Tuesday, March 30, 2010
Personal Information of 3.3 Million Stolen
A student loan firm is providing credit monitoring and protection services to some 3.3 million people affected by a data breach, the Washington Post reports. A spokesman for Educational Credit Management (ECMC), a nonprofit student loan guaranty agency headquartered in Minnesota, said portable media containing personally identifiable information was stolen in an "old-fashioned theft" from company headquarters. The stolen information included names, addresses, birth dates and Social Security numbers, but no banking information, an ECMC press release said.
Wednesday, March 10, 2010
"When you protect the information on others you are protecting them, when someone else does it they are protecting you."
Copy Machines Pose Privacy Risks
Boston's WBZ-TV reports on a privacy threat looming in homes and offices: copy machines. Security expert John Juntunen demonstrated how easily accessible a copy machine's stored data can be, connecting his laptop to a copier and downloading a child support document and one woman's IRA application containing her address, Social Security number and date of birth. Another hard drive produced contact information for Caroline Kennedy. Though companies are supposed to wipe used hard drives clean before selling a machine, that isn't always executed, the report states. "I think it's an issue that's going to have major ramifications," says security expert Sean O'Leary.
Tuesday, March 9, 2010
Federal Trade Commission Chairman Jon Leibowitz and Illinois Attorney General Lisa Madigan announced a settlement today that requires LifeLock, Inc., to pay a total of $12 million to settle charges that its claims of providing comprehensive identity theft protection were false. According to the FTC, LifeLock did offer some protection against specific types of ID theft, but the company's practice had no effect on the most common form: the misuse of existing credit card and bank accounts. "While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it," Leibowitz said.
I have many clients who had a LifeLock plan until I explained to them what they are not getting in the bargain. Please read the fine print before you buy!
Friday, March 5, 2010
A new survey from the Ponemon Institute shows that nearly six percent of American adults have been victims of medical identity theft, with an average cost per victim of $20,160. The cost comes from the efforts victims face to sort out what happened with concerned parties such as doctors, hospitals, insurance companies and credit agencies, the San Francisco Chronicle reports. "The National Study on Medical Identity Theft" is based on findings from 156,000 people who agreed to discuss the general topic of identity theft, with 5.8 percent confirming they had been the targets of medical ID theft. Based on those statistics, the study estimates that 1.42 million adults in the U.S. may have experienced the theft of their medical identification information.
Tuesday, March 2, 2010
The theft of 57 unencrypted hard drives from BlueCross-BlueShield of Tennessee has given thieves access to personal data on upwards of 500,000 customers and is costing millions to fix, PCWorld reports. The drives contained recordings of more than one million customer support calls as well as 300,000 screen shots, which in some cases included names, birthdates and Social Security numbers. BlueCross is now auditing its security practices, the report states. The process of investigating the breach and notifying customers has cost more than $7 million so far. According to Michael Spinney of the Ponemon Institute, while the average data breach costs $6.75 million, the company could be paying much more due to the complexity of the breach.
On February 25, 2010, the Federal Trade Commission filed a notice that it is appealing the D.C. District Court’s December 28, 2009 judgment in favor of the American Bar Association in American Bar Association v. FTC. The District Court’s summary judgment held that the FTC’s Identity Theft Red Flags Rule (“Red Flags Rule” or the “Rule”) does not apply to attorneys or law firms. The Rule implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act. In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain accounts to implement an identity theft prevention program. The program must be designed to detect, prevent and mitigate the risk of identity theft. Prior to the district court’s decision, the FTC had taken the position in publications and numerous panels that attorneys and law firms meet the Rule’s definition of “creditor” because they allow clients to pay for legal services after the services are rendered.
View the FTC's notice of appeal, filed last week, stating its intention to appeal the court's judgment.
Wednesday, February 24, 2010
Can anyone think of a reason to NOT have identity theft protection and restoration services when this sort of thing can and does happen almost daily? There is only one such service that provides complete restoration for all types of identity theft issues. The one I am proud to represent.
Tuesday, February 9, 2010
Instead I will report the following...
Good intentions aside, many companies are missing the opportunity to effectively train employees on data protection. "Many corporations have adopted a check-box approach toward compliance" with the obligations set out in various data protection regulations, says Jay Cline, CIPP, in a Computerworld article. Cline says common mistakes that companies make include separating rather than melding privacy, security and records management and ethics training; using too few communications channels; and failing to measure training effectiveness. "Employee training is probably the most important component of an information risk management process," he writes. "Yet few companies actually measure..."
Tuesday, January 26, 2010
I recently had a conversation with a mortgage broker who was not aware of how important security is to client transactions, other than a vague awareness of the risk of identity theft. There are numerous business sectors that simply do not understand their responsibilities and liability when it comes to protecting their clients' personal information. Chief among them are mortgage and legal professionals.
A mortgage broker charged with improperly disposing of consumers' personal financial records has paid a $35,000 settlement to the Federal Trade Commission (FTC). Gregory Navone, of Las Vegas, disposed of about 40 boxes of sensitive consumer records in a public dumpster, according to the December 2008 FTC complaint. The records included tax returns, mortgage applications, bank statements, photocopies of credit cards and drivers' licenses and at least 230 credit reports. The settlement also requires Navone to employ an information security program for sensitive consumer information, and to hire an independent, third-party security professional to conduct compliance audits annually for the next 10 years.
Thursday, January 21, 2010
• "Identity theft happens when your personal information is accessed by someone else without your explicit permission."
• "Identity fraud occurs when criminals take that illegally obtained personal information and misuse it for their financial gain, by making fraudulent purchases or withdrawals, creating false accounts, or attempting to obtain services such as employment or healthcare. Personally identifying information such as your Social Security number, bank or credit card account numbers, passwords, telephone calling card number, birth date, name, address and so on can be used by criminals to profit at your expense."
• "Almost 10 million Americans learned they were victims of identity fraud in 2008, up from 8.1 million victims in 2007.
"Identity theft also falls into this category [of financial fraud]; cases classified under this heading tend to be those where the perpetrator possesses the complainant's true name identification (in the form of a Social Security card, driver's license, or birth certificate), but there has not been a credit or debit card fraud committed."
Tuesday, January 19, 2010
I wonder how any victims of identity theft resulting from those breaches feel? While it is reported here that the number of breaches is on a decline, the number of breached records is increasing and the number of ID theft victims holds steady. It's all in the numbers.
ITWire.com reports that the number of data breaches reported to the media has declined significantly over the past 18 months. The article cites an Open Security Foundation blog post that says the number of breaches reported in global media has dropped from about 1,000 per month between 2005 and 2008, to about 500 per month. The blog speculates that boredom in the press may be a cause. "Just another data breach" isn't news anymore, the report states.
Friday, January 15, 2010
Thursday, January 7, 2010
When you look at the practical percentages of theft surrounding your personal data you can see that the odds are lower of your stuff being stolen and used, than is widely perceived. Currently there are roughly 10 million domestic identity theft victims each year according to FTC and Ponemon Institute estimates. A little over 60% of those cases are the result of data theft from a public or private entity. But that doesn't mean that it is any less devastating. The problem is that when you entrust the data keeper to report the loss to you, or to fix a breach weak link, or frankly do anything for you after the fact, you are dreaming. No breached entity will tell you that the breach will likely result in identity theft. They will run damage control instead, meaning that they will downplay that aspect to protect their public image. The problem with that is that time is now on the side of the thieves to sell or use your personal information. A breached entity can take months or in some cases years to notify you of the loss. Sometimes not at all if the breach doesn't rise to the threshold the states' reporting laws have in place.
In light of that reality, why then can't we all empower ourselves to be our own first line of defense when it comes to our personal data? With the power to act in our hands we are able to react to incidents of breach and identity theft much faster and with greater precision than is possible from the university, government agency, employer, or hospital, etc., that lost it in the first place. A professional agency dedicated to notifying us when our information is misused and reporting that misuse within hours is our best line of personal defense. An agency that can not only report these incidents to you in a timely way but also act as your proxy to correct the errors and false record entries on your behalf when it does occur is the most direct way to protect ourselves.
Tangentially, by having such a representative we are lowering the value of the data to the thieves. Illicit data brokers and identity thieves rely on time being on their side to profit from the misuse of your information. They need days or weeks to actually use the data to make purchases or obtain insurance, file false claims, get employment, etc. Draining bank accounts or running up credit purchases, while pretty awful, are largely handled by the banks and credit card companies themselves. With timely reporting a bank generally will help the victim, but only with timely reporting. That means within hours or a day or so at the longest. Beyond a few days a bank's responsibility is much reduced. If you are not aware of the misuse you cannot report it to the bank. An agency that can notify the client within hours of an identity theft episode can shut down the misuse and render that identity information nearly useless almost immediately. The client is isolated from the incident, identified as a victim of identity theft, and the agency then can begin the restoration of the records or credit files affected. They will also look for other misuse within other databases in the event the incident is more widespread than the original incident. This can all take place within hours of the incident. Not a bad timely response to the attack in my opinion.
Wednesday, January 6, 2010
Navy's InfoSec Chief Suffers Sixth Breach
The Navy's Chief Information Officer Robert Carey recently received notification of a compromise of his personally identifiable information (PII), reports govinfosecurity.com. For Carey, it was the sixth such notification, and came from the Army--where he hasn't worked in 24 years. Carey used the event to describe his philosophy on data protection and enumerate a seven-point summary of his department's efforts to reduce the risk of a breach within the Department of the Navy. "In today's Information Age, PII must be treated with extreme care because unauthorized access to someone's digital identity can and does cause grave consequences," Carey wrote.
Three Breaches Compromise 30,000 at Penn State
The Pittsburgh Post-Gazette reports that Penn State has begun the process of notifying nearly 30,000 individuals that their personally identifiable information (PII), including Social Security numbers, may have been compromised as a result of three separate malware infections discovered in late December. The school said it has no evidence that the individual or organization behind the malware gained access to the PII, but has decided to notify as a precautionary measure. "We do not have any indication that it was accessed by unauthorized parties. We prefer to err on the side of caution," said spokesperson Annemarie Mountz. The event was the second known breach at Penn State in 2009.
Does it occur to anyone that for as long as we have been entrusting our personal information to others they have been losing it, a lot? One of life's principles is that "Continuing to do the same things while hoping for different results" is a hopeless waste of time. If they continue to lose our personal information, why then do we continue giving it to them without any sort of check and balance? Certainly all of the laws passed have not had any nullifying effect, nor have any of the so-called procedures and software "solutions". This is not a problem that we have to accept as a given that requires a highly technical or overly complex set of controls. This is a very basic condition that, if we, as the actual owners of the prize, were to take it into our own hands, could quite well be nipped in the bud. Think about it. Do we all put our prized silver in a big building or a bunch of buildings and then hire people to guard it, or do we keep our own at home and watch it ourselves?
The examples above are not isolated cases unless you consider the US Navy and Penn State to be marginal. This is big time mainstream stuff.
Oh, Happy New Year!