Thursday, June 30, 2005

Congress Changes "Do Not Fax" Law

Congress has approved changes to existing "Do Not Fax" law.

The changes relate to a 2003 FCC ruling which requires businesses to get prior written approval before sending an unsolicited commercial fax.

The law passed by Congress this week (and sent to President Bush) allows businesses to send unsolicited faxes to organizations with whom they have an "established business relationship."

Wednesday, June 29, 2005

FDIC Releases Study of ID Theft

On June 27, the FDIC released a study of identity theft and account hijacking. It supplements a paper released in December of 2004.

Different financial institutions may choose different solutions, or a variety of solutions, based on the complexity of the institution and the nature and scope of its activities. The FDIC does not intend to propose one solution for all, but the evidence examined here and in the Study indicates that more can and should be done to protect the security and confidentiality of sensitive customer information in order to prevent account hijacking.

The FDIC recommends that financial institutions perform information security risk assessments and analyze (a) whether the institution needs to implement more secure customer authentication methods and, if it does, (b) what method or methods make most sense in view of the nature of the institution’s business and customer base.

The FDIC also states that if an institution offers retail customers remote access to Internet banking or any similar product that allows access to sensitive customer information, the institution has a responsibility to secure that delivery channel.

"More specifically," they write, "the widespread use of user ID and password for remote authentication should be supplemented with a reliable form of multifactor authentication or other layered security so that the security and confidentiality of customer accounts and sensitive customer information are adequately protected."

Wednesday, June 22, 2005

Feds Turned Over Social Security Info

According to the New York Times, after September 11, 2001, the Social Security Administration "relaxed its privacy restrictions" and "searched thousands of its files at the request of the F.B.I."

But this was apparently in violation of their privacy policy, which forbids the sharing of the personal information they disclosed. According to the Times, "senior officials at the Social Security agency agreed to an 'ad hoc' policy that authorized the release of information to the bureau" because officials saw a "life-threatening" emergency.

Don't you wish your business could decide to violate the law on an "ad hoc" basis?

Actually there is a serious point here. What if this were a private business, such as an airline, and they were asked to turn over information in violation of the law or their privacy policy? Are they liable if they do? Should they wait for a subpoena? Should they seek some kind of "permission" from the government? Could they be liable if they DON'T turn the information over?

All interesting questions...

Tuesday, June 21, 2005

New York Times Bashes "Smug, Self-Regulated Industry"

"The New York Times" today comes out swinging at holders of personal information that resist all regulation and have a cavalier attitude toward safeguarding personal information. They basically endorse a national security breach notification law and further regulation along the lines of the Schumer-Nelson bill, previously discussed here.

Editorial: "The New York Times"

June 21, 2005

"The breathtaking success of data thieves in exposing 40 million credit cardholders to the risk of fraud is only the latest evidence that Congress urgently needs to force standards and safeguards on the feckless world of consumer-data gathering. Roughly 200,000 of the accounts were reported stolen outright after a credit card processing company, CardSystems Solutions, improperly retained masses of data in vulnerable files as filchers moved in. The explanation from this member of a smug, self-regulated industry: "We should not have been doing that."

Horror stories grow by the day. CitiFinancial disclosed that unencrypted computer tapes for 3.9 million customers were lost by a package deliverer. Crooks were easily able to buy the data of 145,000 consumers from ChoicePoint, the nation's largest broker of personal information. In the hands of thieves, consumer data becomes liquid assets and must be guarded as such by companies that are now far too phlegmatic about security.

If it were not for California's pioneering law requiring notice to affected consumers, the rest of the nation might not have even heard warnings of how their assets and identities are increasingly at risk. Senator Dianne Feinstein, Democrat of California, is proposing a national requirement for consumer notification, with civil damages for negligent companies. Her bill is a good start in conjunction with a comprehensive measure by Senators Charles Schumer of New York and Bill Nelson of Florida to begin regulating data merchants by requiring registration with the Federal Trade Commission. It would adopt stronger safeguards, stop the easy access to Social Security numbers and help identity theft victims regain their fiscal balance.

Credit-card companies and information brokers - not consumers and merchants - bear prime responsibility for the ravages of data thieves."

Monday, June 20, 2005

CardSystems Security Breach

By now it is old news that there has been yet another massive security breach reported, this time of the personal information of a record 40 million people. Worse, the information was not simply lost, misplaced, or breached, but known to have been taken by thieves.

Although MasterCard has been mentioned in news reports, the company involved is an information processor called CardSystems Solutions.

In the New York Times the Chief Executive is quoted as saying the data was only being held for research purposes, should probably not have been held at all, and was not properly secured.

MasterCard requires processors not to retain such personal information, and is "investigating" to find out what happened.

Apparently information from consumers' Visa and other accounts was also compromised.

Observers point out that information processors that fail to secure information can represent a great risk.

In fact, they may be the greatest risk when it comes to personal privacy, whether we are talking about account, financial, medical or other forms of personal information. What standards do they have? What rules must they follow? Who verifies what they do?

This is a peculiar line in the New York Times:

"Jessica Antle, a MasterCard spokeswoman, said that CardSystems had never demonstrated compliance with MasterCard's standards. "They were in violation of our rules," she said."

What does that mean? "Never"? Then why was MasterCard doing business with them?

Interestingly, MasterCard discovered the problem by noticing unusually high fraudulent charges on accounts.

This obviously indicates that the thieves have already used the breach of security to commit identity theft.

In this situation businesses sometimes offer free credit monitoring services, but with 40 million people, that might be asking a lot of CardSystems.

Maybe if anyone needs the much touted "Identity Theft Insurance," it's the processing and card issuing companies, not the people.

Tuesday, June 14, 2005

Maine Security Breach Law Enacted

Maine has become the latest state to enact a security breach law, in the wake of numerous publicized security breaches around the country. These became known as a result of California's security breach law.

The Governor signed LD 1671 on June 10.

The new law requires any business that owns or licenses electronic data containing personal information, following the discovery of a security breach, "to notify a subject person whose unencrypted personal information was, or is REASONABLY BELIEVED to have been, acquired by an unauthorized person."

"Security breach" means the compromise of the security, confidentiality or integrity of computerized data that results in unauthorized acquisition of and access to personal information maintained by a business or that creates a reasonable basis for the conclusion that such acquisition has occurred.

"Security breach" does not include the good faith acquisition of personal information by an employee or agent of a business for the purposes of that business if the personal information is not used or subject to further unauthorized disclosure.

Failure to follow the law can result in fines of up to $25,000 per day.

"Personal information" means "an individual's last name in combination with one or more of the following data elements, when either the name or the data elements are not encrypted:

A. Social security number

B. Driver's license number or state identification number

C. Account number or credit or debit card number in combination with any required security code, access code or password that would permit access to an individual's account or financial records as defined in Title 9-B, section 161."

Monday, June 13, 2005

Colorado Enacts Security Freeze Law

Colorado has enacted a security freeze law.

The law allows consumers to place a security freeze on their consumer report whether or not they have been the victim of identity theft. Agencies must place the freeze within five days of receiving the request. Agencies may not charge a fee to the consumer for a first request.

The rest of the language is fairly standard.

There are exceptions for entities that "own a financial obligation owing by the consumer . . . ." and insurance underwriting.

See Senate Bill 05-137.

Friday, June 10, 2005

Senate to Hold Security Breach and ID Theft Hearings

The Senate Committee on Commerce, Science and Transportation will hold hearings on identity theft on Thursday, June 16, 2005, at 10:00 AM in Washington, D.C.

The Committee hearing will examine federal legislative solutions to data breach and identity theft.

Senator Gordon Smith (R-Ore.) will preside.

Panel 1:

The Honorable Deborah Majoras
Chairman, Federal Trade Commission

The Honorable Orson Swindle
Commissioner, Federal Trade Commission

The Honorable Thomas B. Leary
Commissioner, Federal Trade Commission

The Honorable Pamela Harbour
Commissioner, Federal Trade Commission

Mr. Jon Leibowitz
Commissioner, Federal Trade Commission

Panel 2:

The Honorable William Sorrell
Vermont Attorney General, and President of the National Association of Attorneys General

The hearing will be in Room 253 of the Russell Senate Office Building.

Thursday, June 09, 2005

Minnesota Enacts Security Breach Law

Minnesota has enacted a Security Breach law.

On June 2, the Governor signed H.F. 2121, a security breach notification law.

The law requires that:

“Any person or business that conducts business in [Minnesota] and that owns or licenses data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay . . . .”

The law defines “breach of the security of the system" as:

“Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.”

The law also states that:

“Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security system, provided that the personal information is not used or subject to further unauthorized disclosure.”

The law defines “personal information” as:

“an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements is not encrypted:

(1) Social Security number;
(2) driver's license number or Minnesota identification card number; or
(3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.”

The law is effective January 1, 2006.

NY Times Article on Security Breaches

The New York Times has an interesting article today on recent security breaches and legislative responses. The article mentions the recent Citigroup / UPS fiasco.

The article is titled: "The Scramble to Protect Personal Information," by Tom Zeller, Jr.

The best line comes from Bruce Schneier, author of "Secrets and Lies: Digital Security in a Networked World."

"There are social expectations about security that can't be met. But the practices are still so shoddy."

-- Bruce Schneier, NYT, June 9, 2005.

Wednesday, June 08, 2005

Bush Administration Weakens HIPAA

The Bush Department of Justice has issued a controversial interpretation of HIPAA that significantly weakens it. This is good or bad news depending on your point of view. This is a political move or a run-of-the-mill ruling, depending on who you talk to.

What the DOJ said:

Only covered entities -- like health plans, health care clearinghouses, and health care providers -- can be prosecuted for violating the criminal provisions of HIPAA. (In addition, it is possible for certain corporate officers to be prosecuted.)

This would then include doctors, other health care providers, some officers, and legal persons -- entities like insurers and hospitals, but not necessarily their employees.

This is true, even if, in all other respects, that employee violated the letter of HIPAA.

I have often wondered about who is and who is not covered by HIPAA. Now we have some more guidance.

42 USC 1320d-6(a) reads:

"A person who knowingly and in violation of this part . . .

(1) uses or causes to be used a unique health identifier;

(2) obtains individually identifiable health information relating to an individual; or

(3) discloses individually identifiable health information to another person,

shall be punished as provided in subsection (b) of this section."

This could be read as covering all people who commit any of the above acts. The DOJ disagrees.

Their decision turns on their interpretation of the phrase "this part."

The DOJ takes it to mean the statute itself, and therefore finds that the criminal penalties can only apply to specifically "covered entities."

This interpretation would seemingly subvert the federal government's own prosecution last year of an employee for stealing information from a patient.

One person who disagrees with the interpretation is Peter Swire, professor at Ohio State University and former chief counselor for privacy in the Clinton Administration. He argues that the criminal penalties are distinct from the civil penalties, and were specifically written by Congress in such a way as to cover any violation of the statute.

He may or may not be correct, but he is certainly right that at HIPAA conferences and in articles written about HIPAA one almost always hears about the potential for "10 years in prison."

While that could still happen for covered entities and actors, employees should breathe a little easier now.

Monday, June 06, 2005

Citigroup, UPS Lose Information on 3.9 million consumers

Citigroup said Monday that personal information of 3.9 million of its consumers has been misplaced. Experts are calling this the single largest loss of personal information by any company yet.

The information, which was not encrypted, was stored on tapes and being sent to a credit bureau via UPS, which apparently has lost track of the package containing the tapes.

Both Citigroup and UPS have apologized for the loss of information.

There have been no reports of identity theft as a result of the breach, yet.

Citigroup has sent its customers a letter saying the lost tapes included Social Security numbers, names, account history and loan information.

Citigroup believes that the risk of identity theft is small for these consumers, who were applying for loans.

The company also stated that: "Beginning in July, this data will be sent electronically in encrypted form."

Better late than never.

Friday, June 03, 2005

North Carolina Security Freeze & Security Breach Law

A North Carolina bill which would require notification in the event of a security breach and allow for a security freeze has passed the State Senate and the State House.

The bill (House Bill 1248; Senate Bill 1048) would allow a "consumer or the consumer's attorney-in-fact" to place a security freeze on the consumer's credit report by making a request in writing to a consumer reporting agency. Consumers would not have to be victims of identity theft to request the freeze.

The bill would also require that "any business that maintains or otherwise possesses personal information of residents of North Carolina or any business that conducts business in North Carolina that maintains or otherwise possesses personal information of consumers in any form (whether computerized, paper, or otherwise) shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach."

"Security breach" is defined as "an incident of unauthorized access to and acquisition of records or data containing personal information where unauthorized or illegal use of the personal information has occurred or is reasonably likely to occur. Good faith acquisition of personal information by an employee or agent of the business for a legitimate purpose is not a security breach, provided that the personal information is not used for a purpose other than a lawful purpose of the business and is not subject to further unauthorized disclosure."

Thursday, June 02, 2005

Seventh Circuit: Creditors Do Not Have to Contact Individuals Under FCRA

The Seventh Circuit Court of Appeals has found that the FCRA does not require a creditor to contact an individual who disputes information which the creditor has reported to a credit reporting agency.

The court held that a credit union's failure to contact an individual, who disputed information it reported to a credit reporting agency, and who claimed he was a victim of identity theft, was reasonable under FCRA. This was the case even though the plaintiff had provided information evidencing identity theft to the credit reporting agency, Trans Union. Trans Union did, apparently, provide this information to the creditor.

The plaintiff alleged, under FCRA, that the defendant, a credit union, failed to conduct a reasonable investigation of fraudulent activity on a credit report. The plaintiff was appealing a ruling of summary judgment against him.

It is important to note that the court specifically stated that the efforts of the credit union were reasonable given the "scant information" provided to it by Trans Union.

While contacting the plaintiff "would have undoubtedly helped matters in this case," the court wrote, requiring creditors to contact every single individual who disputes a charge would be "terribly inefficient," and is not required by the FCRA.

See: Westra v. Credit Control of Pinellas, No. 04-3139 (7th Circuit, May 27, 2005)

FACT Act In Effect

Regulations relating to the FACT Act come into effect on Wednesday, June 1.

Given that reports of identity theft and loss of personal information by large companies appear to be increasing, the regulations seem timely and relatively unobjectionable.

All employers must actively destroy, in a way that makes it unreadable, before discarding, information about employees if that information was received from a credit reporting agency. Shredding is the preferred method, but not the only one. The rule also applies to computer hard drives and disks -- potentially a bigger risk than everyday trash.

Shredding should, of course, be a part of every business's routine operation, for its own security, if not its employees'.