Thursday, March 31, 2005

AFLAC!! AFLAC!! Insurer Loses Customer Information

American Family Life Assurance Co., also known as AFLAC, is reporting that it has lost reels of magnetic tape containing the personal data of 17,000 policyholders.

It said the information was probably discarded by mistake.

An AFLAC official said, "There is a high possibility that the tapes have been scrapped within our company, along with other unnecessary magnetic media."

The firm said it had not detected any sign that the personal information was obtained by a third party.

The data on the holders of group insurance policies comprise the names, birth dates, amounts of premiums and code numbers denoting policy types of the policyholders, including those who belong to an incorporated foundation in Hyogo Prefecture, the company said. The data were stored in four volumes.

Officials in charge of the computer system at the Tokyo-based head office of AFLAC's Japanese subsidiary noticed on March 15 that the volumes were missing.

Mizuho Banks Lose Data on 270,000 Customers

Mizuho Bank and Mizuho Trust & Banking Co. are reporting that they have lost data on 270,000 customers. They said the information was probably discarded by mistake.

Mizuho Bank said the lost data include depositors' names, account numbers and savings balances. The data were stored on microfilm, card loan application forms from about 980 people and other data-recording media at 167 of the bank's outlets nationwide.

The banks said they have not detected any sign that a third party has the information.

A Mizuho Bank official said: "Our in-house investigation has found that the possibility is extremely low that the information in question has been illicitly taken outside of the bank. We are sorry for the incident, and we will take thorough measures to protect information in order to prevent a recurrence of similar incidents."

Wednesday, March 30, 2005

DHS Privacy Committee to Hold its First Meeting April 6

The Department of Homeland Security has announced that it will hold the first meeting of its Data Privacy and Integrity Advisory Committee on April 6, 2005.

It will be held from 8:30 a.m. to 4:30 p.m. at the Mayflower Hotel, 1127 Connecticut Avenue, Washington, D.C.

The session between 11:45 a.m. and 2:15 p.m. will be closed in order to permit the Privacy Advisory Committee members to receive administrative briefings concerning travel, ethics and security matters that pertain to their membership.

The Chief Privacy Officer of DHS will welcome and introduce the members of the Privacy Advisory Committee.

DHS component offices will provide an overview of information about the Department.

The Privacy Advisory Committee will then discuss areas of focus for its initial work on privacy issues within DHS.

At the end of the meeting, between 3:45 p.m. and 4:30 p.m., public comments will be accepted.

Public Sessions

Colonial Ballroom
8:30 a.m. - 11:30 a.m.
2:15 p.m. - 4:30 p.m.

Public Comments
3:45 p.m. to 4:30 p.m.

The DHS Privacy Advisory Committee will be accepting statements from the audience. Individuals who wish to testify should indicate this when they register to attend. In order to permit as much public participation as possible, speakers should limit their remarks to two minutes. Individuals also may submit written comments by following the instructions in the meeting’s Federal Register Notice.

Registration & Attendance

Members of the public who wish to attend should register in advance using the contact information below, and will be accommodated as registrations are received on a first-come, first-served basis.

Attendees should arrive by 8:15 a.m. or by 2:00 p.m. for the respective open sessions.

People who wish to participate should contact:

The DHS Privacy Advisory Committee
The Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528

Email: PrivacyCommittee@dhs.gov
Phone: 202-772-9848
Fax: 202-772-5036

Tuesday, March 29, 2005

Information Stolen From University of California, Berkeley

According to news reports, personal information on about 100,000 alumni, graduate students and past applicants of the University of California, Berkeley is in the hands of a thief who stole a laptop containing the data.

The university has set up a hotline, 1-800-372-5110, and a Web site, to answer questions about the laptop theft.

The University is yet another California organization obliged to report the theft under the state's security breach notification law. Each such disclosure adds to the push for similar laws at the state and federal level.

Monday, March 28, 2005

TSA Misled the Public and Congress on Privacy

A report released on Friday by the Department of Homeland Security's Acting Inspector General, Richard Skinner, said the TSA misled airline passengers, Congress and the media in 2003 and 2004 regarding its role in obtaining personal information about airline passengers. The TSA used the personal information of about 12 million people, obtained without the passengers' permission and in violation of some airlines' privacy policies, to test a new passenger screening system.

QUOTE:

"TSA officials made inaccurate statements regarding these transfers that undermined public trust in the agency. These misstatements were apparently not meant to mischaracterize known facts. Instead, they were premised on an incomplete understanding of the underlying facts."

The report cites specific times when TSA officials made inaccurate statements about passenger data:

• In September 2003, the agency's Freedom of Information Act staff received requests from JetBlue passengers asking if the TSA had their records, as a result of publicity surrounding JetBlue. The TSA Web site stated that it had no JetBlue passenger data. The notice stayed on the Web site for more than a year, even though by May 2004 the TSA had found JetBlue passenger records in its possession.

• In November 2003, TSA chief James Loy told the Senate Governmental Affairs Committee that certain kinds of passenger data were not being used to test passenger prescreening, when, in fact, they were.

• In September 2003, in response to a question from a reporter, a TSA spokesman said only fake data were used to test the TSA screening system. Those responses "were not accurate," the report said.

In addition, the report concluded that between February 2002 and June 2003, the TSA was involved in the transfer of personal information from airlines 14 times, involving 12 million records from America West, American Airlines, Continental, Delta, Frontier and JetBlue.

Friday, March 25, 2005

New Security Breach Notification Rules

Financial institutions covered by Gramm-Leach-Bliley will have to notify customers of a security breach when it is likely that their information could be misused, under new rules announced yesterday.

Four agencies will enforce the rules: the FDIC, the Federal Reserve, the Office of the Comptroller of the Currency and the Office of Thrift Supervision.

Companies will be allowed to conduct an internal investigation for a likelihood of misuse before reporting the security breach.

This announcement follows highly publicized security breaches and calls for more state laws and a national law like the California security breach notification law.

Thursday, March 24, 2005

Electronic Frontier Foundation Appeals Apple Ruling

The EFF has appealed the lower court ruling in California that approved Apple's subpoena of certain web site writers.

Apple wants to know who has been disclosing information it says is a trade secret about an unreleased Apple product code-named Asteroid. The information was published on a news site called PowerPage.org. The EFF says the writers and their sources should be protected under the First Amendment and California's journalistic shield law.

Apple subpoenaed Nfox, the ISP for PowerPage, for information about e-mails sent using Nfox.

The Superior Court judge ruled that the information was a trade secret, regardless of whether the writers were journalists or not.

Wednesday, March 23, 2005

New Utah Spyware Law

I neglected to mention last week that on March 17 Utah enacted House Bill 104, creating a new Utah Spyware law.

The spyware law enacted in 2004 defined "spyware" as software residing on a computer that monitored the computer's usage, or sent information about the computer's usage to a remote computer or server, or used a context-based triggering mechanism to display advertisements.

The new Utah spyware law defines "spyware" as software on the computer of a user who resides in Utah that collects information about a website at the time the website is being viewed in Utah, and uses that information to display pop-up advertising on the computer.

The new law forbids pop-up ads created by spyware if the advertisement is displayed in response to a registered trademark or specific website address.

The new law also states that a company that places spyware on someone else's computer can comply with the Utah law by asking whether the computer user lives in Utah. If the user says no, the law does not apply. This is intended to get around the Commerce Clause problems that sank the 2004 law.

Of course, last year Utah surprised a lot of people by becoming the first state to enact an anti-spyware law. The law was enacted rather hastily, after a Utah company, 1-800Contacts.com, alleged that a company called WhenU was using spyware to divert customers from its web site. Many experts have said the law was poorly written, not to mention a violation of the Commerce Clause, and an injunction was issued against enforcement of the law in 2004.

Utah legislators have acted relatively quickly in response to the criticisms, although doubts remain about their latest effort.

Last September, Governor Schwarzenegger signed the Consumer Protection Against Spyware Act, making California the only other state with a spyware law. That law makes it illegal to, with actual knowledge or willfully, cause software to be copied onto someone else's computer and use it to open certain advertisements.

Privacy advocates say the California law does not go far enough.

Tuesday, March 22, 2005

Personal Information Stolen From California State University

According to The Associated Press, hackers have stolen the personal information of 59,000 people affiliated with California State University, Chico.

Apparently about three weeks ago hackers gained access to students', faculty and employees' names and Social Security numbers.

Some of the people affected were prospective students. Do you think they'll go to the school now?

In April of 2004, hackers broke into the computer system of the University of California, San Diego, compromising confidential information on about 380,000 students, teachers, employees, alumni and applicants.

The hackers may not have been identity thieves, but still, this latest high-profile incident will increase calls in Congress, and in California, already ground zero for privacy law, for more laws protecting personal information, I'm sure.

Monday, March 21, 2005

National Security Breach Rule Approved

Federal Deposit Insurance Corporation (FDIC) regulators voted on Friday, March 18, to require banks to notify consumers when the bank determines that it is "reasonably possible" that their personal information has been misused following a security breach.

The language is designed to avoid too many false alarms, but there should be no doubt that privacy advocates will press for stronger rules from Congress.

Friday, March 18, 2005

Westlaw Changes Business Practices

The New York Times is reporting that Westlaw has agreed to limit its sale of personal information, including Social Security Numbers. The change in policy comes, of course, in the wake of numerous highly publicized privacy breaches, hearings on Capitol Hill, and pressure from lawmakers like Sen. Charles Schumer of New York. Pressure will no doubt follow for LexisNexis and ChoicePoint to do the same thing.

Chuck Schumer held a press conference the other day where he showed how his staff was able to easily get personal information from Westlaw, including SSNs (thankfully blanked out), on famous people like Paris Hilton and Vice President Dick Cheney. Obviously Westlaw did not like the attention.

Quote of the Day:

"The events of the past months illustrate the importance of tougher controls, and we're pleased to be a part of a broader and ongoing effort that supports both individual privacy and homeland security concerns."

–– Peter Warwick, president and chief executive of Thomson West.

Thursday, March 17, 2005

Privacy Officer Repeal Effort

As promised, Representative Tom Davis (R-VA) has introduced a bill (H.R. 1271) which would repeal the provision in the 2005 Consolidated Appropriations Act which requires every federal agency to have a Privacy Officer. Davis has urged getting rid of the requirement, saying it is unnecessary and may overlap with the job of the technology officer.

Wednesday, March 16, 2005

Congress Holds Privacy Hearings

Hearings were held yesterday on Capitol Hill which could lead to laws affecting those who buy and sell personal information.

Representatives heard from executives from ChoicePoint, LexisNexis, and Bank of America, as well as ID theft victims and privacy advocates. Members of Congress suggested sweeping laws may be necessary.

Rep. Edward Markey, (D-Massachusetts) has introduced the "Information Privacy and Security Act," which would require the FTC to develop rules for data brokers, including methods of protecting personal data, ways for individuals to check if their personal data is held by a data broker, and a way for individuals to correct mistakes in data held by data brokers.
Quote of the Day

"In my mind, invading a personal computer is not different from breaking and entering into a person's home. I want the FTC to go after these spyware folks and ... go after them with a vengeance."

–– Rep. Joe Barton, R-Texas.

Tuesday, March 15, 2005

House and Senate Hold Hearings

The House and Senate held hearings today on data privacy. More later....

House Panel:

Mr. Kurt P. Sanford
President and CEO, U.S. Corporate and Federal Government Markets
LexisNexis

Mr. Derek Smith
Chairman and Chief Executive Officer
ChoicePoint, Inc.

Mr. Joseph Ansanelli
Chief Executive Officer
Vontu, Inc.

Mr. Marc Rotenberg
Executive Director
Electronic Privacy Information Center

Senate Panel

Mr. Don McGuffey, Vice President, ChoicePoint Services, Inc.

Mr. Evan Hendricks, Editor, Privacy Times

Ms. Barbara J. Desoer, Executive Vice President, Global Technology, Service and Fulfillment Executive, Bank of America Corporate Center

Monday, March 14, 2005

Theft of Information on 9,000 People From Nevada DMV

According to MSNBC, over the weekend thieves stole files on 9,000 people from a Nevada Department of Motor Vehicles office in Las Vegas.

Information stolen included Social Security numbers, signatures and photographs, as well as 1,700 blank licenses and license-making equipment. Apparently the thieves broke into the building.

The data was apparently not encrypted.

Friday, March 11, 2005

Senate Hearing Postponed

The Senate Banking Committee hearing, at which ChoicePoint and Bank of America executives were scheduled to testify, was postponed due to votes on the bankruptcy bill.

Key quotes:

"In my mind, what bank robbery was to the Depression Era, identity theft is to the Information Age," Schumer said, adding that Congress needs to learn from the example of ChoicePoint to "replace the current patchwork of state and federal laws with a real security blanket -- one that protects privacy, keeps Social Security numbers private, and prevents fraud and identity theft."
–– Sen. Charles Schumer (D-N.Y.),

"Make no mistake about it, identity theft poses a very real threat to our economy and it is on the rise," Corzine said. "In fact, it's our nation's fastest growing crime. And last year, identity theft complaints to the Federal Trade Commission grew by 50 percent since 2002. With so many instances of fraudsters seeking to abuse an individual's good name, it is clear that more must be done to prevent the proliferation of identity theft."
-- Sen. John Corzine (D-N.J.).

Sen. Corzine said he would propose a bill which would require companies, including financial institutions and other commercial entities such as third-party data collectors like ChoicePoint, to have security systems in place to safeguard consumers' personal information.

A company's chief compliance officer or its CEO, would have to personally attest that the required safeguards were in place (as in Sarbanes-Oxley).

Leahy Suggests Big Changes in Privacy Law

Senator Patrick Leahy, a Democrat on the Judiciary Committee, advocated on Wednesday a "comprehensive rethinking" of the laws regulating companies that compile personal information on consumers.

"It's not a conservative or liberal issue," Leahy said at the Center for Democracy and Technology's 10th anniversary dinner. "We're going to explore these issues--something that's long overdue."

Leahy was one of the Bank of America customers whose personal information was recently lost.

A Senate Banking committee hearing scheduled for Thursday is titled "Identity Theft: Recent Developments Involving the Security of Sensitive Consumer Information."

Leahy and experts from the U.S. Secret Service, Bank of America and ChoicePoint are scheduled to testify.

Thursday, March 10, 2005

DHS Privacy Officer On National ID

DHS privacy chief wary of national IDs

Washington Technology magazine

By Alice Lipowicz
Staff Writer

The chief privacy officer for the Homeland Security Department is not a supporter of a national identification card.

“I’m not a fan,” Nuala O’Connor Kelly said at a March 8 cybersecurity conference sponsored by Government Computer News, a sister publication of Washington Technology.

“We have huge issues with managing identification and getting identification right,” Kelly added. For example, she said, there are many risks to privacy from possible misuses of “breeder documents” — birth certificates and drivers’ licenses issued by state and local agencies that are used to apply for U.S. passports.

“You have to be very vigilant and concerned,” Kelly said.

Proposals for secure national ID card systems have gained supporters, but civil libertarians say any security gains would be overshadowed by the risks of “Big Brother” infringements upon personal rights and freedom.

Congress is considering legislation (H.R.418) introduced by Rep. James Sensenbrenner (R-Wis.), chairman of the House Judiciary Committee, that would give the DHS secretary authority to control states’ drivers’ licenses and identification cards, set up a national database to share drivers’ license information and loosen privacy regulations approved by Congress in 2004.

Kelly told the crowd of industry and government officials that new information technologies, specifically “biometrics, RFID, data mining, data sharing and data technologies,” are keeping federal privacy officers busy.

“It’s boom time for privacy,” Kelly said. “This is a terrific time to be a privacy officer. You’ll see more of us.”

Asked if privacy officers need to be tech-savvy, Kelly said that IT knowledge is essential to the job. Technological expertise represents about “20 percent of my knowledge base [and] 20 percent of my job,” she added.

However, Kelly said, people often make the mistake of believing privacy’s only challenges are technological, when in fact privacy is based on “values, compliance, legal and policy issues.”

Wednesday, March 09, 2005

ChoicePoint Hires Privacy Officer

The Associated Press
Wednesday, March 09, 2005
ATLANTA -- The data broker ChoicePoint Inc., whose massive consumer information file was recently breached, said yesterday it has hired a top official at the government agency that oversees airport screening to review how the company screens its customers.

The Alpharetta, Ga.-based company said Carol A. DiBattiste, deputy administrator of the Transportation Security Administration, has been appointed as the company's chief credentialing, compliance and privacy officer.

Privacy Breach at Seisint

Consumer Data Stolen from Reed Elsevier U.S. Unit

Reuters Internet Report

By Jeffrey Goldfarb

Hackers have gained access to sensitive personal details of about 32,000 U.S. citizens on databases owned by publisher Reed Elsevier, fueling fears about identity theft and efforts to curb the sale of such information.

The U.S. Federal Bureau of Investigation and the Secret Service arm of the U.S. Department of Homeland Security are investigating the breach, a company spokeswoman said on Wednesday.

Anglo-Dutch Reed Elsevier said a billing complaint by a customer of its Seisint unit in the past week led to the discovery that an identity and password had been misappropriated.

The information accessed included names, addresses, social security and driver's license numbers, but not credit histories, medical records or financial information.

Reed Elsevier said it is contacting the 32,000 people affected and offering them credit monitoring and other support to detect any identity theft.

"Law enforcement officials have asked us to keep all this information close, because they're hoping to catch up with some of these people," the spokeswoman said.

In recent weeks, Seisint rival ChoicePoint, financial group Bank of America Corp. and discount store owner Retail Ventures Inc all have reported similar problems of stolen or lost customers' personal information.

A U.S. Senate committee has a scheduled hearing on identity theft for Thursday amid promises from lawmakers to enact new rules to protect data and limit companies from selling such information.

Seisint, based in Boca Raton, Florida, collects information from government agencies to build large databases.

A Seisint-created criminal information database called Matrix came under fire after it drew up a list of people with terrorist profiles, which then led to some arrests.

Many of the company's customers are law enforcement agencies and financial institutions.

"There are advantages to attacking those kinds of companies because the information is quite valuable," said Paul Beechey, an information technology security specialist who simulates hacker techniques for UK defense group QinetiQ.

"As the value of what you're trying to steal increases, so does the effort that the bad guys will put into it," he said.

RIVAL'S SIMILAR SITUATION

ChoicePoint Inc., which also sells personal data, said last month it experienced a wider theft of about 145,000 consumer profiles. It is under investigation by U.S. authorities for the breach as well as for compliance with federal consumer information security laws. Identity thieves set up roughly 50 fraudulent business accounts to gain access to ChoicePoint's data. Law enforcement officials said earlier this month they had found attempts were made to compromise the identities of about 750 consumers.

Reed Elsevier bought Seisint in July 2004 for $745 million and housed it inside its LexisNexis unit. It reaffirmed annual and longer-term financial targets in the wake of the theft.

"The financial implications are expected to be manageable within the context of LexisNexis's overall growth," the company said in a statement.

The company's shares in London were down 1.73 percent to 538 1/2 pence at 1444 GMT.

Though Seisint represents only about 1.5 percent of Reed Elsevier's revenues, analysts said the situation could have other detrimental effects.

"This will harm management's credibility and acquisition track record," analyst Gert Potvlieghe at brokerage Petercam wrote in a morning note to clients.

Seisint has weathered some controversy in recent years.

In December, Seisint founder Hank Asher sued ChoicePoint executives for $1.8 billion, accusing them of undermining him when he was trying to sell the business. ChoicePoint had previously sued Seisint.

Asher resigned from the board before the company was sold after a state investigation disclosed findings that he had piloted planes containing cocaine from Colombia to the United States in the early 1980s.

Following the Sept. 11, 2001, attacks, Seisint's Matrix technology, or Multistate Anti-Terrorism Information Exchange, drew sharp criticism from privacy groups when it provided government officials the names of 120,000 people whose personal information supposedly fit the profile of a terrorist.

FTC Spyware Report Released

FTC Releases Staff Report on Spyware Workshop

The Federal Trade Commission has released a staff report summarizing the issues and drawing some conclusions from its April 2004 workshop, “Monitoring Software on Your PC: Spyware, Adware, and Other Software.” The report, a transcript of the day-long session, a list of participants and their presentations, and comments filed with the Commission can be found at
http://www.ftc.gov/bcp/workshops/spyware/index.htm

Based on discussions at the workshop and more than 750 comments submitted to supplement the workshop record, the FTC staff has concluded that spyware is a real and growing problem and that spyware can impair the operation of computers and create substantial privacy and security risks for consumers’ information.

According to the report, the FTC staff also has concluded that the problems caused by spyware can be reduced if the private sector and the government take action. The report suggests that technological solutions - firewalls, anti-spyware software, and improved browsers and operating systems - can provide significant protection to consumers from the risks related to spyware. The report recommends that industry identify what constitutes spyware and how information about spyware should be disclosed to consumers; expand efforts to educate consumers about spyware risks; and assist law enforcement. The report further recommends that the government increase criminal and civil prosecution under existing laws of those who distribute spyware and increase efforts to educate consumers about the risks of spyware.

“The FTC workshop provided valuable insight into the nature of spyware, the problems it causes, and potential solutions for those problems. Addressing the problems associated with spyware will require a coordinated and sustained effort by the private sector and government officials,” the report states.

ID Thief Sentenced to 5 1/2 Years

NEW YORK (CNN/Money) - A California man who used personal information from ChoicePoint Inc. and other companies to steal thousands of identities has been sentenced to 5-1/2 years in prison, according to the United States Attorney's office.

Adedayo Benson, a 38-year-old Nigerian national, was sentenced Monday after pleading guilty last November to using and conspiring to use fraudulently obtained credit cards, according to the U.S. Attorney's office in Los Angeles, Calif.

Benson was also ordered to pay nearly $155,000 in restitution to several financial institutions.

Benson's sister, Bibiana Benson, was sentenced to 54 months in federal prison after she pleaded guilty in 2002 to unlawful use of identification, according to federal authorities.

The brother-and-sister team operated a nationwide credit-card fraud scheme, authorities said. Posing as a real estate agent, Bibiana Benson fraudulently opened accounts with several public records database firms, including ChoicePoint Services, Advantage Financial and Equifax.

With access to the companies' databases, Bibiana Benson was then able to obtain personal information on thousands of individuals.

Adedayo Benson opened "mail drops" in Beverly Hills and Encino, Calif., where he would redirect mail from victims' credit card companies. Once he obtained victims' credit card numbers from his sister, Benson could make purchases and get cash advances, according to the authorities.

ChoicePoint recently announced that the Securities and Exchange Commission has opened an informal inquiry and the Federal Trade Commission has begun a separate inquiry into the theft of more than 100,000 consumer profiles.

Tuesday, March 08, 2005

Health Privacy Survey Results

U.S. PUBLIC SHARPLY DIVIDED ON PRIVACY RISKS OF ELECTRONIC MEDICAL RECORDS

February 23, 2005 // Hackensack, NJ: U.S. adults are divided right down the middle on whether the potential privacy risks associated with a patient electronic medical record system outweigh the expected benefits to patients and society, according to Dr. Alan F. Westin, Professor of Public Law & Government Emeritus, Columbia University, and Director of a new Program on Information Technology, Health Records & Privacy at Privacy & American Business (P&AB).

In testimony given today before the National Committee on Vital and Health Statistics of the Department of Health and Human Services, Dr. Westin released the results of a new national Harris Interactive® survey on the American public and what are known as Electronic Medical Records (EMR).

This telephone survey was conducted in conjunction with the new Westin Program and was fielded February 8-13, 2005.

Major Findings

* Half of U.S. adults (48%) say the benefits to patients and society of a patient Electronic Medical Record system outweigh the risks to privacy, but 47% say the privacy risks outweigh the expected benefits. Four percent said they weren't sure.

* Majorities (between 62% and 70% of adults) are worried that sensitive health information might leak because of weak data security; that there could be more sharing of patients' medical information without their knowledge; that computerization could increase rather than decrease medical errors; that some people won't disclose necessary information to health care providers because of worries that it will go into computerized records; and that existing federal health privacy rules will be reduced in the name of efficiency.

"I am convinced that how the public sees the privacy risks and responses from EMR managers will be absolutely critical to the EMR system’s success — or will be a major factor in its failure," Dr. Westin said. "That is the reality that program advocates will need to consider, respond to, and overcome by implementing a range of laws, rules, practices, technology arrangements, privacy education, and positive patient experiences — if EMRs are to win majority public support and high patient participation," Dr. Westin added.