The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Wednesday, November 30, 2005

NJ to Enjoy Strong Identity Theft Protections 

Chris Hoofnagle at EPIC West reports on new anti-ID theft legislation in New Jersey that is said to be among the strongest in the US: EPIC West: Electronic Privacy Information Center West Coast Office: NJ to Enjoy Strong Identity Theft Protections.

His post also links to a convenient table of US credit freeze and security notification legislation maintained by US PIRG: State Breach and Freeze Laws.


Tuesday, November 29, 2005

Hawai'i puts anti-ID theft law on the books 

According to Identity Theft Spy, Hawai'i has joined the growing list of states with laws designed to prevent identity theft and to require notification of consumers for certain security breaches: Identity Theft Spy: Hawaii implements anti-identity theft laws.


Michael Geist: Canada's Privacy Wake-Up Call 

Michael Geist, in his regular Toronto Star column, is calling for immediate reforms to Canada's privacy laws to deal with the problem of cross-border issues and to give the Commissioner more substantial powers: Michael Geist - Canada's Privacy Wake-Up Call.

Monday, November 28, 2005

Canadian polling on ID theft 

The Canadian Press is reporting on a handful of statistics related to identity theft in Canada, compiled by PhoneBusters:

IDiots? Bank warns against identity theft miscues:

TORONTO (CP) - More than 9,000 people in Canada have had their identities stolen this year, and a new poll indicates 77 per cent of Canadians worry about identity theft but only 10 per cent feel they know what to do about it.

Identity theft occurs when criminals steal and use personal information, such as a social insurance number and date of birth, to assume a person's identity and make purchases or open credit card accounts and other debt lines in the assumed name.

According to PhoneBusters, the central agency that collects information on identity theft in Canada, there were 9,034 victims of identity theft reported in the first 10 months of this year, with losses totalling $7.2 million.

The early-November poll for the Canadian subsidiary of U.S.-based Capital One Financial Corp. found 45 per cent of the 2,002 adults surveyed do not monitor their credit reports on a regular basis for errors or suspicious items.

The Ipsos Reid survey, which claims a margin of error of 2.2 percentage points, 'reveals that consumers should be more cognizant of some simple practices that could help protect against identity theft,' says Capital One Bank....


Shred-a-thon in North Carolina 

From News 14 Charlotte:

News 14 Carolina | 24 Hour Local News | TOP STORIES | New law to require document shredding:

"RALEIGH, N.C. - North Carolina celebrated a new law going into effect this week that will require companies to shred people's personal documents in an effort to curb the increasingly costly problem of identity theft...."

Teed Up for '06: Data Breaches, Spyware 

eWeek is chronicling the twists and turns of various privacy laws through the Senate and Congress in the US: Teed Up for '06: Data Breaches, Spyware.


US access to data a concern 

David Canton's regular column in the London Free Press is on cross-border privacy issues. Check it out: eLegal Canton: November 2005 Archives.


NYTimes editorial on Google and privacy 

Google has been the target of a number of privacy critics, most likely because of the huge amount of information it is privy to and the lack of transparency about how much of it is kept in a personally identifiable state and for how long. An editorial in today's New York Times calls for a "privacy upgrade" at Google.

Here's a snippet:

What Google Should Roll Out Next: A Privacy Upgrade - New York Times:

The biggest area where Google's principles are likely to conflict is privacy. Google has been aggressive about collecting information about its users' activities online. It stores their search data, possibly forever, and puts "cookies" on their computers that make it possible to track those searches in a personally identifiable way - cookies that do not expire until 2038. Its e-mail system, Gmail, scans the content of e-mail messages so relevant ads can be posted. Google's written privacy policy reserves the right to pool what it learns about users from their searches with what it learns from their e-mail messages, though Google says it won't do so. It also warns that users' personal information may be processed on computers located in other countries.

The government can gain access to Google's data storehouse simply by presenting a valid warrant or subpoena. Under the Patriot Act, Google may not be able to tell users when it hands over their searches or e-mail messages. If the federal government announced plans to directly collect the sort of data Google does, there would be an uproar - in fact there was in 2003, when the Pentagon announced its Total Information Awareness program, which was quickly shut down.

In the early days of the Internet, privacy advocates argued that data should be collected on individuals only if they affirmatively agreed. But businesses like Google have largely succeeded in reversing the presumption. There is a privacy policy on the site, but many people don't read privacy policies. It is hard to believe most Google users know they have a cookie that expires in 2038, or have thought much about the government's ability to read their search history and stored e-mail messages without them knowing it.

Google says it needs the data it keeps to improve its technology, but it is doubtful it needs so much personally identifiable information. Of course, this sort of data is enormously valuable for marketing. The whole idea of "Don't be evil," though, is resisting lucrative business opportunities when they are wrong. Google should develop an overarching privacy theory that is as bold as its mission to make the world's information accessible - one that can become a model for the online world. Google is not necessarily worse than other Internet companies when it comes to privacy. But it should be doing better.


Sunday, November 27, 2005

Germany considers unlocking toll road data for police purposes 

Andreas Busch at Politics of Privacy Blog reports that pressure is building up to allow police access to databases that are the foundation of Germany's automated highway tolling system. See: Politics of Privacy Blog: Mission creep par excellence? Germany considers using road toll data for police purposes.


To prove how much we respect your privacy, we'll spam you using your personal information leaked from a competitor 

Techdirt often discusses interesting privacy stories. This one is pure gold:

Techdirt: We're Spamming You To Tell You How Much We Respect Your Privacy:
Contributed by Mike on Wednesday, October 26th, 2005 @ 11:22AM from the who-comes-out-looking-worse? dept.

Yesterday there was the story of a startup that sent a marketing message that revealed all the email addresses of people on their list. While the company blamed it on a 'technical error' rather than the very human error that it was, they also insisted that the addresses were 'secure' despite not being able to really promise that. As if to drive that fact home, a competitor has now spammed the entire list, childishly claiming that they would do a better job 'respecting your privacy.' Of course, as The Register points out, if that were true, they wouldn't have gone out and spammed that whole list, would they? In this case, both firms come out looking bad. The first one for not admitting how badly they screwed up, and the second one for exploiting the situation.

The original post at Techdirt has links to the original news stories.


Another great privacy cartoon 

Chris Slane has some absolutely brilliant cartoons related to privacy. I just happened upon this one that is worth checking out.


US Military seeking new domestic surveillance powers 

According to the Washington Post, the maze of intelligence agencies operating within the United States may be expanding. A proposal advanced by the White House would give the little-known Counterintelligence Field Activity (CIFA) additional powers to investigate treason, sabotage and economic espionage. The Pentagon is simultaneously pushing an intelligence exception to the US Privacy Act. Both initiatives would see an increased ability for the military to gather intelligence about US citizens domestically. See: Pentagon Expanding Its Domestic Surveillance Activity.


Canadian Do-Not-Call Legislation Receives Royal Assent 

Michael Geist reports that the new Do-Not-Call legislation (Bill C-37) quickly passed through the Senate last week and was given Royal Assent on Friday at 4:57 PM. It will come into force on the date set by the Governor in Council. See: Michael Geist - Canadian Do-Not-Call Legislation Receives Royal Assent.


Saturday, November 26, 2005

Incident: Hacker hits Troy Group's eCheck Secure service, affects customers of Scottrade online brokerage

Thanks to Brian Krebs on Computer and Internet Security for pointing me to this story ...

One of the largest online brokerage houses in the United States has started informing a large group of its customers that a hacker has obtained access to information on customers of Troy Group's eCheck Secure service, which is used by a number of Scottrade's customers to settle their accounts. Scottrade is the fifth or sixth largest such service provider in the US. Customers received the following letter:

Scottrade:

November 11, 2005

Re: Alert for users of the eCheck Secure™ Service

Dear Customer:

We are contacting you to inform you that Scottrade has experienced a data security issue with the eCheck Secure™ service. Our records indicate that you have used eCheck Secure™ for the purpose of electronically moving funds from your bank to Scottrade. We will detail what we know about the situation and also what steps you should consider taking to safeguard your information.

On October 25, 2005, Troy Group Inc., the provider of the eCheck Secure™ service and other services to the financial services industry, reported to us that a computer hacker had compromised its eCheck Secure™ servers. As a result, some of your personal information, including your name, driver's license or state ID number, date of birth, phone number, bank name, bank code, bank number, bank routing number, bank account number and Scottrade account number may have been compromised. If you used your Social Security number as your driver's license or state ID number, your Social Security number may have been compromised as well. We do not know whether the hacker has actually accessed and/or used any of your personal information. However, Troy has notified us that it has blocked further unauthorized access to the information. The eCheck Secure™ service cannot be used to withdraw funds from your Scottrade account. Troy has filed a report with the FBI and is investigating in conjunction with a forensic analysis firm that it has retained. Scottrade has also contacted the FBI on this matter, and has a dedicated team to work on this issue and assist our customers who may have been affected.

We suggest taking the following steps for all your accounts that have eCheck Secure™ activated.

  1. Contact your local Scottrade branch office for additional information or to change your Scottrade account number. If it is not possible or convenient for you to contact your local Scottrade branch office, then you can reach our Service Center at 866-476-6500. Our Service Center is open Monday - Friday, 7 a.m. to 11 p.m. EST. Although this is not a situation where Scottrade's network was breached, you may, nevertheless, want to consider changing your Scottrade account number for additional protection.
  2. Remember to review your Scottrade account activity regularly and statement promptly. Report any suspicious activity to us.
  3. Although this was not an Internet security issue, you may want to change your Scottrade account access password periodically (a secure password that is easy for you to remember, but difficult for others to guess) by using our online change password process.
  4. Since your bank information could have been accessed, contact your bank immediately so it is aware of the situation and can monitor for unusual activity in your bank account.
  5. Review your bank activity and statements promptly to detect and prevent fraud. Look for transactions with strange payees or amounts you do not recognize. The more frequently you review your activity and statements, the easier it will be to detect suspicious transactions.
  6. If you use your Social Security number for your driver's license or state ID card, we strongly urge you to change your account number and place a fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. For more information on placing a fraud alert on your credit file, please see www.scottrade.com/security, a website that we have dedicated to this issue.

We are extremely sorry about this matter and will strive to rectify the situation to the best of our abilities. If you have any questions or concerns, please contact us, so we may be of assistance.

Sincerely,

Ellis Hough
Manager
Risk Management

I haven't heard of any other eCheck customers being notified.


Privacy laws block help path to teens 

Today's London Free Press has an article on the obstacle faced by parents of alienated teens who are trying to get information about their kids but are thwarted by privacy laws. See: London Free Press - City & Region - Privacy laws block help path to teens.


Dutch Court Orders Lycos To Reveal Client's Identity 

A Dutch high court has ruled that Lycos wrongly withheld the identity of one of its users who allegedly anonymously posted a defamatory message about an internet-based stamp dealer. According to the article on Yahoo! News, this is the first time that such an order has been made by a Dutch court in connection with a civil matter, which probably has repercussions for future suits related to alleged copyright violations. See: Dutch Court Orders Lycos To Reveal Client's Identity - Yahoo! News.

Study of information practices of US companies 

eCommerce Times is reporting on a study carried out by a Boston-based research firm on the personal information management practices of US companies. The results are not chock full of high scores, but they do suggest that companies are slowly changing how they handle customer information: E-Commerce News: Best of ECT News: What Is Happening to Your Personal Data?.

Army's proposed database of sexual assault victims comes under fire from privacy advocates 

The United States Army, in an attempt to deal with the problem of sexual assaults within its ranks, is proposing to develop a database to track all sexual assaults and victims. Privacy advocates are concerned about the risks associated with this database and the chilling effect it may have on victims coming forward. See:

Some Oppose Army's Sexual Assault Database - Yahoo! News:

...The planned Army system would include the victim's name, Social Security number, date of birth, other demographic information, military service data, assault investigation and police reports, medical and other support records, and any actions taken against offenders...

Just imagine what would happen if this database on a laptop or a USB thumb drive gets "lost" ...


Denver woman charged for not showing ID to security guard on bus 

Via Boing Boing, a woman in Denver has been charged and will be arraigned early next month for refusing to show ID to a security guard on a public bus. I can't imagine what security purpose something like this is supposed to serve. For more, check out PapersPlease.org: Deborah Davis.

Friday, November 25, 2005

BC Legislature Committee recommends re-appointment of David Loukidelis as Information and Privacy Commissioner 

A special committee of the BC Legislature has unanimously recommended that David Loukidelis be re-appointed as Information and Privacy Commissioner of BC. The committee's report is here: http://www.legis.gov.bc.ca/cmt/38thparl/session-1/ipc/reports/Rpt-38-1-1-IPC.pdf.

Special thanks to Cappone D'Angelo of McCarthy Tétrault LLP for the heads-up.

Thursday, November 24, 2005

Privacy Battle Could Halt European Flights to U.S. 

Further to my posting of Tuesday, The Canadian Privacy Law Blog: EU Advocate General says European-US passenger data sharing agreement violates European law, there is speculation that a ban on cross-Atlantic data sharing may result in European airlines being prevented from flying to the US: RedOrbit - Technology - Privacy Battle Could Halt European Flights to U.S.. I doubt it'll come to that, but ...


Entertainment industry accused of 'trying to hijack data retention directive' 

Many people are willing to sacrifice some privacy to gain increased security. In this "age of terrorism", initiatives such as the European Data Retention Directive and the Canadian Lawful Access proposals seem more palatable when we are told they are essential to protecting against serious crimes such as terrorism. The European Data Protection Directive has consistently been "sold" as being limited to protecting the continent against terrorism. Now, representatives of the entertainment industry are making the request that the retained information be available for investigations of copyright and other IP violations. Critics are saying that the entertainment industry is trying to hijack the directive. See: Entertainment industry 'trying to hijack data retention directive' - ZDNet UK News.

Also, check out the discussion on Slashdot: Slashdot | Music Industry 'trying to hijack EU data laws'.

Update (20051127) from Schneier on Security: European Terrorism Law and Music Downloaders:

"Our society definitely needs a serious conversation about the fundamental freedoms we are sacrificing in a misguided attempt to keep us safe from terrorism. It feels both surreal and sickening to have to defend our fundamental freedoms against those who want to stop people from sharing music. How is it possible that we can contemplate so much damage to our society simply to protect the business model of a handful of companies."

Alberta bar to continue scanning IDs despite Commissioner's advice not to 

The saga related to the scanning of IDs in Alberta bars continues. The Gauntlet, a University of Calgary student publication, reports that the bar in question is planning to ignore the Information and Privacy Commissioner's recommendation by continuing to use the Secureclub system. The investigation by the IPC will likely continue and may culminate with an order under the Personal Information Protection Act of Alberta in the new year. In the meantime, the university pub is going ahead with using the technology. See Gauntlet News - Private info or no beer.

For some background on this complaint and the issue generally:


No blame in case of info leaked to US prisoner 

I blogged some time ago about a case in which the personal information of an Edmonton lawyer was found in the cell of a prisoner in the US (The Canadian Privacy Law Blog: Authorities give US prisoner detailed personal information on Albertans and The Canadian Privacy Law Blog: The Commissioner is on the case of leaked lawyer's personal information). The case is apparently now closed and the federal Privacy Commissioner has cleared both the RCMP and the Canada Revenue Agency of wrongdoing. See: edmontonsun.com - World - Dead end in leaked info case.


Wednesday, November 23, 2005

Leger Marketing poll on ID theft and perceptions in Canada 

The Ottawa Business Journal is reporting on a survey by Leger Marketing on perceptions of identity theft and threats to personal information:

Ottawa Business Journal:

... An overwhelming majority of Canadians are concerned about the privacy of information stored in online databases, and more than half of companies admit their data is at risk

A Leger Marketing poll found 83 per cent of Canadians are concerned about the privacy of their personal data, and 55 per cent of companies say their confidential and private data is at risk of an attack. According to the poll, 58 per cent of consumers say they would immediately terminate their relationship with a company that compromised their personal information....


Interesting privacy protest: Irate client gives Visa pennies for his thoughts on cross-border data processing 

Dan Rogers is a retiree in Kingston, Ontario. He isn't too thrilled that the bank that issues his Visa card sends his data to the United States for processing. He has complained to them, but to no avail. So what does he do? He pays his bill online, one penny at a time. I don't really see the connection between the two, but he is rather pleased with it and Visa is not impressed. Apparently his latest statement was almost an inch thick and Visa had to process many of the payments by hand.

The Globe and Mail: Irate client gives Visa pennies for his thoughts

"It's difficult for the average citizen to get large corporations to listen," explained Mr. Rogers, who nevertheless managed to get a one-on-one conversation with the bank's chief executive officer this year, and has had a dialogue with its privacy officer.

"Us retired guys are the most dangerous, because we have time on our hands. You have to look for the weaknesses in their system, and I think I found it."


I *still* know who you called last month 

With the renewed interest in companies that sell others' cell phone and other records, the Red Tape Chronicles at MSNBC takes another look at the issue. Bob Sullivan discusses the issue and talks about steps that Verizon in particular is taking to protect customer information: I *still* know who you called last month - The Red Tape Chronicles - MSNBC.com.


Tuesday, November 22, 2005

New findings from the Privacy Commissioner of Canada 

The Privacy Commissioner of Canada has today issued two new findings under PIPEDA, has clarified one that caused confusion, and noted a "settled" case. More on each of them shortly.

EU Advocate General says European-US passenger data sharing agreement violates European law 

The top legal advisor to the European Court of Justice has determined that the agreement between the European Union and the United States to allow for sharing of air passenger information is illegal under European law and must be annulled. See: RTE News - Overturn data sharing law, says EU law officer.

Thanks to Boing Boing for the link.


Incident: Missing laptop affects 500 Safeway employees 

From the Santa Cruz Sentinel:

Safeway discloses possible security compromise - By Gwen Mickelson - Sentinel staff writer - November 22, 2005:

About 500 Safeway employees in Santa Cruz County could be affected by a company laptop theft.

In October, Pleasanton-based Safeway Inc. notified employees in California and Hawaii that certain personal information may have been compromised when a company laptop was stolen in August from a division director's home, along with other unrelated items.

In a letter to Safeway employees dated Oct. 17, Human Resources Director Bob Carlson said the computer contained several reports that include names, Social Security numbers, hire dates and work locations for a number of Safeway employees. The computer was protected by a power-on password, the company said, but nonetheless recommended that employees place a fraud alert on their credit files and request copies of their credit reports every three months for the next year.

No information breaches have been reported, spokeswoman Jennifer Webber said.

...

But union leaders criticized the company, asking why it took so long to notify employees and why the information was stored on a laptop.

...

Members of the union, which represents about 1,200 employees in Monterey, Santa Cruz and San Benito counties, "don't want to hear 'no one's been compromised yet,'" he said. "They want to hear 'we're sorry, we apologize for the 60-day delay, we assure you you're not going to pay out-of-pocket for one thing, we've put measures in place so that this won't happen again.'"

...

Briley said the password protection doesn't soothe his members, and said he wants assurance from Safeway that if anyone does fall victim to identity theft down the road, the company would take responsibility and help out.

He criticized the grocer for keeping members' information on a laptop, saying he'd "bet a hundred-dollar bill" that Safeway Club Card data the company keeps on consumers is "kept on a safer computer than my members' information."

Webber called Safeway security processes "incredibly tight," and said procedures "have been and will be to keep information as secure as possible."

...


Monday, November 21, 2005

Incident: Medical records found in dumpster behind Detroit-area mall medical centre 

According to ClickOnDetroit.com, a number of medical records have been found in a dumpster behind a Detroit shopping centre. The information was of the usual variety and the operator of the medical centre says they were supposed to be securely stored and destroyed. Guess that didn't happen. See: ClickOnDetroit.com - News - Patients' Private Records Found In Dumpster.


Office of the Privacy Commissioner responds to complaint against US data-broker: No jurisdiction to investigate outside of Canada 

In response to a complaint against US-based data-broker Abika.com (see The Canadian Privacy Law Blog: CIPPIC complaint raises a number of novel and interesting issues), the Assistant Privacy Commissioner has posted a letter on the Commission's website lamenting that office's lack of ability to investigate beyond Canada's borders:

Letter released about Abika.com, an on-line data broker in the U.S. - Privacy Commissioner of Canada:

... In order to investigate Abika.com based in Cheyenne, Wyoming, our Office must have the requisite legislative authority to exercise our powers outside Canada. However, basic principles of sovereignty and comity under international law state that a country cannot legislate outside its borders. The general convention is that Canada only legislates for Canada and only regulates activities within its borders. While Parliament may legislate with extraterritorial effect, this is rarely done. In the infrequent case that it is, it is for national security purposes or for a limited class of other purposes. In assessing whether a statute is to be applied outside Canada, a court will consider the intention of the legislature when it enacted the statute. There is a strong presumption that, absent an explicit or implicit contrary intention, Canadian legislation will only apply to the persons, property, juridical acts and events that occur within the territorial boundaries of the enacting body’s jurisdiction.

There is nothing explicit in PIPEDA to suggest that it was meant to apply outside of Canada or that the powers of the Commissioner would extend beyond Canada’s borders. According to leading case law, where the language of a statute can be construed so as not to have extraterritorial effect, then that construction must be adopted. It seems clear that this Act should not be construed to have extraterritorial effect. In the absence of any express or implied legislative intent, I must conclude that PIPEDA has no direct application outside of Canada.

While it is clear that the Commissioner may request information from anyone who she believes may have information relevant to an investigation, the formal investigative powers apply only within Canada. Abika.com has not responded to our request for the names of its Canadian-based sources. As such, we have no means of identifying - let alone investigating - those who would represent a Canadian presence for this organization and further, have no ability to compel an American organization to respond.

Although you referred only to Abika.com, we noted that an Abika.ca existed and enquired with respect to its registration information, on the understanding that a “.ca” registration could not be granted without a Canadian presence. We learned that the registrant of the “.ca” may be a Canadian citizen, but is still residing and working in the United States. In other words, despite the existence of a “.ca” registration, there are still insufficient connecting factors to indicate a real and important link between Canada and Abika.com’s operations in the U.S. As such, we cannot bring Abika.com within Canadian jurisdiction and deem them subject to PIPEDA. As for the legitimacy of the website registration application, we have referred this matter to the Canadian Internet Registration Authority (CIRA) to pursue further.

Global e-commerce poses challenges to all national governments that attempt to safeguard privacy and protect consumers. As you are aware from ongoing meetings with our Office, we share your concerns about the indiscriminate, non-consensual collection, use, and disclosure of personal information by profiling and data broker organizations. We agree that this raises serious privacy considerations. To this end, we have asked the Government of Canada to advise us what formal protocols, if any, exist that would allow us to investigate potential privacy breaches which may violate Canadian data protection laws. As important as it is, however, the specific instance you raise cannot be resolved through the complaint mechanism under PIPEDA....

For more on this issue, see The Canadian Privacy Law Blog: Jurisdictional limits on Canadian privacy law.

CIPPIC, which launched the complaint about Abika in the first place, is not pleased by the OPC's response:

CIPPIC News - CIPPIC:

"In a letter dated Nov. 18, 2005, the Assistant Privacy Commissioner of Canada responded to CIPPIC's 2004 complaint about Abika.com, a US-based online investigative service that offers to dig up detailed personal information about individuals, including telephone records. The Assistant Commissioner determined that "we cannot proceed with your complaint as we lack jurisdiction to compel U.S. organizations to produce the evidence necessary for us to conduct the investigation". Interestingly, however, the Privacy Commissioner's office recently launched an investigation in respect of another US-based online investigative service, Locatecell.com, using the information provided by a journalist who purchased the Privacy Commissioner's cell phone records and published a cover story on the issue."

I'm not sure if you can make a direct comparison between the Abika complaint and the investigation of Locatecell.com, since it is pretty clear where in Canada that information actually came from (see: The Canadian Privacy Law Blog: MacLean's cover story on privacy and information brokers).

CRTC demands investigation after three phone companies' records leaked to reporter 

As blogged about here last week, a reporter for MacLean's Magazine recently purchased the phone records of the Canadian Privacy Commissioner to prove the point that huge amounts of personal information are available for sale online (The Canadian Privacy Law Blog: MacLean's cover story on privacy and information brokers). It was a pretty effective illustration.

Now, the CRTC wants to know how it happened:

Halifax Live - CRTC Directs Three Phone Companies Investigate Privacy Breach Exposed by A National Magazine:

The Canadian Radio-television and Telecommunications Commission (CRTC) is calling the country's phone companies onto the carpet over revelations in Maclean's magazine that U.S. databrokers are selling the home and cellphone records of Canadian consumers.

In a terse letter dated Nov. 18, the telecommunications regulator demands that three phone companies immediately launch internal investigations into how the magazine was able to obtain the phone records of Canada's privacy commissioner, and another customer, via a Tennessee-based online service.

The companies have been given a strict 10-day deadline to report back to the commission with a host of information, including descriptions of the safeguards that were in place when the breaches occurred, explanations of how the companies verify customer identity and new measures being taken to improve security.

The phone carriers have had little to say publicly about what steps are being taken to tighten internal security. But, in response to the Maclean's cover story, Bell Canada did issue a press release in which the company provided assurances that its customers' privacy was considered a priority and in the case of the Maclean's magazine ability to breach security, the information was obtained through "subterfuge and misrepresentation" according to Bell's press release.

The Bell press release continues, "This problem has affected others in our industry, both in Canada and the U.S. The Company is continuing to investigate whether there are any legal actions, either criminal or civil, that Bell or others in the industry, or government agencies can take to stop these fraudulent practices and protect consumers."

A modest proposal for security breach notification 

Currently, there's a significant debate raging in the United States as Congress considers a whole range of proposals related to an organization's obligation to notify individuals if the security related to personal information is compromised. The "gold standard" is that set out in California's legislation (Civil Code Sections 1798.29 and 1798.82), which requires notification of consumers if certain kinds of unencrypted personal information are disclosed. Other states have followed California's lead with varying degrees of similarity.

Many pro-privacy commentators are concerned that Congress will ultimately enact legislation, such as HR 4127, which will pre-empt state laws and will only require notification if there is "a reasonable basis to conclude that there is a significant risk of identity theft". This threshold is too high, it is argued, and consumers will never know when their information has been released. (See: DATA bill will not effectively help deal with the very real threat of ID theft.) Other commentators are concerned that if the threshold is too low, too many notices will be sent out to consumers and the notices will eventually be ignored and be meaningless.

For the purposes of the debate, allow me to suggest a compromise:

  1. The following information shall be defined to be "Sensitive Personal Information":
    • Social security number.
    • Driver's license number.
    • State-issued identification card number.
    • Passport number.
    • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
    • Information related to an individual's physical or mental health.
    • Telephone number, if it is unlisted.
    • Income information.
    • Information related to an individual's pardoned criminal convictions.
    • Information related to an individual's religious, political or other personal beliefs, unless such beliefs have been publicly communicated by the individual in a context where there is no reasonable expectation of privacy.
  2. Every organization shall be required to report all breaches or suspected breaches of Sensitive Personal Information (communication of such information to an unauthorized third party) to the Federal Trade Commission, along with details of the breach or suspected breach.
  3. The FTC shall develop guidelines to determine what information, if compromised, may reasonably place the individual at greater risk of fraud or other harms.
  4. The FTC shall promptly determine, with reference to the guidelines, whether the individuals should be notified. If the FTC is of the view that notification is warranted, it shall issue a binding order to the organization.
  5. A summary of all notifications made by organizations to the FTC shall be made available by the FTC on its website.

I don't think this is the magic bullet, but I expect it would satisfy the stated objectives of both sides of the debate.

Any thoughts? Comments are welcomed, either using the blog's comment feature or via e-mail.

UPDATE 20051121: Added reference to letter by privacy and consumer groups.

Sunday, November 20, 2005

Your life secrets, left in a taxi 

I didn't hear about this incident: Apparently last month, a USB "thumb drive" containing sensitive personal information of ONE HUNDRED TWENTY THOUSAND current and former patients of Wilcox Memorial Hospital in Hawai'i went missing. No word on where it went. (See: TheHawaiiChannel - KITV 4 News - Kauai Hospital Missing Drive With Patients' Social Security Numbers.)

Bob Sullivan, at MSNBC, uses it as an example of the latest challenges facing custodians of personal information: information is mobile and huge quantities of personal information can leave your control on thumb-drives, laptops, iPods, Blackberries and the like. See Your life secrets, left in a taxi - Security - MSNBC.com.

As I mentioned in a previous post about the Boeing missing laptop incident, the solution is to not let this information go on a walkabout. If you have an employee who needs access to sensitive data offsite, provide access using a secure VPN. And two-factor authentication. And a dumb terminal. That doesn't address all the data that goes on an unauthorized sojourn, but it does deal with those companies that let relatively unsecured data wander about in easily stolen devices.

South Africa considering privacy law 

From the Independent Online:

IOL: New legislation to protect privacy:

Giving out or selling people's personal information could land you behind bars for 10 years. With the introduction of laws protecting personal information, the police will also be barred from seizing documents containing communication between a professional legal adviser and his client.

And, if the Protection of Personal Information Bill is passed by parliament, it will be against the law to insist on being given certain information such as a person's sexual orientation, age, or religion.

The bill will introduce new laws protecting the right to privacy and regulating the way in which information is gathered.

Earlier this year, after a request from the minister of justice and constitutional development to beef up laws relating to personal information, the South African Law Reform Commission released a discussion document and draft legislation.

Who is reading your privacy statement and why? 

I've written loads of privacy statements and have probably reviewed five times as many since I started practicing privacy law. One of the first things that the writer of a privacy statement has to ask is, "who is the intended audience?" "Our customers" is invariably the reply. That's a start and gets you part-way there. I've found that not many people read privacy statements. Most are aware they exist, but don't care.

The main audience for privacy statements is almost always a subset of your customers: those who are privacy aware, those who have a specific question and those who are really upset about something. There's a secondary audience, too: regulators (such as the privacy commissioner), privacy activists and journalists who are looking for a "gotcha!". Writers of privacy statements need to keep this in mind.

Your privacy statement may make your lawyer happy and may be legally correct, but writing it in legalese and burying important provisions in the text are actually counter-productive. Nobody in your intended audience appreciates this, and doing so actually undermines whatever good stuff may be in your policy.

From time to time, journalists and columnists read the privacy policies from the companies with whom they deal and are often surprised with what they find. That certainly was the case with Nicole Brodeur of the Seattle Times, who took a gander at the Starbucks privacy policy and wrote a column for today's paper:

The Seattle Times: Local News: Your life is theirs to share:

Thought you were just getting a happy holiday Peppermint Mocha from Starbucks?

If you paid for it with a Starbucks card, you weren't so much warming yourself up as opening yourself up to a world where your personal information is traded like animal skins. After years of surfing, searching and shopping online, I took the time to read the coffee company's just-revised privacy policy, which opens by stressing the company's "foundation of trust."

A later paragraph made me wonder: "Unless permitted by law, no personal information is collected, without first obtaining your consent for the collection, use and sharing of that information."

Fine, but read on: "The provision of personal information to Starbucks means that you agree and consent that we may collect, use, and share your personal information in accordance with this privacy policy."

In other words, the simple act of giving personal information is implied consent for Starbucks to share that information with its "consultants, strategic partners, agents, distributors, suppliers, contractors and other companies," as well as third-party, credit-card processors, mailing houses, Web hosts and e-mail vendors.

That's a lot of people to share a couple of pounds of Christmas Blend with, isn't it?

Indeed, Starbucks is as connected as Santa. The company sees where you are surfing. It knows when you're online. It knows just what you bought for whom, so be patient as you try to "opt out." ...

The "problematic" paragraph in the policy reads:

Our website may also share information with companies that provide support services to us (such as credit card processors, mailing houses or web hosts) or that help us market our products and services (such as email vendors). These companies may need information about you in order to perform their functions. These companies are not authorized to use the information we share with them for any other purpose.

Frankly, all of this "sharing" of information is entirely reasonable (if you pay with Visa, that transaction won't process itself and Starbucks ain't your bank), but you can easily see how an upset customer or someone looking to make a story can read this paragraph to suggest they throw your personal information to the four winds.

If you have the task in your organization of writing or updating your privacy statement, be very aware of who will be reading it and how it can be interpreted.

I'll just run your card through our computer ... 

Saturday, November 19, 2005

The Rootkit of All Evil 

Dan Mitchell at the New York Times sums up some lessons learned from the Sony rootkit fiasco: The Rootkit of All Evil - New York Times. The same lessons apply for privacy problems (see Choicepoint, especially): "One, bloggers will catch you. And two, it's not the screw-up, it's the cover-up."

Cartoon: False sense of security 

Thanks to Bruce Schneier for pointing to this great cartoon: False sense of security.

Incident: PC containing personal information on +160K Boeing employees and retirees stolen 

A personal computer containing sensitive personal information on current and former Boeing employees has been stolen. The information included names, addresses, social insurance number and, in some cases, banking information. Boeing says that the information was password protected. The PC was being used by an employee off-site, but the company wouldn't elaborate on the details of the theft. See: The Seattle Times: Business & Technology: PC stolen from Boeing packed with employees' personal data.

Saying it is "password protected" isn't a lot of assurance, given that Windows login passwords are not very secure. (See The Canadian Privacy Law Blog: Don't worry, your data is password protected. Yeah? How?)

Rob Hyndman comments:

"All interesting, etc. etc., but really just another day in the wacky world of data security. For my part, it's difficult to understand why one would ever need the personal and banking information of 161,000 people on a laptop - so one can read it on the sofa? Or take it to that HR Symposium in Duluth, 'just in case'?"

In this day and age, with the widespread adoption of relatively secure remote access by VPN, it is difficult to see why this sort of sensitive information really needs to be on an easily stolen laptop.

Friday, November 18, 2005

Canadian Passport Office caught in document mix-up 

The Halifax Chronicle Herald is reporting on a mix-up from the Canadian Passport Office that has at least one person upset.

The ChronicleHerald.ca: Passport office passing the buck in document mix-up, woman says

When Alana Hines opened an envelope from Passport Canada recently, it contained more than her newest passport — she also found the complete credit card information, phone number, address and original marriage certificate for a stranger in Ontario.

Ms. Hines was not surprised, because the woman had called her at work earlier to say she received Ms. Hines’s marriage certificate and driver’s licence with her own new passport.

"I had her Visa number and her expiry date. I’m an honest person so I didn’t do anything with it but if it had gotten into the wrong hands, that could have been very serious," said Ms. Hines, of Dutch Settlement, Halifax County.

She called Passport Canada immediately but said the agency wasn’t any help.

"They tried to make excuses, they just said that they’d have to look into it and have somebody call me back. But they told me that I should try and contact (the Ontario woman) and see if she’d send my information back to me, and I didn’t believe that was acceptable, as they’re the ones that messed up."

Ms. Hines, who got married in August, had applied for a new passport Oct. 4 to reflect her married name. The passport arrived correctly but without the accompanying personal documents she had sent along with her application. And the ones she did receive had little in common to possibly explain the mix-up, she said.

...

Darce Fardy of the Nova Scotia Freedom of Information and Protection of Privacy Review Office said the mix-up is unacceptable.

"That is really awful, particularly for a government body."

Mr. Fardy said privacy concerns are becoming a big issue and easy access to personal information can quickly lead to fraud and identity theft.

"Those two people, they obviously knew that there was something wrong with this and that it was a privacy concern."

A Passport Canada spokesman said he was unaware Ms. Hines had not heard from the agency.

"We’re certainly going to recognize that incidents like this do happen but they are very rare," Dan Kingsbury said. "Obviously we take this kind of stuff very seriously."

...

Ms. Hines said she just wants to know how the mix-up happened and is disappointed with Passport Canada’s handling of the situation. "It was like they didn’t care."

Thursday, November 17, 2005

Careful when you send mass e-mails 

Any time you send an e-mail to 1780 people, make very sure what you are sending and to whom:

VTNZ currently investigating privacy botch up after customers' details circulated by e-mail:

18 November 2005

A computer glitch is being blamed after the private details of more than a thousand Vehicle Testing New Zealand customers were accidentally circulated by e-mail.

Yesterday, the company sent out reminder e-mails alerting motorists their registration was due.

However, attached was a list of 1780 names and addresses of other customers who were also sent reminder notices.

VTNZ is currently investigating the privacy botch up, but say at this stage it appears only a small number of customers received the attachment.

Incident: Indiana University says hacker had access to records of 5,300 students 

Another university-related security/privacy incident:

IU says hacker had access to records of 5,300 students

The Associated Press

BLOOMINGTON, Ind. - Personal information about nearly 5,300 Indiana University students might have been accessed by a computer hacker, school officials said.

Technicians discovered during a routine scan that three malicious software programs had been installed on a Kelley School of Business instructor's computer in mid-August, said James Anderson, the school's director of information technology.

'You're not going to find folks who are not malicious hackers who have access to these programs,' Anderson said. 'They are not something your average computer user would use. They are very cryptic and non user-friendly.'

The programs were accessed in early October, but it could not be determined whether any personal information was removed, the school said.

A letter was sent Friday to 5,278 students notifying them of the security breach. All of the students had been enrolled in an introduction to business course between 2001 and 2005.

Anderson said no misuse of personal information had been reported, but encouraged students who received the letter to take precautions, including a check of their credit report.

'We are completing an audit of all computers in the school to ensure that they are configured properly to automatically update antivirus software and system patches,' Kelley Dean Daniel Smith said.

Tuesday, November 15, 2005

Lawful access hits the house 

The federal government's "lawful access" legislation, also known as the Modernization of Investigative Techniques Act (MITA), was introduced in the House today. The government's press release is here: Legislation to modernize investigative techniques introduced today. I guess the bill's many critics are hoping for a quick election call.

Update: Michael Geist, who has been critical of the proposal since the beginning, has some things to say about Bill C-74: Michael Geist - The Lawful Access Spin.

MacLean's cover story on privacy and information brokers 

I pointed yesterday to a preview of MacLean's magazine's most recent cover story (see The Canadian Privacy Law Blog: That's a little cheeky: MacLean's Magazine buys Privacy Commissioner's cellphone records off the 'net). I saw the magazine on the newsstand today and, luckily, the article is available on the MacLean's website. A snippet:

Macleans.ca | Top Stories | Canada | You are exposed:

...Yet Maclean's was able to purchase the privacy commissioner's phone logs online from a U.S. data broker, no questions asked. For about US$200 per order, Locatecell.com delivered months of long-distance records from her Bell Canada home and cottage accounts. They were also able to access her Telus Mobility cellphone call logs for October -- a monthly bill she probably hadn't even received at the time. And all the Internet requests were turned around in a matter of hours. (In a test run, the company was also able to obtain the cell records of a senior Maclean's editor from Fido, a division of Rogers, the company that owns this magazine.) Reverse phone number lookup engines on federal government and phone company websites provided the identities of many of the people Stoddart called, or who called her. On Sept. 15, for example, there was a call from her Montreal home to a relative in Frelighsburgh, Que. On Oct. 15, she called the house of one of her communications advisers from her cellphone. And on Oct. 27, she twice called the desk of another. While many of the numbers on the bills were cellphones or unlisted, anyone looking to fill in the blanks would only have to call until they hit voicemail recordings.

Confidential phone records are just the latest breach in the levee of government laws and corporate policies intended to protect private and personal data. Abuses -- whether it is medical records being scattered about a Toronto street as "garbage" for a film shoot, or Edmonton police running the names of pesky reporters and lawyers -- are reported almost every week. And in the wired world, almost anything is available for a price. A British teen recently tracked down his sperm-donor father using his own DNA and two different for-hire databases.

Many of the same websites that offer call records advertise even more invasive services like "personality profiles," complete with sexual preferences, names of exes, and gossip from neighbours. Or email and instant messenger traces that will provide the name of the person who owns the account, and their location, sometimes down to the street they live on. While some of the sites demand a signed release from the person being sought for items like credit reports and driver's records, the "verification" process wouldn't be much of an impediment for anyone willing to commit some garden-variety forgery.

Stoddart, whose office website offers tips to foil those trying to access or steal personal information -- including the prompt removal of incoming mail from your mailbox and shredding those pre-approved credit card applications -- was not a particularly easy catch. Despite her years in the public eye, and the numerous interviews she has given to journalists, there was little on the record beyond her professional qualifications. No one Maclean's contacted had her cellphone number, knew her home address, or even basic family information like the name of her spouse. "I've always been fairly mistrustful of people," she says. "If people want my personal data, I want to know why." Nonetheless, a thorough Internet search with Google yielded enough bits and pieces of information to start the process rolling.

Monday, November 14, 2005

Bell Canada begins damage control after MacLean's cover story 

The most recent MacLean's magazine has a cover story on privacy, in which a reporter acquired the cell phone records of the federal Privacy Commissioner, Jennifer Stoddart (see: The Canadian Privacy Law Blog: That's a little cheeky: MacLean's Magazine buys Privacy Commissioner's cellphone records off the 'net).

Bell Canada has just issued this press release to deal with the fallout from the story:

Bell Canada statement on the protection of customer information: Financial News - Yahoo! Finance:

Monday November 14, 6:00 pm ET

MONTREAL, Nov. 14 /CNW Telbec/ - Bell Canada today issued the following statement in response to an article in Maclean's Magazine about some customer call information obtained from Bell and other telecommunications companies.

Bell has learned that a journalist working for Maclean's hired a U.S.-based information brokerage company to seek privileged call information records of a few customers of Canada's leading telecommunications providers including the Federal Privacy Commissioner.

Bell wishes to assure its customers that protecting the privacy of customer information is a serious matter for the Company. To this end, Bell has systems and procedures in place that are continually updated to better protect customer information.

In this case, the information was obtained through subterfuge and misrepresentation. Bell, other telecommunications companies and the customers involved were victims of fraudulent and unethical activity. We sincerely regret any embarrassment or inconvenience that has occurred.

As soon as the Company was made aware of this incident, it took additional steps to further tighten the safeguards in place to protect customer information. Unfortunately this may cause some inconvenience to customers legitimately requesting their personal information. We ask for their understanding as these procedures are for the protection of their private account information.

This problem has affected others in our industry, both in Canada and the U.S. The Company is continuing to investigate whether there are any legal actions, either criminal or civil, that Bell or others in the industry, or government agencies can take to stop these fraudulent practices and protect consumers.

Perhaps they can complain to the Privacy Commissioner?

Bill Requiring Notice of Breaches Goes Forward 

HR 4127, also known as the Data Accountability and Trust Act (DATA), has apparently crossed a preliminary hurdle in the House by passing the House Energy and Commerce committee's Subcommittee on Commerce, Trade and Consumer Protection.

This bill, among others, is rather unpopular as it sets a very high threshold for requiring notification of consumers of security breaches. "Security breach" is defined in a way that requires "a reasonable basis to conclude that there is a significant risk of identity theft":

(1) BREACH OF SECURITY- The term `breach of security' means the unauthorized acquisition of data in electronic form containing personal information that establishes a reasonable basis to conclude that there is a significant risk of identity theft to the individual to whom the personal information relates. The encryption of such data, combined with appropriate safeguards of the keys necessary to enable decryption of such data, shall establish a presumption that no such reasonable basis exists. Any such presumption may be rebutted by facts demonstrating that the method of encryption has been or is likely to be compromised.

And by the way, it pre-empts all similar state laws.

Read about the latest and some commentary on the bill: Bill Requiring Notice of Breaches Goes Forward - Computerworld

Ramasastry: Printers and Privacy Why Government-Sponsored Printer Identification Raises Serious Privacy Concerns 

Anita Ramasastry's most recent column on FindLaw is about the controversial printer tracking technology that was recently decoded by EFF: FindLaw's Writ - Ramasastry: Printers and Privacy Why Government-Sponsored Printer Identification Raises Serious Privacy Concerns.

Australian Privacy Commissioner deals with backlog; complaints take a year to be investigated 

Canadian privacy complainants have faced delays because of the backlog in the Office of the Privacy Commissioner. Notwithstanding that PIPEDA says the Commissioner's findings should be issued within twelve months, it has taken longer in many cases. The Australian Privacy Commissioner is facing similar problems, according to the annual report released recently. In some cases, it is taking twelve months to even begin an investigation and reports take an average of seventeen months. See: Delays raise privacy fears - National - smh.com.au.

Taking a closer look at "identity theft" statistics 

The Associated Press is distributing an article by Brian Bergstein that takes a closer look at the oft-cited statistics related to "identity theft." He, and the folks he has interviewed, suggest that the statistics of identity theft, particularly those based on public surveys, are probably overstating the problem. Probably a big part of the difficulty of coming up with meaningful statistics is the lack of agreement on what identity theft is.

We need to refine our vocabulary so that we are sure of what we are discussing. At least to me, "identity theft" is not simple cheque forgery or using a stolen credit card. That's basic fraud. Identity theft is not the illicit obtaining of personal information, by hacking, dumpster diving or otherwise. That might be theft of identifying information, but nobody's identity is stolen. To me, identity theft is the impersonation of an individual, without their knowledge, to obtain credit facilities or other such services. Perhaps a better term would be "identity hijacking", since the criminal is taking over that person's identity for his or her own purposes. Fraudulent charges and cheque forgery may be part of it, but it also includes obtaining new identity documents, new loans, mortgages and the like.

"Identity-related fraud" is the term I'd use for the larger basket of crimes that the media often call identity theft.

In any event, take a look at the informative AP article at the Chicago Tribune site: Chicago Tribune | Identity theft fears may be overblown.

That's a little cheeky: MacLean's Magazine buys Privacy Commissioner's cellphone records off the 'net 

CBC Arts is running an article on the newly revamped MacLean's Magazine. What does this have to do with privacy? Well, it offers a preview of the cover story in the next edition:

CBC Arts: Revamped Maclean's revives current affairs format

The cover story of the redesigned magazine is a "special investigation" of the way data brokers, most of them in the U.S., are accumulating private and personal information about Canadian citizens.

To prove the vulnerability of Canadians' private information, national correspondent Jonathon Gatehouse bought the phone records of Canada's privacy commissioner Jennifer Stoddart.

The redesigned cover has dropped its borders in favour of a full-page photo of Stoddart, looking startled, and five throw boxes pointing to stories inside. In the future, cover photos will be "candid," Whyte says. Also, a maple leaf has replaced the apostrophe in Maclean's.

Sunday, November 13, 2005

Georgia set to switch to state-wide student ID and database 

The State of Georgia is in the final phases of a fourteen million dollar effort to centralize massive amounts of information related to elementary, middle and senior school students in the state. Each student will be assigned a random number that will follow the student throughout their academic careers and will link to a central database of their academic records.

The system is meant to replace ad hoc, disparate data depositories that have used social security numbers to link students to their data. As with any project such as this, there are privacy concerns:

Macon Telegraph | 11/13/2005 | Statewide student ID system almost ready:

There's also a concern among teachers and parents about protecting students' private records.

"I have a problem with it. It could fall into the hands of the wrong people," said Ella Carter, principal of Northeast High School in Macon. Carter said the state already can access all of the information, so why store it in a giant database?

Carter said she received a letter in the mail two weeks ago that alerted her to monitor her credit report because she is on the state health benefit plan, and the Georgia Technology Authority, which has access to state records, had a recent data breach.

"As a parent, I really don't like the fact that my child's personal information is out there for someone to break into," said Kathy Brown, a Houston County High School parent. "We seem to be doing fine" without a statewide student ID system.

Any large state office keeping personal data brings concerns, said Woodard, the state information officer.

"We have built enormous security systems. Only a designated person from a district can get in," he said.

And that designated person can view only their local student records, he said.

At the state level, the data is open to the Office of School Readiness, the Department of Education, the Department of Technical and Adult Education and the Board of Regents.

And a designated state official can access the information for lawmakers.

"As long as it's used for honorable purposes, I'm all for it," said Rep. Larry O'Neal, R-Warner Robins. "Having direct student data means more than political whim or emotions we get from lobbyists. We are always glad to have valid data to explore in the lawmaking process."

Woodard said the state is talking to state education officials in Tennessee and South Carolina about sharing information to track students who move across state lines.

There doesn't seem to be any suggestion that the state has undertaken a privacy impact assessment, which would at least provide assurances that privacy issues have been thoroughly thought through.


Saturday, November 12, 2005

ChoicePoint sells access to FBI and Pentagon to track terrorists and others 

According to GovExec.com, a Freedom of Information Act request has revealed that embattled ChoicePoint has been providing extensive services to the FBI and the Defense Department, essentially providing access to its enormous databases that the US government would not be able to compile on its own.

www.GovExec.com - FBI, Pentagon pay for access to trove of public records (11/11/05):

"To help the government track suspected terrorists and spies who may be visiting or residing in this country, the FBI and the Defense Department for the past three years have been paying a Georgia-based company for access to its vast databases that contain billions of personal records about nearly every person -- citizens and noncitizens alike -- in the United States.

According to federal documents obtained by National Journal and Government Executive, among the services that ChoicePoint provides to the government is access to a previously undisclosed, and vaguely described, 'exclusive' data-searching system. This system in effect gives law enforcement and intelligence agents the ability to use the private data broker to do something that they legally can't -- keep tabs on nearly every American citizen and foreigner in the United States."

Thanks to beSpacific for the link: beSpacific: Gov't Pays Aggregator for Access to Extensive Database of Personal Info.


Friday, November 11, 2005

Sony to Stop Controversial CD Software 

According to the Associated Press, Sony music has just announced that it will no longer use the controversial XCP/Rootkit rights management software that many have criticized as oppressive and a potential security/privacy threat. From Yahoo!: Sony to Stop Controversial CD Software - Yahoo! News.


Thursday, November 10, 2005

Hawaiian criminal records now online 

Hawai'i is now making criminal and motor vehicle conviction records available online:

Criminal pasts now displayed on Web - The Honolulu Advertiser - Hawaii's Newspaper:

...'It provides a service where you don't force the public to come into the police station or downtown Honolulu to our offices and stand in line,' said Liane Moriyama, the data center director. 'We're trying to get electronic and provide more services out in the community.'...


The power of blogs to spread privacy stories 

I am amazed with the power of blogs and amateur journalists to start the ball rolling on what become news stories. Not long ago, nobody knew about Sony's rootkit. Then, a lone blogger posted Sony, Rootkits and Digital Rights Management Gone Too Far. Now, there are more than five hundred separate stories in the more conventional media that show up when you search Google News for "rootkit". Amazing.


Privacy advocates cheer lack of federal privacy law ... for now 

The US Congress is not likely to pass any of the personal information protection laws that are currently in consideration before the Christmas break, and consumer groups are actually happy. That's because many of the bills are weaker than state laws and will pre-empt those laws. See: Wired News: No Fed Security Laws, Hurrah!!.


Wednesday, November 09, 2005

California HealthCare Foundation Survey Finds Americans Have Acute Concerns about the Privacy of Their Personal Health Information 

The majority of Americans are concerned about the privacy of their health information and are unaware of their rights, according to a survey by the California HealthCare Foundation. Not a surprising finding, but needs to be said. From the Foundation's media release:

California HealthCare Foundation Survey Finds Americans Have Acute Concerns about the Privacy of Their Personal Health Information:

Wednesday November 9, 12:24 pm ET

However, Consumers Are Willing to Share Information If It Benefits Their Health

Study Underscores and Informs Efforts to Build National Health Care Network

WASHINGTON--(BUSINESS WIRE)--Nov. 9, 2005--Despite new federal protections, 67% of Americans remain concerned about the privacy of their personal health information and are largely unaware of their rights. Moreover, many consumers may be putting their health at risk with such behaviors as avoiding their regular doctor or forgoing needed tests, according to the National Consumer Health Privacy Survey 2005. The survey, released today by the California HealthCare Foundation (CHCF), also found that a majority of consumers are concerned that employers will use their medical information to limit job opportunities.

Despite these concerns, the survey revealed that consumers have a favorable view of health information technology and are willing to share their personal health data when it offers a benefit, such as improving the coordination or safety of their care. For example, 65% of consumers recognize that computerization could potentially reduce medical errors.

"These findings will help inform and guide efforts to build a nationwide health information network. Americans' privacy concerns pose potential barriers to realizing the significant benefits of health IT to improve health care quality, reduce medical errors, and lower health care costs," said Sam Karp, Chief Program Officer of CHCF, a nonprofit health care philanthropy based in Oakland, CA. "Without better education about their rights, strong privacy safeguards and vigorous enforcement, the public's support for health IT may be in jeopardy."

The new survey, conducted by Forrester Research, follows a groundbreaking 1999 study on medical privacy by CHCF. Since that time, national privacy protections have been implemented under the Health Insurance Portability and Accountability Act (HIPAA) and President Bush has pushed to adopt electronic medical records. The 2005 survey found that 67% of Americans continue to show high levels of concern about the privacy of their personal health information. Ethnic and racial minorities (73%) and chronically ill populations (67%) show the greatest concern. The survey also found that one in four consumers is aware of recent privacy breaches reported in the media. Of those who are aware of these incidents, 42% said the reports increased their concern about their own medical privacy.

Consumers are Unaware of Their Rights

A majority of survey respondents (67%) have some level of awareness of federal laws that protect the privacy and confidentiality of their personal health information. However, consumer awareness of privacy rights varies with education and race. Ethnic and racial minorities (60%) are the least likely to acknowledge or recall receiving a notification of their privacy rights.

Increase in Concern about Employer Access to Medical Information

Additionally, the survey found that concerns about employer use of medical claims information increased dramatically since 1999 (52% in 2005; 36% in 1999). Ethnic and racial minorities (61%), the chronically ill (55%), older workers (51%) and people with less education (53%) were significantly more concerned that an employer would use medical information to limit their job opportunities.

"Although employers work to ensure that their health plans or third party administrators always keep all medical claims data private and confidential, in line with federal and state laws as well professional ethics, this survey suggests that we need to work harder and communicate more effectively to reassure employees and their dependents," noted Helen Darling, President of the National Business Group on Health. "We need to demonstrate through frequent communications that trustworthy systems with many safeguards are in place to ensure that their records are safe and can never be used in ways they haven't authorized."

Consumers are Practicing Privacy Protective Behaviors

The survey found that one in eight consumers engage in behavior intended to protect his or her privacy. These "privacy protective behaviors" - asking their doctor to not record a health problem, going to another doctor to avoid telling their regular doctor about a health condition, and avoiding medical tests - suggest some consumers are putting their own health at risk. The chronically ill are more likely to risk their health over privacy concerns. Privacy protective behaviors have also increased for people with certain diseases, such as cancer, diabetes and depression.

"People should not have to sacrifice their health in order to shield themselves from job discrimination and loss of health benefits," said Janlori Goldman, Director of the Health Privacy Project, and a research scholar at Columbia University's College of Physicians and Surgeons. "The large rise in people fearful that their medical information will be used against them on the job makes it imperative to expand the scope of health privacy law to cover employers."

Consumers are Willing to Share their Health Information for a Benefit

Despite increased concerns about health care privacy, the survey found that most Americans (59%) are willing to share their personal health information when it is beneficial to their care, or could result in better coordination of medical treatment. The largest motivating factors for consumers to share their medical data are better treatment coordination (60%), enhanced coverage benefits (59%), and access to experimental treatments (58%). Consumers are most willing to share their medical information with their regular doctor (98%) or other doctors involved in their care (92%), but are less willing to share their data with drug companies (27%), and government agencies (20%).

Although consumers are more willing to share the medical information for a benefit, the survey found that 66% of consumers believe that health information stored in paper files is more secure, compared to 58% who believe electronic records are more secure.

An Executive Summary and detailed survey findings can be downloaded from the CHCF Web site at www.chcf.org/privacy.

The California HealthCare Foundation (CHCF), based in Oakland, is an independent philanthropy committed to improving California's health care delivery and financing systems. Visit www.chcf.org for more information.


"Live phishing" shows risk of personal info 

Don't talk to strangers. Oh, and don't give them personal information.

United Press International - Hi-Tech - Live phishing shows risk of personal info

WASHINGTON, Nov. 9 (UPI) -- Despite all the warnings about giving out personal information, many people still freely give away seemingly innocuous details that can be used to crack their passwords, according to the results of a "live phishing" survey.

The 18-question survey, conducted by RSA Security in New York City, asked respondents for information such as birth date, mother's maiden name and pet's name. The survey was touted as being about tourism in New York.

It found that 70 percent of the 108 respondents gave their mother's maiden name, and 90 percent gave their date and place of birth, according to a news release from RSA.

Additionally, almost 85 percent of respondents provided their full name, street address and e-mail address.

"A lot of personal information actually functions like a password and, as such, needs to be robustly protected," said Chris Young, RSA's vice president of consumer authentication services.


Incident: TransUnion notifies 3,600 consumers of data loss 

From ComputerWorld:

TransUnion notifies consumers of data loss - Computerworld:

NOVEMBER 09, 2005 (COMPUTERWORLD) - TransUnion LLC, one of the three major credit reporting companies in the U.S., today confirmed that a desktop computer containing the Social Security numbers and other sensitive information belonging to more than 3,600 consumers was stolen from one of its facilities in October....


Incident: Michigan reporter finds health information in medical centres' dumpsters 

Fraudsters, blackmailers and identity thieves are usually pretty quiet about what they find while dumpster diving. Reporters, on the other hand, are more than happy to tell you what they've found. This is the case with Amy Fox of WZZM in Michigan. Ms. Fox went on an expedition to check out the dumpsters in the vicinity of medical centres. She found that half of all unsecured dumpsters had personal health information, including some very sensitive information. Today is a day that I'm glad that I'm not Dr. Dorsey Ligon:

WZZM 13 Grand Rapids - Medical Privacy: Trashed

In the same dumpster, outside the same medical office complex, we found multiple documents from OB/GYN, Dr. Dorsey Ligon's office. We found forms with patients' names, addresses, social security numbers, and other identifiers like where they work. We also found a patient's hospital discharge report with detailed information about her hysterectomy and her history of treatment for depression. It's a document that disturbed Denise Chrysler of the Department of Community Health. She asked, "You said, in a dumpster?" That's right; we found the documents in an unprotected dumpster just outside of a doctor's office. Dr. Ligon's office gave us a statement about the strict measures in place to protect patients' privacy, including paper shredders throughout the office. The statement also says, "When a flaw in the system has been recognized we take immediate action to resolve the issue. Our patients can be assured that their expectation for privacy will be met."

Part II is here: WZZM 13 Grand Rapids - MEDICAL PRIVACY TRASHED PART 2


Verizon moves to thwart illicit info acquisition by investigative company 

Verizon, one of the largest wireless service providers in the United States, has obtained a court injunction to prevent Global Information Group Inc. from seeking customer information under false pretenses. Though the ComputerWorld article does not go into details, I have a hunch that this is part of the hubbub about companies that claim to sell cellular records (See: The Canadian Privacy Law Blog: Online Data Gets Personal: Cell Phone Records for Sale). Check out the ComputerWorld article: Verizon moves to thwart ID theft by Fla. investigative firm - Computerworld.


Purdue ceases use of Social Security Number as student IDs 

Purdue University is joining the hundreds of other universities that have given up on using social security numbers as a form of student ID number. See: The Exponent - Purdue's Independent Student Newspaper.


Tuesday, November 08, 2005

Southcoast Blood Bank stops using SS numbers for ID 

If you don't need particular information, don't collect it. Do not collect it particularly if that information can put others at risk. A blood bank in Bedford, Mass. learned the hard way and has stopped requiring social security numbers from donors. An employee allegedly tried to steal the identity of a donor, forcing the rethink. See: Southcoast Blood Bank stops using SS numbers for ID.


ChoicePoint filing suggests further 17,000 affected consumers 

ChoicePoint's most recent 10-Q filing with the SEC suggests that an additional 17,000 consumers were affected by the high-profile data breach. See: ChoicePoint filing: 17,000 more may be fraud victims - 2005-11-08.

It's interesting to look at the filing itself, just to get a flavour of the cost of this issue to ChoicePoint and its impact upon their bottom line:

CHOICEPOINT INC (Form: 10-Q, Received: 11/08/2005 15:01:50):

Fraudulent Data Access

ChoicePoint’s review of the Los Angeles fraudulent data access described in the Company’s Form 10-K for the year ended December 31, 2004 and other similar incidents is ongoing. The Company currently expects that the number of consumers to which it will send notice of potential fraudulent data access will increase from the approximately 162,000 consumers it has notified to date, but the Company does not anticipate that the increase will be significant.

As previously disclosed in the Company’s Form 10-K for the year ended December 31, 2004, ChoicePoint is continuing to strengthen its customer credentialing procedures and is recredentialing components of its customer base, particularly customers that have access to products that contain personally identifiable information. Further, the Company continues to review and investigate other matters related to credentialing and customer use. The Company’s investigations as well as those of law enforcement continue. The Company believes that there are other instances that will likely result in notification to consumers. As previously stated, the Company intends for consumers to be notified, irrespective of current state law requirements, if it is determined that their sensitive personally identifiable information has been acquired by unauthorized parties. The Company does not believe that the impact from notifying affected consumers will be material to the financial position, results of operations or cash flows of the Company.

On March 4, 2005, ChoicePoint announced that the Company will discontinue the sale of certain information services that contain sensitive consumer data, including social security numbers, except (1) where there is either a specific consumer driven transaction or benefit, or (2) where such services serve as authentication or fraud prevention tools provided to large accredited customers with existing consumer relationships, or (3) where the services support federal, state or local government and law enforcement purposes. The Company cannot currently accurately estimate the future impact that the customer fraud, related events and the decision to discontinue certain services will have on our operating results and financial condition. The Company will review various technology investments in this small business segment as well as other related costs incurred in serving this segment.

ChoicePoint incurred $5.4 million ($3.3 million net of taxes) in the first quarter of 2005, $6.0 million ($3.7 million net of taxes) in the second quarter of 2005, and $4.0 million ($2.5 million net of taxes) in the third quarter of 2005 for specific expenses related to the fraudulent data access previously disclosed. Approximately $2.0 million of the $15.5 million total charges through September 30, 2005 were for communications to, and credit reports and credit monitoring for, individuals receiving notice of the fraudulent data access and approximately $13.5 million for legal expenses and other professional fees. The Company currently estimates that it will incur additional incremental expenses as a result of the fraudulent data access of approximately $3 to $5 million in the fourth quarter of 2005. In addition, the publicity associated with these events or changes in regulation may materially harm the business and ChoicePoint’s relationship with customers or data suppliers.

The Company is involved in several legal proceedings or investigations that relate to these matters, as described in “Legal Proceedings” of this Form 10-Q. ChoicePoint is unable at this time to predict the outcome of these actions. The ultimate resolution of these matters could have a material adverse impact on the financial results, financial condition, and liquidity and on the trading price of the Company’s common stock. Regardless of the merits and ultimate outcome of these lawsuits and other proceedings, litigation and proceedings of this type are expensive and will require that substantial Company resources and executive time be devoted to defend these proceedings.

Security Breaches and Misuse of Information Services

Security breaches in the Company’s facilities, computer networks, and databases may cause harm to ChoicePoint’s business and reputation and result in a loss of customers. Many security measures have been instituted to protect the systems and to assure the marketplace that these systems are secure. However, despite such security measures, the Company’s systems may be vulnerable to physical intrusion, computer viruses, attacks by hackers or similar disruptive problems. Users may also obtain improper access to the Company’s information services if they use stolen identities or other fraudulent means to become ChoicePoint customers or by improperly accessing ChoicePoint’s information services through legitimate customer accounts. If users gain improper access to ChoicePoint’s databases, they may be able to steal, publish, delete or modify confidential third-party information that is stored or transmitted on the networks. A security or privacy breach may affect ChoicePoint in a variety of ways, including but not limited to, the following ways:

  • deterring customers from using ChoicePoint’s products and services or resulting in a loss of existing customers;
  • deterring data suppliers from supplying data to the Company;
  • harming the Company’s reputation;
  • exposing ChoicePoint to litigation and other liabilities;
  • increasing operating expenses to correct problems caused by the breach;
  • affecting the Company’s ability to meet customers’ expectations;
  • causing inquiry from governmental authorities; or
  • legislation that could materially affect the Company’s operations.

The Company expects that, despite its ongoing efforts to prevent fraudulent or improper activity, in the future it may detect additional incidents in which consumer data has been fraudulently or improperly acquired. The number of potentially affected consumers identified by any future incidents is obviously unknown.


Lawful Access on CBC's The Current 

The second hour of CBC Radio's "The Current" was devoted to a very interesting discussion of the latest on lawful access in Canada. You can listen in Real Audio by clicking here. A synopsis is here:

CBC Radio | The Current | Whole Show Blow-by-Blow:

The Current: Part 2

Lawful Access – Part One

We started this segment with the music of Robin Rimbaud, also known around the world as Scanner. He's a British musician and artist who began his career as a self-titled "techno data-pirate." Using a portable radio scanner, he would pluck cell-phone conversations from the ether--anything from arguments to phone-sex sessions to gossip---and then layer these voice snippets over music and sound. His work is haunting but controversial because he's often accused of invading other peoples' privacy.

Well, they're not planning to make music, but Canadian law enforcement groups are facing some similar privacy accusations when it comes to their latest plans to sample things from peoples' personal cyberspace.

This month, parliament debates a bill that will give the RCMP and CSIS access to everything WE access on the Internet---from the sites we surf, to the things we buy, to the people we instant message and e-mail. It's called the Lawful Access Initiative, and it's been in the works since October of 2000.

Those in favour say the new law will replace a terribly outmoded one, drawn up in the days before cell phones, voice mail and high speed internet. The original 1974 law HAS been updated but police say the latest technological leaps have left some of their investigations in the dust.

And so the debate over when email should just be between friends, has begun in earnest. Michael Geist is the Canada Research Chair in Internet & E-commerce Law at the University of Ottawa, and we reached him at his home.

Lawful Access – Part Two

Proponents of the new lawful access bill say that far from threatening our security and privacy, these changes go a long way towards increasing our government's ability to protect us.

Wesley Wark is one of them. He's a national security expert and professor at the University of Toronto's Munk Center for International Studies. He joined us from Guelph this morning.

Listen to The Current: Part 2


Montreal pair charged with N.B. debit card scam 

CTV News is reporting the arrest of two people in New Brunswick for allegedly skimming debit cards at a bank machine near Moncton: CTV.ca | Montreal pair charged with N.B. debit card scam.


Monday, November 07, 2005

Wal-Mart Installs New Equipment to Protect Financial Privacy of Wal-Mart Shoppers With Visual Impairments 

Here's a good news story: Wal-Mart is rolling out a new device that makes it easier for the visually impaired to enter their own PINs and other confidential information at the point of sale. Without devices such as these, blind customers apparently have had to rely upon having someone do the data entry for them, raising the risk that the information will be overheard or even abused by the person who assists them. See the media release via Yahoo! Finance: Wal-Mart Installs New Equipment to Protect Financial Privacy of Wal-Mart Shoppers With Visual Impairments: Financial News - Yahoo! Finance.


Website for lovers scorned 

I wrote about a month ago about a relatively new website, DontDateHimGirl.com, that allows women to share their stories of cheating boyfriends and husbands. These are apparently to serve as a warning to others. It's a veritable rogues' gallery on the site. (See: The Canadian Privacy Law Blog: On website, women identify cheaters.)

CanWest News Service has run a feature about the site in many of its papers today. I spoke with the reporter on Friday and the article is an interesting read. Unfortunately, it is available only to subscribers to the Canada.com network and the individual newspapers, but the bit about the legal aspect of the site is below:

The men profiled on the site would probably agree. At present, a number of them are attempting to launch a class-action lawsuit against the site.

But Ms. Joseph, who created the online database with legal counsel, believes she is protected by U.S. law.

According to a privacy lawyer from Halifax, that may not be the case in Canada.

“If the person’s reputation is in Canada, and they are in Canada, and likely the person who posted the information is in Canada, there’s more than enough connection for Canadian defamation law to apply,” says David T.S. Fraser, chairman of the Privacy Practice Group at McInnes Cooper. But he hastens to add the statements aren’t considered defamatory if they’re true.

“If you’re a slug,” says Mr. Fraser, “it’s only appropriate people know you’re a slug.”


Sunday, November 06, 2005

Homeland Security rights chief urges Muslim fliers to register 

I think we might see some backlash against the proposition that Muslims in the United States should pre-register with the Department of Homeland Security if they want to fly on a commercial aircraft. It is a bit ironic that it is coming from the head of Civil Rights for the DHS. And I would have thought that they would have spun this a little better. I'm not so sure that too many people will be comfortable with handing the DHS a completed "Passenger Identity Verification Form", including name, address, birth date, height, weight, eye and hair color, and attaching copies of three of the following documents: passport, visa, birth certificate, naturalization certificate, voter registration card, government identity card or military identity card. The more suspicious and cynical among us might think that law enforcement and intelligence folks may keep that information on hand and use it for other purposes. See: Homeland Security rights chief urges Muslim fliers to register (phillyBurbs.com) | New Jersey News.


National Security Letters under the microscope 

The Washington Post has a very long and equally interesting article on "national security letters", a new tool given to the FBI under the USA Patriot Act. Their use is growing quickly and, as importantly, the FBI is putting all information gleaned by this mechanism into large databases. Thanks to Daniel Solove at Concurring Opinions for pointing to this article:

The FBI's Secret Scrutiny

The FBI now issues more than 30,000 national security letters a year, according to government sources, a hundredfold increase over historic norms. The letters -- one of which can be used to sweep up the records of many people -- are extending the bureau's reach as never before into the telephone calls, correspondence and financial lives of ordinary Americans.

Issued by FBI field supervisors, national security letters do not need the imprimatur of a prosecutor, grand jury or judge. They receive no review after the fact by the Justice Department or Congress. The executive branch maintains only statistics, which are incomplete and confined to classified reports. The Bush administration defeated legislation and a lawsuit to require a public accounting, and has offered no example in which the use of a national security letter helped disrupt a terrorist plot.

The burgeoning use of national security letters coincides with an unannounced decision to deposit all the information they yield into government data banks -- and to share those private records widely, in the federal government and beyond. In late 2003, the Bush administration reversed a long-standing policy requiring agents to destroy their files on innocent American citizens, companies and residents when investigations closed. Late last month, President Bush signed Executive Order 13388, expanding access to those files for "state, local and tribal" governments and for "appropriate private sector entities," which are not defined.

National security letters offer a case study of the impact of the Patriot Act outside the spotlight of political debate. Drafted in haste after the Sept. 11, 2001, attacks, the law's 132 pages wrought scores of changes in the landscape of intelligence and law enforcement. Many received far more attention than the amendments to a seemingly pedestrian power to review "transactional records." But few if any other provisions touch as many ordinary Americans without their knowledge.

Senior FBI officials acknowledged in interviews that the proliferation of national security letters results primarily from the bureau's new authority to collect intimate facts about people who are not suspected of any wrongdoing. Criticized for failure to detect the Sept. 11 plot, the bureau now casts a much wider net, using national security letters to generate leads as well as to pursue them. Casual or unwitting contact with a suspect -- a single telephone call, for example -- may attract the attention of investigators and subject a person to scrutiny about which he never learns.


Friday, November 04, 2005

More on Sony's DRM rootkit and the Sony 'update' 

The internet has been abuzz over the last week about the discovery of digital rights management software that is installed when users attempt to play certain Sony CDs on their Windows PCs. The software is installed without the knowledge of the user and adopts many of the characteristics of "malware" or malicious software. (See the blog post that started it all: Mark's Sysinternals Blog: Sony, Rootkits and Digital Rights Management Gone Too Far). Since then, Sony has released an update that Sony says removes the software, but some are reporting that the update is equally sneaky:

Freedom to Tinker - SonyBMG and First4Internet Release Mysterious Software Update

... The update is more than 3.5 megabytes in size, and it appears to contain new versions of almost all the files included in the initial installation of the entire DRM system, as well as creating some new files. In short, they’re not just taking away the rootkit-like function — they’re almost certainly adding things to the system as well. And once again, they’re not disclosing what they’re doing.

No doubt they’ll ask us to just trust them. I wouldn’t. The companies still assert — falsely — that the original rootkit-like software “does not compromise security” and “[t]here should be no concern” about it. So I wouldn’t put much faith in any claim that the new update is harmless. And the companies claim to have developed “new ways of cloaking files on a hard drive”. So I wouldn’t derive much comfort from carefully worded assertions that they have removed “the … component .. that has been discussed”.

The companies need to come clean with the public — their customers — about what they did in the first place, and what they are doing now. At the very least, they need to tell us what is in the software update they’re now distributing....

UPDATE: Mark of Mark's Sysinternals blog has done some dissecting of the Sony DRM uninstaller and is not at all pleased with what he has found: Mark's Sysinternals Blog: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home.

  1. Users are required to provide personal information, including their e-mail address, to download the patch.
  2. The Sony privacy policy says your address will be added to their marketing lists.
  3. The software "phones home", meaning it connects to Sony's computers, though the EULA says it specifically does not.
  4. The software is buggy and likely will not uninstall properly.
  5. The software may crash your PC.

I haven't verified any of this myself, but it shows that there are likely real privacy risks with this and that Sony's PR problems aren't close to being over. [Added 2005.11.05 @ 0653]


Incident: Medical center posts personal information on the internet 

A medical centre in Columbus, Ohio is reported to have mistakenly posted patient appointment information on the internet. The information included the names, social security numbers, birth dates and the reasons for the particular appointments for 2800 people. See: Patients' personal information mistakenly posted online.


US parties split on proposed data protection and notification laws 

The Washington Post is continuing to chronicle the ongoing debate between the US political parties on proposals to implement a federal privacy law to protect consumers against identity theft. Privacy advocates are very concerned that the process will result in a weak law that pre-empts much more rigorous state laws, such as that in California. The California law is largely responsible for the wave of publicity about privacy breaches in the last year.

Parties Split on Data-Protection Bill:

"... Under the bill, data brokers and other firms that store consumer data would have to notify consumers that their information was breached only when it was determined that a 'significant risk' of identity theft or other fraud might result.

That decision would be made by the company that was breached, which Democrats said was akin to having no requirement at all.

This year alone, tens of millions of consumers have been notified of breaches at information brokers such as ChoicePoint Inc. and LexisNexis, financial institutions, government agencies, universities, online retailers and other firms.

Many notices were sent out under a California law that covers any firm doing business in the state.

'No notices would have gone out under the standard put forth in this bill,' which would preempt state laws, said Rep. Janice D. Schakowsky (D-Ill.). 'We would not have known how badly corporations treat personal information, nor would consumers have been able to take action to protect themselves -- even from financial identity theft -- if this bill had been in place in February 2005.'

Data brokers, direct marketers, financial institutions and several large technology companies supported the approach of the bill, as did FTC Chairman Deborah P. Majoras. They argue that thieves or hackers cannot always use data they might gain access to, and that bombarding consumers with notices every time a breach occurs would cause people to ignore them...."


Thursday, November 03, 2005

Incident: Privacy breach at University of Tennessee 

Yet another privacy incident, this time from University of Tennessee:

University notifies staff, students of security breach:

"Approximately 1,900 students have been contacted by the University of Tennessee regarding a Web site that accidentally posted their social security numbers online from April 2004 to early October of this year, and all others affected will be notified by early next week.

“There is absolutely no evidence that anything malicious happened to the social security numbers,” said Brice Bible, assistant vice president and acting chief information officer for OIT. “However, we felt it was the right thing to do to inform students that something could happen, and they should feel completely confident that the university is protecting them.”

A mistaken configuration of archives of the main system allowed the records to be seen publicly rather than kept private, but Bible said that the university as well as OIT has done everything possible to ensure the privacy and safety of the students.

“Students need to be assured that the university — from the chancellor to every member of the staff — takes the protection of students very, very seriously,” he said.

The majority of the identification numbers belonged to students, however, a small amount included university employees, and according to a statement, UT is currently taking steps to perfect Web security and access to student information.

Karen Collins, director of media relations, also emphasized the security measures taken by the university to protect students and their personal information.

“UT has gone above and beyond to make sure all records are kept private, and managed in that matter. Very aggressive steps have been taken to monitor any hacking, as well as to ensure that the Web site was taken down immediately,” Collins said. “We have worked very hard to quickly notify anyone whose data was misused.”

Collins added that the social security numbers were not posted on a main or department Web page, but on an archive page of one of 800 list-servers.

Bible also would like students to know that many actions have been taken to ensure that a similar incident does not reoccur, and no other identifying information of each student was released.

Any other information concerning issues such as credit fraud, identity theft and credit is available at http://security.utk.edu."


Microsoft Advocates Comprehensive Federal Privacy Legislation 

Microsoft has come out in favour of a national privacy law for the United States. Notably, this proposal calls for the federal law to pre-empt state laws that may be more onerous. From the Microsoft release:

Microsoft Advocates Comprehensive Federal Privacy Legislation: General counsel outlines framework to protect consumers and promote online commerce.:

WASHINGTON — Nov. 3, 2005 — Microsoft Corp. today announced its support for a comprehensive legislative approach at the federal level on the issue of data privacy. In a speech delivered to the Congressional Internet Caucus, Brad Smith, senior vice president and general counsel for Microsoft, told Caucus members that “the time has come” for a strong national standard for privacy protection that will benefit consumers and set clear guidelines for businesses while still allowing commerce to flourish.

Smith explained the three key factors that have led Microsoft to support a comprehensive federal legislative response: an increasingly complex patchwork of state, federal and even international laws related to data privacy and security; the potential for consumer fears about identity theft and other online dangers to dampen online commerce; and the increasing consumer desire for more control over the collection and use of online and offline personal information.

“The growing focus on privacy at both state and federal levels has resulted in an increasingly rapid adoption of well-intended privacy laws that are at times overlapping, inconsistent and often incomplete,” Smith said. “This is not only confusing for businesses, but it also leaves consumers unprotected. A single federal approach will create a common standard for protection that consumers and businesses can understand and count on.”

Smith noted an increasing level of concern from Americans on the subject of identity theft over the Internet.

“Individuals will not take full advantage of the Internet or any commercial medium if they believe that their information or data could be compromised or disclosed in unexpected ways,” Smith said. “There is a causal link here: protecting consumers promotes commerce, and that’s good for everyone.”

The third factor — consumers’ increasing desire for more control over the collection and use of their personal information — springs from the response to the increasingly aggressive tactics of computer criminals.

“We’ve seen a spate of legislative activity in the aftermath of several highly publicized data breaches, but for consumers, the reality is still pretty daunting. They do not necessarily have a better experience and in many cases still do not clearly understand how companies are collecting, using and disclosing their personal information in the first place,” Smith said. “We have to make this more transparent and manageable for consumers.”

“Microsoft’s call for strong national privacy legislation is a landmark moment in the cause of establishing and protecting individual privacy rights online,” said Jerry Berman, president of the Center for Democracy and Technology. “Microsoft’s privacy legislation commitment creates momentum for a serious effort to establish consumer privacy expectations for the digital age. While we have not reached consensus on all of the provisions of a privacy bill, we applaud Microsoft’s willingness to work actively with other high-tech companies, consumer organizations and policymakers to make serious privacy legislation a reality.”

Smith described four core principles that Microsoft believes should be the foundation of any federal legislation on data privacy:

  • Create a baseline standard across all organizations and industries for offline and online data collection and storage. This federal standard should pre-empt state laws and, as much as possible, be consistent with privacy laws around the world.
  • Increase transparency regarding the collection, use and disclosure of personal information. This would include a range of notification and access functions, such as simplified, consumer-friendly privacy notices and features that permit individuals to access and manage their personal information collected online.
  • Provide meaningful levels of control over the use and disclosure of personal information. This approach should balance a requirement for organizations to obtain individuals’ consent before using and disclosing information with the need to make the requirements flexible for businesses, while avoiding bombarding consumers with excessive and unnecessary levels of choice.
  • Ensure a minimum level of security for personal information in storage and transit. A federal standard should require organizations to take reasonable steps to secure and protect critical data against unauthorized access, use, disclosure, modification and loss of personal information.

Peter Cullen, Microsoft’s chief privacy strategist responsible for managing and promoting the company’s implementation of privacy across its products, services and processes, reinforced the need for and value of a uniform approach that complements technological advances.

“Microsoft’s overarching goal for privacy continues to be to create a trusted environment for Internet users,” Cullen said. “We have woven privacy into the DNA of Microsoft, from product development to deployment, and decisions are made with privacy in mind. A comprehensive legislative approach to privacy that applies across the country would be part of the solution to give all consumers strong privacy and security protection, and allow everyone to realize the full potential that the Internet and technology can provide.”

There is growing support throughout the technology industry for a more standardized approach to data privacy. Leading companies such as HP have voiced support for a federal legislative approach and have incorporated similar ideals into their standard operating procedures.

Barb Lawler, HP’s chief privacy officer, concurs with Cullen. “HP believes a uniform federal approach to data privacy would provide a consistent level of expectation for consumers and business continuity for corporations,” Lawler said. “HP believes that upholding the highest standards for the protection of personal information is a business imperative and, through our ‘Design for Privacy’ initiative, we integrate privacy into every facet of our business processes, products and services.”


Wired News: Fatal Flaw Weakens RFID Passports 

Bruce Schneier has a great article at Wired News on the new RFID-enabled passports that the US Government is introducing. It chronicles the security problems and the (halfway) solutions offered by the US State Department. It is very interesting reading, both for those interested in the actual project and for those interested in the problems that can arise in projects with privacy issues that require a high level of technical expertise:

Wired News: Fatal Flaw Weakens RFID Passports

"...The State Department has done a great job addressing specific security and privacy concerns, but its lack of technical skills is hurting it. The collision-avoidance ID is just one example of where, apparently, the State Department didn't have enough of the expertise it needed to do this right.

Of course it can fix the problem, but the real issue is how many other problems like this are lurking in the details of its design? We don't know, and I doubt the State Department knows either. The only way to vet its design, and to convince us that RFID is necessary, would be to open it up to public scrutiny.

The State Department's plan to issue RFID passports by October 2006 is both precipitous and risky. It made a mistake designing this behind closed doors. There needs to be some pretty serious quality assurance and testing before deploying this system, and this includes careful security evaluations by independent security experts. Right now the State Department has no intention of doing that; it's already committed to a scheme before knowing if it even works or if it protects privacy."


What Can Really be Done w/o a SSN? 

Slashdot is an online community of self-confessed nerds. Many of the nerds care a lot about privacy, know a lot about technology and have some interesting discussions about it from time to time. Most recently, a user asked what sort of identity-theft/fraud mischief one can get into without a social security number:

Slashdot | Identity Theft-What Can Really be Done w/o a SSN?:

"TheItalianGuy asks: 'Many of us that work in the financial sector are bombarded with daily security threats. One of the biggest these days is Identity Theft. My fellow comrades and I have been really grilling each other on differing scenarios on what could be done with what information. However, it all seems to come back to the Social Security Number. Financial companies have other controls in place (customer service verification checking, account passwords, etc) to ensure identification. But in order to be of any use, a bad guy would really need someone's SSN. Absent of that, other information would be useless. Right? That's what I would like to ask Slashdot folks. What could be realistically done with customer information without a SSN? Account numbers, address, maybe a phone or payment amount. Is that really dangerous to the customer if only those get compromised?' "

Perhaps the most interesting and chilling response was from an anonymous user:

As part of my studies on "How easy is it to steal you"... I walked the UT Quad in Austin on the first day of school with some fake credit card apps... I had 100 apps in the first hour all with SSN, mother's maiden name, birthdays, the whole shebang. We found out that all you have to do is offer a t-shirt and some candy and these kids will give you anything you ask for. We tried asking for absurd stuff like bank account numbers, "This card can also act as a debit card if we have your bank information...", paypal info, "We can tie your new credit card into your paypal account too... all we need is your username and password."... we got everything we needed to totally rob someone... Here is the best part... you know all the disclaimer text on the CC apps... we worded ours to say EXACTLY what we were doing... Not a single person read the information... had they, they would have seen that...
"I certify that the information above is correct and that this application is not a real credit card application. I hereby grant the final holder of this document all rights to this information to use as needed to assume my identity. All information requested on this document can be used to assume my identity. Never give your personal information out to anyone who does not have direct cause to have this information known."

It's insane what you can get people to give you...


Wisconsin reissues cards after CardSystems breach 

The largest bank based in Wisconsin has replaced a number of customers' debit and credit cards after the high-profile CardSystems breach: JS Online: M&I reissues credit, debit cards.


Wednesday, November 02, 2005

Second New Brunswick Minister resigns over new privacy breach 

The New Brunswick cabinet minister responsible for the Family and Community Services portfolio has recently resigned because of a leak of confidential personal information to the media. This is the second resignation from the NB cabinet over a privacy leak. From CTV News:

CTV.ca | N.B. minister resigns over privacy breach:

"SAINT JOHN, N.B. - New Brunswick Premier Bernard Lord has had to accept the resignation of yet another cabinet minister who blurted private information in public.

Tony Huntjens, New Brunswick's Family and Community Services Minister, resigned Monday after he released the identity of a ward of the province to a newspaper reporter.

Huntjens is the second minister in three months to quit after mistakenly releasing information that is supposed to be kept private.

Environment Minister Brenda Fowlie quit in the summer after she blabbed about a zoning issue involving a Liberal politician...."


Patent for turning a phone into an eavesdropping device 

Engadget is pointing to a recently-filed patent application for a "call override feature" that automatically answers the phone if the caller is authorized, in effect turning the phone into a mobile eavesdropping device. In Engadget's words:

Sony Ericsson files patent for cellphone eavesdropping feature - Engadget - www.engadget.com:

"To some jittery parents, that voicemail rollover might as well be a death rattle when trying to check-in on their untethered teenagers. In an age of unfettered options for tracking your human of choice, it's no surprise to find a US patent filed by Sony Ericsson that will turn an unanswered cellphone into an eavesdropping device. The "call override feature" would automatically answer the phone from any flagged phone number (like that of a parent) allowing the caller to listen-in and then communicate over the phone's loudspeaker with whoever might be within ear-shot. The filing also calls for the ability to disable this auto-answer mode by entering a PIN which would allow parents to always monitor their kids while grandma could still whoop it up at Bingo without her handbag shouting "Ma, you ok! MAA!?" Seems something like this is just going to create more problems on that slippery-slope of control than it will assuage given spotty coverage, tech-savvy teens, forgetful elders, and any number of valid reasons to be disconnected."


No privacy in Finland? 

How weird is this?

The place that has no secrets...:

"Wed Nov 2, 2005 10:05 AM ET

By Daniel Frykholm

HELSINKI (Reuters) - Care to find out what your neighbor earned last year, or how much your partner really has stashed in the bank? In Finland you can -- and a lot of people did Wednesday.

Every November when the Nordic nation's tax records of the previous year become public, Finns indulge on a massive scale in satisfying their curiosity about each other's finances.

Newspapers were crammed with lists of the wealthiest and highest-earning men and women in 2004.

Veroporssi, a private firm which offers income details on everyone in Finland via mobile text message, said it was its busiest day of the year and had no time to comment.

Iltalehti tabloid devoted a 24-page supplement to juicy details on which celebrity earned what, while sports stars like Formula 1's Kimi Raikkonen and Liverpool footballer Sami Hyypia, who escape high taxes by living abroad, were highlighted for being "zero-income millionaires."

"People have always been interested in taxation, because in Finland you don't talk about your income, it's considered very vulgar, and even more impolite is to ask what someone earns," said Reijo Ruokanen, managing editor of Iltalehti.

"This is your chance to see if you're keeping up with the Joneses."

In a country where keeping your head down and not sticking out has traditionally been considered a virtue, the tax and income publication is a chance to brag a bit, Ruokanen said.

"A lot of them don't like it when we publish their names, but for some it's a way to be known as wealthy people without having to say so for themselves."

So who's the richest man of the republic?

Aatos Erkko, the main owner of media house SanomaWSOY, topped the list with a personal fortune of 192 million euros, while Olli Riikala, an executive of U.S. General Electric, was the top wage earner, making 5.3 million euros."


Ontario's open adoption records bill passes in vote 

Ontario's controversial law to open adoption records (past and future) has passed in the Ontario legislature: CTV.ca | Ontario's adoption records bill passes in vote.


The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.