Privacy and Information Security In the News -- Week of April 10, 2006

4/10/2006 Rodney D. Martin

A note about broken links: In the News links to current stories at various news sources on the Internet. Over time, some of the links may become broken when a source removes the stories from its pages. Often you can find the same story at another source by searching the title and author of the article. If you have questions about a link, send us an e-mail by clicking here.

Designing a New Financial Privacy Notice

The federal regulators who enforce the financial privacy requirements under the Gramm-Leach-Bliley Act last week issued a 384-page report on their findings from the first phase of a review of the effectiveness of financial privacy notices. “Evolution of a Prototype Financial Privacy Notice,” http://www.ftc.gov/privacy/privacyinitiatives/ftcfinalreport060228.pdf. The report concluded, based on a 12-month study which included focus groups and in-depth interviews, that it is possible to provide the required information in a short document that consumers can readily understand. The agencies found that sample notices that arranged the information in a tabular format improved the ability of consumers to read, understand, and use the notices, and to compare the privacy practices of different financial institutions.

The regulators are now moving to the second phase of the project, which will expand the number of consumers who are shown the prototype notice to measure its effectiveness. No changes will be made to the notices required under the Gramm-Leach-Bliley act until the second phase of the project is completed. Press Release: “Report Issued on Improving Financial Privacy Notices for Consumers,” http://www.federalreserve.gov/boarddocs/press/bcreg/2006/20060331/default.htm

Canadian Treasury Board Issues Recommendations to Protect Data from Disclosure under the USA PATRIOT Act

Last fall, In the News linked to an article about a ruling by the Canadian Office of the Privacy Commissioner, in which the Commissioner ruled that the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”) “cannot prevent U.S. authorities from lawfully accessing the personal information of Canadians held by organizations in Canada or in the United States, nor can it force Canadian companies to stop outsourcing to foreign-based service providers. What the Act does demand is that organizations be transparent about their personal information handling practices and protect customer personal information in the hands of foreign-based third-party service providers to the extent possible by contractual means.” See, “Canadian Privacy Commissioner Okays Cross-Border Sharing,” In the News, October 21, 2005.

The Canadian government has issued a new report on privacy concerns about cross-border sharing of personal information. The Secretariat of the Treasury Board of Canada reports that “most federal institutions have indicated ‘zero to low risk’ of Canadians’ personal information or other sensitive information – such as commercial confidential and security-related information – being accessed under the USA PATRIOT Act.” “Report on Assessment of Privacy Concerns Related to USA PATRIOT Act,” http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_128/usapa/introduction_e.asp. The Secretariat also issued a “Federal Strategy” regarding cross-border data sharing and recommendations for Canadian institutions to follow to protect data when they are considering outsourcing data processing to the United States, in order to assure maximum protection under Canada’s privacy laws. “Privacy Matters: The Federal Strategy to Address Concerns About the USA PATRIOT Act and Transborder Data Flows,” http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_128/pm-prp/pm-prp_e.asp; “Guidance Document: Taking Privacy into Account Before Making Contracting Decisions,” http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_128/gd-do/gd-do01_e.asp. The Secretariat also has published a set of answers to frequently asked questions for Canadians regarding the USA PATRIOT Act.


April 11, 2006


Americans Report $183 Million in Internet Fraud Losses Last Year

According to the Internet Crime Complaint Center, Americans said they lost $183 million in Internet fraud schemes in 2005, an increase of 169 percent over the previous year. The largest average losses occurred in so-called Nigerian 419 fraud schemes, in which the fraudster sends an unsolicited e-mail message posing as a public official who is seeking the recipient’s help in transferring millions of dollars out of a purportedly corrupt country. The recipient is asked to facilitate the scheme by paying certain transaction costs in return for a share of the millions. Of course, those who fall for the scheme never see a penny in return. But the Center reports that those who were duped in 2005 lost on average $5,000. “Nigerian 419 scam stole the most money off Internet,” http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2006/04/09/BUG4CI5U4F1.DTL&type=business

Online Records of Florida County a Treasure Trove for Identity Thieves

According to Computerworld, the social security numbers, bank account numbers and other sensitive information of perhaps millions of current and former residents of Broward County, Florida are available online, where the county posted documents without redacting them. The documents include property records and family court documents filed with the county going back to 1978. The county says that it is in compliance with current laws but will redact information if requested to do so in writing by an affected person. A new law that goes into effect on January 1, 2007 will require the Florida counties to redact sensitive information before putting it online. “Florida county posts residents' sensitive data on public Web site,” http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,110389p2,00.html.


April 12, 2006


Guarding Against Lost Laptops

Dean Takahashi of the San Jose Mercury News writes about what companies are doing to protect themselves from what seems to be a surge in reported laptop thefts. Takahashi cites an FBI statistic that says that 97% of stolen laptops are never recovered. He explores the policies, and the physical and technological safeguards, that companies have begun to put in place to protect their data. “Don't let your data fall into the wrong lap,” http://www.mercurynews.com/mld/mercurynews/business/technology/14307346.htm.

One interesting service mentioned by Takahashi is offered by a company called Everdream. Everdream says that its service will automatically encrypt or delete data on a stolen laptop if the thief connects the laptop to the Internet. The service also gathers information about the location of the stolen laptop that can be passed along to law enforcement. “Service remotely encrypts or deletes data,” http://news.zdnet.com/2100-1009_22-6060142.html.

Latest 419 Scam

Yesterday, we linked to an article that reported that so-called “419” scams were the most profitable email scam in 2005, netting on average $5,000 per victim. SC Magazine reports on the latest 419 scam email. This one claims to need the recipient’s help in getting $41 million out of a bank account of a family killed in the crash of the Concorde in Paris in 2000. To give a touch of reality to the scam, the email links to actual news accounts of the family’s deaths. “Phishers use Concorde crash in scam,” http://www.scmagazine.com/asia/news/index.cfm?fuseaction=XCA.News.Article&nNewsid=553253

Oh, If It Were Only That Easy

"This is filing season. There are thousands of documents being sent out and mistakes happen." That’s how the Canadian Revenue Agency (Canada’s IRS) explained the fact that it had sent a taxpayer’s tax information she requested to the wrong address. If only the government were so understanding when mistakes happen in private industry. “'Mistakes happen,' tax agency explains,” http://torontosun.com/News/TorontoAndGTA/2006/04/11/1529498-sun.html. (Thanks to David T.S. Fraser of the Canadian Privacy Law Blog for pointing us to this article.)

“Data Breach. Clean Up on Aisle Three”

Kroger Co. has announced that it will begin selling identity theft services at its grocery stores in Houston and Dallas. The service, called PrivacyWatch, offers daily monitoring, identity fraud support and identity theft insurance. “Kroger to market privacy protection,” http://www.bizjournals.com/cincinnati/stories/2006/04/10/daily14.html.


April 13, 2006


The Prospects Dim for Federal Breach Legislation this Year

The Financial Times is running a story that discusses the prospects for federal legislation that addresses privacy breaches. Currently, twenty-three states have breach notification laws, creating a patchwork of requirements with which a company must comply if it operates nationwide. Business is lobbying Congress to establish a single national standard. But, the Financial Times notes, many already feel that time is running out for any federal legislation this year, because of the upcoming elections. “If it’s not done in the next few weeks, it’s dead,” according to a member of the Cyber Security Industry Alliance. Professor Peter Swire, who was the chief privacy officer in the Clinton Administration, agrees. Noting that the four bills that have already been adopted by Congressional committees each contain different controversial provisions, Swire says “[t]here may not be enough time in an election year to work out a four-way compromise.” “Federal data security law reaches turning point in Congress,” http://news.ft.com/cms/s/49315c58-ca6b-11da-852f-0000779e2340.html.

Schneier Pans Two-Factor Authentication Once Again

Security expert Bruce Schneier argues that two-factor authentication, which U.S. banks are required to implement this year for debit card and online transactions, does not adequately address the security risk in online transactions. Schneier maintains that two-factor authentication is ineffective against so-called “man-in-the-middle attacks” and Trojan programs that allow a hacker to follow a consumer in real time into the bank’s real website. Says Schneier, "The real threat is fraud due to impersonation, and the tactics of impersonation will change in response to the defences. Two-factor authentication will force criminals to modify their tactics, that's all." “Banks 'wasting millions' on two-factor authentication,” http://www.channelregister.co.uk/2005/03/15/2-factor_auth_is_pants/ For background on the requirement for U.S. Banks to adopt two-factor authentication, see “Bank Agencies Say Single Factor Authentication Not Enough,” In the News, October 14, 2005.

Retailer Announces Security Breach Affecting Credit Card Applicants

Multi-channel retailer Ross-Simons has disclosed that a security breach may have exposed personal financial information of persons who have applied for a Ross-Simons private-label credit card. The company has not released details of how the breach occurred or how many people may have been affected. In a notice posted on the Internet, the company says that it has “corrected the problem that allowed the unauthorized access to occur,” and engaged a third-party security firm to audit the company’s security policies and procedures. “Ross-Simons says security breach exposes customers,” http://www.computerworld.com/industrytopics/smallenterprise/story/0,10801,110425,00.html.

Researchers Hack RFID Tags

Researchers in Australia have demonstrated that, with an inexpensive radio transmitter, a hacker can launch a denial-of-service attack on “Generation One” RFID tags causing a tag to enter an error state and allowing the hacker to alter information on the tag. According to an article in Computerworld, Generation One RFID tags are used extensively by the United States military. The article notes that Generation Two tags have greater security but, according to researchers, are still vulnerable to attack. “Australian researchers confirm RFID DOS attacks,” http://www.computerworld.com/securitytopics/security/holes/story/0,10801,110424,00.html.

Terrorist Groups Advise Members on Internet Security

This morning’s Washington Post has an interesting article about heightened concerns for Internet privacy . . . by terrorist groups. The article recounts some of the information that appears on jihadist websites advising users how to protect their anonymity and avoid detection. "Beware of Google!!!," warns one website. Another advises users that "[i]t is preferable to use long and difficult passwords, and that it should be changed every now and then." “Terrorists' Web Chatter Shows Concern About Internet Privacy,” http://www.washingtonpost.com/wp-dyn/content/article/2006/04/12/AR2006041201968.html.


April 14, 2006


Stolen Disk Drives in Afghanistan Highlight Concern for All Businesses

The Associated Press reports that the U.S. military has begun an investigation into reports in the Los Angeles Times earlier this week that stolen flash drives containing sensitive and, in some cases, classified information are available for purchase from shopkeepers in Afghanistan. A shopkeeper explained that the disks are stolen by Afghans who work on the U.S. base at Baghram. “I get them all the time,” said one shopkeeper, according to the AP. “U.S. probes sale of data in Afghanistan,” http://www.chicagotribune.com/news/nationworld/chi-0604130137apr13,1,3428514.story?coll=chi-newsnationworld-hed.

MSNBC blogger Bob Sullivan says the military’s problem in Afghanistan is just a symptom of a larger problem facing companies seeking to maintain the security of their information systems. Writes Sullivan:

To computer experts, the problem is called endpoint security. Endpoints can be almost anything -- USB drives, iPods, laptop computers, cell phones, even digital cameras with SD cards. They are all ticking time bombs, and they are all keeping information technology folks from sleeping at night. Billions of dollars have been spent making sure brilliant hackers can't attack computers from across the globe. But firewalls generally don't stop anyone from attaching a finger-size drive to a computer and stealing gigabytes worth of secrets from a company or government agency.

Thumb drives are so small and quick, says Sullivan, that people use them as a way to transfer files around the office or to take them home, in what is termed a “sneakernet.”

Sullivan writes that while there are ways to secure data at an endpoint, the real difficulties are getting companies to recognize the risk and employees to follow security guidelines. He quotes Larry Poneman, of the Poneman Institute, who says, “This has caught everyone by surprise . . . We were focusing on centralized data, we bought firewalls, intrusion detection systems, but we were forgetting about sneakernets. ... and at end of day that has become next wave of security nightmares.”

Sullivan’s blog discusses various technical methods of protecting data at the endpoint, but says a key to maintaining the security of data is the delete key. As the cost of data storage has declined, says Sullivan, many businesses have concluded that the cost of storing old data is cheaper than taking the time to get rid of it. Sullivan recommends three low-tech steps to increase endpoint security: “Thumb drive encryption should be standard policy. Gadgets can be left at the door. And the delete key needs to find new prominence. Data should never live any longer than it's needed.” “Military thumb drives expose larger problem,” http://redtape.msnbc.com/2006/04/military_thumb_.html.

IRS Phishing Messages Surge at Tax Time

The IRS has identified websites in over twenty different countries hosting two dozen IRS-related phishing scams. “With the IRS,” says Peter Cassidy, the director of research for the Anti-Phishing Working Group, “phishers are guaranteed a very large cohort of people who care about their message.” Speaking with eCommerce Times, Cassidy explained, “Someone may or may not have a relationship with an online retailer or bank that’s spoofed, but everyone has a relationship with the IRS.” An IRS spokesman says that virtually any unsolicited message purporting to come from the IRS can be assumed to be fraudulent. “We don’t do unsolicited e-mail,” he says. “Tax Time Opens Phishing Season,” http://www.ecommercetimes.com/rsstory/49920.html.



Current and past issues of In the News are now available online at this link.


This message is provided by the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP to advise you of recent developments in the law affecting privacy and data security. Because each business situation is different, this information is intended for general information purposes only and is not intended to provide legal advice on any specific facts and circumstances.

Warner Norcross & Judd LLP (www.wnj.com) is a full service law firm with four offices in Michigan. Our Privacy and Information Security Taskforce includes lawyers from across the firm’s practice areas who work together to help businesses ensure the security of their information systems and electronic data and to assist businesses who have experienced a data breach to limit their liabilities and prosecute hackers and data thieves. For information about the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP, e-mail Rodney Martin at rmartin@wnj.com or write him at Warner Norcross & Judd LLP, Suite 900, 111 Lyon Street NW, Grand Rapids, MI 49503.


"Privacy and Information Security In the News" is a free publication of Warner Norcross & Judd LLP and its Privacy and Information Security Taskforce. You can choose to receive it either daily (usually by 9 a.m. each weekday) or weekly (usually by 9 a.m. on Friday morning). If you would like to receive this publication, please respond to this e-mail and let us know the frequency at which you would like to receive it. If there are others in your organization who should receive "In the News," either include their names and e-mail addresses in your message or forward this message to them so they can respond.

Should you ever wish to stop receiving "In the News," simply click here to send us an email message and we will remove your name from the subscription list. Rest assured that we will not sell your contact information or share it with anyone outside our firm.
