Lost Or Stolen Laptops Containing Personal ID Databases

Introduction

2009 was a year of technology growth for the Internet, and also for the criminal organizations that exploit advances in technology to commit identity theft. What we saw in 2009 was an increase in criminal sophistication and planning. Criminal organizations are outsourcing the development of malware and network sniffing programs to software developers in countries that are willing to be an accessory to criminal program development regardless of the damage or consequences. Because of international and political complexities, tracking and neutralizing this type of activity is almost, if not entirely, impossible. The result is a playing field where both sides have the same weapons and strategies. Where does that leave the consumer? Right in the middle, as the victim.

2009 also showed an increase in lost or stolen laptops, desktop computers and USB storage media containing PII (Personally Identifiable Information). The question that arises is "Why is this information on the laptop or portable media in the first place?" For a few years now this same issue has come up in security discussion groups, and the general consensus is the same: the data should be kept on secure servers, and the laptop or desktop should only access and operate on the database on the secure server, eliminating any replicated copy of the data on the laptop or desktop that could be compromised.

A breached database containing customers' personal identities. A misplaced laptop holding veterans' service records. Credit card information transmitted over a hacked wireless network. In the age of information technology such occurrences are both common and costly, touching the United States economy for hundreds of billions of dollars over the past few years.
But behind the figures, and the ones and zeroes of the binary world, are real people: victims of identity theft who struggle to regain their financial state of mind and their reputations. And the problem is only getting worse. Dedicated cyber criminals are finding willing partners in foreign governments, giving the criminal extensive resources to penetrate corporate networks and steal sensitive information. Unfortunately this leaves consumers, who are required to share personal data with merchants and financial institutions almost daily, caught in the middle and asking, "What is being done to protect my interests, and who is accountable when those measures fail?"

It is interesting that within the security arena many agree that laptops and desktops should not contain PII databases; however, as the recorded incidents of stolen laptops and desktops with PII rise, it is obvious that the security policy agreed on and understood is either not in place or simply ignored. Why? One reason, covered in the previous blog on Secure Servers, is that the industry justifies the omission by the cost of encryption. What encourages this lack of security behavior? One area is accountability. The public, who are the victims of this reckless neglect, have nowhere to turn for retribution because companies are not held accountable to the individual for the data lost.

Laptops and many computers today become obsolete about six months after purchase, so stealing them for resale is a difficult way to make money. The information contained on them is generally worth more than the hardware itself, making the information the prime target. Even if the data is encrypted in a database, there is no guarantee that there is not a buffer file that has been decrypted as a working data area, as with most encryption programs. Also, with today's computing power, breaking encryption and obtaining access information is alive and well.
Many companies have disciplinary procedures, up to and including dismissal, for the mishandling of laptops and other information storage devices. This is a good start in implementing security policies and putting accountability on the table for all to understand. Part I will look at the overall picture of the issues and some high profile cases. Part II will address the full legal side of this dilemma and attempt to organize the legal and technical facts for the public to review, so they can understand their legal rights and available options.

Where Does The Legal System Stand On PII Accountability?

We (4thDT Security) have been following security breaches for several years now, and the one common issue that always arises is the concern of accountability: is there any, and if so, where in the process is it? One question that has come up several times in discussions of security breaches is: could the general public file a class action suit against the corporations that hold PII that may be used for identity theft? This enters the legal system and becomes a "what are the legal rights" issue. These legal issues require some legal research, so we went to the best place, a law college. Many technology security experts, including myself, have to learn the law as we move forward, since law was not our main field of interest. We asked Adam-Paul Tuzzo, a Suffolk University Law School student, to help us research the legal issues and what protection(s) currently exist within the legal system to protect the public or end user. We will discuss the security and legal procedures in more depth in Part II; however, to establish the proper mind-set for both law and security, note that the basic elements of a civil negligence claim are duty, breach, and damages. The simple reasoning is that unless your identity is stolen and you have suffered or do suffer some form of damages, you have no case, since no crime has been committed that affects your current status.
Yes, the corporation failed to secure your PII, and maybe it made corrections after the fact and allowed you to monitor your credit report for a year. What happens after that year, or even two years?

Legal Statutes

Congress responded with 15 U.S.C.A. 1681, the Fair and Accurate Credit Transactions Act (FACTA), which codified standards for addressing identity theft and the ensuing fraud. Upon request by the consumer, FACTA requires credit reporting agencies to disclose that the individual may be the victim of identity theft. In turn, prospective creditors who receive a fraud alert are prohibited from extending credit under the consumer's name without taking reasonable measures to ascertain the true identity of the person making the request. Additionally, credit reporting agencies are required to share fraud alerts with other credit reporting agencies and to provide identity theft victims with free credit reports. FACTA also allows credit reporting agencies to block from credit reports any information the consumer identifies as resulting from an instance of identity theft. Victims of identity theft are afforded the opportunity to bring a federal suit against parties who fail to comply with FACTA. Parties who knowingly fail to comply with the statute may be liable for damages up to $1,000, punitive damages awarded by the court, attorney fees, and court costs. However, for negligent non-compliance the law limits damages to the amount the consumer actually suffered as a result of the failure, plus court costs and attorney fees. Therefore, identity theft victims can sue credit reporting agencies for failing to report accurate information or for failing to take the prescribed measures for preventing identity theft. However, FACTA fails to address the company that negligently maintains private information databases and allows a hacker to acquire the personal information of hundreds of thousands of unsuspecting consumers.
The Latest Court Case and Settlements

The latest case study is the Heartland Payment Systems security breach back in January 2009, where in December 2009 the judge ruled in favor of Heartland and dismissed the class action suit against them, because the stockholders failed to produce sufficient evidence under the PSLRA (Private Securities Litigation Reform Act). What is interesting is that another suit, Heartland vs. American Express, for the same breach was settled with a $3.6 million payment from Heartland. What is interesting in this case is that with 130 million names exposed, the settlement only allows 2,500 claims, and only for a short fixed time frame, with a lengthy process to register the claim. The other interesting part is that AE gets more compensation than the victim (the account holder), and there is no protection for the other accounts the victim holds if they are stolen as well, nor for the account holder's identity. In the Heartland Visa settlement, Heartland has agreed to pay up to $60 million to cover losses caused to Visa Inc. This month's Visa settlement and last month's AE settlement are business-to-business settlements which cover consumer write-off losses on charges, which is what protects the consumer. The thieves did get off with about $50 million in damages recorded to date for this incident. The losses not only have to cover the stolen products but also the administration time and expense to make changes to prevent this from happening again. There are more claims being pursued against Heartland, from smaller banks and affiliations, that will continue for some time.

An Alleged Compliance Issue Or Not?

Another interesting situation involved a Binghamton University reporter from WHRW News who went into an open room that contained PII (student information, SSNs, parents' tax forms, etc.) stored in an unlocked room where the door lock was taped open, in plain view of anyone passing.
Initially the university appreciated being informed of the security vulnerability, until the reporter decided to go public with the information. Video of the breach is on YouTube. The university advised the reporter not to air the breach until he talked to a lawyer, since the university was contemplating pressing charges against the reporter. The fact remains that the door was taped open in a high traffic area of the university, where anyone could easily enter without suspicion, which shows the extent of the problem.

Part I Summary

In summary, the courts decided to take the matters out of the hands of the public and put them in the hands of the businesses. From the Heartland case alone, businesses seem to be able to recover as well as claim this loss to the IRS. The public, whose information is out there in the hands of criminals to act on at will, has little or no defense until after the fact, as well as very limited financial resources to recover. The above are just a couple of cases that have caused concern about accountability. As a final note for Part I, the article Why Compliance Is Not Enough shows that the network security playing field is growing more sophisticated. Part II and beyond will cover other security procedures and laws that courts allow between business and business and between business and consumers concerning PII security breaches, as well as the protection of trade secrets and intellectual property. Part II will look at the law in depth, from action to consequence, along with a few other legal cases. The table below shows a summary of the incidents, from MITM (Man-In-The-Middle) hacks to lost/stolen information.

A Decade Summary of Lost / Stolen Data
| Year | Hacked (records) | Lost/Stolen (records) | Lost/Stolen (incidents) | Hacked (incidents) | Total Records |
|---|---|---|---|---|---|
| 2000 | 321,700 | N/A | N/A | 5 | 321,700 |
| 2001 | 144,500 | 36,000 | 1 | 5 | 180,500 |
| 2002 | N/A | N/A | N/A | N/A | N/A |
| 2003 | 5,113,450 | 605,000 | 3 | 5 | 5,718,450 |
| 2004 | 870,000 | 965,000 | 5 | 8 | 1,835,000 |
| 2005 | 42,851,984 | 1,048,673 | 32 | 46 | 43,900,657 |
| 2006 | 3,949,162 | 33,149,217 | 172 | 71 | 37,098,379 |
| 2007 | 101,713,401 | 4,921,173 | 139 | 66 | 106,634,574 |
| 2008 | 13,332,412 | 2,966,762 | 173 | 101 | 16,299,174 |
| 2009 | 131,763,898 | 1,802,786 | 58 | 40 | 133,566,684 |
| 2010 | 1,663,988 | 9,863,638 | 75 | 27 | 11,527,626 |
Copyright © 2005-2010 4thDimensional Technology™