A new research report titled "Protecting Personal Information: We Lost the Battle, Can We Win the War?" by TowerGroup declares that the financial services industry has lost the battle to protect consumers' personally identifiable information (PII) data. TowerGroup's George Tubin points out that "in light of the loss or theft of hundreds of millions of data records containing PII, the financial services industry must consider the ramifications of past, present and future data losses." READ MORE »

[Reposted from my personal blog: www.sjl.us]

I happened to hear from Peter Wayner that he's got new editions of both his Disappearing Cryptography (third edition) and Translucent Databases (second edition) now available.

Disappearing Cryptography is available from Amazon while it looks like Translucent Databases, for the moment anyway, is only available on the publisher's web site.

The Payment Cards Center of the Federal Reserve Bank of Philadelphia has published a new discussion paper titled "Legislative Responses to Data Breaches and Information Security Failures" by Philip Keitel. READ MORE »

ING DIRECT has announced that it has partnered with Trusteer to become the first US bank to offer Trusteer’s Rapport consumer Identity Theft protection software free to all of its customers. READ MORE »

The latest U.S. results of the Unisys Security Index find that Americans are more concerned than they were seven months ago about national security issues and health epidemics and are increasingly concerned about financial security issues and worries about identity theft. READ MORE »

Sarah D. Scalet writes for CSO Magazine about the Payment Card Industry - Data Security Standard (PCI-DSS) standard - calling it "corporate America's most ambitious effort yet to prove that it can self-regulate."

Eight federal regulators have released a notice of proposed rulemaking (NPR) requesting comment on a model privacy form that financial institutions can use for their privacy notices to consumers required by the Gramm-Leach-Bliley Act (GLB Act).

Damon Darlin writes for the New York Times about efforts to try to get Social Security numbers removed from web sites, etc. “The problem is every dentist’s office has Social Security numbers. Every doctor’s office has them. How secure are these?”

In an article titled 'New Credit Cards May Leak Personal Information," Erik Larkin writes for PC World writes about the privacy aspects of new contactless credit cards - including a discussion of new "second generation" specifications from Visa that require the issuer not include the cardholder name in the data transmitted by the contactless card's chip.

The Federal Deposit Insurance Corporation's latest quarterly Supervisory Insights newsletter features an article titled "Incident Response Programs: Don't Get Caught Without One". From the abstract: "A security incident can damage corporate reputations, cause financial losses, and foster identity theft, and banks are increasingly becoming targets for attack because they hold valuable data that, when compromised, allow criminals to steal an individual's identity and drain financial accounts. To mitigate the effects of security breaches, organizations are finding it necessary to develop formal incident response programs (IRPs). This article highlights the importance of IRPs to a bank's information security program and provides information on required content and best practices banks may consider when developing effective response programs."

Thomas J. Smedinghoff writes us with news about a new paper he's written titled "Where We're Headed — New Developments and Trends in the Law of Information Security" that's available online. Smedinghoff is a partner at the law firm of Wildman Harrold, in Chicago, and a member of the firm's Privacy, Data Security, and Information Law Practice. In the paper, he writes that "three legal trends are rapidly shaping the information security landscape for most companies." These include a continuing expansion of the duty to provide security, the emergence of a legal standard for compliance - a definition of "reasonable security", and the imposition of a duty to warn.

Bruce V. Bigelow of the San Diego Union-Tribune writes a profile of Beth Givens, founding director of the Privacy Rights Clearinghouse, a San Diego nonprofit group "dedicated to helping consumers deal with the darker disadvantages of the information age."

Glenbrook's Russ Jones comments on the release a few weeks ago by six federal agencies (Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Federal Trade Commission, National Credit Union Administration, Office of the Comptroller of the Currency, and the Securities and Exchange Commission) of a new report titled "Evolution of a Prototype Financial Privacy Notice" (pdf).

Federal regulators have announced the release of Evolution of a Prototype Financial Privacy Notice, a report by Kleimann Communication Group summarizing consumer research commissioned by the regulators as part of their ongoing efforts to develop improved financial privacy notices.

Edward Epstein reports for the San Francisco Chronicle on legislation pending in the House that would mandate certain uniform national standards for consumer notifications in the event of breaches of personal financial data, thereby pre-empting various state laws that are in effect dealing with notification requirements.

NPR's Morning Edition had an interview this morning with Jeff Jonas, chief scientist with IBM's Entity Analytic Solutions, in which he talks about the future of privacy protection.

The Federal Trade Commission has announced that CardSystems Solutions, Inc. and its successor, Solidus Networks, Inc., doing business as Pay By Touch Solutions, have agreed to settle Federal Trade Commission charges that CardSystems' failure to take appropriate security measures to protect the sensitive information of tens of millions of consumers was an unfair practice that violated federal law.

Bill Husted writes from tomorrow's Atlanta Journal-Constitution about what a difference a year has made to suburban Atlanta-based ChoicePoint.

Ponemon Institute and Vontu, Inc. have announced the results of their 2006 Privacy Trust Study for Retail Banking concluding that National City and US Bank tied for first place.

The Federal Trade Commission has announced that ChoicePoint, Inc., which last year acknowledged that the personal financial records of more than 163,000 consumers in its database had been compromised, will pay $10 million in civil penalties and $5 million in consumer redress to settle FTC charges that its security and record-handling procedures violated consumers’ privacy rights and federal laws.

Visa International has released the results of new global survey of consumer attitudes concluding that the theft or loss of personal and financial information is the No. 1 concern of consumers worldwide (64 percent). A media backgrounder on the survey results (PDF) is available online.

MasterCard has announced several new merchant-related initiatives: incentives for merchants to adopt MasterCard SecureCode payer authentication, free network vulnerability scans of merchant systems, and new education for merchants on security and data protection issues. MasterCard has also launched a new merchant website focused on security at www.mastercardsecurity.com.

Patrik Jonsson writes for the Christian Science Monitor about the potential risks to customer and bank data associated with banks offshoring certain jobs.

Joseph Menn reports for the Los Angeles Times on efforts by various data brokers to support federal rules to safeguard personal information - preferring a consistent federal standard vs. a range of potentially tougher and more varied state laws.

PGP Corporation has announced the results of two surveys of customer response to incidents of data breaches. The surveys reported that almost 20 percent of customers immediately terminated their accounts with vendors that lost their information, and an additional 40 percent considered termination. Companies participating in a parallel study estimated incurring an average cost of $14 million per breach incident, with costs ranging as high as $50 million. The reports are available online from PGP.

David Birch of Consult Hyperion writes for Principia on contactless payments and how they deliver appropriate levels of security and privacy.

In a typical retail environment the retailer's point-of-sale (POS) terminal and the payment token both contain a microprocessor; the microprocessors communicate using a payment protocol (on top of the ISO 14443 protocol for basic data exchange).

When it is time to pay, the customer brings their tag close to the POS terminal. The terminal interrogates the card and gets back the serial number and a cryptogram (a one-time code calculated inside the token). It feeds these to the acquiring bank, which passes them back to the issuer. From the serial number, the issuer knows which account to authorise and from the cryptogram the issuer knows that the token is valid.

The cryptogram is made up from the serial number and a transaction counter, encrypted using the token security key. This key is inserted in the token during manufacturing; it is derived from the serial number and a bank master key. Once in the token, it is never divulged.

From an article by Eric Dash in today's New York Times on data privacy:

Switzerland, for example, requires every employee who handles sensitive data like credit information to "sign a very draconian document," Ted Crooks, vice president of global fraud solutions for Fair Isaac, a data analytics company, said of data protection laws in that country.

"You don't mess with Swiss data," he said.

Eric Dash reports for the New York Times on the use of security features by card associations and card issuers in their advertising efforts.

"As it becomes a bigger consumer issue, more companies are going to talk about it," said David Sigel, the Citigroup account director at Fallon Worldwide in Minneapolis, a division of the Publicis Group. "It's a very competitive category, and you are looking to make your product as relevant as it can to consumers."

Hiawatha Bray writes for the Boston Globe on concerns of private investigators about legislation that may limit the sale of Social Security Numbers in the wake of data security and information access breaches.

'We're under a lot of pressure to minimize the availability of Social Security numbers," said LexisNexis spokeswoman Mary Dale Walters.

Marco Piovesan, vice president of business services at ChoicePoint, said that his company has discussed the issue with private investigators, but has decided not to sell them Social Security numbers. ''We restrict that information to a large number of business types, including the PI group," Piovesan said.

Joe Nocera writes for the New York Times about data theft-- looking back at the actions twenty years ago led by Sen. William Proxmire that changed the way credit card issuers had to deal with consumers and why Bruce Schneier is recommending similar changes today to deal with data theft or data loss.

What we need right now is someone in power who can put the burden for this problem right where it belongs: on the financial and other institutions who collect this data. Let's face it: by the time even the most vigilant consumer discovers his information has been used fraudulently, it's already too late.

"When people ask me what can the average person do to stop identity theft, I say, 'nothing,' " said Bruce Schneier, the chief technology officer of Counterpane Internet Security. "This data is held by third parties and they have no impetus to fix it."