Privacy and Information Security In the News -- Week of April 24, 2006

April 2006
Rodney D. Martin


April 24, 2006



A note about broken links: In the News links to current stories at various news sources on the Internet. Over time, some of the links may become broken when a source removes the stories from its pages. Often you can find the same story at another source by searching the title and author of the article. If you have questions about a link, send us an e-mail by .



Banks Quietly Reissuing Debit Cards in Data Heist


For months now, news about a major data breach involving debit cards has been trickling out. Arrests have been made (see “Debit Card Ring Busted in New Jersey,” In the News, March 14, 2006) and rumors have spread about a national retailer who suffered the breach, but to date we still have few details about the event. News outlets this weekend ran stories reporting that banks are replacing the affected debit cards but offering little information about the breach.


According to the Orlando Sentinel, banks around the country are replacing customers’ debit cards because of what the paper calls “the biggest cyber-heist of customer debit-card numbers to date.” The paper cites estimates that over 350,000 cardholders have been affected and over $10,000,000 in losses have occurred to date. The Sentinel says that banks are sending new debit cards with a letter saying that the cardholder may have been exposed to debit-card fraud because of a “third-party” security breach. “Banks scramble after cyber-breach,” http://www.orlandosentinel.com/orl-cardbreach2106apr21,0,7722674.story


An ABC News report quotes a representative of Consumers Union, who says, “The letters seem to be pretty vague. They’re not being told where the breach occurred. The notices tell them that something happened, but it won’t tell them where or how. . . If you’re a consumer, it would help to know which retailer made your information available, because you wouldn’t want to shop there again.” “Cyber Heist Could Cost Consumers,” http://abcnews.go.com/Business/story?id=1872428&page=1&business=true

http://www.technologynewsdaily.com/node/2536

Nonetheless, the banks that issued the stolen debit card numbers can avoid providing a more detailed breach notification since the breach occurred at a third party. For more information on how banks avoid having to make more detailed disclosures see “Breach Notification Laws Allow Companies to Avoid Disclosure of Debit Card Thefts,” In the News, March 21, 2006.


The financial services industry would argue that widespread notice is not necessary in this instance. Federal law limits the liability of debit card holders for the wrongful use of their debit cards and some banks have reportedly held their customers harmless from any losses in this data breach. Because there is little likelihood that the customer will suffer a loss, notice, it is argued, would cause needless concern among consumers.


Security expert Bruce Schneier would not agree with that assessment. Writing at Wired Magazine, Schneier looks at efforts to pass a federal breach notification law. He argues that required breach notification is important because:


One, it is good security practice to notify potential identity theft victims that their personal information has been lost or stolen. Two, statistics on actual data thefts are valuable for research purposes. And three, the potential cost of the notification and the associated bad publicity naturally leads companies to spend more money on protecting personal information -- or to refrain from collecting it in the first place.


Schneier argues that the bills that are being considered by Congress too narrowly define “personal information” and “breach of security” to offer adequate protection to customers. Moreover, he says, the federal legislation “would make things worse, not better,” because it would preempt existing state laws Schneier believes are more protective of consumers. “The Anti-ID-Theft Bill That Isn't,” http://www.wirednews.com/news/columns/0,70690-0.html?tw=wn_story_page_prev2



RFID Industry Battles State Laws


Cnet News.Com is reporting that the RFID industry has been engaged in a legislative battle in at least twelve states attempting to fend off laws that would prohibit or regulate the use of radio frequency identification (“RFID”) tags. “Tech industry attacks state anti-RFID laws,” http://news.com.com/Tech+industry+attacks+state+anti-RFID+laws/2100-1028_3-6062985.html The battles tend to be focused on the use of RFID tags in personal identification documents. Last week, In the News linked to a story about legislation passed by the lower house of the New Hampshire legislature that would prohibit the state from participating in the federal Real ID program. “Real ID Revolt,” In the News, April 19, 2006.


To address misconceptions about RFID technology and privacy, the Massachusetts Institute of Technology has established a new website called “RFID and Privacy.” http://rfidprivacy.mit.edu/access. The website offers a “What, Why, Who, How, and Where roadmap” to provide information to visitors of the site “about RFID technology, how it works, who is using it and why it is an important and beneficial technology.” The site includes a page that tracks proposed state and federal legislation affecting RFID technology. http://rfidprivacy.mit.edu/access/happening_legislation.html.




April 26, 2006





Biz School at University of Texas Suffers Second Data Breach in Three Years

Someone gained access to the sensitive personal information of 197,000 current students, faculty, alumni, prospective students and corporate recruiters at the University of Texas McCombs School of Business. Computer administrators at the school first detected the breach last Wednesday, when they noticed increased activity on the site and requests to download data that “bogged down the system.” An initial investigation indicated that the data had first been accessed on April 1. The data accessed included names, birthdates, zip codes and Social Security numbers. This is the second time in three years that the business school’s system has been found to have been hacked. “UT investigates major computer breach,” http://www.chron.com/disp/story.mpl/tech/news/3813790.html



Security Breaches Down in UK but Cost of Breaches Grows


According to a biennial study conducted by PricewaterhouseCoopers for the United Kingdom’s Department of Trade and Industry, the number of security breaches at UK companies declined in 2005, but the cost of security breaches increased by 50 percent. The survey, which included 1,000 companies, concluded that security incidents in 2005 cost businesses in the United Kingdom $17.9 billion. “UK enterprises suffer costly breaches,” http://www.computerworld.com/securitytopics/security/story/0,10801,110863,00.html



Canadian Data Processors See Privacy as Their Competitive Edge


Terry McQuay, blogging at blog*on*nimity, writes that Canadian data processing companies are using privacy to their advantage when competing against firms that house data in the United States. McQuay writes, “Canadian service providers are finding themselves with a competitive advantage simply because they keep their customers’ data in Canada. Conversely, US-based service providers are finding themselves at a disadvantage, often scrambling to move their data processing to Canada.” “Privacy is Changing Outsourcing in Canada,” http://www.anonequity.org/weblog/archives/000280.php The source of the advantage is recent decisions of the Canadian Office of the Privacy Commissioner that conclude that Canadian privacy laws cannot prevent U.S. authorities from lawfully accessing the personal information of Canadians held by organizations in the United States. (See “Canadian Treasury Board Issues Recommendations to Protect Data from Disclosure under the USA PATRIOT Act,” In the News, April 10, 2006.)

McQuay says that Canadian companies who are looking for a data processor now consider the location of data a key factor in their decision. According to McQuay, “[m]any, if not most, government organizations are demanding personal information remain in Canada. Banks, insurance companies and healthcare providers are pressuring their current suppliers to keep personal information in Canada, and selecting new suppliers that keep their data in Canada.”

McQuay has a vested interest in privacy. His blog states that he is president of a “privacy research firm that provides privacy training, risk mitigation subscription solutions and research services for corporations and not-for-profit organizations.”

Spyware Companies Trying to Reform

Hiawatha Bray writes in the Boston Globe about the efforts of spyware companies to go legit. Spyware – stealthy programs that track a person’s Internet usage, share it with advertising companies and cause those vile pop-up ads – is the focus of proposed federal legislation. Already California, Arizona, and Utah have enacted anti-spyware statutes. Bray says that spyware companies are trying to reform their practices to avoid federal legislation and to attract a higher class of advertiser. “Spy vs. Spy,” http://www.boston.com/business/technology/articles/2006/04/24/spy_vs_spy/




April 27, 2006




Grading Universities on Privacy


Eric Sinrod, writing for Cnet News.com, reports that a review of the online privacy policies of 236 colleges and universities shows that educational institutions need to pay heightened attention to privacy issues. The study showed that every website reviewed had at least one data collection page that was not a secure page. In addition, virtually 100 percent of the institutions had at least one data collection page whose form used the HTTP “GET” method. The GET method poses a security risk because it places the submitted values in the URL itself, where, in some circumstances, they can be recorded in browser history, server logs and the Referer headers of later requests. “Universities need a privacy refresher course,” http://news.com.com/Universities+need+a+privacy+refresher+course/2010-1029_3-6065085.html?tag=html.alert
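A practitioner’s version of the check the study applied, as an added example that is not code from the article or the study: it parses a page’s forms and reports the two findings the review counted, fields submitted without TLS and fields submitted with GET. The sample page and its hostnames are constructed placeholders.

```python
# Added example (not from the article or the study): flag the two issues the
# CNET review counted, forms that submit without TLS and forms that use GET.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormAuditor(HTMLParser):
    """Collect each <form>'s method, resolved action URL and user-entered field names."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._cur = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {
                "method": (a.get("method") or "get").lower(),  # HTML default is GET
                "action": urljoin(self.page_url, a.get("action") or ""),  # "" = same page
                "fields": [],
            }
            self.forms.append(self._cur)
        elif tag in ("input", "textarea", "select") and self._cur is not None:
            # controls the user does not type into are not data collection
            if (a.get("type") or "text").lower() not in ("submit", "button", "hidden", "image", "reset"):
                self._cur["fields"].append(a.get("name") or "?")

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def audit_forms(page_url, html):
    """Return one finding per problem; forms with no user-entered fields are skipped."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for f in parser.forms:
        if not f["fields"]:
            continue
        names = ", ".join(f["fields"])
        if urlparse(f["action"]).scheme != "https":
            findings.append(f"no TLS: {names} -> {f['action']}")
        if f["method"] == "get":
            # GET places the values in the URL query string, so they end up in
            # browser history, proxy and web server logs and the Referer header
            findings.append(f"GET method: {names} -> {f['action']}")
    return findings


# Constructed sample page: a site search form, an inquiry form relying on the
# defaults (GET, same-origin http action) and a properly posted HTTPS form
SAMPLE_HTML = """
<form action="/search"><input name="q"><input type="submit"></form>
<form action="inquiry.cgi"><input name="name"><input name="ssn"></form>
<form method="post" action="https://apply.example.edu/submit">
  <input name="email"><input type="hidden" name="token"></form>
"""
```

Running `audit_forms("http://admissions.example.edu/info.html", SAMPLE_HTML)` reports both problems for the search and inquiry forms and nothing for the posted HTTPS form.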



¿Cómo Se Dice “Phishing” en español?


A report from RSA Security’s Anti-Fraud Command Centre says that nearly 40 percent of all phishing targets are now outside the English-speaking world. Phishing has primarily focused on targets in English-speaking countries, like the United States, the United Kingdom, Australia and Canada. But RSA says that over the last six months Spain, Germany, and Italy have increasingly become targets, along with the Netherlands, France, and Scandinavian countries. “Crooks are looking for the next tier down with targeted attacks in specific languages.” An RSA spokesperson explained, “Fraudsters are essentially crooked entrepreneurs; they are constantly looking for the greatest return for the smallest investment, and financial institutions in relatively untapped markets with users unfamiliar with phishing attacks are an attractive target. Banks and customers who have been fortunate enough to avoid attracting the attention of the fraudsters so far now need to be on their guard and take preventative, proactive measures wherever possible.” “Phishing goes international,” http://www.theregister.co.uk/2006/04/26/international_phishing_survey/



UK Study Points to Security Challenges


A study conducted for the United Kingdom’s Department of Trade and Industry highlights two challenges for the privacy efforts of businesses. The study found that over half of the companies surveyed do nothing to secure peripheral devices, such as smart phones, iPods, and USB memory sticks, which are an increasingly popular way for employees to store and transfer data. The study found that only 10% of companies interviewed encrypt confidential data stored on such devices. “Warnings over USB memory sticks,” http://news.bbc.co.uk/1/hi/technology/4946512.stm. In the News recently linked to articles that discussed the security risk posed by flash memory sticks. “Stolen Disk Drives in Afghanistan Highlight Concern for All Businesses,” In the News, April 14, 2006.


The UK study also found that the more IDs and passwords an employee had to remember, “the more likely the business is to have had unauthorized access” to its data. The study found that on average, users must remember three different user IDs and passwords. “Password overload hurts security, survey finds,” http://news.com.com/Password+overload+hurts+security%2C+survey+finds/2100-7355_3-6064668.html?tag=html.alert




April 28, 2006




Did You Change Your Password This Month? Spafford Asks, “Why Bother?”


Eugene Spafford, Director of the Purdue University Center for Education and Research in Information Assurance and Security (CERIAS), has written a piece debunking the notion that policies that require users to change their passwords periodically improve security. Spafford calls such policies “infosec folk wisdom.” Spafford analyzes the various ways that a password may be compromised – through disclosure, inference, exposure, loss, guessing, cracking, and snooping – and concludes that a requirement to change passwords periodically is effective against only guessing and weak hacking attempts. Spafford concludes that “forcing periodic password changes given today’s resources is unlikely to significantly reduce the overall threat — unless the password is immediately changed after each use. This is precisely the nature of one-time passwords or tokens, and these are clearly the better method to use for authentication, although they do introduce additional cost and, in some cases, increase the chance of certain forms of lost ‘password.’”


In his article, Spafford makes an excellent point for anyone with responsibility for maintaining information security. He writes:


Policies should always be based on a sound understanding of risks, vulnerabilities, and defenses. “Best practice” is intended as a default policy for those who don’t have the necessary data or training to do a reasonable risk assessment.


“Security Myths and Passwords,” http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/



Schneier Dismisses Claims that National ID Card Will Reduce Identity Theft


Security consultant Bruce Schneier argues that the United Kingdom’s move to a single national identification card will only worsen the problem of identity theft. Schneier told ZDNet UK that, "ID theft is fraud due to impersonation. If you have a centralised ID card, you are making that ID that much more valuable to criminals." Schneier says the threat of identity theft in a system with a single national identification card is “severe” since it will increase the value of stolen IDs to the identity thief. Schneier also dismisses claims from the British government that the new national ID card will help in the fight against terrorism, saying, "ID can be hijacked, and cards can be faked. All of the 9/11 terrorists had fake IDs, yet they still got on the planes. If the British national ID card can't be faked, it will be the first on the planet." “Schneier: ID cards will worsen ID theft,” http://news.zdnet.co.uk/internet/security/0,39020375,39265743,00.htm



Another Laptop Stolen from Parked Car


The health insurer Aetna reports the theft of a laptop containing sensitive personal information, including Social Security numbers, on 38,000 employees of two companies that are Aetna’s customers. The computer was stolen from an Aetna employee’s car parked in a public parking lot. Aetna will not disclose the city in which the computer was stolen nor the names of the two companies whose employees were affected. “Aetna says laptop with member data stolen,” http://news.com.com/Aetna+says+laptop+with+member+data+stolen/2100-1029_3-6066078.html?tag=cd.top



Security Breach at the University of Alaska


The University of Alaska at Fairbanks has reported that someone breached its security and gained access to computer databases with sensitive information about current and former staff, faculty and students, including nearly 39,000 names, e-mail addresses and Social Security numbers. The security breaches apparently began in February 2005, but were not discovered until March 30 of this year. “UAF computer in Bethel hacked; personal info was compromised,” http://www.adn.com/news/alaska/university/story/7659788p-7571409c.html




Current and past issues of In the News are now available online at this link.




This message is provided by the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP to advise you of recent developments in the law affecting privacy and data security. Because each business situation is different, this information is intended for general information purposes only and is not intended to provide legal advice on any specific facts and circumstances.


Warner Norcross & Judd LLP (www.wnj.com) is a full service law firm with four offices in Michigan. Our Privacy and Information Security Taskforce includes lawyers from across the firm’s practice areas who work together to help businesses ensure the security of their information systems and electronic data and to assist businesses who have experienced a data breach to limit their liabilities and prosecute hackers and data thieves. For information about the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP, e-mail Rodney Martin at or write him at Warner Norcross & Judd LLP, Suite 900, 111 Lyon Street NW, Grand Rapids, MI 49503.




"Privacy and Information Security In the News" is a free publication of Warner Norcross & Judd LLP and its Privacy and Information Security Taskforce. You can choose to receive it either daily (usually by 9 a.m. each weekday) or weekly (usually by 9 a.m. on Friday morning). If you would like to receive this publication, please respond to this e-mail and let us know the frequency at which you would like to receive it. If there are others in your organization who should receive "In the News," either include their names and e-mail addresses in your message or forward this message to them so they can respond.


Should you ever wish to stop receiving "In the News," simply send us an e-mail message and we will remove your name from the subscription list. Rest assured that we will not sell your contact information or share it with anyone outside our firm.