Archive for June, 2006

Lessons Learned: Don’t Blindly Trust Your Business Partners; the FTC Still Holds You Accountable

Wednesday, June 21st, 2006

Today the FTC announced that Executive Financial Home Loan Corp. was fined $1.1 million, reduced to $50,000 because of "inability to pay", for calling "tens of thousands of consumers who are on the National Do Not Call (DNC) Registry for telemarketers and for failing to pay the annual fee required to access the DNC Registry. In addition, the company and its officers are permanently barred from violating the DNC provisions of the Telemarketing Sales Rule (TSR) and from making illegal telemarketing calls in the future." 

Executive Financial Home Loan Corp. claimed it had purchased lead lists whose numbers, it had been assured, were not on the Registry.  However, the FTC indicated that even when an organization purchases such lists, “The bottom line is that telemarketers are responsible for complying with the Do Not Call provisions of the Telemarketing Sales Rule, and cannot hide behind the claims of their service providers."

I have spoken with many organizations, and most depend upon the claims of their business partners about such situations, and do not go the step further to ensure the lists purchased truly do consist of consumers who have given their permission to use their personal information for marketing. 

This is a good example, and lesson, of the need for organizations to perform due diligence to validate that the customer lists they are purchasing actually consist of valid, legally usable information.  If they don’t, not only could they face a fine and accompanying consent orders, but they may face even more damaging negative publicity…and significant lost customers and revenue…as a result.  Never underestimate the impact of bad PR.  Go the step further and validate the legality of any customer/marketing lists you purchase.
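One way to do that validation yourself, as an added example that is not part of the original post: normalize every number the vendor supplies and scrub it against the Registry before anyone dials, treating a number you cannot normalize as uncallable rather than as clean. The registry numbers and the lead list below are constructed for the demo; in practice the registry data comes from the FTC for the area codes you call, and the vendor's "already scrubbed" assurance is what you are checking, not what you rely on.

```python
import re

# Constructed sample of registered numbers (10 US digits each). The real data is the
# Registry download for the area codes you call, refreshed on the FTC's schedule.
DNC_REGISTRY = {
    "5155550123",
    "5155550199",
    "3125550147",
}

# Constructed purchased lead list, in the inconsistent formats vendors actually ship.
# The vendor's cover letter claimed every number was already scrubbed.
PURCHASED_LEADS = [
    {"name": "A. Consumer", "phone": "(515) 555-0123"},
    {"name": "B. Consumer", "phone": "515-555-0150"},
    {"name": "C. Consumer", "phone": "+1 312 555 0147"},
    {"name": "D. Consumer", "phone": "1-515-555-0199"},
    {"name": "E. Consumer", "phone": "555-0101"},   # no area code: cannot be checked
]


def normalize_us_number(raw):
    """Reduce a US phone number to its 10 digits, or return None if it cannot be
    normalized (wrong length after stripping punctuation and a leading country code)."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        return None
    return digits


def scrub_leads(leads, registry):
    """Split leads into callable, blocked (number is on the registry) and
    unverifiable (number could not be normalized, so it is not callable either)."""
    callable_, blocked, unverifiable = [], [], []
    for lead in leads:
        number = normalize_us_number(lead["phone"])
        if number is None:
            unverifiable.append(lead)
        elif number in registry:
            blocked.append(lead)
        else:
            callable_.append({**lead, "phone": number})
    return callable_, blocked, unverifiable


def scrub_report(leads, registry):
    """Summary a compliance reviewer can file: counts per bucket and whether the
    vendor's 'already scrubbed' claim survived an independent check."""
    callable_, blocked, unverifiable = scrub_leads(leads, registry)
    return {
        "callable": len(callable_),
        "blocked": len(blocked),
        "unverifiable": len(unverifiable),
        "vendor_claim_holds": not blocked and not unverifiable,
    }


if __name__ == "__main__":
    ok, bad, unknown = scrub_leads(PURCHASED_LEADS, DNC_REGISTRY)
    print("callable:", [l["name"] for l in ok])
    print("blocked:", [l["name"] for l in bad])
    print("unverifiable:", [l["name"] for l in unknown])
    print(scrub_report(PURCHASED_LEADS, DNC_REGISTRY))
```

The report is the artifact worth keeping: it records that you checked the list against the Registry on a given date, which is the due diligence the FTC says the vendor's word does not substitute for.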

The FTC also indicated that the Executive Financial Home Loan Corp. did not "pay the required fees to gain access to the phone numbers in the Registry itself."  I wrote about another situation where the FTC took action against a telemarketer that was inappropriately using the Do-Not-Call list for marketing and did not pay the required fees to get access to the Registry.  How do these organizations get access to the Registry without paying the fee?  Hmm…another topic to explore…

Learn from these experiences of others.

It is good to see the FTC taking action to enforce the laws it is responsible for overseeing; it is the only way in which the laws will be effective.  The Department of Health and Human Services should take note and consider being more proactive with the HIPAA rules, which are so limp and ineffective without active enforcement.


Privacy Gurus and Tech Giants Speak to Congress on 6/20 About the Need for a Unified Data Protection Law

Tuesday, June 20th, 2006

There was an interesting short piece published on CNET News today, "Tech titans lobby for national consumer privacy laws."  Basically the tech giants are pushing for a single unified privacy law to apply to all businesses.  Gee, makes sense, doesn’t it?  Too bad Congress has been creating hodge-podge data protection (privacy) legislation for the past couple of decades.  Well, it’s better than not having anything. 

The meeting took place today with a group from the U.S. House of Representatives, the Subcommittee on Consumer Protection.

Well…the news item whetted my curiosity whistle…but I like to go to the source for the full details.  The meeting is currently available via a webcast but (RATS!) not yet the full transcript.  Arrggghhh…it is too late in the evening for me to listen to all of this…something to add to my to-do list for tomorrow.

The Witness List & Prepared Testimony came from:

  • Meg Whitman, President and CEO, eBay Inc.
  • Dr. Thomas M. Lenard, Senior Vice President for Research, The Progress & Freedom Foundation
  • Peter Swire, C. William O’Neill Professor of Law, Moritz College of Law, The Ohio State University
  • Scott Taylor, Chief Privacy Officer, Hewlett-Packard Company
  • Evan Hendricks, Editor/Publisher, Privacy Times

Their prepared statement, quite short, is also endorsed by Google, Microsoft and several other tech leaders, and pushes for a:

"comprehensive harmonized federal privacy legislation to create a simplified, uniform but flexible legal framework. The legislation should provide protection for consumers from inappropriate collection and misuse of their personal information and also enable legitimate businesses to use information to promote economic and social value. In principle, such legislation would address businesses collecting personal information from consumers in a transparent manner with appropriate notice; providing consumers with meaningful choice regarding the use and disclosure of that information; allowing consumers reasonable access to personal information they have provided; and protecting such information from misuse or unauthorized access. Because a national standard would preempt state laws, a robust framework is warranted."

Such a law truly would start to coincide with all the non-U.S. data protection laws currently in effect.  Harmonization is a great idea, and I urge companies to use that concept with their compliance efforts.  There are many commonalities and overlaps among existing laws, both U.S. and non-U.S.  It would be interesting to see how such a comprehensive law would impact the existing U.S. laws…or vice versa.

One of the subcommittee members, Cliff Stearns (or Joe Barton; it’s hard to tell the way the document is labelled) appears to support such legislation.

This will be something to keep an eye on…hopefully this is not just activity timed to placate the public’s concerns with the glut of privacy/security incidents occurring in the past couple of years.  Both businesses and the public need a strong data protection law to help provide security and privacy, as well as a legal framework around which organizations can build strong privacy/security programs.  Will Congress be brave enough to pass such a strong law with teeth and no loopholes?  Time will tell.  At least I will keep one eye on this issue…


Semantic web and privacy

Monday, June 19th, 2006

Over the past few weeks I have been intrigued with semantic web and the impact of it upon privacy and security.  I was at CSI’s NetSec in Scottsdale, AZ last week (followed by a wonderful first visit to the Grand Canyon…and then some hardware problems…AARRRRGGGGHHHHH!!!!!…thus my lack of blog postings), and I was surprised that no one I spoke with (admittedly a small fraction of the total number of attendees) had heard of semantic web.

Semantic web has actually been in the news lately.  For example,

  • "NSA Looking At Social-Networking Spaces": "Bajarin also mentioned that the NSA searches are also tying into a time when the Internet is evolving towards what’s known as the "semantic Web." With simple code revisions to major Web sites, the Internet’s content becomes far easier to search through and index, larger systems and search engines seeing the structure of the Internet in a more logical, easily searchable way. "While it (the "semantic Web") might help surveillance, it helps make searches more accurate," Bajarin said. "It would have to help data mining and surveillance efforts to some degree. If you want serious data mining done for lower-level access, you’d need legal access to the back end."  Others have wondered about the NSA’s logic in tracking terrorist connections through social-networking sites such as and"
  • "Pentagon datamines social networks": "New Scientist reports that the Pentagon is datamining social networks.  This is to allow the US government to draw up detailed personal profiles of individuals, according to what they post to the internet.  It is also intended to work out which individuals are connected to blacklisted organisations, either directly, or through people they interact with online.  Ironically, attempts by the W3C to make the web more interaccessible via different data formats – the so-called semantic web, using the Resource Description Framework (RDF) – will expedite this process. "
  • "Inventor of ‘Semantic Web’ hired as RPI professor": "He is recognized as one of the inventors of the "Semantic Web," which is the development of a language for the Internet that can be understood by computers. Such a system can allow far fuller use of the Web, Hendler said. "As a simple example, imagine being able to search the Web for ‘the scene where the guy throws his hat at a statue and its head falls off’ and finding the right clip from the movie Goldfinger to download to your hand-held video device," Hendler said in a statement released by Rensselaer."

Several web sites are devoted to semantic web, such as W3C and the Semantic Web Community portal.

Much has been written about semantic web in various universities.  For example, just a few include:

It certainly has great potential…imagine the computing power! 

However, when delving into the possibilities, there are certainly significant privacy issues to consider in the way it is used, and the impact of incorrect labelings and codings. 

Consider a 1000 piece jigsaw puzzle of a blue lake and blue sky…looking at just one piece at a time would not tell someone what the completed puzzle would look like.  Even looking at a few connected pieces would not tell much more of significance.  However, by putting together significant portions of the puzzle, eventually leading to puzzle completion, everything about the picture becomes clearly obvious.  The semantic web holds that same potential for piecing together the private lives of people; taking a piece from here and a piece from there to form the complete picture about an individual.  A huge risk is when the semantic web does not interpret the pieces correctly, makes vastly inaccurate conclusions, and subsequent mistakes are made that negatively impact lives.  This is similar to the profiling programs used by the TSA, where a few incorrect interpretations of travellers have had significant impacts on their otherwise comparatively normal lives, only on a potentially larger scale.
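The puzzle analogy in working code, as an added example that is not part of the original post: three constructed sets of RDF-style triples, each published by a different site and each saying little on its own, joined on a property that the FOAF vocabulary declares inverse-functional (foaf:mbox_sha1sum, a hashed e-mail address, so two subjects sharing a value are by definition the same person). The `ex:` predicates, the site contents and the `org:watchlisted` label are all constructed for the demo. The last function shows the second risk in the paragraph above: a label attached to one contact, right or wrong, lands on the person one hop away.

```python
from collections import defaultdict

# Constructed triples (subject, predicate, object) as three unrelated sites might
# publish them. foaf:mbox_sha1sum is inverse-functional in FOAF; the ex: terms are
# made up for this example.
SITE_A = [  # a conference attendee list
    ("person:42", "foaf:name", "J. Doe"),
    ("person:42", "foaf:mbox_sha1sum", "ab12"),
    ("person:42", "ex:attended", "event:netsec2006"),
]
SITE_B = [  # a social-networking profile, different identifier, same hashed mailbox
    ("user:jd", "foaf:mbox_sha1sum", "ab12"),
    ("user:jd", "foaf:based_near", "geo:desmoines"),
    ("user:jd", "foaf:knows", "user:xx"),
]
SITE_C = [  # a forum that labelled one of the contacts, perhaps incorrectly
    ("user:xx", "foaf:name", "X. Other"),
    ("user:xx", "ex:memberOf", "org:watchlisted"),
]


def merge_identities(triples, inverse_functional=("foaf:mbox_sha1sum",)):
    """Map every subject to a canonical id, merging subjects that share a value for an
    inverse-functional property. Union-find with path compression."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    owners = defaultdict(list)
    for s, p, o in triples:
        find(s)
        if p in inverse_functional:
            owners[(p, o)].append(s)
    for subjects in owners.values():
        for s in subjects[1:]:
            parent[find(s)] = find(subjects[0])
    return {s: find(s) for s in list(parent)}


def build_profiles(triples):
    """Join everything published about each canonical identity into one profile.
    Returns (canonical-id map, {canonical id: {predicate: set of objects}})."""
    canon = merge_identities(triples)
    profiles = defaultdict(lambda: defaultdict(set))
    for s, p, o in triples:
        profiles[canon[s]][p].add(canon.get(o, o))
    return canon, profiles


def associates_within(profiles, start, hops):
    """Identities reachable from start over foaf:knows in at most `hops` hops."""
    seen, frontier = {start}, {start}
    for _ in range(hops):
        nxt = set()
        for node in frontier:
            nxt |= profiles[node].get("foaf:knows", set())
        nxt -= seen
        seen |= nxt
        frontier = nxt
    return seen - {start}


def labels_by_association(profiles, start, hops=1):
    """ex:memberOf labels on anyone within `hops` of start: the inference a profiler
    draws, which carries any mislabel on the associate straight onto start."""
    labels = set()
    for node in associates_within(profiles, start, hops):
        labels |= profiles[node].get("ex:memberOf", set())
    return labels


if __name__ == "__main__":
    canon, profiles = build_profiles(SITE_A + SITE_B + SITE_C)
    me = canon["person:42"]
    print({p: sorted(o) for p, o in profiles[me].items()})
    print("inferred labels:", labels_by_association(profiles, me))
```

Site A knows a name and an event, site B knows a city and a contact, site C knows a label; only the join produces a named, located person tagged as associated with a watchlisted organization, and nothing in the join checks whether site C's label was right.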

There is much more to say about this…more research first, however…


State-Level Breach Notice Laws as of June 7, 2006

Tuesday, June 13th, 2006

There are many resources throughout various locations on the Internet that have listings of state level breach notice laws.  Unfortunately most are not up-to-date, and often they are not presented in a format that can serve as a quick reference.  I have found it most helpful to have a basic listing of all the state breach notice laws, along with the effective date for each.  As of June 7, 2006, I have found 32 state-level breach notice bills that have been signed into law, with the exception of the bill in Hawaii, which has been enrolled to the governor. I have created a table to serve as a handy reference to these laws and their corresponding effective dates.  My goal is to keep this up-to-date and repost whenever new laws are signed.


What IT Needs to Know About Compliance

Thursday, June 8th, 2006

Businesses must always be vigilant about data security and privacy, particularly in the global information-based economy.  The need for security and privacy has never before been more apparent, with a new incident occurring practically every day. Businesses are dependent upon information technology (IT), not only to be successful in business, but also to be successful in protecting and controlling electronic data.

The risks that are an inherent part of IT make it necessary for IT leaders and IT personnel to know the data protection laws and regulations more than ever before. It is with this knowledge that they can incorporate information security and privacy within all the IT processes, throughout the entire systems development life cycle (SDLC). 

There are many commonalities between the regulatory, contractual and policy requirements for protecting data.  By realizing these commonalities IT can more successfully address compliance in a unified manner throughout the enterprise, and not try to address compliance issues in a piecemeal manner (which is typical but leads to significant compliance gaps). 

I discuss these issues, the IT issues within a wide range of U.S. and international laws and regulations, and clearly list the IT requirements to demonstrate the commonalities, in a new article I posted on my site, "What IT Needs to Know About Compliance."


Information Security and Privacy Professionals MUST Work Together to be Successful

Tuesday, June 6th, 2006

A few weeks ago I discussed the need for Information Security and Privacy professionals to work together to be successful.  Yesterday I posted a new podcast that expands upon this topic, and I also describe 14 business trends that information security and privacy professionals must collaborate with each other to address. If you get a chance to listen, please let me know what you think!

MP3: Rebecca Herold – Information Security and Privacy Professionals MUST Work Together to be Successful

Government Oversight Agencies Need to Give HIPAA Its Teeth to Truly Address PHI Privacy and Security

Monday, June 5th, 2006

Today a story ran in the Washington Post about how no fines have yet been levied for HIPAA noncompliance.  So far close to 20,000 complaints regarding HIPAA compliance have been filed with the Department of Health and Human Services (HHS) oversight agencies: the Office for Civil Rights, responsible for the HIPAA Privacy Rule, and the Centers for Medicare and Medicaid Services, responsible for the HIPAA Security Rule.

The article indicates that for 73% of the complaints (over 14,000) either no violation was found or HHS required the covered entities (CEs) involved to fix the problems.  This really is not at all surprising.  Back when HIPAA went into effect, HHS indicated that it would address compliance through complaint-driven activities and investigations, and work with the CEs to fix the problems. 

On February 16 of this year, HHS released the "HIPAA Administrative Simplification: Enforcement; Final Rule", effective March 16, 2006, to more clearly define its compliance and enforcement plans.  Within this Enforcement Rule it is specifically stated:

"§ 160.410 Affirmative defenses.
(a) As used in this section, the following terms have the following meanings:
Reasonable cause means circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision
Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.
(b) The Secretary may not impose a civil money penalty on a covered entity for a violation if the covered entity establishes that an affirmative defense exists with respect to the violation, including the following:
(1) The violation is an act punishable under 42 U.S.C. 1320d–6;
(2) The covered entity establishes, to the satisfaction of the Secretary, that it did not have knowledge of the violation, determined in accordance with the federal common law of agency, and, by exercising reasonable diligence, would not have known that the violation occurred; or
(3) The violation is—
(i) Due to reasonable cause and not willful neglect; and
(ii) Corrected during either:
(A) The 30-day period beginning on the date the covered entity liable for the penalty knew, or by exercising reasonable diligence would have known, that the violation occurred; or
(B) Such additional period as the Secretary determines to be appropriate based on the nature and extent of the failure to comply.
§ 160.412 Waiver.
For violations described in § 160.410(b)(3)(i) that are not corrected within the period described in § 160.410(b)(3)(ii), the Secretary may waive the civil money penalty, in whole or in part, to the extent that payment of the penalty would be excessive relative to the violation."

So, you can see this is still apparently the planned course of action.

What does this mean with regard to HIPAA having teeth?  Hmm…well…this pretty much leaves HIPAA gumming the noncompliance meat.

I agree with many of the viewpoints at the end of the Washington Post article.  Many, if not most, CEs, knowing that they will only get in trouble with HIPAA noncompliance if 1) someone complains, and then 2) they are not cooperative, after the fact, with the HHS oversight agencies, will choose to stay their current course and take no compliance actions.  The CEs I’ve spoken to have told me this, and they’ve even blogged about it and discussed it in maillists and discussion groups.  The motivators for compliance have basically been removed. 

The only real motivators now are the penalties for criminal noncompliance, which have been applied twice so far.  Too bad crimes have to occur before actions are taken…isn’t it better to prevent the crimes to begin with by applying security and privacy safeguards? 

It is also really too bad that the government, which is more aggressively pursuing compliance for other regulations, such as SOX and the FTC Act, has taken such a milquetoast attitude with patient information privacy and security.  If HIPAA enforcement is to be effective, it appears that the public will need to be more vocal in their calls to have the regulation enforced.  And, it would be good if the CEs would just do the right thing to protect the privacy and security of protected health information (PHI) and follow the regulations now instead of waiting until their hand is caught in the noncompliance cookie jar.  One alternative may be the FTC Act…most CEs have posted privacy policies on their websites…notices of privacy practices (NPPs) are a requirement of HIPAA.  If CEs do not follow them, couldn’t they be found guilty of committing unfair and deceptive business practices? 

We know the FTC and SEC are diligent in pursuing noncompliance cases…maybe the FTC and SEC heads should have lunch with the HHS head and discuss this issue.

The HIPAA Privacy Rule has been in force since 2003…it’s time the honeymoon period is over.  If the HHS would look at the increasingly large numbers of incidents occurring every week…heck, every day…they should realize enforcement and associated penalties are necessary for compliance and PHI protection.

Which brings me to wonder…how will the VA laptop/hard drive theft be handled through an HHS HIPAA violation investigation?  PHI about 26.5 million individuals was lost…certainly seems something should be done.  Others think so as well…see "Health-privacy coalition seeks HIPAA review of VA." 


*ANOTHER* E&Y Laptop Reported as Stolen…in Late February…Containing Data on 243,000 Individuals

Sunday, June 4th, 2006

Oh, come on now!  I couldn’t believe I was reading yet ANOTHER report of ANOTHER E&Y laptop that has been stolen recently!  ANOTHER stolen from a car…ANOTHER with an unbelievably huge amount of personally identifiable information (PII)…ANOTHER that did not have the data encrypted!  C’mon folks!  If you are information security or privacy professionals, or business leaders of any kind, you really need to step up your efforts to educate your personnel about the risks involved with using laptops, implement encryption on all mobile computing devices, and not allow such inordinately large databases of personal information to be on mobile computing devices.

It is also amazing that the laptop theft occurred in February, but the E&Y client whose PII was on the laptop was not notified until May 3. 

The data included names, addresses and credit card information.

"Ernst & Young invites those affected by the incident to enroll in a free credit monitoring service arranged by the auditor."

Why don’t they just go ahead and enroll all those individuals into the credit monitoring service?  Why make the victims have to tell them to do it…it’s likely many of the individuals will not be aware any potential breach has even occurred until they start having problems with their credit reports.  Yeah, sure, letters were mailed to them…but how many will be read?

"The letter from said "Ernst & Young was taking additional steps to protect the confidentiality of its data, including encrypting the sensitive information we provide to them as part of the audit process.""

If you entrust sensitive data, such as PII, to another company, for any reason, make it one of your contractual requirements that they keep the data encrypted, and verify that they do.  Their sloppy security is probably going to impact you more than them when they have an incident involving it.


Sophos Reports Top Ten List of Malware for May as Well as Arhiveus Ransomware Info

Friday, June 2nd, 2006

Those of you interested and intrigued with malware will find a couple of newly released Sophos reports interesting.

From the top ten malware report for May, some of the interesting statistics provided include:

  • "Netsky-P worm remains the most widespread piece of malware spreading via email.
  • Sophos identified 1,538 new threats in May, bringing the total of malware protected against to 122,634.
  • The majority of the new threats (85.1%) were Trojan horses, while just 12.3% were worms or viruses.
  • The proportion of email which is virus infected has dropped considerably over the last year as hackers have turned from mass-mailing attacks to targeted Trojan horses. In May 2005, one in every 38 emails was infected, now this number is just one in 141."

And a creative new piece of malware, Arhiveus, is ransomware that encrypts victims’ computer data and then attempts to force users into making a purchase from an online pharmacy to get it back.

Well, if businesses kept their data backed up to begin with, with restores actually tested, they would not need to worry about this ransomware, would they?  (Encrypting your own data protects it when the laptop is stolen; it does nothing against someone encrypting it a second time, so against ransomware the backup is the control that matters.)  This is a good example of how the cybercrooks exploit the human tendency and common business practice of not having adequate security implemented. 
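What "just restore from backup" looks like on the backup side, as an added example that is not from the Sophos report or the original post: a hash manifest recorded when the backup ran, compared later against the live files. Files that changed and now look like ciphertext (high byte entropy) are restored from the backup, files that changed but still look like documents are queued for a human to review, and missing files are restored. The file contents are constructed, and `toy_encrypt` is a constructed XOR keystream that only stands in for what the ransomware does to a file; it is not Arhiveus and not a real cipher.

```python
import hashlib
import math


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data):
    """Bits of entropy per byte. Text and most documents sit well below 6;
    ciphertext and compressed data approach 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def make_manifest(files):
    """files: {path: bytes}. Record a digest of every file when the backup is taken."""
    return {path: sha256_hex(data) for path, data in files.items()}


def triage(manifest, live, entropy_threshold=7.0):
    """Compare the live file set with the backup manifest.
    'restore': missing, or changed and now high-entropy (likely encrypted);
    'review':  changed but still low-entropy (probably a legitimate edit);
    'ok':      unchanged since the backup."""
    result = {"restore": [], "review": [], "ok": []}
    for path, digest in manifest.items():
        data = live.get(path)
        if data is None:
            result["restore"].append(path)
        elif sha256_hex(data) == digest:
            result["ok"].append(path)
        elif shannon_entropy(data) >= entropy_threshold:
            result["restore"].append(path)
        else:
            result["review"].append(path)
    return result


def toy_encrypt(data, key):
    """Constructed stand-in for the ransomware's effect on a file: XOR with a SHA-256
    counter keystream. Deterministic so the demo repeats; not a real cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


# Constructed file set as it was when the backup ran.
BACKUP = {
    "docs/contract.txt": b"The parties agree to keep customer data encrypted at rest.\n" * 40,
    "docs/leads.csv": b"name,phone\n" + b"A. Consumer,5155550123\n" * 60,
    "docs/notes.txt": b"Meeting notes: rotate keys quarterly.\n" * 50,
    "docs/plan.txt": b"Q3 plan: test restores monthly.\n" * 30,
}

# The same paths after the infection: one file encrypted, one legitimately edited,
# one untouched, and plan.txt deleted.
LIVE = {
    "docs/contract.txt": toy_encrypt(BACKUP["docs/contract.txt"], b"ransom-key"),
    "docs/leads.csv": BACKUP["docs/leads.csv"] + b"B. Consumer,5155550150\n",
    "docs/notes.txt": BACKUP["docs/notes.txt"],
}


def run_demo():
    manifest = make_manifest(BACKUP)   # taken before the incident
    return triage(manifest, LIVE)


if __name__ == "__main__":
    for bucket, paths in run_demo().items():
        print(bucket, paths)
```

The entropy test is what keeps the "review" bucket small: a spreadsheet someone appended a row to since last night hashes differently but still reads as text, while a file the malware rewrote is indistinguishable from random bytes, so it goes straight to restore without anyone opening it.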

Oh, yes, and not only do encryption and backups protect your data assets, they also demonstrate due diligence and contribute to compliance with a wide range of laws and regulations.


Discount Offered for Workshop That Provides Tools for Helping Privacy and Information Security Officers to Work Most Effectively on Their Common Goals

Thursday, June 1st, 2006

On May 17 I wrote in this blog about how Information Security and Privacy Professionals MUST Work Together to be Successful and told about the workshop addressing this that Christopher Grillo and I will be teaching June 10 and 11 just before the upcoming CSI NetSec conference in Scottsdale, AZ. 

I’m very happy to learn from CSI today that you can get a discount to attend this workshop.  When registering use the code PRIV06 to get $100 off the workshop price.

We have created a huge amount of reference material for the attendees…according to CSI more than any other workshop they have sponsored…plus tools that took Chris and me literally hundreds of hours to create.  If you can make it please join us; the more the merrier!  Plus, the more people, the more depth in our sharing of experiences, thoughts and opinions during the workshop.
