CIPP Information Privacy & Security News

Data Privacy Trends: Randy Sabett, Information Security Attorney March 26, 2009 Activity at the State Level Points Toward a Federal Data Breach Notification Law Data privacy legislation -- the trend started in California and is being discussed heatedly in Massachusetts today. Data breach notification and privacy laws have now been enacted in 40 separate states, and government observers think we're close to seeing federal legislation proposed. In an exclusive interview, Randy Sabett, a noted privacy/information security attorney, discusses: Trends in state data privacy legislation; What these laws mean to businesses; The Obama Administration's approach to data privacy; Trends to keep an eye on throughout 2009. Randy V. Sabett, CISSP, is a partner in the Washington, D.C. office of Sonnenschein Nath & Rosenthal LLP, where he is a member of the Internet, Communications & Data Protection Practice. He counsels clients on information security, privacy, IT licensing, and patents, dealing with such issues as Public Key Infrastructure (PKI), digital and electronic signatures, federated identity, HIPAA, Gramm-Leach-Bliley, Sarbanes-Oxley, state and federal information security and privacy laws, identity theft and security breaches. He served as a Commissioner for the Commission on Cyber Security for the 44th Presidency.

Privacy Issues and Education: Peter Kosmala, International Association of Privacy Professionals April 1, 2009 From the Heartland data breach to the new Massachusetts data protection law, privacy is the hot topic in business and government. In an exclusive interview, Peter Kosmala, assistant director of the International Association of Privacy Professionals (IAPP), discusses: The top privacy topics in business and government; How organizations are tackling these issues; The potential impact of state and federal privacy legislation; The value of the Certified Information Privacy Professional (CIPP) credential. Kosmala oversees product management for the IAPP with specific oversight of distance learning products, privacy certifications and industry awards programs. He also manages business development efforts between the IAPP and peer organizations in the information security, information auditing and legal compliance arenas as well as organizations based in the Asia-Pacific region. The IAPP, based in York, Maine, was founded in 2000 with a mission to define, promote and improve the privacy profession globally.

Government Information Security Podcasts As a GovInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking. Click For More Info Insights on the Insider Threat: Randy Trzeciak of Carnegie Mellon's CERT February 25, 2009 We all know the risk of the insider threat is high, but what are the specific vulnerabilities for which organizations should be particularly vigilant? In an exclusive interview, Randy Trzeciak of Carnegie Mellon's CERT program discusses recent insider threat research, including: Patterns and trends of insider crimes; Motives and means displayed in real insider cases; What employers and staffs can do to prevent and detect crimes. Trzeciak is currently a Senior Member of the Technical Staff for the Threat and Incident Management Team in the CERT Program at Carnegie Mellon University's Software Engineering Institute. He is a member of a team in CERT focusing on insider threat research, including insider threat studies being conducted with the US Secret Service National Threat Assessment Center, DOD's Personnel Security Research Center (PERSEREC), and Carnegie Mellon's CyLab.

Anatomy of a Data Breach Investigation: Alain Sheer, FTC Attorney February 17, 2009 The Heartland Payment Systems data breach is on everyone's mind, and the case is in the hands now of the Federal Trade Commission (FTC) if it chooses to investigate. While the FTC will neither confirm nor deny a Heartland investigation, staff attorney Alain Sheer does offer his insight on: How the FTC investigates data breaches like Heartland's; The timeline and milestones of such an investigation; Details of the CardSystems data breach - which closely resembles Heartland's.

Welcome to GovInfoSecurity.com We have a new President, a new Administration, a new session of Congress ... and a new national mission throughout government to secure personal data and protect our borders from cyber threats. Information security has never been more important to the federal government - or to all of us, as we conduct personal and professional business in this electronic world. To track the progress of this new security-savvy Administration - and to give you the information and opportunity to present your opinions - we're pleased to introduce GovInfoSecurity.com, a new site dedicated to providing interactive news, views and training on all facets of federal government security.

As health care providers determine how they will take advantage of the $19 billion allocated in the stimulus package to help jumpstart advances in health information technology (HIT), consumer appetite for electronic health records (EHRs), online tools and services is also growing, according to the results of the 2009 Deloitte Survey of Health Care Consumers (www.deloitte.com/us/2009consumersurvey). While only 9 percent of consumers surveyed have an electronic personal health record (PHR), 42 percent are interested in establishing PHRs connected online to their physicians. Fifty-five percent want the ability to communicate with their doctor via email to exchange health information and get answers to questions. Fifty-seven percent reported they'd be interested in scheduling appointments, buying prescriptions and completing other transactions online if their information is protected. Technologies that can facilitate consumer transactions with providers and health plans, like integrated billing systems that make bill payment faster and more convenient, are also appealing to nearly half (47 percent) of consumers surveyed. The survey of more than 4,000 U.S. consumers 18 and over was released today at the Healthcare Information and Management Systems Society (HIMSS) Annual Conference held in Chicago. It is the second annual study examining health care consumers' attitudes, behaviors and unmet needs conducted by the Deloitte Center for Health Solutions offering health care industry leaders and policymakers a timely look at how health care consumerism is evolving. "Consumers are increasingly embracing innovations that enhance self-care, convenience, personalization and control of personal health information," said Paul H. Keckley, Ph.D., executive director, Deloitte Center for Health Solutions. "Consumers want a bigger say in their health care decisions. Consumer demand for HIT and its potential impact on reforming the system has never been stronger." Despite strong con

Privacy is Dead. Long Live Privacy? at the 2007 Battle of Ideas conference hosted by the Institute of Ideas.New technology seems to have changed the meaning of privacy, affording individuals the possibility of sharing details of their hitherto private lives in unprecedented ways, from personal blogs to picture sharing and even 'social bookmarking'. For many of us, divulging intimate details of our private lives via social networking websites like MySpace and Facebook has become the norm. But information and communication technologies have also facilitated surveillance and data gathering by government and big businesses. While in some contexts we seem so ready to give up our privacy, in others we seem increasingly anxious to protect it.To what extent are new technologies responsible for the death of privacy? Are privacy concerns simply technophobic, or are we right to worry about a loss of control over personal information? Have new technologies and our enthusiastic adoption of them actually transformed our notions of public and private, and blown apart the wall dividing the two? Why do we worry about Tesco monitoring what we buy, when, according to Sun Microsystems CEO Scott McNealy: 'You have zero privacy anyway. Get over it'? - IoI

Internet scams, phishing, identity theft and other attacks that exploit your personal data are always a threat when you shop online, set up an email account, use a credit card, manage an online bank account or carry your Social Security card. There is hope, however, for fighting these threats, and you can start by taking back control of all of your personal data. The 50 tips and tools in this list will help you understand how these scams originate, how to protect yourself online and offline, and how to track down your personal data on the Internet. Web Privacy Protect yourself and your data online by choosing a secure Web browser, understanding the dos and don'ts of wireless security, and correctly managing passwords.

Parents of 18,541 Metro Nashville students will receive letters next week outlining a security breach that put their children's Social Security numbers online for three months. Advertisement Boston-based Public Consulting Group Inc., which holds a five-year, $2.6-million-a-year contract with the state to collect student data from various districts, corrected the error March 31 after a parent using Google to search her daughter's name found it - along with personal data for the students and 6,000 parent names. Art Staehling learned Wednesday that his teenage daughter was on the list and said he's concerned what could happen to her identity. "I find it hard to believe that an established company had a problem of this magnitude," Staehling said. The consulting group will pay for parents of affected children to check all family members' credit reports through Experian and for a year of monitoring. One of the group's owners, Stephen Skinner, said the error happened when workers running a test Dec. 28 on random student data inadvertently stored a file to an insecure directory. They discovered the error March 5 and took down the file, which contained student names, gender, race or ethnicity, date of birth, Social Security number and, in some cases, parent names. But they were unaware Google's search engine had already found the file and indexed it. That's how the parent, who is also a Metro schools employee, found out about the breach weeks later. Public Consulting Group worked with Google to take the information down.

Purdue University last month reported its seventh data breach in the past four years. But Purdue is hardly alone. According to my records, over 300 publicized privacy incidents have occurred at U.S. institutions of higher learning since 2001, with at least 53 colleges and universities experiencing multiple breaches (see table at end of article). The regular stream of university data-breach reports has prompted Adam Dodge, assistant director for information security at Eastern Illinois University, to devote a blog - Educational Security Incidents - to the topic. When I last covered the issue four years ago (see "Security breaches challenge academia's 'open society' "), universities were the leading sector for publicized breaches. The same is true today. What's going on? Why haven't things changed? John Correlli of Los Angeles-based JMC Privacy Consulting Group has some answers. Correlli recently published a detailed analysis of the topic, "Breaches in the Academia Sector." Correlli identifies the top three root causes of university breaches: unauthorized access, usually inside jobs; accidental online exposures; and stolen laptops. "Privacy governance in academia is far too frequently thrown into the laps of the IT folks, who are then told, implicitly or explicitly, that privacy isn't a priority until it's a problem," Correlli told me.

Laws in Canada and other countries are increasingly helping technology force people to identify themselves where they never had to before, threatening privacy that allows people to function effectively in society, a new study has found. "What we're starting to see is a move toward making people more and more identifiable," University of Ottawa law professor Ian Kerr said Wednesday. His comments followed the launch of Lessons from the Identity Trail: Anonymity, Privacy and Identity in a Networked Society, a book summing up the study's findings, at a public reading in downtown Ottawa hosted jointly with the Privacy Commissioner of Canada. Kerr led the study with University of Ottawa criminology professor Valerie Steeves. They collaborated with 35 other researchers in Canada, the U.S., the U.K., the Netherlands and Italy. The researchers reported that governments are choosing laws that require people to identify themselves and are lowering judicial thresholds defining when identity information must be disclosed to law enforcement officials. That is allowing the wider use of new technologies capable of making people identifiable, including smartcards, security cameras, GPS, tracking cookies and DNA sequencing. Consequently, governments and corporations are able to do things like: * Embrace technologies such as radio frequency identification tags that can be used to track people and merchandise to analyze behaviour. * Boost video surveillance in public places. * Pressure companies such as internet service providers to collect and maintain records of identification information about their customers. While Canada, the U.K., the Netherlands and Italy all have national laws protecting privacy - that is, laws that allow citizens to control access to their personal data - such legal protection does not exist for anonymity, Kerr said. "Canada is quite similar [to other countries] with respect to anonymity. Namely, it's shrinking here just as it is there.

Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, the Wall Street Journal reported on Wednesday. The spies came from China, Russia and other countries, and were believed to be on a mission to navigate the U.S. electrical system and its controls, the newspaper said, citing current and former U.S. national security officials. The intruders have not sought to damage the power grid or other key infrastructure but officials said they could try during a crisis or war, the paper said in a report on its website. "The Chinese have attempted to map our infrastructure, such as the electrical grid," a senior intelligence official told the Journal. "So have the Russians." The espionage appeared pervasive across the United States and does not target a particular company or region, said a former Department of Homeland Security official. "There are intrusions, and they are growing," the former official told the paper, referring to electrical systems. "There were a lot last year." The administration of U.S. President Barack Obama was not immediately available for comment on the newspaper report. Authorities investigating the intrusions have found software tools left behind that could be used to destroy infrastructure components, the senior intelligence official said. He added, "If we go to war with them, they will try to turn them on." Officials said water, sewage and other infrastructure systems also were at risk.

The new Obama Administration and a stronger Democratic party control of Congress set in the midst of a struggling economy and foreign policy issues, has created an interesting environment for legislation and regulations affecting customer interactions both federally and at state levels. While contact center-and-direct marketing-affecting issues such as offshoring, privacy, and telemarketing may haven been pushed offstage, they are not out of the hall. Ironically, economic pressures may shove them back into the spotlight as governments, especially states, seek ways to keep jobs and revenue sources, which contact centers provide. Federal Legislation Here is an examination of federal industry issues that lawmakers and regulators are and may be addressing in 2009: * Offshoring Federal lawmakers may reintroduce a bill similar to HR 1776, The Call Center Consumer's Right to Know Act, which would require contact center agents to disclose the physical location of such employee at the beginning of inbound and outbound calls. Firms would also have to annually certify to the Federal Trade Commission (FTC (News - Alert)) their compliance with such requirement. HR 1776 is an attempt to restrict offshoring by making customers aware that their calls may be going to or originating out of country. The bill's supporters hope customers and negative publicity would pressure firms to bring such jobs back to the U.S. The downsides are that such bills may significantly add to contact center costs in both onshoring and time spent location disclosing and in compliance, which would ultimately be paid for by consumers. In doing so bills like it that hike contact center expenses may also be self-defeating as they may result in fewer domestic jobs. "The particular type of disclosure contemplated by HR 1776 is a burdensome additional disclosure without clear benefit to the consumer," American Teleservices Association (ATA) CEO Tim Searcy told the House Energy and Commerce subcom

On Monday, U.K.-based digital rights organization Open Rights Group submitted an open letter to major online media players, urging them to prevent ISP-level behavioral targeting firm Phorm from tracking user interactions on their Web sites. The letter, sent to Google, AOL, Microsoft, Facebook, Yahoo, Amazon and Ebay, said, "[ORG] believes that it is clearly in your company's interest, it is in the interests of all of your customers, and it will serve to protect your brand's reputation, if you insist that the Phorm/Webwise system does not process any data that passes to or from your website." "We have received the letter and are giving it careful consideration from privacy and business perspectives," a spokesperson for AOL and its social network Bebo told ClickZ News. Similarly, in reference to the ORG correspondence, a Google spokesperson told ClickZ, "We've received the ORG's letter, but we're still considering the points they raised, so we don't have a response to make at this time." According to information published on the British Telecom Web site (one of Phorm's ISP-partners,) site owners can specifically request that their properties are not "scanned" by Phorm's technology, by contacting the firm directly. Phorm announced deals with three major U.K. ISPs over a year ago, but its technology is still yet to be fully deployed. BT has, however, carried out live trials of the platform with some of its customers. Phorm's CEO, Kent Ertugrul, claims that BT will implement his company's technology by the end of the year, but BT itself remains less committed to that timeline. Both AOL and Google have vested interests in the behavioral targeting space, although not in the controversial area of deep packet inspection (DPI), in which Phorm's technology lies. AOL-owned Tacoda targets ads based on users' activity across a range of partner sites, but does not directly intercept ISP-data. Google also announced this month that it will begin testing similar behavioral targe

Facebook has gone a long way to protect the privacy of users on its own site. But what happens when users share their Facebook profiles and friend lists with other sites? Are social networks responsible for defending data its members decide to take elsewhere? Those questions have taken on added urgency following the introduction of tools by leading social networks, including Facebook and News Corp.'s (NWS) MySpace, that let users interact with their friends on partner sites. Facebook Connect, for example, lets a user instantly share a movie rating on Netflix (NFLX) with all or some of his or her pals on Facebook. Privacy advocates warn that these services pose a whole new set of concerns about how user data are collected and shared among sites on the Web. Using these open-networking tools, thousands of companies can unearth a trove of new data about a visitor-age, gender, location, interests, and even what a person looks like. "I'm wondering if people really understand when they're using Facebook Connect that other sites get access to their whole user profile and social graph," says Pam Dixon, executive director of the World Privacy Forum. Announced last July, Facebook Connect has already signed up more than 8,000 partner sites, many of which plan to use data collected on Facebook members for their own purposes. Joost, a video-viewing site that integrated with Facebook Connect in December, checks the ages of viewers entered on their Facebook profiles to give its own content partners-CBS (CBS), for example-a better idea of which Joost users are watching CBS programming. Digg.com will let users display their Facebook profile photos alongside comments they make on the social news-sharing site.

Customers of CVS' pharmacy will be able to import their prescription records into a Google Health account as a result of an expanded deal between the two companies. The deal was announced Monday. An earlier deal already allowed workers whose company uses CVS Caremark to handle drug benefits to use Google Health to store their drug records. The new deal expands this to customers of CVS' network of retail pharmacies. "We now offer all of our consumers the ability to download their prescription and medication history into their Google Health Personal Health Record, whether they are CVS/pharmacy customers, CVS Caremark plan participants or visitors to our MinuteClinic locations," said CVS Caremark Executive Vice President Helena Foulkes in a statement. "By enabling patients to download their prescription information directly into their personal health record, we are helping to close the gap in today's fragmented health care system and provide a full view of a patient's health." To use the tool, the companies said, consumers need to sign up for the prescription management feature on CVS.com as well as be authenticated. With the latest deal, Google said it now believes more than 100 million Americans will have the option of viewing their drug history within Google Health. Microsoft, which is also trying to sign consumers up for its HealthVault service, announced a deal with New York-Presbyterian Hospital on Sunday which will allow patients of that hospital system to export their records to a HealthVault account.

The International Dimensions of Securing Cyberspace with Seymour Goodman, Professor of International Affairs and Computing at Georgia Tech.Hudson Institute hosts the fourth installment of its Telecommunications, Information, and Security Policy Seminar series. Drawing on his experience in the international dimension of cyberspace, Goodman leads a discussion on the extent of the internationalization of cyberspace, specific international problems and weaknesses that add to cyberspace insecurity, especially relating to Africa, and also discusses some forms of international cooperation that might help alleviate these problems.

A Constitutional History Lesson with David Bisno.Protection of individual rights from government abuse has been at the center of constitutional debates since the country's founding, but scholars and politicians have stopped short of claiming an explicit "right to privacy" until recently. Bisno, an M.D. turned "silver-haired scholar," discusses the history of privacy in the Constitution.

Traditionally, we trust doctors with confidential information about our health in the knowledge that it�s in our own interests. Similarly, few patients object to the idea that such information may be used in some form for medical research. But what happens when this process is subject to scrutiny?How explicit does our consent have to be? Since the introduction of the Data Protection Act 1998 medical researchers have raised concerns over the increasing barriers they face to accessing patient data.These concerns have heightened amongst some researchers since the passing of the Human Tissue Act 2004 introduced in the wake of the Alder Hey and Bristol Royal Infirmary scandals. When scientific advances are unraveling the secrets of DNA and the decoding of the human genome has opened up substantial new research opportunities.Clinical scientists and epidemiologists argue that the requirements being placed upon them are disproportionate to the use they are making of either datasets or tissues samples and, besides, their work is in the public interest.At the heart of the debate lie key questions over trust and consent and how these can best be resolved.To complicate things, it is no longer just medical researchers, but also public health bureaucrats who are keen to have access to our data.Quasi-official bodies have been charged with persuading individuals to change their behaviour and lifestyles in connection with all manner of issues such as diet, exercise, smoking and alcohol consumption.Social Marketing � the borrowing of commercial marketing techniques in the pursuit of 'public goods' � is in vogue amongst public health officials. Empowered by advanced data collection and computing techniques, armed with the latest epidemiological research, and emboldened by a mission to change unhealthy behaviour, public health officials are keen to target their messages to specific 'market segments' in most need of advice.Are government researchers abusing patients' trust? Can an

Is the price to safeguard America's information systems and networks on a collision course with efforts to rescue the economy? One would hope not, but the $789 billion stimulus package that contains nearly $10 billions for IT-related projects offered very little for cybersecurity. Still, the president sees protecting government and private-sector information systems as crucial to the economic vitality of the country. So, when Acting Senior Director for Cyberspace Melissa Hathaway hands the President her recommendations on securing the nation's information infrastructure later this month, a sharper picture should emerge on how much money the government will need to spend to do just that. What Price Security? The government isn't a spendthrift in protecting its IT networks; it earmarked $6.8 billion a year on cybersecurity this fiscal year, up from $4.2 billion five years ago, according to the White House Office of Management and Budget. But is that enough? Appropriating money to find new and innovative ways to protect our critical information infrastructure doesn't seem to be a government priority, at least not yet. Of the $147 billion the government planned to spend on all types of research and development this fiscal year, only $300 million or 0.2 percent was slated for cybersecurity, according to the Securing Cyberspace in the 44th Presidency report issued by the Center for Strategic and International Studies. By comparison, the budget contained five times as much money $1.5 billion for nanotechnology R&D.