Saturday, March 10, 2007

Have you looked on eBay?

Data on Border Soldiers Stolen

The Associated Press Mar 9, 2007

SACRAMENTO, Calif. - A computer hard drive containing Social Security numbers and other personal information on nearly 1,300 California National Guard troops deployed to the U.S.-Mexico border has apparently been stolen.

The hard drive was reported missing Feb. 23 from the Guard's border mission headquarters inside San Diego Naval Base, said California National Guard spokesman Lt. Col. Jon Siepmann. It contains home addresses, birth dates and other identifying information for all soldiers serving long-term assignments on the border.

The Guard notified the soldiers Feb. 28 that their information had been compromised. It advised them to begin checking credit statements and take other protective measures.

The Guard has turned the investigation over to the Navy's Criminal Investigative Division, Siepmann said.

"Our theory right now - and obviously this is an investigation that's ongoing - is that it was taken for its intrinsic value," Siepmann said of the computer. "It cost us about $450."

Investigators are focusing on whether a Guard member stole the drive, Siepmann said. It was inside a building controlled by keycard access, but about 20 Guardsmen have regular access to the room.

There must be something here that I'm missing...

Mar 8, 2007 6:25 pm US/Central

Attorney Distributes Criminal Records By E-Mail

Police Say Records Included Social Security Numbers And Other Sensitive Information That Could Leave People Vulnerable To Identity Theft

Rafael Romo Reporting

(CBS) HIGHWOOD, Ill. An e-mail newsletter in north suburban Highwood is raising eyebrows. An attorney in the area included the criminal records of reputed gang members in the message.

As CBS 2's Rafael Romo reports, a police investigation is now underway.

The report contains not only the full names and birthdates of more than two dozen minors and young adults. It also includes some Social Security numbers and other sensitive information.

Highwood Police Chief John Kearin is fuming.

It opens them up to potential identity theft and so there's a myriad of problems from this, civil and criminal,” said Kearin said.

He says the information was only intended to be used by his police officers.

We are going to try to do what we can to find out where the leak is and we are going to take whatever actions appropriate,” he said.

Highwood attorney Paul Diambri published the reports in a newsletter he distributes to about 500 people. He says there's a very valid reason why he disclosed the information.

My motivation was to publicize the fact that there was this gang activity so people would be aware of it, and secondly, hopefully, to motivate the police department,” Diambri said.

The Highwood Police Department has launched an internal investigation to find out who provided the reports to Diambri.

But Diambri says there's no need for an investigation because the reports were openly available.

Several copies of these reports were sitting out in the open in the open in the City Council Chambers at City Hall for about two months,” he said.

He's got connections in the city that he's known for years and someone could've given them to him,” Kearin said.

The newsletter, which is distributed by e-mail, may now be in the hands of thousands of people in Highwood and other places; identity theft is a real concern.

The state's attorney office has also launched an investigation to assist the Highwood Police Department with theirs.

Attention laptop users! See, it can be done.

Mar 09, 2007

Anonymization: Protecting Customer Privacy While Sharing Data

Jeff Jonas, the chief scientist and distinguished engineer at IBM’s entity analytic solutions group, has developed a means of sharing corporate data without revealing what that data contains.

Attention drug sniffing dogs! (Glade will offer a Mary Jane scented candle you can send to people you don't like.)

Does this mean “search by odor” is out?

Saturday, March 10, 2007 Last modified Friday, March 9, 2007 7:24 PM PST

Utah court: Drug odor didn't justify search without warrant

By: Associated Press -

SALT LAKE CITY -- The odor of burning marijuana didn't justify a search of a trailer without a warrant, the Utah Supreme Court said Friday.

Police officers broke through the door of a trailer in April 2003 because they believed the suspects were eliminating evidence by smoking it. The court, however, said there was no sign that Bernadette Duran knew authorities were around.

"Most significantly, there is no indication that the law enforcement officers engaged in any effort, much less a reasonable one, to reconcile their ... needs with the demands of personal privacy," the court said in a 4-1 decision.

The Supreme Court upheld a ruling by the Utah Court of Appeals. The case originated in 7th District Court in Price, which had refused to throw out evidence. Police seized guns and drugs.

The dissenter on Utah's highest court was Associate Chief Justice Michael Wilkins, who said "this was not a close call" that would require a search warrant.

"Protecting the rights of citizens does not necessarily require the handcuffing of police," he wrote.

This was obvious in the reported numbers... Wasn't it?

FBI Illegally Used Patriot Act, Audit Says

03/09/2007 7:59 AM ET; UPDATED 1:51 PM ET

WASHINGTON (CBS/AP)- The FBI improperly and, in some cases, illegally used the USA Patriot Act to secretly obtain personal information about people in the United States, a Justice Department audit concluded Friday.

And for three years, the FBI has underreported to Congress how often it forced businesses to turn over the customer data, the audit found.

FBI agents sometimes demanded the data without proper authorization, according to the 126-page audit by Justice Department Inspector General Glenn A. Fine. At other times, the audit found, the FBI improperly obtained telephone records in non-emergency circumstances.

The audit blames agent error and shoddy record-keeping for the bulk of the problems; it did not find any indication of criminal misconduct.


A Review of the Federal Bureau of Investigation’s Use of National Security Letters (Unclassified), March 2007 PDF (Full Report)

A Review of the Federal Bureau of Investigation’s Use of Section 215 Order for Business Records (Unclassified), March 2007 PDF (Full Report)

Cute short, but reading the comments is more amusing.

Big Brother State -- GENIUS animation about surveillance society

Big Brother State' is a nice animation about surveillance society with examples of trusted computing and CCTV. This is brilliant -- some of the best work on the subject I've ever seen. Watch it NOW.

[It's easier on Youtube:

Do you suppose the Chinese/North Koreans/flavor of the month, could do better?

DNS Attack Factsheet Released

March 9, 2007 News Release

ICANN has today released a factsheet concerning the recent attack on the root server system on 6 February 2006. The factsheet is intended to provide an explanation of the attack for a non-technical audience in the hope of enlarging public understanding surrounding this and related issues.

Download the DNS attack factsheet here [PDF, 289K].

If you can attend in person, you can use technology to extend your senses (hearing, sight, even memory)

New Jersey Says People Must Be Allowed To Videotape Government Meetings

from the citizen-journalists,-start-your-cameraphones dept

Remember how Virginia Republicans were upset at Democrats for videotaping them in the State House and putting the videos on YouTube? Apparently, that's not the only place where government officials have been worried about being caught on tape. Over in New Jersey, the state Supreme Court has now said that governments in the state cannot prevent citizens from videotaping public meetings (assuming that the taping doesn't interrupt the progression of the meeting). This certainly seems like a reasonable rule for a governing organization -- but politicians aren't known for being reasonable very often, which is why this case had to end up in the New Jersey Supreme Court.

Citations made easy? What next!

March 08, 2007 Citation Feature Helps Students and Researchers

News: "Item records in, WorldCat’s open-Web interface, now include a Cite this Item link that provides bibliographic citations in five common styles: APA, Chicago, Harvard, MLA and Turabian. Displayed in a separate pop-up window, the citations follow the reference standard for each style. The citations window cautions users that "formatting rules within a style can vary widely between applications and fields of interest or study," and that they should apply the specific requirements of a reviewing body."

For clueless types like me...

March 08, 2007

Civil Law Dictionary Wiki Project

From Vicenç Feliú: "Civil Law Dictionary Wiki project based on an article previously published in the Louisiana Law Review, Volume 54, Number 5, May 1994, for the use of Common Law practitioners unfamiliar with Civil Law terminology."

  • See also "JurisPedia, an encyclopædic project of academic initiative devoted to worldwide law, legal and political sciences."

I heard about this on NPR. Perhaps some of our data breach companies could use it...

Apology Letters eBook

Say "I'm sorry" with elegance and grace!

[Just a couple of samples...

... Apologize for betrayed trust

... Apologize for poor or inadequate service

Friday, March 09, 2007

I like this! Lose information, get a specific set of required actions from the Privacy Commissioner! Probably costs more than a fine, and helps secure the data!

Stolen laptop sparks Order by Commissioner Cavoukian requiring encryption of identifiable data: Identity Must be Protected

TORONTO, March 8 /CNW/ - Ontario Information and Privacy Commissioner Ann Cavoukian is ordering Toronto's Hospital for Sick Children (SickKids) to introduce a number of specific protections following the off-site theft of a laptop computer containing the personal health information of 2,900 patients of the hospital. The most notable measure required is the need to encrypt any personal data taken out of the hospital on a laptop or other remote computing device.

... The hospital must also develop and implement a hospital-wide endpoint electronic devices policy, applicable to both desktop and portable devices (laptops, PDAs), which mandates that any personal health information not stored on secure servers must either be de-identified or encrypted.

Going further, the Commissioner is telling all health information custodians in Ontario that they should never store any personal health information on their laptops or mobile computing devices unless they have taken strong steps (such as encryption) to ensure that the information is protected against unauthorized access, if the device is lost or stolen.

The Commissioner's health order is available at:

[Go direct to the PDF:

Unspecified “costs,” but another way to “fine” the offender.

Outsourcer to pay over laptop theft

IT firm to cough up for security breach

Tash Shifrin, Computerworld UK 08 March 2007

IT services firm Serco has apologised and agreed to pay costs after one of its laptops, containing sensitive data on more than 16,000 Worcestershire council staff, was stolen.

... But in a report to the council’s cabinet, financial services director Mike Weaver confirms that the sensitive data should not have been kept on the laptop, describing the security breach as “regrettable and entirely avoidable.”

... The incident had resulted in unplanned costs “which in due course will be reimbursed by Serco,” the report confirms.

I make this $574 per person just for looking at a credit report. Now if TJX compromised 40 million...

New York Attorney General Cuomo Obtains Compensation For New Yorkers Whose Credit Reports Were Accessed Illegally

Posted by Patriot on 2007/3/8 7:48:31 New York

New York insurance company to pay $229,600 in compensation to nearly 400 consumers

NEW YORK, NY (March 7, 2007) - New York Attorney General Andrew M. Cuomo today announced a settlement affecting nearly 400 New York consumers whose credit reports were unlawfully accessed by an insurance company. Under the settlement, Administrators for the Professions, Inc. (AFP), a New York insurance company, is paying $229,600 in compensation to those consumers.

Another reiteration of the obvious?

For Release: March 8, 2007

FTC Unveils Practical Suggestions for Businesses on Safeguarding Personal Information

The Federal Trade Commission is offering a new guide for businesses with practical suggestions on safeguarding sensitive data.

Protecting Personal Information: A Guide for Business,” available at, is built around five simple phrases:

TAKE STOCK. Know what personal information you have in your files and on your computers.

SCALE DOWN. Keep only what you need for business.

LOCK IT. Protect the information you keep.

PITCH IT. Properly dispose of what you no longer need.

PLAN AHEAD. Create a plan to respond to security incidents.

[Go direct to the PDF:


Featured Story: Privacy's Other Path: Recovering the Law of Confidentiality

Thursday, March 08 2007 @ 05:43 PM CST - Contributed by: PrivacyNews - Other Privacy News

Editor's Note: Great thanks to Dan Solove for letting me know that he has a new article out. The entire article can be downloaded for free and addresses a fascinating question about the divergent development of American privacy law and English privacy law.


The familiar legend of privacy law holds that Samuel Warren and Louis Brandeis “invented” the right to privacy in 1890, and that William Prosser aided its development by recognizing four privacy torts in 1960. In this article, Professors Richards and Solove contend that Warren, Brandeis, and Prosser did not invent privacy law, but took it down a new path. Well before 1890, a considerable body of Anglo-American law protected confidentiality, which safeguards the information people share with others. Warren, Brandeis, and later Prosser turned away from the law of confidentiality to create a new conception of privacy based on the individual’s “inviolate personality.” English law, however, rejected Warren and Brandeis’s conception of privacy and developed a conception of privacy as confidentiality from the same sources used by Warren and Brandeis. Today, in contrast to the individualistic conception of privacy in American law, the English law of confidence recognizes and enforces expectations of trust within relationships. Richards and Solove explore how and why privacy law developed so differently in America and England. Understanding the origins and developments of privacy law’s divergent paths reveals that each body of law’s conception of privacy has much to teach the other.

Source - SSRN

Interesting combination of hardware, lottery and liquor...

Swiping licences called no threat to buyers' privacy


HAMILTON -- A new practice in which convenience store clerks will check ID by swiping driver's licences through a lottery terminal won't violate customer privacy as suggested by government officials, Ontario's privacy commissioner said yesterday.

... Called "We Expect ID," the system would require convenience store clerks to swipe ID through lottery terminals to verify a customer's age when buying alcohol, cigarettes, adult magazines, lottery tickets or fireworks.

... "(There are) really no privacy implications because no information is being stored," [but what an attractive target! Bob] Debra Grant, a senior health privacy specialist with the privacy commissioner's office said

"It's actually more privacy protective than someone examining the driver's licence and looking at all the personal information."

... McGuinty suggested the issue might pop up again should a new high-tech driver's licence be rolled out as an alternative to passports.

Those who have not considered the “Streisand Effect” [ ] are doomed to experience it first hand.”

Surprise: Attempt To Suppress Security Research Blows Up In Company's Face

from the instant-karma dept

The big story out of last week's Black Hat security conference was that HID Global, a maker of RFID-based door entry cards, managed to prevent a demonstration of how their products were vulnerable to cloning. What made their threats particularly odious was their claim that the presenters were somehow engaging in patent infringement by demonstrating the attack. More broadly, however, this kind of intimidation is almost always a mistake. It only made the company look like bullies with something to hide. It seems that the company may already be paying the consequences for its heavy-handed actions, as the DHS is said to now be examining the vulnerability further. HID Global is now backtracking, saying that it never intended to prevent the presentation from happening, although they don't seem to explain how everybody got that impression. Either way, any hope that the company had in keeping this threat quiet is now totally lost.

Can your computer be secure in this environment?

Report of 08.03.2007 17:34

All Microsoft updates phone home

Possibly as a reaction to heise Security's report that Windows Genuine Advantage Notification sends back data to Redmond even when users choose to terminate its installation, a Microsoft developer using the pseudonym alexkoc has now posted an entry in the WGA blog. There he reveals that every update that flows through Windows Update at the very least informs Microsoft about whether the installation was successful or not.

In the Privacy Statement of Windows Update Microsoft grants itself fairly far-reaching rights.

See also:

Fun reading?

March 07, 2007

FBI Releases Annual Report to the Public

Press release: "The arm of the FBI that investigates financial crimes ranging from underground pyramid schemes to institutionalized fraud in the nation’s corporate suites has issued its annual report detailing the most prevalent types of schemes investigators tackled in 2006. The Financial Crimes Report to the Public is prepared each year by the Financial Crimes Section of the FBI's Criminal Investigative Division. The report, which covers a 12-month period ending September 30, 2006, explains in detail dozens of fraud schemes, tallies FBI accomplishments combating the crimes, and offers tips the public can use to protect itself."


Notes On Vista Forensics, Part One

Jamie Morris 2007-03-08

... What does BitLocker mean for forensic examiners? In a recent, and highly recommended, Cyberspeak podcast [ref 5] Jesse Kornblum talks in some detail about the impact of BitLocker and the growth in importance of memory analysis for first responders. In the discussion with the show's hosts which follows, the suggestion is made that now may be the time when memory capture (and subsequent analysis) becomes the accepted norm for forensic examiners when first approaching a suspect machine, rather than the more traditional option of "pulling the plug." Undoubtedly, BitLocker presents a challenge - after all, one of Microsoft's goals with BitLocker is to protect data even when the storage device has been removed from the user's physical control, a scenario not entirely dissimilar to lawful seizure!

Could be useful...

Coffee Talk in the Teachers' Lounge

3/08/2007 11:45:00 AM Cristin Frodella, Manager, Google K-12 Programs

Since we launched our resource for educators in October, many of you have been in touch with us. "Hey, Google," you've said, "Thanks for the site. Now how 'bout letting us talk to you--and more importantly, to each other?"

You wanted a place where you could send feedback, lesson ideas, and classroom activities, or just meet some of your fellow teachers. Ok, ok! We're good students. We know how to learn from the experts. Thanks to your input, we've created the Google for Educators discussion group. We invite you to visit the group today, to let us know your thoughts and to reach out to other folks in the world of classrooms and libraries. Help us understand how to make Google for Educators a more valuable tool for you—and share the kind of information that can help give students the best education possible.

Oh, and, while you're at it, why not give our site another visit? We've added tools, activities, classroom posters, and a new RSS feed to the Infinite Thinking Machine, a Google-sponsored blog written for teachers by teachers. We look forward to seeing you there.

Labels: Google for Educators

This could be most interesting. Apparently still in Beta and keeping a low profile...

Google Keyword Tool Showing Number of Previous Month's Searches

Just caught this development this morning.

Surprise! You could see this one coming from a mile away!

Feds Seek To Gag D.C. Madam

Prosecutors fear leak of sensitive client, escort information

MARCH 7--Federal prosecutors want to gag an indicted former Washington, D.C. madam who has recently threatened to go public with details about her former customers.

... In their motion, a copy of which you'll find below, government lawyers claim that some discovery documents contain "personal information" about Palfrey's former johns and prostitutes that is "sensitive." The prosecution filing does not detail the nature of this confidential information,...

Thursday, March 08, 2007

Inadvertent” means, “We didn't know it worked that way.”

Census Bureau admits privacy breach

By STEPHEN OHLEMACHER ASSOCIATED PRESS WRITER Wednesday, March 7, 2007 · Last updated 11:23 a.m. PT

WASHINGTON -- The Census Bureau inadvertently posted personal information from 302 households on a public Internet site multiple times over a five-month period, the bureau said Wednesday.

... The information was on and off the public Web site from October to Feb. 15 as Census employees working from home tested new software, Cymber said. The workers were supposed to use fictitious information to test the site, but they inadvertently mingled data from the bureau's Current Population Survey, a monthly survey best known for generating the nation's employment statistics.

Cymber said the real and fictitious data were indistinguishable. [The test file is probably not labeled “Real Data” Why would employees working from home even have access to this data? Bob] The information could have been accessed through a search engine on the Census Bureau's Web site used to disseminate large data files. She said she didn't know whether the data actually was accessed by anyone. [Look at your logs! Bob]

... The affected households were located in Alabama, Alaska, Arkansas, Arizona, California, Colorado, Delaware, Florida, Connecticut and Washington, D.C.

Not Google's problem.

Google shock for Los Rios

By Eric Stern and Dorothy Korber - Bee Staff Writers Published 12:00 am PST Wednesday, March 7, 2007

A community college student who was "Googling" himself last month found some disconcerting information when he typed his name into the popular Internet search engine.

A Los Rios Community College District database popped up that included his name, birth date and Social Security number. The file also contained data on about 2,000 other students.

"We didn't think [all too common. Bob] the information was open to Google," said Susie Williams, a spokeswoman for the Los Rios schools. "It was a shock to learn they were able to do it."

... A Web site by Johnny Long,, includes a database of hundreds of sneaky Google-search tips, such as adding "not for distribution" or "confidential" into query searches. Typing "filetype:xls" will spit out Microsoft Excel spreadsheets.

In the case of Los Rios, staff members were testing a new online application system and "just grabbed some files" to upload, [“Live” files are not the recommended way to test applications. For one thing, they rarely contain all possible variations of the data – and should never contain “bad data” that the application must detect and “handle.” Bob] said Williams, the college spokeswoman.

"Google had come along and indexed this little test batch," Williams said. "The data was on what we thought was a secure part of our Web server." [“we thought” translates to “we assumed” Bob]

... After checking the Los Rios Web logs, which track computer addresses of people accessing the school's site, Williams said only the one student who spotted the information -- and his wife -- clicked on the file. [Have they checked the Google archives? Bob]

In case you don't know it, I like free stuff. Professor Alexander tipped me to this one... Registration required!

What You Don’t Know Can Kill You (or At Least Your Organization)

Register now for this FREE live Web broadcast.

Tuesday, March 13, 2007 11 AM PDT / 2 PM EDT

Heavy fines and penalties await those who don’t “know what they should have known.”

* A major oil company was fined more than $2 million for not knowing and acting on the circulation of sexually harassing emails.

* A major aerospace company estimates that it averages two discovery requests a day from legal, at a cost of $1 million for every 15 emails retrieved. [Now that I don't believe. Bob]

* Companies are fined millions of dollars every year for failure to archive information — and at least 20% of these fines are not due to intentional misconduct.

I wonder if anything useful will be generated? Would be nice to see this as a webinar like in the previous article.

Visa summit will counter data breach hype

D.C. event will argue breach fallout not that widespread

By Matt Hines March 07, 2007

Credit-card payments giant Visa is hoping to shed new light on problems like consumer data theft and identity fraud through a conference that will bring together leaders from the business, government, and technology communities to discuss security for the electronic payments industry.

Hosted in partnership with the publishing arm of Harvard Business School, the day-long set of briefings is being held March 8 in Washington under the banner "Maintaining Trust in Payments Summit."

In a series of panels, controversial topics like the amount of time companies should be allowed to wait before disclosing data breaches to card issuers and consumers will be up for debate, as will the role of the government in providing protection for consumers and industry.

Told ya!,1895,2101683,00.asp

Report: Some Companies Lose Data Six Times a Year

By Lisa Vaas March 7, 2007

TJX's massive data loss is just the tip of the iceberg.

Almost seven out of 10 companies—68 percent—are losing sensitive data or having it stolen out from under them six times a year, according to new research from the IT Policy Compliance Group. An additional 20 percent are losing sensitive data a whopping 22 times or more per year.

... The good news to come out of the group's survey is that 12 percent of surveyed organizations are losing sensitive data less than twice each year.

... "In the high-90 percent of these organizations that have very few losses consider the IT security-side data as their most important and sensitive data," he said in an interview with eWEEK. "The rest of the universe doesn't value IT and audit information as highly."

As a matter of fact, the respondents that rated financial data as their most important and sensitive data turn out to have high data losses, Hurley said.

... The takeaway is that those organizations that focus in on protecting the keys to the kingdom—i.e., those that track who has access to data and also protect the knowledge of how to get access to data—are doing "very well," comparatively, Hurley said.

... "Frequency of monitoring appears to have been stepped up by organizations doing well with lack of high data losses," he said. Those organizations doing poorly aren't paying attention to IT security controls and evidence logs of what happened during a data loss incident, he said.

Another finding: Losing data is expensive. Companies that publicly reported a data loss or breach had to shell out, on average, 8 percent per customer to report the loss, notify the customers and restore the data. The average loss of revenue was 8 percent as well. The cost on average to notify customers and to clean up and restore data was $100 per record.

[An excerpt is available at:

No surprise. It has to be simple enough for bureaucrats to understand.

RFID Passports Cloned Without Opening the Package

Posted by ScuttleMonkey on Wednesday March 07, @02:05PM from the step-one-cut-a-hole-in-a-box dept. Security Technology

Jeremy writes to tell us that using some simple deduction, a security consultant discovered how to clone a passport as it's being mailed to its recipient, without ever opening the package. "But the key in this first generation of biometric passport is relatively easy to identify/crack. It is not random, but consists of passport number, the passport holder's date of birth and the passport expiry date. The Mail found it relatively easy to identify the holder's date of birth, while the expiry date is 10 years from the issue date, which for a newly-delivered passport would clearly fall within a few days. The passport number consists of a number of predictable elements, including an identifier for the issuing office, so effectively a significant part of the key can be reconstructed from the envelope and its address label."

This could never happen here...

Computer Foul-up Breaks Canadian Tax Filing System

Posted by samzenpus on Thursday March 08, @02:00AM from the great-white-mix-up dept. Bug IT

CokeJunky writes "During a weekend maintenance window, the Canada Revenue Agency (Fills the same role as the IRS south of the border) experienced data corruption issues in the tax databases. As a precaution, they have disabled all electronic filling services, and paper based returns will be stacking up in the mail room, as returns cannot be filed at all until the problem is fixed. Apparently on Monday they discovered tax fillings submitted electronically where the social insurance number, and the date of birth were swapped."

Business opportunity: HIPAA Privacy Plan generator! “No need to take action! Just enter a few facts (right off the complaint) and this software generates a 96 page plan that you can submit to HHA, then ignore!”

Is There Bite to HIPAA’s Privacy Rule?

By Selena Chavis For The Record Vol. 19 No. 5 P. 12 March 5, 2007

Chew on this: 24,000 HIPAA-related complaints, zero fines to covered entities. Sounds like a toothless rule, but some say misconceptions mask the fact that it’s doing its job.

It’s been the typical scenario for valid privacy complaints under HIPAA, say many legal experts. Consider that a nurse leaks sensitive information about a patient’s health status to someone outside the scope of the person’s medical care. Whether malicious or accidental, it’s a privacy breach that definitively falls under the protection of the HIPAA privacy rules that were fully enacted in 2003, says attorney Heather Fesko, partner with Chicago-based McGuireWoods law firm.

In this real-world scenario offered by Fesko, a complaint was filed with the Office for Civil Rights (OCR) of Health and Human Services (HHS) by the individual who was the subject of the privacy breach. HIPAA requires that the complaint be filed against the covered entity where the offense occurred rather than an individual—in this case, a hospital client of McGuireWoods.

In an effort to show voluntary compliance, the hospital submitted a plan for necessary corrective action to the HHS. The plan satisfied the HHS, and a letter of closure was submitted to the hospital.

... The scope of HIPAA allows for CMPs of up to $100 per violation and up to $25,000 per year for each requirement or prohibition violated. Criminal penalties apply for certain actions such as knowingly obtaining protected health information in violation of the law. Criminal penalties can reach up to $50,000 and one year in prison for certain offenses; up to $100,000 and five years in prison if the offenses are committed under “false pretenses”; and up to $250,000 and 10 years in prison if the offenses are committed with the intent to sell, transfer, or use protected health information for commercial advantage, personal gain, or malicious harm.

... Attorney Kevin Paul, HIPAA privacy expert with Denver-based Parsons, Heizer, and Paul, notes that the HHS never really considered that CMPs would be the initial course of action toward their efforts to enforce compliance. “In part, that made sense due to the size of the privacy rule,” he says, adding that the rule is filled with jargon and many new processes and procedures. “It was thought that there might be some misconceptions about the scope of the obligations.”

... A clear picture of whether entities are doing the “right thing” is exactly what is missing from the HHS, says Goldman. Relaying that there is currently no hard data available from the HHS that details the nature or severity of the complaints or the number of repeat offenders, Goldman emphasizes that it’s impossible for the general public or entities such as the Health Privacy Project to know whether voluntary compliance is truly addressing the problem.

It would be great if OCR would audit how the voluntary compliance is working,” she says, adding that without any civil enforcement actions, the only big enforcement news has been on the criminal front involving the U.S. Department of Justice (DOJ).

The HHS spokesperson also referenced these cases, noting that complaints considered more criminal in nature are most often referred for review by the DOJ. Since HIPAA, three criminal cases have been filed by the DOJ invoking HIPAA, two of which ended in convictions.

... Fesko believes that if there were more focus on individuals rather than covered entities, it would be easier for covered entities to enforce HIPAA. The OLC opinion does find that the law can apply to a few individuals, including certain directors, officers, and employees who may be criminally liable. The opinion emphasizes that criminal liability will apply especially when “the agents act within the scope of their employment.” For example, in a case where a covered entity makes a decision to sell patient data in violation of HIPAA, employees who act criminally but within their job description could be criminally liable.

Now that's good lawyering...

EFF Lawyer gets Google to reverse her unfair YouTube DMCA takedown

"On Chilling Effects we see many DMCA takedowns, some right and some wrong, but very few counter-notifications. Part of the problem is that the counter-notifier has to swear to much more than the original notifier."

Geek stuff? Another example of a company offering proof that they know more about a subject (computing) than any of their competitors. Try a search on Privacy or Identity Theft...

March 07, 2007

Free Access to Current and Historic IBM Systems Journals Online

Via Metafilter, this link to current issues of the IBM Journal of Research and Development and the Systems Journal (no fee) as well as to a Special Report - Celebrating 50 years of the IBM Journals: "Since the first publication of the IBM Journal of Research and Development in 1957 and the IBM Systems Journal in 1962, these Journals have provided descriptions and chronicles of many important advances in information technology and related topics ranging from atoms to business solutions. To celebrate the 50th anniversary of the IBM Journals, this report highlights a selection of significant papers published in the Journals, along with brief commentaries."

So, what are you going to do about that?

Law Students Say Message Board Postings Are Costing Them Job Offers

from the if-it's-online-it-must-be-true dept

As people increasingly live and document their lives online, stories about potential employers doing web searches on job candidates and turning up information candidates would rather not have them see -- information that often costs them a shot at the job -- are becoming more common. The Washington Post has a front-page story on this topic today, focusing on some law-school students who aren't having a lot of luck finding jobs, and blaming it on message board postings. What makes this story a little bit different is that the students didn't make the postings themselves, they're just the subject of certain threads and messages -- some which could possibly be viewed as defamatory, while others are simply unbecoming (such as a discussion of a female student's breasts). The employers weren't finding the students' MySpace pages or blogs, or other sites documenting their personal lives, but rather their inadvertent digital resumés were being created by other people. The article seems to put the blame on the owner of a particular site that's popular among law students, but that's misplaced -- perhaps the more questionable activity is on the part of employers who are using this information. If they're going to search the web, they need to have the understanding that people can't control what other people say or post about them (similar to the idea of hearsay in a courtroom), and that not every mention that casts a student in a poor light is true, or an indication of their character. It's also not entirely clear why potential employers should consider many of these comments relevant to their hiring decisions, though one person says law firms are afraid of candidates who could attract controversy. Of course, it's also possible that comments a person labels as "defamatory" may be unflattering, but true. While site owners have no legal liability for what third parties post on their sites, thanks to Section 230 of the Communications Decency Act, at least one company senses an opportunity here, and searches for potentially damaging content online and "destroy it on behalf of clients", which we'll assume to mean they drown site owners with cease and desist orders and threats of lawsuits akin to legal bullying. All in all, this sounds like quite a bit of overreaction -- not just on the students' parts, but from their potential employers, too.

As if using cell phones while driving isn't bad enough... (Perhaps we could get a few BMWs to test-drive?)

Google Maps Send to Car

3/07/2007 09:40:00 AM Posted by Thai Tran, Product Manager

On the Google Maps team, our goal is not only to help you find local businesses, but also to enable you to quickly connect with those businesses, wherever you are. To that end, we recently introduced the ability to call businesses in the U.S. directly from Google Maps, and, as of today, users in Germany can send a business listing found on Google Maps Deutschland directly to cars enabled with the BMW Assist service. Drivers can then set it as the destination for the in-car navigation system, or they can call the business from within the car. No more having to write down the address and re-enter it in the car -- now you can just click and drive! Here's a video showing how this feature works (German version). We've partnered with BMW because they're a leading innovator in the automotive space, and they share our vision for a network-connected world.

As additional devices come online, we're excited to see what is possible, and we'll continue working to make the information that you need available to you when and where you need it.

Google hacks. Perhaps you should look in your back yard?

Wednesday, March 7, 2007

Super-Close Google Maps Zooms

Holy moly that is a close up zoom of a camel (see my screenshot above) – and it works for other place on Google Maps too! Yes, it turns out that you can zoom in much more deeply onto Google Maps by doing this:

  1. Select a location and switch to satellite view

  2. Zoom in as far as you can, and click “link to this page” at the top right

  3. Now replace the “z” parameter in the URL with a higher value, e.g. 20, 22, or 23, and wait. Some locations will now show more detailed imagery

The French Ecrans website and Geotrotter have more on this.

Wednesday, March 07, 2007

If you can't figure out how to comply with the law – change the law so you are already in compliance.

House votes to allow release of SS numbers

Associated Press March 6, 2007, 1:06AM

AUSTIN — The state House approved a measure Monday that would allow county and district clerks to release Social Security numbers under the Texas Public Information Act, despite an opinion to the contrary last month from the Texas attorney general.

The bill by Rep. Jim Keffer, an Eastland Republican, would change existing law to declare that a Social Security number is not confidential.

It states that county or district clerks can disclose those numbers contained in information held by their offices without being subjected to civil or criminal liability. The measure also would require the public official to establish a procedure for redacting a Social Security number if a person requests it. [This is an after-the-fact Opt-Out procedure Perhaps we could work recall of politicians the same way? Bob]

Many local officials had interpreted the current law, which was designed to prevent identity theft, as a suggestion more than a requirement. But Attorney General Greg Abbott clarified last month the numbers must be removed before a document is made public. After his ruling, county clerks rebelled, saying they didn't have the staff nor money to redact all the numbers right away.

Is any of this new?,289142,sid14_gci1246423,00.html

Gartner: IT departments lack finances to protect data

By Bill Brenner, Senior News Writer

06 Mar 2007 |

Data breaches like the one TJX recently disclosed are starting to take a heavy toll on consumers, according to the newly-released results of a Gartner Inc. survey.

The Stamford, Conn.-based research firm said in a report released Tuesday that 15 million Americans suffered from identity theft between mid-2005 and mid-2006. That's a 50% increase since 2003, when the Federal Trade Commission (FTC) reported 9.9 million American identity theft victims. The people Gartner surveyed weren't affected by the more recent TJX breach, but that company's mistakes mirror the failures of other merchants to protect customer data, said Avivah Litan, a vice president at Gartner.

"This survey shows that the efforts of IT professionals to protect customer data aren't working very well," she said. "It has taken a lot of work to get companies compliant with the PCI Data Security Standard (PCI DSS) and in many cases IT departments aren't getting the necessary financial support from upper management."

Litan's research included an online survey of 5,000 U.S. adults. Based on feedback from those respondents, she found that:

  • The average victim lost $3,257 in 2006, up from $1,408 in 2005.

  • The percentage of funds consumers managed to recover dropped from 87% in 2005 to 61% in 2006.

  • The average loss on new account fraud more than doubled from $2,678 in 2005 to $5,962 in 2006.

  • Unauthorized charges to credit cards rose nearly fourfold from an average of $734 in 2005 to $2,550 in 2006.

... Using the TJX breach as an example, she said one of the retail giant's biggest mistakes was storing credit card data it didn't need to store. Several auditors who check companies for violations of the PCI Data Security Standard (PCI DSS) made the same observation last week, and said TJX will almost certainly pay a heavy financial price for its PCI DSS violations.

... Regardless of the method used to steal data to commit new account fraud, Litan said this kind of fraud can be largely prevented if companies use identity verification and scoring services.

I wonder if bureaucracies are incapable of a non-political, straight answer? (same problem with VA and FBI?)

USDA Gave Lawmakers False Data on Security Breaches (updated)

Tuesday, March 06 2007 @ 04:43 PM CST - Contributed by: PrivacyNews - Breaches

The U.S. Department of Agriculture gave erroneous information to lawmakers about its security compromises, understating thefts of computers that contained confidential data on farmers' social security numbers and payments, according to an audit by the USDA's Inspector General.

The department responded to a congressional inquiry last July by saying there had been eight instances of lost or stolen federal laptops from its offices since 2003, a copy of the USDA letter shows. In fact, there were at least 17 instances between October 2005 and May 2006 alone, the Inspector General said in the audit, which was released today.

The agency also failed to notify the farmers, ranchers, small businessmen and Agriculture Department employees whose personal information was in the stolen files, the Inspector General said.

Source - Bloomberg

Related - Reuters: USDA lacked controls to protect stolen data: report

Related - Report No: OIG74.02: Information Technology – Stolen Computer Equipment Containing Sensitive Information [PDF]

Attention Security Managers, e-Discovery lawyers... Your Word Processor is calling...

Microsoft Office finds its voice

By Marguerite Reardon Story last modified Wed Mar 07 04:45:46 PST 2007

After months of anticipation, corporate customers will soon get their hands on a beta version of Microsoft's voice over IP software, an event that marks an important step in the evolution of corporate communications.

... But more than adding a new competitor to the mix, Microsoft's entry into the corporate telephony market also marks the next evolution in communications. Tying voice services into Microsoft Office applications turns telephony into another software feature rather than making it a separate and standalone product that requires its own hardware and team of technicians to purchase, install and manage it.

... "Users just want an easy and intuitive way to communicate," O'Sullivan said. "So that means that we have to bring communications to different applications. Whether they use Microsoft, Lotus Notes, SAP or Oracle, we can easily integrate our technology."

Gee golly gosh, what a great idea! I bet we could do that here too!

Security agencies could access health card data


Asio and the Federal Police will not need a warrant to get information held on the Government's new health and welfare Access Card or on its related databases - including one holding the biometric data of almost all Australians - a parliamentary inquiry has heard.

I wonder what (if any) guidelines these employees were given? I suspect this practice is quite common.

Illegal snooping suspected

WTVG-- March 6, 2007 - Lexus Nexus provide a wealth of information on people's background. The website isused to dig into the backgrounds of people and it may have been misused by Lucas County employees.

Now there are reports of them using the site improperly. Employees are accused of logging onto their computers, pulling up the website and surfing for information on people they weren't authorized to check out. The information obtained could be sensitive and personal, like addresses, dates of birth and Social Security numbers. The department took out the system for its investigative department to help detect welfare fraud and to conduct employee background checks. The team has been able to confirm higher-ups in the department were tipped off to the possible problem this past November, and to date, five employees have been put on administrative leave with pay in connection with the investigation.

At this time, administrators say they aren't sure if there was any misuse of the search engines. They are working with Lexus Nexus to see who exactly employees were checking out. They hope to have that information later this month.

If you can't get the laws you want in this country, get them elsewhere, then point to them as a model for new laws here. “See! Everyone else is doing it!”

Cybercrime Treaty — Hidden Costs For All

Posted by kdawson on Tuesday March 06, @08:02PM from the externalizing-costs dept. The Internet

linuxtelephony writes in with an article at CIO Insight about a cybercrime treaty drafted in Europe with help from the US. It has implications for just about everyone with a network.

From the article: "Civil libertarians are especially concerned about the sweeping authority given to participating countries to seize information from private parties as they investigate cybercrimes, even when the activity being investigated isn't a crime in the country where the data is located... Telecommunications companies object to provisions that require member countries to establish and enforce potent data-retention policies for network traffic, and require any operator of a computer network to respond to requests for information from any participating country without compensation of any kind... The provisions for data retention and production apply to any operator of a computer network, not just telecoms... Worldwide law-enforcement agencies, in other words, may now avail themselves of the opportunity to outsource their most expensive problems to you."

Interesting comment: “Too many people are trying to make others do work for them for free. There's only so much attention to go around. And we're running out.” (The graph of government expenses is interesting...)

IBM Many Eyes After One Month

Posted by Hemos on Tuesday March 06, @01:59PM from the measuring-the-web dept. The Internet IBM

ReadWriteWeb writes "IBM's Many Eyes app, a 'shared visualization and discovery' service, has been running for a month now. In this article two of the IBM researchers behind Many Eyes, Martin Wattenberg and Fernanda B. Viégas, showcase some of the best visualizations so far. They also talk about the future of 'social data analysis' on the Web. Wattenberg and Viégas believe that Many Eyes is not just social software, but 'societal-scale software.' They say that Many Eyes represents a break from conventional visualization research. Traditionally, computer scientists concentrate on scaling in terms of data, making visualizations work for bigger and bigger databases. IBM's agenda with Many Eyes is to scale the audience, not the data."

I doubt Bill Gates will give up flying...

FAA May Ditch Vista For Linux

Posted by kdawson on Wednesday March 07, @08:07AM from the hello-Google dept. Linux Business Microsoft

An anonymous reader writes "Another straw in the wind: following last week's news that the US Department of Transportation is putting a halt on upgrades to Windows Vista, Office 2007, and Internet Explorer 7, today comes word that the Federal Aviation Administration may ditch Vista and Office in favor of Google's new online business applications running on Linux-based hardware. (The FAA is part of the DOT.) The FAA's CIO David Bowen told InformationWeek he's taking a close look at the Premier Edition of Google Apps as he mulls replacements for the agency's Windows XP-based desktop computers. Bowen cited several reasons why he finds Google Apps attractive. 'From a security and management standpoint that would have some advantages,' he said."

Life just gets easier...

March 06, 2007

New, Free Searchable Database of Federal Register Rules and Notices

Tim Stanley and the Justia team keep rolling out new services for the legal community that assist us in accessing essential government documents via user-friendly websites, with accompanying RSS feeds and customized search capabilities. Today news is about the launch of a free, searchable database of Federal Register Regulations, Proposed Rules and Notices. This site parses the subject and topical content, as well as document type, from each daily Federal Register Index, and allows users to browse the content, and create a custom filter of specific content of interest. The site supports RSS feeds for each agency's respective documents, specific to document type as well.

Bill Gates is NOT on this list.,129301/printable.html

The 50 Most Important People on the Web

Here's who's shaping what you read, watch, hear, write, buy, sell, befriend, flame, and otherwise do online.

Christopher Null, PC World Monday, March 05, 2007 01:00 AM PST

My picks...

First Look

Each week First Look summarizes new working papers, case studies, and publications produced by Harvard Business School faculty.

Slippery Slopes and Misconduct: The Effect of Gradual Degradation on the Failure to Notice Others' Unethical Behavior

Authors: Francesca Gino and Max H. Bazerman

Brightcove and the Future of Internet Television

Harvard Business School Case 707-457

Check the one on “anti-Smiley Face” emoticons... 'cause I'm a ( e=mc2 )

Scribd “YouTube for Documents” Gets $300K

Nick Gonzalez

Scribd, a site for sharing documents, is coming out of private beta this morning with a fresh Angel investment of $300K on top of their original Y Combinator nest egg of $12,000. Scribd is most easily described as a text version of YouTube. It is a social network that lets you tag, share, and comment on uploaded documents (.doc, .pdf, .txt, .ppt, .xls, .ps, .lit).

Scribd is not just a carbon copy of YouTube. They borrowed a lot of the basic design principles, but also took advantage of the written format by including flexible file formats for download and upload along with some interesting analytics tracking. Documents can be displayed and embedded as html or the under-utilized, and faster-than-a-pdf, Flash paper format. They can be downloaded as .pdf’s, .docs, .txt, and even .mp3 files. The mp3 version is created by Scribd’s text-to-speech package (powered by Nuance) that lets you listen to the text of your document [No doubt my students will use this to “read” their textbooks Bob] in a quivering British accent (downloadable example here). People have uploaded all sorts of documents for the private beta, like this guide to dating and seduction for dummies, or this less than legal copy of Visual C++ in 21 days. Scribd also lets you “geek out” on all the analytics generated by documents you post, such as how many votes and views your piece gets, as well as geographic location and http referrer that brought the reader there.

We’ve seen a lot of different social networks pop up around different mediums, photos, video, and even audio, but dominating a medium is no guarantee of an easy business model, as the “For Sale” sign on audio-focussed Odeo reminds us. So far social sites around the written word have dealt with books, rather than user generated, or at least user-uploaded content. Scribd lets people do something new, we just need to wait and see how far people go with it.

See our coverage of SlideShare as well.

Sometimes you need sophisticated scientific/technological tools like this one..

The Much Needed Beer Calculator

Michael Arrington

If you want to know exactly how many kegs of beer, pounds of ice and number of cups you need to get everyone at your party hammered, give Kegulator a whirl. Tell it how many guests you are having, use their Ajax slider to set how drunk everyone will get, and the site will spit out the supplies necessary to achieve your goal. If you’re Canadian, use Beer Hunter afterwards to figure out where to buy all that stuff. Or use the open source beer recipe and make your own.