Privacy & Security Law Blog

Legal Commentary and Resources for the Payment Industry

Insight & Commentary on Information Management and Protection

Monthly Archives: October 2007

Hollywood is ‘LOOKing’ in places you don’t suspect

Posted in Marketing and Consumer Privacy

Posted by Tom Jeffry

An article about the upcoming AFI Festival in last Friday’s Los Angeles Times focused on a controversy around one of the film festival’s productions by Adam Rifkin titled “LOOK.” 

The description for this movie set forth in the AFI Festival Guide states: “There are approximately 30 million surveillance cameras in the United States capturing covert images of average Americans as much as 200 times a day. They’re watching in department stores, gas stations, changing rooms, public bathrooms — seemingly no one and nowhere are free from the dispassionate eye of the hidden camera. LOOK pieces together this rush of information, finding several provocative, interwoven storylines amid the noise of life in a random city.” To drive home the point, a photo that accompanies the description depicts two scantily clad young women in a department store dressing room.... Continue Reading

Identity Theft Enforcement and Restitution Act of 2007 Introduced

Posted in Data Protection, Policy and Regulatory Positioning

Posted By Joe Addiego

The Identity Theft Enforcement and Restitution Act of 2007 recently was introduced to the Senate Committee on the Judiciary by Senator Patrick Leahy, the Chair of that Committee. The purpose of the bill is “to enable increased federal prosecution of identity theft crimes and to allow for restitution to victims of identity theft.”

The bill is aimed at “malicious spyware, hacking and keyloggers,” as well as “cyber-extortion,” and it offers a number of remedies that may be pursued by both the government and individuals in response to occurrences of identity theft. For example, if passed into law, any use of spyware or keylogging that causes damages to 10 or more computers would be punishable as a felony. The government also would be able to pursue more incidents of such cybercrime, as the bill would allow prosecution where the victim and alleged cyber-criminal are residents of the same state (the current version of the law would require the theft to occur over interstate or international borders). Further, victims of identity theft would have the right to seek “criminal restitution” from the perpetrator for the time and expense related to the victim’s efforts to restore their credit that ... Continue Reading

FTC Changes Duration of National Do-Not-Call Registrations

Posted in Policy and Regulatory Positioning

Posted by Ronald London

The Federal Trade Commission today announced through a statement by Chairman Deborah Platt Majoras and in related testimony before Congress that it will not remove any telephone numbers from the National Do Not Call Registry (“NDNCR”) notwithstanding that it previously stated in adopting the NDNCR rules that such registrations are to last only five years. That decision was the result of deliberative consideration of constitutional and statutory imperatives not to unduly interfere with legitimate telemarketing, how long numbers remain registered on the various state do-not-call lists, and the fact that the telephone subscriber who places a number on this list may well move or otherwise change his or her number, leaving it to be “recycled” to a new subscriber who did not initially place it on the NDNCR and may or may not want to be listed. Indeed, the record at the time reflected that 16% of all phone numbers change each year, and 20% of all Americans move each year. The FTC decided that, on balance, given the needs of legitimate telemarketing, the frequency with which telephone numbers are recycled, and the fact that not everyone would want their number on the NDNCR, five years was the ... Continue Reading

Nevada passes first law requiring business to encrypt customer personal information during transmission

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

Posted by Charlene Brownlee

Significance of the Law

Nevada has enacted the first data security law that mandates encryption for the transmission of customer personal information (NRS 597.970). The law goes into effect on October 1, 2008. While there are several laws that direct organizations in certain industries to consider using encryption and laws that make encryption a factor in decisions regarding breach notifications, no law required the encryption of personal information prior to this Nevada law.... Continue Reading

California Governor Vetoes Proposed Law Imposing Stronger Data Protection Requirements

Posted in Cyber and National Security, Financial Services, Policy and Regulatory Positioning

Posted by Charlene Brownlee

California Governor Arnold Schwarzenegger vetoed AB 779 — legislation that would have amended California’s data security breach legislation to impose stronger data protection requirements than the Payment Card Industry Data Security Standard.

AB 779 would have prohibited businesses that sell goods or services to any resident of California and that accept as payment credit cards (and debit cards or other payment devices) from, among other things, storing, retaining, sending, or failing to limit access to payment-related data, and from storing sensitive authentication data subsequent to an authorization, unless a specified exception applied. Further, the bill would have made such businesses liable to the owner or licensee of the information for the reimbursement of costs of: (i) providing notice to consumers as required by existing data breach notification law; and (ii) card replacement as a result of the breach.... Continue Reading

Tax Extension Deadline is Another Opportunity for Email Fraudsters

Posted in Technology

Posted by Lance Koonce

Yesterday, my accountant called me to let me know that my 2006 federal tax return was complete, and that I was getting a refund. He then confirmed that he would be filing the return electronically after we finished our call.

This morning, the following email showed up in my inbox:

From:              Internal Revenue Service []

To:                   Koonce, Lance

Subject:            IRS Notification – Tax refund

After the last annual calculations of your fiscal activity we have determined that
you are eligible to receive a tax refund of $249.30
Please submit the tax refund request and allow us 3-6 days in order to
process it.

A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying after the deadline.

To access the form for your tax refund, please click here

Internal Revenue Service

© Copyright 2007, Internal Revenue Service U.S.A. All rights reserved.

Now, I knew my refund was not for $249.30, unless my accountant did some seriously bad math. But the proximity of the email after the e-filing almost convinced me this was legit. ... Continue Reading