CIPP Information Privacy & Security News

For the second time in the same case, law enforcement in Denver turned away a key component in hundreds of instances of identity theft. The first time, it was a box full of stolen documents found in a storage unit, turned away by a Denver Police officer. This time, it was the main suspect, turned away by the Denver Sheriff's Department. The Denver Sheriff's Department admits the man believed to be at the center of an identity theft operation, 46-year-old Paul Simmons, tried to turn himself in at the Denver City Jail 16 hours before police arrested him. A warrant had been issued for his arrest and was entered into the system at 10:15 a.m, according to Sonny Jackson, Denver Police Spokesman. Sheriff's spokesperson Capt. Frank Gale told 9Wants to Know Tuesday that Simmons walked into the Denver City Jail around 8 p.m. Monday night. The Denver Sheriff's Department runs the city jail. It is not staffed by the Denver Police Department. Gale says Simmons told a sheriff's deputy he had received a call from an investigator with Denver Police saying he was wanted for questioning in connection with the identity theft case featured on 9NEWS. Gale says the sheriff's deputy then told Simmons there was not a record of him being wanted in the computer, but sent Simmons to check in with the Denver Police Department housed in a separate building across the courtyard at 1331 Cherokee St. Gale said the deputy did not know if Simmons ever made it to the Denver Police building. Denver Police spokesperson Sonny Jackson said Simmons never did. "We really wish he would have taken the 50 steps across the courtyard and talked to us, that would have saved us a lot of time today." Jackson said. "If he [Simmons] really wanted to turn himself in we would have been more than happy to take him into custody."

It is hard work looking for a job, Matt Sawyer said. "Well with the economy being down right now, it's pretty hard," said Sawyer. Like most job hunters, Matt is posting his resume on various online job sites. But you have to be careful when sending out your personal information over the Internet, privacy expert Pam Dixon said. "The problem is, if you don't use it correctly, it can come back to haunt you," she said. Dixon runs the World Privacy Forum and warns job hunters to be cautious with their personal information when posting their resume. "In fact any competent job site will give you the option of hiding your personal information," said Dixon. Scam artists have been known to steal personal information from resumes and use it to apply for credit. That is why Dixon said you should only include your first initial and last name, no full names, when writing your resume. She also said not to include your phone number or address. Dixon said you should create an email address that is temporary and just use it for your job search. Dixon said scam artist will even call people from their resume and ask for detailed information like a copy of their driver's license or social security number or even their credit card information. The scammers will claim it's for a background check but it's only to steal from the job seeker. Matt admits if he was approached for a job he might give away too much information. "I think when people first get that call and they're real excited about it, they might just jump into it and go ahead and do it," he said.

It's often the security issue that dogs Google, Microsoft and other purveyors of personal health records (PHR): How will so much personal medical data be kept safe? A tangential question for Google, however -- one that has dogged the search giant since its Google Health offering was first made available in May 2008 -- is whether Google's search-based advertising platform creates a conflict with storing personal health data. Speaking at the Mastermind Session at Everything Channel's Healthcare Summit in San Diego in November,Google Vice President of Research and Special Initiatives Alfred Spector told health care CIOs, solution providers and other attendees that Google intended Google Health as an extension of the Google brand, and it was and would continue to be entirely separate from Google's main advertising platform. Watchdog organizations have taken Google to task over that claim, however, with one, Consumer Watchdog, even accusing Google of trying to lobby Congress to allow it to sell medical records by loosening regulatory language in the stimulus bill. "The medical technology portion of the economic stimulus bill does not sufficiently protect patient privacy, and recent amendments have made this situation worse," wrote Jerry Flanagan of Consumer Watchdog in a Jan. 27 open letter to Congress. "Medical privacy must be strengthened before the measure's final passage, rather than allowing corporate interests to take advantage of the larger bill's urgency." Flanagan in the letter states that, "Google is said to be lobbying hard ... to weaken the ban currently in the draft measure on the sale of our private medical records." While Consumer Watchdog did not cite specific evidence of Google pushing for softer restrictions, Google responded to the group's claims on its Public Policy Blog last week. "The claim -- based on no evidence whatsoever -- is 100 percent false and unfounded," wrote Pablo Chavez, Google's Senior Policy Counsel. "Google does not sell health

Republican politicians on Thursday called for a sweeping new federal law that would require all Internet providers and operators of millions of Wi-Fi access points, even hotels, local coffee shops, and home users, to keep records about users for two years to aid police investigations. The legislation, which echoes a measure proposed by one of their Democratic colleagues three years ago, would impose unprecedented data retention requirements on a broad swath of Internet access providers and is certain to draw fire from businesses and privacy advocates. "While the Internet has generated many positive changes in the way we communicate and do business, its limitless nature offers anonymity that has opened the door to criminals looking to harm innocent children," U.S. Sen. John Cornyn, a Texas Republican, said at a press conference on Thursday. "Keeping our children safe requires cooperation on the local, state, federal, and family level." Joining Cornyn was Texas Rep. Lamar Smith, the senior Republican on the House Judiciary Committee, and Texas Attorney General Greg Abbott, who said such a measure would let "law enforcement stay ahead of the criminals."

Mixed receptionThe state hopes changes to Massachusetts' data privacy regulation plan will calm business community fears over the cost of the new controls, but watchers of the process say the government may have made things worse. One thing seems certain: the recent changes aren't likely to be the last word on regulating sensitive data in the Bay State. The regulations mandate all "personal information" belonging to Massachusetts residents be encrypted whenever it is stored on portable devices, transmitted wirelessly or shared on public networks. Changes enacted just in time to beat a deadline of Thursday, Feb. 12, pushed the effective date back eight months, from May 1 to Jan. 1, 2010. They also removed a requirement that businesses certify third-party vendors' compliance. The latter move was aimed to address an issue raised in a public hearing with business leaders held Jan. 15 at the State House. The change was designed to make the third-party regulations more adaptable to companies of various sizes and business models, said Massachusetts Consumer Affairs undersecretary Daniel Crane.

At first glance, Chicago's latest crime-fighting strategy seems to be plucked from a Hollywood screenplay. Someone sees a thief dipping into a Salvation Army kettle in a crowd of shoppers on State Street and dials 911 from a cellphone. Within seconds, a video image of the caller's location is beamed onto a dispatcher's computer screen. An officer arrives and by police radio is directed to the suspect, whose description and precise location are conveyed by the dispatcher watching the video, leading to a quick arrest. That chain of events actually happened in the Loop in December, said Ray Orozco, the executive director of the Chicago Office of Emergency Management and Communications. "We can now immediately take a look at the crime scene if the 911 caller is in a location within 150 feet of one of our surveillance cameras, even before the first responders arrive," Mr. Orozco said. The technology, a computer-aided dispatch system, was paid for with a $6 million grant from the Department of Homeland Security. It has been in use since a trial run in December. "One of the best tools any big city can have is visual indicators like cameras, which can help save lives," Mr. Orozco said. In addition to the city's camera network, Mr. Orozco said, the new system can also connect to cameras at private sites like tourist attractions, office buildings and university campuses. Twenty private companies have agreed to take part in the program, a spokeswoman for Mr. Orozco said, and 17 more are expected to be added soon. Citing security concerns, the city would not say how many cameras were in the system. Mayor Richard M. Daley said this week that the integrated camera network would enhance regional security as well as fight street crime. Still, opponents of Mr. Daley's use of public surveillance cameras described the new system as a potential Big Brother intrusion on privacy rights. "If a 911 caller reports that someone left a backpack on the sidewalk, wil

The row over the changes Facebook made to its terms has thrown the light on the rights people surrender when they sign up to use a website. It is likely though that until the row over Facebook's Terms and Conditions went public, few people knew what rights sites claim over the content that their members upload and share. "Less than 25% of users are making a specific point of going to the privacy settings and making changes," said Simon Davies, head of digital rights group Privacy International. Most, he said, are so keen to get using a site after registering that they do not take time to learn what will happen to any data that they are surrendering. Only later do they go back and adjust what happens to their data. "A lot of sites do have strong privacy controls," said Mr Davies. Tweaking these settings can help cut down on how much of a person's data is distributed. "It can make a difference," said Mr Davies, "particularly if the default is set in terms of maximum information flow." Blogger Amanda French looked through the pages where sites such as Facebook, MySpace, Flickr, YouTube and others spelled out their policies with regard to the data that members upload. Although the wording was different, she found that sites such as MySpace, Yahoo, Google and Twitter explicitly backed away from claiming ownership over uploaded content. A brief survey of Europe's Top 5 social sites found a similar situation. The text of the terms available on the UK sites of Facebook, Bebo, MySpace, Friends Reunited and Windows Live all back away from claiming ownership. By contrast, she wrote, the changes Facebook made to its terms were "extraordinarily grabby and arrogant".

One of the more interesting panel discussions at the IDC Cloud Computing Forum on Feb 18th in San Francisco was about managing the complexities of security, privacy and compliance in the Cloud. The simple answer according to panelists Carolyn Lawson, CIO of California Public Utilities Commission, and Michael Mucha, CISO of Stanford Hospital and Clinics is "it ain't easy!" "Both of us, in government and in health, are on the front-lines," Lawson proclaimed. "Article 1 of the California Constitution guarantees an individual's right to privacy and if I violate that I've violated a public trust. That's a level of responsibility that most computer security people don't have to face. If I violate that trust I can end up in jail or hauled before the legislature," she said. "Of course, these days with the turmoil in the legislature, she joked, "the former may be preferable to the later." Stanford's Mucha said that his security infrastructure was built on a two-tiered approach using identity management and enterprise access control. Mucha said that the movement to computerize heath records nationwide was moving along in fits and starts, as shown by proposed systems likeMicrosoft (NSDQ: MSFT)'s Health Vault and Google (NSDQ: GOOG)'s Personal Health Record. "The key problem is who is going to pay for the computerized of health records. It's not as much of a problem at Stanford as it is at a lot of smaller hospitals, but it's still a huge problem." Mucha said that from his perspective security service providers in the cloud and elsewhere are dealing with a shrinking security parameter or fence, which is progressing from filing cabinets, to devices, to files, and finally to the individual, who under the latest Health Insurance Portability and Accountability Act (HIPAA) privacy rules has certain rights, including rights to access and amend their health information and to obtain a record of when and why their Protected Health Information (PHI) record has bee

Incident demonstrates that even agencies that put in security controls are still vulnerable The Federal Aviation Administration was doing such a good job at protecting data in its computer systems that the Office of Management and Budget chose it in January to be one of four agencies to guide other federal agencies in their cybersecurity efforts. Just a month later, FAA officials had to admit that hackers breached one of the agency's servers, stealing 48 files. Two of the files contained information on 45,000 current and former FAA employees, including sensitive information that could potentially make them vulnerable to identity theft. The security breach, although significant and potentially far reaching, is not necessarily a reflection on FAA's security measures. Rather, it demonstrates the problems of securing federal computer systems and difficulty in evading every potential attack. "Every agency is living through the same problems," but most are being less forthcoming about reporting them, said Alan Paller, director of the SANS institute. "FAA should get kudos for rapid action. Slamming them shows a complete lack of understanding about the state of security in federal agencies."

Six out of every 10 employees stole company data when they left their job last year, said a study of US workers. The survey, conducted by the Ponemon Institute, said that so-called malicious insiders use the information to get a new job, start their own business or for revenge. "They are making these judgements based out of fear and anxiety," the Institute's Mike Spinney told BBC News. "People are worried about their jobs and want to hedge their bets," he said. "Our study showed that 59% of people will say 'I'm going to take something of value with me when I go'." The Ponemon Institute, a privacy and management research firm, surveyed 945 adults in the United States who were laid-off, fired or changed jobs in the last 12 months. Everyone that took part had access to proprietary information such as customer data, contact lists, employee records, financial reports, confidential business documents, software tools or other intellectual property.

From 2003 to 2007, there were 10 bank failures in the U.S. In 2008 that number more than doubled, reaching 25. 2008's lowlight was the collapse of Washington Mutual on September 25--the biggest bank failure in American history. Thus far, 13 banks have failed in 2009.

Mary Kay Hoal tried everything she could to keep her daughter off of MySpace. She put password locks on the computer and blocked the site. Still, her daughter found ways to log on. Hoal's concerns stemmed from statistics that showed 29,000 registered sex offenders were on MySpace, one out of every five kids are sexually solicited online, and nine out of ten children are exposed to pornography online. When she looked for alternative safe sites for kids, she found none, so she decided to do something about it. Story continues below ↓advertisement | your ad here Click Here! The result is www.yoursphere.com, the only social networking site for kids and teens that's backed by the Federal Trade Commission through the site's Privacy Vaults approval. The site's Chief Technology officer worked at the California Department of Justice tracking anonymous online sex offenders, as well as the Megan's Law database. Moreover, it requires verified parental consent for a minor to join. Other features include: -- Requires verifiable parental consent to join -- Confirms the identity of the parent providing consent -- Confirms that the parent or guardian providing consent is not a registered sex offender -- Is exclusively for kids and teens through age 18. -- Exceeds COPPA (Children's Online Privacy Protection Act) and Federal Trade Commission (FTC) guidelines for protecting kids online through our approval by Privacy Vaults Inc. -- Whose policy is "no creepers allowed" -- lurkers are removed and banned. -- No fake profiles. (No one is anonymous on Yoursphere.com) "The bottom line is that we're the only place in the online world that that has taken extraordinary measures to help ensure the safety of its members and meets or exceeds standards set by the government," Hoal said. "Our opinion is that if it's a behavior that is illegal, immoral or unacceptable offline, then it's unacceptable online." About Mary Kay Hoal After researching the disturbing la

With so many workers being axed, the threat to sensitive customer, corporate, military information should be examined. Once workers leave with sensitive information, good luck controlling exposure. Cross International borders and the issue potentially expands into an national "incident" with dire consequences for corporate reputation. Protectionism vs Patriotism. Issues raised in the Great Depression revisited with more impact due to expansion of the economy to global status.

Microsoft Corp.'s plan to eliminate U.S. workers after lobbying for more foreigner visas is stirring resentment among lawmakers and employees. As many as 5,000 employees are being shown the door at Microsoft, which uses more H1-B guest-worker visas than any other U.S. company. Some employees and politicians say Microsoft should get rid of foreigners first. "If they lay people off, are they going to think of America first or are they going to think of the world first?" Chuck Grassley, a Republican Senator from Iowa, said in an interview. He sent a letter to Microsoft Chief Executive Officer Steve Ballmer the day after Microsoft announced the job cuts last month, demanding Ballmer fire visa holders first. Across the technology industry, some of the biggest users of H1-B visas are cutting jobs, including Intel Corp., International Business Machines Corp. and Hewlett-Packard Co. The firings at Microsoft, the world's largest software maker, came less than a year after Chairman Bill Gates lobbied Congress for an expansion of the visa program. Even before Microsoft announced the cuts, its first-ever companywide layoffs, comments on a blog run by an anonymous Microsoft worker angrily debated getting rid of guest workers first. The author of the Mini-Microsoft blog eventually had to censor and then completely block all arguments about visas, after the conversation "got downright nasty."

Following on the heels of Facebook's decision to rescind a highly controversial move to store all content posted on the social network, new data has emerged to support consumers' increasing alarm over online privacy. The vast majority--80.1%--of Web surfers are indeed concerned about the privacy of their personal information such as age, gender, income and Web-surfing habits, according to a survey of some 4,000 Web users administered and analyzed by Burst Media. More worrisome, perhaps, is the finding that privacy concerns are prevalent among all age segments, including younger demographics that are coming of age online. Still, privacy concerns do appear to increase with age, from 67.3% among respondents ages 18-24 to 85.7% of respondents 55 years and older. "Online privacy is a prevailing concern for web surfers," said Chuck Moran, vice president of marketing for Burst Media. The survey was administered by Burst with the purpose of better understanding how privacy is impacting Web users' experiences online, as well as its impact on advertisers. "Advertisers must take concrete actions to mitigate consumers' privacy concerns and at the same time continue to deliver their message as effectively as possible," Moran added. "In addition, and as recently seen in the news flare up regarding Facebook's privacy controversy, publishers need to be completely transparent about their privacy policies." Facebook recently changed its terms of use agreement, which gave the Palo Alto, Calif.-based company the ability to store user-posted photos and other content, even after it was deleted by users themselves. Earlier this week, however, the company reverted to a previous version of its legal user guidelines after thousands of members protested that Facebook was claiming ownership over the content. In addition, the Burst survey found that most Web users believe Web sites are tracking their behavior online. Three out of five--62.5%--respondents indicated it is likely that a W

The first sign that something was wrong seemed harmless: A new Dell credit card arrived in my mail one afternoon. More landed in the mailbox the next day. Macy's. Bloomingdale's. Crate and Barrel. Radio Shack. Then later: Visa Sony, Toys R Us and Lowe's cards turned up. I didn't request any of these cards. My first call to Dell revealed what I suspected. Someone had applied for a credit card using my name. I felt violated and vulnerable. Then, it hit me: I've become a statistic, a victim of identity theft. A thief had taken my name, my credit and my identity and managed to spend more than $8,000 (money that, I'm grateful, I didn't have to pay). I still don't know who the culprit was or how it happened. All I know is that if this happened to me - a Sun Sentinel consumer affairs and watchdog reporter - it can happen to anybody. Thieves move quickly Identity theft is the fastest growing crime in the United States, according to the Federal Trade Commission, which enforces identity theft laws. Experts estimate 10 million Americans become victims of identity fraud each year. Last year, businesses lost $56.6 billion to ID theft, the commission said. I've spent hours on the phone talking to fraud investigators, credit bureaus and bank staff as I've tried to sort out the mess that is now mine to clean up. I was exhausted every time a call ended. Individual investigations, conducted by fraud departments for each of the credit card companies that issued accounts in my name, took months to complete before concluding I was a victim of ID fraud. But there is a bright side to this story. I thought I knew how to protect myself. But what I've learned through this experience has taught me that you can never be too careful. I also learned some hard lessons along the way about how best to safeguard my personal information in the future - and respond, if my identity is targeted again.

Two Philadelphia law firms have filed class action suits on behalf of all cardholders in the U.S. who had their credit or debit card data stolen in the Heartland Payment System (HPY) data breach. This brings to three the total number of class action lawsuits filed against the Princeton, NJ-based payments processor. The law firm of Berger & Montague filed a class action suit in the U.S. District Court for the District of New Jersey, alleging Heartland's failure to safeguard cardholder data when the company's computer systems were hacked and cardholder data was stolen. Heartland says last year it processed 100 million card transactions per month, but an unknown number of cards were impacted by the breach. The law firm says fraudulent activity has occurred on some of those cards. The law firm alleges that Heartland's security measures and intrusion detection systems were inadequate. "Because of Heartland's inadequate data security, cardholders have had their card information compromised, have been exposed to the risk of fraud, have spent and will spend time to monitor their accounts and dispute fraudulent charges, and have suffered other economic damages," the law firm says in its statement regarding the suit. Berger & Montague were also co-lead counsel in the consumer class action suit brought against TJX Companies, which resulted in a $200 million settlement. The third class action lawsuit filed in February against Heartland comes from Sheller P.C. of Philadelphia, PA. Sheller's suit against Heartland has similar charges against the payment processor. Sheller P.C. also filed its class action lawsuit in the U.S. District Court for the District of New Jersey. Sheller P.C. has also filed a consumer class action suit against RBS WorldPay for its security breach that was made public on Dec. 23, 2008. Previously, Chimicles & Tilellis LLP of Haverford, PA filed suit in the U.S. District Court for the District of New Jersey on behalf of Woodbury, MN resident Alicia Co

Times are tough, and we all continue to hear about the heightened risk of the insider threat. Granted, unauthorized insider access to data has always been a concern. But the concern is increased now because of the tremendous changes that we are seeing in the economy. The term "disgruntled employee" now has a whole new meaning because there are more and more folks concerned about 'What if my job disappears? What kind of information can I keep? What kind of information can I have access to?' As one who's dealt with the insider threat, I have some questions of my own: What do you really mean by an insider? In our borderless world, the terms "insider" and "outsider" overlap. "Insiders" are not just employees and staff, but also service providers, business partners, consultants, contractors -- any number of parties who may work for companies we deal with. What do we really mean by an authorized versus an unauthorized insider? If you take a look at the Societe Generale situation, allegedly a fraud was committed by an authorized user with privileges he was not supposed to have. How? Well, the horribly overused cliché is that if you work with a company long enough, eventually you will have access to everything, and no one will know it. Bottom line: As people change jobs within a company, we are not good at updating their roles and responsibilities. If you look at all the efforts that have been spent on identity and access management products, the biggest challenge is trying to understand: What are the roles and responsibilities you are trying to apply to people? How do you develop these roles and responsibilities and how do group them? How do you really deal with people who have to change roles and responsibilities? How do you add and delete roles and responsibilities as people change jobs?

An Italian judge on Wednesday gave the go-ahead to a case in which Google (GOOG) could be held responsible for content it hosts but does not produce. The case centers on a 2006 video of four Italian youths taunting a child with Down syndrome. In the video, one of the youths incorrectly claims to be part of a small Down syndrome advocacy group called Vivi Down. The video was uploaded to the Google Video site, where it stayed for two months. Prosecutors have filed charges against five Google executives, saying they were in violation of Italian privacy laws and of contributing to the defamation of Vivi Down. At the heart of the case are two main questions: Should sites such as Google Video be held responsible for the content they host? And should such non-brick-and-mortar New Economy companies be subject to the laws in countries where they are not based? "The outcome of this will be to determine how big companies like Google should be expected to act," said Raffaele Zallone, a former chief counsel for IBM's Italian offices and the attorney representing a woman seeking damages in a secondary case tacked onto the main charges. FIND MORE STORIES IN: Italy | Google Inc | International Bus. Machines | Milan | New Economy Zallone, along with Milan prosecutors, the city's ombudsman and an attorney for Vivi Down, the advocacy group, say Google should have become aware of the offending video sooner and removed it sooner. Guglielmo Pisapia, Google's lead attorney in the case, denies any wrongdoing and says Google could not have acted differently. "Google did not produce the video, and when they received an official complaint, they removed it within five hours," said Pisapia, a former member of the Italian parliament. "If the argument is that they should have evaluated the video before it was posted, then that is a dangerous precedent." Oliviero Rossi, an author and commentator on technology issues, says unusual cases that push the limits of the law as this one does are

Facebook has been in the news a lot lately, and that's not good news for Chris Kelly, who is the chief privacy officer for Facebook, and - as we've reported - is quietly exploring a possible run for the Democratic nomination for state attorney general. Kelly was at the center of a firestorm this week regarding changes in Palo Alto-based Facebook's terms of service, which critics argued gave the social-networking site control over members' uploaded material, including photos, seemingly forever. On Wednesday, Kelly told CNN that the company will listen to complaints. The company's official blog now outlines how it has pulled back but Facebook has faced other problems that could hamper Kelly's efforts to run for a California political post. Last year, as Cnet reported, the firm reached an agreement with New York Attorney General Andrew Cuomo after an investigation of complaints that Facebook hadn't addressed consumers' complaints of "harassment and inappropriate conduct" regarding underage members. Facebook officials have said they are cooperating with law enforcement to protect their users from predators. But with the Democratic AG race already looking crowded - with San Francisco District Attorney Kamala Harris and Los Angeles City Attorney Rocky Delgadillo in the mix, among others - Democratic consultants are watching with great interest. Poke this, friends: Could this be the juicy stuff of television ads in a Democratic law-and-order race in California?

Woonsocket-based CVS Caremark Corp., the largest U.S. drugstore chain, has agreed to pay $2.25 million to settle federal charges that company employees compromised customer privacy by throwing prescription records and drug bottles into open trash bins. The Federal Trade Commission said its investigation with the Health and Human Services Department followed media reports that trash bins behind CVS pharmacies contained pill bottles bearing patient names, credit-card and insurance information, and Social Security numbers. The company also did not have adequate policies for disposing of that information, and did not sufficiently train employees to dispose of the information properly, the agencies said. The items that were not properly discarded included pill bottles, medication instruction sheets, computer order forms, payroll information, job applications and credit-card and insurance information. Those labels and forms contained personal information including Social Security numbers and credit card and insurance information, and in some cases, driver's license numbers and account numbers. Names of the patients' doctors were also included. The settlement "will restore appropriate privacy protections to tens of millions of people across the country," FTC chairman William Kovacic said in a statement. "It also sends a strong message" that organizations "are required to secure consumers' private information," he said.