Friday, April 29, 2005

Auto "Black Box" Law Enacted in North Dakota

North Dakota has enacted a law limiting access to information in automobile "black boxes." It is the first law of its kind enacted in the United States.

North Dakota has long been a state with strict privacy laws, and at one time had the only opt-in privacy law in the country.

The bill, Senate bill 2200, was signed into law on Wednesday, April 27, by Governor John Hoeven.

The new law provides that owners of the vehicle are the owners of the information stored in the car's "black box," or data recorder.

Insurance companies opposed the law.

Non-owners could only access the information with consent, a court order, or to improve safety, or as part of vehicle repair or maintenance.

California RFID Law Proposed

California State Senator Joe Simitian, a well-known privacy advocate, has proposed an anti-RFID law called the "Identity Information Protection Act of 2005" (Senate Bill 682).

The bill would make it illegal for any unauthorized person to use an electronic device to obtain information from an RFID chip without the knowledge of the person carrying the chip. This has long been a concern of privacy advocates.

It would also limit the use of RFID technology by the state, for example in driver's licenses, student ID cards, medical cards and state employee cards. This was partly in response to the well-publicized recent incident in which students in a California elementary school were required to wear badges with RFID chips at all times. The project has been dropped as a result of bad publicity and complaints by parents.

On Tuesday, April 26, the bill passed out of the state Senate Judiciary Committee by a vote of 6 to 1.

Thursday, April 28, 2005

Seisint Security Breach Archive

The following are recent stories from The Privacy Law Site relating to Seisint, security breaches in general, information brokers, identity theft, and government actions in direct response to security breaches in the news.

(See Monthly Archives)

Thursday, May 19, 2005

Massachusetts Governor Proposes Notification Law

Friday, May 13, 2005

Washington Enacts Security Freeze Law

Wednesday, May 11, 2005

LexisNexis & ChoicePoint Support New Privacy Laws

Florida Will Try Again With Seisint's Matrix

Friday, April 22, 2005

Seisint: Update on Help for Victims and Security Procedures

Wednesday, April 20, 2005

ID Theft Update: Congressman Barton’s Letter to The New York Times

Friday, April 15, 2005

Seisint: What Happened

Wednesday, April 13, 2005

General Motors MasterCard Privacy Breach

Lexis Nexis CEO Apologizes to Congress

Seisint Breach Will Lead to New Federal Laws

Schumer - Nelson Comprehensive Privacy Bill

Tuesday, April 12, 2005

Seisint: More Privacy Breaches

Monday, April 11, 2005

Security Breach Law Enacted in Arkansas

Thursday, March 31, 2005

AFLAC!! AFLAC!! Insurer Loses Customer Information

Mizuho Bank Loses Data on 270,000 Customers

Tuesday, March 29, 2005

Information Stolen From California Berkeley

Friday, March 25, 2005

New Security Breach Notification Rules

Tuesday, March 22, 2005

Personal Information Stolen From California State University - Chico

Friday, March 18, 2005

Westlaw Changes Business Practices

Wednesday, March 16, 2005

Congress Holds Privacy Hearings

Tuesday, March 15, 2005

House and Senate Hold Hearings

Monday, March 14, 2005

Theft of Information on 9,000 People From Nevada DMV

Friday, March 11, 2005

Senate Hearing Postponed

Leahy Suggests Big Changes in Privacy Law

Wednesday, March 09, 2005

ChoicePoint Hires Privacy Officer

Privacy Breach at Seisint

ID Thief Sentenced to 5 1/2 Years

Tuesday, April 26, 2005

DSW Loss Affects 1.4 million

DSW is now stating that a security breach has resulted in the unauthorized exposure of personal information of 1.4 million customers. DSW spokespeople have said that the customer information revealed included customer names, and credit card, bank account and driver's license numbers.

Friday, April 22, 2005

Seisint: Update on Help for Victims and Security Procedures

What is Seisint doing to assist people whose identity may have been stolen as a result of recent security breaches? And what are they doing to prevent another massive security breach? Here is some updated information:

Helping Victims

LexisNexis, the company that owns Seisint, says it is in the process of notifying every individual whose personal information may have been accessed by identity thieves.

LexisNexis says it will provide all affected individuals with a consolidated report containing information from the three major credit bureaus, TransUnion, Equifax, and Experian.

LexisNexis says they will provide all affected individuals credit monitoring service for one year. This is a useful service, although some people think one year of monitoring is not enough.

LexisNexis says that, for anyone who is, or becomes, a victim of identity theft, the company will provide that person with help from ID theft counselors, who can assist them in the process of clearing their credit reports of any information related to fraudulent activity.

Security Procedures

LexisNexis says it is in the process of tightening its security procedures to prevent massive security breaches from happening again. (It should be noted the recent publicized breaches happened before LexisNexis purchased Seisint.)

LexisNexis claims it has a multi-layer process in place to screen potential customers, to ensure that only legitimate customers have access to individual personal information.

They say that they have a detailed authentication process to determine the validity of business licenses, memberships in professional societies and other credentials, and that they authenticate the documents to ensure they have not been tampered with or forged.

They also state that customers requesting access to sensitive information must go through a multi-step application and approval process, and that only customers with a permissible purpose under federal law are granted access to sensitive data such as driver’s license information and social security numbers.

LexisNexis points out that their customers are required to make express representations and warranties regarding access and use of sensitive information.

Clearly, these procedures are not enough, since it was through businesses with apparently legitimate access to Seisint information that the latest security breaches occurred. Often, it appears, employees of companies with access used the information for illegitimate reasons.

LexisNexis has announced that they plan to restrict access even more to the most sensitive personal information Seisint gathers, including Social Security Numbers and Driver’s License Numbers. They say they will do this by extending LexisNexis’ current more restrictive SSN truncation policy to Seisint. (Could they not have done this earlier?)

They are also planning a policy of “masking” driver’s license numbers.

LexisNexis also says it is conducting an on-going review of all its security practices, authorization and verification procedures, and privacy policies across its businesses.

LexisNexis also says that they are reviewing their verification and security procedures, at both LexisNexis and Seisint.

This would include:

• Enhancing ID and password administration procedures.
• Enhancing security requirements applied to their customers.
• Working with law enforcement and outside consultants to establish new procedures and techniques to thwart criminal activity.

Thursday, April 21, 2005

FTC Seeks COPPA Comments

The FTC is seeking comments on certain aspects of their rules relating to the Children's Online Privacy Protection Act, also known as COPPA.

Comments are due June 27, 2005.

Their web address is:

The Federal Trade Commission is seeking public comment on its implementation of the Children’s Online Privacy Protection Act (COPPA) through the Children’s Online Privacy Protection Rule.

They are also seeking additional comment on the COPPA Rule’s sliding scale approach to obtaining parental consent, which takes into account how information gathered from children will be used.

COPPA affects Web sites or online services which are directed to children under 13 years old and Web sites or online services that have actual knowledge that they are collecting personal information from a child under 13 years old.

The rules have been somewhat controversial in the online, business, and privacy community.

The FTC is taking comments on all aspects of the rules, and is specifically seeking comments on the Rule’s effect on:

* Practices relating to the collection and disclosure of information relating to children

* Children’s ability to obtain access to information of their choice online

* The availability of Web sites directed to children.

The agency also is seeking comments on four additional issues on which public comment would be especially useful:

* Whether factors such as the subject matter of the site, visual or audio content, age of models, language used, and target audience should be clarified or supplemented.

* Whether the term “actual knowledge” is sufficiently clear and whether Web site operators are encouraging children to back-button and change their age.

* The use of credit cards as a means of obtaining verifiable parental consent.

* The COPPA safe harbor program.

The Commission will report to Congress on the results of this review of the COPPA Rule, as well as commence rulemaking proceedings, if warranted, in response to the comments received.

The FTC is also seeking additional comment on the COPPA Rule’s sliding scale mechanism for obtaining verifiable parental consent.

Operators of Web sites and online services that collect children’s personal information solely for internal use can obtain parental consent through the use of an e-mail to the parent plus an additional step to provide assurance that the person providing the consent is actually the parent. Operators that wish to disclose children’s information publicly or to third parties must employ more reliable methods of obtaining parental consent, such as using a print-and-send consent form; a credit card transaction; a toll-free telephone number staffed by trained personnel; a digital certificate using public key technology; or an e-mail with a password or PIN obtained by one of the above methods.

In 2002, the Commission extended the sliding scale approach until April 21, 2005.

Anyone who filed comments on the sliding scale issue after January 2005 does not have to do so again.

Wednesday, April 20, 2005

ID Theft Update: Congressman Barton

Representative Joe Barton, the Chairman of the House Energy and Commerce Committee, signals not just his willingness, but his eagerness, to be seen as at the forefront of federal legislative action to combat ID theft in a letter to The New York Times printed this morning.

Here it is:

Washington, April 18, 2005

To the Editor:

Your take on a leading cause of identity theft was exactly right: nobody should have his or her Social Security number sold without permission.

Some say otherwise, and they've been pleading their case before my committee lately. But the plain fact is that in our society, our Social Security numbers are the keys to the bank vault for swindlers.

I'm probably going to be a lot more careful about imposing regulation on business and the economy than you would like, but if it takes action to stop the buying and selling of Social Security numbers without the knowledge and agreement of consumers, count me in.

Joe Barton
Chairman, House
Energy and Commerce Committee

Monday, April 18, 2005

HHS Proposes New Rules on HIPAA Violations

On April 18, 2005 the Department of Health and Human Services published a Notice of Proposed Rulemaking in the Federal Register which proposes the bases and procedures for imposing civil money penalties on covered entities that violate any of the HIPAA Administrative Simplification Rules (based on HIPAA, the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191.)

Comments from the public are requested, and are due by JUNE 17.

The NPRM is entitled: "Civil Money Penalties: Policies and Procedures for Investigations, Imposition of Penalties, and Hearings."

The proposed rule would amend the existing rules relating to the investigation of noncompliance to make them apply to all of the HIPAA Administrative Simplification rules, rather than exclusively to the privacy standards. It would also amend the existing rules relating to the process for imposition of civil money penalties. Among other matters, the proposed rules would clarify and elaborate upon the investigation process, bases for liability, determination of the penalty amount, grounds for waiver, conduct of the hearing, and the appeal process.

For the Full Text, go to:

Friday, April 15, 2005

Seisint: What Happened

What really happened with Seisint, LexisNexis, and Accurint?

Last year LexisNexis (based in Ohio, and owned by Reed Elsevier, based in London) bought the well-known information broker Seisint (based in Boca Raton, Florida, and previously associated with the MATRIX debacle).

Seisint has a subsidiary called Accurint. These companies sell personal information on Americans to companies that use it for all kinds of reasons, especially marketing. They sell names, addresses, zip codes, phone numbers, dates of birth, and even full Social Security Numbers.

LexisNexis and Seisint have 30 billion records on individuals. Information they hold includes birth and death records, marriage and divorce records, motor vehicle information, property holdings, tax assessments, deeds, mortgages, criminal information, bankruptcies, judgments, liens, and court settlements, among other information.

As information brokers, they are not as highly regulated as credit reporting agencies.

Companies buy access to this information for a fee. They use a code, or an ID and password, to gain access to the database online. These companies are only supposed to be granted access for certain permitted uses; not just anybody can gain access to the database. Permitted uses include law enforcement and certain other government uses, as well as use by collection agencies, private investigators, and others. Of course, employees of these companies and agencies can gain access to the database.

LexisNexis is now looking into the possibility that unauthorized people have been able to gain access to information held in the Accurint database, using passwords that were given out to businesses that paid the required fee. They say it may have happened as much as 59 times over the past two years, involving the personal information of over 310,000 people.

It is not clear how this happened, or what security measures were in place. The 59 incidents are apparently not all related.

LexisNexis says it is in the process of notifying the affected people, and also that it has limited the sale of Social Security Numbers.

Wednesday, April 13, 2005

General Motors MasterCard Privacy Breach

As if all the other news wasn't disturbing enough, CNN is announcing a privacy breach involving GM MasterCards and bank HSBC.

Looks like 2005 really is going to be Year of the Privacy Breach

NEW YORK (CNN) - As many as 187,000 GM MasterCard customers may have had their personal information compromised, officials with card issuer HSBC Holdings said Wednesday.

About 6 million HSBC customers hold GM-branded MasterCards, according to the automaker, and letters have been sent so far to 1,200 telling them their information may have been compromised when they shopped with an undisclosed retailer.

The remaining 185,800 cardholders affected will be notified between now and mid-May, according to HSBC.

HSBC insisted the bank is not to blame for the security breach. "This is not an issue with our card," said Tom Nicholson, a spokesman for HSBC. "It's an issue with the retailer."

HSBC said it was notified by MasterCard's Fraud Management Department in March about the breach, but was not provided with details on the unnamed retailer.

GM MasterCard, in a letter to customers, said it did not know the merchant involved and urged customers to replace their credit cards as soon as possible "due to the serious nature of this situation," the Boston Globe reported.

The security breach is the latest example of private financial information being improperly accessed in recent weeks by companies that compile and sell personal information about millions of Americans.

Lexis-Nexis said Tuesday that data on 310,000 people nationwide may have been stolen -- 10 times its estimate of just a month earlier.

Household Bank, acquired by HSBC in 2002, began issuing the GM MasterCard Rewards card in 1992.

Customers earn points towards the purchase or lease of GM vehicles, and GM says more than 4 million GM cars have been bought or leased by Rewards customers since the card was launched.

-- From Caleb Silver of CNN Business News  

Lexis Nexis CEO Apologizes to Congress

According to the Associated Press, Kurt P. Sanford, the President of LexisNexis, which owns Seisint and which is itself owned by Reed Elsevier, apologized for the possible loss to identity thieves of personal information on 300,000 people in a security breach, when he testified today before the Senate Judiciary Committee.

"We sincerely regret these incidents and any adverse impact they may have on the individuals whose information may have been accessed," he is quoted as saying.

Seisint Breach Will Lead to New Federal Laws

In the wake of yet another scandal involving the loss of consumers’ personal information by a business, again from Seisint, this time numbering, so far, 310,000 additional people, Congress is primed to act.

Unlike many other political issues which seem to automatically cleave along party lines, Democrats and Republicans seem not only united in their outrage, but determined to do something about it.

Consider this quote from Congressman Joe Barton, a Republican who heads the Energy and Commerce Committee: "Once again we're forced to ask, why should it continue to be legal to sell a person's Social Security number without permission? If it takes a new law to protect people from identity thieves, so be it."

Senator Dianne Feinstein, a well known liberal Democrat, said flat out: "Not doing anything is not an option."

Of course, the Republican party controls both houses of Congress and the White House. But it seems that no amount of furious lobbying by information brokers will be able to completely forestall legislation. Given the rate of ID theft, this certainly will look good to the people back home when Senators and Representatives are running for reelection. Even more so for Republicans, who are generally seen as a little more pro-business and anti-consumer -- this is a chance to show that they do believe that sometimes government can be a force for good.

Information brokers can still make their case to influence what kind of laws will be passed. In addition, there will be horse trading and compromising as different members of Congress make their case for their proposals.

The Senate Judiciary Committee will be holding hearings on Wednesday, April 13, on the practices of information brokers.

Two Democrats, Senators Chuck Schumer of New York and Bill Nelson of Florida, on Tuesday introduced "The Comprehensive Identity Theft Prevention Act." See the previous Privacy Law Site posting for more information about the bill.

Senator Feinstein's proposal would enact a federal version of California's law requiring that consumers be notified if their information may have been accessed by unauthorized individuals.

Her proposed bill serves as a reminder that state laws can also have an effect on businesses, and can drive federal legislation.

Schumer - Nelson Comprehensive Privacy Bill

On the same day that Seisint, the division of LexisNexis, disclosed that there had been a breach of its database, involving the exposure of the personal information of 310,000 people, Chuck Schumer and Bill Nelson, both Democrats, proposed what they call a comprehensive ID theft bill.

According to their press release:

"Sen. Schumer is a member of almost all the committees that would have jurisdiction over this bill including the Finance, Judiciary, and Banking Committees, and Sen. Nelson is a member of the Commerce Committee, which also has jurisdiction."

Schumer said, “What bank robbery was to the Depression Age, identity theft is to the Information Age. Identity theft has become so pervasive and so out-of-hand, that we must make a real effort to prevent it before it happens. When a company like Lexis-Nexis so badly underestimates its own ID theft breaches, it is clear that things are totally out of hand.”

“This bill not only will help stop the erosion of privacy,” said Nelson, a longtime champion of consumer privacy. “But it also will cut through the red tape identity theft victims now face when they try to restore their credit.”

Schumer continued, “Everyone knows that once your identity has been stolen, you can’t get it back. That is why our comprehensive measure focuses on making sure that your personal information isn’t surfing the Internet without your permission and that companies handling your Social Security number and other sensitive information should come under the watchful eye of the Federal Trade Commission immediately.”


Create an FTC Office of Identity Theft to help the millions of victims of ID theft each year to get their identity back through an easily accessible website, toll free phone number and consumer-service teams, and authorizes $60 million a year, for five years for this office.

Regulate data merchants (akin to regulation of credit bureaus) by:

- Make them register with the FTC;
- Institute safeguards to prevent fraudulent access by unauthorized parties;
- Develop authentication process for their customers with individualized passwords;
- Users allowed these passwords are people who have passed a reasonably effective background check;
- Data Merchant should track who accessed what records and for what lawful purpose they were accessed;
- Allow consumers, like with their credit reports, to obtain reports showing which data-merchants have their information and mandates a correction process to fix errors;
- Demands accuracy standards for their information;
- Regulates Credit Bureaus only if, and as far as, they sell credit header information currently unregulated by the Fair Credit Reporting Act and its amendments.

Disclosure Box:
Any company that is collecting your sensitive personal information and plans to sell or transfer your information to an unaffiliated third party, must put a “Disclosure Box” on it, which lets the consumer know in PLAIN ENGLISH that “this information may be sold or given to an unaffiliated third party without your additional consent.”

Notification provisions in the case of an information breach are very similar to current California law (the law that forced ChoicePoint to notify consumers). But there is a new provision, allowing any consumer who is notified of a breach of their information to request, in writing, that their information be completely expunged from the company’s database.

Every company required to take “Reasonable Steps” to protect sensitive personal information they are storing.

Social Security Number Specific Provisions:
- Prohibits any company from asking for a Social Security number unless they actually need it in the normal course of business;
- Prohibits SSN’s displayed on employee IDs and prohibits inmates in prison from having any access to them as part of their prison jobs;
- Bans SSN purchase and sale, except for law enforcement, national security and fraud purposes;
- Grants U.S. Attorney General the ability to further define the exemptions as situations arise and exempt more if needed.

Would also require the FTC to:
- Study national, state and local governments’ public postings of Social Security numbers, come up with recommendations and forward them on to the relevant national, state and local governments;
- Require a thorough annual report each year on ID theft;
- For each section there’s a maximum penalty, usually $1,000 per individual record per violation, which can be administered by the FTC or Attorneys General.
- Study international identity theft and determine ways to combat it;
- Create a blue-ribbon working group representing both industry and consumer groups to find the best ways for private entities to protect consumer data;

Stop public postings of private financial account numbers (i.e. mutual fund companies posting shareholder information on Internet).

Preempts state law to the extent that it is inconsistent with the provisions of this bill and then only to the extent of the inconsistency. If the statute offers greater consumer protections than this bill, it shall not be preempted by this bill.

Create an Assistant Secretary for Cyber Security in the Department of Homeland Security, which is what an earlier Schumer amendment to the 9-11 bill and a bi-partisan house bill in the 108th would have done.

SOURCE: Press Release by Senator Schumer, April 12, 2005.

Tuesday, April 12, 2005

Seisint: More Privacy Breaches

Seisint is reporting even more privacy breaches, already reported previously on The Privacy Law Site. Lexis-Nexis bought out Seisint in 2004.

The company now says that identity thieves stole personal information, including Social Security Numbers, names, addresses, and driver's license numbers (but not, they claim, credit histories, medical records or financial information) on 310,000 Americans, which is 10 times more than its previous guess last month.

Apparently thieves hacked into Seisint databases 59 times over the past two years.

Naturally, this has already led to more calls for legislation to regulate information brokers like Seisint, which include ChoicePoint, Acxiom, and others.

Senator Charles Schumer said, "When a company like LexisNexis so badly underestimates its own ID theft breaches, it is clear that things are totally out of hand.''

The CEO of LexisNexis, Kurt Sanford, is supposed to testify in front of the Senate Judiciary Committee on Wednesday, April 13, along with executives from ChoicePoint and Acxiom.

This latest news may or may not be related to his scheduled testimony, but look for this latest breach admission to weaken any remaining resistance on Capitol Hill, or in the industry, to tighter controls.

The issue now is not if there will be new laws, but what they will be.

HIPAA Security Rule Deadline: April 20

According to a story by Jaikumar Vijayan in COMPUTERWORLD, most health care companies covered by the HIPAA security rule created by HHS will not be ready by the compliance date of April 20, 2005. He cites surveys by HIMSS and AHIMA.

In an article by M.L. Baker, from Ziff Davis Internet, on the other hand, covered companies will be ready by the April 20 deadline. "Most" companies, he says, are well on their way.

Baker provides a number of useful sources for compliance advice, including an April 13 conference call, at 2 p.m. ET, hosted by the Centers for Medicare & Medicaid Services. The call in number is (877) 203-0044, and the identification number is 4587639.

You can also check with HHS and the AHA.

Monday, April 11, 2005

Security Breach Law Enacted in Arkansas

It hasn't taken long for states to enact laws like California's security breach notification law, which got so much free publicity after ChoicePoint unwisely chose to notify California residents first about the massive use of their data by ID thieves.

Numerous states have such laws pending -- see the recent newsletter of Privacy and American Business, and today's Washington Post.

On March 31, the Arkansas Governor signed Arkansas Senate Bill 1167 which will require, like California's law, that consumers be notified of unauthorized disclosures of their personal information. The new law will also require regular reasonable information security measures.

** Update -- May 4, 2005 **

Those interested in the above story might want to know that Washington State Governor Christine Gregoire has signed Senate Bill 6043, also a security breach notification law.

Friday, April 08, 2005

Rosenzweig Chosen as Privacy Committee Chair

Paul Rosenzweig will be the chairman of the Department of Homeland Security's Data Privacy and Integrity Advisory Committee. Rosenzweig is a senior legal research fellow at the Heritage Foundation. In the past he has supported the DOD project Total Information Awareness and other initiatives, for which he will be criticized by privacy advocates.

Still, it is the President's Committee. What did people expect?

The Committee unanimously selected Lisa Sotto, partner and leader of the Regulatory Privacy and Information Management Practice Group at Hunton and Williams as the committee’s vice chairwoman.

Rosenzweig said he wants to maximize security and privacy as much as possible. Lisa Sotto said she would not compromise U.S. security. But "our national security must not come at the ultimate cost of the freedoms we cherish so much."

Wednesday, April 06, 2005

New Google Feature Lets You Be a Satellite Spy

Google has announced a new feature which will allow people to get satellite maps of an area by typing in an address. Google bought a digital mapmaker called Keyhole, which had this technology, allowing people to zoom in on certain areas. This predictably raises privacy concerns (so says CNN), but violates no laws I can think of.

In fact, I remember Yahoo allowed people to do this years ago, and I was able to get photos of my friends' houses as well as mine, but it was discontinued after Sept. 11, if memory serves.

Tuesday, April 05, 2005

Senate To Hold Hearings on USA Patriot Act

The Senate Judiciary Committee will hold hearings on whether or not to renew the USA Patriot Act this week. Parts of the controversial law are set to expire at the end of December 2005. Hearings will begin April 5.

Friday, April 01, 2005

Utah Creates Adult Registry

The Governor of Utah has signed a bill which creates an internet adult content registry. Businesses affected must begin compliance by January 1, 2006. The bill the Governor signed, House Bill 260, requires the state to create an “adult content registry,” consisting of URLs and IP addresses which contain content harmful to minors. The state will decide if the content is harmful.

The law requires that "upon request by a consumer, a service provider shall filter content to prevent the transmission of material harmful to minors to the consumer.”

The law also requires that “upon request by the consumer, a service provider may not transmit material from a content provider site listed on the adult content registry," to the consumer.

Michigan enacted a similar law in 2004.

Is this the beginning of a "Do Not Call" style trend for online addresses?

How will businesses handle this? We shall see.