhere on this blog. In the absence of information it's impossible to make an authoritative assessment of what's happening at the ACC and whether it's operating effectively.

Enhancement

'A risk profile of elite Australian athletes who use illicit drugs' by Johanna Thomas & Matthew Dunn in (2011) 37 Addictive Behaviors 144-147 argues that -
Much of the literature investigating the relationship between sports participation and substance use has focused upon student populations, with little focus being given to athletes who participate at elite levels. Identifying why some athletes may be at a greater risk for substance use can help in the design and implementation of prevention initiatives. Data for the current study was from 1684 self-complete surveys with elite Australian athletes.

Eight percent (n=134) of the sample reported the use of at least one of the six illicit drugs under investigation (ecstasy, cannabis, cocaine, meth/amphetamine, ketamine and GHB) in the past year. Having been offered or having had the opportunity to use illicit drugs in the past year, knowing other athletes who use drugs and identifying as a ‘full-time athlete’ were significant predictors of past-year illicit drug use, while having completed secondary education or a post-school qualification was associated with a lower likelihood of past-year illicit drug use.

Athletes are part of a sportsnet that includes family, coaches, support staff and other athletes, and these relationships may encourage the use, supply and demand for drugs. The current findings suggest that relationships with some of those in the sportsnet may play an important role when understanding illicit drug use among elite athletes. As education appears to be associated with a lower likelihood of illicit drug use among this group, initiatives should encourage athletes to engage in offfield pursuits which may also help prepare them for life after sport.
The authors comment that -
Athletes do not live in isolation. Even athletes who compete in so-called ‘individual’ sports are part of a sportsnet that includes family, coaches, support staff and other athletes, and these relationships may encourage the use, supply and demand for drugs. In high profile cases where athletes have been found to have engaged in banned substances use, such as track and field athlete Marion Jones, it has been shown that those in the sportsnet are either knowledgeable or actively complicit in the athlete's substance use. As such, those in the sportsnet are now subject to penalties under the 2009 World Anti-Doping Agency Code (World Anti-Doping Agency, 2009), as well as being identified as an important target group for education. The current findings suggest that relationships with some of those in the sportsnet may play an important role when understanding illicit drug use among elite athletes.

Among the current sample, those who used illicit drugs were more likely to be male, older, know other athletes who used illicit drugs and had been offered or had the opportunity to use drugs. Previous research among other athletic populations have found that gender, other substance use, type of sport and personal factors such as sensation seeking and religiosity are just some of the factors found to be associated with drug use. However, these relationships are not simple and are further undermined by the possibility that the factors that relate to “illicit drug” use may differ from those related to “performance enhancing drug” use, and even then, factors may vary. For instance, in discussing why cyclists might engage in doping behaviour, one participant in a study conducted by Hardie, Shilbury, et al. (2010) stated “I'd like to give you one straight answer but I can't. Amateurs do it to turn professional. Professionals do it to keep a job. But then you've also got the high end guys like guys who are winning Tours and are on multimillion dollar contracts are still doing it. You can't say it's for the money. You have to look a bit deeper and say it's probably not peer pressure but pressure to perform and pressure they put on themselves and pressure to win.” (pg. 63).

Identifying as a “full-time” athlete was associated with an increased likelihood of engaging in illicit drug use, while completing post-secondary education was associated with a lower likelihood of illicit drug use. Increased focus has been given to athletes' on- and off-field lives and how these interact. For athletes, career termination may occur suddenly and involuntarily and sporting organisations are persuading their athletes to undergo training and education to prepare for life after sport. This, in turn, may have positive benefits for the athlete while they still have an active sporting career. Price, Morrison, et al. (2010) found that 90% of elite athletes actively engaged in non-sporting pursuits to help lengthen their sporting career; that these non-sporting pursuits provided an outlet from sport; and that 72% of those athletes undertaking work outside of sport or studying believed that this aided their performance. Further research should explore the relationship between off-field pursuits and on-field performance.

Trust me

A previous post noted concerns regarding vetting processes within the Australian government. The SMH today reports that -
tens of thousands of Defence Department security clearances are being urgently investigated after fake information was entered to speed the process, officials revealed yesterday. ... Under questioning at a Senate committee hearing, the Defence Department's head of security and intelligence also admitted that 5000 of those clearances were classified ''top secret''. It is the first indication of how widespread the problems were.
The report goes on to comment that -
Claims that Defence Department employees were forced to enter fake data at the initial stages of the clearances were first aired earlier this year.

Whistleblowers said the fake information was designed to fill gaps in personal histories, speeding up the processing of clearances, which were passed to ASIO for further evaluation.

The department's deputy secretary for intelligence and security, Stephen Merchant, told the committee hearing yesterday about 20,000 clearances might need to be rechecked.

At the May Senate hearing, Mr Merchant claimed the fake entries were part of a monitored process - with agreed fake terms designed to spark attention.

He said the ''work arounds'' were agreed to by ASIO.

The Defence Minister, Stephen Smith, last month admitted that neither of those two claims were correct and said that no more ''work arounds'' would be entered without a formal agreement with ASIO.

However, the Herald revealed that in June several clearances were filled in with fake information despite there having been no agreement with ASIO and defence officials telling the committee the previous month that there was no more need for ''work arounds''.
We can sleep soundly, as Mr Merchant is reported as stating that the investigation is ''well-advanced'' and swill be finished shortly. A very similar article in the Age last month - alas, there's a lot of recycling going on at Fairfax - indicated that Merchant will be retiring shortly.

Searches

'Arresting Development: Facebook Searches and the Information Super Highway Patrol' (San Diego Legal Studies Paper No. 11-076) by Junichi Semitsu asks -
Does the right of the police to search an arrestee’s person and vehicle include the right to rifle through and clone all the content on his smart phone’s Facebook account? As recent court decisions have largely given police officers carte blanche to search a person’s cellular device, I raise this question because of the additional privacy and speech concerns triggered when such searches extend to social networking sites.
Semitsu goes on to comment -
Facebook may be the furthest thing from the minds of those placed under arrest — especially those booked for minor traffic offenses only punishable by fines. But for those handcuffed near their smart phone, the social networking site may seismically shift the balance between their privacy and the police. As the most frequented stop today on the information super highway, Facebook has both mushroomed civilian traffic and escalated the highway patrol policing it away from public view. However, the true genesis of any seismic shift lies with the Court’s outdated Fourth Amendment jurisprudence and Congress’s failure to update federal privacy laws to consider methods of modern communication tools.

I begin this Article by conducting an empirical analysis of the ways that lower courts have allowed or barred a government search of an arrestee’s cellular phone (or other mobile electronic device). I demonstrate that these decisions suggest little hope of suppressing a post-arrest Facebook search, despite running afoul of principles underlying any exceptions to Fourth Amendment search rules. I then analyze the federal privacy laws that may be implicated by such searches. I determine that even if a search triggers federal privacy laws or avoids the myriad holes in the Swiss cheese of Fourth Amendment jurisprudence, the digital architecture of social networking punctures any hope that such searches can be challenged under existing privacy grounds.

This Article thus concludes that a First Amendment theory of privacy is necessary to offset the ramifications that boundless social networking searches have on free expression. Such blanket surveillance — along with the digital technology to perfectly record and copy it — has the potential to chill so much speech that the First Amendment may be the more meaningful and faithful lens through which to consider such searches. After all, in a matter of minutes, a police duplication of an arrestee’s Facebook account could cast a net covering years of personal communications by the arrestee — as well as the speech of hundreds of others. The implications are just as staggering as the difficulties facing an arrestee who wishes to challenge these practices under existing laws. As such, only the overbreadth doctrine provides the proper remedy to fully safeguard online First Amendment activities from these warrantless government fishing expeditions.

19 October 2011

TK and Trade Secrets

'A Trade Secret Approach to Protecting Traditional Knowledge' by Deepa Varadarajan in (2011) 36(2) Yale Journal of International Law comments that -
The skills and innovations of indigenous and local communities - their so-called “traditional knowledge” - go largely unrecognized by intellectual property law. Meanwhile, patent and copyright laws reward the innovative and creative contributions of individuals and firms that freely use traditional knowledge as inputs for a variety of products. The perceived inequity has inspired the ire of indigenous groups, advocates and developing country governments, led to impassioned accusations of “biopiracy” and “First-World imperialism,” and triggered various reform efforts. Despite a decade of trying, however, traditional knowledge holders and their advocates still seek meaningful recognition and rights within the international IP framework. This Article argues that the doctrinal and normative divide between traditional knowledge and intellectual property law has been overemphasized and that trade secret law can potentially narrow it. I argue that the application of trade secret law to protect traditional knowledge - a trade secret approach - is a practical path forward in the current international impasse. Moreover, I argue that the underlying justifications for trade secret law offer a useful normative guide for theorizing traditional knowledge protection and linking it to the broader purposes of IP law. Like trade secret law generally, the protection of traditional knowledge can ultimately serve the broader purposes of IP law by reducing holders’ distrust in negotiating with outsiders and by encouraging the disclosure of potentially valuable secret information to more productive users and improvers.
The author goes on to state that -
The relationship between intellectual property law, secrecy, and disclosure has important consequences for the traditional knowledge debate. In the traditional knowledge context too, society as a whole benefits from the disclosure of commercially valuable information. If bark from a tree and ashaman’s knowledge of its special properties can cure ulcers, then society has an interest in encouraging the disclosure of this knowledge to other entities that can improve upon it and bring it to the larger public.

At least some anecdotal evidence suggests that traditional knowledge holders are willing to share otherwise secret information with outsiders for research and commercial purposes, so long as they are afforded a degree of control over subsequent uses of the knowledge and, in some cases, a portion of the benefit. For example, traditional healers from indigenous communities in Uganda reported to WIPO IGC field researchers that they would be “willing to collaborate with modern health practitioners and the pharmaceutical industry to share information,” but that “[p]rotective measures should be in place before [they] would be willing to collaborate with outsiders.”

Evidence also suggests that in the absence of protection, traditional knowledge holders are warier of sharing and, in some cases, will go to great lengths to erect walls around potentially valuable information. A number of traditional knowledge holders interviewed during the course of the WIPO IGC’s nine fact-finding missions expressed an unwillingness to share their traditional knowledge out of fear that they would not have any control over the way the information was used or derive any economic benefits. Members of the Kuna community in Panama, for example, expressed their aversion toward collaborating with ethnobotanists or other scientists:
Expeditions by [these researchers] have started to be regarded with suspicion because community members are not involved in, nor informed of, the subsequent use of the information and biological material supplied by them. It is believed that if new products were to be developed or new scientific publications issued on the basis of that information, the communities of origin would probably never be informed and would in all likelihood not participate in any economic benefits deriving therefrom.
Some local and indigenous groups have taken more drastic steps to prevent the flow of information to outsiders. In 2000, a Wapishana indigenous community in the Guyanese Amazon banned all “researchers” from entering their villages. This community had previously shared valuable medicinal information with a British chemist about the healing powers of certain plants - Tipir, the nut of the Greenheart tree, and Cunani, a bush plant - used since ancient times. The chemist subsequently obtained U.S. and European patents based on the active ingredients in these plants, which he claimed were useful in treating malaria and preventing heart blockages. The community viewed the incident as a betrayal of their sharing. In response, they have banned the research efforts of all outsiders - to the potential detriment of society. Thus, even if an initial transmission of information - like the chemist’s initial acquisition of knowledge - can occur in the absence of traditional knowledge protection, the erosion of trust from such a one-sided transaction can pollute future transmissions.

To be sure, formal law’s role in lessening distrust may operate differently in the commercial context than in the traditional knowledge context, depending on the level of social or cultural significance that such knowledge may have for a particular community or the community’s level of wariness toward outsiders.

Information sharing in the traditional knowledge context may require greater indicia of respect or trustworthiness than the arms-length commercial licensing transactions that govern information sharing for modern firms. As Rosemary Coombe writes, “Acquiring traditional knowledge ... may require rather different forms of social relationship that involve trust [and] collaboration,” as well as a showing of “respect that our intellectual property laws ... do little to encourage.”

Here, too, a fair amount of variation is likely to exist among and between groups. But what is striking about the data collected by the WIPO IGC is that a number of traditional knowledge holders have voiced a greater willingness to share knowledge and collaborate upon receiving internationally recognized IP rights. And experimental projects such as Ecociencia’s closed-access registry of botanical knowledge suggest trade secret law’s potential for eliciting hitherto unknown and undisclosed traditional knowledge and encouraging its categorization, classification, and storage in forms that can be more easily shared with outsiders.

Even outside of the traditional knowledge context, the effects of formal law on trust and behavior are difficult to measure in any absolute terms; its role is often “modest but [nonetheless] important.” As Dagan and Heller observe:
The myriad details of the law do not matter individually, but jointly they produce practices and experiences that in turn generate social expectations. For law to affect behavior, we do not assume widespread knowledge of any doctrinal detail, only that people generally believe that if things turn ugly, the law will serve as one form of social organization that protects them against extreme abuse and exploitation.
Thus, while the evidence may be limited, there are both logical and evidentiary reasons to suggest that without legal protection, traditional knowledge holders would disclose less and take more assertive steps to prevent the flow of information to outsiders. This is problematic for a number of reasons, including that it will “slow the process of commercialization and improvement of” relatively secret knowledge and ultimately interfere with “both the invention and disclosure functions of IP law.” For example, researchers might be prevented from entering these communities at all, or even if they did enter, traditional knowledge holders might be unwilling to share information that could lead to the next antimalarial or heart medicine.

The role of intellectual property law in facilitating trust and cooperation in the traditional knowledge context merits additional research and investigation. Trade secret law - and more specifically, a clarification of TRIPS Article 39’s commercial value requirement and a richer understanding of the intersection of reasonable secrecy efforts and customary law in the traditional knowledge context - may, in the end, comprise only part of a broader package of useful policy reforms. My purpose here is not to suggest that trade secret law is the only desirable path. Rather, I seek to illuminate the ways in which trade secret law can protect a subset of traditional knowledge and help frame the international discussion in a more fruitful way - a way that emphasizes important connections between traditional knowledge protection and the broader purposes of intellectual property, instead of merely its divisions.
Varadarajan concludes that -
For over a decade, the issue of traditional knowledge protection has posed an intractable problem for advocates, scholars, and developing country governments. Traditional knowledge advocates seek greater recognition and rights within international intellectual property law—particularly, the muscular TRIPS framework. But thus far, they have failed to effectively link their arguments to the IP framework or the broader purposes of existing IP regimes. Instead, traditional knowledge advocates have operated primarily within “human rights” and “preservation” approaches. These approaches appear more hospitable to traditional knowledge advocates than the conventional IP approach, especially given the latter’s focus on ex ante “incentives to create.” But the conventional IP approach need not be so narrow.

I have argued that trade secret law is useful to the traditional knowledge debate in two underexamined ways. First, a trade secret approach to traditional knowledge protection is a practical initial step forward in the international impasse. Trade secret law can be a useful legal vehicle for traditional knowledge holders when dealing with outsiders’ improper acquisition, disclosure, and use of relatively secret information. Admittedly, many traditional knowledge holders may view trade secret law as too limited - too fragile - because it does not apply to publicly available, reverse-engineered, or independently developed information. While I am sympathetic to such concerns, this Article takes a decidedly pragmatic approach; more idealized approaches that significantly undercut the purposes of existing intellectual property regimes are less likely to be accepted within the framework of international IP law and enforced by the international community. Absent a model for protection that incorporates some objective limits and preserves access to generally available information, “an international approach is likely to be a more abstract gesture” than a reality.

In addition to outlining trade secret law’s practical possibilities in the traditional knowledge arena, I have argued that trade secret law can serve as a normative guide to help ground an IP theory of traditional knowledge protection. One prominent justification for trade secret law’s inclusion in the IP law family is that it serves the “disclosure” purposes of IP law by reducing holders’ over-investment in secrecy, lessening distrust, and encouraging the disclosure of valuable information to those who can improve or make more productive use of it. Similarly, traditional knowledge protection may lessen the distrust of indigenous and local communities toward outsiders and encourage their disclosure of valuable information in socially beneficial ways.

17 October 2011

Try caring, not sharing

In following up the recent item regarding litigation against Stanford Hospital over a data breach involving 20,000 patient records I note a proposed US$4.9bn class action against the US Defense Department over the TRICARE healthcare system for military personnel and their families.

The lawsuit alleges that the DOD failed to adequately protect private data (ie did not encrypt sensitive personal information) and exhibited "intentional, willful and reckless disregard" for patient privacy rights, including delays in notifying people whose data had been exposed. The plaintiffs seek US$1000 in damages for each of the 4.9 million individuals affected by the breach.

Last month it was revealed [PDF] that names, addresses, phone numbers, clinical notes, Social Security Numbers, pathology and other personal health data regarding around 4.9 million people (over 20 years) featured on unencrypted backup tapes stolen from the car of a Science Applications International Corporation (SAIC) at the employee's residence. The corporation is a TRICARE contractor. We might wonder about the prudence of leaving such data lying around.

The DOD advises that -
The risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure," according to the Tricare statement. "Since we do not believe the tapes were taken with malicious intent, we believe the risk to beneficiaries is low.
As a result the Department and SAIC will identify individuals who were exposed; those people will receive a notifications by mail over a six week period. SAIC is reported to be paying for the contact exercise but will not be funding free consumer alert services under the Health Insurance Portability & Accountability Act (HIPAA) regulations, amid claims that the data is covered by weaker Federal Trade Commission rules.

Cybersecurity disclosure

The US Securities & Exchange Commission (Division of Corporation Finance) has issued a 'disclosure guidance' regarding cybersecurity risks and cyber incidents.

The Guidance provides the Division of Corporation Finance's views regarding disclosure obligations. It states that -
For a number of years, registrants have migrated toward increasing dependence on digital technologies to conduct their operations. As this dependence has increased, the risks to registrants associated with cybersecurity1 have also increased, resulting in more frequent and severe cyber incidents. Recently, there has been increased focus by registrants and members of the legal and accounting professions on how these risks and their related impact on the operations of a registrant should be described within the framework of the disclosure obligations imposed by the federal securities laws. As a result, we determined that it would be beneficial to provide guidance that assists registrants in assessing what, if any, disclosures should be provided about cybersecurity matters in light of each registrant’s specific facts and circumstances.

We prepared this guidance to be consistent with the relevant disclosure considerations that arise in connection with any business risk. We are mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts - for example, by providing a “roadmap” for those who seek to infiltrate a registrant’s network security - and we emphasize that disclosures of that nature are not required under the federal securities laws.
The Division comments that -
In general, cyber incidents can result from deliberate attacks or unintentional events. We have observed an increased level of attention focused on cyber attacks that include, but are not limited to, gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption. Cyber attacks may also be carried out in a manner that does not require gaining unauthorized access, such as by causing denial-of-service attacks on websites. Cyber attacks may be carried out by third parties or insiders using techniques that range from highly sophisticated efforts to electronically circumvent network security or overwhelm websites to more traditional intelligence gathering and social engineering aimed at obtaining information necessary to gain access.

The objectives of cyber attacks vary widely and may include theft of financial assets, intellectual property, or other sensitive information belonging to registrants, their customers, or other business partners. Cyber attacks may also be directed at disrupting the operations of registrants or their business partners. Registrants that fall victim to successful cyber attacks may incur substantial costs and suffer other negative consequences, which may include, but are not limited to:
* Remediation costs that may include liability for stolen assets or information and repairing system damage that may have been caused. Remediation costs may also include incentives offered to customers or other business partners in an effort to maintain the business relationships after an attack;
* Increased cybersecurity protection costs that may include organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third party experts and consultants;
* Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
* Litigation; and
* Reputational damage adversely affecting customer or investor confidence.
In relation to disclosure by public companies regarding "Cybersecurity Risks and Cyber Incidents" it indicates that -
The federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.2 Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.3 Therefore, as with other operational and financial risks, registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.
The specific disclosure obligations that may require a discussion of cybersecurity risks and cyber incidents are -
Risk Factors

Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.4 In determining whether risk factor disclosure is required, we expect registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents. As part of this evaluation, registrants should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption. In evaluating whether risk factor disclosure should be provided, registrants should also consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.

Consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures generally, cybersecurity risk disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the registrant. Registrants should not present risks that could apply to any issuer or any offering and should avoid generic risk factor disclosure. Depending on the registrant’s particular facts and circumstances, and to the extent material, appropriate disclosures may include:
* Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
* To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
* Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
* Risks related to cyber incidents that may remain undetected for an extended period; and
* Description of relevant insurance coverage.
A registrant may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context. For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences.

While registrants should provide disclosure tailored to their particular circumstances and avoid generic “boilerplate” disclosure, we reiterate that the federal securities laws do not require disclosure that itself would compromise a registrant’s cybersecurity. Instead, registrants should provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant in a manner that would not have that consequence.
In discussing Financial Statement Disclosures the Guidance notes that "Cybersecurity risks and cyber incidents may have a broad impact on a registrant’s financial statements, depending on the nature and severity of the potential or actual incident". It comments -
Prior to a Cyber Incident

Registrants may incur substantial costs to prevent cyber incidents. Accounting for the capitalization of these costs is addressed by Accounting Standards Codification (ASC) 350-40, Internal-Use Software, to the extent that such costs are related to internal use software.

During and After a Cyber Incident

Registrants may seek to mitigate damages from a cyber incident by providing customers with incentives to maintain the business relationship. Registrants should consider ASC 605-50, Customer Payments and Incentives, to ensure appropriate recognition, measurement, and classification of these incentives.

Cyber incidents may result in losses from asserted and unasserted claims, including those related to warranties, breach of contract, product recall and replacement, and indemnification of counterparty losses from their remediation efforts. Registrants should refer to ASC 450-20, Loss Contingencies, to determine when to recognize a liability if those losses are probable and reasonably estimable. In addition, registrants must provide certain disclosures of losses that are at least reasonably possible.

Cyber incidents may also result in diminished future cash flows, thereby requiring consideration of impairment of certain assets including goodwill, customer-related intangible assets, trademarks, patents, capitalized software or other long-lived assets associated with hardware or software, and inventory. Registrants may not immediately know the impact of a cyber incident and may be required to develop estimates to account for the various financial implications. Registrants should subsequently reassess the assumptions that underlie the estimates made in preparing the financial statements. A registrant must explain any risk or uncertainty of a reasonably possible change in its estimates in the near-term that would be material to the financial statements.9 Examples of estimates that may be affected by cyber incidents include estimates of warranty liability, allowances for product returns, capitalized software costs, inventory, litigation, and deferred revenue.

Stanford

Last month I noted the breach of medical information (including patient names and diagnostic codes) at Stanford Hospital. Stanford is now facing a class action over that breach. It states that -
Stanford Hospital & Clinics (SHC) understands that a purported class action lawsuit was filed against it and Multi-Specialty Collection Services, LLC (MSCS), an outside vendor that caused some confidential information about patients who visited Stanford Hospital’s emergency room to be posted on a website. SHC intends to vigorously defend the lawsuit that has been filed as it acted appropriately and did not violate the law as claimed in the lawsuit.

SHC takes very seriously its obligation to treat its patient information as private and confidential. As soon as this was brought to SHC’s attention by a patient, the hospital demanded and had the spreadsheet taken down from the website and backup servers. SHC quickly notified the affected patients of this breach and offered to provide free identity protection services to all the patients, even though the information disclosed on the website is not the type used for identity theft. To date there is no evidence that anyone saw this information on the website and improperly used it for fraudulent or any other improper purpose. SHC has investigated this matter, terminated its relationship with MSCS, and reported this breach to law enforcement authorities.

MSCS is a California company that provided business and financial support to SHC and was operating under a contract with SHC that specifically required it to protect the privacy of the patient information sent to it and that prohibited unauthorized disclosure of that information. SHC properly sent the data to MSCS in an encrypted format to protect its confidentiality. SHC’s investigation of this regrettable incident has determined that MSCS then prepared an electronic spreadsheet from that data that had the names, addresses and diagnosis codes of almost 20,000 patients. Unfortunately, MSCS improperly sent the spreadsheet it had created to a third person who was not authorized to have that information and who improperly posted it on a website, apparently to get assistance in generating a graph from MSCS’s spreadsheet. This mishandling of private patient information was in complete contravention of the law and of the requirements of MSCS’s contract with SHC and is shockingly irresponsible.

SHC regrets that its patients’ confidentiality was breached and is committed to protecting the health and privacy of all of its patients
Elsewhere Stanford states that -
* SHC aggressively pursued a comprehensive investigation, which resulted in identifying the person who caused the information to be posted in violation of federal law and SHC’s contract. The individual who created the spreadsheet was SHC’s primary contact at MSCS and MSCS’s executive vice president. SHC has learned that his relationship with MSCS was that of an independent contractor.

* The vendor’s file, which was posted on September 9, 2010, had limited information about 20,000 patients treated in SHC’s Emergency Department from March 1 through August 31, 2009. The information included the patient’s name, medical record and hospital account numbers, an emergency department admission/discharge date, diagnosis codes related to the emergency department visit, and billing charges.

* Information generally associated with identity theft, such as credit card and social security numbers, was not published on the web site or otherwise breached.

* SHC notified appropriate government authorities and is cooperating fully. Letters were sent to affected patients informing them of the breach. Any patient receiving the letter may call 855-731-6016 for assistance with their questions or concerns.

* While information generally used for identity theft was not compromised, SHC has made arrangements for affected patients to receive free identity protection services if they wish to.

* From Diane Meyer, Chief Privacy Officer at Stanford Hospital & Clinics: “We sincerely apologize for the concern this has caused our patients. We value the privacy of patient health information and are committed to protecting it at all times. Our contractors are explicitly required to commit to strong safeguards to protect the confidentiality of our patients’ information. We have worked extremely hard to identify all the parties responsible. No Hospital staff member was involved in posting the file to the website. We will continue to take aggressive action to hold all responsible parties accountable.
The New York Times has meanwhile reported that -
an e-mail sent to a victim of the breach, the billing contractor, Joe Anthony Reyna, president of Multi-Specialty Collection Services in Los Angeles, explained that his marketing vendor, Frank Corcino, had received the data directly from Stanford Hospital, converted it to a new spreadsheet and then forwarded it to a woman he was considering for a short-term job.

The position was with Mr. Corcino’s one-man shop, Corcino & Associates, Mr. Reyna wrote in the e-mail, which was authenticated by his lawyer, Ellyn L. Sternfield. The job applicant apparently was challenged to convert the spreadsheet — which included names, admission dates, diagnosis codes and billing charges — into a bar graph and charts, Stanford Hospital officials said.

Not knowing that she had been given real patient data, the applicant posted it as an attachment to a request for help on studentoffortune.com, which allows students to solicit paid assistance with their work. First posted on Sept. 9, 2010, the spreadsheet remained on the site until a patient discovered it on Aug. 22 and notified Stanford.

The hospital, located on the campus of Stanford University in Palo Alto, demanded that the spreadsheet be removed, and the Web site quickly complied. Pressed for time, the job prospect wound up completing the assignment herself and, in the end, did not get hired, Ms. Sternfield said.
Not hiring the contender doesn't make the problem go away, and the claims and counterclaims have become nasty.

The NYT reports that
Mr. Corcino, in his first public statement, attributed the breach to "a chain of mistakes which are far too easy to make when handling electronic data." ...

The Stanford breach was notable for the duration of public exposure, and for spotlighting the vulnerability created by a medical provider’s business relationships with outside parties.

Last week, lawyers filed suit in state court in Los Angeles, seeking certification as a class action and $20 million in damages from Stanford Hospital & Clinics and Multi-Specialty Collection Services, which is known as MSCS. The threat of liability set off a predictable round of finger-pointing.

In written responses to questions, Lisa Lapin, Stanford University’s assistant vice president for university communications, said, “MSCS bears the complete and sole responsibility for the breach.”

Ms. Lapin said the hospital had sent the data in encrypted form to Mr. Corcino, who requested it on behalf of MSCS to analyze a strategy for improving billing collections. She said Mr. Corcino had regularly represented himself as MSCS’s executive vice president and had been Stanford’s “primary contact” during a seven-year relationship. MSCS, a five-person firm that audits hospital accounts to maximize reimbursement, possessed the passwords to unencrypt the data, she said.

“This mishandling of private patient information was in complete contravention of the law and of the requirements of MSCS’s contract and is shockingly irresponsible,” the hospital said in a statement.
FRelying on the Casablanca model, various people are expressing shock, distress and amazement -
Ms. Sternfield, Mr. Reyna’s lawyer, said Mr. Corcino had never been an MSCS employee, but rather was paid a monthly fee to drum up business, typically in face-to-face meetings with health care executives. Mr. Reyna, she said, had no knowledge that the Stanford data had been sent to Mr. Corcino, or that he had passed it on.

Mr. Corcino was not authorized to use an MSCS title, Ms. Sternfield said, but she declined to say whether Mr. Reyna was aware of the practice. She acknowledged that Mr. Corcino sometimes used an MSCS e-mail account.

In his e-mail to the breach victim, who shared it with The Times, Mr. Reyna wrote that Stanford had sent the file to Mr. Corcino “for a potential MSCS project that would audit paid accounts to verify that the reimbursement was correct.”

For his part, Mr. Corcino said in a statement that he was an independent contractor but was “the marketing face of the company,” and that MSCS “allowed me to use the title of executive vice president.” He wrote: “Stanford sent the file to me at MSCS, and I imported the data into a spreadsheet that was forwarded to the job applicant as part of a skills test. I did not intend to provide any personal health information in the file. This was a marketing project.”

Without explaining how or why he sent the data to the applicant, Mr. Corcino said MSCS had not trained him properly and faulted Stanford for sending him private information that he did not need. That, he said, was the “first link in a chain of mistakes.”

“I regret that Stanford released a file containing unnecessary information,” Mr. Corcino said, “that MSCS did not have an appropriate training and audit system for the handling of electronic data and that I was not more careful with the file. While Stanford and MSCS left the information in the file I received, it was my mistake to not catch its inclusion and remove the data.”
Oh dear.

The NYT notes that "breaches of private medical data have become distressingly commonplace, with two substantial ones disclosed in the last week alone" -
officials with Florida Hospital reported that three employees had improperly combed through emergency department records of 2,252 patients, apparently to forward information about accident victims to lawyers. The employees were fired, and law enforcement officials are investigating.

Meanwhile, Science Applications International Corporation disclosed that computer backup tapes containing medical data for 4.9 million military patients had been stolen from an employee’s car in San Antonio. The data included Social Security numbers, clinical notes, laboratory test results and prescriptions. The company said the risk of harm was low because retrieving data from the tapes would require specialized knowledge, software and hardware.

The Texas breach is by far the largest since September 2009, when a new federal law began requiring disclosures of medical privacy violations involving at least 500 people. Some 330 such episodes have been tallied, including four others that affected more than one million people each.

Officials at the Department of Health and Human Services said the new reporting requirements had exposed deep vulnerabilities and encouraged renewed vigilance.

“We’re moving in the right direction in terms of a culture of compliance,” said Leon Rodriguez, director of the department’s Office for Civil Rights, which investigates medical privacy cases. “Are there still a lot of problems out there? Yeah, my sense is there are still a lot of problems.”

Media Issues

Australia's Independent Inquiry into Media and Media Regulation has released a short Issues Paper [PDF].

The Inquiry indicates that "the list of issues is not set out in any order of importance. Nor is the list intended to be comprehensive. The issues are, however, among the important matters that the inquiry will consider."

The issues are -
Access

1.1 One common justification for freedom of the press (nowadays referred to as freedom of the media) is that given by Mr Justice Holmes in his dissenting opinion in Abrams v United States 250 US 616, 624 (1919). He said:
[T]he ultimate good desired is better reached by free trade in ideas—that the test of truth is the power of thought to get accepted in the competition of the market.
1.2 Does this ’marketplace of ideas’ theory assume that the market is open and readily accessible?

1.3 Are there alternative or preferable justifications for freedom of the media?

1.4 Regardless of the justification, is it appropriate, especially in the search for the ‘truth’ on political issues, that persons holding opposing views have an opportunity to express their views in the media?

2.1 If a substantial attack is made on the honesty, character, integrity or personal qualities of a person or group, is it appropriate for the person or group to have an opportunity to respond?

2.2 What factors should be considered in determining (a) whether there should be an opportunity to respond? (b) how that opportunity should be exercised? Would those factors differ depending on whether the attack is published in the print or the online media?

Standards

3 Is it appropriate that media outlets conform to standards of conduct or codes of practice? For example, should standards such as those in the Australian Press Council’s Statements of Principles (1999) apply to the proprietors of print and online media?

4 Is it appropriate that journalists conform to standards of conduct or codes of practice? If it is, are the standards in the Media Entertainment and Arts Alliance’s Code of Ethics (1999) an appropriate model?

5 Do existing standards of conduct or codes of practice such as those mentioned in 3 and 4, as well as those established by individual print and/or online media organisations, fulfil their goals?

6 To what extent, if any, does the increased use of online platforms affect the applicability or usefulness of existing standards of conduct or codes of practice?

7 Can and should the standards of conduct or codes of practice that apply to the traditional print media also apply to the online media?

Regulation

8 Is self-regulation via standards of conduct or codes of practice necessary to maintain the independence of the media?

9.1 Is there effective self-regulation of (a) print media and (b) online media by the Australian Press Council?

9.2 What are the Australian Press Council’s strengths and limitations as a regulator of those two forms of publication?

9.3 Is it necessary to adopt new, and if so what, measures to strengthen the effectiveness of the Australian Press Council, including in the handling of complaints from members of the public (for example, additional resourcing, statutory powers)?

9.4 As an alternative to strengthening the effectiveness of the Australian Press Council, would it be preferable to establish a statutory body to take over its functions?

9.5 Concerning any proposed new measures, which are specific to the print media and which the online media?

10 If self-regulation is not an effective means of regulation, what alternative models of regulation could be adopted that would appropriately maintain freedom of the media?

11 Would it be appropriate for such a model to include rules that would:
(a) prohibit the publication of deliberately inaccurate statements
(b) require a publisher to distinguish between comment and fact
(c) prevent the unreasonable intrusion into an individual’s private life
(d) prohibit the gathering of information by unfair means (for example, by subterfuge or harassment)
(e) require disclosure of payment or offers of payment for stories
(f) deal with other topics such as those currently covered in the Australian Press Council advisory guidelines?
12 If an alternative model was to be a statutory complaints tribunal, is it appropriate for that tribunal to have power to:
(a) obtain information necessary to resolve a complaint
(b) require a publisher to do an act (for example, publish a correction of unfair or misleading reporting)
(c) impose sanctions for a failure to do that act?
13 Is there any reason why the regulation of the print media should be different from the regulation of broadcast or online media?

New media and business models

14 To what extent has the development of digital and online platforms had an impact on the traditional business model for media organisations, and to what extent is the further development of these platforms likely to affect the business model/s for media organisations over the medium to long term?

15 What are the other key factors that have an impact on the business models of media organisations, what is the magnitude of their impact to date, and to what extent are they likely to be significant over the medium to long term?

16 What is the impact to date on the level of investment in quality journalism and the production of news and what is the expected impact over the medium to long term?

Support

17 Is there need for additional support to:
(a) assist independent journalism
(b) assist the media to cater for minority audiences
(c) remove obstacles that may hinder small-scale publications
(d) promote ease of entry to the media market
(e) foster other aspect of the media’s operations?
18 What are the best methods for providing that support?

16 October 2011

Dot stupid

From Evgeny Morozov's 12 October 2011 TNR evisceration of Jeff Jarvis' Public Parts: How Sharing in the Digital Age Improves the Way We Work and Live (New York: Simon & Schuster 2011) -
For Jarvis, privacy is the preserve of the selfish; keep too much to yourself, and the “Privacy Police” may pay you a visit.

Why are we so obsessed with privacy? Jarvis blames rapacious privacy advocates — “there is money to be made in privacy” — who are paid to mislead the “netizens,” that amorphous elite of cosmopolitan Internet users whom Jarvis regularly volunteers to represent in Davos. On Jarvis’s scale of evil, privacy advocates fall between Qaddafi’s African mercenaries and greedy investment bankers. All they do is “howl, cry foul, sharpen arrows, get angry, get rankled, are incredulous, are concerned, watch, and fret.” Reading Jarvis, you would think that Privacy International (full-time staff: three) is a terrifying behemoth next to Google (lobbying expenses in 2010: $5.2 million).

“Privacy should not be our only concern,” Jarvis declares. “Privacy has its advocates. So must publicness.” He compiles a long and somewhat tedious list of the many benefits of “publicness”: “builds relationships,” “disarms strangers,” “enables collaboration,” “unleashes the wisdom (and generosity) of the crowd,” “defuses the myth of perfection", "neutralizes stigmas", "grants immortality ... or at least credit", "organizes us", and even "protects us". Much of this is self-evident. Do we really need to peek inside the world of Internet commerce to grasp that anyone entering into the simplest of human relationships surrenders a modicum of privacy? But Jarvis has mastered the art of transforming the most trivial observations into empty business maxims.

In one respect — his unrivaled ability to attract attention to his diva-like self — Jarvis has outdone even the fictional Dr. Kirk. Jarvis’s public parts are truly public: his recent battle with prostate cancer has become something of an online Super Bowl, with Jarvis tweeting from the operating table and blogging about the diaper problems that followed. And like the fictional Kirk, Jarvis likes his privacy when he likes it: the evangelist for publicness does not want his credit card numbers, his passwords, his e-mails, his calendar, his salary, his browsing habits, or his iTunes playlist made public. The digital disclosure of such things is off-limits for Jarvis — but not because of a scruple about privacy. He prefers to justify such immunities by appealing to other rights, fears, and concerns: he won’t share his passwords out of a fear of crime; or his calendar, because he is a busy man and doesn’t want any more commitments; or his salary, because of “cultural conventions”; or his iTunes playlist, because, well, it’s too trivial.

Had Jarvis written his book as self-parody — as a cunning attack on the narrow-mindedness of new media academics who trade in pronouncements so pompous, ahistorical, and vacuous that even the nastiest of post-modernists appear lucid and sensible in comparison — it would have been a remarkable accomplishment. But alas, he is serious. This is a book that should have stayed a tweet. Stripped of all the inspirational buzzwords, it offers a two-fold, and insipid, argument. First, a democratic society cannot afford to have privacy as its main — let alone its only — value. Second, the acts of information disclosure — by individuals, corporations, or public institutions — can be beneficial, under certain conditions, to some or all of the parties involved. Jarvis believes that these points are new and original and heroically subversive of the conventional wisdom. Public Parts is meant to be a polemic, but Jarvis has a hard time finding anyone who disagrees with either of his premises. Forced to introduce at least some contention into the book, he has to venture very far from his main themes, opining on the Arab Spring, the fall of the Soviet Union, and the future of the car industry.

A few such diversions are entertaining, but Jarvis cannot joke his way through the banality of his book’s central argument. Here is Jarvis at his most typical: “Memo to doctors, lawyers, and manicurists: You’d better be online and public.” What an incredible insight, in 2011: an online presence can help your business! Or consider this breakthrough in marketing theory: “If you are known as the company that collaborates with customers to give them the products they want, you may end up with more loyal customers.” Better products boost customer loyalty! Such bland pronouncements make Public Parts sound less cutting edge than the 1996 edition of The Complete Idiot’s Guide to the Web. ...

As if to live up to the old joke about an expert being someone who knows more and more about less and less until eventually he knows everything about nothing, Jarvis casts his eye over a gazillion different industries — from cars to airlines and from retail stores to public institutions — but rarely ventures beyond the most obvious analysis anywhere he looks. There are only two pages on WikiLeaks — an oddity in a book on the virtues of publicness — and even those pages are filled with generalities (the WikiLeaks scandal “demonstrated the banality of secrecy” and showed that “government keeps too much secret”). According to Jarvis, Julian Assange is driven by a law that posits that “those who held secrets once held power. Now those who create transparency gain power.” What does that actually mean? Journalists, NGOs, even Google: all of them create transparency in one way or another. But is it true that they now hold more power? What does the WikiLeaks disclosure of all those diplomatic cables imply about the powers lost or gained by the likes of Human Rights Watch, which needs secrecy to work in difficult countries but also needs publicness to make the world aware of those countries’ dire human rights record? Jarvis doesn’t say. If, as a result of legislative changes triggered by WikiLeaks, whistle-blowers end up getting much weaker legal protection, would it mean that they, too, gain power?

There is not much consistency in Jarvis’s thought about technology. Whenever he needs to explain something positive, his instinct is always to credit the Internet: it is the one factor responsible for more publicness, more democracy, more freedom. And every time he turns to darker and more difficult subjects — like discrimination, or shame — he announces that they have nothing to do with the Internet and are simply the product of outdated social mores or ineffective politics. In Jarvis’s universe, all the good things are technologically determined and all the bad things are socially determined.

This perverse analytical framework is most pronounced when he criticizes privacy advocates for not wanting to tackle more fundamental problems — such as social stigmas — that are made less severe by invoking one’s privacy rights. Jarvis writes that “a larger fear of sharing health information is the stigma associated with illness. That stigma is most certainly society’s problem. Why should anyone be ashamed of being sick?” He applies the same logic to discrimination based on sexual orientation: “That anyone would still feel shame about being revealed as gay ... is also our failing. If we think that technology is the problem, we risk ignoring the deeper faults and more important lessons.” Yet Jarvis seems blind to ways in which the rhetoric of publicness could be mobilized to distract from finding equally “deeper faults and more important lessons” about the sprawling national security state. “Knowing that no security at all is not an option, what’s your choice: body scans, physical searches, facial recognition via surveillance cameras, more personal data attached to travel records?” he asks — and quickly informs us that he objects to none of the above. He includes this tirade in a section called “publicness protects us” — but he presents no evidence that it does protect us. And why, one might ask, is the choice so stark? Why not entertain the option of extirpating the roots of terrorism rather than investing more money in surveillance technology and embracing “publicness”? It seems that Jarvis wants to fight root causes only of problems such as shame and discrimination; for everything else, there are quick technological fixes.

Victorian Privacy Case Notes

The Victorian Privacy Commissioner has released two Case Notes.

Complainant AU v Public Sector Agency [2011] VPrivCmr 3 concerns handling of a bullying complaint from a female state government employee. The Complainant made a written complaint regarding co-workers and was advised that a full copy of the documentation would be provided to each of the alleged bullies. She initially agreed, in the belief that there was no choice but later attempted via to withdraw consent. She was then advised that the complaint documentation had already been forwarded to the unit manager (an alleged bully) who had forwarded it to other alleged bullies, consistent with the employer's internal policy. She claimed that the disclosure to the alleged bullies breached her privacy under Information Privacy Principles 2.1, 4.1 and 1.3 and argued that the alleged bullies should only have had access to the information that was relevant to each individual rather than the entire document containing all alleged incidents. She also argued that the policy statement provided to her was out of date.

The Privacy Commissioner found that in dealing with a complaint about staff members an employer must disclose only what those people 'need to know' in order to respond to the complaint. In considering the employer's handling of the bullying complaint -
the disclosure of all of the Complainant’s documentation in full (setting out the Complainant’s state of mind, emotional responses to the incidents, and outcomes sought) to all of the alleged bullies appeared to be far more than what they needed to respond to the complaint about their own alleged behaviour.

Disclosure of information in this context should have been kept to the minimum necessary to investigate the matter and would not require the wholesale disclosure that had occurred in this instance.
The Commissioner considered that it was possible to edit the document to protect the Complainant’s privacy.

The Commissioner considered the notion of consent, deciding that in this instance consent could not be relied on by the employer because under 2.1(b) individuals must be provided with a real choice about what will happen with their personal information.

In considering IPP 4 (Data Security) the Commissioner found that by providing more information to the alleged bullies than was necessary the employer had not taken reasonable steps to protect the personal information it held.

In Complainant AV v Body Established for a Public Purpose [2011] VPrivCmr 4 the Commissioner referred a complaint to conciliation, on the basis that there were insufficient grounds to exercise discretion to decline the complaint under s 29 of the Act.

The Complainant had attended two performances at a theatre (a body established for a public purpose under statute). Each time the Complainant was asked for his name, address, email address and telephone number, despite wanting to pay with cash.
Staff of the theatre informed him that refusal or failure to provide the requested information would result in him being refused entry to the venue. The Complainant complained at the time about the unnecessary collection of his personal information, but the complaint was not logged by the organisation and was not escalated further. He was admitted to the venue, however, as he already had an account under his name with the theatre.

The Complainant complained to the Privacy Commissioner, arguing that the theatre had breached IPP 1.1 by collecting personal information about him that was not necessary for its functions or activities, and had failed to provide him with the option of transacting anonymously with the organisation under IPP 8.1.
The theatre argued that there was no breach of the Complainant’s privacy as it had conducted an investigation into the complaint and found that staff at the ticket office could not recall the incident. It also argued that because the Complainant had only complained to ticket office staff and had not escalated the complaint higher the theatre did not have a chance to respond to the complaint.

The Commissioner took a positive stance, noting that there was disagreement about whether the information had been collected at all. The Commissioner stated that a ticket person's failure to escalate a complaint was insufficient reason for the Commissioner to decline the complaint. The Commissioner indicated that whether information collected was necessary for a function or activity of an organisation, and accordingly whether an option to transact anonymously was practicable, depended on the circumstances.