responses
This page highlights responses to large scale exposure
of sensitive consumer information through hacking of databases,
loss of computer tapes in transit or theft of laptops.
It covers -
introduction
Responses to theft of data and to exposure of data (eg negligence in protecting consumer records) have essentially taken five forms -
- denial - commercial entities and other organisations have not acknowledged that data loss has taken place or have refused to acknowledge vulnerabilities in their handling of information. Denial within organisations has sometimes led to recurrent losses by a particular organisation and to failure to embrace best practice by learning from the experience of corporate peers
- mandatory reporting - failure by organisations to alert consumers that breaches have occurred (desirable so that consumers can be especially vigilant to potential identity theft) has led some jurisdictions, notably California, to mandate incident reporting to affected consumers and/or regulators
- identification and prosecution of thieves - action under cybercrime or other statutes for unauthorised access to databases and networks, damage to databases, theft of information, breach of contract, and identity crime
- litigation against negligent data custodians - suits by regulators and on a class action or individual basis by victims of data loss. That litigation has been reinforced by increased premiums from insurance providers
- changes to business practice to address vulnerabilities - for example strengthening corporate firewalls, enhanced surveillance of staff against 'insider' theft of data, and encryption of disks/tapes in transit.
cybercrime prosecutions
It is clear from the preceding page of this note that authorities have successfully prosecuted people who have breached cybercrime or other law through unauthorised access to and use of information. That access might have occurred from outside the data custodian or might have involved abuse of a privileged position (eg a staff member or contractor walking out of the custodian's premises with an illicit copy of a database on a memory stick, CD or even floppy disk).
US hacker Christopher Phillips was thus convicted in 2005 for copying personal information on a University of Texas database, ordered to pay US$170,000 restitution and serve five years of probation. Three former MphasiS employees were arrested in 2005 for allegedly stealing US$350,000 from accounts of four Citibank customers.
action by regulators
Regulators have also taken action against data custodians
who are inept or deceptive.
One example is the US Federal Trade Commission's 2004 settlement with Petco Animal Supplies over FTC charges that security flaws in the Petco site breached federal law and violated privacy promises made to customers. The site had assured customers:
"At PETCO.com, protecting your information is our number one priority, and your personal information is strictly shielded from unauthorized access. Entering your credit card number via our secure server is completely safe. The server encrypts all of your information; no one except you can access it."
The FTC commented that, contrary to Petco's claims, the retailer "did not take reasonable or appropriate measures to prevent commonly known attacks by hackers". Petco did not implement security measures to "secure and protect sensitive consumer information, including simple, readily available defenses that would have blocked such attacks" and falsely claimed that the sensitive information Petco obtained through its site was maintained in an encrypted format.
The FTC commented:
"Consumers have the right to expect companies to keep their promises about the security of the confidential consumer information they collect. The FTC will hold companies to their word."
It noted that Petco was the fifth FTC case challenging deceptive claims by businesses about the security provided for consumers' personal information.
In 2006 ChoicePoint agreed to pay US$15 million to settle
FTC charges that its security and record-handling procedures
violated consumers' privacy rights. Those charges followed
sale of the personal financial information of 145,000
consumers to criminals purporting to be legitimate businesses.
ChoicePoint had initially sent notice of that failure
only to Californians and appears to have widened the alert
after a media furore.
Action has been selective. In the US the major release of data from iBill referred to in the preceding page of this note was not disclosed by that company. Because the information did not include Social Security, credit-card or driver's-license numbers, no US laws required iBill (or the adult content companies for which it provided payment services) to warn people. A year after the FBI first learned of the loss it had also failed to issue any public warnings.
apologies and alerts
In 2005, after Citigroup lost computer tapes holding 3.9
million unencrypted consumer records, it apologised. That
apology featured boilerplate such as Citifinancial "has
no reason to believe that the information has been used
inappropriately". The group offered customers free
enrollment in a credit-monitoring service for 90 days.
Critics commented that the offer, while better than nothing (and presumably useful in heading off action by activist regulators in California and elsewhere), was somewhat disingenuous, as the average time for victims to become aware of the theft is 12 months, with a further 175 hours and US$808 in out-of-pocket expenses spent clearing their names. Citigroup more meaningfully announced that it had stopped delivering computer tapes by courier.
Later that year Marriott International, after another
loss of tapes, announced plans "to search for the
tapes, to determine how they disappeared and monitor accounts
for any unusual activity or possible misuse". It
commented "We regret this situation has occurred
and realize this may cause concern for our associates
and customers".