Group items tagged

Don't expect a letter from Monster or Heartland Payment Systems letting you know they've lost your data. The breaches at Monster.com and Heartland Payment Systems are raising questions about the efficacy of data-loss disclosure laws enacted in at least 45 states. Back in 2007 we wrote about how the financial services industry lobbied hard to block proposed federal rules requiring organizations to notify individuals whose data they lose, and to permit consumers to freeze their credit histories. States such as California and Massachusetts have passed laws giving consumers these rights. But the Monster and Heartland capers have brought weaknesses in the legislation to center stage. I asked Lisa Sotto, head of privacy and information management at law firm Hunton & Williams, about this: Q: Heartland and Monster told me they intend to comply with all state laws. That said, they have not announced plans to notify individual victims. Is that OK? A: In the state breach notification laws, it is permissible to delay notification if a law enforcement agency determines that notification would impede a criminal investigation. If such a delay is requested by law enforcement, notification must be made after the law enforcement agency determines that notice would not compromise the investigation. I do not know if these companies received a delay request from a law enforcement agency. Q: Monster says it chose not to email individual victims because the bad guys could then replicate that message and use it as a phishing template. That makes sense. But is that allowed by state consumer protection laws? A: There are now 45-plus state laws and they are not uniform. Typically, notice is provided via first class mail, but there are provisions in the state laws allowing for electronic notice as well. Q: The only official notices from Heartland and Monster so far has been one-page disclosures posted on a web site. Does that cover them? A: There are provisions in the state laws al

We all like to think our privacy is absolute. But if your job involves working across borders, you'll want to talk about privacy as a matter of degree rather than as an uncompromising right. Why? Not only do you want to be seen as someone who can get things done globally, but you also may personally want to be part of advancing social objectives that are arguably as important as privacy. Have you ever had to re-architect your global rollout of PeopleSoft or Lawson because of European Union privacy concerns? Or adjust how your company offers technical support to medical products sold in Europe? Have you ever been part of acquiring a failing European company where the privacy of employee data was a final sticking point? If you've seen projects with obvious social benefit get held up by seemingly minor data-related questions, then you might have been running up against this notion of "nothing trumps privacy." It's a popular idea. The half-billion people of Europe do view privacy as a human right. And they're not the only ones. As one of the first acts of the UN, Eleanor Roosevelt and the U.S. delegation in 1948 lobbied for the global adoption of the Universal Declaration of Human Rights(UNDHR), whose Article 12 states, "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation." With Europe and the UN using absolute-sounding language to describe a right to privacy, it's no wonder we have all of these delayed and downsized corporate projects. People are legitimately concerned about our sometimes reckless march into the Information Age, and they want to put some brakes on it. But does privacy trump all foes? I can think of at least six other equally important social objectives that regularly put limits on privacy: 1. Personal health. We all want to stay healthy - even when we lose the ability to communicate and give consent. Emergency-room personnel need access t

Payment processor Heartland Payment Systems has been sued over a data breach it disclosed publicly on Inauguration Day last week. The lawsuit, filed on Tuesday in U.S. District Court in Trenton, N.J., alleges that Heartland failed to adequately safeguard the compromised consumer data, did not notify consumers about the breach in a timely manner as required by law, and has not offered to compensate consumers for costs they may incur in protecting themselves from identity fraud. In a statement that coincided with President Barack Obama's inauguration events, Heartland said the breach occurred last year but that it found evidence of the intrusion only in the previous week and immediately notified law enforcement and credit card companies. Heartland was alerted in late October to suspicious activity surrounding processed card transactions by Visa and MasterCard and hired forensic auditors who uncovered malicious software that compromised data in the company's network, said Robert H.B. Baldwin Jr., chief financial officer of Heartland, last week. The lawsuit seeks damages and relief for the "inexplicable delay, questionable timing, and inaccuracies concerning the disclosures" with regard to the data breach, which is believed to be the largest in U.S. history. Heartland executives have declined to specify how many consumers or accounts were affected. The company handles 100 million transactions per month for more than 250,000 merchants. The lawsuit, first reported by SearchSecurity news site, also accuses Heartland of negligence in taking more than two months to determine the existence and scope of the breach and criticizes the company for failing to identify which merchants were affected by the breach. The suit was filed on behalf of Woodbury, Minn., resident Alicia Cooper, who was notified last week by her credit union that a card associated with her account was included in the breach. It seeks class action status. A Heartland spokesman said the company could no

This tip is part of SearchSecurity.com's Data Protection School lesson, E-discovery and security in the enterprise. Visit the E-discovery and security in the enterprise lesson page for additional learning resources. Most information security pros have a handle on the major data types found in their environments, but they also know that there is a whole lot more data lurking around the edges. These unknown data types can include documents used by individuals, or whole applications owned by departments that have quietly become essential to the business. Most of the time, focusing on the squeaky wheels is an acceptable strategy; if there's no "squeak" then there's no need to worry. But when it comes to litigation, and especially managing the electronic discovery process, what you don't know can hurt you. There are four major types of data in use today: paper documents; structured data sets, like databases; semi-structured applications, like email and image stores; and unstructured repositories, like file servers. Comprehending the vast volume of these varied records can be a challenge for everyone involved, which includes information technology, records management, legal staff, and even the data owners themselves. But since almost all business information is stored in digital formats today, electronic storage systems are the most popular target for the discovery motions filed as part of legal proceedings. It is most efficient for a litigator to head straight for your email, spreadsheets and applications, looking for what they term electronically stored information (ESI). Making matters worse for IT administrators, new rules for civil litigation enacted at the end of 2006 (called the Federal Rules of Civil Procedure, or FRCP) have pushed up the timetable of electronic discovery. What was once a delayed and informal process has become much more structured, with lawyers meeting to discuss available ESI, typically just a few weeks after legal action commences. When l

Abortion has long been a misguided litmus test for the Supreme Court - but privacy rights?

Supreme Court nominee Judge Sonia Sotomayor's views on abortion and privacy rights are coming into the spotlight as attention turns to her confirmation. NARAL Pro-Choice America is urging senators to make sure Sotomayor is questioned on Roe v. Wade and privacy rights during her confirmation hearings. President Barack Obama is pro-choice, but Sotomayor's views are not known. The White House was asked yesterday if the president asked Sotomayor about abortion or privacy rights. A spokesman says the president did not specifically ask that question. The discussion comes as supporters and opponents of Sotomayor's nomination are taking their message to the airwaves. A coalition of liberal groups has unveiled a television advertisement in favor of Sotomayor's confirmation touting her extensive resume, while a conservative group calling itself the Judicial Confirmation Network has put out its own ad, charging Sotomayor will push a liberal agenda based on her gender and racial background. The White House is hoping Sotomayor will get the green light before the Senate goes on recess in August. Republicans are signaling they will not delay Sotomayor's confirmation, but will scrutinize her legal philosophy and some of her past decisions as a judge.

Defunct behavioral targeting company NebuAd did not just spur complaints by lawmakers and privacy advocates. This week, NebuAd's defense lawyers filed papers with the federal district court in San Francisco asking to withdraw as counsel in a privacy lawsuit. In a motion dated Monday, attorney Thomas Gilbertsen alleges that NebuAd is behind on its legal bills -- in some cases by more than 45 days. He also argues that because NebuAd is out of business, no officers or employees are available to help with the defense. "Because NebuAd has essentially ceased to exist, it can no longer participate in this case," states the motion. Gilbertsen also asked that the case be delayed pending NebuAd's liquidation and the resolution of creditors' claims. Gilbertsen also says in court papers that counsel and NebuAd have "irreconcilable differences." He did not elaborate in the motion or return messages seeking comment.

To assist small businesses and other entities, the Federal Trade Commission staff will redouble its efforts to educate them about compliance with the "Red Flags" Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply. To give creditors and financial institutions more time to review this guidance and develop and implement written Identity Theft Prevention Programs, the FTC will further delay enforcement of the Rule until November 1, 2009. The Red Flags Rule is an anti-fraud regulation, requiring "creditors" and "financial institutions" with covered accounts to implement programs to identify, detect, and respond to the warning signs, or "red flags," that could indicate identity theft. The financial regulatory agencies, including the FTC, developed the Rule, which was mandated by the Fair and Accurate Credit Transactions Act of 2003 (FACTA). FACTA's definition of "creditor" includes any entity that regularly extends or renews credit - or arranges for others to do so - and includes all entities that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor. "Financial institutions" include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers.

Beyond PCI: Other Regulations to Look For in 2009 Just a few days ago, the Federal Reserve, the Office of Thrift Supervision and the National Credit Union Administration announced the enactment of comprehensive new rules regarding card practices. These rules, which will not take effect until July 1, 2010, impose restrictions on a number of controversial issuer practices, including interest rate increases, late fees and double-cycle billing. Many industry observers predict that the rules will result in less credit being made available, and on stricter terms, than has been the case over the last several years. These rules may not be the end of the matter. Rep. Carolyn Maloney (D-NY), who in 2008 introduced the Credit Cardholders' Bill of Rights Act of 2008 (which sought to regulate many of the same practices as the then-proposed Fed rules), stated that she was disappointed in the delayed effectiveness of the Fed rules and promised to revive the Credit Cardholders' Bill of Rights in 2009 to, as she put it, "bridge the gap" between now and the effective date of the Fed rules.

The ranking member of the Senate Homeland Security and Governmental Affairs Committee told the chief executive of Heartland Payment Systems that she was "astonished" a breach the company's information system lasted for nearly 1½ years without being detected. At a panel hearing Monday on protecting industry against growing cyber threats, Sen. Susan Collins, R.-Maine, asked Heartland CEO Robert Carr to explain how this delay happened. Carr responded that a breach is usually detected when the processing payer is notified of fraudulent use of cards, and that didn't occur until the end of 2008. "Isn't there software in the systems to detect such a breach?" Collins asked.

Americans are about to re-learn that bank deposit insurance isn't free, even as Washington is doing its best to delay the coming bailout. The banking system and the federal fisc would both be better off in the long run if the political class owned up to the reality. We're referring to the federal deposit insurance fund, which has been shrinking faster than reservoirs in the California drought. The Federal Deposit Insurance Corp. reported late last week that the fund that insures some $4.5 trillion in U.S. bank deposits fell to $10.4 billion at the end of June, as the list of failing banks continues to grow. The fund was $45.2 billion a year ago, when regulators told us all was well and there was no need to take precautions to shore up the fund.

Mixed receptionThe state hopes changes to Massachusetts' data privacy regulation plan will calm business community fears over the cost of the new controls, but watchers of the process say the government may have made things worse. One thing seems certain: the recent changes aren't likely to be the last word on regulating sensitive data in the Bay State. The regulations mandate all "personal information" belonging to Massachusetts residents be encrypted whenever it is stored on portable devices, transmitted wirelessly or shared on public networks. Changes enacted just in time to beat a deadline of Thursday, Feb. 12, pushed the effective date back eight months, from May 1 to Jan. 1, 2010. They also removed a requirement that businesses certify third-party vendors' compliance. The latter move was aimed to address an issue raised in a public hearing with business leaders held Jan. 15 at the State House. The change was designed to make the third-party regulations more adaptable to companies of various sizes and business models, said Massachusetts Consumer Affairs undersecretary Daniel Crane.