<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss'><id>tag:blogger.com,1999:blog-1913143473082500114</id><updated>2009-11-16T05:15:10.050-08:00</updated><title type='text'>Ephemerallaw</title><subtitle type='html'>A blog about the law surrounding information security and data privacy.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default?start-index=26&amp;max-results=25'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>198</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-6327848094417292238</id><published>2009-04-12T19:21:00.000-07:00</published><updated>2009-04-12T19:25:53.487-07:00</updated><title type='text'>Turn on your Syndication</title><content type='html'>Sadly, my actual job, combined with some personal issues have been taking up essentially all of my time recently, and will likely continue to do so for the foreseeable future.  I expect to be able to return to maintaining the blog on a more regular basis at some point in the future.  
However, at this point, I recommend taking advantage of the feed for the site, since coming back in order to see when I have a new post up is unlikely to result in finding anything.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-6327848094417292238?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/6327848094417292238/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=6327848094417292238' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6327848094417292238'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6327848094417292238'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/04/turn-on-your-syndication.html' title='Turn on your Syndication'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11893712755890672291'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-3246989410813278128</id><published>2009-04-04T19:27:00.000-07:00</published><updated>2009-04-05T20:06:44.469-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ARRA'/><category scheme='http://www.blogger.com/atom/ns#' term='HIPAA'/><category scheme='http://www.blogger.com/atom/ns#' term='security breach notification'/><category scheme='http://www.blogger.com/atom/ns#' term='federal legislation'/><title type='text'>Federal Security 
Breach Notification is Here</title><content type='html'>After years of talk, and failed attempts, tucked into a corner of the massive &lt;a href="http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&amp;docid=f:h1enr.pdf"&gt;American Recovery and Reinvestment Act&lt;/a&gt;, we get a federal security breach notification law.  Actually, we get a whole chunk of health care related privacy legislation, but what I'm going to focus on is the security breach notification part of it, as there's simply too much there for a single post otherwise.&lt;br /&gt;&lt;br /&gt;In any case, the relevant provisions are sections 13402 (Notification in the case of breach, starting at page 146 in the linked PDF) and 13407 (Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities, starting at page 155 in the linked PDF).  The question that needs to be asked is: how do they stack up against existing state security breach notification laws?  The answer: reasonably well.  The new federal law covers security breaches which expose individually identifiable health information* which means it's actually broader than some state laws which limit their coverage based on how the information is stored (e.g., California's &lt;a href="http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html"&gt;SB1386&lt;/a&gt; which is limited to "computerized" data).  The new federal law also includes a media notice provision, which requires notice to "prominent media outlets" if the unsecured protected health information of more than 500 residents is compromised.  That provision is actually stricter than the media notice from California's security breach notification law (used as a model for similar laws around the country), which is triggered if the number of people to be notified exceeds 500,000.  
&lt;br /&gt;&lt;br /&gt;On the other hand, while the new federal law is stricter in some ways, it lacks what I consider one of the most important features of an effective protection - an individual right to bring suit.  The lack of an individual right in various state laws has been used against people seeking compensation before (e.g., &lt;a href="http://ephemerallaw.blogspot.com/2007/08/7th-circuit-says-no-private-right-of.html"&gt;here&lt;/a&gt;), and I think the fact that the new federal law could be used in the same way could undermine enforcement.  However, even though enforcement is a little questionable, the substance of the new federal law looks like a significant expansion in the rights of individuals to be notified when their data is exposed to unauthorized parties.&lt;br /&gt;&lt;br /&gt;*Note: I am aware that it says it covers "unsecured protected health information".  However, if you look at the definitions, the "unsecured" part basically means unencrypted, while the "protected health information" refers back to the &lt;a href="http://edocket.access.gpo.gov/cfr_2004/octqtr/pdf/45cfr160.103.pdf"&gt;HIPAA regulations&lt;/a&gt;, and translates into individually identifiable health information which is either transmitted or maintained in any medium.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-3246989410813278128?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/3246989410813278128/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=3246989410813278128' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/3246989410813278128'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1913143473082500114/posts/default/3246989410813278128'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/04/federal-security-breach-notification-is.html' title='Federal Security Breach Notification is Here'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11893712755890672291'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-5786174372668206173</id><published>2009-03-24T19:05:00.000-07:00</published><updated>2009-03-24T19:09:45.244-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='red flag rules'/><title type='text'>Red Flag Rules - Deadline May 1</title><content type='html'>My colleagues &lt;a href="http://www.frostbrowntodd.com/jshea/"&gt;Jane Shea&lt;/a&gt; and &lt;a href="http://www.frostbrowntodd.com/gretchen_ackerman/"&gt;Gretchen Ackerman&lt;/a&gt; have published a new business advisory on the FTC red flag rules.  I am posting it here with permission.&lt;br /&gt;&lt;br /&gt;The May 1, 2009 deadline for creating and implementing an Identity Theft Protection and Prevention Program required by FTC Rules is fast approaching.  The Identity Theft Red Flag Rules apply to all organizations with accounts primarily for personal, family or household purposes that permit multiple payments.  Creditors subject to these rules include utilities, retailers, local governments, and car dealers, if such organizations carry consumer accounts permitting multiple repayments.  Many hospitals and patient care facilities extend credit to patients for deferred payment of treatment costs.  
These health care entities must implement an Identity Theft Protection and Prevention Program to identify, detect and respond to the possible existence of identity theft with respect to these accounts.  Health care entities must also take care to ensure that these programs do not conflict with other Federal and State laws, rules and regulations such as EMTALA.  &lt;br /&gt;&lt;br /&gt;The FTC Rules require all such organizations to develop and implement a proactive identity theft prevention program, and provide detailed guidelines intended to provide assistance in creating such a program.  Financial institutions regulated by a regulatory agency other than the FTC were required to adopt and implement an Identity Theft Protection and Prevention Program no later than November 1, 2008.  &lt;br /&gt;&lt;br /&gt;Federal regulators were required by the FACT Act of 2003 to issue regulations that implement Section 114 of the Act, which amended the Fair Credit Reporting Act to require financial institutions and other creditors which maintain consumer accounts to adopt and maintain a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with the opening of accounts maintained for personal, family or household purposes, so long as the accounts permit multiple payments or transactions.  Examples include credit card accounts, patient deferred payment plans, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts or savings accounts.&lt;br /&gt;&lt;br /&gt;The regulations provide organizations subject to the Rules with flexibility in developing their programs according to their relative size and complexity.  
However, the Program must include reasonable policies and procedures that:&lt;br /&gt;&lt;br /&gt;identify relevant Red Flags, and then incorporate those Red Flags into the Program; &lt;br /&gt;detect such Red Flags; &lt;br /&gt;respond appropriately to any Red Flags to prevent and mitigate identity theft; and &lt;br /&gt;ensure that the Program is updated periodically to reflect changes in risks to customers &lt;br /&gt;What are the "Red Flags"?  The regulations define them as a "pattern, practice, or specific activity that indicates the possible existence of identity theft."  However, the concept is fleshed out considerably in the supplementary materials to the regulations.  The federal regulatory agencies have adopted Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation.  The Regulations include a section explaining the relationship of the rules to the guidelines, specifically, that each financial institution or creditor must consider the guidelines in developing its Program, and must include those Guidelines that are appropriate.  They provide policies and procedures that can be used, where appropriate, to satisfy the regulatory requirements of the Rules.  &lt;br /&gt;&lt;br /&gt;Thus, the Guidelines provide with respect to risk factors an organization should consider in identifying red flags, likely sources of red flags, and categories of red flags that should be included in the Program.  
Additionally, the supplementary materials to the Guidelines include illustrative examples of Red Flags which may be incorporated into a Program, and break these down into five categories:  1) Alerts, Notifications or Warnings from a Consumer Reporting Agency; 2) Suspicious Documents; 3) Suspicious Personal Identifying Information; 4) Unusual Use of, or Suspicious Activity Related to, the Covered Account; and 5) Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Others Regarding Possible Identity Theft in Connection with Covered Accounts Held by the Financial Institution or Creditor.  Examples include:&lt;br /&gt;&lt;br /&gt;a fraud or active duty alert is included with a consumer report &lt;br /&gt;a consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report &lt;br /&gt;a consumer reporting agency provides a notice of address discrepancy &lt;br /&gt;identification documents appear to be forged &lt;br /&gt;inconsistencies between identification provided and the consumer's/patient's appearance or the information actually provided by the consumer/patient &lt;br /&gt;inconsistencies between personally identifying information provided and that obtained from external information sources &lt;br /&gt;a new revolving credit account is used in a manner commonly associated with known patterns of fraud.&lt;br /&gt;Once the Program has been established, the organization must administer the Program, and not simply place it on a shelf.  This involves requiring that the board of directors or an appropriate committee of the Board approve the initial written Program, and that the Board, an appropriate Board committee, or a designated member of senior management be responsible for the oversight, development, implementation and administration of the Program.  Additionally, training of relevant staff and effective oversight of third party service providers with respect to the Program is also required. 
&lt;br /&gt;&lt;br /&gt;Organizations covered by the Red Flag Identity Theft Rules are subject to oversight by the appropriate federal regulators, and for those creditors that are not federally regulated financial institutions, the Federal Trade Commission provides oversight.  Besides regulatory enforcement actions, violations of the FACT Act can subject an organization to civil actions for damages.  The type and amount of damages available will depend on whether the violations are "negligent" or "willful."  For a claim for negligent violation, a plaintiff must prove he or she suffered actual harm as a result of the defendant's negligence.  In the case of a claim for a willful violation, most courts will require proof of actual knowledge and intentional violation of the relevant statute by the organization.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-5786174372668206173?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/5786174372668206173/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=5786174372668206173' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/5786174372668206173'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/5786174372668206173'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/03/red-flag-rules-deadline-may-1.html' title='Red Flag Rules - Deadline May 1'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' 
name='OpenSocialUserId' value='11893712755890672291'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-156362190628466371</id><published>2009-03-22T17:08:00.000-07:00</published><updated>2009-03-22T18:15:52.900-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='EPIC'/><category scheme='http://www.blogger.com/atom/ns#' term='Google'/><category scheme='http://www.blogger.com/atom/ns#' term='FTC'/><title type='text'>EPIC Files Interesting Complaint Regarding Google Services</title><content type='html'>Earlier this month, Google sent out an email admitting to a bug (subsequently fixed) which caused some documents on Google's cloud computing services to be shared without their owners' knowledge or consent (a copy of the email can be found in &lt;a href="http://blogs.computerworld.com/google_docs_sharing_error_permission_cloud"&gt;this&lt;/a&gt; blog post).  Now, the &lt;a href="http://www.epic.org"&gt;Electronic Privacy Information Center&lt;/a&gt; (EPIC) has filed a complaint with the FTC asking it to investigate Google's procedures, to force Google to revise its terms of service, and to spend $5,000,000 on security research.  The complaint also asks that Google be enjoined from offering cloud computing services until "safeguards are verifiably established."  The complaint can be found &lt;a href="http://epic.org/privacy/cloudcomputing/google/ftc031709.pdf"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;At this point, I actually don't want the complaint to succeed - at least, not to succeed in full, as I use some of the services in question, and I don't want to wait for Google to get its act together on privacy before using them again.  However, while I don't want the complaint to succeed, I do think it makes for interesting reading for people who care about, but aren't familiar with, the FTC's role in protecting consumer privacy.  
Highly recommended reading, at least for that class of reader.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=privacy&amp;articleId=9129916&amp;taxonomyId=84&amp;intsrc=kc_top"&gt;via&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-156362190628466371?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/156362190628466371/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=156362190628466371' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/156362190628466371'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/156362190628466371'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/03/epic-files-interesting-complaint.html' title='EPIC Files Interesting Complaint Regarding Google Services'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11893712755890672291'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-335585152442371699</id><published>2009-03-15T20:59:00.000-07:00</published><updated>2009-03-16T18:10:58.524-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='regulation'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI standards'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI 
DSS'/><title type='text'>PCI and the Efficacy of Self Regulation</title><content type='html'>Tucked away in the conclusion of &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=Privacy&amp;articleId=9129277&amp;taxonomyId=84&amp;pageNumber=1"&gt;this&lt;/a&gt; article is an interesting question: is the PCI Data Security Standard effective?  Actually, the question as posed, which was whether the PCI Data Security Standard in its current form is effective, is not particularly interesting (at least to me).  The more interesting question is whether the PCI DSS, or &lt;span style="font-style:italic;"&gt;any&lt;/span&gt; self regulation can be an effective counter to information security threats.  I don't know the answer, but the article gives some indication that that answer might be no.&lt;br /&gt;&lt;br /&gt;Of course, the article itself did not tackle the question of self regulation versus governmental oversight.  The article was devoted to describing a new set of guidelines which is intended to facilitate the process of becoming PCI compliant.  Apparently, there is a perception that some businesses look at the PCI requirements, become overwhelmed by what's necessary to comply, and, as a result, do nothing.  The hope is that, by breaking things down and ranking them in terms of priority, the new guidelines will make the task more manageable, and therefore increase compliance.  The article then mentioned that these new efforts to increase compliance come at a time when the effectiveness of the PCI DSS is being questioned based on recent security breaches such as that at &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9128841"&gt;Heartland Payment Systems&lt;/a&gt;.  The article mentioned that a spokesman from the PCI Security Standards council had said that there wasn't anything wrong with the standards.  
However, if that's true, it raises a bigger question - why are the breaches still happening?  &lt;br /&gt;&lt;br /&gt;One possible answer, the one I alluded to at the beginning of the post, is that breaches are still happening because self regulation isn't an effective means of influencing behavior.  I think that position is probably too extreme - merchants do care about the PCI DSS.  However, the fact that there is a perceived need for the current compliance campaign, and the fact that massive breaches like that at Heartland keep happening indicates that something needs to change.  Maybe what that is is to add a dose of federal government enforcement power to the supposedly sufficient requirements of the PCI DSS.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-335585152442371699?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/335585152442371699/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=335585152442371699' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/335585152442371699'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/335585152442371699'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/03/pci-and-efficacy-of-self-regulation.html' title='PCI and the Efficacy of Self Regulation'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11893712755890672291'/></author><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-4535527021231106131</id><published>2009-03-10T19:07:00.000-07:00</published><updated>2009-03-10T19:34:10.286-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='California'/><category scheme='http://www.blogger.com/atom/ns#' term='security breach notification'/><category scheme='http://www.blogger.com/atom/ns#' term='notification laws'/><title type='text'>What I wouldn't give for some time...</title><content type='html'>Actually, I know very well what I wouldn't give up for some time.  I wouldn't give up my productivity at work, or my relaxing evenings with my wife.  However, if I would give those things up, I could write a great blog post on proposed changes to California's security breach notification act.  Instead, I'll just mention &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=privacy&amp;articleId=9129267&amp;taxonomyId=84&amp;intsrc=kc_top"&gt;this&lt;/a&gt; article from &lt;a href="http://www.computerworld.com"&gt;Computer World&lt;/a&gt;, and quickly note that the proposed changes require businesses that suffer breaches to report them to a centralized authority, not just to the people whose data is compromised.  &lt;br /&gt;&lt;br /&gt;Of course, if I were writing a really good blog post, I wouldn't just talk about the proposed changes, but instead I'd try and put them in broader context, perhaps by referring to &lt;a href="http://blog.wired.com/27bstroke6/2009/03/experts-debate.html"&gt;this&lt;/a&gt; post from the &lt;a href="http://blog.wired.com/27bstroke6"&gt;Threat Level&lt;/a&gt; blog, which describes a panel discussion on whether notification laws "work".  
I might even have some analysis on the proper way to measure the efficacy of notification laws.&lt;br /&gt;&lt;br /&gt;As it is though, I'm not writing that blog post, I'm writing this relatively uncreative excuse for a blog post.  Oh well.  On the bright side, I'm still a good lawyer by day, and I've had a nice evening with my wife.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-4535527021231106131?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/4535527021231106131/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=4535527021231106131' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4535527021231106131'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4535527021231106131'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/03/what-i-wouldnt-give-for-some-time.html' title='What I wouldn&apos;t give for some time...'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11893712755890672291'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-8017673589492673574</id><published>2009-03-01T16:21:00.000-08:00</published><updated>2009-03-01T18:28:31.310-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><title type='text'>Facebook Content Policy</title><content type='html'>Last month, 
there was something of a controversy regarding the terms of service for the popular social networking site &lt;a href="http://www.facebook.com"&gt;Facebook&lt;/a&gt;.  The issue (described in &lt;a href="http://www.cnn.com/2009/TECH/02/18/facebook.reversal/index.html"&gt;this&lt;/a&gt; article) was that Facebook removed a statement from its terms of service that said it couldn't claim rights in original content uploaded by users after they terminated their accounts, and replaced it with a statement saying that Facebook might maintain archived copies of user content.  From my perspective, this would not have seemed like a significant event.  I assume that everything (including this web site) I put online is archived somewhere, whether it's at the site that's hosting the content (e.g., Facebook), some external site (e.g., &lt;a href="http://www.archive.org"&gt;the internet archive&lt;/a&gt;), or the local computers of whoever happens to have looked at whatever I posted (e.g., blog readers).  My guess is that the lawyers who recommended that Facebook make the change thought that most Facebook users were about like me, and wouldn't see the modification of the policy as a significant change.&lt;br /&gt;&lt;br /&gt;They were wrong.&lt;br /&gt;&lt;br /&gt;Facebook's users were outraged.  They started a Facebook group (!) to protest, and it quickly signed up 88,000 members.  The &lt;a href="http://epic.org"&gt;Electronic Privacy Information Center&lt;/a&gt; prepared an FTC complaint.  As one user rhetorically asked: "Will I wind up seeing pictures of my niece staring at me from a bus stop at some point and be told I shoulda read the fine print?" 
(quote via &lt;a href="http://www.pcworld.com/article/159743/facebooks_privacy_flap_what_really_went_down_and_whats_next.html"&gt;this&lt;/a&gt; article).&lt;br /&gt;&lt;br /&gt;Anyway, because of the outrage, Facebook backed down, and is now asking users to help define its policies (article &lt;a href="http://www.cnn.com/2009/TECH/02/27/facebook.democracy/index.html"&gt;here&lt;/a&gt;).  On one hand, it's a demonstration that consumer pressure actually can have beneficial effects.  On the other hand, it's a demonstration that privacy concerns crop up over the most bizarre things.  For example, if someone really wants to have their niece's picture taken out of an advertisement, they can sue Facebook for making an unauthorized public display and get an injunction.*  Additionally, there have been several cases where people have sued for common law torts such as libel, or false light invasion of privacy for using pictures in advertisements without the subjects' consent (e.g., Virgin, which was sued for using a picture uploaded to Flickr with the tag line "virgin to virgin" - article &lt;a href="http://www.msnbc.msn.com/id/20896643/"&gt;here&lt;/a&gt;).  In short, the fears that led to the revolt against Facebook are one of the areas where the law does offer redress for unauthorized use of personal data.  Strange that people got outraged over that, rather than something where the law offers little or no protection.&lt;br /&gt;&lt;br /&gt;*Copyright protection subsists in any work fixed in a tangible medium of expression.  &lt;a href="http://www.copyright.gov/title17/92chap1.html#102"&gt;17 USC 102&lt;/a&gt;.  That includes computer memory, which means that everything uploaded to Facebook is automatically protected by copyright.**&lt;br /&gt;&lt;br /&gt;**Yes, there is a requirement for registration, but you can register after infringement has taken place.  &lt;a href="http://www.copyright.gov/title17/92chap4.html#408"&gt;17 USC 408 et seq&lt;/a&gt;.  
While there are significant advantages to registering before an infringement occurs, a discussion of those advantages is &lt;span style="font-style:italic;"&gt;way&lt;/span&gt; outside the scope of this post.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-8017673589492673574?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/8017673589492673574/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=8017673589492673574' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8017673589492673574'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8017673589492673574'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/03/facebook-content-policy.html' title='Facebook Content Policy'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11893712755890672291'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-6072780776586856450</id><published>2009-02-22T19:32:00.001-08:00</published><updated>2009-02-22T19:43:02.780-08:00</updated><title type='text'>A Quick Reminder: If you want legal advice, get a lawyer</title><content type='html'>As it says in the disclaimer at the bottom of the page (which you should definitely read): "This site is provided for informational purposes only...This site should not be used as a substitute for 
competent legal advice from a licensed professional attorney in your state."&lt;br /&gt;&lt;br /&gt;Data privacy and information security are governed by a patchwork of state laws, and there is massive variation from jurisdiction to jurisdiction.  For example, my home state, Ohio, has a data security notification law (&lt;a href="http://codes.ohio.gov/orc/1349.19"&gt;ORC 1349.19&lt;/a&gt;).  However, if I drive 10 minutes south from my office, I'm in Kentucky, which doesn't have an equivalent law (a handy table of what states do and do not have such laws can be found &lt;a href="http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm"&gt;here&lt;/a&gt;).  Tort remedies, such as trespass to chattels, breach of contract, negligence and intentional infliction of emotional distress (to name 4) are also governed by state law.  &lt;br /&gt;&lt;br /&gt;This web site does discuss the law surrounding information security and data privacy.  However, anyone who has a question about their own information security or data privacy situation should get a lawyer who can apply the law as it exists in their jurisdiction to the facts as they exist in their case - not rely on a web site (this one, or any other).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-6072780776586856450?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/6072780776586856450/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=6072780776586856450' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6072780776586856450'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6072780776586856450'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/02/quick-reminder-if-you-want-legal-advice.html' title='A Quick Reminder: If you want legal advice, get a lawyer'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11893712755890672291'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-4068267408000172103</id><published>2009-02-16T17:12:00.000-08:00</published><updated>2009-02-16T17:27:22.317-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Massachusetts Encryption Law'/><title type='text'>Massachusetts Extends Compliance with Data Security Rules</title><content type='html'>We've written previously (e.g., &lt;a href="http://ephemerallaw.blogspot.com/2009/01/will-anyone-be-ready-for-next-level-of.html"&gt;here&lt;/a&gt;) about Massachusetts' new data security rules.  Briefly, they would have required anyone who owns, stores or maintains personal data about a resident of Massachusetts, and who stores that data electronically, to encrypt the data before transmitting it wirelessly or over a public network.  The rules would also have required encryption of data stored on mobile devices.  I say "would have" because their implementation deadline, which had been previously set at May 1, 2009, has been extended till January 1, 2010 (see article &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=Standards+and+Legal+Issues&amp;articleId=9127961&amp;taxonomyId=146&amp;pageNumber=1"&gt;here&lt;/a&gt;).  
&lt;br /&gt;&lt;br /&gt;Of course, this isn't a big surprise, since regulations having to do with privacy (both strengthening, like the &lt;a href="http://ephemerallaw.blogspot.com/2008/10/red-flag-rules-delayed.html"&gt;red flag rules&lt;/a&gt; and weakening, like &lt;a href="http://www.migrationinformation.org/USfocus/display.cfm?id=589"&gt;Real ID&lt;/a&gt;) have a history of getting delayed.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-4068267408000172103?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/4068267408000172103/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=4068267408000172103' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4068267408000172103'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4068267408000172103'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/02/massachusetts-extends-compliance-with.html' title='Massachusetts Extends Compliance with Data Security Rules'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11893712755890672291'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-493771885069079848</id><published>2009-02-10T17:02:00.000-08:00</published><updated>2009-02-10T19:02:06.208-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='private 
suits'/><category scheme='http://www.blogger.com/atom/ns#' term='FTC'/><title type='text'>Even More Limitations on Private Rights of Action</title><content type='html'>Previously, I've written about problems with protecting privacy through private civil suits, such as &lt;a href="http://ephemerallaw.blogspot.com/2008/03/problem-of-compensation.html"&gt;transaction costs&lt;/a&gt;, &lt;a href="http://ephemerallaw.blogspot.com/2008/03/problems-with-us-courts-treatment-of.html"&gt;difficulty of proving damages&lt;/a&gt;, and &lt;a href="http://ephemerallaw.blogspot.com/2007/08/7th-circuit-says-no-private-right-of.html"&gt;a generally hostile court system&lt;/a&gt;.  However, a recent breach notification by &lt;a href="http://www.geeks.com"&gt;Geeks.com&lt;/a&gt; has indicated that even when those factors aren't present, people (or, in this case, businesses) still aren't that interested in enforcing their rights.  The story, according to &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=privacy&amp;articleId=9127541&amp;taxonomyId=84&amp;intsrc=kc_top"&gt;this&lt;/a&gt; article from &lt;a href="http://www.computerworld.com"&gt;Computerworld&lt;/a&gt;, is that the web site was victimized by an SQL injection attack, and the operators eventually entered into a settlement with the FTC wherein they agreed to undergo audits and not to make any further misleading claims about privacy.  So far, not particularly notable.  However, as the article says, unlike most security breaches:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;The breach was notable because the Geeks.com site prominently displayed a "Hacker Safe" seal provided to companies by McAfee Inc. as part of its ScanAlert vulnerability scanning service. 
However, McAfee officials said at the time that the Hacker Safe certification — since renamed McAfee Secure — had been withdrawn from Geeks.com on multiple occasions during 2007 after scans found vulnerabilities in its systems.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;To me this is shocking.  Not because a supposedly secure site was compromised, but because they were improperly displaying the "Hacker Safe" seal.  &lt;br /&gt;&lt;br /&gt;Where was McAfee?  &lt;br /&gt;&lt;br /&gt;Didn't it care about its good name?  I would guess that Geeks.com would have taken down the "Hacker Safe" seal if McAfee simply asked them to.  I doubt even a sternly worded letter would have been necessary.  Still, if it had been, there are any number of attorneys who could have written it, and who would have been happy to go to court to get the seal removed if Geeks.com wouldn't take it down otherwise.  Happily, the FTC stepped up in this case.  However, it's a little surprising that they were the ones who ended up doing it, rather than the private actor who one would think would have had both the incentive and opportunity to have taken action earlier.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-493771885069079848?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/493771885069079848/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=493771885069079848' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/493771885069079848'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/493771885069079848'/><link rel='alternate' type='text/html' 
href='http://ephemerallaw.blogspot.com/2009/02/even-more-limitations-on-private-rights.html' title='Even More Limitations on Private Rights of Action'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11893712755890672291'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-2637498906071855457</id><published>2009-02-01T18:45:00.000-08:00</published><updated>2009-02-01T19:04:14.310-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='contract'/><category scheme='http://www.blogger.com/atom/ns#' term='microsoft'/><category scheme='http://www.blogger.com/atom/ns#' term='adware'/><title type='text'>A view from the dark side</title><content type='html'>Via &lt;a href="http://www.schneier.com/blog/"&gt;Bruce Schneier&lt;/a&gt;, we have a fascinating &lt;a href="http://philosecurity.org/2009/01/12/interview-with-an-adware-author"&gt;interview with an adware author&lt;/a&gt;.  From a technical perspective, it's fascinating - he gives a programmer's eye view of the various mechanisms he used to make sure his adware couldn't be uninstalled or stopped.  From a privacy standpoint it's disturbing.  When asked the question of whether people had any security or privacy at all, his answer was (essentially) no, but it doesn't matter because most people aren't criminals so you're probably ok.&lt;br /&gt;&lt;br /&gt;From a legal standpoint, it had two interesting takeaways.  First: End User License Agreements are trouble.  The interviewee's opinion was that people don't read EULAs, so you can put anything in them, including agreements by the user that the adware company can install whatever software they want on the user's computer.  
In the coming years, I would expect to see some limits placed on this (e.g., by the FTC under its authority to police unfair or deceptive trade practices).  Second, the legal system can work to curb bad practices, but only once the bad practices are known.  The company the interviewee worked for, &lt;a href="http://www.out-law.com/page-6817"&gt;Direct Revenue, was sued by Eliot Spitzer&lt;/a&gt;.  The problem is, the suit only happened after the company made the poor business decision to start branding their adware.  If they hadn't done that, it's anyone's guess as to whether they even would have shown up on the (now disgraced) attorney general's radar screen.&lt;br /&gt;&lt;br /&gt;Also, one final takeaway from the interview: if you want to reduce your susceptibility to adware (or various forms of viruses or other malware) switch off Microsoft products.  The interviewee was openly contemptuous of Microsoft products.  The money quote: "If you’re using IE [Internet Explorer], then either you don’t care or you don’t know about all the vulnerabilities that IE has."  
I'm not sure I agree with him, but it's interesting to see how an insider views the world at large.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-2637498906071855457?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/2637498906071855457/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=2637498906071855457' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/2637498906071855457'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/2637498906071855457'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/02/view-from-dark-side.html' title='A view from the dark side'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11893712755890672291'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-3859739687463442578</id><published>2009-01-25T19:00:00.000-08:00</published><updated>2009-01-25T19:36:24.491-08:00</updated><title type='text'>Privacy for me but not for thee</title><content type='html'>Via &lt;a href="http://www.boingboing.net"&gt;BoingBoing&lt;/a&gt;, I found &lt;a href="http://www.no2id.net/news/newsletters/newsletter?issue=115"&gt;this&lt;/a&gt; article, which shows that the UK government has no (or at most very little) respect for the privacy of individual citizens.  
According to the article, there is a clause in a pending piece of UK legislation which would &lt;br /&gt;&lt;blockquote&gt;allow ministers to make 'Information Sharing Orders', that can alter any Act of Parliament and cancel all rules of confidentiality in order to use information obtained for one purpose to be used for another.&lt;/blockquote&gt;&lt;br /&gt;Now, admittedly, I am not an expert on UK law, but allowing such information sharing orders would seem to basically nullify any types of privacy protections which currently exist.  It's almost as if the British government doesn't care about privacy at all.&lt;br /&gt;&lt;br /&gt;...of course, we know that can't be true, since just a week earlier, British MPs (members of parliament) had attempted to pass a law which would have exempted records of their expenses from freedom of information act requests (see &lt;a href="http://www.guardian.co.uk/politics/2009/jan/15/freedom-of-information-expenses"&gt;this&lt;/a&gt; article, also via BoingBoing).  
I guess this is just one more example of how government officials care deeply about privacy - but only if it's their own information that they're trying to keep secret.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-3859739687463442578?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/3859739687463442578/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=3859739687463442578' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/3859739687463442578'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/3859739687463442578'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/01/privacy-for-me-but-not-for-thee.html' title='Privacy for me but not for thee'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11893712755890672291'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-8614949795838047717</id><published>2009-01-21T17:21:00.000-08:00</published><updated>2009-01-21T19:19:20.662-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security Breaches'/><category scheme='http://www.blogger.com/atom/ns#' term='heartland'/><category scheme='http://www.blogger.com/atom/ns#' term='TJX'/><title type='text'>And They're Off</title><content type='html'>We're a little less than a month into the new year, and 
there's already a strong contender for biggest data security breach of '09.  Actually, the breach, which involved a compromise of &lt;a href="http://www.heartlandpaymentsystems.com/"&gt;Heartland Payment Systems&lt;/a&gt; took place in 2008, but it wasn't &lt;a href="http://www.2008breach.com/"&gt;publicly disclosed&lt;/a&gt; until yesterday, so I'm classifying it as a 2009 breach.  However, whatever year the breach is placed in, it's potentially a monster, with over 100,000,000 accounts at risk.  We don't know the full extent of the breach yet, but this is one to keep an eye on as potentially not only being a candidate for the biggest breach of 2009, but also as having the potential to dethrone TJX as the biggest breach ever.&lt;br /&gt;&lt;a href="http://blog.wired.com/27bstroke6/2009/01/card-processor.html"&gt;via&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-8614949795838047717?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/8614949795838047717/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=8614949795838047717' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8614949795838047717'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8614949795838047717'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/01/and-theyre-off.html' title='And They&apos;re Off'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' 
value='11893712755890672291'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-7336114533517829460</id><published>2009-01-14T19:12:00.000-08:00</published><updated>2009-01-14T19:18:21.089-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Antivirus 2009'/><category scheme='http://www.blogger.com/atom/ns#' term='malwarebytes'/><title type='text'>Malwarebytes Link</title><content type='html'>As a (most likely final) follow up to my posts (&lt;a href="http://ephemerallaw.blogspot.com/2009/01/antivirus-2009.html"&gt;here&lt;/a&gt; and &lt;a href="http://ephemerallaw.blogspot.com/2009/01/removing-antivirus-2009.html"&gt;here&lt;/a&gt;) on removing Antivirus 2009, I contacted &lt;a href="http://www.malwarebytes.org"&gt;Malwarebytes&lt;/a&gt; and asked if they had an alternate site where you could download their tools without being blocked.  In response, they sent me this link to their &lt;a href="http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&amp;subj=dl&amp;tag=button"&gt;free product&lt;/a&gt;.  I can't guarantee that it will work, and I'm not planning on purposefully getting infected just to test it.  
However, if anyone happens to stumble across this blog looking for a way to remove the virus, the above link might do the trick.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-7336114533517829460?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/7336114533517829460/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=7336114533517829460' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/7336114533517829460'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/7336114533517829460'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/01/malwarebytes-link.html' title='Malwarebytes Link'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11893712755890672291'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-8654166765645096313</id><published>2009-01-13T17:58:00.000-08:00</published><updated>2009-01-13T18:18:00.990-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='obama'/><title type='text'>Government spurs security improvements</title><content type='html'>Well, we still don't know if (as I predicted &lt;a href="http://ephemerallaw.blogspot.com/2008/11/giving-up-email.html"&gt;here&lt;/a&gt;) Obama will be the first email friendly president.  
However, we do know that there is now a PDA which has been certified by the NSA for top secret voice communication.  Sadly, the price tag is a hefty $3,350, which will keep it out of the hands of most private citizens (including me).  Still, that's no object for Obama, and I wouldn't be at all surprised if he uses this device (or something like it) to avoid having to give up email.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://news.cnet.com/8301-13578_3-10141398-38.html"&gt;via&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-8654166765645096313?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/8654166765645096313/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=8654166765645096313' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8654166765645096313'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8654166765645096313'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/01/government-spurs-security-improvements.html' title='Government spurs security improvements'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11893712755890672291'/></author><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-8261017060321625129</id><published>2009-01-09T15:53:00.000-08:00</published><updated>2009-01-09T16:15:45.867-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Hallmark E-Card Virus'/><title type='text'>Hallmark E-Card Virus</title><content type='html'>Today I received an email (actually, several emails) with yet another virus.  Unlike Antivirus 2009, which has the potential to trick unsuspecting users by masquerading as a legitimate program, this one, which appears to spread via email attachment would only catch the absolutely most unsophisticated.  Indeed, unlike some email viruses, this one doesn't even bother trying to personalize the emails it sends out.  Instead, it uses the following generic message:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;Hello!&lt;br /&gt;&lt;br /&gt;You have recieved a Hallmark E-Card from your friend.&lt;br /&gt;&lt;br /&gt;To see it, check the attachment.&lt;br /&gt;&lt;br /&gt;There's something special about that E-Card feeling. We invite you to make a friend's day and send one.&lt;br /&gt;&lt;br /&gt;Hope to see you soon,&lt;br /&gt;Your friends at Hallmark&lt;br /&gt;&lt;br /&gt;Your privacy is our priority. Click the "Privacy and Security" link at the bottom of this E-mail to view our policy. 
&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;I'm not sure what to say about it, except that anyone who trusts a card from an anonymous "friend" who wants them to open an email attachment probably has so many viruses on their system already that one more won't do much damage (either that or an antivirus program strong enough to protect them from themselves - something I recommend all users get regardless of their sophistication).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-8261017060321625129?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/8261017060321625129/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=8261017060321625129' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8261017060321625129'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8261017060321625129'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/01/hallmark-e-card-virus.html' title='Hallmark E-Card Virus'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11893712755890672291'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-9150948410371610947</id><published>2009-01-08T16:04:00.000-08:00</published><updated>2009-02-01T19:09:06.393-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Antivirus 2009'/><title 
type='text'>Removing Antivirus 2009</title><content type='html'>I've received a number of hits on my &lt;a href="http://ephemerallaw.blogspot.com/2009/01/antivirus-2009.html"&gt;previous post&lt;/a&gt; about some legal issues regarding Antivirus 2009, which I suspect are from people looking for how to get rid of the malware who can't get to the big antivirus sites because Antivirus 2009 has blocked them.  For anyone looking for how to get rid of the program, here's my advice:&lt;br /&gt;&lt;br /&gt;1)  Don't expect to download a tool to fix the problem.  The nastiest feature of Antivirus 2009 is that it blocks downloads from the major antivirus websites.  In particular, &lt;a href="http://www.malwarebytes.org"&gt;Malwarebytes&lt;/a&gt;, which is recommended in a number of places to deal with Antivirus 2009, is blocked.&lt;br /&gt;&lt;br /&gt;2)  Get to a clean system.  Just because you can't download the proper tools on a compromised system doesn't mean you can't download them at all.  Go to another computer and download the tools you need.  Malwarebytes Anti-Malware, mentioned above, can be downloaded &lt;a href="http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe"&gt;here&lt;/a&gt;.  &lt;br /&gt;&lt;br /&gt;3)  Send the tools from the clean system to the compromised system.  The most obvious way to do this is via a flash drive.  However, the version of Antivirus 2009 I dealt with (surprisingly) allowed me to send the mbam-setup.exe program through email.  &lt;br /&gt;&lt;br /&gt;4)  Once the tool (whatever it is) is downloaded, rename it to &lt;something&gt;.bat.  With the version of Antivirus 2009 I dealt with, it wouldn't let mbam-setup.exe execute, but it would let blank.bat (what I renamed mbam-setup.exe) run just fine.  &lt;br /&gt;&lt;br /&gt;Please note that, for step 4 above to work, you might have to restart Windows in safe mode.  
A description of how to do that can be found &lt;a href="http://www.columbia.edu/acis/security/articles/data/safemode.html"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Please also note that the above 4 steps (including restarting in safe mode) might not actually work.  The version of Antivirus 2009 which got onto my grandmother's computer let me run the antivirus setup program, but blocked the antivirus program itself.  My next step after step 4 would have been to create a rescue CD and use that to boot from.  However, my brother who also happened to be visiting that weekend had different advice: since my grandmother's computer was brand new, why not reformat the hard drive and just reinstall everything my grandmother wanted?  In the end, that's what happened, since I would have been required to go back to my house (across town) to get a rescue CD, while my brother could reformat the hard drive immediately.  It's an extreme measure, but I can testify that it certainly worked for my grandmother.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Update:&lt;/span&gt;  As a potential alternative, I sent a message to Malwarebytes and asked them if they had a link that wouldn't be blocked by Antivirus 2009.  
They sent me a link, and I added it in &lt;a href="http://ephemerallaw.blogspot.com/2009/01/malwarebytes-link.html"&gt;this&lt;/a&gt; post.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-9150948410371610947?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/9150948410371610947/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=9150948410371610947' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/9150948410371610947'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/9150948410371610947'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/01/removing-antivirus-2009.html' title='Removing Antivirus 2009'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11893712755890672291'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-4564816455189159669</id><published>2009-01-07T17:31:00.000-08:00</published><updated>2009-01-07T17:33:27.697-08:00</updated><title type='text'>Will Anyone be Ready for the Next Level of Identity Theft Protection?</title><content type='html'>The Massachusetts and Nevada Models&lt;br /&gt;&lt;br /&gt;Brace yourself for the countless retrospectives to appear in the coming months, touting 2008 as an eventful year for so many reasons: an historic presidential election, a meltdown in the financial and 
real estate industry and resulting economic maelstrom, Michael Phelps winning a record-breaking eight gold medals in the Beijing Olympics – the list goes on. &lt;br /&gt;&lt;br /&gt;One notable characteristic of 2008 that may go unnoticed by the mainstream commentators, but is no less remarkable, is the continuing wave of consumer protection legislation enacted by state legislatures in the wake of spiraling incidents of identity theft. In addition, an otherwise lethargic Congress has managed to enact a cybercrime law, signed by President Bush in early October, called The Identity Theft Enforcement and Restitution Act of 2008. This law makes it easier for prosecutors to bring hacking and other cybercrime charges against an individual, eliminating the minimum $5,000 in damages requirement. It also makes it a felony, during any one-year period, to damage ten or more government or financial institution computers, and directs the U.S. Sentencing Commission to consider increasing its penalty guidelines for those convicted of identity theft, computer fraud, illegal wiretapping or breaking into computer systems. Combined with the issuance early in 2008 of the FTC’s Identity Theft Red Flag Guidelines, these new legislative and regulatory initiatives are designed to combat what has become a crime wave of increasing dimensions.&lt;br /&gt;&lt;br /&gt;The proactive trend of the state legislatures began several years ago with California’s data security breach notification and security freeze laws, resulting in 44 states and the District of Columbia enacting the same or similar laws. The momentum has continued with many states strengthening identity theft laws concerning the protection from the public of social security numbers and personal information from credit cards. Massachusetts has moved in another new direction with a law that will become effective on May 1, 2009. 
The law was an addition to Massachusetts Laws Chapter on Security Breaches, and was expanded upon by administrative regulations. It applies to anyone who owns, stores or maintains personal data about a resident of Massachusetts. The data that is stored electronically must be encrypted before it is transmitted over a public network or transmitted wirelessly, especially on portable devices such as laptop computers and Blackberries, as well as other portable devices such as flash drives, cell phones and CDs. For this reason, according to some commentators, the law is a little ahead of its time, since the technology for encryption of portable devices is just starting to be developed. &lt;br /&gt;&lt;br /&gt;In addition to the computer system security requirements, the law imposes a duty to protect and standards for protecting personal information. Its requirements are similar to the federal Identity Theft Red Flag Guidelines requirements, effectively extending the federal regulations’ applicability well beyond the original class of “creditors,” as defined in the Guidelines, to all types of businesses. It requires the development and maintenance of a comprehensive, written information security program that includes the designation of an employee responsible for the program, identifying foreseeable risks, ongoing employee training, employee compliance with policies and procedures, and processes for detecting and preventing security system failures. It requires disciplinary measures be imposed for violations of the program rules, the prevention of terminated employees from accessing records, and the taking of reasonable steps to verify that third-party service providers have the capacity to protect the personal data. 
It imposes data collection and retention standards and requires access be limited to those persons reasonably required to know, as well as restrictions on physical access.&lt;br /&gt;&lt;br /&gt;Nevada has also enacted a similar law that went into effect October 1, 2008. NRS 597.970 takes a different approach than Massachusetts to applicability, so that it only applies to businesses operating or “doing business in” the state of Nevada, without regard to where their customers reside. It imposes an encryption requirement as well, by simply stating that businesses in the state of Nevada “shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.” Of course, as with the Massachusetts law, the devil is in the details. The Nevada law defines “encryption” broadly to mean the use of any protective or disruptive measure (including cryptography, enciphering, encoding or a computer contaminant) to prevent or disrupt access to, or the normal operation of, any device, system or network, or to cause such data to be unintelligible or unusable. The definition raises more questions than it answers. While the definition of “personal information” is similar to that found in many data security laws, the questions of who is a customer and what constitutes “doing business” in Nevada have no clear answers. It could arguably apply to businesses with no physical presence in the state of Nevada, but which do business through an internet website. &lt;br /&gt;&lt;br /&gt;The Massachusetts law is enforceable only by the Massachusetts Attorney General. However, the Nevada law does not limit enforcement to its attorney general, nor does it contain any specific penalty provisions, so that the potential for a private lawsuit (including a class action suit) exists with no limit on damages. 
Companies operating nationally should consider whether their existing policies and procedures regarding the transmission of personal data meet the encryption and other requirements of these laws.&lt;br /&gt;&lt;br /&gt;Whether the Massachusetts and Nevada laws forecast a trend or whether they are isolated anomalies remains to be seen. But if recent experience with state enactment of security breach notification and security freeze statutes is any gauge, these two laws may very well signal the beginning of the next wave of state law initiatives designed to combat the growing phenomenon of identity theft.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-4564816455189159669?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/4564816455189159669/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=4564816455189159669' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4564816455189159669'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4564816455189159669'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/01/will-anyone-be-ready-for-next-level-of.html' title='Will Anyone be Ready for the Next Level of Identity Theft Protection?'/><author><name>Jane Shea</name><uri>http://www.blogger.com/profile/17732636392484969702</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='14474036779593408775'/></author><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-6999259808727195675</id><published>2009-01-06T18:28:00.000-08:00</published><updated>2009-01-06T18:49:25.193-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Nextadvisor'/><title type='text'>Reviews and Comparisons</title><content type='html'>Recently, I discovered (or, more accurately, was informed of) the site &lt;a href="http://www.nextadvisor.com"&gt;NextAdvisor&lt;/a&gt;, a web page which provides comparisons and reviews for a variety of services, including (of particular interest to readers of this blog) &lt;a href="http://www.nextadvisor.com/identity_theft_protection_services/index.php"&gt;Identity Theft&lt;/a&gt;, &lt;a href="http://www.nextadvisor.com/internet_security_software/index.php"&gt;Security Software&lt;/a&gt;, and &lt;a href="http://www.nextadvisor.com/online_backup_services/index.php"&gt;Online Backup Services&lt;/a&gt;.  They also have a &lt;a href="http://www.nextadvisor.com/blog"&gt;blog&lt;/a&gt; which has quick summaries of recent identity theft news items.  The blog appears to be updated relatively regularly, and the articles are fun in an offbeat sort of way (for example, &lt;a href="http://www.nextadvisor.com/online_backup_services/index.php"&gt;this&lt;/a&gt; article about a mother who pretended to be her daughter for cheerleading tryouts).  
Definitely a site to consider for some quick info or tidbits on identity theft.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-6999259808727195675?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/6999259808727195675/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=6999259808727195675' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6999259808727195675'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6999259808727195675'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/01/reviews-and-comparisons.html' title='Reviews and Comparisons'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11893712755890672291'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-4015507889927345285</id><published>2009-01-04T16:40:00.000-08:00</published><updated>2009-02-01T19:09:28.763-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Antivirus 2009'/><title type='text'>Antivirus 2009</title><content type='html'>Over the holidays I had the intriguing experience of watching a computer get hijacked by a nasty piece of malware: Antivirus 2009.  
According to &lt;a href="http://www.bleepingcomputer.com/malware-removal/uninstall-antivirus-2009"&gt;this&lt;/a&gt; article from &lt;a href="http://www.bleepingcomputer.com"&gt;Bleeping Computer&lt;/a&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;Antivirus 2009 is a new rogue anti-spyware program from the same family as Antivirus 2008 and Doctor Antivirus. Antivirus 2009 is installed and advertised through the use of misleading web sites that attempt to make you think your computer is infected with a variety of malware. Once installed, Antivirus 2009 will scan your computer and list a variety of fake infections that can't be removed unless you first purchase the software. These infections are fake, though, and only being shown to scare you into purchasing the software.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;What that article doesn't make clear is the fact that Antivirus 2009 (or at least the variant I was dealing with) will also cause a substantial slowdown in your computer's performance, and will cause your browser to display all manner of annoying pop-ups.  The other point about Antivirus 2009 that that article doesn't make clear is that Antivirus 2009 includes some relatively sophisticated countermeasures to prevent people from removing it from their system.  For example, the variant I was dealing with stopped my grandmother's computer (where it was installed) from accessing websites of antivirus vendors (e.g., &lt;a href="http://www.avg.com"&gt;AVG&lt;/a&gt;) and technical web sites which had instructions on how to remove it (e.g., Bleeping Computer).  Additionally, it also detected and prevented execution of removal tools that I was able to download on another system and install on the infected computer.  
I have to admit, I was impressed by the countermeasures the creators of Antivirus 2009 had included, as they made it MUCH harder to remove than the last virus I had to deal with (slammer).&lt;br /&gt;&lt;br /&gt;Anyway, as impressed as I was by the measures Antivirus 2009 took to prevent me from disabling it, the more interesting aspect of the program is that it even exists at all.  Antivirus 2009 isn't just a program that enrolls a computer in a botnet where it can be rented out for pump and dump schemes or to spew fake Viagra spam.  Instead, it appears to be connected with a business selling subscriptions which could, in theory, be shut down (or at least taken off the web).  Therefore, it should be possible to file suit against the business connected with Antivirus 2009 (i.e., the people selling the software using bogus virus notifications).  My guess is that either the people behind the software don't know that what they're doing is illegal (highly unlikely) or they think that whatever profit they can make between the time they released their software and the time a court inevitably shuts them down will be enough to compensate them for their efforts in creating their malware.  Either way, the fact that Antivirus 2009 exists raises serious questions about whether the law can function as a deterrent to even the most blatant cybercrime.&lt;br /&gt;&lt;br /&gt;PostScript:  One other point of interest on the Antivirus 2009 front: both the FTC and Microsoft have filed suit against fake antivirus companies (see &lt;a href="http://garwarner.blogspot.com/2008/12/ftc-moves-against-fake-av-scareware.html"&gt;here&lt;/a&gt;).  My suspicion is that these suits will accomplish nothing, as the companies are probably set up with pseudonyms, and the people behind them will vanish into the woodwork long before any court can find them.  
However, I would very much like to be wrong, and I would be quite happy to see the FTC and/or Microsoft being awarded (and collecting) some sizeable judgments.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Update:&lt;/span&gt;  As a potential alternative, I sent a message to Malwarebytes and asked them if they had a link that wouldn't be blocked by Antivirus 2009.  They sent me a link, and I added it in &lt;a href="http://ephemerallaw.blogspot.com/2009/01/malwarebytes-link.html"&gt;this&lt;/a&gt; post.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-4015507889927345285?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/4015507889927345285/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=4015507889927345285' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4015507889927345285'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4015507889927345285'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/01/antivirus-2009.html' title='Antivirus 2009'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11893712755890672291'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-3322345662406849333</id><published>2008-12-28T16:07:00.001-08:00</published><updated>2008-12-28T16:08:43.767-08:00</updated><title 
type='text'>Holidays</title><content type='html'>In case anyone was wondering:&lt;br /&gt;&lt;br /&gt;No, I'm not dead.&lt;br /&gt;Yes, I do intend to continue to post.&lt;br /&gt;No, I don't intend to do so before the first Monday of 2009.&lt;br /&gt;&lt;br /&gt;So happy new year to all, and I'll be back in about a week.&lt;br /&gt;&lt;br /&gt;-William Morriss&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-3322345662406849333?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/3322345662406849333/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=3322345662406849333' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/3322345662406849333'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/3322345662406849333'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/12/holidays.html' title='Holidays'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11893712755890672291'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-1510340213423090679</id><published>2008-12-14T15:38:00.000-08:00</published><updated>2008-12-14T16:12:44.522-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='sony'/><category scheme='http://www.blogger.com/atom/ns#' term='COPPA'/><category scheme='http://www.blogger.com/atom/ns#' 
term='section 5 FTC act'/><category scheme='http://www.blogger.com/atom/ns#' term='settlements'/><title type='text'>Self Inflicted Wounds</title><content type='html'>Massive data security breaches get lots of headlines, which makes sense, since big numbers (e.g., 94 million records stolen) are an easy way to capture attention.  Similarly, security breaches also come with a built in and easily understandable storyline - hackers from somewhere breached the (usually poorly implemented or obsolete) defenses of some large company, exposing large numbers of innocent consumers to an increased risk of losing money due to various forms of fraud.  However, while security breaches generate easy headlines and narratives, it's important to remember that, totally independent of hackers, companies can get in trouble for improperly collecting or exploiting user data.&lt;br /&gt;&lt;br /&gt;The newest object lesson on this point is Sony, which has agreed to pay a $1,000,000 penalty to settle charges that it violated the &lt;a href="http://www.ftc.gov/ogc/coppa1.htm"&gt;Children's Online Privacy Protection Act&lt;/a&gt; and &lt;a href="http://www.ftc.gov/ogc/FTC_Act_IncorporatingUS_SAFE_WEB_Act.pdf"&gt;section 5 of the FTC act&lt;/a&gt; (FTC press release &lt;a href="http://www.ftc.gov/opa/2008/12/sonymusic.shtm"&gt;here&lt;/a&gt;, via &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=privacy&amp;articleId=9123219&amp;taxonomyId=84&amp;intsrc=kc_top"&gt;this story&lt;/a&gt; from &lt;a href="http://www.computerworld.com"&gt;Computer World&lt;/a&gt;).  The upshot of the complaint filed by the FTC was that Sony knowingly obtained personal information from at least 30,000 children without their parents' consent (alleged COPPA violation) and falsely stated that it restricted children under the age of 13 from participating in Sony's online activities (alleged FTC act violation).  
Thus, it was Sony's websites functioning for their intended purpose, not hackers, that hurt Sony in this case.  &lt;br /&gt;&lt;br /&gt;So how can companies avoid being in the position to pay seven figure settlements?  My recommendation is to talk to a lawyer in the area who knows what he/she is doing, and to have that lawyer stay in contact with the marketing people who are responsible for the design and operation of a website.  The staying in contact part can be particularly important.  For example, as shown in the &lt;a href="http://www.ftc.gov/opa/2004/07/gateway.shtm"&gt;Gateway Learning case&lt;/a&gt;, even if a company is acting properly when an information collection program is first launched, changes made later on (e.g., starting to sell consumer data in violation of a privacy policy that said consumer data would not be sold) can expose a company to liability.  My guess is that something similar happened with Sony, where the lawyers were probably consulted early in the process, but, later on, changes were made which weren't run by the lawyers first.  
Hopefully, settlements like Sony's will provide an incentive for other companies not to follow that same path.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-1510340213423090679?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/1510340213423090679/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=1510340213423090679' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/1510340213423090679'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/1510340213423090679'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/12/self-inflicted-wounds.html' title='Self Inflicted Wounds'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11893712755890672291'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-4571642473346468672</id><published>2008-12-08T18:17:00.000-08:00</published><updated>2008-12-08T18:55:54.922-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='computer fraud and abuse act'/><title type='text'>Too Much Protection for Computer Security</title><content type='html'>Generally, I find that my posts advocate additional protections for data privacy, and argue that people don't pay enough attention to security.  
This post is the exception, where I unequivocally state that people should not be criminally liable for violating a website's terms of service, even if such a violation may technically be prohibited by the Computer Fraud and Abuse Act.  As is admirably laid out in &lt;a href="http://blog.wired.com/27bstroke6/2008/12/can-lori-drew-v.html"&gt;this&lt;/a&gt; post in the &lt;a href="http://www.wired.com"&gt;Wired&lt;/a&gt; threat level blog, the consequences of attaching criminal liability to a terms of service violation would be severe.  However, while that post argues that a criminal conviction based on a terms of service violation is likely to be overturned, I'm not so sure.  The Computer Fraud and Abuse Act can be analogized, roughly, to a criminal trespass statute.  While I doubt that Congress intended to make random terms of service violations criminal acts when it passed the CFAA, in the real world criminal trespass can be based on entry onto the land of another in violation of restrictions placed on entry by the owner (see &lt;a href="http://codes.ohio.gov/orc/2911.21"&gt;ORC 2911.21(A)(2)&lt;/a&gt;).  Thus, it wouldn't be such a stretch to imagine that the application of the CFAA to a terms of service violation will be upheld.  
True, I think it would be a bad result, but it would be a result that would not be outside the realm of the possible.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-4571642473346468672?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/4571642473346468672/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=4571642473346468672' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4571642473346468672'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4571642473346468672'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/12/too-much-protection-for-computer.html' title='Too Much Protection for Computer Security'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11893712755890672291'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-9032241256567370084</id><published>2008-11-30T15:55:00.000-08:00</published><updated>2008-11-30T16:58:44.873-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='obama'/><category scheme='http://www.blogger.com/atom/ns#' term='email'/><category scheme='http://www.blogger.com/atom/ns#' term='data security'/><title type='text'>Giving up Email</title><content type='html'>How long could you live without email?  
What would it cost in terms of lost productivity and increased difficulty and expense of communication?  &lt;br /&gt;&lt;br /&gt;I know that I could live without email.  I suspect that doing so would significantly decrease my productivity (a suspicion supported by &lt;a href="http://www.voxeu.org/index.php?q=node/216"&gt;this&lt;/a&gt; study of the impact of email on productivity in a white collar environment).  There would unquestionably be a period of adjustment when I would be most unhappy to lose what is probably my primary means of communication with friends and clients.&lt;br /&gt;&lt;br /&gt;Now, Barack Obama is facing the prospect of losing his ability to use email (see article &lt;a href="http://www.nytimes.com/2008/11/16/us/politics/16blackberry.html"&gt;here&lt;/a&gt;).  The short version of why is that there are concerns that email isn't secure enough for presidential communications, and the White House doesn't want the president to create an email paper trail which could potentially be subpoenaed.  To me, this is crazy.  Other secrecy sensitive professions, such as lawyers (who have to protect client confidences) have managed to make peace with the limitations of email and embraced it as a useful tool (see, e.g., &lt;a href="http://www.mncourts.gov/lprb/fc99/fc020899.html"&gt;this opinion&lt;/a&gt; regarding usage of cell phones and email by lawyers).  Now, it's true that the president has information (e.g., plans for the conduct of war) which is substantially more important than the confidential information lawyers have access to.  However, there's no reason for the president to be completely cut off from email.  &lt;br /&gt;&lt;br /&gt;So, given that most people are not, and will never be, president, what significance does this have for the day to day lives of ordinary individuals?  Only this: I don't think Obama will do it.  Even back in 2000, George W. Bush lamented having to give up his email.  
Since 2000, people's usage of email has increased dramatically (compare &lt;a href="http://www.networkworld.com/archive/2000/85764_01-31-2000.html?nf"&gt;this&lt;/a&gt; article from 2000 which predicted email usage of about 9 megs/day/person in 2001, with &lt;a href="https://h30046.www3.hp.com/campaigns/2005/promo-evolution/1-1LRYR/images/Preview_Radicati.pdf"&gt;this&lt;/a&gt; white paper which puts email usage at 19.3 megs/day/person in 2008) and Obama is a famously wired individual.  I predict (though I realize that there is a note of wishful thinking in this prediction) that Obama will rebel against the prohibition on email, and will use his position as the most powerful person in the world to do something about it.  Maybe he'll request that technology be put in place that will make his emails more secure, and that technology will eventually become available to the public at large.  Maybe he'll propose tougher laws or regulations on network service providers so that email becomes a more secure medium of communication.  
Whatever the case, if Obama takes action to make being a wired professional more consistent with the heightened security requirements of being president, it can't help but have positive security implications for the country as a whole.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-9032241256567370084?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/9032241256567370084/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=9032241256567370084' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/9032241256567370084'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/9032241256567370084'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/11/giving-up-email.html' title='Giving up Email'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11893712755890672291'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-3518977022349628602</id><published>2008-11-23T18:53:00.000-08:00</published><updated>2008-11-23T19:08:37.097-08:00</updated><title type='text'>New Blogs (Update)</title><content type='html'>Back in June, I put up a post about the (then new) blog &lt;a href="http://jtidtheftblog.blogspot.com/"&gt;Identity Theft and Business&lt;/a&gt;, highlighting it as a resource for news and information on identity theft.  
In the comments to that post, several bloggers put up links to their own blogs, which I wanted to repost here, since, as I said in the &lt;a href="http://ephemerallaw.blogspot.com/2008/06/new-identity-theft-blog.html"&gt;June post&lt;/a&gt;, the run-of-the-mill stories about the latest thousand, or million, or ten million records being exposed get old fast, so new sources of informed comment can be good to have.&lt;br /&gt;Anyway, without further ado, I'd like to highlight the &lt;a href="http://www.identitytheftdaily.com/"&gt;Identity Theft Daily&lt;/a&gt;, and &lt;a href="http://www.identitytheft.com/"&gt;Identity Theft.com&lt;/a&gt; (featuring &lt;a href="http://www.identitytheft.com/index.php/blog/sarah"&gt;Sarah Smith&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;Also, from the random rhetorical question file: will the fact that &lt;a href="http://www.cbc.ca/technology/story/2008/11/21/tech-obama.html"&gt;Barack Obama's cell phone records were breached&lt;/a&gt; lead to broad support for privacy protective legislation since it shows that people on all parts of the political spectrum are vulnerable, or will it simply be another quickly forgotten blip in today's 24-hour news cycle?  
My cynical guess is the latter, but I suppose one can always hope...</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/3518977022349628602/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=3518977022349628602' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/3518977022349628602'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/3518977022349628602'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/11/new-blogs-update.html' title='New Blogs (Update)'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11893712755890672291'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry></feed>