CIPP Information Privacy & Security News

The FBI and Virginia State Police are searching for hackers who demanded that the state pay them a $10 million ransom by Thursday for the return of millions of personal pharmaceutical records they say they stole from the state's prescription drug database. The hackers claim to have accessed 8 million patient records and 35 million prescriptions collected by the Prescription Monitoring Program. "This was an intentional criminal act against the commonwealth by somebody who was trying to harm others," Gov. Timothy M. Kaine (D) said. "There are breaches that happen by accident or glitches that you try to work out. It's difficult to foil every criminal that may want to do something against you." Although the hackers had threatened to sell the data if they did not receive payment by Thursday, the deadline passed with no immediate sign that they followed through. ad_icon State officials say it is unclear whether the hackers were able to view the patient records, as they have claimed. If the theft is real, it would be the most serious cybercrime the state has faced in recent history.

New rules will protect consumers, harmonize regulation, and enshrine net neutrality. But a late amendment left the legislation in limbo The European Parliament has voted through a massive tranche of reforms for the European telecommunications sector, including a significant net-neutrality amendment. The 'Telecoms Package' of laws was voted into force on Wednesday with a large majority, and must now be ratified by the Council of Telecoms Ministers. The vote marks the first time that internet access has been recognised in European law as a fundamental right on a par with freedom of expression. The legislation also compels European telecoms and internet service providers (ISPs) to notify their customers of any personal data breaches, the first time they have been required to do so.

A security breach at credit card processor and payroll services administrator Heartland Payment Systems Inc. has proven costly, driving the company to a first-quarter loss. The nation's sixth-largest payment processor reported a loss of $2.5 million, or 6 cents a share, compared with a profit of $9 million, or 23 cents a share, the year before. The results included expenses and accruals of $12.6 million, or 20 cents a share, resulting from a security breach in which criminals secretly installed spying software on its computer network.

There is pervasive fear of identity theft. Victims spend an extraordinary amount of time and money recovering from it. The government is doing something about it, but businesses may not be pleased to hear that the government's latest action is another unfunded mandate. New rules concerning identity theft prevention at financial companies go into effect on Friday May 1, 2009, but for most organizations, complying with the FTC's Red Flags Rule could be as simple as writing down rules and procedures already in place and having them certified by the Board. The rules are about procedures, not about data security, said Tiffany George, attorney for the division of privacy and identity protection at the FTC. She spoke on Tuesday at the FTC's workshop for businesses held on the campus of Fordham University in New York City. "The Red Flags Rule covers what to do when, despite our best efforts, thieves steal data," she said. As new regulations go, the FTC's Red Flags Rule will be less painful than many other recently enacted rules. For example, while Sarbanes-Oxley is considered a burden to many public companies, requiring several full-time staff, the Red Flags Rule can likely be handled by legal or compliance staff already in place.

A former IT analyst at the Federal Reserve Bank of New York and his brother were arrested Friday on charges that they took out loans using stolen information, including sensitive information belonging to federal employees at the bank. Prosecutors allege that Curtis Wiltshire, 34, took out student loans totalling US$73,000 using the stolen information. His brother, Kenneth Wiltshire, 40, is charged with using the identities of two federal employees to try and obtain a loan for a 2006 Sea Ray 340 Sundancer speedboat. The charges (pdf) come two months after federal investigators found two 2006 student loan applications on a thumb drive attached to the work computer of Curtis Wiltshire, who had worked at the Reserve Bank for nearly eight years as an information and technical analyst. According to court documents, that investigation was unrelated to the fraud charges. Wiltshire was dismissed soon after the drive was found on around Feb. 15, prosecutors said. The charges were filed in the federal court in Manhattan. The two men could not be reached for comment Friday and the names of their lawyers were not included in the court documents. Curtis Wiltshire had "access to computer files containing information about employees of the [federal bank], including their names, dates of birth, Social Security numbers, and photographs," U.S. Federal Bureau of Investigation Special Agent Cordel James said in an affidavit filed in the case. Curtis Wiltshire was charged with bank fraud and identity theft and faces more than 30 years in prison if convicted. His brother was charged with mail fraud and identity theft and faces a maximum of 22 years in prison.

We've all heard the argument before: "Why should you worry about the government looking into your personal records if you have nothing to hide?" Daniel J. Solove, an associate professor of law at The George Washington University Law School, analyzes that argument in a recently published paper titled "I've Got Nothing to Hide and Other Misunderstandings of Privacy." Solove argues that "the question assumes faulty assumptions about privacy and its value." Those who make the "nothing to hide" argument fail to understand the chilling effect that surveillance has on public discourse, the fact that small bits of private data (which an individual may not object to being uncovered) when put together form a larger and more intimate profile (which an individual may object to), and the mistake of having one's profile mistakenly associated with a group that is labeled as threatening. Here's an excerpt from the paper, which was published in the latest issue of the San Diego Law Review: [T]he problem with the "nothing to hide" argument is that it focuses on just one or two particular kinds of privacy problems - the disclosure of personal information or surveillance - and not others. It assumes a particular view about what privacy entails, and it sets the terms for debate in a manner that is often unproductive. It is important to distinguish here between two ways of justifying a program such as the NSA surveillance and data mining program. First is to not recognize a problem. This is how the "nothing to hide" argument works. It denies even the existence of a problem. The second manner of justifying such a program is to acknowledge the problems but contend that the benefits of the NSA program outweigh the privacy harms. The first justification influences the second, for the low value given to privacy is based upon a narrow view of the problem. The key misunderstanding is that the "nothing to hide" argument views privacy in a particular way - as a

The state's highest court told Bergen County yesterday to release 8 million pages of real estate documents -- including mortgage information -- to fulfill a request filed under the state's public records law, but that Social Security numbers included in them must be kept private. The justices also said the company requesting the information should pay the $460,000 it will cost the county to remove the Social Security numbers from records spanning more than two decades. The court unanimously agreed that the documents, requested by a business that wants to sell electronic access to this information, are public records under the state's Open Public Records Act. But it stressed some of the personal information, if released, would hurt residents. "The request was made on behalf of a commercial business planning to catalogue and sell the information by way of an easy-to-search computerized database. Were that to occur, an untold number of citizens would face an increased risk of identity theft," Chief Justice Stuart Rabner wrote for the court. Bergen County officials called the decision a victory for all New Jersey residents concerned about identity theft.

Data security represents both a new market opportunity to sell insurance coverage and a new risk - especially for independent insurance agencies that may not be compliant with data security laws or have plans in place to protect their own companies from data breaches. While data security is an evolving issue, failing to protect data can have a huge financial impact on a company. The average total per-incident cost of a data security breach was $6.65 million, compared to an average per-incident cost of $6.3 million in 2007, according to the "U.S. Cost of Data Breach Study" conducted by data protection company PGP Corp. and information management research firm The Ponemon Institute. The PGP/Ponemon study indicated that data breach incidents cost U.S. companies $202 per compromised customer record in 2008, meaning that companies incur additional costs with an abnormal churn in lost customers. More than 84 percent of data breach cases in 2008 involved organizations that had more than one data breach. And, more than 88 percent of all cases in the study involved insider negligence. The cost of lost business continued to be the most costly effect of a breach, averaging $4.59 million or $139 per record compromised. Lost business now accounts for 69 percent of data breach costs, up from 65 percent in 2007, compared to 54 percent in the 2006 study. "After four years of conducting this study, one thing remains constant: U.S. businesses continue to pay dearly for having a data breach," said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. "As costs only continue to rise, companies must remain on guard or face losing valuable customers in this unpredictable economy." Includes video: Data Security Creating Insurance Agent Sales Opportunities

First quarter federal reports show Google lobbied on the electronic medical records provisions of the federal economic stimulus act, contradicting the Internet giant's earlier claims that Consumer Watchdog's report of its effort was "100 percent false." Google's report shows a total expenditure of $880,000 on lobbying during the period including on "online health-related initiatives; issues relating to online personal health records, including in connection with H.R. 1: American Recovery and Reinvestment Act of 2009." Google also contracted with an outside firm, the Podesta Group, which independently reported lobbying for Google on "health information technology" and "online privacy." King and Spalding LLP also independently reported lobbying for Google on "online health-related initiatives, including health information technology provisions in H.R. 1, The American Recovery and Reinvestment Act." After the nonprofit, nonpartisan Consumer Watchdog reported the "rumored" lobbying in January, Google contacted a charitable foundation about withdrawing Consumer Watchdog's funding. In a letter to Google CEO Eric Schmidt released today, Consumer Watchdog said the company owes the group an apology. Read Consumer Watchdog's letter here: http://www.consumerwatchdog.org/resources/LtrSchmidt042209.pdf. "It is now clear from public records that Google was lobbying Congress relating to online personal health records in connection with the economic stimulus act... What else could Google have been seeking except to be excluded from the Health Insurance Portability and Accountability Act (HIPAA) provisions on privacy and forbidding sale of records? Please tell us," wrote Jamie Court, Consumer Watchdog president and John M. Simpson, consumer advocate. "There is a simple way to resolve this," the letter said. "Publicly release all the substance of Google's lobbying efforts on H.R. 1. Google knows the drill: organize the information and make it universally accessible and useful."

URAC, the leading health care accreditation and education organization, announced today the recent Healthcare Information and Management Systems Society (HIMSS) annual conference raised important questions about consumer privacy and security around electronic health records (EHR). (Logo: http://www.newscom.com/cgi-bin/prnh/20030501/URACLOGO ) "There is no doubt that electronic health records are coming. The question is whether or not consumers' privacy is a key issue or an afterthought," said Alan P. Spielman, President and CEO of URAC. "A lot of forces are driving the push for EHR. However, it is important that standards go hand-in-hand with policy so that it doesn't become the Wild West with every vendor and health care provider using different terms." The rules set by the Health Insurance Portability and Accountability Act (HIPAA) are integral to the widespread adoption of EHR. However, the rules can be confusing for consumers and providers. URAC was the first organization to offer HIPAA Privacy Accreditation. The organization now offers comprehensive standards for both HIPAA Privacy and HIPAA Security accreditation. These standards are applicable to all personal health information storage formats and exchanges claims transactions and are designed for many different types of health care organizations including both Covered Entities (CE) and Business Associates (BA). They also require an ongoing compliance program that identifies, tracks and makes the necessary changes in response to a federal or state regulatory change.

The Supreme Court upheld a U.S. government crackdown on profanity on television, a policy that subjects broadcasters to fines for airing a single expletive blurted out on a live show. In its first ruling on broadcast indecency standards in more than 30 years, the high court handed a victory on Tuesday to the Federal Communications Commission, which adopted the crackdown against the one-time use of profanity on live television when children are likely to be watching. The case stemmed from an FCC decision in 2006 that found News Corp's Fox television network violated decency rules when singer Cher blurted out an expletive during the 2002 Billboard Music Awards broadcast and actress Nicole Richie used two expletives during the 2003 awards. No fines were imposed, but Fox challenged the decision. A U.S. appeals court in New York struck down the new policy as "arbitrary and capricious" and sent the case back to the FCC for a more reasoned explanation of its policy.

A data protection group has warned that opting out of Phorm will not prevent the technology from processing data that users enter through web site search portals. Companies such as Amazon, Wikipedia and LiveJournal have taken the decision to block the controversial advertising technology from scanning their sites because of the privacy implications. However, Open Rights Group executive director Jim Killock has since admitted that, even if web sites opt out of the programme, ISPs supporting Phorm will still be able to profile users visiting those sites. "This is because Phorm can scan search requests entered in those sites, even if it cannot detect the web site pages users are viewing," Killock said. "For example, even if Google opts out of Webwise, when a user types in a Google query and they are using BT, it will still go through Phorm before it reaches BT." Killock added that Phorm does not gain permission from either senders or receivers of the information before it processes the data. Phorm uses browsing information to serve accurately targeted advertisements, and is soon to be rolled out under the Webwise brand by internet service providers BT, Virgin Media and TalkTalk. However, as the time for deployment nears, the controversy surrounding the technology only seems to be increasing.

The California State Senate approved today SB 20, legislation by State Senator Joe Simitian (D-Palo Alto), which aims to strengthen existing privacy protection laws for California consumers. The new law builds on legislation authored by Simitian in 2002 that requires a business or government agency that incurs a data breach to provide notice to the individual(s) whose information was compromised. More than 40 states have adopted similar legislation since that time, largely based on the California measure. "No one likes to get the news that information about them has been stolen," said Simitian, "but when it happens, people are entitled to get a notice they can understand, and that helps them decide what to do next." "The premise is simple," added Simitian. "What you don´t know can hurt you. Ignorance is not bliss. And you can´t protect yourself if you don´t know you´re at risk." Simitian said his latest proposal (SB 20), "is designed to make a good law even better." California´s current security breach notification law (AB 700, Simitian -2002) requires notice to consumers when their information has been compromised, but does not require data holders to provide any standard set of information about the nature of the breach. SB 20 will enhance consumer knowledge about security breaches by requiring that the notification contain specified information, including the type of personal information breached and the date of the breach.

Do you know what your data did last night? Almost none of more than 27 million people who took the RealAge quiz realized that their personal health data was sold to drug companies, who in turned used that information for targeted e-mail marketing campaigns. There's a basic consumer protection principle at work here, and it's the concept of "unfair and deceptive" trade practices. Basically, a company shouldn't be able to say one thing and do another: sell used goods as new, lie on ingredients lists, advertise prices that aren't generally available, claim features that don't exist, and so on. RealAge's privacy policy doesn't mention anything about selling data to drug companies, but buried in its 2,400 words, it does say that "we will share your personal data with third parties to fulfill the services that you have asked us to provide to you." They maintain that when you join the website, you consent to receiving pharmaceutical company spam. But since that isn't spelled out, it's not really informed consent. That's deceptive. Cloud computing is another technology where users entrust their data to service providers. Salesforce.com, Gmail, and Google Docs are examples; your data isn't on your computer -- it's out in the "cloud" somewhere -- and you access it from your web browser. Cloud computing has significant benefits for customers and huge profit potential for providers. It's one of the fastest growing IT market segments -- 69% of Americans now use some sort of cloud computing services -- but the business is rife with shady, if not outright deceptive, advertising.

Companies that track consumer behavior on the Web for targeted advertising without proper consent are near their "last chance" to self-regulate, the head of the U.S. Federal Trade Commission said on Monday. Privacy advocates say regulations on big phone and Internet companies, such as AT&T Inc and Google Inc, are too lax, giving the firms excessive control over consumers' personal information. "From my perspective, the industry is pretty close to its last clear chance to demonstrate" that it can police itself, FTC Chairman Jon Leibowitz told the Reuters Global Financial Regulation Summit in Washington. Earlier this year, the FTC issued new guidance urging websites to tell consumers that data is being collected during their searches and to allow them to opt out. If companies fail to do a better job of making their privacy policies understandable to the average person, momentum will keep building for greater regulation, Leibowitz said. "It's really up to industry."

A top affliction of privacy professionals is the growing complexity of privacy laws. The number of jurisdictions regulating data privacy and the number of other laws in which privacy provisions are tucked has increased with no letup since 2000. Like the Lilliputians in Gulliver's Travels, the tiniest jurisdictions are now lassoing their privacy ropes around the mightiest of corporations. Where does this leave those who are charged with keeping their organizations privacy-compliant? Desperately looking for a way to organize news about all of these developments. I recently surveyed the landscape of possible solutions to this problem. What did I find? Three different approaches: free Web sites, newsletters and news feeds; fee-based periodicals; and fee-based databases, such as Nymity's PrivaWorks, Cecile Park Publishing's DataGuidance and law firm Morrison and Foerster LLP's Summit Privacy. What were the pros and cons of each approach? Free sources Privacy leaders with no budget will want to exploit what's free, including these options: * Morrison & Foerster's Privacy Library, probably the most comprehensive and current free online listing of privacy laws in 95 countries. * Law firm Baker & McKenzie's annual Global Privacy Handbook, which is distributed to clients and friends. * Computerworld's own Security Newsletter, which offers a regular look at news about the technical threats to personal data. * The International Association of Privacy Professionals' Daily Dashboard, Canada Dashboard Digest and monthly Inside 1to1: Privacy. These are the best available free news feeds on privacy.

When ethical hackers track down computer criminals, do they risk prosecution themselves? Security researchers at this week's Usenix conference in Boston believe this is a danger, and that ethical hackers have to develop a uniform code of ethics for themselves before the federal government decides to take action on its own. One such researcher introduced himself by saying "Hi, I'm Dave Dittrich, and I'm a computer criminal." Dittrich, senior security engineer and researcher at the University of Washington's Information School, has not been unlucky enough to be prosecuted. But ten years ago, he took actions to disrupt distributed denial-of-service attacks which he says could have been construed as criminal, he says. Working within the University of Washington Network, Dittrich says he "copied files from one host in Canada that was caching malicious software and logs of compromised hosts," allowing him to gain a fuller understanding of the nascent distributed denial-of-service tools, and to inform the operators of infected Web sites that a problem existed.

An eBay Inc. effort to broaden communication through the popular Twitter Web-messaging service highlights the hurdles facing corporate users of online social media. The growing Twitter audience also attracted the attention of eBay's lawyers, who last month required Mr. Brewer-Hay to include regulatory disclaimers with certain posts. Some followers think the tougher oversight is squelching Mr. Brewer-Hay's spontaneous, informal style. His experience shows the tension that can arise as more companies tap social media to reach investors, customers and others. Eighty-one Fortune 500 companies sponsor public blogs, including Wal-Mart Stores Inc., Chevron Corp. and General Motors Corp., according to the Society for New Communications Research. Of those blogs, 23 link to corporate Twitter accounts. On Thursday, a Johnson & Johnson executive reported for the first time on the health-care giant's annual meeting via Twitter, which allows users to post "tweets" of as many as 140 characters via text messages and the Web. Such efforts raise thorny questions. Blogs and tweets can run afoul of Securities and Exchange Commission regulations on corporate communications. But sanitizing such posts risks hurting credibility with online audiences. The online auctioneer launched a corporate blog in April 2008. Two months later, blogger Richard Brewer-Hay began "tweeting" -- posting updates on Twitter -- about Silicon Valley technology conferences, eBay's quarterly earnings calls and other topics.

eBook: Compliance 2.0: Comprehensive, Scalable and Sustainable Systems http://go.techtarget.com/r/6705298/226727/1 Enterprises are moving towards a top-down approach to compliance that starts with risk assessment and prioritization, experts agree. In this expert e-book gain insight from senior IT and security officers who are taking a holistic approach to compliance for long-term sustainability and cost reduction. Learn which quantitative tools you can use to prioritize your efforts, maximize your investments and get key business executives to support your next project. Learn how to: ** Bring your data into governance ** Understand and manage your risk exposure ** Get the right people on board to support your strategy and policies Start building your true compliance infrastructure: http://go.techtarget.com/r/6705299/226727/2

Legislation to reform the Federal Information Security Management Act of 2002 will be introduced in the Senate on Tuesday, a Senate staffer who helped draft the bill told a panel at the RSA Conference in San Francisco on Thursday. Erik Hopkins' presentation provided further evidence that the White House could assume greater control in coordinating federal government security. In the panel - The New FISMA: Security Finally Transcends Compliance - Hopkins offered a diagram illustrating the bill that showed a cyber office reporting directly to the president. Hopkins, who works for the Senate Committee on Homeland Security and Governmental Affairs, was the third federal official addressing conference attendees to suggest the White House will be given more authority in safeguarding federal government information systems. On Wednesday, Obama administration cybersecurity advisor Melissa Hathaway - who last week submitted to the president an assessment of federal cybersecurity policy - said the White House must lead federal government cybersecurity efforts. A day before, National Security Agency Director Keith Alexander said NSA would not lead the nation's cybersecurity efforts, suggesting a greater role for the White House. Hopkins said the benefits of FISMA reform includes improved coordination of security efforts, better economies of scale and greater situational awareness of security threats such as knowing where they originate and how the government will respond.