CIPP Information Privacy & Security News

"Rep. Loretta Sanchez, Chair, House Armed Services Subcommittee on Terrorism, Unconventional Threats and Capabilities With many committees and subcommittees having oversight over government cybersecurity, Rep. Loretta Sanchez thinks it would be a good idea to gather them together to map out steps Congress can take to help secure government IT."

US Government agencies collaborate to help secure information assets & protect our infrastructure and citizens? What an idea!

""So many people in America think this does not affect them. They've been convinced that these programs are only targeted at suspected terrorists. … I think that's wrong. … Our programs are not perfect, and it is inevitable that totally innocent Americans are going to be affected by these programs," former CIA Assistant General Counsel Suzanne Spaulding tells FRONTLINE correspondent Hedrick Smith in Spying on the Home Front. 9/11 has indelibly altered America in ways that people are now starting to earnestly question: not only perpetual orange alerts, barricades and body frisks at the airport, but greater government scrutiny of people's records and electronic surveillance of their communications. The watershed, officials tell FRONTLINE, was the government's shift after 9/11 to a strategy of pre-emption at home -- not just prosecuting terrorists for breaking the law, but trying to find and stop them before they strike. President Bush described his anti-terrorist measures as narrow and targeted, but a FRONTLINE investigation has found that the National Security Agency (NSA) has engaged in wiretapping and sifting Internet communications of millions of Americans; the FBI conducted a data sweep on 250,000 Las Vegas vacationers, and along with more than 50 other agencies, they are mining commercial-sector data banks to an unprecedented degree."

It affects each & every US citizen in one way or another. Good video on privacy & security.

"Ordering Pizza in 2015"

Links to information about the companies that are watching what you click and browse.

Who's watching while you visit that job hunting, porn or shopping site?

"Scott Fortnum had put in almost a full day of work at his Markham, Ont., office when he decided to "check in" on Foursquare, a location-based social network where users log the names and co-ordinates of the places they visit with a time stamp. The 44-year-old's check-in was marked with a small coral balloon on an embedded Google Map and instantly viewable by the 12 friends he lists on Foursquare - and millions of others. His check-in found its way onto pleaserobme.com, a recently launched website with a mischievous mandate: "listing all those empty homes out there." With March break approaching, many impending vacationers are installing automatic timers on their lights and putting their newspaper subscriptions on hold to deter burglars. Many are also posting on Twitter about when they're leaving and touting their week-long getaway to Jamaica on Facebook - unwittingly letting the online world know exactly when they're away. Mr. Fortnum's check-in appeared this way on Please Rob Me: @sfortnum left home and checked in 30 minutes ago: I'm at ALS Canada (3000 Steeles Ave. E. #200, DVP & Steeles, Toronto.) http://4sq.com/4MmX51 Many Foursquare users such as Mr. Fortnum cross-post their check-ins to Twitter, where they are easy to find through the search function. With some simple coding, Please Rob Me's creators are able to collect those millions of public tweets on their site in real time, highlighting one of the many security concerns that springs from broadcasting one's whereabouts online. Frank Groeneveld, one of the three students from the Netherlands who designed Please Rob Me, says he co-created the site to give members of social networks a wake-up call."

Finally a site that might make someone a profit!

"There's a known weakness in browsers which we wrote about in the book. Every time we talked with someone about it, they'd ask us why we didn't start a company that took advantage of the loophole, and the answer was, well, it's creepy. The loophole basically lets you see where else your visitors have been on the Internet. Well, it's now out in the open, in two forms: Beencounter, and Haveyourfriendsbeenthere. To be perfectly clear, the site won't show you everything your visitors surf-just whether or not they've been to a set of sites you define. Here's how it works:"

"It was fascinating to read your thoughts about our recent conversation in CSO (see The Many Challenges of Finding Work as a CISO/CSO"). And when I say "fascinating," I mean in the sense of watching Nascar: a lot of predictable left turns and some really embarrassing, squirm-inducing shots of the fans. I do like you, I think you're a nice guy, and so I wanted to give you some feedback about the interview process and what you're going to need to change to be successful. I don't think you're going to enjoy reading this. But maybe some of those hours that you're spending maintaining that "vast database" of yours could be better spent understanding why we hired someone who understands they're an engineer."

One of the most enlightening articles I have seen on the value of security to corporate America.

"In a case that could prove to be one of the most important privacy rights battles of the modern era, the 3rd U.S. Circuit Court of Appeals will hear argument this week on the proper legal standard to apply when prosecutors demand cell phone location data. The data, which are recorded about once every seven seconds whenever a cell phone is turned on, effectively track the whereabouts and the comings and goings of every cell phone user. Justice Department lawyers argue that, by statute, they need only show "reasonable grounds" to believe that such records are "relevant and material to an ongoing criminal investigation." But a federal magistrate judge in Pittsburgh strongly disagreed in February 2008, issuing a 52-page opinion that said the prosecutors must meet the "probable cause" standard. "This court believes that citizens continue to hold a reasonable expectation of privacy in the information the government seeks regarding their physical movements/locations -- even now that such information is routinely produced by their cell phones -- and that, therefore, the government's investigatory search of such information continues to be protected by the Fourth Amendment's warrant requirement," U.S. Magistrate Judge Lisa Pupo Lenihan wrote."

Turn the cell phone off and put on your tin foil hat so the government and aliens can't track you!

"A Texas bank is suing a customer hit by an $800,000 cybertheft incident in a case that could test the extent to which customers should be held responsible for protecting their online accounts from compromises. The incident, which was first reported by blogger Brian Krebs this week, involves Lubbock-based PlainsCapital bank and its customer Hillary Machinery Inc. of Plano. In November, unknown attackers based in Romania and Italy initiated a series of unauthorized wire transfers from Hillary's bank accounts and depleted it by $801,495. About $600,000 of the amount was later recovered by PlainsCapital. Hillary demanded that the bank repay it the rest of the stolen money. In a letter to the bank in December, Hillary claimed that the theft happened only because PlainsCapital had failed to implement adequate security measures. PlainsCapital promptly filed a lawsuit in the U.S. District Court for the Eastern District of Texas asking the court to certify that its security procedures were "commercially reasonable." In its complaint, the bank noted that it had made every effort to recover the stolen money."

Bank sues theft victim in pre-emptive strike

Tomorrow is Data Protection and Privacy Day. Events around the world will mark the occasion. In Brussels, the European Parliament, European Commission and EDPS will host a variety of workshops and the winners of the "Think Privacy," competition will be unveiled. In Canada, events will be held in Newfoundland and Labrador, Ontario, Alberta and elsewhere, with regulators and companies hosting various forums. For a comprehensive list of global events, visit the Data Privacy Day Web site. After hours, privacy pros will gather in cities across the world for IAPP Privacy After Hours events. Click here to find an event near you.

Data Protection & Privacy Day Tomorrow

"If there was anything even vaguely comforting about the data breaches that were announced this year, it was that many of them stemmed from familiar and downright mundane security failures. Companies continued to be felled more by usual issues such as lost laptops, un-patched or poorly coded software, inadvertent disclosures and rogue insiders, rather than by sneaky new attack techniques or devastating new hacker tools. "

Preventable data loss damages customer trust and corporate trust.

"The cost of a data breach increased last year to $204 per compromised customer record, according to the Ponemon Institute's annual study. The average total cost of a data breach rose from $6.65 million in 2008 to $6.75 million in 2009. "

Cost of data breaches continue to increase while IT looks the other way.

"A UN watchdog has called for a new international agreement on privacy following a review of the expanding global array of surveillance measures and databases advanced by governments in the cause of counter-terrorism. The special rapporteur on human rights, Martin Scheinin, said the UN should create a "a global declaration on data protection and data privacy" in response. His report, delivered to the UN's Human Rights Council, describes the expansion of watchlists, border checks, financial data sharing, interception of communications, biometrics and ID registers in recent years. "States no longer limit exceptional surveillance schemes to combating terrorism and instead make these surveillance powers available for all purposes," he added."

"You probably don't analyze the chatter or quality of your social media connections, but creditors may be doing just that. In their quest to identify creditworthy customers, some are tapping into the information you and your friends reveal in the virtual stratosphere. Before calling the privacy police, though, understand how it's really being used."

The social media outlets you use may affect credit offers!

"A Concord, New Hampshire, financial services company is sending data breach notification letters to customers after discovering that shared passwords, set up to simplify administrative functions nearly 10 years ago, could have exposed the private data of 1.2 million customers."

Shared administrative passwords lead to privacy breach notification of 1.2 million customers. Nobody out there still using such bad process! Right?

"A privacy watchdog's criticisms of Facebook appear to have captured the attention of the Federal Trade Commission. In a letter dated Jan. 14, David Vladeck, head of the FTC's Bureau of Consumer Protection, told the Electronic Privacy Information Center that its complaint about recent privacy changes at Facebook "raises issues of particular interest for us at this time." Vladeck added that he has asked an official to arrange a followup meeting with EPIC, but also said he can't currently confirm or deny whether the FTC has opened an investigation. FTC investigations are not public until the agency either issues a complaint or closes the matter. The FTC's consumer protection chief also said in his letter to EPIC that the commission plans to focus on privacy issues raised by social networks at the next roundtable, scheduled to be held in Berkeley, Calif. on Jan. 28. "

FTC may investigate privacy issues on FaceBook? Equal bang for the buck by identifying and educating users who post way too much personal information.

"Web users are not yet deleting Flash cookies as often as they shed more traditional cookies, but that doesn't mean it's a good idea to use Flash technology to track consumers online. That's according to a new report commissioned by media audit company BPA Worldwide. The report, authored by analytics expert Eric Peterson, warns that the use of Flash cookies, also called "local shared objects," to override consumers' choices could invite new privacy laws. "With the attention given to consumer privacy on the Internet at both individual and governmental levels, we believe that companies making inappropriate or irresponsible use of the Flash technology are very likely asking for trouble, (and potentially putting the rest of the online industry at risk of additional government regulation)," writes Peterson, CEO and principal consultant at Web Analytics Demystified. "

Flash cookies may draw additional legislation for the online advertising industry.

Marcia Angell MD is a well-known, respected physician, long-time editor of NEJM. So it was a bit of a shock today when Amy Romano, blogger for Lamaze International, sent me this quote: "It is simply no longer possible to believe much of the clinical research that is published, or to rely on the judgment of trusted physicians or authoritative medical guidelines. I take no pleasure in this conclusion, which I reached slowly and reluctantly over my two decades as an editor of The New England Journal of Medicine".

Interesting quote by former editor of the New England Journal of Medicine

"Medical records for about 15,500 Northern California Kaiser patients - about 9,000 of them in the Bay Area - were compromised after thieves stole an external drive from a Kaiser employee's car last month, Kaiser officials said Tuesday." Kaiser officials said the electronic device contained patients' names, medical record numbers and possibly ages, genders, telephone numbers, addresses and general information related to their care and treatment. No Social Security numbers or financial information was contained on the drive, and Kaiser officials said there's no evidence that the information has been used inappropriately. The device was not encrypted, but some of the information was password protected. Kaiser has sent letters to the 15,500 members and the employee, who Kaiser would not identify, has been fired.

Another hospital employee fired for inappropraite access of medical records. More damage to a medical group reputation because someone failed to get the message.

"For five days as her husband lay in his hospital bed suffering from kidney cancer, Regina Holliday begged doctors and nurses for his medical records, and for five days she never received them. On the sixth day, her husband needed to be transferred to another hospital -- without his complete medical records. "When Fred arrived at the second hospital, they couldn't give him any pain medication because they didn't know what drugs he already had in his system, and they didn't want to overdose him," says Holliday, who lives in Washington. "For six hours he was in pain, panicking, while I ran back to the first hospital and got the rest of the records." Despite a federal law requiring hospitals and doctors to release medical records to patients who ask for them, patients are reporting they have a hard time accessing them leading to complications like the ones the Holliday family experienced. 'What part of "Give us our damn data" do you not understand?'"

Privacy law matters in ways not readily apparant until they hit home.