March 20, 2006
A note about broken links: In the News links to current stories at various news sources on the Internet. Over time, some of the links may become broken when a source removes the stories from its pages. Often you can find the same story at another source by searching the title and author of the article. If you have questions about a link, send us an e-mail by clicking here.
Judge Protects Search Queries in Google Subpoena Case
As expected, a federal judge on Friday ordered Google to provide the government with 50,000 web addresses in the government’s case to defend the constitutionality of the Child Online Protection Act. But in a surprise, the judge refused to require Google to disclose a sampling of keywords customers used to search the Internet. The original subpoena from the government asked for a random sample of 1 million web addresses in Google’s database and all of the search inquiries entered during a one-week period. During a hearing last week, the government reduced its request to 50,000 web addresses and 5,000 web search terms.
Nonetheless, the judge said, many Google users believe that their searches are private and the resulting loss of trust in the Google would be a burden on the company:
The expectation of privacy by some Google users may not be reasonable, but may nonetheless have an appreciable impact on the way in which Google is perceived, and consequently the frequency with which users use Google. Such an expectation does not rise to the level of an absolute privilege, but does indicate that there is a potential burden as to Google's loss of goodwill if Google is forced to disclose search queries to the Government.
“Google must give index data to government,” http://www.pcadvisor.co.uk/news/index.cfm?newsid=5854
Ohio Supreme Court Says HIPAA Does Not Prevent Records Disclosure
The Ohio Supreme Court has held that a state open-records law took precedence over the privacy provisions of the Health Insurance Portability and Accountability Act (“HIPAA”). In the case, the Cincinnati Health Department refused to give the Cincinnati Enquirer access to lead-paint citations covering a 10-year period, saying the records were protected by HIPAA since they included the addresses of homes with lead paint hazards. The opinion of the court noted that the citations did not include any health information. Nor did it include names, ages or other personal information. It merely included the addresses. The court went on to state that even if the personal information had been included, HIPAA would not shield it from disclosure. “The Ohio Public Records Law,” wrote the court, “requires disclosure of these reports and HIPAA does not supersede state disclosure requirements.” “Ohio records law trumps federal health-data secrecy,” http://www.columbusdispatch.com/news-story.php?story=dispatch/2006/03/18/20060318-A1-04.html
Software Program May Be Source of Stolen Debit Card Information
Visa has warned that two software programs used by many merchants to process debit card transactions may store sensitive customer information. The warning comes after reports of a massive theft of debit card information that, according to New Jersey prosecutors, has been linked in part to OfficeMax. OfficeMax, which denies any data breach, uses one of the software programs, which is published by Fujitsu Transaction Solutions. Fujitsu has also issued a statement denying that its software, marketed as RAFT and Globalstore, would save customer data. “Visa warns software may store customer data,” http://news.com.com/Visa+warns+software+may+store+customer+data/2100-1029_3-6051261.html
Credit Reporting Agencies Seek to Thaw State Freeze Laws
A dozen states have enacted credit freeze laws that permit a consumer to lock his or her credit report and prevent a consumer reporting agency from selling it without the consumer’s permission. The New York Times ran a story on Saturday detailing the efforts of the credit reporting industry to pass a law overriding those state laws. “Opening the Door on the Credit Report and Throwing Away the Lock,” http://www.nytimes.com/2006/03/18/business/yourmoney/18money.html?_r=1&oref=slogin
March 21, 2006
Breach Notification Laws Allow Companies to Avoid Disclosure of Debit Card Thefts
David T.S. Fraser at The Canadian Privacy Law Blog pointed us in the direction of an article in Security Focus regarding what is apparently the widespread theft of debit-card information. Writing in Security Focus, Robert Lemos reports that three major incidents are the likely source of widespread debit card fraud. These include a breach related to Sam’s Club that occurred sometime last fall, a breach connected to OfficeMax, and a recent data breach involving an ATM network. While In the News has linked to stories on various aspect of these data breaches, information about these incidents has been sketchy. Lemos says this is because loopholes in state breach notification laws have allowed companies to avoid full disclosure. He writes that in the debit card breaches the companies have taken advantage of three different provisions of current breach notification laws:
A company suffering a data breach can delay notification during a criminal investigation by law enforcement. If the stolen data includes identifiable information--such as debit card account numbers and PINs--but not the names of consumers, then a loophole in the law allows the company who failed to protect the data to also forego notification. Finally, if the database holding the personal information was encrypted but the encryption key was also stolen, then the company responsible for the data can again withhold its warning.
By taking advantage of these exceptions in the notice requirements companies have been able to avoid full disclosure of the extent of the breaches, which Lemos estimates to involve millions of debit cards.
“Debit-card fraud underscores legal loopholes,” http://www.securityfocus.com/news/11381
March 23, 2006
IRS Rule Change Would Permit Tax Preparers to Sell Taxpayers’ Tax Return Information
Your tax preparer would be able to sell information from your tax returns to telemarketers and data brokers if rules proposed by the Internal Revenue Service are adopted. The rules change, which was proposed on December 8, 2005, would allow a tax preparer to sell its customers’ information, but only with the consent of the customer. Notwithstanding the requirement to obtain the customer’s consent, the proposal has drawn criticism this week. A spokesperson from the Consumer Federation argues that the consent requirement is of little worth because, "[t]he normal interaction is that the taxpayer just signs what the tax preparer puts in front of them. They think, 'This person is a tax professional, and I'm going to rely on them.' "
An IRS spokesperson defended the rule change, saying “The heart of this proposed regulation is about the right of taxpayers to control their tax return information. The idea is to emphasize taxpayer consent and set clear boundaries on how tax return preparers can use or disclose tax return information."
“Rule change could allow sale of your tax return,”
Another Stolen Laptop
A laptop computer belonging to Fidelity Investments and storing sensitive personal information about 196,000 current and former employees of Hewlett Packard was stolen last week. The information included employees’ names, addresses, Social Security numbers, dates of birth, and other job-related information. The computer was being used by Fidelity employees at an off-site location. Fidelity said that no passwords required to access HP employees’ accounts were among the stolen information. “Laptop with HP employee data stolen,” http://news.com.com/Laptop+with+HP+employee+data+stolen/2100-7348_3-6052964.html?tag=cd.top
Former Employee Used Blood Donors’ Social Security Numbers to Access Accounts
The American Red Cross sent letters late last week to 8,000 other regular blood donors in Missouri and Illinois informing them that a former employee had used Social Security numbers from the blood bank records to accounts of at least four blood donors. The employee was a “tele-recruiter” who was employed to call previous blood donors to ask them to give again. The Red Cross says that it is working to update its software to increase security. One step would be to ensure that sensitive information – such as Social Security numbers – is not made available to employees who have no need to use it.
“Red Cross records breached,” http://www.semissourian.com/story/1144843.html
Brian Krebs of the Washington Post has an interesting article about a group, called “Shadowserver,” that monitors the activities of botnets. Botnets are networks of computers that have been infected with a virus which enables a “bot herder” to control them. Krebs cites a Ph.D. student at Georgia Tech, who estimates that 13 million PCs worldwide are controlled in botnets. Shadowserver’s network of volunteer cybersleuths scans the Internet to locate botnets and identify who controls them. Writes Krebs:
Most bots spread by instructing new victims to download the attacker's control program from a specific set of Web sites. By stripping out those links, Shadowserver members can begin to build a map of the attacker's network, information which is then shared with several other botnet hunting groups, security volunteer groups, federal law enforcement, and any affected ISPs or Web site hosts.
“Bringing Botnets Out of the Shadows,” http://www.washingtonpost.com/wp-dyn/content/article/2006/03/21/AR2006032100279_pf.html
March 24, 2006
More Details on Debit Card Data Theft
We continue to get more information about the source of the debit card breach that has apparently involved hundreds of thousands of customers’ accounts and resulted in counterfeit debit cards being used at ATMs in Canada, Russia and other foreign countries. The most frequent source of information in the media seems to be Avivah Litan, a research at Gartner, a technology research and advisory company. Bob Sullivan, technology reporter at MSNBC, writes about an interview with Ms. Litan in which she reveals more of how she thinks the breach occurred.
Litan has said that the breach appears to have been enabled by software that merchants use to process debit card transactions. The maker of the software denies that its software stores the pin data, but has acknowledged that it has written a trace utility program that its customers use for diagnostic purposes. Sullivan writes that:
Because of the presence of the trace utility program, the data was inadvertently saved, Litan said. Researchers now believe the data was stolen by a hacker who connected to OfficeMax computers over an open wireless connection, probably by someone using a laptop computer in a nearby parking lot, Litan said.
That alone would not have been enough to place customers at risk for fraudulent ATM withdrawals, because PIN codes are normally encrypted immediately as they are entered by consumers into store PIN pads. But special encryption keys for the data were stored on the same computer file that also stored the encrypted PIN data, Litan said — giving the criminals everything they needed to decode PINs, print fake ATM cards and withdraw money from anywhere in the world.
In her interview with MSNBC’s Sullivan, Ms. Litan said that credit card issuers are concerned that hackers have finally found the weak point in the PIN-based magnetic card system. Litan noted that the PIN-based magnetic card systems were designed to be used at bank-controlled ATM machines, but now are increasingly used by merchants, in part because PIN transactions incur lower fees. Writes Sullivan, “But that's opened the system to millions of additional points of attack. Retailers are generally less security-conscious than banks, [Litan] said. There are concerns, for example, that misused trace utility programs may be common.” “ATM Theft Investigators Eye Software Flaw,” http://msnbc.msn.com/id/11963088/
New York Sues Web Site Operator for Selling Customer Information
New York’s State Attorney General has sued a Web site operator, Gratis Internet Inc., claiming it violated its confidentiality agreements with consumers by selling personal information about them to e-mail marketers. The operator’s websites offered free iPods, CDs, DVDs and video games. The websites’ confidentiality agreements said the operator would not sell personal information obtained on the site. The Attorney General alleges, however, that the operator in fact sold 7 million consumers’ e-mail addresses and other personal information to e-mail marketers. “N.Y. Attorney General sues Gratis, alleges privacy breach,” http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,109822,00.html
Four Charged in $1.2 Million E-mail Scam
Sometimes the bad guys do get caught. A grand jury in Brooklyn has charged four men with wire fraud, mail fraud, and conspiracy in what is known as the “Nigerian” or “419” scam. (The scam takes its name from section 419 of the Nigerian criminal code, which prohibits it.) In the scam, the perpetrators typically send an email or letter promising great sums of money if the recipient will assist in the transfer of an even larger sum of money to an account in the United States. The recipient is asked to front the money to pay the fees for the transaction. The scammers then pocket the front money and disappear into the Internet. According to the indictment, the four scammers didn’t do too badly for themselves. They are alleged to have scammed people out of $1.2 million. “Four men charged in Nigeria e-mail scam,” http://news.com.com/Four+men+charged+in+Nigeria+e-mail+scam/2100-7348_3-6053370.html?tag=cd.lede
Current and past issues of In the News are now available online at this link.
This message is provided by the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP to advise you of recent developments in the law affecting privacy and data security. Because each business situation is different, this information is intended for general information purposes only and is not intended to provide legal advice on any specific facts and circumstances.
Warner Norcross & Judd LLP (www.wnj.com) is a full service law firm with four offices in Michigan. Our Privacy and Information Security Taskforce includes lawyers from across the firm’s practice areas who work together to help businesses ensure the security of their information systems and electronic data and to assist businesses who have experienced a data breach to limit their liabilities and prosecute hackers and data thieves. For information about the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP, e-mail Rodney Martin at email@example.com or write him at Warner Norcross & Judd LLP, Suite 900, 111 Lyon Street NW, Grand Rapids, MI 49503.
"Privacy and Information Security In the News" is a free publication of Warner Norcross & Judd LLP and its Privacy and Information Security Taskforce. You can choose to receive it either daily (usually by 9 a.m. each weekday) or weekly (usually by 9.a.m. on Friday morning). If you would like to receive this publication, please respond to this e-mail and let us know the frequency at which you would like to receive it. If there are others in your organization who should receive "In the News," either include their names and e-mail addresses in your message or forward this message to them so they can respond.
Should you ever wish to stop receiving "In the News," simply click here to send us an email message and we will remove your name from the subscription list. Rest assured that we will not sell your contact information or share it with anyone outside our firm.