March 27, 2006
Publication Note: We will be taking a short spring break from publishing In the News. We will resume publishing the weekly edition on Friday, April 14, 2006.
A note about broken links: In the News links to current stories at various news sources on the Internet. Over time, some of the links may become broken when a source removes the stories from its pages. Often you can find the same story at another source by searching the title and author of the article. If you have questions about a link, send us an e-mail by clicking here.
New Trojan Steals Bank Customer Passcodes
The Register reports the discovery of a new Trojan that can be used to steal the passcodes generated by the security tokens of customers of two major German banks. Many European banks have begun giving their customers tokens that generate a one-time passcode as a second factor of authentication. (Banks in the United States will be implementing two-factor authentication later this year.) The report of the new Trojan shows that criminals are already working around the new security measures. According to The Register, when a customer enters the code from his or her token into an infected machine, the computer displays an error message instead of completing the login. The code is still valid for a short time, and during that window the criminal hacker behind the Trojan intercepts it and enters it himself to gain access to the customer’s account. “Trojan intercepts bank tokens,” http://www.theregister.co.uk/2006/03/24/trojan_captures_token/
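The following Python sketch is an added illustration, not code from The Register story, from the banks involved, or from this newsletter. It shows why a token code that is both time-limited and single-use still falls to a Trojan that relays the code in real time, and it goes one step beyond the story by showing the usual countermeasure: having the token sign the transaction details (payee and amount) so a relayed code only works for the transfer the customer actually saw. The HOTP construction follows RFC 4226 and uses that RFC's published test seed; the 30-second step, the `extra` transaction-binding parameter, the `BankServer` verifier and the payee strings are assumptions of this example.

```python
"""Added illustration: real-time relay of a one-time token code, and
transaction binding as a countermeasure. Toy code; the HMAC-SHA1 HOTP
construction follows RFC 4226, everything else is an assumption here."""
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test seed, used so the HOTP output can be checked
# against the published vectors. A real token's seed is provisioned in secret.
SECRET = b"12345678901234567890"
STEP = 30      # seconds per time step (TOTP-style); assumption of this example
DIGITS = 6


def hotp(secret: bytes, counter: int, extra: bytes = b"") -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter).
    `extra` is this example's assumption: bytes appended to the MAC input so
    a code can be bound to the transaction it authorises (empty = plain HOTP)."""
    mac = hmac.new(secret, struct.pack(">Q", counter) + extra, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def token_code(secret: bytes, now: float, extra: bytes = b"") -> str:
    """What the customer's hardware token displays at time `now`."""
    return hotp(secret, int(now // STEP), extra)


class BankServer:
    """Hypothetical verifier: tolerates one step of clock skew and never
    accepts the same (step, transaction) code twice, i.e. true single-use."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used = set()   # (step, extra) pairs already consumed

    def verify(self, code: str, now: float, extra: bytes = b"") -> bool:
        step = int(now // STEP)
        for candidate in (step - 1, step, step + 1):
            if hmac.compare_digest(hotp(self.secret, candidate, extra), code):
                if (candidate, extra) in self.used:
                    return False      # replay of a spent code
                self.used.add((candidate, extra))
                return True
        return False


def relay_attack(t0: float) -> dict:
    """The scenario in the story: the Trojan swallows the victim's code, shows
    a fake error, and the attacker types the same code in seconds later."""
    server = BankServer(SECRET)
    victim_code = token_code(SECRET, t0)                  # typed into the infected PC
    attacker_login = server.verify(victim_code, t0 + 5)   # attacker gets in first
    victim_retry = server.verify(victim_code, t0 + 10)    # victim's retry now fails
    return {"attacker_login": attacker_login, "victim_retry": victim_retry}


def transaction_bound(t0: float) -> dict:
    """Countermeasure beyond the story: the token signs payee and amount, so
    a relayed code is useless for any transfer the customer did not see."""
    server = BankServer(SECRET)
    legit = b"payee=CUSTOMER-PAYEE-0001;amount=100.00"   # constructed values
    mule = b"payee=MULE-ACCOUNT-9999;amount=100.00"      # constructed values
    victim_code = token_code(SECRET, t0, legit)
    attacker_transfer = server.verify(victim_code, t0 + 5, mule)   # rejected
    legit_transfer = server.verify(victim_code, t0 + 5, legit)     # accepted
    return {"attacker_transfer": attacker_transfer, "legit_transfer": legit_transfer}


if __name__ == "__main__":
    print(relay_attack(1143417600.0))        # 2006-03-27 00:00 UTC, arbitrary
    print(transaction_bound(1143417600.0))
```

The point of the first scenario is that single-use and short validity only protect against an attacker who comes second; a Trojan on the customer's machine makes the attacker come first. The second scenario shows that once the code depends on the transaction, the Trojan can relay it but cannot redirect the money, which is why banks have moved toward transaction-signing tokens and out-of-band confirmation of payee and amount.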
Clinic’s Medical Records Found Curbside in Trash
At least six boxes filled with medical records were found sitting with other trash on a curb in Memphis, Tennessee. The records belonged to a women’s health clinic that went bankrupt in December 2005. The records contain a history of all the procedures that the clinic’s doctor performed on patients, who are identified by name and address. It was not clear whether the records were placed in the trash by the doctor who operated the clinic or by the doctor’s landlord. “Medical records found with other trash on Memphis Street,” http://www.wmcstations.com/Global/story.asp?S=4674683
California Sends Tax Information and SSNs to Wrong Addresses
The State of California’s Employment Development Division has acknowledged that it sent out about 64,000 1099 tax forms containing Social Security numbers and income information to the wrong addresses. The state blamed a “software glitch.” “State lets out private data,” http://www.mercurynews.com/mld/mercurynews/business/14176227.htm
State of Florida’s Payroll Records Compromised
Florida has notified state employees that their personal information may have been compromised when the state’s payroll and human resources work was improperly subcontracted to a company in India. An estimated 108,000 current and former employees who worked for the state during the 18-month period between Jan. 1, 2003 and June 30, 2004 may have been affected. The state had outsourced the payroll and HR systems to an outsourcing service provider which, the state says, subcontracted the work, in breach of its $350 million contract, to a Denver firm that in turn subcontracted the work to a firm in India. “Offshoring cited in Florida data leak,” http://www.networkworld.com/news/2006/032406-offshore-outsourcing-florida-data-leak.html
March 29, 2006
Seven Arrested for Trafficking in Consumer Information Online
The New York Times reports this morning that the Secret Service has arrested seven people in five states and the District of Columbia who were selling stolen consumer information in online forums. The agency says that, in the last three months, 21 people in the U.S. and Britain have been arrested in an undercover investigation known as Operation Rolling Stone. The Times reports that some of the people arrested are allegedly connected to the recent theft of debit card numbers and PINs. “U.S. Arrests 7 on Charges of Credit Data Trading,” http://www.nytimes.com/2006/03/29/technology/29theft.html.
The Weakest Link in Security? Your Employees
The Department of Trade and Industry in the United Kingdom will issue its biennial Information Security Breaches Survey next month. The survey looked at security breaches in corporate IT systems at 1,000 UK companies. According to a story at VNUnet.com, the survey found that 41 percent of the worst incidents involved staff accessing "inappropriate websites," including child pornography sites. VNUnet.com quotes a software executive who says, “Despite an increased awareness of the issue, employees are still the weakest link in the security chain." Techworld reports that the survey found that 63 percent of the surveyed companies had an acceptable usage policy in 2005, up from 43 percent the year before. Among large businesses in the survey, 89 percent had an acceptable usage policy. “Employees the 'weakest link' in IT security,” http://www.vnunet.com/vnunet/news/2152878/employees-weakest-link-security; “Porn surfing blamed for security woes,” http://www.techworld.com/security/news/index.cfm?NewsID=5661&inkc=0
The Politics of Data Security
The privacy battle is heating up in Congress as legislative committees consider several variations of federal data breach legislation. The financial services industry is hoping that federal legislation will establish a single national standard governing when a company must notify its customers of a data breach. Currently, companies that do business nationwide must comply with over 20 state breach notification laws, all of which differ slightly. Declan McCullagh of CNet News.com interviewed Ed Mierzwinski of U.S. PIRG, a consumer lobby, about the proposed legislation. U.S. PIRG opposes federal legislation that would preempt state breach notification statutes. In the interview, Mierzwinski argues that the bill passed by the House Committee on Financial Services on March 16 would weaken the protections currently afforded consumers by state legislation. Says Mierzwinski, “I don't want a bill. We don't need a bill. I think we have constructive compliance on a national basis with the California law. Trying to pass a federal bill that's weaker results in no responsibilities.” “Newsmaker: The politics of data security,” http://news.com.com/The+politics+of+data+security/2008-7348_3-6053898.html
March 30, 2006
House Committee Approves Data Security Bill Opposed by Banks
The Energy and Commerce Committee of the United States House of Representatives yesterday unanimously passed a bill that would give the Federal Trade Commission wide-ranging authority to regulate companies that sell personal information about consumers. The bill would require data brokers to adopt data security policies and to notify consumers in the event of a breach. The Federal Trade Commission would be authorized to audit companies that experience a breach. Consumers would have an annual right to see the data being kept about them and to require that incorrect information be corrected. According to the ranking member of the Committee, John Dingell, the bill sends a clear message: “If you can't protect it, don't collect it.” “House panel approves data protection bill,” http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,110042,00.html.
According to the American Banker, the bill is opposed by the financial services industry, which objects to giving the Federal Trade Commission the authority to enforce the statute against banks. Banks argue that they are already regulated by the federal bank regulators and do not need another layer of enforcement. “Commerce Data Bill Advances,” http://www.americanbanker.com/article.html?id=20060329SDVGQDLY&from=washregu (subscription required).
IRS Criticized for Lax Data Security
The Government Accountability Office has issued a report indicating that the computer systems the Internal Revenue Service uses to collect taxes, process returns and enforce the tax laws do not adequately protect against the unauthorized disclosure, modification or loss of personal information. The report noted some improvements but indicated that until the IRS makes further progress its data security controls will remain inadequate. The GAO summarized its conclusions as follows: “Although IRS has made progress, controls over its key financial and tax processing systems located at two sites were ineffective. In addition to the 40 previously reported weaknesses for which IRS has not completed actions, GAO identified new information security control weaknesses that threaten the confidentiality, integrity, and availability of IRS’s financial information systems and the information they process.” “GAO knocks the IRS for gaps in computer system security,” http://www.govexec.com/story_page.cfm?articleid=33712&dcn=todaysnews. To see the whole report, go to http://www.gao.gov/new.items/d06328.pdf.
Police Agencies Convene to Discuss Laptop Thefts
The San Jose Mercury News reports that the theft of laptops has become such a problem in Silicon Valley that a dozen law enforcement agencies, among them the FBI and Secret Service, met last week to talk about the problem. Palo Alto police said that since January 2005, 65 laptops have been stolen in their jurisdiction alone. A spokesperson for the department said that typically the thief erases the data and sells the laptop. He said the Palo Alto police have not had any reports of personal information from a stolen laptop being misused. But one has to wonder how long it will be before laptop thieves realize that the information on the computer may be worth far more to identity thieves than the hardware itself. “Laptop thefts growing,” http://www.mercurynews.com/mld/mercurynews/business/technology/personal_technology/14203718.htm?source=rss&channel=mercurynews_technology
Current and past issues of In the News are now available online at this link.
This message is provided by the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP to advise you of recent developments in the law affecting privacy and data security. Because each business situation is different, this information is intended for general information purposes only and is not intended to provide legal advice on any specific facts and circumstances.
Warner Norcross & Judd LLP (www.wnj.com) is a full service law firm with four offices in Michigan. Our Privacy and Information Security Taskforce includes lawyers from across the firm’s practice areas who work together to help businesses ensure the security of their information systems and electronic data and to assist businesses who have experienced a data breach to limit their liabilities and prosecute hackers and data thieves. For information about the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP, e-mail Rodney Martin at email@example.com or write him at Warner Norcross & Judd LLP, Suite 900, 111 Lyon Street NW, Grand Rapids, MI 49503.
"Privacy and Information Security In the News" is a free publication of Warner Norcross & Judd LLP and its Privacy and Information Security Taskforce. You can choose to receive it either daily (usually by 9 a.m. each weekday) or weekly (usually by 9 a.m. on Friday morning). If you would like to receive this publication, please respond to this e-mail and let us know the frequency at which you would like to receive it. If there are others in your organization who should receive "In the News," either include their names and e-mail addresses in your message or forward this message to them so they can respond.
Should you ever wish to stop receiving "In the News," simply click here to send us an email message and we will remove your name from the subscription list. Rest assured that we will not sell your contact information or share it with anyone outside our firm.