Friday, June 26, 2009

35 days until the enforcement phase of the Red Flags Rule: Are you ready?

The deadline for non-banking entities to comply with the Fair Credit Reporting Act Red Flags Rule is August 1. Joel Winston and his colleagues at the Federal Trade Commission have spent the last several months helping businesses understand the requirements. Winston is associate director of the Division of Privacy and Identity Protection at the commission's Bureau of Consumer Protection. In this interview, he discusses the Red Flags Rule, the greatest information security risks for consumers, privacy implications of new technologies and his team's work to help prevent identity theft, among other topics.
Full Story

Thursday, June 25, 2009

Privacy Blunders Foster a New Era of Accountability

By Don Peppers and Martha Rogers, Ph.D.

The following was in my daily privacy download. It is hard to add any editorial comments, as the article spells it out very well. So, without further ado, here is today's thought on privacy.

In the early days of mandatory data breach disclosures, which in the U.S. began in 2005, notifications followed a now predictable pattern: Organizations issued a press release expressing contrition, mailed notification letters, strategically released details on the scale of the breach, and emphasized the strides they were taking to mend and prevent. What was perhaps most notable was what didn't happen: At the senior-executive level, no heads rolled. Overall, corporate accountability for lost data seemed slight, at best.
Lately, however, a number of episodes suggest that we may be entering a new culture of senior-level accountability--over privacy, abuses of "secrecy," and for the data-related misdeeds of subordinates. The events seem to suggest a broader cultural shift toward increased transparency and accountability for whoever's in charge, and a growing realization that when it comes to collecting data, "more is better" isn't always best.

The privacy buck stops where?

The misdeeds of subordinates in several organizations have recently led to the chief's ouster. Last month, discount supermarket chain Lidl sacked its head of German food operations, Frank-Michael Mros, after documents recovered from a dumpster showed that throughout 2008 and 2009, the company illegally collected confidential information on employees (noting such state-of-health information as "operated on for a tumor" and "wants to get pregnant"). In March, the head of Deutsche Bahn, Hartmut Mehdorn, resigned after revelations that the state-owned rail operator had spied on its employees. As part of an internal fraud investigation, managers accessed confidential information on hundreds of thousands of employees and illegally monitored employee e-mail.
That same month, a student journalist at Binghamton University found an unlocked storeroom containing boxes full of documents containing students' and parents' personal information, the third breach in less than a year. While the administration threatened to charge the reporter with trespassing, students circulated a petition to sack Terry Dylewski, the chief information security officer. Those calls were renewed after a fourth privacy breach in April. In December, the Ohio Department of Job and Family Services fired its Deputy Director of Child Support for authorizing database checks on a state resident for no legitimate purpose. Two other department employees associated with the checks also no longer work with the department due to their involvement in a breach of the records of Samuel J. Wurzelbacher, better known as "Joe the Plumber."
Swiss bank secrecy under fire

Calls for accountability--and with it, transparency--are becoming the new norm, and the financial services industry is on the frontline, given the furor over bonuses for bailed-out bank executives, and President Obama's pledge to crack down on international tax havens. Not even Swiss banks, legendary for their secrecy, are immune. Last year, federal authorities charged several cross-border private banking executives at UBS, Switzerland's largest bank, with helping American citizens hide an estimated $20 billion in offshore accounts. That, plus the recent threat of indictment for all of the bank's executives, saw UBS, the largest bank in Switzerland, recently admit to defrauding the IRS. The bank agreed to pay a $780 million fine and release the names of American accountholders.
Parliament expenses scandal

Perhaps the lesson is this: With notions of transparency and accountability on the rise, companies hide behind secrecy laws at their peril. In the UK, members of Parliament (MPs) learned that the hard way, after details of their expenses revealed that many had abused the system to pay for things not related to their duties as an MP, such as moat cleaning and tennis court repairs. The expenses, which the Labour majority in Parliament battled for five years to keep private, came to light after courts upheld a journalist's right to obtain the information under Britain's relatively new Freedom of Information Act. The irony of MPs who abused and hid their expenses--during a recession, no less--while pushing a national ID card, building a network of millions of CCTV cameras, and regularly losing large amounts of sensitive or classified data has brought British voters to the boiling point. The government and even forms of representational government are facing their biggest shakeup in more than 100 years, with citizens demanding further transparency and accountability, including proportional representation.
Life after "keep everything"

Interestingly, resistance is also growing to the UK government's "collect and keep everything" approach to data. One recent study branded the country as a "database state," and estimated that 25 percent of all government databases contained illegal information and should be scrapped. Likewise, courts recently ruled that the UK police practice of photographing everyone who attends a demonstration violated people's liberty, and instructed police to cease such practices and purge all such images from their databases. The UK offers an insightful case study: If a society has gone to the brink of the "more is better" approach to collecting and retaining private data, while demanding little accountability from those in power, what happens next? In fact, the outgoing UK Information Commissioner Richard Thomas recently predicted that collecting less personal information will become the new norm, to better balance security and liberty when government agencies collect and share data to do everything from spotting child abuse to discovering potential terrorists. "If you're looking for a needle in a haystack, it does not make sense to make the haystack bigger," he said. Collect data, but collect it smarter, and retain only what you need? And know that your job is on the line if improper data gets collected, abused, or lost, or if people's rights get trampled? Those are words to live by in what is arguably our new culture of accountability.

Wednesday, June 24, 2009

45,000 Cornell University Records Exposed

Retailer TJX will pay $9.75 million to settle charges related to its 2007 data breach, which exposed the payment card details of millions of customers. It is the farthest-reaching data breach settlement to date.

As stunning a piece of news as that is, I am even more saddened by the following news from Cornell University. After years of hammering the point, laws passed, all of the white papers, and articles written about personal data safety and enterprise liability, why are we still seeing this kind of news? EVERY entity that maintains personal data of ANY kind needs to take care of business. There are no excuses and no arguments to the contrary. Business owners, what more do you need? Cornell just offered to pay at least $1,125,000 for credit monitoring alone at the current going rate. That is a small fraction of what this breach will eventually cost the school.

Cornell University announced that police are investigating the theft of a school laptop containing the personal information--including Social Security numbers--of approximately 45,000 students, alumni, faculty and staff. The Associated Press reports that the laptop was stolen from a Cornell technician and there are, so far, no known misuses of the data. The university sent a letter to those individuals whose records were on the computer, offering a free year of credit services. It has also set up an FAQ page on the Cornell Web site. Full Story