Archive for March, 2006

Website operator breaks privacy promises

Friday, March 24th, 2006

A privacy breach incident reported by the Associated Press shows that even with the best security and privacy technology, humans are the weakest, and most unpredictable, link.  Some choose to break legally binding promises, such as those made in website privacy policies.  Gratis Internet sold personal information they gathered at their website even though they promised in their privacy policy that they would not.  "Gratis wrongfully shared as many as 7 million "user records," creating the largest deliberate breach of a privacy policy discovered by U.S. law enforcement."

Interestingly enough, there is currently no privacy policy posted on the Gratis website.

Technorati Tags

Interesting Statistics on Compliance Costs

Friday, March 24th, 2006

There were some interesting statistics in a Sarbanes Oxley Compliance Journal article yesterday regarding the costs of compliance for various regulations.

"According to Gartner, the average company spends $2 million on SOX, and Accenture says the average bank will spend $61 million on Basel II over the next couple of years."

"Despite the investment being made in compliance, companies are still failing to meet requirements. In fact, only 18% of hospitals and health systems can prove compliance with HIPAA security regulations, according to the AHIMA, and Gartner says two-thirds of all companies found material weakness in controls this year, with audit deficiencies expected to double until 2008."

"Each case of fraud costs companies an average of $15,000, and IT departments spend about 175 hours on remediation after a security incident. Corporations can be held liable, leading to legal debt and other related expenses. Additionally, brand damage resulting from waning consumer trust can cause huge losses in revenue. According to Gartner, by 2006, 20-30% of Global 1000 companies will suffer exposure due to privacy mismanagement. The costs to recover from these mistakes could range from $5-20 million per incident. In addition to legal risks, intellectual property leakage, such as shared trade secrets or pre-announced products, can cost companies millions in lost profits."

Technorati Tags

Basel II

The List Keeps Growing…Fidelity Investments Laptop Stolen

Thursday, March 23rd, 2006

My list of laptops stolen or lost keeps growing.  Everyday I find a report (no I have not been blogging about each instance, but they are added to my list), but this one was noteworthy.  A Fidelity Investments laptop containing confidential information on around 200,000 of their customers, those in HP’s pension fund and 401K, was stolen on March 15th.   

"Fidelity says there is no evidence that the data has been misused."  There is rarely evidence within 8 days that bad people are doing bad things with confidential personal information.  The smarter bad people typically wait a while, or do bad things in ways that are not readily identified…usually taking advantage of poor security practices within the various organizations where they want to use the personal information fraudulently.

These incidents continue…why can’t organization’s learn from the mistakes and incidents of others?  Why do companies allow clear text confidential information to be stored on mobile computing devices that have already been demonstrated to be easily lost and stolen?  Probably to save money…and because no law specifically requires them to, verbatim, "encrypt data on mobile computing devices."  I have heard too many lawyers within organizations say that if the letter of the law does not specifically require a safeguard such as encryption, then they should not do it if it will save the company money.

"It is unusual to have so much information on one laptop, Fidelity spokeswoman Anne Crowley said, but the computer in question was brought to a business meeting by a team of employees."

What does this mean?  No one was accountable?  A group of people are sharing a laptop…why?  Probably to save money.  No accountability to any one person for the security of the laptop that way, either.

"William G. Duserick, vice president and chief privacy officer for Fidelity, recommended in a letter to Hewlett-Packard participants that those affected remain vigilant for the next 12 to 24 months, regularly review account activity and obtain a credit report from one or more of the national credit reporting companies, according to the Worcester Telegram & Gazette, which obtained a copy of the letter." 

So…instead of the company being vigilent and implementing proper security, it is easier to ask the impacted customers to be vigilent.  It is also pretty sad that they are not even purchasing the credit monitoring service for those impacted…I guess that *is* another cost savings, though.  Maybe they will, but you would think this significant tidbit would have been reported.

"Fidelity said the license to the software that contained the data has expired and, as a result, the scrambled data is difficult to interpret. The data is also in a form that is generally "unusable," Fidelity said." 

Well, so many things to say about the expired license issue, but that’s a different topic…

Similar cop-out statements like this are increasingly being used when mobile computing devices are lost and stolen.  The data was not encrypted, it was "difficult to interpret."  If the software used with it is something widely available, then it will likely be very easy to access.  However, it was not reported what software was used, so we don’t know. 

*  Implement security for mobile computing devices
*  Strongly encrypt data on the devices
*  Train people how to protect the devices

Oh, yes, and don’t have group laptops…that’s an incident waiting to happen.

Technorati Tags

A true first test of HIPAA?

Tuesday, March 21st, 2006

There was an interesting story this weekend about how the Ohio Supreme Court ruled the Ohio law guaranteeing people access to government records outranks HIPAA.  This ruling was reported to be "the nation‚Äôs first ruling weighing a state‚Äôs open-records law against provisions of the federal Health Insurance Portability and Accountability Act."  Basically a newspaper wanted to view lead-paint citations issued by the local health department.  "The Cincinnati Health Department denied access to 10 years‚Äô worth of lead-paint citations, saying they contained children‚Äôs private health information because they listed the addresses of homes with lead hazards."

But is it really a test of HIPAA?  The first question would be, is the local health department a Covered Entity under HIPAA?  Well, does it fall under the definition of a healthcare provider?  Hmm… well, they are not listed as a healthcare provider on the The Health Improvement Collaborative of Greater Cincinnati.  Are they a healthcare insurer?  Not listed in that section, either.  Are they a clearinghouse?  Well, it is doubtful.

They are, however, listed within the "Public Sector" section.  Let’s check out the Cincinnati Health Department website using the link provided… oops!  An invalid URL.  Gee, looks like it should be a .gov site…

Okay…let’s see, where is the website for the Cincinnati Health Department?  Ahh…here it is, a .gov URL, which makes sense.  So, does it indicate that it is a healthcare provider, insurer/payer or clearinghouse?  Appears to be a provider; according to the website, "The Cincinnati Health Department provides many services to the community such as medical and dental care; inspections required under Cincinnati Municipal Code, Ohio Revised Code, and Board of Health Regulations; health education; litter and weed control; and maintaining birth and death records. The Department also investigates communicable disease outbreaks and is a partner in the regional medical response system for responding to medical emergencies in Cincinnati and the surrounding communities."

Now we need to determine if the Department, as a provider, furnishes, bills or receives payment for healthcare (things necessary to be a CE).  Upon a quick skim it appears they probably do, but I cannot verify this.

Let’s assume they are a CE then.

Next question to ask is, what information was in the records?  Lead paint citations and the associated addresses.  Well, addresses ("geographic subdivisions smaller than a state") are one of the 18 items identified as PHI (actually individually identifiable health information) within the HIPAA regs.

An interesting passage from the Dispatch report:  "Justice Terrence O‚ÄôDonnell wrote, however, that city citations contained no medical information, nor did they list names, ages or any other personal information. And even if they had, O‚ÄôDonnell wrote, HIPAA doesn‚Äôt shield information that other laws require to be made available. "The Ohio Public Records Law requires disclosure of these reports and HIPAA does not supersede state disclosure requirements," he wrote."

Okay…very interesting!!  This judge says HIPAA does NOT supersede state disclosure requirements.  However, HIPAA regs state that HIPAA applies if it is stronger than the state requirements.  But then…wait…there are also exceptions to state preemption! 

Bear with me.  There is a Privacy Rule state preemption exception category called "public health and vital statistics" that allows providers to report diseases or injuries, child abuse, births, or deaths, or those that authorize public health surveillance, or public health investigation or intervention.  Ahhh…perhaps this is the loophole. 

So, apparently if this information can be reported as part of public health surveillance or investigation, then it goes into the state government records, to which the public is then guaranteed access?  Perhaps.  Ask your lawyer for his or her interpretation; you’ll probably get 20 different opinions if you ask 20 different lawyers.

Aye yi yi…wouldn’t it be nice to have just one all-encompassing federal privacy law that covered all industries and personal information equally?  (That’s another blog posting…sometime in the near future.) 

Cases like these in Ohio certainly do not help to clarify compliance activities, and they really don’t set any precedents, only stir the pot of confusion.

Technorati Tags

Even information security pros don’t use encryption

Sunday, March 19th, 2006

If you couldn’t tell by now, I am an almost ardent proponent of encryption.   It is an effective safeguard, and is easier to use and stronger than ever.  It always amazes me when even information security vendors and pros who promote encryption do not use it themselves.  I read with interest the article about how the vendors at the recent CeBIT tradeshow, promoting the use of Wi-Fi honeypots, overwhelmingly did *NOT* use encryption…55%!  Too bad encryption is still so underutilized even by security professionals…how long will it continue to be the Rodney Dangerfield of information security technologies?

Technorati Tags

The lost/stolen laptop saga continues…Ernst & Young adds to the list of incidents

Thursday, March 16th, 2006

The Register reported yesterday more stolen laptops; this time an Ernst & Young employee had a laptop containing personal information for IBM’s current and past employees stolen from his/her car.  Traits similar to other laptops that have been lost or stolen:  1)  The laptop was stolen from the E&Y employee’s car; 2) The data, including SSNs, birthdates and other personal information easily used for fraud and identity theft, was NOT encrypted.

This event apparently happened in January, but the IBM employees whose personal information was on the laptop were not notified until March.

There have been other E&Y laptops with personal information stolen and lost in the past.

When will companies learn to 1) Train personnel on acceptable physical security for mobile computing devices, and enforce policies addressing such requirements; and 2) Encrypt data on mobile computing devices?

Technorati Tags

New HIPAA FAQ posted by the OCR

Wednesday, March 15th, 2006

The Office of Civil Rights (OCR), the agency that is responsible for HIPAA Privacy Rule compliance and support, has just posted a new FAQ addressing the question, "May a health plan disclose protected health information to a person who calls on the beneficiary‚Äôs behalf?"  If you are responsible for HIPAA compliance, or just curious, I encourage you to monitor the OCR site for the many interesting and useful messages the post regarding HIPAA issues.

Technorati Tags

Companies Increasingly Complying with Sarbanes-Oxley That Are Not Required To Comply

Wednesday, March 15th, 2006

A newly released study by Foley & Lardner shows private organizations are increasingly adopting Sarbanes-Oxley standards even though they are not legally required to do so.  I learned over the past year or so that three of my colleagues who are responsible for information security or privacy at large private organizations have also been adopting the standards as a demonstration of due diligence following best practices.  They all indicated their board members and/or executives had encouraged…actually required…this so that the leaders themselves would be protected in the event fraud occurred within their organizations. 

So, the trend is there, and it really demonstrates that executive leaders must be motivated to drive information governance (security, privacy and compliance) actions, and then actively support them to get them effectively implemented.

Some of the findings listed within the article include:

"Among the findings:
  — 86% of survey respondents felt that SOX and other corporate governance
     reform requirements have impacted their organizations, consistent with
     the 87% who responded in this manner in 2005.
  — Private organizations continue to self-impose corporate governance
     standards, but are also strongly influenced by their boards and outside
  — Private companies tend to adopt the least expensive reforms, as opposed
     to more costly initiatives such as Section 404 audits of internal
     financial controls.
  — 84% of private organizations responding to the survey felt that
     corporate governance reform is "about right," an increase in comparison
     to 2005, when 78% responded in this manner.
  — Private organizations responding to our survey estimated an average
     annual price tag of $105,000 for corporate governance procedures,
     representing an estimated increase of approximately 26% over their
     estimated costs prior to the enactment of the Sarbanes-Oxley Act."

It will be interesting to see how this trend impacts compliance budgets, along with information security and privacy budgets, as time goes on.

Technorati Tags

Some more laptops stolen…

Monday, March 13th, 2006

Yes, I’m still keeping an eye out on those stolen and lost mobile computing devices!  🙂

I’m compiling a list of stolen and lost mobile computing devices…I’ll post it here occasionally as I add to it.

"A thief made off with two laptop computers after breaking into the campaign headquarters of Oakland mayoral candidate Ignacio De La Fuente, officials said today."    "De La Fuente said today that he did not believe the laptops contained any sensitive information." 

Geesh…wonder how many companies and organizations will start claiming there was no sensitive information on the laptops they lose or have stolen?  After all, in California, they would have to notify impacted individuals under SB 1386.  Considering this was a campaign center…collecting donations and names, addresses, etc. of constituents…it is odd there would not be personal information on the laptops used there.  Hmm…

    • "Two newly bought laptop computers were reported stolen recently in Sunrise.
      A 43-year-old resident of Argentina paid $1,495 for a Toshiba laptop at Circuit City and drove directly to BrandsMart U.S.A., 12801 W. Sunrise Blvd., in the Sawgrass Mills mall. Between 3 and 4 p.m. Feb. 24, someone smashed a window and stole the laptop from his 2006 Dodge van.
    • In another theft four days earlier, an employee at Sam’s Club, 13550 W. Sunrise Blvd., heard a crash and saw a man reaching into the rear driver’s-side window of Salvadore LoPresti’s 1997 Dodge Caravan. The man pulled out a box and left in a gold Ford Crown Victoria.
      LoPresti filed a police report at 2:32 p.m. Feb. 20. He said he had bought a Hewlett-Packard Pavilion laptop for $800 at Circuit City in Pembroke Pines before driving directly to Sam’s Club.
      He said he hid the laptop under the back seat and covered it with a printed advertising section."

Well, the good thing is there was probably no sensitive information on new laptops (unless they had been returned and information still lingered.)  However, this points to the fact that laptops are prime targets for theft.

BTW, another thing to tell employees…print ads are not appropriate safeguards!

Technorati Tags

Hacked bank used to host phishing sites

Monday, March 13th, 2006

Yes, the story of the bank in China that was being used to host a phishing site to spoof messages and collect personal information from customers of a different bank, as well as eBay customers, made it all over the news today. 

Such an ironic situation; exploiting the security weaknesses of one bank’s network infrastructure to host a site to exploit the vulnerabilities of another bank’s (and eBay’s) customers.  What is discouraging with regard to security diligence is that the exploit was reported by a customer receiving one of the phishing messages, and not (at least as reported) noticed by the bank itself being used as the host.  In fact, some reports implied the bank may still not be aware of the exploit, but that is hard to believe…or is it? 

Just imagine how many organizations possibly are currently being exploited…and possibly have been for years…because they do no activity logging, vulnerability checks, or audits of their systems on a regular basis.  There have already been many reported instances of the computer systems of several organizations being used as repositories for warez, illegal music and CDs, and porn stockpiles.  Folks, part of an effective regulatory compliance program is establishing safeguards to prevent such situations from happening.

Technorati Tags