Senate will vote on tougher Data Breach laws

Will they or won’t they vote on tougher requirements when breaches occur?   It’s long overdue.

From Wired.

National Data Breach Laws Move Through Senate

A national data breach law got closer to passage this week.

The Senate Judiciary Committee approved two bills Thursday that address data security and breach notification, according to Government Information Security. The legislation was drafted in response to the plague of data thefts that have occurred over the last few years.

The Personal Data Privacy and Security Act would set standards for protecting sensitive personally identifying information and impose civil penalties for those caught violating them.

It would make it illegal for a company to conceal a breach if it resulted in unauthorized access to sensitive personal information. Entities that experience the breach of such data would have to notify the affected victims and consumer reporting agencies if the breach involves more than 5,000 individuals. They would have to notify the U.S. Secret Service if the intrusion involves more than 10,000 individuals.

The bill would also make theft of personal information subject to federal racketeering charges.

The second bill, the Data Breach Notification Act, would require entities engaged in interstate commerce to notify victims whose personal information is compromised in a breach — unless disclosure would harm national security or in some way hinder a law-enforcement investigation. Breached entities would have to notify the Secret Service if more than 10,000 individuals are affected by the breach, or if the breached database contains information on more than 1 million people, is a federal government database or involves national security.

Forty-four states currently have breach-notification laws that require entities to notify residents of those states if any are affected by breaches of personally identifiable information. The laws, however, vary by state. Some require the breached entity to also inform a state agency, such as the attorney general’s office, if a breach occurs, which makes it easier to track breaches.

The federal bills have languished on Capitol Hill for four years. The bills now face a vote in the full Senate.

Predictive Intelligence vs. Intelligent Preparation

Right now, California is in the middle of a simulated massive earthquake called “The Great California Shakeout.” The annual drill, conducted last year as well, is intended to help individuals, families, schools, emergency management, etc. prepare for what scientists say is inevitable—a massive California earthquake.

For years, scientists have attempted to predict when and where the next earthquake would strike but have had little success. Before I moved to California I thought I would take a look at the existing fault lines and choose to live anywhere but on a fault line. After looking at how many fault lines there were, I realized it’s impossible to avoid them. And what about the fault lines that scientists don’t know about yet? The 1994 magnitude 6.7 Northridge earthquake apparently hit on a previously unknown fault line. Surprise!

Even if scientists were lucky enough to predict “when,” if they were off their predicted location by just one mile and a massive quake hit just offshore in the ocean, we’d be under an instant tsunami threat and the ability to swim would take priority over falling debris. I wouldn’t know if I should duck and cover or if I should put on flippers, mask and snorkel.

I have no idea when and where the “big one” is going to strike and neither do scientists.  We all have limited resources and limited time. I do monitor real-time earthquake activity in the region so I know what “happened” in near-real time.  Here’s a picture of the current earthquake activity from the US Geological Survey. You can sign up for a free message service to receive alerts based on location and magnitude of your choosing.


I’m glad  “The Great California Shakeout” takes place every year.  It’s a good reminder and motivator to make intelligent preparations for possible catastrophic events.

Making intelligent preparations involves running through a variety of scenarios related to the event and ensuring you have a plan for each one. Things like communications, food, water, medicine, etc. should be prepared in advance. For example, my family already knows that the odds of cell phones working are practically zero in the aftermath of a major earthquake. So they know upfront not to panic when their principal means of communication is dead.

We have limited resources and limited time. There is a lot of work involved in being prepared for an emergency, and since you would have to do it even if you knew where and when the “big one” was going to strike, you might as well spend your time and energy getting better prepared, or helping others get prepared, than spend your time trying to predict the future.

What are people thinking about?

Good guess, but the answer isn’t sex.

Gallup Poll did some research in 2007 to figure out what people around the world were thinking about. What was the number one thing they were seeking? All cultures, all countries, all languages, all religions were included in the study.

The surprising answer? Jobs!  I’m sure it is still applicable in 2009, maybe even more so.

What the whole world wants is a good job.  That is one of the single biggest discoveries Gallup has ever made. [1]

So where are the jobs? In their report, “Global Migration Patterns and Job Creation,” Gallup says nearly $10 trillion in unexpected US revenue growth over the last 25 years can be attributed to only 1,000 people. Those people are star innovators and entrepreneurs, and each one creates thousands of additional jobs. Gallup also notes that more than half of the 1,000 were Americans who had migrated from other countries. [1] Not only did they create jobs, but the money earned from the jobs was spent on cars, houses, shoes, etc.

So how do you jumpstart your own job search, your business, your town, your city, or your state?  The object of the global game is who can attract the most innovators, entrepreneurs, superstars, and supermentors.  The environment has to be attractive for what Gallup calls “brain gain.” Ideas matter.  Ideas create value.

Gallup says we underestimate ideas. “Value is now created from piles of ideas and determination, not piles of materials and natural resources. The economists underestimated the massive force of innovation and entrepreneurship that led to a technology revolution.”[1]

“A country grows one city at a time. A city grows one organization at a time. An organization grows one star at a time. And all organizations are economic engines for all cities.”[1]

If innovators and entrepreneurs really are the drivers in the economy, which US States have the best chance to grow and which ones don’t?  Florida and Texas are in.  Maryland, California, and New York are out.  Look at the tax and incentive differentials.

NY’s expected tax revenues are down $1B. Why? NY State officials say they don’t know how much of the missing revenue is because wealthy New Yorkers simply left.[2] “People aren’t wedded to a geographic place as they once were. It’s a different world,” said New York Lt. Gov. Richard Ravitch. He said last year’s surcharge on income taxes, set to last three years, won’t likely meet expectations.[2] But where did the New Yorkers go? Florida—the land of no income tax. Where are the Californians going? Many are headed to Texas. Lower tax rates.

What does the global landscape look like compared to the US?  What about those 500 or more brains that came to the US from other countries? Would they still come today or are there more attractive options available elsewhere? Switzerland is worth watching after being named most competitive in the world. [3] Where are the top brains hanging out these days?

Should you follow the money? No.  Follow the brains.

  1. Gallup, “Global Migration Patterns and Job Creation” (GallupWorldPollWhitePaperGlobalMigration.pdf).
  2. “Risky business: States tax the rich at their peril – Yahoo! News.” http://news.yahoo.com/s/ap/20090927/ap_on_re_us/us_taxing_the_rich
  3. “Switzerland Named Most Competitive Economy, Topping U.S. – WSJ.com.” http://online.wsj.com/article/SB125242350935892695.html


Can hackers access your pacemaker?

With a little creativity it is possible to hack a heart monitor and induce a heart attack in the unsuspecting victim. A UMass professor created such a device as a test…and it worked.

Time for pacemaker manufacturers to consider a security framework around their devices and the interfaces.

Can hackers control wireless implantable devices?

Tuesday – August 18th, 2009 – 10:07am EST by Brian Dolan

While investigating potential security holes in wireless pacemakers, Kevin Fu, software engineer and assistant professor of computer science at University of Massachusetts-Amherst, has created a prototype “heart-attack machine,” according to an MIT Technology Review report.

Fu spent nine months deconstructing the “matchbook-sized microchip and antenna coil” that connects the latest generation ICDs to the Internet to uncover its security risk potential. Fu correctly believed that hackers would be able to listen in on the wireless communication between an ICD and its programming computer and then use that signal to control the device and inflict harm on the patient.

Fu created a device, which could be “easily miniaturized” to the size of an iPhone, that can communicate with a patient’s ICD, according to the report.

“Fu’s software radio was capable of completely reprogramming a patient’s ICD while it was in his or her body,” MIT Review writes. “The researchers were able to instruct the device not to respond to a cardiac event, such as an abnormal heart rhythm or a heart attack. They also found a way to instruct the defibrillator to initiate its test sequence–effectively delivering 700 volts to the heart–whenever they wanted.”

The research described in the MIT Review article is a must-read for any company working in the wireless implantable devices market. Read the article over at MIT Review here.

Amazon’s Orwellian Visit

Amazon has been trying hard to change the way people read books with the release of its electronic book reader, the Kindle. Trying to convince people to switch from that cozy paperback just got a lot harder after Amazon’s Orwellian home invasion. Amazon “recalled” Orwell’s novel “1984” and deleted the contents from owners’ Kindle devices in the middle of the night. There were no reported signs of forced entry. The Kindle apparently has a wireless synchronization feature that “phones home” to Amazon. Amazon used this feature to delete the novel from Kindle devices because allegedly the distributor of the novel didn’t own the rights to it. Creepy.


From the NY Times.

Pirate Hunting Cruises have begun

Well, I was half-joking this past December in my posting “Cruising for Pirates” when I suggested Blackwater should offer pirate hunting cruises. Well, some firm is up and running now, and what better way to pass the summertime heat than by spending a week out on the open waters with your family.

Only in Russia…

via NewMajority.com

The Newest Sport: Pirate Hunting

Luxury ocean liners in Russia are offering pirate hunting cruises aboard armed private yachts off the Somali coast.

Wealthy sportsmen pay upwards of $5,000 per day to patrol the most dangerous waters in the world hoping to be attacked by raiders.

The story as it’s written suggests the clients are already engaging Somali pirates with grenade launchers, machine guns and rocket launchers.

An AK-47 assault rifle goes for $8.50 a day, 100 rounds of ammo is $11.50, and they are also protected by a squad of ex-special forces troops.

The yachts travel from Djibouti in Somalia to Mombasa in Kenya, cruising deliberately close to the coast at a speed of just five nautical miles in an attempt to attract the interest of pirates.

Hard to imagine who is worse; the pirates, who are just trying to earn a decent living through the time-honored trade of kidnapping, or these so-called sportsmen who are essentially fronting up cash to hunt humans…

Sears used Spyware on their customers

Via SANS Institute:

Sears Settles FTC Complaint Regarding Customer Internet Data Collection (June 4, 2009)

Sears has settled charges brought by the US Federal Trade Commission (FTC) regarding the company’s failure to accurately describe the amount of information gathered by tracking software. Sears offered the customers US $10 to participate in “My SHC Community;” those who agreed were asked to download software that they were told would gather information about their “online browsing.” The FTC charges allege that the software also monitored secure sessions, such as online banking, e-shopping cart contents, drug prescription information and information about web-based email the users sent. Under the terms of the settlement, Sears would cease collecting data with the software and would destroy all the data it has already collected. The settlement also calls for Sears to “clearly and prominently disclose the types of data (their software) will monitor, record, or transmit.”
-http://www.ftc.gov/opa/2009/06/sears.shtm
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9133965

How to track Website privacy changes

Websites frequently change their terms of service. How can you keep track of these changes?

TOS (terms of service) Tracker now does that for you. Link here


Hat Tip: Thoughts of a Technocrat

Judge rules Fraud Alert Service Illegal

A federal judge ruled in favor of credit bureau Experian, holding that individuals may not contract with third-party companies to manage the fraud alert process at the credit bureaus on their behalf. The consumer is supposed to request that a fraud check flag be placed on their credit report every 90 days if they feel identity theft is a threat. The judge ruled that “companies” aren’t allowed to do this for them.

If the individual has contracted with a third-party agent, or even a “company,” to do this, then I see absolutely no privacy issues with this arrangement.

Experian complained that they were being burdened by the number of requests. Besides LifeLock, there are other competitors that perform this service for customers. One such company is called ProtectMyId.com and claims to be “your single source for identity theft protection.” Oh, but who owns ProtectMyID.com? Experian does. You can find it here: http://www.protectmyid.com/ – “an Experian Company.” And the State of California is looking for a third-party company to provide ID theft protection services to its 1M plus retirees. I wonder what effect this ruling will have on that arrangement.

—————————————

Judge Rules LifeLock’s Fraud Alert Service Illegal


In a decision that has privacy advocates and others scratching their heads, a federal judge has ruled that LifeLock has been breaking California law for years by placing fraud alerts on its customers’ credit profiles.

The decision is a blow to the burgeoning identity-theft protection industry, and means that companies that experience data breaches may no longer be able to offer victims free subscriptions to such services — a standard damage-control tactic in recent years. Consumers can still place fraud alerts by contacting one of the three U.S. credit reporting agencies directly.

Bo Holland, founder and CEO of Debix, a competitor of LifeLock, called the ruling “dramatic and unexpected.”

“It causes a real shift in the industry,” he told Threat Level.

The pre-trial partial summary judgment comes in a lawsuit filed last year against LifeLock by Experian, one of the nation’s three credit reporting bureaus. Experian claimed LifeLock is trying to “game the system” of fraud alerts to make a profit.

LifeLock, a controversial company that gained notoriety for publishing its CEO’s Social Security number in advertisements, charges $120 a year to consumers to place fraud alerts on their credit profiles, among other services. The company also offers a $1 million guarantee to reimburse the expenses of any customer who suffers losses from identity theft while subscribed to LifeLock.

Under the 2003 Fair and Accurate Credit Transactions Act, or FACTA, fraud alerts are available for free to any consumer who believes he may have been a victim of identity theft, or is at imminent risk of it. With a fraud alert on a consumer’s credit profile, banks and other businesses are required to make a reasonable effort to check with a consumer before opening a new line of credit in his or her name.

The consumer normally has to contact a credit reporting bureau directly to place the alert, and then repeat the process every 90 days for as long as the risk remains — a minor hassle that LifeLock and other companies have been happy to help consumers avoid, for a fee. On its face, the business model appeared consistent with FACTA, which allows fraud alerts to be placed by third parties acting on behalf of the consumer.

But in its lawsuit, Experian complained that LifeLock (.pdf) “surreptitiously placed hundreds of thousands” of alerts on Experian files “by posing as the consumer,” even when there was no suspicion of identity theft. LifeLock then renewed the alerts every 90 days.

Claiming it was losing “millions of dollars every year” processing such requests, Experian asked a judge to rule that LifeLock was engaging in unlawful and unfair business practices under California’s Unfair Competition Law.

U. S. District Judge Andrew Guilford granted the motion (.pdf) last week, finding that federal lawmakers, in writing FACTA, did not intend for consumers to be able to contract with a business to place fraud alerts.

To reach his conclusion, Guilford examined the legislative history of the law and determined that Congress intended only that a family member, guardian or attorney should make the request on behalf of a potential fraud victim, not “companies and entities such as credit repair clinics.”

The judge’s ruling opens the door for Experian to seek damages from LifeLock, and for the judge to issue an injunction barring the company from placing fraud alerts with any credit reporting agency.

LifeLock did not respond to a call for comment. Experian, in a statement sent to Threat Level, called the ruling “not just positive for Experian, but for consumers.”

Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, found the ruling odd, but says consumers haven’t lost anything.

“They still retain the right to make an independent judgment as to whether or not it is appropriate to place a fraud alert on their credit reports,” he says.

But Chris Hoofnagle, director of information privacy programs for the Berkeley Center for Law and Technology, says the ruling is a disappointment.

“The idea that we could some day see a market where we pay $10 a month to a company to opt us out of junk mail, to monitor our credit, to do all sorts of privacy-enhancing steps that we don’t have time to take … for that market to emerge, LifeLock’s business model and similar ones have to be legal,” Hoofnagle says.

LifeLock isn’t the only company impacted by the ruling. Debix, which offers fraud alert services at an annual subscription of $24, says it will have to cancel its fraud alert placement service.

But Debix sees hope in a relationship it has established with Experian competitor TransUnion. Beginning in September, Debix plans to sell a version of TransUnion’s credit monitoring service, which provides customers with alerts whenever someone inquires about a customer’s credit history, attempts to open a new credit account in the customer’s name or makes a change to the customer’s address.

Under that service, TransUnion monitors inquiries and changes made to credit accounts in its own database, as well as the databases of Experian and Equifax. It will feed an alert to Debix whenever there is activity on one of its customer’s accounts, and Debix will notify the customer. The company will pay TransUnion a fee for every customer it signs up for monitoring.

Holland says Debix currently has about 400,000 customers signed up for its now-outlawed fraud-alert service, which will end in 90 days. After that, Debix will provide those customers with free credit monitoring for the duration of their subscriptions.

Swine Flu-H1N1 Update


Sorry, but I will continue to call H1N1 “Swine Flu” because it sounds better than H1N1, even if it’s offensive to pigs.

Because I was interested in the forecast vs. actual differentials, and the potential of modeling human movement based on currency flows, I contacted Asst. Professor Brockmann at Northwestern and asked for his opinion on the model. I had wondered about the validity of wheresgeorge.com, but he did not see any issues with using wheresgeorge.com in the model. He was kind enough to explain that the original model did not have enough cases, but as more are input, new projections are being made. So the forecast is being adjusted as data is added.

The updated forecast is between 6,600 and 7,900 cases. As of now, CDC is reporting 4,714 cases.

You can follow the updates at Professor Brockmann’s web site here.
