Last year, Governor Easley proclaimed January 28th as Data Privacy Day for the state of North Carolina. This year, he proclaimed January Data Privacy Month. North Carolina, Washington, California, Oregon, Massachusetts, and Arizona have also declared January 28th to be state-wide Data Privacy Day. Last but certainly not least, Congressman David Price and Congressman Cliff Stearns introduced House Resolution 31 which was passed on January 26th with a vote of 402 to 0 to make today National Data Privacy Day in the United States. It is truly outstanding to see such strong support in the form of resolutions and proclamations.

The best way to support or celebrate Data Privacy Day is to take action. Since the goal of Data Privacy Day is to promote awareness and education about data privacy, one easy way to act is to check out all the great educational resources made available in conjunction with Data Privacy Day. For example, Google has posted about what it has done to protect privacy and increase awareness of privacy. Microsoft is holding an event tonight and has more information on data privacy on their website.

Here at The Privacy Place, we were once again pleased to have the opportunity to celebrate Data Privacy Day at Duke University by attending the panel discussion on Protecting National Security and Privacy. The panel discussion was extremely well-attended and well-received. This event had a number of sponsors, including Intel who has a fantastic website with extensive information on Data Privacy Day. If you weren’t able to make it to the panel, I would strongly encourage you to check out Intel’s site.

Lastly, Data Privacy Day is all about awareness and education, so be sure to spread the word!

[Update: Fixed the link to the House Resolution that passed on Monday.]

Hackers recently broke into Governor Palin’s personal Yahoo email account and, subsequently, several of personal emails and family photos were posted on the internet [See: BBC Article].
This recent case reminds us that we must be careful with the information we divulge online as well as the information that is requested of us online. Consider that the responsible hacker was able to guess Governor Palin’s answers to the security questions that Yahoo used by doing some simple Internet searching [See: PCWorld].

This attack could be considered a social engineering attack [See: Social Engineering Fundamentals]–– social engineering attacks are not technical attacks, but instead aim to trick the victim into divulging personal information. Phishing and trojan horses are also examples of social attacks. The Governor Palin attack, however, is similar to the attack described by Herbert Thompson, where an attacker can gain access to user accounts simply by using information available on the internet, usually using some sort of password resetting service that asks personal questions to validate the identity of the user. If this private information is well known, than anyone could impersonate the identity of the victim. Sources of information can include public records such as driving or court records, blogs, social networking websites, personal websites, etc. The lesson here is to avoid posting private information in a public setting. Most people would not post their Social Security number or the password to their email account on their blog, but the information they do post might be enough.

So before you post the name of your first pet on Facebook or MySpace or on your blog, think about whether it can be used to fraudulently impersonate you at a later date.

[Update: Fixed minor grammar error]

The UK IT Trade web site, The Register, had the following headline:

40,000 BP workers exposed in Ernst & Young laptop loss

It’s not until you read much deeper into the article that you find out that the laptop that was stolen was password protected. To me, the interesting thing about this article is how quickly the author dismisses the password protection as a false assurance.

Is this an example of a zealous reporter trying to spin the story to make it appear more scandalous than it really is? If the laptop is password protected, what is the chance that the personal information could be accessed and used for identity theft? There is usually a lag of several months from the time an incident like this happens until the identity theft incidents start occurring.

But the public relations debacle is happening right now. Let’s assume for a moment that 6 months later, E&Y issues a press release that says, “Hey, remember that laptop loss 6 months ago, well, we have detected no identity theft incidents among any of the people whose data was exposed. So we conclude that the password protection was sufficient for the protection of personal information.” Would that restore E&Y’s reputation? Would the affected people feel better? I doubt it.

I assume that laptops are always going to be lost or stolen. Given that so many people take them every where they go, there’s always going to be accidents and theft. It seems reasonable to me to conclude that the issue is not about how to secure laptops. How strong would the encryption on the laptop have to be for the reported to think, “well, with that level of encryption, there’s no way a criminal will get access to it so I guess I don’t have a story.”

I believe that no level of encryption or any security measure would stop the reporter from writing a story about a lost laptop with personal information. The reason for this is that the personal information should have never been on that laptop in the first place!

It is difficult for me to imagine anyone in E&Y needing immediate access to that many people’s records at one time. Who would physically have time to individually look at the information? And more to the point, why must the E&Y employee have the personal data of BP employees on his personal laptop? In this age of an increasingly pervasive internet, it’s difficult for me to imagine a situation in which the personal data couldn’t be kept on a secure server in the E&Y network and accessed remotely from the laptop over a secured VPN.

And I think that’s the real lesson from all the laptop loss stories we hear so much about these days. It’s not about securing the laptop. It’s about keeping the sensitive information off the laptop and on a physically secure server on a secured network. We need to think of laptops not as computing platforms in their own right, but more as access points to computing resources. Any business process that requires customer information to physically be located on an employee’s personal laptop needs redesigned as quickly as possible before the inevitable laptop loss and the inevitable PR debacle happens.

Read more about this by accessing the N&O article here.

Wikipedia defines identity theft as “the deliberate assumption of another person’s identity, usually to gain access to their finances or frame them for a crime.” The same Wikipedia entry goes on to quote Javelin Strategy & Research founder James Van Dyke as arguing for two separate terms:

• identity theft: unauthorized access to personal records;

• identity fraud: unauthorized use of personal records.

This distinction helps to explain how a data breach can lead to identity theft, which may or may not result in identity fraud for each victim. Given Van Dyke’s interpretation of identity theft and identity fraud, I think we can more accurately express the various elements of data privacy. A data breach, such as the one befalling ChoicePoint, has undoubtedly led to 145,000+ victims of identity theft, where at least 765 of those people also suffered identity fraud.

A recent AP article highlights how the term ‘identity theft’ has been “too broadly defined and often misunderstood.” The risk, according to the article, is that “lawmakers and companies might be misdirecting their anti-fraud energies” and that consumers end up overly fearing Internet activities. The biggest problem with the term ‘identity theft’ ends up with how the misuse of an existing credit card is classified. If a criminal simply getting your existing credit card number and embarking on a shopping spree is identity theft, then 40 million people were put at risk of identity theft by the CardSystems breach. If instead, we limit identity theft to the exploitation of personal information (more in line with the Wikipedia entry), then those victims become simply inconvenienced individuals. While they may face fraudulent charges on their account, U.S. citizens rarely have to pay up for those charges: there is a $50 limit on personal liability, regardless of the amount fraudulently charged. Instead, it is when criminals possess enough information to obtain a new credit card that we are victims of identity theft and threatened by identity fraud.

Click here to read this article.

Author’s recommendation:
For Windows users, please download ALL of the following three antispyware tools and run them once a WEEK on your personal computer. All these three tools are free for personal use:
Ad-Aware
Spybot Search and Destroy
Microsoft Windows AntiSpyware

Last week, experts (such as the FTC ID theft program head) were already warning the public of the high risk of identity theft tied to the hurricane’s aftermath. An AP story noted that “Social Security cards, driver’s licenses, credit cards and other personal documents are literally floating around New Orleans.” The risk of credit card fraud and identity theft is clear, as the information leakage was certainly not the first thought of survivors escaping their homes and being rescued from rooftops.

The same article notes that some 2,000 web sites popped up related to Hurricane Katrina relief efforts, but about a dozen are under investigation for potential fraud. Not only is there a risk from completely fraudulent web sites, but also from phishers spoofing major relief efforts such as the Red Cross or Salvation Army. This article notes the email scams already observed and the risk of such phishing attacks increasing in the coming weeks. According to the article, VeriSign has gotten involved in hunting down such phishing efforts and took down two such sites already as of last week.

Some unscrupulous individuals have already been arrested for attempted ID theft. Three people in Mississippi went to a shelter and posed as FEMA officials in an effort to obtain personal information – such as names, birthdates, and SSNs – from evacuees. The AP broke this story on Saturday.