Thursday, June 29, 2006

FTC Loses Laptop, Private Data


FTC set lose personal data on laptop. Here we go again with yet another laptop loss - but this one was by the guardians and enforcers of privacy for US citizens. They cavalierly leave a couple of laptops in a "locked vehicle" as if car door locks were ever considered secure. The data lost was information on 110 people under investigation for FTC violations, and included financial account information as well as social security numbers, dates of birth, names and addresses.

So not only are those people being warned by the FTC that their personal and financial information was lost, but (if they didn't know already) that they are being investigated for FTC violations. "Oh, by the way, you'll be fined and jailed later - sorry we lost your information."

The FTC is now taking what has become the standard line in laptop thefts with the absurdly non-reassuring,

"The FTC has no reason to believe the information on the laptops, as opposed to the laptops themselves, was the target of the theft," its statement said. "In addition, the stolen laptops were password protected and the personal information was a very small part of several thousand files contained in one of the laptops."
Gee guys, that's swell. Thanks for all you do.

In a cute kind of CYA (Cover Your Assets) move, the White House, through the OMB, then issues a call for better security, encryption and two factor identity access of laptops. Does anyone think there is a trend developing here? How about here? Maybe here?

Here's a lucid commentary by columnist Mike Hoban of the Northwest Indiana Times suggesting some responsibility rest on the shoulders of executives of companies that lose data, especially on laptops stolen from cars.

Technorati , , ,


Save To Del.icio.us    Digg! Digg This!
posted by RealitySEO at 10:14 AM 0 comments

Wednesday, June 28, 2006

Privacy's Doom is Digital Data


Does digital age spell privacy's doom? This Christian Science Monitor story reviews a laundry list of privacy breaches, thefts, hacks, tricks and losses since the highly publicized ChoicePoint case from 2005. But here we are still blabbing about it and doing nothing.

Politicians are considering a crazy patchwork of laws in every state that are likely to be over-ruled by far weaker federal laws being considered in Congress. This is plain foolishness to fiddle while Rome burns.


Save To Del.icio.us    Digg! Digg This!
posted by RealitySEO at 9:20 AM 0 comments

Thursday, June 15, 2006

AIG Laptop Data Theft on 930,000


AIG reports data theft on 930,000 applicants. Proving once again that companies which hold sensitive, private, personal, medical and financial information on customers and potential customers need to be REQUIRED to protect that information and lock down all sources of possible theft or leaks with ironclad security, encryption and theft prevention measures.

As a matter of fact, long lists of news stories relating the theft of laptops containing sensitive customer or applicant financial and health data suggest that it should never be allowed on laptops, without exception.

If employees that have access to those laptops or can download the data to their own computers remotely - then the company should be held fully accountable for all costs to every person listed (in the data held) for identity theft, denial of insurance claims, future loss of access to money, medical coverage and credit.

A quote in the News.com story that shows the need for this type of legal requirement by suggesting the delusional hope that the machine was stolen for the value of the machine and not its contents.

The burglar also took a laptop computer, a camera and other computer equipment, Winans said, adding that the insurance company thought the burglar's objective was to take the equipment and may not have known about the personal data.

This issue will end up in Congress if data brokers and other large companies like AIG insurance don't stem the tide of data theft, loss and hacking.

Technorati , , ,


Save To Del.icio.us    Digg! Digg This!
posted by RealitySEO at 10:00 AM 0 comments

Tuesday, June 06, 2006

Privacy Sticker Shock: IT Security


Technorati , , ,

Gartner Security news on an upcoming summit will hopefully rattle some businesses who hold sensitive personal and financial information on customers out of their complacency and move them into action on customer data protection.

According to Gartner vice president and analyst Avivah Litan, IT security measures at companies holding private and personal information on as few as 10,000 customers can spend up to $160,000 for encryption, intrusion prevention and security audits on that data. And although Litman gently broke down the numbers to a per-customer cost of $90, the cost to respond to a large scale data breach can exceed a bit more shocking amount approaching $1,000,000 (One MILLION) for those same ten thousand customers.

Litman also warns in the press release announcing the IT Security Summit, that social security numbers can no longer be the sole, trusted source of identity because as many in one in seven social security numbers in the US have already been compromised!

Here's an idea for companies who want to save money on IT Security - DON'T ASK FOR OR STORE CUSTOMERS SENSITIVE PERSONAL INFORMATION! Then you don't have to store it, protect it, encrypt it and audit your security. That also means you can't sell it - darn. Hmmmm. What a concept.

Now some financial companies do need to have sensitive personal and financial information on customers and they absolutely must guard that information as though it were all the gold in Fort Knox. Security should not be in question. Full and complete protection of customer data should never be doubted. Those companies should be legally required, yes I said LEGALLY REQUIRED to fully encrypt that data, have the finest intrusion protection systems and continually audit their systems and their people against fraud and error. Further, those companies that hold and store sensitive personal, medical, financial data on customers should be legally compelled to fully restore and make good any losses incurred by customers due to data breaches of any sort in their systems - period.

Now there is another element to this little puzzle as well. NO COMPANY SHOULD EVER BE ALLOWED TO SELL PRIVATE PERSONAL FINANCIAL OR MEDICAL INFORMATION ON ANY CUSTOMER OR POTENTIAL CUSTOMER to another company or individual - period. I reproduced an article in this space last week about that offensive practice in the financial industry that should have us all gasping in complete shock.

Companies that hold personal financial or medical information on any customers should treat it like gold and lock it away in the most secure way possible. IT geeks at companies who hold sensitive customer data, please attend this Gartner IT Security Summit oulined in the press release below and go back to your company, convince the beancounters to take security to heart and lock up and protect customer data like gold.

WASHINGTON--(BUSINESS WIRE)--June 5, 2006--

Analysts Examine Protective Measures Companies Can Implement During Gartner IT Security Summit, June 5-7, in Washington, DC

The recent thefts of personal data from companies and government agencies make it clear that Social Security numbers can no longer be relied on as proof of identity, according to Gartner, Inc. Gartner analysts said enterprises should use this data as only part of an overall "identity score."

Avivah Litan, vice president and distinguished analyst at Gartner, recently testified at the oversight hearings for the Committee on Veteran's Affairs regarding the theft of sensitive information belonging to 26.5 million veterans and spouses from a Veteran Affairs employee's home. Ms. Litan told the committee that this latest compromise shows just how unprotected some of the nation's most sensitive data is.

"This incident also shows that the Social Security number has become an extremely unreliable piece of information and cannot be trusted to be unique to an individual. Companies should not rely on Social Security numbers alone as proof of individual identity," Ms. Litan said. "As many as one-in-seven adult Social Security numbers in the U.S. may already have been compromised."

Ms. Litan is providing more detailed analysis regarding identity theft during the Gartner IT Security Summit, which is taking place here through June 7.

While security managers are attempting to implement more-stringent security measures around sensitive information, the price tag for such protection can cause sticker shock for many companies. Security managers are facing challenges in receiving the budget required to better protect customer and business-sensitive information. Gartner analysts point out that data protection is much less costly than data breaches.

"A company with at least 10,000 accounts to protect can spend, in the first year, as little as $6 per customer account for just data encryption, or as much as $16 per customer account for data encryption, host-based intrusion prevention and strong security audits combined," Ms. Litan said. "This compares with an expenditure of at least $90 per customer account when data is compromised or exposed during a breach."

Encrypting stored data can provide the most robust data protection, but if that is unfeasible because of undue cost and complexity, companies should deploy comprehensive host-based intrusion prevention systems (HIPS). However, successfully deploying HIPS requires strong server configuration control and additional administrative cost and complexity. Another option is strong security audits to validate that the organization has deployed satisfactory mitigating controls, reducing the need for data encryption or HIPS.

"None of these options are mutually exclusive, but implementing all three will still be less expensive than having to respond to a large-scale data breach," Ms. Litan said.

Additional information on identity theft prevention is being released at the Gartner IT Security Summit, being held at the Marriot Wardman Park Hotel in Washington, DC. Gartner analysts, industry experts and IT security practitioners are delivering unbiased, realistic analysis on the current state of IT security, as well as an independent overview of the market during the next 12-18 months. For complete event details please visit the Gartner IT Security Summit Web site at www.gartner.com/us/itsecurity.

About Gartner

Gartner, Inc. (NYSE: IT) delivers the technology-related insight necessary for its clients to make the right decisions, every day. Gartner serves 10,000 organizations, including chief information officers and other senior IT executives in corporations and government agencies, as well as technology companies and the investment community. The Company consists of Gartner Research, Gartner Executive Programs, Gartner Consulting and Gartner Events. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, U.S.A., and has 3,700 associates, including 1,200 research analysts and consultants in 75 countries worldwide. For more information, visit www.gartner.com.


Save To Del.icio.us    Digg! Digg This!
posted by RealitySEO at 9:35 AM 0 comments

Monday, June 05, 2006

Human RFID Spying on Immigrants


Below is a press release issued by Katherine Albrecht and Liz McIntyre of SpyChips.com to focus a spotlight on the absurd statement of Scott Silverman, the chairman of the board of Verichip Corporation (maker of RFID tags currently being used in both human medical and animal tracking).

The devices are approved by the FDA for injection under the skin of both animals and humans to allow scanning of the implant to show unique ID's, which are linked to a database of information, either medical or identity.

The shocking statement came from Silverman suggesting using VeriChip RFID tags to track immigrants. Supposedly allowing those who agree to be tagged on entry to come in to the country if they agree to the tag injections. It looks like an opportunistic grab for attention of his companies product after President Bush called for a high tech way to monitor illegal immigrants. Silverman admits having talked with Administration officials about the idea.

Imagine the scenario, assuming this hairbrained scheme is implemented. Special underground (unregulated, unsafe and likely unsanitary) clinics set up nationwide to remove VeriChip tags once immigrants are here. Back alley tag removals will no doubt bring serious illness or death to those who have them dug out of their arms or hands. A new economy will no doubt emerge where secretly carried tags will be sold or distributed to immigrants needing to verify their employment or cross the border will be read instead of the actual device, which has been removed.

The idea of tracking humans is patently offensive and should be slapped down as quickly as possible. I've commented here before about the dangers of medical RFID tracking and hope we don't start requiring either legal or illegal immigrants to be tagged like cattle in order to allow them legal entry.

FOR IMMEDIATE RELEASE
May 18, 2006

VERICHIP INJECTS ITSELF INTO IMMIGRATION DEBATE
Company Pushes RFID Implants for Immigrants, Guest Workers

Scott Silverman, Chairman of the Board of VeriChip Corporation, has alarmed civil libertarians by promoting the company's subcutaneous human tracking device as a way to identify immigrants and guest workers. He appeared on the Fox News Channel earlier this week, the morning after President Bush called for high-tech measures to clamp down on Mexican immigrants.

Privacy advocates Katherine Albrecht and Liz McIntyre are warning that a government-sanctioned chipping program such as that suggested by Silverman could quickly be expanded to include U.S. citizens, as well.

The VeriChip is a glass encapsulated Radio Frequency Identification tag that is injected into the flesh to uniquely number and identify people. The tag can be read silently and invisibly by radio waves from up to a foot or more away, right through clothing. The highly controversial device is also being marketed as a way to access secure areas, link to medical records, and serve as a payment device when associated with a credit card.

"Makers of VeriChip have been planning for this day. They've lost millions of dollars trying to sell their invasive product to North America, and now they see an opportunity in the desperation of the people of Latin America," Albrecht observes.

VeriChip's Silverman bandied about the idea of chipping foreigners on national television Tuesday, emboldened by the Bush Administration call to know "who is in our country and why they are here." He told Fox & Friends that the VeriChip could be used to register guest workers, verify their identities as they cross the border, and "be used for enforcement purposes at the employer level." He added, "We have talked to many people in Washington about using it...."

Silverman is reportedly also planning to share his vision on CNBC's Squawk Box if a slot opens up tomorrow (Friday) morning sometime between 6 and 9 AM Eastern Time. He was originally scheduled to appear on the show this morning, but technical problems at the Florida studio prevented his appearance.

The numbering and chipping of people seems like a plot from a dystopian novel, but the company has gotten the buy-in from highly placed current and former government officials, including Columbian President Alvaro Uribe. He reportedly told Senator Arlen Specter (R-PA) that he would consider having microchips implanted into Colombian workers before they are permitted to enter the United States to work on a seasonal basis.

"The mantra 'chip the foreigners' has little appeal once people realize the company wants to stamp its 'electronic tattoo' into every one of us," cautions McIntyre. "Electronically branding and tracking visitors like cattle is VeriChip's excuse to get the government on board. But if that happens, we'll all be in their sights."

Tommy Thompson, former Secretary of Health and Human Services joined the board of VeriChip Corporation after leaving his Bush administration cabinet post. Shortly thereafter, he went on national television recommending that all Americans get chipped as a way to link to their medical records. He also suggested the VeriChip could replace military dog tags, and a spokesman boasted that the company had been in talks with the Pentagon.

Privacy advocates warn that once people are numbered with a remotely readable RFID tag like the VeriChip, they can be tracked. Once they can be tracked, they can be monitored and controlled.

Albrecht and McIntyre, the authors of "Spychips: How Major Corporations and Government Plan to Track Your Every Move with RFID" believe the world's people will stand firm against chipping. "Our country was founded on principles of freedom and liberty. We're betting that the American people will see the end game and buck VeriChip's attempts," said Albrecht. "We also believe the people of Latin America will rise up in opposition once they read our book."

The Spanish language version of "Spychips" will be hitting shelves across Latin America next month.


>> click here for a transcript of the Fox interview with Scott Silverman


ABOUT THE BOOK

"Spychips: How Major Corporations and Government Plan to Track your Every Move with RFID" (Nelson Current) was released in October 2005. Already in its fifth printing, "Spychips" is the winner of the 2006 Lysander Spooner Award for Advancing the Literature of Liberty and has received wide critical acclaim. Authored by Harvard doctoral researcher Katherine Albrecht and former bank examiner Liz McIntyre, the book is meticulously researched, drawing on patent documents, corporate source materials, conference proceedings, and firsthand interviews to paint a convincing -- and frightening -- picture of the threat posed by RFID.

Despite its hundreds of footnotes and academic-level accuracy, the book remains lively and readable according to critics, who have called it a "techno-thriller" and "a masterpiece of technocriticism."

The Spanish-language version of Spychips, titled "Chips Espias," will be available in bookstores in the Americas and Spain starting June 6, 2006.


FOR MORE INFORMATION CONTACT:

Katherine Albrecht (kma @ spychips.com) 877-287-5854 ext. 1
or
Liz McIntyre (liz @ spychips.com) 877-287-5854 ext. 2

 

Technorati  ,


Save To Del.icio.us    Digg! Digg This!
posted by RealitySEO at 9:39 AM 0 comments