<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.lexblog.com/~d/styles/itemcontent.css"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
   <channel>
      <title>Privacy Compliance &amp; Data Security</title>
      <link>http://dataprivacy.foxrothschild.com/</link>
      <description />
      <language>en</language>
      <copyright>Copyright 2010</copyright>
      <lastBuildDate>Fri, 12 Mar 2010 10:02:32 -0500</lastBuildDate>
      <pubDate>Fri, 12 Mar 2010 10:02:32 -0500</pubDate>
      <generator>http://www.movabletype.org</generator>
      <docs>http://blogs.law.harvard.edu/tech/rss</docs> 

            <feedburner:info uri="privacycompliancedatasecurity" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://dataprivacy.foxrothschild.com/index.xml" /><feedburner:feedFlare href="http://add.my.yahoo.com/rss?url=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo4.gif">Subscribe with My Yahoo!</feedburner:feedFlare><feedburner:feedFlare href="http://www.newsgator.com/ngs/subscriber/subext.aspx?url=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://www.newsgator.com/images/ngsub1.gif">Subscribe with NewsGator</feedburner:feedFlare><feedburner:feedFlare href="http://feeds.my.aol.com/add.jsp?url=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://o.aolcdn.com/favorites.my.aol.com/webmaster/ffclient/webroot/locale/en-US/images/myAOLButtonSmall.gif">Subscribe with My AOL</feedburner:feedFlare><feedburner:feedFlare href="http://www.bloglines.com/sub/http://dataprivacy.foxrothschild.com/index.xml" src="http://www.bloglines.com/images/sub_modern11.gif">Subscribe with Bloglines</feedburner:feedFlare><feedburner:feedFlare href="http://www.netvibes.com/subscribe.php?url=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://www.netvibes.com/img/add2netvibes.gif">Subscribe with Netvibes</feedburner:feedFlare><feedburner:feedFlare href="http://fusion.google.com/add?feedurl=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://buttons.googlesyndication.com/fusion/add.gif">Subscribe with Google</feedburner:feedFlare><feedburner:feedFlare href="http://www.pageflakes.com/subscribe.aspx?url=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://www.pageflakes.com/ImageFile.ashx?instanceId=Static_4&amp;fileName=ATP_blu_91x17.gif">Subscribe with 
Pageflakes</feedburner:feedFlare><feedburner:feedFlare href="http://www.plusmo.com/add?url=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://plusmo.com/res/graphics/fbplusmo.gif">Subscribe with Plusmo</feedburner:feedFlare><feedburner:feedFlare href="http://www.thefreedictionary.com/_/hp/AddRSS.aspx?http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://img.tfd.com/hp/addToTheFreeDictionary.gif">Subscribe with The Free Dictionary</feedburner:feedFlare><feedburner:feedFlare href="http://www.bitty.com/manual/?contenttype=rssfeed&amp;contentvalue=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://www.bitty.com/img/bittychicklet_91x17.gif">Subscribe with Bitty Browser</feedburner:feedFlare><feedburner:feedFlare href="http://www.newsalloy.com/?rss=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://www.newsalloy.com/subrss3.gif">Subscribe with NewsAlloy</feedburner:feedFlare><feedburner:feedFlare href="http://www.live.com/?add=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://tkfiles.storage.msn.com/x1piYkpqHC_35nIp1gLE68-wvzLZO8iXl_JMledmJQXP-XTBOLfmQv4zhj4MhcWEJh_GtoBIiAl1Mjh-ndp9k47If7hTaFno0mxW9_i3p_5qQw">Subscribe with Live.com</feedburner:feedFlare><feedburner:feedFlare href="http://mix.excite.eu/add?feedurl=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://image.excite.co.uk/mix/addtomix.gif">Subscribe with Excite MIX</feedburner:feedFlare><feedburner:feedFlare href="http://www.yourminis.com/subscribe.aspx?u=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://www.yourminis.com/images/addtoyourminisbadge.gif">Subscribe with Yourminis.com</feedburner:feedFlare><feedburner:feedFlare href="http://download.attensa.com/app/get_attensa.html?feedurl=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://www.attensa.com/blogs/attensa/WindowsLiveWriter/BadgeredintoBadges_10C02/attensa_feed_button5.gif">Subscribe with Attensa for 
Outlook</feedburner:feedFlare><feedburner:feedFlare href="http://www.webwag.com/wwgthis.php?url=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://www.webwag.com/images/wwgthis.gif">Subscribe with Webwag</feedburner:feedFlare><feedburner:feedFlare href="http://hub.netomat.net/account/account.autoSubscribe.jspa?urls=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://www.netomat.net/blogger/images/icon_netomat_feedbutton.gif">Subscribe with netomat Hub</feedburner:feedFlare><feedburner:feedFlare href="http://www.podcastready.com/oneclick_bookmark.php?url=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://www.podcastready.com/images/podcastready_button.gif">Subscribe with Podcast Ready</feedburner:feedFlare><feedburner:feedFlare href="http://www.flurry.com/pushRssFeed.do?r=fb&amp;url=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://www.flurry.com/images/flurry_rss_logo2.gif">Subscribe with Flurry</feedburner:feedFlare><feedburner:feedFlare href="http://www.wikio.com/subscribe?url=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://www.wikio.com/shared/img/add2wikio.gif">Subscribe with Wikio</feedburner:feedFlare><feedburner:feedFlare href="http://www.dailyrotation.com/index.php?feed=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://www.dailyrotation.com/rss-dr2.gif">Subscribe with Daily Rotation</feedburner:feedFlare><item>
         <title>Latest TJX Breach Lesson: Crime Does Not Pay</title>
         <description>&lt;p&gt;A co-conspirator in the TJX breach, Humza Zaman, saw the next 46 months of his life laid out before him in Boston yesterday, as he was sentenced in federal court for his role in the TJX breach.  He was also fined $75,000.&amp;nbsp; He will also have&amp;nbsp; three years of supervised release, must disclose his  conviction to future employers, but he will not be prevented from using  computers.&lt;/p&gt;
&lt;p&gt;Zaman&amp;rsquo;s role appears to be limited to money laundering activity while he was employed by Barclay&amp;rsquo;s Bank.  Zaman, apparently feeling he was only doing favors for Albert Gonzalez (by all accounts, the mastermind behind the data theft), would meet and mule large amounts of cash that he received from &amp;ldquo;an unknown man of apparent Eastern European descent.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;The writer of the &amp;ldquo;sniffer&amp;rdquo; computer program that was used in the data theft, Stephen Watt, was sentenced last December to two years in prison.&lt;/p&gt;
&lt;p&gt;&lt;del&gt;Lex Luther&lt;/del&gt; Albert Gonzalez is awaiting sentencing and faces a minimum sentence of 17 years in prison.&lt;/p&gt;
&lt;p&gt;Wired has a much more &lt;a href="http://www.wired.com/threatlevel/2010/03/tjx-conspirator-sentenced-to-46-month/?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29"&gt;thorough reporting&lt;/a&gt; of the prosecution side of the TJX breach, which is worth a read by not only business folks, but people that may get drawn into similar schemes.&lt;/p&gt;
&lt;p&gt;Updated:&amp;nbsp;Special thanks to the German Privacy Foundation for noting that I had punishments for Mr. Zaman and Mr. Watt flipped in certain portions of the original posting.&amp;nbsp; It is nice to have such friendly and professional communications from our friends in Germany.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/igZSacCCQOM" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/igZSacCCQOM/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2010/03/articles/data-theft/latest-tjx-breach-lesson-crime-does-not-pay/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">46 Months</category><category domain="http://dataprivacy.foxrothschild.com/articles">Data Theft</category><category domain="http://dataprivacy.foxrothschild.com/tags">Humza Zaman</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/tags">TJX Breach</category>
         <pubDate>Fri, 12 Mar 2010 06:44:04 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2010/03/articles/data-theft/latest-tjx-breach-lesson-crime-does-not-pay/</feedburner:origLink></item>
            <item>
         <title>Aetna Wins Dismissal on "Increased Risk of Identity Theft" Damages Sought for Class Action</title>
         <description>&lt;p&gt;Judge Legrome D. Davis of the United States District Court for the Eastern District of Pennsylvania issued an amended order on March 9th (amended from March 8th) dismissing a recent case seeking speculative damages arising from a data breach of Aetna&amp;rsquo;s job application web site.  A copy of the opinion can be viewed &lt;a href="http://dataprivacy.foxrothschild.com/uploads/file/Allison v_ Aetna.pdf"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;In &lt;em&gt;Allison v. Aetna&lt;/em&gt; (09-2560), the plaintiffs sought, among other relief, damages in connection with identity theft that may occur in the future.  Mr. Allison&amp;rsquo;s identity had not been stolen at the time the complaint was filed (and presumably not since then).&lt;/p&gt;
&lt;p&gt;The facts are set forth in more detail in the &lt;a href="http://dataprivacy.foxrothschild.com/uploads/file/Allison v_ Aetna.pdf"&gt;attached opinion&lt;/a&gt;, but essentially hackers gained access to some 450,000 (!!!) job applicants&amp;rsquo; personal information contained in Aetna&amp;rsquo;s job application web site database.  Also taken were the social security numbers of employees of Aetna (reports say 65,000 employees were affected).  The applicants then received emails, purporting to be from Aetna, requesting additional personal information from the applicant.  It is unclear what additional information was actually sent by applicants, but it is a pretty safe assumption that at least some of the applicants were tricked into supplying the information.&lt;/p&gt;
&lt;p&gt;Judge Davis walks through a detailed analysis of &amp;ldquo;increased risk of harm&amp;rdquo; claims, and concludes that there is no legally cognizable injury based on such claims.  A detailed analysis of recent decisions related to &amp;ldquo;increased risk of harm&amp;rdquo; claims arising in connection with data breaches is included in the opinion.&lt;/p&gt;
&lt;p&gt;There was no proof that Mr. Allison&amp;rsquo;s personal information was ever accessed and the only information known for certain to be stolen was email addresses.  Mr. Allison never received the phishing email, and an implication arises that no other information was taken if the phishers were asking for the same information. (I think the opposite inference is possible, that only those applicants for which more detailed information was not taken were &amp;quot;phished.&amp;quot;) Judge Davis notes that &amp;ldquo;[a]t best, Plaintiff has alleged a &lt;em&gt;mere possibility&lt;/em&gt; of an increased risk of identity theft, which is insufficient for purposes of standing, and he certainly has not asserted a credible threat of identity theft.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;This decision joins a growing line of cases where plaintiffs are not being allowed to collect damages where there has been no actual proof of harm.&lt;/p&gt;
&lt;p&gt;A copy of the opinion can be found &lt;a href="http://dataprivacy.foxrothschild.com/uploads/file/Allison v_ Aetna.pdf"&gt;here&lt;/a&gt;.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/mwapdcfyWsw" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/mwapdcfyWsw/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2010/03/articles/data-theft/aetna-wins-dismissal-on-increased-risk-of-identity-theft-damages-sought-for-class-action/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">Allison v. Aetna</category><category domain="http://dataprivacy.foxrothschild.com/articles">Data Theft</category><category domain="http://dataprivacy.foxrothschild.com/tags">Judge Legrome Davis</category><category domain="http://dataprivacy.foxrothschild.com/tags">Phishing</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/tags">Speculative Damages</category>
         <pubDate>Thu, 11 Mar 2010 10:50:46 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2010/03/articles/data-theft/aetna-wins-dismissal-on-increased-risk-of-identity-theft-damages-sought-for-class-action/</feedburner:origLink></item>
            <item>
         <title>HSBC Reports Information of 24,000 Account Holders Stolen</title>
         <description>&lt;p&gt;The AP is &lt;a href="http://news.yahoo.com/s/ap/20100311/ap_on_bi_ge/eu_switzerland_hsbc;_ylt=Apov5xyDOOO8fitvjrckRvms0NUE;_ylu=X3oDMTNqcGlxNjc1BGFzc2V0A2FwLzIwMTAwMzExL2V1X3N3aXR6ZXJsYW5kX2hzYmMEY2NvZGUDbW9zdHBvcHVsYXIEY3BvcwMxBHBvcwMyBHB0A2hvbWVfY29rZQRzZWMDeW5fdG9wX3N0b3J5BHNsawNoc2JjZGF0YW9uMjQ-"&gt;reporting&lt;/a&gt; that customers who held Swiss bank accounts with HSBC between late 2006 and early 2007 had their account information stolen by a former IT employee of an HSBC subsidiary.  CBS News, also publishing an &lt;a href="http://www.cbsnews.com/stories/2010/03/11/business/main6288337.shtml"&gt;AP report&lt;/a&gt;, is stating that the number is 15,000 customers, although the 24,000 figure appears to come from a later publication.  The affected customers are located worldwide.&lt;/p&gt;
&lt;p&gt;If you were one of the affected customers, you apparently are already aware of the data breach because HSBC says that it contacted you.  Stated another way, HSBC contacted you to tell you that your (presumably) secret Swiss bank account is not so much of a secret anymore.&lt;/p&gt;
&lt;p&gt;The accounts have been closed, and there does not appear to be any real risk that the information will be used to access account holders&amp;rsquo; accounts.  That may sound reassuring to the customer being contacted.  That is, unless the customer asks a few more questions.&lt;/p&gt;
&lt;p&gt;&amp;ldquo;Well, where is my information,&amp;rdquo; you may have asked if you were one of the customers contacted.  You probably had spent years funneling this money into your secret, non-taxed, Swiss bank account.&amp;nbsp; You will not be happy if some criminal takes your illegally shielded money.&lt;/p&gt;
&lt;p&gt;This is where the story takes an interesting turn.  Apparently, the IT employee was not content to let the information sit in a drawer, and the data was &amp;quot;turned over&amp;quot; to the French government.  What could possibly come from that, right?&lt;/p&gt;
&lt;p&gt;We have &lt;a href="http://www.bloomberg.com/apps/news?pid=20601100&amp;amp;sid=aaMU_UFFoTn0"&gt;read reports&lt;/a&gt; that the German government may be buying information on Swiss account holders.  Now we can add the French government to that list. &lt;a href="http://www.guardian.co.uk/business/2009/aug/30/swiss-banks-french-accounts"&gt; France released&lt;/a&gt; the names of 3,000 Swiss account holders in 2009.  The &lt;a href="http://news.yahoo.com/s/ap/20100311/ap_on_bi_ge/eu_switzerland_hsbc;_ylt=Apov5xyDOOO8fitvjrckRvms0NUE;_ylu=X3oDMTNqcGlxNjc1BGFzc2V0A2FwLzIwMTAwMzExL2V1X3N3aXR6ZXJsYW5kX2hzYmMEY2NvZGUDbW9zdHBvcHVsYXIEY3BvcwMxBHBvcwMyBHB0A2hvbWVfY29rZQRzZWMDeW5fdG9wX3N0b3J5BHNsawNoc2JjZGF0YW9uMjQ-"&gt;AP story&lt;/a&gt; cites the same IT employee as one of the sources of the information on those 3,000 account holders.&lt;/p&gt;
&lt;p&gt;Apparently the stolen data was returned by the French government to the Swiss government, and eventually made its way back to HSBC.  Thank goodness.&amp;nbsp; But wait, France still has copies of the information.&amp;nbsp; Not to worry, the information will not be used &amp;quot;inappropriately&amp;quot; by the French government.  It does, however, remain to be seen whether an appropriate use would be the prosecution of tax evaders.&lt;/p&gt;
&lt;p&gt;It also is not immediately apparent what sanctions HSBC may face as a result of the breach, which triggers very strict European privacy laws.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/m3eyvFiC3MY" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/m3eyvFiC3MY/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2010/03/articles/data-theft/hsbc-reports-information-of-24000-account-holders-stolen/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/articles">Data Theft</category><category domain="http://dataprivacy.foxrothschild.com/tags">French Government</category><category domain="http://dataprivacy.foxrothschild.com/tags">German Government</category><category domain="http://dataprivacy.foxrothschild.com/tags">HSBC</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/tags">data breach</category>
         <pubDate>Thu, 11 Mar 2010 07:38:33 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2010/03/articles/data-theft/hsbc-reports-information-of-24000-account-holders-stolen/</feedburner:origLink></item>
            <item>
         <title>With Conviction of Google Executives for Invasion of Privacy, Companies Need to Consider Risks of Social Media Services in the European Union</title>
         <description>&lt;p&gt;A video of an autistic boy being harassed by bullies is posted to a service offered by Google in Italy.  Google is informed of the availability and content of the video.  Google removes the video within two (2) hours of being informed.  Did Google react appropriately?&lt;/p&gt;
&lt;p&gt;Those familiar with US privacy laws know that there is little about which Google should be concerned.  Those familiar with European Union (EU) privacy laws generally conclude that Google is protected by the safe harbor under &lt;a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000L0031:EN:HTML"&gt;Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market&lt;/a&gt;.  Those unfamiliar with EU privacy laws probably conclude that Google did the right thing, acted swiftly and should not be responsible for material posted by third parties about which Google is not aware.&lt;/p&gt;
&lt;p&gt;Google is guilty of violation of Italian privacy laws, says an Italian court.  The Italian court held three (3) Google executives criminally liable for making the bully video available.  Yeah, seriously, convicted in absentia for violation of privacy (but cleared of defamation charges), Google&amp;rsquo;s Chief Legal Officer, Chief Privacy Counsel and a former Chief Financial Officer were sentenced to six-month suspended sentences.  (I understand that for most convictions of less than two years, sentences are generally suspended if there are no prior convictions.)&lt;/p&gt;&lt;p&gt;Prosecutors may have successfully argued that Google is not a service provider (and protected by the above EU Directive), but rather is a content provider because of the numerous ways that Google &amp;ldquo;touches&amp;rdquo; its users.  The amount of user data Google collects raises the level of duty owed to its users, making an invasion of privacy charge stick, prosecutors argued.  The judge has until late May to issue his rationale for the convictions.&lt;/p&gt;
&lt;p&gt;This case creates an absolute chilling effect on Internet companies that allow third parties to distribute or post content online.  The number of possible scenarios where Internet companies can be found liable for invasion of privacy in Italy in light of this ruling is mind boggling.  A user posts a naked picture of an ex-boyfriend out of anger, Facebook could be liable.  A user publishes some private details about another user, Twitter could be liable.  There are existing laws that effectively provide relief for those aggrieved parties that do not involve the Internet company, but in Italy they go after the Internet company.&lt;/p&gt;
&lt;p&gt;I believe that the ruling in Italy is not in line with privacy laws in the EU, or at least with enforcement of those laws.  Will Italian citizens now have a claim against Vodafone when a mobile phone user uses MMS messaging to send a private photograph to another person?  What if Federal Express delivers stolen credit card information of Italian residents to an address in Italy?&lt;/p&gt;
&lt;p&gt;Until this situation plays out (you know Google will be appealing the ruling), companies with social media services or capabilities for users to post their content to a company-hosted web site need to give real consideration of the risks of doing business in Italy, specifically in the EU.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/HI9aNt4pkAo" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/HI9aNt4pkAo/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2010/02/articles/european-union/with-conviction-of-google-executives-for-invasion-of-privacy-companies-need-to-consider-risks-of-social-media-services-in-the-european-union/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/articles">European Union</category><category domain="http://dataprivacy.foxrothschild.com/tags">Google</category><category domain="http://dataprivacy.foxrothschild.com/tags">Invasion of Privacy</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category>
         <pubDate>Thu, 25 Feb 2010 07:01:50 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2010/02/articles/european-union/with-conviction-of-google-executives-for-invasion-of-privacy-companies-need-to-consider-risks-of-social-media-services-in-the-european-union/</feedburner:origLink></item>
            <item>
         <title>Privacy Invasion: Personal Images Posted Online Stolen for Identity Theft</title>
         <description>&lt;p&gt;&lt;a href="http://www.cbs3.com"&gt;&lt;img height="180" width="245" src="http://dataprivacy.foxrothschild.com/uploads/image/simpsonsx.jpg" alt="http://dataprivacy.foxrothschild.com" /&gt;CBS 3 in Philadelphia&lt;/a&gt; reported last night about local resident Al Butler, whose identity was stolen for use on international dating sites.  As reported, criminals would create an account on international dating sites, post images of Mr. Butler taken from social media sites frequented by Mr. Butler, and pass themselves off as Mr. Butler.  The &amp;ldquo;scam&amp;rdquo; would come when Fake Al Butler would ask for money from women he met on the dating site.&lt;/p&gt;
&lt;p&gt;The CBS 3 report, originally airing in glorious HD and all of its facial pore, thinning hair glory, can be viewed &lt;a href="http://cbs3.com/video/?id=97882@kyw.dayport.com"&gt;here&lt;/a&gt;.  As yours truly advised the CBS viewers, stealing online photos for the purpose of passing oneself off as that person while committing a crime is the cyberworld version of a classic scam.&lt;/p&gt;
&lt;p&gt;What did not make the three-minute segment are the realities of situations similar to those described in the report: what are you gonna do about it?  Probably not much, which is why we all need to think about what photographs get posted.&lt;/p&gt;
&lt;p&gt;We all see everyday friends and family posting personal photographs on Facebook, Flickr, Twitter and similar social media sites.  We read reports about how some of these services have tracking features to tell the world where you have been and where you are going.  To a lot of people, sharing like this is fun.&lt;/p&gt;
&lt;p&gt;What is often forgotten is where this type of sharing can lead.  The obvious is that it is probably not a great idea to tell the world where you go and presently are.  The foregoing sentence makes no sense to a lot of people, especially younger folks.  But even those people that know bad things can come from location awareness are not aware how much information they actually do share.&lt;/p&gt;&lt;p&gt;What I think is often overlooked is geotagging. &lt;a href="http://en.wikipedia.org/wiki/Geotagging"&gt; Geotagging&lt;/a&gt; is basically data embedded in your photograph that includes where the picture was taken.  Many new cameras have this, as well as many smartphones (such as the iPhone).  The location information of that photograph of you taken in a living room can be compared with the location information of that photograph of you taken in a backyard, which can then be compared with the location information of that photograph of you taken in a driveway.  If that geographical information matches, I may know where you live.&lt;/p&gt;
&lt;p&gt;What about several photographs over time that show you at the same location?  I could probably figure out where that is and approximately what days and times you are there from the geotagging information.  Those couple of photos of you in an office environment?  Maybe I know where you live.&lt;/p&gt;
&lt;p&gt;The point is to think about where and with whom we share photographs.  Maybe it is enough that we share them only with our friends.  Then again, those people can copy and forward those photographs to other friends, post them on their personal web site and otherwise put them places that you did not intend them to appear.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/lPy70kHP4VM" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/lPy70kHP4VM/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2010/02/articles/privacy-rights/privacy-invasion-personal-images-posted-online-stolen-for-identity-theft/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">CBS3</category><category domain="http://dataprivacy.foxrothschild.com/tags">Geotagging</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/articles">Privacy Rights</category><category domain="http://dataprivacy.foxrothschild.com/tags">identity theft</category>
         <pubDate>Tue, 23 Feb 2010 07:22:37 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2010/02/articles/privacy-rights/privacy-invasion-personal-images-posted-online-stolen-for-identity-theft/</feedburner:origLink></item>
            <item>
         <title>Pennsylvania School District Sued After Allegedly Remotely Activating Student Laptop Webcam</title>
         <description>&lt;p&gt;&amp;nbsp;A &lt;a href="http://craphound.com/robbins17.pdf"&gt;complaint (PDF link)&lt;/a&gt; seeking class action status on behalf of all high school students at Harriton High School and Lower Merion High School (the &amp;ldquo;High Schools&amp;rdquo;) in the Lower Merion School District (the &amp;ldquo;School District&amp;rdquo;) in suburban Philadelphia was filed on February 16th.&lt;/p&gt;
&lt;p&gt;Apparently, the School District maintains a program whereby all high school students at the High Schools are provided with a laptop in connection with their educational endeavors. Like most modern laptops, apparently these laptops include a webcam embedded in the laptop bezel.&lt;/p&gt;
&lt;p&gt;The Complaint alleges that students and parents were never told that the School District (and its agents) have the ability (or would) to remotely activate the webcam. The Plaintiffs cite all documentation provided with the laptop and on the School District&amp;rsquo;s online resources as further support that they were never told of this remote activation/capture ability. Once activated, the School District can apparently then view and capture whatever is happening within the view of the webcam. Plaintiffs point out that this activity occurs regardless of whether anyone is sitting in front of the webcam, and captures the entire viewing area of the webcam.&lt;/p&gt;&lt;p&gt;The ability of the School District came to the attention of the plaintiffs when an Assistant Principal of one of the high schools accused the minor plaintiff of engaging in improper behavior in his home, the Complaint alleges. The Complaint also creates the impression that the Assistant Principal produced evidence of this alleged improper behavior by producing a photograph (presumably a screen shot) from the webcam, although the Complaint never actually states the foregoing.&lt;/p&gt;
&lt;p&gt;The plaintiffs, a minor child and his parents, allege that their privacy was violated through the conduct of the School District pursuant to Sections 2511 and 2520 of the Electronic Communications Privacy Act, Section 1030 of the Computer Fraud and Abuse Act, Section 2701 of the Stored Communication Act, Section 1983 of the Civil Rights Act, The Fourth Amendment of the United States Constitution, the Pennsylvania Wiretapping and Electronic Surveillance Act and Pennsylvania common law.&lt;/p&gt;
&lt;p&gt;No response has been filed by the School District, nor is any response due at this time.&lt;/p&gt;
&lt;p&gt;Robbins, et al. v. Lower Merion School District, et al. Complaint is here.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/7d3HbyJloGI" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/7d3HbyJloGI/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2010/02/articles/right-to-privacy/pennsylvania-school-district-sued-after-allegedly-remotely-activating-student-laptop-webcam/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">Harriton High School</category><category domain="http://dataprivacy.foxrothschild.com/tags">Lower Merion High School</category><category domain="http://dataprivacy.foxrothschild.com/tags">Lower Merion School District</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/articles">Right to Privacy</category>
         <pubDate>Thu, 18 Feb 2010 08:02:27 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2010/02/articles/right-to-privacy/pennsylvania-school-district-sued-after-allegedly-remotely-activating-student-laptop-webcam/</feedburner:origLink></item>
            <item>
         <title>Latest Privacy Nightmare: Google Buzz in the Workplace</title>
         <description>&lt;p&gt;Google committed its biggest misstep in recent memory with the launch of its new social media tool, &lt;a href="http://www.google.com/buzz"&gt;Google Buzz&lt;/a&gt;. &amp;nbsp;You would have to intentionally not be paying attention to have missed the furor over the privacy and trust violations alleged by angry users and advocates since its launch on &lt;a href="http://googleblog.blogspot.com/2010/02/introducing-google-buzz.html"&gt;February 9th&lt;/a&gt;.&amp;nbsp; But hearing the buzz about Buzz and understanding what Google Buzz actually is, or how it may affect your workplace, are independent realizations. Now a week after its launch, Google has made two major tweaks to the privacy settings in Google Buzz in attempts to quell users&amp;rsquo; anger.&lt;/p&gt;
&lt;p&gt;&lt;u&gt;What is Google Buzz&lt;/u&gt;&lt;/p&gt;
&lt;p&gt;Google Buzz is the latest effort at merging existing social media options into a new platform. Google is in an enviable position to be a big, if not the biggest, player in this convergence model because of their existing &lt;a href="http://www.google.com/mail"&gt;Gmail service&lt;/a&gt;.&amp;nbsp; Google Buzz essentially allows all Gmail users to broadcast and share messages, photos, videos, web links and tweets with friends and colleagues directly within Gmail.&lt;/p&gt;
&lt;p&gt;At the heart of Google Buzz&amp;rsquo;s functionality is the built-in feature that &amp;ldquo;links&amp;rdquo; those people that a user emails the most through Gmail. In other words, a user would automatically follow, and be followed by, those people with whom that user exchanges a lot of emails.&lt;/p&gt;
&lt;p&gt;The auto-follow feature works for many people and is probably pretty innocuous in a vacuum. However, what if a user emails an ex-boyfriend or ex-husband a lot? That user most likely does not want that person &amp;ldquo;following&amp;rdquo; him or her. &lt;br /&gt;
&amp;nbsp;&lt;/p&gt;&lt;p&gt;One of the features of Google Buzz is that it shares what I read in &lt;a href="http://www.google.com/reader"&gt;Google Reader&lt;/a&gt; with my followers. Google Reader is an RSS reader, a sort of automatic article fetcher that pulls from publications that I choose. Again, most users may not care, or may even want to share, that he or she loves to read TMZ.com or Engadget.com. However, what if a user reads publications with alternative lifestyle subject matters, but does not share his or her sexual orientation with friends or co-workers? What if a user has subscribed to job search services, but does not want it known that he or she is looking for a new job? What if a wife reads spousal abuse publications, and the person she emails the most is her abusive spouse? Someone at Google apparently thought it would be a great feature to have these people automatically know what I read and follow. Ready, fire, aim.&lt;/p&gt;
&lt;p&gt;Another feature is a direct connection to &lt;a href="http://www.google.com/picasa"&gt;Picasa&lt;/a&gt;, Google&amp;rsquo;s online photo sharing service. &amp;nbsp;The issues that could arise with Picasa are similar to those that could arise with Google Reader, only with the likelihood of being more graphic (no pun intended) and personal. Likewise, Twitter posts can be viewed (although not responded to) when following a Google Buzz user.&lt;/p&gt;
&lt;p&gt;&lt;u&gt;Google&amp;rsquo;s Response and Changes to Google Buzz&lt;/u&gt;&lt;/p&gt;
&lt;p&gt;Google, to its credit, responded quickly to the mass of complaints and made changes to its system, tweaking the system so that users won't be set up to follow anyone until the user has reviewed the suggestions and clicked &amp;ldquo;Follow selected people and start using Buzz.&amp;rdquo; In other words, you will choose who you follow and who you allow to follow you, with Google Buzz suggesting people to you. Google installed a link that permits a Gmail user to shut off Google Buzz. Google also changed its broadcast system in Google Buzz so that users can decide how to share particular content, such as private, to a small group of users or publicly. Google Buzz also no longer automatically includes Google Reader and Picasa content. Other changes were made as well.&lt;/p&gt;
&lt;p&gt;&lt;u&gt;In the Workplace&lt;/u&gt;&lt;/p&gt;
&lt;p&gt;With that dense history (and what a short history), what does Google Buzz mean for the workplace? The opportunities for further privacy concerns multiply. Let&amp;rsquo;s start with a premise that you may not have accepted: employees use Gmail. At work, Gmail is certainly one of the most popular email services for sharing email that employees do not want going through their employer&amp;rsquo;s email servers. Clients also use Gmail, sometimes because they email you from vacation, sometimes because it is the only thing they can get to work on their mobile device. In any event, Gmail is out there and it affects almost any business.&lt;/p&gt;
&lt;p&gt;First, now there is another service where we can learn about a co-worker&amp;rsquo;s or client&amp;rsquo;s personal life. In most cases, these are nuggets of information that we do not want to know, should not know, or both. And when someone learns this information, it is difficult if not impossible to forget. Employment-related actions and reactions based on this personal information can often be in violation of applicable employment and nondiscrimination laws. In other words, there are more opportunities for lawsuits.&lt;/p&gt;
&lt;p&gt;Second, online stalking and harassment opportunities are created where they may not have previously existed. Facebook and Twitter may have opened the door to &amp;ldquo;following&amp;rdquo; co-workers and clients, but Google Buzz adds to it, and does so in a multiple factor way by consolidating several sources of information. Should employers be concerned about employees becoming more involved with and learning more about the personal lives of other co-workers? Absolutely.&lt;/p&gt;
&lt;p&gt;Finally, many employers have banned employee access to sites like Facebook and Twitter while at work for productivity reasons. With the launch of Google Buzz, should employers now block access to Gmail? Would such a &amp;ldquo;block&amp;rdquo; affect the productivity of employees who (for whatever reason) use Gmail as part of their jobs? And if Google Buzz (like most social networking services) can be accessed by mobile devices, can access while at work effectively be blocked?&lt;/p&gt;
&lt;p&gt;These are just a few of the privacy issues that are mounting as new social media services are launched. Those employers that get in front of these issues are going to be able to avoid potentially costly lawsuits and public relations nightmares. Unfortunately, as long as service providers take the &amp;ldquo;ready, fire, aim&amp;rdquo; approach, thinking through the impact of, and staying in front of, these issues will be employers&amp;rsquo; responsibility.&lt;br /&gt;
&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/HxbsfE-Xr0Q" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/HxbsfE-Xr0Q/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2010/02/articles/privacy-rights/latest-privacy-nightmare-google-buzz-in-the-workplace/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">Employment</category><category domain="http://dataprivacy.foxrothschild.com/tags">Google Buzz</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/articles">Privacy Rights</category><category domain="http://dataprivacy.foxrothschild.com/tags">Workplace Privacy</category>
         <pubDate>Tue, 16 Feb 2010 08:22:08 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2010/02/articles/privacy-rights/latest-privacy-nightmare-google-buzz-in-the-workplace/</feedburner:origLink></item>
            <item>
         <title>Payment Card Industry (PCI) Standards Council Speaks</title>
         <description>&lt;p&gt;I came across an insightful interview with Bob Russo, general manager of the &lt;a href="https://www.pcisecuritystandards.org/index.shtml"&gt;Payment Card Industry Security Standards Council&lt;/a&gt; (the &amp;ldquo;Council&amp;rdquo;), that was conducted by cnet news. The interview can be found &lt;a href="http://news.cnet.com/8301-27080_3-10448197-245.html?part=rss&amp;amp;subj=news&amp;amp;tag=2547-1_3-0-20"&gt;here&lt;/a&gt; and it is a strongly suggested read.&lt;/p&gt;
&lt;p&gt;The Council was created by Visa, MasterCard, American Express, Discover, and JCB for the purpose of creating a&amp;nbsp;unified compliance program for organizations accepting and processing payment card transactions. The Payment Card Industry Data Security Standard (the &amp;ldquo;Standard&amp;rdquo;), available &lt;a href="https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html"&gt;here&lt;/a&gt;, was created by the Council to deter credit card fraud. Many view these efforts as an industry-wide effort to apply uniform security practices, which largely has been the effect.&lt;/p&gt;
&lt;p&gt;All organizations that enter into a merchant processing agreement to accept credit and payment card transactions must comply with the Standard in some manner. While the reporting requirements may be less onerous for organizations accepting payments below some fixed amount, in any event all such organizations must comply.&lt;br /&gt;
&amp;nbsp;&lt;/p&gt;&lt;p&gt;It is widely reported and accepted that most affected organizations have failed to meet full compliance with the Standard. Compliance with the Standard can be extremely onerous and expensive, and many large organizations simply weigh the costs of being out of compliance with the costs of gradually inching toward compliance.&lt;/p&gt;
&lt;p&gt;What is impossible to predict are the costs of having a data breach while not being compliant. The merchant processor agreements have placed the liability on the merchant for breaches occurring during non-compliant periods. This possibility is the greatest driver, and motivation, for merchants to become compliant as soon as possible.&lt;/p&gt;
&lt;p&gt;In addition to the Standard, merchants and processors must also be aware of, and comply with if applicable, the PIN Entry Device (PED) Security Requirements and the Payment Application Data Security Standard (PA-DSS).&lt;/p&gt;
&lt;p&gt;While efforts are continually undertaken to avoid data breaches and plug potential security weaknesses, a breach that leads to a loss of payment card information while not in compliance with the Standard, PED or PA-DSS creates issues that have the potential to be even more problematic than traditionally considered. The problems realized by &lt;a href="http://online.wsj.com/article/SB123249174099899837.html"&gt;Heartland&lt;/a&gt; and &lt;a href="http://www.computerworld.com/s/article/9014782/TJX_data_breach_At_45.6M_card_numbers_it_s_the_biggest_ever"&gt;TJX&lt;/a&gt; were further exacerbated by failing to be PCI compliant.&lt;br /&gt;
&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/tUCsRWDx0NI" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/tUCsRWDx0NI/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2010/02/articles/pci-1/payment-card-industry-pci-standards-council-speaks/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">Heartland</category><category domain="http://dataprivacy.foxrothschild.com/tags">PA-DSS</category><category domain="http://dataprivacy.foxrothschild.com/articles">PCI</category><category domain="http://dataprivacy.foxrothschild.com/tags">PED</category><category domain="http://dataprivacy.foxrothschild.com/tags">Payment Card Industry Security Standards Council</category><category domain="http://dataprivacy.foxrothschild.com/tags">Payment Card Industry Standard</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/tags">TJX</category>
         <pubDate>Thu, 11 Feb 2010 13:51:07 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2010/02/articles/pci-1/payment-card-industry-pci-standards-council-speaks/</feedburner:origLink></item>
            <item>
         <title>Data Breach Costs Increase to $204 per Compromised Record</title>
         <description>&lt;p&gt;The cost per customer record in a data breach increased $2 over the 2008 average to $204 per customer record compromised in a data breach. &lt;a href="http://www.ponemon.org/index.php"&gt; The Poneman Institute&lt;/a&gt;, which conducts independent research on privacy, data protection and information security policy, released its fifth annual report (&lt;a href="http://www.encryptionreports.com/2009cdb.html"&gt;Available Here&lt;/a&gt;) declaring that the average cost per compromised customer record rose to $204.&amp;nbsp; The report is sponsored by &lt;a href="http://www.pgp.com/"&gt;PGP&amp;nbsp;Corporation&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The report is based on 45 reported data breaches in the real world, with samples ranging from 5,000 to approximately 10,000 records.  Of the breaches studied, organizations paid a low of $750,000, and a high of $31 Million in connection with the breach response.  The average cost to an organization from a data breach increased from $6.65 Million to $6.75 Million from the &lt;a href="http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2008-2009%20US%20Cost%20of%20Data%20Breach%20Report%20Final.pdf"&gt;2008&lt;/a&gt; to the 2009 (&lt;a href="http://www.pgp.com/insight/newsroom/press_releases/2009_annual_study_cost_of_data_breach.html"&gt;Summary&lt;/a&gt;) studies. &lt;/p&gt;&lt;p&gt;The $204 cost is further broken down: $144 relates to indirect costs, such as losses from existing customers who leave and from prospective customers who are lost.  The balance relates to direct costs incurred by organizations, an increase of $10 over the 2008 report.&lt;/p&gt;
&lt;p&gt;The source of the data breach was related to third party errors in 42% of the cases.  Only 24% of the data breaches were the result of intentional attacks.  Shockingly, 82% of the breaches studied by the Ponemon Institute involved organizations that had multiple data breaches of 1,000 records or more in 2009.  But the good news for the repeat offenders is that the average cost per record is only $198 per record (versus organizations with first time data breaches spending on average $228 per record).&lt;/p&gt;
&lt;p&gt;But those organizations that move quickly tend to experience a higher cost per record for the breach response.  Organizations that move quickly tend to do so in a disorganized manner with little efficiency, and spend on average $219 per record.  Those organizations that have a much more organized response spend on average $196 per record.&lt;/p&gt;
&lt;p&gt;Organizations that engage third parties to assist in the response and compliance following a data breach actually spend much less per record compromised ($170 versus $230).&lt;/p&gt;
&lt;p&gt;In less than half of the cases studied (40%), the response management was managed by the organization&amp;rsquo;s chief information security officer.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/tHwUUBi3x58" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/tHwUUBi3x58/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2010/01/articles/data-security-breach-response/data-breach-costs-increase-to-204-per-compromised-record/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">$204 per Record</category><category domain="http://dataprivacy.foxrothschild.com/tags">2009 Cost of a Data Breach</category><category domain="http://dataprivacy.foxrothschild.com/articles">Data Security Breach Response</category><category domain="http://dataprivacy.foxrothschild.com/tags">Poneman Institute</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/tags">data breach</category>
         <pubDate>Tue, 26 Jan 2010 07:13:00 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2010/01/articles/data-security-breach-response/data-breach-costs-increase-to-204-per-compromised-record/</feedburner:origLink></item>
            <item>
         <title>Password Security Often Overlooked as Source of Data Breaches</title>
         <description>&lt;p&gt;The lessons to be learned from data breaches are often numerous and not always apparent on the surface.  The most recent example is the RockYou.com hack that occurred in December.  And what a hack that was.&lt;/p&gt;
&lt;p&gt;Briefly, when RockYou.com was hacked into, the hackers walked away with 32 million usernames and the corresponding passwords.  While the number of usernames and passwords (and let&amp;rsquo;s be honest, the number of users of this service) is a shockingly high number, the unforgivable transgression is that RockYou.com apparently stored these usernames and passwords in plain text format.  In other words, while industry standards dictate, and competent legal advisors and IT consultants strongly recommend, that all personally identifiable information be stored in an encrypted format, RockYou.com apparently stored the usernames and passwords in a format as readable as this blog entry.  (Passwords in particular should not be stored even in reversibly encrypted form; the accepted practice is to keep only a salted, deliberately slow one-way hash of each password, so that a stolen database does not hand the attacker the passwords themselves.)  Yeah, seriously.&lt;/p&gt;
&lt;p&gt;But while the media is focusing on the revelation of what passwords are most commonly used by users, the less obvious takeaway may be the most interesting.  Starting with the premises that people are people, people use blatantly obvious passwords, and people create the passwords for your business computers and networks, it is not hard to reach the conclusion that there are also many businesses out there that are one simple password away from a data breach featured in the &lt;em&gt;Wall Street Journal&lt;/em&gt;, like &lt;a href="http://online.wsj.com/article/SB123249174099899837.html"&gt;Heartland&lt;/a&gt; was featured.&lt;/p&gt;&lt;p&gt;The security firm Imperva published a &lt;a href="http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf "&gt;detailed analysis&lt;/a&gt; (PDF link) of the passwords obtained through the RockYou.com hack.  The analysis is a good read, and has many suggestions for best practices that you can read there.&lt;/p&gt;
&lt;p&gt;The analysis reveals that the top three passwords are 123456, 12345, and 123456789.  The fourth most common password?  It is Password.  It feels odd even writing the foregoing two sentences.&lt;/p&gt;
&lt;p&gt;But you are not a hacker, you run a business.  You run it well.  You do not ignore the details, and you make sure you know exactly what every contract says before you sign it.  But you probably do not select the &amp;ldquo;Administrator&amp;rdquo; password for your business.  If your business is named Competent, what are the chances that password is Competent1?&amp;nbsp; You are probably not responsible for ensuring that the password on the router/firewall standing between the outside world and your customers&amp;rsquo; personally identifiable information (and your proprietary information) has been changed from the vendor default, and changed to a strong password.  You have people that do that.  That being said, people are people, etc.&lt;/p&gt;
&lt;p&gt;So, what is a strong password?  Well, strong passwords are a lot like the way Justice Potter Stewart described pornography: I know it when I see it.  There are suggestions about the use and intermingling of letters (uppercase and lowercase), numbers and punctuation, 12-14 characters and non-English words.  3d4$d@Ga1GhS3p is a quickly mashed out password.  Yes, nearly impossible to remember, but very difficult to guess or brute-force, and in an era of doing all reasonable things to prevent hacks, a terrific first step.  (Two practical caveats: a password printed in a public article, including that one, should never actually be used; and a long passphrase kept in a password manager and never reused across sites is easier to live with than a random string you have to memorize.)  Wikipedia has an easy to read primer on strong password selection &lt;a href="http://en.wikipedia.org/wiki/Strong_password#Examples_that_follow_guidelines"&gt;here&lt;/a&gt;.&lt;br /&gt;
&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/nBDoH6EFgXI" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/nBDoH6EFgXI/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2010/01/articles/electronic-data-security/password-security-often-overlooked-as-source-of-data-breaches/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/articles">Electronic Data Security</category><category domain="http://dataprivacy.foxrothschild.com/tags">IT Security</category><category domain="http://dataprivacy.foxrothschild.com/tags">Password</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/tags">RockYou.com</category><category domain="http://dataprivacy.foxrothschild.com/tags">data breach</category>
         <pubDate>Fri, 22 Jan 2010 06:50:00 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2010/01/articles/electronic-data-security/password-security-often-overlooked-as-source-of-data-breaches/</feedburner:origLink></item>
            <item>
         <title>2009 Most Notorious Data Breaches</title>
         <description>&lt;p&gt;With 2009 (thankfully) behind us, we should take a minute to look back before moving on.&amp;nbsp; As most people recognize and accept, history tends to repeat itself and 2009 is a great year to learn from others' mistakes and missteps.&lt;/p&gt;
&lt;p&gt;Computerworld created a &amp;quot;&lt;a href="http://www.computerworld.com/s/article/print/9142407/The_2009_data_breach_hall_of_shame?taxonomyName=Cybercrime+and+Hacking&amp;amp;taxonomyId=82"&gt;2009 data breach hall of shame&lt;/a&gt;&amp;quot; recently that is an excellent read if you would like an overview of the most notorious data breaches of 2009.&amp;nbsp; None of us should lose sight of the thousands (if not tens of thousands) of smaller and unreported data breaches that occur every year.&lt;/p&gt;
&lt;p&gt;I will not restate the work done by Computerworld, but I do believe that the RockYou breach is the most egregious.&amp;nbsp; Assuming all of the facts as reported in various media outlets are true, the idiotic (ignorant is just not the right word) storage of passwords in plain text (rather than as salted one-way hashes, or at the very least in an encrypted form) highlights just how far companies have yet to go to understand even the most basic principles of data protection.&lt;/p&gt;
&lt;p&gt;Let's all hope for a safer, more compliant year in 2010 if, for no other reason, so that our own personal information is not released into the wilds.&amp;nbsp; Happy new year.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/PTvK0e2vA9Q" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/PTvK0e2vA9Q/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2010/01/articles/data-security-breach-response/2009-most-notorious-data-breaches/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">'2009</category><category domain="http://dataprivacy.foxrothschild.com/tags">Breaches"</category><category domain="http://dataprivacy.foxrothschild.com/tags">Data</category><category domain="http://dataprivacy.foxrothschild.com/articles">Data Security Breach Response</category><category domain="http://dataprivacy.foxrothschild.com/tags">Hall of Shame</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category>
         <pubDate>Thu, 07 Jan 2010 09:01:56 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2010/01/articles/data-security-breach-response/2009-most-notorious-data-breaches/</feedburner:origLink></item>
            <item>
         <title>Online Privacy Regulation Comes Front and Center at FTC, and Will Quickly Fade</title>
         <description>&lt;p&gt;A standing room meeting organized by the &lt;a href="http://www.ftc.gov"&gt;Federal Trade Commission&lt;/a&gt; (FTC) in Washington on Monday, December 7th, highlighted a crucial divide in the discussion over the regulation of online privacy.  The New York Times provides an &lt;a href="http://www.nytimes.com/2009/12/08/business/media/08adco.html?_r=1"&gt;excellent summary&lt;/a&gt; of the mainstream newsworthy aspects of the meeting.&lt;/p&gt;
&lt;p&gt;While the take away may be that the FTC is taking a more serious look at online privacy and net neutrality, the reality is that any oversight is not going to happen anytime soon.  Not anytime soon as in years, if ever.  Policy making as the solution is not going to address any immediate concerns or problems.&lt;/p&gt;
&lt;p&gt;What may be of more interest is the deep divide between the parties with a vested interest in the outcome of the discussion, namely, the consumer/consumer advocates and parties making money from information that may one day be regulated.&lt;br /&gt;
&lt;!--EndFragment--&gt;&lt;/p&gt;&lt;p&gt;Consumers generally have no idea what information or Internet usage habits are being shared, or how it is being shared.  Sure, legitimate businesses state clearly in privacy policies and disclosures what is going to happen with your information.  Less scrupulous companies lie in those policies and statements.  But you don&amp;rsquo;t read those policies or disclosures.  Nobody does.&lt;/p&gt;
&lt;p&gt;Consumer/privacy advocate groups do read those policies and disclosures, and they speak for consumers.  But the consumer often feels he or she has no real vested interest in the use of the most benign of that information.  Why do I care if information about what movies I rent gets made public in an anonymous manner?  You probably do not care.&lt;/p&gt;
&lt;p&gt;You would care if that information about you concerned your sexual orientation, which is a personal matter that you have felt personal enough to keep to yourself.  According to one woman, the re-identification of Netflix&amp;rsquo;s supposedly anonymized rental data exposed exactly that information about her, and &lt;a href="http://blogs.wsj.com/law/2009/12/18/did-netflix-violate-subscribers-privacy-lawsuit-says-yes/"&gt;she sued&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The businesses that make money off of your information and Internet usage habits stand to lose money.  Lots and lots of money.  Groups like Google, the Direct Marketing Association, Facebook and even those URL shortening services that aggregate data to sell reports on what is hot in Internet traffic.&lt;/p&gt;
&lt;p&gt;And the answer for those groups that stand to lose money if the current &amp;ldquo;opt-out&amp;rdquo; approach is abandoned?  Turn off cookies.  Do not sign up for services that disclose personal information in exchange for you to use the providers&amp;rsquo; services.  The web site will not &amp;ldquo;function&amp;rdquo; properly with the cookies turned off?  Well, you do not have to use the web site.  You do not want anything about your use shared?  Hey, don&amp;rsquo;t use Facebook.  You are concerned about law enforcement accessing your Internet history without probable cause or reasonable suspicion of wrongdoing (specifically, without a warrant)?  There must be alternatives to Comcast and FIOS, right?&lt;/p&gt;
&lt;p&gt;Most people do not want governmental regulation of more and more activities, but most people will also admit that where rights are trampled, government regulation is often the best tool to stamp it out.  Most businesses do not want regulation, period.&lt;/p&gt;
&lt;p&gt;The debate is going to get heated, it is going to be protracted and it is going to expose who has an interest and what sacrifices (often of others) they are willing to make.  We look forward to seeing how the debates unfold.  If it is anything like the underreported FTC meeting in Washington almost two weeks ago, the debate will be interesting with no clear winner (unless the status quo remains, in which case businesses brokering data continue to win).&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/kPMcuFJ-Mto" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/kPMcuFJ-Mto/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/12/articles/proposed-law/online-privacy-regulation-comes-front-and-center-at-ftc-and-will-quickly-fade/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">FTC</category><category domain="http://dataprivacy.foxrothschild.com/tags">Net Neutrality</category><category domain="http://dataprivacy.foxrothschild.com/tags">Opt-Out</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/articles">Proposed Law</category><category domain="http://dataprivacy.foxrothschild.com/tags">federal trade commission</category>
         <pubDate>Sat, 19 Dec 2009 11:31:12 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/12/articles/proposed-law/online-privacy-regulation-comes-front-and-center-at-ftc-and-will-quickly-fade/</feedburner:origLink></item>
            <item>
         <title>Alleged that Sprint Provided Law Enforcement Customer GPS Data over 8 Million Times</title>
         <description>&lt;p&gt;Ars Technica &lt;a href="http://arstechnica.com/telecom/news/2009/12/sprint-fed-customer-gps-data-to-leos-over-8-million-times.ars?utm_source=rss&amp;amp;utm_medium=rss&amp;amp;utm_campaign=rss"&gt;reported&lt;/a&gt; yesterday about a graduate student at Indiana University's School of Informatics and Computing that has compiled &lt;a href="http://paranoia.dubfire.net/2009/12/8-million-reasons-for-real-surveillance.html"&gt;documents and recordings&lt;/a&gt; obtained through Freedom of Information Act requests that support that Sprint/Nextel has provided GPS location data about Sprint&amp;rsquo;s wireless customers to law enforcement over eight (8) million times in just over one year.&lt;/p&gt;
&lt;br /&gt;&lt;p&gt;The number itself may be misleading, as there does not appear to be any confirmation that this was about eight million different wireless customers, or even eight million separate requests. For example, if the GPS location data refreshes every minute, tracking one individual for 24 hours could account for 1,440 of the aggregate number. There appears to be a mix of approximately 110 Sprint employees and contractors handling these law enforcement requests, so it is possible that the number of requests is as extraordinary as it appears.&lt;/p&gt;
&lt;p&gt;But the troubling aspect of this revelation may not be whether the number is eight million wireless customers or eight wireless customers, but rather the access system described in the reports. Apparently, law enforcement can log into a Sprint web portal and obtain the information (for a fee, of course). The ability of law enforcement to obtain the information without showing probable cause has long been decided, and law enforcement can obtain an appropriate court order and the telecommunications companies will typically provide call and text message logs, even GPS data. With this Sprint web portal, it is entirely unclear (and improbable) that law enforcement is obtaining the GPS data with an order. It may be that Sprint is serving this information on its wireless customers without requiring the customary trap &amp;amp; trace order. It is likely that Sprint is able to provide this information about its wireless customers to law enforcement without requiring a warrant (ever read your carrier&amp;rsquo;s terms and conditions of service?).&lt;/p&gt;
&lt;p&gt;AT&amp;amp;T has approximately 81.6 million wireless customers, and Verizon has approximately 89 million wireless customers. Sprint has approximately 48.3 million wireless customers. With AT&amp;amp;T and Verizon having a combined 3.5 times more wireless customers than Sprint (which does not include T-Mobile and the multiple regional carriers), this report does beg the question of how often customer GPS data is provided by all wireless carriers to law enforcement without a warrant. This report also raises the question of how much these numbers will skyrocket when/if other carriers start making access for law enforcement so easy and presumably available without a warrant.&lt;/p&gt;
&lt;p&gt;You should decide for yourself how much weight should be given to this report, and a response from Sprint may be forthcoming. The report does highlight that customer wireless information is being requested and received by law enforcement in increasing numbers (with Sprint&amp;rsquo;s web portal possibly being the most accessible yet, resulting in the huge surge in requests).&lt;/p&gt;
&lt;p&gt;It is also up to each of us to decide whether the &amp;ldquo;if I am doing nothing wrong, what do I care,&amp;rdquo; or the &amp;ldquo;enough already with Big Brother&amp;rdquo; response is appropriate. But before you answer the question, think about how that response may change when reports of abuse start emerging (&amp;ldquo;Well, Mark, my brother-in-law is a cop and he requested and learned for me that according to your GPS data you were not sick on Monday but at the golf course.&amp;rdquo;)&lt;/p&gt;
&lt;p&gt;Give the Ars Technica &lt;a href="http://arstechnica.com/telecom/news/2009/12/sprint-fed-customer-gps-data-to-leos-over-8-million-times.ars?utm_source=rss&amp;amp;utm_medium=rss&amp;amp;utm_campaign=rss"&gt;article&lt;/a&gt; a read.  It is a true eye opener.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/Sz60yPoyKDg" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/Sz60yPoyKDg/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/12/articles/right-to-privacy/alleged-that-sprint-provided-law-enforcement-customer-gps-data-over-8-million-times/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">AT&amp;T</category><category domain="http://dataprivacy.foxrothschild.com/tags">GPS Location Data</category><category domain="http://dataprivacy.foxrothschild.com/tags">Law Enforcement</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/tags">Probable Cause</category><category domain="http://dataprivacy.foxrothschild.com/articles">Right to Privacy</category><category domain="http://dataprivacy.foxrothschild.com/tags">Sprint</category><category domain="http://dataprivacy.foxrothschild.com/tags">Tap &amp; Trace Act</category><category domain="http://dataprivacy.foxrothschild.com/tags">Verizon</category>
         <pubDate>Wed, 02 Dec 2009 07:25:28 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/12/articles/right-to-privacy/alleged-that-sprint-provided-law-enforcement-customer-gps-data-over-8-million-times/</feedburner:origLink></item>
            <item>
         <title>FTC Extends Red Flag Rules Enforcement Until June 1, 2010</title>
         <description>&lt;p&gt;The FTC has &lt;a href="http://www.ftc.gov/opa/2009/10/redflags.shtm"&gt;again extended&lt;/a&gt; enforcement of the &lt;a href="http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf"&gt;Red Flag Rules&lt;/a&gt;, this time until June 1, 2010.&lt;/p&gt;
&lt;p&gt;This extension comes just one day after the ABA won a &lt;a href="http://dataprivacy.foxrothschild.com/2009/10/articles/red-flag-rules-1/aba-scores-victory-with-attorney-exemption-from-red-flag-rules/"&gt;victory&lt;/a&gt; with its request that practicing attorneys be exempted from compliance with the Red Flag Rules.&lt;/p&gt;
&lt;p&gt;The extension of the enforcement deadline also comes shortly after certain other exemptions, namely, health care practices, accounting practices, legal practices (each with 20 or fewer employees) and certain other businesses approved by the FTC that are engaged in domestic services, engage in services where identity theft is rare and have no incidence of identity theft, were &lt;a href="http://dataprivacy.foxrothschild.com/2009/10/articles/red-flag-rules-1/exemptions-under-ftc-red-flag-rules-amendment-passes-the-house/"&gt;passed in the House of Representatives&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Originally, the Red Flag Rules would have taken effect on November 1, 2008, which was then extended to May 1, 2009, and then further extended to &lt;a href="http://dataprivacy.foxrothschild.com/2009/05/articles/data-protection-law-compliance/red-flags-rules-further-delayed-now-go-into-effect-august-1-2009/"&gt;November 1, 2009&lt;/a&gt;.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/AKhWVRg2J0k" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/AKhWVRg2J0k/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/11/articles/red-flag-rules-1/ftc-extends-red-flag-rules-enforcement-until-june-1-2010/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/articles">Data Protection Law Compliance</category><category domain="http://dataprivacy.foxrothschild.com/tags">FTC</category><category domain="http://dataprivacy.foxrothschild.com/tags">Fair and Accurate Credit Transactions Act of 2003</category><category domain="http://dataprivacy.foxrothschild.com/tags">Identity</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/articles">Red Flag Rules</category><category domain="http://dataprivacy.foxrothschild.com/tags">Red Flags Rules</category><category domain="http://dataprivacy.foxrothschild.com/tags">Theft'</category>
         <pubDate>Tue, 03 Nov 2009 09:28:46 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/11/articles/red-flag-rules-1/ftc-extends-red-flag-rules-enforcement-until-june-1-2010/</feedburner:origLink></item>
            <item>
         <title>ABA SCORES VICTORY WITH ATTORNEY EXEMPTION FROM RED FLAG RULES</title>
         <description>&lt;p&gt;The United States District Court for the District of Columbia ruled that the &lt;a href="http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf"&gt;Red Flag Rules&lt;/a&gt; are not applicable to attorneys engaged in the practice of law.&lt;/p&gt;
&lt;p&gt;The &lt;a href="http://www.abanet.org/media/nosearch/1_1_Complaint.pdf"&gt;complaint&lt;/a&gt;, filed in late August 2009, argues that the FTC overstepped its statutory authority by imposing the Red Flag Rules on attorneys engaged in the practice of law.&lt;/p&gt;
&lt;p&gt;The ruling is another victory by the American Bar Association when it comes to exempting attorneys from rules regarding the handling of financial and/or sensitive information.  It would seem that the FTC would have made adjustments to its definitions of &amp;ldquo;creditor&amp;rdquo; to make it clear that attorneys should be included in its regulations, but that clarification may need to be addressed at the Congressional level to avoid future ambiguity.&lt;/p&gt;
&lt;p&gt;If Congress does present future legislation, or an amendment to existing legislation, that specifically includes attorneys, it will be interesting to see how the ABA argues that attorneys should be exempted from these types of federal consumer protection statutes.&lt;/p&gt;
&lt;p&gt;The BLT: The Blog of LegalTimes &lt;a href="http://legaltimes.typepad.com/blt/2009/10/judge-ftc-cannot-make-lawyers-comply-with-identity-theft-laws.html"&gt;reports&lt;/a&gt; that it is expected that the FTC will appeal the ruling.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/7zzQYbLRCPo" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/7zzQYbLRCPo/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/10/articles/red-flag-rules-1/aba-scores-victory-with-attorney-exemption-from-red-flag-rules/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">FTC</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/articles">Red Flag Rules</category><category domain="http://dataprivacy.foxrothschild.com/tags">federal trade commission</category>
         <pubDate>Fri, 30 Oct 2009 10:19:58 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/10/articles/red-flag-rules-1/aba-scores-victory-with-attorney-exemption-from-red-flag-rules/</feedburner:origLink></item>
            <item>
         <title>EXEMPTIONS UNDER FTC RED FLAG RULES AMENDMENT PASSES THE HOUSE</title>
         <description>&lt;p&gt;Representative John Adler&amp;rsquo;s (D-NJ) amendment to the &lt;a href="http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf"&gt;FTC Red Flag Rules&lt;/a&gt;, an act titled &amp;ldquo;&lt;a href="http://thomas.loc.gov/cgi-bin/query/D?c111:2:./temp/~c111HPQkB6::"&gt;To amend the Fair Credit Reporting Act to provide for an exclusion from Red Flag Guidelines for certain businesses&lt;/a&gt;,&amp;rdquo; passed the House of Representatives on October 20, 2009.&lt;/p&gt;
&lt;p&gt;Currently, the Red Flag Rules go into effect on &lt;a href="http://www.ftc.gov/opa/2009/07/redflag.shtm"&gt;November 1, 2009&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Set forth in full below, the bill exempts health care practices, accounting practices, legal practices (each with 20 or fewer employees) and certain other businesses approved by the FTC that are engaged in domestic services, engage in services where identity theft is rare and have no incidence of identity theft, from complying with the Red Flag Rules.&lt;/p&gt;
&lt;p&gt;The Adler amendment will have little effect on the litigation brought in August by the &lt;a href="http://www.abanet.org/abanet/media/release/news_release.cfm?releaseid=755"&gt;American Bar Association&lt;/a&gt; because of its limited scope.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/viohVOXfGco" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/viohVOXfGco/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/10/articles/red-flag-rules-1/exemptions-under-ftc-red-flag-rules-amendment-passes-the-house/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">FCRA</category><category domain="http://dataprivacy.foxrothschild.com/tags">FTC</category><category domain="http://dataprivacy.foxrothschild.com/tags">Fair Credit Reporting Act</category><category domain="http://dataprivacy.foxrothschild.com/tags">John Adler</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/articles">Red Flag Rules</category>
         <pubDate>Thu, 22 Oct 2009 08:19:02 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/10/articles/red-flag-rules-1/exemptions-under-ftc-red-flag-rules-amendment-passes-the-house/</feedburner:origLink></item>
            <item>
         <title>CALIFORNIA'S PROPOSED STRENGTHENED DATA PRIVACY LAW TERMINATED</title>
         <description>&lt;p&gt;It appears that John Connor is not the only thing from the future in Governor Schwarzenegger&amp;rsquo;s crosshairs.&amp;nbsp;The Governator vetoed the update to &lt;a href="http://www.dmv.ca.gov/pubs/vctop/appndxa/civil/civ1798_82.htm"&gt;California&amp;acute;s landmark privacy protection law (AB 700)&lt;/a&gt;, known as &lt;a href="http://leginfo.ca.gov/cgi-bin/postquery?bill_number=sb_20&amp;amp;sess=CUR&amp;amp;house=B&amp;amp;author=simitian"&gt;SB 20&lt;/a&gt;, which California&amp;rsquo;s State Legislature previously approved and we reported about &lt;a href="http://dataprivacy.foxrothschild.com/2009/09/articles/data-protection-law-compliance/proposed-california-data-breach-law-could-create-a-clearinghouse/"&gt;here&lt;/a&gt;. &lt;a href="http://leginfo.ca.gov/cgi-bin/postquery?bill_number=sb_20&amp;amp;sess=CUR&amp;amp;house=B&amp;amp;author=simitian"&gt;SB 20&lt;/a&gt; was proposed by State Senator Joe Simitian (D-Palo Alto).&lt;/p&gt;
&lt;p&gt;Simitian, the author of California&amp;rsquo;s existing privacy legislation (&lt;a href="http://www.dmv.ca.gov/pubs/vctop/appndxa/civil/civ1798_82.htm"&gt;AB 700&lt;/a&gt;), created a bill that had no apparent opposition.&amp;nbsp;In fact, Simitian has a record of creating trend-setting legislation in the privacy field, with more than 40 states adopting legislation similar to the legislation that he authored for California (AB 700).&amp;nbsp;Scientific American named Simitian as a member of the &amp;ldquo;Scientific American 50&amp;rdquo; in 2003 in the &amp;ldquo;Privacy &amp;amp; Security&amp;rdquo; category for his work on California&amp;rsquo;s existing legislation (AB 700).&lt;/p&gt;
&lt;p&gt;The &lt;a href="http://www.californiachronicle.com/articles/view/123684"&gt;California Chronicle&lt;/a&gt; quoted Simitan as saying &amp;ldquo;I&amp;rsquo;m surprised as well as disappointed by the Governor&amp;rsquo;s veto.&amp;nbsp;There was no opposition to the bill in its final form. This was a common sense step to help consumers.&amp;rdquo;&lt;br /&gt;
&lt;br /&gt;
As a refresher, SB 20 would accomplish two major goals. First, SB 20 would have required that the notification letters sent to victims &amp;ldquo;contain specific information designed to help victims safeguard their privacy. This includes the type of personal information exposed, a description of the incident, and when it took place.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;Second, SB 20 would also have required that parties that have a (single event) data breach that affects more than 500 California residents provide a copy of the notification letter to the state Attorney General&amp;rsquo;s office.&lt;/p&gt;
&lt;p&gt;While the basis for the Governor's veto of &lt;a href="http://leginfo.ca.gov/cgi-bin/postquery?bill_number=sb_20&amp;amp;sess=CUR&amp;amp;house=B&amp;amp;author=simitian"&gt;SB 20&lt;/a&gt; was not immediately apparent, it is likely that Simitian will reintroduce this legislation with some adjustments.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/BIzKAfRITHw" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/BIzKAfRITHw/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/10/articles/proposed-law/californias-proposed-strengthened-data-privacy-law-terminated/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">20</category><category domain="http://dataprivacy.foxrothschild.com/tags">Breach</category><category domain="http://dataprivacy.foxrothschild.com/tags">Compliance</category><category domain="http://dataprivacy.foxrothschild.com/tags">Data</category><category domain="http://dataprivacy.foxrothschild.com/tags">Joe</category><category domain="http://dataprivacy.foxrothschild.com/tags">Law</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy"</category><category domain="http://dataprivacy.foxrothschild.com/articles">Proposed Law</category><category domain="http://dataprivacy.foxrothschild.com/tags">Protection</category><category domain="http://dataprivacy.foxrothschild.com/tags">SB</category><category domain="http://dataprivacy.foxrothschild.com/tags">Schwarzenegger</category><category domain="http://dataprivacy.foxrothschild.com/tags">Simitian</category><category domain="http://dataprivacy.foxrothschild.com/tags">california</category>
         <pubDate>Tue, 13 Oct 2009 07:37:34 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/10/articles/proposed-law/californias-proposed-strengthened-data-privacy-law-terminated/</feedburner:origLink></item>
            <item>
         <title>Proposed California Data Breach Law Could Create a Clearinghouse</title>
         <description>&lt;p&gt;We have written before about how the lack of a national clearinghouse for large data breaches is a significant shortcoming of existing federal law.  We have also speculated that if a large state were to create a de facto clearinghouse, the shortcoming may be partially alleviated.&lt;/p&gt;
&lt;p&gt;President Obama&amp;rsquo;s administration may be disappointing many privacy experts to date, but California&amp;rsquo;s Governator now has an opportunity to make some major strides.&lt;/p&gt;
&lt;p&gt;California&amp;rsquo;s State Legislature approved &lt;a href="http://leginfo.ca.gov/cgi-bin/postquery?bill_number=sb_20&amp;amp;sess=CUR&amp;amp;house=B&amp;amp;author=simitian"&gt;SB 20&lt;/a&gt;, a bill proposed by State Senator Joe Simitian (D-Palo Alto), which the Senator states would &amp;ldquo;strengthen and update &lt;a href="http://www.dmv.ca.gov/pubs/vctop/appndxa/civil/civ1798_82.htm"&gt;California&amp;acute;s landmark privacy protection law&lt;/a&gt;.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;Governor Schwarzenegger will have until October 11th to sign or veto the proposed bill.&lt;/p&gt;
&lt;p&gt;The existing legislation, originally authored by Simitian, requires that any company or business that loses unencrypted personal information send a security breach notification letter to those affected.  Simitian&amp;rsquo;s office proudly and accurately states that California&amp;rsquo;s law has been widely praised, and more than 40 states have adopted similar legislation.&lt;/p&gt;
&lt;p&gt;At its heart, SB 20 accomplishes two major goals.  First, SB 20 would require that the notification letters sent to victims &amp;ldquo;contain specific information designed to help victims safeguard their privacy. This includes the type of personal information exposed, a description of the incident, and when it took place.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;Second, SB 20 would also require that parties that have a (single event) data breach that affects more than 500 California residents provide a copy of the notification letter to the state Attorney General&amp;rsquo;s office.  This second provision is where there is now a potential for a clearinghouse.  In most conceivable cases of a data breach of any significant size, it is likely that 500 California residents will be affected.  Under applicable sunshine laws, this information would be more widely available to watchdog groups, not to mention concerned citizens.  It is also conceivable that the Attorney General&amp;rsquo;s office would post information regarding these reported data breaches on its web site in an easily accessible manner.&lt;/p&gt;
&lt;p&gt;While the proposed revision to California&amp;rsquo;s data breach law is not a cure for the lack of a national database, it does create hope that a national requirement may be on the horizon.  In any event, as more states consider and require such reporting requirements, at the very least there may come into existence a patchwork of clearinghouses.  Even such a patchwork has the potential to be better than the current systems.&lt;br /&gt;
&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/a7wx2H6fP24" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/a7wx2H6fP24/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/09/articles/data-protection-law-compliance/proposed-california-data-breach-law-could-create-a-clearinghouse/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/articles">Data Protection Law Compliance</category><category domain="http://dataprivacy.foxrothschild.com/tags">Joe Simitian</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy"</category><category domain="http://dataprivacy.foxrothschild.com/tags">SB 20</category><category domain="http://dataprivacy.foxrothschild.com/tags">california</category><category domain="http://dataprivacy.foxrothschild.com/tags">data breach</category>
         <pubDate>Fri, 11 Sep 2009 17:28:10 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/09/articles/data-protection-law-compliance/proposed-california-data-breach-law-could-create-a-clearinghouse/</feedburner:origLink></item>
            <item>
         <title>Identity Theft Regulations in Massachusetts May Get Small Business Friendly</title>
         <description>&lt;p&gt;The &lt;a href="http://www.mass.gov/consumer) announced (http://www.mass.gov/?pageID=ocapressrelease&amp;amp;L=1&amp;amp;L0=Home&amp;amp;sid=Eoca&amp;amp;b=pressrelease&amp;amp;f=20090817_idtheftregs&amp;amp;csid=Eoca"&gt;Office of Consumer Affairs and Business Regulations (OCABR)&lt;/a&gt; proposed revisions to the Massachusetts&amp;rsquo; identity theft regulations, which would take effect on March 1, 2010.&lt;/p&gt;
&lt;p&gt;The proposed regulations can be found &lt;a href="http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf"&gt;here&lt;/a&gt; (PDF).&amp;nbsp; A comparison, or redline, of the proposed regulations to the current regulations can be found &lt;a href="http://dataprivacy.foxrothschild.com/uploads/file/STANDARDS_FOR_THE_PROTECTION_OF_PERSONAL_INFORMATION.DOC"&gt;here&lt;/a&gt; (.DOC).&amp;nbsp;  Finally, a set of frequently asked questions (FAQs) regarding the proposed regulations was prepared by the OCABR and can be found &lt;a href="http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf"&gt;here&lt;/a&gt; (PDF), and they are certainly worth a read.&lt;/p&gt;
&lt;p&gt;Citing a desire to undertake data security as &amp;ldquo;a risk-based approach that is especially important to small businesses that may not handle a lot of personal information about customers,&amp;rdquo; the OCABR emphasized that a business should assess the size and nature of the business, the kinds of records maintained and the risk of the business as an identity theft target when deciding its policies and procedures to handle personal information.&lt;/p&gt;
&lt;p&gt;Borrowing from the FAQs above, the OCABR cites four major changes under the proposed regulations:&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;&amp;bull;	As noted above, a risk-based approach to information security is adopted (consistent with other state and federal law).  This approach is friendlier to small businesses and does not place the same burdens on travel agencies (collecting little personal information) that may be placed on wealth managers (collecting significant amounts of personal information). &lt;br /&gt;
&amp;bull;	Many provisions that are currently required under a written information security program have been removed (and would be for guidance purposes moving forward). &lt;br /&gt;
&amp;bull;	The encryption requirement under the current regulation has been tailored to be technology neutral and technical feasibility has been applied to all computer security requirements. Businesses must still use reasonable means where they are available.&lt;br /&gt;
&amp;bull;	Fourth, the third party vendor requirements have been changed to be consistent with federal law.&lt;/p&gt;
&lt;p&gt;One aspect that has NOT been proposed to be changed, and the one aspect of Massachusetts&amp;rsquo; cutting-edge privacy regulations that (in my experience) most often catches businesses off guard, is that all means of storage of personal information must be encrypted.  This includes hard drives, thumb drives, backup tapes and any other method of electronic storage.  Although this encryption requirement is almost certainly the direction most states are headed, this requirement is almost unknown outside of the &amp;ldquo;privacy community.&amp;rdquo;  As with most laws, ignorance of the requirement is not a defense.&lt;/p&gt;
&lt;p&gt;Although the future for the proposed regulations is by no means decided, it is likely that some (if not all) of the proposed changes will see the light of day.  We will know more after the public hearings on the revised regulations that are scheduled to occur on September 22, 2009.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/EiN4YkqEeH8" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/EiN4YkqEeH8/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/08/articles/proposed-law/identity-theft-regulations-in-massachusetts-may-get-small-business-friendly/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">201 CMR 17.00</category><category domain="http://dataprivacy.foxrothschild.com/tags">ID theft</category><category domain="http://dataprivacy.foxrothschild.com/tags">Office of Consumer Affairs and Business Regulations (OCABR)</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/articles">Proposed Law</category><category domain="http://dataprivacy.foxrothschild.com/tags">STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH</category><category domain="http://dataprivacy.foxrothschild.com/tags">identity theft</category><category domain="http://dataprivacy.foxrothschild.com/tags">massachusetts</category>
         <pubDate>Tue, 18 Aug 2009 07:34:09 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/08/articles/proposed-law/identity-theft-regulations-in-massachusetts-may-get-small-business-friendly/</feedburner:origLink></item>
            <item>
         <title>The Information Security and Privacy Advisory Board Issues Federal Privacy Recommendations</title>
         <description>&lt;p&gt;&lt;a href="http://csrc.nist.gov/groups/SMA/ispab/index.html"&gt;The Information Security and Privacy Advisory Board&lt;/a&gt; (the &amp;ldquo;Board&amp;rdquo;), known from the late 1980&amp;rsquo;s until 2002 as the Computer System Security and Privacy Advisory Board, has released its expected report with recommendations on updating privacy law and policy in light of technological advancements.&lt;span style=""&gt;&amp;nbsp; &lt;/span&gt;The Board&amp;rsquo;s report, titled &amp;ldquo;&lt;a href="http://www.securityprivacyandthelaw.com/uploads/file/ispab-report-may2009.pdf"&gt;Toward a 21&lt;sup&gt;st&lt;/sup&gt; Century Framework for Federal Government Privacy Policy&lt;/a&gt;,&amp;rdquo; (PDF), makes several recommendations at the federal government level to address longstanding deficiencies in current practices, as follows:&lt;/p&gt;
&lt;ul type="disc" style="margin-top: 0in;"&gt;
    &lt;li style="" class="MsoNormal"&gt;Amendments to the &lt;a href="http://epic.org/privacy/laws/privacy_act.html"&gt;Privacy Act of 1974&lt;/a&gt;      and Section 208 of the &lt;a href="http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&amp;amp;docid=f:publ347.107.pdf"&gt;E-Government      Act of 2002&lt;/a&gt; are needed to:
    &lt;ul type="circle" style="margin-top: 0in;"&gt;
        &lt;li style="" class="MsoNormal"&gt;Improve Government       privacy notices&lt;/li&gt;
        &lt;li style="" class="MsoNormal"&gt;Update the definition of System       of Records to cover relational and distributed systems based on government       use, not holding, of records&lt;/li&gt;
        &lt;li style="" class="MsoNormal"&gt;Clearly cover commercial       data sources under both the Privacy Act and the E-Government Act&lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
    &lt;li style="" class="MsoNormal"&gt;Government leadership on      privacy must be improved
    &lt;ul type="circle" style="margin-top: 0in;"&gt;
        &lt;li style="" class="MsoNormal"&gt;OMB should hire a full&lt;span style="font-family: Cambria;"&gt;‐&lt;/span&gt;time Chief Privacy Officer with       resources&lt;/li&gt;
        &lt;li style="" class="MsoNormal"&gt;Privacy Act Guidance from       OMB must be regularly updated&lt;/li&gt;
        &lt;li style="" class="MsoNormal"&gt;Chief Privacy Officers       should be hired at all &amp;ldquo;CFO agencies&amp;rdquo;&lt;/li&gt;
        &lt;li style="" class="MsoNormal"&gt;A Chief Privacy Officers&amp;rsquo;       Council should be developed&lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
    &lt;li style="" class="MsoNormal"&gt;Other changes in privacy      policy are necessary
    &lt;ul type="circle" style="margin-top: 0in;"&gt;
        &lt;li style="" class="MsoNormal"&gt;OMB should update the       federal government&amp;rsquo;s cookie policy&lt;/li&gt;
        &lt;li style="" class="MsoNormal"&gt;OMB should issue privacy       guidance on agency use of location information&lt;/li&gt;
        &lt;li style="" class="MsoNormal"&gt;OMB should work with &lt;a href="http://www.us-cert.gov/"&gt;US-CERT&lt;/a&gt; to create interagency information       on data loss across the government&lt;/li&gt;
        &lt;li style="" class="MsoNormal"&gt;There should be public       reporting on use of Social Security Numbers&lt;o:p&gt;&lt;/o:p&gt;&lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Citing a lack of leadership from Congress, the failure to update federal laws and regulations, and the breakneck speed of technological evolution, the Board appeared critical that &amp;ldquo;only a few privacy leaders in key agencies have been empowered by their internal leadership to fill the policy vacuum.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;Whether this report will be the catalyst of sweeping privacy reform from the Obama administration that many have expected remains to be seen.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/3YlXH3m3FWc" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/3YlXH3m3FWc/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/07/articles/data-protection-law-compliance/the-information-security-and-privacy-advisory-board-issues-federal-privacy-recommendations/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/articles">Data Protection Law Compliance</category><category domain="http://dataprivacy.foxrothschild.com/tags">E-Government Act of 2002</category><category domain="http://dataprivacy.foxrothschild.com/tags">Information Security and Privacy Advisory Board</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy Act of 1974</category><category domain="http://dataprivacy.foxrothschild.com/tags">Toward a 21st Century Framework for Federal Government Privacy Policy</category><category domain="http://dataprivacy.foxrothschild.com/tags">privacy law</category>
         <pubDate>Tue, 28 Jul 2009 18:02:23 -0500</pubDate>
         <dc:creator>Mark McCreary</dc:creator>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/07/articles/data-protection-law-compliance/the-information-security-and-privacy-advisory-board-issues-federal-privacy-recommendations/</feedburner:origLink></item>
      
   </channel>
</rss>
