Monday, December 31, 2007

2008 Privacy Roundup

Privacy International has released its 2007 International Privacy Rankings. Sadly, the United States ranks last in terms of statutory protections and privacy enforcement of all the countries in the democratic world. Among the points noted about U.S. privacy protection were that state data breach notification laws had proven useful in identifying security faults, but that Congress had approved presidential spying program, and is considering retroactive immunity for telecoms (something I wrote about here, and will almost certainly write more on in the future). One thing I'd like to point out in this is that the problems the report identified (e.g., presidential spying) are coming from the Federal Government, while the bright spots in privacy protection (e.g., data breach notification laws) are implemented at the state level. To my mind, this provides further evidence that we should be cautious in pushing for a federal data breach notification laws, given that they could preempt the state laws which are already in place and have proven to be effective.
(via BoingBoing)

Thursday, December 27, 2007

2008 Budgets Beefed Up for Data Security Expenses

One item that is not getting short shrift in the community bankers' 2008 budgets is expenses for protecting consumer data. While controlling costs has consistently been a top priority for these financial institutions, many report being fearful of an unauthorized infiltration of their bank databases, and are investing security related technology. In an article in the December 21, 2007 American Banker, bankers report that criminals are constantly searching for a weakness in banks' firewalls, and that they must continually monitor such attempts to be certain they have addressed any vulnerabilities. These banks now appear to be keenly aware of the damage to their reputation that could result from a data security breach, particularly where it could be shown that they did not take sufficient preventive steps to stave off an attack. This reputation risk, combined with increased attention being paid to banks' risk management policies and procedures by banking regulators, has caused banks to increase their budgets on fraud detection technology for the coming year. Reports of banks who were unprepared when a hacker "intrusion" occurred, and the resulting financial resources required to address the aftermath, have been a "wakeup call" for many banks. It has been this writer's frustration over the past several years that risk of data security breach has not been taken seriously enough. In the end, however, it appears that it was the plight of these victims of security breaches that finally convinced financial institutions that being penny wise and pound foolish should not be their motto when it comes to securing customer data.

Wednesday, December 19, 2007

Congress Ignores Individual Privacy

"Wider Spying Fuels Aid Plan for Telecom Industry" - that's the headline of this article from the New York Times (via CNET). In a sane world, that type of headline would be appropriate for an article describing legislation designed to help telecoms fight hackers who are spying on their networks, or avoid industrial espionage by unscrupulous rivals. In this world though, the headline is about a plan to grant telecoms retroactive immunity from lawsuits for spying on American citizens. Previously, it had been thought that telecoms had helped the Bush administration spy on American citizens as part of the government's counterterrorism operations - activities that have led to lawsuits being filed (see here for more info). The telecoms, understandably worried about losing in court, lobbied for a bill granting them retroactive immunity from suit. Thanks to some political controversies that I'm not going to get into (though you can get details here), the retroactive immunity bill hasn't gone through - which led to the article about wider spying fueling aid plans for telecoms. Apparently, telecoms weren't just providing information in terrorism investigations, they were providing information on everything. In other words, they were engaging in "wider spying." If I were a senator, I would react with outrage. After all, spying isn't a positive good that should be encouraged. However, I'm not a senator, and the senators we do have apparently feel that wider spying is something to be encouraged, and therefore the wider spying, instead of sinking the telecoms' bid for retroactive immunity, actually aided it, the fact that "wider spying" basically means that individual privacy is routinely violated apparently meaning nothing to our elected representatives. A dark day for people who care about privacy.

PostScript: Happily for supporters of rule of law, the retroactive immunity bill hasn't gone through (again, thanks to the political controversies describes here).

Are Security Breaches the Cause of Identity Theft?

Frequent news reports in 2007 of data security breaches have heightened the public's and business' concern over the risk of identity theft. The FTC estimates that 9 million Americans will have their identity stolen this year, so there is clearly cause for concern. But in what percentage of these reported incidents does an identity thief actually make use of the information that has been compromised? What if the thief was actually a member of the clan?

Most of the breach incidents reported concern lost or stolen laptops containing sensitive personal information, unencrypted backup data tapes, careless document disposal and destruction, and inadequate security procedures related to database and document protection. In fact, most of these breaches have not resulted in identity theft, as reported in recent testimony by the FTC. The greater risk of identity theft, says the FTC, arises in the case of deliberate criminal action, such as insiders who take a bribe to reveal sensitive personal information or to use it themselves. Companies would be well-advised to focus their attention on their internal security processes by restricting access to personal information of their customers, clients and employees, and adopting other measures to prevent insider abuse. According to some reports, one in three cases of identity theft are the work of employee insiders who have taken workplace records, in most cases of a customer or client.

Certain industries are more vulnerable to identity theft than others. The retail industry holds the highest number of incidents of employee theft, where by some estimates nearly 60% of workers steal personal information to commit identity theft. The financial services industry is second, with 22%. The reason for the difference between the two industries is likely due to the safeguards that are mandated by the Gramm-Leach-Bliley Act and government regulations.

Most of the thieves who have been apprehended did not have a prior criminal history, so that background checks would not provide a solution. The FTC recommends that companies take five security measures to help protect information from insider theft:

1) Take stock of what personal information is in company files and track where it goes within the company
2) Reduce wherever possible the personal data of customers and employees that is stored
3) Protect the information kept by the company by both physical and technological controls
4) Dispose of unneeded information using appropriate means
5) Plan ahead for responding to security incidents, closing off threats to personal information, and evaluating whom to notify in case of an incident.
FTC Guidance

Tuesday, December 18, 2007

New North Carolina Privacy Protection Law

North Carolina has a new law protecting individual privacy. The law adds to North Carolina's existing identity theft protection act by making it a violation of the act for any person to
knowingly broadcast or publish to the public on radio, television, cable television, in a writing of any kind, or on the Internet, the personal information of another with actual knowledge that the person whose personal information is disclosed has previously objected to any such disclosure.
Looking at its text, the North Carolina law seems to have been written to actually be enforced by aggrieved individuals. Indeed, the North Carolina law explicitly states that it can be enforced by individuals, rather than limiting the right to bring suit under the law to the state attorney general. Also, the North Carolina law includes a statutory damages provision, which addresses difficulties that individuals have had showing actual damage in previous data exposure cases. See, e.g., here and here.

So what's behind these consumer friendly features of the North Carolina law? I think there are two forces at work. The first is an individual named Glenn Hagele (web site here), who lobbied for this specific law to help address a specific fact pattern - where an individual's personal information was made available on the Internet as a reprisal for that individual's public statements. Without Glenn's work on the law, there is simply no reason to think it would exist. The second force I see is more systemic. Identity theft is still a significant concern for consumers (e.g., this article from the AARP describing identity theft concerns of older Americans) and with a seemingly endless stream of high profile incidents taking place, legislators are probably feeling pressure to do something about it. While data breach notification acts revealed that there is a problem with personal information being revealed, the repeated failures of consumers in court have shown that current law doesn't really give individuals the tools they need to protect themselves. Laws like that in North Carolina, which explicitly give consumers a right to sue for statutory damages, could be a step that more legislatures will take in the future to remedy that situation.

Thursday, December 13, 2007

Privacy Red Tape

One argument I often hear (and not just in the privacy context) is that regulation is just red tape - it imposes costs on businesses, it doesn't achieve it's stated goals, and we'd be better off without it. However, a new study of Chief Security Officers from the University of California-Berkeley School of Law indicates that (at least on the context of security breach notification laws), that argument is simply wrong. Among the study's other findings:

Breach notification laws have significantly contributed to heightened awareness of the importance of information security throughout all levels of a business organization and to development of a level of cooperation among different departments within an organization that resulted from the need to monitor data access for the purposes of detecting, investigating, and reporting breaches. CSOs reported that breach notification duties empowered them to implement new access controls, auditing measures, and encryption. Aside from the organization's own efforts at complying with notification laws, reports of breaches at other organizations help information officers maintain that sense of awareness.

In any case, probably not a big surprise to those of us who are already concerned about privacy, but something to keep in mind if confronted with arguments that privacy regulation won't help consumers in any case.

Via Schneier on Security.

Wednesday, December 12, 2007

Data Breach Notification Prioritized over Identity Theft Restitution

According to this article from SC Magazine the House Judiciary Committee is likely to give precedence to a bill making it a federal crime to fail to notify law enforcement in the event of a major security breach. The alternative proposal, which is not expected to be voted on before the end of the year, would have made it easier for victims of identity theft to recover compensation and also would have facilitated prosecution of individuals deploying botnets. Based on my understanding of the legislation, I'm not sure that either bill would have any real effect. State data breach notification statutes already have the effect of forcing businesses to disclose when a security breach takes place, so I'm not sure what would be accomplished by having a separate federal law which requires only notification of law enforcement. Regarding the bill which would help victims of identity theft recover compensation, victims of identity theft can get compensation now (or more than compensation, as described here) - assuming they can find the thief. The reason people end up having to eat costs of identity theft isn't because the law won't help them, it's because they can't find the perpetrator. Similarly, when it comes to prosecuting individuals who maintain botnets, I don't see the problem as being one with existing law. Instead, finding people controlling botnets can be difficult, end even if they are found, there is no guarantee they will be within the reach of U.S. courts.

With that having been said, I think the mere existence of these bills is a positive step. The federal government is way behind the states when it comes to protecting privacy, and privacy protection is something that (ideally) should be approached in a manner that isn't limited by state borders.

Tuesday, December 11, 2007

Incredibly Narrow Privacy Protection

In case you were worried about unauthorized disclosure of personal information by a video tape service provider, you will be happy to know that there is a law which is specifically designed to prevent video tape service providers (and those they communicate with) from knowingly disclosing their customers' personally identifiable information. An interesting discussion of how that law might actually be applied can be found here (via BoingBoing).

As a note, while ridiculous, the level of specificity of the law mentioned above isn't unusual. A good example of an even more specific law is 17 USC 110(5)(b)(i)(II), which sets forth specific diagonal screen lengths in inches for equipment that can be used to make an audiovisual display without infringing a copyright.

Monday, December 10, 2007

Children's Online Privacy Protection Act Enforcement in Texas

As described in this article from Computer World, the Texas attorney general has sued two web sites for violations of the Children's Online Privacy Protection Act (COPPA). According to the article, the two sites collected personal information from children under the age of 13 without obtaining sufficient verification of parental consent, and without giving the children the opportunity to review or pull back the data.
There are two things I find particularly interesting about the article. First, this article is another demonstration (to me) that law enforcement in Texas is taking its responsibilities regarding individual privacy relatively seriously. As described previously here, this year the Texas attorney general has repeatedly brought suit based on violations of privacy law, for example, for improper disposal of customer records. Thus, the actions by the Texas attorney general show what can be done if state law enforcement is willing to take an active role. The second thing I found interesting about the article was it stated that this enforcement by the Texas attorney general was the first to be brought under COPPA. COPPA was passed in 1998. To me, that shows just how far we have to go in terms of actually enforcing even the (relatively minimial) privacy protections that the law does provide.

Wednesday, December 5, 2007

The Forgotten Side of the TJX Litigation

As it happens, the TJX litigation isn't only about TJX. That litigation is actually about lawsuits against both TJX and Fifth Third, TJX's bank. The relationship between Fifth Third and TJX was that, when a consumer would make a credit card purchase, the information from that purchase would be sent from TJX to Fifth Third. The information would then be sent to the bank that issued the credit card to the consumer, who would say either yea or nay, then the information would be passed back to TJX through Fifth Third. For some purposes in the litigation, TJX and Fifth Third could be (and were) given the same treatment. However, the unique status of Fifth Third came to the fore when the judge in the TJX litigation decided to deny class certification to the issuing banks in their suit against TJX. For class certification, it was necessary that there be some assurance that the issuing banks would vigorously prosecute the litigation, and that there be no conflict between the members of the class as a whole. The problem raised by Fifth Third's relationship with TJX is that some of the issuing banks suing TJX were also acquiring banks, that is, they functioned in the same capacity for their customers as Fifth Third had for TJX. The result was that the court found that a verdict which imposed liability on Fifth Third could actually be negative for some of the banks filing suit - leading to a conflict between those banks and the banks which only issued credit cards, but did not act as acquiring banks. For the court, that conflict provided an independent reason why class certification in the parallel action against Fifth Third was inappropriate.

Tuesday, December 4, 2007

Bankers' Class Action Rejected

Last Thursday, the judge in the ongoing TJX litigation denied the motion for class certification by financial institutions seeking to recover damages caused by cancelling and reissuing credit cards. The primary reasons given by the court for denying class certification was that the issues of whether any individual banks relied on TJX's maintaining adequate security, and whether any losses for individual banks were caused by TJX's security breach (as opposed to, for example, unrelated fraud) predominated over issues common to the class seeking to sue TJX.

Assuming that the court adheres to its denial of class certification (there is a pending motion to amend the banks' complaint, and there will likely be an appeal of the denial of class certification) the result will be that individual banks will have to either drop their litigation against TJX, or pursue their cases on an individual basis. Realistically, many of the bankers' claims will likely be too small to justify the costs of pursuing individual litigation, meaning that the denial of class certification could effectively end TJX's current legal troubles. Accordingly, this decision should be seen as a big (albeit potentially temporary) win for TJX, and a similarly large setback for those seeking to recover costs caused by that breach.

Sunday, December 2, 2007

TJX Settling Out?

According to this article from Computer World TJX has proposed to pay $40.9 million to banks that issued Visa cards potentially affected by TJX's massive data breach if the affected banks agree not to pursue litigation against TJX. The article describes TJX's offer a move which could save "tens of millions of dollars in lawsuit damages." Actually, that's understating things quite a bit. In paragraph 96 of the fifth amended complaint in the ongoing litigation regarding the TJX breach (case number 1:07-cv-10162), a bankers association seeking class certification alleged that "The cancellation and reissuance of cards resulted in damages and losses to Plaintiff Banks and members of the proposed Class of up to $25 per card." As the first paragraph of that same complaint alleged that "approximately 100 million credit cards were compromised because of TJX's acts and omissions," it seems that there were potentially up to 2.5 billion (25 dollars/card * 100 million cards) dollars in damages. Even assuming that the $25 per card cited as the maximum in the lawsuit is unrepresentative, and the real cost is lower (e.g., the 10 dollars/card quoted in this posting), the cost of canceling and reissuing almost 100 million cards is certainly greater than the $40.9 million offered by TJX. Of course, there's no guarantee that the banks would win if they did pursue litigation. However, if TJX ends up eliminating its litigation risks from banks who had to reissue cards for only $40.9 million, then TJX would dodge a very big bullet at only a (relatively) low cost.

Saturday, December 1, 2007

Study Finds Costs of Data Security Breaches Rising

2007 has not been a good year for consumer data security, if one measures by the size and number of records compromised by data security breaches that have occurred this year. Data security breaches have affected millions of consumers around the globe. Large scale breaches grabbed the headlines, beginning in January, 2007 with the theft of the personal information of 45 million customers of the retailer TJX, and culminating with the loss of personal records of 25 million national insurance and child benefit recipients in the UK by a government agency last month.. In between were reports of breaches at the U.S. Department of Veteran’s Affairs, the U.S. Department of Agriculture,, the State of Ohio, and numerous colleges and universities. The Consumers Union reports that the total number of records of total number of records containing sensitive personal information involved in security breaches in the U.S. is currently 216,251,736, although this number is likely larger since in the case of many breaches, the total number of records compromised is unknown.

A recent study by the Ponemon Institute shows that data breach costs continue to rise. Ponemon Press Release In its 2007 Annual Study: Cost of a Data Breach, it found that in 2007, data breach incidents cost companies an average of $197 per compromised customer record, compared to $182 in 2006. Lost business opportunity, including customer turnover and expenditures to acquire new customers, was the most significant component of the cost increase. Other cost factors include legal, investigative and administrative expenses, reputation management, and costs related to customer support, such as credit monitoring fees and consumer hotlines. The study found that one category of expenditure had decreased from 2006, however; the cost of notification of consumers fell 40 percent, decreasing from $25 per customer in 2006 to $15 per customer in 2007. This may indicate that the data breach notification and security freeze laws enacted in more than 30 states, many of these laws became effective in 2006 and 2007, have allowed for a more certain and measured approach to notification to U.S. residents by companies than in the past.

Consumers have noticed the increase in data security breaches, and consumer confidence in the organizations with which they share their data has declined. In a separate study, the 2007 Consumer Survey on Data Security issued by Vontu and the Ponemon Institute, 62% of respondents indicated that their personal data had been stolen, and 84% of those respondents reported increased anxiety and loss of confidence resulting from the data loss events. Such a loss of trust will likely affect the consumers buying behavior. While consumers may toss the annual privacy notices received from their financial institutions, consumers do read the privacy notices on websites, and truly care about these notifications.

Companies will be wise to make note of the results of these studies. The persistent problem will continue to be how companies deal with data security. Preventing compromises in data security is the surest way to avoid the costs and issues discussed above. The study makes clear that erecting another firewall within the company isn’t the solution, since the confidential data to be protected is actually in the possession of third parties. More than a third of data breaches result from data being shared with third parties in connection with outsourcing arrangements. Companies need to look closely at how they are sharing the data with their third party service providers, what security measures they have imposed on their providers, and work with the providers to make certain the necessary data security strategy that has been agreed upon is in fact in place. Too often, the company hires a company, shifts responsibility for security of the data to be processed by the third party service provider to that party, and never gives it another thought. Requiring periodic audits and reports can help detect weaknesses in the security of the data and perhaps avoid the expense and embarrassment of a security breach.

Friday, November 30, 2007

VA case going to mediation

The case I wrote about here and flagged as interesting and worth watching has gone to mediation (article here). Now, this doesn't mean that the case is necessarily going away (I've been involved in unsuccessful mediations - if the parties are simply too far away, there's very little the mediation can do). However, it does mean that there likely won't be any further developments in the case for the time being. From my perspective as an outside lawyer, that's too bad. As I wrote previously, the case looked interesting and I would have liked to have watch it play out.

Tuesday, November 20, 2007

Cross Border Data Privacy Issues Presented on Both Sides of the Atlantic

In a recent post on the Massachusetts security breach legislation, I explained that the law is applicable to anyone who has control of the personal information of a Massachusetts resident. This would apply to a "person" (used broadly to include individuals and non-individuals) located anywhere, whether within the U.S. or in another jurisdiction. If a security breach occurs that results in the disclosure of the personal information of a Massachusetts resident, the notification and other obligations under the Massachusetts law apply to the offshore company. Similarly, the European Union Privacy Directive 95-46 imposes restrictions on its members with respect to the transfer of personal data of the citizens of EU Member states. See Directive here . Further, each of the member states has enacted privacy legislation following the template provided by the EU Privacy Directive, and in some cases imposing even stricter or more detailed privacy protection requirements that must be adhered to before the data can be transferred out of the EU to another jurisdiction. Essentially, the country into which the data will be transferred must offer "adequate protection." Since the US has not received the "adequate protection" designation from the EU, a US company wishing to effectuate the transfer of personal information from an affiliate or third party service provider located in the EU has several options for meeting the requirements of the EU Privacy Directive and avoiding the fines that can be assessed against violators, including Safe Harbor certification, binding corporate rules, and accepting contractual obligations.

It would appear that the two sides of the Atlantic have yet another difference in their respective approaches to consumer data privacy: the EU countries are focused on preventing data privacy breaches by imposing protective requirements and by limiting cross-border transfer of personal data. On the other hand, the vast majority of US states have faced the inevitability of data security breaches, and have focused on notification requirements and identity theft preventive measures. Meanwhile, reports of data security breaches continue to make headlines on both continents, and there appears to be no end in sight.

Data Exposure Claim Survives Motion to Dismiss

The D.C. District court has issued a noteworthy opinion in the ongoing consolidated litigation related to last year's potential theft of 26.5 million records (article here, case number 1:06-mc-00506). As described in this article, the plaintiffs in the case alleged damages based on "embarrassment, mental distress, emotional trauma and the threat of future identity theft." Some plaintiffs also requested compensation for having to pay for credit monitoring services. As has been noted previously (e.g., here), Plaintiffs alleging those types of damages generally lose. In fact, earlier this year, the D.C. District court dismissed a data exposure case alleging similar damages based on the proposition that "an allegation of increased risk of identity theft due to lost or stolen personal data, without more, is insufficient to demonstrate a cognizable injury." Randolph v. ING, 486 F. Supp. 2d 1, 7 (D.D.C. 2007). Given that history, the court's decision to let the litigation against the department of veteran's affairs seems, at least initially, to be a departure from what had been settled precedent. While it is unclear what effect this decision will have in the future, because of it, the underlying case is definitely worth watching.

Sunday, November 18, 2007

Variation in State Laws: A Problem to be Solved?

Over at the Compliance and Security Connection, there's a post up about potential problems with "The Tangled Web of Data Breach Notification Laws." The post describes the difficulties that had when it experienced a data security breach. According to the post

Bananas apparently failed to meet all the various state notification requirements and was subsequently slammed with fines and fees by major credit companies...The issue is the variation between the different state consumer notification laws.

However, neither the post, nor the article it refers to (link here) explains how the variation in data breach notification laws hurt While the article isn't clear on this point, the fees ended up paying were almost certainly imposed based on's agreements with the credit companies, not on any state data breach notification act. Indeed, many state laws (e.g., Indiana's) are written so that they are enforceable only by an action brought by the state attorney general. Thus, while variation in state laws might be annoying, blaming that variation for fees imposed by credit companies sees a bit unfair.
Similarly, while the post intimated that complying with varying state requirements is more difficult than complying with a single national standard would be, there is no evidence that that is the case. An an analogy, in the area of environmental regulations, California has the authority to enact its own emissions standards, which can be more stringent than those imposed by the EPA. The result, according to automakers, is not a patchwork of different standards - its a single de facto national standard, since a company complying with the more stringent California rules will automatically be in compliance with the less demanding EPA rules (for an article describing some legal consequences of the relationship between California and the EPA, see here). A similar strategy of following the most stringent requirements can be applied to data breach notification laws. For example, by complying with the requirement to notify consumers if there is a breach, a company will automatically comply with a requirement to notify customers if there is a breach combined with a risk of harm.
In general then, I remain unconvinced that variation between state laws presents any real burden. I also think that such variation can be beneficial, as individual states can engage in experimentation to try and appropriately balance the intersts of businesses and consumers. A federal law (such as was called for in the post) might smooth out variation, but it would also cut out the experimentation currently going on between different states - a real drawback that should be considered when evaluating whether such a law should be passed.

Link to the Compliance and Security Connection provided by George Jenkins at I've Been Mugged.

Friday, November 16, 2007

Protecting Against Yesterday's Threats

Over at Bruce Schneier's blog there's a reference to a paper that includes the criticism of security efforts that "Most 'security' efforts are designed to stop yesterday's attacks but fail completely to stop tomorrow's attacks and are of no use in building invulnerable software. These efforts are a distraction from work that does have long-term value." While I understand the frustration the author of the paper must feel from dealing with the aftermath of new attacks which are not prevented by backward looking technology, I think the criticism is misplaced. The systems which are the most vulnerable are not the ones which will be compromised by an innovative new hack - they're the ones that can be compromised using hacks that have been known for years. Case in point: TJX, where the largest data breach in history took place because of TJX's use of Wired Equivalent Privacy which was known to have been compromised years before the breach (article here). If TJX had protected against yesterday's threats, the individuals who hacked it might have moved on to try and find a softer target, rather than trying to develop some innovative new attack technique to get through at TJX.

From a legal perspective, focusing on the threats of the past also makes sense. In many cases, liability will swing on whether some harm was foreseeable or whether an actor exercised reasonable care. In a court case, it's much harder to argue that a risk of a data breach wasn't foreseeable, or your care was reasonable, if you hadn't even protected against yesterday's (i.e., known) threats. This isn't to say that it isn't also important to try and head off threats before they materialize by using good security practices. However, it's important not to let the perfect be the enemy of the good, or to let the value of learning from the past be overlooked.

Thursday, November 8, 2007

Massachusetts Bill Has Universal Applicability

Massachusetts is the latest state to provide its citizens enhanced protection from identity theft. The law, entitled "An Act Relative to Security Freezes and Notification of Data Breaches" (the "Act"), was signed into law on August 2, 2007. the Act It consists of three main weapons: mandatory notification requirements in the event of a data security breach; data disposal requirements; and a "security freeze" procedure. The disposal requirements are effective on February 3, 2008 and the other two were effective October 31, 2007. There is nothing remarkable or new in the Act's requirements, but its expansive coverage sets it apart from the other states' laws. It applies to anyone who holds information relating to Massachusetts residents, and is not limited simply to those who conduct business with Massachusetts residents. This means natural persons, corporations and government agencies all are subject to its requirements, and is not limited to those who do so for business purposes. This could expand the coverage to include not for profit organizations such as PTAs and scout troops which collect personal information of their members, as well as less formal arrangements such as where a child handles financial matters for an aging parent. While the Act is likely to have minimal impact on financial institutions, since federal regulations already impose similar requirements, one wonders what the legislature's intent was in potentially subjecting individuals in a personal or non-commerce relationship to fines and Attorney General enforcement actions. Fortunately, there is no provision for a private right of action, so the Massachusetts court system should not see an increase in inter-family litigation resulting from the Act.

Tuesday, November 6, 2007

Emotional Damages for Data Exposure

About a week ago, a friend of mine (whose name will be withheld unless he or she tells me to reveal it) asked what I thought about the approach to damages taken by the plaintiffs in Pisciotta v. Old National Bancorp (previous blog post about that case is here). In that case, the plaintiffs, in addition to asking for damages to cover credit monitoring costs, also requested compensation for emotional damage caused by elevated risk of identity theft. The problem is that, as in most identity exposure cases, the court dismissed the plaintiffs' cause of action saying that they had suffered no present compensable injury because their identities hadn't actually been stolen. The emotional harm the plaintiffs may have suffered was dismissed as being connected to the potential future harm, rather than to any completed present harm.

My guess is that plaintiffs in the future aren't likely to get much mileage out of emotional harm arguments. Courts have uniformly rejected claims for damages based on exposure of data, and the 7th Circuit in Pisciotta v. Old National Bancorp was simply following the trend. Where plaintiffs may be more successful is cases where they can show that they have suffered some direct out of pocket cost (other than credit monitoring) as a result of a security breach. This includes not only individual consumers who are victims of identity theft, but also other commercial entities, such as banks, who are forced to spend money by the breach itself (e.g., by reissuing credit cards).

Sunday, November 4, 2007

6th Circuit Holds No Right to Privacy in Mug Shot, etc.

In Bailey v. City of Port Huron, the Sixth Circuit held that a person charged with drunk driving does not have a privacy right in her mug shot, name, husband's occupation, or phone number. The U.S. Constitution does not provide a right a privacy for this information.

Dorothy Bailey and her husband, a sheriff's deputy, were involved in a one-car, alcohol-related rollover accident. The police department issued a press release about the incident and provided information to a local television station in response to a Freedom of Information Act (FOIA) request.

After the release of this information, the Baileys faced some harassment, such as being followed by two men in a store that Ms. Bailey recognized as men her husband had investigated. Also, someone deliberately cut their cable line.

Although the court recognized that substantive due process provides some privacy protection, those protections do not apply to one's criminal record. For more on the state of constitutional substantive due process rights, see Daniel O. Conkle's 2006 law review article: Three Theories of Substantive Due Process.

In short, the court concluded: "As a matter of federal constitutional law, a criminal suspect does not have a right to keep her mug shot and the information contained in a police report outside of the public domain - and least of all from legitimate requests for the information from the press."

As we monitor the development of privacy law in civil cases, it remains important to consider how privacy rights are being addressed in criminal matters because they may provide instructive principles or at times require a showing of why civil privacy issues should be distinguished from criminal privacy standards.

Wednesday, October 31, 2007

Merchants Challenged to Comply with PCI Standards

As a follow up to the prior blog post, recent reports from VISA USA illustrate the Faustian choice many merchants are faced with when considering what to do about the requirements for PCI -DSS compliance. Former Level 4 merchants had until September 30, 2007 to demonstrate compliance, with non-compliance carrying stiff penalties. However, the complexity of the standards and the expense of overhauling IT practices have caused many merchants to decide to accept the fines rather than to incur the expense. This is an unfortunate development for the cause of privacy professionals and others who have been advocating tighter security standards as the best preventive steps against data security breaches. The President and CEO of VISA, Philip Coghlin, recently indicated that only 20% of VISA merchants are PCI-DSS compliant. But he also indicated that the industry was advocating even tighter security standards. Such an approach ignores the potential merchant noncompliance with the security standards may have on consumer trust of e-commerce. If the standards are difficult to comply with so that compliance is lagging, consumer confidence in the electronic delivery system could erode. article

Tuesday, October 30, 2007

Security Benefits of Compliance

Computer World has an article (link) up by Dan Sarel, vice president of products at a database security company, in which Mr. Sarel provides his perspective on "Why we still invite data breaches." The article mentions various breaches (e.g., TJX,, Fidelity Information Services), and laments that
It may be impossible to secure enterprise data completely, but as the threat landscape changes, enterprise security has been slow to catch up. For some, new standards such as the credit card industry's PCI-DSS served as a wakeup call. Yet many companies that have gone through the process of complying with new security standards still remain far from securing themselves.

While I think Mr. Sarel's point that many companies are still not secure is basically accurate, I was surprised about his characterization of companies that have gone through the process of complying with the new security standards as "far from securing themselves." Actually complying with the relevant standards can have a significant impact on an organization's security. Case in point: TJX. According to publicly available data, that company's breach was made much worse than it had to have been because TJX had basically no idea what was going on - even to the point that hackers passed encrypted messages to each other over TJX's network. That type of use of a compromised network would have been detected if TJX had been following the 10th requirement of the PCI DSS: track and monitor all access to network resources and cardholder data. Rather than leaving a company far from securing itself, compliance with the applicable regulations (e.g., GLBA, HIPAA, PCI DSS) actually leads to better security. This is something that Mr. Sarel glosses over when lumping compliant and non-compliant entities together, and, in my opinion, is something that weakened his article overall.

Friday, October 26, 2007

Interdepartmental Coordination Key to Effective Data Security Breach Prevention

Two recent reports illustrate the importance of coordination of security measures among various internal functions. A recently released security intelligence report and survey by Microsoft revealed that the failure of various company functions to coordinate security efforts is a primary reason for mismanagement of data, and increases the odds of the occurrence of a data security breach. Microsoft article The survey found that the marketing function, the privacy function, and the security function all tend to think that the IT department is taking care of securing the company's data. Further, security and privacy functions depend on the marketing function to operate in a manner that protects sensitive data. The study found a direct relationship between the incidence of data security breaches and the extent of collaboration among departments. In those companies where there was good collaboration among departments, the incidence of a breach was only 29%, compared to 75% in those companies with poor collaboration. Two recently reported data security breaches by Home Depot Home Depot report and Iron Mountain Iron Mountain report also underscore the importance of various company functions working together to assure that security measures adopted are actually serving the desired purpose. Neither case involved infiltration of the companies' systems, but were the result of either lost or stolen laptop or backup disks. Both companies rushed to reassure potential victims that the data was password protected, and in the case of Home Depot, that it was encrypted. However, even though the IT departments in these cases has properly acted to institute such protections of customer and employee data, it is important to work with the legal function and other senior management to be certain that it is possible to prove that the stolen data in fact can't be tampered with. By working together, a company's collective expertise will provide the optimum protections against data security breaches.

Thursday, October 25, 2007

Bigger Trouble for TJX

Apparently, the TJX breach could have been bigger than previously estimated. According to court papers filed by plaintiff banks and bankers associations seeking class certification (described in this article from Computer World, TJX's breach actually exposed 94 million records, not the 45 million records previously announced. According to the banks, the costs to card issuing companies on Visa accounts alone already total between $68 and $83 million.
So what will the practical effect of all this be for TJX? More bad publicity for one, but that shouldn't be a surprise. There will also be higher legal fees, since more money at stake means that everyone involved will fight more tenaciously. Will TJX be forced to pay the bank's losses? That's a more interesting question. Individuals who try to recover from retailers who suffer from data breaches generally have little success (see, e.g., this post about a case which was thrown out in the seventh circuit). However, the bankers might have better luck. Individuals often lose because courts determine that they can't prove damages from a breach, but the bankers are in a much better position to put actual numbers on the harm they claim to have suffered. On the other hand, the current case is taking place in Boston, and Massachusetts (like every other state in the country except Minnesota) does not have a law which shifts costs of a breach from banks to retailers. This is the case even though Massachusetts was considering such a law earlier this year (see here for an article on that proposed law). My guess is that courts would be reluctant to shift costs from retailers to banks when the legislature considered and rejected such a cost shift itself.
Happily, I'm not personally involved in this case, so I can just watch and see how it shakes out.

Sunday, October 21, 2007

Pro-Consumer Stirrings in Congress

Recently, Congress has been making some pro-consumer noises on the subject of privacy and information security. According to this article from C|NET, a bill has been introduced in the Senate which would "let victims of identity theft seek restitution for money and time they spent repairing their credit history." My thought is that the bill (assuming it passes, which isn't a sure thing) won't have much practical effect. The law already allows identity theft victims to obtain restitution (and more) from identity thieves and I don't see that federalizing remedies will make much difference. However, the fact that Congress even sees the need to grandstand on this issue is a heartening sign to privacy advocates, since generally concerns about information security and data privacy are, at best, used as stalking horses for things people really care about.

Tuesday, October 16, 2007

Schwarzenegger Rejects New Data Breach Law

The proposed legislation I wrote about here and here, which would have made retailers in California liable for the cost of replacing credit cards of individuals whose data is exposed in the event of a security breach was vetoed by Governor Schwarzenegger (details in this article from Computer World). In explaining his veto, Schwarzenegger cited private sector efforts to address the risk of data breaches, such as the PCI DSS, and stated that those efforts showed that private actors were well placed to handle this issue without government involvement. Whether you buy that reasoning or not, the bottom line is that the bill is dead, at least for now (though its proponents have vowed to keep fighting). This leaves Minnesota as the only state with a data breach notification law which shifts costs of card replacement from financial instutions to retailers.

Monday, October 15, 2007

India Trade Group To Research Data Security Standards

The Economic Times reports welcome news from Nasscom, the the IT industry trade organization of India. The Data Security Council of India (DSCI), which was initiated by Nasscom in recognition of the need to address the lack of security standards for the burgeoning Indian business process outsourcing (BPO) business, has formed a steering committee to look into data security standards. see news bulletin For the last several years, Nasscom has been unsuccessful at getting the Indian legislature to enact data protection legislation. Indian law affords minimal protections for the privacy of personal information. Considering that by some accounts, India controls 44% of the global outsourcing and back-office services, India's BPO clients must rely exclusively on contractual assurances that their customers and employees' data security will not be compromised. The 21 member steering committee is charged with reviewing current security status and development of a business model for DSCI. Additionally, the committee will develop draft model contract templates. Nasscom President, Kiran Karnik, said that the DSCI would work with enforcement agencies to conduct training and awareness programs. Should the committee's work produce the intended results, it will provide some welcome relief and additional assurance to the thousands of companies that have contracts in place with Indian BPOs, and perhaps the motivation to revisit their contracts to adopt the standards if they are adequate for their purposes.

Saturday, October 13, 2007

George Clooney and an Object Lesson on HIPAA

My guess is that basically everyone is aware, on at least some level, that George Clooney was involved in a motorcycle accident (if not, the CNN story is here). Normally, this is something that would hold no interest for me, and it certainly wouldn't be worth putting in a blog about information security and data privacy. In this case though, there's a seems that this "news" was broken by personnel at the hospital where Clooney was treated after the crash, with nontreating employees accessing Clooney's medical records and passing them, along with other information like Clooney's girlfriend's phone number to the press (details here). Such a leak is a clear violation of the HIPAA privacy rules (available here, which as a general rule, require consent for the disclosure of personally identifiable health information. 45 C.F.R. 164.508(a)(1) ("Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section."). Of course, it is possible to de-identify information in compliance with HIPAA. However, there is no chance that the information provided about Clooney could be considered properly de-identified.

So what are the consequences of such a blatant violation? So far, 40 employees at the facility where Clooney was treated are under investigation, and more than two dozen have been suspended without pay. A representative from their union said that the punishment is too harsh, but I'm curious what she expected. Under HIPAA, a health care provider "must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart." 45 C.F.R. 164.530(e)(1). Translation: no matter how sorry the employees are, they are still subject to their employer's sanction policy, which the employer is required by law to enforce.

The take home message of all this? Don't disclose personally identifiable health information, especially not to the media. If you do, federal law requires that you be punished.

Wednesday, October 10, 2007

Credit Freeze Option Gaining Ground

As an increasing number of state legislatures adopt credit freeze laws, two of the three major credit reporting agencies have announced that they will also make credit or security freezes available to all consumers nationwide at a nominal fee. For victims of identity theft, there will be no fee.

To date, only 11 states have not enacted some form of credit freeze law. states listing.

A credit freeze is one of the best tools available to a consumer to thwart an identity thief from continuing fraudulent activities involving a consumer's personal information. A credit freeze is an order to a credit bureau to stop sharing information from a credit report without your express authorization.

Beginning October 15, 2007, TransUnion will permit a consumer in those states where no credit freeze laws have been passed to freeze their information for a $10 fee, or for no fee if the consumer is an identity theft victim. Experian has announced they will make the same service available to all consumers for the same fee, effective November 1, 2007. Equifax has announced that it will also offer credit freezes, but has not provided any details.

The state laws vary considerably with respect to fee caps, duration of freeze, and the ability to lift the freeze temporarily, or with respect to a specific creditor. While the credit bureaus' decisions to permit credit freezes are to be applauded, their initial opposition to some of the state legislative efforts prevented this prevention tool from being available to consumers earlier. Many state legislators were subjected to lobbying against these bills by the credit bureaus as well as their customers -- banks, insurance companies, department stores, and big box retailers. Credit bureaus have long counted on the revenue from selling consumers' credit files to third party creditors, and the users didn't want the flow of this valuable source of potential customers to be stemmed. Clearly, the tide has turned in favor of credit freeze laws, with Congress stepping up with credit freeze provisions in the several pending data breach notification bills, which would preempt the state laws.

Tuesday, October 9, 2007

USA PATRIOT Act Violates Fourth Amendment

In Mayfield v. U.S., a federal district judge ruled that the two provisions of the USA PATRIOT Act violate the Fourth Amendment of the United States Constitution because they allow surveillance without probable cause. This decision shows that six year after the Patriot Act passed, privacy concerns still exist regarding its use and scope. Indeed, privacy concerns were raised within a week of the act passing in 2001. In Mayfield, these privacy concerns were somewhat relieved.

Brandon Mayfield is a 38-year old American citizen. He is a former Army office with an honorable discharge and a practicing lawyer. Prior to his arrest based on the Patriot Act, he had never been arrested. Mayfield is Muslim.

In 2004, the FBI began surveillance on Mayfield and his family. The FBI followed them to work, school, the Mosque they attend, and other places. The FBI also placed electronic surveillance devices in their home.

The FBI contends that it took this action because it believer, based on a partial match fingerprint, that Mayfield may have been involved in the terrorists bombings in Madrid, Spain on March 11, 2004. But, the Spanish National Police did not share this conclusion. Regardless, the FBI arrested Mayfield and imprisoned him for two weeks. Mayfield was released when the Spanish National Police informed the FBI that the fingerprint actually belonged to an Algerian, Ouhane Daoud.

While the facts of Mayfield's arrest are interesting, they are not directly relevant to the court opinion because he brought a facial challenge to the two provisions, not an as-applied challenge. In other words, the focus of his claim is that the two provisions at issue always violate the Fourth Amendment, not just in his particular case.

Specifically, Mayfield challenged the way in which the Patriot Act amended FISA. Before the Patriot Act, the government could only get a search warrant from a FISA court if the "primary purpose" was related to gathering national security intelligence. The Patriot Act lowered the standard to allow FISA warrants when merely a "significant purpose" of the warrant was related to national security intelligence. Thus, the Patriot Act allowed the government to obtain FISA court warrants when the primary purpose was to gather evidence related to domestic criminal activity. This lower standard violates the Fourth Amendment's probable cause requirement.

As the Mayfield court stated:

Since the adoption of the Bill of Rights in 1791, the government has been prohibited from gathering evidence for use in a prosecution against an American citizen in a courtroom unless the government could prove the existence of probable cause that a crime has been committed. The hard won legislative compromise previously embodied in FISA reduced the probable cause requirement only for national security intelligence gathering. The Patriot Act effectively eliminates that compromise by allowing the Executive Branch to bypass the Fourth Amendment in gathering evidence for a criminal prosecution.

As a remedy to Mayfield, the court not only found this change in the law unconstitutional, it ruled that the "Executive Branch must destroy or otherwise eliminate" the materials in its files that were the fruits of the unconstitutional search.

In short, the privacy implications of this case relate to the government's ability to conduct surveillance and create and retain databases of information on American citizens using FISA without having to prove probable cause, even when the primary purpose of the surveillance is not related to national security. While this decision is a victory for privacy interests, it is not the last word. Most likely, the government will appeal. Nonetheless, six year after passing the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorists Act (aka USA Patriot Act), privacy concerns seem to be
getting some traction in the courts.

Monday, October 8, 2007

In Which We Learn that the Rule of Law is Optional for Telecoms

As described in this article from Computer World, last week representatives from AT&T, Verizon and Quest appeared before the House Committee on Energy and Commerce to explain how government agencies sought to obtain information on consumer telephone and Internet use. At first blush, this seems odd. After all, the House Committee on Energy and Commerce is part of the House of Representatives - and it would seem that the most direct way for the House of Representatives to find out how some other government personnel were obtaining information would be to simply ask them. However, all is not as it seems with the committee hearings. First, instead of being hearings to rake the telecoms over the coals for violating the privacy of their customers, these hearings are essentially a pity party organized by AT&T (article on some of the behind the scenes maneuvering here) in support of passage retroactively immunizing telecoms for violating the privacy of their customers. So why would AT&T want retroactive liability for violating its customers' privacy? My guess is that AT&T's lawyers have told it that it's likely to lose its case against the electronic freedom foundation which is currently on appeal before the 9th Circuit (details on the ongoing case can be found here). So, where the lawyers fail, the lobbyists swing into action...and we learn that actually obeying the law is completely unnecessary if you have enough money to buy retroactive immunity.

As a note, I am aware that the ACLU, which is normally on the side of the angels when it comes to privacy, has spoken favorably on the house hearings (see, e.g., here). However, I'm still very skeptical. In support of my skepticism, I will cite the position of representative Dingell, who stated that the committee wanted to "examine the difficult position of the phone companies who may have been asked by the government to violate the privacy of their customers without the assurance of liability protections." To me, that sounds like a person who is preparing to step into defend the poor, oppressed telecoms, not a person who is about to exercise some oversight. It's possible that I could be wrong, but I'll wait till AT&T loses at the 9th circuit and no retroactive immunity is granted before I'll conclude that this hearing was about consumer privacy rather than protecting large corporations.

Thursday, October 4, 2007

A Post Having Nothing to do With Information Security or Data Privacy

Recently, I was invited to do some guest posting at Metlin - an eclectic blog run by Karthik Narayanaswami, a multi-talented (quantum physics, programming, mathematics and mountaineering, to name just a few) friend of mine from Cincinnati. My first post can be found here and, as advertised, it has nothing to do with information security or data privacy.

Regularly scheduled programming will resume shortly...

Tuesday, October 2, 2007

Banks Object to Bill Limiting Use of SS Numbers

Two new government initiatives to restrict the use of Social Security numbers have put banks on the defensive. As part of President Bush's Identity Theft Task Force, the FTC has sought comment on the necessity for such a widespread use of Social Security numbers and alternatives. In addition, the House Ways and Means Committee has approved a bill that would strictly limit the "sale, purchase, or display" of Social Security numbers. This bill is expected to be voted on this fall, but a companion bill has not yet been introduced in the House. Analysts say that the banking industry has voiced opposition to any efforts to limit the use of Social Security numbers, since these numbers are an integral part of their customer information files. Bank Technology News However, they are in danger of finding themselves in the midst of a public relations snafu, since it would not reflect well on banks to oppose efforts to protect customers' identity. Further, banks would arguably benefit from limiting the use of Social Security numbers in connection with account relationships, since one category of bank fraud losses, new account fraud, is directly tied to the use of stolen Social Security numbers. But those losses pale in comparison to the costs banks would incur in being required to shift to a different customer idenification number system.

Monday, October 1, 2007

Study Finds TJX Data Theft Was Preventable

According to a study conducted by Canadian privacy authorities, TJX failed to utilize sufficient security precautions which would have prevented the security breach experienced by the retail giant earlier this year. Jennifer Stoddart, the Privacy Commissioner of Canada, commented on the report, identifying TJX's information gathering and retention policies, as well as weak encryption technology, as the reason that the criminal groups were able to carry out the largest data security theft to date. Stoddart cited the TJX incident as a wake up call to other businesses that collect personal information.
<",1000000189,39289645,00.htm ">See this article. The Disposal Rule imposed by U.S. regulations is intended to prevent companies from retaining customers' personal information longer than necessary, but unfortunately it only applies to consumer credit reports. Retailers run the same risk of a security breach as TJX does if they do not heed the "wakeup call." Collecting unnecessary information in connection with a transaction and retaining it indefinitely presents an example of sloppy information management, and can provide criminal groups with a treasure trove of data ripe for resale and abuse.

Sunday, September 30, 2007

Collision of Privacy and Security? has an article up entitled Dot-Name Becomes Cybercrime Haven which discusses security implications of fees which are charged by Global Name Registry, the entity which administers domain names ending in ".name". For most domains (e.g., those ending in ".com") you can easily and without paying any fee find out who has registered the domain. However, with domains ending in ".name", to find out who has registered a domain, it is necessary to pay a fee of $2.00. The wired article makes this sound like a catastrophe for security, quoting one researcher who says that "What they have done is made sure the .name TLD is free haven for bad guys to lurk on...If I need to report 1,000 domains, I'm not going pay $2,000." But is charging $2.00 to learn who registered a domain really such a problem for security? After all, if a black hat hacker registers a .com domain, it seems very unlikely that they'd use their real name and address to do so (something which was pointed out in this comment to the story). Similarly, if Global Name Registry was served with legal papers, they'd almost certainly cough up the registration information without a fight. Thus, charging a gatekeeping fee seems to be just what the president of Global Name Registry said in his own comment to the story: a compromise between protecting the privacy of individuals and the legacy of openness which has been one of the hallmarks of the Whois domain name system.

The problem with that is that Global Name Registry's protestations about caring for individual privacy are totally disingenuous. For example, to sign up for a ".name" domain you have to agree to terms and conditions which include the following privacy policy:

PRIVACY POLICY: You agree and consent that we will make available the domain name registration information you provide or that we otherwise maintain to the following parties: ICANN, the Registry administrator, and to other third parties as ICANN and applicable laws may require or permit (including through web-based and other on-line WHOIS lookup systems), whether during or after the term of your domain name registration services of the domain name. You hereby irrevocably waive any and all claims and causes of action you may have arising from such disclosure or use of such information. Additionally, you acknowledge that ICANN may establish or modify the guidelines, limits and/or requirements that relate to the amount and type of information that we may or must make available to the public or to private entities, and the manner in which such information is made available.
(emphasis added)

In other words, as long as the law doesn't prohibit Global Name Registry from disclosing information, you agree that they'll do so - not exactly the policy of an organization which values its customers' privacy. Instead, it's exactly the policy you'd expect from an organization which wished to maximize its profit.

Tuesday, September 25, 2007

TJX to Pay Settlement (Maybe)

According to this article from ComputerWorld TJX has proposed to settle consumer class actions arising from its massive data breach earlier this year. As part of the settlement, TJX would provide credit monitoring, identity theft insurance, and payment of the cost of credit card replacement for individuals whose personal data may have been stolen during the breach. The company would also agree to hold a 15% off sale at some point in the next year, and to pay for "certain losses from identity theft" for individuals whose driver's license or other ID numbers were the same as their Social Security numbers.

The questions now are whether consumers should take the settlement, and whether the court should bless it as fair. At first blush, it seems like the settlement is almost an insult. After all, large retailers routinely hold sales with discounts greater than the 15% off that TJX is offering, and it is not clear what the "certain losses from identity theft" that TJX would agree to cover would actually entail. On the other hand, the credit monitoring, card replacement and free identity theft insurance are real benefits. True, it might seem like paying these costs is the least TJX should do, but when consumers have tried to use courts to force those payments out of companies which have had a security breach they have generally been unsuccessful. For example, this post discusses a case from the seventh circuit where consumers were thrown (figuratively) out of court because the judges decided that damages from fear of future identity theft weren't real enough to be used as a basis for compensation - even compensation for the cost of credit monitoring. Thus, while the settlement from TJX may seem like a bargain, it could be the best that the consumer plaintiffs can reasonably expect.

Friday, September 21, 2007

DRM: a Threat to Privacy

Via Michael Geist by way of BoingBoing we learn that The University of Ottawa's Canadian Internet Policy and Public Interest Clinic has released a report concluding that DRM pose a significant threat to privacy. From the executive summary:

• Fundamental privacy-based criticisms of DRM are well-founded: we observed
tracking of usage habits, surfing habits, and technical data.
• Privacy invasive behaviour emerged in surprising places. For example, we
observed e-book software profiling individuals. We unexpectedly encountered
DoubleClick – an online marketing firm – in a library digital audio book.
• Many organizations take the position that IP addresses do not constitute
“personal information” under PIPEDA [Personal Information Protection and
Electronic Documents Act] and therefore can be collected, used
and disclosed at will. This interpretation is contrary to Privacy Commissioner
findings. IP addresses are collected by a variety of DRM tools, including
tracking technologies such as cookies and pixel tags (also known as web
bugs, clear gifs, and web beacons).
• Companies using DRM to deliver content often do not adequately document
in their privacy policies the DRM-related collection, use and disclosure of
personal information. This is particularly so where the DRM originates with a
third party supplier.
• Companies using DRM often fail to comply with basic requirements of

This, sadly, should not be a surprise. Copyright organizations have shown themselves to be actively hostile to concerns about information security and data privacy (see, e.g., the discussion of concerns related to watermarking here, or Sony's now infamous fondness for installing rootkits). Indeed, the only time when copyright and information security are (supposedly) aligned is when copyright is trying to piggyback on security concerns to achieve its own ends (e.g., the destruction of P2P networks, as described here).

The happy news though, is that the study came out in the first place. It is possible that this examination of the impact of DRM on privacy could be a reflection of some sort of backlash against the copyright industry's current tactics - something that, if supported by legislation, could result in significant benefits for privacy and security of individual data.

Thursday, September 20, 2007

Quick Roundup

A few links of interest having to do with data privacy and information security. First, there's this article from Computer World which says that Facebook and MySpace users are happy to trade privacy for features. Really, this isn't a big surprise (I blogged here about a Wired story which described the small value most people place on privacy), but it is yet another data point showing just how little most people care about privacy. Also of interest is a current series of posts at the Dunning letter where Jack Dunning lays out his proposal for how individuals can control (and profit from) their personal information. Jack is highly knowledgeable about privacy issues, having worked on the inside as a junk mailer for years, and now working on the outside trying to improve privacy protections for individuals.

However, what has been devouring my internet time of late isn't actually privacy related - it's the "don't tase me bro" story (link to a discussion of the underlying incident here). Hopefully when that has played out, I'll find myself less distracted, and more able to provide some substantive analysis (especially of Jack's recent posts, which certainly deserve careful consideration).

Monday, September 17, 2007

Google in the News

There's a pair of articles about Google and privacy in Information Week. First, Google itself put out a call for a global privacy standard (article here). The initiative is laudable. Google's privacy counsel is quoted in the article as stating that

Yet despite the international scope of even the most ordinary Internet activity, the majority of the world's countries offer virtually no privacy standards to their citizens and businesses. And even if every country in the world did have its own privacy standards, this alone would not be sufficient to protect user privacy, given the Web's global nature. Data may move across six or seven countries, even for very routine Internet transactions. It is not hard to see why privacy standards need to be harmonized and updated to reflect this reality.

However, is Google really the organization to push privacy standards? According to the second article (link here) Canada's privacy commissioner has expressed concerns that Google's streetview product, which includes images of identifiable individuals captured in public places may violate Canadian privacy law. While streetview hasn't been introduced in Canada yet, making Google's legal violation largely hypothetical, the fact that the question is arising at all indicates that Google may still be a bit tone deaf on the issue of privacy, and might not be the right organization to spearhead a call for global standards.

Thursday, September 13, 2007

Search Engines React to EU Resolutions

The difference between the European approach to privacy and that followed in the U.S. has impacted the privacy practices of many search engines. Google has reduced the period after which its server logs will be made anonymous to 18 months, and its cookie retention period was reduced to 2 years. Other search engines quickly followed the lead. Yahoo! and Microsoft met Google's challenge, or implemented even shorter periods. It is likely that these moves were in reaction to the publication of an EU resolution on privacy protection and search engines last November, in which they called on the search engines "to respect the basic rules of privacy...and to change their practices accordingly." In the US, there is no one comprehensive and all-encompassing piece of legislation governing privacy to which all sectors of the economy are subject. Thus, US companies rely more on industry self-regulation and public pressure. Thus, the moves by the big three search engines can be seen as bowing to the concerns of the European public. Search engines are under pressure to deliver more targeted information to marketers, but also realize that customers have to feel comfortable that the information collected will be kept private. Successful search engines' business must start and end with consumer trust.

Major Change to California Law Regarding Security Breaches Coming

Back in July, I wrote about a proposed California law which would require merchants who suffer from data security breaches (think TJX) to reimburse financial institutions for the cost of replacing credit cards for people whose information is stolen (link here). Now, according to this article from Computer World, that bill has passed through the California senate and now awaits signature by governor Schwarzenegger. Though the law has had some changes as it moved through the legislature. For example, a new provision has been added which would allow merchants to excused for some or all of the costs of card replacement if it can show it was in compliance with all security requirements at the time of the breach. However, the main focus of the law - shifting costs from merchants to banks, remains intact. According to the Computer World article, if signed, the law is expected to have the same ripple effect that California's SB 1386 had on security breach notification in general.

Tuesday, September 11, 2007

Presumably, These People had Heard of HIPAA

Computer World has an interesting article up about companies which have, through their own incompetence, run afoul of the HIPAA data security rules. Highly recommended reading, and quite entertaining in a Darwin Award sort of way. My personal favorite was the one where a manager asked an employee to take backup tapes containing unencrypted personal data for patients home with him in order to accomplish the off site data storage requirements of HIPAA. When the tapes were stolen (of course) the employee reported their theft to the authorities and was fired for his trouble. The story doesn't end there though - because the employee was following his company policy and instructions from a supervisor, the employee is potentially protected from retaltiation from his employer. Thus, the employer might have bought itself both a HIPAA nightmare and a suit under the applicable whistleblower protection laws.

However, the bottom line of the article is serious. Too many organizations have been behaving as if HIPAA simply doesn't exist, or as if its requirements had no meaning. While the keystone cops level of competence of some organizations is amusing, it's no joke for the organizations and people involved. So, for HIPAA, know it, read it, do it...otherwise you could find yourself included in the next compilation of HIPAA disasters.

Friday, September 7, 2007

FBI Can't Stop an ISP from Telling Its Customers that the Government Wants Their Data

Yesterday the ACLU won a significant victory as the U.S. district court for the southern district of New York struck down certain provisions of the PATRIOT which information requests by the FBI (the decision can be found here). The basic subject matter of the lawsuit was national security letters (NSLs) which the FBI could send to wire and electronic communication service providers requesting information about their subscribers, such as the subscribers' names, addresses, lengths of service and records of their transactions. Under the challenged provision of the PATRIOT Act, the FBI could also prohibit the recipient of an NSL from disclosing that the FBI had sought or obtained access to information or records using an NSL if the director of the FBI, or his designee, certifies that disclosure "may result in a danger to the national security of the United States, interference with a criminal, counterterrorism, or coutnerintelligence investigation, [or other ennumerated harms]". Thus, not only could the FBI use a NSL to obtain information about an individual's electronic communications, but the FBI could prevent the individual from ever finding out about the NSL by stating that disclosing the NSL "may" pose a danger to certain listed (but generally poorly defined) interests. The judge analyzed the law under the rubric of a license to speak and found that the procedural safeguards necessary for such a licensing regime to survive were not present - a result the ACLU was understandably happy about (their press release can be found here).

The difficulty with this ruling though, is that it might not have any effect on the behavior of private entities. The judge struck down the portion of the PATRIOT act which allowed the FBI to prevent private entities from disclosing that they had received an NSL. However, the behavior of most entities when called on to do the government's bidding indicates that such a prohibition might not be necessary. For example, AT&T is currently in court for (allegedly) assisting the national security agency in illegally violating the rights of AT&T customers (the EFF page on the case can be found here). It doesn't take much imagination to visualize a situation where an entity such as AT&T receives an NSL, and then voluntarily declines to disclose the receipt of that letter (or anything about its contents) to anyone. While there have been some notable instances of businesses resisting the government (e.g., Google), in general, the government has substantial power to convince companies to cooperate even without being able to issue legally binding gag orders. Thus, until there is some indication that ISPs (and other relevant entities) won't simply cooperate with the government and voluntarily maintain their silence upon receipt of an NSL, there is a real danger that the ACLU's recent win may turn out to be a hollow victory.

In completely unrelated news, the Department of Justice has issued a public statement opposing Net Neutrality (link), a principle which would prevent ISPs from charging differential rates for internet traffic. Net Neutrality is generally opposed by telephone companies (e.g., AT&T) who would stand to profit from being able to charge higher rates for preferred access to internet resources link. Proponents of Net Neutrality generally include software companies (e.g., Google) which benefit from low cost internet access link.

Monday, September 3, 2007

Is Privacy Worthless?

Wired has an interesting article what value people put on privacy. The answer is unsurprising, if a bit depressing for people who do care about privacy: people always value even small amounts of money (e.g., a quarter) over the privacy of their personal information, even if that information is highly sensitive (e.g., number of sex partners). However, while the finding that consumers place very little value on privacy was depressing, one of the reasons given for that low value - a lack of understanding of the concrete risks to decreased privacy - was actually cause for hope. For example, consumers are generally highly concerned about identity theft (see, e.g., this article). Using that concern, it would seem that if privacy advocates can connect lack of privacy (i.e., everything you do being monitored and stored) with increased risk of identity theft (i.e., stored information about you being stolen and used for fraud) then they might be able to make a compelling case that consumers place too low a value on the privacy of their information.

Saturday, September 1, 2007

Know Your Pleadings: Electronic Communications Privacy Act

On the 22nd of August, a federal judge ruled that paying a hacker $15,000 to provide you with confidential emails did not lead to liability under the wiretap act or California's invasion of privacy act. The opinion itself can be found here.

So what happened? The judge stated that since the emails were taken from a server, they weren't "intercepted" for purposes of the wiretap act. As set forth in this article from C|NET, that would seem to indicate that the wiretap act simply doesn't cover email communications, since all emails are stored in memory (e.g., RAM), at least temporarily. No damages were available under California's invasion of privacy act because that act was preempted by the federal statute.

Does this mean that there is simply no remedy for someone whose emails have been stolen? Not at all. As the decision made clear, the wiretap act is only half of a larger bill, the electronic communications privacy act (ECPA). ECPA's other half, the stored communications act is designed to "address access to stored wire and electronic communications and transactional records." However, the plaintiffs made their claims under the wiretap act, note the ECPA. The moral of the story? There are two. First: the American legal system seems to have been designed in a deliberately confusing manner with traps for the unwary which can prevent even meritorious claims from being heard. Second: if someone steals your emails, you sue under the ECPA, not the wiretap act.

Sunday, August 26, 2007 Breach Highlights Limitations of Notification Laws

Do you have your resume posted on line? If so, then there's a good chance you've heard about the data breach at, described in this article from C|NET. The breach itself wasn't record breaking...a mere 1.3 million job seekers had their data stolen. While the fact that 1.3 million records seems like a relatively small breach is somewhat troubling in itself, this post isn't written to decry the fact the disturing frequency of data breaches. Instead, it is written to show some of the limits of data breach notification laws as they are currently written. In the breach, the information stolen included names, addresses, phone numbers, and email addresses. No other details such as bank account numbers were uploaded. While most states have laws that require companies to provide notification of unauthorized access to their customers' personal information, those laws don't necessarily cover breaches like that at monster. For example, California's SB 1386 defines "personal information" as

an individual's first name or first initial and last name in combination
with any one or more of the following data elements, when either the
name or the data elements are not encrypted:
(1) Social security number.
(2) Driver's license number or California Identification Card
(3) Account number, credit or debit card number, in combination
with any required security code, access code, or password that would
permit access to an individual's financial account.

In the breach, none of the information set forth in subsections (1)-(3) quoted above was stolen, so the breach itself appears to fall outside the scope of the law. Does this mean that the breach was innocuous? Not at all. According to the C|NET article, the individuals who hacked would send emails attempting to get further information from people whose data had been stolen. The emails would be created using the stolen data, giving them more credibility than they would otherwise have, and making it more likely that the emails' recipients would think they were legitimate. While that type of risk doesn't seem to be one that California's data breach notification law was intended to cover, it is possible that more breaches of the variety will occur, as businesses begin to react to existing law by making it less likely that bank account numbers or other information are available for hackers. If that is the case, state legislatures might consider revisting their existing laws, and revising them as necessary to deal with this newer type of threat.

Friday, August 24, 2007

7th Circuit Says No Private Right of Action for Data Breach

As described in this post on the threat level blog, the seventh circuit court of appeals has ruled against consumer's whose personal data was stolen from a bank database (the opinion can be found here). As described in the opinion, the consumers' data was stolen as the result of an intrusion which was "sophisticated, intentional and malicious." The consumers requested that the court grant them, among other relief, payment for the cost of credit monitoring services - a seemingly reasonable request, given the fact that their personal data was now in the hands of criminals who had likely stolen it for the specific purpose of facilitating identify theft. However, the seventh circuit decided that the harm suffered by the consumers was only potential harm, and therefore was not compensable under the relevant state law. True, the consumers had to pay for credit monitoring, but the court pointed out that they could not show that their identities had been stolen (yet), so the case was thrown out.

What does all this mean for consumers? There are two primary lessons to be drawn. The first is that courts remain an extremely hostile environment for trying to vindicate privacy rights. The (in my opinion) classic case on this subject is In re Northwest Airlines Litigation which found that Northwest's privacy policy was not a contract with customers, and that customer data collected by Northwest belonged to Northwest, not the customers. The new decision from the seventh circuit just confirms what was already clear: consumers should not expect courts to protect privacy. The second lesson to be drawn from the seventh circuit's new decision is that states which wish to provide meaningful privacy protections for their citizens should include private rights of action in their privacy legislation. In finding against the consumers, the seventh circuit referred to the fact that the relevant data breach notification act did not provide a private right of action. Thus, if state legislators want to avoid their citizens being thrown out of court, they should make sure to explicitly create a way (by statute) for the citizens to protect themselves.

Thursday, August 23, 2007

PCI DSS Compliance Makes Slow Progress

The challenges that faced by merchants in their efforts to comply with the Payment Card Industry (PCI) Data Security Standards (DSS) have received a great deal of publicity, especially since Visa U.S.A. had announced its intent to levy penalize noncompliant merchants beginning in October, 2007. see here However, recently Visa has backed off of its aggressive stance, and announced that instead of denying merchants the right to participate in its tiered fee structure, it will simply downgrade noncompliant merchants one tier, and require them to pay higher fees. This softened approach was announced in a memo issued by VISA and Fifth Third Processing Solutions earlier this month. Practicality vs. SecurityThey also announced that merchants who are in compliance by September 30, 2008 may be eligible for lost interchange discounts and other incentives. While the Payment Card Industry is to be lauded for its efforts to increase security and reduce the potential for identity theft and credit card fraud, the draconian measures it attempted to use in order to speed up the DSS compliance process did not recognize the difficulties and costs encountered by merchants in attempting to comply with the 140 requirements for protecting credit card data. Not only are the smaller retailers encountering challenges and obstacles to compliance, but recent estimate indicate that more than half of Visa's top tier merchants have not yet achieved full compliance. Visa and MasterCard must find a way to keep the pressure on, but not such a pace as to hurt retailers financially.