CIPP Information Privacy & Security News

Heartland Payment Systems CEO discusses breach, previews speech Not a week had passed after the announcement of what some have described as the largest data breach ever, when the CEO of Heartland Payment Systems, Robert Carr, began calling for better industry cooperation and new efforts directed at preventing future breaches. Recently, Carr announced that trials will begin late this summer on an end end-to-end encryption system Heartland is developing with technology partners. It is expected to be the first system of its kind in the U.S. The company is also pushing for an end-to-end encryption standard. At the upcoming Practical Privacy Series in Silicon Valley, Carr will discuss the Heartland breach and the role industry, including privacy professionals, must play to prevent future breaches. Here's a preview: IAPP: Many companies have experienced breaches. What made yours different? Ours was different because we are a processor and had passed six years of PCI audits with no problems found. Yet, within days of the most recent audit, the damage had begun. IAPP: Did you have a chief privacy office or a privacy professional on staff before your breach? Do you now? Ironically, when we learned of the Hannaford's breach, we hired a Chief Security Officer who started just three weeks before the breach began. IAPP: In the era of mandatory breach reporting, what is the trajectory of consumer reaction? As a processor it is difficult to really know this. Our customers are merchants who accept card payments. IAPP: Do you think consumers will become numb to breach notices? I believe that many are numb to so many intrusion notices. IAPP: Are breach notices good public policy? Do the notices provide an incentive for companies to change or improve practices? I don't think so. Nobody wants to get breached and the damage caused by a breach is sufficient reason for most of us to do everything we can to prevent them. IAPP: What has Heartland done differentl

Taking a step toward creating more formal standards, the Interactive Advertising Bureau Monday released a set of best practices for social media advertising covering key terms, creative elements, and user privacy, among other topics. The guidelines unveiled at the IAB's Social Media Marketplace conference in New York are intended to encourage the growth of social advertising by giving marketers, agencies and social networks preliminary rules to navigate a category that now spans hundreds of millions of users. "Industry standards are essential to making social media easy, safe and scalable for advertisers," said Seth Goldstein, CEO of Socialmedia.com and co-chair of the IAB's UGC Social Media Committee, in a statement. "The new IAB framework is a critical first step in this direction and we are excited to help enable the next generation of social advertising." While marketers have been eager to experiment with social media, a lack of standard ad formats and metrics and privacy concerns remain obstacles to more rapid advertising growth on social sites. Even so, Forrester Research projects that social media marketing will increase nearly 60% this year to $716 million.

Federal authorities are investigating the loss of a computer hard drive containing a huge quantity of personal information from Bill Clinton's presidency in an apparent security breach at a National Archives record center, government officials said Tuesday. Government officials briefed on the matter said the breach, which was confirmed in April, involved the loss of a drive containing a terabyte of computerized data, which could include millions of individual pieces of information, including personal information about one of then Vice President Al Gore's three daughters. The missing information included Social Security numbers and home addresses of numerous people who visited or worked at the White House, along with other material related to security procedures used by the Secret Service at the White House in the Clinton years. The National Archives and Records Administration said Tuesday in a statement that the agency "takes very seriously the loss of an external hard drive that contained copies of electronic storage tapes from the executive office of the president of the Clinton administration."

A majority of business executives believe that they have a right to know what their employees are doing on social-networking sites, but most workers say it's none of their bosses' business, according to a new survey by Deloitte. The survey was conducted in April with about 2,000 U.S. adults. Of the 500 respondents with managerial job titles (vice president, CIO, partner, board member, etc.), 299, or 60%, agreed that businesses have a right to know how employees portray themselves or their companies on sites like Facebook and MySpace. But 53% of employee respondents said their profiles are none of their employers' business, and 61% said that they wouldn't change what they were doing online even if their boss was monitoring their activities. That disagreement, says Sharon Allen, chairman of Deloitte's board and the sponsor of the survey, is one that companies need to address, particularly as these sites have become part of younger workers' lives. "It does, in fact, tee up the challenging debate or discussion that needs to take place to try to resolve both of their concerns," she said. Few businesses are having that conversation, according to the survey, though many executives indicated that it was on their minds. When asked what their company's policy was regarding social-networking use, roughly a quarter (26%) of employees said they knew of specific guidelines as to what they could and couldn't post. Similar numbers said their office didn't have a policy or they didn't know if their company had a policy - 23% and 24%, respectively.

Is it time for Web publishers and their users to have the privacy talk? At most Web sites, privacy policies are ridiculously long and convoluted scrolls of legalese that only a hearty privacy watchdog would read. For most users it remains a mystery just how publishers collect, use and share the data trails consumers leave behind while traversing a site. But publishers now are partnering more deeply with third party ad networks who plant their own cookies in their users' browsers and hit them again with ads out on their own networks with other publishers. How should a site broach the topic of privacy and ownership of data with its own customers? The industry-funded Future of Privacy Forum is hoping to get at this issue in a new research initiative that explores different ways sites can communicate with users about their online advertising experience and how a use's data trail is recorded and used. The study will try to find ways that publishers can raise user awareness about the use of online behavioral data and be more transparent about how it is harvested and shared.

Google never fails to surprise. It's the scope and scale of their ambitions that impresses me ranging as they do from relatively simple applications that are just way cool such as Sky Map, through their Chrome Web browser (which is now looking pretty stable), to the subject of this newsletter: Google Health. Google Health, which was launched as a beta (of course) in spring 2008, is a free repository for your personal health information. Using the service you can create online health profiles for yourself, family members or others you care for (these profiles can include health conditions, medications, allergies and lab results), you can import medical records from hospitals and pharmacies, share your health records with "your care network" (which may include family members, friends and doctors), and browse an online health services directory to find services that are integrated with Google Health. After you sign up you can import your medical records from Allscripts, Anvita Health, The Beth Israel Deaconess Medical Center, Blue Cross Blue Shield of Massachusetts, The Cleveland Clinic, CVS Caremark, Healthgrades, Longs Drugs, Medco Health Solutions, Quest Diagnostics, RxAmerica and Walgreens. What you'll wind up with if you update all of the sections is a pretty complete health profile, which means that privacy has to be a concern. Interestingly, because becoming a subscriber is voluntary it appears that the service is exempt from the provisions of the Health Insurance Portability and Accountability Act of 1996.

Maryland is poised to jump ahead of the rest of the nation in health information technology on Tuesday when Gov. Martin O'Malley signs a bill intended to coax doctors into using electronic medical records. The computerized files are seen as the foundation of a national health information network that proponents say will improve care, advance medical knowledge and save the country tens of billions of dollars annually. But with the startup costs to individual doctors in the tens of thousands of dollars, many smaller practices have been slow to move from clipboard to computer screen. With today's bill signing, Maryland will become the first state requiring private insurance companies to offer doctors financial incentives to adopt the technology, state officials say. Doctors who do not bring an electronic medical records system on line by 2015 could face penalties. "This is where government and private health care providers can come together to really improve not only the quality of care but also, hopefully, create some costs savings as well," O'Malley said. "Health IT is the future of health care in our country, and we want Maryland to lead the way."

Online targeted advertising and the collection of consumer data are the fuel of Internet commerce, not the major privacy problems described by some advocates and U.S. lawmakers, according to a new paper. "The use of such data permits firms to target their marketing messages to consumers' interests, pays for a wealth of content on the Internet, and helps protect consumers from a variety of online threats," said the paper, released Monday by the Technology Policy Institute (TPI), an antiregulation think tank. "It forms the basis for many of the business models that are fueling the growth of the Internet." Privacy groups want a "free lunch" online, with strong privacy controls that make it tougher for advertising to work online, the paper said. "Privacy advocates have provided little detail on the benefits of more privacy and have typically ignored the costs or trade-offs associated with increasing privacy," the paper said. Data collection delivers ads that people want and that advertising pays for a multitude of free services online, said the paper, co-authored by TPI President Thomas Lenard and Emory University law and economics professor Paul Rubin.

The U.S. Supreme Court Monday accepted an appeal by several groups that brought a constitutional challenge to the Public Company Accounting Oversight Board created by 2002 changes in federal accounting laws. The free-enterprise groups and a Nevada accounting firm sued to stop the Securities and Exchange Commission from naming members of the accounting board, set up by Congress to oversee public-company accountants. "In creating the board, Congress deliberately sought to test the outer boundaries of its ability to reduce presidential power," the groups said in the appeal. The groups, in their lawsuit, claimed the U.S. Constitution required board members to be appointed by the president or the SEC chairman, rather than the entire commission for the securities agency. The Supreme Court's decision to hear the appeal breathes new life into the case, which didn't get much traction in lower courts. The U.S. Solicitor General's office, in court briefs, had urged the high court to reject the appeal, calling it a "poor vehicle" to resolve the constitutional issues raised by the challengers. "The president's control over the SEC is constitutionally sufficient and the act in turn grants the SEC complete and pervasive control over every aspect of the board's authority," Solicitor General Elena Kagan wrote. A U.S. federal judge dismissed the lawsuit in 2007 and the Washington-based U.S. Federal Circuit Court of Appeals also rejected the challenge in a 2-1 decision last year. The private, nonprofit board is charged with inspecting and disciplining public company accountants. The case is the Free Enterprise Fund vs. the Public Company Accounting Oversight Board, 08-861. Oral arguments will be held in the fall, and a decision is expected by July 2010.

California regulators have fined Kaiser Permanente Bellflower (Calif.) Medical Center $250,000 for failing to keep workers from peeking at the electronic health records of Nadya Suleman, who gave birth to octuplets at the hospital in January. The fine is the first under a new state law, which took effect in January, aimed at protecting patient medical records at hospitals and carries the maximum penalty allowable. Twenty-three unauthorized staff and physicians accessed the medical records, including some at other Kaiser facilities. Seven people viewed the records more than once, according to the California Public Health Department, which licenses hospitals in the state. Kaiser fired one person who peeked at Suleman's records, 14 others resigned and eight were disciplined.

Two U.S. Securities and Exchange Commission employees are under investigation by federal criminal authorities for allegedly using insider information to trade stocks, a source familiar with the matter said on Thursday. A report by the SEC's internal watchdog alleges that the two SEC lawyers traded in stock of a large financial services company despite being told by another SEC employee of ongoing investigations of that company, CBS News reported. The SEC inspector general report said one SEC attorney under investigation works in the Office of the SEC's Chief Counsel and has access to a tremendous amount of nonpublic information, CBS News said. An SEC spokesman said: "We take seriously even the suggestion that any SEC employee would engage in insider trading. We note that the inspector general report neither accuses any SEC employee of insider trading nor concludes that any such conduct took place." Calls to the SEC's inspector general and Federal Bureau of Investigation were not immediately returned.

As online shopping becomes a greater force each year, the behavior of online shoppers becomes more and more scrutinized. Ad net AudienceScience, a key scrutinizer, announced today the findings of a commissioned study conducted on its behalf by JupiterResearch designed to measure the receptiveness of online shoppers to behavioral targeting. And the survey says: They like it -- at least that they are more responsive to ads that are behaviorally targeted than those that are contextually targeted. And they were pretty clear about it, with 65 % responding that they are more receptive to BT, and only 35% saying they paid more attention to contextual ads. "Since its inception, behavioral targeting has been an evolution of contextual advertising, and these findings are testament to its power to more effectively engage with consumers on their own level," said Marla R. Schimke, VP of Marketing, AudienceScience. "If we conduct the same study in a year, five years, ten years, I believe we'll see this already substantial gap between the two continue to widen as more and more brands and marketers realize that they can use behavioral targeting to specifically target their ideal customer."

All but one of the legal claims filed against Hannaford Bros. -- the Maine-based retailer that suffered a security breach exposing some four million credit and debit cards -- has been dismissed. U.S. District Court Judge Brock Hornby threw out the civil claims against the grocer for its alleged failure to protect card holder data and to notify customers of the breach in a timely fashion. In dismissing the claims, Hornby ruled that without any actual and substantial loss of money or property, consumers could not seek damages. The only complaint he allowed to stand was from a woman who said she had not been reimbursed by her bank for fraudulent charges on her bank account following the Hannaford breach.

Johns Hopkins is alerting more than 10,000 of its hospital patients that they may have been victims of identity theft. An investigation suggests a former employee who worked in patient registration may have been linked to a scheme to create fake drivers' licenses in Virginia, according to this letter from Baltimore-based Hopkins to the Maryland attorney general's office. Most of the patients are at very low risk, the letter says - they're included because the former employee accessed their records in the course of her work. But a few dozen have already been identified as likely victims, and a few hundred who have Virginia mailing addresses and whose records were accessed by the former employee may also be at risk. Hopkins is offering those patients credit monitoring, fraud resolution and identity-theft reimbursement for certain expenses.

The Data Protection Directive is old-fashioned and out of date, a report published by the UK's privacy regulator the Information Commissioner's Office (ICO) has said. Commissioner Richard Thomas said that the European Union must change its legislation. The ICO commissioned RAND Europe to investigate whether or not 1995's EU Data Protection Directive was a good basis for Europe-wide data protection law. The research concluded that the law was flawed and needed to be updated. It found that the law must be clearer about what it seeks to achieve, that it should be better at forcing organisations to protect personal data in their charge, that it should encourage a more strategic approach to enforcement and that it does not deal well enough with the export of personal data outside the EU. Thomas said that the Directive, on which the UK's Data Protection Act is based, is outmoded. "The Directive is showing its age. Modern approaches to regulation mean that laws must concentrate on the real risks that people face in the modern world, must avoid unnecessary burdens, and must work well in practice," he said. "Organisations must embed privacy by design and data protection must become a top level corporate governance issue." RAND said that the Directive would be improved by its fundamental approach to ensuring data privacy being changed. It said that the law should focus on the protection of individuals and the security of their data, and not on the processes that lead to that. "The stronger, results oriented approach described in this report aims to protect data subjects against personal harm resulting from the unlawful processing of any data, rather than making personal data the building block of data protection regulations," said the report. "It would move away from a regulatory framework that measures the adequacy of data processing by measuring compliance with certain formalities, towards a framework that instead requires certain fundamental principles to be respected

Here are five interesting factoids regarding information security culled from documents and statements accompanying President Obama's fiscal year 2010 budget: The current number of positions filled in the federal IT workforce totals 17,785, with 8,407 of them - or 47 percent - deemed IT security. The Department of Homeland Security seeks $75.1 million more in the coming year to develop and deploy cybersecurity technologies for the entire government to counter continuing, real-world national cyber threats and apply effective analysis and risk mitigation strategies to detect and deter threats. Homeland Security also seeks $37.2 million, a $6.6 million increase, to address critical capability gaps identified in the government's Comprehensive National Cybersecurity Initiative. Specifically, says DHS Secretary Janet Napolitano, this effort would seek and/or develop technologies to secure the nation's critical information infrastructure and networks. Nearly half of the federal workforce - 2.7 million individuals - have been issued credentials that provide for digital signature, encryption, archiving of documents, multi-factor authentication and reduced sign-on to improve security and facilitate information sharing. The total federal IT budget for 2010, including funds earmarked to secure data and systems, tops $75.8 billion, up $5.1 billion or 7.2 percent from the current fiscal year.

Companies in the technology, media and telecommunications industries (TMT) significantly reduced investment in security spending in 2008, according to a new survey from Deloitte Touche Tohmatsu. The third edition of the Deloitte TMT Global Security Survey reveals that 32 percent of respondents reduced their information security budgets, while 60 percent of respondents believe they are "falling behind" or still "catching up" to their security threats -- a significant increase from 49 percent over the previous year. "This year's results indicate companies are explicitly scaling back. With funding decreasing and the threats increasing, it is more important than ever for TMT companies to be highly cost efficient in addressing their security risks," said Irfan Saif, a principal in Deloitte & Touche LLP's Audit and Enterprise Risk Services practice. "Companies that do not have a sound understanding of their security risk profile, or who under-invest in security now, may find themselves exposed to significant and increasingly sophisticated threats that they are not equipped to mitigate." With the proliferation of digitized assets, security should claim a significant portion of a company's overall IT budget. However, only 6 percent of respondents allocate 7 percent or more of their total budget to IT security. This year represents a significant decline from the previous edition of the survey, which showed that 36 percent of the respondents allocated 7 percent or more of their budget to IT security. The survey also indicates that declining security investment is hindering adoption of new security technologies, with only 53 percent of respondents considering their organizations to be early adopters, or part of the early majority, down from 67 percent in 2007. Companies are focusing more effort on optimizing solutions that are already in place rather than investing in cutting-edge technology that can be capitalized upon during economic recovery.

Enterprise role management is key in efficiently managing user access rights and enforcing access policies such as segregation of duties. Roles help companies group coarse- and fine-grained access rights (like access to and functionality within a financial accounts application) into groups, called enterprise roles. These enterprise roles map to job functions and are only allowed access rights that don't violate segregation of duties. For instance, a financial clerk role can't contain fine-grained access rights that allow someone in the role to access the accounts receivable and accounts payable parts of the financial application. The processes and tools necessary for effective role management consist of role mining and design (automatic discovery and management of roles based on existing access rights and entitlements data), role recertification (a process performed typically every six months when a business role custodian certifies what access rights should belong to a role), and access recertification (a process performed typically every 3-6 months to ensure all user access is understood and was granted in an audited way).

The European Commission on Tuesday set a code of conduct for companies using RFID (radio frequency identification) tags that it hopes will safeguard citizens' privacy and allow the quick rollout of the new technology. Around 2.2 billion RFID tags were sold worldwide last year, a third of them in Europe, and were installed in a wide range of products including shipping containers and smart cards used in highway toll booths. The Commission expects the use of RFID tags to grow to five times the current level over the next decade, as tags are added to common consumer items such as bus passes, refrigerators and even clothes. There is "clear economic potential" in using RFID chips to allow communication between objects, said information society commissioner Viviane Reding in a statement. But she added that European citizens "must never be taken unawares by the new technology."

IT practices such as identity management, email and URL filtering, virus scanning and electronic monitoring of employees can get companies that do business globally into a heap of trouble if deployed without an understanding of global data privacy laws. The warning was one of several alarms raised in a presentation on global privacy best practices by Gartner Inc. analysts Arabella Hallawell and Carsten Casper at the recent Gartner Risk Management and Compliance Summit in Chicago. Always a thorny issue, the protection of personally identifiable information (PII) is made more complicated in a world where there is limited agreement on how best to do that. According to the Gartner analysts, the world is divided into three parts when it comes to data privacy laws: countries with strong, moderate or inadequate legislation. The European Union, under the European Union Directive on Data Protection, possesses the strongest privacy regulations, followed by Canada and Argentina; Australia, Japan and South Africa have moderate to strong, recent legislation; laws in China, India and the Philippines are the least effective or laxly enforced. The United States has the dubious distinction of occupying two categories -- the strong column, due to the 45 state breach notification laws on the books, and the weak column, because of the lack of a federal law. Even among the three categories, nuances abound. Under the European Union Directive, member countries enact their own principles into legislation, and some laws (like Italy's) are more stringent than the directive's standards. Russia's very recent law is modeled after the strong EU laws, but how it will be enforced remains questionable. And in the U.S., state breach notification laws vary, with Nevada and Massachusetts proposing the most prescriptive data privacy legislation to date.