California Legislature Advances Groundbreaking Privacy "Right to Know Act"

In what amounts to a potential, unprecedented victory for consumers’ right to know how their personal information is used by businesses, California's "Right to Know Act of 2013" (AB 1291) made further headway by being re-read and amended a second time on Monday, April 1st.  As reported by Ars Technica, the Right to Know Act, which was introduced by California Assembly Member Bonnie Lowenthal, was the result of significant lobbying by the Electronic Frontier Foundation and the American Civil Liberties Union of Northern California.

The current summary of the bill states:

(1) Existing law requires a business to ensure the privacy of a customer’s personal information, as defined, contained in records by destroying, or arranging for the destruction of, the records, as specified. Any customer injured by a business’ violation of these provisions is entitled to recover damages, obtain injunctive relief, or seek other remedies.

This bill would create the Right to Know Act of 2013, would repeal and reorganize certain provisions of existing law, and would provide legislative findings in support thereof.

(2) Existing law also requires a business that collects customer information for marketing purposes and that discloses a customer’s personal information to a 3rd party for direct marketing purposes, to provide the customer with whom it had a business relationship, as defined, within 30 days after the customer’s request, as specified, in writing or by e-mail, the names and addresses of the recipients of that information and specified details regarding the information disclosed, except as specified. Existing law requires a business subject to these provisions to provide an address, electronic address, or toll-free telephone or facsimile number that a customer may use to deliver requests for copies of his or her personal information.

This bill would instead require any business that retains a customer’s personal information, as defined, or discloses that information to a 3rd party, to provide at no charge, within 30 days of the customer’s specified request, a copy of that information to the customer as well as the names and contact information for all 3rd parties with which the business has shared the information during the previous 12 months, regardless of any business relationship with the customer. This bill would require that a business subject to these provisions choose one of several specified options to provide the customer with a designated address for use in making a request for copies of information under these provisions.

(3) Existing law also requires a business that is required to comply with these provisions to provide information to customers regarding its privacy policy and to provide a designated means of preventing disclosure of personal information.

This bill would require a business that is required to comply with these provisions to provide specified notice to the customer of its privacy policies.

(4) Existing law provides that a customer who sustains injury as a result of a violation of these provisions is entitled to specified remedies, including civil penalties.

This bill would also provide that a violation of these provisions is deemed to constitute an injury to the customer for purposes of seeking remedies available under law.

In other words, the Act also provides consumers with a private right of action against businesses that do not comply with the Act.

The EFF appears to be quite pleased with the bill, as noted in its press release on April 2nd. The EFF noted that the point of the law is to allow consumers to better understand the vast economy that is data sharing: "This law is about transparency and access, not new restrictions on data sharing. The proposed law wouldn't limit or restrict sales of data, and it wouldn't provide additional security measures for how data is stored or new requirements for anonymization. While those are all important issues to consider, the law is actually far more basic. It helps consumers, regulators, policymakers, and the world at large shine a light onto the largely hidden, highly lucrative world of the personal data economy."

It will be interesting to see (1) if the Act continues toward enactment, (2) how companies outside of California, but with information regarding California residents, implement the law, and (3) if this very European-style law catches on in other states.  


FTC "History Sniffing" Settlement Meaningless or the Start of Something Bigger

The Federal Trade Commission announced yesterday a settlement with Epic Marketplace, an online advertising network, which prohibits Epic from further collection of data obtained by "browser sniffing" the surfing history of Internet users and requires Epic to destroy all previously collected data.

According to the FTC complaint, Epic was collecting information from millions of individuals by “browser sniffing,” which is a practice that allowed Epic to determine whether the user had previously visited more than 54,000 websites, including websites relating to fertility issues, impotence, menopause, incontinence, disability insurance, credit repair, debt relief, and personal bankruptcy. Once Epic had this information, it would then send targeted advertisements to the user.

Many users have no idea that this technology even exists, and the FTC’s main gripe appears to be that the user did not have knowledge this was occurring on sites outside of Epic's advertising network. Epic’s privacy policy promised that Epic would collect information about users only for use in Epic’s 45,000 website network. Apparently, the FTC was not concerned with the practice itself; its concern was centered on Epic collecting information from users about visits to websites not in Epic’s website network.

"Consumers searching the Internet shouldn't have to worry about whether someone is going to go sniffing through the sensitive, personal details of their browsing history without their knowledge," FTC Chairman Jon Leibowitz said in a statement. "This type of unscrupulous behavior undermines consumers' confidence, and we won't tolerate it."

Stated another way, the FTC is saying that Epic could collect information about whether consumers visited sites in its advertising network having to do with fertility issues, impotence, menopause, incontinence, disability insurance, credit repair, debt relief, and personal bankruptcy, and then use that information to serve that consumer advertisements. The problem was that Epic went beyond its own advertising network. That makes sense.  A company breaching the representations in its own privacy policy is low hanging fruit.

What the FTC is NOT saying is that consumers would never know what Epic’s privacy policy says, so how could they consent to this collection and use of their information? Online advertisers are in this wonderful position where the consumer never really “gets” to them; the consumer only sees the advertisements that are served.

So is the takeaway that any company besides Epic can use “browser sniffing” as long as its use is disclosed in its privacy policy (which consumers would not even know existed) and followed by that company? The FTC is certainly not taking a contrary position.

The FTC press release follows:

For Release: 12/05/2012

FTC Settlement Puts an End to "History Sniffing" by Online Advertising Network Charged With Deceptively Gathering Data on Consumers

Network Tracked Interest in Sensitive Medical and Financial Issues, Agency Says

An online advertising company agreed to settle Federal Trade Commission charges that it used “history sniffing” to secretly and illegally gather data from millions of consumers about their interest in sensitive medical and financial issues ranging from fertility and incontinence to debt relief and personal bankruptcy.

The FTC settlement order bars the company, Epic Marketplace Inc., from continuing to use history sniffing technology, which allows online operators to “sniff” a browser to see what sites consumers have visited in the past. It also bars future misrepresentations by Epic and requires the company to destroy information that it gathered unlawfully.

“Consumers searching the Internet shouldn’t have to worry about whether someone is going to go sniffing through the sensitive, personal details of their browsing history without their knowledge,” said FTC Chairman Jon Leibowitz. “This type of unscrupulous behavior undermines consumers’ confidence, and we won’t tolerate it.”

Epic Marketplace is a large advertising network that has a presence on 45,000 websites. Consumers who visited any of the network’s sites received a cookie, which stored information about their online practices including sites they visited and the ads they viewed. The cookies allowed Epic to serve consumers ads targeted to their interests, a practice known as online behavioral advertising.

In its privacy policy, Epic claimed that it would collect information only about consumers’ visits to sites in its network. However, according to the FTC, Epic was employing history-sniffing technology that allowed it to collect data about sites outside its network that consumers had visited, including sites relating to personal health conditions and finances.

According to the FTC complaint, the history sniffing was deceptive and allowed Epic to determine whether a consumer had visited any of more than 54,000 domains, including pages relating to fertility issues, impotence, menopause, incontinence, disability insurance, credit repair, debt relief, and personal bankruptcy.

The FTC complaint alleges that depending on which domains a consumer had visited, Epic assigned the consumer an interest segment, including categories such as “Incontinence,” “Arthritis,” “Memory Improvement,” and “Pregnancy-Fertility Getting Pregnant.” Epic used these categories to send consumers targeted ads.

The consent order bars Epic Marketplace, Inc., and Epic Media Group, LLC from using history sniffing, and requires that they delete and destroy all data collected using it. It also bars misrepresentations about the extent to which they maintain the privacy or confidentiality of data from or about a particular consumer, computer or device, including misrepresenting how that data is collected, used, disclosed or shared. It bars misrepresentations about the extent to which software code on a webpage determines whether a user has previously visited a website.

The Commission vote to accept the consent agreement package containing the proposed consent order for public comment was 5-0. The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through January 7, 2013, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit written comments electronically or in paper form by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. The complaint is not a finding or ruling that the respondent has actually violated the law. A consent order is for settlement purposes only and does not constitute an admission by the respondent that the law has been violated. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $16,000.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC's online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s website provides free information on a variety of consumer topics. Like the FTC on Facebook, follow us on Twitter, and subscribe to press releases for the latest FTC news and resources.

MEDIA CONTACT:

Office of Public Affairs
202-326-2180

STAFF CONTACT:

Kate White
Bureau of Consumer Protection
202-326-2878

Hacking and Reading Someone's Online Email Just Got Easier in South Carolina

Earlier this week the South Carolina Supreme Court ruled that accessing another person’s online (personal) email is not a violation of the federal Stored Communications Act (the Act and the Wikipedia summary). This holding is in direct opposition to what the Ninth Circuit Court of Appeals held in 2004 in Theofel v. Farey-Jones.

At the outset you should keep in mind that this is a civil case, which differs from a criminal case. In this post we are looking at solely the Stored Communications Act (“SCA”), and a limited aspect thereof.

Facts of This Case

The facts of this case, Jennings v. Jennings (PDF link) are actually pretty surprising, considering the outcome. A wife suspected that her husband was carrying on an affair. The daughter-in-law, with more free time than common sense, could not resist inserting herself into the situation and accessed the husband’s Yahoo! account by guessing his secret questions. Soon thereafter emails between the husband and the girlfriend were found and became what divorce attorneys refer to as “leverage.”

The husband would have none of this, and brought several causes of action against the soon-to-be ex-wife, her attorney and his private investigator, including the SCA. The lower court dismissed all counts against the defendants, the appeals court overturned the lower court decision with respect to violations of the SCA, and the Supreme Court of South Carolina took up the appeal.

The court focused on the definition of “electronic storage” under the SCA:

(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and

(B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.

The justices advanced two theories in arriving at the same conclusion. On the one hand, some justices held that because the husband did not download any copies of the email (he read and left the “original” copy on Yahoo’s servers), the second component of the definition was not satisfied. They wanted to see two copies of the same email, and storing the email on the server was not the intended “backup” under the SCA.

The one other justice read an “or” between (A) and (B) of the definition, concluded that transmission of the email for viewing was not sufficient storage, and otherwise held that there was no backup of the email. These facts satisfied neither (A) nor (B).

Now I am Confused

This decision leaves an obvious split in the courts with respect to the SCA, which should be addressed by amending the legislation or by the United States Supreme Court. Ars Technica has an excellent article here discussing the case in more detail and offering more insight into how to correct this split. The article is a great read if this topic is of interest to you.

Unfortunately, there are no clear answers and accessing another person’s email remains a very, very dangerous activity.

How Relevant to You

Why does this matter for your business?

CEO:  We just let Johnson go, and I think he uploaded trade secrets to his personal email.

General Counsel: We need some reasonable basis to accuse Johnson of this.

CEO: I don’t know why I hired you.

(Calling the IT guy)

CEO: Bill, give me Johnson’s computer password.

Bill: It is iLovePonies44.

(CEO accesses the machine, finds that Johnson is still logged into Gmail, finds evidence that trade secrets were uploaded by Johnson to his personal email account. CEO calls the General Counsel.)

CEO: Ted, I caught Johnson red-handed. Johnson sent emails with our customer lists and contact information to his personal email account.

General Counsel: Unbelievable. How did you find out?

CEO: He left his Gmail open on his work computer.

General Counsel: I don’t think you can read his personal email. Let me check with outside counsel.

Outside Counsel: It is dangerous and may violate federal law.

CEO: You are both fired.

The South Carolina decision throws some doubt on the above conclusion, and on some level these hypothetical facts are not as nefarious as the facts in Jennings because there was no password guessing/hacking.

Before, if an employee had downloaded mail to a mail client resident on her computer (e.g., POP3 or IMAP), the issue was much clearer because the correspondence was deemed abandoned (it was not a complete green light, but things looked better for the non-account owner). Webmail, by definition, completely changes the above analysis (or so we thought). The information is stored on the mail provider’s servers, always accessible and never downloaded unless a mail client is used.


This decision should not be viewed as the only obstacle to accessing an employee’s personal email. Putting the ethical issues aside, there are many laws lurking for the unwary. The point really is that the SCA is a bit of a mess in this regard, and like many laws touching the online world is in need of some freshening up to deal with current technology.


Website Operators With U.K. Directed Websites or Web Pages Now Subject to "Cookie Law"

In its continuing efforts to give the State of California a run for its money when it comes to privacy rights, the United Kingdom’s “cookie law” is now in effect. Websites for European companies with European visitors, or non-European companies that are directed at European users, must now inform users of any tracking technology used on the website, and the purpose of the use of that tracking technology.

The Law

The new law is part of the European Union's "e-Privacy" Directive. Implementation of the e-Privacy Directive requires that each member state incorporate the e-Privacy Directive into its own law in 2011. The United Kingdom accomplished the foregoing by creating the amended Privacy and Electronic Communication Regulations (PECR) Act 2011, which became effective on May 26, 2011. The disclosure of the use of user tracking technology is only one element of PECR.

Types of Tracking Technology

The use of cookies on a website is only one practice covered by the cookie law. Advertising tracking and analytics, for example, are also covered practices.

Affected Businesses

If you have only a U.S.-based web site, with no web page directed explicitly at the United Kingdom, then the cookie law should not affect you. However, if you have a website or web page directed specifically to residents of the United Kingdom, you almost certainly are subject to the cookie law.

Opt-Out or Opt-In

Good question. Originally the cookie law was interpreted to mean that a user must explicitly opt-in to the tracking technology. However, just before the cookie law went into effect the Information Commissioner's Office (“ICO”), the United Kingdom’s data protection agency, updated its guidance to say that “implied consent” was acceptable, and that continued use of the subject website would meet the consent requirement.

Compliance Deadline

The cookie law is currently in effect, but it is no secret that many, many organizations are not currently in compliance. Those websites that are in compliance with the cookie law will present users with a dialogue similar to this:



Mobile Applications

Just to keep things interesting, the cookie law applies to mobile applications as well. Because mobile applications have just as many, if not more, opportunities for user tracking, and because that user tracking is not always obvious, it has already been made clear that the ICO will pay particular attention to mobile application compliance.

Penalties

The ICO has the authority to fine non-compliant organizations up to $780,000 (or 500,000 pounds) for not complying with the cookie law. Fortunately, the ICO is not going to be in a big rush to penalize non-compliant organizations and, instead, is focusing on educating companies regarding compliance requirements.

Data Breach Potentially Affects Up to 100,000 Students, 3,000 Employees

The San Francisco Chronicle reported yesterday that officials at the City College of San Francisco discovered a few days after Thanksgiving 2010 that certain computers of the college had been infested with active malware for more than a decade. Up to 100,000 students and 3,000 employees could be affected, and that number may rise based on further, ongoing investigation.

The problem was detected when the college's data security monitoring service discovered very high traffic and alerted the college. Initially thought to be limited to one computer lab (Cloud Hall at the Phelan Avenue campus), further investigation revealed that the problem was more widespread. The San Francisco Chronicle's article reported:

Each night at about 10 p.m., at least seven viruses begin trolling the college networks and transmitting data to sites in Russia, China and at least eight other countries, including Iran and the United States, Hotchkiss and his team discovered. Servers and desktops have been infected across the college district's administrative, instructional and wireless networks. It's likely that personal computers belonging to anyone who used a flash drive during the past decade to carry information home were also affected.

Investigation continues to determine which other computer networks at the college may have been infected, such as accounting, admissions and/or payroll systems.  Apparently, 17 different computer systems are presently being analyzed.  The college's server with medical information appears to be unaffected, although it is unclear whether any other system may also contain medical information (such as the admissions system).

The good news, besides that the college notified those potentially affected in what most would agree was a prompt timeframe, is that there are no known cases of identity theft originating from this extremely lengthy data breach.

2011 Data Breach Summary

Smart Money just ran a story about the top five data breaches of 2011.  While I do not necessarily agree that these are the top five (students, students, NYC hospital patients, not to mention the Stratfor breach), the takeaway is interesting: none of them have the same source for the breach:

1.  Epsilon.  What more needs to be said to keep contract attorneys up at night than "Epsilon"?  This data breach involved a third party losing data about its customers' customers.  Stated another way, the owner of the information did nothing wrong...other than hiring a contractor that mishandled information.  Does indemnification mean more to you now?  The takeaway from this breach: come clean, come clean, come clean.

2.  Sony.  Massive breach of the online gaming network.  Lots of data lost, lots of downtime for pasty, sun-averse gamers.  Hackers targeting the network to blame.  The takeaway from this breach: do not handle it the way Sony handled it.

3.  Tricare.  Science Applications International Corp. (SAIC) had data backup tapes stolen from a car.  SAIC is a defense contractor for the military.  Approximately 4.9 million veterans affected.  Thieves targeting lax physical security to blame.  The takeaway from this breach: don't leave the data tapes in the car (come on, people!).

4.  Sutter.  A simple stolen desktop computer containing information about possibly 3.3 million patients goes missing.  The takeaway from this breach: encrypt!  Chances are the thieves had zero intention of stealing the actual information, but you can be sure it was still a breach notification scenario.

5.  Texas Comptroller.  This is number three in my book.  Personal information of 3.5 million people left publicly available for over one year.  Information about persons required to hand over that information, not information voluntarily handed over.  Total disaster.  Anyone could have found this information, given its availability.  The takeaway from this breach: hire IT staff that is security conscious and, more importantly, give those people the budget to do their jobs.

BONUS: not a data breach, but a significant ruling this year.  Corporations have no right to privacy.  This Supreme Court ruling impacts corporate decisions on so many levels...or it should.

Happy New Year to our readers.

FTC Settles With Facebook, Agrees to Whopping 20-Year Consent Order

According to a press release issued yesterday, November 29, 2011, by the Federal Trade Commission, Facebook settled charges that Facebook “deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.”

The complaint (PDF link) lists a litany of bad practices by Facebook. One allegation that stands out, largely because of the media firestorm that it created at the time, was Facebook’s change in privacy settings to users’ accounts in December 2009. The foregoing settings change was, in the FTC’s opinion, particularly egregious because Facebook undertook the changes without any notice or consent from users.

Another allegation that stands out, again both because of the media firestorm and the falsehood, was Facebook’s assertion that information from deactivated user accounts would not be accessible.

And what grueling punishment must Facebook endure for its privacy-related bad acts? According to Jon Leibowitz, Chairman of the FTC, "Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users." Rough justice.

In all seriousness, there is some substance to the settlement. Facebook must not make any further deceptive privacy claims. Facebook must also get consumers' approval before it changes the way it shares their data. Finally, Facebook must obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.

Frankly, the foregoing requirements on Facebook are all steps that a company like Facebook, if not substantially all companies handling consumer personal information, should be undertaking.

Specifically, under the proposed settlement, Facebook is:

  • barred from making misrepresentations about the privacy or security of consumers' personal information;
  • required to obtain consumers' affirmative express consent before enacting changes that override their privacy preferences;
  • required to prevent anyone from accessing a user's material more than 30 days after the user has deleted his or her account;
  • required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers' information; and
  • required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers' information is protected.

The proposed order also contains standard record-keeping provisions to allow the FTC to monitor compliance with its order.

The proposed settlement is not yet final. The proposed settlement will be open to public comment for thirty days, ending on December 30, 2011. The terms of the proposed settlement will be published in the Federal Register shortly. After the close of the comment period, the FTC will decide whether to make the proposed consent order final.

Interested in submitting your comments to the FTC? According to the press release: Interested parties can submit comments online or in paper form by following the instructions in the "Invitation To Comment" part of the "Supplementary Information" section. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

Comparison of Major Carriers' Retention of Mobile Device Usage

The Computer Crime and Intellectual Property Section of the U.S. Department of Justice compiled a summary in August 2010 of the retention periods of major cellular service providers of data transmitted to and from users' mobile devices.  The report is here. (PDF link)  The American Civil Liberties Union (ACLU) obtained a copy of the foregoing report through a Freedom of Information Act (FOIA) request.  The contents of the report are interesting, to say the least.

[Image: Mobile Carriers Data Retention Summary]

As reported by Cory Doctorow on the terrific Boing Boing in this article, and by David Kravets of Wired.com in this article titled "Which Telecoms Store Your Data the Longest? Secret Memo Tells All," it is unclear which major cellular carrier treats our usage data with the most respect.  On the one hand, Verizon stores text message details (just the transmission receipt details, such as recipient and time) for only one year, compared to as long as 5-7 years for post-paid subscribers of AT&T.  On the other hand, AT&T, Sprint and T-Mobile store none of the contents of text messages, whereas Verizon stores that information for 3-5 days.  The IP session information may be the most interesting, because of the additional information that can be gleaned from the raw data, the question of why it is stored (billing disputes?) and the disparity in length of storage.  One of the excellent infographics posted on Wired's web site is posted here, but the full Wired article is a must read.

Besides this information being eye opening on a personal level, it can be crucial evidence in the case of a corporate data breach.  While we all hope that law enforcement will use all tools available to it when investigating a corporate crime, knowing the tight time constraints under which businesses investigating a potential crime must operate is crucial.  To be clear, I am referring to use of these tools as an option for ethical investigations into criminal activity through law enforcement.  These are not tools to assist a company in sacking an employee that is surfing the web on her mobile phone while on the clock.  In any event, these time frames should be considered when investigating a suspected data breach.

If you are getting that "eye in the sky is watching me" feeling, I will be sure not to mention the warrantless GPS and triangulation tracking capabilities of the major mobile carriers available to law enforcement.

Source: BoingBoing.net; Wired.com

Purdue Notifies 7,000 Students of SSN Theft 16 Months After Discovering the Breach

Purdue University informed 7,093 former students on Monday that their Social Security numbers may have been stolen from servers at the University on April 5, 2010.  The notification comes 16 months after the discovery of the breach.

According to the (Indiana) Journal & Courier, the server contained 6.6 million nine-digit numbers in the accessed files.  After spending six months analyzing those numbers, Purdue determined that approximately 65,000 of those number combinations could be Social Security numbers.  An additional four months was spent reanalyzing the numbers and performing forensic analysis.  Based on those efforts, the University had matched 7,093 of those number combinations to Social Security numbers of former students. 

The breach was discovered only three days after it occurred, approximately April 8, 2010.  Fourteen months after discovery of the breach, Purdue notified the Office of the Indiana Attorney General.  Now, approximately two months later, the affected former students were notified.

Purdue did not offer any sort of credit monitoring and, instead, recommended to those affected to be vigilant and keep an eye on their credit activity.

The announcement by Purdue comes on the heels of an announcement by The University of Wisconsin-Milwaukee on August 10th that 75,000 of its students had been exposed to a hacking incident in May 2011, as reported earlier here.

While the delay of three months may have seemed excessive last week, at least UWM beat Purdue's delay by almost 14 months.


PSA: LinkedIn Assumes You "Opt-In" to Social Media Advertising

Boing Boing has an excellent how-to located here on how to opt out of being included in LinkedIn's social media advertising.  Briefly, LinkedIn assumes that you consent to LinkedIn's use of your image in the advertising of its sponsors' products.  If you recommend your CPA firm, and your CPA firm purchases advertising on LinkedIn, your photo may appear in that advertising.

This approach may be fine in certain cases. However, besides just the general creepiness of it, employers should be aware that it creates a potential association between your company (not just the individual) and that third party. I can imagine a scenario where a company is suing its former CPA firm and an advertisement appears with the Controller's image in a LinkedIn advertisement for the same CPA firm.

If your company's social media policy allows employees to participate in LinkedIn and other social media sites, consider whether the policy needs an update to require opting-out of this social media advertising.

HACKED: 75,000 Social Security Numbers at Risk at University of Wisconsin

The University of Wisconsin-Milwaukee (“UWM”) announced on Wednesday that a malware-infected university server was discovered on May 25th that allowed hackers, apparently seeking research data, to access several types of scanned documents. Included in the potentially accessed documents were student applications from past and present students, which applications contained Social Security numbers.

At this time, UWM has not been able to confirm that any of the documents were actually taken by the hackers. UWM reports that “[t]he university learned of the installation of malware on May 25, and immediately shut down the system and began to investigate. During the course of the investigation, on June 30, 2011, we discovered that the database containing social security numbers was included in the compromised system.”

UWM wants to assure students that although names and Social Security numbers were possibly taken, the potentially accessed documents did not contain any financial data or academic information such as student grades. At least students don’t have to worry about having embarrassing grades posted.

The announcement asks “[s]houldn’t the university be offering free credit monitoring?” After all, free credit monitoring is expected these days, although certainly not required. The response? “We have no evidence that anyone’s personal information was retrieved or that any information was misused. However, it is recommended that everyone should monitor their financial information by:

  • Reviewing bank and credit card statements regularly, and looking for unusual or suspicious activities.
  • Contacting appropriate financial institutions immediately upon noticing any irregularity in a credit report or account.
  • Request a free credit report and carefully inspect your own credit scores.

That is one approach, I suppose.  It is certainly different.

While the details of the investigation by this public institution remain under wraps, it does raise interesting questions. To be clear, there may be excellent bases for not making the disclosure earlier. However, we have seen more and more experts commenting on how huge delays in public announcements are justified. Sure, delays in notification can sometimes be justified where only an intrusion is known and it is unclear whether personal information is accessible through that intrusion.

We have come to the point where using the “ongoing internal investigation” excuse is habitually abused. In this case, based on facts known, it took 35 days for a “national computer security consultant” to determine the source and extent of the breach. In other words, it took experts 35 days to conclude that if a certain port on a server was exposed, then access to a certain, non-encrypted database was possible. I asked our network guys about this, and they said it should take about 30 minutes to determine what was exposed if a port was left open.

After confirmation of the possibility that the sensitive documents could have been accessed, it took another 41 days to make a public announcement.

Okay, so maybe law enforcement delayed the notification. Certainly possible. These comments are not meant to be an indictment of UWM specifically, but of the new approach to data breach notification that is occurring more often than not.

In cases where notification is grossly delayed, it is more often that company executives and their counsel decide that if the breach were announced, and it were later determined that access to the potentially accessed documents did not occur, then the “bad press” would be worse than delaying notification for 77 days.  Stated another way, they don't want to unnecessarily worry potentially affected persons.

Again, we do not know all the facts. In all likelihood the sensitive documents were not accessed.  However, more and more we all are seeing HUGE delays in notifying those affected. If I received a breach notification 77 days after discovery I would be mad as hell. That is 77 days when identity theft could have occurred and I was not being vigilant because I was unaware of a breach. This is the exploding Pinto approach to data breaches.

Citibank Data Breach: Even the Banks Can't Get It Right

The breaches about which we normally hear have to do with retailers and service providers.  Those businesses are the ones that do not appreciate the importance of protecting data, feel they could use the money necessary to create good security in better ways and are the easy targets for hackers.  Thankfully, what we generally do not hear about are data breaches at large financial institutions.  

Citigroup announced yesterday that its servers were hacked into in early May and the names, addresses, account numbers and other account information of 200,000 credit card customers were stolen.  Citigroup further reported that Social Security numbers, CVV security codes and dates of birth were NOT stolen.  This data breach affects approximately 1% of all of Citigroup's customers.

There is no information about how the hackers were able to access Citigroup's servers.  It is unclear whether information on this security breakdown will ever be released, but the occurrence is a stark contrast to the normal data loss involving systems that are not as well-protected as financial company systems.  Generally speaking, retailers are easy targets, financial institutions are not.

The current delay in notifying affected individuals may be the result of Citigroup's cooperation with law enforcement, considering that Citigroup is otherwise required to notify those affected individuals almost immediately.  Some are speculating that the delay may (finally) result in federal legislation detailing data breach response guidelines.  You know, because the massive prior data breaches were not enough to make federal legislation a priority.

In any event, if you are a Citigroup customer you should keep an eye out for an email notifying you of the breach.  That being said, it would not be surprising to see a phishing effort undertaken to have unsuspecting Citigroup customers that may or may not actually be affected by the breach click on links in email in order to steal usernames and passwords.  In other words, if you do receive a notice from Citigroup about the breach, make sure that the email really is from Citigroup by confirming the links take you to a genuine Citigroup web site or navigating to the Citigroup web site manually and looking for information on the data breach.

Sony Hit By Data Breach Affecting 77 Million Gamers

Sony announced yesterday that its PlayStation Network and Qriocity services were compromised by an "unauthorized" person.  What was the haul?  According to Sony, the "name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID" and the "profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers" of 77 million individuals.

That's right, 77 million people.  This is one of the largest Internet data losses in history.  We can assume that the data was not encrypted, otherwise we would hear little or nothing about the data loss (most states exempt encrypted data from disclosure requirements), or else Sony would be screaming "Don't fret too much, the data was encrypted and we did not lose the decryption key."  Sony is not making either claim at this time.

Well, data breaches happen, you may be thinking.  We have seen companies with best practices still suffer at the hands of hackers or rogue employees.  Sony is taking the most heat not from the data loss, but from the timing of the disclosure to those affected.  The disclosure of the data breach to customers directly was on April 26th.  The data breach apparently occurred between April 17 and April 19.  It has been reported that Sony discovered the breach on April 20th.  There was a gap of six days between discovery and disclosure.  Six days may be an eternity when you are a gamer and your network is down (there are likely millions of teenagers with fresh sunburns), but how long is six days in the data breach world?

Six days between discovery and disclosure may be acceptable, especially to the extent that Sony was working with law enforcement and was requested/told not to make a public announcement.  To clarify the preceding sentence, six days may not be too long when working with law enforcement as long as Sony was truly working with law enforcement and the delay had a genuine purpose.  However, Sony did not explain that law enforcement cooperation was the reason for the delay.  It is not likely that Sony ran afoul of any state statute timing requirements, which have quite a bit of leeway built in. 

If you or your children are on one of these services, you need to pay particular attention to this story as it develops.  You (the keyword being "you") need to monitor your bank accounts and credit cards - frankly, any account that a third party could get into by knowing your security question or your password on this service (remember, if you use the same password for your email account AND this service, somebody may have both of those right now).  For now, Sony has not offered any type of monitoring service, so your financial/credit monitoring is currently your responsibility.

Hopefully Sony will continue to come out with more information, or we will learn that the data is in "safe" hands (think Matthew Broderick in War Games - almost nothing went wrong in that movie).  In any event, your children that go to business school will enjoy reading the future case study on this one.

Doing the Math: Average Data Breach Cost Now Up to $214 Per Record

The cost per customer record in a data breach increased $10 over the 2009 average to $214 per customer record compromised in a data breach, which is $12 more than the 2008 average of $202 per customer record. The Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, released its sixth Annual Study: U.S. Cost of Data Breach (Available Here - PDF link), declaring that the average cost per compromised customer record rose to $214.  The report is sponsored by Symantec Corporation.  Excellent materials such as an infographic, summaries, blog entries, a podcast and slide presentation can be found on Symantec's web site here.

Before getting into the numbers, you should note that Symantec is offering a Data Breach Risk Calculator.  The foregoing calculator is NOT for the faint of heart, so consider yourself warned.  That being said, the calculator is a powerful tool that considers several factors when estimating data breach costs to businesses.

The report is based on 51 reported data breaches in the United States (other country reports are also published) in 2010, ranging from 4,200 to approximately 105,000 records in 15 different industries. Of the breaches studied, organizations paid a low of $780,000 ($750,000 in 2009), and a high of $35.3 Million ($31 Million in 2009) in connection with the breach response. The average cost to an organization from a data breach increased from $6.65 Million in 2008, and $6.75 Million in 2009, to $7.2 Million in 2010 (Summary).


The cost breakdown for breach response among lost business, ex-post response, notification and detection & escalation is eye-opening and, if nothing else, should be motivational to businesses to address problems before they arise.

Response Cost Chart

Source: Ponemon Institute/Symantec Corporation

According to the report and infographic that was published, the source of the data breach was related to negligence in 41% of the cases. 31% of the data breaches were caused by intentional and malicious attacks, up seven percent from 2009.  Breaches due to third party mistakes dropped three percent to 39%.  Encryption as a post-breach remedy remained the most popular, up three percent to 61%.

As in prior years, those organizations that move quickly tend to experience a higher cost per record for the data response. Organizations that move quickly tend to do so in a disorganized manner with little efficiency (e.g., they do not have a breach response plan in place), and spend on average $268 per record, up significantly from the 2009 average of $219 per record. Those organizations that took longer to respond paid $174 per record on average.

The news regarding data breach costs and impacts continues to worsen and shows no sign of improving or slowing.

Supreme Court Tells AT&T It Has No Right to Privacy

The Supreme Court of the United States has ruled in Federal Communications Commission, et al. v. AT&T Inc., et al. (slip opinion - PDF link) that business entities have no personal privacy rights under the Freedom of Information Act (FOIA) (PDF link).  The ruling was unanimous and arose from a Third Circuit decision.

There are several exemptions built into the FOIA, whereby federal agencies do not have to make certain information available when requested.  Exemption 7(C) pertains to law enforcement records that, if disclosed, “could reasonably be expected to constitute an unwarranted invasion of personal privacy.” 5 U. S. C. §552(b)(7)(C).  The issue addressed was whether corporations have "personal privacy" for purposes of exemption 7(C).

AT&T was investigated by the Federal Communications Commission in connection with AT&T's participation in the FCC's E-Rate (Education-Rate) program for schools and libraries.  As a result, AT&T disclosed to the FCC that it may have overcharged the Government for its services in connection with the E-Rate program.  During the resulting investigation, AT&T disclosed various information to the Government, including billing information, name and job descriptions of employees involved and AT&T's conclusion regarding wrongdoing by its own employees.  The matter was resolved in December 2004 and AT&T paid $500,000 and instituted a plan to ensure the incorrect billing did not occur again.

CompTel, "a trade association representing some of AT&T's competitors," submitted a FOIA request in connection with the E-Rate program investigation.  The FCC's Enforcement Bureau did withhold some competitive information, as well as names and other personal information related to AT&T's employees.  However, the Enforcement Bureau did not apply exemption 7(C) to AT&T itself because "businesses do not possess 'personal privacy' interests as required by the exemption."

AT&T took the position that the root term “person” in the phrase "personal privacy" refers to "persons" as defined under the Administrative Procedure Act. The definition of "person" under the Administrative Procedure Act includes several types of business entities, specifically, corporations.  The FCC concluded that AT&T's position that it is “a ‘private corporate citizen’ with personal privacy rights that should be protected from disclosure that would ‘embarrass’ it . . . within the meaning of Exemption 7(C) . . . [was] at odds with established [FCC] and judicial precedent,” and concluded that “Exemption 7(C) has no applicability to corporations such as [AT&T].”

The Court of Appeals for the Third Circuit agreed with AT&T.  The FCC then petitioned the United States Supreme Court for review, and the Third Circuit holding was overturned.

Chief Justice Roberts delivers a thoughtful analysis of why the terms "person" and "personal" should not be read to give business entities "personal privacy rights," which you can read in detail in the opinion (PDF link).  In a final wink, nudge and affirmation of his reasoning, Chief Justice Roberts concludes the analysis by stating that "[w]e trust that AT&T will not take it personally." 

Moving to the Cloud: Making Sure You Know the Location of the Cloud

Over the last two years more and more clients have requested that we assist them with moving some or all of their business services to the "cloud."  Some of these clients want to use a service that would result in sensitive information being stored on the servers of a third party service provider, such as web-based email, Salesforce.com or Google Docs.  As much as each of these businesses has heavily debated the pros and cons of moving to the cloud, rarely do they consider where the cloud is physically located.

Financial and health industries have always had a focus on thinking through where their protected data was located.  There is a sophisticated legal framework dealing with prohibitions on the storage of sensitive data on foreign soil, such as financial, import-export or healthcare rules and regulations.  For example, a well thought-out online services agreement for a financial institution should have a strict prohibition on storage of data in certain countries or a country other than where the financial institution is located.

However, businesses do not always consider that the information that is stored in a cloud-based service may be physically located on servers not situated in the United States.  Having your business information located in a foreign country can easily (very, very easily) lead to loss, unauthorized private and governmental access and the tripping of the myriad of existing laws, rules and regulations.

The Software Advice Blog has a recent blog post that highlights some of the considerations that a business should undertake when considering the storage of data in a cloud-based service.  Because the decision making process for each business is unique, no blog post is going to give you all of the answers.  But the examples here and in the entry on Software Advice do give you some idea of what your business should be considering.

A final note is that the physical location of cloud-based servers is relevant at all times, not just when you have offices, employees or services based in other countries.  You may know that you are dealing with a company based in your home country, but you should not assume that the servers used by that company are also based in your home country.

California Anti-Spam Law Not Preempted by CAN-SPAM Act

As many people know, California was ahead of the national curve with its anti-spam law, codified at California Business & Professions Code Section 17529.5. The California law is tough, dispenses with many elements normally required to be pled in a fraud proceeding and, as with many “tech” California laws, is very pro-consumer.

With the eventual passage of the CAN-SPAM Act and the subsequent rulemaking process, many people were left wondering whether the California anti-spam law would be preempted.

The United States Court of Appeal for the Second Appellate District in California responded on January 18, 2011, in a big way, ruling (PDF link) that the California law is not preempted. The court in Hypertouch v. Valueclick held, among other things, that the CAN-SPAM Act does not preempt the California anti-spam law and the plaintiff, therefore, has a much less burdensome case to prove. The foregoing ruling overturned the District Court ruling and is contrary to positions taken in other courts.

There are a lot of underlying issues regarding ultimate liability for the various levels of agency involved between an advertiser and a consumer inbox, but the decision ultimately makes the advertiser just as liable as any party acting on its behalf.

The full text of the decision can be found here. (PDF link)

Gawker Media Hack Highlights Our Terrible Password Practices

The recent hacking of Gawker Media’s servers and subsequent release of nearly one and one-half million user names, email addresses and passwords has put a new spotlight on two particular brands of web users: The One Password User and The Terrible Password User.

In case you lost the news of the Gawker hack between the news of Wikileaks, and the related “takedowns” of several popular web sites, it is understandable. It has been an incredible couple of weeks on the hacking/denial-of-service front.

If you did miss the news, and you are a registered user of the web sites Gawker, Gizmodo, Lifehacker, Deadspin, Jezebel, Kotaku, Jalopnik or io9, then you better listen up. Hackers were able to steal a reported 1.25 million accounts, including half a million email addresses and 185,000 decrypted passwords. In other words, it is a big deal. Want to see if your email address is in the online database published by the hackers? Slate has you covered by clicking here.  Excellent resource.

Yes, we should call ourselves what we are. We are lazy. We refuse to remember multiple passwords for multiple web sites. We know there is a risk to engaging in this practice but do it anyway. We are idiots.

The hack is being reported as an example of users using terrible passwords. The most popular password (as reported by The Wall Street Journal here) of users was “123456” with “password” a distant second. Should we take away from this that at least most users have heard the warnings about using “password” as a password?

Another issue being discussed, but not on the same level as the terrible password issue, is the one-size-fits-all approach that users take with their password. Consider the scenario that you have a GMail account. More often than not, your user account on most web sites will be either the full GMail email address or the user name (the part before the @gmail.com). If you had a Gawker account, then there is a significant chance that your email address and password for Gawker is now published and available online to anyone able to use Google.

How hard do you think it will be for criminals to create a computer script that will plug in your email address and password into major web sites to see if your account can be accessed? Wachovia account? Twitter account (this actually happened the other day)? eTrade brokerage account? Facebook account? You get the picture.

The final step here is what applies to your organization. What if within those email addresses from Gawker there is a user’s work email address? (There is. LOTS of them.) And what if the password used to register the Gawker account is the same as the password for the corporate user account? Are we that far removed from a criminal seeing a corporate domain in that Gawker database and giving the foregoing scenario a shot? What, your organization requires that users change passwords every 90 days? Well, you have nothing to worry about…as long as the Gawker account was not created in the last 90 days. Or the user did not recycle a prior password that happened to be the one in use when the Gawker account was created.

Maybe it is time to “re-“emphasize to your employees that they are not to use their corporate passwords anywhere. As a Human Resources matter, you may also want to prohibit employees from using their work email address on personal web sites (this is excellent advice for many reasons, but not often followed by employees even when in place). Finally, you may also want to consider a Gawker-specific announcement about (1) the same email address used at multiple web sites, (2) sophisticated password usage and (3) changing their corporate password if it was used at any other web site.

Don't Want to Read About the Latest Facebook Privacy Problem? Then Listen to It

We just wrote about the recent privacy SNAFU by Facebook and other mega-social media sites that was reported on by the Wall Street Journal.  If you want to hear some really smart people, plus me, talk about the issue, you should check out this brief podcast.


Description:    According to a Wall Street Journal investigation, many of the public’s favorite Facebook applications like Farmville, Texas HoldEm Poker and FrontierVille, are allegedly sharing users’ personal information with third-party advertisers and Internet tracking companies.  Attorneys and co-hosts Bob Ambrogi and J. Craig Williams  welcome Kimberley Isbell, a Fellow at the Berkman Center for Internet and Society and Mark G. McCreary from the firm Fox Rothschild LLP, to discuss this matter.  They look at the potential impact of this privacy breach, the legal issues and how this breach could affect the business of Facebook.


Page URL:    http://legaltalknetwork.com/podcasts/lawyer-2-lawyer/2010/10/the-facebook-privacy-breach/

MP3 Link: 
Click Here

Facebook Again In the Spotlight for Privacy Blunders

The Wall Street Journal wrote a series of articles on Monday about Facebook and other mega-social media sites passing User Identifications (UIDs) to their advertisers.  The article has generated a huge amount of attention, begging the question whether the Wall Street Journal is exposing a significant privacy problem, or making something of nothing in the pursuit of web page impressions.

The UID for users can be used to look up all of the public information of Facebook (for example) users, but does not allow access to information that the user has chosen to make private through privacy controls.  Basically, if you are a Facebook user you cannot hide your name and gender, but everything else can be hidden.  The hidden information is not a risk.  The UID unlocks the public information.

To be clear, there should be no confusion that we are not talking about disclosure of personally identifiable information in the sense of a data breach (i.e., name with SSN, bank information, health information or the like).  This is all information that users know is to be made public.

But because of a web protocol deficiency (this is a technology issue, not a Facebook issue), the UID is transmitted as part of the "referrer" header when the user clicks on an application in Facebook.  Basically, almost any web page that you browse to can learn what page you just left.  In this case, the "referrer" told the application maker your UID because the UID is coded into the address of the page you left, and that address is what the "referrer" carries.
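The mechanism described above, as an added example that is not code from the original post: it simulates what the HTTP Referer header carries when a user clicks from a page whose address embeds a user identifier (a constructed "id" query parameter on a constructed social.example URL) to a third-party application page, and how the Referrer-Policy values that browsers now support decide how much of that address the third party learns.

```javascript
// Added example (not from the original post). All URLs and the "id" parameter
// name are constructed for illustration.

// Constructed page the user is on and constructed third-party app she clicks to.
const PROFILE_PAGE = "https://social.example/profile.php?id=100000123456";
const APP_PAGE = "https://farm-app.example/play";

// Compute the Referer value a browser sends for a navigation from `fromUrl`
// to `toUrl` under a given Referrer-Policy. Returns "" when no Referer is sent.
function refererFor(fromUrl, toUrl, policy = "strict-origin-when-cross-origin") {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol === "http:";

  // The "full" referrer: the leaving page's address minus fragment and userinfo.
  const full = new URL(from.href);
  full.hash = "";
  full.username = "";
  full.password = "";
  const originOnly = from.origin + "/";

  switch (policy) {
    case "no-referrer":
      return "";
    case "unsafe-url":
      return full.href; // everything, including the id in the query string
    case "origin":
      return originOnly;
    case "same-origin":
      return sameOrigin ? full.href : "";
    case "strict-origin":
      return downgrade ? "" : originOnly;
    case "no-referrer-when-downgrade":
      return downgrade ? "" : full.href; // the old browser default
    case "origin-when-cross-origin":
      return sameOrigin ? full.href : originOnly;
    case "strict-origin-when-cross-origin":
      if (downgrade) return "";
      return sameOrigin ? full.href : originOnly;
    default:
      throw new Error("unknown referrer policy: " + policy);
  }
}

// What the receiving site could read from the Referer: query parameters with
// identifier-like names (assumed list) and long numeric path segments.
function identifiersInReferer(referer, idParams = ["uid", "id", "user_id"]) {
  if (!referer) return [];
  const url = new URL(referer);
  const found = [];
  for (const name of idParams) {
    const value = url.searchParams.get(name);
    if (value !== null) found.push({ name, value });
  }
  for (const seg of url.pathname.split("/")) {
    if (/^\d{5,}$/.test(seg)) found.push({ name: "path", value: seg });
  }
  return found;
}

// Map each policy to the identifiers a third party would learn; useful when
// deciding which Referrer-Policy header a site should send.
function leakByPolicy(fromUrl, toUrl) {
  const policies = [
    "unsafe-url", "no-referrer-when-downgrade", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "strict-origin", "origin",
    "same-origin", "no-referrer",
  ];
  const result = {};
  for (const policy of policies) {
    result[policy] = identifiersInReferer(refererFor(fromUrl, toUrl, policy));
  }
  return result;
}

console.log(leakByPolicy(PROFILE_PAGE, APP_PAGE));
```

Either the site sends a restrictive Referrer-Policy header or it keeps identifiers out of page addresses altogether; the second fix works regardless of the browser's default.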

At that point, privacy red flags go up.

Many of us do not know it, but there are companies that have vast databases because these companies collect as much information about users as possible.  Many web users have profiles about themselves, some with more detailed information than others.  It is best not to think about how much information is really out there about you in these databases.

The value of these databases is huge, because if a data aggregator knows that I like baseball, that small nugget of information is very valuable to advertisers.  When Facebook basically lays the path for data aggregators to this information about me, you have potential privacy issues.

But what has Facebook done that is wrong?  The Facebook Privacy Policy clearly says that it will not sell its users' information to advertisers without consent, and arguably has not violated that promise.  In the same Privacy Policy, users are told that application providers will be provided with users' names and other information that the user makes public.  Sounds in compliance so far. 

The breakdown is that the application makers (think Farmville) allow the user information to get to advertisers, which is apparently a breach of Facebook's terms with its application providers.

Facebook responded and has shut down the violating application makers.  That is a great first step.  Facebook has also said that it was unaware of the UID transmission and that most application makers probably had no idea the UIDs were transmitted.

But Facebook had this exact problem in May with its advertisers, another issue uncovered by the Wall Street Journal.

Some people get upset at anything having to do with Facebook and privacy.  Others are horrified to learn what aggregators collect and know.  Some consider the tradeoff as currency for free web services.  This one appears to fall in the middle, but should not be called a significant privacy breach.

Web Sites Are Tracking Our Online Habits More Than We Realize

Following freshly on the heels of these articles in the New York Times and Wall Street Journal, there are reports from AOL's Download Squad blog about an "evercookie."

The use of "cookie" technology, which is basically a small data file that is stored on your computer when you visit many sites, is nothing new.  The most often cited purposes for the use of cookies are to recognize you when you return to a site, remember your preferences, reading and/or shopping habits, and otherwise make your experience at the web site more enjoyable. 

Since early versions of web browsers, users have had the option to disable cookies, but most users find the option to be asked whether to accept each cookie annoying and cumbersome, and the option to completely disable cookies removes the functionality of many popular web sites. 

In short, the public's acceptance of the use of cookies has been taken for granted, and the outrage over their use has gone the way of the outrage over municipal security cameras and airport security checkpoint mauling.

But new technologies that have emerged, and others that appear to be emerging, are renewing the debate.

As reported in the New York Times and Wall Street Journal articles above, several new lawsuits have accused web site operators of going too far.  The outrage is largely focused on a type of Adobe Flash cookie that continues to track users once a visitor has left a web site and is very difficult to detect and/or delete.  These new cookie uses and technologies are occurring and most of us have no idea.  The appeal to retailers of obtaining this information is huge, and having the information can provide a significant competitive advantage. 

Imagine if your company could know that 80% of visitors to your web site also visit the web site of Company A, but only 5% visit the web site of Company B.  Which company are you going to focus your efforts on with respect to marketing and pricing competition?  Conversely, the pressure on Company B to also have this information is huge; otherwise it faces the possibility of a competitive push by Company A, the basis for which Company B does not understand.

Plaintiffs also claim that they took reasonable steps to disable cookies, but that Flash cookies are immune from those settings and are planted on users' computers regardless of the user settings.  Set your privacy settings to reject cookies, and you still get Flash and similar new breed cookies.

Retailers have for the most part said that the information is not used for marketing, but used for analytics and traffic measurement.  Other retailers have not responded. 

Legally speaking, the question for many comes down to disclosure and efforts on the part of web site operators to thwart our efforts to protect ourselves.  Opponents argue that there is something fundamentally wrong with being presented with the option to disable cookies (which is the industry's effort to police itself without regulatory involvement), but then having a technology that ignores that option.  If web sites only want to use these new breed cookies for analytics and traffic measurement, then why not do it the old-fashioned way through text-based cookies?  The answer for those who oppose this new technology seems to be either that the information is so valuable that web site operators do not care whether you want to share it, or that web site operators are starting down a path of changing the rules so that they can track our online habits more deeply and build a profile of our shopping habits and online behavior.

But Flash-based cookies are not the only new cookie technology on the hot seat.  AOL's Download Squad blog paints the worst-case scenarios of cookie iterations, for which the technology does currently exist.  In the example cited, cookies are copied to eight different locations, re-spawning as they are deleted and requiring a computer engineering degree and more time than most people have to track down and kill.  Frankly, while I want to know more about evercookie, I was not about to click on the link to the creator's web site to learn more.  Fox Mulder was right: Trust No One.

I cannot let pass without commenting that the link to the New York Times article actually contains the word "cookie," and not as part of the article title.  The New York Times is no different than the majority of other online operations, so I do not mean to pick on them.  I only note that the use of cookies is pervasive and has been, for the most part, a harmless practice.  These new practices change the game, and change the game in a way that possibly is in users' best interests.

If you are unable to view the New York Times and Wall Street Journal articles above, you can search "code known as flash cookies" at the New York Times web site, and "spate of lawsuits over" at the Wall Street Journal web site.

Tony Soprano Goes Into the Business of Stealing Personal Information

Organized crime has long been known as a group responsible for trading in stolen personally identifiable information. The recent 2010 Verizon Data Breach Investigations Report (PDF link) reports that organized criminals were responsible for 85% of all data breaches caused by external agents. As a whole, data breaches caused by external agents comprise 70% of all data breaches and 98% of all records compromised. Statistics, analysis and recommendations pepper the 66-page report.

The Verizon Report also noted that 98% of all breaches came from servers, 85% of attacks were considered highly difficult, 61% of data breaches were actually discovered by third parties, 86% of parties with compromised systems had evidence in their log files that a breach had occurred, 96% of breaches were avoidable through simple or intermediate fixes, and 79% of parties with compromised systems that were subject to PCI-DSS had not achieved compliance.

Hacking, while making up only 40% of all breaches, accounted for 94% of all records compromised. The chart below, taken from the Verizon Report, shows the breakdown of the various categories of Hacking.

Source: 2010 Verizon Data Breach Investigations Report

Verizon’s press release provides a brief summary of the Verizon Report, but a full read is recommended for those persons in charge of protecting networks containing personally identifiable information.

Key Findings of the 2010 Report

This year's key findings both reinforce prior conclusions and offer new insights. These include:

• Most data breaches investigated were caused by external sources. Sixty-nine percent of breaches resulted from these sources, while only 11 percent were linked to business partners. Forty-nine percent were caused by insiders, which is an increase over previous report findings, primarily due in part to an expanded dataset and the types of cases studied by the Secret Service.

• Many breaches involved privilege misuse. Forty-eight percent of breaches were attributed to users who, for malicious purposes, abused their right to access corporate information. An additional 40 percent of breaches were the result of hacking, while 28 percent were due to social tactics and 14 percent to physical attacks.

• Commonalities continue across breaches. As in previous years, nearly all data was breached from servers and online applications. Eighty-five percent of the breaches were not considered highly difficult, and 87 percent of victims had evidence of the breach in their log files, yet missed it.

• Meeting PCI-DSS compliance still critically important. Seventy-nine percent of victims subject to the PCI-DSS standard hadn't achieved compliance prior to the breach.

Recommendations for Enterprises

The 2010 study once again shows that simple actions, when done diligently and continually, can reap big benefits. These actions include:

• Restrict and monitor privileged users. The data from the Secret Service showed that there were more insider breaches than ever before. Insiders, especially highly privileged ones, can be difficult to control. The best strategies are to trust but verify by using pre-employment screening; limit user privileges; and employ separation of duties. Privileged use should be logged and messages detailing activity generated to management.

• Watch for 'Minor' Policy Violations. The study finds a correlation between seemingly minor policy violations and more serious abuse. This suggests that organizations should be wary of and adequately respond to all violations of an organization's policies. Based on case data, the presence of illegal content on user systems or other inappropriate behavior is a reasonable indicator of a future breach. Actively searching for such indicators may prove even more effective.

• Implement Measures to Thwart Stolen Credentials. Keeping credential-capturing malware off systems is priority No. 1. Consider two-factor authentication where appropriate. If possible, implement time-of-use rules, IP blacklisting and restricting administrative connections.

• Monitor and Filter Outbound Traffic. At some point during the sequence of events in many breaches, something (data, communications, connections) goes out externally via an organization's network that, if prevented, could break the chain and stop the breach. By monitoring, understanding and controlling outbound traffic, an organization can greatly increase its chances of mitigating malicious activity.

• Change Your Approach to Event Monitoring and Log Analysis. Almost all victims have evidence of the breach in their logs. It doesn't take much to figure out that something is amiss and make needed changes. Organizations should make time to review more thoroughly batch-processed data and analysis of logs. Make sure there are enough people, adequate tools and sufficient processes in place to recognize and respond to anomalies.

• Share Incident Information. An organization's ability to fully protect itself is based on the information available to do so. Verizon believes the availability and sharing of information are crucial in the fight against cybercrime. We commend all those organizations that take part in this effort, through such data-sharing programs as the Verizon VERIS Framework.

Sources: Verizon Press Release
2010 Verizon Data Breach Investigations Report


FTC Bans Twitter From Misleading Us for 20 Years

The Federal Trade Commission entered into a settlement with the social networking site Twitter on Thursday, June 25th.  The settlement was the result of two 2009 hacker breaches, which resulted in 35 user accounts (mostly celebrities and politicians) being compromised and passwords disclosed.  For those wondering, the first breach was achieved in January 2009 by using a password-guessing tool to gain access through a Twitter administrative account protected by a weak, lowercase password, and then resetting user account passwords.  The second breach in April 2009 allowed the hacker to gain access to a Twitter employee's email account, where that employee had "similar" passwords stored in plain text, resulting in further user password resets.  You may recall hearing about (or receiving) the "Tweet" from President-elect Obama offering you an opportunity to receive $500 in free gas.  Seriously, that happened.

According to the FTC press release, "[u]nder the terms of the settlement, Twitter will be barred for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers. The company also must establish and maintain a comprehensive information security program, which will be assessed by an independent auditor every other year for 10 years."

What did Twitter do wrong, you may ask?  The FTC alleged in its complaint that Twitter was really bad at preventing unauthorized access to its system.  Really, really bad.  Specifically, Twitter failed to take reasonable steps to:

  • require employees to use hard-to-guess administrative passwords that they did not use for other programs, websites, or networks;
  • prohibit employees from storing administrative passwords in plain text within their personal e-mail accounts;
  • suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts;
  • provide an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;
  • enforce periodic changes of administrative passwords, for example, by setting them to expire every 90 days;
  • restrict access to administrative controls to employees whose jobs required it; and
  • impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
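The list above reads like a specification for an administrative login policy. The following is an added illustration, not Twitter's code or the FTC's: a small Python module that enforces lockout after repeated failures, a 90-day password age, a source-IP allow list for administrative access, and a password rule that rejects weak or reused passwords. The thresholds, the account structure and the function names are assumptions; the caller is assumed to have already verified the submitted credential.

```python
"""Admin-login policy checks covering the controls the FTC complaint faulted:
strong, non-reused passwords; lockout after repeated failures; 90-day expiry;
and a source-IP restriction on administrative access.
Constructed example; names and thresholds are assumptions, not Twitter's."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

MAX_FAILED_ATTEMPTS = 5                # assumed lockout threshold
PASSWORD_MAX_AGE = timedelta(days=90)  # expiry period named in the complaint
MIN_PASSWORD_LENGTH = 12               # assumed minimum length


@dataclass
class AdminAccount:
    username: str
    password_set_at: datetime
    # CIDR ranges from which administrative logins are permitted (assumed)
    allowed_networks: list
    failed_attempts: int = 0
    locked: bool = False


def password_is_acceptable(password: str, known_passwords) -> bool:
    """Reject short, low-variety (e.g. all-lowercase) or reused passwords.

    known_passwords: passwords the employee already uses elsewhere, supplied
    by the caller (for example from a previous-password history)."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        return False
    return password not in known_passwords


def source_allowed(account: AdminAccount, source_ip: str) -> bool:
    """True only if the request comes from an allow-listed network."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(net) for net in account.allowed_networks)


def password_expired(account: AdminAccount, now: datetime) -> bool:
    return now - account.password_set_at > PASSWORD_MAX_AGE


def attempt_login(account: AdminAccount, source_ip: str,
                  credentials_valid: bool, now: datetime) -> str:
    """Apply the policy around a credential check the caller already made.

    Returns one of: "locked", "denied_ip", "bad_password",
    "password_expired", "ok"."""
    if account.locked:
        return "locked"
    if not source_allowed(account, source_ip):
        # Off-network requests never reach the password check, so they can
        # neither guess at the password nor lock the account out.
        return "denied_ip"
    if not credentials_valid:
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True
            return "locked"
        return "bad_password"
    if password_expired(account, now):
        return "password_expired"
    account.failed_attempts = 0
    return "ok"


if __name__ == "__main__":
    # Constructed walk-through: five bad guesses from the allowed network
    # lock the account, and a correct credential afterwards is still refused.
    now = datetime(2010, 6, 25)
    admin = AdminAccount("ops-admin", now - timedelta(days=10), ["10.0.0.0/8"])
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(attempt_login(admin, "10.1.2.3", False, now))
    print(attempt_login(admin, "10.1.2.3", True, now))
```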

Sounds like pretty reasonable steps for Twitter to have taken.  Frankly, it sounds like pretty reasonable expectations in 2000, not just 2009.  Your IT Department surely has at least these requirements, right?  Right?

To many, this settlement is further evidence that the "we are serious this time, seriously" approach touted by the FTC in recent years is merely lip service. 

That being said, the ban on misleading customers for 20 years is not just empty words.  If Twitter allows any other privacy breach to occur, it will find itself without much leniency from the FTC.  It also puts the FTC in a position to immediately fine Twitter up to $16,000 per incident for future lapses, a power that the FTC does not have absent the settlement and resulting (future, expected) order.

The comment period on the settlement will end on July 26, 2010, at which time it is expected that the order will be entered and the settlement will become final.

Supreme Court Refuses to Make Landmark Privacy Ruling

The Supreme Court issued a ruling yesterday (8-1) in Ontario, Calif. v. Quon, U.S., No. 08-1332, 6/17/10 (PDF link), basically punting on elaborating on Fourth Amendment privacy rights because technology is still emerging.  The technology?  Pagers.

The police department for the City of Ontario in California provided pagers to its officers in 2001.  A computer and Internet usage policy provided that the department could monitor all electronic activity of its employees, including email and Internet usage.  There was no specific reference to pager usage and text messages. 

The distinction between the transmission technology for email and for pagers/cell phones is important.  The email and Internet usage at the police department would travel over the department's computer servers.  The pager/text messages would not, but rather would travel over the wireless provider's (Arch Wireless) network.  The point being, monitoring of the department's own servers is a much easier question than monitoring communications that travel over a service provider's servers.

Majority author Justice Kennedy wrote that these forms of technology are still too emergent to risk creating bad law:

The Court must proceed with care when considering the whole concept of privacy expectations in communications made on electronic equipment owned by a government employer. The judiciary risks error by elaborating too fully on the Fourth Amendment implications of emerging technology before its role in society has become clear. See, e.g., Olmstead v. United States, 277 U. S. 438 (1928), overruled by Katz v. United States, 389 U.S. 347, 353 (1967). In Katz, the Court relied on its own knowledge and experience to conclude that there is a reasonable expectation of privacy in a telephone booth. See id., at 360–361 (Harlan, J., concurring). It is not so clear that courts at present are on so sure a ground. Prudence counsels caution before the facts in the instant case are used to establish far-reaching premises that define the existence, and extent, of privacy expectations enjoyed by employees when using employer-provided communication devices.

Previously, the Justices understood how telephone booths worked and were (presumably) not intimidated or confused by the technology. Apparently, pagers were a bit more troubling.

But blaming the lack of a firm ruling on understanding the technology does not give the Justices enough credit. The Majority notes that cellphones and text messaging are so pervasive that employers tolerate personal use of employer-owned devices for the sake of efficiency (which weighs in favor of finding privacy expectations), while the affordability and pervasiveness of this technology weighs in favor of employees having their own devices for personal use (which makes it harder to have an expectation of privacy in employer-owned hardware). The Majority also noted that state law is emerging and filling in the gaps that are arising (although on a very limited basis).

Rather than addressing the 800-pound gorilla, the Supreme Court instead focused on whether the government had "reasonable grounds for suspecting that the search [was] necessary for a noninvestigatory work-related purpose." Here, the police department was conducting an investigation into usage to determine if the pager usage plan was sufficient for the department's needs. Finding that there was a legitimate basis for the search (and upholding prior rulings giving employers broad rights in searching employer-owned hardware), the Supreme Court concluded that the department's review of pager message contents was appropriate conduct. In other words, if the department found improper behavior as a result of a search unrelated to looking for improper behavior, whatever was found was fair game.

The court also noted two things of interest. First, during the Internal Affairs investigation the department redacted all messages sent while the officer was off-duty. Second, even if the officer did have a general expectation of privacy in the messages, as an officer he should have known that his messages were subject to legal scrutiny in at least some cases (for example, I assume, as part of discovery in a police abuse case) and he could not expect privacy in all circumstances. Again, no guidance on when he could expect privacy, if at all.

I, for one, am looking forward to 2018 when cases dealing with 2010 technology may be addressed by the Supreme Court.  Hopefully the Supreme Court will have a good grasp of a Facebook Wall.

Law Firm Security Lags Behind and Target of Hackers...Yikes!

On a topic near and dear to my heart, I read an article at Law360 on Friday that was a real eye opener.  Not because I am concerned about my backyard (we have a CTO that is very on top of these issues), but because of the number of law firms that apparently do not have their networks secure.

I have no intention of restating the article from Law360, but I do want to state the premise that should make private practice attorneys (and, frankly, lots of General Counsel) click through: "Over the past five years, sophisticated cyber attackers have expanded their intrusions at government and defense-related targets to go after researchers, manufacturers, nonprofits and law firms, according to a January report by information security firm Mandiant Corp."

Let me put that another way.  The emails about collecting alimony from the ex-wife in Cambodia about the deadbeat ex-husband are not where your risks end.  Hackers are now targeting law firms for hacking and data theft.  And why not?  If a hacker cannot hack into a Fortune 100 company network, go to the law firm network where all of those transaction documents and SEC filings reside.

Read the article for yourself.

FTC Delays Implementation of Red Flag Rules Until December 31, 2010

In an effort to ease the holiday weekend of those affected, the FTC announced that the effective date of the Red Flag Rules has been delayed until December 31, 2010.  This announcement may have a familiar feel to you (January 1, 2008, November 1, 2008, June 1, 2010?).  Click here to read at the FTC web site, or read the full text by clicking "Continue Reading" below.  Happy Memorial Day.

At the request of several Members of Congress, the Federal Trade Commission is further delaying enforcement of the “Red Flags” Rule through December 31, 2010, while Congress considers legislation that would affect the scope of entities covered by the Rule. Today’s announcement and the release of an Enforcement Policy Statement do not affect other federal agencies’ enforcement of the original November 1, 2008 deadline for institutions subject to their oversight to be in compliance.

“Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule – and to fix this problem quickly. We appreciate the efforts of Congressmen Barney Frank and John Adler for getting a clarifying measure passed in the House, and hope action in the Senate will be swift,” FTC Chairman Jon Leibowitz said. “As an agency we’re charged with enforcing the law, and endless extensions delay enforcement.”

The Rule was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

The Rule became effective on January 1, 2008, with full compliance for all covered entities originally required by November 1, 2008. The Commission has issued several Enforcement Policies delaying enforcement of the Rule. Most recently, the Commission announced in October 2009 that at the request of certain Members of Congress, it was delaying enforcement of the Rule until June 1, 2010, to allow Congress time to finalize legislation that would limit the scope of business covered by the Rule. Since then, the Commission has received another request from Members of Congress for another delay in enforcement of the Rule beyond June 1, 2010.

The Commission urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays. If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the Commission will begin enforcement as of that effective date.

In the interim, FTC staff has continued to provide guidance, both through materials posted on www.ftc.gov/redflagsrule, and in speeches and participation in seminars, conferences and other training events to numerous groups. The FTC also published a compliance guide for business, and created a template that enables low risk entities to create an identity theft program with an easy-to-use online form (www.ftc.gov/bcp/edu/microsites/redflagsrule/get-started.shtm). The FTC staff also has published numerous general and industry-specific articles, released a video explaining the Rule, and continues to respond to inquiries from the public. To assist further with compliance, FTC staff has worked with a number of trade associations that have chosen to develop model policies or specialized guidance for their members.

As was the case previously, this enforcement delay is limited to the Red Flags Rule and does not extend to the rule regarding address discrepancies applicable to users of consumer reports (16 C.F.R.§641), or to the rule regarding changes of address applicable to card issuers (16 C.F.R.§681.2).

For questions regarding this Enforcement Policy, please contact Naomi Lefkovitz or Pavneet Singh, Bureau of Consumer Protection, 202-326-2252.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,800 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s Web site provides free information on a variety of consumer topics.

FTC Concerned About Retention of Scans on Copy Machines

Every day we all read about the latest threat to our privacy.  Facebook tricks you into sharing your private life details and Facebook staff is fed up.  The computer in your car can be hacked to disable your brakes.  Google collected wi-fi hotspot data for some (alleged) nefarious purpose.

It is not often that we come across something that just does not seem possible.  Yesterday was one of those days, when the FTC announced that it is working with copy machine manufacturers to either end or severely restrict the existing practice of storing digital images captured on photocopiers.  The FTC's response (PDF link) was in reaction to a letter (PDF link) from Representative Ed Markey (D-MA) after seeing a CBS report last month on the issue.

Photocopies made on modern photocopiers are stored on an internal hard drive in the copy machine.  CBS' report last month stated that "[n]early every digital copier built since 2002 contains a hard drive - like the one on your personal computer - storing an image of every document copied, scanned, or emailed by the machine."  In other words, everything you have photocopied is stored on a hard drive hidden deep inside the photocopier.

WHAT!?!  Why?  Who thought this was a good idea?  And all, or almost all, copier manufacturers put this function in their copiers?  When did I photocopy those "youthful" pictures from college for my buddy's bachelor party?  We received new photocopiers last year, so that copier is gone (thank goodness).  But wait, where is it?  Read on to see some of the nightmare scenarios this raises.

The used photocopier in the CBS story was from the Buffalo, New York Police Sex Crimes Division.  Putting aside that a page was still on the glass of the scanner bought from a used wholesaler, there were also tens of thousands of images detailing confidential police reports, victim statements and investigations.  All of these images were pulled from the hard drive using forensic software available on the Internet.  You have to read this article to believe it.

But what about your business?  You probably don't own your photocopiers, and instead opt to lease or finance copiers that you turn back over after a set number of years.  Do you photocopy medical information, social security numbers or banking/tax information of your employees?  What about your clients?  If you are in the medical field, clearly a problem.  What about CPAs?  Insurance companies?  Almost any business is affected.

If they do not already, I bet litigators reading about this are going to start adding photocopier hard drives to their Requests for Production of Documents.  Talk about smoking guns!

Used copiers go somewhere, and they are generally cheap.  A thief that trades in personal information would certainly be interested in looking into purchasing used copy machines on the chance (likelihood) that personal information is in there (kind of a game of Identity Theft Bingo). 

It is easy to have an alarmist reaction to this news.  Depending on your field, you may want to consider some of the software solutions for this problem (CBS cites Digital Copier Security as a solution vendor).  But everyone is affected, so you are not alone.  Ultimately, your response depends on how seriously your organization takes the protection of your clients' and employees' confidential information.

New Effort at Federal Privacy Law Big On Promises

Rep. Rick Boucher (D-VA) and Rep. Cliff Stearns (R-FL) proposed federal legislation last week that would create a two-tier standard of protection for private information, whereby “covered information” would fall under the standard “opt-out” method and “sensitive information” would fall under an “opt-in” method.

The proposed legislation breathes new life into perennially dead-on-arrival legislation, and potentially offers something the Obama administration can support in fulfilling its promise to close existing gaps in federal privacy legislation.

The phrase "Sensitive Information" includes any information that relates to the individual's medical records, race or ethnicity, religious beliefs, sexual orientation, financial records or precision geolocation information.

Opponents of the legislation have jumped all over it, claiming that it does not go far enough to protect individuals, especially in the online context. Others cite that European laws remain the gold standard for privacy protection, and that this legislation avoided going that far because of backlash from business.

From the Representatives’ press release, found here, the highlights of the proposed legislation are:

The draft measure would protect individuals’ privacy by requiring the following:

Disclosure of privacy practices: Any company that collects personally identifiable information about individuals must conspicuously display a clearly-written, understandable privacy policy that explains how information about individuals is collected, used and disclosed.

Collection and use of information: As a general rule, companies may collect information about individuals unless an individual affirmatively opts out of that collection. Opt-out consent also applies when a website relies upon services delivered by another party to effectuate a first party transaction, such as the serving of ads on that website.

No consent is required to collect and use operational or transactional data – the routine web logs or session cookies that are necessary for the functioning of the website – or to use aggregate data or data that has been rendered anonymous.

Companies need an individual’s express opt-in consent to knowingly collect sensitive information about an individual, including information that relates to an individual’s medical records, financial accounts, Social Security number, sexual orientation, government-issued identifiers and precise geographic location information.

Disclosure of information to unaffiliated parties: An individual has a reasonable expectation that a company will not share that person’s information with unrelated third parties. If a company wants to share an individual’s personally-identifiable information with unaffiliated third parties other than for an operational or transactional purpose, the individual must grant affirmative permission for that sharing.

Many websites work with third-party advertising networks, which collect information about a person or an IP address from numerous websites, create a profile and target ads based on that profile. As an exception to the general rule requiring opt-in consent for third-party information sharing, opt-out consent would apply to sharing of an individual’s information with a third-party ad network if there is a clear, easy-to-find link to a webpage for the ad network that allows a person to edit his or her profile and, if he chooses, to opt out of having a profile, provided that the ad network does not share the individual’s information with anyone else.

Implementation and enforcement: The Federal Trade Commission would adopt rules to implement and enforce the measure. States may also enforce the FTC’s rules through State attorneys general or State consumer protection agencies.
 

Update on Massive ECMC Data Breach

Do you recall that little data breach that Educational Credit Management Corporation (ECMC) had a couple of weeks ago?   That "theft" of data that included names, addresses, dates of birth and social security numbers of some 3.3 million individual student loan borrowers was big news in data breach circles.  We reported about it here.

Well, hope springs eternal as I was pinged today by ECMC's PR firm letting me know that the storage medium was recovered and "law enforcement officials" do not believe that the personal information was compromised.  (Savvy move, Weber Shandwick.)

I hope, for the sake of the borrowers if nothing else, that none of the information was accessed.  I also hope that experts can determine that nobody accessed the information (which probably can be done if we are talking about a thumb drive or hard drive, and is probably much less likely if we are talking about a DVD, fingerprints notwithstanding).

Maybe some encryption firm is making a lot of money from ECMC as we speak, and maybe Congress is noticing this apparent dodged bullet and will use it to advance a toothy federal breach notification law.

The full press release is available if you click Continue Reading below.

The statement below is in response to a news release issued on 4/16/10 by the Minnesota Department of Public Safety.

Statement of Richard Boyle, ECMC GROUP President & CEO

ECMC and its employees want to express their gratitude to the Minnesota Financial Crimes Task Force, which, in cooperation with the Oakdale Police Department and with the assistance of the Federal Bureau of Investigation and the Department of Education’s Office of Inspector General, brought about this positive outcome.  We were very pleased to learn yesterday that the property and data stolen from ECMC headquarters has been recovered and that law enforcement officials believe that the personally identifiable information of our 3.3 million federal student loan borrowers does not appear to have been compromised.
 
We are working closely with U.S. Department of Education to notify our borrowers, partners and industry about this latest development.
 
We remain vigilant to the needs and concerns of our borrowers, and continue to encourage borrowers who were notified by us of this incident to take advantage of the free credit monitoring and fraud protection package we are providing them through Experian.  The letter to affected borrowers included information about how to activate this service. 

All of us at ECMC are delighted by this news and hope that it provides some comfort to affected borrowers.  We will continue to post updates to our website, www.ecmc.org, as additional information becomes available. 

California Data Breach Notification Revision Gets New Life

You may recall that Governor Schwarzenegger "terminated" the proposed update to California's landmark privacy protection law (AB 700), known as SB 20, which California’s State Legislature previously approved and we reported about here. SB 20 was proposed by State Senator Joe Simitian (D-Palo Alto), the original author of California's breach notification law after which many states model their breach notification laws.

Well, the Governator's office encouraged Rep. Simitian to reintroduce the amendment, which is now Senate Bill 1166.  This Bill was approved by the California Senate last Thursday and now moves to the California State Assembly for approval and, if approved, signature by the Governor.

The existing legislation requires that any company or business that loses unencrypted personal information send a security breach notification letter to those affected. States adopting breach notification laws similar to California's now number 46, plus the District of Columbia, Puerto Rico and the US Virgin Islands. 

At its heart, SB 1166 accomplishes two major goals. First, SB 1166 would require that the notification letters sent to victims “contain specific information designed to help victims safeguard their privacy. This includes the type of personal information exposed, a description of the incident, and when it took place.”  At least 13 states already have laws specifying the contents of breach notification letters to affected individuals.  These provisions are often encouraged because consumers receiving notices are often confused about what data is affected, and because, as the number of generic notices received by consumers increases, there is fear that apathy will set in and a consumer will miss notice of a particularly troubling breach.

Second, SB 1166 would also require that parties that have a (single event) data breach that affects more than 500 California residents provide a copy of the notification letter to the state Attorney General’s office. This second provision is where there is now a potential for a clearinghouse. In most conceivable cases of a data breach of any significant size, it is likely that 500 California residents will be affected. Under applicable sunshine laws, this information would be more widely available to watchdog groups, not to mention concerned citizens. It is also conceivable that the Attorney General’s office would post information regarding these reported data breaches on its web site in an easily accessible manner.

We will have to wait and see if Skynet orders the Governor to sign this law when and if it reaches his desk.

Credit Checks in Hiring Process Called Into Question

The New York Times had an interesting article on Friday discussing a recent trend in state legislatures to prevent the use of credit reports as a tool for private businesses to screen job applicants.  According to the article, more than a dozen state legislatures are currently considering such legislation.

With the downturn in the economy, the continually rising cost of health care (and the lack of insurance because of unexpected unemployment) and the failure of the recently unemployed to change their spending habits, the issue of poor credit has affected more and more individuals.

To fight this potential trend to prohibit the use of credit reports in the hiring process, credit reporting agencies such as TransUnion (you know, one of the companies that sells the credit reports to those private businesses) have lobbied to block such legislation.  A tactic has been to sell the credit report as a mechanism to protect your business and employees.  Don't you care enough to protect your employees, you monster?  This approach is why there are parents paying $800 for a baby stroller.  Apparently, these efforts have been successful in some states, such as California, Maryland and Connecticut.

But what does a tainted credit report really tell you about the applicant?  The article does a keen job of pointing out that there have been no comprehensive studies on the correlations between poor credit and employee fraud and theft, but a small study cited found no such correlation.

If your business does credit checks as part of a background check on a potential employee, I suggest you read the article and consider a few questions.  First, do you get written permission to obtain the credit report?  (You need that written permission under federal law.)  Second, does your human resources staff understand that it cannot make employment decisions based solely on the credit report?  (You should not do that.)  Finally, do you really need the report, meaning does it really tell you anything and, if it does, do you limit your practice of obtaining the report to positions that involve the handling of money or positions that come with other fiduciary responsibilities?

NJ Supreme Court Protects Employee Personal Emails Accessed on Work Computer

Marina Stengart, a former employee of northern New Jersey-based Loving Care Agency, sued Loving Care for wrongful termination of employment based on discrimination. Loving Care hired an outside firm to analyze Stengart’s computer for information helpful to defense of the lawsuit. The third party investigators accessed Stengart’s Yahoo! email account (presumably because of a saved password), where they found information helpful to defense of the lawsuit. Can Loving Care’s attorneys use the information found on that personal email account? What if the communications are between Stengart and her attorney?

The New Jersey Supreme Court, in a 7-0 ruling (PDF link) upholding the appellate panel that reversed the trial court’s decision, ruled on March 30th that Loving Care wrongfully accessed those emails between Stengart and her counsel. The court held that “[f]inding that the policies undergirding the attorney-client privilege substantially outweigh the employer's interest in enforcement of its unilaterally imposed regulation, we reject the employer's claimed right to rummage through and retain the employee's emails to her attorney.”

In its defense that it had every right to access all electronic records on its computer hardware, Loving Care turned to its company handbook, which provides in part that:

E-mail and voice mail messages, internet use and communication and computer files are considered part of the company's business and client records. Such communications are not to be considered private or personal to any individual employee.

But the attorney-client nature of the communications may be a red herring if there is something to be learned from this case.

The court provided a detailed, very telling analysis of Loving Care’s handbook and underlying policies, which I believe is the takeaway from this case. The court focused on ambiguities in the handbook, and the lack of a defined nexus between employees’ personal email accounts and Loving Care’s claim of access to and ownership of such communications accessed through its computer hardware. Briefly:

Although there may be gray areas where an employer possesses a legitimate interest in accessing personal communications from a company computer that impact on its business or reputation,…the matter at hand does not present the same or similar circumstances considered in M.A., upon which the company places great emphasis, or Doe, nor does it present a doubtful question in resolving the conflict between an employee's private interests and the employer's business interests. Although plaintiff's emails to her attorney related to her anticipated lawsuit with the company, the company had no greater interest in those communications than it would if it had engaged in the highly impermissible conduct of electronically eavesdropping on a conversation between plaintiff and her attorney while she was on a lunch break.

Certainly, an employer may monitor whether an employee is distracted from the employer's business and may take disciplinary action if an employee engages in personal matters during work hours; that right to discipline or terminate, however, does not extend to the confiscation of the employee's personal communications.

The court also took particular care to preserve the attorney-client relationship, and made clear declarations that the attorney-client relationship will remain protected in the brave new digital world:

There is no question -- absent the impact of the company's policy -- that the attorney-client privilege applies to the emails and would protect them from the view of others. In weighing the attorney-client privilege, which attaches to the emails exchanged by plaintiff and her attorney, against the company's claimed interest in ownership of or access to those communications based on its electronic communications policy, we conclude that the latter must give way. Even when we assume an employer may trespass to some degree into an employee's privacy when buttressed by a legitimate business interest, we find little force in such a company policy when offered as the basis for an intrusion into communications otherwise shielded by the attorney-client privilege.

There have been cases where the attorney-client privilege was lost where there were attorney-client communications on company owned computer hardware (specifically, through the company email account, where no expectation of privacy was found). That being said, this case is different in that the communications were through a personal account and the handbook had many ambiguities, the primary one being that there was no stated nexus between Loving Care assuming ownership of such communications and the harm being prevented.

Again, the takeaway for me is not that the attorney-client privilege was preserved, but rather the importance of a properly drafted handbook that clearly states, among other things, what material is covered and the basis and benefits arising from such policies. Read the ruling's (PDF link) discussion on the deficiencies in the handbook, and then review your own policy.
 

Data Breach Affecting 3.3 Million Borrowers with Student Loans

ECMC reported last Friday, March 26th, that a data theft occurred over the weekend of March 20-21 from ECMC's headquarters.  During this breach, which has been termed a "theft," data was stolen that included names, addresses, dates of birth and social security numbers of some 3.3 million individual student loan borrowers.  ECMC did note in its press release that no "bank account or other financial information" was stolen, which may not come as a huge relief to those affected considering the types of data that were stolen.

What is not clear is whether the information was encrypted, although it is not difficult to conclude that the information almost certainly was not encrypted in light of the public announcement and credit reporting.  The media on which the records were contained, although not specifically identified, was referred to as "portable media."

ECMC's president and CEO, Richard Boyle, said in the statement "[w]e deeply regret that this incident occurred and the stress it has caused our borrowers and our partners and are doing everything we can to help protect our borrowers' identity and personal information."

ECMC is a guarantor of federal student loans.  It is offering, gratis, the now-customary credit monitoring service from one of the major credit reporting bureaus (Experian, in this case).

ECMC reports that it delayed its public announcement at the direction of the law enforcement divisions.

This data breach of ECMC's records further highlights the vast gap between state-level data encryption requirements that are emerging and the lack of the same at the federal level.

Latest TJX Breach Lesson: Crime Does Not Pay

A co-conspirator in the TJX breach, Humza Zaman, saw the next 46 months of his life laid out before him in Boston yesterday, as he was sentenced in federal court for his role in the TJX breach. He was also fined $75,000.  He will also have three years of supervised release and must disclose his conviction to future employers, but he will not be prevented from using computers.

Zaman’s role appears to be limited to money laundering activity while he was employed by Barclay’s Bank. Zaman, apparently feeling he was only doing favors for Albert Gonzalez (by all accounts, the mastermind behind the data theft), would meet and mule large amounts of cash that he received from “an unknown man of apparent Eastern European descent.”

The writer of the “sniffer” computer program that was used in the data theft, Stephen Watt, was sentenced last December to two years in prison.

Lex Luthor Albert Gonzalez is awaiting sentencing and faces a minimum sentence of 17 years in prison.

Wired has a much more thorough report on the prosecution side of the TJX breach, which is worth a read not only by business folks, but by people that may get drawn into similar schemes.

Updated: Special thanks to the German Privacy Foundation for noting that I had punishments for Mr. Zaman and Mr. Watt flipped in certain portions of the original posting.  It is nice to have such friendly and professional communications from our friends in Germany.

Aetna Wins Dismissal on "Increased Risk of Identity Theft" Damages Sought for Class Action

Judge Legrome D. Davis of the United States District Court for the Eastern District of Pennsylvania issued an amended order on March 9th (amended from March 8th) dismissing a recent case seeking speculative damages arising from a data breach of Aetna’s job application web site. A copy of the opinion can be viewed here.

In Allison v. Aetna (09-2560), the plaintiffs sought, among other relief, damages in connection with identity theft that may occur in the future. Mr. Allison’s identity had not been stolen at the time the complaint was filed (and presumably not since then).

The facts are set forth in more detail in the attached opinion, but essentially hackers gained access to some 450,000 (!!!) job applicants’ personal information contained in Aetna’s job application web site database. Also taken were the social security numbers of employees of Aetna (reports say 65,000 employees were affected). The applicants then received emails, purporting to be from Aetna, requesting additional personal information from the applicant. It is unclear what additional information was actually sent by applicants, but it is a pretty safe assumption that at least some of the applicants were tricked into supplying the information.

Judge Davis walks through a detailed analysis of “increased risk of harm” claims, and concludes that there is no legally cognizable injury based on such claims. A detailed analysis of recent decisions related to “increased risk of harm” claims arising in connection with data breaches is included in the opinion.

There was no proof that Mr. Allison’s personal information was ever accessed and the only information known for certain to be stolen was email addresses. Mr. Allison never received the phishing email, and an implication arises that no other information was taken if the phishers were asking for the same information. (I think the opposite inference is possible, that only those applicants for which more detailed information was not taken were "phished.") Judge Davis notes that “[a]t best, Plaintiff has alleged a mere possibility of an increased risk of identity theft, which is insufficient for purposes of standing, and he certainly has not asserted a credible threat of identity theft.”

This decision joins a growing line of cases where plaintiffs are not being allowed to collect damages where there has been no actual proof of harm.

A copy of the opinion can be found here.

HSBC Reports Information of 24,000 Account Holders Stolen

The AP is reporting that customers having Swiss bank accounts with HSBC between late 2006 and early 2007 had their account information stolen by a former IT employee of an HSBC subsidiary. CBS News, also publishing an AP report, is stating that the number is 15,000 customers, although the 24,000 number appears to come from a later publication. Customers affected are worldwide in scope.

If you were one of the affected customers, you apparently are already aware of the data breach because HSBC says that it contacted you. Stated another way, HSBC contacted you to tell you that your (presumably) secret Swiss bank account is not so much of a secret anymore.

The accounts have been closed, and there does not appear to be any real risk that the information will be used to access account holders’ accounts. That may sound reassuring to the customer being contacted. That is, unless the customer asks a few more questions.

“Well, where is my information,” you may have asked if you were one of the customers contacted. You probably had spent years funneling this money into your secret, non-taxed, Swiss bank account.  You will not be happy if some criminal takes your illegally shielded money.

This is where the story takes an interesting turn. Apparently, the IT employee was not content to let the information sit in a drawer, and the data was "turned over" to the French government. What could possibly come from that, right?

We have read reports that the German government may be buying information on Swiss account holders. Now we can add the French government to that list. France released the names of 3,000 Swiss account holders in 2009. The AP story cites the same IT employee as one of the sources of the information on those 3,000 account holders.

Apparently the stolen data was returned by the French government to the Swiss government, and eventually made its way back to HSBC. Thank goodness.  But wait, France still has copies of the information.  Not to worry, the information will not be used "inappropriately" by the French government. It does, however, remain to be seen whether an appropriate use would be the prosecution of tax evaders.

It also is not immediately apparent what sanctions HSBC may face as a result of the breach, which triggers very strict European privacy laws.

With Conviction of Google Executives for Invasion of Privacy, Companies Need to Consider Risks of Social Media Services in the European Union

A video of an autistic boy being harassed by bullies is posted to a service offered by Google in Italy. Google is informed of the availability and content of the video. Google removes the video within two (2) hours of being informed. Did Google react appropriately?

Those familiar with US privacy laws know that there is little about which Google should be concerned. Those familiar with European Union (EU) privacy laws generally conclude that Google is protected by the safe harbor under Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market. Those unfamiliar with EU privacy laws probably conclude that Google did the right thing, acted swiftly and should not be responsible for material posted by third parties about which Google is not aware.

Google is guilty of violation of Italian privacy laws, says an Italian court. The Italian court held three (3) Google executives criminally liable for making the bully video available. Yeah, seriously, convicted in absentia for violation of privacy (but cleared of defamation charges), Google’s Chief Legal Officer, Chief Privacy Counsel and a former Chief Financial Officer were sentenced to six-month suspended sentences. (I understand that for most convictions of less than two years, sentences are generally suspended if there are no prior convictions.)

Prosecutors may have successfully argued that Google is not a service provider (and protected by the above EU Directive), but rather is a content provider because of the numerous ways that Google “touches” its users. The amount of user data Google collects raises the level of duty owed to its users, making an invasion of privacy charge stick, prosecutors argued. The judge has until late May to issue his rationale for the convictions.

This case creates an absolute chilling effect on Internet companies that allow third parties to distribute or post content online. The number of possible scenarios where Internet companies can be found liable for invasion of privacy in Italy in light of this ruling is mind boggling. A user posts a naked picture of an ex-boyfriend out of anger, Facebook could be liable. A user publishes some private details about another user, Twitter could be liable. There are existing laws that effectively provide relief for those aggrieved parties that do not involve the Internet company, but in Italy they go after the Internet company.

I believe that the ruling in Italy is not in line with privacy laws in the EU, or at least with enforcement of those laws. Will Italian citizens now have a claim against Vodafone when a mobile phone user uses MMS messaging to send a private photograph to another person? What if Federal Express delivers stolen credit card information of Italian residents to an address in Italy?

Until this situation plays out (you know Google will be appealing the ruling), companies with social media services or capabilities for users to post their content to a company-hosted web site need to give real consideration to the risks of doing business in Italy specifically and in the EU generally.

Privacy Invasion: Personal Images Posted Online Stolen for Identity Theft

CBS 3 in Philadelphia reported last night about local resident Al Butler, whose identity was stolen for use on international dating sites. As reported, criminals would create an account on international dating sites, post images of Mr. Butler taken from social media sites frequented by Mr. Butler, and pass themselves off as Mr. Butler. The “scam” would come when Fake Al Butler would ask for money from women he met on the dating site.

The CBS 3 report, originally airing in glorious HD and all of its facial pore, thinning hair glory, can be viewed here. As yours truly advised the CBS viewers, stealing online photos for the purpose of passing oneself off as that person while committing a crime is the cyberworld version of a classic scam.

What did not make the three minute segment are the realities of situations similar to those described in the report: what are you gonna do about it? Probably not much, which is why we all need to think about what photographs get posted.

We all see friends and family posting personal photographs every day on Facebook, Flickr, Twitter and similar social media sites. We read reports about how some of these services have tracking features to tell the world where you have been and where you are going. To a lot of people, sharing like this is fun.

What is often forgotten is where this type of sharing can lead. The obvious is that it is probably not a great idea to tell the world where you go and presently are. The foregoing sentence makes no sense to a lot of people, especially younger folks. But even those people that know bad things can come from location awareness are not aware how much information they actually do share.

What I think is often overlooked is geotagging. Geotagging is basically data embedded in your photograph that includes where the picture was taken. Many new cameras have this, as well as many smartphones (such as the iPhone). The location information of that photograph of you taken in a living room can be compared with the location information of that photograph of you taken in a backyard, which can then be compared with the location information of that photograph of you taken in a driveway. If that geographical information matches, I may know where you live.

What about several photographs over time that show you at the same location? I could probably figure out where that is and approximately what days and times you are there from the geotagging information. Those couple of photos of you in an office environment? Maybe I know where you work.

The point is to think about where and with whom we share photographs. Maybe it is enough that we share them only with our friends. Then again, those people can copy and forward those photographs to other friends, post them on their personal web site and otherwise put them places that you did not intend them to appear.
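The geotag described above is an EXIF GPS block stored inside the JPEG's APP1 segment. As an added example that is not from the original post, the Python below builds a small constructed JPEG with made-up coordinates, reads them back the way a photo viewer or sharing site would, and strips the Exif segment before the photo goes anywhere; the helper names and the coordinates are my own.

```python
"""Find and strip EXIF geotags (the GPS IFD) in a JPEG with only the standard library."""
import struct

SOI, EOI, APP1, SOS = 0xFFD8, 0xFFD9, 0xFFE1, 0xFFDA
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                          # IFD0 entry pointing at the GPS IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # bytes per element


def build_geotagged_jpeg(lat_dms, lon_dms, lat_ref="N", lon_ref="W", little_endian=False):
    """Constructed sample: SOI + one APP1/Exif segment + EOI, no image data.
    lat_dms/lon_dms are (degrees, minutes, seconds); offsets are TIFF-relative."""
    end = "<" if little_endian else ">"

    def rationals(dms):                       # three RATIONALs; seconds kept as x/100
        return struct.pack(end + "IIIIII", int(dms[0]), 1, int(dms[1]), 1,
                           int(round(dms[2] * 100)), 100)

    def entry(tag, typ, count, value_or_offset):
        return struct.pack(end + "HHI", tag, typ, count) + value_or_offset

    def ascii4(s):                            # ASCII values of <= 4 bytes are stored inline
        return (s.encode() + b"\x00").ljust(4, b"\x00")

    gps_ifd_off = 8 + 2 + 12 + 4              # header + IFD0 with one entry = 26
    values_off = gps_ifd_off + 2 + 4 * 12 + 4  # GPS IFD with four entries = 80
    ifd0 = (struct.pack(end + "H", 1)
            + entry(TAG_GPS_IFD, TYPE_LONG, 1, struct.pack(end + "I", gps_ifd_off))
            + b"\x00" * 4)                    # no next IFD
    gps = (struct.pack(end + "H", 4)
           + entry(GPS_LAT_REF, TYPE_ASCII, 2, ascii4(lat_ref))
           + entry(GPS_LAT, TYPE_RATIONAL, 3, struct.pack(end + "I", values_off))
           + entry(GPS_LON_REF, TYPE_ASCII, 2, ascii4(lon_ref))
           + entry(GPS_LON, TYPE_RATIONAL, 3, struct.pack(end + "I", values_off + 24))
           + b"\x00" * 4)
    header = (b"II" if little_endian else b"MM") + struct.pack(end + "HI", 42, 8)
    body = EXIF_HEADER + header + ifd0 + gps + rationals(lat_dms) + rationals(lon_dms)
    app1 = struct.pack(">HH", APP1, len(body) + 2) + body  # JPEG lengths are big-endian
    return struct.pack(">H", SOI) + app1 + struct.pack(">H", EOI)


def _segments(jpeg):
    """Yield (marker, raw bytes) per JPEG segment; SOS and its scan data come as one chunk."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(jpeg):
        marker, = struct.unpack(">H", jpeg[pos:pos + 2])
        if marker in (EOI, SOS):              # EOI ends the file; scan data runs to EOI
            yield marker, jpeg[pos:]
            return
        length, = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, jpeg[pos:pos + 2 + length]
        pos += 2 + length


def _read_ifd(tiff, offset, end):
    """Return {tag: raw value bytes} for the IFD at offset; values > 4 bytes are dereferenced."""
    n, = struct.unpack(end + "H", tiff[offset:offset + 2])
    entries = {}
    for e in range(offset + 2, offset + 2 + 12 * n, 12):
        tag, typ, count = struct.unpack(end + "HHI", tiff[e:e + 8])
        size = TYPE_SIZES.get(typ, 1) * count
        if size > 4:
            off, = struct.unpack(end + "I", tiff[e + 8:e + 12])
            entries[tag] = tiff[off:off + size]
        else:
            entries[tag] = tiff[e + 8:e + 8 + size]
    return entries


def read_gps(jpeg):
    """Return (lat, lon) in decimal degrees, or None if no complete GPS IFD is present."""
    for marker, seg in _segments(jpeg):
        if marker != APP1 or seg[4:10] != EXIF_HEADER:
            continue
        tiff = seg[10:]
        end = "<" if tiff[:2] == b"II" else ">"   # byte order is declared by the TIFF header
        ifd0 = _read_ifd(tiff, struct.unpack(end + "I", tiff[4:8])[0], end)
        if TAG_GPS_IFD not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(end + "I", ifd0[TAG_GPS_IFD])[0], end)
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None

        def decimal(raw, ref):                # degrees/minutes/seconds rationals -> signed degrees
            v = struct.unpack(end + "IIIIII", raw)
            d, m, s = (v[i] / v[i + 1] if v[i + 1] else 0.0 for i in (0, 2, 4))
            deg = d + m / 60 + s / 3600
            return -deg if ref.rstrip(b"\x00") in (b"S", b"W") else deg

        return decimal(gps[GPS_LAT], gps[GPS_LAT_REF]), decimal(gps[GPS_LON], gps[GPS_LON_REF])
    return None


def strip_exif(jpeg):
    """Return the JPEG without its APP1/Exif segments (also drops orientation and thumbnail)."""
    return b"\xff\xd8" + b"".join(seg for marker, seg in _segments(jpeg)
                                  if not (marker == APP1 and seg[4:10] == EXIF_HEADER))
```

`read_gps(build_geotagged_jpeg((39, 57, 10.0), (75, 9, 50.0)))` returns roughly (39.9528, -75.1639), and after `strip_exif` the same call returns None; real photos keep their scan data because `_segments` passes the SOS chunk through untouched.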

Pennsylvania School District Sued After Allegedly Remotely Activating Student Laptop Webcam

 A complaint (PDF link) seeking class action status on behalf of all high school students at Harriton High School and Lower Merion High School (the “High Schools”) in the Lower Merion School District (the “School District”) in suburban Philadelphia was filed on February 16th.

Apparently, the School District maintains a program whereby all high school students at the High Schools are provided with a laptop in connection with their educational endeavors. Like most modern laptops, apparently these laptops include a webcam embedded in the laptop bezel.

The Complaint alleges that students and parents were never told that the School District (and its agents) have the ability (or would) to remotely activate the webcam. The Plaintiffs cite all documentation provided with the laptop and on the School District’s online resources as further support that they were never told of this remote activation/capture ability. Once activated, the School District can apparently then view and capture whatever is happening within the view of the webcam. Plaintiffs point out that this activity occurs regardless of whether anyone is sitting in front of the webcam, and captures the entire viewing area of the webcam.

The ability of the School District came to the attention of the plaintiffs when an Assistant Principal of one of the high schools accused the minor plaintiff of engaging in improper behavior in his home, the Complaint alleges. The Complaint also creates the impression that the Assistant Principal produced evidence of this alleged improper behavior by producing a photograph (presumably a screen shot) from the webcam, although the Complaint never actually states the foregoing.

The plaintiffs, a minor child and his parents, allege that their privacy was violated through the conduct of the School District pursuant to Sections 2511 and 2520 of the Electronic Communications Privacy Act, Section 1030 of the Computer Fraud and Abuse Act, Section 2701 of the Stored Communications Act, Section 1983 of the Civil Rights Act, the Fourth Amendment of the United States Constitution, the Pennsylvania Wiretapping and Electronic Surveillance Act and Pennsylvania common law.

No response has been filed by the School District, nor is any response due at this time.

Robbins, et al. v. Lower Merion School District, et al. Complaint is here.

Latest Privacy Nightmare: Google Buzz in the Workplace

Google committed its biggest misstep in recent memory with the launch of its new social media tool, Google Buzz.  You would have to intentionally not be paying attention to have missed the furor over the privacy and trust violations alleged by angry users and advocates since its launch on February 9th.  But hearing the buzz about Buzz and understanding what Google Buzz actually is, or how it may affect your workplace, are independent realizations. Now a week after its launch, Google has made two major tweaks to the privacy settings in Google Buzz in attempts to quell users’ anger.

What is Google Buzz?

Google Buzz is the latest effort at merging existing social media options into a new platform. Google is in an enviable position to be a big, if not the biggest, player in this convergence model because of their existing Gmail service.  Google Buzz essentially allows all Gmail users to broadcast and share messages, photos, videos, web links and tweets with friends and colleagues directly within Gmail.

At the heart of Google Buzz’s functionality is the built-in feature that “links” those people that a user emails the most through Gmail. In other words, a user would automatically follow, and be followed by, those people with whom that user exchanges a lot of emails.

The auto-follow feature works for many people and is probably pretty innocuous in a vacuum. However, what if a user emails an ex-boyfriend or ex-husband a lot? That user most likely does not want that person “following” them.
 

One of the features of Google Buzz is that it shares what I read in Google Reader with my followers. Google Reader is an RSS reader, a sort of automatic article fetcher that pulls from publications that I choose. Again, most users may not care, or may even want to share, that he or she loves to read TMZ.com or Engadget.com. However, what if a user reads publications with alternative lifestyle subject matters, but does not share his or her sexual orientation with friends or co-workers? What if a user has subscribed to job search services, but does not want it known that he or she is looking for a new job? What if a wife reads spousal abuse publications, and the person she emails the most is her abusive spouse? Someone at Google apparently thought it would be a great feature to have these people automatically know what I read and follow. Ready, fire, aim.

Another feature is a direct connection to Picasa, Google’s online photo sharing service.  The issues that could arise with Picasa are similar to those that could arise with Google Reader, only with the likelihood of being more graphic (no pun intended) and personal. Likewise, Twitter posts can be viewed (although not responded to) when following a Google Buzz user.

Google’s Response and Changes to Google Buzz

Google, to its credit, responded quickly to the mass of complaints and made changes to its system, tweaking the system so that users won't be set up to follow anyone until the user has reviewed the suggestions and clicked “Follow selected people and start using Buzz.” In other words, you will choose who you follow and who you allow to follow you, with Google Buzz suggesting people to you. Google installed a link that permits a Gmail user to shut off Google Buzz. Google also changed its broadcast system in Google Buzz so that users can decide how to share particular content, such as private, to a small group of users or publicly. Google Buzz also no longer automatically includes Google Reader and Picasa content. Other changes were made as well.

In the Workplace

With that dense history (and what a short history), what does Google Buzz mean for the workplace? The opportunities for further privacy concerns multiply. Let’s start with a premise that you may not have accepted: employees use Gmail. At work, Gmail is certainly one of the most popular email services for sharing email that employees do not want going through their employer’s email servers. Clients also use Gmail, sometimes because they email you from vacation, sometimes because it is the only thing they can get to work on their mobile device. In any event, Gmail is out there and it affects almost any business.

First, now there is another service where we can learn about a co-worker's or client’s personal life. In most cases, these are nuggets of information that we do not want to know, should not know, or both. And when someone learns this information, it is difficult if not impossible to forget. Employment-related actions and reactions based on this personal information can often be in violation of applicable employment and nondiscrimination laws. In other words, there are more opportunities for lawsuits.

Second, online stalking and harassment opportunities are created where they may not have previously existed. Facebook and Twitter may have opened the door to “following” co-workers and clients, but Google Buzz adds to it, and does so several times over by consolidating several sources of information. Should employers be concerned about employees becoming more involved with and learning more about the personal lives of other co-workers? Absolutely.

Finally, many employers have banned employee access to sites like Facebook and Twitter while at work for productivity reasons. With the launch of Google Buzz, should employers now block access to Gmail? Would such a “block” affect the productivity of employees who (for whatever reason) use Gmail as part of their jobs? And if Google Buzz (like most social networking services) can be accessed by mobile devices, can access while at work effectively be blocked?

These are just a few of the privacy issues that are mounting as new social media services are launched. Those employers that get in front of these issues are going to be able to avoid potentially costly lawsuits and public relations nightmares. Unfortunately, as long as service providers take the “ready, fire, aim” approach, thinking through the impact of, and staying in front of, these issues will be employers’ responsibility.
 

Payment Card Industry (PCI) Standards Council Speaks

I came across an insightful interview with Bob Russo, general manager of the Payment Card Industry Security Standards Council (the “Council”), that was conducted by CNET News. The interview can be found here and it is a strongly suggested read.

The Council was created by Visa, MasterCard, American Express, Discover, and JCB for the purpose of creating a unified compliance program for organizations accepting and processing payment card transactions. The Payment Card Industry Data Security Standard (the “Standard”), available here, was created by the Council to deter credit card fraud. Many view this as an industry-wide effort to apply uniform security practices, which largely has been the effect.

All organizations that enter into a merchant processing agreement to accept credit and payment card transactions must comply with the Standard in some manner. While the reporting requirements may be less onerous for organizations accepting payments below some fixed amount, in any event all such organizations must comply.
 

It is widely reported and accepted that most affected organizations have failed to meet full compliance with the Standard. Compliance with the Standard can be extremely onerous and expensive, and many large organizations simply weigh the costs of being out of compliance against the costs of gradually inching toward compliance.

What is impossible to predict are the costs of having a data breach while not being compliant. The merchant processor agreements have placed the liability on the merchant for breaches occurring during non-compliant periods. This possibility is the greatest driver and motivation for merchants to become compliant as soon as possible.

In addition to the Standard, merchants and processors must also be aware of, and comply with if applicable, the PIN Entry Device (PED) Security Requirements and the Payment Application Data Security Standard (PA-DSS).

While efforts are continually undertaken to avoid data breaches and plug potential security weaknesses, a breach that leads to a loss of payment card information while not in compliance with the Standard, PED or PA-DSS creates issues that have the potential to be even more problematic than traditionally considered. The problems realized by Heartland and TJX were further exacerbated by their failure to be PCI compliant.
 

Data Breach Costs Increase to $204 per Compromised Record

The cost per customer record in a data breach increased $2 over the 2008 average to $204 per customer record compromised in a data breach. The Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, released its fifth annual report (Available Here) declaring that the average cost per compromised customer record rose to $204.  The report is sponsored by PGP Corporation.

The report is based on 45 reported real-world data breaches, with samples ranging from 5,000 to approximately 10,000 records. Of the breaches studied, organizations paid a low of $750,000 and a high of $31 million in connection with the breach response. The average cost to an organization from a data breach increased from $6.65 million to $6.75 million between the 2008 and 2009 studies (Summary).

The $204 cost is further broken down: $144 relates to indirect costs, such as lost customers and lost prospective customers. The balance relates to direct costs incurred by organizations, an increase of $10 over the 2008 report.

The source of the data breach was related to third party errors in 42% of the cases. Only 24% of the data breaches were the result of intentional attacks. Shockingly, 82% of the breaches studied by the Ponemon Institute were of organizations that had multiple data breaches in 2009 of 1,000 records or more. But the good news for the repeat offenders is that the average cost per record is only $198 per record (versus organizations with first-time data breaches spending on average $228 per record).

But those organizations that move quickly tend to experience a higher cost per record for the breach response. Organizations that move quickly tend to do so in a disorganized manner with little efficiency, and spend on average $219 per record. Those organizations that have a much more organized response spend on average $196 per record.

Organizations that engage third parties to assist in the response and compliance following a data breach actually spend much less per record compromised ($170 versus $230).

In less than half of the cases studied (40%), the response management was managed by the organization’s chief information security officer.

Password Security Often Overlooked as Source of Data Breaches

The lessons to be learned from data breaches are often numerous and not always apparent on the surface. The most recent example is the RockYou.com hack that occurred in December. And what a hack that was.

Briefly, when RockYou.com was hacked into, the hackers walked away with 32 million usernames and the corresponding passwords. While the number of usernames and passwords (and let’s be honest, the number of users of this service) is a shockingly high number, the unforgivable transgression is that RockYou.com apparently stored these usernames and passwords in plain text format. In other words, while industry standards dictate, and competent legal advisors and IT consultants strongly recommend, that all personally identifiable information be stored in an encrypted format, RockYou.com apparently stored the usernames and passwords in a format as readable as this blog entry. Yeah, seriously.
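To make the storage point concrete, here is an added example (not code from the post or from RockYou) contrasting a plain text credential table with the standard practice for passwords specifically: a salted, iterated one-way hash (PBKDF2 from the Python standard library), which is what "not readable" should mean for a password even where the post speaks more generally of encryption. The user table, the sample passwords and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample: a credential table kept the way the post describes
# RockYou's. Anyone who copies this table has every password immediately.
PLAINTEXT_TABLE: Dict[str, str] = {"alice": "123456", "bob": "Password", "carol": "123456"}

# Assumed work factor for the example; production values are tuned per deployment.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt per user means two users with the same password get
    different records, so a stolen table cannot be cracked once for all users.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_hashed_table(plaintext_table: Dict[str, str]) -> Dict[str, str]:
    """Convert a plain text table into one that stores only salted digests."""
    return {user: hash_password(pw) for user, pw in plaintext_table.items()}


def exposed_passwords(table: Dict[str, str]) -> Dict[str, str]:
    """What a thief reads directly from a copy of the table, with no cracking.

    For the plain text table this is every password; for the hashed table the
    stored values are not passwords, so nothing is returned.
    """
    return {user: value for user, value in table.items() if not value.startswith("pbkdf2_sha256$")}


if __name__ == "__main__":
    hashed = build_hashed_table(PLAINTEXT_TABLE)
    print("plain text table exposes:", exposed_passwords(PLAINTEXT_TABLE))
    print("hashed table exposes:", exposed_passwords(hashed))
    print("alice logs in with 123456:", verify_password("123456", hashed["alice"]))
    print("alice tries 654321:", verify_password("654321", hashed["alice"]))
    print("alice and carol share a password but not a record:", hashed["alice"] != hashed["carol"])
```

Login still works against the hashed table because verification recomputes the digest from the stored salt; what changes is that a copy of the table is no longer a copy of the credentials.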

But while the media is focusing on the revelation of what passwords are most commonly used by users, the less obvious takeaway may be the most interesting. Starting with the premises that people are people, people use blatantly obvious passwords, and people create the passwords for your business computers and networks, it is not hard to reach the conclusion that there are also many businesses out there that are one simple password away from a data breach featured in the Wall Street Journal, as Heartland was.

The security firm Imperva published a detailed analysis (PDF link) of the passwords obtained through the RockYou.com hack. The analysis is a good read and includes many best-practice suggestions.

The analysis reveals that the top three passwords are 123456, 12345, and 123456789. The fourth most common password? It is Password. It feels odd even writing the foregoing two sentences.

But you are not a hacker, you run a business. You run it well. You do not ignore the details, and you make sure you know exactly what every contract says before you sign it. But you probably do not select the “Administrator” password for your business. If your business is named Competent, what are the chances that password is Competent1?  You are probably not responsible for ensuring that the password on the router/firewall protecting your customers’ personally identifiable information (and your proprietary information) has been changed, and changed to a strong password. You have people that do that. That being said, people are people, etc.

So, what is a strong password? Well, strong passwords are a lot like the way Justice Potter Stewart described pornography: I know it when I see it. There are suggestions about the use and intermingling of letters (uppercase and lowercase), numbers and punctuation, 12-14 characters and non-English words. 3d4$d@Ga1GhS3p is a quickly mashed out password. Yes, nearly impossible to remember, but very difficult to hack and in an era of doing all reasonable things to prevent hacks, a terrific first step. Wikipedia has an easy to read primer on strong password selection here.
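The suggestions above (12 or more characters, mixed case, digits and punctuation, nothing on the common-password list, nothing derived from the business name) can be turned into a check that runs before a password is accepted for an administrator or firewall account. The following is an added example, not code from the post or from Imperva; the minimum length of 12, the small common-password list taken from the post, and the business-name test are the assumptions it encodes.

```python
import string
from typing import List

# The four most common RockYou passwords named in the post, compared case-insensitively.
# A real deployment would load a much larger list (constructed short list for the example).
COMMON_PASSWORDS = {"123456", "12345", "123456789", "password"}

# The post suggests 12-14 characters; 12 is taken here as the floor.
MIN_LENGTH = 12


def password_problems(password: str, business_name: str = "") -> List[str]:
    """Return every policy rule the password fails; an empty list means it passes."""
    problems: List[str] = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Character-class mix: uppercase, lowercase, digits and punctuation.
    classes = {
        "lowercase letter": any(c.islower() for c in password),
        "uppercase letter": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "punctuation": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"no {name}")

    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")

    # "Competent1" for a business named Competent: the name appears inside the password.
    if business_name and business_name.lower() in password.lower():
        problems.append("contains the business name")

    return problems


def is_strong(password: str, business_name: str = "") -> bool:
    """True only when every rule in password_problems() passes."""
    return not password_problems(password, business_name)


if __name__ == "__main__":
    # Constructed candidates, including the post's own mashed-out example.
    for candidate in ["3d4$d@Ga1GhS3p", "Competent1", "Password", "123456"]:
        verdict = "ok" if is_strong(candidate, "Competent") else ", ".join(password_problems(candidate, "Competent"))
        print(f"{candidate!r}: {verdict}")
```

The function reports every failed rule rather than stopping at the first, which is what an administrator wants when explaining to a colleague why the password they chose was rejected.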
 

2009 Most Notorious Data Breaches

With 2009 (thankfully) behind us, we should take a minute to look back before moving on.  As most people recognize and accept, history tends to repeat itself and 2009 is a great year to learn from others' mistakes and missteps.

Computerworld created a "2009 data breach hall of shame" recently that is an excellent read if you would like an overview of the most notorious data breaches of 2009.  None of us should lose sight of the thousands (if not tens of thousands) of smaller and unreported data breaches that occur every year.

I will not restate the work done by Computerworld, but I do believe that the RockYou breach is the most egregious.  Assuming all of the facts as reported in various media outlets are true, the idiotic (ignorant is just not the right word) storage of passwords in plain text (rather than in an encrypted form) highlights just how far companies have yet to go to understand even the most basic principles of data protection.

Let's all hope for a safer, more compliant year in 2010 if, for no other reason, so that our own personal information is not released into the wilds.  Happy new year.

Online Privacy Regulation Comes Front and Center at FTC, and Will Quickly Fade

A standing-room-only meeting organized by the Federal Trade Commission (FTC) in Washington on Monday, December 7th, highlighted a crucial divide in the discussion over the regulation of online privacy. The New York Times provides an excellent summary of the mainstream newsworthy aspects of the meeting.

While the takeaway may be that the FTC is taking a more serious look at online privacy and net neutrality, the reality is that any oversight is not going to happen anytime soon. Not anytime soon as in years, if ever. Policy making as the solution is not going to address any immediate concerns or problems.

What may be of more interest is the deep divide between the parties with a vested interest in the outcome of the discussion, namely, the consumer/consumer advocates and parties making money from information that may one day be regulated.

Consumers generally have no idea what information or Internet usage habits are being shared, or how it is being shared. Sure, legitimate businesses state clearly in privacy policies and disclosures what is going to happen with your information. Less scrupulous companies lie in those policies and statements. But you don’t read those policies or disclosures. Nobody does.

Consumer/privacy advocate groups do read those policies and disclosures, and they speak for consumers. But the consumer often feels he or she has no real vested interest in the use of the most benign of that information. Why do I care if information about what movies I rent gets made public in an anonymous manner? You probably do not care.

You would care if that information about you concerned your sexual orientation, a personal matter that you have chosen to keep to yourself. An exploit in Netflix’s database exposed that information about one woman (according to her), and she sued.

The businesses that make money off of your information and Internet usage habits stand to lose money. Lots and lots of money. Groups like Google, the Direct Marketing Association, Facebook and even those URL shortening services that aggregate data to sell reports on what is hot in Internet traffic.

And the answer for those groups that stand to lose money if the current “opt-out” approach is abandoned? Turn off cookies. Do not sign up for services that disclose personal information in exchange for you to use the providers’ services. The web site will not “function” properly with the cookies turned off? Well, you do not have to use the web site. You do not want anything about your use shared? Hey, don’t use Facebook. You are concerned about law enforcement accessing your Internet history without probable cause or reasonable suspicion of wrongdoing (specifically, without a warrant)? There must be alternatives to Comcast and FIOS, right?

Most people do not want governmental regulation of more and more activities, but most people will also admit that where rights are trampled, government regulation is often the best tool to stamp it out. Most businesses do not want regulation, period.

The debate is going to get heated, it is going to be protracted and it is going to expose who has an interest and what sacrifices (often of others) they are willing to make. We look forward to seeing how the debates unfold. If it is anything like the underreported FTC meeting in Washington almost two weeks ago, the debate will be interesting with no clear winner (unless the status quo remains, in which case businesses brokering data continue to win).

 

Alleged that Sprint Provided Law Enforcement Customer GPS Data over 8 Million Times

Ars Technica reported yesterday about a graduate student at Indiana University's School of Informatics and Computing who has compiled documents and recordings obtained through Freedom of Information Act requests that support the claim that Sprint/Nextel has provided GPS location data about Sprint’s wireless customers to law enforcement over eight (8) million times in just over one year.


The number itself may be misleading, as there does not appear to be any confirmation that this was about eight million different wireless customers, or even eight million separate requests. For example, if the GPS location data refreshes every minute, tracking one individual for 24 hours could account for 1,440 of the aggregate number. There appears to be a mix of approximately 110 Sprint employees and contractors handling these law enforcement requests, so it is possible that the number of requests is as extraordinary as it appears.

But the troubling aspect of this revelation may not be whether the number is eight million wireless customers or eight wireless customers, but rather the access system described in the reports. Apparently, law enforcement can log into a Sprint web portal and obtain the information (for a fee, of course). The ability of law enforcement to obtain the information without showing probable cause has long been decided, and law enforcement can obtain an appropriate court order and the telecommunications companies will typically provide call and text message logs, even GPS data. With this Sprint web portal, it is entirely unclear (and improbable) that law enforcement is obtaining the GPS data with an order. It may be that Sprint is serving this information on its wireless customers without requiring the customary trap & trace order. It is likely that Sprint is able to provide this information about its wireless customers to law enforcement without requiring a warrant (ever read your carrier’s terms and conditions of service?).

AT&T has approximately 81.6 million wireless customers, and Verizon has approximately 89 million wireless customers. Sprint has approximately 48.3 million wireless customers. With AT&T and Verizon having a combined 3.5 times more wireless customers than Sprint (which does not include T-Mobile and the multiple regional carriers), this report raises the question of how often customer GPS data is provided by all wireless carriers to law enforcement without a warrant. This report also raises the question of how much these numbers will skyrocket when/if other carriers start making access for law enforcement so easy and presumably available without a warrant.

You should decide for yourself how much weight should be given to this report, and a response from Sprint may be forthcoming. The report does highlight that customer wireless information is being requested and received by law enforcement in increasing numbers (with Sprint’s web portal possibly being the most accessible yet, resulting in the huge surge in requests).

It is also up to each of us to decide whether the “if I am doing nothing wrong, what do I care,” or the “enough already with Big Brother” response is appropriate. But before you answer the question, think about how that response may change when reports of abuse start emerging (“Well, Mark, my brother-in-law is a cop and he requested and learned for me that according to your GPS data you were not sick on Monday but at the golf course.”)

Give the Ars Technica article a read. It is a true eye opener.

FTC Extends Red Flag Rules Enforcement Until June 1, 2010

The FTC has again extended enforcement of the Red Flag Rules, this time until June 1, 2010.

This extension comes just one day after the ABA won a victory with its request that practicing attorneys be exempted from compliance with the Red Flag Rules.

The extension of the enforcement deadline also comes shortly after certain other exemptions, namely, health care practices, accounting practices, legal practices (each with 20 or fewer employees) and certain other businesses approved by the FTC that are engaged in domestic services, engage in services where identity theft is rare and have no incidence of identity theft, were passed in the House of Representatives.

Originally, the Red Flag Rules would have taken effect on November 1, 2008, which was then extended to May 1, 2009, and then further extended to November 1, 2009.

ABA SCORES VICTORY WITH ATTORNEY EXEMPTION FROM RED FLAG RULES

The United States District Court for the District of Columbia ruled that the Red Flag Rules are not applicable to attorneys engaged in the practice of law.

The complaint, filed in late August 2009, argues that the FTC overstepped its statutory authority by imposing the Red Flag Rules on attorneys engaged in the practice of law.

The ruling is another victory by the American Bar Association when it comes to exempting attorneys from rules regarding the handling of financial and/or sensitive information. It would seem that the FTC would have made adjustments to its definitions of “creditor” to make it clear that attorneys should be included in its regulations, but that clarification may need to be addressed at the Congressional level to avoid future ambiguity.

If Congress does present future legislation, or an amendment to existing legislation, that specifically includes attorneys, it will be interesting to see how the ABA argues that attorneys should be exempted from these types of federal consumer protection statutes.

The BLT: The Blog of LegalTimes reports that it is expected that the FTC will appeal the ruling.

EXEMPTIONS UNDER FTC RED FLAG RULES AMENDMENT PASSES THE HOUSE

Representative John Adler’s (D-NJ) amendment to the FTC Red Flag Rules, an act titled “To amend the Fair Credit Reporting Act to provide for an exclusion from Red Flag Guidelines for certain businesses,” passed the House of Representatives on October 20, 2009.

Currently, the Red Flag Rules go into effect on November 1, 2009.

Set forth in full below, the bill exempts health care practices, accounting practices, legal practices (each with 20 or fewer employees) and certain other businesses approved by the FTC that are engaged in domestic services, engage in services where identity theft is rare and have no incidence of identity theft, from complying with the Red Flag Rules.

The Adler amendment will have little effect on the litigation brought in August by the American Bar Association because of its limited scope.

Identity Theft Regulations in Massachusetts May Get Small Business Friendly

The Office of Consumer Affairs and Business Regulations (OCABR) proposed revisions to Massachusetts’ identity theft regulations, which would take effect on March 1, 2010.

The proposed regulations can be found here (PDF).  A comparison, or redline, of the proposed regulations to the current regulations can be found here (.DOC).  Finally, a set of frequently asked questions (FAQs) regarding the proposed regulations was prepared by the OCABR and can be found here (PDF), and they are certainly worth a read.

Citing a desire to undertake data security as “a risk-based approach that is especially important to small businesses that may not handle a lot of personal information about customers,” the OCABR emphasized that a business should assess the size and nature of the business, the kinds of records maintained and the risk of the business as an identity theft target when deciding its policies and procedures to handle personal information.

Borrowing from the FAQs above, the OCABR cites four major changes under the proposed regulations:

• As noted above, a risk-based approach to information security is adopted (consistent with other state and federal law). This approach is friendlier to small businesses and does not place the same burdens on travel agencies (collecting little personal information) that may be placed on wealth managers (collecting significant amounts of personal information).
• Many provisions that are currently required under a written information security program have been removed (and would be for guidance purposes moving forward).
• The encryption requirement under the current regulation has been tailored to be technology neutral, and technical feasibility has been applied to all computer security requirements. Businesses must still use reasonable means if they are available.
• The third party vendor requirements have been changed to be consistent with federal law.

One aspect that has NOT been proposed for change, and the aspect of Massachusetts’ cutting-edge privacy regulations that (in my experience) most often catches businesses off guard, is that all means of storage of personal information must be encrypted. This includes hard drives, thumb drives, backup tapes and any other method of electronic storage. Although this encryption requirement is almost certainly the direction most states are headed, this requirement is almost unknown outside of the “privacy community.” As with most laws, ignorance of the requirement is not a defense.

Although the future for the proposed regulations is by no means decided, it is likely that some (if not all) of the proposed changes will see the light of day. We will know more after the public hearings on the revised regulations that are scheduled to occur on September 22, 2009.

Payment Card Industry Data Security Standard Comes to Nevada

Minnesota made waves in 2007 when it became the first state to make part of the Payment Card Industry (“PCI”) Data Security Standard applicable through its Plastic Card Security Act (PDF link). Although it has taken over two years, Nevada has become the second state to incorporate PCI, and it has done so by making all of the PCI standard applicable.

Nevada’s existing Security of Personal Information law now requires that affected parties comply with PCI as a whole. Unfortunately, the Nevada amendment (PDF link) does not get off to a good start, requiring compliance deadlines that do not exist under the PCI standard, but are (in actuality) created independently by the card issuers. Amending the existing Security of Personal Information law, the amendment (PDF link) requires that each affected party meet the following standard:

If a data collector doing business in this State accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the Payment Card Industry (PCI) Data Security Standard or by the PCI Security Standards Council or its successor organization.

The effect of the amendment itself is quite interesting. First, the amendment creates statutory authority for required compliance with the PCI standard, where before this requirement (as applied to merchants) existed only through contractual relationships. This will be academic for many merchants already complying, but it does go a long way to closing the existing gap whereby the PCI standard applied to merchants only because of contractual obligations with those parties directly affected.

Second, the amendment proposes a standard that creates some interesting outcomes. This safe harbor provides that “[a] data collector shall not be liable for damages for a breach of the security of the system data if: (a) The data collector is in compliance with this section; and (b) The breach is not caused by the gross negligence or intentional misconduct of the data collector, its officers, employees or agents.” Previously, an affected party would have recourse under various theories of law, with varying (and often undefined) standards of care or duty. Arguably, absent gross negligence or willful misconduct, an otherwise PCI-compliant merchant that experiences a data loss may escape liability in Nevada.

It is also likely that a savvy litigator will argue that the standards created in existing contractual relationships should be replaced with the statutory standard. Whether such an argument would prevail remains to be seen, but it is likely to be tested sooner than later.

Notwithstanding the inexplicable compliance deadline error, the Nevada amendment blazes the way for other states to incorporate the PCI standard into their existing and new laws. With the addition of the safe harbor set forth by Nevada, these laws may be a welcome addition to merchants that are PCI-compliant but experience a data loss.

Data Governance Resource - From the IT Perspective

Microsoft recently announced its new Trustworthy Computing: Data Governance web site at Tech•Ed.

According to Microsoft, it is promoting data governance because:


“Growing public concerns about abuses of consumers’ personal information threaten to curtail the growth of online commerce and services. Data Governance directly addresses these concerns.

Data Governance can reduce an organization’s IT costs and improve its control over its information, which increases data security and privacy and improves responses to changing compliance requirements.

Conversely, poor Data Governance raises the risks of data breaches, including identity theft and fraud, which can erode trust in an organization, trigger financial or legal penalties, or reduce confidence among employees, customers, and investors.”

Although the purpose of the Data Governance web site is to serve as a reference for software and application developers, it is also a good reference for anyone involved in developing and maintaining the integrity, security, storage and sharing of data that contains personal information.

Among other things, the Data Governance web site is a resource for developing data policies, complying with regulatory and best-practice requirements, and addressing data retention periods.

Microsoft is promoting the development and implementation of data policies and action plans, which more and more state statutes require.

Although the materials are helpful and directed more at what to do than at how to do it, Microsoft does publish its own standard privacy guidelines, as well as an IT Compliance Management Guide. Although these materials are prepared for Microsoft, and are not applicable to very many businesses, they are good resources for anyone wanting to get a flavor for these types of documents.

European Commission Takes Action on RFID Tags

The RFID (radio frequency identification) camps are many and varied throughout the world. Privacy proponents are calling the security risks from RFID technology monumental and ripe for data and identity theft. The federal government has decided that when coupled with PIN codes and/or protective sleeves, RFID technology used in passports and passport cards is safe. The European Commission has said it believes that RFID technology can be safe, provided its new recommendations are followed.

On Tuesday, May 12, 2009, the European Commission adopted a set of recommendations, hoping to ensure that companies involved in the design or operation of RFID products respect the individual's fundamental right to privacy and data protection, contained in the charter of fundamental rights of the European Union. The recommendations can be read in full here (pdf link).

Members of the European Union are required to report back in two years regarding the steps taken to conform to the recommendations, and the Commission will publish a report within three years of its impact assessment and success with implementation to date.

The recommendations require that all operators in the European Union, regardless of whether those operators are subject to other obligations under the EU Data Protection Directive 95/46/EC, comply with the steps set forth in the recommendations. The following are some of the more significant recommendations:

  • Member States should ensure that industry, in collaboration with relevant civil society stakeholders, develops a framework for privacy and data protection impact assessments.
  • Member States should support the Commission in identifying those applications that might raise information security threats with implications for the general public. For such applications, Member States should ensure that operators, together with national competent authorities and civil society organisations, develop new schemes, or apply existing schemes, such as certification or operator self-assessment, in order to demonstrate that an appropriate level of information security and protection of privacy is established in relation to the assessed risks.
  • Without prejudice to the obligations of data controllers, in accordance with Directives 95/46/EC and 2002/58/EC, Member States should ensure that operators develop and publish a concise, accurate and easy to understand information policy for each of their applications. The policy should at least include: (a) the identity and address of the operators, (b) the purpose of the application, (c) what data are to be processed by the application, in particular if personal data will be processed, and whether the location of tags will be monitored, (d) a summary of the privacy and data protection impact assessment, (e) the likely privacy risks, if any, relating to the use of tags in the application and the measures that individuals can take to mitigate these risks.
  • Member States should ensure that operators take steps to inform individuals of the presence of readers on the basis of a common European sign, developed by European Standardisation Organisations, with the support of concerned stakeholders. The sign should include the identity of the operator and a point of contact for individuals to obtain the information policy for the application.
  • On the basis of a common European sign, developed by European Standardisation Organisations, with the support of concerned stakeholders, operators should inform individuals of the presence of tags that are placed on or embedded in products.
  • When conducting the privacy and data protection impact assessment as referred to in points 4 and 5, the operator of an application should specifically determine whether tags placed on or embedded in products sold to consumers through retailers who are not operators of that application represent a likely threat to privacy or the protection of personal data.
  • Retailers should deactivate or remove at the point of sale tags used in their application unless consumers, after being informed of the policy referred to in point 7, give their consent to keep tags operational. Deactivation of the tags should be understood as any process that stops those interactions of a tag with its environment which do not require the active involvement of the consumer. Deactivation or removal of tags by the retailer should be done immediately and free-of-charge for the consumer. Consumers should be able to verify that the deactivation or removal is effective. (Not applicable if the privacy and data protection impact assessment concludes that tags that are used in a retail application and would remain operational after the point of sale do not represent a likely threat to privacy or the protection of personal data. Nevertheless, retailers should make available free-of-charge an easy means to, immediately or at a later stage, deactivate or remove these tags.)
  • Deactivation or removal of tags should not entail any reduction or termination of the legal obligations of the retailer or manufacturer towards the consumer.
  • Member States, in collaboration with industry, the Commission and other stakeholders, should take appropriate measures to inform and raise awareness among public authorities and companies, in particular SMEs, of the potential benefits and risks associated with the use of RFID technology. Specific attention should be given to information security and privacy aspects.
  • Member States should cooperate with industry, relevant civil society stakeholders and the Commission to stimulate and support the introduction of the ‘security and privacy by design’ principle at an early stage in the development of RFID applications.

Mark McCreary is a partner in Fox Rothschild's Corporate Department, specializing in privacy and Internet law. If you have questions regarding this post, or any other privacy matter, you may contact Mark at (215) 299-2010 or mmccreary@foxrothschild.com.

Data Breaches Worse Than Thought

There is a very interesting article posted at Nextgov.com regarding major data breaches and thefts.  The article can be found here.

The author, quoting James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, makes the point that the list of breaches would be much larger if smaller breaches were reported.

So how many breaches go unreported?  Well, nobody knows for sure but the number would almost certainly be staggering.  With new federal requirements poised to go into effect, we may start to have a better idea of just how many breaches occur.  At the very least, we may have a way to track those breaches that are actually reported.

Data Accountability and Trust Act: Federal Breach Notification, Data Security Policies and File Access Addressed

The U.S. House of Representatives continues to debate, revise and take testimony on a major piece of proposed federal privacy legislation, the Data Accountability and Trust Act (H.R. 2221) (“DATA”), which was referred to the House Committee on Energy and Commerce on April 30, 2009.

The proposed DATA legislation has three primary goals. First, DATA would put into place a first-of-its-kind (other than the HITECH Act applicable to medical data, discussed here) federal law setting the standards for notification of breaches or thefts involving personally identifiable information. DATA would also require that notification be provided to the FTC if there is a breach. Although there is no current requirement of notification to state agencies, DATA does allow state agencies and the FTC to enforce the provisions of DATA. Although almost all states and jurisdictions have data breach notification laws in place, and other states are on the verge of passing new data breach notification laws, a federal law would replace the jumble of standards and reporting requirements. Although privacy proponents generally applaud the idea of data breach notification standards, fear of putting in place a lower standard than already exists in some jurisdictions continues to cast a shadow over this prospect. As with many state laws, a firm could avoid notifying customers and the FTC if it determines that there is no risk of harm from the breach or theft. This “no risk” standard, however, would be a lesser standard than that of those states that require reporting regardless of whether there is a risk. Therefore, while preemption is not being dismissed by those following the legislation, a demand for adequate notification standards continues.


Second, DATA would require those firms that store personally identifiable information to have in place security policies and procedures to ensure that the information is adequately protected. These proposed provisions largely track those already in place in the Gramm-Leach-Bliley Act.  The definition of “personal information” in DATA is fairly limited in scope, largely because too broad a definition (think of the very broad definition used by the European Union) would lead to over-notification when there is a breach, a possibility many fear would lead to complacency if breach notification became an everyday occurrence. The current definition under DATA is: an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual: (i) Social Security number; (ii) driver’s license number or other State identification number; and (iii) financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.

However, the definition of “personal information” in DATA is no broader with respect to security policies and procedures, meaning that the set of firms required to have security policies and procedures in place is likewise limited. While there may be a particular concern about imposing (potentially) costly requirements on firms that hold information less sensitive than that in the definition of “personal information,” there will be a push to expand the definition of “personal information” for purposes of the security policy and procedure requirements.

Third, DATA has added provisions related to consumers’ ability to review and correct misinformation held by a firm. Similar to the right to review and protest information contained in credit reports under the Fair Credit Reporting Act (PDF link), consumers are allowed to point out incorrect “personal information” a firm maintains. That statement alone raises two major flaws in the current legislation. First, the definition of “personal information” is limited and would only allow a review and correction of highly sensitive information. Under FCRA, any reported information is subject to review and correction. Second, there is no clear direction on what is meant by “maintain.” Does information obtained from clearinghouses constitute “maintaining” that information? Most state statutes are interested in possession and/or use of the data, which is a much clearer standard.

DATA will continue to evolve and be adjusted as interested parties provide feedback and suggestions. Whether DATA is the national privacy law that we are all anticipating and, in many ways, hoping for remains to be seen.


World Privacy Forum Publishes Top Ten Opt Outs

The World Privacy Forum has published a list of their favorite opt out opportunities.  Click here to review this very helpful list, some of which may be new to you.


Privacy in Work-Related Matters Discussed in Social Networking Sites

After years of water cooler whispering (with raised eyebrows) and urban legends of terminated employees, savvy Internet users know not to have any realistic expectation of privacy when it comes to work-hosted email, Internet access and the like.

Is there now cause for concern when it comes to discussing work-related topics on employees’ own time on personally owned computers? The United States District Court for the District of New Jersey is taking up the case right now.

In Pietrylo v. Hillstone Restaurant Group, Docket No. 2:06-cv-05754 (D.N.J. 2008), the plaintiffs allege that their use of MySpace is protected from their employer’s prying eyes. The plaintiffs, Brian Pietrylo and Doreen Marino, were terminated by Hillstone, which operates the Houston’s chain of restaurants.

Pietrylo, a bartender at Houston’s in Hackensack, New Jersey, created the MySpace user group “Spec-Tator” for the purpose of current and former employees to “vent” about their experience while working at the restaurant. Allegedly, the user group was created on personal time, and invitations were distributed on personal time. According to Pietrylo, the forum was a "nice place to vent ... without any eyes outside spying on us."


One of the persons invited to the user group, which was invitation-only and required a password to enter and view, was Marino. Spec-Tator went as well as most user groups, quickly filling with complaints about the restaurant, the décor and even supervisors. Then a hostess, Karen St. Jean, let one of the supervisors in on the joke. Apparently they all had a good laugh at the site.

Soon after the sharing with a supervisor, another supervisor demanded from St. Jean her username and password to Spec-Tator. Testifying that she feared that her refusal to cooperate would affect her job negatively, St. Jean gave up her username and password. Pietrylo and Marino were fired shortly thereafter. The reason cited for their termination was violation of company policy involving "professionalism and a positive attitude."

The federal lawsuit then followed. The plaintiffs alleged that Hillstone’s firing of them violated their freedom of speech, their common law right to privacy, the Stored Communications Act, and the New Jersey statute on unlawful access to stored communications.

On a motion for summary judgment by Hillstone, the District Court found that there was no violation of the plaintiffs’ free speech, but the court did allow the plaintiffs’ other claims to move forward. Additionally, the court found that the alleged privacy violations were issues for a jury because they were matters of fact.

The remaining issues appear to come down to whether Hillstone’s management gained access to the user group through coercion (by threatening St. Jean) and, if properly accessed, whether there would still be an expectation of privacy. In other words, if a jury finds that management learned of the user group because it coerced St. Jean into providing access, then there is an argument that information learned cannot be used. The Ninth Circuit has already held that the Stored Communications Act permits those persons with access to password-protected content to share access to any third person (provided that the person is actually a “user” of the site), thereby obviating any expectation of privacy in the speech contained therein. See Konop v. Hawaiian Airlines, Inc., 302 F.3d 872 (9th Cir. 2002) (court held that the Stored Communications Act authorizes users of a web site to give permission to others to access the web site, but must actually access the web site to be a “user” under the Stored Communications Act; absent access, person has no authority to authorize a third party to access the web site).

The issue, stated another way, is that if a speaker manages to conceal his or her speech from unintended ears, then there is a much stronger argument that that speech is private and protected. However, if access to such speech is granted (properly) to those unintended readers, then the expectation of privacy is much lower.

Prior cases demonstrate that the tipping point in work-related, free speech cases dealing with personal time and/or personal computer equipment may be whether there was an explicit policy in place by the employer dealing with speech regarding work and work-related issues.

What policies does your business or employer have in place dealing with your speech on your own time?


DNA Databases Greatly Increase in Size in United States

The New York Times is reporting that DNA databases built and maintained by the Federal Bureau of Investigation (F.B.I.) and various states are quickly increasing in size and use.

The debate over whether persons convicted of felonies should have their DNA collected and stored by law enforcement has long been considered decided. Additionally, the collection of fingerprints of persons arrested (but not necessarily convicted) of crimes has also long been considered decided.

However, what about the collection of DNA from persons merely arrested or detained, but not convicted? The F.B.I. and 15 states are going to do just that starting this month, with a vast majority of those persons being suspected illegal immigrants.

The National DNA Index System, initiated under the E-Government Act of 2002, P.L. 107-347, and the accompanying guidelines issued by the Office of Management and Budget (OMB) on September 26, 2003, already contains information on 6.7 million people. The rate of collection is expected by the F.B.I. to increase from around 80,000 persons per year to 1.2 million people per year by 2012, a 17-fold increase, according to The New York Times.


According to the article, 35 states require minors to provide DNA samples upon conviction, with some of those states requiring samples upon arrest. Some 16 states go even further, requiring DNA samples from any person convicted of a misdemeanor.

Taking DNA samples is nothing new for residents of Britain. Approximately seven percent (7%) of Britain’s residents are in the national DNA database, with approximately one-fifth of those persons not even having a criminal record.

These numbers become further controversial when you consider that the House of Commons reports that 27% of black residents, and 42% of black males, are in Britain’s database, while only six percent (6%) of persons in the database are white.

Civil liberty experts estimate that practices in the United States may be headed in the same direction, both in the number of persons in the database and in racial disparity.


European Union Seeks Privacy Enforcement By Britain

As with NebuAd here in the United States, the Phorm service in Europe is under constant and increasing attack.  The business model for both is basically to team up with Internet service providers, track and collect Internet usage data, and then use that information to serve interest-based ads to the Internet user.  Take a trip to a popular gadget web site, and expect to be served advertisements that offer gadgets for sale.  Visit a travel interest web site, and expect to start noticing advertisements from travel sites in other web pages. 

Announcing that the European Union has "opened an infringement proceeding" to investigate Phorm’s activities, the European Union's Commissioner for Information Society and Media, Viviane Reding, said in a video message that "European privacy rules are crystal clear: a person's information can only be used with their prior consent. We cannot give up this basic principle, and have all our exchanges monitored, surveyed and stored in exchange for a promise of 'more relevant' advertising! I will not shy away from taking action where an EU country falls short of this duty."

The legal action commenced by the European Union basically consists of an inquiry and warning to Britain, inquiring into Britain’s interpretation of the privacy regulations and rules in place, and an explanation of how operations by Phorm comply with those privacy regulations and rules.  In other words, the European Union wants Britain to explain why it has not commenced any action against Phorm.  Britain has two months to respond, and additional inquiries and warnings may follow before the European Union forces Britain into court.


These recent concerns about Phorm are based on unannounced trials conducted on unsuspecting users in 2006 and 2007.  Although the service claims not to have stored or shared any information that could identify a user, and although later trials involved consent from invited participants, the European Union seeks an investigation of the actions in 2006 and 2007.

In her press release, Commissioner Reding summarizes the applicable European law:

The EU Directive on privacy and electronic communications requires EU Member States to ensure confidentiality of the communications and related traffic data by prohibiting unlawful interception and surveillance unless the users concerned have consented (Article 5(1) of Directive 2002/58/EC).  The EU Data Protection Directive specifies that user consent must be ‘freely given specific and informed’ (Article 2(h) of Directive 95/46/EC).  Moreover, Article 24 of the Data Protection Directive requires Member States to establish appropriate sanctions in case of infringements and Article 28 says that independent authorities must be charged with supervising implementation. These provisions of the Data Protection Directive also apply in the area of confidentiality of communications.

Commissioner Reding also indicated that social networking sites, like Facebook, MySpace and Friendster, must safeguard and reinforce privacy protection online: "Privacy must in my view be a high priority for social networking providers and their users. I firmly believe that at least the profiles of minors must be private by default and unavailable to internet search engines. The European Commission has already called on social networking sites to deal with minors' profiles carefully, by means of self-regulation. I am ready to follow this up with new rules if I have to."


Stolen Personal Data Continues to be Lucrative

Symantec Corp. has released its Internet Security Threat Report Volume XIV, and the news is excellent for thieves of personal information.  Symantec reports that the income received by sellers of stolen personal information continues to be high. 

Credit card information continues to reign supreme, generating from $0.06 to $30.00 per record, while access to email accounts, access to proxies and shell scripts saw the biggest rises from 2007 to 2008.

A recent article by the Associated Press focuses on economic factors related to the trading of stolen personal information.  Citing reasons ranging from the bottoming out of prices, to sellers of stolen information not wanting to undercut each other, to the difficulty in obtaining PIN codes and security codes, to renewed efforts to scam information because of a failing economy, the article explains why prices are holding steady even though thefts are increasing.

However, the most interesting statistic may relate to so-called phishing scams.  A study from Gartner estimated that more than 5 million persons in the United States were the victim of a phishing scam between September 2007 and September 2008, representing a forty percent (40%) increase over the prior twelve months.

Reports also indicate that the trading in financial information has become so lucrative, and apparently relatively easy, that “gangs” of hackers and traders have become more common and visible. 

What this means is that one or both of these two things are happening: (1) those persons that set up phishing scams are getting even better at tricking unsuspecting people into providing their personal information, and (2) Internet users are not being nearly vigilant enough when it comes to “clicking” on emails and providing personal information online.

The issues for businesses are dramatic:

- Are employees falling for phishing scams on work computers, possibly allowing the installation of malicious software?

- Are your customers being duped into thinking that your business is communicating with them (which raises the question of whether you have educated your customers about the information you collect through email links)?

- Are you accepting payments that do not conform to the PCI Standards and/or do not request enough information to ensure that your payees are who they say they are?


European Telecoms and ISPs Start Storing User's Internet Data

Starting April 6, 2009, European Union telecommunications companies and Internet service providers (ISPs) suddenly found themselves required to store even more data about their users.

Under the existing requirements of the 2006 Data Retention Directive, telecommunications providers are required to retain records (when calls were made and the origination/destination details) regarding telephone calls made over their lines.

Now, under the Data Retention Regulations 2009, those European telecommunication providers, and for the first time some ISPs (other than ISPs that also provide voice over IP services, which have always been covered), must retain details of Internet traffic and electronic mail transmissions for a period of six (6) to twenty-four (24) months from origination.  The United Kingdom has determined that the period of retention shall be twelve (12) months.  Sweden has threatened to “ignore” these new requirements.

Although the new regulations do not require the retention of the actual content (i.e., the telephone conversations, Internet content or the electronic mail content), affected European telecommunication providers and ISPs must retain the details of the transmissions (e.g., origination and destination telephone numbers, length of telephone calls, the user’s IP address but not the destination IP addresses, electronic mail addresses, and time of transmission).


The new requirements do not require retention of Internet data by all European telecommunication providers and ISPs.  Rather, a provider must retain this information only when notified to do so by the Secretary of State.  However, the existing requirement to retain records (e.g., when calls were made and the origination/destination details) regarding telephone calls made over their lines remains unaffected.

Government officials in the United Kingdom will be able to exercise powers under the Regulation of Investigatory Powers Act of 2000 (RIPA) to seek a court order for the release of the information stored under the revised Directive "for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law.”

Opponents of the new regulations speculate that this is another step toward a nationalized database, permitting governmental agencies to determine where a person was situated (whether telephonically or on the Internet) at any given time.  Proponents counter that the content is not recorded, and that the information can only be accessed when it is necessary and proportionate to make such collection.


Published on MySpace Means No Expectation of Privacy

A young woman in Coalinga, California, following a visit home from college, penned to her MySpace page “An ode to Coalinga” (the “Ode”).  The Ode opens with “the older I get, the more I realize how much I despise Coalinga” and then proceeds to make a number of extremely negative comments about Coalinga and its residents.  She removed the Ode from her MySpace page within six days of posting it.

However, during the six days that the Ode was posted on MySpace, the principal of Coalinga high school discovered the Ode and sent it to his friend, the editor of the local paper, the Coalinga Record.

The editor of the Coalinga Record republished the Ode as a “Letter to the Editor,” adding the author’s last name (which was not present on the MySpace page).  The author and her family received death threats, and a shot was fired at the family home, forcing the family to move out of Coalinga.  Due to severe losses, her father closed the 20-year-old family business.

The California Court of Appeal, in Moreno et al. v. Hanford Sentinel, Inc., et al., F054138, slip op. (Cal. Ct. App. April 2, 2009) (PDF link) ruled that the principal did not invade the author’s privacy when he handed the Ode over to the Coalinga Record.  The court further held that the editor of the Coalinga Record did not violate the author’s rights when the paper published her full name.


When posting material to MySpace, a user’s expectation of privacy is diminished if not obviated, depending on the circumstances.  Although the court’s opinion does not make it clear, it appears that the author’s Ode was available to any person viewing her MySpace page (versus her granting access to only a small group of people).  The court was not moved by the argument that only a limited audience would have viewed her posting.  “Here, Cynthia publicized her opinions about Coalinga by posting the Ode on myspace.com, a hugely popular internet site.  Cynthia’s affirmative act made her article available to any person with a computer and thus opened it to the public eye.  Under these circumstances, no reasonable person would have had an expectation of privacy regarding the published material.”

Removing the Ode only six days after publication also did not help to regain any sort of privacy.  “That Cynthia removed the Ode from her online journal after six days is also of no consequence.  The publication was not so obscure or transient that it was not accessed by others.”

The court also found that although the author’s last name was not published on her MySpace page, her identity was easily ascertainable.  The court wrote:

Campbell was able to attribute the article to her from the internet source.  There is no allegation that Campbell obtained Cynthia’s identification from a private source.  In fact, Cynthia’s MySpace page included her picture.  Thus, Cynthia’s identity as the author of the Ode was public.  In disclosing Cynthia’s last name, Campbell was merely giving further publicity to already public information.  Such disclosure does not provide a basis for the tort.

The case was remanded in order to address the claim of intentional infliction of emotional distress, but the ruling on privacy is intact.

This case is a wonderful example of Web 2.0 users losing the right to keep their thoughts private once they publish those thoughts online.  What is unclear, and the “gray area” that will continue to develop, is whether publication to a select group, or publication with privacy settings activated that prevent the general public from viewing the content, constitutes a waiver of privacy with respect to that material.

Regardless of any gray area, the lesson is clear.  Publication, possibly even to a limited group, raises the risk that the author waives all right to privacy in that work.


Proposed US Law Would Permit Government to Shut Down the Internet

The Cybersecurity Act of 2009 (PDF link), introduced by Senators John Rockefeller (D-W. Va.) and Olympia Snowe (R-Maine), is no April Fool’s joke.  The proposed law would give President Obama the power to shut down domestic Internet traffic (services, applications and software) during a state of emergency.  The Committee on Commerce, Science and Transportation will take up this proposed law.

The proposed law would create the Office of the National Cybersecurity Advisor, an extension of the executive branch that would have broad power to control and monitor Internet traffic to protect against cybersecurity threats.  Furthermore, the Commerce Department would be given the ability to bypass every existing law regarding privacy and access any relevant information regarding citizens’ and businesses’ use of the Internet while investigating cybersecurity threats (real and perceived).

The proposed law makes no clear indication of what is meant by the phrases “critical information network” or a “cybersecurity emergency,” instead (broadly) leaving that interpretation to the president.  The Secretary of Commerce would have “access to all relevant data concerning [critical] networks without regard to any provision of law, regulation, rule, or policy restricting such access.”


Under existing laws, law enforcement must obtain a warrant (and meet the requisite legal standards) before accessing data transmissions over the Internet.  These requirements under the Electronic Communications Privacy Act (ECPA) would effectively disappear if the powers under the proposed law were exercised.

The proposed law would also create a public-private clearinghouse for cybersecurity threats and information regarding discovered vulnerabilities under authority of the Department of Commerce.

Finally, the proposed law would also put in place mandates for designated private networks and systems, including standardized security software, testing and licensing, and a professional licensing program for certifying who can serve as a cybersecurity professional.

But Senators Rockefeller and Snowe offered no apologies.  "It's an understatement to say that cyber-security is one of the most important issues we face; the increasingly connected nature of our lives only amplifies our vulnerability to cyber-attacks and we must act now. …We must protect our critical infrastructure at all costs—from our water to our electricity, to banking, traffic lights and electronic health records—the list goes on," Rockefeller said in a statement.

Snowe supported Rockefeller’s comments, saying, "America's vulnerability to massive cyber-crime, global cyber-espionage and cyber-attacks has emerged as one of the most urgent national security problems facing our country today. Importantly, this legislation loosely parallels the recommendations in the CSIS [Center for Strategic and International Studies] blue-ribbon panel report to President Obama and has been embraced by a number of industry and government thought leaders. …If we fail to take swift action, we, regrettably, risk a cyber-Katrina."

Mark McCreary is a partner in Fox Rothschild's Corporate Department, specializing in privacy and Internet law. If you have questions regarding this post, or any other privacy matter, you may contact Mark at (215) 299-2010 or mmccreary@foxrothschild.com.

Death of University Student Calls Privacy Issues Into Question

An early March death of a University of Kansas student has many colleges and universities rethinking privacy policies regarding their students.

Recent news reports indicate that Jason Wren, a 19-year-old student from Colorado, was ejected from university housing after repeated infractions involving alcohol. Reportedly, the university’s policy regarding its students’ privacy prohibited it from disclosing to Mr. Wren’s parents the basis for his removal from university housing.

On March 8, 2009, Jason Wren was found dead in his bed at a fraternity house in Lawrence, Kansas. The Kansas City Star reported that Jay Wren, the father of the deceased student, indicated that the university would not disclose to him the basis for his son’s removal from university housing. The Star further reported that Mr. Wren said he would have pulled his son out of school if he knew of an alcohol problem.

Kansas University has reported that it is examining the privacy issues (and policies) currently in place. Apparently the university will be examining whether any changes can or should be made to the policy in light of these recent events.

When making decisions regarding privacy, Kansas University will have to take into consideration the requirements that apply when financial aid from a program administered by the U.S. Department of Education is involved. Generally speaking, under the Family Educational Rights and Privacy Act (FERPA), parents have no right to learn certain (in most cases, private) information regarding their children unless the child specifically permits it.

The death of this student may be a wake-up call for many colleges and universities, as well as other organizations in similar situations. The opportunity to review the consequences of privacy policy provisions should not be overlooked. Although many institutions (admirably) want to protect the privacy of their patients, students and guests, decisions regarding privacy protection do not exist in a vacuum, as this case well demonstrates.

Mark McCreary is a partner in Fox Rothschild's Corporate Department, specializing in privacy and Internet law. If you have questions regarding this post, or any other privacy matter, you may contact Mark at (215) 299-2010 or mmccreary@foxrothschild.com.

Welcome to the Privacy Compliance and Data Security Blog

We are pleased to announce and launch Fox Rothschild’s Privacy Compliance and Data Security Blog. With a new President, a new national mission throughout government to secure and protect personal information and prevent cyber threats, as well as quickly evolving privacy requirements here and abroad, there could not be a better time to think about data privacy.

We decided to create this blog so that our clients and friends would have timely access to current, pending and anticipated requirements on such issues as privacy compliance, data security and breach notification. Although we do not expect every topic on our blog to be important to you, we hope to provide our readers with information regarding a wide array of issues and developments that are relevant in today’s world.  While you may be reading our blog because you want to ensure that your business complies with applicable laws, privacy laws and practices affect all of our daily lives on business, personal and professional levels. Whether you find your business responding to a data breach, or you are concerned about more closed-circuit cameras in public places and less personal restraint on online social networks, our blog may be helpful to you.

We encourage active discussion and an exchange of ideas on our blog. We hope that your visit to our blog stimulates new ideas and initiatives.  Whether you decide to share your ideas with us or simply review our posts, we appreciate your participation. Please sign up for either our RSS feed or email alerts.

Mark McCreary
215.299.2010
mmccreary@foxrothschild.com

Amy C. Purcell
215.299.2798
apurcell@foxrothschild.com

Scott L. Vernick
215.299.2860
svernick@foxrothschild.com