November 21, 2005
Note: Privacy and Information In the News will not be published on November 24 and 25.
Final Regulations on Using or Sharing Medical Information by Lenders
Federal bank, thrift and credit union regulators have issued final rules governing the use and sharing of medical information by lenders under the Fair Credit Reporting Act. The rules, which replace interim rules published in June, become effective on April 1, 2006. The rules prohibit a person from obtaining or using medical information about a consumer in determining a consumer’s eligibility, or continued eligibility, for credit. The rules also prohibit sharing medical information with an affiliate except in limited circumstances. The final rules do not differ in substance from the interim rules. Joint Press Release: “Agencies Finalize FACT Act Rules on Medical Information,” http://www.federalreserve.gov/boarddocs/press/bcreg/2005/20051117/default.htm
Sensitive Data Lost on Stolen Laptop and Lost Thumb Drive
Two new instances have been reported of companies losing sensitive data when mobile media have been lost or stolen. Boeing Corporation announced that a stolen laptop computer held sensitive information on 161,000 current and past employees. The information included employees’ names, addresses, social security numbers and, in some cases, bank account numbers. The computer was password protected but the data was not encrypted. “Stolen Boeing laptop held ID data on 161,000 people,” http://seattlepi.nwsource.com/business/249011_idrisk19.html.
According to MSNBC.com, a hospital in Hawaii last month reported that sensitive records, including names, social security numbers and, in some cases, medical records of 120,000 current and former patients were stored on a thumb drive that had gone missing. The article reports that lost or stolen laptops, PDAs, Blackberries, thumb drives and other so-called “endpoints” are the number one source of data loss, according to a recent study by the FBI. MSNBC cites a survey that found that, on average, a company with 1,000 employees loses one laptop a week, of which only 18% are ever recovered. “Your life secrets, left in a taxi,” http://msnbc.msn.com/id/10098303/
Six Plead Guilty in Internet Identity Theft Conspiracy
Six people pleaded guilty last week to conspiracy to commit credit and bank card fraud and ID document fraud. They were among 19 arrested a year ago in a Secret Service investigation of a website known as shadowcrew.com. The website was a members-only site where thieves trafficked in stolen credit card numbers, debit card and PIN numbers, fake IDs and stolen identity information, including Social Security numbers. It was alleged that they had dealt in 1.5 million credit and debit card numbers and caused losses in excess of $4 million. “Guilty Pleas in ID Theft Bust,” http://www.wired.com/news/infostructure/0,1377,69616,00.html.
Spyware Bill Passes in Senate Committee
The Senate Commerce, Science and Transportation Committee last week voted in favor of a bill to address the problem of spyware. According to InternetNews.com, the bill – known as The “Spy Block Act” – “targets three main consumer harms: taking control of a user's computer; software that triggers advertising out of context with the use of the computer; and undisclosed collection of personal information.” “A Senate Shot at Anti-Spyware,” http://www.internetnews.com/bus-news/article.php/3565481
November 22, 2005
PATRIOT Act Provisions Questioned
Bruce Schneier is Chief Technology Officer of Counterpane Internet Security and a frequent commentator on data security issues. The Minneapolis Star Tribune has published an opinion piece in which Schneier argues that the U.S. government is too unfettered in its ability to spy on ordinary citizens who have no connection with terrorism. He draws attention to the frequency with which the FBI issues national security letters under the USA PATRIOT Act. He argues that the government’s ability to gather information on ordinary citizens should be governed by four principles:
- Oversight – police should be required to obtain a warrant based on a showing of probable cause;
- Minimization – police should not be permitted to conduct fishing expeditions but should be limited to the specific information needed by the police;
- Transparency – the public should know at some point what information the police are getting and how it is being used; and
- Destruction – the police should be required to destroy any information they obtain after the purpose for which a court authorized the search is achieved.
Schneier writes, “As more of our lives become digital, we leave an ever-widening audit trail in our wake. This information has enormous social value – not just for national security and law enforcement, but for purposes as mundane as using cell-phone data to track road congestion, and as important as using medical data to track the spread of diseases. Our challenge is to make this information available when and where it needs to be, but also to protect the principles of privacy and liberty our country is built on.” “The erosion of freedom,” http://www.startribune.com/stories/562/5740270.html
Renewal of certain USA PATRIOT Act provisions is now stalled because of concerns raised by a bipartisan group of six senators. The six want to tighten the standard for seizing business records and issuing national security letters, requiring that the government demonstrate some connection between the records sought and terrorism. See “Patriot Act Amendments Stalled,” In the News, November 18, 2005.
Sony Sued by Texas; Sales Unaffected by Controversy
More trouble for Sony. The Attorney General of Texas has sued Sony BMG for violating Texas’s antispyware statute. The complaint seeks an order enjoining Sony from selling any CDs that violate the antispyware statute and asks for damages of $100,000 for each violation of the statute. This is the third lawsuit so far arising out of Sony’s use of a rootkit, software typically used by hackers, to mask its anti-piracy software. In addition, the Electronic Frontier Foundation announced on Monday that it will be filing yet another class action against Sony. “EFF, Texas Attorney General Sue Sony,” http://blogs.washingtonpost.com/securityfix/2005/11/texas_attorney_.html; “Sony BMG Faces Civil Complaint Over CD Software,” http://online.wsj.com/article/SB113259581938503230.html?mod=rss_whats_news_technology.
Michael Geist, a member of the Faculty of Law at the University of Ottawa and a frequent commentator on Internet and eCommerce law, has a column in the Toronto Star that summarizes the three-week history of the Sony rootkit issue and suggests lessons that should be learned by policy makers. He argues that while some policy makers have been moved to promote legislation that would provide legal protections to technological protection measures like those Sony used, “the real need is to protect against the misuse of this technology.” He concludes that “with consumer backlash against deceptive CDs and licensing agreements, policy maker worries about privacy and security . . . and the courts’ concerns for personal privacy rights, the Sony rootkit case is destined to resonate long after the dangerous CDs disappear from store shelves.” “Sony incident wake-up call for regulators,” http://www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_Type1&c=Article&cid=1132527022374&call_pageid=971794782442&col=971886476975.
There may be one flaw in Geist’s assumptions. The consumer backlash does not seem to have materialized. CNET News.com reports that, even in light of the lawsuits and the controversy, Sony’s CD sales appear to have suffered little if any decline. “Sony sailing past rootkit controversy,” http://news.com.com/Sony+sailing+past+rootkit+controversy/2100-1027_3-5965243.html.
Antivirus, Data Backup and Firewall Programs Among Most Vulnerable Programs
The SANS Institute this morning issued its updated list of “The Twenty Most Critical Internet Security Vulnerabilities,” http://www.sans.org/top20/#c2. Among the most critical vulnerabilities, SANS lists antivirus programs, data backup programs, and firewall applications. “During the past year,” the SANS report says, “there has been a shift in focus to exploit security products used by a large number of end users. This includes anti-virus and personal firewall software.” This represents a shift that, according to the Washington Post, has SANS officials worried, “because businesses and government agencies are not conditioned to look for problems in some of the targeted software, as they are with operating systems, Internet browsers and e-mail, which for years have drawn the most attacks.” “Hackers Targeting Security Programs,” http://www.washingtonpost.com/wp-dyn/content/article/2005/11/21/AR2005112101424.html
November 23, 2005
Sharing of Airline Passenger Lists May Violate European Union Law
Speaking in Grand Rapids, Michigan, on November 15, former Secretary for Homeland Security Tom Ridge said that among the most significant tools the United States has to protect itself from terrorists is the cooperation of the European Union in providing us with information on the passengers of all planes leaving Europe for the United States before departure. That tool may now be in jeopardy. The Advocate General to the European Court of Justice has concluded that the European Commission “had no appropriate legal basis” for concluding that EU law allowed such a data transfer. The Advocate General says the Commission relied upon the wrong body of law in concluding that the United States Bureau of Customs and Border Protection would adequately protect the information. The European Court of Justice will rule on the matter in the coming year. It is reported that the court typically relies upon the advice of the Advocate General. If it does, the data transfers to U.S. Customs will have to stop. “EU urged to drop airline data sharing,” http://news.zdnet.com/2100-1009_22-5967958.html
Foreign States Pose Greatest Threat to UK National Infrastructure
The National Infrastructure Security Coordination Centre (“NISCC”), which is charged with defending the critical national infrastructure of the United Kingdom, has identified foreign countries as the most significant threat it faces. The UK’s critical national infrastructure includes financial institutions, critical transport, telecommunication and energy networks, and the government. The director of the NISCC describes a “malicious marketplace” in which attackers seek to gather commercially and economically valuable information. The director says that foreign governments are the most significant players in this marketplace, followed by criminals, hackers, and, posing the smallest threat, terrorists. While foreign states currently pose the greatest threat, the director predicts that criminals will rival nation states for the dubious honor of posing the greatest threat. “Foreign powers are 'main cyberthreat' to UK,” http://news.zdnet.co.uk/0,39020330,39237451,00.htm
MasterCard Chief Risk Officer Discusses Root Causes of Stolen Card Problem
The chief risk officer of MasterCard International, Christopher Thom, says that indications are that there was “little fraud” that actually ensued from the data breach reported in June at CardSystems Solutions, a merchant processor of debit and credit card receipts. That data breach was said to have exposed information on 40 million accounts to potential theft. In a roundtable reported in today’s American Banker, Thom says that only about 2% of those cards were in fact identified as stolen or possibly stolen. That’s still 800,000 accounts.
Thom identifies two “root causes” of the problem of stolen credit card information. The first is that “there’s far too much data stored unnecessarily in the whole system, and stored insecurely.” He says that MasterCard has written every third-party MasterCard processor regarding security standards, but that with the 23 million merchants that accept MasterCard, “there’s a long way to go.”
The second root cause, says Thom, is the fact that the credit card system is based on the magnetic strip, which is easily and inexpensively compromised. He says that “rules-based models, neural networks, and general predictive fraud modeling” are all “supporting the weakness of the magnetic strip itself.” Thom argues for moving away from the magnetic strip to a system in which each transaction is uniquely identified, so that fraudulently obtained information could not be reused in a subsequent transaction. “Data Security Roundtable: The Threats to Data Security - What's Here, What's Ahead,” http://www.americanbanker.com/article.html?id=20051122AEL6NHJK&from=technology (subscription required)
Note: Current and past issues of In the News are now available online at this link.
This message is provided by the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP to advise you of recent developments in the law affecting privacy and data security. Because each business situation is different, this information is intended for general information purposes only and is not intended to provide legal advice on any specific facts and circumstances.
Warner Norcross & Judd LLP (www.wnj.com) is a full service law firm with four offices in Michigan. Our Privacy and Information Security Taskforce includes lawyers from across the firm’s practice areas who work together to help businesses ensure the security of their information systems and electronic data and to assist businesses who have experienced a data breach to limit their liabilities and prosecute hackers and data thieves. For information about the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP, e-mail Rodney Martin at email@example.com or write him at Warner Norcross & Judd LLP, 111 Lyon Street NW, Grand Rapids, MI 49506.
"Privacy and Information Security In the News" is a free publication of Warner Norcross & Judd LLP and its Privacy and Information Security Taskforce. You can choose to receive it either daily (usually by 9 a.m. each weekday) or weekly (usually by 9 a.m. on Friday morning). If you would like to receive this publication, please respond to this e-mail and let us know the frequency at which you would like to receive it. If there are others in your organization who should receive "In the News," either include their names and e-mail addresses in your message or forward this message to them so they can respond.
Should you ever wish to stop receiving "In the News," simply click here to send us an email message and we will remove your name from the subscription list. Rest assured that we will not sell your contact information or share it with anyone outside our firm.