"DMARC, which stands for "Domain-based Message Authentication, Reporting & Conformance", is a technical specification created by a group of organizations that want to help reduce the potential for email-based abuse by solving a couple of long-standing operational, deployment, and reporting issues related to email authentication protocols. DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms. This means that senders will experience consistent authentication results for their messages at AOL, Gmail, Hotmail, Yahoo! and any other email receiver implementing DMARC. We hope this will encourage senders to more broadly authenticate their outbound email which can make email a more reliable way to communicate."

News release: "The Federal Trade Commission today sent a letter to the Internet Corporation for Assigned Names and Numbers (ICANN), the organization that oversees Internet domain names, expressing concern that the organization's plan to dramatically expand the domain name system could leave consumers more vulnerable to online fraud and undermine law enforcers' ability to track down online scammers. In its letter to ICANN, the Commission warned that rapid expansion of the number of generic top-level domain names (gTLDs) – the part of the domain name to the right of the dot, such as ".com," ".net" and ".org" – could create a "dramatically increased opportunity for consumer fraud," and make it easier for scam artists to manipulate the system to avoid being detected by law enforcement authorities. The Commission urged ICANN – before approving any new gTLD applications – to take additional steps to protect consumers, including starting with a pilot program to work out potential problems."

Identity Theft Reported by Households, 2005-2010: "Presents data on the nature of and trends in identity theft victimization among U.S. households from the National Crime Victimization Survey (NCVS). The NCVS defines identity theft as the misuse or attempted misuse of an existing credit card or another existing account or the misuse of personal information to open a new account or for other fraudulent purposes. Findings are based on experiences of all household members age 12 or older as reported by the head of household. The data brief examines changes in the percentage of households experiencing identity theft from 2005 to 2010. It describes differences in the types of identity theft experienced by households in 2010 compared to 2005, as well as changes in the demographic characteristics of victimized households. The brief also presents estimates on the monetary losses attributed to household victims of identity theft. Highlights include the following:

• In 2010, 7.0% of households in the United States, or about 8.6 million households, had at least one member age 12 or older who experienced one or more types of identity theft victimization.
  
• Among households in which at least one member experienced one or more types of identity theft, 64.1% experienced the misuse or attempted misuse of an existing credit card account in 2010.
  
• From 2005 to 2010, the percentage of all households with one or more type of identity theft that suffered no direct financial loss increased from 18.5% to 23.7%."

"Consumer Reports' Guide to online security outlines some of the most common Net threats—such as phishing, online scams, and computer viruses. (See: Best ways to stay safe online.) But our latest security report also notes that mobile phones and social media sites can also present a rising amount of ID theft risks since more consumers are using their smart phones to shop and sharing news of online bargains on Facebook. (See: Mobile phones: The new risk and Concerns about Facebook.) The Consumer Federation of America, a non-profit association of almost 300 consumer organizations, has compiled a list of 10 tips for having an ID theft-free holiday season (PDF) on its website, IDTheftInfo.org."

News release: "The loss of computer tapes by Science Applications International Corporation (SAIC) may have placed TRICARE patient data at risk. There is no evidence that any of the data has actually been accessed by a third party, and analysis shows the chance any data was actually compromised is low, but proactive measures are being taken to ensure that potentially affected patients are kept informed and protected. SAIC is a contractor for the TRICARE Management Activity. On September 14, TMA learned that an SAIC employee reported that on September 12 computer tapes containing personally identifiable and protected health information (PII/PHI) of 4.9 million military clinic and hospital patients in Texas, or those patients who had laboratory exams sent to the military hospitals in Texas, were stolen. The data contained on the tapes may include names, Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions. There is no financial data, such as credit card or bank account information, on the backup tapes."

DOE IG Evaluation Report - The Department's Unclassified Cyber Security Program – 2011, DOE/IG-0856 October 2011

News release: "Check Point® Software Technologies Ltd. announced the results of a new report revealing 48 percent of enterprises surveyed have been victims of social engineering, experiencing 25 or more attacks in the past two years, costing businesses anywhere from $25,000 to over $100,000 per security incident. The report, The Risk of Social Engineering on Information Security, shows phishing and social networking tools as the most common sources of socially-engineering threats – encouraging businesses to implement a strong combination of technology and user awareness to minimize the frequency and cost of attacks. Socially-engineered attacks traditionally target people with an implied knowledge or access to sensitive information. Hackers today leverage a variety of techniques and social networking applications to gather personal and professional information about an individual in order to find the weakest link in the organization. According to the global survey of over 850 IT and security professionals, 86 percent of businesses recognize social engineering as a growing concern, with the majority of respondents (51%) citing financial gain as the primary motivation of attacks, followed by competitive advantage and revenge."

Identity Theft - Trends, Patterns, and Typologies Based on Suspicious Activity Reports. Filed by the Securities and Futures Industries January 1, 2005 – December 31, 2010. Report released September 2011.

News release: "Want to know more about Internet safety and security? Visit the new and improved OnGuardOnline.gov for practical tips and resources on how to be safe, secure and responsible online. Created through a partnership of 16 federal agencies led by the Federal Trade Commission, it’s a great source of free information for your home, school, community group, or workplace. OnGuardOnline’s new features include a cybersecurity blog and information updates via e-mail. Also, the FTC has partnered with the Department of Homeland Security and other agencies in the Stop.Think.Connect Campaign™ to raise awareness of the need for stronger cybersecurity with new approaches to help increase online safety and security. The new OnGuardOnline blog offers cybersecurity news from around the government, how-to articles and videos, and insights from federal officials. Check back regularly for updates, or sign up to get an e-mail when a new post is up. You can copy information from the site, adapt it, post it, or link to it, and you can share your thoughts on the blog. Updating your website or blog? Link to OnGuardOnline. Editing a newsletter? Use our articles. Need hand-outs for a talk you’re giving? Print publications from the website, or order free materials from the FTC."

News release: "A new publication from the Federal Trade Commission, Protecting Your Child’s Personal Information at School, advises parents how to limit the risks of identity theft. It also explains the federal Family Educational Rights Privacy Act, which protects the privacy of student records and gives parents of school-age children the right to opt out of sharing contact information with third parties. In addition, the publication advises parents to ask their child’s school about its directory information policy, to learn about privacy policies of sports or music activities not formally sponsored by the school, and what to do if their child’s school experiences a data breach."

Trends in Circumventing Web-Malware Detection. Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig Schmidt. Google Technical Report rajab-2011a, July 2011

News release: "Acting on recent data that reveals many consumers still aren’t protected by even basic antivirus software when banking online, McAfee today released an educational guide for banking safely on computers, tablets or mobile devices. According to Javelin Strategy & Research, in 2010 47 percent of household financial managers did not have antivirus software installed. Combining McAfee intelligence with the latest U.S. banking data from many top sources revealed that most consumers fall into one of three categories of online banking behavior, and that age tends to play a strong role in safety and security habits online. Most people’s level of confidence with banking online is associated with their overall comfort level online, including participating in such activities as shopping, searching, and social networking."

Faces of Facebook: Privacy in the Age of Augmented Reality - FAQ only - See also slides here. Alessandro Acquisti (Heinz College, Carnegie Mellon University), Ralph Gross (Heinz College, Carnegie Mellon University) Fred Stutzman (Heinz College, Carnegie Mellon University), August 2011

Federal Register Volume 76, Number 125 (Wednesday, June 29, 2011)]

News release: "The Federal Trade Commission told Congress today during a hearing that to minimize the risk of identity theft or other harm, companies should employ reasonable safeguards to protect consumer information, collect only information for which they have a legitimate business need, and retain data only as long as necessary to fulfill the business purposes for which it was collected. The FTC also reiterated its recommendation that Congress pass legislation that would require companies to implement reasonable security practices and to notify consumers when there is a data security breach...The Commission expressed its support for federal legislation that would require companies to put reasonable data security policies and procedures in place, and to notify consumers when there has been a data security breach that affects them. The testimony notes that the Committee’s “Discussion Draft” of data security legislation accomplishes these key goals. The testimony highlights several other elements of the Discussion Draft, which gives the Commission authority to use the standard APA notice and comment procedures for rulemaking in connection with the legislation, provides for civil penalties for violations, and requires non-profit entities to adhere to the same data security and breach notification standards as for-profit entities."

News release: "AVG Technologies, Inc. announced it will make its leading Family Safety software available for free in exchange for a 99 cent donation to the American Red Cross family relief efforts in Joplin, Mo. The move comes in response to research the company conducted and has released over the course of the year on early childhood technology usage trends, “Digital Diaries" and is complemented with the release of a first-of-its-kind e-book and mobile application for teaching very young children the basics of online safety, Little Bird’s Internet Security Adventure.” AVG CEO JR Smith is making appearances across the country today urging parents to consider introducing their child to Little Bird to help them learn about online safety....Roughly half of today’s children (ages 6-9) are regularly talking to their friends online and using social networks, yet 58 percent of their parents admit they are not well-informed about their children’s online social networks. The “Digital Playground,” the third stage of AVG’s year-long “Digital Diaries” research program, further reveals the increasingly digitally-literate group of 6- to 9-year-olds and their parents in North America, Europe, Australia and New Zealand to find that:

• More than half (51 percent) of 6- to 9-year-olds use some kind of children’s social network such as Club Penguin or WebKinz.
  
• Roughly one in five use email, and despite being underage, 14 percent are on Facebook, according to their parents.
  
• 47 percent of 6- to 9-year-olds talk to their friends on the Internet.
  
• Almost one in six 6- to 9-year-olds and one in five 8- to 9-year-olds have experienced what their parents consider objectionable or aggressive behavior online.
  
• American children average four hours online each week, slightly more than the worldwide average of 3.5 hours per week.
  
• 58 percent of parents admit they are neither well-informed nor understand their children’s online social networks.
  
• Only 56 percent of parents were certain their family computer has parental controls or safety programs in place."

Privacy leakage vs. Protection measures: the growing disconnect, Balachander Krishnamurthy - AT&T Labs Research; Konstantin Naryshkin - Worcester Polytechnic Institute; Craig E. Wills - Worcester Polytechnic Institute, May 2011.

Consumer Finance Protection Bureau: "The people just now reaching their sixties are part of America’s largest-ever generation of retirees. The CFPB is creating an Office of Financial Protection for Older Americans to ensure we serve this large community effectively. This Office will connect seniors with what they need to guide themselves through their financial lives. The Dodd-Frank Wall Street Reform and Consumer Protection Act requires this Office to be active by January 21, 2012. We are building it right alongside the rest of the consumer bureau, and in the coming weeks and months you’ll hear more from us about financial issues for seniors. Here are some places you can go now for senior financial protection information:

• The Administration on Aging has Elder Rights Protection resources to make sure seniors can guard their rights.
  
• The Securities and Exchange Commission offers some tip sheets and resources.
  
• The FTC offers information on avoiding scams and fraudulent business practices, which advertise in ways that make them look like legitimate opportunities.

• Antidumping and Countervailing Duties: Options for Improving Collection, GAO-11-693T, May 25, 2011
• Deaf and Hard of Hearing Children: Federal Support for Developing Language and Literacy, GAO-11-357, May 25, 2011
• Defense Management: Comprehensive Cost Information and Analysis of Alternatives Needed to Assess Military Posture in Asia, GAO-11-316, May 25, 2011
• Economic Development: Efficiency and Effectiveness of Fragmented Programs Are Unclear, GAO-11-651T, May 25, 2011
• Federal Student Loans: Patterns in Tuition, Enrollment, and Federal Stafford Loan Borrowing Up to the 2007-08 Loan Limit Increase, GAO-11-470R, May 25, 2011
• Opportunities to Reduce Potential Duplication in Government Programs, Save Tax Dollars, and Enhance Revenue, GAO-11-635T, May 25, 2011
• Smithsonian Institution: Much Work Still Needed to Identify and Repatriate Indian Human Remains and Objects, GAO-11-515, May 25, 2011
• Tax Refunds: Enhanced Prerefund Compliance Checks Could Yield Significant Benefits, GAO-11-691T, May 25, 2011
• Taxes and Identity Theft: Status of IRS Initiatives to Help Victimized Taxpayers, GAO-11-674T, May 25, 2011

Catching AuthTokens in the Wild - The Insecurity of Google's ClientLogin Protocol by Bastian Könings, Jens Nickels, and Florian Schaub, May 13, 2011

Via CDT - The Threat of Data Theft to American Consumers: "Two high profile data (Sony's Playstation and Epsilon) breaches have grabbed headlines lately because of their recency, data breach is a major longstanding problem for consumers, businesses and government. According to Privacy Rights Clearinghouse, a staggering 600 million records have been breached due to the roughly 2,460 data breaches made public since 2005.5 According to a 2010 Ponemon benchmark study, the cost of data breaches to businesses – in terms of preventing, detecting, and notifying individuals of breach, as well as legal defense and lost business opportunities – have risen considerably over the past several years. Consumers whose personal information is lost or stolen in data breaches face increased risks of identity theft, spam and phishing attacks, reduced trust toward services on which they depend, and sometimes humiliating loss of privacy over sensitive medical conditions."

DOJ OIG: The Federal Bureau of Investigation's Ability to Address the National Security Cyber Intrusion Threat (Redacted Version), Audit Report 11-22, April 2011

EPIC: "Senator Richard Blumenthal (D-CT) wrote to Attorney General Eric Holder asking that the Department of Justice open an investigation into the Sony PlayStation security breach. Sony recently informed PlayStation Network customers that an "unauthorized user" had obtained the personal and financial information of 70 million gamers, including minors. Blumenthal wrote that whomever hacked into the PlayStation Network violated the Computer Fraud and Abuse Act. He also expressed concern about Sony's week-long delay in notifying users about the breach. In 2009, EPIC testified before Congress about the need to strengthen data breach notification laws, noting "in the absence of security obligations and breach notification requirements, it is too easy for firms to continue bad practices." For more information, see EPIC: Identity Theft.

News release: "Data loss through cyber attacks decreased sharply in 2010, but the total number of breaches was higher than ever, according to the "Verizon 2011 Data Breach Investigations Report." These findings continue to demonstrate that businesses and consumers must remain vigilant in implementing and maintaining security practices. The number of compromised records involved in data breaches investigated by Verizon and the U.S. Secret Service dropped from 144 million in 2009 to only 4 million in 2010, representing the lowest volume of data loss since the report's launch in 2008. Yet this year's report covers approximately 760 data breaches, the largest caseload to date. According to the report, the seeming contradiction between the low data loss and the high number of breaches likely stems from a significant decline in large-scale breaches, caused by a change in tactics by cybercriminals. They are engaging in small, opportunistic attacks rather than large-scale, difficult attacks and are using relatively unsophisticated methods to successfully penetrate organizations. For example, only 3 percent of breaches were considered unavoidable without extremely difficult or expensive corrective action. The report also found that outsiders are responsible for 92 percent of breaches, a significant increase from the 2010 findings. Although the percentage of insider attacks decreased significantly over the previous year (16 percent versus 49 percent), this is largely due to the huge increase in smaller external attacks. As a result, the total number of insider attacks actually remained relatively constant.

EU: "77% of 13-16 year olds and 38% of 9-12 year olds in the EU have a profile on a social networking site, according to a pan-European survey carried out for the European Commission. Yet, a quarter of children who use social networking sites like Facebook, Hyves, Tuenti, Nasza-Klasa SchuelerVZ, Hi5, Iwiw or Myvip say their profile is set to "public" meaning that everyone can see it, and many of these display their address and/or phone number. The figures highlight the importance of the European Commission's upcoming review of the implementation of the Safer Social Networking Principles for the EU. This agreement was brokered by the Commission in 2009 (IP/09/232) when major social networking companies agreed to implement measures to ensure the online safety of their under 18s users. Children's safety online is an important part of the Digital Agenda for Europe (see IP/10/581, MEMO/10/199 and MEMO/10/200)."

• Safer Internet Programme
  
• Concrete tips for parents on how to keep your child safe online
  
• Digital Agenda website

Follow-up: Personally Identifiable Information Made Available to the Public Via the Death Master File (Limited Distribution), A-06-10-20173, 3/31/11

"The Federal Trade Commission today told a House subcommittee that millions of consumers are victims of identity theft each year at a cost of billion of dollars and countless hours of consumers’ time to repair the damage. In testimony before the House Ways and Means Committee’s Social Security Subcommittee, the agency said helping protect consumers from ID theft and deal with its consequences is a critical part of the FTC’s consumer protection mission. In the testimony, the FTC recommended legislation to help mitigate the identity theft problem by making Social Security numbers less useful to identity thieves and making the numbers harder to access."

Via EPIC: "Epsilon, a large marketing firm, has lost the names and e-mail addresses of customers of Walgreens, JP Morgan Chase, Capitol One, Tivo, and other large companies. The firm announced the data breaches late last week. Data service providers, such as Epsilon, are not well known by consumers and are not typically regulated. Epsilon provides data analytics, targeting, profiling of customers, as well as e-mail tracking services. Previously, EPIC provided comments to the Federal Trade Commission and testimony to the United States Congress on the need for comprehensive privacy protection for customer data."

Smartphone Security - Survey of U.S. consumers, Ponemon Institute© Research Report, Sponsored by AVG Technologies, Independently conducted by Ponemon Institute LLC, Publication Date: March 2011

News release: "The Ponemon Institute proudly presents the 2010 U.S. Cost of a Data Breach, the sixth annual study concerning the cost of data breach incidents for U.S.-based companies sponsored by Symantec Corporation. The average organizational cost of a data breach increased to $7.2 million and cost companies an average of $214 per compromised record, markedly higher when compared to $204 in 2009. The study also found that for the second straight year organizations’ need to respond rapidly to data breaches drove the associated costs higher. The sixth annual Ponemon Cost of a Data Breach report is based on the actual data breach experiences of 51 U.S. companies from 15 different industry sectors."

News release: "The Federal Trade Commission today released the list of top consumer complaints received by the agency in 2010. The list showed that for the 11th year in a row, identity theft was the number one consumer complaint category. Of 1,339,265 complaints received in 2010, 250,854 – or 19 percent – were related to identity theft. Debt collection complaints were in second place, with 144,159 complaints. The report breaks out complaint data on a state-by-state basis and also contains data about the 50 metropolitan areas reporting the highest per capita incidence of fraud and other complaints. In addition, the 50 metropolitan areas reporting the highest incidence of identity theft are noted."

2010 Internet Crime Report, The Internet Crime Complaint Center (IC3), February 2011

News release: "At a forum with Silicon Valley business and academic leaders at Stanford University, U.S. Commerce Secretary Gary Locke and White House Cybersecurity Coordinator Howard A. Schmidt announced plans to create a National Program Office to help foster an environment in which sensitive online transactions can be carried out with greater levels of trust. The National Program Office, to be established within the Department of Commerce, would coordinate federal activities needed to implement the National Strategy for Trusted Identities in Cyberspace (NSTIC), an Obama administration initiative aimed at establishing identity solutions and privacy-enhancing technologies that will make the online environment more secure and convenient for consumers. The national office would serve as the point of contact to bring the public and private sectors together to meet this challenge."

Top Issues Facing Social Security Administration Management - Fiscal Year 2011, December 2010

News release: "An estimated 11.7 million persons, representing five percent of all persons age 16 or older in the United States, were victims of identity theft during the two years prior to being surveyed in 2008, the Bureau of Justice Statistics (BJS) announced today. The financial losses due to the identity theft totaled more than $17 billion. Identity theft was defined in the survey as the attempted or successful misuse of an existing account, such as a debit or credit account, misuse of personal information to open a new account, or misuse of personal information for other fraudulent purposes, such as obtaining government benefits. Approximately 6.2 million victims (three percent of all persons age 16 or older) experienced the unauthorized use or attempted use of an existing credit card account, the most prevalent type of identity theft. An estimated 4.4 million persons reported the misuse or attempted misuse of a banking account, such as a debit, checking or savings account. Another 1.7 million persons experienced the fraudulent misuse of their information to open a new account, and about 618,900 persons reported the misuse of their information to commit other crimes, such as fraudulently obtaining medical care or government benefits or providing false information to law enforcement during a crime or traffic stop. About 16 percent of all victims (1.8 million persons) experienced multiple types of identity theft during the two-year period."

News release: "The Electronic Frontier Foundation (EFF) has launched a new version of HTTPS Everywhere, a security tool that offers enhanced protection for Firefox browser users against "Firesheep" and other exploits of webpage security flaws. HTTPS secures web browsing by encrypting both requests from your browser to websites and the resulting pages that are displayed. Without HTTPS, your online reading habits and activities are vulnerable to eavesdropping, and your accounts are vulnerable to hijacking... This new version of HTTPS Everywhere responds to growing concerns about website vulnerability in the wake of Firesheep, an attack tool that could enable an eavesdropper on a network to take over another user's web accounts -- on social networking sites or webmail systems, for example -- if the browser's connection to the web application either does not use cryptography or does not use it thoroughly enough...Other sites targeted by Firesheep that now receive protection from HTTPS Everywhere include Bit.ly, Cisco, Dropbox, Evernote, and GitHub. In addition to the HTTPS Everywhere update, EFF also released a guide to help website operators implement HTTPS properly."

Identity-Related Crime: A Threat Assessment - A Report to the Attorney General of the United States and the Minister of Public Safety of Canada, November 2010

Google Confronts China’s “Three Warfares”, by Timothy L. Thomas. Parameters, Summer 2010, Vol. 40, No. 2, U.S. Army War College.

State Governments at Risk: A Call to Secure Citizen Data and Inspire Public Trust, September 2010

Identity Theft Trends, Patterns, and Typologies Reported in Suspicious Activity Reports Filed by Depository Institutions January 1, 2003 – December 31, 2009, released October 2010 by the Financial Crimes Enforcement Network

News release: "The Federal Trade Commission has created a guide to help attorneys and victim advocates provide legal assistance to identity theft victims. Geared toward resolving issues out of court, the Guide for Assisting Identity Theft Victims describes how advocates can intervene with creditors, credit reporting agencies, debt collectors, and others, as well as self-help measures that victims can take. Victims may need an advocate’s help in a variety of situations: their age, health, language skills, or income prevents them from making effective disputes; they’re being pursued for someone else’s debt; they face uncooperative creditors or credit reporting agencies; or their case is complex."

News release: "The Federal Trade Commission today told the Equal Employment Opportunity Commission that the Fair Credit Reporting Act (FCRA) imposes requirements on Consumer Reporting Agencies (CRAs) - which include the three major credit bureaus - and on employers that use the information “to ensure that sensitive consumer report information is used with fairness, impartiality, and respect for consumers’ privacy.” Commission testimony given by Maneesha Mithal, Associate Director of the FTC’s Division of Privacy and Identity Protection, states that FCRA requirements placed on CRAs and employers are designed to promote privacy, accuracy, and fairness in the use of consumer reports. For example, before giving a consumer report to an employer, the CRA must take reasonable steps to ensure that the employer has a legitimate basis to obtain the report; must inform the employer of his or her obligation to provide certain notices to consumers; and must obtain the employer’s certification that he or she is complying with the FCRA and will not use consumer report information in violation of equal opportunity laws."

News release: "This is National Protect Your Identity Week, and the Federal Trade Commission, the nation’s consumer protection agency, has information to help consumers, businesses, and law enforcement officials safeguard personal information and take action if an identity thief strikes.

• www.ftc.gov/idtheft is a one-stop national resource to learn about the crime of identity theft. Consumers can learn how to avoid identity theft – and what to do if their identity is stolen. Businesses can learn to help their customers deal with identity theft and prevent problems in the first place. Law enforcement officials will find resources that help victims of identity theft.
  
• www.YouTube.com/FTCVideos has short educational videos that help consumers learn more about identity theft, phishing, reducing spam, and protecting their computers against unwanted intrusions.
  
• www.onguardonline.gov/games lets consumers test their cyber smarts with interactive games on everything from phishing and computer security to social networking and e-mail scams.
  
• www.ftc.gov/freereports offers details about a consumer’s right to get a free copy of his or her credit report from each of the three national credit reporting companies, upon request, once every 12 months. Reviewing one’s credit report regularly is an effective way to deter and detect identity theft."

State of the Internet 2010: A Report on the Ever-Changing Threat Landscape, CA Technologies Internet Security Business Unit
Internet Security Intelligence Report, October 2010

WSJ: "Many of the most popular applications, or "apps," on the social-networking site Facebook Inc. have been transmitting identifying information—in effect, providing access to people's names and, in some cases, their friends' names—to dozens of advertising and Internet tracking companies, a Wall Street Journal investigation has found. The issue affects tens of millions of Facebook app users, including people who set their profiles to Facebook's strictest privacy settings. The practice breaks Facebook's rules, and renews questions about its ability to keep identifiable information about its users' activities secure. The problem has ties to the growing field of companies that build detailed databases on people in order to track them online—a practice the Journal has been examining in its What They Know series. It's unclear how long the breach was in place. On Sunday, a Facebook spokesman said it is taking steps to "dramatically limit" the exposure of users' personal information."

News release: "The Federal Trade Commission today unveiled a community outreach kit with new resources to help parents and communities keep kids safe online and on their mobile phones. With more than five million copies of the Net Cetera: Chatting with Kids About Being Online guide already in the hands of families across the country, FTC Chairman Jon Leibowitz announced the expanded campaign."

News release: [On September 22, 2010] the Federal Trade Commission told a Senate Subcommittee that it supports proposed legislation that would require many companies to use reasonable data security policies and procedures and require those companies to notify consumers when there is a security breach. In testimony before the Committee on Science, Commerce, and Transportation Subcommittee on Consumer Protection, Product Safety and Insurance, Maneesha Mithal, Associate Director for Privacy and Identity Protection at the FTC told the Subcommittee that problems with data security and breaches affect a wide array of both businesses and nonprofit organizations..
The testimony states that the agency suggests three additional measures that could be included in the proposed legislation to protect consumers. First, the provision that requires that companies notify consumers in the event of an information security breach should not be limited to entities that possess data in electronic form; second, the proposed requirements should be extended so that they apply to telephone companies; and third, the Commission suggests that the bill grant the agency rulemaking authority to determine circumstances under which providing free credit reports or credit monitoring may not be warranted."

Identity Theft Resource Center 2010 Breach List - Breaches: 435 Exposed: 13,329,706 - Report Date, 8/17/2010

News release: "The Federal Trade Commission testified [July 22, 2010] about FTC efforts to protect consumer privacy and commented on legislative proposals to improve privacy protections before the U.S. House Subcommittee on Commerce, Trade, and Consumer Protection of the Committee on Energy and Commerce. The testimony presented by David Vladeck, Director of the FTC’s Bureau of Consumer Protection, described the FTC’s law enforcement actions to hold companies accountable for protecting consumer privacy, focusing on data security, identity theft, children’s privacy, and protecting consumers from intrusive spam, spyware, and telemarketing. The testimony noted that the FTC has brought 28 actions charging businesses with failing to protect consumers’ personal information and 15 actions charging website operators with collecting information from children without parents’ consent. The FTC also has brought 15 spyware cases and dozens of actions challenging illegal spam, including an action against a rogue Internet Service Provider that resulted in a temporary 30 percent drop in spam worldwide. Finally, the FTC has brought 64 actions alleging violations of the Do Not Call Rule, resulting in violators paying almost $40 million in civil penalties and giving up nearly $18 million, including consumer redress."

"EPIC Executive Director Marc Rotenberg testified [July 15, 2010]before the House Committee on Science and Technology regarding Planning for the Future of Cyber Attack Attribution. In his prepared statement, Mr. Rotenberg discussed "the risks and limitations of a mandatory Internet ID that may be favored by some as a way to address the risk of cyber attack." He explained how such a proposal would implicate human rights and online freedom, and questioned the constitutionality of such a measure. EPIC recommended that efforts continue to focus on improving security standards, deploying encryption, and requiring federal agencies to remain transparent as they develop cyber security policies."

Identity Theft Reported by Households, 2007 - Statistical Tables: "Presents data on identity theft victimization reported by households from the National Crime Victimization Survey (NCVS). These statistical tables provide 2007 data on rates and types of identity theft, as well as demographic characteristics of victimized households and their monetary losses. Tables compare rates of identity theft victimization in 2005 to 2007. Estimates from the last half of 2008 are also presented and compared to estimates from the same 6-month period in 2007."

The Comprehensive National Cybersecurity Initiative: "President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, but one that we as a government or as a country are not adequately prepared to counter. Shortly after taking office, the President therefore ordered a thorough review of federal efforts to defend the U.S. information and communications infrastructure and the development of a comprehensive approach to securing America’s digital infrastructure."

Your Office Copy Machine Might Digitally Store Thousands of Documents That Get Passed on at Resale

NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), Recommendations of the National Institute of Standards and Technology, Erika McCallister, Tim Grance, Karen Scarfone, April 2010.

Follow up to postings on security issues and erasing hard drive, from Gizmodoa detailed article with accompanying screen shots and product references: "With stories abounding of identity theft aided by information lifted from discarded storage devices, you want devices you no longer plan to use to have no usable information when they head out the door. Here's how to wipe them clean...When you erase/delete a file from your computer, it's not really gone until the areas of the disk it used are overwritten by new information. If you use the normal Windows delete function, the "deleted" file is sent to the Recycle Bin until the space it uses is required by other files. If you use Shift-Delete to bypass the Recycle Bin, the space occupied by the file is marked as available for other files. However, the file could be recovered days or even weeks later with third-party data recovery software. As long as the operating system does not reuse the space occupied by a file with another file, the "deleted" file can be recovered."

Although many organizations do not report breaches on a timely basis, or in many instances, report them at all, the most recent Identity Theft Resource Center report reveals data protection remains a critical issue for organizations, especially financial services.

News release: Prepared Statement of the Federal Trade Commission On Keeping Score on Credit Scores: An Overview of Credit Scores, Credit Reports and Their Impact on Consumers, Presented by David Vladeck, Director, Bureau of Consumer Protection, Before the Subcommittee On Financial Institutions and Consumer Credit of the Committee On Financial Services, United States House of Representatives (March 24, 2010)

News release: "FinCEN joins with other Federal, State and Local government agencies and consumer protection organizations to recognize the 12th Annual National Consumer Protection Week (NCPW), March 7-13. This coordinated consumer education campaign encourages individuals across the country to take full advantage of their consumer rights. FinCEN provides a number of special resources to educate consumers, and the financial institutions that serve them, of potential fraud and scam attempts. FinCEN's rules help consumers by requiring financial institutions to be on the alert for illicit activity. Requirements that a financial institution know its customers can help both to provide better customer service and to prevent that customer from becoming a victim of fraud."

News release: "The Federal Trade Commission and other government agencies and national consumer groups are sponsoring the 12th annual National Consumer Protection Week from March 7-13, 2010. The event is a coordinated consumer education campaign that encourages individuals across the country to take full advantage of their consumer rights. This year’s theme, Dollars & Sense: Rated “A” for All Ages, highlights the importance of using good consumer sense at every stage of life, from grade school to retirement. In keeping with the theme, the consumer education campaign features a Web site with a page for kids and parents, as well as games, videos, and links other Web sites that teach practical lessons about the role of business and government in everyday life. The site, www.consumer.gov/ncpw, provides information that encourages people to take full advantage of their consumer rights, and promotes free resources to help people protect their privacy, manage money and debt, avoid identity theft, understand credit and mortgages, and steer clear of frauds and scams."

News release: "The Federal Trade Commission today released a report listing top complaints consumers filed with the agency in 2009. It shows that while identity theft remains the top complaint category, identity theft complaints declined 5 percentage points from 2008.

• A complete list of complaints can be found here.
  
• The FTC is releasing a new animated video showing how people can file a complaint, and offers examples of what complaints the FTC handles."

News release: "Starting April 1, advertising for “free credit reports” will require new disclosures to help consumers avoid confusing “free” offers – which often require consumers to spend money on credit monitoring or other products or services – with the no-strings-attached credit reports available at AnnualCreditReport.com, or 877-322-8228. The Federal Trade Commission’s Free Credit Reports Rule will require new prominent disclosures in advertisements for “free credit reports.” For example, any Web site offering free credit reports must include a disclosure, across the top of each page that mentions free credit reports, which states:

THIS NOTICE IS REQUIRED BY LAW. Read more at FTC.GOV. You have the right to a free credit report from AnnualCreditReport.com or 877-322-8228, the ONLY authorized source under federal law."

2010 Identity Fraud Survey Report: Consumer Version

Global Risks 2010 - A Global Risk Network Report. A World Economic Forum Report in collaboration with Citi, Marsh & McLennan Companies (MMC), Swiss Re, Wharton School Risk Center, Zurich Financial Services. January 2010.

News release: "Albert Gonzalez, 28, of Miami, pleaded guilty today to conspiring to hack into computer networks supporting major American retail and financial organizations, and to steal data relating to tens of millions of credit and debit cards, announced Assistant Attorney General of the Criminal Division Lanny A. Breuer, U.S. Attorney for the District of New Jersey Paul J. Fishman, U.S. Attorney for the District of Massachusetts Carmen Milagros Ortiz and Director of the U.S. Secret Service Mark Sullivan. Gonzalez, aka “segvec,” “soupnazi” and “j4guar17,” pleaded guilty to two counts of conspiracy to gain unauthorized access to the payment card networks operated by, among others, Heartland Payment Systems, a New Jersey-based card processor; 7-Eleven, a Texas-based nationwide convenience store chain; and Hannaford Brothers Co. Inc., a Maine-based supermarket chain. The plea was entered in federal court in Boston before U.S. District Court Judge Douglas P. Woodlock. The case is one of the largest data breaches ever investigated and prosecuted in the United States."

News release: "The Federal Trade Commission has launched its Web site and blog for National Consumer Protection Week 2010, which will be held March 7-13. Consumer.gov/ncpw, encourages people to learn about their rights as consumers, and promotes free resources to help them protect their privacy, manage money and debt, avoid identity theft, understand credit and mortgages, and steer clear of frauds and scams. The twelfth annual consumer protection week is a partnership between the FTC and other government agencies and consumer groups. This year’s theme, Dollars & Sense: Rated “A” for All Ages, highlights the importance of using good consumer sense at every stage of life – from grade school to retirement. The site for the event features a page for kids and parents, and highlights games, videos, and other Web sites that teach kids practical lessons about the role of business and government in their everyday lives."

News release: "The Federal Trade Commission today issued a Fraud Forum staff report that examines more effective ways to protect consumers from fraudulent schemes and focus the collective knowledge and experience of forum participants to fight fraud. The February 2009 Forum was attended by academics, consumer advocates, industry representatives, and state and federal law enforcers. The Fraud Forum Report summarizes information presented at the event during panel and small group discussions on a range of issues including: the psychology of scammers and their victims, fraud statistics, under-reported fraud, and the role of private industry in detecting and preventing fraud."

"CDT released a whitepaper highlighting policy issues related to responsible user-centric identification systems. The paper comes as the U.S. Government begins launching a series of pilot programs that will use third party user credentials to authenticate users to federal Web sites and discusses possible challenges to be considered as these activities are expanded in order to provide a better user experience."

Evaluation Report, The Department's Unclassified, Cyber Security Program - 2009. DOE/IG-0828 October 2009

News release: "ChoicePoint, Inc., one of the nation’s largest data brokers, has agreed to strengthened data security requirements to settle Federal Trade Commission charges that the company failed to implement a comprehensive information security program protecting consumers’ sensitive information, as required by a previous court order. This failure left the door open to a data breach in 2008 that compromised the personal information of 13,750 people and put them at risk of identify theft. ChoicePoint has now agreed to a modified court order that expands its data security assessment and reporting duties and requires the company to pay $275,000. In April 2008, ChoicePoint (now a subsidiary of Reed Elsevier, Inc.) turned off a key electronic security tool used to monitor access to one of its databases, and for four months failed to detect that the security tool was off, according to the FTC. During that period, an unknown person conducted unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers. The searches continued for 30 days. After discovering the breach, the company brought the matter to the FTC’s attention."

National Identity Theft Prevention Week - UK's Fraud Prevention Service resources:

• Practical Guide To Identity Fraud Prevention For Business
  
• A Quick Reference Guide Leaflet
  
• Protecting your Information Checklist
  
• Personal Advice: A Quick Reference Guide Leaflet
  
• The Anonymous Attacker, A special report on
  Identity Fraud and Account Takeover, October 2009

FBI news release: "The largest number of defendants ever charged in a cyber crime case have been indicted in a multinational investigation conducted in the United States and Egypt that uncovered a sophisticated “phishing” operation that fraudulently collected personal information from thousands of victims that was used to defraud American banks. [October 7, 2009], authorities in several United States cities arrested 33 of 53 defendants named in an indictment returned last week by a federal grand jury in Los Angeles. Several defendants charged in the indictment are being sought this morning by law enforcement. Additionally, authorities in Egypt have charged 47 defendants linked to the phishing scheme. The United States government is extremely grateful for the extraordinary assistance provided by the Egyptian government in this matter."

News release: "Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, ID-Conn., and Ranking Member Susan Collins, R-Me., Sunday said the latest trend in cybercrime is directed at small to medium sized companies that have been robbed of both data and dollars...The thieves steal in amounts under $10,000 to avoid triggering a bank report required by anti-money laundering law. The malware is so well written that the traffic seems to be coming from an authorized computer – and possibly is a legitimate computer that has been commandeered. The money is then transferred to “money mules” who may have been recruited over internet job boards or who have posted resumes on a job listing serviceThe Committee will hold a hearing September 14, 2009, Cyber Attacks: Protecting Industry Against Growing Threats, to examine this new trend, and the Senators plan to introduce broad cyber security legislation later this fall that will improve cyber security in the private sector."

Follow up to August 1, 2009 posting - Alleged International Hacker Indicted for Massive Attack on U.S. Retail and Banking Networks - today's news release: "An international computer hacker pleaded guilty today to multiple charges relating to hacking activity and credit card fraud, announced Assistant Attorney General of the Criminal Division Lanny A. Breuer, Acting U.S. Attorney for the District of Massachusetts Michael Loucks, U.S. Attorney for the Eastern District of New York Benton J. Campbell and Director of the U.S. Secret Service Mark Sullivan. More than 40 million credit and debit card numbers were stolen from major U.S. retailers as a result of the hacking activity. Albert Gonzalez, 28, of Miami, pleaded guilty today to 19 counts of conspiracy, computer fraud, wire fraud, access device fraud and aggravated identity theft relating to hacks into numerous major U.S. retailers including TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority. Gonzalez was indicted in August 2008 in the District of Massachusetts on charges related to these hacks."

Online Behavioral Tracking and Targeting Concerns and Solutions, Legislative Primer September 2009 - from the Perspective of: Center for Digital Democracy, Consumer Federation of America, Consumers Union, Consumer Watchdog, Electronic Frontier Foundation, Privacy Lives, Privacy Rights Clearinghouse, Privacy Times, U.S. Public Interest Research Group, The World Privacy Forum.

"PandaLabs issued a release on the proliferation of identity theft malware during times of economic crisis. Our research found that the number of users affected by malware designed for identity theft has increased 600 percent this year compared to the same time in 2008. PandaLabs receives nearly 37,000 samples of new viruses, worms, Trojans and other types of Internet threats each day. Of these, 71 percent are Trojans, mostly aimed at stealing bank details or credit card numbers, as well as passwords for other commercial services. Between January and July 2009, PandaLabs received 11 million new threats, approximately 8 million of which were Trojans. This is in clear contrast, for example, to the average of 51 percent of new Trojans that PandaLabs received in 2007."

News release: "Albert Gonzalez, 28, of Miami, Fla., was indicted today for conspiring to hack into computer networks supporting major American retail and financial organizations, and stealing data relating to more than 130 million credit and debit cards, announced Assistant Attorney General of the Criminal Division Lanny A. Breuer, Acting U.S. Attorney for the District of New Jersey Ralph J. Marra Jr. and U.S. Secret Service Assistant Director for Investigations Michael Merritt...The indictment, which details the largest alleged credit and debit card data breach ever charged in the United States, alleges that beginning in October 2006, Gonzalez and his co-conspirators researched the credit and debit card systems used by their victims; devised a sophisticated attack to penetrate their networks and steal credit and debit card data; and then sent that data to computer servers they operated in California, Illinois, Latvia, the Netherlands and Ukraine. The indictment also alleges Gonzalez and his co-conspirators also used sophisticated hacker techniques to cover their tracks and to avoid detection by anti-virus software used by their victims."

News release: Javelin Strategy & Research released its Fifth Annual Card Issuers’ Identity Safety Scorecard, which analyzes the top 25 U.S. card issuers’ capabilities for protecting customers from identity fraud. To compile the report, Javelin incorporated data from annual household, consumer, and issuer surveys using Javelin’s Prevention, Detection and Resolution™ criteria to accurately reflect customer demands and trends in how issuers protect against fraud. The Javelin scorecard is a structured assessment of each issuer’s fraud protection services. The scorecard ranks features that best empower two major victims of the nation’s $48B identity fraud problem—cardholders and issuers—showing how to turn the tables on a worrying method of crime."

"The Federal Trade Commission today described its comprehensive efforts to combat identity theft before the U.S. House Subcommittee on Information Policy, Census, and National Archives of the Committee on Oversight and Government Reform. The FTC also recommended legislative remedies to enhance the effectiveness of these efforts. The testimony presented by Betsy Broder, Assistant Director of the FTC’s Division of Privacy and Identity Protection, highlighted the agency’s leadership role in developing a national strategy to combat identity theft as part of the President’s Identity Theft Task Force. The Task Force issued 31 recommendations that promoted an enhanced data security culture in the public and private sectors, launched victim assistance initiatives, and improved law enforcement’s ability to pursue and punish identity thieves."

• Broadcasting to Cuba: Observations Regarding TV Marti's Strategy and Operations, GAO-09-758T, June 17, 2009
• Identity Theft: Governments Have Acted to Protect Personally Identifiable Information, but Vulnerabilities Remain, GAO-09-759T, June 17, 2009
• Polar-Orbiting Environmental Satellites: With Costs Increasing and Data Continuity at Risk, Improvements Needed in Tri-agency Decision Making, GAO-09-564, June 17, 2009
• Polar-Orbiting Satellites: With Costs Increasing and Data Continuity at Risk, Improvements Needed in Tri-agency Decision Making, http://www.gao.gov/new.items/d09772t.pdf, June 17, 2009
• Telecommunications: Preliminary Observations about Consumer Satisfaction and Problems with Wireless Phone Service and FCC's Efforts to Assist Consumers with Complaints, GAO-09-800T, June 17, 2009
• Troubled Asset Relief Program: June 2009 Status of Efforts to Address Transparency and Accountability Issues, GAO-09-658, June 17, 2009
• American Battle Monuments Commission: Management Action Needed to Improve Internal Control Procedures, GAO-09-714R, June 17, 2008

News release: "Six federal agencies issued a set of frequently asked questions (FAQs) today to help financial institutions, creditors, users of consumer reports, and issuers of credit cards and debit cards comply with federal regulations on identity theft and discrepancies in changes of address. The “Red Flags and Address Discrepancy Rules,” which implement sections of the Fair and Accurate Credit Transactions Act of 2003, were issued jointly on November 9, 2007, by the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and Federal Trade Commission (FTC)."

"The Federal Trade Commission has launched a Web site to help entities covered by the Red Flags Rule design and implement identity theft prevention programs. The Rule requires “creditors” and “financial institutions” to develop written programs to identify the warning signs of ID theft, spot them when they occur, and take appropriate steps to respond to those warning “red flags.”

"In December 2003, the Internet Fraud Complaint Center (IFCC) was renamed the Internet Crime Complaint Center (IC3) to better reflect the broad character of such criminal matters having a cyber (Internet) nexus. The 2008 Internet Crime Report is the eighth annual compilation of information on complaints received and referred by the IC3 to law enforcement or regulatory agencies for appropriate action. From January 1, 2008 – December 31, 2008, the IC3 website received 275,284 complaint submissions. This is a (33.1%) increase when compared to 2007 when 206,884 complaints were received. These filings were composed of complaints primarily related to fraudulent and non-fraudulent issues on the Internet."

News release: "The Internal Revenue Service issued its 2008 list of the 12 most egregious tax schemes and scams, highlighted by Internet phishing scams and several frivolous tax arguments. Topping this year’s list of scams is phishing, which encompasses numerous Internet-based ploys to steal financial information from taxpayers. New to the “Dirty Dozen” this year is a scheme, which IRS auditors discovered, that relates to unreasonable and/or excessive fuel tax credit claims."

Identity Theft Resource Center, 2009 Breach List, 3/3/2009 - Breaches: 89 Exposed: 1,140,146.

"The Federal Trade Commission released the list of top consumer complaints received by the agency in 2008. The list, contained in the publication Consumer Sentinel Network Data Book for January-December 2008, showed that for the ninth year in a row, identity theft was the number one consumer complaint category. Of 1,223,370 complaints received in 2008, 313,982 – or 26 percent – were related to identity theft."

News release: "The U.S. Small Business Administration issued a scam alert today to small businesses, warning them not to respond to letters falsely claiming to have been sent by the SBA asking for bank account information in order to qualify them for federal tax rebates. The fraudulent letters were sent out with what appears to be an SBA letterhead to small businesses across the country, advising recipients that they may be eligible for a tax rebate under the Economic Stimulus Act, and that SBA is assessing their eligibility for such a rebate. The letter asks the small business to provide the name of its bank and account number."

News release: "...experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime. Shockingly, most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale. The impact of these errors is far reaching. Just two of them led to more than 1.5 million web site security breaches during 2008 - and those breaches cascaded onto the computers of people who visited those web sites, turning their computers into zombies."

The Top 25 Errors are listed below in three categories:

• Category: Insecure Interaction Between Components (9 errors)
  
• Category: Risky Resource Management (9 errors)
  
• Category: Porous Defenses (7 errors)

Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (Draft), Recommendations of the National Institute of Standards and Technology, January 13, 2009.

"The IRS does not initiate communication with taxpayers through e-mail. Before identity theft happens, safeguard your information...IRS Identity Protection Specialized Unit, toll-free at 1-800-908-4490."

News release: "Reports of data breaches increased dramatically in 2008. The Identity Theft Resource Center's 2008 breach report reached 656 reported breaches at the end of 2008, reflecting an increase of 47% over last year’s total of 446. In terms of sub-divisions by type of entity, the rankings have not changed between 2007 and 2008 within the five groups that ITRC monitors. The financial, banking and credit industries have remained the most proactive groups in terms of data protection over all three years. The Government/Military category has dropped nearly 50% since 2006, moving from the highest number of breaches to the third highest."

News release: "The federal bank, credit union, and thrift regulatory agencies today announced publication of a revised identity theft brochure – You Have the Power to Stop Identity Theft – to assist consumers in preventing and resolving identity theft. The updated brochure focuses primarily on Internet "phishing" by describing how phishing works, offering ways to protect against identity theft, and detailing steps to follow for victims of identity theft. The brochure includes contact information for three major credit bureaus, where to report suspicious e-mails, and where to access additional information."

The Role of the United States Postal Service in Public Safety and Security - Implications of Relaxing the Mailbox Monopoly, By Lois M. Davis et al.

"Thirty privacy, consumer, and civil liberties organizations sent a letter to President-elect Barack Obama on the importance of protecting privacy in the next administration. The organizations support the incoming president’s expressed on privacy, consumer rights, and civil liberties. President-elect Obama stated support for strengthening of privacy protection by harnessing the power of technology to hold government and businesses accountable for violations of personal privacy. The coalition said that “[t]here is a clear need to address the spiraling problems of identity theft, security breaches, and the commercialization of personal information.” For more information visit EPIC’s A-Z Privacy Page."

News release: "The Federal Trade Commission issued a report today recommending five measures to help prevent Social Security numbers from being used for identity theft. Principal among the report’s recommendations is that Congress consider taking action to strengthen the procedures that private-sector organizations use to authenticate their customers’ identities...The FTC report states that adopting nationwide standards for how businesses and other organizations verify the identity of new and existing customers would make it harder for identity thieves to use SSNs and other stolen information to consummate their fraud...The FTC report also recommends that steps be taken to reduce the unnecessary display and transmission of SSNs, but noted that such restrictions must be approached carefully. A number of important functions in the U.S. economy depend on use of and access to SSNs, and the report concluded that overly restrictive attempts to limit the availability of SSNs could unintentionally curtail those functions. Finally, the report recommends steps to improve data security, increase outreach to consumers and businesses on the protection of SSNs, and enhance coordination and information-sharing among organizations that routinely use SSNs."

News release: "The total number of breaches in on the Identity Theft Resource Center’s 2008 breach list surpassed the final total of 446 reported in 2007, more than 4 months before the end of 2008. As of 9:30 a.m. August 22nd, the number of confirmed data breaches in 2008 stood at 449. The actual number of breaches is most likely higher, due to under-reporting and the fact that some of the breaches reported, which affect multiple businesses, are listed as single events. In the last few months, two subcontractors became examples of these “multiple” events. In one case, the customers and/or employees of at least 20 entities were affected by a breach that the ITRC reported as a single breach event."

OTS 08-051 - OTS Issues New Examination Procedures on Identity Theft Red Flags and Address Discrepancies: "This Regulatory Bulletin transmits revised Examination Handbook Section 341, Information Technology Risks and Controls, and revised Examination Handbook Section 1300, Fair Credit Reporting Act (FCRA). The revised Handbook Sections contain new guid-ance and examination procedures for the final rules on Identity Theft Red Flags and Address Discrepancies, which implement Sections 114 and 315 of the Fair and Accurate Credit Trans-actions Act (FACT Act) of 2003. This bulletin rescinds RB 37-15 dated April 20, 2006."

Office of Science and Technology Policy (OSTP) in the Executive Office of the President - Identity Management Task Force Report 2008, released September 2008

News release: "Attorney General Michael B. Mukasey and Federal Trade Commission Chairman William E. Kovacic announced today the release of a report from the President’s Identity Theft Task Force on progress the federal government has made in addressing identity theft since the Task Force’s Strategic Plan was released last year. Highlights of the report include expansion of the Task Force’s data security and identity theft business and consumer education campaigns; exploring means of improving consumer authentication processes to prevent the use of stolen information to commit identity theft; launching new initiatives to help identity theft victims recover; and improving law enforcement tools to investigate and prosecute identity thieves."

News release: "In keeping with the Patrick Administration’s commitment to protecting consumers, the Office of Consumer Affairs and Business Regulation (OCABR) last Friday issued a comprehensive set of final regulations establishing standards for how businesses protect and store consumers’ personal information. Additionally, Governor Patrick has signed an executive order requiring all state agencies to immediately take steps to implement security measures consistent with the requirements established by OCABR's regulations for private companies. The order calls for the adoption of uniform standards across government that protect the integrity of personal information and further the objectives of the identity theft prevention law."

News release: "Today, the total number of breaches in on the Identity Theft Resource Center’s (ITRC) 2008 breach list surpassed the final total of 446 reported in 2007, more than 4 months before the end of 2008. As of 9:30 a.m. August 22nd, the number of confirmed data breaches in 2008 stood at 449. The actual number of breaches is most likely higher, due to under-reporting and the fact that some of the breaches reported, which affect multiple businesses, are listed as single events. In the last few months, two subcontractors became examples of these “multiple” events. In one case, the customers and/or employees of at least 20 entities were affected by a breach that the ITRC reported as a single breach event....Breaches: 449 Exposed: 22,091,338."

• ITRC 2008 Breach List
  
• 2008 ITRC Breach report
  
• 2008 ITRC Breach Stats Report broken down by categories which includes the percentages for each category (business, financial/credit, educational, governmental/military and health care).

News release: "Secretary Chertoff spoke on the balance between privacy and secure identity August 13 at the University of Southern California National Center for Risk and Economic Analysis of Terrorism Events. He addressed crimes involving identity theft, and talked about identity validation and authentication, the associated financial costs, the effect on illegal workers, the universe of tools available for identity management, and possible solutions that address the concerns of privacy advocates."

News release: "State attorneys general received thousands of consumer complaints of online fraud and abuse in 2006 and 2007 and yet, with the exception of several notable standouts, brought few significant cases in response, according to a report released today from the Center for American Progress and the Center for Democracy and Technology, Online Consumers at Risk and the Role of State Attorneys General."

Official Google Enterprise Blog: "In July, our Postini datacenters saw the biggest volume of email virus attacks so far in 2008, with a peak of nearly 10 million messages on July 24. One of the more prominent attacks in the month involved a spoofed UPS package-tracking link that was intended to lure recipients into clicking on it and downloading malware. Our zero-hour virus protection technology first started catching these emails on July 20."

News release: "Eleven perpetrators allegedly involved in the hacking of nine major U.S. retailers and the theft and sale of more than 40 million credit and debit card numbers have been charged with numerous crimes, including conspiracy, computer intrusion, fraud and identity theft, Attorney General Michael B. Mukasey, U.S. Attorney for the District of Massachusetts Michael J. Sullivan, U.S. Attorney for the Southern District of California Karen P. Hewitt, U.S. Attorney for the Eastern District of New York Benton J. Campbell and U.S. Secret Service Director Mark Sullivan announced today. The scheme is believed to constitute the largest hacking and identity theft case ever prosecuted by the Department of Justice."

M-08-21, FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (July 14, 2008) (43 pages)

"Agencies should also submit their most current documentation related to OMB Memorandum M-07-16, of May 22, 2007, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, This information should be provided in an appendix to your annual report and include the following items for your agency:

• Breach notification policy
  
• Implementation plan and progress update on eliminating unnecessary use of Social Security Numbers (SSN);
  
• Implementation plan and progress update on review and reduction of holdings of personally identifiable information (PII); and
  
• Policy outlining rules of behavior and identifying consequences and corrective actions available for failure to follow these rules."

News release: "The Federal Trade Commission today released a staff report on a Roundtable Discussion on Phishing Education that it hosted in April. Approximately 60 experts from business, government, the technology sector, the consumer advocacy community, and academia met at the FTC to discuss strategies for outreach to consumers about avoiding phishing. Phishers use deceptive spam that appears to come from legitimate, well-known sources to trick consumers into divulging sensitive or personal information, such as credit account numbers or passwords, often through a link to a copycat of the purported source’s Web site."

Federal Trade Commission: "Financial institutions and creditors are now required to develop and implement written identity theft prevention programs under the new Red Flags Rules.

The Red Flags Rules are part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. Under these Rules, financial institutions and creditors with covered accounts must have identity theft prevention programs in place by November 1, 2008, to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.

The Commission staff is launching an outreach effort to explain the Rules in greater detail. It has now published a general alert on what the Rules require, and, in particular, an explanation of which businesses - financial institutions and creditors - are covered by the Rules."

News release: "The Federal Trade Commission plans to study the experiences of identity theft victims by conducting a survey of consumers who contacted the FTC after they were victimized. The proposed survey will examine the remedies available to victims under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Among other things, the FACT Act gave consumers the right to place fraud alerts on their credit files if they are, or suspect they may become, victims of identity theft; block information on their credit reports that resulted from identity theft; and obtain copies of their credit reports free of charge. The survey will seek information from identity theft victims who contacted the FTC between January 1 and May 30, 2008, and will inquire about their experiences when they contacted one or more credit reporting agencies and when they sought to use their FACT Act rights. The survey results will help guide the FTC’s efforts to enforce the law and educate consumers and the consumer reporting industry about their rights and duties."

News release: "The ITRC Breach Report total has reached an all-time high. Between January 1st and June 27th, the total number of data breaches recorded by the ITRC is 342, more than 69% greater than the same time period in 2007. The actual number of breaches is likely even higher, due to underreporting and the fact that some of the breaches reported as a single event actually affected multiple businesses.

The ITRC Breach Report sub-divides all breaches into five categories. To date, the 2008 ITRC Breach Stats Report indicates the following: 17.0% government/military agencies, 21.3% from educational institutions, 36.8% from general businesses, 14.9% from health care facilities / companies, and 10% from banking / credit / financial services entities.

Click here for the 2008 ITRC Breach report. Click here for the 2008 ITRC Breach Stats Report broken down by categories which includes the percentages for each category (business, financial/credit, educational, governmental/military and health care). Please check regularly as this list is updated weekly.

A Guide to Protecting Your Identity Online, Rosemary Haworth, PC Advisor

Identity Theft: The Aftermath 2007. Conducted by the Identity Theft Resource Center® (ITRC) With comparisons to The Aftermath 2003, 2004, 2005, 2006 Surveys.

News release: "The Federal Trade Commission...told the Senate Committee on Commerce, Science, and Transportation that “legislation authorizing the Commission to seek civil penalties in spyware cases could add a potent remedy to those otherwise available to the Commission.” In testimony to the Committee, Eileen Harrington, Deputy Director of the FTC’s Bureau of Consumer Protection, said that when other enforcement options – seeking consumer redress or making the operators give up their ill-gotten gains – are not appropriate or sufficient remedies to deter spyware distributors, “a civil penalty may be the most appropriate remedy and serve as a strong deterrent.” The testimony states that the agency supports legislation that would provide “the Commission this valuable law enforcement tool.”

OIG: The Social Security Administration's Internal Use of Employees' Social Security Numbers. A-13-07-27164 06/09/08

Do Data Breach Disclosure Laws Reduce Identity Theft? Sasha Romanosky, Rahul Telang, Alessandro Acquisti, Heinz School of Public Policy and Management, Carnegie Mellon University

Yahoo Search Blog: "Today, we're announcing the beta release of SearchScan, a new feature from Yahoo! Search that helps protect users from viruses, spyware and spam. We've heard from users that security and privacy continue to be major concerns when they are online. We've also learned that solutions that require downloads and constant updating are less than ideal. To tackle the problem, we partnered with McAfee to build a feature that provides a safer and hassle-free search experience to all users...How does it work? SearchScan leverages McAfee's SiteAdvisor technology to alert users if risky websites appear in Yahoo! Search results. Starting today, SearchScan will be turned on by default for all users in the U.S., Canada, UK, France, Italy, Germany, Australia, New Zealand, and Spain..."

The Inspectors General, Journal of Public Inquiry Fall/Winter 2007/08 (96 pages, PDF)

News release: "The Securities and Exchange Commission...took action to stop a sophisticated Internet scheme that stole the identities of unsuspecting individuals and netted more than $66,000 in illicit profits in just seven weeks. In a complaint filed in the U.S. District Court for the Eastern District of New York, the SEC alleged that one or more unknown traders conducted their entire online account intrusion scheme over the Internet and concealed their identities by, among other things, fraudulently opening brokerage accounts in the names of individuals who responded to a job advertisement on the Web site Craig’s List."

Inadequate Security Controls Over Routers and Switches Jeopardize Sensitive Taxpayer Information, March 26, 2008. Reference Number: 2008-20-071

News release: "According to the 2007 Internet Crime Report, the Internet Crime Complaint Center (IC3) received 206,884 complaints of crimes perpetrated over the Internet during 2007. Of the complaints received, more than 90,000 were referred to law enforcement around the nation, amounting to nearly $240 million in reported losses. This represents a $40 million increase in reported losses from complaints referred to law enforcement in 2006. All complaints received by IC3 are accessible to federal, state, and local law enforcement to support active investigations, trend analysis, and public outreach and awareness efforts."

News release: "The Federal Trade Commission has released three 60-second videos to help alert consumers to phishing scams. Phishing uses deceptive spam to trick consumers into divulging sensitive or personal information, including credit card numbers and other financial data, through an email or a link to a “copycat” site. The goal of the videos is to offer practical, useful, and memorable messages. The videos are the newest tool on OnGuardOnline.gov, the agency’s multimedia initiative to help consumers be on guard against Internet fraud, secure their computers, and protect their personal information. The award-winning site features tips, articles, how-to videos, interactive quizzes, and tutorials in English and Spanish. The new videos also will be featured on YouTube and on the FTC Web site here."

News release: "In the FTC’s action against data brokers Reed Elsevier (REI) and Seisint, the complaint alleges that REI - through its LexisNexis data broker business - and Seisint collect and store in databases information about millions of consumers, including names, current and prior addresses, dates of birth, drivers license numbers and Social Security numbers. They obtain information about consumers from credit reporting agencies and other sources, and sell products customers use online to find and retrieve the information from their databases. The companies relied on user IDs and passwords (or “user credentials”) to control customer access to consumer information in their databases."

U.S. Department of Energy, Office of Inspector General, Office of Audit Services, Audit Report, Management of the Department's Publicly Accessible Websites, March 2008.

"Our audit identified several opportunities to improve the security and management of the Department's publicly accessible websites. Specifically:

• We identified over 50 significant cyber security incidents in the last three fiscal years, about half involving the defacement of web pages, which, in our judgment, could have been prevented had proper security controls been in place;
  
• Content on publicly accessible web servers was not always controlled and reviewed periodically, contributing to an additional eight incidents which involved the exposure of personally identifiable information to unauthorized or malicious sources; and,
  
• Most of the organizations reviewed also had not incorporated
  contingency/emergency planning features, provided accessibility for individuals with disabilities, and/or disabled unneeded computer services for their publicly accessible websites - factors that decreased the utility and increased the risk of malicious damage to those websites.

Press release: "...AirTight® Networks, the global leader for wireless intrusion prevention systems...issued the findings from its study to assess information security risk exposure of laptop users at fourteen airports in the United States, Canada and Asia. The company set out to understand the risks to business travelers and their corporate networks of data leakage while those airline passengers are sending sensitive information using unsecured wireless access points while at the airports. It found surprising results, however, regarding the security posture of private Wi-Fi networks in these airports as well as the rapid spread of viral Wi-Fi networks.

One of the most surprising findings of this initial study was that some ticketing systems, baggage systems, shops and restaurants were using open or poorly secured wireless networks. Of the Wi-Fi networks detected by AirTight researchers, 77 percent were non-hotspot (i.e. private) networks and of those, 80 percent were unsecured or using legacy WEP encryption, a fatally flawed protocol. Based on detailed analysis of these access points, there is a high probability that some of these networks are used for critical airport logistics and operations. The consequences of this lack of security could result in disruption of baggage or passenger ticketing systems."

HSS Office of Inspector General Privacy Act of 1974; Revisions to OIG’s Privacy Act System of Records: Criminal Investigative Files, Federal Register, March 4, 2008.

Chris Hoofnagle, Measuring Identity Theft at Top Banks (Version 1.0) February 26, 2008. Berkeley Center for Law and Technology. Law and Technology Scholarship (Selected by the Berkeley Center for Law & Technology). Paper 44.

Data Breach Notification Laws, State By State, by Scott Berinato, "More than five years after California's seminal data breach disclosure law, SB 1386, was enacted, not all states have followed suit. Eleven states still have not passed laws mandating that companies notify consumers when that company has lost the consumer's personal data. One state, Oklahoma, does have a breach notification law, but it only applies to state entities that have lost data. That leaves 38 states that have enacted some sort of breach disclosure law. This map will help you sort them out."

"The Safer Internet plus programme aims to promote safer use of the Internet and new online technologies, particularly for children, and to fight against illegal content and content unwanted by the end-user, as part of a coherent approach by the European Union."

News release: "A bi-partisan group of Senators from the Commerce, Science and Transportation Committee led by U.S. Senators Olympia J. Snowe (R-Maine), Bill Nelson (D-Florida) and the Committee’s Ranking Member Ted Stevens (R-Alaska), introduced today bi-partisan legislation aimed at ending the deceptive practice known as phishing. The Anti-Phishing Consumer Protection Act of 2008 would prohibit phishing – the deceptive solicitation of a consumer’s personal information through the use of emails, instant messages, and misleading websites that trick recipients into divulging their information for the purpose of identity theft. The legislation would also prohibit related abuses, such as the practice of using fraudulent or misleading domain names, by defining them as deceptive practices under the FTC Act."

Lest We Remember: Cold Boot Attacks on Encryption Keys, J. Alex Haldermany, Seth D. Schoenz, Nadia Heningery, William Clarksony, William Paulx, Joseph A. Calandrinoy, Ariel J. Feldmany, Jacob Appelbaum, and Edward W. Felteny. Princeton University, Electronic Frontier Foundation, Wind River Systems. February 21, 2008.

• Introductory blog post


• Frequently asked questions


• Experiment guide


• Videos and images


• Abstract: "Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at room temperature and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount successful attacks on popular disk encryption systems using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them."

"The FTC today released the list of top consumer fraud complaints received by the agency in 2007. The list, contained in the publication Consumer Fraud and Identity Theft Complaint Data January-December 2007, showed that for the seventh year in a row, identity theft is the number one consumer complaint category. Of 813,899 total complaints received in 2007, 258,427, or 32 percent, were related to identity theft.

The report breaks out complaint data on a state-by-state basis and also contains data about the 50 metropolitan areas reporting the highest per capita incidence of fraud and the 50 metropolitan areas reporting the highest incidence of identity theft.

The report states that credit card fraud was the most common form of reported identity theft at 23 percent, followed by utilities fraud at 18 percent, employment fraud at 14 percent, and bank fraud at 13 percent.

Consumers reported fraud losses totaling more than $1.2 billion; the median monetary loss per person was $349, the report states.

Educational Security Incidents (ESI) Year in Review - 2007: "By Adam Dodge - Posted on February 10, 2008: "The ESI Year in Review - 2007 examines all of the information security incidents occurring at colleges and universities around the world as reported in the news during 2007. 2007 marked a significant change for information security incidents reported in the news. Among the changes are an increase in both the number of incidents reported and the number of institutions reporting a breach as well as the addition to new categories such as incident type "Employee Fraud" and information type "Username and Password".

Press release: "In connection with the 5th Safer Internet Day1 on 12 February 2008, Eurostat, the Statistical Office of the European Communities, presents a selection of statistics concerning internet activities, security concerns and virus attacks. The Safer Internet Day is part of a global drive to promote a safer Internet for all users, in particular younger people, and is organised by Insafe, a European internet safety network co-funded by the European Commission...In the EU27 in 2007, nearly a quarter of internet users had had a computer virus in the preceding 12 months, which resulted in a loss of information or time. Virus attacks were most frequent in Lithuania (41% of users), Slovenia (35%) and Malta (34%) and least common in the Czech Republic (7%), Estonia (15%) and Sweden (16%)."

Press release: "The California State Senate passed a bill Friday that would allow prosecution for identity theft cases in the county where the victim resides. State Sen. Joe Simitian, D-Palo Alto, co-authored Senate Bill 612 and praised fellow senators Friday for voting 40-0 in favor of the legislation. Current law permits prosecution in the county where the theft occurred, or where the information was illegally used, even when both locations are hundreds of miles from the victim’s home, according to Simitian’s office." Simitian also sponsored Senate Bill 364, that passed by a vote of 30-7.

Use of Commercial Independent Risk Analysis Services Blanket Purchase Agreements (BPA) (February 4, 2008) (4 pages, PDF)

A Chronology of Data Breaches, updated January 30, 2008

Department of Commerce Breach Notification Response Plan, September 28, 2007 (21 pages, PDF)

Federal Times: "The administration last week told agencies not to use federal employees’ Social Security numbers as primary identifiers for data processing purposes. The Office of Personnel Management said in a Jan. 18 notice that agencies must not print the numbers on paper or display on computer screens except in secure areas. And only employees whose official duties require access to the numbers can have access to them. Lastly, agencies can only collect employees’ Social Security numbers when an employee joins the agency for human resources and payroll purposes. OPM hopes the new rules will decrease the risk of identity theft."

Washington Post, Online Records May Aid ID Theft, Government Sites Post Personal Data, By Bill Brubaker: "Social Security numbers are readily available in many courthouses -- in land records and criminal and civil case files -- as well as on many government Web sites that serve up public documents with a few clicks of a mouse. From state to state, and even within states, there is little uniformity in how access to the private information in these records is controlled."

"Today, the Department of State released a final rule for the new "Passport Card," which is intended to be used by American citizens who frequently travel by land or sea to Canada, Mexico, the Caribbean, and Bermuda. The new rule calls for the use of "vicinity read" RFID technology without the use of encryption. This means the card will be able to be read remotely, at a long distance. CDT strongly objected to the use of this technology--developed for tracking inventory, not people--because it is inherently insecure and poses threats to personal privacy, including identity theft, location tracking by government and commercial entities outside the border control context, and other forms of mission creep."

Press release: "In a new report, the Federal Trade Commission staff describes findings from its July 2007 workshop, “Spam Summit: The Next Generation of Threats and Solutions” and proposes follow-up action steps that stakeholders can adopt to mitigate the harmful effects of malicious spam and phishing. In addition to proposing action steps for stakeholders, the report provides an overview of the agency’s decade-long role in protecting consumers from the threats of fraudulent spam and phishing. The report also announces results from staff’s 2007 Harvesting and Filtering Study, which suggest that Internet service providers’ spam filters continue to serve an integral role in reducing the amount of spam that reaches consumers’ in-boxes."

Ponemon 2007 Annual Study: U.S. Cost of a Data Breach - Understanding Financial Impact, Customer Turnover, and Preventitive Solutions: This study "was derived from a detailed analysis of 35 data breach incidents. According to the study, the cost per compromised customer record increased in 2007, compared to 2006. Lost business opportunity, including losses associated with customer churn and acquisition, represented the most significant component of the cost increase. Companies analyzed were from 16 different industries, including communications, consumer goods, education, entertainment, financial services, gaming, health care, hospitality, internet, manufacturing, marketing, media, retail, services, technology, and transportation."

Press release: "The Federal Trade Commission today told the House Judiciary Committee’s Subcommittee on Crime, Terrorism, and Homeland Security that identity theft remains one of the highest priorities for the Commission, and that the agency is playing a lead role in preventing identity theft and helping those who are victimized."

Press release: "As merchants get busier with holiday shopping, the Federal Trade Commission reminds them to be sure the credit and debit card receipts they give customers comply with federal law. To reduce the risk of fraud and identity theft, the electronically printed credit and debit card receipts given to consumers must not include more than the last five digits of the card number, and must not show the expiration date."

Consumer Information:

• Slip Showing? Federal Law Requires All Businesses to Truncate Credit Card Information on Receipts


• Protecting Personal Information: A Guide for Business


• Fighting Back Against Identity Theft
Permanent Link

Press release: "The widespread use and availability of Social Security numbers puts Americans at risk for identity theft and should be restricted, according to Consumers Union, nonprofit publisher of Consumer Reports. The group urged policymakers to take action to protect consumers as part of a public forum on the issue organized by the Federal Trade Commission in conjunction with the President’s Identity Theft Task Force. Social Security numbers are particularly sensitive information because they can provide the key to unlocking a consumer’s financial identity... Jeannine Kenney, Senior Policy Analyst with Consumers Union...presented findings of a Consumer Reports National Research Center poll at the FTC forum showing that 89 percent of Americans want state and federal lawmakers to restrict the use and availability of Social Security numbers by businesses and government agencies. The poll also found that nearly all consumers want the right to freeze access to their credit files to prevent new account fraud. Currently 39 states and the District of Columbia give consumers the right to a security freeze and the three major credit bureaus have made the freeze available to consumers in the remaining states."

McAfee Virtual Criminology Report - Cybercrime: The Next Wave - The annual McAfee global cyber trends study into organized crime and the Internet in collaboration with leading international security experts, November 2007.

Press release: "The Federal Trade Commission today released a survey showing that 8.3 million American adults, or 3.7 percent of all American adults, were victims of identity theft in 2005. Of the victims, 3.2 million, or 1.4 percent of all adults, experienced misuse of their existing credit card accounts; 3.3 million, or 1.5 percent, experienced misuse of non-credit card accounts; and 1.8 million victims, or 0.8 percent, found that new accounts were opened or other frauds were committed using their personal identifying information."

"...the Identity Theft Resource Center (ITRC) has been tracking security breaches for the past three years, looking for patterns, new trends and any information that may help us better protect data and assist companies in their activities...In 2006, there were in excess of 315 publicized breaches affecting nearly 20 million individuals. Based on ITRC’s categorization, the breaches break down as follows: 29% government/military agencies; 28% from educational institutions; 22% from general businesses; 13% from health care facilities / companies; and 8% from banking / credit / financial services entities. In 2005, there were 158 incidents affecting more than 64.8 million people."

20 November 2007, Statement to the House of Commons by Chancellor of the Exchequer, Alistair Darling, MP, on HMRC

Identity Theft, 2005 released on November 7, 2007: "Presents data from the National Crime Victimization Survey (NCVS) on identity theft victimization and its consequences. This report presents the first full year of data available after new questions about identity theft were added to the survey in July 2004. Identity theft is defined in the report as credit card thefts, thefts from existing accounts, misuse of personal information, and multiple types at the same time. Based on interviews with a nationally representative sample of 40,000 household residents, the report describes age, race, and ethnicity of the household head; household income and composition; and location of the household. Characteristics of the theft presented include economic loss, how the theft was discovered, whether misuse is ongoing, and problems experienced as a result of the identity theft."

Press release: "Starting November 1, consumers in all 50 states will be able to freeze access to their credit files at all three major credit bureaus to prevent identity thieves from opening fraudulent accounts in their names. By that date, all three major credit bureaus will offer “security freeze” protection to all consumers living in the eleven states that have not passed laws requiring it and the five states that currently limit this protection to identity theft victims. To help consumers learn how to take advantage of this powerful identity theft safeguard, Consumers Union, the nonprofit publisher of Consumer Reports, is making available online an updated Guide to Security Freeze Protection."

Text of the Federal Register Notice [256 pages, PDF] - Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003: 16 C.F.R. Part 681 (Federal Trade Commission Rule): Joint Final Rules and Guidelines of the Office of the Comptroller of the Currency, Treasury; the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; the Offfice of Thrift Supervision, Treasury; the National Credit Union Administration; and the Federal Trade Commission.

CDT: "As it seeks models to address the mounting issues surrounding online behavioral targeting, the Federal Trade Commission (FTC) should begin by applying the principles it developed to guide its anti-spyware enforcement efforts, CDT said today. In comments submitted to the FTC in advance of its upcoming "town hall" meeting on behavioral advertising, CDT pointed out that the FTC's principles -- which center around the core concept that consumers should have ultimate control over their computers -- are directly applicable to behavioral advertising. In addition to filing its own comments, CDT also joined with other public interest advocates in offering a list of important questions the FTC must address over the course of the two-day meeting."

Press release, October 16, 2007: "Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) and Ranking Member Arlen Specter (R-Pa.) today introduced the bipartisan Identity Theft Enforcement and Restitution Act of 2007 to give federal prosecutors important new tools to combat the growing problem of identity theft and cyber crime.

The Identity Theft Enforcement and Restitution Act of 2007 would:

Press release: "The FTC today told the Maryland Task Force on Identity Theft that public organizations, including federal, state, and local governments, “play a critical role in guarding against misuse and unauthorized disclosure of the personal information they collect and maintain.” Speaking before the Maryland Task Force to Study Identity Theft, Betsy Broder, Assistant Director of the FTC’s Division of Privacy and Identity Protection said, “To succeed in the battle against identity theft, federal, state and local governments, working together with the private sector, must make it more difficult for thieves to obtain the information they need to steal identities, make it more difficult to use that information if they do obtain it, and assist victims when thefts occur.”

Erickson, K., & Howard, P. (2007). A case of mistaken identity? News accounts of hacker, consumer, and organizational responsibility for compromised digital records. Journal of Computer-Mediated Communication, 12(4), article 5.

UK House of Lords, Science and Technology Committee, 5th Report of Session 2006-2007: Personal Internet Security, August 10, 2007 (121 pages, PDF)

"The risk associated with using the Internet remains high. Our State of the Net assesses the likelihood and impact of four leading online hazards, listed in order of incidence, based on the survey by the Consumer Reports National Research Center and our follow-up investigation."

Press release, July 19, 2007: "The Department of Justice today submitted to Congress new proposed legislation that seeks to update and improve current laws aimed at protecting Americans from the increasingly sophisticated crime of identity theft. The proposed bill, titled the Identity Theft Enforcement and Restitution Act of 2007, was a significant recommendation included in the final strategic plan from the President’s Task Force on Identity Theft released in April 2007. The strategic plan was the result of an unprecedented federal effort to formulate a comprehensive and fully coordinated plan to attack identity theft at all levels in the public and private sectors. Among other provisions, the proposed legislation seeks to ensure that victims of identity theft can recover the value of the time lost attempting to repair damage inflicted by identity theft. Under current law, restitution to victims from convicted thieves is available only for the direct financial costs of identity theft offenses."

Top 10 Risks Impeding the Adequate Protection of Government Information, Sponsored by the Office of Management and Budget and the Homeland Security Department as Directed by the Identity Theft Task Force, July 2007.

sfgate.com - ON THE RECORD: DEBORAH MAJORAS CHAIRWOMAN, FTC: "She shares her thoughts on what her agency can -- and cannot -- do on everything from mergers to fraud to privacy to gas prices to infomercials," Sunday, July 15, 2007

Press release: "Google Inc. announced today that it has signed a definitive agreement to acquire Postini, a global leader in on-demand communications security and compliance solutions serving more than 35,000 businesses and 10 million users worldwide. Postini's services -- which include message security, archiving, encryption, and policy enforcement -- can be used to protect a company's email, instant messaging, and other web-based communications. Under the terms of the agreement, Google will acquire Postini for $625 million in cash, subject to working capital and other adjustments, and Postini will become a wholly-owned subsidiary of Google. The agreement is subject to customary closing conditions and is expected to close by the end of the third quarter 2007."

Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown. GAO-07-737, June 4, 2007.

Toward a Safer and More Secure Cyberspace, Seymour E. Goodman and Herbert S. Lin, Editors, Committee on Improving Cybersecurity Research in the United States, National Research Council, 272 pages, pre-publication copy, 2007.

Press release: "Fidelity National Information Services, Inc. announced today that its subsidiary, Certegy Check Services, Inc., a service provider to U.S. retail merchants, based in St. Petersburg, Fla., was victimized by a former employee who misappropriated and sold consumer information to a data broker who, in turn, sold a subset of that data to a limited number of direct marketing organizations...The misappropriated information included names, addresses and telephone numbers as well as, in many cases, dates of birth and bank account or credit card information. Approximately 2.3 million records are believed to be at issue, with approximately 2.2 million containing bank account information and 99,000 containing credit card information. The company is still investigating the time period over which the misappropriations occurred."

Administrative Investigation Loss of VA Information VA Medical Center Birmingham, AL [Rpt. #07-01083-157 6/29/2007]

NEWS.COM Special Report: Wardens of the WebTalkBack: Global security challenge falls to an elite corps, June 25, 2007

Treasury Inspector General for Tax Administration. Progress Has Been Slow in Meeting Homeland Security Presidential Directive–12 Requirements, June 20, 2007. Reference Number: 2007-20-110

Review of the Department of Justice’s Reporting Procedures for Loss of Sensitive Electronic Information, Evaluations and Inspections Report I-2007-005, June 2007.

Privacy Policy Guidance Memorandum 2007-02 Regarding Use of Social Security Numbers at the Department of Homeland Security, June 4, 2007 (PDF, 4 pages)

"This National Institute of Justice Special Report is intended as a resource for individuals responsible for investigations involving the use of the Internet and other computer networks. Any crime could involve devices that communicate through the Internet or through a network. Criminals may use the Internet for numerous reasons, including trading/sharing information (e.g., documents, photographs), concealing their identity, and gathering information on victims. The report is among a series of guides on investigating electronic crime."

Press release: "[June 13, 2007] the Department of Justice and FBI announced the results of an ongoing cyber crime initiative to disrupt and dismantle “botherders” and elevate the public’s cyber security awareness of botnets. OPERATION BOT ROAST is a national initiative and ongoing investigations have identified over 1 million victim computer IP addresses. The FBI is working with our industry partners, including the CERT Coordination Center at Carnegie Mellon University, to notify the victim owners of the computers. Through this process the FBI may uncover additional incidents in which botnets have been used to facilitate other criminal activity."

Press release: "Tens of thousands of consumers are unwitting accomplices of illegal spammers and at the mercy of identity thieves, warns the Federal Trade Commission. These consumers’ computers have been secretly hijacked by criminals who install spam-sending software and spyware on the computers when consumers open malicious e-mail attachments or visit a malicious Web site. After gaining access to consumers’ computers, the criminals can track consumers’ Internet surfing, steal personal information, and turn the computers into spam “zombies” that are part of a “botnet” made up of thousands of home computers through which spammers route spam. In a new consumer alert, Botnets and Hackers and Spam (Oh, My!), the FTC urges consumers to secure their personal information and stop assisting spammers."

"The anti-phishing research group at Indiana University, stop-phishing.com, is striving to understand, detect and prevent online fraud, and in particular, to reduce the economic viability of phishing attacks. We achieve this goal through a cross-disciplinary research agenda in which we consider all facets of the problem, ranging from psychological aspects and technology matters to legal issues and interface design considerations. We are attuned to needs and concerns within the financial sector, among privacy advocates, and of common users, and are dedicated to turning the tide."

Press release: "This Web site has been established to provide information about an Information Technology Security Incident in which a security breach in a computer application resulted in exposure of sensitive information belonging to current and former University of Virginia faculty members. A criminal investigation is being conducted by University of Virginia Police in consultation with the FBI and the University’s computing and audit professionals. The investigation has revealed that hackers tapped into the records of 5,735 faculty members."

Cooperation against Cybercrime: 11-12 June 2007, Palais de l’Europe, Strasbourg, France: "Societies worldwide rely on information and communication technologies. However, the increasing dependency on such technologies is accompanied by a growing vulnerability to criminal intrusion and misuse. In response to these challenges the Council of Europe adopted the Convention on Cybercrime (ETS 185) in 2001 and the Protocol on the Criminalisation of Acts of a Racist and Xenophobic Nature Committed through Computer Systems (ETS 189) in 2003."

The State of Search Engine Safety, June 4, 2007 - Ben Edelman, Advisor to McAfee SiteAdvisor and Hannah Rosenbaum - Research Analyst, McAfee SiteAdvisor

Press release, May 31, 2007: Attorney General Richard Blumenthal, with attorneys general from 43 other states, announced a settlement today with ChoicePoint for allegedly failing to adequately protect consumers' personally identifiable information, resulting in a massive security breach. The Atlanta-based ChoicePoint, which collects and maintains personally identifiable information on consumers, provides identification and credential verification services to businesses, government and non-profit organizations. In February 2005, ChoicePoint announced that criminals posing as legitimate businesses accessed consumers' personally identifiable information. The company notified more than 145,000 consumers nationwide whose information may have been compromised - including nearly 6,000 from Connecticut. Under today's settlement, ChoicePoint has agreed to adopt significantly stronger security measures. Those measures include written certification and, in some cases, on-site visits by ChoicePoint to ensure the legitimacy of companies before they are allowed access to personally identifiable information. ChoicePoint will also conduct periodic audits to ensure that companies are using consumer data for legitimate purposes."

Prepared Statement of the Federal Trade Commission On Public Entities, Personal Information, and Identity Theft, Presented by Betsy Broder, Assistant Director, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Before the Ohio Privacy and Public Records Access Study Committee of the Ohio Senate and House of Representatives, May 31, 2007.

Press release: "...a recent TriCipher Consumer Online Banking Study, conducted by Javelin Strategy and Research, reveals that consumers would take advantage of more online banking services if banks provided stronger identity protection. The TriCipher Consumer Online Banking Study included 3,349 respondents from a random-sample panel that was representative of the U.S. population. Surprising findings uncovered that nearly 1 in 5 - estimated at 26 million - adult consumers have been victims of identity theft or fraud in their lives. And, according to survey results, over 88 million online banking customers would switch banks, or reduce online banking usage, if news reports exposed their individual institution as compromised."

Clay Johnson III, Deputy Director for Management, Office of Management and Budget: M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007 (22 pages, PDF)

FinancialPrivacyNow.org: "Identity theft is one of the fastest growing financial crimes. Nearly 10 million Americans fall victim each year. The Identity Theft Resource Center reported in 2005, on average, an ID theft victim of new account and other fraud spent 60 hours resolving problems brought on by ID theft, those victims of existing accounts spent an average of 15 hours resolving problems. A 2003 Federal Trade Commission study found that identity theft also costs U.S. businesses nearly $48 billion annually, and consumers an additional $5 billion per year. A security freeze lets consumers stop thieves from getting credit in their names. A security freeze locks, or freezes, access to the consumer credit report and credit score. Without this information, a business will not issue new credit to a thief. When the consumer wants to get new credit, he or she uses a PIN to unlock access to the credit file. These states [included at this link] give consumers this important weapon to prevent identity theft. (updated 5/8/07)"

Follow up to May 5, 2007 posting, Missing TSA Hard Drive Has Data on 100,000 Employees, this additional update from the TSA: "Today the Transportation Security Administration (TSA) announced a benefit package to provide employees and former employees affected by the data security incident with free credit monitoring for up-to one year. In addition to credit monitoring, the package includes ID theft insurance up to $25,000, fraud alerts and identity restoration specialists who will complete paperwork and assist employees in the event they are a victim of identity theft. Current and former employees can register via phone, mail or online through a secure web site. More information is available at www.tsa.gov, including a list of frequently asked questions."

Press release: "Today, the House Judiciary Committee approved four crime bills and sent them to the House floor for consideration. The bills were: HR 1700, the "COPS Improvement Act of 2007;" HR 916, the "John R. Justice Prosecutors and Defenders Incentive Act of 2007;" HR 1525, the "Internet Spyware Prevention Act of 2007;" and, HR 1615, the "Securing Aircraft Cockpits Against Lasers Act."

Press release: "Attorney General Alberto R. Gonzales and Federal Trade Commission Chairman Deborah Platt Majoras today announced the completion of the President’s Identity Theft Task Force strategic plan to combat identity theft. The strategic plan is the result of an unprecedented federal effort to formulate a comprehensive and fully coordinated plan to attack this widespread and destructive crime. The plan focuses on ways to improve the effectiveness of criminal prosecutions of identity theft; enhance data protection for sensitive consumer information maintained by the public sector, private sector, and consumers; provide more comprehensive and effective guidance for consumers and the business community; and improve recovery and assistance for consumers."

Related Documents:
Combating Identity Theft: A Strategic Plan, Final recommendations released April 23, 2007

Press release: "UK consumers are not as risk-averse when it comes to using online services as previously thought, according to recent research conducted by BT. Despite daily warnings about security threats and cyber-criminals, people are willing to take risks online, as long as they feel informed, and it is clear how consequences will be addressed. According to the findings from the Trustguide report, which was a collaborative research project by BT with support from the DTI, people use specific online services not because they trust them, but because they believe the benefits outweigh the risks. Government and private industry must therefore take responsibility for educating and reassuring the public that safeguards are in place, if they are to succeed with e-Government and e-Commerce initiatives..Based on the research, the Trustguide report outlines a set of guidelines to inform policy making and service development for ICT delivered services. In addition to enabling better-informed decision-making through education, and advising users of restitution and guarantee measures should something go wrong, the report highlights the need for greater honesty and transparency of data usage by service providers.

Anti-Phishing Working Group (APWG), Phishing Activity Trends for February 2007 (8 pages, PDF)

Tech//404® Data Loss Cost Calculator: "Data loss resulting from network security breaches and identity theft has become a regular occurrence. While the number of affected records can vary widely in any given data loss scenario, a recent study by the Ponemon Institute found that the average number was roughly 99,000. For recent examples and media reports, visit the data loss archive. Darwin created the Tech//404® data loss cost calculator as a tool to demonstrate the scope of negative financial impact an organization may face as a result of a data breach or identity theft data loss scenario. The calculator will automatically generate an average cost, and a plus/minus 20% range, for expenses associated with internal investigation, notification/crisis management and regulatory/compliance if the incident were to give rise to a class action claim."

According to a press release from the Georgia Department of Community Health, contractor Affiliated Computer Services confirmed on April 9, 2007 the loss of a CD containing the personal data of state Medicaid and PeachCare for Kids(TM) members. The data included full names, complete addresses, social security numbers, member ID numbers, and eligibility dates for 2.9 million individuals (as reported by AP).

Treasury Inspector General for Tax Administration - Internal Revenue Service Is Not Adequately Protecting Taxpayer Data on Laptop Computers and Other Portable Electronic Media Devices. March 23, 2007. Reference Number 2007-20-048.

Press release: "The Federal Communications Commission has strengthened its privacy rules by requiring telephone and wireless carriers to adopt additional safeguards to protect the personal telephone records of consumers from unauthorized disclosure. These new safeguards will help prevent unauthorized access to customer proprietary network information, or CPNI."

"CIPPIC has issued the first batch of a series of working papers on identity theft. The papers released today include Introduction and Background, Techniques of Identity Theft, and Legislative Approaches to Identity Theft (all PDF). Additional papers examining identity theft caselaw, law enforcement, and policy approaches, as well as a Bibliography on identity theft, will be forthcoming. These working papers reflect research conducted during 2006 with funding from the Ontario Research Network for Electronic Commerce (ORNEC)."

Press release: "Former 9/11 Commission counsel Janice Kephart announces the launch of an online Identity Document Security Library, consisting of legal, technical and policy pieces regarding identity document security. Kephart, a nationally recognized border security expert, created the library to serve as a 'one-stop-shop' information portal for those seeking objective, credible information on the issue of identity document security...The issue of identity, and information about identity, underlies the 9/11 Commission's border work, whose recommendations included the creation of minimum standards for state-issued driver licenses and IDs. Kephart's recently issued white paper, Identity and Security: Moving Beyond the 9/11 Staff Report on Identity Document Security, maintains that securing identities and identity documents is perhaps the single most effective measure the United States can take to lay a foundation for national and economic security and public safety."

Press release: "The Commission has approved the publication of a Federal Register notice regarding a proposed amendment to the FTC’s existing routine uses of agency systems of records subject to the Privacy Act of 1974. As detailed in the notice, which will be published soon and can be found now on the FTC’s Web site and as a link to this press release, the amendment is necessary to implement data breach guidance issued by the U.S. Office of Management and Budget (OMB) and the President’s Identity Theft Task Force. The guidance is intended to ensure that federal agencies have legal and administrative procedures in place to respond and remedy or prevent harm to individual privacy in the case of an agency breach of personal data.">Press release: "The Commission has approved the publication of a Federal Register notice regarding a proposed amendment to the FTC’s existing routine uses of agency systems of records subject to the Privacy Act of 1974. As detailed in the notice, which will be published soon and can be found now on the FTC’s Web site and as a link to this press release, the amendment is necessary to implement data breach guidance issued by the U.S. Office of Management and Budget (OMB) and the President’s Identity Theft Task Force. The guidance is intended to ensure that federal agencies have legal and administrative procedures in place to respond and remedy or prevent harm to individual privacy in the case of an agency breach of personal data. The Commission vote authorizing the publication of the notice in the Federal Register was 5-0. (File No. P072104; the staff contact is Alex Tang, Office of the General Counsel, 202-326-2447.)"

"The Symantec Internet Security Threat Report offers analysis and discussion of threat activity over a six-month period. It covers Internet attacks, vulnerabilities, malicious code, phishing, spam and security risks as well as future trends. The eleventh version of the report, released March 19, 2007, is now available."

Press release: "The Federal Trade Commission today told the Senate Judiciary Committee Subcommittee on Terrorism, Technology, and Homeland Security that “the government and the private sector must continue to work together to reduce the opportunities for thieves to obtain consumers’ personal information and make it more difficult for thieves to misuse that information if they obtain it.” Lydia Parnes, Director of the FTC’s Bureau of Consumer Protection, said government and the business community should evaluate whether they need to collect and maintain the data they have about consumers, better-protect the data that they do possess, and develop better ways to authenticate customers to keep identity thieves from using the information they steal."

Press release: "If Assistant Professor of Communication at the University of Washington Phil Howard's calculations prove true, by year's end the 2 billionth personal record -- some American's social-security or credit-card number, academic grades or medical history -- will become compromised, and it's corporate America, not rogue hackers, who are primarily to blame. By his reckoning, electronic records in the United States are bleeding at the rate of 6 million a month in 2007, up some 200,000 a month from last year."

Press release: "The arm of the FBI that investigates financial crimes ranging from underground pyramid schemes to institutionalized fraud in the nation’s corporate suites has issued its annual report detailing the most prevalent types of schemes investigators tackled in 2006. The Financial Crimes Report to the Public is prepared each year by the Financial Crimes Section of the FBI's Criminal Investigative Division. The report, which covers a 12-month period ending September 30, 2006, explains in detail dozens of fraud schemes, tallies FBI accomplishments combating the crimes, and offers tips the public can use to protect itself."

E-Commerce Times:

"On April 23 and 24, 2007, the Federal Trade Commission will host a public workshop, Proof Positive: New Directions in ID Authentication, to explore methods to reduce identity theft through enhanced authentication. The workshop will facilitate a discussion among public-sector, private-sector, and consumer representatives, and will focus on technological and policy requirements for developing better authentication processes, including the incorporation of privacy standards and consideration of consumer usability issues."

Findings from a new study by ID Analytics, reported by ComputerWeek, indicate that "....the riskiest states for ID theft are New York, California, Nevada and Arizona, while the safest ones are Wyoming, Vermont, Montana and North Dakota. The riskiest 5-digit zip codes for ID theft -- after Floral Park and Faulkton -- are Old Bethpage, N.Y., New York City and Manhasset, N.Y."

Declan McCullagh reported last week on the reintroduction of numerous antispyware and ID theft bills, many of which reflect the same language as previous versions of related legislation. The article has links to major bills as well as respective legislative background.

Press release: "The Federal Trade Commission today issued its annual report, “Consumer Fraud and Identity Theft Complaint Data” on complaints consumers have filed with the agency. For the seventh year in a row, identity theft tops the list, accounting for 36 percent of the 674,354 complaints received between January 1 and December 31, 2006. Other categories near the top of the complaint list include shop-at-home/catalog sales; prizes, sweepstakes and lotteries; Internet services and computer complaints; and Internet auction fraud."

Inspection Letter Report, Alleged Loss or Theft of Personally Identifiable Information at Pantex, February 2, 2007.

The Emperor's New Security Indicators, An evaluation of website authentication and the effect of role playing on usability studies, working draft released February 4, 2007. Authors: Stuart E. Schechter (MIT), Rachna Dhamija (Harvard), Andy Ozmet (MIT), Ian Fischer (Harvard).

"This National Institute of Justice Special Report is intended as a resource for individuals responsible for investigations involving the use of the Internet and other computer networks. Any crime could involve devices that communicate through the Internet or through a network. Criminals may use the Internet for numerous reasons, including trading/sharing information (e.g., documents, photographs), concealing their identity, and gathering information on victims."

Press release: "The FBI in Los Angeles announced it opened an investigation to determine who hacked into a restricted database at the University of California at Los Angeles (UCLA) that held the names and personal information of some 800,000 students, faculty, and alumni. Anyone who thought they had been further victimized as a result of the breach was encouraged to contact the Internet Crime Complaint Center (IC3)."

Press release: "U.S. Senator Dianne Feinstein (D-Calif.) today reintroduced two bills [Notification of Risk to Personal Data Act and the Social Security Number Misuse Prevention Act] aimed at protecting individuals from identity theft by requiring businesses to notify consumers in the event of a security breach and prohibiting the sale or display of an individual’s Social Security number without his or her consent. Senator Feinstein said that the increased frequency of data breaches demonstrates that the legislation is needed sooner rather than later. Major data breaches have occurred in recent months at Boeing, UCLA, the Colorado Department of Human Services, Starbucks, the Chicago Voters' Database, and Akron Children's Hospital."

Press release, January 4, 2007: "Cisco today announced a definitive agreement to acquire the privately held company, IronPort Systems, Inc. of San Bruno, Calif. IronPort is a leading provider of messaging security appliances, focusing on enterprise spam and spyware protection."
Related news:

Press release: "The Federal Identity Theft Task Force, chaired by Attorney General Alberto R. Gonzales and co-chaired by Federal Trade Commission Chairman Deborah Platt Majoras, is seeking public comment on ways to improve the effectiveness and efficiency of federal government efforts to reduce identity theft. The public comments on these issues will supplement the research and analysis being conducted, provide further information about the proposals being considered, and identify areas where additional recommendations may be warranted. The Task Force was established by an Executive Order 13402 on May 10, 2006."

2006: The Year in Security -Online attacks, spam, and sneaky cybercrime top list of year's most common security issues.

Press release: "Attorney General Kelly Ayotte announced today that if you live in New Hampshire, effective January 1, 2007 you will have the right to put a "security freeze" on your credit file. A security freeze means that your file cannot be shared with potential creditors. A security freeze can help prevent identity theft. Most businesses will not open credit accounts without first checking a consumer's credit history. If your credit files are frozen, even someone who has your name and Social Security number would probably not be able to get credit in your name. The security freeze legislation passed in the 2006 legislative session....A security freeze fact sheet, including step by step instructions on how to place a security freeze, is available here."

Press release: Among the predicitions, is the following - "Blogging and community contributors will peak in the first half of 2007. Given the trend in the average life span of a blogger and the current growth rate of blogs, there are already more than 200 million ex-bloggers. Consequently, the peak number of bloggers will be around 100 million at some point in the first half of 2007."

Telephone Records and Privacy Protection Act bill [H.R. 4709] passed in the Senate by Unanimous Consent on December 8, 2006 - To amend title 18, United States Code, to strengthen protections for law enforcement officers and the public by providing criminal penalties for the fraudulent acquisition or unauthorized disclosure of phone records.

Press release: "Today, the Federal Trade Commission mailed claims forms for reimbursement to more than 1,400 identity theft victims who experienced out-of-pocket expenses due to alleged security lapses at data broker ChoicePoint Inc. These victims, who were identified with the assistance of law enforcement, should receive the claims form with instructions on how to file a claim. The FTC also has created a website – where consumers who do not receive a letter can download a claims form and obtain information about the claims process...The FTC and ChoicePoint reached a settlement requiring the company, among other things, to pay $5 million to be used to reimburse consumers for expenses due to identity theft caused by ChoicePoint's security breach. A press release explaining the settlement can be found here."

Press release: "The Commission today called on all regulatory authorities and stakeholders in Europe to step up the fight against spam, spyware and malicious software. Despite existing EU legislation to outlaw spam in Europe, Europe continues to suffer from illegal online activities from inside the EU and from third countries, the Commission underlines in a new Communication. The Communication stresses that although internet safety is on the political agenda for some time, national authorities should step up their actions to prosecute illegal online activities."

Status Report on OIG Data Security via the Data Security Portal: "Our November 21, 2006, status report notes several important developments, including the fact that as a result of our investigation in cooperation with the Federal Bureau of Investigation and the Miami-Dade County Police Department, two individuals have been arrested for their alleged roles in a small Miami-area laptop theft ring. While the OIG's laptops have not been recovered, there has been no credit fraud resulting from the laptop thefts and we believe that the risk of credit fraud in the future is very low. A firm hired to perform data breach analysis has failed to find any misuse of information on the laptops, and will continue to analyze the information..."

Information Security: Agencies Need to Develop and Implement Adequate Policies for Periodic Testing. Full text, GAO-07-65, and Highlights, October 20, 2006.

Press release: "Symantec Corp...announced the opening of the Symantec Phish Report Network to consumers worldwide. As one of the world's leading antifraud communities, the Symantec Phish Report Network, launched in May 2006, allows member companies to contribute and receive fraudulent Web site addresses that they can use in their antiphishing solutions to help protect users from online fraud. Consumer input further helps the Symantec Phish Report Network's fight against online fraud and will aid in preventing other computers users from becoming victims."

Follow up to previous postings on ChoicePoint and data breaches, today's New York Times article, Keeping Your Enemies Close, provides a chronology of how the company has made inroads in rehabilitating its reputation.

Will Knight at New Scientist reports the research by Professor Markus Jakobsson and grad student Jacob Ratkiewicz, Indiana University, indicates "...one in 10 internet users may be lured into handing over sensitive personal information such as a credit card number, by fraudulent "phishing" emails..." and "that some survey participants may not have realised that they have been stung by a phishing scam, or may simply be too embarrassed to admit to it."

Effective November 1, 2006, New York states law "provides consumers may elect to place security freezes on consumer credit
reports by making such request to consumer reporting agencies [TransUnion, Equifax and Experian]."

"The Symantec Internet Security Threat Report offers analysis and discussion of threat activity over a six-month period. It covers Internet attacks, vulnerabilities, malicious code, phishing, spam, security risks, and future trends. The tenth version of the report, released September 25, is now available."

Press release: "In a report released today, Reps. Davis and Waxman summarize information provided to the Committee by 19 federal departments and agencies regarding the loss or compromise of personal information since January 2003. The report finds that every agency has experienced at least one such breach and that the agencies do not always know what information has been lost or how many individuals could be affected."

Key Conclusions:

Press release, October 4, 2006: "As information security concerns among consumers and other customer constituencies rise, just 29 percent of marketers say that their firm has a crisis containment plan in case of a security breach, according to findings of a major research initiative by the Chief Marketing Officer (CMO) Council. Without such a plan and other security strategies in place, companies are at risk of losing hundreds of million of dollars in market value and loss of reputation and brand trust, according to the study's findings."

Press release: "The Metropolitan Police Computer Crime Unit is investigating data recovered from a computer in the United States that was found to contain personal information from hacked computers located in the United Kingdom. We believe the data has been stolen by the use of a computer virus and it is believed more than 2,300 compromised computers in the UK consisting of 83,000 files have been targeted."

Press release: "The Federal Trade Commission today told the House Committee on Energy and Commerce Subcommittee on Oversight and Investigations that protecting the privacy of consumers' telephone records requires a multi-faceted approach. Joel Winston, Associate Director of FTC's Division of Privacy and Identity Protection, said that coordinated law enforcement efforts targeting pretexters, steps by telephone carriers to protect their records from intrusion, and educating consumers about actions they can take to protect their records, will help safeguard consumers' telephone records."

Press release: "Congressman Barney Frank yesterday wrote to the Chairman of the Federal Trade Commission (FTC) and representatives of the credit reporting industry asking that they look into the numerous complaints from consumers about access to credit reports and fraud alerts." [text of letter is included in this release]

Follow-up to September 19, 2006 posting, President's Identity Theft Task Force Announces Interim Recommendations, today OMB issued a memorandum of Recommendations for Identity Theft Related Data Breach Notification, from Clay Johnson, Deputy Director for Management.

FTC press release: "The President’s Identity Theft Task Force has adopted interim recommendations on measures that can be implemented immediately to help address the problem of identity theft, Attorney General Alberto R. Gonzales and Federal Trade Commission Chairman Deborah Platt Majoras announced today."

FTC press release: "An operation that placed spyware on consumers' computers in violation of federal laws will give up more than $2 million to settle Federal Trade Commission charges. Under a stipulated final judgment and order, the defendants are permanently prohibited from interfering with a consumer's computer use, including but not limited to distributing software code that tracks consumers' Internet activity or collects other personal information, changes their preferred homepage or other browser settings, inserts new advertising toolbars or other frames onto their browsers, installs dialer programs, inserts advertising hyperlinks into third-party Web pages, or installs other advertising software code, file, or content on consumers' computers."

Press release: Carnegie Mellon CyLab researchers create new system to address phishing fraud [ZDNet]

From the Antiphishing Working Group, the June Phishing Activity Trends Report.

Ponemon Institute Releases National Survey on Confidential Data at Risk

Consumer Alert: New Phishing Attack Claims to be FDIC

Follow up to August 9, 2006 posting, AOL Data Breach Causes Privacy Group to File Complaint With FTC, news today "the Electronic Frontier Foundation (EFF)...asked the Federal Trade Commission (FTC) to investigate America Online (AOL) and require changes in its privacy practices, after the company recently released search history logs that exposed the private lives of more than a half-million of its customers." A copy of the EFF complaint (11 pages, PDF).

Industry, Government Fret Over Tactics for Fighting Data Theft, by Marcia Coyle, The National Law Journal, August 10, 2006.

StopBadware.org Blog: "We're entering a new phase here at StopBadware.org. Google—which is one of our partners—will present people with a warning before they visit websites that have been reported to StopBadware.org as sites that distribute badware. These warnings currently link to a general page on StopBadware.org, but as we finish researching sites, we'll replace the general page with one of our individual website reports (see an example here). Hopefully this next step will bring us that much closer to fulfilling our mission of providing people with reliable, objective information about downloadable applications in order to help them make better choices."

Press release: "Senator Olympia J. Snowe (R-ME), Chair of the Senate Committee on Small Business and Entrepreneurship, today introduced the "Small Business Information Security Act of 2006," (S. 3786) legislation that will create the "Small Business Information Security Task Force" within the Small Business Administration to help small businesses both understand the information security challenges they face and identify resources to help meet those challenges."

Into the Breach: Security Breaches and Identity Theft/Research Report
July 2006 — "Security breaches of data files can lead to identity theft. In this AARP Public Policy Institute Data Digest, Neal Walters analyzes 244 breaches between January 1, 2005 and May 26, 2006, and finds that 40 percent were caused by hackers or insider access targeting sensitive personal information, potentially exposing 50 million individuals’ names and personal data."

GSA press release: "The U.S. General Services Administration’s (GSA) Office of Citizens Services & Communications is warning the public to avoid falling victim to a recent e-mail scheme that targets users by sending unsolicited e-mails allegedly from FirstGov, the citizen portal operated by GSA. These scam e-mails tell recipients that because of recent fraudulent activities on Money Access Online they need to confirm their account has not been stolen or hacked. The e-mails then direct recipients to click on a link and enter information related to personal credit card accounts."

EPIC: "A data breach notification bill [H.R. 3997] backed by the House Financial Services Committee drew criticisms from state law enforcement officials and a coalition of consumer groups, who said that existing state laws are more effective at protecting consumers. In a letter to House leadership signed by 48 state attorneys general, the National Association of Attorneys General stated that an effective data breach law should preserve strong consumer protections and allow states to enforce data breach laws. Consumer groups said that the Financial Data Protection Act "does nothing positive for consumers and rolls back existing state consumer protection laws."

Personal Information: Key Federal Privacy Laws Do Not Require Information Resellers to Safeguard All Sensitive Data, Full text GAO-06-674, and Highlights, June 26, 2006.

Treasury Inspecter General for Tax Administration - Increased Managerial Attention Is Needed to Ensure Taxpayer Accounts Are Monitored to Detect Unauthorized Employee Accesses, July 24, 2006. Reference Number: 2006-20-111.

AP reports that "[t]he names, addresses and Social Security numbers of as many as 540,000 injured workers [in New York] have been lost, and the state and a contracted company are trying to protect the workers from identity theft."

Matwyshyn, Andrea M., "Technoconsen(t)sus" (May 2006). Posted July 19, 2006 [Link to download]

Press release: "According to MarkMonitor's AntiFraud Operations Center™ (AFOC), domain-based phishing attacks now represent 73 percent of all attacks, up from 35 percent just 18 months ago." Related reference in this press release to an academic paper titled, Why Phishing Works.

FTC press release: "The federal financial institution regulatory agencies and the Federal Trade Commission are soliciting comments on a Notice of Proposed Rulemaking (NPRM) concerning identity theft “red flags” and address discrepancies. The NPRM, which has been reviewed and approved by each of the listed agencies, implements sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003. The regulations that the agencies are jointly proposing would require each financial institution and creditor to develop and implement an identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft in connection with account openings and existing accounts."

Review of Issues Related to the Loss of VA Information Involving the Identity of Millions of Veterans, Rpt. #06-02238-163, July 11, 2006 (78 pages, PDF)

Risky Business? How Multinationals' Outsourcing Involving Customer Data Can Lead to Identity Theft and Other Fraud, by Anita Ramasastry.

In the wake of the steady stream of news (the latest at this time is here) about stolen laptops and data breaches impacting state and federal government agencies and personnel, as well as corporations large and small, this AP article raises an important question: "...Why is so much private data allowed to be on laptops to begin with?"

Press release: "CA today announced a new security survey of 642 large North American organizations which shows that more than 84% experienced a security incident over the past 12 months and that the number of breaches continues to rise. According to the findings, security breaches have increased 17% since 2003. As a result, 54% of organizations reported lost workforce productivity; 25% reported public embarrassment, loss of trust/confidence and damage to reputation; and 20% reported losses in revenue, customers or other tangible assets. Of the organizations which experienced a security breach, 38% suffered an internal breach of security."

New York Times: Identity Thief Finds Easy Money Hard to Resist

From the Privacy Rights Clearinghouse, A Chronology of Data Breaches Reported Since the ChoicePoint Incident, updated June 30, 2006. Breaches reported in June 2006 include the Nebraska Treasurer's Office and the Minnesota Dept. of Revenue.

Federal Times: "In a few months, the 3.6 million participants in the Thrift Savings Plan will begin using account numbers instead of Social Security numbers to access their retirement accounts. TSP administrators are switching to randomly generated account numbers to enhance security and protect participants' Social Security numbers from being stolen, said Mark Hagerty, director of automated systems at the Federal Retirement Thrift Investment Board, which oversees the TSP."

"Utica College's Center for Identity Management and Information Protection is a research collaborative dedicated to furthering a national research agenda on identity management, information sharing, and data protection. Founded in June 2006, its ultimate goal is to impact policy, regulation, and legislation, working toward a more secure homeland."

Press release: "CDT's report charts the important cases against spyware distributors and identifies the statutes applied, June 26, 2006."

WSJ free feature: Laptop Lockdown - Companies Start Holding Employees Responsible for Security Of Portable Devices They Use for Work

Press release: "Sen. Bob Bennett (R-Utah) and Sen. Tom Carper (D-DE), members of the Senate Banking Committee, today introduced legislation to help protect individuals and businesses from the rampant crimes of identity theft and account fraud...The new bill requires that all entities – such as financial institutions, universities, retailers and federal agencies –safeguard sensitive information, investigate security breaches and notify consumers when there’s a substantial risk of identity theft or account fraud. That means retailers that take credit card information are now covered; data brokers who compile private information are covered; and government agencies that possess nonpublic personal information are also covered."

AP reported that a hacker obtained personal data on over 25,000 Agriculture Department employees.

The Consumer Privacy Legislative Forum (whose members include Google, Microsoft, Oracle, EBay Inc., Hewlett-Packard Co., Intel Corp., Sun Microsystems Inc. and Symantec Corp.) issued a statement supporting "a serious process to consider comprehensive harmonized federal privacy legislation to create a simplified, uniform but flexible legal framework."

Following up on previous postings on the VA data breach, today the GAO issued yet another related report - Information Security: Leadership Needed to Address Weaknesses and Privacy Issues at Veterans Affairs, Full text GAO-06-897T, and Highlights, June 20, 2006.

Yet another report today about the theft of a laptop from the home of a government employee, this time involving info on D.C. government personnel. The issue of why so many institutions have not implemented proper security measures, such as encryption on digital media removed from the office, remains baffling.

Press release: "In a major policy address on the challenges of privacy in our increasingly data driven world, Senator Hillary Rodham Clinton called for a comprehensive privacy agenda: a Privacy Bill of Rights that secures the interests of consumers; stronger, better enforced protection for medical privacy and a new national security consensus setting out clear rules to allow the government to use new intelligence techniques and make sure the public knows its rights and limits. Senator Clinton announced that she will introduce legislation to enact this Bill of Rights, the Privacy Rights and Oversight for Electronic and Commercial Transactions Act of 2006, the PROTECT Act."

Follow-up to recent postings VA ID theft and the continuous reports on government and corporate enterprise data breaches, see this Gartner press release: Gartner Says Rash of Personal Data Thefts Shows Social Security Numbers Can No Longer Be Sole Proof of Identity for Enterprises.

Related to previous postings on the recent breach of Veterans' data that was the focus of press and Congressional scrutiny, from GAO today, this report - Veterans Affairs: Leadership Needed to Address Information Security Weaknesses and Privacy Issues, full-text GAO-06-866T, and Highlights, June 14, 2006. From the report: "For many years, significant concerns have been raised about VA's information security--particularly its lack of a robust information security program, which is vital to avoiding the compromise of government information, including sensitive personal information. Both GAO and the department's inspector general have reported recurring weaknesses in such areas as access controls, physical security, and segregation of incompatible duties."

Related government documents:

WSJ free feature: Seeking a Safer Internet - New Tools Flag Sites With Spyware, Spam - But the Technology Is Far From Perfect

Press release, June 9, 2006: "Governor George E. Pataki today signed three bills [Security Freeze Law, Disposal of Personal Records Law, Anti-Phishing Act of 2006] that will further protect New York's consumers and their privacy. These bills will allow consumers to proactively defend themselves against identity thieves, require businesses to properly discard documents and records containing personal information, and prohibit individuals from deceptively soliciting sensitive information from Internet users. They will also help prohibit the potential repercussions that many identity theft victims encounter, including the denial of loan applications, false arrest, and criminal records."

Government Reform Committee Oversight Hearing, "Once More Into the Data Breach: The Security of Personal Information at Federal Agencies," June 8, 2006. "The data loss at VA is the largest by a federal agency to date, and the latest in a long string of personal information breaches in the public and private sectors, including financial institutions, data broker companies, and academic institutions."

Indiana House House Bill 1101 (HB 1101) which takes effect July 1, will "require disclosure of security breaches and encryption of data by companies holding customers' and clients' personal identification information in computer databases if it could cause identity theft, identity deception, or fraud."

Follow-up to postings on breach of veterans data, this press release from Sen. Patrick Leahy comments on the announcement that "the Social Security numbers and other personal information for as many as 2.2 million U.S. military personnel – including nearly 80 percent of our active-duty force -- were among the data the VA has lost."

Press release, May 31, 2006: "Gov. Lynch today signed Senate Bill 334, which will allows victims of identity theft to ask their credit reporting agency for a "credit freeze." Once they do, their credit reports cannot be forwarded without their consent or involvement, which will help prevent identity thieves from using people's good credit against them. A credit freeze will also prevent criminals from being able to open new lines of credit in their victims' names...The law goes into effect on Jan. 1, 2007."

Another follow-up to postings and resources for veterans impacted by recent data breach: "The FTC is advising veterans and their families to keep a close hold on their credit card numbers, bank account information, Social Security numbers, passwords, and other sensitive personal information. One technique scammers use to get this information is phishing: they send an e-mail that appears to be from a well-known company, asking recipients to verify their personal information and luring them to a Web site that looks genuine, but is bogus. Scammers can lie on the telephone, as well, to get personal information." [Link]

Follow-up to postings and resources for veterans impacted by recent data breach, this press release (includes text of letter to HHS): "Thirty organizations participating in the Consumer Coalition for Health Privacy yesterday asked U.S. Department of Health and Human Services Secretary Mike Leavitt to undertake a compliance review of the U.S. Department of Veterans Affairs pursuant to the authority granted him by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Medical diagnostic codes and disability rating information about an undisclosed number of disabled veterans were stolen last month from the home of a VA employee along with 26.5 million veterans' names, birth dates and Social Security numbers."

Press release: "A new cyber security study released today highlights the difference between perception and reality of consumers' awareness of online scams and their actual online behavior. While 87 percent of consumers polled said they were confident they could recognize fraudulent e-mails, 61 percent failed to identify a legitimate e-mail. Most respondents categorized all e-mails in the study as fake, even though one of them was legitimate. The Online Fraud Report has been sponsored by the National Cyber Security Alliance (NCSA), a central clearinghouse for cyber security awareness and education for home users, small businesses and the education community, and Bank of America."

According to the New York Times, Arizona's rapid population growth combined with a "heavy traffic in methamphetamine" are signficant factors in the state's ranking at the top of the list for ID theft complaints recorded by the FTC.

Follow-up to recent postings, Theft of Data on Over 25 Million Veterans Renews Calls for Greater Security and VA Launches Website and Call Center After Theft of Personal Data, from the Privacy Rights Clearinghouse: The VA's Data Breach – Tips for Veterans and Action You Can Take under Federal Law

The CCH Payroll Management Guide reports "Maryland employers, including the State, counties, and municipal corporations, may no longer print an employee's Social Security number on wage payment checks."

"In recognition of National Internet Safety Month (June 2006), National Criminal Justice Reference Service presents this compilation of Internet safety resources."

Follow-up to the latest extensive incident of ID theft involving government records and citizen personal data, see this OMB Memoranda M-06-15, Safeguarding Personally Identifiable Information, May 22, 2006.

Related government documents and news:

NIST's National Vulnerability Database: Search for Vulnerabilities - Enter vendor, software, or keyword.

Follow-up to posting yesterday, Theft of Data on Over 25 Million Veterans Renews Calls for Greater Security, this news from the government today: "Over the weekend following the recent theft of 26.5 million veterans' records, the Department of Veterans Affairs (VA) quickly put in place a call center and website to answer questions about the implications of the theft and the steps veterans can take to protect themselves from misuse of their personal information. The call center, at 1-800-FEDINFO, operates from 8:00 a.m. to 9:00 p.m. (EDT) Monday to Saturday. It can handle up to 260,000 toll-free calls a day. The latest information on VA data security is posted on Firstgov.gov, the U.S. government's official Web portal."

Related news and government documents:

Statement of Secretary of Veterans Affairs R. James Nicholson on the Status of the Veterans Data Theft (5/24/06): "I am outraged at the loss of this veterans' data and the fact an employee would put it at risk by taking it home in violation of our policies. I am also concerned about the timing of the Department's response once the burglary became known. I will not tolerate inaction and poor judgment when it comes to protecting our veterans."

Cybersecurity Enhancement and Consumer Data Protection Act of 2006 (H.R. 5318), To amend title 18, United States Code, to better assure cyber-security, and for other purposes, introduced 5/9/2006, by Rep. James F. Sensenbrenner Jr.

Solove, Daniel J. and Hoofnagle, Chris Jay, A Model Regime of Privacy Protection (Version 3.0). Illinois Law Review, Vol. 2006, p. 357, 2006.

FTC press release: "The Federal Trade Commission today told the Subcommittee on Commerce, Trade, and Consumer Protection of the House Committee on Energy and Commerce Committee that in the effort to reconcile the beneficial uses of Social Security Numbers with the threats to consumer privacy, "The challenge is to find the proper balance between the need to keep SSNs out of the hands of identity thieves, while giving businesses and government entities sufficient means to attribute information to the correct person."

Fact Sheet: The President's Identity Theft Task Force: "This task force will marshal the resources of the Federal government to crack down on the criminals who traffic in stolen identities and protect American families from this devastating crime."

"The Committee on Energy and Commerce, to whom was referred the bill (H.R. 4127) to protect consumers by requiring reasonable security policies and procedures to protect computerized data containing personal information, and to provide for nationwide notice in the event of a security breach, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass." [House Report 109-453 - Part 1 - Data Accountability and Trust Act (DATA), Ordered to be printed May 6, 2006]

FTC press release: "A title company that promised consumers it maintained "physical, electronic and procedural safeguards" to protect their confidential financial information, but tossed consumer home loan applications in an open dumpster, agreed to settle Federal Trade Commission charges that its inadequate storage and disposal procedures for sensitive consumer information violated federal laws. The settlement with Nations Title Agency, Inc., Nations Holding Company, and Christopher M. Likens bars deceptive claims about privacy and security policies, and requires that they implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years."

The RFID Hacking Underground, by Annalee Newitz: "They can steal your smartcard, lift your passport, jack your car, even clone the chip in your arm. And you won't feel a thing. 5 tales from the RFID-hacking underground."

Preventing Identity Theft and Data Security Breaches: The Problem With Regulation, by Clyde Wayne Crews and Brooke Oberwetter, Competitive Enterprise Institute, May 9, 2006 (24 pages, PDF)

Building and Implmenting a Successful Information Security Policy, by John J. Pak, May 8, 2006 (25 pages, PDF).

The Ins and Outs of Spyware [15 pages, PDF] April 24, 2006: "Lesley Herring discusses what spyware is, categories of spyware, types of spyware, symptoms of spyware, research sites to find out more information, prevention techniques, and removal tools in this contribution."

Cyber Security Industry Alliance Board Urges Congressional Leadership on Consumer Data Protection: Letter to Congressional Leadership

The IRS held a public hearing today on proposed regs that will require taxpayers to specifically consent to the sale of their data as supplied to tax preparers.

Press release: The Anti-Spyware Coalition today released two new resources to help consumers and enterprises better protect themselves against spyware and unwanted adware...The coalition's two new documents walk consumers and network operators through the steps they should be taking to protect their machines against adware, spyware and other malicious software."

Press release: "An estimated 3.6 million households, or about 3 percent of all households in the nation, learned that they had been the victim of at least one type of identity theft during a six-month period in 2004, the Justice Department’s Bureau of Justice Statistics (BJS) announced today. Forty-eight percent had experienced an unauthorized use of credit cards; 25 percent had other accounts, such as banking accounts, used without permission; 15 percent experienced the misuse of personal information and 12 percent experienced multiple types of theft at the same time. These findings represent six-month estimates based on interviews conducted from July through December 2004 for the BJS National Crime Victimization Survey."

Social Security Numbers: More Could be Done to Protect SSNs, Full text GAO-06-586T, and Highlights. March 30, 2006.

Press release: "The House Energy and Commerce Committee unanimously approved new data security laws Wednesday that will ensure consumers' personal information is closely guarded and consumers are notified when they are at risk...The bill places new requirements on specific companies that specialize in collecting personal data. These "data brokers" will be required to implement effective security safeguards. If there is a reasonable risk of identity theft to the individual to whom the personal information relates, fraud or other unlawful conduct, these data brokers must notify consumers. Additionally, data brokers will be prohibited from falsely representing themselves to obtain personal data...H.R. 4127, the Data Accountability and Trust Act, passed 41-0. The bill "sends a clear message: 'If you can't protect it, don't collect it,'" said U.S. Rep. John Dingell, D-Mich., the committee's ranking member."

"The Better Business Bureau (BBB) has partnered with nationally-recognized security and privacy experts to create a new toolkit to help small business owners manage security and privacy challenges. We call it Security & Privacy - Made Simpler (TM). The objective is to demystify the complexities of data security and give small businesses a non-technical roadmap to securing their customer data, and their employees' data, too."

"PhishRegistry.org is a free service provided by CipherTrust, Inc. to help businesses know when they are at risk of being phished. PhishRegistry.org monitors the content of your website and alerts you when attempts to duplicate it have been detected. Weekly reports are sent to your email address with information about suspect websites."

Privacy Rights Clearinghouse, Updated March 23, 2006: A Chronology of Data Breaches Reported Since the ChoicePoint Incident

"Thousands of visitors to StopBadware.org have shared their badware experiences with us since we launched. From their stories, we've identified and tested four applications that contain annoying or objectionable behaviors. To find out what we think of Kazaa, MediaPipe, SpyAxe, and Screensaver.com, read our reports (all in PDF):"

Information Security: Department of Health and Human Services Needs to Fully Implement Its Program, Full Report, GAO-06-267 and Highlights, February 24, 2006.

Press release: "Large well-respected companies are helping to fund the virulent spread of unwanted and potentially harmful "adware" by paying for advertisements generated by those programs, a new report by CDT finds. In "Following the Money: How Advertising Dollars Encourage Nuisance and Harmful Adware and What Can be Done to Reverse the Trend," (10 pages, PDF) CDT details how -- through a complicated network of intermediaries -- major advertisers pay to have their products and services advertised though pop-ups and other ads generated by unwanted advertising software or "adware." The report dissects the financial relationships behind those arrangements and identifies a number of mainstream companies that advertise through one particularly unscrupulous adware distributor."

Press release: "Neil Holloway, president of Microsoft Europe, Middle East and Africa (EMEA), unveiled a global law enforcement campaign that will target cybercriminals behind phishing attacks. Microsoft Corp. announced that by the end of June 2006 it will have initiated legal actions on more than 100 cases in EMEA against individuals suspected of committing online fraud; 53 of these will have already started by the end of March 2006...The legal actions are linked to a larger Microsoft(R) program, the Global Phishing Enforcement Initiative (GPEI), launched by the company to coordinate and expand its many anti-phishing efforts worldwide to fight phishers through consumer protection, partnerships and prosecution."

Press release, March 16, 2006: The Federal Trade Commission today told the House Committee on Small Business, Subcommittee on Regulatory Reform and Oversight that protecting consumers' privacy rights is a top priority for the agency. Lydia Parnes, Director of the FTC's Bureau of Consumer Protection, told the Committee, "The Commission is committed to aggressive law enforcement, vigorous consumer and business education efforts, and global cooperation to safeguard the security of consumers’ personal information." To date, the agency has brought 12 data security cases, six spyware and adware cases, more than a dozen financial pretexting cases, and more than 80 spam cases.

U.S. Newswire: "The House Financial Services Committee voted today to repeal strict state notification and credit freeze laws that have helped to protect consumers from identity theft and financial fraud. These laws provide essential protections that allow consumers to prevent identity thieves from opening credit accounts in their names and require companies to inform consumers when their personal data -- such as their Social Security and credit card numbers -- have become compromised."

Press release: "Consumer confidence in conducting business and protecting personal data online is threatened every day by phishing scams. In an initiative led by the National Consumers League (NCL), law enforcement, financial services and technical industries have joined forces to combat this threat. The group today issued a "call to action" with the release of a paper outlining key recommendations that form a comprehensive plan for combating phishing more effectively."

Government Reform Committee Oversight Hearing: No Computer System Left Behind: A Review of the 2005 Federal Computer Security Scorecards, March 16, 2006.

From Viviane Reding, Member of the European Commission responsible for Information Society and Media, "Safety on the Net" (7 pages, PDF), (09/02/06).

Symantec Internet Security Threat Report, Volume IX: March 2006 Highlights.

Press release: "Citing the need to safeguard the personal information of Minnesotans, Governor Pawlenty today announced a series of proposals that will protect personal privacy and improve the way state government handles personal data...In 2005, more than 3,000 Minnesotans became the victims of identity theft according to the Federal Trade Commission.

NPR: Identity Theft - Protecting Your Good Name, February 27, 2006. (17 pages, PDF)

FTC press release: "In the largest known compromise of financial data to date, CardSystems Solutions, Inc. and its successor, Solidus Networks, Inc., doing business as Pay By Touch Solutions, have agreed to settle Federal Trade Commission charges that CardSystems' failure to take appropriate security measures to protect the sensitive information of tens of millions of consumers was an unfair practice that violated federal law. According to the FTC, the security breach resulted in millions of dollars in fraudulent purchases. The settlement will require CardSystems and Pay By Touch to implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years."

Related documents:

Follow-up to House Cmte. Seeks Operations Docs. from Websites Selling Cell Phone Records, "House Energy and Commerce Committee investigators have identified people behind 22 Web pages that may offer criminals, stalkers and any other paying customer the detailed records of a person's private telephone calls."

"The goal of National Computer Security Survey (NCSS) is to produce reliable national and industry-level estimates of the prevalence of computer security incidents (such as denial of service attacks, fraud, or theft of information) against businesses and the resulting losses incurred by businesses. The first national survey of thousands of businesses is being conducted in 2006. Sponsors: U.S. Department of Justice, Bureau of Justice Statistics and the U.S. Department of Homeland Security, National Cyber Security Division (NCSD)."

Related government documents:

Data Security: Federal and State Laws, February 03, 2006

Press release: "The 2006 Identity Fraud Survey Report - released by the Council of Better Business Bureaus and Javelin Strategy & Research - provides new facts on how identity fraud occurs, counterintuitive insights that challenge conventionally accepted beliefs about these crimes, and steps consumers can take to further protect themselves against this problem...people are not helpless in protecting themselves from identity theft. Contrary to popular belief, consumers do not bear the brunt of financial losses from identity fraud, Internet use does not increase the risk of identity fraud; and... seniors are not the most frequent targets of fraud operators." The press release includes key data from the report, but the full text (57 pages) must be purchased from Javelin Strategy & Research.

Related resources:

UK Home Office: Updated Estimate of the of the Cost of Identity Fraud to the UK Economy, 2 February 2006 (4 pages, PDF).

The new StopBadware.org website, sponsored by the Berkman Center, the Oxford Internet Institute, with assistance from Consumer Reports WebWatch, ..."will seek to provide reliable, objective information about downloadable applications in order to help consumers to make better choices about what they download on to their computers. We aim to become a central clearinghouse for research on badware and the bad actors who spread it, and to become a focal point for developing collaborative, community-minded approaches to stopping badware."

Identity Theft Again Leads the List: "The Federal Trade Commission...released its annual report (77 pages, PDF) detailing consumer complaints about fraud and identity theft in 2005. Complaints about identity theft topped the list, accounting for 255,000 of more than 686,000 complaints filed with the agency in 2005. The complaints, filed online or at a toll-free number, are shared via a secure database with more than 1,400 federal, state, and local law enforcement agencies, and law enforcement and consumer protection agencies in Canada and Australia."

FTC press release: "Consumer data broker ChoicePoint, Inc., which last year acknowledged that the personal financial records of more than 163,000 consumers in its database had been compromised, will pay $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges that its security and record-handling procedures violated consumers' privacy rights and federal laws. The settlement requires ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program, and to obtain audits by an independent third-party security professional every other year until 2026."

Related Documents:

Press release: "The Federal Deposit Insurance Corporation (FDIC) today released an on-line multimedia education tool that consumers can use to learn how to better protect their computers and themselves from identity thieves. The presentation also features actions consumers can take if their personal information has been compromised. Identity theft continues to be one of the fastest growing crimes in the United States, and has ranked as one of the top consumer concerns for the past several years. Identity theft is evolving in more complicated ways that make it harder for consumers to protect themselves, and easier for criminals to set up virtual storefronts on the Internet to sell confidential personal information."

New 2005 FBI Computer Crime Survey (19 pages, PDF). "The survey, developed and analyzed with the help of leading public and private authorities on cyber security, is based on responses from a cross-section of more than 2,000 public and private organizations in four states."

"After an extensive public comment period and review, the Anti-Spyware Coalition has released the Final Working Report of the Spyware Definitions. In addition, ASC has released a number of supporting documents, including a Vendor Dispute Resolution Process, a Glossary and a set of Safety Tips for Users."

"OnGuardOnline.gov provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information."

Malware - Future Trends, by Dancho Danchev,10/01/06 (26 pages, PDF).

Spy? Where?: Understanding Spyware, by Benny C. Rayner, 03/01/06 (14 pages, PDF): "Spyware is a pest no matter which way you think about it. Whether it’s causing you to have numerous pop-ups or it is consuming all of your system resources; spyware is a menace to be reckoned with."

Press release: NCSL's Top Ten Legislative Issues Forecast For 2006.

Congress Ready to Tackle Tech Issues in 2006 - Spyware, data security, and telecom reform will be on the agenda next year.

"Cyber Security Industry Alliance (CSIA), the only advocacy group dedicated to ensuring the privacy, reliability and integrity of information systems, today called on the federal government to assert greater leadership in the protection our information infrastructure in 2006. Its release of the National Agenda for Government Action on Information Security (11 pages, PDF) identifies 13 specific actions required to improve information security for consumers, industry, and governments globally. As part of the Agenda, CSIA also provides a report of the government's limited progress in information security in 2005 and releases a new Digital Confidence Index that reflects the public's lack of confidence in our nation's critical infrastructure." [Link]

Press release: Phishing attacks aimed at identity theft now affect roughly one in four Americans (23%) each month, according to the second annual AOL/National Cyber Security Alliance (NCSA) Online Safety Study (11 pages, PDF). Additionally, more than two-thirds of consumers (70%) who received such scam e-mails thought they were from legitimate companies, putting them at high risk of losing sensitive personal information to identity thieves or criminals. The AOL/NCSA Online Safety Study is the largest study of its kind, sending technical experts into hundreds of typical homes to examine personal computers for known security risks and threats."

Windows OneCare Team Blog: "WOC is devoted to helping users' get their machines in a secure and healthy state."

The Personal Data Privacy And Security Act of 2005 was approved by the Senate Judiciary Committee and moves forward to Senate hearings.

From the Anti-Phishing Working Group and SRI International, the following report, commissioned by DHS, Online Identity Theft: Technology, Chokepoints and Countermeasures (58 pages, PDF).

Follow-up to November 1, 2005 posting, Data Breaches Remain A Concern for Consumers and Lawmakers. The House Commerce, Trade & Consumer Protection Subcommittee passed the Data Accountability and Trust Act, H.R. 1427, on November 3. Congressional support for the legislation remains mixed.

A new, joint federal law enforcement and industry initiative to fight Internet fraud, called LooksTooGoodToBeTrue, was launched today (press release, 5 pages, PDF). "This website was developed to arm you with information so you don’t fall victim to these Internet scam artists." The site provides consumers with documentation on: Types of Fraud; Victim Stories; FAQs & Tips; Information Regarding Phishing Scams; a Fraud Risk Test; and Links to help prevent you from being scammed.

Related references:

"Microsoft has teamed up with the National Cyber Security Alliance (NCSA) to help increase Internet security through a month-long awareness-raising campaign that provides information and sponsored events for consumers, small businesses, educators, and families. This year, the National Cyber Security Awareness Month campaign begins October 1, 2005...Events for this year's campaign include conferences and workshops in several cities across the U.S. For more information and a list of events, visit the NCSA Web site."

Press release, October 12, 2005: "The Federal Financial Institutions Examination Council (FFIEC) today released updated guidance (14 pages, PDF) on the risks and risk management controls necessary to authenticate the identity of customers accessing Internet-based financial services. The guidance, Authentication in an Internet Banking Environment, was issued to reflect the many significant legal and technological changes with respect to the protection of customer information, increasing incidents of identity theft and fraud, and the introduction of improved authentication technologies and other risk mitigation strategies."

The Complete Guide to E-mail, Inc. Magazine, October 2005: "What follows is a guide to the biggest e-mail concerns, particularly security, compliance, and archiving. We'll give you tools for building an e-mail policy now, which can save headaches later, and also advice on buying the right system."

"Kath Straub, Ph.D., CUA, Chief Scientist, looks at recent research on how people detect, and often miss, Web site fraud.."
Fine-tuning your Internet deception detectors is a brief, straight forward, practical guide to "how Internet deception works."

FTC press release: "The Federal Trade Commission today told the Senate Committee on Commerce, Science, and Transportation Subcommittee on Trade, Tourism, and Economic Development that spyware and other "malware" that is downloaded to consumers' computers without their consent can cause problems ranging from sluggish computer performance to loss of sensitive personal data. Chairman Deborah Platt Majoras said the FTC has an active program to address concerns about spyware and other malware, including research, law enforcement, and consumer education." Please note that this press release provides links to and descriptions of four cases brought by the FTC against defendants accused of distributing spyware and adware.

Related links:

How to foil a Phish, by Sarah D. Scalet, documents the creation and implementation of a successful anti-phishing response plan by an anonymous financial institution. This case study provides a range of scenarios that confront banks dealing with a bombardment of email attacks, and offers practical resources and solutions.

Related references:

Signed into law on September 30, S.B. No. 355: This bill would enact the Anti-Phishing Act of 2005. The bill would make it unlawful for any person, through the Internet or other electronic means, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the approval or authority of the business. The bill would provide certain civil remedies and civil penalties for a violation in that regard.

Symantec Internet Security Threat Report, Volume VIII, September 2005 (requires free registration): "The Symantec Internet Security Threat Report is an analysis and discussion of Internet security activity over the past six months. It covers Internet attacks, vulnerabilities, malicious code, and future trends. This edition of the Threat Report, covering the first six months of 2005, marks a shift in the threat landscape. Attackers are moving away from large, multipurpose attacks on network perimeters and towards smaller, more focused attacks on client-side targets. The new threat landscape will likely be dominated by emerging threats such as bot networks, customizable modular malicious code, and targeted attacks on Web applications and Web browsers. Unlike traditional attack activity, many current threats are motivated by profit. They often attempt to perpetrate criminal acts, such as identity theft, extortion, and fraud."

"OnGuardOnline.gov provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information."

How to Combat Spyware in Corporate Environments - "A vendor contribution from Panda Soft on Spyware...Spyware downloaded to companies can steal confidential information, reduce the performance of the IT infrastructure, due to the resources used by non work-related activity and loss of employee productivity, who have to deal with changes to system settings and unwanted advertisements." (20 pages, PDF)

Why the "Real ID" Act, Which Requires National Identity Cards, is a Real Mess

Related links:

The Pharming Guide by Gunter Ollmann (37 pages, PDF)

EPIC reports that "the Fair Credit Reporting Act's guarantee of free credit reports takes full effect today, and now residents of all states can gain access to a free copy of their credit report from all three of the big consumer reporting agencies by visiting annualcreditreport.com or by calling 1-877-322-8228. You can monitor your credit free by requesting one of your three credit reports every four months. For more information, see EPIC's Fair Credit Reporting Act Page."

Related reference:

More charges for L.A. man in ChoicePoint ID theft - Oluwatunji Oluwatosin now faces 22 more charges, L.A. prosecutors say.

New York Governor Pataki signed the Information Security Breach and Notification Act on August 22. It "requires any state agency or business which owns or licenses a computerized database which includes vulnerable personal information shall disclose any breach of security of such system to any resident of New York state whose unencrypted personal information may have been acquired by an unauthorized person; provides enforcement provisions."

Understanding credit reports requires homework, patience, By Patricia Sabatini, Pittsburgh Post-Gazette.

How to let customers know there's been a breach of their data and help them keep their faith in you, by Dr. Larry Ponemon.

Webroot Software released their State of Spyware Report today (free but requires registration), which states in part that "...the number of websites distributing spyware has quadrupled since the beginning of 2005 to an astonishing 300,000 unique URLs." [press release] In addition, 80% of corporate computers are infected with malicious software, which can take the form of trojans, spyware or adware.

From the Reconnex August Insider Threat Index: "Ninety-one percent of companies who completed a Reconnex 48-Hour e-Risk Assessment in the month of July had credit card numbers entering or leaving their network and eight-two percent exposed social security numbers. Most concerning was the amount of personal data including name and SSNs exposed directly in the subject lines of emails, in clear, open text. The origin of the vast majority of these disclosures stemmed from human resources departments who often accidentally exposed employees' personal information when they communicate with partners in health insurance, payroll, workers compensation and other third-party processors. The personal data revealed by co-workers often included employee names, date of birth, social security numbers (SSN) and even sometimes bank routing information. This personal data was usually sent via Excel spreadsheets and in clear text. Sometimes the individual Excel spreadsheets contained thousands to tens of thousands of individuals personal data."

Press release from RSA Security: "A survey released [yesterday]...showed that – despite widespread fears of fraudulent activity and identity theft – consumers are willing to increase the amount of personal business they do online if their banks and other online service providers offer them strong authentication."

Press release from Unisys: "Survey results from Unisys Corporation launched [August 3, 2005] reveal that UK consumers' apathetic attitude to fraud could be helping to perpetuate the rapidly growing identity theft industry, which is now estimated to be costing UK businesses £1.3 billion per year."

IBM press release: "IBM reported that virus-laden emails and criminal driven security attacks increased by 50 percent in the first half of 2005 - underscored by a significant rise in 'customized' attacks on the government, financial services, manufacturing and healthcare industries. This substantial increase, along with a decrease in less profitable threats, such as spam and simple computer viruses, indicates a growth in targeted attacks against specific organizations and industries -- apparently created with the purpose of stealing critical data, identities or extorting money."

The U.S. Senate Special Committee on Aging held a hearing on July 27, Old Scams – New Victims: Breaking The Cycle of Victimization.

On July 20, the Privacy Rights Clearinghouse updated their Chronology of Data Breaches Reported Since the ChoicePoint Incident, which have impacted more than 50 million individuals.

Press release from the Progress & Freedom Foundation: "Notification Doesn't Benefit Consumers: State and Federal lawmakers should proceed with caution when considering notification legislation addressing the perceived growth of data security breaches, according to a new paper released by The Progress & Freedom Foundation. An Economic Analysis of Notification Requirements for Data Security Breaches (19 pages, PDF), authored by Senior Fellow and VP for Research Thomas Lenard and Adjunct Fellow Paul Rubin, finds the costs of such notifications to businesses and consumers are likely to be substantially higher than the benefits."

Related references:

From WSJ free content, Information Security - Where the Dangers Are: The threats to information security that keep the experts up at night -- and what businesses and consumers can do to protect themselves.

As a follow-up to my December 12, 2003 posting, E-ZPass Technology, Law Enforcement and Privacy, see this article, A Pass on Privacy, from the Sunday New York Times Magazine: "The computer system to which you have surrendered your payment information also records data about your movements and habits. It can be hacked into." Read on.

Press release: "A bipartisan coalition of Senate Commerce Committee leaders today introduced comprehensive legislation (The Identity Theft Protection Act, S.1408) that protects consumers from identity theft. The bill sets national standards for notifying consumers of data breaches, requires businesses to improve their safeguards for sensitive consumer information, gives consumers the right to freeze their credit reports to thwart identity theft, and limits the solicitation of Social Security numbers."