Group items matching

in title, tags, annotations or url

It was only a matter of time! Auditor accuracy being examined in lawsuit may signal change in PCI and other compliance processes.

When CardSystems Solutions was hacked in 2004 in one of the largest credit card data breaches at the time, it reached for its security auditor's report. In theory, CardSystems should have been safe. The industry's primary security standard, known then as CISP, was touted as a sure way to protect data. And CardSystems' auditor, Savvis Inc, had just given them a clean bill of health three months before. Yet, despite those assurances, 263,000 card numbers were stolen from CardSystems, and nearly 40 million were compromised. More than four years later, Savvis is being pulled into court in a novel suit that legal experts say could force increased scrutiny on largely self-regulated credit card security practices. They say the case represents an evolution in data breach litigation and raises increasingly important questions about not only the liability of companies that handle card data but also the liability of third parties that audit and certify the trustworthiness of those companies. "We're at a critical juncture where we need to decide . . . whether [network security] auditing is voluntary or will have the force of law behind it," says Andrea Matwyshyn, a law and business ethics professor at the University of Pennsylvania's Wharton School who specializes in information security issues. "For companies to be able to rely on audits . . . there needs to be mechanisms developed to hold auditors accountable for the accuracy of their audits." The case, which appears to be among the first of its kind against a security auditing firm, highlights flaws in the standards that were established by the financial industry to protect consumer bank data. It also exposes the ineffectiveness of an auditing system that was supposed to guarantee that card processors and other businesses complied with the standards. Credit card companies have touted the standards and the auditing process as evidence that financial transactions conducted under their purview are secur

In a decision that has privacy advocates and others scratching their heads, a federal judge has ruled that LifeLock has been breaking California law for years by placing fraud alerts on its customer's credit profiles. The decision is a blow to the burgeoning identify-theft protection industry, and means that companies that experience data breaches may no longer be able to offer victims free subscriptions to such services - a standard damage-control tactic in recent years. Consumers can still place fraud alerts by contacting one of the three U.S. credit reporting agencies directly. Bo Holland, founder and CEO of Debix, a competitor of LifeLock, called the ruling "dramatic and unexpected." "It causes a real shift in the industry," he told Threat Level. The pre-trial partial summary judgment comes in a lawsuit filed last year against LifeLock by Experian, one of the nation's three credit reporting bureaus. Experian claimed LifeLock is trying to "game the system" of fraud alerts to make a profit.

The European Commission on Tuesday set a code of conduct for companies using RFID (radio frequency identification) tags that it hopes will safeguard citizens' privacy and allow the quick rollout of the new technology. Around 2.2 billion RFID tags were sold worldwide last year, a third of them in Europe, and were installed in a wide range of products including shipping containers and smart cards used in highway toll booths. The Commission expects the use of RFID tags to grow to five times the current level over the next decade, as tags are added to common consumer items such as bus passes, refrigerators and even clothes. There is "clear economic potential" in using RFID chips to allow communication between objects, said information society commissioner Viviane Reding in a statement. But she added that European citizens "must never be taken unawares by the new technology."

Raises some realistic questions about the American approach to privacy law & regulation. Unfortunately, the article tends to point at the misapplication of laws more heavily than offering the reader an account of the abuses that led us to where we are now. Businesses & government, including the medical industry, freely shared details - or spied on Americans with impunity for decades. The article reminds us that work needs to continue to balance our approach. A Federal law, that sets a floor for privacy requirements, could help reduce conflicting requirements caused by almost every state writing seperate laws because there was a lack of leadership from Washington. American privacy regulations are implemented sectorally - at the industry or State level for example. This leads to many different, and conflicting laws. Privacy is a difficult subject with complex considerations touching aspects of life that have not been questioned for years. This article provides more con than balance, but it reminds us that extreme positions rarely serve anyone well.

Special interest groups and lawyers claim they are defenders of individual privacy. But all that red tape is causing more harm to consumers than good. In a world of tight budgets and sacrificed programs, one sector has continued to grow with the speed and choking effectiveness of kudzu: regulations around privacy. More than 300 privacy-related laws are on the books, in both Washington, D.C. and state capitals. Privacy-related consulting services provided by law and accounting firms are a $500-million-a-year business and have been growing at double digits.

Is it time for Web publishers and their users to have the privacy talk? At most Web sites, privacy policies are ridiculously long and convoluted scrolls of legalese that only a hearty privacy watchdog would read. For most users it remains a mystery just how publishers collect, use and share the data trails consumers leave behind while traversing a site. But publishers now are partnering more deeply with third party ad networks who plant their own cookies in their users' browsers and hit them again with ads out on their own networks with other publishers. How should a site broach the topic of privacy and ownership of data with its own customers? The industry-funded Future of Privacy Forum is hoping to get at this issue in a new research initiative that explores different ways sites can communicate with users about their online advertising experience and how a use's data trail is recorded and used. The study will try to find ways that publishers can raise user awareness about the use of online behavioral data and be more transparent about how it is harvested and shared.

New rules will protect consumers, harmonize regulation, and enshrine net neutrality. But a late amendment left the legislation in limbo The European Parliament has voted through a massive tranche of reforms for the European telecommunications sector, including a significant net-neutrality amendment. The 'Telecoms Package' of laws was voted into force on Wednesday with a large majority, and must now be ratified by the Council of Telecoms Ministers. The vote marks the first time that internet access has been recognised in European law as a fundamental right on a par with freedom of expression. The legislation also compels European telecoms and internet service providers (ISPs) to notify their customers of any personal data breaches, the first time they have been required to do so.

It's become the familiar refrain this year. Each time we see a major data breach related to payment card data, the breached entity says 'Gee, well we were told we were PCI compliant - how could this happen?' The PCI marketing machinery then gets into motion, reminding us all that PCI compliance is but a snapshot in time - not a warrantee against future breaches. Meanwhile, tens of thousands of consumers have their personal information exposed to potential compromise. They probably don't know or care what PCI is. They just want to know 'Why wasn't I protected?' Fair question, and it deserves an answer.

Consumers, who become victims of identity theft through access to public records, do not have a clue as to how they became a victim. They cannot know unless the fraudster who "legally accessed" the public information is caught and confesses that they used or sold the information for identity theft. Most often end users of stolen identities are caught, not the kingpins. Illegal immigrants who purchase identities on the street sometimes for hundreds of dollars do not know the source. * What can an identity thief do with a name and SSN? Here is a short list. * Make a fake Social Security Card (see image below) * Make a fake Medicare Card and get medical treatment and Medicare benefits * Use the fake Social Security Card to get a driver's license or passport * Get a job and government benefits. * Get credit and open new financial accounts * Get housing, utilities and phone service * Get insurance * Thieves use fake ID to elude law enforcement by pretending they are you.

Some American Express card members' accounts may have been compromised by an employee's recent theft of data, the company said Thursday. American Express Co. spokeswoman Susan Korchak said a "relatively small portion" of card members was involved, but declined to be more specific. The former employee has been arrested and the company is investigating how the data was obtained, she said. The company is in the process of notifying affected card members by letter. In one such letter sent last week, American Express Privacy Officer Alfred Silipigni said he was informing the member of "an unfortunate issue" concerning his card. "We recently learned that certain account data was acquired without authorization by an employee who is no longer with the company," he wrote. "The former employee has been arrested, and we are cooperating with law enforcement authorities with their ongoing investigation." American Express declined to disclose any more details about the incident beyond what was in the letter. The company has put additional fraud monitoring and protection controls on the accounts at issue, Korchak said. American Express has about 39 million corporate, small business and consumer cards in force in the United States.

Difficult economic times can be the breeding ground for increased fraudulent activities. In July 2009, the Financial Crimes Enforcement Network (www.fincen.gov) published its 12th edition of The SAR Activity Review - By the Numbers. SARs (Suspicious Activity Reports) are one key aspect of FinCEN's efforts related to its responsibility for regulatory administration of the Bank Secrecy Act of 1970. Many different financial industries such as banks, credit unions, insurance companies, check-cashing services, broker/dealers, and casinos are required to complete and file SARs. According to FinCEN's press release on the SAR Activity Review, "The report reveals that of the 20 different violation types tracked, seven of the categories relate specifically to fraud and all seven showed an increase in SAR filings during the year. While these categories represent one-third of the possible violation types, they accounted for nearly half of the increase in total SAR filings from 2007 to 2008, with all of the fraud categories seeing double-digit increases in percentage of filings in 2008. These categories are: check fraud, mortgage loan fraud, consumer loan fraud, wire transfer fraud, commercial loan fraud, credit card fraud, and debit card fraud." Could any of this apply to you? Are your control and monitoring processes able to identify these examples of common patterns of suspicious activity that FinCEN has identified?

Wharton School professor Andrea Matwyshyn has attended Defcon for the past five years. This year, her radar is pointing to corporate disclosure of computer security threats. Most consumers, she says, find out about them primarily through news reports and after-the-fact data breach notifications. Big business, Matwyshyn says, needs to do a much better job of keeping customers abreast of how they're dealing with big security threats. "Companies need to be aware that their customers are going to start asking questions about their security and what they're doing," she told Forbes.

To assist small businesses and other entities, the Federal Trade Commission staff will redouble its efforts to educate them about compliance with the "Red Flags" Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply. To give creditors and financial institutions more time to review this guidance and develop and implement written Identity Theft Prevention Programs, the FTC will further delay enforcement of the Rule until November 1, 2009. The Red Flags Rule is an anti-fraud regulation, requiring "creditors" and "financial institutions" with covered accounts to implement programs to identify, detect, and respond to the warning signs, or "red flags," that could indicate identity theft. The financial regulatory agencies, including the FTC, developed the Rule, which was mandated by the Fair and Accurate Credit Transactions Act of 2003 (FACTA). FACTA's definition of "creditor" includes any entity that regularly extends or renews credit - or arranges for others to do so - and includes all entities that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor. "Financial institutions" include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers.

Hunch.com helps users search for answers -- but first, it performs a detailed search on the users themselves. Launching today after a year in development, Hunch aims to supply users with computer-generated advice on thousands of lifestyle and consumer questions: What kind of dog should I buy? What should I get dad for Father's Day? Which book by George Orwell would I like? Most important, though, Hunch is not a search engine. Rather than scouring the open Web for information, as Google, Microsoft's new Bing and scores of others do, or collating written opinions, as Amazon.com does, Hunch computes answers by comparing what it knows about you to what it knows about people like you. "Ultimately, what we're doing is providing a kind of shortcut through human expert systems," said Hunch founder Caterina Fake, who also started Flickr.com, the popular photo-sharing site that was acquired by Yahoo in 2005. By first inviting users to answer as many as 1,500 questions about themselves -- an addictive kind of personality test that involves such diverse questions as political orientation, relationship status and whether you believe in UFOs and keep your closet organized -- Hunch looks to assemble a demographic profile whose depth could rival anything in the commercial universe. The New York company also believes that users stand to benefit from this kind of large-scale data farming -- not just from getting better answers, but also from discovering the many microdemographics to which they belong. Hunch also says it will not sell user data to marketers. But this promise, written into the site's privacy policy, is not precisely a legal contract, said Siva Vaidhyanathan, a new-media scholar at the University of Virginia, and the difference leaves the data it collects in a fuzzy domain.

Yahoo Tuesday announced that has developed a feature that will allow users to opt out of behavioral targeting on mobile devices. "We believe the mobile experience should offer the same privacy protections consumers expect to find on the PC," Yahoo said in a blog post announcing the feature. "Furthermore, management of privacy protections should be available via any mobile device, whether that's an iPhone or a Blackberry." Many companies that track people's Web activity on PCs and send them ads notify users about the practice and allow them to opt out. But it's still unusual for behavioral targeting companies in the mobile space to let people opt out. At least a dozen companies say they offer some form of mobile behavioral targeting. But only two appear to allow users to opt out, according to Jules Polonetsky, co-chair and director of the think tank Future of Privacy Forum.

Another test of who owns what data, what can be done with it and the power of State's Rights.

IMS Health (RX) has built a lucrative niche collecting data on which drugs physicians prescribe, then selling the information to pharmaceutical companies. But legislators in more than 20 states have questioned whether the company has a constitutional right to do so. The Supreme Court could shine a spotlight on this topic in the next few weeks if it decides to hear a closely watched case IMS has been fighting in New Hampshire. The court's ruling would quickly reverberate beyond the pharmaceutical industry, affecting virtually any business that uses information about consumer buying behavior to guide its sales strategies.

Privacy and civil liberties advocates are urging lawmakers working on the forthcoming economic stimulus package to ensure that any language to spur adoption of electronic medical records includes meaningful security safeguards. The American Civil Liberties Union, Consumer Action, the National Association of Social Workers, Patient Privacy Rights and others sent letters to House Speaker Nancy Pelosi, Senate Majority Leader Harry Reid and President-elect Barack Obama Wednesday asking them to ensure individuals can control the use of their medical records and protect them from what they believe is a thriving industry of firms that share and sell medical data. "We all want to innovate and improve health care, but without privacy our system will crash as any system with a persistent and chronic virus will," Patient Privacy Rights executive director Ashley Katz said at a Capitol Hill briefing. Katz said her group has been pleased with progress that the House Energy and Commerce, and Ways and Means committees made last year.

As if banks didn't have enough on their plates with compliance and regulation on the federal front, come May 1, they will have to be mindful of strict new rules coming from the Commonwealth of Massachusetts around data security. The Massachusetts Data Security Regulations are perhaps like no other in terms of their depth and scope. During a teleconference, attorneys from the privacy and data security practice of the law firm Goodwin Procter (Boston) described this very detailed, all-encompassing set of rules designed to keep consumers' personal data safe. They go beyond the rules of other states and the federal government that simply require companies to notify their customers of theft of their personal information. "Personal information," for the purposes of the regulation, is described as someone's first and last name or first initial and last name, in combination with Social Security Number, driver's license number or financial account number. At its core, the regulation states that companies, including banks, that handle the personal data of a Massachusetts resident must show they have in place a comprehensive, written information security program with heightened security procedures around how this information is handled. The rules also extend to entities' service providers and the degree to which they too much show they comply with the Massachusetts rules of handling data on residents. Companies have until May 1 to amend their vendor contracts to reflect this and until Jan. 1, 2010 to certify their vendors comply. Furthermore, companies must comply with these rules even if they do not have a single office in the Bay State or if they are in an already heavily regulated industry, like financial services. As long as customers in businesses' databases reside in Massachusetts, those companies are affected by the rules. According to partner Deborah Birnbach, this is some of the most intrusive legislation as it relates to the operation of businesses. "It requires

Naturally, privacy watchdogs answer the question in this post title with a resounding "Yes!" The answer is so emphatic, in fact, that the Center for Digital Democracy and U.S. Public Interest Research Group are filing a 52-page complaint with the FTC today alleging that mobile marketers collect so much "non personally identifiable information" that it infringes on users' privacy-and are "unfair and deceptive." Mobile devices, which know our location and other intimate details of our lives, are being turned into portable behavioral tracking and targeting tools that consumers unwittingly take with them wherever they go. (Shh! Don't tell them the FBI can remotely turn on the microphone of several cell phone brands and convert your phone into a roving bug, even when it's off!) But is the Internet private-and should it be? Is a profile that states that you are interested in outdoor rec and currently in the Santa Clara, CA, area an invasion of your privacy? And if so, should we ban all outdoor rec stores and centers in Santa Clara from collecting personally identifiable information like, say, a picture of you when you walk in their lobby? Should we prohibit all employees from asking your name and if you slip and mention it, make sure they never call you by it?

The federal government would subsidize up to 65% of COBRA health insurance payments for many individuals who have lost their jobs since Sept. 1, 2008, under an $825 billion stimulus package unveiled by House Democrats. COBRA provisions are supported by health insurance groups, including America''s Health Insurance Plans and the National Business Group on Health. However, AHIP said other parts of the plan tying increased investment in health information technology to stricter scrutiny of how health IT records are handled would make it more difficult for plans to coordinate care and streamline administrative costs. Dubbed the American Recovery and Reinvestment Act, the House bill allocates $39 billion to aid individuals attempting to continue paying health insurance premiums through the 23-year-old Consolidated Omnibus Budget Reconciliation Act program. COBRA allows employees who are terminated or leave their jobs voluntarily to remain in their former employer''s group health plan for up to 18 months, which can be extended to 36 months for those with extenuating life circumstances. However, because COBRA enrollees can be charged up to 102% of the full cost of coverage, many find the plans prohibitively expensive and, according to Hewitt Associates Inc., only about 20% enroll. A recent report by the consumer group Families USA found monthly COBRA premiums for family coverage were $1,069, or 83.6% of the average monthly unemployment insurance benefit of $1,278. In nine states, average COBRA payments exceeded unemployment benefits, the group found. Health groups have been largely supportive of the proposal, with AHIP President Karen Ignagni writing in a letter to House Speaker Nancy Pelosi that the group believes the move would "help ensure continuity of coverage and serve as an important lifeline for many workers who do not qualify for Medicaid, but still need help paying their health insurance premiums."

What companies do you trust to guard your privacy? According to a Wednesday study from the Ponemon Institute and TRUSTe, eBay is the most trusted company for privacy, followed by Verizon and the U.S. Postal Service. Facebook, meanwhile, cracked the study's top ten for the first time. To reach its conclusions, Ponemon and TRUSTe first polled more than 6,000 adults on their "most trusted" brands. An expert review panel then compared those results against the companies' privacy statements, notices, to what levels they accessed account information, their cookie management, in- and out-of-network data sharing practices, and the availability of customer service staff. Of the top 10 companies, seven of them were technology-related. The entire list includes eBay, Verizon, the U.S. Postal Service, WebMD, IBM, Procter & Gamble, Nationwide, Intuit, Yahoo, and Facebook. "With the banking industry at the center of a national financial crisis, it's no surprise to see a loss of trust reflected in the rankings of even those top performers on this list," Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, said in a statement. "Meanwhile, the continued strong showing of e-businesses such as eBay, WebMD, Yahoo, and Facebook seems to demonstrate consumers' growing comfort with doing business online."