A Survey of Pending Federal Legislation

Good Afternoon,

Tomorrow, November 3, 2011 I will be making a presentation at the Boston Bar Association on the topic of pending Federal legislation in the area of data breach and data security. It is sure to be a historic event as I will predict the future.

OK, maybe not historic, but certainly relevant. In 2007, Massachusetts passed the "Mass Data Privacy Law", followed shortly (ha ha) thereafter by the infamous regulations found at 201 CMR 17 (2010). The pending bills clearly intend to preempt all state laws. What will happen to Massachusetts law? I mean, it just got here... does it have to leave already?

I have chosen six bills that seem to have the best chance of passage this year. Of those six, probably three have a solid chance.

Come see which six are the "chosen ones" and which three have the best chance, and why!!

The United States lacks a comprehensive data privacy / data breach notification law. Even Russia purports to have one. Will it finally happen? Will the United States join the majority of the developed world and enact a nationwide law? Or will Congress bicker and debate for another year?

I have all the answers (maybe), you just have to be in Boston tomorrow at noon to get them...

Boston Bar Association

16 Tremont Street

Boston, MA

12pm - 1pm

https://www.bostonbar.org/membership/events/event-details?ID=8110

Social Security Numbers Released by the Social Security Administration?

When you are born in the United States you are entitled to a "social security number." I say entitled, because it doesn't seem to be required, at least it wasn't. I didn't get mine until I was applying for my first job. My mother took me down to the Social Security Administration's office and I got myself a shiny new blue card with a number that would follow me my entire life. My children got theirs from the doctor who delivered them (kidding, but it was close in time).

When you die in the United States, apparently the Social Security Administration "re-categorizes" you as deceased in what is called the Death Master File or DMF. I can see the usefulness of that. It seems logical that you'd want to make sure that a decedent's SSN isn't used by anyone else... But what if, just maybe, the SSA listed you erroneously on the DMF? But wait, I'm not dead, in fact, I'm feeling much better now (remember the "bring out yer dead" scene in Monty Python's Holy Grail? Hilarious).

What is the impact when you are erroneously listed on the DMF? Apparently, and according to people who were erroneously listed on the DMF, you can be turned down for loans and apartments, have bank accounts frozen, and suffer other negative events whenever your SSN is required. I guess the "inquirer" looks up the applicant's SSN on the DMF and if it's there, then the applicant must be dead (at least their SSN is), therefore the applicant can't have whatever it is they're asking for - because they are dead.

The DMF is apparently available for purchase, but if you buy it, you get the SSNs of living, breathing humans because mistakes happen.

According to a report in the Seattle Times by Howard Scripps News Service reporter Thomas Hargrove, the news service purchased the list and then started contacting the "erroneously placed names and SSNs" to inform them that they are listed as dead. One woman said that she has been dealing with her number situation for 10 years! What a hassle.

From the article in the Seattle Times:

Social Security officials admit that, each year, they accidentally release the personal information of about 14,000 living Americans by posting their files among the records of 90 million deceased Americans.

WHOOPS, sorry 'bout that. Thanks for telling us though.... Oh, you didn't tell us? You don't tell us? You're not required to tell us?

Apparently the SSA takes the position that they're not required to tell those people erroneously listed that their personal information has been made available to the public, by accident. A data breach by my definition. The article doesn't clearly say that, nor do the quotes from Social Security Officials, but what other conclusion can you draw?

I know, I know, the Social Security Administration didn't KNOW that the mistake happened, otherwise, logically speaking, it wouldn't have happened. And since they didn't KNOW it happened, how could they possibly have informed the people involved?

If you read any of the pending Federal legislation regarding data breach notification requirements, you'll find that constant monitoring is required. If you have the data, it's your job to KNOW if it's been erroneously released.

If the Feds want to place these regulations on businesses across America, they should really clean up their own house first.

The tech world loses a visionary

As we've all heard by now, Steve Jobs has passed away. In the past 25 years or so I have been torn between the Mac world and the PC world... My first computer was an Apple IIe. I can still see it in my mind's eye, although physically I have no idea where it is (or what's on it!). After that it was PC after PC after PC. I can't even recall how many there were.

What is really amazing to me is the massive advances that Apple continuously makes, leaving the PC in the dust. Even I, a diehard PC person, have to admit that Apple's technology is wicked cool. I do have a G5 at home that is pretty cool, I'm just not sure I'm a "mac guy"...

In the 80's and 90's I watched Apple get relegated to the "educational institutions of the world" only to reinvent itself as THE consumer computer company over the last 15 or so years. I know that Steve Jobs made that happen. It's also been fascinating to see how for a while there were "mac" people and "PC" people, just check out the ads about it. The way I see it now, with the iPad and the iPhone, it's gonna be a "Mac" world soon enough. Everything else will simply be a copy of theirs. (anyone remember the story about the first graphical interface? Karma's a bitch, Bill)

Rest in peace Steve.

PS - I am disgusted but not surprised that within hours of his passing, idiot advertising/affiliate/marketing/scammers started doing their thing. They set up "stevejobsfuneral[dot]com" which has no legitimate purpose. Check out the story over at Threatpost...

The Senate puts three data breach bills in play

Yesterday, the US Senate voted to approve three bills that deal with data privacy, security and breach notification. All three would preempt the existing state laws that deal with data breach notifications, so ya, this matters.

Senator Leahy’s bill, S. 1151, “Personal Data Privacy and Security Act of 2011”, passed on party line votes with no Republican support. A few amendments were passed during the hearing, none of them fundamentally changing the original bill, but rather “tweaking” it.

Senator Feinstein’s bill, S. 1408, “Data Breach Notification Act of 2011”, also passed on party lines with no Republican support. An amendment proposed by Sen. Grassley, the Chairman of the Committee debating this bill, was defeated. His amendment sought to direct all fees and fines collected due to violations of the law to lowering the deficit. How dare he tell Washington what to do with the money. (Should I pay my VISA card or go buy a new pair of shoes?)

Senator Blumenthal’s bill, S. 1535, “Personal Data Protection and Breach Accountability Act of 2011”, also passed on party lines with no Republican support. One amendment proposed again by Sen. Grassley failed. It proposed to limit the ability and authority of the FTC to expand the definition of “Personal Information”, or as the Senator calls it, “Sensitive Personally Identifiable Information” (SPII).

So, no Republican support huh? Currently the Dems have 51 senators, the Republicans 47 and two independents. All things held constant we have a new law, but it’s not that simple, is it?

Blumenthal’s bill tries to do too much (102 pages). Feinstein’s bill is narrow (31 pages) and only deals with breach notifications. Leahy’s bill is somewhere in between (65 pages).

Recently the US Chamber of Commerce, a pretty influential group, wrote letters to the Senate and gave their position on the three bills. They didn’t like any of them. Of course they “lauded” the Senate’s efforts to protect the consumers, but their “client” is business not people. (oh wait, didn’t Romney just say that corporations are people?)

The Chamber dismissed Blumenthal’s bill out of hand, and rightfully so. Its definition of personal information is about 400 words long! It gives a private right of action to the public, and as much as I can envision a million attorneys lining up to file suits and get their third, it’s not appropriate. I simply cannot see this bill getting anywhere without major revisions. Check out the Chamber's letter here: (US Chamber lett 2.pdf)

The Chamber addressed the other two in a little more detail. They took issue with several parts of Leahy’s bill, nine sections to be specific. With regard to Feinstein’s bill, they only addressed a couple. You can read the Chamber's letter here: (US Chamber lett 1.pdf)

What are the major differences between Leahy’s and Feinstein’s? A data security program requirement. There are other differences, and some may say they matter more, but essentially the debate will come down to whether or not the law is going to require businesses to have a data security program of some sort.

Leahy’s bill is very similar to the Massachusetts law. It discusses a “data privacy and security program”, but does not specify, as Massachusetts does, a specific required company policy (the WISP in Massachusetts).

Feinstein’s bill doesn’t concern itself with any “data privacy program”, it merely requires the business to notify. Where’s the motivation to protect the data? Fear of bad press? Fear of lawsuits? Both of those fears can be easily mitigated, probably cheaper than implementing a robust data security program.

Now there are other, substantive, differences, but generally speaking the question is this: does government have to legislate business’ treatment of data or just require them to tell us when they’ve lost it?

The answer probably involves a discussion about “objective” and “motivation.” The objective seems clear, too much of individuals’ personal information is out in the wild, so let’s take better care of it. But what creates the proper motivation for businesses to do just that?

I am not a fan of having government run businesses. Government is too slow and rarely produces cost effective results. Occasionally, however, government does have to regulate (speed limits for example). The profit motive can easily cause harm to both the economy as a whole and individuals in particular. The recent credit crisis is an excellent example.

I like Leahy’s bill because of its “data privacy program” requirement. It addresses the breach notification issue, and once notified, the government, if it chooses, could ask to see the business's program. In this way the business either has an answer or it doesn’t. It could make the enforcement options much easier. Did the business have a robust program, an “ok” program or none at all? I think the sanctions ordered by government would be in line with the business' level of security for the data. Oh, you didn't have a security program....POW!

The fear that Senator Grassley suggests has little basis in fact. He says that businesses required to have a data privacy program will incur massive costs and force layoffs. I disagree. The requirements are necessary and in many instances are simply changing behavior not buying new technologies. If you’re in the business of collecting, using, or simply passing along our personal information, then you have an obligation to protect it. Didn’t we learn anything from the mortgage situation?

It would have been nice if we didn’t have to get to this point, but we are, and without swift government intervention things will not get better.

Compromise is key in politics. The Senate should not compromise our data any further than it already is…

PS – maybe the recent arrests of the LulzSec hackers will motivate the hacking to stop, and then again, maybe not.

Tracking the National Data Breach Notification Statutes

I have decided to get a little crazy today and use "widgets"...

The following is a list of all pending Federal Data Breach Notification bills. The associated widget should reflect the most recent activity associated with that particular bill.

Be sure to check back for the latest updates

It should be an interesting fall session... starting with hearings next week in the Senate.

Federal Data Breach Notification statute moves along

Today, I’d like to have a look at a Federal Data Breach notification statute that’s been getting some attention. There are, by my count, five bills pending in Washington, D.C. Want a list?

Representative Bono Mack’s bill is the one we’re discussing today. Why? Because it’s likely to make it to at least a full House vote. Whether the Senate takes it up and the President signs it are too far off to predict. As an aside, Representative Rush’s bill, that competes with Bono Mack’s, was recently referred to the subcommittee that just approved Bono Mack’s bill. She chairs the committee, so Mr. Rush, try again next session. I can’t see Bono Mack calling for a vote on a bill that covers the same issues as hers.

The bill is known as the SAFE Data Act. It basically requires certain businesses to employ certain safeguards designed to protect data. Those requirements are eerily similar to the Mass regulations found at 201 CMR 17. The bill also requires certain businesses to inform the Federal Trade Commission and citizens of a data breach, in certain circumstances. Finally, the bill preempts certain state laws.

OK, I used the word “certain”, five times in that paragraph. I did so because the bill only applies to those companies engaged in interstate commerce. The security regulations only apply to those companies engaged in interstate commerce who are not already regulated by HIPAA or GLBA (Federal regulations for healthcare and banking industry respectively). And finally the preemption of the various state laws will affect its application to businesses… let’s briefly touch on that…

The preemption clause, in relevant part:

…This act supersedes any provision of a statute, regulation or rule of a State…, with respect to any entity subject to this Act, that contains:

(1) requirements for information security practices or treatment of data similar to those under section 2; or

(2) requirements for notification of a breach of security similar to the notification required under section 3.

** Please note the “any entity subject to this act” statement. We will talk about this again.

Let me sum up the Massachusetts Data Law for you:

  • Massachusetts put in place strict regulations regarding the handling of Personal Information (PI), as well as notification triggers and requirements. The law and regulations apply to ALL Massachusetts businesses. In short, if you own PI, and it’s on a mobile device, it has got to be encrypted. If you realize that some data went missing, and there is a SUBSTANTIAL risk of identity theft, you must report it to the Attorney General and the various citizens whose data went missing.

Now let me sum up the SAFE Data Act (presuming you as a company possess PI):

  • If you are engaged in interstate commerce and you are not already regulated by HIPAA or GLBA, you have to have the required security safeguards in place.
  • If you are regulated by HIPAA or GLBA, this law doesn’t apply to you.
  • If you are not engaged in interstate commerce, then this law doesn’t apply to you.

  • If you are engaged in interstate commerce, not regulated by HIPAA/GLBA, and you lose data and you make the determination that “there is no reasonable risk of identity theft, fraud or other unlawful conduct”… no notification necessary. But if you do find a “REASONABLE risk” of identity theft then you must notify the Federal Trade Commission within 48 hours, and the affected citizens within 45 days.
  • If you are regulated by HIPAA or GLBA, this law doesn’t apply to you.
  • If you are not engaged in interstate commerce, then this law doesn’t apply to you.

Who does the law apply to then? Companies engaged in interstate commerce who are not in healthcare or banking, I guess.

So, if you are not engaged in interstate commerce, but are a Massachusetts company, where are you? Didn’t the new Federal Law preempt the Massachusetts law, or did it just preempt the law as it applies to those entities engaged in interstate commerce? Recall the “any entity subject to this act” from above. It appears that if you are engaged in interstate commerce you are an “entity subject to this act” and exempt from the Massachusetts law, right?

I am a small accounting firm in Central Massachusetts, I do not engage in interstate commerce. I am subject to the Massachusetts Data Law and the regulations. The neighboring business happens to be involved in interstate commerce, but offers a very similar service. Do we have different regulatory schemes? Yes, it appears you do.

The goal was to make data breach notification simpler. This does it, for the very largest companies in our country. Unfortunately for the small ones in Massachusetts they will end up with a more onerous law than the one that applies to say, Walmart...

PS - Bono Mack appears to have lost the support of Rep. Henry Waxman on this bill. That might be costly. His concerns are legitimate, but big business is happy with the bill.

National Data Breach Law Proposed

Another day of rain in Boston. That’s three in a row and at least four more coming. April showers bring May flowers, but what do May showers bring? Not pilgrims. How about data laws. Congress is awash with bills that deal with data in one way or another. They're just lining up down there in D.C.

I was reading through what has been called the “President’s Cybersecurity Legislative Proposal.” It has multiple parts, so today we will only dive into the “Data Breach Notification” [pdf] section, and examine two problems that jump right out at me.

There is plenty of analysis to be completed here, but we have to start somewhere; this is where I am starting:

PROBLEM ONE:

The proposal follows a similar path as most of the bills that seek to protect our data. It defines what it intends to protect: Sensitive Personally Identifiable Information, or SPII. Can’t we all just agree to call it the same thing? Is it “PI” for personal information, or “PII” for personally identifiable information or is it now “SPII” for sensitive personally identifiable information? As much as I like the acronym, SPII (pronounced “SPY” of course), it’s better if we all just called it “PII”. (the mathematicians took over PI a long time ago, remember: 3.14…?)

What difference does it make, you might ask. It makes a big difference, a real big difference. The President’s proposal defines the targeted information as:

(1) An individual’s first and last name, or first initial and last name in combination with any two of the following data elements:

            (A) home address or telephone number;

            (B) mother’s maiden name;

            (C) Month, day and year of birth;

(2) A non-truncated social security number, driver’s license number, passport number, or alien registration number or other government issued unique identification number;

It further defines “SPII” in sections 3 and 4, which include “biometric data”, financial account or credit or debit card number (apparently standing alone), or:

(5) Any combination of the following data elements:

            (A) an individual’s first and last name or first initial and last name;

            (B) a unique account identifier, including a financial account number or credit or debit card number…

            (C) any security code, access code or password or source code that could be used to generate such codes or passwords.

Note the missing information: e-mail addresses. I guess the Epsilon breach wasn’t that big a deal then, now was it? That party hasn’t even started yet – the bad guys are still designing the PHISH!!!

Recall our good Senator Kerry and his far flung fishing buddy, Senator McCain’s “Commercial Privacy Bill of Rights” definition of “PII” was (paraphrased) name, address, E-MAIL ADDRESS, (emphasis added), phone number, Social Security or other Govt number, credit card number, a “unique identifier that alone could be used to identify an individual”, and biometric data.

And for completeness, let’s get Massachusetts’ definition of PI out here too:

a resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:

(a) Social Security number;

(b) driver’s license number or state-issued identification card number; or

(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account…

So we have PI, PII, and now SPII and they’re all different or “legally distinct” as one may say. Wow, what a fabulous example of you say tomAYto and I say tomAHto…but what’s the third guy supposed to say?

OK, I can accept the differences at some level because in practice it will just make more work for lawyers like me. (see generally $$$) I point them out to emphasize the chaotic storm that is raging in Congress. We can’t seem to agree on what we want to protect. Imagine if all the different definitions, PI, PII, SPII, are put into law. What data did you lose, Mr. Company? Oh, you lost this, then you've got to tell so-and-so. But if you lost that, you've got to tell them over there. But if you lost a combination of this and that, you need to tell them. It's like an Abbott and Costello routine.

PROBLEM TWO:

Let’s get to what’s likely to become the scuttlebutt here in Massachusetts: STATE LAW PREEMPTION.

The Federal Government is allowed to pass laws that “pre-empt” or trump the various state laws because of the “supremacy clause”, Article VI, clause 2, of the U.S. Constitution. (U.S. Const. art. VI, cl. 2. – hope that’s proper citing, old law school profs, been a while) The Federal Government also has significant leeway in passing “supreme” laws in the area of “interstate commerce”. Those two words are dropped more often than “my uncle’s a cop” after being pulled over by the “staties” here in Mass. It’s where Congress gets a lot of their juice. You can be sure that if they can get a law passed in furtherance of protecting interstate commerce, they will.

In what has been called “Section 109”, the President puts forward the following language in his proposal:

Sec. 109 Effect on Federal and State Law

The provisions of this title shall supersede any provision of the law of any State, or a political subdivision thereof, relating to notification by a business entity engaged in interstate commerce of a security breach of computerized data, except as provided in section 104(c).*

*for completeness: section 104(c) says essentially the States can require that the notice sent out after a breach include any “victim assistance program” offered by that particular State.

You noted the use of “interstate commerce”, right? It appears throughout the proposal.

So my question to ponder as I sail adrift in this storm is whether the Massachusetts requirement that businesses have a Written Information Security Program will be eliminated by the passage of this bill in its current state. You see, the proposed Federal law specifically says “supersede any provision of the law…relating to notification…” It doesn’t say any more or any less.

My initial read on this is that the Federal Government is trying to standardize the notification process by trumping all existing notification rules. The proposal lays out what the notification has to say, who it goes to and when. I can see the value in having a standardized approach to that, but there are problems, “matey!” (as in a ship’s mate – have you noticed the theme here?)

This law only applies to those companies who handle, (own, license, etc.) SPII of at least 10,000 people in a 12 month period. So, if I am a smaller company (i.e. less than 10K people’s PI, PII or SPII) in Massachusetts, am I off the hook?

But recall our “interstate commerce” connection. In order to have significant Federal involvement, and “supremacy”, the Feds really have to rely on “Interstate Commerce” as their basis to get involved. So this law only applies to those businesses that have at least 10,000 people’s information AND are involved in interstate commerce.

So, I am a small accounting firm or architecture firm, I do keep PI around, both of my employees and clients/customers. I employ lots of mobile devices and transmit the PI across the Internet on a regular basis. But all my business is in Massachusetts. I paid big money for encryption software and other upgrades in order to be in compliance with the Mass regs… are you telling me that after only one year it’s going away?

There is an analogy… sort of… Back a bunch of years ago, Boston passed a rule/law that required restaurants to have a separate room for those customers who choose to smoke. That room had to have its own ventilation system. Many restaurants actually built out those rooms at a significant cost to the business. What happened next? Government passed a law that outlawed smoking in every restaurant, period.

Yes, that’s right, even government can change their mind.

It’s not clear that the proposal will actually sink the WISP, in fact there are several arguments to be made that the regulations under 201 CMR 17 will still stay in effect with the force of law. It’s just that there are arguments to be made that the passage of this proposal will put that issue “in play.”

This proposal now has to take the route made so famous in Schoolhouse Rock's "I'm just a bill... yes, I'm only a bill and I'm sitting here on Capitol Hill..." Do you remember how that ended?

Assigned to committee..... amended, negotiated, amended some more.

And it died in committee...

You can be sure that your author will watch this situation closely.

It's official: Sony suffers massive data breach

Sony has put out a statement about what happened. I would like to put this in context... Epsilon lost what, 40 million email addresses? The whole nation heard about that, either on TV, radio, Internet or via an email from the myriad of companies who sent out "notifications".

Sony may have lost 75 million people's information. There are a little over 300 million documented people in the United States. That means that 25% of the population of the United States had information on Sony's network? And now who has it?

Sony has been calling this an "outage", as if it were an electric company after a big storm. Excuse me, the fact that your video game operations are offline is not the problem here, it's the fact that 25% of the United States citizens now are worried about identity theft, or should be.

Let's get to the specifics: Sony has said the following:

"...we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained... WHILE THERE IS NO EVIDENCE AT THIS TIME THAT CREDIT CARD DATA WAS TAKEN, WE CANNOT RULE OUT THE POSSIBILITY. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."

From the statement posted by Patrick Seybold, Sr. Director, Corporate Communications & Social Media.

I have been reading words written by lawyers for fifteen years and pride myself on being able to tell when they are riding the razor's edge. I don't know if Mr. Seybold wrote it, I doubt it, nor do I know if a lawyer wrote it, but I am sure that Sony's legal counsel had a look at this statement before it went out.

Note that they are fairly certain that a bunch of your information was "stolen", but they're not quite sure that the credit card info was taken. A very convenient conclusion. Losing the credit card number would certainly make matters worse, but those could be changed... your name, address, etc cannot be changed.

Everyone stays focused on the credit card number... oh dear, they have my credit card number.. oh dear... LOOKIT, (as my grandmother used to say) with one simple phone call that "credit card" is a piece of plastic, nothing more. Of course, in order to make that happen, you'd have to know that it was missing... and Sony seemed to have waited at least a week to finally tell us that "hey, maybe, well, possibly, ahhh, out of an abundance of caution, let's assume it's missing."

I find it hard to believe that they can't figure this out. This isn't some small restaurant group in Boston who was tech-ignorant... this is freakin' SONY. I know, they want to be sure before they go public. Not just "sure" but what I would call "no-other-choice sure." (as in, we have no other choice fellas, we have to tell mom we broke the lamp playing ball in the house)

I took a hard look at the Massachusetts Law, MGL 93H, and its definition of "personal information". Name and driver's license number; name and social security number; name and:

"...financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account" MGL c.93H s.1(a)(iii)(c)

If Sony lost the credit card number, and the person is from Massachusetts, bingo - our law applies. If not, well, it's not clear. Could the rest of the information that Sony lost allow access to someone's financial account? Can't tell.

But let's revisit Sony's statement: recall they said that they can't say for sure if the credit card number was lost. (no evidence, but can't rule out the possibility - remember?)

MGL c.93H s.3(b)(1)(2) says: "...(1) knows or has reason to know of a breach of security or (2) when the person or agency knows or has reason to know that the personal information of such resident was acquired..."

There we have it ladies and gents, the razor's edge. They're willing to say to the public that "out of an abundance of caution, presume your card's been compromised." But they don't affirmatively say that they "know" the card info has been compromised. Can you see why?

There are 46 different state laws regarding data breaches. I hereby offer my hourly services to Sony Corporation in assisting them to comply with them, in the event they have to...

And as I like to do in situations like this, figure out who did it, I think that the perps here are cybercriminals. This one's in their wheelhouse and now 25% of American citizens' personal information is in Eastern Europe being analyzed for future use.

Senators Kerry and McCain sponsor Federal Privacy Law

Senators Kerry (D-MA) and McCain (R-AZ) introduced a "Commercial Privacy Bill of Rights" today at a press conference.

The text of the bill can be found here. Developing...

Massive e-mail data breach

A recently disclosed “massive data breach” has affected some seriously large companies. Epsilon is a company who will manage e-mail communication for your company. They will maintain a list of your customers and arrange for direct e-mail communication on behalf of your company.

Epsilon is also a company that provides a lot of different "marketing" programs with names like "Abacus" that scare me... and try deciphering their privacy policy, or at least figuring out which one applies to you.


Apparently Epsilon has lost a lot of email addresses that they were holding on behalf of some significant companies. Their "press release" is awfully short, but that's because they're probably still figuring out what the heck happened.


Epsilon has been breached by entities unknown. I found a list of companies with whom Epsilon was / is doing business and whose customers are involved in the breach (provided by Mike Lennon of SecurityWeek):

  • TiVo
  • JPMorgan Chase
  • Capital One
  • Citi
  • LL Bean Visa Card
  • Best Buy
  • Walgreens
  • Brookstone
  • Marriott Rewards
  • Ritz-Carlton Rewards
  • Home Shopping Network
  • The College Board
  • Disney Destinations
  • US Bank
  • Kroger Supermarkets
  • McKinsey & Co.
  • Barclays Bank


So what, it’s just your e-mail address, right? Wrong. It’s more than your e-mail address, it’s a trusted relationship that has been breached. The customers involved here had “requested” to receive e-mails from the companies that Epsilon worked for… meaning that you might expect the email or, at least, wouldn’t assume any email from these companies to be “spam”.


 Oh look honey, an offer from the Ritz… we are such good customers that they sent us a special deal… I just have to click here………………………………


Who knows where that click will take you, but I thought that I would take this opportunity to define “PHISHING” for you in case you don’t know how it works.


Wikipedia defines it for us: http://en.wikipedia.org/wiki/Phishing as does probably a half million other websites.

Fish in water

Phish in cyberspace

Let me see if I can distill it down to a simpler concept. Someone sends you an email with a link that you may be expecting; you click on the link and you are taken to what appears to be what you expected, except it’s not. The bad guys went “phishing” for someone. If the bad guys have a solid email address for you and know that you have a trusted relationship with a particular company, it’s called “spear phishing” because the lure is targeted at you in particular.


You fish for anything swimming by, you throw your spear at one fish in particular, see?


In this breach, one potential outcome may be an email from Ritz-Carlton Rewards or Marriott Rewards offering a special deal because you are such a good customer. If you haven’t been there in a while, or ever, you may suspect something is amiss. If you are a regular customer, and unaware of this data breach, you may follow the link to the “deal”.


The bad guys around the world sit around all day thinking up ways to “trick” us into giving them certain information. How do you get someone’s social security number? Oh, I know, let’s pretend to be the IRS sending a “confirmation of tax return” email. How do you get their bank login information? I know, send them a link that takes them to a page that looks identical to the real bank… and then the unwitting person gives us their account number and password… wow, that was easy.


This is no joke, the bad guys will actually make a fake website that looks just like the real one. There are ways to figure out that it’s a fake, but these are not commonly known. If I told you about security certificates would you know what I was talking about? How about “shortened urls”? Or how about just looking at the address bar at the top of your browser? Things that aren’t commonly known or done.
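The checks mentioned above (does the address bar show the real company, is the link a shortened URL that hides its destination, does the visible link text match where it actually goes) can be applied to an e-mail before anyone clicks. The following is an added example written for this post; it is not code from the original page, from Epsilon, or from any of the companies named here. It parses the HTML body of a suspicious "rewards" e-mail with the Python standard library and flags each link that points outside the brand's own domain, uses a URL shortener, hides a raw IP address or a `user@host` trick in the host part, or whose visible text is a URL for a different site than the real `href`. The brand allowlist, the shortener list and the sample e-mail are all constructed for the example; it works offline and does not resolve the short link (a real triage tool would follow it with a HEAD request in a sandbox). Certificate checking happens in the browser and is not covered here.

```python
"""Triage the links in a suspicious marketing e-mail (added example).

Assumptions (hypothetical, for the example only):
  - BRAND_DOMAINS is the set of domains the brand really sends from.
  - SHORTENERS is a small list of public URL shorteners.
  - SAMPLE_EMAIL is a constructed lure, not a real message.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND_DOMAINS = {"ritzcarlton.com", "marriott.com"}            # assumed allowlist
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}  # assumed list


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' rule: good enough for the .com brands used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _host_of(url_like: str) -> str:
    """Host of a URL, or of URL-looking text such as 'www.example.com/offer'."""
    text = url_like.strip()
    if "://" not in text:
        text = "http://" + text
    return urlsplit(text).hostname or ""


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_links(html_body: str, brand_domains=BRAND_DOMAINS):
    """Return [{'href', 'text', 'flags'}] for each link; empty flags means it looks legitimate."""
    parser = _LinkCollector()
    parser.feed(html_body)
    results = []
    for href, text in parser.links:
        flags = []
        parts = urlsplit(href)
        host = parts.hostname or ""
        if parts.username is not None:
            flags.append("userinfo-in-url")      # http://brand.com@evil-host/... trick
        if _is_ip(host):
            flags.append("ip-address-host")
        if host and registrable_domain(host) in SHORTENERS:
            flags.append("url-shortener")        # destination is hidden behind a redirect
        elif host and registrable_domain(host) not in brand_domains:
            flags.append("off-brand-domain")     # what the address bar would show
        # Visible text that looks like a URL but does not match the real href
        text_host = _host_of(text) if ("." in text and " " not in text) else ""
        if text_host and registrable_domain(text_host) != registrable_domain(host):
            flags.append("text-href-mismatch")
        results.append({"href": href, "text": text, "flags": flags})
    return results


# Constructed sample lure; none of these URLs are real offers.
SAMPLE_EMAIL = """
<p>Dear valued Ritz-Carlton Rewards member,</p>
<p>Your exclusive offer: <a href="http://ritz-carlton-rewards-login.example.net/claim">www.ritzcarlton.com/rewards</a></p>
<p>Or use this short link: <a href="http://bit.ly/3xAbCdE">Claim now</a></p>
<p>Manage preferences: <a href="https://www.ritzcarlton.com/en/rewards/preferences">preferences</a></p>
<p>Verify account: <a href="http://ritzcarlton.com@198.51.100.7/login">ritzcarlton.com</a></p>
"""

if __name__ == "__main__":
    for link in analyze_links(SAMPLE_EMAIL):
        verdict = ", ".join(link["flags"]) or "looks legitimate"
        print(f"{link['href']}\n    text: {link['text']!r}\n    {verdict}")
```

Only the third link, which really goes to the brand's own domain, comes back clean; the other three each trip at least one of the checks the post describes. The "last two labels" domain rule is deliberately simple and would misjudge country-code domains such as `example.co.uk`; a production tool would use the Public Suffix List instead.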


There are many of us out there who know about these scams, and there are a lot more people who have some familiarity with them. There is also a significant number of people out there, certain relatives of mine for example, who have no idea about all this “stuff”. Those are the people who can be tricked by a “copy” of a bank website.


Having your email address lost to “spammers” is not the end of the world. I used to, and still do, create email addresses for the purposes of making purchases online. Sure, send me whatever you want, I’m never going to read it anyway. If you are in a business relationship with a company and communicate with that company via email, it is a completely different situation.


Remember snail mail? An actual paper letter is delivered to your house; amazing concept, I know. There are thousands of people in the United States who after receiving an offer for something that was never going to come true, were tricked into providing some bad guy with something. You think that’s over? Try again… the United States Postal Service Investigators are actively pursuing fraudulent schemes – see the latest ones here.


 “There’s a sucker born every minute” is a quote attributed to P.T. Barnum, but even that fact is in dispute. (see here)

What is not in dispute is that even the most obvious scams will work on a certain percentage of the population and this fact is why this massive data breach should be of major concern to the population.


P.S. Will the new Federal Data Privacy law apply to Epsilon? That answer is not as clear as you may think.

P.P.S. If you really want to know about online crime and current schemes, you have to read Brian Krebs' blog - www.krebsonsecurity.com. He is very knowledgeable and easy to read - plus he has a ridiculous network of "sources". Of course, he's not a local guy, so you'll need to come back here for the local spin.


UPDATE: (thanks to databreaches.net for an updated list of affected companies, WOW!)

  • Kroger
  • JPMorgan Chase
  • Capital One
  • Citi
  • New York & Company
  • US Bank
  • Barclays Bank of Delaware (and Barclay’s L.L. Bean Visa card)
  • Brookstone
  • McKinsey Quarterly
  • TiVo
  • College Board
  • Walgreens
  • Ameriprise
  • Marriott Rewards
  • Ritz-Carlton Rewards
  • Disney Destinations (The Walt Disney Travel Company)
  • Benefit Cosmetics (see below)
  • Home Shoppers Network (HSN)
  • AbeBooks
  • Best Buy
  • Best Buy Canada Reward Zone
  • Robert Half International (copy of email sent to DataBreaches.net by recipient)
  • Borders (reported by Brian Krebs, but haven’t seen confirmation yet)
  • City Market (Kroger)
  • Dillons (Kroger)
  • Food 4 Less (Kroger)
  • Fred Meyer (Kroger)
  • Fry’s (Kroger)
  • Hilton Honors (reported by Brian Krebs, but haven’t seen confirmation yet)
  • Jay C (Kroger)
  • King Soopers (Kroger)
  • QFC (Kroger)
  • Ralphs (Kroger)
  • Smith Brands (Kroger)
  • Verizon (reported by Brian Krebs, but haven’t seen confirmation yet)
  • Visa (Barclays Bank of Delaware)

Federal Data Privacy Law looms

Back in early February, I wrote about the possibility of a Federal Data Privacy Law in 2011.  I know, a genius prediction… There are, by my count, three different data privacy bills being proposed in Congress.


Recently Senator Kerry released his proposed bill and thanks to the good folks over at Hogan Lovells, I was able to read the Senator’s draft. Based on the following facts, I believe that the Senator’s Bill, with some alterations, will likely be the Bill that Congress gets behind.

  • First, the content is clearly the result of negotiation and communication with the private sector. There are significant opportunities for industry self-regulation, and there is no “private right of action” included.
  • Second, this Bill is co-sponsored by Senator John McCain, an influential Republican who based on his 70 years in Congress is likely owed votes by half of Congress.
  • Third, the Obama Administration has indicated its support for this type of law.
  • Fourth, the good Senator used the term “Bill of Rights” in the name, how do you vote against that?


If you would like to read the proposed Bill, I suggest that you read Attorney Christopher Wolf’s blog post and the bill is linked to his site. Attorney Wolf is extremely knowledgeable on these issues and does a great job explaining the Bill.


Just as Attorney Wolf’s blog post does, most of the posts (here, here, here) that I have seen commenting on the bill have talked about what the Bill proposes to do. I am going to focus on what the Bill DOESN’T DO. Why simply copy when you can create, besides they already did a great job.


Senator Kerry’s Bill is called the “Commercial Privacy Bill of Rights Act of 2011” and deals directly with regulating those businesses and industries that collect, or collect and share, data about individuals with or without the person’s knowledge. Most of this activity is done online. So, it seems to me that the Bill is trying to control the snooping being done online in the name of collecting awesome intel for advertisers.


In my old post, I used the term: Federal Data Privacy Law and suggested that a proposed Federal Law may mirror the existing Massachusetts law. The two have absolutely nothing in common. I should probably consider changing the name of this blog to “Massachusetts Data Breach Blog”.


Data Privacy in the Federal sense, according to Senator Kerry's Bill, involves that information about you that is available when you are online and engage in “interstate commerce.” (See below finding #6)


Data Privacy in the Massachusetts sense involves that information about you that anyone has, anywhere. You see, our law transcends the simple “data breach laws” because it makes clear that if you have a person’s information, you must take steps to protect it before you lose it.


In the United States today, there are 46 different State Laws that deal with data breaches. Some are similar and some are very very different. Either way, if you’re a company who does business nationwide, and you have a breach, you’re going to have to deal with all or some of those very different laws. Why are the citizens of the various states treated differently? Some will get detailed information about the breach, some will get generic information and some will get none….


Senator Kerry’s Bill includes “Findings.” These are important pieces of information that tell the world “why” Congress is passing this law (or at least that’s what they're supposed to do). Findings numbered (5) and (6) are the most interesting for my purposes.


(5) To the extent that States regulate the treatment of personally identifiable information, their efforts to address Internet privacy could lead to a patchwork of inconsistent standards and protections.

(6) Existing State, local and Federal laws provide inadequate privacy protection for individuals engaging in and interacting with persons engaged in interstate commerce.


The Senator and his crack team have correctly identified that states passing their own laws on the same topic creates a "patchwork". I give him and his team credit for putting this bill forward before that "patchwork" is created.


What this bill doesn’t do is solve the patchwork problem of data breach laws. I believe that Senator Kerry had an opportunity to do just that. Sure, it would have been more complicated, but better for both business and citizens in the long run.


The bill also doesn’t deal with the possibility that one of the soon-to-be regulated companies loses a person’s information. I have to play this out. Company A is an online retailer; they are subject to the new “Privacy Bill of Rights” law, they give the “opt in” / “opt out” buttons, and they don’t violate the rest of the federal law’s regs… but one day their entire database of “opted in” people is stolen. Oh dear, what now…. What now is Company A's lawyers better start reading those 46 different state laws, cuz there’s no guidance in the new Federal one.


So, in the end, I was dead wrong. Sure, there will be a bill passed at the Federal level with the word “privacy” in it, just not the one I had envisioned. Apparently Congress is going to take the divide and conquer strategy. Divide up data privacy into as many small laws as possible and then leave it to us lawyers to find, memorize and explain them all.