Saturday, December 23, 2006

A commendable over-abundance of caution?

http://www.pegasusnews.com/news/2006/dec/22/personal-data-15000-twu-students-made-vulnerable/

Personal data of 15,000 TWU students made vulnerable

By Pegasus News wire Friday, December 22, 2006

In the wake of this recent potential personal data nightmare at UT Dallas, comes one at Texas Woman's University. From a school release:

Texas Woman’s University is notifying approximately 15,000 students that their personal data has been exposed to potential identity theft.

The personal data of all students who were enrolled at TWU in the calendar year 2005 was exposed. The personal data includes names, addresses and Social Security Numbers. This exposure affects the university’s three campuses in Denton, Dallas and Houston.

University officials discovered earlier this week that IRS 1098-T Tuition Statement data for 2005 was transmitted to an outside vendor via a non-secure connection. The data was briefly exposed only during transmission and is now secure.



No detail, but certainly computer related...

http://www.ksl.com/?nid=148&sid=750672

Personal Info. of Faculty and Students Appeared on Yahoo

December 22nd, 2006 @ 9:31pm

(KSL News) -- A security breach at Utah Valley State College has potentially left thousands of students and faculty at risk.

Personal information, including Social Security numbers, started to show up on Yahoo's search engine in November. The information has since been removed from UVSC's servers.

The compromised data pertains only to Distance Education instructors and students enrolled in UVSC courses between January 2002 and January 2005.

Not all faculty and students during that time were affected.



Not a computer issue?

http://www.charleston.net/assets/webPages/departmental/news/Stories.aspx?section=business&tableId=123519&pubDate=12/22/2006

Bank says customer data may have been stolen

BY PETER HULL The Post and Courier

Bank of America, one of the region's largest financial institutions, said this week that Social Security numbers and other information about an undisclosed number of its Charleston-area customers may have been stolen.

The Charlotte-based financial giant declined to say how many people were affected or what areas they live in, but it said it has notified all of them of the suspected breach in writing.

The ill-gotten personal information also includes names, addresses and telephone numbers, the company said.

Bank of America said it is working closely with law enforcement officials as part of an ongoing investigation.

"The security of clients' information remains a key priority for us," said company spokeswoman Nicole Nastacie.

In a letter to a Charleston customer dated Dec. 14, the bank said that it "recently learned that some of your personal information may have been obtained by unauthorized persons for the purpose of engaging in fraudulent activity."

An unidentified former contractor for Bank of America is believed to be responsible, according to the letter.



Dumpster diving is alive and well... I wonder what they were looking for?

http://www.newsnet5.com/news/10590678/detail.html

Personal Info On Dozens Of Ballplayers Taken From Dumpster

POSTED: 9:03 am EST December 22, 2006 UPDATED: 9:07 am EST December 22, 2006

CLEVELAND -- Former Indians player Jim Thome is one of close to 90 major leaguers whose identity could be at risk.

SFX Sports represents some of the biggest names in a variety of sports, and police said 38-year-old David Dright went through a Dumpster outside the agency's Northbrook, Ill., office and recovered personal information on 80 to 100 Major League ballplayers.

"He was actually going through trash receptacles or Dumpsters and recovered numerous paperwork, documents, things like that," [How descriptive... Bob] said Detective Adam Hyde, of the Lincolnshire police.

Police weren't looking for the ballplayers' personal documents when they searched Dright's Chicago apartment but knew what they had once they found them.

An attorney for SFX said they will work with their clients to ensure no identities were compromised, and Illinois police are doing the same.

"We've been in contact with Major League Baseball, also the Major League Baseball Players' Association, and we've also contacted some of the players individually," said Detective John Anderson.

Police said it appears that Dright attempted to get credit cards using the identities of at least two players. The extent of the fraud won't be known until police can process Dright's computer.



If it's good enough for Her Majesty....

http://www.infoworld.com/article/06/12/22/HNpodcastingroyal_1.html?source=rss&url=http://www.infoworld.com/article/06/12/22/HNpodcastingroyal_1.html

Podcasting gets U.K. royal seal of approval

Queen's speech will, for the first time, be available as video and audio downloads from the BBC's Web site

By Nancy Gohring, IDG News Service December 22, 2006

... This year for the first time Queen Elizabeth II's Christmas speech will be available as a podcast.

... Interested listeners can sign up for the Royal Podcast now and will receive the latest episode, the Christmas speech, at the time of the broadcast.



Another “secret regulation” bites the dust?

http://techdirt.com/articles/20061221/153821.shtml

Court Not Buying FCC's Claims Over Indecency Fines

from the where-are-the-parents? dept

As many of you are aware, the FCC in the last few years has spent an awful lot of time on television indecency issues -- though they seem to do so not because of any real offense, but because certain family groups flood the FCC with complaints, often long after a TV show actually aired. The FCC refuses to give TV broadcasters any guidelines or preview any content, noting that that would be "censorship." Instead, they give vague guidelines and will only fine you if you fail to meet the hidden standards. The networks are fighting back in court, and it looks like the FCC isn't looking very good so far. In court hearings yesterday, the 3-judge panel blasted the FCC on a variety of points, noting that their hidden standards are really no different than censorship -- and, if anything, are worse, because it's just a game of "gotcha." However, even more to the point, the judges questioned why the FCC feels the need to take over the parents' role in policing what children see on TV, noting that it's the parents' responsibility to monitor what their kids watch. Basically, they say that if parents are worried about what kids are watching in their bedrooms, the parents shouldn't allow TVs in kids' bedrooms. In other words, it's the parents' responsibility to protect the children, not the government's. The judges also point out how silly it is to hold a separate standard for broadcast TV (the only thing the FCC really has the authority to regulate), when there's so much more on cable and satellite which the kids are probably watching anyway. While that could just open up the FCC to pushing for greater authority over cable and satellite TV (as some politicians would like), it's worth remembering that the FCC's mandate is only over public airwaves -- not private ones, and any change would face tremendous resistance. While the case is still ongoing, it certainly looks like the court took a pretty hostile view to the FCC's usual reasons for fining broadcasters over indecency.



I'd like to see this booklet. Perhaps it could be translated into a guide for the rest of us?

http://www.prweb.com/releases/privacy_law/personal_privacy/prweb493544.htm

Guidebook Designed to Help Judges Protect Their Personal Privacy

"Protecting Your Personal Privacy," a collaborative effort of The Center for Information Technology and Privacy Law at The John Marshall Law School and the Chicago Bar Association (CBA), is an easy-to-read informational booklet that has been distributed to all federal judges in the 7th Circuit, and now is being distributed to other federal circuits as well as state court judges.

(Vocus/PRWeb ) December 22, 2006 -- The desire to protect judges and their families from the wrath of the public outside of the courthouse has led to the publication of a 20-page guide that offers tips on how best to protect one's privacy.

"Protecting Your Personal Privacy," a collaborative effort of The Center for Information Technology and Privacy Law at The John Marshall Law School and the Chicago Bar Association (CBA), is an easy-to-read informational booklet that has been distributed to all federal judges in the 7th Circuit, and now is being distributed to other federal circuits as well as state court judges. The booklet has been made available to the families of judges through the Judicial Family Institute and is also available to the general public. [I haven't found it yet. Bob]

"It has been very well received," said Collins T. Fitzpatrick, circuit executive for the U.S. Court of Appeals, 7th Circuit. "It's a terrific help to anyone who follows it."

"A series of events, starting with the murders of family members of U.S. District Court Judge Joan Humphrey Lefkow, raised awareness of both physical and informational security and safety for judges and their families," said the booklet's chief author Leslie Ann Reis, director of the Center for Information Technology and Privacy Law.

The CBA called together members of the federal and state judiciary, academics and leading practitioners to propose ways judges and their family members could protect their security and safety.

Committee members initially were "shocked" by the amount of information available on judges and the vulnerabilities created by the misuse of that information, Reis said. The booklet is meant to empower judges by outlining ways that personal information can be protected from public availability by limiting the amount of one's personal information that is put into the public domain.

"We found there was no real guidance out there that would allow judges to proactively protect their privacy," Reis said. "Our approach (in developing the booklet) was how to keep the information from getting into the public domain in the first place, rather than legislating and criminalizing the disclosure of information.

"Availing yourself to the conveniences of modern-day living involves giving up a certain amount of privacy. We aren't telling judges what to do. What information you share and with whom is a cost benefit analysis that everyone has to make for themselves," she noted.

Reis, who has been studying and teaching privacy law the past 10 years, said the booklet is "helping to raise awareness among the judges of the potential dangers, and empowering them to make reasoned uses of their personal information."

The booklet has suggestions as simple as not providing information for directories or product rebates, to the more detailed outlines, including creating land trusts so that personal information is not tied to real estate transactions in the public record.

"We all know the benefits of technology. What needs to be decided is how much personal information you're willing to exchange to gain those benefits," Reis said. "If you follow the tips we give, you'll have the tools to make a reasoned decision."



http://www.eweek.com/article2/0,1759,2076062,00.asp

Vista Exploit Surfaces on Russian Hacker Site

December 22, 2006 By Ryan Naraine

Proof-of-concept exploit code for a privilege escalation vulnerability affecting all versions of Windows—including Vista—has been posted on a Russian hacker forum, forcing Microsoft to activate its emergency response process.

Mike Reavey, operations manager of the Microsoft Security Response Center, confirmed that the company is "closely monitoring" the public posting, which first appeared on a Russian language forum on Dec. 15. It affects "csrss.exe," which is the main executable for the Microsoft Client/Server Runtime Server.

... "While I know this is a vulnerability that impacts Windows Vista I still have every confidence that Windows Vista is our most secure platform to date," [How sad... Bob] he added.

Friday, December 22, 2006

Well, thanks Al Gore! I've got 24 inches of global warming in my driveway.


Strange quote...

http://www.mercurynews.com/mld/mercurynews/news/local/states/california/peninsula/16289017.htm

Stolen server holds 2,500 Social Security numbers

By Truong Phuoc Khánh Mercury News Posted on Thu, Dec. 21, 2006

A computer stolen from Santa Clara County's employment agency contained the Social Security numbers of 2,500 people who are being advised to take steps to protect themselves from identity theft.

The risk to clients is not believed to be high because the information was encrypted by passwords, [Let's hope the reporter got this wrong. Data can be encrypted or access can be controlled by passwords, but “encrypted by password” is a non-sequitur... Bob] according to a statement from the county. Only those who have used the PESCO software to assess their job skills are affected.

The theft was discovered last week and reported to police Friday.

Three computer servers were stolen from an unoccupied building undergoing construction. [No doubt moved there to make it easier for the thieves... Bob] Because of electrical work, the power had been turned off and the alarm was not working. Two of the servers did not contain client information; the third server did. The information included names, Social Security numbers and job skill assessments, but not addresses or telephone numbers.

The county is notifying affected clients.



I wonder if this is the end to it?

http://www.infoworld.com/article/06/12/21/HNrootkitgrows_1.html?source=rss&url=http://www.infoworld.com/article/06/12/21/HNrootkitgrows_1.html

Sony rootkit settlement with states reaches $5.75M

Two days after reaching settlements worth $1.5 million with Texas and California, Sony agreed on Thursday to pay another 40 states to end investigations

By Robert McMillan, IDG News Service December 21, 2006

Sony BMG Music Entertainment's botched attempt to stop unauthorized music copying has cost the company another $4.25 million.

Two days after reaching settlements worth $1.5 million with Texas and California, Sony agreed on Thursday to pay another 40 states the money to end investigations into its use of two copy protection programs: First 4 Internet's XCP (extended copy protection), and MediaMax, written by SunnComm International.

In a statement, Sony said it was pleased with Thursday's settlements.

... Sony has reportedly also reached a tentative settlement with the U.S. Federal Trade Commission in the matter, although nothing relating to that investigation was announced Thursday. Sony settled a class-action lawsuit over the software in May.

As with the California and Texas agreements, residents of the 40 states that settled with Sony are entitled to up to $175 in refunds for damages that may have been caused to their computers. The settlements also limit the ways that Sony can use copy protection software in the future and require that the company notify consumers if it uses this kind of software.

A list of the states covered in Thursday's settlement can be found in the Massachusetts statement.

Sony has set up a Web site with information for consumers on the matter. It is expected to eventually include information on how to file a claim under these latest settlements.



I hope the ruling includes the requirement that notice is given online – as easy to find as the content itself. Otherwise we get back to the individual request for each item...

http://techdirt.com/articles/20061221/191554.shtml

Judge Says No Deep Linking To Videos

from the that's-a-problem dept

Deep linking is apparently an issue that just won't die. You would think, by now, people would realize that if you put something on the web, people can link to it. If you don't want them to link to it, then don't put it online, or put in place one of the incredibly easy technical methods to redirect traffic that comes into the content you want to hide. It's really not that difficult -- but too many people still haven't figured it out, and unfortunately some of them are judges. In the latest case, a federal judge in Texas has said that it's illegal to deep link to a video on another site if that site objects. The fact that linking is the core of the internet and the other site can easily put in place technical measures to stop it apparently isn't particularly important. Admittedly, part of the problem may be that the guy who did the linking also chose to defend himself rather than hire a lawyer, and apparently part of his legal strategy was to accuse the company suing him of "acting like Genghis Khan." You'd have to hope that a lawyer would be able to better defend the case and explain to the judge why this ruling doesn't make much sense -- but in the meantime, beware of linking directly to videos on other sites.


More...

http://news.com.com/2100-1030_3-6145744.html

Judge: Can't link to Webcast if copyright owner objects

By Declan McCullagh Story last modified Thu Dec 21 17:44:12 PST 2006

... What's unusual in the SFX case is that a copyright holder is trying to prohibit a direct link to its own Web site. (There is no evidence that SFX tried technical countermeasures, such as referer logging and blocking anyone coming from Davis' site.)

A 2000 dispute between Ticketmaster and Tickets.com suggested that such direct links should be permitted. A California federal judge ruled that "hyperlinking does not itself involve a violation of the Copyright Act" because "no copying is involved."
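The CNET piece notes that SFX apparently never tried the obvious technical countermeasure, referer logging and blocking. The following is an added example of what that countermeasure looks like on the serving side; it is not code from CNET, SFX or any party to the case. It assumes a site that serves its own media under `/video/`, a list of hosts permitted to link directly to it (the `example.com` names are placeholders), and an application that can see the request path and the `Referer` header.

```python
"""Referer-based hotlink control for media URLs.

Added example, not from the CNET article or any site it mentions. It assumes
a site that serves its own video files and wants direct links embedded from
other domains refused, while still logging every request so the operator
knows who asked. ALLOWED_HOSTS and MEDIA_PREFIX are assumed values.
"""
from urllib.parse import urlparse

# Hosts allowed to embed or link directly to our media (assumed values).
ALLOWED_HOSTS = {"www.example.com", "example.com"}
MEDIA_PREFIX = "/video/"


def referer_host(referer):
    """Return the lower-cased host part of a Referer header, or None if absent/unparseable."""
    if not referer:
        return None
    parsed = urlparse(referer)
    # urlparse().hostname is already lower-cased; guard against 'Referer: junk'.
    return parsed.hostname if parsed.hostname else None


def decide(path, referer):
    """Return (allowed, reason) for one request to `path` carrying the given Referer.

    Policy: non-media paths are always served. Media paths are served when the
    Referer is absent or names one of our own hosts, and refused otherwise.
    A missing Referer is allowed deliberately: many clients and privacy tools
    strip it, so this policy stops casual embedding from other sites rather
    than trying to prove where a visitor came from.
    """
    if not path.startswith(MEDIA_PREFIX):
        return True, "not media"
    host = referer_host(referer)
    if host is None:
        return True, "no referer"
    if host in ALLOWED_HOSTS:
        return True, "own site"
    return False, "foreign referer %s" % host


def handle(log, path, referer):
    """Apply the policy, append an access-log style line to `log`, and return the HTTP status."""
    allowed, reason = decide(path, referer)
    status = 200 if allowed else 403
    log.append("%s %d referer=%s (%s)" % (path, status, referer or "-", reason))
    return status


if __name__ == "__main__":
    entries = []
    handle(entries, "/video/clip.mp4", "http://www.example.com/watch")
    handle(entries, "/video/clip.mp4", "http://other.example.net/links")
    handle(entries, "/video/clip.mp4", None)
    print("\n".join(entries))
```

Because the Referer is entirely under the client's control, this is a nuisance filter for hotlinking, not an access control; the log line is the part that matters when a dispute like the one in the article arises, since it records which outside sites were sending traffic and when.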



Like most users aware of this problem, I don't use Internet Explorer...

http://developers.slashdot.org/article.pl?sid=06/12/21/1836240&from=rss

Clipboard Data Theft Now Optional With IE7

Posted by Zonk on Thursday December 21, @03:08PM from the options-are-good dept. Internet Explorer Microsoft Programming The Internet

An anonymous reader writes "It's been known for a long time that Internet Explorer will happily allow any Web site to steal data that users have recently cut-and-pasted or copied into the Windows 'clipboard' data storage area. Well, now it looks like Microsoft has finally decided that this 'feature' was probably ill-advised, according to The Washington Post's Security Fix blog. IE7 throws up a warning asking whether users really want to let a site filch their clipboard data (Firefox, Opera and most other non-IE browsers forbid this behavior by default)."



Could this indicate that DHS has hired a lawyer? Nah...

http://www.washingtonpost.com/wp-dyn/content/article/2006/12/21/AR2006122101621.html?nav=rss_technology

Report Says TSA Violated Privacy Law

Passengers Weren't Told That Brokers Provided Data to Screening Program in '04

By Ellen Nakashima and Del Quentin Wilber Washington Post Staff Writers Friday, December 22, 2006; A07

Secure Flight, the U.S. government's stalled program to screen domestic air passengers against terrorism watch lists, violated federal law during a crucial test phase, according to a report to be issued today by the Homeland Security Department's privacy office.

The agency found that by gathering passenger data from commercial brokers in 2004 without notifying the passengers, the program violated a 1974 Privacy Act requirement that the public be made aware of any changes in a federal program that affects the privacy of U.S. citizens. "As ultimately implemented, the commercial data test conducted in connection with the Secure Flight program testing did not match [the Transportation Security Administration's] public announcements," the report states.

The finding marks the first time that the Homeland Security Department has acknowledged that the problem-plagued Secure Flight program has violated the law.

... A 2004 probe found that the TSA improperly stored 100 million commercial data records containing personal information on passengers after the agency said no data storage would occur.



For my technology law friends...

http://www.bespacific.com/mt/archives/013351.html

December 21, 2006

The Best (and Worst!) of Legal Technology 2006 From FindLaw

"The world of Legal Technology has...had its share of ups and downs in 2006, with companies spying on their boards, the treasury department spying on money transfers, and the government spying on, well, everyone! With all the spying going on, data security was certainly on everyone's mind in 2006, and several key stories arose out of the inability of companies and government agencies to protect their customer and employee data. The new Federal Rules of Civil Procedure also added to the mix with new requirements for companies and other potential litigants to keep in mind as they generate gigabytes and gigabytes of information every day." [Link]

[My favorite:

IT Security Issues Discussed in Recent Federal Decision
Despite the Department of the Interior’s repeated failures to meet network security standards, a federal appeals court recently vacated an order requiring the agency to disconnect its computers from the internet and internal networks. The detailed and specific IT security aspects mentioned in the opinion are noteworthy in light of recent and widespread data security breaches at government and private organizations. The decision also provides guidance for any organization seeking to improve its network security.
(read more)]



Potentially useful – if you are disposing of your old computers improperly...

http://www.bespacific.com/mt/archives/013349.html

December 21, 2006

Consumer Reports Launches Online Electronics Reuse and Recycling Center

Press release: "Consumer Reports' environmental website has launched an online Electronics Reuse and Recycling Center. The Center features thoroughly researched, unbiased, expert advice to help de-clutter your home and solve the huge and growing problem of electronics waste. It also features the results of a March 2006 nationwide, online survey including information about why people replace their electronics and what they did with their old equipment."



Perspective. Makes an interesting hypothetical (Also: Your tax dollars at play)

http://techdirt.com/articles/20061221/115606.shtml

Who'll Pay For C3PO's Social Security Benefits?

from the what-are-you-doing-dave dept

Despite the fact we can't create a robot that can navigate stairs without doing a face plant, there's apparently concern in some circles that robots may someday want the same rights afforded humans. A "speculative paper" released by the British government predicts that should robots eventually learn to reproduce, improve or think for themselves -- it's inevitable that they'll sue for equal rights. Once obtained, the robots would then drain government coffers, as "states will be obligated to provide full social benefits to them including income support, housing and possibly robo-healthcare to fix the machines over time," according to the report. Of course the very nature of a more efficient economy where robots comprise a significant portion of the labor force should hopefully mean an increase in the distribution of wealth, potentially offsetting the impact of having to pay the social security costs incurred by a legion of hard-working R2D2s. The paper admits we won't be worrying about any of this for at least another twenty years, assuming robots can first hurdle the monumental task of self-sustained bipedal movement sans fatality. Judging from existing robots, we've got a long way to go before sentient reproducing robots become societal burdens: the Japanese government this week honored its most innovative robot designs, which included a $3,454 robotic spoon, and a sensor wielding toy seal.



Looks like it could already be useful...

http://digg.com/tech_news/wikiHow_3

wikiHow

"wikiHow is a collaborative writing project to build the world's largest how-to manual. With your contributions, we can create a free resource that helps people by offering clear, concise solutions to the problems of everyday life. wikiHow currently contains 14,962 articles written, edited, and maintained primarily by volunteers" http://www.wikihow.com/Main-Page



Geek stuff? Security Managers: Does your policy cover this? Study this article carefully!

http://www.oreillynet.com/pub/a/network/2006/12/21/using-google-to-view-myspace-or-any-restricted-sites.html

Using Google to View MySpace or Any Restricted Site

by Wei-Meng Lee 12/21/2006

Editor's Note: A year ago, a reader with the handle of bigthistle posted one of our favorite hacks to hacks.oreilly.com, describing how to access restricted websites using the Google Translate feature. Acknowledging that our readers often have better ideas than we do, we recently asked Wei-Meng Lee to take a closer look at this technique, and he wrote up this awesome HOWTO based on the original submitted hack. For many more innovative ways to use Google, get your hands on a copy of our recently released Google Hacks, Third Edition.



I'm a sucker for these lists...

http://digg.com/tech_news/The_new_100_most_useful_sites_by_Guardian

The new 100 most useful sites by Guardian

Two years ago most Britons didn't have broadband and Web 2.0 was barely a twinkle in a developer's eye. Things have changed - as our cream of the crop for 2006 shows

http://technology.guardian.co.uk/weekly/story/0,,1975939,00.html



Another case of poor management – it took two months to figure out something that should be in the logs... Lots of fun questions though: Was a crime committed? Why bring along the SWAT team? What was the basis for the search warrant?

http://digg.com/security/Swat_team_raids_High_School_student_s_house_for_changing_school_website

Swat team raids High School student's house for changing school website!

Some kid in high school has several armed police officers and the swat team attempt to break down the door to gain access to his house. All this because of a few harmless changes made to the home page of his High School website. Over $20,000 in electronics confiscated!

http://operationsuccess.blogspot.com/2006/12/why-swat-team-raided-my-house.html



Always amusing

http://www.pogowasright.org/article.php?story=2006122107272726

New State Laws Go Into Effect Jan. 1

Thursday, December 21 2006 @ 07:27 AM CST - Contributed by: PrivacyNews - State/Local Govt.

Residents in at least 32 states will wake up New Year's Day to a host of new state laws, according to a compilation of legislation from the National Conference of State Legislatures (NCSL).

... Source - Government Technology

http://www.ncsl.org/programs/press/2006/pr061220.htm

PRIVACY

  • As of January 1, 2007 it will be illegal in Arkansas to publicly post or display an individual’s social security number or to require an individual to transmit their social security number via the internet unless the information is encrypted. (Arkansas 85th General Assembly, SB 335)

  • Employers in Maryland are no longer allowed to print an employee’s social security number on their paycheck or any part of the pay stub. (Maryland General Assembly, 2006 Regular Session, HB 388)

  • Victims of identity theft in Hawaii, Kansas, New Hampshire, Oklahoma, Pennsylvania, Rhode Island and Wisconsin will be able to place a security freeze on their credit reports. The security freeze will prevent credit reporting agencies from releasing information to unauthorized parties without the consumer’s authorization preventing perpetrators of the identity theft from obtaining additional credit. (Hawaii 23rd Legislature 2006, HB 1871; Kansas Legislature, 2006 Session, SB 196; New Hampshire General Court, 159th Session, SB 334; Oklahoma Legislature, 2006 Regular Session, SB 1748; General Assembly of Pennsylvania, Session of 2005, SB 180; Rhode Island General Assembly, 2006 Session, H 7148Aaa; Wisconsin State Legislature, 2005 – 2006 Session, AB 912)



Will this become a trend? We could add all felons to the registry for example... (What did you do to that phone to become a registered sex pervert?)

http://www.out-law.com/page-7598

Online criminals threatened with sex offenders' register

OUT-LAW News, 21/12/2006

Internet and email users can be added to the sex offenders' register for a whole slew of new offences after the Home Office drastically increased the number of relevant offences.

An unspecified range of offences related to internet and phone use has been added.

Thursday, December 21, 2006

“The computer did it!”

http://www.mlive.com/news/muchronicle/index.ssf?/base/news-10/1166631362312200.xml&coll=8

E-problem puts library patrons' info on Internet

Wednesday, December 20, 2006 By Michael Buck CHRONICLE STAFF WRITER

A technical problem on the Lakeland Library Cooperative Web site made available personal information of more than 15,000 patrons across West Michigan on the Internet.

Information that was displayed included names, phone numbers, e-mail addresses, street addresses and library card numbers of library patrons registered on the site.

Minors were also indicated on the spreadsheet type document by a listing of parents' names.

"(Our systems manager) thinks there was a software malfunction," said Martha McKee, interim director of the Lakeland Cooperative Library. "They fixed that, so the information is not accessible anymore."

... "I don't think anything bad will happen, but we need to be proactive," she said.

... Less than 24 hours after VanOosterhout alerted library officials to the problem, Lakeland Cooperative computer administrators secured the data.

... Neither McKee nor VanOosterhout could estimate how long the information was available for viewing on the Internet. [Real managers keep records! Bob]



Note what they knew about this one. Every organization should have this information!

http://www.gazetteextra.com/bigfootwebsite122006.asp

Report: Privacy breach limited on Big Foot Web site

(Published Wednesday, December 20, 2006 01:16:06 PM CST) By Chris Schultz Gazette staff

WALWORTH-It appears that no one outside Big Foot High School saw personal information that accidentally was posted on the school's Web site, according to a summary report released by the school board Tuesday.

"We are completely certain that information was available only to our staff," Superintendent Thomas Nykl told the board.

... School board member Rick Ackman wanted to create a committee to review the incident and determine whether action should be taken against the person responsible.

He withdrew his motion at the request of Sue Pruessing, school board president, who said the board should wait for reaction from people affected by the breach. [Let's see if anyone cares... Bob]

... On Oct. 18, Nykl was trying to post financial information on the district Web site, including cost of individual teacher and staff salaries and benefits.

Nykl didn't know that personal information, such as Social Security numbers and dates of birth, was attached. Salary and benefit information is open to the public; the other information is not.

Social Security numbers, last names and years of birth of 87 current and former employees were published on the Internet.

... When the items were first posted about 9:40 a.m., the link to the financial and confidential information didn't work, the report said.

The links were repaired about 11:20 a.m. They were then accessed 37 times by 14 computers, all of them internal, the report says.

Two hits on the link came from outside, but they were not able to retrieve the files containing the confidential information, the report says. [This type (and detail) of information should be available in all of these privacy breach cases. Bob]

About 20 minutes later, secretaries informed the administration [...because no one else looked to see if they had done what they were trying to do! Bob] that Social Security numbers and birthdates were on the Web site.

The report said files containing confidential information were accessible for 36 minutes before being taken down.

The report does not explain what caused the information to be posted. [Isn't that obvious? Bob]

As far as he determined, Nykl said, no one saved copies of the information, [of course, there are many ways to copy the data without leaving a trail on the server... Bob] and none of the confidential pages were cached by Internet service providers. Cached pages are copies that can be accessed and read later, even if the original is deleted or removed.
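Bob's point above, that the details in this report (which hosts fetched the file, from inside or outside, whether anything retrieved it successfully, whether a crawler got a copy, and for how long) ought to be available in every breach case, is exactly what a web server's access log can answer. The following is an added example, not part of the original post or of the district's report: it runs over a few constructed Apache combined-format log lines whose path, addresses and times are invented for the demo, and it assumes the internal hosts sit in RFC 1918 address space.

```python
import ipaddress
import re
from datetime import datetime

# Apache/NCSA "combined" format:
# client identd user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumption: the district's own hosts are in RFC 1918 space.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Crude crawler detection by user-agent; a 200 served to a crawler means a
# cached copy may exist even after the file is taken down.
CRAWLER_RE = re.compile(r"bot|crawl|spider|slurp", re.IGNORECASE)

# Constructed sample lines (path, addresses and times invented for this demo).
SAMPLE_LOG = """\
10.4.2.17 - - [18/Oct/2006:11:21:03 -0500] "GET /board/2006-salaries.xls HTTP/1.1" 200 48213 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.4.2.17 - - [18/Oct/2006:11:21:40 -0500] "GET /board/2006-salaries.xls HTTP/1.1" 200 48213 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.4.3.5 - - [18/Oct/2006:11:30:11 -0500] "GET /board/2006-salaries.xls HTTP/1.1" 200 48213 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.23 - - [18/Oct/2006:11:42:55 -0500] "GET /board/2006-salaries.xls HTTP/1.1" 404 512 "-" "Mozilla/5.0"
66.249.65.10 - - [18/Oct/2006:11:50:02 -0500] "GET /board/2006-salaries.xls HTTP/1.1" 200 48213 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
10.4.2.17 - - [18/Oct/2006:11:55:30 -0500] "GET /board/index.html HTTP/1.1" 200 1200 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
this line is not in log format and must be skipped, not miscounted
"""


def is_internal(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable client field: treat as outside
    return any(ip in net for net in INTERNAL_NETS)


def analyze(log_text, sensitive_paths):
    """Summarise who retrieved the sensitive paths, from where, and when.

    Only a 200 counts as a retrieval; a 404 from outside is a failed attempt,
    which is the distinction the school's report draws."""
    sensitive = set(sensitive_paths)
    r = {
        "successful_hits": 0,
        "internal_hosts": set(),
        "external_hosts": set(),
        "external_attempts": 0,
        "crawler_successes": 0,
        "first_success": None,
        "last_success": None,
    }
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m.group("path").split("?", 1)[0] not in sensitive:
            continue
        ip, status = m.group("ip"), int(m.group("status"))
        internal = is_internal(ip)
        if not internal:
            r["external_attempts"] += 1
        if status != 200:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        r["successful_hits"] += 1
        (r["internal_hosts"] if internal else r["external_hosts"]).add(ip)
        if CRAWLER_RE.search(m.group("ua")):
            r["crawler_successes"] += 1
        if r["first_success"] is None or ts < r["first_success"]:
            r["first_success"] = ts
        if r["last_success"] is None or ts > r["last_success"]:
            r["last_success"] = ts
    return r


def exposure_seconds(result):
    """Seconds between the first and last successful retrieval (0 if none)."""
    if result["first_success"] is None:
        return 0
    return int((result["last_success"] - result["first_success"]).total_seconds())


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG, ["/board/2006-salaries.xls"])
    print(summary)
    print("exposure window (s):", exposure_seconds(summary))
```

The log only records requests the server saw: it shows which clients got a 200 and which crawlers did, which is what supports a statement like "none of the pages were cached", but it cannot show what a client did with the bytes afterwards, which is Bob's caveat about saved copies.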



Only 200,000,000? No big deal...

http://www.mlive.com/newsflash/regional/index.ssf?/base/news-40/116664114312100.xml&storylist=newsmichigan

Lawsuits settled over marketing use of sensitive driver info

12/20/2006, 3:40 p.m. ET By CURT ANDERSON The Associated Press

MIAMI (AP) — A settlement proposed Wednesday would resolve lawsuits claiming that national information companies improperly used sensitive motor vehicle records for marketing purposes, in a case that could affect 200 million people nationwide.

... "Everyone agrees that no one should have their driver's information used for marketing purposes without their consent," said Tom Loffredo, spokesman for the companies that include Atlanta-based Choicepoint Inc., Costa Mesa, Calif.-based Experian Information Solutions Inc. and U.S. units of London-based Reed Elsevier PLC.

Under the agreement, most of the defendant companies would adopt a series of safeguards aimed at protecting personal data commonly available from state motor vehicle agencies. No damages would be paid in the case, although each of the original plaintiffs would get up to $15,000 and the lawyers involved could get $25 million in fees and expenses from the companies.

People around the country who have evidence they were harmed by misuse of personal data could still file lawsuits even if the settlement is approved as a nationwide agreement, plaintiffs' attorneys said.

... Martinez would retain jurisdiction over the settlement for seven years to ensure its terms are followed, attorneys said.



http://www.securitypark.co.uk/article.asp?articleid=26270&CategoryID=1

25 million personal records are exposed to theft and fraud annually

20/12/2006

75% of the world's largest financial services organisations have reported a security breach in the last year (according to Deloitte Touche Tohmatsu). Almost 25.5 million personal records have been exposed to potential theft and fraud in the UK during the past year according to a new study from DQM Group. This equates to the same number of identity exposures as there are households in the land.

The DQM Group research findings incorporate both data security breaches on the internet, along with poor practice over paper-based personal records. An ‘exposure’ occurs when a sufficiently detailed record is exposed for identity theft and fraud to take place.

... Security measures are currently concentrated on avoiding security breaches, yet DTI figures show that these are increasing nevertheless. Adrian Gregory, Managing Director, DQM Group, commented: "More attention needs to be paid to tracking and tracing data abusers, identity thieves and fraudsters once a breach has occurred, so that criminals can be brought to justice and the growing identity fraud problem be actively reduced. This can be achieved by inserting seed names into databases. These are agents or identities that appear to be real customers, but have in fact been inserted into the database to obtain a view of any unauthorised use of the records."

... Adrian Gregory added: “UK public and private sector organisations are holding an increasing volume of data on customers and citizens. If such organisations are to continue to be allowed to use this information to improve customer service, they also have to take on the responsibility of keeping it safe and secure. The exposure of 25.45 million personal records every year to potential theft and fraud is already unacceptable."
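Gregory's seed-name idea above is a canary (honeytoken) scheme: each party that receives a copy of a dataset gets its own set of synthetic identities, so when a marketing list or leaked file surfaces later, the seeds in it point back to the copy it came from. The following is an added example of that technique, not DQM Group's method or code: the key, the name pools, the recipient names and the sample records are all constructed for the demo.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumption: a secret held only by the data owner and never shipped with the data.
# This value is constructed for the demo; in practice draw it from a key store.
SEED_KEY = b"constructed-demo-key-do-not-reuse"

# Small name pools so seeds look like ordinary records rather than obvious dummies.
FIRST = ["Alan", "Beth", "Carol", "Dev", "Erin", "Femi", "Gita", "Hugo",
         "Ines", "Jon", "Kara", "Luis", "Mira", "Nils", "Olu", "Pia"]
LAST = ["Arkwright", "Bellamy", "Cavendish", "Dunmore", "Ekwueme", "Fairlie",
        "Garside", "Haldane", "Ivers", "Jessop", "Kettering", "Lindqvist",
        "Mowbray", "Naismith", "Oduya", "Pemberton"]


def make_seeds(recipient, count, key=SEED_KEY):
    """Derive `count` synthetic identities unique to one recipient of the data.

    Each seed is an HMAC of (recipient, index), so the owner can regenerate the
    set at any time without keeping a seed list next to the real records."""
    seeds = []
    for i in range(count):
        tag = hmac.new(key, f"{recipient}:{i}".encode(), hashlib.sha256).hexdigest()
        first, last = FIRST[int(tag[0], 16)], LAST[int(tag[1], 16)]
        seeds.append({
            "name": f"{first} {last}",
            # the hex suffix keeps every seed address unique across recipients
            "email": f"{first.lower()}.{last.lower()}{tag[2:6]}@example.com",
        })
    return seeds


def release_with_seeds(records, recipient, count, key=SEED_KEY):
    """Return a copy of `records` with this recipient's seeds spread through it."""
    seeds = make_seeds(recipient, count, key)
    out = list(records)
    step = max(1, len(out) // (count + 1))
    for i, seed in enumerate(seeds):
        out.insert(min(len(out), (i + 1) * step), seed)
    return out


def _seed_lookup(recipients, count, key):
    lookup = {}
    for recipient in recipients:
        for seed in make_seeds(recipient, count, key):
            lookup[("email", seed["email"])] = (recipient, seed["email"])
            lookup[("name", seed["name"].lower())] = (recipient, seed["email"])
    return lookup


def identify_leak_source(observed, recipients, count, key=SEED_KEY):
    """Count, per recipient, how many distinct seeds of theirs appear in `observed`.

    Matching is by normalised e-mail first, then by name, so a list whose
    addresses were rewritten or dropped can still be traced."""
    lookup = _seed_lookup(recipients, count, key)
    matched = defaultdict(set)
    for rec in observed:
        email = rec.get("email", "").strip().lower()
        name = rec.get("name", "").strip().lower()
        hit = lookup.get(("email", email)) or lookup.get(("name", name))
        if hit:
            recipient, seed_id = hit
            matched[recipient].add(seed_id)
    return {recipient: len(ids) for recipient, ids in matched.items()}


if __name__ == "__main__":
    # Constructed "real" customers and a list that later surfaces with a marketer.
    customers = [{"name": "Jane Roe", "email": "jane.roe@example.net"},
                 {"name": "Sam Poe", "email": "sam.poe@example.net"}]
    for broker in ("BrokerA", "BrokerB"):
        print(broker, release_with_seeds(customers, broker, 3))
    leaked = make_seeds("BrokerB", 3)
    surfaced = customers + [
        {"name": leaked[0]["name"], "email": leaked[0]["email"].upper()},
        {"name": leaked[1]["name"].upper(), "email": "rewritten@example.org"},
    ]
    print(identify_leak_source(surfaced, ["BrokerA", "BrokerB"], 3))  # {'BrokerB': 2}
```

Two practical points the snippet bakes in: the seeds are derived, not stored, so a compromise of the database does not also hand over the list of canaries; and a single matched seed is weak evidence, so the function reports how many of a recipient's seeds turned up rather than a yes/no answer.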



Something for organizations with security cameras to consider...

http://www.praguemonitor.com/ctk/?story_id=w48255i20061220;story=RFE-may-be-fined-for-alleged-monitoring-pedestrians---press

RFE may be fined for alleged monitoring pedestrians

Prague, Dec 19 (CTK) - The Office for the Protection of Personal Data may impose a fine of up to 10 million crowns on Radio Free Europe/Radio Liberty (RFE/RL) for alleged monitoring of pedestrians outside its building in Prague, daily Pravo writes today.

The paper writes that employees of a private security service who guard the radio's premises photograph and video-record selected passers-by with digital equipment in places that are normally publicly accessible.

Pravo writes that the data protection authority has started to look into the matter in detail. If the office finds that the personal data protection law has been breached, RFE/RL could be fined five million crowns.

If a larger number of people were affected by the monitoring, the fine could reach up to 10 million crowns, the paper writes.

Pravo wrote recently that the security service agents make a database of possible suspects which they send to the United States, probably for the needs of the U.S. secret services.

The Czech police have been unofficially asked to check some of the photographed persons, Pravo wrote.

The security experts and lawyers Pravo has addressed say this is a problem and a possible breach of Czech laws and EU legislation.

The building has been officially guarded since the terrorist attacks on New York and Washington in 2001 and it is separated from its vicinity by concrete barriers. The radio is to move to another building which has started to be built outside the city centre.

(USD1=21.151 crowns)



http://techdirt.com/articles/20061220/150715.shtml

How Private Are Your Emails From The Government?

from the legal-questions dept

Slashdot has a post up claiming that the government has the right to read your emails, which is a little misleading. However, the story does raise some interesting issues. While the article there suggests that the government has an open right to snoop through your emails, what the actual case is about is the standard that the government must meet before it can look at emails you have that are stored on someone else's servers (such as Yahoo or Google). The specific case involves a seller of "male enhancement" products who is being sued by the government. They viewed some of his emails that were stored on Yahoo's mail servers. They didn't, as the original post implies, have free access to them, but required a court order directed at the companies hosting the servers to see them. The argument, then, is over whether or not a court order is enough, or if the government should have been required to get a search warrant, which would require a higher level of proof and support before a court would grant permission.

If you take it a step back, what this really becomes is an argument over who owns your emails. If you believe that you own your own emails once they're in your inbox, then, like traditional mail, it would seem that a search warrant is the right standard. However, if you believe that whoever is storing the content owns the rights to access it, then the court order should be enough. This is made that much more complicated by the fact that a piece of email traveling around a network can leave traces or copies on many different servers. Where this gets really tricky is that if the "court order" standard is accepted, that puts an awful lot of data at risk of being easily targeted by the government. With the rise of "hosted" services for things like enterprise software, email, photos and even documents and spreadsheets, all of that information may now be much more easily viewed by government authorities. It still requires a court order, but as long as the data is on someone else's server, it appears that a search warrant may not be needed. One of the reasons that many companies have shied away from software-as-a-service vendors was fear that by putting their data on other servers it would be more open to hackers or competitors. Apparently, it's also more open to government officials, based on the current ruling in this court case.



So many aspects...

http://techdirt.com/articles/20061220/160512.shtml

Is E-Voting Too Costly To Use? Or Too Costly Not To Use?

from the help-us-out-here dept

Remember earlier this month when the feds wouldn't decertify existing e-voting machines because that would be too costly? Well, thanks to John for pointing us to a report that notes that the too-costly part was actually using the machines in the first place. Utah's elections officials (the same folks who forced an elections official out of his job for daring to conduct independent security tests of Diebold machines that later turned up a huge security hole) are now claiming they had no idea how expensive it would be to operate an election using e-voting machines. No wonder they were so pissed off at the elections official who tested the machines. As you may recall, Diebold then charged them to examine and reset the machines following the test. It's not just the cost of the machines that was the problem: they required a lot more training, more poll workers and additional costs for storage and maintenance. As that last article notes, elections shouldn't necessarily be cheap, but it's ridiculous to claim that we need to keep the faulty machines because it would be too expensive to get rid of them, when it looks like it's pretty damn expensive to keep them as well.



"It ain't over 'til it's over " Y. Berra, philosopher

http://news.com.com/2100-1027_3-6145266.html?part=rss&tag=2547-1_3-0-5&subj=news

Sony has far to go in rootkit case

By Greg Sandoval Story last modified Wed Dec 20 17:44:30 PST 2006

Sony BMG is making amends in California and Texas for secretly loading antipiracy software onto customers' computers. But the record label has a long way to go before putting the public relations nightmare behind it.

Sony BMG, which Sony operates jointly with Bertelsmann Music Group, agreed earlier this week to pay $1.5 million in fines and pay customers in California and Texas whose computers suffered damage as a result of Sony's surreptitiously installed digital rights management (DRM) software. The company declined to comment for this story other than to say that it was pleased to have reached the agreement with California and Texas.

Likely so, but the deal with California and Texas won't be the end of the "rootkit" fiasco for the music giant. Sony still has to contend with a consortium of 13 states, including Massachusetts, Nebraska and Florida, that are expected to look for a similar deal, according to Jeff McGrath, deputy district attorney for Los Angeles County, which took part in California's case against Sony. In addition, McGrath said an investigation launched earlier this year by the Federal Trade Commission looms. A spokesperson for the FTC declined to comment.

... The case has hounded Sony BMG and undermined the company's credibility, say Sony critics.

"I think that there was a lot of record labels who got carried away with the idea of DRM," said Cindy Cohn, legal director for the Electronic Frontier Foundation, one of the groups that filed a class-action suit against Sony last year on behalf of those affected by the antipiracy software. "I don't think many of them stopped to think about the impact to their customers when they used DRM."

... The EFF's Cohn said that something positive may come from the fiasco: the case provides another reason for entertainment companies to abandon DRM.

She said that there are indications some entertainment companies may be ready to do just that. First, Sony hasn't placed any DRM on CDs since the rootkit ordeal surfaced. The latest example came this week with reports that Amazon.com is preparing to launch a music download site featuring DRM-free songs.

"I think we're seeing a growing consensus that DRM isn't working," Cohn said. "I think DRM was a bad idea that had a heyday but that it will be fading away soon. The (entertainment companies) are learning that DRM is an anticompetitive tool that ultimately hurts their business."



"Let's kill them all!"

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2006/12/20/MNG5CN2PUU1.DTL&feed=rss.news

An online outlet for road rage

Fast-growing site lets drivers vent -- but privacy an issue

Michael Taylor Wednesday, December 20, 2006

... Tired of clueless drivers? Want to vent a little, but realize that ramming your SUV into the offending Jaguar may not be the best way to deal with this?

Try www.platewire.com, a Web site created by two frustrated commuters who decided that the antics of their roadmates needed a public forum - someplace to snitch on all those idiots you see during the slog to work.

PlateWire, where the above rants originated, was "born out of frustration from years of driving alongside drivers who seem to have no concern with anyone's safety, including their own," founders Mark Buckman, 32, and Luke Sevenski, 27, announce on their site.

The way to lance that boil goes like this: Take down the license plate number of the reckless car; write an angry e-mail, including the plate number and time, date and place where this all happened; and send it in to PlateWire, which then posts the information along with the license plate number and invites responses from other site viewers.

... The venture does raise some thorny privacy issues, not to mention the possibility of lawsuits over disputed public identification of erratic driving. "We're taking feedback from the community," Buckman said. "Perhaps it will get so we only show the license plate numbers to registered PlateWire members. It's still evolving."



Think of the potential if we could extend this to include Solid State (locked in) modules for the processes that run the enterprise. No chance the reactor could be made to melt down, the water supply wouldn't stop purification, air traffic systems wouldn't ignore those head-on approaches... You get the idea.

http://www.technewsworld.com/rsstory/54830.html

Solid-State PCs: Computing's Next Horizon

By Jack M. Germain TechNewsWorld 12/21/06 4:00 AM PT

"Solid-state PCs are entirely feasible to develop, but there still are issues to solve in booting from Flash RAM," Robert Hoffer, cofounder and managing director of NewForth Partners, told TechNewsWorld. "The ideal approach is to use Linux. This is already being worked on by numerous companies."

Coming to computer stores in the not-too-distant future will be a new type of PC. It will not have a hard drive, and the operating system will be burned onto a chip, making malware manipulations and viruses problems of the past.

Wednesday, December 20, 2006

Would you want to steal identities from people with bad credit?

http://www.zone-h.org/content/view/14448/31/

Russian Banks in the eye of the storm

Written by Roberto Preatoni (SyS64738) Tuesday, 19 December 2006

A huge attack against several major Russian banks ended up with the leak of a database containing the personal details of about 3 million individuals. The data is now being sold for between 2,000 and 4,000 roubles (around $76 to $150) on the Russian black market.

This case is a further example of the low level of security that is supposed to protect people, but it would not be worth noting if it were not for the outcry the news has caused: a media fuss that might have negative effects on data security as well.

The aspect of this story that most aroused journalists' curiosity is that this particular database contains information on clients of Russian banks who have been refused credit, and on those who have defaulted, partially or fully, on their payments.

Moreover, the archive includes personal details such as name, address and passport number, since such details are required on credit applications in Russia.

Some journalists asked what damage such a data leak could cause, and this is not difficult to guess: anyone could buy the database and call a debtor pretending to be calling from the bank to collect the debt. Can you imagine the number of swindles that might be carried out?

Data leaks, online fraud and scams do not usually provoke such an uproar in Russia, but the media attention could now be a good moment to work on increasing public awareness of security issues.

But "public awareness" is not enough, and Russians should hope for a review of Russian cybercrime legislation and the introduction of standard security policies for banks.

The Russian black market is definitely well stocked, and this is not the first time that a database containing classified information has been available for sale: recently it was highlighted that databases including data from the customs and passport authorities are freely available.



http://www.clarionledger.com/apps/pbcs.dll/article?AID=/20061219/NEWS/61219032

December 19, 2006

Security breach affects about 2,400 MSU students, workers

By Richard Lake rlake@clarionledger.com

Social Security numbers and other private information from about 2,400 Mississippi State University students and employees were “inadvertently” posted on a publicly accessible Web site, the university said Tuesday.

Everyone who was affected has been sent a letter explaining the situation and will be offered free credit monitoring service for one year, the university said.

“We’ve taken this very seriously and we’ve worked hard to try to solve it,” said university spokeswoman Maridith Geuder.

The security breach was discovered last week, officials said. Geuder would not identify the department responsible for the slip-up, but said the information was removed from the Web immediately.



Inside job?

http://www.azstarnet.com/sn/hourlyupdate/161119.php

ID theft ring targeted Raytheon employees, authorities say

By Alexis Huicochea Arizona Daily Star Tucson, Arizona | Published: 12.19.2006

An identity theft ring that was busted earlier this month targeted current and former Raytheon employees, the Pima County Sheriff’s Department said Tuesday.

Because the investigation is ongoing, the Sheriff’s Department warned that other Raytheon employees may still be at risk of being victimized.

The investigation began in August and culminated with the arrests of five people said to be heavy methamphetamine users, said Deputy Dawn Barkman, a Sheriff’s Department spokeswoman.

About 40 people had personal information stolen over a few months, which was then used to open fraudulent credit card accounts online, Barkman said.

“Obviously, there has been a compromise of employee information,” Barkman said. “It is unknown how the information on Raytheon employees is being obtained.”

Six search warrants have been served and a number of computers, fraud and identification documents, including personal IDs, Social Security cards and other documents, were seized, Barkman said.

The potential loss as a result of the identity theft is more than $100,000, she said.



Add this to what it has already cost Sony in reputation and sales...

http://www.businessweek.com/ap/financialnews/D8M446200.htm

Sony BMG settles suit over CDs

By ALEX VEIGA BW Exclusives The Associated Press December 19, 2006, 2:52PM EST

LOS ANGELES Sony BMG Music Entertainment will pay $1.5 million and kick in thousands more in customer refunds to settle lawsuits brought by California and Texas over music CDs that installed a hidden anti-piracy program on consumers' computers.

Not only did the program surreptitiously monitor users' behavior, but the method Sony BMG originally recommended for removing the software also damaged computers.

The settlements, announced Tuesday, cover lawsuits over CDs loaded with one of two types of copy-protection software -- known as MediaMax or XCP.

Under the terms of the separate settlements, each state will receive $750,000 in civil penalties and costs.

In addition, Sony BMG agreed to reimburse consumers whose computers were damaged while trying to uninstall the XCP software. Customers in both states can file a claim with Sony BMG to receive between $25 and $175 in refunds.

The company had previously settled a class-action case over the episode.

"Companies that want to load their CDs with software that limits the ability to copy music should fully inform consumers about it, not hide it, and make sure it doesn't inflict security vulnerabilities on computers," California Attorney General Bill Lockyer said in a statement.

------On the Net: Sony BMG information on settlement: http://www.sonybmgcdtechsettlement.com



Next on the Class Action hit list...

http://games.slashdot.org/article.pl?sid=06/12/19/1731210&from=rss

Wiimote Straps Result in Class Action Suit

Posted by Zonk on Tuesday December 19, @12:41PM from the sigh dept.

Kotaku reports the news that problems with breaking Wiimote straps have resulted in a class action lawsuit against Nintendo. From the press release about the suit: "Green Welling LLP filed a nationwide class action lawsuit on behalf of the owners of the Nintendo Wii against Nintendo of America, Inc., in the U.S. District Court for the Western District of Washington. The class action lawsuit arose as a result of the defective nature of the Nintendo Wii. In particular, the Nintendo Wii game console includes a remote and a wrist strap for the remote. Owners of the Nintendo Wii reported that when they used the Nintendo remote and wrist strap, as instructed by the material that accompanied the Wii console, the wrist strap broke and caused the remote to leave the user's hand. Nintendo's failure to include a remote that is free from defects is in breach of Nintendo's own product warranty."



Recognizing that the world has changed: This presents management with an interesting problem. How would you write a policy to control (not ban) use of consumer tools?

http://it.slashdot.org/article.pl?sid=06/12/20/0227259&from=rss

Consumer Technologies Driving IT

Posted by kdawson on Wednesday December 20, @07:46AM from the not-invented-here dept.

fiannaFailMan writes to point out The Economist's reporting on the way consumer-driven software products are increasingly making their presence felt in the corporate world. Some CIOs are embracing the influx while others continue to resist it.

From the article: "In the past, innovation was driven by the military or corporate markets. But now the consumer market, with its vast economies of scale and appetite for novelty, leads the way. Compared with the staid corporate-software industry, using these services is like 'receiving technology from an advanced civilization,' [Great quote! I'm gonna use that (in a non-plagiarizing kinda way...) Bob] says [one university CIO]... [M]ost IT bosses, especially at large organizations, tend to be skeptical of consumer technologies and often ban them outright. Employees, in return, tend to ignore their IT departments. Many young people... use services such as Skype to send instant messages or make free calls while in the office. FaceTime, a Californian firm that specializes in making such consumer applications safe for companies, found in a recent survey that more than half of employees in their 20s and 30s admitted to installing such software over the objections of IT staff."



Corporate Governance, basic management skills, and a recognition that these things do matter... (Also food for the e-discovery world)

http://hosted.ap.org/dynamic/stories/M/MORGAN_STANLEY_E_MAILS?SITE=VALYD&SECTION=HOME&TEMPLATE=DEFAULT

Dec 19, 5:39 PM EST

NASD Says Morgan Stanley Withheld Emails

WASHINGTON (AP) -- Securities regulators on Tuesday accused big investment firm Morgan Stanley Inc. of repeatedly withholding documents sought in connection with customer complaints and falsely claiming that millions of e-mails it had were lost in the Sept. 11, 2001 terror attack on the World Trade Center.

Morgan Stanley disputed the allegations by the National Association of Securities Dealers, the brokerage industry's self-policing organization, saying that it would contest them through NASD's administrative process.

It was not the first time that regulators alleged repeatedly withholding of e-mails by Morgan Stanley, the second-biggest investment house on Wall Street. In May, the firm agreed to pay a $15 million civil fine to settle charges by the Securities and Exchange Commission that it failed to provide tens of thousands of e-mails that the agency sought in major investigations over several years.

Morgan Stanley neither admitted nor denied the allegations in that case but did consent to a permanent injunction against future violations of the securities laws and agreed to overhaul its system for handling e-mails.

In the new action, the NASD alleged that retail brokerage arm Morgan Stanley DW Inc. failed to provide e-mails sought by the industry regulators and by customers who had entered arbitration proceedings against the firm from October 2001 through March 2005. The organization also said Morgan Stanley falsely claimed in many instances that the e-mails in question had been destroyed in the attack on the World Trade Center, where its computer servers were located. [So if I presented my version... er... copy of that e-mail, it would be the only version of the evidence, right your honor? Bob]

In fact, the NASD said, Morgan Stanley had millions of e-mails that were restored to its computer system using backup tapes soon after Sept. 11, 2001. Many other e-mails were retained on individuals' computers and were never affected by the attack, yet the firm often failed to search those computers when e-mails were requested, according to the NASD.

Morgan Stanley later destroyed many of the e-mails by overwriting backup tapes and by allowing users of the e-mail system to permanently delete them, the NASD said.

In a statement Tuesday, Morgan Stanley said the 9/11 attack destroyed the e-mail servers and archives it had inherited from Dean Witter when it acquired the brokerage firm. When the previous management learned that there were still backup e-mails from the earlier time that might be relevant to investigations, it informed regulators and attorneys, built new databases, produced e-mails and cooperated fully, Morgan Stanley said.

It said its current management has tried to settle the matter, but NASD's "disproportionate and unprecedented demands leave us no choice but to litigate."

Morgan Stanley said it would request a hearing before an NASD disciplinary panel, which it is entitled to do under the organization's rules.

If the complaint is upheld, sanctions can include a civil fine, censure, payment of restitution and suspension from the securities industry.



This is very interesting. I see direct application to the “free music” issue. The RIAA is doomed, and here's the evidence.

http://hbswk.hbs.edu/item/5580.html

The Value of a "Free" Customer

Published: December 2006 Authors: Sunil Gupta, Carl F. Mela, and Jose M. Vidal-Sanz

Executive Summary:

Traditional models for calculating customer lifetime value (CLV) cannot assess the profitability of customers in networked settings such as job agencies, realtors, and auction houses, where the presence of one type of customer can affect the value of another. Monster.com, for example, is free to job-seekers and obtains revenue by charging fees to employers, but without job-seekers the employers will not sign up, and without these firms Monster would have no revenues or profits. An indirect network effect extends to any exchange with multiple buyers and sellers. This study computed the value of such customers by developing a joint model of buyer and seller growth using one data set. As a study of customer valuation it may be useful to firms that want to better manage their customer portfolio in a networked economy. Key concepts include:

* This study examined one data set.

* The network effects of buyers on sellers were nearly six times the effect of sellers on buyers, according to the data set used here. This effect may be quite different in another empirical application.

* Customer value increased over time as the network was built. The network may eventually reach a point at which an additional customer no longer enhances the effect of the network.

* Though there were 4.6 sellers for each buyer, buyers and seller had roughly equal value.

* As the network effect becomes stronger, marketing plays less of a role in attracting buyers and sellers, according to this data set. [Suggesting the death of the RIAA? Bob]

* This new method offers a good approximation of firm value compared with traditional CLV methods that may capture only 2 percent of firm value.



I'll have to think about this one...

http://michaelzimmer.org/2006/12/19/entrenchment-of-non-privacy-norms-online/

Entrenchment of Non-Privacy Norms Online

Posted on Tuesday, December 19th, 2006 at 12:33 am

Gaia Bernstein, an Associate Professor at Seton Hall University School of Law (and guest blogger over at Law & Technology Theory) has a thoughtful post about how particular diffusion characteristics made the Internet vulnerable to the establishment of what she calls “non-privacy norms.” She writes:

I believe two diffusion characteristics made the Internet vulnerable to this paradox and may make other technologies that share these qualities susceptible to the same paradox. First, the Internet is characterized by a critical mass point quality. This characteristic is prevalent among interactive technologies. A critical mass of people needs to adopt them before they are of value. For example, the telephone was far less useful before there were many people to call. Once the critical mass point is reached the rate of diffusion accelerates. At that point a technology is less likely to be affected by a privacy threat. It is less likely to be abandoned because of the threat. When the critical mass point is reached and diffusion accelerates, social norms become quickly entrenched.

The Internet reached its critical mass point in 1990 with 4 million users worldwide. The privacy threats appeared around the mid-1990s at a time of rapid diffusion, and non-privacy norms became quickly entrenched.

The second relevant diffusion characteristic is decentralization. The entrenchment of non-privacy norms is also enhanced where a technology is decentralized. Where a technology is decentrally diffused all users can re-invent it. In the case of the Internet, many users could act to develop privacy threatening tools, such as cookies. This exacerbated the entrenchment of non-privacy norms.

I suggest that where a technology is characterized by a critical mass point and decentralized diffusion the window of opportunity for intervention is much narrower. Privacy protection, whether through technological design or legal rules, is likely to be effective earlier before social norms are entrenched.

This is important work, and Gaia has two papers that develop these ideas further: The Paradoxes of Technological Diffusion: Genetic Discrimination and Internet Privacy and When New Technologies are Still New: Windows of Opportunity for Privacy Protection.



Consider the source...

http://www.insurancetech.com/feed/showArticle.jhtml?articleID=196700953

Keep Your Guard Up: Privacy & Information Management Trends for 2007

Given the ease and speed with which information flows globally, privacy and information security must remain at the top of the legislative and corporate agenda for 2007. Attorney Lisa Sotto, privacy and information management leader at New York-based law firm Hunton & Williams, discusses trends and offers predictions for the new year.

By Lisa J. Sotto Insurance & Technology December 19, 2006

Information security is one of the most pressing concerns for businesses today. The high level of criminal activity involving personal information (sometimes leading to ID theft or account fraud) affects every company that maintains personal information, whether customer or employee data. In addition, the publicity surrounding the many high-profile data breaches during the past year has focused CEOs and boards of directors on this topic. Information security is no longer an issue that is relegated to the dusty basement.

1. Security Breach Notification

In the U.S., when there is a security breach that involves unencrypted, computerized sensitive personal information (such as Social Security or credit card numbers), the company that maintains the information must notify all the individuals whose data was reasonably likely to have been compromised. There currently are over 30 state security breach notification laws. While they are similar, they are not harmonized. This lack of uniformity makes compliance in the event of a security breach a logistical nightmare.

How do the state laws differ? First, the type of information covered by the laws varies from state to state. In addition, in some states, there is a harm threshold for notification -- that is, an entity that experiences a data breach does not need to provide notification in certain states unless there is a "substantial" or "reasonable" risk of harm. In other states, there is a private right of action so that individuals can sue if an entity does not provide the required notice. In yet other states, an entity that experiences a data breach must notify the state attorney general. These are just a few examples of the legal nuances that make compliance with over 30 state security breach laws daunting.

The federal government is likely to step in to resolve the lack of consistency among the states. In 2007, with a Democratic Congress at the helm, we are likely to see a federal breach notification law that preempts state law. In addition to U.S. initiatives, officials in the E.U. and Canada have taken up the issue of breach notification. In the E.U. in particular, there is a proposed directive that would require certain entities to provide notification to individuals if their data were compromised.

2. Information Security Requirements

In the U.S., most businesses are not subject to any federal requirement to safeguard personal information. There is no federal law that requires entities other than those in the financial and health care sectors to keep data safe. In 2007, Congress is likely to pass a federal law requiring all entities that maintain sensitive personal information to implement a comprehensive information security program. Such a law probably will resemble the security standards currently in place for financial institutions, requiring businesses that handle sensitive data to develop administrative, technical and physical safeguards to protect the data.

3. Privacy Litigation and Enforcement

To date, there have been surprisingly few lawsuits brought in connection with information security breaches and other privacy events. But plaintiffs are becoming more creative in pursuing new grounds for lawsuits and bolder in bringing actions against major global entities. We are likely to see a rise in litigation and more willingness on the part of courts to grant relief to plaintiffs.

Recently, the Federal Trade Commission formed a new division to handle privacy and data security matters (called the Division of Privacy and Identity Protection). This indicates a new focus by the FTC on privacy and data security matters. Indeed, the FTC considers privacy and data protection to be a central part of its consumer protection mission. We will likely see more FTC privacy investigations and enforcement actions against companies that have suffered serious security lapses or data breaches.

4. New Privacy Laws Overseas

While many countries have extant privacy regimes, a number of high-profile countries do not yet have comprehensive data protection laws in place. In 2007, we are likely to see serious discussions about a new privacy law in China. In addition, reacting to a number of significant data breaches, India will likely amend its existing rules to enhance security requirements and penalties for data compromises.

5. Data Sharing to Combat Terrorism

There has been significant confusion surrounding the sharing of information both among governments and between the private sector and governments for use in anti-terrorism activities. There are inadequate guidelines globally to assist companies in determining to which jurisdiction they are subject and whether sharing data with one nation will violate the laws of another nation. There will likely be extensive dialogue about this issue on a global level. Given the global nature of information, this issue cannot be governed by individual countries' laws but instead must be managed through agreement among the nations.

Conclusion

Privacy and data protection laws are evolving rapidly. The number of regulatory enforcement and individual privacy actions is increasing. Individuals are growing more aware of and concerned with protecting their privacy. We can anticipate more high-profile privacy events, putting this area even higher on the corporate compliance agenda. Companies would be well advised to prepare for the onslaught.

Lisa J. Sotto is a partner in the New York office of Hunton & Williams and heads the firm's Privacy and Information Management practice. She also serves as Vice Chair of the U.S. Department of Homeland Security's Data Privacy and Integrity Advisory Committee. Ms. Sotto has testified before Congress and an executive branch agency on privacy and data security issues. She writes and speaks extensively on these topics. Ms. Sotto can be reached at lsotto@hunton.com.



http://www.bespacific.com/mt/archives/013323.html

December 19, 2006

FBI's Semiannual Uniform Crime Report, January - June 2006

FBI press release: "Preliminary figures indicate that, as a whole, law enforcement agencies throughout the Nation reported an increase of 3.7 percent in the number of violent crimes brought to their attention in the first half of 2006 when compared to figures reported for the first six months of 2005."

  • The data presented in Tables 1 and 2 indicate the percent change in offenses known to law enforcement for 2005 and 2006 by population group and geographic region, respectively. Table 3 reflects the percent change within the Nation for consecutive years (each year compared to the prior year). Table 4 presents the number of offenses known to law enforcement for agencies having a resident population of 100,000 and over and providing 6 months of complete data for 2006. In addition, Table 4 presents 2005 data for the first half of the year, where available, as a point of comparison. All data in this report are preliminary. [Download Spreadsheets]




http://www.bespacific.com/mt/archives/013322.html

December 19, 2006

New on LLRX.com

The following articles are available in the December 2006 issue of LLRX.com:

  • Bloggers Beware: Debunking Nine Copyright Myths of the Online World - Updated, by Kathy Biehl

  • Criminal Justice Resources - Criminal Justice Blogs, by Ken Strutin

  • A Compilation of State Lawyer Licensing Databases, by Trevor Rosen and Andrew Zimmerman

  • Deep Web Research 2007, by Marcus P. Zillman

  • Librarianship - Promoting Public Service and Philanthropy, by Kara Phillips

  • CongressLine by GalleryWatch.com: Voting in Congress, by Paul Jenks

  • E-Discovery Update - by Fios Inc.: Choosing An E-Discovery Vendor, by Conrad J. Jacoby

  • Reference from Coast to Coast: An Overview of Selected SEC Resources on the Web, by Jan Bissett and Margi Heinen

  • Faulkner's Practical Web Strategies for Attorneys: Planning Your 2007 Web Strategy, by Frederick L. Faulkner IV

  • The Government Domain: 2007 Calendars and Schedules, by Peggy Garvin

  • After Hours: But Wait! There's More, by Kathy Biehl

  • FOIA Facts: Rapid Response Team for FOIA, by Scott A. Hodes

  • The Tao of Law Librarianship: Reaching Across the Generations in the Profession, by Connie Crosby

  • Commentary: The Military Commissions Act and The Habeas Corpus Act, by Beth Wellington



Cultures differ...

http://techdirt.com/articles/20061219/232949.shtml

YouTube's Solution To Unauthorized Japanese Videos: A Warning Written In Japanese

from the well-that-will-solve-everything dept

Earlier this month, the Japanese Society for Rights of Authors, Composers and Publishers sent a nastygram to YouTube demanding they cease allowing copyrighted materials to be uploaded to their site. This came soon after the same group demanded the removal of approximately 30,000 videos from the site, and was disappointed to find that many were put back on the site some time later. Of course, since YouTube just provides the platform, it's pretty much impossible to completely prevent such uploads. However, YouTube has responded by promising to put up a warning in Japanese about copyright violations and to send a delegation to Japan to meet with JASRAC over these concerns. So far, it seems like JASRAC is satisfied by the response, but at some point they're going to have to realize that there is no real way to prevent the content from being uploaded. Should some sort of magic bullet ever actually show up that YouTube could use to block uploads, the content would simply migrate to sites that just don't care as much about copyright violations. In other words, it's a time-consuming and totally ineffective game of whack-a-mole. One of these days, they'll have to realize that there are ways to benefit from letting people upload shows -- and the whole "problem" goes away.



This could be a valuable resource for accessing old files.

http://digg.com/software/How_old_can_you_go_Oldversion_com_because_newer_isn_t_always_better

How old can you go? Oldversion.com "because newer isn't always better!"

A great site that archives older versions of software. Maybe you're looking for a pre-bloatware favorite application, or maybe you haven't been able to get AIM to work right on granny's Pentium II. This is the place for you.

http://www.oldversion.com/



Just because we are nerds doesn't mean we can't cook!

http://digg.com/offbeat_news/So_you_can_t_cook_well_can_you_count_Make_meals_the_nerd_way

So you can't cook? Well, can you count? Make meals the nerd way!

Simply click on what you've got in the fridge (each item is assigned a number) and they'll show you what you can cook. Their catchphrase: "Don't worry, Skills By Numbers will make you look great in the kitchen..... Can't make up your mind about what to cook? Click I feel lucky as well....." You gotta love it.

http://www.cookingbynumbers.com/frames.html



Now this is new... (Bugmenot.com works here...)

http://www.pogowasright.org/article.php?story=20061219075200135

N.D. patrol probes WSI privacy law

Tuesday, December 19 2006 @ 07:52 AM CST - Contributed by: lyger - State/Local Govt.

BISMARCK – The North Dakota Highway Patrol is investigating whether criminal acts took place when Workforce Safety and Insurance used state-held driver’s license photos to identify current or former employees it suspected of sending e-mails to the agency. [How would your driver’s license photo help, you ask? See below... Bob]

Source - The Forum

[From the article: When investigators determined the e-mail had come from a public library computer, they used their access to driver’s license records to get images of four current or former employees suspected of sending the e-mail. Investigators showed the photos to library workers in their attempt to identify who sent the e-mails.]



We should be seeing lots more of this!

http://www.pogowasright.org/article.php?story=20061219083403793

New Policy On Use of Student SSNs Adopted

Tuesday, December 19 2006 @ 08:34 AM CST - Contributed by: PrivacyNews - Minors & Students

The provost and Council of Deans recently approved, and the university has adopted, a more formal policy on the protection and use of student Social Security numbers. The detailed and specific measures were passed in an effort to reduce reliance on the SSN for identification purposes and to increase student confidence involving the handling of the numbers. Johns Hopkins considers the student SSN, or any part thereof, to be "personally identifiable information" under the Family Educational Rights and Privacy Act of 1974.

Source - Johns Hopkins University