Archives: Identity Theft

Written by Jake Romero

In a move signaling increased enforcement of the state’s data privacy and security regulations, California Attorney General Kamala D. Harris has announced the creation of the Privacy Enforcement and Protection Unit. The Privacy Unit will be staffed by California Department of Justice employees, including six dedicated prosecutors, and will have broad authority to enforce federal and state laws governing the collection, retention, disclosure and destruction of private and sensitive information, including medical, financial and government records, by individuals and by public and private organizations. Effective immediately, a number of California Department of Justice programs related to identity theft enforcement and education will be absorbed into the Privacy Unit, in an effort to centralize and streamline the state’s data privacy protection efforts. For California consumers, the creation of the Privacy Unit will likely mean easier access to materials on protecting personal data. For businesses and organizations that collect, store, transmit or process personally identifiable information, the Privacy Unit is one of many signs that California intends to take enforcement of its data privacy regulations seriously.

The creation of the Privacy Unit is the latest in a series of initiatives by the California Attorney General’s office intended to address growing concerns about data privacy. In August 2011, Attorney General Harris announced the creation of the eCrime Unit, a division responsible for “investigating and prosecuting large scale identity theft and technology crimes with actual losses in excess of $50,000.” Earlier this year, the six largest companies offering platforms for mobile applications agreed to a set of principles, authored and developed by the Attorney General’s office, designed to ensure that mobile applications sold on those platforms comply with California’s Online Privacy Protection Act. Last month, that set of mobile application privacy principles was expanded significantly when Facebook elected to sign on as well.

With the Privacy Unit in place, actions enforcing California’s data privacy regulations, which are among the strictest in the nation, are certain to increase. “The Privacy Unit,” according to Attorney General Harris, “will police the privacy practices of individuals and organizations to hold accountable those who misuse technology to invade the privacy of others.” Based on prior comments from Harris, such enforcement may include prosecutions under California’s Unfair Competition Law or False Advertising Law, which carry penalties of up to $500,000. As a result, if you operate a business or organization that uses or accesses the personally identifiable information of others, time may be running out to ensure that you comply with California’s quickly evolving requirements.


Written by Amy Malone

Amy Malone is attending the Data Protection & Privacy Law Conference in Arlington, Virginia this week and will be providing updates.

Kevin Moriarty from the Division of Privacy and Identity Protection of the Federal Trade Commission addressed the privacy conference on Wednesday.  His discussion focused on the current FTC policy work, including workshops and privacy roundtables.  Kevin reviewed historical cases brought under Section 5 of the FTC Act, and ended with words of advice to prevent your organization from becoming a target of an FTC enforcement action.  He suggests you:

  1. Review the FTC website and use the Consumer Protection Resources. (Kevin said the FTC looks favorably on organizations that can show they have reviewed the site and used the resources provided.)
  2. Keep your promises; do what your privacy policy says you do.
  3. Share information only for permissible purposes.
  4. Dispose of information properly. Don’t forget about paper!
  5. Keep up with common threats such as stolen credentials, SQL injection attacks, and access to Wi-Fi networks.
  6. Develop an incident response plan before you have an incident.

Symantec has released its annual Internet Security Threat Report, and the numbers are astounding.

According to the report, malicious attacks increased by 81 percent in 2011. The report also highlights that advanced persistent threats (APTs) are spreading to organizations of all sizes: the number of targeted attacks rose from 77 per day to 82 per day by the end of 2011, and such attacks are no longer limited to large organizations. According to Symantec, more than 50 percent of them target companies with fewer than 250 employees. It is possible that smaller organizations are now being targeted because they are connected to larger companies through supply chain or other relationships, and because they are less well defended.

The 2011 Report also includes information on data breaches. According to Symantec, approximately 1.1 million identities were stolen per data breach on average in 2011, and hacking incidents exposed 187 million identities in 2011, the largest number for any type of data breach that year.

Now here comes the “kicker”: the most frequent cause of data breaches was theft or loss of unencrypted data on a computer or other device on which data is stored or transmitted, such as a smartphone, USB drive or backup device. These theft- or loss-related breaches exposed 18.5 million identities.

It’s May 2012. Do you know where your data is?

An employee, now a former employee, of the South Carolina Department of Health and Human Services found out the hard way after transferring the information of more than 228,000 Medicaid beneficiaries to his personal email account. The data included Medicare numbers (which include Social Security numbers as part of the identifier) linked to the beneficiaries’ names. The Department’s response? “[T]he employee has been fired.” Not only was Christopher Lykes, Jr. fired, he has also been charged by the South Carolina Law Enforcement Division with five counts of criminal violation of confidentiality laws.

Compliance and privacy officers should feel free to print out the article from the Charleston Post and Courier or the Greenville News as a “teachable moment” to discourage everyone’s favorite secure email workaround.


Since it’s traditionally the time for new beginnings and resolutions to clear away old habits, we’d like to pass on some tips for improving privacy and security in your operations, and in your own life, in 2012.

1.   Be sure to secure.

Many data breaches begin with sensitive information left lying around the office. Keep documents containing sensitive data and personally identifiable information locked up; a clean desk is a safe desk. Also, make this the time to secure your home network. Since much online banking and similar activity happens over a home network, why leave an open or weakly protected wireless network for a passer-by to use to compromise your information?

2.  Encrypt, Encrypt, Encrypt.

When transmitting sensitive information, make sure it is encrypted and sent over a secure connection. This is not only a privacy and information security “best practice,” it is also required by several laws and industry rules, including the Massachusetts data security regulations (for personal information sent over public networks or wirelessly) and the Payment Card Industry Data Security Standard (for cardholder data sent over open, public networks); under the HITECH Act, encryption consistent with HHS guidance is what keeps a lost or stolen copy of electronic protected health information from triggering breach notification.
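“Transmitted over a secure connection” fails in practice far more often through a client that disables certificate verification (to make a connection error go away) than through the absence of encryption. The following Python is an added example, not code from the original post; it assumes Python 3.7 or later with the standard `ssl` module, and the function names are my own. It builds the weak configuration next to the hardened one and audits both without opening a network connection.

```python
"""Audit a client-side TLS configuration (added example, not from the original post).

A client that still "uses TLS" but has switched off certificate checking will
accept a certificate from anyone on the network path, so the traffic is readable
by an interceptor.  The checks below inspect an ssl.SSLContext, so they run
offline without a server.  Function names here are the author's assumptions.
"""
import ssl
from typing import List


def weak_context() -> ssl.SSLContext:
    """The anti-pattern: verification disabled and any protocol version allowed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                   # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE              # accept any certificate at all
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # lets obsolete versions negotiate
    return ctx


def hardened_context() -> ssl.SSLContext:
    """What a client sending sensitive data should use: verified peer, modern protocol."""
    ctx = ssl.create_default_context()           # CERT_REQUIRED, hostname check, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings; an empty list means the context passed."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for any other host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: obsolete protocol versions can be negotiated")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["ok"])
```

The same three checks can be pointed at whatever context a real application hands to `urllib`, `http.client` or a database driver; the order of the two assignments in `weak_context` matters because Python refuses to set `CERT_NONE` while hostname checking is still on.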

3.  If you don’t need it, don’t take it.

Data breaches often occur when a laptop or paper files are stolen from an employee’s home or lost in transit. If you don’t need to work with sensitive data outside the office, don’t take it with you.

4.   Once you have read it, shred it.

If you no longer need files or documents containing sensitive information, destroy them using proper methods. A secure file deletion program or “e-shredder” is an effective way to destroy electronic copies on a conventional hard drive; on flash media such as SSDs and USB drives, overwriting tools cannot reach every copy the device keeps internally, so the dependable options are to have encrypted the data from the start and destroy the key, or to destroy the device. Again, this isn’t just “best practice” in many situations, it’s the law (e.g., the FTC Disposal Rule, Mass. Gen. Law 93I, the HIPAA Privacy Rule).

5.   Browse intelligently.

Make sure that your web browser’s security and privacy settings are set to an appropriate level. When traveling, or using a computer that is not your own, delete the browser history and temporary file caches when you are done so your “e-footprints” don’t expose any sensitive information.

6.    Never engage with a spammer.

While unsolicited commercial emails (“spam”) are annoying, do not reply to or otherwise contact the sender; the one exception is the “unsubscribe” link in mail from a legitimate company you actually deal with. Responding to a spammer only confirms your address as “live” and may increase the amount of spam you receive. Don’t open attachments or follow links in email from anyone you do not know, and remind employees of this at work so that a phishing scam does not become the route by which your company’s information is compromised.

7.  Make your passwords complex.

The passwords you use for your email, online banking, network access, or any other service that holds your private information, or the confidential information of your company or employer, should not be simple or easily guessed. Longer is better, and a mix of upper- and lower-case letters, numbers and symbols helps. If your company does not have a password policy, 2012 is a good time to start. And use a different password for each account: reusing one password across all your electronic activities means a breach at any one of them exposes the rest.

Here’s to a happy and SAFE 2012!


(UPDATED)

Late Tuesday, the House of Representatives passed the Red Flag Program Clarification Act of 2010 on a voice vote, clearing the way for President Obama’s signature. The Clarification Act exempts doctors, lawyers, accountants and certain other professionals from compliance with the Red Flags Rule. As you may recall, we discussed the lawsuits filed by the American Bar Association, the American Medical Association and the AICPA seeking to exclude professionals from the definition of “creditors.”


In all the flurry of privacy-related issues over the last few weeks, a deadline has been slowly creeping up. Remember the Red Flags Rule? (blog posts: June 29, 2010, May 24, 2010, December 3, 2009)

The December 31 deadline is looming for Federal Trade Commission (FTC) enforcement of the Red Flags Rule, which requires covered businesses and organizations to establish a program to detect and respond to identity theft. The program must have written policies and procedures and be approved by the Board of Directors.

The rule itself, which stems from the Fair and Accurate Credit Transactions Act, actually took effect on November 1, 2008. The FTC has delayed enforcement five times so companies could develop their compliance programs. According to the FTC, many didn’t know they were engaged in activities that would cause them to fall under the rule, or hadn’t even heard of it.

Despite the lead time, plenty of companies still aren’t prepared for enforcement, and even those that have implemented a program could be exposed. The Red Flags Rule requirements are very specific, and without proper attention covered entities may not be in compliance.

Continue Reading It’s almost 2011. Do you know where your Red Flags Rule compliance program is?

As Federal Reserve Chairman Ben Bernanke and his wife recently found out, identity theft often has nothing to do with technology.

PC Mag: Fed Chairman Hit by ID Theft