Privacy & Security Laws - Laptop Security Blog

Canadian Information Protection Report 2007

Related entries in Privacy & Security Laws, Surveys & Reports

The Privacy Commissioner of Canada, Jennifer Stoddart, has released the Annual Report to Parliament 2007, a Report on the Personal Information Protection and Electronic Documents Act (PIPEDA). The report details whether companies are complying with PIPEDA.

The Commissioner has called 2007 the “year of the data breach”, in Canada as well as the rest of the world. The report reminds us that PIPEDA imposes a legal obligation on businesses to safeguard personal data, and that human errors and a “cavalier approach to security” resulted in too many data breaches.

“Businesses recognize the value of personal information to themselves – for targeted marketing campaigns, for example. Unfortunately, this perception doesn’t always translate into security measures up to the job of protecting the information from criminals.”

The report indicates that half of the 37 voluntarily reported data breaches in Canada involved electronically stored data, often held in a format not secured with firewalls or encryption.

An important area in the report addresses global concerns: data breaches can be cross-border in an international, not just national, sense. This has vast implications for privacy and for the responses to data breaches. Along similar lines, the trend of private-sector organizations (airlines, banks) collecting personal information on behalf of the state blurs the line between privacy and security.

“The way we address security needs to reflect our society’s fundamental values – including the right to privacy. We must constantly ask ourselves why we accept the growing shift towards security at the expense of privacy. Is it always justified? Is it irreversible?”

The report points out that information technology was a component of nearly every privacy issue and complaint in 2007, and that the privacy impacts of such technologies must be understood and mitigated by consumers and businesses alike.

Ms. Stoddart has laid out many recommendations in the report about how businesses should comply with the 10 “golden rules” of privacy set out in PIPEDA. In addition to great policy & procedure recommendations, the report urges the Canadian government to adopt breach notification legislation.

“Breach notification offers people a choice. Individuals can decide for themselves how to respond to a breach. One person could decide that it would be a good idea to check her credit report more often. Another person may feel no action is warranted.”

You can read the full report here.

Hat tip to Jonathon; via National Post

Iowa Passes Breach Law

Related entries in Privacy & Security Laws

On May 10, Iowa enacted its own breach notification law, becoming the 42nd US state to do so. The bill will come into effect on July 1.

Bill S.F. 2308 requires businesses and government agencies to notify residents if their personal information has been accessed (if it is likely to do financial harm). Notice is not required if an investigation by law enforcement agencies determines that no financial harm is likely to result. Encrypted information is not exempt from the notification requirement, unlike in many states. Given that many data breaches can be ruled out if they pose no risk of financial harm, it is my opinion that there will be a lot of public criticism of breaches when they do come to light. Such an investigation will likely delay the breach notification, which inevitably increases public scrutiny after a breach incident.

If you were to plot the adoption of data breach notification laws against time, the remaining states should all adopt their own law by some time in late 2011. Check out the graph here, realizing (of course) that statistics cannot be depended on to accurately gauge when (if ever) all states will adopt such a law.

I think it would be interesting, statistically speaking, to see if the trends in data breaches and legislative maneuvering could predict when one of the many data breach bills would pass at the national level.

Via Emergent Chaos, Electran

HIPAA Examined

Related entries in Health Security, Privacy & Security Laws

Tech News World has done a 2-part series about HIPAA. Part 1: Privacy vs. Portability and Part 2: Seeking Balance. It’s a very well-done examination of the state of the Health Insurance Portability and Accountability Act (HIPAA), some of which I will synthesize below. Given that HIPAA is often misunderstood in basics and in application, it’s a great refresher series.

HIPAA Concerns:

  • There is a push for health information to become more liquid, but the privacy and security framework does not exist yet
  • The technologies being designed now will have a huge impact on how health information is accessed, stored and shared
  • Post-HIPAA privacy and security protections need to be adopted in law and in best practices
  • HIPAA compliance was a heavy burden at initial inception, but there has been no proof that HIPAA has in any way had negative effects on patient care
  • Staff training and education must be ongoing for new, and old, employees
  • Continue reading about the concerns here.

HIPAA Myths:

  • That it weakened, rather than strengthened, rights to health information privacy
  • HIPAA is all we need in the digital age
  • HIPAA “covered entities” cover every use of personal health information
  • Check out the full examination of these myths here.


Retailer Breaches Not Disclosed

Related entries in Privacy & Security Laws, Surveys & Reports

According to a new report from Gartner, many retailers have not reported data breaches to their customers. The study found that 21 of the 50 retailers interviewed have had a data breach, but only 3 of these 21 breaches had been disclosed to the public.

The sample size for the survey is too small to draw firm conclusions about the industry as a whole, but it does highlight a troubling pattern. Gartner analyst Avivah Litan says:

“Sensitive data is being stolen and most of the time it’s not being disclosed. There are a lot more breaches than we hear about.”

This touches not only on the importance of consumer trust, but also on a lack of compliance with data breach regulations that require consumers to be notified. Companies have noticed the bad press that results from such data breach notifications, and they don’t want to call the same attention to themselves.

The survey did not make clear whether the retailers surveyed had broken state laws by not informing customers, but Litan said it was a possibility. Four companies have been fined by credit card companies for not meeting Payment Card Industry compliance requirements, and another 11 were threatened with fines.

In other retailer news, a survey shows that most retailers using card payment technology will not be ready to meet the PCI-DSS Section 6.6 deadline of 30th June. This deadline requires merchants to have a firewall to protect web applications or to have completed a web application software code review to ensure vulnerabilities are patched. The main reason behind the inability to meet the deadline is that retailers don’t understand what they need to be doing, which undermines the purpose of the new legislation.

Via PC World, Finance Week; image: pindiyath100 @ morguefile

Canadian Government ID Theft Flyer

Related entries in Identity Theft, Privacy & Security Laws

I opened up my mail this week to see a flyer from the Canadian Conservative Government via our MP Stockwell Day. The front of the flyer is shown above. There is a quote on the back as follows:

“This Government is following through on its commitment to give police the tools they need to better protect Canadians by stopping identity-theft activity before the damage is done.” - Rob Nicholson, Minister of Justice

According to the flip side, the Canadian Conservative Government is putting forward tough new laws to prevent identity theft, to compensate victims, and to put identity thieves behind bars. I am supposed to cut out the bottom half of this flyer and return it with the answer to this question as “Yes” or “No”:

“Do you support the Conservative Government’s tougher laws against identity theft?”

Sounds great - proactive, right? I have a problem with it though. There is no information about what these laws are, what they do, or where I can learn about them. No website, nothing. I have absolutely no idea to which law the flyer refers.

So, if a member of the Conservative Government would like to fill the public in on which of the multiple identity theft bills before Parliament they are referring to, I’d be happy to answer their survey.


5 Data Device Security Tips for International Travel

Related entries in Business Security, Laptop Security, Privacy & Security Laws

Last month, a United States court ruled [PDF] that border agents have the right, without cause, to search your data devices as you enter the country. If your device is encrypted, you have to hand over your encryption key.

The US government has the right to download the entire contents of your laptop or data device, and to keep them indefinitely. According to security expert Bruce Schneier, these types of searches are happening at the borders of many countries. There has been a major backlash to this from every corner, including from civil liberties groups and from the business community.

Business travelers who carry sensitive information may have to expose that information; aside from breaking confidentiality, this can also amount to a data breach incident. Copied and seized data may be subject to breach notification laws, since such data has been exposed and can no longer be accounted for. If you want to take action against this violation of digital privacy, you can learn more here.

5 Data Device Security Tips for International Travel

1. Hide Your Data

Bruce Schneier advises one solution: keep your important data in a second, hidden encrypted volume on your drive. Programs like PGP Disk or TrueCrypt let you encrypt a portion of your hard drive with a strong password, and you can hide the icon for added protection. The data would be invisible on casual inspection, though capable forensic software could find it. Take note that if asked by security officials whether there is an encrypted partition, you are legally required to answer truthfully.

2. Limit Your Data

This is the easiest solution: if you don’t have the data, it can’t be found. Delete any unneeded information (old emails, photos, confidential information) with a secure file erasure program. Delete your browser’s cookies, cache and browsing history before heading through security. IT administrators using Computrace can also use its Data Delete function to securely erase files. Turn your computer off before heading through, and clean out your other devices in the same way.

3. Use a VPN

Some companies are issuing laptops for travel that are “clean” of any pre-existing data. Once the traveler is at the destination, the data can be downloaded over an encrypted virtual private network. The data can be re-synced before exiting the country, and the laptop wiped clean once again.

4. Ship It

Put sensitive data onto an encrypted drive or card and let FedEx get it to your destination for you.

5. Store It Online

If you don’t have a VPN set up to download information onto a clean laptop, you can set up a similar system on your own. After deleting the information you don’t need, Chris Soghoian of CNet recommends encrypting the data and uploading it to one or two secure places on the web, such as Amazon S3. Then make your laptop clean with a secure file erase.
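As an added example that is not part of the original post, here is the kind of best-effort secure file erase that tips 2 and 5 rely on, written in Python against the standard library only; the function names and the sample file names are assumptions of mine, not taken from any of the tools mentioned above.

```python
"""Best-effort secure file erase for a pre-travel clean-up (added example).

Each file is overwritten in place, flushed to disk, renamed to a random
name (so the original filename does not survive in the directory entry)
and then unlinked.

Caveat: an in-place overwrite is only meaningful on a conventional
spinning disk with a non-journaling, non-copy-on-write filesystem. SSD
wear levelling, filesystem journals, snapshots and backups can all keep
copies that no overwrite reaches; full-disk encryption plus destroying
the key is the reliable way to leave a device "clean".
"""
import os
import secrets

CHUNK = 64 * 1024  # overwrite in 64 KiB chunks to bound memory use


def secure_erase(path, passes=3):
    """Overwrite `path` `passes` times, then rename and unlink it.

    Returns True when neither the original nor the renamed file exists
    afterwards. OSError from the underlying calls propagates to the caller.
    """
    if os.path.islink(path):
        # Writing through a symlink would wipe the target, not the link.
        raise ValueError("refusing to erase through a symbolic link")
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for n in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                chunk = min(CHUNK, remaining)
                # Random data on the early passes; zeros on the last pass so
                # a casual inspection of the blocks shows nothing at all.
                data = bytes(chunk) if n == passes - 1 else secrets.token_bytes(chunk)
                fh.write(data)
                remaining -= chunk
            fh.flush()
            os.fsync(fh.fileno())  # make sure the overwrite reaches the disk
    # Hide the original name as well as the contents before unlinking.
    directory = os.path.dirname(path) or "."
    new_path = os.path.join(directory, secrets.token_hex(8))
    os.rename(path, new_path)
    os.unlink(new_path)
    return not os.path.exists(path) and not os.path.exists(new_path)


def erase_all(paths, passes=3):
    """Erase several files (old mail exports, caches, confidential documents)
    and return a per-file result so the traveller can see what was done."""
    results = {}
    for p in paths:
        try:
            results[p] = secure_erase(p, passes)
        except (OSError, ValueError):
            results[p] = False  # missing, unreadable or a symlink
    return results
```

Run it against the files you would otherwise delete normally; a False in the result means the file was not touched and still needs attention.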

Sources: Guardian, Gizmodo, EFF, CNet, InformationWeek, US Politics, IDG
Photos: morguefile by pdell, ppdigital, somadjinn

Genetic Privacy Compromised?

Related entries in Health Security, Privacy & Security Laws

The Genetic Information Nondiscrimination Act of 2008 (HR 493), recently passed by Congress, has inadvertently legalized the sharing of genetic information without patient consent.

Sue Blevins, President of the Institute for Health Freedom, notes that the new bill applies the Health Insurance Portability and Accountability Act (HIPAA) regulations to genetic data. HIPAA regulations permit data sharing without consent in connection with treatment, payment, or oversight of health-care operations.

The intent of the HIPAA regulations is to protect medical records in the digital age, but many HIPAA critics argue that it opens up privacy issues as a result of the routine sharing of personal health information. Regardless of the validity of this argument, qualifying genetic test results as health information can be problematic. Genetic information can be used to determine rates for health plans, and as the new bill provides this data to health care companies, it could be cause for discrimination.

This is a controversial topic, to say the least. HIPAA has its critics, though its intentions are great. Health information, in and of itself, is controversial, and in particular genetic information is about as personal as information gets. Some advocates are fighting for personal ownership of genetic information, in order to avoid genetic privacy issues such as those presented here.

Via FOX Business; image: clarita @ morguefile

ID Theft Safeguard used to Steal IDs

Related entries in Identity Theft, Privacy & Security Laws

Even the most carefully laid plans can go awry. Federal prosecutors charged a Southern Californian woman this week with aggravated identity theft after she used a genealogy website to locate people who had recently died and to take over their credit cards.

Tracy June Kirkland was using Rootsweb.com to find the names, Social Security numbers and birth dates of people who had died. She would then call credit card companies at random to see whether "she" had an account; if "she" did, she would request a mailing address change and, in some cases, add her own name as an authorized user. Ms. Kirkland repeated this scheme at least 100 times between October 2005 and last month.

Rootsweb.com is a genealogical research site that, among other services, reproduces the Social Security Administration’s Death Index, a public list of people who have died, along with their birth dates and Social Security Numbers. The government publishes this list in such detail so that banks can prevent people from applying for credit under a deceased person’s identity. The information is made public under the Freedom of Information Act.

Tracy Kirkland found a loophole in the system: instead of applying for new credit, she simply co-opted existing credit accounts. This is the first time this exploit has been seen, according to a spokesperson for the Social Security Administration.

"The reason the Social Security Administration has it out there is to prevent fraud, and when it’s used to perpetrate fraud it’s because not all the checks and balances were in place on the financial institution’s end."

So, what do you think? Should the Social Security Numbers be reported on the Death Index? Do you think the benefits to the prevention of identity theft outweigh the risks shown here?

You can read the full court indictment here [PDF].

Via Wired; logo: Rootsweb, a part of Ancestry.com and MyFamily.com Inc.

South Carolina Considers Identity Theft Bill

Related entries in Privacy & Security Laws

South Carolina is considering a new identity theft bill. Lawmakers in the state say it has been lagging behind in the battle against identity theft. On Tuesday, however, the House approved a new identity theft protection bill. It will now go to the governor for final approval.

“We should have done it two years ago. The senate passed it a couple of times but the house was very, very thorough in looking at it. They improved the bill that we sent over. So I’m not complaining. I’m just glad we’ve got something,” says Greenville Senator David Thomas.

Despite the time it took to get this bill into play, if approved, it will be one of the toughest identity theft protection bills in the country.

The new bill covers:

  • the ability for consumers to place or lift a security freeze on their credit reports without a fee
  • penalties for businesses that do not properly discard paper and electronic information
  • penalties if consumer reporting agencies don’t correct information on a credit report when notified
  • prohibitions against using Social Security Numbers on membership cards or in mailings
  • breach notification requirements when any type of personal information is breached


E-Commerce Times on the Cost of ID Theft

Related entries in Business Security, Identity Theft, Privacy & Security Laws, Surveys & Reports

The E-Commerce Times is publishing a series on “The Cost of ID Theft”. Part one of the series is titled “Beyond Dollars and Cents” and examines the cost of ID theft to victims and to businesses. In the end, victims are usually affected by trauma and paperwork, but the real damage is done on the business end.

Absolute Software CEO John Livingston is quoted in the article as noting that consumers can expect to recover 54% of money lost to identity theft (a figure that is declining), and that businesses can expect to pay an average of $197 per customer record lost. With 127 million records lost in 2007, that is over $25 billion in direct business losses.

Part two of the series, entitled “Fixing the System”, notes that the business cost per incident of ID theft resulting from a data breach has increased from $41,717 to $49,254. While the cost of notifying consumers of a data breach has declined, the cost of lost business is more significant than direct cash losses. Customer churn as a result of a data breach averages 2.67%.

Failing to encrypt stored data is “one of the most egregious errors” being made by organizations, maintained Randy Abrams, director of technical education at security firm ESET. “Consumer information should always be encrypted. If media is lost or stolen in transit, it is not going to be used for identity theft or anything else if it is encrypted. Similarly, consumer information, student information, taxpayer information and the like must be encrypted anywhere it is stored. The only reason a stolen computer or hard drive can compromise personal information of thousands of people is because of gross incompetence.”

The article notes the growing government reaction to identity theft in the form of state and national regulations. The current regulatory environment can result in conflicting state requirements, which can result in higher costs to companies that span several states. A federal data breach law has yet to be passed, although several have been tabled for consideration.
