"The Federal Trade Commission today described its comprehensive efforts to combat identity theft before the U.S. House Subcommittee on Information Policy, Census, and National Archives of the Committee on Oversight and Government Reform. The FTC also recommended legislative remedies to enhance the effectiveness of these efforts. The testimony presented by Betsy Broder, Assistant Director of the FTC’s Division of Privacy and Identity Protection, highlighted the agency’s leadership role in developing a national strategy to combat identity theft as part of the President’s Identity Theft Task Force. The Task Force issued 31 recommendations that promoted an enhanced data security culture in the public and private sectors, launched victim assistance initiatives, and improved law enforcement’s ability to pursue and punish identity thieves."
News release: "Six federal agencies issued a set of frequently asked questions (FAQs) today to help financial institutions, creditors, users of consumer reports, and issuers of credit cards and debit cards comply with federal regulations on identity theft and discrepancies in changes of address. The “Red Flags and Address Discrepancy Rules,” which implement sections of the Fair and Accurate Credit Transactions Act of 2003, were issued jointly on November 9, 2007, by the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and Federal Trade Commission (FTC)."
"The Federal Trade Commission has launched a Web site to help entities covered by the Red Flags Rule design and implement identity theft prevention programs. The Rule requires “creditors” and “financial institutions” to develop written programs to identify the warning signs of ID theft, spot them when they occur, and take appropriate steps to respond to those warning “red flags.”"
"In December 2003, the Internet Fraud Complaint Center (IFCC) was renamed the Internet Crime Complaint Center (IC3) to better reflect the broad character of such criminal matters having a cyber (Internet) nexus. The 2008 Internet Crime Report is the eighth annual compilation of information on complaints received and referred by the IC3 to law enforcement or regulatory agencies for appropriate action. From January 1, 2008 – December 31, 2008, the IC3 website received 275,284 complaint submissions. This is a 33.1% increase when compared to 2007 when 206,884 complaints were received. These filings were composed of complaints primarily related to fraudulent and non-fraudulent issues on the Internet."
News release: "The Internal Revenue Service issued its 2008 list of the 12 most egregious tax schemes and scams, highlighted by Internet phishing scams and several frivolous tax arguments. Topping this year’s list of scams is phishing, which encompasses numerous Internet-based ploys to steal financial information from taxpayers. New to the “Dirty Dozen” this year is a scheme, which IRS auditors discovered, that relates to unreasonable and/or excessive fuel tax credit claims."
Identity Theft Resource Center, 2009 Breach List, 3/3/2009 - Breaches: 89 Exposed: 1,140,146.
"The Federal Trade Commission released the list of top consumer complaints received by the agency in 2008. The list, contained in the publication Consumer Sentinel Network Data Book for January-December 2008, showed that for the ninth year in a row, identity theft was the number one consumer complaint category. Of 1,223,370 complaints received in 2008, 313,982 – or 26 percent – were related to identity theft."
News release: "The U.S. Small Business Administration issued a scam alert today to small businesses, warning them not to respond to letters falsely claiming to have been sent by the SBA asking for bank account information in order to qualify them for federal tax rebates. The fraudulent letters were sent out with what appears to be an SBA letterhead to small businesses across the country, advising recipients that they may be eligible for a tax rebate under the Economic Stimulus Act, and that SBA is assessing their eligibility for such a rebate. The letter asks the small business to provide the name of its bank and account number."
News release: "...experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime. Shockingly, most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale. The impact of these errors is far reaching. Just two of them led to more than 1.5 million web site security breaches during 2008 - and those breaches cascaded onto the computers of people who visited those web sites, turning their computers into zombies."
The Top 25 Errors are listed below in three categories:
"The IRS does not initiate communication with taxpayers through e-mail. Before identity theft happens, safeguard your information...IRS Identity Protection Specialized Unit, toll-free at 1-800-908-4490."
News release: "Reports of data breaches increased dramatically in 2008. The Identity Theft Resource Center's 2008 breach report reached 656 reported breaches at the end of 2008, reflecting an increase of 47% over last year’s total of 446. In terms of sub-divisions by type of entity, the rankings have not changed between 2007 and 2008 within the five groups that ITRC monitors. The financial, banking and credit industries have remained the most proactive groups in terms of data protection over all three years. The Government/Military category has dropped nearly 50% since 2006, moving from the highest number of breaches to the third highest."
News release: "The federal bank, credit union, and thrift regulatory agencies today announced publication of a revised identity theft brochure – You Have the Power to Stop Identity Theft – to assist consumers in preventing and resolving identity theft. The updated brochure focuses primarily on Internet "phishing" by describing how phishing works, offering ways to protect against identity theft, and detailing steps to follow for victims of identity theft. The brochure includes contact information for three major credit bureaus, where to report suspicious e-mails, and where to access additional information."
The Role of the United States Postal Service in Public Safety and Security - Implications of Relaxing the Mailbox Monopoly, By Lois M. Davis et al.
"Thirty privacy, consumer, and civil liberties organizations sent a letter to President-elect Barack Obama on the importance of protecting privacy in the next administration. The organizations support the incoming president’s expressed commitment to privacy, consumer rights, and civil liberties. President-elect Obama stated support for strengthening of privacy protection by harnessing the power of technology to hold government and businesses accountable for violations of personal privacy. The coalition said that “[t]here is a clear need to address the spiraling problems of identity theft, security breaches, and the commercialization of personal information.” For more information visit EPIC’s A-Z Privacy Page."
News release: "The Federal Trade Commission issued a report today recommending five measures to help prevent Social Security numbers from being used for identity theft. Principal among the report’s recommendations is that Congress consider taking action to strengthen the procedures that private-sector organizations use to authenticate their customers’ identities...The FTC report states that adopting nationwide standards for how businesses and other organizations verify the identity of new and existing customers would make it harder for identity thieves to use SSNs and other stolen information to consummate their fraud...The FTC report also recommends that steps be taken to reduce the unnecessary display and transmission of SSNs, but noted that such restrictions must be approached carefully. A number of important functions in the U.S. economy depend on use of and access to SSNs, and the report concluded that overly restrictive attempts to limit the availability of SSNs could unintentionally curtail those functions. Finally, the report recommends steps to improve data security, increase outreach to consumers and businesses on the protection of SSNs, and enhance coordination and information-sharing among organizations that routinely use SSNs."
News release: "The total number of breaches on the Identity Theft Resource Center’s 2008 breach list surpassed the final total of 446 reported in 2007, more than 4 months before the end of 2008. As of 9:30 a.m. August 22nd, the number of confirmed data breaches in 2008 stood at 449. The actual number of breaches is most likely higher, due to under-reporting and the fact that some of the breaches reported, which affect multiple businesses, are listed as single events. In the last few months, two subcontractors became examples of these “multiple” events. In one case, the customers and/or employees of at least 20 entities were affected by a breach that the ITRC reported as a single breach event."
OTS 08-051 - OTS Issues New Examination Procedures on Identity Theft Red Flags and Address Discrepancies: "This Regulatory Bulletin transmits revised Examination Handbook Section 341, Information Technology Risks and Controls, and revised Examination Handbook Section 1300, Fair Credit Reporting Act (FCRA). The revised Handbook Sections contain new guidance and examination procedures for the final rules on Identity Theft Red Flags and Address Discrepancies, which implement Sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACT Act) of 2003. This bulletin rescinds RB 37-15 dated April 20, 2006."
Office of Science and Technology Policy (OSTP) in the Executive Office of the President - Identity Management Task Force Report 2008, released September 2008
News release: "Attorney General Michael B. Mukasey and Federal Trade Commission Chairman William E. Kovacic announced today the release of a report from the President’s Identity Theft Task Force on progress the federal government has made in addressing identity theft since the Task Force’s Strategic Plan was released last year. Highlights of the report include expansion of the Task Force’s data security and identity theft business and consumer education campaigns; exploring means of improving consumer authentication processes to prevent the use of stolen information to commit identity theft; launching new initiatives to help identity theft victims recover; and improving law enforcement tools to investigate and prosecute identity thieves."
News release: "In keeping with the Patrick Administration’s commitment to protecting consumers, the Office of Consumer Affairs and Business Regulation (OCABR) last Friday issued a comprehensive set of final regulations establishing standards for how businesses protect and store consumers’ personal information. Additionally, Governor Patrick has signed an executive order requiring all state agencies to immediately take steps to implement security measures consistent with the requirements established by OCABR's regulations for private companies. The order calls for the adoption of uniform standards across government that protect the integrity of personal information and further the objectives of the identity theft prevention law."
News release (ITRC 2008 breach list, August 22nd update): "...Breaches: 449 Exposed: 22,091,338."
News release: "Secretary Chertoff spoke on the balance between privacy and secure identity August 13 at the University of Southern California National Center for Risk and Economic Analysis of Terrorism Events. He addressed crimes involving identity theft, and talked about identity validation and authentication, the associated financial costs, the effect on illegal workers, the universe of tools available for identity management, and possible solutions that address the concerns of privacy advocates."
News release: "State attorneys general received thousands of consumer complaints of online fraud and abuse in 2006 and 2007 and yet, with the exception of several notable standouts, brought few significant cases in response, according to a report released today from the Center for American Progress and the Center for Democracy and Technology, Online Consumers at Risk and the Role of State Attorneys General."
Official Google Enterprise Blog: "In July, our Postini datacenters saw the biggest volume of email virus attacks so far in 2008, with a peak of nearly 10 million messages on July 24. One of the more prominent attacks in the month involved a spoofed UPS package-tracking link that was intended to lure recipients into clicking on it and downloading malware. Our zero-hour virus protection technology first started catching these emails on July 20."
News release: "Eleven perpetrators allegedly involved in the hacking of nine major U.S. retailers and the theft and sale of more than 40 million credit and debit card numbers have been charged with numerous crimes, including conspiracy, computer intrusion, fraud and identity theft, Attorney General Michael B. Mukasey, U.S. Attorney for the District of Massachusetts Michael J. Sullivan, U.S. Attorney for the Southern District of California Karen P. Hewitt, U.S. Attorney for the Eastern District of New York Benton J. Campbell and U.S. Secret Service Director Mark Sullivan announced today. The scheme is believed to constitute the largest hacking and identity theft case ever prosecuted by the Department of Justice."
M-08-21, FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (July 14, 2008) (43 pages)
News release: "The Federal Trade Commission today released a staff report on a Roundtable Discussion on Phishing Education that it hosted in April. Approximately 60 experts from business, government, the technology sector, the consumer advocacy community, and academia met at the FTC to discuss strategies for outreach to consumers about avoiding phishing. Phishers use deceptive spam that appears to come from legitimate, well-known sources to trick consumers into divulging sensitive or personal information, such as credit account numbers or passwords, often through a link to a copycat of the purported source’s Web site."
Federal Trade Commission: "Financial institutions and creditors are now required to develop and implement written identity theft prevention programs under the new Red Flags Rules.
The Red Flags Rules are part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. Under these Rules, financial institutions and creditors with covered accounts must have identity theft prevention programs in place by November 1, 2008, to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.
The Commission staff is launching an outreach effort to explain the Rules in greater detail. It has now published a general alert on what the Rules require, and, in particular, an explanation of which businesses - financial institutions and creditors - are covered by the Rules."
News release: "The Federal Trade Commission plans to study the experiences of identity theft victims by conducting a survey of consumers who contacted the FTC after they were victimized. The proposed survey will examine the remedies available to victims under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Among other things, the FACT Act gave consumers the right to place fraud alerts on their credit files if they are, or suspect they may become, victims of identity theft; block information on their credit reports that resulted from identity theft; and obtain copies of their credit reports free of charge. The survey will seek information from identity theft victims who contacted the FTC between January 1 and May 30, 2008, and will inquire about their experiences when they contacted one or more credit reporting agencies and when they sought to use their FACT Act rights. The survey results will help guide the FTC’s efforts to enforce the law and educate consumers and the consumer reporting industry about their rights and duties."
News release: "The ITRC Breach Report total has reached an all-time high. Between January 1st and June 27th, the total number of data breaches recorded by the ITRC is 342, more than 69% greater than the same time period in 2007. The actual number of breaches is likely even higher, due to underreporting and the fact that some of the breaches reported as a single event actually affected multiple businesses.
The ITRC Breach Report sub-divides all breaches into five categories. To date, the 2008 ITRC Breach Stats Report indicates the following: 17.0% government/military agencies, 21.3% from educational institutions, 36.8% from general businesses, 14.9% from health care facilities / companies, and 10% from banking / credit / financial services entities.
Click here for the 2008 ITRC Breach report. Click here for the 2008 ITRC Breach Stats Report broken down by categories which includes the percentages for each category (business, financial/credit, educational, governmental/military and health care). Please check regularly as this list is updated weekly."
A Guide to Protecting Your Identity Online, Rosemary Haworth, PC Advisor
Identity Theft: The Aftermath 2007. Conducted by the Identity Theft Resource Center® (ITRC) With comparisons to The Aftermath 2003, 2004, 2005, 2006 Surveys.
News release: "The Federal Trade Commission...told the Senate Committee on Commerce, Science, and Transportation that “legislation authorizing the Commission to seek civil penalties in spyware cases could add a potent remedy to those otherwise available to the Commission.” In testimony to the Committee, Eileen Harrington, Deputy Director of the FTC’s Bureau of Consumer Protection, said that when other enforcement options – seeking consumer redress or making the operators give up their ill-gotten gains – are not appropriate or sufficient remedies to deter spyware distributors, “a civil penalty may be the most appropriate remedy and serve as a strong deterrent.” The testimony states that the agency supports legislation that would provide “the Commission this valuable law enforcement tool.”
OIG: The Social Security Administration's Internal Use of Employees' Social Security Numbers. A-13-07-27164 06/09/08
Do Data Breach Disclosure Laws Reduce Identity Theft? Sasha Romanosky, Rahul Telang, Alessandro Acquisti, Heinz School of Public Policy and Management, Carnegie Mellon University
Yahoo Search Blog: "Today, we're announcing the beta release of SearchScan, a new feature from Yahoo! Search that helps protect users from viruses, spyware and spam. We've heard from users that security and privacy continue to be major concerns when they are online. We've also learned that solutions that require downloads and constant updating are less than ideal. To tackle the problem, we partnered with McAfee to build a feature that provides a safer and hassle-free search experience to all users...How does it work? SearchScan leverages McAfee's SiteAdvisor technology to alert users if risky websites appear in Yahoo! Search results. Starting today, SearchScan will be turned on by default for all users in the U.S., Canada, UK, France, Italy, Germany, Australia, New Zealand, and Spain..."
The Inspectors General, Journal of Public Inquiry Fall/Winter 2007/08 (96 pages, PDF)
News release: "The Securities and Exchange Commission...took action to stop a sophisticated Internet scheme that stole the identities of unsuspecting individuals and netted more than $66,000 in illicit profits in just seven weeks. In a complaint filed in the U.S. District Court for the Eastern District of New York, the SEC alleged that one or more unknown traders conducted their entire online account intrusion scheme over the Internet and concealed their identities by, among other things, fraudulently opening brokerage accounts in the names of individuals who responded to a job advertisement on the Web site Craig’s List."
Inadequate Security Controls Over Routers and Switches Jeopardize Sensitive Taxpayer Information, March 26, 2008. Reference Number: 2008-20-071
News release: "According to the 2007 Internet Crime Report, the Internet Crime Complaint Center (IC3) received 206,884 complaints of crimes perpetrated over the Internet during 2007. Of the complaints received, more than 90,000 were referred to law enforcement around the nation, amounting to nearly $240 million in reported losses. This represents a $40 million increase in reported losses from complaints referred to law enforcement in 2006. All complaints received by IC3 are accessible to federal, state, and local law enforcement to support active investigations, trend analysis, and public outreach and awareness efforts."
News release: "The Federal Trade Commission has released three 60-second videos to help alert consumers to phishing scams. Phishing uses deceptive spam to trick consumers into divulging sensitive or personal information, including credit card numbers and other financial data, through an email or a link to a “copycat” site. The goal of the videos is to offer practical, useful, and memorable messages. The videos are the newest tool on OnGuardOnline.gov, the agency’s multimedia initiative to help consumers be on guard against Internet fraud, secure their computers, and protect their personal information. The award-winning site features tips, articles, how-to videos, interactive quizzes, and tutorials in English and Spanish. The new videos also will be featured on YouTube and on the FTC Web site here."
News release: "In the FTC’s action against data brokers Reed Elsevier (REI) and Seisint, the complaint alleges that REI - through its LexisNexis data broker business - and Seisint collect and store in databases information about millions of consumers, including names, current and prior addresses, dates of birth, drivers license numbers and Social Security numbers. They obtain information about consumers from credit reporting agencies and other sources, and sell products customers use online to find and retrieve the information from their databases. The companies relied on user IDs and passwords (or “user credentials”) to control customer access to consumer information in their databases."
U.S. Department of Energy, Office of Inspector General, Office of Audit Services, Audit Report, Management of the Department's Publicly Accessible Websites, March 2008.
Press release: "...AirTight® Networks, the global leader for wireless intrusion prevention systems...issued the findings from its study to assess information security risk exposure of laptop users at fourteen airports in the United States, Canada and Asia. The company set out to understand the risks to business travelers and their corporate networks of data leakage while those airline passengers are sending sensitive information using unsecured wireless access points while at the airports. It found surprising results, however, regarding the security posture of private Wi-Fi networks in these airports as well as the rapid spread of viral Wi-Fi networks.
One of the most surprising findings of this initial study was that some ticketing systems, baggage systems, shops and restaurants were using open or poorly secured wireless networks. Of the Wi-Fi networks detected by AirTight researchers, 77 percent were non-hotspot (i.e. private) networks and of those, 80 percent were unsecured or using legacy WEP encryption, a fatally flawed protocol. Based on detailed analysis of these access points, there is a high probability that some of these networks are used for critical airport logistics and operations. The consequences of this lack of security could result in disruption of baggage or passenger ticketing systems."
HHS Office of Inspector General, Privacy Act of 1974; Revisions to OIG’s Privacy Act System of Records: Criminal Investigative Files, Federal Register, March 4, 2008.
Chris Hoofnagle, Measuring Identity Theft at Top Banks (Version 1.0) February 26, 2008. Berkeley Center for Law and Technology. Law and Technology Scholarship (Selected by the Berkeley Center for Law & Technology). Paper 44.
Data Breach Notification Laws, State By State, by Scott Berinato, "More than five years after California's seminal data breach disclosure law, SB 1386, was enacted, not all states have followed suit. Eleven states still have not passed laws mandating that companies notify consumers when that company has lost the consumer's personal data. One state, Oklahoma, does have a breach notification law, but it only applies to state entities that have lost data. That leaves 38 states that have enacted some sort of breach disclosure law. This map will help you sort them out."
"The Safer Internet plus programme aims to promote safer use of the Internet and new online technologies, particularly for children, and to fight against illegal content and content unwanted by the end-user, as part of a coherent approach by the European Union."
News release: "A bi-partisan group of Senators from the Commerce, Science and Transportation Committee led by U.S. Senators Olympia J. Snowe (R-Maine), Bill Nelson (D-Florida) and the Committee’s Ranking Member Ted Stevens (R-Alaska), introduced today bi-partisan legislation aimed at ending the deceptive practice known as phishing. The Anti-Phishing Consumer Protection Act of 2008 would prohibit phishing – the deceptive solicitation of a consumer’s personal information through the use of emails, instant messages, and misleading websites that trick recipients into divulging their information for the purpose of identity theft. The legislation would also prohibit related abuses, such as the practice of using fraudulent or misleading domain names, by defining them as deceptive practices under the FTC Act."
Lest We Remember: Cold Boot Attacks on Encryption Keys, J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten. Princeton University, Electronic Frontier Foundation, Wind River Systems. February 21, 2008.
"The FTC today released the list of top consumer fraud complaints received by the agency in 2007. The list, contained in the publication Consumer Fraud and Identity Theft Complaint Data January-December 2007, showed that for the seventh year in a row, identity theft is the number one consumer complaint category. Of 813,899 total complaints received in 2007, 258,427, or 32 percent, were related to identity theft.
The report breaks out complaint data on a state-by-state basis and also contains data about the 50 metropolitan areas reporting the highest per capita incidence of fraud and the 50 metropolitan areas reporting the highest incidence of identity theft.
The report states that credit card fraud was the most common form of reported identity theft at 23 percent, followed by utilities fraud at 18 percent, employment fraud at 14 percent, and bank fraud at 13 percent.
Consumers reported fraud losses totaling more than $1.2 billion; the median monetary loss per person was $349, the report states."
Educational Security Incidents (ESI) Year in Review - 2007, by Adam Dodge, posted February 10, 2008: "The ESI Year in Review - 2007 examines all of the information security incidents occurring at colleges and universities around the world as reported in the news during 2007. 2007 marked a significant change for information security incidents reported in the news. Among the changes are an increase in both the number of incidents reported and the number of institutions reporting a breach, as well as the addition of new categories such as incident type "Employee Fraud" and information type "Username and Password"."
Press release: "In connection with the 5th Safer Internet Day on 12 February 2008, Eurostat, the Statistical Office of the European Communities, presents a selection of statistics concerning internet activities, security concerns and virus attacks. The Safer Internet Day is part of a global drive to promote a safer Internet for all users, in particular younger people, and is organised by Insafe, a European internet safety network co-funded by the European Commission...In the EU27 in 2007, nearly a quarter of internet users had had a computer virus in the preceding 12 months, which resulted in a loss of information or time. Virus attacks were most frequent in Lithuania (41% of users), Slovenia (35%) and Malta (34%) and least common in the Czech Republic (7%), Estonia (15%) and Sweden (16%)."
Press release: "The California State Senate passed a bill Friday that would allow prosecution for identity theft cases in the county where the victim resides. State Sen. Joe Simitian, D-Palo Alto, co-authored Senate Bill 612 and praised fellow senators Friday for voting 40-0 in favor of the legislation. Current law permits prosecution in the county where the theft occurred, or where the information was illegally used, even when both locations are hundreds of miles from the victim’s home, according to Simitian’s office." Simitian also sponsored Senate Bill 364, which passed by a vote of 30-7.
Use of Commercial Independent Risk Analysis Services Blanket Purchase Agreements (BPA) (February 4, 2008) (4 pages, PDF)
Department of Commerce Breach Notification Response Plan, September 28, 2007 (21 pages, PDF)
Federal Times: "The administration last week told agencies not to use federal employees’ Social Security numbers as primary identifiers for data processing purposes. The Office of Personnel Management said in a Jan. 18 notice that agencies must not print the numbers on paper or display on computer screens except in secure areas. And only employees whose official duties require access to the numbers can have access to them. Lastly, agencies can only collect employees’ Social Security numbers when an employee joins the agency for human resources and payroll purposes. OPM hopes the new rules will decrease the risk of identity theft."
Washington Post, Online Records May Aid ID Theft, Government Sites Post Personal Data, By Bill Brubaker: "Social Security numbers are readily available in many courthouses -- in land records and criminal and civil case files -- as well as on many government Web sites that serve up public documents with a few clicks of a mouse. From state to state, and even within states, there is little uniformity in how access to the private information in these records is controlled."
"Today, the Department of State released a final rule for the new "Passport Card," which is intended to be used by American citizens who frequently travel by land or sea to Canada, Mexico, the Caribbean, and Bermuda. The new rule calls for the use of "vicinity read" RFID technology without the use of encryption. This means the card will be able to be read remotely, at a long distance. CDT strongly objected to the use of this technology--developed for tracking inventory, not people--because it is inherently insecure and poses threats to personal privacy, including identity theft, location tracking by government and commercial entities outside the border control context, and other forms of mission creep."
Press release: "In a new report, the Federal Trade Commission staff describes findings from its July 2007 workshop, “Spam Summit: The Next Generation of Threats and Solutions” and proposes follow-up action steps that stakeholders can adopt to mitigate the harmful effects of malicious spam and phishing. In addition to proposing action steps for stakeholders, the report provides an overview of the agency’s decade-long role in protecting consumers from the threats of fraudulent spam and phishing. The report also announces results from staff’s 2007 Harvesting and Filtering Study, which suggest that Internet service providers’ spam filters continue to serve an integral role in reducing the amount of spam that reaches consumers’ in-boxes."
Ponemon 2007 Annual Study: U.S. Cost of a Data Breach - Understanding Financial Impact, Customer Turnover, and Preventive Solutions: This study "was derived from a detailed analysis of 35 data breach incidents. According to the study, the cost per compromised customer record increased in 2007, compared to 2006. Lost business opportunity, including losses associated with customer churn and acquisition, represented the most significant component of the cost increase. Companies analyzed were from 16 different industries, including communications, consumer goods, education, entertainment, financial services, gaming, health care, hospitality, internet, manufacturing, marketing, media, retail, services, technology, and transportation."
Press release: "The Federal Trade Commission today told the House Judiciary Committee’s Subcommittee on Crime, Terrorism, and Homeland Security that identity theft remains one of the highest priorities for the Commission, and that the agency is playing a lead role in preventing identity theft and helping those who are victimized."
Press release: "As merchants get busier with holiday shopping, the Federal Trade Commission reminds them to be sure the credit and debit card receipts they give customers comply with federal law. To reduce the risk of fraud and identity theft, the electronically printed credit and debit card receipts given to consumers must not include more than the last five digits of the card number, and must not show the expiration date."
Consumer Information:
Press release: "The widespread use and availability of Social Security numbers puts Americans at risk for identity theft and should be restricted, according to Consumers Union, nonprofit publisher of Consumer Reports. The group urged policymakers to take action to protect consumers as part of a public forum on the issue organized by the Federal Trade Commission in conjunction with the President’s Identity Theft Task Force. Social Security numbers are particularly sensitive information because they can provide the key to unlocking a consumer’s financial identity... Jeannine Kenney, Senior Policy Analyst with Consumers Union...presented findings of a Consumer Reports National Research Center poll at the FTC forum showing that 89 percent of Americans want state and federal lawmakers to restrict the use and availability of Social Security numbers by businesses and government agencies. The poll also found that nearly all consumers want the right to freeze access to their credit files to prevent new account fraud. Currently 39 states and the District of Columbia give consumers the right to a security freeze and the three major credit bureaus have made the freeze available to consumers in the remaining states."
McAfee Virtual Criminology Report - Cybercrime: The Next Wave - The annual McAfee global cyber trends study into organized crime and the Internet in collaboration with leading international security experts, November 2007.
Press release: "The Federal Trade Commission today released a survey showing that 8.3 million American adults, or 3.7 percent of all American adults, were victims of identity theft in 2005. Of the victims, 3.2 million, or 1.4 percent of all adults, experienced misuse of their existing credit card accounts; 3.3 million, or 1.5 percent, experienced misuse of non-credit card accounts; and 1.8 million victims, or 0.8 percent, found that new accounts were opened or other frauds were committed using their personal identifying information."
"...the Identity Theft Resource Center (ITRC) has been tracking security breaches for the past three years, looking for patterns, new trends and any information that may help us better protect data and assist companies in their activities...In 2006, there were in excess of 315 publicized breaches affecting nearly 20 million individuals. Based on ITRC’s categorization, the breaches break down as follows: 29% government/military agencies; 28% from educational institutions; 22% from general businesses; 13% from health care facilities / companies; and 8% from banking / credit / financial services entities. In 2005, there were 158 incidents affecting more than 64.8 million people."
Identity Theft, 2005 released on November 7, 2007: "Presents data from the National Crime Victimization Survey (NCVS) on identity theft victimization and its consequences. This report presents the first full year of data available after new questions about identity theft were added to the survey in July 2004. Identity theft is defined in the report as credit card thefts, thefts from existing accounts, misuse of personal information, and multiple types at the same time. Based on interviews with a nationally representative sample of 40,000 household residents, the report describes age, race, and ethnicity of the household head; household income and composition; and location of the household. Characteristics of the theft presented include economic loss, how the theft was discovered, whether misuse is ongoing, and problems experienced as a result of the identity theft."
Press release: "Starting November 1, consumers in all 50 states will be able to freeze access to their credit files at all three major credit bureaus to prevent identity thieves from opening fraudulent accounts in their names. By that date, all three major credit bureaus will offer “security freeze” protection to all consumers living in the eleven states that have not passed laws requiring it and the five states that currently limit this protection to identity theft victims. To help consumers learn how to take advantage of this powerful identity theft safeguard, Consumers Union, the nonprofit publisher of Consumer Reports, is making available online an updated Guide to Security Freeze Protection."
Text of the Federal Register Notice [256 pages, PDF] - Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003: 16 C.F.R. Part 681 (Federal Trade Commission Rule): Joint Final Rules and Guidelines of the Office of the Comptroller of the Currency, Treasury; the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; the Office of Thrift Supervision, Treasury; the National Credit Union Administration; and the Federal Trade Commission.
CDT: "As it seeks models to address the mounting issues surrounding online behavioral targeting, the Federal Trade Commission (FTC) should begin by applying the principles it developed to guide its anti-spyware enforcement efforts, CDT said today. In comments submitted to the FTC in advance of its upcoming "town hall" meeting on behavioral advertising, CDT pointed out that the FTC's principles -- which center around the core concept that consumers should have ultimate control over their computers -- are directly applicable to behavioral advertising. In addition to filing its own comments, CDT also joined with other public interest advocates in offering a list of important questions the FTC must address over the course of the two-day meeting."
Press release, October 16, 2007: "Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) and Ranking Member Arlen Specter (R-Pa.) today introduced the bipartisan Identity Theft Enforcement and Restitution Act of 2007 to give federal prosecutors important new tools to combat the growing problem of identity theft and cyber crime.
The Identity Theft Enforcement and Restitution Act of 2007 would:
Press release: "The FTC today told the Maryland Task Force on Identity Theft that public organizations, including federal, state, and local governments, “play a critical role in guarding against misuse and unauthorized disclosure of the personal information they collect and maintain.” Speaking before the Maryland Task Force to Study Identity Theft, Betsy Broder, Assistant Director of the FTC’s Division of Privacy and Identity Protection said, “To succeed in the battle against identity theft, federal, state and local governments, working together with the private sector, must make it more difficult for thieves to obtain the information they need to steal identities, make it more difficult to use that information if they do obtain it, and assist victims when thefts occur.”
Erickson, K., & Howard, P. (2007). A case of mistaken identity? News accounts of hacker, consumer, and organizational responsibility for compromised digital records. Journal of Computer-Mediated Communication, 12(4), article 5.
UK House of Lords, Science and Technology Committee, 5th Report of Session 2006-2007: Personal Internet Security, August 10, 2007 (121 pages, PDF)
But the Internet is now increasingly the playground of criminals. Where a decade ago the public perception of the e-criminal was of a lonely hacker searching for attention, today's "bad guys" belong to organised crime groups, are highly skilful, specialised, and focused on profit. They want to stay invisible, and so far they have largely succeeded. While the incidence and cost of e-crime are known to be huge, no accurate data exist.
Underpinning the success of the Internet is the confidence of hundreds of millions of individual users across the globe. But there is a growing perception, fuelled by media reports, that the Internet is insecure and unsafe. When this is set against the rate of change and innovation, and the difficulty of keeping pace with the latest technology, the risk to public confidence is clear.
The Government have insisted in evidence to this inquiry that the responsibility for personal Internet security ultimately rests with the individual. This is no longer realistic, and compounds the perception that the Internet is a lawless "wild west". It is clear to us that many organisations with a stake in the Internet could do more to promote personal Internet security: the manufacturers of hardware and software; retailers; Internet Service Providers; businesses, such as banks, that operate online; the police and the criminal justice system.
We believe as a general principle that well-targeted incentives are more likely to yield results in such a dynamic industry than formal regulation. However, if incentives are to be effective, they may in some cases need to be backed up by the possibility of direct regulation. Also, there are some areas, such as policing, where direct Government action is needed. So Government leadership across the board is required. Our recommendations urge the Government, through a flexible mix of incentives, regulation, and direct investment, to galvanise the key stakeholders.
The threat to the Internet is clear, but it is still manageable. Now is the time to act, both domestically, and internationally, through the European Union and through international organisations and partnerships.
"The risk associated with using the Internet remains high. Our State of the Net assesses the likelihood and impact of four leading online hazards, listed in order of incidence, based on the survey by the Consumer Reports National Research Center and our follow-up investigation."
Press release, July 19, 2007: "The Department of Justice today submitted to Congress new proposed legislation that seeks to update and improve current laws aimed at protecting Americans from the increasingly sophisticated crime of identity theft. The proposed bill, titled the Identity Theft Enforcement and Restitution Act of 2007, was a significant recommendation included in the final strategic plan from the President’s Task Force on Identity Theft released in April 2007. The strategic plan was the result of an unprecedented federal effort to formulate a comprehensive and fully coordinated plan to attack identity theft at all levels in the public and private sectors. Among other provisions, the proposed legislation seeks to ensure that victims of identity theft can recover the value of the time lost attempting to repair damage inflicted by identity theft. Under current law, restitution to victims from convicted thieves is available only for the direct financial costs of identity theft offenses."
sfgate.com - ON THE RECORD: DEBORAH MAJORAS CHAIRWOMAN, FTC: "She shares her thoughts on what her agency can -- and cannot -- do on everything from mergers to fraud to privacy to gas prices to infomercials," Sunday, July 15, 2007
Press release: "Google Inc. announced today that it has signed a definitive agreement to acquire Postini, a global leader in on-demand communications security and compliance solutions serving more than 35,000 businesses and 10 million users worldwide. Postini's services -- which include message security, archiving, encryption, and policy enforcement -- can be used to protect a company's email, instant messaging, and other web-based communications. Under the terms of the agreement, Google will acquire Postini for $625 million in cash, subject to working capital and other adjustments, and Postini will become a wholly-owned subsidiary of Google. The agreement is subject to customary closing conditions and is expected to close by the end of the third quarter 2007."
Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown. GAO-07-737, June 4, 2007.
Toward a Safer and More Secure Cyberspace, Seymour E. Goodman and Herbert S. Lin, Editors, Committee on Improving Cybersecurity Research in the United States, National Research Council, 272 pages, pre-publication copy, 2007.
Press release: "Fidelity National Information Services, Inc. announced today that its subsidiary, Certegy Check Services, Inc., a service provider to U.S. retail merchants, based in St. Petersburg, Fla., was victimized by a former employee who misappropriated and sold consumer information to a data broker who, in turn, sold a subset of that data to a limited number of direct marketing organizations...The misappropriated information included names, addresses and telephone numbers as well as, in many cases, dates of birth and bank account or credit card information. Approximately 2.3 million records are believed to be at issue, with approximately 2.2 million containing bank account information and 99,000 containing credit card information. The company is still investigating the time period over which the misappropriations occurred."
Treasury Inspector General for Tax Administration. Progress Has Been Slow in Meeting Homeland Security Presidential Directive–12 Requirements, June 20, 2007. Reference Number: 2007-20-110
"This National Institute of Justice Special Report is intended as a resource for individuals responsible for investigations involving the use of the Internet and other computer networks. Any crime could involve devices that communicate through the Internet or through a network. Criminals may use the Internet for numerous reasons, including trading/sharing information (e.g., documents, photographs), concealing their identity, and gathering information on victims. The report is among a series of guides on investigating electronic crime."
Press release: "[June 13, 2007] the Department of Justice and FBI announced the results of an ongoing cyber crime initiative to disrupt and dismantle “botherders” and elevate the public’s cyber security awareness of botnets. OPERATION BOT ROAST is a national initiative and ongoing investigations have identified over 1 million victim computer IP addresses. The FBI is working with our industry partners, including the CERT Coordination Center at Carnegie Mellon University, to notify the victim owners of the computers. Through this process the FBI may uncover additional incidents in which botnets have been used to facilitate other criminal activity."
Press release: "Tens of thousands of consumers are unwitting accomplices of illegal spammers and at the mercy of identity thieves, warns the Federal Trade Commission. These consumers’ computers have been secretly hijacked by criminals who install spam-sending software and spyware on the computers when consumers open malicious e-mail attachments or visit a malicious Web site. After gaining access to consumers’ computers, the criminals can track consumers’ Internet surfing, steal personal information, and turn the computers into spam “zombies” that are part of a “botnet” made up of thousands of home computers through which spammers route spam. In a new consumer alert, Botnets and Hackers and Spam (Oh, My!), the FTC urges consumers to secure their personal information and stop assisting spammers."
"The anti-phishing research group at Indiana University, stop-phishing.com, is striving to understand, detect and prevent online fraud, and in particular, to reduce the economic viability of phishing attacks. We achieve this goal through a cross-disciplinary research agenda in which we consider all facets of the problem, ranging from psychological aspects and technology matters to legal issues and interface design considerations. We are attuned to needs and concerns within the financial sector, among privacy advocates, and of common users, and are dedicated to turning the tide."
Press release: "This Web site has been established to provide information about an Information Technology Security Incident in which a security breach in a computer application resulted in exposure of sensitive information belonging to current and former University of Virginia faculty members. A criminal investigation is being conducted by University of Virginia Police in consultation with the FBI and the University’s computing and audit professionals. The investigation has revealed that hackers tapped into the records of 5,735 faculty members."
Cooperation against Cybercrime: 11-12 June 2007, Palais de l’Europe, Strasbourg, France: "Societies worldwide rely on information and communication technologies. However, the increasing dependency on such technologies is accompanied by a growing vulnerability to criminal intrusion and misuse. In response to these challenges the Council of Europe adopted the Convention on Cybercrime (ETS 185) in 2001 and the Protocol on the Criminalisation of Acts of a Racist and Xenophobic Nature Committed through Computer Systems (ETS 189) in 2003."
The State of Search Engine Safety, June 4, 2007 - Ben Edelman, Advisor to McAfee SiteAdvisor and Hannah Rosenbaum - Research Analyst, McAfee SiteAdvisor
Press release, May 31, 2007: Attorney General Richard Blumenthal, with attorneys general from 43 other states, announced a settlement today with ChoicePoint for allegedly failing to adequately protect consumers' personally identifiable information, resulting in a massive security breach. The Atlanta-based ChoicePoint, which collects and maintains personally identifiable information on consumers, provides identification and credential verification services to businesses, government and non-profit organizations. In February 2005, ChoicePoint announced that criminals posing as legitimate businesses accessed consumers' personally identifiable information. The company notified more than 145,000 consumers nationwide whose information may have been compromised - including nearly 6,000 from Connecticut. Under today's settlement, ChoicePoint has agreed to adopt significantly stronger security measures. Those measures include written certification and, in some cases, on-site visits by ChoicePoint to ensure the legitimacy of companies before they are allowed access to personally identifiable information. ChoicePoint will also conduct periodic audits to ensure that companies are using consumer data for legitimate purposes."
Press release: "...a recent TriCipher Consumer Online Banking Study, conducted by Javelin Strategy and Research, reveals that consumers would take advantage of more online banking services if banks provided stronger identity protection. The TriCipher Consumer Online Banking Study included 3,349 respondents from a random-sample panel that was representative of the U.S. population. Surprising findings uncovered that nearly 1 in 5 - estimated at 26 million - adult consumers have been victims of identity theft or fraud in their lives. And, according to survey results, over 88 million online banking customers would switch banks, or reduce online banking usage, if news reports exposed their individual institution as compromised."
Clay Johnson III, Deputy Director for Management, Office of Management and Budget: M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007 (22 pages, PDF)
FinancialPrivacyNow.org: "Identity theft is one of the fastest growing financial crimes. Nearly 10 million Americans fall victim each year. The Identity Theft Resource Center reported in 2005, on average, an ID theft victim of new account and other fraud spent 60 hours resolving problems brought on by ID theft; those victims of existing accounts spent an average of 15 hours resolving problems. A 2003 Federal Trade Commission study found that identity theft also costs U.S. businesses nearly $48 billion annually, and consumers an additional $5 billion per year. A security freeze lets consumers stop thieves from getting credit in their names. A security freeze locks, or freezes, access to the consumer credit report and credit score. Without this information, a business will not issue new credit to a thief. When the consumer wants to get new credit, he or she uses a PIN to unlock access to the credit file. These states [included at this link] give consumers this important weapon to prevent identity theft. (updated 5/8/07)"
Follow up to May 5, 2007 posting, Missing TSA Hard Drive Has Data on 100,000 Employees, this additional update from the TSA: "Today the Transportation Security Administration (TSA) announced a benefit package to provide employees and former employees affected by the data security incident with free credit monitoring for up to one year. In addition to credit monitoring, the package includes ID theft insurance up to $25,000, fraud alerts and identity restoration specialists who will complete paperwork and assist employees in the event they are a victim of identity theft. Current and former employees can register via phone, mail or online through a secure web site. More information is available at www.tsa.gov, including a list of frequently asked questions."
Press release: "Today, the House Judiciary Committee approved four crime bills and sent them to the House floor for consideration. The bills were: HR 1700, the "COPS Improvement Act of 2007;" HR 916, the "John R. Justice Prosecutors and Defenders Incentive Act of 2007;" HR 1525, the "Internet Spyware Prevention Act of 2007;" and, HR 1615, the "Securing Aircraft Cockpits Against Lasers Act."
Press release: "Attorney General Alberto R. Gonzales and Federal Trade Commission Chairman Deborah Platt Majoras today announced the completion of the President’s Identity Theft Task Force strategic plan to combat identity theft. The strategic plan is the result of an unprecedented federal effort to formulate a comprehensive and fully coordinated plan to attack this widespread and destructive crime. The plan focuses on ways to improve the effectiveness of criminal prosecutions of identity theft; enhance data protection for sensitive consumer information maintained by the public sector, private sector, and consumers; provide more comprehensive and effective guidance for consumers and the business community; and improve recovery and assistance for consumers."
Related Documents:
Combating Identity Theft: A Strategic Plan, Final recommendations released April 23, 2007
Press release: "UK consumers are not as risk-averse when it comes to using online services as previously thought, according to recent research conducted by BT. Despite daily warnings about security threats and cyber-criminals, people are willing to take risks online, as long as they feel informed, and it is clear how consequences will be addressed. According to the findings from the Trustguide report, which was a collaborative research project by BT with support from the DTI, people use specific online services not because they trust them, but because they believe the benefits outweigh the risks. Government and private industry must therefore take responsibility for educating and reassuring the public that safeguards are in place, if they are to succeed with e-Government and e-Commerce initiatives. Based on the research, the Trustguide report outlines a set of guidelines to inform policy making and service development for ICT delivered services. In addition to enabling better-informed decision-making through education, and advising users of restitution and guarantee measures should something go wrong, the report highlights the need for greater honesty and transparency of data usage by service providers."
Anti-Phishing Working Group (APWG), Phishing Activity Trends for February 2007 (8 pages, PDF)
Tech//404® Data Loss Cost Calculator: "Data loss resulting from network security breaches and identity theft has become a regular occurrence. While the number of affected records can vary widely in any given data loss scenario, a recent study by the Ponemon Institute found that the average number was roughly 99,000. For recent examples and media reports, visit the data loss archive. Darwin created the Tech//404® data loss cost calculator as a tool to demonstrate the scope of negative financial impact an organization may face as a result of a data breach or identity theft data loss scenario. The calculator will automatically generate an average cost, and a plus/minus 20% range, for expenses associated with internal investigation, notification/crisis management and regulatory/compliance if the incident were to give rise to a class action claim."
According to a press release from the Georgia Department of Community Health, contractor Affiliated Computer Services confirmed on April 9, 2007 the loss of a CD containing the personal data of state Medicaid and PeachCare for Kids(TM) members. The data included full names, complete addresses, social security numbers, member ID numbers, and eligibility dates for 2.9 million individuals (as reported by AP).
Treasury Inspector General for Tax Administration - Internal Revenue Service Is Not Adequately Protecting Taxpayer Data on Laptop Computers and Other Portable Electronic Media Devices. March 23, 2007. Reference Number 2007-20-048.
Press release: "The Federal Communications Commission has strengthened its privacy rules by requiring telephone and wireless carriers to adopt additional safeguards to protect the personal telephone records of consumers from unauthorized disclosure. These new safeguards will help prevent unauthorized access to customer proprietary network information, or CPNI."
"CIPPIC has issued the first batch of a series of working papers on identity theft. The papers released today include Introduction and Background, Techniques of Identity Theft, and Legislative Approaches to Identity Theft (all PDF). Additional papers examining identity theft caselaw, law enforcement, and policy approaches, as well as a Bibliography on identity theft, will be forthcoming. These working papers reflect research conducted during 2006 with funding from the Ontario Research Network for Electronic Commerce (ORNEC)."
Press release: "Former 9/11 Commission counsel Janice Kephart announces the launch of an online Identity Document Security Library, consisting of legal, technical and policy pieces regarding identity document security. Kephart, a nationally recognized border security expert, created the library to serve as a 'one-stop-shop' information portal for those seeking objective, credible information on the issue of identity document security...The issue of identity, and information about identity, underlies the 9/11 Commission's border work, whose recommendations included the creation of minimum standards for state-issued driver licenses and IDs. Kephart's recently issued white paper, Identity and Security: Moving Beyond the 9/11 Staff Report on Identity Document Security, maintains that securing identities and identity documents is perhaps the single most effective measure the United States can take to lay a foundation for national and economic security and public safety."
Press release: "The Commission has approved the publication of a Federal Register notice regarding a proposed amendment to the FTC’s existing routine uses of agency systems of records subject to the Privacy Act of 1974. As detailed in the notice, which will be published soon and can be found now on the FTC’s Web site and as a link to this press release, the amendment is necessary to implement data breach guidance issued by the U.S. Office of Management and Budget (OMB) and the President’s Identity Theft Task Force. The guidance is intended to ensure that federal agencies have legal and administrative procedures in place to respond and remedy or prevent harm to individual privacy in the case of an agency breach of personal data. The Commission vote authorizing the publication of the notice in the Federal Register was 5-0. (File No. P072104; the staff contact is Alex Tang, Office of the General Counsel, 202-326-2447.)"
"The Symantec Internet Security Threat Report offers analysis and discussion of threat activity over a six-month period. It covers Internet attacks, vulnerabilities, malicious code, phishing, spam and security risks as well as future trends. The eleventh version of the report, released March 19, 2007, is now available."
Press release: "The Federal Trade Commission today told the Senate Judiciary Committee Subcommittee on Terrorism, Technology, and Homeland Security that “the government and the private sector must continue to work together to reduce the opportunities for thieves to obtain consumers’ personal information and make it more difficult for thieves to misuse that information if they obtain it.” Lydia Parnes, Director of the FTC’s Bureau of Consumer Protection, said government and the business community should evaluate whether they need to collect and maintain the data they have about consumers, better-protect the data that they do possess, and develop better ways to authenticate customers to keep identity thieves from using the information they steal."
Press release: "If Assistant Professor of Communication at the University of Washington Phil Howard's calculations prove true, by year's end the 2 billionth personal record -- some American's social-security or credit-card number, academic grades or medical history -- will become compromised, and it's corporate America, not rogue hackers, who are primarily to blame. By his reckoning, electronic records in the United States are bleeding at the rate of 6 million a month in 2007, up some 200,000 a month from last year."
Press release: "The arm of the FBI that investigates financial crimes ranging from underground pyramid schemes to institutionalized fraud in the nation’s corporate suites has issued its annual report detailing the most prevalent types of schemes investigators tackled in 2006. The Financial Crimes Report to the Public is prepared each year by the Financial Crimes Section of the FBI's Criminal Investigative Division. The report, which covers a 12-month period ending September 30, 2006, explains in detail dozens of fraud schemes, tallies FBI accomplishments combating the crimes, and offers tips the public can use to protect itself."
E-Commerce Times:
"On April 23 and 24, 2007, the Federal Trade Commission will host a public workshop, Proof Positive: New Directions in ID Authentication, to explore methods to reduce identity theft through enhanced authentication. The workshop will facilitate a discussion among public-sector, private-sector, and consumer representatives, and will focus on technological and policy requirements for developing better authentication processes, including the incorporation of privacy standards and consideration of consumer usability issues."
Findings from a new study by ID Analytics, reported by ComputerWeek, indicate that "...the riskiest states for ID theft are New York, California, Nevada and Arizona, while the safest ones are Wyoming, Vermont, Montana and North Dakota. The riskiest 5-digit zip codes for ID theft -- after Floral Park and Faulkton -- are Old Bethpage, N.Y., New York City and Manhasset, N.Y."
Declan McCullagh reported last week on the reintroduction of numerous antispyware and ID theft bills, many of which reflect the same language as previous versions of related legislation. The article has links to major bills as well as respective legislative background.
Press release: "The Federal Trade Commission today issued its annual report, “Consumer Fraud and Identity Theft Complaint Data” on complaints consumers have filed with the agency. For the seventh year in a row, identity theft tops the list, accounting for 36 percent of the 674,354 complaints received between January 1 and December 31, 2006. Other categories near the top of the complaint list include shop-at-home/catalog sales; prizes, sweepstakes and lotteries; Internet services and computer complaints; and Internet auction fraud."
Inspection Letter Report, Alleged Loss or Theft of Personally Identifiable Information at Pantex, February 2, 2007.
The Emperor's New Security Indicators, An evaluation of website authentication and the effect of role playing on usability studies, working draft released February 4, 2007. Authors: Stuart E. Schechter (MIT), Rachna Dhamija (Harvard), Andy Ozment (MIT), Ian Fischer (Harvard).
"This National Institute of Justice Special Report is intended as a resource for individuals responsible for investigations involving the use of the Internet and other computer networks. Any crime could involve devices that communicate through the Internet or through a network. Criminals may use the Internet for numerous reasons, including trading/sharing information (e.g., documents, photographs), concealing their identity, and gathering information on victims."
Press release: "The FBI in Los Angeles announced it opened an investigation to determine who hacked into a restricted database at the University of California at Los Angeles (UCLA) that held the names and personal information of some 800,000 students, faculty, and alumni. Anyone who thought they had been further victimized as a result of the breach was encouraged to contact the Internet Crime Complaint Center (IC3)."
Press release: "U.S. Senator Dianne Feinstein (D-Calif.) today reintroduced two bills [Notification of Risk to Personal Data Act and the Social Security Number Misuse Prevention Act] aimed at protecting individuals from identity theft by requiring businesses to notify consumers in the event of a security breach and prohibiting the sale or display of an individual’s Social Security number without his or her consent. Senator Feinstein said that the increased frequency of data breaches demonstrates that the legislation is needed sooner rather than later. Major data breaches have occurred in recent months at Boeing, UCLA, the Colorado Department of Human Services, Starbucks, the Chicago Voters' Database, and Akron Children's Hospital."
Press release, January 4, 2007: "Cisco today announced a definitive agreement to acquire the privately held company, IronPort Systems, Inc. of San Bruno, Calif. IronPort is a leading provider of messaging security appliances, focusing on enterprise spam and spyware protection."
Related news:
Press release: "The Federal Identity Theft Task Force, chaired by Attorney General Alberto R. Gonzales and co-chaired by Federal Trade Commission Chairman Deborah Platt Majoras, is seeking public comment on ways to improve the effectiveness and efficiency of federal government efforts to reduce identity theft. The public comments on these issues will supplement the research and analysis being conducted, provide further information about the proposals being considered, and identify areas where additional recommendations may be warranted. The Task Force was established by an Executive Order 13402 on May 10, 2006."
Press release: "Attorney General Kelly Ayotte announced today that if you live in New Hampshire, effective January 1, 2007 you will have the right to put a "security freeze" on your credit file. A security freeze means that your file cannot be shared with potential creditors. A security freeze can help prevent identity theft. Most businesses will not open credit accounts without first checking a consumer's credit history. If your credit files are frozen, even someone who has your name and Social Security number would probably not be able to get credit in your name. The security freeze legislation passed in the 2006 legislative session... A security freeze fact sheet, including step by step instructions on how to place a security freeze, is available here."
Press release: Among the predictions is the following: "Blogging and community contributors will peak in the first half of 2007. Given the trend in the average life span of a blogger and the current growth rate of blogs, there are already more than 200 million ex-bloggers. Consequently, the peak number of bloggers will be around 100 million at some point in the first half of 2007."
Telephone Records and Privacy Protection Act bill [H.R. 4709] passed in the Senate by Unanimous Consent on December 8, 2006 - To amend title 18, United States Code, to strengthen protections for law enforcement officers and the public by providing criminal penalties for the fraudulent acquisition or unauthorized disclosure of phone records.
Press release: "Today, the Federal Trade Commission mailed claims forms for reimbursement to more than 1,400 identity theft victims who experienced out-of-pocket expenses due to alleged security lapses at data broker ChoicePoint Inc. These victims, who were identified with the assistance of law enforcement, should receive the claims form with instructions on how to file a claim. The FTC also has created a website – where consumers who do not receive a letter can download a claims form and obtain information about the claims process...The FTC and ChoicePoint reached a settlement requiring the company, among other things, to pay $5 million to be used to reimburse consumers for expenses due to identity theft caused by ChoicePoint's security breach. A press release explaining the settlement can be found here."
Press release: "The Commission today called on all regulatory authorities and stakeholders in Europe to step up the fight against spam, spyware and malicious software. Despite existing EU legislation to outlaw spam in Europe, Europe continues to suffer from illegal online activities from inside the EU and from third countries, the Commission underlines in a new Communication. The Communication stresses that although internet safety is on the political agenda for some time, national authorities should step up their actions to prosecute illegal online activities."
Status Report on OIG Data Security via the Data Security Portal: "Our November 21, 2006, status report notes several important developments, including the fact that as a result of our investigation in cooperation with the Federal Bureau of Investigation and the Miami-Dade County Police Department, two individuals have been arrested for their alleged roles in a small Miami-area laptop theft ring. While the OIG's laptops have not been recovered, there has been no credit fraud resulting from the laptop thefts and we believe that the risk of credit fraud in the future is very low. A firm hired to perform data breach analysis has failed to find any misuse of information on the laptops, and will continue to analyze the information..."
Information Security: Agencies Need to Develop and Implement Adequate Policies for Periodic Testing. Full text, GAO-07-65, and Highlights, October 20, 2006.
Press release: "Symantec Corp...announced the opening of the Symantec Phish Report Network to consumers worldwide. As one of the world's leading antifraud communities, the Symantec Phish Report Network, launched in May 2006, allows member companies to contribute and receive fraudulent Web site addresses that they can use in their antiphishing solutions to help protect users from online fraud. Consumer input further helps the Symantec Phish Report Network's fight against online fraud and will aid in preventing other computer users from becoming victims."
Follow up to previous postings on ChoicePoint and data breaches, today's New York Times article, Keeping Your Enemies Close, provides a chronology of how the company has made inroads in rehabilitating its reputation.
Will Knight at New Scientist reports the research by Professor Markus Jakobsson and grad student Jacob Ratkiewicz, Indiana University, indicates "...one in 10 internet users may be lured into handing over sensitive personal information such as a credit card number, by fraudulent "phishing" emails..." and "that some survey participants may not have realised that they have been stung by a phishing scam, or may simply be too embarrassed to admit to it."
Effective November 1, 2006, New York State's law "provides consumers may elect to place security freezes on consumer credit reports by making such request to consumer reporting agencies [TransUnion, Equifax and Experian]."
"The Symantec Internet Security Threat Report offers analysis and discussion of threat activity over a six-month period. It covers Internet attacks, vulnerabilities, malicious code, phishing, spam, security risks, and future trends. The tenth version of the report, released September 25, is now available."
Press release: "In a report released today, Reps. Davis and Waxman summarize information provided to the Committee by 19 federal departments and agencies regarding the loss or compromise of personal information since January 2003. The report finds that every agency has experienced at least one such breach and that the agencies do not always know what information has been lost or how many individuals could be affected."
Key Conclusions:
Press release, October 4, 2006: "As information security concerns among consumers and other customer constituencies rise, just 29 percent of marketers say that their firm has a crisis containment plan in case of a security breach, according to findings of a major research initiative by the Chief Marketing Officer (CMO) Council. Without such a plan and other security strategies in place, companies are at risk of losing hundreds of million of dollars in market value and loss of reputation and brand trust, according to the study's findings."
Press release: "The Metropolitan Police Computer Crime Unit is investigating data recovered from a computer in the United States that was found to contain personal information from hacked computers located in the United Kingdom. We believe the data has been stolen by the use of a computer virus and it is believed more than 2,300 compromised computers in the UK consisting of 83,000 files have been targeted."
Press release: "The Federal Trade Commission today told the House Committee on Energy and Commerce Subcommittee on Oversight and Investigations that protecting the privacy of consumers' telephone records requires a multi-faceted approach. Joel Winston, Associate Director of FTC's Division of Privacy and Identity Protection, said that coordinated law enforcement efforts targeting pretexters, steps by telephone carriers to protect their records from intrusion, and educating consumers about actions they can take to protect their records, will help safeguard consumers' telephone records."
Press release: "Congressman Barney Frank yesterday wrote to the Chairman of the Federal Trade Commission (FTC) and representatives of the credit reporting industry asking that they look into the numerous complaints from consumers about access to credit reports and fraud alerts." [text of letter is included in this release]
Follow-up to September 19, 2006 posting, President's Identity Theft Task Force Announces Interim Recommendations, today OMB issued a memorandum of Recommendations for Identity Theft Related Data Breach Notification, from Clay Johnson, Deputy Director for Management.
FTC press release: "The President’s Identity Theft Task Force has adopted interim recommendations on measures that can be implemented immediately to help address the problem of identity theft, Attorney General Alberto R. Gonzales and Federal Trade Commission Chairman Deborah Platt Majoras announced today."
FTC press release: "An operation that placed spyware on consumers' computers in violation of federal laws will give up more than $2 million to settle Federal Trade Commission charges. Under a stipulated final judgment and order, the defendants are permanently prohibited from interfering with a consumer's computer use, including but not limited to distributing software code that tracks consumers' Internet activity or collects other personal information, changes their preferred homepage or other browser settings, inserts new advertising toolbars or other frames onto their browsers, installs dialer programs, inserts advertising hyperlinks into third-party Web pages, or installs other advertising software code, file, or content on consumers' computers."
Press release: Carnegie Mellon CyLab researchers create new system to address phishing fraud [ZDNet]
From the Antiphishing Working Group, the June Phishing Activity Trends Report.
Ponemon Institute Releases National Survey on Confidential Data at Risk
Consumer Alert: New Phishing Attack Claims to be FDIC
Follow up to August 9, 2006 posting, AOL Data Breach Causes Privacy Group to File Complaint With FTC, news today "the Electronic Frontier Foundation (EFF)...asked the Federal Trade Commission (FTC) to investigate America Online (AOL) and require changes in its privacy practices, after the company recently released search history logs that exposed the private lives of more than a half-million of its customers." A copy of the EFF complaint (11 pages, PDF).
Industry, Government Fret Over Tactics for Fighting Data Theft, by Marcia Coyle, The National Law Journal, August 10, 2006.
StopBadware.org Blog: "We're entering a new phase here at StopBadware.org. Google—which is one of our partners—will present people with a warning before they visit websites that have been reported to StopBadware.org as sites that distribute badware. These warnings currently link to a general page on StopBadware.org, but as we finish researching sites, we'll replace the general page with one of our individual website reports (see an example here). Hopefully this next step will bring us that much closer to fulfilling our mission of providing people with reliable, objective information about downloadable applications in order to help them make better choices."
Press release: "Senator Olympia J. Snowe (R-ME), Chair of the Senate Committee on Small Business and Entrepreneurship, today introduced the "Small Business Information Security Act of 2006," (S. 3786) legislation that will create the "Small Business Information Security Task Force" within the Small Business Administration to help small businesses both understand the information security challenges they face and identify resources to help meet those challenges."
Into the Breach: Security Breaches and Identity Theft/Research Report
July 2006 — "Security breaches of data files can lead to identity theft. In this AARP Public Policy Institute Data Digest, Neal Walters analyzes 244 breaches between January 1, 2005 and May 26, 2006, and finds that 40 percent were caused by hackers or insider access targeting sensitive personal information, potentially exposing 50 million individuals’ names and personal data."
GSA press release: "The U.S. General Services Administration’s (GSA) Office of Citizens Services & Communications is warning the public to avoid falling victim to a recent e-mail scheme that targets users by sending unsolicited e-mails allegedly from FirstGov, the citizen portal operated by GSA. These scam e-mails tell recipients that because of recent fraudulent activities on Money Access Online they need to confirm their account has not been stolen or hacked. The e-mails then direct recipients to click on a link and enter information related to personal credit card accounts."
EPIC: "A data breach notification bill [H.R. 3997] backed by the House Financial Services Committee drew criticisms from state law enforcement officials and a coalition of consumer groups, who said that existing state laws are more effective at protecting consumers. In a letter to House leadership signed by 48 state attorneys general, the National Association of Attorneys General stated that an effective data breach law should preserve strong consumer protections and allow states to enforce data breach laws. Consumer groups said that the Financial Data Protection Act "does nothing positive for consumers and rolls back existing state consumer protection laws."
Personal Information: Key Federal Privacy Laws Do Not Require Information Resellers to Safeguard All Sensitive Data, Full text GAO-06-674, and Highlights, June 26, 2006.
Treasury Inspector General for Tax Administration - Increased Managerial Attention Is Needed to Ensure Taxpayer Accounts Are Monitored to Detect Unauthorized Employee Accesses, July 24, 2006. Reference Number: 2006-20-111.
AP reports that "[t]he names, addresses and Social Security numbers of as many as 540,000 injured workers [in New York] have been lost, and the state and a contracted company are trying to protect the workers from identity theft."
Matwyshyn, Andrea M., "Technoconsen(t)sus" (May 2006). Posted July 19, 2006 [Link to download]
Press release: "According to MarkMonitor's AntiFraud Operations Center™ (AFOC), domain-based phishing attacks now represent 73 percent of all attacks, up from 35 percent just 18 months ago." Related reference in this press release to an academic paper titled, Why Phishing Works.
FTC press release: "The federal financial institution regulatory agencies and the Federal Trade Commission are soliciting comments on a Notice of Proposed Rulemaking (NPRM) concerning identity theft “red flags” and address discrepancies. The NPRM, which has been reviewed and approved by each of the listed agencies, implements sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003. The regulations that the agencies are jointly proposing would require each financial institution and creditor to develop and implement an identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft in connection with account openings and existing accounts."
Review of Issues Related to the Loss of VA Information Involving the Identity of Millions of Veterans, Rpt. #06-02238-163, July 11, 2006 (78 pages, PDF)
Risky Business? How Multinationals' Outsourcing Involving Customer Data Can Lead to Identity Theft and Other Fraud, by Anita Ramasastry.
In the wake of the steady stream of news (the latest at this time is here) about stolen laptops and data breaches impacting state and federal government agencies and personnel, as well as corporations large and small, this AP article raises an important question: "...Why is so much private data allowed to be on laptops to begin with?"
Press release: "CA today announced a new security survey of 642 large North American organizations which shows that more than 84% experienced a security incident over the past 12 months and that the number of breaches continues to rise. According to the findings, security breaches have increased 17% since 2003. As a result, 54% of organizations reported lost workforce productivity; 25% reported public embarrassment, loss of trust/confidence and damage to reputation; and 20% reported losses in revenue, customers or other tangible assets. Of the organizations which experienced a security breach, 38% suffered an internal breach of security."
From the Privacy Rights Clearinghouse, A Chronology of Data Breaches Reported Since the ChoicePoint Incident, updated June 30, 2006. Breaches reported in June 2006 include the Nebraska Treasurer's Office and the Minnesota Dept. of Revenue.
Federal Times: "In a few months, the 3.6 million participants in the Thrift Savings Plan will begin using account numbers instead of Social Security numbers to access their retirement accounts. TSP administrators are switching to randomly generated account numbers to enhance security and protect participants' Social Security numbers from being stolen, said Mark Hagerty, director of automated systems at the Federal Retirement Thrift Investment Board, which oversees the TSP."
"Utica College's Center for Identity Management and Information Protection is a research collaborative dedicated to furthering a national research agenda on identity management, information sharing, and data protection. Founded in June 2006, its ultimate goal is to impact policy, regulation, and legislation, working toward a more secure homeland."
Press release: "CDT's report charts the important cases against spyware distributors and identifies the statutes applied, June 26, 2006."
WSJ free feature: Laptop Lockdown - Companies Start Holding Employees Responsible for Security Of Portable Devices They Use for Work
Press release: "Sen. Bob Bennett (R-Utah) and Sen. Tom Carper (D-DE), members of the Senate Banking Committee, today introduced legislation to help protect individuals and businesses from the rampant crimes of identity theft and account fraud...The new bill requires that all entities – such as financial institutions, universities, retailers and federal agencies – safeguard sensitive information, investigate security breaches and notify consumers when there’s a substantial risk of identity theft or account fraud. That means retailers that take credit card information are now covered; data brokers who compile private information are covered; and government agencies that possess nonpublic personal information are also covered."
AP reported that a hacker obtained personal data on over 25,000 Agriculture Department employees.
The Consumer Privacy Legislative Forum (whose members include Google, Microsoft, Oracle, EBay Inc., Hewlett-Packard Co., Intel Corp., Sun Microsystems Inc. and Symantec Corp.) issued a statement supporting "a serious process to consider comprehensive harmonized federal privacy legislation to create a simplified, uniform but flexible legal framework."
Following up on previous postings on the VA data breach, today the GAO issued yet another related report - Information Security: Leadership Needed to Address Weaknesses and Privacy Issues at Veterans Affairs, Full text GAO-06-897T, and Highlights, June 20, 2006.
Yet another report today about the theft of a laptop from the home of a government employee, this time involving info on D.C. government personnel. The issue of why so many institutions have not implemented proper security measures, such as encryption on digital media removed from the office, remains baffling.
Press release: "In a major policy address on the challenges of privacy in our increasingly data driven world, Senator Hillary Rodham Clinton called for a comprehensive privacy agenda: a Privacy Bill of Rights that secures the interests of consumers; stronger, better enforced protection for medical privacy and a new national security consensus setting out clear rules to allow the government to use new intelligence techniques and make sure the public knows its rights and limits. Senator Clinton announced that she will introduce legislation to enact this Bill of Rights, the Privacy Rights and Oversight for Electronic and Commercial Transactions Act of 2006, the PROTECT Act."
Follow-up to recent postings VA ID theft and the continuous reports on government and corporate enterprise data breaches, see this Gartner press release: Gartner Says Rash of Personal Data Thefts Shows Social Security Numbers Can No Longer Be Sole Proof of Identity for Enterprises.
Related to previous postings on the recent breach of Veterans' data that was the focus of press and Congressional scrutiny, from GAO today, this report - Veterans Affairs: Leadership Needed to Address Information Security Weaknesses and Privacy Issues, full-text GAO-06-866T, and Highlights, June 14, 2006. From the report: "For many years, significant concerns have been raised about VA's information security--particularly its lack of a robust information security program, which is vital to avoiding the compromise of government information, including sensitive personal information. Both GAO and the department's inspector general have reported recurring weaknesses in such areas as access controls, physical security, and segregation of incompatible duties."
Related government documents:
WSJ free feature: Seeking a Safer Internet - New Tools Flag Sites With Spyware, Spam - But the Technology Is Far From Perfect
Press release, June 9, 2006: "Governor George E. Pataki today signed three bills [Security Freeze Law, Disposal of Personal Records Law, Anti-Phishing Act of 2006] that will further protect New York's consumers and their privacy. These bills will allow consumers to proactively defend themselves against identity thieves, require businesses to properly discard documents and records containing personal information, and prohibit individuals from deceptively soliciting sensitive information from Internet users. They will also help prohibit the potential repercussions that many identity theft victims encounter, including the denial of loan applications, false arrest, and criminal records."
Government Reform Committee Oversight Hearing, "Once More Into the Data Breach: The Security of Personal Information at Federal Agencies," June 8, 2006. "The data loss at VA is the largest by a federal agency to date, and the latest in a long string of personal information breaches in the public and private sectors, including financial institutions, data broker companies, and academic institutions."
Indiana House Bill 1101 (HB 1101), which takes effect July 1, will "require disclosure of security breaches and encryption of data by companies holding customers' and clients' personal identification information in computer databases if it could cause identity theft, identity deception, or fraud."
Follow-up to postings on breach of veterans data, this press release from Sen. Patrick Leahy comments on the announcement that "the Social Security numbers and other personal information for as many as 2.2 million U.S. military personnel – including nearly 80 percent of our active-duty force -- were among the data the VA has lost."
Press release, May 31, 2006: "Gov. Lynch today signed Senate Bill 334, which will allow victims of identity theft to ask their credit reporting agency for a "credit freeze." Once they do, their credit reports cannot be forwarded without their consent or involvement, which will help prevent identity thieves from using people's good credit against them. A credit freeze will also prevent criminals from being able to open new lines of credit in their victims' names...The law goes into effect on Jan. 1, 2007."
Another follow-up to postings and resources for veterans impacted by recent data breach: "The FTC is advising veterans and their families to keep a close hold on their credit card numbers, bank account information, Social Security numbers, passwords, and other sensitive personal information. One technique scammers use to get this information is phishing: they send an e-mail that appears to be from a well-known company, asking recipients to verify their personal information and luring them to a Web site that looks genuine, but is bogus. Scammers can lie on the telephone, as well, to get personal information." [Link]
Follow-up to postings and resources for veterans impacted by recent data breach, this press release (includes text of letter to HHS): "Thirty organizations participating in the Consumer Coalition for Health Privacy yesterday asked U.S. Department of Health and Human Services Secretary Mike Leavitt to undertake a compliance review of the U.S. Department of Veterans Affairs pursuant to the authority granted him by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Medical diagnostic codes and disability rating information about an undisclosed number of disabled veterans were stolen last month from the home of a VA employee along with 26.5 million veterans' names, birth dates and Social Security numbers."
Press release: "A new cyber security study released today highlights the difference between perception and reality of consumers' awareness of online scams and their actual online behavior. While 87 percent of consumers polled said they were confident they could recognize fraudulent e-mails, 61 percent failed to identify a legitimate e-mail. Most respondents categorized all e-mails in the study as fake, even though one of them was legitimate. The Online Fraud Report has been sponsored by the National Cyber Security Alliance (NCSA), a central clearinghouse for cyber security awareness and education for home users, small businesses and the education community, and Bank of America."
According to the New York Times, Arizona's rapid population growth combined with a "heavy traffic in methamphetamine" are significant factors in the state's ranking at the top of the list for ID theft complaints recorded by the FTC.
Follow-up to recent postings, Theft of Data on Over 25 Million Veterans Renews Calls for Greater Security and VA Launches Website and Call Center After Theft of Personal Data, from the Privacy Rights Clearinghouse: The VA's Data Breach – Tips for Veterans and Action You Can Take under Federal Law
The CCH Payroll Management Guide reports "Maryland employers, including the State, counties, and municipal corporations, may no longer print an employee's Social Security number on wage payment checks."
"In recognition of National Internet Safety Month (June 2006), National Criminal Justice Reference Service presents this compilation of Internet safety resources."
Follow-up to the latest extensive incident of ID theft involving government records and citizen personal data, see this OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information, May 22, 2006.
Related government documents and news:
NIST's National Vulnerability Database: Search for Vulnerabilities - Enter vendor, software, or keyword.
Follow-up to posting yesterday, Theft of Data on Over 25 Million Veterans Renews Calls for Greater Security, this news from the government today: "Over the weekend following the recent theft of 26.5 million veterans' records, the Department of Veterans Affairs (VA) quickly put in place a call center and website to answer questions about the implications of the theft and the steps veterans can take to protect themselves from misuse of their personal information. The call center, at 1-800-FEDINFO, operates from 8:00 a.m. to 9:00 p.m. (EDT) Monday to Saturday. It can handle up to 260,000 toll-free calls a day. The latest information on VA data security is posted on Firstgov.gov, the U.S. government's official Web portal."
Related news and government documents:
Statement of Secretary of Veterans Affairs R. James Nicholson on the Status of the Veterans Data Theft (5/24/06): "I am outraged at the loss of this veterans' data and the fact an employee would put it at risk by taking it home in violation of our policies. I am also concerned about the timing of the Department's response once the burglary became known. I will not tolerate inaction and poor judgment when it comes to protecting our veterans."
Cybersecurity Enhancement and Consumer Data Protection Act of 2006 (H.R. 5318), To amend title 18, United States Code, to better assure cyber-security, and for other purposes, introduced 5/9/2006, by Rep. James F. Sensenbrenner Jr.
Solove, Daniel J. and Hoofnagle, Chris Jay, A Model Regime of Privacy Protection (Version 3.0). Illinois Law Review, Vol. 2006, p. 357, 2006.
FTC press release: "The Federal Trade Commission today told the Subcommittee on Commerce, Trade, and Consumer Protection of the House Committee on Energy and Commerce Committee that in the effort to reconcile the beneficial uses of Social Security Numbers with the threats to consumer privacy, "The challenge is to find the proper balance between the need to keep SSNs out of the hands of identity thieves, while giving businesses and government entities sufficient means to attribute information to the correct person.""
Fact Sheet: The President's Identity Theft Task Force: "This task force will marshal the resources of the Federal government to crack down on the criminals who traffic in stolen identities and protect American families from this devastating crime."
"The Committee on Energy and Commerce, to whom was referred the bill (H.R. 4127) to protect consumers by requiring reasonable security policies and procedures to protect computerized data containing personal information, and to provide for nationwide notice in the event of a security breach, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass." [House Report 109-453 - Part 1 - Data Accountability and Trust Act (DATA), Ordered to be printed May 6, 2006]
FTC press release: "A title company that promised consumers it maintained "physical, electronic and procedural safeguards" to protect their confidential financial information, but tossed consumer home loan applications in an open dumpster, agreed to settle Federal Trade Commission charges that its inadequate storage and disposal procedures for sensitive consumer information violated federal laws. The settlement with Nations Title Agency, Inc., Nations Holding Company, and Christopher M. Likens bars deceptive claims about privacy and security policies, and requires that they implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years."
The RFID Hacking Underground, by Annalee Newitz: "They can steal your smartcard, lift your passport, jack your car, even clone the chip in your arm. And you won't feel a thing. 5 tales from the RFID-hacking underground."
Preventing Identity Theft and Data Security Breaches: The Problem With Regulation, by Clyde Wayne Crews and Brooke Oberwetter, Competitive Enterprise Institute, May 9, 2006 (24 pages, PDF)
Building and Implementing a Successful Information Security Policy, by John J. Pak, May 8, 2006 (25 pages, PDF).
The Ins and Outs of Spyware [15 pages, PDF] April 24, 2006: "Lesley Herring discusses what spyware is, categories of spyware, types of spyware, symptoms of spyware, research sites to find out more information, prevention techniques, and removal tools in this contribution."
Cyber Security Industry Alliance Board Urges Congressional Leadership on Consumer Data Protection: Letter to Congressional Leadership
The IRS held a public hearing today on proposed regs that will require taxpayers to specifically consent to the sale of their data as supplied to tax preparers.
Press release: "The Anti-Spyware Coalition today released two new resources to help consumers and enterprises better protect themselves against spyware and unwanted adware...The coalition's two new documents walk consumers and network operators through the steps they should be taking to protect their machines against adware, spyware and other malicious software."
Press release: "An estimated 3.6 million households, or about 3 percent of all households in the nation, learned that they had been the victim of at least one type of identity theft during a six-month period in 2004, the Justice Department’s Bureau of Justice Statistics (BJS) announced today. Forty-eight percent had experienced an unauthorized use of credit cards; 25 percent had other accounts, such as banking accounts, used without permission; 15 percent experienced the misuse of personal information and 12 percent experienced multiple types of theft at the same time. These findings represent six-month estimates based on interviews conducted from July through December 2004 for the BJS National Crime Victimization Survey."
Social Security Numbers: More Could be Done to Protect SSNs, Full text GAO-06-586T, and Highlights. March 30, 2006.
Press release: "The House Energy and Commerce Committee unanimously approved new data security laws Wednesday that will ensure consumers' personal information is closely guarded and consumers are notified when they are at risk...The bill places new requirements on specific companies that specialize in collecting personal data. These "data brokers" will be required to implement effective security safeguards. If there is a reasonable risk of identity theft to the individual to whom the personal information relates, fraud or other unlawful conduct, these data brokers must notify consumers. Additionally, data brokers will be prohibited from falsely representing themselves to obtain personal data...H.R. 4127, the Data Accountability and Trust Act, passed 41-0. The bill "sends a clear message: 'If you can't protect it, don't collect it,'" said U.S. Rep. John Dingell, D-Mich., the committee's ranking member."
"The Better Business Bureau (BBB) has partnered with nationally-recognized security and privacy experts to create a new toolkit to help small business owners manage security and privacy challenges. We call it Security & Privacy - Made Simpler (TM). The objective is to demystify the complexities of data security and give small businesses a non-technical roadmap to securing their customer data, and their employees' data, too."
"PhishRegistry.org is a free service provided by CipherTrust, Inc. to help businesses know when they are at risk of being phished. PhishRegistry.org monitors the content of your website and alerts you when attempts to duplicate it have been detected. Weekly reports are sent to your email address with information about suspect websites."
Privacy Rights Clearinghouse, Updated March 23, 2006: A Chronology of Data Breaches Reported Since the ChoicePoint Incident
"Thousands of visitors to StopBadware.org have shared their badware experiences with us since we launched. From their stories, we've identified and tested four applications that contain annoying or objectionable behaviors. To find out what we think of Kazaa, MediaPipe, SpyAxe, and Screensaver.com, read our reports (all in PDF):"
Information Security: Department of Health and Human Services Needs to Fully Implement Its Program, Full Report, GAO-06-267 and Highlights, February 24, 2006.
Press release: "Large well-respected companies are helping to fund the virulent spread of unwanted and potentially harmful "adware" by paying for advertisements generated by those programs, a new report by CDT finds. In "Following the Money: How Advertising Dollars Encourage Nuisance and Harmful Adware and What Can be Done to Reverse the Trend," (10 pages, PDF) CDT details how -- through a complicated network of intermediaries -- major advertisers pay to have their products and services advertised through pop-ups and other ads generated by unwanted advertising software or "adware." The report dissects the financial relationships behind those arrangements and identifies a number of mainstream companies that advertise through one particularly unscrupulous adware distributor."
Press release: "Neil Holloway, president of Microsoft Europe, Middle East and Africa (EMEA), unveiled a global law enforcement campaign that will target cybercriminals behind phishing attacks. Microsoft Corp. announced that by the end of June 2006 it will have initiated legal actions on more than 100 cases in EMEA against individuals suspected of committing online fraud; 53 of these will have already started by the end of March 2006...The legal actions are linked to a larger Microsoft(R) program, the Global Phishing Enforcement Initiative (GPEI), launched by the company to coordinate and expand its many anti-phishing efforts worldwide to fight phishers through consumer protection, partnerships and prosecution."
Press release, March 16, 2006: The Federal Trade Commission today told the House Committee on Small Business, Subcommittee on Regulatory Reform and Oversight that protecting consumers' privacy rights is a top priority for the agency. Lydia Parnes, Director of the FTC's Bureau of Consumer Protection, told the Committee, "The Commission is committed to aggressive law enforcement, vigorous consumer and business education efforts, and global cooperation to safeguard the security of consumers’ personal information." To date, the agency has brought 12 data security cases, six spyware and adware cases, more than a dozen financial pretexting cases, and more than 80 spam cases.
U.S. Newswire: "The House Financial Services Committee voted today to repeal strict state notification and credit freeze laws that have helped to protect consumers from identity theft and financial fraud. These laws provide essential protections that allow consumers to prevent identity thieves from opening credit accounts in their names and require companies to inform consumers when their personal data -- such as their Social Security and credit card numbers -- have become compromised."
Press release: "Consumer confidence in conducting business and protecting personal data online is threatened every day by phishing scams. In an initiative led by the National Consumers League (NCL), law enforcement, financial services and technical industries have joined forces to combat this threat. The group today issued a "call to action" with the release of a paper outlining key recommendations that form a comprehensive plan for combating phishing more effectively."
Government Reform Committee Oversight Hearing: No Computer System Left Behind: A Review of the 2005 Federal Computer Security Scorecards, March 16, 2006.
From Viviane Reding, Member of the European Commission responsible for Information Society and Media, "Safety on the Net" (7 pages, PDF), (09/02/06).
Symantec Internet Security Threat Report, Volume IX: March 2006 Highlights.
Press release: "Citing the need to safeguard the personal information of Minnesotans, Governor Pawlenty today announced a series of proposals that will protect personal privacy and improve the way state government handles personal data...In 2005, more than 3,000 Minnesotans became the victims of identity theft according to the Federal Trade Commission."
NPR: Identity Theft - Protecting Your Good Name, February 27, 2006. (17 pages, PDF)
FTC press release: "In the largest known compromise of financial data to date, CardSystems Solutions, Inc. and its successor, Solidus Networks, Inc., doing business as Pay By Touch Solutions, have agreed to settle Federal Trade Commission charges that CardSystems' failure to take appropriate security measures to protect the sensitive information of tens of millions of consumers was an unfair practice that violated federal law. According to the FTC, the security breach resulted in millions of dollars in fraudulent purchases. The settlement will require CardSystems and Pay By Touch to implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years."
Related documents:
Follow-up to House Cmte. Seeks Operations Docs. from Websites Selling Cell Phone Records, "House Energy and Commerce Committee investigators have identified people behind 22 Web pages that may offer criminals, stalkers and any other paying customer the detailed records of a person's private telephone calls."
"The goal of National Computer Security Survey (NCSS) is to produce reliable national and industry-level estimates of the prevalence of computer security incidents (such as denial of service attacks, fraud, or theft of information) against businesses and the resulting losses incurred by businesses. The first national survey of thousands of businesses is being conducted in 2006. Sponsors: U.S. Department of Justice, Bureau of Justice Statistics and the U.S. Department of Homeland Security, National Cyber Security Division (NCSD)."
Related government documents:
Data Security: Federal and State Laws, February 03, 2006
Press release: "The 2006 Identity Fraud Survey Report - released by the Council of Better Business Bureaus and Javelin Strategy & Research - provides new facts on how identity fraud occurs, counterintuitive insights that challenge conventionally accepted beliefs about these crimes, and steps consumers can take to further protect themselves against this problem...people are not helpless in protecting themselves from identity theft. Contrary to popular belief, consumers do not bear the brunt of financial losses from identity fraud, Internet use does not increase the risk of identity fraud; and... seniors are not the most frequent targets of fraud operators." The press release includes key data from the report, but the full text (57 pages) must be purchased from Javelin Strategy & Research.
Related resources:
UK Home Office: Updated Estimate of the Cost of Identity Fraud to the UK Economy, 2 February 2006 (4 pages, PDF).
The new StopBadware.org website, sponsored by the Berkman Center, the Oxford Internet Institute, with assistance from Consumer Reports WebWatch, ..."will seek to provide reliable, objective information about downloadable applications in order to help consumers to make better choices about what they download on to their computers. We aim to become a central clearinghouse for research on badware and the bad actors who spread it, and to become a focal point for developing collaborative, community-minded approaches to stopping badware."
Identity Theft Again Leads the List: "The Federal Trade Commission...released its annual report (77 pages, PDF) detailing consumer complaints about fraud and identity theft in 2005. Complaints about identity theft topped the list, accounting for 255,000 of more than 686,000 complaints filed with the agency in 2005. The complaints, filed online or at a toll-free number, are shared via a secure database with more than 1,400 federal, state, and local law enforcement agencies, and law enforcement and consumer protection agencies in Canada and Australia."
FTC press release: "Consumer data broker ChoicePoint, Inc., which last year acknowledged that the personal financial records of more than 163,000 consumers in its database had been compromised, will pay $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges that its security and record-handling procedures violated consumers' privacy rights and federal laws. The settlement requires ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program, and to obtain audits by an independent third-party security professional every other year until 2026."
Related Documents:
Press release: "The Federal Deposit Insurance Corporation (FDIC) today released an on-line multimedia education tool that consumers can use to learn how to better protect their computers and themselves from identity thieves. The presentation also features actions consumers can take if their personal information has been compromised. Identity theft continues to be one of the fastest growing crimes in the United States, and has ranked as one of the top consumer concerns for the past several years. Identity theft is evolving in more complicated ways that make it harder for consumers to protect themselves, and easier for criminals to set up virtual storefronts on the Internet to sell confidential personal information."
New 2005 FBI Computer Crime Survey (19 pages, PDF). "The survey, developed and analyzed with the help of leading public and private authorities on cyber security, is based on responses from a cross-section of more than 2,000 public and private organizations in four states."
"After an extensive public comment period and review, the Anti-Spyware Coalition has released the Final Working Report of the Spyware Definitions. In addition, ASC has released a number of supporting documents, including a Vendor Dispute Resolution Process, a Glossary and a set of Safety Tips for Users."
"OnGuardOnline.gov provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information."
Malware - Future Trends, by Dancho Danchev, 10/01/06 (26 pages, PDF).
Spy? Where?: Understanding Spyware, by Benny C. Rayner, 03/01/06 (14 pages, PDF): "Spyware is a pest no matter which way you think about it. Whether it’s causing you to have numerous pop-ups or it is consuming all of your system resources; spyware is a menace to be reckoned with."
Press release: NCSL's Top Ten Legislative Issues Forecast For 2006.
"Cyber Security Industry Alliance (CSIA), the only advocacy group dedicated to ensuring the privacy, reliability and integrity of information systems, today called on the federal government to assert greater leadership in the protection of our information infrastructure in 2006. Its release of the National Agenda for Government Action on Information Security (11 pages, PDF) identifies 13 specific actions required to improve information security for consumers, industry, and governments globally. As part of the Agenda, CSIA also provides a report of the government's limited progress in information security in 2005 and releases a new Digital Confidence Index that reflects the public's lack of confidence in our nation's critical infrastructure." [Link]
Press release: "Phishing attacks aimed at identity theft now affect roughly one in four Americans (23%) each month, according to the second annual AOL/National Cyber Security Alliance (NCSA) Online Safety Study (11 pages, PDF). Additionally, more than two-thirds of consumers (70%) who received such scam e-mails thought they were from legitimate companies, putting them at high risk of losing sensitive personal information to identity thieves or criminals. The AOL/NCSA Online Safety Study is the largest study of its kind, sending technical experts into hundreds of typical homes to examine personal computers for known security risks and threats."
Windows OneCare Team Blog: "WOC is devoted to helping users get their machines in a secure and healthy state."
The Personal Data Privacy And Security Act of 2005 was approved by the Senate Judiciary Committee and moves forward to Senate hearings.
From the Anti-Phishing Working Group and SRI International, the following report, commissioned by DHS, Online Identity Theft: Technology, Chokepoints and Countermeasures (58 pages, PDF).
Follow-up to November 1, 2005 posting, Data Breaches Remain A Concern for Consumers and Lawmakers. The House Commerce, Trade & Consumer Protection Subcommittee passed the Data Accountability and Trust Act, H.R. 1427, on November 3. Congressional support for the legislation remains mixed.
A new, joint federal law enforcement and industry initiative to fight Internet fraud, called LooksTooGoodToBeTrue, was launched today (press release, 5 pages, PDF). "This website was developed to arm you with information so you don’t fall victim to these Internet scam artists." The site provides consumers with documentation on: Types of Fraud; Victim Stories; FAQs & Tips; Information Regarding Phishing Scams; a Fraud Risk Test; and Links to help prevent you from being scammed.
Related references:
"Microsoft has teamed up with the National Cyber Security Alliance (NCSA) to help increase Internet security through a month-long awareness-raising campaign that provides information and sponsored events for consumers, small businesses, educators, and families. This year, the National Cyber Security Awareness Month campaign begins October 1, 2005...Events for this year's campaign include conferences and workshops in several cities across the U.S. For more information and a list of events, visit the NCSA Web site."
Press release, October 12, 2005: "The Federal Financial Institutions Examination Council (FFIEC) today released updated guidance (14 pages, PDF) on the risks and risk management controls necessary to authenticate the identity of customers accessing Internet-based financial services. The guidance, Authentication in an Internet Banking Environment, was issued to reflect the many significant legal and technological changes with respect to the protection of customer information, increasing incidents of identity theft and fraud, and the introduction of improved authentication technologies and other risk mitigation strategies."
The Complete Guide to E-mail, Inc. Magazine, October 2005: "What follows is a guide to the biggest e-mail concerns, particularly security, compliance, and archiving. We'll give you tools for building an e-mail policy now, which can save headaches later, and also advice on buying the right system."
"Kath Straub, Ph.D., CUA, Chief Scientist, looks at recent research on how people detect, and often miss, Web site fraud."
Fine-tuning your Internet deception detectors is a brief, straightforward, practical guide to "how Internet deception works."
FTC press release: "The Federal Trade Commission today told the Senate Committee on Commerce, Science, and Transportation Subcommittee on Trade, Tourism, and Economic Development that spyware and other "malware" that is downloaded to consumers' computers without their consent can cause problems ranging from sluggish computer performance to loss of sensitive personal data. Chairman Deborah Platt Majoras said the FTC has an active program to address concerns about spyware and other malware, including research, law enforcement, and consumer education." Please note that this press release provides links to and descriptions of four cases brought by the FTC against defendants accused of distributing spyware and adware.
Related links:
How to foil a Phish, by Sarah D. Scalet, documents the creation and implementation of a successful anti-phishing response plan by an anonymous financial institution. This case study provides a range of scenarios that confront banks dealing with a bombardment of email attacks, and offers practical resources and solutions.
Related references:
Signed into law on September 30, S.B. No. 355: This bill would enact the Anti-Phishing Act of 2005. The bill would make it unlawful for any person, through the Internet or other electronic means, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the approval or authority of the business. The bill would provide certain civil remedies and civil penalties for a violation in that regard.
Symantec Internet Security Threat Report, Volume VIII, September 2005 (requires free registration): "The Symantec Internet Security Threat Report is an analysis and discussion of Internet security activity over the past six months. It covers Internet attacks, vulnerabilities, malicious code, and future trends. This edition of the Threat Report, covering the first six months of 2005, marks a shift in the threat landscape. Attackers are moving away from large, multipurpose attacks on network perimeters and towards smaller, more focused attacks on client-side targets. The new threat landscape will likely be dominated by emerging threats such as bot networks, customizable modular malicious code, and targeted attacks on Web applications and Web browsers. Unlike traditional attack activity, many current threats are motivated by profit. They often attempt to perpetrate criminal acts, such as identity theft, extortion, and fraud."
"OnGuardOnline.gov provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information."
How to Combat Spyware in Corporate Environments - "A vendor contribution from Panda Soft on Spyware...Spyware downloaded to companies can steal confidential information, reduce the performance of the IT infrastructure, due to the resources used by non work-related activity and loss of employee productivity, who have to deal with changes to system settings and unwanted advertisements." (20 pages, PDF)
Why the "Real ID" Act, Which Requires National Identity Cards, is a Real Mess
Related links:
The Pharming Guide by Gunter Ollmann (37 pages, PDF)
EPIC reports that "the Fair Credit Reporting Act's guarantee of free credit reports takes full effect today, and now residents of all states can gain access to a free copy of their credit report from all three of the big consumer reporting agencies by visiting annualcreditreport.com or by calling 1-877-322-8228. You can monitor your credit free by requesting one of your three credit reports every four months. For more information, see EPIC's Fair Credit Reporting Act Page."
Related reference:
New York Governor Pataki signed the Information Security Breach and Notification Act on August 22. It "requires any state agency or business which owns or licenses a computerized database which includes vulnerable personal information shall disclose any breach of security of such system to any resident of New York state whose unencrypted personal information may have been acquired by an unauthorized person; provides enforcement provisions."
Understanding credit reports requires homework, patience, By Patricia Sabatini, Pittsburgh Post-Gazette.
How to let customers know there's been a breach of their data and help them keep their faith in you, by Dr. Larry Ponemon.
Webroot Software released their State of Spyware Report today (free but requires registration), which states in part that "...the number of websites distributing spyware has quadrupled since the beginning of 2005 to an astonishing 300,000 unique URLs." [press release] In addition, 80% of corporate computers are infected with malicious software, which can take the form of trojans, spyware or adware.
From the Reconnex August Insider Threat Index: "Ninety-one percent of companies who completed a Reconnex 48-Hour e-Risk Assessment in the month of July had credit card numbers entering or leaving their network and eighty-two percent exposed social security numbers. Most concerning was the amount of personal data including name and SSNs exposed directly in the subject lines of emails, in clear, open text. The origin of the vast majority of these disclosures stemmed from human resources departments who often accidentally exposed employees' personal information when they communicate with partners in health insurance, payroll, workers compensation and other third-party processors. The personal data revealed by co-workers often included employee names, date of birth, social security numbers (SSN) and even sometimes bank routing information. This personal data was usually sent via Excel spreadsheets and in clear text. Sometimes the individual Excel spreadsheets contained thousands to tens of thousands of individuals' personal data."
Press release from RSA Security: "A survey released [yesterday]...showed that – despite widespread fears of fraudulent activity and identity theft – consumers are willing to increase the amount of personal business they do online if their banks and other online service providers offer them strong authentication."
Press release from Unisys: "Survey results from Unisys Corporation launched [August 3, 2005] reveal that UK consumers' apathetic attitude to fraud could be helping to perpetuate the rapidly growing identity theft industry, which is now estimated to be costing UK businesses £1.3 billion per year."
IBM press release: "IBM reported that virus-laden emails and criminal driven security attacks increased by 50 percent in the first half of 2005 - underscored by a significant rise in 'customized' attacks on the government, financial services, manufacturing and healthcare industries. This substantial increase, along with a decrease in less profitable threats, such as spam and simple computer viruses, indicates a growth in targeted attacks against specific organizations and industries -- apparently created with the purpose of stealing critical data, identities or extorting money."
The U.S. Senate Special Committee on Aging held a hearing on July 27, Old Scams – New Victims: Breaking The Cycle of Victimization.
On July 20, the Privacy Rights Clearinghouse updated their Chronology of Data Breaches Reported Since the ChoicePoint Incident, which have impacted more than 50 million individuals.
Press release from the Progress & Freedom Foundation: "Notification Doesn't Benefit Consumers: State and Federal lawmakers should proceed with caution when considering notification legislation addressing the perceived growth of data security breaches, according to a new paper released by The Progress & Freedom Foundation. An Economic Analysis of Notification Requirements for Data Security Breaches (19 pages, PDF), authored by Senior Fellow and VP for Research Thomas Lenard and Adjunct Fellow Paul Rubin, finds the costs of such notifications to businesses and consumers are likely to be substantially higher than the benefits."
Related references:
From WSJ free content, Information Security - Where the Dangers Are: The threats to information security that keep the experts up at night -- and what businesses and consumers can do to protect themselves.
As a follow-up to my December 12, 2003 posting, E-ZPass Technology, Law Enforcement and Privacy, see this article, A Pass on Privacy, from the Sunday New York Times Magazine: "The computer system to which you have surrendered your payment information also records data about your movements and habits. It can be hacked into." Read on.
Press release: "A bipartisan coalition of Senate Commerce Committee leaders today introduced comprehensive legislation (The Identity Theft Protection Act, S.1408) that protects consumers from identity theft. The bill sets national standards for notifying consumers of data breaches, requires businesses to improve their safeguards for sensitive consumer information, gives consumers the right to freeze their credit reports to thwart identity theft, and limits the solicitation of Social Security numbers."
From the U.S. Public Policy Committee of the Association for Computing Machinery (ACM), Data security & privacy bill part of a crowded Senate agenda (Part 1).
Press release, July 1, 2005: "Three House members today released a report on the need for strong federal laws to protect consumers from identity theft. The report, Identity Theft and Terrorism, prepared by the House Homeland Security Committee, highlights the security gaps currently existing in consumer database companies and large financial institutions."
Press release from the Identity Theft Assistance Center (ITAC): Financial Services Companies Partner With Federal Trade Commission to Provide Identity Theft Data to Law Enforcement: Identity Theft Assistance Center Achieves Key Objective.
Deloitte & Touche published their annual Global Security Study, 2005 (44 pages, PDF), which surveys the state of IT security in the financial services industry.
Related references:
Identity Theft: Some Outreach Efforts to Promote Awareness of New Consumer Rights Are Under Way, GAO-05-710, June 30, 2005. Highlights.
Press release: "...the Personal Data Privacy and Security Act of 2005, legislation...would help consumers better protect the privacy of their personal information in the face of recurrent data security breaches across the country..." Note that the press release includes: key features and a summary of the Specter-Leahy legislation, Senator Leahy's statements on the introduction of the bill, and a detailed section-by-section summary of the bill.
Text of the bill, 91 pages, PDF
The cover story of the July 4, 2005 issue of Newsweek is on ID theft. Following are links to several articles from the issue, as well as a link to a relevant article from the New York Times Sunday Week in Review:
Press release from NJPIRG: "Today the New Jersey Legislature passed the potent, comprehensive "Identity Theft Prevention Act" (6 pages, PDF) with overwhelming, bipartisan majorities in each house. The law limits the use and display of social security numbers, requires business to thoroughly destroy discarded documents, requires businesses to notify consumers if an unauthorized person accesses enough information to steal their identity, and empowers consumers to prevent new account fraud with a user-friendly "security freeze."
In what appears to be a parallel data mining program to that of the Dept. of Education, about which I posted on November 30, 2004 (Federal Gov't Wants To Mine College and University Student Data), and again on April 6, 2005 (Gov't Proceeds With Plans to Mine Personal Data on Students), new reports today describe an extensive military recruitment database created by the Pentagon. The database comprises personal data on tens of millions of high school and college-aged students, and its management is in the hands of a commercial company in Massachusetts. A coalition of privacy groups filed comments yesterday strongly opposing the database, stating that "the collection of this information is not consistent with the Privacy Act..." and that the collection of social security numbers "heightens the risk of identity theft."
From CNN Money, ID data breaches: as rampant as it seems documents the circumstances of the most recently reported incident of hacking, called skimming, that involved the illegal acquisition and storage of credit card data; the exact impact has still not been fully disclosed, apparently because of the ongoing investigation.
Related references:
FTC press release: "BJ's Wholesale Club, Inc. has agreed to settle Federal Trade Commission charges that its failure to take appropriate security measures to protect the sensitive information of thousands of its customers was an unfair practice that violated federal law. According to the FTC, this information was used by an unauthorized person or persons to make millions of dollars of fraudulent purchases. The settlement will require BJ's to implement a comprehensive information security program and obtain audits by an independent third party security professional every other year for 20 years."
From the Washington Post (reg. req'd), Private Eyes Fear Limits On Information Access
On Thursday, June 16, 2005, the Senate Commerce Committee held a Full Committee hearing to examine federal legislative solutions to data breach and identity theft.
Information Security: Emerging Cybersecurity Issues Threaten Federal Information Systems GAO-05-231, May 13, 2005. Highlights.
The Scramble to Protect Personal Information, from today's New York Times, addresses the issue of significant vulnerabilities in the transfer mechanisms used for financial data, which have resulted in numerous recent headline grabbing reports on the loss and theft of personal data impacting millions of consumers.
Two articles worth reading on state and federal efforts to regulate data brokers in response to the continuing cascade of system breaches, thefts, loss of tapes/drives, and leaks resulting in the release of sensitive personal data: from the Washington Post (reg. req'd), States Keep Watchful Eye on Personal-Data Firms, and from PC World, Policing Information Brokers, the Sequel.
From EPIC, June 1, 2005: "Today, residents of eleven southern states can gain access to a free copy of their credit report from all three of the big consumer reporting agencies by visiting annualcreditreport.com or by calling 1-877-322-8228."
Press release from the FTC, June 1, 2005: "Beginning today, a new federal rule will require businesses and individuals to take appropriate measures to dispose of sensitive information derived from consumer reports. Any business or individual who uses a consumer report for a business purpose is subject to the requirements of the Disposal Rule, a part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which calls for the proper disposal of information in consumer reports and records to protect against unauthorized access to or use of the information."
IBM press release, May 24, 2005: "IBM today introduced first-of-its-kind software that allows organizations to anonymously share and compare information without revealing private or sensitive personal details, introducing a new era of open, collaborative data sharing in financial services, healthcare, retail and other industries. The breakthrough IBM technology, DB2 Anonymous Resolution, helps customers to rapidly and more securely share information with other organizations, while protecting - or "anonymizing" - the identity of individuals within their respective data repositories."
From the Privacy Rights Clearinghouse, an update today to their report, A Chronology of Data Breaches Reported Since the ChoicePoint Incident
Federal Register, May 11, 2005: United States Sentencing Commission, NOTICES, Sentencing guidelines and policy statements for Federal courts, 24852–24856. SUMMARY: Pursuant to its authority under 28 U.S.C. 994(p), the Commission has promulgated amendments to the sentencing guidelines, policy statements, commentary, and statutory index. This notice sets forth the amendments and the reason for each amendment.
From Wired, this article Your Identity, Open to All clearly elucidates the privacy issues associated with significantly increased accessibility to personal data on the web that is aggregated from public domain sources. Questions about the accuracy of this data, its timeliness, the reliability of the sources from which it is extrapolated, and the reasons for making it available are of critical importance in the context of increasing concerns related to cybercrimes, ID theft, privacy and availability of e-records to the public.
Information on 600,000 current, former Time Warner workers missing
From today's New York Times Magazine, You've Been Sold, by Richard A. Clarke. "What Congress can do now to bust the boom in identity theft."
From the free content section of the April 21 WSJ, A Cottage Industry Blooms To Help Victims of ID Theft examines the costs and range of services offered by companies who market assistance to victims of online or offline ID theft. In addition, potential red flags about, and the limitations to, these services are noted.
Press release, April 1, 2005: Spitzer Calls for Regulation of Information Brokers and Increased Penalties for Computer Hacking. Note - links to the text of the proposed legislation, in PDF, are available via this press release, and highlights include the following:
Press release today: "LexisNexis U.S., a leading provider of legal, news and business information said today it has begun mailing notification letters to approximately 280,000 individuals whose personally identifying information may have been accessed by unauthorized individuals using passwords and IDs stolen from legitimate customers of its Seisint unit."
Press release: "Senator Hillary Rodham Clinton and Representative Edward J. Markey announced that they would introduce the Safeguarding Americans from Exporting Identification Data (SAFE ID) Act in the United States Senate and House today, legislation that would protect the privacy of consumers' most sensitive personal information. This legislation would close gaps in U.S. privacy laws that leave consumers vulnerable when American businesses and healthcare organizations send accounting and medical information overseas for processing, often without consumers' knowledge."
The San Jose Medical Group reported the theft, from their facility, of two Dell PCs to which confidential data on 185,000 patients had been copied from the organization's servers.
Senate Judiciary Committee hearing, "Securing Electronic Personal Data: Striking a Balance Between Privacy and Commercial and Governmental Use," April 13, 2005
S. 751, A bill to require federal agencies, and persons engaged in interstate commerce, in possession of data containing personal information, to disclose any unauthorized acquisition of such information, introduced April 11, 2005.
"CDT will testify (text of statement submitted by CDT Exec. Director, 17 pages, PDF) April 13 before the Senate Judiciary Committee on the privacy and security issues raised by recent losses of personal information by data brokers and others. CDT will call for a stronger policy framework, requiring notice of breach, security safeguards, limits on use and disclosure of Social Security numbers, rules for governmental use, and application of "fair information practices" to data brokers."
Related references:
Press release: LexisNexis Concludes Review of Data Search Activity, Identifying Additional Instances of Illegal Data Access: "In addition to the 30,000 individuals already notified, LexisNexis will begin notifying approximately 280,000 additional individuals whose information may have been acquired during these recently identified incidents. LexisNexis will offer free support services to individuals who receive the notification, to monitor and protect them from possible fraud associated with identity theft, including credit bureau reports, credit monitoring for one year and fraud insurance. In addition, LexisNexis will provide fraud counseling services or specialized assistance on a case-by-case basis to any individual who has been the victim of identity theft related to these instances."
Related references:
In States Scramble To Protect Data - Dozens of Privacy Bills Introduced After Spate of Security Breaches, the Washington Post reports that privacy legislation is under consideration in 28 states. However, industry support for a carefully crafted response on the federal level presents serious challenges to the future of these bills.
From the current issue of Managing Technology (Wharton School): Do You Know Where Your Identity Is? Personal Data Theft Eludes Easy Remedies
Subcommittee on Courts, the Internet, and Intellectual Property Oversight Hearing on Digital Music Interoperability and Availability, April 6, 2005.
Navigate to the full range of content in the article from this page, and see direct links to some of the highlights as follows:
Is your personal data next? Rash of data heists points to fundamental ID theft problem
The Use of Technology to Combat Identity Theft, Report from the Department of the Treasury on the Study conducted pursuant to Section 157 of the Fair and Accurate Credit Transactions Act of 2003 (116 pages, PDF)
From the Washington Post, via truthout, Net Aids Access to Sensitive ID Data addresses how it continues to be easy and inexpensive to obtain personal data on the web from a variety of sources, despite the escalating controversy focused on a range of recent ID theft scams launched against large database aggregators.
From AP, ChoicePoint to allow people access to personal records.
From the Privacy Rights Clearing House: Privacy Groups Urge Federal Reserve Board to Protect Consumers from Identity Theft and Stolen Convenience Checks
Press release today: Westlaw Ends SSN Sales to Private Companies, Greatly Limits Sale to Law Enforcement, Other Public Agencies:
"LexisNexis has created a Web site with helpful information regarding data privacy at http://privacyfacts.lexisnexis.com."
Subcommittee on Commerce, Trade, and Consumer Protection hearing today on Protecting Consumer's Data: Policy Issues Raised by Choice Point. Prepared Testimony (PDF) is available from the following:
Two articles worth reading from The Los Angeles Times (reg. req'd):
From Internetnews.com, this article on soon-to-be-released fee-based products providing consumers with tracking and alert services on fraudulent activities associated with their personal data.
"The Federal Trade Commission testified...before the U.S. Senate Committee on Banking, Housing, and Urban Affairs about the reach of existing federal laws that require certain information providers to safeguard sensitive information and to ensure that the information doesn’t fall into the wrong hands. The Senate Banking Committee is examining recent developments involving the security of sensitive consumer information." [Link]
The US Senate Committee on Banking, Housing, and Urban Affairs will hold a hearing on Identity Theft: Recent Developments Involving the Security of Sensitive Consumer Information, 3/10/05, 2:30 PM. [Link]
Press release from Reed Elsevier PLC and Reed Elsevier NV: LexisNexis investigates compromised customer IDs and passwords to Seisint U.S. consumer data.
Press release from the United States Attorney, Central District of California, March 7, 2005: "An Encino man who used personal information fraudulently obtained from ChoicePoint Service and other companies to commit identity theft against thousands of victims was sentenced today to 66 months in federal prison. Adedayo Benson, a 38-year-old Nigerian national, was sentenced this afternoon by United States District Judge Gary A. Feess. In addition to the 5 1/2-year prison term, Judge Feess ordered Adedayo Benson to pay nearly $155,000 in restitution to 10 financial institutions."
From the Privacy Rights Clearinghouse, Criminal Identity Theft in California: Seeking Solutions to the "Worst Case Scenario"
Shareholders sue ChoicePoint: "A class-action lawsuit has been filed in U.S. District Court for the Central District of California on behalf of those who bought ChoicePoint shares between April 22, 2004, and March 3, 2005."
From the Washington Post, New Industry Helping Banks Fight Back - Sleuths Hit Online Identity Thieves With 'Takedowns,' 'Poisoning'. A patchwork of emerging technology applications, targeted at financial services and e-commerce, is available to address growing consumer concerns with e-mail and website fraud. This article reviews the challenges posed by phishing and the possibility that there may be federal regulations down the road.
Related references:
Message to ChoicePoint users appears after login: "Dear Customer - Based on recent issues, we are taking a proactive stance on managing access to sensitive information. ChoicePoint is requesting an update of your user and account information and reducing your access to some data - until we process the update. Your account is still open and searches are running. Some Social Security numbers, Drivers License numbers and birth dates have been truncated (only part of the number will display) on reports or searches. We understand this may cause concern for your company or interfere with productivity. We sincerely apologize and will compensate you by crediting some future searches on ChoicePoint products. An account representative will call you to update your information. If you call or email us now, we cannot update or change your data access. If you have data questions or product questions contact us at 1-800-279-7710 or email us. We are serious about serving customers and serious about the responsible use of information. These may seem in conflict, but we are working towards a better solution for all stakeholders. Thank you for your understanding."
As the citizens of additional states join the list of those eligible for free credit reports, problems associated with this program have been noted. The World Privacy Forum recently issued an extensive report documenting fraudulent activities that are complicating consumer access to the reports. In addition, the group reviews how use of the legitimate sites providing the credit reports may result in exposure to unwanted marketing, spam and related privacy intrusions.
Press release: "Symantec has been granted U.S. patent number 6,851,057 for a system that enables the detection of complex viruses, worms, and spyware. The technology, "data driven detection of viruses," is employed throughout Symantec's portfolio of industry-leading information security solutions at the desktop, server, and gateway for both consumers and enterprises."
Critical personal and professional data resident on the hard drives of PCs that have been sold, traded or stolen remains a significant problem with no easy remedy. According to this Times Online article which documents the range of sensitive data retrieved from the drives of major corporations and individuals alike, the only reliable means of thoroughly wiping data is "to put an axe through it."
Press release today from Sen. Patrick Leahy, co-founder and co-chairman of the Senate Internet Caucus, on the introduction of the Anti-Phishing Act of 2005 (S. 472). The release "includes the Senate Floor speech of Sen. Patrick Leahy introducing his bill to explicitly target Internet "phishing," and "pharming" with new federal criminal penalties, and a fact sheet on the bill."
Related references:
From the Privacy Rights Clearinghouse, this February 2005 update to their guide, Online Data Brokers: How Consumers Can Opt Out of Directory Assistance and Non-public Information, includes a chart detailing the specific procedure required by 17 free and fee-based websites and services which aggregate and provide access to a range of personal data. Take some time to review the information that these sites maintain on you, and be aware that they do not comprise all available online sources. Also note that, unlike the Do-Not-Call Registry, opting out of these websites is not a one-time request. As the database content is refreshed throughout the year, ensuring that your information is permanently removed may be an insurmountable challenge.
What follows is a group of recent, relevant articles and documents associated with the escalating critical evaluation of database aggregation and sale of personal data and associated digital scams and ID theft.
Press release: Leahy Calls For Hearings On Information Brokers That Are Emerging As Private Intelligence Agencies Tuesday, February 22, 2005:
Social Security Administration: Actions Needed to Strengthen Processes for Issuing Social Security Numbers to Children GAO-05-115, January 31, 2005, Highlights.
By Chris Jay Hoofnagle, associate director of the Electronic Privacy Information Center, Putting Identity Theft on Ice: Freezing Credit Reports to Prevent Lending to Impostors.
From the press release, Office of the Illinois Attorney General, February 16, 2005: "Joined by several other state Attorneys General, Attorney General Lisa Madigan has written to a Georgia company that collects vast amounts of personal and financial data urging that the company immediately notify any Illinoisans whose information may have been breached following the theft of such information from the company by identity thieves. Others signing the letter include Attorneys General of Alaska, Arizona, Connecticut, Florida, Idaho, Indiana, Iowa, Maryland, Massachusetts, Michigan, Ohio, Oregon, New York, North Carolina, North Dakota, South Dakota, Vermont and Washington."
Related references:
Updates today on news earlier this week, Data Mining Aggregator Reports Widespread ID Theft, disclose that the scope of the ID theft scam may involve half a million individuals around the country, not just the 35,000 in California as initially reported.
Related resources:
From the National Association of State Chief Information Officers (NASCIO), Welcome to the Jungle: The State Privacy Implications of Spam, Phishing and Spyware (15 pages, PDF).
Reports today from MSNBC, Reuters (via CNN Money), and New.com on the theft of between 30,000 and 35,000 personal digital data profiles of California residents, which occurred last fall. Related postings.
"This report (19 pages, PDF) provides a detailed, comprehensive analysis of identity fraud in the United States, in order to better understand methods for prevention, detection and resolution. Co-released by Javelin Strategy & Research and the Better Business Bureau, this report is issued as a longitudinal update to the Federal Trade Commission’s (FTC) 2003 Identity Theft Survey Report."
Press release: "Today IBM announced the results from its 2004 Global Business Security Index Report and provided an early look at potential security threats in 2005. Based on early indicators, a new and troubling trend this year may be the aggressive spread of viruses and worms to handheld devices, cell phones, wireless networks, and embedded computers, which include car and satellite communication systems." [thanks David Ries]
From the FTC press release: "The Federal Trade Commission has launched the seventh annual National Consumer Protection Week (NCPW), February 6-12, 2005, in cooperation with federal, state and local agencies, and national advocacy organizations committed to consumer protection and education. This year's theme, "Identity Theft: When Fact Becomes Fiction," focuses on minimizing the risk of identity theft and taking fast action if an identity thief strikes...The NCPW Web site contains helpful information for consumers and businesses on a variety of topics, including "phishing" scams, telecommunications fraud, Internet fraud, and the theft of printed documents with personal information, as well as protecting employees from identity theft in the workplace. The site also contains valuable consumer information on the steps to take if you become a victim."
As a follow-up to my posting yesterday, FTC Releases Annual Report on Consumer Complaints - ID Theft Tops List, this Washington Post article (reg. req'd) highlights that the D.C. metropolitan area led the country in the number of complaints to the FTC.
Press release: "The Federal Trade Commission today released its annual report detailing consumer complaints about identity theft and listing the top 10 categories of fraud-related complaints filed with the FTC in 2004. For the fifth year in a row, identity theft topped the list of complaints, accounting for 39 percent of the 635,173 consumer fraud complaints filed with the agency last year."
S.116, Privacy Act of 2005. Introduced in Senate on January 24, 2005, Senator Dianne Feinstein (D-Calif.)
New Research Shows That Identity Theft Is More Prevalent Offline with Paper than Online:
From USA Today: Identity theft, new law about to send shredding on a tear
Security Focus has an in-depth report on how a hacker penetrated T-Mobile systems and stole personal data, including social security numbers, emails, photos and Secret Service documents. [via David Reis]
From PCWorld, Legislative Year in Review: All Talk, Little Action: "For good or ill, Congress kept to its usual snail's pace on a number of controversial issues ranging from digital copyright to spyware; other government agencies, however, made up for some of the slack."
Terminating Spyware With Extreme Prejudice chronicles efforts to be rid of spyware and adware programs using the extreme method of reformatting a PC hard drive, after all other avenues had failed.
"CleanSoftware.org is a resource to help Windows users find the best free daily-use software, free from nasties: adware, spyware, harmful/intrusive components, and threats to privacy." (via Slashdot) Versions of the software included are accompanied by red, yellow and green dots indicating the level of reliability.
Press release - FDIC Issues Study on Identity Theft and Seeks Comments on Possible Guidance to Bankers: "Fraudsters are taking advantage of the reliance on single-factor authentication for remote access to online banking, and the lack of e-mail and Web site authentication, to perpetrate account hijacking."
As a follow-up to this posting, State Department documents obtained through a FOIA request, details of which are publicized in this ACLU white paper, provide broader insight into the privacy and ID theft issues raised by the new passports' implementation of Contactless Integrated Circuits.
A trio of PowerPoint presentations providing resources on the following timely issues:
As a follow-up to my May 17 posting, Biometric ID Will Be Added to US Passports, today's AP story, Electronic Passports Might Not Measure Up, details additional concerns that the information chips under development subject the passport holder to an ID theft scam that is simple to perpetrate.
Press release: The Federal Trade Commission has issued its final rules under the Fair and Accurate Credit Transactions Act (FACTA) regarding further definition of the terms "identity theft" and "identity theft report"; the duration of active duty alerts; and the appropriate proof of identity needed by consumers to block fraudulent trade lines in their consumer reports, place or remove fraud or active duty alerts, or truncate their Social Security number in their file disclosures.
This extensive examination of ID theft in America indicates that U.S. law enforcement has determined that a large proportion of these crimes are planned offshore, and that outsourcing has been a contributing factor.
From email security provider CipherTrust, this report details research on the origin, method of dissemination, and targets of phishing attacks.
Update to 10/08/04 posting, FTC Files Case Against Two Companies Who Market Spyware, that included a link to the complaint, see the 10/12/04 FTC press release, FTC Cracks down On Spyware Operation, for additional comments.
Social Security Numbers: Use Is Widespread and Protections Vary in Private and Public Sectors GAO-04-1099T, September 28, 2004, Highlights-PDF
Prepared Statement of the Federal Trade Commission on Identity Theft and Social Security Numbers, Before the Subcommittee on Commerce, Trade, and Consumer Protection of the House Committee on Energy and Commerce, September 28, 2004.
FTC press release, FTC Continues Education, Enforcement Efforts to Promote Information Security, and Commissioner Swindle's prepared statement (PDF, 17 pages) before the House Committee on Government Reform hearing, Identity Theft: The Cause, Costs, Consequences, and Potential Solutions?, September 22, 2004.
Google Search Reveals Credit-Card Numbers:
From the Privacy Rights Clearinghouse, Fact Sheet No. 24e: Is Your Financial Information Safe? September 2004:
A brief article in the August 26 Wall Street Journal, page B6, raises important questions concerning the security of confidential corporate documents stored on the hard drives of digital copiers, and potentially accessible by hackers if the drives have separate network addresses. From the article: "If a human resources department uses a digital photocopier to record employees' social security or driver's licenses, "That information is resident on that hard drive," says Edward McLaughlin, president of Sharp Document Solutions. "It is something that every financial institution is all over."
From the Privacy Rights Clearinghouse: FACTA, the Fair and Accurate Credit Transactions Act: Consumers Win Some, Lose Some and Fact Sheet No. 6: How Private Is My Credit Report? Revised August 2004.
From AP: Big-time ID Theft A Symptom of Database Culture. This article details the scope and scale of retail credit card fraud and ID theft, crimes which are registering steadily increasing statistics...a downside of the "database nation."
Consumers in two states (California and Texas) may now use a "security freeze" to block access to their credit reports unless they authorize it, which they can do by providing a PIN (personal identification number) to the credit bureau. Vermont and Louisiana residents will be able to opt in next summer. This ID theft deterrent does not have Congressional or industry support.
Remarks by the President at Signing of Identity Theft Penalty Enhancement Act this morning.
From VeriSign's press release today: "VeriSign's Anti-Phishing Solution protects enterprises through a five-tiered solution that helps prevent, detect and respond to attacks, thereby mitigating and eliminating identity theft and email fraud attempts."
Technology for securing your credit card transactions while conducting online purchases is described in this article.
Single-use credit cards fight fraud. A number of companies are offering disposable credit card numbers for online purchase transactions.
Gartner Study Finds Significant Increase in E-Mail Phishing Attacks:
An online survey conducted in April indicates "that 75% of accountholders are less likely to respond to email from their banks, and over 65% said they were less likely to sign-up or continue to use their bank’s online services." These results reflect growing consumer concern with phishing and email fraud, occurrences of which are increasingly the focus of news articles.
Yesterday, California Senate Bill 1436, the Consumer Protection Against Computer Spyware Act, sponsored by Senator Kevin Murra