The key issue in the case is whether medical practices should be considered "creditors" under the Red Flags Rule and the Fair and Accurate Credit Reporting Act (FACTA or the FACT Act).  The case follows lawsuits filed beginning in 2009 by the American Bar Association (ABA) and the American Institute of Certified Public Accountants (AICPA) to exclude lawyers and accountants from the scope of the new rules.  In October 2009, Judge Walton ruled that lawyers were not "creditors" subject to the Red Flags Rule.  The FTC has appealed the order and the Unites States Court of Appeals for the District of Columbia Circuit is expected to issue a decision clarifying the scope of the law.

In the recently approved stipulation, the AMA and the FTC have agreed to stay their dispute until the Court of Appeals issues its opinion.  The FTC has also agreed to delay enforcement of the Red Flags Rule for 90 days after the Appeals Court issues its ruling.

According the CDT's complaint, Spokeo is in violation of the Fair Credit Reporting Act, which requires "consumer reporting agencies" to take certain actions to protect consumer privacy, including allowing consumers the right to access information about themselves, to correct mistakes and to be advised of adverse decisions made based on Spokeo's data.  The FCRA also strictly limits the disclosure of consumer data to a limited number of "permissible purposes," yet the CDT complaint does not appear to raise claims regarding Spokeo's disclosure of consumer data to its users.  The complaint does allege that Spokeo's actions amount to unfair and deceptive acts in violation of the FTC Act.

The FTC charges stem from breaches in security that occurred in 2009, when hackers accessed Twitter employee accounts and used administrative controls to access the Twitter accounts of high-profile users, including Barack Obama.  (Under hacker control, President Elect Obama's Twitter account apparently "offered his more than 150,000 followers a chance to win $500 in free gasoline.")  Twitter candidly announced the first security incident in January 2009 and blogged about a second incident in April 2009.

The FTC Complaint (.pdf) lists the following security flaws among Twitter's failings:

• Twitter allegedly did not have policies that required their administrators to select hard-to-guess passwords and instead, administrators were permitted to use "weak, lowercase, letter-only, common dictionary word[s]" as administrative passwords.
   
• Twitter employees were allowed to store administrative passwords in plaint text form, so that once hackers broke into their accounts, the hackers had full administrative access to other users' accounts.
   
• Twitter did not disable administrative accounts after a number of unsuccessful attempts, allowing hackers easily run automated tools to break into the accounts.
   
• Twitter administrators were not required to change their passwords regularly.
• Twitter did not limit administrative access to user accounts to those employees that needed such access.
   
• Twitter did not do enough to restrict administrative access to authorized individuals, including by requiring administrators to log into a separate employee website or restrict administrator access to specific IP addresses.

What may be a key issue for many online businesses developing social networking sites is that, according to the FTC, users' privacy settings may impose an implicit duty on the website operator to take certain security precautions in order to preserve the user's settings. In Twitter's case, the site allowed users to make some "tweets" (short user messages/postings) private and the alleged lack of security allowed hackers to access those private messages.  The FTC Complaint (.pdf) claims that "Twitter has engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security to: prevent unauthorized access to nonpublic user information and honor the privacy choices exercised by its users in designating certain tweets as nonpublic."  According to the FTC, the lack of security was so severe that Twitter's claim that user's privacy was protected amounted to a deceptive act under the FTC Act. 

In its Agreement (.pdf) with the FTC, Twitter consented to adopt a comprehensive information security program and submit independent security assessments to the FTC every other year for the next 10 years.  In today's blog posting, Twitter indicated that "[e]ven before the agreement, we'd implemented many of the FTC's suggestions and the agreement formalizes our commitment to those security practices."

(1:41:12 PM) Bradley Manning: hi
(1:44:04 PM) Manning: how are you?
(1:47:01 PM) Manning: im an army intelligence analyst, deployed to eastern baghdad, pending discharge for “adjustment disorder” [. . .]
(1:56:24 PM) Manning: im sure you’re pretty busy…
(1:58:31 PM) Manning: if you had unprecedented access to classified networks 14 hours a day 7 days a week for 8+ months, what would you do?

The culprit for this unintentional optimism appears to be a "clickjacking" worm that exploited a vulnerability in web browsers used to access the victim's Facebook account.  While the victim is logged in to Facebook, his or her account will spontaneously "Like" web links with titles such as "LOL This girl gets OWNED after POLICE OFFICER reads her STATUS MESSAGE."  As a result, a user's Facebook friends are encouraged to visit the sites.  Clicking the link will take users to a website that states "Click here to continue" and clicking the message apparently causes subsequent users' accounts to begin the same automatic referrals to their friends. 

If you have begun to notice that you are "Like"-ing websites more than usual, Sophos makes the following recommendation to users who have been infected:

If you believe you may have been hit by this attack, view the recent activity on your news feed and delete entries related to the above links. Furthermore, you should view your profile, click on your Info tab and remove any of the pages from your "Likes and interests" section.

Several members of Congress have once again asked the Commission to delay the Rule’s enforcement, through the end of the year, to give Congress time to reach a consensus on the types of businesses that should be covered under the Rule. The Commission believes that a limited further postponement is warranted so that it does not begin to enforce a regulation that Congress plans to supersede.

                                                                 *    *    *

The Commission urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays.

In October 2009, the House of Representatives unanimously passed HR 3763 (.pdf), a bill that would exempt from application of the Rule law firms, accounting firms and medical practices with 20 or fewer employees.  This week, on Tuesday, May 25, 2010, Senators John Thune and Mark Begich introduced S.3416 (.pdf), a parallel bill that amends the law to exclude the same small firms and practices.  The bill is currently before the Senate Committee on Banking, Housing, and Urban Affairs.

This move comes days before the June 1, 2010 deadline that the FTC set in October for enforcement of the Red Flags Rule.  Beginning in 2008, the FTC created controversy by construing the Red Flags Rule to apply to a wide range of "creditors", including anyone that invoices customers after providing goods or services.  As a result, the FTC has faced backlash from law firms, accounting firms and medical practices.  Groups representing these industries have filed lawsuits against the FTC to prevent them from applying the Red Flags Rule.  

While it seems likely that Congress will exclude some business from the application of the Red Flags Rule, the current efforts may not represent cause for widespread celebration in the legal, accounting and medical communities.  If the new bill expressly excludes small practices, one effect of the new law may be to confirm a legislative intent that larger law firms, accounting firms and medical practices (i.e., those that employ more that 20 individuals) remain subject to the Red Flags Rule. 

The FTC's Red Flags Rule is a set of regulations that require financial institutions and creditors to adopt written identity theft prevention programs.  The FTC sparked considerable controversy when it announced that the Rule applies broadly to a range of businesses unused to being subjected to financial industry regulation (i.e., any individual or company that bills its customers after it provides goods or services).  As a result, a number of industry groups have filed lawsuits to challenge the FTC's application of the Red Flags Rules to lawyers, accountants and, most recently, medical professionals.

As Tuesday approaches, we look to the FTC to announce whether the agency is ready to begin enforcement of the Red Flags Rule.

Among the many provisions of the draft bill is the requirement that any entity that collects information on individuals such as name, address, email address and telephone number, maintain "appropriate administrative, technical, and physical safeguards" to secure the personal information.  The draft bill would also require the FTC to implement new privacy rules and police the new safeguards. 

The bill is also available from Rep. Boucher's website.

Facebook rolled out its Facebook Chat feature in February of this year.  The service allowed users to send live text messages to other Facebook users on their "Friends" list.  The flaw apparently allowed users to listen in on these conversations, as well as see other private information about friends' Facebook accounts.

Once Facebook was informed of the exploit, Chat services quickly became unavailable.  A few hours later, Facebook provided the following statement:

For a limited period of time, a bug permitted some users’ chat messages and pending friend requests to be made visible to their friends by manipulating the “preview my profile” feature of Facebook privacy settings. When we received reports of the problem, our engineers promptly diagnosed it and temporarily disabled the chat function. We also pushed out a fix to take care of the visible friend requests which is now complete. Chat will be turned back on across the site shortly. We worked quickly to resolve this matter, ensuring that once the bug was reported to us, a solution was quickly found and implemented.

This is an ironic twist in Facebook's recent efforts to combat criticism of the service by adding more advanced privacy features; however, the problem appears to have been resolved. 

Unfortunately for U.S. businesses, the survey found that data security breaches In the U.S. were more expensive that in other countries, $204 per customer on average.  The survery found that the existence of breach notification laws, such as the 45 state notification laws adopted in the U.S., correspond to substantially increased costs of data breaches.

The survey's other findings include:

• The most expensive breach remediation cost one U.S. company $31 million, while the least expensive was $750,000.
• 35% of all breaches involved outsourced data provided to third parties, while 36% of breaches were caused by hackers.
• Businesses that have a Chief Information Security Officer (CISO) incurred reduced costs for data breaches, 21% less on average.

The Fair Use Doctrine is derived from Section 107 of the Copyright Act, which reads:

[T]he fair use of a copyrighted work . . . for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.

The CCIA Report examines industries that benefit from the Fair Use Doctrine, particularly Internet search engines, software developers and the makers of music and media players, and concludes that "exceptions to copyright protection . . . promote innovation and are a major catalyst of U.S. economic growth."  The report cautions that these findings do not necessarily call for scaling back copyright protections:

Certainly, copyright protection provides an incentive for the production of creative works and these works have a positive impact on the U.S. economy.  The positive aspects of copyright protection should not, however, obscure that fair use is also a vital economic driver.

The CCIA report does not explain in detail what "fair use" helped drive the growth of MP3 players, but everyone should keep in mind that, as far as current caselaw is concerned, we still need to pay for songs downloaded from iTunes. 

Digati was arrested on March 8, 2010 for violations of 18 U.S.C. Sec. 875(d), which prohibits extortionate communications "containing any threat to injure the property or reputation of the addressee."

The resident of Chino, California, was a former agent and manager at New York Life, but the relationship apparently soured after Digati purchased a variable universal life insurance policy.  When Digati was disappointed by the financial returns on his investment, he began to demand a refund a refund of the $49,576 in premiums he had paid. These demands apparently escalated to around $200,000 and then $3 million.

When his demands were denied, Digati allegedly registered the www.newyorklifeproducts.com domain and threatened to use the site, along with his presence on social networking sites and spam email sent to millions of potential customers to smear New York Life.  The indictment provides some colorful excerpts from Digati's threats, including:

At this point, you're probably asking yourselves why should I even listen to this crazy fool, what can he do and why should I pay him.  NUISANCE VALUE is why, I am going to cause you millions of dollars in lost revenue, good faith and general trust in your company.

I have 6 MILLION emails going out to couples with children age 25-40, this email campaign is ordered and paid for.  2 million go out on the 8th and every two days 2 million more for three weeks rotating the list.  Of course it is spam, I hired a spam service, I could care less, The damge [sic] will be done.

I am huge social networker, and I am highly experienced.  200,000 people will be directly contacted by me through social networks, slamming your integrity and directing them to this website within days.

New York Life turned Digati's emails over to the FBI, who investigated and ultimately arrested him in California.  Digati faces a maximum sentence of 2 years in prison and $250,000 fine. 

So it's no surprise that Google, like other technology and telecommunications companies, regularly receives demands from government agencies to remove content from our services. Of course many of these requests are entirely legitimate, such as requests for the removal of child pornography. We also regularly receive requests from law enforcement agencies to hand over private user data. Again, the vast majority of these requests are valid and the information needed is for legitimate criminal investigations. However, data about these activities historically has not been broadly available. We believe that greater transparency will lead to less censorship.

The issue has been somewhat controversial in the wake of the expansion of government requests in recent years.  The Google Tool maps the number of data requests and removal requests that Google received between July 1, 2009 and December 31, 2009.  Google indicates that it will be updating this data every six months.

The GLBA regulations issued by these agencies require financial institutions to provide initial and annual privacy notices to customers.  On December 1, 2009, the agencies adopted a Model Form (.pdf) based on length quantitative testing and research to provide financial institutions with a safe harbor for compliance with the privacy notice requirement.  Financial institutions are still free to draft their own privacy notices, but are responsible for making sure that their own notices contain all the required elements. 

The online form builder consists of a linked set of instruction (.pdf) that leads financial institutions to one of four forms that are filled out depending on whether the company is providing customers with a right to opt-out or elects to allow affiliate marketing. 

GLBA Privacy Notice Forms:

• Privacy Notice Form 1 (.pdf): if you provide an opt out and you want to include affiliate marketing
   
• Privacy Notice Form 2 (.pdf): if you provide an opt out and you do not want to include affiliate marketing
   
• Privacy Notice Form 3 (.pdf): if you do not provide an opt out and you want to include affiliate marketing
   
• Privacy Notice Form 4 (.pdf): if you do not provide an opt out and you want to include affiliate marketing
   

The 14-page indictment (.pdf) alleges that in 2005 Drake received Gorman's contact information from "Person A," an unnamed congressional staffer that had a "close, emotional friendship" with Drake.  Drake allegedly obtained an anonymous email account with Hushmail and contacted Gorman to "volunteer[ ] to disclose information about NSA." 

After Gorman obtained her own Hushmail account, Gorman allegedly emailed her hundreds of times with information about the NSA and its Signals Intelligence (SIGINT) activities.  Drake is also accused of smuggling classified documents out of the NSA, including his own handwritten notes, and doctoring documents so he could provide them to Gorman without the markings that identified the information as classified.  Based on these emails, Gorman published a series of articles between 2006 and 2007 that federal prosecutors claim contain classified information.  Drake is charged with violations of the Espionage Act, as well as lying to FBI agents, destroying evidence and obstructing the investigation of his activities. 

In its press release on Thursday, the U.S. Department of Justice stated that:

As alleged, this defendant used a secret, non-government e-mail account to transmit classified and unclassified information that he was not authorized to possess or disclose. As if those allegations are not serious enough, he also allegedly later shredded documents and lied about his conduct to federal agents in order to obstruct their investigation

The federal public defender representing Drake, James Wyda, told the New York Times that “Mr. Drake loves his country.  We look forward to addressing these matters in a public courtroom.”

Hushmail is an encrypted email service that allows users a certain level of anonymity.  Hushmail's website states:

Hushmail can protect you against eavesdropping, government surveillance, unauthorized content analysis, identity theft and email forgery. But using Hushmail does not put you above the law.

and

We are committed to the privacy of our users, and will absolutely not release user data without an order that is legally enforceable under the laws of British Columbia, Canada, which is the jurisdiction where our servers are located.

From the face of the indictment in the Drake case, it appears that the FBI and federal prosecutors managed to obtain a court order in Canada to obtain the release of Drake's email archives.

The breach itself occurred in December 2007 when hackers used a "SQL injection" attack to obtain data on over 100,000 Davidson's customers from the firm's online account system.  (FINRA's announcement alleges that the breach affected 192,000 customers, but court filings and the hackers'  own claims put the number as high as 300,000).  Davidson remained unaware of the breach until January 2008, when they received an email from Robert Borko, an Eastern European man, who demanded that Davidson pay him $80,000 for the return of the data and a "security consultation."  Borko suggested in broken English that Davidson did "not want to involve FBI here and we can have agreement like businesman.”

Davidson instead worked with the U.S. Secret Service to snare the hackers / "security consultants" behind the breach.  Ultimately, this led to the indictment of not only Borko, but also Aleksandrs Hoholko, Jevgenijs Kuzmenko and Vitalkijs Drozdovs, three Latvian men who attempted to pick up Davidson's blackmail payment in a Western Union in the Netherlands.  Hoholko, Kuzmekno and Drozdovs were arrested in February 2008 by the Netherlands High Tech Crime Unit and extradited to the United States, where they have pled guilty to extortion charges.  [These and other colorful details of the breach and blackmail attempt can be pulled from the filings in the criminal case against the Latvian men, including the defendant's motion to dismiss (.pdf) and the government's response (.pdf).]

Davidson spent $1.3 million on credit monitoring for its customers and settled a class action last year by agreeing to pay up to $1 million for any harm to its customers [see the Davidson settlement site].  At present, Davidson reports that no customer has been the victim of identity theft as a result of the intrusion.

According to the FINRA press release and the parties' April 9, 2010 letter of consent (.pdf), FINRA claims that Davidson failed to adopt the minimum security measures required by Regulation S-P, when it made its customer database available over the Internet.  In particular, FINRA found that Davidson violated Reg S-P because the firm:

• did not encrypt the customer database;
   
• did not review web server logs which identified the SQL injection attacks;
   
• did not regularly review perimeter security logs (even though "the attacks were not visible on those logs");
   
• did not have any written procedures in place for the review of web server logs;
   
• did not have an intrusion detection system in place; and
   
• did not have any written procedures "setting forth an information security program designed to respond to intrusions."

FINRA specifically found it a compelling that that Davidson had retained independent security consultants in 2006 and 2007 and implemented the majority of the consultants' recommendations, but had failed to put in place the recommended intrusion detection system.  Even without the system, the security consultants were apparently unable to breach Davidson's security.

Regulated broker-dealers and other financial institutions subject to Regulation S-P or other Gramm Leach Bliley Act (GLBA) regulations, including the FTC's Safeguards Rule, should take note of the alleged violations in this case.  Regulated entities with online customer accounts should consider whether they have implemented intrusion detection systems, routinely monitor web server logs, and have adopted written incident response procedures.

The federal court sentencing entries states that after Gonzalez serves his 240-month sentence, he will be subject to 3 years of supervised release, fines and substantial restitution, to be determined at hearings scheduled in June.  The Department of Justice press release (.pdf) details some of Gonzalez's activities, which included:

• Wardriving: "driving around in a car with a laptop computer looking for unsecure wireless computer networks of retailers."
• Installation of sniffer programs to capture credit and debit card numbers used at retail stores.
• Selling credit and debit card numbers to others for fraudulent use.

The DOJ press release also indicates that while six of Gonzalez's co-conspirators have been captured (as far away as in Germany and Turkey), Gonzalez's activities may have compromised "tens of millions of credit and debit card numbers, affecting more than 250 financial institutions."

In January, we posted details from the debate during Gonzalez sentencing including his claim that he suffered from "internet addiction."  At that time, Gonzalez's attorneys requested a sentence of 15 years for his crimes. 

Apparently the dealership installed the GPS-enabled devices so that cars can be immobilized and repossessed when a customer fails to make scheduled payments. The web-based system developed by Pay Technologies apparently lets auto dealerships trigger the horn and disable the car's ignition system from the relative safety of the Internet.  (Something you may want to be aware of if you are financing a car these days.)

Ramos-Lopez was laid off from Texas Auto Center in February (Wired reports this event as a "workforce reduction") and apparently retained a username and password to the dealership account.  Weeks later, he used the credentials from home to access the account and trigger the immobilization devices.  His reign of terror, which included changing customer names to "Tupac," was apparently somewhat modest.  While he had access to all 1,100 cars in the system, the 100 cars affected were the result of Ramos-Lopez going through the customer database in alphabetical order.  Austin's High Tech Crime Unit arrested Ramos-Lopez on Wednesday after police traced the IP address he used to his home.

• IC3 received 336,655 complaints in 2009, an increase of 22% over the prior year.
   
• The dollar loss caused by incidents reported to IC3 increased more than 100% to $559.7 million.
   
• 146,663 complaints were referred to local, state and federal law enforcement agencies.
   
• Complaints were typically not referred to authorities when "there was no documented harm or loss (e.g., a complainant received a fraudulent solicitation email but did not act upon it)" or when there was no jurisdictional tie to the United States.
   
• 16.6% of all complaints involved fraudsters pretending to be affiliated with the FBI.
   
• 11.9% of all complaints involved a seller's failure to deliver items purchased online or a buyer's failure to pay for goods delivered.

The IDF has apparently begun distributing posters depicting a fake Facebook page with friend requests from Iranian and Syrian presidents as well as a Hezbollah chief with the question: "You think everyone is your friend?"