Jail Time for Man Who Accessed Computer of a Competing Medical Practice

An Atlanta, Georgia man was sentenced earlier this month to one year and one month in prison for intentionally accessing a computer of a competing medical practice, and taking personal information of the patients.  The individual made this improper access in order to send marketing materials to patients at the other practice.

The individual worked as an information technology specialist for a perinatal medical practice in Atlanta.  He left that practice and joined a competing perinatal medical practice located in the same building.  He then used his home computer to hack into his former employer's patient database.  He downloaded the names, telephone numbers, and addresses of his former employer's patients and then deleted all the patient information from that system. He subsequently used the patient names and contact information to launch a direct-mail marketing campaign for the benefit of his new employer.  There was, however, no evidence that patient medical information was accessed or misused.


"Performing Due Diligence Before Signing a Cloud SLA"

My overview of some of the major issues involved in signing a cloud computing agreement can be found in searchcloudcomputing, "Performing Due Diligence Before Signing a Cloud SLA."

* * *

No one is certain of all the legal risks associated with enterprises storing confidential or proprietary information outside the corporate firewall -- in the cloud. However, there is growing consensus about what companies should ask cloud vendors to maintain a secure IT environment and avoid potential legal risks associated with the cloud. 

General areas of concern surrounding the cloud are similar to those of traditional IT:

  • Data security during transmission and storage;
  • Data privacy and confidentiality;
  • Rights of access in general as well as access for local governments and e-discovery;
  • Data ownership;
  • Suspension and termination of service;
  • Forming and negotiating service-level agreements (SLAs) with cloud providers.

"Once More Unto the Breach, Dear Friends, Once More": The Increasing Recognition of Complexity in Data Breach Response and Reporting

In an article in today's New York Times, we get some real-life insight into the difficulties in responding to a data breach.  Even simple questions, like whether or not to report the breach and who is responsible for reporting it, take on unforeseen complexity.

The particular breach in question happened at the Massachusetts eHealth Collaborative, when an employee's car was broken into and a company laptop stolen.  The ramifications included:

  • spending nearly $300,000 in legal, private investigation, credit monitoring and media consultancy fees;
  • devoting 600 person-hours of staff time to the breach;
  • hiring a crisis team of lawyers and customers and a chief security officer;
  • hiring a private investigator to scour local pawnshops and Craigslist for the stolen laptop; and
  • notifying some of the affected patients and offering them free credit monitoring.

The eHealth Collaborative's Executive Director, Micky Tripathi, first outlined the breach on his blog, where he also critiques the article.

Waiters at High-End Steakhouses Arrested for Stealing Customer Credit-Card Numbers

by Brian P. Bialas

At most restaurants, when the time comes to pay the check, you hand over your credit card and a waiter you’ve known for only about an hour takes off with your credit card. You trust that the waiter will only charge your meal and won’t make off with your card number.  But if you ever have been to a Legal Sea Foods restaurant, you will notice that the waiter brings a handheld electronic device to your table to swipe your credit card when you are ready to pay the bill. The credit card never leaves the customer’s sight.

The recent experiences of customers at certain high-end steakhouses show why all restaurants should consider adopting the table-side charge method.  Seven waiters at Smith & Wollensky’s, the Capital Grille, and other high-end restaurants were arrested along with many other co-conspirators, for copying the credit card numbers of restaurant customers with handheld, high-tech “skimmers” and then using those numbers to buy luxury goods that they resold. The waiters targeted credit cards with high or no spending limits so that big purchases would not be flagged. 

The Payment Card Industry Data Security Standard (PCI-DSS) quick reference guide for merchants does not provide any clear guidelines for card handling.  Nevertheless, this incident should serve as a wake-up call for all restaurants to adopt table-side systems to reduce the potential for misuse of customer credit cards.  It also serves as a reminder to anyone dealing with sensitive information to continually review handling procedures and processes and look for ways transmissions can be made more secure.

Consumer Response to Data Breach: Let's Sue!

Interesting findings in the Unisys Security Index for the United States regarding what Americans say they would do in the event that they learned of a security breach suffered by an organization with which they were dealing:

  • Change passwords on that organization’s website and other sites (87%)
  • Stop dealing with that organization entirely (76%)
  • Publicly expose the issue (65%)
  • Take legal action (53%)
  • Continue dealing with the organization but not online (31%) 

Thanks to Ted Julian of Co3 Systems for bringing this report to my attention.

"Securing profits: Venture capitalists betting online security will be big money-maker"

There is an interesting article in this week's Boston Business Journal on venture capital in the data security space: "Securing profits: Venture capitalists betting online security will be big money-maker."

Credit Card Replacement Costs and Identity Theft Insurance Are Compensable Damages for Data Breach

by Brian P. Bialas, Esq.

Late last week, the U.S. Court of Appeals for the First Circuit ruled that victims of a data breach could pursue compensation from the merchant whose systems were breached for their costs of credit card replacement and identity theft insurance, under theories of breach of implied contract and negligence. See Anderson v. Hannaford Brothers Co., --- F.3d ---, 2011 WL 5007175 (1st Cir. Oct. 20, 2011). 

As alleged by the plaintiffs in their class-action complaint, the Hannaford Brothers grocery store chain suffered a data breach resulting in 1800 fraudulent charges worldwide and hackers stealing up to 4.2 million credit and debit card numbers, expiration dates, and security codes of its customers. Id. at *1. Plaintiffs claimed they were victims of the breach and brought various claims against the chain, alleging they suffered losses including replacement card fees, fees for accounts overdrawn by fraudulent charges, fees for altering pre-authorized payment arrangements, loss of accumulated reward points, inability to earn reward points during the transition to a new card, emotional distress, and time and effort spent reversing unauthorized charges and protecting against further fraud. Id. at *2. The lower court rejected these claims and entered judgment for Hannaford. Id. at *3.   

On appeal, the First Circuit held that plaintiffs could proceed on two of their claims: breach of implied contract and negligence. Id. at *5, *13. In particular, “a jury could reasonably find an implied contract between Hannaford and its customers that Hannaford would not use the credit card data for other people’s purchases, would not sell the data to others, and would take reasonable measures to protect the information.” Id. Further, on the question of damages, the Court ruled that Maine law allowed recovery of nonphysical damages that were reasonably foreseeable, and incurred during a reasonable effort to mitigate, so long as the efforts constituted a legal injury, such as actual money lost, rather than time or effort expended. Id. at *8-*9. The Court concluded that it was foreseeable, “on these facts, that a customer, knowing that her credit or debit card data had been compromised and that thousands of fraudulent charges had resulted from the same security breach, would replace the card to mitigate against misuse of the card data.”  Id. *11. It also was deemed foreseeable “that a customer who had experienced unauthorized charges to her account . . . would reasonably purchase insurance to protect against the consequences of data misuse.” Id. 


Most Recent Sony Breach Illustrates the Cascading Effect of Data Breaches

By Michael V. Dowd

It was revealed recently that Sony’s on-line services were the subject of another significant attack. This incident, however, did not exploit a vulnerability in Sony’s security infrastructure so much as it highlighted the cascading effect of data breaches.

Rather than try to scale any fences or jimmy any windows, this attack used account holders’ own keys to open the front door. According to a statement by Sony, the attackers tested a “massive set” of log-in credentials, consisting of pairs of user IDs and passwords, against accounts on three of its networks. Even though the “overwhelming majority” of the log-in attempts failed, they successfully breached about 93,000 user accounts. This indicates that the attackers used stolen log-in credentials, and did not resort to brute force or dictionary attacks. 

How did the attackers obtain this trove of log-in information? Sony says it is "likely" they were stolen from elsewhere and not from its own networks, based on the low success rate. This may well be true, given the numerous incidents reported of late, some of which gave rise to our post referring to 2011 as The Year of the Breach.

If that scenario holds, it highlights the secondary effects of data breaches, and the relationship among user accounts on different on-line services. It has long been known that individuals often reuse the same username and/or password across multiple on-line services. As a result, if any one of those services suffers a breach that exposes its log-in information, corresponding accounts on the other services become open to the attackers. It is very much a “weakest link” situation.
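The low-success-rate pattern Sony describes is something any operator can look for in its own authentication logs. The following Python script is an added example, not part of this post and not code from Sony or any of its networks: it reads a constructed login log (made-up user names, RFC 5737 documentation addresses) and labels each source address as credential stuffing (many distinct accounts, roughly one attempt each, a small number of successes), brute force (many attempts concentrated on one or two accounts), or normal. The thresholds are assumptions chosen for illustration. It also lists the accounts that logged in successfully from a stuffing source, which are the accounts whose passwords were evidently reused elsewhere and should be reset first.

```python
"""Classify login sources in an authentication log: credential stuffing vs. brute force."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log, one attempt per line: <timestamp> <source_ip> <username> <OK|FAIL>
# Addresses come from the RFC 5737 documentation ranges; the user names are made up.
SAMPLE_LOG = """\
2011-10-11T02:00:01Z 203.0.113.7 alice FAIL
2011-10-11T02:00:01Z 203.0.113.7 bob FAIL
2011-10-11T02:00:02Z 203.0.113.7 carol FAIL
2011-10-11T02:00:02Z 203.0.113.7 dave OK
2011-10-11T02:00:03Z 203.0.113.7 erin FAIL
2011-10-11T02:00:03Z 203.0.113.7 frank FAIL
2011-10-11T02:00:04Z 203.0.113.7 grace FAIL
2011-10-11T02:00:04Z 203.0.113.7 heidi FAIL
2011-10-11T02:00:05Z 203.0.113.7 ivan FAIL
2011-10-11T02:00:05Z 203.0.113.7 judy FAIL
2011-10-11T02:00:06Z 203.0.113.7 mallory FAIL
2011-10-11T02:00:06Z 203.0.113.7 oscar FAIL
2011-10-11T02:10:00Z 198.51.100.9 carol FAIL
2011-10-11T02:10:01Z 198.51.100.9 carol FAIL
2011-10-11T02:10:02Z 198.51.100.9 carol FAIL
2011-10-11T02:10:03Z 198.51.100.9 carol FAIL
2011-10-11T02:10:04Z 198.51.100.9 carol FAIL
2011-10-11T02:10:05Z 198.51.100.9 carol FAIL
2011-10-11T02:10:06Z 198.51.100.9 carol FAIL
2011-10-11T02:10:07Z 198.51.100.9 carol FAIL
2011-10-11T02:30:00Z 192.0.2.5 alice FAIL
2011-10-11T02:30:05Z 192.0.2.5 alice OK
"""

# Thresholds are assumptions for illustration; tune them to the site's normal traffic.
MIN_ATTEMPTS = 8            # fewer attempts than this from one source is not worth labelling
STUFFING_USER_RATIO = 0.8   # nearly every attempt names a different account
BRUTE_FORCE_MAX_USERS = 2   # many attempts concentrated on one or two accounts


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)
    logged_in: list = field(default_factory=list)   # accounts that succeeded from this source


def parse_log(text):
    """Yield (source_ip, username, succeeded) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _timestamp, src, user, result = parts
        yield src, user, result == "OK"


def summarise(text):
    """Aggregate attempts, distinct accounts and successes per source address."""
    stats = defaultdict(SourceStats)
    for src, user, ok in parse_log(text):
        s = stats[src]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes += 1
            s.logged_in.append(user)
    return stats


def classify(s):
    """Label one source: stuffing spreads attempts across accounts, brute force concentrates them."""
    if s.attempts < MIN_ATTEMPTS:
        return "normal"
    if len(s.users) <= BRUTE_FORCE_MAX_USERS:
        return "brute_force"
    if len(s.users) / s.attempts >= STUFFING_USER_RATIO:
        return "credential_stuffing"
    return "suspicious"


def report(text):
    """Return {source_ip: (label, attempts, distinct_users, success_rate, accounts_logged_in)}."""
    out = {}
    for src, s in summarise(text).items():
        rate = round(s.successes / s.attempts, 3)
        out[src] = (classify(s), s.attempts, len(s.users), rate, sorted(s.logged_in))
    return out


def accounts_needing_reset(text):
    """Accounts that logged in from a stuffing source: their password was known to the attacker."""
    names = set()
    for label, _attempts, _users, _rate, logged_in in report(text).values():
        if label == "credential_stuffing":
            names.update(logged_in)
    return sorted(names)


if __name__ == "__main__":
    for src, row in report(SAMPLE_LOG).items():
        print(src, *row)
    print("force reset:", accounts_needing_reset(SAMPLE_LOG))
```

The distinguishing signal is the ratio of distinct accounts to attempts: a stuffing source names a new account on almost every line and succeeds only where the victim reused a password, whereas a brute-force source hammers one account. The successful logins from a stuffing source are the ones to act on, since those passwords are already in the attacker's list.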

This risk was also raised in the immediate aftermath of the data breaches at Sony this past Spring. The company initially reported the loss of unencrypted account passwords, which could have had the same cascading effect on its users’ other accounts. Sony later stated that the passwords were in fact hashed. As we described at the time, “hashing” differs from “encryption,” but storing passwords in a hashed form can be an effective way to keep an attacker from seeing or using the plain-text passwords of account holders. Password hashing is a known security technique that apparently was not in place at the “weak link” among the on-line services shared by those 93,000 users.
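To make the hashing point concrete, here is an added example, not Sony's code and not anything described in the post, of storing and checking passwords with a salted, iterated hash using only Python's standard library. The stored record holds a random per-user salt and the PBKDF2 digest, never the password itself, so two users with the same password get different records and a copy of the table does not hand an attacker a list of plain-text passwords to try at other services. The iteration count and the user table are constructed for illustration.

```python
"""Salted, iterated password storage with hashlib.pbkdf2_hmac (standard library only)."""
import hashlib
import hmac
import os

ALGORITHM = "sha256"
ITERATIONS = 200_000   # assumption for illustration; raise it as your hardware allows
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return a self-describing record: pbkdf2_<algo>$<iterations>$<salt hex>$<digest hex>.

    A fresh random salt for every user means two users who chose the same
    password end up with different records, so one cracked record says nothing
    about the other and precomputed digest tables do not apply.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, ITERATIONS)
    return "$".join(["pbkdf2_" + ALGORITHM, str(ITERATIONS), salt.hex(), digest.hex()])


def verify_password(password, record):
    """Recompute the digest with the salt and iteration count stored in the record.

    The comparison is constant-time so a wrong guess cannot be told apart from a
    nearly-right one by timing. Malformed records simply fail verification.
    """
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        algo = scheme.split("_", 1)[1]
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, int(iterations))
    except (ValueError, IndexError):
        return False
    return hmac.compare_digest(candidate, expected)


def plaintext_exposed(record, password):
    """True if simply reading the stored record would reveal the password itself."""
    return password in record


# Constructed user table (made-up names and password); both users chose the same password.
SHARED_PASSWORD = "correct horse battery staple"
USERS = {
    "alice": hash_password(SHARED_PASSWORD),
    "bob": hash_password(SHARED_PASSWORD),
}


def records_differ_for_same_password():
    """Per-user salts: identical passwords, different stored records."""
    return USERS["alice"] != USERS["bob"]


if __name__ == "__main__":
    for name, record in USERS.items():
        print(name, record)
    print("alice login ok:", verify_password(SHARED_PASSWORD, USERS["alice"]))
    print("wrong password ok:", verify_password("password123", USERS["alice"]))
    print("records differ:", records_differ_for_same_password())
```

Hashing is one-way: the site can confirm a password it is shown, but cannot recover the password from the record, which is exactly the property that limits the cascading damage when one service's table leaks. The record also carries its own iteration count, so the site can raise the work factor for new logins without breaking existing records.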

Upcoming Webinar: "Data Breaches & Compliance: Understanding The Law and How You Can Prepare"

Please join me and my friends at Co3 Systems for a free webinar,"Data Breaches & Compliance:  Understanding The Law and How You Can Prepare" to be held on Thursday, October 20, 2011 1:00 p.m. - 2:00 p.m. EDT. To add this webinar and the call-in information to your Outlook calendar, click here.  I will be presenting with Ted Julian of Co3; Ted brings a wealth of experience from working at Arbor Networks, Application Security, Inc. and @stake (which was acquired by Symantec), and he helped spearhead security practices with Forrester, IDC and Yankee Group.

Advanced Cyber Security Center Launched

As noted in MassHighTech, the Advanced Cyber Security Center was officially launched on September 20.  The program was opened by Massachusetts Governor Deval Patrick and featured a presentation from Attorney General Martha Coakley.  As described by MassHighTech:

Touted as a first of its kind collaborative effort that brings together stakeholders in cyber security from the government, industry and academia, the ACSC is also hosted at the five universities that make up the Massachusetts Green High Performance Computing Center – MIT, Harvard University, Boston University, Northeastern University and the University of Massachusetts.

The driving force behind the ACSC is Mass Insight Global Partnerships, and that organization’s president and founder William Guenther opened the event and acted as master of ceremonies during the day. But it was Gov. Deval Patrick who started the day off on a practical note, talking about jobs.

“The center represents an incredible employment opportunity for Massachusetts,” Gov. Patrick said. “I want you to see the opportunity.”

Foley Hoag is counsel to the ACSC and Foley Hoag partner Michele Whitham serves on its Strategic Advisory Board.  Conference materials and related security resources are available on the Foley Hoag website.

More Consumer Data Security and Privacy Legislation Introduced

The latest legislator to enter into the federal data security and privacy sweepstakes is Senator Richard Blumenthal (D-CT), who introduced legislation, S. 1535, on September 8.  This bill, if passed, would require companies dealing with consumers to strengthen their data security and privacy policies.  In particular, Senator Blumenthal's bill, "The Personal Data Protection and Breach Accountability Act," would require businesses that collect the personal information of over 10,000 customers to employ specific privacy and security measures, including risk assessment, regular testing of system controls, and paying for two years of credit monitoring for any customer whose data is breached. If adopted, this bill would permit the Justice Department to levy fines of $5,000 per violation per day, up to a total of $20 million per violation. The bill also includes federal data breach notification requirements.

Given the large number of such bills pending, the Senator's junior status, and the fact that his bill has no co-sponsors, it is unlikely that this particular bill will be adopted.  At present, at least 15 bills pending in Congress contain the phrase "data security":

  1. Data Security Act of 2011 (Introduced in Senate - IS)[S.1434.IS]
  2. e-KNOW Act (Introduced in Senate - IS)[S.1029.IS]
  3. BEST PRACTICES Act (Introduced in House - IH)[H.R.611.IH]
  4. To facilitate implementation of title VII of the Dodd-Frank Wall Street Reform and Consumer Protection Act, promote regulatory coordination, and avoid market disruption. (Reported in House - RH)[H.R.1573.RH]
  5. Personal Data Privacy and Security Act of 2011 (Introduced in Senate - IS)[S.1151.IS]
  6. To facilitate implementation of title VII of the Dodd-Frank Wall Street Reform and Consumer Protection Act, promote regulatory coordination, and avoid market disruption. (Introduced in House - IH)[H.R.1573.IH]
  7. Data Security and Breach Notification Act of 2011 (Introduced in Senate - IS)[S.1207.IS]
  8. SAFE Data Act (Introduced in House - IH)[H.R.2577.IH]
  9. U.S. Postal Service Improvements Act of 2011 (Introduced in Senate - IS)[S.353.IS]
  10. METRICS Act (Introduced in Senate - IS)[S.1464.IS]
  11. Data Accountability and Trust Act (DATA) of 2011 (Introduced in House - IH)[H.R.1841.IH]
  12. Reform the Postal Service for the 21st Century Act (Introduced in House - IH)[H.R.1262.IH]
  13. Data Accountability and Trust Act (Introduced in House - IH)[H.R.1707.IH]
  14. Protecting the Privacy of Social Security Numbers Act (Introduced in Senate - IS)[S.1199.IS]
  15. Postal Reform Act of 2011 (Introduced in House - IH)[H.R.2309.IH]

Given how many similar bills are pending, it seems likely that something like Sen. Blumenthal's bill will be adopted before this session of Congress is over.

"What Every In-House Counsel Needs to Know About Data Security and Privacy"

I just completed a webinar for the Association of Corporate Counsel, with Ed Palmieri of Facebook, discussing "What Every In-House Counsel Needs to Know About Data Security and Privacy."  The program slides can be found at this link.

Pulling Out Your Hair Over Wrongfully Disclosed Records?

A recent Massachusetts case shows that even prisoners have a right to privacy in their medical records. In this case, Alexander v. Clark, Suffolk Superior Court, Civil Action No. 0905456-H 28 Mass. L. Rptr. No. 14, 291 (May 30, 2011), the court sided with the claim of a prisoner that her health information had been wrongfully disclosed. In particular, the prisoner, Christine Alexander, sued several correction officials because those officials had sent documents regarding her “request for Propecia for hair loss” to another inmate without her permission.   

The court found that the inmate-patient had a claim under the Massachusetts Privacy Statute, Mass. Gen. L. ch. 214, § 1(b), and held that her claim was "arguably substantial and serious." This holding came even though "the release of information was not extensive and may have been done without malice." The Court also held that although the inmate-plaintiff had no claim for damages, the inmate-plaintiff could sue for injunctive relief (however, since the harm has already been done, and the hair lost, it is unclear just what that injunctive relief would be).

Curiously, given the nature of the claim, the inmate-plaintiff sued in her own name (not an alias) and the decision was apparently issued without any consideration of redacting her name, thereby compounding her original concern about her loss of privacy.

New Database Allows Review of Past History of Data Breaches

The Privacy Rights Clearinghouse has created an interesting tool, a "Chronology of Data Breaches."  It doesn't promise that it is comprehensive; what it does say is that it is a "useful indication of the types of breaches that occur, the categories of entities that experience breaches, and the size of such breaches."

HIPAA Breaches Reported to OCR Near 300

When we last looked at OCR's reporting on HIPAA breaches impacting 500 or more individuals, back in May 2011, there had been 265.  This was up from September 2010, when there had been 191 such breaches. As of today, there are 292 listed.  Given that the last reported date of breach on the OCR's list is May 8, there are surely over 300 breaches that have now been reported.

Another Big HIPAA Settlement: The UCLA Health System Settles for $865,000

In another sign that OCR is continuing to seek significant penalties for HIPAA violations, it announced on July 7 that the UCLA Health System ("UCLAHS") has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with those rules.  This follows on the heels of Massachusetts General Hospital's $1 million settlement with OCR.

The resolution agreement resolves two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLAHS. The complaints alleged that UCLAHS employees repeatedly and without legitimate reasons looked at the electronic protected health information of these patients. OCR's subsequent investigation into the complaints revealed that from 2005-2008, unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients.  

The corrective action plan requires UCLAHS to implement Privacy and Security policies and procedures approved by OCR, to conduct regular and robust trainings for all UCLAHS employees who use protected health information, to sanction offending employees, and to designate an independent monitor who will assess UCLAHS compliance with the plan over 3 years.  All in all, a very expensive proposition for UCLAHS.

Hackers Hit the Headlines

Interesting article in The Economist, focusing on hackers like Anonymous and Lulz Security.

Is Teamwork the Answer to Data Security?

Increasingly, alliances are viewed as an important way to improve data security.  The Washington Post reports that the National Security Agency is now working with Internet service providers to thwart cyberattacks against defense firms by foreign adversaries.  We have previously noted two other initiatives: the Advanced Cyber Security Center (to which Foley Hoag serves as legal counsel) and InfraGard, a Federal Bureau of Investigation program.  One of the oldest and best examples of successful collaboration is PCI, the credit card industry's security program.

2011: The Year of the Breach

We are six months into 2011, and it seems destined to be “The Year of the Breach.”  In just the past few months, major American (and multi-national) corporations and institutions have reported that they have been the victims of some kind of security breach:

  • Epsilon: breach of customer email addresses;
  • RSA: compromise of security tokens (possibly impacting Lockheed Martin);
  • Citigroup: breach of credit card numbers;
  • Sony: multiple thefts of customer data;
  • Sega: customer data theft; and
  • ADP: breach of its benefits-administration business.

What does this mean? First, there are simply more breaches to report. Second, companies are being more open about reporting breaches, both because they are legally required to and because such disclosures are expected by consumers and regulators. Third, these breaches and the resulting publicity will bring legal and corporate reactions. 

On a legal/regulatory level, we are even more likely to see federal data security legislation and stepped-up enforcement. On the corporate side, more and more resources are going to be poured into prevention of breaches. For corporate CIOs, it’s the best of times and the worst of times: they are getting access to more resources, but are facing more and different challenges.

Does Briar Group's Massachusetts Settlement Create a New Legal Standard That Businesses Must Meet to Protect Personal Information?

By Brian Bialas 

A recent settlement in a data breach case exemplifies how the government can go beyond a statutory scheme and use private industry standards to protect personal information and impose sanctions on violators. 

The Massachusetts AG filed suit against the Briar Group, the owner of a number of bars in the Boston area (including two of my personal favorites, the Harp and Ned Devine’s) in the wake of a 2009 data breach involving credit card numbers and other personal data. The AG’s complaint alleged, among other things, that the Briar Group violated Massachusetts’s Consumer Protection Statute by failing to comply with the Payment Card Industry Data Security Standards (PCI DSS), standards created by the Payment Card Industry Security Standards Council that apply to all organizations that collect payment card data. To settle this suit, the Briar Group entered into a consent judgment pursuant to which it would pay $110,000 in civil fines.

What is interesting about this settlement is that it requires the Briar Group to “maintain PCI DSS compliance,” over and above Massachusetts’ own strict legal requirements.  Does the AG’s action against the Briar Group signify that all merchants are legally required to comply with both state regulations and PCI DSS? It’s too early to tell. 


Consumer Class Action Filed Against Sony for Data Breach

On May 5, a consumer class action was filed against Sony, relating to the data breaches in its Sony PlayStation and related services.  The complaint alleges negligence, invasion of privacy and misappropriation of confidential financial information, as well as breach of express and implied contract.  No specific damages were alleged.

Sony Breach Update: The Scope Expands, While Consumers Wait for Answers About How and Why It Happened

By Michael V. Dowd

The scope of the Sony data breach is growing, but the public focus continues to be on Sony’s actions following the breach, rather than on steps to prevent or mitigate events like these in the first place. As we noted earlier, this focus emphasizes a de facto burden-shifting, in which consumers bear the risk of using on-line or other services, and also are left to face the consequences of any resulting identity theft.

Sony last week announced that 77 million PlayStation and Qriocity accounts had been accessed by hackers in mid-April. This week, Sony discovered that an additional 24.7 million Sony Online Entertainment (SOE) accounts were compromised during the same timeframe. In the SOE breach, Sony confirmed that the compromised information included the bank account, credit card and debit card numbers of thousands of non-U.S. account holders.

It is now up to account holders to deal with the consequences. Sony’s response to the SOE breach has been to engage a third-party email distributor to send a Customer Service Notification. The notice places the onus on account holders to look out for email and other scams, to obtain credit reports, to consider contacting U.S. credit bureaus in order to place a “fraud alert” on their credit file, and to contact various federal and state agencies for information about preventing identity theft. This repeats Sony’s previous advice to its PlayStation and Qriocity users.


EU Chimes in on Sony Data Breach

The EU's Justice Commissioner has chimed in on the Sony data breach, stating that Sony must "take the relevant technical and organizational measures to guarantee protection against data loss or an unjustified access."

Sony Mega-Breach Spotlights Data "Security" Myths

By Michele A. Whitham

Sony’s unenviable status as the victim of the record theft of 77,000,000 individuals’ personal information underscores a reality that the on-line business community would like its army of customers to forget: it’s not just that the so-called “hackers” can be very good at what they do, it’s that the appointed guardians of legally protected personal information are not necessarily awake at the switch. Two weeks after this “illegal and unauthorized” intrusion -- which took place sometime between April 17 and April 19 -- there is still no confirmation that Sony’s PlayStation and its related service, Qriocity, had adequate (or any) security. 

There have been numerous suggestions that the PlayStation’s basic encryption of protected personal information was weak or non-existent. What other explanation could there be for Sony blogging to its customers that it might be able to restore “some services within a week” than an apparent mad scramble at Sony to create a secure platform for its popular on-line gaming services, or at best fix a platform that was demonstrably flawed? 

Sony’s public silence on the matter is troubling, yet it underscores the peculiar burden-shifting regime that seems to be emerging by default. While the plethora of statutes regulating the protection of sensitive personal data require hacked companies like Sony promptly to notify their customers and provide such benefits as credit monitoring services, there has been little action by enforcement authorities to regulate companies before a breach, in a manner that would require implementation of sophisticated, upfront security for the protected personal information companies collect and thereby avoid preventable breaches. 


Big HIPAA Breaches Now Number 265

When we last looked at OCR's reporting on HIPAA breaches impacting 500 or more individuals, back in September 2010, there had been 191 such breaches. In the intervening 7 months, that number has jumped to 265 such breaches listed on OCR's website.  It's safe to expect these figures will continue to climb for the foreseeable future.

"Pressure Point: Online Privacy -- Privacy is Potentially a Costly Workplace Issue"

In the April 22, 2011 Boston Business Journal article, entitled, "Pressure Point: Online Privacy -- Privacy is Potentially a Costly Workplace Issue," I was interviewed regarding some of the recent developments in privacy and security law for employers: 

  • “Most of the time, data breaches don’t come down to a failure of technology or inadequate technology. It comes down to someone doing something stupid,” said Colin Zick, a partner in the Boston office of Foley Hoag. “In the Mass General case, an employee took some records on the Red Line and lost them.”
  • “When companies are bombarded with phishing emails, it’s akin to the notion of fighting off terrorism,” Zick says. “You only have to miss once to have a privacy breach. Education is important because the creativity of human beings often outpaces technology defenses.”

A subscription is required to access the entire article.

TripAdvisor Reports Data Breach

If you are like me, you may have received an email from TripAdvisor, alerting you that "an unauthorized third party had stolen part of TripAdvisor's member email list."  The text of that email was as follows: 

To our travel community:
This past weekend we discovered that an unauthorized third party had stolen part of TripAdvisor's member email list. We've confirmed the source of the vulnerability and shut it down. We're taking this incident very seriously and are actively pursuing the matter with law enforcement.
How will this affect you? In many cases, it won't. Only a portion of all member email addresses were taken, and all member passwords remain secure. You may receive some unsolicited emails (spam) as a result of this incident.
The reason we are going directly to you with this news is that we think it's the right thing to do. As a TripAdvisor member, I would want to know. Unfortunately, this sort of data theft is becoming more common across many industries, and we take it extremely seriously.
I'd also like to reassure you that TripAdvisor does not collect members' credit card or financial information, and we never sell or rent our member list.
We will continue to take all appropriate measures to keep your personal information secure at TripAdvisor. I sincerely apologize for this incident and appreciate your membership in our travel community.
Steve Kaufer
Co-founder and CEO

We all get these notices from time to time, but this one seems worth highlighting, for the forthright way in which it addresses the issue, without being alarmist, and answers all your questions without resorting to jargon.

Health Net Announces Second Major Breach in Two Years; Creates Potential for Largest Ever Penalty

On March 14, the California-based managed care organization, Health Net, Inc., announced that it cannot account for "several server drives" that contained protected health information. According to California regulators, these servers appear to contain the data of 1.9 million people nationwide:

The company announced today that nine of its server drives containing personal information for 1.9 million current and past enrollees nationwide are missing, including records for more than 622,000 enrollees in Health Net products regulated by the DMHC, more than 223,000 enrolled in California Department of Insurance products, and a number enrolled in Medicare. 

Since this is the second incident in two years for the company (see "Connecticut AG Opens New Era in HIPAA Enforcement with Health Net Suit"), it will be interesting to see what kind of penalty Health Net could face from the federal government.  In that regard, consider that the loss of 192 records just cost Massachusetts General Hospital $1 million.  If a penalty in the same proportion were applied to this breach, Health Net could face a penalty of over $9 billion.

What Is Inside Mass General's $1 Million HIPAA Settlement?

As we noted earlier this month, Massachusetts General Hospital recently entered into a $1 million Resolution Agreement  and Corrective Action Plan with the Department of Health and Human Services' Office of Civil Rights.  This settlement stemmed from an incident on March 9, 2009, when a MGH employee was commuting on the subway, "removed documents containing PHI from her bag and placed them on the seat beside her. The documents were not in an envelope and were bound with a rubber band. Upon exiting the train, the MGH employee left the documents on the subway train and they were never recovered. These documents contained the PHI of 192 individuals."  There was, however, no indication that any of the PHI was ever used in any way.

While the $1 million penalty is an attention-grabber, the elements of the Corrective Action Plan are also likely to be at least as costly and will be very burdensome.  They include:

  • three (3) years of reporting obligations from MGH to OCR;
  • adoption of new policies that OCR must review and approve;
  • training on these new policies that OCR must review and approve;
  • retention of a monitor who will conduct:
    • unannounced site inspections of MGH’s locations/departments/practices;
    • interviews with any members of the workforce who use PHI; 
    • interviews with any members of the workforce involved in implementing the safeguards required by the CAP;
    • inspection of a sample of laptops and USB flash drives that contain ePHI and are under the control of workforce members to ensure that such devices satisfy all applicable requirements of the Policies and Procedures; and
    • inspection of relevant documents and interviews with workforce members for the purpose of confirming consistent training, implementation, and enforcement of the Policies and Procedures among workforce members.
  • submission of semi-annual monitor reports;
  • self-reporting of any "significant violations" of the CAP;
  • submission of an implementation report after 120 days of the CAP; and
  • annual reports to the monitor, which will be passed on to OCR.

This is a pretty heavy burden to carry around for three years.  In fact, the CAP looks much more like a Corporate Integrity Agreement of the type entered into by a pharmaceutical manufacturer after a health care fraud settlement.  I suspect that is precisely the message that OCR wanted to send.

Compliance Approaches in the Changing HIT Privacy and Security Landscape: How You Can Nurture a Culture of Health Information Security and Privacy

My slides from this presentation, "Compliance Approaches in the Changing HIT Privacy and Security Landscape:  How You Can Nurture a Culture of Health Information Security and Privacy" cover HIPAA and HITECH developments and compliance, with a focus on breaches and OCR settlements/penalties, including:

FTC Publishes Copier Data Security Guide

As we noted back in May, digital copiers have caught the eye of government privacy enforcers.  If you have a digital copier at your business, you should review the FTC's Copier Data Security: A Guide for Businesses.  In that Guide, the FTC suggests that "your information security plans . . . should cover the digital copiers your company uses. If the data on your copiers gets into the wrong hands, it could lead to fraud and identity theft."

You Call That a Password? Passwords Used to Protect Personal Health Information in Clinical Trials Are Cracked More Than 90% of the Time

In a recent article in the Journal of Medical Internet Research, the strength of passwords in clinical trials was analyzed. In all cases that were examined, "the recovered passwords were poorly constructed, with names of local locations (e.g., “ottawa”), names of animals (e.g., “cobra”), car brands (e.g., “nissan”), and common number sequences (e.g., “123”)." 

This result comes as no real surprise.  These conclusions build on prior studies which have repeatedly shown that password strength is weak.  Strengthening passwords is perhaps the easiest and cheapest way to increase IT security, and yet it continues to receive short shrift.

The study also noted that "the files in [the] sample used the default weak encryption methods. Therefore, an adversary had two different ways to extract the PHI: by attacking the weak algorithm itself or by attacking the weak password."

The study's recommendations?  Fairly simple:  "use the built-in password protection capabilities available in tools for common file formats (such as WinZip and Microsoft Office) and then transmit the encrypted files" and "using PGP (Pretty Good Privacy) or S/MIME (Secure/Multipurpose Internet Mail Extensions)."

500 Is a Magic Number: Health Information Breaches Impacting 499 or Fewer Patients Likely Go Uninvestigated By OCR

In the recently-released fiscal 2012 budget for HHS, a dirty little secret has been acknowledged:  the Office of Civil Rights does not have the resources to review all reported breaches of health information.  In fact, if you have a breach that impacts up to 499 people, you are unlikely to hear from OCR at all:

Current OCR practice is to validate, post to the HHS website, and subsequently investigate all breach reports that impacted more than 500 individuals. Breach reports that impacted fewer than 500 individuals are compiled for future reporting to Congress; however they are treated as discretionary and only investigated if resources permit.

While this prioritization makes a certain amount of sense, it leaves the vast majority of breaches unreviewed.  According to that same budget report, "[a]s of September 30, 2010, OCR has received a total of 9,300 breach reports (191 impact more than 500 individuals and 9,109 impact less than 500 individuals)."  That's a mere 2% of all breaches that have OCR's full attention.  The takeaway from this is to count your breaches carefully before reporting, as there seems to be a real benefit to being able to report an impact on less than 500 individuals.

Apparent HIPAA Violations in Hospital Treating Tucson Shooting Victims

As so often happens following a hospital's involvement in a high profile event, the Tucson hospital treating the victims of the recent shooting is reported to have fired several staff, presumably for looking at patient records they should not have looked at:

Katie Riley, the Director of Media Relations in the Office of Public Affairs at the Arizona Health Sciences Center said in a statement:

"University Medical Center takes the privacy of all patients very seriously.  The hospital has terminated three clinical support staff members this week for inappropriately accessing confidential electronic medical records, in accordance with UMC's zero tolerance policy on patient privacy violations.

"A contracted nurse also was terminated by the nurse's employer.  We are not aware of any confidential patient information being released publicly.

"The families of all patients whose information was accessed have been notified. Any potential breaches of patient privacy by UMC staff will be investigated and appropriately addressed."

The lesson, of course, is that curious people are all around us and many of them are looking for data they have no right to see.  Our information systems have to be designed to guard against them.

If You Haven't Changed Your Password Since Our Last Blog Entry About Passwords, It's Time You Did

In January, we provided some helpful hints about passwords, in our entry:  Is Your Password Still "123456"? If So, It's Time for a Change.

It's been nearly a year, so it's time to change your password again.  In case you need some help, we liked the guidance provided by the public radio program, Marketplace, in a recent broadcast.  Ironically, these recommendations come from an expert whose company's password databases had just been hacked.  

If you want to test the strength of your password, the expert recommended sites like Lastpass or 1Password.

Website Privacy Policies - an extensive primer.....

This is a cross-posting of an interesting November 29 entry in Foley Hoag's Emerging Enterprise Center blog, by Patrick Connolly and Prithvi Tanwar:

If your start-up's website will collect user information.... and chances are it will, you need to start thinking about your website privacy policy. I have often spoken with founders who think that the website privacy policy is a "one size fits all, grab an example from a well known e-retailer or established company web-site that appears to have a similar business model, snip here, paste there and you're all set" deal. My wide-eyed stare of horror in reaction to this is mostly dismissed as symptomatic of the overly cautious view of life that seemingly plagues my profession. I have discussed this with a colleague, Patrick Connolly, and he had the great idea to write a primer on the issue of Privacy Policies for websites. Now let me warn you, Patrick's primer is not short and it isn't meant to be, because it highlights the issues that we step through and the risks and possible reprisals that we consider when we draft a privacy policy for a particular start-up. So without further ado, here's Patrick's well thought out "Primer on the Website Privacy Policies"; hopefully once you're done reading you'll agree that your privacy policy is not something to be taken lightly.

Continue Reading...

Gone Baby Gone: More Massachusetts Medical Records Go Missing

Following on the heels of the discovery of hospital records in a town garbage dump, today's Boston Globe reported that "computer files that possibly contained personal information on about 800,000 people connected to South Shore Hospital are 'unrecoverable.'"  However, the investigation into this breach determined that there was a low risk of harm to those individuals whose records were lost, given that the tapes in question "would require specialized equipment and software to read the information."

Interestingly, South Shore Hospital originally planned to give individual notice, but changed plans and went with the Boston Globe ad.  The Attorney General’s Office "has objected to South Shore Hospital’s revised notification plans and maintains that affected consumers should receive individual notification as originally represented by South Shore Hospital in its prior public announcements concerning the data loss."

The confluence of these events is building the pressure on state regulators to beef up existing laws and regulations about the disposal of health information -- even beyond what is already required by HIPAA and a robust set of state rules.  A particular focus of any future crackdown may be the vendors that perform much of the disposal.

TJX Settles Investor Lawsuit Related to Data Breach

According to a report in the Boston Globe, TJX has settled a lawsuit brought by the Louisiana Municipal Police Employees’ Retirement System, a TJX stockholder, which had alleged that the TJX board of directors failed to protect customers’ personal data, apparently in connection with the Albert Gonzalez breach.  Bloomberg News has reported the case was settled for $595,000 in legal fees and an agreement regarding enhanced oversight of customer files.  There is no reference to this suit in TJX's most recent Form 10-Q.

Ponemon Study Finds Average Cost of Data Breach Was $3.4 million in 2009

Last week, the Ponemon Institute and PGP Corporation released the results of their Global 2009 Annual Study on Cost of a Data Breach (.pdf) [available directly from EncryptionReports].  The highlights of the survey were announced in PGP's press release.  Ponemon surveyed companies in the U.S., UK, Germany, Australia and France and found that in 2009, the average cost of a data breach was $3.4 million.  That is $142 per customer affected by the breach. 

Unfortunately for U.S. businesses, the survey found that data security breaches in the U.S. were more expensive than in other countries, $204 per customer on average.  The survey found that the existence of breach notification laws, such as the 45 state notification laws adopted in the U.S., corresponds to substantially increased costs of data breaches.

The survey's other findings include:

  • The most expensive breach remediation cost one U.S. company $31 million, while the least expensive was $750,000.
  • 35% of all breaches involved outsourced data provided to third parties, while 36% of breaches were caused by hackers.
  • Businesses that have a Chief Information Security Officer (CISO) incurred reduced costs for data breaches, 21% less on average.


One Million Impacted by Blue Cross Blue Shield of Tennessee Data Breach: How Do You Remediate on that Scale?

Blue Cross Blue Shield of Tennessee announced last week that nearly 1 million of its members have been affected by the theft of hard drives containing unencrypted personal data.  BCBSTN had previously announced in January that 1.6 million files with unencrypted personal and protected health information of about 500,000 members in 32 states were breached in October 2009, due to a theft of 58 hard drives.

While the breach itself is significant for its size, the subsequent remediation efforts are also worthy of note.  As of April 2, a total of 998,422 current and former BCBSTN members have been identified and 550,873 notifications have been sent indicating that their personal information was included on the stolen hard drives.

BCBSTN has published a detailed analysis that explains how it has gone about remediating the breach.  The affected individuals have been broken into tiers. There are 238,589 members in the Tier 3 category – who had the most data on the stolen hard drives (their name, address, Blue Cross member ID number, diagnosis, Social Security number and/or date of birth).  Those in Tier 3 have been sent a notification detailing the services available to them through BCBSTN. They will receive free credit monitoring for one year, free identity monitoring and access to the Kroll ID TheftSmart program free for one year. 

Another 312,284 current and former members fell into the Tier 2 category (they had their name, address, Blue Cross member ID number, date of birth and/or diagnosis on the hard drives).  An additional 447,549 current and former members were placed in the "lowest" category – Tier 1 -- for having their name, address, Blue Cross member ID number and/or date of birth on the hard drives.  Those current and former members in Tiers 1 and 2 will receive access to the Kroll ID TheftSmart program free for one year.

Microsoft No Longer Seeking Removal of Cryptome or Leaked Compliance Handbook

Last week, lawyers from Microsoft issued a demand under the Digital Millennium Copyright Act (DMCA) seeking the removal of leaked copies of Microsoft's "Global Criminal Compliance Handbook"; the demand pulled the website Cryptome.org from the Internet, at least temporarily.  The DMCA provides copyright owners with the ability to request that internet service providers remove infringing materials from websites.  Microsoft's DMCA demand to Cryptome's service provider, Network Solutions, apparently resulted in removing Cryptome from the Web entirely, until Microsoft attorneys sent an email withdrawing the DMCA takedown demand.

Microsoft made this public statement:

Like all service providers, Microsoft must respond to lawful requests from law enforcement agencies to provide information related to criminal investigations. We take our responsibility to protect our customers' privacy very seriously, so have specific guidelines that we use when responding to law enforcement requests. In this case, we did not ask that this site be taken down, only that Microsoft copyrighted content be removed. We are requesting to have the site restored and are no longer seeking the document’s removal.

Cryptome advertises itself as a site that "welcomes documents for publication that are prohibited by governments worldwide."  The site also promises that "[d]ocuments are removed from this site only by order served directly by a US court having jurisdiction." 

The Microsoft Compliance Handbook, dated March 2008, is a guide for law enforcement officers seeking to investigate users of Microsoft services such as Hotmail email, IM, Windows Live and other services.  The Handbook outlines the data Microsoft keeps with respect to its users and provides law enforcement with instructions on what legal process is necessary for investigators to gain access to specific information.  In the Handbook, Microsoft offers to provide the following information to investigators in response to a subpoena:

Basic subscriber information includ[ing] name, address, length of service (start date), screen names, other email accounts, IP address/IP logs/Usage logs, billing information, content (other than e-mail, such as in Windows Live Spaces and MSN Groups) and e-mail content more than 180 days old . . . .

This provision contrasts with Microsoft's limits on access to other user data, such as recent email,  "e-mail address book, Messenger contact lists, . . . [and] internet usage logs."  According to the Handbook, Microsoft will release this data in response to a search warrant or court order which, unlike a subpoena, must be approved by a judge after the government presents sufficient evidence.

Posts at Cryptome, as well as CNet, Tom's Hardware and The Register, describe the Handbook variously as a "spy guide" and "wiretap guide."  Cooperation with government agencies has been a touchy subject for privacy advocates and service providers in the wake of alleged abuses by some that occurred after the 2001 terrorist attacks.  However, the heart of the controversy generally has been the disclosure of customer information without any legal process or court involvement.  In this case, Microsoft's Handbook merely identifies what data is available in response to formal legal process, such as subpoenas, warrants and court orders.


HHS Reports 35 Breaches Impacting 500 or More People

At the end of February, the HHS Office of Civil Rights (“OCR”) posted on its website a list of HIPAA “covered entities” that have reported breaches of unsecured health information affecting more than 500 individuals.  OCR’s posting showed 35 health data breaches that impacted over 700,000 individuals (with individual breaches ranging in size from 359,000 individuals, due to the theft of a laptop, to 501 individuals impacted by the theft of a portable USB device).

This posting by OCR was required by the August 2009 Interim Final Rule, which was issued pursuant to the HITECH Act.  In particular, § 164.408 of this breach notification interim final rule implements § 13402(e)(3) of the HITECH Act. The rule became effective September 23, 2009. 

Under this rule, breaches that affected 500 or more individuals must be reported to OCR within 60 days, via an OCR online notification form.  Training materials and related guidance on breach notification can be found on the OCR web site.  

Incident(s) of the Week: Recent Updates from Prior Incidents

1.  The FTC Fines Las Vegas Man $35,000 for Dumping Customer Financial Records In Public Dumpster

This week, the FTC finalized a $35,000 settlement with Gregory Navone, the real estate broker who left 40 boxes of customer tax returns, bank statements, consumer reports and other financial records in a public dumpster behind an office building in Las Vegas.  The defendant agreed to the fine, which amounts to $875 per box, as well as a stipulated order (.pdf) requiring him to adopt a comprehensive written information security program.  We first posted on this case a year ago, after the FTC filed its complaint (.pdf). 

In addition to the dumping of consumer financial information, the FTC alleged that Navone had failed to implement physical and electronic security procedures and/or take reasonable steps to secure the customer records he stored at home in his garage.  According to the FTC, these activities violated the FTC Act, the Federal Credit Reporting Act (FCRA) and Navone's own information security policy, which read:

We take our responsibility to protect the privacy and confidentiality of customer information very seriously.  We maintain physical, electronic, and procedural safeguards that comply with federal standards to store and secure information about you from unauthorized access, alteration and destruction.

(See Complaint (.pdf), Para. 9).  Everyone subject to document destruction laws may want to note this case and keep in mind that $35,000 is the fine imposed on an individual / small business.

2.  Fight Breaks Out Over Whether Hacker Responsible For Largest Data Breach In History Suffers From "Internet Addiction"

In December, Albert Gonzalez, aka "segvec," "soupnazi" and "j4guar17" pled guilty to charges that he masterminded the theft of over 100 million consumer credit card numbers and other financial information from Heartland Payment Systems, 7-Eleven and other companies.  We posted on his indictment last August and again on his curious role as government informant.  The public recently gained a new window on Gonzalez's soul from filings made by defense attorneys that portray the hacker as an "Internet addicted" youth compelled to commit cybercrime.  Collecting statements from Gonzalez's psychologist, family members and a former girlfriend, the defendant's sentencing memorandum (.pdf) provides an interesting point of view on the life of the hacker:

As a young boy, Gonzalez was an outwardly normal enough kid -- he had friends, engaged in activities, worked alongside his father, received good grades in school, and was part of a warm and loving family which continues to stand by him.  In middle school, things began to change, and by high school Gonzalez had become a different person -- a loner, without friends, who passed up normal teenage activities, including dating, to devote himself to his new-found and rapidly escalating obsession: computers.

*    *    *

Seeking to break Gonzalez of his computer habit, his mother periodically sought to deny him access to his computer or to at least curtail his usage, once putting it in his sister's room.  Rather than be deprived of access to his computer, Gonzalez would go to his sister's room in the middle of the night to use it.  Gonzalez's social contacts narrowed to computer chat rooms where he communicated with others with knowledge of computers and to meetings of other computer-savvy individuals, many of whom were hackers and from whom he learned much that he would, unfortunately, later convert to unlawful purposes.

*    *    *

[B]y [ ] early 2002 -- Gonzalez, age 21, had developed a serious drug and alcohol problem . . . which played a substantial role in the subsequent course of his life.  This is not to say that his substance abuse affected Gonzalez' [sic] ability to tell right from wrong.  It did not, and he knew when he turned to cyber-crime that it was wrong.  What it did do, however, was contribute to his inability to stop himself.  What developed over time was a destructive cycle of using drugs to permit him to stay awake and alert for long hours at the computer but also using them to try to get away from the computer . . . .

*    *    *

Computers . . . had become the center of his life, his raison-d'etre, if you will.  He and his computer in many ways became one: he thought in computer-speak instead of normal words, and, when his computer was infected by a virus, [he] referred to the event as if it were he, himself, who had gotten the virus.

Describing Gonzalez as unable to stop his urge to commit cybercrime, defense counsel has asked the Court to sentence him to 15 years in prison, the minimum sentence permitted.  Last week, federal prosecutors renewed their request to have a government psychologist examine Gonzalez to combat the defendant's claim that his "internet addiction" merits leniency within the 15 to 25 year sentencing range. 

Is Your Password Still "123456"? If So, It's Time for a Change

If you or your co-workers use any of the passwords listed below, you are asking to be hacked.  According to a report from the consulting firm Imperva, this list reflects an analysis of some 32 million passwords that an unknown hacker stole in December 2009 from RockYou, a company that makes software for users of social networking sites.  Somewhat shockingly, the password "123456" was used by nearly 1% of all RockYou users; the "top 20" RockYou passwords are reproduced below:   

1.  123456
2.  12345
3.  123456789
4.  Password
5.  iloveyou
6.  princess
7.  rockyou
8.  1234567
9.  12345678
10. abc123
11. Nicole
12. Daniel
13. babygirl
14. monkey
15. Jessica
16. Lovely
17. michael
18. Ashley
19. 654321
20. Qwerty

Hackers around the world now have this list of 32 million passwords and are using it to make brute force attacks on accounts and networks.  How can you defend yourself?  Change and toughen your passwords, lengthening them and adding a mix of letters and numbers.  If you are trying to defend your company's network, you need to adopt and enforce more rigorous password policies.  Tougher passwords will not make you or your networks hack-proof, but they will put you ahead of the thousands of people who still use "123456."
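As an added example (not part of the original post or of Imperva's report), here is a password policy check that rejects the classes of weakness shown in the RockYou list above and in the clinical-trial study earlier on this page: breached or dictionary words (including "Password1!" and leet-speak variants), digit sequences, keyboard walks, repeated characters, short length, and missing letter/digit mix. The breached-word set is a constructed subset taken from the two lists on this page; a real deployment would load a full breach corpus.

```python
"""Password policy checker built around the weakness classes seen on this page.

Added example, not the blog's or Imperva's code. The BREACHED set is a constructed
subset: the RockYou top 20 quoted above plus the example words from the JMIR study.
"""
import re
import string

BREACHED = {
    "123456", "12345", "123456789", "password", "iloveyou", "princess", "rockyou",
    "1234567", "12345678", "abc123", "nicole", "daniel", "babygirl", "monkey",
    "jessica", "lovely", "michael", "ashley", "654321", "qwerty",
    "ottawa", "cobra", "nissan",  # local place, animal, car brand (JMIR study)
}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 12      # policy choice for this example
RUN_LENGTH = 5       # window size for sequence / keyboard-walk / repeat detection

# Common leet substitutions undone before the dictionary lookup ("P@ssw0rd" -> "password").
_LEET = str.maketrans("0134$@!", "oleasai")


def _windows(s: str, n: int):
    """Yield every substring of length n."""
    return (s[i:i + n] for i in range(len(s) - n + 1))


def _is_sequence(w: str) -> bool:
    """True for strictly ascending or descending code-point runs: 12345, 54321, abcde."""
    diffs = {ord(b) - ord(a) for a, b in zip(w, w[1:])}
    return diffs == {1} or diffs == {-1}


def _is_keyboard_walk(w: str) -> bool:
    """True if w (or its reverse) lies contiguously on one QWERTY row: qwert, ghjkl."""
    return any(w in row or w[::-1] in row for row in KEYBOARD_ROWS)


def check_password(pw: str) -> list:
    """Return a list of findings; an empty list means the password passes the policy."""
    findings = []
    core = pw.lower()
    # Strip trailing digits/punctuation so "Password1!" is compared as "password".
    stem = re.sub(r"[\d\W_]+$", "", core)

    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")

    has_letter = any(c in string.ascii_letters for c in pw)
    has_digit = any(c in string.digits for c in pw)
    if not (has_letter and has_digit):
        findings.append("no mix of letters and digits")

    candidates = {core, stem, core.translate(_LEET), stem.translate(_LEET)}
    if candidates & BREACHED:
        findings.append("appears in a breached-password list")

    if any(_is_sequence(w) for w in _windows(core, RUN_LENGTH)):
        findings.append("contains a sequential run (e.g. 12345 or 54321)")
    if any(_is_keyboard_walk(w) for w in _windows(core, RUN_LENGTH)):
        findings.append("contains a keyboard walk (e.g. qwert)")
    if any(len(set(w)) == 1 for w in _windows(core, RUN_LENGTH)):
        findings.append("contains a repeated-character run")
    return findings


if __name__ == "__main__":
    for candidate in ("123456", "Qwerty", "P@ssw0rd2024", "correct-horse-battery-42"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```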

Connecticut AG Opens New Era in HIPAA Enforcement with Health Net Suit

In the first instance of a state attorney general exercising the new powers granted by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), Connecticut Attorney General Richard Blumenthal (and recently announced candidate for the U.S. Senate) filed suit today against Health Net of Connecticut, Inc. for failing to secure private patient medical records and financial information involving 446,000 enrollees in Connecticut and for failing to promptly notify consumers of the security breach.  AG Blumenthal is also seeking a court order to require Health Net to encrypt any protected health information (“PHI”) contained on a portable electronic device.

The AG’s suit stems from events that occurred in May 2009, when he alleges Health Net learned that a portable computer disk drive disappeared from a company office. The disk contained protected health information, Social Security numbers, and bank account numbers for approximately 446,000 of its past and present Connecticut enrollees.  AG Blumenthal further alleges that Health Net failed to promptly notify his office or other Connecticut authorities of this missing information. The missing information is said to include 27.7 million scanned pages of over 120 different types of documents, including insurance claim forms, membership forms, appeals and grievances, correspondence and medical records.  

According to an investigative report by Kroll Inc., a computer forensic consulting firm hired by Health Net, the data was not encrypted or otherwise protected from access and viewing by unauthorized persons or third parties, but rather was viewable through the use of commonly available software. The Connecticut Attorney General alleges that it was not until six months after Health Net discovered the breach that it posted a notice on its website, and then sent letters to consumers on a rolling mailing basis beginning on November 30, 2009.

HIPAA Breach Notification Made Simple -- Just Fill in the Blanks

The Department of Health and Human Services’ Office of Civil Rights (“OCR”) has tried to make a HIPAA security breach easy to report, with its newly-released online “Notice to the Secretary of HHS of Breach of Unsecured Protected Health Information.” 

The online form is straightforward, featuring pull-down options tied to the new HITECH rules:  it will let you report whether your breach is for more than 500 individuals (or fewer than that), the type and location of the breach, etc.  OCR estimates the form will take 15-30 minutes to complete. 

Interestingly, the form does not require a statement on penalty of perjury from the submitting party, only a statement that "I attest, to the best of my knowledge, that the above information is accurate."  This could be seen to be an attempt to encourage reporting, by not saddling breach reporters with potential liability for making false statements to the government.  However, it would also seem to encourage anonymous reporting, via the use of an alias.

Congressional Aide Shares Secret Ethics List With The World

Last week, it was learned that a secret report of the U.S. House of Representatives Ethics Committee was disclosed -- apparently inadvertently -- by a junior committee staff member.  This staff apparently stored the file on a home computer that also ran a "peer-to-peer" file-sharing service.  Just as peer-to-peer services let you share music and games, they also can give outside users access to other files on your computer, including in this case secret Congressional reports.  The 22-page "Committee on Standards Weekly Summary Report" contained summaries of ethics investigations of dozens of House members and some of their staff.

Although "peer-to-peer" services have caused breaches of sensitive financial, defense-related and personal data from government sites in the past, it seems like the federal government has not learned its lesson (even as it tries to impose the Red Flags rules and the HITECH Act on the private sector).

Incident of the Week: ChoicePoint Settles FTC Charges That It Failed To Turn On "Key Monitoring Tool"

This week, ChoicePoint, Inc. finalized its settlement with the Federal Trade Commission (FTC) to resolve charges stemming from a 2008 breach that compromised the personal information of 13,750 consumers.  According to the FTC, the breach occurred because ChoicePoint implemented a security tool designed to detect unauthorized access to its databases, but "failed to detect that the security tool was off" for a period of four months.  Apparently, during this outage, "an unknown person conducted unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers."  The unauthorized access apparently occurred between August 8, 2008 and September 8, 2008.  According to ChoicePoint, the incident occurred because "a former ChoicePoint government customer failed to properly safeguard one of its user IDs."  (See ChoicePoint's news release.) ChoicePoint voluntarily approached the FTC when it discovered the breach.

ChoicePoint, which suffered a more significant breach in 2005, was already subject to a 2006 order requiring that the company implement a comprehensive information security program.  (See the FTC's materials on the prior breach.)  The FTC and ChoicePoint dispute whether the current breach was the result of failing to meet its security obligations under the 2006 order.  The supplemental stipulated judgment entered this week (.pdf) provides that ChoicePoint will pay $275,000 into a fund to redress potential harm to consumers and submit to biennial security assessments.

This case is notable, even though the size of the breach and the monetary payment involved are relatively modest, because the underlying breach allegedly resulted from the ineffective implementation of security tools. In practice, many companies react to information security regulations by purchasing a suite of security products. But are these tools being utilized effectively? At least according to the FTC, companies may face sanctions if their adopted security measures are not turned on and managed appropriately.
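The control that was missing here is a check that the security tool itself is still running. As an added example (not ChoicePoint's or the FTC's code; the tool name, log format and sample log are constructed), the following parses a monitoring tool's heartbeat log and reports any silence longer than a tolerance, including an outage that is still open at the time of the check.

```python
"""Detect silent outages of a security control from its heartbeat log.

Added example; the tool name "access-monitor", the log format and SAMPLE_LOG are
constructed for illustration. Assumes the tool writes a heartbeat line on a fixed
interval (hourly here) whenever it is running.
"""
from datetime import datetime, timedelta

HEARTBEAT_TAG = "access-monitor heartbeat"
TS_FORMAT = "%Y-%m-%dT%H:%M:%S"

# Constructed sample: hourly heartbeats that stop on Aug 8 and resume on Sep 8,
# with an unrelated audit line mixed in to show that other records are ignored.
SAMPLE_LOG = "\n".join(
    [f"2008-08-07T{h:02d}:00:00 access-monitor heartbeat ok" for h in range(20, 24)]
    + [
        "2008-08-08T00:00:00 access-monitor heartbeat ok",
        "2008-08-08T00:05:12 db-audit login user=svc-reporting",
        "2008-09-08T00:00:00 access-monitor heartbeat ok",
        "2008-09-08T01:00:00 access-monitor heartbeat ok",
    ]
)


def parse_heartbeats(log_text: str) -> list:
    """Return the sorted timestamps of heartbeat lines; every other line is ignored."""
    beats = []
    for line in log_text.splitlines():
        ts, _, message = line.partition(" ")
        if message.startswith(HEARTBEAT_TAG):
            beats.append(datetime.strptime(ts, TS_FORMAT))
    return sorted(beats)


def find_outages(log_text: str, expected=timedelta(hours=1), tolerance=2, now=None) -> list:
    """Return one dict per outage with keys start, end and duration.

    A gap counts as an outage when more than tolerance * expected elapses between
    consecutive heartbeats. If `now` is given and the last heartbeat is older than
    the limit, an open outage (end=None) is reported: the tool is off right now.
    A log with no heartbeats at all is itself a failure, so it raises.
    """
    beats = parse_heartbeats(log_text)
    if not beats:
        raise ValueError("no heartbeats found: the control has never reported")
    limit = expected * tolerance
    outages = []
    for prev, cur in zip(beats, beats[1:]):
        if cur - prev > limit:
            outages.append({"start": prev, "end": cur, "duration": cur - prev})
    if now is not None and now - beats[-1] > limit:
        outages.append({"start": beats[-1], "end": None, "duration": now - beats[-1]})
    return outages


if __name__ == "__main__":
    for o in find_outages(SAMPLE_LOG, now=datetime(2008, 9, 8, 5, 0, 0)):
        end = o["end"].isoformat() if o["end"] else "still silent"
        print(f"ALERT: no heartbeat from {o['start'].isoformat()} to {end} ({o['duration']})")
```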

Links:


Incident of the Week: Ever-Growing Breach Involving Passwords for Hotmail, Gmail, Yahoo, AOL, Earthlink and Comcast

What started out as an incident involving the leak of 10,000 user names and passwords for Windows Live Hotmail accounts continues to grow, both in terms of users and companies affected.  According to reports from the beginning of the week, more than 10,000 user names and passwords from Hotmail were posted by an anonymous user on the site pastebin.com.  The list was limited to accounts starting in A and B, leaving the fear that numerous more accounts had been affected.  The original reports speculated that the breach was the result of a hack of Hotmail or a phishing attack.  But more information is surfacing that indicates that the breach is much larger than many first thought.

Subsequent reports have revealed that as many as 20,000 accounts have been compromised across numerous email providers, including Yahoo, AOL, Comcast, Earthlink and others, and that .  These reports noted that the affected companies believed that the breaches occurred because of phishing attacks (although one researcher, Mary Landesman, who works for ScanSafe, has said that "it's more likely that the massive lists . . . were harvested by botnets that infected PCs with keylogging or data stealing Trojan horses").

As more details emerge, it seems that more questions remain to be answered.  Exactly how many passwords have been compromised, and from how many companies?  Was the breach due to a single massive phishing attack, multiple smaller phishing attacks, or some type of malware?  Why were lists of affected users posted online?  Whatever the answers, it might be a good idea to take a few minutes to change your email passwords from a computer that has been swept for viruses and malware.

Incident(s) of the Week: Double Feature

Incident 1: UNC Data Breach Exposes Information On Over 100,000 Women Listed In Mammogram Registry

The University of North Carolina at Chapel Hill recently disclosed a data breach that exposed information on 160,000 women, including the Social Security Numbers of 114,000.  Original reports estimated that more than 200,000 women were affected.  The source of the breach was a computer intrusion into a server housing the Carolina Mammography Registry, which is "a 14-year-old project that compiles and analyzes mammography data submitted by radiologists across North Carolina."

Evidently, the breach was discovered in July, but it may have occurred over two years ago.  According to Matt Mauro, chairman of the UNC Department of Radiology, traces of computer viruses dating back to 2007 were found on the UNC server.  The school delayed in notifying those affected while it conducted a forensic investigation to determine exactly who was affected.  To this point, however, the school still does not know who committed the breach, where the attack originated, how the server (which had all required security measures) was breached, or whether any data was actually downloaded.

Incident 2: Massachusetts Inmate Pleads Guilty to Charges that He Hacked Prison Computer While Incarcerated, Accessed Personal Information On 1,100 Correctional Officers

On September 14, 2009, Francis G. Janosko pled guilty to charges that he hacked a legal research computer provided to inmates in the Plymouth County Correctional Facility.  A highly restricted computer terminal was provided to inmates for the sole purpose of allowing them access to legal research resources.  Janosko apparently circumvented security measures restricting the computer to legal research tools and obtained access to the administrator's username and password, the prison's internal network, and a report listing the names, birthdays, Social Security Numbers and contact information for 1,100 current and former prison personnel.  He also used the computer to send email and download publicly available photographs and videos.

A grand jury in Boston indicted Janosko for these activities about a year ago in a sealed indictment (.pdf).  In the plea agreement (.pdf) recently reached with the U.S. Attorney's Office in Boston, federal prosecutors have agreed to dismiss the original charge of aggravated identity theft in exchange for Janosko's guilty plea to charges under the Computer Fraud and Abuse Act.  Janosko has agreed to accept an additional incarceration of 18 months for the hack.  Sentencing in the case is scheduled for December 15th.

California Hospital Fined $187,500 For Octuplet Mom Breach

As we reported on April 2, a California hospital breached the privacy of the infamous "OctoMom," Nadya Suleman.  When the breach was discovered, Kaiser Permanente’s hospital in Bellflower, California fired 15 employees.  These violations also were reported by Kaiser to the California Department of Public Health, which has announced a $187,500 administrative penalty against Kaiser.  CDPH has determined that the hospital "failed to prevent unauthorized access to patients’ medical information, as required by Section 1280.15 of the Health and Safety Code. The hospital compromised the privacy of four patients when eight employees improperly accessed records." 

The penalty amount of $187,500 represents "$100,000 for the first breach of four individual’s medical record and $87,500 for five additional breaches of those medical records after the first."  In addition to the penalty, the Kaiser facility is required to submit a plan of correction to CDPH within 10 working days and implement a plan of correction to prevent future incidents.

Garbage Dump in Ghana A Gold Mine For Sensitive Information

In June, a team of researchers investigating the disposal of electronics in Ghana for the PBS series Frontline discovered that computers dumped in Ghana still contained highly sensitive data from their prior owners.  The researchers procured seven hard drives from the dump in Ghana, and they contained credit card numbers and resumes.  The highlight of the investigation was when they discovered unencrypted information from government contractor Northrop Grumman.  That hard drive was obtained by Frontline for $40.

Northrop Grumman said in a statement to IT World, that it believes the hard drive was stolen from an unidentified contractor hired to dispose of the computer, though that does not appear to explain how the hard drive ended up in a dump in Ghana with its information intact.  Apparently, sources in Ghana indicated to the Frontline team that "data thieves" routinely search through disposed electronics for valuable information.

The moral of this story is that electronic media, even hard drives that have been wiped of sensitive data, may retain residual information.  When disposing of them, care should be taken to ensure that information is no longer recoverable.  Some suggest physically destroying hard drives containing sensitive information before disposing of them.  The FTC provides a more detailed list of disposal recommendations at their OnGuardOnline website.
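One way to check that a "wiped" drive really is clean before it leaves your custody is to scan the raw image for exactly the kind of residue the Frontline team found (card numbers, contact data). The script below is an added example, not code from the article or from Frontline; the disk image and the test card number it scans are constructed, and a real run would read a block-device image instead.

```python
"""Added example (not from the article): scan a raw disk image for residual
sensitive data after a supposed wipe.  The sample image is constructed in
memory; in practice pass the bytes of a block-device image to scan_image()."""
import re
from typing import Dict, List

# Card-number-like digit runs: 13 to 19 digits, optional space/dash separators.
# Constructed detector set; a production scanner would add SSN, phone, etc.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
BLOCK = 4096  # scan granularity in bytes


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters most random digit runs out of the PAN matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_image(image: bytes) -> Dict[str, object]:
    """Count blank vs. non-blank blocks and list recoverable PAN / e-mail hits.
    A block counts as blank only if it is all 0x00 or all 0xFF, the patterns a
    proper overwrite leaves; anything else means the wipe did not cover it."""
    blank = nonblank = 0
    pans: List[str] = []
    emails: List[str] = []
    for off in range(0, len(image), BLOCK):
        chunk = image[off:off + BLOCK]
        if chunk == b"\x00" * len(chunk) or chunk == b"\xff" * len(chunk):
            blank += 1
            continue
        nonblank += 1
        for m in PAN_RE.finditer(chunk):
            digits = re.sub(rb"[ -]", b"", m.group()).decode()
            if luhn_ok(digits):
                pans.append(digits)
        emails.extend(m.group().decode() for m in EMAIL_RE.finditer(chunk))
    return {
        "blank_blocks": blank,
        "nonblank_blocks": nonblank,
        "pan_hits": pans,
        "email_hits": emails,
        # Any surviving non-blank block means data may still be recoverable.
        "safe_to_dispose": nonblank == 0,
    }


def build_sample_image() -> bytes:
    """Constructed 'wiped' image: eight zeroed blocks, except one that still
    holds a resume fragment and a public test card number (not a real card)."""
    leftover = (b"Jane Doe - Resume\njane.doe@example.com\n"
                b"Card on file: 4111 1111 1111 1111\n")
    img = bytearray(BLOCK * 8)
    img[BLOCK * 5:BLOCK * 5 + len(leftover)] = leftover
    return bytes(img)


if __name__ == "__main__":
    print(scan_image(build_sample_image()))
```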

AMA Adopts Principles on EMR Breach

In what it describes as an effort "[t]o protect the privacy and security of patients," the American Medical Association (AMA) last week adopted a lengthy report and related principles for physicians to follow in the event a patient's electronic medical record were to be breached.  The new AMA guidelines ask physicians to:

  1. ensure patients are properly informed of the breach and the potential for harm;
  2. follow ethically appropriate procedures for disclosure, including:
    a) confidential disclosure of the breach in a timely manner; and
    b) describing what information was subject to the breach, how the breach happened, corrective actions that have been taken, and steps the patient can take to further minimize adverse consequences;
  3. support responses to security breaches that place the interests of patients above those of physician, medical practice or institution; and 
  4. to the extent possible, provide information to patients to enable them to diminish potential adverse consequences of the breach of personal health information.

The report itself states that the "suggestions are not intended to be comprehensive" and it's right -- these general rules raise more questions than they answer:

i) do these suggestions conflict with federal or state law?
ii) might disclosure to a mentally fragile patient not be in the patient's best interest?
iii) how is a physician to know the "potential for harm"?

In particular, that third element -- placing the interests of patients above those of physicians, their practice or hospital -- is going to make this difficult for physicians in the real world to adopt.  What about when the interests are not clear, or the interests of patients conflict?  No answers to these questions are provided by the AMA.

It's not clear why the AMA felt compelled to jump into the EMR fray, given that there's no lack of state or federal regulation or attention at this point.  It's even less clear whether physicians will pay any attention or be able to make sense out of these suggestions.

Update on Hackers Ransom Demand for Virginia Prescription Database

Last month, an unusual ransom demand was made on the Commonwealth of Virginia.  See Encryption Used By Hackers to Demand Ransom for Virginia Prescription Database, May 5, 2009.  In a posting late last week, the Virginia Department of Health Professions announced that it had sent a letter to affected individuals ("persons whose PMP records contained a nine-digit number that could be a social security number").  If you are crafting such a notice for your own use, this letter is of particular note.  While it isn't a universally-approved model, it would seem like a pretty good initial response to a claim of inadequate notice that you used the same form that the Commonwealth of Virginia used.

Interview with M. Eric Johnson, Part 3

In this, the third and final part of Security, Privacy and the Law’s interview with M. Eric Johnson (Part 1 may be found here and Part 2 is here), Dr. Johnson talks about why the fragmented nature of the American healthcare system is so dangerous and why he believes greater consolidation would better protect private information. He also talks about the specific problems associated with data security on peer-to-peer file sharing networks.

Continue Reading...

Interview with M. Eric Johnson, Part 2

In this, the second part of Privacy, Security and the Law’s three part interview with M. Eric Johnson (begun here), Dr. Johnson talks about why he thinks the healthcare sector is uniquely vulnerable to security breaches and what special problems that vulnerability poses.

Continue Reading...

Interview with M. Eric Johnson, author of "Data Hemorrhages in the Health-Care Sector"

I recently had the chance to sit down with M. Eric Johnson, Director of Tuck’s Glassmeyer/McNamee Center for Digital Strategies and Professor of Operations Management at the Tuck School of Business, Dartmouth College, to talk about his recent paper “Data Hemorrhages in the Health-Care Sector” (.pdf).   The results of Dr. Johnson’s study were startling.  For instance, his finding that a great deal of personal patient information is openly available on Peer-to-Peer (P2P) file sharing networks resulted in a great deal of media attention from publications dealing with privacy like SC Magazine, technology publications like Wired, and general interest publications like USA Today.  We are thrilled that Dr. Johnson agreed to do a full interview with Security, Privacy, and The Law.

Because the interview is long and covers a number of important topics of interest, we will post the interview in three parts.  The first installment of the interview follows below.  In this part of the interview, Dr. Johnson discusses how he came to be interested in information security, how he conducted his research, and his findings about just how much personal health information is available on P2P networks.

Continue Reading...

Big Bump in Federal Cybersecurity Spending?

The Wall Street Journal reported on Wednesday, March 18, 2009 that, worried about the dangers of attacks launched against the nation's computer systems, the federal government is likely to spend between $15 and $30 billion on cybersecurity in the next five years.  The intelligence experts interviewed by the Journal estimate U.S. losses from data breaches to be in the billions of dollars annually and warn that future attacks could cause physical harm or serious financial chaos.

While future spending levels will not be set until after the White House's 60-day review of the nation's information infrastructure is completed, the potential move has sent major defense contractors and consulting groups scrambling to capture a share of the potential spending.  The Journal reports that defense contractors are adding, growing, and consolidating their cybersecurity capabilities and bumping up against already established consulting firms in the process.  Foreign defense contractors are also apparently looking to become involved and are buying smaller firms and making strategic hires to position themselves.

OPSEC, Data Security and A-Rod

The saga of Yankee superstar Alex Rodriguez (“A-Rod”) and the revelation of his past steroid use already exemplifies the far-reaching implications of information security practices. But the story is far from over. While the media firestorm over A-Rod appears to be dying down, the fate of the identities of 103 other Major League Baseball players who tested positive for steroid use in 2003 remains undecided. And the outcome of a motion now before the United States Court of Appeals for the Ninth Circuit may affect not only those 103 baseball players, but numerous athletes from other sports whose drug test results were seized by government investigators in 2004. Yet the entire story might never have existed had good OPSEC practices been in place. 

OPSEC – an acronym for Operations Security – is one of the cornerstones of counterintelligence strategy. The Department of Defense definition of OPSEC (.pdf) is “a process of identifying critical information and analyzing friendly actions . . . and other activities to (1) identify actions that can be observed by adversary intelligence systems, (2) determine indicators that hostile intelligence systems might obtain that could be interpreted or pieced together to derive critical intelligence in time to be useful to adversaries, and (3) selecting and executing measures that eliminate or reduce… the vulnerabilities of friendly actions to adversary exploitation.” But OPSEC does not just apply to military organizations. It should be a foundational principle for all security architecture. 

Continue Reading...

Data Breach: Not Only Can Happen to You, and Your Competitors (but Now It's Being Publicly Reported)

As state data breach reporting regimes develop, we are going to be seeing more reporting of breaches to law enforcement authorities.  If you want to see what this abstract concept of "reporting" looks like (and how your own reports might be listed for the public to see), go to the web site of the New Hampshire Attorney General.  On that site, you can read about 20 New Hampshire breaches that have been reported thus far in 2009 for that modestly sized state.  And if you want to get a feel for the national scope of data breaches, check out the Identity Theft Resource Center.  As of last week, they list 121 breaches and some 1,552,273 exposed records.  That's more than a breach per day (and over 17,000 exposed records per day).

Man Sentenced to 12 Months of Probation and Community Service for Illegal Access to Obama's Passport Records

Dwayne F. Cross, the second of three people who have pleaded guilty to illegally accessing then-presidential candidate Barack Obama's passport files, was sentenced to 12 months' probation and 100 hours of community service on Monday.  Mr. Cross admitted to accessing State Department passport records involving over 150 individuals, including celebrities, family members, and personal acquaintances, out of "idle curiosity".  These files contained a wealth of personal information including social security numbers, phone numbers, emergency contact information, and photographs.

Continue Reading...

Departing Employees Are Increasingly Stealing Company Information

As discussed by Mike Rosen on Foley Hoag's Noncompete Blog here, and reported by the Washington Post and CNN, a recently released report by Symantec Corp. and the Ponemon Institute (which can be found here) revealed that 59% of ex-employees who leave their employment are stealing company information, and 67% of those who admitted to stealing company information also admitted that they used that information to leverage a new job.

As I posted back in early February, another recent report, this one from McAfee, concluded that the shrinking economy and growing ranks of unemployed were increasing incentives for insiders to steal confidential information.  The Ponemon report seems to bear this out.

What's troubling is that the Ponemon report found that only "15% of respondents' companies review or perform an audit of the paper and/or electronic documents employees are taking.  If they conduct a review, 45% say it was not complete and 29% say it was superficial."  According to the McAfee report, however, 68% of the senior IT decision-makers surveyed cited insider threats as the top threat to essential information.  Taking these two reports together, it appears that companies understand that their (and their customers') confidential information is vulnerable to insider threats, yet they are not taking the necessary steps to secure that information from departing employees.  In this current climate, where data breaches are expanding (both in terms of numbers and size), it is imperative for companies to adopt and implement comprehensive approaches to ensure the security of proprietary information accessible to a departing employee and to minimize the accessibility of such information.

Links:

  • The Washington Post Article "Data Theft Common by Departing Employees" can be found here.
  • The cnn.com article can be found here.
  • The Ponemon report is available for download here (requires registration). 
  • The post on the Ponemon report at the Massachusetts Noncompete Law Blog can be found here.

Highlights from the IAPP Privacy Summit - March 11-13, 2009 Washington, D.C.

Between March 11, 2009 and March 13, 2009, the International Association of Privacy Professionals (IAPP) hosted a Privacy Summit in Washington, D.C. that featured keynote presentations from fraud expert Frank W. Abagnale and information security guru Bruce Schneier. The three-day event included dozens of breakout sessions with industry experts and government officials.  Read some of the highlights below.

Continue Reading...

Has the Consumer Privacy Legislative Forum Decided to Abandon Efforts to Draft Federal Privacy Legislation?

In early February, I noted that a group called the Consumer Privacy Legislative Forum (“CPLF”), which includes companies such as eBay, Microsoft, Google and Hewlett Packard, had released a statement calling for comprehensive harmonized federal privacy legislation and would be outlining recommendations for such legislation this month. Apparently, the CPLF’s focus has shifted. According to a BNA Privacy & Security Law Report, 8 PVLR 331, the CPLF “has decided to abandon efforts to develop a set of principles for omnibus U.S. privacy legislation” and is instead “now focused on crafting an industry-wide self-regulatory framework that can be tested over time with a broad range of organizations.” The group has also changed its name to the Business Forum for Consumer Privacy, although it “is still working out legal issues involved with officially becoming a new organization.”

Continue Reading...

$150,000 Penalty for Disclosure of Physician Information

This settlement is particularly interesting, given that it appears to stem from a voluntary disclosure, without any prejudice to any of the physicians whose information was disclosed.  Despite those mitigating factors, the disclosure still resulted in a six-figure penalty. As such, this is another suggestion that the days of soft enforcement of health-related information confidentiality are over.

The Queen's Medical Center ("QMC") of Hawaii recently agreed to pay $150,500 in civil money penalties for allegedly violating the confidentiality requirements applicable to National Practitioner Data Bank ("NPDB") information. OIG alleged that QMC improperly disclosed confidential information.

According to the settlement documents, QMC obtained the NPDB information and disclosed it to QMC's captive insurance carrier, which in turn disclosed it to its insurance broker.


Text of American Recovery and Reinvestment Act, security and privacy provisions

For those who want to see the source document, we have provided this link to the text of the American Recovery and Reinvestment Act of 2009.  The health security and privacy provisions start at Section 13000, around page 112.

Adding to the Patchwork: HITECH Act Sets New "Floor" for Data Breach Notification of Certain Patient Information

On Tuesday, February 17, 2009, President Obama signed into law the widely-debated federal economic stimulus package, officially titled the American Recovery and Reinvestment Act of 2009, and with it, enacted the Health Information Technology for Economic and Clinical Health Act (HITECH Act).  Much of the media attention on the HITECH Act has focused on the policies promoting health information technology, a topic that President Obama touted throughout his campaign.  However, the HITECH Act also contains myriad regulations that expand the security and privacy provisions of the Health Information Portability and Accountability Act of 1996 ("HIPAA"), and generally extends some of those regulations to non-HIPAA-covered vendors of personal health records and their business partners.

If you are hoping that federal lawmakers have used the HITECH Act to finally set a national standard for patient medical information, however, you will be disappointed.

The HITECH Act, like HIPAA, preempts any contrary state laws, but leaves intact any state laws and regulations that impose stricter requirements on the handling of patient information. As a practical matter, this means that if you are covered by HIPAA and the HITECH Act you must meet new minimum standards while continuing to monitor and comply with the ever-increasing patchwork of laws governing patient information in every state in which you operate.

What follows is a more detailed discussion of the provisions of the HITECH Act and how it attempts to provide additional security for patients' health information.

Continue Reading...

ALERT: Massachusetts Gives Businesses Until January 1, 2010 to Adopt Information Security Programs To Comply With Recent Identity Theft Regulations

On Thursday, February 12, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued a public statement indicating that it is extending the May 1, 2009 deadline to comply with recent Massachusetts identity theft regulations until January 1, 2010. 

The Massachusetts identity theft regulations affect entities that own, license, store or maintain personal information, including social security numbers, state identification numbers and financial account information, about any Massachusetts residents. Under amended regulations filed Thursday, individuals and businesses covered by the regulations must evaluate existing security measures and implement written information security programs on or before January 1, 2010. 

In the OCABR press release, Daniel C. Crane, undersecretary of the OCABR, indicated that the new deadline acknowledges that many businesses are having trouble complying with the new regulations in the wake of recent economic pressures. “We understand the impact of the current business environment, and feel this is an appropriate timeframe for companies to implement the necessary protections.” 

The new deadline makes clear that the OCABR is willing to give businesses additional time to improve information security measures, but also that regulators want all affected businesses to meet the new security standards by 2010. For most affected businesses, the new deadline does not mean they should delay their compliance efforts. Many businesses will need the additional time to analyze existing security threats and implement the necessary administrative, physical and electronic security measures. 

Links:

  • The OCABR homepage
  • The OCABR's February 12, 2009 announcement
  • The amended Massachusetts Identity Theft Regulations (17 C.M.R. 17.00-17.05) are available here (.pdf) or from the OCABR's website here (.pdf)

A bad week for the government - data breaches at federal organizations on the rise

It has been a bad week for the federal government's own information security track record.

The first story comes from the FAA, where hackers broke into the agency's computer systems and stole personal information on some 45,000 individuals.  The second story comes from Los Alamos National Laboratory, which confirmed the theft of 67 computers, 13 in the past year alone.  In both instances the American people appear to have dodged a bullet.  The electronic intrusion into the FAA appears to have been limited to a raid of personal information and did not interfere with air traffic control systems.  Also, the physical thefts at Los Alamos apparently did not result in the disclosure of any classified data (e.g., information on the U.S. nuclear stockpile), though what information was taken is still unknown.  In both cases governmental entities that we hope would be heavily secured against both electronic and physical thefts appear to have suffered embarrassing breaches.  The moral (one hopes) is that while there may be no such thing as perfect security, all of us - including our friends in the government - may need to be working a bit harder and should have a plan in place ahead of time for managing any incidents that eventually arise.

Links:

Federal Aviation Administration website

Los Alamos National Laboratory website

Trends in Data Breach Incidents, Part 2: Avoiding Accidental Exposure

According to the Identity Theft Resource Center's (ITRC) recently released report (.pdf) on data breaches in 2008, one of the top five causes of data breaches is what the ITRC labels "accidental exposure."   [For our earlier coverage on the ITRC's report see this link.]  The ITRC reports that accidental exposure accounted for 95 of the 656 data breaches in 2008.

ITRC considers “accidental exposure” to be those breaches caused by “inadvertent internet/web posting.” For example, consider the accidental exposure the ITRC labels as “ITRC20080709-02”. In this highly publicized case, an employee at Wagner Resource Group installed the peer-to-peer file sharing software, LimeWire, on a computer that contained personal information relating to the company’s clients. Presumably, the employee installed the software because he wanted to download an MP3, a movie or some piece of software (in violation of copyright law). However, by failing to properly configure the software, the employee inadvertently opened up company files on the computer to any LimeWire user on the Internet. This turned out to be especially disastrous from a public relations standpoint: the data exposed included a number of powerful Washington D.C. area attorneys as well as Supreme Court Justice Stephen Breyer. The story was published on the front page of the Washington Post and received attention from other national papers, such as the L.A. Times. While the breach exposed data involving only a relatively modest number of people, 2,000 individuals, the fact that the lapse involved some high profile victims created substantial bad press. Referring to the file-sharing software, Wagner Resource Group founder Phylyp Wagner stated "I didn't even know what peer-to-peer was. I do now."

Because accidental exposures are caused by human error, a prime problem with this type of breach is that they generally make the company look much worse than a breach caused by a hacker or an ill-intentioned insider. A consumer can understand a company being outsmarted by a thief, even being compromised by a disgruntled ex-employee, but there is often much less forgiveness for companies who appear to have disclosed their information through sheer carelessness. (See the link for the Breach Blog’s candid response to the news that personal data may have been exposed by an employee of Vonage placing it online in a Google Notebook).

Protecting against accidental exposure usually does not require expensive solutions. An appropriate computer usage policy prohibits the installation of unauthorized software, like LimeWire and other peer-to-peer file sharing programs that have come under intense fire from the recording and motion picture companies in the last decade. Educating staff, whether through training programs or the occasional reminder, about what to do and what not to do may often be the least expensive solution to accidental exposure. In addition, system administrators need to make sure they are taking appropriate steps to block or monitor peer-to-peer network traffic originating from inside the company network. 
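The monitoring step above can be done by looking at what each outbound session actually says rather than at port numbers, which file-sharing clients do not use consistently. The script below is an added example, not code from the article: it fingerprints the Gnutella handshake that LimeWire speaks (and, going beyond the article's LimeWire case, the BitTorrent peer handshake) and reports which internal hosts are running such clients. The session records, internal address ranges and the LimeWire header text are constructed.

```python
"""Added example (not from the article): flag peer-to-peer sessions that
originate inside the company network by inspecting the first payload bytes
of each TCP session.  Session records below are constructed; in practice they
would come from a network sensor or proxy log."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional

# Constructed: the address blocks that count as "inside the company".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Application-layer fingerprints at the start of the client's first send.
# Gnutella (the protocol LimeWire uses) opens with a text handshake line;
# a BitTorrent peer handshake starts with byte 19 followed by the protocol name.
FINGERPRINTS = {
    "gnutella": (b"GNUTELLA CONNECT/",),
    "bittorrent": (b"\x13BitTorrent protocol",),
}


class Session(NamedTuple):
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first payload bytes sent by src (constructed)


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify(payload: bytes) -> Optional[str]:
    """Return the P2P protocol name if the payload starts with a known
    handshake, else None.  Ordinary HTTP and TLS never match these prefixes."""
    for proto, prefixes in FINGERPRINTS.items():
        if any(payload.startswith(p) for p in prefixes):
            return proto
    return None


def find_p2p_hosts(sessions: List[Session]) -> Dict[str, Dict[str, int]]:
    """Map each internal source host to the P2P protocols it spoke, with a
    session count per protocol.  Sessions originating outside are ignored:
    the policy concern is company machines sharing files outward."""
    hits: Dict[str, Dict[str, int]] = {}
    for s in sessions:
        proto = classify(s.first_bytes)
        if proto is None or not is_internal(s.src):
            continue
        per_host = hits.setdefault(s.src, {})
        per_host[proto] = per_host.get(proto, 0) + 1
    return hits


# Constructed sample: one LimeWire user on two ports, one web request, one
# BitTorrent client, and one inbound Gnutella attempt that should not be flagged.
SAMPLE_SESSIONS = [
    Session("10.1.2.34", "203.0.113.7", 6346,
            b"GNUTELLA CONNECT/0.6\r\nUser-Agent: LimeWire\r\n"),
    Session("10.1.2.34", "198.51.100.9", 443, b"GNUTELLA CONNECT/0.6\r\n"),
    Session("10.1.2.50", "198.51.100.20", 80,
            b"GET / HTTP/1.1\r\nHost: example.com\r\n"),
    Session("192.168.7.8", "203.0.113.99", 51413,
            b"\x13BitTorrent protocol" + b"\x00" * 8),
    Session("203.0.113.5", "10.1.2.60", 6346, b"GNUTELLA CONNECT/0.6\r\n"),
]

if __name__ == "__main__":
    for host, protos in find_p2p_hosts(SAMPLE_SESSIONS).items():
        print(host, protos)
```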

Economy Delivers A Perfect Storm In Information Security: Data Crimes Rising As Economy Stumbles

According to a recently-released report from McAfee, the downturn in the economy is creating a "perfect information security risk storm."  The report, entitled "Unsecured Economies: Protecting Vital Information," can be found here [Note: McAfee requires registration to download the report].  McAfee bases its findings on a worldwide survey of 1,000 IT decision makers.

The McAfee Report makes four key findings:

  1. Increasingly, important digital information is being moved between companies and across continents and is being lost.
  2. The global economic crisis is increasing pressure on companies to cut spending across the board, including spending on data security, which creates more opportunities for outside threats such as cybercriminals.  Moreover, increasing layoffs are increasing incentives for insiders to steal confidential information.
  3. Elements in certain countries are emerging as the main threats to data security.  According to the report, “[g]eopolitical perceptions are influencing data policy reality, as China, Pakistan, and Russia were identified as trouble zones for various legal, cultural and economic reasons.”
  4. Cybercriminals have evolved beyond basic hacking and stealing of data.  They are becoming more organized and sophisticated.

In many ways, the global economic crisis could not have come at a worse time for companies attempting to keep their data secure. As layoffs fueled by the troubled economy increase, the number of employees with the motive, means and opportunity to steal valuable data or to sabotage their employer with a damaging data breach are clearly on the rise. According to the McAfee Report, 68% of those surveyed cited “insider threats” as the top threat to essential information. “Data thefts by insiders tend to have greater financial impact given the higher level of data access.” 

Coinciding with the increased threat from insiders is a growing and increasingly sophisticated threat from outside groups of cybercriminals. For example, the McAfee report notes that “malware writers now have R&D departments and test departments” and that malware programs are “regularly updated by its developers as to which vulnerabilities to exploit.” According to one source, the number of malicious programs on the internet tripled in September 2008. 

And while the expansion of information crime has led to increased government regulation, it is clear that the complex demands of various state and federal regulatory schemes are increasing the burden on companies already struggling in the weakening global economy. According to the National Conference of State Legislatures, 44 states have enacted legislation requiring notification of security breaches. This leaves companies with the unenviable task of determining what state laws apply and how to make sure they are complying with scores of overlapping, potentially inconsistent state rules. This quagmire has led to calls for Congress to set a single federal standard for information security. A group called the Consumer Privacy Legislative Forum, which includes companies such as eBay, Microsoft and Hewlett Packard, released a statement calling for “comprehensive harmonized federal privacy legislation” and will be outlining recommendations for such legislation next month. The FTC also has recommended in its recent report on Social Security numbers that Congress set federal standards for information security. 

Between the increasing threats to information assets and the confusing morass of new regulations governing information security, businesses are stuck between a rock and a hard place while the funds and personnel needed to address the threats and comply with increased regulation are dwindling.  Given recent reports that "[o]rganizations that experienced a data breach in 2008 paid an average of $6.6 million last year to rebuild their brand image and retain customers," the only way through this perfect storm may be to push ahead with efforts to evaluate the increasing security threats and adopt reasonable measures to combat these threats, as regulators appear to be demanding.

Data Privacy and Security Meets Winnie-the-Pooh: Using Honey Pots to Protect Your Data

Most of us remember fondly the Winnie-the-Pooh stories by A.A. Milne from our childhood. One that is memorable for me is “Piglet Meets a Heffalump.” In that story, Winnie-the-Pooh and Piglet plot to catch the new animal they believe is living in the Hundred Acre Wood. They have named this animal the Heffalump. They set a trap for the Heffalump, but instead of catching it, Pooh becomes trapped in the hole he had dug to catch the Heffalump. To add insult to injury, Pooh gets his head stuck in a pot of honey that he had intended to attract the Heffalump to the trap.[1]

Now, you may be asking what this has to do with data privacy and security. One of the new trends in the data privacy and security field is the use of what is colloquially called “honey pots.” These are attractive bits of false data or decoy computer systems intended to entice individuals into looking at things they should not be looking at, while enabling you to track those events. Should you use honey pots? Are there risks involved?

Before you set up a honeypot, you will want to have clear approval from the executive leadership of your organization, because there could be loud noises when someone unexpectedly gets stuck in one of these honeypots. Approval should also include Information Technology and Human Resources, which may be required to take quick action if someone is caught. Legal counsel also should review the entire honeypot program -- once you catch someone, you want to make sure the evidence will be sufficient to allow you to terminate his or her employment. You may also want to consider how you would use the information to make a referral to law enforcement. Even more importantly, you want to make sure that what you are doing is legal, and you want to make sure your honey pot does not hurt someone unintentionally.

[1]Winnie-the-Pooh, A.A. Milne (1926)

Trends in Data Breach Incidents, Part 1: Identity Theft Resource Center (ITRC) Reports Breaches Up 47% in 2008, Hackers Only Responsible for 13.9% of All Incidents

On January 2, 2009, the Identity Theft Resource Center (ITRC) released its report (.pdf) on data breaches in the United States in 2008 (you can read the Washington Post’s primer on the ITRC’s findings here). The raw numbers are headline grabbing — 656 data breaches in 2008, a 47% increase from 2007. The sharp increase in numbers from 2007 to 2008 could be a result of an increase in data breach incidents, and most of the reporting on the ITRC’s report takes this view, but it could also be due to increased media interest, new mandatory reporting laws, and a greater public interest in the issue. As in 2007, the ITRC relied on public reporting of breaches to compile its list, so the ITRC’s findings should be expected to increase as public reporting of data breach incidents increases.

The ITRC also reports that over 35.5 million personal and/or financial records are known to have been exposed in 2008. This number includes only the 402 of the 656 reported breaches where a public report indicated how many records were actually exposed (including the 16 breaches where no records were actually exposed because they were encrypted or in some other way protected), and does not include any of the 254 breaches where an unknown number of records were exposed. So the actual number of exposed records is likely much higher, possibly in the range of 58 million records exposed (assuming that the breaches where the numbers are known are representative, and that the underlying math was done correctly).


Senator Feinstein Introduces Two New Security/Privacy Bills

On January 6, 2009, Senator Dianne Feinstein (D-Cal.) introduced two bills related to data breaches and protection of social security numbers. Bill S. 139, entitled the "Data Breach Notification Act," would require any federal agency or business entity to notify an individual of a security breach involving personal information “without unreasonable delay.” The proposed bill defines “reasonable delay” as including “any time necessary to determine the scope of the security breach, prevent further disclosures, and restore the reasonable integrity of the data systems and provide notice to law enforcement when required.” In addition to requiring notice to the affected individual(s), the bill requires that notice be provided to “major media outlets” within a state if the number of state residents affected by the breach exceeds 5,000, and also requires that notice be given to the Secret Service if the number of affected individuals exceeds 10,000 or if the affected database contains information of more than 1,000,000 individuals. The bill provides for limited exceptions for law enforcement or national security purposes. 

The bill requires that the notice include (1) a description of the categories of information that were acquired by an unauthorized person, (2) a toll-free number that the individual may use to contact the agency or business and learn what types of information the agency or business maintained about the individual, and (3) the toll-free contact telephone numbers and addresses of major credit reporting agencies. The first requirement of the notification’s content is particularly interesting, as several states (including Massachusetts) currently forbid the notification to include the nature of the breach. Bill S. 139 states that it does not provide a private right of action, meaning that a private individual may not bring suit under the bill. Finally, the bill provides that its provisions “shall supersede any other provision of Federal law or any provision of law of any state relating to notification by a business entity . . . or agency.”

Senator Feinstein introduced a similar bill in 2007 which failed to pass the Senate. This year’s version, which has no co-sponsors, has been referred to the Judiciary Committee. 

Bill S. 141, entitled the “Protecting the Privacy of Social Security Numbers Act,” is co-sponsored by Senators Judd Gregg (R-NH) and Olympia Snowe (R-ME). It prohibits any person from displaying, selling, or purchasing an individual’s Social Security number without the affirmative, express consent of the individual, subject to a number of exceptions (e.g., for national security, law enforcement, or public health purposes, or if the display is required, authorized, or excepted under any Federal law). The bill also would prohibit any federal, state, or local government from displaying Social Security numbers on public records posted on the Internet or from printing them on government checks. [These provisions parallel recent recommendations from the FTC as we Further, the bill prohibits any federal, state, or local agency from employing inmates in any position that would give the inmate access to Social Security numbers of other individuals. Finally, the bill would place limits on when businesses may ask customers for their Social Security numbers.

Unlike the Data Breach Notification Act, the Protecting the Privacy of Social Security Numbers Act provides for a private right of action, allowing any aggrieved individual to sue for an injunction or monetary damages (which could be tripled if a court finds a willful and knowing violation). As with the Data Breach Notification Act, the Protecting the Privacy of Social Security Numbers Act has been referred to the Judiciary Committee.

Given the many challenges facing the federal government this upcoming year as it transitions into the Obama administration, it is difficult to predict whether Senator Feinstein’s bills will face resistance. However, all signs point to a recession-driven boom in cybercrime, identity theft and security breaches that will continue to expand in 2009 as it did in 2008. Given this environment, Congress will probably enact some version of these proposals sooner rather than later.

Massachusetts Businesses Ask For More Time To Comply With State Identity Theft Regulations

A number of high-profile Massachusetts businesses and industry groups have sent Massachusetts governor Deval Patrick a letter requesting that the governor reissue existing identity theft regulations and give battered businesses two additional years to develop information security programs. This comes as a prelude to the public hearing scheduled today before the Massachusetts Office of Consumer Affairs and Business (OCABR) regarding the upcoming May 1, 2009 deadline for businesses to comply with recent Massachusetts identity theft regulations (201 C.M.R. 17.00 et seq.).  The companies and organizations signing the letter included the Massachusetts Business Roundtable, the Massachusetts Package Store Association, the Massachusetts Hospital Associations, Google, Comcast, CitiGroup, AOL, Microsoft, The Gap, Verizon and Wal-Mart.

Mass High Tech's story on this event can be found here.

Testimony of the Greater Boston Chamber of Commerce at the January 16, 2009 hearing can be found here.

The Privacy & Security Law Report reports that, at the hearing, representatives of employers, small businesses, financial institutions and universities asked the OCABR to extend the deadline for compliance beyond May 1st. According to these representatives, it will be “virtually impossible” for most of the covered entities to reach compliance by May 1, 2009. In addition, they urged the OCABR to review the new regulations again and make changes. Whether the OCABR will be swayed by the views of those attending the hearing remains to be seen. Given the economic climate and the costs associated with upgrading systems to meet the new regulations, it is a safe bet that most covered entities would breathe a sigh of relief if the OCABR decides to extend the compliance deadline.

2.13.2009 UPDATE: As we report in our alert, OCABR has responded to this request by filing amended regulations that postpone the compliance deadline by eight months, to January 1, 2010. 

FTC Issues Guidance to Businesses on How To Handle Social Security Numbers

Anyone mystified by what practices the FTC wants businesses to improve on or abandon in response to federal “Red Flags” regulations received some specific guidance in December, when the FTC released the report Security in Numbers - SSNs and ID Theft. The new report articulates a series of FTC recommendations with respect to the handling of Social Security numbers (SSNs) based upon the work of the President’s Identity Theft Task Force, which was established in May 2006 and led to an extensive fact finding effort summarized in the FTC’s November 2007 staff summary report (which can be found here [.pdf]). For anyone subject to new federal and state identity theft regulations, the Report helps identify some specific steps they should consider implementing by May 1, 2009, when the FTC will begin enforcing federal identity theft regulations. 

The FTC Report first makes two key recommendations that should be considered when developing an identity theft prevention program:


ALERT: Massachusetts Gives Businesses Until May 1, 2009 to Adopt Comprehensive Information Security Programs To Comply With Recent State Identity Theft Regulations

In September, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued broad identity theft regulations that require virtually every business that retains information on Massachusetts residents to develop comprehensive policies and procedures to address the risk of identity theft by January 1, 2009. 

On Friday, November 14, 2008, OCABR announced that it will give businesses until May 1, 2009 to comply with the new regulations. This move parallels the October announcement by the Federal Trade Commission that it is delaying enforcement of federal identity theft regulations until the same date, May 1, 2009. 

In conjunction with the recently enacted Massachusetts identity theft statute, Mass. Gen. Laws ch. 93H, the Massachusetts identity theft regulations published as 201 CMR 17.00 set specific standards for businesses that own, license, store or maintain personal information about any Massachusetts residents. There are several key provisions in the new regulations:

  • Businesses subject to the regulations include any company, whether or not based in Massachusetts, that owns, licenses, stores or maintains “personal information” about Massachusetts residents.
  • “Personal information” is defined to include a resident’s name in combination with a Social Security number, driver’s license number, credit card or bank account information.
  • Affected businesses are required to develop, implement, maintain and monitor a comprehensive information security program that identifies and mitigates the risks of potential identity theft.
  • Businesses are required to set limits on when employees may access, keep and transport records containing personal information outside of company offices and impose disciplinary measures on employees that violate the information security policies.
  • The regulations also specifically require that computer systems containing personal information be protected by encryption, secure user logins, firewall systems, virus and malware protection and reasonably up-to-date system software.

The Massachusetts Attorney General is authorized to enforce these regulations, but at this stage, as with any new regulatory framework, the form and level of government enforcement is unclear. However, the new regulations direct the Attorney General to take into account the size and nature of the business, as well as the resources available to it, when assessing compliance.

2.13.2009 UPDATE: As we report in our client alert, the OCABR has filed amended regulations to extend the deadline for compliance with Massachusetts identity theft regulation to January 1, 2010.

ALERT: FTC Gives Businesses Until May 1, 2009 to Adopt Identity Theft Prevention Plans that Comply With Recent FTC "Red Flags" Regulations

On Wednesday, October 22, 2008, the Federal Trade Commission issued an Enforcement Policy Statement that it will delay some elements of enforcement of recent “Red Flags” regulations until May 1, 2009, instead of the original November 1, 2008 date. Citing uncertainty and confusion within many industries over whether they are covered by the new regulations, the FTC indicated that it will not seek to enforce the regulations on November 1, 2008, when all affected businesses were originally required to come into compliance. This delay does not apply to users of consumer reports handling notices of address discrepancies, for which the November 1, 2008 deadline still applies. Likewise, enforcement against banks, credit unions and other financial institutions by the U.S. Treasury, Federal Reserve, Federal Deposit Insurance Corporation and other agencies is not affected by the FTC’s action.

The “Red Flag” rules had their genesis in 2003, when Congress enacted the Fair and Accurate Credit Transactions Act, 15 U.S.C. § 1681 (“FACTA”). FACTA required the FTC and a group of other regulatory agencies and committees to adopt regulations to help consumers avoid the growing epidemic of identity theft. Under the final “Red Flags” regulations that came into effect on January 1, 2008, U.S. companies that maintain customer accounts used to make periodic payments, transfers or transactions were initially given until November 1, 2008 to develop formal policies to detect the warning signs or “Red Flags” of potential identity theft and set up procedures to prevent and mitigate the harm caused by identity theft. The FTC’s latest announcement provides businesses with an additional seven months, until May 1, 2009, to assess whether they are covered by the “Red Flags” regulations and put in place a compliant Identity Theft Prevention Plan.

While the language of the regulations covers “financial institutions” and “creditors” maintaining “covered accounts,” the FTC has made clear that the “Red Flag” regulations are intended to cover a broad range of businesses, many of which may not consider themselves traditional “financial institutions”. In particular, the FTC maintains that the new regulations apply to: (1) businesses that maintain any type of account that permits multiple payments or transactions or any other account that presents a reasonably foreseeable risk of identity theft, (2) credit card issuers, and (3) companies that use or receive consumer credit reports. 

The FTC estimates that the new regulations apply to over 11 million businesses in the U.S., including lenders, mortgage brokers, and brokerage firms, but also automobile dealers, utilities and telecommunications companies, collection agencies and other businesses that participate in credit decisions about their customers. Any business that provides customers with any type of account that permits the customer to make repeated payments or enter into regular financial transactions needs to assess whether it is subject to the new “Red Flags” regulations.

If your business is covered by the new “Red Flag” regulations, you will need to develop an Identity Theft Prevention Plan containing procedures to:

  1. Identify any indicators of a possible risk or existence of identity theft in their business — what federal regulators are calling “Red Flags” — such as discrepancies in customer information and suspicious account activity.
  2. Respond appropriately to any Red Flags in order to prevent identity theft from occurring, including by monitoring suspicious activity, contacting customers and notifying law enforcement.
  3. Continually assess the identity theft risks to customers and update the company’s Identity Theft Prevention Plan as necessary.

In addition, the new Red Flag regulations require an affected business to obtain approval from its board of directors for the Identity Theft Prevention Plan, train staff to administer the program and exercise oversight over any service providers retained to manage customer accounts and information. 

At present, it is still unclear what form the FTC’s enforcement of the “Red Flags” regulations will take. The regulations do provide for enforcement actions, regulatory penalties and fines, but do not provide individuals with a right to sue for failure to comply with the new rules.