Wednesday, June 27, 2007

Size of Breach Can Affect ID Theft Risk

In what has been described as the only comprehensive study of data security breaches and the identity thefts that follow them, ID Analytics, an identity-risk management services company, concluded that the risk of identity theft is greatest where an individual or small group is deliberately targeted by identity thieves. In a large data breach, such as the recent theft of backup files containing data on state of Ohio employees and taxpayers, a fraudster cannot easily work through the whole list, and the publicity surrounding the theft can itself serve as a deterrent, since the potential victims have been notified and can closely monitor their bank accounts and credit reports for signs of misuse. The study examined four sizeable breaches. According to an article in The Insurance Journal, fewer than one-tenth of 1% of the more than 500,000 consumers whose identities were exposed in those breaches also became victims of identity theft. Where the theft of data is incidental to the theft of other property, such as a laptop or other electronic equipment, the risk that the data will be misused drops substantially. ID Analytics cautions, however, that the data may still be sold on overseas black markets, where sophisticated means are available to retrieve and misuse it.
Source: The Insurance Journal

Tuesday, June 26, 2007

What Can Information Security Learn From Digital Rights Management

Microsoft recently decided not to remove the virtualization restrictions from its Vista operating system. According to this article, the probable reason is that running Vista inside a virtual machine has the practical effect of defeating Vista's Digital Rights Management (DRM) features, since a guest that can be paused, copied and inspected from the host cannot reliably enforce restrictions from inside. The fundamental purpose of DRM technology, controlling the reproduction and use of information, is also the fundamental purpose of most information security policies. Seen that way, Microsoft's decision to simply withhold a desirable product feature suggests that some technologies, virtualization among them, may be fundamentally at odds with information control. The lesson for businesses seeking to avoid security breaches? The threat from some technologies (e.g., portable mass storage devices) may be so great that they should be kept out of corporate networks altogether. Otherwise, until an effective technical control is found (and Microsoft apparently has not been able to develop one yet), some things are simply an invitation for trouble.

Thursday, June 21, 2007

Court Rules E-Mail Deserves Constitutional Protections

A federal appeals court has unanimously ruled that the federal government violated the Fourth Amendment's protection against unreasonable searches and seizures when it obtained stored e-mail records from a service provider without a warrant in a fraud investigation. A three-judge panel of the 6th Circuit Court of Appeals recognized that e-mail is an ever more common means of communication, and analogized it to telephone conversations in extending constitutional protection to it. The decision is an important victory for civil liberties advocates in the emerging field of Internet privacy. The government had argued that there was no reasonable expectation of privacy because service providers can scan stored e-mail for viruses, spam and pornography. The court distinguished that kind of automated screening by comparing it to postal workers' screening of mail for drugs and explosives, which does not strip letters of their Fourth Amendment protection. The decision is encouraging, as the federal government has increasingly sought to expand its ability to obtain personal information without a warrant. The opinion is Warshak v. United States, 490 F.3d 455 (6th Cir. 2007).

Wednesday, June 20, 2007

Banks v. Merchants

One rift between interest groups that has emerged in the world of information security is that between merchants and banks. The basic conflict is driven by banks' fear of exposure arising from acts (or failures to act) by merchants. This leads banks to impose standards (e.g., the Payment Card Industry Data Security Standard) on merchants, who then struggle to comply with what seem to be mercurial and/or contradictory mandates. The result, predictably, is frustration on all sides, as was on display in a recent panel discussion sponsored by Symantec (described in this article). That frustration has also manifested itself in more problematic ways, such as noncompliance by merchants who feel the standards are too expensive or too unwieldy (as blogged here).

However, this frustration also has the potential to lead to positive change. For example, in response to complaints by merchants, the payment card industry is changing the way its data security standard will be defined in the future (blogged about here). Similarly, in response to concerns from banks, states are considering laws that would shift the cost of cleaning up after data breaches to the entities that cause them (one such proposal is described in this article). The lesson from all this? First, if you have concerns about data security, whatever type of organization you represent, you are not alone. Second, if you express those concerns, there is a real possibility they will be addressed, as both public and private organizations have shown themselves to be responsive to feedback and criticism.

Monday, June 18, 2007

PCI Data Security Standards Present Compliance Challenges

Despite the June 2006 deadline for credit card merchants to comply with the PCI Data Security Standard imposed by Visa and MasterCard, more than half of all credit card merchants have not begun the necessary changes to their card-handling processes, according to a recent study. The standard prescribes security safeguards to protect cardholders' personal information and thereby reduce identity theft losses to cardholders, merchants and acquiring banks. Most of the merchants that have failed to implement the changes are smaller merchants that lack the time and financial resources to comply; many reported that implementation took up to two years. Given that noncompliance can result in hefty fines (levied by the card brands on acquiring banks and typically passed through to the merchant), merchants need to move this obligation up their priority list.
Source: E-Commerce Times

Saturday, June 16, 2007

HIPAA Enforcement Actions

The Department of Health and Human Services has launched the first audit of a hospital's compliance with HIPAA's security rule since the rule took effect in 2005; the subject is Piedmont Hospital in Atlanta. According to Barry Runyon, a Gartner analyst quoted in this article, more unannounced audits are likely to follow. What effect this will have is anyone's guess, though in Piedmont's case the audit has already led to the approval of a $1.3 million line item for encryption software in next year's hospital budget. It seems safe to assume that there will be a number of similar purchases across the health care industry going forward.

Wednesday, June 13, 2007

Court Holds Bank Liable for Failure to Verify Credit Card App

A federal trial court in Tennessee has found MBNA America Bank liable for damages sustained by a victim of identity theft. MBNA received a credit card application in the name of Thomas Wolfe and issued the card to the address given on the application. The credit limit was promptly exceeded, the account became delinquent, and the "customer" disappeared. The bank sent the account to collections, and the collection attorney located the plaintiff, also named Thomas Wolfe, and demanded payment from him. The plaintiff replied but never received a response. After being denied a job because of his damaged credit rating, he again contacted MBNA to dispute the account, again without a satisfactory reply. He then sued MBNA for negligence and gross negligence, alleging that it had breached a duty of care owed to him by making no attempt to verify the accuracy of the information on the credit application. In a groundbreaking decision, the court held that such a duty to verify exists and found the bank negligent for failing to investigate. (Wolfe v. MBNA America Bank, No. 05-2972 (W.D. Tenn. Apr. 25, 2007)).

Risks from P2P Networks

Computerworld has a pair of articles up, here and here, discussing the risks posed by P2P networks. The first focuses on a Dartmouth study which found that substantial amounts of sensitive information, including (ironically) a bank's security assessment performed by a third-party contractor, is inadvertently made accessible by consumers who install P2P software; the typical cause is a file-sharing client configured, by default or by mistake, to share an entire documents folder rather than a single download directory. The second article provides a concrete example of that danger: P2P software installed on a company-issued laptop that a Pfizer employee was permitted to use at home exposed personal data on around 17,000 current and former Pfizer employees. The take-home message from all this? Have policies that control the use of P2P software, and make sure employees understand that violating those policies is not only a breach of workplace rules but also puts their own personal data at risk.

Tuesday, June 12, 2007

Dubai First Arab Nation to Adopt Data Protection Law

On May 29, 2007, the Commissioner of Data Protection of the Dubai International Financial Centre (DIFC) issued an Enforcement and Compliance Notice. It directs all DIFC entities, whether or not regulated by the Dubai Financial Services Authority, to register with the Commissioner of Data Protection by June 30, 2007, and to comply with all aspects of the DIFC Data Protection Law. Companies that fail to comply will be subject to fines and penalties.

The Data Protection Law 2006, which applies within the jurisdiction of the DIFC, became effective in January 2007. The law regulates and protects individuals' "personal information" and has immediate implications for companies operating in Dubai, especially those that transfer data between offices in different jurisdictions. "Personal information" is defined broadly as "any information relating to an identifiable natural person." The law also gives heightened protection to "sensitive data," such as information about a person's political affiliation or racial identity.

The most significant provisions of the DIFC Data Protection Law concern international transfers, governing the movement of personal information out of the DIFC to other countries. They require that the recipient country provide "an adequate level of protection" for the personal information, the same standard imposed by the EU Data Protection Directive (95/46/EC). Transfers of personal information to countries without such protection (including the United States) are permitted only with the consent of the newly appointed Commissioner of Data Protection. The implementing regulations, which became effective in March 2007, do not specify which countries qualify as providing an "adequate level of protection," although it is anticipated that the DIFC will simply adopt the list of countries the EU has found adequate.

The regulations also provide an application process for obtaining a permit to transfer personal information out of the DIFC to a country that does not provide an adequate level of protection. Other grounds for a transfer are also stated, such as the written consent of the data subject, or that the transfer is necessary or legally required on grounds important in the interests of the DIFC.

Thursday, June 7, 2007

HIPAA Enforcement Steps Up

When the Health Insurance Portability and Accountability Act (HIPAA) privacy rule became effective in 2003, many health care providers scrambled to produce the privacy notices the Act requires and then gave HIPAA little further thought. A recent spate of private HIPAA-related litigation, however, is raising concern among hospitals and other health care providers. Although HIPAA provides no private right of action, several courts have recently allowed private plaintiffs to use HIPAA's standards as evidence of liability for failing to adequately protect the plaintiffs' sensitive medical data. Courts in North Carolina and Utah have recognized a common law duty of confidentiality on the part of health care providers and have looked to HIPAA to define the standard of care owed with respect to medical data. In addition, the U.S. Department of Health and Human Services, which enforces HIPAA, has become more active in enforcing its requirements and has instituted new measures such as HIPAA compliance audits. Health care providers would be well advised to review the security of their patients' personal information to guard against both private liability and regulatory enforcement actions.

Monday, June 4, 2007

Choicepoint Pays Surprisingly Small Settlement

ChoicePoint, which made headlines last year by paying $15 million to settle FTC charges ($10 million in civil penalties and $5 million in consumer redress) arising from its unauthorized release of consumer data, has now settled lawsuits stemming from the same incidents with 44 states. The price, according to this article from CNET, is...$500,000. Apparently, once the breach was out of the headlines, ChoicePoint concluded that multimillion-dollar settlements were no longer worth the money. Surprisingly, the states agreed, and ChoicePoint got off with state payments of roughly $3.50 per affected consumer.