Thursday, February 23, 2006

GLB Does Not Require Encryption

A judge in a trial level federal court ruled recently that Gramm-Leach-Bliley does not require encryption of personal information.

A company employee kept unencrypted customer information on a laptop that was stolen from his home. The plaintiff argued in a Minnesota federal court that GLB imposes an obligation to protect against unauthorized access to customers' personal information (the court agreed) and that this obligation included encryption.

The judge granted a motion to dismiss the lawsuit, stating that GLB does not impose a legal duty that "any nonpublic personal information stored on a laptop computer should be encrypted."

Thursday, February 09, 2006

Congress May Crack Down on Data Brokers

The U.S. Congress is continuing its investigation into data brokers, including those who access customer phone records, which became a politically hot topic recently.

Last week the Chair of the House Energy and Commerce Committee, Joe Barton, said at a hearing on data broker practices and "pretexting":

"I can only guess at the excuses that will be offered by people who profit by engaging in an obvious fraud, by invading personal privacy and by assisting criminal behavior."

The committee wants to know all methods used by the data brokers to acquire the information they sell and if any efforts are made to obtain consent from consumers before selling their confidential data.

In particular, the committee aims to find out if the data brokers' employees pose as telephone company customers in order to seek account information, a practice known as "pretexting."

The telephone carriers maintain their customer records are secure and that the data brokers are obtaining the data through pretexting. Current law contains criminal penalties for obtaining another person's financial records under false pretexts, but similar penalties do not exist specifically for telephone records.

The Energy and Commerce Committee sent letters to data brokers, including First Source Information Specialists and PDJ Services, wanting to know just how these companies get their information.

The letters suggest that the companies are getting the information illegally.

The letters read in part:

"It is very disconcerting that certain online data broker companies are
exploiting consumers' personal records and selling the information to
whomever pays for the records."

"With the exception of the legitimate activities of law enforcement
authorities, who in any event have legal means for acquiring such
information, we struggle to find any ethical justification for marketing
this data."

"In essence, within literally a matter of hours, someone who purchases such
information from a data broker Web site can gain unauthorized access to an
individual's daily calls and contacts, home and billing addresses, and other
valuable confidential information."

Thursday, February 02, 2006

FCC, FTC Urge Congress to Protect Phone Records

The Chairman of the Federal Communications Commission testified before Congress on Wednesday and urged legislators to pass a law to prevent the unauthorized sale or sharing of customers' phone records.

Chairman Kevin Martin told the House Energy and Commerce Committee "The disclosure of consumers' private calling records is a significant privacy invasion."

The issue has been in the news lately, especially since one blogger was able to purchase General Wesley Clark's phone records with ease.

The FCC wants laws forbidding the sale of customers' phone records and giving the FCC more power to regulate carriers and protect phone records.

The FCC is investigating a large number of companies for allegedly illegally purchasing a customer's phone records by "pretexting."

An official with the Federal Trade Commission also weighed in. Jon Leibowitz, an FTC Commissioner, said: "Congress can make the commercial sale of phone records illegal and carry liabilities, and secondly, (Congress) can seek to overturn the 10th Circuit Court ruling where customers need to 'opt out' to prevent the sharing of their information to third-party telephone affiliates or joint-venture partners."

The Chair, Rep. Joe Barton, said he would introduce a bill "very shortly."

"Not only does the leaking of these records assist scam artists in
perpetrating identity theft, but even more shadowy figures such as organized
crime, stalkers, abusive spouses, have co-opted this confidential
information to locate and target their victims."

Personal Information Distributed with Newspaper

Apparently issues of "The Boston Globe" and the "Worcester Telegram & Gazette" were distributed this past Sunday wrapped in paper containing personal financial information of 240,000 subscribers.

They were given out to 2,000 retailers and several hundred newspaper carriers, according to paper officials.

The information released included credit card numbers, bank account numbers, and even routing information for personal checks.

As companies like ChoicePoint and Bank of America have done, the newspaper's corporate parent will offer those whose information was released a year of credit monitoring.

Apparently the information was printed out by an employee, discarded, and then mistaken for recyclable paper and used to wrap the newspapers.

The event points to the need to educate employees about handling such information, and the problems that can come from access to computer databanks of personal information.