If you can take it with you, someone else can take it from you

Posted by Brian Wong

Even a no-longer-cutting-edge BlackBerry or mobile phone holds enough data to be a major security breach when lost. Many devices already include password protection and automatic locks, and some software gives system administrators the ability to wirelessly transmit a command to erase data when a device is lost.


California Court Orders Discovery To Determine Whether Visa and MasterCard Fall Under California's Data Breach Notification Statute

Posted by Min Lee

San Francisco Superior Court Judge Richard Kramer has ordered Visa and MasterCard to disclose the nature of their relationship with CardSystems, the payment processor whose computer systems were breached sometime between August 2004 and May of this year, exposing about 40 million credit and debit accounts to potential abuse. The Judge explained that the information would clarify whether the two credit card companies are subject to the individual notification requirements of California's data breach statute, California Civil Code § 1798.82, which obligates "[a]ny person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, [to] disclose any breach of the security of the system following discovery ... to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." Cal. Civ. Code § 1798.82(a).


Health Privacy Compromised, But When Is It Okay To Share?

Posted by Peerapong Tantamjarik

While not involving computer hackers, here's a story about an old-fashioned invasion of privacy. The Kansas City Star reported on September 28th that a University of Missouri hospital faces a class-action lawsuit after allegedly releasing confidential medical records for hundreds of patients to a company it hired to solicit business. The suit was filed earlier this year on behalf of approximately 800 patients with liver diseases, including hepatitis C. The complaint alleges that records were turned over by University Hospital's internal medicine chairman to a home health care provider dba Option Care, who then allegedly called the patients in an effort to sell them antiviral drugs and keep them in the hospital network. The Option Care nurse who contacted the patients using the list from the hospital stated that the calls were not for solicitation, but for patient safety.


The Federal Government Updates its Guide to Federal Privacy Act -- and It's Free!

Posted by Tom Burke

Said to be "one of the most widely read congressional committee reports in history," this manual explains how to use the federal Freedom of Information Act and the federal Privacy Act of 1974 to request records from the federal government. It includes practical forms. One of the most useful items the federal government publishes; last updated in 2003.

Too Many Passwords?

Posted by Lance Koonce

RSA Security today released the results of a survey of 1700 technology end users in the United States about their password management habits. The results suggest that having to juggle multiple passwords causes users to compensate with risky security techniques such as listing passwords on post-it notes (you know who you are) or on computer spreadsheets, and also creates a drain on productivity by taxing the resources of IT help desks. Corporate requirements of frequent password changes further exacerbate the problem.


Stalemate in the Battle to Protect Against Internet Credit Card Fraud

Posted by Peter Mucklestone and Stuart Louie

High ranking security experts at both Visa USA Inc. and MasterCard International Inc., two of the world's largest credit-card associations, have suggested that the struggle to protect against the fraudulent use of credit card and accountholder information has reached a stalemate, and those tasked with enforcement are in danger of losing ground. According to recent data compiled by the F.B.I., in 2004, the incidents of internet-related credit card crimes increased by sixty-six percent (66%) and the average reported loss associated with each such incident tripled to $2,400.00.


Think Your Anonymizer is Foolproof?

Posted by Lance Koonce

Those who rely on anonymizers to surf and transact business on the web may soon have their identities laid bare, if the National Security Agency has anything to say about it. According to World Net Daily, a new patent filed by the NSA,

describes a process based on latency, or time lag between computers exchanging data, of "numerous" known locations on the Internet to build a "network latency topology map" for all users. Identifying the physical location of an individual user, reports CNET News.com, could then be accomplished by measuring how long it takes to connect to an unknown computer from numerous known machines, and using the latency response to display location on a map.

Secret-Decoder Ring Inventors Beware

Posted by Tom Burke

Inventors of devices that may be of interest to the security-focused federal government might take note of Crater v. Lucent, a recent decision of the Federal Circuit Court of Appeals. The case features a fascinating discussion of the "state secrets privilege," used in this case to dismiss a civil lawsuit filed by an inventor who, inspired by the symmetrical halves of a tennis ball, created a coupler for connecting pipes without threads or bolted flanges. The problem? The invention had military applications which ultimately led to the dismissal of the inventor's infringement action on national security grounds. See Kevin Poulsen of Wired who followed this interesting case.

Secure Flight Will Not Use Commercial Databases

Posted by Brian Bennett

The Transportation Security Administration ("TSA") has scrapped plans to use commercial data to check the identities of airline passengers in "Secure Flight," the government's proposed passenger prescreening system. As envisioned by the TSA, Secure Flight would be used by the government to compare passenger name records against information compiled by the Terrorist Screening Center, including "no fly" lists. The TSA would also use Secure Flight to detect suspicious travel behavior. The TSA intended to use information collected in commercial databases, such as data related to drivers and credit history, to verify the accuracy of information provided by travelers. Shortly after the TSA made the decision not to use commercial data, a working group of experts appointed by the TSA issued a confidential report on September 19, 2005, that criticized the privacy impacts of the Secure Flight program.

Bruce Schneier, who was one of the members of the working group that released the report, further discusses these issues on his blog.

California Court Rules that Personal Notification Not Required in CardSystems Data Breach Case

Posted by K.M. Das

In one of the first tests of the notice provisions of California's data breach statute — Senate Bill 1386 (codified at California Civil Code § 1798.82) — San Francisco Superior Court Judge Richard Kramer ruled that Visa and MasterCard do not have to send individual notices to thousands of their customers in California based on the CardSystems data breach that occurred between August 2004 and May of this year.


Inadvertent Disclosures in IP Filings: Focus on Patents

Posted by Lance Koonce

As a follow-up to last week's discussion about inadvertent disclosures in intellectual property filings, here's more in-depth information about patent filings to fill in the somewhat superficial explanation we provided previously. This from one of our patent gurus, George Rondeau.


Inadvertent Disclosure of Business Secrets Through Intellectual Property Filings

Posted by Lance Koonce

While theft of trade secrets tends to garner more prominent headlines, there are also a number of ways in which a company can lose control of its secrets that are unintentional, and often preventable. A case in point is intellectual property filings.


Credit Reporting Companies to Use Coordinated Encryption Standard

Posted by Lance Koonce

Equifax, Experian and TransUnion announced today that they will each adopt a single standard for protection of data provided to them by financial institutions and merchants, in order to protect the massive quantity of sensitive data that the three companies maintain. Published reports on the coordinated effort state that it will involve "the development and adoption of a data-cloaking code built on encrypted algorithm and 128-bit, secret-key technologies."


Verizon Sues Telemarketers for Calling Wireless Customers

Posted by Ronnie London

In what is believed to be a first in the U.S., Verizon Wireless filed two separate lawsuits against telemarketers Intelligent Alternatives and Resort Marketing Trends, alleging that the companies violated the Telephone Consumer Protection Act ("TCPA") and state law by transmitting automated and/or prerecorded messages to Verizon Wireless customers. The suits, filed in New Jersey (where Verizon is headquartered) and California (where the largest proportion of the calls were received), seek injunctive relief and damages for what the company claims were more than a million calls by Intelligent Alternatives, and more than 200,000 calls by Resort Marketing to Verizon Wireless subscribers.


Court of Appeals Suspends Injunction Lifting Gag Order in National Security Letter Case

Posted by Randy Gainer

The Hartford Courant reports that the Second Circuit has temporarily stayed the injunction issued by U.S. District Court Judge Janet C. Hall granting a Connecticut library's motion to enjoin the government from enforcing a gag order permitted under the Patriot Act in connection with National Security Letters. Prior reports here and here.


But the Miami-Dade Cop is a piker compared with Tesco

Posted by Bruce Johnson

From London, Tuesday's Guardian reports that the supermarket chain Tesco "is quietly building a profile of you, along with every individual in the country - a map of personality, travel habits, shopping preferences and even how charitable and eco-friendly you are. A subsidiary of the supermarket chain has set up a database, called Crucible, that is collating detailed information on every household in the UK, whether they choose to shop at the retailer or not."


Cops get ChoicePoint Data?

SiliconValley.com reports that a Miami-Dade County police officer has been relieved of duty and is under investigation for allegedly obtaining unauthorized access to Social Security numbers and other personal data on 4,689 people maintained by ChoicePoint Inc. The company reported that the Secret Service was investigating the matter -- at this point, it does not appear that any identity thefts have occurred.


Judge Roberts' Views on Government Searches & Privacy of Records Issues Are Unknown

Judge Roberts' impressive performance answering the questions of Senate Judiciary Committee members has left little doubt that he will be confirmed as the next Chief Justice. As one commentator noted, "The only real question about his prospects, it appears, is how many votes he will get from the Democratic senators."

Much attention has appropriately been given to Judge Roberts' views on the right to privacy at issue in Roe v. Wade and Griswold v. Connecticut. Little attention has been paid to other important issues, however, such as how he will approach his duties regarding the Foreign Intelligence Surveillance Act court and what his philosophy is regarding police and other government agencies' searches of individuals' property.


Human Immune System as Model for Intrusion Detection

SearchSecurity.com is reporting on a novel method of fighting attacks on computer systems that borrows a page from the human body's own immune system.


Dutch to Track Citizens From Cradle to Grave

The Dutch Ministry of Health has announced that beginning on January 1, 2007, all Dutch citizens will have their personal information maintained and tracked in one database that will include health, education, and family information, as well as police records.


Wireless Provider Sues Telemarketing Firms

What can a wireless provider do to stop telemarketers from illegally soliciting their customers? By bringing suit against the telemarketing firms for an injunction and monetary damages in the Superior Court in Sacramento, CA and the Superior Court in Somerville, NJ, Verizon Wireless claims that it is "standing up once again for customer privacy rights".


Caveat Inventor

Note to all US patent holders: pay your maintenance fees if you value the privacy of your financial information. A recent investigative report (Patent Office Rules Allow Simple Access to Tax, Financial Data, 108 Tax Notes 1079 (Sept. 5, 2005)) reveals that patent holders who fall behind on fee payments with the U.S. Patent and Trademark Office (PTO), and then request a waiver of their payment obligations, may be asked to submit private information to validate claims of financial hardship. While the PTO claims that it never asks for or requires sensitive information, such as Social Security or account numbers, delinquent patent holders may unwittingly submit such information, which then could find its way to the publicly-available patent files. No legislative fix is imminent, but privacy advocates are investigating the issue further, and IRS Commissioner Don Alexander has urged members of the Bush cabinet to push for remedial action.

Posted by Merrill Baumann

Connecticut Judge Bars Enforcement of NSL Gag Order

On Friday, September 9, U.S. District Court Judge Janet C. Hall granted a Connecticut member of the American Library Association's motion for a preliminary injunction. Her ruling enjoined the government from enforcing the part of 28 U.S.C. 2709(c) that prevents the library association from revealing its identity as an organization that received a National Security Letter (NSL) from the FBI in August. The ACLU, which is both a co-plaintiff with the library organization and represents it, hailed the judge's decision, stating "the court has recognized that gagging our client from participating in the Patriot Act debate violates the First Amendment and is profoundly undemocratic." The ACLU's press release is available here.


What Does Sarbanes-Oxley Have To Do With Information Security?

Although it has a high profile in corporate America, the Sarbanes-Oxley Act has not been at the center of discussions about the need for corporations to adopt appropriate information security measures. However, a recent article in the August 29th, 2005 issue of the National Law Journal by well-known Chicago trade secrets lawyer R. Mark Halligan persuasively suggests that "... directors and top managers must become actively involved with intellectual asset management and information security, to avoid both civil and criminal liability under Sarbanes-Oxley and shareholder derivative suits for the breach of the fiduciary duty to adequately protect intellectual property assets," and that this represents a "sea change" in the law.


MMORPG Phishing Scams

As an update to our previous post on the keylogger worm that attempts to steal account data from players of Massively Multiplayer Online Role Playing Games, an interesting report at Terra Nova about a phishing scam designed to steal the same type of info.

Posted by Lance Koonce

VoIP Security

Voice over Internet Protocol (VoIP) security is an emerging issue now, but it is only a matter of time before the risk rises to a level which demands action. VoIP is susceptible to the same dangers as data networks that use the Internet. At risk: any telephone conversation traveling on the company network; sensitive information; deals; strategies; and company secrets.


The Great Splog Debate: Legal Options?

Recently the blog world has been debating a subject near and dear to our hearts here at the Privacy and Security Blog - splogs and blog spam. The nominal flash point for the recent debate was a blog post by Dallas Mavericks owner and blogger Mark Cuban, who railed against the proliferation of blogs that contain no substantive commentary, but exist merely to deliver spam-like advertising messages and drive search engine traffic.


Free Consumer Credit Reports Finally Available to All

The Fair Credit Reporting Act's guarantee of free credit reports took full effect on September 1. The links to the website, previously blocked, are now fully accessible, and reports for residents in States in the Eastern US have finally been made available. Persons may obtain one free report each year from each of the three major credit reporting agencies. For additional information, you may also visit EPIC's Fair Credit Reporting Act Page.

Posted by Merrill Baumann

Phishing in the Wake of Katrina

Looters are apparently not the only persons seeking to benefit from the misery of others. The Salt Lake Tribune recently reported increasing incidents of phishing in the wake of Hurricane Katrina. Within hours after Katrina devastated much of New Orleans, a flurry of Katrina-related domain name registrations were reported, many thought to be linked to bogus charities and fund-raising cons. (Example of possible phishing site described here). On eBay, sellers are auctioning Katrina-related domain names "promising" to donate a portion of the proceeds of the sale to flood relief efforts. Even the large financial markets are not immune.


Divided Fourth Circuit Upholds FTC Do-Not-Call Rules for Telefunders

Last Friday, the United States Court of Appeals for the Fourth Circuit in Richmond, Va., issued a split 2-1 decision in National Federation of the Blind v. FTC that affirmed a Maryland federal court decision upholding the Federal Trade Commission's rules applicable to calls by for-hire telemarketers on behalf of non-profit entities. The National Federation of the Blind and Special Olympics of Maryland had challenged the rules on constitutional and other grounds, including that they violate the First Amendment and exceed the FTC's statutory authority.


Mobile Phone Virus Outbreak Disrupts Company

Mobile phone viruses are not yet a major security problem because the volume of phones that have been affected worldwide is statistically negligible, but anecdotal evidence suggests that the threat posed by them appears to be growing. Anti-virus company F-Secure believes that some 55 mobile phone viruses are in circulation worldwide, and countries where cell phones are the most popular appear to be serving as unfortunate case studies. Two weeks ago, Reuters reported that a mobile phone virus spreading between phones via Bluetooth short-range wireless signals had infected scores of phones at the world athletics championships in Helsinki. Now, there are reports of a small company in Scandinavia dealing with a virus outbreak that spread quickly to some 20 employees within the company.


Update: FBI National Security Letter to Library, Authorized by the Patriot Act, Is Challenged by ACLU

The FBI issued a National Security Letter ("NSL") to a library in Connecticut that directs the library to give the FBI "any and all subscriber information, billing information, and access logs of any person related to the following [redacted]." The NSL also warns the library that "Title 18, U.S.C., Section 2709(c), prohibits any officer, employee or agent of yours from disclosing to any person that the FBI has sought or obtained access to information of records under these provisions." The FBI's use of the NSL in Connecticut is the first confirmed use of an NSL against a library, according to the New York Times (subscription req'd). [Editor: Updated to reflect Aug. 31 gag order hearing, discussed below]
