Schools Risk Theft of Social Security Numbers of Children
Schools are putting children at risk of identity fraud by obtaining their Social Security numbers when it is not required by law and often unnecessary, the Social Security Administration’s Office of Inspector General has concluded. Some school systems in at least 26 states collect the nine-digit identifiers when students from kindergarten through high school register for classes, even though the respective state does not require it as a matter of law, according to a report released last week. Read the full Washington Times article here.

Health Net Settles with Connecticut Over Data Breach
California-based Health Net has agreed to pay $250,000 to the state of Connecticut to settle a lawsuit brought by the state’s attorney general, Richard Blumenthal, who sued the company over a large-scale data breach in 2009. Nothing in the settlement addresses protection of physician data specifically, and it’s unclear how much identifying information about network physicians might have been lost along with patient information. Health Net, which sold its Connecticut business to UnitedHealth Group in December 2009, did not admit any wrongdoing but agreed to adopt new security procedures and to pay the state an additional $500,000 if between now and Nov. 30, 2011, it’s determined that the compromised data has been accessed and misused. Read the full American Medical News post here.

Should You Tell Shareholders about Breaches?
Federal law states that health companies have to disclose if they’ve suffered a data breach. Information security group ISACA doesn’t think that’s enough. Considering the reputational risk to enterprise, the association believes mandatory reporting should be included in the company’s regular accounting releases, such as quarterly and annual reports. There has been a lot of conversation about what consumers should know about breaches and what steps should be taken if personal information is at risk. Along that line, I think it is a good idea to keep shareholders informed on the company’s security efforts. Read the full IT Business Edge post here.

Former University of California Employee Pleads Guilty in Identity Theft Scheme
Cam Giang pleaded guilty in federal court today to one count of wire fraud and one count of use of a Social Security number in violation of the laws of the United States, United States Attorney Joseph P Russoniello announced. In pleading guilty, Giang, who was an employee of the University of California San Francisco Medical Center at the time of the offense, admitted that he obtained and used the personal information (i.e ., birthdates and social security numbers) of other UC employees to create accounts on the StayWell Health Management, Inc. website and complete online health surveys on behalf of those individuals without their knowledge or consent. Read the full press release here.

Former Credit Union Employee Arrested for Identity Theft
Mesa police arrested a former credit union employee who they said used a customer’s identity and her own address to apply for credit cards, court records state. An investigation into a reported credit card theft led officers to Esther J. Hulse, a former Arizona Federal Credit Union employee from Phoenix, Wednesday morning, court records state. The victim contacted police on June 22 after she received a call from Bank of America, thanking her for applying for a credit card online. Read the full AZ Central article here.

Child-Identity Theft Increases
Imagine applying for that first job, that first exciting credit card, that freshman-year college loan. Now, don’t. For more young adults, plans and hopes are being dashed because they are unwitting victims of identity theft at the hands of someone they know, usually their parents. It often happens when victims are too young to do anything about it, so it’s a crime that can go undetected for years. Read the full AJC story here.

Conn. AG Wants Teachers Board to Explain Lost Data
Connecticut Attorney General Richard Blumenthal says the state Teachers’ Retirement Board owes its members identity theft protection and an explanation after waiting six months to inform them of a lost flash drive containing retirement data. Blumenthal said Wednesday he is urging the board to give more than 58,000 members identity theft protection for two years and more details of how the drive vanished and exactly what information it contained. Read the full AP story here.

Bill Would Target Data Breaches
Two Senate lawmakers introduced a bill last Wednesday that would require financial institutions, retailers, federal agencies and others to do more to safeguard sensitive information and to investigate security breaches. The bill offered by Sens. Tom Carper, D-Del., and Robert Bennett, R-Utah also would require these entities to notify consumers when there is a “substantial” risk of identity theft or fraud becauase of a security breach involving their sensitive information. It would apply to retailers who take credit card information, data brokers who compile private information and government agencies that hold nonpublic personal information, according to a news release. Read the full National Journal article here.

AMR Breach Puts 79,000 Employees at Risk
In one of the largest data breaches in recent months, AMR, the parent company of American Airlines, said it’s in the process of notifying more than 79,000 current, former and retired employees that a hard drive containing their most sensitive personal information was stolen from its corporate headquarters in Fort Worth, Texas. The Associated Press reported the breach earlier this month. AMR (NYSE: AMR) officials told the AP that the purloined drive contained images of microfilm files that stored data such as employees’ names, address, birth dates, Social Security numbers and what it described as “limited” bank account information. Read the full eSecurity Planet article here.

Happy Monday!

According to Computerworld, among those expected at the meeting are Homeland Security Secretary Janet Napolitano, and Gary Locke, Secretary of Commerce and several industry representatives, including some from electric utility companies and the vendor community. President Obama is expected to “briefly” attend the meeting.

Well, it seems that the timing is right for such a meeting. They should have had this meeting several months ago? Why? The GAO recently slammed the White House Office of Science and Technology Policy for failing to live up to its responsibility to coordinate a national cybersecurity R&D agenda. As a result (according to the GAO Report), the U.S risks falling behind other countries on cybersecurity matters, and being unable to adequately protect its interests in cyberspace.

FedEx Loses 138,000 Patient Records
New York City Lincoln Hospital has suspended sending CDs via courier after a package containing seven containing detailed patient data was lost en route from its bill processing supplier Siemens Medical Solutions to the hospital. Siemens notified the hospital in early April that the package had gone missing some time between 16 and 24 March. Siemens said it was attempting to locate the CDs, which had been sent via FedEx and was lost while in its possession. Read the full IT News article here.

Cyber Threats Command Congressional Attention
mid amplifying alarms that the U.S. is unprepared for a cyberattack that could cripple electricity grids, shut down water and sewage systems or freeze up the financial system, momentum is building in Congress to pass major legislation to boost the country’s cyber defenses. But as lawmakers appear poised to act within months, privacy advocates are concerned about how much control a new law would vest in the federal government to monitor communications over private networks or to control the Internet in the event of an attack. Yet with CIA Director Leon Panetta recently calling a potential cyberattack one of the most underappreciated national security dangers, the need to do something is not in dispute. “A full-scale cyberattack,” Sen. Joe Lieberman, chairman of the Senate Homeland Security and Governmental Affairs Committee, said at a June hearing, “could lead to the death and injury of thousands of people, and could cost our economy billions of dollars.” Read the full San Jose Mercury News article here.

Ten Arrested in Multi-Million Dollar Mortgage Fraud and Identity Theft Enterprise
Attorney General Bill McCollum and the Florida Department of Law Enforcement (FDLE) Commissioner Gerald Bailey today announce the arrest of 10 members of a criminal mortgage fraud and identity theft operation. The group is charged with defrauding numerous financial institutions out of more than $8 million, and using the identities of unsuspecting individuals as part of the conspiracy to obtain the mortgages and properties. The arrests are the result of a four-year investigation conducted by FDLE’s Miami Regional Operations Center and the Attorney General’s Office of Statewide Prosecution. The individuals arrested face charges including racketeering, conspiracy to commit racketeering, grand theft, and title insurance fraud. Read the full RealEstateRama post here.

UPDATE: Connecticut Investigating Data Breach At Insurer WellPoint
Connecticut Attorney General Richard Blumenthal announced Friday his office is investigating an online security breach that may have exposed personal information about nearly 500,000 WellPoint Inc. (WLP) customers, including thousands in his state. A Democratic candidate to succeed Sen. Chris Dodd (D., Conn.), Blumenthal is requesting details about the breach and steps the largest health insurer in the U.S. by members has taken to protect the affected people and prevent future breaches. He also wants WellPoint to provide at least two years of credit monitoring and $25,000 in identity theft insurance to each person while saying they should be allowed to place a “security freeze” on their credit reports and be able to remove them at WellPoint’s expense. Read the full WSJ post here.

Security Breach Exposes Sensitive University of Maine Student Data
Hackers have compromised two University of Maine servers, hosting personal and clinical information of 4,585 students who received counseling services in the last eight years. The university plans to offer all affected individuals at least twelve months of credit monitoring services. The first server was breached at the beginning of March, the intruders using the newly gained access to compromise the second one shortly thereafter. The methods employed to carry out the attacks successfully have not been disclosed due to an ongoing investigation led by the University of Maine police department. Read the full Softpedia post here.

FTC Delay of Identity Theft Rules A Reprieve For Businesses
The Federal Trade Commission has once again delayed enforcing new regulations that would require lawyers, accountants, and a sweeping number of other businesses to have procedures for detecting possible identity theft. The agency said it will not begin enforcing its so-called “red-flag rules” until December 31, six months after they were supposed to go into effect. The delay gives business owners and others some breathing room while the FTC sorts out exactly who would be covered by the rules. Read the full Portfolio article here.

Data Breaches Persist in Healthcare
In September 2009, the Obama administration’s Health Information Technology for Economic and Clinical Health (HITECH) Act went into effect, requiring hospitals and other health care organization to beef up client data protections. Despite this, a recent study found that health care data is still hemorrhaging from peer to peer networks. A peer-to-peer, commonly abbreviated to P2P, is any distributed network architecture composed of participants that make a portion of their resources (such as processing power, disk storage or network bandwidth) directly available to other network participants, without the need for central coordination instances (such as servers or stable hosts). Read the full CIO post here.

Community Hospital of San Bernardino Fined for Data Breach
For violations of patient confidentiality, the state Department of Public Health fined Community Hospital of San Bernardino $325,000. The hospital was assessed a $250,000 fine for unauthorized access of 204 patients’ medical information by one employee. A fine of $75,000 was added after the facility failed to prevent the unauthorized access of three patients’ medical information in a separate case. Diane E. Nitta, the hospital’s administrator, said the hospital has “enhanced staff education efforts around patient privacy (and) put in place expensive security measures that guard against inappropriate access to our patients’ records. Read the full article from The Sun here.

Government Pushing to Control Internet
For the past decade, the federal government has been moving to gain effective control over the internet. Now, thanks to legislation just crafted by Sen. Joseph Lieberman of Connecticut, the government may finally realize its goal of being able to control virtually all aspects of the vast internet, including private internet systems. The decade-long process began in earnest in 2001, when the Bush Administration secured passage of legislation giving it jurisdiction to prosecute computer hackers anywhere in the world if the packets of information traveled through a U.S. computer or router and affected a “federal interest computer.” Read the full AJC post here.

U.S. Hampered in Fighting Cyber Attacks, Report Says
The U.S. government’s ability to counter cyber attacks against its nonmilitary computer systems is largely ineffective, according to a report from an internal watchdog released last week. The Homeland Security Department branch that monitors cyber attacks can’t force other agencies to protect their systems, is woefully understaffed and its ability to manage responses to cyber attacks has been hindered by constant turnover, said the department’s inspector general. The department’s U.S. Computer Emergency Readiness Team, known as US-CERT, also withheld data from other federal agencies that could have helped them address security breaches, the report found. Read the full WSJ post here.

Wanted: Young Cyber Experts to Defend Internet
Nationwide campaigns to steer youthful techies into careers defending the Internet are gaining steam. The federal government, education officials and giant military contractors are collaborating to recruit a new class of tech professional specifically trained to battle data thieves, online scammers and cyberspies. The recruitment tool of choice: competitions that pit tech-savvy youths in mock warfare against professional hackers. This year, the Collegiate Cyber Defense Competition drew teams from 83 colleges and universities, up from five schools in 2005. Boeing hired seven contestants to help defend its internal networks, which are prime targets for corporate and military spies. Read the full USA Today post here.

The Unreadiness Team
THE REPORT is chilling. Optimistically titled “U.S. Computer Emergency Readiness Team Makes Progress in Securing Cyberspace, but Challenges Remain,” it paints a disturbing picture of a national security disaster waiting to happen. The U.S. Computer Emergency Readiness Team, or CERT, established in 2003 to coordinate national cyber-defense efforts, is an arm of the Department of Homeland Security (DHS) tasked with “analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating cyber incident response activities.” But this vast responsibility has come with little and confusing authority. Read the full Washington Post Op-Ed here.

Quit Facebook Day was a Success Even as it Flopped
Quit Facebook Day may have flopped when it comes to creating a mass exodus of Facebook users, but those who care about privacy owe a debt of gratitude to the failed movement. If you’re still using Facebook after pledging to quit, you’re in good company. According to the organizers of Quit Facebook Day, only 31,000 angry Facebook users, out of an estimated 450 million, actually followed through with their pledge to delete their account on Monday (Quit Facebook Day). The day of protest was designed to send Facebook a message that its users were fed-up with surprise privacy changes. Read the full PC World article here.

Facebook Launches Privacy Page
Facebook, which is battling intense criticism over its handling of user privacy, has launched a page that provides updates on content, products and news stories related to online privacy. The new “Facebook and Privacy Page” is the site’s latest attempt to provide easier access to information on how users can restrict access to personal information. Facebook introduced the new page Thursday, one day after chief executive Mark Zuckerberg defended the site’s handling of privacy in an onstage interview at the D8 tech conference. Read the full InformationWeek article here.

Is Your Privacy Secure Online? There’s No Way to Tell
Long before Facebook got blamed for turning the concept of online privacy into a sick joke, I could tell that the Internet was going to make the control of one’s personal information a challenge. That moment arrived in the late 1990s, when I realized that my listed phone number, previously accessible only to those who knew enough about me to know where I lived and therefore which local phone book to check or which 411 operator to call, had become available to anyone capable of typing my name — and that’s all — into an online database. Read more of Michael Hiltzik’s LA Times column here.

U.S. Backs Talks on Cyber Warfare
The chief of the Pentagon’s new cyber-security command on Thursday endorsed talks with Russia over a proposal to limit military attacks in cyberspace, representing a significant shift in U.S. policy. The U.S. has for years objected to Russian proposals to establish a kind of arms-control treaty for cyber weapons, arguing that international cooperation should first focus on reducing cyber crime. Russia has been working to marshal support for a United Nations treaty to limit the use of cyber weapons, such as software code that could destroy an enemy’s computer systems. “What Russia’s put forward is, perhaps, the starting point for international debate,” Gen. Keith Alexander said Thursday at the Center for Strategic and International Studies, a Washington think tank. “It’s something that we should, and probably will, carefully consider.” Read the full Wall Street Journal article here.

Should Cybersecurity Reforms be Reformed?
Major cybersecurity reforms were included as part of the House Defense authorization bill passed last week. The provisions call for a permanent cyber office in the White House and a major overhaul of the 2002 Federal Information Security Management Act (FISMA). Jim Lewis is Director of the Technology and Public Policy Program at the Center for Strategic and International Studies. He was also the program manager of the Commission on Cybersecurity for the 44th Presidency. He joins us with his take on the proposed reforms. Listen to the exclusive FedNewsRadio interview here.

Data Breach Puts Kidney Dialysis Patient Info at Risk
For those of us who tend to think that data breaches happen far away and to everyone else comes this reminder from the public radio station right here in IT Business Edge’s hometown of Louisville, Ky. WFPL News reports the University of Louisville has alerted roughly 700 patients in the university’s kidney dialysis program that personal information, including their names and Social Security numbers, was briefly accessible outside of the program. University spokesman Mark Hebert explained the information was not password protected and was leaked to “the public domain on the Internet.” The dialysis program’s website has since been shut down, and the university has offered to pay for a year of credit monitoring for the affected patients, the story says. Read the full IT Business Edge story here.

Today we are speaking with Aftab Jamil, Partner in the Technology Practice at BDO. Listen to the full podcast below.

Don’t Be Surprised If More Businesses Start Asking You For Identification
Be prepared to pull out your driver’s license on your next visit to the dentist. And don’t be surprised if a retailer asks for a birth date or mother’s maiden name if it’s giving you credit for your big-ticket purchase. They’re just following federal rules to protect consumers from identity theft. Beginning next month, a wide range of businesses — auto dealers, cell phone companies, real estate agents, mortgage brokers, utilities and health care providers — must start complying with “Red Flag Rules.” The rules are meant to stop fraud before it happens by requiring certain businesses to look for signs that customers might be imposters and, if there are signs that they are, to take action. Read the full Baltimore Sun article here.

VA Reports New Data Breaches
The Veterans Affairs Department has notified lawmakers of two recent data breach incidents, according to a House committee aide. One breach was a contractor’s laptop that was stolen on April 22 and contained unencrypted personal information on 616 veterans. The second breach occurred this month and involved “thousands” of veterans’ personal information at a VA facility, according to the congressional source familiar with the breach, who spoke on the condition of anonymity. Both incidents occurred in Texas. VA chief information officer Roger Baker, however, said in a May 14 interview he was aware of only one breach involving the 616 veterans. He said Congress has not provided the VA with any information on a second incident. Read more from the Federal Times here.

New Mexico Medicaid Security Breach Puts Members’ Data at Risk
The New Mexico Human Services Department is informing about 9,600 members of its Medicaid fee-for-service and Medicaid Salud health plans that their personal information, including Social Security numbers, might have been compromised because of a computer data breach, Modern Healthcare reports. According to a news release, the department was notified of the breach on April 9 by DentaQuest, a dental health plan that provides benefits to New Mexico’s Medicaid beneficiaries. Read the full iHealthBeat article here.

Pentagon Works to Define Rules of Cyber Warfare
The U.S. military may never have a direct answer on when to fire back against a computer-based attack, a top Pentagon leader said Wednesday, reflecting the complex world of cyber warfare. James Miller, the principal deputy undersecretary of defense, said the Pentagon has been working through a range of scenarios, in an effort to come up with rules of war that will work in an attack that can be launched from continents away in milliseconds, and routed through innocent civilians’ computers by unknown assailants. “I do not think we’re going to have a single answer,” Miller said during a speech at Ogilvy Public Relations. He said officials may just have to use their judgment because there are “a lot of gray areas in this field.” Read the full AP story here.

White House Asks Public for Game Changing Cybersecurity Ideas
The Obama administration will open next week a web-based forum to discuss a cybersecurity research and development agenda, according to a notice published in the Federal Register on Thursday. The White House Office of Science and Technology Policy and the National Coordination Office for Networking and Information Technology Research and Development asked the public to submit comments for a “game change” initiative to boost the safety and security of the Internet, telecommunications and computer systems, according to the notice. The administration wants to focus on three areas: to build targeted areas within cyberspace to meet a range of security needs; to increase the cost of a cyberattack to the attacker and enable systems to operate in spite of threats; and to develop appropriate metrics and economic policies to encourage good security practices. Check out the full NextGov article here.

Cybersecurity Gets New Attention from the Hill
It was a year ago this month — May 29 to be exact — that President Barack Obama welcomed a standing-room only crowd to the East Room of the White House to announce his administration’s commitment to a comprehensive new approach to cybersecurity. Declaring that the status quo “no longer is acceptable,” Obama placed a cybersecurity stake in the ground by announcing a number of initiatives, perhaps the most visible of which was creating a new cybersecurity coordinator position to direct national cybersecurity policy from the White House. The new policy and the ceremony itself were greeted by many as an important victory — a sign that a serious and escalating concern had at last won the attention of the nation’s president. Read the full GSN article here.

Today, we are speaking with Mike Smoyer, President of the Digital Government Institute, along with one of the event’s speakers Karen Evans. Karen is the former Administrator for IT and E-Government at OMB, and Cybersecurity Commission Member for the Center for Strategic and International Studies. Karen will be giving a presentation titled “A Strategy to Develop and Effective U.S. Cyber Workforce” at the event. Listen to our exclusive podcast with Mike and Karen below.

As we have highlighted before on this blog, our biggest concerned about the National Broadband Plan is security portion of the public safety portion of the plan so we’re pleased about this latest development. This new certification program certainly is a response to reports of cyber attacks increasing over the past 12 months. According to The Hill, one firm told the commission that the total number of malware samples archived in its database last year reached 40 million — its highest point in 20 years.

The FCC is acknowledging that cyber security is an issue when it comes to the National Broadband Plan with this proposed certification program. But, our big question is…why is it voluntary? Shouldn’t it be mandatory? Isn’t there just too much at risk to do something of this scale on a “voluntary” basis?

The Hill also stated that the FCC envisions its system as completely voluntary, “but that by agreeing to participate, such communications providers would be bound by the program’s rules.” So, ISPs that agree to participate will be bound by stringent rules. Hmmm…who wants to place bets on how many ISPs will actually step up to the plate? We figured you wouldn’t take that bet.