Jun 15, 2013

Kevin Freking of Associated Press reports:

A bipartisan group of lawmakers asked the Veterans Affairs Department on Friday to offer credit monitoring to veterans and dependents whose personal information, including birth dates and Social Security numbers, might have been disclosed when its computer systems were hacked.

The lawmakers are responding to testimony at a hearing where witnesses said foreign-sponsored organizations had successfully compromised VA networks. One former VA official said at least eight groups, mostly connected to the Chinese military, had hacked into the system or had tried. A VA official downplayed the threat but acknowledged that he knew of one foreign-sponsored breach.

Read more on Yahoo!

I still think it would be cheaper and more effective to have all entities that store SSN and/or credit card info feed into a pool to provide routine and on-going monitoring for all consumers or individuals. Right now, although it’s common practice to offer services after a breach, it’s not mandatory. By making it a cost of doing business where the entity’s share of the costs is related to the number of individuals for whom they collect or store data, it might also make entities think twice about whether they really need to collect or store SSN and credit card numbers.

May 30, 2013

China Daily reports:

Police have busted 4,382 cases of personal information theft, involving 5 billion pieces of stolen information, People’s Daily reported Thursday.

More than 4,000 suspects have been arrested in three national crackdowns launched in 2012 and 2013, and at least 1,200 gangs selling and buying personal information illegally have been destroyed.

More than 200 suspects have been punished for providing, selling and obtaining personal information illegally, and the rest face punishment.

That’s impressive. I wish I could find the article on People’s Daily, but haven’t been able to track it down yet.

May 28, 2013

Brent Kendall reports:

The Federal Trade Commission is offering a strong defense of its powers to police cybersecurity practices against a challenge by Wyndham Worldwide Corp.

We wrote about Wyndham’s challenge earlier this month in a case involving attacks by hackers on the hotel chain’s computer systems between 2008 and 2010. The FTC sued Wyndham last year for allegedly lax data security that let hundreds of thousands of credit-card numbers get stolen. The company said the government was unfairly seeking to punish the victim of the crime instead of the hackers who perpetrated it.

Now the FTC is firing back, arguing in a new court filing that corporations that collect consumer data bear responsibility for protecting it.

“The FTC is not suing Wyndham for the fact that it was hacked, it is suing Wyndham for mishandling consumers’ information such that hackers were able to steal it,” the agency said in a court filing this week.

In a battle of analogies, Wyndham argued the FTC suit was “the Internet equivalent of punishing the local furniture store because it was robbed and its files raided.”

The FTC’s new filing offered a different picture. “A more accurate analogy would be that Wyndham was a local furniture store that left copies of its customers’ credit and debit card information lying on the counter, failed to lock the doors of the store at night, and was shocked to find in the morning that someone had stolen the information.”


Read more on WSJ. This is a case I’ve been following since the hacks were first disclosed, and represents the first time a data breach complaint by the FTC will be adjudicated by a court instead of reaching a settlement. The Chamber of Commerce and others, including TechFreedom, have jumped in on Wyndham’s side. Their argument emphasizes the point that the FTC has never promulgated clear rules that would provide fair notice to businesses as to what actions constitute “unfair or deceptive” practices under the FTC Act. Of course, in many cases, the FTC draws upon other statutes, e.g., if it would be violative of the GLBA or other statutes to do something, that makes it an unfair or deceptive practice for purposes of the FTC. Similarly, the FTC often looks to “industry standards” in determining whether an entity failed to provide adequate security. It also looks to statements made in an entity’s privacy policy or Terms & Conditions to determine what representations the entity made about data security and whether they lived up to those representations.

One criticism that has been lodged against the FTC’s data security actions is that in many cases, there really is no showing of harm or injury to the consumers, who may be protected by their banks for any fraudulent charges on their credit cards. Because most court cases involving data breaches result in dismissal for lack of standing due to absence of demonstrable harm, some (like Michael D. Scott) argue that the FTC should not be able to apply or enforce its powers in cases where you cannot demonstrate that consumers were objectively harmed.

To be clear: I’m hoping the FTC prevails. And if Congress doesn’t like the outcome, then let them get off their asses and introduce legislation that protects consumers from inadequate data security. Congress wanted to avoid legislation and let industry regulate itself, so as not to stifle innovation. All well and good, but with almost every entity suffering data breaches, someone’s got to protect consumers from inadequate security, and the FTC stepped up to the plate. This is no time to go backwards.

The Wyndham case does not strike me as unusual in terms of the grounds the FTC cited for its action. What makes it unusual is that Wyndham didn’t settle and is fighting this. If Wyndham is successful in getting the case dismissed, that will be a serious setback for the FTC. If the FTC wins, I expect we’ll see many businesses paying even more attention to data security.


May 25, 2013

Isaac Wolf reports:

A month ago, two phone carriers participating in a federal benefit program were alerted that sensitive customer records, including Social Security numbers and bank-account records, were freely posted online.

Now, Oklahoma-based TerraCom Inc. and affiliate YourTel America Inc. — the companies that collected the records — say they don’t plan to notify all affected consumers of the privacy breach, which affects residents of 26 states.

Read more on Evansville Courier & Press.

So if you were not one of the 343 individuals who did get notification letters because of heightened risk and you do not reside in Texas, Minnesota, Nevada, or Illinois – the four states where TerraCom will be sending notifications because of state notification laws – you probably will not get a notification letter. Only four states’ residents will get notification letters out of 26 states? There’s a lesson for state legislators and Congress to learn from this.

Frankly, TerraCom and YourTel seem to be positioning themselves as the poster children of how not to respond to data breaches. First they accused Scripps Howard News Service of hacking and violations of the CFAA. As Ms. Smith recaps:

Lee wrote a letter informing Scripps that the “intrusions and downloading” of sensitive records were associated with Scripps IP addresses. Lee warned that “the ‘Scripps Hackers’ have engaged in numerous violations of the Computer Fraud and Abuse Act by gaining unauthorized access into confidential computer files maintained for the Companies by Vcare, and by digitally transferring the information in these folders to Scripps.”

Lee added that the Scripps Hackers eventually used Wget to find and download “the Companies’ confidential files.” (Wget was the same tool used by Facebook’s Mark Zuckerberg in the film The Social Network to collect student photos from various Harvard University directories.) The rest of the letter pretty much blamed the “Scripps Hackers” for the cost of breach notifications, demanded Scripps hand over all evidence as well as the identity and intentions of the hackers, before warning that Scripps will be sued.

Perhaps not fully appreciating the backlash they would incur from a breach at an outsource contractor (VCare) and how absurd they look blaming reporters who did what reporters do – and were able to document their methods – they’ve now compounded their problems and the likelihood of lawsuits by consumers and investigation by the FTC by taking the position that there is no need to notify everyone because of their risk assessment.

That simply will not fly in this day and age.

The breach is already under investigation by at least three states (Indiana, Illinois, and Texas).

TerraCom and YourTel would be well-advised to get a breach response firm with experience involved as soon as possible, if they haven’t already, take full responsibility, apologize to Scripps Howard, and offer consumers some free services. If they don’t do those things, I expect some states will sue them, and the FTC may investigate them for their data security failures and for allegations that despite regulations and policies, they may have retained information that they were not supposed to retain. Although the FTC could not fine them for a first offense, any investigation and possible corrective action plan and monitoring requirements could be costly for the firms.

Previous coverage of this breach on this blog can be found here and here.

May 18, 2013

I’ve blogged a number of times about how although law enforcement may uncover breaches or data theft, the victims often do not get notified in a timely fashion – if at all. Here are just a few scenarios where no one may notify people whose data have been stolen:

  • Law enforcement discovers a handwritten list of hundreds of individuals’ names, dates of birth, and Social Security numbers.
  • Paper records with sensitive information – sometimes including medical information – are discovered in a dumpster and traced back to a defunct business or practice.
  • Law enforcement investigates stolen information available for sale on an underground market.

When credit card information is involved, people are more likely to get notified, as law enforcement may send a list of numbers to AmEx, Discover, or other card issuers who then take steps to protect and notify the consumer. But if there are no credit card numbers involved, it seems there are gaps in notification.

The recent controversy over the FERC/EDRM data set involving emails from Enron employees provides a useful example of the hole in our patchwork quilt on notification. The data set, available publicly, contained unredacted PII – including Social Security numbers – on thousands of people.

The data were originally gathered by the Federal Energy Regulatory Commission, and when the issue of redaction came up in court, the court was sensitive to the issue. But did FERC and their contractor do a thorough enough job in removing documents? It seems that they didn’t if there was so much PII left in the data set, even though FERC and their contractor went through a number of reviews of the data set to delete personnel’s personal information that was not appropriate for public release, as detailed in this document.

The data set has been available for download for years, and many people knew that it contained PII. Is this a situation that the individuals affected should have been informed about? As a privacy advocate, I would say, “definitely.” But who is responsible for notifying them? And even though EDRM and Nuix have released a newly washed data set, the other Enron email data set has not yet been re-released after new washing. More importantly, even when it is released, copies of the older data sets remain on numerous people’s hard drives and are still available for download on the Internet. As a result, those whose PII were exposed are still at risk.

I would bet that FERC takes the position that it gave Enron and others an opportunity to have PII removed and therefore, they are not responsible for any notification. EDRM may take the position that they merely distribute/make available the government’s records, and therefore they are not responsible.

So is no one responsible or liable for exposing thousands of individuals’ SSN to cybercriminals? Is no one responsible for notifying individuals that their SSN and details have been available for download on the Internet for years, and have been downloaded by people all over the world? Is no one responsible for contacting every site that hosts the problematic data sets to ask them to remove them?

And if you believe that either FERC or EDRM are responsible and should be held accountable in terms of notification to individuals, what existing law(s) are you basing that on?

In the meantime, the buck seems to stop… nowhere.