Archive for September, 2006

FTC Pretexting Report: All Businesses are Obligated to Protect Consumer Data Under Multiple Federal Regulations

Saturday, September 30th, 2006

Yesterday the FTC released a 13-page report on "Internet Data Brokers and Pretexting: Who Has Access to Your Private Records?" documenting their stance on consumer information privacy, discussing their efforts in combating pretexting, and making recommendations to Congress for stronger laws and enforcement.

If you wonder what pretexting is and want to understand better what all the hubbub is surrounding the HP board pretexting and privacy turmoil, then this is a nice report for you to read.

Some interesting tidbits from within the report…

  • "…in May 2006, the Commission filed five lawsuits in federal courts across the country against online data brokers that, directly or through third parties, allegedly obtained and sold consumer telephone records without the consumer’s knowledge or consent."

Pretexting appears to be widely practiced.  Considering that few companies (though a thankfully growing number) have strong identity verification procedures in place, this is not surprising.

  • "The complaints charge the defendants with violating Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” In each of these cases, the defendants advertised on their websites that they could obtain confidential customer phone records from telecommunications carriers for fees ranging from $65 to $180. The FTC alleged that the defendants or persons they hired obtained this information by using false pretenses, including posing as the phone carrier’s customer to induce the telephone company’s employees to disclose the records."

Unfortunately many information security and privacy officers are not aware of the FTC Act, but they should be.  It certainly applies to a much wider scope of activity than just pretexting; many companies have received fines and penalties under the FTC Act because they did not follow their own posted privacy policies, their employees carelessly sent PII within emails to large groups of customers, and so on.

  • "Although the acquisition of telephone records does not present the same risk of immediate financial harm as the acquisition of financial records does, it nonetheless is a serious intrusion into consumers’ privacy and could result in stalking, harassment, and embarrassment."

This is an important point, and it is good that a federal agency is stating this.  Misuse and unauthorized access of PII is most commonly associated with identity fraud, but so many more bad things can happen as a result of criminals and fraudsters obtaining PII.

  • "And while there is no specific federal civil law that prohibits pretexting for consumer telephone records, the Commission may bring a law enforcement action against a pretexter of telephone records for deceptive or unfair practices under Section 5 of the FTC Act."

Good!  In fact, much of the strength of the FTC Act is that it does not get into naming specific activities, but covers the general ways in which companies must do business in an honest and ethical manner.

  • "In addition to the recent cases involving telephone records pretexting, the Commission has brought actions under Section 5 of the FTC Act and Section 521 of the GLBA against businesses that use false pretenses to obtain financial information without consumer consent."

Another good point; pretexting is also covered under the Gramm Leach Bliley Act (GLBA).

  • In 2001, "FTC staff conducted a “surf” of more than 1,000 websites and a review of more than 500 advertisements in print media to identify firms offering to conduct searches for consumers’ financial data. The staff found approximately 200 firms that offered to obtain and sell consumers’ asset or bank account information to third parties. The staff then sent notices to these firms advising them that their practices were subject to the FTC Act and the GLBA, and providing information about how to comply with the law."

200 companies from the 500 ads…if each of the ads was from a different company (which they probably were not) this would mean 40% of companies they looked at were obtaining personal information through other than legitimate or ethical methods.  This percentage is likely higher considering some of the companies probably put more than one of these ads out on the websites.

  • "In 1999, Congress passed the GLBA, which provided another tool to attack the unauthorized acquisition of consumers’ financial information. Section 521 of the GLBA prohibits “false, fictitious, or fraudulent statement[s] or representation[s] to an officer, employee, or agent of a financial institution” to obtain customer information of a financial institution."

This GLBA statement covers a wide range of activities that have been reportedly pursued by many organizations.

As the report indicates, the FTC has made efforts to warn the public about pretexting through some awareness efforts, such as their consumer alert, "Pretexting: Your Personal Information Revealed."

  • "in several recent cases, the Commission has challenged data security practices as unreasonably exposing consumer data to theft and misuse. Companies that have failed to implement reasonable security and safeguard processes for consumer data face liability under various statutes enforced by the FTC, including the Fair Credit Reporting Act, the Safeguards provisions of the GLBA, and Section 5 of the FTC Act."

And also the Fair Credit Reporting Act (FCRA); another regulation to make sure your company is complying with, if applicable.  Make sure you know if it IS applicable; don’t make assumptions that it is not.

The FTC’s Recommendations within the report:

1.  "Have more specific prohibitions against pretexting for consumer telephone records and soliciting or selling consumer telephone records obtained through actual or reasonably known pretexting activity."

2.  Ensure "any such legislation contain appropriate exceptions for specified law enforcement purposes."

3.  Ensure "as part of any such legislation give the Commission authority to seek civil penalties against violators."

4.  "Congress enact cross-border fraud legislation. The proposal, called the “US SAFE WEB Act,” will overcome many of the existing obstacles to information sharing in cross-border investigations."


HIPAA, FERPA and Lawsuits

Thursday, September 28th, 2006

Yesterday the news report following my commentary was published.

It doesn’t say what the sensitive information was, but makes clear that oftentimes the wrong law is used to pursue wrongful disclosure of personal information.  HIPAA (the Privacy Rule and the Security Rule) tends to be foremost in most people’s minds when privacy infractions occur because it is written about so often.  However, as the article points out, it only applies to covered entities (CEs).

Unfortunately the discussion given to the television station is misleading.  The list provided is incomplete in that some organizations not in the list are considered hybrid entities: those whose primary business is not being a healthcare provider or healthcare insurer, but which have portions of their business that do those types of activities.  Some educational institutions certainly are hybrid entities; simplistically, those that provide health clinic services with the medical staff providing the care on their payroll.

Whenever considering privacy issues and regulatory noncompliance related to the protection of personally identifiable information (PII) within educational institutions, it is good to keep FERPA foremost among your considerations.

However, it *IS* possible that inappropriate sharing of PII can be covered by more than one regulation; and certainly, depending upon the details and involved issues, a situation where student PII is inappropriately shared with others could come under both FERPA and HIPAA.  It is important to discuss any situation with a lawyer well-versed in the data protection laws and regulations to determine which one to use when pursuing legal action.

"A Grove mother who’s suing the school district on behalf of her 15 year-old son says an administrator told her sensitive information about another student.

Specific medical information that she says, he had no right to reveal.

Sheila Dawson’s lawsuit alleges Grove school faculty and administrators violated the Health Insurance Portability and Accountability Act or HIPAA, when they told others medical facts and lies about her son and other students.

The News on 6 spoke with a HIPAA expert and learned that "the act" only protects healthcare providers, healthcare clearing houses and others who bill electronically for medical services. Elise Brennan says if the information comes from anywhere else, it’s not protected under HIPAA. "HIPAA doesn’t pertain to idle gossip. If an employer or the school has learned information from gossip, then that’s not protected health information, which is what’s covered under HIPAA."

The US Department of Education points to the Family Education Right to Privacy Act, which prohibits schools from disclosing a student’s records without parental consent.

If a school has medical information about a student, it becomes part of the education record and is protected under FERPA."


“Trustworthy” Scammers & Checking Websites Before Doing Business With Them

Wednesday, September 27th, 2006

I read with interest an article from The Register yesterday, "Malware Lurks Behind Safety Seal" that looked at some research done by Ben Edelman for his PhD at Harvard.

Within his report he stated, "I find that TRUSTe-certified sites are more than twice as likely to be untrustworthy as uncertified sites, a difference which remains statistically and economically significant when restricted to “complex” commercial sites." He also determined through his research of cross-referencing 500,000 websites that of the ones with TRUSTe certification, 5.4% were linked to either spamming or spyware, compared to 2.5% of the sites with no TRUSTe certification.

TRUSTe disputed the findings.  They indicate that some of the sites Edelman reported as having the TRUSTe seal either did not actually have it, or had the seal revoked.

The research report and TRUSTe rebuttal are interesting reads.

Bottom line, consumers must realize that web seals typically only represent the "certification" of that site at one point in time.  Security and trustworthiness of a site will change as site updates are made, staff changes are made, and other business changes occur.  A web seal can show the site was considered, by a certification vendor, as being trustworthy on the date indicated on the seal, but always take that seal with a grain of salt knowing that since the seal was put on the site it may no longer be as trustworthy. 

If you aren’t sure about doing business with a site, look beyond the seal.  Among other things:

  • Read their posted privacy policy (if they don’t have one, that’s a red flag for you).
  • Check that they use SSL for collecting personal and sensitive information.
  • Check that they use cookies in an acceptable way (very simplistically, that they do not store meaningful or personal data in clear text within cookies).
  • Check that they don’t use web bugs on their site.
  • Check that they have not been involved in any litigation or had adverse audit findings about their site security.

Yes, I know that is a lot of checking to do before you make that purchase that you really, really wanted.  You may decide to take the risk.  But just keep in mind that the fewer checks you perform before doing business with a site, the more likely it will be that you will experience some adverse consequences.
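As an added example (not code from the original post), here is an offline Python check for four of the signals just listed: a posted privacy policy, SSL on the forms that collect personal data, cookies carrying clear-text personal data, and web bugs.  It runs against a constructed sample response; the shop.example and tracker.example hosts, the cookie values and the page markup are all made up for illustration.

```python
"""Offline checks for website-trust signals (added example, constructed input)."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample response; shop.example and tracker.example are placeholders.
SAMPLE_URL = "http://shop.example/checkout"
SAMPLE_HEADERS = {
    "Set-Cookie": [
        "session=3f9a1c7d; Path=/; Secure; HttpOnly",
        "user=jane.doe@example.com|4111111111111111; Path=/",  # clear-text PII in a cookie
    ]
}
SAMPLE_HTML = """
<html><body>
<a href="/privacy">Privacy Policy</a>
<form action="http://shop.example/submit" method="post">
  <input name="email"><input name="card_number">
</form>
<img src="http://tracker.example/pixel.gif" width="1" height="1">
</body></html>
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
LONG_NUMBER_RE = re.compile(r"(?<!\d)\d{13,16}(?!\d)")  # card/account-style numbers


class _PageCollector(HTMLParser):
    """Collects links (href + visible text), form actions and image tags."""

    def __init__(self):
        super().__init__()
        self.links, self.forms, self.images = [], [], []
        self._in_link = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._in_link = True
            self.links.append([a.get("href", ""), ""])
        elif tag == "form":
            self.forms.append(a.get("action", ""))
        elif tag == "img":
            self.images.append(a)

    def handle_data(self, data):
        if self._in_link and self.links:
            self.links[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_link = False


def _collect(html):
    p = _PageCollector()
    p.feed(html)
    return p


def has_privacy_policy(html):
    """True if any link points at, or is labelled as, a privacy policy."""
    return any("privacy" in (href + text).lower() for href, text in _collect(html).links)


def insecure_forms(html, page_url):
    """Form actions that would submit over plain HTTP (resolved against the page URL)."""
    return [urljoin(page_url, a) for a in _collect(html).forms
            if urlparse(urljoin(page_url, a)).scheme != "https"]


def leaky_cookies(headers):
    """Cookie names whose values contain an e-mail address or a long account-style number."""
    out = []
    for raw in headers.get("Set-Cookie", []):
        name, _, value = raw.split(";", 1)[0].partition("=")
        if EMAIL_RE.search(value) or LONG_NUMBER_RE.search(value):
            out.append(name.strip())
    return out


def web_bugs(html, page_url):
    """1x1 images fetched from a host other than the page's own host."""
    own = urlparse(page_url).hostname
    bugs = []
    for img in _collect(html).images:
        src = urljoin(page_url, img.get("src", ""))
        tiny = img.get("width") == "1" and img.get("height") == "1"
        if tiny and urlparse(src).hostname != own:
            bugs.append(src)
    return bugs


def assess(page_url, headers, html):
    """Summarise the findings; red_flags counts the signals arguing against trusting the site."""
    f = {
        "privacy_policy": has_privacy_policy(html),
        "insecure_forms": insecure_forms(html, page_url),
        "leaky_cookies": leaky_cookies(headers),
        "web_bugs": web_bugs(html, page_url),
    }
    f["red_flags"] = ((0 if f["privacy_policy"] else 1) + len(f["insecure_forms"])
                      + len(f["leaky_cookies"]) + len(f["web_bugs"]))
    return f


if __name__ == "__main__":
    for key, value in assess(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

The sample response trips three of the four checks (an HTTP form action, a cookie holding an e-mail address and card number, and a third-party 1x1 image) while passing the privacy-policy check.  The litigation and audit-findings check cannot be automated from a page alone, so it is left to the reader.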


Data Breach Notifications: OMB Recommendations

Tuesday, September 26th, 2006

On September 20 the U.S. Office of Management and Budget (OMB) issued an 11-page memo with guidance to government agencies on how to plan to give notifications for data breaches.

This is a very important issue.  Too many times organizations, including, certainly, government agencies, have woefully responded to breaches and handled the notifications in a much less than stellar manner.  Good guidance would certainly be welcome.

I read the guidelines closely, hoping to find recommendations for a common ground of good practice not only for government agencies, but also to serve as a starting point or model for any type of organization.

Overall there are some good recommendations.  However, it misses an important point that bad things can be done with personally identifiable information (PII) other than what the memo defines as "identity theft."  Granted, the memo clearly states that the purpose is to notify individuals if identity theft specifically is a good possibility, but I think it should have also at least mentioned that many bad things have also been done with PII beyond identity theft, such as stalking, spamming, unsolicited phone calls, using other people’s medical insurance, voting, and so on.

Just a few of the excerpts…

  • "The memorandum provides a menu of steps for an agency to consider, so that it may pursue such a risk-based, tailored response. Ultimately, the precise steps to take must be decided in light of the particular facts presented, as there is no single response for all breaches."

Yes, the response definitely must be risk-based, considering *ALL* types of risks, and the resulting actions based upon the specific situation.  Certainly pre-planning MUST occur.   Unfortunately most organizations do not have a breach identification plan in place, let alone a breach notification plan, according to many different surveys. 

Most of the organizations I’ve spoken with who have a breach notification plan in place do not have one that is truly executable, taking into consideration the types of data involved, or how to communicate about the breach to the impacted individuals or the news media.

  • "This memorandum focuses on the type of identifying information generally used to commit identity theft." 

In fact the memo not only focuses on that type of PII, but also just on the potential of identity theft and nothing beyond, as I stated earlier.

  • "Thus, an important first step in responding to a breach is for agencies to engage in advance planning for this contingency."

Indeed!  Pre-planning must be done to handle an incident and determine when, if and how to provide notification in order to be as effective and efficient as possible, and to lessen the resulting potential damage as much as possible.

  • "Our experience suggests that such a core group should include, at minimum, an agency’s chief information officer, chief legal officer, chief privacy officer (or their designees), a senior management official from the agency, and the agency’s inspector general (or equivalent or designee)."

Where’s the information security officer, CISO, in this list?  Are they assuming the CIO has all the background and information security knowledge necessary for this type of event?  Most CIOs have awareness, but not all the experience and knowledge necessary to use for an effective breach notification response.  It is very important to include the CISO.  Even if notification is determined to not be necessary it is important to remember a security incident has occurred and needs to be resolved. 

Security incident response plans must consider breach notifications, and breach notification teams must consider information security and the actions they must take to help prevent a similar incident from happening.

Another person to definitely include in the core group is the public relations officer.  They must know the reality of what is going on with the incident in order to release information about the incident in the most honest and effective way possible.

  • "Thus, the first steps in considering whether there is a risk of identity theft, and hence whether an "identity theft response" is necessary, are understanding the kind of information most typically used to commit identity theft and then determining whether that kind of information has been potentially compromised in the incident being examined."

Again, the considerations must go beyond just whether or not identity theft can occur, and it will depend upon the situation.  For example, what if a database of names and addresses were stolen from a company that is a potential terrorist target?  There could be safety issues involved here for these individuals, even if the possibility of identity theft with this information is low.

  • "An SSN standing alone can generate identity theft. Combinations of information can have the same effect. With a name, address, or telephone number, identity theft becomes possible, for instance, with any of the following: (1) any government-issued identification number (such as a driver’s license number if the thief cannot obtain the SSN); (2) a biometric record; (3) a financial account number, together with a PIN or security code, if a PIN or security code is necessary to access the account; or (4) any additional, specific factor that adds to the personally identifying profile of a specific individual, such as a relationship with a specific financial institution or membership in a club."

All good information to have documented within the breach notification plan.  Along, of course, with other types of data that could lead to bad things.

  • "Our experience suggests that in determining the level of risk of identity theft, the agency should consider not simply the data that was compromised, but all of the circumstances of the data loss, including
    • how easy or difficult it would be for an unauthorized person to access the covered information in light of the manner in which the covered information was protected;
    • the means by which the loss occurred, including whether the incident might be the result of a criminal act or is likely to result in criminal activity;
    • the ability of the agency to mitigate the identity theft;
    • and evidence that the compromised information is actually being used to commit identity theft"

Some of these recommendations are concerning.  It implies that if the theft of the PII can be mitigated the individuals involved should not be notified.  Wouldn’t this be a little bit like saying the police do not have to notify a homeowner if they found a burglar in the homeowner’s house and chased him away, and don’t think the burglar actually took anything?

I do believe that strongly encrypted data that is stolen poses very little risk to the individuals.  Whether or not data is encrypted should be a consideration.  It would be nice if we could get to a point where all PII on mobile computers and storage devices were strongly encrypted.

However, trying to second guess WHY the incident occurred and the criminal’s INTENTIONS is not a good idea.

Also, breach notifications should be made as quickly as possible.  Just because PII has not been used within a week or two or three…or even a couple of months…to commit crime, does not mean that the individuals’ PII will not be used to commit crimes months later.  Some criminals are smart enough and patient enough to wait until the heat is off to do their crimes. 
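The memo’s data-combination test quoted above, together with the encryption consideration, as an added Python example (not from the memo or the original post).  The field names, the category sets and the sample breaches are constructed for illustration; the one modelling choice beyond the memo’s text is that, as argued here, absence of observed misuse does not lower the risk level.

```python
"""Breach triage along the lines of the OMB memo's identity-theft data test (added example)."""
from dataclasses import dataclass

# Memo: "with a name, address, or telephone number" plus one of the factors below.
# The concrete field names in each set are constructed for this example.
IDENTIFIERS = {"name", "address", "phone"}
GOV_ISSUED_IDS = {"ssn", "drivers_license", "passport_number"}   # factor (1)
BIOMETRICS = {"fingerprint", "face_template"}                    # factor (2)
FINANCIAL_ACCOUNTS = {"bank_account", "card_number"}             # factor (3) ...
ACCESS_CODES = {"pin", "security_code"}                          # ... only with its PIN/code
PROFILE_FACTORS = {"bank_relationship", "club_membership"}       # factor (4)


@dataclass
class BreachedDataSet:
    fields: set                       # names of the compromised fields
    strongly_encrypted: bool = False  # lost in encrypted form, key not lost with it
    misuse_observed: bool = False     # the memo's "evidence that ... is actually being used"


def identity_theft_possible(fields):
    """The memo's combination test: SSN alone, or an identifier plus one enabling factor."""
    if "ssn" in fields:
        return True
    if not fields & IDENTIFIERS:
        return False
    if fields & (GOV_ISSUED_IDS | BIOMETRICS | PROFILE_FACTORS):
        return True
    # A financial account number only counts together with the code that unlocks it.
    return bool(fields & FINANCIAL_ACCOUNTS) and bool(fields & ACCESS_CODES)


def triage(ds):
    """Rate identity-theft risk and list what the plan still has to consider.

    Strong encryption lowers the level. Lack of observed misuse deliberately
    does not: criminals may wait months before using the data.
    """
    possible = identity_theft_possible(ds.fields)
    if not possible:
        level = "none"
    elif ds.strongly_encrypted:
        level = "low"
    else:
        level = "high"
    notes = []
    if ds.fields & IDENTIFIERS:
        notes.append("review non-identity-theft harms (stalking, harassment, safety)")
    if not ds.misuse_observed:
        notes.append("no misuse seen yet; this does not reduce the risk level")
    return {"identity_theft_possible": possible, "identity_theft_risk": level, "notes": notes}


# Constructed sample breaches
SAMPLE_BREACHES = {
    "contact_list": BreachedDataSet({"name", "address"}),
    "card_file": BreachedDataSet({"name", "card_number", "security_code"}),
    "card_file_no_code": BreachedDataSet({"name", "card_number"}),
    "payroll_export": BreachedDataSet({"ssn"}),
    "encrypted_laptop": BreachedDataSet({"name", "address", "ssn"}, strongly_encrypted=True),
}

if __name__ == "__main__":
    for label, ds in SAMPLE_BREACHES.items():
        print(label, triage(ds))
```

Note that the "contact_list" case comes out as no identity-theft risk under the memo’s test yet still carries a note to review other harms, which is exactly the gap in the memo discussed above.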

  • "For example, as a general matter, the risk of identity theft is greater if the covered information was stolen by a thief who was targeting the data (such as a computer hacker) than if the information was inadvertently left unprotected in a public location, such as in a briefcase in a hotel lobby. Similarly, in some cases of theft, the circumstances might indicate that the data-storage device, such as a computer left in a car, rather than the information itself, was the target of the theft."

You cannot know the intentions of an unknown thief!  It is best for the potential victims involved for an organization to assume that the thief HAS intentions to do bad things…or that someone buying the stolen laptop from the thief will want to do bad things with the PII.

Granted, the circumstances must be considered.  If someone accidentally knocked their computer off the Grand Canyon, smashing it into canyon gravel, then true, this would not need notification…but then again, this really wouldn’t be a breach.  Yes, this is a bit of a facetious example, but hopefully you see my point.

  • "Considering these factors together should permit the agency to develop an overall sense of where along the continuum of identity-theft risk the risk created by the particular incident falls. That assessment, in turn, should guide the agency’s further actions."

This, AND following the at least 33 state-level breach notification laws.  Those laws do not try to second guess the intentions of criminals.  It is odd that the memo does not even reference the state-level breach notification laws, although it does mention the state-level credit freeze laws.

  • "While assessing the level of risk in a given situation, the agency should simultaneously consider options for attenuating that risk."

More reason to include the CISO in the core breach notification team.

  • "It might take a few months for most signs of fraudulent accounts to appear on the credit report, and this option is most useful when the data breach involves information that can be used to open new accounts."

Yes, it could!  It could also take many months.  Funny they included the seemingly contradictory statement earlier when talking about how to determine IF notification should be made. 

It is still nice to see this point being made, though, within a government publication such as this.  Often organizations and agencies make published statements that "there is no evidence of fraud occurring" just a week or two after the data compromise. 

They recommend telling the individuals to

  • "Place an initial fraud alert on credit reports maintained by the three major credit bureaus noted above."

Legitimate advice, but it is still placing the responsibility of dealing with the organization’s breach impact upon the victim.  All unplanned time, stress and irritation for individuals when the breach often could have been prevented to begin with…or if the data had been encrypted!

  • "Be aware that the public announcement of the breach could itself cause criminals engaged in fraud, under the guise of providing legitimate assistance, to use various techniques, including email or the telephone, to deceive individuals affected by the breach into disclosing their credit card numbers, bank account information, SSNs, passwords, or other sensitive personal information."

This may be possible, but then again, these scams are going on all the time.  Silence about a crime that has occurred potentially impacting privacy and security is not a good risk mitigation control.  It’s usually better to have many eyes and ears on the alert for the subsequent wrong-doings with the stolen data than worry about one or two people who may take advantage.

Here are the high-level recommendations for actually executing the breach notification; see the memo for the details that go with each:

"1. Timing: The notice should be provided in a timely manner, but without compounding the harm from the initial incident through premature announcement based on incomplete facts or in a manner likely to make identity theft more likely to occur as a result of the announcement. While it is important to notify promptly those who may be affected so that they can take protective steps quickly, false alarms or inaccurate alarms are counterproductive."

"2. Source: Given the serious security and privacy concerns raised by data breaches, notification to individuals affected by the data loss should be issued by a responsible official of the agency, or, in those instances in which the breach involves a publicly known component of an agency, a responsible official of the component."

"3. Contents: The substance of the notice should be reduced to a stand-alone document and written in clear, concise, and easy-to-understand language, capable of individual distribution and/or posting on the agency’s website and other information sites."

"4. Method of Notification: Notification should occur in a manner calibrated to ensure that the individuals affected receive actual notice of the incident and the steps they should take. First-class mail notification to the last known mailing address of the individual should be the primary means by which the agency provides notification."

"5. Preparing for follow-on inquiries: Those notified can experience considerable frustration if, in the wake of an initial public announcement, they are unable to find sources of additional accurate information."

"6. Prepare counterpart entities that may receive a surge in inquiries: Depending on the nature of the incident, certain entities, such as the credit-reporting agencies or the FTC, may experience a surge in inquiries also."

On the last page they provide a "Risk Based Decision Framework" flowchart.  I really like, and encourage organizations to use, flowcharts to map out and visually describe procedures.  It makes it clearer what needs to be done, and can be referenced more quickly than 10 pages of documentation (which you still need as support for the flowchart) on its own.

This flowchart would make a good starting point for organizations.  It will need modification to go beyond just identity theft possibilities, and you will want to incorporate the state-level breach notification requirement considerations as well.

Overall this is a nice resource for organizations to use when establishing their breach notification plans, but organizations need to keep in mind that it is incomplete and that they need to consider the other issues I discussed earlier.

Technorati Tags








Data Breach Notifications: OMB Recommendations

Tuesday, September 26th, 2006

On September 20 the U.S. Office of Management and Budget (OMB) issued an 11-page memo with guidance to government agencies on how to plan to give notifications for data breaches.

This is a very important issue.  Too many times organizations, including, certainly, government agencies, have woefully responded to breaches and handled the notifications in a much less than stellar manner.  Good guidance would certainly be welcome.

I read the guidelines closely, hoping to find recommendations for a common ground of good practice not only for government agencies, but also to serve as a starting point or model for any type of organization.

Overall there are some good recommendations.  However, it misses an important point that bad things can be done with personally identifiable information (PII) other than what the memo defines as "identity theft."  Granted, the memo clearly states that the purpose is to notify individuals if identity theft specifically is a good possibility, but I think it should have also at least mentioned that many bad things have also been done with PII beyond identity theft, such as stalking, spamming, unsolicited phone calls, using other people’s medical insurance, voting, and so on.

Just a few of the excerpts…

  • "The memorandum provides a menu of steps for anagency to consider, so that it may pursue such a risk-based, tailored response. Ultimately, the precise steps to take must be decided in light of the particular facts presented, as there is no single response for all breaches."

Yes, the response definitely must be risk-based, considering *ALL* types of risks, and the resulting actions based upon the specific situation.  Certainly pre-planning MUST occur.   Unfortunately most organizations do not have a breach identification plan in place, let alone a breach notification plan, according to many different surveys. 

Most of the organizations I’ve spoken with who have a breach notification plan in place do not have one that is truly executable, taking into consideration the types of data involved, or how to communicate about the breach to the impacted individuals or the news media.

  • "This memorandum focuses on the type of identifying information generally used to commit identity theft." 

In fact the memo not only focuses on that type of PII, but also just on the potential of identity theft and nothing beyond, as I stated earlier.

  • "Thus, an important first step in responding to a breach is for agencies to engage in advance planning for this contingency."

Indeed!  Pre-planning must be done to handle an incident and determine when, if and how to provide notification in order to be as effective and efficient as possible, and to lessen the resulting potential damage as much as possible.

  • "Our experience suggests that such a core group should include, at minimum, an agency’s chief information officer, chief legal officer, chief privacy officer (or their designees), a senior management official from the agency, and the agency’s inspector general (or equivalent or designee)."

Where’s the information security officer, CISO, in this list?  Are they assuming the CIO has all the background and information security knowledge necessary for this type of event?  Most CIOs have awareness, but not all the experience and knowledge necessary to use for an effective breach notification response.  It is very important to include the CISO.  Even if notification is determined to not be necessary it is important to remember a security incident has occurred and needs to be resolved. 

Security incident response plans must consider breach notifications, and breach notification teams must consider information security and the actions they must take to help prevent a similar incident from happening.

Another person to definitely include in the core group is the public relations officer.  They must know the reality of what is going on with the incident in order to release information about the incident in the most honest and effective way possible.

  • "Thus, the first steps in considering whether there is a risk of identity theft, and hence whether art "identity theft response" is necessary, are understanding the kind of information most typically used to commit identity theft and then determining whether that kind of information has been potentially compromised in the incident being examined."

Again, the considerations must go beyond just whether or not identity theft can occur, and it will depend upon the situation.  For example, what if a database of names and addresses were stolen from a company that is a potential terrorist target?  There could be safety issues involved here for these individuals, even if the possibility of identity theft with this information is low.

  • "An SSN standing alone can generate identity theft. Combinations of information can have the same effect. With a name, address, or telephone number, identity theft becomes possible, for instance, with any of the following: (1) any government-issued identification number (such as a driver’s license number if the thief cannot obtain the SSN); (2) a biometric record; (3) a financial account number, together with a PIN or security code, if a PTN or security code is necessary to access the account; or (4) any additional, specif c factor that adds to the personally identifying profile of a specific individual, such as a relationship with a specific financial institution or membership in a club."

All good information to have documented within the breach notification plan.  Along, of course, with other types of data that could lead to bad things.

  • "Our experience suggests that in determining the level of risk of identity theft, the agency should consider not simply the data that was compromised, but all of the circumstances of the data loss, including
    • how easy or difficult it would be for an unauthorized person to access the covered information in light of the manner in which the covered information was protected;
    • the means by which the loss occurred, including whether the incident might be the result of a criminal act or is likely to result in criminal activity;
    • the ability of the agency to mitigate the identity theft;
    • and evidence that the compromised information is actually being used to commit identity theft"

Some of these recommendations are concerning.  They imply that if the theft of the PII can be mitigated, the individuals involved should not be notified.  Wouldn’t this be a little bit like saying the police do not have to notify a homeowner if they found a burglar in the homeowner’s house and chased him away, and don’t think the burglar actually took anything?

I do believe that strongly encrypted data that is stolen poses very little risk to the individuals.  Whether or not data is encrypted should be a consideration.  It would be nice if we could get to a point where all PII on mobile computers and storage devices were strongly encrypted.

However, trying to second guess WHY the incident occurred and the criminals’ INTENTIONS is not a good idea.

Also, breach notifications should be made as quickly as possible.  Just because PII has not been used within a week or two or three…or even a couple of months…to commit crime, does not mean that the individuals’ PII will not be used to commit crimes months later.  Some criminals are smart enough and patient enough to wait until the heat is off to do their crimes. 

  • "For example, as a general matter, the risk of identity theft is greater if the covered information was stolen by a thief who was targeting the data (such as a computer hacker) than if the information was inadvertently left unprotected in a public location, such as in a briefcase in a hotel lobby. Similarly, in some cases of theft, the circumstances might indicate that the data-storage device, such as a computer left in a car, rather than the information itself, was the target of the theft."

You cannot know the intentions of an unknown thief!  It is best for the potential victims involved for an organization to assume that the thief HAS intentions to do bad things…or that someone buying the stolen laptop from the thief will want to do bad things with the PII.

Granted, the circumstances must be considered.  If someone accidentally knocked their computer off the Grand Canyon, smashing it into canyon gravel, then true, this would not need notification…but then again, this really wouldn’t be a breach.  Yes, this is a bit of a facetious example, but hopefully you see my point.

  • "Considering these factors together should permit the agency to develop an overall sense of where along the continuum of identity-theft risk the risk created by the particular incident falls. That assessment, in turn, should guide the agency’s further actions."

Organizations need to do this AND follow the at least 33 state level breach notification laws.  Those laws do not try to second guess the intentions of criminals.  It is odd that the memo does not even reference the state level breach notification laws, though it does mention the state level credit freeze laws.

  • "While assessing the level of risk in a given situation, the agency should simultaneously consider options for attenuating that risk."

More reason to include the CISO in the core breach notification team.

  • "It might take a few months for most signs of fraudulent accounts to appear on the credit report, and this option is most useful when the data breach involves information that can be used to open new accounts."

Yes, it could!  It could also take many months.  Funny they included the seemingly contradictory statement earlier when talking about how to determine IF notification should be made. 

It is still nice to see this point being made, though, within a government publication such as this.  Often organizations and agencies make published statements that "there is no evidence of fraud occurring" just a week or two after the data compromise. 

They recommend telling the individuals to

  • "Place an initial fraud alert on credit reports maintained by the three major credit bureaus noted above."

Legitimate advice, but it is still placing the responsibility of dealing with the organization’s breach impact upon the victim.  All unplanned time, stress and irritation for individuals when the breach often could have been prevented to begin with…or if the data had been encrypted!

  • "Be aware that the public announcement of the breach could itself cause criminals engaged in fraud, under the guise of providing legitimate assistance, to use various techniques, including email or the telephone, to deceive individuals affected by the breach into disclosing their credit card numbers, bank account information, SSNs, passwords, or other sensitive personal information."

This may be possible, but then again, these scams are going on all the time.  Silence about a crime that has occurred potentially impacting privacy and security is not a good risk mitigation control.  It’s usually better to have many eyes and ears on the alert for the subsequent wrong-doings with the stolen data than worry about one or two people who may take advantage.

Here are the high level recommendations for actually executing the breach notification; see the memo for the details that go with each:

"1. Timing: The notice should be provided in a timely manner, but without compounding the harm from the initial incident through premature announcement based on incomplete facts or in a manner likely to make identity theft more likely to occur as a result of the announcement. While it is important to notify promptly those who may be affected so that they can take protective steps quickly, false alarms or inaccurate alarms are counterproductive."

"2. Source: Given the serious security and privacy concerns raised by data breaches, notification to individuals affected by the data loss should be issued by a responsible official of the agency, or, in those instances in which the breach involves a publicly known component of an agency, a responsible official of the component."

"3. Contents: The substance of the notice should be reduced to a stand-alone document and written in clear, concise, and easy-to-understand language, capable of individual distribution and/or posting on the agency’s website and other information sites."

"4. Method of Notification: Notification should occur in a manner calibrated to ensure that the individuals affected receive actual notice of the incident and the steps they should take. First-class mail notification to the last known mailing address of the individual should be the primary means by which the agency provides notification."

"5. Preparing for follow-on inquiries: Those notified can experience considerable frustration if, in the wake of an initial public announcement, they are unable to find sources of additional accurate information."

"6. Prepare counterpart entities that may receive a surge in inquiries: Depending on the nature of the incident, certain entities, such as the credit-reporting agencies or the FTC, may experience a surge in inquiries also."

On the last page they provide a "Risk Based Decision Framework" flowchart.  I really like, and encourage organizations to use, flowcharts to map out and visually describe procedures.  They make it clearer what needs to be done, and a flowchart can be referenced more quickly than 10 pages of documentation on its own (which you still need as support for the flowchart).

This flowchart would make a good starting point for organizations.  It will need modification to go beyond just identity theft possibilities, and you will want to incorporate the state level breach notification requirement considerations as well.

Overall this is a nice resource for organizations to use when establishing their breach notification plans, but organizations need to keep in mind that it is incomplete and that they need to consider the other issues I discussed earlier.

The Need for Passwords on Cell Phones & FTC Advice for Protecting Your Identity

Thursday, September 21st, 2006

Today the Washington Post hosted a live call-in show with Joel Winston, Associate Director for the FTC’s Division of Privacy and Identity Protection.  He fielded questions about how individuals can avoid being victims of identity thieves.  The Washington Post published an edited copy of the transcript of the show.  I tried to find a copy on the FTC site, but then noticed all editorial rights were reserved.

Some interesting discussions occurred during the show…

He reminded listeners that now everyone has a legal right to request one free credit report each year.  I encourage everyone to do so; you can find some significant, as well as many small, errors.  These reports certainly are an interesting trip down memory lane.  And when requesting them, it is VERY interesting the way the major credit reporting agencies (Equifax, Experian and TransUnion) use some of the most nondescript information from your credit report to verify your identity.  It would be even better if you could get one free report from EACH of the major agencies since one may have different information from the other.

Some interesting portions of the show:

  • “A Social Security number without a name can lead to identity theft, because the thief often can “reverse engineer” the name using public data services and online search engines.  Truncated numbers are far safer, but not foolproof.”

Unfortunately many organizations believe that it is okay to use the SSN if no other types of personally identifiable information (PII) are used at the same time.  This is a good reminder from the FTC…the agency that *WILL* and *HAS* applied severe penalties against companies…that using an SSN even on its own, and subsequently having an incident occur, could lead to some significant negative business impact.

  • “Arlington, Va.: My cell phone was stolen and used by the thief to call other people. I reported this to the police but they refused to help me retrieve it and said it is not worth their time. I really want my phone back because it has lots of data. What can I do if the police refuse to help?

Joel Winston: I’m not sure what you can do if the police won’t conduct an investigation. You should, of course, contact your telephone carrier, which I assume you’ve done.”

There is so much information…so much PII…stored on most people’s cell phones.  Not only their personal phones, but also on the phones they use for business.

I encourage companies to establish policies and procedures for their personnel to put passwords on their cell phones; not necessarily to be able to answer the phone (although that may be appropriate for certain people), but definitely to get to the phone book, incoming and outgoing phone logs, text messages, photos, website activity logs and so on.  If they do not, they are putting the information of everyone in their phone book at risk.  Recall the Paris Hilton cell phone debacle and how upset all the folks in her phone book were at being exposed by her lack of security sense?

I have been impacted by someone else’s cell phone being stolen.  One of my business colleagues and friends in California had his cell phone either lost or stolen, he thinks while at a restaurant.  He did not notice it until his friends and business associates started calling his office phone the next day to ask him if he knew where his cell phone was…I was one of the people who called him.  He did not have any security on his cell phone…a big embarrassment to a security guru such as he is.  I was working late one night and my cell phone rang; I saw who it was from by the number on the display and thought it odd he would be calling me late at night.  When I answered I knew right away it actually was not my friend, but a sicko who was going through all the phone book numbers…which also had everyone’s full name listed…and was calling those he wanted to “get to know”…ick…I had to get a Q-Tip after that call and clean out my ear.  Fortunately nothing worse than a few more calls (which I did not answer) from the phone criminal occurred before my friend had his phone number cancelled.  However, it could have been worse if my friend had stored even more information, including about himself, on the phone.

Put passwords on your cell phone!  You’ll not only be protecting your own privacy, but the privacy of the others whose numbers are in your phone book or in your calling logs.

  • “Technically, federal law defines “identity theft” to include credit card fraud. But, the far more damaging problem is when a thief gets your Social Security number and opens new accounts in your name. If they only steal your credit card number and make unauthorized charges, typically you won’t have to pay for them. The law limits your liability to $50 and most credit card companies waive even that.”

Identity theft is a darling phrase used most commonly in the media.  However, many, many types of crime can be committed through the use of a wide range and combination of PII items.

Data Recovery…Always Expect that Anything Can Happen to Your Data

Wednesday, September 20th, 2006

I needed a good laugh today…and I got it from the Channel Register story "The Cat Peed on my Laptop…"

If you need to relieve a bit of stress, perhaps the following will make your frown turn upside down…

"By John Leyden 20 Sep 2006 13:09
The cat peed on my laptop…
and other bizarre data recovery disasters

It’s not only IT Help Desks that get strange queries and requests. Data recovery specialists at UK-based firm Disklabs have compiled an illuminating list of the oddest requests for assistance it receives from the 50,000 cases a year it deals with involving people needing to get their data recovered.

Disklabs said that recovery of data is nearly always possible, even from the extreme cases it highlights. "It seems that each year this list gets more and more bizarre," Disklabs director Simon Steggles said.

Disklabs top ten data recovery disasters

*  My cat urinated on my laptop – Disklabs technicians had to tread gingerly in handling a Toshiba laptop which had been urinated on by a client’s pet Persian Blue."

Talk about a bad review…sounds like the computer literally pissed him off!

"*  It fell off the roof of the car – A salesperson in a hurry placed his laptop on the roof of his car, while he placed all his demo products into the vehicle. He forgot the laptop on the roof and drove off. He stated: "I was doing about 40mph when I saw it in the rear view mirror"."

I know of *2* CEOs who lost their laptops off the top of their cars!  This is a common occurrence, I think.

"*  I accidentally drove over it – An MP3 player was the victim of this roadside mishap. The client didn’t realise that the MP3 player had fallen out of her pocket, and accidentally drove over the offending device. "

Not really surprising…more roadkill…

"*  We just sacked the IT manager and he started kicking the server – The IT manager wasn’t up to the job so he was fired. The man in question threw a wobbler, deciding the server had to go before he did. He achieved this by kicking the server until it stopped working, causing data corruption and hardware damage to the hard drives. "

What’s a wobbler?  Is that like a hissy-fit?  Or more like having a cow?

"*  There was a bit of oil on it – Quite an understatement. One Disklabs’ client had approximately 120 barrels of crude spilt over his laptop, which was in use on an oil rig at the time. "

Wow!  Trying to visualize where on the rig they put him to have his computer covered with all the oil.  Gosh…what kind of job did he have on that rig…

"*  I accidentally threw it out of a window – A student claimed he was ‘messing around’ with his roommate’s laptop. But instead of pretending to throw the laptop out of the window, he chucked it for real – much to the dismay of his roommate. "

Yes, this is very credible.  If you know college students, you KNOW this could happen!

"*  She just got stroppy and snapped it in half – A client’s wife thought he was playing away from home and snapped his mobile in a fit of pique. The phone, a Motorola V3 Razor, was literally snapped in half. Disklabs only received one half of the phone and was still able to retrieve all the SMS messages and contacts. "

Hey, I learned another new word, "stroppy"!  Of course I had to look it up…"touchy"…"belligerent".  I don’t know, sounds more like she was throwing a "wobbler" to me.

"*  The dog has had a go at it – a Staffordshire bull terrier took a liking to its owner’s camera and bit into it. The memory card inside sustained some damage and arrived still wet from dog saliva. "

Whew!  I was afraid of what that last word in the sentence was going to be.

"*   I was showing my friend how to delete data on the spare hard drive, but I deleted the wrong one – Enough said. "

Yeah, ‘nuf said.

"*  My wife threw my laptop down a well – Another marital dispute. Excuses offered failed to placate an irate wife who took her revenge by throwing her husband’s laptop into a 60 foot well. "

LOL…we have a 120 foot well…with a true throw, I can imagine the laptop bumping and ricocheting against the sides…thwank…bwonk…thunk…all the way down until you hear the deep, plonking splash, followed by the lyrical echoes.  Or, if it was a straight drop down, the waiting silence…finally broken by the big, SPLOSHing water crash.  Hope they didn’t have to drink that water…you’ve seen those reports about all the bacteria on computer keyboards, haven’t you?  😉

"Disklabs swears all the anecdotes above come from real jobs undertaken by its data recovery service. Disklabs was able to save data in all the above instances.  Which is nice."

Wonder if the husband or the wife climbed down the well for the retrieval?  Yeah, I think most definitely the husband, too…

U.S. Dept of Justice Identity Theft Task Force Recommendations: Possible Models for All Organizations?

Tuesday, September 19th, 2006

Today the U.S. DoJ announced in a speech their interim identity theft task force recommendations.  The final recommendations will be submitted to President Bush in November.  They also provided a press release about the interim task force recommendations.  But before showing a copy of the press release, a few thoughts about the guidelines…

I look forward to seeing the data breach guidance the task force creates.  Most organizations have very weak, if any, breach response plans, so this could potentially be a good model for them.  True, it will be guidance written specifically for government agencies, but there should be many guidelines applicable to any organization; no use re-inventing the wheel.

I really like the idea of creating a universal police report!  The challenge will be implementing this report throughout the U.S.  State, county and city-level government agencies, particularly law enforcement, are notoriously disjointed from all other law enforcement agencies.  I want to see the report they come up with!  I hope they do a privacy impact assessment (PIA) on their implementation plans before putting it into use…you don’t want this type of personally identifiable information (PII) getting into the wrong hands because the system was created poorly and/or with insufficient controls.  It would be horrible for the victims of identity theft to become victims again because of the mishandling of the identity theft report.

Restitution for victims’ lost time could be a very good motivator for organizations to create strong safeguards for their PII.  It will be interesting to see what ways they create to determine the restitution…what forms victims must fill out, how much they determine a victim’s time is worth per hour, etc.

Limiting use of SSNs…what a great idea…whose time has finally come??  Well, we shall see.  Hopefully they CAN take some positive steps forward with this initiative; anything is better than doing nothing, or worse, doing even more with SSNs as identifiers.

Authenticating individuals’ identities is so important; not only for the government, but for all organizations.  And most organizations struggle with how to do this efficiently, effectively and without the use of SSNs.  Perhaps this can be another area where the proposed and final solutions of the task force can also be used by any type of organization.

Improving the security of information within the government…always a great idea!  I look forward to seeing what they come up with as the “top 10 or 20 “mistakes” to avoid in order to protect government information.”

Improving the ability to respond to breaches; probably all organizations need to do this.  Some of the high profile government agencies that have had widely publicized incidents definitely do.

They are all great ideas, and it will be interesting to see the final recommendations in November.  The real test will be to see if there is any actual implementation or action taken after the final recommendations are issued.  Will these be mandatory, through some new or amended law, for all government agencies?  Will an oversight agency be chosen that will actually make sure the agencies are implementing the directives?  If not, the recommendations will turn out to be a good hill of bean ideas never sown or cultivated.  With proper cultivation and harvesting, however, these could turn out to be cash crop actions that actually make a dent in the misuse and subsequent crime committed with PII.

Okay…yes…it’s getting to be harvest time in the midwest…:)

Now here’s the press release:

“WASHINGTON – The President’s Identity Theft Task Force has adopted interim recommendations on measures that can be implemented immediately to help address the problem of identity theft, Attorney General Alberto R. Gonzales and Federal Trade Commission Chairman Deborah Platt Majoras announced today. The Identity Theft Task Force, which was established by Executive Order of the President on May 10, 2006, and is now comprised of 17 federal agencies and departments, will deliver a final strategic plan to the President in November.

The interim recommendations of the Identity Theft Task Force were announced following a meeting of the Task Force today at the Justice Department.

“As with any crime, victims of identity theft suffer feelings of violation and stress, but in these cases, victims have the added burden of cleaning up the mess that the identity thieves leave behind,” said Attorney General Gonzales. “The President created the Identity Theft Task Force to oversee the implementation of real and practical solutions at the federal level to defeat this ongoing intrusion into the lives of law-abiding Americans. Today’s recommendations move that process forward.”

“Conquering identity theft demands that we work as a team to develop tools that strengthen law enforcement, practices that enhance data security, and programs that help consumers in prevention and recovery,” said FTC Chairman Majoras. “Through these initiatives, we are taking solid steps toward eradicating this persistent consumer problem.”

The Identity Theft Task Force’s interim recommendations to the Administration include the following:

Data Breach Guidance to Agencies-

In light of several, large data breaches suffered in recent months by government agencies, the Task Force recommends that the Office of Management and Budget (OMB) issue to all federal agencies a Task Force memorandum, which covers the factors that should govern whether and how to give notice to affected individuals in the event of a government agency data breach, and the factors that should be considered in deciding whether to offer services such as free credit monitoring. Such guidance is the first comprehensive road map of the steps that agencies should take to respond to a breach and to mitigate the risk of identity theft.

Development of Universal Police Report for Identity Theft Victims-

To ensure that identity theft victims have easy access to police reports documenting the misuse of their personal information – which are necessary in order for the victims to, for example, request that fraudulent information on their credit report be blocked, or to obtain a seven-year fraud alert on their credit file – the Task Force recommends the development of a “universal police report” that an identity theft victim can complete online, print and take to a local law enforcement agency for verification and incorporation into the police department’s report system. The use of universal police reports will also ensure that identity theft complaints will flow into the FTC’s ID Theft Data Clearinghouse, and thereby will assist law enforcement officers in responding to such complaints.

Extending Restitution for Victims of Identity Theft-

To allow identity theft victims to recover for the value of the time that they spend attempting to make themselves whole – for example, the hours spent disputing fraudulent accounts with creditors that may be compromised or spent correcting credit reports – the Task Force recommends that Congress amend the criminal restitution statutes, 18 U.S.C. 3663(b) and 3663A(b), to require that defendants pay identity theft victims for the value of their lost time.

Reducing Access of Identity Thieves to Social Security Numbers-

In order to limit the unnecessary use in the public sector of Social Security Numbers (SSNs) – which are the most valuable pieces of consumer information for identity thieves – the Task Force recommends the following:

* The Office of Personnel Management (OPM) should accelerate its review of the use of SSNs, and take steps to eliminate, restrict or conceal their use, including assignment of employee identification numbers where practicable.

* OPM should develop and issue policy guidance to the federal human capital management community on the appropriate and inappropriate use of an employee’s SSN in employee records, including the appropriate way to restrict, conceal and/or mask SSNs in employee records and human resource management information systems.

* OMB should require all federal agencies to review their use of SSNs to determine where such use can be eliminated, restricted or concealed in agency business processes, systems and paper and electronic forms.

Developing Alternative Methods of “Authenticating” Identities-

Developing reliable methods of authenticating the identities of individuals, such as “biometrics,” would make it more difficult for identity thieves to misuse existing accounts or open new accounts using other individuals’ information. The Task Force recommends that agencies gather together academics, industry experts and entrepreneurs who are exploring ways to encourage greater development and use of authentication systems, and hold a workshop or workshops focused on developing and promoting improved means of authenticating the identities of individuals.

Improving Data Security in the Government-

To ensure that government agencies improve their data security programs, the Task Force recommends that OMB and the Department of Homeland Security (DHS), through the interagency effort already underway to identify ways to strengthen the ability of all agencies to identify and defend against threats, correct vulnerabilities, and manage risks: (a) outline best practices in the areas of automated tools, training, processes, and standards that would enable agencies to improve their security and privacy programs, and (b) develop a list of the top 10 or 20 “mistakes” to avoid in order to protect government information.

Improving Agencies’ Ability to Respond to Data Breaches in the Government-

In order to allow agencies to quickly respond to any data breaches, including by sharing information about those who may be affected with other agencies and entities that can assist in the response to the breach, all federal agencies should publish a “routine use” for their systems of records under the Privacy Act that would allow for the disclosure of such information in the course of responding to a breach of federal data.

Anyone wishing to ask a question about identity theft or to report identity theft may call 1-877-ID-THEFT, or visit the FTC’s Web site, http://www.ftc.gov/idtheft, or the Department of Justice’s Web site, http://www.justice.gov/criminal/fraud/websites/idtheft.html.” 

July VA Laptop Theft Was an Inside Job: Another Example of the Insider Threat

Monday, September 18th, 2006

A subcontractor was charged with stealing the VA laptop in July that contained billing information on 38,000 VA patients.

This highlights the importance of ensuring controls exist for all individuals you entrust with access to your information…going beyond your employees, and also doing activities to ensure the business partners to whom you have outsourced data handling of any kind are adequately securing your information.  You also need to ensure they do not then pass your information on to yet another entity without your knowledge and approval.

I talk about the threats and suggested controls for outsourcing in a couple of recent papers, "Addressing the Risks of Outsourcing" and "Security and Privacy Contract Clause Considerations" which I co-wrote with Christopher Grillo.

I’ve had great and interesting discussions with CISOs from many companies, and a significant number of them have experienced information security incidents from the employees to whom they have given authorized access to sensitive information and systems, as well as many incidents with their outsourced business partners, vendors, contractors and so on.  I believe that, even with the majority of states having breach notification laws, most incidents still never get reported.  If the incident was "handled" quickly and the company believes the culprits did not have time to actually do anything with the data, then it does not get reported.

In more than one case the insider doing bad things was a systems security administrator who was unhappy with his or her work situation…not enough pay…not enough respect…no promotion…no recognition…no perceived importance or appreciation… 

Information security and privacy incidents so often result from the actions of trusted insiders…information security and privacy practitioners need to make sure they keep that in mind and expand their scope of concern from just the physical and ether issues and try to inject some human psychology considerations into their information assurance activities.  Information security programs benefit from considering the human factor and recognizing and being aware of the motivations that lead to security incidents.
