Posted on May 19, 2010 by Mark McCreary

FTC Concerned About Retention of Scans on Copy Machines

Everyday we all read about the latest threat to our privacy.  Facebook tricks you into sharing your private, life details and Facebook staff is fed up.  The computer in your car can be hacked to disable your brakes.  Google collected wi-fi hotspot data for some (alleged) nefarious purpose.

It is not often that we come across something that just does not seem possible.  Yesterday was one of those days, when the FTC announced that it is working with copy machine manufacturers to either end or severely restrict the existing practice of storing digital images captured on photocopiers.  The FTC's response (PDF link) was in reaction to a letter (PDF link) from Representative Ed Markey (D-MA) after seeing a CBS report last month on the issue.

Photocopies made on modern photocopies are stored on an internal hard drive in the copy machine.  CBS' report last month that "[n]early every digital copier built since 2002 contains a hard drive - like the one on your personal computer - storing an image of every document copied, scanned, or emailed by the machine."  In other words, everything you have photocopies is stored on a hard drive hidden deep inside the photocopier.

WHAT!?!  Why?  Who thought this was a good idea?  And all, or almost all, copier manufacturers put this function in their copiers?  When did I photocopy those "youthful" pictures from college for my buddy's bachelor party?  We received new photocopiers last year, so that copier is gone (thank goodness).  But wait, where is it?  Read on to see some of the nightmare scenarios this raises.

The used photocopier in the CBS story was from the Buffalo, New York Police Sex Crimes Division.  Putting aside that a page was still on the glass of the scanner bought from a used wholesaler, there were also tens of thousands of images detailing confidential police reports, victim statements and investigations.  All of these images were pulled from the hard drive using forensic software available on the Internet.  You have to read this article to believe it.

But what about your business?  You probably don't own your photocopiers, and instead opt to lease or finance copiers that you turn back over after a set number of years.  Do you photocopy medical information, social security numbers or banking/tax information of your employees?  What about your clients?  If you are in the medical field, clearly a problem.  What about CPAs?  Insurance companies?  Almost any business is affected.

If they do not already, I bet litigators reading about this are going to start adding photocopier hard drives to their Requests for Production of Documents.  Talk about smoking guns!

Used copiers go somewhere, and they are generally cheap.  A thief that trades in personal information would certainly be interested in looking into purchasing used copy machines on the chance (likelihood) that personal information is in there (kind of a game of Identity Theft Bingo). 

It is easy to have an alarmist reaction to this news.  Depending on your field, you may want to consider some of the software solutions for this problem (CBS cites Digital Copier Security as a solution vendor).  But everyone is affected, so you are not alone.  Ultimately, your response depends on how much your organization takes the protection of your clients' and employees' confidential information.
Tags: , , , , , ,
  • Print
  • Comments
  • Trackbacks
  • Share Link
Posted on February 23, 2010 by Mark McCreary

Privacy Invasion: Personal Images Posted Online Stolen for Identity Theft

http://dataprivacy.foxrothschild.comCBS 3 in Philadelphia reported last night about local resident Al Butler, whose identity was stolen for use on international dating sites. As reported, criminals would create an account on international dating sites, post images of Mr. Butler taken from social media sites frequented by Mr. Butler, and pass themselves off as Mr. Butler. The “scam” would come when Fake Al Butler would ask for money from women he met on the dating site.

The CBS 3 report, originally airing in glorious HD and all of its facial pore, thinning hair glory, can be viewed here. As yours truly advised the CBS viewers, stealing online photos for the purpose of passing oneself off as that person while committing a crime is the cyberworld version of a classic scam.

What did not make the three minute segment is the realities of situations similar to those described in the report: what are you gonna do about it? Probably not much, which is why we all need to think about what photographs get posted.

We all see everyday friends and family posting personal photographs on Facebook, Flickr, Twitter and similar social media sites. We read reports about how some of these services have tracking features to tell the world where you have been and where you are going. To a lot of people, sharing like this is fun.

What is often forgotten is where this type of sharing can lead. The obvious is that it is probably not a great idea to tell the world where you go and presently are. The foregoing sentence makes no sense to a lot of people, especially younger folks. But even those people that know bad things can come from location awareness are not aware how much information they actually do share.

What I think is often overlooked is geotagging. Geotagging is basically data embedded in your photograph that includes where the picture was taken. Many new cameras have this, as well as many smartphones (such as the iPhone). The location information of that photograph of you taken in a living room can be compared with the location information of that photograph of you taken in a backyard, which can then be compared with the location information of that photograph of you taken in a driveway. That geographical information matches, I may know where you live.

What about several photographs overtime that show you at the same location? I could probably figure out where that is and approximately what days and times you are there from the geotagging information. Those couple of photos of you in an office environment? Maybe I know where you live.

The point is to think about where and with whom we share photographs. Maybe it is enough that we share them only with our friends. Then again, those people can copy and forward those photographs to other friends, post them on their personal web site and otherwise put them places that you did not intend them to appear.
Tags: , , , ,
  • Print
  • Comments
  • Trackbacks
  • Share Link
Posted on August 18, 2009 by Mark McCreary

Identity Theft Regulations in Massachusetts May Get Small Business Friendly

The Office of Consumer Affairs and Business Regulations (OCABR) proposed revisions to the Massachusetts’ identity theft regulations, which would take effect on March 1, 2010.

The proposed regulations can be found here (PDF).  A comparison, or redline, of the proposed regulations to the current regulations can be found here (.DOC).  Finally, a set of frequently asked questions (FAQs) regarding the proposed regulations was prepared by the OCABR and can be found here (PDF), and they are certainly worth a read.

Citing a desire to undertake data security as “a risk-based approach that is especially important to small businesses that may not handle a lot of personal information about customers,” the OCABR emphasized that a business should assess the size and nature of the business, the kinds of records maintained and the risk of the business as an identity theft target when deciding its policies and procedures to handle personal information.

Borrowing from the FAQs above, the OCABR cites four major changes under the proposed regulations:

• As noted above, a risk-based approach to information security is adopted (consistent with other state and federal law). This approach is friendlier to small businesses and does not place the same burdens on travel agencies (collecting little personal information) that may be placed on wealth managers (collecting significant amounts of personal information).
• Many provisions that are currently required under a written information security program have been removed (and would be for guidance purposes moving forward).
• The encryption requirement under the current regulation has been tailored to be technology neutral and technical feasibility has been applied to all computer security requirements. Businesses must still use available, reasonable means if they are available.
• Fourth, the third party vendor requirements have been changed to be consistent with federal law.

One aspect that has NOT been proposed to be changed, and the one aspect of Massachusetts’ cutting-edge privacy regulations, and that (in my experience) most often catches business off guard, is that all means of storage of personal information must be encrypted. This includes hard drives, thumb drives, backup tapes and any other method of electronic storage. Although this encryption requirement is almost certainly the direction most states are headed, this requirement is almost unknown outside of the “privacy community.” As with most laws, ignorance of the requirement is not a defense.

Although the future for the proposed regulations is by no means decided, it is likely that some (if not all) of the proposed changes will see the light of day. We will know more after the public hearings on the revised regulations that are scheduled to occur on September 22, 2009.

Tags: , , , , , , ,
  • Print
  • Comments
  • Trackbacks
  • Share Link
Posted on June 19, 2009 by Amy C. Purcell

Eleventh Circuit Court of Appeals Rejects Veterans' Claims For Damages

On June 17, 2009, the Eleventh Circuit Court of Appeals affirmed the decision of the United States District Court for the District of Alabama and held that veterans were not entitled to damages as a result of data security breach.

In February 2007, the Department of Veterans Affairs announced that a computer hard drive, which contained the unencrypted names, social security numbers, birth dates and healthcare files for more than 198,000 living veterans, was missing. Veterans instituted a lawsuit against the VA and claimed that the "stress caused by their fear of identity theft" and "from their loss of trust in the VA" aggravated certain of their medical conditions. The district court granted the VA's motion for summary judgment and dismissed the veterans' claims. The Eleventh Circuit upheld the district court's decision and stated that the veterans were not entitled to monetary damages because they failed to prove "actual damages" or "pecuniary losses". The Eleventh Circuit did, however, remand the case to the district court to order the VA to take certain steps to avoid similar incidents in the future.

Tags: , , , , , , ,
  • Print
  • Comments
  • Trackbacks
  • Share Link
Posted on May 1, 2009 by Mark McCreary

Red Flags Rules Further Delayed, Now Go Into Effect August 1, 2009

UPDATE: Whether it is because of the economy, or a fear that the Red Flags Rules affects far more retailers than may be understood, the FTC has granted a further delay of enforcement of the Red Flags Rules until August 1, 2009.  Additionally, the FTC will issue a template for lower risk covered entities.  The most recent update can be read here.

This time, nobody can accuse the Federal Trade Commission (“FTC”) and other agencies of implementing new requirements that sneak up on us. These particular regulations (the “Red Flags Rules”), which require that financial institutions and creditors develop and implement written identity theft prevention programs, were issued by the FTC, the federal bank regulatory agencies and the National Credit Union Administration ("NCUA"), as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003 go into effect on August 1, 2009. Originally, the Red Flag Rules would have taken effect on November 1, 2008, which was then extended to May 1, 2009.

The Red Flags Rules require that a program be put in place by financial institutions and creditors that provides for the identification, detection, and response to patterns, practices, or specific activities – known as “red flags.” The purpose of the Red Flags Rules is to help avoid identity theft.

 

 

These "red flags" may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers.

As explained by the FTC:
The Red Flags Rules apply to “financial institutions” and “creditors” with “covered accounts.”

Under the Rules, a financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer. Most of these institutions are regulated by the Federal bank regulatory agencies and the NCUA. Financial institutions under the FTC’s jurisdiction include state-chartered credit unions and certain other entities that hold consumer transaction accounts.

A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.

A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors. Most creditors, except for those regulated by the Federal bank regulatory agencies and the NCUA, come under the jurisdiction of the FTC.

A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft – for example, small business or sole proprietorship accounts.


A supplement to the Guidelines identifies 26 possible red flags. These red flags are not a checklist, but rather, are examples that financial institutions and creditors may want to use as a starting point. They fall into five categories:

• alerts, notifications, or warnings from a consumer reporting agency;
• suspicious documents;
• suspicious personally identifying information, such as a suspicious address;
• unusual use of – or suspicious activity relating to – a covered account; and
• notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.

A full list of the 26 possible red flags is set forth below.

It is important that your business, if affected, conforms with the Red Flags Rules.

Mark McCreary is a partner in Fox Rothschild's Corporate Department, specializing in privacy and Internet law. If you have questions regarding this post, or any other privacy matter, you may contact Mark at (215) 299-2010 or mmccreary@foxrothschild.com.

Alerts, Notifications or Warnings from a Consumer Reporting Agency

1. A fraud or active duty alert is included with a consumer report.
2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
3. A consumer reporting agency provides a notice of address discrepancy, as defined in § 334.82(b) of this part.
4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:

a. A recent and significant increase in the volume of inquiries;
b. An unusual number of recently established credit relationships;
c. A material change in the use of credit, especially with respect to recently established credit relationships; or
d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Suspicious Documents
5. Documents provided for identification appear to have been altered or forged.
6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.
9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

Suspicious Personal Identifying Information
10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:

a. The address does not match any address in the consumer report; or
b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File.

11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:

a. The address on an application is the same as the address provided on a fraudulent application; or
b. The phone number on an application is the same as the number provided on a fraudulent application.

13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:

a. The address on an application is fictitious, a mail drop, or prison; or
b. The phone number is invalid, or is associated with a pager or answering service.

14. The SSN provided is the same as that submitted by other persons opening an account or other customers.
15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers.
16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
17. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.
18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

Unusual Use of, or Suspicious Activity Related to, the Covered Account
19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for new, additional, or replacement cards or a cell phone, or for the addition of authorized users on the account.
20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud patterns. For example:

a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or
b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.

21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example

a. Nonpayment when there is no history of late or missed payments;
b. A material increase in the use of available credit;
c. A material change in purchasing or spending patterns;
d. A material change in electronic fund transfer patterns in connection with a deposit account; or
e. A material change in telephone call patterns in connection with a cellular phone account.

22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account.
24. The financial institution or creditor is notified that the customer is not receiving paper account statements.
25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer’s covered account.

Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection with Covered Accounts Held by the Financial Institution or Creditor
26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
Tags: , , , , , ,
  • Print
  • Comments
  • Trackbacks
  • Share Link