November 2006 Privacy Update: Presentation Transcript
Recent Developments in Privacy and Information Security Presented by Tom Zych, Michelle Cohen, and Michele Kryszak November 14, 2006 ABA Antitrust Section Privacy and Information Security Committee
Data Losses and Security Breaches
Data Losses & Security Breaches (the more things change, the more they stay the same)
Starbucks: Get it while it’s hot!
Four laptops containing personal information of 60,000 employees in the U.S. and Canada were discovered missing on Sept. 6.
The company announced the theft on Nov. 4, but stated that there were no reports of identity theft related to the data stored on the stolen computers.
The data included names and Social Security numbers. Starbucks is notifying the affected individuals and has offered free credit monitoring and a toll-free hotline to answer questions.
CEO Is Charged With Stealing Identities
A prominent Westchester businessman has been charged with stealing his employees' identities to obtain more than $1 million in bank loans and credit card charges.
He is accused of using the names, addresses and Social Security numbers of his employees to secure the bank loans between 2001 and 2006. He also is accused of running up $100,000 in credit card charges using their identities.
Ironically, the executive and his company were inducted this year into the Hall of Fame by the Business Council of Westchester.
Source: The New York Times
Social Security Administration Plagued by Phishing Scam
E-mails asked for bank account numbers and other personal information.
Information from a real Social Security Administration announcement about cost of living increases was copied, and stated that if recipients did not supply personal information, they could risk having Social Security payments suspended.
The Inspector General’s office of the Social Security Administration is investigating.
Cost of data breaches escalating
Average data breach costs companies $5 million, with stolen hardware as the main culprit for data loss.
Companies spent nearly $5 million on average, and 30 percent more, this year than in 2005, to respond to loss or theft of corporate data, according to a new study from the Ponemon Institute.
Legislation (In your own backyard and across the pond…)
EU Considering Security Breach Notification
EU commissioners are considering breach notification rules that would require some companies to notify affected customers and regulators upon a security breach.
Most experts believe it is time for Europe to follow the U.S. lead.
Some experts, however, believe that the EU proposal won't go far enough because it only covers ISPs and network operators.
New York Enacted Three Identity Theft Laws on November 1
The Security Freeze Law: Allows consumers, who are either identity theft victims or are concerned that they might be at risk of having their identities stolen, to cut off an identity thief's access to credit, loans, leases, goods and services by placing a "freeze" on their consumer credit report.
The Disposal of Personal Records Law: Requires any business to properly dispose of records containing personal information or risk a civil penalty of up to $5,000.
The Anti-Phishing Act of 2006: Prohibits the deceptive solicitation of personal information through electronic communications, including sending e-mails to Internet users, falsely claiming to be a legitimate enterprise in an attempt to scam the user into surrendering private information.
Australian, New Zealand Privacy Chiefs Collaborate on Privacy
The Australian and New Zealand Privacy Commissioners have signed an agreement to allow for cooperation between their offices on privacy-related issues, including cross-border complaints and joint investigations. This agreement fosters cooperative agreements as set forth in the APEC Privacy Framework, OECD Guidelines Governing the Protection and Transborder Flows of Personal Data, and the Asia Pacific Privacy Authorities Forum.
"The agreement will cement the already close ties between our Offices and tackling emerging privacy challenges and will enhance the management of cross-border cases," said Karen Curtis, Australian Privacy Commissioner.
Marie Shroff, New Zealand Privacy Commissioner, added, "The agreement will provide our Offices with a broader framework and base of resources, affording Australians and New Zealanders an ongoing high level of privacy protection."
Litigation (The civil suits are flowing in…lawsuits that is…)
Verizon Steps Up Text Spam Suits
Verizon Wireless is stepping up efforts to protect its customers from spam specifically regarding unsolicited text messaging.
Over the past four months, the company has filed three lawsuits, all in District Court in Trenton, N.J.
June: 1.1 million messages mostly sent to Verizon subscribers in New Jersey that advertised discount prescription medication. The Web site from which they were sent, located in Poland, has since been shut down.
September: 550,000 text messages promoting penny stocks. Most recipients of the text messages had New York City area codes.
October: 30,000 texts sent promoting certain stocks or medications. Much like their e-mail counterparts, the actual messages include text that does not make sense.
The company also has introduced a feature in its system that would allow its subscribers to change their text message delivery settings. Users would be able to block text messages sent from the Web, or designate certain addresses to block.
New Appellate Court Ruling May Foster HIPAA Litigation
As privacy advocates, class action lawyers, interested consumers and others struggle to find means of enforcing privacy obligations in the courts, judges grapple with the question of whether entities that violate privacy laws properly face private damages liability. Because most national privacy rules (notably HIPAA and Gramm-Leach-Bliley) contain no private cause of action, plaintiffs struggle to find creative ways to sue over such privacy and security violations. For "injured" victims, finding an appropriate legal theory may be a critical threshold requirement to securing monetary damages. For companies facing privacy obligations, understanding these challenges is critical to appropriately assessing litigation risks.
Source: International Association of Privacy Professionals, www.privacyassocation.org, “New Appellate Court Ruling May Foster HIPAA Litigation” by Kirk Nahra
FTC issues TRO shutting down distributor of malware
FTC announced that a U.S. District Court in Nevada had issued a temporary restraining order, shutting down an operation involving secret downloads of "malevolent software programs."
FTC charged ERG Ventures, LLC and an affiliate with tricking consumers into downloading software by hiding the program with innocuous free software, including screensavers, and video files.
The "malware" installed by the Media Motor program harmed consumers' computers by, among other things:
changing consumers' home pages
tracking consumers' Internet activity
generating disruptive and occasionally sexually explicit pop-up ads
degrading computer performance
attacking and disabling consumers' anti-spyware and anti-virus software
making it nearly impossible for consumers to remove the malware from their computers
FTC charged that ERG Ventures and its affiliate violated the FTC Act by failing to disclose to consumers that the free software was bundled with malware, among other charges.
FTC press release notes that the case was brought with assistance from Microsoft
U.S. Attorney's Office engaged in a parallel criminal investigation of the defendants
Court also ordered asset freeze and an accounting of assets
FTC has asked the court to order a permanent halt to these deceptive and unfair downloads and to order ERG Ventures to give up its ill-gotten gains
Yesmail Inc. Agrees To Settle Charges With FTC
On Monday, the FTC announced an agreement with Yesmail. Yesmail will pay a $50,717 civil penalty for allegedly violating the CAN-SPAM Act by failing to honor consumers' unsubscribe requests.
Zango, Inc. Settles FTC Charges
Will Give Up $3 Million in Ill-Gotten Gains for Unfair and Deceptive Adware Downloads
Zango, Inc., formerly known as 180solutions, Inc., one of the world’s largest distributors of adware, and two of its principals have agreed to settle Federal Trade Commission charges that they used unfair and deceptive methods to download adware and obstruct consumers from removing it, in violation of federal law. The settlement bars future downloads of Zango’s adware without consumers’ consent, requires Zango to provide a way for consumers to remove the adware, and requires them to give up $3 million in ill-gotten gains.
FBI nabs phishers in U.S., Eastern Europe
The FBI is seeking the arrest of at least 16 individuals in connection with a global cybercrime investigation.
More than 20 FBI offices participated in the probe into a series of phishing attacks against a "major financial institution" that occurred in 2004 between August and October, according to materials provided by the FBI ahead of the announcement. Agents conducted investigations inside the U.S. and other countries to identify a ring of identity thieves who were acquiring and trading stolen credit and debit card numbers through an online forum.
FTC Stops Illegal Mortgage Services Phone Calls
USA First Investment Group Inc., USA Home Loans Inc. and their principals have agreed to settle Federal Trade Commission charges that they violated the FTC’s Telemarketing Sales Rule (TSR) by calling telephone numbers listed on the National Do Not Call Registry and failing to pay the required fee for access to numbers listed on the Registry.
Do Not Call is 3 years old
The FTC reported that it filed six cases in FY 2005 alleging violation of the National Do-Not-Call Registry.
Several of the actions included claims that the defendant had failed to pay the required fee to access the list before making the calls.
Perhaps the most significant recent trend in Do-Not-Call list enforcement is a series of cases in which the FTC has successfully prosecuted companies that had relied on their telemarketing service companies to comply with the list.
The FTC fined DirecTV nearly $5.4 million for making numerous calls to numbers contained in the national registry.
The FTC recently settled charges against one of the telemarketers for $75,000, an amount tempered by the defendant's inability to pay, but with a substantial additional penalty of more than $400,000 if the defendant later is found to have misrepresented its financial condition.
The FTC brought similar claims against Executive Financial Home Loan, a mortgage broker based in California. Although that case settled for a far smaller amount - $50,000 - the Executive Financial Home Loan decision builds on the DirecTV decision by reaffirming that businesses engaged in telemarketing promotional campaigns cannot delegate the responsibility for compliance to their service companies.
Prerecorded Telemarketing Calls -- FTC Does Its Own Thing
FTC rejected a petition that asked it to conform its rules to similar FCC rules to permit prerecorded telemarketing calls when there is an "existing business relationship."
FCC permits prerecorded telemarketing calls where there is an existing business relationship or prior consent -- unless called party has made a company-specific do not call request.
FTC takes position that unless there is prior express consent, prerecorded telemarketing calls (even in existing business relationships) violate the FTC's call abandonment rule.
FTC recognizes it is out of sync with the FCC's long-established rules, but declines to follow the FCC, creating an inconsistent federal system.
Prerecorded Telemarketing Calls -- FTC Does Its Own Thing (Cont’d)
Earlier, the FTC said it would not enforce the prohibition during the review of the petition.
FTC states it will begin enforcing pre-existing prohibition on Jan 2, 2007.
Industry asked for additional time to provide comment and the FTC recently extended the comment period through December 18, 2006.
FTC indicated that the record contained thousands of consumer comments stating that they did not wish to receive such calls, and industry could not agree on a prompt opt out mechanism at the beginning of a call.
Industry may promote the changes in technology that permit a prompt opt out at the beginning of a call, in lieu of facing a prohibition.
Industry is concerned about the freeze on productive commercial speech that could result -- e.g., a prerecorded "your subscription is about to expire" message could not let the called party press a button to renew, etc.
FTC Launched Blog Related to Tech-Ade Hearings
The public hearings examined how evolving technology will shape and change the habits, opportunities and challenges of consumers and businesses in the coming decade, and featured experts from the business, government and technology sectors, consumer advocates, academicians, and law enforcement officials.
Tech-Ade: FTC: Focus Will Shift To Advertisers
In the wake of a $3 million settlement with Zango over allegations that the company used unfair and deceptive practices to distribute adware, an FTC commissioner said the agency plans to notify advertisers that their ads may have been distributed through Zango's adware.
Commissioner Jon Liebowitz said during the FTC's public hearings this week on "Protecting Consumers in The Next Tech-ade" that the agency will take the next step beyond actions against adware firms by focusing on advertisers.
FACTA Red Flags
The federal financial institution regulatory agencies released proposed rules on Identity Theft Red Flags and Address Discrepancies under the FACT Act, and the comment period closed in September.
The proposed regulations require each financial institution to implement a written Identity Theft Prevention Program with reasonable policies and procedures to address the risk of identity theft.
Responsibility is placed at the highest level of the institution, and a report must be made no less than annually by the staff members who have implementation and compliance duties.
Substantial preparation will be needed to achieve compliance with the new requirements.
Microsoft Issues Privacy Guidelines for Developing Software Products and Services
Published on October 16, 2006.
The document offers very precise and practical guidance for creating notice and consent experiences, providing sufficient data security, maintaining data integrity, offering customer access, and supplying controls when developing software products and Web sites.
The document relies on many of Microsoft's internal practices and is designed to assist organizations in meeting, and exceeding, customer expectations regarding privacy.
Creating and maintaining consumer TRUST is the highest priority and objective of the document.
Privacy Pitfalls in No-Swipe Credit Cards
Despite assurances from the card companies, researchers Tom Heydt-Benjamin and Kevin Fu were easily able to retrieve data from the new cards. From the article:
"They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150. They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50. And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak. 'Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?' Mr. Heydt-Benjamin, a graduate student, asked."
Source: The New York Times
Prerecorded Political Calls a Hot Topic During Political Season
Democrats have criticized Republicans’ purported use of recorded telephone messages – also known as “robocalls” – in the weeks and days leading up to the recent elections.
Reportedly, the robo-calls were sent to voters several times a day and repeated the name of the Democratic opponent over and over again so that the called party would think that the caller was the Democratic opponent and get annoyed with the calls.
Democratic Congressional Committee Chairman Rahm Emanuel claims the robocalls were even sent in the middle of the night to Democratic voters in an effort to annoy voters.
The National Republican Congressional Committee states that it never places phone calls past 8 p.m.
Rutland Herald reports that Reps. Conyers and Dingell sent letters to the U.S. Department of Justice, the Federal Communications Commission and the Federal Election Commission, saying the calls are unethical and could be illegal.
A Maryland attorney recently filed suit in state court against Governor Ehrlich and others claiming that the political calls violate federal and state communications laws which require the identification of a caller at the beginning of a prerecorded message. The attorney hopes that the law is changed to make political calls subject to the “do not call” requirements (they currently are exempt).