Incident(s) of the Week: Recent Updates from Prior Incidents

1.  The FTC Fines Las Vegas Man $35,000 for Dumping Customer Financial Records In Public Dumpster

This week, the FTC finalized a $35,000 settlement with Gregory Navone, the real estate broker who left 40 boxes of customer tax returns, bank statements, consumer reports and other financial records in a public dumpster behind an office building in Las Vegas.  The defendant agreed to the fine, which amounts to $875 per box, as well as a stipulated order (.pdf) requiring him to adopt a comprehensive written information security program.  We first posted on this case a year ago, after the FTC filed its complaint (.pdf). 

In addition to the dumping of consumer financial information, the FTC alleged that Navone had failed to implement physical and electronic security procedures or to take reasonable steps to secure the customer records he stored at home in his garage.  According to the FTC, these activities violated the FTC Act, the Fair Credit Reporting Act (FCRA) and Navone's own information security policy, which read:

We take our responsibility to protect the privacy and confidentiality of customer information very seriously.  We maintain physical, electronic, and procedural safeguards that comply with federal standards to store and secure information about you from unauthorized access, alteration and destruction.

(See Complaint (.pdf), Para. 9).  Everyone subject to document destruction laws may want to note this case and keep in mind that $35,000 is the fine imposed on an individual / small business.

2.  Fight Breaks Out Over Whether Hacker Responsible For Largest Data Breach In History Suffers From "Internet Addiction"

In December, Albert Gonzalez, aka "segvec," "soupnazi" and "j4guar17" pled guilty to charges that he masterminded the theft of over 100 million consumer credit card numbers and other financial information from Heartland Payment Systems, 7-Eleven and other companies.  We posted on his indictment last August and again on his curious role as government informant.  The public recently gained a new window on Gonzalez's soul from filings made by defense attorneys that portray the hacker as an "Internet addicted" youth compelled to commit cybercrime.  Collecting statements from Gonzalez's psychologist, family members and a former girlfriend, the defendant's sentencing memorandum (.pdf) provides an interesting point of view on the life of the hacker:

As a young boy, Gonzalez was an outwardly normal enough kid -- he had friends, engaged in activities, worked alongside his father, received good grades in school, and was part of a warm and loving family which continues to stand by him.  In middle school, things began to change, and by high school Gonzalez had become a different person -- a loner, without friends, who passed up normal teenage activities, including dating, to devote himself to his new-found and rapidly escalating obsession: computers.

*    *    *

Seeking to break Gonzalez of his computer habit, his mother periodically sought to deny him access to his computer or to at least curtail his usage, once putting it in his sister's room.  Rather than be deprived of access to his computer, Gonzalez would go to his sister's room in the middle of the night to use it.  Gonzalez's social contacts narrowed to computer chat rooms where he communicated with others with knowledge of computers and to meetings of other computer-savvy individuals, many of whom were hackers and from whom he learned much that he would, unfortunately, later convert to unlawful purposes.

*    *    *

[B]y [ ] early 2002 -- Gonzalez, age 21, had developed a serious drug and alcohol problem . . . which played a substantial role in the subsequent course of his life.  This is not to say that his substance abuse affected Gonzalez' [sic] ability to tell right from wrong.  It did not, and he knew when he turned to cyber-crime that it was wrong.  What it did do, however, was contribute to his inability to stop himself.  What developed over time was a destructive cycle of using drugs to permit him to stay awake and alert for long hours at the computer but also using them to try to get away from the computer . . . .

*    *    *

Computers . . . had become the center of his life, his raison-d'etre, if you will.  He and his computer in many ways became one: he thought in computer-speak instead of normal words, and, when his computer was infected by a virus, [he] referred to the event as if it were he, himself, who had gotten the virus.

Describing Gonzalez as unable to stop his urge to commit cybercrime, defense counsel has asked the Court to sentence him to 15 years in prison, the minimum sentence permitted.  Last week, federal prosecutors renewed their request to have a government psychologist examine Gonzalez to combat the defendant's claim that his "internet addiction" merits leniency within the 15 to 25 year sentencing range. 

FTC Says "Dumpster Wrong Place for Consumers' Personal Information"

* By Stacy Anderson and Gabriel M. Helmer.

Anyone required to comply with the FTC’s Disposal Rule [the text of the rule can be found here], which requires companies to take reasonable steps to dispose of information contained in consumer credit reports, should take note of a recent FTC enforcement action in federal court in the District of Nevada. On December 30, 2008, the FTC filed a complaint against Las Vegas businessman Gregory Navone alleging that he violated the Disposal Rule and the Fair Credit Reporting Act (FCRA) when he discarded forty boxes of documents into a public dumpster behind an office building in Las Vegas. The boxes contained tax returns, mortgage applications, bank statements, photocopies of credit cards and drivers’ licenses, and other sensitive customer information collected by Navone’s businesses. The FTC seeks monetary damages and an injunction against further violations under the Disposal Rule and the FCRA for Navone’s alleged failure to take reasonable measures to protect customer information.  Interestingly, the complaint also asserts claims under the FTC Act on the basis that Navone failed to abide by his own customer privacy policy, which stated:

We take our responsibility to protect the privacy and confidentiality of customer information very seriously. We maintain physical, electronic, and procedural safeguards that comply with federal standards to store and secure information about you from unauthorized access, alteration and destruction. . . . From time to time, we enter into agreements with other companies to provide services to us or make products and services available to you. Under these agreements, the company may receive information about you but they must safeguard this information and they may not use it for any other purposes

While the case remains pending, it serves as a reminder from the FTC on the importance of not only taking reasonable steps to protect sensitive customer information, but also living up to customer assurances regarding information security.

Links:

  • The text of the FTC's Disposal Rule, 16 C.F.R. Part 682 can be found here (.pdf) or from the FTC's website here (.pdf)
  • The complaint filed in FTC v. Navone is available here (.pdf) or from the FTC's website here (.pdf)