
Computer Crime Law Needs Revision to Prevent 'Gross Misuse'

Data Breach Bills Ignore Health Information

Good News, Bad News for Medical Record Transparency

Featured on Policy Beta

August 16, Aspen, CO - CDT President Leslie Harris will deliver an opening presentation for a session titled "Intellectual Property," during the Aspen Institute's Conference on Communications Policy.





   

At CDT, we constantly strive to identify and promote balanced solutions to policy challenges. In the past two weeks, we pointed out flaws in several otherwise well-intentioned proposals moving through the Congress and the Executive Branch. Joined by leading conservatives, we warned that the Administration's proposed amendments to the Computer Fraud and Abuse Act should not proceed until the overbroad and vague language contained in the Act itself is fixed. We noted that the federal effort to craft a national data breach notification law to replace the current patchwork of state rules itself needs to be patched: patient health information isn't covered by any of the pending proposals. And we sought to improve a rule proposed by the Department of Health and Human Services aimed at making it easier for patients to find out who has accessed their health records.

Computer Crime Law Needs Revision to Prevent 'Gross Misuse'

As part of its cybersecurity package, the Administration is urging Congress to increase penalties under the Computer Fraud and Abuse Act (CFAA). However, in a recent letter to the Senate Judiciary Committee, CDT and others from across the philosophical spectrum called on legislators to first correct overbroad and vague language in the CFAA that can be used to prosecute persons who have not engaged in any activity that can or should be considered a "computer crime." The problem arises because the CFAA imposes civil and criminal liability for accessing a protected computer "without" or "in excess of" authorization, but fails to define "authorization." This makes the definition of the precise activities that are punishable unavoidably vague. As a result, several courts have used companies' network terms of use, which lay out contractual constraints on users' use of those networks, to also define what constitutes criminal behavior on those networks. The consequence is that private corporations can in effect establish what conduct violates federal criminal law when they draft such policies. CDT and its partners on the letter offered to work with the Committee to draft appropriate language clarifying the Act to ensure that Justice Department resources are focused on malicious hacking and identity theft.

Data Breach Bills Ignore Health Information

Data breach bills circulating in Congress all exclude health data. The gap may stem from legislators assuming that all health information is already protected by the federal health data privacy rules adopted under HIPAA; however, those rules only cover data held by certain entities. An increasing amount of digital health information is flowing into the hands of entities not covered under HIPAA. Some state laws requiring breach notification do cover health data regardless of who holds it, but those laws would be preempted by a federal law. As a result, if any of the data breach bills introduced in this Congress passes as currently written, a commercial entity that lost your full name and a list of your medications would not be obligated to notify you. As Congress debates and modifies the data breach bills now under consideration, CDT is working to ensure an appropriate match between the coverage of the federal law and the scope of preemption of state laws.

Good News, Bad News for Medical Record Transparency

One of the most significant and controversial measures being developed to implement the privacy and security provisions of the HITECH Act of 2009 is a proposed requirement that "covered entities" (such as hospitals and doctors' offices) provide each patient "upon request" with a report detailing who accessed that patient's medical records. While improving patients' ability to obtain a list of who has accessed and received their medical records would enhance transparency in the health care system, a goal CDT supports, the technology in use at most health care facilities likely cannot achieve the requirements of the proposed regulation without considerable burden and expense. CDT filed comments with HHS urging the department to focus on what current technology can accomplish and to build a long-term transparency strategy that benefits patients without overburdening health care organizations.

Privacy and Internet Standards

CDT Chief Computer Scientist Alissa Cooper gives a firsthand account of the recent meeting of the Internet Engineering Task Force, one of the key technical standards bodies for the Internet. More than 1,200 engineers gathered to tackle some of the most daunting challenges in network engineering. One theme seemed to permeate the meeting: privacy.





Center for Democracy & Technology
1634 I St.
Suite 1100
Washington, District of Columbia 20006
US
