April 17, 2006
A note about broken links: In the News links to current stories at various news sources on the Internet. Over time, some of the links may become broken when a source removes the stories from its pages. Often you can find the same story at another source by searching the title and author of the article. If you have questions about a link, send us an e-mail by clicking here.
State Records Sent Out for Archival Stolen
Officials from the State of Hawaii sent out letters last week warning members of the Hawaii Government Employees Association and United Public Workers that their names and social security numbers were stolen when the state sent the data to a third-party vendor to download to a compact disc for storage. Someone at the vendor apparently made and retained a copy of the records. Over 40,000 citizens of Hawaii were estimated to have been affected. “State warns of mass identity record theft,” http://starbulletin.com/2006/04/14/news/story01.html
Court Rules Against Plaintiffs Who Sued Bank for Emotional Stress Following Data Breach
A Minnesota court has thrown out a class action brought against Wells Fargo by two people who alleged that the bank failed to require the third-party vendor that printed the bank’s statements to encrypt data while in its possession. Customer data was on computers stolen from the offices of the third-party vendor in 2004. The court said there was no evidence that anyone has ever used the data from the computers to steal the identity of, or otherwise cause harm to, any Wells Fargo customer. The plaintiffs sued Wells Fargo, claiming that they had suffered emotional distress as a result of the theft and had expended time and money monitoring their credit reports. The court dismissed the plaintiffs’ claims on summary judgment, saying, "Plaintiffs have shown no present injury or reasonably certain future injury to support damages for any alleged increased risk of harm." The court explained its decision as follows: “Plaintiffs contend that the time and money they have spent monitoring their credit suffices to establish damages. However, a plaintiff can only recover for loss of time in terms of earning capacity or wages. Plaintiffs have failed to cite any Minnesota authority to the contrary. Moreover, they overlook the fact that their expenditure of time and money was not the result of any present injury, but rather the anticipation of future injury that has not materialized.” “Police blotter: Wells Fargo not required to encrypt data,” http://news.com.com/Police+blotter+Wells+Fargo+not+required+to+encrypt+data/2100-1030_3-6061400.html?tag=html.alert
Law Firms’ Documents Lost in Storm
When a storm rolled through Indianapolis last week it caused significant damage to the Indiana Square Building, home to several law firms. Windows were blown out and thousands of confidential documents escaped to blow about the city. Employees of at least two law firms combed the streets trying to recover the documents. Both law firms said the lost documents were not likely to include personal information, since each firm specializes in corporate law. Nonetheless, said the managing partner of one firm, "there's an attorney-client privilege, and clients would not want their confidential information blowing through downtown." Both firms alerted their clients about the missing documents. “When wind hit, privacy flew out the window,” http://www.indystar.com/apps/pbcs.dll/article?AID=/20060414/BUSINESS/604140425/-1/ZONES04
April 19, 2006
Real ID Revolt
Declan McCullagh writes at CnetNews.com about a rebellion brewing among the states over the requirements of the federal Real ID Act. The Real ID Act requires each state to adopt electronically readable ID cards that comply with federal standards. If they don’t, their citizens will need a passport to do things like boarding a plane, opening a bank account, or applying for Social Security. New Hampshire appears to be leading the rebellion. Last week the New Hampshire House of Representatives passed, by a vote of 217 to 84, a bill that would prohibit the state from participating in the Real ID system. (The Senate has yet to consider the bill.) McCullagh applauds the effort but bemoans the fact that the states would most likely not rebel if the federal government footed the bill for the new ID cards. Writes McCullagh:
There are no rules governing what data that private companies (hotels, retailers, employers) will be able to extract from the Real ID when it's swiped or placed next to an RFID reader. Will information like a home address and Social Security number be disclosed? Will a federal database be alerted whenever the card is swiped or read? And can an RFID'ed license be read from 20 or 30 feet away?
Unanswered questions like those are why it's important that state legislators stand up to bullying by Washington.
For McCullagh’s column see “Perspective: The Real ID rebellion,” http://news.com.com/The+Real+ID+rebellion/2010-1028_3-6061578.html. For additional background on the Real ID Act, see “States Struggle to Prepare for Real ID,” In the News, Week of January 16, 2006.
Firms Increase Vulnerability by Failing to Apply Patches Promptly
The BBC reports that the Internet security firm McAfee has issued a report indicating that businesses in Europe expose themselves to increased risk by failing to apply software patches promptly. According to McAfee’s report, 19% of the companies take more than a week to apply a patch once it is released. Another 27% take two days to do so. The article quotes earlier research that indicated that “85% of the damage done by automated attacks occurs during the first 15 days after vulnerabilities become known.” “Firms slow to fix security flaws,” http://news.bbc.co.uk/1/hi/technology/4907588.stm.
McAfee Says Rootkits Growing in Complexity
McAfee has issued a report that says that the number of rootkit components submitted to in the first quarter of 2006 grew by 900% over the same period last year. A rootkit, according to McAfee, is malware “that actively conceals its existence and actions from users and other system processes.” McAfee predicts that in the next two to three years, the growth rate in rootkits for the current version of Windows will be at least 650%.
“Rootkits Part 1 of 3: The Growing Threat,” http://download.nai.com/products/mcafee-avert/WhitePapers/AKapoor_Rootkits1.pdf
April 20, 2006
Removing Sensitive Information from Public Documents
Last week, we linked to a story about the availability of sensitive personal information on governmental sites that post documents such as birth certificates and recorded deeds. “Online Records of Florida County a Treasure Trove for Identity Thieves,” In the News, April 11, 2006. In that story, Broward County, Florida, maintained that it is not currently authorized under state law to redact sensitive personal information from public documents without a written request from an affected person. A new Florida statute will grant that authority at the end of the year. The legislature in Tennessee has also acted to address the issue. Faced with a strong lobbying effort by local officials, the legislature unanimously passed legislation to grant county registers the authority to begin removing sensitive information from public documents. “Government Web Site Will Remove Social Security Numbers,” http://www.wreg.com/Global/story.asp?S=4790936.
Do RFID Chips in New U.S. Passports Threaten Privacy?
According to a blog at InfoWorld, the Department of Homeland Security’s specifications for the RFID tags that are to be included in United States passports issued beginning in October 2006 call for the tags to be readable “under circumstances that include the device being carried in a pocket, purse, wallet, in traveler's clothes, or elsewhere on the person of the traveler” and to permit “all tokens carried by travelers seated in a single automobile, truck, or bus [to be read] at a distance up to 25 ft while moving at speeds up to 55 mph.” The author of the blog asks “what's to prevent these tags from being read and personal information stolen by hidden sensors in the hands of criminals or terrorists?”
A response discounts that risk, saying that the RFID tags used in the passports will only carry a unique identification number that must be matched up with a government database. To obtain personal information, says the respondent, a data thief would have not only to intercept information from the tag, but also to hack into the government’s database to retrieve the information. The respondent says the greater risk is that someone would intercept the unique identification number and make counterfeit IDs using the stolen information. “RFID travel cards' privacy threat,” http://weblog.infoworld.com/techwatch/archives/005993.html. For more information, see “New RFID travel cards could pose privacy threat,” http://news.com.com/New+RFID+travel+cards+could+pose+privacy+threat/2100-1028_3-6062574.html?tag=html.alert.
April 21, 2006
Director of National Intelligence Appoints Civil Rights Protection Officer
The U.S. Office of the Director of National Intelligence has appointed a civil rights protection officer. The appointment comes after a controversy arose over the National Security Agency’s domestic surveillance program, in which the NSA monitors communications of persons in the United States with persons outside the country thought to be involved in terrorist organizations. The administration has defended the program, saying it is an essential tool in the fight against terrorism. The appointment follows similar appointments at the Department of Justice and the Department of Homeland Security. “New U.S. Post Aims to Guard Public's Privacy,” http://online.wsj.com/public/article/SB114549771456130732-fNMKc3AWRNO7Kt58oXWNzzR_pms_20060519.html?mod=tff_main_tff_top
County Mandates Security of Wireless Networks
A county in New York has passed a law that requires local businesses to implement special security precautions if they use a wireless network to communicate a customer’s credit card number or other financial information. The failure to secure a wireless network was one factor in the case brought against BJ’s Wholesale Club by the FTC last year and contributed to the theft of consumer information that resulted in about $13 million in unauthorized credit card transactions. See “BJ'S Wholesale Club Settles FTC Charges,” http://www.ftc.gov/opa/2005/06/bjswholesale.htm. Under the New York county’s new ordinance, a business that offers Internet access – such as the local Starbucks – must post signs that read, “For your own protection and privacy, you are advised to install a firewall or other computer security measure when accessing the Internet.” Businesses have six months to comply with the new law. “N.Y. County Enacts Law to Limit ID Theft,” http://hosted.ap.org/dynamic/stories/W/WIRELESS_SECURITY?SITE=CATOR&SECTION=HOME&TEMPLATE=DEFAULT
Network Administrator Charged with Hacking University Database
A 25-year-old network administrator has been charged by federal prosecutors with hacking into the computer systems at the University of Southern California. The incident happened in June 2005. The hacker gained access to a password-protected database with information – including social security numbers – about more than 275,000 applicants, going back to 1997. The Assistant United States Attorney said that "Universities are becoming bigger and bigger targets to the hacker community because they are large institutions...and hackers always want to see if they can beat the technical people on the other side." “Man charged with hacking USC database,” http://news.com.com/2100-7350_3-6063470.html?part=rss&tag=6063470&subj=news
This message is provided by the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP to advise you of recent developments in the law affecting privacy and data security. Because each business situation is different, this information is intended for general information purposes only and is not intended to provide legal advice on any specific facts and circumstances.
Warner Norcross & Judd LLP (www.wnj.com) is a full service law firm with four offices in Michigan. Our Privacy and Information Security Taskforce includes lawyers from across the firm’s practice areas who work together to help businesses ensure the security of their information systems and electronic data and to assist businesses who have experienced a data breach to limit their liabilities and prosecute hackers and data thieves. For information about the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP, e-mail Rodney Martin at email@example.com or write him at Warner Norcross & Judd LLP, Suite 900, 111 Lyon Street NW, Grand Rapids, MI 49503.