Financial Aid Files Compromised in Cal State Database Breach

On August 26, in accordance with California Information Practice Act (SB 1386), California State University sent a letter to 154 students and administrators notifying them of a potential data breach involving student financial aid records housed in the university chancellor's office.

Agencies' Data Mining Efforts Criticized for Privacy Failures

In a recent report to a subcommittee of the Committee on Homeland Security and Governmental Affairs on data mining (i.e., the extraction of pertinent information from large volumes of data), the Government Accountability Office concluded that none of the five agencies the GAO audited "followed all the key procedures" for the protection of personal information. The particular agency projects were chosen for review in part because they involved one of the following goals: (1) analysis of intelligence and detection of terrorist activities; (2) detection of criminal activity; (3) identification of fraud, waste or abuse; or (4) efforts to improve service or performance.

David Brin on Our Omni-Surveilled Future

A fascinating article (site pass req'd) about the possible evolution of the surveillance culture in the August edition of Salon, by science fiction writer and scientist David Brin. In it, Brin anticipates flocks of miniature flying cameras providing video feeds from remote locations, wearable augmented reality devices providing real-time information to users about their environment, subvocal speech systems (a precursor to "tech-mediated telepathy"), and ubiquitous geographic location awareness (for people and devices).

Cancelable Biometrics -- Outsmarting Gummy Bear Attacks and Enhancing Privacy

The Associated Press is reporting today on the use of sophisticated algorithms to alter biometric snapshots to provide an extra layer of protection against breaches of biometric authentication systems, with the added benefit of limiting the potential invasion of privacy that such systems may represent.

Homeland Security Pushes Changes to Secure Flight Program

As reported previously, on July 22, 2005, the Government Accountability Office issued a report stating that the Transportation Security Administration (TSA) violated the Privacy Act during testing of the Secure Flight program by exceeding the scope and objectives of the commercial data testing described in their Public Disclosure Notices. Despite this violation, the Department of Homeland Security (DHS) is proposing changes to next year's homeland security funding bill that would allow the Secure Flight program to use background checks and profiling to help determine if an airline passenger is a terrorist, even if he or she is not on a terror watch list. The proposal would also allow the Secure Flight program to be implemented in U.S. airports after approval by the Head of DHS (the current bill requires independent congressional investigators to evaluate it).

Posted by Brian Bennett

MTA Approves Security Cameras for L.A. Subway and Light-Rail

The Los Angeles Times reports that the Los Angeles County Metropolitan Transportation Authority ("MTA") has approved almost $7 million to install state-of-the-art digital cameras on Los Angeles' subway and light-rail trains.

Most Computer Crimes Against U.S. Citizens Are Perpetrated by U.S. Criminals

There have been several reports of thefts of bank card data that appear to have originated in non-U.S. countries. For example, a recent investigation of a particularly malicious type of keylogger software that was surreptitiously installed on numerous home computers and sent bank account numbers and passwords to a server, showed that the server's domain was registered in China. Another group of data thieves, who use pop-up ads to download Trojans to steal bank card data, were reported to be based in South America.

Photos of Sony "Hermione" Cell Phone Lead to Legal Demand

On the heels of the well-publicized litigation brought by Apple against bloggers who posted information about an upcoming product release on their sites (see reports here and here), another cautionary tale. Sony Ericsson recently sent a cease and desist letter to the owners of the website Ubergizmo, based in Palo Alto, California, concerning pictures of the "Hermione" mobile phone that were posted on the site.

Canadian Law Would Allow Email Interception Without Court Order

Canada's federal cabinet will review legislation that would allow police and security agencies to intercept emails, text messages and possibly even financial transaction information found in websites that are protected by secure passwords.

MMORPG Worm A Threat to Virtual Swag

The trading of virtual objects for real-world cash is a well-established practice in the world of Massively Multiplayer Online Role-Playing Games (MMORPGs), and this virtual market by some estimates may be worth nearly a billion dollars (US). There are now reports of a new worm that targets players in one such MMORPG and is designed to allow crooks to steal those players' virtual assets.

Google Releases Beta Version of Its Desktop 2 Search Program

On Monday, August 22, Google released a beta version of its Desktop 2 search program as a free download. Like the predecessor Desktop program, this program allows users to search their desktop as well as network folders and drives. Additionally, the beta version includes a Sidebar panel that displays information based on users' browsing habits. Sidebar not only aggregates e-mail messages from a variety of e-mail accounts, including Google's own Gmail, but it also pulls Really Simple Syndication (RSS) feeds from websites that a user has visited (assuming that website offers RSS feeds).

Britney, Lindsay and Scarlett -- Can Anti-Paparazzi Laws Protect Our Endangered Starlets?

Posted by Kraig Baker

The LA Times reported another Paparazzi incident today. This time Scarlett Johansson hit a car carrying a family while trying to elude paparazzi who followed her home. Last month someone from Britney Spears' house shot a paparazzi with a pellet gun. Two months ago a celebrity photographer rammed Lindsay Lohan's car. With the voracious American appetite for all things celebrity and the intense competition among celebrity magazines, it's inevitable that we will have additional incidents. More to the point from a privacy perspective, look for additional anti-paparazzi legislation in California and other states within the next year.

Potential Business Liability for Failure to Secure Consumer Data

In the first seven months of 2005, the personal information of more than 50 million individuals in the U.S. has been stolen by data thieves or lost by U.S. businesses. That's 10 times the number affected by data breaches in all of 2003, the last period for which comparable figures are available. DWT attorney Randy Gainer discusses the causes of the dramatic increase in the number of data breaches and the lawsuits that have been filed because of the data thefts in a recent article available here.

Too Much Blogging Can Make You Go Blind

This is a legal blog, not one of those you might find at a domain ending in .xxx (oh, wait, those are on hold by White House request), so get your mind out of the gutter (but if you can't, see this recent report). The type of blindness we're talking about here is the kind that occurs when you've become so immersed in the daily routine of blogging that you've forgotten - or perhaps you never fully understood? - the legal concerns that blogging can raise. Over the next few months, on a quasi-regular basis, we'll be looking at some of the legal issues related to blogging that fall loosely under the umbrella of privacy and security law.

Data Security and the Risk of Outsourcing

In separate, recent incidents, British and Australian journalists were able to purchase customer data including bank account, credit card, passport and driver's license details of U.K. and Australian customers from an Indian call center. The call center was used by a U.K. bank and an Australian telemarketing company.

Employers Educate their Employees about Phishing . . . by Posing as Phishers

In an attempt to battle the never-ending surge of phishing attacks, some employers have taken the unusual measure of devising and sending their own fake phishing emails to employees.

Beyond Phishing: Pharming and Crimeware Attacks

In a recent study conducted by the Anti-Phishing Working Group, a global association of ISPs, banks, law enforcement agencies and other concerned parties, it was noted that incidents of phishing (the use of fraudulent emails to dupe people into sharing personal information such as bank account passwords, PINs and/or credit card information), while still rampant on the internet, are increasing at a slower rate.

Philip Zimmerman Unveils Encryption for VoIP

Philip R. Zimmerman, the creator of Pretty Good Privacy ("PGP"), unveiled a prototype for encrypting data carried on VoIP (Voice over Internet Protocol) at the Black Hat Security conference in Las Vegas in late July. The prototype, called zFone, will be written in Python mainly because it is built to run on top of the open-source Shtoom softphone, which is also written in Python. Currently, zFone runs on Mac OS X, and Zimmerman hopes to make the prototype available for download by the end of August.

Random Searches in NY Subways Raise Controversy and Constitutional Issues

What do you get when you put together New York subway riders, random searches, the Fourth Amendment to the U.S. Constitution, and a "War on Terror"? Why, a lawsuit of course. Just last week, the New York chapter of the ACLU filed suit in U.S. District Court in Manhattan on behalf of five New York subway riders to contest the policy in New York City, since July 21, to have police conduct random searches of riders' bags and packages. The plaintiffs claim such searches violate their right to be free from unwarranted searches and seizures under the Fourth Amendment. A link to the story can be found here.

FCC Rules that Broadband and VoIP Providers Must Accommodate Wiretaps

The FCC has issued a press release announcing that it will now require certain providers of broadband and Voice-over-Internet Protocol (VoIP) services to build backdoors into their networks to accommodate law enforcement wiretaps.

Fixing the FCC's Fax Faux Pas

It may have taken the better part of two years, but Congress and President Bush, by respectively passing and signing the Junk Fax Prevention Act of 2005 to make it law last month, reversed the 2003 change in Federal Communications Commission "junk fax" rules that otherwise would have required businesses to obtain written permission from recipients before sending unsolicited fax advertisements. Under the new law and rules the FCC will adopt to implement it, companies instead will be required to maintain and honor an in-house "do-not-fax" list, similar to the internal "do-not-call" list businesses that telemarket must keep, and must refrain from sending unsolicited commercial materials to recipients who have opted out of receiving such faxes.

Secure Flight Program Violates Privacy Act

The US Government Accountability Office ("GAO") recently issued a report stating that the Department of Homeland Security Transportation Security Administration ("TSA") did not act in accordance with the Privacy Act while testing its Secure Flight Program, which is designed to compare airline passengers against a terrorist watch list.

Insiders - The Real Threat To Data Security?

The data security plans of many organizations are largely focused on technical measures to guard against efforts by outsiders to gain unauthorized access to the organization's networks, computers and data. Studies and news reports continue to show, however, that the greatest risks to most organizations' sensitive data are really internal and come from insiders - disgruntled current or former employees or contractors.

Contrasting Views on Data Privacy

The Sunday New York Times "Week in Review" has an interesting article (subscription req'd) comparing the very different legal frameworks for privacy protection in the US and the EU (and much of the rest of the world).

The article suggests that, in the US, 2005 is the "year of the consumer privacy breach" -- as the "personal information" for 50 million consumers "has been lost, stolen and even sold to thieves."

Wi-Fi Spectrum Battle at Airports: Safety or Profits at Stake?

A simmering battle between airports authorities and airlines over management of wireless networks has boiled over at Logan International Airport in Boston, and the FCC has been asked to intervene.

The dispute stems from a Continental Airlines program that provides free wi-fi service to passengers in its President's Club lounges. While some airport authorities also provide free wi-fi within passenger terminals, at Logan travelers must pay a daily fee of $7.95 for the service. Continental frequent fliers, however, can step into the airline's lounge and avoid that fee.

The Risks of Unencrypted Data Transmission

Business managers responsible for data security may be investigating what they can do to avoid the fate of BJ's Wholesale Club. The Federal Trade Commission issued a complaint against BJ's for failing to safeguard data regarding credit and debit cards that BJ's customers used at its stores. The FTC alleged that BJ's lax security, which included BJ's transmission of unencrypted payment card data within its stores over WiFi systems, was an unfair practice.

GAO Financial Institution Security Report

A Government Accountability Office report published recently found that financial market organizations still need better information security, particularly restrictions on access to their networks and systems. The report, which studied the practices of seven unnamed financial market organizations, found that all of the organizations had implemented five key elements of a sound information security program. In addition to general access restrictions, the GAO identified specific areas where security could be improved. The report is available here, and an abstract is available here.

Posted by Brian Wong

Wifi Hijacking Conviction

In the first case of its kind in the UK, a man has been prosecuted for hijacking a wireless broadband connection and has been fined 500 pounds and sentenced to twelve months' conditional discharge. While there have been several convictions for theft of credit card information over wireless networks, this case involved the theft of wifi signals for something as pedestrian as browsing the Internet. Considering that in the United States there are millions of wifi users and that it is relatively easy to use a neighbor's signal even for users who have virtually no technical expertise, it may only be a matter of time before a litany of cases like this appear in U.S. courts.

Posted by Steve Chung

ATM Card Phishing

A report issued August 2, 2005, by Gartner, Inc. describes how thieves have stolen more than $2.75 billion by using phishing scams to obtain debit card account numbers and PINs from unsuspecting consumers. The thieves use the account numbers to create fake cards, then use the cards and PINs to drain consumers' accounts, leaving consumers to deal with the bounced checks and the banks to reimburse the victims, as described in more detail here. The debit cards of some banks, such as Bank of America, are not targets because the banks take advantage of a second track on the magnetic stripes on their cards to embed additional security codes that consumers -- and therefore data phishing thieves -- don't know about. Banks whose debit cards have been hard hit by these attacks have begun using the second track on the magnetic stripes on their cards and have beefed up their security codes in order to prevent the attacks.

Posted by Randy Gainer

Court Upholds Use of Spam-Blocking Software

Yesterday, August 2nd, the U.S. Court of Appeals for the Fifth Circuit issued a decision in the case of White Buffalo Ventures, Inc. v. University of Texas at Austin, holding that the University of Texas didn't violate the constitutional rights of an online dating service when it applied UT's general anti-solicitation policy and blocked thousands of unsolicited emails.

Vulnerability Testing

Companies in almost every business niche are spending unprecedented amounts of money on software and other solutions to enhance the security of their computer systems. But this recent NY Times article (subscription req'd) is another good reminder that data security requires assessment, and employee vigilance, on many different levels.

Posted by Merrill Baumann

Damages Still Required for Data Breach Litigation

With the continuing escalation of data breaches, many believe that private litigation in this area will explode over the coming months. In a recent decision in New York, however, a federal judge ruled that JetBlue Airlines passengers will not be able to recover based on the Airlines' unauthorized disclosure of passenger data to companies working on a federally-funded study of aviation security. The court held that, even though JetBlue violated its own privacy policy, passengers would still be required to show that they suffered harm as a result of the breach . . . and in this case they could not, the court concluded.

Posted by Merrill Baumann

RFID, Data Mining and Surveillance Ubiquity

Despite the claims of RFID tag makers that RFID tags are benign and unlikely to be used to create a surveillance society, three new developments suggest that RFID tags and data mining continue on their way to becoming both ubiquitous and used for general surveillance of customers, visitors, and citizens going about their daily lives. In a bid to help prevent kidnapping of children (and teen-agers from sneaking out of the house?), the Target chain of retail stores announced that it is purchasing pajamas from Lauren Scott of California that have RFID tags sewn into the hems. Readers positioned at various points through the house will set off an alarm if the pajamas pass the boundaries.

Congress Considers Security Breach and Data Security Bills

Last week, the Senate's Commerce, Science and Transportation Committee unanimously approved an identity theft bill, entitled the "Identity Theft Protection Act of 2005" (S. 1408), designed to "set[] national standards to safeguard individual personal information, to notify consumers of data breaches, to require businesses to improve their safeguards for sensitive consumer information, to give consumers the right to freeze their credit reports to thwart identity theft, and to limit the solicitation of social security numbers by commercial entities." If enacted, the bill would authorize the Federal Trade Commission to specify "physical and technological safeguards" that business and other entities that collect personal information would be required to put in place.

USA Patriot Act Extended

On Friday, July 29th the Senate voted in favor of making permanent the major provisions of the USA Patriot Act, following similar action by the House of Representatives earlier this year. Whereas the House version included 10-year sunset provisions on some of the controversial provisions (such as those involving roving wiretaps and library and medical records), the Senate version includes only 4-year moratoriums. These and other differences between the two bills will have to be resolved in the fall before a final version wends its way to President Bush for signature.

Congressional Action on Privacy and Security

Last week the U.S. Congress concluded its summer session amid a flurry of activity in connection with privacy and security matters, including a Senate vote to extend the USA Patriot Act and committee action on several identity theft bills. The congressional response to the widely-reported security breaches over the past several months follows action in a number of state legislatures, most notably California.

More specifics on what Congress is doing in our next posts...

Security Breaches Large and Small

Thus far, this has been the year of massive security breaches, including those at ChoicePoint and CardSystems. As a result, 2005 appears to be shaping up as a national rude awakening to the reality of identity theft, something security experts have been expecting for some time. Some of these breaches have been surprisingly low-tech, such as the physical theft of data storage devices.

A recent article in the Washington Post about the loss of mobile electronic devices reminds us that businesses must literally examine every potential chink in their security armor to assess the risk of data theft.

Posted by Lance Koonce

Welcome to the Privacy and Security Law Blog (PrivSecBlog)

Today marks the launch of Davis Wright Tremaine LLP's privacy and security blog - thanks for dropping in. Several years ago, a small group of attorneys at our firm recognized that issues surrounding the electronic collection and protection of sensitive information were throwing off new legal questions at an accelerating rate. Thus was born the Privacy and Security Group at DWT, and that original core group of attorneys has now grown to almost 40 professionals spread across seven offices, advising clients on every aspect of privacy and security.

While we share our expertise with our clients every day, this blog is an opportunity to contribute to the broader discussion on these constantly evolving topics. We welcome your comments and suggestions, and hope that we can serve a useful role in the public debate.