Thursday, December 27, 2007
Costs Of A Data Breach
A new study of 35 companies that incurred a data breach demonstrates how expensive thse incidents are to companies. The study reports that the average total cost per reporting company was more than $6.3 million per breach and ranged from $225,000 to almost $35 million. The study also indicates that these costs are increasing each year and that financial service firms are impacted the most.
Wednesday, December 19, 2007
FTC Testifies On ID Theft
In testimony yesterday before the House Judiciary Committee’s Subcommittee on Crime, Terrorism, and Homeland Security, the FTC's Joel Winston testified that since 2001 the Commission has brought 14 cases since against businesses that failed to implement reasonable security measures to protect sensitive consumer data. In each of those cases the security vulnerabilities were multiple and systemic, and the preventative measures were inexpensive and readily available. The full text of the testimony is available here.
Thursday, December 06, 2007
Guide For Businesses On Protecting Personal Information
Entitled “Protecting Personal Information: A Guide for Business,” this new tutorial from the FTC outlines a framework businesses can use to implement a data security plan. The framework offered in the tutorial is built on 5 principles:
- Take stock
- Scale down.
- Lock it.
- Pitch it.
- Plan ahead.
New CRS Report On Botnets, Cybercrime
CRS recently published a new report entitled "Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues." Among the findings in the report are that "cybercrime is becoming more organized and established as a transnational business....[and that] designs for cybercrime botnets arebecoming more sophisticated, and future botnet architectures may be more resistant to computer security countermeasures."
Monday, December 03, 2007
Study Shows Low Awareness of Security Freeze Laws
A study conducted by the AARP indicates that although consumers have a high concern about identity theft, their awareness of security freeze legislation remains extremely low. The study indicates that more than half (57%) of the respondents did not know where to turn for security freeze information. For the full text of the study, click here. For a summary, click here.
Monday, November 12, 2007
First Prosecution In File Sharing ID Theft
This AP news story reports on the case of Gregory Kopiloff. According to the Justice Department this is the first prosecution against someone accused of using file-sharing to commit identity theft. Kopiloff used file sharing programs to gain access to the personal information of more than 50 people. He then used that information to fraudulently buy and resell more than $73,000 in merchandise.
Thursday, November 08, 2007
The Prevalence of Identity Theft
The Bureau of Justice Statistics recently published a report on identity theft. According to the report, in 2005, 6.4 million households (5.5% of all households in the US) discovered that at least one member experienced one or more types of identity theft. Of this group, unauthorized use of an existing credit card was the the most prevalent type of identity theft (about 3 million households). Given that the data in the report is from 2005, the statistics today would likely be significantly larger.
Monday, November 05, 2007
Fair Use For User Generated Content
With the growth of user generated content (UGC) services like Youtube.com, the question of what is considered fair use is only now beginning to be defined. This article from the Electronic Frontier Foundation provides a framework for applying fair use in the UCG context. Hats off to beSpacific for this catch.
Thursday, October 25, 2007
E-Discovery Local Rules
Following on yesterday's post, Maryland is not the only state where federal courts have proposed or enacted e-discovery local rules. As this article shows, at least 32 US District Courts have enacted or proposed special rules addressing electronic discovery.
Wednesday, October 24, 2007
Suggested Protocol For E-Discovery
Judge Paul W. Grimm of the US District Court of Maryland recently posted this "Suggested Protocol For Discovery of Electronically Stored Information." Although not currently adopted, the document is a "working model" which may at some point be recommended for adoption.
Website Liability For User Posted Content
This Findlaw article by Eric Sinrod discusses when websites will be held liable for the content posted by others on their site. In particular, the article discusses the case of Fair Housing Council of San Fernando Valley v. Roommates.com, LLC where the website http://www.roommates.com/ was sued by the Fair Housing Councils of San Fernando Valley and San Diego. The plaintiffs alleged that the site's practice of allowing users to filter out potential roommates according to user-selected criteria violated the Fair Housing Act (FHA).
Tuesday, October 09, 2007
'07 Global Security Survey
Deloitte recently published it's annual review of the state of information security in the financial services industry. The survey includes data from 169 global financial institutions in 32 countries. Key findings include: companies are moving away from a sole focus on shoring up infrastructure against external breaches and are focusing instead on a a layered approach of preventative, detective and corrective controls; respondents identified access and identity management (50%) as their top operational initiative; generic countermeasures (encryption, access control, and network security) are proving inadequate at protecting on-line applications; and in an organization’s attempt to prevent security breaches, people remain the weakest link.
Tuesday, September 25, 2007
A Global Privacy Standard?
A senior executive at Google stated today that he agreed on the need for a basic set of global privacy protections. See this CNET article for more.
Domain Name Theft
This Wall Street Journal article examines how domain name hijacking is becoming an increasingly prevalent phenomenon.
Monday, September 24, 2007
EU Data Transfer Regulations
U.S. companies transferring personal data from Europe to the U.S. must follow prescribed methods to protect data in accord with EU data privacy protection laws. Complying with this "adequacy requirement" means satisfying each European nation's data protection authorities. Binding Corporate Rules allow a company to design a single set of internal rules that work on their own data protection policies for intranet sites, databases and other electronic business tools that also comply with EU requirements. For more on this, see this article from the New York Law Journal.
Monday, September 17, 2007
Robot Exclusion Protocol
If you are concerned, as I am, about the privacy threats posed by Google's search bots, take a look at the following post from Paul Ford of Ftrain.com.
Tuesday, September 11, 2007
VOIP Security Whitepaper From IBM
This 16-page whitepaper from IBM discusses "vishing." From the intro, "Vishing is the practice of leveraging IP-based voice messaging technologies (primarily Voice over Internet Protocol, or VoIP) to socially engineer the intended victim into providing personal, financial or other confidential infor-mation for the purpose of financial reward." The term "vishing" is a contraction of the terms 'voice' and 'phishing.'
Friday, September 07, 2007
DOT Issues Memo On Loss of Personal Information
The US Department of Transporation issued this memorandum on the theft of two laptops belonging to the Office of The Inspector General. Both laptops contained large amounts of Sensitive Personally Identifiable Information.
Thursday, September 06, 2007
National Security Archive Sues White House Over Emails
See this press release. The suit, filed in the US District Court of the District of Columbia, demands the recovery and preservation of 5 million emails which were allegedly deleted by the White House during the period of March 2003 and October 2005.
Wednesday, September 05, 2007
Source Code For Breathalyzer Softwere Held Not To Be Trade Secret
See this post from the DUI Blog. A number of manufacturers of breathalyzer software had refused to disclose their source close, claiming they were trade secrets. The Supreme Court of New Jersey, however, recently ruled that the source code for this software is not a trade secret and therefore the company should be forced to reveal the code.
Online Listing Qualifies For Copyright Protection
In a decision published on June 21 (BUC Int'l Corp. v. Int'l Yacht Council), the 11th Circuit Court of Appeals affirmed that BUC International Corp.'s method of organizing its online listings of yachts for sale was unique enough to qualify for copyright protection. The defendant had "scraped" adds off of BUC's website.
Executive Office of The President Not Subject To FOIA
This page on the White House website states "The Office of Administration, whose sole function is to advise and assist the President, and which has no substantial independent authority, is not subject to FOIA and related authorities."
Friday, August 17, 2007
Anti-Cybersquatting Enforcement
Columnist Eric Sinrod reports in this article how a non-profit group called The Coalition Against Domain Name Abuse (CADNA) is leading the fight against cybersquatting.
Thursday, August 16, 2007
Youtube's Failure To Dismiss Tur Suit
According to an article in Andrews Intellectual Property Litigation Reporter (14 No. 9 Andrews Intell. Prop. Litig. Rep. 2) on Robert Tur's copyright suit against Youtube.com (Tur v. Youtube Inc.), Youtube's motion to dismiss was refused because the company failed to show that it has the "right and ability to control" the content posted on its site. For background on this case, see this post. To see the text of the orders, click here and here.
Antitrust Concerns In Cyberspace
For an interesting case applying antitrust principles to the cyber arena, see this recent case from the US District Court of the Central District of California (Liveuniverse v. Myspace).
Tuesday, August 14, 2007
A Setback For Spammers
See this article from PC World: "Researchers at the University of California, San Diego (UCSD) said this week they've discovered a critical weakness in the spam ecosystem that could be used to help cut off the promise of economic returns fuelling the huge growth in spam levels." For a brief history of spam, see this article from the New Yorker entitled "Damn Spam."
Monday, August 13, 2007
Authenticating Email
Check out today's article from Law.com entitled "Authenticating Email Evidence As Evidence." As the authors point out, part of what makes authenticating email for use as evidence difficult is that each email is not an independent entity--it is part of a chain of emails which form a discussion.
Thursday, August 09, 2007
Tuesday, August 07, 2007
Financial Privacy Legislation
The National Conference of State Legislatures provides this list of financial privacy legislation--both introduced and enacted--from all 50 states for the years 2000-2006. The list includes links to the full text of the legislation. The same site also provides a 50-state listing of security breach legislation.
Monday, August 06, 2007
Visa Held Not To Be Vicarious Infringer
A recent 9th Circuit Court of Appeals decision, Perfect 10 Inc. v. Visa International Service Association et al., found that credit card companies that process transactions over the internet that ultimately involve infringed goods, are not themselves liable for vicarious infringement. See this article from Mealey's for more.
Thursday, August 02, 2007
GAO Report On Cybercrime
GAO recently published a new report entitled "Public and Private Entities Face Challenges in Addressing Cyber Threats." From the Executive Summary: "Cybercrime has significant economic impacts and threatens U.S. national security interests. Various studies and experts estimate the direct economic impact from cybercrime to be in the billions of dollars annually. The annual loss due to computer crime was estimated to be $67.2 billion for U.S. organizations, according to a 2005 Federal Bureau of Investigation (FBI) survey."
Monday, July 30, 2007
iPhone Vulernable To Hackers
This AP article reports on a vulnerability within Apple's iPhone which could make it susceptible to hackers.
YouTube To Institute Copyright Filtering
See this article from InfoWorld and this article from Wired News which discuss Google's intent to implement an antipiracy tool on it's YouTube website. According to the articles, Google plans to implement the changes as soon as this Fall.
Thursday, July 26, 2007
Government Barred From Accessing Emails From ISP
In a recent 6th Circuit decision, Warshak v. United States (June 18, 2007), the Court ruled that email users have a reasonable expectation of privacy and thus barred the government from accessing emails from the Internet Service Provider of a criminal defendant.
Wednesday, July 25, 2007
Law Firm Cleared of Hacking Opponents' Web Archives
Yesterday's New Jersey Law Journal reported on a case (Healthcare Advocates Inc. v. Harding Earley Follmer & Frailey) in which a law firm had been sued for allegedgly violating copyright and anti-hacking laws when it recovered old web pages belonging to its client's adversary. The opinion by Judge Robert Kelley, Jr. of the US District Court of Eastern District of Pennsylvania stated that the firm, in accessing pages from the Way Back Machine, did not violate any law. As stated in the opinion, "They did not 'pick the lock' and avoid or bypass the protective measure, because there was no lock to pick...Nor did the Harding firm steal passwords to get around a protective barrier... The Harding firm could not 'avoid' or 'bypass' a digital wall that was not there." A copy of the Complaint is available here. The opinion does not appear to be online.
Monday, July 23, 2007
Top Ten Opt Out List
Also from the World Privacy Forum: The World Privacy Forum's Top Ten Opt Out List is "a list of what top things to opt out of, and how to opt out. Millions of people have heard about the Do Not Call list, an opt out list that gets people off of telemarketing lists. But many fewer people have heard about the other opt outs that are available, like those that can take people out of data broker lists or opt outs that can stop schools from giving out directory information like email and home addresses."
State Security Freeze Laws
This page from the World Privacy Forum provides an overview of state security freeze laws, as well as a list of states with enacted security freeze legislation. Each entry includes a link to the full text of the that state's security freeze statute.
Friday, July 20, 2007
IT Disaster Recovery Tool-kit
The National Association of State Chief Information Officers publishes this tool-kit which is designed to assist state CIOs and their staff in IT disaster recovery and business continuity planning. It is an updated and expanded version of business continuity and disaster preparedness checklists utilized for a brainstorming exercise at the “CIO-CLC Business Continuity/ Disaster Recovery Forum” at NASCIO’s 2006 Midyear Conference.
Spyware's Effect on Web Site Traffic Counts
Ben Edelman has a new article entitled "How Spyware-Driven Forced Visits Inflate Web Site Traffic Counts." Also see this related New York Times article from Dec. 11 of 2006 entitled "In Web Traffic Tallies, Intruders Can Say You Visited Them."
House Committee Passes Social Security Privacy Legislation
In a press release, the House Ways and Means Committee stated "During the course of the 16 hearings conducted by the Subcommittee, numerous experts testified that the easy availability of Social Security numbers (SSNs) in the public and private sectors, combined with the number’s widespread use as an individual identifier, greatly facilitates the crime of identity theft. The bill would restrict the use of the SSN by government and business, to make it less accessible to identity thieves, while providing exceptions for legitimate and necessary uses of the number." Click here for a text of the bill.
Subscribe to:
Posts (Atom)