Jun 17, 2013

Dune Lawrence and David Voreacos report:

He is a red-headed hacker who hails from Arkansas, goes by the name “weev,” and seems to delight in being annoying. For years, he broke into computer systems, disrupted blog sites and riled people with personal attacks.

Now his case has become a flashpoint in the debate over where to draw the line between online freedom and cybercrime in the U.S., and whether the law is too broad or too narrow in both criminal and civil cases.

Read more on Bloomberg Businessweek.

May 28, 2013

Brent Kendall reports:

The Federal Trade Commission is offering a strong defense of its powers to police cybersecurity practices against a challenge by Wyndham Worldwide Corp.

We wrote about Wyndham’s challenge earlier this month in a case involving attacks by hackers on the hotel chain’s computer systems between 2008 and 2010. The FTC sued Wyndham last year for allegedly lax data security that let hundreds of thousands of credit-card numbers get stolen. The company said the government was unfairly seeking to punish the victim of the crime instead of the hackers who perpetrated it.

Now the FTC is firing back, arguing in a new court filing that corporations that collect consumer data bear responsibility for protecting it.

“The FTC is not suing Wyndham for the fact that it was hacked, it is suing Wyndham for mishandling consumers’ information such that hackers were able to steal it,” the agency said in a court filing this week.

In a battle of analogies, Wyndham argued the FTC suit was “the Internet equivalent of punishing the local furniture store because it was robbed and its files raided.”

The FTC’s new filing offered a different picture.  “A more accurate analogy would be that Wyndham was a local furniture store that left copies of its customers’ credit and debit card information lying on the counter, failed to lock the doors of the store at night, and was shocked to find in the morning that someone had stolen the information.”


Read more on WSJ. This is a case I’ve been following since the hacks were first disclosed, and represents the first time a data breach complaint by the FTC will be adjudicated by a court instead of reaching a settlement. The Chamber of Commerce and others, including TechFreedom, have jumped in on Wyndham’s side. Their argument emphasizes the point that the FTC has never promulgated clear rules that would provide fair notice to businesses as to what actions constitute “unfair or deceptive” practices under the FTC Act. Of course, in many cases, the FTC draws upon other statutes, e.g., if it would be violative of the GLBA or other statutes to do something, that makes it an unfair or deceptive practice for purposes of the FTC. Similarly, the FTC often looks to “industry standards” in determining whether an entity failed to provide adequate security. It also looks to statements made in an entity’s privacy policy or Terms & Conditions to determine what representations the entity made about data security and whether they lived up to those representations.

One criticism that has been lodged against the FTC’s data security actions is that in many cases, there really is no showing of harm or injury to the consumers, who may be protected by their banks for any fraudulent charges on their credit cards. Because most court cases involving data breaches result in dismissal for lack of standing due to absence of demonstrable harm, some (like Michael D. Scott) argue that the FTC should not be able to apply or enforce its powers in cases where you cannot demonstrate that consumers were objectively harmed.

To be clear: I’m hoping the FTC prevails. And if Congress doesn’t like the outcome, then let them get off their asses and introduce legislation that protects consumers from inadequate data security. Congress wanted to avoid legislation and let industry regulate itself, so as not to stifle innovation. All well and good, but with almost every entity suffering data breaches, someone’s got to protect consumers from inadequate security, and the FTC stepped up to the plate. This is no time to go backwards.

The Wyndham case does not strike me as unusual in terms of the grounds the FTC cited for its action. What makes it unusual is that Wyndham didn’t settle and is fighting this. If Wyndham is successful in getting the case dismissed, that will be a serious setback for the FTC. If the FTC wins, I expect we’ll see many businesses paying even more attention to data security.


Mar 18, 2013

Paul Smith reports:

The Australian Bankers Association has defended the strength of IT security processes in place across Australia’s banking system following the revelation that Reserve Bank of Australia systems had been compromised by China-based hackers.

However, security experts said the incident highlighted the need for Australian data breach notification laws to be tightened to force organisations to come forward when they were hacked.

ABA chief executive Steven Münchenberg told The Australian Financial Review that there were no reports of similar attacks on other local banks, and that effective processes were already in place to co-ordinate fraud investigations with federal and state police.

Read more on Financial Review.

Feb 24, 2013

Thanks to partisan politics and intensive industry lobbying, we have no strong federal breach notification law. This, of course, is not news to my readers. But in light of (1) Congress’s current interest in cybersecurity and sharing of information, (2) the fact that up to 40% of breaches are first detected by members of the public, and (3) how damned difficult it can be to contact an organization to alert them that they’ve had a breach, I thought of proposing a bill. I don’t have a snappy acronym for it yet, which may doom it, but if you like the concept, perhaps you or the Twitterverse can come up with one and help me flesh this out more.

So before I invest a lot of time in the language, here’s a brief outline of what the law might contain/say:

A BILL
To require any entity that collects, processes, or stores personally identifiable information to provide prominently displayed contact information on their web site to be used for reporting a data security breach, security vulnerability, or privacy concern.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. NOTICES REGARDING CONTACT INFORMATION

(a) In General- Any entity that collects, processes, or stores personally identifiable information or sensitive personally identifiable information in any format for more than 50 U.S. citizens or residents shall display on the home page of their web site a notice providing a United States-based phone number with an e-mail address or link to an on-site contact form that can be used to report a security vulnerability, data security breach, or privacy concern involving the web site or entity’s database(s).
(b) Monitoring – The phone number, e-mail address, and contact form notification shall be monitored by the covered entity or its designated responsible party every day.
(c) Receipt of Notice – Covered entities or their representative will acknowledge receipt of the notification of a data security breach, possible vulnerability, or privacy breach within 24 hours of notice if the notifier provides an e-mail address or phone number.

SECTION 2. RESPONSE TO NOTIFICATION OF A DATA SECURITY BREACH
(a) In General – Covered entities shall initiate investigation of a report of a data security breach involving personally identifiable information or sensitive personally identifiable information within 24 hours of being notified.
(b) Mitigating Exposure – Covered entities shall take steps to prevent further exposure:
(i) In the event that personally identifiable information or sensitive personally identifiable information has been exposed on the Internet, the entity shall promptly, but in no case later than 24 hours, attempt to have the data removed.
(ii) In the event that paper records with personally identifiable information or sensitive personally identifiable information have been improperly disposed of or found in public spaces, the entity shall, within 24 hours, arrange to recover possession of the records. The recovery of records shall be completed within 72 hours from time of initial notification.

SECTION 3. PROMOTING RESPONSIBLE DISCLOSURE
(a) In General – Any individual or organization that provides notification to a covered entity of a security vulnerability involving the covered entity’s web site or server(s) containing personally identifiable information or sensitive personally identifiable information shall be immune from civil or criminal action as long as:
(i) Notification is made to the covered entity and the entity is given an opportunity to secure its databases or server before the vulnerability is disclosed to others;
(ii) Personally identifiable information or sensitive personally identifiable information is not disclosed to others in unredacted form;
(iii) Personally identifiable information or sensitive personally identifiable information is securely deleted after acknowledgement of the vulnerability by the covered entity; and
(iv) Collection or download of personally identifiable information or sensitive personally identifiable information is kept to the minimum necessary for proof of vulnerability.
(b) Response to Notification – A covered entity shall respond to a notification of vulnerability within seven (7) days. The response:
(i) Shall include the covered entity’s findings with respect to the reported vulnerability, and
(ii) Steps the covered entity has taken or will take to address confirmed vulnerabilities.

Okay, that’s enough to show you where I’m going with this. Obviously, it would need sections on definitions and enforcement.

But what do you think so far? Is this a good idea to pursue, or is a bad idea?

And if you think it’s a good idea, what should we call this?
The Get Your Head Out of Your Ass, Please Act of 2013 ?
The Privacy and Security Notification Act of 2013 ?
The Wake Up and Smell the Data Leak Act of 2013?

Maybe if we throw in a “cyber” somewhere in the title…?

Have at it.

Update: This post and discussion on Slashdot last night are yet another demonstration of why we may need a federal law like this.

Maybe I should call it the “Help Me Help You Act” or the “Jerry Maguire Act of 2013?”

Jan 24, 2013

A Minnesota resident, Jeffrey Ness, has filed a potential class action lawsuit against the state’s Department of Natural Resources (DNR) and Department of Public Safety after a DNR employee exceeded authorized access and accessed about 5,000 residents’ driver’s license information. The employee was terminated but the motive for the improper access was not disclosed.

In the lawsuit filed yesterday in federal court, Ness alleges that as a result of the breach, he suffered “injuries, including but not limited to emotional distress, anxiety, and stress.”

The lawsuit alleges violations of the Drivers Privacy Protection Act and the Fourth Amendment, as well as invasion of privacy.

I certainly don’t expect the Fourth Amendment claim to be upheld because then every time a government employee snooped in a file, the government might get sued. But can Ness get a statutory award for the alleged violation of DPPA? The DPPA provides:

A person who knowingly obtains, discloses or uses personal information, from a motor vehicle record, for a purpose not permitted under this chapter shall be liable to the individual to whom the information pertains, who may bring a civil action in a United States district court.

(b) Remedies — The court may award –
(1) actual damages, but not less than liquidated damages in the amount of $2,500;
(2) punitive damages upon proof of willful or reckless disregard of the law;
(3) reasonable attorneys’ fees and other litigation costs reasonably incurred; and
(4) such other preliminary and equitable relief as the court determines to be appropriate.

I’d normally expect a lawsuit without demonstration of actual harm to get tossed, but it sounds like Ness might have a case against the employee. As to the state defendants, if Ness can show that the state knew it had a serious and repeated problem with inappropriate access to the database (and I’ve blogged about the repeated problems/breaches on PogoWasRight.org), that might help his claims against the state defendants. Then again, if the state’s Attorney General decided to go after the state agencies for a pattern of inadequate security that resulted in repeated and substantial noncompliance with the DPPA, they could be fined $5,000 a day for each day of substantial noncompliance. As I’ve blogged on PogoWasRight.org, I do think that someone should be doing something about all of the breaches involving their driver’s license database.

Bottom line: I won’t be surprised if the lawsuit gets dismissed, but it might turn out to be interesting.

But then, I am not a lawyer. Maybe I can get a lawyer to blog about this lawsuit and offer their more informed opinion.

h/t, AP