Friday, May 8, 2009

State Secrets for Sale?

Just in case you think data theft is something that happens only to a few hapless individuals who are lax with their Social Security numbers, read this.

The latest results in a five-years-running study might prompt some to review data destruction policies. University researchers in the U.K., Australia, and the U.S. purchased 300 drives from eBay and other retailers, finding that 34 percent of disk drives still contained confidential data. Banking details, blueprints, patient records, employee data, embassy logs and details on a ground-to-air missile defense system were among the data left behind. Study leads at the University of Glamorgan in Wales say that over the past five years the volume of drives containing sensitive data has fallen, but the volume of data exposed has increased.
Full Story

In my efforts to assist businesses with their identity theft prevention programs, one of the areas we try to cover is the disposal of hard drives. This article illustrates how important that is. Whenever you replace drives or exchange computers, make certain the data on the old drives cannot be recovered. Deleting the files or reformatting the drive does not do that: both rewrite only the file system's bookkeeping and leave the contents of the disk in place, where any recovery tool will find them. Two approaches work. The first is to overwrite every sector of the drive (a full-disk overwrite with a tool such as dd or shred, or the drive's own ATA Secure Erase command) and then verify the result before the drive leaves your control. The second is physical destruction. Breaking the case or driving a nail through the drive is not enough on its own, because the nail misses most of the platter surface and the remaining fragments can still be read with laboratory equipment; if you destroy a drive, shred or degauss the whole thing. Flash (solid state) drives are a special case: because of wear leveling, an overwrite cannot be trusted to reach every cell, so they should be physically destroyed when taken out of service. NIST Special Publication 800-88, Guidelines for Media Sanitization, lays out these options (clear, purge, destroy) and is the reference I point businesses to.
Another issue in the workplace is photocopiers. A digital copy machine keeps images of the documents it has scanned on an internal hard drive, often thousands of them. Since most businesses lease commercial copiers, it is essential that the machine's drive be wiped before the machine goes back to the supplier. Having the drive "formatted" is not enough, for the same reason as above: a format leaves the stored images in place. Ask the leasing company's service technician to run the manufacturer's disk overwrite function where the model has one, or to remove the drive and hand it to you, and to do so before the machine leaves the client's office; have the step recorded on the return paperwork.
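To make the point about formatting concrete, here is an added example that is not part of the original post. It builds a constructed 1 MiB image file that stands in for a drive (no real device is touched), plants a sample record in the middle of it, and then shows that zeroing the first few kilobytes, which is all a quick format does, leaves the record recoverable with a plain grep, while a full overwrite does not. The is_zeroed function is the post-wipe verification step: it scans every byte rather than trusting the tool that did the wiping. The marker string and the 4 KiB "format" size are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): a quick "format" is not a wipe.
# A constructed 1 MiB image file stands in for a drive; no real device is touched.
set -u

make_image() {            # $1 = path: 1 MiB of zeros with a marker record in the middle
  dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null
  printf 'PATIENT-RECORD: Jane Doe (constructed sample)\n' \
    | dd of="$1" bs=1 seek=524288 conv=notrunc 2>/dev/null
}

quick_format() {          # zero only the first 4 KiB, as a quick format of a filesystem does
  dd if=/dev/zero of="$1" bs=4096 count=1 conv=notrunc 2>/dev/null
}

full_wipe() {             # overwrite every byte of the image (one pass, as dd to a device would)
  size=$(wc -c < "$1" | tr -d ' ')
  dd if=/dev/zero of="$1" bs=1024 count=$((size / 1024)) conv=notrunc 2>/dev/null
}

record_recoverable() {    # exit 0 if the marker can still be found anywhere on the image
  grep -a -q 'PATIENT-RECORD' "$1"
}

is_zeroed() {             # exit 0 if no byte on the image is non-zero (wipe verification)
  ! od -An -v -tx1 "$1" | tr -d ' 0\n' | grep -q .
}

demo() {                  # run the comparison on a temporary image and report the findings
  img=$(mktemp)
  make_image "$img"
  quick_format "$img"
  if record_recoverable "$img"; then
    echo "after quick format: the patient record is still on the disk"
  fi
  full_wipe "$img"
  if is_zeroed "$img" && ! record_recoverable "$img"; then
    echo "after full overwrite: every byte verified zero, record gone"
  fi
  rm -f "$img"
}

demo
```

On a real drive the same verification is run against the block device instead of a file, and it is the part most people skip: an overwrite that stops early because of a bad sector or a mistyped device name looks identical to a successful one until you read the disk back.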

Thursday, May 7, 2009

Ongoing Issues at the FTC

Here are some issues the FTC currently has on the table with regard to data security and privacy.

Posted Tuesday, May 05, 2009 - Staff infoZine

1. The Federal Trade Commission testified on the Commission’s efforts to promote better security for sensitive consumer information and to prevent the inadvertent sharing of consumers’ personal or sensitive data over Peer-to-Peer Internet file-sharing networks. As part of these efforts, the agency also announced that it had reached an agreement with one of the largest privately held lenders in the United States to resolve charges that the company violated federal law by failing to provide reasonable security for consumers’ sensitive information.

2. In testimony before the House Energy and Commerce Committee Subcommittee on Commerce, Trade and Consumer Protection, Acting Director of the Bureau of Consumer Protection Eileen Harrington said the agency strongly supports the goals of H.R. 2221, the Data Accountability and Trust Act, which would require companies to put reasonable data security policies and procedures in place, and to notify consumers when there has been a data security breach that affects them. The legislation also would give the Commission the authority to obtain civil penalties for violations. “A critical element of privacy is data security. If companies do not protect the sensitive consumer information that they collect and store, that information could fall into the wrong hands, resulting in fraud and other harm, and consumers could lose confidence in the marketplace,” the testimony stated.

3. The Commission made two further recommendations regarding the data security legislation: It suggested that the legislation be extended to cover data stored on paper, as well as electronic data. It also recommended that certain provisions imposing obligations on information brokers – companies whose business is to collect and sell information about individuals who are not their customers – be targeted specifically to address harms consumers may face when brokers sell information about them, to the extent that such harms are not already addressed by federal law. These provisions should not displace existing legal protections. The FTC currently enforces several laws that restrict the disclosure of consumer information and require companies to ensure the security and integrity of the data in certain contexts: the Fair Credit Reporting Act restricts disclosure of consumer credit reports except for specified permissible purposes; the Gramm-Leach-Bliley Act imposes privacy and security obligations on financial institutions; and the FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce.

4. Using its authority under these laws, the testimony noted, the Commission has brought 26 law enforcement actions since 2001 against companies that allegedly failed to maintain reasonable procedures to protect consumers’ personal information, including a case the agency has just settled against James B. Nutter & Company. The company is based in Missouri and makes and services residential mortgage loans around the country. It collects information from loan applicants, including their Social Security numbers, financial information, and employment and credit histories. The Commission’s complaint alleges that, beginning in 2004, JBN engaged in a number of practices that taken together failed to provide reasonable and appropriate security for sensitive consumer information, in violation of the FTC’s Safeguards Rule. In addition, the complaint alleges that the company violated the FTC’s Privacy Rule by failing to provide privacy notices and, later, providing notices that were inaccurate. To settle these charges, JBN has agreed to a proposed order that would require it to establish and maintain a comprehensive data security program covering consumers’ personal information, and to hire an independent auditor to assess its security procedures every two years for 10 years, and to certify that these procedures comply with the proposed order. The proposed order also bars JBN from violating the agency’s Safeguards and Privacy Rules. The Commission previously has filed data security cases against retailers TJX, CVS Caremark and DSW Shoe Warehouse, and the data brokers ChoicePoint and Reed Elsevier, Inc., which operates Lexis Nexis and Seisint, Inc. The FTC also promotes better data security practices through extensive consumer and business education, the testimony stated. On the policymaking front, the FTC recently proposed a rule that would require that consumers be notified when the security of their health information is breached.
In addition, the FTC is examining privacy issues associated with behavioral advertising and the use of personal health records and cloud computing networks.

5. The testimony also details the Commission’s activities with regard to inadvertent file sharing on P2P networks. Although P2P technologies hold potential benefits for computer users and businesses, they also can raise the risk that sensitive information will be made available over P2P networks, either through inadvertent sharing or through malware. The testimony noted that the agency has brought cases related to P2P file sharing, has helped P2P software developers devise voluntary best practices to help consumers prevent inadvertent file sharing, and continues to monitor efforts by companies to comply with these practices. The Commission also has held a workshop on P2P, issued a report, and alerted consumers to the risk of inadvertent file sharing. The testimony stated that the Commission also is supportive of H.R.1319, the Informed P2P User Act, legislation that would set a minimum standard for P2P software companies to follow in notifying consumers about what files a P2P program will share, and in obtaining consent from consumers before the files are made available. The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through June 8, 2009, after which the Commission will decide whether to make it final. To file a public comment, please click on the following hyperlink:

http://www.ftc.gov/os/2009/05/0723108publiccomment.pdf and follow the instructions at that site.

We are seeing, in the existing laws and in the new bills being introduced in Congress, a new direction in privacy and data security legislation. The convergence of these discussions suggests that a common set of compliance and consumer notification rules is nearer than previously thought. Until now each law has covered a different kind of data: financial data, medical data, Social Security numbers, credit card numbers and so forth. The new Red Flags Rule takes a different view: what matters is not the type of data but whether it has value to the criminals who seek to exploit it rather than protect it. That way of thinking is behind the unification of regulatory practice proposed in bills such as H.R. 2221.

Theft or loss of sensitive personal information, or the exploitation of sensitive information without regard to individual privacy, cannot be tolerated in any form. Neither can failing to notify the individuals it puts at increased risk. The responsibility to safeguard sensitive personal information rests squarely on the shoulders of the industry and government agencies that use and store it. It is obvious that industry will not police itself, as our current economic crisis also seems to show.
It is therefore inevitable that the regulating authority will step in and create a set of guidelines to compel industry to comply. I would urge every business and local government authority to pay close attention to the discussions above and to realize that identity theft and data theft are with us, perhaps permanently, and will require diligence on everyone's part, just as we exercise it in other areas of modern life.

Tuesday, May 5, 2009

Hackers Break Into Virginia Health Professions Database, Demand Ransom

Ask yourself this question. When my medical records are stolen and used for cash, or I can no longer get health insurance because my records have been corrupted and claims are made against my policy, or my vital information has been altered so that it no longer represents me, what will Todd Davis of Lifelock, or Bo Holland of Debix, or Daryl Yurek of ID Watchdog do to help me? Will they provide me with ready access to attorneys who will represent me as a victim of medical identity theft? Will they help me sort out my records for accuracy, amend my insurance claims history, and remove false claims from my records? Will they provide any assistance whatsoever for medical records fraud, theft, or ransom? I'm not attacking those individuals or their companies, but they do not address the realities of identity theft beyond your credit report and new credit account requests.

Read on my friends,

Hackers Break Into Virginia Health Professions Database, Demand Ransom
From Brian Krebs The Washington Post

Hackers last week broke into a Virginia state Web site used by pharmacists to track prescription drug abuse. They deleted records on more than 8 million patients and replaced the site's homepage with a ransom note demanding $10 million for the return of the records, according to a posting on Wikileaks.org, an online clearinghouse for leaked documents.
Wikileaks reports that the Web site for the Virginia Prescription Monitoring Program was defaced last week with a message claiming that the database of prescriptions had been bundled into an encrypted, password-protected file.
Wikileaks has published a copy of the ransom note left in place of the PMP home page, a message that claims the state of Virginia would need to pay the demand in order to gain access to a password needed to unlock those records:
"I have your [expletive] In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(For $10 million, I will gladly send along the password."
The site, along with a number of other Web pages related to the Virginia Department of Health Professions, remains unreachable at this time. Sandra Whitley Ryals, director of Virginia's Department of Health Professions, declined to discuss details of the hacker's claims, and referred inquiries to the FBI.
"There is a criminal investigation under way by federal and state authorities, and we take the information security very serious," she said.
A spokesman for the FBI declined to confirm or deny that the agency may be investigating.
Whitley Ryals said the state discovered the intrusion on April 30, after which time it shut down Web site access to dozens of pages serving the Department of Health Professions. The state also has temporarily discontinued e-mail to and from the department pending the outcome of a security audit, Whitley Ryals said.
"We do have some of systems restored, but we're being very careful in working with experts and authorities to take essential steps as we proceed forward," she said. "Only when the experts tell us that these systems are safe and secure for being live and interactive will that restoration be complete."
She added that the department does have a page online at www.dhp.virginia.gov that lists the phone and fax numbers for various state health boards, and that the state would continue issuing health care licenses and investigating violations of the law or regulations of state health licensees.
This is the second major extortion attack related to the theft of health care data in the past year. In October 2008, Express Scripts, one of the nation's largest processors of pharmacy prescriptions, disclosed that extortionists were threatening to disclose personal and medical information on millions of Americans if the company failed to meet payment demands. Express Scripts is currently offering a $1 million reward for information leading to the arrest and conviction of the individual(s) responsible for trying to extort money from the company.

Monday, May 4, 2009

LexisNexis loses 32,000 from 2004 to 2007!

I normally shy away from posting data breach notices. After all, there are so many that we can become inured to the severity of each one. I posted this one because, while we debate how bad identity theft is, thieves are having a field day at our collective expense. And it took two years for the potential victims to be notified! Wake up, folks! You cannot prevent these breaches. Be proactive and avail yourselves of a professional identity theft service that provides you with access to attorneys and restoration from all types of ID theft. Databases are hacked routinely across the world, and by international crime rings. One of my favorite quotes is: "You have to participate in your own rescue." Go to the link to the I've Been Mugged column in my links section for a very good article on this particular breach.

LexisNexis has notified tens of thousands that their personal information was exposed in a database security breach, reports the Associated Press. On Friday, the company sent letters to 32,000 people whose information is contained in the LexisNexis database and may have been accessed by fraudsters. Thieves accessed the data between 2004 and 2007 by breaking into the mailboxes of businesses that contained LexisNexis database information, the AP report states. Postal authorities have contacted about 300 of those affected to let them know the perpetrators, former LexisNexis customers, set up fake credit cards using their information. Full Story

Adopting a Written Identity Theft Policy

In light of the FTC's recent extension of the compliance phase of the new Red Flags Rule (FACTA), I began to wonder what business execs must be thinking. Are they simply in the dark as to whether their business is covered under this legislation? Are they unclear about whether they fall within the jurisdiction of the FTC? Are they confused about what compliance entails? Are they concerned about the costs, or about a disruption to business? Are they fearful that compliance might expose serious flaws in their current practices? Or is the hubris such that they don't believe this is real and won't affect them? After all, some believe that if they have never had a problem so far, why should it happen now? The question I would ask back is this: how do you know for certain that it hasn't happened yet? A national survey released recently interviewed thousands of small business owners, and only 6% of them could positively state that their business had not been the source of stolen data or identity fraud.

It takes a disgruntled or recently downsized employee only a few minutes to copy files onto a CD or flash drive and walk out. That can set in motion a very nasty series of events, starting with identity theft episodes and lawsuits and, because of state notification rules, a possible loss of clients due to a lack of confidence. That is before the federal government steps in. The FTC has the authority to levy fines, prosecute, and require extensive audits. And the business may never discover the source of the loss. As more people lose their jobs in the economic downturn, cases like that are happening more often at businesses, medical facilities, local government agencies, and schools throughout the country.
Another relevant question is simply to ask what the downside of a compliance program is. After all, businesses comply with regulations all the time. They comply because the risk is such that non-compliance can be too costly, and of course because it is the right thing to do for reasons of safety or fairness.

I have studied the identity theft laws and regulations on both the state and federal levels sufficiently to know that they are fairly written and do attempt to stem the tide of data theft and fraud. Let's take the Red Flags Rule as an example. Assessing risk and adopting an appropriate program is a very flexible part of the rule. Companies are the best estimators of their own risk, provided they are willing to accept that the risk does exist and that there is always room for improvement. Training everybody on staff is the single most powerful part of the compliance procedure. After all, it is the employees of a business who handle the data that is to be safeguarded and checked for accuracy. If everyone on staff knows what to do and how to respond to problems, you put a serious dent in the risk to the company. Now, what company does not want to lower its risk?

This should not be a topic for debate. It is the right thing to do for reasons of fairness and safety, and for most entities it can be done at very little or no cost. Every business whether covered or not should implement reasonable programs for their business. Where now is the downside?

If I ran a business that shared sensitive personal information on my employees with the business next door, which happens to be my payroll service, and I adopted a program such as the one described in the Red Flags Rule, would I want that company next door to do the same? Yes! Is it because if I went through it, so should he? After all, it is only fair. No. It is because legally we share the responsibility and the risk. Only if both of us adopt a plan do we, both businesses, lower our shared risk even further. That is the idea here. That is the reason for this law: for businesses to adopt a plan and see to it that the companies they share such information with do the same. The net result should be lower risk for all of our businesses. Who are the winners? All of us as individuals are the winners. Our personal information is safeguarded and properly vetted to be true, meaning that identity thieves have less chance to co-opt our accounts, open new ones, and take over our good name. Shouldn't that be the goal of a good identity theft law? In 2008 there were an estimated 10 million U.S. victims of financial and non-financial identity theft combined. In 2008 businesses directly lost nearly $50 billion to identity theft. Could a well-written identity theft law, if applied, have an effect on those numbers? I think so. Let's try it and see. What is the downside?

Taylor and Associates is prepared to assist any business with its program. Concerned about the sheer cost of using counsel to write a relevant plan for the board to adopt? We have taken care of that. We offer a framework for such a policy that any business can use and adapt to its individual needs. This policy framework was written by specialists in privacy law to be consistent with the law, with former Attorneys General serving as our panel of consultants. So we have nearly or completely eliminated that cost. Next we train the staff. Do you need to hire expensive training consultants to perform that function? No. We are specially qualified as identity theft specialists to handle that as well. The cost? How about an hour of their time. That is your cost for the training. We gather the staff together in as many meetings as it takes to eventually see everyone and give them a solid hour of orientation on the company policy as adopted by the board, including awareness of the realities of identity theft for themselves and their families. After all, identity theft can occur anywhere, to anyone, no exceptions. Next we identify the person(s) responsible for administering the program for the business. Lastly, we make notifications and communicate with the other businesses about your program and inquire about theirs. In any compliance program, documentation is necessary to prove that compliance steps were taken and when. We provide all of the necessary documentation for everything mentioned above. After the program is begun we follow up as needed to update the program for all of our client businesses.

Now, let's add up the costs for these compliance services:
1. Written policy: $0
2. Employee training: $0 (one hour of time in mandatory company meetings)
3. Letters and documentation: $0
4. Notification letters and follow-up with third-party and contractor businesses: $0

No one can estimate the savings of a reduction in risk and potential liability. It cannot be done. Significantly lowering the risk of law suits and a loss of public confidence that results in losing customers could make the difference whether a business survives or fails in the most extreme cases, and at the least prevent identity theft. There is no downside to establishing an identity theft prevention program.
When can we start?