Archive for the ‘Compliance’ Category

FTC Delays Red Flags Enforcement Yet Again

Tuesday, November 17th, 2009 by Richard

I missed this when it hit the newswires two weeks ago, but the FTC has delayed enforcement of the Red Flags Rule. This change was in response to the American Bar Association successfully suing the FTC and being granted an injunction to prevent the Red Flags Rule from being applied to lawyers.
Similarly, the American Institute of CPAs (AICPA) is now also suing the FTC for injunctive relief from having to comply with the Red Flags Rule.

“We do not believe that there is any reasonably foreseeable risk of identity theft when CPA clients are billed for services rendered,” said AICPA president and CEO Barry Melancon in a statement. “As trusted advisors, CPAs are personally acquainted with their clients and already adhere to strict privacy requirements governing identifying information.”

The current AICPA requirements are already pretty much in line with most of the security requirements of the Red Flags Rule. So really what the AICPA is telling us is that they really care about our privacy but can’t be bothered to monitor their own systems for abuse or loss of our information. I guess they don’t really care after all.

Dear ChoicePoint: Lying like a cheap rug undercuts all that

Wednesday, October 21st, 2009 by adam

ChoicePoint was supposed to take steps to protect consumer data. But the FTC alleged that in April 2008 the company switched off an internal electronic monitoring system designed to watch customer accounts for signs of unauthorized or suspicious activity. According to the FTC, that safety system remained inactive for four months, during which time unauthorized individuals used stolen credentials to look up personal information on 13,750 people in one of ChoicePoint’s consumer databases.

In a written statement, ChoicePoint blamed the incident on a government customer that failed to properly safeguard one of its user IDs needed to access ChoicePoint’s AutoTrack XP Product…

Really? You’re blaming customers? Saying it’s not your fault? Claiming to be the victim? Ummm, lemme use small words here: you’ve played that card. Shot that wad. From 2004 onwards, you own all failures. You should have had systems to watch for unauthorized access, and failure to properly safeguard credentials.

Oh wait. You did. We agree on that need. You had a system to do that, and you turned it off. So really, all that work you’ve done to convince people you’d turned a corner? This undercuts that. You need to come out with an explanation of why you turned off that system, and you need to do it this week. It needs to be comprehensible to the techies who are taking you to task all over the blogosphere. No legal defensiveness. Tell people what happened. This:

The FTC expressed concerns that not detecting the former government customer’s inappropriate access was inconsistent with ChoicePoint’s obligations under the Final Order, which ChoicePoint denies. Notably, the Supplemental Order does not allege any current or ongoing violations of ChoicePoint’s Final Order. Following the incident and acquisition by Reed Elsevier, new policies and practices were put into place to enhance the strength and quality of ChoicePoint’s security. As part of that effort, certain security enhancements were made to the ChoicePoint product at issue including providing additional information and steps customers could take to further safeguard their IDs and passwords.

is incomprehensible. Your customers know what you did. Why not talk about both what you did and what you turned off, and most importantly, why? I bet there are real reasons, but your lawyers ain’t saying. How many false positives was that system shooting out? What did it cost to investigate them?

Either come clean, or suck it up, and be glad it was only $275,000.

For more, “ChoicePoint Breach Exposed 13,750 Consumer Records,” or our prior posts on Choicepoint.

[Update: Comments from ChoicePoint in the comments.]

PS to C: This is, once again, my opinion, on my blog, and has nothing to do with my employer.

Quick Thoughts on the New Blogging Regulations

Tuesday, October 6th, 2009 by adam

I want to congratulate the folks at the FTC, who’ve decided we all need to follow some rules about what bloggers can say. See for example, “FTC Tells Amateur Bloggers to Disclose Freebies or Be Fined” at Wired’s Epicenter (The Business of Tech). These new rules are documented in an easy-to-read 81-page document, which the Internet Patrol helpfully explains in this short write-up.

I don’t know what folks like Jim Harper are getting worked up about with strange posts like “Congress Shall Make No Law . . . But Regulators Act Anyway.” I mean, it’s not like the FTC should be regulating the $24 billion that banks made in poorly disclosed overdraft fees last year, or scammers like Cash4Gold. This was obviously and importantly top of mind for them, and we all know that bloggers can’t be trusted with the First Amendment.

The FTC sent me hookers and blow to post this.

Security is About Outcomes, FISMA edition

Wednesday, September 30th, 2009 by adam

Over at the US Government IT Dashboard blog, Vivek Kundra (Federal CIO), Robert Carey (Navy CIO) and Vance Hitch (DOJ CIO) write:

the evolving challenges we now face, Federal Information Security Management Act (FISMA) metrics need to be rationalized to focus on outcomes over compliance. Doing so will enable new and actionable insight into agencies’ information and network security postures, possible vulnerabilities and the ability to better protect our federal systems.
(“Moving Beyond Compliance: The Status Quo Is No Longer Acceptable”)

I’m tremendously excited to see this because back in April I wrote “Security is about outcomes, not about process.” I don’t know that I can claim credit for this, but it’s nice to see how far the meme has gone.

More on Privacy Contracts

Wednesday, February 25th, 2009 by adam

Law Prof Dan Solove took the A-Rod question I posted, and blogged much more in depth in “A-Rod, Rihanna, and Confidentiality”:

Shostack suggests that A-Rod might have an action for breach of contract. He might also have an action for the breach of confidentiality tort. Professor Neil Richards and I have written extensively about breach of confidentiality. The tort is recognized in most states, and it provides for liability whenever one owes a duty of confidentiality and breaches that duty. We observed, however, that the tort has remained “relatively obscure and frequently overlooked” in American law. In contrast, in England, the tort is robust and applies quite broadly. We suggested in our article that the American tort could develop more along the lines of the English tort, and it is, in fact, already beginning to head in that direction. See Neil M. Richards & Daniel J. Solove, Privacy’s Other Path: Recovering the Law of Confidentiality, 96 Geo. L.J. 123 (2007).

Lots more very interesting analysis. Check it out!

A-Rod had a privacy contract, and so did you

Wednesday, February 18th, 2009 by adam


In 2003 the deal was simple: The players would submit to anonymous steroid testing, and if more than 5 percent tested positive, real testing with real penalties would begin in 2004.

But in 2003, the tests were going to be (A) anonymous and then (B) destroyed. Those were the rules of engagement, and in any civilized contest, the rules of engagement are critical. Everything has rules of engagement, even something as life-or-death as war. Ever heard of the Geneva Convention? Those are rules of engagement, and it’s something we are expected to follow — even against a war-time enemy we literally want to kill.

Somebody broke the rules of engagement with A-Rod. Baseball and the union were supposed to destroy the tests in 2003. If there was a master list linking each test to a specific player, that list was supposed to be destroyed, too. This was serious stuff, this confidentiality, and only because it was so serious did players like Alex Rodriguez submit to it. (“A-Rod should sue sinister system that snagged him,” CBS Sports)

So there’s an obvious violation of the contract, which may or may not have specified damages. Are there other torts here?

It seems that given the nature of the literally irreparable harms to reputation that privacy invasions can entail, the law may or may not have reasonable remedies here. (Note that I said irreparable, not un-compensatable or even of great magnitude. Even if it turns out that the tests were flawed, A-Rod’s reputation will be permanently sullied by those who remember the initial burst of news.)

There’s also a tie to Facebook’s latest changing and re-changing of their privacy rules.

The idea that your privacy contract is fungible and flexible inhibits the creation of a real market differentiation around privacy. If a company can change the rules at any time, why bother reading what they say today?

What should the law say about this?

Image: StockXpert.

[Update: Dan Solove has very interesting follow-on analysis in “A-Rod, Rihanna, and Confidentiality.”]

Why Didn’t SOX Catch The Bank Failures?

Wednesday, February 11th, 2009 by Richard

Iang recently indicted the entire audit industry with “Two Scary Words: Sarbanes-Oxley”. I’ve excerpted several chunks below:

Let’s check the record: did any audit since Sarbanes-Oxley pick up any of the problems seen in the last 18 months to do with the financial crisis?
No. Not one, not even a single one!
Yet, the basic failures in the financial crisis are so blatant that surely, even by accident at least one audit should have picked up at least one pending failure, and fixed it? No, not one, known to date. At least, as far as I know, and we should probably wait a few years before writing the final judgment.

and

Can we pronounce the financial audit as bankrupt by its own measures? In theory, the audit should have picked up these failures, all of them. Consider this case-in-point, to prove that the theory works: the enhanced audit required on public listing did in fact pick up the Refco fraud that led quickly to its failure, and the near-failure of Bawag, a big bank in Austria that participated in the fraud. (The sorry fool who found the fraud was fired for his troubles, and only later did his reports filter out and cause questions that ultimately forced the fatal result.)
The audit theory works, then, in some sense or other. Manifestly, audits didn’t work for the financial crisis. And, they so didn’t work after that so-huge rewrite called Sarbanes-Oxley, that we can conclude that mere improvement is completely off the agenda

The thing about SOX is that while it is hugely in-depth as audit requirements go, it is also incredibly narrow in its breadth in terms of how it is implemented by companies and how it is audited. Auditors are so busy ensuring that someone isn’t cooking the books that they don’t look for people deluding themselves, or who don’t understand their own inputs, or whether or not the source data for the models was reasonable. This is why Refco was identified and the bank failures were not. And if there is an actual failure of SOX, this is it: not that it didn’t catch the bank failures, but that it was never designed to do so in the first place. If all you are worried about is nails, all you look for is hammers.

Abuse of the Canadian Do Not Call List

Saturday, January 24th, 2009 by arthur

The Globe and Mail and the CBC each report that Canada’s Do Not Call list is being used by telemarketers both good and bad (where each term is relative).

This is a bit sad for Canada. The US’s DNC list has been very successful, and one of the very few places where the US has leadership in privacy. Before the DNC list, I used to get a dozen or so calls a day. The annoying ones would be the junk faxes coming to our main line between 3am and 6am. The nightly ritual had to include taking the phone off the hook for some time. These days, the only issue we have is the people we affectionately call “The Illegal Carpet Cleaners.”

On the other hand this is an opportunity. There’s a fine of up to $15,000 for violating the DNC list in Canada, and this could easily be a profit center for the privacy commission. If I were a legitimate firm in Canada, I’d be looking closely at my marketing plans now. No one’s going to feel sorry for the company that is found to have been calling people from a stolen DNC list.

Both articles point out that complete fraudsters are an issue, and companies such as “a Caribbean telemarketer selling fake Caribbean cruises” now have more numbers they can use. But those numbers are stolen property of a sort, and toxic. They can be a tool against foreign scammers. After all, the tourist board of said Caribbean island wouldn’t want to seem uncooperative to people trying to stop fraud and dinner interruptions. If I were a scammer, I’d also want to examine the phone numbers I have recently gotten, because those could be dangerous to have as well.

It remains to be seen how Canada will handle it, how they’ll track down the loss, how they’ll recover from it. It will be interesting to watch, because they’re good and they take privacy seriously. There’s the potential for some seriously tasty lemonade to be made from these lemons. I have my fingers crossed.

Rethinking Risk

Wednesday, January 21st, 2009 by Richard

Now it’s no secret to those of you who know me that I’m a big believer in using risk management in the security space. Iang over at Financial Cryptography thinks it is “a dead duck”:

The only business that does risk management as a core or essence is banking and insurance (and, banking is debatable these days). For all others, risk management is just an ancillary aspect, a nice-to-have, something that others say is critical to you, but you ignore because you’ve got too much to do. So we have a choice: is security like finance, or is it like “the rest of business?”

I disagree. While it’s true that financials and insurance have done a much better job than anyone else of formalizing their risk management practices, every business does risk management to some degree; it’s part of the job of the C-Suite. Arguing that we don’t have data, so trying to do it in security is pointless, is taking the lazy way out. It’s true we don’t have as much data as we’d like, but as Hubbard said (more or less), “You don’t need as much data as you think, and you have more data than you think.” Or in other words, we have to start somewhere.
On a related note, The Economist ran an article at the beginning of this year, from which I took the title of this post, “Rethinking Risk.”

What makes the current situation so dire is the way in which so many major risks are converging all at once: a credit crisis, volatile commodity prices, soaring government debt, rising unemployment and its attendant impact on consumer spending — the list goes on.
None of those risks are lost on CFOs, of course, who now have an additional impetus to address them: more pressure from boards. Corporate directors in most industries have gotten risk religion, says Henry Ristuccia, U.S. leader of Deloitte’s governance and risk-management practice in the Northeast. “More external directors are asking senior management: What are the company’s major risk issues? What are the dimensions of governance and risk management? What levers and tools does the company have in place for risk management?

Now, The Economist doesn’t explicitly talk about security but as several companies including Hannaford and TJ Maxx learned, just because you’re not in the finance industry doesn’t mean you don’t face significant financial or security risk. A shame neither of them had real risk management in place.

Canadian Privacy and Private Action

Tuesday, October 21st, 2008 by adam

In reading Arthur’s post on “Canadian PM FAIL,” I was thinking of the odds that this would be investigated and dealt with under Canadian privacy law. Now, I’m not an expert on that, but my recollection is that the main private-sector law, PIPEDA, complements a federal Privacy Act, which would likely be the relevant law for the office of the Prime Minister. I also recall that neither law contains any sort of right of private action.

So, will the Privacy Commissioner investigate? She has limited resources, and perhaps she doesn’t see this the way that Arthur does, “there are few groups who care less for this sort of tracking than Jews.” Perhaps she has other priorities. (Does anyone know if a formal complaint has been filed?)

Regardless of whether the Commissioner investigates, I think there’s value to society in allowing citizens to balance government, rather than having to act as supplicants, asking one department to investigate another. The ability to act as a party in a case can be a powerful balancing factor.