News

MetLife: Female Execs Fear Retirement
About 62% of high-income women question whether they will ever have enough savings to retire.

Researchers at the MetLife Mature Market Institute, Westport, Conn., an affiliate of MetLife Inc., New York (NYSE:MET), and the Women's Institute for a Secure Retirement, Washington, have published that finding in a summary of an online survey of U.S. women ages 45 to 70...

Data Theft Case Settles
The Los Angeles Times reports that Bank of America, which took over Countrywide in 2008, has settled more than 30 lawsuits concerning allegations that 17 million customers were put at risk of identity theft and fraud. According to the Los Angeles Times, former Countrywide employee Rene Rebollo allegedly "downloaded customer files, including Social Security numbers, from the company's computers onto thumb drives and sold the information to employees of other mortgage lenders for use as sales leads". Bank of America does not admit wrongdoing, but has reportedly agreed to "provide free credit monitoring, identity theft insurance and reimbursement for losses [up to US$50,000]".
According to the Los Angeles Times, California Office of Privacy Protection chief Joanne McNabb said that the case was "disconcerting", as employee theft, rather than accident or oversight, was the cause.
Los Angeles Times: Bank of America settles Countrywide data theft suits (24 August 2010)
(Source: Los Angeles Times)


Robocall Marketer Fined Millions
The Federal Trade Commission (FTC) has announced that settlements have been reached with Damian Kohlfeld and his companies Voice Foundations and Network Foundations, after allegations that consumers were bombarded with millions of illegal prerecorded telemarketing calls. Mr Kohlfeld will pay more than US$2.2 million, must liquidate his investments of US$130,000 and sell his car to recompense consumers, and Network Foundations will pay US$50,000. Mr Kohlfeld is also barred from engaging in telemarketing in the future.
FTC chairperson Jon Leibowitz said that the settlement was a clear message that "telemarketers who violate the privacy of ordinary Americans will have to pay the price".
FTC's media release (23 August 2010)
(Source: FTC)


Government Seeks Stronger Health Privacy Rules
The New York Times (NYT) reports that the Department of Health and Human Services decided to retract proposed medical privacy rules in July 2010 because of growing concern that the rules would not adequately protect patients' rights. The rules were reportedly intended to clarify mandatory notification of security breaches affecting health information, and would specify "when doctors, hospitals and insurers must tell patients about the improper use or disclosure of information in their medical records". Privacy advocates and consumer groups are particularly concerned that such breaches and misuse appear to be more common, owing to the rise of information technology in health care, reports the NYT. The Privacy Rights Clearinghouse (PRC) reportedly claims that "more than five million people have been affected by breaches of medical information in the last 18 months".
The proposed rules had reportedly required health providers to assess whether the breach posed a "significant risk" to the individuals concerned, although debate ensued as to whether this unfairly benefits the interests of providers versus those of patients. PRC director Beth Givens reportedly argued that "hospitals and insurers were often reluctant to notify patients" for reputational reasons, and might not deem a breach to be "significant".
NYT: Tighter Medical Privacy Rules Sought (22 August 2010)
(Source: NYT)


Breach Notification Law Proposed
California state Senator Joe Simitian introduced SB 1166, which proposes mandatory notification of security breaches, into the Senate on 19 August 2010. If passed, the Bill would apply to businesses and agencies operating in California which deal with computerised personal information of California residents. The Bill would also impose requirements for the form and content of the security breach notification, and would require covered entities to notify the state Attorney General if more than 500 residents are affected. The Bill would not apply to encrypted information, or to information which is not reasonably thought to have been accessed by an unauthorised person.
(Source: California State Senate)


Law Protects Workers' Credit History
Illinois Public Act 096-1426: Employee Credit Privacy Act was enacted on 10 August 2010. The Act prohibits employers from discriminating against candidates or employees on the basis of their credit history, and prohibits employers from carrying out credit checks on candidates or employees. The Act takes effect from 1 January 2011.
Related news item:
Chicago Tribune: New state law bans employer credit checks in hiring (10 August 2010)
(Source: Illinois General Assembly; Chicago Tribune)


Notifications Issued After Laptop Theft
The New Haven Register reports that Yale School of Medicine is notifying around 1,000 people after a laptop was stolen in July 2010. The laptop, which was password protected but not encrypted, reportedly contained patients' health details, although there is "no indication that any individual information on the computer has been misused". Massachusetts Attorney General Richard Blumenthal is reportedly investigating the incident to ascertain whether state or federal laws have been breached, whilst Yale and New Haven police investigations are also continuing. According to the New Haven Register, Yale School of Medicine is also working with state and federal authorities.
Yale School of Medicine dean Robert Alpern reportedly said that privacy is of "paramount importance" and "we are moving to introduce immediately several security upgrades".
New Haven Register: Stolen Yale laptop held patient data; Blumenthal investigating breach (19 August 2010)
(Source: New Haven Register)

United Kingdom

Record Fine After Outsourced Customer Info Lost
The Financial Services Authority (FSA) has announced that it has issued a Final Notice (19 August 2010) to Zurich Insurance (Zurich UK), imposing a record £2,275,000 fine after the insurer lost 46,000 customers' details in 2008. The information included "identity details, and in some cases bank account and credit card information, details about insured assets and security arrangements". The breach put customers at risk of identity theft and fraud, although no misuse has been reported so far.
The incident arose after Zurich UK outsourced some data processing operations to a related company in South Africa, which consequently lost an unencrypted back-up tape. No procedures were in place to report such losses to Zurich UK, and so the breach was not discovered for a year.
The FSA concluded that the breach arose because Zurich UK:

  • "failed to take reasonable care to ensure it had effective systems and controls to manage the risks relating to the security of customer data resulting from the outsourcing arrangement"; and
  • "failed to ensure that it had effective systems and controls to prevent the lost data being used for financial crime".

Consequently, the FSA concluded that Zurich UK had breached Principle of Business 3 (management and control), and rr. 3.1.1 and 3.2.6 of the Senior Management Arrangements, Systems and Controls rules. The fine was discounted by 30% after Zurich UK agreed to settle, and would otherwise have amounted to £3.25 million. Zurich UK chief executive Stephen Lewis advised that the firm has appointed KPMG to undertake a "comprehensive review of our data security systems and procedures and [Zurich UK has] ... taken a number of steps designed to enhance those procedures". Zurich UK is also appointing a dedicated information security officer "to provide assurance that appropriate measures are in place and that they will continue to be effective", thereby enhancing customer confidence.
FSA enforcement and financial crime director Margaret Cole said that "[f]irms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made".
Zurich UK's media release (23 August 2010)
FSA's media release (24 August 2010)
Related news item:
The Guardian: Zurich Insurance fined £2m for losing customer details (24 August 2010)
(Source: FSA; Zurich UK; The Guardian)


Data Left at Bus Stops and Skips
The Information Commissioner's Office (ICO) has announced that the following bodies have agreed to undertakings, following breaches of the Data Protection Act 1998 (both undated):

  • Royal Wolverhampton Hospitals NHS Trust, after a CD containing 112 patient records was found at a nearby bus stop. The CD was not password protected or encrypted, and investigations did not explain why the disc had ever been created. The Trust has agreed to "implement a number of security measures to protect personal information more effectively", and policy compliance will be subjected to continuous monitoring; and
  • DSG Retail, after customers' credit agreements were found "in or near a skip at one of the company's PC World stores". The documents had been retained by the company for longer than necessary, and the company's policy for secure document disposal had not been followed. DSG Retail has agreed to review its security procedures and will provide appropriate staff training on how to comply with company security policies.

ICO's media release #1 (24 August 2010)
ICO's media release #2 (25 August 2010)
(Source: ICO; legislation.gov.uk)


Consumers Give Cold Callers Cold Shoulder
BBC News reports that a Which? survey has found that 75% of respondents want cold-calling to be banned. Householders who object to the calls are reportedly advised to opt out by registering with the Telephone Preference Service. Which? spokesperson Ceri Stanaway reportedly added that if businesses do not respect a person's preference, the ICO or Ofcom should be informed.
BBC News reports that the Direct Marketing Association argued that the telemarketing industry had improved its practices, but conceded that improvements could be made.
BBC News: Cold callers 'should be banned', Which? survey finds (25 August 2010)
(Source: BBC News)