CIPP Information Privacy & Security News

There are three reasons for breach notification laws. One, it's common politeness that when you lose something of someone else's, you tell him. The prevailing corporate attitude before the law - "They won't notice, and if they do notice they won't know it's us, so we are better off keeping quiet about the whole thing" - is just wrong. Two, it provides statistics to security researchers as to how pervasive the problem really is. And three, it forces companies to improve their security. That last point needs a bit of explanation. The problem with companies protecting your data is that it isn't in their financial best interest to do so. That is, the companies are responsible for protecting your data, but bear none of the costs if your data is compromised. You suffer the harm, but you have no control - or even knowledge - of the company's security practices. The idea behind such laws, and how they were sold to legislators, is that they would increase the cost - both in bad publicity and the actual notification - of security breaches, motivating companies to spend more to prevent them. In economic terms, the law reduces the externalities and forces companies to deal with the true costs of these data breaches.

The Department of Homeland Security's Data Privacy and Integrity Advisory Committee has offered DHS Secretary Janet Napolitano 16 recommendations on how to best address privacy issues currently facing the department. The panel stressed that "the need to update the government's legal authority to protect and defend cyberspace in the U.S. classified intelligence systems raise specific and sometimes significant privacy issues, including the conflict between transparency and redress." The committee has asked that each DHS component - such as the Federal Emergency Management Agency and Office of Intelligence and Analysis - have a designated privacy officer that would report to the head of the section. The committee also "encourages DHS to continue to work toward policy and functional interoperability in the development of new systems and when making major modifications to existing systems," according to a letter from the committee hand delivered to Napolitano. Additionally, the panel said the 1974 Privacy Act has "not kept pace with the evolution of technology and developments in how data is collected, used, shared and stored. To the extent the Secretary is asked to submit recommendations to Congress for making the act more relevant and effective, the committee recommends that the secretary seek guidance from the Privacy Office staff, who are experts in applying the Act's provisions throughout the department." For more on the recommendations, read the committee's letter here.

Richard Acton-Maher of San Francisco was in nearby Berkeley last month and wanted to meet friends for lunch. Instead of making calls to see who was around, he looked at a digital map on his iPhone that plotted their locations. "One of my friends was also there," said Acton-Maher, 24, who used a service from a startup company called Loopt Inc. "I gave him a call and met him for lunch. It just enhances the communications tools that I already have." Google Inc., encouraged by people's willingness to share their personal lives on sites like Facebook, is betting more people like Acton-Maher will post their whereabouts online. The owner of the most popular search engine started a program this month called Latitude, seeking to compete with mobile networking services such as Loopt, Match2Blue, Whrrl and Limbo. Besides competition, Google's effort to turn mobile phones into tracking devices faces criticism from privacy advocates. Useful for friends and family, location data would also be valuable to the government, said Kevin Bankston, an attorney with the San Francisco-based Electronic Frontier Foundation, a not-for-profit organization focused on civil-liberties. "This is certainly valuable information to investigators and potentially to civil litigants," Bankston said. "This type of location information presents a very new sensitive data flow." Google says its privacy settings address such concerns. People using Google's mobile maps can opt not to use Latitude and choose whom they share their information with. The program also only stores the user's last known location, not a full history of their travels, said Steve Lee, a Google product manager. 'Ephemeral Data' While Google doesn't plan to store the data, the government could still go to court to ask for the company's help in tracking someone during an investigation, Bankston said.

Up to 21,000 Floridians may have been affected by a data breach at Wyndham Hotels & Resorts last year, prompting Attorney General Bill McCollum to ask consumers to keep a close eye on their credit statements. According to a statement released today, Wyndham reported to the Attorney General's Office that it contacted affected consumers in December and notified them that unauthorized access to Wyndham systems had potentially compromised their personal data on their debit and credit cards. The data breach has since been disabled. McCollum encouraged consumers to report any suspicious activity on their accounts to law enforcement. Affected consumers are encouraged to take precautionary steps, including obtaining a free fraud alert from one of the credit reporting agencies. Anyone who believes they may be a victim of identity theft should also request that the national credit bureaus place a fraud alert on their credit reports. Consumers should notify banks and creditors involved of questionable charges or accounts, keep records of all telephone calls and follow up in writing with credit bureaus, banks and creditors.

It's never been easier to get information on the run. Smart devices such as the G1 and Apple iPhone let you put the Internet in your pocket and go - down the block or across the country. But this convenience could cost plenty in lost privacy, consumer advocates and tech analysts say. Once data have been collected and warehoused, you lose control of it forever. "The Big Brother aspect of it is troubling," says Rep. Edward Markey, D-Mass., former chairman of the powerful House Subcommittee on Telecommunications and the Internet. Mobile consumers are especially vulnerable, Markey says. Unlike PCs, cellphones tend to be used by one person exclusively. The information they telegraph - on Web browsing, lifestyle and more - tends to be "highly personalized." That's the main reason mobile data are so prized: The information is incredibly accurate. It's also why Markey and other privacy advocates say the debate about online privacy will become even more intense as advertising migrates to the mobile Web. Mobile advertising is still relatively new - G1 users, for now, get ads only through search results, for instance - but it's clearly a hot spot. The market is expected to reach $2.2 billion by 2012, from about $800 million now, according to JupiterResearch. Ultimately, it could surpass the traditional Web, now a $20 billion ad market. Yahoo, Microsoft and other ad-supported search engines collect information as Google does. But the sheer size and scope of Google's data-mining operation - the Web giant performs more than 80% of all desktop searches worldwide - makes it a uniquely pervasive presence, says Chester. Google and Yahoo, the two biggest players in search advertising, say their self-imposed privacy policies are sufficient to protect consumers, noting that they do not collect or store information in a way that can be directly tracked to an individual. Peter Fleischer, global privacy counsel for Google, says Google tries to make privacy language as

The Senate and House appear headed for a clash over competing visions of how to protect the privacy of patients' electronic medical records, with the House favoring strict protections advocated by consumer groups while the Senate is poised to endorse more limited safeguards urged by business interests. President Obama has called creation of a nationwide system of electronic medical records fundamental to health-care reform, and both chambers of Congress have included about $20 billion to jump-start the initiative as part of their stimulus bills. But as with much in the stimulus package, it is not just the money but the accompanying provisions that groups are trying to influence. The effort to speed adoption of health information technology has become the focus of an intense lobbying battle fueled by health-care and drug-industry interests that have spent hundreds of millions of dollars on lobbying and tens of millions more on campaign contributions over the past two years, much of it shifting to the Democrats since they took control of Congress. At the heart of the debate is how to strike a balance between protecting patient privacy and expanding the health industry's access to vast and growing databases of information on the health status and medical care of every American. Insurers and providers say the House's proposed protections would hobble efforts to improve the quality and efficiency of health care, but privacy advocates fear that the industry would use the personal data to discriminate against patients in employment and health care as well as to market the information, often through third parties, to generate profits.

Kaiser Permanente says that the personal information of 29,500 employees in Northern California may have been exposed in a security breach. "A handful" of employees have reported identify theft, the Oakland, Calif.-based managed-care giant said. Police in San Ramon, Calif., seized a computer file containing the employee information from a suspect who was arrested. The suspect was not a Kaiser Permanente employee, and officials declined to provide further details. The file contained the names, addresses, phone numbers, Social Security numbers and dates of birth of the Kaiser workers. No health plan member information or personal health information was involved in the data breach, according to Kaiser officials. "We regret that this unfortunate incident occurred, and we understand the anxiety and worry that some employees may feel," said Gay Westfall, senior vice president for human resources at Kaiser Foundation Health Plan and Hospitals, Northern California, in a written statement. Kaiser is providing one year of free credit-monitoring to workers whose information was in the file.

Last week, a commercial Twitter spamming tool (tweettornado.com) pitching itself as a "fully automated advertising software for Twitter" hit the market, potentially empowering phishers, spammers, malware authors and everyone in between with the ability to generate bogus Twitter accounts and spread their campaigns across the micro-blogging service. TweetTornado allows users to create unlimited Twitter accounts, add unlimited number of followers, which combined with its ability to automatically update all of bogus accounts through proxy servers with an identical message make it the perfect Twitter spam tool. TweetTornado's core functionality relies on a simple flaw in Twitter's new user registration process. Tackling it will not render the tool's functionality useless, but will at least ruin the efficiency model. Sadly, Twitter doesn't require you to have a valid email address when registering a new account, so even though a nonexistent@email.com is used, the user is still registered and is allowed to use Twitter. So starting from the basics of requiring a validation by clicking on a link which will only be possible if a valid email is provided could really make an impact in this case, since it its current form the Twitter registration process can be so massively abused that I'm surprised it hasn't happened yet. Once a Twitter spammer has been detected, the associated, and now legitimate email could be banned from further registrations, potentially emptying the inventory of bogus emails, and most importantly making it more time consuming for spammers to abuse Twitter in general. If TweetTornado is indeed the advertising tool of choice for Twitter marketers, I "wonder" why is the originally blurred by the author Twitter account used in the proof (twitter.com/AarensAbritta) currently suspended, the way the rest of the automatically registered ones are? Pretty evident TOS violation, since two updates and 427 followers in two hours clearly indicat

Current government rules do too little to protect the privacy of people's personal health information and also hinder the use of health data in medical research, a panel of experts reported on Wednesday. A committee of the Institute of Medicine, which provides advice to U.S. policymakers, urged Congress to take an entirely new approach to protecting personal health data in research. Federal standards for protecting privacy of personal health data under the Health Insurance Portability and Accountability Act of 1996, or HIPAA, are not doing the job, the panel said. Congress and the Obama administration are planning major changes this year to the U.S. health care system. Regarding the privacy rules, Congress should either start from scratch or thoroughly overall HIPAA's privacy provisions, the panel said. Better data security is needed, with greater use of encryption and other security techniques, the panel said. Encryption should be required for laptops, flash drives and other devices containing such data, it said. "Both privacy and health research are important. And we feel that we can strengthen privacy protections for people who participate in research while also allowing important research to proceed without unnecessary impediments," Dr. Bernard Lo of the University of California San Francisco, a member of the panel, told reporters. HIPAA governs how personally identifiable health information can be used and disclosed by health plans, health care providers and others. The intention is to protect personal health information while permitting the flow of information for health-related research and medical care. Lo said HIPAA has burdensome and confusing procedures for people to consent to have their health data used in medical research, dissuading people from taking part in such research.

Do you know where your friends are? If not, Google wants to help you find them. Today, Google introduced Latitude, a new opt-in feature that lets smartphone and laptop users share their location with friends and allows those friends to share their locations in return. Although not pinpoint accurate, Latitude can display your general location based on information from GPS satellites and cell towers. Latitude works on both mobile devices and personal computers. What Latitude can do Once you and your friends have opted in to Latitude, you can see your friends' Google icon displayed on Google Maps. Clicking on their icon allows you to call, email or IM them, and you can even use the directions feature on Google Maps to help you get to their location. Google says Latitude works in 27 countries and with many mobile platforms including iGoogle with your computer. The list of compatible phones are: *Android-powered devices, such as the T-Mobile G1 *iPhone and iPod touch devices (coming soon) *most color BlackBerry devices *most Windows Mobile 5.0+ devices *most Symbian S60 devices (Nokia smartphones) *many Java-enabled (J2ME) mobile phones, such as Sony Ericsson devices (coming soon)

Perhaps Mark Z is surprised that people actually read terms of service. Arrogant twit. He's a multi-millionaire who cares about the little people (stage direction: Mark Z looks sincerely into web cam as he wipes away tear with hundred dollar bill). Perhaps the Tweens don't understand what social networking sites really sell; looks like some grown ups started asking where all their personal information is going and when it might inconveniently show up in some ad campaign.

A couple of weeks ago, we revised our terms of use hoping to clarify some parts for our users. Over the past couple of days, we received a lot of questions and comments about the changes and what they mean for people and their information. Based on this feedback, we have decided to return to our previous terms of use while we resolve the issues that people have raised. Many of us at Facebook spent most of today discussing how best to move forward. One approach would have been to quickly amend the new terms with new language to clarify our positions further. Another approach was simply to revert to our old terms while we begin working on our next version. As we thought through this, we reached out to respected organizations to get their input. Going forward, we've decided to take a new approach towards developing our terms. We concluded that returning to our previous terms was the right thing for now. As I said yesterday, we think that a lot of the language in our terms is overly formal and protective so we don't plan to leave it there for long. More than 175 million people use Facebook. If it were a country, it would be the sixth most populated country in the world. Our terms aren't just a document that protect our rights; it's the governing document for how the service is used by everyone across the world. Given its importance, we need to make sure the terms reflect the principles and values of the people using the service. Our next version will be a substantial revision from where we are now. It will reflect the principles I described yesterday around how people share and control their information, and it will be written clearly in language everyone can understand. Since this will be the governing document that we'll all live by, Facebook users will have a lot of input in crafting these terms. You have my commitment that we'll do all of these things, but in order to do them right it will take a little bit of time. We expect to complete this in the next few we

Until now, lawsuits seeking to recover significant damages based on the loss of, or unauthorized access to, sensitive personal information have not been especially successful for plaintiffs. Most companies suffering data breaches have escaped by offering affected consumers inexpensive credit monitoring services. But two recent cases show plaintiffs a way to expose many previously safe companies to substantial claims for damages. Any company that thinks there are no risks in employing less than best practices for data privacy and security needs a wake up call. The headlines are all too familiar. Some well known consumer services company (or less known wholesale data processor) announces that millions of individual records containing names, Social Security numbers, account numbers and other sensitive information were left in a dumpster, saved to a stolen, unencrypted laptop, or stored on a misplaced USB drive or backup tape. The press is terrible, the company's stock takes a temporary plunge, and sometimes the Federal Trade Commission enters into a consent decree where the company promises to never do it again. But when affected individuals or groups of consumers tried to sue for damages, they seldom recover significant amounts. These cases have not often succeeded because the plaintiffs have been unable to prove actual pecuniary losses resulting from the security breach. Sure, if identify theft occurs the affected individuals can suffer significant emotional trauma, loss of time, etc. But Courts have been unwilling to award damages for anxiety, fear, and other emotional harm that can result from a data breach, for the risk of future identify theft, or for actual identity theft when the plaintiff could not prove that the theft occurred as a direct result of a data breach at a particular source. Most companies facing claims based on data breaches have been able to settle cheaply by offering to provide credit monitoring services, which most consumers do not use, resu

A recurring problem in modern litigation is the inadvertent disclosure of materials subject to the attorney-client privilege or the attorney work product protection. New Federal Rule of Evidence 502 changes the rules concerning waiver of privilege in all Federal and many State court cases, thereby reducing the risk that inadvertent disclosures will constitute a wavier of attorney client privilege or work product protection. But the new rule requires careful application. Important risks remain. Inadvertent disclosure of privileged or protected information too easily occurs when massive numbers of documents or files make it impractical or prohibitively expensive to review every item individually. The proverbial privileged document needle gets lost in the e-discovery haystack and is overlooked. Later, when opposing counsel recognizes that she has a potentially privileged document and brings this to the attention of disclosing counsel, there may be a fight as to whether the document will be returned, or whether the disclosure constitutes a wavier of any privilege related to the information. Under existing State and Federal law, release of privileged or protected information to an adversary, even if inadvertent, may constitute a waiver of the privilege or protection with regard to the information or document disclosed or, worse, to all documents and other information related to the same topic. Invoking the "claw" Amendments to Federal Rule of Civil Procedure 26(b), adopted in December 2006, were aimed at reducing the risks of waiver from inadvertent disclosures. Rule 26(b) provides that if privileged information is produced, the party making the claim of privilege may notify any party that received the information of the privilege claim and the basis for it. After being notified, a party must promptly return, sequester, or destroy the specified information and any copies it has, must not use or disclose the information until the privilege claim is resolved; must t

The new year has come and gone on the Gregorian calendar. But the new year for legal technology is still in progress at LegalTech New York, where vendors are unveiling their new products and services and attendees are helping them celebrate. LegalTech attendees should revel in the number of vendor initiatives aimed at reducing e-discovery costs from acquisition to review and production. And, like last year, EDD vendors continue to design and manufacture their products for international litigation. But LegalTech is not all about e-discovery. There were still plenty of vendors with products outside the Electronic Data Reference Model. EDD PARTIES Readers should be aware that Index Engines can access and extract data from tape and tape libraries -- and can do so really fast. But now they can also extract data from network storage systems, file shares, forensic images and hard drives and still provide users a single point of access to it -- via a Web browser. Index Engines first indexes data on disparate resources. Once the index is compiled, data can be deduped, searched, reviewed and extracted on demand. Also note that Index Engines can now filter unwanted file types such as EXE, DLL, etc., during the indexing process to reduce the time it takes to review the data. Read LegalTech New York 2009 Coverage on Legal Blog Watch In preparation for the new year, Kazeon Systems introduced new pay-as-you-go pricing models that augment their current standard software licensing option and focus on case matters. Kazeon hopes the new pricing models allow customers to implement an e-discovery solution that does not require a major financial investment or lengthy rollout. Vendors are starting to "go left" of the EDRM to provide organizations a better view of the end of litigation via early case assessment tools. In fact, KPMG promoted the concept with a T-shirt emblazoned with "go left." Toward that end, Daticon EED announced the availability of its Early Case Assessment servic

The whole idea of privacy has become a joke. On one hand we have consumers who will give away their personal details to random Web sites (as well as to Mrs. Sikiratu Seki Adam, "a widow to Late Saheed Baba Adams") at the drop of a virtual hat, and on the other we have businesses losing personally identifiable information and transaction data with wild abandon … yes, I'm talking about you Heartland Payment Systems. (Heartland lost data on more than 100 million transactions although it is hardly alone - check out the data loss database at the Open Security Foundation). This widespread carelessness has compromised the privacy of tens of millions of consumers and businesses. While carelessness is the cause, what has allowed it to go unchecked are a number of factors: The Internet making transactions easier and faster; the systems we use on the Internet (particularly Windows PCs) being as secure as the First Little Pig's house of straw; organizations not taking security seriously enough; naive consumers; and inadequate regulation of the companies that hold private data. What got me thinking about this privacy void was a letter my wife received from Nordstrom Bank yesterday. My wife has a Nordstrom credit card and the company sent us, for what seems like the 1,000th time, its latest privacy policy. This version was one page of small text that more or less says what every other privacy notice from financial services companies say (we average about one of these "revised" policies every couple of weeks).

A complaint filed with the Federal Trade Commission by consumer groups seeking greater privacy protection for mobile Internet users could become a crucial test for the Obama administration's commitment to Internet privacy, a researcher has said. A policy statement published on then-President-elect Barack Obama's transitional Web site said he plans to "strengthen privacy protections for the digital age." Need to review your privacy policy or guide your clients in preparing a privacy framework? Download a copy of the Generally Accepted Privacy Principles.

Hackers broke into the Federal Aviation Administration's computer system last week, accessing the names and national identification numbers of 45,000 employees and retirees, a union leader says. Tom Waters, president of American Federation of State, County and Municipal Employees Local 3290, said FAA officials briefed union leaders Monday about the security breach. FAA spokeswoman Laura Brown confirmed the agency's computers were hacked last week. Story continues below ↓advertisement | your ad here Waters said union leaders were told hackers gained access to two files. One file had the names and Social Security numbers of 45,000 employees and retirees on the FAA's rolls as of February 2006. Social Security is the U.S. government-directed pension system, and in the absence of a national identity card, other people's social security numbers can be used to steal identities for illicit purposes. Waters said the other file contained medical information that was encrypted. "These government systems should be the best in the world, and apparently they are able to be compromised," said Waters, an FAA contracts attorney. "Our information technology systems people need to take a long hard look at themselves and their capabilities. This is malpractice in their world." FAA officials told union leaders the incident was the first of its kind at the agency. But Waters said his union complained about three or four years ago about an incident in which employees received anti-union mail that used names and addresses that appeared to be generated from FAA computer files.

Affixing a dollar cost to a problem has immense benefit, and The Ponemon Institute goes to great lengths to arrive at the figures for its Annual Cost of a Data Breach Study. We painstakingly analyzed the financial impact a data breach has on a company by examining 43 different companies from a cross section of industries, all of which experienced a significant data breach affecting a range of data records representative of the norm. And knowing that a data breach may cost your company $6.65 million dollars may be all the information that is needed for a company to assign an appropriate budget to those tasked with information security. In 2008 the average total cost of a data breach was $6.65 million, up from $6.35 million last year and $4.54 in 2005. In 2008, the per-victim cost of a data breach was $202, up from $197 in 2007, and from $138 when the study was launched in 2005. Breaches involving a third party to which data had been outsourced bore a per-victim cost of $231, whereas self contained breaches bore a per-victim cost of $179. Breaches that were the result of a malicious act bore a per-victim cost of $225, whereas breaches that were the result of negligence bore a per-victim cost of $199. Breaches that were the result of a lost of stolen laptop computer bore a per-victim cost of $249, whereas breaches that did not involve a lost or stolen laptop computer bore a per-victim cost of $177. If the data breach was a first-time event for the company the per victim cost was $243, but if the company had experienced a breach previously the per victim cost was $192. The simple conclusion to these numbers is clear: the financial impact for a company that experiences a data breach is significant and rising. That finding alone may be alarming, but it seems to merely quantify what most people already knew to be true. The "wow" factor comes when you realize that we haven't simply identified the cost of an inevitable outcome, as if to tell the world, "buckle up and brac

In Deloitte's sixth annual Global Security Survey, people are the problem. "[P]eople continue to be an organization's greatest asset as well as its greatest worry," Adel Melek, global leader of security and privacy services at Deloitte Touche Tohmatsu, said in the report. "That has not changed from 2007. What has changed is the environment. The economic meltdown was not at its peak when respondents took this survey. If there was ever an environment more likely to facilitate an organization's people being distracted, nervous, fearful, or disgruntled, this is it. To state that security vigilance is even more important at a time like this is an understatement." On one level, that couldn't be more obvious: It's not as if anyone worries about squirrels hacking servers; security has always been about people. (Robots, the report says, are unlikely to replace the human workforce during the lifetime of anyone reading the report. Finally, some good employment news.) Yet despite the obviousness of the problem, the obvious solution -- complete denial of access -- doesn't work. People use computers and computers are more useful when connected and it just gets worse from there. That may explain why identity and access management remained top of mind for survey respondents. Deloitte's survey, drawn from major financial companies around the globe, focuses on governance, investment, risk, use of security technologies, quality of operations, and privacy. It includes some good news -- external breaches have declined sharply over the past year -- and troublesome news -- fewer companies say they have the commitment and funding to address regulatory compliance. In terms of risk, specifically information systems failure, people are identified as the most significant vulnerability. "Human error is overwhelmingly stated as the greatest weakness this year (86%), followed by technology (a distant 63%)," the report states. It attributes the rising risk to increased adoption of new techno

A Port Washington medical practice was defrauded of nearly $250,000 by a former employee who for four years paid her credit card bills with automatic debits from a doctor's checking account, Nassau police said. Debra Camilo, 42, of 110 Malba Dr., Whitestone, began the transfers in the spring of 2004 and even though she was fired a year later -- for reasons unrelated to the fraud -- she continued until July 2008, police said. All told, the former office manager made more than 80 unauthorized debit transfers to her Visa credit card amounting to $241,341, police said. Crimes against property bureau detectives arrested Camilo Thursday afternoon in Manhasset and charged her with grand larceny, identity theft and fraud. She was scheduled for arraignment Friday in First District Court, Hempstead.