According to a widely published news story, AOL today announced in an inter-office memo that their CTO, Maureen Govern was fired and immediately being replaced by an interim CTO, John McKinley.  A CNN report, however, indicates she resigned. 

Govern was in charge of the area that released search data for the 658,000 users during March through May earlier this year.  According to the initial reports about the release of the search data, AOL had indicated it had been released for "research purposes" to a publically available site, but that it was "mistakenly" released, and the decision to do so was "not appropriately vetted."

"A researcher in AOL’s technology research department and the employee’s supervisor have also left the company in the wake of the disclosure, a source familiar with the matter said on Monday." 

"In response to a torrent of criticism across the Internet, AOL also said it plans to create a task force to review its customer information privacy policy."

The AOL privacy policy is pretty much standard fare…including the statement, "Your AOL Network information will not be shared with third parties unless it is necessary to fulfill a transaction you have requested, in other circumstances in which you have consented to the sharing of your AOL Network information, or except as described in this Privacy Policy." 

It will be interesting to see how they update their policy as a result.

Since the AOL spokesperson, Andrew Weinstein, indicated this was "a screw up, and we’re angry and upset about it," in a BNA news release, and also indicated "AOL is undertaking an internal investigation into the matter to ensure that it does not happen again," these personnel eliminations are likely part of the actions they are taking to mitigate any potential fines and penalties and try to demonstrate due diligence in addressing the incident. 

So, the personnel eliminations could have been sacrificial lambs, or perhaps they really did perform their job responsibilities in ways that were either completely negligent in consideration of potential consequences, or maybe purposefully malicious in intent.  It will be interesting to see if any statements will be made by Govern…highly unlikely considering she and the other dismissed employees probably signed NDAs.

This AOL incident is a good example of the need for thoughtful and well communicated and enforced privacy policies and procedures.  Put it in your awareness and training file to use so your organization doesn’t make a similar mistake.

• Know your privacy policy and inplement procedures to support them.
• Communicate often and clearly about what is considered as personally identifiable information (PII) along with the other types of sensitive information (e.g., search data) that, when coupled with PII can create a huge invasion of privacy and violate your own privacy policies.
• Communicate how to protect PII and sensitive data often and effectively.
• Make businss leaders accountable for their decisions and enforce sanctions when they "screw up."
• Very, very basically, don’t use the Internet as your company’s open research data repository!  Just because a research URL may not be easy to guess, it usually is very easy to find.

Technorati Tags
information security
IT compliance
regulatory compliance
AOL
application security
policies and procedures
awareness and training
privacy

Yet another…and another…in the ongoing saga of stolen laptop computers was recently reported.

Last Thursday South Florida’s Herald Tribune reported healthcare provider PSA HealthCare, reported a laptop containing cleartext information about 51,000 patients was stolen from an employee’s car on July 15.

"The computer contained personal information on current and former patients, including their names, addresses, Social Security numbers and medical case information.  It did not include banking information or credit card numbers, and the computer was password-protected, the company said.  The company quietly announced the data theft in an Aug. 4 press release titled "PSA HealthCare Announces Data Security Update."  The company notified patients and their families four days later, in a letter dated Aug. 8, more than three weeks after the computer was stolen.  "That’s what was so staggering to me," said Bradenton resident Virginia Robertson, who received the letter last week. Her mother is a PSA HealthCare client.  "It took them this long to get the information to the people that were affected by it. It would have given someone time to do some damage.""

The article goes on to indicate PSA Healthcare "is improving its data security policies."  They are a HIPAA covered entity; they should have identified weaknesses within their policies as part of their compliance activities.  It is really too bad the Department of Health and Human Services does not seek to enforce this *law*…this really seems like a good candidate for HIPAA noncompliance actions.

It is also worth noting that the PSA Healthcare site does not make a HIPAA-mandated Notice of Privacy Practices statement available on their site…if they do, it certainly was hiding from me when I looked there.  Another potential HIPAA infraction if the HHS should have the notion to pursue it.

"Kohl said PSA HealthCare had policies preventing employees from taking data out of its offices. "That has been dealt with from a disciplinary standpoint," he said, declining to elaborate.  That didn’t satisfy Robertson.  "If they say they had a company policy against it, why in the world would the company allow someone to download personal information into a laptop in the first place?" she said."

Exactly!  Not only do courts and regulatory oversight agencies look at enforcement of policies and the associated sanctions leveled, but customers/patients/consumers also want to know that policies aren’t just empty words…meaningless promises.  Non-enforcement of policies can have major negative impact on an organization.  Business leaders need to understand that policies are basically another form of legally binding contract.  To date web site privacy policies have been the one most aggressively monitored for compliance, noticeably by the FTC.  However, as more incidents occur, the noncompliance penalties and fines net will expand to include consideration of whether or not companies are following and enforcing their own policies.

This incident came soon after a Department of Transportation laptop was stolen from a Miami-Dade Florida employee’s car; that laptop contained 133,000 driver’s license and pilot license records, was NOT encrypted, but was "password protected."  There is still no news about whether that computer was ever recovered; but even when it is, there is no way to tell whether or not the files have been copied and distributed, sold, or otherwise misused, until the involved individuals become victims of subsequent crimes.

These types of stolen and lost laptops reports have many similarities and almost always indicate that 1) the data was not encrypted, 2) there was a policy against such activity that led to the incident, and 3) that the information security practices were being improved as a result.

Before an incident happens, use encryption to protect sensitive data that is in the hands, and under the control, of end-users.  Moving data is vulnerable data; encrypt it on laptops and other mobile computers, when it is used by remote users, and when it is traveling through at risk networks, such as the Internet.

Review information security programs to find gaps with compliance for the policies you have, and in addressing important topics within your policies.  HIPAA and GLBA require you to do this if you are a covered entity under these regulations.

Don’t settle for a mediocre information security program; make sure yours is effective and adequately addresses your business risks, reducing them to an acceptable level.  Most incidents expose information security programs that are not up to par.

Technorati Tags
information security
IT compliance
regulatory compliance
stolen laptop
HIPAA
patient privacy incident
policies and procedures
awareness and training
privacy

Recently the Bellingham Herald reported a former employee of Madrona Medical Group "was charged with illegally downloading patient files onto his personal laptop computer.  Madrona officials don’t believe the files were copied or used for identity theft, but they sent letters this week to more than 6,000 patients anyway, asking them to take steps to make sure no one uses the information illegally.  The records include patients’ names, addresses, Social Security numbers and dates of birth."

The medical provider notified the 6,000 patients wtih letters and established a phone number those concerned could called with questions.

"Former Madrona Medical Group employee Timothy R. Kiel was arrested June 8 and faces trial Sept. 19 on first- and second-degree computer trespass charges. Whatcom County prosecutors say Kiel downloaded onto his personal computer patient records, proprietary software, licensing keys and other data Dec. 17, 2005.  Kiel resigned from the company Dec. 20, prosecutors say, but continued to use his laptop to connect to Madrona’s servers more than 50 times between Dec. 26, 2005, and Jan. 15, 2006.  For example, prosecutors say, Kiel on Jan. 13 used a stolen vendor account, his laptop and a high-speed Internet connection at his Lynden home to connect to Madrona’s computer system. He deleted backup files, e-mail files belonging to Madrona’s human resources director, and server log files to cover his tracks, prosecutors allege."

The amount of time elapsed from when the former employee started accessing the personal files illegally to when the patients were notified…close to 8 months…is incredibly long.  Especially considering there were "more than 50 times" he accessed the provider’s computer systems.  The amount of times personal information could have been copied, distributed, misused, and otherwise used with malicious intent, could be incredibly large.

"Though the security breach was discovered in December, Madrona officials didn’t know exactly which files had been compromised until they could review the police report that arrived in mid-July, said Madrona spokesman Mark Johnson.  Madrona officials are now more closely monitoring the few employees who have access to so many records, like Kiel did, Johnson said.  The practice already has "very sophisticated" computer security systems, Laine said.  "What we cannot secure ourselves against, unfortunately, are other people’s actions," he said. "Illegal actions, in particular.""

So, it appears that law enforcement took all those months to create a police report?  What are the reasons why the police reports for compromised personal information always seem to take an inordinately large amount of time?  What activities are actually going on?  All the while, the personal information could be being used for so many different fraudulent activities, all while the victims have had no notification or awareness at all that their personal information was compromised, and fraud could be occurring.  Doesn’t it seem time law enforcement establish some reasonable guidelines for allowing individuals to be notified much more quickly?  Does there need to be a clause in a federal breach notification law covering this?  It seems there should not need to be a law to do what is right to protect victims in the most timely manner possible, but unfortunately it seems without such laws victims are allowed to potentially be vicitimized for lengthening periods of time often for flimsy reasons for notification delays because of matters related to the investigation.

Donnie Werner wrote about this last week; here are the interesting follow-up questions he posed to the Madrona Medical Group and their replies:

"1. What is the patient data loss probability?
Apparently Mr Kiel either never intended nor did he utilize the patient data and the 6000 or so records appear to be ancillary files stemming from the main attack(s), according to forensics data.

2. What was the position held by Mr Kiel?
A manager in the company IT department with intimate knowledge of the internal network structure. In a statement to patients, Madrona had the following to say:

"We would like to emphasize that this employee had high security clearance while employed at Madrona Medical Group, due to the nature of the position within our organization.  This level of access is rare and limited to very few members of the staff here at Madrona Medical Group."

3. Were background checks and clearances run when Mr Kiel was hired?
Full standard background and security checks as required by a person with a sensitive position within the company.

4. Was there any warning signs of a possible "bad seed" at the company?
None that anyone noticed and he was considered a good employee and had great performance reviews.

5. What was the motive behind the attack?
Evidentially there was some issues with either the HR department or one of it staff members. While the exact specifics are not totally clear, Mr Johnson stated: "this individual  wanted to capture HR records from a fellow HR employee (for what exactly, who knows) and inadvertently captured certain patient records in the process. The HR info contained various types of data about a variety of subjects. It doesn’t appear, from on own data analysis or from the police data report, that this person did anything with the data other then view it for their own information"."

As the article points out, this is a very clear example of an insider threat that materialized into a data incident. 

Some questions that come to mind related to this incident:

• Why weren’t procedures in place to completely remove remote access when an employee leaves the organization?  Even if the employee had "high security clearance" the procedures should ensure continued access can no longer occur immediately upon termination or, particularly in the case of a high security clearance upon notice of imminent termination.  In fact, such procedures are even more important for high security clearance employees.
• What were the provider’s policies for employees using their personal computers for business purposes?  There are apparently ways in which they need to improve these practices.
• Do the lack of such procedures, or absence of good procedures, substantiate a HIPAA violation?  It seems it very well could.  It is true that authorized, trusted insiders will sometimes do illegal activities by taking advantage of their access, and this is very hard to prevent.  However, effective procedures for termination of employees and removing all authorized access may have prevented such an incident.  This weakness in policies and procedures would be identified within a good risk analysis, such as is required by HIPAA, and the implementatioin of policies, procedures and technologies (as necessary) could have possibly prevented the incident.  Wouldn’t this seem to point to a lack of HIPAA compliance diligence on the part of the covered entity?  It will be interesting if any Washington State government agencies or groups pursue an investigation into this, or (better yet) if the Department of Health and Human Services (HHS) investigates.

Technorati Tags
information security
IT compliance
regulatory compliance
insider threat
HIPAA
patient privacy incident
policies and procedures
awareness and training
privacy

For those of you that travel occasionally…or often…I’m sure you are wondering about the ever-changing restrictions for the airlines.  I know I worry about one day hearing the requirement for all electronics to be put into checked baggage; my computer is my livelihood and even if I do take all the precautions I described in my recent blog, I still do not want to have to check my computer or cell phone if at all possible.

A friend and colleague of mine (thanks Larry!) told me about the U.S. Transportation Security Administration (TSA) site that provides answers to questions about travel restrictions.  A nice feature is that you can sign up to get notice of updates to the site.

Technorati Tags
information security
IT compliance
regulatory compliance
travel restrictions
travel security
TSA
policies and procedures
awareness and training
privacy

On August 10 the Michigan Attorney General, Mike Cox, last week issued a press release about charges against Florida and California companies. 

"Attorney General Mike Cox announced today that he is filing criminal and civil charges against senders of unsolicited e-mail messages ("spam") that seek to lure children to gamble and buy alcoholic beverages.  The messages were sent to children’s e-mail addresses registered with the State of Michigan under Michigan’s Child Protection Registry Act.  The act requires senders to check the registry to remove children’s e-mail addresses before sending messages advertising goods or services that children cannot legally buy.  Today’s criminal charges against RR Media, Inc. of Cathedral City, CA, and Data Stream Group, Inc. of Bonita Springs, FL, are the first of their kind in the country and may subject the spammers to a fine of up to $10,000 and other penalties.

            "The Internet – especially email and instant messaging – is a favorite vehicle for spammers and sexual predators to solicit children to buy harmful products, view pornographic images, and, worst of all, become targets of predatory activity," Cox said.  "I will continue to utilize all the tools available under the law to protect Michigan children from these menaces."

            The "Protect MI Child Registry" allows parents and others to submit e-mail addresses, instant message addresses, and other electronic contact points to which children in Michigan have access to the Michigan Public Service Commission, which administers the registry. The law prohibits sending e-mail to a registered address with content in the e-mail that advertises anything a minor is prohibited from doing, viewing, or using.  Examples include alcohol, tobacco, gambling, and pornography.  The law requires senders of this type of e-mail to electronically scrub their mailing lists against the registry, eliminating the registered e-mail addresses from mailing lists. Michigan and Utah are the only states that have adopted a registry law.

            "Spamming is a huge problem with no easy solution.  The registry law is an attempt by our State to find an effective way to protect children from the most offensive variety of spam.  I hope our criminal and civil actions send a message to spammers peddling harmful products – stay away from our kids," Cox said.

            The cases follow an investigation by the Attorney General’s Office, which received complaints of inappropriate e-mail solicitations for gambling and alcohol purchases being sent to e-mail addresses registered as children’s contact points.  The Attorney General’s cyber-investigation led to the defendants, RR Media, Inc. and Data Stream Group, Inc.  Each corporation stands charged with one count of violating the Registry Act.  Criminal complaints were signed on August 10, 2006, in the 36th and 52-2nd District Courts in Detroit and Clarkston, respectively.  The next court date has not yet been set.

            In addition to the criminal cases, Cox has filed civil actions against RR Media, Inc. and Data Stream Group, Inc. in Ingham County Circuit Court.  These companion cases to the criminal actions seek injunctions against further violations and other statutory penalties.

            Parents and guardians of minor children can visit the State of Michigan’s "Protect MI Child" website, operated by the Michigan Public Service Commission, at: https://www.protectmichild.com .  At this site, parents can:

• register their children’s contact points (including e-mail addresses, instant message   addresses, and fax numbers);
• file complaints concerning violations of the Michigan Child Protection Registry Act;
• obtain additional information.

Consumer alerts on e-mail scams, identity theft, and a wide range of other topics of interest to parents and consumers can be viewed or downloaded at the Attorney General’s Web site, www.michigan.gov/ag  (click on "Consumer Alerts").  An online complaint form is also available.

Mail or telephone inquiries and complaints may be directed to the Attorney General’s Consumer Protection Division at:

Consumer Protection Division
P.O. Box 30213
Lansing, MI 48909

Phone: 517-373-1140

Toll-free within Michigan: 1-877-765-8388
Fax: 517-241-3771
www.michigan.gov/ag (click on "File A Complaint")"

This continues with the more aggressive actions I’ve seen states taking with regard to compliance, particularly those laws addressing children’s safety and rights, using the Internet, and protecting individuals from identity theft and other privacy intrusions.

Just a few examples:

• On July 10, 2006 Rhode Island Governor Donald L. Carcieri signed into law bill H. 7674 that prohibits the use of the Internet or e-mail to obtain personal information, such as Social Security numbers or financial account information, from individuals under the pretense of being a legitimate online business. The new law, which took effect immediately upon being signed, makes it a criminal offense to "solicit, request or take any action to induce another person to provide identifying information by representing that the person, either directly or by implication, is an online business without the express authority or approval of the online business purported to be represented by the person" through a Web page, e-mail, or any other type of Internet service.
• On July 13, 2006 the California Supreme court ruled a California statute under which *all* parties must consent to the recording of their telephone conversation precludes Salomon Smith Barney Inc.’s Atlanta branch office from recording its telephone conversations with California clients without their knowledge and consent.  Multiple lawyers reported they believe the supreme court’s decision may have broad implications for businesses nationwide, not just those which are in California or that conduct telephone calls with individuals in the state. There are 11 other states in addition to California that have laws on the books that require all parties to a telephone call to consent to the taping of the call.
• A law, S.B. 601, signed June 29, 2006 by Pennsylvania Governor Edward G. Rendell bars businesses and government agencies from publicly posting a Social Security number or printing it on any card required for access to a company’s products or services.
• On June 30, 2006 Delaware Governor Ruth Ann Minner signed two bills that add a new privacy safeguard for Delaware residents (H.B. 392) and help reduce the damage identity theft can cause its victims (H.B. 334).  H.B. 392 makes it a criminal violation to install an electronic or mechanical location tracking device in or on a motor vehicle without the consent of the person who owns or leases the vehicle. The prohibition does not apply to use of a tracking device by a law enforcement officer or by a parent or legal guardian who installs the device to track his or her minor child. H.B. 334 authorizes the Delaware Attorney General’s Office to issue an "identity theft passport" to any person who files a police report alleging identity theft, as long as there is reasonable assurance that the claim is valid.  The "passport" will be a card or certificate that the identity theft victim can present to a law enforcement agency to help prevent his or her arrest for a crime committed by someone else using the victim’s stolen identity.

And so many more…it is hard to keep up with all the new laws!

I find Delaware law H.B. 334 particularly intriguing…issuing an identity theft passport to show to law enforcement.  What if the person is in a different state?  Will law enforcement there know about this passport?

The legal and regulatory data protection environment just gets more interesting all the time…

Technorati Tags
information security
IT compliance
regulatory compliance
state data protection laws
spam
identity theft
encryption
policies and procedures
awareness and training
privacy

A friend and colleague of mine of mine told me today that he had received an email notice from a company for which he is a customer, Book Surge, which was recently acquired by Amazon. 

I had not noticed any news reports about it before I heard from my friend, but upon hearing this and doing some searching I found one lonely little article about it in the Charleston Post & Courier from August 10:

"North Charleston-based publisher BookSurge LLC said Wednesday that a hacker possibly infiltrated its computer system and gained account information on tens of thousands of its customers.  As of Wednesday, none of the 42,000 customers who could be affected had reported any problems with their personal accounts, said BookSurge spokeswoman Mary Meagher.  "We have no reason to believe that any customer data was compromised, but we have notified the affected individuals out of an abundance of caution," she said.  BookSurge has been owned since last year by Internet heavyweight Amazon.com.

Meagher declined to say what percentage of the company’s customer base the affected accounts represent. She also would not comment on how the security breach came about and how it was discovered.  BookSurge learned late last week that an "unauthorized individual" might have gained access to files on a computer server that contained credit card and other account information for some customers and authors, according to an e-mail message it sent out. It went on to say it had "no indication that your credit card or other account information" was compromised.

Meagher said the company has taken its servers offline and has started an investigation. "We’ve been in touch with the appropriate authorities," she said. 

Typically, potential computer crimes are investigated by the Secret Service, which is a branch of the U.S. Treasury.  On Wednesday afternoon, BookSurge’s Web site was not functioning. Meagher said the company is working to get the system up and running again as soon as possible.  "We take the protection of customer data very seriously and are committed to providing a safe and secure online environment for our customers and authors," Meagher said. "We are taking additional security measures to help prevent such an incident from happening again."

For security reasons she declined to say what those measures are.  BookSurge developed an "on-demand" software system that can quickly print and bind as many or as few copies as a buyer wants. It can ship orders in two days, saving publishing houses and authors the cost of printing and storing thousands of copies at a time.  The company operates next to a bingo hall in a Dorchester Road shopping center. The company was purchased in April 2005 by online retail pioneer Amazon.com, reportedly for $10 million.  While the BookSurge computer system is down, customers still can place book orders via Amazon.com, said Patty Smith, spokeswoman for the Seattle-based company.  "The servers are completely separate," Smith said."

The BookSurge site was working today.

According to my friend, the only notification he received was a brief (6 sentence) vaguely worded email on August 8.  The extent of the information provided was just:  "I am writing to let you know that we have learned that an unauthorized individual may have gained access to files on a BookSurge server which contained credit card and other account information from some BookSurge customers."

The email provided no dates about when the breach occurred. 

The email did not provide a phone number that those impacted individuals could call, they did not indicate when the breach occurred (although the news report said BookSurge "learned late last week" about the breach).

They said they had no indication that credit card or other account information was compromised, but without knowing any details about the event, how does this make 42,000 feel better?  They will likely be the ones to know if their personal information has been compromised.

Not only was the email notification vague, breach notification via email, especially *only* via email, is a very bad business decision. 

Breach notification via email should only be done

1. if the customers have agreed to accept such types of notifications in advance by email, and
2. as a supplement to a USPS mailed letter, and/or personal phone call. 

Numerous state-level breach notification laws indicate that email only notification should not be done, but only done only as a secondary form of notification.

Email-only notification is a bad idea for many reasons.

1. It is highly likely in today’s spam-heavy environment that many, of not most, recipients will view such email notifications as spam and never read them, or their spam filters will delete them before they ever get to the inbox.
2. It is highly likely in today’s phish-abundant electronic waters that many, of not most, recipients will view such email notifications as phishing attempts without even reading them and delete them.
3. It is highly likely that a large percentage of customers, particularly within a group of 42,000, will either no longer use the email address the company has on file for them, or they may not check that email regularly, if at all, any more.
4. Email is not a reliable form of communication.  Just because you send an email, even to a valid email address, does not guarantee it will ever reach its recipient; businesses should not make such faulty assumptions that just because you send an email it will be delivered.
5. If the email is sent to a "family" or shared type of email address it is very possible the person who would recognize the importance of the information may never get the message before it is deleted by someone else who may have seen it first.
6. Only sending an email…and a horribly vague and weakly worded one at that…shows disregard for the customer and appears to just be a token action being done in a sorry attempt to appease regulators.
7. And several more reasons I decided to edit out of my typing… 🙂

There was no mention of the need for the customers to check credit reports, let alone any suggestion that they company might step up to their blunder and provide credit monitoring for the affected customers.

The email also indicated they were "taking additional security measures to help prevent such an incident from happening again."  Why weren’t these measures already in place?  If the information had been encrypted would the incident even have occurred?  What other measures should they have already had in place?

Their website has absolutely no information about this breach…another bad thing.

The Amazon site has nothing about this incident in their press releases, either.  Wonder if Amazon did any type of review of the Book Surge security program when they acquired them?

Technorati Tags
information security
IT compliance
regulatory compliance
security incident
privacy breach
breach notification
encryption
policies and procedures
awareness and training
privacy

More computer thefts were reported this past week…one I’ve already blogged about and numerous others.  Just a few of them…

• A briefcase containing U.S. Bank customer information was stolen from the car of one of the bank’s employees. "Bank spokesman Steve Dale said the names, phone numbers and Social Security numbers of a "very small" number of customers were in the briefcase that was stolen in Covington from the employee’s car."  This points out the reality that information security incidents and privacy breaches often occur through means other than electronic.  People have been stealing paper documents and committing fraudulent acts with them for basically as long as people have figured out how to commit frauds.  The bank actually is responding to the incident well compared to other organizations that have experienced incidents.  They even called all the people involved instead of just sending a form letter, as most companies have done.
• Theft of laptops, Blackberries, iPods and cellphones is not a U.S. only phenomenon.  A story published in Australia today discusses the alarming jump in the number of thefts of these electronics from parked cars.  The report indicates over 250 such thefts have occurred since June 1 of this year.
• "…burglars broke into a regional office and stole 10 computers containing names and Social Security numbers for thousands of patients treated" at HCA hospitals in Nashville.  "The computers contain 15,000 to 18,000 files with information on Medicare and Medicaid patients who have uncollected co-pays and deductibles."  Although the data was NOT encrypted, the computers were password-protected, and were stolen from a locked facility, so it is unlikely, based upon past Department of Health and Human Services (HHS) activities, that any HIPAA noncompliance actions will be pursued.  It appears from the report, though, that Internet transmissions may have been made in clear text, so this could lead to a HIPAA infraction if HHS chooses to pursue it.

Technorati Tags
information security
IT compliance
regulatory compliance
stolen computers
HIPAA
patient information privacy
encryption
policies and procedures
awareness and training
privacy