
Privacy and Information Security Monthly Update December



Presentation Transcript


  1. Privacy and Information Security Monthly Update December
  Privacy and Information Security Committee
  December 14, 2006

  2. Overview
  • Enforcement/Admin. Review (FTC, State AGs, & BBB)
  • Litigation
  • Legislation (U.S. and International)
  • Regulation
  • Hot topics in Privacy/Data Security

  3. FTC Enforcement – Data Security: Guidance Software Inc. (Nov. 16, 2006) (14th FTC Data Security Case)
  • Leading provider of software used to diagnose hacker break-ins was subject to a data breach last Dec.
  • 3,800 credit cards were hacked via unencrypted databases that contained customers' "card value verification" (CVV) numbers.
  • Company retained this information indefinitely.
  • Visa & Mastercard merchant guidelines require sellers to encrypt customer credit-card databases. Sellers are also prohibited from retaining CVV numbers for any longer than it takes to verify a given transaction.
  • In late Nov., Guidance settled charges w/ the FTC over the practices that led to the breach.

  4. FTC Enforcement – Data Security: Guidance Software Inc. (cont.)
  • FTC charged that Guidance violated Section 5 of the FTC Act b/c it:
    • Failed to adequately assess vulnerability of its network to commonly known web-based hacking (like SQL injection attacks);
    • Failed to implement low-cost, reasonable defenses to hacking attacks;
    • Created an unnecessary risk by storing administrator user name and password, which made it easier for the hacker to access sensitive consumer data; and
    • Failed to implement basic security & detection measures, creating an unnecessary risk to consumers.
  • Settlement requires the company to implement a comprehensive information-security program and obtain audits by an independent third-party security professional every other year for ten years.
  • No monetary penalties.
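Two of the charges above (exposure to SQL injection, and indefinite retention of CVV numbers in the database) map directly onto code and schema choices. The following is an added illustration, not code from the presentation or from Guidance Software: it uses a constructed in-memory SQLite table (the table name, column names and sample rows are assumptions) to contrast a string-built query with a parameterized one, to show a storage record that keeps only what a merchant may retain after verification, and to run a simple schema audit that flags columns holding verification codes.

```python
"""Added example (not from the presentation): SQL-injection-safe lookups and
CVV retention checks over a constructed SQLite database."""
import sqlite3

# Constructed sample data. Storing the CVV column at all is the defect the
# FTC complaint describes; it is here only so the audit below has something to flag.
SAMPLE_ROWS = [
    ("ORD-1", "alice@example.com", "4111111111111111", "123"),
    ("ORD-2", "bob@example.com", "5555555555554444", "456"),
]

# Column names that indicate a retained card verification code (assumed list).
FORBIDDEN_COLUMNS = {"cvv", "cvv2", "cvc", "cid", "card_value_verification"}

# Constructed probe input: a classic tautology used here to demonstrate why the
# string-built query is unsafe and the parameterized one is not.
INJECTION_PROBE = "ORD-1' OR '1'='1"


def build_db():
    """Create the constructed orders table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (order_id TEXT, email TEXT, pan TEXT, cvv TEXT)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, order_id):
    """Unsafe: caller input is spliced into the SQL text, so it can change the
    WHERE clause and return rows the caller should never see."""
    sql = "SELECT order_id, email FROM orders WHERE order_id = '" + order_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, order_id):
    """Safe: the value is bound as a parameter and is never parsed as SQL."""
    return conn.execute(
        "SELECT order_id, email FROM orders WHERE order_id = ?", (order_id,)
    ).fetchall()


def storage_record(order_id, email, pan, cvv):
    """Build the record a merchant may persist after a transaction is verified.
    The CVV is accepted for the (assumed, not shown) authorization step only and
    is deliberately absent from the returned record; the full PAN is reduced to
    its last four digits."""
    del cvv  # used transiently during verification, never stored
    return {"order_id": order_id, "email": email, "pan_last4": pan[-4:]}


def audit_schema(conn):
    """Return (table, column) pairs whose column name indicates a retained
    verification code. This is a detection check, not a fix."""
    findings = []
    tables = [
        r[0]
        for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    ]
    for table in tables:
        # PRAGMA does not accept bound parameters; quote the identifier instead.
        quoted = '"' + table.replace('"', '""') + '"'
        for col in conn.execute("PRAGMA table_info(" + quoted + ")"):
            if col[1].lower() in FORBIDDEN_COLUMNS:
                findings.append((table, col[1]))
    return findings


if __name__ == "__main__":
    db = build_db()
    print("vulnerable lookup with probe:", lookup_vulnerable(db, INJECTION_PROBE))
    print("parameterized lookup with probe:", lookup_parameterized(db, INJECTION_PROBE))
    print("record to persist:", storage_record(*SAMPLE_ROWS[0]))
    print("schema findings:", audit_schema(db))
```

Run against the constructed table, the string-built lookup returns both orders for the probe input while the parameterized lookup returns none, and the schema audit reports the `orders.cvv` column as a retention finding.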

  5. CA AG Enforcement – Pretexting: Hewlett-Packard (Dec. 8, 2006)
  • HP settled with the California AG over charges that the company used unethical and deceptive investigative techniques in its efforts to determine the source of sensitive company information leaked to media outlets.
  • The allegations focused on whether the company engaged in “pretexting,” in which investigators posed as company employees and journalists to obtain confidential telephone records, and engaged in wrongful use of computer data, identity theft, and conspiracy.
  • These are the same allegations that the state made in its criminal filing in Oct. against former HP Chairwoman Patricia Dunn, former HP legal counsel Kevin Hunsaker, and 3 private detectives that HP hired to trace the source of boardroom leaks.

  6. CA AG Enforcement – Pretexting: Hewlett-Packard (cont.)
  • The Dec. settlement in the civil case requires HP to pay $14.5 million.
    • $13.5 million will be used to establish a Privacy and Piracy Fund to finance the CA AG’s investigations of privacy violations & IP theft.
    • $650,000 in civil penalties and $350,000 to cover investigatory costs.
  • HP also must maintain an ethics and compliance officer, expand the role of its chief privacy officer, expand employee and vendor codes to make sure that they address ethical standards regarding investigations, and train an expert in the field of investigations to assist the chief ethics officer.
  • Former employees and the private investigators they retained still face criminal charges stemming from their actions, including the use of pretexting, when they tried to identify the source of leaked corporate information.
  • Insider trading case also pending.

  7. FTC Enforcement – Spyware: Odysseus Marketing, Inc. (Nov. 21, 2006)
  • Settled with the FTC over charges that it falsely advertised free file-sharing software, which was bundled with spyware designed to capture consumers’ personal information and transfer it to the defendants’ computers.
  • FTC also charged that Odysseus distributed its software by exploiting known security vulnerabilities in the IE web browser.
  • A federal court in NH had previously enjoined the practices pending trial.
  • Settlement resolves the case and bars the company from exploiting any security vulnerability to download/install software, or making false representations about its software programs.
  • Settlement = $1.86 million judgment, suspended except for $40K.

  8. Wash. AG Enforcement – Spyware: Secure Computer (Dec. 4, 2006) (1st case under Wash.’s spyware law)
  • NY-based company settled with the Washington Attorney General over charges that it induced consumers to purchase a program, “Software Cleaner,” to remove spyware by falsely representing that their computers were infected.
  • Suit alleged violations of Washington’s 2005 Computer Spyware Act, federal and state spam laws, and the state consumer protection act.
  • Suit also criticized the company’s practice of collecting, using and disclosing personal information and referring the consumer to its privacy policy regarding such use.

  9. Wash. AG Enforcement – Spyware: Secure Computer (cont.)
  • Settlement bars the company from
    • misrepresenting that a computer is infected w/ spyware or the software's ability to detect or remove spyware, and
    • sending deceptive emails, or incorrectly suggesting that a product is “discounted” or available for a “limited time” (i.e., continuous-sale and false-urgency claims).
  • Company must send emails to all Wash. customers informing them of refund rights.
  • Required to pay $1 million ($200,000 civil penalties, $75,000 restitution, $725,000 attorney’s fees and costs).
  • Individuals also named in the suit, charged with advertising “Spyware Cleaner” using Google AdWords that deceptively represented the product was affiliated with/sanctioned by Microsoft.

  10. CDD Requests FTC Inquiry
  • On Nov. 1st, the Center for Digital Democracy (CDD) and the U.S. Public Interest Research Group (USPIRG) filed a request for the FTC to open a formal investigation into the $100 billion online marketing industry.
  • The request calls special attention to Microsoft's adCenter service, which allows advertisers to bid to have advertisements published next to online search results.
  • Full copy of "Complaint": http://www.democraticmedia.org/PDFs/FTCadprivacy.pdf
  • CDD Press release: http://www.democraticmedia.org/issues/privacy/FTCprivacypr.html

  11. CARU Review – COPPA (linking websites): Maniacal Mktg./Cadbury (Nov. 20, 2006)
  • Cadbury’s Bubblicious gum website was featured in a print ad in Nickelodeon magazine. On the homepage of the website, there was a prominent link to the LeBron James website.
  • That website (www.lebronjames.com) allowed children under 13 to disclose personal information and post messages. The site’s privacy policy did not comply w/ CARU guidelines or COPPA.
  • CARU recommended that the company modify the basketball player’s site to prevent children from providing personal information.
  • CARU also asked Cadbury Adams to modify the Bubblicious website so that it no longer contained links to non-CARU/COPPA-compliant websites (here, the LeBronjames.com site).
  • Reminder: if your website is kid-focused, make sure the links you feature in your ads (on- or off-line) are CARU/COPPA compliant.

  12. Litigation – California Security Freeze Law
  • Nov. 15, 2006 – a CA appellate court declared the state’s security freeze law (Cal. Civ. Code Sec. 1785.11.2) unconstitutional. The law took effect Jan. 3, 2003, and was enacted as part of legislation intended to protect consumers from ID theft.
  • This provision permits a consumer to place a “security freeze” on his consumer report, which prohibits CRAs from releasing the consumer’s credit report or any information from it.
  • If a security freeze is in place, information from a consumer’s credit report may not be released to a third party without prior express authorization from the consumer.

  13. Litigation – California Security Freeze Law (cont.)
  • A CRA claimed the law was unconstitutional because it bars reporting information that is already a public record, in violation of First Amendment rights.
  • The CRA also argued that its dissemination of public-record facts and other credit-related information is speech that is protected by the federal and CA constitutions.
  • The court agreed, determining that the law violates the First Amendment because it precludes the reporting of information held in public records.
  • Thus, it concluded that the CRA was not required to comply with the state security freeze statute to the extent the statute precluded the agency from reporting information contained in a public record.

  14. Litigation – Do Privacy Protections Extend to Online Email?
  • The Electronic Frontier Foundation, the ACLU, and the Center for Democracy and Technology are seeking to extend Fourth Amendment protections against unreasonable search and seizure to emails stored online.
  • A brief filed in Warshak v. USA argues that the users of online email services (e.g., Hotmail, Yahoo Mail, and Gmail) have a “reasonable expectation of privacy” for their stored information.
  • Last year, the U.S. government was investigating allegations of mail/wire fraud, money laundering, and other offenses arising from the operations of Steven Warshak's dietary supplement company.
  • In May 2005, the government obtained an order from an Ohio judge directing NuVox Communications, an ISP, to turn over electronic communications belonging to Warshak and his associates.
  • 9 months after it was granted access to Warshak's communications, the government notified Warshak of its actions. Warshak then sued the govt.

  15. Litigation – Online Email Privacy Protections (cont.)
  • The Ohio court order was issued pursuant to the Stored Communications Act, which allows the government to obtain stored communications from ISPs without notice, or with delayed notice, where knowledge of the government's actions would jeopardize a lawful investigation.
  • Unlike the Fourth Amendment, there’s no “probable cause” requirement in the SCA. Thus, the government only has to demonstrate that the information it is seeking is relevant to an investigation. It doesn't have to establish that there's probable cause for a crime.
  • The brief recently filed by EPIC argues that, if there's no Fourth Amendment protection for email, then online email is open to the government for any reason unless there are other statutes that protect it. The brief argues the privacy protections for telephone and mail should apply similarly to online email.

  16. Legislation – Domestic: Safe Web Act
  • The Senate agreed to House Amendments to the Safe Web Act last week, clearing the legislation for the President’s approval. The FTC sought the legislation to help combat cross-border fraud and deception. Among other things the bill:
    • Allows the FTC to seek restitution under Section 5 of the FTC Act for foreign victims;
    • Authorizes the FTC to disclose certain privileged or confidential information to foreign law enforcement agencies;
    • Authorizes the FTC to retain employees of foreign government agencies on a temporary basis, and to allow FTC employees to work for foreign agencies;

  17. Legislation – Domestic: Safe Web Act (cont.)
    • Authorizes the FTC to provide investigative assistance to a foreign law enforcement agency that is investigating/enforcing fraudulent or deceptive commercial practices or other practices substantially similar to practices prohibited by laws administered by the FTC (but no requirement that the conduct identified violate U.S. law);
    • Specifies conditions under which an FTC-designated custodian can share certain compelled or confidential material with foreign law enforcement agencies;
    • Exempts from public FOIA disclosure requirements any material received by the FTC from foreign sources in the course of an investigation; and
    • Requires the FTC to report to Congress on its actions under this Act and make recommendations for additional legislation.

  18. Legislation – Domestic: Federal Pretexting Law
  • The Senate passed H.R. 4709 (the Telephone Records and Privacy Act of 2006), which would make “pretexting” (i.e., the act of illegally obtaining an individual’s telephone records without their consent) a federal crime. Senate Commerce Committee Chairman Ted Stevens (R-Alaska) was a co-sponsor of the Senate companion to the House legislation, S.2178.
  • The bill calls for fines up to $500,000 for companies that are convicted of pretexting.
  • Individuals who knowingly buy or sell phone lists obtained through deceptive means could face penalties and a prison sentence of up to 10 years.
  • Similar House legislation imposed the same prison sentence, but fines of $250,000.

  19. Legislation – Domestic: Pennsylvania Enacts Credit Freeze Law
  • The Pennsylvania legislature enacted SB 180, the Credit Reporting Agency Law.
  • The law gives consumers the right to place a security freeze on their consumer reports in order to provide protection from the effects of identity theft.
  • The Attorney General’s Office has sole authority for enforcement of the new law, which becomes effective January 1, 2007.
  • PA’s credit freeze law joins the over 25 states that have enacted similar laws.

  20. Legislation – Domestic: New Jersey Seeks Protection for ID Theft Victims
  • A bill pending in the Assembly is intended to protect identity theft victims.
  • The bill would bar companies from denying credit to, or cutting the credit limits of, identity theft victims capable of presenting either a police report or an affidavit detailing the theft.
  • Companies could be fined up to $5,000 per violation.

  21. Legislation – Domestic: Michigan Considers Data Breach Notification Law
  • Michigan bill pending that would require businesses and governments to notify consumers when their personal information has been compromised by a data breach.
  • The bill was unanimously approved by the state Senate last month. Now before the House.
  • The bill would impose fines of up to $250 for each failure to notify. A company’s liability would be capped at $750,000 per incident. Narrower scope than CA’s law.
  • Would join the list of 34 states that have enacted similar notification laws.

  22. Legislation – International: New UK Fraud/Privacy Law
  • The Fraud Act of 2006 has received Royal Assent and will go into effect next year.
  • Until now there has been no single, general fraud law in English law. Instead, the UK relied on eight specific statutory crimes.
  • The Act introduces a general offense of fraud which can be committed in three ways.
  • The Act also bans the use of phishing kits and makes it illegal to write software designed for use in fraud, closing loopholes left open by previous legislation.

  23. Legislation – International: EU Seeks Stronger Protections Against Spam
  • The European Commission reports that spam makes up between 50 and 80 percent of emails worldwide.
  • The EC stated that new spam laws aren’t needed, but that member states need to step up the fight against spam.
  • The EC urged national regulators, governments, and industry to work together more efficiently to combat the problem.
  • The EC will revisit the issue next year to determine whether new laws are needed.

  24. Legislation – International: Australian Bill Aims to Protect Privacy
  • A bill to protect Australia’s Integrated Public Number Database is currently pending before Parliament.
  • The IPND is a complete directory of all listed and unlisted phone numbers.
  • The law would impose a $66,000 fine for any misuse of the database’s information.
  • In addition, the law would also move some powers from a private entity to a government body.

  25. Regulation – Federal Rules Regulating Electronic Files
  • On Dec. 1, an updated version of the Federal Rules went into effect, requiring companies in federal litigation to produce electronically stored documents. Fed. R. Civ. P. 26 (a)(1)(b) and 34 (a).
  • To ensure compliance, companies will need to keep track of all emails, instant messages, information stored on USB devices and other electronic files. Fed. R. Civ. P. 34 (b).
  • Also covers routine practices, such as copying over existing information stored on back-up tapes, which could be the equivalent of “virtual shredding” if not paused during litigation. Fed. R. Civ. P. 37 (f).
  • This record retention requirement is also a good reminder that any personal information stored should be protected against unauthorized access and unnecessary risk of a breach.

  26. Hot Topics – Security Breaches
  • As of December 11th, Privacyrights.org reported the total number of personal records compromised by security breaches was 99,577,201.
  • In the last month there have been 24 data breaches, involving at least 1,015,312 data records.
  • 9 of these breaches resulted from loss of computers or stolen laptops. Several laptops were reported missing from company offices, while others were stolen or misplaced by employees out of the office.
  • Another breach was caused when a USB device containing personal information was stolen from an employee’s purse.
  • 5 breaches were the result of employee error. 3 of these were caused by the unintentional posting of personal information on a publicly accessible website.