Privacy Regulation and ID Theft
Presenter’s Name: Tim R. Sills
Presenter’s Title: Lead Consultant
Date of Presentation: March 11, 2004
Presentation Overview
Topics
– ID theft – the numbers
– Sample of US privacy laws
– Example incidents
Key Message
– Government is taking a more active role
– Privacy breaches will continue to rise substantially
– A strategic approach is required to navigate legislation and
avoid being front page news
ID Theft – The Numbers
Online Fraud Losses Hit $437M for 2003
– The FTC’s year-end Consumer Fraud and ID Theft Report
indicated it received more than half a million consumer complaints
during 2003, a 40 percent jump over complaints in 2002. More than
40 percent of all complaints related to identity theft through
"phishing" and other Web-related scams.
– The most common identity theft complaints related to credit card
fraud, bank fraud, employment-related fraud, government
document or benefit fraud and loan fraud.
– The worst part is that the FTC concedes the majority of incidents
are never reported, so the true figure is most likely much higher
than the numbers above.
ID Theft – The Numbers
Identity Theft More Common
– A Gartner study found that more than 11 million consumers were the
victims last year of credit card fraud, where a criminal uses a victim's credit
card.
– Harris Interactive found that the seven million victims in 2002 represented
an 81% increase over 2001. And, early reports suggest that the increase is
continuing in 2003.
With such a variance, does anyone really know the number of
consumers impacted and by how much?
California Database Security Breach Act
Overview
– The CDSBA requires any person or business conducting business in
California to notify affected customers of any breach of security
resulting in the disclosure to an unauthorized person of personal
information in electronic form.
California Database Security Breach Act
What is protected?
– “Personal Information” is defined as an individual’s first name or
first initial, combined with the last name, plus any one of the
following identifiers:
– (1) Social Security number; (2) driver’s license number or California
Identification Card number; or (3) account number, credit or debit
card number, in combination with any required security code, access
code or password that would permit access to the account.
Security
– If both the individual’s name and the accompanying identifiers are
encrypted, the data does not constitute “personal information.” If
either the name or the identifiers are held unencrypted, a breach of
that data triggers the notification duty.
CDSBA Breach Example
Friday, February 13, 2004
Hackers break into California state server
– Hackers broke into a state agency's server containing the sensitive
personal information of tens of thousands of people who work as
nannies, butlers, and gardeners, and those who employ them.
– The server houses information on about 90,000 people. The
hackers gained access to employees' names, Social Security
numbers and wage records, and some employers' Social Security
numbers.
– As a precaution, letters dated Feb. 11 warned household employers
and employees of the breach and referred them to the state Office
of Privacy Protection for help.
Health Insurance Portability and Accountability Act
(HIPAA)
Overview
– Drive development of electronic data interchange with the goal of
protecting the security and confidentiality of electronic health
information.
Covered Entities
– Health Plans: HMOs, health insurers, group health plans including
employee welfare benefit plans
– Health Care Clearinghouses: persons and organizations that translate
health information to or from the standard format that will be
required for electronic transactions under HIPAA
– Health Care Providers that transmit health information electronically
in connection with a HIPAA standard transaction
Health Insurance Portability and Accountability Act
(HIPAA)
What is protected?
– In order to be considered protected health information (PHI) it
must:
Relate to a person’s physical or mental health, the provision of health
care, or the payment of health care
Identify, or could be used to identify, the person who is subject of the
information
Be created or received by a covered entity
Penalties
– Civil penalty for inadvertent violation: fines of $100 per violation,
up to $25,000 per year for each identical requirement violated.
– Selling patient information for personal profit is not treated the
same as accidentally allowing the information to be released. Criminal
penalties can be as much as $250,000 and/or 10 years in prison.
Health Insurance Portability and Accountability Act
(HIPAA)
Security
– Covered entities must make reasonable efforts to limit protected
health information to the minimum amount necessary to accomplish
the intended purpose of the use
Adopt written privacy procedures. These must include who
has access to protected information, how it will be used within
the entity, and when the information would or would not be
disclosed to others.
Train employees and designate a privacy officer. Employees
must understand the new privacy protection procedures, and an
individual must be designated as responsible for ensuring the
procedures are followed.
Establish grievance processes. Must provide a means for
patients to make inquiries or complaints regarding the privacy of
their records.
Gramm-Leach-Bliley (GLBA)
Overview
– Establishes functional regulation of financial institutions:
Banks- FDIC, FRB, OCC, OTS
Securities and investments- SEC
Insurers- State Departments of Insurance/Insurance
Commissioners
All other financial institutions- FTC
Gramm-Leach-Bliley (GLBA)
What is protected?
– Any information maintained by or for a financial institution, which is
derived from the relationship between the financial institution and a
customer of the financial institution and is identified with the
customer.
Penalties
– The financial institution shall be subject to a civil penalty of not
more than $100,000 for each violation; and
– The officers and directors of the financial institution shall be subject
to, and personally liable for, a civil penalty of not more than $10,000
for each violation
– Also, fines in accordance with Title 18 of the US Code,
imprisonment for not more than five years, or both
Gramm-Leach-Bliley (GLBA)
Security
– Financial institutions must adopt policies and procedures that
address administrative, technical, and physical safeguards.
These policies and procedures must be reasonably designed to:
Ensure the security and confidentiality of customer records and
information;
Protect against any anticipated threats or hazards to the security
or integrity of customer records and information; and
Protect against unauthorized access to or use of customer
records or information that could result in substantial harm or
inconvenience to any customer.
Children’s Online Privacy Protection Act
Overview
– COPPA provides the first federal privacy protection for children
under age 13 on Web sites that are targeted to them or whose
operators knowingly collect personal information from children
under age 13.
Applies to commercial Web sites, federal Web sites and some
non-profit Web sites.
Children’s Online Privacy Protection Act
What is required? Operators must:
– Provide parents notice of their information practices
– Obtain verifiable parental consent for the collection, use and/or
disclosure of personal information from children
– Provide a parent, with the opportunity to prevent the further use of
personal information that has already been collected, or the future
collection of personal information from that child.
– Provide a parent, upon request, with the means to review the
personal information collected from his/her child
– Establish and maintain reasonable procedures to protect the
confidentiality, security and integrity of the personal information
collected, and
– Limit collection of personal information for a child’s online
participation in a game, prize offer, or other activity to information
that is reasonably necessary for the activity.
Children’s Online Privacy Protection Act
Security
– Requires reasonable steps to be taken to ensure and protect the
confidentiality, security, and integrity of personal information from
children under 13.
Example incidents from FTC press release 2/27/03:
– “Mrs. Fields will pay civil penalties of $100,000 and Hershey will pay
civil penalties of $85,000.”
– mrsfields.com, pretzeltime.com, and pretzelmaker.com offered birthday
clubs for children 12 or under and provided birthday greetings and coupons
for free cookies or pretzels. The company allegedly collected personal
information - including full name, home address, e-mail address and birth
date - from more than 84,000 children, without first obtaining parental
consent.
Breaches Come in All Shapes & Sizes
Victoria's Secret Reveals Too Much
– NEW YORK (AP) - Lingerie retailer Victoria's Secret agreed to pay a
$50,000 fine as part of a settlement announced over a breach of
privacy on the company's website.
– A glitch in a feature allowing customers to check their order status
allowed them to randomly call up other customers' orders, seeing
details such as sizes, prices, customer names and addresses.
– Approximately 560 people were affected.
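The order-status flaw above is the classic insecure-direct-object-reference pattern: the order number in the request selects the record, and nothing ties that record to the logged-in customer. The following is an added illustration, not code from the original presentation or from the retailer's site; the order records, customer identifiers and function names are constructed for the example. It shows the flawed lookup beside a hardened one that authorises against the session, and a small enumeration loop that makes the difference visible.

```python
"""Order-status lookup: an IDOR-style flaw beside its hardened form.

Constructed example data (assumption): sequential order numbers and a
handful of customers. Nothing here is taken from a real system.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: str        # owner of the order, set at checkout
    name: str
    address: str
    items: tuple


# Constructed sample store. Sequential ids are what make enumeration cheap.
ORDERS = {
    10001: Order(10001, "cust-a", "A. Customer", "1 First St", (("robe M", 79.00),)),
    10002: Order(10002, "cust-b", "B. Customer", "2 Second St", (("slippers 7", 24.50),)),
    10003: Order(10003, "cust-a", "A. Customer", "1 First St", (("gift card", 50.00),)),
}


def _public_view(order: Order) -> dict:
    """Fields the order-status page is meant to show the order's owner."""
    return {"name": order.name, "address": order.address, "items": list(order.items)}


def order_status_vulnerable(order_id: int) -> Optional[dict]:
    """The flawed pattern: the request parameter alone selects the record.

    Any authenticated (or even unauthenticated) caller who guesses or
    increments an order number sees someone else's name and address.
    """
    order = ORDERS.get(order_id)
    return None if order is None else _public_view(order)


def order_status(session_customer_id: str, order_id: int) -> Optional[dict]:
    """Hardened lookup: the owner comes from the server-side session, never
    from the request, and the record must belong to that owner.

    A missing order and a foreign order return the same answer so the
    endpoint does not confirm which order numbers exist.
    """
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != session_customer_id:
        return None
    return _public_view(order)


def enumerate_orders(lookup: Callable[[int], Optional[dict]], start: int, stop: int) -> list:
    """What an attacker does against sequential ids: walk a range and keep
    every id that returns data. Used here to compare the two lookups."""
    return [oid for oid in range(start, stop) if lookup(oid) is not None]


if __name__ == "__main__":
    # Against the flawed endpoint every order in range leaks.
    print("vulnerable:", enumerate_orders(order_status_vulnerable, 10000, 10010))
    # Against the hardened endpoint cust-a only ever sees cust-a's orders.
    print("hardened:  ", enumerate_orders(lambda oid: order_status("cust-a", oid), 10000, 10010))
```

The ownership check is the fix; returning "not found" for foreign orders rather than "forbidden" is the extra step that keeps the endpoint from acting as an order-number oracle. Replacing sequential ids with random, unguessable references is worthwhile defence in depth, but on its own it is not a substitute for the authorisation check.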
Civil Liability Trends
What constitutes “reasonable care” and “industry
standard”?
Already legal cases involving security failure and
resulting financial harm
– Future: Duty of care set by statute, FTC, industry standards?
– Class actions on identity theft
No flood of litigation yet, but an increase is underway
Case Examples
– Hamilton v. Microsoft Corp., California state court, SB 1386 and
related claims based on unspecified breaches.
According to Hamilton, Microsoft's programs contain serious security flaws that
could allow hackers to break into the computer system of an individual or
corporation via computer viruses or worms, obtain confidential or personal
information and exploit that information to the detriment of the system's owners.
– Stollenwerk v. TriWest Healthcare Alliance, federal court case in
Arizona, negligence case based on theft of hard drive containing
personal information.
Thieves broke into Phoenix-based TriWest Healthcare Alliance, a government
contractor's office, and snatched computer hard drives containing Social Security
numbers, addresses and other records of about 500,000 service members and
their families.
– Intel v. Hamidi, California state courts, on trespass to chattels theory
for alleged spam.
Intel Corporation brought suit in California state court against former employee
Ken Hamidi, alleging trespass to chattels and seeking to enjoin Hamidi from
sending mass distributed emails to Intel employees at their places of work
Summary
We’ve discussed some key privacy legislation and its requirements.
It’s anyone’s best guess what the real financial impact on consumers
has been.
Breaches and identity theft will continue to increase sharply.
Apply a common-sense methodology to limit your company’s exposure.
Thank You