
PrivaTalk - March 2003

Volume 3, Issue 3

ISM Computer Theft puts Canadians’ Personal Data at Risk

The recent theft of a hard drive containing the personal information of hundreds of thousands of Canadians – including names, addresses, bank account details, beneficiaries, social insurance numbers, pension values and pre-authorized chequing information – should put many companies on alert.


One of Canada’s largest providers of information management services for governments and private companies, Information Systems Management, a subsidiary of IBM Canada, reported the hard drive missing at the end of January, roughly three weeks after it went missing. Three days later, the Canadian police announced an arrest in the case. An ISM employee has been charged with possession of stolen property valued at less than $5000. The big question is whether the employee intended to steal just the hardware, or had eyes on the million or so confidential customer files stored on it. The hardware is worth a couple of hundred dollars. The information, on the other hand, could potentially be worth tens of millions of dollars to a criminal skilled at assuming the identities of others to take control of bank accounts, write bogus cheques, apply for and run up credit cards and commit other forms of fraud.


An examination of the drive was inconclusive, but police said the investigation strongly suggested the hard drive was not misused or used unlawfully. The police believe the employee was after the 30 gigabytes of storage space, seemingly oblivious to the confidential information saved on the drive. When the drive was found, the information had been erased and overwritten with software programs and other data. However, the police can’t tell for sure whether the data was copied before being written over.


About 650,000 Investors Group clients and nearly 180,000 clients of the Co-operators Life Insurance Company were among those whose information was on the drive, as were the Saskatchewan and Manitoba governments, which said they would notify individuals and businesses whose information was lost. The Co-operators and the Investors Group sent a letter to clients informing them of the missing hard drive and warning them of the risk of identity theft.


The Regina-based Merchant Law Group has filed a class-action lawsuit against ISM on behalf of people whose personal information was on the hard drive. The suit alleges ISM violated customer privacy and was negligent in securing confidential information and notifying the public about the lost disk.  The data on the drive was apparently not encrypted or partitioned in a way that would protect the information in such unforeseen circumstances.  


In response to the theft, Saskatchewan’s privacy commissioner, Richard Rendek, has questioned whether control of personal information can be maintained. He has stated that the risk to privacy could be diminished if government agencies only collect information they absolutely need.  This is true to a certain extent – for example, many organizations use the SIN for identification purposes even if not required for taxation purposes, and this is unacceptable because it is possible for someone with a bit of skill in identity theft to find out a great deal of other information about an individual just by knowing their SIN. Obviously though, there are legitimate and necessary collections of sensitive personal information for some businesses, such as the credit card details of customers who want the businesses they deal with to remember this information.  


What’s more critical to learn from the ISM case is that security features need to be in place not just to prevent external access to systems, but to guard against employee theft. Determining appropriate access levels for employees on a need-to-know basis, and storing data in encrypted form, are two examples of the initiatives a business can take.


Herein lies the problem that has emerged in our data-centric society: we have become dependent on technologies that can store millions of pieces of sensitive information, but we haven’t spent enough time figuring out how to ensure the data is adequately protected.


Resumes Posted with Internet Job Boards can Result in Significant Privacy Problems

Posting resumes to Internet job sites can result in privacy nightmares for job seekers according to a study undertaken by San Diego-based Privacy Rights Clearinghouse.  The study found that resumes posted to Internet job boards, which have become increasingly popular among both job seekers and employers in recent years, are often sold to other sites and anybody else who can pay for them.  The study also found that scam artists posing as recruiters can download all the resumes they want and do virtually whatever they want with them.  


For most job seekers, of course, the more exposure, the better. But when information from resumes is obtained – legally or otherwise – by people who were never meant to receive it, it can create major problems. For identity thieves, this is a good starting point, because from a resume you can get names, addresses, phone numbers and the locations of every place an individual has lived.


Some of the larger job boards allow job seekers to hide information such as their names and their phone numbers and set up special e-mail accounts for contacts. Meanwhile, clients who pay to access the resumes are screened before they’re allowed access, to make sure they’re legitimate employers or recruiters.  


The problem is there are a number of smaller job boards that don’t offer the same protections. Even when identity theft isn’t involved, having an online resume passed around and left floating forever on the Internet for all to see can be embarrassing.  


Last year, a person posing as a recruiter illegally downloaded about 2,400 resumes from the medical job Web site Medzilla.com. Medzilla has since implemented new privacy and security policies and successfully sued the illegal downloader, who was trying to establish a competing job search site.  


Job seekers who use on-line sites should research them thoroughly before posting resumes blindly.  Job seekers should pay particular attention to a site’s policies regarding how much control they have over the sharing, distribution and retention of their resumes. Postings also should be made sparingly, and highly private information, such as social insurance numbers and birthdays, should never be included.      


HIPAA Security Regulations Released

New security regulations under the Health Insurance Portability and Accountability Act (HIPAA) were recently published and require covered entities to implement administrative, physical, and technical safeguards to protect electronic health information in their possession.  


Under these new security standards, health insurers, certain health care providers and health care clearinghouses in the United States must establish procedures and mechanisms to protect the confidentiality, integrity, and availability of electronic health information, according to the U.S. Department of Health and Human Services.  


While these final rules take effect in April of this year, large health care organizations have until April 2005 to comply with the regulations. Smaller ones are given an additional year to comply.  


While the 289-page summary of security rules doesn’t mandate any specific technologies for securing electronic health care information, it does establish baseline safeguards for health-care organizations to deploy: administrative safety measures (such as security training and security assessments), physical security (such as restricting physical access to certain systems), and technological safeguards (such as electronic signatures and passwords) to ensure protected information remains confidential, isn’t altered, is readily available, and isn’t accessed without authorization.


While the security rules are established to protect the actual information electronically stored and transmitted, the privacy rules that go into effect in April focus on how protected health information is to be controlled through policies establishing who has access to that information and what specific rights patients have regarding their personal health care information.  


The final rules removed many of the technical requirements present in earlier drafts, which seemed to dictate that health-care organizations deploy certain types of security applications. They removed, for instance, the requirement for digital signatures and chose much less technically strict electronic signatures. As a result of the final security rules, health care providers are able to choose the types of security technologies they feel are appropriate for their own organization and systems. While the lack of technological specifics about how organizations need to go about securing their information may make HIPAA compliance easier in some ways, in other ways it will likely be more difficult for health care providers to determine whether they are in compliance. Health care organizations are going to have to carefully establish security policies and procedures and document why they chose certain tactics and technologies so they can justify their choices.


Among other things, entities affected by the new security standards are required to:

  • Conduct a thorough risk analysis of their organizations by reviewing electronic information handling procedures and information systems;
  • Measure and ensure the integrity of patient health information;
  • Develop clear policies for detecting and reporting security violations, as well as contingency and disaster recovery plans to guard against patient data loss; and
  • Make business associates and partner companies aware of security policies and procedures, either through written contracts or other less formal means.

Noticeably, however, the government backed away from many of the requirements it laid out when the standards were first proposed in 1998, after health care organizations complained that implementing those requirements would be prohibitively expensive. For example, the final rule narrows the focus of the security standards to apply to information in electronic form, removing a concern about more requirements for paper documents on top of those stipulated by the HIPAA health information privacy rules that have already been released.  


The new security regulations will require organizations dealing with health information to take a close, hard look at how they protect such sensitive information.  Although the burden rests on the consumer to be aware of their privacy rights under HIPAA and know when their privacy has been violated in order to trigger an investigation, it likely won’t be long before we see litigation in this area.


Drastic Increase in Data Security Breaches

The number of data security breaches reported in North America reached a record high last year, up from more than 21,000 cases in 2000 to more than 82,000 in 2002, according to CERT/CC, an Internet security centre operated by Carnegie Mellon University in the States.  


This alarming number is a wake-up call for senior executives and corporate directors – there is little doubt that the price of a security breach can be steep. Gartner reports that the average large company loses $20,000 (U.S.) per hour in the first 72 hours of responding to a security breach.  


Financial losses aside, it is impossible to measure the costs associated with damaged corporate reputations and the loss of customers’ trust. As well, companies can be legally liable for damages caused by privacy breaches, identity theft or loss of proprietary information.  


Recent industry reports show that companies are increasing their IT security spending, but this is only an encouraging first step. Organizations must foster a culture of security in which employees and partners understand and pledge to maintain a secure, trusted business environment.  


Every company has discrete security requirements depending on their business model, risk profile and risk tolerance. Increasingly, security requirements are driven by the extent to which companies are entrusted with personal data belonging to their customers, patients and employees.  


In defining a security strategy, it seems that senior executives need to focus on three critical areas: policy, education for employees and partners, and strategic technology deployment. The most comprehensive security policies are based on a thorough risk assessment that identifies risk areas and the appropriate level of protection for each. Security policies clearly define roles, responsibilities and information access privileges for employees. They describe the procedures necessary to safeguard information and ensure that employees have access to information only on a need-to-know basis. The most comprehensive policies must also extend to external business partners.  


Education and communication are the means by which policies and procedures transform into cultural practices. Employees and business partners must clearly understand and abide by the rules, and be committed to them. Training is also required to help employees detect possible hackers as well as those intruders using persuasion, intimidation and other social engineering tactics to gain unlawful access to information.  


When deploying security solutions, senior executives need to understand not only the benefits, but also the limitations of each. Firewalls and intrusion detection solutions are effective perimeter defence measures because they deter unauthorized access. Passwords and other forms of user authentication are useful for controlling access to networks as well. However, as the increasing number of security breaches illustrates, hackers are still successful in penetrating these defences.  


At the minimum level, data encryption should be considered as the last line of defence to protect stored data, including data on servers, in networked storage and on backup devices such as tape drives. Data encryption ensures persistent security – data protection that is always present to safeguard information, whether stored on disk or tape, within the data centre or moved outside.


Should an offender breach a storage network or physically obtain a hard disk, encrypted data is useless to them. When implemented by an experienced system security architect, data encryption ensures valuable information is inaccessible to unauthorized individuals.  


With data security breaches on the rise, companies need to make security a top priority in their business planning.  


A Computer Security System that is Successfully making use of Biometrics

A small company in the United States has developed a computer-security system that locks itself when workers walk away.  Access Denied Systems is selling technology that combines biometrics, such as fingerprints and voiceprints, and radio-frequency identification (RFID) tags and readers.  


The company’s Bio Proximity Security System ensures that computer users are who they say they are, and that when they leave their stations, they automatically are logged off without pressing a key. The company hopes to capitalize on a growing number of businesses, hospitals, schools and government agencies with internal-security concerns.  


There are many cases where a person has access to a computer he isn’t supposed to have access to, and this has led to mischief, destruction or theft.  The recent ISM case in Canada is a good example.  


Replacing type-in password access systems with fingerprint scanners is nothing new, and the technology is becoming more common – the interesting part is Access Denied’s added use of the RFID badges worn by users. The badges are detected by small readers attached to each computer, so the computer knows when the user moves beyond a specified distance and can lock itself up.  
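The locking rule described above, written out as a small session state machine. This is an added illustration, not Access Denied’s code: the distance threshold, the dropout tolerance, the string-compare "fingerprint match" and the enrolment table are all constructed placeholders for a real matcher and reader. It fails closed (no badge, the wrong badge, or a badge too far away all count toward locking), tolerates a brief reader dropout so a momentary missed poll doesn’t lock the user out, and never unlocks on the badge alone.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed parameters for the illustration (not the vendor's values).
MAX_DISTANCE_M = 1.5        # badge must be within this range to keep the session alive
DROPOUT_TOLERANCE = 3       # consecutive bad readings before the workstation locks


@dataclass
class Workstation:
    """A session that stays unlocked only while the authenticated user's own badge is nearby."""
    enrolled: Dict[str, Tuple[str, str]]          # user -> (fingerprint template, badge id)
    unlocked_user: Optional[str] = None
    out_of_range_count: int = 0
    log: List[str] = field(default_factory=list)

    def fingerprint_login(self, user: str, fingerprint: str,
                          badge_id: Optional[str], distance_m: float) -> bool:
        """Unlock only when the fingerprint matches AND that user's badge is in range.

        A plain string comparison stands in for a biometric matcher (assumption)."""
        template, expected_badge = self.enrolled.get(user, (None, None))
        if (template != fingerprint or badge_id != expected_badge
                or distance_m > MAX_DISTANCE_M):
            self.log.append(f"DENY {user}")
            return False
        self.unlocked_user, self.out_of_range_count = user, 0
        self.log.append(f"UNLOCK {user}")
        return True

    def badge_reading(self, badge_id: Optional[str], distance_m: float) -> str:
        """Called on every RFID poll; returns the session state after the poll."""
        if self.unlocked_user is None:
            return "locked"                     # a badge alone never unlocks
        expected_badge = self.enrolled[self.unlocked_user][1]
        if badge_id == expected_badge and distance_m <= MAX_DISTANCE_M:
            self.out_of_range_count = 0         # good reading resets the dropout counter
            return "unlocked"
        # Missing badge, someone else's badge, or the user's badge too far away.
        self.out_of_range_count += 1
        if self.out_of_range_count >= DROPOUT_TOLERANCE:
            self.log.append(f"LOCK {self.unlocked_user}")
            self.unlocked_user = None
            return "locked"
        return "unlocked"                       # tolerate a brief reader dropout


if __name__ == "__main__":
    ws = Workstation(enrolled={"alice": ("fp-alice", "badge-01")})   # constructed enrolment
    ws.fingerprint_login("alice", "fp-alice", "badge-01", 0.5)
    for d in (0.7, 2.5, 3.0, 4.0):              # user walks away from the desk
        print(d, ws.badge_reading("badge-01", d))
    print(ws.log)
```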


The system was installed in a computer lab in Washington University’s department of electrical engineering, where about 20 professors and graduate students are doing computer and systems security research of their own.  


While Access Denied’s system is meeting a need of the lab – to control access to sensitive research – it is also a case study to get a feel for whether people would balk at having to use fingerprints to do their work. It seems that fingerprinting and voiceprinting are more socially acceptable and less feared from a privacy perspective than other readily available biometric technology, such as eye scans.


The Bio Proximity system sells for $329 US for a computer with one RFID badge, plus $45 US for each additional badge. It has been installed at a handful of facilities, including BMW of North America LLC and the U.S. National Library of Medicine. Systems such as the one sold by Access Denied get people used to having multiple forms of identification (the fingerprint and the tag) when they’re talking to a computer.


While public comfort levels with using biometrics may vary, experts say the technology is here to stay. Using type-in passwords, which can be easily observed and copied, or found and stolen if they are written down, no longer is enough to meet security needs.