A Survey of Pending Federal Legislation

Good Afternoon,

Tomorrow, November 3, 2011, I will be making a presentation at the Boston Bar Association on the topic of pending Federal legislation in the area of data breach and data security. It is sure to be a historic event as I will predict the future.

OK, maybe not historic, but certainly relevant. In 2007, Massachusetts passed the "Mass Data Privacy Law", followed shortly (ha ha) thereafter by the infamous regulations found at 201 CMR 17 (2010). The pending bills clearly intend to preempt all state laws. What will happen to Massachusetts law? I mean, it just got here... does it have to leave already?

I have chosen six bills that seem to have the best chance of passage this year. Of those six, probably three have a solid chance.

Come see which six are the "chosen ones" and which three have the best chance, and why!!

The United States lacks a comprehensive data privacy / data breach notification law. Even Russia purports to have one. Will it finally happen? Will the United States join the majority of the developed world and enact a nationwide law? Or will Congress bicker and debate for another year?

I have all the answers (maybe), you just have to be in Boston tomorrow at noon to get them...

Boston Bar Association

16 Tremont Street

Boston, MA

12pm - 1pm




The tech world loses a visionary

As we've all heard by now, Steve Jobs has passed away. In the past 25 years or so I have been torn between the Mac world and the PC world... My first computer was an Apple IIe. I can still see it in my mind's eye, although physically I have no idea where it is (or what's on it!). After that it was PC after PC after PC. I can't even recall how many there were.

What is really amazing to me is the massive advances that Apple continuously makes, leaving the PC in the dust. Even I, a diehard PC person, have to admit that Apple's technology is wicked cool. I do have a G5 at home that is pretty cool, I'm just not sure I'm a "mac guy"...

In the '80s and '90s I watched Apple get relegated to the "educational institutions of the world" only to reinvent itself as THE consumer computer company over the last 15 or so years. I know that Steve Jobs made that happen. It's also been fascinating to see how for a while there were "mac" people and "PC" people, just check out the ads about it. The way I see it now, with the iPad and the iPhone, it's gonna be a "Mac" world soon enough. Everything else will simply be a copy of theirs. (anyone remember the story about the first graphical interface? Karma's a bitch, Bill)

Rest in peace Steve.


PS - I am disgusted but not surprised that within hours of his passing, idiot advertising/affiliate/marketing/scammers started doing their thing. They set up "stevejobsfuneral[dot]com" which has no legitimate purpose. Check out the story over at Threatpost...


What happens twice a day, every day for 20 months? Give up? Some company somewhere loses your personal information.

On Tuesday, September 20, 2011, the Massachusetts Attorney General announced that the personal information of two million Massachusetts residents was subject to a data breach in one form or another. That's one out of every three residents here...

Almost every media outlet in Massachusetts has put something out about the announcement. Here are a few:

Boston Globe

Boston Herald

Although I haven't seen any press release from the AG, the Boston Herald did report a breakdown of the numbers, some of which I will recap here:

1,166 data breaches were apparently reported during a 20 month span starting in January of 2010. Mathematically, that works out to about 58 a month, or 2 a day.

25% were a result of intentional hacking (287), so YES, it's happening in Massachusetts.

16 of the breaches involved over 10,000 people's info, but the majority, 961, involved fewer than 100 people's info, and 351 of that number involved only one person's information.


This was a very public announcement and the Attorney General herself says that "they're going to stay on top of it." I am glad to hear that for a couple of reasons.

One is because the whole culture of computer storage of information needs a wake-up call. Does anyone remember the 3.5-inch floppy disks? Do you remember how many you used to have? Do you know where any, and I mean any, of them are today? Do you remember what was on them?

I used to have boxes of them, have no idea what was on them, and have no idea where they are today... Of course, I probably didn't have spreadsheets of people's social security numbers, but someone did.

Everyone who collects personal information needs to remember that it's just that: PERSONAL. It's personal to someone, a real person. Those who have it need to be responsible with it.


Another reason is simply because I am in the business of helping companies protect personal information. I help them conduct risk assessments, draft company policies and conduct training to reinforce the concept of security. My informal research has shown that many of you out there are still not taking this seriously.

If you are reading this and are wondering if your company has a "data security program" (officially called a WISP or Written Information Security Program in Massachusetts), you should consider this announcement by the Attorney General a wake-up call. Think that your company will not be subject to a data breach because they are so rare...? It's happening twice a day, every day. How long do you think it will take to get to you?

Do yourself and your company a favor...give me a call (617.951.2929). It's not often you get to call an attorney for free... I can assure you, if the Attorney General calls you, it won't be free.


We were informed about the 2 MILLION that were reported... How many do you think went either unreported or unnoticed by companies?




Michaels' Data Breach Hits Massachusetts

If you have shopped at this store recently, you should read this blog post and all the available press releases issued by Michaels.

May 4th press release

May 10th press release


According to the company's May 10th press release, Michaels stores located in Burlington, Braintree, Everett and Danvers have had their machines compromised. They are saying that their "PIN pads" have been "tampered with".


Bank of America has reached out to some customers and informed them that they are replacing their cards. According to the Chicago Tribune, 2 "staffers" at the LA Times were contacted by Bank of America and asked to call them at an "800" number. When they called, they were allegedly told by the B of A representative that their "card was part of a mass compromise". A Bank of America spokesperson is now saying that the rep on the phone is "mistaken" about the "mass compromise" and has offered no further comment.


The news of problems with Michaels credit/debit card PIN pad machines was first disclosed by them on May 4, but appeared at that time to have been limited to the Chicago area. It is now being reported that at least 90 individual PIN pad machines have been "tampered with" in 20 states.

Michaels last listed 80 different stores in 20 states where they have confirmed that the machines have been tampered with.

Brian Krebs over at his blog, KrebsOnSecurity.com, reported yesterday that a named police officer told him that withdrawals from the compromised accounts are taking place in Las Vegas and other West Coast locations, and exceed a million dollars. The withdrawals are in the $500 range and are made at ATMs. That means that the bad guys are making new cards with the stolen information, and are probably frustrated by the $500 per day limit on the accounts.

Please allow me to put this in context... The machines involved here may look like the ones pictured here:

[Images from the original post: three photographs of countertop PIN pad terminals]

I don't know the exact type that Michaels uses (happy about that right now), but what I do know is that if the device was physically tampered with then the bad guys either have a very very fast car or there are a whole lot of them. 20 states? 80 different locations?


What may come out is that the bad guys actually swapped out the real machine with a fake one. The fake one has been redesigned to copy all the credit card/debit card and PIN information being transmitted on the machine. In the old days the bad guys had to come back for the machines. I am aware of certain technology that now allows the information to be transmitted from the compromised device to the bad guys' location "wirelessly." Usually they have to be somewhat nearby, say 1000 feet or so. For this one, I have no idea how the scam works.


The scope of this thing is scary. How long would it take to visit the 80 stores in 20 states? Just for fun, I used Google Maps... I put in 2 locations that I know are connected by one highway: Kirkland, WA and Braintree, MA - the highway is Interstate 90 and the distance is 3,086 miles. They say you can drive it in about 2 days and 2 hours; guess Google doesn't sleep.


Seriously, either there are a lot of bad guys in on this operation or the data has been available to the bad guys for a long time at some locations. Unraveling this will take a significant amount of time; thankfully the United States Secret Service has been alerted and is likely running the show now. This is in their wheelhouse. Hopefully when it's all over the USSS will tell us the whole story. Ya right.


This is the nightmare scenario for Michaels. I hope they had a "data breach scenario binder ready." They have to:

1) stop the bleeding, end the breach

2) figure out which numbers were swiped

3) notify VISA, MasterCard, American Express, Discover, Bank of America, Bank of -------, Fred's Credit Union, you get the picture (remember, 20 states, 80 locations)

4) read the applicable statute in the 20 states and make the associated notifications

5) contact their insurers, who are circling their wagons

6) hire a public relations firm

7) call Sony, Epsilon, RSA, TJX, Heartland for advice

8) contact their lawyers - fellas, over here in Boston I know a guy who knows this stuff


As this whole thing gets unraveled, I will see what Michaels' obligations may be under Massachusetts Data Privacy Law, and let you know my results. I will then have to figure out a way to put up a "pay wall" for members of Michaels legal team who will certainly try to read it...



Sony Data Breach, part deux: tu as cassé ma confiance (you lost my trust)

Sony has a new problem: a recently disclosed second data breach. A Part Deux, if you will.

It's not actually part two because it happened at either the same time or just before the "other" one. Of course, we're just hearing about it now... That seems to be their method.


24.6 MILLION (with an M) people's information stolen... That brings the total from the Sony breach to over 100 million people's information. That's a third of the country. I sincerely hope that there is some overlap between PSN (PlayStation Network) and SOE (Sony Online Entertainment). OK, I know, of the 77 million in the original breach or "OB" only 36 million were US citizens. Of the next 24.6 million in the new breach or "NB" we don't know yet how many were US citizens. We do know that 12,700 credit card numbers, debit card numbers, and financial account numbers from the NB belonged to non-US citizens in places like Germany, Spain, Austria and the Netherlands. (Good luck in Germany, Sony, their data breach laws are b-brutal)

I have a new question for Sony: Do you have any other online gaming systems?


Just curious. 


100 million... that's a big number... and I got to thinking about my Kindle. How many Kindles are out there? This gentleman suggests over 5 million heading into 2011. Remember way back when it was cold and snowy I told you about my Kindle? I got it from Amazon and during the "setup" I had to give them a credit card number. I wonder how that number is doing today? Is it warm and fuzzy all wrapped up in unbreakable encryption? Or is it getting chilly sitting on a server in plaintext just waiting for a visit? I really don't know. Am I entitled to know? Can I call up Amazon and ask them about their security apparatus?

I spent a lot of time reading their "Privacy, Security and Accessibility" webpage.

In relevant part, at least as relevant a part that I could find:

How Secure Is Information About Me?

  • We work to protect the security of your information during transmission by using Secure Sockets Layer (SSL) software, which encrypts information you input.
  • We reveal only the last four digits of your credit card numbers when confirming an order. Of course, we transmit the entire credit card number to the appropriate credit card company during order processing.
  • It is important for you to protect against unauthorized access to your password and to your computer. Be sure to sign off when finished using a shared computer. Click here for more information on how to sign off.

I can read those words, but what do they actually say? Oh, wait, this is for those people using Amazon's website... but what about me? A Kindle user...


    Found it: "Managing your Kindle on Amazon.com"


    Doesn't help me, lots of information, but nothing about credit cards... except this: they say that they use something trademarked as "1-Click" to make the credit card purchases.

    Is it ok to access free unsecured wifi on the MBTA commuter rail and make a wireless purchase via my Kindle and my credit card? Can someone on the train intercept my data? Is it "encrypted" during that process? Maybe the Kindle doesn't transmit any data via wifi, just my "request" for a new purchase. The rest of the transaction happens at Amazon.com. OK, that's just a guess, but a logical one. What about their servers? Can someone get my credit card number from them? Are they encrypted in a "separate table" like Sony's... Can someone "hack" my Kindle and then "get on their servers" and then "get my data"?


    I don't know the answers to those questions, nor does Amazon's website help me answer those questions, and you know what? I'm ok with that. I don't need Amazon's security protocol out in the public domain for every Tom, Dick and script kiddie to read.


    I just need to TRUST them, and you'd like to think that we can TRUST them. Incidents like these at Sony, where 100 million people's information is taken, are shaking that TRUST, now aren't they?




    Did Sony lose credit card data or not?

    Why can't we get a straight answer to a simple question?




    Every day you don't answer that question creates a real probability of fraud being perpetrated on the banks.


    First it was, "no evidence to suggest" that the credit card data had been stolen.

    Then it was, "the credit card table was encrypted, but we still don't think it was taken."

    Now there are stories all over the Internet that are saying that hackers have 2.2 million credit card numbers WITH their associated CVV (that little 3-digit number on the back that you need sometimes).

    Your author got an email from a person who said they were a Sony PS3 user and they told me that their credit card was fraudulently used shortly after the date of the breach.



    Ordinarily I provide links to the stories that either support my facts, or are the source of information. There are far too many today, and I can't tell which ones are accurate or which ones are merely repeating the information from a different source. If you want to read about the alleged "Hackers" just go to "google news" and you'll see that some 5,000 stories are floating around. Let me sum them up for you:

    Someone supposedly was on a "chat forum" where hackers tend to "chat". Apparently one of the hackers was claiming they had the credit card data, 2.2 million card numbers, and were offering it for $100,000.00 - they even allegedly offered "the list" back to Sony for the same price, but were turned down. (Sony denies this happened)

    Now there are also stories about fraudulent charges showing up on credit cards that are owned by PlayStation users. The source of these stories seems to be "gaming forum" websites where video game players "chat". I guess a few people have been "chatting" and "Tweeting" that their credit card had been used to buy various things fraudulently. One of the strange stories is that the fraudulent charges have been in Japan, Germany and the United States. And I must note that the charges seem to involve a physical presentment of a card.


    Here's my take:

    I can't see why the alleged hackers would discuss the matter publicly. From a law enforcement standpoint, if you "chat" online, I will likely find you in a matter of hours.

    There are generally two kinds of thieves in a situation like this... ones who use the credit card info and ones who sell it. So far the rumors out there have both events happening.

    Sure, credit card data is easily moved around. The data could certainly fly from California to Romania to Japan to Germany, etc. But to have fraudulent transactions conducted in various countries around the world with a very short time frame is highly unlikely. This is especially true because the "victims" are claiming that cash withdrawals happened, groceries in Germany were purchased, and "something" was bought at a "store" in Japan. Simply unlikely.


    I don't know if the credit card data was stolen or not. I will take Sony at their word that it was stored in an encrypted table. I don't know if the "key" for that encryption was stolen along with everything else. And finally, I don't know for sure if any or none of the stories about hacking and credit card fraud are true.


    What I do know is that Sony had credit card data and with that data you can identify the banks involved. (Remember, it's not actually stolen in the physical sense, it's copied - meaning Sony still has the credit card numbers.) If Sony would reach out to the banks involved, which they should have already done, the banks could flag those accounts. The banks may then issue new cards to the affected card holders. New cards ain't free ladies and gents, so don't count on that happening, not just yet.

    But, I have a solution:


    Cross reference the banks involved with the PS3 users. At some point the coincidence theory fails and the truth emerges.


    Fraudulent charges happen every day. With 77 million people's info involved, and an unknown number of credit card numbers involved, the truth cannot be discerned from the "victim" reports. They could be coincidence or lies. I take $600 out of my account and then claim I was a victim... not too difficult, is it?


    I return to my original question: Were the credit card numbers taken or not? Every day of delay in answering that is potentially costing the banks real dollars in fake fraudulent claims.



    Does Sony have a WISP? They seem to have had a breach!!

    Late last week a small story broke that said Sony's PlayStation Network was offline and would be out for a day or two. Today the reports are getting more ominous. Various media outlets are now reporting that credit card data may be involved.

    This small story is about to go big time based on the 75 MILLION networked users (according to Fox), who lost the ability to play their games online;  it meant days of playing video games by, egad, yourself!! And the little fact that the reason they're offline is due to a hacking incident, oh yeah, and Sony may have some credit card information on their users.

    (ABC, CBS, WSJ and others are currently covering the news as well)


    Sony's Playstation allows you to play a video game against other users via the Internet.  It also allows you to shop in their "store" online and buy new games.  It also, apparently, allows you to keep a credit card on file to make those, likely to be impulsive, purchases.

    If you're not a "playa" I want you to know that this is big business.  Online video gamesmanship is a big deal.  A real big deal. As of March 31, 2011, they sold 50 million Playstation machines (read release here- pdf) That's just the console, how about the games? Plus the bragging rights you get to wield in school the next day are very powerful.


    Out of the 75 million users of Sony's Playstation Network, how many are from Massachusetts?  And how many of those Massachusetts residents have their credit card numbers on file?  And what other information does the user have to provide in order to get "hooked up online"?


    If even ONE of Sony's Playstation Network users is from Massachusetts, and Sony has their credit card info, they are required to have a WISP.  A Written Information Security Program that lays out all the little details of how Sony keeps your information private and protected.


    If it turns out that even ONE of Sony's PlayStation Network users is from Massachusetts and their information was obtained by hackers, or otherwise "Breached," there shall be notifications made to the affected resident and the Attorney General. In fact, the Massachusetts Attorney General is entitled to be informed:

    1. How the breach happened
    2. What remedial steps the company has taken to prevent future incidents
    3. How many Massachusetts residents were affected


    I know what the words of the law say. I know what Sony's obligations under the law may be, both pre and post breach.

    If this turns out to be an actual data breach, will Sony get the same treatment as the Briar Group did?


    Do stay tuned.... this may get real interesting...



    Does the Massachusetts Data Privacy Law apply to Banks, Hospitals and other federally regulated entities?



    The regulations (201 CMR 17) say a definite YES.

    The law (MGL 93H) seems to say otherwise…


    Read on, my friends:


     Section 5 of the Massachusetts Data Privacy Law states:

    MGL 93H Section 5.

    “This chapter does not relieve a person or agency from the duty to comply with requirements of any applicable general or special law or federal law regarding the protection and privacy of personal information; provided however, a person who maintains procedures for responding to a breach of security pursuant to federal laws, rules, regulations, guidance, or guidelines, is deemed to be in compliance with this chapter if the person notifies affected Massachusetts residents in accordance with the maintained or required procedures when a breach occurs; provided further that the person also notifies the attorney general and the director of the office of consumer affairs and business regulation of the breach as soon as practicable and without unreasonable delay following the breach. The notice to be provided to the attorney general and the director of the office of consumer affairs and business regulation shall consist of, but not be limited to, any steps the person or agency has taken or plans to take relating to the breach pursuant to the applicable federal law, rule, regulation, guidance or guidelines; provided further that if said person or agency does not comply with applicable federal laws, rules, regulations, guidance or guidelines, then it shall be subject to the provisions of this chapter.”



    Let’s break this down: “this chapter does not relieve a person…from the duty to comply with…[other] law[s]…” That makes sense, lawmakers didn’t want to make a law that allows someone to be immune from other laws. Okay, so the MA Data Privacy law requirements do not forgive other obligations – got it.


    Then we see the infamous intro: “provided however.” In law school the “provided however” essentially meant that whatever you were reading was about to take a sharp left …oh dear… watch out, we’re turning….


    … “provided however, a person who maintains procedures for responding to a breach of security pursuant to federal laws, rules, regulations, guidance, or guidelines, is deemed to be in compliance with this chapter IF…”


    OK, the legislature has now identified a group (those subject to federal laws) and is granting them “compliance”… IF – if what?


    … “IF, the person notifies affected Massachusetts residents in accordance with the maintained or required procedures when a breach occurs; provided further…”


    So, if I am an entity that is subject to a federal law and comply with that law I am deemed in compliance with the Massachusetts law if I notify the affected Massachusetts residents when a breach occurs. Check, can do. But we see that pesky “provided further” and our sharp left continues…


    … “provided further that the person also notifies the attorney general and the director of the office of consumer affairs and business regulation of the breach as soon as practicable and without unreasonable delay following the breach.”


    Seems simple enough, I have rules and regulations promulgated by the Feds that I have to follow if I suffer a loss of data, a breach; in order to satisfy the Massachusetts law I simply have to be in compliance with the Federal law and then make sure to notify the Massachusetts residents and also the MA Attorney General and the Office of Consumer Affairs.



    And just to add one more twist to our journey, the good legislature uses “provided further” one more time:


    … “provided further that if said person or agency does not comply with applicable federal laws, rules, regulations, guidance or guidelines, then it shall be subject to the provisions of this chapter.”


    So, if I ignore the federal laws, I must follow this law – sound right?


    Is the inverse true? If I follow my federal laws, do I have to follow this one? The language of the statute seems to suggest that if you follow your federal laws, and make sure that you notify the correct people, you’re all set, or “deemed to be in compliance.”


    Let’s see what the legislators said during their debate of the bill: (from the legislative history)


    May 9, 2007 ----- RODRIGUES AMENDMENT: Rep. Rodrigues offered another amendment.

    Rep. Rodrigues said, this amendment specifically addresses those industries governed by federal statute and regulation. There are a couple that we know are custodians of much personal information and abide by very strong federal regulations in order to protect that information. This amendment would not exempt them from the requirements of notification, but if they are in compliance with federal law relative to notification, and all of the entities are notified that are required to be notified, they will be in compliance with this bill.

    The House adopted the amendment on voice vote.


    Seems very clear, doesn’t it?



    I am a hospital that is subject to HIPAA regulations. Those regulations have strict rules regarding “personal health information” and those rules specifically address what to do if you suffer a data breach. This seems to be exactly what the legislators were talking about when they voted for the “Rodrigues Amendment” and wrote section five, right?


    Allow me to refer you to the Massachusetts Office of Consumer Affairs and Business Regulations (“OCABR”) website, specifically the “FAQ’s” or “frequently asked questions” section:(pdf)


    I already comply with HIPAA. Must I comply with 201 CMR 17.00 as well? Yes. If you own or license personal information about a resident of the Commonwealth, you must comply with 201 CMR 17.00, even if you already comply with HIPAA.



    I want to be absolutely clear: the regulations in the code (201 CMR 17) are comprehensive and require significant effort to follow. The law, MGL 93H, says there must be regs, the OCABR created the regs. The regs require companies to have written policies, encryption technology, locking file cabinets, etc. It's not a short list.


    The law also has this “exception” built into it, doesn’t it?


    Why does the OCABR believe that a HIPAA compliant business must comply with their regs?




     I have researched the possible legal outcomes of this, so stay tuned for the conclusion.





    Massachusetts Attorney General v. Briar Group, LLC - Data Breach Settlement - the details

    Yesterday news broke (thanks to Jenn Abelson of the Boston Globe) that the Massachusetts Attorney General had come to an agreement with Briar Group, LLC regarding a data breach that dates back to 2009. I wrote on the topic and continued to investigate....


    A little research by your author turned up some interesting facts:

    One, the complaint was filed by the Attorney General in Suffolk Superior Court the same day as the announced settlement.

    Two, the facts alleged in the complaint are a lot more scary than what was relayed in the press release.


    Apparently the Attorney General was contacted by the Briar Group on November 25, 2009 and was informed by Briar that they had suffered a data breach. In fact, on November 25, 2009 the breach was STILL ONGOING. It wasn't until December 10, 2009 that the "malcode" was removed, thus ending the known breach.

    Some significant highlights of the complaint filed in court:

    • The breach involved "over 53,000 MasterCard accounts and over 72,000 VISA accounts."
    • Six of Briar's twelve locations were affected (Ned Devine's, The Lenox, The Harp, MJ O'Connor's Back Bay, MJ O'Connor's Waterfront, and The Green Briar).
    • The breach was discovered by a payment card processor in EUROPE on October 15, 2009.
    • The initial breach occurred at Ned Devine's in Faneuil Hall.
    • Briar was informed of the breach on or about October 29, 2009.
    • The president of Briar wrote an e-mail on November 5, 2009 stating that he wanted "to do the right thing" but did not want to "pay for an investigation that they could somehow avoid."
    • Briar hired Verizon Business Network Services only after being required by VISA to do so.
    • Verizon Business Network Services started work on Nov 15, 2009 - and established that the "malcode" was installed on April 24, 2009 and the "malcode" was gathering the "account number, cardholder name, expiration date and secure code"
    • Briar continued to accept credit cards the whole time.
    • The "malcode" was removed on December 10, 2009.
    • Briar had not changed passwords in over 5 years.
    • Briar had outsourced its IT work to Bromley Engineering.
      • "Peter Bromley... of Bromley Engineering noted in a December 2, 2009 e-mail to Briar that Briar's security "problems came up years ago when I first returned to Briar and saw the blatant lack of [] even basic security on the Micros servers." A second e-mail on March 25, 2010: "Probably the most egregious practice had been that all the Micros servers with which I have had contact used the same administrator and password - even at different restaurants."
    • The compromised accounts were used in Arizona, California, Nevada, Texas, the United Kingdom, Italy, India and Saudi Arabia.
    • More than 125,000 consumers were harmed by Briar's conduct.


    I have a copy of the Complaint (AG v Briar.pdf) and the Final Judgment (Final Judgment.pdf) for your review.


    Did you visit one of these restaurants between April 24, 2009 and December 10, 2009? Did you pay by credit or debit card? Are you in the "know" or in the "dark"? Have you heard from The Briar Group, LLC? From the Attorney General? If so, I'd like to hear about it, unless you have been sworn to secrecy.


    So, we find out yesterday, March 28, 2011, some 25 months after the incident really happened and some 16 months after the known breach had been contained.

    [** A release by the New York Consumer Protection Board called the "Data Breach Report for the period of March 2010" lists that on 3/11/2010 The Green Briar, City Bar Solas, Ned Devine's Paris, The Harp, and MJ O'Connor's reported having suffered a "Hacking" affecting a total of 25 New York residents. So either there's a twin in NYC, or this is Briar]


    What breaches are currently ongoing that we won't find out about for 2 more years???


    It appears to me that the Attorney General did a thorough and complete job investigating the breach and it's likely that the delay in filing a complaint or going public was due to an ongoing criminal investigation which I hope was successful.


    The errors that Briar Group made are easily remedied IF a company takes security seriously. Their computer network setup had nothing in the way of real security, heck, they even had an unprotected WIFI network with access to their main system. Seriously? Unprotected WIFI?


    The Attorney General did NOT bring this action under MGL 93H, the "data breach law" now in force; it was brought under MGL 93A, the consumer protection statute. The date of the breach pre-dated the effective date of 93H, so this is NOT the FIRST enforcement action under 93H / 201CMR17, even though it IS a serious breach and the details of the complaint show a complete disregard for the security of consumer information.



    If you are a restaurant group or a single proprietor, or a retail business or any business owner or decision maker who hasn't really thought about securing your information, please reconsider.

    Although $110,000.00 sounds like a lot of money, the fine could have, and based on what I read, should have been, much higher. The damage to the Briar Group's reputation is an intangible... will I go to their locations, probably... I don't know. How about 5 years from now when no one's watching them anymore? If I do, I'll definitely use cash.

    Taking credit cards when you know you have a problem is really disturbing and I hope that $110,000.00 sends enough of a message, because it equates to roughly 88 cents per affected person. Not exactly a stinging fine now, is it?




    Major Boston Restaurant Group, The Briar Group, LLC - Data Breach Settlement

    Today, the Massachusetts Attorney General issued a press release stating that they had reached a settlement with The Briar Group, LLC which owns and operates several restaurants and bars in Boston including: The Harp, The Green Briar, Ned Devine's, MJ O'Connor's, Solas and more.


    I would be surprised if a Bostonian hasn't been to at least one of their locations.


    Apparently, the Briar Group's computer system was somehow compromised by the installation of what the Attorney General called "malcode". This "malcode" was apparently installed on their computer system in April of 2009 and remained on their system until December of 2009.

    During this nine month period, the "malcode" allowed hackers access to customers' credit and debit card information including names and account numbers.


    According to the AG, the Briar Group has agreed to pay $110,000.00 in a civil penalty and agreed to:

    • be in compliance with the Massachusetts Data security regulations;
    • be in compliance with the Payment Card Industry Data Security Standards;
    • "establishment and maintenance of an enhanced computer network security system";
    • develop a security password management system; and
    • implementation, maintenance and adherence to a Written Information Security Program. (WISP)

    The Attorney General points out that the "data breach occurred prior to the effective date..." of 93H / 201CMR17 (the Massachusetts Data Law with the stinging penalties) but the data security standards laid out in the law and the regulations were used in the settlement.


    This is all "hot off the presses", but I have some concerns... This company has, according to their website, 12 venues. That is 12 locations taking credit cards. From my old days (10 years) bartending for competing restaurant "groups" in Boston, I can tell you that the number of credit card transactions processed across 12 locations during a nine-month period is PROFOUND!

    To drive home the point: let's just say 100 per day per location which is likely way too low. The total is then over 300,000 transactions. (12 locations times 100 times approximately 250 days)

    Now, I don't know if this breach affected all 12 locations, nor do I know if each and every transaction was susceptible to the "malcode", but I do know that the retail industry, and in particular, the hospitality industry, is, and has been, ripe for this type of breach.


    Do we know the extent of this breach? Do the people whose cards were exposed already know? How many banks were forced to reissue cards because of this? Will anyone be held criminally responsible, or does this just end up a dead end in Romania... 


    I commend the Attorney General, and AAG Scott Schafer, for making this news public and for also taking the time and effort to hold this company accountable. Perhaps other restaurant groups out there will have a hard look at their systems so that another nine month long data breach doesn't expose half a million people's credit cards to the hackers.


    I think I will use cash tonight.


    RSA data breach revealed March 17, 2011

    So, it was St. Patrick's Day and I was in sunny Florida enjoying a round of golf with family when my phone buzzed with a "data breach" story... I thought about blogging... but like golfing more.

    On Thursday March 17th, RSA, a division of EMC Corp, announced to the world (my world) that their computer system had been breached. EMC Corp. is a Massachusetts Corporation and the Boston Globe followed up with an article by Hiawatha Bray stating that the company had not filed a report with the Massachusetts Attorney General under our data breach law.

    Many other media outlets have run stories on this breach but none have been able to say just what happened, what was taken, or who did it. (at least none of the 100 or so that I reviewed)

    When investigating a crime, one of the key focus points is usually motive. "Why" did the bad guy do such and such. Financial gain is common, as is revenge. Establishing a motive can help investigators narrow their search for suspects and evidence. Of course getting the motive wrong can be a real problem. The best investigators let the evidence lead them to the suspect and then establish a motive to bring the whole thing together.

    So, I asked myself the question: why would someone breach RSA's computer system? This company is a serious security outfit and the bad guys apparently pulled out all the stops by using what the company said was an "advanced persistent threat", which apparently in layman's terms means "they did everything they could to get in".

    OK, so someone used a lot of time and energy to breach a major security company's computer system but why?

    For those who don't know, a common application of RSA's security business, SecurID, is that they provide these little "tokens" that have a small screen with numbers on them. The numbers are constantly changing. If you have one that probably means you have access to some significant, sensitive information. I knew a doctor who carried one so he could log in to his hospital's computer system to review patients' records and make changes, etc. I read that our government is also a customer. The customer uses a computer to go to the place where the information is, they then enter a memorized password and then enter the number that is currently showing on the "token". The system being accessed holds its own copy of the secret "seed" programmed into that token and keeps the same clock, so it can compute the number the token should be showing right now, compare it with what was typed, and allow access if the number matches.
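    The token/server exchange just described, as an added example that is not part of the original post and is not RSA's own code: SecurID uses RSA's proprietary algorithm, so this shows the open time-based scheme of RFC 6238 (HMAC over the current 30-second slot), which works the same way in principle. The seed is the RFC test secret, constructed for the demo, not a real token seed; the function names are mine.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo seed, NOT a real token seed: this is the well-known
# RFC 4226 / RFC 6238 test secret, so the codes match the published vectors.
DEMO_SEED = b"12345678901234567890"
STEP = 30       # seconds each code stays valid (the "constantly changing" interval)
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    chunk = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(chunk % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """What the token's screen shows: HOTP over the current time slot (RFC 6238)."""
    return hotp(seed, at // step, digits)


def verify(seed: bytes, candidate: str, at: int, skew: int = 1,
           step: int = STEP, digits: int = DIGITS) -> bool:
    """Server-side check. The server holds its own copy of the seed, recomputes
    the code it expects and compares. +/- `skew` slots tolerate clock drift
    between token and server. compare_digest keeps the comparison constant-time
    so response timing does not leak how many digits matched."""
    slot = at // step
    for d in range(-skew, skew + 1):
        if slot + d < 0:                      # no negative counters (struct.pack would fail)
            continue
        expected = hotp(seed, slot + d, digits).encode()
        if hmac.compare_digest(expected, candidate.encode()):
            return True
    return False


def stolen_seed_logs_in(server_seed: bytes, stolen_seed: bytes, at: int) -> bool:
    """The worry behind the theories above: whoever holds a copy of the seed can
    produce exactly the code the server expects, without ever touching the token."""
    return verify(server_seed, totp(stolen_seed, at), at)


if __name__ == "__main__":
    now = int(time.time())
    print("token shows:", totp(DEMO_SEED, now))
    print("server accepts it:", verify(DEMO_SEED, totp(DEMO_SEED, now), now))
    print("seed copy also accepted:", stolen_seed_logs_in(DEMO_SEED, bytes(DEMO_SEED), now))
```

    The memorized password is the second factor and is checked separately; note that a stolen seed defeats the token factor completely, which is why a verifier should also rate-limit attempts and alert on a code being replayed within the same slot.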

    Back to the question at hand, why... I have a few theories:

    1. Conspiracy. Whoever did this never intended to take anything, they just wanted to put the world on notice that even the largest security outfits are not safe, causing the government to over legislate by passing a quick "overregulating" law thus giving other security companies tons of business and tons of money.
    2. Foreign Government Action. Maybe the Chinese were just curious how the whole thing works and instead of creating one, they steal this one, reverse engineer it and now have their own version. Hey, just ask Google about that possibility.
    3. Corporate Espionage. If I was a major corporation, and I mean a world power corporation, and I needed to get inside a competitor's network who happens to use RSA's SecurID, wouldn't this be a great way to do that? If you were able to use real log in credentials to access a competitor's network, that network would have no defenses, none.
    4. Criminal Organization. Even I think that this one is over their head. Sure, there are some smart criminals, but hacking into RSA? Really? I'd call that a stretch, but I have to include it until I eliminate it. (see generally Sherlock Holmes: "eliminate the impossible, and whatever remains, however implausible, must be the truth")
    5. It never happened. Remember when Coke changed their formula, only to change it right back? It was a boon for their business. Everyone tried the new one and then wished for the old one and went right out and bought it again. Maybe RSA can re-invent themselves and their product to prove to the world that they are NOW the best and strongest security since they improved on an arguably solid product. - No, I don't like this theory either.


    The problem with my theories is that they are based on no evidence, zero. That is no way to run an investigation. Our Attorney General apparently has no information either. This is an interesting question though... If what was taken was NOT PII (Personally Identifiable Information) but certain codes that in turn may give the holder access to information that IS PII... what is their responsibility, meaning RSA's responsibility? Are they required to tell the AG anything? I can't even suggest an answer without more evidence.

    I wonder if RSA has a WISP? Probably the mother of all WISPs if you ask me... but I digress.

    I guess we will have to stay tuned and see if EMC Corp, a Massachusetts Corporation, feels like telling someone, anyone, what happened. In the meantime I will keep working on my "theories".

    Does Amazon have a WISP?

    So, I finally did it. I got myself an Amazon Kindle e-reader. What a fabulous little device. Reading on the train has never been easier. I don't have to carry a 500 page book and try to manipulate it with one hand anymore. I can simply hold the little reader with one hand and turn the pages with a simple push of a well placed button.

    What does my Kindle have to do with Data Privacy you ask?

    When I initially set up my Kindle, it asked me to "register" it. Fair enough, there are usually benefits to registering your product, software updates and such. During my registration I was asked a very interesting question... what is your credit card number? Hmmm, I guess that makes sense since I will be purchasing books from Amazon (and only Amazon I found out), so I will need to pay for those books.

    Presumably Amazon will be keeping my credit card number, otherwise why ask for it now? How about asking for it only when I buy a book... nope, they asked for it right out of the gate. Now Amazon has my name, my address, my credit card number... sounds to me like they have the Personal Information of a Massachusetts resident. I looked up my account and sure enough, there's my number... only the last four digits are visible to me, but what about them?

    Since they have this information they are required by law to have a Written Information Security Program, aren't they? I would like to see their policy, so I went to Amazon.com and looked around. I found their privacy policy. There is really no mention of my credit card information but there is mention of the fact that some "affiliates" of Amazon may have access to my information. The privacy policy clearly lays out the fact that Amazon uses third parties to process credit card payments. Ok, fair enough, but I have a few questions:

    1. Where is my credit card number kept?
    2. Who has access to it?
    3. Have you read your agreement with VISA and MasterCard?
    4. How many times have you been cyber attacked and have you ever lost a credit card number?

    I know that there are workarounds to the credit card issue. For example, get an Amazon gift card and load it with funds from... wait, a credit card... do they still keep it if I do it that way?

    But wait, Amazon may have a plan; there is a little paragraph in the MA Law, section 5 which says in part (MGL 93H sec 5):

     "...a person who maintains procedures for responding to a breach of security pursuant to federal laws, rules, regulations, guidance, or guidelines, is deemed to be in compliance with this chapter if the person notifies affected Massachusetts residents..."

    What federal law is Amazon subject to? And does that mean that our consumer protection law is trumped? I am not getting the warm fuzzy here.

    Amazon claims to adhere to "safe harbor" provisions set up by the FTC. I read that website, quickly I will admit. It appears to me that this provision has something to do with Amazon attempting to comply with Swiss law... and I care why? Safe Harbor sounded so comforting until I realized that the "harbor" is in the Alps!!!

    All I know is that Amazon is in possession of a Massachusetts resident's Personal Information and is required by law to have a WISP and I want to know if they have one, and if not, I want to know why.

    Thank you, Mr. Gov't, for the sample WISP

    The Massachusetts Office of Consumer Affairs put together a sample (PDF) written information security program or WISP. I have read it probably 75 times...  It must be incredibly difficult to produce a policy document for a fictional company created completely in the abstract. In fact, it is. The document created by the MA OCA is a guideline and not YOUR company's policy.

    The Written Information Security Program must apply to your company, your company's business processes and your company's procedure for dealing with that Personal Information that your company possesses. The "sample" may provide some guidance, but you need to customize it to your company's procedures.

    So, what happens when you try to adapt the "sample" to your company?

    The biggest mistake I have seen is the "copy/paste" job. In the sample there is a line under the "Internal Risks" section that suggests that terminated employees shall "be required to surrender all keys, IDs or access codes or badges or business cards and the like..." (page 4, second bullet point) There are companies who have that exact language in their WISP, yet they have no badges, IDs or business cards.

    Or how about the prohibition on employees keeping Personal Information on their desk when they're not there. (page 4, bullet 7) When you cross reference that one with the one that requires all Personal Information to be "locked up" (bullet 9) - wow, going to the bathroom during work is going to have to be planned well in advance, now isn't it?

    If a business takes the position that "hey, I'll copy Mr. Gov't's sample WISP and if something happens, I'll just tell them that I did exactly what you asked...look, my policy looks just like yours!!!" - then they are taking a very significant risk.

    Basing your company policy regarding "Personal Information" as required by Massachusetts law on the Gov't's sample policy document makes sense, but merely putting your company logo at the top of a copy/paste job is not compliance and doesn't make sense.

    Let me just break that document down a bit: Objective: comply with law. Purpose: comply with law. Scope: somehow related to compliance with the law. Internal risk assessment: what? External risk assessment: (see internal risk assessment answer)

    Ladies and Gentlemen, the Government passed a law that requires compliance in the form of a written policy. My suggestion: Hire a lawyer. Hire a lawyer who knows about the data privacy law, about risk assessment and about the different ways that  your data can be compromised. (yes, that is a small plug for my services....)

    I thank the gov't for giving me, a lawyer, a cheat sheet on what they are looking for in terms of compliance, but I cannot credit them with creating a workable template for businesses because they didn't.

    Next up for review: the WISP "checklist" (PDF) by the same authors...