FTC "Reminder" About ID Theft Red Flag Compliance

Our recent Advisory Bulletin recounts how the FTC recently issued a gentle reminder that companies should be well along in getting their Identity Theft Red Flag programs in place in anticipation of the November 2008 compliance deadline. The FTC's notice announced that it also has launched an outreach effort to explain the rules, which included publication of a very general alert on what the rules require and what types of businesses must comply.

FTC Data Security Consent Decree Suggests Minimum Steps Companies Must Take

Posted by Ronald London

The FTC recently announced a consent decree with online retailer Life is good (www.lifeisgood.com) that offers insight into what that agency may believe are the bare minimum steps companies must take when making the kind of generic we-protect-the-information-you-give-us statements found in most privacy policies. The FTC claimed Life is good offered such reassurances but failed to have in place sufficient measures (from the FTC's view) to back them up, based on the ability of a hacker to use SQL injection attacks on Life is good’s website to access consumers' credit card numbers, expiration dates, and security codes. To resolve allegations in a draft complaint the FTC had prepared alleging unfair trade practices, Life is good settled the claims by entering a consent decree requiring it to adopt a comprehensive information-security program and obtain biennial audits by an independent third-party security professional … for the next 20 years.

Identity Theft Enforcement and Restitution Act of 2007 Introduced

Posted by Joe Addiego

The Identity Theft Enforcement and Restitution Act of 2007 recently was introduced to the Senate Committee on the Judiciary by Senator Patrick Leahy, the Chair of that Committee. The purpose of the bill is “to enable increased federal prosecution of identity theft crimes and to allow for restitution to victims of identity theft.”

The bill is aimed at “malicious spyware, hacking and keyloggers,” as well as “cyber-extortion,” and it offers a number of remedies that may be pursued by both the government and individuals in response to occurrences of identity theft. For example, if passed into law, any use of spyware or keylogging that causes damages to 10 or more computers would be punishable as a felony. The government also would be able to pursue more incidents of such cybercrime, as the bill would allow prosecution where the victim and alleged cyber-criminal are residents of the same state (the current version of the law would require the theft to occur over interstate or international borders). Further, victims of identity theft would have the right to seek “criminal restitution” from the perpetrator for the time and expense related to the victim’s efforts to restore their credit that was damaged as a result of identity theft. The bill has not yet been scheduled for debate or vote.

The concept behind the bill, particularly allowing victims to seek restitution, has merit, but if it ultimately is passed into law, the real questions will be how many victims will attempt to take advantage of that provision, and whether, practically speaking, they will be able to track down and actually recover monies from the identity thieves.

Purloined postage and privacy problems

Posted by Bruce E.H. Johnson

The Seattle Times, in Saturday's newspaper, reports an unusual privacy scam. In July 2007, a federal grand jury charges, three LA men left LA and went to Seattle to buy 3,200 books of postage stamps worth more than $24,000.

As the Times noted:

Following a pattern that Postal Service investigators have uncovered in at least five Western states, the men made mass purchases of stamps after normal working hours from automated postal machines, which are accessible 24 hours a day in the lobbies of many post offices around the country, prosecutors allege.

The illegal stamp-buying scheme appears to be a novel breed of identity theft, one that blends high-tech thievery, online commerce and the retro currency of the U.S. mail.

FTC Testimony Stresses Importance of Government Agencies Protecting Social Security Numbers

Posted by Ronald London

Recently, the Federal Trade Commission offered testimony before the Ohio state legislature’s Privacy and Public Records Access Study Committee regarding the part government agencies play in identity theft. The FTC told the Committee that public agencies can “play a key role in reducing the incidence and impact of identity theft.” They can do so, said Betsy Broder, Assistant Director of the FTC’s Division of Privacy and Identity Protection, by limiting the amount of personally identifiable information they collect, restricting access to the information, and implementing procedures to respond to data breaches.

Twenty-six IRS Tapes Missing in Kansas City

Posted by Kaustuv M. Das

On Friday, January 19, 2007, The Kansas City Star reported that twenty-six Internal Revenue Service tapes had gone missing from City Hall in Kansas City, Missouri. The IRS had provided the tapes to the municipality of Kansas City as part of “a regular information-sharing agreement between the IRS and the city.” Kansas City uses federal taxpayer information to enforce a local earnings tax paid by people who live or work in the city.

FinCEN Publishes Updated SAR Statistics

Posted by Peter Mucklestone and Kevin Tu

The Financial Crimes Enforcement Network (FinCEN) recently published the seventh issue of the SAR Activity Review – By the Numbers. The publication compiles and updates numerical data gathered from all suspicious activity reports (SARs) filed with FinCEN. The most recent compilation covers the over 3.6 million SARs filed with FinCEN on or before June 30, 2006. Depository institutions, certain money services businesses, casinos and card clubs, and certain segments of the securities and futures industries must file SARs with FinCEN. A review of the compiled data highlights certain statistics and general observations with respect to each type of SARs filing, as follows:

FinCEN Issues Guidance on Mutual Fund SAR Compliance

Posted by Peter Mucklestone

The Financial Crimes Enforcement Network (FinCEN) recently issued guidance in question and answer format designed to help mutual funds in meeting their obligations to file suspicious activity reports (SARs). SARs are reports that identify and describe transactions that raise suspicions of illegal activity. Mutual funds must commence filing SARs with FinCEN with respect to transactions occurring after October 31, 2006.

The SAR reporting requirement applicable to mutual funds is intended to be uniform with reporting requirements already established for other financial institutions, such as banks, broker-dealers, casinos, and money services businesses.

Feds Not Yet Required to Notify Individuals of Data Breaches, But They Should Be, and Soon

Posted by Joe Addiego

The San Francisco Chronicle recently reported that since 2003, nineteen different federal agencies have suffered the loss or theft of confidential data pertaining to individuals, yet few, if any, of these agencies reported the breaches. The reason? There are no data breach reporting requirements applicable to the federal government, which raises the question: why not? This lack of accountability for the feds is particularly troubling, since thirty-three different states already have passed data breach notification laws.

Lost Your Identity? Talk to HR

Posted by Joseph Vance

A growing number of employers are offering employees a new type of benefit: identity theft resolution services. According to a recent Wall Street Journal article, Rite Aid Corp, Reed Elsevier PLC, and Qwest Communications International Inc. are among the companies that have recently started offering identity-theft resolution services to their employees as a workplace benefit.

Stalemate in the Battle to Protect Against Internet Credit Card Fraud

Posted by Peter Mucklestone and Stuart Louie

High ranking security experts at both Visa USA Inc. and MasterCard International Inc., two of the world's largest credit-card associations, have suggested that the struggle to protect against the fraudulent use of credit card and accountholder information has reached a stalemate, and those tasked with enforcement are in danger of losing ground. According to recent data compiled by the F.B.I., in 2004, the incidents of internet-related credit card crimes increased by sixty-six percent (66%) and the average reported loss associated with each such incident tripled to $2,400.00.

California Court Rules that Personal Notification Not Required in CardSystems Data Breach Case

Posted by K.M. Das

In one of the first tests of the notice provisions of California's data breach statute — Senate Bill 1386 (codified at California Civil Code § 1798.82) — San Francisco Superior Court Judge Richard Kramer ruled that Visa and MasterCard do not have to send individual notices to thousands of their customers in California based on the CardSystems data breach that occurred between August 2004 and May of this year.

Cops get ChoicePoint Data?

SiliconValley.com reports that a Miami-Dade County police officer has been relieved of duty and is under investigation for allegedly obtaining unauthorized access to Social Security numbers and other personal data on 4,689 people maintained by ChoicePoint Inc. The company reported that the Secret Service was investigating the matter -- at this point, it does not appear that any identity thefts have occurred.

Financial Aid Files Compromised in Cal State Database Breach

On August 26, in accordance with California Information Practice Act (SB 1386), California State University sent a letter to 154 students and administrators notifying them of a potential data breach involving student financial aid records housed in the university chancellor's office.

Cancelable Biometrics -- Outsmarting Gummy Bear Attacks and Enhancing Privacy

The Associated Press is reporting today on the use of sophisticated algorithms to alter biometric snapshots to provide an extra layer of protection against breaches of biometric authentication systems, with the added benefit of limiting the potential invasion of privacy that such systems may represent.

Most Computer Crimes Against U.S. Citizens Are Perpetrated by U.S. Criminals

There have been several reports of thefts of bank card data that appear to have originated in non-U.S. countries. For example, a recent investigation of a particularly malicious type of keylogger software that was surreptitiously installed on numerous home computers and sent bank account numbers and passwords to a server, showed that the server's domain was registered in China. Another group of data thieves, who use pop-up ads to download Trojans to steal bank card data, were reported to be based in South America.

MMORPG Worm A Threat to Virtual Swag

The trading of virtual objects for real-world cash is a well-established practice in the world of Massively Multiplayer Role-Playing Games (MMORPGs), and this virtual market by some estimates may be worth nearly a billion dollars (US). There are now reports of a new worm that targets players in one such MMORPG and is designed to allow crooks to steal those players' virtual assets.

Potential Business Liability for Failure to Secure Consumer Data

In the first seven months of 2005, the personal information of more than 50 million individuals in the U.S. has been stolen by data thieves or lost by U.S. businesses. That's 10 times the number affected by data breaches in all of 2003, the last period for which comparable figures are available. DWT attorney Randy Gainer discusses the causes of the dramatic increase in the number of data breaches and the lawsuits that have been filed because of the data thefts in a recent article available here.

Data Security and the Risk of Outsourcing

In separate, recent incidents, British and Australian journalists were able to purchase customer data including bank account, credit card, passport and driver's license details of U.K. and Australian customers from an Indian call center. The call center was used by a U.K. bank and an Australian telemarketing company.

Beyond Phishing: Pharming and Crimeware Attacks

In a recent study conducted by the Anti-Phishing Working Group, a global association of ISPs, banks, law enforcement agencies and other concerned parties, it was noted that incidents of phishing (the use of fraudulent emails to dupe people into sharing personal information such as bank account passwords, PINs and/or credit card information), while still rampant on the internet, are increasing at a slower rate.

ATM Card Phishing

A report issued August 2, 2005, by Gartner, Inc. describes how thieves have stolen more than $2.75 billion by using phishing scams to obtain debit card account numbers and PINs from unsuspecting consumers. The thieves use the account numbers to create fake cards, then use the cards and PINs to drain consumers' accounts, leaving consumers to deal with the bounced checks and the banks to reimburse the victims, as described in more detail here. The debit cards of some banks, such as Bank of America, are not targets because the banks take advantage of a second track on the magnetic strips on their cards to embed additional security codes that consumers -- and therefore data phishing thieves -- don't know about. Banks whose debit cards have been hard hit by these attacks have begun using the second track on the magnetic strips on their cards and have beefed up their security codes in order to prevent the attacks.

Posted by Randy Gainer

Congress Considers Security Breach and Data Security Bills

Last week, the Senate's Commerce, Science and Transportation Committee unanimously approved an identity theft bill, entitled the "Identity Theft Protection Act of 2005" (S. 1408), designed to "set[] national standards to safeguard individual personal information, to notify consumers of data breaches, to require businesses to improve their safeguards for sensitive consumer information, to give consumers the right to freeze their credit reports to thwart identity theft, and to limit the solicitation of social security numbers by commercial entities." If enacted, the bill would authorize the Federal Trade Commission to specify "physical and technological safeguards" that business and other entities that collect personal information would be required to put in place.