Update: Schnucks Data Breach Exposed 2.4 Million Cards

Back in March 2013, this blog reported about the Schnucks supermarket data breach. On Monday, the St. Louis Business Journal reported:

"Over a three-month period, up to 2.4 million credit and debit cards used at 79 Schnucks stores may have been compromised..."

Two civiil lawsuits have been filed against the company. Now we know more than we did in March. Still, not good.

The Words Organizations Use In Their Data Breach Notices

What words do organizations use frequently in breach notification letters and announcements? To better understand this, I used the Wordle tool to create word clouds from several actual, high-profile breach notifications during the past six months. The tool gives more prominence to words that appear more frequently.

Some breach notices were blog posts, some were press releases, some were web pages in a small website specifically about that data breach, and others were letters shared with state agencies, as required by law in some states. I wanted to see what words were frequently used and any variations.

A word cloud from the February 2013 breach notice by Twitter:

 

A word cloud from the February 2013 breach notice by GE Capital Retail Bank (Adobe PDF):

A word cloud from the February 2013 breach notice by Walgreens drug stores (Adobe PDF):

A word cloud from the January 2013 breach announcement by the Experian credit reporting agency (Adobe PDF):

A word cloud from the January 2013 breach announcement by Zaxby's restaurants:

A word cloud from the November 2012 breach notice by Pinnacle Foods:

A word cloud from the November 2012 breach notice by Nationwide Insurance:

Clearly, there is a lot of variety. Some words (e.g., information, report, credit, security) appear frequently within and across breach notices. Some breach notices feature the company name prominently while others don't. While the words may vary, basic information about the breach is presented pretty consistently: organization name, relevant dates, the types of individuals affected (e.g., members, employees, students), and what that organization calls the notice.

A lot of this is mandated by state breach notification laws. Depending upon local laws, the notification may be sent to affected individuals, a public notice, or both.

The content that varies seems to be the amount of detail disclosed about he cause of the data breach, and the resources for breach victims. The resources vary based on the type of data stolen. For example, when consumers' Social Security numbers have been stolen. the notices frequently mention the major credit reporting agencies. This is what I have seen frequently in both breach notices I have received and others I have read.

An exception seems to be the GE notice which only mentions a single credit reporting agency. Sometimes, the resources to help breach victims are in a separate document or website page. So, this will affect the words used in the actual breach notice.

Sadly, the credit reporting agencies experience data breaches, too. Since they specialize in information about individuals, you might think that they don't experience data breaches, but they do. The FTC has studied the accuracy of credit reports, and many people feel that credit reporting agencies should do a lot more to fix the errors in their consumer credit reports.

What do you think of data breach notices? How many breach notices have you received?

Facebook Hacked. Site Says User Data Not Compromised

In case you were away for the long weekend and missed it, on Friday Facebook.com announced via its website that it had been hacked:

"Last month, Facebook Security discovered that our systems had been targeted in a sophisticated attack. This attack occurred when a handful of employees visited a mobile developer website that was compromised. The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops. The laptops were fully-patched and running up-to-date anti-virus software. As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues... We have found no evidence that Facebook user data was compromised."

This means that the old saying still applies: a chain is only as strong as its weakest link. In this case, your sensitive personal information on a social networking site is only as secure as the weakest (mobile or website) app developer.

Data Breach At Nationwide Insurance Affects More Than 28,000 Consumers In Georgia

On Monday, the State of Georgia Insurance Commissioner (GADOI) confirmed a data breach at Nationwide Insurance. Hackers gained unauthorized access to private and sensitive information at the company's online computers.

The announcement contained few details. It did not list the specific personal data elements stolen or exposed, nor explain how the breach happened and what the insurance company is doing so this breach won't happen again.

About 28,467 Georgia residents and policyholders were affected. The insurance company has agreed to:

• Provide the GADOI with copies of written breach notices sent to affected consumers,
• Set up a toll-free phone number (800-760-1125) for breach victims to ask questions, and
• Provide breach victims with at least one year of free credit monitoring services

Some news sources reported that the F.B.I. is investigating the breach. Another news source reported that names, birth dates, drivers license numbers, and marital statuses were stolen. Given the personal data elements stolen, the hackers can do damage.

This is not the first data breach at Nationwide. A check of the breach database at Privacy Rights Clearinghouse found that the insurance company had two small breaches (Florida and New York) during 2007 where laptops containing sensitive personal information were stolen from employee's cars. In 2006, Nationwide was one of severalinsurers affected by a lockbox theft at Concentra Preferred Systems in Ohio.

The insurance company has not disclosed the number of affected consumers in other states. More details will emerge and the number of breach victims will most likely increase since several states require notice of data breaches.

NASA Data Breach Affects About 10,000 Employees And Contractors

Last week, the National Aeronautics and Space Administration (NASA) announced a data breach on October 31 where an employee's laptop computer was stolen from a locked car. The laptop contained the sensitive personal information for about 10,000 employees and contractors.

NASA first notified all of its employees in an e-mail message. The agency has contracted with ID Experts to provide free credit monitoring and fraud resolution services for breach victims. In the e-mail message, the agency warned that it make take up to sixty (60) days to notify all affected persons.

The stolen laptop was password protected, but did not have full disk encryption. As a result of the data breach, the agency has mandated that any laptops removed the its offices contain full disk encryption:

"The Administrator and the Chief Information Officer (CIO) have directed that, effective immediately, no NASA-issued laptops containing sensitive information can be removed from a NASA facility unless whole disk encryption software is enabled or the sensitive files are individually encrypted. This applies to laptops containing PII, International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) data, procurement and human resources information, and other sensitive but unclassified (SBU) data."

The agency expects to encrypt all laptops by by December 21, 2012 after which any laptops removed from its offices will have all data encrypted, whether or not that laptop contains sensitive information.

Mintz Levin Updates Its Listing of States Data Breach Notification Laws

Recently, Mintz Levin updated its listing of states data breach notification laws. The listing, often referred to as the "Mintz Matrix" (Adobe PDF), summarizes the data breach notification laws for 46 states, plus the District of Colombia, the U.S. Virgin Islands, and Puerto Rico.

Within the past few months, the states of Texas and Connecticut have amended their breach notification laws. Alabama, Kentucky, New Mexico and South Dakota do not have any laws about data breach notifications.

Breach notification laws typically describe the kinds of data elements (e.g., Social Security number) that comprise consumers' sensitive personal information, the format (e.g., paper, electronic) of information covered by the laws, the types of information that must be encrypted, the types of businesses and government entities covered by the state's law, and both the time period and methods by which notification must be provided to consumers affected by the data breach.

Mintz Levin is a law firm focusing upon general business, intellectual property, biotechnology, litigation, telecommunications, regulatory issues, and financial planning. Earlier this month, former Massachusetts Governor William F. Weld joined the firm.

South Carolina Officials Say 657,000 Businesses Also Affected By Data Breach

The South Carolina data breach that affected 3.6 million consumers is more extensive than originally announced. On Wednesday October 31, state updated their breach announcement with 657,000 businesses also affected. The update also included 620,000 phone calls to Experian by consumers seeking breach information, and about 418,000 consumers have signed up for one year of free Experian ProtectMyID service.

The State also expanded the assistance it is providing both businesses and individuals affected by the breach. Starting today, Friday, South Carolina offers for free to businesses that have filed a state tax return since 1998 the CreditAlert services from Dun & Bradstreet Credibility Corporation. CreditAlert will notify business customers of changes to their business credit file, such as a business address change, or a company officer change. Business owners can visit www.dandb.com/sc/ or call CreditAlert customer service toll free at 1-800-279-9881.

The state is also offering to affected South Carolina businesses the Business Credit Advantage from Experian, which provides unlimited access to a company’s business credit report and score. Interested businesses can sign up for Business Credit Advantage at www.smartbusinessreports.com/SouthCarolina. Businesseshave until December 1, 2012 to sign up.

The state also announced expanded assistance for individuals. Free fraud resolution services are extended past one year, and individuals with children can sign up for the "Family Secure Plan" to protect the Social Security numbers and sensitive personal information of minors and children also exposed/stolen during the data breach. Consumers have until January 31, 2013 to sign up.

The fact that businesses were also found to have been impacted by the breach, suggests that the breach inivestigaton is ongoing: determining the entitites affected, the data elements stolen, and how the unauthorized access and theft was performed technically. As reported by The State:

"Like other S.C. taxpayers, state businesses will be able to get free credit monitoring. But companies will get longer coverage. Businesses that have filed state taxes since 1998 can sign up for lifetime record monitoring from Experian starting [Thursday] and Dun & Bradstreet starting Friday. Consumers can get one year of monitoring and insurance from Experian, paid for by the state."

Why the longer coverage for businesses? The threat to both from identity criminals does not magically end after one year. Of course, businesses have more money, on average, than individuals. I look forward to hearing more from the state about why they chose to give businesses longer coverage for free. It suggests that the state has not finished improving its data security methods and systems.

If you are new to the issue of identity theft and fraud, then the alert services and credit monitoring service will likely help you get started and learn how to protect your sensitive personal information. However, it won't stop all identity fraud, so the value is in the fraud resolution services.

Are you a South Carolina resident or business owner? We'd like to hear about your experiences with the ProtectMyID, CreditAlert, or Business Credit Advantage services.

Massive Data Breach In South Carolina Affects 3.6 Million Consumers

With all of the news and focus on hurricane Sandy, you may have missed this news item. On Friday October 26, the South Carolina Department of Revenue (DOR) announced a data breach where a hacker accessed and stole information affecting 3.6 million consumers, or about 77% of the state's population. The breach victims include consumers who have filed a state tax return since 1998.

The data stolen included 3.6 million Social Security numbers, and 387,000 debit- and credit-card numbers. All except 16,000 credit card numbers were encrypted. None of the Social Security numbers were encrypted.

On October 10, the state's Division of Information Technology informed the DOR of a "potential cyber attack." With the recommendation of law enforcement, the DOR contracted with Mandiant, an information security company, to help with the breach investigation, secure the computer system, and install new equipment and software for stronger protections.

On October 16, breach investigators discovered two breaches during September and one during August. On October 20, weaknesses in the state's computer systems were closed. The state has arranged for one year of free credit monitoring and fraud resolution services with Experian ProtectMyID. Affected consumers should contact ProtectMyID online or via phone (1- 866-578-5422) to see if there personal information was stolen.

By Monday October 29, about 455,000 consumers had called Experian, and about 154,000 had signed up for the ProtectMyID service. However, there have been problems and criticism of the state's response to the data breach. The complaints by consumers trying to call Experian (to see if their information was stolen) included busy phone signals, recordings, no answer, and long waits on hold.

Callers who got through successfully to Experian received a code so they could sign up online for ProtectMyID. At a Monday October 29 press conference, South Carolina Governor Nikki Haley announced the code so breach victims could sign up online for the ProtectMyID service.

If you were affected by the South Carolina data breach, please share your opinions about the state's response or the ProtectMyID service.

Massive Data Breach At TD Bank Affects 260,000 Consumers

Several news outlets have reported about a massive data breach at TD Bank, affecting about 260,000 persons from Maine to Florida. The affected consumers include 35,000 in Maine, 3,000 in Florida, 73,000 in Massachusetts, and 43,000 in New Hampshire. According to the CBS affiliate in Philadelphia, most breach victims -- about 150,000 -- are in states in the New England region of the USA.

The bank is notifying affected customers via letters. In a breach notice sent to the New Hampshire Attorney General (Adobe PDF), the bank said:

"We have determined that personal information of New Hampshire residents was included on two data backup tapes that we shipped to one of our locations in late March 2012. The tapes have been missing since then, and we have been unable to locate them..."

The sensitive personal information exposed/stolen includes full names, addresses, Social Security numbers, bank account numbers, birth dates, and driver's license numbers. The bank is offering breach victims with one year of free credit monitoring services via ITAC Sentinel Plus.

In a statement, Martha Coakley, the Massachusetts Attorney General, said:

"The loss of these tapes potentially puts the personal information of thousands of Massachusetts consumers at risk, and we remind consumers to take appropriate steps to protect themselves... We will be reviewing the circumstances of this breach and the steps that TD Bank is taking to address the loss.”

A close review of the bank seems appropriate, since banks are not supposed to lose things, since they are entrusted with valuable items. And, this is not the bank's first data breach:*

• March 2011: "insider identity theft" involving an employee that sold the account information of about about 10 customers causing about $39,000 in fraudulent charges 
• March 2010: a fraud ring, using a former employee, stole and sold the account information of customers to accomplices who then stole about $200,000 from bank accounts

This breach sounds similar to what I experienced in 2007 with IBM, where computer data tapes were lost or stolen during shipment from its headquarters fo an off-site storage facility. That breach sounded like theft, as does the recent TD Bank breach. Vendors don't just accidentally lose computer tapes. Misplace them, perhaps. Lose, no.

Things I noticed in the TD Bank breach notice to its affected customers lacked:

• If a vendor or contractor was involved with transporting the missing/stolen computer data tapes, the corrective actions the bank is taking with this vendor to avoid a repeat of this breach
• If an employee was involved with transporting the missing/stolen computer data tapes, the internal employee training and data security methods is taking to avoid a repeat of this breach. Sadly, there are numerous breaches where company employees left data tapes unsecured in parked autos.
• Notice about how results of its breach investigaton will be communicated to breach victims
• Whether or not the data on the tapes was encrypted; and if it wasn't encrypted why not
• An explanation of why only 12 months of free credit monitoring, when the usability of stolen personal information is far longer

*Note: breach history from Privacy Rights Clearinghouse.

Massive Data Breach At Northwest Florida State College Affects About 300,000 Persons

Last week, officials at Northwest Florida State College (NWFSC) announced a data breach that affected more than 275,00 persons. The affected persons include about 76,500 current and former students, 200,000 Bright Futures scholars, and 3,200 employees.

The breach occurred between May 21 and September 24, 2012, and included the unauthorized access of one of the school's computer servers.The sensitive personal data exposed/stolen includes full names, addresses, birth dates, and Social Security numbers. The Bright Futures persons affected include students during the 2005-06 and 2006-07 academic years. The data exposed/stolen about Bright Futures students includes full names, birth dates, Social Security numbers, ethnicity and gender. NWFSC announced that no student academic files were compromised.

The data exposed/stolen about employees included full names, Social Security numbers, birth dates, banking direct-deposit account numbers, addresses, phone numbers, and college email addresses. A breach investigation is ongoing, where NWFSC has hired an unnamed technology consultant, and is working with local law enforcement. According to a press release:

"The college is coordinating its efforts with the Division of Florida Colleges in the Department of Education to formally notify all students impacted by the data breach."

Northwest Florida State College has contracted with an external consultant, to ensure the college’s data remains safe and secure. Further, the Okaloosa County Sheriff’s Office cybercrimes unit continues to investigate the matter with assistance from the Florida Department of Law Enforcement.

NWFSC advises affected persons:

"... individuals who notice improper use of their Social Security number and believe they may be the victim of identity theft should contact the Federal Trade Commission at www.ftc.gov/idtheft or at 1-877-ID-THEFT (438-4338). Affected persons may also call the local sheriff’s office and file a police report of identity theft, keeping a copy of the police report."

In an Oct. 8, 2012 memo to employees (Adobe PDF), NWFSC said:

"... one or more hackers accessed one folder on our main server. This folder had multiple files on it. No one file had a complete set of personal information regarding individuals. However, by working between files, the hacker(s) have been able to piece together enough information to be able to engage in the theft of identity of at least 50 employees..."

The memo to employees outlined three specific identity theft and fraud actions by the thieves:

"The first is to use PayDayMax, Inc. as a conduit for taking out a personal loan which is repaid by debiting your bank account. The second is the same process using Discount Advance Loans. The third is to apply for a Home Depot Credit Card in an employee’s name and then use that card..."

Given this active identity fraud, both students and employees should take the threat seriously, and take immediate actions to check their credit reports at the three major credit-reporting agencies; and place a Fraud Alert or Security Freeze if appropriate. Plus, NWFSC should offer breach victims free credit monitoring and resolution services for at least two years.

New Data Breach Law In Connecticut Begins October 1

A new data breach law goes into effect in Connecticut on October 1. The Connecticut Attorney General office announced:

"Connecticut law generally requires anyone who conducts business in Connecticut and who – in the ordinary course of business – owns, licenses or maintains computerized data that includes personal information to disclose a security breach without unreasonable delay to state residents whose personal information is believed to have been compromised. Failure to provide such notice could be considered a violation of the Connecticut Unfair Trade Practices Act (CUTPA)."

The new law includes an email address for companies to report breaches directly to the Connecticut AG office. Previously, companies were required to notify only consumers affected by data breaches. Now, companies must notify both breach victims and the state.

Hacker Group Announces Theft Of 12 Million Apple Mobile Device Identification Numbers

A hacker group has announced the theft of 1 million Apple iPhone UDIDs, or Unique Device Identifcation numbers. The hacker group claimed that the data breach was to highlight the unannounced tracking of US citizens by the Federal Bureau of Investigation (FBI) agency. The Next Web reported:

"During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of ”NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zip codes, cellphone numbers, addresses, etc. the personal details fields referring to people..."

The AntiSec hacker group stole 12 million UDIDs, and has publicly released 1 million of them.

What is a UDID? If you read this blog, then you already know what UDIDs are. Every smart phone, tablet, and mobile device has one: a 40-digit number that uniquely identifies each device. If you switched devices recently, chances are your telecommunications provider (e.g., Sprint, AT&T, Verizon, etc.) probably required that you provide them with the UDID for your new device.

The UDID is a bonanza for companies, marketers, government agencies, and any entity interested in tracking consumers. When matched with your 10-digit phone number and iTunes account, the UDID is a powerful identification (and tracking) tool that allows the compilation of all data, usage, and information on a mobile device to a person: phone calls, email messages, photos, video, text messages, GPS position, phone book, web browser history, apps downloaded, music, movies, and more. That compilation is more extensive since many consumers now use multiple email addresses (e.g., work and personal) on a single mobile device. Parents, who gave their children mobile devices, also need to be aware of the tracking threat. Links between your device's UDID and your Apple iCloud account would enable even more extensive tracking at the document level.

The Huffington Post advises consumers who want to check if their UDID was stolen:

"First, use the website whatsmyudid.com to figure out how to access your UDID, which can easily be found by plugging Apple devices into iTunes. Next, copy and paste the ID into The Next Web's data checker, or use tech consultant Sean MacGuire's website to quickly scan through the hacked IDs."

This blog has reported privacy abuses where app developers and marketers allegedly collected consumers' UDID without notice and without consent, including this class-action suit against Apple and this class-action suit against Ringleader Digital and several other companies. The sad reality is that consumers' UDIDs could already be in a lot more entities' databases, since too many mobile device apps fail to provide privacy policies, and collect data without notice and without consent.

[Update 3:30 pm: one blogger analyzed the data released by the hackers, and concluded it isn't so bad since not much other personal data was stolen. I don't place much weight on this view, as there is no guarantee the hackers released everything stolen.]

[Update 10:00 am: the FBI denies that it has the data the hacker group claimed it has.]

Data Breach At University Of South Carolina Affects 34,000 People

The University of South Carolina experienced a data breach on an Internet-connected computer in its College of Education. The university is notifying 34,000 people, whose sensitive personal information has been exposed. The breach was discovered on June 6.

The University's breach announcement did not list the specific types of sensitive personal information exposed/stolen:

"Files on the server contained confidential, personally identifiable information of approximately 34,000 individuals."

McClatchy news service reported that the sensitive personal information exposed/stolen included the names, addresses and Social Security numbers of staff, researchers, and student at the College of Education since 2005.

The university advised breach victims to check their credit reports at the three major credit reporting agencies (e.g., Experian, Equifax, and TransUnion), and to place a fraud alert on their credit reports. The university did not name the credit monitoring/resolution service it has retained to assist breach victims, nor if it will provide that service freely to breach victims.

Organizations usualyy provide a couple years of free credit monitoring services after data breaches like this. This is the sixth breach at the University of South Carolina. Prior breaches:

• March 2011: 31,000 records exposed/stolen on 8 campuses affecting faculty, staff, retirees, and students
• June 2008: 7,000 records exposed/stolen during an office theft at the Moore School of Business
• September 2007: 1,482 students' files, including Social Security numbers, test scores, and grades, were exposed on an Internet-connect computer
• August 2006: 6,000 current and former students' sensitive information was exposed/stolen
• April 2006: 1,400 students' sensitive information, including Social Security numbers, was attached to and distributed in an email message by a faculty member

Given this poor history, the university's chief security officer and IT staff need to step up faculty/staff training and data security procedures at the school.

Data Breach At EPA Affects About 8,000

The Environmental Protection Agency (EPA) announced last week a March 2012 data breach which affected about 8,000 persons. In a statement to the Washington Business Journal, tha EPA said that it had notified about 5,100 current employees and about 2,000 "other individuals." The EPA did not state whether contractors were involved.

The information lost or stolen included Social Security numbers, bank account routing numbers and home addresses. The EPA has offered one year of free credit-monitoring services to breach victims.

Several news sources reported that a computer virus, possibly delivered via an e-mail attachment caused the breach. The affected computers were reportedly hazardous-waste program servers frequently used by contractors.

It is unclear exactly why the agency took two four months to notify breach victims. The agency stated that it had performed a risk analysis about the breach, and like most other breach notices concluded that the exposed data had not yet been used fraudulently. In 2008, the EPA published its breach notification guidelines (Adobe PDF), which stated:

"... all notification for Category I PII incident should take place within (48) business hours of the completion of the risk evaluation and score determination. The time between discovery and reporting is one (1) hour. The time between reporting and risk evaluation should not exceed (48) hours... Each Category within its provided constraints should also consider legitimate time requirements of law enforcement and national security entities... the delay should not exacerbate risk or harm to the individual, Agency or related investigations..."

When it is your bank account information lost or stolen, early notification seems best so consumers can check for any fraudulent charges.

In testimony before the U.S. Senate this year, the Government Accountability Office (GAO) reported some troubling statistics about data security at federal agencies. There were 15,500 breaches during 2011, up 19.2% from 13,000 breaches during 2010.

Data Breach At The Consumerist Website

A data breach at The Consumerist website has exposed the passwords of users who have submitted comments at the website. As a result of the breach, the website was taken down twice last week and the commenting feature was temporarily disabled. In an announcement, the website stated:

"Because of the nature of the investigation, we cannot – at this time – share further details of the specific changes. But we do want you to know of two actions we will be taking in the next few days that may affect your experience on the site:"

So, the breach investigation is ongoing. The website plans to reset all users' passwords. The website advises users to:

• Change your passwords at any other websites where you use the same password to sign in
• Run a scan of your computer to check (and remove) any computer viruses installed

At its July 16 breach announcement, the website had hoped to restore the commenting feature in a couple days. At press time, a check of the website found that this feature was still disabled.

Data Breach At Beth Israel Deaconess Medical Center Affects 3,900 Patients

About 3,900 patients of Beth Israel Deaconess Medical Center (BIDMC) are being notified of a data breach exposing their sensitive personal information. According to the Boston Globe newspaper, the patient records were stored on a physician's laptop which was stolen from an office on May 22. The hospital has already notified local law enforcement and began a breach investigation to determine the data exposed/stolen.

This is a second major breach at the hospital. In July 2011, a breach exposed the protected health information (PHI) of about 2,021 patients after a vendor failed to restore security controls on an Internet-connected computer during routine maintenance. That 2011 breach exposed patients' names, BIDMC medical record numbers, gender, date of birth and the date and name of radiology procedures. According to the 2011 breach announcement, the breached computer, infected with a computer virus, had transmitted stolen data to an unknown location.

A check of the hospital's website did not find an announcement yet about its 2012 breach. Hopefully, the data was encrypted on the laptop. Earlier this month, BIDMC was again rated by U.S. News & World Report as a leading hospital in the USA.

After its 2011 breach, BIDMC provided affected patients with one year of free identity protection services, and a list of state and federal resources.

[Update, Tuesday May 23, 1:30 pm: BIDMC released a press release later on Monday, explaining that it was in hte process of contacting affected patients. Local law enforcement had arrested a suspect, but the stolen laptop had not been recovered.]

Vermont Updates Its Breach Notification Law

On May 8, 2012, the State of Vermont amended its Security Breach Notice Act. was amended. The changes included:

• The breach can be either a known unauthorized acquisition, or a "reasonable belief of an unauthorized acquisition..."
• Breach notice must be provided to Vermont residents within 45 days after discovery of the breach
• Breach notice must be given to the Vermont Attorney General with 14 business days of the date the breach was discovered, or the date affected Vermont residents were notified
• Breach notice must include the date discovered, a description of the breach, the number of Vermont residents affected, and a copy of the notice sent to affected Vermont resident
• Textual changes to make the law's description of sensitive personal information consistent with the industry-standard, PII (Personally Identifiable Information)

Breach notice to affected Vermont residents must describe the incident, the date of the breach, the types of personal data lost/stolen, and methods to protect sensitive personal data from further breaches

Download the amended Vermont Security Breach Notice Act (Adobe PDF).

Mintz Levin: Breach Notification Laws In The United States

The law firm of Mintz Levin has produced a report listing data breach notification laws in the United States as of June 1, 2012. The report includes details by state, and includes the District of Columbia, Puerto Rico, and the U.S. Virgin Islands. Typically, breach notification laws include a:

• Description of the personal information that must be protected
• List of the businesses, organizations, and state/local agencies that must comply with the state's breach notification law
• Process for the timing, content, and distibution of a breach notification
• Any exceptions to the law (e.g., encrypted files)
• Other provisions and applicable state laws
• Penalties for violations
• Whether breach victims (e.g., state residents) can sue, and if so against whom

Four states do not have any breach notification laws:

• Alabama
• Kentucky
• New Mexico
• South Dakota

If you live in one of these states, contact your elected officials and demand that your state pass a breach notification law. When companies or government agencies have consumers' sensitive personal information lost or stolen, you need to know to protect yourself.

The report is also available here (Adobe PDF, 469 k bytes).

Data Breach At University of Nebraska

There is a storm brewing at the University of Nebraska. After a member of the school's information technology department discovered the data breach on May 23, the university distributed a notice on May 25 that the Nebraska Student Information Service, NeSIS, which contains sensitive information about students, alumni, and applicants had been accessed by unauthorized users.

Individuals are concerned because the types of data exposed or stolen includes school records, addresses, bank account information, and Social Security numbers. The breached database contains records for more than 650,000 individuals. The breach affects students, alumni, and applicants of the university’s four campuses, the Nebraska College of Technical Agriculture, plus university employees and parents of students who applied for financial aid.

In a letter to breach victims, Joshua Mauk, the university's Information Security Officer stated:

"On May 23, 2012, University personnel detected a security breach in the system indicating that an unauthorized individual had gained high-level access to the restricted database. This was a sophisticated and skilled attack on our system. Information in the system includes Social Security numbers, any bank account information associated with the NeSIS account, and personal and academic data. Our records indicate that you have a bank account that is associated with your NeSIS account, so we are writing to notify you of this breach and to advise you to monitor your bank accounts over the next several weeks and report any suspicious activity to your financial institution."

The letter also advises individuals to monitor their financial accounts and to consider placing a fraud alert or security freeze on their credit reports at the major credit reporting firms: Equifax, Experian, and TransUnion. The final number of records exposed/stolen has not been determined yet.

A breach investigation is underway by Nebraska University with local and federal law enforcement. The university has set up the http://nebraska.edu/security website to distribute updates about the breach and breach investigation.

Data security has been an issue in higher education since at least 2005: George Mason University (32,000 records). Recent, notable data breaches:

• May 3, 2012: University of Pittsburgh: undisclosed
• April 30, 2012: Volunteer State Community College (Tennessee): 14,000 records
• April 18, 2012: Emory Healthcare, Emory University Hospital: 315,000 records
• April 14, 2012: Texas A&M University: 4,000 records
• April 10, 2012: Case Western Reserve University: 600 records
• March 31, 2012; San Francisco State University: undisclosed
• March 16, 2012: University of Tampa: 30,000 records
• March 14, 2012: Humboldt State University: 5,700 records
• March 13, 2012: Brigham Young University: 1,300 records
• February 16, 2012: Central Connecticut State University: 18,763 records
• February 15, 2012: University of North Carolina at Charlotte: 350,000 records
• January 27, 2012: Indiana University (President's Challenge): 650,000 records
• January 20, 2012: Arizona State University: 300,000 records

Breach history source: Privacy Rights Clearinghouse

Data Breach At Experian Credit Reporting Service

Experian has notified the New Hampshire Department of Justice of data breach where unauthorized third parties may have obtained consumers credit reports. The company discovered the breach in February 2012 and began notifying affected consumers on May 17, 2012.

The breach notice did not disclose the number of consumers affected. The unauthorized access occurred between November 2010 and March 2012. An investigation into the breach was conducted including the analysis of computer logs. In its breach notice, Experian stated:

"... we do not believe that any third party obtained access to any specific data elements that are covered by the New Hampshire security breach law because those data elements (e.g., financial account numbers) were redacted or truncated on any credit report disclosure..."

New Hampshire is one of about 46 states that require entities (e.g., companies and state agencies) to notify both the state and affected residents in each state whose personal information archived by that entity was lost, stolen, or accessed by unauthorized persons.

In its breach notice to consumers, Experian stated:

"While any consumer report will contain public information like name and address, Experian masks or displays only partial social security numbers, birth dates, and account numbers, so they are not identifiable and cannot be abused."

This is troublesome because, a) the breach went undiscovered for a long time, 16 months; b) partial social security and bank account numbers, partially masked, and c) the extremely sensitive personal and financial information contained in consumer credit reports.

Experian placed fraud alerts on the files of breach victims, and, of course, is offering breach victims two years of fee credit monitoring services through its ProtectMyID service.

Experian is one of the three larges credit reporting agencies. The other two are Equifax and TransUnion. Experian also operates the Triple Alert and FreeCreditReport.com websites. In 2010, the U.S. Federal Trade Commission changed the disclosre rules for web sites offering free credit reports. Consumers should know that the official webiste for truly free credit reports.