Friday, March 16, 2007

In Japan, this is a major indictment of the printing company. They might go out of business in shame... Seriously! Perhaps someone in this country might do the same for TJX? Naaaah.

http://www.asahi.com/english/Herald-asahi/TKY200703160105.html

EDITORIAL/Theft of personal data

--The Asahi Shimbun, March 15 (IHT/Asahi: March 16, 2007) 03/16/2007

In a shocking case of data theft, personal information on more than 8.6 million consumers was stolen from a printing company that handles direct mail for dozens of corporate clients. According to Dai Nippon Printing Co., the data affects customers of 43 of its clients, including credit sales companies, insurers, retailers and consumer loan firms.

The data was apparently pilfered by a former employee of a subcontractor that processed the information for the printing company. The suspect, Hirofumi Yokoyama, 45, smuggled out the information on a magneto-optical disk, according to prosecutors.

They said he sold the data of some 150,000 customers of a major consumer credit firm to a fraud ring targeting online shoppers. Part of the data was used for credit card fraud totaling several million yen. Yokoyama was arrested after he left the company. He was later indicted on theft charges.

Under the new law for the protection of personal information that went into force in 2005, companies dealing with such data are required to enhance their information security management.

Dai Nippon Printing clearly bears a heavy responsibility for this data leak. It says similar leaks started several years ago.

Dai Nippon says it hadn't expected data theft to be committed by insiders. [Historically the most common way... Bob] Still, the company could have prevented the crime if it had taken cautionary steps like prohibiting workers from taking recording media out of computer rooms and frequently checking records of access to databases.

The company clearly is out of touch in its awareness of the huge responsibility it shoulders in protecting such vast amounts of personal data provided by its clients.

The companies that entrusted the data with Dai Nippon also share blame. The privacy protection law stipulates that when companies provide personal data to other firms for processing they must properly supervise the information security management of those entities.

This is a data breach of an unprecedented scale that led to actual financial fraud. In order to identify the problems with Dai Nippon's information security system, the Ministry of Economy, Trade and Industry and other organizations need to start their own investigations into the case and warn the public about the risks of disclosing their personal information. If necessary, they should consider issuing special recommendations to companies that have experienced similar data leaks.

If such cases of data theft continue, political momentum could grow again for a proposal to introduce a new crime category to punish information leaks, an idea that the ruling camp had considered for a while.

The current law imposes private information protection requirements on companies and organizations but doesn't provide any punishment for individuals who have stolen or sold such information.

In the Dai Nippon case, Yokoyama has been indicted only on the charge of stealing a magneto-optical disc worth 250 yen, not of stealing the data.

We believe, however, it would not be wise to create new punishment for theft of all kinds of personal information. This kind of provision could be abused to deter acts that should be defended, such as whistle-blowing on corporate violations by insiders.

But it is worth considering how to establish category-specific regulations on the kinds of sensitive personal information that could be abused, causing serious consequences. This would include credit card numbers, data concerning personal savings and debts at financial institutions as well as data on patient charts at hospitals.

One reasonable proposal would be to establish specific rules for each of these areas--financial services, consumer credit and medical services--to hold individuals and companies that have stolen or traded personal information accountable.

The government's Quality-of-Life Council is now reviewing ways in which the information protection law has been enforced. The panel should consider a wide range of steps to prevent damaging data breaches.


This is all we get on TJX's indiscretions...

Perhaps what we need is someone to speculate on all the ways TJX could have screwed up?

http://www.channelinsider.com/article/TJX+Probes+Slowly+Crawl+Along/203180_1.aspx

TJX Probes Slowly Crawl Along

By Evan Schuman 3/15/2007 9:39:00 AM

The data breach case of $16 billion retailer TJX is crawling along, with this week delivering to us a handful of pseudo-developments. Those are things that sound like information, but examined closely tell us little new.

The Federal Trade Commission, for example, confirmed that it has been investigating TJX, but wouldn't say what it has found nor when it started. This would only be news to someone who thought the FTC would not have investigated and that pretty much rules out anyone who understands Washington's CYA mentality.

Yes, the FTC will make some inquiries, take many months to mull it over and then quietly issue a fine that is near the top of their penalties, which is also coincidentally just shy of what TJX would consider a rounding error. Oh, and the FTC investigation's details won't be published, probably under national security headings because it could help al-Qaeda attack the U.S. credit card business. (Snicker now, but just wait and see how close the FTC comes to that wording in six months.)

Ahhhhh, but this country has checks and balances, no? The new majority in the U.S. House of Representatives has pledged to act and act quickly. We're now told by House staffers that the Energy and Commerce Committee is going to leap into action with hearings in "mid-to-late May" about a proposed data security bill.

Great! So that's when congressional testimony will reveal the specifics of what happened with TJX, so the rest of the industry can protect itself, right? Well, actually, no. The FTC probe is giving Congress political cover to not investigate TJX, but the hearings will have lots of witnesses to say that data security really needs a lot of work. And money. Don't forget the money.

Maybe, say the congressional aides, the committee will truly investigate TJX when the FTC probe is over.

Wait. All hope is not lost. What about all of those class-action lawsuits? Surely those depositions will start shedding light? Don't bet on it. It's going to take quite a few months before any of those depositions will be taken and, even then, lawyers will want to keep those details quiet until they can negotiate juicy settlements with TJX.

Why? There's only one thing TJX fears more than letting this case get to a jury: letting the full details get to its customers and investors. A last-minute settlement—with a hush clause—is quite likely. To not lose their leverage, lawyers will likely sit on those details as though they're the crown jewels.

What of our state governments? They're certainly above political or monetary considerations, right? The multi-state attorney general probe is proceeding, but details coming out are few. We did learn this week some of the not-yet-released states that are participating and that it does appear to be about 34 states involved.

Beyond Massachusetts (which is in charge of the probe) and Rhode Island (which had launched its own probe before giving up and joining the group), states participating include: Alabama; Arkansas; Arizona; California; Colorado; Connecticut; Delaware; Florida; Washington, D.C. (OK, so it's not really a state. Sue me); Hawaii (Probe 'em, Danno); Illinois; Maine; Maryland; Michigan; Mississippi; Missouri; Montana; Nebraska; Nevada; New Hampshire; New Jersey; New Mexico; North Carolina; North Dakota; Ohio; Oklahoma; Oregon; Pennsylvania (which many years ago proved its insightfulness by grabbing the only "attornegeneral.gov" domain. Everyone else has to add state initials to their domain); South Dakota; Tennessee; Texas; and Vermont.

The Massachusetts case is apparently being run with the help of an all-volunteer executive committee, including representatives from the AG offices from Pennsylvania, Vermont, New Jersey, Arizona, Oregon, Ohio, Florida, Illinois, and California.

Those states participating on the executive committee, one source said, often get a shot at additional money for their states. That's part of the problem. The states have an incentive to negotiate financial arrangements to get money back to state residents, but little incentive to publicly detail the security procedure lapses that caused the breach to happen and, much more importantly, the disclosure of which might prevent similar ones from happening.



Was that the question? I thought it was “How does Real ID protect the country?”

http://www.infoworld.com/article/07/03/15/HNdhshead_1.html

DHS head: Security and privacy not at odds

Michael Chertoff downplays concerns about government's efforts to create data-chipped drivers licenses

By Grant Gross, IDG News Service March 15, 2007

The head of the U.S. Department of Homeland Security on Thursday downplayed privacy concerns raised by the government's efforts to create standardized, data-chipped drivers licenses across the country.

The same technology that makes information on identification cards more reliable can also protect privacy, DHS Secretary Michael Chertoff said during a speech to the Northern Virginia Technology Council. "It's my contention that properly used technology ... actually protects privacy," he said. "We should not allow folks to be captivated by the argument that every time we do something with a computer, it invades privacy." [Nor should we assume that all consequences are obvious and readily understood by the IT guys... Bob]



The start of something useful?

http://www.law.com/jsp/ihc/PubArticleIHC.jsp?id=1173949429016

Sharing Business Information in a High-Risk World

William A. Tanenbaum New York Law Journal March 16, 2007

This is the inaugural column on privacy and data protection. The column is designed to assist general counsel in addressing the privacy and data issues that arise in a "stand-alone" context, such as liability for the wrongful disclosure of consumer personal information, and as part of large corporate initiatives, such as outsourcing, business services partnerships, structuring relationships with information technology vendors and securing intellectual property protection for databases (copyright) and business methods (patent).

The topics addressed in this column will be based on three fundamental premises. First, today's methods of doing business require a company to open its computer systems and data to third parties. More openness means more security risks. The result is that in-house counsel must work with chief information officers and other business executives to balance the benefits of openness with the increased risks to computer and data security.

Second, privacy is part of a larger category, and I will call that category "information management." This category includes trade secrets, corporate data protection, data exchange, data mining, IT security, protection against competitive intelligence, and information life-cycle management.

Third, data protection should be driven down to the data level. Focusing only on firewall protection is like building a fortress and then failing to take into account all the doors and windows that were inserted in the walls to enable data to flow to and from the castle domain. The data has to move in and out of the fortress, and it needs to be protected as it does, as required by the nature of a specific piece of information and the uses to which it will be put. Broadly speaking, protection in this context means that restrictions need to be in place so that exchange of data does not violate applicable privacy laws and so that confidential and proprietary business data does not lose its proprietary status and enter the public domain.

These three premises, which will be discussed in greater detail below, illustrate the convergence of privacy, security, cybercrime and intellectual property.



Interesting business model. How could it be a crime?

http://techdirt.com/articles/20070314/115923.shtml

Is It Illegal To Help Someone Watch TV Over Their Computer?

from the questions,-questions dept

This one is actually from a few weeks ago, but we were just informed of it by Ed.

Apparently, there's a company that's trying to help people watch satellite TV over their computer and has come up with an interesting plan. They'll use Slingboxes and DirecTV accounts to help people watch DirecTV via any internet connection. From the article, it sounds like neither DirecTV nor Slingbox is happy about this, and there's talk about terms of service violations and such. However, it's not entirely clear why this is a problem. Everyone who should be getting paid still is getting paid. Each customer has to buy their own DirecTV account -- it's just that it's installed at this company's offices, rather than at their own home. Since you need to have a separate Slingbox for each account, the company is still buying the Slingboxes. So, both DirecTV and Sling Media get their cut. The company then charges a $99/month service fee, which is pretty steep considering that the person also has to pay for a DirecTV account on top of that. Really this is only useful for people who have internet connections, want the programming that's available on DirecTV, but for some reason cannot get DirecTV -- which might not be a huge market. However, it's hard to see why that should be considered a problem for any of the companies involved. This service is simply reselling their offerings, bringing it to markets that otherwise wouldn't get served.



It's good to know that when Microsoft says they have a process worked out – like security – it is infallible!

Vista Can Run Without Activation for a Year

Posted by CowboyNeal on Friday March 16, @07:22AM from the procrastinists-in-luck dept. Windows Microsoft

An anonymous reader gave us a heads up on this article for people who like putting things off. It begins: "Windows Vista can be run for at least a year without being activated, a serious end-run around one of Microsoft's key anti-piracy measures, Windows expert Brian Livingston said today. Livingston, who publishes the Windows Secrets newsletter, said that a single change to Vista's registry lets users put off the operating system's product activation requirement an additional eight times beyond the three disclosed last month. With more research, said Livingston, it may even be possible to find a way to postpone activation indefinitely."



I'll be curious to see what deal they made...

http://yro.slashdot.org/article.pl?sid=07/03/15/2124216&from=rss

RIAA Has to Disclose Attorneys Fees In Foster Case

Posted by Zonk on Thursday March 15, @05:56PM from the it-feels-good-to-come-clean dept. Music The Almighty Buck The Courts

NewYorkCountryLawyer writes "The RIAA has been ordered to turn over its attorneys' billing records by March 26, 2007, in Capitol v. Foster in Oklahoma. The 4-page decision and order, issued in connection with the determination of the reasonableness of Ms. Foster's attorneys fees, requires the RIAA to produce the attorneys' time sheets, billing statements, billing records, and costs and expense records. The Court reviewed authorities holding that an opponent's attorneys fees are a relevant factor in determining the reasonableness of attorneys fees, quoting a United States Supreme Court case which held that 'a party cannot litigate tenaciously and then be heard to complain about the time necessarily spent by his opponent in response' (footnote 11 to City of Riverside v. Rivera)."



A case of “We could, so we did?” (Imagine taking this image to the site that converts it to print in page size increments... You could wallpaper your whole house!)

http://digg.com/general_sciences/Photo_Life_Size_Blue_Whale

Photo: Life Size Blue Whale

The Whale and Dolphin Conservation Society has posted a life size picture of a Blue Whale! It's so big that a map of the photograph is included to make it easier for you to know what you are seeing.

http://www.wdcs.co.uk/media/flash/whalebanner/content_pub_en.html OR

http://www.wdcs.co.uk.nyud.net:8090/media/flash/whalebanner/content_pub_en.html
