Privacy and Information Security In the News -- Week of July 18, 2006

Rodney D. Martin

July 18, 2006

A note about broken links: In the News links to current stories at various news sources on the Internet. Over time, some of the links may become broken when a source removes the stories from its pages. Often you can find the same story at another source by searching the title and author of the article. If you have questions about a link, send us an e-mail by clicking here.

Identity Thieves Increasingly Prey on Persons with Ethnic Names

The Chicago Sun-Times reports that identity thieves are increasingly stealing the identities of ethnic Americans and legal residents so they can forge documents enabling illegal immigrants to work. According to the Sun-Times, people learn that their identities have been stolen "after getting letters from the IRS saying they owe back taxes on jobs they never held, being denied unemployment benefits because state records show they are gainfully employed at more than one job, or when they lose their public assistance benefits because of income they're supposedly earning." The Illinois Attorney General's Office says that 80 percent of work-related identity theft complaints have involved victims with Hispanic, Polish or Asian last names. Also increasing are instances where identity thieves steal the identities of children – often the children of family and friends. The article quotes Jay Foley, the director of the nonprofit Identity Theft Resource Center, who says, "The beauty for an ID thief is that when they're dealing with a child, they get to establish the identity . . . The thief could be a stranger or a relative—maybe even a parent who has convinced themselves that using the child's number to help get the family out of debt is in everyone's best interest." "Identity thieves target common ethnic surnames," http://www.suntimes.com/output/news/cst-nws-idtheft16.html

California Court Says Both Parties Must Consent to Recording of Phone Calls

California's Supreme Court has ruled that all parties to a telephone call must consent before a caller can record a telephone conversation with a resident of California, even if the caller is from a state that allows a conversation to be taped based on only one person's consent. Business interests, including the Chamber of Commerce of the United States, had argued that California's statute interfered with interstate commerce and should not be enforced. The decision of the Court overturned the opinions of the lower courts, which had dismissed a case brought by two California residents against Citicorp. Recognizing that companies may have reasonably relied on the laws of other states where they were located to authorize the recording, the court determined not to apply the decision retroactively. However, the court's decision states, "out-of-state companies that do business in California now are on notice that, with regard to future conduct, they are subject to California law with regard to the recording of telephone conversations made to or received from California, and that the full range of civil sanctions by California law may be imposed for future violations." "Calif. Supreme Court Sides With State's Privacy Law," http://www.law.com/jsp/article.jsp?id=1152867929640

Northwestern University Data Breach

Northwestern University has sent letters to 17,000 students who applied to attend the school informing them that personal information about them may have been stolen by someone who hacked into computers in the school's Office of Admissions and Financial Aid. The computers contained sensitive information about student applicants, including social security numbers. "Hackers breach Northwestern computers," http://www.chicagotribune.com/news/custom/newsroom/chi-060714nu-hacked,1,5329380.story?coll=chi-news-hed

July 19, 2006

Federal Agencies Propose Rules to Address Identity Theft Red Flags, Change of Address Requests, and Address Discrepancies

Federal bank and thrift regulators, the National Credit Union Administration, and the Federal Trade Commission yesterday jointly published proposed regulations that would require financial institutions and creditors to establish a risk-based identity theft prevention program that identifies potential red flags for identity theft and establishes policies and procedures to prevent and mitigate the identity theft risk with respect to new and existing accounts. The regulations would require that the program be developed and implemented under the oversight of the board of directors, an appropriate committee of the board, or senior management, and that the board approve a written program. The institution's staff must then report to the board at least annually regarding compliance with the program.

In developing its potential red flags, an institution would be required to consider:

  • Which of its accounts are subject to a risk of identity theft;
  • The methods it provides to open those accounts;
  • The methods it provides to access those accounts; and
  • Its size, location, and customer base.

The institution would then be required to establish procedures its staff must follow in the event that a red flag is detected. An appendix to the proposed regulations lists 31 potential red flags. An institution's program must at a minimum incorporate any red flags listed in the appendix that the institution determines are applicable to its circumstances. It is incumbent upon the institution to determine which red flags, either alone or in combination with other reliable factors, apply to the institution's situation.

The proposed regulations would also require an institution that issues a debit or credit card to establish procedures to assess the validity of a request it receives to change the address of the cardholder if that request is followed a short time later by a request for an additional or replacement card for the same account. The card issuer would be prohibited from issuing the card without first following its procedures to assess the validity of the request.

Finally, the proposed regulations address the circumstance where a user of a consumer report receives a notice from the consumer reporting agency that there is a substantial difference between the address that the user provided to request the credit report and the address in the consumer reporting agency's file on the consumer. Upon receiving such a notice, the user must take steps to establish a reasonable belief that it knows the identity of the consumer. (Following the procedures set forth in a Customer Identification Program under the USA Patriot Act will satisfy this requirement, even if the institution itself is not subject to the CIP rules.) The user must then provide the consumer reporting agency with the address that it has verified.

Comments on the proposed rules must be submitted by September 18, 2006. The proposed regulations can be found online at http://a257.g.akamaitech.net/7/257/2422/01jan20061800/edocket.access.gpo.gov/2006/pdf/06-6187.pdf

July 20, 2006

Proposals Raise Concerns of Some Educators

Educators are concerned about the impact of two proposals of the federal government. The first is the Federal Communications Commission's requirement expanding the scope of the 1994 Communications Assistance for Law Enforcement Act (CALEA) to require broadband wireless providers and providers of Voice over Internet Protocol ("VoIP") services to incorporate into their systems the wiretapping capabilities that are required of traditional phone companies. See "FCC Wiretap Order Threatens p2p Internet Telephony," In the News (October 21, 2005). If applicable to colleges and universities, which offer broadband service to their students and faculty, the schools would be required to modify their systems to allow government surveillance. The cost for colleges and universities to comply was originally estimated to be $7 billion. That estimate has been revised downward to about $400 million, or $30,000 to $100,000 per affected campus.

The second proposal would create a national student database to track student performance. The database would identify students by their social security numbers. According to eSchool News Online, "[t]he database would include information on a student's course load, major, financial aid level, and graduation status as well as name, date of birth, gender, race, and social security number--albeit with a unique 10- or 14-digit identifier." Privacy advocates cite recent security lapses by government agencies to support their concern that the database could threaten students' privacy. Supporters of the proposal point out that 39 states already have such databases. "Schools in internet privacy battles," http://www.eschoolnews.com/news/showStoryts.cfm?ArticleID=6444

Privacy Commissioner Reviews Possible Changes in Canadian Privacy Law

The Canadian Office of the Privacy Commission has published a discussion paper concerning one of the country's major privacy laws, the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA requires that Parliament review the act every five years. The Commissioner addresses a number of areas in which the act may need reform, including the need to get consent (PIPEDA is a consent-based act) before sharing information about consumers with a potential merger partner, whether PIPEDA should include a duty to notify consumers of a data breach involving their information, and whether PIPEDA needs to impose greater responsibilities on Canadian companies that outsource data processing beyond the country's borders (currently PIPEDA requires a company to use contractual or other means to provide a level of protection comparable to that required in Canada by PIPEDA). The discussion paper can be found at http://www.privcom.gc.ca/information/pub/pipeda_review_060718_e.asp. Thanks to David T.S. Fraser of the Canadian Privacy Law Blog for calling this paper to our attention. "OPC issues PIPEDA Review Discussion Document," http://www.privacylawyer.ca/blog/2006/07/opc-issues-pipeda-review-discussion.html

Government Data Mining Continues After Congress Terminates Program

USA Today reports that the government continues to develop and use data-mining software developed in what was called the Total Information Awareness project, even though Congress pulled the plug on the project three years ago because of concerns the program intruded on the privacy of Americans. According to USA Today, the "software is designed to find links between terrorism suspects and previously unknown people; track the international flow of money, operatives and materials; and search for clues in the worldwide communications over phone lines, wireless connections and Internet links." The administration maintains that the ongoing program falls within exceptions created by Congress when it passed legislation shutting down the program in 2003. "Feds sharpen secret tools for data mining," http://www.usatoday.com/tech/news/techpolicy/2006-07-19-data-mining_x.htm?csp=34

July 21, 2006

Surveillance Case against AT&T Can Proceed, For Now

A federal judge ruled yesterday that the Electronic Frontier Foundation can continue to pursue a civil lawsuit against AT&T for providing the National Security Agency with access to customer records as part of the spy agency's controversial surveillance program involving telephone calls made by or to persons in the United States. The government had argued that the case should be dismissed under the state secrets doctrine, because to adequately defend itself AT&T would have to reveal state secrets. The judge said that for now the case can go forward. He said that the government had opened up the inquiry by acknowledging the existence of the program and describing some of its details, such as the fact that the program monitored only calls between the United States and foreign countries. The judge also dismissed a motion by AT&T, which argued that it had immunity because it was cooperating with the government. "Judge Declines to Dismiss Privacy Suit Against AT&T," http://www.nytimes.com/2006/07/21/washington/21data.html

Bob Sullivan, who blogs at MSNBC, analyzes the opinion and is careful to note that the decision does not mean that the case will not later be dismissed to prevent the disclosure of state secrets. Writes Sullivan, "While [the judge] ruled the potential compromise of state secrets did not preclude the judicial branch from entertaining the case, a state secret defense may prevent most evidence from being admitted. The judge clearly signaled he would tread carefully in the discovery phase.

"'The court also must take special care to honor the extraordinary security concerns raised by the government here,' he said. He's so concerned about the issue that he suggested appointing a special adviser with high security clearance to advise the court on procedural issues." "Wiretapping ruling hints at legal strategies," http://redtape.msnbc.com/2006/07/a_federal_judge.html


This message is provided by the Privacy and Information Security Task Force at Warner Norcross & Judd LLP to advise you of recent developments in the law affecting privacy and data security. Because each business situation is different, this information is intended for general information purposes only and is not intended to provide legal advice on any specific facts and circumstances.

Warner Norcross & Judd LLP (www.wnj.com) is a full-service law firm with four offices in Michigan. Our Privacy and Information Security Task Force includes lawyers from across the Firm's practice areas who work together to help businesses ensure the security of their information systems and electronic data and to assist businesses who have experienced a data breach to limit their liabilities and prosecute hackers and data thieves. For information about the Privacy and Information Security Task Force at Warner Norcross & Judd LLP, e-mail Rodney Martin at rmartin@wnj.com or write him at Warner Norcross & Judd LLP, Suite 900, 111 Lyon Street NW, Grand Rapids, MI 49503.