Posts Tagged identity theft

Federal Data-Protection Law

On the surface, this sounds like good news. Basically, it’s a bill that would create a national standard for protection of data, and would require notification of breaches of sensitive data. Data breaches, data sharing, and data theft have become FAR too common, and businesses and the government have treated it very lightly. So, I’m hoping this new bill would help resolve it. Of course, I’m also hoping the government hasn’t added a ton of pork or liberty-killing bills dog-eared with this bill. :-p

Federal data-protection law inches forward
The Personal Data Privacy and Security Act was approved by the Senate Judiciary Committee

A sweeping new bill that would implement a national standard for data protection and breach notification got a boost of support today from the Senate Judiciary Committee.

The committee approved the Personal Data Privacy and Security Act of 2009 (S.1490) by a vote of 15-5. The bill is now headed to the full Senate for consideration.

If it becomes law, the bill, which was introduced by Sen. Patrick Leahy (D-Vt.), would require companies and government agencies to follow specific rules for protecting sensitive and personally identifiable data.

Under the proposed law, all private and government entities handling sensitive data would be required to implement specific risk assessment and vulnerability testing measures. They also would be required to deploy measures for controlling access to sensitive data, detecting and logging unauthorized accesses to the data, and protecting data while it is in transit and at rest.

The bill would introduce a federal breach-notification standard under which companies would be required to notify not just individuals affected by a data breach, but also, in some cases, credit reporting agencies and the U.S. Secret Service. It would establish a new Office of Federal Identity Protection within the Federal Trade Commission and stiffen penalties for identity theft and related fraud.

The law would also provide notification exemptions for companies that have taken adequate measures — such as encryption — to protect sensitive data. Companies would also not be required to immediately disclose a breach if it would hinder a criminal investigation. But such exemptions would need to be vetted by the Secret Service. The law provides for penalties against executives of companies that willfully conceal a data breach.

Here’s hoping we see some change….

Another Security Breach: Health Net of Northeast Inc.

I don’t have anything to add. I’ll only get angrier than I am. This story just speaks for itself.

Health Net says 1.5M medical records lost in data breach

November 19, 2009 (Computerworld) A hard drive with seven years’ worth of personal financial and medical information on about 1.5 million customers of Health Net of the Northeast Inc. was reported missing to state officials yesterday — six months after the drive went missing.

Along with medical records, the hard drive contains names, addresses and Social Security numbers of Health Net customers from Arizona, Connecticut, New Jersey and New York. Connecticut has data breach laws requiring individuals be notified of the loss of their personal data without reasonable delay.

The data loss, which occurred in May, was only reported by the insurance company to the Connecticut state attorney general’s office and the Department of Insurance yesterday. The device containing the data was an external, portable hard drive. The data had not been encrypted.

Health Net, based in Shelton, Conn., had no information about the data breach on its Web site.

Connecticut Attorney General Richard Blumenthal said his office is investigating the data breach. “Health Net’s incomprehensible foot-dragging demonstrates shocking disregard for patients’ financial security, as well as loss of their highly sensitive and confidential personal health information,” he said in a statement.

“Shocking disregard” is an understatement. After such things happening AGAIN and AGAIN.. ya just come to the point where you wonder if these companies are doing it on purpose?! I mean, HOW MANY TIMES can companies constantly “lose” very, very important data????

All they are offering people is a free year of credit report checks. Big whoop. There should be a financial disincentive for such security breaches, like $10,000 per customer whose information has been “lost.” I’ll betcha we’d see the government and companies quit fooling around and shape up REAL fast.

Health Net of the Northeast is a subsidiary of managed health care provider Health Net Inc., based in Woodland Hills, Calif. Health Net Inc. is a $15.3 billion company that provides managed medical coverage to some 6.7 million customers in the U.S.

Health Net of the Northeast currently has about 580,000 members and a physician network comprising more than 160,000 doctors, 5,440 pharmacies, and 244 hospitals throughout Connecticut, New York, New Jersey, and Pennsylvania.

Banks Are Just BEGGING For Identity Theft

WHAT a disgusting disgrace! Bank Sends Sensitive E-mail to Wrong Gmail Address, Sues Google.

A Wyoming bank sent an e-mail containing sensitive customer data to the wrong Gmail account, and now wants Google to reveal the identity of the account holder who received the data.

According to a court document in the case, in August a customer of the Rocky Mountain Bank asked a bank employee to send certain loan statements to a representative of the customer. The employee, however, inadvertently sent the e-mail to the wrong Gmail address. Additionally, the employee had attached a sensitive file to the e-mail that should not have been sent at all.

The attachment contained confidential information on 1,325 individual and business customers that included their names, addresses, tax identification or Social Security numbers and loan information.

After realizing what he’d done, the employee “tried to recall the e-mail without success.”

When that didn’t work, the employee sent a second e-mail to the recipient instructing the person to delete the e-mail and attachment “in its entirety” without opening or reviewing it. The employee also asked the recipient to contact the employee to “discuss his or her actions.”

Silence ensued.

That’s when the bank sued Google to identify the recalcitrant recipient.

I am NO fan of Google, but if this bank thinks that suing Google for the identity of the email recipient is going to solve anything, they are nutso.

Let me get this straight: the employee EMAILED all this sensitive information?! :-O

Do you have any idea how many hands an email passes through to get to the recipient? Emails are NOT secure, not at all. I am appalled that Social Security numbers and bank account numbers are strewn across the Internet and FAX machines. Are the banks just BEGGING to be stolen from? I know that banks (and government bureaus) do this stuff all the time. So what! So the bank employee sent it to the wrong person. He never should have sent it AT ALL.
