Purdue Notifies 7,000 Students of SSN Theft 16 Months After Discovering the Breach

Purdue University informed 7,093 former students on Monday that their Social Security numbers may have been stolen from servers at the University on April 5, 2010.  The notification comes 16 months after the discovery of the breach.

According to the (Indiana) Journal & Courier, the server contained 6.6 million nine-digit numbers in the accessed files.  After spending six months analyzing those numbers, Purdue determined that approximately 65,000 of those number combinations could be Social Security numbers.  An additional four months was spent reanalyzing the numbers and performing forensic analysis.  Based on those efforts, the University had matched 7,093 of those number combinations to Social Security numbers of former students. 
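The article does not say how Purdue separated the 6.6 million nine-digit numbers into "could be an SSN" and "cannot be an SSN", so the following is an added illustration, not Purdue's method: it applies the Social Security Administration's published structural constraints (area 000, 666 and 900-999, group 00 and serial 0000 are never assigned, and 078-05-1120 is the invalidated "wallet sample" number) to a constructed text sample. Passing the filter only means a value could be an SSN; confirming that it belongs to a real person is the separate matching step the article describes.

```python
import re

# Constructed sample text in the spirit of the accessed files: a mix of
# nine-digit values, some of which are structurally possible SSNs.
SAMPLE_TEXT = """
id=123456789 ssn=219-09-9999 phone=000-12-3456 order=666-45-6789
acct=987654321 ref=078-05-1120 emp=123-00-4567 zip=219091234 x=219-09-0000
"""

# Nine digits, optionally hyphenated as AAA-GG-SSSS, not embedded in a longer run.
NINE_DIGIT = re.compile(r"(?<!\d)(\d{3})-?(\d{2})-?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Return True if these nine digits could have been assigned as an SSN.

    The checks are the SSA's structural rules, which hold both before and
    after the June 2011 randomization: area numbers 000, 666 and 900-999 are
    never assigned, group 00 and serial 0000 are never assigned, and
    078-05-1120 is the well-known sample number invalidated decades ago.
    These rules exclude impossible values only; a value that passes still
    has to be matched against real records before it is a known SSN.
    """
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if group == "00" or serial == "0000":
        return False
    if (area, group, serial) == ("078", "05", "1120"):
        return False
    return True


def find_candidate_ssns(text: str) -> list[str]:
    """Scan text for nine-digit runs and keep the structurally plausible ones."""
    candidates = []
    for match in NINE_DIGIT.finditer(text):
        area, group, serial = match.groups()
        if is_plausible_ssn(area, group, serial):
            candidates.append(f"{area}-{group}-{serial}")
    return candidates


def triage_stats(text: str) -> tuple[int, int]:
    """Return (nine-digit values seen, values that could be SSNs)."""
    total = sum(1 for _ in NINE_DIGIT.finditer(text))
    return total, len(find_candidate_ssns(text))


if __name__ == "__main__":
    seen, plausible = triage_stats(SAMPLE_TEXT)
    print(f"{seen} nine-digit values, {plausible} could be SSNs:")
    for ssn in find_candidate_ssns(SAMPLE_TEXT):
        print("  ", ssn)
```

On the constructed sample, nine nine-digit values are found and three survive the structural filter; on a real file the survivors are the set that still has to be matched against identity records, which is the slow, manual part of the work.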

The breach was discovered only three days after it occurred, approximately April 8, 2010.  Fourteen months after discovery of the breach, Purdue notified the Office of the Indiana Attorney General.  Now, approximately two months later, the affected former students were notified.

Purdue did not offer any sort of credit monitoring and, instead, recommended that those affected be vigilant and keep an eye on their credit activity.

The announcement by Purdue comes on the heels of an announcement by The University of Wisconsin-Milwaukee on August 10th that 75,000 of its students had been exposed to a hacking incident in May 2011, as reported earlier here.

While the delay of three months may have seemed excessive last week, at least UWM beat Purdue's delay by almost 14 months.


HACKED: 75,000 Social Security Numbers at Risk at University of Wisconsin

The University of Wisconsin-Milwaukee (“UWM”) announced on Wednesday that a malware-infected university server was discovered on May 25th that allowed hackers, apparently seeking research data, to access several types of scanned documents. Included in the potentially accessed documents were applications from past and present students, which contained Social Security numbers.

At this time, UWM has not been able to confirm that any of the documents were actually taken by the hackers. UWM reports that “[t]he university learned of the installation of malware on May 25, and immediately shut down the system and began to investigate. During the course of the investigation, on June 30, 2011, we discovered that the database containing social security numbers was included in the compromised system.”

UWM wants to assure students that although names and Social Security numbers were possibly taken, the potentially accessed documents did not contain any financial data or academic information such as student grades. At least students don’t have to worry about having embarrassing grades posted.

The announcement asks “[s]houldn’t the university be offering free credit monitoring?” After all, free credit monitoring is expected these days, although certainly not required. The response? “We have no evidence that anyone’s personal information was retrieved or that any information was misused. However, it is recommended that everyone should monitor their financial information by:

  • Reviewing bank and credit card statements regularly, and looking for unusual or suspicious activities.
  • Contacting appropriate financial institutions immediately upon noticing any irregularity in a credit report or account.
  • Request a free credit report and carefully inspect your own credit scores.

That is one approach, I suppose.  It is certainly different.

While the details of the investigation by this public institution remain under wraps, it does raise interesting questions. To be clear, there may be excellent bases for not making the disclosure earlier. However, we have seen more and more experts commenting on how huge delays in public announcements are justified. Sure, delays in notification can sometimes be justified where only an intrusion is known and it is unclear whether personal information is accessible through that intrusion.

We have come to the point where the “ongoing internal investigation” excuse is habitually abused. In this case, based on the facts known, it took 35 days for a “national computer security consultant” to determine the source and extent of the breach. In other words, it took experts 35 days to conclude that if a certain port on a server was exposed, then access to a certain non-encrypted database was possible. I asked our network guys about this, and they said it should take about 30 minutes to determine what was exposed if a port was left open.

After confirmation of the possibility that the sensitive documents could have been accessed, it took another 41 days to make a public announcement.

Okay, so maybe law enforcement delayed the notification. Certainly possible. These comments are not meant to be an indictment of UWM specifically, but of the new approach to data breach notification that is occurring more often than not.

In cases where notification is grossly delayed, it is more often that company executives and their counsel decide that if the breach were announced, and it were later determined that the potentially accessed documents were never actually accessed, then the “bad press” would be worse than delaying notification for 77 days.  Stated another way, they don't want to unnecessarily worry potentially affected persons.

Again, we do not know all the facts. In all likelihood the sensitive documents were not accessed.  However, more and more we all are seeing HUGE delays in notifying those affected. If I received a breach notification 77 days after discovery I would be mad as hell. That is 77 days when identity theft could have occurred and I was not being vigilant because I was unaware of a breach. This is the exploding Pinto approach to data breaches.

Health Data for 1.7 Million NYC Hospital Patients, Staff and Others At Risk

On February 10, 2011, the New York City public hospital system filed a lawsuit against its records management contractor over allegations that the contractor permitted the theft of unencrypted data tapes storing health information and other personal data on some 1.7 million patients and staff. The New York City hospital system disclosed the breach, which occurred on December 23, 2010, for the first time in a February 11, 2011, statement. The complaint alleges that six data tapes, storing HIPAA protected information and other personal data for approximately 1.7 million patients at three facilities, as well as for employees, vendors, contractors and other service providers, were stolen from a van left unlocked in Manhattan by the hospital system's records management contractor. In a statement, the hospital system said that, while the stolen tapes have not been found, no fraud has been reported and the tapes are protected by a proprietary system that makes the data difficult to access.

California's Simitian Moves to Bolster Data Breach Notices

California State Senator Joe Simitian (D-Palo Alto), who authored the state's existing data breach law in 2002, has introduced Senate Bill 24 to strengthen the content of notices provided to individuals when their personal information has been hacked, stolen or lost. If passed, Senate Bill 24 would offer individuals better protection against identity theft by standardizing the content of data breach notifications, including (i) a general description of the incident, (ii) the type of information breached, (iii) the date and time of the breach and (iv) the toll-free telephone numbers of the major credit reporting agencies for security breach notices in California. Senate Bill 24 would also require public agencies, businesses and others to send a copy of the breach notification to the California Attorney General if more than 500 Californians are affected by a single breach. Former Governor Arnold Schwarzenegger vetoed similar legislation introduced by Senator Simitian.

Gawker Media Hack Highlights Our Terrible Password Practices

The recent hacking of Gawker Media’s servers and subsequent release of nearly one and one-half million user names, email addresses and passwords has put a new spotlight on two particular brands of web users: The One Password User and The Terrible Password User.

In case you lost the news of the Gawker hack between the news of Wikileaks, and the related “takedowns” of several popular web sites, it is understandable. It has been an incredible couple of weeks on the hacking/denial-of-service front.

If you did miss the news, and you are a registered user of the web sites Gawker, Gizmodo, Lifehacker, Deadspin, Jezebel, Kotaku, Jalopnik or io9, then you had better listen up. Hackers were able to steal a reported 1.25 million accounts, including half a million email addresses and 185,000 decrypted passwords. In other words, it is a big deal. Want to see if your email address is in the online database published by the hackers? Slate has you covered; click here.  Excellent resource.

Yes, we should call ourselves what we are. We are lazy. We refuse to remember multiple passwords for multiple web sites. We know there is a risk to engaging in this practice but do it anyway. We are idiots.

The hack is being reported as an example of users using terrible passwords. The most popular password (as reported by The Wall Street Journal here) of users was “123456” with “password” a distant second. Should we take away from this that at least most users have heard the warnings about using “password” as a password?

Another issue being discussed, but not on the same level as the terrible password issue, is the one-size-fits-all approach that users take with their password. Consider the scenario that you have a GMail account. More often than not, your user account on most web sites will be either the full GMail email address or the user name (the part before the @gmail.com). If you had a Gawker account, then there is a significant chance that your email address and password for Gawker is now published and available online to anyone able to use Google.

How hard do you think it will be for criminals to create a computer script that plugs your email address and password into major web sites to see if your account can be accessed? Wachovia account? Twitter account (this actually happened the other day)? eTrade brokerage account? Facebook account? You get the picture.

The final step here is what applies to your organization. What if within those email addresses from Gawker there is a user’s work email address? (There is. LOTS of them.) And what if the password used to register the Gawker account is the same as the password for the corporate user account? Are we that far removed from a criminal seeing a corporate domain in that Gawker database and giving the foregoing scenario a shot? What, your organization requires that users change passwords every 90 days? Well, you have nothing to worry about…as long as the Gawker account was not created in the last 90 days. Or the user did not recycle a prior password that happened to be the one in use when the Gawker account was created.

Maybe it is time to re-emphasize to your employees that they are not to use their corporate passwords anywhere else. As a Human Resources matter, you may also want to prohibit employees from using their work email address on personal web sites (this is excellent advice for many reasons, but not often followed by employees even when in place). Finally, you may also want to consider a Gawker-specific announcement about (1) the same email address used at multiple web sites, (2) sophisticated password usage and (3) changing their corporate password if it was used at any other web site.

Emerging Employee/Employer Tensions in the Facebook Era

With the ever-growing popularity of social networking sites, and with so many employees exercising poor judgment online, it's easy to understand why employers are concerned about the messages and images that their employees are disseminating on these websites.

For employers, the costs are real: Poor choices by their employees can bring with it not only bad publicity but the loss of confidential information and the risk that the employer and employee will be sued by a third party for a wide range of legal claims, including defamation, invasion of privacy, negligence, discrimination, false light publicity, public disclosure of private facts, infliction of emotional distress and violations of state and federal data breach laws.

Employees seem to comprehend the potential effect of their online rants. According to the 2009 Deloitte Ethics and Workplace Survey, 74 percent of employees believe it is easy to damage a company’s reputation on social media sites. Yet many conduct themselves as if they have a right to do so. Fifty-three percent of the employees surveyed believe that an employee’s social networking page is not their employer’s business, and nearly one third said they never consider what their boss would think before posting material online.

Social media content is also becoming a new source of evidence in employment cases. Employers view such material as a unique way to identify false statements employees make in these cases.  Employees, however, often view their employer’s interest in such content as an invasion of their privacy.

These divergent viewpoints are creating new tensions in the workplace and new issues for the courts to address.  I have written an article in the New Jersey Law Journal this week discussing these issues and trends.   To view the article, click this link.


Tony Soprano Goes Into the Business of Stealing Personal Information

Organized crime has long been known to trade in stolen, personally identifiable information. The recent 2010 Verizon Data Breach Investigations Report (PDF link) reports that organized criminals were responsible for 85% of all data breaches caused by external agents. As a whole, data breaches caused by external agents comprise 70% of all data breaches, and 98% of all records compromised. Statistics, analysis and recommendations pepper the 66-page report.

The Verizon Report also noted that 98% of all breaches came from servers, 85% of attacks were considered highly difficult, 61% of data breaches were actually discovered by third parties, 86% of parties with compromised systems had evidence in their log files that a breach had occurred, 96% of breaches were avoidable through simple or intermediate steps of fixes, and 79% of parties with compromised systems that were subject to PCI-DSS had not achieved compliance.


Latest TJX Breach Lesson: Crime Does Not Pay

A co-conspirator in the TJX breach, Humza Zaman, saw the next 46 months of his life laid out before him in Boston yesterday, as he was sentenced in federal court for his role in the TJX breach. He was also fined $75,000.  He will also have three years of supervised release and must disclose his conviction to future employers, but he will not be prevented from using computers.

Zaman’s role appears to have been limited to money laundering activity while he was employed by Barclays Bank. Zaman, apparently feeling he was only doing favors for Albert Gonzalez (by all accounts, the mastermind behind the data theft), would meet and mule large amounts of cash that he received from “an unknown man of apparent Eastern European descent.”

The writer of the “sniffer” computer program that was used in the data theft, Stephen Watt, was sentenced last December to two years in prison.

Lex Luthor Albert Gonzalez is awaiting sentencing and faces a minimum sentence of 17 years in prison.

Wired has a much more thorough reporting of the prosecution side of the TJX breach, which is worth a read by not only business folks, but people that may get drawn into similar schemes.

Updated: Special thanks to the German Privacy Foundation for noting that I had punishments for Mr. Zaman and Mr. Watt flipped in certain portions of the original posting.  It is nice to have such friendly and professional communications from our friends in Germany.

Aetna Wins Dismissal on "Increased Risk of Identity Theft" Damages Sought for Class Action

Judge Legrome D. Davis of the United States District Court for the Eastern District of Pennsylvania issued an amended order on March 9th (amended from March 8th) dismissing a recent case seeking speculative damages arising from a data breach of Aetna’s job application web site. A copy of the opinion can be viewed here.

In Allison v. Aetna (09-2560), the plaintiffs sought, among other relief, damages for identity theft that might occur in the future. Mr. Allison’s identity had not been stolen at the time the complaint was filed (and presumably has not been since then).

The facts are set forth in more detail in the attached opinion, but essentially hackers gained access to some 450,000 (!!!) job applicants’ personal information contained in Aetna’s job application web site database. Also taken were the social security numbers of employees of Aetna (reports say 65,000 employees were affected). The applicants then received emails, purporting to be from Aetna, requesting additional personal information from the applicant. It is unclear what additional information was actually sent by applicants, but it is a pretty safe assumption that at least some of the applicants were tricked into supplying the information.

Judge Davis walks through a detailed analysis of “increased risk of harm” claims, and concludes that there is no legally cognizable injury based on such claims. A detailed analysis of recent decisions related to “increased risk of harm” claims arising in connection with data breaches is included in the opinion.

There was no proof that Mr. Allison’s personal information was ever accessed and the only information known for certain to be stolen was email addresses. Mr. Allison never received the phishing email, and an implication arises that no other information was taken if the phishers were asking for the same information. (I think the opposite inference is possible, that only those applicants for which more detailed information was not taken were "phished.") Judge Davis notes that “[a]t best, Plaintiff has alleged a mere possibility of an increased risk of identity theft, which is insufficient for purposes of standing, and he certainly has not asserted a credible threat of identity theft.”

This decision joins a growing line of cases where plaintiffs are not being allowed to collect damages where there has been no actual proof of harm.

HSBC Reports Information of 24,000 Account Holders Stolen

The AP is reporting that customers who held Swiss bank accounts with HSBC between late 2006 and early 2007 had their account information stolen by a former IT employee of an HSBC subsidiary. CBS News, also publishing an AP report, is stating that the number is 15,000 customers, although the 24,000 number appears to come from a later publication. Customers affected are worldwide in scope.

If you were one of the affected customers, you apparently are already aware of the data breach because HSBC says that it contacted you. Stated another way, HSBC contacted you to tell you that your (presumably) secret Swiss bank account is not so much of a secret anymore.

The accounts have been closed, and there does not appear to be any real risk that the information will be used to access account holders’ accounts. That may sound reassuring to the customer being contacted. That is, unless the customer asks a few more questions.

“Well, where is my information,” you may have asked if you were one of the customers contacted. You probably had spent years funneling this money into your secret, non-taxed, Swiss bank account.  You will not be happy if some criminal takes your illegally shielded money.

This is where the story takes an interesting turn. Apparently, the IT employee was not content to let the information sit in a drawer, and the data was "turned over" to the French government. What could possibly come from that, right?

We have read reports that the German government may be buying information on Swiss account holders. Now we can add the French government to that list. France released the names of 3,000 Swiss account holders in 2009. The AP story cites the same IT employee as one of the sources of the information on those 3,000 account holders.

Apparently the stolen data was returned by the French government to the Swiss government, and eventually made its way back to HSBC. Thank goodness.  But wait, France still has copies of the information.  Not to worry, the information will not be used "inappropriately" by the French government. It does, however, remain to be seen whether an appropriate use would be the prosecution of tax evaders.

It also is not immediately apparent what sanctions HSBC may face as a result of the breach, which triggers very strict European privacy laws.

Data Breaches Worse Than Thought

There is a very interesting article posted at Nextgov.com regarding major data breaches and thefts.  The article can be found here.

The author, quoting James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, makes the point that the list of breaches would be much larger if smaller breaches were reported.

So how many breaches go unreported?  Well, nobody knows for sure but the number would almost certainly be staggering.  With new federal requirements poised to go into effect, we may start to have a better idea of just how many breaches occur.  At the very least, we may have a way to track those breaches that are actually reported.

Stolen Personal Data Continues to be Lucrative

Symantec Corp. has released its Internet Security Threat Report Volume XIV, and the news is excellent for thieves of personal information.  Symantec reports that the income received by sellers of stolen personal information continues to be high. 

Credit card information continues to reign supreme, generating from $0.06 to $30.00 per record, while access to email accounts, access to proxies and shell scripts saw the biggest rises from 2007 to 2008.

A recent article by the Associated Press focuses on economic factors related to the trading of stolen personal information.  Citing reasons ranging from the bottoming out of prices, to sellers of stolen information not wanting to undercut each other, to the difficulty in getting PIN codes and security codes, to renewed efforts to scam information because of a failing economy, the article explains why prices are holding steady even though thefts are increasing.

However, the most interesting statistic may relate to so-called phishing scams.  A study from Gartner estimated that more than 5 million persons in the United States were the victim of a phishing scam between September 2007 and September 2008, representing a forty percent (40%) increase over the prior twelve months.

Reports also indicate that the trading in financial information has become so lucrative, and apparently relatively easy, that “gangs” of hackers and traders have become more common and visible. 

What this means is that one or both of these two things are happening: (1) those persons that set up phishing scams are getting even better at tricking unsuspecting people into providing their personal information, and (2) Internet users are not being nearly vigilant enough when it comes to “clicking” on emails and providing personal information online.

The issues for businesses are dramatic:

- Are employees falling for phishing scams on work computers, possibly allowing the installation of malicious software?

- Are your customers being duped into thinking that your business is communicating with them (which begs the question of whether you have educated your customers about the information you collect through email links)?

- Are you accepting payments that do not conform to the PCI Standards and/or do not request enough information to ensure that your payees are who they say they are?

Mark McCreary is a partner in Fox Rothschild's Corporate Department, specializing in privacy and Internet law. If you have questions regarding this post, or any other privacy matter, you may contact Mark at (215) 299-2010 or mmccreary@foxrothschild.com.

Welcome to the Privacy Compliance and Data Security Blog

We are pleased to announce and launch Fox Rothschild’s Privacy Compliance and Data Security Blog. With a new President, a new national mission throughout government to secure and protect personal information and prevent cyber threats, as well as quickly evolving privacy requirements here and abroad, there could not be a better time to think about data privacy.

We decided to create this blog so that our clients and friends would have timely access to current, pending and anticipated requirements on such issues as privacy compliance, data security and breach notification. Although we do not expect every topic on our blog to be important to you, we hope to provide our readers with information regarding a wide array of issues and developments that are relevant in today’s world.  While you may be reading our blog because you want to ensure that your business complies with applicable laws, privacy laws and practices affect all of our daily lives on business, personal and professional levels. Whether you find your business responding to a data breach, or you are concerned about more closed-circuit cameras in public places and less personal restraint on online social networks, our blog may be helpful to you.

We encourage active discussion and an exchange of ideas on our blog. We hope that your visit to our blog stimulates new ideas and initiatives.  Whether you decide to share your ideas with us, or simply review our posts, we appreciate your participation. Please sign up for either our RSS feed or email alerts.

Mark McCreary
215.299.2010
mmccreary@foxrothschild.com

Amy C. Purcell
215.299.2798
apurcell@foxrothschild.com

Scott L. Vernick
215.299.2860
svernick@foxrothschild.com