Privacy and Information Security In the News -- Week of June 5, 2006
June 5, 2006
A note about broken links: In the News links to current stories at various news sources on the Internet. Over time, some of the links may become broken when a source removes the stories from its pages. Often you can find the same story at another source by searching the title and author of the article. If you have questions about a link, send us an e-mail by clicking here.
Accounting Firm Loses Laptop With Customer Information From Hotels.com
A laptop that was stolen in late February from the locked car of an employee of the accounting firm Ernst & Young contained names, addresses and credit card numbers of about 243,000 customers of the online reservations firm Hotels.com. The computer was reportedly password protected. Ernst & Young conducts the audit of Hotels.com. This report raises several questions. Why, for example, did the employee have confidential customer information on a laptop in the first place? What kind of controls does Ernst & Young place on the security of its laptop computers? Why wasn't the data encrypted? And, why did Ernst & Young wait until May 3 to inform Hotels.com of the theft of its customer information, which occurred in February? When a company's contract with a third party gives that third party access to confidential data, the contract should require the third party to notify the company as soon as it learns of a data breach. "Laptop theft exposes Hotels.com data," http://seattlepi.nwsource.com/local/6420AP_WA_Hotelscom_Data_Theft.html
Stolen VA Computer Had Records on Active-Duty Soldiers and Sailors
Over the weekend, the Associated Press reported that among the 26.5 million records of soldiers and sailors on a laptop stolen from the home of an employee of the Department of Veterans Affairs, perhaps 50,000 related to members of the Navy and the National Guard currently on active duty. Previously, the Department of Veterans Affairs had reported that the records on the stolen computer related only to soldiers and sailors who had been discharged and a few of their spouses. "Theft of Data Went Further, V.A. Discloses," http://www.nytimes.com/2006/06/04/washington/04vets.html?_r=1&oref=slogin
HHS Criticized for LAX Enforcement of HIPAA
The Washington Post reports that in the three years since the privacy provisions of the Health Insurance Portability and Accountability Act ("HIPAA") have been in effect, the government has failed to impose a civil fine in response to any of the 19,420 grievances it has received. In that time the federal government has brought only two criminal cases, although the Department of Health and Human Services has referred 309 cases to the Department of Justice to investigate potential criminal wrongdoing. According to the Post:
The government has "closed" more than 73 percent of the cases—more than 14,000—either ruling that there was no violation, or allowing health plans, hospitals, doctors' offices or other entities simply to promise to fix whatever they had done wrong, escaping any penalty.
Industry groups praise the administration's emphasis on voluntary compliance. The Post quotes Lawrence Hughes of the American Hospital Association, who says, ""It has been an opportunity for hospitals to understand better what their requirements are and what they need to do to come into compliance." Privacy advocates, on the other hand, say that the lack of enforcement has led medical care providers to be lax in their efforts to comply. The Post quotes William R. Braithwaite of the eHealth Initiative and Foundation, an independent, nonprofit research and advocacy organization based in Washington, who says, "No one is afraid of being fined or getting bad publicity. . . . As long as they respond, they essentially get amnesty." "Medical Privacy Law Nets No Fines," http://www.washingtonpost.com/wp-dyn/content/article/2006/06/04/AR2006060400672.html?referrer=email&referrer=email
June 6, 2006
FTC Warns Vets of Scams Arising Out of Data Breach
The Federal Trade Commission is warning veterans to be wary of e-mail and phone scams that seek to take advantage of their concerns arising out of the theft of a computer containing sensitive information on 26.5 million vets and active-duty service members. Noting that "[i]n the past, fraudsters have used events like this to try to scam people into divulging their personal information by e-mail and over the phone," the FTC is telling veterans and their families to watch out for phishing attacks and bogus phone calls purporting to be from the agency.
The FTC advises veterans:
Do not give out your personal information over the phone, through the mail, or over the Internet unless you initiated the contact and know – or can verify – who you are dealing with.
Never click on links sent in unsolicited e-mails. Instead, type in a Web address you know to be accurate.
The VA, other government agencies, and legitimate businesses do not contact people by e-mail or telephone either to ask them for – or to confirm – social security numbers or other personal information.
Good advice for everyone. "FTC Warns Veterans to Delete Unsolicited E-mails," http://www.ftc.gov/opa/2006/06/fyi0632.htm
June 8, 2006
Data on Lost Laptop Included Information on 2.2 Million Active-Duty National Guard and Reserve Troops
On Monday of this week, In the News linked to an article that reported that the Department of Veterans Affairs acknowledged that sensitive information about approximately 50,000 active duty personnel was among the data on a stolen laptop that the VA had previously said contained records only with respect to persons who had been discharged. Yesterday, the VA revised that statement, indicating that as many as 2.2 million active-duty National Guard and Reserve troops were affected by the breach. "Personal info on 2.2M troops part of VA data theft," http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000992&taxonomyId=17
IRS Employee Loses Laptop With Employee and Applicant Information
The Washington Post this morning reports that an employee of the Internal Revenue Service lost a laptop that contained the unencrypted names, birth dates, social security numbers and fingerprints of 291 employees and applicants of the agency. The employee checked the computer with his luggage when boarding a plane, but never showed up at his destination. While not encrypted, the IRS stressed that the data was protected by two levels of passwords. "IRS Laptop Lost With Data on 291 People," http://www.washingtonpost.com/wp-dyn/content/article/2006/06/07/AR2006060701987.html?nav=rss_nation
Nine Steps to Protect Data on Mobile Devices
Computerworld is running a timely article that suggests nine steps a company can take to protect the data on mobile devices, which are proliferating. While the recent data breaches in the news have involved the loss of laptops, the article notes that "while executives may only take laptops with sensitive data out of the office occasionally, they probably will carry their mobile devices with them every day, everywhere. These devices are very vulnerable to loss, ranging from just being left behind on a restaurant table or cab seat to being stolen from a jacket pocket or being snatched with a purse." "The top 9 ways to secure mobile devices," http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Security&articleId=9000996&taxonomyId=17
According to Eugene Spafford, Director of the Purdue University Center for Education and Research in Information Assurance and Security, the use of mobile devices has resulted in a "softening" of the network security perimeter. In a recent interview on information security, Spafford, who listed this softening among the top three risks to information security, explained:
For a long time, we were able to get some semblance of securing the enterprise by establishing firewalls and [demilitarized zones] and maintaining the somewhat guarded perimeter. Now with BlackBerries, PDAs, wireless, executives traveling and using the Internet in hotel rooms, and people with VPN access from home systems, the perimeter is an illusion. But security policies and technologies have not kept up with that change. A big vulnerability in many environments is that you still have policies and people viewing the enterprise as protected with a firewall, and that's simply not the case.
Later in the interview Spafford discussed a change in mind-set that must occur to address softening:
Regarding the disappearance of the network perimeter, they have to change their mind-sets to protecting the individual hosts or to building well-defined enclaves. The whole enterprise is no longer an island; it's an archipelago of islands that need to be protected individually, even down to the single-machine level. This means that you have to treat all of those machines as outside your perimeter for purposes not only of protecting them but of protecting your other machines from them. So when somebody comes back in with a laptop after they've been off-site, you can't trust it simply because it's a company-issued laptop unless you have applied specific control measures. This mode of thinking has to go down to the individuals who are using the systems.
"Security expert recommends 'Net diversity'," http://www.networkworld.com/news/2006/052206-purdue-spafford.html?page=1
Analyst Says Encryption Far Cheaper than Recovering from a Data Breach
According to the research firm Gartner, cleaning up after a data breach is 15 times more expensive than encrypting the data to protect it against disclosure. In a written statement accompanying her testimony before a Senate committee looking into the data breach at the Department of Veterans Affairs, Gartner analyst Avivah Litan wrote that
A company with at least 10,000 accounts to protect can spend, in the first year, as little as $6 per customer account for just data encryption, or as much as $16 per customer account for data encryption, host-based intrusion prevention, and strong security audits combined."
Litan wrote that the average expenditure when data security is breached is $90 a customer. "Cleaning Up Data Breach Costs 15x More Than Encryption," http://www.techweb.com/wire/security/188702019
June 9, 2006
Second Report This Week of Laptop in Luggage Lost by Airline
Computerworld reported earlier this week that information about an undisclosed number of retirees from East Coast grocer Ahold USA was contained on a computer that was lost by an airline. The computer belonged to an employee of Electronic Data Systems Corp., which provides data processing services to the Ahold's pension plan. According to EDS, the employee violated company policy when the employee complied with an airline employee's request that the EDS employee check the computer rather than carrying it onboard the plane. "Ahold USA pension data lost when laptop disappears," http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000953&source=rss_topic84 Yesterday, In the News linked to a similar story about a laptop lost by an airline when it was checked by an employee of the Internal Revenue Service.
Documents Stolen From U of M Credit Union Storeroom Lead to Identity Theft
On Thursday, the University of Michigan Credit Union confirmed that someone stole documents containing sensitive information about 5,000 of the credit union's members from a storage room last summer. The theft was apparently not discovered until March of this year. The documents were being stored before they were to be imaged and shredded, but someone stole them before that could happen. The theft was discovered when the Michigan State Police found the documents in a home that they raided in Detroit. Although the credit union notified the affected customers in March, the theft was not apparently made public until this week. Police reportedly suspect that a former employee is the culprit. "Univ. of Michigan credit union warns of stolen data," http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001052&taxonomyId=17
VA Takes Steps to Prevent Future Breaches
The Department of Veterans Affairs has prohibited employees from using their own laptop computers at work and has prohibited some workers from working remotely. Govexec.com reports that employees are being prohibited from taking claim files out of the office. In addition, "employees no longer will be allowed to access the agency's VPN from personal computers. Every 30 days the VPN settings will change, forcing laptop users to return to the agency for updates and security screening." "VA cuts telework, bans employee-owned computers," http://www.govexec.com/dailyfed/0606/060806p2.htm
Current and past issues of In the News
are now available online at this link
This message is provided by the Privacy and Information Security Task Force at Warner Norcross & Judd LLP to advise you of recent developments in the law affecting privacy and data security. Because each business situation is different, this information is intended for general information purposes only and is not intended to provide legal advice on any specific facts and circumstances.
Warner Norcross & Judd LLP (www.wnj.com) is a full-service law firm with four offices in Michigan. Our Privacy and Information Security Task Force includes lawyers from across the Firm's practice areas who work together to help businesses ensure the security of their information systems and electronic data and to assist businesses who have experienced a data breach to limit their liabilities and prosecute hackers and data thieves. For information about the Privacy and Information Security Task Force at Warner Norcross & Judd LLP, e-mail Rodney Martin at firstname.lastname@example.org or write him at Warner Norcross & Judd LLP, Suite 900, 111 Lyon Street NW, Grand Rapids, MI 49503.