Worse Than Choicepoint: The FTC?

So part of Choicepoint’s settlement with the FTC was a $5m fund to compensate their victims. Now, there were 167,000 victims, of whom 800+ had their identities abused by fraudsters. None have gotten any money:

Jessica Rich, assistant director of the FTC’s division of privacy and identity theft, said in a statement released to AP on Wednesday that “law enforcement is still identifying victims and we want to make sure we have the right people.”

(From the AP, “FTC Yet To Pay Choicepoint Victims.”)

U.S. versus E.U. Audits

Speaking of the differences between how security gets managed in the U.S. versus the E.U., CSO magazine has a light-hearted and somewhat irreverent article on the differing goals and priorities of audits on either side of the Atlantic. In spite of its tone, it does highlight some important issues to keep in mind. In particular:

But it also illustrated a fundamental difference in the way audits are conducted on both continents. In the United States, audits are about ensuring that sufficient controls are in place to mitigate risks. Thus, the audit findings tend to emphasize lapses in application and network security. In Europe, audits tend to focus on following a predefined process, being transparent in the actions taken, precisely defining policies and procedures, and adhering to international standards.

I’d love to see a much deeper analysis of managing compliance in the U.S. versus the E.U. from someone who has a lot experience working in both domains. Does this already exist? Or are folks interested in collaborating on writing something like this?

“Handling Security Breaches Under European Law”

In a comment on “What’s Next in Breach Analysis,” Ian Grigg pointed out the very interesting “Handling Security Breaches Under European Law:”

There are as yet no direct equivalents of the mandatory security breach reporting legislation we have seen in the U.S., either at a European Union level or within Europe itself. That is not to say there is no law on the reporting of breaches in Europe. While a number of countries have been looking at the increasing number of security breaches, in the main the response has been to use existing privacy legislation to take action.


In Norway, the unauthorized disclosure of personal data must be reported to the Datatilsynet, but not to the data subject. Section 2-6 of the Norwegian Personal Data Regulations provides…

So…does Norway have a Freedom of Information act?

International Breach Notices: The Future Is Unevenly Distributed

So said William Gibson, and it is as true in breach notices as it is anywhere else. While only 34 US states have laws requiring these notices, we see organizations around the world sending them. They resonate as the right thing. Acknowledging and apologizing for your mistakes is powerful. (Hey, someone should mention that to Mark Hurd. Using a scandal as a pretext for promotion isn’t going to serve you well. But I digress.)

Organizations around the world are getting ahead of their problems by reporting them to their customers:
KRA computers stolen, which contains the interesting comment “A [Kenya Revenue Authority] official said the computers had crucial data on tax returns and it is likely that the data had no back up.”

On the other side of the world, “Computers with patient data stolen from Nagasaki hospital.”

Both via the Dataloss list.

Breach Tidbit

One of the things people would like to find out is how likely it is that improperly-revealed personal information will be used to commit real fraud.
ID Analytics has done some research which they interpret as suggesting that even with focused attacks, where the bad guy is going after SSN and account information, the probability of illicitly-gained PII being used for actual fraud is less than 1 in 1000.
In looking over some information I received from New York, I noticed a case in which branded credit card applications (including the assigned CC#) were targeted, and 150 stolen. Now, I don’t know if the case I’m talking about is like those in the “targeted” group studied by ID Analytics, but if it is, I’d expect maybe one fraud attempt, and that’s being extremely generous.
The number actually observed: 11, all fraudulent purchases.
There is a lot of work left to be done on this topic, that’s all I’m saying.
Updated: Link to press release, and characterization of observed fraud.

Darn kids! Get off my lawn!!

“Until Solaris became open, students were only interested in Solaris for the same reason they were interested in NextStep Unix — because it was this arcane, old-fashioned thing,” said Asheesh Laroia, a graduate student in computer science at Johns Hopkins University.

Via NetworkWorld.