CIPP Information Privacy & Security News

"On January 20, 2009, Heartland Payment Systems reported discovering malicious software in its payment processing system, a security breach of potentially massive magnitude given that the company's handles 100 million transactions per month for more than 250,000 businesses. While the monetary and data loses following from the penetration of Heartland's systems -- the compromise that lasted for months -- are still being determined, the financial impact on Heartland's stock price alone was devastating. " The breach, in conjunction with the economic downturn, led to the loss of about $500 million in shareholder value, more than three-quarters of the company's market capitalization, two months after the news was announced. And then there's the cost of more than several dozen breach-related lawsuits filed against the company this year and related expenses. According to slides presented in August at a National Retail Federation Conference by Robert O. Carr, Heartland's founder, chairman and CEO, the breach cost the company $32 million in legal fees, fines, settlements, and forensics during just the first half of the year.

"On October 6, 2009, the Federal Trade Commission ("FTC") announced proposed settlement agreements with six companies over charges that they falsely claimed membership in the U.S. Department of Commerce Safe Harbor program. In six separate complaints, the FTC alleged that ExpatEdge Partners LLC, Onyx Graphics, Inc., Directors Desk LLC, Collectify LLC, and Progressive Gaitways LLC deceived consumers by representing that they maintained current certifications to the Safe Harbor program when such certifications had previously lapsed. The terms of the proposed settlement agreements prohibit the companies from misrepresenting their membership in any privacy, security or other compliance program. The six enforcement actions are significant as they mark a considerable uptick in the FTC's enforcement related to the Safe Harbor program. The FTC recently brought its first enforcement action relevant to the program, which is detailed in our post titled FTC's First Safe Harbor Enforcement Action. The European Union Data Protection Directive requires EU Member States to implement legislation that prohibits the transfer of personal data outside the EU unless the EU has made a determination that the laws of the recipient jurisdiction are substantially equivalent to those of the EU, and thus provide "adequate" protection for personal data. Because the EU has determined that laws of the United States do not meet its adequacy standard, the U.S. Department of Commerce and the EU developed the Safe Harbor Framework, which went into effect in November 2000. The Safe Harbor Program allows participating U.S. companies under the jurisdiction of the FTC or the U.S. Department of Transportation to transfer personal data lawfully from the EU. To join the Safe Harbor, a company must self-certify to the U.S. Department of Commerce that it complies with seven principles that have been deemed to meet the EU's adequacy standard. To maintain its certification to the Safe Harbor

"Professors from the University of California - Berkeley and the University of Pennsylvania have released the results of a joint study which indicates that young people and old are concerned about private information getting into the wrong hands. They found that approximately two-thirds of all consumers polled said they did not want tailored content if that meant they would be tracked via the Internet. Other interesting findings include: * 66% of respondents reported that tailored/targeted ads 'did not appeal' * 55% of 18-24 year olds reported not wanting tailored ads and 37% reported not waiting tailored discounts * 54% of 18 - 24 year olds report not wanting tailored news * For those over age 65, 82% report not wanting tailored ads and 68% report not wanting tailored news"

"The inspector general of the National Archives and Records Administration is investigating a potential data breach affecting tens of millions of records about U.S. military veterans, Wired.com has learned. The issue involves a defective hard drive the agency sent back to its vendor for repair and recycling without first destroying the data. The hard drive helped power eVetRecs, the system veterans use to request copies of their health records and discharge papers. When the drive failed in November of last year, the agency returned the drive to GMRI, the contractor that sold it to them, for repair. GMRI determined it couldn't be fixed, and ultimately passed it to another firm to be recycled. The incident was reported to NARA's inspector general by Hank Bellomy, a NARA IT manager, who charges that the move put 70 million veterans at risk of identity theft, and that NARA's practice of returning hard drives unsanitized was symptomatic of an irresponsible security mindset unbecoming to America's record-keeping agency."

The House Energy and Commerce Committee is slated to vote Wednesday on legislation that would require strong security policies from firms that collect and store individuals' sensitive information and provide for nationwide notification in the event of a data breach. The bill was sponsored by House Energy and Commerce Commerce, Trade, and Consumer Protection Subcommittee Chairman Bobby Rush, D-Ill., and was tweaked to win his panel's approval in June, but more revisions are expected.

The House Energy and Commerce Committee is slated to vote Wednesday on legislation that would require strong security policies from firms that collect and store individuals' sensitive information and provide for nationwide notification in the event of a data breach. The bill was sponsored by House Energy and Commerce Commerce, Trade, and Consumer Protection Subcommittee Chairman Bobby Rush, D-Ill., and was tweaked to win his panel's approval in June, but more revisions are expected.

ABOUT two-thirds of Americans object to online tracking by advertisers - and that number rises once they learn the different ways marketers are following their online movements, according to a new survey from professors at the University of Pennsylvania and the University of California, Berkeley.

ABOUT two-thirds of Americans object to online tracking by advertisers - and that number rises once they learn the different ways marketers are following their online movements, according to a new survey from professors at the University of Pennsylvania and the University of California, Berkeley.

The Federal Bureau of Investigation is expanding beyond its traditional fingerprint-focused collection practices to develop a new biometrics system that will include DNA records, 3-D facial imaging, palm prints and voice scans, blended to create what's known as "multi-modal biometrics." Slideshow: The changing face of biometrics How the Defense Department might institutionalize war-time biometrics "The FBI today is announcing a rapid DNA initiative," said Louis Grever, executive assistant director of the FBI's science and technology branch, during his keynote presentation at the Biometric Consortium Conference in Tampa. The FBI plans to begin migrating from its IAFIS database, established in the mid-1990s to hold its vast fingerprint data, to a next-generation system that's expected to be in prototype early next year. This multi-modal NGI biometrics database system will hold DNA records and more.

Imagine this nightmare scenario: You've contracted with a vendor to enter personnel data into a new computer system. You give the vendor confidential data regarding your employees, including their Social Security numbers, addresses, names of dependents, health records and bank account routing numbers. Then the vendor notifies you that employee data was somehow stolen or lost. What do you do? It happens more often than anyone would like to admit. The Federal Trade Commission estimates that 9 million Americans have their identities stolen each year. More than 262 million records have been breached since January 2005

The website for the popular children's television show "Curious George" was compromised this week to serve malware to visitors, according to researchers at web security vendor Purewire. The site, which is run by the Public Broadcasting Service (PBS), was propagating malware from at least Monday until Thursday, Nidhi Shah, research scientist at Purewire, told SCMagazineUS.com on Friday. It is not clear how hackers were able to break into the site, but it is possible that they obtained the credentials to an FTP account or exploited an SQL injection vulnerability, Shah said.

Health IT industry leaders and privacy advocates are watching carefully to see how the federal government will enforce expanded health data breach notification rules set to take effect this week, Federal Computer Week reports. HHS' breach-notification rule, which applies to HIPAA-covered entities and business associates, is scheduled to take effect tomorrow. The Federal Trade Commission's companion rule, which applies to personal health record vendors and other non-HIPAA-covered entities, is scheduled to take effect Thursday. The federal economic stimulus package mandated the creation of both rules.

In this video, Andre Gold, vice president and CISO of MoneyGram International, will discuss the basics of disaster recovery and business continuity planning, and define several general terms associated with disaster recovery and business continuity planning to help organizations develop a more accurate understanding. The text transcript of Gold's comments is included below. Andre Gold: Over the past four to five years, I've spent a lot of time in disaster recovery and business continuity planning as part of my role as the chief risk officer as well as the CISO for a couple major organizations. During that time, in working with those firms, I've had a greater appreciation of disaster recovery and business continuity planning, and I've learned that although BCP and DR are very important to firms, when its actually time to execute upon those respected strategies, many firms fail, and they fail fundamentally because they lose sight of the core elements of disaster recovery and business continuity planning. And with that, it's those core elements that we will be discussing today.

Consumers face a greater risk of losing control of their data when doing business with smaller retailers, as many haven't made investments to comply with the Payment Card Industry's Data Security Standard (PCI DSS), according to a new survey. The survey, which covered 560 U.S. and multinational organizations, asked respondents a variety of questions about their investments and deployment of technology to comply with PCI DSS, which was introduced in 2005. It's an industry standard created by major credit card companies that's designed to protect customer payment data. The survey found that 55 percent of organizations only secured credit card information but not other data such as Social Security and driver's license numbers or bank account details. Also, only 28 percent of smaller companies between 501 to 1,000 employees comply with PCI DSS. That compares with more than 70 percent of large merchants with 75,000 or more employees that claimed they're compliant.

Personal profiles on Facebook and other social-networking sites are a trove of inappropriate and embarrassing photographs and discomfiting breaches of confidentiality. You might expect that from your friends and even some colleagues - but what about your doctor? A new survey of medical-school deans finds that unprofessional conduct on blogs and social-networking sites is common among medical students. Although med students fully understand patient-confidentiality laws and are indoctrinated in the high ethical standards to which their white-coated profession is held, many of them still use Facebook, YouTube, Twitter, Flickr and other sites to depict and discuss lewd behavior and sexual misconduct, make discriminatory statements and discuss patient cases in violation of confidentiality laws, according to the survey, which was published this week in the Journal of the American Medical Association. Of the 80 medical-school deans questioned, 60% reported incidents involving unprofessional postings and 13% admitted to incidents that violated patient privacy. Some offenses led to expulsion from school.

A privacy researcher is urging Netflix to cancel its next research contest, before it results in potentially millions of dollars in damages for invasion of its customers' privacy. "Netflix should cancel this new, irresponsible contest," Paul Ohm wrote in a blog affiliated with Princeton University's Center for Information Technology Policy. On Monday, the company awarded $1 million to the winners of its first competition, aimed at developing technology to improve its ability to predict what movies its customers will like. Ohm worries the information the company is about to release as test data for the second contest isn't as anonymous as Netflix may think.

Federal Communications Commission Chairman Julius Genachowski will unveil in a speech on Monday new proposals that would force Internet providers to treat the flow of content equally, sources familiar with the speech said on Friday. The concept, referred to as net neutrality, pits open Internet companies like Google Inc against broadband service providers like AT&T Inc, Verizon Communications Inc, and Comcast Corp, which oppose new rules governing network management. Advocates of net neutrality say Internet service providers must be barred from blocking or slowing traffic based on content. Providers say the increasing volume of bandwidth-hogging services like video sharing requires active management of their networks and some argue that net neutrality could stifle innovation. "He is going to announce rulemaking," said one source familiar with his speech about broadband, to be delivered at the Brookings Institution, a public policy think tank. "The commission will have to codify into new regulations the principle of nondiscrimination." The FCC could formally propose the rules aimed at applying to wireless and landline platforms at an open meeting in October.

A rule requiring healthcare providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals of a breach of their unsecured protected health information will become effective September 23, 2009. The "breach notification" regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act of 2009 (ARRA). The new "breach notification" regulations apply to HIPAA-covered entities and their business associates. HIPAA covered-entities include health plans, healthcare clearinghouses, and healthcare providers. A business associate is a person or entity (such as a healthcare benefits broker) who, on behalf of the covered entity, performs a function involving the use or disclosure of individually identifiable health information.

The Federal Trade Commission is planning three public discussions, starting in December, devoted to technology and consumer privacy. According to the FTC, the roundtables will address topics such as social networking, cloud computing, online advertising and mobile marketing, the goal being "to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation." Behavioral advertising, in particular, has come under fire by privacy groups. Earlier this month, Electronic Frontier Foundation, Consumers Union and other related organizations called for stronger rules limiting what kinds of personal information are collected by marketers and how long they can hold on them.

On Friday, Brunswick, Maine-based heating and hardware firm Downeast Energy & Building Supply sent a letter notifying at least 850 customers that the company had suffered a data breach. Downeast sent the notice after discovering that hackers had broken in and stolen more than $200,000 from the company's online bank account. The attack on Downeast Energy bears all the hallmarks of online thieves who have stolen millions from dozens of other businesses, schools and counties over the past several months. In every case, the thieves appeared more interested in quick cash than in pilfering their victims' customer databases. Nevertheless, the intrusions highlight an additional cost for victims of this type of crime: complying with state data breach notification laws. "This is something new to us, fortunately, but we have responsibilities under Maine statute to report these things to our customers and employees," said the company's president, John Peters, in an interview with Security Fix. At least 44 other states and the District of Columbia have similar data breach notification laws. Sometime prior to September, attackers planted keystroke logging malware on Downeast's computer systems, and stole the credentials the company uses to manage its bank accounts online. Then, on or around Sept. 2, the hackers used that access to initiate a series of sub-$10,000 money transfers out of the company's account to at least 20 individuals around the United States who had no prior business with Downeast Energy. This type of crime is impossible without the cooperation of so-called "money mules," willing or unwitting individuals typically hired via Internet job search Web sites to act as "local agents" or "financial agents" responsible for moving money on behalf of a generic-sounding international corporation, legal experts say.The mules are then instructed to withdraw the cash and wire it via Western Union or Moneygram to fraud gangs overseas, typically in Eastern Europe.

What companies do you trust to guard your privacy? According to a Wednesday study from the Ponemon Institute and TRUSTe, eBay is the most trusted company for privacy, followed by Verizon and the U.S. Postal Service. Facebook, meanwhile, cracked the study's top ten for the first time. To reach its conclusions, Ponemon and TRUSTe first polled more than 6,000 adults on their "most trusted" brands. An expert review panel then compared those results against the companies' privacy statements, notices, to what levels they accessed account information, their cookie management, in- and out-of-network data sharing practices, and the availability of customer service staff. Of the top 10 companies, seven of them were technology-related. The entire list includes eBay, Verizon, the U.S. Postal Service, WebMD, IBM, Procter & Gamble, Nationwide, Intuit, Yahoo, and Facebook. "With the banking industry at the center of a national financial crisis, it's no surprise to see a loss of trust reflected in the rankings of even those top performers on this list," Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, said in a statement. "Meanwhile, the continued strong showing of e-businesses such as eBay, WebMD, Yahoo, and Facebook seems to demonstrate consumers' growing comfort with doing business online."

Goodwin Procter Experts Discuss Data Privacy and Security Best Practices at IAPP Privacy Academy BOSTON, Sept. 15 /PRNewswire-USNewswire/ -- According to a new survey conducted by Goodwin Procter LLP and the International Association of Privacy Professionals (IAPP), companies face three significant challenges - cost, time and number of vendors involved - in complying with new data security rules issued by the Commonwealth of Massachusetts earlier this year. The Commonwealth of Massachusetts has issued rules, which take effect on March 1, 2010, that impose significant data security requirements on entities possessing personal information of state residents, including entities based outside Massachusetts. The intent of the rules is to protect sensitive data and safeguard the public's privacy.