Thursday, December 27, 2007

Costs Of A Data Breach

A new study of 35 companies that incurred a data breach demonstrates how expensive these incidents are. The study reports that the average total cost per reporting company was more than $6.3 million per breach, with individual breaches ranging from $225,000 to almost $35 million. The study also indicates that these costs are increasing each year and that financial services firms are hit hardest.

Wednesday, December 19, 2007

FTC Testifies On ID Theft

In testimony yesterday before the House Judiciary Committee's Subcommittee on Crime, Terrorism, and Homeland Security, the FTC's Joel Winston testified that since 2001 the Commission has brought 14 cases against businesses that failed to implement reasonable security measures to protect sensitive consumer data. In each of those cases the security vulnerabilities were multiple and systemic, and the preventative measures were inexpensive and readily available. The full text of the testimony is available here.

Thursday, December 06, 2007

Guide For Businesses On Protecting Personal Information

Entitled “Protecting Personal Information: A Guide for Business,” this new tutorial from the FTC outlines a framework businesses can use to implement a data security plan. The framework offered in the tutorial is built on 5 principles:
  1. Take stock.
  2. Scale down.
  3. Lock it.
  4. Pitch it.
  5. Plan ahead.

New CRS Report On Botnets, Cybercrime

CRS recently published a new report entitled "Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues." Among the findings in the report are that "cybercrime is becoming more organized and established as a transnational business....[and that] designs for cybercrime botnets are becoming more sophisticated, and future botnet architectures may be more resistant to computer security countermeasures."

Monday, December 03, 2007

Study Shows Low Awareness of Security Freeze Laws

A study conducted by the AARP indicates that although consumers have a high concern about identity theft, their awareness of security freeze legislation remains extremely low. The study indicates that more than half (57%) of the respondents did not know where to turn for security freeze information. For the full text of the study, click here. For a summary, click here.

Monday, November 12, 2007

First Prosecution In File Sharing ID Theft

This AP news story reports on the case of Gregory Kopiloff. According to the Justice Department this is the first prosecution against someone accused of using file-sharing to commit identity theft. Kopiloff used file sharing programs to gain access to the personal information of more than 50 people. He then used that information to fraudulently buy and resell more than $73,000 in merchandise.

Thursday, November 08, 2007

The Prevalence of Identity Theft

The Bureau of Justice Statistics recently published a report on identity theft. According to the report, in 2005, 6.4 million households (5.5% of all households in the US) discovered that at least one member had experienced one or more types of identity theft. Within this group, unauthorized use of an existing credit card was the most prevalent type of identity theft (about 3 million households). Since the report's data is from 2005, the figures are likely to be considerably higher today.

Monday, November 05, 2007

Fair Use For User Generated Content

With the growth of user generated content (UGC) services like Youtube.com, the question of what is considered fair use is only now beginning to be defined. This article from the Electronic Frontier Foundation provides a framework for applying fair use in the UGC context. Hats off to beSpacific for this catch.

Thursday, October 25, 2007

E-Discovery Local Rules

Following on yesterday's post, Maryland is not the only state where federal courts have proposed or enacted e-discovery local rules. As this article shows, at least 32 US District Courts have enacted or proposed special rules addressing electronic discovery.

Wednesday, October 24, 2007

Suggested Protocol For E-Discovery

Judge Paul W. Grimm of the US District Court of Maryland recently posted this "Suggested Protocol For Discovery of Electronically Stored Information." Although not currently adopted, the document is a "working model" which may at some point be recommended for adoption.

Website Liability For User Posted Content

This Findlaw article by Eric Sinrod discusses when websites will be held liable for the content posted by others on their site. In particular, the article discusses the case of Fair Housing Council of San Fernando Valley v. Roommates.com, LLC where the website http://www.roommates.com/ was sued by the Fair Housing Councils of San Fernando Valley and San Diego. The plaintiffs alleged that the site's practice of allowing users to filter out potential roommates according to user-selected criteria violated the Fair Housing Act (FHA).

Tuesday, October 09, 2007

'07 Global Security Survey

Deloitte recently published its annual review of the state of information security in the financial services industry. The survey includes data from 169 global financial institutions in 32 countries. Key findings include: companies are moving away from a sole focus on shoring up infrastructure against external breaches and are focusing instead on a layered approach of preventative, detective and corrective controls; respondents identified access and identity management (50%) as their top operational initiative; generic countermeasures (encryption, access control, and network security) are proving inadequate at protecting on-line applications; and in an organization's attempt to prevent security breaches, people remain the weakest link.

Tuesday, September 25, 2007

A Global Privacy Standard?

A senior executive at Google stated today that he agreed on the need for a basic set of global privacy protections. See this CNET article for more.

Domain Name Theft

This Wall Street Journal article examines how domain name hijacking is becoming an increasingly prevalent phenomenon.

Monday, September 24, 2007

EU Data Transfer Regulations

U.S. companies transferring personal data from Europe to the U.S. must follow prescribed methods to protect data in accord with EU data privacy protection laws. Complying with this "adequacy requirement" means satisfying each European nation's data protection authorities. Binding Corporate Rules allow a company to design a single set of internal rules that work on their own data protection policies for intranet sites, databases and other electronic business tools that also comply with EU requirements. For more on this, see this article from the New York Law Journal.

Monday, September 17, 2007

Robot Exclusion Protocol

If you are concerned, as I am, about the privacy threats posed by Google's search bots, take a look at the following post from Paul Ford of Ftrain.com.
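For readers unfamiliar with how the Robot Exclusion Protocol actually operates, the following Python snippet is an added illustration (it is not part of this post or of Paul Ford's piece). It parses a constructed robots.txt file with the standard library's `urllib.robotparser`, shows which URLs a well-behaved crawler would skip, and lists the paths the file itself publishes. The host name example.com and the /private/ and /drafts/ paths are assumptions made up for the example. The practical point: robots.txt is a request that cooperating crawlers honour, not an access control, and every Disallow line tells anyone who reads the file exactly where the content you hoped to hide lives.

```python
"""Added example (not from the original post): evaluating robots.txt the
way a compliant crawler does, and showing why it offers no privacy.

The robots.txt text, the host example.com and the paths below are
constructed for this example and are not taken from any real site.
"""
from urllib.robotparser import RobotFileParser

# Constructed robots.txt: the site asks Googlebot to stay out of two
# areas and asks every other crawler to stay out of one of them.
ROBOTS_TXT = """\
User-agent: Googlebot
Disallow: /private/
Disallow: /drafts/

User-agent: *
Disallow: /private/
"""


def build_parser(robots_txt: str) -> RobotFileParser:
    """Parse robots.txt text exactly as the stdlib crawler helper would."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp


def crawler_may_fetch(robots_txt: str, user_agent: str, url: str) -> bool:
    """True if a crawler that honours robots.txt would fetch `url`.

    A crawler that ignores the protocol is not affected by this answer at
    all; nothing on the server side enforces it.
    """
    return build_parser(robots_txt).can_fetch(user_agent, url)


def disclosed_paths(robots_txt: str) -> list[str]:
    """Every path a robots.txt file advertises through a Disallow line.

    robots.txt is served publicly, so this list is what any reader,
    including a crawler that disregards the protocol, learns about the
    site's "hidden" areas just by fetching /robots.txt.
    """
    paths = []
    for line in robots_txt.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return sorted(set(paths))


if __name__ == "__main__":
    for agent, path in [("Googlebot", "/private/notes.html"),
                        ("Googlebot", "/drafts/memo.html"),
                        ("Googlebot", "/index.html"),
                        ("OtherBot", "/drafts/memo.html")]:
        allowed = crawler_may_fetch(ROBOTS_TXT, agent, "http://example.com" + path)
        print(f"{agent:10s} {path:22s} {'fetch' if allowed else 'skip'}")
    print("paths the file itself reveals:", disclosed_paths(ROBOTS_TXT))
```

Note the second agent: a crawler that does not identify as Googlebot falls back to the `*` group, so /drafts/ is open to it even though the site owner presumably wanted it left alone. Anything that must not be read by strangers needs authentication, not a Disallow line.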

Tuesday, September 11, 2007

VOIP Security Whitepaper From IBM

This 16-page whitepaper from IBM discusses "vishing." From the intro, "Vishing is the practice of leveraging IP-based voice messaging technologies (primarily Voice over Internet Protocol, or VoIP) to socially engineer the intended victim into providing personal, financial or other confidential information for the purpose of financial reward." The term "vishing" is a contraction of the terms 'voice' and 'phishing.'

Friday, September 07, 2007

DOT Issues Memo On Loss of Personal Information

The US Department of Transportation issued this memorandum on the theft of two laptops belonging to the Office of the Inspector General. Both laptops contained large amounts of Sensitive Personally Identifiable Information.

Thursday, September 06, 2007

National Security Archive Sues White House Over Emails

See this press release. The suit, filed in the US District Court of the District of Columbia, demands the recovery and preservation of 5 million emails which were allegedly deleted by the White House during the period of March 2003 and October 2005.

Wednesday, September 05, 2007

Source Code For Breathalyzer Software Held Not To Be Trade Secret

See this post from the DUI Blog. A number of manufacturers of breathalyzer software had refused to disclose their source code, claiming it was a trade secret. The Supreme Court of New Jersey, however, recently ruled that the source code for this software is not a trade secret and that the manufacturer can therefore be compelled to reveal it.

Online Listing Qualifies For Copyright Protection

In a decision published on June 21 (BUC Int'l Corp. v. Int'l Yacht Council), the 11th Circuit Court of Appeals affirmed that BUC International Corp.'s method of organizing its online listings of yachts for sale was original enough to qualify for copyright protection. The defendant had "scraped" ads off of BUC's website.

Executive Office of The President Not Subject To FOIA

This page on the White House website states "The Office of Administration, whose sole function is to advise and assist the President, and which has no substantial independent authority, is not subject to FOIA and related authorities."

Friday, August 17, 2007

Anti-Cybersquatting Enforcement

Columnist Eric Sinrod reports in this article how a non-profit group called The Coalition Against Domain Name Abuse (CADNA) is leading the fight against cybersquatting.

Thursday, August 16, 2007

Youtube's Failure To Dismiss Tur Suit

According to an article in Andrews Intellectual Property Litigation Reporter (14 No. 9 Andrews Intell. Prop. Litig. Rep. 2) on Robert Tur's copyright suit against Youtube.com (Tur v. Youtube Inc.), Youtube's motion to dismiss was refused because the company failed to show that it has the "right and ability to control" the content posted on its site. For background on this case, see this post. To see the text of the orders, click here and here.

Antitrust Concerns In Cyberspace

For an interesting case applying antitrust principles to the cyber arena, see this recent case from the US District Court of the Central District of California (Liveuniverse v. Myspace).

Tuesday, August 14, 2007

A Setback For Spammers

See this article from PC World: "Researchers at the University of California, San Diego (UCSD) said this week they've discovered a critical weakness in the spam ecosystem that could be used to help cut off the promise of economic returns fuelling the huge growth in spam levels." For a brief history of spam, see this article from the New Yorker entitled "Damn Spam."

Monday, August 13, 2007

Authenticating Email

Check out today's article from Law.com entitled "Authenticating Email Evidence As Evidence." As the authors point out, part of what makes authenticating email for use as evidence difficult is that each email is not an independent entity--it is part of a chain of emails which form a discussion.

Thursday, August 09, 2007

FTC On Laptop Security

The FTC recently published this page offering suggestions for maintaining laptop security.

Tuesday, August 07, 2007

Financial Privacy Legislation

The National Conference of State Legislatures provides this list of financial privacy legislation--both introduced and enacted--from all 50 states for the years 2000-2006. The list includes links to the full text of the legislation. The same site also provides a 50-state listing of security breach legislation.

Monday, August 06, 2007

Visa Held Not To Be Vicarious Infringer

A recent 9th Circuit Court of Appeals decision, Perfect 10 Inc. v. Visa International Service Association et al., found that credit card companies that process transactions over the internet that ultimately involve infringed goods, are not themselves liable for vicarious infringement. See this article from Mealey's for more.

Thursday, August 02, 2007

GAO Report On Cybercrime

GAO recently published a new report entitled "Public and Private Entities Face Challenges in Addressing Cyber Threats." From the Executive Summary: "Cybercrime has significant economic impacts and threatens U.S. national security interests. Various studies and experts estimate the direct economic impact from cybercrime to be in the billions of dollars annually. The annual loss due to computer crime was estimated to be $67.2 billion for U.S. organizations, according to a 2005 Federal Bureau of Investigation (FBI) survey."

Monday, July 30, 2007

iPhone Vulnerable To Hackers

This AP article reports on a vulnerability within Apple's iPhone which could make it susceptible to hackers.

YouTube To Institute Copyright Filtering

See this article from InfoWorld and this article from Wired News which discuss Google's intent to implement an antipiracy tool on its YouTube website. According to the articles, Google plans to implement the changes as soon as this Fall.

Thursday, July 26, 2007

Government Barred From Accessing Emails From ISP

In a recent 6th Circuit decision, Warshak v. United States (June 18, 2007), the Court ruled that email users have a reasonable expectation of privacy and thus barred the government from accessing emails from the Internet Service Provider of a criminal defendant.

Wednesday, July 25, 2007

Law Firm Cleared of Hacking Opponents' Web Archives

Yesterday's New Jersey Law Journal reported on a case (Healthcare Advocates Inc. v. Harding Earley Follmer & Frailey) in which a law firm had been sued for allegedly violating copyright and anti-hacking laws when it recovered old web pages belonging to its client's adversary. The opinion by Judge Robert Kelley, Jr. of the US District Court for the Eastern District of Pennsylvania stated that the firm, in accessing pages from the Wayback Machine, did not violate any law. As stated in the opinion, "They did not 'pick the lock' and avoid or bypass the protective measure, because there was no lock to pick...Nor did the Harding firm steal passwords to get around a protective barrier... The Harding firm could not 'avoid' or 'bypass' a digital wall that was not there." A copy of the Complaint is available here. The opinion does not appear to be online.

Monday, July 23, 2007

Top Ten Opt Out List

Also from the World Privacy Forum: The World Privacy Forum's Top Ten Opt Out List is "a list of what top things to opt out of, and how to opt out. Millions of people have heard about the Do Not Call list, an opt out list that gets people off of telemarketing lists. But many fewer people have heard about the other opt outs that are available, like those that can take people out of data broker lists or opt outs that can stop schools from giving out directory information like email and home addresses."

State Security Freeze Laws

This page from the World Privacy Forum provides an overview of state security freeze laws, as well as a list of states with enacted security freeze legislation. Each entry includes a link to the full text of that state's security freeze statute.

Friday, July 20, 2007

IT Disaster Recovery Tool-kit

The National Association of State Chief Information Officers publishes this tool-kit which is designed to assist state CIOs and their staff in IT disaster recovery and business continuity planning. It is an updated and expanded version of business continuity and disaster preparedness checklists utilized for a brainstorming exercise at the “CIO-CLC Business Continuity/ Disaster Recovery Forum” at NASCIO’s 2006 Midyear Conference.

Spyware's Effect on Web Site Traffic Counts

Ben Edelman has a new article entitled "How Spyware-Driven Forced Visits Inflate Web Site Traffic Counts." Also see this related New York Times article from Dec. 11 of 2006 entitled "In Web Traffic Tallies, Intruders Can Say You Visited Them."

House Committee Passes Social Security Privacy Legislation

In a press release, the House Ways and Means Committee stated "During the course of the 16 hearings conducted by the Subcommittee, numerous experts testified that the easy availability of Social Security numbers (SSNs) in the public and private sectors, combined with the number’s widespread use as an individual identifier, greatly facilitates the crime of identity theft. The bill would restrict the use of the SSN by government and business, to make it less accessible to identity thieves, while providing exceptions for legitimate and necessary uses of the number." Click here for a text of the bill.