Data Breaches and Compliance Issues in the News

Headlines


5/9/08: Hundreds of Laptops Missing at State Department, A

Hundreds of employee laptops are unaccounted for at the U.S. Department of State, which conducts delicate, often secret, diplomatic relations with foreign countries, an internal audit has found. As many as 400 of the unaccounted-for laptops belong to the department’s Anti-Terrorism Assistance Program, according to officials familiar with the findings. The program provides counterterrorism training and equipment, including laptops, to foreign police, intelligence and security forces. Ironically, the Anti-Terrorism Assistance Program is administered by the State Department’s Bureau of Diplomatic Security (DS), which is responsible for the security of the department’s computer networks and sensitive equipment, including laptops, among other duties. It also protects foreign diplomats during visits here. DS officials have been urgently dispatching vans around the bureau’s Washington-area offices to collect and register employee laptops, said department sources who could not speak on the record for fear of being fired. The inventory sometimes strips DS investigators of their laptops for “days, or weeks,” they said. The State Department’s Inspector General launched an audit of the equipment about three months ago. Only the first stage, or inventory of equipment, has been completed. A State Department official referred all questions regarding laptop losses to the Inspector General. A senior IG official, asking not to be identified, said he could “not comment on ongoing work.” Nita M. Lowey, D-N.Y., who heads a House Appropriations subcommittee that oversees State Department operations, said she was concerned about the security revelations. “The importance of safeguarding official laptops and office equipment containing sensitive information is not a new concern,” she said through a spokesman. “I intend to review the facts about this situation.” “Unaccounted for” does not necessarily mean the laptops have been lost. 
But they are “missing” until they have been found or otherwise accounted for. Auditors found that the department had lost track of $30 million worth of equipment, according to one official, “the vast majority of which . . . perhaps as much as 99 per cent,” was laptops. Calculating that the average State Department laptop costs $3,000, another official said, hundreds, perhaps as many as a thousand, were missing. It could not be learned how many employees have been issued laptops. On Feb. 6, the department’s Senior Assessment Team gathered at the State Department headquarters in Foggy Bottom to discuss the security of “personal identification information.” The department’s official in charge of computer equipment, John Streufert, warned the more than two dozen officials present that the department did not have good records of its inventory. A “significant deficiency” relating to laptops existed, Streufert said, according to a source who attended the meeting. Mark Duda, a representative of the Inspector General’s office at the meeting, warned the managers that they needed to get on top of the equipment issue before it “blows up.” He said a scandal loomed akin to the one that engulfed the Veterans Administration in 2006, when news broke that a VA official had taken home a laptop with the personal records of 26 million veterans, where it was stolen. The official who chaired the meeting, Christopher Flaggs, the department’s deputy chief financial officer, also warned that revelation of the laptop losses could develop into a “material weakness,” an accounting term-of-art that essentially means inventories are out of control. “It’s the worst flaw you can have in management control,” one close observer of the State Department’s problems said. It would have to alert the White House Office of Management and Budget (OMB) and Congress. There could be hearings, headlines, camera crews on the doorstep of State Department officials. 
That’s what happened in 1999, when a laptop containing the names of foreign agents working for the U.S. government was stolen from the State Department. The security of laptops has vexed federal officials, as well as private industry, for years. The CIA, FBI and other national security agencies have all lost significant numbers of laptops containing sensitive information. More than a year ago, the administration’s Identity Theft Task Force warned of security vulnerabilities within the government’s Internet technology systems. In May 2007, OMB had ordered all federal departments and agencies to “develop and implement a breach notification policy within 120 days.” Hints of the State Department’s laptop losses first surfaced March 31 in an anonymous post at an obscure Web site frequented by employees of the Bureau of Diplomatic Security, called Dead Men Working. “We’re not talking about a missing laptop or two,” said a poster who identified himself as “Steve.” “A Department-wide audit found hundreds of laptops unaccounted for and identified DS, now rushing to close the barn door before the scandal really breaks, as having the laxest control of any bureau in the agency,” Steve wrote. John Naland, a retired diplomat who is president of the American Foreign Service Association, said the alleged losses were worrisome, and perplexing. “If the missing ones might have contained classified data, this could be serious,” Naland said. “At my last overseas post, we did not have any laptops,” Naland continued. “But we sure did an annual serial number physical inventory of computers. Sometimes our initial count came up with discrepancies, but then we remembered that we returned one to Washington or whatever and that cleared up the paperwork discrepancy.”


5/7/08: Crime Server Held Personal Data

Customer data of more than 40 major international financial institutions has been compromised in what one official describes as "the tip of the cybercrime iceberg," says a Bank Info Security report. A computer server holding 1.4 gigabytes of business and personal data stolen from Trojan-infected computers was discovered last month in Malaysia. Compromised data found on the crime server includes user names, passwords, account numbers, Social Security numbers, credit card numbers, patient data and e-mail communications. Finjan, the information security vendor that discovered the server, said that two other servers holding similar data have been turned over to law enforcement officials.


4/29/08: Lending Tree Files Suit

Following a privacy breach that exposed the personal information of an undisclosed number of individuals, online mortgage broker LendingTree has filed suit against five home loan lenders and two former company executives, says a Washington Post report. LendingTree charges that the lenders gained access to LendingTree customer information inappropriately by garnering passwords from former LendingTree employees. Ari Schwartz, deputy director of the Center for Democracy and Technology, says the LendingTree business model raises questions about privacy. "You fill out a form for free. They have companies that pay to see your information," Schwartz says. "When you make personal information that much of a commodity...there's a higher risk of mistakes on privacy and security."


4/28/08: Lost Tape Holds Personal Data

A lost tape containing the names, addresses and social insurance numbers of Chrysler auto customers has the Office of the Privacy Commissioner of Canada monitoring the company's lending arm, Chrysler Financial, says a report in the Toronto Star. "We are communicating with [the organization] to determine what took place and what is being done to remedy the situation," said spokesperson Anne-Marie Hayden. An investigation has not been started. The tape disappeared in early March while en route from Farmington Hills, Michigan to Quebec, via UPS.


4/24/08: LendingTree Discloses Insider Breach

Online mortgage lead generation service LendingTree disclosed this week that a number of former employees used their old passwords to give mortgage brokers unauthorized access to subscribers' personal records, according to NetworkWorld. LendingTree said that when it learned of the breaches, which took place between October 2006 and early 2008, it contacted law enforcement authorities, made changes to its security procedures and filed lawsuits against those involved. It is not known at this time how many subscribers to the service were affected, but the information involved likely included names, addresses, telephone numbers, Social Security numbers and employment and income data.


4/22/08: Four Unencrypted Laptops Stolen

So far no fraud has been detected in relation to a Bank of Ireland data breach that left exposed the account numbers, medical backgrounds, life assurance details, and names and addresses of more than 10,000 customers. In an RTE News report, Ireland's Data Protection Commissioner Billy Hawkes said he learned of the incident on Friday, but the four unencrypted laptop computers that caused the breach were stolen last year. The computers belonged to staff working for the bank's life assurance division. Hawkes said he is investigating the incident as "a matter of urgency".


4/21/08: Consumers Leave As A Result Of Breach Notice

George Hulme reports in his recent Security Weblog entry for InformationWeek that, according to a new Ponemon Institute survey, nearly a third of consumers who receive a breach notification letter will terminate their relationship with the offending vendor, while another 57 percent said the letter caused them to lose confidence in the company. Fifty five percent of those surveyed had received two or more breach notice letters in the previous 24 months according to the study, which was sponsored by ID Experts, and only two percent reported that the disclosure of their personal information had resulted in being victimized by ID theft.


4/20/08: Medical Records Of 2.1 Million Stolen

The personally-identifiable information of 2.1 million University of Miami patients was stolen on March 17, says a Miami Herald report, when thieves made off with a case of computer backup tapes from the van of an off-site storage company. In a press release, the university said "Anyone who has been a patient of a University of Miami physician or visited a UM facility since Jan. 1, 1999, is likely included on the tapes." Patients' names, addresses, Social Security numbers, and health information were stored on the tapes, as well as the credit card or other financial information for some. Two computer security expert firms engaged by the university were unable to extract the data, presumably due to the "complex and proprietary" format in which they were written, said a UM statement.


4/17/08: Secure Removal of Protected Health Information

The new requirements for HIPAA compliance may mean that existing computer systems will require upgrading. But per the standard, before the PC is recycled, donated, or re-sold, all PHI data must be removed. Other options for passing on that old computer include taking it to a PC recycler or toxic waste disposal center. Besides, filling up landfills is not environmentally friendly, especially considering the foul substances that can leach out of old computers. With increasing pressure to reduce costs and the availability of new methods to resell computers, businesses are looking for ways to either internally recycle their aging computer inventory or sell them into a growing used computer market. It is not unusual to find companies reselling their excess equipment on Internet sites such as eBay. However, in all cases there is a requirement to remove all of the PHI data stored on the computer before its disposal.

Data Storage Basics

To understand the challenges of data removal, you must first understand the basics of data storage. There are fundamentally two ways of retaining data in the PC: RAM memory and disk, principally the hard drive. Before a hard drive can be used it has to be conditioned to accept information. This occurs in two steps. Running FDISK establishes the areas (partitions) on the drive and how they are going to be used. Formatting sets up an environment on the disk so that the operating system can store and access files from the drive. The misconception is that these steps can also be used to remove any existing information.

Myths about Data Removal

Myth #1 – I can just empty my recycle bin

As many users will already know, when a file is deleted with a delete command, it is not really removed; it just goes to the Recycle Bin. Once the recycle bin is emptied, it is gone, right? Unfortunately, no, it isn’t. The operating system merely makes the disk space available for future use, and new data will eventually overwrite the old information. Until it is overwritten, the previous data can easily be recovered. When the drive is reformatted, the utility merely rewrites the information that is used to locate the files on the drive. Essentially, it tells the operating system that there are no files and that all of the space on the disk is free. Until the operating system comes along and writes new data over the old, the original data still exists.

Myth #2 – I can just run FDISK on the drive again

In the case of an FDISK operation, all of the information that the operating system needs to locate the data is removed. But as in the reformatting case, the original data is still there in its rawest form. Tools are readily available which will extract large portions of data even though the disk is presumed clean.

The Bottom Line

None of the standard tools described above will remove the bulk of the data contained on the hard drive. The only way to ensure that the information on the hard drive is removed is to either physically destroy the drive itself, or write over all of the existing data so that it cannot be recovered.

US Department of Defense (DOD) 5220.22-M Standard

There has been a standard in place for some time that addresses the problem of permanent removal of data from a hard drive. The standard was developed by the Defense Security Service (DSS) and is used by many federal and commercial organizations. Under the National Industrial Security Program (NISP), DSS Industrial Security Representatives oversee cleared contractor facilities and assist the organizations' management staff and Facility Security Officers in formulating their security programs. As part of the NISP initiative, DSS has developed the DOD standard 5220.22-M, the National Industrial Security Program Operating Manual. Among other items, the standard outlines the method to be used for removing data from unclassified hard drives: sanitizing.

NISP defines an overwriting technique that will remove any existing data yet leave the hard drive in a state where it can be reused. The process involves the following two steps:

1. Before any sanitization product is acquired, a careful analysis of the overall costs associated with overwrite/sanitization should be made. Depending on the contractor’s environment, the size of the drive and the differences in the individual products’ time to perform the sanitization, destruction of the media might be the preferred (i.e., economical) sanitization method.

2. Overwrite all addressable locations with a character, then its complement. Verify that the “complement” character was written successfully to all addressable locations, then overwrite all addressable locations with random characters; or verify the third overwrite of random characters. The overwrite utility must write/read to “growth” defect list/sectors, or the disk must be mapped before initial classified use and remapped before sanitization. Differences in the comparison lists must be discussed with the DSS Industrial Security Representative (IS Rep) and/or Information System Security Professional (ISSP) before declassification.

Note: Overwrite utilities must be authorized by DSS before use. View the full matrix of recommended disposal methodologies for a wide variety of computer components.

Other Considerations when Choosing a Disk Sanitizing Product

In addition to meeting the process defined by the DOD 5220.22-M standard, there are some other important criteria that should be taken into consideration before selecting a product.

BIOS independence. Part of the PC hardware is the BIOS (basic input/output system) program. An older BIOS can return an incorrect disk size when it is not compatible with a newer, larger hard drive. This is not noticed during normal operation, because the operating system automatically corrects the flaw. However, if the sanitizing product is not independent of the BIOS, it will only remove the data from the part of the hard drive reported by the BIOS. This leaves data behind on the disk, which could be PHI data.

Hard drive standard compatibility. There are two predominant standards for hard drive technology used by personal computers today: IDE and SCSI. The sanitizing utility should be able to sanitize either drive type.

Size compatibility. As hard drive sizes continue to increase, it is important to verify that the sanitizing product is able to address the larger drives. Hard drive sizes have already exceeded the 100 gigabyte limit. Many products are not yet capable of handling this size of drive.

Reporting. An important part of the HIPAA regulation is accounting. There needs to be a record that all of the software that was on the drive has been removed. This will allow the software to be legally re-used on another computer. By having a record that all company information has been removed, the drive can then be safely resold outside of the company.

Summary

As computer systems become faster and cheaper, the desire to replace them in the workplace will result in the need to dispose of the obsolete equipment. Although this equipment may not meet the needs of the business, there is a thriving market, especially for personal use, for reselling it. However, it is important that no PHI or software is lost in this transaction. If this occurs, the impact can range from inconvenience and public embarrassment to fiscal damage or violations of HIPAA requirements. The DOD standard 5220.22-M provides a good, proven framework for designing a digital data disposal process. This can be augmented by some other considerations that are not currently included in the standard to help select the right sanitizing product. This will result in meeting the goal of retiring obsolete equipment and recovering any residual value while not compromising digital data security.
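The overwrite procedure described above (a character, then its complement with verification, then random characters with verification), sized from the media itself rather than from a reported value and producing a record for the reporting requirement, as an added Python example that is not part of the original article. It works on a constructed temporary file standing in for the raw drive; the KeyedStream helper is an assumed design choice for re-checking the random pass without keeping a drive-sized copy.

```python
import hashlib
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # bytes written or read per I/O operation


class KeyedStream:
    """Deterministic random-looking bytes derived from a secret key (assumed
    design choice, not part of the standard): the random pass is written from
    one instance and verified by re-deriving the same stream from a second."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def next_block(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            out += hashlib.sha256(self.key + self.counter.to_bytes(8, "big")).digest()
            self.counter += 1
        return bytes(out[:n])


def _overwrite(fh, size, make_block):
    """Write make_block(n) over every addressable byte from 0 up to size."""
    fh.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        fh.write(make_block(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())  # the bytes must reach the media, not just a cache


def _verify(fh, size, make_block) -> bool:
    """Re-read every addressable byte and compare it with what should be there."""
    fh.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        if fh.read(n) != make_block(n):
            return False
        remaining -= n
    return True


def sanitize(path: str, char: int = 0x55) -> dict:
    """Three passes in the order the standard describes: character, complement
    (verified), random (verified). Returns a record of each pass for reporting."""
    complement = (~char) & 0xFF
    passes = []
    with open(path, "r+b") as fh:
        # Take the size from the media itself (seek to its end), not from a
        # value reported elsewhere, so nothing past a mis-reported boundary is missed.
        size = fh.seek(0, os.SEEK_END)

        _overwrite(fh, size, lambda n: bytes([char]) * n)
        passes.append({"pass": "character", "value": char, "verified": None})

        _overwrite(fh, size, lambda n: bytes([complement]) * n)
        ok = _verify(fh, size, lambda n: bytes([complement]) * n)
        passes.append({"pass": "complement", "value": complement, "verified": ok})

        key = secrets.token_bytes(32)
        _overwrite(fh, size, KeyedStream(key).next_block)
        ok = _verify(fh, size, KeyedStream(key).next_block)
        passes.append({"pass": "random", "value": None, "verified": ok})

    return {
        "path": path,
        "bytes": size,
        "passes": passes,
        "sanitized": all(p["verified"] for p in passes if p["verified"] is not None),
    }


def contains(path: str, needle: bytes) -> bool:
    """Raw search of the image, the way a recovery tool ignores the file system."""
    with open(path, "rb") as fh:
        return needle in fh.read()


def demo() -> dict:
    """Build a constructed 'disk image' holding a fake PHI record, sanitize it,
    and report whether the record is still recoverable by a raw search."""
    needle = b"PHI: Jane Doe, DOB 1970-01-01, SSN 000-00-0000"  # constructed sample
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        # odd total size on purpose: the tail must be covered like everything else
        fh.write(os.urandom(CHUNK) + needle + os.urandom(CHUNK + 123))
    before = contains(path, needle)
    report = sanitize(path)
    after = contains(path, needle)
    os.remove(path)
    return {"recoverable_before": before, "recoverable_after": after, "report": report}
```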


4/15/08: N&O sues Easley over records law

The News & Observer and nine other North Carolina news organizations sued Gov. Mike Easley on Monday over his administration's deletion of e-mail, which they say violates the state's Public Records Law. The news media coalition accuses Easley's administration of "the systematic deletion, destruction or concealment of e-mail messages sent from or received by the Governor's Office" in violation of the law, according to the lawsuit, which was filed in Wake County Superior Court. The practice was meant to stop North Carolinians from seeing information and records to which they are entitled, the suit alleges. The lawsuit also accuses the state Department of Cultural Resources, which oversees government records, of establishing an illegal policy permitting government workers to delete e-mail messages that they decide are of "short-term value" or "when they no longer have reference value to the sender or receiver." The Public Records Law, which trumps administrative policies, does not allow the destruction of public records for those purposes, the plaintiffs say. The lawsuit accuses Easley and his administration of failing in their legal duty to install adequate electronic storage systems to preserve public-record e-mails. And the lawsuit accuses Easley himself of violating the law last month by discarding a hand-written note from Carmen Hooker Odom, former state secretary of health and human services, concerning her views on the failure of state mental-health reforms her department implemented. In a meeting last week with several newspaper editors, Easley said Hooker Odom's letter was "a personal note" to him that "didn't have any news in it." "If it needed to be saved, I would have saved it -- if it had any kind of value to it at all," he said. Under the Public Records Law, that's not Easley's call, the news organizations argue. Hooker Odom's note concerned public business and therefore was a public record, so destroying it was illegal, they say. 
They say that based on Easley's other public statements, the governor probably has discarded additional public records. The news organizations seek a judge's ruling that Easley and his administration's policies violated the law and will follow it in the future. The media groups also seek reimbursement of their legal expenses in pursuing the lawsuit, as the law allows. "They are taking this step reluctantly after not getting any indication from Governor Easley that he is willing to admit that the law has been violated, or to fix the violations," said the lead attorney in the lawsuit, Hugh Stevens of Raleigh. Asked for comment Monday, Easley spokesman Seth Effron said, "We have not seen the lawsuit." Easley's term ends in January, likely before the case will end. But Stevens said he'll ask the courts to expedite it. And the result should give the next governor useful legal guidance, he said. "The issue of the scope of the governor's authority is never moot," Stevens said. The controversy arose last month as a result of an N&O series reporting on the failure of mental health reforms that the state enacted in 2001, during Easley's first year as governor. Days after the series ran, the Department of Health and Human Services, which implemented the reforms, fired its top spokeswoman, Debbie Crane. Franklin Freeman, Easley's senior assistant for governmental affairs, said he ordered Crane fired in part for dissuading Hooker Odom from giving the N&O an interview on the subject. The day Crane was fired, she told the N&O that Easley's press officials had told subordinates to destroy e-mail messages to the Governor's Office daily as a way to evade the Public Records Law. At first the Governor's Office denied the charge, but the administration later produced notes from two other agency spokespeople that support Crane's assertion. 
Their records from a meeting with other public information officers last May, led by Easley press secretary Renee Hoffman, included notes to delete e-mail messages to and from the governor's office every day. In last week's meeting with newspaper editors, Easley said Hoffman's deletion instruction "never should have happened." But the governor said that everyone involved followed the administration's policy to save important e-mail anyway. Easley defended the policy that allows employees to discard official e-mails and written documents if they decide the communication holds no lasting "administrative value." "Everything doesn't get saved," he said. "We've got two rules: One, if it's of administrative value, save it. Two, if it's of no value, you have the option to delete it or save it, whatever you want to do. But you're not required by law to." The Public Records Law, however, says that, with some exceptions, all government e-mail concerning public business is a public record, and must be retained and provided upon request. Easley said last week that he hopes a commission he appointed to study e-mail retention will develop a clearer policy. "People who work for the state are very honest, and they try to do the right thing," he said. "But they need to know what that is, and the guidelines are going to have to be much more specific."


4/14/08: Parents Weigh Day-Care Options Online

A new mother, Poli Marinova set out to find the best possible day-care provider for her infant son. She had little trouble finding a list of nearby caregivers, but she discovered there was no easy way to check their track records in Maryland. Then a friend sent her a link to an online system in Virginia, where she could view inspections and complaints. "You could look back over a number of years and see if there was anything major," said Marinova, 30, who settled on a day-care center near her Alexandria office. "That was very important to me." At a time when many parents worry about safety in child care, a growing number of states have launched online record systems that bring a new layer of accountability into day-care decision making. Locally, Virginia's online system will be matched soon by similar initiatives in the District and Maryland. Experts laud the improved access to public records for both day-care centers and home day-care operators, which they say is vital for parents, but many suggest that it will also take other changes to make the nation's day-care system safer. Many states need to conduct more inspections and tighten licensing standards, they say. "We totally believe parents should have access and that it should be online and readily available," said Linda K. Smith, executive director of the National Association of Child Care Resource & Referral Agencies. Still, the online system would be improved by better monitoring, Smith said. Otherwise, she said, "what parents see online is not going to be the full picture." A study by researchers at Wellesley College that focused on Broward County, Fla., found that the Internet system alone improved the quality of child care at centers serving low-income children. The study also found that inspectors produced more detailed critiques, in greater number. "I definitely think it's valuable," said sociologist Julia Wrigley of the City University of New York, who has studied child-care fatalities. 
"I think very often inspection reports are buried in state files, and few parents understand they can have access to them." At least 17 states have posted inspection reports, full or in part, online. In Virginia, where child-care inspection records went online in 2005 through the Department of Social Services, many parents say they take note of the infractions: an unlocked medicine cabinet, missing baby gates, lack of soap in a bathroom, caregivers found reading magazines or talking on cellphones. In one case, children were found restrained by snap belts and cords. In another, a child was forgotten in the back of a vehicle. After each violation is a notation about what corrective action is to be taken. "Parents need all the information they can get," said Karen Metivier-Carreiro, 44, a mother of two in Fairfax County. "You can get more information about buying a car than you can about who is caring for your children." The online system, she said, "helps make people more accountable, and it also gives parents some leverage." Parents can better advocate for improvements or changes if they have a sense of history, Metivier-Carreiro said. Tracy Frost, 34, a mother in Alexandria, used the online system when she was first shopping for day care -- and ruled out several possible caregivers after reading about their infractions. "Some of them seemed too serious or very repetitive," she recalled. When she did choose a provider, she discussed with her the kinds of problems the woman had been cited for before signing her child up. Even now, with her daughter happily situated with a new caregiver, "I go back periodically and check it," Frost said. Some parents point out that the online system is especially useful because it allows them to check on safety without making an issue of it. The day-care world is a competitive place, they say, with years-long waiting lists at some places and a premium on spots for infants. 
Julie Bindeman Belgard, 30, of Rockville said that when she was expecting her first child, she found a day-care provider she liked, and they agreed that her baby would get a spot. But Belgard also let her know she wanted to check the provider's record with the state, which took three to four weeks. When she contacted the provider again, her son's spot was gone. "My feeling was that she was a little put off by the background check," Belgard said. Among child-care providers, reaction to the online system has been mixed. Jim Kendzel, executive director of the National Child Care Association, which represents licensed centers, said the group does not oppose online records posting but urges states to also post responses from providers and a weighting factor "so the parent understands what is critical and what isn't." "We totally believe in transparency for the parent, but if they're going to put the information online, let them see the whole picture," Kendzel said. Monica Jackson, president of the Virginia Alliance of Family Child Care Associations, described the online system as "just another opportunity for us to do the best that we can" and noted that providers already post their most recent inspection reports in their day-care homes. "It's tying in very well with the states trying to push programs to support children's development," she said. Child-care experts say that many parents are surprisingly uninformed about how child-care is monitored. Twenty-one states inspect home-based day-care operations less than once a year -- or not at all, Smith said. A majority of states allow home day-care providers to go without a license, and still others allow such businesses to open before an inspector checks the premises, Smith said. Until the online system is working in Maryland -- later this year or early next -- parents must write letters to request information about complaints and violations. 
In Montgomery County, several parents said they were told to file Freedom of Information Act requests. In the District, the system is expected to be in place before Oct. 1, officials said. In the meantime, parents can inquire about inspections and complaints by telephone, letter or in person at the D.C. Health Regulation and Licensing Administration office. Jeanne Woodbridge, 38, of Gaithersburg said the new systems will be a welcome improvement. She recalled that when she searched for child care in 2004, it seemed impractical and cumbersome to write letters for records about potential providers. An online system, she said, "would give you a peace of mind about where you're placing your child and where they're going to be for seven, eight or nine hours a day."


4/13/08: EMRs Raise Medical ID Theft Concerns

Currently, medical identity theft makes up only a small portion of identity theft crimes, but as states, nations, and the marketplace move toward electronic medical records (EMRs), privacy experts worry that instances of medical identity theft will rise considerably, says a Star-Telegram report. And although most states have breach laws that mandate disclosure of financial data loss, it is unclear how medical record breaches would apply under these laws. U.S. News and World Report writer Michelle Andrews unravels the challenges and offers tips for recovering from medical identity theft.


4/12/08: Lost Laptop At Pfizer Puts Employee Data At Risk

Pharmaceutical firm Pfizer disclosed that a password-protected laptop computer stolen from a contractor in February contained personally-identifiable information for about 800 employees, according to TheDay.com. The report adds a new chapter to the company's data breach trouble; in 2007 the company experienced four data breaches that exposed personal data for more than 52,000 people. Commenting on the event, Connecticut Attorney General Richard Blumenthal said "The latest security breach again raises questions as to why any company would leave sensitive information on laptops. We will be discussing very seriously with Pfizer how to avoid incidents in the future."


4/11/08: Health Info Of 71,000 Georgia Families Exposed

The health insurance information of 71,000 Georgia families enrolled in insurance programs for the poor was left exposed on the Internet for a number of days, and may have been viewed by unauthorized parties, the Atlanta Journal Constitution reports. The families involved were enrolled in insurance programs by WellCare Health Plans Inc., a Tampa, Fla.-based firm. A spokesperson for the firm said the information was exposed for an unknown period before being removed on April 2. The state of Georgia was notified of the error on March 31.


4/8/08: Governor says his medical records were accessed

SACRAMENTO -- Gov. Arnold Schwarzenegger said this morning that the snooping into his wife's medical records by an unauthorized UCLA Medical Center employee follows a long history of such intrusions on California's first couple. "I have been a victim of this in my own hospital visits," Schwarzenegger said at a news conference to promote volunteerism, "if it was for heart surgery or hip surgery, shoulder surgery, all of those things." Every time he has left an operating room, the governor said, he has been told there were "people going through your file that had white coats on. Obviously, they snuck into the hospital. They had nothing to do with the hospital staff at all. So those things happen." The Times reported in today's paper that California first lady Maria Shriver and 1970s TV icon Farrah Fawcett were among 32 celebrities, politicians and other high-profile patients at UCLA Medical Center whose files were improperly viewed by an employee. Schwarzenegger reiterated that his administration will push hospitals to implement new safeguards to stop such snooping. "It is not just UCLA," he said. "This kind of thing has been happening all over the state, wherever there are celebrities involved. . . . Everyone's medical history ought to be protected. That is the responsibility of the hospital. So we are going to work with them and find a way."


4/7/08: Social Security numbers found despite purges

AUSTIN — After the Texas Secretary of State's Office spent more than a quarter of a million dollars to remove Social Security numbers from business and financial documents posted online, an anti-fraud businessman said it took him just a few minutes to find documents that still appeared to have such numbers. "My belief is that if there's one or three, in this case, there are more, and probably many more," said SellitSAFE.com president Steven D. Peisner, whose business is to protect companies from fraud related to identity theft and who last year raised an alarm about personal information on the Texas site. "There's no way I just found the only three that they forgot," Peisner said. Scott Haywood, spokesman for Secretary of State Phil Wilson, said the numbers discovered by Peisner were removed after the state learned of them. "We're dealing with millions of files. We knew there would be some that would probably slip through the cracks," Haywood said. "We are going to do everything we can to make sure those are minimized." Documents posted on the state's "SOSDirect" site include corporation filings, federal tax liens, trademarks and limited partnership filings, among others. Peisner found the three documents containing the numbers after being contacted by a reporter concerning the state office's efforts to secure the information. As it happens, the documents appear to be fraudulent filings, Haywood said, but there was still a big enough concern on the state's part to remove the numbers.

A duty to protect

Concern over personal information on documents posted online by the state bubbled up last summer, when Peisner found what appeared to be Troy Aikman's Social Security number on one. That number was quickly removed, but Peisner highlighted his find to illustrate the problem. "It's dangerous because it gives people ... the ability to search and find our personally identifiable information that we as consumers believe is secure and that I believe our government has a higher duty to protect," Peisner said. "I could take this information and I could apply for a credit card. I could apply for a loan." Even before Peisner's Aikman discovery last year, the secretary of state's office had started to remove Social Security numbers from posted documents, Haywood said. The project was completed last fall, he said. To help in the effort, the state contracted with Mobilis Technologies LLC of Houston, he said. Of 25 million documents on the site, the state office forwarded to the company 6.3 million that had the potential to include Social Security numbers. The secretary of state's office paid the company $272,000 — money generated by records-usage fees — for the work. Mobilis got the job without a competitive bid because the company already was working on the state's system and was knowledgeable about it, Haywood said. "It's money well spent because we're protecting Texans' private information, and we're making an aggressive effort to make sure that kind of information isn't made publicly available," Haywood said.

Being cost-effective

Jack Hanson, president of Mobilis Technologies, said the company's familiarity with the system meant it could perform the work in a more cost-effective manner. "When you are reviewing millions upon millions of documents, there are going to be numbers that slip through the cracks," he said, noting that the need for precision was weighed against what would have been a cost-prohibitive triple-verification system to improve on the 98 percent accuracy requirement. He said any numbers that are discovered to remain on the documents "can be immediately redacted as soon as they're identified." The three documents found by Peisner were among those sent to Mobilis, Haywood said.
In addition to the work by Mobilis, the secretary of state's staff in 2005 began removing Social Security numbers from public documents as they were filed with the office. They also allowed people to contact the secretary of state's office to speed up removal of the information from already-posted documents. The numbers aren't required, but some people have included them in filings anyway. As of early February, 531,704 Uniform Commercial Code documents and 248,130 corporate documents had been reviewed and possible Social Security numbers had been removed, including work done by Mobilis and state staff, Haywood said. Although Peisner questioned the thoroughness of the job, he gave the secretary of state credit for mounting the effort and said his greatest concern is for counties, which vary in their efforts to remove such information online. "The state set a great example," Peisner said. "Now the counties should follow." Harris County only has document indexes on its Web site, not actual documents, which people must come to the office to see, said Chief Deputy Kevin Mauzy in Harris County Clerk Beverly Kaufman's office. A primary reason, Mauzy said, is that "Mrs. Kaufman was concerned with putting personal information out there. We've held back on doing that."
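The story above turns on two things: numbers that "slip through the cracks" of an automated redaction pass, and an accuracy requirement (98 percent) that a verification step has to measure. The following is an added example, not code from the article or from the Texas Secretary of State's system or its contractor, that runs a dash-only redactor and a broader one over constructed sample filings with fictional numbers, shows how unformatted and space-separated SSNs escape the naive pattern while 9-digit EINs on tax liens are left alone, and measures the residual rate against a stated accuracy requirement.

```python
"""Added example (not the article's or the state's code): SSN redaction over
constructed sample filings, with a residual-rate check against an accuracy
requirement. All numbers below are fictional."""
import re

# Naive pattern: only the canonical NNN-NN-NNNN form.
NAIVE_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Broader pattern: dash, dot or space separators, or none at all. The
# lookbehind/lookahead stop it matching inside longer digit runs (phone
# numbers, account numbers) or inside a dash-formatted 9-digit EIN.
BROAD_SSN = re.compile(r"(?<![\d-])(\d{3})[-. ]?(\d{2})[-. ]?(\d{4})(?![\d-])")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules published by the SSA: area 000, 666 and 900-999 are
    never issued, and group 00 and serial 0000 are never issued. Skipping
    these trades a little recall for precision, the tradeoff the article
    describes (no number is redacted that cannot be an SSN)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def redact_naive(text: str) -> str:
    """Dash-only redaction: misses 'NNN NN NNNN' and 'NNNNNNNNN'."""
    return NAIVE_SSN.sub("XXX-XX-XXXX", text)


def redact_broad(text: str) -> str:
    """Redact every plausibly structured SSN regardless of separator."""
    def repl(m: re.Match) -> str:
        area, group, serial = m.groups()
        if not plausible_ssn(area, group, serial):
            return m.group(0)  # structurally impossible: leave as filed
        return "XXX-XX-XXXX"
    return BROAD_SSN.sub(repl, text)


# Constructed sample filings (fictional numbers), each paired with the SSN
# strings it contains exactly as they appear in the text.
SAMPLE_FILINGS = [
    ("Assumed name certificate. Owner SSN 123-45-6789. Filed 2008-02-01.",
     ["123-45-6789"]),
    ("UCC-1 financing statement. Debtor taxpayer id 123 45 6788.",
     ["123 45 6788"]),
    ("Federal tax lien. EIN 12-3456789. Responsible person SSN 123456787.",
     ["123456787"]),
    ("Certificate of formation. Contact (512) 555-0100, ref 5125550100.",
     []),
    ("Notice of lien. Placeholder SSN 000-12-3456 appears in template.",
     []),
]


def residual_rate(redact, filings=SAMPLE_FILINGS):
    """Run a redactor over labelled filings and count the labelled SSNs that
    survive. Returns (missed, total, missed/total)."""
    total = missed = 0
    for text, ssns in filings:
        out = redact(text)
        for s in ssns:
            total += 1
            if s in out:
                missed += 1
    return missed, total, (missed / total if total else 0.0)


def meets_requirement(redact, required_accuracy=0.98, filings=SAMPLE_FILINGS):
    """True when the share of labelled SSNs removed meets the requirement."""
    _, _, rate = residual_rate(redact, filings)
    return (1.0 - rate) >= required_accuracy


if __name__ == "__main__":
    for name, fn in (("naive", redact_naive), ("broad", redact_broad)):
        missed, total, rate = residual_rate(fn)
        print(f"{name}: missed {missed} of {total} SSNs "
              f"({rate:.0%} residual, meets 98%: {meets_requirement(fn)})")
```

On the constructed sample the naive pass misses two of three SSNs while the broad pass misses none and leaves the EIN, the phone number and the impossible 000-prefixed placeholder untouched; a real verification pass would draw its labelled sample from the filings themselves.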


3/26/08: NIH Laptop Theft Exposes Data

A laptop containing medical test results for 2,500 patients was stolen from the car trunk of a National Institutes of Health (NIH) employee, exposing the names, birth dates and unencrypted test results of participants in a heart imaging study. The Baltimore Sun reports it is the third federal agency in recent months dealing with the breach of sensitive information due in part to its failure to encrypt laptop computers. The theft occurred February 23. Patients were alerted to the breach last week. Rep. Bart Stupak, chairman of the House Subcommittee on Oversight and Investigations, said, "The theft of a government laptop from an NIH employee and subsequent mishandling of the situation raises serious questions about the agency's commitment to data security."


3/14/08: The imposter in the ER

Katrina Brooke felt well prepared for the birth of her son, Andrew, three Aprils ago. The only complication was her Caesarean section; otherwise, everything went smoothly. After three days in the hospital, Brooke returned to her home outside of Seattle to recover and enjoy her baby boy. Three weeks later, as Brooke stood in her kitchen opening mail, she found a curious $94 bill from a local health clinic, a place neither she nor her husband had ever heard of. Stranger still, the notice was addressed to her newborn son: Andrew had apparently visited the clinic and been prescribed the painkiller OxyContin for a work-related back injury. It seemed like a simple clerical error at first — one that might even have been funny, considering the only labor Andrew had been involved in was his own birth. But the more Brooke scrutinized the letter, the more concerned she grew. Andrew’s middle name was on the bill, and no one knew the baby’s full name but a handful of friends and family — as well as the hospital, where she had filed the paperwork for Andrew’s birth certificate, which included their family’s home address and Social Security numbers and Brooke’s maiden name. A call to the clinic confirmed that a mystery man had used their child’s newly minted identity to obtain health care only one week after Andrew was born. The Brookes had become victims of a crime they’d never heard of: medical identity theft. “People aren’t aware of this unless it happens to them,” Brooke says. “When you first get the bill, you’re confused. Then when you delve into it, you think, What other information do they have? What else is going to happen to us now? At that point, it was scary.” Luckily for the Brookes, the clinic agreed to waive its charges. But for many victims, the crime doesn’t surface until unthinkable damage has been done. The worst case: insurance maxed out to its lifetime limit, years spent untangling paper trails, and medical records permanently altered. 
Unlike a stolen credit card or savings account number, this kind of identity theft could be life-threatening. Imagine what could happen if someone else’s medical history was injected into your records: You could arrive at an ER and be given the wrong type of blood or be refused medication because your file says you are allergic. And because mistakes in medical records can be notoriously hard to expunge, you could spend years convincing doctors you weren’t actually diagnosed with the diseases, mental illness or substance-abuse problems appearing in your file. According to a recent survey by the Federal Trade Commission (FTC), 3 percent of U.S. identity-crime victims had someone use their personal information — a Social Security number, an insurance policy ID, even a mere driver’s license — to obtain medical services or to profit from filing false claims in their name. That means nearly 250,000 Americans may be victims each year. For an increasing number of career criminals, health care workers and consumers struggling to keep up with bills, the lure of medical identity theft is too great to resist, notes Chris Dorn, a fraud expert with Ingenix, a health care fraud investigation firm in Eden Prairie, Minnesota. “The overall cost of health care has risen so much that it has become a valuable commodity,” Dorn says. “Any time you have 47 million Americans without adequate health care coverage, you will have people out there willing to steal it.”

The stakes are high

It took one phone call to make Anndorie Sachs, a mother of four in Salt Lake City, aware of how serious medical identity theft has become. She says that in April 2006, a Utah social worker notified her that her newborn had tested positive for methamphetamines — as a result, the state planned to take away all of her children.
In fact Sachs, then 27, hadn’t been pregnant in more than two years; her stolen driver’s license had ended up in the hands of Dorothy Bell Moran, a meth user who gave birth using Sachs’s name. After a tense few days of phone calls with child services, Sachs was allowed to keep her kids. She then hired a lawyer to sort out the damage to her legal and medical records, and figured her worries were over. Months later, when Sachs suffered a kidney infection, she was careful to avoid the hospital where Moran had used her identity. It didn’t matter: The thief’s records had circulated electronically and intermingled with her own. Moran’s emergency contact number was listed in Sachs’s file, and there may have been other mistakes, such as the thief’s blood type. Sachs — who has a blood-clotting disorder and for whom the wrong medication could be disastrous — was savvy enough to alert the hospital staff, who straightened out her charts before making a critical error. “Had [Moran’s] baby not tested positive for drugs, I wouldn’t have known anything about it,” Sachs says. “I have a hard time believing that everything is back the way it was before. It’s terrifying to think about.” Consider the number of people who see your personal information when you become sick. “There are so many players,” says Robert Gellman, a privacy consultant and attorney in Washington, D.C. “Doctors, hospitals, pharmacies, labs, insurance companies — any single medical treatment can involve a half dozen entities.” To turn your life upside down, it takes only one person at one of those places willing to use her access as an opportunity for exploitation. In Florida, an office coordinator at the Cleveland Clinic in Weston printed out 1,100 patient records, then sold them to her cousin for $5 to $10 per patient, according to an FBI agent involved in the case. 
The World Privacy Forum, a nonprofit research group in San Diego, reports that prosecutors in New York, California and Florida have uncovered a technique that would make Tony Soprano proud: “clinic takeovers,” in which criminals buy a health care center, steal information from it to file false insurance claims, and then shut the whole thing down before anyone catches on. It’s not just professional crooks working the system. In Miami, physicians sold their medical licenses and provider numbers to a clinic that racked up $6.5 million in false claims. A Boston-area psychiatrist altered records of his patients and their families to reflect sessions and diagnoses they didn’t have, then billed insurance companies for treatment he never provided. Then there are victims like Joanne Lomax of Philadelphia, a 32-year-old package handler who was surprised when her insurance rejected her claim for a $189 gynecological visit. She was even more stunned to learn why — only one annual checkup was covered, and another woman had already used Lomax’s name to pay for her own exam. As Lomax learned, your insurance card isn’t just something you dust off for doctor’s appointments — in the hands of a thief, it becomes a credit card, a PIN and a license to spend. FTC numbers suggest that medical identity crimes may cost the U.S. economy $468 million per year. “This crime is so insidious,” warns Pam Dixon, founder and executive director of the World Privacy Forum. “It affects more people than you realize — and the stakes are as high as they can get.”

Regaining control of identity

On Christmas Day in 2003, Jo-Ann Davis pulled out of a gas station near Pittsburgh without realizing she’d left her wallet on the roof of her car. She hoped she could minimize the damage by quickly canceling her credit cards.
But her insurance card was in the wallet, too. Before her identity thief was caught, she had used Davis’s information nearly 40 times, racking up almost $14,000 in prescription meds and treatment in Pennsylvania and Ohio. For the next four months, regaining control of her identity became a second job for Davis, a 42-year-old veterinary nurse. She exchanged faxes and phone calls with her insurer and fended off bill collectors. She says the police investigated her to make sure she wasn’t a conspirator. And then came the day she stopped by her pharmacy to pick up her migraine medication. When a well-meaning clerk noticed her account was flagged and called the police, Davis was nearly arrested. “I don’t think my insurance company realized the magnitude of this,” says Davis, who eventually convinced the cops she wasn’t her impostor. “You don’t know how long this is going to go on.” The unsettling reality is that it’s far easier to safeguard your financial well-being than records that could affect your physical health. “On the medical side, we’re at the same stage as we were 10 years ago with financial identity theft,” Gellman says. Three credit bureaus serve as centralized gatekeepers to your financial records; it takes mere minutes to download a free annual credit report. It could take years to track down the hundreds of records compiled by every medical provider you’ve ever used. And after you’ve found them, some providers charge hundreds of dollars to copy all the pages. Complicating matters is the federal regulation designed to protect your medical privacy — the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. In theory, the rule provides access to your medical records and the ability to correct mistakes. But in practice, when patients challenge the accuracy of their files, insurance companies and physicians are often loath to delete information, preferring to red-flag the items in question. 
No one is compelled to amend records they didn’t create, so if an M.D. submitted a claim to your insurance based on an identity thief’s scam, the insurer is not required to correct it as long as the doctor is still in business. “There’s a tendency among medical professionals to be suspicious of why you need to make changes,” says Adam Levin, chairman of Identity Theft 911, a crisis-resolution firm in Scottsdale, Arizona. Worse yet, once someone else’s history is entangled with yours, health care providers will sometimes prevent you from seeing that information, for fear of violating the thief’s privacy rights under HIPAA. When Sachs asked to see her records at the hospital where the impostor had given birth under her name, officials refused, saying the records were no longer technically hers. “The hospital said they’re not the police — they’re in the business of trusting people,” she recalls.

‘You have to be persistent’

The costly, time-consuming investigation of these crimes often falls on the victim’s shoulders. “To say there’s little recourse for these folks would be an understatement,” Dixon says. Brooke and her husband had to go to two stations before police agreed to look into the matter; at the time in Washington, some medical ID theft was treated as a property crime, akin to a stolen iPod or car break-in on the police priority scale. On the federal level, the FTC logs complaints but doesn’t have the authority to pursue them. The U.S. Department of Health and Human Services is the agency to contact if you’re denied access to your medical records. Although every insurance company has its own investigators, victims may be made to feel they aren’t a priority, says Byron Hollis, managing director of the Blue Cross and Blue Shield Association’s national antifraud department in Washington, D.C. “There are a lot of different kinds of fraud, and medical ID theft is a small subsection of that.
So the consumer may feel, when they first call, that it’s the most important thing to them, but the person they’re talking to may have 20 to 40 cases of other kinds of fraud they’re working on. You have to be persistent.” Thirty-nine states have laws requiring companies to alert you when a security breach compromises your personal information, but not all of the laws specifically protect medical information. A California law that took effect in January took that step, and other states may follow. But lawmakers have made little headway on fixing federal laws so that they affirm the victim’s right to clear corrupted medical records. Meanwhile, there’s an Orwellian scenario keeping privacy advocates up at night: The government is moving forward with plans to create an online records locator called the Nationwide Health Information Network, designed to help physicians share records. Its upside is that doctors would have nearly instantaneous access to your health history in an emergency, no matter where you are. On the other hand, millions of health care workers — and potential criminals — could be a mouse-click away from those same records. With so little standing between your health information and the con artists who covet it, the future of medical identity theft might get worse before it gets better. But as more victims step forward, more legislators will be pressured to take action. In Washington, the story of the Brookes and their son, who may be the youngest identity-theft victim in the country, helped inspire a measure now making identity theft a priority for law enforcement across the state. Two-year-old Andrew was sitting on the lap of Governor Christine Gregoire as she signed the law. “At least one good thing came out of it,” Brooke says. “When you’re affected by this crime, you want to see things change. I’d like to see other states pass similar laws. This is just the beginning.”


2/29/08: Laptop with Secret Info Sold on eBay

A British computer repair technician says he found highly confidential government data on a disc inside a laptop purchased over eBay. Lee Bevan, managing director of Leapfrog Computers near Bolton, said a customer brought a laptop into the repair shop and "in between the keyboard and the circuit board we found a CD that said, 'Home Office, highly confidential.'" Bevan said he called the police and officers from the Counter Terror Command took the equipment, Sky News reported. The incident follows a number of embarrassing losses of information by government departments in recent months with personal information on millions of Britons missing.


3/3/08: COMPUTER DISCARDED IN DUMPSTER CONTAINS PERSONAL D

An article by Tom Kenny of WTVQ in Lexington, KY on February 19th tells how a discarded computer yielded some pretty interesting information about the previous owner. Not only did it contain e-mail messages, a name, age and birth date of an individual, presumably the owner, but also personal letters, including an individual's name and address, and what the users looked at on the Internet, which included everything from instant messaging to pornography.


2/29/08: 100,000 Docs' IDs At Risk Following Breach

Wisconsin's WEAU television news team reports that more than 100,000 doctors in 10 states have had their Social Security numbers exposed as a result of an erroneous Web posting by California-based Health Net Federal Services, a health insurance firm that works primarily with military families and veterans. The breach occurred in December of 2007 and was disclosed this week. The breach was rectified, and in a statement to the station Health Net in part said, "Unfortunately, in late December 2007, we were notified of potential vulnerability for us that provider data was accessible through our Web site that included Social Security numbers of a limited group of network and non-network providers."


2/22/08: DOT clerk arrested on identity fraud charges

A Georgia Department of Transportation employee was arrested Thursday on charges she stole $20,000 by using the identities of people who bought permits from the agency. Dnez Bracy, 21, of Union City, and five other accomplices are facing identity fraud charges, GBI spokesman John Bankhead said. Bracy was fired Thursday from her job as a clerk in DOT's permits office, where she had worked since April, agency spokeswoman Karlene Barron said. GBI began investigating the case in January and discovered an identity theft ring that involved the five others and $200,000 in fraudulent charges, Bankhead said. The others arrested were: Qwan Boykin, 30; Shuna Hutchins, 27; Jimia Ragin, 28; Verique Johnson, 30; and Robert Smith, 29. All are believed to be metro Atlanta residents. Bracy is accused of taking $20,000 in the names of 55 DOT customers, Barron said. Her job was to take payments for truck permits for oversize or overweight loads, such as mobile homes and large equipment.


2/11/08: 30,000 health plan members' info on stolen laptop

A laptop computer stolen in early January contained personal information about 30,000 members of Fallon Community Health Plan (FCHP), according to an article in the January 25 Worcester Telegram & Gazette. FCHP, the fourth largest HMO in Massachusetts, told the newspaper that the laptop at a vendor office in Boston contained the names, dates of birth, and Social Security numbers of approximately 30% of its members. The data analysis company, which FCHP declined to identify, originally told the HMO that the stolen laptop contained encrypted information about approximately 150 members, the newspaper reported. However, FCHP later concluded, with the assistance of a forensic technologist, that the laptop was not password-protected in accordance with company policy and that it contained personal information about additional members. FCHP told the newspaper that it has mailed letters to 29,800 members affected by the breach in Worcester, Middlesex, Norfolk, Hampden, and Hampshire counties and has offered free credit monitoring service for 12 months. Savvy criminals know the value of stolen financial information, Beth Givens, director of the San Diego-based Privacy Rights Clearinghouse, told the newspaper. Data breaches have exposed more than 215 million records since 2005, she said. Givens described credit monitoring services as the standard response from those responsible for data breaches, but she said that these services don't protect consumers when thieves use the stolen data to register a motor vehicle, file a civil lawsuit, or register a firearm.


1/18/08: 230 retailers affected by data breach

A backup tape containing credit-card information from hundreds of U.S. retailers is missing, forcing the company responsible for the data to warn customers that they may become the targets of data fraud. GE Money, which manages in-store credit-card programs for the majority of U.S. retailers, first realized that the tape was missing from an Iron Mountain secure storage facility in October, said Richard Jones, a company spokesman. "We were informed that one of the tapes could not be located. But at the same time there was no record of it ever having been checked out," he said. The tape contained in-store credit-card information on 650,000 retail customers, including those of J.C. Penney, he said. GE Money employees are also affected by the breach. The missing backup tape was unencrypted. Although J.C. Penney was the only company that Jones would confirm as affected by the missing tape, that retailer accounts for just a small percentage of all accounts that were compromised. In total, 230 retailers are affected by the breach. "Clearly that number includes many of the national retail organizations," he said. The tape also contained Social Security numbers of 150,000 customers. When matched with name and address information, Social Security numbers can be used to set up fraudulent credit-card accounts, a common form of identity theft. Jones said that following a GE Money investigation, there is no evidence that the tape in question has been stolen or that the data it contained was misused. After reconstructing the data that was on the missing tape, GE Money began sending out letters to those affected by the breach in December. The company has set up a toll-free number and is offering one year of free credit monitoring services to those affected by the breach. In 2006, retailer TJ Maxx discovered that thieves had broken into its computer networks, stealing an estimated 94 million credit- and debit-card numbers. 
Costs related to that breach are expected to be in the hundreds of millions of dollars. GE Money is a division of General Electric.


12/31/07: Stolen laptop has data for hundreds of Minnesotans

Names, Social Security numbers and other personal information for 219 Minnesotans licensed by the state Department of Commerce are on a laptop computer reported stolen more than three weeks ago. Commerce Department officials said Friday that the computer belonging to a vendor went missing Dec. 6 in Philadelphia. The vendor, Promissor Corp., notified police of the apparent theft but waited until Dec. 21 to tell the Minnesota agency, a state spokesman said. The department uses the company to manage licensing data for the real estate, mortgage and debt collection industries in Minnesota. According to the Minnesota department, the data was stored on an employee's computer hard drive, which was protected by a password but lacked more sophisticated encryption. Commerce Department spokesman Bill Walsh said the agency didn't know the full extent of the missing data on Minnesotans until Friday. "We're very concerned about the delay, and we're looking into whether they followed our state laws disclosing the information," Walsh said. The agency is working to notify people whose sensitive data could be compromised. The company is offering to pay for a credit-watch monitoring service for the affected people. State officials were told the computer contains information for a total of 257 people, including some living in Alabama, Arizona, Georgia, Illinois, Iowa, Kansas, Missouri, North Dakota, Ohio, South Dakota and Wisconsin.


12/27/07: Dumpster-diving for e-data

Dumpster-diving -- going through trash bins in hopes of finding paper records with valuable information like customer names or future product plans -- is alive and well in the age of USB flash drives and portable music players. Every user who throws away (or loses) a keychain-size flash drive could be unintentionally leaking critical information to a competitor. Any of the tens of millions of desktop and notebook computers disposed of each year in landfills, junkyards and yard sales could be a rich trove of corporate data left on a hard drive by lazy users or IT departments. Dumpster-diving remains "an extremely effective way of gathering a lot of information quickly," says Dennis Szerszen, senior vice president at patch management and security software vendor PatchLink Corp. "It's become even more of a threat with the added dynamic that removable media brings to the table." But any IT manager who lets sensitive data get out the door into the trash can -- or anywhere else PCs or mobile devices are disposed of -- has only himself to blame. Tools ranging from low-cost or free disk-wiping software to low-cost encryption and more-expensive "disintegration" machines for disk drives are available for any IT manager with the will and awareness to use them.

Risk Factors

"Dumpster-diving" originally referred to going through the trash looking for paper records that might hold valuable information such as customer names, product plans or budget projections. Paper records still pose a challenge, of course. As an estimated 50 million or more PCs, notebooks and servers are disposed of each year, the information they hold also poses a new and growing risk for their former owners. New portable storage devices, such as USB flash drives and portable music players, can store gigabytes of data and make it easier for a disgruntled insider to download and walk out the door with sensitive information.
Moreover, handheld computing and communications devices such as BlackBerries and PDAs can, via e-mail, funnel sensitive data out of the organization -- or let viruses or other malware in. Converge Global Trading Exchange in Peabody, Mass., offers an IT asset disposal service called NextPhase. Chris Adam, director of NextPhase, says "the hot topic now is portable devices, BlackBerries and other PDAs, cell phones and even USB drives. We get requests all the time [asking] 'How do we secure those?'"

Lines of defense

The easiest, least expensive technology for protecting digital information is encryption. Observers say modern encryption software is inexpensive and easy to use and is capable of protecting virtually any organization against the theft of data on devices after they are disposed of -- or if they are lost or stolen. Among the vendors offering free or low-cost encryption are TrueCrypt Foundation, PGP Corp. and Voltage Security Inc., according to Paul Kocher, president and lead scientist at Cryptography Research Inc., a security consulting and technology licensing firm in San Francisco. "In a lot of cases organizations already have the software they need," he says, citing the BitLocker encryption included in some versions of Microsoft's Windows Vista operating system. "It's just a question of getting the configuration right and the policies right and training users." "Encryption," says Szerszen, "is far too available not to be making use of it." Kocher notes that modern notebooks and desktops are powerful enough that encryption won't significantly slow down other applications. The larger obstacle, he says, is that encryption creates "one more password for somebody to remember," and that the IT staff must create processes to recover encrypted data "if somebody loses their password or leaves" the organization.
Encryption is so widely available and easy to use that the loss of unprotected data "speaks loud words" about the IT policies of the company involved, says Neel Mehta, team leader of X-Force Advanced Research & Development at IBM Internet Security Systems. His group strongly recommends that its customers encrypt sensitive data wherever it resides, whether it's at rest on a hard drive or being transmitted over a private or public network. To prevent, or at least detect, insider data theft, many vendors offer software that can restrict the use of physical ports on a computer or even dictate what types of files users can download to which types of devices. USB-Defender from TriGeo Network Security Inc., for example, detects the insertion of devices such as flash drives into USB ports, captures details about the device and logs every file copied to or from the device, according to a company spokesman. Jeff Fuhler, information security officer at the Nevada Office of Veterans Services, uses Sanctuary device control software from PatchLink Corp. (formerly SecureWave) to protect sensitive information. Because Windows will automatically configure portable storage devices such as USB drives, allowing them to upload or download data, he has configured Sanctuary to deny access to such mobile storage devices except for users to whom he has specifically granted access. Credant Technologies Inc.'s Mobile Guardian provides server-based control over portable devices, enforcing policies covering areas such as what data can be transferred to or from the devices and the strength of the encryption and the passwords used on them. Mobile phones and PDAs such as BlackBerries also pose a risk because of their ability to receive and store e-mail. But observers say most of them support encryption and note that administration tools allow administrators to automatically deny access or even wipe the data from them if anyone repeatedly enters an incorrect user name or password.
End of life protection

After a device is disposed of, the Dumpster becomes the greatest risk. Depending on the sensitivity of the data on the drive, IT managers can rely on anything from low-cost manual processes and commercial software to physical destruction to be sure no data can be taken from a disposed-of device. As most IT managers know, simply reformatting a hard drive just erases the directory information that indicates where data is stored, but doesn't erase the data itself, says Kocher. A wide variety of tools, ranging from freeware and shareware to commercial software, do an effective job wiping data from hard drives. Just completely filling a drive with meaningless data does "a reasonably good job of erasing the content," says Kocher. Some users pass a powerful magnet over a disk drive (or magnetic tapes) to scramble the magnetic orientation of the bits and bytes that store the actual data on the media, in a process known as degaussing. For data whose loss would be catastrophic, the ultimate step is to physically destroy the drive, including the magnetic platters that hold the data. NextPhase can reduce hard drive platters to fragments of a quarter inch or less. That's the minimum size, says Adam, from which a really determined expert could still retrieve data. "We call it disintegrating, as opposed to shredding," he says. "It comes out looking like cereal." The cost of such destruction: US$4 to $15, depending on whether the customer wants NextPhase to record the serial number of the drive and document its destruction. The company can also destroy PDAs and personal communicators such as BlackBerries. When it comes to USB or flash drives, filling the device with junk data and deleting it is enough to stop a casual hacker, says Kocher, but a more sophisticated adversary might be able to find data in a memory sector that is marked as bad or that is stored as part of the error-correction code in the device.
Physical destruction may not be the ultimate answer for discarded flash drives, he says, because the chip within the drive that holds the data is quite small and might escape even a thorough shredding. Before disposing of server hard drives that held sensitive information, Fuhler uses a commercial product to erase data from them. Before disposing of the RAID arrays, he "scrambles" the physical location of the hard drives, which makes any surviving partition tables useless. He then reformats the RAID array and reinstalls the operating system to prepare it for the next agency within state government that will use the array.

The human factor

Whatever you do to prevent Dumpster-diving, any security policy that gets in the way of users doing their jobs simply won't work, says Richard Stone, vice president of marketing at Credant Technologies Inc., a mobile data protection software vendor in Addison, Texas. "A security process that says 'don't plug in USB drives' is not realistic," he says. A realistic policy, he argues, is one that allows users only to attach USB drives to devices that are protected by control software such as Credant's. Finally, says Kocher, "the most important thing isn't even technology." Rather, he says, "it's making sure you hire people you trust and you educate them properly." He points out that 40% of security breaches are caused by current or former employees rather than outside hackers. And if malicious employees have access to sensitive data, he says, "there's not really any technical solution you can rely on to ensure nothing bad ever happens." In other words, no matter how finely you shred your old hard drives, he says, "if you have a culture where employees are unhappy, that is a security threat."
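Kocher's point that reformatting only clears the directory while the data stays on the platters is easy to check against a model. The script below is an added illustration written for this page, not code from the article or from any vendor it names. It builds a constructed disk image with a small FAT-like layout (a directory region followed by data sectors), writes a record containing a constructed Social Security number, then compares a "quick format" (directory cleared, data untouched) against a full overwrite with meaningless data. The raw-sector scan stands in for what a recovery tool does when it ignores the directory and reads the sectors directly. Names such as ToyDisk and run_demo are this example's own.

```python
"""Why reformatting is not erasure: a constructed disk-image model."""
import os
import re

SECTOR = 512
DIR_SECTORS = 4                      # directory/allocation area at the front
DATA_SECTORS = 64                    # data area after it
DIR_BYTES = SECTOR * DIR_SECTORS
IMAGE_SIZE = SECTOR * (DIR_SECTORS + DATA_SECTORS)

# Forensic-style pattern search over raw bytes (constructed SSN format).
SSN_RE = re.compile(rb"\d{3}-\d{2}-\d{4}")


class ToyDisk:
    """Constructed model of a drive: directory region + data region."""

    def __init__(self):
        self.image = bytearray(IMAGE_SIZE)
        self._next_free = DIR_SECTORS        # first unallocated data sector

    def _read_dir(self):
        raw = bytes(self.image[:DIR_BYTES]).rstrip(b"\x00").decode("ascii", "replace")
        entries = {}
        for line in raw.splitlines():
            name, start, length = line.split(":")
            entries[name] = (int(start), int(length))
        return entries

    def _write_dir(self, entries):
        raw = "".join(f"{n}:{s}:{l}\n" for n, (s, l) in entries.items()).encode("ascii")
        assert len(raw) <= DIR_BYTES, "toy directory region full"
        self.image[:DIR_BYTES] = raw.ljust(DIR_BYTES, b"\x00")

    def write_file(self, name, payload: bytes):
        sectors = -(-len(payload) // SECTOR)          # ceiling division
        start = self._next_free
        assert start + sectors <= DIR_SECTORS + DATA_SECTORS, "toy disk full"
        off = start * SECTOR
        self.image[off:off + len(payload)] = payload
        entries = self._read_dir()
        entries[name] = (start, len(payload))
        self._write_dir(entries)
        self._next_free += sectors

    def list_files(self):
        return sorted(self._read_dir())

    def read_file(self, name) -> bytes:
        start, length = self._read_dir()[name]
        return bytes(self.image[start * SECTOR:start * SECTOR + length])

    def quick_format(self):
        """What 'reformatting' does in the article's sense: wipe the directory only."""
        self.image[:DIR_BYTES] = b"\x00" * DIR_BYTES
        self._next_free = DIR_SECTORS

    def raw_scan(self, needle: bytes) -> bool:
        """Recovery-tool view: search the data sectors, ignoring the directory."""
        return bytes(self.image[DIR_BYTES:]).find(needle) != -1

    def ssn_hits(self):
        """All SSN-shaped byte strings still present anywhere in the raw image."""
        return SSN_RE.findall(bytes(self.image))

    def overwrite_all(self, random_fill: bool = True):
        """Fill every sector, directory and data alike, with meaningless data."""
        for off in range(0, IMAGE_SIZE, SECTOR):
            fill = os.urandom(SECTOR) if random_fill else b"\x00" * SECTOR
            self.image[off:off + SECTOR] = fill
        self._next_free = DIR_SECTORS


def run_demo(random_fill: bool = True):
    """Walk one constructed record through format and overwrite; return findings."""
    disk = ToyDisk()
    disk.write_file("claim.txt", b"patient=Jane Q. Sample (constructed) ssn=123-45-6789")
    disk.write_file("notes.txt", b"no sensitive content here")
    disk.quick_format()
    after_format = {
        "files_after_format": disk.list_files(),                 # directory says: empty
        "recoverable_after_format": disk.raw_scan(b"123-45-6789"),
        "ssn_hits_after_format": disk.ssn_hits(),
    }
    disk.overwrite_all(random_fill=random_fill)
    after_wipe = {
        "recoverable_after_wipe": disk.raw_scan(b"123-45-6789"),
        "ssn_hits_after_wipe": disk.ssn_hits(),
    }
    return {**after_format, **after_wipe}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The model deliberately leaves out what the article's experts flag as the hard cases: sectors remapped as bad, flash wear-levelling and error-correction areas, and RAID parity. Those are exactly the reasons the passage ends with physical destruction for data whose loss would be catastrophic; a single overwrite pass like the one modelled here is the floor, not the ceiling.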


12/5/07: Government Report Says ID Theft Down

A government survey released this week questions the conventional wisdom that identity theft is a growing problem in the U.S. But don't toss out your shredder just yet. Consumer advocates are not convinced the Federal Trade Commission numbers are accurate, though they do agree on a key point highlighted in a footnote of the agency's report: the difficulty in coming up with a reliable assessment of the problem. An estimated 8.3 million Americans over the age of 18 were victims of identity theft in 2005, according to an analysis of a phone survey released Tuesday by the FTC. That represented a decline of about 16 percent from an estimated 9.9 million victims in 2003, when the agency last conducted its survey. While the FTC's identity theft survey is broad, the agency acknowledged in a footnote that its conclusion is not "statistically significant" because the sample size was too small. The government's report drew criticism — and some sympathy — from fraud experts and consumer advocacy groups, who cite conflicting data that point to a rise in the number of cases of identity theft in the U.S. "It's a difficult thing to get a precise handle on," said Susan Grant, vice president of public policy for the National Consumers League. "These surveys are helpful but may not show what's really happening." Consumers often are unaware their personal information may have been compromised through a data breach, or some other form of fraud, Grant said. And when they don't know they've been victimized, they can't accurately respond to telephone or Web-based surveys. Furthermore, retailers, banks and brokerage firms — often the first to be notified by possible identity theft victims — are not required to disclose fraud losses, said Avivah Litan, a senior fraud analyst at research company Gartner Inc. "The real number is unknown," Litan said.
Like banks and mortgage lenders hesitant to reveal the extent of the credit crunch, retailers and banks aren't itching to disclose their fraud losses, Litan said. "No one wants to call attention to their fraud problems," she said. Identity theft cost U.S. businesses $55.7 billion in 2006, according to Javelin Strategy & Research. The FTC estimates that in 2006 the cost to consumers was $1.2 billion. But experts say complaints filed with the FTC offer only a glimpse of the actual damage. "Most people don't even think about calling the government because they are not going to help them get their money back," Litan said. The FTC estimates that 1.8 million Americans discovered some type of fraud committed using their personal information, 3.2 million had their credit card accounts misused and 3.3 million experienced misuse of other financial accounts. Javelin's estimates back the FTC's findings. It said 8.4 million people were victims of identity theft in 2007, down from 8.9 million in 2006 and 9.3 million in 2005. However, a report released by Gartner contradicts them both. Gartner's report showed the number of victims of fraud related to identity theft rose to 15 million during a 12-month period ended August 2006. To further muddle the matter, both the FTC and Gartner used the same research firm, McLean, Va.-based Synovate. The only difference was Gartner used a Web-based survey of 5,000 U.S. adults, while the FTC used random-digit-dialing sampling for interviews. The author of Gartner's February fraud report says neither the FTC nor Javelin is "totally accurate." "It shouldn't matter what channel you use to gather information," Litan said. Jim Van Dyke, founder and president of Javelin, criticized Gartner for using a Web-based approach, which he contends skews results because consumers who cannot afford Internet access are underrepresented.


11/15/07: CDs containing state workers' information missing

CARSON CITY, Nev. (AP) - Hundreds of CDs containing payroll information about state employees, including Social Security numbers, have either been lost or stolen over the last three years, state Personnel Director Todd Rich said. Rich said his department sent a total of more than 13,000 CDs to 80 agencies for review every two-week pay period over the last three years. He said as many as 470 are still missing. "We haven't had any notification from anybody that, 'Hey, my identity has been stolen,'" Rich told the Nevada Appeal. He said it would be up to Attorney General Catherine Cortez Masto whether to issue a breach notification. If so, he said, it would be done by agencies with missing discs. The system has been tightened to prevent unauthorized people from getting employee information, Rich added. "It's on top of my list because we want to make sure foremost our employees' personal information is protected," said Rich, who assumed his position in May. "It concerns me greatly." Under the new system, discs will be signed for and returned to the personnel department after each pay period, Rich said. The CDs now require a password in order to read data, and employee identities will be better protected with a switch from Social Security numbers to a unique employee identification number. "We want to make sure we get this cleaned up," he said. The issue was raised by Jim Elste, a former state Department of Information Technology security manager, who says his efforts to prod the state to notify workers their personal information may have fallen into the wrong hands caused him to be fired. He made the argument during hearings before a state hearing officer. Elste is appealing his termination, saying he's covered by whistleblower statutes. Elste said he discovered in June that there was no system for tracking the CDs after they were sent and no system for getting them back or destroying them.
DOIT Director Dan Stockwell testified Elste was fired for poor management and lack of anger control. Administrative Hearing Officer Bill Kockenmeister's ruling on the appeal is expected early next year.


11/16/07: Laptop with personal data missing

Cabarrus County officials notified more than 28,000 people this week that their personal data, including Social Security numbers, are on a missing laptop computer owned by Cabarrus County Emergency Medical Services. The computer had accidentally been left on an ambulance's back bumper at 10 p.m. Oct. 28, while the vehicle was parked at Carolinas Medical Center-NorthEast in Concord. County officials said it is possible, but unlikely, that the information in the laptop could be breached. The county is offering a $500 reward for the safe return of the lost laptop, a silver Panasonic Toughbook 18 tablet PC version. It is encased with a hard black alloy. Hawkins said the county spent $17,676 to print and mail the letters to the people whose data are affected. The county also is hiring a call center (704-920-2424) to deal with calls from those people. The laptop contained names, addresses, phone numbers and Social Security numbers of about 28,000 people who had been cared for by the county EMS over the past four years. It also contained medical information on about 58 people who received treatment from EMS Oct. 13-28.


11/14/07: 17 charged in massive ID theft bust

The operators of a New York business have been charged with running a massive identity-theft and money-laundering operation that raked in more than US$35 million over a four-year period. In total, 17 people have been indicted in the investigation, which centered on a midtown Manhattan company called Western Express International. The charges were announced Wednesday by the Manhattan District Attorney's Office, following a two-year investigation by the Manhattan DA and the United States Secret Service. They are facing as much as 25 years each in prison. "The defendants participated in a multinational, Internet-based, criminal enterprise ... dedicated to trafficking in stolen credit card numbers and other personal identifiers," the DA said in a statement. Western Express had been based at 555 Eighth Avenue, in New York, and it operated the Dengiforum.com and Paycard2000.com Web sites. Both of these Web sites were operational on Thursday. According to the DA, criminals played a variety of roles in the scheme. Criminals who had access to stolen credit card numbers would be hooked up with buyers via what the DA called "cybercrime service providers." Finally, there were "money movers," who would use digital currencies such as Egold and Webmoney to launder the proceeds. The defendants would meet on "carder" forums, Web sites designed to facilitate this type of illicit commerce, the DA said. In total, the group trafficked more than 95,000 stolen credit card numbers. Authorities have identified more than US$4 million worth of credit card fraud with the group, but they say Western Express bank accounts moved more than US$35 million in funds over four years. The illegal activity lasted longer than that, the DA states, running from 2001 to 2007. Last year, two of Western Express's corporate officers received prison sentences after pleading guilty to illegal check-cashing and money-laundering activities.
The Secret Service referred questions on this case to the Manhattan DA's office. DA representatives did not return calls seeking comment.


11/7/07: Probe measures ID theft potential

Attorney General Greg Stumbo displayed a large table of records yesterday with personal information, including Social Security numbers and medical information, that his investigators had recovered from the trash of 121 businesses chosen at random in Lexington, Frankfort, Florence and Louisville. "Consumers face an increased risk of identity theft or loss of privacy when their personal information is not destroyed when records are discarded," Stumbo said in a news conference to warn businesses not to discard records with personal information. Stumbo said 33 of the 121 businesses threw more than 500 records, containing personal information about more than 1,250 people, into publicly accessible trash receptacles. Fourteen of those businesses tossed out more sensitive information about nearly 1,000 people, he said. Businesses don't want to be held responsible for a stolen identity, but many of them don't think about the consequences when tossing information, said Jay Foley, executive director of the Identity Theft Resource Center, a non-profit organization based in San Diego. He said "dumpster diving" is one of the primary ways that identities are stolen. Kentucky law requires businesses to properly dispose of records containing personal information, by shredding, erasing or other methods to make the personal information unreadable, Stumbo said. The records his investigators retrieved will be shredded after they are no longer needed, the attorney general said. Todd Leatherman, who heads Stumbo's Office of Consumer Protection, said the 33 businesses have been notified, and that more information is being sought from the 14 that threw away sensitive information. The businesses, Leatherman said, will be asked to develop or strengthen policies to ensure compliance with the law.
Personal information discarded improperly by businesses is only one of many ways identity theft occurs, said Heather Clary, director of communications at the Better Business Bureau of Central and Eastern Kentucky. She said the organization receives calls every day from people concerned about identity theft. Information -- sometimes from paycheck stubs, credit card offers or medical prescriptions -- is often stolen from individuals' trash cans or mailboxes. Internet "phishing" scams also are common. And in regard to business, information is sometimes stolen electronically. "The consumer has to be just as vigilant about it as the business," Clary said.


11/3/07: After a Data Breach: Navigating the tangle of stat

Bananas.com was caught off guard last year. The musical instrument sales site suffered a data breach that was followed swiftly by a double whammy of consequences. Roughly 250 customer records were exposed, likely after an individual stole an administrative password by accessing systems remotely. (Site owner Bananas at Large has since put additional security procedures in place to prevent a recurrence.) After the breach, the 25-person company scrambled to comply with the many state laws requiring customer notification. It alerted only the affected customers, either by mail or e-mail. Because its own resources were limited, Bananas referred victims to large credit-reporting agencies to monitor for subsequent financial damage from the breach. Despite its efforts, Bananas apparently failed to meet all the various state notification requirements and was subsequently slammed with fines and fees by major credit companies. “They did not specifically provide a reason for the fees other than saying that we had not met all of the terms in our agreements with them,” says Bananas President J.D. Sharp. “They’ll fine the pants off you,” he adds. The Bananas experience provides a hint of the turmoil a company can face as it tries to cope with disclosure requirements in the wake of a data breach. With more than 30 state data-disclosure notification laws now on the books, officials at many companies doing interstate business are hoping that cohesive national legislation will smooth out the nuances among differing statutes. But so far, federal legislation that would unify corporate disclosure rules is merely inching forward. With no imminent legislative relief in sight, corporations sometimes resort to blanketing customers with notifications after a breach — lobbing disclosures even in those states that don’t require them, simply to cover all bases. 
But this practice can have “unintended detrimental consequences,” says Robert Scott, managing partner at the Dallas office of Scott & Scott LLP, a law and IT services firm. Studies have shown that most customers would take their business elsewhere if they received two or more security breach notices, says Scott. “When faced with a security incident, businesses should carefully determine who has been impacted, review their breach notification laws in the relevant states, and devise a breach notification strategy that satisfies the legal obligations and properly notifies affected consumers,” he says. Many organizations are integrating the efforts of IT, Legal and other departments to come up with strategies to comply with state regulations and ultimately weather worst-case scenarios. Others are stepping up encryption efforts, since many states don’t force companies to disclose security incidents if the compromised data was encrypted. Companies as varied as Microsoft Corp., Bank of America Corp. and Verizon Communications Inc. have all taken steps to address the issue with specific teams and processes to handle disclosure in the event of a breach. In large companies, disclosure activity often involves multiple jurisdictions, such as the offices of the chief auditor, the chief compliance officer, the chief privacy officer and the chief technology officer or the CIO, says Joseph Rosembaum, a partner at New York law firm Reed Smith LLP. The lack of a central authority can create problems. “Where responsibilities are partitioned across a diverse set of functions, each office may have the ability to provide greater focus on individual issues, but the challenge of coordination across multiple disciplines is more difficult,” Rosembaum notes. Moreover, it takes corporate vigilance to keep pace with so many differences in state disclosure laws — variations that start with notification triggers. Some states require notification only if a breach is likely to harm individuals.
Others force companies to cast a wider net. “For some states, any breach that compromises the security or confidentiality of covered personal information triggers the obligation to notify the affected individuals,” notes Thomas Smedinghoff, a partner at Chicago law firm Wildman, Harrold. The timing on triggers also varies. “Some states require that consumers be notified when their information is lost. Other states will allow the breached entity to perform some analysis to determine the degree of risk to consumers,” says Jorge Rey, information security and audit manager at independent accounting firm Kaufman Rossin Co. in Miami. Notification triggers aren’t the only differences among state laws. For example, although one state might allow exemptions for compromises of encrypted data, “another state without such an exception would require a notice, even though the data was unreadable,” says Geoff Gray, a privacy and data security consultant at the Cyber Security Industry Alliance in Arlington, Va. And as Bananas.com learned, the high cost of notification compliance doesn’t stop with the resources it takes to coordinate a response and alert customers. “Enterprises may face potential litigation and fines,” says Scott.

Damage Control

The team at ChoicePoint Inc. knows all too well the complexities of navigating state disclosure laws. After a data breach two years ago, the Alpharetta, Ga.-based company dashed out notices to about 163,000 people. “We expanded upon legislation that only existed at the time in California and opted to make nationwide notification of potentially affected consumers, without any state or federal law requiring us to do so,” says Christopher Cwalina, ChoicePoint’s assistant general counsel and vice president for compliance. The company’s woes made headlines, but the incident also prompted it to codify breach management plans and assemble a response team.
Its policy now “lists all enacted state data breach notification laws, as well as the unique requirements of each law,” Cwalina says. In addition, ChoicePoint leans heavily on its government affairs team and legal department to track the laws and monitor compliance in the event of a breach. Large or small, companies should plan ahead to lessen the burden of notification in the event of a data breach. “Encryption is the single most effective way to avoid the negative business impact of data breaches,” says Scott. “Under most privacy statutes, if you have encryption, you get a free pass from notification.” But with or without encryption, it’s wise to devise a strategy for disclosure in the event of a breach. Companies should have a team in place that can assess the scope of damage and meet the demands of state regulators and credit card companies. The goal, says Cwalina, is to “act quickly, investigate thoroughly and notify promptly.”


10/31/07: A wasted effort

Amid the computer gear stacked behind a chain-link fence in White City, there are stacks of Macs, tons of televisions and perhaps even stray bits of data on hard drives that could pique the interest of identity thieves. The equipment, filled with lead, mercury and other hazardous materials, still has the tags of companies and organizations from all over Southern Oregon, including the U.S. government, school districts and the Rogue Valley Transportation District. It was supposed to be recycled by American Appliance Recyclers, but the company, which promised to destroy the hard drives on computer equipment, went out of business and left the refuse behind. "This is a problem because businesses are liable," said Lisa Freeman, toxic use and waste reduction technical assistant with the Oregon Department of Environmental Quality. She said a business that owns a piece of electronic equipment remains responsible for its disposal even after a recycling company takes it away. "Businesses have cradle-to-grave liability," she said. A new recycling company, ECS Regenesys, took the piles of computer gear and other equipment this week to its recycling center in Santa Clara, Calif. The DEQ is considering levying a fine against American Appliance Recyclers. Freeman said the company previously had been investigated for not disposing of electronic equipment in a timely manner. The recycling company did remove a lot of equipment since it started in 2002, she said, but much of it was sent overseas. "Sending it to China isn't getting it right," said Freeman, referring to the lack of environmental safeguards in that country and the lack of oversight of the recycling process. Curt Spivey, division president of electronic collections for ECS, estimates that some 300,000 pounds of electronic gear will be hauled away from a lot surrounded by a chain-link fence and razor wire outside the old Pepsi plant on Avenue G, near Highway 62.
"I drove by this pile and said, 'What is that?'" said Spivey. He said the clean-up effort is being underwritten by a company, but Spivey said the company didn't want to disclose its name. On Oct. 20, ECS collected about 150,000 pounds of electronics from Jackson County residents during a free introductory offer. The company typically charges a fee for recycling. Spivey said that unlike other recycling outfits that ship overseas, his company grinds up all the computers, televisions and circuit boards and extracts the raw materials so they can be recycled. Spivey said some recyclers sell computer gear to foreign companies, where it can fall into the wrong hands, including identity thieves who use equipment to mine hard drives searching for Social Security numbers and other private information. Some of the computers found in White City belonged to Asante Health Systems in Medford. Mark Hetz, chief information officer for Asante, said that before computers are sent to the recyclers by his company they are run through a software scrub program that meets the standards of the U.S. Department of Defense. The program rewrites the hard drive seven times to make it difficult to extract the former data. Hard drives used on servers are never let go, he said, just to make sure none of the data falls into the wrong hands. Asante is looking at more sophisticated equipment that could potentially erase any information. He said equipment to deal with data theft has become more sophisticated, but so have the capabilities of those wanting to steal the information. Hetz said his company has a system in place that provides levels of security from the point the data is collected to the time the memory device is obsolete. "We have a gentleman in our IT (information technology) department that does nothing but security," he said. "It's important to us." The process for recycling electronic gear is soon going to change in Oregon under House Bill 2626.
Manufacturers will have to develop a plan to recycle equipment, adding an extra up-front cost that will likely be borne by the consumer. Freeman said other counties in the state have developed a program to handle the collection of hazardous waste. "Sadly, Jackson County doesn't have a permanent hazardous waste collection (program)."


10/30/07: IT managers fear job loss after data breach

Confidential data leakage is more likely to cause the dismissal of an IT manager than a virus outbreak on a business network, according to a September survey of Australian IT managers. The survey, conducted by market research firm StollzNow and commissioned by Websense, found that 56 percent of the 159 IT managers surveyed believed data leakage caused by employees could put their job at risk. 52 percent deemed the introduction of a virus likely grounds for dismissal, and 47 percent said accessing inappropriate material was also a trigger.


10/29/07: 200,000 Notified of Lost Backup Tape

The state of West Virginia this week began notifying members of its insurance plans that their personal data may have been compromised through the loss of a system backup tape. The tape was lost when a third-party shipper discovered an empty package from the West Virginia Public Employees Insurance Agency. The package was bound for a Pennsylvania company that the agency uses for backup analysis. The agency believes the package came unglued in transit, and does not suspect theft, according to a spokeswoman. The tape contains data on all of the West Virginia PEIA's insured, as well as members of the state's Children's Health Insurance Program and the AccessWV high-risk insurance pool. The data loss is another in a long series of losses that have occurred over the past year as a result of mishandled backup tapes or devices. In most cases, the tapes have been lost in transit to a third party or off-site storage facility. (See IBM Offers Reward for Lost Employee Data, Data on 28,279 Nationwide Customers Stolen, and 26 IRS Computer Tapes Missing.) The frequent data losses have spurred many storage vendors to develop tools for automating the encryption of backup data, as well as the creation of new industry standards for tape storage. (See Hard Disks Spin Up New Security Spec and Bookham Buys Marconi Components.) Despite the availability of such tools, however, enterprises continue to report loss of tapes and other backup storage media. Less than a week ago, the state of Louisiana reported that the loss of backup media may have exposed the personal information of virtually all college applicants to state universities for the past nine years. Authorities in West Virginia did not say whether the data on the lost tape was encrypted. The spokeswoman did say the tape cannot be read by standard computer equipment and does not contain medical or prescription claims information.
Accessing the data would require highly knowledgeable individuals with specialized data processing equipment loaded with appropriate software, she said.


10/27/07: Microsoft report warns of more data breaches

A new security intelligence report and survey from Microsoft may reveal the root cause of some data breaches. The biggest reason, it seems, is that various company departments tend to mismanage their data while assuming the IT department is securing it all. The biggest disconnect appears to be between a company's marketing staff and its security and privacy professionals, said Brendon Lynch, a privacy strategist with Microsoft. If better coordination doesn't happen, he warned, more data breaches are a certainty. "Each of the three groups we talked to have different motivations for protecting personal information and they tend to speak different languages," Lynch said in an interview Tuesday. "Marketers care about trust and brand reputation, and worry about the brand's reputation suffering in the face of a data breach. The security professionals are focused on preventing attacks, and the privacy folks care about regulatory compliance." Unfortunately, security and privacy professionals labor under the false assumption that marketing personnel are regularly checking in with their departments before collecting and using sensitive data, Lynch said. The survey found that 78% of the security and privacy executives surveyed said they were confident that their marketing colleagues consult them before collecting or using personal information. But only 30% of marketers said they actually do so.
The survey of more than 3,600 security, privacy and marketing executives across a variety of industries in the United States, United Kingdom and Germany was conducted by the Ponemon Institute on Microsoft's behalf. It found that organizations with poor collaboration were more than twice as likely as organizations with good collaboration to have suffered a data breach in the past two years. Lynch said 74% of companies that acknowledged poor collaboration between departments suffered a data breach in the last two years. Only 29% of those reporting good collaboration had suffered a breach in that period. "It shows the need for better collaboration that accounts for the entire data lifecycle," he said. "You can't just assume the IT security people are taking care of it all." One reason the IT security staff can't handle it all is that attackers are adjusting their tactics too quickly for them to keep up, according to Microsoft's latest security intelligence report. The report measures the amount of malware detected via the software giant's Malicious Software Removal Tool, Windows Defender and ForeFront products in the first half of 2007. It indicates a continued rise in attacks designed to steal personal information or trick people into providing it through malicious Web sites, email attachments and other means. During the first half of 2007, Microsoft said, 31.6 million phishing scams were detected, an increase of more than 150% over the previous six months. Meanwhile, there was a 500% increase in such Trojan malware as password stealers and keyloggers. Two notable families of Trojans detected and removed by the Microsoft Malicious Software Removal Tool are specifically designed to steal data and banking information, the report said. Scott Charney, corporate vice president of Microsoft's Trustworthy Computing Group, shared the results in his keynote address at the International Association for Privacy Professionals Privacy Academy in San Francisco Tuesday. 
"There is no one-size-fits-all solution for organizations looking to effectively collaborate and protect data, but we hope this research will be a good resource for companies thinking about how to approach this," Charney said.


10/25/2007: In 2009, Pennsylvania landfills are expected to st

In 2009, all television broadcasting in the United States will switch to digital transmission. And that means the state's landfills are likely to fill up quickly with obsolete TVs. Even now, about 80% of the Commonwealth's electronic waste -- computers, TVs, DVD players -- goes to landfills. And according to experts, that poses threats to human health and the environment. Legislation has been proposed in the Senate (Senate Bill 1115) which would tack a fee, between 6 and 10 dollars, onto the purchase of new computers and TVs to pay for recycling those older models. But not everyone thinks that's such a good idea. Tom Fidler, for example, of the state Department of Environmental Protection, says the agency would prefer a "market-driven approach" in which producers and retailers would be responsible for recycling. "If in fact," Fidler said, "the market would drive the recycling program, I think there would be a lot more incentive and thought put into the manufacture of the materials initially to allow them to be recycled more efficiently and cost-effectively." But Bob Erie, the CEO of the California-based E-World Recyclers, says banning e-waste from landfills without fees to cover recycling has had unintended consequences on the West Coast. Erie said, "Forty percent of the volume being generated in California now is electronic waste that doesn't have any fees to cover it. What does somebody do with it? They ship it. They ship it to China, they ship it to Asia, they ship it to India. They ship it anywhere someone will buy it from them, because as a business, you have to make money on the material that you're touching." And, Erie says, the fee system has worked well in California. "There were a lot of people in the state that said the general public is not going to want to pay this 6, 8, or 10-dollar fee, and there's going to be problems at the retailer. I can tell you that has never happened.
They welcomed the opportunity to help save the earth and to recycle correctly and to pay that fee up front; there was not any problem," Erie said.


Copyright ©2006 Reclamere.
All Rights Reserved.
