A Port Washington medical practice was defrauded of nearly $250,000 by a former employee who for four years paid her credit card bills with automatic debits from a doctor's checking account, Nassau police said. Debra Camilo, 42, of 110 Malba Dr., Whitestone, began the transfers in the spring of 2004 and even though she was fired a year later -- for reasons unrelated to the fraud -- she continued until July 2008, police said. All told, the former office manager made more than 80 unauthorized debit transfers to her Visa credit card amounting to $241,341, police said. Crimes against property bureau detectives arrested Camilo Thursday afternoon in Manhasset and charged her with grand larceny, identity theft and fraud. She was scheduled for arraignment Friday in First District Court, Hempstead.

For the second time in the same case, law enforcement in Denver turned away a key component in hundreds of instances of identity theft. The first time, it was a box full of stolen documents found in a storage unit, turned away by a Denver Police officer. This time, it was the main suspect, turned away by the Denver Sheriff's Department. The Denver Sheriff's Department admits the man believed to be at the center of an identity theft operation, 46-year-old Paul Simmons, tried to turn himself in at the Denver City Jail 16 hours before police arrested him. A warrant had been issued for his arrest and was entered into the system at 10:15 a.m, according to Sonny Jackson, Denver Police Spokesman. Sheriff's spokesperson Capt. Frank Gale told 9Wants to Know Tuesday that Simmons walked into the Denver City Jail around 8 p.m. Monday night. The Denver Sheriff's Department runs the city jail. It is not staffed by the Denver Police Department. Gale says Simmons told a sheriff's deputy he had received a call from an investigator with Denver Police saying he was wanted for questioning in connection with the identity theft case featured on 9NEWS. Gale says the sheriff's deputy then told Simmons there was not a record of him being wanted in the computer, but sent Simmons to check in with the Denver Police Department housed in a separate building across the courtyard at 1331 Cherokee St. Gale said the deputy did not know if Simmons ever made it to the Denver Police building. Denver Police spokesperson Sonny Jackson said Simmons never did. "We really wish he would have taken the 50 steps across the courtyard and talked to us, that would have saved us a lot of time today." Jackson said. "If he [Simmons] really wanted to turn himself in we would have been more than happy to take him into custody."

Perhaps Mark Z is surprised that people actually read terms of service. Arrogant twit. He's a multi-millionaire who cares about the little people (stage direction: Mark Z looks sincerely into web cam as he wipes away tear with hundred dollar bill). Perhaps the Tweens don't understand what social networking sites really sell; looks like some grown ups started asking where all their personal information is going and when it might inconveniently show up in some ad campaign.

A couple of weeks ago, we revised our terms of use hoping to clarify some parts for our users. Over the past couple of days, we received a lot of questions and comments about the changes and what they mean for people and their information. Based on this feedback, we have decided to return to our previous terms of use while we resolve the issues that people have raised. Many of us at Facebook spent most of today discussing how best to move forward. One approach would have been to quickly amend the new terms with new language to clarify our positions further. Another approach was simply to revert to our old terms while we begin working on our next version. As we thought through this, we reached out to respected organizations to get their input. Going forward, we've decided to take a new approach towards developing our terms. We concluded that returning to our previous terms was the right thing for now. As I said yesterday, we think that a lot of the language in our terms is overly formal and protective so we don't plan to leave it there for long. More than 175 million people use Facebook. If it were a country, it would be the sixth most populated country in the world. Our terms aren't just a document that protect our rights; it's the governing document for how the service is used by everyone across the world. Given its importance, we need to make sure the terms reflect the principles and values of the people using the service. Our next version will be a substantial revision from where we are now. It will reflect the principles I described yesterday around how people share and control their information, and it will be written clearly in language everyone can understand. Since this will be the governing document that we'll all live by, Facebook users will have a lot of input in crafting these terms. You have my commitment that we'll do all of these things, but in order to do them right it will take a little bit of time. We expect to complete this in the next few we

The Department of Homeland Security's Data Privacy and Integrity Advisory Committee has offered DHS Secretary Janet Napolitano 16 recommendations on how to best address privacy issues currently facing the department. The panel stressed that "the need to update the government's legal authority to protect and defend cyberspace in the U.S. classified intelligence systems raise specific and sometimes significant privacy issues, including the conflict between transparency and redress." The committee has asked that each DHS component - such as the Federal Emergency Management Agency and Office of Intelligence and Analysis - have a designated privacy officer that would report to the head of the section. The committee also "encourages DHS to continue to work toward policy and functional interoperability in the development of new systems and when making major modifications to existing systems," according to a letter from the committee hand delivered to Napolitano. Additionally, the panel said the 1974 Privacy Act has "not kept pace with the evolution of technology and developments in how data is collected, used, shared and stored. To the extent the Secretary is asked to submit recommendations to Congress for making the act more relevant and effective, the committee recommends that the secretary seek guidance from the Privacy Office staff, who are experts in applying the Act's provisions throughout the department." For more on the recommendations, read the committee's letter here.

A group of U.S. companies, led by technology giants Microsoft, Hewlett-Packard and eBay, is set to outline recommendations for new federal data-privacy legislation that could make life easier for consumers and lead to a standard federal breach-notification law. The recommendations, which were developed by a group of industry players called the Consumer Privacy Legislative Forum, are set to be released at an upcoming privacy conference six weeks from now, according to Peter Cullen, Microsoft's chief privacy officer. The companies have been working for the past three years to encourage the adoption of federal consumer data-privacy laws and to answer the question of what federal legislation should look like, Cullen said in an interview. Other forum members include Google, Oracle, Procter & Gamble and Eli Lilly. One idea is that laws should make it easier for consumers to understand what they're getting into when they share their personal data with Web sites, Cullen said. "The whole focus on consent really puts an unfair burden on the consumer," he said. "My mom doesn't know what an IP address is." The recommendations will cover rules around data use and the ability of consumers to correct inaccurate data. And they will cover data breach notification, which is now covered by a patchwork of state laws. Simplifying breach-notification laws by creating a single federal standard is important, Cullen said Wednesday while speaking at a discussion of privacy policy in San Francisco. "It's not that there is no privacy law. There's actually too much privacy law," he said. "If you think about data-breach notification laws just as an example, there are 38 state laws, many of them very different." "We need to think about much more of a framework approach." Congress has passed some laws covering consumer data privacy, such as the 1996 Health Insurance Portability and Accountability Act (HIPAA), but existing laws do not comprehensively cover consumer privacy in general.

Last week, a commercial Twitter spamming tool (tweettornado.com) pitching itself as a "fully automated advertising software for Twitter" hit the market, potentially empowering phishers, spammers, malware authors and everyone in between with the ability to generate bogus Twitter accounts and spread their campaigns across the micro-blogging service. TweetTornado allows users to create unlimited Twitter accounts, add unlimited number of followers, which combined with its ability to automatically update all of bogus accounts through proxy servers with an identical message make it the perfect Twitter spam tool. TweetTornado's core functionality relies on a simple flaw in Twitter's new user registration process. Tackling it will not render the tool's functionality useless, but will at least ruin the efficiency model. Sadly, Twitter doesn't require you to have a valid email address when registering a new account, so even though a nonexistent@email.com is used, the user is still registered and is allowed to use Twitter. So starting from the basics of requiring a validation by clicking on a link which will only be possible if a valid email is provided could really make an impact in this case, since it its current form the Twitter registration process can be so massively abused that I'm surprised it hasn't happened yet. Once a Twitter spammer has been detected, the associated, and now legitimate email could be banned from further registrations, potentially emptying the inventory of bogus emails, and most importantly making it more time consuming for spammers to abuse Twitter in general. If TweetTornado is indeed the advertising tool of choice for Twitter marketers, I "wonder" why is the originally blurred by the author Twitter account used in the proof (twitter.com/AarensAbritta) currently suspended, the way the rest of the automatically registered ones are? Pretty evident TOS violation, since two updates and 427 followers in two hours clearly indicat

Current government rules do too little to protect the privacy of people's personal health information and also hinder the use of health data in medical research, a panel of experts reported on Wednesday. A committee of the Institute of Medicine, which provides advice to U.S. policymakers, urged Congress to take an entirely new approach to protecting personal health data in research. Federal standards for protecting privacy of personal health data under the Health Insurance Portability and Accountability Act of 1996, or HIPAA, are not doing the job, the panel said. Congress and the Obama administration are planning major changes this year to the U.S. health care system. Regarding the privacy rules, Congress should either start from scratch or thoroughly overall HIPAA's privacy provisions, the panel said. Better data security is needed, with greater use of encryption and other security techniques, the panel said. Encryption should be required for laptops, flash drives and other devices containing such data, it said. "Both privacy and health research are important. And we feel that we can strengthen privacy protections for people who participate in research while also allowing important research to proceed without unnecessary impediments," Dr. Bernard Lo of the University of California San Francisco, a member of the panel, told reporters. HIPAA governs how personally identifiable health information can be used and disclosed by health plans, health care providers and others. The intention is to protect personal health information while permitting the flow of information for health-related research and medical care. Lo said HIPAA has burdensome and confusing procedures for people to consent to have their health data used in medical research, dissuading people from taking part in such research.

Do you know where your friends are? If not, Google wants to help you find them. Today, Google introduced Latitude, a new opt-in feature that lets smartphone and laptop users share their location with friends and allows those friends to share their locations in return. Although not pinpoint accurate, Latitude can display your general location based on information from GPS satellites and cell towers. Latitude works on both mobile devices and personal computers. What Latitude can do Once you and your friends have opted in to Latitude, you can see your friends' Google icon displayed on Google Maps. Clicking on their icon allows you to call, email or IM them, and you can even use the directions feature on Google Maps to help you get to their location. Google says Latitude works in 27 countries and with many mobile platforms including iGoogle with your computer. The list of compatible phones are: *Android-powered devices, such as the T-Mobile G1 *iPhone and iPod touch devices (coming soon) *most color BlackBerry devices *most Windows Mobile 5.0+ devices *most Symbian S60 devices (Nokia smartphones) *many Java-enabled (J2ME) mobile phones, such as Sony Ericsson devices (coming soon)

Until now, lawsuits seeking to recover significant damages based on the loss of, or unauthorized access to, sensitive personal information have not been especially successful for plaintiffs. Most companies suffering data breaches have escaped by offering affected consumers inexpensive credit monitoring services. But two recent cases show plaintiffs a way to expose many previously safe companies to substantial claims for damages. Any company that thinks there are no risks in employing less than best practices for data privacy and security needs a wake up call. The headlines are all too familiar. Some well known consumer services company (or less known wholesale data processor) announces that millions of individual records containing names, Social Security numbers, account numbers and other sensitive information were left in a dumpster, saved to a stolen, unencrypted laptop, or stored on a misplaced USB drive or backup tape. The press is terrible, the company's stock takes a temporary plunge, and sometimes the Federal Trade Commission enters into a consent decree where the company promises to never do it again. But when affected individuals or groups of consumers tried to sue for damages, they seldom recover significant amounts. These cases have not often succeeded because the plaintiffs have been unable to prove actual pecuniary losses resulting from the security breach. Sure, if identify theft occurs the affected individuals can suffer significant emotional trauma, loss of time, etc. But Courts have been unwilling to award damages for anxiety, fear, and other emotional harm that can result from a data breach, for the risk of future identify theft, or for actual identity theft when the plaintiff could not prove that the theft occurred as a direct result of a data breach at a particular source. Most companies facing claims based on data breaches have been able to settle cheaply by offering to provide credit monitoring services, which most consumers do not use, resu

A recurring problem in modern litigation is the inadvertent disclosure of materials subject to the attorney-client privilege or the attorney work product protection. New Federal Rule of Evidence 502 changes the rules concerning waiver of privilege in all Federal and many State court cases, thereby reducing the risk that inadvertent disclosures will constitute a wavier of attorney client privilege or work product protection. But the new rule requires careful application. Important risks remain. Inadvertent disclosure of privileged or protected information too easily occurs when massive numbers of documents or files make it impractical or prohibitively expensive to review every item individually. The proverbial privileged document needle gets lost in the e-discovery haystack and is overlooked. Later, when opposing counsel recognizes that she has a potentially privileged document and brings this to the attention of disclosing counsel, there may be a fight as to whether the document will be returned, or whether the disclosure constitutes a wavier of any privilege related to the information. Under existing State and Federal law, release of privileged or protected information to an adversary, even if inadvertent, may constitute a waiver of the privilege or protection with regard to the information or document disclosed or, worse, to all documents and other information related to the same topic. Invoking the "claw" Amendments to Federal Rule of Civil Procedure 26(b), adopted in December 2006, were aimed at reducing the risks of waiver from inadvertent disclosures. Rule 26(b) provides that if privileged information is produced, the party making the claim of privilege may notify any party that received the information of the privilege claim and the basis for it. After being notified, a party must promptly return, sequester, or destroy the specified information and any copies it has, must not use or disclose the information until the privilege claim is resolved; must t

Affixing a dollar cost to a problem has immense benefit, and The Ponemon Institute goes to great lengths to arrive at the figures for its Annual Cost of a Data Breach Study. We painstakingly analyzed the financial impact a data breach has on a company by examining 43 different companies from a cross section of industries, all of which experienced a significant data breach affecting a range of data records representative of the norm. And knowing that a data breach may cost your company $6.65 million dollars may be all the information that is needed for a company to assign an appropriate budget to those tasked with information security. In 2008 the average total cost of a data breach was $6.65 million, up from $6.35 million last year and $4.54 in 2005. In 2008, the per-victim cost of a data breach was $202, up from $197 in 2007, and from $138 when the study was launched in 2005. Breaches involving a third party to which data had been outsourced bore a per-victim cost of $231, whereas self contained breaches bore a per-victim cost of $179. Breaches that were the result of a malicious act bore a per-victim cost of $225, whereas breaches that were the result of negligence bore a per-victim cost of $199. Breaches that were the result of a lost of stolen laptop computer bore a per-victim cost of $249, whereas breaches that did not involve a lost or stolen laptop computer bore a per-victim cost of $177. If the data breach was a first-time event for the company the per victim cost was $243, but if the company had experienced a breach previously the per victim cost was $192. The simple conclusion to these numbers is clear: the financial impact for a company that experiences a data breach is significant and rising. That finding alone may be alarming, but it seems to merely quantify what most people already knew to be true. The "wow" factor comes when you realize that we haven't simply identified the cost of an inevitable outcome, as if to tell the world, "buckle up and brac

It is hard work looking for a job, Matt Sawyer said. "Well with the economy being down right now, it's pretty hard," said Sawyer. Like most job hunters, Matt is posting his resume on various online job sites. But you have to be careful when sending out your personal information over the Internet, privacy expert Pam Dixon said. "The problem is, if you don't use it correctly, it can come back to haunt you," she said. Dixon runs the World Privacy Forum and warns job hunters to be cautious with their personal information when posting their resume. "In fact any competent job site will give you the option of hiding your personal information," said Dixon. Scam artists have been known to steal personal information from resumes and use it to apply for credit. That is why Dixon said you should only include your first initial and last name, no full names, when writing your resume. She also said not to include your phone number or address. Dixon said you should create an email address that is temporary and just use it for your job search. Dixon said scam artist will even call people from their resume and ask for detailed information like a copy of their driver's license or social security number or even their credit card information. The scammers will claim it's for a background check but it's only to steal from the job seeker. Matt admits if he was approached for a job he might give away too much information. "I think when people first get that call and they're real excited about it, they might just jump into it and go ahead and do it," he said.

A nationwide ATM heist late last year netted thieves $9 million in cash in one day, according to published reports. The coordinated attack stemmed from a computer intrusion at payment processor RBS WorldPay. Atlanta-based RBS WorldPay announced on Dec. 23 that hackers had broken into its database and made off with personal and financial data on 1.5 million customers of its payroll cards business. Some companies use payroll cards in lieu of paychecks by depositing employee salaries or hourly wages directly into payroll card accounts, which can then be used as debit cards at ATMs. RBS said that thieves also might also have accessed Social Security numbers of 1.1 million customers. New York's Fox 5 cites FBI sources as saying that thieves used the stolen payroll cards recently to withdraw $9 million from ATMs from 49 cities, including Atlanta, Chicago, New York, Montreal, Moscow, and Hong Kong. Steve Lazarus, a spokesman for the FBI's Atlanta field office, said the withdrawals were carried out by a small army of so-called "cashers," or people who work with cyber thieves and fabricated cards to pull money out of compromised accounts. From the Fox piece: "Shortly after midnight Eastern Time on November 8, the FBI believes that dozens of the so-called cashers were used in a coordinated attack of ATM machines around the world."

It's often the security issue that dogs Google, Microsoft and other purveyors of personal health records (PHR): How will so much personal medical data be kept safe? A tangential question for Google, however -- one that has dogged the search giant since its Google Health offering was first made available in May 2008 -- is whether Google's search-based advertising platform creates a conflict with storing personal health data. Speaking at the Mastermind Session at Everything Channel's Healthcare Summit in San Diego in November,Google Vice President of Research and Special Initiatives Alfred Spector told health care CIOs, solution providers and other attendees that Google intended Google Health as an extension of the Google brand, and it was and would continue to be entirely separate from Google's main advertising platform. Watchdog organizations have taken Google to task over that claim, however, with one, Consumer Watchdog, even accusing Google of trying to lobby Congress to allow it to sell medical records by loosening regulatory language in the stimulus bill. "The medical technology portion of the economic stimulus bill does not sufficiently protect patient privacy, and recent amendments have made this situation worse," wrote Jerry Flanagan of Consumer Watchdog in a Jan. 27 open letter to Congress. "Medical privacy must be strengthened before the measure's final passage, rather than allowing corporate interests to take advantage of the larger bill's urgency." Flanagan in the letter states that, "Google is said to be lobbying hard ... to weaken the ban currently in the draft measure on the sale of our private medical records." While Consumer Watchdog did not cite specific evidence of Google pushing for softer restrictions, Google responded to the group's claims on its Public Policy Blog last week. "The claim -- based on no evidence whatsoever -- is 100 percent false and unfounded," wrote Pablo Chavez, Google's Senior Policy Counsel. "Google does not sell health

A complaint filed with the Federal Trade Commission by consumer groups seeking greater privacy protection for mobile Internet users could become a crucial test for the Obama administration's commitment to Internet privacy, a researcher has said. A policy statement published on then-President-elect Barack Obama's transitional Web site said he plans to "strengthen privacy protections for the digital age." Need to review your privacy policy or guide your clients in preparing a privacy framework? Download a copy of the Generally Accepted Privacy Principles.

The whole idea of privacy has become a joke. On one hand we have consumers who will give away their personal details to random Web sites (as well as to Mrs. Sikiratu Seki Adam, "a widow to Late Saheed Baba Adams") at the drop of a virtual hat, and on the other we have businesses losing personally identifiable information and transaction data with wild abandon … yes, I'm talking about you Heartland Payment Systems. (Heartland lost data on more than 100 million transactions although it is hardly alone - check out the data loss database at the Open Security Foundation). This widespread carelessness has compromised the privacy of tens of millions of consumers and businesses. While carelessness is the cause, what has allowed it to go unchecked are a number of factors: The Internet making transactions easier and faster; the systems we use on the Internet (particularly Windows PCs) being as secure as the First Little Pig's house of straw; organizations not taking security seriously enough; naive consumers; and inadequate regulation of the companies that hold private data. What got me thinking about this privacy void was a letter my wife received from Nordstrom Bank yesterday. My wife has a Nordstrom credit card and the company sent us, for what seems like the 1,000th time, its latest privacy policy. This version was one page of small text that more or less says what every other privacy notice from financial services companies say (we average about one of these "revised" policies every couple of weeks).

The new year has come and gone on the Gregorian calendar. But the new year for legal technology is still in progress at LegalTech New York, where vendors are unveiling their new products and services and attendees are helping them celebrate. LegalTech attendees should revel in the number of vendor initiatives aimed at reducing e-discovery costs from acquisition to review and production. And, like last year, EDD vendors continue to design and manufacture their products for international litigation. But LegalTech is not all about e-discovery. There were still plenty of vendors with products outside the Electronic Data Reference Model. EDD PARTIES Readers should be aware that Index Engines can access and extract data from tape and tape libraries -- and can do so really fast. But now they can also extract data from network storage systems, file shares, forensic images and hard drives and still provide users a single point of access to it -- via a Web browser. Index Engines first indexes data on disparate resources. Once the index is compiled, data can be deduped, searched, reviewed and extracted on demand. Also note that Index Engines can now filter unwanted file types such as EXE, DLL, etc., during the indexing process to reduce the time it takes to review the data. Read LegalTech New York 2009 Coverage on Legal Blog Watch In preparation for the new year, Kazeon Systems introduced new pay-as-you-go pricing models that augment their current standard software licensing option and focus on case matters. Kazeon hopes the new pricing models allow customers to implement an e-discovery solution that does not require a major financial investment or lengthy rollout. Vendors are starting to "go left" of the EDRM to provide organizations a better view of the end of litigation via early case assessment tools. In fact, KPMG promoted the concept with a T-shirt emblazoned with "go left." Toward that end, Daticon EED announced the availability of its Early Case Assessment servic

The fuss over Facebook's attempt to modify the contract with its millions of users has died down for the moment, and I haven't noticed any of my friends closing their account or even significantly changing their behaviour in protest despite the widespread coverage. The problem started in early February when Facebook updated the section on its site which establishes the legal agreement with its users. Like most people who use it I didn't notice the change, and even though Facebook clearly knows who I am and how to contact me I didn't get a message or see a notification in my news feed about it. This is pretty common practice on the web, where long legal contracts are agreed with a click of a mouse and sites update them at will because they contain a clause saying that you accept the changes if you carry on using the site. Term paper Unlike laws passed by Parliament, which have to be properly promulgated to those affected, contracts can evidently be changed without any proper notice.

Social media is on the rise, and so are the privacy and security risks. Is it time to dial back on the whole Web 2.0 'friend' thing? The social media honeymoon is officially over. While it may not yet be time to fly to Reno for a quickie divorce, you might want to start thinking about sleeping in separate bedrooms for a while. Example du jour: Over the weekend, a rogue application spread across Facebook, warning users about bogus errors in their profiles. Clicking on the "Error Check System" app causes it to send false warnings to your entire FB posse, per the unofficial AllFacebook blog. There doesn't seem to be any payload associated with that app besides driving traffic, but the potential for abuse is obvious. But a bigger problem on social nets is an old familiar one: spam. So far, spam only accounts for about 5 to 25 percent of all e-mail passed on social networks, versus 90 percent of regular e-mail, says Adam O'Donnell, director of emerging tech for Cloudmark, which filters spam for some large social nets (but won't identify which ones). As more people start tweeting about what their cats ate for lunch and share their Facebook profiles with near-total strangers, though, that number will only grow. The type of spam on social networks is different too, says O'Donnell. Think fewer fake Viagra come-ons, more social engineering scams. In other words, the junk you get on social networks is more likely to be aimed at stealing your credentials or your identity -- and thus much more dangerous than garden-variety spam.

Securing our Nation against cyber attacks has become one of the Nation's highest priorities. To achieve this objective, networks, systems, and the operations teams that support them must vigorously defend against external attacks. Furthermore, for those external attacks that are successful, defenses must be capable of thwarting, detecting, and responding to follow-on attacks on internal networks as attackers spread inside a compromised network. A central tenet of the US Comprehensive National Cybersecurity Initiative (CNCI) is that 'offense must inform defense'. In other words, knowledge of actual attacks that have compromised systems provides the essential foundation on which to construct effective defenses. The US Senate Homeland Security and Government Affairs Committee moved to make this same tenet central to the Federal Information Security Management Act in drafting FISMA 2008.