Information Security Law this Month - June 2012
In the news in June 2012:
- Telstra breaches Privacy Act again
- Report on investigations into last year’s First State Super member application issues released by Commissioner
- FTC sues Wyndham Hotels while Stratfor settles class action suit in U.S.
- LinkedIn and eHarmony suffer major breaches
CASES AND LEGISLATION
Telstra Password Leak Found to be Breach of Privacy
The Australian Privacy Commissioner has found Telstra breached the Privacy Act when it exposed thousands of customer records to the public over the internet in December last year. Commissioner Timothy Pilgrim said the telco breached National Privacy Principle 2.1 and 4.1 as it “did not take reasonable steps to protect customers' personal information from unauthorised access and disclosure”.
Interestingly, in ceasing his investigation into the matter, the Commissioner asked Telstra to provide him with a report on the progress of the remediation project to address the identified security issues by October 2012. He also asked Telstra to provide him with a report on the completion of the remediation project by April 2013.
In the report, the Commissioner noted that he does not currently have the power under the Privacy Act to impose any penalties or seek enforceable undertakings from organisations when investigating on his own motion, though the currently proposed reforms would include the provision of additional powers and remedies.
OAIC Media Release available here. Story here, here, here and here.
The Commissioner is also reported to be on the lookout for systemic privacy weaknesses in Telstra's operations following the handing down of his report, reportedly wanting to delve into Telstra's operational culture to work out why it breached privacy law. Story here.
Federal Privacy Commissioner Says First State Super Breached Privacy Act
The First State Super Trustee Corporation (FSS) has been found to have breached the Privacy Act, ZDNet reports. The Privacy Commissioner opened an investigation after an incident in October in which a security director discovered that information on FSS systems was exposed to snooping by other FSS customers. The investigation found that personal information, including member names and addresses, details of account transactions, balances and members' ages, could be downloaded from FSS, the report states. The investigation also found FSS had the capacity to remedy the vulnerabilities before the security director's discovery and breached the Act because of its inaction. Story here.
The Privacy Commissioner’s report is available here. The media release is available here.
NSW Privacy Commissioner Finds NSW Rail Did Not Comply with Privacy Law
An Office of the New South Wales (NSW) Privacy Commissioner investigation has found passenger rail service RailCorp did not comply with privacy law when it wiped clean unclaimed USB keys it sold at auction, Infosecurity reports. The cleansing process was inadequate because it "did not prevent the recovery of cleansed data using off-the-shelf, inexpensive software," the report states. NSW Privacy Commissioner Elizabeth Coombs found the company "did not utilise specialised data deletion software" so the information was not protected against loss, unauthorised access, modification, disclosure and misuse. The company has since said it will no longer auction unclaimed USBs and will find a safe way to dispose of them. Story here.
Aus Government To Consider Data Retention Reforms
The federal government is pushing ahead with reforms that could see consumers' information kept on file for up to two years by internet service providers (ISPs). This could include the data retention of personal internet browsing information which intelligence agencies could access in the event of criminal activities by individuals or organisations.
Attorney-general Nicola Roxon is reported by Computerworld as stating that she has referred the matter to the joint intelligence committee, as well as other reforms to four pieces of legislation: the Telecommunications (Interception and Access) Act 1979; the Telecommunications Act 1997; the Australian Security Intelligence Organisation Act 1979; and the Intelligence Services Act 2001.
Electronic Frontiers Australia says the public will be locked out of discussions on the matter and notes the potential for data access abuse. Story here.
Greens Sen. Scott Ludlam has stated that the government's plan to require ISPs to retain user data for intelligence-gathering purposes (called OzLog) "is flawed". He questions the privacy implications and whether the requirements are technically feasible. Story here.
He is also reported as pointing to the Cybercrime Bill (2011) and the recent data retention proposal as examples of state intrusion into private lives, and as warning that the internet freedom of Australians is being eroded. Story here.
Wyndham Hotel Sued for Data Breaches
Hotel chain Wyndham Worldwide Corp. has been sued by the U.S. Federal Trade Commission (FTC) for data breaches, which allegedly caused millions of dollars in customer losses. After one security breach in 2008, according to the FTC, Wyndham failed to protect customers’ personal data. As a result, two more data breaches occurred in 2008 and 2009 causing confidential information from more than 500,000 customer payment cards to be stolen. The stolen customer information was then sent to domain names registered in Russia, the FTC said. In a lawsuit filed in the federal court in Arizona, the FTC said that more than $10.6 million in fraudulent charges were attributed to the cards of affected Wyndham customers. Story here.
Stratfor Lawsuit Settlement Receives Preliminary Approval
Global intelligence firm Stratfor is expected to settle a class-action lawsuit that was brought following last year's massive data breach, according to reports. The Texas-based Stratfor will offer members of the class a one-month subscription, which normally costs $29.08, as well as an electronic book published by Stratfor, priced at $12.99, according to a Reuters report. Under the settlement, which received preliminary approval from the judge on June 14, Stratfor also must provide free credit monitoring for class members who ask for it, and must continue to invest in upgrading its security. In settling, Stratfor did not admit any wrongdoing. In total, the settlement is expected to cost Stratfor $1.75 million. Story here.
U.S. Village View ACH Case Settled
Village View settled its proceedings against Professional Business Bank relating to the fraudulent transfer of over $400k from its account, with the Bank agreeing to reimburse the amount transferred. Importantly, investigations conducted by the California Department of Corporations, the Federal Deposit Insurance Corp. and the Redondo, Calif., Police Department determined that Village View played no role in the cybertheft it suffered and took all necessary precautions to avoid the losses. Hackers broke into Village View's network and scheduled and sent 26 consecutive wire transfers out of the country. Dual controls were not used by the business, and an e-mail verification service offered by Professional Business Bank was disabled by the criminals. Village View says the bank only offered single-factor authentication.
Village View also contended that, when the hackers disabled the bank's e-mail notification service, an alert should have automatically been generated and sent to the bank. Full story here, and discussion in the context of the Patco and Experi-Metal decisions here.
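The two controls at issue in the Village View case, dual authorisation of outbound wires and an alert when a customer's notification channel is switched off, expressed as detection logic run over an audit log. This is an added example and not the bank's or Village View's system: the log format, field names, account identifier, destination countries and the thresholds (a $10,000 dual-control floor, a 24-hour window after a notification is disabled, three wires in an hour) are all assumptions, and the log lines are constructed.

```python
"""Detection rules for an account-takeover pattern: notification channel
disabled, then outbound wires without a second approver."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (assumed schema, not any bank's real format):
# ISO timestamp followed by key=value tokens.
SAMPLE_LOG = """\
2011-03-16T09:02:11 acct=VV-1001 event=login user=controller ip=203.0.113.7
2011-03-16T09:03:40 acct=VV-1001 event=notification_disabled channel=email user=controller ip=203.0.113.7
2011-03-16T09:05:02 acct=VV-1001 event=wire_out amount=15400.00 dest_country=LV approvers=1 user=controller
2011-03-16T09:07:15 acct=VV-1001 event=wire_out amount=9800.00 dest_country=LV approvers=1 user=controller
2011-03-16T09:09:48 acct=VV-1001 event=wire_out amount=22000.00 dest_country=RU approvers=1 user=controller
2011-03-18T10:15:00 acct=VV-1001 event=wire_out amount=48000.00 dest_country=US approvers=2 user=controller
"""


def parse_line(line):
    """Parse one log line into a dict with a datetime 'ts'; None if malformed."""
    ts, _, rest = line.strip().partition(" ")
    if not ts or not rest:
        return None
    try:
        ev = dict(tok.split("=", 1) for tok in rest.split())
        ev["ts"] = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return ev


def _alert(kind, ev, detail):
    return {"kind": kind, "acct": ev.get("acct"), "ts": ev["ts"].isoformat(), "detail": detail}


def detect(lines, dual_control_floor=10000.0, disable_window=timedelta(hours=24),
           velocity=3, velocity_window=timedelta(hours=1)):
    """Run four rules over the log and return a list of alert dicts.

    NOTIFICATION_DISABLED: a customer alert channel was turned off (the event
        Village View argued should itself have alerted the bank).
    WIRE_AFTER_NOTIFICATION_DISABLED: an outbound wire within disable_window of
        that event, when the customer could not have been warned.
    WIRE_WITHOUT_DUAL_CONTROL: a wire at or above the floor with fewer than two approvers.
    WIRE_VELOCITY: `velocity` wires from one account inside velocity_window.
    """
    alerts = []
    disabled_at = {}                   # acct -> when its notification channel was disabled
    recent_wires = defaultdict(deque)  # acct -> timestamps of recent outbound wires
    events = [e for e in map(parse_line, lines) if e]
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct, kind, ts = ev.get("acct"), ev.get("event"), ev["ts"]
        if kind == "notification_disabled":
            disabled_at[acct] = ts
            alerts.append(_alert("NOTIFICATION_DISABLED", ev, f"channel={ev.get('channel')}"))
        elif kind == "wire_out":
            amount = float(ev.get("amount", "0"))
            approvers = int(ev.get("approvers", "0"))
            if acct in disabled_at and ts - disabled_at[acct] <= disable_window:
                alerts.append(_alert("WIRE_AFTER_NOTIFICATION_DISABLED", ev,
                                     f"amount={amount:.2f} dest={ev.get('dest_country')}"))
            if amount >= dual_control_floor and approvers < 2:
                alerts.append(_alert("WIRE_WITHOUT_DUAL_CONTROL", ev,
                                     f"amount={amount:.2f} approvers={approvers}"))
            q = recent_wires[acct]
            q.append(ts)
            while q and ts - q[0] > velocity_window:
                q.popleft()
            if len(q) == velocity:
                alerts.append(_alert("WIRE_VELOCITY", ev, f"{velocity} wires within {velocity_window}"))
    return alerts


def summarize(alerts):
    """Count alerts per rule."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["kind"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a['ts']} {a['acct']} {a['kind']}: {a['detail']}")
    print(summarize(found))
```

On the constructed log the three attacker wires each trigger the post-disable rule, the two above the floor also trigger the dual-control rule, and the third wire trips the velocity rule; the legitimate two-approver wire two days later produces nothing. The disable event is the cheapest and earliest signal, which is the point Village View made.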
FTC Settles 2 Cases of P2P Related Info Security Failures
The Federal Trade Commission yesterday announced settlements with two companies over security breaches caused by peer-to-peer (P2P) file sharing software. The settlements require the companies to establish and maintain comprehensive information security programs and to undergo data security audits by independent auditors every other year for 20 years. Full Story.
Vermont and Connecticut Amend Data Breach Notification Laws
Recent changes to the Vermont and Connecticut breach notification regimes point to a trend among state statutes that do not already provide for it: requiring notification to the state Attorney General on a timeframe that is either accelerated or parallel to the notification of affected residents. Full Story.
U.S. Federal Data Breach Notification Law Introduced
At the same time, the Data Security and Breach Notification Act (S. 3333), a bill that would preempt state data breach laws and replace them with a national standard, has been introduced. In the event of a breach, companies possessing personal data would have to contact consumers as quickly as possible. The bill requires covered entities, such as ISPs, to take "reasonable measures" to protect personal information, defined to include Social Security numbers, driver's license numbers, financial account numbers, credit or debit card numbers and related security codes. Failure to follow the notification standard under the Act results in a fine of as much as $500,000. Full Story.
U.S. Regulator Issues Advice and Sample Policy for Employees Use of Social Media
On May 30 the National Labor Relations Board Acting General Counsel Lafe E. Solomon issued his third and latest report on social media cases, providing specific guidance on how to construct a lawful social media policy. In the report, Solomon takes a narrow view of what types of policy provisions are acceptable and instructs, for example, that certain confidentiality provisions, rules against "friending" co-workers, and blanket prohibitions of disparaging remarks are unlawful because they unduly restrict employees' rights to discuss working conditions and terms and conditions of employment under the National Labor Relations Act. Story here.
DATA BREACHES
LinkedIn Breach
More than 6.4 million LinkedIn passwords have leaked to the Web after an apparent hack. Story here.
More reports:
LinkedIn Breach puts site’s reputation on line. Story here.
LinkedIn Probes Data Breach After Passwords Stolen. Story here.
If you use LinkedIn, Change Your Password. Krebs Online.
LinkedIn's response to password breach raises troubling questions. Story here.
LinkedIn provides breach update -- sort of.
LinkedIn Has Neither CIO nor CISO: Failing to Learn Lessons from the RSA, Sony Breaches. Story here.
FAQ: LinkedIn breach -- what members (and others) need to know.
LinkedIn works with FBI on password theft. Story here.
LinkedIn Phishing Emails Surface. Story here.
6.5 million unsalted LinkedIn passwords posted online. Story here.
LinkedIn Hashed Passwords Breached. Here and here.
LinkedIn users buried in spam as hackers go phishing with their new bait. Story here.
LinkedIn is sued for $5 million on the basis that the social network violated promises to consumers by not having better security in place. Story here.
LinkedIn dismisses the claim as lawyer-driven and without merit. Story here.
The Australian Privacy Commissioner is reported to be investigating (story here).
And seeking help from the Irish Authorities (story here).
More on the Irish investigation.
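The reports above turn on one detail: the leaked hashes were unsalted. The following added example shows why that matters and what salting plus key stretching changes. It is not LinkedIn's code or data; the user table and attacker word list are constructed, it assumes the leak format was unsalted SHA-1 (as widely reported, though not stated in the items above), and it uses PBKDF2-HMAC-SHA256 as the hardened form.

```python
"""Unsalted versus salted-and-stretched password storage, on constructed data."""
import hashlib
import hmac
import os

# Constructed user table: stand-ins, not real LinkedIn data.
USER_PASSWORDS = {
    "alice": "linkedin",
    "bob": "password1",
    "carol": "linkedin",      # same password as alice
    "dave": "Tr0ub4dor&3",    # not in the attacker's word list
}

# A tiny attacker word list; real lists run to hundreds of millions of entries.
WORDLIST = ["123456", "password", "password1", "linkedin", "qwerty"]


def unsalted_sha1(pw):
    """Assumed leak format: hex SHA-1 of the password with no salt."""
    return hashlib.sha1(pw.encode()).hexdigest()


def crack_unsalted(dump, wordlist):
    """Hash each word once, then look every user up in that table.
    Returns (recovered {user: password}, number of hashes computed)."""
    table = {unsalted_sha1(w): w for w in wordlist}
    recovered = {user: table[h] for user, h in dump.items() if h in table}
    return recovered, len(wordlist)


# Hardened form: a 16-byte random salt per user plus an iterated hash.
ITERATIONS = 100_000


def make_record(pw, salt=None):
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": dk.hex(), "iters": ITERATIONS}


def verify(record, candidate):
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(record["salt"]), record["iters"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def crack_salted(records, wordlist):
    """Same word list against salted records. No table can be shared between
    users, so every (user, word) pair costs one full stretched hash.
    Returns (recovered {user: password}, number of hashes computed)."""
    recovered, work = {}, 0
    for user, rec in records.items():
        for w in wordlist:
            work += 1
            if verify(rec, w):
                recovered[user] = w
                break
    return recovered, work


def compare():
    """Run both attacks on the same users and report the cost of each."""
    dump = {u: unsalted_sha1(p) for u, p in USER_PASSWORDS.items()}
    records = {u: make_record(p) for u, p in USER_PASSWORDS.items()}
    weak, weak_work = crack_unsalted(dump, WORDLIST)
    strong, strong_work = crack_salted(records, WORDLIST)
    return {
        "unsalted_recovered": weak, "unsalted_hashes": weak_work,
        "salted_recovered": strong, "salted_hashes": strong_work,
        # identical passwords show up as identical digests only when unsalted
        "alice_carol_same_unsalted": dump["alice"] == dump["carol"],
        "alice_carol_same_salted": records["alice"]["hash"] == records["carol"]["hash"],
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```

Both attacks recover the three weak passwords; salting and stretching do not rescue a password that is in the attacker's list. What changes is the cost model: the unsalted dump is cracked with one hash per word for the whole user base, and identical passwords are visible as identical digests before any cracking starts, whereas the salted records force one slow hash per user per word and hide which users share a password.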
Dating site eHarmony confirms password breach
The online dating site eHarmony confirmed late Wednesday that passwords for its members were exposed in a breach, the second major compromise following LinkedIn's password exposure. Story here.
Iran targeted by 'massive cyberattack,' official claims
Iran's intelligence minister has accused the U.S., the U.K. and Israel of planning a "massive cyberattack" against his country after talks this week over Iran's nuclear program failed to reach an agreement, Iranian state TV reported on Thursday. Story here.
6 Biggest Data Breaches of 2012 … Story here.
PRIVACY
Australia Drops Second Google Enquiry
The Australian Privacy Commissioner has decided against investigating Google a second time over the collection of Wi-Fi payload data by Google's Street View cars. Despite a damning FCC report released last month claiming that senior managers within Google were aware that a 'rogue' engineer was working on the project on the side, he said a second investigation would not yield any new results. 'I have decided not to open another investigation into Google Street View,' he said in a statement. 'In reaching this decision, I have considered the FCC's report and don't consider that a new investigation would reveal any information that would change our original finding.' Story here.
Telstra To Brief Commissioner Pilgrim on Data Practices
Telstra was scheduled to brief Privacy Commissioner Timothy Pilgrim in late June about its data outsourcing practices, The Australian reports. Red flags were raised by civil libertarian Mark Newton when it was discovered that the company was sending information about its Next G customers' web browsing habits to a U.S.-based security firm, Netsweeper. Telstra said it was sending the information to Netsweeper as part of a plan to offer an 'opt-in' filtered internet service for mobile phones aimed at concerned parents.
Telstra said it has cancelled the program. A representative for Pilgrim said the privacy commissioner "will seek further information from Telstra about this matter before deciding whether it will open an investigation." Story here.
Canadian Privacy Commissioner Bemoans Stalled Reforms – Including Mandatory Data Breach Notification
Canada's privacy watchdog says she is "very, very disappointed" by the federal government's failure to update the law meant to protect the personal information of consumers, in her annual report on the private-sector privacy law, tabled in early June in the House of Commons. Story here.
UK ICO Issues Trust with Highest Fine To Date for Serious Breach
The Information Commissioner's Office (ICO) has served Brighton and Sussex University Hospitals NHS Trust with the highest civil monetary penalty it has issued to date, £325,000, following what it described as a serious breach of the Data Protection Act. The breach occurred when hard drives containing sensitive data on tens of thousands of patients and staff were sold online instead of being destroyed. Story here.
But the trust disputes the finding and says it will challenge it in court. Story here.
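Both the RailCorp finding above (USB keys "cleansed" in a way that did not prevent recovery with inexpensive off-the-shelf software) and the Brighton and Sussex penalty (drives sold instead of destroyed) come down to the same technical point: deleting files or quick-formatting a device rewrites only file system metadata, and a carving tool that ignores the file system finds the data anyway. The following added example simulates that on an in-memory byte image standing in for the USB stick or hard drive. It is not RailCorp's, the Trust's or the ICO's material; the device layout, the two files, and the carving signatures are constructed.

```python
"""Why deleting or quick-formatting leaves data for off-the-shelf recovery
tools, and how a read-back-verified overwrite differs. Everything here is a
simulation on a bytearray; layout, files and signatures are constructed."""
import os

SECTOR = 512
META_SECTORS = 8   # constructed layout: sectors 0-7 hold the file system metadata

# Signatures a file-carving tool looks for when it ignores the file system.
SIGNATURES = [b"%PDF-1.4", b"name,address,date_of_birth"]


def make_image(n_sectors=64):
    """Blank device image with two 'files': directory entries in sector 0,
    file contents in sectors 10 and 20."""
    img = bytearray(n_sectors * SECTOR)
    files = [
        (b"patients.csv", 10, b"name,address,date_of_birth\nA. Example,1 High St,1970-01-01\n"),
        (b"letter.pdf", 20, b"%PDF-1.4\n% constructed placeholder for a scanned letter\n"),
    ]
    for i, (name, sector, data) in enumerate(files):
        entry = name.ljust(16, b"\0") + sector.to_bytes(4, "little")
        img[i * 32:i * 32 + len(entry)] = entry
        img[sector * SECTOR:sector * SECTOR + len(data)] = data
    return img


def delete_files(img):
    """A file delete or quick format clears metadata only; data sectors stay."""
    img[0:META_SECTORS * SECTOR] = bytes(META_SECTORS * SECTOR)


quick_format = delete_files   # same effect as far as a carver is concerned


def overwrite_zero(img):
    """Single full-device pass with zeros."""
    img[:] = bytes(len(img))


def overwrite_random(img):
    """Single full-device pass with random bytes."""
    img[:] = os.urandom(len(img))


def carve(img, signatures=SIGNATURES):
    """Signature carving over the raw image, which is what inexpensive
    recovery software does. Returns [(offset, signature), ...]."""
    hits = []
    for sig in signatures:
        off = img.find(sig)
        while off != -1:
            hits.append((off, sig))
            off = img.find(sig, off + 1)
    return sorted(hits)


def verify_wiped(img, fill=0x00):
    """Read-back verification after a fixed-pattern pass: every byte must match."""
    return img.count(fill) == len(img)


def compare_methods():
    """Apply each method to a fresh image and count what a carver still finds."""
    methods = {"delete": delete_files, "quick_format": quick_format,
               "overwrite_zero": overwrite_zero, "overwrite_random": overwrite_random}
    results = {}
    for name, method in methods.items():
        img = make_image()
        method(img)
        results[name] = len(carve(img))
    return results


if __name__ == "__main__":
    for name, hits in compare_methods().items():
        print(f"{name:17s} recoverable signatures: {hits}")
```

The two checks a practitioner can run from the host are the ones shown: read the device back and confirm the overwrite pattern is everywhere, and carve the raw device for known signatures. One caveat the simulation cannot show: on flash media (USB sticks, SSDs) wear-levelling means a host-side overwrite is not guaranteed to reach every physical cell, so for disposal of media that held personal data the stronger options are the drive's own secure-erase command, whole-device encryption with destruction of the key, or physical destruction, which is what the Trust's process called for.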
UK ICO Issues IT Security Guidance for SMEs
The UK ICO said that, unlike large organisations which have spent significant amounts securing their IT, smaller enterprises wanted "simple and clear advice specifically designed for them", so that they could steer clear of a fine.
The guide provides detailed advice on securing data on the move, keeping systems up to date, looking out for problems, knowing what should be done and minimising the data that is stored, thereby helping to reduce the chance of a significant fine being imposed on an SME in the event of a data breach. Story here.
SURVEYS
One in five financial firms ‘don’t know’ whether they have suffered data breaches
Sensitive and confidential information held by financial firms across Europe is at risk of exposure because many are failing to check the effectiveness of their data protection and document management strategies, according to research from PwC and information management company Iron Mountain. Despite handling the sensitive personal details of millions of customers, four in 10 (41 per cent) of the financial services firms surveyed had no plans in place to check the effectiveness of their information risk strategy. 42 per cent did not monitor the performance of the individual or team charged with information risk management, data protection or data recovery. 22 per cent of the financial businesses surveyed across Europe 'don't know' whether they have suffered a data breach in the past three years. The research led to Europe's first 'Information Risk Maturity Index', a benchmark to help organisations evaluate their ability to address information risk. Story here.
Small businesses not afraid of data breaches
A new survey by The Hartford finds that 85 percent of small business owners believe a data breach is unlikely, and many are not implementing simple security measures to help protect their customer or employee data. Story here.
OTHER NEWS
Gov't Plans Obligations for Smart Meter Suppliers
The UK government plans to require smart meter suppliers to ensure data security as part of licensing agreements to install the technology, reports Out-Law.com. The Department for Energy and Climate Change said in its latest consultation that it has established steps suppliers will have to carry out to ensure their systems are secure to an “appropriate standard,” the report states. Those steps will include initial and ongoing risk assessments of end-to-end systems and annual independent security risk audits. Smart meters are to be installed across the UK by 2014. Story here.
Report: Obama Ordered Stuxnet Assault. First Time U.S. Repeatedly Used Code to Cripple Infrastructure
President Obama, since the early months of his presidency, ordered increasingly sophisticated cyberattacks on Iranian computer systems to cripple nuclear enrichment centrifuges, as part of a significant expansion of America's first sustained use of cyberweapons, according to a report in The New York Times. Story here.
ENISA Advocates for Mandatory Cyber Insurance
The European Network and Information Security Agency (ENISA) has advocated mandatory cyber insurance for firms and urged insurers to develop related schemes, arguing that such cover would help firms limit reputational damage.
In its recently published report, the agency said that mandatory insurance would enable firms to counter the unintended effects of harsh data breach notification obligations by providing them with the required coverage. Story here.
10 Concerns When Buying Cyber Insurance
Nothing too new, but a reminder to take care with a new and largely untested product. Story here.
Updates to PCI DSS Standards Effective Soon
Network World reports on modifications to the Payment Card Industry Data Security Standards, effective at the end of the month. The most significant change is a new requirement for "risk rankings to vulnerabilities," the report states, which means any business "dependent on processing customer debit and credit card information must now be able to show they are not only aware of known vulnerabilities but can demonstrate that they have a process for ranking them according to risks to their own systems and software." One expert described the updates as an "evolution of the requirements." Story here.
DOE Releases Electricity Cybersecurity Capability Maturity Model (ES-C2M2) Evaluation Toolkit
The Department of Energy (DOE) announced the release of a new cybersecurity tool for utilities, the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2). The DOE tool builds upon a broader White House initiative to develop a Cybersecurity Capability Maturity Model for the electricity sector. It draws on best practices developed for the Electricity Subsector Cybersecurity Capability Maturity Model Initiative, which involved a series of workshops with the private sector to draft a maturity model that can be used throughout the electric sector to better protect the grid. Story here.