All personal data needs to be secured. What part of “all” don't you understand?
http://www.baltimoresun.com/bal-hopkins0207,0,39635.story?track=mostemailedlink
Hopkins notifies 132,000 of data loss
Vital information on workers, patients was misdelivered
By Tricia Bishop Sun Reporter From the Baltimore Sun From Thursday's Sun February 7, 2007, 8:50 PM EST
Johns Hopkins began notifying thousands of university employees and hospital patients Wednesday that backup computer tapes containing personal information about them -- some of it sensitive -- have been missing for seven weeks.
Hopkins officials said they believe the data, which did not include patient medical information, wasn't compromised.
Still, two regulatory agencies that oversee hospitals are discussing whether to investigate Hopkins' security practices amid concerns of identity theft. [Another cost of bad security... Bob]
Eight university computer tapes, routinely sent to a contractor that makes microfiche archives of the data, held Social Security numbers, addresses and direct-deposit bank account information for 52,567 former and current employees.
A separate tape from the hospital had names, dates of birth, sex, race and medical record numbers for 83,000 new hospital patients seen be tween July 4 and Dec. 18, 2006, or those who updated their in formation during that period.
Hopkins officials said an "intensive investigation" by their staff as well as that of the contractor, Anacomp Inc., suggests that the tapes were likely misplaced by a courier, collected as trash and incinerated. [How can you prove that? Bob]
"Our best information is that the tapes have been destroyed. Nevertheless, we are concerned that there was ever even a possibility that the information on them was out of authorized hands," Hopkins University President William R. Brody said in a statement, apologizing for the incident.
"We will review our processes and procedures and make any appropriate changes in an effort to ensure that this does not happen again," he said.
The hospital's relationship with Anacomp, based in San Diego, is also under review, and data shipments have been suspended.
According to Anacomp's Web site, "thousands of businesses and organizations worldwide" as well as the "majority of the Fortune 500" use its services to manage their documents and information technology equipment.
The company declined to comment beyond a statement reiterating Hopkins' findings.
"At no time do we believe the information on the tapes was accessed and we are virtually certain that the tapes were destroyed," Anacomp's statement read.
... At Hopkins Wednesday, employees said they understand that mistakes happen, but they expressed concern over why it took so long for the situation to come to light.
... In a fact sheet distributed to employees, Hopkins officials addressed the question of why the loss wasn't reported sooner. The sheet noted the complexity of having both hospital and university data missing, as well as the time it took to identify affected parties and prepare contact data.
... Privacy laws in seven states [Is that all? Bob] with affected people -- New York, Hawaii, Louisiana, Maine, New Hampshire, New Jersey and North Carolina -- required that Hopkins inform them of the breach.
Also notified were several regulatory bodies.
The state Office of Health Care Quality within the Department of Health and Mental Hygiene, which regulates hospitals and protects consumers, said it was seeking more preliminary information about the records before deciding whether to begin investigating the incident.
The agency has the power to launch, unannounced, an investigation, which could include searching files at Hopkins and in terviewing employees and patients. Its powers range from writing deficiency reports to revoking licenses. More recently, it acquired the power to fine institutions for serious and uncorrected problems. [Fairly impactive... Bob]
... Hopkins officials didn't realize anything was amiss until Jan. 18. [Adequate procedure? Bob] That's when they learned that the eight tapes of information about university employees from all divisions except the Applied Physics Laboratory were never returned. Those tapes were sent out for microfiche processing Dec. 21. On Jan. 26, internal investigators discovered that a ninth tape containing patient names and birth dates was also missing.
Investigators have concluded that the tapes were likely left behind [The shipper off-loaded them? Bob] at a shipping area stop along the courier's route. The site is "generally full of boxes, which are placed in a dumpster," Hopkins said, leading officials to believe the tapes have been discarded. [Not destroyed? Bob]
The tapes require special equipment [a tape drive Bob] to be read, though they weren't encrypted, [Should be routine! Bob] which troubles some privacy rights advocates.
"This breach would be a non-issue if the tape had been encrypted," said Beth Givens, director of the San Diego-based Privacy Rights Clearinghouse.
"It's the type of information and the type of data that is very sensitive. If this tape got into the wrong hands, they would have a treasure trove of sensitive personal information, enough to commit identity theft on many individuals and also sell the data on the black market," Givens said.
"This is Johns Hopkins, right? A leader in computer technology and education on that subject, so [there's] kind of an irony here."
Interesting twist. Once the data has been “exposed” is it okay to republish it?
http://www.thestar.com/Business/article/179406
Investment group caught in privacy breach
Confidential data mistakenly posted online is exposed
February 08, 2007 Tara Perkins business reporter
After accidentally posting a list of thousands of brokers and the number of complaints against them on the Web, the Investment Dealers Association of Canada is trying to regain control of the information and minimize any damage done.
Lawyers for the IDA have sent a letter to Robert Kyle, who discovered the list on the IDA's website and has since posted it to his own website. Kyle, the former director of the Consumers Council of Canada and the Small Investor Protection Association, has been openly critical of the IDA's ability to adequately regulate the industry. The IDA is a national self-regulatory organization of the securities industry.
"You must immediately remove from your website the information relating to IDA members and brokers," the letter states. "The IDA does not accept any responsibility as a result of your unauthorized and wrongful publication and disclosure of the information in any way and, further, will hold you responsible for any loss or damages incurred as a result of you doing so."
Last month, Kyle discovered that when he double-clicked [There's a technique not many people would know... Bob] on a graph on the IDA's website, up came raw data that was used to make the graph, including a spreadsheet with names of brokers and the number of customer complaints, civil claims, criminal claims, internal investigations, internal disciplinary actions and external disciplinary actions against them.
The data, which includes complaints from late 2002 to mid-2005, was on the IDA's website for more than a year before he came across it.
... The letter from the IDA's lawyers, Borden Ladner Gervais LLP, says "even though it became possible to access such information through charts posted on the IDA website, there ought not to be any such access and, if accessed, information ought not to have been copied. [and I should be good looking and paid more. Bob] The IDA has indicated that the information, as far as it is concerned, remains confidential."
... Jeff Kehoe, the IDA's director of enforcement litigation, said yesterday that the IDA's inadvertent disclosure of the information doesn't negate the fact that it's confidential. [Is that a dumb a statement as I think it is? Bob]
This is the risk you take when you try to “save money” by not spending enough on security.
http://www.eweek.com/article2/0,1759,2091585,00.asp?kc=EWRSS03119TX1K0000594
Massachusetts Leads National TJX Data Probe
February 7, 2007 By Evan Schuman
The Massachusetts Attorney General is heading up a group of more than 30 states [Initial reports hinted at 40 million cards. Could this be an indication that that number is correct? Bob] trying to force answers to how the massive TJX Companies data breach happened.
... "We're going to be looking at appropriate business practices and whether they put consumers at risk." She added that "businesses need to run their businesses, and they need certain amounts of information."
... The Rhode Island probe will continue, and Rhode Island is not—at this time—participating in the multi-state effort led by Massachusetts, said Michael Healy, the public information officer for Rhode Island Attorney General Patrick C. Lynch.
... The TJX incident was announced in mid-January, and according to TJX statements, discovered in mid-December.
That month long delay before public disclosure is a key issue in the Massachusetts probe. TJX has also said that the data problem began in mid-May and hadn't been discovered until mid-December, which is also something the Massachusetts group will likely examine.
... Coakley stressed that her multi-state probe will not be limited to credit- and debit-card transactions, but will look at a wide range of "paperless transactions of financial information," including TJX's retention of driver's license information required to handle in-store receipt-less product returns.
A Security Plan does not stop at the Backup/Recovery Plan. What part of “all” don't you understand?
http://www.poughkeepsiejournal.com/apps/pbcs.dll/article?AID=/20070208/BUSINESS/70207069/1003
Official: Data installed as part of drills
By Irwin M. Goldberg Poughkeepsie Journal Thursday, February 8, 2007
Since the Journal first learned of the laptop theft in August, it has had numerous phone conversations and e-mail exchanges with Vassar Brothers Medical Center, most of them through David Ping, the vice president of strategic planning and business development.
Why it was created
Documents obtained by the Journal indicate there was a disaster drill April 18, according to an e-mail from Nick Christiano, vice president and chief information officer. The email said personnel brought backups of the registration and billing systems to an off-site center and then those systems were able to run effectively.
The Journal was told Aug. 2 there was a mock drill held May 21 to see how the hospital functioned without access to its servers, then-hospital spokeswoman Jeanine Agnolet said.
That is why the patient data — including names, Social Security numbers and date of birth — were installed on machines throughout the hospital, officials said.
On Aug. 2, Florie Munroe, the hospital’s chief compliance officer, in response to further questions about why the data was on the laptop, said it was installed for disaster recovery training in May and a June 6 regional disaster training drill. [and never secured or removed? Bob]
... On Jan. 8, Ping, after being asked to clarify when the data was installed on machines and why, said the data was installed for participation in drills and for a planned outage of the system for an upgrade either on April 25 or June 25.
The data wasn’t removed from the machines until two days after the theft of the laptop was reported, documents show.
In Colorado, Identity Theft was far and away number one with 246,035 complaints.
http://www.bespacific.com/mt/archives/013885.html
February 07, 2007
FTC Issues Annual List of Top Consumer Complaints
Press release: "The Federal Trade Commission today issued its annual report, “Consumer Fraud and Identity Theft Complaint Data” on complaints consumers have filed with the agency. For the seventh year in a row, identity theft tops the list, accounting for 36 percent of the 674,354 complaints received between January 1 and December 31, 2006. Other categories near the top of the complaint list include shop-at-home/catalog sales; prizes, sweepstakes and lotteries; Internet services and computer complaints; and Internet auction fraud."
This is driving up costs...
http://www.pogowasright.org/article.php?story=20070207105532140
ACB Data Breach Survey Highlights Need for Action by Card Networks and Congress
Wednesday, February 07 2007 @ 11:05 AM CST - Contributed by: PrivacyNews - Businesses & Privacy
A just-completed survey by America's Community Bankers reveals that data security continues to be a significant issue for community banks and their customers, and that card network and congressional action is necessary to address this far-reaching problem.
# Of the 181 respondents, more than 96 percent said they issued debit cards, while 19 percent said they issued credit cards.
# In the past 24 months, 70 percent of respondents said their bank had to reissue cards due to data breaches three times or more and 39% said their bank had to reissue cards more than five times.
# Eighty-nine percent of the debit card issuers and 53 percent of the credit card issuers indicated that their customers had been affected by a data breach.
# Of those affected by a data breach, 92 percent had reissued cards to customers.
While not specifically asked in the survey, cumulative data reflect that the average cost for reissuing each debit card is approximately $10-20 per card. Therefore, a bank reissuing 10,000 cards three times at an average cost of $15 per card would incur a cost of $450,000.
Some good points...
http://www.technewsworld.com/rsstory/55601.html
How to Respond to a Data Breach, Part 1
By Kelly Shermach CRM Buyer Part of the ECT News Network 02/08/07 4:00 AM PT
"A lot of people think security is expensive, but good security helps decrease the cost of maintenance," says Ira Winkler, vice president of marketing for the Information Systems Security Association and author of Spies Among Us: How to Stop the Spies, Terrorists, Hackers and Criminals You Don't Even Know You Encounter Every Day.
As the technology that businesses depend on has diversified, new tools have enabled the capture and storage of minutia from operations and transactions.
However, the wealthier companies become in data assets, the more attractive they become to attackers. This is why data security requires great attention and investment -- to prevent potential breaches.
TJX surely realizes this, given its recent challenges in responding to an unauthorized intrusion of its computer systems that exposed the credit and debit card details of customers in several countries, including the United States. After all, inoculation against a crippling disease such as data theft is less painful to the pocketbook -- as well as the brand -- than the post-crisis cure.
"A lot of people think security is expensive, but good security helps decrease the cost of maintenance," says Ira Winkler, vice president of marketing for the Information Systems Security Association and author of Spies Among Us: How to Stop the Spies, Terrorists, Hackers and Criminals You Don't Even Know You Encounter Every Day.
Additionally, overhead allocations for network utilities are eaten up exponentially faster by nefarious sources, which not only risk data integrity but eat up bandwidth and compromise efficiency.
Policies for Process
Data security policies should preempt any other provision in establishing strong security.
"Outsourcing to a hosting company is good in that the basic physical and technical security that a hosting company will have will easily exceed the majority of companies' [security]," Clive Longbottom, service director of business process analysis at the research firm Quocirca, tells CRM Buyer.
"However, for real levels of security, any outsourcing company will still need guidance and a strategy set by the owning company. ... You cannot depend on outsourcing companies to understand what your security needs are and therefore how to approach them with suitable solutions," he adds.
"We advise that companies take an intellectual-property asset view of security. ... Look at the actual files and data themselves, and ensure that these have security policies applied directly against them," Longbottom advises, so that "any item remains secure, even if copied, even when outside of the company, even when mobile."
Everyone needs some form of certificate that is checked on a constant basis, but this approach does give the highest levels of security within and across company boundaries.
Tactical Measures
After the policy-making, widely available solutions come into play -- including disk-level encryption software, firewalls, intrusion detection and other prevention tools. all PCs should have antivirus, anti-spyware and current software updates installed through automated commands as well as firewalls, according to Winkler.
Encryption follows industry standards such as the Payment Card Industry Data Security Standard. The credit card networks Visa, MasterCard, Discover and American Express cooperate in this initiative, which outlaws the storage of customer credit card data.
Lesson Learned
If TJX hadn't held onto shoppers account numbers, expiration dates and back-of-card security codes, there wouldn't have been assets for hackers to mine [what benefit did this information offer the company? Bob] or automated attacks -- from bots -- to make vulnerable.
"Encrypting data can protect information but can also work towards preserving the corporate reputation by reducing the data breach notification obligations," Rob Scott, managing partner of Scott & Scott, tells CRM Buyer, adding that, of the 23 states that require intrusion disclosure, only five stipulate that breaches of encrypted data must be disclosed to affected parties.
In addition, just as companies must assess the value of the data they collect and keep, they also should evaluate the risk of critical data once exposed.
"There is little point in applying 3DES (triple date encryption standard) encryption on information and data that is already in the public domain," Longbottom explains.
Further, in cases where data vulnerability is low, the financial or brand-equity impact of a breach would be minimal. "In these cases, a company might make a conscious decision not to bother securing certain assets," he adds.
Staff Up
Once a grand plan is established, it needs to be staffed adequately. "Most people think of IT as a cost center," Winkler says. "They are penny smart, Pound foolish."
Instead, he notes, organizations should determine the optimum IT administrator to employee ratio and attempt to meet it.
"Most people are not aware of the threats they face," Winkler claims. However, even small companies in niche industries may be infiltrated.
"The reality is: Anyone is a target. If you don't keep yourself well-maintained, you're a target," he adds.
Hackers who break into an easily penetrated system may do so only to use that network to attack others -- and to leave liability for their crimes with the zombie host.
No Status Quo
Meanwhile, internal and external stakeholders are putting pressure on today's corporations to secure their systems.
"Company-wide security policy development, enforcement and ongoing employee education and training can promote protection and risk mitigation at all levels of the corporation," Scott suggests.
Quocirca's Longbottom congratulates the few who are actually seeing through such policing.
"Whether they know it or not, a lot more companies are getting better at security, as firewalls have morphed to include better content filtering, deep packet inspection, DoS (denial of service) attack identification, IDS/IPS (intrusion detection systems/intrusion protection systems) and so on," he says.
"Also, the security of databases has been much in the news, and newer database versions have much improved data security," Longbottom concludes. "For many companies, updating to the latest version of the database and refreshing the firmware on their firewalls would help a lot. Combined with forcing desktop antivirus/spyware software to be updated on a regular basis takes this even further."
No matter how good the lens, it must be possible to see (have line of sight) your target. As long as the technology does not provide super-human abilities (see through walls, see in the infrared, etc.) why is this an issue?
http://michaelzimmer.org/2007/02/06/cellphone-cameras-that-zoomwhat-would-warren-brandeis-think/
Cellphone Cameras That Zoom…What would Warren & Brandeis Think?
Posted on Tuesday, February 6th, 2007 at 2:03 pm
MIT’s Technology Review has a brief article about advances in zoom technology for cellphone cameras. This adds a new dimension to the privacy and surveillance threats cellphone cameras pose.
We experienced a major advancement in camera zoom technology around the turn of the century, which spurred Warren & Brandeis to write their seminal article “The Right to Privacy.” As the sophistication of mobile and networked cameras continues to rise, what will our answer be?
Clarification of the First Amendment?
http://yro.slashdot.org/article.pl?sid=07/02/08/0329237&from=rss
Woman Wins Right to Criticize Surgeon on Website
Posted by samzenpus on Thursday February 08, @12:05AM from the tell-it-like-it-is dept. The Internet
Scoopy writes "The website of a cosmetic surgery patient critical of her Sacramento surgeon's work is protected free speech, an appeals court said in an opinion that could have statewide implications. The website contains before and after photographs of 33-year-old Georgette Gilbert, who said the surgery left her with one eyebrow higher than the other and a surprised look permanently affixed to her face. The website was challenged in a defamation suit filed by surgeon Jonathan Sykes, a prominent professor and television commentator on the subject of cosmetic surgery. Although the Sacramento-based 3rd District Court of Appeal only mentions Sykes, the opinion suggests that others who use 'hot topics' of public interest in their advertisements and promotions may shed protections against defamation afforded to ordinary citizens."
So, what will replace shrink wrap licenses?
http://knowledge.wharton.upenn.edu/article.cfm?articleid=1651
Why Software Business Models of the Future Probably Won't Come in a Box
Published: February 07, 2007 in Knowledge@Wharton
Microsoft's Vista operating system should give the company a revenue stream that will run for years, but that doesn't mean the company can rest on its laurels. Experts at Wharton say the January 30 launch of the consumer versions of Microsoft's flagship software may be among the last of its kind -- a product sold for a flat fee in a shrink-wrapped box. Indeed, many wonder if the software business model that has made Microsoft so dominant for the last 20 years may begin to fade in the decade to come as new software business models -- from open source to advertising supported -- gain increasing traction.
... But new models of software pricing and distribution are becoming increasingly popular. "Open source" software relies on voluntary programmers to build applications that can be distributed freely. Ad supported software includes web-based applications that are free as well, but they generate revenue through advertisements. Also on the increase: "on-demand" software where customers rent software applications when they need them and pay only for what they use.
All of these models pose unique threats to Microsoft, although that is hardly news to CEO Steve Ballmer, who clearly sees the challenges ahead. At a Wharton Leadership Lecture this past December, Ballmer noted that the two biggest competitive threats to Microsoft are open source software and advertising supported applications. "Right now, the emblem of the first one is Linux and the emblem of the second one is Google. But it's not the companies, it's the phenomena" that present the greatest challenge to Microsoft, said Ballmer.
Wharton legal studies and business ethics professor Kevin Werbach says Microsoft is right to be concerned. "Ten years from now, Microsoft must be weaned from ... license revenue. But it's a long process, because they justifiably don't want to cannibalize a revenue stream that remains phenomenally lucrative."
Makes perfect sense to me.
http://slashdot.org/article.pl?sid=07/02/07/1942243&from=rss
Video on Demand From the Public Library
Posted by ScuttleMonkey on Wednesday February 07, @03:32PM from the doing-it-for-free dept. Television Technology
ye oulde library lover writes "In light of the recent story about Wal-Mart and movies on demand, readers should know there is a free service available from some public libraries that lets you download movies and tv shows. The service is just beginning, so selection is pretty mediocre, but the sponsors, Recorded Books and PermissionTV, make some big promises. If your library ponies up the dough for the top service, you will be able to download movies on the same day as their dvd release. All you need is a library card. You can see one of the early adopters — Half Hollow Hills Community Library in the library's blog. Look for MyLibraryDV."
Free is good!
http://www.techzonez.com/comments.php?shownews=20370
Serence KlipFolio 4.0 Beta B
Posted by Reverend on 07 Feb 2007 - 20:23 GMT
Techzonez Serence KlipFolio is a free information awareness and notification application for Windows. It's quick to install and easy to use. KlipFolio lets you configure and monitor a wide variety of real-time information services on your desktop--like weather, stocks, breaking news, RSS feeds and auctions. These information services are called Klips. [as in Clippings? Bob]
View: Release Notes Download: Serence KlipFolio 4.0 Beta B View: Serence KlipFolio homepage Download: Techzonez Klips
