Monthly Archives: December, 2009

Happy Holidays, New Year, etc

What do the coffee shop, the mall, the discount super center, the grocery store, the post office, the laundromat, and your favorite local restaurant have in common?

Aside from a fundamental desire to part you from your money, they are also common stopping points on the way home from work, or while out shopping. This week and next, think about your data while you get that double mocha latte, or run in for a last-minute holiday gift. Leave the laptop someplace safe (not on the back seat of your car), unless you want to ring in the new year with your company in the headlines. Better yet, don’t store anything sensitive on it to begin with. A New Year’s resolution in the making, perhaps?

Several data loss incidents occurred over the holidays this year and last, and there are reports that Santa’s naughty/nice list may have been compromised. This suggests that the holidays are indeed a chaotic time, and that chaos can (understandably) desensitize you to the value of the data you may be carrying, or leaving behind. Unfortunately, there are no “I forgot cousin Eddy was coming and needed that last-minute gift…” exemptions in the various data breach laws. These holiday incidents also show us that thieves enjoy our “vacation”, and celebrate the holidays by breaking into our offices! So keep that in mind as well when you leave work this week.

And last, if you’ve already filled the stockings, and bought everything you need for the holidays, and happen to have a few dollars left over, consider a donation to OSF to keep these projects running.


Happy Holidays and Such,
The DataLossDB Team

Posted by d2d

When Reporters Go Looking For Data Breaches…

They often find them, and usually get a complimentary legal threat or outright lawsuit to go with it.

Recently, a Minnesota Public Radio reporter went digging, and indeed found records exposed. The records in question were I-9 processing forms held by Texas-based Lookout Services. The undisputed truth seems to end about there. The reporter wrote about the incident, and the attention the incident stirred caused the entire state of Minnesota to stop using Lookout Services for I-9 verification. Lookout Services responded with a lawsuit, essentially claiming that MPR illegally accessed the data.

Now, MPR claims it didn’t need to authenticate in order to access the data. Lookout Services supposedly disagrees, according to a great article by minnpost.com reporter David Brauer, which gives excellent background on the issue. My interpretation is this: an authenticated connection was used to find a URL that granted access to data without authentication. Most modern web applications check whether a valid login session exists on every request to the site. It is possible to ‘omit’ or ‘forget’ that check on certain requests, in which case the application simply hands the content over to anyone who asks for that URL. If I had to bet, I’d bet that the reporter found such an omission, then ran with it.
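To make the omission described above concrete, here is an added example (it is not code from the original post, and it has nothing to do with Lookout Services’ actual software). It models a toy web application in plain Python: in the vulnerable version each handler is responsible for its own session check, and one record-viewing handler simply forgets it; in the hardened version the dispatcher enforces the check once for every route, with an explicit allowlist of public handlers, so a forgotten decorator cannot expose data. The route table, record store and request objects are all constructed for illustration, and the final function is the kind of unauthenticated-reachability check a defender would run in tests, which is also what a reporter poking at URLs effectively does by hand.

```python
"""Missing per-request session check: the vulnerable pattern beside a deny-by-default fix.

Everything here is a constructed, self-contained model (no web framework), not
code from any real product.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Request:
    path: str
    session_user: Optional[str] = None   # None means no authenticated session

@dataclass
class Response:
    status: int
    body: str

# Constructed sample data standing in for sensitive records.
RECORDS = {"1001": "record for employee A", "1002": "record for employee B"}

def route(routes: Dict[str, Callable], path: str) -> Tuple[Optional[Callable], List[str]]:
    """Match a path against patterns; a '{name}' segment captures one path element."""
    parts = path.strip("/").split("/")
    for pattern, handler in routes.items():
        pparts = pattern.strip("/").split("/")
        if len(pparts) != len(parts):
            continue
        if all(p.startswith("{") or p == a for p, a in zip(pparts, parts)):
            return handler, [a for p, a in zip(pparts, parts) if p.startswith("{")]
    return None, []

# ---- handlers (no auth logic of their own) ----
def login_page(req: Request) -> Response:
    return Response(200, "login form")

def list_records(req: Request) -> Response:
    return Response(200, ", ".join(sorted(RECORDS)))

def view_record(req: Request, record_id: str) -> Response:
    body = RECORDS.get(record_id)
    return Response(200, body) if body else Response(404, "no such record")

# ---- vulnerable pattern: every handler must remember to opt in to the check ----
def login_required(handler: Callable) -> Callable:
    def wrapped(req: Request, *args):
        if req.session_user is None:
            return Response(401, "login required")
        return handler(req, *args)
    return wrapped

VULNERABLE_ROUTES = {
    "/login": login_page,
    "/records": login_required(list_records),
    "/records/{id}": view_record,          # decorator forgotten: serves data to anyone
}

def vulnerable_app(req: Request) -> Response:
    handler, args = route(VULNERABLE_ROUTES, req.path)
    if handler is None:
        return Response(404, "not found")
    return handler(req, *args)             # auth is whatever the handler remembered to do

# ---- hardened pattern: deny by default, public handlers allowlisted explicitly ----
HARDENED_ROUTES = {
    "/login": login_page,
    "/records": list_records,
    "/records/{id}": view_record,
}
PUBLIC_HANDLERS = {login_page}             # the only things served without a session

def hardened_app(req: Request) -> Response:
    handler, args = route(HARDENED_ROUTES, req.path)
    if handler is None:
        return Response(404, "not found")
    # The check is keyed on the matched handler, not the raw path, so it cannot be
    # dodged by a differently spelled URL that routes to the same handler.
    if handler not in PUBLIC_HANDLERS and req.session_user is None:
        return Response(401, "login required")
    return handler(req, *args)

def unauthenticated_reachable(app: Callable, paths: List[str], public: List[str]) -> List[str]:
    """Paths that return 200 with no session and are not meant to be public."""
    return [p for p in paths if p not in public and app(Request(p)).status == 200]

if __name__ == "__main__":
    probe = ["/login", "/records", "/records/1001", "/records/1002"]
    print("vulnerable leaks:", unauthenticated_reachable(vulnerable_app, probe, ["/login"]))
    print("hardened leaks:  ", unauthenticated_reachable(hardened_app, probe, ["/login"]))
```

The point of the hardened dispatcher is that the failure mode changes: forgetting to register a handler as public yields a 401 that a developer notices immediately, whereas forgetting an opt-in decorator yields a silent data exposure that only an outsider notices. The reachability check belongs in the application’s own test suite, run against every registered route rather than a hand-picked list.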

Was it illegal to do so, if that indeed is what happened? Maybe! Which is why reporters should really tread carefully when trying to ‘create news’.

This isn’t a recent phenomenon either.

In October of 2008, a WHRW campus news reporter, while reportedly walking through campus, stumbled upon an unlocked room with the door taped open. The room reportedly contained thousands of student records. The reporter announced the “breach” on the radio and blogged about it. The University then began a criminal investigation, which involved the district attorney, per this reporting:

The room was apparently several feet off the ground on a maintenance catwalk, and the reporter didn’t simply ‘stumble upon’ it. Was it a ‘good thing’ that this data storage issue was brought to light? Maybe, but was it done properly? We didn’t even add this incident to the database, although the option to do so isn’t exactly off the table.

Sometimes these things go without bickering between the reporter and the breached entity, but usually only when the breach was wide open and it is clear that the reporter did indeed just happen to stumble upon it.

Searching for data breaches isn’t something we at OSF have ever really condoned. It certainly falls in a grey area. Even using search engines to find the data, that is, using public resources to find publicly accessible data, is somewhat questionable, as the act itself mirrors what an ID thief would do.

Federal Data Breach Bill (H.R. 2221) Passes House

Yesterday, for the first time ever, a data breach notification bill actually came to a vote in the United States Congress. The House of Representatives passed H.R. 2221, the Data Accountability and Trust Act, by voice vote. This bill and others like it have been introduced many times over the past several sessions of Congress, but unlike those similar bills and this bill’s predecessors, H.R. 2221 not only came out of committee, but was voted on and passed.

This bill is similar in nature to multiple state breach notification laws that have already been passed. Here are some highlights:

H.R. 2221 defines personal information as, “an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:

  • (i) Social Security number
  • (ii) Driver’s license number or other State identification number
  • (iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.”

Some more details include:

  • The Federal Trade Commission would be the responsible agency.
  • The FTC would ultimately define the proper technical procedures for protecting data.
  • Organizations that have data need to establish a data security policy.
  • Organizations must identify an information security officer.
  • Organizations must have a process for identifying vulnerabilities, and monitoring for breaches.
  • Organizations need a process for securely destroying data that is no longer required.
  • Breaches need to be reported to the consumers affected, and the FTC, unless:
    • “there is no reasonable risk of identity theft, fraud, or other unlawful conduct.”, which will be defined by the FTC should the bill pass.
    • The organization experiencing the breach does not fall under the jurisdiction of the FTC.

The jurisdiction point is significant. The FTC does not have the power to enforce regulations on government, banks, savings and loan institutions, the insurance industry, or non-profits, which include colleges and universities, so a large share of the organizations that appear in our database would fall outside the bill.

The bill has some more stringent requirements for “data brokers”, including audits in the event of a breach. It also requires two years of quarterly credit reports provided to victims at no charge. Third parties that hold data on behalf of another organization are required to notify that organization in the event of a breach, and the actual owner of the data is then required to notify consumers. There is an encryption exemption (in addition to whatever exemptions the FTC will define) should the bill become law. The FTC would also be tasked with posting breaches on its website if the commission deems it in the public interest, on a case-by-case basis.

There are several other interesting subtleties in this bill, and we encourage anyone interested to read the bill themselves. The bill has some gaping holes, such as the limits of FTC jurisdiction, and may preempt stronger state laws. On the flip side, it would certainly add some degree of consistency for organizations experiencing breaches, and would simplify compliance as a result. It would also provide notification for consumers in states without breach notification laws. For these reasons and many more, it behooves everyone to familiarize themselves with this particular proposed legislation.

Updated (12-10-2009): See Incidents that may have been exempt from this bill were it law at the time of the incidents.

Finally, below is a clip of the bill being explained in the House, and subsequently passing by voice vote: