Tuesday, March 20, 2007

Comments from an IT Auditor: Audits look at EXISTING data. That means no one looked at (or understood) this data before the auditors got there – even though they knew an earlier incident had occurred. Isn't that negligence?

http://www.southbendtribune.com/apps/pbcs.dll/article?AID=/20070319/News01/70320010

71,000 people have personal information hacked in Indiana

By Samuel King WSBT-TV Reporter March 19, 2007 6:59AM

A hacker has accessed the personal information of thousands of people across the state of Indiana. The state says the hacker got into a state database of licensed nursing assistants and home health aides.

Earlier this year WSBT News reported a hacker accessed 5,600 credit card numbers from the state's website.

The state performed an audit and discovered the same hacker got into the database of nursing assistants.

That's when a letter went out to the 71,000 people affected.



Wow, a reprimand. How severe is that!

http://www.cbc.ca/cp/business/070319/b0319100A.html

Posting of children's details triggers reprimand for Alberta energy regulator

Published: Monday, March 19, 2007 | 5:55 PM ET Canadian Press: JAMES STEVENSON

CALGARY (CP) - Alberta's energy regulator has been reprimanded by the province's privacy commissioner for posting personal information that included details about children on its public website.

Both the Alberta Energy & Utilities Board and West Energy Ltd. (TSX:WTL) were found in breach of the province's privacy and personal information protection acts in an electronic well licence application.

Details on the regulator's website included children's names, school pickup times and when they would be home alone.

The information was included in emergency plans electronically filed by the company for two proposed sour-gas wells in the Drayton Valley area southwest of Edmonton.

It also included specifics about which homes in the area would be vacant.

The privacy commissioner's investigation concluded that the board didn't have "reasonable security arrangements" in place to stop such private information from being posted automatically.



Nowhere in your sensitive data control plan is there an exception that allows you to “abandon the data”

http://abclocal.go.com/ktrk/story?section=local&id=5133984

Sensitive documents found in CVS store dumpster

By Stephanie Guadian

(3/19/07 - KTRK/LIBERTY, TX) - Private, personal documents, with everything from social security numbers to credit card numbers, were found discarded in a Liberty dumpster, putting many people at risk for identity theft.

The records were found behind a popular drug store which may be responsible for putting them there.

"Speaking as a former, convicted identity thief, this is the motherload," says a man who does not want to be identified.

The self-proclaimed ID thief found hundreds of sensitive documents with names, addresses and credit card numbers lying next to a dumpster. At one time, this find would have been like winning the criminal lottery for this man.

"It was very tempting," he said. "You know how usually an alcoholic will call a sponsor? I had to call the news."

The dumpster was behind what used to be a CVS pharmacy. Just last week the store closed its doors and relocated to another part of town. We were shocked to see what was left behind as trash - hundreds of receipts [so it should be easy to confirm who dumped the data Bob] with customer credit card numbers and expiration dates. We also found files belonging to former employees like Misty Sparks. She wasn't hard to find since we had all of her information.

"I figured it would have been shredded by now," Sparks said. "Not just lying out on the road for somebody to pick up."

We also called Judy Johnson after finding her name in the stacks of paperwork.

"I don't like it at all," Johnson said. "I mean I try to protect this from happening you know. I don't like my personal information being available to anybody that walks by and gets it out of the dumpster."

Employees at the newly reopened CVS pharmacy directed us to call corporate headquarters, but just a short time later, we came across the store's manager at the dumpster. The sensitive trash had been picked up and loaded into his car.

"I've cleaned it all up," he said. "Anything that was in there was a mistake, I mean it wasn't just something…this is not a common practice."

It's not clear whether or not any personal information was stolen from the dumpster. The two women we talked to earlier say they are already willing to take legal action.



Eventually, even the dumb ones will catch on? (Note that not all 'offenders' are tiny little mom & pop stores.)

http://www.realtime-itcompliance.com/privacy_and_compliance/2007/03/over_100_facta_lawsuits_filed.htm

Over 100 FACTA Lawsuits Filed in California Against Businesses Printing PII on Receipts; Are You In Compliance With All FACTA Requirements?

I read with interest an article in today's issue of the BNA Privacy & Security Law Report about over 100 lawsuits that have recently been filed within the California federal courts because of the amount of personally identifiable information (PII) that is printed on credit and debit card receipts.

... The list of defendants in these suits includes Chanel Inc.; Toys-R-Us Delaware Inc.; Rite Aid Corp; Costco Wholesale Inc.; The Walt Disney Parks and Resorts; California Pizza Kitchen Inc.; El Pollo Loco; Levy Restaurants; United Artists Theatre Circuit Inc.; FedEx Kinkos Office and Print Services Inc.; Valero Energy Corp.; and Avis Rent-A-Car Systems Inc.

Businesses should realize that even though the suits were filed in California, FACTA is a Federal law, and all companies doing business throughout the U.S. need to comply.

... Plaintiffs can recover a minimum of $100 and up to $1,000 in statutory damages per willful violation of the law under FACTA.

... FACTA also has requirements for businesses to securely dispose of PII. These are elaborated upon in the Disposal Rule.

Another requirement is to ensure the PII you are responsible for is accurate.



They still don't get it. The point is to stop the loss of data, not to restrict employees to obsolete hardware (can you still buy thumb drives as small as 2GB?)

http://www.pogowasright.org/article.php?story=20070319065555179

VA gives thumbs down to thumb drives

Monday, March 19 2007 @ 06:55 AM CDT - Contributed by: PrivacyNews - Fed. Govt.

After a series of incidents over the past several months involving missing data, federal agencies are writing policies that restrict the use of mobile storage devices such as thumb drives. At the forefront of that trend is the Department of Veterans Affairs, which lost data on 26.5 million current and retired veterans last year when one of the department’s computers was stolen from an employee’s home.

A number of agencies say they are abandoning a culture in which almost everyone could take information out of the office on a mobile device and are creating a new culture in which people must justify taking any data off the network, where it is relatively secure.

The VA plans to institute a policy, beginning in April, that will require employees to use only approved thumb drives that hold no more than 2G of data and meet the National Institute of Standards and Technology’s Federal Information Processing Standard 140-2 for encrypting data.

Source - FCW



Implications for surveillance cameras?

http://blog.nj.com/ledgerupdates/2007/03/peeping_tom_law_can_be_used_ag.html

Peeping Tom law can be used against shutterbugs

Posted by The Star-Ledger March 19, 2007 11:47AM

An invasion of privacy law designed to crack down on electronic Peeping Toms can be used to prosecute two shutterbugs accused of photographing females with partially exposed backsides and inner thighs at public gatherings, a judge ruled this morning.

"A woman has a reasonable expectation of privacy underneath her skirt,'' said Superior Court Judge Salem Ahto, sitting in Morristown.



Apparently no transcript of the talk itself...

http://www.eweek.com/article2/0,1759,2105506,00.asp?kc=EWRSS03119TX1K0000594

The Now-What of Losing Customer Data

By Lisa Vaas March 19, 2007

ORLANDO, Fla.—Uh-oh, Sales has lost a laptop. The nightmare that ensues brings a host of uncertainties: Exactly what data was on that thing? How do you define nonpublic, private or confidential information? What constitutes a breach or a mass data compromise? What are your obligations to protect that data, and what are your organization's obligations regarding notifying the potential victims of identity theft?

These are just some of the questions you should answer before the laptop is lost, the BlackBerry is stolen or the database is hacked, said Mark Everist, a director of audit for American Express, during a session titled "Ensuring Customer Notification of Unauthorized Access" here at the InfoSec World Conference & Expo on March 19.

... What organizations should do to prepare for the next breach, he said, is to consider their ability to detect the data compromise. Does the organization know where the data is located, and what safeguards and detection ability surround it? Has the organization assessed its exposure to the variety of threats?

Organizations also should consider their readiness to react, Everist said. For example, can you map the breached data to the state of customer residence? Is there an established, yet flexible, incident response process? Also important is to include input from all the key decision-making groups, he said. That can include customer service, mailroom personnel and physical security. "They know when laptops disappear or boxes of checks disappear," he said. "It can be indicators of fraud."

In addition, Everist recommended that organizations involve leaders in order to drive prompt and correct response to data breaches, and adhere to the process whenever a potential breach is discovered. Finally, he recommended staying abreast of the rapidly evolving legal environment, in which emerging statutes, evolving interpretations and FTC settlements are currently in constant flux.

Here is his list of resources for keeping up on it all:



An increasingly common practice...

http://lsi.typepad.com/lsi/2007/03/denver_law_facu.html

March 19, 2007

Denver Law Faculty and Students to Blog the Nacchio Trial

Denver Law Prof Jay Brown is taking collaborative faculty-student blogging to new heights by providing daily coverage of the criminal trial of Joe Nacchio, the former CEO of Qwest Communications International at Race to the Bottom. Professor Brown writes that the Nacchio trial is "really the end of an era, the last big trial from the Enron days."

The trial is scheduled to begin today and is expected to last approximately 8 weeks. Students and faculty will rotate through each day of the trial with the expectation that there will be at least two posts a day.


ditto

http://techdirt.com/articles/20070318/221709.shtml

Courts Learning That Jurors Can Blog (Next They'll Find Out Jurors Can Email, Too)

from the really,-they-can... dept

While blogging lawyers has become quite common (and there is even the occasional blogging judge), it seems that lawyers and courts are just starting to grapple with the fact that jurors are blogging as well -- and they're not quite sure how to deal with it. The article focuses on a situation where a juror wrote in his blog not just about the jury selection process, but his surprise at being selected, given his beliefs on certain subjects, such as the police and God. He also stated (before the process began) that he was about to go "listen to the local riff-raff try and convince me of their innocence." Since the jury he was on found the defendant guilty, the defense lawyer has been asking for a retrial, claiming that the blog statements showed clear bias -- though, you would think the lawyer was supposed to have outed that bias during the selection process. Later in the article, it notes that judges and lawyers are going to need to start asking potential jurors about their blogging habits during the selection process. That seems to be going a little far. The court usually instructs jurors that they are not to discuss the case with anyone until it's over -- and a blog post about the specifics of the case (rather than just "hey, I've got jury duty") certainly seems to violate those rules -- and should be plenty of notice without having to carefully note down any particular website where any juror might post a comment. The problem in the specific case wasn't that the defense lawyer (or judge or prosecution, for that matter) didn't ask the guy if he blogged -- but they didn't ask other questions to determine if he was biased in how he might view the case.



Always useful

http://www.bespacific.com/mt/archives/014314.html

March 18, 2007

New on LLRX.com for March 2007



Worth a browse?

http://www.bespacific.com/mt/archives/014312.html

March 18, 2007

National Governors Association Releases Homeland Security Guide

"A Governor's Guide to Homeland Security contains practical advice for governors on how to organize their states to prepare for and respond to hazards of all kinds effectively. It shares information and guidance on how to approach issues such as mutual aid, information sharing, obtaining assistance from the military and protecting critical infrastructure. Last published in 2002, the guide includes a significant amount of new and updated information."

[This one works: http://www.nga.org/Files/pdf/0703GOVGUIDEHS.PDF]



Oh, do tell!

http://techdirt.com/articles/20070318/223401.shtml

RIAA Bosses Try To Explain Why Suing College Kids Is Good For Business

from the try-that-one-again? dept

With the RIAA's recent new push to bully college students into paying up its "settlement" fees without giving them any chance to defend themselves, it seems that RIAA CEO Mitch Bainwol and RIAA President Cary Sherman have decided that they need to write an opinion piece explaining why they're suing so many college kids. The arguments aren't particularly surprising -- but it's a bit depressing that Bainwol and Sherman clearly have decided to ignore the fact that nearly every one of their arguments has been disproved already. For an organization trying to prove that it actually understands the challenge its members face, Bainwol and Sherman only trot out old, tired and simply wrong arguments. If the execs at the big music labels had any insight, they would fire these two for leading the industry down a disastrous trail.

They start by trotting out the bogus stats about "losses" due to piracy -- which are based not just on assuming that every download is a lost sale, but often using ridiculous multipliers that are allowed in calculating damages in lawsuits. To support these claims, though, they point out that "finding a record store still in business anywhere near a campus is a difficult assignment at best." That ignores quite a few important points. First, academic (not RIAA-financed) studies have shown that unauthorized downloading has no noticeable impact on CD sales. But, more importantly, it ignores the overall shift in the music buying market. It's increasingly difficult to find a standalone record store anywhere thanks to the shutting down of places like Tower Records and Warehouse Music. More important, however, is the fact that the only retailers profiting off of music sales are those that use it as a loss leader -- including Apple, but also Wal-Mart, Best Buy and others.

Sherman and Bainwol then try to get moral on everyone -- claiming that this is about taking the moral high ground (which you should remember the next time you listen to your RIAA label-released song about drugs, sex and murder). They repeatedly call it "stealing," when everyone from the Supreme Court on down have pointed out that copyright infringement isn't stealing. Bainwol and Sherman also screw up (on purpose?) by stating at one point that "downloading" music is illegal. That's never been shown. Uploading or "sharing" music has been shown to be infringement in terms of distribution -- but downloading still has never been found illegal itself. They also claim that the lawsuits are working, ignoring the fact that since they began the strategy of suing, file sharing has only increased. And we thought doing the same thing over and over again while not getting the intended result was the definition of insanity.

They then go on to whine about universities not helping them enough in turning over students -- but perhaps that's because universities recognize the importance of due process in letting an accused person defend themselves in a court of law. Bainwol and Sherman talk about all the "education" policies they've undertaken on college campuses... but conveniently leave out telling students to drop out of school in order to pay off an RIAA "settlement" offer.

The good news, though, is that if you read the comments from readers below the article (at least as of this posting) they're almost universally intelligent, well written, well thought out rebuttals against the RIAA's position, pointing out many of these mistakes, and how the RIAA's weak attempt to defend an obsolete business model by threatening, bullying and suing students isn't likely to help the big four record labels who fund it stay in business. Of course, we doubt that Sherman and Bainwol will take those messages to heart -- or even look to help the labels they represent adapt to the modern era. They'll just keep on whining about "theft" and pushing for the government to put in place new protectionist laws to protect the old, obsolete business model.


Related

http://consumerist.com/consumer/riaa/university-of-wisconsin+madison-will-not-forward-riaa-letters-to-students-245211.php

03 19 2007

University of Wisconsin-Madison Will Not Forward RIAA Letters To Students

Jason, a student at the University of Wisconsin-Madison has written in to share what his school is doing in response to the RIAA P2PLawsuit.com campaign. In this campaign, attorneys for Sony, Universal, EMI, Warner Music Group and more sent letters to several colleges demanding that they be forwarded to students. The letter (PDF) threatens students with a lawsuit and instructs them to identify themselves and pay a settlement to the recording companies via the website P2Plawsuits.com.

UW-M has sent an email informing students that although they've been given letters to forward to students, the university will not comply without a written subpoena.

Read Jason's email inside.



Might be interesting to see how this maps to polls and eventually the election.

http://www.infoworld.com/article/07/03/19/HNmyspaceforprez_1.html?source=rss&url=http://www.infoworld.com/article/07/03/19/HNmyspaceforprez_1.html

MySpace enters the U.S. presidential race

Opening its door wide to a huge audience, MySpace's Impact features pages for 2008 candidates

By Grant Gross, IDG News Service March 19, 2007

MySpace launched a U.S. presidential campaign site Monday, and it has the potential of reaching millions of people who don't otherwise go to political Web sites, one analyst said.

... Candidates with pages on MySpace Monday were Democratic Senators Hillary Clinton of New York; Barack Obama of Illinois; Joe Biden of Delaware; and Dennis Kucinich of Ohio; John Edwards, a former North Carolina senator and 2004 vice presidential candidate, along with Republicans Senator John McCain of Arizona; former New York City Mayor Rudy Giuliani; and former Massachusetts Governor Mitt Romney. Libertarian Ron Paul also has a page.

MySpace hopes to play a "powerful role" in the 2008 elections, CEO Chris DeWolfe said in a statement. The site plans to give users easy-to-use information in a format they can relate to, he said. [Send us money. There's this thing called “voting” Send us money. You can't do it because you aren't registered. Send us money. We'll do your voting for you. Send us money. Bob]

... In addition, people ages 18 to 24 remain the heaviest users of MySpace and the age group least likely to go to other political sites. "There's certainly the opportunity to drive new traffic to that channel ... because the site is so large," he said.

As of Monday afternoon, "friends" were already on board various candidate sites. For instance, Romney, McCain and Clinton each had more than 1,000 MySpace friends, while Obama had more than 68,000. Paul, also running for president, had about 350 friends. Giuliani's profile was set to "private" and so it could not be publicly seen.


WATCH THIS VIDEO! This may be the real trend in political use of technology... (Like any political ad, it provides no real information...)

http://macdailynews.com/index.php/weblog/comments/12991/

Unauthorized Obama Internet political ad converts Apple’s famous ‘1984’ commercial (with video)

Monday, March 19, 2007 - 12:12 AM EDT

"It may be the most stunning and creative attack ad yet for a 2008 presidential candidate -- one experts say could represent a watershed moment in 21st century media and political advertising," Carla Marinucci reports for The San Francisco Chronicle. "Yet the groundbreaking 74-second pitch for Democratic Illinois Sen. Barack Obama, which remixes the classic "1984" ad that introduced Apple computers to the world, is not on cable or network TV, but on the Internet."

"And Obama's campaign says it had absolutely nothing to do with the video that attacks one of his principal Democratic rivals, New York Sen. Hillary Rodham Clinton. Indeed, the ad's creator is a mystery, at least for now," Marinucci reports.

Marinucci reports, "The compelling 'Hillary 1984' video recently introduced on YouTube represents 'a new era, a new wave of politics ... because it's not about Obama,' said Peter Leyden, director of the New Politics Institute, a San Francisco-based think tank on politics and new media. 'It's about the end of the broadcast era.'"

"But some say the ad is just the latest attempt by outside activists to influence political campaigns -- or the newest way for campaigns to anonymously attack their opponents.

The video is a sophisticated new take on director Ridley Scott's controversial Apple ad that caused shock waves with its premiere during the 1984 Super Bowl, and shows the same blond young female athlete running with a sledgehammer toward a widescreen -- where an ominous Big Brother figure drones to a mass of zombielike followers," Marinucci reports. "But this time, the woman is wearing an iPod -- and has her candidate's slogan on her chest. And the Big Brother -- whose image she defiantly smashes with a wave of her sledgehammer -- is Clinton, the Democratic presidential front-runner."

"The tagline for the attack: 'On Jan. 14, the Democratic primary will begin. And you'll see why 2008 won't be like 1984.' An updated Apple symbol -- transformed into an O -- is followed by the dramatically emerging logo: BarackObama.com," Marinucci reports.

Full article here. (To see the video, go to: www.youtube.com/watch?v=6h3G-lMZxjo)



None of my students would ever be in this situation. Normally, I see one or two of these during the 10 weeks of my Business Continuity Planning class. This one is a bit late, but I'll include it in my grade emails...

http://hosted.ap.org/dynamic/stories/L/LOST_DATA?SITE=VALYD&SECTION=HOME&TEMPLATE=DEFAULT

Oops! Tech Error Wipes Out Alaska Info

By ANNE SUTTON Associated Press Writer Mar 20, 8:43 AM EDT

JUNEAU, Alaska (AP) -- Perhaps you know that sinking feeling when a single keystroke accidentally destroys hours of work. Now imagine wiping out a disk drive containing an account worth $38 billion. It happened to a computer technician reformatting a disk drive at the Alaska Department of Revenue.

While doing routine maintenance work, the technician accidentally deleted applicant information for an oil-funded account [No big deal, this is a common error and simple to fix – just go to the backup file. Bob] - one of Alaska residents' biggest perks - and mistakenly reformatted the backup drive, as well. [Oops! But this suggests it was an operational backup (not a permanent archive) so there must be another backup handy... Bob]

There was still hope, until the department discovered its third line of defense, backup tapes, were unreadable. [Sounds like they skipped the “test backups to make certain they work” part of their plan. Bob]

"Nobody panicked, but we instantly went into planning for the worst-case scenario," [a little late for “planning” isn't it? Bob] said Permanent Fund Dividend Division Director Amy Skow. The computer foul-up last July would end up costing the department more than $200,000.

Over the next few days, as the department, the division and consultants from Microsoft Corp. and Dell Inc. labored to retrieve the data, it became obvious the worst-case scenario was at hand.

Nine months worth of information concerning the yearly payout from the Alaska Permanent Fund was gone: some 800,000 electronic images that had been painstakingly scanned into the system months earlier, the 2006 paper applications that people had either mailed in or filed over the counter, and supporting documentation such as birth certificates and proof of residence.

And the only backup was the paperwork itself - stored in more than 300 cardboard boxes. [You know you're in trouble when you have to go back to paper... Bob]

"We had to bring that paper back to the scanning room, and send it through again, and quality control it, and then you have to have a way to link that paper to that person's file," Skow said.

Half a dozen seasonal workers came back to assist the regular division staff, and about 70 people working overtime and weekends re-entered all the lost data by the end of August.

"They were just ready, willing and able to chip in and, in fact, we needed all of them to chip in to get all the paperwork rescanned in a timely manner so that we could meet our obligations to the public," Skow said.

Last October and November, the department met its obligation to the public. A majority of the estimated 600,000 payments for last year's $1,106.96 individual dividends went out on schedule, including those for 28,000 applicants who were still under review when the computer disaster struck.

Former Revenue Commissioner Bill Corbus said no one was ever blamed for the incident. [but did you do anything to prevent a recurrence? Bob]

"Everybody felt very bad about it and we all learned a lesson. There was no witch hunt," Corbus said.

According to department staff, they now have a proven and regularly tested backup and restore procedure.

The department is asking lawmakers to approve a supplemental budget request for $220,700 to cover the excess costs incurred during the six-week recovery effort, including about $128,400 in overtime and $71,800 for computer consultants.

The money would come from the permanent fund earnings, the money earmarked for the dividends. That means recipients could find their next check docked by about 37 cents.

---On the Net: http://www.revenue.state.ak.us
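The restore test that the "test backups to make certain they work" comment above calls for, written here as an added shell example (not code from the article or from the Alaska department): it takes a hash manifest of a constructed sample tree, backs the tree up with tar, restores the archive into a scratch directory and compares every file hash, and shows that a truncated archive (standing in for the unreadable tapes) fails the test instead of being trusted. It assumes tar, mktemp and sha256sum (or shasum) are available.

```shell
#!/bin/sh
# Restore test for a backup: a backup that has never been restored is a hope, not a plan.
# Constructed example; the sample files below stand in for the scanned applications.
set -eu

# Hash helper: prefer sha256sum (coreutils), fall back to shasum (macOS/BSD).
h() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# Print "hash  ./relative/path" for every regular file under $1, in a stable order,
# so two trees with identical contents produce byte-identical manifests.
hash_tree() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do h "$f"; done )
}

# Create the backup archive: $1 = source tree, $2 = archive path.
make_backup() {
    tar -czf "$2" -C "$1" .
}

# Restore $1 into a fresh scratch directory and compare every file hash against
# the manifest in $2. Returns 0 only if the restore unpacks AND every hash matches.
verify_backup() {
    archive=$1; manifest=$2
    scratch=$(mktemp -d)
    # An archive that will not unpack (unreadable tape, reformatted drive) fails here.
    if ! tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
        rm -rf "$scratch"
        return 1
    fi
    restored=$(mktemp)
    hash_tree "$scratch" > "$restored"
    if cmp -s "$manifest" "$restored"; then rc=0; else rc=1; fi
    rm -rf "$scratch" "$restored"
    return "$rc"
}

# Walk through the scenario: take a manifest, back up, then test a good copy and a
# truncated copy (standing in for the unreadable tapes). Prints one summary line.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/applications"
    printf 'applicant 0001, constructed sample record\n' > "$work/src/applications/0001.txt"
    printf 'applicant 0002, constructed sample record\n' > "$work/src/applications/0002.txt"
    hash_tree "$work/src" > "$work/manifest.txt"   # taken BEFORE the backup runs
    make_backup "$work/src" "$work/good.tgz"
    head -c 20 "$work/good.tgz" > "$work/bad.tgz"  # simulate media that lost its tail
    good=FAIL; bad=MISSED
    verify_backup "$work/good.tgz" "$work/manifest.txt" && good=OK
    verify_backup "$work/bad.tgz" "$work/manifest.txt" || bad=DETECTED
    rm -rf "$work"
    echo "good archive: $good, truncated archive: $bad"
}

demo
```

Run it on a schedule against the real archive and alert on any non-zero return; the manifest must be taken from the live data before the backup, never from the backup itself.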
