Group items tagged

Identity thieves are getting more clever and are increasingly using stolen information to get driver's licenses, employment and government assistance, according to a new report. The survey by the Identity Theft Resource Center also found that the greater awareness of this problem by the public has led to more people discovering they are victims themselves, through monitoring of their bank accounts and credit card statements. Typically, victims learned of their identity theft when they were denied a job or credit or were informed by law enforcement. "Most of our information is beyond our control," said Linda Foley, co-founder of the Identity Theft Resource Center, which surveys victims each year to see how identity theft is changing. "If a thief wants to get it, he will find a way to get it." The report covers the experiences of around 100 of the 1,500 people who were victimized in 2008 and contacted the center, a nonprofit that helps people recover from identity theft. Stolen personal information is now cheap - identities may sell on the black market for as little as 60 cents each - and thieves churn through them quickly to lower their chances of getting caught, Foley said. Rather than opening 10 or 20 credit card accounts in a victim's name, they now open two or three, charge as much as they can and move on to the next person. This raises the cost of identity theft to businesses, whose average loss to fraud nearly doubled last year to $90,107, up from $48,941 the year before.

More than 6 million current and former customers of online brokerage TD Ameritrade Holding Corp. will be able to benefit from the settlement of a class-action lawsuit filed over the theft of client contact information. Formal notice of a settlement agreement will be sent to people who used TD Ameritrade's services before mid-September 2007. U.S. District Judge Vaughn Walker in San Francisco approved a revised version of the settlement agreement earlier this month despite some misgivings about it. Last summer, Walker rejected an earlier version of the deal. Anyone who held an Ameritrade account or provided an e-mail address to the company before Sept. 14, 2007, could benefit from the lawsuit. The database that was breached included information on 6.2 million people. The plaintiffs in the lawsuit said they received unwanted e-mail ads about certain stocks. The ads appeared to be designed to manipulate the value of thinly traded stocks. Ameritrade officials and one of the lead plaintiff's attorneys, Scott Kamber, have said the data theft has not been linked to cases of identity theft. As part of the proposed settlement, the Omaha-based company will pay nearly $1.9 million in legal fees and cover the cost of one year of anti-spam service for the victims. Ameritrade also promised to better protect customer data. Those terms have not changed from the original proposed settlement. But the new agreement will more clearly state that Ameritrade customers were at risk of identity theft, and it will preserve customers' ability to pursue identity theft claims against Ameritrade. Most of the changes to the agreement happened because the Texas Attorney General's Office and a former named plaintiff objected to the previous deal. In his order, the judge questioned whether the settlement does enough to benefit Ameritrade clients whose information was stolen. "The court is particularly concerned that TD Ameritrade has agreed to pay the class counsel $1.87 million and yet the

Raises some realistic questions about the American approach to privacy law & regulation. Unfortunately, the article tends to point at the misapplication of laws more heavily than offering the reader an account of the abuses that led us to where we are now. Businesses & government, including the medical industry, freely shared details - or spied on Americans with impunity for decades. The article reminds us that work needs to continue to balance our approach. A Federal law, that sets a floor for privacy requirements, could help reduce conflicting requirements caused by almost every state writing seperate laws because there was a lack of leadership from Washington. American privacy regulations are implemented sectorally - at the industry or State level for example. This leads to many different, and conflicting laws. Privacy is a difficult subject with complex considerations touching aspects of life that have not been questioned for years. This article provides more con than balance, but it reminds us that extreme positions rarely serve anyone well.

Special interest groups and lawyers claim they are defenders of individual privacy. But all that red tape is causing more harm to consumers than good. In a world of tight budgets and sacrificed programs, one sector has continued to grow with the speed and choking effectiveness of kudzu: regulations around privacy. More than 300 privacy-related laws are on the books, in both Washington, D.C. and state capitals. Privacy-related consulting services provided by law and accounting firms are a $500-million-a-year business and have been growing at double digits.

The state's highest court told Bergen County yesterday to release 8 million pages of real estate documents -- including mortgage information -- to fulfill a request filed under the state's public records law, but that Social Security numbers included in them must be kept private. The justices also said the company requesting the information should pay the $460,000 it will cost the county to remove the Social Security numbers from records spanning more than two decades. The court unanimously agreed that the documents, requested by a business that wants to sell electronic access to this information, are public records under the state's Open Public Records Act. But it stressed some of the personal information, if released, would hurt residents. "The request was made on behalf of a commercial business planning to catalogue and sell the information by way of an easy-to-search computerized database. Were that to occur, an untold number of citizens would face an increased risk of identity theft," Chief Justice Stuart Rabner wrote for the court. Bergen County officials called the decision a victory for all New Jersey residents concerned about identity theft.

In all of 2008, 40 banking institutions failed - 25 banks and 15 credit unions. So far in 2009, 72 institutions have either been closed or taken over by regulators, including 7 banks just this past weekend. The Federal Deposit Insurance Corporation (FDIC)'s troubled bank list, now at 305, has more than doubled from last year's total, when 117 banks were listed. Which begs the questions: Where and why are all these institutions failing, and how many more closures will we see by year's end? Failures by the Numbers Analysis of this year's bank/credit union failures (see interactive map) reveals some interesting facts: * Total Failed Banks: 64 * Total Failed Credit Unions: 8 o Top States For Failures: o Georgia - 16 banks o Illinois - 12 banks o California - 8 banks, 3 credit unions o Florida - 3 banks * Largest Failure BankUnited, Coral Gables, FL., $12.8 billion in assets, * Total Cost to FDIC Insurance Fund: $13.553 billion

The problem with securing data and insuring its safety is that there is simply so much more stored electronically these days that opportunities for outside hackers or insiders to steal valuable, confidential information off a company's computer systems are growing exponentially, according to those in the insurance industry who make it their business to cover this expanding exposure. Indeed, "you can take out more data in a thumb drive now than people could take out in a super-computer 10 years ago," according to Kevin Kalinich, co-national managing director for Professional Risk Solutions at Aon. The risk of a data breach is very real for companies large and small across almost any industry, noted Mr. Kalinich. He cited a report from the University of California, Berkeley, that more data has been aggregated and stored in the last three years than in the entire history of mankind. He also noted that between 75 and 85 percent of Fortune 2000 companies have suffered a "material data breach," meaning there is a growing market for those selling insurance coverage for liability and repair costs, as well as loss control services. Companies that take an "it won't happen to me" approach to securing data need only look at news headlines to see that organizations are often hit by breaches, and as more data is being stored electronically, the potential for, and impact of possible breaches increase. Princeton, N.J.-based credit and debit processing company Heartland Payment Systems reported that it had been compromised in 2008 in a breach that involved up to 100 million records, which would be tops for number of records accessed in a breach. The Heartland incident would displace the 2007 breach of TJX, in which over 45.6 million credit and debit card numbers were stolen. The TJX breach, in turn, took the record set by a breach of CardSystems Solutions in 2005.

Opinion: Privacy columnist Jay Cline says the time is ripe for a global privacy standard to replace the hodgepodge of privacy principles that multinational businesses must cope with. The first step is to agree on what privacy really means. Whenever I've mentioned to chief privacy officers the idea of having a single set of privacy rules for their companies to abide by worldwide, their response has been unanimous: Bring it on. Why? The legal and technical costs of complying with an expanding patchwork of state, federal and foreign privacy laws are mounting for multinationals. Having one set of rules would improve the bottom line. Data-protection commissioners from many world governments are singing the same tune. At a November conference in London, they issued a communique urging the United Nations to launch an international privacy convention toward this end. > You and I as customers and employees would also benefit from one set of rules that we could come to know and understand - instead of the vast array of obtusely worded privacy notices that we see on Web sites and find in our mailboxes. It's hard to imagine a major constituency, outside of the Idaho and Michigan militias, that would be against the concept of a global privacy agreement, if it was properly worded. So, what's the holdup?

The offshoring of business processes has become increasingly popular. Fueled by advancements in technology, the benefits of offshoring are primarily attributable to the savings from lower personnel costs at foreign locations. According to the Global Financial Services Offshoring Report 2007 by Deloitte & Touche U.SA LLP, over 75% of major financial institutions report offshoring a portion of their operations. Some economists estimate that up to one-third of total U.S. employment in services may ultimately be offshored (Steve Lohr, "At IBM, a Smarter Way to Outsource," The New York Times, July 5, 2007). Offshore entities often operate in developing countries such as India, China, Pakistan, the Philippines, and Vietnam. The offshoring of business processes generally takes two forms: outsourcing to an unaffiliated offshore entity (offshore outsourcing), or ownership and operation of an affiliated offshore entity (AOE). Many multinational companies have AOEs. For example, Accenture has more employees in India than in the United States; IBM is projected to have more than one-quarter of its workforce in India by 2010; and companies like General Electric, Eli Lilly, Google, and Microsoft are expanding their R&D centers in India and China (House Committee on Science and Technology, June 12, 2002). Offshoring and the Auditing Profession The potential benefits of offshoring have not been ignored by the accounting profession. In past years, several large public accounting firms began using AOEs to perform certain nonaudit procedures for their U.S.-based clients. For example, Ernst & Young uses AOE employees to prepare client tax returns (Vanessa Houlder, "E &Y Sends Compliance Work Offshore," Financial Times, July 11, 2007), and a number of accounting firms use AOEs to print documents for delivery to clients. The largest international public accounting firms have recendy begun testing the offshoring of certain auditing procedures on very large U.S. audit engagements to thei

On Friday, Brunswick, Maine-based heating and hardware firm Downeast Energy & Building Supply sent a letter notifying at least 850 customers that the company had suffered a data breach. Downeast sent the notice after discovering that hackers had broken in and stolen more than $200,000 from the company's online bank account. The attack on Downeast Energy bears all the hallmarks of online thieves who have stolen millions from dozens of other businesses, schools and counties over the past several months. In every case, the thieves appeared more interested in quick cash than in pilfering their victims' customer databases. Nevertheless, the intrusions highlight an additional cost for victims of this type of crime: complying with state data breach notification laws. "This is something new to us, fortunately, but we have responsibilities under Maine statute to report these things to our customers and employees," said the company's president, John Peters, in an interview with Security Fix. At least 44 other states and the District of Columbia have similar data breach notification laws. Sometime prior to September, attackers planted keystroke logging malware on Downeast's computer systems, and stole the credentials the company uses to manage its bank accounts online. Then, on or around Sept. 2, the hackers used that access to initiate a series of sub-$10,000 money transfers out of the company's account to at least 20 individuals around the United States who had no prior business with Downeast Energy. This type of crime is impossible without the cooperation of so-called "money mules," willing or unwitting individuals typically hired via Internet job search Web sites to act as "local agents" or "financial agents" responsible for moving money on behalf of a generic-sounding international corporation, legal experts say.The mules are then instructed to withdraw the cash and wire it via Western Union or Moneygram to fraud gangs overseas, typically in Eastern Europe.

Goodwin Procter Experts Discuss Data Privacy and Security Best Practices at IAPP Privacy Academy BOSTON, Sept. 15 /PRNewswire-USNewswire/ -- According to a new survey conducted by Goodwin Procter LLP and the International Association of Privacy Professionals (IAPP), companies face three significant challenges - cost, time and number of vendors involved - in complying with new data security rules issued by the Commonwealth of Massachusetts earlier this year. The Commonwealth of Massachusetts has issued rules, which take effect on March 1, 2010, that impose significant data security requirements on entities possessing personal information of state residents, including entities based outside Massachusetts. The intent of the rules is to protect sensitive data and safeguard the public's privacy.

TJX Companies Inc. has agreed to pay $525,000 to settle a lawsuit brought by several banks in connection with the massive data breach disclosed by the retailer in January 2007. The money will reimburse AmeriFirst Bank, HarborOne Credit Union, SELCO Community Credit Union, and Trustco Bank a portion of the expenses they incurred in connection with the breach, TJX said in a statement. As part of the agreement, the banks will drop all other claims against TJX. The discount retailer admit no wrongdoing. The settlement money is part of the $118 million the company had set aside in the second quarter of 2007 to cover breach related costs.

"The school's policy seems to violate the Genetic Information Nondiscrimination Act (GINA), says Susannah Baruch of the Genetics and Public Policy Center at Johns Hopkins University. "Most generally," she says, "GINA prohibits health insurers and employers from using your genetic information against you." The law went fully into effect Nov. 21, and it prevents health insurers from collecting genetic information to make decisions about the insurance people get or how much it costs. The law also says an employer can't use it to make decisions about hiring, firing or job promotions. There are a few exceptions. The law doesn't apply to employers with fewer than 15 workers. And while it covers health insurance, it doesn't apply to life or long-term care insurance."

The concept of mixed-mode surveys is nothing new, but it seems to be gaining traction in the research community. Among the issues pressing the use of mixed-mode survey designs are the need to reduce coverage bias, increase response rates and lower costs.

A Swiss insurance worker lost her job after surfing popular social network site Facebook while off sick, her employer said Friday. The woman said she could not work in front of a computer as she needed to lie in the dark but was then seen to be active on Facebook, which insurer Nationale Suisse said in a statement had destroyed its trust in the employee. "This abuse of trust, rather than the activity on Facebook, led to the ending of the work contract," it said. The unnamed woman told the 20 Minuten daily she had been surfing Facebook in bed on her iPhone and accused her employer of spying on her and other employees by sending a mysterious friend request which allows access to personal online activity. Nationale Suisse rejected the accusation of spying and said the employee's Facebook activity had been stumbled across by a colleague in November, before use of the social network site was blocked in the company.

The Government Accountability Office issued another scathing report saying that federal agencies still don't do enough to secure government IT assets. "Persistent weaknesses in information security policies and practices continue to threaten the confidentiality, integrity and availability of critical information and information systems used to support the operations, assets and personnel of most federal agencies," Gregory Wilshusen, GAO director of information security issues, wrote in a 66-page report issued Friday. "Recently reported incidents at federal agencies have placed sensitive data at risk, including the theft, loss, or improper disclosure of personally identifiable information of Americans, thereby exposing them to loss of privacy and identity theft." In a written response accompanying the report, federal CIO Vivek Kundra said OMB is committed to the vision of a secure federal government, and are taking steps to make that vision a reality. OMB, he said, has initiated a review of the language in the current reporting instructions to identify and clarify confusion in the annual reporting. OMB also is working with the CIO Council and the Council of Inspectors General on Integrity and Efficiency to improve guidance to agencies. The GAO report also said that nearly all of the 24 major federal agencies last year had weaknesses in information security controls. "An underlying reason for these weaknesses is that agencies have not fully implemented their information security programs," Wilshusen said. "As a result, agencies have limited assurance that controls are in place and operating as intended to protect their information resources, thereby leaving them vulnerable to attack or compromise."

1. You get what you pay for. 2. Americans do not take information or security as seriously as they do their love for profit & cost savings. If one does not value what they are trying to protect accurately, the investment one is prepared to make will always be insufficient. Then there are hindsight and rationalization (a.k.a. politicians) - Karl The Government Accountability Office issued another scathing report saying that federal agencies still don't do enough to secure government IT assets. "Persistent weaknesses in information security policies and practices continue to threaten the confidentiality, integrity and availability of critical information and information systems used to support the operations, assets and personnel of most federal agencies," Gregory Wilshusen, GAO director of information security issues, wrote in a 66-page report issued Friday. "Recently reported incidents at federal agencies have placed sensitive data at risk, including the theft, loss, or improper disclosure of personally identifiable information of Americans, thereby exposing them to loss of privacy and identity theft." In a written response accompanying the report, federal CIO Vivek Kundra said OMB is committed to the vision of a secure federal government, and are taking steps to make that vision a reality. OMB, he said, has initiated a review of the language in the current reporting instructions to identify and clarify confusion in the annual reporting. OMB also is working with the CIO Council and the Council of Inspectors General on Integrity and Efficiency to improve guidance to agencies. The GAO report also said that nearly all of the 24 major federal agencies last year had weaknesses in information security controls. "An underlying reason for these weaknesses is that agencies have not fully implemented their information security programs," Wilshusen said. "As a result, agencies have limited assurance that controls are in place and operating as intended to protect their inf