CIPP Information Privacy & Security News

The Interior Department's inspector general has found widespread mishandling and erratic tracking of special passports issued to department officials traveling overseas, alleging that in numerous instances employees violated federal privacy laws by improperly securing passports and passport application forms. In some cases, officials couldn't account for expired passports of former employees, and could not locate a passport once issued to former Interior secretary Gale Norton. The inspector general's report warned that such mismanagement and lax protection could result in cases of fraud or identity theft impacting current and former employees. "Given the risk of misuse that missing and unsecured passports, visas and passport applications pose, we cannot understate the importance of acting swiftly to address these violations and prevent their recurrence," Acting Inspector General Mary L. Kendall wrote in a memo sent with a copy of the report last week to Interior Secretary Ken Salazar.

In a decision that has privacy advocates and others scratching their heads, a federal judge has ruled that LifeLock has been breaking California law for years by placing fraud alerts on its customer's credit profiles. The decision is a blow to the burgeoning identify-theft protection industry, and means that companies that experience data breaches may no longer be able to offer victims free subscriptions to such services - a standard damage-control tactic in recent years. Consumers can still place fraud alerts by contacting one of the three U.S. credit reporting agencies directly. Bo Holland, founder and CEO of Debix, a competitor of LifeLock, called the ruling "dramatic and unexpected." "It causes a real shift in the industry," he told Threat Level. The pre-trial partial summary judgment comes in a lawsuit filed last year against LifeLock by Experian, one of the nation's three credit reporting bureaus. Experian claimed LifeLock is trying to "game the system" of fraud alerts to make a profit.

The United States' 35-year-old federal privacy law and related policies should be updated to reflect the realities of modern technologies and information systems, and account for more advanced threats to privacy and security, according to a report sent today to OMB Director Orszag. In its 40-page paper, the National Institute of Standards and Technology's Information Security and Privacy Advisory Board calls for Congress to amend the 1974 Privacy Act and provisions of the 2002 E-Government Act to improve federal privacy notices; clearly cover commercial data sources; and update the definition of "system of records" to encompass relational and distributed systems based on government use of records, not just its possession of them. The panel included technology experts from industry and academia. The panel wants heightened government leadership on privacy and suggests the hiring of a full-time chief privacy officer at OMB and regular Privacy Act guidance updates from the office. Chief privacy officers should be hired at major agencies and a chief privacy officers' council should be created, much like the Chief Information Officers' Council that is chaired by OMB's e-government and IT administrator.

With identity theft on the upswing, Aram Langhans thought he was simply being prudent when he asked the Yakima Heart Center to remove his Social Security number from its files. "They had my insurance card and my driver's license. What else did they need?" said Langhans, a retired public school teacher insured by Group Health. Langhans said he was initially hooked up to a portable heart monitor that he was to wear for 24 hours, but the disagreement over his Social Security number prompted upper-level personnel to change their minds. He said moments after the device was attached, he was sent to a restroom to remove it and turned away. Shawnie Haas, administrator of the Heart Center, an independent outpatient group practice, declined to discuss the incident. But she said in an e-mail statement that the practice protects patients' privacy. "The Yakima Heart Center is careful to collect data pertinent to ensuring accuracy of our patient's medical record. Routine information collected for all patients includes name, address, date of birth, Social Security number, gender, and other specific information that helps us verify that individual's identity and insurance enrollment or coverage data. We are careful to maintain confidentiality of all patient information in our system." According to state and federal regulators, private insurance companies have moved away from using Social Security numbers for patient identification. But health-care providers in the Yakima Valley say they routinely collect them as "backup" in the event that patients' insurance doesn't pay the claim.

Why Google isn't ready to be an Enterprise vendor

At the Google (NSDQ: GOOG) I/O developer conference this week, Google Inc. will host more than 80 technical sessions on all of the Google apps and platforms we've come to know -- Android, Chrome, App Engine, Web Toolkit, AJAX and others. When reviewing the Google I/O Schedule this morning, I was disappointed by what could not be easily found. The conference will run this week, May 28 to 29, in San Francisco, and Google is expecting more than 2,000 attendees. Unfortunately, a long perusal of the schedule shows plenty of tracks with Search, Scale, and Performance in the title -- but only one track with Security. What about Privacy? Well, there's no tracks highlighting data privacy, either. There is a session that covers federated identity management, Practical Standards-based Security and Identity in the Enterprise. And it looks promising, but federated authentication and authorization is more about making sure applications and people can interact securely, not that an application, itself, is inherently secure.

In New Jersey, and around the country, most doctors still rely on paper records for everything from writing prescriptions to keeping track of their patients' allergies. Only about 1.5 percent of U.S. hospitals have switched to an electronic records systems, and less than 8 percent have even a basic system, according to a recent study by the New England Journal of Medicine.

Hundreds of credit union members are starting their holiday weekend off without their debit cards after a credit compromise forced the Winthrop Federal Credit Union to deactivate customers' cards. The credit union stayed open Friday until 6 p.m. to give cash to affected customers for the weekend. CARDS FROZEN AS A PRECAUTION Credit union officials say its card processer, Metavante, noticed suspicious activity on three of its MasterCard debit cards and notified the credit union about them. While it was not a security breach, the Winthrop Federal Credit Union decided to freeze a block of cards as a precaution, something that Metavante did not advise them to do. "We really know very little. We are working with the credit processor to identify the possible cards," said bank spokeswoman Cathleen Clark. "We always feel it's better to be safe than sorry." Because of the suspected credit compromise, the credit unions says it felt it was necessary to freeze the cards.

Why employers should actually perform background checks.

A former Texas lottery worker was arrested while training for a new job Tuesday - his fourth with the state - and charged with illegally "possessing" personal information on 140 lottery winners and employees, including their names and Social Security numbers. Joseph Mueggenborg was still working for the Lottery Commission in 2007 when he allegedly took the information, which was discovered last year on a state computer at the Comptroller of Public Accounts where he later was employed. He was fired and the information was turned over to criminal investigators. When arrested Tuesday, however, the computer analyst was training for yet another job, at the Texas Department of Licensing and Regulation. Travis County prosecutor Jason English said it was "concerning" that the man was still working for the state after being fired by the comptroller. Susan Stanford, a spokeswoman for the Texas Department of Licensing and Regulation, said the department was unaware Mueggenborg had been fired and was under investigation when he was hired as a systems analyst three weeks ago. He was receiving job-related training at the time of his arrest, she said. The department has secured Mueggenborg's computer and begun a forensic study.

A surprise legal maneuver by the defense in the Sarah Palin hacking case could undermine key charges carrying the stiffest potential penalties. A lawyer for the Tennessee college student charged with hacking into the Alaska governor's Yahoo e-mail account last year says his client couldn't have violated Palin's privacy because a judge had already declared her e-mails a matter of public record. "He's not suggesting that e-mail can't be private," says Mark Rasch, a former Justice Department cybercrime prosecutor. "He's saying this particular e-mail was not private or personal because of who she is and because it wasn't intimate communication. " Additionally, photos that 20-year-old David Kernell allegedly obtained of Palin and her family were not private since the Palins are "the subjects of untold numbers of photo-ops," the lawyer argued last week, in one of a slew of motions and memorandums attacking the government's four-count federal indictment against Kernell.

Creative lawyer. The kid is still stupid. To me, It says more that Palin didn't get in trouble for using a public web mail account for State business. The kid who reads her email is on trial? What a country.

If you can't measure it, you can't manage it. If you don't even know what it is...

Even IT professionals are confused about what constitutes Web 2.0, according to a survey released Wednesday by web security vendor Websense and research firm Dynamic Markets. According to the survey, of 1,300 information technology managers across 10 countries, 17 percent of respondents correctly identified all the items on the survey that can be considered Web 2.0. IT administrators commonly identified the "obvious" Web 2.0 sites -- such as the social networking sites Facebook and LinkedIn, Dave Meizlik, director of product marketing at Websense, told SCMagazineUS.com on Tuesday. They also commonly identified blogs and micro blogs, such as Twitter, as Web 2.0. But, respondents less frequently identified other sites as Web 2.0, including iGoogle and Wikipedia, Meizlik said. Only half of respondents identified video uploading sites, such as YouTube, as part of Web 2.0, the survey found. David Lavenda, vice president of marketing and product strategy at security vendor Worklight, told SCMagazineUS.com on Wednesday that IT administrators know they need to secure the enterprise from Web 2.0 threats, but are not always sure what those threats are. "When you go to organizations where security is really important -- financial and government organizations -- and ask, 'What's your fear of Web 2.0?,' they say, 'I really don't know, but we hear enough stories of people being compromised that we don't want to take a chance.' That's the most common answer." Lavenda said.

An insider at the California Water Service Company in San Jose broke into the company's computer system and transferred $9 million into offshore bank accounts and fled the country. Abdirahman Ismail Abdi, 32, was an auditor for the water company, which delivers drinking water throughout the state and is located in San Jose, Calif. Abdi resigned from his position on April 27. Allegedly, that night he went back to work and made three wire transfers totaling more than $9 million from the company's accounts to an account in Qatar. Abdi was seen by a janitor on the night of the crime, according to the San Jose Mercury News, citing court documents filed Wednesday in the federal court at San Jose. The next morning, the water company discovered what had been done and worked with their bank to have the money returned to their account. The company notified police, who are currently investigating the case, Jose Garcia, public information officer at the San Jose Police Department, told SCMagazineUS.com on Friday.

Internal controls failure.

Twenty-three of the 24 major U.S. government agencies contain weaknesses in their information security programs, potentially placing sensitive data at risk to exposure, according to a government report issued this week. The U.S. Government Accountability Office (GAO) studied how the agencies were responding to the regulations described in the Federal Information Security Management Act of 2002 (FISMA). The mandate requires government entities to develop and implement an agencywide information security program. Inspectors general conduct annual reviews of agency progress. The GAO review, which took place between last December and this month, concluded that, partly based on inspectors general and federal Office of Management and Budget (OMB) reports, that 23 of 24 agencies contain lax controls to ensure that only approved users can access system data. Meanwhile, 22 of 24 agencies described information security as a "major management challenge," according to the report.

Ignorance is bliss!

IT professionals are under pressure from upper level executives to open the floodgates to the latest Web-based platforms, relaxing Web security policy, according to a new survey of 1,300 IT managers. The survey, conducted by independent research firm Dynamic Markets Ltd., was commissioned by Web, DLP and email security vendor Websense Inc. Dynamic Markets conducted interviews with IT managers in Australia, Canada, China, France, Germany, Hong Kong, India, Italy, the U.K. and the U.S. Nearly all those surveyed said they allow access to some Web-based services, such as webmail, mashups and wikis. But more employees are turning to online collaboration platforms; some are turning to Google Apps, which are integrated with Google's Gmail platform, and others are turning to popular social networking sites, such as Twitter and Facebook. Some users are bypassing Web security policy to access the services, according to 47% of those surveyed.

Will monetary value increase the value of user's data on social networks?

Facebook and Twitter have helped make social networking a household word. Now they need to make money. Efforts to monetize the popular Internet services are increasingly a priority within the two companies, with Facebook Chief Executive Mark Zuckerberg and Twitter Co-founder Biz Stone outlining several initiatives at the Reuters Global Technology Summit in New York this week. And analysts and investors, in search of the next Google-like hit, are paying close attention to the breakneck speed at which Facebook and Twitter are adding new users. While the popularity of the two social media firms has yet to translate into the kind of revenue-generating machine that Google Inc developed with its search advertising business, some say Facebook and Twitter have become so central to the Internet experience that they are inherently valuable. "Both are new ways of communicating. And when you have a new way of communicating ... you benefit people enough so that there is going to be value there," said Tim Draper, managing director of venture capital firm Draper Fisher Jurvetson, noting that he regretted not having invested in either firm. In April, Twitter's website attracted 17 million unique visitors in the United States, up sharply from 9.3 million the month before. Facebook grew to 200 million active users in April, less than a year after hitting 100 million users.

A new report from the Progress & Freedom Foundation says that officials in some states want to pass legislation that would extend the Children Online Privacy Protection Act (COPPA) from covering children under 13 to covering teens until they're 18. COPPA, which became law in 1998, requires verifiable parental consent before a child under 13 can provide personally identifiable information to a Web site that caters to children. Expanding the law to cover teens till they're 18, according to the report, would "require Web sites to obtain more information about both minors and their parents, which runs counter to the original goal of the Act: protecting the privacy of minors." Ultimately, say the authors, "this would actually make minors less 'safe online.'" In this podcast, the report's co-author, PFF Senior Fellow Adam Thierer, explains the original COPPA law and why, in his opinion, the expanded law could have a chilling effect on the free speech rights of minors. The podcast runs 11:30

Defunct behavioral targeting company NebuAd did not just spur complaints by lawmakers and privacy advocates. This week, NebuAd's defense lawyers filed papers with the federal district court in San Francisco asking to withdraw as counsel in a privacy lawsuit. In a motion dated Monday, attorney Thomas Gilbertsen alleges that NebuAd is behind on its legal bills -- in some cases by more than 45 days. He also argues that because NebuAd is out of business, no officers or employees are available to help with the defense. "Because NebuAd has essentially ceased to exist, it can no longer participate in this case," states the motion. Gilbertsen also asked that the case be delayed pending NebuAd's liquidation and the resolution of creditors' claims. Gilbertsen also says in court papers that counsel and NebuAd have "irreconcilable differences." He did not elaborate in the motion or return messages seeking comment.

The think tank Future of Privacy Forum announced this week that it tapped ad agency WPP to come up with new ways of notifying Web users about online behavioral advertising. Director Jules Polonetsky hopes that advertising creatives will be able to come up with something more intelligible than the lengthy jargon-filled policies that are all too often incomprehensible. Federal Trade Commission Chair Jon Leibowitz, who has urged Web companies to provide clear and succinct notice about ad targeting, is cheering the project. "I'm very heartened with what the Future of Privacy Forum has announced," he tells MediaPost. "Most current online privacy policies are essentially incomprehensible for even the savviest online users."

Raises some realistic questions about the American approach to privacy law & regulation. Unfortunately, the article tends to point at the misapplication of laws more heavily than offering the reader an account of the abuses that led us to where we are now. Businesses & government, including the medical industry, freely shared details - or spied on Americans with impunity for decades. The article reminds us that work needs to continue to balance our approach. A Federal law, that sets a floor for privacy requirements, could help reduce conflicting requirements caused by almost every state writing seperate laws because there was a lack of leadership from Washington. American privacy regulations are implemented sectorally - at the industry or State level for example. This leads to many different, and conflicting laws. Privacy is a difficult subject with complex considerations touching aspects of life that have not been questioned for years. This article provides more con than balance, but it reminds us that extreme positions rarely serve anyone well.

Special interest groups and lawyers claim they are defenders of individual privacy. But all that red tape is causing more harm to consumers than good. In a world of tight budgets and sacrificed programs, one sector has continued to grow with the speed and choking effectiveness of kudzu: regulations around privacy. More than 300 privacy-related laws are on the books, in both Washington, D.C. and state capitals. Privacy-related consulting services provided by law and accounting firms are a $500-million-a-year business and have been growing at double digits.

Social networking sites are often used by government ministers as an example of the profound way attitudes to privacy have changed. They argue that the young generation invade their own privacy to a far greater extent than the government ever would. The implication is that the older people who object to government intrusion are living in the past. The response to this is that people who use social networking sites voluntarily reveal things about themselves and have a degree of control of over how long information and photographs stay in the public domain, while the government collects and stores information without permission and allows the subject no access to the data held. There is no obvious comparison between the two activities. But this doesn't let the social networking sites off the hook. Most internet companies claim a kind of morality free status when it comes to such issues as privacy and copyright, and Web 2.0 sites are no different. A study published this week by Cambridge PhD students shows that nearly half of all social networking sites retain copies of photographs after being "deleted" by users. The study examined 16 popular websites that host user-uploaded photos, including social networking sites, blogging sites and dedicated-photo-sharing sites. Seven of the 16 sites surveyed were still maintaining copies of users' photos after they had been deleted by the user. The researchers - Jonathan Anderson, Andrew Lewis, Joseph Bonneau and lecturer Frank Stajano - found that by keeping a note of the URL where the photo is actually stored in a content delivery network, it was possible for them to access the photo even after it had been deleted.

Four HIV-positive patients whose records were left behind on an MBTA train by a Massachusetts General Hospital employee are suing the hospital, claiming their privacy has been breached. In March the hospital notified 66 patients who received care at its Infectious Disease Associates outpatient practice that billing records bearing their names, Social Security numbers, doctors, and diagnoses had been lost by a manager who was riding the Red Line. She had brought the paperwork home for the weekend, but left it on the train when she returned to work the morning of Monday, March 9, according to hospital security reports. Last week two patients who are HIV-positive filed a suit in Suffolk Superior Court against the hospital and the unidentified billing manager. The unnamed plaintiffs have been joined by two other HIV-positive people. The legal action was first reported in the weekly newspaper Bay Windows. Their lawyer, John Yasi of the Salem law firm Yasi and Yasi, said in an interview he has filed a motion to make the suit a class action that could cover all 66 patients, a significant number of whom are also HIV-positive. "The damages that jump out are the emotional distress surrounding the loss of obviously very sensitive medical information and secondarily the loss of personal security information," he said. "A Social Security number in reality may lead to identity theft, which we all know is a nightmare."