Emergent ChaosThe other 2.1 million people, apparently, should be reassured, that their personal medical data was stolen, but the University feels it would be hard to read, and well, there's no financial identity theft risk associated with it. If you believe the sorts of people who notify 1.9% of the victims of a breach. Sorry, ChoicePoint. Unfair comparison. You notified about 18% of the victims*, nearly ten-fold as many.
There's some analysis of how hard it would be to read the tapes. I'm skeptical: why does someone steal tapes from an Iron Mountain van if not to read them?
The Breach Blog feels differently. In "University of Miami reports stolen tapes affecting patients," he digs into the likelihood of the data being accessed.
Now, the University claims that the tapes are in a "complex and proprietary format," which seems to be "Tivoli Storage Management" from IBM. Now, Tivoli storage manager has encryption capabilities (page 3 of this PDF.) I'm curious why that wasn't in use.
Also, looking around, I found this quote at an IBM partner site:
Much is made of the inbred security of the TSM system since the backed up data is so closely linked with the TSM database. While, to the layman this is true, and it is almost impossible to reconstruct TSM data without the database, it is possible in the right scenario, with the right skills at your disposal.Until I hear more, I'm skeptical of the University's claims. I don't believe, and I have not believed for a long time, that breach notices are about identity theft. They're about the performance of a promise to protect information.
(*Footnote: 18% being 30/160, approximate numbers for the ChoicePoint incident.)
Bookmark this post:
I have two clients who are asking me to investigate matters with Choice Point as it relates to inaccurate employment records provide to prospective employers. I am seeking persons who have similar experiences to determine a "pattern and practice" on the part of Choice Point.I don't know Mr. Lyons, but I can't imagine anyone would object to "more informed, more timely decisions that positively impact society." Feel free to get in touch with him.
Bookmark this post:
Now WATE in Knoxville, TN, reports that "Anderson Co. man finds credit report error:"
At his insurance company's request, ChoicePoint gathered the sum total of Ray's credit, what he owes for his car, his house, credit cards and other purchases. "It says my grand total of indebtedness is $426,000. That's about five times what I currently owe," Ray says.See also my May 2005 posting, "Choicepoint Analyses:"Some debts Ray paid off showed as though they hadn't been paid at all. "This was a boat loan" for $50,000, Ray says. "I paid it off over a year ago."
He also says he went online to ChoicePoint, filed a dispute and spoke with company officials. "My data had not been updated. It was incorrect. My employer was incorrect," Ray says.
...
ChoicePoint disputes that any errors were made.
Choicepoint defines an error as a problem between their collector and the report; bad data collected, which we used to call the "garbage in, garbage out" problem, has been defined away.and finally, don't forget Deborah Pierce's work in "Data Aggregators: A Study of Data Quality and Responsiveness:"
100% of the reports given out by ChoicePoint had at least one error in them.The deep trouble here is not that Choicepoint reports are inaccurate (although that seems to be a problem based on impartial reports). The trouble is the accountability disconnect between data collection, aggregation, and use. No one takes responsibility for the decisions that are made based on bad data.
[Update: Just after posting this, I came across "Where’s Waldo? Spotting the Terrorist using Data Broker Information:"
In its coverage of the issue, the Ottawa Citizen reported that since September 2001, the RCMP has been buying and retaining this kind of personal information from data brokers, and in some instances may have forwarded that information to U.S. law enforcement.Good thing Ray's inaccurate data was "only" used to deny him credit.]
[Update 2: Choicepoint's Chuck Jones disagrees; please see comments.]
Bookmark this post:
Or so "Shipcompliant" would have us believe, with a blog post entitled "Free the Grapes! Updates Wine Industry Code for Direct Shipping Practices."
The new addition to the Code is step 4, which specifies that wineries should verify the age of the purchaser of the wine at the time of transaction for all off-site transactions (Internet, phone, mail, fax, etc.). This can be done either by obtaining a photocopy of the purchaser’s drivers license or by using an approved online age verification vendor such as ChoicePoint or IDology.So to protect themselves from liability, wine merchants who sign up for this code will be putting their customers at risk. Of course, the code already says:
Free the Grapes! encourages licensees to contract only with shippers who check the identification of recipients at the time of delivery to ensure that the recipient is 21 years of age or older.So there's no reason to add this step. The very next step ensures that wine won't get into the hands of our corruptable youth.
This is two steps backwards: We're creating more work for the wineries and wine sellers, exposing their customers to increased risk of privacy violations, and all to cover a risk that's already covered.
Free the grapes? How about free the people from this nonsense?
Photo: "A sculpture commemorating the wine press and its importance to California history in Golden Gate Park near the De Young Museum of Fine Arts (6)" by mharrsch.
Bookmark this post:
ChoicePoint Inc. went into the red in the third quarter, hurt by about $50 million in charges related to asset impairment, stock expenses and legal fees from a data breach in 2005.Choicepoints losses are a severe outlier. As I said in March, 2005, "Why Choicepoint Resonates:" It's now a full month since Bob Sullivan of MSNBC broke the Choicepoint story. I'd like to think back, and ask, why does this story have legs? Why are reporters still covering it?
There are a couple of important trends which combine to make this a perfect storm, attractive to editors and readers. I still think my analysis is decent, and that any serious statistical analysis of breach costs must show "without Choicepoint" numbers.
[Update: Clarified title, which attributed all expenses to the breach.]
Bookmark this post:
Topping the list, Vodaphone has been fined $100M (€76M) for failing to protect 106 mobile accounts. "Greek Scandal Sees Vodaphone fined" at the BBC, via Flying Penguin.On this side of the Atlantic, Choicepoint, Experian and Reed-Elsevier are looking to pay $25 million to settle claims that they invaded the privacy of 200 million drivers in the US. None of that money would go to those whose privacy was invaded. ("Driver Data Lawsuits Settlement Proposed.")
Pop quiz: Which do you think will influence behavior more?
Photo: Peeping Dog, by ErinV.
Bookmark this post:
Jessica Rich, assistant director of the FTC's division of privacy and identity theft, said in a statement released to AP on Wednesday that "law enforcement is still identifying victims and we want to make sure we have the right people."(From the AP, "FTC Yet To Pay Choicepoint Victims.")
Bookmark this post:
"Well, first they said, 'Something was wrong with your background check,'" she said. "I said, 'What is wrong with it? What is wrong with my background check?'"Oh, the irony.ChoicePoint found out that Smith was convicted of identity theft 10 years ago and sentenced to three years' probation.
The problem? It wasn't the correct Smith.
Bookmark this post:
It is factually incorrect to describe ChoicePoint or its subsidiary, Bode Technology Group, as attempting to "amass a DNA database." Bode's clients are almost entirely government laboratories that are trying to solve crimes and identify victims as well as felony offenders. The samples provided to Bode for analysis are identified by a case number and Bode's work does not reveal information about race, hair or eye color, national origin or medical conditions. DNA analysis is done simply to develop a profile that can be used to determine if two people are related or the sample matches a suspect. In no circumstance, however, does Bode "own" any data, samples or any other material and never maintains permanent custody of any sample.Matt actually sent that over two weeks ago, and I have a number of operational questions about it, such as: Is the data identified only by a case number? Could it be correlated with other data? Is the question of relation given as "sample A, sample B?" or is one sample named? What data does Bode retain after the sample is destroyed or returned? Presumably, there's some data kept to enable Bode or its representatives to testify in court. However, I'm swamped with other things, and despite my interest in the questions, I don't have a lot of time to pursue them.The only centralized databases of DNA profiles are managed by the FBI and its counterparts in the states, not by Bode. Bode is not now nor has it ever been in the business of amassing DNA data and selling it wholesale or otherwise to any government agency. Instead, the men and women of Bode are responsible for making DNA-based identifications where no one else has been able and bringing criminals to account for their crimes.
However, I remain glad that "amassing a DNA database and selling the contents to the government is something even Choicepoint doesn't expect will become profitable," even if that was a mis-understanding of their plans.
Bookmark this post:
ALPHARETTA, Ga., July 10 /PRNewswire-FirstCall/ -- ChoicePoint (NYSE: CPS - News) today announced its intent to divest various businesses resulting from its company-wide strategic review. The previously disclosed review process resulted in the company adopting a new strategic focus on helping customers manage economic or physical risks, as well as the decision to divest businesses that either do not fit within the new strategic direction or are unlikely to gain critical mass in the marketplace under ChoicePoint's ownership. This process is ongoing and is expected to continue throughout 2006. Included in the announced divestiture plan are ChoicePoint's direct marketing, forensic DNA and shareholder services businesses.I'm glad to discover that amassing a DNA database and selling the contents to the government is something even Choicepoint doesn't expect will become profitable. I'm also glad that they're owning up to mistakes. Now lets see if we can see some fair information practices around the rest of their services.
See other analysis in Direct Marketing News or the Boston Globe.
Bookmark this post:
Another new measure: ChoicePoint this month created a security advisory committee comprised of DiBattiste, the company's CIO, head of internal audit, the chief business officer, chief marketing officer, chief administrative officer and general counsel. The group meets regularly "to ensure we're hitting every aspect of security and privacy," says DiBattiste.So ends an article "Choicepoint's Lessons Learned" in Baseline."One of the lessons we learned is that security is a moving target," she says. "The bad guys move too. So we have to constantly be in touch with the things we need to be doing to respond."
They learned that in 2006?
Maybe they should be attending Blackhat, or Defcon. I hear tell Defcon has some ATMs that they could use.
Bookmark this post:
Although the federal government and local law enforcement agencies nationwide use private data brokers, the FBI said that practices used by these companies to gather private phone records without warrants or subpoenas is illegal, according to an Associated Press article on Chron.com.That's from the CSO Blog, "Data Brokers May Act Illegally." In other news, "ChoicePoint-FBI Deal Raises New Privacy Questions."A senior FBI lawyer, Elaine N. Lammert, told lawmakers the bureau was still surveying agents around the United States, but so far has found no "systemic" use of data brokers by the FBI.
So what are we paying for?
Bookmark this post:
Pete Lindstrom is looking at an important set of questions: How likely is it that a given breach will result in harm to a person? What's the baseline risk? Data is nonexistent on these questions, which means we get to throw around our pet theories.
For example, we know of 800 ID thefts from the 167,000 Choicepoint victims, all of which happened before notification. We don't know how many more of those people have been victimized, because no one is collecting data. The breach data we have is collected by three amateur volunteer efforts: ourselves, here at Emergent Chaos, the Privacy Rights Clearinghouse "Chronology of Data Breaches," and Attrition.org's Dataloss list. There are also regular reports through ISN, and Dave Farber's Interesting People List.
While we're happy that there are amateur efforts, it's hard to measure the results. To the best of my knowledge, there is no central database of ID theft victims. There is no repository of who's gotten notices. And thus, no easy way to measure the real human impact of breaches, or see how much crime they enable.
"Dam Water" photo by Ed Hidden.
Bookmark this post:
This is: the snooping into your phone bill is just the snout of the pig of a strange, lucrative link-up between the Administration's Homeland Security spy network and private companies operating beyond the reach of the laws meant to protect us from our government. You can call it the privatization of the FBI -- though it is better described as the creation of a private KGB.Read "The Spies Who Shag Us," by Greg Palast. Don't miss the bits about who's the number one supplier of DNA to the FBI.The leader in the field of what is called "data mining," is a company called, "ChoicePoint, Inc," which has sucked up over a billion dollars in national security contracts.
Bookmark this post:
Ever wonder if banks are required to tell customers when their systems are hacked? You may be shocked to learn that they are not.Wow. Fifteen months since Choicepoint, and that's being written? There's a new set of expectations out there, and it hasn't taken long to set. Thank you, Choicepoint. The quote leads an article, "Are Banks Required To Give Notice of Database Hacks?" on San Diego Business Lawfirm.
Thanks to the Privacy Law Blog, we know that Arizona and Colorado have passed new breach notice laws. Arizona has taken a broad definition of breach in Senate Bill 1338:
"Security Breach" means "an unauthorized acquisition of and access to unencrypted or unredacted computerized data that materially compromises the security or confidentiality of personal information... and that causes or is reasonably likely to cause substantial economic loss to an individual."Colorado meanwhile, has enacted House Bill 1119, which contains a "fox guards the henhouse, and sits in the alarm booth" clause:
The new law requires to businesses to conduct, in good faith, a reasonable and prompt investigation into a security breach, and unless it determines that misuse of the personal information has not occurred and is not reasonably likely to occur...I think it would be remarkably risky to invoke that clause. Business should ask, who owns that liability if someone makes a mistake? The Center For Policy Alternatives has Model Identity Theft Legislation that doesn't contain this clause. In my non-lawyerly opinion, that speaks to the new norms, and the burden of proof that companies are being asked to develop in a short time, under extreme pressure. Who wants these clauses, anyway?
These questions hold up a national law, according to Computerworld, "Analysis: Data breach notification law unlikely this year." Such delays are a good thing, because they give the new norm time to set, and for people to become accustomed to breach notices.
The overflowing dam photo is by Firesign, on Flickr. Come to think of it, maybe an overflowing dam is a better metaphor than a breached one: there's so much data collected that organizations can't hope to control it?
Bookmark this post:
The deputy press secretary for the Department of Homeland Security was arrested last night on charges that he used the Internet to seduce an undercover Florida sheriff's detective who he thought was a 14-year-old girl, the Polk County Sheriff's Office said.See "DHS Spokesman Is Accused of Soliciting Teen Online" at the Washington Post.Brian J. Doyle, 55, was arrested at his Silver Spring home at 7:45 p.m. and charged with seven counts of using a computer to seduce a child and 16 counts of transmitting harmful materials to a minor, according to a sheriff's office statement.
While I hate to make light of such a disturbing story, it's a good thing Choicepoint screened all those TSA employees, to make sure no bad people get through. (Doyle worked for TSA before moving to DHS.)
Bookmark this post:
Google CEO Eric Schmidt said "We're always on the look-out for large databases that we can use to better serve our customers. We used to have access to Choicepoint's data, but the "due diligence" people they kept sending would burst into flames the minute they hit our "no evil" barrier. After seven or eight of those, we couldn't believe it was coincidence any longer, so we just bought them."
Choicepoint CEO Derek Smith (according to the merged database, the two are 17th cousins, three times removed) said "Our missions are remarkably similar. We bring in every scrap of data we can, and never throw anything away."
"I fully support the synergies and customer choice made possible by the merger,' said Chris Hoofnagle, privacy advocate and newly-appointed director of privacy oversight for the program. 'The merger will bring value to consumers and shareholders, and it has pre-approval from Truste.'
The move is expected to substantially improve Google's relationship with governments around the world.
Bookmark this post:
How are True.com’s Valentine’s Day e-mails targeted? Very simply: one version of their e-mail targets black singles, another targets East Indian lonely hearts, and other versions target the Asian and Hispanic loveless. (Our multi-cultural bots were lucky enough to get one of each). There's nothing wrong with that on the surface. But we wondered how True.com could know which version of its e-mails to send to which users?So writes Hannah Rosenbaum in "True.com Uses Adult List to Send Targeted Valentine's Day E-mail." I'm going to disagree. It is wrong to track the color of people's skin and use it as part of your decision making process. It's wrong at the surface, and it's wrong in very deep ways. It may even be wrong with explicit consent, which 'True' certainly didn't have.
Speaking of wrong, I'd mentioned the lovely people at 'true' before, in "Choicepoint, March 21." I wonder if their data on race is any better than their criminal background histories? Siteadvisor's one data point per person is a beautiful way to watch the flow of data behind the scenes, but it fails to capture the rich tapestries of our lives, the poor quality of the data (what we used to call garbage-in, garbage-out), or how companies cope with the chaos.
Bookmark this post:
Last week, the company notified between 30,000 and 35,000 consumers in California that their personal data may have been accessed by "unauthorized third parties," according to ChoicePoint spokesman James Lee.I raised the question of other states the next day on a panel at the RSA Conference, and have been getting milage out of Choicepoint and breaches ever since. I'd like to take a moment to look back at what's happened, what we've learned, and yes, to honestly thank Choicepoint for the dramatic changes in international privacy law and norms that they've brought about. Derek Smith, Choicepoint's CEO, had been fond of calling for a national debate. I don't think he anticipated the answers that debate has produced.California law requires firms to disclose such incidents to the state's consumers when they are discovered. It is the only state with such a requirement but such data thefts are rarely limited to a single geographic area.
Lee said law enforcement officials have so far advised the firm that only Californians need to be notified.
Bookmark this post:
