Tuesday, February 12, 2008

Short of beating it into them, how do we get this message across?

http://www.pogowasright.org/article.php?story=20080211115706921

Two more businesses left unencrypted employee data in vehicles -- with predictable results.

Monday, February 11 2008 @ 12:30 PM EST Contributed by: PrivacyNews News Section: Breaches

Despite the highly publicized and costly Ohio breach affecting over 600,000 people due to the theft of a storage device improperly left in an employee's vehicle, and despite the more recent highly publicized theft of a laptop that contained personal information on 21,000 seniors from a vehicle belonging to an employee of the Pennsylvania Dept. of Aging, some companies or their employees seemingly continue to tempt fate -- with predictable results. Two new incidents involving theft of devices from employee vehicles have just come to light.

In the first incident, Cross Country Travcorps, Inc., NovaPro, Inc., and Assignment America, Inc. (dba "Cross Country Staffing"), a supplier of healthcare staffing services for facilities throughout the U.S., reported [pdf] that an unencrypted laptop was stolen from a corporate executive's car on February 1st.

The laptop contained sensitive personal information on an unspecified number of Cross Country Staffing employees, including their names, Social Security numbers, and addresses. In the notification letter, Joseph Boshart, Cross Country Staffing's Vice President, did not indicate whether the laptop was supposed to have been encrypted instead of just password-protected, and he did not indicate where the theft occurred, i.e., whether the vehicle was parked outside the employee's home or was in some other location.

In the second newly reported incident, David Schellhase, General Counsel for CRM software vendor Salesforce.com reported [pdf] that an unencrypted storage device had been stolen from an employee's vehicle. Personal details on the stolen device included names, Social Security numbers, and dates of birth of some of Salesforce.com's current and former employees. Schellhase's letter, dated Feb. 7th, does not indicate whether the firm's security policies had been followed or why unencrypted personally identifiable information had been left in a vehicle.

Requests for additional information from Cross Country Staffing and Salesforce.com were not immediately answered.


Another one...

http://www.pogowasright.org/article.php?story=20080212045733990

CA: Thieves swipe ID info from Modesto schools employees

Tuesday, February 12 2008 @ 04:57 AM EST Contributed by: PrivacyNews News Section: Breaches

A computer drive holding names, addresses, birth dates and Social Security numbers of all 3,500 Modesto City Schools employees was stolen early today from a Southern California data processing firm, district officials said.

... The burglary happened at Systematic Automation Inc. in Fullerton. It prints annual, customized statements for each district employee with a summary of their health and other employee benefits, said Dennis Snelling, director of business services.

... School district officials said they sent an encrypted file containing employee information to Systematic Automation, where it was apparently stored on the computer in an unencrypted format. [Shouldn't we at least double the liability when a company removes the security to make the crooks' job easier? Bob]

Source - ModBee.com



...and a local one...

http://www.pogowasright.org/article.php?story=20080211140158518

CO: Jeffco special ed students' information stolen

Monday, February 11 2008 @ 02:01 PM EST Contributed by: PrivacyNews News Section: Breaches

Letters are being sent home to approximately 2,500 Jeffco Public Schools households telling them that their students' information may have been compromised because of a crime. On Monday, Jan. 28, a special education technician had a personal laptop and jump drive stolen during a home robbery in Arvada. The jump drive may have contained the following information for as many as 2,900 special education students:

- Student name and date of birth
- Student ID number (this is not a Social Security number, but rather a school district identification number only)
- School location

If the student has received district transportation, additional information such as parent or guardian name and contact information, may also have been on the jump drive.

Source - YourHub.com



It seems to have taken them quite a while to count all these incidents. Perhaps next year they could use a computer?

http://www.pogowasright.org/article.php?story=20080211092122266

Educational Security Incidents Year In Review – 2007 (updated)

Monday, February 11 2008 @ 09:21 AM EST Contributed by: PrivacyNews News Section: Breaches

The ESI Year in Review - 2007 examines all of the information security incidents occurring at colleges and universities around the world as reported in the news during 2007.

2007 marked a significant change for information security incidents reported in the news. Among the changes are an increase in both the number of incidents reported and the number of institutions reporting a breach as well as the addition of new categories such as incident type "Employee Fraud" and information type "Username and Password".

Source - ESI
Report and Analyses [pdf]
(Update) Related -
Chronicle of Higher Education: More Colleges Suffered Data Losses in 2007 Than in 2006, Study Finds


Ditto (TJX is number one)

http://www.pogowasright.org/article.php?story=20080211092440793

2007: A Year of Record Data Breaches

Monday, February 11 2008 @ 09:24 AM EST Contributed by: PrivacyNews News Section: Breaches

See the data behind the substantial rise in identity theft and data breaches from 2007—a record year.

Since the term identity theft was coined, the number of recorded data breaches and compromises has steadily risen in both volume and severity. The following is an accounting of known data breaches and record compromises for 2007, which for the time being will go down in the annals as a record year. The original data was supplied by the Identity Theft Resource Center and has been reconfigured by Baseline's editorial staff.

The data in this article has the following information:

  • Top 25 Data Breaches of 2007

  • Chief Causes of Data Breaches

  • List Toppers By Vertical

  • Affected Records By Industry

Source - Baseline



Do we need a new law?

http://www.pogowasright.org/article.php?story=20080211163539980

With Libel Law Often Unenforceable Online, What Rules Can Be Used to Protect Reputation?

Monday, February 11 2008 @ 04:35 PM EST Contributed by: PrivacyNews News Section: Internet & Computers

Recently, as Wired reported, the online auction site eBay has decided to remove sellers' ability to give buyers a negative or neutral rating, while leaving intact buyers' ability to give sellers neutral or negative ratings. Sellers, in contrast, can now give positive feedback or none at all.

... In this first column of a two-part series, I'll consider the difference between the protection of reputation in real-life and online contexts. In addition, I'll argue that because of some serious problems with "real world" libel law, devising new online reputation-protection systems - systems that can be tweaked over time to make them fairer -- may prove over the long term to be a superior approach.

Source - Julie Hilden, FindLaw's Writ



Another interesting legal debate... Does this have the potential to invalidate the mandatory notice laws?

http://www.pogowasright.org/article.php?story=20080212064534944

Fifth Widens Circuit Split Over Psychotherapist-Patient Privilege

Tuesday, February 12 2008 @ 06:45 AM EST Contributed by: PrivacyNews News Section: In the Courts

Today, the Fifth Circuit broke new ground in a growing circuit split over whether the psychotherapist-patient privilege applies to violent threats. Defendant John Auster is a retired police officer who suffers from paranoia, anger, and depression; the fact that his worker’s compensation benefits were about to be terminated did not help matters. Auster told his two therapists that he was prepared for a campaign of violent retribution if his benefits were not reinstated. The therapists had a duty under state law to report these threats, and the government decided to prosecute Auster for extortion.

But the prosecution hit a road bump when the district court tossed out Auster’s threatening statements. Following authority from the Sixth and Ninth Circuits, the district court decided that Auster’s threats were protected by the psychotherapist-patient privilege and therefore not admissible at trial.

On appeal, the Fifth Circuit reverses.

The case is U.S. v. Auster, 07-30084 (5th Cir., Feb. 11, 2008)

Source - Decision of the Day



We probably won't get a new law, but some ethical guidelines would be interesting...

http://www.pogowasright.org/article.php?story=20080212053334603

Rethinking Surveillance

Tuesday, February 12 2008 @ 05:33 AM EST Contributed by: PrivacyNews News Section: Breaches

Video surveillance has become a fact of everyday life. Each time you withdraw cash from the corner ATM, travel through an airport or visit a national monument, your image is probably being recorded.

But you may be surprised to learn that there are no federal laws governing how these images can be used, where they should be stored, with whom they may be shared and when they must be destroyed. In this age of YouTube, TMZ and "Cops," it's hard to know where your image might reappear.

Source - Washington Post



Just in case I need some information...

http://www.bespacific.com/mt/archives/017475.html

February 11, 2008

Government Information Online (GIO): Ask a Librarian

"Through Government Information Online (GIO) you can ask government information librarians who are experts at finding information from government agencies of all levels (local, state, regional, national, international) on almost any subject from aardvarks to zygomycosis. GIO is a free online information service supported by nearly twenty public, state and academic libraries throughout the United States. All participants are designated Federal depository libraries in the U.S. Government Printing Office's Federal Depository Library Program. Many are also official depository libraries for their other types of governments and public agencies."
