Defending The Digital Workplace


Posts Tagged ‘data breach’

Revisions to FTC’s Red Flags Rule Exempt Lawyers, Doctors, and Accountants

The Federal Trade Commission’s (FTC) Red Flags Rule has been revised to exclude certain professionals prior to the latest enforcement deadline of December 31, 2010. Specifically, on December 18, 2010, President Obama signed into law the Red Flag Program Clarification Act of 2010 (Clarification Act), which clarifies the scope of the FTC’s Red Flags Rule. Under the amendment, professionals such as doctors, lawyers, and accountants are excluded from the Red Flags Rule. For a full copy of the Act, click here.

The Red Flags Rule was enacted to protect consumers from identity theft by requiring “creditors” covered under the Rule to establish written policies and procedures to identify risks of identity theft to their customers. Under the plain language of the Red Flags Rule, a business becomes a “creditor” when it provides products or services in advance and requires payment from the customer at a later time. Further, under prior FTC interpretations “creditor” was broadly interpreted to cover lawyers, doctors, accountants, and others because they bill for services after the services have been performed.

Under the Clarification Act, however, the term “creditor” now includes only those who (1) regularly and in the ordinary course of business obtain or use consumer reports in connection with a credit transaction; (2) furnish information to consumer reporting agencies in connection with a credit transaction; or (3) advance funds to or on behalf of a person, based on an obligation of the person to repay the funds. The Clarification Act does not specifically exclude doctors, lawyers, and accountants. But Senator Christopher Dodd (D.-Conn.) and Senator Mark Begich (D.-Alaska) make clear that the Clarification Act does not treat these professionals and other small businesses as creditors covered under the Red Flags Rule simply because they provide services and bill clients, patients, and customers for payment at a later time, except to the extent that they furnish information to consumer reporting agencies in connection with a credit transaction. Finally, the Clarification Act allows the FTC to determine in the future whether the scope of the Rule should be expanded to include other types of creditors that offer or maintain accounts subject to a reasonably foreseeable risk of identity theft.

From a practical standpoint, even those professionals and businesses specifically exempted from the Red Flags Rule should establish an identity theft prevention program: it is good business practice to eliminate or, at least, minimize the chance of a data breach and to minimize the subsequent fallout with your customers. Additionally, other applicable regulations may require certain protection programs. For example, doctors must have HIPAA security programs in place, and there is a patchwork of state statutes that cover data security and reporting requirements for breaches.

For questions about Red Flags Rule compliance, establishing an information security program, or improving your organization’s current policies and procedures for preventing losses, contact E-Business Counsel, PLC.


Written by Jason Shinn

December 21, 2010 at 3:38 pm

Internet Privacy to be Examined by Commerce Department

U.S. Commerce Secretary Gary Locke announced the launch of an initiative designed to gather public input and review the nexus between privacy policy and innovation with respect to the Internet. Additionally, Mr. Locke announced the formation of a Department of Commerce-wide Internet Policy Task Force to identify leading public policy and operational issues impacting the U.S. private sector’s ability to realize the potential for economic growth and job creation through the Internet. Click here for the full press release.

Mr. Locke explained that the motivation for this initiative is “[b]ecause of the vital role the Internet plays in driving innovation throughout the economy, the Department has made it a top priority to ensure that the Internet remains open for innovation while promoting an environment respectful of individual privacy expectations.”

Further, the Commerce Department is seeking public comment from all Internet stakeholders through a Notice of Inquiry (NOI) published in the Federal Register. One question the Department seeks to answer is “whether current privacy laws serve consumer interests and fundamental democratic values.”

Please contact me about offering insight on this topic or joining in the submission of a comment pursuant to the NOI. Your suggestions would be greatly appreciated. Thanks.

What your Company Should Know when it comes to Cyber Attacks

Concerns that U.S. business organizations are losing the digital arms race, a/k/a cyber-warfare, are widely reported. Among those raising concerns is Amit Yoran. He was appointed director of the US-CERT and National Cyber Security Division of the Department of Homeland Security, and also acted as CEO and advisor to In-Q-Tel, the venture capital arm of the CIA. He is presently the CEO of NetWitness and serves as a commissioner on the CSIS Commission on Cyber Security for the 44th Presidency and numerous other industry advisory bodies. In short, this guy might know a thing or two about the digital challenges U.S. business organizations are facing and what can be done.

And in fact, Mr. Yoran was interviewed about these subjects and provided insight as to what steps business organizations can take to, at least, minimize the chance of being on the losing side of the cyber-war. Click here to be taken to the video clip. It is short but informative.

Cybercrime – FBI Reports Increase in Complaints & Losses for 2009

As if your organization didn’t have enough to worry about – the FBI reported that cyber-crime is on the rise (click here for a post at InsideCounsel). The full report is available here.

Among the cyber-crime victims coming forward is a law firm that filed suit against the Chinese government (click here for the full story from Wired’s Threat Level). In fact, the Wired article notes that “If you’re a law firm and you’re doing business in places like China, it’s so probable you’re compromised and it’s very probable there’s not much you can do about it.” The types of threats that such law firms and other companies face are called Advanced Persistent Threats (APT). APT attacks are distinctive in that they are rarely detected by antivirus and intrusion detection programs. Further, these attacks are espionage focused. In other words, APT hackers attempt to take business intelligence, e.g., files, e-mails, etc., rather than the financial or customer data that serves as a precursor for identity theft. For an in-depth, yet very readable, discussion of APT attacks, click here (also a Dark Reading post).

Equally dangerous as APT hackers or other cyber-criminals is the current or former rogue employee. For example, a federal grand jury recently indicted a former employee of the Transportation Security Administration (TSA) for trying to corrupt a database of terrorism suspects in an inside job that many within the information security industry say is a stark reminder of how important it is to track insider access to sensitive data stores (click here for the full story originally posted at Dark Reading).

The preceding FBI report and stories illustrate that business organizations should assume that an attempt will be made to compromise their IT infrastructure. I’ve talked with various IT security professionals about the appropriate steps to prevent APT or other cyber-attacks. Unfortunately, the general and unsatisfying response has been to the effect that if someone wants in badly enough and has the resources, they will get into your network. The sophistication and resources of some of the high-profile cyber-victims (Google, Marathon Oil, ExxonMobil, and ConocoPhillips, to name a few) would seem to confirm this conclusion.

And many remedies available to business organizations are only available after the fact (click here for a prior post discussing theft of business assets and the Computer Fraud and Abuse Act). But when it comes to discharging employees, low-tech measures and common sense go a long way in preventing near disasters like that allegedly committed by the former TSA employee: make sure your termination process first removes all access to sensitive information, databases, e-mail, etc., and then terminates the individual – not the other way around. Such steps are especially important when the employee has administrative rights to the IT infrastructure.

Information Security — Where is the App for That? And Why Business Organizations Should Care

Smart phones such as the iPhone, BlackBerry, and other devices are as standard in today’s business organizations as business cards. But this standard creates an increasingly problematic security threat for business organizations.

This point was highlighted this past October with the release of mobile-phone software that allows someone to eavesdrop on the user’s conversations. This program, called PhoneSnoop, can be secretly downloaded to a BlackBerry (company issued or otherwise), and the microphone can then be remotely activated, allowing one to listen to conversations held in proximity to the device.

In another example, a computer game developer (Storm8) was sued for violation of the Computer Fraud and Abuse Act for allegedly collecting personal data through an iPhone app. The class action litigation alleges that Storm8’s app stole users’ phone numbers. It is reported (click here) that Storm8 admits to collecting the numbers, but says the collection was inadvertent due to a glitch in the source code.

For more information on the security threats posed by smart phones, click here for a BusinessWeek article by Olga Kharif, “Smartphones: A Bigger Target for Security Threats.” Also, a “must read” for any business professional using the iPhone is an excellent post, “iPhone Security? A Complete Misnomer,” which may be found here. This post highlights significant iPhone vulnerabilities that can result in major harm to the business organization.

Why Care About Information Security?

So why should business organizations care about the quality of their information security practices? Setting aside bad publicity and loss of customer goodwill, there are a number of legal reasons to care about such practices.

First, for organizations in certain business sectors the short answer is because you are required to care. The Gramm-Leach-Bliley Act (GLB) was enacted in 1999 to reform the banking industry and has various provisions concerning information protection. Similarly, the Health Insurance Portability and Accountability Act (HIPAA) governs the protection of medical information. The Sarbanes-Oxley Act applies to publicly traded companies and may require effective security controls to be implemented. Also, the Fair and Accurate Credit Transactions Act (FACTA), which amended the Fair Credit Reporting Act (FCRA), requires “any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose” to “properly dispose of such information or compilation.”

Second, there are also at least 45 reasons why business organizations not subject to the preceding federal statutes must be concerned about information security. This is the number of states with breach notification laws on the books that impose (potentially costly) notice requirements on companies that experience security breaches, together with additional potential liabilities for non-compliance.

Third, even if your business is not subject to the preceding state and federal regulations, chances are it is subject to Federal Trade Commission oversight. Specifically, the Federal Trade Commission Act (FTC Act), 15 U.S.C. § 45(a)(1), states that “Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” Under the provisions of the FTC Act, the FTC can take action against businesses that either: (a) publicly promise to keep sensitive personal information secure and confidential and then suffer a security breach; or (b) fail to implement reasonable and appropriate controls to secure sensitive personal information. Further, the FTC has promulgated its “Red Flags” rule, which addresses identity theft under the Fair and Accurate Credit Transactions Act of 2003. These rules, which were originally to take effect May 1, 2009, have been delayed (several times now) and are scheduled to go into effect June 1, 2010 … seriously … just trust the government … this time they will go into effect.

Fourth, in addition to statutory and regulatory sources of liability for mismanagement of information security, liability may be based on a breach of contract theory (make sure you know what you’re signing and what you are agreeing to).

Fifth, liability may also arise under a theory that the business organization was negligent in failing to secure sensitive information or information systems. See, for example, a 2005 Michigan Court of Appeals case, Bell v. Mich. Council, which held that a union had a special relationship with its members giving rise to a duty to safeguard personal data that the members entrusted to the union. Among the distinguishing facts cited by the court in finding a duty-imposing relationship were the union’s obligation to act in the best interests of its members, the foreseeability (under the circumstances) of theft and misuse of the data, and the union’s lack of safeguards to prevent unauthorized access to members’ personal data.

Steps towards Protecting Information

Information security is rapidly emerging as a “mission critical” component for business organizations. This is because virtually all of a company’s daily transactions and all of its key records are created, used, communicated, and stored in electronic form using networked computer technology. In other words, business organizations are, quite literally, completely dependent upon information technology and an interconnected information infrastructure. While this has provided organizations with tremendous economic benefits, e.g., reduced costs and increased productivity, it also creates a legal and public relations time-bomb for organizations that ignore information security.

Unfortunately, there is not a “silver bullet” app for responding to these challenges. But based on experience in working with business professionals, there are steps that should be considered. While far from the “Gospel,” the following measures should be evaluated because they concern the two biggest sources of security risks that I address on a regular basis:

  1. Laptops and portable storage devices routinely create information security risks for organizations. Accordingly, in addition to passwords (which may be – at best – a speed bump for cyber thieves), consider encryption software. A great open-source (and free) application is TrueCrypt, which creates a virtual encrypted disk within a file and mounts it as a real disk, and can also encrypt an entire partition or storage device such as a USB flash drive or hard drive; and
  2. Home computers used to access work may not have the appropriate protections, e.g., a firewall or virus protection, necessary to safeguard information. Additionally, information may be accessible by spouses and children (and if teenagers, their friends). Accordingly, it is critical that employees with home access to work information appreciate the risks and expectations for protecting company/consumer information. Also, it is important for employers to be prepared to step in if such information may be compromised or otherwise exposed due to litigation involving the employee. For example, it is a common scenario for an employee to be involved in a divorce or some other litigation. In such circumstances, the other side will commonly request access to a company-provided laptop, BlackBerry or related devices. Thus, it is a good practice to require employees to immediately notify their employers of any incident that may compromise the business organization’s information.

For additional information security resources, click here (FTC Resources) or feel free to contact me to discuss what steps can be taken to decrease the risks and liabilities your business organization faces.

Digital Security Report: Social Networking Sites Expand Risks for Employers

Social networking websites—such as Facebook, LinkedIn, and MySpace—give users a platform to post information about themselves, to stay in touch with friends and to meet new ones. These sites also create a buffet of legal and IT risk that business organizations must address.

In regard to IT risk, Sophos, an international provider of enterprise cyber-security solutions, released its Security Threat Report. The report noted that criminals have increasingly focused enterprise attacks on social networking sites. Click here to be linked to Sophos’s overview of the Report and here for the full report.

The Report also provides various recommendations and insight for responding to risk created by social networking websites. Despite the risks, Sophos recommends against employers implementing a wholesale ban on these social networking websites. The rationale for this conclusion is that users/employees will likely circumvent the employer’s protective measures and thereby open up another layer of vulnerability to the organization.

In regard to legal risks, these sites hold a goldmine of information for employers that may be useful in qualifying and screening potential hires. In fact, one in five decision-makers use social networking sites to screen potential applicants. See One in five bosses screen applicants’ Web lives. But the other side of the coin is that an employer may learn information that may later become a cornerstone in a discrimination lawsuit. For example, what if the information reveals that an applicant is in a protected class under federal or state law, e.g., photos showing a person’s race, information about a person’s religious affiliations, or that an applicant is pregnant? Whether this information was a determining factor in the adverse hiring decision will be answered against the factual backdrop that the employer checked the applicant’s profile and was therefore aware of the particular fact placing the applicant in the protected class under state or federal law.

Another risk employers must address when it comes to social networking sites is the disclosure of confidential and proprietary information. In a recent and extreme example, the wife of Britain’s new spy chief posted family pictures on her Facebook page and exposed details of where the couple live and take their vacations (or, for those outside of the U.S., holidays) and who their friends and relatives are. The British spy agency was concerned that this information could compromise security and potentially be useful to hostile foreign powers or terrorists. See British Spy Chief’s Cover Blown on Facebook. (No offense to the spy chief’s wife (Lady Shelley Sawers), but I don’t ever recall any Bond Girl exposing Mr. Bond on her Facebook page.)

While not every business organization employs a top spy or incorporates national security into its business plans, most organizations do have information they consider to be top-secret. Whether it is marketing plans, customers, formulas, etc., inadvertently distributing such information via the social networking world may significantly undercut a business initiative or other strategic plans. I’ve also run into situations where employees exchange information in responding to and asking questions through various Listservs and similar platforms. While the motivation is generally legitimate, the unintended consequence may be the disclosure of confidential and proprietary information or the loss of protection under a particular IP strategy.

There are numerous risks that should be weighed against the benefits of social networking sites (feel free to contact me for more information). But a few take-aways for employers are as follows:

  1. First and foremost, start by determining what the employer’s expectations are when it comes to using company resources to access social networking sites. It may be that the trouble and risks are not worth it and an across-the-board ban will be implemented. Or, access may be allowed for certain departments. Ideally, formulating this expectation will involve working with your IT professionals. For instance, is it feasible to implement a wholesale ban against using social networking applications, or is there a business justification for making exceptions? If so, what security gaps need to be addressed?
  2. Second, make sure your expectations are reflected in your company’s Internet acceptable usage policy and this policy expressly applies to social networking sites. Also, make sure that the policy clearly spells out the ramifications, including the levels of discipline that may occur for violating the policy.
  3. Third, educate users as to your expectations and be prepared to offer explanations for the policy/ban, e.g. the security risks, the risks of exposing information that provides a competitive edge to the company, etc. I know from experience that it is becoming common for employers to include social networking sections to their training on protecting corporate information. This is not a legal requirement, but speaking from experience, it is easier for an individual to “buy-in” to a policy if there is a rational reason for it.
  4. Finally, and this relates to the first point, work with IT to determine how the policy will be enforced. While the “scout’s honor” system works great for scouts, a better approach is to rely on some sort of analysis of Web logs, which will detail use during business time (if not allowed), or on an automated search of websites for corporate information. But that is just the cynic in me speaking.

What if the information revealed on the site puts the applicant in a protected class under federal or state law? Whether or not the information putting the applicant in the protected class was a determining factor in the adverse hiring decision, the fact that the employer checked the profile and was aware of that fact may give rise to an allegation of discrimination. In addition, the applicant’s conduct could be protected concerted activity under federal labor law. Also, some states prohibit adverse employment actions based on political expression.
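As an added example (not part of the original post), the Web log analysis suggested in the last take-away, implemented as a small Python script over constructed proxy log lines. The log format, the list of social networking domains, the 9-to-5 weekday business window and the sample lines are all assumptions for illustration; adapt them to your proxy’s actual format and your acceptable usage policy.

```python
"""Review proxy logs for social networking use during business hours.

Added example, not code from the original post. Everything below the
imports (log format, domain list, business window, sample lines) is an
assumption constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, time
from urllib.parse import urlparse

# Assumed policy inputs: sites the acceptable usage policy covers and
# what counts as business time. Subdomains match too (m.facebook.com).
SOCIAL_DOMAINS = {"facebook.com", "linkedin.com", "myspace.com"}
BUSINESS_START, BUSINESS_END = time(9, 0), time(17, 0)

# Constructed proxy log lines in an assumed format:
# <ISO timestamp> <user> <client ip> <method> <url> <status>
SAMPLE_LOG = """\
2010-03-15T08:12:40 jdoe 10.0.0.12 GET http://www.example.com/ 200
2010-03-15T10:42:07 jdoe 10.0.0.12 GET http://www.facebook.com/home.php 200
2010-03-15T10:43:11 jdoe 10.0.0.12 GET http://m.facebook.com/messages 200
2010-03-15T12:30:00 asmith 10.0.0.31 GET http://www.linkedin.com/in/asmith 200
2010-03-15T19:05:22 asmith 10.0.0.31 GET http://www.myspace.com/ 200
2010-03-15T14:00:00 bkhan 10.0.0.44 GET http://notfacebook.com/ 200
this line is malformed and should be skipped
"""


def parse_line(line):
    """Return (timestamp, user, host) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    host = urlparse(parts[4]).hostname
    if not host:
        return None
    return ts, parts[1], host.lower()


def is_social_network(host):
    """True if host is a policy-covered domain or one of its subdomains.

    Exact or dot-suffix matching avoids false hits on look-alike names
    such as notfacebook.com."""
    return any(host == d or host.endswith("." + d) for d in SOCIAL_DOMAINS)


def in_business_hours(ts, weekdays_only=True):
    """True for timestamps inside the assumed Monday-Friday 9-to-5 window."""
    if weekdays_only and ts.weekday() >= 5:  # Saturday=5, Sunday=6
        return False
    return BUSINESS_START <= ts.time() < BUSINESS_END


def business_hours_social_use(log_text):
    """Count, per user, social networking requests made during business time."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the review
        ts, user, host = parsed
        if is_social_network(host) and in_business_hours(ts):
            counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, n in sorted(business_hours_social_use(SAMPLE_LOG).items()):
        print(f"{user}: {n} social networking request(s) during business hours")
```

The summary is per user rather than per request so that it can be compared against the policy’s departmental exceptions before anyone is approached about a violation.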

BusinessWeek Podcast – Laptop Security: The high cost of lost data

BusinessWeek’s CEO Guide To Technology reported that – based on data from the security firm Symantec – about 66% of all identities exposed in 2008 were from the theft or loss of laptops, USB keys, and other backup devices. Against this backdrop, BusinessWeek presented an interesting podcast about data breaches based on Rachael King’s interview with the Ponemon Institute’s founder Larry Ponemon. The Ponemon Institute is a pre-eminent research center dedicated to privacy, data protection and information security policy. Click here for a link to the podcast and here to download BusinessWeek’s podcast. Definitely worth a listen.