A small, but hopeful sign in state breach legislation

A bill sits on Illinois governor Rod Blagojevich’s desk. If he signs it, Illinois will take a step toward meaningful central reporting of breach notifications:

5 		    (815 ILCS 530/25 new)
6 		    Sec. 25. Annual reporting. Any State agency that collects
7 		personal data and has had a breach of security of the system
8 		data or written material shall submit a report within 5
9 		business days of the discovery or notification of the breach to
10 		the General Assembly listing the breaches and outlining any
11 		corrective measures that have been taken to prevent future
12 		breaches of the security of the system data or written
13 		material. Any State agency that has submitted a report under
14 		this Section shall submit an annual report listing all breaches
15 		of security of the system data or written materials and the
16 		corrective measures that have been taken to prevent future
17 		breaches.

(emphasis added)
Unfortunately, this requirement only affects state agencies. After the VA fiasco, it would seem imprudent for the Governor not to sign this.
I am not a lawyer, but I’m optimistically thinking that such reports are not exempt from disclosure under Illinois’ Freedom of Information Act.

Marketing Privacy as a Feature

nsatt.jpgPaxx Telecom has issued a press release that they’ll hand over records only when given a court order:

The recent revelation first made by USA Today that the National Security Agency (NSA) has been commandeering phone records of tens of millions of ordinary Americans has shocked those who cherish their privacy and do not agree with unnecessary snooping by their government.

At Paxx Telecom, our records are secured offsite and we guarantee never to turn over any records to the government or anyone else without a court order. All our customers need do is dial a short access number in front of the number they want to reach. As a result, the local phone company will show only the connection to Paxx Telecom. It will have no record of the actual number the customer talked to”, he said. “In addition, we keep call records on our servers only temporarily to give customers access to verify proper invoicing, after which the calling information will be extinguished.

Via the excellent Canadian Privacy Law blog. New AT&T logo from Lucky225.

Never say die?

I’m not sure what to expect out of this story of a guy who, left behind in a crazed state and presumed to have died, overnighted above 8000 meters on Everest and was found alive the next day, prompting a rescue effort expected to take three days.
(Note that this is a different climber from the one who really did die after being left behind as beyond hope a few days earlier.)
Update 5/27/2006: He made it. Said to be suffering severe frostbite and cerebral edema (HACE).

Make that 12% of Adults

Rob Lemos convinces me that the better number is “One in 8 (or 9) Americans.” I buy his statement as long as we discuss adults, rather than Americans. Kids are at risk from ID theft, too, even if this incident doesn’t touch them. (Assuming none of the vets has an overlapping SSN, a stolen SSN, or an SSN with digits transposed.)

8.9%

peek-a-boo.jpg8.9% of Americans are at increased risk for ID theft due to that fellow at the veterans administration. Wow. Sure, the 13% at risk for account take-over from Cardsystems was bad, but that was just credit cards. This is about the databases that control our lives. This is horrendous. Maybe we’ll get some better laws about credit freezes out of it. [Update: That sentence doesn't quite read as I intended it, which was half optimistic, and half giving-up in disgust. That's what you get sometimes with blogs.]

[VA Secretary] Nicholson initially told the committee that the stolen information “did not include any of the VA’s electronic health records,” but after further questioning by Rep. Bob Filner (D-California), the Bush cabinet secretary admitted the data did include codes representing veterans’ specific physical ailments, Reuters reports. (From “VA Data Theft Could Cost Taxpayers $500M” in CSO Online.)

(The Census Bureau says there are 298,817,315 Americans today. 26500000/298817158 = .08868. Photo by daxsauerwein. )

“Encryption is hard, let’s go shopping!”


On upcoming changes to the Payment Card Industry Data Security Standard:

“Today, the requirement is to make all information unreadable wherever it is stored,” Maxwell said. But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said.
In response, changes to PCI will let companies replace encryption with other types of security technology, such as additional firewalls and access controls, Maxwell said. “There will be more-acceptable compensating and mitigating controls,” he said.

News.com.com
Yeah. It sure is hard to encrypt a file. Or a filesystem. After all, the important thing about controls is not that they achieve their objectives, but that they be palatable.
Note to credit card companies:
sed ‘s/Veteran’s Administration/YOU/g’ < /dev/cnn
(Image: BlinkTank/Tim Wright)

Voting Registration Fraud

voting.jpgOne of the motivators often discussed for voter ID card requirements is voter registration fraud. I believe that ID card requirements are like poll taxes, and are not justified. I believe that they’re not justified even if they’re free, because of personal privacy concerns, regarding addresses. You know, like Gretchen Ferderbar had before her 911 operator ex-boyfriend killed her. Or like Amy Boyer had before she was tracked down and murdered. Or like Salman Rushdie, who can’t vote because he’s very aware that people want to murder him. Government claims that the data will be secured are laughable when you face threats like that. (If you don’t believe me, read the breaches category archive.)

Until last week, I didn’t have data to back that. In “Reed: 55,000 illegal entries scrubbed from database,” we get numbers (it’s a good article, and worth reading in full):

The purge of illegal registrations is the result of months of work by county and state elections officials, who began combing the new statewide voter database after its launch in January.

Reed, the state’s top elections officer, said the invalid registrations included 35,445 duplicate records and 19,579 entries for dead people.

But probes of the records found very few cases of potential voter fraud. About 30 cases of possible double voting were forwarded to county officials for investigation, Reed said. (Emphasis added.)

Sitting on the Fence

fence-border.jpg
Last week Dan Gillmor talked about Verisign’s monopoly wishes, stating:

This deal would be great for VeriSign, but terrible for the marketplace. It would consolidate one company’s control over an essential part of the Internet infrastructure.

Is the sky falling? I don’t think so. This sounds a whole lot like before GeoTrust was launched. GeoTrust earned market share by providing a less expensive, faster, easier to use solution. This demand will hasn’t magically gone away. I’m fully confident that someone else will come along and fill this hole.
[Fence photo from SeenyaRita via Flickr.]

Blogrolling Kim Cameron

I’ve added Kim Cameron’s Identity Blog to the blogroll. There’s a great post “Inebriation and the Laws of Identity” about what happens to you when you’re not firm and resolved about when you hand over your ID.

Hint to Paul Toal: The data is used for fraud prevention, and will stay in their databases forever. Just be glad that UK drivers licenses don’t have quite so much data on them as they will when they’re turned into your national ID cards.