WEEKLY PRIVACY-SECURITY NEWS BRIEF

Privacy & Security News Brief
May 18-24, 2008
Vol. 1, No. 31

TABLE OF CONTENTS

BIOMETRICS
    Retailers fingerprint plans prompt privacy concerns
    Fujitsu gives biometrics a hand
DATA BREACH
    Health Spring says laptop with personal data stolen
    Police: Student Hacker Stole Personal Info of 55,000
    Data breach at New York bank possibly affecting hundreds of thousands of CT consumers
    OKC buyer finds sensitive information on server
    Confidential health records lost
    NYU students' information on Web for months
    UF warns patients of security breach
    Theft of Laptop Imperils School Employees' Data
    Crimeware server exposes breadth of data theft
E-COMMERCE
    Retail E-Commerce and the Economy
EDITORIALS & OPINION
    Phone Companies That Allowed Wiretaps Shouldn't Get Immunity
EDUCATION
    Schools Struggle With Dark Writings
EMPLOYEE
    U.S. corporations massively read employee e-mail
    Old User Accounts Pose Current Security Risks for Enterprises
GOVERNMENT – U.S. FEDERAL
    CIOs look to 'thin client' computing for increased security, efficiency
    GSA systems seen needing more protection
    OMB plans domain name security measures
GOVERNMENT – U.S. STATES
    MONTANA
        New Montana Cyber Safety Web Site
    NEW YORK
        New York AG Stops Internet Company from Illegally Selling Personal Information
HEALTH & MEDICAL
    Proliferating HIPAA complaints and medical record breaches
    'Google Health' launches despite privacy fears
IDENTITY THEFT
    LifeLock Identity Fraud Service Finds Skeptics
        ID Protection Firm LifeLock Sued by Customers When CEO's ID is Stolen
INTERNATIONAL
    AFRICA
    ASIA/PACIFIC
        AUSTRALIA
            Civil penalties sought for data privacy breaches
    EUROPE
        European Data Privacy Laws Pose E-Discovery Problems
        UK
            Criticism for 'UK database' plan
            Identity theft prime concern, says survey
    MIDDLE EAST
    NORTH AMERICA
        CANADA
            Move to protect Canadians' privacy on Net irritates police, attracts others
            Ont. privacy czar worried about high-tech licences
            Pending law will highlight health-record privacy: Wiseman
            Senator's anti-spam bill is welcome news
    SOUTH AMERICA
LEGISLATION – FEDERAL
    Republicans shift, a little, on surveillance bill standoff
    Bush signs genetics anti-discrimination law
    Report: Government's Cyber Security Plan Is Riddled With New Spying Programs
LEGISLATION – STATE
    NEVADA
        Nevada Attorney General offers special program to assist identity theft victims
    NEW YORK
        Governor Paterson Unveils Legislation to Strengthen New York's ID Theft Laws
LITIGATION & ENFORCEMENT ACTIONS
    Lending Tree sued over data breach
    Phishing ring busted
    ID theft protection firm sued
MOBILE/WIRELESS
    Mobile-Related Security Threats On the Rise
ODDS & ENDS
    The Sad State of U.S. Broadband
    Spam Switches from Remedies to Replicas
    YouTube refuses Lieberman request
ONLINE
    Lawmaker questions Google over privacy practices
    Congressmen call for a halt to one CATV firm's Web tracking plans
RFID
    Researcher: RFID market to hit $9.7 billion by 2013
SECURITY
    Feds encrypt 800,000 laptops; 1.2 million to go
    Critics question value of federal IT security report card
    Experts warn of cyber terrorism threat
    Passwords no longer work to protect privacy
SEMINARS & PAPERS

ARTICLE SUMMARIES AND LINKS

BIOMETRICS

Retailers fingerprint plans prompt privacy concerns
Two UK supermarket chains, Budgens and Costcutter, have introduced fingerprint recognition technology to monitor the hours worked by retail staff and to prevent other staff members from clocking each other in.
The systems do not store the fingerprint but instead generate a log number which can be matched against the number generated the next time the person clocks in. There are concerns that the retailer's system may not comply with the Data Protection Act. Under the DPA, an employer is required to demonstrate that the fingerprint technology is appropriate under the circumstances and must demonstrate why other less intrusive measures are not appropriate.
http://www.computing.co.uk/computing/news/2217184/retailers-fingerprint-plans-4017151 (Computing – 5/22/08)

Fujitsu gives biometrics a hand
In an interview, Joel Hagberg, vice president of marketing and business development at Fujitsu Computer Products of America, discusses a new type of biometric security that overcomes many of the problems with traditional fingerprint or retina scanning technology. Security systems equipped with retina or fingerprint scans are easily fooled with flat photographs or molded fingertips. Fujitsu PalmSecure, a system that reads the vein patterns in a person's hand, is not fooled in these ways.
http://news.cnet.com/8301-10789_3-9948422-57.html (Cnet.com – 5/20/08)

DATA BREACH

Health Spring says laptop with personal data stolen
Nashville-based managed care company Health Spring, Inc. has reported that a laptop containing customers' personal data was stolen from an employee's locked car in March. The laptop contained names, dates of birth, and Social Security numbers of about 9,000 individuals. The computer was password protected but not encrypted. HealthSpring executive vice president and chief operating officer Jerry Coil believes it is "highly unlikely" that the data was compromised.
http://www.tennessean.com/apps/pbcs.dll/article?AID=/20080522/BUSINESS01/805220343/1003/NEWS01 (Tennessean.com - 5/22/08)

Police: Student Hacker Stole Personal Info of 55,000
A 15-year-old Downingtown West High School student (Chester County, PA) stole the names, addresses, and Social Security numbers of more than 50,000 people. The student used a flash drive to save the personal data of 40,000 taxpayers and 15,000 students on May 15. This breach is the second incident since December 2007 for the school district. School officials do not believe the purpose of the breach was identity theft or to use any of the acquired information.
http://www.nbc10.com/news/16360457/detail.html (NBC10.com – 5/22/08)

Data breach at New York bank possibly affecting hundreds of thousands of CT consumers
A storage company for a New York bank lost an unencrypted tape containing Social Security numbers and bank account information of about 4.5 million consumers nationwide. Bank of New York Mellon gave the unencrypted backup tape and nine other tapes to storage firm Archive System, Inc. for transporting to a storage facility on February 27. When the shipment arrived at the facility, the unencrypted tape was missing, while the nine other tapes arrived at their destination. Bank of New York Mellon began notifying consumers of the data breach just this week.
http://www.norwalkplus.com/nwk/information/nwsnwk/publish/News_1/Data_breach_at_New_York_bank_possibly_affecting_hundreds_of_thousands_of_CT_consumers1402.shtml (Norwalkplus.com – 5/21/08)

OKC buyer finds sensitive information on server
The Oklahoma Corporation Commission is removing the hard drives from surplus computer equipment, after a server containing 5,000 names and Social Security numbers was sold at an auction last month. The server had been used by the State Tax Commission and the Corporation Commission. Oklahoma City resident Joe Sills discovered the personal information after purchasing the server and other surplus equipment at auction.
State policy requires sensitive information to be erased from surplus equipment before it is auctioned. The agency that owned the equipment is responsible for complying with the state policy. People who buy surplus equipment from the Corporation Commission will now have to buy their own hard drives to prevent this sort of data breach in the future.
http://www.tulsaworld.com/news/article.aspx?articleID=20080521_12_OKLAH32253 (Tulsa World – 5/21/08)

Confidential health records lost
The personal health information of more than 38,000 patients was compromised when a back-up tape was lost by a courier firm. The Isle of Wight's Sandown Health Centre (UK) sent the tape to a specialist firm to check the software. The tape was sent back to the Centre in March using the courier service, City Link, but it failed to arrive at its destination. The personal health information of patients dating back to July 1996 was on the tape. The Centre does not believe that the data on the tape will be compromised. The tape requires specialist computer equipment to run, and the data on the tape was password-protected.
http://news.bbc.co.uk/2/hi/uk_news/england/hampshire/7410119.stm (BBC – 5/20/08)

NYU students' information on Web for months
Duke University has notified 273 former New York University students that their personal information was inadvertently available by Internet search between July 2007 and April 2008. The students were part of a class taught by a former NYU professor, who now teaches at Duke's business school. The students' names and Social Security numbers were contained in the professor's research records. According to the University, there is no evidence of unauthorized access to the records, and the information could only be accessed if a student's specific name and Social Security number were searched.
http://www.newsobserver.com/news/story/1079337.html (newsobserver.com – 5/20/08)

UF warns patients of security breach
The private health information of 1,900 patients of a plastic surgeon at the University of Florida College of Medicine-Jacksonville was compromised after the information was improperly disposed of. The information included names, dates, Social Security numbers, Medicare numbers, and photographs of his patients. UF policy requires all confidential patient information to be stored on secure university servers. Instead, the information was stored on the doctor's own computer. The doctor improperly disposed of the information when he gave the computer to a friend who replaced the operating system; this resulted in the loss of most of the patient information.
http://www.bizjournals.com/jacksonville/stories/2008/05/19/daily9.html (Jacksonville Business Journal – 5/20/08)

Theft of Laptop Imperils School Employees' Data
A laptop containing the personal information of Harrisonburg City School employees (Harrisonburg, VA) was reportedly stolen May 1. The laptop, stolen from a car in Ohio, belonged to BB&T Insurance and was used by a sales representative to develop an insurance proposal for the school system. The company does not know how many school employees' information was on the computer, but it does know that the information contained names, dates of birth, Social Security numbers, and medical histories. BB&T's media relations manager, A.C. McGraw, has said that several security measures, including passwords, protected the computer.
http://www.rocktownweekly.com/news_details.php?AID=16845&CHID=1 (DNRonline.com – 5/19/08)

Crimeware server exposes breadth of data theft
Researchers at Finjan, an online security company, discovered a 1.4 gigabyte cache of stolen data from North America, Europe, the Middle East, and India on a Malaysian server.
Not only was this a site to store stolen information, but it also provided command and control functions for malware attacks. The data included 5,388 unique log files containing personal and business e-mails, medical records, and financial log-in and transaction information. Most of the data discovered was in raw log files, waiting for someone to collect it. Yuval Ben-Itzhak, chief technical officer at Finjan, believes that this discovery illustrates the vulnerability of not only personal financial information, but of corporate data as well. Information from 40 top-tier businesses was included in the discovered data.
http://www.gcn.com/online/vol1_no1/46228-1.html?topic=security (Government Computer News – 5/06/08)

E-COMMERCE

Retail E-Commerce and the Economy
Retail e-commerce grew by only 13.4% in Q1 2008 over Q1 2007. Compared to the total e-commerce growth rate of 19.8% for 2007 over 2006, this rate is quite a slow-down. Although the slow-down is partly due to more general concerns about the economy, Jeffrey Grau, a senior analyst at eMarketer, believes the slow-down would have occurred even without broader economic concerns. Grau says that the current economy is merely "accelerating existing trends." Since 2003 e-commerce growth has come from increased sales to existing e-commerce buyers, rather than from sales to new buyers. The e-commerce growth rate is still higher than overall sales growth. Sales growth has been, at the highest, 6% over the past five years; e-commerce growth has been 25% or more. Many buyers even say that as their online buying increases, their offline buying decreases—a factor that might explain the differences in growth rates.
http://www.emarketer.com/Article.aspx?id=1006307 (eMarketer – 5/19/08)

EDITORIALS & OPINION

Phone Companies That Allowed Wiretaps Shouldn't Get Immunity
Many telecommunications companies are being sued for allowing federal authorities to place wiretaps on phone lines without warrants.
President Bush wants these companies to receive immunity for their actions, and the Senate has agreed. While the telecommunications companies say they were acting in good faith and were certainly responding to requests from the federal government, it does not necessarily follow that they should receive immunity for their actions. These taps were not placed because of the risk of an immediate threat. (If that had been the case, taps could be placed without warrants as long as one was later requested.) The issue is complicated further because the government has marked any warrants that may have been issued "state secrets."
http://www.pcworld.com/article/id,146116-c,privacylegislation/article.html (PC World – 5/23/08)

EDUCATION

Schools Struggle With Dark Writings
After the shootings at Virginia Tech, the creative-writing faculty put out a guide to help instructors identify and respond to disturbing fictional work. The University of New Mexico has created a hot line to take calls from professors with worries about students, including concerns about writing that contains "credible threats of harm to self or others." Yet some experts worry that these measures pose legal or ethical risks. If they overreact, schools could violate students' privacy and civil rights.
http://online.wsj.com/public/article/SB121124048245705393C6h0S850XJ7I9GwIiHnkNxBWxls_20080619.html?mod=tff_main_tff_top (Wall Street Journal – 5/19/08)

EMPLOYEE

U.S. corporations massively read employee e-mail
A new study reveals that companies continue to incur risks from information leaks and continue to take action to prevent these leaks. 44% of surveyed companies said that they have investigated an e-mail leak of confidential information in the past year. 41% of the largest companies surveyed report that they employ staff to read outgoing email for potential leaks.
http://www.net-security.org/secworld.php?id=6149 (Help Net Security – 5/20/08)

Old User Accounts Pose Current Security Risks for Enterprises
Orphaned accounts, accounts left by a company's former employees, pose an increasing threat to a company's security. A study by eMedia USA found that 27 respondents had more than 20 orphaned accounts currently within their organization, 38% had no way of knowing if a current or former employee used an orphaned account to access information, and 15% said that this has occurred at least once. 30% of respondents indicated that it takes longer than 3 days to terminate an account once an employee leaves the company, while 12% said it takes more than a month. This survey underscores concerns raised by the recent LendingTree data breach, where former employees gave their log-in information to mortgage lenders who used the information to steal customer data.
http://www.eweek.com/c/a/Security/Old-User-Accounts-Pose-Current-Security-Risks-for-Enterprises/ (eWeek.com – 5/16/08)

GOVERNMENT – U.S. FEDERAL

CIOs look to 'thin client' computing for increased security, efficiency
The Department of Energy, in a pilot program of 40 users, is experimenting with "thin client" computing as a means of increasing security and energy savings. Thin-client computing involves desktop computers with no hard drive, memory or operating system. Computing is centralized by storing all data and programs a user needs on a server, rather than a hard drive on a user's desktop or laptop. A user must log in to receive access to the programs and files he needs; when he logs out at the end of the day, everything is saved to the server rather than his computer. Thin-client computing improves security, uses far less energy than a regular computer, and can provide faster access to sensitive data. The project has already freed up an hour per day for some employees who would normally have to spend time checking out classified data on hard drives.
http://federaltimes.com/index.php?S=3533568 (Federal Times – 5/22/08)

GSA systems seen needing more protection
An audit has found weaknesses in how the General Services Administration protects personally identifiable data in its custody. The agency's inspector general has found problems in both the agency's information technology systems and in its contracts. A scan of several of GSA's major IT systems that collect and store personal data revealed the need for security guides and patches to reduce risk and unauthorized access to the information. The audit also reported problems with GSA contracts. The agency's IT support contracts did not include privacy-related clauses, which are required by the Federal Acquisition Regulation. Without these clauses, GSA cannot be sure that contractors are aware of their responsibility to protect sensitive information.
http://www.fcw.com/online/news/152585-1.html (FCW.com – 5/19/08)

OMB plans domain name security measures
A new policy directive will be issued by the Office of Management and Budget to require agencies to implement security measures designed to protect the federal government's domain name servers from unauthorized access. Agencies will be required to examine the hierarchy of their domains and decide "who is in and who is out."
http://www.fcw.com/online/news/152526-1.html (FCW.com – 5/14/08)

GOVERNMENT – U.S. STATES

MONTANA

New Montana Cyber Safety Web Site
A new web site designed to educate young people about potential dangers online, www.safeinyourspace.org, was unveiled by Montana Attorney General Mike McGrath. The site was designed to allow young people to work with their parents and educators as they learn about potential dangers. The site offers information on cyberbullying, Internet predators, technical issues for teachers, as well as tips on e-mail, instant messaging, and social networking.
http://www.govtech.com/gt/articles/324846?utm_source=newsletter&utm_medium=email&utm_campaign=GTSN_2008_5_27 (Government Technology – 5/21/08)

NEW YORK

New York AG Stops Internet Company from Illegally Selling Personal Information
After an investigation by New York Attorney General Andrew M. Cuomo, USSearch.com, an online data broker, must pay $250,000 in penalties and costs for violating federal laws which prohibit companies from selling the private credit bureau data of consumers. USSearch.com provides information found in the public domain, such as court records, real estate records, and telephone directories. For an additional fee, the company would offer businesses nonpublicly available information from credit reporting agencies. USSearch.com illegally obtained private information more than 2,385 times. These information requests were made without the consumer's knowledge.
http://www.govtech.com/gt/articles/324860?utm_source=newsletter&utm_medium=email&utm_campaign=GTSN_2008_5_27 (Government Technology – 5/22/08)

HEALTH & MEDICAL

Proliferating HIPAA complaints and medical record breaches
The number of complaints related to the U.S. Health Insurance Portability and Accountability Act (HIPAA) continues to increase each year. These complaints correlate with an increase in breaches of medical records. As these numbers grow, more of these complaints are going unresolved. In the past five years, 32,000 HIPAA-related complaints have been reported to the Office of Civil Rights. Only 25,000 of these complaints have been resolved. Four main issues are usually the subjects of these complaints: impermissible use and disclosures, safeguards, access, and minimum necessary. These issues contribute significantly to privacy breaches.
http://www.scmagazineus.com/Proliferating-HIPAA-complaints-and-medical-record-breaches/article/110555/ (SC MagazineUS.com – 5/23/08)

'Google Health' launches despite privacy fears
Google has launched Google Health, a system enabling Americans to collate information about their medical histories in one easily accessible site. Google is working to allay any privacy concerns that individual users might have about the site's new system. The site will store personal health data, including vaccinations, illnesses, procedures, prescriptions, and blood tests. A user can even set up an alert to remind them when to have prescriptions refilled. Google assures users that it will not sell, rent or share user information without explicit consent. The company has built a secure computer platform separate from the search system to ensure that medical data is safe.
http://www.telegraph.co.uk/news/worldnews/northamerica/usa/1996012/'Google-Health'-launches-despite-privacyfears.html (Telegraph.co.uk – 5/20/08)

IDENTITY THEFT

LifeLock Identity Fraud Service Finds Skeptics
Two years ago, Todd Davis decided to put his Social Security number in the television commercials and print advertisements for LifeLock, the company he helped found. For a fee of about $10 a month, LifeLock offers what it calls a "proven solution" that prevents its customers from becoming victims of identity theft and fraud. Regulators and lawyers have the company in their sights, too. The state of Oklahoma accused LifeLock of selling insurance without proper certification. New York City has announced its intention to sue the company. Class-action lawyers have filed federal and state lawsuits, charging deceptive business practices and fraudulent advertising, among other things.
http://www.nytimes.com/2008/05/24/business/yourmoney/24money.html?8dpc (New York Times – 5/24/08)
Also see:
    ID Protection Firm LifeLock Sued by Customers When CEO's ID is Stolen
    http://blogs.pcworld.com/staffblog/archives/007008.html (PC World - 5/23/08)

INTERNATIONAL

AFRICA

ASIA/PACIFIC

AUSTRALIA

Civil penalties sought for data privacy breaches
The Australian Law Reform Commission will recommend to the federal government that failure to notify the federal Privacy Commissioner of any data security breaches should result in civil penalties. The Commission will suggest that data notifications should only be triggered where a breach involves a "real risk of serious harm to an individual." The Commission hopes that a data breach notification regime will pressure organizations and agencies to secure their databases.
http://www.theaustralian.news.com.au/story/0,25197,23737212-17044,00.html (The Australian Business – 5/22/08)

EUROPE

European Data Privacy Laws Pose E-Discovery Problems
While e-discovery, the review and production of e-mails and other electronic data, has become a common part of U.S. civil litigation, strict privacy laws in the EU have prevented e-discovery from becoming common throughout Europe. These diverging laws create tension for a corporation trying both to comply with EU laws and to produce documents for U.S. court proceedings. At the moment, there is no easy way to collect and transport data from the EU to the U.S. And there are no general procedures for requesting the collection of EU data from privacy authorities.
http://www.law.com/jsp/ihc/PubArticleIHC.jsp?id=1202421552806 (Law.com - 5/21/08)

UK

Criticism for 'UK database' plan
The UK government has plans for a super-database containing details of all e-mails and phone calls in the UK. The database would be created as part of the government's fight against terrorism and serious crime.
Many are concerned that this is the beginning of a widespread surveillance society and that the government has not adequately demonstrated its ability to protect this sensitive data. Public confidence in the government's ability to store sensitive personal data has faltered after several recent high profile security breaches.
http://news.bbc.co.uk/2/hi/technology/7410885.stm (BBC – 5/20/08)

Identity theft prime concern, says survey
According to a Unisys Security Index survey, UK residents are more fearful of identity theft and credit card fraud than of computer security. Unisys measures the perceived risk and attitudes towards personal, financial, internet, and national security issues. 86% of adults surveyed were worried about unauthorized access to or misuse of their personal information. 61% of adults were "extremely" or "very worried" about the issue. This fear is attributed to high profile data breaches in the UK.
http://www.itpro.co.uk/news/198915/identity-theft-prime-concern-says-survey.html (ITPro – 5/20/08)

MIDDLE EAST

NORTH AMERICA

CANADA

Move to protect Canadians' privacy on Net irritates police, attracts others
The Canada Internet Registration Authority is instituting a new privacy policy on June 10 that will greatly increase the privacy for individuals who own domain names under dot-ca. In the past, an easy Internet search called a Whois would reveal a domain name owner's name, home address, phone number, and e-mail. After June 10, this information will no longer be available through the simple search. Currently, more than 1 million dot-ca domain names exist; the owners of these domain names are pleased that their privacy will be protected and that potential spammers will no longer have such easy access to this personal information.
http://canadianpress.google.com/article/ALeqM5gBOrhHurTB0tEUyCBNXclu1m8W-w (Canadian Press – 5/24/08)

Ont. privacy czar worried about high-tech licences
Ann Cavoukian, Ontario's privacy commissioner, is concerned that new high-tech driver's licenses will expose the province's residents to personal data breaches. The new license, which would double as a passport when a resident crosses the U.S.-Canada border, would be embedded with immigration information. The federal government is unwilling to make citizenship information available to provinces developing the new license; instead, provinces would be required to create their own databases of citizenship information. Cavoukian is concerned that creating multiple databases will lead to inaccuracies and will expose residents to an increased possibility of identity theft.
http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/20080521/privacy_concerns_080521/20080521?hub=SciTech (CTV.ca – 5/21/08)

Pending law will highlight health-record privacy: Wiseman
The Protection of Personal Health Information Act will set out new rules for the collection, disclosure, and use of a person's personal health records in Newfoundland and Labrador. Health minister Ross Wiseman said that the goal of the new legislation is to "create a culture of privacy in the health-care system." The new act will allow patients to prevent the sharing of their personal health information.
http://www.cbc.ca/health/story/2008/05/20/health-privacy.html (5/20/08)

Senator's anti-spam bill is welcome news
The Canadian 2005 National Task Force on Spam recommended, several years ago, the need for national anti-spam legislation. Canada remains one of the only Western nations with no such legislation. In the years since the report was issued, the spam problem has only grown, with an estimate that 90% of all email is spam. Senator Yoine Goldstein, in an attempt to fill the policy void and to prevent Canada from becoming a safe-haven for spammers, introduced the Anti-Spam Act (ASA).
The bill sets form and content requirements for commercial e-mails and prohibits common spamming techniques. It also would impose fines as high as $500,000 for first-time violators and $1.5 million for repeat violators.
http://www.thestar.com/sciencetech/article/427246 (thestar.com – 5/19/08)

SOUTH AMERICA

What makes a cybercriminal?
A profile of a new cyber criminal, “Fabio,” illustrates how cyber crime has easily become a $100 billion a year industry. Fabio lives and works in Brazil, a nation that has by far the largest number of cyber criminals. Fabio steals credit card numbers and makes small purchases, such as cell phones or cameras, so that the victim is unlikely to notice that someone has been using his credit card. Even if a person reports the theft, police, in Brazil and elsewhere, are unlikely to have the resources to track down a cyber criminal. There is concern that more poor Brazilians, who are increasingly computer literate, will be drawn to cyber crime.
http://news.bbc.co.uk/2/hi/americas/7403472.stm (BBC – 5/19/08)

LEGISLATION – FEDERAL

Republicans shift, a little, on surveillance bill standoff
House and Senate Republicans are offering a compromise to a new government surveillance bill. Republicans and Democrats had been in a standoff over the 40 civil lawsuits filed against telecommunications companies that allegedly cooperated in a warrantless wiretapping program. The new proposal allows plaintiffs to file complaints with the FISA (Foreign Intelligence Surveillance Act) court. The court would review any communications to a telecommunications company. A company must have received either a warrant or a certification from the attorney general stating that the company was acting lawfully and at the request of the president. The FISA court would read the documents and determine whether a company acted legally. The American Civil Liberties Union feels that the proposed compromise is not enough.
The FISA court is not able to determine whether the wire-tapping program itself was illegal; the court only determines whether a certification or warrant was sent making a particular tap legal.
http://www.siliconvalley.com/ci_9356246?IADID=Search-www.siliconvalley.com-www.siliconvalley.com (siliconvalley.com – 5/23/08)

Bush signs genetics anti-discrimination law
President Bush signed the Genetic Information Nondiscrimination Act into law on Wednesday, legislation which prohibits employers and health insurers from discriminating against those whose genetic information shows a predisposition to illnesses such as cancer or heart disease. The law bars health insurers from rejecting coverage or raising premiums of healthy people based on personal or familial predisposition to disease. Health insurers are also prohibited from requiring a genetic test.
http://www.reuters.com/article/politicsNews/idUSN2143439320080521?pageNumber=1&virtualBrandChannel=0 (Reuters – 5/21/08)

Report: Government’s Cyber Security Plan Is Riddled With New Spying Programs
The Senate Armed Services Committee released a report this week claiming that elements of the Bush Administration’s proposed $17 billion cyber security initiative are more concerned with spying than with protecting government networks. The report also alleges that the National Cyber Security Initiative is wrapped in unnecessary secrecy and would spend billions on unproven and potentially illegal projects. The Committee believes the proposal will achieve far less than it hoped to in the realm of cyber security and will increase internet spying initiatives that have not been publicly reviewed or debated.
http://blog.wired.com/27bstroke6/2008/05/senate-report-g.html (Wired – 5/15/08)

LEGISLATION – STATE

NEVADA

Nevada Attorney General offers special program to assist identity theft victims
Nevada has instituted a new program called Nevada Identity Theft Passport to help victims of identity theft.
After a resident has been the victim of identity theft, the victim files a police report and then fills out the Identity Theft Passport application. After the application has been verified, the identity theft victim receives a personal Nevada “Passport” program card that contains a photo, signature, and thumb print. The card allows a victim to demonstrate to merchants, banks, and law enforcement officials that his identity has been stolen.
http://news.rgj.com/apps/pbcs.dll/article?AID=/20080523/MVN01/805230462/1305/BIZ01 (RGJ.com – 5/23/08)

NEW YORK

Governor Paterson Unveils Legislation to Strengthen New York’s ID Theft Laws
New York Governor David A. Paterson introduced legislation to strengthen New York State’s identity theft protection laws. The legislation is intended to improve New York’s existing laws by focusing on providing victims of identity theft services to repair their financial records, credit rating, and wellbeing. Specifically, the bill restricts the ability of an employer to use and/or display an employee’s social security number, outlaws “skimmer” devices which obtain personal identity information from credit cards if the device is used to commit identity theft, enables victims to seek assistance from the Consumer Protection Board’s Identity Theft Prevention and Mitigation Program, and enables victims to seek restitution for the value of the time they spend fixing the damages a criminal has inflicted.
http://www.govtech.com/gt/324819?topic=117671 (Government Technology – 5/21/08)

LITIGATION & ENFORCEMENT ACTIONS

Lending Tree sued over data breach
A lawsuit filed on behalf of Marvin Garcia, a former Lending Tree customer, alleges that the lending firm was negligent in failing to keep personal customer information secure and in failing to notify customers of the breach in a timely manner.
Garcia alleges that a security breach at the firm has harmed his credit score, led to higher credit card interest rates, and resulted in him getting rejected from at least one loan. The breach, involving names and Social Security numbers, began in October 2006, but Lending Tree did not notify customers until last month.
http://news.cnet.com/8301-10784_3-9950367-7.html (CNet news – 5/22/08)

Phishing ring busted
Thirty-eight people, involved in a global crime ring, were charged with stealing names, Social Security numbers, and credit card data in a Romanian-based phishing scam. The alleged scam was operated in the United States, Canada, Portugal, and Pakistan. The indictments involve crimes in Los Angeles and New Haven, Connecticut. The Los Angeles charges stem from phishers collecting credit card information from people answering spam e-mail. In Connecticut, consumers were spammed with directions to visit legitimate bank websites that had been hacked.
http://www.cnn.com/2008/TECH/05/19/phishing.bust.ap/index.html (CNN – 5/19/08)

ID theft protection firm sued
A new class action lawsuit filed against the security company LifeLock Inc. joins similar suits in New Jersey and Maryland. The suit claims that LifeLock made false and misleading claims in its million dollar ad campaign. The company assures customers that it protects against all types of fraud including computer hacking, password theft, and other non-credit related theft. The suit alleges that LifeLock doesn’t actually protect a person against many types of theft.
http://wvgazette.com/News/200805172662 (wvgazette.com – 5/18/08)

MOBILE/WIRELESS

Mobile-Related Security Threats On the Rise
In a survey, individuals responsible for information security enforcement in their organizations believe that there are significantly more security risks related to mobile devices and remote workers this year than there were last year.
These mobile threats include user operating error, unauthorized use or misuse of mobile devices, phishing attacks, and loss or theft of devices and data. Part of the problem stems from a lack of appropriate security training for users. While 71% of survey respondents said their organization provides remote access to corporate data and systems to mobile workers, only 39% said their organizations offer specific security training to these remote workers. 92% of respondents who said their organization did offer security training believe that the number of major security breaches has been reduced.
http://www.cio.com/article/364113/Mobile_Related_Security_Threats_On_the_Rise (CIO – 5/21/08)

ODDS & ENDS

The Sad State of U.S. Broadband
The U.S. ranks 15th out of 30 members of the Organization for Economic Cooperation & Development (OECD) in terms of broadband availability. Denmark ranked first in OECD’s annual survey. Several reasons explain why only 23% of Americans enjoy broadband access, as opposed to the more than 30% in other developed nations. Differences in geography and population have made it more difficult for the U.S. to provide access than in similar countries. It is harder to provide access to the same size population in a rural area than in an urban area. Other factors are probably more to blame. Broadband access is much more expensive in the U.S. than in other developed countries.
http://www.businessweek.com/technology/content/may2008/tc20080522_340989.htm?campaign_id=rss_tech (BusinessWeek – 5/22/08)

Spam Switches from Remedies to Replicas
Health-related spam has previously accounted for 75-80% of all spam in circulation. A new trend shows that spam offering pills and other health remedies is declining, while spam promoting replica products is on the rise. The new trend is believed to be the result of spammers’ increasing understanding of what consumers actually buy. Most people are wary of spam offering unknown and unreliable pills to cure their ailments.
Knock-off products for designer labels have much wider commercial appeal. Recent trends show that health spam has reduced from 80% to 45% and product spam has risen from 12% to 46%.
http://www.govtech.com/gt/articles/324228?utm_source=newsletter&utm_medium=email&utm_campaign=GTSN_2008_5_20 (Government Technology – 5/19/08)

YouTube refuses Lieberman request
Google, YouTube’s parent company, refused to comply with a request from Senator Joseph Lieberman, chairman of the Senate Homeland Security and Governmental Affairs Committee. The request asked YouTube to “immediately remove content produced by Islamic terrorist organizations” from YouTube and to prevent future content from being posted. YouTube refused to remove all videos mentioning or featuring terrorist organizations without first determining if the videos were legal, non-violent or non-hate speech videos. YouTube thanked the Committee for alerting it to several videos that violated the company’s community guidelines, but refused to remove most of the videos mentioned, if the content of those videos was not illegal.
http://www.fcw.com/online/news/152587-1.html (FCW.com – 5/19/08)

ONLINE

Lawmaker questions Google over privacy practices
Representative Joe Barton of the U.S. House of Representatives Energy and Commerce Committee has asked Google’s chief executive to explain its privacy practices since it acquired rival DoubleClick. Representative Barton asked if and how data collected about each search engine’s users would be merged and used. Barton’s letter also asked if Google intended to continue to allow users to opt out of ad-serving cookies. Privacy advocates fear that the consolidation of online advertising may put a large amount of personal information in the hands of a few powerful companies.
http://www.reuters.com/article/internetNews/idUSN2142539620080521 (Reuters – 5/21/08)

Congressmen call for a halt to one CATV firm’s Web tracking plans
U.S.
Representatives Edward Markey and Joe Barton, senior members of the House Energy and Commerce Committee, have requested that Charter Communications put a temporary stop on plans for a new service which would collect private user data for targeted Internet advertising. Last week, customers in four service communities were notified that the new service would be tested in their areas. The service would gather information to deliver targeted ads through ad company NebuAd. Charter Communications has told customers that collected information cannot be used to identify them. While the cable company offers users the chance to “opt out,” a statement released by Representative Markey indicated that, “Simply providing a method for users to opt out of the program is not the same as asking users to affirmatively agree to participate in the program.”
http://www.betanews.com/article/Congressmen_call_for_a_halt_to_one_CATV_firms_Web_tracking_plans/1211219112 (BetaNews – 5/19/08)

RFID

Researcher: RFID market to hit $9.7 billion by 2013
ABI Research predicts that over the next five years the RFID market will experience a 15% compound annual growth rate, resulting in a $9.7 billion market by 2013. The growth can be seen in many different markets—everything from Wal-Mart requiring all of its suppliers to adopt RFID technology to researchers at the University of Wisconsin-Madison using the technology to create a way to track blood supplies around the world.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=development&articleId=9087760&taxonomyId=11&intsrc=kc_top (Computerworld – 5/21/08)

SECURITY

Feds encrypt 800,000 laptops; 1.2 million to go
In the past year, federal, state, and local agencies have purchased 800,000 licenses for encryption software through the federal Data at Rest (DAR) encryption program, run jointly by the General Services Administration and the U.S. Department of Defense.
The Office of Management and Budget requires federal agencies to purchase encryption software for laptops, handhelds, and removable storage devices. The DAR encryption program allows federal, as well as state and local, agencies to buy this encryption software at extremely low prices. Software that normally costs $125 or more only costs $10 to $12 per laptop under the program. DOD originally estimated that there were 2 million laptops needing encryption. With 800,000 encrypted under the DAR program, there are still another 1.2 million to go.
http://www.networkworld.com/news/2008/052008fedlaptops.html?page=1 (Network World – 5/22/08)

Critics question value of federal IT security report card
The federal government received a “C” grade on an annual information security report card. Grades are based on reports compiled annually by the inspector general at each government agency to measure compliance with the Federal Information Security Management Act (FISMA). While the law, initially passed post-9/11, was originally seen as necessary for improving federal information security, it is now seen more as a paperwork exercise than a way to actually improve information security. The major problem with FISMA is that it does not require agencies to actually demonstrate that they have implemented mandated programs. For example, all an agency has to show is that it has a security awareness training program, not that it has effectively implemented the program.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9087338&source=rss_news50 (Computerworld – 5/20/08)

Experts warn of cyber terrorism threat
Government authorities and technology experts from more than thirty countries announced at an international conference in Kuala Lumpur, Malaysia, the need for increased international cooperation to fight cyberterrorism attacks. Cyberterrorism can have “truly catastrophic consequences,” according to Malaysian Prime Minister Abdullah Ahmad Badawi.
This form of terrorism disrupts systems that control telecommunications networks, emergency services, nuclear power plants or major dams. Malaysia will be the home of a new center to be run by the International Multilateral Partnership Against Cyber Terrorism. The center is expected to open at the end of the year and will serve as an emergency response training and resource center to counter cyber threats.
http://www.forbes.com/feeds/ap/2008/05/20/ap5029793.html (Forbes.com – 5/20/08)

Passwords no longer work to protect privacy
Many security professionals believe that passwords are no longer enough to secure an individual’s privacy. A recent survey of IT professionals found that 70% feel passwords are not secure. One in five companies have had a security breach placing private information into unwanted hands, and the FTC claims that consumers lost $5 billion to identity theft in 2007. One approach for sites to be more secure is through two-factor authentication—a web site checks two separate things before allowing someone access to an account. The ultimate solution, however, will require consumers to choose to do business with those corporations that take adequate measures to protect privacy, and businesses to respond appropriately.
http://www.northfloridanewsdaily.com/News/2008/0519/business_news/151.html (North Florida News Daily.com – 5/19/08)

SEMINARS & PAPERS

IAPP Practical Privacy Series
June 16-17, 2008, City University of New York, New York, NY
https://www.privacyassociation.org/index.php?option=com_content&task=view&id=1464&Itemid=138

CyberLaw: Expanding the Horizons
June 18-20, 2008, Washington, D.C.
http://www.abanet.org/cle/programs/n08ceh1.html

Conference on Ethics, Technology and Identity. The Hague. June 18-20, 2008.
http://www.ethicsandtechnology.eu/ETI

The Privacy Symposium
August 18-21, 2008, Harvard University, Cambridge, MA
http://www.privacysummersymposium.com/

IAPP Privacy Academy 2008
Orlando, FL, September 22-24, 2008
http://www.privacyacademy.org/

PAPERS

Security as a Process
http://go.techtarget.com/r/3696105/7804464

Demystifying Data Loss Prevention: Requirements for Comprehensive Protection
http://go.techtarget.com/r/3696106/7804464

Information Security: Meeting Today’s Challenges
http://go.techtarget.com/r/3727958/7804464
