Category Archives: Privacy and Security

The controversial National Security Agency (NSA) wiretapping program, which the Bush Administration has asserted did not need warrants to operate, has been changed. In an article published in today’s Washington Post (registration required), the Attorney General has stated this program will be subject to judicial review through the court that administers the Foreign Intelligence Surveillance [...]

Two actions in recent days demonstrated the level of Congressional interest in privacy under the new Democratic Congress. The Senate Judiciary Committee held a hearing Wednesday on government data mining programs. You can access witness statements, member statements and the hearing webcast at that link. The new chairman, Senator Leahy of Vermont, indicated that there [...]

Update – October 16 – The House Government Reform Committee has released a Staff Report on the data breach information they have received. Perhaps as troublesome as the number of events is the extent to which agencies may be unaware of what they’ve lost. Original Post – October 12 There have been a large number [...]

On Wednesday, September 13, the Federal Workforce and Agency Organization subcomittee of the House Government Reform Committee approved a bill to spur the development of electronic health records for federal employees. The legislation, The Federal Family Health Information Technology Act (HR 4859), would establish the health records through the Federal Employees Health Benefits Program. This [...]

Two items showing the ongoing struggle to maintain the security of personal information. Government Computer News reported in their July 24 issue that the Office of Management and Budget has tightened requirements for federal agencies to report data breaches. Responding to recently reported data breaches, the OMB guidance reinforces much of current federal law in [...]

The House Veterans Affairs Committee, responding to the May 2006 theft of a laptop containing information on over 26 million veterans and active duty personnel, has approved legislation improving and reorganizing cybersecurity activities in the Department of Veterans’ Affairs. This follows a series of hearings the committee has held over the last 2 months – [...]

Many privacy advocates dubbed 2005, “The Year of Data Breach.” Perhaps the term should be amended to “the years” or even “decade” with yet another announcement of a massive loss of data. This time a Department of Veterans Affairs (VA) employee took a laptop home, which was then stolen, that had personal information (including social [...]

In the wake of today’s USA Today story shedding new light on the National Security Agency’s (NSA) Terrorist Surveillance Program, CQ.com (sub. required) is reporting that the Senate Judiciary Committee will call representatives of three major telephone companies to testify before the panel.

ChoicePoint, the data broker at the center of the data breach controversy that erupted last year (and continues to play out even now), has received a $10 million fine from the Federal Trade Commission and, in addition, has agreed to contribute another $5 million to a fund aimed at helping those who were harmed following [...]

Recently, Microsoft added its voice to those calling for uniform federal privacy legislation that preempts individual state laws. Brad Smith, a senior VP and general counsel for the company, made the announcement at a recent Congressional Internet Caucus gathering: Over the past few years … several factors have altered the privacy landscape in such a [...]

Update (10/25/05) — As promised below, click here to see an updated comparison of the four bills mentioned in the original post. Last week we reported that the Senate Judiciary Committee — a major player in the effort to enact federal data security legislation — moved Senator Jeff Sessions’ (R-AL) legislation (S. 1326) intended to [...]

Thursday the Senate Judiciary committee approved (by voice vote) Senator Jeff Sessions’ (R-AL) “Notification of Risk to Personal Data Act” (S. 1326). The bill calls for the creation of data protection programs, mandates security breach notifications, and provides for the preemption of similar state laws. It was one of a number of data protection bills [...]

The House Homeland Security Committee yesterday heard testimony regarding the security of the nation’s supervisory control and data acquisition (SCADA) systems — the computer systems used to control such things as water flow through dams, the operation of power plants, and so on. The occassion was a joint hearing between the Subcommittee on Economic Security, [...]

There are a couple of interesting cybersecurity items currently worthy of your attention: * USACM Chair Eugene Spafford makes comments on the Department of Defense’s approach to cybersecurity in a recent Federal Computer Week article: [...] Spafford said incremental changes will not strengthen existing networks and a whole new approach [to DOD cybersecurity] is needed. [...]

The Seattle Post-Intelligencer reports on the feelings of some state lawmakers (who are gathering this week for a meeting of the National Conference of State Legislatures) regarding the impending implementation of the Real ID Act. The crux of the issue for many state lawmakers is just who should pay the act’s costs: [State leaders at [...]

With things relatively quiet in Washington just now (it is August, after all), we have a chance to take a closer look at an interesting law that is pending in the California legislature: S.B. 682, Senator Simitian’s “Identity Information Protection Act.” The bill has two main purposes: 1. Prohibit the inclusion of “contactless integrated circuit” [...]

Not to be outdone by other Congressional committees working to address the current data security and privacy crisis illustrated by this year’s numerous data breach disclosures and controversies, the Senate Commerce committee has decided to wade into the debate and is set to markup S. 1408 on Thursday. The bill, dubbed the Identity Theft Protection [...]

A recent article in the Chronicle of Higher Education [subscription req'd] points us to proposed rule changes from the Department of Defense that would create new restrictions on foreign researchers’ access to export-controlled technology: The proposed rules would require foreign researchers to wear badges and would require laboratories to contain segregated work areas to control [...]

In part one, we took a look at some of the bill’s basic characteristics, its political context, and its likely prospects. In this part, we’ll address what we see as some areas of concern with the bill: Complexity, Imprecision — The bill sets forth a very dense, complex regulatory framework for data security and protecting [...]

Senator Russ Feingold (D-Wis.) recently added his support to the “Personal Data Privacy and Security Act” (S. 1332), an important bill from Senators Specter and Leahy that we described briefly in a recent post. At over 90 pages, the bill is a comprehensive (and complex) attempt to address the privacy and security issues that have [...]

Reacting to the current troubling situation regarding data security and privacy in the U.S., two powerful senators introduced legislation yesterday designed to better protect sensitive personal information. Senator Arlen Specter (R-PA) and Senator Patrick Leahy (D-VT) — the two most powerful members of the Senate Judiciary Committee — put forward the “Data Privacy and Security [...]

The NY Times has more information (and two follow-up articles) about the staggering loss of data at a credit card transaction processing company that came to light over the weekend: The security breach was first reported Friday when MasterCard International said a lapse at CardSystems had allowed the installation of a rogue computer program that [...]

Update – June 18: Details are emerging this weekend of a very large scale data breach of credit card data at a transaction processing center affecting some 40 million files. More details are available at the Washington Post and the NY Times. Yesterday the Senate Commerce, Science & Transportation Committee held a hearing on identity [...]

The Washington Post has an article today about the ongoing work of private investigators to prevent policymakers (and some data brokers) from limiting their access to Social Security numbers, a key tool of their trade for tracking individuals: Private investigators are working to blunt legislation that cracks down on the active marketplace for Social Security [...]

Update: The NY Times published a thoughtful follow-up article on data security today. Citigroup has become the latest member of a group of large companies that have suffered major data losses or breaches in the last several months. As reported in today’s Washington Post: A unit of financial services giant Citigroup Inc. said yesterday that [...]

The NY Times ran an editorial today sounding the cybersecurity alarm (again): [...] Experts have long warned that the nation’s power, transportation and communications systems are vulnerable to “cyberattacks” that could devastate the economy and cause huge damage to life and property. Now a new government report has concluded that far too little is being [...]

With most eyes focused (understandably) on the Senate’s judicial filibuster fight, the House of Representatives yesterday passed two pieces of spyware legislation: H.R. 29 — Rep. Mary Bono’s (R-CA) Securely Protect Yourself Against Cyber Trespass Act (SPY Act), which would, among other things, prohibit deceptive acts or practices intended to take unsolicited control of the [...]

Federal Trade Commissioner (FTC) Orson Swindle had some strong words recently for business leaders attending a meeting on cybercrime convened by the Business Software Alliance and the Center for Strategic and International Studies (as reported in National Journal’s Tech Daily [subscription req'd]): “Industry has been irresponsible, and someone’s got to pay,” [he said ...] Swindle [...]

In a previous post (recommended reading for background to this post), we outlined House Homeland Security Chairman Cox’s (R-CA) efforts to add cybersecurity provisions to the Department of Homeland Security Authorization Act. The leading idea was to give cybersecurity more political clout within the department by moving it higher up on the bureaucratic food chain. [...]

News.com has a rather troubling article today about how ID theft and phishing are converging to create a new very active threat to electronic commerce. Here is the key excerpt: According to Cyota, the phishing e-mails arrive at bank customers’ in-boxes featuring accurate account information, including the customer’s name, e-mail address and full account number. [...]

Update 5/10/05:The Senate passed the supplemental appropriations conference report tonight by a vote of 100-0. Update 5/6/05: The House passed the supplemental appropriations conference report yesterday by a overwhelming margin 368-58-1. Original Post 5/5/05:The House and Senate have reached agreement on the Real ID Act. We posted the final agreement here. It is largely the [...]

Security expert Bruce Schneier has a sobering post on the Real ID Act today: REAL ID The United States is getting a national ID card. The REAL ID Act … establishes uniform standards for state driver’s licenses, effectively creating a national ID card. It’s a bad idea, and is going to make us all less [...]

From the front page of today’s NY Times, an article on the Real ID Act’s progress: WASHINGTON, May 2 – Congress is moving quickly toward setting strict rules on how states issue driver’s licenses, requiring them to verify whether each applicant for a new license or a renewal is in this country legally. A House [...]

Update 5/2/05: Last week, the Homeland Security Committee folded the “cyber czar” legislation (see below), pretty much as is, into the Department of Homeland Security Authorization Act of 2006. This massive bill reauthorizes and updates many different programs at the department. The Committee did add two items to the cybersecurity provisions. The first is a [...]

Update 4/28/05: Proving that Congress can move quickly when it needs to, CQ.com is reporting (sub. req.) that conferees on the supplemental appropriations bill are close to a deal. Earlier in the week Senator Minority Leader Harry Reid (D-NV) was quoted as saying that immigration provisions in the supplemental were likely to be included in [...]

From an article in this morning’s Washington Post: A former employee of the Blockbuster video store in [Washington's] Dupont Circle [neighborhood] has been indicted on charges of stealing customers’ identities, then using them to buy more than $117,000 in trips, electronics and other goods, including a Mercedes-Benz. A grand jury charged that Miles N. Holloman [...]

The New York Times recently ran an editorial pointing out how crucial California’s data breach notification law has been in bringing to light the current vulnerabilities of personal information:

The Wall Street Journal (subscription required) has an article today that describes how many European banks have tighter security for online banking:

Chairman Arlen Specter (R-PA) presided over a Senate Judiciary Committee hearing yesterday looking further into recent breaches of personal information at data brokers like ChoicePoint, LexisNexis, and Acxiom. The hearing served to deepen the sense in Washington that Congressional action to regulate data brokers and the commercial use of personal information is inevitable at this [...]

Declan McCullagh’s most recent article provides some interesting insight into the power and effectiveness of the Department of Homeland Security’s Chief Privacy Officer (CPO), Nuala O’Connor Kelly. The article seems to reinforce the notion that privacy concerns aren’t always taken as seriously within DHS as they are within other organizations that have CPOs: Nuala O’Connor [...]

If you were thinking that the controversy over recent large-scale data breaches and identity theft was settling down into a nice orderly policy debate, think again: LexisNexis Data on 310,000 People Feared Stolen NEW YORK/AMSTERDAM (Reuters) – Data broker LexisNexis said Tuesday that personal information may have been stolen on 310,000 U.S. citizens, or nearly [...]

“Legislatures in more than two dozen states are considering ways to give consumers more control over personal information that is collected and sold by private firms, but many of the proposals are drawing fire from financial services companies. Bills are on the table in 28 states responding to a series of high-profile security breaches at [...]

Wednesday (April 6) saw the first meeting of the Department of Homeland Security’s new Data Privacy and Integrity Advisory Committee (the creation of which we covered earlier here). The 20-member committee will be led by the Heritage Foundation’s Paul Rosenzweig (chair) and Lisa Sotto (vice chair), a Hunton and Williams partner. The committee heard from [...]

Congressional Quarterly is reporting (subscription required) that the Senate will strip the Real ID Act from the supplemental appropriations bill when it considers the legislation in committee next week. Ultimately this means that the House and Senate will battle over this provision during conference negotiations, which should happen quickly after Senate passage.

The White House released the long-awaited President’s Information Technology Advisory Committee (PITAC) report on cybersecurity today. The report, titled Cyber Security: A Crisis of Prioritization, calls for more funding for cybersecurity R&D and refocusing of the current R&D portfolio. Peter at CRA posted more detail on the report and is following this issue and report [...]

One thing became crystal clear during this week’s hearings involving the leaders of information brokers ChoicePoint and LexisNexis (among others) by a House Energy and Commerce subcommittee and the Senate Banking Committee (here and here): namely, the intent of policymakers to take action toward regulating the information brokerage industry. Indeed, the question now is less [...]

The Business Section of today’s Washington Post has an interesting article suggesting that federal regulators are pushing industry harder on cybersecuity. “Patrick H. Wood III, the chairman of the Federal Energy Regulatory Commission, warned top electric company officials in a private meeting in January that they need to focus more heavily on cyber-security. Wood also [...]

Some strong words from powerful policymakers in a NY Times article today: “I personally see no socially redeeming value in anyone having the right to give away and sell my personal information unless I approve it,” the chairman of the House Energy and Commerce Committee, Joe Barton, said yesterday. “Under current law these companies [information [...]

LexisNexis, a large international provider of legal and business data, announced today that it, too, had recently been the vicitim of identity thieves. A Washington Post article this afternoon describes how “data on 32,000 consumers was fraudulently gathered in a series of incidents.” Among the data were such things as names, addresses, Social Security numbers [...]

U.S. Rep. Mary Bono’s (R-CA) “Securely Protect Yourself Against Cyber Trespass Act (or “SPY ACT”) passed another hurdle earlier today as the full House Energy and Commerce Committee held a hearing to mark up H.R. 29. The measure has fairly wide bipartisan support and counts 58 cosponsors as of this writing.

“Have you ever wondered what good it does when they look at your driver’s license at the airport? Let me assure you, as a former bureaucrat partly responsible for the 1996 decision to create a photo-ID requirement, it no longer does any good whatsoever. [...] Congress is debating the Real ID bill [click here for [...]

“[...] For years, fears of identity theft and improper disclosure of private information have fueled calls for tighter regulation of the mountains of personal data now electronically available to employers, insurance companies, lenders and others. Those anxieties have risen since ChoicePoint revealed last month that alleged identity thieves had duped the company into selling the [...]

The Department of Homeland Security has finally announced the membership of its expert advisory committee for privacy issues. The good news for USACM is that Professor Lance Hoffman from George Washington University is one of the 20 appointees and is also a USACM member. Dr. Hoffman helped bring the Computers, Privacy, and Freedom conference under [...]

“The recently disclosed privacy breach at the data collection giant ChoicePoint, in which con artists gained access to the Social Security numbers, addresses and other personal data of nearly 145,000 people, has exposed the shortcomings of the laws governing the data-mining industry and consumer privacy. [...] But whatever the specific legal fallout of the ChoicePoint [...]

“A major break-in at one of the nation’s largest information brokers could usher in regulation for companies that have trafficked in data unfettered for years, computer-security experts and privacy advocates say. New York, Texas and Georgia are among states pressing for laws that mirror California’s breach law, which requires companies to notify residents if their [...]

“A California woman has sued ChoicePoint Inc. for fraud and negligence after criminals gained access to a database of personal records compiled by the company. The suit, which seeks class-action status, was filed in Los Angeles Superior Court last Friday and claims that for at least five months the company failed to adequately protect people’s [...]

“[...] At America’s insistence, passports are about to get their biggest overhaul since they were introduced. They are to be fitted with computer chips that have been loaded with digital photographs of the bearer (so that the process of comparing the face on the passport with the face on the person can be automated), digitised [...]

“One of the nation’s largest commercial information services said yesterday that thousands of Washington area residents were among those whose personal and financial details were sold to fraud artists apparently behind a nationwide identity theft scheme. As many as 4,500 residents in the District, Maryland and Virginia were among up to 145,000 people whose names, [...]

“One of the nation’s biggest information services has begun warning more than 100,000 people across the country they may be targets of fraud, following disclosures the company inadvertently sold personal and financial records to fraud artists apparently involved in a massive identity theft scheme. ChoicePoint Inc. electronically delivered thousands of reports containing names, addresses, Social [...]

Declan McCullagh has a new article about the Real ID Act, which (as we reported here) easily passed the House of Representatives last week. Among other things, Declan reports on the opposition to the bill by Rep. Ron Paul (R-TX), one of “eight Republicans to object to the measure.” Declan also addresses the legislation’s chances [...]

“Criminals posing as legitimate businesses have accessed critical personal data stored by ChoicePoint Inc., a firm that maintains databases of background information on virtually every U.S. citizen, MSNBC.com has learned. The incident involves a wide swath of consumer data, including names, addresses, Social Security numbers, credit reports and other information. ChoicePoint aggregates and sells such [...]

Yesterday House Judiciary Committee Chairman James Sensenbrenner’s (R-WI) immigration bill, the Real ID Act (H.R. 418), was passed by the U.S. House of Representatives. The bill is intended to disrupt terrorist travel and bolster U.S. border security and includes much of the immigration reform language that was dropped from last year’s intelligence overhaul legislation (discussed [...]

“SUTTER, Calif. (AP) — The only grade school in this rural town is requiring students to wear radio frequency identification badges that can track their every move. Some parents are outraged, fearing it will take away their children’s privacy. The badges introduced at Brittan Elementary School on Jan. 18 rely on the same radio frequency [...]

“Former federal prosecutor Michael Chertoff is expected to be confirmed this week as homeland security secretary, and one of the first items in his in-tray will be how to deal with the question of cyber-security. Mr. Chertoff was questioned about the issue at his confirmation hearing last week, and undertook to appoint a special adviser [...]