Tuesday, May 31, 2005

IBM Touts Business Privacy Software

Not exactly legal news, but IBM is pushing new privacy-oriented software. This is a positive development, though I have no idea if it works. This is also an indicator of how much salience the privacy issue currently has.

The software is called "DB2 Anonymous Resolution" and is advertised with the line:

"Share data while protecting the privacy of customers, employees, partners and citizens when you know 'Who is Who & Who Knows Who... Anonymously?'"

According to IBM:

"DB2 Anonymous Resolution software enables multiple organizations to compare proprietary data in a manner that never exposes sensitive data values, while still identifying relationships and developing leads. DB2 Anonymous Resolution enables an organization to compare customer lists with partners, to cross-reference identity records with watch lists, and to determine the amount of customer overlap in a merger and acquisition process - and to do so anonymously.

This allows organizations to share only the data that is pertinent to the specific application. With DB2 Anonymous Resolution, organizations can "take the gloves off" these processes and apply such applications with a level of security and privacy that has never before been available."

They also say that DB2 Anonymous Resolution will:

* Enable the exchange and correlation of information where it has not been possible in the past.
* Enhance protections against unintended information disclosure.
* Enable multi-party, multi-system discovery without information disclosure.
* Protect anonymity of sensitive data.
* Prevent data re-purposing.
* Permit data to remain in the control of the data owner.
* Protect the privacy of customers and employees.
* Reduce exposure to privacy violations, both regulatory and corporate-based.
* Uncover the true customer value and/or risk of a merger or acquisition.
* Achieve a balance between homeland security missions and privacy interests.
* Enable safe & selective data sharing.

Friday, May 27, 2005

Lexis "Hacked" by Clever Teens?

It is an iron law among security and privacy experts that the weakest security links are human beings.

According to news reports, clever teens may have exploited that weakness to get thousands of personal records from Lexis and to get Paris Hilton's phone number from T-Mobile.

Clearly, the mention of Paris Hilton is amusing, but there is very little to laugh about in how easy it was for youngsters to get what was supposedly secure information.

According to the Washington Post,

"the Hilton caper started the afternoon of Feb. 19, when a group member rang a T-Mobile sales store in a Southern California coastal town posing as a supervisor from T-Mobile inquiring about reports of slowness on the company's internal networks.

The conversation -- which represents the recollection of the hacker interviewed by washingtonpost.com -- began with the 16-year-old caller saying:

"This is [an invented name] from T-Mobile headquarters in Washington. We heard you've been having problems with your customer account tools?"

The sales representative answered:

"No, we haven't had any problems really, just a couple slowdowns. That's about it."

Prepared for this response, the hacker pressed on:

"Yes, that's what is described here in the report. We're going to have to look into this for a quick second."

The sales rep acquiesced: "All right, what do you need?"

When prompted, the employee then offered the Internet address of the Web site used to manage T-Mobile's customer accounts -- a password-protected site not normally accessible to the general public -- as well as a user name and password that employees at the store used to log on to the system."

Note that nothing technical was defeated here. The store's staff shared a single user name and password for the account tool, and one phone call from someone claiming to be headquarters was enough to have it read out; a control that ends at a shared credential and a trusting employee is only as strong as that call.

Thursday, May 26, 2005

New Texas Law Forbids Denial of Credit to ID Theft Victims

On May 20 the Governor of Texas signed Senate Bill 99, which forbids denial of credit to a person because they have been a victim of identity theft.

The law states:

"A person who has been notified that an individual . . . has been the victim of identity theft may not deny the individual an extension of credit, including a loan, in the individual's name or restrict or limit the credit extended solely because the individual has been a victim of identity theft."

"This subsection does not prohibit a person from denying an individual an extension of credit for a reason other than because the individual has been a victim of identity theft."

In the law the term "victim of identity theft" means an "individual who has filed a criminal complaint alleging the commission of an offense."

Wednesday, May 25, 2005

Why Do Companies Keep Losing Personal Information?

Interesting Article from FORTUNE:

"The Great Data Heist
Why can't corporations keep their customers' personal data secure? Inside the world of identity theft."

By Daniel Roth and Stephanie Mehta

"The press release was written just seven months ago, yet it already sounds quaint. "U.S. announces guilty plea in largest identity-theft case in nation's history," declared the U.S. Attorney's office. The thief in question, a 35-year-old British immigrant named Philip Cummings, had admitted his central role in using information he had learned at work to pull off what the government declared to be "a massive scheme to steal the identities of up to 30,000 people."

Turns out Cummings was bush league. In February data aggregator ChoicePoint acknowledged that identity thieves had stolen vital information on 145,000 people. Less than two weeks later Bank of America admitted it had lost backup tapes that held the account information of 1.2 million credit card holders. In March shoe retailer DSW said its stores' credit card data had been breached; the U.S. Secret Service estimated that at least 100,000 valuable numbers had been accessed. More than a month later DSW released the real number: 1.4 million. Reed Elsevier's LexisNexis, a ChoicePoint rival, followed suit, revealing first that unauthorized users had compromised 32,000 identities, then upping the number to 310,000.

And those are just the headliners. Companies were admitting scores of smaller breaches. On April 8, the San Jose Medical Group announced that someone had stolen one of its computers and potentially gained access to 185,000 patient records. A few days later customers of Polo Ralph Lauren learned that a hacker had gained access to 180,000 HSBC credit cards used at its stores. Then, on April 20, Ameritrade blamed its shipping vendor for losing a backup tape containing personal information on 200,000 clients.....

For the full article, see FORTUNE online.


House Passes Spyware Bills

On Monday, May 23, the U.S. House of Representatives passed two bills aimed at limiting spyware.

A number of U.S. states have already enacted such laws, including California.

The SPY ACT (Securely Protect Yourself Against Cyber Trespass Act) passed by a vote of 393-4.

The bill (H.R. 29) would limit unauthorized access to a computer and forbid transmitting to a protected computer any "information collection program" without notice and consent.

An "information collection program" is a program that collects personally identifiable information and sends it to a person other than the owner or authorized user of the computer, or uses it to deliver advertising.

The I-SPY Act (Internet Spyware Prevention Act) passed 395-1.

The I-SPY bill would apply criminal penalties for intentionally accessing a computer without authorization for the purpose of planting unwanted software.

The U.S. Senate will now consider the bills.

Said Rep. Cliff Stearns (R-Fla.), "We passed this bill once before. Now, we've got to appeal to the Senate to move it."

Monday, May 23, 2005

Four Banks Involved in Security Breach

Bank of America, Wachovia, Commerce Bank and PNC Financial Services Group Inc. are cooperating with authorities investigating the deliberate theft of account information on more than 670,000 customers. The number of accounts targeted may be over 1 million.

Some are calling it "the biggest security breach to hit the banking industry."

I have been following this case, and indeed it is disturbing that bank employees, who are trusted with access to customers' accounts (and all that cash), sold customer account information, according to police.

Bank employees, including high-level employees, were paid $10 per account.

So all that tight security was defeated by a piece of paper with Alexander Hamilton's face on it.

Thus far, though, it is not clear if identity theft has resulted, since the information was apparently ultimately sold to collection agencies.

Wachovia customers whose account information was stolen will receive complimentary one-year credit monitoring service and each account will also be monitored by the bank, according to Wachovia, which is certainly a good idea.

A Bank of America spokeswoman said the bank would notify all the customers whose information was compromised.

It may well turn out there is little risk of a loss of funds or identity theft, but, given the fact that the bank's own employees may have been directly responsible for the theft, it might be a good idea for all banks to go the extra mile for their customers.

If you can't trust your bank, who can you trust?

And if you can't trust your bank, why should you keep your money there?

Colorado Security Freeze Law

On May 23 Colorado Senate Bill 137 passed both the House and Senate and was sent to the Governor, who is expected to sign it.

The bill would give consumers the right to freeze access to their credit reports. Consumers do not have to be victims of identity theft to place the freeze.

The bill would prohibit credit agencies from making changes to information such as name and address while the freeze is in place.

The bill allows insurers to access credit information even with a freeze in place.

A provision requiring all businesses to notify consumers in the event of a security breach was removed to prevent a veto by the Governor.

Friday, May 20, 2005

Washington Enacts Spyware Law

Washington has become the latest state to enact a law against spyware. On May 17 Governor Christine Gregoire signed House Bill 1012, which will allow the state Attorney General to seek damages up to $100,000 per violation or actual damages, whichever is greater. The new law will also allow business victims of spyware attacks to sue spyware purveyors.

"Computer users expect their property and privacy to be protected from criminals who would steal their personal information or trespass on their computers. This new law sends a clear warning that secretly implanting spyware and other unwanted programs will be punished," said Rep. Jeff Morris, the sponsor of the spyware bill and chair of the House Technology, Energy and Communications Committee.

The law provides that "It is unlawful for a person who is not an owner or operator to transmit computer software to the owner or operator's computer with actual knowledge or with conscious avoidance of actual knowledge and to use such software to do any of the following:
(1) Modify, through intentionally deceptive means, settings that control any of the following:
(a) The page that appears when an owner or operator launches an internet browser or similar computer software used to access and navigate the internet;
(b) The default provider or web proxy the owner or operator uses to access or search the internet; and
(c) The owner or operator's list of bookmarks used to access web pages;
(2) Collect, through intentionally deceptive means, personally identifiable information:
(a) Through the use of a keystroke-logging function that records all keystrokes made by an owner or operator and transfers that information from the computer to another person;
(b) In a manner that correlates such information with data respecting all or substantially all of the web sites visited by an owner or operator, other than web sites operated by the person collecting such information; and
(c) Described in section 1(9) (d), (e), or (f)(i) or (ii) of this act by extracting the information from the owner or operator's hard drive;
(3) Prevent, through intentionally deceptive means, an owner or operator's reasonable efforts to block the installation or execution of, or to disable, computer software by causing the software that the owner or operator has properly removed or disabled automatically to reinstall or reactivate on the computer;
(4) Intentionally misrepresent that computer software will be uninstalled or disabled by an owner or operator's action; and
(5) Through intentionally deceptive means, remove, disable, or render inoperative security, antispyware, or antivirus computer software installed on the computer.

It is unlawful for a person who is not an owner or operator to transmit computer software to the owner or operator's computer with actual knowledge or with conscious avoidance of actual knowledge and to use the software to do any of the following:

(1) Take control of the computer by:

(a) Accessing or using the modem or internet service for such computer to cause damage to the computer or cause an owner or operator to incur financial charges for a service that is not authorized by the owner or operator;
(b) Opening multiple, sequential, stand-alone advertisements in the owner or operator's internet browser without the authorization of an owner or operator and that a reasonable computer user cannot close without turning off the computer or closing the internet browser;
(2) Modify any of the following settings related to the computer's access to, or use of, the internet:

(a) Settings that protect information about the owner or operator in order to steal the owner or operator's personally identifiable information; and
(b) Security settings in order to cause damage to a computer; and

(3) Prevent an owner or operator's reasonable efforts to block the installation of, or to disable, computer software by doing any of the following:

(a) Presenting the owner or operator with an option to decline installation of computer software with knowledge that, when the option is selected, the installation nevertheless proceeds; and
(b) Falsely representing that computer software has been disabled.

It is unlawful for a person who is not an owner or operator to do any of the following with regard to the owner or operator's computer:

(1) Induce an owner or operator to install a computer software component onto the computer by intentionally misrepresenting the extent to which installing the software is necessary for security or privacy reasons or in order to open, view, or play a particular type of content; and

(2) Deceptively cause the execution on the computer of a computer software component with the intent of causing the owner or operator to use the component in a manner that violates any other provision of this section.

Thursday, May 19, 2005

Illinois Security Breach Law

The Illinois Security Breach law has passed both the Assembly and Senate, and the Governor is expected to sign the legislation.

The proposed law would require any data collector that owns or licenses personal information concerning an Illinois resident to notify the resident that there has been a breach of the security of the system data following discovery or notification of the breach.

The disclosure notification would have to be made in "the most expedient time possible and without unreasonable delay," consistent with any measures necessary to determine the scope of the breach.

The law would also apply to any data collector that maintains computerized data that includes personal information the data collector does not own or license.

Violation of the law would constitute an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act.

Massachusetts Governor Proposes Notification Law

The headline at the website for Republican Massachusetts Governor Mitt Romney says:


Almost right.

Romney has proposed a set of laws which would address identity theft, including requiring companies to notify their customers if they suspect an unauthorized individual has acquired their personal information through their systems or databases.

The bill would also allow consumers to flag or freeze access to their credit reports at the credit-reporting bureaus if they suspect their personal information has been stolen.

Naturally, the bill is framed as addressing terrorism, and Romney is waging a battle for "homeland security." According to the Governor's office, "a false identity could enable a terrorist to enter the country, board an airplane, obtain weapons or gain access to facilities that are part of our critical infrastructure."

And of course, "Identity theft is a principal means to commit other crimes such as credit card theft and money laundering that facilitate terrorist operations.  Information included in Al Qaeda training manuals detailed the importance to terrorists of obtaining fraudulent identification documents."

To that end, the Governor proposes making ID theft and certain related acts felonies, including:

· Using or conspiring to use personal identifying information about another person or deceased person with the intent to defraud or commit any crime;

· Possession of a false identification document;

· Providing a false identification document to a police officer;

· Using the seal of a department or agency without authority;

· Concealing material facts to obtain a valid identification card;

· Possession of document-making implements with the intent to use such implements for the production of false documents; and

· Possession of five or more false identification documents, with the intent to use or transfer them unlawfully.

Wednesday, May 18, 2005

H.R. 98 - Social Security Card Requirement

Currently pending in Congress, H.R. 98, the "Illegal Immigration Enforcement and Social Security Protection Act of 2005," sponsored by Rep. David Dreier, Republican, would require all people seeking employment in the U.S. to obtain a Social Security Card.

The law would require Social Security Cards to have an encrypted, machine-readable strip that can be read by employers, and to have security features to prevent counterfeiting and tampering. All cards would also have a digitized photograph.

So individuals would have to carry around this card, plus their driver's license as mandated by the REAL ID act, if this law were enacted.

Employers would have to ask for the card and possess some kind of machine capable of reading the magnetic strip, or some other process to verify its validity.

The bill is currently before the House Judiciary Committee’s Subcommittee on Immigration.

Tuesday, May 17, 2005

Georgia Cell Phone Privacy Law Enacted

Georgia has enacted a law preventing cell phone numbers from being put in a directory without consent.

The Governor of Georgia, Sonny Perdue, signed Senate Bill 46, also called "The Wireless Privacy Act," on Tuesday.

The law requires wireless telephone service providers to obtain a customer's express consent before including his or her name and phone number in any wireless phone number directory or database.

"With the prevalence of mobile phones, there is a need to protect Georgians from unsolicited mobile calls by telemarketers and others. It only adds insult to injury when you have to pay to receive a junk phone call," the Governor said.

Consumers have a private right of civil legal action if their number is listed unlawfully.

The bill is effective immediately.

Monday, May 16, 2005

FTC Wants Comments on CAN-SPAM

The FTC has published a Notice of Proposed Rulemaking relating to the CAN-SPAM Act.

This is the federal law attempting to limit spam.

The FTC will address five topics:

(1) defining the term “person,” a term used repeatedly throughout the Act but not defined there.

(2) modifying the definition of “sender” to make it easier to determine which of multiple parties advertising in a single e-mail message will be responsible for complying with the Act’s “opt-out” requirements.

(3) clarifying that Post Office boxes and private mailboxes established pursuant to United States Postal Service regulations constitute "valid physical postal addresses" within the meaning of the Act.

(4) shortening from ten days to three the time a sender may take before honoring a recipient's opt-out request.

(5) clarifying that to submit a valid opt-out request, a recipient cannot be required to pay a fee, provide information other than his or her e-mail address and opt-out preferences, or take any steps other than sending a reply e-mail message or visiting a single Internet Web page.

Comments filed in electronic form can be submitted by going to: https://secure.commentworks.com/ftc-canspam/

Comments must be received by June 27, 2005.

Friday, May 13, 2005

Washington Enacts Security Freeze Law

The State of Washington has become the latest state to enact a "security freeze" law, a useful option for victims of identity theft.

A "security freeze" allows individuals to "freeze" their credit reports, that is, to prevent anyone from accessing the reports compiled on them by the big three credit reporting agencies.

California was the first state to enact a "security freeze" option.

By mid-2005, California, Texas, Louisiana and Vermont (and now Washington) will all have laws in force allowing consumers to restrict access to their credit reports.

Federal law provides for fraud alerts, but not a right to apply a “security freeze,” so state laws like Washington's, allowing for a security freeze, will not be preempted.

Governor Gregoire of Washington signed Senate Bill 5418 on May 9, 2005.

The bill allows victims of identity theft who have filed a police report, and made a request in writing to the credit reporting agency, to freeze access to their report.

Agencies must comply within three days.

The freeze must remain in place until the consumer requests that it be removed.

The law also provides that if a security freeze is in place, a consumer reporting agency may not change any of the following official information in a consumer credit report without sending a WRITTEN confirmation of the change to the consumer within thirty days of the change being posted to the consumer's file:

* Name
* Date of birth
* Social security number
* Address

* In the case of an address change, the written confirmation must be sent to BOTH the new address and to the former address.

* A consumer reporting agency is not required to place a security freeze in a consumer credit report if it acts only as a reseller of credit information by assembling and merging information contained in the data base of another consumer reporting agency and does not maintain a permanent data base of credit information.

* A consumer reporting agency MUST honor any security freeze placed on a consumer credit report by another consumer reporting agency.

The following entities are not required to place a security freeze in a credit report:

* Check services or fraud prevention services companies
* Deposit account information service companies

Thursday, May 12, 2005

Clinton and Gingrich Team Up on Electronic Health Records

New York Senator Hillary Clinton and former Speaker of the House Newt Gingrich held a joint press conference on Wednesday to call for more federal efforts to move toward the use of electronic health records.

The conference was held to support a bill sponsored by Rep. Patrick Kennedy, a Democrat, and Rep. Tim Murphy, a Republican.

The bill would fund regional planning for electronic record keeping and increase reimbursement rates paid to doctors who participate in the networks.

This issue has been talked about a great deal for the last several years, with both George Bush and Al Gore endorsing a move to electronic health records as a means of creating greater efficiency in the U.S. medical system. After all, this is, in large part, what HIPAA was and is all about.

Clinton said she is working on a bill to be introduced in the Senate, possibly with Bill Frist, the majority leader and a doctor.

Rumor has it that Clinton, Frist, and Gingrich are all thinking of running for President. Should they be getting along like this?

"He and I have a lot in common in the way we see these problems we have to deal with in order to have a 21st century health care system," Hillary said about Newt.

Newt Gingrich said 8,000 patients a year die as a result of taking the wrong medication, while another 44,000 die because of medical errors. He said: "The time is right this year to do something dramatic."

New Presidential Slogan: "Because HIPAA Just Wasn't Enough"


Wednesday, May 11, 2005

LexisNexis & ChoicePoint Support New Privacy Laws

After more hearings in Congress, executives from LexisNexis, owner of Seisint, and ChoicePoint advocated more federal privacy laws on May 10.

Both said they would support:

* A National Security Breach Law
* Consumer Access to their Information

Earlier this year ChoicePoint announced they had mishandled data on 145,000 people, while Lexis subsidiary Seisint gave information on 300,000 people to potential identity thieves.

ChoicePoint said on Tuesday that the number of consumers whose information was accessed by unauthorized people is likely to be higher than 145,000.

Florida Will Try Again With Seisint's Matrix

The Florida Department of Law Enforcement is going to give it another try with MATRIX, owned and run by Seisint.

MATRIX, the Multistate Anti-Terrorism Information Exchange, was promoted heavily after September 11. It is a system by which police can access many linked databases at once, including commercially held data. Normally police would need a subpoena for such information.

Federal funding for Matrix ran out in April. Most states have abandoned the Matrix experiment. But then again, Seisint is based in Florida.

Tuesday, May 10, 2005

Cisco Security Breach

Reports are developing that a security breach of Cisco passwords in 2004 was part of a large, organized, and apparently successful effort to break into thousands of allegedly secure systems.

The effort, probably based in Europe, is being investigated in the U.S. and Europe. Government and private computer systems were breached, and there is no clear information on how much private information and data may have been stolen.

Apparently the people involved exploited links between Internet-connected computers and conducted attacks using computers in seven different countries. The hackers apparently were able to install a Trojan horse program in place of existing programs, which gave them access to passwords for further systems, and their access grew as the Trojan horse spread. At some point, some of Cisco's own programming code was accessed.

States May Disobey Congress on REAL ID

According to the Associated Press, "States are threatening to challenge in court and even disobey new orders from Congress to start issuing more uniform driver's licenses and verify the citizenship or legal status of people getting them."

The story includes this quote:

"Governors are looking at all their options. If more than half of the governors agree we're not going down without a fight on this, Congress will have to consider changing this unfunded federal mandate,"
-- Arkansas Gov. Mike Huckabee, vice chairman of the National Governors Association.

"What passed is something that will be an enormous amount of work and it's questionable what it's going to yield. Is it going to yield national security or is it going to be hassle for people already complying with the law?"
-- Matt Dunlap, Maine's secretary of state (Democrat).

The AP writes:

"Another concern for states is preventing identity theft if licenses carry more information, said Michael Balboni, a Republican New York state senator. Balboni and Dunlap represented the National Conference of State Legislatures on a now defunct panel Congress created in December to design new driver's license rules. The conference opposes the new rules.

"What's so ironic about this bill is everybody agrees with the concept, one person, one driver's license," Balboni said. "How you get there is really the tough issue."

Monday, May 09, 2005

Georgia Security Breach Notification Law Enacted

Georgia has become the latest state, along with California, Arkansas, and Washington state, to enact a security breach notification law.

On Thursday, May 5, 2005, Governor Sonny Perdue signed Senate Bill 230 into law.

The law only applies to "information brokers," such as ChoicePoint, so it is not as comprehensive as other state bills.

According to the law, "'Information broker' means any person or entity who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing personal information to nonaffiliated third parties."

The law requires that "Any information broker that maintains computerized data that includes personal information of individuals shall give notice of any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."

"The notice shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement. . . . "

The law also applies to "any person or business that maintains computerized data on behalf of an information broker."

The law is effective immediately.

** New York's Security Breach notification bill, Assembly Bill 4254, passed the Assembly on May 4.**

REAL ID Act Passes House of Representatives

Last Thursday, May 5, as part of an $82 billion Emergency Supplemental Appropriations bill for Iraq and Afghanistan, the U.S. House approved the REAL ID Act as well.

The REAL ID Act (H.R. 418) was approved by the House in February of 2005, but as part of the funding bill it will most likely be easily approved by the Senate and signed by the President, so the REAL ID Act will almost certainly soon become the law of the land.

Is this the first step toward a National ID Card? It depends who you ask.

The law is described as an anti-terror bill:

“This sensible legislation is aimed at preventing another 9/11-type attack by disrupting terrorist travel and bolstering our border security."

Beginning 3 years after enactment, no federal agency may accept, for any official purpose, a driver's license or identification card issued by a State unless the State is meeting the requirements of the law.

* States will have to get proof of legal residency before issuing a driver's license.
* Before issuing a driver's license, states would have to get from applicants a photo ID, a birth certificate, proof of their Social Security number and a document showing their full name and address.

This information would be cross-referenced with federal databases.

The sponsor, Jim Sensenbrenner, states:

"Giving state drivers’ licenses to anyone, regardless of whether they are here legally or illegally, is an open invitation for terrorists and criminals to exploit." 

The federal government could no longer accept as proof of identification state driver's licenses or other ID cards that do not meet certain minimum requirements. This means people will need to carry around an ID Card with some very specific features to board a plane, open a bank account, enter secure buildings, interact with the government, collect Social Security, and prove they are in the country legally.

States will now have to require:

(A) A photo identity document, except that a non-photo identity document is acceptable if it includes both the person's full legal name and date of birth.

(B) Documentation showing the person's date of birth.

(C) Proof of the person's social security account number or verification that the person is not eligible for a social security account number.

(D) Documentation showing the person's name and address of principal residence.

States must retain paper copies of source documents for a minimum of 7 years, or images of source documents presented for a minimum of 10 years.

New ID features include:

* A digital photo of the individual
* Name, date of birth, sex, address, and signature
* Driver's license number or ID Number
* Machine-readable technology with certain minimum elements
* Physical security features designed to prevent tampering, counterfeiting, or duplication of the document for fraudulent

Section 203 of the bill, titled "LINKING OF DATABASES," will require states, if they get federal funding, to:

"Participate in the interstate compact regarding sharing of driver license data, known as the 'Driver License Agreement', in order to provide electronic access by a State to information contained in the motor vehicle databases of all other States."

The shared database would have to include:

(1) All data fields printed on drivers' licenses and identification cards issued by the State.
(2) Motor vehicle drivers' histories, including motor vehicle violations, suspensions, and points on licenses.

The ACLU objects to the bill, saying it will reduce Americans' freedom.

They also object that the new databases could lead to identity theft, and that the law would harm immigrants and asylum seekers.

For a non-PDF version of the bill, go to:


Friday, May 06, 2005

The Safe ID Act

A brief summary of both privacy anti-offshoring bills pending on Capitol Hill, one sponsored by Hillary Clinton, the other by Congressman Edward Markey:

Senate Bill 810

• Businesses cannot transfer personal information to a foreign country without offering consumers notice and an opt-out choice.

• Businesses cannot discriminate if a consumer opts out.

• Health care businesses must not terminate a relationship if a consumer opts out.

• Businesses are liable for any improper storage or misuse of information.

Additional measures for health and financial information (adds HIPAA and GLB requirements).

House Resolution 1653

• If a country has "adequate privacy protection," consumers must be offered an "opt-out."

• If it is a country “without adequate privacy protection,” consumers must affirmatively “opt-in.”

• The Federal Trade Commission must certify those countries which have adequate privacy protection.

• The FTC should consider the adequacy of the country's infrastructure for detecting, evaluating, and responding to privacy

• The FTC MUST assume a country is inadequate if its laws are less protective than federal law or that of ANY STATE.

Secure Flight to take Wing

The Transportation Security Administration plans to require airlines to ask passengers for their names and birthdates, to avoid confusion with people who have similar names and are on the terror watch list.

This is part of TSA's new computerized passenger screening program, Secure Flight.

Wednesday, May 04, 2005

Washington Enacts Security Breach Notification Law

Governor Christine Gregoire has signed Senate Bill 6043, making Washington yet another state since California to enact a security breach notification law.

At this site we stated that this trend would be very difficult to resist in the wake of numerous breaches involving consumers' personal information, particularly ChoicePoint, which informed California residents of the breach first.

Washington's new law is based on California's law.

The new law requires that:

"Any person or business that conducts business in this state and that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (3) of this section, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system."

The law states that "'breach of the security of the system' means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system when the personal information is not used or subject to further unauthorized disclosure."

"Personal information" refers to:

An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

-- Social security number
-- Driver's license number
-- Washington state identification card number
-- Account number or credit or debit card number, when in combination with a security code, access code or password that would permit access to an individual's financial account.

The law also states that:

"A person or business under this section shall not be required to disclose a technical breach of the security system that does not seem reasonably likely to subject customers to a risk of criminal activity."

The consumer group the Washington Public Interest Research Group decided not to support the bill because technical breaches are not covered.

The Washington Bankers Association said the provision was necessary to keep consumers from being inundated with notices every time a hacker makes it through a single security layer before being stopped by additional security measures.

** Other States **

On March 31, the Arkansas Governor signed Arkansas Senate Bill 1167, which will require, like California's law, that consumers be notified of unauthorized disclosures of their personal information. The new law will also require regular, reasonable information security measures.

** Update **

Georgia has become the latest state, along with California, Arkansas, and Washington state, to enact a security breach notification law. On Thursday, May 5, 2005, Governor Sonny Perdue signed Senate Bill 230 into law. The law only applies to information brokers, like ChoicePoint.

New York's Security Breach notification bill, Assembly Bill 4254, passed the Assembly on May 4.

Tuesday, May 03, 2005

Time Warner Loses Information on 600,000 employees

Time Warner reported on Monday, May 2, that they are missing computer tapes containing Social Security Numbers and other personal information on 600,000 current and former employees.

Apparently the tapes were lost while being transported by the data-storage company Iron Mountain.

The tapes include personal information on employees, and their dependents and relatives, dating back to 1986.

Time Warner is investigating, and apparently so is the Secret Service, although the tapes could, of course, simply be lost.

This incident reveals yet again the need for security when handling and transporting backup tapes, and possibly the need for higher standards in this area.

Federal laws or rules regarding information security could cost businesses much more than simple information privacy laws, making it all the more important that businesses get a handle on this problem themselves, now, before the government steps in.