Category: Privacy (ID Theft)


The Government’s Data Security Breach and “Data Neutralization”

The AP reports an enormous breach of data security by the government:

Thieves took sensitive personal information on 26.5 million U.S. veterans, including Social Security numbers and birth dates, after a Veterans Affairs employee improperly brought the material home, the government said Monday.

The information involved mainly those veterans who served and have been discharged since 1975, said VA Secretary Jim Nicholson. Data of veterans discharged before 1975 who submitted claims to the agency may have been included.

This data breach is one of the largest ever. There are several points worth mentioning about this fiasco:

1. The government can be just as careless with people’s personal data as businesses and other organizations, which last year revealed data security breaches affecting millions of Americans — over 50 million according to one tally.

2. Keeping massive quantities of personal data creates risks to individuals. People must depend upon those keeping their data to maintain good security practices. This is one reason why, whenever the government collects data about people, we should be concerned.

3. Many data breaches are low-tech and are due to just a few irresponsible individuals or bad apples. Often, all it takes is for one dishonest or careless employee to breach security. In this instance, an employee took the data home, something that the employee wasn’t supposed to do. But why weren’t there better limits in place at Veterans Affairs? It is amazing that an employee can just walk out with personal data on 26.5 million people. Shouldn’t procedures be in place to prevent such things from happening?

4. Congress should look into legislation to neutralize the damage that all the leaked data can cause to people. Many of the laws addressing data security breaches focus on notifying people about breaches and on limiting such breaches. That’s all well and good, but more needs to be done. We need a “data neutralization” law. By “data neutralization,” I mean neutralizing certain pieces of personal information to reduce the potential damage that can be caused when such information is leaked. Leaked Social Security numbers and other identifying information wouldn’t cause so much trouble if the government restricted businesses and other organizations from using them as passwords to gain access to accounts or to verify identity. If these practices are stopped, the leaking of a Social Security number becomes much less harmful.



New Casebook (Privacy, Information, and Technology)

Apologies for the self-promotion, but in time for this fall semester, Paul Schwartz, Marc Rotenberg, and I will be publishing a short paperback casebook of about 300 pages entitled PRIVACY, INFORMATION, AND TECHNOLOGY (Aspen Publishers, forthcoming mid-July 2006), ISBN: 0735562548.

This book is intended to be an inexpensive volume that adapts the cyberspace and technology materials from our full-length casebook, INFORMATION PRIVACY LAW (Aspen Publishers, 2d ed. 2006). The full-length casebook is about 1000 pages; the shorter paperback book is a more streamlined volume of about 300 pages, focusing exclusively on cyberspace, databases, and technology. Aspen informs me that this shorter paperback adaptation will probably sell at a price between $30 and $35.

The book might be useful as a supplement for cyberlaw or information law courses for instructors who want in-depth coverage of information privacy issues for between 2 and 5 weeks.

More information about the book is here. If you’re interested in getting on the list to obtain a review copy of the book (available in mid-July), please send an email to Daniel Eckroad.

The table of contents is available here. A summary of the book’s contents is after the fold.



Outsourcing Our Data

A growing data privacy issue is the outsourcing of personal data. Increasingly, US companies are outsourcing data processing to other countries. Although the United States lags much of the world in data protection, our personal information is being sent overseas to many countries that lack the same level of privacy protections as the United States. This can create risks that the data can be misused for identity theft or for fake identification. It could also create national security concerns.

There’s a big outsourcing controversy brewing in Florida, where Governor Jeb Bush made a multimillion dollar deal with a company called Convergys to process personal data, including Social Security Numbers and financial information. Convergys then contracted with another company that then outsourced to India. According to the Tallahassee Democrat:

The Tallahassee Democrat reported Dec. 25 that two former employees of GDXdata Inc. had secretly sued their ex-employer, saying the company improperly sent Florida employee records to companies in India, Barbados and possibly China for some processing steps involving the People First system. People First is Gov. Jeb Bush’s biggest “outsourcing” project – a nine-year, $350 million deal with Convergys – and all employee records are supposed to stay within the country.

Democratic legislators and U.S. Rep. Jim Davis of Tampa, a candidate for governor, called for an investigation of possible identity theft. Unions representing state employees urged DMS to make Convergys buy insurance to protect employees against fraudulent use of their personnel information.

Argenziano had scheduled a presentation by DMS Secretary Tom Lewis for her Senate Governmental Oversight and Productivity Committee meeting. But she said Lewis is meeting with top Convergys officials this week and “is not happy about some of the things he’s finding.”

The suit was filed under seal in Leon County Circuit Court, seeking to collect damages on behalf of the state for alleged irregularities in People First records processing. It did not accuse Convergys of any wrongdoing and the employee-services giant said at the time it had dropped GDXdata as a subcontractor for unexplained failure to do work as provided by its contract.

GDXdata said it would vigorously defend the suit. The plaintiffs said the company sought to cut processing costs from 6 cents to a penny per page by sending work overseas.


Even Tearing Up Your Credit Card Applications Isn’t Enough


One of the reasons why identity thieves are the luckiest criminals alive is because credit card companies make their crime really easy. This person at tried an experiment. He tore up his credit card application into little pieces, meticulously taped it back up, and then filled it out as follows:

Now, I wasn’t going to be able to check my mailbox for a few weeks, so I marked this little checkbox and CHANGED MY ADDRESS to my parent’s address, who are blessed with a very secure mailbox.


Also, I used my CELL PHONE NUMBER on the application. I’m not always at home, so I didn’t want to have to call from my real home to authorize the card.

The result? A shiny new credit card was sent to his parent’s address.

Check out the full story here.

It is amazing how irresponsible credit card companies can be.

Hat tip: Ann Bartow. Chris Hoofnagle has more ridiculous credit card application stories.



Public Records and Identity Theft

There are new details to report about the famous Hamilton County public records website. Several years ago, the clerk of courts of Hamilton County, Ohio placed a wide range of public records online. Many of the records had extensive personal information about individuals, including Social Security Numbers and home addresses. The Hamilton County website garnered a lot of attention. The NY Times ran a story about it in 2002 called Dirty Laundry, Online for All to See (Sept. 5, 2002) at G1, by Jennifer 8. Lee:

Four years ago, Mr. Cissell decided that it was time to move the county’s court records onto the Web. The documents were already public. They were already electronic. Where else to put public electronic documents but on the Internet?

“It was the natural progression of technology,” said Mr. Cissell, the clerk of courts for Hamilton County, whose seat is Cincinnati.

Mr. Cissell’s three-person technology staff put together the Web site at State tax liens, arrest warrants, bond postings — all became searchable and accessible on the Internet.

“Everything we get is scanned and available,” said Mr. Cissell, a former United States attorney. “It was very easy to open the door to the public.”

Visitors have flowed to the site. So have the complaints.

Later, in 2004, it was reported that records were removed from the website because they were being used for identity theft:



Identity Theft: Increasingly an Affliction of the Young

New statistics from the FTC on identity theft illustrate some interesting trends. From the AP:

Identity thieves are increasingly targeting children. Identity theft complaints involving youngsters under 18 have nearly doubled since 2003, up from 6,512 to more than 11,600 last year, the Federal Trade Commission said Wednesday.

While they make up a small percentage — about 5 percent — of the total ID theft complaints, the FTC’s Jay Miller says young people are attractive to cons because they may not be as savvy about safeguarding personal information and could easily fall prey while surfing the Internet. . . .



The ChoicePoint Settlement

Recently, the FTC announced a settlement in its complaint against the data broker ChoicePoint for a data security breach that resulted in over 160,000 people’s personal information being sold to identity thieves. According to the Washington Post:

Data broker ChoicePoint Inc. yesterday agreed to pay a $10 million federal fine over security breaches that exposed more than 160,000 people to possible identity theft. Privacy experts praised the settlement as a warning to companies to get more serious about protecting sensitive information.

The Alpharetta, Ga.-based company, one of the nation’s largest buyers and sellers of personal information such as Social Security numbers, birth dates and addresses, also agreed to pay $5 million into a fund to compensate people who suffered as a result of the breaches.

The Federal Trade Commission, which said the fine was the largest civil penalty it had ever imposed, said ChoicePoint violated consumers’ privacy and broke federal laws by mishandling the information and misleading people about its privacy policy.

The FTC complaint is here. There are some important issues worth discussing in connection with the news of the settlement.



Teaching Information Privacy Law

This post was originally posted on PrawfsBlawg on May 10, 2005. I have made a few small edits to this post.

For the law professor readers of this blog, especially newer professors (or professors-to-be) who are still figuring out the courses they want to teach, I thought I’d recommend information privacy law as a course you might consider teaching. (I have a casebook in the field, so this is really a thinly-disguised self-plug.)

Information privacy law remains a fairly young field, and it has yet to take hold as a course taught consistently in most law schools. I’m hoping to change all that. So if you’re interested in exploring issues involving information technology, criminal procedure, or free speech, here are a few reasons why you should consider adding information privacy law to your course mix:

1. It’s new and fresh. Lots of media attention on privacy law issues these days. Students are very interested in the topic.

2. Lively cases and fascinating issues abound. There’s barely a dull moment in the course. Every topic is interesting; there is no rule against perpetuities to cover!



Free Credit Reports: My Exciting Adventure

Under the federal Fair and Accurate Credit Transactions Act of 2003, the credit reporting agencies must provide a yearly free credit report to individuals who request it. This was one of the benefits given to consumers by the law in return for extending the federal preemption of certain state law regulations.

There are three major credit reporting agencies: Equifax, Experian, and Trans Union. You may have heard that there’s a new website where you can conveniently get your credit report from all three agencies. Since I pay attention to this field of law, I knew the name of the website, but many people I’ve spoken to don’t know what it is called.

But we live in the age of Google, so most people would just do a Google search for “free credit report.” Here’s what you pull up in your search:

