Friday, May 26, 2006

Hawaii Enacts Security Breach; Shredding; Credit Freeze Laws

On May 26 Hawaii enacted several laws relating to ID theft.

The state becames the latest to enact a security breach notification law.

Also enacted was a law requiring requires businesses to shred, or otherwise destroy, documents containing personal information before disposing it.

The state also enacted a law allowing victims of ID theft to place a freeze on access to their credit reports.

The laws take effect January 2007.

Illinois Credit Freeze Law

Illinois has enacted a law allowing all people, not just victims of ID theft, to freeze their credit reports.

The law, enacted on Wednesday, allows agencies to chage a $10 fee to add or remove a credit freeze, with some exceptions for the elderly and low-income consumers.

Veterans Affairs Secretary Testifies Before Congress

Veterans Affairs Secretary James Nicholson and the department's Inspector General testified about the security breach to a Congressional Committee yesterday.

Chief among his revelations, although perhaps the least surprising, was that the employee in question had been taking this kind of information home for at least three years.

This is just what I expected. It also suggests that, in spite of what the VA has said about their rules, he had de facto approval to work from home.

"He said that he routinely took such data home to work on it, and had been doing so since 2003," said the Inspector General, George Opfer.

The Inspector General said the employee's supervisors have all said that they did not know that the employee took all the information home with him.

But did they ask? Did they know what he was working on? Did they know he was working at home? How else did they think he was getting his work done? And if they had known, would they have done anything about it?

This is not an advocacy site. But the questions are important from a factual and legal perspective.

Mr. Nicholson said the employee who took the data home had broken no law "as near as I can tell," but said the employee had violated VA policies.

The Secretary did not find out about the loss of the data for almost 2 weeks. Senators said the delay was "baffling," "mind-boggling" and "just unbelieveable."

Senators said security was too lax at the VA. "How is it that VA's computer system permits one person to download the records of 26 million individuals and no one is alerted?" said Sen. Larry Craig, chairman of the Senate Committee on Veterans Affairs.

Nicholson defended himself from criticism and calls for his resignation, and said there is an "embedded cultural resistance" to change at the VA.

He even suggested Congress might want to consider enacting laws making it unlawful to take records with sensitive information home.

The VA is planning on notifying every affected person by mail. But the Inspector General pointed out "we don't have 26 million envelopes."

He said the the costs of buying, addressing and mailing the envelopes would probably be $10 million to $11 million.

He said costs to the Department could be as high as $500 million.

Wednesday, May 24, 2006

Congress to Hold Hearings on Veterans Agency Security Breach

Congress is planning on holding hearings on the loss of personal information on 26 million veterans. Two hearings, one in the House and one in the Senate, are scheduled for Thursday morning.

Senator Larry E. Craig (R-Idaho), chairman of the Veterans Affairs Committee, said he will would hold an emergency hearing Thursday and call on Secretary Jim Nicholson to testify.

The House Veterans Affairs Committee has scheduled a hearing for 9 a.m. Thursday.

"We just want to make sure sensitive material is handled somewhat similarly to top-secret data," said Jeff Schrade, spokesman for the U.S. Senate Committee on Veterans' Affairs.

In a written statement, the Veterans Affairs Inspector General, Jon Wooditch, has expressed his opinion that agency did not appear to do enough to prevent the loss of personal information.

The Inspector General has warned Veterans Affairs officials that security control was a "material weakness."

A spokesman for the Disabled American Veterans said "The VA, quite frankly, has fallen down on the job on this one."

Tuesday, May 23, 2006

Suit Filed Against AT&T for NSA Spying

Several individuals, including the famous author Studs Terkel, assisted by the ACLU, have filed a lawsuit against AT&T for giving giving customer phone records to the
National Security Agency without a court order.

The suit, filed in Federal court in Illinois, claims AT&T violated the federal Electronic Communications Privacy Act.

The plaintiffs want to include all Illinois customers of AT&T as plaintiffs in a class action.

Monday, May 22, 2006

Information on 26 Million Veterans Stolen

According to Reuters, "Personal data on about 26.5 million U.S. military veterans was stolen from the residence of a Department of Veterans Affairs data analyst who improperly took the material home, Veterans Affairs Secretary Jim Nicholson said Monday."

This sounds like another laptop was stolen from a home, although the story does not make that clear. More incidents like these may result in stricter measures regarding the use of laptops. Although this may also give businesses a chance to tell the government, "fix your own house."

Interestingly, Secretary Nicholson said the employee "took home a considerable amount of electronic data from the VA which he was not authorized to do. It was in violation of our rules and regulations and policies."

News reports say the information included names, Social Security numbers and dates of birth, but "there is no indication at this time" that identity theft has occurred as a result.

Most likely it will not, but out of 26 million people, some will surely be victims of identity theft soon enough, and who will be able to say what the cause will be?

Secretary Jim Nicholson said the FBI, local law enforcement authorities and the Veteran's Affairs Inspector General were all investigating what appears to be an ordinary burglary.

He also said: "The employee has been placed on administrative leave pending the outcome of the investigation. We have a full-scale investigation going on in this."

Wednesday, May 17, 2006

FTC Settles Safeguards Rule, Privacy Charges

The FTC has settled charges with a small real estate title company that it failed to provide reasonable and appropriate security to protect customer's personal information, in violation the FTC’s Safeguards Rule.

The complaint also alleged that the company's privacy policy claims were deceptive because of these failures, in violation of the FTC’s Privacy Rule and the FTC rules prohibiting unfair or deceptive practices.

The FTC alleged that the title company, NHC, based in Kansas City, promised consumers that it maintained "physical, electronic and procedural safeguards" to protect their confidential financial information, but discarded consumer home loan applications in an open dumpster.

According to the complaint, a hacker exploited these failures by using a common Web site attack to gain access to NHC’s computer network. In addition, a Kansas City television station found documents containing sensitive consumer information discarded in NHC’s and NTA’s unsecured dumpster.

Specifically, the FTC charges that they failed to:

* Assess risks to the information they collected and stored, both online and offline;

* Implement reasonable policies and procedures in key areas such as employee screening and training and the collection, handling, and disposal of personal information;

* Implement simple, low-cost, readily available defenses to common Web site attacks or implement reasonable measures to prevent hackers from gaining access to their computer network;

* Employ reasonable measures to detect and respond to unauthorized access to the data or to conduct security investigations; and

* Provide reasonable oversight for the handling of personal information by service providers, such as third parties employed to process the information and assist in real estate closings.

The Settlement

The settlement bars misrepresentations about the extent to which the company and its affiliates protect the privacy, confidentiality, or integrity of any personal information collected from or about consumers. It requires that they establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. The settlement also requires them to get an audit from a qualified, independent, third-party professional every two years for the next 20 years. The compnaies must also comply with standard bookkeeping and record-keeping provisions. The settlement also bars future violations of the Safeguards Rule and Privacy Rule, as well as the FTC’s Disposal Rule. The Disposal Rule, which took effect on June 1, 2005, requires companies to dispose of credit reports and information from credit reports in a safe and appropriate manner.

"Careless handling of consumers’ sensitive financial information is an open invitation to identity thieves. Enforcing the laws designed to protect consumers’ sensitive financial data is a priority at the FTC. This is the thirteenth case challenging faulty data security practices, and we will bring more cases if companies continue to fail consumers," said Deborah Platt Majoras, Chair of the FTC.

Tuesday, May 16, 2006

FCC Commissioner Calls for Probe of NSA

An FCC Commissioner says the FCC should investigate the NSA telephone spying program.

Michael J. Copps, an FCC Commissioner, and a Democrat, said that the program may violate the federal law.

"We need to be certain that the companies over which the FCC has public-interest oversight have not gone – or been asked to go – to a place where they should not be," he said.

Copps also said in a statement:

"There is no doubt that protecting the security of the American people is our government's No. 1 responsibility. But in a digital age where collecting, distributing and manipulating consumers' personal information is as easy as a click of a button, the privacy of our citizens must still matter."

In other news, BellSouth has denied providing phone records to the NSA.

Thursday, May 11, 2006

Bush Responds on NSA Spying

The newspaper USA Today has a story today about the NSA secretly collecting information about phone calls made by tens of millions of Americans.

USA Today reports that a number of telephone companies were asked by the NSA make available to them millions of phone records. AT&T, Verizon and BellSouth agreed.

The program can track numbers for all outgoing and incoming calls.

President Bush attempt to clairfy the issue, stating, "We are not mining or trolling through the personal lives of innocent Americans," and said Americans' privacy is being "fiercely protected."

The deputy White House press secretary, said "The intelligence activities undertaken by the United States government are lawful, necessary and required to protect Americans from terrorist attacks."

Businesses would not comment beyond assurances that they complying with the law.

"We have been in full compliance with the law and we are committed to our customers' privacy," said Bob Varettoni, a spokesman for Verizon.

Democratic Senator Patrick Leahy of Vermont, said Congress should investigate. "It is our government, it's not one party's government. It's America's government. Those entrusted with great power have a duty to answer to Americans what they are doing," he said.

Republican Senator Arlen Specter, the chairman of the Senate Judiciary Committee, appears to be angry, and said he would subpoena executives from telecommunications companies "to find out exactly what is going on."

Senator Richard Durbin, from Illinois, said American's privacy was being threatened.

"We need more. We need to take this seriously, more seriously than some other matters that might come before the committee because our privacy as American citizens is at stake," Durbin said.

Tuesday, May 09, 2006

Wells Fargo Security Breach

Wells Fargo has announced a possible security breach involving the personal information of an unknown number of customers.

The company is missing a computer containing information such as names, addresses, Social Security numbers and mortgage loan deposit numbers

They have notified their customers and will be giving the potentially affected individuals one year of credit monitoring, which is increasingly becoming the industry standard in such instances.

Friday, May 05, 2006

Arizona Enacts Security Breach Law

Arizona has enacted a security breach notficiation law.

The governor has signed Senate Bill 1338, which requires that:

"When a person that conducts business in this state and that owns or licenses unencrypted computerized data that includes personal information becomes aware of an incident of unauthorized acquisition and access to unencrypted or unredacted computerized data that includes an individual's personal information, the person shall conduct a reasonable investigation to promptly determine if there has been a breach of the security system."

If the investigation results in a determination that there has been a breach in the security system, the person shall notify the individuals affected. The notice shall be made in the most expedient manner possible and without unreasonable delay..."

This law is worded a little differently from other recently enacted security breach laws.

"Security Breach" means "an unauthorized acquisition of and access to unencrypted or unredacted computerized data that materially compromises the security or confidentiality of personal information... and that causes or is reasonably likely to cause substantial economic loss to an individual."

Tuesday, May 02, 2006

Colorado Enacts Security Breach Law

Colorado has enacted a security breach law. House Bill 1119 was signed into law on April 24.

The new law requires to businesses to conduct, in good faith, a reasonable and prompt investigation into a security breach, and unless it determines that misuse of the personal information has not occurred and is not reasonably likely to occur, it must to notify the individual in the most expedient time possible and without unreasonable delay.

Effective September 1, 2006.