Identity Theft? Victim and Alleged Thief ID Each Other.

Digital or Analog, identity theft is frightening, anxiety provoking, and tedious – even if you aren’t in danger of losing money or at risk of physical injury. But it’s often not that simple – for the victim or the perpetrator. As an Applebee’s waitress in Lakewood, Colorado, found out, identity theft in the real world can be more frightening than digital theft.

A few weeks ago, the waitress, Brianna Priddy, while out with some friends (not while working), apparently lost her wallet with all of her credit cards, her checks, and her driver’s license, as well as the cash. She dutifully went through the time-consuming and sometimes frustrating process of calling, writing and notifying everyone she could remember, alerting them to stop transactions that may involve the lost instruments and identification, and asking for replacements. Not fun. Even when her bank called, alerting her to forged checks being issued, she probably resigned herself to living with some frustration, anxiety and pain for a while. But if you think digital identity theft is frightening, read on.

Fast forward: Ms. Priddy is now back at work, waiting tables. A group of young people at her station order drinks. She asks for ID. How amazing to find that one of the women at the table ordering a drink is none other than herself! Cloning? Not really. The woman in the group had offered the victimized waitress’ ID as proof, and I confess she must have been a lot calmer than I would have been. She didn’t let on and, according to reports, said to the patron, handing her back the ID, “I’ll be right back with your Margarita.” The waitress called police and, despite what must have been a nerve-racking eternity, she tried to appear calm and collected while waiting for the police to arrive. They did, and promptly arrested the woman patron on suspicion of theft, identity theft and criminal impersonation.

Not all criminals are as unwitting or as helpful as the alleged thief in this case. Not all identity thieves are that cooperative, even by accident. Most digital identity theft, compromises of personally identifiable information, and data breaches are more complex, involve more than one individual, and often cross state and national borders – with multiple statutory and regulatory schemes that apply to you, the “victim.” Rimon has an entire group dedicated to, and experienced in, helping companies deal with identity theft – from preventive policies to defense of legal rights with respect to consumers and regulators. If you need more information about the complex legal and regulatory issues involved, contact me, Joseph I. Rosenbaum, or the Rimon attorney with whom you regularly work.

LifeLock CEO May Not Be Giving Out His Social Security Number Anymore

Todd Davis, the CEO of LifeLock, is not the first CEO to appear in advertising, but was probably the first to prominently display his U.S. Social Security Number in full-page ads in major newspapers and on billboards across the country. Although these ads disappeared a while ago, the action brought by the Federal Trade Commission and the Attorneys General of 35 U.S. states has now resulted in a settlement valued at $11 million. FYI, the states involved were: Alaska, Arizona, California, Delaware, Florida, Hawaii, Idaho, Illinois, Indiana, Iowa, Kentucky, Maine, Maryland, Massachusetts, Michigan, Missouri, Mississippi, Montana, Nebraska, Nevada, New Mexico, New York, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Vermont, Virginia, Washington, and West Virginia. The settlement resolves claims that LifeLock’s advertising was deceptive and misleading and misrepresented the types of services consumers could expect if they became victims of identity theft and their personal information was compromised.

While LifeLock does provide some measure of identity-theft protection, it was apparently not as robust and comprehensive as the advertising might lead a consumer to believe (personal information would be “useless to a criminal”). As a result of the action, not only has LifeLock promised to make changes (or has already made changes) to address the FTC complaint – in its business practices as well as its advertising – but the complaint also named CEO Davis and his co-founder Robert J. Maynard, Jr., who both will be barred from making the same misrepresentations as LifeLock. The $11 million received from LifeLock will provide refunds to consumers who signed up for the service. Information about eligibility and how the redress program will work can be obtained directly from the FTC – LifeLock Redress Program.

FTC Chairman Leibowitz stated: “Consumers received far less protection than they were promised,” noting further that LifeLock’s service was ineffective against identity theft involving existing credit cards or bank accounts. Despite the advertised claims, according to the FTC, LifeLock often did not encrypt data in storage or transmission, didn’t install any antivirus protection software on computers used by employees, and failed even to require strong password protection for employees’ access to systems and files.

The documents were filed by the FTC in the U.S. District Court for the District of Arizona, and you can obtain a full copy of the original Complaint and the Stipulated Final Judgments against LifeLock, Davis and Maynard, right here: Federal Trade Commission v. LifeLock.

The Advertising Technology & Media law practice has lawyers and the resources of Rimon’s litigation and regulatory enforcement team to help clients seeking to prevent legal and regulatory problems and, if necessary, to defend them if such problems arise. We have a team of data security and identity-theft lawyers with hands-on experience who know how to respond if a data breach occurs and can counsel you in complying with federal and state requirements. Need to know more? Call Joe Rosenbaum, or any of the lawyers at Rimon with whom you work – and, by the way, don’t give out your Social Security Number.

The War on Privacy Opens a New Front

In the aftermath of many well publicized data breaches, in the past few years, more than 40 U.S. states have enacted data breach disclosure laws—“identity theft” statutes—which, among other things, require consumers to be notified when personally identifiable information is or may have been compromised in a database. But recent reports citing ineffectiveness of such legislation (e.g., Carnegie Mellon University researchers found notification laws only reduce identity theft by around 2 percent) and a growing sense that notification laws don’t prevent the problem, have caused some states to examine other approaches. At least two states, Nevada and Massachusetts, have enacted different legislation aimed at prevention, and Washington and Michigan are actively considering new measures.


Data Breach. Cause for Alarm or a Big Yawn?

By August 2008, there were more publicly disclosed data breaches among U.S. businesses than for all of 2007. More information is created, flowing and stored by commercial enterprise than ever; more clever schemes are being hatched by criminals for hacking or disrupting information; employees don’t appreciate the value of assets you can’t feel; and consumers are befuddled by a maze of privacy notices, data theft notices, credit report advertisements, and scare tactics launched by advocacy groups—well intentioned though they may be.

More than 40 U.S. states have laws requiring disclosure of data breaches. If these were intended to create incentives to prevent data breaches and reduce their occurrence, how do we explain the steady rise? Are the laws ineffective? Are businesses accountable beyond some adverse publicity, once they provide legally mandated disclosure? Have we become jaded, treating news reports, privacy notices and breach notices as just so much junk mail?

In the credit card world, consumers generally have a maximum $50 liability if a card is lost or stolen. In situations where there are no real-time approvals, credit card companies take the risk. In that environment, a business decision is made to accept certain losses because the potential revenue generated by the business model yields a greater reward. In the world of consumer privacy and personally identifiable information disclosure, who is taking what risk? Studies for years indicate IT professionals appreciate that digital crime—theft of intellectual property, piracy, theft of trade secrets, customer data or employee information—is a problem. Many companies may not even know their security is breached, and others have little incentive to solve the problem.

Need more information? Come to my web page, contact me and tell me what you think. Call if you need help with a policy, a position or an understanding of your legal rights and obligations. We can help.

Coping With COPPA

The Children’s Advertising Review Unit recently held that screening for age to avoid collecting personal information from children under 13 was not enough. In Bandai America (the website is Bandai’s Wireless.com site), CARU found that although Bandai’s website had a screening mechanism that asked for a date of birth, there was no tracking once a child put in a birth date. Thus, anyone under 13 could come back and enter a different (inaccurate) date of birth to get by the screen. CARU’s COPPA compliance guidelines require that not only must interactive sites have an age screening mechanism, but there also must be some reasonably effective means of tracking so children can’t get around the screening process. Forewarned is forearmed.
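The tracking step CARU found missing in the Bandai case, as an added illustration (not Bandai’s, CARU’s or any real site’s code): a neutral age screen that remembers a visitor who has already failed it, so re-entering a different date of birth does not get them past the gate. The `blocked` set stands in for whatever persistent marker (a cookie or session flag) a site would actually use; that design choice is an assumption of this example.

```python
from datetime import date

# Age below which COPPA's parental-consent rules apply.
COPPA_MIN_AGE = 13


def age_on(birth: date, today: date) -> int:
    """Full years between birth and today (birthday not yet reached counts less)."""
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years


class AgeGate:
    """Age screen with memory of failed attempts.

    `blocked` is a stand-in (assumption of this example) for a persistent
    cookie or session flag set on the visitor's browser: once a visitor id
    is recorded here, any later date of birth from the same visitor is
    refused without being evaluated.
    """

    def __init__(self) -> None:
        self.blocked = set()

    def screen(self, visitor_id: str, dob: date, today: date) -> bool:
        """Return True if the visitor may proceed, False if screened out."""
        # A visitor who failed once stays screened out regardless of the
        # date entered next time; this closes the gap CARU identified.
        if visitor_id in self.blocked:
            return False
        if age_on(dob, today) < COPPA_MIN_AGE:
            self.blocked.add(visitor_id)
            return False
        return True
```

The screen itself should stay neutral (ask only for a date, never state the threshold), and a cookie-based marker is only as durable as the browser that holds it, which is why guidance speaks of "reasonably effective" rather than foolproof tracking.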

Who Pays For the Data Security Breach?

Have you received one of those “data security breach” letters? Quick, call the credit bureau and bank. Change the checking, credit card and license numbers. Most financial institutions have absorbed the cost of reissuing payment cards or providing new checks, even when these financial institutions had nothing to do with the security breach. When B.J.’s Wholesale Club disclosed that a theft of credit card information had occurred, two financial institutions sued to recover the costs that resulted from that breach. The institutions claimed B.J.’s breached its legal obligation to maintain the security of the financial information and should be liable for the damages. Those claims were initially rejected, but have now been revived by the U.S. Court of Appeals for the Third Circuit, which has issued a decision holding that these financial institutions were intended third-party beneficiaries of the contract among the retailer, its merchant bank, and the payment card industry to keep customer data safe. If the retailer breached data protection rules imposed by the payment card industry and the financial institutions were third-party beneficiaries of that agreement, then any damage and loss could be recovered based on contract law claims. Stay tuned.

You Would Think They Would Know Better

Cyber-Ark Software, a U.S.-based information security company, surveyed information technology professionals at the Infosecurity Europe Expo 2008 in London this past April. They asked 300 senior IT folks attending the Expo about abuses relating to information access, and guess what they found? First, about one-third of all IT professionals surveyed had abused their own company’s information access rights policies to view information unrelated to their job (e.g., spying on employees or looking at confidential information). The survey report noted that passwords of IT and systems oversight staff often aren’t required to be changed as often as user passwords—or sometimes not at all. In most cases, IT administrators have free rein to use or abuse access privileges—which apparently happens too often.

The notion of “internal firewalls” is highlighted by this report. While companies often take great pains to protect themselves from external threats, as history has shown us in the physical world, the biggest dangers are from “inside jobs.” Without protections that apply internally, snooping, economic espionage, sabotage, spying and data security risks will remain a looming threat to the information assets of a business enterprise.

Data, Data Everywhere, But Hackers Drop into Secure Websites

Criminals stole customer information from the Hannaford Bros. and Sweetbay grocery chains’ computer networks. As shoppers swiped cards at checkout and their information was routed to transaction processors using state-of-the-art, fiber-optic, hard-wired cable for transmissions, malicious software intercepted the information and transmitted it to an ISP off-shore. Experts are still trying to figure out how the code got into the systems in the first place.


Data Security Breach – Who Are You Going to Call?

The New York State Information Security Breach and Notification Act amends the State Technology Law (Section 208) and the General Business Law (Section 899-aa), and requires that any New York State entity, as well as any person or business conducting business in New York that owns or licenses computerized data that includes private information, must disclose any breach to New York residents (New York State governmental entities must also notify non-residents). This is similar to well over 30 other states that have data breach notification statutes. Did you also know that when notification is necessary, New York law requires notification to the Attorney General, the Office of Cyber Security & Critical Infrastructure Coordination, and the Consumer Protection Board? Did you know there’s a “New York State Security Breach Reporting” form? No company relishes the idea of having to deal with a compromise of sensitive customer data. And no company should have to worry about not having the right legal advice when dealing with its customers, regulators and law enforcement officials. Rimon has a Data Security Group that keeps track of these laws in the United States and throughout the world.

Test Data? Really?

Are you using real customer data for testing? In a recent survey, well over 60 percent of IT professionals reported using live customer data for application testing and for software development. Guess how many IT professionals outsource application testing (and share live data with the testing company)—about 50 percent. Worried about sensitive data? Compliance with data breach statutes? Privacy concerns? Is this a potential gap in the security wall many companies build around their networks? You bet. Could it be a big compliance, legal and regulatory problem? Bigger bet. While live customer data is obviously the most representative for testing, it’s also the riskiest. What can you do? Use fake data. Anonymize or sanitize real data. Use encryption. Limit access and strengthen contract, monitoring and audit controls. We know privacy and security, regulation and compliance. Call us.
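One way to “anonymize or sanitize real data” before it reaches a test or outsourced environment, as an added example that is not from the original post or any survey respondent: a pass that drops the SSN, masks the card number to its last four digits, and replaces identities with keyed pseudonyms so that orders still join to customers. The sample records, the HMAC key and the `test.invalid` mail domain are all constructed for this example.

```python
import hashlib
import hmac
import re

# Constructed sample of "live" records, as a copied production table might hold them.
LIVE_CUSTOMERS = [
    {"id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "ssn": "123-45-6789", "card": "4111111111111111"},
    {"id": 1002, "name": "Bob Sample", "email": "bob@example.com",
     "ssn": "987-65-4321", "card": "5500000000000004"},
]
LIVE_ORDERS = [
    {"order": 1, "customer_id": 1001, "total": 19.99},
    {"order": 2, "customer_id": 1002, "total": 5.25},
    {"order": 3, "customer_id": 1001, "total": 42.00},
]

# Placeholder key: kept out of the test environment and rotated per refresh, so
# pseudonyms are consistent within one sanitised copy but not reversible from it.
SANITIZE_KEY = b"placeholder-key-rotated-per-refresh"


def pseudonym(value, key=SANITIZE_KEY):
    """Keyed HMAC of a value, truncated to 12 hex chars; same input -> same token."""
    return hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()[:12]


def mask_card(pan):
    """Keep only the last four digits so display and format logic still exercises."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitize(customers, orders, key=SANITIZE_KEY):
    """Return test-safe copies: SSN dropped, PAN masked, identity pseudonymised."""
    safe_customers, safe_orders = [], []
    for c in customers:
        tok = pseudonym(c["id"], key)
        safe_customers.append({
            "id": tok,
            "name": f"Customer {tok[:6]}",
            "email": f"{tok}@test.invalid",  # reserved TLD: mail can never leave
            "card": mask_card(c["card"]),
        })
    for o in orders:
        safe_orders.append({**o, "customer_id": pseudonym(o["customer_id"], key)})
    return safe_customers, safe_orders


def contains_live_pii(records, live):
    """Check sanitised records for any original name, email, SSN or full PAN."""
    blob = repr(records)
    return any(c[f] in blob for c in live for f in ("name", "email", "ssn", "card"))
```

Run the `contains_live_pii` check as a gate in the pipeline that builds the test copy, so a refresh that accidentally carries a raw field through fails before the data is handed to developers or a testing vendor.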