Privacy and Information Security In the News -- Week of January 4, 2006

January 4, 2006

Happy New Year! After taking time to celebrate the holidays (and work on closing year-end matters) we are resuming our publication of Privacy and Information Security In the News with a special edition – “2005: Privacy and Information Security By the Numbers.” This special issue is posted on our Web site at this link.

January 5, 2006

Sober Worm to Spew Nazi Propaganda Today?

Today is the day that the Sober worm is predicted to make its reappearance. In December, In the News linked to articles explaining that the Sober worm, which was spread widely in November in an email that purported to come from the FBI, was programmed to come to life today and to direct infected computers to spew out spam e-mails calling for the reinstatement of the Nazi party in Germany. See “Sober Worm Slows E-mail Traffic; Prepares to Spread Nazi Propaganda,” In the News, December 8, 2006. According to CNet News, security experts predict little impact for the worm, since systems administrators and antivirus firms have had so long to prepare for it. “Experts: Sober time bomb's under control,” Jack Kapica, writing in the Toronto Globe and Mail, discusses the Sober worm’s sordid history. “Sober ready for reappearance,”

Online Retailers Lag in Meeting Data Protection Rules

Internet Retailer reports on a survey of online retailers that shows that only 3 percent comply with the data protection rules of MasterCard International, Visa U.S.A., and American Express Co. that went into effect six months ago. Twenty-six percent of the survey respondents said they had not yet begun the process of complying. Another 19% said they had just begun. Failure to comply can result in penalties of $500,000 or in a retailer being permanently barred from accepting credit cards. “6 months after deadline, many e-retailers lag in card data security,”

H&R Block Prints SSNs on Envelope

H&R Block has advised customers that a December mailing to them showed their Social Security number on the envelope. The number appeared as part of a long string of characters and was not formatted like a Social Security number (123-45-6789). For this reason, Block says there is little risk of identity theft resulting from the breach. Block would not disclose how many customers were affected, but said the error occurred in only 3 percent of its mailing. “H&R Block blunder exposes consumer data,”

Computers Stolen from Clinic Held Sensitive Consumer Information

The University of Pittsburgh Medical Center has alerted 700 patients that sensitive information about them, including Social Security numbers but not medical records, was breached when six computers were stolen from one of the Medical Center’s offices. “Computers with patients' information stolen from office,”

Predicting 2006

The Electronic Privacy Information Center has predicted that the following will be the top privacy stories for 2006:

  • Nomination of Samuel Alito
  • Future of REAL ID
  • "Welcome to the US. Fingerprints, please."
  • Workplace Privacy
  • Student Privacy
  • Location Tracking
  • New Revelations About Government Datamining
  • Wiretapping the Internet
  • DNA Databases and Genetic Privacy Legislation
  • Data Broker Regulation

EPIC offers an explanation for each prediction in the Alert that appears at

January 6, 2006

New York Warns Against New Credit Card Security Code Scam

The New York State Banking Department has alerted consumers to a new scam aimed at tricking them into revealing the three-digit security code on the back of their credit cards. The security code, known as the CVV number, is used by legitimate merchants to verify that customers making purchases by telephone or over the Internet actually have possession of the card. In the scam, a thief who has obtained the consumer’s credit card number calls the consumer posing as a representative of the security and fraud department of the credit card issuer. The thief reports that the consumer’s card has been flagged because of unusual activity in a certain amount. When the consumer denies any involvement with the activity, the thief explains that the consumer’s next credit card statement will show the unusual transaction and gives the consumer a phony control number to document a fraud claim. The thief then asks the customer to verify that the card is in the consumer’s possession by providing the CVV number. According to the alert, the thief then typically uses the CVV number and stolen credit card number to make a purchase in the amount of the supposed unusual transaction. When the charge appears on the consumer’s statement, the Banking Department says, the consumer will not be immediately concerned because the thief had already said it would be there and had taken a phony fraud claim to have it removed. “Banking Department Warns Against Credit Card Security Code Scam,”

Chicago Police Warned of Sale of Personal Phone Records

The Chicago Police Department is warning its officers that records of their telephone calls are freely available for purchase on the Internet, raising the prospect that criminals could use phone records to identify undercover officers or a government informant who calls a police officer. According to a bulletin issued by the Department, undercover officers need to be particularly concerned if they occasionally call personal numbers such as home or the office from the phones they use in their undercover work. The story, in yesterday’s Chicago Sun Times, recounts how easy it is to go to a site like to order phone records. “Anyone can buy cell records,”

In November, In the News linked to an article in Macleans, a Canadian news magazine, in which the magazine reported on the easy availability of telephone records. Macleans went and purchased the private phone records of Canada’s Federal Privacy Commissioner, obtaining detailed lists of the calls made from her Montreal home, her vacation home, and her government-issued BlackBerry. See “Phone Records of Canadian Privacy Commissioner Easily Obtained from U.S. Data Brokers,” In the News, December 16, 2005.

ISP Awarded $11.2 Billion Judgment Against Spammer

An Internet service provider (“ISP”) won an $11.2 billion judgment against a Florida man who it alleged sent more than 280 million illegal spam messages using the ISP’s network. In 2004, the ISP was awarded a total of $1 billion against three other spammers. The ISP brought the case under an Iowa state law prohibiting spam. “Spammer Must Pay $11.2 Billion,”

FTC Settles Claims Against Bogus Anti-Spyware Firms

The Federal Trade Commission yesterday announced settlements against two businesses that made bogus claims in promoting spyware detection products that were not effective. The two businesses agreed to disgorge $2 million they earned with their schemes. One of the two companies was banned from selling or marketing any anti-spyware product or service in the future. “Two Bogus Anti-spyware Operators Settle FTC Charges,”

Dozens of Federal Agency Websites Track Users in Violation of Federal Policy

According to Cnet News, dozens of federal agencies have tracking cookies on their websites in violation of a 2003 government directive. The 2003 directive prohibits government agencies from tracking website visitors. But a broad variety of sites, from the Department of Defense to the Smithsonian Institution, place cookies on a visitor’s computer that do not expire for a decade or more. Information gleaned from the tracking cookies, says Cnet, could be used with information obtained from other sites to profile the visitor’s online behavior. Those government agencies that spoke with Cnet said they did not use the data to track cross-site traffic. Several claimed they were unaware of the existence of the cookies. “Government Web sites follow visitors' movements,”

Judges Seek Answers on Warrantless Surveillance Program

Judges on the federal Foreign Intelligence Surveillance Court will receive a briefing from officials in the Justice Department and the National Security Agency on the controversial program to intercept certain telephone calls and email messages without the court’s permission. The court was established in 1978 to hear requests by the National Security Agency to conduct surveillance of people in the United States. After the 9/11 attacks, President Bush authorized the National Security Agency to intercept international phone calls and e-mails where one party was in the United States. According to the Washington Post, several of the judges are concerned that information that the National Security Agency intercepted without a warrant was later presented to the court to gain permission for additional wiretaps. Only the chief judge of the court had been notified of the eavesdropping program. In 2004, she raised the concern about the use of tainted evidence to obtain warrants. Attorneys representing defendants convicted of aiding foreign terrorist groups have asked federal prosecutors whether tainted evidence was used in the investigations of their clients. “Surveillance Court Is Seeking Answers,”

Expert Bemoans State of Computer Security

Eugene Spafford, professor of Computer Sciences and a professor of Electrical and Computer Engineering at Purdue University, spoke yesterday as part of Calvin College’s prestigious January Series. In an hour-long address, Spaf, as he is known, painted a grim picture of the state of computer security. He cites a “massive overload of vulnerabilities” in commonly deployed software and says new ones are reported at the rate of 20 a day. He attributes our security problem to many factors, including the faulty design of software, a “culture of patching,” insufficient expertise in the field of information security, and a lack of money being spent on research and development. He notes that only 60 to 75 persons receive Ph.D.s in information security each year, compared to 45,000 who receive MBAs annually, and 75,000 who become lawyers.

Spafford argues that our failure to devote adequate resources to research and development is a matter of national security. According to Spafford, the Department of Homeland Security has not devoted sufficient resources to protect critical systems such as the utility grid and banking networks. Of the DHS’s research budget of $1.3 billion, less than one percent ($16 million) is used for cybersecurity research. Of that, only $2 million pays for actual research. The other $14 million is used for acquisitions. Says Spafford, “DHS is spending more right now to ensure you don’t take a pair of fingernail clippers on planes than they are at protecting computer systems in the United States.”

A recording of his lecture, entitled “You're Almost on Your Own: The State of Computer Security,” is available online at

Sober Worm Update

Computer Weekly reports that the Sober Worm was “unleashed” last night, but that there have been no reports of major problems. “New Sober Worm Is Unleashed Today,”

Note: Current and past issues of In the News are now available online at this link.

This message is provided by the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP to advise you of recent developments in the law affecting privacy and data security. Because each business situation is different, this information is intended for general information purposes only and is not intended to provide legal advice on any specific facts and circumstances.

Warner Norcross & Judd LLP ( is a full service law firm with four offices in Michigan. Our Privacy and Information Security Taskforce includes lawyers from across the firm’s practice areas who work together to help businesses ensure the security of their information systems and electronic data and to assist businesses who have experienced a data breach to limit their liabilities and prosecute hackers and data thieves. For information about the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP, e-mail Rodney Martin at or write him at Warner Norcross & Judd LLP, 111 Lyon Street NW, Grand Rapids, MI 49506.

"Privacy and Information Security In the News" is a free publication of Warner Norcross & Judd LLP and its Privacy and Information Security Taskforce. You can choose to receive it either daily (usually by 9 a.m. each weekday) or weekly (usually by 9 a.m. on Friday morning). If you would like to receive this publication, please respond to this e-mail and let us know the frequency at which you would like to receive it. If there are others in your organization who should receive "In the News," either include their names and e-mail addresses in your message or forward this message to them so they can respond.
