Tuesday, July 31, 2007

States Legislate Security Freeze Options

Just as state legislatures have grown impatient with waiting for Congress to enact data breach notification legislation, so too have they become frustrated with Congress' failure to grant consumers a security freeze option. Also known as a "credit freeze", a "security freeze" lets a consumer stop the disclosure of his credit information by a credit bureau. The result of a freeze is that neither the consumer nor anyone else can open an account in the consumer's name. This option is a key measure to guard against identity theft if a consumer suspects that his personal information has been stolen or compromised. But the option is unavailable without state law authorization. According to the World Privacy Forum, by September 2007, 27 states will have made the option of a security freeze available to residents of their respective states, and by 2008, that number jumps to 34. A few of the states make the security freeze available only to those who have been previous victims of identity theft, but most have no such prerequisite. Several of the bills that have been introduced in Congress also include security freeze options, and several of the Senate bills have been approved by either the Judiciary or Commerce Committees. In the meantime, consumers in at least 27 states have one more weapon to combat identity theft.

Friday, July 27, 2007


Recently, at a hearing on P2P networks, Henry Waxman stated that he was considering laws aimed at the problem of inadvertent leaking of classified information (described here and here). Apparently, sensitive documents have been making their way onto P2P networks such as those accessed via Limewire or Kazaa. While this is obviously a problem, the solution proposed by Waxman - regulating the networks - is insane. I could access that sensitive data through my computer, and, in getting to my computer, that sensitive data would travel through a DSL line. However, Mr. Waxman isn't proposing that computer makers or telcos take responsibility for making sure that people can't access sensitive documents. The reason is obvious: telcos and computer makers can't be responsible for the actions of end users, because there is no effective way for them to control end users without effectively shutting down. P2P networks are no different. Looking at his comments charitably, it seems that Mr. Waxman simply doesn't understand the consequences of putting responsibility for the acts of consumers on the providers of P2P software.

Of course, it is also possible to look at Mr. Waxman's comments in a less charitable light. Currently, the federal government is scrambling to meet a White House directive on securing personal data (details can be found here) and it seems that there is an almost continuous stream of incidents of lost data involving government employees (e.g., the theft of a laptop containing records for 26.5 million veterans, described here), so attacking an easy target, such as P2P networks, could serve an instrumental purpose for Waxman of making it appear that he is doing something about information security. Further, by attacking P2P networks as a threat to national security, Waxman is undoubtedly pleasing the powerful recording industry, which has been seeking to destroy P2P technology ever since Napster. In this regard, it is telling that Waxman said that he would seek to achieve a balance between "sensitive government, personal and corporate information and copyright laws" (emphasis added). Given that protecting copyrights, while a valid concern, is an entirely different type of objective than protecting the physical well-being of Americans by improving national security, the inclusion of copyright law on that list seems strange. However, if the primary motivation to regulate P2P networks is to benefit copyright holders, then the list provided by Mr. Waxman makes perfect sense, with the national security concerns acting as window dressing for the desire to shut down P2P networks on behalf of copyright holders.

In any case, I think it is extremely unlikely that regulating P2P networks is a viable solution to the Federal Government's information security problems. Even if P2P networks were banned entirely, that would do nothing to stop people from stealing data, or from losing the media on which data are stored. However, when faced with a decision as to whether to spend time exercising oversight on HR or training policies which might increase information security, or blasting the enemies of the RIAA, it is clear where Congress' priorities lie. Disappointing, but not at all a surprise.

Friday, July 20, 2007

Privacy and Contract

Assume that I, without your permission, install a keylogger on your home computer that records everything you type and sends it back to me. Clearly, I have violated your privacy, and probably exposed myself to civil liability as well (e.g., trespass to chattels, as described here). Change the scenario slightly. Assume that you and I meet, and you agree to allow me to install a keylogger on your home computer that records everything you type and sends it back to me. That magic element of authorization changes what would be a privacy violation and a lawsuit into a straightforward agreement between two people. Now change the scenario slightly again. Assume you buy a product from me, but, before the product can be used, you have to agree to a 15,000 word contract which includes as one of its provisions an agreement that a keylogger will be installed on your home computer which records everything you type and sends it back to me. Before arguing that the license couldn't possibly be upheld, think again: clickwrap licenses are routinely upheld as valid contracts by US courts (as described here). Before arguing that no legitimate business would ever put such onerous terms in a license, consider that the terms of service for the new iPhone state that Apple may monitor the users' phones (NOTE: I do not own an iPhone. My knowledge of their terms of service is based on this article).

So what does all this mean for privacy? Well, I think it means that privacy is basically dead. It's insane to think that consumers will actually read and understand the multitude of licenses they are presented with (the iPhone license is 17,000 words long, and apparently so convoluted that many lawyers can't understand it). It's also insane to think that consumers are going to stop buying new products, or that businesses are going to stop using clickwrap licenses. The result is that, as businesses realize that they can get consumers to agree to literally anything, consumer privacy is going to be killed by new consumer toys and the licenses that people will agree to in order to get them.

Tuesday, July 17, 2007

Department of Energy Levying Security Breach Fines?

Apparently, the Department of Energy (DOE) can levy fines for security breaches - when you're working for them and allow their information to be stolen. At least, that's what's currently happening to the University of California, and a company called Los Alamos National Security, in connection with a loss of classified information from 2006. According to this article from ComputerWorld, the DOE has proposed a fine of $3,000,000 on the University of California, Oakland - the largest fine ever assessed by the DOE. The university, not surprisingly, is fighting back, noting that the breach took place after the university's contract had expired, and noting that the university had taken a number of steps to enhance security. One particular measure taken by the university which is likely to become a trend in other enterprises is the implementation of a diskless and medialess environment, which, when properly implemented, can address one of the most difficult challenges in information security - sensitive data walking off in a portable hard drive or other medium.

Monday, July 16, 2007

Identity Theft Victim Beneficiary of Excess Proceeds

The decision in a recent California Court of Appeals case provided an identity theft victim with an unusual bonus. The thief had bought and mortgaged real estate using the victim's name and information. A foreclosure sale resulted in an unexpected surplus of $51,000. The only claimant to the surplus was the victim whose information had been used to obtain the real estate. The lower court ruled that the victim was not entitled to the surplus since he had never owned the property. However, the appellate court reversed, holding that the victim was entitled to the surplus on a theory of restitution. The court recognized the victim's information as a valuable asset, and that the victim had the right to restitution for the theft of the asset, and anything acquired with the asset, in this case, the real estate. While many states have criminalized identity theft, few have provided a means of recovery for the time and effort expended by the victim to correct his credit record, or for damages incurred arising out of the theft. This case provides an opening for such a recovery. (CTC Real Estate Services v. Lepe, 44 Cal. Rptr. 3d 823 (Ct. App. 2006)).

Thursday, July 12, 2007

Pressure on CEOs for Information Security

According to this article in ComputerWorld, the Information Commissioner in the UK is blaming CEOs for data security breaches. "How", he asks, "can laptops holding details of customer accounts be used away from the office without strong encryption? How can millions of store card transactions fall into the wrong hands?" Of course, there are any number of ways that "millions of store card transactions" can fall into the wrong hands even if a business does have an effective information security policy in place (e.g., they can be stolen by an employee, such as described here). Also, how productive it would be to make CEOs responsible for information security is anyone's guess, as most CEOs aren't (and aren't expected to be) knowledgeable enough about information security to contribute effectively to the conception or implementation of an information security policy. Whether the commissioner's comments are a harbinger of regulations targeting CEOs, or whether they are simply another statement of outrage from a government official about identity theft, is another open question. However, whether followed by regulation or not, there is no reason to believe that targeting CEOs will positively contribute to reducing identity theft or the incidence of data security breaches.

Friday, July 6, 2007

And why beholdest thou the mote that is in thy brother's eye?

As if a reminder were necessary, a recent theft of data at Fidelity National Information Services, Inc. has demonstrated that threats to data security don't have to come from outside an organization. According to this article from ComputerWorld, a senior database administrator - the very person who had responsibility for defining and enforcing data access rights - stole over 2 million consumer records and sold them to a data broker. How can this type of incident be avoided? Well, good personnel policies might help. If there were any red flags (e.g., criminal convictions for related crimes) then putting the former DBA in such a sensitive position would have been a clear mistake. However, not all potential thieves have actually committed a crime (after all, there's always a first time), so looking at an employee's background isn't foolproof. Given that, businesses should make sure that they have in place policies which can detect unauthorized data use (preferably not all enforced by one person, in case that one person happens to be the thief) and then respond quickly, thus minimizing the damage if a theft of data does occur.

Sunday, July 1, 2007

New Data Security Breach Law Moves Through California Legislature

In 2002, California passed the nation's first data breach notification statute, SB 1386, which has since been copied by states around the country. Now, a new bill is making its way through the California legislature, this one significantly modifying the provisions of SB 1386 by mandating that retailers who suffer data security breaches reimburse banks and credit unions for the cost of issuing new cards to their customers. Predictably, as described in this article, groups representing retailers are opposing the bill, which, if it passes, could become a model for similar bills around the country (by comparison, 39 states have enacted data breach notification laws similar to SB 1386). Thus far, laws shifting costs for replacing cards from banks and credit unions to retailers have been defeated in Texas, Massachusetts, and Connecticut, though one has passed in Minnesota, thanks, in part, to the TJX breach. Whether that breach will be enough to carry the bill in California is an open question, but, if it does, it will usher in a brave new world in which the risks to retailers of data security breaches would be substantially larger than they are now.