
Among all of the data protection bills circulating in Congress, the House Energy and Commerce Committee approved on July 26th legislation designed to restrict the sale of Social Security numbers. The Social Security Number Protection Act (H.R. 1078), introduced by Rep. Markey, makes it a crime for a person to sell or purchase SSNs in violation of rules that would be promulgated by the Federal Trade Commission. The FTC would be given authority to determine appropriate exemptions and to enforce civil compliance with the bill’s restrictions. Under the bill, violators would be subject to civil penalties of $11,000 per violation.

Rep. Ed Markey (D-Mass.) rationalized the proposed bill as follows:

If someone actually obtains a Social Security number on the Internet, they have a critically important piece of information that can be used to locate a person, get access to their finances, or engage in a variety of other illegal activities. By stopping unregulated commerce in Social Security numbers, this bill will help reduce the incidence of pretexting crimes, identity thefts and other frauds or crimes involving misuse of a person’s Social Security number.

The bill contains important exceptions, e.g. for law enforcement, national security, emergency situations, and voluntary, affirmative written consent, and for legitimate consumer credit verification. The bill would also preempt any state statute or regulation that expressly restricts or prohibits the sale of Social Security numbers.

The motivation behind this bill is more than clear to all of us: something needs to be done to stop the free flow of stolen or legitimately obtained SSNs. The SSN has grown beyond what it was originally intended to do, which was to uniquely identify recipients of benefits. When the SSN was first introduced, it was specifically pointed out that it would not be used to uniquely identify a person for any and all purposes and that the number was not meant to be a multipurpose personal identification number. Yet, years later, we have witnessed the "functionality creep" of the Social Security number as it is used for almost all government and some private sector purposes.

One of the problems with this pending legislation is that it somewhat resembles what CAN-SPAM did to address the problem of email spam. It allowed the FTC to pursue spammers, it preempted "stronger" state laws, and in retrospect it did little to ease the problem of spam. Hopefully, by the time this proposed legislation becomes law, it will have grown into a stronger law that squarely addresses the increasing problem of identity theft.

July 28th, 2006 by dm, filed under Identity Theft, Privacy

A 33-year-old Californian admitted illegally obtaining personal data on thousands of individuals and then using the information to obtain credit cards or otherwise commit identity theft. In a plea agreement filed on July 17, 2006 with the U.S. District Court for the Central District of California, Bryan Dill pleaded guilty to aggravated identity theft and other fraud-related crimes. Sentencing is scheduled for September 25th.

In the plea, Dill admitted he accessed the Merlin database service claiming to be a private investigator. Dill used the database to obtain personal information belonging to other people and used it to obtain credit cards in their names. Records suggest that Dill conducted at least 1,873 queries through the Merlin system to obtain information on approximately 5,875 people. [DoJ press release.]

Merlin Information Services is a database of public and credit report records which allows [mostly] anybody to open an account by filling out a form, paying a fee, and searching records that may contain SSNs, dates of birth, and other interesting pieces of information.

What is troublesome in this case is the apparent lack of control over who can access the database and the potentially unlimited reach of the information that can be obtained. It becomes a sort of Russian roulette: we know that our records are in these databases, we know that eventually they will be compromised, either technologically or socially, and then it is just a matter of luck whether our information will be extracted or not.

Federal agencies that discover a data breach involving personally identifiable information must report the breach to US-CERT (part of the Department of Homeland Security) within one hour. The directive came from the July 12 memorandum issued by the Office of Management and Budget (OMB). According to Karen Evans, administrator of OMB’s Office of E-Government and Training, agencies should report breach incidents regardless of whether the breach is confirmed or merely suspected, and regardless of whether the information was held in electronic or in "physical" form.

The memorandum defines "personally identifiable information" as:

any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual.

Although this is an encouraging requirement in the direction of government transparency, especially in light of some recent government data breaches, the one-hour requirement may be a little too rigid. If agencies are to conform to it, they would have little time to actually figure out what happened and make a meaningful report to US-CERT. By rushing the reporting, US-CERT may be so swamped with premature and inaccurate data that it cannot distinguish real threats and breaches from mere mistakes.

As usually happens with a hot and popular issue, there are many congressmen who want to be the ones to take credit for the legislation that protects the public from evil, and thus gain political capital. In theory this is good, as long as Congress is able to sort through the pending bills, combine and resolve conflicting provisions, and get the law enacted quickly. This seems not to be the case with the data breach legislation pending in Congress.

A new bill was introduced on June 26 by Sens. Bennett (R-Utah) and Carper (D-Del.) designed to create a uniform national standard to safeguard sensitive information and provide consumer notification of data security breaches. The Data Security Act of 2006 (S. 3568) is expected to be taken up by the Senate Banking Committee, which shares jurisdiction over data security with two other Senate committees. Under the proposed bill, companies would be required to notify their customers about data breaches posing a risk of "substantial harm or inconvenience," including identity theft or account fraud situations where consumers might experience financial loss or be forced to expend time and effort to correct false information. The breadth of the definition of harm that would trigger notification is interesting: presumably any data breach would force a consumer either to expend time and effort to correct false information or to face the threat of financial loss.

Although financial institutions have similar requirements under the current Gramm-Leach-Bliley Act of 1999, the new bill would apply to a broader range of entities if they handle sensitive information.

"Though current law requires financial institutions to protect the security and confidentiality of customer information, we have to expand this reach," said Bennett, who chairs the Senate Banking Subcommittee on Financial Institutions. "Many of the recent breaches in data security have occurred outside financial institutions’ networks."

Under the Bennett-Carper bill, "substantial harm or inconvenience" would not include changing an account number or closing an account, sponsors said. Also, the measure would exempt from notification information that could not be used to commit identity theft or account fraud, including information that is encrypted or redacted. A safe harbor is also provided to financial institutions deemed in compliance with GLB requirements. To address the uniformity issue, a preemption provision is included that would preempt all state laws relating to security and breach notification, including the California data breach disclosure notification law we discussed some time ago.

However, not everything is so neat and clear in Congress these days. The Senate Judiciary Committee passed two different data breach bills in 2005. Sens. Specter (R-Pa) and Leahy (D-Vt) introduced the Personal Data Privacy and Security Act of 2005 (S. 1789), which would require notification broadly to "any resident in the United States whose sensitive personally identifiable information has been, or is reasonably believed to have been accessed or acquired" as a result of a data security breach. Exemption from this broad reporting requirement can be obtained only by a filing with the U.S. Secret Service indicating that the breach poses "no significant risk of harm" to consumers.

A separate bill, introduced by Sen. Sessions (R-Ala.) and called the Notification of Risk to Personal Data Act (S. 1326), would require that consumers be notified when there is a "significant risk of identity theft."

In addition to the Senate bills, there are numerous data breach-related bills in the House as well. While it is nice to see that legislators are picking up on the urgent need for data breach legislation, it is not certain how quickly the politicians on the Hill will be able to reach an agreement on the terms and enact a good data breach law.

A comment on Slashdot made me think: in the same way that FEMA became the subject of late-night show jokes and ultimate mistrust after Katrina, would the Social Security Administration lose control of what it intended to be just a benefits number if something big were to happen to a large number of SSNs?

One of these days some government employee is going to run an errand with a laptop in his car and a lucky car thief will drive off with every single name and Social Security number in the country. You could fit them all on a USB thumb drive. And they could be all over the Internet within hours. It would be game over for Social Security numbers and the rickety infrastructure that has been built on top of them. It’s only a matter of time before this happens. It might not be in a single theft as I described, but smaller thefts will eventually add up to the point where everyone’s SSN has been compromised, and someone is going to compile them and make them widely available.

MillionthMonkey, Slashdot.org, June 20, 2006.

April 25th, 2006 by dm, filed under Identity Theft, Law & Policy

The University of Texas at Austin’s McCombs School of Business has confirmed that almost 200,000 electronic records have been accessed illegally. The university confirmed that it learned late last week that Social Security numbers and biographical information of students, alumni, faculty and staff might have been compromised. This is the University of Texas’ second major breach in three years.

In light of the almost daily announcements of thousands of records being stolen from various institutions, do we really need a federal data breach notification law, similar to what Congress has been working on over the past months? Let’s assume that Congress passes such a law and that all data breaches must be reported. What would happen then? Big breaches will be widely publicized, but over time people will become immune to the news of hundreds of thousands of personal records being stolen.

So what is the solution? Over the past few years, free-market advocates argued that bad publicity (or the potential for bad publicity should a breach occur) would make institutions secure their systems. Obviously this hasn’t happened. Should Congress try to mandate some sort of minimum data protection requirements, instead of data breach reporting requirements? Congress has created similar legislation (HIPAA, for example) where the main goal is protecting privacy, yet this legislation has made the medical institutions subject to it increase their system security. Why not impose similar requirements on all major data processors?

Florida Attorney General Charlie Crist last week issued subpoenas targeting five different Caller ID spoofing sites. Four of the subpoenas are directed at domain name registrars in an effort to unmask the identities of the site operators, while the fifth is directed at one such site operator, Tricktel.com, with a demand to reveal business records and the identities of any Florida customers.

"People use Caller ID to protect themselves from unwanted calls and contact from those who would do them harm," Crist said in a press release. "It is wrong for individuals or businesses to deceive our citizens, and this cannot be allowed to continue unchecked."

In the interest of disclosure, Florida AG Crist is also the Republican candidate for governor of Florida.

Federal Investigation

Florida’s probe comes after a broader federal investigation was launched by the FCC a month earlier. The FCC issued letters to at least three Caller ID spoofing sites demanding detailed information on the structure of their business and the names of every customer that has used the services, the dates, and the number of phone calls made. Wired News has reported that at least one of those services, Telespoof.com, has complied and turned over its customer records to the FCC after the FCC had issued a formal subpoena.

Privacy and Legal Implications

The debate on the legality of these sites is raging. Lawyers for the Caller ID spoofing services claim that they are primarily used for lawful aims: "We’re talking about private investigators, skip tracers, law enforcement agencies, attorneys, others who are legitimately trying to locate people to enforce their rights or in many cases the rights of the public. There are lots of legitimate uses of this." Also, Chris Hoofnagle, an attorney with the Electronic Privacy Information Center, says he thinks Caller ID spoofing has legitimate uses, and would rather see fraudsters prosecuted for their crimes than have spoofing sites categorized as burglar tools. Mr. Hoofnagle argues that the right thing to do is to prosecute the underlying fraud, and not the tools that have legitimate uses (e.g. calling a police tip line, or a newspaper story).

On the other hand, it has been reported that criminals have used the sites while making pretext phone calls to extract private information, such as bank account numbers and SSNs, from consumers and companies. Experts say the services have also been used to target businesses that rely on Caller ID for authentication — Western Union’s money-transfer service has been particularly vulnerable, as are T-Mobile voicemail boxes in their default configuration.

March 23rd, 2006 by dm, filed under Identity Theft

The newsworthiness of such stories declines by the day. The laptop-filled-with-personal-data theft du jour is from Fidelity Investments. In a report confirmed by Fidelity, a laptop containing personal information (names, SSNs, birthdates, addresses) of approximately 200,000 Hewlett-Packard employees was stolen last week. A statement by Fidelity specifically indicates that the data had been held in an application whose license was to expire one day after the theft. Thus, "the scrambled data would be difficult to interpret and generally unusable."

This is an interesting comment by Fidelity. Even if the data is really unusable after the software license expires (which Fidelity doesn’t actually seem to suggest), they seem to put great emphasis on the fact that the thief had only one day to open the software and extract the data. That is plenty of time if there are no security restrictions such as passwords to crack or encryption to break (and Fidelity does not indicate that any were present).

Another laptop theft. Another identity theft risk. This time it is Verizon.

A theft of two laptop computers has put a "significant number" of Verizon Communications’ employees at risk of having their identities stolen, the company said Wednesday.

According to the report, two laptops were stolen from a Verizon facility and may contain personal information, such as Social Security Numbers. Verizon has assured its employees in a March 1st letter that this incident appears to be a random criminal act and that the laptops were password protected.

It is interesting that Verizon has underscored that the laptops were password protected. Are they trying to imply that because there is a password on the laptop, any data stored inside is protected? Many of our readers know that a Windows login password is hardly any deterrent against obtaining access to the information on a laptop. Is relatively weak login password protection on a laptop sufficient to protect the data inside?

[Via Wall Street Journal (paid subscription required)]

March 1st, 2006 by dm, filed under Identity Theft, Phishing

Personal Information Theft Case Du Jour: McAfee employees are now vulnerable to ID theft after McAfee’s auditor, Deloitte & Touche USA, lost a disk with McAfee employee information.

The disc contained personal details on all current U.S. and Canadian McAfee workers hired prior to April 2005 and on about 6,000 former employees in the same region, (McAfee spokeswoman Siobhan) MacDermott said. (The security company currently has approximately 3,290 employees worldwide.) The information wasn’t encrypted and potentially includes names, Social Security numbers and stock holdings in McAfee.

Deloitte & Touche confirmed the incident. “A Deloitte & Touche employee left an unlabelled backup CD in an airline seat pocket,” a representative for the professional services firm said. “We are not aware of any unauthorized access to this data in the two months since the CD was lost.”

Source: ZDNet

How ironic. Of course, this is not McAfee’s fault (or at least the article and the facts on their face do not suggest so), but the story shows how even the most protected or vigilant organizations are not immune to theft of important personal data.
