Albert Gonzalez Gets 20 Years for TJX / Heartland Breaches

Last week was a tough week for Albert Gonzalez, the so-called "leader of the largest hacking and identity theft ring ever prosecuted by the U.S. government."  Gonzalez received a sentence of 20 years of imprisonment in two separate federal cases against him.  The hacker, known variously as "segvec," "soupnazi" and "j4guar17" pled guilty in the New Jersey and Massachusetts cases for his role as mastermind of the two largest financial data breaches ever, those involving TJX and Heartland Payment Systems. 

The federal court sentencing entries state that after Gonzalez serves his 240-month sentence, he will be subject to 3 years of supervised release, fines and substantial restitution, to be determined at hearings scheduled in June.  The Department of Justice press release (.pdf) details some of Gonzalez's activities, which included:

  • Wardriving: "driving around in a car with a laptop computer looking for unsecure wireless computer networks of retailers."
  • Installation of sniffer programs to capture credit and debit card numbers used at retail stores.
  • Selling credit and debit card numbers to others for fraudulent use.

The DOJ press release also indicates that while six of Gonzalez's co-conspirators have been captured (as far away as in Germany and Turkey), Gonzalez's activities may have compromised "tens of millions of credit and debit card numbers, affecting more than 250 financial institutions."

In January, we posted details from the debate during Gonzalez's sentencing, including his claim that he suffered from "internet addiction."  At that time, Gonzalez's attorneys requested a sentence of 15 years for his crimes. 

FTC Tells Businesses, Schools and Local Governments: Stop Sharing Personal Information On Peer-To-Peer Filesharing Networks

The Federal Trade Commission (FTC) announced yesterday that it had notified "almost 100" companies and organizations, including schools and local governments, that sensitive personal information from those entities was being shared across peer-to-peer (P2P) filesharing networks. This has apparently resulted in circulation of customer personal information, health information, Social Security numbers and other sensitive data. 

Poorly supervised use of P2P networks has frequently been the subject of unwanted attention, including from the FTC.  For our coverage on P2P security issues, see our prior posts here ("Congressional Aide Shares Secret Ethics List With The World"), here ("Incident of the Week: Seattle Man Sentenced To Three Years In Prison For Using Peer-To-Peer Software To Steal Financial Records, Commit Identity Theft") and here ("Rep. Mary Bono Mack Introduces Informed P2P User Act To Combat Inadvertent File Sharing"). 

The danger with P2P filesharing software is that failure to select the proper settings can result in opening up all documents on a computer to anonymous users on the Internet.  As the FTC warned in its press release: "when P2P file-sharing software is not configured properly, files not intended for sharing may be accessible to anyone on the P2P network."  The problem commonly arises when a business's staff load P2P filesharing software on company computers to access music or other downloads (which can be illegal in itself), but fail to properly configure the software.

The FTC has provided the following examples of the notification letters it has mailed to entities: FTC Sample Letter A (.pdf), FTC Sample Letter B (.pdf) and FTC Sample Letter C (.pdf).  The FTC has also directed these entities to its newly-unveiled guide to taking proper security measures to prevent unauthorized P2P access.  The FTC has indicated that it "has opened non-public investigations of other companies whose customer or employee information has been exposed on P2P networks." 

Massachusetts Attorney General Announces Opening of New Computer Forensics Lab

In a press release issued last week, Massachusetts Attorney General Martha Coakley announced the opening of a "new, state-of-the-art Computer Forensics Lab in Boston" as part of the Attorney General's Cyber Crime Initiative.  Under the Initiative, the Attorney General's office received funding from the U.S. Department of Justice to "develop a sustainable cyber crime information sharing program in Massachusetts" for the Massachusetts law enforcement community.

According to the press release, the lab "will expand the office's forensic capabilities, allowing it to conduct exams on a variety of digital media such as computers, cell phones, laptops, PDAs and GPS devices."  The lab is 3,000 square feet, the largest such lab of any attorney general's office in New England.  It will have the latest technology available to forensic investigators to allow them to extract information such as text messages, videos and pictures from mobile devices, and will also have imaging machines that can be used to capture information that cannot be extracted from a device or hard drive.  In addition, lab space will be used to train police officers on how to "bag and tag," using the proper techniques for evidence seizure at a crime scene. 

According to the press release, the Attorney General's Office has trained more than 1,000 Massachusetts law enforcement officers and cyber crime experts from across the nation, focusing primarily on investigation of identity theft.  While it certainly seems that Attorney General Coakley has made prevention of cyber-crime one of her top priorities (indeed, the office recently received an award from the National White Collar Crime Center for its work in cyber crime), it will be interesting to see what happens if she is successful in her candidacy for the U.S. Senate.

RECAP Joins The Fight Against PACER -- But Do We Want Its Help?

It just became a little cheaper and a little easier to access public court filings through PACER (the Public Access to Court Electronic Records), thanks to RECAP, an open-source Firefox plug-in designed to create a free secondary archive of PACER materials.

Court filings contained in PACER are public documents, and are, in theory, open to the public. But, in the past, the fact that these materials were either maintained in individual courthouses or, once digitized, were behind password-protected log-ins and per-page charges generally prevented them from being widely disseminated. Open society advocates have long criticized PACER for charging the public itemized fees to access public court filings, arguing that this pay-as-you-go system effectively removes public filings from the public domain and discourages a fully transparent legal system. 

Princeton University's Center for Information Technology Policy, with assistance from Harvard University's Berkman Center for Internet and Society, unleashed the latest salvo against PACER in the form of RECAP ("PACER" spelled backwards, not by coincidence). RECAP is a free open-source software plug-in for the popular Firefox web browser that automatically uploads all PACER documents a user is viewing onto a growing archive maintained by the non-profit group Internet Archive. When the next RECAP user attempts to view a PACER document that has already been archived, the RECAP plug-in automatically retrieves the archived copy so that user does not have to pay for those materials. This system essentially allows users of PACER to slowly create a secondary archive of these public documents that can be accessed for free.

I have previously discussed the controversy surrounding PACER's security failings and pricing. After the jump, my colleague Aaron Wright and I discuss whether the RECAP plug-in magnifies or minimizes PACER's security problems and risks of identity theft, the pushback RECAP has received from courts, and RECAP's creators' response to criticism about the plug-in's security and privacy safeguards.

Incident of the Week: Seattle Man Sentenced To Three Years In Prison For Using Peer-To-Peer Software To Steal Financial Records, Commit Identity Theft

Yesterday, Frederick Eugene Wood of Seattle was sentenced to 39 months in prison for using LimeWire peer-to-peer (P2P) software to obtain Social Security numbers, bank and financial records and tax returns, which he then used to commit identity theft.  The complaint (.pdf) filed in federal court for the Western District of Washington in March alleged that Wood took advantage of the fact that users sometimes install LimeWire or other peer-to-peer software on computers without limiting the directories and files made available to the peer-to-peer network. 

Especially when a household computer is shared between parents and children, the installation of peer-to-peer software may make tax returns, bank statements and other personal information saved on that computer available to everyone else on the peer-to-peer network.  During questioning by state and federal investigators, Wood explained that "kids put Limewire on the computer and the parents don't know."  As a result, Wood was able to obtain personal information from approximately 120 different individuals from Massachusetts, New York, Georgia, Florida, Ohio, Iowa, Louisiana, Oregon and California.  He then used this information to create counterfeit checks and driver's licenses and to open credit accounts in the victims' names.

Note that failing to limit the files shared by peer-to-peer software is not just a problem for household computers. In an earlier post, we discussed the problems caused when an employee installed LimeWire at work.  Also note that LimeWire's user guide and FAQ provide directions on how to make sure you are not sharing personal or sensitive information with the world.

Wood's scheme was discovered after he posted an ad on Craigslist.com purporting to sell a "brand new" Apple MacBook Pro for $1,500 and then shipped a box containing a book and a glass vase instead of a computer.  Working with Seattle Police, the victim set up a meeting with Wood and he was arrested.  Upon investigation, Seattle Police discovered that Wood possessed a number of counterfeit driver's licenses and sought the assistance of the Social Security Administration's Office of Inspector General.  The King County Sheriff's Office, FBI, U.S. Postal Inspection Service and U.S. Secret Service's Electronic Crimes Unit also assisted in the investigation. 

Wood pled guilty to violations of federal laws governing identity theft (18 U.S.C. sec. 1038(A)), wire fraud (18 U.S.C. sec. 1343) and the Computer Fraud and Abuse Act (18 U.S.C. sec. 1030(a)(4)).  He is also required to pay over $25,000 in restitution to a number of parties, including Bank of America, American Express and other financial institutions (for the complete list, see the judgment filed in court earlier this week (.pdf)).

Social Security Numbers (SSNs) Can Be Predicted Using Basic, Widely-Available Public Data. Social Security Administration Not Surprised, and Continues to Offer Detailed SSN Information to the Public

As has been recently reported, researchers from Carnegie Mellon University have announced that they have uncovered a method to accurately predict the Social Security Numbers (SSNs) of individuals by simply knowing two of the most basic and widely-available facts about people today: their dates of birth, and their States of birth. In their paper titled “Predicting Social Security Numbers from Public Data” (.pdf), researchers Alessandro Acquisti and Ralph Gross warn that they have uncovered a distinct and identifiable statistical pattern across SSNs of deceased persons – that, ironically, are made publicly available by the Social Security Administration (SSA or Agency) itself – and have used that pattern to accurately predict the SSNs of live Americans by simply knowing their birthdays and in which States they were born. In other words: “[A]ny third party with internet access and some statistical knowledge . . . [can deduce the pattern of SSN assignment] by analyzing publicly available records in the [Social Security Administration] Death Master File [and] interpolating an alive person’s state and date of birth with the patterns detected across deceased individuals.” 

What has received considerably less media attention, however, is the SSA's muted response to this fiasco, and, quite the opposite, the alarmingly broad set of explanatory guides and almost-complete SSNs that the Agency makes available to the public on their website.

Secret Service and Europe Plan a Cybercrime Task Force

According to recent reports from the Wall Street Journal and Computerworld, on June 30 the United States Secret Service, the Italian police and the Italian postal service reached an agreement for the establishment of an international task force to fight cybercrime, including identity theft and computer hacking.  Mark Sullivan, the director of the Secret Service, stated that cybercrime "is not a borderless crime and we believe there needs to be a reaction at an international level."  While it may seem odd at first for the Secret Service, whose most obvious mission is to protect members of the U.S. government and visiting heads of state, to be involved in a fight against cybercrime, the agency actually has a dual mission: both to protect heads of state and "to safeguard the nation's financial infrastructure and payment systems to preserve the integrity of the economy."  Moreover, Congress has given the agency authority to investigate offenses under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. sec. 1030(d).

The task force will be named the European Electronic Crime Task Force, will be based in Rome and, according to Italian police, will be open to other European countries. Its main focus will be to combine the resources and efforts of the United States and European Union nations in order to fortify cyber-defenses for government sites hosting sensitive data. The Italian Postal Service (and, presumably, other entities that decide to contribute) will exchange alerts with the Secret Service, monitor computer networks across Europe for threats using Italian Postal Service software, and coordinate to quickly respond to attacks. According to the articles, the Italian Postal Service now makes more money from banking and insurance services than from traditional sending of letters and packages. Given this shift in focus, it has developed software that can review electronic monetary transfers for suspicious signs.

Ironically, and as discussed in more detail elsewhere, the announcement of this new task force came just a few days before the Secret Service's website, along with the websites of the Treasury Department and Federal Trade Commission, were paralyzed due to cyberattacks, which government officials speculate originated from North Korea.  Perhaps the Secret Service should have first established a task force with Asia?

Bill Seeks Changes to Massachusetts Data Security Law

With the deadline for complying with the Massachusetts identity theft law just six months away, at least one state senator is still seeking changes to that law.  In Senate Bill S173, which until now has received little public notice, State Senator Michael Morrissey proposes to make it easier for small businesses to comply, by requiring the state's regulations to take account of a business's resources as it requires compliance:  "[S]aid department shall create separate regulations for small businesses covered by this chapter that reflect said small businesses unique situation and resources."  This type of language is reminiscent of the HIPAA security rules and their scalability for businesses of different sizes. 

S173 also addresses the issue of what businesses can do with employees who violate the law, by making it easier to fire them:  "A willful violation of this chapter or regulations implementing this chapter, or a written information security plan issued by a person covered by state or federal privacy laws shall provide just cause for the termination of an employee, whether the employee is employed by a private person, public agency or political subdivision of the state."

FTC and Other Agencies Issue Frequently Asked Questions (With Answers) on Red Flags Rules

On June 11, 2009, six federal agencies issued answers to a set of frequently asked questions (FAQ) (.pdf) to "assist financial institutions, creditors, users of consumer reports and card issuers in complying with the final rulemaking" on identity theft.  The agencies behind the FAQ are those that originally promulgated the Red Flags Rules (and issued Guidelines to assist covered entities in designing compliance programs): the Federal Trade Commission (FTC), the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS).  Some of the highlights from the FAQ are:

  • The agencies clarified that "all banks, savings associations and credit unions are covered by the Red Flags Rules and Guidelines as 'financial institutions,' whether or not they hold a transaction account belonging to a consumer," and including "those whose powers are limited to trust activities;"
  • Brokers, dealers, investment advisors or investment or insurance companies (including those that are subsidiaries of a bank or savings association) are covered by the Rules and Guidelines if they are a "financial institution" or "creditor" under the Fair Credit Reporting Act;
  • IRAs will generally be considered "covered accounts" and thus subject to the Rules and Guidelines;
  • The term "covered account" includes accounts established in the United States by non-U.S. residents;
  • Check forgery or use of a stolen credit card constitutes "identity theft" because it involves a fraud using the identifying information of another person without authority;
  • The Rules and Guidelines do not require a financial institution or creditor to educate consumers regarding the risk of identity theft, although such programs "may be helpful as part of an overall effort to address the problem of identity theft";
  • Financial institutions may, but are not required to, use automated systems to detect red flags, but may have to supplement such systems with non-automated procedures;
  • The Rules and Guidelines require financial institutions or creditors to oversee all service provider arrangements that relate to the opening or accessing of a covered account, not just those with providers that offer fraud detection services.

While it is certainly laudable for the agencies to put together a list of answers to various FAQs in order to ease the transition to the date when the Rules and Guidelines go into effect, I found many of the answers to be fairly unhelpful.  For starters, most of the questions and answers deal with the Rules and Guidelines only as they relate to financial institutions, even though they will apply to numerous other types of institutions.  Moreover, much of the guidance given was extremely vague.  For example, many of the answers to questions regarding covered accounts could be summarized as "it depends on whether the institution determines that there is a foreseeable risk of identity theft."  It would have been helpful for the agencies to provide some examples or other more concrete information.  Hopefully the agencies will expand on the FAQ in the near future to address concerns of entities beyond financial institutions and perhaps provide more concrete guidance.

FTC Releases "Template" Identity Theft Prevention Program for Red Flags Rules Compliance

On Wednesday, May 13, 2009, the FTC released a "template" identity theft prevention program (.pdf) to guide businesses subject to a "low risk" of identity theft through the process of complying with federal Red Flags Rules.  The FTC template was first announced on May 1, 2009 when the agency postponed enforcement of the general purpose Red Flags Rules until August 1, 2009 (see our posting here or our more detailed client alert here).

The FTC template is divided into two parts.  The first section outlines how businesses should evaluate whether they are at low risk for identity theft.  Under the FTC's guidance, low risk businesses include:

  • Businesses, such as doctor or lawyer practices, that are personally familiar with their customers and therefore are unlikely to be fooled by impostors.
  • Businesses that provide services at customers' homes.
  • Businesses that have never received a complaint or discovered an incident of identity theft.
  • Industries in which identity theft is uncommon.

While the template does not discuss this point, those businesses that do not fall into the category of "low risk" presumably are required to undertake a more in-depth review of the risks and implement a substantially more detailed identity theft prevention program. 

The second section of the template is essentially an identity theft prevention program checklist that requires the business to fill in the procedural and administrative blanks.  Anyone using the FTC template should recognize that the template is a guide for performing the assessments required by the federal regulations - it does not excuse low risk businesses from compliance.  For instance, the template requires that a business identify any red flags it is aware of in addition to a mandatory red flag: receiving a notice from a customer or law enforcement.  While the template provides helpful structure to the process of compliance, low risk businesses appear to be subject to the same requirements.  In particular, the template program requires a business to identify applicable red flags, identify procedures it will take to detect these warning signs, identify a coordinator, develop a training program, identify key service providers who will need to be appropriately vetted and keep the program up to date.  The template does help us understand what level of compliance the FTC will be looking for at many smaller businesses.

Last Minute Reprieve: FTC Postpones Deadline for Red Flags Compliance Until August 1, 2009 - Will Release "Template" For Compliant Identity Theft Prevention Program

On Thursday, April 30, 2009, the day before federal Red Flags Rules were set to go into effect for a wide range of businesses, the FTC published a notice on its website indicating that it is postponing the deadline (yet again) until August 1, 2009.  Importantly, this delay appears to be imposed so that the FTC can provide businesses, many of which are confused about how to comply, a "template" identity theft prevention program.  "For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law."  The FTC indicates that it will make the template available through their website.

In delaying enforcement, the FTC continues to maintain that the Red Flags Rules apply broadly to any business that bills its customers (i.e., "all entities that regularly permit deferred payments for goods or services").  In particular, the FTC specifically mentions that the statutory term "creditor" encompasses "businesses that provide services and bill later, including many lawyers, doctors, and other professionals."  The notice concedes that considerable confusion has surrounded the preliminary question of who is covered under the new rules.  The FTC directs businesses looking for more information to the FTC's new microsite on the Red Flags Rules.

Cracking Down: FTC Fines Credit Research Firm $500,000 For Lax Security, Obtains Court Order Requiring Company to Develop "Comprehensive Information Security Program"

On Thursday, March 5, 2009, the FTC announced that it had reached a settlement with financial research firm Rental Research Services, Inc. (RRS) and its managing officer, Lee Mikkelson, to resolve the FTC's claims that the firm had failed to provide adequate security for sensitive consumer information provided to identity thieves posing as legitimate users.  According to the FTC, the faults in RRS's security amounted to "unfair acts or practices" in violation of the FTC Act.  RRS and Mikkelson were fined $500,000, but the fine was suspended in light of the company's present financial condition. Also, in a move that echoes the FTC's past enforcement of information security standards under the FTC Act and foreshadows future enforcement of Red Flags regulations, the terms of the FTC's court order require RRS to develop a "comprehensive information security program that is designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers" and submit itself to independent security audits every 2 years until 2029. 

Especially in view of the upcoming May 1, 2009 deadline for compliance with federal Red Flags regulations, this case may be a good example of what we can expect to see from federal and state regulators in enforcing existing and future information security standards, especially with respect to consumer data providers.  Below I will summarize the case and identify the key elements of the information security program that the FTC required.

Data Breach: Not Only Can Happen to You, and Your Competitors (but Now It's Being Publicly Reported)

As state data breach reporting regimes develop, we are going to be seeing more reporting of breaches to law enforcement authorities. If you want to see what this abstract concept of "reporting" looks like (and how your own reports might be listed for the public to see), go to the web site of the New Hampshire Attorney General. On that site, you can read about 20 New Hampshire breaches that have been reported thus far in 2009 for that modestly sized state. And if you want to get a feel for the national scope of data breaches, check out the Identity Theft Resource Center. As of last week, they list 121 breaches and some 1,552,273 exposed records.  That's more than a breach per day (and over 17,000 exposed records per day).

Senate Drafting Cybersecurity Law - Seeks To Appoint National "Cybersecurity Czar"

Senators Jay Rockefeller (D-W.Va.), Chairman of the Senate Commerce, Science and Transportation Committee, Olympia Snowe (R-Maine) and Bill Nelson (D-Fla.) are drafting cybersecurity legislation that would establish a permanent national security czar reporting directly to the White House, according to a recent announcement from Senator Nelson and other reports.  The proposed legislation would also

  • require intelligence and Homeland Security officials to perform vulnerability assessments;
  • create a clearinghouse for information sharing between the government and private sector; and
  • fund scholarships for those interested in cybersecurity.

The proposed legislation follows on the heels of three incidents in which computers in Senator Nelson's office were hacked.  The current draft legislation contains provisions similar to those recommended by the Commission on Cybersecurity for the 44th Presidency, which released a report in December 2008.

Links:

  • The post on Senator Nelson's website can be found here.
  • The March 23, 2009 CNET News article, "A bill to shift cybersecurity to the White House" can be found here.
  • The December 2008 report from the Commission on Cybersecurity for the 44th Presidency is available here.

The FTC Strikes Back: (Essentially) Everyone Should Be Complying With Red Flags Rules, Especially The Healthcare Industry

In a recent letter (.pdf) to the healthcare industry, the Federal Trade Commission (“FTC”) has issued its clearest pronouncement yet on which entities must comply with federal “Red Flag Rules” -- the identity theft regulations that will go into effect for many businesses on May 1, 2009 (and have been in effect for banks and financial institutions since November 1, 2008). This latest guidance strongly suggests that if you are wondering whether the new federal regulations apply to you -- then they probably do.  In this post, we will recap the FTC's recent guidance on who should be complying with the Rules.

Highlights from the IAPP Privacy Summit - March 11-13, 2009 Washington, D.C.

Between March 11, 2009 and March 13, 2009, the International Association of Privacy Professionals (IAPP) hosted a Privacy Summit in Washington, D.C. that featured keynote presentations from fraud expert Frank W. Abagnale and information security guru Bruce Schneier. The three-day event included dozens of breakout sessions with industry experts and government officials.  Read some of the highlights below.

Cracking Down: FCC Initiates Enforcement Action Against Hundreds of Telecommunications Carriers For Failing to Certify Compliance With Customer Privacy Rules

On Tuesday, February 24, 2009, the Federal Communications Commission (FCC) issued an Omnibus Notice of Apparent Liability alleging that more than 600 telecommunications carriers have violated Section 222 of the Communications Act, which "imposes the general duty on all telecommunications carriers to protect the confidentiality of their subscribers' proprietary information," and the EPIC Customer Proprietary Network Information (CPNI) Order (22 FCC Rcd 6927), which requires each carrier to certify compliance with the regulations governing customer information.  FCC Chairman Michael J. Copps issued a public statement addressing the enforcement action and highlighting that the FCC "continued to make consumer privacy protection a top priority."  The FCC seeks a $20,000 fine from each of the carriers (around $13 million in total) and has stated that it moderated the amount of the fines because the carriers were small companies and because this was the first year of the certification requirement (certifications were due March 1, 2008).  As the FCC warns in its official Notice, "[t]o the extent that we determine that the proposed forfeiture adopted herein does not have the intended deterrent effect, future noncompliance will face more severe penalties." 

If you've been looking for signs of how the Obama administration intends to enforce privacy and information security regulations, here is one of a few early signs that federal regulators are under orders to step up enforcement efforts and are beginning with the backlog of violations from 2008. 

Identity Theft Tops FTC's Chart of Top Consumer Complaints (Again)

On Thursday, February 26, 2009, the FTC released its list of top consumer complaints and, for the ninth year in a row, identity theft was the number one issue for consumers.  See here for the FTC's release.  Out of 1,223,370 complaints made to law enforcement organizations, identity theft accounted for 313,982 complaints, around 26% of all consumer complaints in 2008.  This represents a 20% increase in identity theft complaints since 2007. 

If the FTC's report is any indication of things to come, it could suggest that the FTC will be moving forward with aggressive plans to enforce federal identity theft regulations on May 1, 2009, as promised.  After Massachusetts revised its identity theft regulations to delay implementation until January 1, 2010 (which we reported here), many businesses have been hoping to see some relief from the looming federal deadline.  Given the sharp uptick in identity theft incidents (which we reported in detail here), indications that the Obama administration wants to aggressively pursue information security (which we reported here), and the fact that the federal regulations are less onerous than those adopted in Massachusetts, the FTC may be less inclined to postpone enforcement beyond May 1st.

Adding to the Patchwork: HITECH Act Sets New "Floor" for Data Breach Notification of Certain Patient Information

On Tuesday, February 17, 2009, President Obama signed into law the widely-debated federal economic stimulus package, officially titled the American Recovery and Reinvestment Act of 2009, and with it enacted the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Much of the media attention on the HITECH Act has focused on the policies promoting health information technology, a topic that President Obama touted throughout his campaign. However, the HITECH Act also contains myriad regulations that expand the security and privacy provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), and generally extends some of those regulations to non-HIPAA-covered vendors of personal health records and their business partners.

If you are hoping that federal lawmakers have used the HITECH Act to finally set a national standard for patient medical information, however, you will be disappointed.

The HITECH Act, like HIPAA, preempts any contrary state laws, but leaves intact any state laws and regulations that impose stricter requirements on the handling of patient information. As a practical matter, this means that if you are covered by HIPAA and the HITECH Act you must meet new minimum standards while continuing to monitor and comply with the ever-increasing patchwork of laws governing patient information in every state in which you operate.

What follows is a more detailed discussion of the provisions of the HITECH Act and how it attempts to provide additional security for patients' health information.


ALERT: Massachusetts Gives Businesses Until January 1, 2010 to Adopt Information Security Programs To Comply With Recent Identity Theft Regulations

On Thursday, February 12, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued a public statement indicating that it is extending the May 1, 2009 deadline to comply with recent Massachusetts identity theft regulations until January 1, 2010. 

The Massachusetts identity theft regulations affect entities that own, license, store or maintain personal information, including social security numbers, state identification numbers and financial account information, about any Massachusetts residents. Under amended regulations filed Thursday, individuals and businesses covered by the regulations must evaluate existing security measures and implement written information security programs on or before January 1, 2010. 

In the OCABR press release, Daniel C. Crane, undersecretary of the OCABR, indicated that the new deadline acknowledges that many businesses are having trouble complying with the new regulations in the wake of recent economic pressures. “We understand the impact of the current business environment, and feel this is an appropriate timeframe for companies to implement the necessary protections.” 

The new deadline makes clear that the OCABR is willing to give businesses additional time to improve information security measures, but also that regulators want all affected businesses to meet the new security standards by 2010. For most affected businesses, the new deadline does not mean they should delay their compliance efforts. Many businesses will need the additional time to analyze existing security threats and implement the necessary administrative, physical and electronic security measures. 

Links:

  • The OCABR homepage
  • The OCABR's February 12, 2009 announcement
  • The amended Massachusetts Identity Theft Regulations (201 C.M.R. 17.00-17.05) are available here (.pdf) or from the OCABR's website here (.pdf)

A bad week for the government - data breaches at federal organizations on the rise

It has been a bad week for the federal government's own information security track record.

The first story comes from the FAA, where hackers broke into the agency's computer systems and stole personal information on some 45,000 individuals. The second story comes from Los Alamos National Laboratory, which confirmed the theft of 67 computers, 13 in the past year alone. In both instances the American people appear to have dodged a bullet. The electronic intrusion into the FAA appears to have been limited to a raid of personal information and did not interfere with air traffic control systems.  Also, the physical thefts at Los Alamos apparently did not result in the disclosure of any classified data (e.g., information on the U.S. nuclear stockpile), though what information was taken is still unknown. In both cases, governmental entities that we would hope to be heavily secured against both electronic and physical thefts appear to have suffered embarrassing breaches.  The moral (one hopes) is that while there may be no such thing as perfect security, all of us - including our friends in the government - may need to be working a bit harder and should have a plan in place ahead of time for managing any incidents that eventually arise.

Links:

Federal Aviation Administration website

Los Alamos National Laboratory website

Trends in Data Breach Incidents, Part 2: Avoiding Accidental Exposure

According to the Identity Theft Resource Center's (ITRC) recently released report (.pdf) on data breaches in 2008, one of the top five causes of data breaches is what the ITRC labels "accidental exposure."   [For our earlier coverage on the ITRC's report see this link.] The ITRC reports that accidental exposure accounted for 95 of the 656 data breaches in 2008.

ITRC considers "accidental exposure" to be those breaches caused by "inadvertent internet/web posting." For example, consider the accidental exposure the ITRC labels as "ITRC20080709-02". In this highly publicized case, an employee at Wagner Resource Group installed the peer-to-peer file sharing software LimeWire on a computer that contained personal information relating to the company's clients. Presumably, the employee installed the software because he wanted to download an MP3, a movie or some piece of software (in violation of copyright law). However, by failing to properly configure the software, the employee inadvertently opened up company files on the computer to any LimeWire user on the Internet. This turned out to be especially disastrous from a public relations standpoint: the exposed data included records on a number of powerful Washington D.C. area attorneys as well as Supreme Court Justice Stephen Breyer. The story was published on the front page of the Washington Post and received attention from other national papers, such as the L.A. Times. While the breach exposed data on only a relatively modest number of people, 2,000 individuals, the fact that the lapse involved some high profile victims created substantial bad press. Referring to the file-sharing software, Wagner Resource Group founder Phylyp Wagner stated "I didn't even know what peer-to-peer was. I do now."

Because accidental exposures are caused by human error, a prime problem with this type of breach is that it generally makes the company look much worse than a breach caused by a hacker or an ill-intentioned insider. A consumer can understand a company being outsmarted by a thief, or even being compromised by a disgruntled ex-employee, but there is often much less forgiveness for companies who appear to have disclosed their information through sheer carelessness. (See the link for the Breach Blog's candid response to the news that personal data may have been exposed by an employee of Vonage placing it online in a Google Notebook.)

Protecting against accidental exposure usually does not require expensive solutions. An appropriate computer usage policy prohibits the installation of unauthorized software, like LimeWire and other peer-to-peer file sharing programs that have come under intense fire from the recording and motion picture companies in the last decade. Educating staff, whether through training programs or the occasional reminder, about what to do and what not to do may often be the least expensive solution to accidental exposure. In addition, system administrators need to make sure they are taking appropriate steps to block or monitor peer-to-peer network traffic originating from inside the company network. 

Economy Delivers A Perfect Storm In Information Security: Data Crimes Rising As Economy Stumbles

According to a recently-released report from McAfee, the downturn in the economy is creating a "perfect information security risk storm." The report, entitled "Unsecured Economies: Protecting Vital Information," can be found here [Note: McAfee requires registration to download the report]. McAfee bases its findings on a worldwide survey of 1,000 IT decision makers.

The McAfee Report makes four key findings:

  1. Increasingly, important digital information is being moved between companies and across continents and is being lost.
  2. The global economic crisis is increasing pressure on companies to cut spending across the board, including spending on data security, which creates more opportunities for outside threats such as cybercriminals. Moreover, increasing layoffs are increasing incentives for insiders to steal confidential information.
  3. Elements in certain countries are emerging as the main threats to data security.  According to the report, “[g]eopolitical perceptions are influencing data policy reality, as China, Pakistan, and Russia were identified as trouble zones for various legal, cultural and economic reasons.”
  4. Cybercriminals have evolved beyond basic hacking and stealing of data.  They are becoming more organized and sophisticated.

In many ways, the global economic crisis could not have come at a worse time for companies attempting to keep their data secure. As layoffs fueled by the troubled economy increase, the number of employees with the motive, means and opportunity to steal valuable data or to sabotage their employer with a damaging data breach is clearly on the rise. According to the McAfee Report, 68% of those surveyed cited "insider threats" as the top threat to essential information. "Data thefts by insiders tend to have greater financial impact given the higher level of data access." 

Coinciding with the increased threat from insiders is a growing and increasingly sophisticated threat from outside groups of cybercriminals. For example, the McAfee report notes that “malware writers now have R&D departments and test departments” and that malware programs are “regularly updated by its developers as to which vulnerabilities to exploit.” According to one source, the number of malicious programs on the internet tripled in September 2008. 

And while the expansion of information crime has led to increased government regulation, it is clear that the complex demands of various state and federal regulatory schemes are increasing the burden on companies already struggling in the weakening global economy. According to the National Conference of State Legislatures, 44 states have enacted legislation requiring notification of security breaches. This leaves companies with the unenviable task of determining what state laws apply and how to make sure they are complying with scores of overlapping, potentially inconsistent state rules. This quagmire has led to calls for Congress to set a single federal standard for information security. A group called the Consumer Privacy Legislative Forum, which includes companies such as eBay, Microsoft and Hewlett Packard, released a statement calling for “comprehensive harmonized federal privacy legislation” and will be outlining recommendations for such legislation next month. The FTC also has recommended in its recent report on Social Security numbers that Congress set federal standards for information security. 

Between the increasing threats to information assets and the confusing morass of new regulations governing information security, businesses are stuck between a rock and a hard place while the funds and personnel needed to address the threats and comply with increased regulation are dwindling. Given recent reports that "[o]rganizations that experienced a data breach in 2008 paid an average of $6.6 million last year to rebuild their brand image and retain customers," the only way through this perfect storm may be to push ahead with efforts to evaluate the increasing security threats and adopt reasonable measures to combat them, as regulators appear to be demanding.

FTC Says "Dumpster Wrong Place for Consumers' Personal Information"

* By Stacy Anderson and Gabriel M. Helmer.

Anyone required to comply with the FTC's Disposal Rule [the text of the rule can be found here], which requires companies to take reasonable steps to dispose of information contained in consumer credit reports, should take note of a recent FTC enforcement action in federal court in the District of Nevada. On December 30, 2008, the FTC filed a complaint against Las Vegas businessman Gregory Navone alleging that he violated the Disposal Rule and the Fair Credit Reporting Act (FCRA) when he discarded forty boxes of documents into a public dumpster behind an office building in Las Vegas. The boxes contained tax returns, mortgage applications, bank statements, photocopies of credit cards and drivers' licenses, and other sensitive customer information collected by Navone's businesses. The FTC seeks monetary damages and an injunction against further violations under the Disposal Rule and the FCRA for Navone's alleged failure to take reasonable measures to protect customer information.  Interestingly, the complaint also asserts claims under the FTC Act on the basis that Navone failed to abide by his own customer privacy policy, which stated:

We take our responsibility to protect the privacy and confidentiality of customer information very seriously. We maintain physical, electronic, and procedural safeguards that comply with federal standards to store and secure information about you from unauthorized access, alteration and destruction. . . . From time to time, we enter into agreements with other companies to provide services to us or make products and services available to you. Under these agreements, the company may receive information about you but they must safeguard this information and they may not use it for any other purposes

While the case remains pending, it serves as a reminder from the FTC on the importance of not only taking reasonable steps to protect sensitive customer information, but also living up to customer assurances regarding information security.

Links:

  • The text of the FTC's Disposal Rule, 16 C.F.R. Part 682 can be found here (.pdf) or from the FTC's website here (.pdf)
  • The complaint filed in FTC v. Navone is available here (.pdf) or from the FTC's website here (.pdf)

Do The Red Flags Regulations Apply to Me? -- Understanding Whether You Are A "Creditor" Under Federal Law

If you are confused about whether you, your company or your clients are subject to federal identity theft regulations, you are not alone. When the Federal Trade Commission (FTC) announced on October 22, 2008 that they were delaying enforcement of the new Red Flags regulations by six months, until May 1, 2009 (which we reported here and here), the FTC admitted that the primary reason for the delay was that many businesses, even whole industries, were “confused” about whether they are governed by the new regulations. (See the FTC’s October 2008 release and Enforcement Policy statement.)

For some industries, this is less a point of confusion and more of a fundamental difference in opinion over whether the federal regulations apply to them at all. For many traditional financial institutions, like banks and credit card companies, there is no dispute because there are specific Red Flags regulations directed at them. See, e.g., 12 C.F.R. Parts 334 & 364. For most other industries, the legal issue at the heart of the matter is whether one can be considered a "creditor" under the general purpose Red Flags regulations, 16 C.F.R. Part 681, and the operative federal statute, the Fair and Accurate Credit Transactions Act of 2003 (FACT Act or FACTA). 

The FTC claims that the term "creditor" applies to any business or entity that allows customers to pay for goods or services after they have been delivered, and has made clear that it intends to enforce the regulations broadly. For example, see the FTC's October 2008 Enforcement Policy. According to the FTC, virtually anyone that bills its customers is a "creditor" subject to the Red Flags regulations. This means utility companies are covered entities (see the comments to the November 2007 Final Rules [.pdf]), but so are consultants, lawyers, doctors, dentists and everyone who gets a check in the mail. The FTC's construction is so broad that it seems to encompass someone selling an autographed baseball card on eBay who only gets paid after delivery, as well as an employee who receives a paycheck every two weeks in exchange for services rendered.  I'll wager that most of us who receive paychecks did not know that somewhere along the line we have become creditors subject to the Red Flags regulations as well as the federal laws governing lending practices.

The real problem with the FTC's interpretation is that it does not seem to bear legal scrutiny.  If everyone is a "creditor", then everyone is subject to a host of legal requirements that are primarily enforced against traditional lending institutions. Because the FTC's broad interpretation of "creditor" would severely expand federal lending laws, it is unlikely to find much support among federal courts. Two courts of appeals issued key decisions in 1990 and 2002 indicating that the term "creditor" was not intended to apply to everyone, but only to entities that we might consider lenders by trade or practice. These cases discredit the FTC's underlying legal position and suggest, as industry groups throughout the country have urged, that the Red Flags regulations only apply to more traditional financial institutions and commercial lenders. 

Below, Ramzi Ajami and I explain in greater detail the underlying legal differences in these positions and discuss why the FTC may find itself unable to enforce the new regulations as broadly as it has announced.


Isn't There Already A Federal Standard Governing Information Security? -- Re-Examining the Gramm-Leach-Bliley Act

* By Stacy Anderson and Gabriel M. Helmer.

As an ever-increasing number of states enact legislation governing identity theft, customer data and personal information, pressure for clear federal legislation governing information security has mounted. For example, in December 2008, the FTC joined the growing number of voices calling on Congress to enact legislation creating a single federal standard for the handling of personal information. (See our report here.) As we see movement towards a unifying federal standard, we are also observing a growing insistence that such legislation be consistent with the customer data security requirements of the Gramm-Leach-Bliley Financial Modernization Act of 1999 (GLBA) and its implementing regulations. As a result, even industries that are not required to comply with GLBA may wish to become familiar with its requirements.

Section 501(b) of GLBA requires agencies with oversight over financial institutions to establish standards relating to administrative, technical and physical safeguards for three purposes: (1) to insure the security and confidentiality of customer information, (2) to protect against any anticipated threats to the security of customer information, and (3) to protect against unauthorized access or use of customer information. 

In 2001, the Department of Treasury, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (FDIC) issued Interagency Guidelines Establishing Standards for Safeguarding Customer Information. These guidelines require that financial institutions adopt an information security plan, which must be approved by the institution’s Board. The plan must assess, manage and control threats that could result in unauthorized disclosure of information. The risk guidelines are flexible – they do not require that institutions implement specific risk control or assessment systems, but rather encourage them to adopt measures appropriate to their circumstances. Institutions are then required to monitor the plan and report to the Board annually. In addition, they must also ensure that their service providers implement appropriate measures to secure customer information. In 2005, the Department of the Treasury, the Board of Governors of the Federal Reserve System, and the FDIC issued the “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.” This guidance requires that institutions develop a response plan to address unauthorized access to customer information. As part of this process, institutions must notify customers if sensitive customer information has been improperly accessed and misuse of that information has occurred or is likely to occur.

In 2002, the Federal Trade Commission (FTC) issued its "Standards for Safeguarding Customer Information," commonly referred to as the Safeguards Rule. The rule applies to financial institutions over whom the FTC has oversight and resembles the interagency guidelines for safeguarding customer information. Like those guidelines, the Safeguards Rule affords institutions considerable flexibility in implementing safeguards. Unlike the guidelines, the Safeguards Rule does not require that the information security plan be approved by the institution's board, and does not contain customer notification requirements such as those set out in the Guidance on Response Programs, although the FTC does encourage entities to consider notifying customers in the event of a breach. In considering these federal regulations, it is worth noting that the FTC's recently issued Red Flag Rule implements the Fair and Accurate Credit Transactions Act of 2003 ("FACT Act"), and not GLBA, although the FTC does anticipate that many institutions may have implemented some of the practices required under the Red Flag Rule as part of their efforts to conform with GLBA.

Of course, it remains to be seen whether broad federal legislation governing customer data security will be enacted and if so, whether GLBA requirements will be used as a blueprint for such legislation. Regardless, an understanding of GLBA requirements and their effectiveness can help inform the debate around such legislation.

Trends in Data Breach Incidents, Part 1: Identity Theft Resource Center (ITRC) Reports Breaches Up 47% in 2008, Hackers Only Responsible for 13.9% of All Incidents

On January 2, 2009, the Identity Theft Resource Center (ITRC) released its report (.pdf) on data breaches in the United States in 2008 (you can read the Washington Post's primer on the ITRC's findings here). The raw numbers are headline grabbing: 656 data breaches in 2008, a 47% increase from 2007. The sharp increase in numbers from 2007 to 2008 could be a result of an increase in data breach incidents, and most of the reporting on the ITRC's report takes this view, but it could also be due to increased media interest, new mandatory reporting laws, and a greater public interest in the issue. As in 2007, the ITRC relied on public reporting of breaches to compile its list, so the ITRC's findings should be expected to increase as public reporting of data breach incidents increases.

The ITRC also reports that over 35.5 million personal and/or financial records are known to have been exposed in 2008. This number covers only the 402 of the 656 reported breaches where a public report indicated how many records were actually exposed (including 16 breaches where no records were actually exposed because the data was encrypted or otherwise protected), and does not include any of the 254 breaches where an unknown number of records were exposed. So the actual number of exposed records is likely much higher, possibly in the range of 58 million records (assuming that the breaches where the numbers are known are representative of the rest, and that the underlying math was done correctly).


Senator Feinstein Introduces Two New Security/Privacy Bills

On January 6, 2009, Senator Dianne Feinstein (D-Cal.) introduced two bills related to data breaches and protection of social security numbers. Bill S. 139, entitled the "Data Breach Notification Act," would require any federal agency or business entity to notify an individual of a security breach involving personal information “without unreasonable delay.” The proposed bill defines “reasonable delay” as including “any time necessary to determine the scope of the security breach, prevent further disclosures, and restore the reasonable integrity of the data systems and provide notice to law enforcement when required.” In addition to requiring notice to the affected individual(s), the bill requires that notice be provided to “major media outlets” within a state if the number of state residents affected by the breach exceeds 5,000, and also requires that notice be given to the Secret Service if the number of affected individuals exceeds 10,000 or if the affected database contains information of more than 1,000,000 individuals. The bill provides for limited exceptions for law enforcement or national security purposes. 

The bill requires that the notice include (1) a description of the categories of information that were acquired by an unauthorized person, (2) a toll-free number that the individual may use to contact the agency or business and learn what types of information the agency or business maintained about the individual, and (3) the toll-free contact telephone numbers and addresses of major credit reporting agencies. The first requirement on the notification's content is particularly interesting, as several states (including Massachusetts) currently forbid the notification from including the nature of the breach. Bill S. 139 states that it does not provide a private right of action, meaning that a private individual may not bring suit under the bill. Finally, the bill provides that its provisions "shall supersede any other provision of Federal law or any provision of law of any state relating to notification by a business entity . . . or agency."

Senator Feinstein introduced a similar bill in 2007 which failed to pass the Senate. This year’s version, which has no co-sponsors, has been referred to the Judiciary Committee. 

Bill S. 141, entitled the "Protecting the Privacy of Social Security Numbers Act," is co-sponsored by Senators Judd Gregg (R-NH) and Olympia Snowe (R-ME). It prohibits any person from displaying, selling, or purchasing an individual's Social Security number without the affirmative, express consent of the individual, subject to a number of exceptions (e.g., for national security, law enforcement, or public health purposes, or if the display is required, authorized, or excepted under any Federal law). The bill also would prohibit any federal, state, or local government from displaying Social Security numbers on public records posted on the Internet or from printing them on government checks. [These provisions parallel recent recommendations from the FTC.] Further, the bill prohibits any federal, state, or local agency from employing inmates in any position that would give the inmate access to Social Security numbers of other individuals. Finally, the bill would provide limits on when businesses may ask customers for their Social Security numbers. 

Unlike the Data Breach Notification Act, the Protecting the Privacy of Social Security Numbers Act provides for a private right of action, allowing any aggrieved individual to sue for an injunction or monetary damages (which could be tripled if a court finds a willful and knowing violation). As with the Data Breach Notification Act, the Protecting the Privacy of Social Security Numbers Act has been referred to the Judiciary Committee.

Given the many challenges facing the federal government this upcoming year as it transitions into the Obama administration, it is difficult to predict whether Senator Feinstein's bills will face resistance. However, all signs point to a recession-driven boom in cybercrime, identity theft and security breaches that will continue to expand in 2009 as it did in 2008.  Given this environment, Congress will probably enact some version of these proposals sooner rather than later.

Massachusetts Businesses Ask For More Time To Comply With State Identity Theft Regulations

A number of high-profile Massachusetts businesses and industry groups have sent Massachusetts governor Deval Patrick a letter requesting that the governor reissue existing identity theft regulations and give battered businesses two additional years to develop information security programs. This comes as a prelude to the public hearing scheduled today before the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) regarding the upcoming May 1, 2009 deadline for businesses to comply with recent Massachusetts identity theft regulations (201 C.M.R. 17.00 et seq.).  The companies and organizations signing the letter included the Massachusetts Business Roundtable, the Massachusetts Package Store Association, the Massachusetts Hospital Association, Google, Comcast, CitiGroup, AOL, Microsoft, The Gap, Verizon and Wal-Mart.

Mass High Tech's story on this event can be found here.

Testimony of the Greater Boston Chamber of Commerce at the January 16, 2009 hearing can be found here.

The Privacy & Security Law Report reports that, at the hearing, representatives of employers, small businesses, financial institutions and universities asked the OCABR to extend the deadline for compliance beyond May 1st. According to these representatives, it will be "virtually impossible" for most of the covered entities to reach compliance by May 1, 2009. In addition, they urged the OCABR to review the new regulations again and make changes.   Whether the OCABR will be swayed by the views of those attending the hearing remains to be seen. Given the economic climate and the costs associated with upgrading systems to meet the new regulations, it is a safe bet that most covered entities would breathe a sigh of relief if the OCABR decides to extend the compliance deadline.

2.13.2009 UPDATE: As we report in our alert, OCABR has responded to this request by filing amended regulations that postpone the compliance deadline by eight months, to January 1, 2010. 

FTC Chief Privacy Officer Mark Groman Presents At The Boston Bar Association

On Wednesday, January 14, 2009, the Boston Bar Association’s Privacy Law Committee hosted FTC Chief Privacy Officer Mark Groman for a brown bag lunch presentation entitled “The View from the Federal Trade Commission’s Chief Privacy Officer.” Here are a couple of highlights from the presentation:

  • Mr. Groman views law firms as businesses subject to FTC Red Flags regulations (“we regulate you, too”), so law firms should be developing identity theft prevention programs to comply with the regulations by the May 1, 2009 deadline.
  • To comply with FTC’s Red Flags regulations, companies need to use a “risk-based process” to evaluate potential threats and take reasonable and appropriate steps to mitigate them. Every business needs to adopt a written plan, but the FTC will not be talking to us “about particular technology” because there is a consensus that technology moves too quickly for regulators to approve or disapprove of any particular technology or counter-measure.
  • The FTC has brought 23 cases relating to information security issues. If you need guidance on what security measures the FTC believes must be implemented to meet federal regulations in specific circumstances, Mr. Groman suggested that we review the decisions in those cases. In particular, he suggested that everyone should be taking what he views as simple and inexpensive measures to protect against the SQL injection exploit, in which an attacker submits input through a company’s website that the company’s database then executes as commands. (The FTC website refers to this exploit as one of many “commonly known and reasonably foreseeable attacks” that can be protected against by implementing “simple, free or low-cost, and readily available security defenses.”)
  • The primary questions businesses should be asking themselves when they are drafting an identity theft prevention program are: (1) what have you done to date to protect against existing threats?; (2) what is “the technology of the day” used to address those threats?; and (3) “how much does it cost?”
  • Mr. Groman confirmed that there is no one-size-fits-all solution to adopting an identity theft prevention program, and the FTC does not have a model plan to provide affected companies. “Privacy plans are like pants; they have to be tailored.” 
  • The fact that there has been a data breach incident does not mean that a company’s information security program is necessarily at fault. The FTC has investigated “plenty of breaches where the [company’s] security was reasonable” and has also investigated companies that have not had any incidents where the security was insufficient. 
  • The FTC recognizes that businesses, lawyers and whole industries are confused by what the new Red Flags regulations require. The FTC is likely to issue additional guidance on this topic soon.
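To make concrete the “simple, free or low-cost” SQL injection defense Mr. Groman refers to, here is an added illustration (not from the presentation or the FTC) of one website lookup written two ways: with the visitor's input pasted into the SQL text, and with a parameterized query. The customer table and inputs are constructed for the example.

```python
import sqlite3

# Constructed sample data: a small in-memory customer table standing in for
# a company database sitting behind a web lookup form.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, ssn_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, ssn_last4) VALUES (?, ?)",
        [("alice@example.com", "1234"), ("bob@example.com", "5678")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # Web-form input is spliced straight into the SQL text, so the database
    # cannot distinguish the company's query from the visitor's input.
    sql = f"SELECT email, ssn_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    # Parameterized query: the driver binds the value to the '?' placeholder,
    # so the input is only ever treated as data, never as SQL. Same length,
    # no extra software: this is the "free" defense the FTC has in mind.
    sql = "SELECT email, ssn_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

def demo() -> dict:
    conn = make_db()
    honest = "alice@example.com"
    # Constructed hostile input: closes the quoted string and appends a
    # condition that is true for every row, so the vulnerable query
    # returns the whole table instead of one customer.
    hostile = "x' OR '1'='1"
    return {
        "honest_vuln": lookup_vulnerable(conn, honest),
        "honest_param": lookup_parameterized(conn, honest),
        "hostile_vuln": lookup_vulnerable(conn, hostile),    # every row leaks
        "hostile_param": lookup_parameterized(conn, hostile),  # no rows
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

For the honest address both versions return the same single row; only the parameterized version keeps that behaviour when the input is hostile.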

FTC Issues Guidance to Businesses on How To Handle Social Security Numbers

Anyone mystified by what practices the FTC wants businesses to improve on or abandon in response to federal “Red Flags” regulations received some specific guidance in December, when the FTC released the report Security in Numbers - SSNs and ID Theft. The new report articulates a series of FTC recommendations with respect to the handling of Social Security numbers (SSNs) based upon the work of the President’s Identity Theft Task Force, which was established in May 2006 and led to an extensive fact finding effort summarized in the FTC’s November 2007 staff summary report (which can be found here [.pdf]). For anyone subject to new federal and state identity theft regulations, the Report helps identify some specific steps they should consider implementing by May 1, 2009, when the FTC will begin enforcing federal identity theft regulations. 

The FTC Report first makes two key recommendations that should be considered when developing an identity theft prevention program:


ALERT: Massachusetts Gives Businesses Until May 1, 2009 to Adopt Comprehensive Information Security Programs To Comply With Recent State Identity Theft Regulations

In September, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued broad identity theft regulations that require virtually every business that retains information on Massachusetts residents to develop comprehensive policies and procedures to address the risk of identity theft by January 1, 2009. 

On Friday, November 14, 2008, OCABR announced that it will give businesses until May 1, 2009 to comply with the new regulations. This move parallels the October announcement by the Federal Trade Commission that it is delaying enforcement of federal identity theft regulations until the same date, May 1, 2009. 

In conjunction with the recently enacted Massachusetts identity theft statute, Mass. Gen. Laws ch. 93H, the Massachusetts identity theft regulations published as 201 CMR 17.00 set specific standards for businesses that own, license, store or maintain personal information about any Massachusetts residents. There are several key provisions in the new regulations:

  • Businesses subject to the regulations include any company, whether or not based in Massachusetts, that owns, licenses, stores or maintains “personal information” about Massachusetts residents.
  • “Personal information” is defined to include a resident’s name in combination with a Social Security number, driver’s license number, credit card or bank account information.
  • Affected businesses are required to develop, implement, maintain and monitor a comprehensive information security program that identifies and mitigates the risks of potential identity theft.
  • Businesses are required to set limits on when employees may access, keep and transport records containing personal information outside of company offices and impose disciplinary measures on employees who violate the information security policies.
  • The regulations also specifically require that computer systems containing personal information be protected by encryption, secure user logins, firewall systems, virus and malware protection and reasonably up-to-date system software.

The Massachusetts Attorney General is authorized to enforce these regulations, but at this stage, as with any new regulatory framework, the form and level of government enforcement is unclear. However, the new regulations direct the Attorney General to take into account the size and nature of the business, as well as the resources available to it, when assessing compliance.

2.13.2009 UPDATE: As we report in our client alert, the OCABR has filed amended regulations to extend the deadline for compliance with Massachusetts identity theft regulation to January 1, 2010.

ALERT: FTC Gives Businesses Until May 1, 2009 to Adopt Identity Theft Prevention Plans that Comply With Recent FTC "Red Flags" Regulations

On Wednesday, October 22, 2008, the Federal Trade Commission issued an Enforcement Policy Statement that it will delay some elements of enforcement of recent “Red Flags” regulations until May 1, 2009, instead of the original November 1, 2008 date. Citing uncertainty and confusion within many industries over whether they are covered by the new regulations, the FTC indicated that it will not seek to enforce the regulations on November 1, 2008, when all affected businesses were originally required to come into compliance.  This delay does not apply to users of consumer reports handling notices of address discrepancies, which still has a November 1, 2008, deadline. Likewise, enforcement against banks, credit unions and other financial institutions by the U.S. Treasury, Federal Reserve, Federal Deposit Insurance Corporation and other agencies is not affected by the FTC’s action.

The “Red Flag” rules had their genesis in 2003, when Congress enacted the Fair and Accurate Credit Transactions Act, 15 U.S.C. § 1681 (“FACTA”). FACTA required the FTC and a group of other regulatory agencies and committees to adopt regulations to help consumers avoid the growing epidemic of identity theft. Under the final “Red Flags” regulations that came into effect on January 1, 2008, U.S. companies that maintain customer accounts used to make periodic payments, transfers or transactions were initially given until November 1, 2008 to develop formal policies to detect the warning signs or “Red Flags” of potential identity theft and set up procedures to prevent and mitigate the harm caused by identity theft. The FTC’s latest announcement provides businesses with an additional seven months, until May 1, 2009, to assess whether they are covered by the “Red Flags” regulations and put in place a compliant Identity Theft Prevention Plan.

While the language of the regulations covers “financial institutions” and “creditors” maintaining “covered accounts,” the FTC has made clear that the “Red Flag” regulations are intended to cover a broad range of businesses, many of which may not consider themselves traditional “financial institutions”. In particular, the FTC maintains that the new regulations apply to: (1) businesses that maintain any type of account that permits multiple payments or transactions or any other account that presents a reasonably foreseeable risk of identity theft, (2) credit card issuers, and (3) companies that use or receive consumer credit reports. 

The FTC estimates that the new regulations apply to over 11 million businesses in the U.S., including lenders, mortgage brokers, and brokerage firms, but also automobile dealers, utilities and telecommunications companies, collection agencies and other businesses that participate in credit decisions about their customers. Any business that provides customers with any type of account that permits the customer to make repeated payments or enter into regular financial transactions needs to assess whether it is subject to the new “Red Flags” regulations.

If your business is covered by the new “Red Flag” regulations, you will need to develop an Identity Theft Prevention Plan containing procedures to:

  1. Identify any indicators of a possible risk or existence of identity theft in its business — what federal regulators are calling “Red Flags” — such as discrepancies in customer information and suspicious account activity.
  2. Respond appropriately to any Red Flags in order to prevent identity theft from occurring, including by monitoring suspicious activity, contacting customers and notifying law enforcement.
  3. Continually assess the identity theft risks to customers and update the company’s Identity Theft Prevention Plan as necessary.

In addition, the new Red Flag regulations require an affected business to obtain approval from its board of directors for the Identity Theft Prevention Plan, train staff to administer the program and exercise oversight over any service providers retained to manage customer accounts and information. 

At present, it is still unclear what form the FTC’s enforcement of the “Red Flags” regulations will take. The regulations do provide for enforcement actions, regulatory penalties and fines, but do not provide individuals with a right to sue for failure to comply with the new rules.