320 likes | 606 Views
Protecting Citizens’ Personal Information. HIPAA Solutions, LC info@hipaasolutions.org. What’s Personal Information. Financial Information Banking & Credit Investments & Mortgage Signatures Notary Seals Demographic Name, Address, Birth Certificate Government Related
E N D
Protecting Citizens’ Personal Information HIPAA Solutions, LC info@hipaasolutions.org
What’s Personal Information Financial Information • Banking & Credit • Investments & Mortgage • Signatures • Notary Seals Demographic • Name, Address, Birth Certificate Government Related • Social Security Number • Driver’s License • Gun Permit • Military Records • Court Records & Probate • Infrastructure Health Information • Medical Records & Insurance
Who Uses Personal Information Financial & Credit Institutions • Banking & Finance • Credit Card Government • Permits, Licenses, Courts, SSN, Veterans, Administrative, Taxes, Student Records, Property, Security, Law Enforcement Health Care Providers • Medical Records, Insurance Employers • Benefits, Pay Records, Taxes, SSN, Personnel & Hiring, Background Checks, Security Businesses • Retail Transactions, Credit Checks, Insurance, Contracts, Real Estate Title Companies, Land Brokers
Who ELSE Uses Personal Information Commercial & Political Organizations • Marketing Groups • “Data Mining” Organizations • Risk Evaluation – Insurance & Credit Companies • Foreign Companies • Campaigns & Political Organizations Criminals • Financial Gain – Identity Theft & Fraud • Illegal immigration • Criminal Alias’s • Medical Fraud – Medicaid & Medicare • Insurance • Real Estate Fraud • Stalkers • Organized Crime • Forgers • Terrorists
Why Protect Personal Information • Financial Loss • Credit Risk • Employment Risk • Disruption of Lives • Increased Cost of Products & Services • Taxes for Law Enforcement • Health Danger • Family & Children • Stalkers • National Security • Illegal Immigration
Real Risks 2006 FTC report on Identity Theft & Fraud • Texas 4th on list of complaints of ID Theft per 1,000 citizens • Texas has 4 of top 30 Metro areas with highest % of ID theft complaints per number of citizens • Almost half of top 50 cities based on number of complaints per population are in border states • Jan-Dec 2006 - Consumer Sentinel (complaint database developed by FTC) received over 670,000 consumer fraud and identity theft complaints. • Total overall losses in US for 2006 were $49 billion http://www.consumeraffairs.com/news04/2007/02/congress_identity_theft.html
Why Protect Personal Information . . . Darwin Professional Underwriters, analyzed data from media reports and other sources to come up with algorithms . . . . . . . a breach that exposes 75,000 identities will cost an organization $9.9 million on average.One third of the cost or $3.47 million is needed to provide credit monitoring to alert potential victims when their information is misused. . . . Last year, Chicago voters filed a class action lawsuit against the Elections board for a similar breach involving voter registration information of 1.3 million voters published on the Board's Web site. . . . recent reports indicate credit monitoring is insufficient protection for people whose confidential information is known to have been compromised. . . . http://www.davickservices.com/Data_Breach_Cost.htm
Real Risks - Financial • Internet security threat report from Symantec Corp. • Rate for the keys to assuming someone else's identity can be had for between $14 and $18 per victim on underground cyber crime forums. • Full identities typically include Social Security numbers, the victim's bank account information (including passwords), as well as personal information such as date of birth and the maiden name of the victim's mother. • DATA BREACHES SINCE JANUARY 2005 . . . • TOTAL number of records containing sensitive personal information involved in security breachesOVER 150 million records . . . http://www.privacyrights.org/ar/ChronDataBreaches.htm
Real Risks - Financial Man victimized again and again by ID theft For two years now, Mark Maynard has repeatedly been mistaken for a felon named Kevin O'Rourke. The ordeal has nearly cost Maynard his benefits and once put him in jail. By CLAUDIA ROWE Seattle Post Intelligencer - P-I REPORTER It was a benign-looking letter, just a business-sized envelope from a Seattle department store that came with the morning mail. But for Mark Maynard, it signaled the start of a bureaucratic maze worthy of Franz Kafka's nastiest nightmares. For the past two years, the retired Coast Guard veteran has been repeatedly mistaken for a convicted thief named Kevin O'Rourke, who once passed himself off as Maynard by presenting a fake driver's license. From that moment on, the disabled yeoman has been entangled in a net of ever-more-complex legal problems. In the past seven years, Social Security has received 94 million warrant files from states seeking fugitives such as O'Rourke. That Maynard's name got swept up in the data stream is an unfortunate but rare occurrence, a spokesman with the agency said. . . . http://seattlepi.nwsource.com/local/308306_stolenid21.html
Real Risks - Immigration Red Tape Chronicles - MSNBC.com - Bob Sullivan Author of “Your Evil Twin: Behind the Identity Theft Epidemic” . . . Linda Trevino, who lives in a Chicago suburb, applied for a job last year at a local Target department store, and was denied. The reason? She already worked there -- or rather, her Social Security number already worked there. Follow-up investigation revealed the same Social Security number had been used to obtain work at 37 other employers, mostly by illegal immigrants trying to satisfy government requirements to get a job. . . . . . . . MSNBC.com research and government reports suggest hundreds of thousands of American citizens are in the same spot -- unknowingly lending their identity to illegal immigrants so they can work. And while several government agencies and private corporations sometimes know whose Social Security numbers are being ripped off, they won't notify the victims. That is, until they come after the victims for back taxes or unpaid loans owed by the imposter. . . . http://redtape.msnbc.com/2006/03/hidden_cost_of_.html
Real Risks – Immigration Welfare Federal Loans Taxes School System Terrorist Infiltration Voter Fraud
Real Risks – Homeland Security Dan Verton, in his book Black Ice: The Invisible Threat of Cyberterrorism (2003), explains that "al-Qaeda cells now operate with the assistance of large databases containing details of potential targets in the U.S. They use the Internet to collect intelligence on those targets, especially critical economic nodes, and modern software enables them to study structural weaknesses in facilities as well as predict the cascading failure effect of attacking certain systems." According to Secretary of Defense Donald Rumsfeld, speaking on January 15, 2003, an al Qaeda training manual recovered in Afghanistan tells its readers, "Using public sources openly and without resorting to illegal means, it is possible to gather at least 80 percent of all information required about the enemy."
Real Risks - Healthcare MSNBC.com Doctors, insurers ask, ‘Who are you?’ Medical identity theft, on the rise, can threaten lives as well as wallets By Anne Thompson and Alex Johnson / NBC News / April 4, 2007 Andrew Brooke’s family knew something was screwy when they got a collection notice for unpaid bills for treatment of his work-related back injury, which included large prescriptions of the controlled painkiller Oxycontin. “I’m looking at this bill, and I’m looking at my 3-week-old baby that can’t even hold his head up, and it’s just a sense of outrage,” said Andrew’s father, John Brooke, of Bothell, Wash., a suburb of Seattle. Likewise, Jo-Ann Davis knew there was a mistake when a cop greeted her at the pharmacy where she had gone to pick up a prescription in early 2005. “I’ve never even had a speeding ticket,” said Davis, a veterinary technician from Moon, Pa., near Pittsburgh. Medical providers, it turned out, thought Andrew and Davis were other people. Their medical identities had been stolen. These are not isolated incidents: In a report last year, the World Privacy Forum found that the number of Americans identifying themselves in government documents as victims of medical identity theft had nearly tripled in just four years, to more than a quarter-million in 2005. . . . http://www.msnbc.msn.com/id/17048911/
Real Risks - Healthcare ID theft reaches medical realmStolen health care creates headaches, incorrect medical charts, empty wallets By DEBBIE GILBERT - The Times Identity theft can be a nightmare. If somebody steals your credit card and makes purchases in your name, you may spend hours on the phone with banks and credit agencies trying to restore your financial reputation. But medical identity theft can be even worse. Victims lose more than just money; their very lives may be at stake. . . . . . . . . Armed with the victim's name, Social Security number or insurance plan number, a thief may try to use that information to get free health care. . . . More ominously, any procedures, tests or medications administered to the thief may become part of your permanent medical record. Next time you're admitted to a hospital, you may find that your chart lists the wrong blood type or says you are on medications that you've never taken. This can lead to medical errors, with potentially tragic consequences. . . . . World Privacy Forum, a nonprofit consumer education group, estimates that at least 250,000 Americans have been victimized. Some law enforcement officials believe the high cost of health insurance may be making this form of theft more attractive to criminals. http://www.gainesvilletimes.com/news/stories/20070107/localnews/148613.shtml
Real Risks - Media Gun Owners Irked By Newspaper Database PloyBy Fred Lucas CNSNews.com Staff WriterMarch 13, 2007 (Editor's note: The Roanoke Times on Monday night removed the online database of registered concealed handgun permit holders from its website until the Virginia State Police, which provided the information, can "verify" the data. "When we posted the information, we had every reason to believe that the data the State Police had supplied would comply with the statutes. But people have notified us that the list includes names that should not have been released,“. . . (CNSNews.com) - Virginia handgun owners are fired up over the publication of their names and addresses in a database posted online by a state newspaper.The database of every Virginia resident who holds a state-issued permit to carry a concealed handgun was posted on the Roanoke Times' website Sunday to accompany a column in the paper by Times editorial writer Christian Trejbal. "There are good reasons the records are open to public scrutiny," Trejbal wrote. "People might like to know if their neighbors carry. Parents might like to know if a member of the car pool has a pistol in the glove box. Employees might like to know if employers are bringing weapons to the office." http://www.cnsnews.com/ViewNation.asp?Page=/Nation/archive/200703/NAT20070313b.html
Real Risks - Government Audit: IRS loses 490 computersBy UPI Staff April 6, 2007 WASHINGTON (UPI) -- A government audit in Washington found that the personal information of more than 2,000 taxpayers has been compromised by lost or stolen computers since 2003. The audit, conducted by the Treasury Inspector General for Tax Administration, found that 490 Internal Revenue Service computers were lost or stolen in 387 incidents and the majority of the incidents were not reported to the IRS computer security office as regulations require, USA Today reported Thursday. The report said IRS laptops are not equipped with sufficient password controls and encryption software to protect taxpayer information and other data from unauthorized access. . .http://www.gopusa.com/news/2007/april/0406_irs_computers.shtml
Real Risks - Government HHS, GAO criticized over privacy reportby: Joseph Conn / HITS staff writerFebruary 5, 2007 Last week, the Government Accountability Office issued a mild rebuke to HHS over its handling of privacy and security issues while the department leads the federal effort to promote development of a national healthcare information network. Reaction to the GAO report within the privacy community was far more strident. In fact, both HHS and the GAO were zinged with criticism. The 52-page GAO report, issued Thursday, was the focus of discussion the following day in Washington at a meeting of the Senate subcommittee on federal government management, the federal workforce and the Senate Committee on Homeland Security and Governmental Affairs. The report criticized HHS for failing to establish “milestones” to measure progress in development of privacy protections and for not having a person or organization in charge of coordinating federal privacy policy initiatives. HHS disagreed with the GAO’s findings in a written rebuttal. http://www.modernhealthcare.com/apps/pbcs.dll/article?AID=/20070205/FREE/70205005/1029/newsletter020
Real Risks – Data Mining CONSUMER REPORTS INVESTIGATION WARNS YOUR PRIVACY IS FOR SALE Buyers include marketers, employers, government agencies and thieves; Consumer Reports offers tips to limit privacy invasion and thwart identify theft - October 2006 Issue - YONKERS, NY – The practices of commercial data brokers can rob consumers of their privacy, threaten them with identity theft and profile them as dead beats or security risks, according to an investigative report in Consumer Reports October Issue. Choice Point, LexisNexis and Acxiom are among the largest of the horde of data brokers that generate billions of dollars in revenue by selling sensitive and personal information about millions of Americans to paying customers, sometimes including crooks looking to cash in. CR’s three-month investigation concluded that current federal laws do not adequately safeguard American’s sensitive information, which is often collected and sold by data brokers. This information can include Social Security Numbers, phone numbers, credit card numbers, information about an individual’s prescription medication, shopping habits, political affiliations and sexual orientations. (Cont’d Next Slide)
Real Risks – Data Mining CONSUMER REPORTS INVESTIGATION WARNS YOUR PRIVACY IS FOR SALE (Cont’d) Among the most troublesome findings of CR’s investigation: There is no way an individual can find out exactly what data collectors are telling others; and the accuracy of that data is rarely verified. . . . CR’s investigation reveals the growth of the Internet has spawned data brokers that use deceptive practices to obtain sensitive and personal information about people and sells it to virtually anyone, sometimes with fatal consequences. . . . Personal, sensitive information can be obtained from several sources, most commonly are public records. Some data collectors hire researchers to visit courthouses and county clerks’ offices to retrieve information from paper records. However, a growing number of state and local governments are posting personal records online, making information gathering easier and increasing the potential for abuse. In addition, consumers themselves supply tons of data, often unwittingly, because information about purchases, donations, and memberships is now widely shared. . . . . . http://www.consumerreports.org/cro/cu-press-room/pressroom/2006/10/0610_eng0610pri_ov.htm?resultPageIndex=1&resultIndex=8&searchTerm=Privacy
Real Risks – Data Mining Courthouse for Sale – Cheap! How your private information ends up on computer screens in Pakistan, Nigeria, China and Russia. David Bloys - News for Public Officials Updated May 12th, 2006 In what could be the largest single transfer of a county asset to a private company in the history of Texas, Fort Bend County Clerk Dianne Wilson recently sold every document ever filed with the county clerk’s office to a Florida-based company. Red Vision paid the county approximately $2,000 to transfer twenty million records by USB cable. This may also be the cheapest price ever paid by a private company for the bulk purchase of document images held by a government agency. According to Wilson, this was just business as usual. In an interview with B.J. Pollack of the Fort Bend Herald she said she sells the records "every day" in bulk to companies like Red Vision and has since 1995. An asset that took Fort Bend County taxpayers 167 years to create and ten years to digitize was transferred to Florida in approximately 150 hours. Local taxpayers pay $1 a page for copies of their documents. Red Vision bought every document at the liquidation price of 10,000 pages for a dollar. With a mission to “revolutionize” the way banks, attorneys and title companies do business with local government, the company has more U.S. courthouses on its shopping list. . . . . http://www.davickservices.com/Courthouse%20for%20Sale%20-%20Cheap.htm
Real Risks – Data Mining States consider limits on medical data-mining By Joe Mullin, Associated Press Writer | April 7, 2007 CARSON CITY, Nev. --"Know your customer" has long been the mantra of salespeople. But this year, state lawmakers from New York to Nevada are wondering whether pharmaceutical company representatives know their physician customers too well. Lawmakers around the country are taking a hard look at datamining companies that keep detailed records on what prescription drugs are prescribed by nearly every doctor in the U.S. Their databases, updated weekly, are stripped of patient names and sold to the drug companies, who use the information to target their sales pitches to doctors. "Most doctors really don't know the level of detail" in the reports, said New Hampshire state Rep. Cindy Rosenwald, who sponsored a bill last year making her state the first in the nation to ban such use of the data. "I would say most doctors are shocked when they hear that drug reps really know everything they've written." The largest health datamining company, IMS Health, joined with Verispan LLC to challenge the New Hampshire law in federal court. A decision is pending after the trial ended Feb. 5. In Canada, IMS also has challenged a 2001 Alberta ban on releasing doctors' names. Besides Nevada and New York, other states that have considered similar bills this year include Arizona, Illinois, Kansas, Maine, Massachusetts, Rhode Island, Vermont, Washington, West Virginia and Texas. A federal bill was proposed last year, but died in committee. Proponents say drug companies use the data to manipulate doctors and aggressively market off-patent drugs, which drives up health care prices and improperly interferes with doctors' practices. . . . . http://www.boston.com/news/local/new_hampshire/articles/2007/04/07/states_consider_limits_on_medical_data_mining/
Real Risks – Data Mining Addressing the inevitable outcomes of privacy loss Article published Mar 14, 2007 Privacy tends only to be addressed from the possessor's perspective. Our approach seems to be to try to whoa the horse as it's leaving the barn. Data mining is one obvious side effect of a centralized health record. But the other half of the equation is how we control the inevitable results. Despite our best efforts, someone will find a "legitimate" alternate use for this data—national security comes to mind—and someone, somewhere, will pay for the otherwise innocent activity of seeking medical help with a lost job, lost loan or other lost opportunity. We must also address the results that follow from some unknown person's interpretation of confidential information. The danger lies not in the information being accessed, but in the consequences of someone's colored interpretation. Imagine background-checking companies looking at this information and reporting back to a hiring company that one of their candidates had an abortion and one didn't and, though they are otherwise equal, some subjective decision based on private information will destroy someone's career. We know from our experience with Social Security and credit information that, despite all the best intentions, business pressures will find a way into our medical data, and unknown, unregulated viewers will be judging us and finding us lacking. . . . http://www.modernhealthcare.com/apps/pbcs.dll/article?AID=/20070314/FREE/70313008/1031/FREE
Real Risks – Data Mining DHS must assess privacy risk before using data mining tool, GAO says The tool would be used to cull data for the fight on terrorism March 22, 2007 (Computerworld) -- A tool being developed by the U.S. Department of Homeland Security (DHS) to help it sift through large volumes of data in the search for terrorist threats poses several privacy concerns, the Government Accountability Office (GAO) warned in a report released yesterday. The agency also called on the DHS to conduct a privacy impact assessment of the tool immediately to help ameliorate those risks. The tool, called ADVISE, for Analysis, Dissemination, Visualization, Insight and Semantic Enhancement, is designed to cull very large databases and search for patterns, such as relationships between individuals and organizations, to ferret out suspicious people or activity. ADVISE is currently under development by the DHS. In its report, the GAO raised questions about whether ADVISE could erroneously associate individuals with terrorism because of faulty data, misidentify people with similar names and rely on data collected for other purposes. http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=9&articleId=9014068&intsrc=hm_topic
Real Risks – Personal Safety The Murder of Amy Boyer by Robert DouglasFar too often as we grapple with the issue of balancing the privacy of Americans with the necessary and legitimate uses of Americans’ personal information the debate centers on discussions of “data”, but not the lives behind the “data”. . . . . . . October of 1999 Amy Boyer, a young Nashua, New Hampshire woman, was leaving work with two co-workers. . . . As Amy said good-bye and closed her door, a car driven by Liam Youens sped up the street and . . . fired 11 bullets into the head and upper body of his unsuspecting 20 year-old victim. . . . . fired one last shot into his head, instantly killing himself . . . . . . . He openly planned Amy’s murder and the intended murder of others for more than a year. . . . . he documented his plans to murder Amy on a web site . . . . . . . . . evidence showed that Youens decided to ambush Amy as she left work. But Youens had a problem. He didn’t know where Amy worked. So he started using information brokers and private investigators that run Internet based operations that specialize in obtaining and selling personal information on Americans. In separate Internet transactions Youens purchased Amy’s date of birth, social security number, home address, and finally her place of employment. Youens himself was struck by how easily he was able to purchase Amy’s personal information while concealing his evil intent. . . . . From the Testimony of Robert Douglas, CEO, PrivacyToday.com to United State Senate Committee on the Judiciary Hearing on Securing Electronic Personal Data: Striking a Balance Between Privacy and Commercial and Governmental Use http://www.davickservices.com/murder_of_amy_boyer.htm
Real Risks - Business T.J. Maxx data theft worse than first reported Data stolen covers transactions dating as far back as December 2002 The Associated Press March 29, 2007 BOSTON - Information from at least 45.7 million credit and debit cards was stolen by hackers who accessed TJX’s customer information in a security breach that the discount retailer disclosed more than two months ago. TJX Cos., the owner of about 2,500 stores, said in a regulatory filing late Wednesday that about three-quarters of those cards had either expired at the time of the theft, or data from their magnetic strips had been masked — stored as asterisks rather than numbers. . . . http://www.msnbc.msn.com/id/17853440/ Data From T.J. Maxx Breach Connected To Florida Fraud By Martin H. BosworthConsumerAffairs.Com - March 22, 2007 Personal information stolen in the massive TJX data breach was used by thieves to make $8 million in purchases from Wal-Mart stores in Florida, according to authorities. http://www.consumeraffairs.com/news04/2007/03/tjx_florida.html
Who May Oppose Protection Businesses • Data Mining Companies • List Brokers • Marketing • Some Title Companies • IT Companies • Political Organizations Government -i.e. Some County Clerks Health Care Providers - Physicians & Hospitals Media - Freedom of Information Proponents
Legislative Protection FEDERAL LEGISLATION EXAMPLES • Social Security Act • Privacy Act • Health Insurance Portability & Accountability Act (HIPAA) • Family Educational Rights and Privacy Act Regulations (FERPA) • Fair Credit Reporting Act (FACTA) STATES • Public Information Acts • Health Legislation LIST OF STATE AND NATIONAL STATUTES PROTECTING PRIVACY • http://www.privacyrights.org/faq.htm
Protection - Issues CONSISTENCY OF LEGISLATION – A great number of statutes at Federal and State level have confusing or conflicting purposes ENFORCEMENT OF EXISTING LAWS IMMIGRATION – Lax Enforcement – 6th arrest practice SSN – Lax Enforcement – Standard practice to sell SSN’s HIPAA – Lax Enforcement – 28,000 complaints, no fines until 2007 CITIZEN AWARENESS – There is a lack of awareness of issues and what to do if information is misused and who is misusing it. MEDIA – Many in media underreport issues of personal information because of desire for access to all information in public domain LEGISLATORS – Business interests, some officials and media lobby legislators in favor loose enforcement. “Squeaky wheel syndrome”
CURRENT ISSUES – Texas AG Defines Problem [Attorney General] . . . Abbott, in his opinion, stressed the danger of identity theft and the potential for harm with the publication of individuals' Social Security numbers. . . . "Indeed, it is universally agreed that Social Security numbers are at the heart of identity theft and fraud," said Abbott, "and in today's Internet world where information - including public government information - can be instantly and anonymously obtained by anyone with access to the worldwide web, the danger is even greater.". . . . Abbott stated that while Social Security numbers may be included on documents considered public record, they should be redacted . . . before they are distributed.Furthermore, Abbott pointed out that the release of Social Security numbers does not advance the aims of the Public Information Act because it "does not serve the purpose of openness in government in any forseeable way".The statute . . . Section 552.147, was created by the Texas Legislature in 2005. http://www.herald-coaster.com/articles/2007/02/23/news/top_story/topstory.txt
CURRENT ISSUES – LEGISLATION RECENT TEXAS LEGISLATION REDUCING PROTECTION HB 2061 – Passed by Texas House and Senate, signed by Governor in March of 2007. Protects County Clerks who post SSN’s on internet and sell records to list brokers by declaring SSN’s contained in Clerk’s records to be not protected under PIA and also eliminates exposure to Clerk’s of criminal prosecution or civil suits for releasing SSN’s. Citizen’s given the right to ask for SSN redaction IF can identify in writing where their information is located and ask for redaction. Allows posting of unredacted information and bulk sale of documents.
BETTER PROTECTION CITIZENS CAN REALIZE BETTER PROTECTION: • BE AWARE OF THE NEED FOR PROTECTION • OFFICIALS CAN ELIMINATE BULK SALE OF UNREDACTED PUBLIC RECORDS • STRICTLY CONTROL ONLINE ACCESS TO PUBLIC RECORDS ON INTERNET • STREAMLINE LAWS FOR EASIER IMPLEMENTATION OF PRIVACY POLICIES • AUDIT FOR COMPLIANCE WITH FEDERAL AND STATE PRIVACY REGULATIONS • ENFORCE THE EXISTING LAWS • MAKE LEGISLATORS AWARE OF CITIZEN CONCERNS • ASK FOR STRONG LEGISLATIVE ACTION • REQUIRE “BEST BUSINESS” PRIVACY PRACTICES • RECOMMEND EFFECTIVE USE OF TECHNOLOGY
RESOURCES Personal Information Complaints Resources . . . Financial, Identity Theft or Fraud Local District Attorney & AG http://www.privacyrights.org/fs/fs17a.htm Social Security Number Misuse US Attorney Local District Attorney & AG http://www.privacyrights.org/fs/fs10-ssn.htm Misuse Health Information Office or of Civil Rights & Dept. Of Justice http://www.hhs.gov/ocr/privacyhowtofile.htm AG & Local DA CONTACT INFORMATION FOR STATE & COUNTY OFFICIALS http://www.capitol.state.tx.us/Home.aspx http://www.naco.org/Template.cfm?Section=Find_a_County&Template=/cffiles/cou GENERAL INFORMATION http://www.epic.org/ http://www.consumersunion.org/campaigns/financialprivacynow/learn.html http://www.privacyrights.org/ http://www.privacyrights.org/ar/ChronDataBreaches.htm