November 14, 2005
A note about broken links: In the News links to current stories at various news sources on the Internet. Over time, some of the links may become broken when a source removes the stories from its pages. Often you can find the same story at another source by searching the title and author of the article. If you have questions about a link, send us an e-mail by clicking here.
Cutting Through the Hype of Identity Theft
Writing for The Associated Press, Brian Bergstein explores the hype surrounding identity theft and discusses the potential implications for making policy. Bergstein argues that identity theft is too broadly defined and too little understood. Much of what is trumpeted as identity theft results simply from the theft of a credit card, for which federal law caps a consumer's potential loss at $50. According to Bergstein, this is why two-thirds of identity theft victims experience no out-of-pocket costs. Bergstein says that instances in which a criminal uses someone's identity to open a new line of credit are much rarer.
Bergstein probes the commonly cited statistic that 10 million Americans are victims of identity theft each year. He says the statistic comes from a study done for the FTC in 2003, but that figure includes victims of simple credit card theft. When those victims are excluded, the number of identity theft victims falls to 3.2 million.
The larger number, says Bergstein, confuses people about the real risk of identity theft and may drive people away from Internet-based transactions "and into the arms of costly protection vendors." Hyping the risk of identity theft may also cause policy makers to focus on the wrong problem. Bergstein reports that many analysts believe the greater problem of identity fraud involves what is known as "synthetic" fraud. In a synthetic fraud scheme, a criminal creates a fictitious identity rather than stealing a real one. Bergstein says some people estimate that three-quarters of the money stolen in identity fraud schemes is the result of synthetic fraud. "Beware the Numbers Hype About ID Theft," http://www.usatoday.com/tech/news/techinnovations/2005-11-13-id-theft-numbers_x.htm
Sony Apologizes; DHS Official Scolds Sony; Microsoft to the Rescue
The Sony saga continues. Last Friday, Sony BMG announced that it would stop manufacturing CDs carrying digital rights management software that includes a rootkit to cloak its presence. Sony made the announcement after it came to light that hackers had begun distributing viruses that used Sony's rootkit to hide themselves (see "Sony Update: Hackers Exploit Sony's Rootkit," In the News, November 11, 2005) and after an official of the Department of Homeland Security criticized the rootkit as a threat to our Internet infrastructure. See "DHS Official Weighs In on Sony," http://blogs.washingtonpost.com/securityfix/2005/11/the_bush_admini.html.
On Saturday, Microsoft announced that it had determined that the Sony rootkit was a security risk to personal computers. Following the lead of other security software vendors, Microsoft announced it would update its anti-spyware software to automate the process of removing the rootkit.
"Microsoft will wipe Sony's 'rootkit,'" http://news.com.com/Microsoft+will+wipe+Sonys+rootkit/2100-1002_3-5949041.html.
November 15, 2005
New Surveys Show Impact of Data Breach on Consumers and Detail the Cost to Business of Handling a Data Breach
The Ponemon Institute has conducted two studies regarding data breaches. In the first, a survey of 9,000 people, the Institute found that 12 percent recalled receiving a notification of a data breach in the last year. The study found, not surprisingly, that those customers who received such a notice lost confidence in the company that was maintaining information about them. The study also found that the longer a company delayed in notifying a customer, the more likely it was that the customer would stop doing business with the company. Nineteen percent of the consumers who had received a notice of a data breach said they had terminated doing business with the company. An additional 40% indicated they considered doing so. Only 14% indicated that they were unconcerned about the company after they received a notice.
In the second study, Ponemon surveyed 14 companies that had experienced a data breach since February 2005. Among them, 1.4 million consumer records were exposed. The study found that the average cost of the breach was $140 per lost customer record. This included the direct costs of notifying customers and addressing the breach ($50 per record), the indirect costs of lost employee productivity ($15 per record), and an estimate of the opportunity costs from the loss of customers and difficulty in attracting new customers ($75 per record).
Summaries of the studies can be downloaded at http://www.pgp.com/library/ponemon_reg_direct.html (registration is required). Brian Krebs discusses the studies in his Security Fix Blog at The Washington Post. "Counting the Cost of Data Loss," http://blogs.washingtonpost.com/securityfix/2005/11/counting_the_co.html
Worldwide Survey Shows Americans Have Greatest Concern for Account Security; Would Move Accounts for Greater Security
In another survey, Unisys polled 8,000 people worldwide (including 1,000 in the United States) to determine consumer attitudes toward security. The survey found that 50% of Americans (45% of respondents worldwide) would consider moving their accounts to a financial institution that offered greater security. Nearly 40 percent of the American respondents indicated they would be willing to pay higher fees for greater security. Americans reported the highest incidence (17%) of being victims of identity theft. It is not surprising, then, that Americans are more concerned about fraud than people worldwide. Seventy-three percent of Americans said they were concerned about the fraudulent use of their credit cards and bank accounts, versus 66% of respondents worldwide.
Unisys has two press releases that discuss the results of the survey:
More Fallout From Sony – And More Disclosures to Come
The fallout continues from the disclosure that Sony BMG included a hacker's tool on its CDs as part of its digital rights management software:
Impact of Privacy Laws on Hotels and Meeting Planners
We tend to think of identity theft and data security as issues faced primarily by the financial services and health care industries. But the concern should reach to any company that gathers and stores sensitive information about consumers. An article in yesterday's BTNonline.com, the web site for Business Traveler News, discusses the need for hotels and meeting planners to implement stricter security policies to protect consumer information. "Gov. Eyes Data Privacy," http://www.btnmag.com/businesstravelnews/headlines/meetings_display.jsp?vnu_content_id=1001478205
November 16, 2005
Combining to Battle Spyware and Adware
America Online Inc., Yahoo Inc., Cnet Networks Inc., Verizon Communications Inc. and Computer Associates International Inc. have banded together to address the problem of spyware and adware. The five companies will create a "white list" of downloadable programs that meet three criteria: a company that offers a downloadable program must disclose the existence of spyware or adware, the program must provide an easy way to delete the spyware or adware, and the origin of the advertising must be disclosed. The five Internet companies will not distribute or advertise any program not on the white list. The initiative was developed in conjunction with the Federal Trade Commission. "Web Firms Take Stand Against Spyware," http://www.washingtonpost.com/wp-dyn/content/article/2005/11/15/AR2005111501451.html
Can It Get Any Worse for Sony?
Allegations of gaping security holes and widespread infection. And, now, a product recall.
Brian Krebs in his Security Fix Blog at The Washington Post is staying right on top of the Sony rootkit story. He made several entries in his blog on Tuesday detailing fast-moving developments. They include:
- A Princeton University professor discovered that the program Sony offered to remove the rootkit opens a hole in the user's security: once it has run, any web site the user later visits can install and run arbitrary code on the user's computer. "Researchers: Sony Patch Opens Huge Security Hole," http://blogs.washingtonpost.com/securityfix/2005/11/sony_uninstall_.html
- An Atlanta-based security company identified another flaw created by the Sony rootkit that would allow an attacker to take control of the user's computer. "Yet Another Sony Flaw Found," http://blogs.washingtonpost.com/securityfix/2005/11/yet_another_fla.html
- Another researcher estimates that the Sony rootkit is present on at least 538,000 networks in at least 165 countries. The estimate was possible because infected computers continually "phone home" to Sony with information about the user's music usage, and to do so they must first look up Sony's server by name through their local DNS servers, which cache the answer. By querying DNS servers for that cached entry, the researcher could count the networks on which at least one infected machine had phoned home. The bulk of the networks were in Japan, followed by the United States. "Researcher: Sony DRM on Half a Million Networks," http://blogs.washingtonpost.com/securityfix/2005/11/researcher_sony.html
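The counting technique in the last item is known as DNS cache snooping: a query sent with the "recursion desired" bit cleared asks a resolver to answer only from what it already has cached, so a positive answer means some client of that resolver looked the name up recently. The code below is an added example illustrating that technique; it is not the researcher's tooling and not from the articles. The hostname (drm-example.invalid) and resolver address (192.0.2.53) are placeholders, since the newsletter does not give the name the rootkit actually contacted, and the sample response bytes are constructed inline so the parsing can be exercised offline.

```python
"""DNS cache snooping probe (added example; hostname and resolver are placeholders)."""
import socket
import struct

DNS_TYPE_A = 1
DNS_CLASS_IN = 1
RCODE_NOERROR, RCODE_REFUSED = 0, 5


def build_query(name: str, txid: int = 0x1234, recursion_desired: bool = False) -> bytes:
    """Encode a single A query. RD=0 is the whole trick: the resolver may only
    answer from cache, not go out and resolve the name for us."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", DNS_TYPE_A, DNS_CLASS_IN)


def _skip_name(data: bytes, offset: int) -> int:
    """Advance past a (possibly compressed) domain name in wire format."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data: bytes, expected_id: int):
    """Return (rcode, [(ipv4, remaining_ttl), ...]) from a response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_id:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):
        offset = _skip_name(data, offset) + 4  # skip QTYPE/QCLASS
    answers = []
    for _ in range(an):
        offset = _skip_name(data, offset)
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == DNS_TYPE_A and rdlength == 4:
            answers.append((socket.inet_ntoa(rdata), ttl))
    return rcode, answers


def classify(rcode: int, answers) -> str:
    """With RD=0, records in the answer can only have come from the cache.
    The remaining TTL (lower than the zone's original TTL) hints how long
    ago some client behind this resolver looked the name up."""
    if rcode == RCODE_NOERROR and answers:
        return "cached"
    if rcode == RCODE_REFUSED:
        return "refused"
    return "not-cached"


def build_response(query: bytes, ip=None, ttl: int = 0) -> bytes:
    """Constructed sample response for offline testing (not captured traffic).
    With ip=None the response carries no answer, i.e. nothing cached."""
    txid, flags = struct.unpack("!HH", query[:4])
    an = 0 if ip is None else 1
    header = struct.pack("!HHHHHH", txid, 0x8080 | (flags & 0x0100), 1, an, 0, 0)  # QR=1, RA=1
    body = query[12:]  # echo the question section
    if ip is not None:
        # name as a pointer to offset 12, then TYPE A, CLASS IN, TTL, RDLENGTH, RDATA
        body += b"\xc0\x0c" + struct.pack("!HHIH", DNS_TYPE_A, DNS_CLASS_IN, ttl, 4)
        body += socket.inet_aton(ip)
    return header + body


def snoop(resolver: str, name: str, timeout: float = 2.0) -> str:
    """Send one non-recursive probe to a resolver and classify what came back."""
    txid = 0x1234
    query = build_query(name, txid, recursion_desired=False)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(512)
    return classify(*parse_response(data, txid))


if __name__ == "__main__":
    # Placeholder resolver and hostname; replace with a resolver you are
    # authorized to query before running this for real.
    print(snoop("192.0.2.53", "drm-example.invalid"))
```

Two caveats a practitioner should keep in mind before reading much into such a count: some resolvers ignore RD=0 and recurse anyway, so a "cached" result from them proves nothing, and a resolver that answers for a whole ISP or campus counts as one network no matter how many infected machines sit behind it, which is why the researcher's figure is a count of networks, not of computers.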
Sony yesterday announced that it would recall all discs that included the rootkit, which it estimates to number 5 million discs, including 49 titles by twenty artists. Affected CDs will be pulled from the shelves of retailers, just as we move into the holiday shopping season. Anyone who has purchased an affected CD will be entitled to exchange it. "CD's Recalled for Posing Risk to PC's," http://www.nytimes.com/2005/11/16/technology/16sony.html.
Phone Records of Canadian Privacy Commissioner Easily Obtained From U.S. Data Brokers
Macleans, a Canadian news magazine, decided to do a little investigative reporting about the easy availability of telephone records. So they set out to see what they could dig up on Canada's Federal Privacy Commissioner, Jennifer Stoddart. It wasn't hard. Soon they presented Stoddart with detailed lists of the calls made from her Montreal home, her vacation home, and her government-issued BlackBerry. Macleans was able to purchase the phone records from U.S. data brokers for $200 per order. Macleans was then able to use reverse directories to identify many of the people Stoddart had called. The article notes that it is not clear exactly how data brokers get their hands on telephone data – whether they tap into databases, buy it from insiders, or simply get it by posing as telephone customers. "You are exposed," http://www.macleans.ca/topstories/canada/article.jsp?content=20051121_115779_115779#
Talk About Personal Information! Teen Locates Sperm Donor Dad Using Internet
Oh, what you can find on the Internet. A resourceful 15-year-old whose mother was impregnated with the sperm of an anonymous donor wanted to see what he could learn about his father on the Internet. The youth submitted a DNA sample to a Houston company that maintains a DNA database on 45,000 people who also submitted samples. There were two close matches. Using a birth date and birthplace his mother obtained from the sperm bank, the youth used another online company to research the names of all men born on that date in that place. One on that list had the same name as one of the two from the DNA database. "Found on the Web, With DNA: a Boy's Father," http://www.washingtonpost.com/wp-dyn/content/article/2005/11/12/AR2005111200958_pf.html
Data Theft in India
Four employees of an Indian company that contracted to provide leads to U.S. mortgage lenders have been arrested for stealing leads and providing them to other U.S. mortgage lenders. The crime was discovered when the call center they worked for suddenly showed a decline in productivity. The foursome are alleged to have caused damages of $681,813. "4 held for stealing data worth Rs 3 cr," http://cities.expressindia.com/fullstory.php?newsid=156946; "4 held for stealing data of US firm," http://www.siliconindia.com/shownewsdata.asp?newsno=29927&newscat=Technology
Do As I Say, Not As I Do
One-third of IT professionals report that they do not use passwords or any other security protection on their PDAs and other mobile devices, according to a survey of 173 IT managers conducted for SC Magazine and a mobile encryption company. Yet three in ten reported that they keep PINs, passwords and other sensitive information on their handhelds, and 78 percent reported that they do not encrypt the data on them. "IT managers fail to protect mobile devices," http://www.scmagazine.com/uk/news/index.cfm?fuseaction=details&nNewsid=527520.
One might question the data. The sample size is small and the mobile encryption company that sponsored the study has no incentive to find that mobile devices are adequately secured. Nonetheless, many recognize that PDAs and laptop computers present a special problem for securing sensitive information. Last week, In the News linked to a story about the theft of a laptop from a major credit reporting agency. The unencrypted laptop had the records of 3,600 consumers on it. See "Consumer Records Stolen on Credit Reporting Agency's Missing Laptop," In The News, November 10, 2005. The SC Magazine study reported that 22 percent of the survey respondents indicated that they had lost a mobile device. A company that uses mobile devices must assess the risk they pose to the security of the company's confidential information and develop policies and procedures that address that risk.
November 17, 2005
Tentative Agreement on PATRIOT Act Extension
The New York Times reports that a conference committee of the Senate and House has nearly hammered out an extension of provisions of the USA PATRIOT Act that were scheduled to expire. Among them are the provision that allows the FBI to obtain documents without a warrant by issuing a National Security Letter and a provision that allows the FBI to obtain a court order requiring the production of business records it deems "relevant" to an investigation, without a showing of probable cause. This National Security Letter provision has been the subject of a case pending in Connecticut. See "Use of National Security Letters Up 100 Fold; Information Used in FBI Data-Mining," In the News, November 7, 2005.
According to the Congressional Quarterly, the conference agreement modifies the business records provision of the PATRIOT Act (Section 215) to require the FBI to provide "a 'statement of fact' that would show 'reasonable grounds to believe' the records sought are 'relevant' to an authorized investigation." This provision is closer to the Senate version of the bill, which is favored by civil liberties advocates.
The compromise bill also includes provisions that require the Inspector General of the Department of Justice to conduct audits of the issuance of business records requests and national security letters and would require the Justice Department to report to Congress yearly on the number of business records requests and national security letters it issues. Additionally, the compromise bill would permit someone who receives a business records request or a national security letter to hire an attorney and challenge the order under a new judicial review procedure.
The Congressional Quarterly reports that six senators (three from each major party) have threatened to block the conference agreement unless changes are made to adopt provisions closer to the Senate version.
For The New York Times article, see "Congress Nears Deal to Renew Antiterror Law," http://www.nytimes.com/2005/11/17/politics/17patriot.html?hp&ex=1132290000&en=23ba511fdda18232&ei=5094&partner=homepage.
For the Congressional Quarterly article see "Democratic, GOP Senators Disrupt Patriot Deal," http://www.cq.com/display.do?dockey=/cqonline/prod/data/docs/html/news/109/news109-000001970312.html (subscription required; trial subscription free)
Other Action on the Hill Today
The Senate Commerce, Science and Transportation Committee will mark up S. 687, a bill to prohibit spyware. The Senate Judiciary Committee is scheduled to mark up two breach notification bills (S. 0751 and S. 1789).
Hackers Write More Targeted Viruses
The BBC says that while only a couple of viruses have received extensive mainstream media coverage in 2005, that doesn't mean the Internet is a safer place to be. Instead, there has been a shift in motivation, leading to a shift in method of operation. Virus writers are now motivated more by money than by publicity. The goal is not to bring down others' computers but to control them. Doing so requires that virus writers avoid publicity and scrutiny. The BBC quotes Art Wong, head of the security response team at Symantec: "Instead of huge pandemic worms being launched, the intent is to launch worms that infect machines without people knowing about them."
Rather than write viruses that spread widely and quickly and attract notoriety, virus writers now continually tweak their code, producing more and more variants to evade antivirus programs. One security firm reported a record number of new virus variants (1,685) in October alone. Releasing many variants, each to a small number of targets, lets the attackers focus their attacks and better manage the information they harvest from infected computers. "Virus creators target their work," http://news.bbc.co.uk/1/hi/technology/4426078.stm
Hackers Using Smaller Botnets
In a related story, Cnet News.com reports that hackers are showing a preference for small botnets (networks of computers infected with a virus that allows the hacker to control them). Smaller botnets are harder to detect, but other factors contribute to this phenomenon as well. Increased competition among hackers for control of infected machines has made it harder to hold on to a network of zombie computers. In addition, home users, the prime targets of the "bot herders," as these hackers are known, are increasingly taking steps to secure their computers. "Bots slim down to get tough," http://news.com.com/Bots+slim+down+to+get+tough/2100-7355_3-5956143.html?tag=cd.top
High-End Hotels Offer Smart Room Technology to Return Guests
The New York Times yesterday ran a story about high-end hotels that use technology to make the stay of returning guests more pleasant. The technology collects data about a guest's preferences and then adjusts the room to meet the guest's likes and desires. For example, a hotel may automatically adjust the room temperature, greet the guest with his favorite music, or change the speed dial on the phone to the guest's frequently used telephone numbers. Guest preferences are collected electronically and by an observant staff. The Times reports that some fear that hotels will sell information they collect on their customers, but hotel executives say their only desire is to make the stay more pleasurable to encourage a return stay. "Technology Lets High-End Hotels Anticipate Guests' Whims," http://www.nytimes.com/2005/11/16/technology/16hotels.html.
23-Year-Old Sentenced in $2.75 Million Spam Operation
A 23-year-old spammer from the United Kingdom has been sentenced to spend six years in jail for blackmail and threatening murder, among other charges. The spammer ran a £1.6 million ($2.75 million) spam operation from his bedroom in his father's house. He sent spam to thousands of people offering to register them for a web site on a soon-to-be established Internet domain (.eu), without any authority to do so. When his victims complained that he failed to deliver, he threatened to launch a spam attack on their computer systems. "Spammer jailed for £1.6m net scam," http://news.bbc.co.uk/1/hi/england/cambridgeshire/4442772.stm
November 18, 2005
Judiciary Committee Adopts Comprehensive Data Security Bill
By a vote of 13 to 5, the Senate Judiciary Committee approved S. 1789, the most comprehensive of the data security bills actively being considered in Congress. The bill's sponsor, Senator Arlen Specter, shepherded the bill through committee, allaying concerns of committee members by saying that he would be open at a later date to consider amendments that would preempt state laws and would reduce the circumstances in which a company would have to notify consumers of a data breach. The bill requires a breach notification if the breach creates a "significant risk of harm." Senator Sessions proposed that notification be required only if there is a significant risk of "identity theft." "Postponing Battle, Panel OKs Data Bill," http://www.americanbanker.com/article.html?id=200511175FPWX2RC&from=washregu (subscription required)
Senate Adopts Bill to Encourage Electronic Medical Records
The Senate, by a voice vote, approved a bill (S. 1418) designed to promote the use of electronic medical records. The bill, known as the "Wired for Health Care Quality Act," would do so by offering grants to hospitals, group practices and other health care providers to facilitate the use of electronic medical records. The bill would set up the Office of the National Coordinator of Health Information Technology, which would be charged with coordinating and overseeing programs to develop a nationwide interoperable health information technology infrastructure. The bill would clarify that current privacy laws, including HIPAA, apply to "any health information stored or transmitted in an electronic format." "Senate Passes Health Information Technology Bill," http://www.cq.com/display.do?dockey=/cqonline/prod/data/docs/html/news/109/news109-000001973112.html@allnews&metapub=CQ-NEWS&binderName=cq-today-binder&seqNum=15 (subscription required; trial subscription available)
Patriot Act Amendments Stalled
Vowing a filibuster, a bipartisan group of six senators has continued to stymie a vote of the House-Senate conference committee on the terms of amendments to extend portions of the USA PATRIOT Act that will expire at year's end. The six want to tighten the standard for seizing business records and issuing national security letters, requiring that the government demonstrate some connection between the records wanted and terrorism. The six also want to shorten the period within which the government must notify the targets of so-called "sneak and peek" searches, from 30 days in the bill to 7 days. The six would also shorten the sunset periods on the business records and roving wiretap provisions of the Act and create a sunset provision for the national security letter authority. "Senators Oppose Extending Patriot Act," http://www.newsday.com/news/nationworld/nation/la-na-patriot18nov18,0,1438695.story?coll=ny-leadnationalnews-headlines; "Extension of Patriot Act Faces Threat of Filibuster," http://www.nytimes.com/2005/11/18/national/nationalspecial3/18patriot.html
Data Breach at Indiana University
Indiana University is reporting that 5,278 sensitive student records may have been accessed by computer hackers who succeeded in placing malicious software programs on the computer of an instructor at the IU School of Business. The school's director of information technology is quoted as saying, "You're not going to find folks who are not malicious hackers who have access to these programs. They are not something your average computer user would use. They are very cryptic and non user-friendly." "Hacker was threat to records – IU," http://www.indystar.com/apps/pbcs.dll/article?AID=/20051117/NEWS01/51117040/1006
Another Survey Documents Concern Over Identity Theft
Yet another survey. This one probes consumers' concerns about identity theft as we move into the holiday shopping season. IBM surveyed 1,000 American consumers and learned that 66% of the respondents are more concerned about credit card theft and identity theft than they were a year ago. What would alleviate that concern? Forty-nine percent said a fingerprint ID system would make them feel more secure, 40% said better encryption would do so, and 32% said iris-scan technology would ease their minds. IBM's Global Retail Leader, commenting on the results, said, "Consumers buy from retailers they trust and those retailers who are making security a priority will have a competitive advantage." Press Release: "Fear of Identity Theft and Credit Card Fraud Worry Consumers During the 2005 Holiday Season, According to IBM Survey," http://www-1.ibm.com/press/PressServletForm.wss?MenuChoice=pressreleases&TemplateName=ShowPressReleaseTemplate&SelectString=t1.docunid=7973&TableName=DataheadApplicationClass&SESSIONKEY=any&WindowTitle=Press+Release&STATUS=publish
Planning for Black Friday
This story is not about privacy or data security. But there is a lesson in it nonetheless. Yesterday's New York Times included a story about www.bf2005.com and similar sites that have somehow gotten their hands on advertisements that will come out promoting items on sale on Black Friday, the day after Thanksgiving. For those of you who get up early on Black Friday to fight the crowds, here's a way for you to get a jump on planning your route. No need to wait for Thanksgiving morning to read all the ads that fall out of the paper and into your lap. BF2005.com belongs to an 18-year-old college freshman who gets the fliers from company employees and others who leak the adverts to him. What's the lesson? Actually, I'm not sure. But I am constantly amazed by the creativity spawned by the Internet – and the willingness of some obviously intelligent people to suspend their ethics in exercising that creativity. "Shop-Till-You-Drop Specials, Revealed Here First," http://www.nytimes.com/2005/11/17/business/17shop.html
Note: In the News will not publish on Thursday, November 24, and Friday, November 25. Happy Thanksgiving.
This message is provided by the Privacy and Information Security Task Force at Warner Norcross & Judd LLP to advise you of recent developments in the law affecting privacy and data security. Because each business situation is different, this information is intended for general information purposes only and is not intended to provide legal advice on any specific facts and circumstances.
Warner Norcross & Judd LLP (www.wnj.com) is a full-service law firm with four offices in Michigan. Our Privacy and Information Security Task Force includes lawyers from across the Firm's practice areas who work together to help businesses ensure the security of their information systems and electronic data and to assist businesses who have experienced a data breach to limit their liabilities and prosecute hackers and data thieves. For information about the Privacy and Information Security Task Force at Warner Norcross & Judd LLP, e-mail Rodney Martin at firstname.lastname@example.org or write him at Warner Norcross & Judd LLP, 111 Lyon Street NW, Grand Rapids, MI 49503.
"Privacy and Information Security In the News" is a free publication of Warner Norcross & Judd LLP and its Privacy and Information Security Task Force. You can choose to receive it either daily (usually by 9 a.m. each weekday) or weekly (usually by 9 a.m. on Friday morning). If you would like to receive this publication, please respond to this e-mail and let us know the frequency at which you would like to receive it. If there are others in your organization who should receive "In the News," either include their names and e-mail addresses in your message or forward this message to them so they can respond.
Should you ever wish to stop receiving "In the News," simply click here to send us an e-mail message and we will remove your name from the subscription list. Rest assured that we will not sell your contact information or share it with anyone outside our firm.