CIPP Information Privacy & Security News

Look for almost a dozen consumer groups and privacy advocates to launch a full-court press on targeted behavioral advertising and online privacy on Capitol Hill next week. According to a source, those groups on Sept. 1 will release a background paper, letters to House members and other documents to make their case for stronger government oversight of online marketing targeted to kids. "A growing number of child advocacy and health groups have called on the FTC and Congress to prohibit the behavioral targeting of both children and teens, next week, many leading consumer and privacy groups will send a letter to congressional leaders calling for similar safeguards," confirms Jeff Chester, executive director of the Center for Digital Democracy. Chester saidd that 10 groups will be involved in the push, and that they will be "pressing Congress to write legislation that truly protects consumer privacy, but enables online marketing to flourish in a more responsible fashion." The effort comes as Congress prepares to return from its summer break. House Communications Subcommittee Chairman Rick Boucher (D-Va.) has made an online privacy bill a legislative priority in this session of Congress.

The man accused of masterminding the largest identity theft in U.S. history agreed to plead guilty to related charges, according to court papers filed in Boston federal court on Friday. Albert Gonzalez is accused of helping to steal millions of credit card and debit card numbers from major U.S. retail chains, leading to tens of millions of dollars in fraudulent transactions. A former government informant who is already in jail, Gonzalez, 28, agreed to plead guilty to 19 counts in Massachusetts by September 11. The agreement also resolves charges pending in federal court in New York.

A new privacy law in Maine is facing a court challenge from media organizations as well as a coalition of online companies including AOL, News Corp. and Yahoo. The new law, officially titled "An Act To Prevent Predatory Marketing Practices against Minors," prohibits companies from knowingly collecting personal information or health-related information from minors under 18 without their parents' consent. The measure also bans companies from selling or transferring health information about minors that identifies them, regardless of how the data was collected. Wednesday, opponents asked the federal district court in Maine to issue an injunction against the measure, slated to take effect Sept. 12. In its court papers, the groups opposing the law say it has consequences far beyond limiting the marketing of health-care information. They contend the measure would "prevent common marketing practices used to serve teens information on colleges, test prep services, class rings, etc." The groups who are suing include the Maine Independent Colleges Association, Maine Press Association, Reed Elsevier and NetChoice -- a coalition of Web companies like AOL, eBay, Yahoo, IAC, News Corp. and Overstock.com.

Recommend watching this Frontline report on the secret life of credit cards. Interesting: http://www.pbs.org/wgbh/pages/frontline/shows/credit/view/ - Karl ------------------------------------------------------------------------------- Millions of Americans have already seen their credit card limits shrink, and millions more face the same fate as lenders prepare for tougher U.S. consumer protection rules. Since the financial crisis deepened a year ago, credit card companies have been closing millions of inactive accounts, cutting credit limits and raising interest rates to cushion themselves from record loan losses. This is just the beginning of the biggest shake-up in the credit card industry in at least 20 years, analysts said. Credit Suisse analyst Moshe Orenbuch estimated available credit card lines will be cut by about 20 percent, or $1.2 trillion, in coming months, and warned that "further cuts could result from the provisions of the new credit card law."

Millions of Americans have already seen their credit card limits shrink, and millions more face the same fate as lenders prepare for tougher U.S. consumer protection rules. Since the financial crisis deepened a year ago, credit card companies have been closing millions of inactive accounts, cutting credit limits and raising interest rates to cushion themselves from record loan losses. This is just the beginning of the biggest shake-up in the credit card industry in at least 20 years, analysts said. Credit Suisse analyst Moshe Orenbuch estimated available credit card lines will be cut by about 20 percent, or $1.2 trillion, in coming months, and warned that "further cuts could result from the provisions of the new credit card law."

Facebook has agreed to make changes to better protect users' personal information on the social networking site and comply with Canadian privacy laws within one year, Canada's privacy commissioner said Thursday. "These changes mean that the privacy of 200 million Facebook users in Canada and around the world will be far better protected," said privacy commissioner Jennifer Stoddart.

Federal Reserve chief Ben Bernanke was among hundreds of victims of an identity fraud ring that stole more than $2.1 million from consumers and financial institutions across the United States, Newsweek magazine reported on its website. The head of the U.S. central bank and his wife were swept up in a case against the ring after her purse, with personal checks inside, was snatched at a coffee shop in August 2008, Newsweek reported, citing recently filed court documents. Someone soon began cashing checks on the Bernanke family bank account, a crime that became part of a wide-ranging federal identity theft investigation that was already underway.

To find out more about the survey, I asked Deloitte LLP chairman of the board Sharon Allen to provide some additional context. Given that my only risk-management concern early this week relates to thunderstorms off the coast of South Padre Island, I asked Sharon to step in as a guest blogger today. Here's what she sent me: When I was a high school student growing up in the small farming community of Kimberly, Idaho, little did I know that a song from that time could serve as an anthem for something happening in the workplace today. The Beatles' 1967 classic "Hello Goodbye" is a study in contrasts, as are the current attitudes about social media. Social media has arrived - and with it, employers and employees are singing very different songs about what constitutes appropriate social networking both on and off the job. Recently, I commissioned the third annual Deloitte LLP "Ethics & Workplace" survey. We polled 500 executives and 2,000 employees outside Deloitte. Our survey found that 60 percent of business executives believe they have a right to know how employees portray themselves and their organizations in online social networks. Perhaps because nearly three-fourths of the employees in our poll agreed that the use of social networks makes it easier to damage a company's reputation. However, more than half of employees polled say their social networking pages are not an employer's concern. That belief is especially true among younger workers, with nearly two-thirds of 18- to 34-year-old respondents stating that employers have no business monitoring their online activity.

Social networking users are more vulnerable than ever and taking more risks with their online privacy. According to the 'Bringing Social Security to the Online Community' poll by AVG, while the social networking community has serious concerns about the overall security of public spaces, few are taking the most basic of steps to protect themselves against online crimes. Participants indicated concern over growing phishing, spam and malware attacks, and nearly half of those surveyed are very concerned about their personal identity being stolen in an online community. Despite widespread use of social networks at home and/or at work, 64 per cent of users infrequently or never change their passwords on a regular basis, while 57 per cent infrequently or never adjust their privacy settings. Further, 21 per cent accept contact offerings from members they do not recognise, more than half let acquaintances or roommates access social networks on their machines, 64 per cent click on links offered by community members or contacts and 26 per cent share files within social networks. As a result of this widespread proliferation of links, files and unsolicited contacts, nearly 20 per cent have experienced identity theft, 47 per cent have been victims of malware infections and 55 per cent have seen phishing attacks.

The Federal Trade Commission, continuing its focus on behavioral advertising practices and online consumer privacy, has hired Harvard researcher Christopher Soghoian as a technical consultant. Soghoian, currently with Harvard's Berkman Center for Internet & Society and a noted researcher and blogger on online privacy, will work with the FTC's Bureau of Consumer Protection, Division of Privacy and Identity Protection. He has been particularly critical about the length of time major Internet service providers and companies keep and use customer data Last month, several marketing and advertising industry associations, including the Direct Marketing Association and the American Association of Advertising Agencies, issued self-regulatory principles to govern the online practices of their members, in an attempt to stave off federal regulation of behaviorally targeted advertising.

With one in 10 information technology products on the market considered counterfeit, and software products developed across the globe at risk of subversion, it is hard to overstate the national security concerns regarding the use of IT products delivered through the global supply chain.

The next wave of hacking into computers and stealing data will not be requests or code coming from remote points across the Web, security experts are warning. Instead, the most sophisticated Trojan Horses appearing on Wall Street financial systems may be threaded into the silicon of integrated circuits by design, their malicious instructions baked right into the tiny physical aspects and intricate mapping of the chip itself, according to scientists and academics working with the National Institute of Standards and Technology, the White House and the Financial Services Information Sharing and Analysis Center in Dulles, Va. Detecting such malware after a chip is fabricated will be extremely difficult, if not impossible, these experts say, because the microchips that run servers have millions to billions of transistors in them. Adding a few hundred or even just tens of transistors can compromise an integrated circuit can serve attackers' purposes and escape notice. "You can never really test every single combination on the chip. Testing a billion transistors would take a very long time. It would be very difficult to detect hardware Trojans without having some idea of what you're looking for to begin with," said Scott C. Smith, associate professor of electrical engineering at the University of Arkansas, co-author of a 2007 paper which described a "Hardware Threat Modeling Concept for Trustable Integrated Circuits." Tweaking chips themselves will make them prone to manipulate data, shut down a critical function, or turn a system into a bugged phone that steals and relays vital information, the experts say.

Consumers and companies are vulnerable to hackers and identity thieves even after U.S. authorities arrested a man they said was a master hacker who stole 170 million credit and debit card numbers. Estimates on the total financial impact of breaches vary, but a study by Forrester Research put the cost at $90 to $305 per compromised record when considering the cost of upgrades, notifying customers and legal and marketing expenses. "Under our banking laws, it's the financial institutions that will be stuck paying for fraudulent use of credit cards. We have the consumers responsible for $50 and the rest winds up on the card issuer," said Joel Reidenberg, a professor at Fordham Law School who teaches privacy law. Banks in turn pass along costs to retailers as fines and fees. On Monday, three men were indicted on charges of stealing more than 130 million credit and debit card numbers in what U.S. authorities said they believed was the largest hacking and identify theft case ever prosecuted in the United States

A very heated reaction has followed the interview I conducted yesterday with Robert Carr, CEO of Heartland Payment Systems. One reader even said the resulting Q&A made his "blood boil." Why the outrage? Because Carr did something a lot of people find unacceptable. He threw someone else under the proverbial bus for his company's failure to keep customer credit and debit card numbers out of evil hands. Specifically, he thrust an angry finger at the QSAs who came in to inspect the security controls Heartland had in place to meet the requirements of PCI security. In the article, [Heartland CEO on Data Breach: QSAs Let Us Down] Carr said, "The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn't even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, 'You've got to be kidding me.' That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can't reconcile that." That one comment brought down the house, and not in a favorable way. "I just read Bill Brenner's interview with Heartland Payment Systems' CEO Bob Carr and truthfully, my blood is boiling," Mike Rothman, SVP of strategy at eIQnetworks and chief blogger at Security Incite wrote in a counterpoint piece CSOonline ran today. "Basically, he's throwing his QSA under the bus for the massive data breach that happened under his watch. Basically, because the QSA didn't find anything, therefore he should be off the hook. I say that's a load of crap."

Following complaints from Republicans, the White House has shut down a two-week-old e-mail tip line launched to take reports from citizens of "disinformation about health insurance reform." "An ironic development is that the launch of an online program meant to provide facts about health insurance reform has itself become the target of fear-mongering and online rumors that are the tactics of choice for the defenders of the status quo," wrote White House new media director Macon Phillips in announcing the change. "The White House takes online privacy very seriously," he added. The e-mail tip line, flag@whitehouse.gov, was launched Aug. 4 as part of the White House's Health Insurance Reform Reality Check effort, a campaign-style rapid-response effort reminiscent of the war room Obama for America launched in the summer of 2008 to fight online rumors about the then-senator's patriotism and religion. But coming from the head of state, rather than a political candidate, the new effort quickly sparked concern among Republicans about the propriety of government collecting information on private citizens' political speech.

The U.S. Department of Justice's indictment of Albert Gonzalez on Monday seems to have all the elements of a Hollywood crime drama: A hacker gains access to millions of credit and debit card numbers and has the power to take down a nation. Too bad for Tinseltown, the attack itself was about as sexy and a pile of routers. According to the indictment, Gonzalez, 28, gained a foothold into the systems of credit card processors such as Heartland Payment Systems ( HPY - news - people ) and retailers like OfficeMax ( OMX - news - people ), Barnes & Noble ( BKS - news - people ) and TJX Cos. ( TJX - news - people ) using an amateur hacking technique called "wardriving," which uses wireless access points to find vulnerable networks from which to launch attacks. Once connected to those private networks, Gonzalez used a well-known technique called "SQL injection" to trick Web applications into forking over private information that gave him deeper access into networks. Even though it sounds complicated, techies liken this kind of hack to simply turning the front doorknob to get into a house.

The discipline known as governance, risk, and compliance (GRC) management has come a long way in a short time. Results from Business Finance's 2009 GRC Maturity Study suggest that the majority of companies with formal GRC programs are beginning to derive strategic benefits from their efforts: Two-thirds of survey respondents say that the primary benefit of the GRC programs extends beyond mere compliance to "strategic risk management and decision-making insights" (55 percent) and "superior resilience and long-term shareholder value" (11 percent). Additionally, 81 percent of survey respondents describe their company's GRC capabilities as "strong" (15 percent) or "acceptable" (66 percent); only 18 percent of respondents say that their programs are "in need of improvement." What's more, a remarkable 83 percent of survey respondents (see the "Methodology" side bar) say that their corporate GRC programs were somewhat to very helpful in enabling their organizations to anticipate and respond to the current economic downturn. At many companies, GRC is about much more than compliance these days.

Joshua Corman would seem an unlikely critic of IT security vendors. After all, he works for one. Yet Corman, principal security strategist for IBM's Internet Security Systems division, is speaking out about what he sees as eight trends undermining the ability of IT security practitioners to mount an effective defense against online outlaws. Having worked for the vendor side, Corman says he is uniquely positioned to grasp its weaknesses up close. And so, with a PowerPoint presentation on the "8 Dirty Secrets" of the market in hand, he has traveled to seminars and worked the phones, hoping to motivate a change for the better. Here is the breakdown of those 8 dirty secrets and what Corman sees as practical ways to keep the vendors honest. [Related podcast: The Dark Side of the Security Market] Click here to find out more! Dirty Secret 1: Vendors don't need to be ahead of the threat, just the buyer This is the problem that leads to the seven "dirty secrets" that follow. In essence, Corman said, the goal of the security market is to make money, not to ensure the customer's security. Tom Vredenburg, regional IM manager for Houston-based Wartsila Corp., said Corman's take is consistent with what he has experienced in the trenches. "Not only has security become a phantom deliverable, but the vendors themselves have become equally tough to pin down and evaluate. Are they software sellers or risk managers? Are they service providers or network designers? Am I buying partnerships or licenses? Most of them don't know themselves what they are -- only that they need to sell something that most people don't really want to buy in the first place -- insurance."

It's been repeatedly said that one of the biggest issues our culture is facing right now, and will continue to face in the years to come, is defining and coming to terms with the legality behind privacy issues. As our lives become increasingly wired, connected and monitored privacy becomes an increasingly pressing concern, especially since technology changes much faster than laws can keep up with. While privacy issues are important for adults to be aware of right now, from access to medical records to who can see into our houses, it's probably even more important for the next generation to know what the issues are and how it does and will affect them in the future. Prying Eyes: Privacy in the Twenty-First Century by Betsy Kuhn is a book written for teens and older kids about privacy issues today in America. It looks at new and developing technologies from cameras to RFID chips, the significant laws and court cases throughout our history that have dealt with privacy issues, and how it affects each of us. Kuhn does an excellent job of keeping her subject relevant, but not too focused. Kuhn manages to show how all of these issues matter and affect us without being scary. She never turns technology, corporations or even the government into something frightening. When this is a topic that could easily have been made scary, it's nice that Kuhn managed to walk that line and make this serious without being something to obsess over.

U.S. authorities announced what they believed to be the largest hacking and identity theft case ever prosecuted on Monday in a scheme in which more than 130 million credit and debit card numbers were stolen. Three men were indicted on charges of being responsible for five corporate data breaches in a scheme in which the card numbers were stolen from Heartland Payment Systems, 7-Eleven Inc and Hannaford Brothers Co, federal prosecutors said in a statement. The suspects also hacked two unidentified corporate victims, the U.S. attorney's office in New Jersey said in the statement. Prosecutors allege Albert Gonzalez, 28, of Miami, and two unnamed Russian coconspirators targeted large corporations by scanning the list of Fortune 500 companies and exploring corporate websites before setting out to identify vulnerabilities. The suspects would seek to sell the data to others who would use it to make fraudulent purchases, the statement said.

On September 12, 2009, Maine's Act to Prevent Predatory Marketing Practices Against Minors (the "Act") will take effect. The Act prohibits businesses from knowingly collecting or receiving a minor's health-related information or personal information for marketing purposes without first obtaining verifiable parental consent. Businesses are also prohibited from using any health-related information or personal information regarding a minor for the purpose of marketing a product or service to the minor. Pursuant to the Act, the use of information in such a manner is a predatory marketing practice, which may be sanctioned as an unfair trade practice. The law also allows individuals subject to unlawful data collection or predatory marketing practices to bring a private right of action against violators. For businesses, the implications of Maine's new data collection and marketing restrictions are far-reaching. The scope of the law covers both online and off-line marketing activities, and the broad definition of personal information includes a minor's name in combination with any information concerning the minor. In light of the Act's restrictive requirements and considerable scope, businesses would be well-advised to evaluate their current marketing practices and age verification mechanisms. The text of the law is available here.