Data Losses
responses

This page highlights responses to large scale exposure of sensitive consumer information.

It covers the introduction, cybercrime prosecutions, action by regulators, apologies, alerts and freezes, and class actions.

     introduction

Responses to theft of data and to exposure of data (eg negligence in protecting consumer records) have essentially taken six forms -

  • denial - commercial entities and other organisations have not acknowledged that data loss has taken place or have refused to acknowledge vulnerabilities in their handling of information. Denial within organisations has sometimes led to recurrent losses by a particular organisation and to failure to embrace best practice by learning from the experience of corporate peers
  • mandatory reporting - failure by organisations to alert consumers that breaches have occurred (desirable so that consumers can be especially vigilant to potential identity theft) has led some jurisdictions, notably California, to mandate incident reporting to affected consumers and/or regulators
  • identification and prosecution of thieves - action under cybercrime or other statutes for unauthorised access to databases and networks, damage to databases, theft of information, breach of contract, and identity crime
  • litigation against negligent data custodians - suits by regulators and on a class action or individual basis by victims of data loss. That litigation has been reinforced by increased premiums from insurance providers
  • changes to business practice to address vulnerabilities - for example strengthening corporate firewalls, enhanced surveillance of staff against 'insider' theft of data, and encryption of disks/tapes in transit
  • promotion of identity theft insurance services and monitoring services - provided on a commercial basis by specialists or bodies such as credit reference service providers.

Security guru Bruce Schneier commented

it might seem that there has been an epidemic of personal-data losses recently, but that's an illusion. What we're seeing are the effects of a California law that requires companies to disclose losses or thefts of personal data. It's always been happening, only now companies have to go public with it.

As a security expert, I like the California law for three reasons. One, data on actual intrusions is useful for research. Two, alerting individuals whose data is lost or stolen is a good idea. And three, increased public scrutiny leads companies to spend more effort protecting personal data.

Think of it as public shaming. Companies will spend money to avoid the PR cost of public shaming. Hence, security improves.

This works, but there's an attenuation effect going on. As more of these events occur, the press is less likely to report them. When there's less noise in the press, there's less public shaming. And when there's less public shaming, the amount of money companies are willing to spend to avoid it goes down.

This data loss has set a new bar for reporters. Data thefts affecting 50,000 individuals will no longer be news. They won't be reported.

The notification of individuals also has an attenuation effect. I know people in California who have a dozen notices about the loss of their personal data. When no identity theft follows, people start believing that it isn't really a problem. (In the large, they're right. Most data losses don't result in identity theft. But that doesn't mean that it's not a problem.)

     cybercrime prosecutions

It is clear from the preceding page of this note that authorities have successfully prosecuted people who have breached cybercrime or other law through unauthorised access to and use of information. That access might have occurred from outside the data custodian or might have involved abuse of a privileged position (eg a staff member or contractor walking out of the custodian's premises with an illicit copy of a database on a memory stick, CD or even floppy disk).

US hacker Christopher Phillips was thus convicted in 2005 for copying personal information on a University of Texas database, ordered to pay US$170,000 restitution and serve five years of probation. Three former MphasiS employees were arrested in 2005 for allegedly stealing US$350,000 from accounts of four Citibank customers.

     action by regulators

Regulators have also taken action against data custodians who are inept or deceptive.

One example is the US Federal Trade Commission's 2004 settlement with Petco Animal Supplies over FTC charges that security flaws in the Petco site breached federal law and violated privacy promises made to customers.

At PETCO.com, protecting your information is our number one priority, and your personal information is strictly shielded from unauthorized access. Entering your credit card number via our secure server is completely safe. The server encrypts all of your information; no one except you can access it.

The FTC commented that, contrary to Petco's claims, the retailer "did not take reasonable or appropriate measures to prevent commonly known attacks by hackers". Petco did not implement security measures to "secure and protect sensitive consumer information, including simple, readily available defenses that would have blocked such attacks" and falsely claimed that the sensitive information Petco obtained through its site was maintained in an encrypted format.

The FTC commented

Consumers have the right to expect companies to keep their promises about the security of the confidential consumer information they collect. The FTC will hold companies to their word.

It noted that Petco was the fifth FTC case challenging deceptive claims by businesses about the security provided for consumers' personal information.

In 2006 ChoicePoint agreed to pay US$15 million to settle FTC charges that its security and record-handling procedures violated consumers' privacy rights. Those charges followed sale of the personal financial information of 145,000 consumers to criminals purporting to be legitimate businesses. ChoicePoint had initially sent notice of that failure only to Californians and appears to have widened the alert after a media furore. Unsurprisingly visitors to Consumerist.com voted ChoicePoint the second "worst company in America" and it received the 2005 "Lifetime Menace Award" from Privacy International.

Action has been selective. In the US the major release of data from iBill referred to in the preceding page of this note was not disclosed by that company. Because the information did not include Social Security, credit-card or driver's-license numbers, no US laws require iBill (or the adult content companies for which they provided payment services) to warn people. A year after the FBI first learned of the loss they had also failed to issue any public warnings.

     apologies, alerts and freezes

In 2005, after Citigroup lost computer tapes holding 3.9 million unencrypted consumer records, it apologised. That apology featured boilerplate such as Citifinancial "has no reason to believe that the information has been used inappropriately". The group offered customers free enrollment in a credit-monitoring service for 90 days.

Critics commented that the offer, while better than nothing (and presumably useful in heading off action by activist regulators in California and elsewhere), was somewhat disingenuous as the average time for victims to become aware of the theft is 12 months, with a further 175 hours and US$808 out-of-pocket expenses spent clearing their names. Citigroup more meaningfully announced that it had stopped delivering computer tapes by courier.

Later that year Marriott International, after another loss of tapes, announced plans "to search for the tapes, to determine how they disappeared and monitor accounts for any unusual activity or possible misuse". It commented "We regret this situation has occurred and realize this may cause concern for our associates and customers".

In 2006 the US Veterans Administration responded to loss of a VA laptop with personal data on 26.5 million ex-servicepeople, apologised and announced that it would spend up to US$25 million on a call centre to address queries (with some US$11 million being budgeted for correspondence with all of the affected people).

US consumer disquiet about alert services has resulted in some 33 states passing 'freeze' legislation, which requires credit reference services to freeze access to the consumer's report and credit score. Without that information, many lenders will not issue new credit to a thief. (When the consumer wants to get new credit, that person uses a PIN to unlock access to the credit file.)

     class actions

In 2006 South Korean law firm KR announced that it would sue five ISPs on behalf of victims over sale of their customer data. KR is reported as seeking US$500 damages for each customer.

During the same year two Ohio University graduates - whose Social Security numbers were among 173,000 exposed through security breaches at the university's business school, alumni office, health center and contracting unit - filed a class action lawsuit, alleging their right to privacy had been violated. The suit asked a judge to order the university to pay for credit monitoring services and, more originally, to compensate anyone who suffers financial losses from the breaches. The university concurrently revealed that IT security had been given a low priority for over 10 years.

The suit was dismissed in 2007, on the basis that the plaintiffs had failed to demonstrate damage through exposure of data at the university.

version of September 2007
© Bruce Arnold
caslon.com.au | caslon analytics