Archive for October, 2006

Consumers Want Identity Theft Protection Through Homeowner Insurance

Tuesday, October 31st, 2006

An interesting article was released yesterday in the Insurance Journal, “J.D. Power: Homeowners Want Carriers to Offer Identity Theft.”
It indicates that the 2006 Homeowners Insurance Study, based on feedback from 9,045 homeowners insurance policy holders in the U.S., finds that 40% want their home policy to include identity theft coverage.

(more…)

Information Security Compliance Webcast

Tuesday, October 31st, 2006

My friend and professional colleague, Kevin Beaver, is giving a webcast on Tuesday, November 14, “How to manage the ongoing information security requirements for SOX, HIPAA, GLBA and other key regulations: A single solution.” Kevin has great experience with information security planning and implementation, and has been addressing compliance issues in a wide range of industries and organizations for the past several years. If you are struggling with how to comply with all the multiple information security compliance requirements and have the opportunity to attend this event, it will provide some useful information to help you with your efforts.


Website Privacy and Security Lessons From the USPS

Monday, October 30th, 2006

Last Friday (10/27) Washington Technology published an interesting article, “USPS site is much more than just a presence on the Web” about the privacy challenges of the United States Postal Service (USPS) website.
It is interesting and revealing to see how the concerns and threats have evolved from primarily worrying about web defacements and hackers to now needing to address information security and privacy protections throughout the entire enterprise, right on out to the user endpoints (desktop computers, laptops, etc.).
How often do organizations re-evaluate the adequacy of their information security and privacy programs? If they depend completely upon their own personnel to do this, it is likely not often enough. Except for those comparatively few stellar security/privacy organizations, such evaluation activities often take a back seat to other activities and day-to-day security/privacy fire-fighting.
If you cannot reliably use your own personnel to perform periodic evaluation of the adequacy of your organization’s information security and privacy efforts because they cannot realistically fit such activities in with their other job responsibilities (which is all too common), then seriously consider hiring an independent third party to perform such evaluation. You should have a third party occasionally perform independent reviews anyway to provide a level of objectivity you cannot get with your own personnel, and also to catch vulnerabilities and identify new threats that your personnel may not have the experience or up-to-date knowledge to identify.


Electronic Frontier Foundation Sues the U.S. DOJ for FOIA Information

Sunday, October 29th, 2006

On October 17 the Electronic Frontier Foundation (EFF) sued the Department of Justice (DOJ) demanding records related to the FBI’s Investigative Data Warehouse (IDW) be released under the Freedom of Information Act (FOIA).
The IDW will basically allow more data mining activities, linking personal information with specific activities to spawn investigations, than ever before.

(more…)

GPS Tracking Urged As a Laptop Security Measure

Saturday, October 21st, 2006

A solution for addressing laptop thefts and losses was described in a press release today.  The product uses GPS in combination with encryption to locate stolen and lost laptops quickly in addition to being able to delete sensitive files from lost or stolen computers. 

I know nothing about this particular product, "MyLaptopGPS," beyond this press release, but the concept is good, and there may be other products out there that do the same thing.  Security in layers does not just apply to networks; it applies to all aspects of information security.

In fact, with regard to mobile computing devices it is good to take MANY safeguards, a few of which include:

  • Encrypt all sensitive data on the device.  This often is most efficient to accomplish by encrypting the entire hard drive.
  • Use boot and login passwords…GOOD passwords!
  • Configure the device to automatically lock, requiring password-based re-authentication, after a specified period of inactivity.  5 or 10 minutes is reasonable.
  • Use privacy screens to cut down the amount of information onlookers, nosy neighbors and other looky-loos can see, like on planes, in airports and so on.
  • Use asset monitoring tags and services, such as StuffBak.  The GPS product also serves a similar purpose.
  • Require unique devices for each person; don’t allow the devices or passwords on the devices to be shared; this destroys accountability.
  • Maintain an inventory of all mobile computing devices used, along with the data stored upon them.
  • Do not allow mobile computing devices used for business to also be used for personal activities or to be shared with others, such as friends and family members.
  • Do not allow employee-owned mobile computing devices to be used for business purposes.  Organizations should own all the computing devices used for business purposes to ensure all business policies and procedures can be applied to them.
  • Provide locking devices and other methods for physically protecting mobile computing devices when personnel have them outside the more protected confines of the corporate facilities.
  • Do not allow large amounts of PII to be stored on mobile computing devices.
  • Implement malicious code prevention software and personal firewalls on mobile computing devices.
  • Very importantly, provide awareness and training for your folks who use mobile computing devices!!!  You can’t expect that they will provide appropriate safeguards if you do not tell them what the appropriate safeguards are that they need to take.


Study Shows Most Businesses and Virtually All Households Do Not Destroy Discarded Personal Information

Saturday, October 21st, 2006

An interesting report from 10/18, done in conjunction with National Identity Fraud Prevention Week in the UK, reveals that most businesses in the United Kingdom, and almost all citizens, throw away documents containing personal information, such as account numbers, that can be used for crime and fraud because they are not irreversibly destroyed (shredded, etc.) prior to disposal.  The rate of such risky disposal practices is up over 20% from last year’s findings.

Because of these alarming findings a website was created to educate individuals and businesses about the risks and how to better dispose of sensitive information.  The site is interesting, with a variety of facts, statistics and recommendations.  One in particular was:

"It takes 467 days to discover that you are a victim of identity fraud according to Experian."

This makes those statements that are released just days or even a few weeks following a breach that basically say "there is no evidence the data has been used to commit fraud" seem overwhelmingly meaningless, doesn’t it?



Government Report on Privacy Breaches in Agencies

Tuesday, October 17th, 2006

Last Friday (10/13) the U.S. Government Reform Committee released a report on the adequacy of the government’s agency security practices, “STAFF REPORT AGENCY DATA BREACHES SINCE JANUARY 1, 2003.”

The report discusses incidents within all the government agencies involving the loss or compromise of any sensitive personal information held by an agency or a contractor since January 1, 2003.

An important point made by the report is that, even though the agencies possess tremendous volumes of personal data, there is no requirement for any of the agencies to report breaches to the public, or even to the impacted individuals.  It seems that they should also have to abide by the existing state level breach notification laws, doesn’t it?

“Legislation authored by Committee Chairman Tom Davis and included in the House passed Veterans Identity and Credit Security Act of 2006 (Veterans Identity and Credit Security Act of 2006) would change that.”

Actually it appears as though this proposed bill would only apply to the Veterans Affairs agency.  A privacy breach notification, and actually a more encompassing data protection, bill is needed that applies to all organizations, government, public, private, non-profit, and any others that handle personally identifiable information (PII).

The report makes clear that the amount and types of responses from the agencies regarding their incidents varied greatly, so the report cannot be considered comprehensive.  However, there are certainly some very interesting statistics and breach examples found within it.  The four conclusions of the report were:

“1. Data loss is a government-wide occurrence.
All 19 Departments and agencies reported at least one loss of personally identifiable information since January 2003. This is not a problem that is restricted to the Department of Veterans Affairs or any other single agency.

2. Agencies do not always know what has been lost.
The letters received by the Committee demonstrate that, in many cases, agencies do not know what information has been lost or how many individuals could be impacted by a particular data loss. Similarly, agencies do not appear to be tracking all possible losses of personal information, making it likely that their reports to the committee are incomplete. For example, the Department of Justice reports that, prior to the May 2006 Veterans Administration data breach, “the Department did not track the content of lost, stolen, or otherwise compromised devices.”

3. Physical security of data is essential.
Only a small number of the data breaches reported to the Committee were caused by hackers breaking into computer systems online. The vast majority of data losses arose from physical thefts of portable computers, drives, and disks, or unauthorized use of data by employees.

4. Contractors are responsible for many of the reported breaches.
Federal agencies rely heavily on private sector contractors for information technology management services. Thus, many of the reported data breaches were the responsibility of contractors.”

The report then goes on to detail the reported privacy breaches within each of the agencies.  It is quite interesting, and includes many incidents that have not previously been reported.

The report concludes:

“Taken as a whole, the agency reports outline hundreds of instances of data breaches involving sensitive personal information since January 1, 2003. The reports show a wide range of incidents, involving employee carelessness, contractor misconduct, and third-party thefts. The number of individuals affected in each incident ranges from one to millions. However, in many cases, the agency does not know what information was lost or how many individuals potentially could be affected. Few of these incidents have been reported publicly, and it is unclear in many cases whether affected individuals have been notified or whether remedial action has been taken.

Data held by Federal agencies remains at risk.  In many cases, agencies do not know what information they have, who has access to the information, and what devices containing information have been lost, stolen, or misplaced. In addition, in almost all of the reported cases, Congress and the public would not have learned of each event unless the Committee had requested this information.

Finally, each year, the Committee releases information security scorecards. This year the scores for many departments remained low or dropped precipitously. The federal government overall received a D+.”


Non-Technical Privacy Breach Example & Possible HIPAA Violation: Medical Information Printed on Back of Wal-Mart Fliers

Monday, October 16th, 2006

My local news reported late last week that a woman’s personal information, including medical details, was printed on the back of a back-to-school flier Wal-Mart made available in their Boone store.  The person who got the flier in the store called the woman whose personal details were printed on it (it included her phone number) to let her know about the incident.

The woman’s attorney indicates they are filing a lawsuit against Wal-Mart, and said "The customer was very, very upset with what she found. She told Pat [the person whose info was on the flier] that ‘You don’t know me, but I have some information that I should not have, and I obtained it at the Wal-Mart store.’"

It is not known if this was the only flier with personal information printed on it, or if it was on more, or all, of the fliers.  It would be interesting to know if others got this same woman’s information on the fliers they picked up, or if they got medical information about other persons.

Wal-Mart indicated that, as of the date of the report, they had not received a lawsuit, and did not say anything at all about the incident.  I have not found any other news reports about this.

This is another good example of how mistakes or oversights happen that result in privacy breaches that are not technical.  It is possible that Wal-Mart was printing the fliers on recycled paper, some of which may have come from their pharmacy area.  If so, they need to have better controls in place to ensure such sensitive printed data is secured and shredded when disposed.

Someone also should have looked through the fliers prior to putting them out for the customers, just as a QA activity.  Doing so could have caught this blunder.

It once more boils down to the human element, and the importance of having well communicated and enforced information security policies and procedures.

Another issue is whether or not this is a HIPAA violation.  The pharmacy portion of Wal-Mart would be a covered entity.  If the medical details did come from it and investigation shows there were not reasonable controls in place to prevent the incident from happening, it would seem that this incident could be a good candidate for qualifying as a HIPAA violation.


Non-Technical Privacy Breach Example: 700 Mail Items Stolen from USPS Truck

Friday, October 13th, 2006

This morning I heard on my local news that around 700 pieces of mail were stolen by a couple of teen boys this Wednesday from a mail delivery truck while the mail carrier was walking his route.  They left the sledgehammer in the truck that they used to break in.

The local USPS postal inspector notified the residents and is warning them of the potential identity theft that could result from the credit cards, checks and other types of sensitive financial information letters that were stolen.

When people think of privacy breaches they often think of high-tech crimes and hackers.  This is an example of a physical theft, which is also a privacy breach, committed using the centuries-old method of basic thievery.

The USPS is advising the individuals whose mail was stolen to "call their bank and ask them to place them on a Fraud Watch List" and also cancel their credit cards if they were expecting statements or new cards.

They said nothing about the USPS providing credit alerts for them, but I wonder if that is being considered?  Since the truck was locked and a sledgehammer was used for breaking and entering it is doubtful…don’t you think?
