The Privacy Law Site

Supreme Court Rules for Federal Question Jurisdiction Under TCPA

2012-01-22T15:34:00.000-08:00

The U.S. Supreme Court has found the TCPA allows for federal question jurisdiction. The case is Mims v. Arrow Financial Services (Jan. 18, 2012)

The court held that "the District Court retains § 1331 jurisdiction over Mims's complaint unless the TCPA, expressly or by fair implication, excludes federal-court adjudication."

The court found that just because the TCPA grant jurisdiction to state courts, the removed federal jurisdiction. The TCPA's "language may be state-court oriented, but 'the grant of jurisdiction to one court does not, of itself, imply that the jurisdiction is to be exclusive'"

"Congress arguably gave States leeway they would otherwise lack to decide whether to entertain TCPA claims," the court wrote.

The court found Arrow's reliance on statements by Senator Ernest Hollings, the TCPA's sponsor, "is misplaced. The remarks nowhere mention federal-court jurisdiction or otherwise suggest that" the TCPA "is intended to divest federal courts of authority over TCPA claims."

"Even if Hollings and other TCPA supporters expected private actions to proceed solely in state courts, their expectation would not control this Court's judgment on § 1331's compass."

Subcommittee Approves H.R. 2577

2011-07-20T20:05:00.000-07:00

The House subcommittee on Commerce, Manufacturing and Trade voted out H.R. 2577. The bill, sponsored by Rep. Mary Bono, would require organizations to notify customers if there was a “reasonable risk” their personal data may have been breached. It would preempt state laws as well.

Third Circuit Finds Federal Diversity Jurisdiction Under TCPA

2011-04-05T19:47:00.000-07:00

Landsman & Funk v. Skinder-Strauss Associates (3rd Cir. April 4, 2011)

The Third Circuit has addressed the often confusing issue of whether federal courts have diversity jurisdiction over lawsuits filed by individuals for TCPA violations - In this case, as in so many others, for receiving junk faxes. The law specifically permits claims under the federal law to be heard in state courts - but does that mean that federal courts can't hear TCPA claims, or that both state and federal courts can? In other words, is state jurisdiction exclusive?

The Third Circuit held it was not:

"We hold here that Congress did not intend for exclusive state court jurisdiction. The TCPA does not strip federal courts of diversity jurisdiction over actions brought under § 227(b)(3)."

The statute reads:

A person or entity may, if otherwise permitted by the laws or rules of court of a State, bring in an appropriate court of that State —

47 U.S.C. Section 227(b)(3)

Most, but not all, federal appellate courts have found that federal courts do not have federal question jurisdiction over TCPA claims. (Including the 3^rd). The ^rd circuit in this case found that while Congress did not specifically grant federal question jurisdiction over such cases, it did not specifically strip away diversity jurisdiction either.

Since 28 U.S.C. 1332 permits class action suits in federal courts with minimal diversity and $5 million in controversy, diversity jurisdiction prevails unless the law (in this case, the TCPA) takes it away.

There was no such clear directive from Congress. Congress did give state courts jurisdiction, but that does mean such suits can only be heard in a state court. In fact, the court noted, Congress seems to have allowed claims to be filed in state court in an effort to help plaintiffs with small claims representing themselves. The 3^rd Cir. joined the majority of courts and upheld diversity jurisdiction for TCPA claims.

Second Circuit Grants Standing to Challenge to FISA

2011-03-21T19:00:00.000-07:00

New York (AP) -- A lawsuit challenging a law that lets the United States eavesdrop on overseas communications more widely and with less judicial oversight than in the past was reinstated Monday by a federal appeals court that said new rules regarding surveillance had put lawyers, journalists and human rights groups in a "lose-lose situation."

The 2nd U.S. Circuit Court of Appeals said it took no position on the merits of the lawsuit brought by those in jobs that require them to speak with people overseas, saying only that the plaintiffs had legal standing to bring it against the latest version of the Foreign Intelligence Surveillance Act.

Google Fined by CNIL Over Street View

2011-03-21T18:56:00.000-07:00

CNIL, the French data privacy agency, fined Google 100,000 for collecting personal information such as passwords and e-mails when taking images for its Street View project.

Supreme Court Rules Corporations Don't Have Personal Privacy Rights Under FOIA

2011-03-01T17:40:00.000-08:00

The U.S. Supreme Court today held, 8-0, that corporations do not have "personal privacy" for the purposes of the exemption from disclosure of records under FOIA. Justice Roberts totally rejected the idea that because a corporation can be considered a "person" under the law, a federal agency can and should withhold records that might be an unwarranted invasion of the corporation's personal privacy. Citing the context of the FOIA exemption, Congress' intent, longstanding interpretation of the law, the dictionary, and general understanding of the term "personal" when used with the word "privacy," Roberts ruled that the exemption was meant to protect people, not entities. The case is FCC v. AT&T.

Companies can still protect their trade secrets and other confidential information, so what does this mean? This does not change existing law, but business may want to consider that what is disclosed to an agency (in this case, in the course of contractual dispute with the FCC) can be disclosed to a business' competitors (as in this case).

Computerworld Names Top Privacy Advisors

2011-02-08T03:20:00.000-08:00

It's a survey of 146 privacy professionals.

Hunton & Williams apparently got the most votes by far. I was not asked, but probably would have gone with H&W also.

FCRA Jurisdiction Under 29 USC 1346(a)(2)

2010-11-16T18:41:00.000-08:00

In Bormes v. United States the Court of Appeals for the Federal Circuit held that FCRA is a money-mandating statute that supports jurisdiction under 28 U.S.C. § 1346(a)(2).

See also Bormes v. United States, 638 F. Supp. 2d 958 (N.D. Ill. 2009).

NY Daily News Calls Online Privacy Rules

2010-11-15T19:44:00.000-08:00

The NY Daily News has published an editorial titled:
"The time has come to set some strict rules governing personal privacy on the Internet"

"The Obama administration has ordered the Commerce Department to find strategies for protecting Americans' information, and is creating a task force to develop concrete policies.

It is an important mission and must be executed to enhance privacy without crimping valuable innovation. Because living in the modern world should not feel like falling down a rabbit hole."

FCC Look at Google WiFi Collection

2010-11-11T19:37:00.000-08:00

According to the Wall Street Journal, the Federal Communications Commission is investigating whether Google Inc. broke federal laws when its street-mapping service collected consumers' personal information, joining a lengthy list of regulators and lawmakers probing what Google says was the inadvertent harvesting of private data sent over wireless networks.

U. of Hawaii Posted Student Info or a Year

2010-10-31T12:10:00.000-07:00

HONOLULU – The Social Security numbers, grades and other personal information of more than 40,000 former University of Hawaii students were posted online for nearly a year before being removed this week, The Associated Press has learned.

University officials told the AP that a faculty member inadvertently uploaded files containing the information to an unprotected server on Nov. 30, 2009, exposing the names, academic performance, disabilities and other sensitive information of 40,101 students who attended the flagship Manoa campus from 1990 to 1998 and in 2001. A handful of students from the West Oahu campus were included in the security breach.

FTC Ends Google Street View Inquiry

2010-10-27T20:43:00.000-07:00

FEDERAL TRADE COMMISSION

WASH[NGTON. D.C. 20580

October 27, 2010

1201 Third Avenue, Suite 4800

Seattle, WA 98101-3099

Dear Mr. Gidari:
I am writing regarding your client Google's announcement about its collection of consumer data transmitted over unsecured wireless networks. According to Google's announcement, in 2007, the company installed software on its "Street View" cars1 to collect data about consumers' wireless network access points for the purpose of improving its location-based services. Earlier this year, in response to a request from the data protection authority in Hamburg, Germany, Google discovered that the software on the Street View cars had also been collecting some "payload" data contents of communications sent over unsecured wireless networks. The company stated that the collection of payload data was inadvertent and that the company did not use the payload data in any Google product or service.2
FTC staff has concerns about the internal policies and procedures that gave rise to this data collection. As noted above, the company did not discover that it had been collecting payload data until it responded to a request for information from a data protection authority.
This indicates that Google's internal review processes - both prior to the initiation of the project to collect data about wireless access points and after its launch - were not adequate to discover that the software would be collecting payload data, which was not necessary to fulfill the project's business purpose. These review processes are necessary to identify risks to consumer privacy posed by the collection and use of information that is personally identifiable or reasonably linkable to a specific consumer. For any such information, Google should develop and implement reasonable procedures, including collecting information only to the extent necessary to fulfill a business purpose, disposing of the information no longer necessary to accomplish that purpose, and maintaining the privacy and security of information collected and
stored.
Chairman Leibowitz highlighted some of these issues in his testimony before the Senate Commerce Committee on July 27,2010.3 As you know, the FTC has undertaken a project to reexamine its approach to consumer privacy in light of changing technologies and business practices.4 During a series of public roundtables, panelists raised concerns about companies' collecting more consumer information than necessary to fulfill a legitimate business need.

A related concern was that companies are storing consumer data for longer periods (at lower cost) and will find new uses for it that consumers may not have contemplated at the time of collection.
Accordingly, panelists and commenters discussed the need for companies to build strong privacy protections into their products and business operations at the outset.
To this end, we note that Google has recently announced improvements to its internal processes to address some of the concerns raised above, including appointing a director of privacy for engineering and product management; adding core privacy training for key employees; and incorporating a formal privacy review process into the design phases of new initiatives. The company also publicly stated its intention to delete the inadvertently collected payload data as soon as possible.5 Further, Google has made assurances to the FTC that the company has not used and will not use any of the payload data collected in any Google product or service, now or in the future. This assurance is critical to mitigate the potential harm to consumers from the collection of payload data.6 Because of these commitments, we are ending our inquiry into this matter at this time.
We ask that the company continue its dialogue with the FTC about how best to protect consumer privacy as it develops its products and services.
Sincerely,
David C. Vladeck

1 Google's Street View program provide street-level imagery of locations through the company's Google Maps product. The images are collected primarily by Street View cars, which include directional cameras to capture 3600 views, a GPS unit for positioning and laser range scanners. See Google Maps with Street View, Behind the Scenes, available at http://maps.google.comlhelp/maps/streetviewlbehind-the-scenes.htmI#vehicles.

2 See Official Google Blog, WiFi Data Collection: An Update (May 14, 2010), available at http://googleblog.blogspot.com/20 1 0105/wifi-data-colIection-update.html.

Google, Inc.

3 See Prepared Statement of the Federal Trade Commission on Consumer Privacy before the Committee on Commerce, Science, and Transportation, United States Senate, at 22 (July 27, 2010), available at http://www.ftc.gov/os/testimony/100727consumerprivacy.pdf.

4 See http://www.ftc.gov/bcp/workshops/privacyroundtables/index.shtml.

5 See Official Google Blog, Creating Stronger Privacy Controls Inside Google (Oct. 22, 2010), available at http://googleblog.blogspot.comI20 1 0/101 creating -stronger-privacy-controls.html.

6 See id

Rockefeller Pressures Facebook and MySpace

2010-10-26T18:26:00.000-07:00

WASHINGTON, D.C.—Senator John D. (Jay) Rockefeller IV, Chairman of the U.S. Senate Committee on Commerce, Science, and Transportation, today sent letters to Facebook CEO Mark Zuckerberg and MySpace President Michael Jones requesting more information about privacy breaches reported in the Wall Street Journal.

Dear Mr. Zuckerberg:

Last week, an article in the Wall Street Journal revealed the apparent widespread practice of Facebook applications (or “apps”) transferring users’ personal information to marketing firms and tracking companies. I found the details of the Journal’s article troubling and write this letter to request further information on Facebook’s enforcement efforts with regard to the company’s Privacy Policy.

Facebook’s Privacy Policy makes clear that apps must not share personal information with outside parties. Section 4 states that when users connect to a Facebook app or website, “it will have access to General Information” about users, which includes “names, profile pictures, gender, user IDs, [and] connections.” The policy also declares: “Prior to allowing [applications and websites] to access any information about you, we require them to agree to terms that limit their use of your information (which you can read about in Section 9 of our Statement of Rights and Responsibilities)”. Next, Section 9 of the referenced Statement of Rights and Responsibilities states the requirements and obligations by which “Developers/Operators of Applications and Websites” must abide.

Congressmen Send Questions on Privacy to Zuckerberg

2010-10-20T19:10:00.000-07:00

Via CNET:
Facebook CEO Mark Zuckerberg is, once again, being forced to fend off pointed privacy questions from Washington politicians. In a letter sent this week to the 26-year old executive, two prominent members of the U.S. House of Representatives demanded answers about the company's latest privacy breach, which allowed third party applications to gather personally identifiable information. It's not clear, as CNET noted, that Facebook knew that some of these third-party companies, including extremely popular ones like FarmVille manufacturer Zynga, were allegedly selling data to advertisers and tracking companies in violation of Facebook's terms of use. That was reported by the Wall Street Journal on Monday.

Reps. Ed Markey, a Massachusetts Democrat, and Joe Barton, a Texas Republican, directed their questions at Zuckerberg. They posed 18 questions, including: What guidelines does Facebook have in place for third party applications to protect its users from advertent or inadvertent privacy breaches? And: Please identify the officials within Facebook who are responsible or ensuring that third party applications satisfy Facebook's terms and conditions.

Facebook Breaches Privacy, Wall Street Journal Reports

2010-10-18T20:14:00.000-07:00

Facebook Apps Send User Data to Advertisers, WSJ Says

Oct. 18 (Bloomberg) -- Facebook Inc.’s top 10 applications have been transmitting data that can be utilized to identify users to advertising and Internet-tracking firms, the Wall Street Journal reported, citing its own investigation. The applications, known as apps, have been providing users’ “Facebook ID” numbers, which can be used to obtain such information as people’s names, to the third-party companies, the newspaper said today. The apps include Zynga Game Network Inc.’s FarmVille, Texas HoldEm Poker and FrontierVille, it said. Passing on the information, which affects tens of millions of app users, including people who set their profiles to the site’s strictest privacy settings, breaks Facebook’s rules and renews questions about its ability to keep personal information secure, the Journal said.

Supreme Court Punts in Quon v. City of Ontario

2010-06-18T18:15:00.000-07:00

The Supreme Court unanimously punted in Quon, making you wonder why they bothered to take it up. (Although Scalia strongly suggested he would have be willing to issue a definitive ruling on the privacy of pager messages).

The court frankly announced they were unwilling to rule on Quon's expectation of privacy because they felt such a ruling, even from the Supreme Court, would be both unlikely to get it exactly right and would be outpaced by future changes in attitudes towards technology and its use, by employees, employers, and the legal community.

"Rapid changes in the dynamics of communication and information transmission are evident not just in the technology itself but in what society accepts as proper behavior. At present, it is uncertain how workplace norms,and the law’s treatment of them, will evolve."

As to the actual ruling, the court found it was reasonable to review the text messages because all the city was tying to do was find out why they guy kept going over the character limit, they only read a few texts sent during work hours, and the pager was owned by the city and he was a police officer.

The court also ruled the Ninth Circuit was wrong to require the city to use the least intrusive means to inquire about the character limit, which may be the most important thing to come out of the Quon ruling.

Petitioners’ warrantless review of Quon’s pager transcript was reasonable under the O’Connor plurality’s approach because it was motivated by a legitimate work-related purpose, and because it was not excessive in scope. See 480 U. S., at 726.

Reviewing the transcripts was an efficient and expedient way to determine whether either of these factors caused [ Quon to go over the character limit ]

Supreme Court Overturns 2nd Circuit in TCPA Case

2010-04-21T18:36:00.001-07:00

In Holster v. Gatco, Inc. (U.S. Apr. 19, 2010) the Supreme Court vacated dismissal of of Telephone Consumer Protection Act Suit for further consideration in light of a 2010 Supreme Court ruling.

The plaintiff filed a class action suit in federal court over unsolicited faxes. The TCPA does not allow for suits in federal court, but permits suits in state court.

The district court, hearing the case in diversity, applied the Erie doctrine and found that New York law CPLR 901(b) does not permit such suits. The court dismissed the case for lack of subject-matter jurisdiction. The Court of Appeals for the Second Circuit affirmed.

After Bonime was decided the U.S. Supreme Court decided Shady Grove Orthopedic Associates, in which the court found that 901(b) does not apply to state law claims in federal court.

HSBC Admits Large Swiss Data Theft

2010-03-14T11:32:00.000-07:00

BBC News

About 24,000 clients of HSBC's private banking operation in Switzerland had personal details stolen by a former employee, the company has admitted.

In December, HSBC said that just 10 account holders were affected by the theft, which happened three years ago.

The information stolen concerns 15,000 accounts that are still active. Another 9,000 accounts have been closed since the theft.

HSBC says that it does not think the data can be used to access accounts.

"We deeply regret this situation and unreservedly apologise to our clients for this threat to their privacy," said Alexandre Zeller, chief executive of HSBC Private Bank (Suisse).

"We are determined to protect our clients' interests and are taking every necessary measure to do so, actively contacting all our clients with Swiss-based accounts," he said.

"The Hurt Locker" - Invasion of Privacy?

2010-03-05T07:04:00.000-08:00

A soldier specializing in bomb disposal has sued the makers of "The Hurt Locker" for a number of torts, including invasion of privacy, misappropriation, defamation and false light. Apparently the screenwriter, who was embedded in his unit, wrote a non-fiction piece about the soldier for Playboy. Although the main character in the movie has a different name, there are substantial similarities between the real soldier, the soldier as depicted in Playboy, and the fictional movie version.

A quote from the complaint:

For the reasons more fully explained below, the production, release, distribution, and publication of the motion picture film “The Hurt Locker”, and the motion picture DVD “The Hurt Locker”, are hardly the “literary” or “artistic” works of Defendants as the Defendants themselves have proclaimed. Instead, “The Hurt Locker” motion picture film and DVD are nothing more than the exploitation of a real life honorable, courageous, and long serving member of our country’s armed forces, by greedy multi-billion dollar “entertainment” corporations, which engaged in the very simple - though unconscionable and unlawful – act of plagiarizing the name, likeness, mannerisms, habits, and intimate and personal life story of Plaintiff Staff Sgt. Jeffrey S. Sarver, for the sole commercial purpose of unjustly enriching the Defendants in the amount of multiple millions of dollars.

After unlawfully using Plaintiff’s name and likeness – without his consent – to make, produce, and distribute a movie about the Plaintiff personally, Defendants further violated the law by unlawfully invading Plaintiff’s privacy and defaming the Plaintiff in several scenes of the movie.

Google Exectives Convicted in Italy YouTube Case

2010-02-24T05:34:00.001-08:00

David Drummond, Google’s chief legal officer, Peter Fleischer, Google's global privacy counsel, and George Reyes, a former chief financial officer, were given six-month suspended prison sentences after being found guilty of violating the Italian privacy code in the case involving a video on YouTube of a child being bullied.

Judge Excludes Tannin E-Mail

2009-10-28T15:08:00.001-07:00

The U.S. District Court Judge presiding over the Bear Stearns Asset Management fraud case (U.S. v. Cioffi) has excluded from evidence an e-mail written by Matthew Tannin using his personal account because "the warrant did not, on its face, limit the items to be seized from Tannin’s personal email account to emails containing evidence of the crimes charged in the indictment, or, indeed, any crime at all. It was, therefore, unconstitutionally broad under George." (United States v. George, 975 F.2d 72, 75 (2d Cir. 1992).

$37,500 for Cell Phone Calls

2009-10-27T20:10:00.000-07:00

Magistrate judge orders judgment of $37,500 for 75 unsolicited marketing calls made to plaintiff's cell phone.

LAWRENCE M. SCLAFANI v. I.C. System

Court rejects TD Ameritrade class-action settlement

2009-10-26T19:04:00.000-07:00

Omaha, Neb. (AP) -- A federal judge has refused to approve a class-action settlement over contact information stolen from
online brokerage TD Ameritrade Holding Corp.

U.S. District Judge Vaughn Walker in San Francisco says the
deal offers little significant benefit to the more than 6 million
current and former customers affected.

Supreme Court Rules on School Strip Search Case

2009-07-18T11:55:00.000-07:00

U.S. Supreme Court Holds Strip Search of Student Suspected of Carrying Prescription Drugs Violates Fourth Amendment Safford Unified School

See: District #1 v. Redding U.S. June 25, 2009)

Click on "Privacy & Information"

Supreme Court Limits Search Incident to Arrest to Area Within Reaching Distance

2009-05-23T13:44:00.000-07:00

The U.S. Supreme Court has clarified Belton, holding that police may condict a search incident to arrest only the area within reaching distance. The court rejected a bright-line rule permitting searches of a vehicle when arresting a driver or passenger. To read more, go to Privacy & Information May 2009.

****************************************

Bounty Hunters and the Fourth Amendment

2009-04-25T12:57:00.000-07:00

Are bounty hunters covered by the Fourth Amendment?

See Privacy & Information - April 2009

Employee Bonus Information Not Private

2009-04-14T20:32:00.000-07:00

A New York State trial court has rejected claims by Bank of America
and Merrill Lynch to keep employee bonus information confidential, related to an investigation by Attorney General Andrew Cuomo.

For a detailed discussion of the case, see Privacy and Information.

FISA Court of Review Approves Warrantless Wiretapping

2009-02-09T02:44:00.000-08:00

The Foreign Intelligence Surveillance Court of Review, in one
of its rarely published but still redacted decisions, declined to find wiretapping on foreign intelligence targets conducted without a warrant, purusant to the Protect America Act. The court found the
searches fell under the special needs exception to the need obtain a warrant under the Fourth Amendment.

For a full discussion of the decision, go here, and choose Privacy
and Information - February

District Court Issues Protective Order Preventing Disclosure of Satellite Company’s Customer List

2008-11-23T16:54:00.000-08:00

In a suit brought by Echostar Satellite LLC against satellite receiver manufacturer Freetech Inc. under the Digital Millennium Copyright Act the U.S. District Court for the Northern District of California granted Freetech’s motion for an order protecting the identities of its customers from discovery by Echostar.

District Court Refuses to Grant Summary Judgment on FCRA
and State Law Claims Brought against Credit Reporting Agencies,
Dismisses Claims against Furnishers of Allegedly Incorrect
Credit Information

The District Court for the Eastern District of California declined to dismiss claims against Equifax and Trans Union under FCRA, as well as claims for negligent misrepresentation, negligence, tortious interference with prospective economic advantage, defamation, and false light invasion of privacy related to an alleged failure to correct errors in a credit report.

For more information, click here for the Bloomberg Privacy and Information Law Report

Do Federal Courts have Jurisdiction in Suits involving the Telephone Consumer Protection Act?

2008-11-12T07:26:00.001-08:00

It's an interesting question. One District Court in Ohio says yes, another says no. The TCPA permits suits to be brought in state court, but does not prohibit cases to be heard in federal court.

To read more about the two recent decisions, click on Bloomberg Privacy and Information Law Report, and choose Privacy and Information Law "November 2008."

Will Obama Administration Reveal Extent of Wiretapping?

2008-11-11T06:10:00.000-08:00

Bush Spy Revelations Anticipated When Obama Is Sworn In

Privacy Advocates Expect Whistleblowers to Share Warrantless Wiretap Info After Inauguration Day
By RYAN SINGEL
ABC News
Nov. 11, 2008

When Barack Obama takes the oath of office on January 20, Americans won't just get a new president; they might finally learn the full extent of George W. Bush's warrantless domestic wiretapping. Since The New York Times first revealed in 2005 that the NSA was eavesdropping on citizens' overseas phone calls and e-mail, few additional details about the massive "Terrorist Surveillance Program" have emerged. That's because the Bush administration has stonewalled, misled and denied documents to Congress, and subpoenaed the phone records of the investigative reporters.

Now privacy advocates are hopeful that President Obama will be more forthcoming with information. But for the quickest and most honest account of Bush's illegal policies, they say don't look to the incoming president. Watch instead for the hidden army of would-be whistle-blowers who've been waiting for Inauguration Day to open the spigot on the truth.

"I'd bet there are a lot of career employees in the intelligence agencies who'll be glad to see Obama take the oath so they can finally speak out against all this illegal spying and get back to their real mission," says Caroline Fredrickson, the ACLU's Washington D.C. legislative director.

New Yorker investigative reporter Seymour Hersh already has a slew of sources waiting to spill the Bush administration's administration's darkest secrets, he said in an interview last month. "You cannot believe how many people have told me to call them on January 20. [They say,] 'You wanna know about abuses and violations? Call me then.'"

Virginia Strikes Down Anti-Spam Law

2008-10-23T15:14:00.000-07:00

Virginia Supreme Court Finds State Anti-Spam Law Unconstitutionally Overbroad in Violation of First Amendment (Back to Top)

In a rehearing of an earlier decision, the Virginia Supreme Court struck down as unconstitutional the anti-spam e-mail provisions of the Virginia Computer Crimes Act. The court held that the law was unconstitutionally overbroad on its face because it prohibited the anonymous transmission of all unsolicited bulk e-mails, including those that contained anonymous political, religious, or other expressive speech.

A North Carolina resident who was convicted under Virginia’s anti-spam law after sending batches consisting of more than 10,000 unsolicited commercial e-mails on multiple occasions to customers of America Online, Inc....

To read more, click HERE, and select Privacy & Information, October 2008.

Privacy News - October 2008

2008-10-14T06:22:00.000-07:00

TELECOM IMMUNITY BILL PASSES SENATE

2008-02-12T11:46:00.000-08:00

New York Times:

The Senate rejected a series of amendments that would have restricted the government’s surveillance powers and eliminated immunity for the phone carriers, and it voted in convincing fashion — 69 to 29 — to end debate and bring the issue to a final vote. That vote is expected later this afternoon, with the result all but assured.

...supporters of the plan said the phone carriers acted out of patriotism after the Sept. 11 attacks in complying with what they believed in good faith was a legally binding order from the president.

The House has already rejected the idea of immunity for the phone companies, and Democratic leaders reacted angrily to the Senate vote. But Congressional officials said it appeared that the House would ultimately be forced to accept some sort of legal protection for the phone carriers in negotiations between the two chambers this week.

Beyond the immunity provision, the Senate measure would also widen the executive branch’s surveillance powers by allowing the National Security Agency and intelligence agencies to use broad orders — without getting court orders in advance — to eavesdrop on groups of overseas targets, rather than using individualized warrants.
FULL STORY

WACHOVIA EMPLOYEES KNEW OF FRAUD

2008-02-06T18:38:00.000-08:00

Recently released documents strongly suggest employees at Wachovia Bank not only knew that marketers were stealing from accounts at the bank, but that they bank solicited business from those companies. Executives at Wachovia have denied knowledge of the thefts.

From the New York Times:

Papers Show Wachovia Knew of Thefts

By Charles Duhigg

Last spring, Wachovia bank was accused in a lawsuit of allowing fraudulent telemarketers to use the bank’s accounts to steal millions of dollars from unsuspecting victims. When asked about the suit, bank executives said they had been unaware of the thefts.

But newly released documents from that lawsuit now show that Wachovia had long known about allegations of fraud and that the bank, in fact, solicited business from companies it knew had been accused of telemarketing crimes.

Internal Wachovia e-mail, for example, show that high-ranking employees at the nation’s fourth-largest bank frequently warned colleagues about telemarketing frauds routed through its accounts.

Link to the Full Story

Is Privacy Still Privacy?

2007-11-12T13:37:00.000-08:00

Donald Kerr, the U.S. deputy director of national intelligence, is being reported as calling into question the tradition definition of information privacy. In this age of terrorism, Kerr said that individual privacy can no longer can mean anonymity, but should instead mean that government and businesses will properly safeguard people's private communications and financial information.

This redefinition, if one can call it that, has been a long time in the making. Both businesses and governments often seen no difference between privacy their holding close their customer's or citizen's personal information. Of course, the corporate circle has a tendency to expand, to include affiliates, third party affiliates, third parties who are also customers, third parties who really, really need the information, to third parties who promise to keep the information private. Until, of course, someone else needs it.

In the case of HIPAA, sharing medical information with other doctors, within a hospital, with laboratories and even family members and friends makes sense. Sharing financial information, or buying habits with advertisers, less so.

In the business world, it is easy to convince one's self that sharing information is always in the customer's interest, (as is easy access one's credit report). The government, too, no doubt, views itself as having only benign motives. This is the dilemma of privacy. Possession, and even use of, information can often be nearly harmless.

But it is surely a stretch to redefine privacy as every organization merely safeguarding personal information from every other organization, or at least make them promise to safeguard it - until they need to share it.

Congressmen Blasts Yahoo Executives in Chinese Dissident Case

2007-11-06T14:03:00.000-08:00

Yahoo CEO Jerry Yang and Yahoo's General Counsel, Michael Callahan, were harshly criticized today by Congressmen who accused Yahoo of deceiving Congress and of complicity with efforts by the government of China to suppress human rights.

Yahoo initially received an official demand (citing "illegal provision of state secrets") for information they had about a pro-democracy dissident named Shi Tao over to the Chinese government. Yahoo turned the information over to the government. Shi Tao was sentenced to 10 years in prison.

Callahan defended Yahoo’s actions. "I cannot ask our local employees to resist lawful demands and put their own freedom at risk, even if, in my personal view, the local laws are overbroad," he said.

Congressman Tom Lantos said, "I do not believe that America's best and brightest companies should be playing integral roles in China's notorious and brutal political repression apparatus," he said.

He also said, "While technologically and financially you are giants, morally you are pygmies.”

Rep. Chris Smith compared Yahoo's cooperation with the Chinese government to cooperating with Nazi Germany during World War II.

Members also criticized Callahan for not informing Congress of the demand when if occurred. Callahan has issued a statement saying that he learned about it after he testified in February 2006 testimony, and that he regretted not alerting the committee to it once he knew about it.

It is unclear what Yahoo’s policy is now with regard to turning customer information over to host governments.

USING GPS TO TRACK YOUR FRIENDS AND LOVED ONES

2007-10-25T07:47:00.000-07:00

Clearly, one of the next developments in technology and privacy are GPS enabled and other small devices. We've heard about how useful it can be for prisoners, children, and the elderly (not to lump them all together).

Laura M. Holson of CNET address it here.

Holson writes about Loopt, a service by Sprint Nextel. For $2.99 a month, a use can she can see the location of friends who also have the service, represented by dots on a map on the user's phone, with labels identifying their names.

She writes:
"And for teenagers and twentysomethings, who are fond of sharing their comings and goings on the Internet, youth-oriented services like Loopt and Buddy Beacon are a natural next step.

Sam Altman, the 22-year-old co-founder of Loopt, said he came up with the idea in early 2005 when he walked out of a lecture hall at Stanford.

"Two hundred students all pulled out their cell phones, called someone and said, 'Where are you?'" he said. "People want to connect."

"There are massive changes going on in society, particularly among young people who feel comfortable sharing information in a digital society," said Kevin Bankston, a staff lawyer at the Electronic Frontier Foundation based in San Francisco.

"We seem to be getting into a period where people are closely watching each other," he said. "There are privacy risks we haven't begun to grapple with."

For a segment of the younger generation, this may be somewhat compelling.

As the author correctly points out, though, the interesting questions arise when the service is involuntary, or semi-voluntary (Employer-Employee). Who would feel comfortable with anyone, including an employee, knowing where you are at all times?

MICROSOFT BUYS STAKE IN FACEBOOK

2007-10-25T07:43:00.000-07:00

Microsoft has finalized plans to take a $240 million equity stake in Facebook during its next round of financing. Thel deal will give Microsoft a 1.6 percent stake in the Facebook, giving the social networking website a highly theoretical, paper value of somewhere in the neighborhood of $15 billion.

Paper or otherwise, a respectable neighborhood.

AMERIQUEST FILES FOUND IN DUMPSTER

2007-10-19T11:49:00.000-07:00

According to ABC news, "police in Atlanta Georgia are investigating how the personal files of 1,200 Ameriquest Mortgage customers" turned up in a dumpster at an apartment complex.

"Police say the 40 boxes of records contain sensitive financial information, including customers' credit histories, bank account information, tax and salary records and social security numbers."

The boxes appeared last month, but oddly, the three Ameriquest offices in the Atlanta area closed in 2005.

Police say the files involved mortgage customers from a number of different states, including Georgia, Florida and Mississippi.

Authorities plan to alert customers identified from the documents so that they can check their records to confirm they were not fraud victims.

An Ameriquest representative has reviewed some of the documents, and spokesman Chris Orlando says the company believes they were stolen from Ameriquest in late 2002.

According to Orlando, "We take the security of our records very seriously...and have been working to locate the person or persons responsible for the theft. We are pleased that the files have now been secured by authorities in DeKalb County, and we are working with local law enforcement to determine what information is contained in the files and who stole them."

It would be interesting to see if Ameriquest filed a police report for stolen files back in 2002.

Deputy Chief Burrows says so far his department has uncovered no evidence that the files were stolen from Ameriquest.

Deputy Chief Mike Burrows of the DeKalb County Police Department told the Blotter on ABCNews.com that the documents would have been a treasure trove to identity theft criminals."

According to Burrows, "If anyone finds it, they can delve into the files and assume people's identity and obviously open credit accounts and obtain loans on vehicles, mortgages -- the general financial identity fraud situation that the whole country's facing."

LEAHY - SPECTER INTRODUCE ID THEFT BILL

2007-10-17T09:01:00.000-07:00

Leahy and Specter have introduced another ID theft bill.

This bill, The Identity Theft Enforcement and Restitution Act of 2007 would, would:

* Give ID theft victims the right to seek compensation for they time lost and expenses they incur in correcting their credit history.

* Criminalizing the act of threatening to obtain or release information from a protected computer.

* Eliminate a requirement that the loss resulting from damage to a victim's computer must exceed $5,000 for prosecution (violations resulting in less than $5,000 damage would be catergorized as misdemeanors)

* Expand federal computer fraud statutes to cover small businesses and corporations.

* Allowing for federal prosecutions of cases in which both the identify thief's computer and the victim's computer are located in the same state.

* Make it a felony to use spyware or keyloggers to damage 10 or more computers;

* Expand the definition of cybercrime to include extortion schemes that threaten to damage or access confidential information on a computer.

"Cybercriminals are getting smarter and more effective in their online efforts to strip Americans of their privacy and their property.

"Protecting American consumers from identity theft and fraud should be one of the Senate's top priorities. Cyber criminals are getting smarter and more effective in their online efforts to strip Americans of their privacy, and their property," Leahy said in a statement.

"In 2006, some 8.4 million Americans became victims to identity theft. Victims are often left with a bad credit report and must spend months and even years regaining their financial health. In the meantime, victims have difficulty getting credit, obtaining loans, renting apartments, and even getting hired," Arlen Specter said.

COMCAST INTERNAL HANDBOOK SHOWS CONCERN FOR PRIVACY

2007-10-16T08:42:00.000-07:00

DeDeclan McCullagh, writer for CNET, reports that "Comcast's confidential "Law Enforcement Handbook" was publicly disclosed on Monday."

MuCullagh's article is titled: "Secret manual shows Comcast (gasp!) protects customers' privacy."

I haven't read that manual myself, but Declan reports that is demonstates concern for their customer's privacy. This is isn't entirely surprising, and is an interesting development, given what we've recently about other telecoms and their cooperation with the Bush administration's wiretapping.

McCullagh writes:

"It turns out to be a 35-page manual dated September 2007 for police and intelligence agencies to use when they're trying to extract information out of Comcast about subscribers. The company's Internet service, VoIP telephone service and cable TV service are all covered.

What's perhaps most interesting, though, is that the leaked handbook shows that Comcast seems to be trying to protect its customers' privacy. I didn't see anything in the document offering to divulge more information than the law permits. Instead, the company repeatedly stresses that police follow legal requirements, and even attaches the text of two federal privacy laws as appendixes."

For more, click here: Declan McCullagh on Comcast's confidential "Law Enforcement Handbook."

EU WILL TAKE MONTHS ON GOOGLE

2007-10-15T13:04:00.000-07:00

According to Reuters, the EU will take several more months examining whether Google, and other search engines, are violating EU privacy law.

"We have written to Google to say that we are continuing our work, that it is not limited to Google, and that we will adopt an opinion at the beginning of 2008," Reuters quotes an official as saying after, after Article 29 committee met last week.

QWEST CEO CLAIMS RETALIATION FOR REFUSAL TO SPY ON CUSTOMERS

2007-10-11T11:19:00.000-07:00

Sara Burnett and Jeff Smith, report in the Rocky Mountain News that documents suggest that the National Security Agencym and other government agencies, retaliated against Qwest by not giving the company lucrative government contracts because Qwest would not cooperate with the federal government's possibly illegal phone surveillance program.

The documents were under seal until Wednesday, part of the trial of former Qwest CEO Joseph Nacchio for insider trading.

Nacchio, it appears, wanted to raise a defense related to the possibility that in 2001 Qwest was about to get a $100 million contract from the NSA. They didn't get the contract, and as we know, Qwest -- unlike AT&T and Verizon -- refused to track their customers phone calls without a warrant. The suggestion is that the program was raised at the same meeting in which the contract was discussed.

Nacchio also apparently was going to argue that he was in line for a $2 billion contract to build an Internet network which would be safe from terrorist attack, but that never happened.

Google, Yahoo, Microsoft Change Privacy Policies

2007-07-30T14:20:00.000-07:00

Google, Yahoo, and Microsoft have all recently changed their privacy policies due pressure from certain groups, not the least of which is the European Union, which is, among other activities, scrutinizing the possible merger of Google and Doubleclick.

Among the changes:

Yahoo - all search log data will be anonymous after 13 months.

Microsoft - all user search data anonymous after 18 months.

Google - data stored about end users in its server logs anonymous after 18 months.

GONZALEZ TESTIMONY HINTS AT DATA MINING

2007-07-28T14:55:00.001-07:00

AG Alberto Gonzalez testified this week there was dispute about Justice Dept. activities, but that it did not involve what he called the "terrorist surveillance program."

He may have been referring to large scale searches of electronic databases of domestic phone call and e-mail records, or data mining, according an article in the New York Times.

That the government can do this is well-known, utilizing the NSA's ability to intercerpt electronic traffic.

In 2004 there was disagreement within the Department of Justice over a program, but Gonzalez refuses to discuss it, and President Bush will not confirm its existence.

It may have involved Justice Dept. disagreements with the White House over the President's power to access large volumes of domestic records of phone calls and internet usage, looking for specific patterns or combinations of words, rather than usage by a person or group.

****************************************************************************

Raul Touts Work of White House Privacy Board

2007-07-25T13:55:00.000-07:00

The Privacy and Civil Liberties Oversight Board based out of the White House has long been regarded as toothless at best - recall Democrat Lanny Davis quit - and recent remarks by it's vice chair will do nothing to disabuse that impression.

Alan Raul told a House of Representatives Judiciary subcommittee that he opposed pending bill which would give the board more power, and more importantly, separate it from the White House. Davis quit out of concerns that the White House interfered with the Board and edited it's final report.

Raul claimed that the Board meets frequently and evaluated the privacy implications of areas of the federal government such as the NSA, the State Dept., and Treasury.

ChoicePoint Settles Breach Case With 44 States

2007-06-01T12:13:00.000-07:00

ChoicePoint has settled with all 44 states which sued the company over its 2005 security breach.

ChoicePoint agreed to adopt stronger security measures and pay $500,000 to the states, according to Connecticut Attorney General Richard Blumenthal.

Considering the company had 44 state AGs suing it, over a very highly publicized privacy breach, a settlement for $500,000 and tighter security procedures, which they were going to do anyway, is a very good deal for ChoicePoint.

The security measures are designed to make sure that their third party customers are using the personal information ChoicePoint markets for legitimate reasons. This will apparently include getting written certification from their customers, or even onsite visits to those customers by ChoicePoint.

ChoicePoint also agreed to conduct periodic audits of companies getting consumers' personal information to ensure that they are not using the information for illegitmate purposes.

Top Spammer Arrested

2007-05-31T09:31:00.000-07:00

According the Associated Press, the federal government has arrested a man they describe as being one of the top spammers in the world. They even claim users could notice a decrease in spam because of his arrest.

They accuse of 27 year-old Robert Alan Soloway using other people's computers to send out spam without their knowledge - so called "zombie computers". Apparently, a federal grand jury has already indicted him on several charges, including mail fraud, wire fraud, and aggravated identity theft. The government stated that this is the first time the federal government has charged a spammer with violating laws against identity theft.

Soloway has pleaded not guilty to all the charges.

Microsoft, which has been aggressive in going after spammers, won a $7 million civil judgment against him back in 2005, and the operator of a small Internet service provider in Oklahoma won a $10 million judgment. The article quotes Tim Cranton of Microsoft saying, "He's one of the top 10 spammers in the world."

NYT: Online Ads vs. Privacy

2007-05-12T04:53:00.000-07:00

The New York Times has an article today titled "Online Ads vs. Privacy" written by Dan Mitchell. It briefly looks at the issue of gathering personal information online.

"For advertisers, and in many ways for consumers, online advertising is a blessing. Customized messages rescue advertisers from the broad reach of traditional media. And consumers can learn about products and services that appeal directly to them.

But there are huge costs, and many dangers, warns Jennifer Granick, the executive director for the Stanford Law School Center for Internet and Society (wired.com). To approach individuals with customized advertising, you have to know who they are. Or at least, you have to gather enough personal information about them that their identity could be easily figured out."

For Full article, go here Online Ads vs. Privacy

Federal Council Recommends Fair Information Practices in U.S. Privacy Law

2007-05-08T08:07:00.000-07:00

The National Research Council has issued a voluminous report calling for sweeping changes in U.S. attitudes and approaches toward information privacy, by businesses and government. Essentially it calls for a more comprehensive, European or Canadian approach to information privacy.

The report is titled "Engaging Privacy and Information Technology in a Digital Age." To read about the report, go here:
To buy a copy of the full report, or read a summary of the report, go here and go to "Download Free":

This may be the most authoritative and respected federal body to issue such recommendations. In fact, given their mandate, and the nature of the issues they were addressing, their their recommendations are not all that surprising.

The report is likely to provoke discussion, and probably prompt some action at the margins. Nevertheless, it is not likely that we are going to see great changes in private sector practices or federal law as result of this report.

My description of their recommendations based on a reading of the Executive Summary:

* Application of Fair Information Practices by businesses when collecting and using personal information.

* Greater individual control over use of their personal information.

* Individual choice and consent of the use of their information.

* Mechanisms for choice and consent which genuinely inform the individual, and genuinely demonstrate their true desires regarding privacy, taking into account then tendency not to opt-out.

* Greater specific federal regulation of businesses which gather personal information on people.

* A Federal Privacy Commissioner or Privacy Commission.

* State and local privacy commissioners.

* Greater government action to protect individual information privacy.

Mental Health Privacy and Guns

2007-05-02T07:39:00.000-07:00

According to a story in the New York Times, Congress is, unsurprisingly, looking at revising mental health privacy laws in the wake of the Virginia Tech shooting.

New York Times(By Michael Luo)

"Momentum is building in Congress behind a measure that would push states to report their mental health records to the federal database used to conduct background checks on gun buyers.

But a thicket of obstacles, most notably state privacy laws, have thwarted repeated efforts to improve the reporting of such records in the past and are likely to complicate this latest effort, even after the worst mass shooting in United States history at Virginia Tech last month.

Federal law prohibits anyone who has been adjudicated as a “mental defective,” as well as anyone involuntarily committed to a mental institution, from buying a firearm. But only 22 states now submit any mental health records to the National Instant Criminal Background Check System, against which all would-be gun purchasers must be checked. "

See: http://www.nytimes.com/2007/05/02/us/02guns.html?_r=1&hp=&oref=slogin&pagewanted=print

Connecticut Sues Telemarketers for Violating Do-Not-Call law

2007-04-27T11:46:00.000-07:00

The Attorney General of Connecticut is suing three companies for violating the state Do Not Call law. According the AG’s press release, “Tri-State Home Improvement, LLC, of Branford, First National Mortgage Group, Inc., of Orange and Craftmasters Windows and Siding, LLC, of East Hartford called consumers on the do-not-call list and, in some instances, continued calling even after recipients said they were on the list.”

Blumenthal filed the suit charging violations of the Connecticut Unfair Trade Practices Act. He can seek up to a $5,000 fine per violation, disgorgement of any ill-gotten gains and reimbursement of the state's litigation expenses. Blumenthal is also seeking orders allowing consumers to void contracts they signed as a result of the illegal phone solicitations.

Attorney General Richard Blumenthal is quoted as saying:

"These companies harassed consumers with unwanted and unwelcome sales pitches - effectively breaking into their homes - exactly what the do-not-call list statute should stop. Even when told numbers were on the do-not-call list, the companies continued calling them, invading consumers' privacy and wasting their time."

"The message to telemarketers: Do not call means do not call. What part of 'no' don't you understand? We will fight intrusive, infuriating calls at home - still all too common. Consumers have legal rights to stop unsolicited telemarketing calls. Companies must be held accountable for flagrant, frequent violations of the state's telemarketing safeguards. Remedies should enable consumers to collect money and void unwanted contracts when these telemarketers break into their homes."

See: Connecticut Attorney General Sues Telemarketers

Google Buys Doubleclick for $3.1 Billion

2007-04-14T12:49:00.000-07:00

Google has agreed to buy Doubleclick for $3.1 billion, one of many recent big purchases for Google, as they seek to expand their operations. Doubleclick is the major online advertiser which became one of the first businesses to appoint a Chief Privacy Officer, as a result questions arising from their own purchase of an offline target maketer. In early 2000 Doublclick bought an offline marketer, Abacus Direct. The company compiled information on consumers such as names and addresses, which Doubleclick planned on combining with information it had learned about consumers web surfing habits. There was an outcry, and Doubleclick dropped its plans.

Google is clearly trying to beef its advertising, which is a major source of income.

Randall Rothenberg, is quoted in the New York Times as saying: “You can dive deep into that data and say who were those people, where do they live, what were they doing when they looked at those ads? You can protect privacy and provide great insights for advertisers.”

The investigation began in February 2000 after the company announced plans to combine consumer information collected online with personally identifiable customer data from its newly merged subsidiary, Abacus Direct. The point of compiling such dossiers is to better target advertisements to consumers as they surf the Web.

The government agency issued a letter Monday to DoubleClick's lawyers notifying them of the investigation's end. The investigation was launched primarily to determine whether DoubleClick, in its collection of online consumer habits, or "clickstream data," merged sensitive information from its subsidiary in violation of its privacy policy.

"The issue that triggered the investigation was a report that they were planning to combine offline information from Abacus with their clickstream data. However, this never took place," said FTC spokesman Eric London. "As a result, there was no violation of their privacy policy."

Google Buys an Online Ad Firm for $3.1 Billion

By LOUISE STORY and MIGUEL HELFT

Google agreed to its largest acquisition yesterday, reaching a deal to purchase DoubleClick, the online advertising company, from two private equity firms for $3.1 billion in cash, almost double what it paid for YouTube last year. And perhaps just as important, the deal kept DoubleClick from the hands of Microsoft.

***************************************************************************

TJX Reveals Even More Information Exposed

2007-03-29T17:17:00.000-07:00

TJX has stated in a regulatory filing yesterday that another 455,000 of their customers had their personal data taken by hackers. TJX first revealed the massive breach earlier in the year.

Reportedly 45.7 million credit and debit card numbers have been by hackers from TJX over a period of years.

CHARGES AGAINST PATRICIA DUNN DISMISSED

2007-03-15T05:14:00.000-07:00

A California state judge has dismissed all the charges against Patricia Dunn in the Hewlett Packard pretexting scandal. Dunn, the former Chairman of the Board, had been charged with several felonies relating to actions taken at HP to gain access to phone records of members of the Board.

Charges against other HP employees and data brokers were not dismissed.

FTC Investigating TJX Breach

2007-03-14T17:13:00.000-07:00

According to a story in the Boston Globe, the FTC is investigating a reported security breach at TJX, a large retailer which operates more than 2,000 stores, including T.J. Maxx and Marshalls.

In January of 2007, TJX announced that a breach of consumer data occurred in 2006, then later amended that to say that hackers had broken into their computers as early as July 2005.

Link: Boston Globe

Hewlett-Packard Puts New Safeguards in Place

2007-03-07T18:49:00.000-08:00

Hewlett-Packard has put new safeguards to prevent the kinds of problems that developed at the company in its Board of Directors leak investigation.

According to an article by Anne Broache of CNET News, Jonathan Hoak, HP's chief ethics and compliance officer, thoroughly vets outside companies before using them to conduct investigations. Chief Privacy Officer Scott Taylor and CEO Mark Hurd said they are committed to "building a world-class ethics and compliance program."

See: CNET

T.J. Maxx Reports Security Breach

2007-01-19T17:06:00.000-08:00

T.J. Maxx is reporting a security breach in the form of unauthorized access to its computer systems.

This appears to be a form of hacking, and law enforcement is investigating.

Some credit card companies are already notifying customers who have shopped at T.J. Maxx recently, canceling their cards, and issuing them new ones.

Military and CIA Seize Personal Records of Americans

2007-01-13T13:32:00.000-08:00

The New York Times has an article today about the military and the CIA using little-known powers to obtain records about Americans and American companies.

Authors Eric Lichtblau and Mark Manzetti write:

"The Pentagon has been using a little-known power to obtain banking and credit records of hundreds of Americans and others suspected of terrorism or espionage inside the United States, part of an aggressive expansion by the military into domestic intelligence gathering.

The C.I.A. has also been issuing what are known as national security letters to gain access to financial records from American companies, though it has done so only rarely, intelligence officials say.

Banks, credit card companies and other financial institutions receiving the letters usually have turned over documents voluntarily, allowing investigators to examine the financial assets and transactions of American military personnel and civilians, officials say.

The F.B.I., the lead agency on domestic counterterrorism and espionage, has issued thousands of national security letters since the attacks of Sept. 11, 2001, provoking criticism and court challenges from civil liberties advocates who see them as unjustified intrusions into Americans’ private lives."

************************************************************************

Presidential Identity Theft Task Force Seeks Comments

2007-01-04T14:19:00.000-08:00

The Presidential Identity Theft Task Force is taking public comments on how to combat identity theft. Any ideas out there?

The task force is nominally chaired by Attorney General Gonzales and co-chaired by Federal Trade Commission Chairman Deborah Platt Majoras,

Take it for it what it's worth.

Comment by January 19 at www.usdoj.gov/ittf/

UCLA Reports Data Breach Affecting 800,000

2006-12-13T06:49:00.000-08:00

UCLA has announced a security breach which may have allowed hackers to access personal information on 800,000 former and current students, parents of students, staff and faculty.

Given that this appears to be a deliberate attempt to access information held by the school from the outside, it raises more concern that the average lost laptop or other security breach. The school even said that the hackers seemed to looking for names and Social Security Numbers. UCLA said the FBI is investigating.

UCLA is notifying all the people involved. Many businesses in this situation offer the people notified free credit monitoring, but UCLA may consider that expensive. They are not required to do so by law.

U.S. Senate Passes Pretexting Bill

2006-12-11T15:23:00.000-08:00

The Senate has passed a relatively uncontroversial bill which would criminalize obtaining another person's phone records without authorization.

This kind of so-called "pretexting" has been in the news lately, due to the scandal at Hewlett Packard.

A House version provides for fines of $250,000 and 10 years in prison, while the Senate bill provides for 10 years and $500,000.

Not in the bill are requirements to protect customer information or protections for other kinds of customer information.

Link to New York Times story:

http://www.nytimes.com/2006/12/09/business/09pretext.html?th&emc=th

Hewlett-Packard Settles Privacy Charges with California for $14.5 Million

2006-12-07T16:43:00.000-08:00

Hewlett-Packard will settle with the state of California charges that it violated the privacy of Board members. The company will pay $14.5 million in a settlement with the California attorney general over the company’s use of private detectives to

Certain executives authorized company employees to access phone records of members of the Board of Directors and journalists, while investigating alleged leaks of Board meetings and discussions.

Some former and current executives still face criminal charges in California for obtaining private phone records illegally, via pretexting,

Federal agencies are still investigating the company as well.

FTC Settles Spyware Case For $3 Million

2006-11-08T06:48:00.000-08:00

Zango, a creator of pop-up online ads, has agreed to settle an "unfair and deceptive practices" case with the Federal Trade Commission and pay a $3 million fine.

The FTC alleged that the company, formerly known as 180Solutions, placed software enabling pop-up ads on the hard drives of users, who were accessing free software for games or screensavers, without their knowledge. The FTC also argued that the company made it difficult to get rid of the software.

"Consumers' computers belong to them, and they shouldn't have to accept any content they don’t want. If consumers choose to receive pop-up ads, so be it. But it violates federal law to secretly install software that forces consumers to get pop-ups that disrupt their computer use," said Lydia Parnes, Director of the FTC's Bureau of Consumer Protection.

The settlement agreement also requires the company to"give clear and prominent disclosures and obtain consumers’ express consent before downloading software onto consumers’ computers." Consent must be more explicit than a click through or EULA.

The FTC argued that the company downloaded the adware onto 70 million computers and caused 6.9 billion ads to pop-up.

"This is a landmark settlement, and one that sends an important message to companies that have built their businesses on the backs of internet users without any concern for what those users want. With this action, the FTC has again made clear that it is prepared to go after companies, regardless of size or market position, that engage in unfair and deceptive practices to distribute their products," said Ari Schwartz Deputy director of the Center for Democracy & Technology.

District Court Dismisses Personal Information Lawsuit Against Acxiom

2006-10-13T13:18:00.000-07:00

U.S. District Judge William Wilson, based in Arkansas, has dismissed a class action privacy lawsuit against Acxiom, because the plaintiffs could not demonstrate damages, and therefore did "not have standing under the case-or-controversy requirement."

Plaintiffs sued Axciom after an incident in 2003, when a third party accessed millions of personal records from the company, and argued that Acxiom was negligent for not protecting customer information.

The decisions further suggests that plaintiffs must have suffered some form of damage in order to sue based on unauthorized access of personal information.

FTC Gets $1 million For COPPA Violation

2006-09-22T10:53:00.000-07:00

The FTC has accepted a settlement of a $1 million civil penalty for alleged COPPA violations from Xanga.com, which is highest amount yet for an alleged COPPA violation.

State Security Breach Notification Laws

2006-09-15T12:39:00.000-07:00

Currently, thirty-four states have security breach notification laws:

Arizona
Arkansas
California
Colorado
Connecticut
Delaware
Florida
Georgia
Hawaii
Idaho
Indiana
Illinois
Indiana
Kansas
Louisiana
Maine
Minnesota
Montana
Nebraska
Nevada
New Hampshire
New Jersey
New York
North Carolina
North Dakota
Ohio
Pennsylvania
Rhode Island
Tennessee
Texas
Utah
Vermont
Washington
Wisconsin

POSSIBLE PRIVACY BREACH AT HEWLETT-PACKARD

2006-09-08T15:05:00.000-07:00

According to Reuters, a former Hewlett-Packard board member, Thomas Perkins, has asked the U.S. Attorney for Northern California, the U.S. Attorney for Southern District of New York, the FTC and the FCC to look a into possible deliberate privacy breach at the company.

Apparently directors' and journalists' private phone records were accessed, according to Perkins' lawyer, Viet Dinh.

The California Attorney General is investigating.

Hewlett Packard had no comment.

Bank to Pay $50 Million for Violating Drivers' Privacy

2006-09-07T13:11:00.000-07:00

According to EPIC, a bank has been ordered to pay $50 million by a federal District Court for violating the Drivers Privacy Protection Act.

EPIC states that frmo 2000 to 2003, Fidelity Federal Bank & Trust bought 656,600 names and addresses for use in direct marketing from the from the Florida Department of Highway Safety and Motor Vehicles.

In 2004, the District Court ruled the plaintiff had to show actual damages in order to receive DPPA. The 11th Circuit Court of Appeals overturned that finding.

Federal Judge Rules NSA Program Unconstitutional

2006-08-17T10:22:00.000-07:00

U.S. District Court Judge Anna Diggs Taylor, of the Eastern District of Michigan, issued a ruling today that finds that federal warrantless wiretapping program violates the U.S. Constitution.

The Judge found the program in violation of the FISA, Title III, Fourth Amendment, the First Amendment, and the Separation of Powers. She also the no inherent powers, practical justifications, or the Authorization Military Force justify the program.

Judge Diggs:

"...this court is constrained to grant to Plaintiffs the Partial Summary Judgment requested, and holds that the TSP violates the APA; the Separation of Powers doctrine; the First and Fourth Amendments of the United States Constitution; and the statutory law."

"In this case, the President has acted, undisputedly, as FISA forbids. FISA is the expressed statutory policy of our Congress. The presidential power, therefore, was exercised at its lowest ebb and cannot be sustained."

The Judge granted an injunction against the program.

Ninth Circuit: No Right to Privacy to Computer at Work

2006-08-10T13:21:00.000-07:00

The Ninth Circuit Court of Appeals has ruled that an employee in a workplace which has stated that they monitor employee's computer use have no expectation of privacy for their computer.

In a criminal investigation, police gained access to the computer through the employer, without a search warrant. The defendant argued the evidence should not be admissible.
The court agreed with the prosecution, ruling there is not expectation of privacy when the employees have been told that they should not use computers for personal use and that usage was monitored.

The court also cited "social norms."

"Social norms suggest that employees are not entitled to privacy in the use of workplace computers, which belong to their employers and pose significant dangers in terms of diminished productivity and even employer liability," said Judge Diarmuid O'Scannlain.

Veterans Affairs Missing Another Computer

2006-08-08T09:10:00.000-07:00

According to a Department of Veterans Affairs press release, a subcontractor has lost a desktop computer containing personal information on some veterans

The VA says it was notified on Thursday, August 3, by the subcontractor, Unisys Corporation, that the computer was missing from its Reston, Va., offices.

They estimate the computer held information on 16,000 living patients, with an additional 20,000 a possibility.

The desktop computer apparently contained patients' names, addresses, Social Security Numbers, dates of birth, insurance carriers and billing information, dates of military service, and claims data that may include some medical information.

According to the VA, personnel took immediate steps to notify the appropriate senior VA leadership, including the Secretary and Deputy Secretary, appropriate congressional offices and committees, VA's Office of the Inspector General and other law enforcement authorities, including the FBI and the Department of Homeland Security's Computer Emergency Response Team.

AT&T, Department of Justice, Appeal to Ninth Circuit

2006-08-03T08:05:00.000-07:00

AT&T is appealing the decision not dissmiss the EFF's suit against it to the Ninth Circuit Court of Appeals

The Electronic Frontier Foundation is suing over the company's alleged provision of personal customer information to the NSA.

AT&T and the federal government moved to dismmiss the suit, on the grounds that a trial would reveal classified information, and that AT&T is protected from lawsuits when cooperating with the goveernment. The motion was denied.

Judge Walker wrote that "dismissing this case at the outset would sacrifice liberty for no apparent enhancement of security."

AT&T wrote:

"If the state secrets privilege was properly invoked by the United States, then plaintiffs cannot prove that they were injured by the government's intelligence activities or AT&T's alleged involvement in those activities, because they would be unable to obtain any information concerning the identities of government surveillance targets. If the named plaintiffs cannot prove that their information has been divulged to the government, they cannot establish that they have suffered any injury whatsoever from the alleged surveillance program and their complaint must be dismissed."

The Justice Department wrote:

"The decision on whether to grant access to classified information rests with the Executive Branch, and any order by the Court appointing such an expert to review and assess the status of classified information would raise profound separation of powers concerns that should be avoided."

Homeland Security Names New Privacy Officer

2006-07-28T10:17:00.000-07:00

The Department of Homeland Security has named one of their lawyers, Hugo Teufel III, as their new Chief Privacy Officer.

Hugo Teufel was associate general counsel at the Homeland Security Department, and also worked at the Department of the Interior.

Michael Chertoff Teufel was "highly regarded throughout the department and the legal community for his expertise on privacy, employee relations and civil rights issues."

In an interview with Government Executive magazine, Teufel said, "It's important to have someone in this position that can go to the deputy secretary or the secretary and say, 'That's probably not a good idea,'. "If I thought something
were amiss, I would advise the deputy secretary and the secretary. And I would not hesitate to do so."

He also said, "I am looking forward to making use of my experience at the department in order to make the office more effective and get the office more plugged in earlier with the various programs that our offices are involved in that impact privacy."

Teufel is replacing the CPO Maureen Cooney, who will leave in September to take a position as a senior policy adviser for global privacy strategies at Hunton & Williams.

Before her, Nuala O'Connor Kelly, was the first CPO for DHS. She now works at General Electric.

Privacy adovcates wanted someone with more experience in privacy than Teufel, who prior to Interior worked for Gale Norton in Colorado, and would prefer someone they know is a forecful advocate for privacy.

"This is not an appropriate appointment. He lacks the relevant experience," said, said Marc Rotenberg, head of EPIC.

"He doesn't have much of a background to be a privacy officer. He seems to have no experience in privacy matters," said Caroline Fredrickson, with the ACLU in Washington.

Feds Propose Banking ID Theft Rules

2006-07-20T09:12:00.000-07:00

In a joint announcement from the board of governors of the Federal Reserve, the Federal Deposit Insurance Corporation, the Federal Trade Commission, the National Credit Union Administration, the Office of the Comptroller of the Currency and the Office of Thrift Supervision, the federal government proposed new identity theft rules for all financial institutions.

The rules would require financial institutions and creditors to create programs to prevent and deal with identity thet. This would include steps to verify an individual's identity, and spotting possible ID theft.

These agencies all are taking comments the Proposed Rulemaking.

The proposed rules can be found at:

Washington Post Editorializes Against Specter Bill

2006-07-18T13:35:00.000-07:00

The Washington Post has written an editorial urging that the bill brokered between Arlen Specter and the White House regarding NSA spying not be enacted. Here is a short excerpt.

From The Washington Post:

"This bill is not a compromise but a full-fledged capitulation on the part of the legislative branch to executive claims of power. Mr. Specter has not been briefed on the NSA's program. Yet he's proposing revolutionary changes to the very fiber of the law of domestic surveillance -- changes not advocated by key legislators who have detailed knowledge of the program. This week a remarkable congressional debate began on how terrorists should face trial, with Congress finally asserting its role in reining in overbroad assertions of presidential power. What a tragedy it would be if at the same time, it acceded to those powers on the fundamental rights of Americans."

California High Court Bans All Secretly Recorded Calls

2006-07-18T13:12:00.000-07:00

The California Supreme Court ruled last week that no one, even those outside the state, may record a phone call with a person in California without their knowledge.

California law requires all callers to inform the other party before taping a call with a California resident.

Two California residents filed suit against Salomon Smith Barney (now Smith Barney) for secretly recording their calls made from Atlanta in 1998. Georgia law allows such calls.

The decision was unanimous, but no damages were awarded.

11 states requires consent before a telephone conversation may be recorded.

Possible Deal Reached to Legalize NSA Surveillance Program

2006-07-14T07:35:00.000-07:00

Reports are coming out that Sen. Arlen Specter has made a deal with the White House which bring the government's broad surveillance program back under some outside supervision.

He is saying that the White House has agreed to legislation that would give the FISA Court (created by the 1978 Foreign Intelligence Surveillance Act) review the Constitutionality of the NSA program and oversee they way it is conducted.

But the law would also allow for more wiretaps without a warrant and for roving wiretaps. to judge whether the National Security Agency's domestic eavesdropping program is allowed under the Constitution.

Class Action Suit Against Union Pacific

2006-07-06T09:27:00.000-07:00

A class action lawsuit has been filed in Iowa state court against Union Pacific railroad, alleging negligence due to a loss of personal information.

The lawsuit alleges that Union Pacific was negligent by failing to
protect employees' Social Security numbers, and for using SSN to identify employees.

In April, a laptop was stolen with the names and Social Security numbers of 30,000 current and retired Union Pacific employees.

UP notified the employees and for a year credit monitoring. In addition, the employee allegedly violated company policy when he transferred work files to a his computer at home.

Veteran's Affairs Recovers Stolen Laptop

2006-06-29T08:22:00.001-07:00

Looks like the VA has recovered the most famous stolen laptop in America.

No doubt there are huge sighs of relief down at Veteran's Affairs, given the scrutiny this incident has created. The VA is more fortunate than most private businesses in that they had marshalled all the resources of the federal government, including the FBI.

Secretary Jim Nicholson made the announcement on Thursday on Capitol Hill, where he going testify again on the security breach.

He didn't say how the computer or disks were recovered.

"There is reason to be optimistic. It's a very positive note in this very tragic incident, he said.

Veteran's Affairs Recovers Stolen Laptop

2006-06-29T08:22:00.000-07:00

Privacy International Challenges Swift Data Transfers

2006-06-28T11:49:00.000-07:00

Privacy International has announced that it has filedl complaints in 32 countries against Society for Worldwide Interbank Financial Telecommunications (Swift), claming the that it when it shared financial information with the United States it violated European and Asian data protection laws.

Complaints were also filed in Australia, New Zealand, Canada, Switzerland, and Hong Kong.

"Swift appears to have violated data protection rules in Europe by making
these transfers without the consent of the individuals involved, and without
the approval of European judicial or administrative authorities. The scale of the operation, involving millions of records, places this disclosure in the realm of a fishing exercise rather than a legally authorized investigation," said Simon Davies.
the largest and most influential bloc in the European Parliament,

A transfer of personal information from Europe to the U.S., which does not have a comprehensive data protection law, generally requires consent.

VA to Offer Veterans Free Credit Monitoring

2006-06-22T10:49:00.000-07:00

As has been noted here before, the standard response to a large data breach is to offer the victims" a year of free credit monitoring.

However, with 26 million people, that could be quite expensive. On the other hand, the federal government can probably afford it.

Department of Veteran Affairs has announced it will offer free credit monitoring for veterans affected the recently security breach.

So at least the credit agencies will make some money.

Unsurprisingly, there are not actually 26.5 million individuals affected, but even a fraction of that will require some financial scrambling.

The VA has already spent $25 million on an initial mailing and $200,000 per day on call centers.

The VA is also hiring a special adviser on information security, accelerating security and privacy training, and reviewing procedures for accessing and storing sensitive data. All this plus the credit monitoring shows the true costs of poor data security.

Equifax Laptop Stolen

2006-06-21T12:55:00.000-07:00

Equifax is reporting one of their laptop computers has been stolen -- fortunately, though, it appears that it does not contain any actual credit report information.

Apparently a laptop containing Equifax employee names and Social Security numbers was stolen from a worker traveling on a train in Europe. Apparently the theft, which took place on May 29, may affect nearly all of Equifaxes 2,500 U.S.-based employees.

Given that they are a credit reporting agency, and these are their employees, one suspects that at the very least they can offer them a year or two of their credit monitoring service, if they don't already.

Hillary Clinton Proposes "Privacy Bill of Rights" Includes "Opt In" for Financial Information

2006-06-16T09:10:00.000-07:00

This morning Senator Hillary Clinton proposed a "Privacy Bill of Rights" -- in other words, federal legislation addressing a number of privacy issues.

The proposal will be called the Privacy Rights and Oversight for Electronic and Commercial Transactions Act of 2006, or "PROTECT Act."

The bill would:

* Require that consumers affirmatively "opt in" before their information could be shared by credit card companies, banks and other financial insitutions.

* Require notification when consumer's information is sent to another country.

* Create a national requirement for immediate security breach notification

* Provide for a national credit freeze standard, and allow consumers to sue in federal court for privacy violations.

* Create a right for a free annual credit report.

* Limit cell phone numbers and call records disclosure.

* Create a "privacy czar" within the Office of Management and Budget.

* Create more penalites for HIPPA violations.

New Jersey Subpoenas Phone Companies. Federal Government Sues to Block the State

2006-06-16T07:54:00.000-07:00

The New Jersey Attorney General, Zulima V. Farber, has issued subpoenas to AT&T, Verizon, Qwest, Sprint, Nextel, and Cingular Wireless, demanding to know if they have turned over customer phone records to the NSA.

The United States federal government filed a lawsuit yesterday in federal court to block New Jersey's subpoenas, saying that forcing the companies to reveal the information would endanger national security.

"People in New Jersey and people everywhere have privacy rights. What we were trying to determine was whether the phone companies in New Jersey had violated any law or any contractual obligations with their consumers by supplying information to some government entity, simply by request, and not by any court order or search warrant," said Farber.

Stolen Server May Result in Security Breach at AIG

2006-06-15T13:27:00.000-07:00

NBC news is reporting that sources tell them that recently a thief broke into an office and stole a computer server belonging to the insurer AIG. They report that names, Social Security Numbers, and medical records on 930,000 Americans may have been lost.

The 930,000 people were potential customers.

They will probably be less inclined to do business with AIG after they receieve their security breach notices.

Vermont Enacts Security Breach Notification Law

2006-06-13T09:27:00.000-07:00

Vermont has enacted a Security Breach Notification law. (Senate Bill 284).

There are now 34 states with such laws.

The law provides that notification does not have to be made if misuse of the exposed personal information is not reasonably possible. The following is from the text of the bill as enacted.

"Notice of a security breach pursuant to subsection (b) of this section is not required if the data collector establishes that misuse of personal information is not reasonably possible and the data collector provides notice of the determination that the misuse of the personal information is not reasonably possible pursuant to the requirements of this subsection. If the data collector establishes that misuse of the personal information is not reasonably possible, the data collector shall provide notice of its determination that misuse of the personal information is not reasonably possible and a detailed explanation for said determination to the Vermont attorney general or to the department of banking, insurance, securities, and health care administration in the event that the data collector is a person or entity licensed or registered with the department under Title 8 or this title."

Lost VA Laptop Possibly Linked to Case of Identity Theft

2006-06-08T15:35:00.000-07:00

Channel 4 News is Pittsburgh has reported that a local veteran is a victim of identity theft. That was to be predicted, of course, but the the identity thief tried to get access to his VA funds.

He had reported a case of identity theft to the FTC. He then received a call from the FTC asking him for more information.

But the call was not real -- the FTC does not call victims.

This incident is probably not related to the lost laptop. Still, it could be, and demonstrates the concern people have, and likely reactions in the media.

All veterans and active service members should vigilant to signs of ID theft and requests for information, a good practice in any case.

Veterans Theft Affects 2 million Active-Duty Soldiers

2006-06-07T09:57:00.000-07:00

The government now admits that the stolen laptop contained information on 2.2 million active-duty members of the military.

At first, they said that only 50,000 active-duty soldiers were affected.

They have revised that estimaete to 1.1 million active-duty service members, 430,000 National Guardsmen and 645,000 members of the Reserves.

Veterans Sue Over Loss Of Data

2006-06-06T09:58:00.000-07:00

A group of veterans have filed a suit against the VA in U.S. District Court in Washington. They are seeking $1,000 in damages per person, ($26.5 billion). They also are asking for more stringent security procedures at the VA.

The suit cites the 1974 Privacy Act, which applies to the federal government.

"The VA arrogantly compounded its disregard for veterans' privacy rights by recklessly failing to make even the most rudimentary effort to safeguard this trove of the personally identifiable information from unauthorized disclosure," the complaint claims.

"Laptop Stolen, Information Lost" - Could You Be More Specific?

2006-06-06T09:17:00.000-07:00

* Department of Veteran's Affairs computer stolen, information lost on 26.5 million U.S. veterans.

* Ohio Medicaid laptop stolen, personal information on 72,000 recipients lost.

* Hotels.com laptop stolen, credit card data of 243,000 customers lost.

* YMCA laptop stolen, bank account numbers, credit card information and names,
addresses and personal family and medical details, on 65,000 members lost.

* Supermarket chains laptop computer stolen, pension data of former employees lost.

This is just the past week. Sensing a patten?

Government Wants ISPs to Track Users

2006-06-01T09:28:00.000-07:00

The Justice Department has confirmed that Attorney General Gonzales and the FBI asked the country's largest ISPs to keep certain customer information for two years. This includes the user's IP address and usage history.

Hawaii Enacts Security Breach; Shredding; Credit Freeze Laws

2006-05-26T10:20:00.000-07:00

On May 26 Hawaii enacted several laws relating to ID theft.

The state becames the latest to enact a security breach notification law.

Also enacted was a law requiring requires businesses to shred, or otherwise destroy, documents containing personal information before disposing it.

The state also enacted a law allowing victims of ID theft to place a freeze on access to their credit reports.

The laws take effect January 2007.

Illinois Credit Freeze Law

2006-05-26T10:15:00.000-07:00

Illinois has enacted a law allowing all people, not just victims of ID theft, to freeze their credit reports.

The law, enacted on Wednesday, allows agencies to chage a $10 fee to add or remove a credit freeze, with some exceptions for the elderly and low-income consumers.

Veterans Affairs Secretary Testifies Before Congress

2006-05-26T08:35:00.000-07:00

Veterans Affairs Secretary James Nicholson and the department's Inspector General testified about the security breach to a Congressional Committee yesterday.

Chief among his revelations, although perhaps the least surprising, was that the employee in question had been taking this kind of information home for at least three years.

This is just what I expected. It also suggests that, in spite of what the VA has said about their rules, he had de facto approval to work from home.

"He said that he routinely took such data home to work on it, and had been doing so since 2003," said the Inspector General, George Opfer.

The Inspector General said the employee's supervisors have all said that they did not know that the employee took all the information home with him.

But did they ask? Did they know what he was working on? Did they know he was working at home? How else did they think he was getting his work done? And if they had known, would they have done anything about it?

This is not an advocacy site. But the questions are important from a factual and legal perspective.

Mr. Nicholson said the employee who took the data home had broken no law "as near as I can tell," but said the employee had violated VA policies.

The Secretary did not find out about the loss of the data for almost 2 weeks. Senators said the delay was "baffling," "mind-boggling" and "just unbelieveable."

Senators said security was too lax at the VA. "How is it that VA's computer system permits one person to download the records of 26 million individuals and no one is alerted?" said Sen. Larry Craig, chairman of the Senate Committee on Veterans Affairs.

Nicholson defended himself from criticism and calls for his resignation, and said there is an "embedded cultural resistance" to change at the VA.

He even suggested Congress might want to consider enacting laws making it unlawful to take records with sensitive information home.

The VA is planning on notifying every affected person by mail. But the Inspector General pointed out "we don't have 26 million envelopes."

He said the the costs of buying, addressing and mailing the envelopes would probably be $10 million to $11 million.

He said costs to the Department could be as high as $500 million.

Congress to Hold Hearings on Veterans Agency Security Breach

2006-05-24T08:51:00.000-07:00

Congress is planning on holding hearings on the loss of personal information on 26 million veterans. Two hearings, one in the House and one in the Senate, are scheduled for Thursday morning.

Senator Larry E. Craig (R-Idaho), chairman of the Veterans Affairs Committee, said he will would hold an emergency hearing Thursday and call on Secretary Jim Nicholson to testify.

The House Veterans Affairs Committee has scheduled a hearing for 9 a.m. Thursday.

"We just want to make sure sensitive material is handled somewhat similarly to top-secret data," said Jeff Schrade, spokesman for the U.S. Senate Committee on Veterans' Affairs.

In a written statement, the Veterans Affairs Inspector General, Jon Wooditch, has expressed his opinion that agency did not appear to do enough to prevent the loss of personal information.

The Inspector General has warned Veterans Affairs officials that security control was a "material weakness."

A spokesman for the Disabled American Veterans said "The VA, quite frankly, has fallen down on the job on this one."

Suit Filed Against AT&T for NSA Spying

2006-05-23T11:16:00.000-07:00

Several individuals, including the famous author Studs Terkel, assisted by the ACLU, have filed a lawsuit against AT&T for giving giving customer phone records to the
National Security Agency without a court order.

The suit, filed in Federal court in Illinois, claims AT&T violated the federal Electronic Communications Privacy Act.

The plaintiffs want to include all Illinois customers of AT&T as plaintiffs in a class action.
___

Information on 26 Million Veterans Stolen

2006-05-22T13:05:00.000-07:00

According to Reuters, "Personal data on about 26.5 million U.S. military veterans was stolen from the residence of a Department of Veterans Affairs data analyst who improperly took the material home, Veterans Affairs Secretary Jim Nicholson said Monday."

This sounds like another laptop was stolen from a home, although the story does not make that clear. More incidents like these may result in stricter measures regarding the use of laptops. Although this may also give businesses a chance to tell the government, "fix your own house."

Interestingly, Secretary Nicholson said the employee "took home a considerable amount of electronic data from the VA which he was not authorized to do. It was in violation of our rules and regulations and policies."

News reports say the information included names, Social Security numbers and dates of birth, but "there is no indication at this time" that identity theft has occurred as a result.

Most likely it will not, but out of 26 million people, some will surely be victims of identity theft soon enough, and who will be able to say what the cause will be?

Secretary Jim Nicholson said the FBI, local law enforcement authorities and the Veteran's Affairs Inspector General were all investigating what appears to be an ordinary burglary.

He also said: "The employee has been placed on administrative leave pending the outcome of the investigation. We have a full-scale investigation going on in this."