Sunday, April 12, 2009

Turn on your Syndication

Sadly, my actual job, combined with some personal issues, has been taking up essentially all of my time recently, and will likely continue to do so for the foreseeable future. I expect to be able to return to maintaining the blog on a more regular basis at some point in the future. However, at this point, I recommend taking advantage of the feed for the site, since coming back in order to see when I have a new post up is unlikely to result in finding anything.

Saturday, April 4, 2009

Federal Security Breach Notification is Here

After years of talk, and failed attempts, tucked into a corner of the massive American Recovery and Reinvestment Act, we get a federal security breach notification law. Actually, we get a whole chunk of health care related privacy legislation, but what I'm going to focus on is the security breach notification part of it, as there's simply too much there for a single post otherwise.

In any case, the relevant provisions are sections 13402 (Notification in the case of breach, starting at page 146 in the linked PDF) and 13407 (Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities, starting at page 155 in the linked PDF). The question that needs to be asked is: how do they stack up against existing state security breach notification laws? The answer: reasonably well. The new federal law covers security breaches which expose individually identifiable health information* which means it's actually broader than some state laws which limit their coverage based on how the information is stored (e.g., California's SB1386 which is limited to "computerized" data). The new federal law also includes a media notice provision, which requires notice to "prominent media outlets" if the unsecured protected health information of more than 500 residents is compromised. That provision is actually stricter than the media notice from California's security breach notification law (used as a model for similar laws around the country), which is triggered if the number of people to be notified exceeds 500,000.

On the other hand, while the new federal law is stricter in some ways, it lacks what I consider one of the most important features of an effective protection - an individual right to bring suit. The lack of an individual right in various state laws has been used against people seeking compensation before (e.g., here), and I think the fact that the new federal law could be used in the same way could undermine enforcement. However, even though enforcement is a little questionable, the substance of the new federal law looks like a significant expansion in the rights of individuals to be notified when their data is exposed to unauthorized parties.

*Note: I am aware that it says it covers "unsecured protected health information". However, if you look at the definitions, the "unsecured" part basically means unencrypted, while the "protected health information" refers back to the HIPAA regulations, and translates into individually identifiable health information which is either transmitted or maintained in any medium.

Tuesday, March 24, 2009

Red Flag Rules - Deadline May 1

My colleagues Jane Shea and Gretchen Ackerman have published a new business advisory on the FTC red flag rules. I am posting it here with permission.

The May 1, 2009 deadline for creating and implementing an Identity Theft Protection and Prevention Program required by FTC Rules is fast approaching. The Identity Theft Red Flag Rules apply to all organizations with accounts primarily for personal, family or household purposes that permit multiple payments. Creditors subject to these rules include utilities, retailers, local governments, and car dealers, if such organizations carry consumer accounts permitting multiple repayments. Many hospitals and patient care facilities extend credit to patients for deferred payment of treatment costs. These health care entities must implement an Identity Theft Protection and Prevention Program to identify, detect and respond to the possible existence of identity theft with respect to these accounts. Health care entities must also take care to ensure that these programs do not conflict with other Federal and State laws, rules and regulations such as EMTALA.

The FTC Rules require all such organizations to develop and implement a proactive identity theft prevention program, and provide detailed guidelines intended to provide assistance in creating such a program. Financial institutions regulated by a regulatory agency other than the FTC were required to adopt and implement an Identity Theft Protection and Prevention Program no later than November 1, 2008.

Federal regulators were required by the FACT Act of 2003 to issue regulations that implement Section 114 of the Act, which amended the Fair Credit Reporting Act to require financial institutions and other creditors which maintain consumer accounts to adopt and maintain a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with the opening of accounts maintained for personal, family or household purposes, so long as the accounts permit multiple payments or transactions. Examples include credit card accounts, patient deferred payment plans, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts or savings accounts.

The regulations provide organizations subject to the Rules with flexibility in developing their programs according to their relative size and complexity. However, the Program must include reasonable policies and procedures that:

identify relevant Red Flags, and then incorporate those Red Flags into the Program;
detect such Red Flags;
respond appropriately to any Red Flags to prevent and mitigate identity theft; and
ensure that the Program is updated periodically to reflect changes in risks to customers.

What are the "Red Flags"? The regulations define them as a "pattern, practice, or specific activity that indicates the possible existence of identity theft." However, the concept is fleshed out considerably in the supplementary materials to the regulations. The federal regulatory agencies have adopted Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation. The Regulations include a section explaining the relationship of the rules to the guidelines, specifically, that each financial institution or creditor must consider the guidelines in developing its Program, and must include those Guidelines that are appropriate. They provide policies and procedures that can be used, where appropriate, to satisfy the regulatory requirements of the Rules.

Thus, the Guidelines provide guidance with respect to risk factors an organization should consider in identifying red flags, likely sources of red flags, and categories of red flags that should be included in the Program. Additionally, the supplementary materials to the Guidelines include illustrative examples of Red Flags which may be incorporated into a Program, and break these down into five categories: 1) Alerts, Notifications or Warnings from a Consumer Reporting Agency; 2) Suspicious Documents; 3) Suspicious Personal Identifying Information; 4) Unusual Use of, or Suspicious Activity Related to, the Covered Account; and 5) Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Others Regarding Possible Identity Theft in Connection with Covered Accounts Held by the Financial Institution or Creditor. Examples include:

a fraud or active duty alert is included with a consumer report
a consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report
a consumer reporting agency provides a notice of address discrepancy
identification documents appear to be forged
inconsistencies between identification provided and the consumer's/patient's appearance or the information actually provided by the consumer/patient
inconsistencies between personally identifying information provided and that obtained from external information sources
a new revolving credit account is used in a manner commonly associated with known patterns of fraud.

Once the Program has been established, the organization must administer the Program, and not simply place it on a shelf. This involves requiring that the board of directors or an appropriate committee of the Board approve the initial written Program, and that the Board, an appropriate Board committee, or a designated member of senior management be responsible for the oversight, development, implementation and administration of the Program. Additionally, training of relevant staff and effective oversight of third party service providers with respect to the Program is also required.

Organizations covered by the Red Flag Identity Theft Rules are subject to oversight by the appropriate federal regulators, and for those creditors that are not federally regulated financial institutions, the Federal Trade Commission provides oversight. Besides regulatory enforcement actions, violations of the FACT Act can subject an organization to civil actions for damages. The type and amount of damages available will depend on whether the violations are "negligent" or "willful." For a claim for negligent violation, a plaintiff must prove he or she suffered actual harm as a result of the defendant's negligence. In the case of a claim for a willful violation, most courts will require proof of actual knowledge and intentional violation of the relevant statute by the organization.

Sunday, March 22, 2009

EPIC Files Interesting Complaint Regarding Google Services

Earlier this month, Google sent out an email admitting to a bug (subsequently fixed) which caused some documents on Google's cloud computing services to be shared without their owners' knowledge or consent (a copy of the email can be found in this blog post). Now, the Electronic Privacy Information Center (EPIC) has filed a complaint with the FTC asking it to investigate Google's procedures, to force Google to revise its terms of service, and to spend $5,000,000 on security research. The complaint also asks that Google be enjoined from offering cloud computing services until "safeguards are verifiably established." The complaint can be found here.

At this point, I actually don't want the complaint to succeed - at least, not to succeed in full, as I use some of the services in question, and I don't want to wait for Google to get its act together on privacy before using them again. However, while I don't want the complaint to succeed, I do think it makes for interesting reading for people who care about, but aren't familiar with, the FTC's role in protecting consumer privacy. Highly recommended reading, at least for that class of reader.


Sunday, March 15, 2009

PCI and the Efficacy of Self Regulation

Tucked away in the conclusion of this article is an interesting question: is the PCI Data Security Standard effective? Actually, the question as posed, which was whether the PCI Data Security Standard in its current form is effective, is not particularly interesting (at least to me). The more interesting question is whether the PCI DSS, or any self regulation, can be an effective counter to information security threats. I don't know the answer, but the article gives some indication that the answer might be no.

Of course, the article itself did not tackle the question of self regulation versus governmental oversight. The article was devoted to describing a new set of guidelines which is intended to facilitate the process of becoming PCI compliant. Apparently, there is a perception that some businesses look at the PCI requirements, become overwhelmed by what's necessary to comply, and, as a result, do nothing. The hope is that, by breaking things down and ranking them in terms of priority, the new guidelines will make the task more manageable, and therefore increase compliance. The article then mentioned that these new efforts to increase compliance come at a time when the effectiveness of the PCI DSS is being questioned based on recent security breaches such as that at Heartland Payment Systems. The article mentioned that a spokesman from the PCI Security Standards council had said that there wasn't anything wrong with the standards. However, if that's true, it raises a bigger question - why are the breaches still happening?

One possible answer, the one I alluded to at the beginning of the post, is that breaches are still happening because self regulation isn't an effective means of influencing behavior. I think that position is probably too extreme - merchants do care about the PCI DSS. However, the fact that there is a perceived need for the current compliance campaign, and the fact that massive breaches like that at Heartland keep happening, indicate that something needs to change. Maybe that change is to add a dose of federal government enforcement power to the supposedly sufficient requirements of the PCI DSS.

Tuesday, March 10, 2009

What I wouldn't give for some time...

Actually, I know very well what I wouldn't give up for some time. I wouldn't give up my productivity at work, or my relaxing evenings with my wife. However, if I would give those things up, I could write a great blog post on proposed changes to California's security breach notification act. Instead, I'll just mention this article from Computer World, and quickly note that the proposed changes require businesses that suffer breaches to report them to a centralized authority, not just to the people whose data is compromised.

Of course, if I were writing a really good blog post, I wouldn't just talk about the proposed changes, but instead I'd try and put them in broader context, perhaps by referring to this post from the Threat Level blog, which describes a panel discussion on whether notification laws "work". I might even have some analysis on the proper way to measure the efficacy of notification laws.

As it is though, I'm not writing that blog post, I'm writing this relatively uncreative excuse for a blog post. Oh well. On the bright side, I'm still a good lawyer by day, and I've had a nice evening with my wife.

Sunday, March 1, 2009

Facebook Content Policy

Last month, there was something of a controversy regarding the terms of service for the popular social networking site Facebook. The issue (described in this article) was that Facebook removed a statement from its terms of service that said it couldn't claim rights in original content uploaded by users after they terminated their accounts, and replaced it with a statement saying that Facebook might maintain archived copies of user content. From my perspective, this would not have seemed like a significant event. I assume that everything (including this web site) I put online is archived somewhere, whether it's at the site that's hosting the content (e.g., Facebook), some external site (e.g., the internet archive), or the local computers of whoever happens to have looked at whatever I posted (e.g., blog readers). My guess is that the lawyers who recommended that Facebook make the change thought that most Facebook users were about like me, and wouldn't see the modification of the policy as a significant change.

They were wrong.

Facebook's users were outraged. They started a Facebook group (!) to protest, and it quickly signed up 88,000 members. The Electronic Privacy Information Center prepared an FTC complaint. As one user rhetorically asked: "Will I wind up seeing pictures of my niece staring at me from a bus stop at some point and be told I shoulda read the fine print?" (quote via this article).

Anyway, because of the outrage, Facebook backed down, and is now asking users to help define its policies (article here). On one hand, it's a demonstration that consumer pressure actually can have beneficial effects. On the other hand, it's a demonstration that privacy concerns crop up over the most bizarre things. For example, if someone really wants to have their niece's picture taken out of an advertisement, they can sue Facebook for making an unauthorized public display and get an injunction.* Additionally, there have been several cases where people have sued for common law torts such as libel, or false light invasion of privacy for using pictures in advertisements without the subjects' consent (e.g., Virgin, which was sued for using a picture uploaded to Flickr with the tag line "virgin to virgin" - article here). In short, the fears that led to the revolt against Facebook are one of the areas where the law does offer redress for unauthorized use of personal data. Strange that people got outraged over that, rather than something where the law offers little or no protection.

*Copyright protection subsists in any work fixed in a tangible medium of expression. 17 USC 102. That includes computer memory, which means that everything uploaded to Facebook is automatically protected by copyright.**

**Yes, there is a requirement for registration, but you can register after infringement has taken place. 17 USC 408 et seq. While there are significant advantages to registering before an infringement occurs, a discussion of those advantages is way outside the scope of this post.

Sunday, February 22, 2009

A Quick Reminder: If you want legal advice, get a lawyer

As it says in the disclaimer at the bottom of the page (which you should definitely read): "This site is provided for informational purposes only...This site should not be used as a substitute for competent legal advice from a licensed professional attorney in your state."

Data privacy and information security are governed by a patchwork of state laws, and there is massive variation from jurisdiction to jurisdiction. For example, my home state, Ohio, has a data security notification law (ORC 1349.19). However, if I drive 10 minutes south from my office, I'm in Kentucky, which doesn't have an equivalent law (a handy table of what states do and do not have such laws can be found here). Remedies such as trespass to chattels, breach of contract, negligence and intentional infliction of emotional distress (to name four) are also governed by state law.

This web site does discuss the law surrounding information security and data privacy. However, anyone who has a question about their own information security or data privacy situation should get a lawyer who can apply the law as it exists in their jurisdiction to the facts as they exist in their case - not rely on a web site (this one, or any other).

Monday, February 16, 2009

Massachusetts Extends Compliance with Data Security Rules

We've written previously (e.g., here) about Massachusetts' new data security rules. Briefly, they would have required anyone who owns, stores or maintains the personal data of a resident of Massachusetts, and who stores that data electronically, to encrypt the data before transmitting it wirelessly or over a public network. The rules would also have required encryption of data stored on mobile devices. I say "would have" because their implementation deadline, which had been previously set at May 1, 2009, has been extended until January 1, 2010 (see article here).

Of course, this isn't a big surprise, since regulations having to do with privacy (both strengthening, like the red flag rules, and weakening, like Real ID) have a history of getting delayed.

Tuesday, February 10, 2009

Even More Limitations on Private Rights of Action

Previously, I've written about problems with protecting privacy through private civil suits, such as transaction costs, difficulty of proving damages, and a generally hostile court system. However, a recent breach notification by as indicated that even when those factors aren't present, people (or, in this case, businesses) still aren't that interested in enforcing their rights. The story, according to this article from Computer World is that the web site was victimized by an SQL injection attack, and the operators eventually entered into a settlement with the FTC wherein they agreed to undergo audits and not to make any further misleading claims about privacy. So far not particularly notable. However, as the article says, unlike most security breaches:

The breach was notable because the site prominently displayed a "Hacker Safe" seal provided to companies by McAfee Inc. as part of its ScanAlert vulnerability scanning service. However, McAfee officials said at the time that the Hacker Safe certification — since renamed McAfee Secure — had been withdrawn from on multiple occasions during 2007 after scans found vulnerabilities in its systems.

To me this is shocking. Not because a supposedly secure site was compromised, but because they were improperly displaying the "Hacker Safe" seal.

Where was McAfee?

Didn't it care about its good name? I would guess that would have taken down the "Hacker Safe" seal if McAfee simply asked them to. I doubt even a sternly worded letter would have been necessary. Still, if it had been, there are any number of attorneys who could have written it, and who would have been happy to go to court to get the seal removed if wouldn't take it down otherwise. Happily, the FTC stepped up in this case. However, it's a little surprising that they were the ones who ended up doing it, rather than the private actor who one would think would have had both the incentive and opportunity to have taken action earlier.

Sunday, February 1, 2009

A view from the dark side

Via Bruce Schneier, we have a fascinating interview with an adware author. From a technical perspective, it's fascinating - he gives a programmer's eye view of the various mechanisms he used to make sure his adware couldn't be uninstalled or stopped. From a privacy standpoint it's disturbing. When asked the question of whether people had any security or privacy at all, his answer was (essentially) no, but it doesn't matter because most people aren't criminals so you're probably ok.

From a legal standpoint, it had two interesting takeaways. First: End User License Agreements are trouble. The interviewee's opinion was that people don't read EULAs, so you can put anything in them, including agreements by the user that the adware company can install whatever software they want on the user's computer. In the coming years, I would expect to see some limits placed on this (e.g., by the FTC under its authority to police unfair or deceptive trade practices). Second, the legal system can work to curb bad practices, but only once the bad practices are known. The company the interviewee worked for, Direct Revenue, was sued by Eliot Spitzer. The problem is, the suit only happened after the company made the poor business decision to start branding their adware. If they hadn't done that, it's anyone's guess as to whether they even would have shown up on the (now disgraced) attorney general's radar screen.

Also, one final takeaway from the interview: if you want to reduce your susceptibility to adware (or various forms of viruses or other malware), switch away from Microsoft products. The interviewee was openly contemptuous of Microsoft products. The money quote: "If you're using IE [Internet Explorer], then either you don't care or you don't know about all the vulnerabilities that IE has." I'm not sure I agree with him, but it's interesting to see how an insider views the world at large.

Sunday, January 25, 2009

Privacy for me but not for thee

Via BoingBoing, I found this article, which shows that the UK government has no (or at most very little) respect for the privacy of individual citizens. According to the article, there is a clause in a pending piece of UK legislation which would
allow ministers to make 'Information Sharing Orders', that can alter any Act of Parliament and cancel all rules of confidentiality in order to use information obtained for one purpose to be used for another.

Now, admittedly, I am not an expert on UK law, but allowing such information sharing orders would seem to basically nullify any types of privacy protections which currently exist. It's almost as if the British government doesn't care about privacy at all.

...of course, we know that can't be true, since just a week earlier, British MPs (members of parliament) had attempted to pass a law which would have exempted records of their expenses from freedom of information act requests (see this article, also via BoingBoing). I guess this is just one more example of how government officials care deeply about privacy - but only if it's their own information that they're trying to keep secret.

Wednesday, January 21, 2009

And They're Off

We're a little less than a month into the new year, and there's already a strong contender for biggest data security breach of '09. Actually, the breach, which involved a compromise of Heartland Payment Systems took place in 2008, but it wasn't publicly disclosed until yesterday, so I'm classifying it as a 2009 breach. However, whatever year the breach is placed in, it's potentially a monster, with over 100,000,000 accounts at risk. We don't know the full extent of the breach yet, but this is one to keep an eye on as potentially not only being a candidate for the biggest breach of 2009, but also as having the potential to dethrone TJX as the biggest breach ever.

Wednesday, January 14, 2009

Malwarebytes Link

As a (most likely final) follow up to my posts (here and here) on removing Antivirus 2009, I contacted Malwarebytes and asked if they had an alternate site where you could download their tools without being blocked. In response, they sent me this link to their free product. I can't guarantee that it will work, and I'm not planning on purposefully getting infected just to test it. However, if anyone happens to stumble across this blog looking for a way to remove the virus, the above link might do the trick.

Tuesday, January 13, 2009

Government spurs security improvements

Well, we still don't know if (as I predicted here) Obama will be the first email friendly president. However, we do know that there is now a PDA which has been certified by the NSA for top secret voice communication. Sadly, the price tag is a hefty $3,350, which will keep it out of the hands of most private citizens (including me). Still, that's no object for Obama, and I wouldn't be at all surprised if he uses this device (or something like it) to avoid having to give up email.


Friday, January 9, 2009

Hallmark E-Card Virus

Today I received an email (actually, several emails) with yet another virus. Unlike Antivirus 2009, which has the potential to trick unsuspecting users by masquerading as a legitimate program, this one, which appears to spread via email attachment, would only catch the absolutely most unsophisticated. Indeed, unlike some email viruses, this one doesn't even bother trying to personalize the emails it sends out. Instead, it uses the following generic message:


You have recieved a Hallmark E-Card from your friend.

To see it, check the attachment.

There's something special about that E-Card feeling. We invite you to make a friend's day and send one.

Hope to see you soon,
Your friends at Hallmark

Your privacy is our priority. Click the "Privacy and Security" link at the bottom of this E-mail to view our policy.

I'm not sure what to say about it, except that anyone who trusts a card from an anonymous "friend" who wants them to open an email attachment probably has so many viruses on their system already that one more won't do much damage (either that or an antivirus program strong enough to protect them from themselves - something I recommend all users get regardless of their sophistication).

Thursday, January 8, 2009

Removing Antivirus 2009

I've received a number of hits on my previous post about some legal issues regarding Antivirus 2009 which I suspect are from people looking for how to get rid of the malware but can't get to the big antivirus sites because Antivirus 2009 has blocked them. For anyone looking for how to get rid of the program, here's my advice:

1) Don't expect to download a tool to fix the problem. The nastiest feature of Antivirus 2009 is that it blocks downloads from the major antivirus websites. In particular, Malwarebytes, which is recommended in a number of places to deal with Antivirus 2009, is blocked.

2) Get to a clean system. Just because you can't download the proper tools on a compromised system doesn't mean you can't download them at all. Go to another computer and download the tools you need. Malwarebytes Anti-Malware, mentioned above, can be downloaded here.

3) Send the tools from the clean system to the compromised system. The most obvious way to do this is via a flash drive. However, the version of Antivirus 2009 I dealt with (surprisingly) allowed me to send the mbam-setup.exe program through email.

4) Once the tool (whatever it is) is downloaded, rename it to .bat. With the version of Antivirus 2009 I dealt with, it wouldn't let mbam-setup.exe execute, but it would let blank.bat (what I renamed mbam-setup.exe) run just fine.

Please note that, for step 4 above to work, you might have to restart Windows in safe mode. A description of how to do that can be found here.

Please also note that the above 4 steps (including restarting in safe mode) might not actually work. The version of Antivirus 2009 which got onto my grandmother's computer let me run the antivirus setup program, but blocked the antivirus program itself. My next step after step 4 would have been to create a rescue CD and use that to boot from. However, my brother who also happened to be visiting that weekend had different advice: since my grandmother's computer was brand new, why not reformat the hard drive and just reinstall everything my grandmother wanted? In the end, that's what happened, since I would have been required to go back to my house (across town) to get a rescue CD, while my brother could reformat the hard drive immediately. It's an extreme measure, but I can testify that it certainly worked for my grandmother.
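Step 4 works because the malware decides what to block from the file's name, and a copy of the same bytes under a different name does not match. The script below is an added example, not code from the original post or from Malwarebytes: it builds a constructed stand-in for an installer (a tiny fake PE image with an "MZ" header pointing at a "PE\0\0" signature, never a real binary), copies it to blank.bat exactly as in step 4, and compares a check keyed on the file name (the behaviour the rogue program appeared to have) with checks keyed on content (PE signature and SHA-256). BLOCKED_NAMES is a hypothetical blocklist chosen for the demonstration, not anything recovered from the malware.

```python
"""Filename-keyed blocking versus content-keyed identification.

Added example: shows why renaming mbam-setup.exe to blank.bat defeats a
check on the file name but not a check on what the file contains.
The "installer" used here is constructed test data, not a real program.
"""
import hashlib
import os
import shutil
import struct
import tempfile
from typing import Optional

# Hypothetical names a filename-keyed block would refuse to execute
# (an assumption for the demonstration, not the malware's real list).
BLOCKED_NAMES = {"mbam-setup.exe", "mbam.exe"}


def fake_pe_bytes() -> bytes:
    """Constructed test data: an 'MZ' DOS header whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature. Enough to satisfy a
    header check; it is not a runnable executable."""
    e_lfanew = 0x80
    dos_header = bytearray(e_lfanew)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)
    coff_placeholder = b"\0" * 60
    return bytes(dos_header) + b"PE\0\0" + coff_placeholder


def blocked_by_name(path: str) -> bool:
    """The brittle check: decide on the basename alone."""
    return os.path.basename(path).lower() in BLOCKED_NAMES


def is_pe_bytes(data: bytes) -> bool:
    """Content check: DOS stub present and e_lfanew points at a PE
    signature. The file's extension plays no part in the answer."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def is_pe_image(path: str) -> bool:
    with open(path, "rb") as f:
        return is_pe_bytes(f.read())


def sha256_of(path: str) -> str:
    """Second content check: the hash is unchanged by a rename or copy."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def rename_demo(workdir: Optional[str] = None) -> dict:
    """Reproduce the copy-and-rename from step 4 inside workdir (a fresh
    temporary directory if None) and report what each check says."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as d:
            return rename_demo(d)
    original = os.path.join(workdir, "mbam-setup.exe")
    renamed = os.path.join(workdir, "blank.bat")
    with open(original, "wb") as f:
        f.write(fake_pe_bytes())
    shutil.copyfile(original, renamed)  # step 4: same bytes, new name
    return {
        "name_blocks_original": blocked_by_name(original),
        "name_blocks_renamed": blocked_by_name(renamed),
        "pe_original": is_pe_image(original),
        "pe_renamed": is_pe_image(renamed),
        "same_hash": sha256_of(original) == sha256_of(renamed),
    }


if __name__ == "__main__":
    for check, result in rename_demo().items():
        print(f"{check}: {result}")
```

The name-keyed check blocks mbam-setup.exe and waves blank.bat through, while both content checks give the same answer for both files. The same caveat cuts the other way: a variant that inspected content rather than names would not be fooled by the rename, which is one reason the steps above come with no guarantee.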

Update: As a potential alternative, I sent a message to Malwarebytes and asked them if they had a link that wouldn't be blocked by Antivirus 2009. They sent me a link, and I added it in this post.

Wednesday, January 7, 2009

Will Anyone be Ready for the Next Level of Identity Theft Protection?

The Massachusetts and Nevada Models

Brace yourself for the countless retrospectives to appear in the coming months, touting 2008 as an eventful year for so many reasons: an historic presidential election, a meltdown in the financial and real estate industry and resulting economic maelstrom, Michael Phelps winning a record-breaking eight gold medals in the Beijing Olympics – the list goes on.

One notable characteristic of 2008 that may go unnoticed by the mainstream commentators, but is no less remarkable, is the continuing wave of consumer protection legislation enacted by state legislatures in the wake of spiraling incidents of identity theft. In addition, an otherwise lethargic Congress has managed to enact a cybercrime law, signed by President Bush in early October, called The Identity Theft Enforcement and Restitution Act of 2008. This law makes it easier for prosecutors to bring hacking and other cybercrime charges against an individual, eliminating the minimum $5,000 in damages requirement. It also makes it a felony, during any one-year period, to damage ten or more government or financial institution computers, and directs the U.S. Sentencing Commission to consider increasing its penalty guidelines for those convicted of identity theft, computer fraud, illegal wiretapping or breaking into computer systems. Combined with the issuance early in 2008 of the FTC’s Identity Theft Red Flag Guidelines, these new legislative and regulatory initiatives are designed to combat what has become a crime wave of increasing dimensions.

The proactive trend of the state legislatures began several years ago with California’s data security breach notification and security freeze laws, resulting in 44 states and the District of Columbia enacting the same or similar laws. The momentum has continued with many states strengthening identity theft laws concerning the protection from the public of social security numbers and personal information from credit cards. Massachusetts has moved in another new direction with a law that will become effective on May 1, 2009. The law was an addition to the Massachusetts Laws chapter on Security Breaches, and was expanded upon by administrative regulations. It applies to anyone who owns, stores or maintains personal data about a resident of Massachusetts. Data that is stored electronically must be encrypted before it is transmitted over a public network or transmitted wirelessly, especially on portable devices such as laptop computers and Blackberries, as well as other portable devices such as flash drives, cellphones and CDs. For this reason, according to some commentators, the law is a little ahead of its time, since the technology for encryption of portable devices is just starting to be developed.

In addition to the computer system security requirements, the law imposes a duty to protect personal information and standards for doing so. Its requirements are similar to the federal Identity Theft Red Flag Guidelines requirements, effectively extending the federal regulations’ applicability well beyond the original class of “creditors,” as defined in the Guidelines, to all types of businesses. It requires the development and maintenance of a comprehensive, written information security program that includes the designation of an employee responsible for the program, identifying foreseeable risks, ongoing employee training, employee compliance with policies and procedures, and processes for detecting and preventing security system failures. It requires that disciplinary measures be imposed for violations of the program rules, that terminated employees be prevented from accessing records, and that reasonable steps be taken to verify that third-party service providers have the capacity to protect the personal data. It imposes data collection and retention standards and requires that access be limited to those persons reasonably required to know, as well as restrictions on physical access.

Nevada has also enacted a similar law that went into effect October 1, 2008. NRS 597.970 takes a different approach than Massachusetts to applicability, so that it only applies to businesses operating or “doing business in” the state of Nevada, without regard to where their customers reside. It imposes an encryption requirement as well, by simply stating that businesses in the state of Nevada “shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.” Of course, as with the Massachusetts law, the devil is in the details. The Nevada law defines “encryption” broadly to mean the use of any protective or disruptive measure (including cryptography, enciphering, encoding or a computer contaminant) to prevent or disrupt access to, or the normal operation of, any device, system or network, or to cause such data to be unintelligible or unusable. The definition raises more questions than it answers. While the definition of “personal information” is similar to that found in many data security laws, the questions of who is a customer and what constitutes “doing business” in Nevada have no clear answers. It could arguably apply to businesses with no physical presence in the state of Nevada, but which do business through an internet website.

The Massachusetts law is enforceable only by the Massachusetts Attorney General. However, the Nevada law does not limit enforcement to its attorney general, nor does it contain any specific penalty provisions, so that the potential for a private lawsuit (including a class action suit) exists with no limit on damages. Companies operating nationally should consider whether their existing policies and procedures regarding the transmission of personal data meet the encryption and other requirements of these laws.

Whether the Massachusetts and Nevada laws forecast a trend or whether they are isolated anomalies remains to be seen. But if recent experience with state enactment of security breach notification and security freeze statutes is any gauge, these two laws may very well signal the beginning of the next wave of state law initiatives designed to combat the growing phenomenon of identity theft.

Tuesday, January 6, 2009

Reviews and Comparisons

Recently, I discovered (or, more accurately, was informed of) the site NextAdvisor, a web page which provides comparisons and reviews for a variety of services, including (of particular interest to readers of this blog) Identity Theft, Security Software, and Online Backup Services. They also have a blog which has quick summaries of recent identity theft news items. The blog appears to be updated relatively regularly, and the articles are fun in an offbeat sort of way (for example, this article about a mother who pretended to be her daughter for cheerleading tryouts). Definitely a site to consider for some quick info or tidbits on identity theft.

Sunday, January 4, 2009

Antivirus 2009

Over the holidays I had the intriguing experience of watching a computer get hijacked by a nasty piece of malware: Antivirus 2009. According to this article from Bleeping Computer:

Antivirus 2009 is a new rogue anti-spyware program from the same family as Antivirus 2008 and Doctor Antivirus. Antivirus 2009 is installed and advertised through the use of misleading web sites that attempt to make you think your computer is infected with a variety of malware. Once installed, Antivirus 2009 will scan your computer and list a variety of fake infections that can't be removed unless you first purchase the software. These infections are fake, though, and only being shown to scare you into purchasing the software.

What that article doesn't make clear is the fact that Antivirus 2009 (or at least the variant I was dealing with) will also cause a substantial slowdown in your computer's performance, and will cause your browser to display all manner of annoying pop-ups. The other point about Antivirus 2009 that the article doesn't make clear is that Antivirus 2009 includes some relatively sophisticated countermeasures to prevent people from removing it from their system. For example, the variant I was dealing with stopped my grandmother's computer (where it was installed) from accessing websites of antivirus vendors (e.g., AVG) and technical web sites which had instructions on how to remove it (e.g., Bleeping Computer). Additionally, it also detected and prevented execution of removal tools that I was able to download on another system and install on the infected computer. I have to admit, I was impressed by the countermeasures the creators of Antivirus 2009 had included, as they made it MUCH harder to remove than the last virus I had to deal with (Slammer).

Anyway, as impressed as I was by the measures Antivirus 2009 took to prevent me from disabling it, the more interesting aspect of the program is that it even exists at all. Antivirus 2009 isn't just a program that enrolls a computer in a botnet where it can be rented out for pump and dump schemes or to spew fake Viagra spam. Instead, it appears to be connected with a business selling subscriptions which could, in theory, be shut down (or at least taken off the web). Therefore, it should be possible to file suit against the business connected with Antivirus 2009 (i.e., the people selling the software using bogus virus notifications). My guess is that either the people behind the software don't know that what they're doing is illegal (highly unlikely) or they think that whatever profit they can make between the time they released their software and the time a court inevitably shuts them down will be enough to compensate them for their efforts in creating their malware. Either way, the fact that Antivirus 2009 exists raises serious questions about whether the law can function as a deterrent to even the most blatant cybercrime.

PostScript: One other point of interest on the Antivirus 2009 front: both the FTC and Microsoft have filed suit against fake antivirus companies (see here). My suspicion is that these suits will accomplish nothing, as the companies are probably set up with pseudonyms, and the people behind them will vanish into the woodwork long before any court can find them. However, I would very much like to be wrong, and I would be quite happy to see the FTC and/or Microsoft being awarded (and collecting) some sizeable judgments.
