Tuesday, December 15, 2009

Great Article

I intend to take the balance of the year (two plus weeks) off from this column. In the meantime the link below is to a very good article written by a colleague, Julie Friend. I would encourage everyone to read this piece that shows how data loss and identity theft can have far reaching effects on individuals and businesses alike.

Someone recently told me that the release of those emails proved that the case for climate change was overstated. This individual was showing his ignorance of the realities of global weather changes. Similarly, I see a number of people who should know better who think that those of us who write and work in the field of data protection are overstating the case. I guarantee that not one single victim or breached business would agree with that. Ms. Friend and I along with many others have seen too many cases of devastating loss, arrest, character assassination, and records corruption to think for a moment that this is an overstated issue. If anything we have not reached enough people.

Originally published in Voluntary Benefits magazine, the article is linked here with Ms. Friend's gracious permission.

http://www.voluntarybenefitsmagazine.com/article-detail.php?issue=issue-7&article=identity-theft%20%E2%80%93-yes-it%E2%80%99s-real-and-it-can-happen-to-you!



Monday, December 7, 2009

New Massachusetts Regulations Go into Effect in March


Now is the time to start gearing up for compliance with the Bay State's strict new data protection regulations, reports the Boston Herald. The rules take effect in March. Businesses that ignore them "could be at risk," said Bob Baker of the Smaller Business Association of New England. The regulations are widely considered the strictest in the nation. They require entities that possess personal information on any Massachusetts resident to employ certain measures to protect that data. According to Barbara Anthony of the Massachusetts Office of Consumer Affairs, the goal of the law is to "create a culture of security consciousness with respect to the handling of personal information." Editor's note: Privacy Tracker subscribers, for a compliance guide on the Mass. data protection regulations, visit the Privacy Tracker Web site.
Full Story

All covered businesses should follow these guidelines carefully. What will happen within the next 12 months is that this will become a federal set of regulations, and at that point there will be no time to argue over compliance and exemptions. Smart companies will put this sort of program in effect prior to that.

Thursday, December 3, 2009

Two Important Stories

These two stories, although seemingly unrelated, point out two aspects of identity theft that are very much related. In January of this year the Kaiser Permanente Group headquarters in Oakland, CA, experienced a breach of employee personal information from its Human Resources offices. The person charged with the theft was a temporary worker in that office.

We see in these stories the relationship between the current economic climate, a crime of opportunity that will generate cash for the thief, temporary workers who have no real sense of responsibility to the employer, and the irrefutable fact that while we can be diligent with our personal information, it is mostly in the hands of businesses and governments, and out of our control.

Business owners and Privacy specialists need to take stock of company risk by assessing their internal systems, and putting in place policy guidelines for employees to deal with sensitive information, and procedures for handling breaches when they occur.

All individuals need to be reminded that their ultimate information security policy should include tools to deal with these corporate breaches that result in identity theft. Individuals cannot correct their own insurance or SSA files, their DMV records, and other databases once they are corrupted by identity theft fallout. We need the help of professionals in the business of restoring the identities of fraud victims.

Medical ID Theft on the Rise
The recession has contributed to a rise in medical identity theft, and as health records move online, the problem is expected to worsen, reports the Wall Street Journal. "Medical identity theft is the fastest-growing form of identity theft," says Jim Quiggle of the Coalition Against Insurance Fraud. Most of the fraud occurs at the hands of healthcare workers who are paid to sell patients' information, the report states. Incidents of medical identity fraud are highest in states with large retiree populations. Experts advise consumers to monitor their medical and credit records, keep insurance cards private and avoid providing personal information over the phone.

Full Story

Temporary Workers Come with Risk
'Tis the season to keep an eye on temporary workers, according to the general manager of the Payment Card Industry Security Standards Council. "Vigilance is key," Bob Russo told Computerworld, adding that it's a good time of year for managers to "hover over" workers. Russo says that temps, especially, can pose a data security risk to businesses. He recommends that organizations conduct background checks and training, and says they should take care to get their access controls in place. Other tips include monitoring the use of handheld scanners, reviewing log data daily and implementing "hard" firewall policies.
Full Story

Monday, November 30, 2009

Breached Record Count Skyrockets

Forbes reports on the numbers of data breaches during the first 11 months of 2009. According to the Identity Theft Resource Center, government agencies and businesses reported 435 breaches as of November 17, the report states. But that number, which would indicate a 50 percent reduction from last year's statistics, is deceiving, says Forbes. "In fact, the number of personal records that were exposed...has skyrocketed to 220 million records...compared with 35 million in 2008." The report highlights two of this year's major breaches--Heartland Payment Systems and the National Archives and Records Administration.


Anyone who is still of the impression that data breach is a fading issue needs to understand this.
The people who are actively seeking to steal and sell sensitive personal information are getting better at it. This is large-scale international crime and the profits are tremendous.
Often the persons responsible for the collection of these data are not the identity thieves. The lists and files are sold as many times as is feasible to anyone who can pay. Organizations from al Qaeda to international underground immigration rings have been linked to the use of stolen identifiable information to further their operations.

In the speaking engagements I do I always advocate the use of common sense when it comes to safeguarding your personal information, but also that almost all identity theft is the result of large-scale data theft and therefore cannot be prevented by us as individuals.
If there is one lesson I hope everyone takes from this, it is to understand the scope of data theft and identity theft. To understand it is to be able to secure ourselves much as we do for our health, by having a mitigating protection such as we do with healthcare insurance. But keep in mind that identity theft "insurance" per se cannot replace money lost to identity theft, only out-of-pocket expenses incurred by you, the victim, in pursuit of clearing up an identity theft episode. Only a restoration service can clear up records and reinstate the victim to pre-theft status.

Wednesday, November 25, 2009

Keeping Personal Data Private

The Personal Data Privacy and Security Act of 2009 went to the full Senate earlier this month and a New York Times editorial says that Senate leaders should find the time to vote on it. Sponsored by Vermont Senator Patrick Leahy, the bill "would put more protections in place for personal data" and would fill the gap in federal data protection legislation. "There are many important issues competing for Congress's attention," the editors state, "but keeping people's personal information safe should rank high on the list." The bill would criminalize the concealment of security breaches and mandate encryption, among other requirements.
Full Story

Happy Thanksgiving everyone!

Monday, November 16, 2009

Another Suit Filed Over Red Flags Rule


The American Institute of CPAs (AICPA) has filed a lawsuit against the Federal Trade Commission (FTC) over the Red Flags Rule, reports WebCPA.com. AICPA says the FTC is wrong to interpret that the rule should apply to accountants. The Red Flags Rule requires that financial institutions and creditors take certain measures to prevent and recognize identity theft. "We do not believe that there is any reasonably foreseeable risk of identity theft when CPA clients are billed for services rendered," said AICPA president and CEO Barry Melancon. Late last month a U.S. District Court judge granted an American Bar Association motion to prevent the FTC from holding practicing attorneys accountable to the rule.
Full Story

Anyone who has read or even scanned the Red Flags legislation cannot help but see that it is intended to lower the incidence of identity theft through a sensitivity to and understanding of what some of the causes are. Attorneys seem to be more sensitive to having oversight from outside their ranks than to stopping identity theft. I am pretty certain, however, that when an attorney suffers at the hands of identity thieves he wants to know what the company whose compromise caused the theft had done to safeguard his information prior to the breach. Not wanting to lose their own thunder, the lobbyists for CPAs feel the need for their own exemption. That is evident in the statement by Mr. Melancon, who mistakenly links billing to theft. It isn't the billing, Mr. Melancon; it's the data lying about in your company waiting for someone to walk out with it on a CD, or to hack your servers and get it.

Again, "When you safeguard the information you keep on others you are protecting them. When someone else does it they are protecting you."


Monday, November 2, 2009

Red Flags Delayed Until June 1, 2010

At the request of Members of Congress, the Federal Trade Commission is delaying enforcement of the "Red Flags" Rule until June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC.
Read the FTC Announcement:
http://www.ftc.gov/opa/2009/10/redflags.shtm

And in a related story, I am sorry to report:

The American Bar Association is celebrating a ruling by the U.S. District Court for the District of Columbia barring the Federal Trade Commission (FTC) from applying the requirements of the Red Flags Rule to attorneys.
"This ruling is an important victory for American lawyers and the clients we serve," ABA President Carolyn B. Lamm said in a written statement. "The court recognized that the Federal Trade Commission's interpretation of the Fair and Accurate Credit Transactions Act (FACTA) over-reaches and its application to lawyers is unreasonable. By voiding the FTC's interpretation of a statute that was clearly not intended to apply to the legal profession, the court has ensured that lawyers stay focused on the mission of their work: providing aid and counsel to the individuals and organizations that need us."
The FTC is expected to appeal the Court's ruling. FTC General Counsel Willard Tom said, "It's safe to assume the Commission is going to consider its options very seriously. We think there is no reason lawyers should be exempt."
Read more:
Ruling bars application of FTC 'Red Flags Rule' to legal profession

http://www.wisbar.org/AM/Template.cfm?Section=News&Template=/CM/ContentDisplay.cfm&ContentID=87099

I hope the legal profession is aware that a lot of people (including me) are going to pay close attention to the security practices of law firms. This means, of course, that law firms will no longer be tossing paper client records into dumpsters, as has happened several times in the last year and, if police reports are accurate, seems to be a favorite way for law firms to dispose of old records. As I reported last year, I also had two encounters where a County Superior Court judge handed out materials on recycled paper containing personal and banking information that had previously been entered into evidence. The way I see it, the legal profession has shown itself to be not only ignorant of the intention of the laws but also, perhaps out of industry hubris, unable to bear being regulated by an outside authority.

When your or my identity is misused by thieves as the result of a law firm's lax information security practices, will we really care that they successfully lobbied for exemption from a procedure that might well have prevented the crime from even happening? What are they celebrating, a win?

Thursday, October 29, 2009

The FBI Favors A National Breach Notification Standard

The Federal Bureau of Investigation is in favor of a national data breach notification standard, reports Nextgov.com. Agency officials say it would help law enforcement fight cybercrime, the report states. During a cybersecurity discussion in Washington yesterday, the head of the FBI's Cyber Criminal Section said such a standard "would help us tremendously, particularly in terms of efficiency in conducting investigations." Troy said that widespread reporting would help cyber cops discover links and potentially prevent similar attacks. Senator Leahy's Personal Data Privacy and Security Act, introduced in July, and a Senate cybersecurity bill to be introduced this year includes or will include breach-notification rules.
Full Story

I've long said that unless the states can get together and pass comprehensive legislation to enforce data breach notification then the Federal government will.

Then there is this from Javelin Research,

Breach Notifications Fall Flat on Consumers

The Credit Union Times reports on study findings that suggest consumers do not understand the importance of data breach notifications and, as a result, fail to protect themselves from fraud. Javelin Strategy and Research says that consumers who have been notified of a breach of their data were four times more likely than the public at large to experience fraud, the report states. The firm said that 19 percent of consumers who received a data breach notification over the past year have become the victims of fraud within a year of the notification. Full Story

Perhaps federal regulations will also help to improve public awareness. In my experience almost no one is aware of the breadth of identity theft and its various permutations until they get some honest education on the subject. Then almost to a person they see the beauty of notifications and what that can mean as an early warning. They also usually see the great benefit of having a good service in place ahead of time.

When you are a victim of identity theft, what do you really want in a service? Do you want an "insurance policy", or do you want comprehensive restoration? Since insurance can ONLY replace out-of-pocket expenses incurred when trying to perform your own restoration, what is the point of underwritten insurance?

How about credit monitoring? Is that of any real help if there isn't any follow up to work with the victim to clear the erroneous notations and record entries? Again, without restoration no monitoring service is of any substantial value.

Wednesday, October 28, 2009

Red Flags Exemptions for Small Businesses

This is very important for all business owners to read.

The U.S. House of Representatives this week unanimously passed legislation that would exempt certain small organizations from complying with the Red Flags Rules.

H.R. 3763 unanimously passed the U.S. House of Representatives this week, and would amend FACTA and the component Identity Theft Red Flags Rule to exclude health care, accounting, and legal practices with 20 or fewer employees from having to comply with the regulations, set to be enforced starting next month.

Also, the bill would create a provision to enable other businesses to apply for exemption. To be exempt from complying with the regulation, the bill stipulates that a business would have to meet at least one of the following guidelines:
It must know all of its customers or clients individually;
It must only perform services in or around the residences of its customers; or
It must not have experienced incidents of identity theft, and identity theft must be rare for businesses of its type.
The bill now will move to the U.S. Senate Committee on Banking, Housing, and Urban Affairs for a vote.

It is not yet known whether this pending bill will further delay the FTC's enforcement of the Red Flags Rule, which is still currently set to begin on 1 November, 2009. Read more:
New ID theft rules may not pertain to small businesses
by: Angela Moscaritolo, SCMagazine.com

Friday, October 16, 2009

Which Story to Post? Payroll company loses PII, and Underreporting losses

It isn't often I am faced with a decision as to which story to post here. I generally shy away from reporting specific breaches unless the particular story reinforces a point I am trying to stress regarding employee training perhaps or simple gross negligence in the face of what should be common knowledge amongst the business community.
In this case however, I found two such stories on the same day and have them here for you.

The Washington Post reports that, for the second time in a month, hackers have gained the login credentials of PayChoice clients. The company sent a notice to customers yesterday to let them know that thieves had exploited a weakness in the password-change component of the company's online payroll portal, the report states. PayChoice has since disabled the site and modified logins. In its e-mail alert to clients, PayChoice said "...we determined that valid user credentials...were used in an unauthorized manner to...have payments made to fraudulent bank accounts." Full Story

There is simply no excuse for a payroll company to have such an incident in light of the laws in effect (FACTA Red Flags Rules specifically), that require them to take specific precautions to prevent just such a breach.

This next item shows clearly that giving discretion to breached entities as to whether and when to report breaches serves no one. People who have had their information mishandled or lost while it is in the trust of an organization have the right to know about their increased risk so that they might take appropriate steps to protect themselves. That is the problem I and others have with reporting laws that give wide discretion to not report, or to delay reporting, information losses.

The results of an audit involving the loss of Connecticut taxpayers' data show the state took too long to determine whether confidential information was compromised, reports The Day. The names and Social Security numbers of 106,000 Connecticut taxpayers were exposed when a Department of Revenue Services (DRS) employee's laptop was stolen from a parked car. "DRS botched its initial response to the theft," said AG Richard Blumenthal who took part in the audit. "Inexcusably, our tax agency exposed more than 100,000 taxpayers for nearly a week to possible plundering of personal assets." But Blumenthal hailed DRS for tightening access controls, encrypting data and developing data breach procedures since then. Full Story

Thursday, October 15, 2009

Extraordinary Quote

"The more people who have your data, the greater likelihood that either they're going to lose it or a rogue employee will abuse it," said Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University.

We could use more people like Fred Cate.

Wednesday, October 14, 2009

IRS Personal Identity Security Issues

The Internal Revenue Service says that efforts to help protect taxpayers from identity fraud, spearheaded by the agency's Online Fraud Detection and Prevention Office, are paying off. The agency points to more than 3,000 suspected phishing and fraud-related Web sites being shuttered since the office opened in 2007. However, Government Computer News reports that the IRS also struggles with internal data security, and that hundreds of taxpayers were affected by 149 breaches last year. A Government Accountability Office report said the "IRS has information security weaknesses that increase the likelihood of IRS employees committing identity theft," which the IRS attributes to weakness in authorization and authentication. Full Story

Every federal agency is struggling with these issues. This is yet another reminder that information security is a paramount problem. Personal information is fast becoming the most valuable asset within any enterprise: not just company secrets but personal information on employees and customers. Our information is in many places where we have no control over its security. Even the agencies and enterprises have no absolute control, as you see here. At last count, in 2008, approximately 62% of all breaches were the result of employees taking the data out of the office for the purpose of selling it or using it themselves for financial gain.

Friday, October 9, 2009

So Much for Red Flags?


A Maryland Bank Tosses Personal Records in the Trash.


I am shocked but frankly not surprised to see this story. Even though banks were among the businesses that were supposed to be Red Flags compliant prior to November 2008, I can guarantee that many are not. It is just as obvious that they do not take the intention of training seriously, as is outlined in the FACT Act (where the Red Flags Rule comes from). FACTA supplemental material from the FTC makes training an important component of any data protection program. I don't think anyone who reads this column would have done something as irresponsible as tossing out personal records so haphazardly. The reason is that you are aware of the risks. Prepare the bank employees with the same sensitivity and this story would not have needed to be written. It's not as much about signing off on a compliance document as it is about understanding why compliance needs to be done. Since it is the rank-and-file employee who handles personal information on the job, it is not sufficient for banks and other businesses to orient only management staff. Security is only as good as the weakest link.

A number of customers in Rodgers Forge, Maryland were upset to learn that the institution which recently took over the local branch of the former Bradford Bank has been less than protective of their personal and banking information. Baltimore television station ABC2 reports that pages of documents were found discarded and unshredded in a trash bin outside the bank. Among them were bank statements and security-related information, days-old cancelled checks and photocopied driver's licenses. IAPP past president Chris Zoladz, CIPP, founder of the privacy consultancy Navigate LLC, comments on the breach. Full Story

Wednesday, October 7, 2009

What is a Financial Institution or Creditor?

When I speak to business owners about the new Red Flags Rule (FACTA), I am often confronted by a common response: "We are not a financial institution." I hear that from law firms, accountancies, stock brokerages, and many other types of businesses that by the definitions below are financial institutions.

In an attempt to clarify once and for all what the Federal Trade Commission considers to be a “creditor” or a “financial institution” the links below will hopefully provide a definitive explanation.

The FTC recently clarified that “creditors” covered under the Red Flags Rule are as defined by the Equal Credit Opportunity Act (ECOA). This broad ECOA definition of creditor includes any business that bills or invoices customers after products are delivered or services are rendered.

The ECOA definition includes many small businesses and professionals such as contractors, consultants, lawyers, doctors, retailers and a spectrum of clinics and practices in the health care industry including those that submit medical insurance claims on behalf of patients.

From my business experience, the ECOA definition covers most every business and many public and volunteer sector organizations too, because at least on occasion, most of them bill or invoice for goods or services after they are delivered. An FTC staff attorney said that if a business bills more than once every two years, they should consider the business covered.

Congress Seeks Repeal of HHS Breach Rule

Members of the House Committee on Energy and Commerce are concerned that the data breach notification provision included in the HITECH Act may have been undermined by a Health and Human Services rule, known as the "harm threshold," which gives breached companies leeway in deciding whether notice may be required. In a letter to HHS Secretary Kathleen Sebelius, committee chair Rep. Henry Waxman (D-CA) and other members of the committee urged the secretary to revise or repeal the provision, published in late September. Privacy watchdogs claim the HHS rule was drafted under pressure from the healthcare industry to eliminate possible financial repercussions stemming from a health information data breach. Full Story

I was heartened to see this news item. As I have said before, harm thresholds give too much discretionary power to the breached entity in determining whether, and whom, to notify of a breach of NPI. The point of notification laws is twofold: to put teeth in the data protection legislation so that private and public enterprises will take heed, and to give potential victims the advantage of an early warning when a breach does occur, giving them the opportunity to respond and protect themselves.

While there needs to be a modicum of discretion on the part of investigators of data breaches to not reveal information that might compromise the discovery of evidence, it is the responsibility of the company or agency to make certain the victims are aware of the breach(es).

No business can really afford the fallout from a data breach, both in public confidence and the direct financial losses and fines. A proactive approach to information protection is essential including the identity theft awareness training of all staff regardless of job title.

Friday, October 2, 2009

76 Million Veteran Records in Question

The inspector general of the National Archives and Records Administration (NARA) is investigating a potential data breach involving the sensitive data of 76 million military veterans, reports Wired. The records were contained on a failed hard drive that was returned to a contractor for repair without first being sanitized, the report states. The contractor passed along the drive, which was beyond repair, to a recycling firm. The NARA IT manager who reported the incident to the inspector general told Wired: "This is the single largest release of personally identifiable information by the government ever." NARA says it does not believe there was a breach of PII. Full Story

Ladies and gentlemen, let me make this as clear as a bell for you. There is only ONE way to ensure that a hard drive is safe to recycle. Do not listen to any other advice!

There is only ONE certain way to render a drive of any kind useless to data thieves. DRIVE A BIG NAIL THROUGH THE DISK. If it is a flash drive, smash it with a hammer, and smash it good. Never recycle a laptop, photocopier, server, desktop computer, or fax machine unless you, the user, render the drives useless. Never leave it to anyone else to do.
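The post above treats physical destruction as the only safe disposal. As an added example, not from the original post, the shell script below shows on a throwaway image file why a delete or "quick format" is not sanitization and what a verified overwrite looks like; it uses only dd, grep and tr, and the image path and the sample record are constructed for the demo. Two caveats a practitioner would add to the post. First, a failed drive, as in the NARA case, cannot be overwritten at all, so the only protection is to have had the data encrypted at rest before the drive ever left the building. Second, flash media does not reliably honor a software overwrite because of wear leveling, which is why NIST SP 800-88 (Guidelines for Media Sanitization) distinguishes overwrite from the device's built-in secure-erase command and from physical destruction; pick the method by media type, and verify it.

```shell
#!/bin/sh
# Added example, not the blog author's code. A plain file stands in for a block
# device so this runs offline; pointing IMG at a real /dev/sdX would destroy it.

MARKER='SSN=123-45-6789 CONSTRUCTED-SAMPLE-RECORD'   # constructed sample PII
IMG_KIB=1024                                          # 1 MiB test image

# make_image FILE: zero-filled image with the sample record buried at 512 KiB.
make_image() {
    dd if=/dev/zero of="$1" bs=1024 count="$IMG_KIB" 2>/dev/null
    printf '%s' "$MARKER" | dd of="$1" bs=1 seek=524288 conv=notrunc 2>/dev/null
}

# marker_present FILE: prints 1 if the record can still be carved out of the raw
# bytes, 0 otherwise. This is exactly what a recycler with a hex editor does.
marker_present() {
    if grep -a -q "$MARKER" "$1"; then echo 1; else echo 0; fi
}

# quick_format FILE: zero only the first 4 KiB, as a quick format or partition
# table wipe does. The file system looks empty; the data is untouched.
quick_format() {
    dd if=/dev/zero of="$1" bs=1024 count=4 conv=notrunc 2>/dev/null
}

# sanitize_image FILE: overwrite every byte (random pass, then zero pass), then
# read the whole image back and confirm nothing but zeros remains.
# Returns 0 on verified success, 1 if verification finds non-zero bytes.
sanitize_image() {
    kib=$(( $(wc -c < "$1") / 1024 ))
    dd if=/dev/urandom of="$1" bs=1024 count="$kib" conv=notrunc 2>/dev/null
    dd if=/dev/zero    of="$1" bs=1024 count="$kib" conv=notrunc 2>/dev/null
    # verification pass: delete zero bytes; any byte left over means the overwrite
    # did not cover the whole device. Never skip this step on real hardware.
    leftover=$(tr -d '\000' < "$1" | wc -c | tr -d ' ')
    [ "$leftover" -eq 0 ]
}

# demo_run: walk the three states and report what a recycler could recover.
demo_run() {
    img=$(mktemp) || return 1
    make_image "$img"
    echo "fresh image, record recoverable: $(marker_present "$img")"
    quick_format "$img"
    echo "after quick format, record recoverable: $(marker_present "$img")"
    if sanitize_image "$img"; then
        echo "after verified overwrite, record recoverable: $(marker_present "$img")"
    else
        echo "overwrite FAILED verification; do not release this drive"
    fi
    rm -f "$img"
}

demo_run
```

On a real disk the same pattern applies: overwrite the whole device, read it back, and only then let it leave your custody. If the device cannot be read back (a failed drive) or is flash, the overwrite route is not available and the drive's secure-erase command or the hammer is the answer.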

Tuesday, September 29, 2009

They Keep Sending the Faxes

For all of you who still are under the illusion that data breaches can be prevented I submit the following...

Doctors in three Tennessee cities have been sending sensitive patient information to the fax machine of an Indiana businessman for three years, reports the Tennessean.com. "This is a total breach of privacy," said the recipient of the faxes, Bill Keith. Despite repeated attempts to correct the problem, including calls, faxes and e-mails to state officials and the doctors' offices, Keith says his office continues to receive about five faxes each week that contain patients' data, including medical histories and Social Security numbers. A Department of Human Services spokesperson described the situation as "troubling." Full Story

Monday, September 28, 2009

Only 163,000 Breached Records Contained Social Security Numbers!

The University of North Carolina is notifying 163,000 women that their personally identifiable information was exposed in a security breach, reports Computerworld. A hacker broke into a system containing records on women who participated in a federally-funded research project. The information of more than 236,000 women who have participated in the UNC School of Medicine mammography research study was exposed, but only 163,000 records contained Social Security numbers. The breach was discovered in July. The system was taken offline. A university spokesperson said that UNC is implementing precautions to prevent future breaches. Full Story

Now what do you think about breach notification laws? UNC believes these intrusions might go back several years and the women affected are just being notified now. Does this provide the best opportunity for the potential victims to prepare for what might result in the worst legal nightmare they will ever experience? How many of them are already having difficulties as the result of these breaches?

This also illustrates once again that our personal information is out there in hundreds if not thousands of lists and databases of all types. It really doesn't matter much to information thieves where the info is as long as they can get it. If there is a list somewhere that has value to a data thief then it is a target.

I will always maintain that the best defense against these and other types of data misuse is to have a service that will work for you in the event of a data theft episode. Don't wait until after the fact, have something in place first. Most services will not provide the same level of services after your identity is misused as they will as a preventive tool unless you pay a healthy fee. It is more cost effective to have a service in place first. When you consider that the average identity theft episode costs over $90K an identity theft service provides an amazing ROI.

Thursday, September 24, 2009

Protecting Employee Information in the Hands of Others

In Business Management Daily, Susan Lessack of Pepper Hamilton LLP offers guidance on protecting employee data handled by third-party vendors. Lessack says: "A good contract with your vendor is your best protection against liability," and cites specific terms to include in contracts, such as those that limit the number of people who can access the data. Lessack says that, although the vendor may be reluctant to enter into such a term, the contract "should stipulate that the vendor is legally responsible for any data breach that occurs during its engagement, and that it will indemnify you and your employees for any actions resulting from a breach." Full Story

At Pre-Paid Legal those of us who are qualified to work with companies in establishing a policy framework for information protection and risk management have taken this provision of the Red Flags Rule to heart as it deals with third-party contractors. We ask every client company to inform all of their contractors of the efforts they have made to protect PII and to request that they do the same or similar. It is just smart business to complete the loop of data security. Even an office cleaning service should adhere to the basic rules of security. I have visited numerous businesses where the cleaning service has more or less unlimited access to hard copy left on desks, in wastebaskets, and on file cabinets, to name a few. When we include all contractors in the security formula a much better understanding of personal information security is created, which gives rise to the FTC term "Culture of Security" that we are hopefully all striving for.

The recommendations of the FTC are sound. All RFIs and contracts should contain such language. In the not too distant future all federal government contracts will contain this kind of clause, I believe. As regards liability, FACTA clearly gives liability to all parties who share non-public information. If a company hires an HR service, for example, and that contractor suffers a breach of that information, then the liability is shared by both companies. Even if identity theft does not occur, both firms can be sued for a "failure to adequately protect the information." There is no requirement under such circumstances to prove pecuniary damages.

Monday, September 21, 2009

New ID Theft Bill Introduced in the Senate

A new bill was introduced in the US Senate that would establish a new FTC office. This notice is very timely for me since I have been talking about such legislation.
New York State Senator Charles Schumer has introduced a bill aimed at helping prevent and diagnose identity theft, reports the Evening Observer. The Personal Data Privacy and Security Act would increase penalties for those who commit the crime and would make it illegal for organizations to conceal a security breach involving personal data. The law would also require entities that hold personal data to establish data protection policies. "Identity theft is a scourge on hard-working Americans, and it is a problem that is getting worse," said Schumer. The act would also establish an Office of Federal Identity Protection within the Federal Trade Commission.

For about 6 years the Federal Trade Commission has offered guidelines for businesses and other enterprises that have files and records containing personal data either of employees past and present, or of customers, or client companies such as HR and payroll businesses.
These guidelines were offered as a way for industry to police its own operations and to train personnel on protecting the non-public information they handle.

These recommendations have been largely ignored by all but the companies regulated by the banking authorities such as the FDIC. During that time identity theft has become epidemic and is currently costing American business and individuals in excess of $45 billion annually. This figure does not reflect the identity theft losses due to personal theft and fraud, only those incidents that are the result of database losses.

Now in 2009 we are faced with legislation that will require all businesses, schools, and municipalities to take specific measures to thwart these crimes. This will likely be more costly than the voluntary measures previously on the table.

Moreover, the reporting aspect of this bill requiring business to reveal breaches to potential victims will have a profound effect on the public confidence of the breached businesses. In economic times such as we are in that is something businesses can hardly afford. Investigations into breaches will also be hampered by this requirement, and I'm certain that we will see push back from business on that point.

It is sad to see that businesses would rather do nothing than take basic measures to safeguard information. My mantra holds true: "When you protect the information you hold on others you are protecting them. When someone else does it they are protecting you."

Our data is only as safe as the weakest link. And with literally thousands of databases containing our personal data there are thousands of weak links to contend with.

Thursday, September 17, 2009

Breach Notification Rule Effective Next Week

The new HIPAA breach notification rule takes effect next week, reports HR.blr.com. The rule requires entities covered by the Health Insurance Portability and Accountability Act to notify individuals in the event their personal health information is breached, the report states. Starting on September 23, any healthcare provider, health plan or other HIPAA-covered entity that experiences a breach must notify those affected "as soon as reasonably possible," unless the organization protects the information using encryption or destruction, in which case they need not notify. If the breach involves more than 500 individuals, the organization must also notify the Department of Health and Human Services and the media.

This constitutes a real milestone in stemming identity theft on a federal level. As this bill passes we will have the first leg of a national reporting policy for all personal data loss. No legislation is perfect. There is still a threshold test for notifying potential victims, and we will most likely always have a conflict between notifying victims and investigating breaches. This is however a good beginning. The remaining conflict of course is the timeliness of the notification. Once notified of a breach individuals should be empowered to provide protection for themselves before any damage is done. The best scenario is to have this in place prior to a breach so that the potential victim will have the early warning and restoration services of professional identity theft specialists.

Wednesday, September 9, 2009

Red Flags Rule Extension

I will be away for a bit on a business trip. Until I return please see the following.
This article is copied from today's newsletter from the law firm of Wiley Rein.

Red Flags Rule Deadline Again Extended
By Amy E. Worlton, William B. Baker and Hugh Latimer, September 2009 Privacy in Focus

The Federal Trade Commission (FTC) will "delay enforcement" until November 1, 2009, of the Red Flags Rule, previously scheduled to begin in August 2009. The delay reflects FTC recognition that some businesses may need more time to develop and implement written identity theft prevention programs.

The Red Flags Rule may apply to companies that bill consumers in arrears (i.e., payment is not due at the time of service but at a later point). Even telecom companies, which are generally exempt from FTC jurisdiction, are likely subject to the Red Flags Rule, because they bill in arrears. Such companies are "creditors" subject to the consumer protections of the Fair and Accurate Credit Transactions Act and the Fair Credit Reporting Act. The Red Flags Rule, adopted under these statutes, requires a "creditor" with "covered accounts" to establish a written program for the identification, detection and response to "Red Flags", patterns or specific activities that could indicate identity theft.

The FTC's Red Flags Rule requires no particular practice or procedure. Rather, businesses must tailor their identity-theft-prevention programs to their particular risks. For example, "Red Flags" that probably require a response include alerts from consumer reporting agencies, law enforcement agencies or consumers themselves. Accounts should be monitored for unusual activity to the extent they are susceptible to fraudulent use. Businesses should verify new customer information, authenticate existing account holders and verify the validity of address change requests. (For more on the Red Flags Rule, see May 2009 Privacy In Focus.)

Companies should ensure that their identity-theft-prevention programs are up and running by November 1, as the FTC is unlikely to extend the enforcement deadline again.

It is vital for all of us to stay focused on a good privacy policy that is aimed at eliminating breaches of personal information. A proactive approach is the most effective way to achieve that goal.

Friday, September 4, 2009

Medical Identity Theft is on the Rise

According to the Identity Theft Resource Center (ITRC), medical identity theft is on the rise as health insurance fraud becomes more common. NetworkWorld reports that, according to an ITRC study of 2008 identity theft victims, 67 percent had been charged for medical procedures they hadn't received and 11 percent were denied health or life insurance for unexplained reasons, possibly because of incorrect information resulting from fraudulent insurance claims. The NetworkWorld article includes a summary of the worst medical data breach incidents from 2009, including: Virginia Department of Health Professions hack (8 million+); Peninsula Orthopaedic Associates robbery (100K) and Moore's Cancer Center hack (30K).

Most companies hold personal medical information on their staff for purposes of health insurance, incident reports, cafeteria plans, and so forth. It was only about two years ago that there was a general consensus among professionals that medical identity theft was largely overstated, despite warnings that it was largely underreported. Medical identity theft is by far the most difficult type of the crime because of its far-reaching implications. When medical information is used, many databases are automatically updated, from insurance claim databases such as MIB to hospital and doctor records. Blood types and allergy histories can be recorded incorrectly. When medical procedures are performed in a victim's name this can also affect creditworthiness if bills go unpaid; creditors can file suits, criminal files can be opened, and, in short, the misuse of medical information can result in the corruption of dozens of types of records.

What we see in medical database breaches such as the ones above is only part of the puzzle.
Everyone needs to consider the restoration of medical records and legal representation when evaluating identity theft services.

Friday, August 28, 2009

Bernanke was a victim of identity theft

This was too good to pass up. Thank you Reuters!

Fri Aug 28, 2009 9:30am EDT
WASHINGTON (Reuters) - Federal Reserve chief Ben Bernanke was among hundreds of victims of an identity fraud ring that stole more than $2.1 million from consumers and financial institutions across the United States, Newsweek magazine reported on its website.
The head of the U.S. central bank and his wife were swept up in a case against the ring after her purse, with personal checks inside, was snatched at a coffee shop in August 2008, Newsweek reported, citing recently filed court documents.
Someone soon began cashing checks on the Bernanke family bank account, a crime that became part of a wide-ranging federal identity theft investigation that was already underway.
The targets were members of a nationwide ring that used a combination of old-fashioned thievery and high-tech fraud to loot the bank accounts of unsuspecting victims, Newsweek reported.
The investigation by the Secret Service and the U.S. Postal Inspection Service culminated in recent months with a series of arrests, criminal complaints and indictments brought by federal prosecutors in Virginia.
In a statement to Newsweek, Bernanke said identity theft is a serious crime that affects millions of Americans each year.
"Our family was but one of 500 separate instances traced to one crime ring," Bernanke said. "I am grateful for the law enforcement officers who patiently and diligently work to solve and prevent these financial crimes."

Wednesday, August 26, 2009

Employees, Especially Temps, Cause Breaches

The majority of data breaches result from inadvertent employee error, say experts. BBC News reports on the results of a study that found unintentional data loss to be the most frequent cause of cyber breaches (14.4 percent per year). IDC and the security firm RSA analyzed 11 categories of risk at 400 organizations in various industry sectors across the U.S., UK, France and Germany. Of the employee-caused breaches, they found 52 percent to be accidental and 19 percent deliberate. Temporary employees, the study found, are more likely to be culpable. "It's likely contractors may be less well-trained in organizational policy..." said RSA's Chris Young.

This survey, one of dozens within the past two years, illustrates my point about employee training as perhaps the most critical aspect of any good breach plan. That 52% of accidental breaches can be greatly diminished by showing employees what is expected of them and seeking their help in improving data security throughout the enterprise. A clear written policy that not only delineates the information that is to be protected, but also provides guidelines for staff and names those who are administering the program is essential in our modern business world. As long as personal identifiable information has value it will be used and sold by illegal profiteers around the world.

Thursday, August 20, 2009

Attention All Keepers of Personal Data!

  1. Do you own a business with employees?
  2. Do you use personal information in sales transactions?
  3. Do you keep personally identifiable information (PII), on your clients including students?
  4. Do you share PII with any other business?
  5. Does any other business have access to your PII database?

If you can answer yes to any of these questions ask yourself this. What are you doing to actively safeguard that information from loss or theft? Remember, it is your responsibility to protect that information from misuse or theft. No business (above) is exempt.

The federal government has issued guidelines for you to follow in order to be compliant with the standards set forth in several privacy laws. The Federal Trade Commission (FTC) has oversight of all businesses apart from the banking and savings industries, which have separate oversight. They have the authority to investigate breaches and even to prosecute those businesses whose security practices are lacking.

The answer to anyone who questions the need for securing this kind of information is very simple. There are roughly 9 to 10 million identity theft victims in the U.S. each year. The majority of those victims had their information compromised from a database and not from direct theft. When you and your business safeguard the information you keep on others you are protecting them. When someone else does the same they are protecting you. All of us leave a trail of data behind in the course of our lives. Every school we have ever attended, every home we have purchased, loan made, insurance claim, military service, in short everything we have ever done has left a record that needs to be protected from theft or misuse. Each one of us is a link in the chain of protection.

Tuesday, August 18, 2009

Data Security Measures Deadline Extended

The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has amended its data security regulations. In a media release yesterday, the OCABR announced that the rules will facilitate a risk-based approach to data security, which is expected to help the small-business community, in particular. In creating written security programs, businesses will be able to take into account their size, industry type and identity-theft risk, among other characteristics. The OCABR also modified the regulations to make them technology neutral. The new effective date is March 1, 2010. A public hearing on the changes will take place Tuesday, September 22.

The government has long been under pressure to create a federal standard for data security. Existing laws such as the FCRA and GLB Safety Act have set out guidelines for businesses that include risk analysis, written policy definitions, and employee training. However, apart from the Red Flags Rules [sec.114 FACTA], to date nothing definitive has been issued that delineates specifically what each business must do and what criteria they must follow to safeguard PII. This new Mass. law promises to provide much of that language to guide businesses in that state. It is my belief that when enacted this new legislation will become a model for similar federal legislation.

Thursday, August 6, 2009

Companies Take Heed

Corporate Ethics Must Change, Says Matwyshyn. A Wharton School professor says that corporations will have to adapt to increasing consumer savvy when it comes to the role of information security in business dealings, reports Forbes. At Defcon last week, privacy expert and Wharton professor of legal studies and business ethics Andrea Matwyshyn said: "Companies need to be aware that their customers are going to start asking questions about their security and what they're doing." Matwyshyn studies corporate law and information technology. She says even though they are not required to disclose their security procedures to consumers, big businesses should inform customers about their security practices and threats, adding that if corporate ethics don't change, legislators might step in.

While it is true that businesses are not required to disclose security procedures and methods, the public still has the last say in this. When you go to work for a company, enter into an agreement or contract with another business, invest in or simply do business with them you have the right to expect that they are handling your personal information in a responsible manner. And you have the right to NOT get involved with a business that does not take this seriously. If covered by the Red Flags Rule you can ask to see their identity theft prevention and response policy. I have been to bank branches for speaking engagements since Nov 1st of '08 where the branch manager had no idea of the bank's policy nor what the policy document looked like. Banks were to be in compliance prior to November 1st of '08. The bottom line is this. If you are one of the people who are waiting for the government to fix the problem you are not going to get any satisfaction. We are empowered to make businesses take the responsible route when it comes to data security. We live in a society where lawyers throw cases of client files in dumpsters, personnel departments email sensitive personal info to one another without any sort of encryption or protection, and employees lose laptops and thumb drives containing unencrypted NPI on a regular basis. These are just a few of the "mistakes" companies make daily, and they do not include the intentional theft of paper files, flash drives, and CD-ROMs by underpaid, laid-off or disgruntled employees needing extra cash.

If a business does not address this issue head on by training and honestly assessing internal risk they are playing with fire. There is no limit in company size either. EVERY business regardless of size must take heed. This is a real issue with real consequences and businesses are the prime source of data.

Tuesday, August 4, 2009

Government Employees' Names, SSNs Exposed

HELLO!?

U.S. Commerce Department employees have been notified that their sensitive personal information was exposed last month, reports the Washington Post. The names and Social Security numbers of 27,000 were on an Excel spreadsheet that a National Finance Center employee sent to a co-worker via unencrypted e-mail, the report states. The department is making arrangements to track for identity theft resulting from the breach and is urging employees to monitor their credit reports.

I repeat, your information is out there and used, or misused each and every day of the week.
No one can prevent accidents or mistakes from happening, just as you cannot prevent intentional acts of data theft. If you have a comprehensive ID theft early warning and restoration service working for you, you can be assured that no matter how your personal information gets in the hands of the wrong people that they cannot ruin your life. The damage is very limited and correctable.

Thursday, July 30, 2009

Network Solutions Begins a Damage Control Effort

If anyone still has reservations as to whether or not to have some sort of identity theft mitigation service one only needs to consider the following.

Following disclosure of a data breach that may have compromised the credit card data of more than 573,000 patrons of small commercial Web sites, Internet domain administrator and host Network Solutions has initiated a crisis response effort. Reaching out to its clients affected by the breach, Network Solutions has offered assistance in helping sites notify those customers whose credit card data may have been compromised, including offering credit monitoring services. Network Solutions spokesperson Susan Wade told DMNews, "Unfortunately, something like this could happen to any online business, so we're just letting our customers know that we're there for them, we will help them as much as we can, and we take this issue very seriously."

It is important to recognize that identity theft can and often does raise its ugly head in many different ways. Our information is out in the world and used by thousands of businesses and government agencies constantly. It doesn't take a statistician to see that the odds are that your information will be compromised, and likely many times. Why then would anyone want to gamble that they won't become the victim of the most difficult crime in history? Difficult you say? When identity theft strikes, records are corrupted with false information. There is no one source to use to correct them, and once corrupted the onus is on the victim to prove that they have been victimized. When the data says one thing how are you going to prove otherwise? Most victims spend years trying to correct their health or SSN files or DMV or insurance records, or any number of files that are used to shape who we are perceived to be in the official and public eye.

Having a service that will not only shortcut the crime but, most importantly, go to work for you to correct those records, no matter how or when they have been corrupted by misuse of your personal data, is the best defense. It is also in the best interest of each and every employer to make such a service available to all of their employees. An employee distracted by this kind of problem cannot concentrate on work or maintain a healthy attitude for as long as they are dealing with an identity theft episode.

Wednesday, July 29, 2009

Red Flags Rule Enforcement Deadline Extended

The Federal Trade Commission has again extended the enforcement deadline for the Red Flags Rule, according to an agency press release. Creditors and financial institutions now have until November 1, 2009 to come into compliance with the rule, which was mandated by the Fair and Accurate Credit Transactions Act of 2003. Meanwhile, the commission will redouble efforts to educate businesses affected by the rule on what they must do to comply. The Red Flags Rule requires entities to implement programs for identifying, detecting and responding to harbingers of identity theft, or "red flags."
Go to www.ftc.gov/redflagsrule for more information regarding your business.

Friday, July 24, 2009

Will the Third Try be a Charm for Federal Breach Notification Law?

The following article was in today's privacy bulletin. Since the first state breach notification law went into effect in 2003 in California, 43 other states have enacted their own versions creating a worthwhile but patched together set of regulations that are at best vague, and contain huge lapses so that a company experiencing a breach can likely get away without any sort of notification to potential victims. Hopefully this legislation will contain enough bite to be effective. Only when we see transcripts of the bill will we know if we are headed in the right direction or for another legislative compromise. Thresholds for notification need to include not only electronic breaches and large scale hacks of computer servers, but also theft and misuse of paper records, and need to provide for smaller incidents. Only by creating effective notification laws can businesses be held accountable to the public who expect their information to be reasonably safe.

Vermont Senator Patrick Leahy (D) has reintroduced the Personal Data Privacy and Security Act, the third attempt by Congress to pass a federal data breach law that would pre-empt the 44 individual state data breach laws and create a single response and notification standard in the U.S. InternetNews reports that in a statement, Leahy said the bill addresses serious consumer privacy and data security issues and vowed that, "Passing this comprehensive data privacy legislation is one of my highest legislative priorities as chairman of the Judiciary Committee."

Monday, July 13, 2009

Who Needs High Tech Information Security Measures?

Whenever I see articles about the latest high tech "solution" for data loss I can't help but to think about the vast number of data breaches that result from situations such as the one below.
Just as there is no one form of data theft there is no one type of solution.


Medical records, including names, credit card numbers, Social Security numbers and cancelled checks were found in a dumpster behind a Salt Lake City shoe distribution center last week, reports KUTV News. At least some of about 20 boxes that Salt Lake City police confiscated appear to have come from a now-closed chiropractic office. KUTV reports that surveillance footage showing two people unloading materials into the dumpster exists. Disposing of medical records in this way is a violation of state law, according to the Utah Attorney General's office, and could lead to a $2,500 fine per patient record.

Train your staff, train your staff, train your staff. This kind of an incident happens too often due to a lack of understanding of the law and simple common sense in protecting records from falling into the wrong hands.

Most ID theft that results from breaches of information at companies occurs when an employee walks out with the data with the intention of selling it, not to open credit card accounts. While the thief may be caught the data is long gone with other parties. Once the information is sold it can proliferate in a matter of days across the world.

A lack of understanding of the value of employee personal information as well as customer information has led to more identity theft incidents than any other cause.

Friday, July 10, 2009

What is a privacy policy, and what is an identity theft policy? What's the difference?

Good morning all. I have been noticeably absent from my column duties while I took care of some other projects, and fitting in a short vacation.

Very often when I speak with business owners especially in the small to mid-sized organizations I find that a lot of them either confuse a company privacy policy with identity theft, or believe that an identity theft policy is an outgrowth of a privacy policy or statement.
In very general terms the two are not the same and in fact address two different issues. A privacy policy deals with either company intellectual property or customer information. Any business that collects customer information in the course of doing business must have a privacy policy that informs the customer as to how their information is used and protected, including encryption procedures for transactions. That falls largely under the direction of the Payment Card Initiative (PCI DSS) rules to protect the public from fraud resulting from purchase transactions. Also, customers are protected by other state and federal laws such as the FTC Act and FCRA that prohibit companies from distributing personal information without regard to personal privacy and without first notifying the client of their intent. That issue is being hotly debated again due to the proliferation of social networking websites. Another area of privacy policy is the protection of company secrets: proprietary information regarding how a business operates and its plans and strategies. While the distribution and misuse of personally identifiable information (PII) is highly regulated by consumer law, protecting company secrets is a matter of internal policy. Businesses engaged in technological and scientific research and development often have non-disclosure agreements with employees to protect that kind of information. Employees who violate those agreements are subject to termination, and possible prosecution as a breach of contract.

Identity theft policy addresses the area of PII data loss: a definition of what is considered by the company to be PII, the various forms in which the company stores and uses PII, and finally the procedure the company has put into place to respond to breaches and to protect the individuals who might be affected and are at increased risk of identity theft resulting from a company breach. This policy must address not only the data the company keeps on its clients but also its employees' personnel records, and it must also address the identity theft policies of any contractor or service provider who might have access to that information. Vendors can include not only outsourced HR, payroll, insurance and benefits brokers, but also cleaning services, construction contractors, and even parking services: any business that has the potential of obtaining PII.

It isn’t my intention to delineate what the law is or provide legal advice in these areas but instead to provoke thought on the part of businesses. With new legislation such as GLB, FACTA, and now the Red Flags Rule under FACTA, the banking regulators and the FTC have made it clear that in order to stem the tide of identity theft and the company data breaches that result in the majority of identity theft, business needs to take certain steps proactively to prevent breaches and to respond quickly and effectively when they do occur.
Every company is different and therefore needs to take the steps that are most effective for that organization. It all begins with an honest risk assessment on the part of each company to find the weak links in information security, and to train the staff on their responsibilities. Establishing a clear identity theft policy is the roadmap every responsible business uses to lay out everyone’s duties, and how the business will handle data breaches. The FTC auditors investigating companies who have experienced these breaches are most interested in seeing what a business did to protect the information before the breach. A proactive identity theft policy is good policy, and good business.

Friday, June 26, 2009

35 days until the enforcement phase of the Red Flags Rule, Are you ready?

The deadline for non-banking entities to comply with the Fair Credit Reporting Act Red Flags Rule is August 1. Joel Winston and his colleagues at the Federal Trade Commission have spent the last several months helping businesses understand the requirements. Winston is associate director of the Division of Privacy and Identity Protection at the commission's Bureau of Consumer Protection. In this interview with GovInfoSecurity.com, he discusses the Red Flags Rule, the greatest information security risks for consumers, privacy implications of new technologies and his team's work to help prevent identity theft, among other topics.

Thursday, June 25, 2009

Privacy Blunders Foster a New Era of Accountability

By Don Peppers and Martha Rogers, Ph.D.

The following was in my daily privacy download. It is hard to add any editorial comments as the article spells it out very well. So, without further ado here is today's thought on privacy.

In the early days of mandatory data breach disclosures, which in the U.S. began in 2005, notifications followed a now predictable pattern: Organizations issued a press release expressing contrition, mailed notification letters, strategically released details on the scale of the breach, and emphasized the strides they were taking to mend and prevent. What was perhaps most notable was what didn't happen: At the senior-executive level, no heads rolled. Overall, corporate accountability for lost data seemed slight, at best.
Lately, however, a number of episodes suggest that we may be entering a new culture of senior-level accountability--over privacy, abuses of "secrecy," and for the data-related misdeeds of subordinates. The events seem to suggest a broader cultural shift toward increased transparency and accountability for whoever's in charge, and a growing realization that when it comes to collecting data, "more is better" isn't always best.

The privacy buck stops where?

The misdeeds of subordinates in several organizations have recently led to the chief's ouster. Last month, discount supermarket chain Lidl sacked its head of German food operations, Frank-Michael Mros, after documents recovered from a dumpster showed that throughout 2008 and 2009, the company illegally collected confidential information on employees (noting such state-of-health information as "operated on for a tumor" and "wants to get pregnant"). In March, the head of Deutsche Bahn, Hartmut Mehdorn, resigned after revelations that the state-owned rail operator had spied on its employees. As part of an internal fraud investigation, managers accessed confidential information on hundreds of thousands of employees and illegally monitored employee e-mail.
That same month, a student journalist at Binghamton University found an unlocked storeroom containing boxes full of documents containing students' and parents' personal information, the third breach in less than a year. While the administration threatened to charge the reporter with trespassing, students circulated a petition to sack Terry Dylewski, the chief information security officer. Those calls were renewed after a fourth privacy breach in April. In December, the Ohio Department of Job and Family Services fired its Deputy Director of Child Support for authorizing database checks on a state resident for no legitimate purpose. Two other department employees associated with the checks also no longer work with the department due to their involvement in a breach of the records of Samuel J. Wurzelbacher, better known as "Joe the Plumber."
Swiss bank secrecy under fire

Calls for accountability--and with it, transparency--are becoming the new norm, and the financial services industry is on the frontline, given the furor over bonuses for bailed-out bank executives, and President Obama's pledge to crack down on international tax havens. Not even Swiss banks, legendary for their secrecy, are immune. Last year, federal authorities charged several cross-border private banking executives at UBS, Switzerland's largest bank, with helping American citizens hide an estimated $20 billion in offshore accounts. That, plus the recent threat of indictment for all of the bank's executives, saw UBS, the largest bank in Switzerland, recently admit to defrauding the IRS. The bank agreed to pay a $780 million fine and release the names of American accountholders.

Parliament expenses scandal

Perhaps the lesson is this: With notions of transparency and accountability on the rise, companies hide behind secrecy laws at their peril. In the UK, members of Parliament (MPs) learned that the hard way, after details of their expenses revealed that many had abused the system to pay for things not related to their duties as an MP, such as moat cleaning and tennis court repairs. The expenses, which the Labor majority in Parliament battled for five years to keep private, came to light after courts upheld a journalist's right to obtain the information under Britain's relatively new Freedom of Information Act. The irony of MPs who abused and hid their expenses--during a recession, no less--while pushing a national ID card, building a network of millions of CCTV cameras, and regularly losing large amounts of sensitive or classified data has brought British voters to the boiling point. The government and even forms of representational government are facing their biggest shakeup in more than 100 years, with citizens demanding further transparency and accountability, including proportional representation.

Life after "keep everything"

Interestingly, resistance is also growing to the UK government's "collect and keep everything" approach to data. One recent study branded the country as a "database state," and estimated that 25 percent of all government databases contained illegal information and should be scrapped. Likewise, courts recently ruled that the UK police practice of photographing everyone who attends a demonstration violated people's liberty, and instructed police to cease such practices and purge all such images from their databases. The UK offers an insightful case study: If a society has gone to the brink of the "more is better" approach to collecting and retaining private data, while demanding little accountability from those in power, what happens next? In fact, the outgoing UK Information Commissioner Richard Thomas recently predicted that collecting less personal information will become the new norm, to better balance security and liberty when government agencies collect and share data to do everything from spotting child abuse to discovering potential terrorists. "If you're looking for a needle in a haystack, it does not make sense to make the haystack bigger," he said. Collect data, but collect it smarter, and retain only what you need? And know that your job is on the line if improper data gets collected, abused, or lost, or if people's rights get trampled? Those are words to live by in what is arguably our new culture of accountability.

Wednesday, June 24, 2009

45,000 Cornell University Records Exposed

Retailer TJX will pay $9.75 million to settle charges related to its 2007 data breach that exposed the financial details of thousands of customers, reports consumeraffairs.com. It is the farthest-reaching data breach settlement to date.

As stunning a piece of news as that is, I am even more saddened by the following news from Cornell University. After years of hammering the point, laws passed, all of the white papers, and articles written about personal data safety and enterprise liability, why are we still seeing this kind of news? EVERY entity that maintains personal data of ANY kind needs to take care of business. There are no excuses and no arguments to the contrary. Business owners, what more do you need? Cornell just offered to pay at least $1,125,000 for credit monitoring alone at the current going rate. That is a small fraction of what this breach will eventually cost the school.

Cornell University announced that police are investigating the theft of a school laptop containing the personal information--including Social Security numbers--of approximately 45,000 students, alumni, faculty and staff. The Associated Press reports that the laptop was stolen from a Cornell technician and there are, so far, no known misuses of the data. The university sent a letter to those individuals whose records were on the computer, offering a free year of credit services. It has also set up an FAQ page on the Cornell Web site. Full Story