Here is a link to a couple of segments of a data security roundtable I participated in not long ago:
http://www.businesswire.com/portal/site/home/permalink/?ndmViewId=news_view&newsId=20091222005345&newsLang=en
Some very interesting discussions with folks who are on the cutting edge of data security. I'll post the other segments as they are released.
Tuesday, December 22, 2009
Monday, December 21, 2009
The real cost of data breaches - Heartland to pay Amex $3.5 million
According to its 8-K filing with the Securities and Exchange Commission (SEC), Heartland Payment Systems Inc. has agreed to pay American Express Travel Related Services Co. Inc. just over $3.5 million to settle any claims arising out of a massive payment card data breach.
This settlement is likely to be only the first over the compromise of tens of millions of debit
and credit card accounts by malicious software planted on Heartland's computers
that the Princeton, N.J.-based payment card processor revealed in January of this year.
On November 12, Heartland filed a Form 8-K with the SEC, stating that it had doubled from $35.6 million to $73.3 million its anticipated breach expenses for 2009, because it expected to settle litigation related to the breach.
Heartland faced a total of 17 consumer class actions and 10 bank and credit union class actions related to the breach, which were consolidated in the U.S. District Court for the Southern District of Texas. According to the Form 8-K filing, the newly announced settlement agreement
would release Heartland from any claims raised by AmEx or its issuing banks. The filing did not indicate whether the settlement is subject to court approval and did not include a copy of the agreement.
This settlement is likely to be only the first over the compromise of tens of millions of debit
and credit card accounts by malicious software planted on Heartland's computers
that the Princeton, N.J.-based payment card processor revealed in January of this year.
On November 12, Heartland filed a Form 8-K with the SEC, stating that it had doubled from $35.6 million to $73.3 million its anticipated breach expenses for 2009, because it expected to settle litigation related to the breach.
Heartland faced a total of 17 consumer class actions and 10 bank and credit union class actions related to the breach, which were consolidated in the U.S. District Court for the Southern District of Texas. According to the Form 8-K filing, the newly announced settlement agreement
would release Heartland from any claims raised by AmEx or its issuing banks. The filing did not indicate whether the settlement is subject to court approval and did not include a copy of the agreement.
Wednesday, December 16, 2009
More Detail on Quan Case
My colleague, Martha Zackin, has published a more extensive discussion of the issues before the U.S. Supreme Court in the Quan case --
ELB Law Information: Supreme Court to Hear Case re Employer's Access to Employee's Text Messages
ELB Law Information: Supreme Court to Hear Case re Employer's Access to Employee's Text Messages
Tuesday, December 15, 2009
Supreme Court will review some issues in Quon Case, denied review to other issues
Some additional information on yesterday's post regarding the Supreme Court's decision to hear the Quon case. The high Court agreed to hear some, but not all of the issues presented by the Ninth Circuit decision in the case.
The Court will consider whether a police sergeant assigned to a SWAT team had a reasonable expectation of privacy under the Fourth Amendment in text messages transmitted on a department-issued pager and stored by an outside service providerk even in the face of the City of Ontario's "general practice" of non-monitoring of such communications. The Court denied review (known as "certiorari") to questions of whether the surrender to the city in the first instance by Arch Wireless (the service provider) of those messages violated the Stored Communications Act.
The questions for review are limited, then, to three:
• Does a SWAT team member have a reasonable expectation of privacy in text
messages transmitted on his SWAT pager, when the police department has an
official no-privacy policy but a non-policymaking lieutenant announced an
informal policy of allowing some personal use of pagers?
• Did the Ninth Circuit contravene Fourth Amendment precedents and create
circuit conflict by analyzing whether the police department could have used
'less intrusive methods' of reviewing text messages transmitted by the SWAT
team member on his SWAT pager?
• Do individuals who send text messages to a SWAT team member's SWAT pager
have a reasonable expectation that their messages will be free from review by
the recipient's government employer?
The Court will consider whether a police sergeant assigned to a SWAT team had a reasonable expectation of privacy under the Fourth Amendment in text messages transmitted on a department-issued pager and stored by an outside service providerk even in the face of the City of Ontario's "general practice" of non-monitoring of such communications. The Court denied review (known as "certiorari") to questions of whether the surrender to the city in the first instance by Arch Wireless (the service provider) of those messages violated the Stored Communications Act.
The questions for review are limited, then, to three:
• Does a SWAT team member have a reasonable expectation of privacy in text
messages transmitted on his SWAT pager, when the police department has an
official no-privacy policy but a non-policymaking lieutenant announced an
informal policy of allowing some personal use of pagers?
• Did the Ninth Circuit contravene Fourth Amendment precedents and create
circuit conflict by analyzing whether the police department could have used
'less intrusive methods' of reviewing text messages transmitted by the SWAT
team member on his SWAT pager?
• Do individuals who send text messages to a SWAT team member's SWAT pager
have a reasonable expectation that their messages will be free from review by
the recipient's government employer?
Monday, December 14, 2009
Good data protection sense from the Brits
The UK's Information Commissioner's Office (ICO) has done what the Federal Trade Commission should do -- produced a no-nonsense Guide to Data Protection. This Guide is intended to provide small and medium sized enterprises with practical advice about the UK's Data Protection Act and takes a straightforward look at the data protection principles, using practical, business-based examples. It allows users to choose whether they need very basic, or more detailed compliance advice, depending on their needs.
Stephen Alambritis, Head of Public Affairs at the Federation of Small Businesses, said: “Small businesses do not have time for pages and pages of jargon and gobbledegook, but getting data protection right makes good business sense. Data protection lapses cost reputations and can affect the bottom line. But, many organisations tell us that data protection law is difficult to understand. This new no-nonsense guide will help the business community to understand and comply with the law.”
This Guide will also be helpful for non-UK companies to understand their data protection obligations when doing business in the UK with the data of UK citizens. Clear, straight-forward and unambiguous. Makes sense.
Stephen Alambritis, Head of Public Affairs at the Federation of Small Businesses, said: “Small businesses do not have time for pages and pages of jargon and gobbledegook, but getting data protection right makes good business sense. Data protection lapses cost reputations and can affect the bottom line. But, many organisations tell us that data protection law is difficult to understand. This new no-nonsense guide will help the business community to understand and comply with the law.”
This Guide will also be helpful for non-UK companies to understand their data protection obligations when doing business in the UK with the data of UK citizens. Clear, straight-forward and unambiguous. Makes sense.
Supreme Court To Decide Privacy of Employee Texts
U.S. Supreme Court this morning decided to hear a case on the privacy of employee text messages sent on employer-provided devices, reports the Washington Post (see below).
The case--City of Ontario v. Quon--could have profound implications on employee privacy rights, according to a Baltimore Sun report. It involves an Ontario, California police officer who sent sexually explicit messages to another officer using the department-issued device. The messages were discovered during an audit, and a lawsuit claiming privacy violations followed. California's Ninth Circuit Court of Appeals ruled in favor of the sender of the messages, but dissent by a number of judges prompted an appeal to the Supreme Court.
9th Circuit Opinion:
Quon v. Arch Wireless (9th Circuit)
Additional reports:
Washington Post
The Curmudgeon's Comments - City of Ontario v. Quon — USSC
Pittsburgh Tribune-Review
The case--City of Ontario v. Quon--could have profound implications on employee privacy rights, according to a Baltimore Sun report. It involves an Ontario, California police officer who sent sexually explicit messages to another officer using the department-issued device. The messages were discovered during an audit, and a lawsuit claiming privacy violations followed. California's Ninth Circuit Court of Appeals ruled in favor of the sender of the messages, but dissent by a number of judges prompted an appeal to the Supreme Court.
9th Circuit Opinion:
Quon v. Arch Wireless (9th Circuit)
Additional reports:
Washington Post
The Curmudgeon's Comments - City of Ontario v. Quon — USSC
Pittsburgh Tribune-Review
Tuesday, December 8, 2009
National Public Radio 3-part special series on privacy
These are from October, but if you missed them, they are worth a look (or downloading the podcasts) --
Part 1: Online Data Present a Privacy Minefield
Part 2: Is Your Facebook Profile as Private as You Think?
Part 3: Digital Bread Crumbs: Following Your Cell Phone Trail
Part 1: Online Data Present a Privacy Minefield
Part 2: Is Your Facebook Profile as Private as You Think?
Part 3: Digital Bread Crumbs: Following Your Cell Phone Trail
Holiday Privacy Watch: Take care before you donate that cell phone
During the holiday season, many organizations are soliciting donations of old cell phones to be repurposed. This is an excellent way to "reuse, reduce, and recycle" and puts those useless (to you) items to use in a positive way, but please remember -- important and private data reside in your cell phone's internal memory, even if your phone has a removable SIM card. PINs, passwords and other critical information are often stored in a cell phone's memory. The more mobile apps you use, the more important it is for you to ensure that you wipe the cell phone internal memory before donating, trading-ins or selling.
Some tips -
1) Don't forget to remove the SIM card!
2) Call logs, photos, memos, and other information might reside in the phone's internal memory, and are often difficult to delete if you rely on the phone's manual (and who keeps those, anyway??). The folks at ReCellular - a cell phone recycling service - have a great solution called The Cell Phone Data Eraser. It lets you choose the brand and model number of your phone, and then displays the precise commands you need to delete every piece of data from it. The ReCellular website is http://www.recellular.com/recycling/data_eraser/default.asp. If you can't find the info you need here, most cell phone manuals are available online at the manufacturer website for download.
If you think you can circumvent the privacy threat by sending your phone back to your service provider, you could be mistaken. According to one report, a Cingular customer who received a refurbished phone as a replacement for one that malfunctioned found the new phone was filled with the previous owner's private data, including account numbers, user names, and passwords. In December, an old BlackBerry sold at a McCain campaign garage sale for 20 dollars was found to be preloaded with a mountain of Republican donor information, emails, and more.
Don't let this discourage you from turning those paperweights back into useable technology for folks who need it -- just take some extra time to protect your personal information.
Happy Holidays!
Some tips -
1) Don't forget to remove the SIM card!
2) Call logs, photos, memos, and other information might reside in the phone's internal memory, and are often difficult to delete if you rely on the phone's manual (and who keeps those, anyway??). The folks at ReCellular - a cell phone recycling service - have a great solution called The Cell Phone Data Eraser. It lets you choose the brand and model number of your phone, and then displays the precise commands you need to delete every piece of data from it. The ReCellular website is http://www.recellular.com/recycling/data_eraser/default.asp. If you can't find the info you need here, most cell phone manuals are available online at the manufacturer website for download.
If you think you can circumvent the privacy threat by sending your phone back to your service provider, you could be mistaken. According to one report, a Cingular customer who received a refurbished phone as a replacement for one that malfunctioned found the new phone was filled with the previous owner's private data, including account numbers, user names, and passwords. In December, an old BlackBerry sold at a McCain campaign garage sale for 20 dollars was found to be preloaded with a mountain of Republican donor information, emails, and more.
Don't let this discourage you from turning those paperweights back into useable technology for folks who need it -- just take some extra time to protect your personal information.
Happy Holidays!
Monday, December 7, 2009
House scheduled to act today on several privacy bills
The House is scheduled to vote on HR 1319, The Informed P2P User Act, and HR 2221, The Data Accountability and Trust Act, tomorrow under suspension of the rules. We will monitor the debate and keep you updated on its passage.
Federal Trade Commission hosts privacy roundtable today
The FTC kicks off the first in a series of "roundtable" discussions to explore privacy challenges posed by 21st technology and business practices that collect and use consumer data. Today's roundtable is being held in Washington, DC, and will focus on data collection, use and retention, consumer expectations of privacy, online behavioral advertising, information brokers and a discussion surrounding existing regulatory frameworks.
The event is being streamed live at the FTC website.
Live Webcast here
The event is being streamed live at the FTC website.
Live Webcast here
Friday, December 4, 2009
Privacy and Security Bits and Bytes
The Most Wonderful Time of the Year -- It's time for the annual "top ten" lists. Information Security Resources has posted an article that is eye-opening reading with respect to data breaches in 2009. Ten Most Damaging Data Breaches of 2009
U.S. to Join Fingerprint Sharing -- CBC News - Canada reports that the U.S. will join Canada, Australia and Britain in sharing fingerprints and other data to help authorities discern people's true identities in cracking down on asylum shopping and unlawful immigration.
Another site thinks "Privacy Matters" --
The Interactive Advertising Bureau yesterday launched an online campaign aimed at educating consumers about targeted advertising. On its website, IAB Privacy Matters, the IAB describes how marketers collect and use information about users' Web activities. IAB Senior Vice President David Doty said the site describes "in plain English" how online advertising works and includes guidance on how users can adjust their settings to control their information. The site is part of a broader effort among ad industry trade groups to head off potential regulation, the report states.
Facebook Changing -- Again -- Facebook will roll out new privacy controls in the coming weeks, reports itnews. The new options will let users control who sees their posts on a per-post basis. In an open letter to users, CEO Mark Zuckerberg said: "We're adding something that many of you have asked for--the ability to control who sees each individual piece of content you create or upload." The company will also roll out a simplified privacy settings page with a "walk-through" option where users can get recommendations from Facebook. In addition, the company will shutter its regional networks.
U.S. to Join Fingerprint Sharing -- CBC News - Canada reports that the U.S. will join Canada, Australia and Britain in sharing fingerprints and other data to help authorities discern people's true identities in cracking down on asylum shopping and unlawful immigration.
Another site thinks "Privacy Matters" --
The Interactive Advertising Bureau yesterday launched an online campaign aimed at educating consumers about targeted advertising. On its website, IAB Privacy Matters, the IAB describes how marketers collect and use information about users' Web activities. IAB Senior Vice President David Doty said the site describes "in plain English" how online advertising works and includes guidance on how users can adjust their settings to control their information. The site is part of a broader effort among ad industry trade groups to head off potential regulation, the report states.
Facebook Changing -- Again -- Facebook will roll out new privacy controls in the coming weeks, reports itnews. The new options will let users control who sees their posts on a per-post basis. In an open letter to users, CEO Mark Zuckerberg said: "We're adding something that many of you have asked for--the ability to control who sees each individual piece of content you create or upload." The company will also roll out a simplified privacy settings page with a "walk-through" option where users can get recommendations from Facebook. In addition, the company will shutter its regional networks.
Thursday, December 3, 2009
Court issues written opinion explaning decision regarding applicability of Red Flags Rule to attorneys
As we first blogged here, hours before the last Red Flags enforcement deadline, a federal court judge in the D.C. Circuit ruled from the bench that attorneys would not be subject to the Red Flags Rule. The court released Judge Walton's written opinion was released on December 1, 2009, which provides clarification of his comments from the bench. Click here for the opinion. Walton found the Federal Trade Commission overreached when it tried to define lawyers as "creditors". Walton wrote, "The Court is confident in concluding that the term attorney-client is nuanced enough that if Congress, which is comprised of many members who are themselves attorneys, intended to regulate attorneys and their invoiced billing practices it would have used the appropriate terminology to denote that intent and not hidden it in a statute expressly targeted at the credit industry." Judge Walton further noted, "Attorneys are already obligated to conduct themselves in a manner that promotes the objectives of the Red Flags Rule, and the Commission's position that its regulation is needed to protect third-parties against identity theft is just not the case."
On October 31, the FTC extended the Red Flags enforcement deadline for the fourth time to June 1, 2010.
Related Link:
Privacy and Security Information - Privacy MATTERS: Happy Halloween - No Red Flags Enforcement Until June 1, 2010.........
On October 31, the FTC extended the Red Flags enforcement deadline for the fourth time to June 1, 2010.
Related Link:
Privacy and Security Information - Privacy MATTERS: Happy Halloween - No Red Flags Enforcement Until June 1, 2010.........
Subscribe to:
Posts (Atom)