CIPP Information Privacy & Security News

Now that behavioral targeting has become more pervasive (and more effective), it is being talked about not only by publishers and advertisers, but also by privacy advocates -- organizations like the NAI and IAB and, in Washington, the FTC. At issue is if BT players are doing enough to disclosure to consumers how BT works and offering them the opportunity to opt out of being tracked by BT vendors and publishers. There has been much discussion about how to regulate behavioral marketers; but no solution that satisfies everyone. The BT industry so far has contended that website privacy policies are sufficient disclosure since many of them contain links to opts out opportunities like the NAI site. Google and Bluekai have announced 'preference pages' or registries that allow Web users to say what type of BT they are interested in receiving. But, the other, more common option is to put that information in the Privacy Policy of the site. But the problem with that is that no matter where disclosures are placed on the service provider's site, most people won't ever see them. How will a customer visiting Retail SiteX know that Company Y is going to use their browsing behavior to later display relevant ads to them as they surf the Web on Network Z? The average customer won't. The only way a customer will know what forms of BT advertisers are using is if the advertisers themselves tell them. I think that it's time for advertisers to step up in this privacy debate. Thus far the pressure for disclosure has been placed on networks, behavioral marketing providers and publishers. The key players in those industries have done a good job of becoming more transparent (though there is still work ahead of us), while advertisers haven't been asked to do anything. Advertisers are clearly benefiting from behavioral marketing, and its time they disclosed what type of behavioral marketing they participate in, and allow customers to opt-out. How they do this is open for discussion: Tag each

Some consumers say they like the way Internet retailers will suggest new purchases to them based on what they've bought previously. Others feel creeped out when a banner ad seems to know a bit too much about their Web surfing habits. It's called behavioral advertising, and it's central to the business success of all manner of Internet commerce, from bookstores to newspapers. The practice needs regulation, says Rep. Rick Boucher , the Virginia Democrat who chairs the House Energy and Commerce Subcommittee on Communications, Technology and the Internet. Boucher says legislation to protect consumer privacy online will spur people to surf more. But Internet advertising companies are not happy about regulation, especially because Boucher's plan would require, in some cases, that consumers agree in advance before their surfing habits could be tracked. Such an approach "would really be a sea change in the U.S. regulatory framework," says Mike Zaneis, vice president for public policy at the Interactive Advertising Bureau. Virtually all consumer protection laws, he says, permit people to opt out of solicitation, for instance, with a "do not call" registry. For the Internet, Congress has done almost nothing. "To suddenly move toward a draconian opt-in standard," he says, "would really be damaging not just to businesses but consumers." Zaneis, whose group includes such news heavyweights as the New York Times Co. and Conde Nast Publications, says now is not the time to upend Internet companies' business models, right when the economy is in the tank and print advertising is drying up. He argues further that new Web browsers make the issue moot by giving consumers the ability to easily block the electronic "cookies" that track their online movements. The issue promises to be a lobbying extravaganza. Last year, when the Federal Trade Commission (FTC) was developing self-regulatory guidelines for Web companies engaging in behavioral advertising, it

WASHINGTON -- For more than a year, the nation's largest cable companies have been staking their hopes to thrive in a data-driven, interactive advertising market on Canoe Ventures. Born Project Canoe, the venture aims to cull the vast troves of data that cable companies have about their customers, from subscriber demographics to the clicks of a remote control, to bring Web-like ad targeting to the television platform. Here at the Cable Show, the annual conference hosted by the National Cable and Telecommunications Association, Canoe CEO David Verklin proclaimed that his firm is ready for prime time, with its first product set to roll out in the next six weeks. "We're going to turn television into a platform," Verklin said in a panel discussion with several cable executives. Canoe's forthcoming product, called community addressable messaging, will enable an advertiser running a national TV campaign to customize it with local insertions to reach targeted demographics defined by data supplied from the cable providers. Verklin hailed it as the first application of local insertion technology to a national campaign.

Three out of four Americans believe that individuals are responsible for protecting their own privacy online. That's the bottom line of a new survey conducted by TRUSTe, a company that certifies the compliance of websites with privacy standards and statements. Nonetheless, The New York Times reports that the Federal Trade Commission is trying to put more responsibility on website operators: Last month, the F.T.C. revised its suggestions for behavioral advertising rules for the industry, proposing, among other measures, that sites disclose when they are participating in behavioral advertising and obtain consumers' permission to do so. One F.T.C. commissioner, Jon Leibowitz, warned that if the industry did not respond, intervention would be next. "Put simply, this could be the last clear chance to show that self-regulation can -- and will -- effectively protect consumers' privacy," [FTC commissioner Jon] Leibowitz said, or else "it will certainly invite legislation by Congress and a more regulatory approach by our commission." Behavioral advertising, which records individual users' Web usage by inserting cookies into their browsers and keeping a log of where they go and what they do, is the most high-profile privacy issue today. Google-owned DoubleClick is tracks Web users across many sites, combining them into one profile at DoubleClick's end to be used for ad targeting. Some survey respondents use cookie-deleting browsers and anonymizing software to thwart tracking systems. Privacy advocates, TRUSTe, and the FTC all strongly encourage companies to post meticulous privacy statements for online visitors, and to follow them to the letter. Still, only 15 percent of TRUSTe's survey respondents said they actually read privacy statements.

The Federal Trade Commission (FTC) is planning to regulate online viral marketing that uses blogs and social networking sites. Marketers are spending billions worldwide to get the endorsements of key bloggers and groups on social networking sites. One tactic, used by Microsoft and others, is to send products to bloggers on 'long-term loans' on the understanding that they will comment about them on their sites. AdvertisementUnder the new regulations being proposed, such bloggers would be legally liable if they make untrue statements about the products or services. The companies too would face sanctions. "This impacts every industry and almost every single brand in our economy, and that trickles down into social media," Anthony DiResta, an attorney representing several advertising associations, told The Financial Times. This is the first revision of the rules on this kind of advertising by the FTC since 1980 and is needed, according to the organisation, because new forms of communication have opened up new fields to marketing. "The guides needed to be updated to address not only the changes in technology, but the consequences of new marketing practices," said Richard Cleland, assistant director for the FTC's division of advertising practices. " Word-of-mouth marketing is not exempt from the laws of truthful advertising." Advertisers are resisting the changes, however, which threaten a highly effective form of marketing new products and services. "Regulating these developing media too soon may have a chilling effect on blogs and other forms of viral marketing, as bloggers and other viral marketers will be discouraged from publishing content for fear of being held liable for any potentially misleading claim," Richard O'Brien, vice president of the American Association of Advertising Agencies, said in an advisory to the FTC.

The Federal Trade Commission (FTC) is getting tough on online viral marketing using blogs and other social networking sites. The proposed rules would make bloggers legally liable if they make untrue statements about products or services. Companies would face sanctions, too, if they use blogs and social networking sites to make untrue claims. "This impacts every industry and almost every single brand in our economy, and that trickles down into social media," Anthony DiResta, an attorney representing several advertising associations, told vnunet.com. The rules have been a long time coming. It's the first revision of the FTC's advertising rules since 1980. New kinds of marketing have sprouted in the last 30 years, but this is the first time the FTC is paying attention to these kinds of advertising practices. Not everyone agrees that this is a good idea. Richard O'Brien, vice-president of the American Association of Advertising Agencies, told the website, "Regulating these developing media too soon may have a chilling effect on blogs and other forms of viral marketing, as bloggers and other viral marketers will be discouraged from publishing content for fear of being held liable for any potentially misleading claim."

With the Federal Trade Commission (FTC) promising to begin enforcing the "Red Flags Rules" on May 1, the FTC launched on Thursday a website aimed at helping entities adhere to the requirements. The rules, designed to reduce identity theft, requires that creditors and financial institutions create and implement an identity theft prevention program. The website describes the entities covered by the rule and provides information, articles and guidance to help entitles develop ID theft prevention programs, the FTC said in a news release. One of the resources on the site is a how-to guide that provides tips for identifying and stopping ID theft. The rules became effective Nov. 1 but will not be enforced by the FTC until May 1. Last October, the FTC extended the original Nov. 1 enforcement deadline because many companies were not prepared to meet the original requirements, the FTC said. Eduard Goodman, general counsel and chief privacy officer for vendor Identity Theft 911, told SCMagazineUS.com Friday that the FTC has been tight-lipped about how the rule is going to be enforced -- likely because they don't want companies looking for ways to get around it. Goodman said that based on his conversations with those in the industry, the FTC will likely enforce the rule on a case-by-case basis. The FTC maintains a database that tracks all identity theft cases reported to the agency. If they hear of instances of identity theft associated with a company, the FTC may ask for a copy of the company's identity theft prevention program, if any, Goodman said. If the entity has a program in place, the FTC will make a determination of whether it's adequate. The May 1 enforcement deadline extension applies to entities under the FTC's jurisdiction, which includes state-chartered credit unions. The extension did apply to the the majority of the estimated 11 million businesses that must comply with the requirements, Goodman has said

Hundreds of medical records kept by a longtime Acton family doctor who abruptly closed his practice last year are about to be destroyed, leaving patients without crucial information and exposing a gap in state law about who owns abandoned medical records. On April 8, a Lynn storage company is scheduled to discard the records and auction the equipment left by Dr. Ronald T. Moody, who was evicted from his office last September as state regulators pursued him, saying he was practicing without a license. Many of Moody's former patients have no idea that their records are slated for destruction: None has been notified, nor does the law require such notice. "We throw people's lives away on a daily basis, and, believe me, we go out of our way to try and find someone" to salvage belongings, said Jim Appleyard, owner of the storage company that was hired by Moody's former landlord to clean out the office and store the items for six months, as required by law. But the idea of dumping hundreds of patients' files without them knowing about it bothered Appleyard. Unable to find Moody, he contacted the state Board of Registration in Medicine and pleaded to take the dozens of boxes of records. The board regulates doctors and administers rules governing medical records of physicians in private and group practices.

Reform legislation is expected to be introduced this spring to update the Federal Information Security and Management Act, known as FISMA. A major complaint about FISMA is that complying with its rules does not necessarily guarantee departmental and agency information systems are secure. In this exclusive interview, Sen. Tom Carper, chairman of the Senate Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security, discusses: Key provisions in the bill to improve ways to measure and determine the security of federal government information systems; Efforts to create a government-wide Chief Information Security Officer Council; His views on the most pressing cybersecurity challenges facing the nation: identity theft and the viability of financial institutions and threats by foreign nations to federal information systems.

Premier Election Solutions (formerly Diebold Election Systems) admitted in a state hearing Tuesday that the audit logs produced by its tabulation software miss significant events, including the act of someone deleting votes on election day. The company acknowledged that the problem exists with every version of its tabulation software. The revelation confirmed that a problem uncovered by Threat Level in January, and reiterated in a report released two weeks ago by the California secretary of state's office, has widespread implications for election jurisdictions around the country that use any version of the company's Global Election Management System (GEMS) software to tabulate votes. "Today's hearing confirmed one of my worst fears," said Kim Alexander, founder and president of the non-profit California Voter Foundation. "The audit logs have been the top selling point for vendors hawking paperless voting systems. They and the jurisdictions that have used paperless voting machines have repeatedly pointed to the audit logs as the primary security mechanism and 'fail-safe' for any glitch that might occur on machines. To discover that the fail-safe itself is unreliable eliminates one of the key selling points for electronic voting security."

A federal judge said he will decide in the next few days whether supermarket giant Hannaford Bros. is potentially liable for damages because of a data breach that exposed more than 4 million credit and debit card numbers to computer hackers. Judge D. Brock Hornby heard arguments on Wednesday at U.S. District Court. Attorneys for Hannaford asked the judge to dismiss the lawsuit, which was filed against the Scarborough-based company last year. Attorneys for the plaintiffs said Hornby should certify the case as a class-action suit and let it proceed toward trial. The upcoming ruling will determine whether parts or all of the suit will go forward. The case boils down to a couple of central questions: To what extent are merchants responsible for securing the electronic data that gets processed with every noncash purchase, and what should the consequences be when that data is stolen? "These are fascinating and difficult issues," Hornby said after hearing the arguments Wednesday. "I'll get a written decision out to you as soon as I can." Between Dec. 7, 2007, and March 10, 2008, hackers stole credit and debit card numbers, expiration dates and PIN numbers from people shopping at Hannaford supermarkets. The grocery chain operates more than 200 stores under various names in New England, New York and Florida. More than 4 million card numbers were exposed, and by the time Hannaford publicly announced the breach, on March 17, 2008, about 1,800 fraudulent charges had been made.

US senators have drafted legislation that would give the federal government unprecedented authority over the nation's critical infrastructure, including the power to shut down or limit traffic on private networks during emergencies. The bill would also establish a broad set of cybersecurity standards that would be imposed on the government and the private sector, including companies that provide software, IT work or other services to networks that are deemed to be critical infrastructure. It would also mandate licenses for all individuals administering to strategically important networks. The bill, which is being co-sponsored by Senate Commerce Committee chairman John Rockefeller IV and Senator Olympia Snowe, was expected to be referred to a senate committee on Wednesday. Shortly after a working draft of the legislation began circulating, some industry groups lined up to criticize it for giving the government too much control over the internet and the private companies that make it possible. "This gives the president too much power and there's too little oversight, if there's any at all," said Gregory Nojeim, senior counsel at the Center for Democracy and Technology. "It gives him the power to act in the interest of national security, a vague term that has been broadly defined." Nojeim was pointing to language in the bill that permits the president to "order the limitation or shutdown of internet traffic to and from any compromised federal government or United States critical infrastructure information system or network" after first declaring a national cybersecurity emergency. A separate provision allows the executive in chief to "order the disconnection of any federal government or United States critical infrastructure information systems or networks in the interest of national security." "It applies to any critical infrastructure," Nojeim added. "Surely, the internet is one." The bill would also require NIST, or the National Institute of Standards and Techn

Physician groups press FTC for exemption from Red Flag Rules With a May 1 deadline for compliance looming, the American Medical Association (AMA) has asked the Federal Trade Commission (FTC) to suspend the application of the Red Flag Rules to physicians and publish a new rule so that physicians have an opportunity to provide comments. In a March 9 letter to the FTC, AMA Executive Vice President Michael D. Maves wrote that the AMA "strongly believes that the FTC did not provide physicians with an opportunity to review and comment on this Rule." Controversy. Under the Red Flag Rules, which were finalized in October 2007 under the Fair and Accurate Credit Transactions Act (FACTA), financial institutions and creditors must develop and implement written identity theft prevention programs. FACTA provides a broad definition of "creditor" as "any entity that regularly extends, renews or continues credit." The FTC has interpreted this definition to include health care providers and physicians. The AMA and several other medical trade associations have taken the position that physicians were not intended to be subject to the Red Flag Rules, but the FTC has held firm in its interpretation, in spite of the objections. In a Feb. 4 letter to the AMA, the FTC reiterated its position that "the plain language and purpose of the Rule dictate that health care professionals are covered by the Rule when they regularly defer payment for goods or services." The FTC also has taken the position that application of the Red Flag Rules to physicians will reduce the incidence of medical identity theft and will not impose a heavy burden on health care professionals. Rulemaking process. In addition to its claim that health care providers should not be classified as creditors, the AMA also has argued that the physician community was not informed that it would be subject to the Red Flag Rules.

Though Facebook has sometimes been criticized for sacrificing the privacy of its users in order to monetize the service, Chris Kelly, Facebook's chief privacy officer, has presided over the social network's efforts to build out the most sophisticated privacy options in the industry. On a granular level, Facebook users can now control what bits of information they share with each individual friend, group or network. Facebook users have taken notice. According to an annual study by the Ponemon Institute, a privacy research firm, Facebook ranks within the top 20 (15th) most trusted companies for privacy as rated by U.S. consumers. Kelly's job sometimes appears tricky, however. He must ensure that users feel they have control over their information, while weighing that need against Facebook's business model, which relies heavily on a culture of openness and sharing. Here is the full interview CIO conducted with Kelly during our reporting for a special feature on social networks and privacy. Kelly talked about what constitutes Facebook's overall view towards privacy, and how that affects its ability to serve up ads.

SAN JUAN, Puerto Rico-An identity-theft ring that catered to illegal immigrants seeking to establish themselves in the U.S. stole the personal data of 7,000 public school children in Puerto Rico, officials said Tuesday. Members of the ring broke into about 50 schools across the U.S. island territory over the past two years to steal birth certificates and Social Security numbers to sell to the illegal immigrants, the FBI and other agencies announced at a news conference. The victims were largely unaware their information had been stolen-and likely would not have learned of the thefts until they became adults and tried to buy something on credit, said assistant U.S. Attorney Julia Diaz Rex. "A kid is going to have a perfect credit history," Diaz said. "They reach 18, 20 years of age. They go buy a car and their credit is damaged." The authorities did not disclose how they uncovered the ring but said seven people have been arrested and one more is being sought. At least some of them were illegal immigrants from the Dominican Republic. Investigators determined the birth certificates and Social Security numbers were sold as a package in a number of states including Texas, Alaska and California, for up to $250, authorities said. Two suspects are accused of possessing nearly 6,000 birth certificates and Social Security cards. One was accused of intending to sell 40 Social Security cards for nearly $3,000, while another was seeking the same amount for 12 cards. The suspects in custody were being held on charges that include aggravated identity theft and social security fraud and face up to 15 years in prison, said U.S. Attorney Rosa Emilia Rodriguez. One suspect had been previously arrested for the kidnapping of a Dominican man last year that led to the shooting of a police officer during an FBI raid, said Luis Fraticelli, special FBI agent in charge of Puerto Rico. It is unclear if other members of the ring are at large, and whether they received help from sch

1:53:26 - Jun 29, 2007 Recorded at the 8th www.ToorCon.org Information Security Conference, Sept 30th and Aug 1st, 2006 in San Diego, California. Content produced by www.MediaArchives.com --- PRIVACY IS DEAD - GET OVER IT, with Steven Rambam. This talk will include numerous examples of actual data and investigative online resources and databases, and will include an in-depth demonstration of an actual online investigation done on a volunteer subject. (The subject is Rick Dakan, a noted author, who will be present.) (From CNN: "...Rambam was scheduled to discuss how he dug up -- in just over four hours of searching private and public databases -- more than 500 pages worth of data on Rick Dakan, who was attending the conference and had agreed to participate in the project. "All I had given him was my e-mail and name," Dakan said. "He knew everywhere I'd lived, every car I had driven, and even someone else in Alabama who was using my Social Security number since 1983.Emphasis will be placed on discussing the "digital footprints" that we all leave in our daily lives, and how it is now possible for an investigator (or government Agent) to determine a person's likes and dislikes, religion, political beliefs, sexual orientation, habits, hobbies, friends, family, finances, health and even the person's actual physical whereabouts at any given moment, solely by the use of online data and related activity

(March 31, 2009) First Data Corp. announced on Tuesday it will use technology from Inside Contactless, a French chipmaker, for its Go-Tag product, a sticker that can be affixed to mobile phones to make them work like contactless-payment devices. Under the three-year agreement, Inside Contactless will supply so-called prelams, or chip-and-antenna elements, that card manufacturers can use to manufacture the stickers for First Data. Up to now, Go-Tags have been proprietary devices for use in so-called closed-loop networks involving individual merchants, but with Inside Contactless's technology the product will likely be usable by mid-year on the payWave and PayPass contactless platforms operated by Visa Inc. and MasterCard Inc., pending certification on those systems, according to industry sources. A First Data spokesperson will not comment beyond Tuesday's announcement concerning the company's arrangement with Inside Contactless to provide prelams for Go-Tags. In addition, CPI Card Group, a card manufacturer based in Littleton, Colo., last fall said it expected to ship millions of contactless stickers based on prelams from Inside Contactless (Digital Transactions News, Oct. 15, 2008). CPI's customers are financial institutions interested in using the stickers to permit contactless transactions on payWave and PayPass. CPI is a manufacturer of Go-Tags, but will not comment on any plans for that product. First Data's deal with Inside Contactless follows by one day an announcement by Blaze Mobile Inc., an Alameda, Calif.-based provider of applications for mobile devices, that it is introducing a similar sticker that will work on the PayPass platform. The product works with the Blaze Mobile Wallet, a service the 4-year-old company launched a year ago when it was known as Mobile Candy Dish Inc. (Digital Transactions News, April 10, 2008). The stickers link to prepaid accounts managed by MetaBank, a Storm Lake, Iowa-based unit of Meta Financial Group Inc. Devel

Government Information Security Podcasts Credit Eligible As a GovInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking. Click For More Info Lessons Learned from TJX: Eric Fiterman, Cyber Crime Expert August 13, 2008 Interview with Cyber Crime Expert Eric Fiterman In the wake of the arrests of 11 hackers tied to the TJX data breach, security experts everywhere are warning of bigger, bolder threats to come. So, what should banking institutions have learned from TJX-style breaches, and what can they do now to protect their customers and critical financial/informational assets? In this interview, former FBI agent Eric Fiterman, founder of Methodvue, offers: Insights on the TJX and other breach investigations; How banking institutions can better protect their assets; The types of crimes institutions need to look out for in the months ahead.

Government Information Security Podcasts Credit Eligible As a GovInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking. Click For More Info Heartland Breach -- What it Means to Banking Institutions: James Van Dyke, Javelin Strategy & Research January 29, 2009 The Heartland Payment Systems data breach - it's the first major security incident of 2009. But how big is it really? What are the key takeaways for banking institutions left explaining this breach to their customers? In an exclusive interview, James Van Dyke, Founder and President of Javelin Strategy & Research, discusses the implications of the Heartland case, offering insight on: Conclusions we can draw from the Heartland breach; How banking institutions should communicate with their customers; Vulnerabilities we should watch to avoid the next big breach. Van Dyke is founder and president of Javelin Strategy & Research. Javelin is the leading provider of independent, quantitative and qualitative research for payments, multi-channel financial services, security and fraud initiatives. Javelin's clients include the largest financial institutions, card issuers and technology vendors in the industry.

Government Information Security Podcasts As a GovInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking. Click For More Info Probing Federal IT Security Programs: Gregory Wilshusen, GAO February 23, 2009 Government Accountability Office auditors will have a busy spring, examining a number of federal government programs aimed at securing government information systems and data. In an interview with GovInfoSecurity.com, Gregory Wilshusen discusses how the GAO is looking at how private industry and two dozen federal agencies employ metrics to measure the effectiveness of information security control activities. Other current GAO information security investigations he discusses include: Federal Desktop Core Configuration intended to standardize security features on personal computers purchased by the government. Trusted Internet Connection initiative aimed at slashing government Internet connections to fewer than 100 from more than 2,000. Einstein automated networking monitoring program run by U.S Computer Emergency Readiness Team. Gregory Wilshusen is director of information security issues at GAO, where he leads information security-related studies and audits of the federal government. He has more than 26 years of auditing, financial management and information systems experience. Before joining GAO in 1997, Wilshusen served as a senior systems analyst at the Department of Education as well as the controller for the North Carolina Department of Environment, Health and Natural Resources.