Monday, December 31, 2007

2008 Privacy Roundup

Privacy International has released its 2007 International Privacy Rankings. Sadly, the United States ranks last among the countries of the democratic world in terms of statutory protections and privacy enforcement. Among the points noted about U.S. privacy protection were that state data breach notification laws had proven useful in identifying security faults, but that Congress had approved a presidential spying program and is considering retroactive immunity for telecoms (something I wrote about here, and will almost certainly write more on in the future). One thing I'd like to point out is that the problems the report identified (e.g., presidential spying) are coming from the federal government, while the bright spots in privacy protection (e.g., data breach notification laws) are implemented at the state level. To my mind, this provides further evidence that we should be cautious in pushing for a federal data breach notification law, given that it could preempt the state laws which are already in place and have proven to be effective.
(via BoingBoing)

Thursday, December 27, 2007

2008 Budgets Beefed Up for Data Security Expenses

One item that is not getting short shrift in community bankers' 2008 budgets is the expense of protecting consumer data. While controlling costs has consistently been a top priority for these financial institutions, many report being fearful of an unauthorized infiltration of their bank databases, and are investing in security-related technology. In an article in the December 21, 2007 American Banker, bankers report that criminals are constantly searching for a weakness in banks' firewalls, and that they must continually monitor such attempts to be certain they have addressed any vulnerabilities. These banks now appear to be keenly aware of the damage to their reputation that could result from a data security breach, particularly where it could be shown that they did not take sufficient preventive steps to stave off an attack. This reputation risk, combined with the increased attention being paid to banks' risk management policies and procedures by banking regulators, has caused banks to increase their budgets for fraud detection technology in the coming year. Reports of banks that were unprepared when a hacker "intrusion" occurred, and of the financial resources required to address the aftermath, have been a "wakeup call" for many banks. It has been this writer's frustration over the past several years that the risk of a data security breach has not been taken seriously enough. In the end, however, it appears that it was the plight of these victims of security breaches that finally convinced financial institutions that being penny wise and pound foolish should not be their motto when it comes to securing customer data.

Wednesday, December 19, 2007

Congress Ignores Individual Privacy

"Wider Spying Fuels Aid Plan for Telecom Industry" - that's the headline of this article from the New York Times (via CNET). In a sane world, that type of headline would be appropriate for an article describing legislation designed to help telecoms fight hackers who are spying on their networks, or avoid industrial espionage by unscrupulous rivals. In this world though, the headline is about a plan to grant telecoms retroactive immunity from lawsuits for spying on American citizens. Previously, it had been thought that telecoms had helped the Bush administration spy on American citizens as part of the government's counterterrorism operations - activities that have led to lawsuits being filed (see here for more info). The telecoms, understandably worried about losing in court, lobbied for a bill granting them retroactive immunity from suit. Thanks to some political controversies that I'm not going to get into (though you can get details here), the retroactive immunity bill hasn't gone through - which led to the article about wider spying fueling aid plans for telecoms. Apparently, telecoms weren't just providing information in terrorism investigations; they were providing information on everything. In other words, they were engaging in "wider spying." If I were a senator, I would react with outrage. After all, spying isn't a positive good that should be encouraged. However, I'm not a senator, and the senators we do have apparently feel that wider spying is something to be encouraged. As a result, the wider spying, instead of sinking the telecoms' bid for retroactive immunity, actually aided it; the fact that "wider spying" basically means that individual privacy is routinely violated apparently means nothing to our elected representatives. A dark day for people who care about privacy.

PostScript: Happily for supporters of the rule of law, the retroactive immunity bill hasn't gone through (again, thanks to the political controversies described here).

Are Security Breaches the Cause of Identity Theft?

Frequent news reports in 2007 of data security breaches have heightened the public's and business' concern over the risk of identity theft. The FTC estimates that 9 million Americans will have their identity stolen this year, so there is clearly cause for concern. But in what percentage of these reported incidents does an identity thief actually make use of the information that has been compromised? What if the thief was actually a member of the clan?

Most of the breach incidents reported concern lost or stolen laptops containing sensitive personal information, unencrypted backup data tapes, careless document disposal and destruction, and inadequate security procedures related to database and document protection. In fact, most of these breaches have not resulted in identity theft, as reported in recent testimony by the FTC. The greater risk of identity theft, says the FTC, arises in the case of deliberate criminal action, such as insiders who take a bribe to reveal sensitive personal information or who use it themselves. Companies would be well advised to focus their attention on their internal security processes by restricting access to the personal information of their customers, clients and employees, and by adopting other measures to prevent insider abuse. According to some reports, one in three cases of identity theft is the work of employee insiders who have taken workplace records, in most cases those of a customer or client.

Certain industries are more vulnerable to identity theft than others. The retail industry has the highest number of incidents of employee theft; by some estimates nearly 60% of cases in which workers steal personal information to commit identity theft occur in retail. The financial services industry is second, with 22%. The difference between the two industries is likely due to the safeguards that are mandated for financial institutions by the Gramm-Leach-Bliley Act and government regulations.

Most of the thieves who have been apprehended did not have a prior criminal history, so background checks alone would not provide a solution. The FTC recommends that companies take five security measures to help protect information from insider theft:

1) Take stock of what personal information is in company files and track where it goes within the company
2) Reduce wherever possible the personal data of customers and employees that is stored
3) Protect the information kept by the company by both physical and technological controls
4) Dispose of unneeded information using appropriate means
5) Plan ahead for responding to security incidents, closing off threats to personal information, and evaluating whom to notify in case of an incident.
FTC Guidance

Tuesday, December 18, 2007

New North Carolina Privacy Protection Law

North Carolina has a new law protecting individual privacy. The law adds to North Carolina's existing identity theft protection act by making it a violation of the act for any person to
knowingly broadcast or publish to the public on radio, television, cable television, in a writing of any kind, or on the Internet, the personal information of another with actual knowledge that the person whose personal information is disclosed has previously objected to any such disclosure.
Looking at its text, the North Carolina law seems to have been written to actually be enforced by aggrieved individuals. Indeed, the North Carolina law explicitly states that it can be enforced by individuals, rather than limiting the right to bring suit under the law to the state attorney general. Also, the North Carolina law includes a statutory damages provision, which addresses difficulties that individuals have had showing actual damage in previous data exposure cases. See, e.g., here and here.

So what's behind these consumer friendly features of the North Carolina law? I think there are two forces at work. The first is an individual named Glenn Hagele (web site here), who lobbied for this specific law to help address a specific fact pattern - where an individual's personal information was made available on the Internet as a reprisal for that individual's public statements. Without Glenn's work on the law, there is simply no reason to think it would exist. The second force I see is more systemic. Identity theft is still a significant concern for consumers (e.g., this article from the AARP describing identity theft concerns of older Americans) and with a seemingly endless stream of high profile incidents taking place, legislators are probably feeling pressure to do something about it. While data breach notification acts revealed that there is a problem with personal information being revealed, the repeated failures of consumers in court have shown that current law doesn't really give individuals the tools they need to protect themselves. Laws like that in North Carolina, which explicitly give consumers a right to sue for statutory damages, could be a step that more legislatures will take in the future to remedy that situation.

Thursday, December 13, 2007

Privacy Red Tape

One argument I often hear (and not just in the privacy context) is that regulation is just red tape - it imposes costs on businesses, it doesn't achieve its stated goals, and we'd be better off without it. However, a new study of Chief Security Officers from the University of California-Berkeley School of Law indicates that (at least in the context of security breach notification laws) that argument is simply wrong. Among the study's findings:

Breach notification laws have significantly contributed to heightened awareness of the importance of information security throughout all levels of a business organization and to development of a level of cooperation among different departments within an organization that resulted from the need to monitor data access for the purposes of detecting, investigating, and reporting breaches. CSOs reported that breach notification duties empowered them to implement new access controls, auditing measures, and encryption. Aside from the organization's own efforts at complying with notification laws, reports of breaches at other organizations help information officers maintain that sense of awareness.

In any case, this is probably not a big surprise to those of us who are already concerned about privacy, but it is something to keep in mind if confronted with arguments that privacy regulation won't help consumers anyway.

Via Schneier on Security.

Wednesday, December 12, 2007

Data Breach Notification Prioritized over Identity Theft Restitution

According to this article from SC Magazine, the House Judiciary Committee is likely to give precedence to a bill making it a federal crime to fail to notify law enforcement in the event of a major security breach. The alternative proposal, which is not expected to be voted on before the end of the year, would have made it easier for victims of identity theft to recover compensation and also would have facilitated prosecution of individuals deploying botnets. Based on my understanding of the legislation, I'm not sure that either bill would have any real effect. State data breach notification statutes already have the effect of forcing businesses to disclose when a security breach takes place, so I'm not sure what would be accomplished by having a separate federal law which requires only notification of law enforcement. Regarding the bill which would help victims of identity theft recover compensation, victims of identity theft can get compensation now (or more than compensation, as described here) - assuming they can find the thief. The reason people end up having to eat the costs of identity theft isn't that the law won't help them; it's that they can't find the perpetrator. Similarly, when it comes to prosecuting individuals who maintain botnets, I don't see the problem as being one with existing law. Instead, finding the people controlling botnets can be difficult, and even if they are found, there is no guarantee they will be within the reach of U.S. courts.

With that having been said, I think the mere existence of these bills is a positive step. The federal government is way behind the states when it comes to protecting privacy, and privacy protection is something that (ideally) should be approached in a manner that isn't limited by state borders.

Tuesday, December 11, 2007

Incredibly Narrow Privacy Protection

In case you were worried about unauthorized disclosure of personal information by a video tape service provider, you will be happy to know that there is a law which is specifically designed to prevent video tape service providers (and those they communicate with) from knowingly disclosing their customers' personally identifiable information. An interesting discussion of how that law might actually be applied can be found here (via BoingBoing).

As a note, while ridiculous, the level of specificity of the law mentioned above isn't unusual. A good example of an even more specific law is 17 U.S.C. 110(5)(B)(i)(II), which sets forth specific diagonal screen sizes in inches for equipment that can be used to make an audiovisual display without infringing a copyright.

Monday, December 10, 2007

Children's Online Privacy Protection Act Enforcement in Texas

As described in this article from Computer World, the Texas attorney general has sued two web sites for violations of the Children's Online Privacy Protection Act (COPPA). According to the article, the two sites collected personal information from children under the age of 13 without obtaining sufficient verification of parental consent, and without giving the children the opportunity to review or pull back the data.
There are two things I find particularly interesting about the article. First, this article is another demonstration (to me) that law enforcement in Texas is taking its responsibilities regarding individual privacy relatively seriously. As described previously here, this year the Texas attorney general has repeatedly brought suit based on violations of privacy law, for example, for improper disposal of customer records. Thus, the actions by the Texas attorney general show what can be done if state law enforcement is willing to take an active role. The second thing I found interesting about the article was its statement that this enforcement action by the Texas attorney general was the first to be brought by a state under COPPA. COPPA was passed in 1998. To me, that shows just how far we have to go in terms of actually enforcing even the (relatively minimal) privacy protections that the law does provide.

Wednesday, December 5, 2007

The Forgotten Side of the TJX Litigation

As it happens, the TJX litigation isn't only about TJX. That litigation is actually about lawsuits against both TJX and Fifth Third, TJX's bank. The relationship between Fifth Third and TJX was that, when a consumer made a credit card purchase, the information from that purchase would be sent from TJX to Fifth Third. The information would then be sent to the bank that issued the credit card to the consumer, which would approve or decline the transaction, and the response would be passed back to TJX through Fifth Third. For some purposes in the litigation, TJX and Fifth Third could be (and were) given the same treatment. However, the unique status of Fifth Third came to the fore when the judge in the TJX litigation decided to deny class certification to the issuing banks in their suit against TJX. For class certification, it was necessary that there be some assurance that the issuing banks would vigorously prosecute the litigation, and that there be no conflict among the members of the class as a whole. The problem raised by Fifth Third's relationship with TJX is that some of the issuing banks suing TJX were also acquiring banks; that is, they functioned in the same capacity for their merchant customers as Fifth Third had for TJX. The result was that the court found that a verdict imposing liability on Fifth Third could actually be negative for some of the banks filing suit - leading to a conflict between those banks and the banks which only issued credit cards but did not act as acquiring banks. For the court, that conflict provided an independent reason why class certification in the parallel action against Fifth Third was inappropriate.

Tuesday, December 4, 2007

Bankers' Class Action Rejected

Last Thursday, the judge in the ongoing TJX litigation denied the motion for class certification by financial institutions seeking to recover damages caused by cancelling and reissuing credit cards. The primary reasons given by the court for denying class certification were that the issues of whether any individual bank relied on TJX's maintaining adequate security, and whether any losses for individual banks were caused by TJX's security breach (as opposed to, for example, unrelated fraud), predominated over issues common to the class seeking to sue TJX.

Assuming that the court adheres to its denial of class certification (there is a pending motion to amend the banks' complaint, and there will likely be an appeal of the denial of class certification) the result will be that individual banks will have to either drop their litigation against TJX, or pursue their cases on an individual basis. Realistically, many of the bankers' claims will likely be too small to justify the costs of pursuing individual litigation, meaning that the denial of class certification could effectively end TJX's current legal troubles. Accordingly, this decision should be seen as a big (albeit potentially temporary) win for TJX, and a similarly large setback for those seeking to recover costs caused by that breach.

Sunday, December 2, 2007

TJX Settling Out?

According to this article from Computer World, TJX has proposed to pay $40.9 million to banks that issued Visa cards potentially affected by TJX's massive data breach if the affected banks agree not to pursue litigation against TJX. The article describes TJX's offer as a move which could save "tens of millions of dollars in lawsuit damages." Actually, that's understating things quite a bit. In paragraph 96 of the fifth amended complaint in the ongoing litigation regarding the TJX breach (case number 1:07-cv-10162), a bankers association seeking class certification alleged that "The cancellation and reissuance of cards resulted in damages and losses to Plaintiff Banks and members of the proposed Class of up to $25 per card." As the first paragraph of that same complaint alleged that "approximately 100 million credit cards were compromised because of TJX's acts and omissions," it seems that there were potentially up to 2.5 billion dollars in damages (25 dollars/card * 100 million cards). Even assuming that the $25 per card cited as the maximum in the lawsuit is unrepresentative, and the real cost is lower (e.g., the 10 dollars/card quoted in this posting), the cost of canceling and reissuing almost 100 million cards is certainly greater than the $40.9 million offered by TJX. Of course, there's no guarantee that the banks would win if they did pursue litigation. However, if TJX ends up eliminating its litigation risk from banks who had to reissue cards for only $40.9 million, then TJX will have dodged a very big bullet at a (relatively) low cost.

Saturday, December 1, 2007

Study Finds Costs of Data Security Breaches Rising

2007 has not been a good year for consumer data security, if one measures by the size and number of records compromised by the data security breaches that have occurred this year. Data security breaches have affected millions of consumers around the globe. Large scale breaches grabbed the headlines, beginning in January 2007 with the theft of the personal information of 45 million customers of the retailer TJX, and culminating with the loss by a government agency last month of the personal records of 25 million national insurance and child benefit recipients in the UK. In between were reports of breaches at the U.S. Department of Veterans Affairs, the U.S. Department of Agriculture, Monster.com, the State of Ohio, and numerous colleges and universities. The Consumers Union reports that the total number of records containing sensitive personal information involved in security breaches in the U.S. is currently 216,251,736, although this number is likely larger, since in the case of many breaches the total number of records compromised is unknown.

A recent study by the Ponemon Institute shows that data breach costs continue to rise. Ponemon Press Release In its 2007 Annual Study: Cost of a Data Breach, it found that in 2007, data breach incidents cost companies an average of $197 per compromised customer record, compared to $182 in 2006. Lost business opportunity, including customer turnover and expenditures to acquire new customers, was the most significant component of the cost increase. Other cost factors include legal, investigative and administrative expenses, reputation management, and costs related to customer support, such as credit monitoring fees and consumer hotlines. The study found that one category of expenditure had decreased from 2006, however: the cost of notifying consumers fell 40 percent, from $25 per customer in 2006 to $15 per customer in 2007. This may indicate that the data breach notification and security freeze laws enacted in more than 30 states, many of which became effective in 2006 and 2007, have allowed companies to take a more certain and measured approach to notifying U.S. residents than in the past.

Consumers have noticed the increase in data security breaches, and consumer confidence in the organizations with which they share their data has declined. In a separate study, the 2007 Consumer Survey on Data Security issued by Vontu and the Ponemon Institute, 62% of respondents indicated that their personal data had been stolen, and 84% of those respondents reported increased anxiety and loss of confidence resulting from the data loss events. Such a loss of trust will likely affect consumers' buying behavior. While consumers may toss the annual privacy notices received from their financial institutions, consumers do read the privacy notices on websites, and truly care about these notifications.

Companies will be wise to make note of the results of these studies. The persistent problem will continue to be how companies deal with data security. Preventing compromises of data security is the surest way to avoid the costs and issues discussed above. The study makes clear that erecting another firewall within the company isn't the whole solution, since the confidential data to be protected is often in the possession of third parties. More than a third of data breaches result from data being shared with third parties in connection with outsourcing arrangements. Companies need to look closely at how they are sharing data with their third party service providers and what security measures they have imposed on those providers, and work with the providers to make certain that the data security strategy that has been agreed upon is in fact in place. Too often, a company hires a service provider, shifts responsibility for the security of the data to be processed by that provider onto the provider, and never gives it another thought. Requiring periodic audits and reports can help detect weaknesses in the security of the data and perhaps avoid the expense and embarrassment of a security breach.