Wednesday, August 03, 2005

Update on auto black boxes and insurance discounts

Rob Hyndman is writing about car black boxes and an insurance company's pilot project using them. Check it out: robhyndman.com - Blog Archive - Update on Car Black Box Surveys.

Alberta Commissioner releases report concerning collection and retention of personal information by two retail stores

It has become common practice for retailers to demand personal information in order to process returns and refunds. (See The Canadian Privacy Law Blog: Retailers demanding ID, tracking returns and The Canadian Privacy Law Blog: Article: New privacy sprouts forest of complaints).

Today, the Alberta Information and Privacy Commissioner's office released a decision that faulted two large retailers for collecting drivers' license data for input into a centralized merchandise return system. All retailers in Canada who collect ID to deter fraud should be aware of this decision.

From the Commissioner's news release:

Commissioner releases report concerning collection and retention of personal information by two retail stores

Commissioner Frank Work authorized an investigation under the Personal Information Protection Act ("PIPA" or "the Act") after receiving complaints alleging that two Canadian Tire stores contravened the Act.

The complainants reported that a Canadian Tire store in Calgary and a Canadian Tire Store in Sherwood Park refused to complete a return of goods transaction unless the customers provided their Drivers' Licence (D/L) numbers or other identification.

The investigator found that the Calgary store contravened the Act by collecting and retaining D/L numbers in its merchandise return system. There was no evidence that the Sherwood Park Store retained the complainant's D/L number.

The investigation revealed that:

  • For the purposes of deterring fraud, the stores collect certain personal information of individuals returning goods. Simply asking for a name, address and telephone number was sufficient to meet their purposes.
  • Viewing picture identification to confirm the name, address and telephone number in some cases was sufficient; it was not necessary to collect and retain more sensitive personal information such as a D/L number.

In response to this Office's investigation, the Calgary Store immediately ceased collecting and retaining ID as part of its return of goods transactions. As well, Canadian Tire Corporation Limited, in consultation with the Canadian Tire Dealers' Association (CTDA) committed to redesign the merchandise return computer system used by all Canadian Tire stores so that ID can no longer be entered into the system. They also agreed to purge the existing numbers from the system. The CTDA agreed to communicate this report to all Canadian Tire Associate Dealers, and to revise corporate merchandise return policies required as a result of this report. This will assist in harmonizing the practices across all Canadian Tire stores.

The circumstances in this case illustrate that organizations need to carefully consider and limit the amount of personal information collected for legitimate business purposes.

To obtain a copy of Investigation Report P2005-IR-007 contact:

Office of the Information and Privacy Commissioner
410, 9925 - 109th Street
Edmonton AB T5K 2J8
Phone: (780) 422-6860
E-mail: generalinfo@oipc.ab.ca
Website: www.oipc.ab.ca

What's the meaning of 'privacy'?

A little while ago, I referred to a posting by Timothy Grayson, discussing the lack of a common vocabulary about privacy (see The Canadian Privacy Law Blog: The language of privacy). That posting on Grayson's blog has garnered a lot of attention, most recently from David Kearns of Network World:

What's the meaning of 'privacy'?

"...Last week, I read a lament by Timothy Grayson (he works for the Canadian Postal Administration, but likes to talk about identity) called "I guess I just don't understand Privacy" http://timothygrayson.com/blog/archives/000737.html.

It seems that a Canadian Privacy Commissioner had ruled that those sometimes annoying inserts that come along with your bank statement amount to a breach of the customer's privacy. Read the whole entry by Grayson (and the articles he links to) as it's much too long to re-create here. But I do like his reasoning:

"To be an invasion of one's privacy presumes that all communication and contact with a person has to be approved by the recipient. The logical extent of this is that there can be no communication because the initial mover is prevented from moving. That logical extent is, of course, ridiculous. But what it does present is bold relief of the inherently unworkable nature of a 'privacy culture' that extends the definition of privacy in this excessive, individual-centric way."

In other words, we need some generally understood definitions of terms like "privacy," "identity," "personal information," etc. How can we ever hope to move to a worldwide, federated, everybody's-included identity metasystem if we can't even agree on the meaning of "identity" and "privacy" and can't tell which information is "personal" and what isn't?"

Some say privacy rules hindering mortgage speed

The struggle between privacy rules and speedy credit approvals is front and centre in this article from Market Watch. Some mortgage brokers are arguing that credit freezes and other privacy rules are hindering their ability to provide quick access to credit to their clients, in some cases causing people to lose opportunities to buy houses. The author of the article really doesn't buy that and quotes consumers who are able to obtain mortgages while their credit files are frozen. See: Consumer Watch: Some say privacy rules hindering mortgage speed - Banks - Financial - Real Estate - Specialty Finance - Financial Services - Personal Finance

Tuesday, August 02, 2005

Analysts Say ATM Systems Highly Vulnerable

The Associated Press is reporting on a report from Gartner Inc., which suggests that most banks are not doing enough to protect customers from ATM fraud. The reason is that most bank and debit cards do not take advantage of the full potential of two-track magnetic strips. Most bank cards only encode the card number on the magnetic strip, so anybody with a card writer and your card number (available from discarded receipts) is able to make a duplicate. Combine that with your PIN and that's the key to emptying your account. The solution posited by the Gartner analysts is to use the second track in the magnetic strip to encode an additional token that is verified by the ATM but is not otherwise available to the users. Some banks already use this technique. See: Analysts Say ATM Systems Highly Vulnerable - Yahoo! News.
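To make the Gartner recommendation concrete, here is an added example (not code from the AP report, Gartner, or any bank) that models a track-2 verification token of the kind the article describes. The assumptions are mine: the issuer derives a short numeric token from the card number and expiry with a secret key, writes it into the discretionary-data field of track 2, and the ATM or the issuer's authorizing host recomputes it on every transaction. The track-2 layout, the issuer key and the sample card number are constructed for the example, and HMAC-SHA256 stands in for whatever scheme a real issuer uses. The point it demonstrates is the article's: a card written from nothing but the number on a receipt carries no valid token, so it fails verification even when the correct PIN is entered.

```python
"""Simplified track-2 token verification (added illustration, not a real issuer scheme)."""
import hashlib
import hmac

# Constructed issuer key for the example. A real issuer keeps this in an HSM;
# it never appears on the card or on a receipt, which is what makes the token useful.
ISSUER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# Constructed sample card: a well-known test number, not a real account.
SAMPLE_PAN = "4111111111111111"
SAMPLE_EXPIRY = "0812"  # YYMM


def derive_token(pan: str, expiry_yymm: str, key: bytes = ISSUER_KEY, digits: int = 3) -> str:
    """Derive a numeric token bound to the PAN and expiry (truncated HMAC-SHA256)."""
    mac = hmac.new(key, f"{pan}={expiry_yymm}".encode(), hashlib.sha256).digest()
    # Reduce the leading MAC bytes to a fixed-width decimal string for the magnetic track.
    value = int.from_bytes(mac[:4], "big") % (10 ** digits)
    return f"{value:0{digits}d}"


def encode_track2(pan: str, expiry_yymm: str, service_code: str = "101", key: bytes = ISSUER_KEY) -> str:
    """Issuer side: build ';PAN=YYMMSSS<token>?' with the token as discretionary data.

    The layout is a simplification constructed for this example; real track-2 layouts vary.
    """
    return f";{pan}={expiry_yymm}{service_code}{derive_token(pan, expiry_yymm, key)}?"


def parse_track2(track: str) -> dict:
    """Split the constructed track-2 layout into its fields; reject anything malformed."""
    if not (track.startswith(";") and track.endswith("?") and "=" in track):
        raise ValueError("malformed track 2")
    pan, rest = track[1:-1].split("=", 1)
    if len(rest) < 7:  # 4 digits expiry + 3 digits service code, then discretionary data
        raise ValueError("track 2 missing expiry or service code")
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7], "token": rest[7:]}


def host_verify(track: str, key: bytes = ISSUER_KEY) -> bool:
    """Authorizing side: recompute the token and compare in constant time.

    Returns False for unparseable data rather than raising, so a malformed read
    is declined like any other failed verification.
    """
    try:
        fields = parse_track2(track)
    except ValueError:
        return False
    expected = derive_token(fields["pan"], fields["expiry"], key)
    return hmac.compare_digest(fields["token"], expected)


def genuine_card() -> str:
    """Track 2 as the issuer would write it, token included."""
    return encode_track2(SAMPLE_PAN, SAMPLE_EXPIRY)


def number_only_card() -> str:
    """Track 2 containing only what a receipt reveals: the number and expiry, no token.

    This is the case the article warns about, and the case the host must decline.
    """
    return f";{SAMPLE_PAN}={SAMPLE_EXPIRY}101?"


if __name__ == "__main__":
    print("genuine card verifies:    ", host_verify(genuine_card()))      # True
    print("number-only card verifies:", host_verify(number_only_card()))  # False
```

The design choice worth noting is that the token is a function of a key the cardholder never sees, so nothing on a receipt or on the card's visible face lets the authorizing host be satisfied. Using a keyed MAC rather than a plain hash is essential: an unkeyed digest of the card number could be recomputed by anyone who has the number.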

Judge dismisses privacy lawsuit against JetBlue for lack of harm

On Friday, a US District Court Judge dismissed a class-action lawsuit brought against JetBlue, Acxiom and two defence department subcontractors. The airline, JetBlue, had provided detailed passenger information which was matched with data from Acxiom to the subcontractors, contrary to the airline's privacy policy. According to the Associated Press, the case was thrown out because the plaintiffs could not show any actual harm or any actual benefit to JetBlue. See the AP report on FindLaw: Judge Dismisses Lawsuit Against JetBlue.

Monday, August 01, 2005

The CardSystems blame game

First, blame the auditors ...

Mark Rasch, in his Security Focus column this week, has some interesting things to say about security auditors and consultants in the wake of the CardSystems breach. The focus of his column is on what audits are and are not, but it also contains some interesting insights about the CardSystems debacle.

The CardSystems blame game

"...None of this is surprising. One of the first things you do when confronted with a public relations problem is to minimize the extent of the problem. Lawyers do this all the time, exclaiming things like "My dog didn't bite you, my dog doesn't bite, I don't own a dog." The next thing to do, of course, is to find someone else to blame.

In the case of CardSystems, they reportedly found someone who wasn't at the table to blame -- not VISA, not MasterCard, not their sponsoring bank, and not their customers. They blamed their auditors and consultants. In his testimony, Perry noted that CardSystems had undergone a CISP audit by consultants from Cable and Wireless in December of 2003 (17 months before the incident), and that there were "no deficiencies" that did not have adequate compensating controls. Thus, according to Perry's live testimony, it was Cable and Wireless' fault. Oh, and while he was at it, he also reportedly blamed the California mandatory disclosure law, SB 1386, claiming that without the law, the company would have suffered no losses. Well, still the data would have been lost, just nobody would have known about it.

Cable and Wireless claimed that there was nothing wrong with their audit, and that they were simply retained to audit the systems that were used to process the payment information. If there was a separate system used to store transactional data not connected to the processing system, or a system not within the scope of the audit, it was not examined.

Meeting of the minds

The relationship between consultant and consultee is almost always one based on a consulting agreement. The case points out a serious problem with understanding the nature of auditors, security consultants, and the relationship between these consultants and the underlying client. The consulting contract is supposed to reflect a meeting of the minds between the parties. Invariably however, the parties come to the table with differing expectations about what they are buying and selling. In the case of CardSystems and Cable and Wireless, CardSystems thought they were auditing discrete parts of the payment processing network for compliance with VISA's standards. CardSystems, on the other hand, apparently thought they were purchasing "hacker insurance" and a guarantee that they would never be subject to attack. At a minimum, CardSystems was seeking a "Certificate of Assurance" that they were compliant with all the relevant standards. As we will see, even this latter assumption may be unrealistic...."

Larger class-action firms shy away from privacy suits, leaving the field open for smaller firms

Recent privacy and security incidents have spawned a whole range of class action lawsuits, but Law.com reports the larger class-action firms in the US are shying away. Into that gap has stepped a number of smaller firms, looking to make precedent in this untested area:

American Lawyer Media's Law.com - Small Firms Blaze a Trail for Privacy Suits

"Matthew Righetti says companies that leak consumer data should be forced to pay. But the San Francisco plaintiffs lawyer can't say how much. Or, for that matter, whether any court would agree with him.

In fact, no one is sure. While electronic privacy breaches have caught the attention of big media -- the Wall Street Journal wrote Monday that they're generating large class actions -- the major class action firms have shied away from.

Since the cases rest on untested laws -- and often involve victims with no monetary losses -- the big plaintiffs firms are letting smaller outfits like Righetti's take the first steps in a litigation area with equally great risks.

Eager to find new practice areas without competition from the big firms that dominate consumer and securities class actions, the small plaintiffs shops have been happy to oblige.

Basing their complaints on disclosure notices that companies, under California law, send to customers whose financial data has been leaked, a bevy of small firms has aggressively pursued the suits.

While the plaintiffs lawyers say the notices fairly reek of liability, the outlook is so uncertain that small plaintiffs shops feel forced to share the risk of privacy suits with other firms...."

Thanks to Rob Hyndman for the pointer to this story.

The Sniffer vs. the Cybercrooks - New York Times

Continuing its tradition of great reporting in the area of privacy and security, the Sunday New York Times has a feature on Mark Seiden. Seiden makes his living providing businesses with the straight goods on how vulnerable their information is to being compromised.

The Sniffer vs. the Cybercrooks - New York Times

"... THE investment bank, despite billions in annual revenue and the small squadron of former police, military and security officers on its payroll, was no match for Mark Seiden.

"Tell me the things you most want to keep secret," Mr. Seiden challenged a top executive at the bank a few years back. The executive listed two. One involved the true identities of clients negotiating deals so hush-hush that even people inside the bank referred to them by using a code name. The other was the financial details of those mergers and acquisitions.

A week later, Mr. Seiden again sat in this man's office in Manhattan, in possession of both supposedly guarded secrets. As a bonus, he also had in hand a pilfered batch of keys that would give him entry into this company's offices scattered around the globe, photocopies of the floor plans for each office and a suitcase stuffed with backup tapes that would have allowed him to replicate all the files on the bank's computer system.

"Basically, that all came from working nights over a single weekend," he said with a canary-eating smile that seemed equal parts mischief and pride. Mr. Seiden is what some people inside the security industry call a "sniffer": someone who is paid to twist doorknobs for a living, to see which are safely locked and which are left dangerously unsecured. Clients sometimes hire Mr. Seiden, a former computer programmer, to buttress the security systems that protect their computers and other precious corporate assets. But primarily, large corporations turn to him to test the vulnerability of their networks...."

The article is accompanied by a very interesting 22 minute interview with Seiden. Download it here

Learning the ABCs of identity theft

The Daily Herald of Provo, Utah has a Q & A column. This week, it's about identity theft:

Learning the ABCs of identity theft :: The Daily Herald, Provo Utah

"Q: Do all of the recent data thefts mean everyone affected will be a victim of identity theft? How can one protect oneself against identity theft if our data isn't safe? -- MT, Palo Alto, Calif.

A: The theft of data is in the news almost every day. It would seem that, based on the recent rash of data thefts, almost the entire country is now exposed to identity theft.

...

The root cause of the recent data thefts is companies and organizations -- banks, credit card processors, universities, motor vehicle departments and Web sites -- that maintain a great deal of sensitive personal information in their databases. Their databases are constantly hacked, and these companies lack the appropriate level of standards with respect to protecting data.

Your question is certainly timely and provides an opportunity to review the basics of identity theft.

As explained before, identity theft is a crime that occurs when a thief steals your personal information and then uses it to impersonate you or to commit fraud and theft in your name. Typically, the thief will need your Social Security number, your name, address and driver's license in order to "become" you. In certain cases, the thief may also need your credit card account numbers and other information contained in your credit report.

...

In this context, you need to understand the difference between identity theft and credit card fraud. When, for example, a security breach at CardSystems Solutions compromised 40 million credit cards, you likely became exposed to credit card fraud, not identity theft.

Credit card fraud, while annoying and troubling, does not expose you to the same effects as identity theft. Federal law limits your financial risk to $50...."