Intelligent Information Systems Research
This is a collection of articles on Data Privacy related articles.
Copyright: Copyright 2006 IBM
  Sat, 28 Oct 2006 01:49:01 +0200
EMAIL gremlins are causing embarrassment at Macquarie University, with graduates up in arms after the university accidentally sent 25,000 email addresses to its alumni mailing list. In what would have to be one of the worst email privacy breaches in Australian history, the university's Alumni office sent every graduate in its database a copy of the full alumni mailing list. The list was contained in an email titled "Macquarie Alumni - enter the draw to win the FREE $1,000 investments and more by NAB!".
Federal Homeland Security officials say a computer storage device that may have held personal information on current and former employees has been lost. "We're relatively confident that thing got scraped into the trash, and it's gone," said Mike Irwin, federal security director at PDX.
  Sat, 28 Oct 2006 07:41:47 +0200
The National Nuclear Security Administration is investigating the Energy Department to see whether the Los Alamos National Laboratory is complying with departmental security directives, according to a statement that NNSA Administrator Linton Brooks issued today. The action came after police in New Mexico found what appeared to be information from the lab while arresting a man for possession of drug paraphernalia earlier this month, according to published accounts.
A new study reports that data breaches may cost companies even more than previously thought. The Ponemon Institute released its annual study on the cost of data breaches and found that they cost companies on average $182 per compromised record. The institute arrived at the number by analyzing incidents involving 31 companies, all but one a Fortune 500 company. Institute Chairman Larry Ponemon said the companies choose to turn over their data on data breaches in hopes of gaining a benchmark of how they were doing.
  Thu, 26 Oct 2006 19:39:28 +0200
Counterfeits and intellectual property (IP) theft cost companies millions in the first half of 2006, according to a report released Tuesday. An estimated 760 copyright and trademark intellectual property thefts in 69 countries between January and June 2006 cost companies nearly $700 million, up 7 percent from the year-ago period, according to Gieschen Consultancy's 2006 Mid-Year Counterfeit & Piracy Intelligence Report. The study, based on statistics from the Business Action To Stop Counterfeiting And Piracy (BASCAP), a joint initiative with the International Chamber of Commerce, ranks the United States at the top of the list, citing 205 violations and $51.7 million in losses.
  Fri, 27 Oct 2006 01:38:24 +0200
A laptop containing the Social Security numbers and other personal information of T-Mobile USA Inc. employees recently disappeared, putting as many as 43,000 current and former workers at risk of identity theft. However, the company based in Bellevue, Wash., says there is no indication the laptop contained customer information.
A laptop computer containing the names and Social Security numbers of thousands of Allina Hospitals and Clinics obstetrics patients was stolen from a nurse's car Oct. 8, prompting alerts this week from the health-care provider to the patients. Company spokesman David Kanihan said Thursday night that there has been no indication any data have been accessed. Two passwords are needed to access the information on the laptop, he said.
A LOT of business travelers are walking around with laptops that contain private corporate information that their employers really do not want outsiders to see. Until recently, their biggest concern was that someone might steal the laptop. But now there’s a new worry - that the laptop will be seized or its contents scrutinized at United States customs and immigration checkpoints upon entering the United States from abroad.
Government officials need an arsenal of weapons to protect digital assets, including tools that fortify databases, prevent sensitive information from leaving an agency and give laptop computer users secure access to corporate networks. The rise in data security breaches at federal agencies and in the private sector has made security managers aware of the need to do more than secure networks with firewalls and expose intruders with intrusion-detection systems. Experts say security managers must focus on protecting databases and stopping data leakages by tracking the flow of data.
Like the United States, the European Union is seeking to improve border security without putting undue burdens on travelers or shippers of goods. As part of that effort, the EU is enhancing or developing several systems to replace the aging Schengen Information System. That 10-year-old centralized database has not kept up with the EU's growth to 25 nations, with two more set to join in January. In addition, although SIS allows border agents to check travelers’ identities, it only contains biographical information. Telmo Baltazar, political justice, freedom and security counselor for the European Commission’s delegation to the United States, said the primary new system, called SIS II, will store biometric data and allow agents to search multimedia data. He said the new system will be more modular and flexible to adapt to changing requirements.
  Tue, 24 Oct 2006 01:15:30 +0200
By the end of the year, the Homeland Security Department will issue draft regulations specifying how states should implement mandatory federal standards for driver's licenses. But several states have already gotten started. Jonathan Frenkel, director of law enforcement policy at DHS, said the draft regulations will better explain the broad mandates in the Real ID Act of 2005. The department is currently reviewing the regulations and will then send them to the Office of Management and Budget and other agencies for their input.
The Social Security Administration has begun issuing new secure identity cards to its employees and contractors, beating an Oct. 27 deadline imposed under Homeland Security Presidential Directive 12 (HSPD-12) by nine days. SSA is also the first agency to issue the cards, according to David Simonetti, a senior design architect at Jacob and Sundstrom, which is assisting SSA in deploying the personal identity verification (PIV) cards.
They call it the 'Johnny Carson attack,' for his comic pose as a psychic divining the contents of an envelope. Tom Heydt-Benjamin tapped an envelope against a black plastic box connected to his computer. Within moments, the screen showed a garbled string of characters that included this: fu/kevine, along with some numbers.
The European Union has approved a new agreement to share airline passenger data with U.S. law enforcement authorities. The deal settles, for now, a legal dispute that could have halted, or at least seriously disrupted, trans-Atlantic flights between Europe and the United States. This is not, however, the last you will hear about the subject. The new agreement will expire in just nine months -- and while talks on a new, long-term passenger data-sharing pact will open later this year, I would not be surprised if next July brings yet another last-minute standoff pitting U.S. security concerns against Europe's no-nonsense privacy laws.
  Sat, 21 Oct 2006 01:06:07 +0200
State Department officials will be issuing a Notice of Proposed Rule Making next week that lays out the architecture of a smart card that would be used under the Western Hemisphere Travel Initiative (WHTI). Frank Moss, the department’s deputy assistant secretary for passport services, said the intent is to create wallet-sized, secure People Access Security Services (PASS) cards – also known as passport cards – that would include radio frequency vicinity-read technology. He said such read technology is being used in other programs, such as Nexus, a joint U.S./Canadian traveler program to simplify border crossings for frequent travelers between the two countries.
I'd intended to use this issue to kick off a discussion on identity and anonymity and explore why anonymity might be useful, if there could be truly anonymous transactions online, the context of anonymity, and so on. We will get to that real soon, but while I was researching anonymity a press release crossed my inbox that was, literally, breathtaking. And it would be to anyone who has followed the discussions of privacy, security and even anonymity over the past year or two. The press release came from NCR and touted "RFID for branch banking". The document opens with: "NCR Corporation...demonstrated how radio frequency identification (RFID) can be used to make branch banking a more personalized experience."
FBI Director Robert Mueller said he supports a plan requiring Internet service providers to retain information on users' Internet activities. In a speech before the International Association of Chiefs of Police on Tuesday, Mueller praised law enforcement officials for adopting a resolution that would require ISPs to retain information in case it is needed for investigations.
A Southern California man has been indicted by a federal grand jury for alleged bank fraud involving hundreds of customers of Dollar Tree stores. Authorities said Parkev Krmoian is accused of using counterfeit ATM cards to make unauthorized withdrawals. Police said the cards Krmoian was using were actually gift cards that had been encoded with ATM card information.
  Thu, 19 Oct 2006 19:02:19 +0200
In a keynote speech that was webcast at last month's Hack in the Box Security Conference in Kuala Lumpur, Malaysia, Bruce Schneier, chief technology officer of managed security services provider Counterpane Internet Security Inc., identified 10 trends affecting information security today. 1. Information is more valuable than ever. For example, Amazon.com Inc. relies on information to make purchasing of books easier through its one-click purchasing system. Similarly, when Internet retailer Pets.com went belly-up, the company's database of customers "was the only asset of value they had," he said.
  Thu, 19 Oct 2006 23:01:47 +0200
End users -- god bless ‘em. You can’t live with ‘em -- but without them, you wouldn’t have a job. They’re the reason you have an IT infrastructure; they’re also the single greatest threat to the security of that infrastructure.
  Thu, 19 Oct 2006 23:32:25 +0200
Federal agencies not only regularly lose personal identity data, but don't even always know what they've lost or how many Americans are affected, a recently-released House report claimed. According to the report issued by the House Government Reform Committee, which is chaired by Tom Davis (R-Va.), all 19 federal departments and agencies from which data was requested had lost or compromised personal information in the three-and-a-half years since January 2003. Some of the breaches were losses, others were the result of theft.
The public fears losing their fingers to ruthless biometric ID thieves in the fingerprint-controlled future, apparently. Or at least, so says Frost & Sullivan analyst Sapna Capoor, who argued unconvincingly that "A dead finger is no good to a thief." If you have a fingerprint scanner protecting your family jewels, your data might be safe, but what about your fingers?
  Thu, 19 Oct 2006 23:28:54 +0200
Michael Chertoff, head of US Homeland Security, warned that people don't need to travel to a country with "-stan" in its name to become radicalized and commit acts of violence. Instead, they can now turn to the Internet. "They can train themselves over the Internet. They never have to necessarily go to the training camp or speak with anybody else and that diffusion of a combination of hatred and technical skills in things like bomb-making is a dangerous combination," Chertoff said at a conference of international police chiefs, according to Reuters. "Those are the kind of terrorists that we may not be able to detect with spies and satellites."
Criticized in the past for an initiative that would require the company to collect and catalog personal information about its customers, Microsoft on Wednesday released an internal document about how it protects customers' privacy in the hopes other companies will adopt similar practices. The company publicly published a 49-page document, called Microsoft’s Privacy Guidelines for Developing Software Products and Services, at the International Association of Privacy Professionals Privacy Academy 2006 in Toronto. The document can be found here. The
  Thu, 19 Oct 2006 00:26:23 +0200
The European Union needs to consider adopting a solid legal framework to ensure that the use of radio frequency identification technology does not infringe on privacy, a top official of the European Commission, the executive branch of the EU, told an RFID conference Oct. 16. The EU also needs to standardize its RFID frequencies in the 865 to 868 MHz frequency band, according to a commission background paper presented at the conference. The commission said it expects to complete a draft spectrum decision by the end of this year.
  Thu, 19 Oct 2006 00:25:19 +0200
A task force has issued a series of recommendations regarding privacy in justice information systems. The Privacy Technology Focus Group was chartered to examine the exchange of personally identifiable information, focusing on justice and public safety data. Last November, the Justice Department brought together a group of public- and private-sector specialists to look into privacy technology. The group’s working teams covered areas such as access and authentication, data aggregation and dissemination, and identity theft.
  Thu, 19 Oct 2006 00:24:23 +0200
The securities firms that reported the breach have not confirmed the means by which accounts were accessed, but the Investment Dealers Association (IDA) pointed to pharming Web sites as another possible avenue. Only two accounts were affected, although the IDA said it was alerted by a U.S. regulator about a similar situation that happened there.
Hackers have breached the mailing list of the Congressional Budget Office (CBO), according to the agency. "There was limited breach of our list server that has since been patched and closed," said Melissa Merson, a CBO spokeswoman. "When people access a federal government computer, that's considered a possible criminal violation. So we've referred the matter to the appropriate law enforcement authorities, and it's under investigation."
  Wed, 18 Oct 2006 01:21:55 +0200
Because equipment theft causes most data losses, agencies should use physical security to protect sensitive information, according to a new House Government Reform Committee report. "The vast majority of data losses arose from physical thefts of portable computers, drives and disks, or unauthorized use of data by employees," the Oct. 13 report states. Computer system hackers caused few breaches.
  Wed, 18 Oct 2006 01:21:03 +0200
Federal contractors that agencies rely on for IT management services are responsible for many of the data breaches that agencies reported to the House Government Reform Committee, which today released its findings on past data loss across government. That is just one of the conclusions from the committee staff report, which also found that data loss occurs in all major agencies, and that those agencies don’t always know what was lost.
Most Irish IT departments now face regulatory compliance issues but this is clashing directly with the need for more efficiency, leading to increased technical challenges, resourcing problems and cost concerns, new research claims. A survey carried out by Unitech Systems, which polled 300 information managers from the top 1,000 companies in Ireland, found that 88pc of Irish organisations are affected by regulatory compliance. The three most common regulations to affect Irish businesses are the Data Protection Act (34pc), the Freedom of Information Act (22pc) and Sarbanes-Oxley (22pc). Basel II and FDA regulations figured much lower down the list, at 7pc and 2pc respectively. Just over a quarter of respondents (26pc) said their company must comply with US legislation.
  Tue, 17 Oct 2006 00:18:06 +0200
The inventors of a new monitoring system that uses RFID tags claim it could improve airport security by tracking passengers as they mingle in the departure lounge. The plan is to issue an RFID (radio frequency identification) tag to every passenger at check-in so human traffic can be monitored throughout the airport via transponders and video cameras. Paul Brennan, an electrical engineer at University College London, heads the project, which features an RFID technology called Optag. Funded by the European Union, the technology is being developed by a consortium of European companies and the university. Brennan told Silicon.com that a prototype RFID tag will be tested in an airport in Hungary next month. Brennan said that if the trials in Hungary are a success and the technology attracts customers, it could arrive in airports within two years. Brennan said Optag has been designed to improve airport security by virtue of its ability to track the movement of suspicious passengers, which would enable security personnel to bar them from entering restricted areas.
According to the report, which was released Friday, 19 federal agencies have reported at least one loss of personally identifiable information since January 2003. In addition, those agencies don't always know what information has been lost or how many people could be affected because they aren't tracking those losses, the report said. "For example, the Department of Justice reports that, prior to the May 2006 Veterans Administration data breach, 'the department did not track the content of lost, stolen, or otherwise compromised devices,' " the report stated.
The personal information - including some credit card and bank account numbers - of about 70,000 people who gave money to Brock University has been stolen from the school's computers by a hacker. Terry Boak, Brock's vice-president academic, said the digital intruder had the secret passwords needed to access the file listing of possibly every individual to ever donate to the university. "It wasn't just someone who hacked in by playing around with it," Boak said. "So, you start thinking about how these passwords were obtained."
ARLINGTON - The personal information of about 2,500 University of Texas at Arlington students was on two computers stolen from a faculty member's home last month, school officials said.
The majority of telecommuters are aware of the security dangers that go along with using mobile devices and remotely logging onto their employers' networks, yet their behavior for the most part contradicts this awareness, according to a study issued Monday by Cisco Systems and research firm InsightExpress. Of 1,000 teleworkers contacted across 10 countries, more than one of every five allows friends, family members, or other non-employees to use his/her work computer to access the Internet. The top five justifications for doing this were that workers didn't see anything wrong with it, their companies didn't mind, they didn't think that letting others use company-issued computers increases security risks, they doubted their companies would care, and their co-workers did it, too.
  Wed, 11 Oct 2006 08:27:27 +0200
A new Cisco-sponsored global study of 1,000 remote workers indicates that IT workers may well be engaged in more insecure activities than they are willing to admit. Users are apparently aware of insecure activities, such as opening e-mail attachments from unknown senders; yet they still open the attachments and e-mails. The study, which was conducted by research firm InsightExpress, reveals a number of such security contradictions.
  Wed, 11 Oct 2006 08:26:01 +0200
I teach computer security for a living. Last week, a class of mine asked which vendor had the best security. I responded that they all are pretty bad. If you aren't using OpenBSD or software by D.J. Bernstein, then every other product in the world is pretty bad in comparison. Most software contains numerous vulnerabilities, holes, and exploitable routines. Even our
The sad state of computer security
  Wed, 11 Oct 2006 08:25:00 +0200
Australian-based analyst Hydrasight has teamed up with Colorado-based researcher Enterprise Management Associates Inc. (EMA) to release a study on the current state of global enterprise information security.
  Wed, 11 Oct 2006 08:24:16 +0200
A laptop computer loaded with personal information on 2,400 residents of the Camp Pendleton Marine Corps base has been lost, authorities said Friday. The computer was reported missing Tuesday by Lincoln B.P. Management Inc., which helps manage base housing. The company and Camp Pendleton are investigating. As of Friday, investigators had not found evidence that the data had been accessed, the base said in a statement.
  Wed, 11 Oct 2006 08:23:35 +0200
The names and Social Security numbers of at least 400 air traffic controllers are missing from a computer at the Cleveland Air Route Traffic Control Center in Oberlin, a union official says. Bill Liberty, president of the facility's National Air Traffic Controllers Association unit, said he was told on Monday by Eric Fox, Oberlin's air traffic control manager, that a computer hard drive with the personal information was stolen.
  Tue, 10 Oct 2006 02:11:24 +0200
A new survey showed this week that while archiving technology continues to be more prevalent in the data center, regulatory compliance is no longer the number one driver to adopt new archiving equipment and software. A survey sponsored by BridgeHead Software surveyed 350 IT managers about their archiving preferences and practices.
  Tue, 10 Oct 2006 02:10:00 +0200
A privacy-advocacy group is suing the U.S. government for records concerning electronic-surveillance tools such as one that appears to be a successor to the FBI's abandoned Carnivore program. The Electronic Frontier Foundation said it is suing the Department of Justice because the FBI failed to respond in time to its Freedom of Information Act request for records on the DCS-3000 and Red Hook programs.
  Tue, 10 Oct 2006 02:08:23 +0200
European Union and U.S. negotiators have reached agreement on how to share information about passengers flying to the U.S. from Europe, a Finnish government spokesman said Friday. The new deal allows many more U.S. government agencies to access the data, which includes details such as a passenger's name, address and credit card details. The agreement replaces one that was thrown out on a technicality by Europe's top court in May.
Executives from the financial data transfer company Swift and the president of the European Central Bank faced tough questions in a European Parliament committee meeting Wednesday, about the illegal sharing of private data with U.S. authorities. ECB Chief Jean-Claude Trichet denied that the bank should have stepped in to prevent the breach of European data protection laws, saying that the bank could only advise the Society for Worldwide Interbank Financial Telecommunication SCRL (Swift). "We have no judicial competence in the field of data protection," he said.
The total number of records containing sensitive personal information involved in security breaches over the past two years now stands at 93,754,333, according to the Privacy Rights Clearinghouse. The updated tally includes thousands of instances of data exposure in the past month alone. The Privacy Rights Clearinghouse (PRC) says its running tally of data breaches shows nearly 94 million instances of data being exposed in less than two years of tracking such events, a veritable red flag of private information at risk. The PRC said its tally shows the total number of records containing sensitive personal information involved in security breaches now stands at 93,754,333.
Despite all of the press and political rhetoric regarding security concerns, only 29 percent of marketers say that their firm has a crisis containment plan in case of a security breach, according to the findings of a CMO Council report, "Secure the Trust of Your Brand: How Security and IT Integrity Influence Corporate Brands." Without such a plan and other security strategies in place, companies are at risk of losing hundreds of millions of dollars in market value and through loss of reputation and brand trust, according to Scott Van Camp, CMO Council editorial director and author of the study. The Council found that while only that percentage of marketers responded that they have a plan in place, 49 percent of business executives say they do, Van Camp says. "That could show a disconnect between the business executives and the marketing people." Rather than such a disconnect, consistency in security and privacy is needed across the enterprise, according to Van Camp. Marketers must take a proactive role in ensuring that security policies and messaging are aligned in the organization, from the executive suite, across business lines, through the marketing organization, and down to the rank and file.
  Sat, 07 Oct 2006 01:19:19 +0200
A man in India offered to sell the front man of a Channel 4 sting operation the credit card details of 200,000 people, the programme Dispatches will reveal tonight. The programme makers were inspired by a sting operation mounted on an Indian call centre last year by The Sun newspaper, in which a man allegedly sold the bank details of 1,000 British people to a journalist. The Sun story helped stoke a backlash against outsourcing to India. The Sun was subsequently accused of duping its quarry and fabricating the story about fraud in India.
The Port of Seattle announced today that six computer disks, containing personal information for 6,939 people who work for employers at Seattle-Tacoma International Airport, are missing. "We have no reason to believe that the information has been misused by anyone," said Mark Reis, managing director at Sea-Tac. "However, we do not know at this time whether the disks were misplaced, or were removed from Port property."
  Fri, 06 Oct 2006 01:17:26 +0200
"Encryption is the ultimate protection mechanism, because even if someone" gains access, "they will not be able to read the data without further breaking the encryption." Is this quote from the Payment Card Industry (PCI) Data Security Standard enough to make your company leap into database encryption with both feet? Encryption is a powerful security tool, and nearly every compliance standard or industry regulation addresses data security in some manner, often at least implying a role for encryption. For instance, the Gramm-Leach-Bliley Act (GLBA) requires that organizations "insure the security and confidentiality of customer records and information," and California's SB 1386 breach-notification law states that any breach of the security of unencrypted personal information must be disclosed. But before you make the leap, there are some fundamental considerations. Database encryption can be put into two broad categories: communication encryption and field encryption.
  Fri, 06 Oct 2006 01:16:21 +0200
You've followed all of the security compliance guidelines, but the auditor still isn't satisfied. How can I be certain, he asks, that no one -- not even IT -- has tampered with this data? A startup company thinks it may have the answer. Kinamik, a venture capital-backed venture out of Barcelona, Spain, next week will open the doors on a third-party technology that collects, aggregates, time-stamps, encrypts, and stores audit-sensitive data as it is created or altered.
The Internal Revenue Service has not done enough to protect the privacy of more than 130 million taxpayers, according to a Treasury Department Inspector General's report released Oct. 3. The agency has conducted privacy impact assessments (PIAs) on less than half of its computer systems and does not adequately monitor its own application of privacy laws, according to the report from the Treasury Inspector General for Tax Administration.
  Thu, 05 Oct 2006 01:11:21 +0200
As I mentioned in previous columns, there’s a new set of draft documents from the Computer Security Resource Center of the National Institute of Standards and Technology (NIST). In addition, SP 800-86, "Guide to Integrating Forensic Techniques into Incident Response" by Karen Kent, Suzanne Chevalier, Tim Grance and Hung Dang has reached final-version stage. The PDF file is available for download.
  Tue, 10 Oct 2006 01:10:49 +0200
A draft publication from the National Institute for Standards and Technology highlights some of the security and privacy risks associated with radio frequency identification technology. Some of the risks involved can be serious. The threat can extend from the RFID tags to central databases on an agency's network, according to the report. But NIST experts are not trying to scare agencies from using the technology.
  Thu, 05 Oct 2006 01:10:12 +0200
The Defense Logistics Agency's network of 19 distribution sites can now track supplies with radio frequency identification technology, the agency announced Tuesday. RFID tagging will give the Defense Department global awareness of all military assets by using a unique identification to track each parcel as it moves through the military supply chain.
  Thu, 05 Oct 2006 01:09:41 +0200
The communications network used to transmit medical data for the government's Medicare and Medicaid programs has security vulnerabilities that could expose patients' medical data and other personal information, according to a report released Tuesday. The report, released by the U.S. Government Accountability Office (GAO), identified 47 weaknesses in the way the Centers for Medicare and Medicaid Services (CMS) used a WAN (wide-area network) operated by contractor AT&T. CMS uses the network to transmit claims data -- including patient names, dates of birth, Social Security numbers, addresses and medical information -- to health-care facilities, contractors, financial institutions, and state Medicaid offices.
  Thu, 05 Oct 2006 01:09:05 +0200
The Indian business process outsourcing industry is once again under attack for compromising the personal details of global clients. The Sunday Times has claimed — quoting an investigative report by Channel 4, to be telecast on October 5 — that credit card data and passport and driving license numbers are being stolen from Indian call centres and sold to the highest bidder. This time, unlike in the Karan Bahree and HSBC-like cases where BPO employees were in the firing line, the charges are against middlemen.
  Wed, 04 Oct 2006 01:08:30 +0200
Data retention and deletion represent two sides of the same issue as companies grapple with their legal and regulatory responsibilities. Which electronic records must you save, and when should you delete them--for good? It's not just a legal and ethical consideration for employees, but also a critical security and storage management challenge for IT professionals. So why aren't companies paying more attention?
  Wed, 04 Oct 2006 01:06:47 +0200
PayPal agreed Thursday to pay $3.5 million to consumers and $1.7 million to 28 states to settle a pair of lawsuits that charged the electronic payment provider didn't adequately inform users how it was protecting their financial data. The San Jose, Calif. subsidiary of online auctioneer eBay also promised to streamline its user agreement and provide more information about its data protection programs.
  Sat, 30 Sep 2006 01:05:45 +0200
Which would be more likely to suffer data theft, a university or financial institution? If you've been reading the news lately, you probably said "university." But in New York, it's a different story. Nearly half of the 64 data breach incidents reported in the state between March and May of this year were by financial institutions and insurance companies -- not educational institutions, according to a researcher who's gathering the data. Only three of the 64 incidents were reported by schools, he says.
A group of university computer scientists are launching a research project to better protect data stored in radio-based smart tags. The project's goal is to prevent cyber thieves from cracking the tags and stealing personal data. Such tags, which include but are not limited to passive RFID systems, are used in a growing number of applications, from automatic vehicle toll collection to accessing medical records.
  Sat, 30 Sep 2006 01:04:21 +0200
Internet auction house eBay will make changes to its site after discussions with the UK's Information Commissioner and civil rights group Privacy International. ZDNet UK has learnt that eBay has agreed to make changes to its Web site to make it easier for users to close accounts and track personal e-commerce transactions, following a complaint by Privacy International. The Information Commissioner's Office (ICO) has confirmed that changes are being made. "We have been corresponding with eBay and it has now taken steps to ensure its accounts are easier to close, by making changes to the My eBay page," said an ICO spokesman.
  Sat, 30 Sep 2006 01:03:19 +0200
The state Division of Motor Vehicles is notifying 16,000 motorists that someone broke into the agency's driver's license office in Louisburg and took a computer containing their personal information. The computer was used to store information for driver's licenses issued over the past 18 months, between March 2005 and Sept. 10, according to the DMV. The information includes names, addresses, dates of birth, driver's license numbers, Social Security numbers and, in some cases, immigration visa information, DMV officials said.
  Fri, 29 Sep 2006 01:02:21 +0200
Schuyler Cole needed an accessory for his Palm Treo 600 smartphone, so the Haleiwa, Hawaii, resident fired up his Web browser last month and ran a Google search. After scanning the search results, he purchased the inexpensive item -- a USB cable used to synchronize the Treo's settings with his personal computer -- from Cellhut.com, the first online store displayed in the results that looked like it carried the cable. The site featured a "Hackersafe" logo indicating that the site's security had been verified within the past 24 hours. Later that day, information from Cole's purchase -- including his name, address, credit card and phone numbers, and the date and exact time of the transaction -- was posted to an online forum that caters to criminals engaged in credit card and identity theft. Ostensibly, the data on Cole was posted as an enticement to other fraudsters lurking on the forum who might be interested in buying large numbers of similar records.
A global survey has found Canadian companies are more concerned with protecting their reputations than their global competitors when they spend on information security. According to the 2006 Global State of Information Security survey, 53 per cent of Canadian companies surveyed said their reputation was driving their information security spending. The global average was 41 per cent. "Poor information security that loses data such as customer profiles can seriously affect a company's brand," says Greg Murray of PricewaterhouseCoopers. "The cost of handling the public relations issues associated with losing customer identities can be devastating."
  Fri, 29 Sep 2006 00:32:04 +0200
The Electronic Frontier Foundation, an advocacy group for online privacy, has released six tips for consumers who would prefer to remain as anonymous as possible when using search engines. Concern over privacy and the use of online search was heightened last month when Internet service provider AOL acknowledged publishing the search histories of 650,000 users on its Web site. Even though the users' names were withheld, The New York Times and others discovered the identities of several of them.
Complying with a plethora of state privacy laws is tough. Focus on their common elements. All the time, it seems, another state is coming up with a new law for protecting consumers' sensitive data. At least 23 have passed a security breach notification law, and these laws are far from uniform. The result is a bevy of regulations du jour and a daunting challenge for information security and compliance professionals. More than a few times I have been well on my way to meeting the privacy requirements for one state, only to find out another state has passed similar rules, but with additional mandates. Security breach laws vary as to who should be notified, what constitutes personal information, and most importantly, when notification should occur. Do we notify each time data has been accessed without authorization, or only when we believe the data is at risk?
  Fri, 29 Sep 2006 00:28:51 +0200
A bill that would require all federal agencies to strengthen their protection of sensitive information has passed the House and now moves on to the Senate. The language is part of a larger bill, the Veterans Identity and Credit Security Act of 2006. Rep. Tom Davis (R-Va.), who introduced the measure applying to all agencies, said he will try to move the language separately if the Senate does not act on the bill.
  Tue, 26 Sep 2006 00:24:52 +0200
Storage managers in the U.S. may have finally come to grips with Sarbanes Oxley, but if their firms want to do business in Europe they should brace themselves for even more compliance headaches over the next few years. (See AMR Sees $6B in SOX Spending and IDC: 'Users, Do Your Homework'.) Like the U.S., countries within the European Union have been hard at work tightening their own financial and homeland security regulations, bringing yet more complexity to the lives of already pressured IT pros.
Legislation that would require federal agencies to disclose data breaches involving sensitive information was introduced in the House Monday by Rep. Tom Davis, R.-Va., chairman of the House Government Reform Committee. Such a bill would put government agencies on par with businesses, which are required by a patchwork of state laws to notify their customers in such cases. The measure, HR 6163, would amend the Federal Information Security Management Act to direct the White House Office of Management and Budget to establish procedures for agencies to follow if personal information is lost or stolen. The legislation also would require that individuals be notified if their personal information could be compromised by a breach of data security at a federal agency. Agency CIOs would be expected to ensure that their staffs comply with information security laws and that equipment containing sensitive information is accounted for and secured.
A U.S. Senate bill that prohibits impersonating someone to obtain their telephone records without permission is not strong enough, a top House of Representatives lawmaker told Reuters Tuesday. Privacy of telephone records has gained attention since computer and printer maker Hewlett-Packard Co. admitted that investigators it hired obtained telephone records of board members, employees and journalists without their permission to help discover who was leaking information from board meetings.
  Thu, 28 Sep 2006 00:18:22 +0200
The ability to use tiny USB memory sticks to download and walk away with relatively large amounts of data has already made the ubiquitous devices a potent security threat in corporate environments. Now, the emergence of USB flash drives that can store and automatically run applications straight off the device could soon make the drives even more of a security headache. Demonstrating the potential danger, Hak.5, a security-related podcast, earlier this month showed how a USB memory stick can -- in just a few seconds -- be turned into a device capable of automatically installing back doors, retrieving passwords or grabbing software product codes.
About 73 percent of corporate board members in a recent survey said that board chairpersons should have the power to use any legal means to identify the source of confidential leaks. Fifty-three percent said they believed it is permissible to follow individuals as they travel inside and outside of a company, and 53 percent said they believe it is permissible to obtain and review phone records if pretexting is legal, according to a recent survey conducted by the Ponemon Institute.
AT&T Inc., which has been questioned by regulators about the Hewlett-Packard Co. media leak scandal, said on Friday it updated security requirements for its customer service workers. The changes were part of an ongoing effort to better protect customer information, according to an AT&T spokesman. He would not say if the update was related to the controversy over HP using false identities to obtain phone records as it investigated boardroom leaks.
There is news that thousands of current and former GE employees could be at risk for identity theft. A company employee's laptop computer was recently stolen from his locked hotel room while he was traveling on business.
Berry College President Dr. Stephen R. Briggs informed the campus community of a potential security breach this morning. College officials were notified late Monday afternoon that student information included on applications for need-based federal aid filed during the 2005-06 academic year has been misplaced by an external financial aid consultant on Friday. This data, including student name, Social Security number and reported family income, involves 2,093 students or potential students who submitted a Free Application for Federal Student Aid (FAFSA) to Berry in 2005-06. Of those, 1,322 are currently enrolled at the college.
  Wed, 27 Sep 2006 00:05:22 +0200
Burglars entered the heavily guarded Kenya Revenue Authority (KRA) offices at Times Tower and stole computers containing crucial information. The computers were taken from the 14th floor, which houses the income tax section. The intruders also ransacked drawers and vandalised the offices.
Six notebook computers with data on about 9,000 patients have been stolen from Nagasaki University Hospital of Medicine and Dentistry in Nagasaki, a university official said. The data contained names, gender, dates of birth, and diagnoses of people who visited the hospital's hematology division since the early 1990s, the official said. The computers were stolen sometime between 11 p.m. on Sept. 14 and 8 a.m. the next day. The university reported the case to the police immediately, the official said.
Amid seemingly endless reports of lost laptops, some states have written laws that give companies a break if they encrypt data, letting them go without reporting a loss. Yet encryption can be costly and complicated, which has companies exploring not just what's available today but what's on the horizon that could make it easier and more effective. Some big changes on the way involve desktop encryption. Windows Vista BitLocker Drive Encryption is the future of encryption for Microsoft users. The data protection feature is scheduled for inclusion with the Enterprise and Ultimate versions of the forthcoming Windows Vista operating system, as well as in Windows Longhorn server. It's designed to protect data on PCs and servers that have been lost or stolen, or whose hard drives missed out on a thorough scrubbing before being decommissioned or resold.
  Mon, 25 Sep 2006 23:42:20 +0200
Over the last several years, well-publicized security breaches have been causing enterprises to develop security policies in order to protect their brands from the damaging publicity surrounding such an event. The only feasible approach to securing information is to take an encrypted, data-level approach to security. Anything less leaves companies, customers and partners at risk. It used to be that armed guards, locked file cabinets and vaults were the tools for securing currency, as businesses operated in a physical world. Today, information is the currency of the global economy, as consumers pay through electronic card swipes, employees are paid through direct deposit, and businesses sell a good deal of their wares online. More than ever before, companies are now challenged to find ways to protect "currency" as it is exchanged with people inside and outside secure corporate networks.
Almost a third of company directors surveyed have admitted to stealing corporate information, with memory sticks making theft easier than ever. In a survey of 1,385 business people, 29 per cent of company directors admitted to stealing confidential corporate information when they left a company. The survey, conducted by polling company YouGov on behalf of software firm Hummingbird, found that 24 per cent of the thefts involved using memory sticks or MP3 players to move data and 18 per cent used email. The information was revealed as part of Hummingbird's Information Management Survey, which assesses the way in which firms are coping with increases in information sources.
The results of an international cyberwar game that involved Australia were released by the U.S. Department of Homeland Security's National Cyber Security Division last week. Dubbed Cyber Storm, the game was conducted in February this year and simulated a campaign to "affect or disrupt multiple, critical infrastructure elements within the energy, information technology, transportation and telecommunications sectors." Australia was represented by the Attorney General's department in the four-day event which involved more than 110 public, private and international organizations as part of efforts to protect critical infrastructure.
  Sat, 09 Sep 2006 23:36:00 +0200
Each agency should assemble a core management team to plan and oversee the response to any data breach that could result in identity theft, according to a Sept. 20 memo from the Office of Management and Budget. That recommendation is from a recent report of the Identity Theft Task Force of which Attorney General Alberto Gonzales is chairman. OMB distributed the report and its memo to agency leaders.
Federal agencies have been losing laptop computers, including those with personal data, without public notification and sometimes undetected by the government. Agencies are finding out now, and disclosing the information, because House Government Reform Committee chairman Tom Davis (R-Va.) requested summaries of data breaches over the last several years. As a result, the situation requires a strong governmentwide policy on public notification, including strengthening legislation he has introduced, Davis said.
  Mon, 25 Sep 2006 23:34:40 +0200
People who attended Purdue University in 2000 were being notified of a security breach that might have resulted in unauthorized access to identifying information, including Social Security numbers. University officials discovered the incident this month during a check of a workstation in the chemistry department. The incident involved a file dated Feb. 4, 2000, that contained Social Security numbers, names, e-mail addresses and other information for nearly 2,500 students.
  Mon, 25 Sep 2006 23:33:48 +0200
Using clues obtained from a YouTube video and a simple four-word Google search engine query, a criminal can find step-by-step instructions for how to hack into and take control of thousands of ATMs scattered around the United States. Following up on a CNN report out of Virginia Beach, Va. (available as a YouTube video), that a man reprogrammed an ATM at a gas station to dispense $20 bills instead of $5 bills, a New York-based security researcher did some old-fashioned online sleuthing and discovered that the operator manual for that specific model of ATM could be legally obtained in about 15 minutes.
  Fri, 22 Sep 2006 23:33:00 +0200
As the U.S. government prepares to complete a conversion to the controversial RFID-based electronic passports, traditional paper-only IDs are still available for a few months to those listening to the raging debate over security and privacy concerns swirling around the electronic documents. Many security experts are still questioning whether e-passports, which have a 10-year life span, have enough security built in to survive a decade of hackers and technology advancements while protecting e-passport users from data theft, identity theft and other security and privacy intrusions. "If the government is right, this will be the first time in the history of mankind that a perfectly secure application will be produced. Of course it will be hacked," says Bruce Schneier, a noted security guru, author and CTO of Counterpane Internet Security.
  Sat, 09 Sep 2006 23:32:35 +0200
The Commerce Department has lost 1,137 laptop computers since 2001, most of them assigned to the Census Bureau, officials said Thursday night. No personal information has been known to have been improperly used. The number of people affected could not be determined, officials said, in what was the latest in a series of data losses at government agencies that have raised concerns about identity theft. "All of the equipment that was lost or stolen contained protections to prevent a breach of personal information," Commerce Secretary Carlos M. Gutierrez said in a statement. "The amount of missing computers is high, but fortunately, the vulnerability for data misuse is low."
Thursday September 21, 4:19 pm ET. By Brian Bergstein, AP Technology Writer. BOSTON (AP) -- Insert your own punch line: Hewlett-Packard Co., the technology company facing federal and state investigations for spying on board members and journalists, is co-sponsor of an award for "privacy innovation." Nominees are currently being accepted for the fourth annual HP/IAPP Privacy Innovation award, which Hewlett-Packard gives in conjunction with the Maine-based International Association of Privacy Professionals. According to the award's Web site, the prize was created to honor "strong and unique contributions to the privacy industry." "At present, there is not sufficient recognition for organizations that have embraced privacy as a competitive advantage, and as a business/governmental imperative," the site states. Previous winners of the award have included eBay Inc., Microsoft Corp., Sprint Nextel Corp. and two Canadian provincial offices. No one from HP is a judge. Two IAPP directors did not immediately return a call seeking comment Thursday, nor did an HP spokesman. HP is facing multiple investigations into the company's surveillance of directors, employees and journalists as it sought the source of boardroom leaks to the media. HP investigators posed as other people to obtain their phone records and sent at least one reporter monitoring "spyware" in an e-mail. An HP director quit in protest of the methods and another resigned after being outed as a leaker. Questions about HP's methods led the board chair, Patricia Dunn, to agree to cede the post in January, though she plans to remain a director. One place to read about all this is none other than the Privacy Innovation award's Web site. It contains a long list of privacy-related stories in the news, including the HP affair.
  Tue, 19 Sep 2006 23:29:12 +0200
If you have a passport, now is the time to renew it -- even if it's not set to expire anytime soon. If you don't have a passport and think you might need one, now is the time to get it. In many countries, including the United States, passports will soon be equipped with RFID chips. And you don't want one of these chips in your passport. RFID stands for "radio-frequency identification." Passports with RFID chips store an electronic copy of the passport information: your name, a digitized picture, etc. And in the future, the chip might store fingerprints or digital visas from various countries. By itself, this is no problem. But RFID chips don't have to be plugged in to a reader to operate. Like the chips used for automatic toll collection on roads or automatic fare collection on subways, these chips operate via proximity. The risk to you is the possibility of surreptitious access: Your passport information might be read without your knowledge or consent by a government trying to track your movements, a criminal trying to steal your identity or someone just curious about your citizenship.
  Tue, 19 Sep 2006 23:28:31 +0200
The European Commission has published proposals for a law change that would force telecoms firms to notify regulators and customers of all breaches of their data security. A similar law in California has resulted in a stream of data breaches being made public. In a consultation on changes to the EU framework on telecoms regulation the EC proposes that all providers of "electronic communications networks or services" be forced to notify customers and regulators of any breaches of security that would result in their personal data being made available to others. The current EU Directive only instructs network providers to notify customers of security risks. It does not cover security breaches.
  Tue, 19 Sep 2006 23:27:49 +0200
As many as 500 current and former employees of San Francisco's Howard, Rice, Nemerovski, Canady, Falk & Rabkin may be at risk of identity theft after a laptop computer containing confidential employee pension plan information was stolen from an auditor. The firm sent a notice to current and former partners, associates and staff in mid-August alerting them of the security breach. "Given the circumstances of the theft, we think it is highly unlikely that the laptop was purloined because the thief knew that Howard, Rice employee names and Social Security numbers were resident on the computer," the letter stated. "Nonetheless, we want to treat this potential information breach with utmost caution."
  Tue, 19 Sep 2006 21:57:46 +0200
Microsoft announced it has created a hotfix that patches a bug in one of the dozen August security updates which could corrupt users' data. Customers must contact Microsoft to get the hotfix. The MS06-049 update, which was released Aug. 8 to correct a flaw in the Windows 2000 kernel, can ruin data on NTFS-formatted drives when the PC is using Windows' own file compression. Files larger than 4K that are either created or backed up can be corrupted and become unreadable. Microsoft issued a hotfix, but has not made it available to the general public. Instead, as is its practice with hotfixes, Microsoft requires users who want the patch to call the company.
  Mon, 18 Sep 2006 21:57:18 +0200
Ethics are of incredible importance in the security field. Scott Granneman looks at recent examples of poor security decisions made at HP, Diebold, Sony, and Microsoft. Joel and Ethan Coen make some of the most inventive and clever movies in Hollywood history. With a record like Raising Arizona, Blood Simple, Barton Fink, Fargo, and The Big Lebowski, how could anyone argue? One of their absolute best, however, has got to be Miller's Crossing (1990), a gangster film filled with betrayals, violence, and a wonderful slang that is a joy to hear.
  Mon, 09 Oct 2006 21:55:14 +0200
Computer tapes containing the private health and welfare records of "hundreds of thousands" of British Columbians were discovered missing from the government's main data centre in Victoria last year and have never been found, according to a confidential government investigation obtained by the Vancouver Sun. Poor record-keeping at the facility, which is run by Telus, means it's impossible to confirm exactly what happened to the 31 tapes, although the report speculates they were most likely destroyed in error or borrowed by a government staffer who forgot to return them. However, the report warns that their disappearance is serious and "may have resulted in the inadvertent disclosure of the data contents."
  Mon, 09 Oct 2006 21:54:07 +0200
The Florida National Guard was conducting a security review Thursday after a laptop computer assigned to one of its soldiers was stolen in a car burglary. No classified information was on the computer stolen Tuesday from a soldier’s personal vehicle, said Florida Department of Military Affairs spokesman Jon Myatt. The laptop contains training and administrative records - including social security numbers - of up to 100 Florida National Guard soldiers.
  Thu, 14 Sep 2006 21:52:43 +0200
The data breaches noted below have been reported because the personal information compromised includes data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver's license numbers. Some breaches that do NOT expose such sensitive information have been included in order to underscore the variety and frequency of data breaches. However, we have not included the number of records involved in such breaches in the total because we want this compilation to reflect breaches that expose individuals to identity theft as well as breaches that qualify for disclosure under state laws. The running total we maintain at the end of the Chronology represents the approximate number of *records* that have been compromised due to security breaches, not necessarily the number of *individuals* affected. Some individuals may be the victims of more than one breach, which would affect the totals.
IBM on Tuesday unveiled new technology it says will help curb the growing problem of businesses exposing, either through theft or carelessness, sensitive consumer data routinely stored on their computer networks. The technology, newly embedded in the company's TS1120 storage system, works to encrypt Social Security numbers, credit card information, and other customer data archived on magnetic tape--the most common type of storage media in use by businesses today. The goal is to make the data inaccessible to thieves and others who wrongfully come into possession of such tapes. "It's useless to whoever gets it," says Andy Monshaw, general manager of IBM's system storage group.
  Thu, 14 Sep 2006 21:46:38 +0200
The Department of Homeland Security has quieted some but not all the concerns that have kept many U.S. companies from voluntarily submitting critical infrastructure information (CII) to the agency. The DHS badly needs private sector input in order to increase the utility of its National Asset Database (NADB), the registry of nearly 80,000 facilities and assets in the U.S. which could be targeted by terrorists. The DHS issued a final rule on Sept. 1 on how it plans to protect CII it validates as protected CII (PCII). Four days later, Robert Stephan, assistant secretary for infrastructure protection, briefed representatives of select companies at an invitation-only meeting at the U.S. Chamber of Commerce. Andrew Howell, vice president of homeland security for the chamber, said the final rule corrects many of the problems his members had with the interim rule, which was published in February 2004.
Government and private-sector efforts to build a nationwide health information infrastructure are ignoring the issues posed by secondary uses of data from patients' records, according to a new report from the American Medical Informatics Association (AMIA). Although most hospitals, physicians and patients don't know about it, the report states, "A multimillion-dollar industry based on the sale of health and health-related data has prospered and appears to be growing."
Facebook on Friday tightened privacy controls for a controversial news feed feature, as founder Mark Zuckerberg apologized to hundreds of thousands of angry users, saying the social-networking site "really messed this one up." While apparently well intentioned, the feature launched this week sparked protests among Facebook users who objected to its automatic broadcasting of members' activities on the site to everyone in their social circles. Two online petitions gathered a total of more than 700,000 signatures from members demanding that Facebook pull the plug on the new feature. In addition, a one-day boycott of the site was called for Sept. 12, and members were organizing a Monday demonstration at the company's Palo Alto, Calif., headquarters.
  Tue, 12 Sep 2006 21:42:33 +0200
Second Life, the fast-growing online site where hundreds of thousands of people play out fantasy lives online, has suffered a computer security breach that exposed the real-world personal data of its users. Linden Lab, the San Francisco-based company behind the Second Life site, said in a letter to its 650,000 users this weekend that its customer database, including names, addresses, passwords and some credit card data, had been compromised. All users - or residents in Second Life parlance - are being required to request a new password. Some 286,000 residents have used the site in the past 60 days, according to a count on the home page at http://www.secondlife.com/.
The agency responsible for safeguarding the nation's airports from terrorists has its own security problem after a contractor accidentally mailed documents containing Social Security numbers of former Transportation Security Administration (TSA) employees to the wrong addresses. In the latest privacy breach to affect a government entity, Accenture, an outsourcer responsible for personnel management at TSA, sent 1,195 documents to the wrong former employees, USA Today reported. The forms, sent to employees after they leave a government job, usually list sensitive information that could be used to steal identities, such as Social Security numbers, birth dates and salary. TSA spokeswoman Ann Davis could not be reached for comment today by SC Magazine. But another agency representative told USA Today last week that the breach was "an administrative error, and the contractor has taken steps to ensure it's not repeated."
  Mon, 11 Sep 2006 21:40:50 +0200
Security executives from around the country converged in Boston this week to hear how their peers are tackling enterprise security and managing risk. The Security Standard conference, hosted by Network World and other IDG publications, examined such issues as regulatory compliance, dealing with internal and external threats, working with law enforcement and establishing security best practices.
Despite a veritable avalanche of negative publicity for companies this year that got caught with improperly-handled consumer information, preliminary findings from the Retail Systems Alert Group show that most retailers do not have any formal procedures in place to deal with protecting confidential consumer details. One of the authors of that report, Steve Rowen, who also serves as the senior editor for the group's Extended Retail Industry Journal, said there are many possible excuses for the absence, but it needs to change.
  Mon, 11 Sep 2006 11:08:49 +0200
Five major credit card companies Thursday announced the formation of an independent body to oversee the development and maintenance of the Payment Card Industry (PCI) data security standard. American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International have thrown their weight behind the newly formed PCI Security Standards Council. Aimed at retailers and companies that process credit-card data, the PCI standard is a set of technology requirements for securing networks and applications, protecting cardholder data, maintaining a vulnerability management program, and regularly validating compliance via a third-party assessment. It was designed to consolidate what in the past have been a bunch of different security guidelines from credit card companies.
  Mon, 11 Sep 2006 11:07:24 +0200
The National Institutes of Standards and Technology has released new draft guidelines for recovering data evidence from mobile phones. The draft covers phones with features that are “beyond simple voice communication and text messaging and their technical and operating characteristics,” NIST said. The guide outlines some of the reported examples of evidence, including text message logs and location tracking, and ways to access material, such as studying software authentication weaknesses, identifying and examining cell phone memory cards, and asking service providers for additional information about a phone. The guide also breaks down the memory structure of cell phones and call data analysis.
  Mon, 11 Sep 2006 11:05:52 +0200
Personal information on 2.6 million past and current Circuit City credit card holders was mistakenly thrown out as trash, a division of J.P. Morgan Chase has said. Chase Card Services said on Thursday that it mistakenly tossed out computer tapes with the personal information of Circuit City card holders. It said it believes the tapes, inside a locked box, were compacted, destroyed and buried in a landfill.
  Thu, 07 Sep 2006 11:04:52 +0200
If you put stock in a recent survey from Symantec, the company behind the Norton line of computer protection software, 57 percent of computer users who store personal data on their PCs conscientiously back it up. Those people can feel very good about themselves, because the same survey found that a quarter of computer users have lost computer data like documents, photos and music files, most commonly when the computer crashes.
  Thu, 07 Sep 2006 11:02:54 +0200
When it comes to data classification and search, IBM has adopted a "grow your own" stance via Java-based development tools called the Unstructured Information Management Architecture (UIMA). But a project in the Cape Breton region of Nova Scotia could yield something more generally useable. IBM is working with a local company called ADM Solutions (no Website), Cape Breton University, and the Cape Breton Regional Police Services, all of Sydney, Nova Scotia, to create a system that stores, classifies, and searches police crime data.
IT security professionals are struggling to detect and prevent data breaches, according to the results of a recent survey of 853 U.S. security executives conducted by the Ponemon Institute LLC. Nearly two-thirds of security executives said they have no way to prevent a data breach, while most respondents said their organizations lack the accountability and resources necessary to enforce data security policy compliance, according to the Elk Rapids, Mich.-based think tank. The study, conducted in June and July, was sponsored by Palo Alto, Calif.-based security firm PortAuthority Technologies Inc.
  Thu, 07 Sep 2006 11:01:05 +0200
Federico Biancuzzi surveys statements from some of the world's largest software companies about vulnerability disclosure, interviews two security companies that pay for vulnerabilities, and then talks with three prominent, independent researchers about their thoughts on choosing a responsible disclosure process. In three parts.
  Thu, 07 Sep 2006 11:00:10 +0200
The Compliance Security Council, made up of the Institute of Internal Auditors, the Computer Security Institute, and Symantec, has been tracking what's working and what's not, says James Hurley, executive director of research for the Security Compliance Council and a director of research at Symantec.
A primary reason corporate data security breaches occur is that companies do not know where their sensitive or confidential business information resides within the network or enterprise systems. This lack of knowledge, coupled with insufficient controls for data stores, poses a serious threat for both business and governmental organizations. Moreover, the danger doesn’t stop at the network, but includes employees’ and contractors’ laptop computers and other portable storage devices. Consider, for example, a recent data breach involving the U.S. Department of Veterans Affairs (VA) and the loss of veteran records that were stored on an employee’s laptop computer. Records contained the names and Social Security numbers of almost 27 million living veterans. According to the press, this laptop was stolen from the employee’s home office—which resulted in huge remediation costs and reputation damage for the VA and federal government.
Google Inc., which refused in the past year to hand over user search data to U.S. authorities fighting children's access to pornography, said yesterday that it was complying with a Brazilian court's orders to turn over data that could help identify users accused of taking part in online communities that encourage racism, pedophilia and homophobia. The difference, it says, is scale and purpose. The Justice Department wanted Google's entire search index, billions of pages and two months' worth of queries, for a broad civil case. Brazil, by contrast, is looking for information in specific cases involving Google's social networking site, Orkut. "What they're asking for is not billions of pages," said Nicole Wong, Google associate general counsel. "In most cases, it's relatively discrete -- small and narrow."
  Sat, 05 Aug 2006 10:55:32 +0200
A medical lab is notifying patients that a computer with sensitive personal information was stolen from its Prospect Plains Road sample-collection center. LabCorp is identifying patients who may have had their names and Social Security numbers on a computer stolen from its Monroe Patient Service Center and notifying those people by mail, said Pamela Sherry, LabCorp's senior vice president of corporate communications. "We have no reason to believe the information is being used improperly," Sherry said.
  Tue, 05 Sep 2006 10:53:25 +0200
Thousands of city employees could be at risk of identity theft following the theft of a laptop computer from a city contractor, and a delay of more than a year in reporting the theft to the proper personnel within the company, according to a release from the Mayor’s office. Nationwide Retirement Solutions, the provider of deferred compensation services for City of Chicago employees, has notified the city that a laptop computer containing personal information about customers was stolen from the home of one of its employees, according to the release. NRS, which has provided services for city employees since 2004, is notifying affected individuals by letter and offering free credit-monitoring service for a year, which includes $25,000 of identity theft insurance, according to the release.
A bank has been ordered to pay a $50 million settlement for buying more than 650,000 names and addresses from the Florida Department of Highway Safety and Motor Vehicles. The Electronic Privacy Information Center, which filed an amicus brief in favor of the plaintiffs, announced the decision this week. EPIC said Fidelity Federal Bank & Trust bought 656,600 names and addresses for use in direct marketing and the purchase violated the Drivers Privacy Protection Act. The federal law was enacted in 1994, before a vast number of "find people" sites were popular on the Internet. It aims to protect drivers from having their personal information distributed because stalkers and other criminals had used motor vehicle records to locate victims.
  Fri, 01 Sep 2006 10:51:38 +0200
If an attacker gains access to authorized user privileges to break into your network, it'll cost you more than a malware attack. That's what a new report released today by Trusted Strategies concludes: The average cost per event to an organization hit with stolen account privileges was $1.5 million, versus $2,400 for a virus attack, according to the report, which analyzes real data from publicly disclosed cybercrime cases.
Since July of 2005, attrition.org has been tracking data loss and data theft incidents not just from the United States, but across the world. Our archives go back to the year 2000, and with over 142 MILLION records compromised in over 300 incidents across six years, we would finally like to introduce a very basic and rudimentary database that will assist others in tracking these incidents.
  Fri, 01 Sep 2006 10:49:07 +0200
Most used smartphones and PDAs for sale online are loaded with sensitive data ranging from banking records to corporate emails that can easily be retrieved by hackers and data thieves, it was alleged today. According to a sampling by mobile security software provider Trust Digital, much of this sensitive information is retained in the Flash memory of the devices because of a widespread failure to perform the advanced hard reset required to delete data. Trust Digital claimed that its engineers were able to recover nearly 27,000 pages of personal, corporate and device data from nine out of 10 mobile devices purchased through eBay for the project.
A pair of security surveys released this week shows that protecting corporate and consumer data is sometimes easier than people might think, but the broader problem still is confounding far too many organizations. The first study, entitled "Network Attacks: Analysis of Department of Justice Prosecutions 1999-2006," shows most network attacks tracked by the DOJ used stolen IDs and passwords. Those attacks resulted in far more extensive damages than what had been assumed -- an average of more than $1.5 million per incident, with $10 million being the most damage incurred in one incident. The study, commissioned by Phoenix Technologies and conducted by research and advisory firm Trusted Strategies, analyzed data from all cases prosecuted and publicly disclosed by the DOJ between March 1999 and February 2006. The report also maintains that a whopping 84 percent of these attacks could have been thwarted if, after checking the user ID and password, the organization had simply verified the identity of the invasive computer connecting to its network and accounts via device authentication policies and solutions.
  Thu, 31 Aug 2006 10:46:38 +0200
High-profile data security breaches make headlines. That means that in an election year you can expect to see plenty of politicians proposing data security legislation. The last time headlines spurred legislation aimed at regulating a business crisis, CIOs found themselves spending millions on Sarbanes-Oxley compliance. Every day it seems the media reveals another new nightmare. A data tape is stolen from a truck. A hard drive is stolen from an office. In May, thieves stole a laptop from the Maryland home of an analyst with the Department of Veterans Affairs. Although officials claimed the laptop had been recovered and they were confident no data was compromised, the theft still put 26.5 million veterans and current military members at risk of identity theft.
Most used cell phones and PDAs contain personal information that their former owners neglected to adequately delete, Trust Digital, a McLean, Va. security firm