Privacy and Information Security In the News -- Week of September 26, 2005
September 26, 2005
A note about broken links: In the News links to current stories at various news sources on the Internet. Over time, some of the links may become broken when a source removes the stories from its pages. Often you can find the same story at another source by searching the title or author of the article. If you have questions about a link, send us an e-mail by clicking here.
Inside the World of Credit Card Thieves
Joe Light, of The Boston Globe, gives us some insight into the world of credit card thieves. Light used the Internet to locate people who claimed to deal in stolen credit card information, called "dumps." His article explains how disturbingly easy it is to get set up to deal in stolen credit card information and how remunerative it has become. "Stealing Your ID Can Be As Easy As ABC," http://www.boston.com/business/technology/articles/2005/09/25/stealing_your_id_can_be_as_easy_as_abc/?page=1
Judge Refuses to Require Notice to Cardholders in CardSystems Case
At a hearing on Friday, a judge in California refused to issue a preliminary injunction requiring MasterCard and VISA to send notices to cardholders whose credit and debit card information was exposed in a data breach disclosed in June by CardSystems Solutions, Inc., a payment processor. California was the first state to adopt a law requiring a company to notify consumers when sensitive data maintained by the company is disclosed to unauthorized persons. MasterCard and VISA argued that they should not be required to provide notice because they have no direct contractual relationship with the cardholders. They also argued that there was no significant risk of harm to affected consumers, because federal law limits a consumer's liability for unauthorized use of a credit card and because the cardholder data did not include social security numbers. "Visa, Mastercard Win Battle Over Breach," http://www.businessweek.com/ap/tech/D8CQ94N81.htm?campaign_id=apn_tech_down&chan=tc.
CardSystems to be Bought
It was announced that CardSystems – the company at the center of a data breach involving 40 million cardholders – has entered into a letter of intent to sell its assets. Following the data breach, CardSystems' fortunes collapsed as VISA terminated CardSystems' authority to process credit card transactions. "Cybersource Intends To Buy CardSystems Assets," http://today.reuters.com/investing/financeArticle.aspx?type=bondsNews&storyID=2005-09-23T164435Z_01_N23627314_RTRIDST_0_FINANCIAL-CARDSYSTEMS-CYBERSOURCE-UPDATE-2.XML
IRS Loses Checks and SSNs From 30,000 Taxpayers
Forty-five thousand personal checks and vouchers payable to the IRS were recently dumped into San Francisco Bay. An IRS courier truck carrying the checks and vouchers from taxpayers in twelve states was involved in an accident on the San Mateo-Hayward Bridge, dumping the checks into the bay. The IRS reports that 15,000 checks have been recovered. The checks and the IRS 1040-ES form that accompanied them bear the social security number of the taxpayer, increasing the potential for identity theft. "Wreck in Calif. raises questions about ID theft, payments to IRS," http://www.azcentral.com/arizonarepublic/business/articles/0924irs24.html
Phishers Find Way to Emulate a Secure Site
Cyberthieves have begun using self-signed digital certificates to make the sites they build to phish for sensitive information appear authentic and secure. A self-signed certificate is one created by the site's author rather than by a recognized certificate authority; it is somewhat akin to issuing your own passport or driver's license. As a result, a person who visits the bogus site sees the "https:" prefix and the lock icon associated with a secure site. When a self-signed certificate is used, the browser displays a warning that the certificate is not recognized, but the phishers are counting on the fact that many people simply click through such warnings. "New Phishing Scam Deceives With Phony Certificates," http://informationweek.com/story/showArticle.jhtml?articleID=171200010
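To make the mechanism concrete, here is an added shell example (not code from the newsletter or from the InformationWeek article it cites) that uses openssl to mint two certificates for the same constructed host name: one self-signed, as a phishing site can produce on its own, and one issued by a throwaway certificate authority standing in for a browser's root store. It then runs the two checks a browser performs before showing the lock icon without a warning: is the certificate its own issuer, and does it chain to a trusted root? The CA name, host name and file names are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the newsletter or the article it cites.
# Shows why a browser warns on a self-signed certificate: the name it carries
# is vouched for by nobody but the site itself. All names are constructed.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the run does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# 1. A throwaway trust anchor, standing in for the root store a browser ships with.
openssl req -x509 -config "$WORK/req.cnf" -extensions ca_ext \
  -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Example Test Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. What a phishing site can mint for itself: subject and issuer are the same party.
openssl req -x509 -config "$WORK/req.cnf" \
  -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=login.bank.example.test" \
  -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null

# 3. What the legitimate site obtains: a signing request issued by the trust anchor.
openssl req -new -config "$WORK/req.cnf" \
  -newkey rsa:2048 -nodes -sha256 -subj "/CN=login.bank.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -sha256 -days 1 -out "$WORK/leaf.pem" 2>/dev/null

# Returns 0 when the certificate's issuer equals its subject, i.e. it is
# self-signed: the "passport" was issued by the person it names.
is_self_signed() {
  subj="$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')"
  iss="$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//')"
  [ "$subj" = "$iss" ]
}

# Returns 0 when the certificate chains to the given trust anchor, which is the
# check that decides whether the lock icon appears without a warning. The
# output is matched rather than the exit code because old OpenSSL releases
# exit 0 from 'verify' even when validation fails.
chain_verifies() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Both certificates carry the same host name; only one of them proves anything.
for cert in self.pem leaf.pem; do
  if is_self_signed "$WORK/$cert"; then kind="self-signed"; else kind="CA-issued"; fi
  if chain_verifies "$WORK/ca.pem" "$WORK/$cert"; then
    result="trusted"
  else
    result="WARNING: does not chain to a trusted root"
  fi
  echo "$cert: $kind, $result"
done
```

The self-signed certificate still enables "https:" and the lock, because encryption works with any key pair; what it cannot do is pass chain validation, which is the step the browser warning reports. The defensive lesson for users and for anyone writing security-awareness material is that the lock alone says nothing about who operates the site, and that a certificate warning is the browser telling you exactly that.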
Trust as a Business Strategy
The Toronto Globe and Mail has an article by Peter de Jager in which he discusses consumer attitudes toward the sharing of information. The article suggests that privacy and security may become critical factors in a consumer's decision regarding with whom the consumer will do business. de Jager suggests that consumers may gravitate toward dealing with fewer companies whom they view as "trusted advisors," giving an advantage to companies that can demonstrate a concern for privacy and security. "The monopolies of trust," http://www.globetechnology.com/servlet/story/RTGAM.20050912.gtdejagersep12/BNStory/Technology/
Once Again Hurricane Brings Out the Worst in Some
Just as with Katrina, criminals have moved quickly to exploit Hurricane Rita. "Web Scammers Strike Before Hurricane Does," http://www.washingtonpost.com/wp-dyn/content/article/2005/09/23/AR2005092302148.html?referrer=email&referrer=email
September 27, 2005
Small Businesses Slow to Adopt Internet Banking
Entrepreneur magazine has a brief article on its site noting that, while small businesses are heavy users of the Internet, they have been slow to adopt Internet banking. The article speculates that this reluctance stems from concerns about Internet security, especially since businesses do not have the same protections as consumers under federal law. "Net Deposits," http://www.entrepreneur.com/Magazines/Copy_of_MA_SegArticle/0,4453,323389,00.html
Measuring the Impact of a Data Breach
Two studies have been released regarding the impact of a data breach on the companies that suffer it. A survey of consumers conducted by the Ponemon Institute for the law firm White & Case LLP measured the responses of consumers who were notified that sensitive information about them had been disclosed in a data breach. The study found that 19% of consumers terminated their relationship with the company, while another 40% said they were considering it. Only 8% did not blame the company for the breach. The study also found that consumers were much more likely to remain with a company that notified them of the breach by telephone or personalized letter than with a company that used an e-mail or form letter. The results of the study can be found at http://www.whitecase.com/warnernorcrossjudd/media/files/tbl_s5107Materials/FileUpload5837/151/Security_Breach_Survey.pdf
A second study looked at the impact of a data breach on the stock price of eight publicly traded companies that experienced the breach earlier this year, including Polo Ralph Lauren, DSW Shoe Warehouse (RVI), UPS, Citigroup, Bank of America, Wachovia, ChoicePoint and Time Warner. The study concluded that the data breaches had relatively little impact on stock price. The impact was greater where the breach was perceived to be the result of the company's negligence or the breach involved a core business function of the company. "How It's Difficult to Ruin a Good Name: An Analysis of Reputational Risk," http://www.ftusecurity.com/pub/FiTechSummit_final_paper.pdf.
Pursuing Identity Thieves Online
Yesterday's In the News linked to an article in The Boston Globe by Joe Light, in which he wrote about his encounter with credit card thieves. Monday's Boston Globe has another story by Mr. Light. This one discusses the private and government agents who pursue identity thieves online. "Agents Target Online Criminal Underground," http://www.boston.com/business/articles/2005/09/25/agents_target_online_criminal_underground/
Report Concludes Air Traffic Control System Vulnerable to Hackers
The General Accounting Office has issued a report to Congress regarding the security of the Federal Aviation Authority's air traffic control system. The report concluded that the system was vulnerable to hacking because of "outdated security plans, inadequate awareness training, and questions about whether the FAA could detect intruders and keep the system up during a security breach." "GAO Says IT Systems For Air Traffic Vulnerable," http://today.reuters.com/news/newsarticle.aspx?type=technologyNews&storyid=2005-09-26T220233Z_01_HAR678653_RTRUKOC_0_US-SECURITY-AIRTRAFFIC.xml
September 28, 2005
FTC Promotes Safe Surfing on New Site
The Federal Trade Commission, in cooperation with a number of private entities, has introduced a new web site aimed at educating people on how to use the Internet safely. The site, http://www.onguardonline.gov/, includes information and recommendations regarding spam, phishing, identity theft, and spyware, as well as instructional videos and tutorials on subjects such as activating firewalls and spam filters. FTC Press Release: "FTC and Partners Urge Consumers to Be On Guard Online" http://www.ftc.gov/opa/2005/09/onguardonline.htm
Stolen Laptop Had Information on 9,000 Mortgage Customers
Newsday reports that one of several laptops stolen from North Fork Bank included records on 9,000 mortgage loan customers. The bank sent a letter to the affected customers. According to the letter the computer was password protected, but the bank acknowledged the data was still at risk of being compromised.
"Bank Customers On Alert," http://www.newsday.com/business/local/newyork/ny-bzmort4429754sep17,0,2210016.story
Oops, That's Our Beta Version
A web security firm, GeoTrust, announced on Monday the launch of a new search engine that rates sites not only by relevance but also by trustworthiness. The search engine was designed to alert users to sites that are known to be malicious. "A Search Engine Based on Trust," http://www.redherring.com/Article.aspx?a=13729&hed=A+Search+Engine+Based+on+Trust&sector=Industries&subsector=InternetAndServices
Not long after the announcement, however, it was discovered that the search engine classified at least one fairly obvious phishing site as "verified," raising questions about the tool's accuracy. A company representative said such a false negative was "rare." "Trusted Search Software Labels Fraud Site As 'Safe,'" http://www.theregister.co.uk/2005/09/27/untrusted_search/
Purported Former Employee Writes Customers About Data Theft
Dain Rauscher, the U.S. securities subsidiary of the Royal Bank of Canada, reports that it has notified all of its customers of a potential data breach. According to a company press release, a small number of the company's customers had received letters from someone purporting to be a former employee who claimed to have stolen personal information about them from the company. There was no indication in the press release what threats the letters' sender made against the customers or the company. "Company Launches Investigation in Partnership With Federal Bureau of Investigation," http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/09-27-2005/0004133213&EDATE=
Vendor Survey Shows Multiple Passwords Lead to Risky Practices
A vendor of data security products has announced the results of a survey that, it says, indicates that computer users in the workplace are frustrated with the need to remember multiple passwords. According to the vendor, this frustration leads users to engage in risky practices, such as keeping insecure password lists that are susceptible to discovery by third parties. Press Release: "RSA Security Survey Reveals Multiple Passwords Creating Security Risks and End User Frustration," http://www.rsasecurity.com/press_release.asp?doc_id=6095
European Parliament Rejects Plan to Retain Communications Data
The European Parliament has rejected a plan to require telecommunications companies to retain telephone and e-mail data for three years to assist in terrorism investigations. European laws on data retention by telecommunications companies vary widely. Fifteen European states have no law governing retention of such data. But the effort to establish a standardized rule has been put on hold by the European Parliament's rejection.
"EU Parliament Rejects Data Plan," http://news.scotsman.com/latest.cfm?id=2002772005
Getting Control of Your Company's Data
Managing the enormous volume of e-mails, memos, spreadsheets, and other data generated by businesses large and small presents major challenges. A lengthy article in the Sarbanes-Oxley Compliance Journal discusses ways that businesses can add structure to their stored data in order to manage it and ensure compliance with the data retention requirements imposed by the Sarbanes-Oxley Act and other laws. The article provides a good introduction for nontechnical managers to the various approaches to organizing data. "Unstructured Information," http://www.s-ox.com/feature/detail.cfm?articleID=1069.
More From the CardSystems Notice Case
Last Friday, a California judge refused to issue a preliminary injunction ordering Visa and MasterCard to send notices to cardholders whose credit card numbers were disclosed in the CardSystems data breach. The card companies are not off the hook yet, though. At a hearing on Tuesday, the judge ordered the card companies to disclose details of their relationships with issuing banks so that the judge can determine whether the card companies should be held responsible for providing notice. MasterCard and Visa have argued that they have no relationship with the cardholders and therefore are not required to provide notice under the California breach notification statute. "Judge Looks For Links In Credit Card Case," http://news.zdnet.com/Judge+looks+for+links+in+credit+card+case/2100-1009_22-5884277.html?part=rss&tag=feed&subj=zdnn.
Congress Considers Credit Freeze Legislation
An article in this morning's American Banker discusses the pros and cons of credit-report freeze legislation. The Senate Commerce Committee has passed and sent to the full Senate a bill that would give consumers a federal right to prohibit a consumer reporting company from selling a copy of the consumer's credit report unless the consumer approves the creditor's request. Twelve states have adopted credit-report freeze laws and another twenty-one (including Michigan) are considering such laws. Consumer groups argue that a right to freeze one's credit report is much-needed protection from identity theft. Industry groups counter that such a right would be costly, would significantly slow the process of obtaining credit, and is unnecessary because a consumer already has the right to place a fraud alert on his or her credit report when identity theft is suspected. The article notes that in California, which has had a credit-report freeze law since 2003, only 9,000 out of 25 million consumers with credit reports have requested a freeze. "Credit-Report 'Freeze' Bills Advance," http://www.americanbanker.com/article.html?id=20050927S3YI2R9P&from=washregu (subscription required)
September 29, 2005
FTC Brings Claims Against Mortgage Company Under the Gramm-Leach-Bliley and FTC Acts
The Federal Trade Commission yesterday announced a settlement with a mortgage company it says failed to adequately protect consumer information and misled consumers about the protections the company took with data submitted by consumers over the Internet. The FTC alleged that the company violated the Safeguards Rule under the Gramm-Leach-Bliley Act by:
- Failing to analyze the risks to customer information for over a year after the Safeguards Rule became effective;
- Failing to employ password policies that limit access to sensitive customer information on the company's systems and in its documents;
- Failing to encrypt sensitive customer information it was sending by e-mail; and
- Failing to ensure that its service providers employed appropriate security for customer information and addressed known security risks in a timely manner.
In addition, the FTC alleged the company had engaged in a deceptive practice by telling visitors to its web site that information submitted via the web site would be encrypted when in fact it was not.
Under the settlement agreement, the company agreed that it would not misrepresent the extent to which personal information is encrypted or the extent to which the company protects the privacy, confidentiality, or security of the consumer information it collects. The company also agreed to comply going forward with the Safeguards Rule. Every two years for the next twenty years, the company must engage a qualified, independent consultant to conduct an assessment and prepare a report to be submitted to the FTC that:
- Sets forth the specific administrative, technical, and physical safeguards that the company implemented and maintained during the reporting period;
- Explains how the safeguards are appropriate given the size and complexity of the company, the nature and scope of the company's activities, and the sensitivity of the information the company collected from or about consumers;
- Explains how such safeguards meet or exceed the requirements of the Safeguards Rule; and
- Certifies that the company's security program operates "with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of nonpublic personal information is protected."
The complaint is available online at: http://www.ftc.gov/os/caselist/0523136/050928comp0523136.pdf. The settlement agreement is available at: http://www.ftc.gov/os/caselist/0523136/050928agree0523136.pdf
Further Insight Into Eastern European Phishing Gangs
An article posted by the BBC describes the activities of eastern European phishing gangs. The article quotes an expert who estimates that between 50 and 60 eastern European gangs account for 75% of all phishing attacks worldwide. Phishing gangs net, on average, between $100,000 and $300,000 a month. The article describes how phishing gangs are taking one of two divergent paths. One line tries to trick people into providing sensitive personal information at imposter web sites. According to the article, these gangs are more targeted in choosing to whom they send messages. The other line uses malware, such as keyloggers, to steal information. This group supposedly sends a much larger number of messages. "Boom Times For Hi-Tech Fraudsters," http://news.bbc.co.uk/1/hi/technology/4286276.stm
More College Data Found Using Search Engine
A law student at the City University of New York, using a search engine, discovered quite a surprise: the social security numbers of hundreds of law students and employees. The school has acknowledged that the data had been accessed through search engines 217 times between July 1 and September 22.
"New CUNY Security Slip," http://www.newsday.com/news/printedition/newyork/nyc-nycuny284445801sep28,0,5078667.story?coll=nyc-nynews-print
September 30, 2005
Class Action Accuses Hospital of Wrongfully Disclosing Medical Records
A university hospital has been sued in a class action brought on behalf of 800 patients whose medical records were released to a home health care provider. According to the plaintiffs, the hospital provided patient records to the home health care company to solicit patients to stay with the hospital rather than follow their physician, who had left the hospital to establish a private practice. The hospital maintains that it engaged the company to contact patients to ensure their safety. "University Hospital Sued Over Release Of Patient Records," http://www.kansascity.com/mld/kansascity/news/local/12764175.htm
American Bankers Association Poll Shows Consumers Object to Sharing of Information
A poll conducted for the American Bankers Association, and reported in this morning's American Banker, found that consumers would strongly object if their banks shared their personal information with third parties. Ninety-three percent of the respondents said a bank does not have the right to share information with others. Respondents were less concerned when the bank itself analyzed their information. Still, only forty-seven percent felt such a practice was acceptable, and of those people, only thirteen percent agreed that it was acceptable for their banks to do so if the purpose was to sell targeted products and services. The article did not attempt to compare survey responses to the actual responses of consumers to opt-out notices required by the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act. "Consumers Shun Third-Party Sharing of Data," http://www.americanbanker.com/article.html?id=20050929AUTY085Y&from=commbank.
Former Employee Says He Accessed Data Because Employer Failed to Change Password
More details are coming to light regarding the data theft from Dain Rauscher (In the News, 9-28-2005). Earlier this week the company, a subsidiary of the Royal Bank of Canada, reported that a former employee had sent a small number of customers letters informing them that the employee had stolen their account information. The Minneapolis Star Tribune obtained a copy of that letter. In it, the author claims to have gained access to customer information because the company failed to change his password on the company's network when it fired him. The author says he has sold the account information. "FBI Checking Theft of Dain Clients' Data," http://www.startribune.com/stories/535/5638740.html
University of Georgia Computer System Hacked
The University of Georgia announced that an "automated source outside the country" hacked into its computer system and obtained the social security numbers of 1,600 employees and other persons receiving payments from the University. The Atlanta Journal Constitution reports that this is the second time the college's computers have been hacked in the last two years. "Computer Breach Reported at UGA," http://www.ajc.com/metro/content/metro/0905/29ugabreach.html
A Stay of Execution for CardSystems
Visa USA, Inc., has announced that it will wait three months before following through on its intention to terminate its relationship with CardSystems, the card processor that experienced a breach exposing 40 million credit card numbers. Earlier this week, it was announced that CardSystems had entered a letter of intent to sell its assets (In the News, 9-26-2005). Visa said it was delaying in order to allow the transaction to go forward. "Visa USA Delays Plan To Cut Ties With CardSystems," http://www.washingtonpost.com/wp-dyn/content/article/2005/09/29/AR2005092901022.html
This message is provided by the Privacy and Information Security Task Force at Warner Norcross & Judd LLP to advise you of recent developments in the law affecting privacy and data security. Because each business situation is different, this information is intended for general information purposes only and is not intended to provide legal advice on any specific facts and circumstances.
Warner Norcross & Judd LLP (www.wnj.com) is a full service law firm with four offices in Michigan. Our Privacy and Information Security Task Force includes lawyers from across the Firm's practice areas who work together to help businesses ensure the security of their information systems and electronic data and to assist businesses who have experienced a data breach to limit their liabilities and prosecute hackers and data thieves. For information about the Privacy and Information Security Task Force at Warner Norcross & Judd LLP, e-mail Rodney Martin at firstname.lastname@example.org or write him at Warner Norcross & Judd LLP, 111 Lyon Street NW, Grand Rapids, MI 49503.
"Privacy and Information Security In The News" is a free publication of Warner Norcross & Judd LLP and its Privacy and Information Security Task Force. You can choose to receive it either daily (usually by 9 a.m. each weekday) or weekly (usually by 9 a.m. on Friday morning). If you would like to receive this publication, please respond to this e-mail and let us know the frequency at which you would like to receive it. If there are others in your organization who should receive "In the News," either include their names and e-mail addresses in your message or forward this message to them so they can respond.
Should you ever wish to stop receiving "In the News," simply click here to send us an e-mail message and we will remove your name from the subscription list. Rest assured that we will not sell your contact information or share it with anyone outside our firm.