Thursday, June 29, 2006

Veteran's Affairs Recovers Stolen Laptop

Looks like the VA has recovered the most famous stolen laptop in America.

No doubt there are huge sighs of relief down at Veteran's Affairs, given the scrutiny this incident has created. The VA is more fortunate than most private businesses in that they had marshalled all the resources of the federal government, including the FBI.

Secretary Jim Nicholson made the announcement on Thursday on Capitol Hill, where he is going to testify again on the security breach.

He didn't say how the computer or disks were recovered.

"There is reason to be optimistic. It's a very positive note in this very tragic incident," he said.

Wednesday, June 28, 2006

Privacy International Challenges Swift Data Transfers

Privacy International has announced that it has filed complaints in 32 countries against the Society for Worldwide Interbank Financial Telecommunications (Swift), claiming that when it shared financial information with the United States it violated European and Asian data protection laws.

Complaints were also filed in Australia, New Zealand, Canada, Switzerland, and Hong Kong.

"Swift appears to have violated data protection rules in Europe by making these transfers without the consent of the individuals involved, and without the approval of European judicial or administrative authorities. The scale of the operation, involving millions of records, places this disclosure in the realm of a fishing exercise rather than a legally authorized investigation," said Simon Davies.
the largest and most influential bloc in the European Parliament,

A transfer of personal information from Europe to the U.S., which does not have a comprehensive data protection law, generally requires consent.

Thursday, June 22, 2006

VA to Offer Veterans Free Credit Monitoring

As has been noted here before, the standard response to a large data breach is to offer the victims a year of free credit monitoring.

However, with 26 million people, that could be quite expensive. On the other hand, the federal government can probably afford it.

The Department of Veteran Affairs has announced it will offer free credit monitoring for veterans affected by the recent security breach.

So at least the credit agencies will make some money.

Unsurprisingly, there are not actually 26.5 million individuals affected, but even a fraction of that will require some financial scrambling.

The VA has already spent $25 million on an initial mailing and $200,000 per day on call centers.

The VA is also hiring a special adviser on information security, accelerating security and privacy training, and reviewing procedures for accessing and storing sensitive data. All this plus the credit monitoring shows the true costs of poor data security.

Wednesday, June 21, 2006

Equifax Laptop Stolen

Equifax is reporting one of their laptop computers has been stolen -- fortunately, though, it appears that it does not contain any actual credit report information.

Apparently a laptop containing Equifax employee names and Social Security numbers was stolen from a worker traveling on a train in Europe. The theft, which took place on May 29, may affect nearly all of Equifax's 2,500 U.S.-based employees.

Given that they are a credit reporting agency, and these are their employees, one suspects that at the very least they can offer them a year or two of their credit monitoring service, if they don't already.

Friday, June 16, 2006

Hillary Clinton Proposes "Privacy Bill of Rights" Includes "Opt In" for Financial Information

This morning Senator Hillary Clinton proposed a "Privacy Bill of Rights" -- in other words, federal legislation addressing a number of privacy issues.

The proposal will be called the Privacy Rights and Oversight for Electronic and Commercial Transactions Act of 2006, or "PROTECT Act."

The bill would:

* Require that consumers affirmatively "opt in" before their information could be shared by credit card companies, banks and other financial institutions.

* Require notification when a consumer's information is sent to another country.

* Create a national requirement for immediate security breach notification.

* Provide for a national credit freeze standard, and allow consumers to sue in federal court for privacy violations.

* Create a right for a free annual credit report.

* Limit cell phone numbers and call records disclosure.

* Create a "privacy czar" within the Office of Management and Budget.

* Create more penalties for HIPAA violations.

New Jersey Subpoenas Phone Companies. Federal Government Sues to Block the State

The New Jersey Attorney General, Zulima V. Farber, has issued subpoenas to AT&T, Verizon, Qwest, Sprint, Nextel, and Cingular Wireless, demanding to know if they have turned over customer phone records to the NSA.

The United States federal government filed a lawsuit yesterday in federal court to block New Jersey's subpoenas, saying that forcing the companies to reveal the information would endanger national security.

"People in New Jersey and people everywhere have privacy rights. What we were trying to determine was whether the phone companies in New Jersey had violated any law or any contractual obligations with their consumers by supplying information to some government entity, simply by request, and not by any court order or search warrant," said Farber.

Thursday, June 15, 2006

Stolen Server May Result in Security Breach at AIG

NBC news is reporting that sources tell them that recently a thief broke into an office and stole a computer server belonging to the insurer AIG. They report that names, Social Security Numbers, and medical records on 930,000 Americans may have been lost.

The 930,000 people were potential customers.

They will probably be less inclined to do business with AIG after they receive their security breach notices.

Tuesday, June 13, 2006

Vermont Enacts Security Breach Notification Law

Vermont has enacted a Security Breach Notification law (Senate Bill 284).

There are now 34 states with such laws.

The law provides that notification does not have to be made if misuse of the exposed personal information is not reasonably possible. The following is from the text of the bill as enacted.

"Notice of a security breach pursuant to subsection (b) of this section is not required if the data collector establishes that misuse of personal information is not reasonably possible and the data collector provides notice of the determination that the misuse of the personal information is not reasonably possible pursuant to the requirements of this subsection. If the data collector establishes that misuse of the personal information is not reasonably possible, the data collector shall provide notice of its determination that misuse of the personal information is not reasonably possible and a detailed explanation for said determination to the Vermont attorney general or to the department of banking, insurance, securities, and health care administration in the event that the data collector is a person or entity licensed or registered with the department under Title 8 or this title."

Thursday, June 08, 2006

Lost VA Laptop Possibly Linked to Case of Identity Theft

Channel 4 News in Pittsburgh has reported that a local veteran is a victim of identity theft. That was to be predicted, of course, but the identity thief tried to get access to his VA funds.

He had reported a case of identity theft to the FTC. He then received a call from the FTC asking him for more information.

But the call was not real -- the FTC does not call victims.

This incident is probably not related to the lost laptop. Still, it could be, and demonstrates the concern people have, and likely reactions in the media.

All veterans and active service members should be vigilant to signs of ID theft and requests for information, a good practice in any case.

Wednesday, June 07, 2006

Veterans Theft Affects 2 million Active-Duty Soldiers

The government now admits that the stolen laptop contained information on 2.2 million active-duty members of the military.

At first, they said that only 50,000 active-duty soldiers were affected.

They have revised that estimate to 1.1 million active-duty service members, 430,000 National Guardsmen and 645,000 members of the Reserves.

Tuesday, June 06, 2006

Veterans Sue Over Loss Of Data

A group of veterans has filed a suit against the VA in U.S. District Court in Washington. They are seeking $1,000 in damages per person ($26.5 billion). They also are asking for more stringent security procedures at the VA.

The suit cites the 1974 Privacy Act, which applies to the federal government.

"The VA arrogantly compounded its disregard for veterans' privacy rights by recklessly failing to make even the most rudimentary effort to safeguard this trove of the personally identifiable information from unauthorized disclosure," the complaint claims.

"Laptop Stolen, Information Lost" - Could You Be More Specific?

* Department of Veteran's Affairs computer stolen, information lost on 26.5 million U.S. veterans.

* Ohio Medicaid laptop stolen, personal information on 72,000 recipients lost.

* Hotels.com laptop stolen, credit card data of 243,000 customers lost.

* YMCA laptop stolen, bank account numbers, credit card information and names, addresses and personal family and medical details, on 65,000 members lost.

* Supermarket chain's laptop computer stolen, pension data of former employees lost.


This is just the past week. Sensing a pattern?

Thursday, June 01, 2006

Government Wants ISPs to Track Users

The Justice Department has confirmed that Attorney General Gonzales and the FBI asked the country's largest ISPs to keep certain customer information for two years. This includes the user's IP address and usage history.