Identity Theft and the Data Custodian

1
Identity Theft and the Data Custodian
  • W. Scott Blackmer
  • sblackmer@blackmerlaw.com
  • International Association of Privacy
    Professionals
  • Las Vegas, October 26, 2005

2
Arizona Man Steals Bush's Identity, Vetoes Bill
3
Identity Theft
  • "A fraud committed or attempted using the
    identifying information of another person without
    authority" (FTC)
  • FTC estimates 10 million cases annually
  • US Dept of Justice: fastest-growing crime
  • Global scope
  • Example: US and UK data used to make credit cards in
    Poland, then purchases in Singapore
  • Escalating costs for individuals and firms
  • Measurable impact on e-commerce, online banking
  • Employers, merchants, and financial institutions
    are often the unwitting source of data used in ID
    theft

4
Widening Impact of Identity Theft
  • US: $2.4 billion stolen from bank accounts
    remotely in 2004, only $75M in person (Gartner)
  • 6M individuals received notice of security
    breach Feb-May 2005; expect more from CardSystems
    hack
  • Cyber Security Industry Alliance survey June
    2005: 48% avoid e-commerce for fear of ID theft
  • Harris-Westin survey June 2005:
  • 87% aware of security breaches
  • 20% say they have been ID theft victims
  • 59% say current laws and business practices are
    inadequate
  • WSJ reports declines of 1-3% in stock prices for
    several months following corporate disclosures of
    breaches
  • Legislators demanding accountability

5
Identity Theft As an Organizational Challenge
  • Reputation in the marketplace
  • Employee relations
  • Costs of securing personal data
  • Costs of incident response
  • Compliance with privacy laws (e.g. security
    requirements, notice of security breaches)
  • Potential liability for negligence

6
New Age Crime
  • Organized crime, hackers, even street gangs
  • Industrial espionage, cyber warfare, terrorism
    (second stage attacks using stolen ID
    credentials to attack a company or agency)

7
ID Theft Lifecycle (Liberty Alliance draft)
Planning
  • Target a firm
  • Target a victim
  • Target credentials
  • Decide method
  • Fraud objective
  • Criminal collaboration
Setup
  • Research/probing networks
  • Create materials
  • Setup destinations
  • Obtain contact info
  • Setup attack machinery
  • Install physical traps/loggers
Attack
  • Vector website
  • Vector eMail
  • Vector IM
  • Vector news, chatroom, blog
  • Vector bulletin board
  • Vector wireless technology
  • Vector P2P or games
  • Vector insider
  • Vector malware
  • Vector backup media
  • Dumpster diving
  • Physical theft
  • Shoulder surfing
Collection
  • Web response
  • eMail response
  • IM response
  • Gather malware data
  • Read discarded disk/tape data
  • Gather vectored data
Fraud
  • True name fraud
  • Account compromise
  • Criminal fraud
  • Credential trafficking
  • Credentials used in 2nd stage attack
  • Money laundering
  • False registrations
  • Pump and dump schemes
Post Attack
  • Shutdown attack machinery
  • Destroy evidence
  • Qualify compromised accounts
  • Assess effectiveness
  • Launder proceeds
  • Share/sell techniques or information

8
Recent Security Breaches
  • CardSystems: data on 40M credit cards exposed to
    hackers, ca. 200K downloaded (class action filed
    in San Francisco against CardSystems, Visa,
    MasterCard)
  • CitiGroup: 3.9M loan records on tapes shipped to
    credit bureau and lost in transit
  • ChoicePoint: 145K persons (phony merchants) (class
    action)
  • Bank of America: 1.2M federal employee travel
    charge cards (tapes)
  • MCI, US Dept of Justice, Motorola, FDIC:
    employees
  • Iron Mountain / Time Warner: 600K employees,
    Ameritrade: 200K customers (backup tapes)
  • Lexis-Nexis / Seisint: 310K (poor password
    control)
  • DSW Discount Shoe Warehouse: 1.4M card and check
    transactions (OH Atty General suit)
  • Polo Ralph Lauren: GM-branded MasterCards
    compromised
  • BJ's Wholesale Club (Track II data from credit
    card mag stripes)
  • Wachovia, Bank of America, PNC, Commerce Bancorp:
    0.7M (bank employees sold customer data to phony
    collection agency)
  • UC Berkeley, UC San Diego, Boston College, Tufts,
    Northwestern (stolen laptops, hacks)
  • Illinois Motor Vehicle records (unshredded
    trash)
  • Kaiser fined for using health data on test
    website
  • Japan FSA warns Michinoku Bank (3 CDs, 1.3M
    customers)
  • Canadian tax and bank records lost or stolen
  • 2005 incidents: 1/3 hacking, 2/3 lost or stolen
    hardware, tapes, or CDs (Privacy Rights
    Clearinghouse), typically not encrypted

9
Laws Follow Fears
  • Government intrusion (1789 4th Amendment, 1974
    Privacy Act)
  • Contract, fraud
  • Invasion of privacy torts
  • Credit Bureaus (Fair Credit Reporting Act)
  • Unfair or deceptive practices (FTC Act §5 and state
    laws)
  • Financial harm (FCRA, FACTA, GLBA)
  • Medical records (HIPAA)
  • Academic records (FERPA)
  • Children (COPPA)
  • Cybercrimes
  • SPAM, malware, phishing (CAN-SPAM, malware bills
    in Congress, UT spyware act, NY $7.5M Intermix
    settlement)
  • Security breach notice and response (Calif. SB
    1386, AB 1950, etc.; bills in Congress and
    states)
  • California anti-phishing law
  • Security, Notification, Credit Freeze, Sensitive
    Data (Health, SSN)
  • RealID, acceptance of biometrics and RFID ("What's
    in Your Wallet?")
  • Proposed regulation of data brokers
  • Comprehensive data protection laws in Europe,
    Canada, Japan, Australia . . . 40 countries
  • OLD WORRY: Big Brother
  • NEW WORRY: Lots of Little Brothers sharing
    data, losing data, stealing data

10
Example: State SSN Laws, Negligence Lawsuits
  • MI SSN Privacy Act (eff. March 1, 2005):
  • Employers and others with SSNs must create policy
    by 1/1/06
  • Ensure confidentiality of SSNs
  • Limit access to information and documents
    containing SSNs
  • Establish document destruction procedures
  • Penalties for violations
  • MI Ct Appeals (Feb. 2005) upheld $275K verdict
    against union for negligence in protecting
    personal information stolen by treasurer's
    daughter (special relationship duty of care)
  • CA, IL, TX, AZ also impose duties on employers
    and others to protect SSNs, which could also be
    the basis for a special relationship duty of
    care in negligence actions

11
Example: Leahy-Specter Bill
  • June 2005 bill for a federal Personal Data
    Privacy and Security Act
  • Regulation of data brokers (data on 5K persons
    or more)
  • Right of individuals to access their records
  • Control collection and use of Social Security
    Numbers
  • New criminal sanctions, review of sentencing
    guidelines
  • Documented privacy and security programs required
    for most businesses (GLBA model)
  • Security breach notices (10K or more)
  • Privacy impact assessments when federal agencies
    use data brokers

12
Example: FTC Order in BJ's Wholesale Club
  • $13M in fraudulent credit/debit card charges
  • Transmittal and storage of Track II data from
    card mag stripes, over unsecured wireless
    networks
  • Complaint is the first based on unfair rather
    than deceptive trade practices (FTC Act §5)
  • FTC settlement June 2005 requires encryption,
    data retention rules, better username and
    password procedures, intrusion detection,
    incident response, biennial security audits and
    reports for 20 years
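The retention failure in this order was keeping Track II (magnetic stripe) records after authorization. As an added example that is my own code, not part of the presentation or the FTC order, here is a retention check a data custodian could run over stored logs to find such records before an auditor does; the log lines are constructed, using the standard Luhn-valid test PAN 4111111111111111.

```python
import re

# Track 2 layout (ISO/IEC 7813): ';' start sentinel, PAN of up to 19 digits,
# '=' separator, YYMM expiry, 3-digit service code, discretionary data,
# '?' end sentinel. Anything matching this in storage is a retention finding.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check on the PAN; cuts false positives from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits so the finding itself is not a new leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(text: str) -> list:
    """Return one masked finding per Track 2 record whose PAN passes Luhn."""
    findings = []
    for m in TRACK2_RE.finditer(text):
        pan, expiry, service_code, _discretionary = m.groups()
        if luhn_ok(pan):
            findings.append({"pan": mask_pan(pan), "expiry": expiry,
                             "service_code": service_code})
    return findings


# Constructed sample of a POS log that wrongly retains full track data.
SAMPLE_LOG = (
    "2005-06-01 POS#12 auth ok ;4111111111111111=0512101123456789?\n"
    "2005-06-01 POS#12 auth ok ;4111111111111112=0512101123456789?\n"  # fails Luhn
    "2005-06-01 POS#13 auth ok token=abc123\n"
)

if __name__ == "__main__":
    for f in find_track2(SAMPLE_LOG):
        print("retained Track 2 record:", f)
```

Run it against exported logs, database dumps and backup media listings; any hit means the retention rule is not being enforced where that data lives.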

13
Example: Application of Data Protection Laws
outside US
  • Broad regulation of collection, use, and
    disclosure of personal information
  • Security obligations for data controllers
  • Including due diligence in outsourcing and
    contracts requiring appropriate security
    measures
  • Technical and organizational security
  • Special controls in many countries for official
    ID numbers, financial accounts, biometric data
  • Administrative fines and orders, criminal
    penalties, civil liability for compensatory
    damages

14
Example: Information Security and Corporate
Financial Accountability
  • Sarbanes-Oxley (SOX): focus on corporate
    governance and financial reporting (after Enron,
    WorldCom)
  • §302: quarterly and annual certifications on
    disclosure control procedures (since 2002)
  • §404: annual management report and CPA attestation
    on effectiveness of internal controls (2004 or
    2005)
  • Reassurance that business objectives will be
    achieved and undesired events prevented,
    detected, and corrected; IT controls support
    financial reporting
  • IT threats and noncompliance may be material
    and require public disclosure
  • IT internal controls often based on COBIT or ISO
    17799
  • US financial institutions subject to new
    information security guidelines
  • Basel II (capital adequacy) and SOX-like
    proposals in Europe

15
Common Security Obligations in Handling Personal
Information
  • Protect personal information against loss and
    unauthorized access, alteration, use, or
    disclosure
  • "Reasonable," "appropriate": refer to
    standards such as FTC Safeguards Rule, ISO,
    COBIT, NIST, Common Criteria
  • Technical and organizational measures
  • Designated responsibilities and training
  • Documented security policy and procedures, based
    on risk assessment and sensitivity of data
  • Control access to those with need to know
  • Access logs
  • Intrusion detection
  • Incident response
  • Contracts with third parties
  • Encryption for sensitive data
  • Data retention and disposal

16
Sensitive Data
  • US: credit/financial, children, medical/genetic
    data, SSN and driver's license
  • EU: race or ethnicity, health or sex life,
    political or trade union activities, religious
    and philosophical opinions, criminal/judicial
    records, use of national ID numbers
  • New regulation of RFID, presence or geolocation
    data, biometrics (CA, Italy)
  • Employee monitoring (CT, DE, Europe, Canada)
  • The list grows with changing perceptions of data
    and uses posing a risk of harm, including
    correlation attacks using multiple pieces of
    individually harmless data

17
Multiplying Challenges
  • New law: hundreds of statutes and regs each
    year, court and agency interpretations
  • Divergent or conflicting requirements: Privacy
    vs.
  • Transaction records and proof of payment
    authorization
  • Preventing fraud or abuse of the organization
  • Human resources management
  • Protection of trade secrets
  • Directory administration
  • Marketing and customer service
  • Compliance with tax and EEO laws, OSHA, PATRIOT
    Act, public health reporting
  • Avoiding hostile workplace claims
  • Digital rights management
  • Jurisdiction: when are you covered by GLBA,
    HIPAA, state laws, foreign laws?
  • ChoicePoint class action: are you acting as a
    consumer reporting agency subject to statutory
    damages?
  • Coverage of proposed laws on data brokers
  • Jurisdiction for online transactions and
    communications
  • Security breaches: what and when must you report
    to shareholders, regulators, law enforcement,
    individuals?

18
Contractual Risk Management
  • Outsourcing (online transactions and web
    services, call centers, transcription, BPO,
    software development)
  • Data sharing in supply chains, business networks
  • Reference to security standards (e.g., Common
    Criteria, ISO 17799)
  • Security annexes
  • Due diligence and mandatory contract provisions:
    HIPAA (medical records), financial institutions
    (FFIEC, GLBA, SAS 70, Basel II), EU Art. 17
    clauses and standard contracts for transborder
    personal data flows, US-EU Safe Harbor Onward
    Transfer contracts
  • Government contracts, FISMA and NIST standards
  • Liability and indemnification clauses
  • ID theft insurance

19
Compliance Future-Proofing
  • Compliance and risk management requires a team
    approach, including legal and audit as well as IT
    and users
  • Focus IT security on the riskiest kinds of
    personal data
  • Conduct security and privacy audits, privacy
    impact assessments
  • Document, communicate, and verify information
    policies and procedures, including incident
    response plans and public communications
  • Refer to accepted standards wherever possible
  • Run training and awareness programs
  • Use contracts to allocate responsibilities
  • Use the Web, IAPP and other associations,
    professional resources to stay on top of changing
    requirements and best practices

20
Resources
  • FTC identity theft site, www.consumer.gov/idtheft
  • Liberty Alliance Identity Theft SIG,
    www.projectliberty.org
  • ITAC (ID Theft Assistance Center),
    www.identitytheftassistance.org
  • ISTPA Privacy Framework, www.istpa.org (an
    approach to engineering privacy into information
    systems)