Tag Archives: Data Breach

Mobile App Developers Must Comply with California Online Privacy Protection Act by November 29

Effective November 29, 2012, all mobile application developers with “apps” available in California must be in compliance with the California Online Privacy Protection Act, according to a press release issued by  Attorney General Kamala D. Harris on October 30, 2012. The Attorney General formally notified up to 100 mobile app developers with ‘Notice of Non-Compliance with California Online Privacy Protection Act’ letters that they had 30 days to “conspicuously post a privacy policy within their app that informs users of what personally identifiable information about them is being collected and what will be done with that private information.” The press release is available at http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-notifies-mobile-app-developers-non-compliance. Continue reading

Small Business Data Protection Survey Finds 85 Percent of Small Businesses Believe Data Breach Unlikely

According to The Hartford Small Business Data Protection Survey, an overwhelming 85 percent of small business owners believe a data breach is unlikely and many do not implement security measures to help protect customer or employee data, this despite the fact that the number of data breaches involving smaller businesses is growing. For more information about the survey from The Hartford, visit: http://newsroom.thehartford.com/News-Releases/Small-Business-Owners-Despite-Being-Increasingly-Targeted-Believe-Data-Breach-Unlikely-50c.aspx. Continue reading

Larger Background Screening Companies Continue the Move to Offshore Processing of Background Check Reports

According to a report from the Associated Press (AP), a Minneapolis, Minnesota-based Consumer Reporting Agency (CRA) that performs employment screening for businesses will close two offices in South Dakota by the end of the year and move those jobs to new sites in Arizona, India, and the Philippines. The AP reports that the company, one of the largest background screening suppliers in the country, says the closings in Aberdeen, South Dakota and Mitchell, South Dakota are due to restructuring and will affect approximately 140 workers. The AP story is the latest case of a large U.S. background screening company “offshoring” the processing of background checks to foreign countries. Continue reading

FTC Report on Protecting Consumer Privacy Recommends Businesses Adopt Best Privacy Practices

The Federal Trade Commission (FTC) has issued a final report – ‘Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers’ – outlining best practices for businesses to protect the privacy of American consumers and give them greater control over the collection and use of their personal data, according to an FTC press release. The FTC also recommends that Congress consider enacting general privacy legislation, data security and breach notification legislation, and data broker legislation. The report, which expands on a preliminary report the FTC issued in December 2010, is available at: http://www.ftc.gov/os/2012/03/120326privacyreport.pdf. Continue reading

Dangers of Background Check Firms Offshoring Personal Data of Americans Outside of US Revealed in Whitepaper

To alert U.S.-based employers and job seekers about the potential dangers caused by background check firms “offshoring” Personally Identifiable Information (PII) to countries such as India and the Philippines, Employment Screening Resources (ESR) is offering a new whitepaper on the subject. The whitepaper written by ESR founder and CEO Attorney Lester Rosen is titled ‘The Dangers of Offshoring Personally Identifiable Information (PII) Outside of United States’ and details the hazards of sending PII to counties that are well beyond the reach of U.S. privacy and identity theft laws. The complimentary whitepaper is available at: http://www.esrcheck.com/Download/. Continue reading

European Data Protection Regulation Overhaul Proposed by European Commission

To help individuals enjoy effective control over their personal information, an extensive January 2012 proposal by the European Commission for a new General Data Protection Regulation aims to strengthen and bring into harmony data protection law across Europe. A Communication from the Commission, ‘Safeguarding Privacy in a Connected World – A European Data Protection Framework for the 21st Century,’ is at: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0009:FIN:EN:PDF. Continue reading

Three Credit Report Resellers Settle FTC Charges for Not Protecting Personal Information of Consumers

By Lester Rosen, Employment Screening Resources (ESR) President & Thomas Ahearn, ESR News Editor

In the Federal Trade Commission’s (FTC) first cases against credit report resellers for the data security failures of their clients, three companies that resell credit reports of consumers have agreed to settle FTC charges that they did not take reasonable steps to protect personal information of consumers and allowed computer hackers to access that personal information, according to a recent news release from the FTC.

Administrative complaints issued by the FTC showed the three credit report resellers bought credit reports from the three nationwide consumer reporting agencies – Equifax, Experian, and TransUnion – and added them to reports to sell to determine eligibility for credit of consumers. Because these three resellers allegedly allowed clients to access these reports without basic security measures such as firewalls and updated antivirus software, hackers accessed more than 1,800 credit reports without authorization through the computer networks of clients. The three credit report resellers also allegedly did not make reasonable efforts to protect against future security even after becoming aware of these data breaches.

The three credit report resellers are charged with violating the Fair Credit Reporting Act (FCRA) by:

  • Failing to protect their internet portals and thereby furnishing credit reports to hackers who lacked a permissible purpose to have them,
  • Failing to maintain reasonable procedures to limit the furnishing of credit reports for such purposes, and
  • Furnishing credit reports when they had reasonable grounds for believing the reports would not be used for a permissible purpose.

The failure of the three credit report resellers to protect personal information of consumers also allegedly violated the FCRA. In addition, the credit report resellers allegedly violated the Gramm-Leach-Bliley Safeguards Rule by failing to:

  • Design and implement information safeguards to control the risks to consumer information;
  • Regularly test or monitor the effectiveness of their controls and procedures; to evaluate and adjust their information security programs in light of known or identified risks; and
  • Have comprehensive information security programs.

The proposed settlement, part of the ongoing campaign of the FTC to protect the personal information of consumers, would require the three credit report resellers to:

  • Have comprehensive information security programs designed to protect the security, confidentiality, and integrity of the personal information of consumers, including information accessible to clients;
  • Obtain independent audits of their security programs, every other year for 20 years;
  • Furnish credit reports only to those with a permissible purpose; and
  • Maintain reasonable procedures to limit the furnishing of credit reports to those with a permissible purpose.

These cases show that the FTC will call for imposition of civil penalties against resellers of consumer reports who do not take adequate measures to fulfill their obligations to protect information contained in consumer reports as required by the FCRA. These cases also send a strong message that companies giving their clients online access to sensitive information of consumers must have reasonable procedures to secure that information.

Consumer protection through data security makes up a critical part of the National Association of Professional Background Screeners (NAPBS) accreditation process. Since its founding in 2003, the NAPBS has believed that there is a strong need for a singular cohesive industry standard and created the Background Screening Agency Accreditation Program (BSAAP). Governed by a strict professional standard composed of requirements and measurements, the BSAAP is becoming a widely recognized seal of approval that brings national recognition to background screening organizations – also referred to as Consumer Reporting Agencies (CRAs) – that will stand as the industry “seal” representing a background screening organization’s commitment to excellence, accountability, high professional standards, and continued improvement.

The NAPBS Background Screening Credentialing Council (BSCC) oversees the application process and is the governing accreditation body that will ensure the background screening organizations seeking accreditation meet or exceed a measurable standard of competence. To become accredited, a CRA must pass an onsite audit of its policies and procedures as they relate to six critical areas of the BSAAP:

  • ‘Section 1: Consumer Protection’ includes standards for: Information Security Policy; Data Security; Intrusion, Detection and Response; Stored Data Security; Password Protocol; Electronic Access Control; Physical Security; Consumer Information Privacy Policy; Unauthorized Browsing; Record Destruction; Consumer Disputes; Sensitive Data Masking; and Database Criminal Records.
  • ‘Section 2: Legal Compliance’ includes standards for: Designated Compliance Person(s); State Consumer Reporting Laws; Driver Privacy Protection Act (DPPA); State Implemented DPPA Compliance; Integrity; Prescribed Notices; and Certification from Client.
  • ‘Section 3: Client Education’ includes standards for: Client Legal Responsibilities; Client Required Documents; Truth in Advertising; Adverse Action; Legal Counsel; Understanding Consumer Reports; and Information Protection.
  • ‘Section 4: Product Standards’ includes standards for: Public Record Researcher Agreement; Vetting Requirement; Public Record Researcher Certification; Errors and Omissions Coverage; Information Security; Auditing Procedures; Identification Confirmation; and Jurisdictional Knowledge.
  • ‘Section 5: Service Standards’ includes standards for: Verification Accuracy; Current Employment; Diploma Mills; Procedural Disclosures; Verification Databases; Use of Stored Data; Documentation of Verification Attempts; Outsourced Verification Services; Conflicting Data; Professional Conduct; and Authorized Recipient.
  • ‘Section 6: General Business Practices’ includes standards for: Character; Insurance; Client Credentialing; Vendor Credentialing; Consumer Credentialing; Document Management; Employee Certification; Worker Training; Visitor Security; Employee Criminal History; Quality Assurance; and Certification.

Employment Screening Resources (ESR) is formally recognized as accredited by the National Association of Professional Background Screeners (NAPBS) Background Screening Credentialing Council (BSCC) for successfully proving compliance with the Background Screening Agency Accreditation Program (BSAAP). For more information, visit Employment Screening Resources (ESR) at http://www.ESRcheck.com

Source:
http://ftc.gov/opa/2011/02/settlement.shtm

New Security Survey Finds Nearly One-Third of Healthcare Organizations Had At Least One Known Case of Medical Identity Theft

By Thomas Ahearn, ESR News Blog

A new survey released in November on security at healthcare organizations has revealed that nearly one-third of respondents said their healthcare organization had at least one known case of medical identity theft, and that some cases the medical identity theft may never be reported.

According to the 3rd Annual Healthcare Information and Management Systems Society (HIMSS) Security Survey, sponsored by Intel, while approximately two-thirds of respondents reported that their healthcare organization had policies and procedures in place addressing security breaches, almost one-third of respondents (31 percent) reported that their healthcare organization had at least one known case of medical identity theft.

Overall, the HIMSS Survey – which interviewed 272 Information Technology (IT) and security professionals at hospitals and medical practices – found that medical practices lagged behind hospitals in nearly every measure of healthcare IT implementation and security. For example:

  • Only 17 percent of respondents working for a medical practice were likely to report a security breach such as medical identity theft at their healthcare organization compared to 38 percent of respondents working for a hospital organization.
  • One-third of medical practices reported they did not conduct a risk analysis.

For the survey, ‘medical identity theft’ was identified as “the use of an individual’s identity-specific information such as name, date of birth, social security number, insurance information, etc. without the individuals’ knowledge or consent to obtain medical services or goods. It may also extend to cases where an individual’s beneficiary information is used to submit false claims in such a manner that an individual’s medical record or insurance standing is corrupted, potentially impacting patient care.”

The 3rd Annual HIMSS Security Survey, sponsored by Intel and supported by the Medical Group Management Association (MGMA), reports the opinions of IT and security professionals from U.S. healthcare provider organizations on issues surrounding the tools and policies in place to secure electronic patient data at healthcare organizations from security breaches such as medical identity theft.

For more information about identity theft, read the Employment Screening Resources (ESR) News Blog stories tagged ‘identity theft’ at http://www.esrcheck.com/wordpress/tag/identity-theft/.

Employment Screening Resources (ESR) is the company that wrote the book on background checks with ‘The Safe Hiring Manual’ by ESR founder and President Lester Rosen. ESR is recognized as Background Screening Credentialing Council (BSCC) Accredited by the National Association of Professional Background Screeners (NAPBS®) for proving compliance with the Background Screening Agency Accreditation Program (BSAAP). For more information about Employment Screening Resources, visit http://www.ESRcheck.com.

Source:
http://www.himss.org/content/files/2010_HIMSS_SecuritySurvey.pdf