Up Front
Below is the latest news, trends, and analysis from the July-August 2010 issue of Information Management. At the end of each item is an "END" mark just in case you need to step away and pick up where you left off.
Privacy
EU Investigates Facebook, Google Tagging
European regulators are investigating photo and video “tagging” used by Facebook and on Google’s YouTube for possible breach of data privacy laws.
EU regulators argue that tagging without the consent of non-registered users violates European privacy laws. The inquiry, led by Swiss and German officials, also is looking into whether such action constitutes an unlawful “processing” or “transfer” of personal data under the EU Data Protection Directive.
Regulators also said that there should be an age requirement for information users post about others on Facebook or YouTube. (Currently, there is not.) Google executives were recently convicted in Italy of violating data privacy laws by allowing a disparaging video of a minor to be posted on YouTube. EU regulators are discussing whether social networking providers should be legally responsible for content posted by their members.
Under Swiss privacy laws, Facebook could be required to obtain the written consent of those whose images have been posted online and to remove all photo and video tags until this consent has been secured. EU regulators have rejected Facebook’s argument that either prior express or implied consent for all postings is obtained through registered users, and Facebook Europe recently added a tool for nonusers to have their data removed.
Facebook and Google have said they will cooperate with EU regulators. END
Social Media
Library of Congress to Archive Tweets
The Library of Congress has announced it will archive every public tweet posted to the social networking site Twitter, beginning with the first post on March 21, 2006.
From historical tweets about President Obama’s campaign to not-so-historical tweets from celebrities, Google said it will make the entire Twitter archive searchable online. The search giant already enables users to “zoom to any point in time and ‘replay’ what people were saying publicly about a topic on Twitter.”
“Tweets and other shortform updates create a history of commentary that can provide valuable insights into what’s happened and how people have reacted,” said Dylan Casey, Google’s product manager for real-time search, in a blog post. “We want to give you a way to search across this information and make it useful.”
The Twitter archive will join the Library of Congress’ web capture project, begun a decade ago, the library’s director of communications told The New York Times. That project collects web pages, online news, and documents related to significant events such as presidential elections, The Times reported.
According to The Times, the web capture project already has stored 167 terabytes of digital material – an amount greater than the text of the 21 million books in the library’s collection.
It will have to make room for even more: The Times said Twitter users currently send out more than 55 million messages each day, each containing 140 characters or less. END
Data Security
Washington State Passes PCI Law
Washington state is now the third U.S. state to make the Payment Card Industry Data Security Standard (PCI) law. It joins Nevada and Minnesota.
HB 1149 amends Washington’s breach notice law to better protect consumers from identity theft due to compromised credit card information. The law also gives issuing banks a legal mechanism by which to recoup the cost of reissuing payment cards after a payment card security breach.
The law, which is effective July 1, 2010, covers businesses, processors, and vendors that process more than 6 million payment cards annually, and who provide, offer, or sell goods or services to Washington residents. To qualify as a regulated entity, the business need not be located in the state of Washington, so the law presumably covers Internet businesses and any others who serve or sell products in the state.
HB 1149 regulates “account information,” which it defines as:
- The full, unencrypted magnetic stripe of a credit card or debit card
- The full, unencrypted account information contained on identification devices, such as those that use RFID or facial recognition technology
- The unencrypted primary account number on a credit or debit card, or identification device, plus any of the following if not encrypted: cardholder name, expiration date, or service code
The law states that if a processor or business fails to take reasonable care to prevent unauthorized access to account information, and that failure results in a breach, then the processor may have to reimburse issuing banks for the costs of reissuing the affected cards.
HB 1149 defines a breach as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.”
“Personal information” includes the first name or initial and last name in addition to other data, such as Social Security or driver’s license number. According to the law, it also includes first name or initial and last name combined with “account or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.”
Critics say the law, as written, falls short in several respects. For example, according to the law’s own definitions, “account information” could be breached without any breach of “personal information.” In this case, there would be no “breach” under HB 1149 and its provisions would not apply.
HB 1149 also includes a “safe harbor” clause stating that under certain circumstances, even if a company failed to take reasonable care or was negligent in protecting account information, issuing banks will not be able to recover reissuance costs.
The law states that regulated entities are not liable under two circumstances: if the account information at issue was encrypted at the time of the breach or the regulated entity was certified as PCI-compliant when the breach occurred.
Under the law’s safe harbor provision, a regulated entity is considered compliant if it was validated by an annual security assessment and if that assessment took place no more than one year before the breach occurred. However, critics say the law does not care whether a company is actually PCI-compliant. It states that as long as the company has done a security assessment and certified it (by filling out and turning in the required paperwork, which consists of a self-assessment report on compliance), its assessment is “nonrevocable” – even if it is incorrect. END
Government Records
Illinois Birth Records Go Digital
Births in Illinois hospitals will now be recorded electronically rather than on paper certificates.
Illinois Department of Public Health Director Damon Arnold, M.D., said there are about 500 births every day in Illinois and “the efficiency of the new electronic systems should help us get birth certificates into the hands of parents sooner.”
The department says it anticipates the Electronic Birth Registration System within the Division of Vital Records will speed the filing of birth records. Officials say the time frame for hospitals and local registrars to file information has not changed. END
Data Security
Data on 3.3 Million Borrowers Stolen
The names, addresses, and Social Security numbers (SSNs) of 3.3 million student loan recipients were stolen from the headquarters of a nonprofit guarantor of federal student loans in March 2010 – the largest breach of such information ever, according to The Wall Street Journal (WSJ).
Company and federal officials said the breach could affect as many as 5% of all federal student loan borrowers. The personal data was compromised when the portable media device it was stored on was stolen from Educational Credit Management Corp. (ECMC), based in St. Paul, Minn.
ECMC’s headquarters has card-key access for the 320 employees who work there, an official told the WSJ, adding that the company is reviewing its security.
ECMC services and insures more than $11 billion in student loans for the U.S. Department of Education. According to the WSJ, ECMC is the designated guarantor for loans in Oregon, Virginia, and Connecticut, but borrowers from all states could be affected.
The 3.3 million SSNs that were stolen from ECMC represent 8.9 million loans, said ECMC spokesman Paul Kelash, noting that one borrower may take out multiple loans.
“We are working with ECMC to make sure that affected individuals are provided with resources to protect their information and to provide them with identity-theft insurance,” said U.S. Department of Education spokesman Justin Hamilton.
According to the Privacy Rights Clearinghouse, more than 347 million records containing sensitive information have been compromised in the United States since 2005. END
E-Mail
FBI Computer Overhaul Delayed Again
The Federal Bureau of Investigation (FBI) was supposed to complete a long overdue computer overhaul this fall, but after yet another setback, the agency said it will not be completed until next year, at the earliest.
The FBI recently announced it has suspended work on parts of its massive decade-long effort to modernize its information system to help combat terrorism and crime. The delay could cost at least $30 million, congressional officials told The New York Times.
FBI officials said that design changes and “minor” technical problems – including slow response times and too-small screen print – prompted the suspension of parts of the third and fourth phases of the project, which is meant to improve agents’ ability to better navigate investigative files, search databases, and communicate with one another, The Times reported. However, the FBI said the little “kinks” that prompted the suspension have not affected its ability to respond to threats.
The $305 million project, dubbed “Sentinel,” is considered vital to national security. Before the project began, Florida agents had to send photos of the 9/11 hijackers via overnight mail to Washington because the FBI computer system did not allow them to send e-mail attachments.
Robert Mueller, FBI director, told a House appropriations committee that the suspension will allow the agency and its contractor, Lockheed Martin, to make necessary adjustments to the system now “so that when we roll it out, it would be successful.”
But some lawmakers said they have doubts, especially because this is yet another delay of the project.
“This is terribly frustrating,” Sen. Charles Grassley (R-Iowa) told The Times. “Wouldn’t you think after hundreds of millions of dollars being wasted that they’d finally get it right?”
According to The Times, Grassley and Sen. Richard Shelby (R-Ala.) wrote a letter to Mueller stating that they viewed the problems as a “serious development” that threatened the entire project. They asked for answers about the source of the problems and Lockheed Martin’s work and said they would not agree to budget increases until they get them. The FBI has requested a 4% budget increase, or $317 million, The Times said. END
Info Technology
New RFID Tag Could Replace Bar Codes
Researchers have created a radio frequency identification (RFID) tag that can be printed onto paper and plastic. The discovery may mean the end of grocery store lines: the technology would allow shoppers to drive their cart by a detector, which would instantly transmit data about their groceries, researchers from Sunchon National University in South Korea and Rice University in Houston told Science News.
Silicon RFID tags have been used in passports, library books, and toll road access cards, but those are cost-prohibitive for items such as toothpaste and socks.
The new tag, reported in the March issue of IEEE Transactions on Electron Devices, costs only three cents to print, compared to 50 cents for each silicon-based tag. The researchers want to reduce that cost to below one cent per tag to make the devices commercially usable.
One new tag can store one bit of information — essentially a 1 or a 0 — in an area about the size of a business card, Science News reported. The research team is working on squeezing 96 bits onto a three-square-centimeter tag, which would be large enough to give a unique identification code to each item in a grocery store, along with data, such as how long the item has been on the shelf.
The tags rely on a special semi-conducting ink, which contains carbon nanotubes that can hold an electrical charge. A transistor must be completely semiconducting to hold information, said James Tour, whose Rice University-based research group invented the ink. Roll printers were built to transfer ink to the tag material. The tags are printed in three layers. One of the team’s final hurdles to getting the tags to store more memory in less space is to perfect the alignment of those layers, according to Science News.
One of the biggest hurdles for RFID tags in general, however, is the privacy issue. Consumers don’t want an RFID tag on a package of chicken to broadcast information about them to the store or manufacturers. Tour said there’s a simple solution: wrapping groceries in aluminum foil. END
Privacy
Google Releases Govt. Request Data
Google Inc. has made available to the public a new online tool that reveals the number of requests for user information and for censorship that it receives from governments worldwide.
The Government Requests (www.google.com/governmentrequests) tool details government requests for surveillance and censorship on Google – information that has never been available before, according to the search giant.
Google noted that many of the requests are legitimate, such as requests for the removal of child pornography or for data about a person involved in a criminal investigation.
Google also acknowledged that the data is not comprehensive and noted there may have been some duplication; for example, multiple requests may have been received for one specific action.
The search giant did not reveal whether it complied with or refused any of the requests for data or content removal. Google said it plans to update the information every six months. END
Government Records
Fed Ordered to Release Bank Bailout Records
The Federal Reserve must release records related to the $2 trillion bank loan program instituted by the Obama administration to prevent a collapse of the U.S. financial market.
The U.S. Court of Appeals in Manhattan has upheld a lower court decision, ruling that the Fed cannot withhold records showing which banks borrowed from the national bank during the financial crisis of 2008. Bloomberg News and Fox Business Network issued a Freedom of Information request for the names of the banks, but the Fed refused to hand over the information. The news agencies filed a lawsuit and won their first case last year.
The Fed argues that disclosing the banks’ names will stigmatize them in the eyes of consumers, causing “severe and irreparable competitive injury.” It has not said whether it will appeal the latest ruling. END
Privacy
French Court Upholds Ruling on E-Mail Seizure
France’s Court of Appeals of Versailles has upheld the unlimited search and seizure of a company’s e-mails by agents of the French Competition Authority.
The court said the actions of the agents, who had been authorized by a lower court to inspect the e-mails pursuant to an investigation into possible abuse related to gaining market share in France’s pharmaceutical market, did not breach employee privacy rights.
The company under investigation and several of its employees argued that the search was not valid because the Competition Authority had reviewed all employee e-mails, not just those relevant to their investigation. As a result, private documents belonging to employees and third parties were searched, an action that violated those individuals’ rights to secrecy of correspondence and protection of personal data.
Article L.450-4 of the French Code of Commerce authorizes Competition Authority agents to seize any documents that are relevant to their investigation. In this case, the court ruled that the agents were legally authorized to include private correspondence if it was relevant to the investigation, and thus their review of the e-mails did not breach correspondence secrecy rights.
With respect to the right to privacy, the court validated the entire investigation on the grounds that the agents used the only method that enabled them to preserve the accuracy and reliability of the relevant documents. The fact that employees’ personal documents were reviewed during the investigation did not invalidate the search because a judge had pre-authorized the investigation. However, the Competition Authority was ordered to return any documents that were identified as personal to their owners.
Under the French Data Protection Act, “personal data processing” broadly encompasses any operation or means used to obtain, record, organize, store, or retrieve data. Therefore, any investigation conducted by the Competition Authority could be considered a “data-processing” activity subject to limitations and safeguards necessary to protect individuals’ privacy rights.
However, the court ruled that seizing computer files does not constitute a data-processing activity, setting up a potential conflict in future investigations. END
Government Records
OMB Relaxes PRA Rules for Social Media
In April 2010, the Office of Management and Budget (OMB) issued a memo exempting web-based interactive technologies from the requirements of the Paperwork Reduction Act (PRA), clearing the way for federal agencies to communicate with the public via social media networks without worrying about excessive paperwork burdens.
Under the PRA, agencies are required to obtain approval from the OMB, which is supposed to authorize all forms that solicit feedback from the public. But this sometimes takes months. Current policies are unclear about whether the PRA covers web-based tools used to communicate with the public. So, many agencies have avoided using social media tools, such as Twitter, Facebook, and blogs, according to OMB Watch.
But this will likely change under the new social media policy, which states: “The PRA does not apply to posts that allow members of the public to provide general or unstructured feedback about a program.”
However, structured items, such as surveys and web polls, are still subject to the PRA. But blogs, public conference calls, webinars, discussion boards, social networks, and online communities are exempt from the PRA, as are “in-person public meetings.”
The new OMB guidance clearly states that information created by social media is governed by the same rules as government records. END
Privacy
Google, EU Argue over Street View
European Union privacy regulators have ordered Google to warn citizens before taking pictures of their neighborhood for its Street View maps service and said it should retain those images for only six months.
These instructions were included in a letter from the head of EU data protection agencies, Alex Turk, to Google’s data privacy chief, Peter Fleischer, according to the Associated Press, which obtained a copy. In response, Google said it has a “legitimate and justified” need to retain Street View images for one year. The company also said it posts notifications on its website about where its Street View cameras will be taking pictures, and it blocks out faces and license plates.
While some countries in Europe, such as France and Britain, have accepted Google’s Street View photo-mapping technology, others, including Switzerland and Germany, have rejected it on privacy grounds.
The New York Times reported that German data protection officials had argued that Street View would breach data privacy laws, but they dropped their resistance last year after Google agreed to obscure details, such as faces, license plates, and house numbers, by using pixelation.
It also agreed to let citizens choose whether to remove their property from the Street View archive. German officials say hundreds of citizens have done so. In an attempt to keep the search giant honest, Hamburg’s senator for justice, Till Steffan, recently introduced a bill in the Bundesrat that would fine Google €50,000 ($66,000 U.S.) each time it fails to delete the data of individuals who have opted out of Street View.
Google plans to activate Street View in Germany by the end of 2010, according to The Times. But data protection regulators in several German states recently learned that Google has also been recording the location of household wireless networks with its roving cameras, and they have asked Google to end the practice, The Times said. Google has continued to collect the data, however, setting itself up for yet another privacy battle with German officials.
Kay Oberbeck, a Google spokesman in Hamburg, told The Times that this data is in the public domain in Germany and, therefore, what Google is doing is legal. He added that Google does not plan to publish the archive or link WLAN devices to individual users. It is only meant to aid services, such as location-based advertising, to cell phones, he said. END
Health Records
ISO Releases Patient Archives Standards
Two documents released by the International Organization for Standardization (ISO) aim to provide internationally harmonized guidelines for archiving patient information. “Health informatics-Security requirements for archiving of electronic health records-Principles” and “Health informatics-Security requirements for archiving of electronic health records-Guidelines” discuss records maintenance, retention, disclosure, and eventual destruction, as well as a practical method and tools for developing and managing electronic archives.
The guidelines suggest that data in electronic medical archives must be stored for the life of the patient and is subject to legal, ethical, and privacy concerns.
More information is available at iso.org/iso/catalogue_detail?csnumber=44479 and iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=44480. END
Data Security
Indian Data Breach Traced to China
Researchers have found that the cyber thieves who pilfered classified information through the Indian government’s computers are based in China.
For eight months, Canadian and U.S. computer security researchers watched the group steal sensitive documents from the highest level of the Indian Defense Ministry. Their report details how the spy operation, dubbed the Shadow Network, systematically hacked into personal computers in government offices on several continents, The New York Times said.
The researchers were able to see some of the documents stolen, including a classified report about security in several Indian states and sensitive embassy documents about India’s relationships in West Africa, Russia, and the Middle East. The thieves also stole several reports on Indian missile systems, as well as a year’s worth of the Dalai Lama’s e-mail messages, The Times said. Documents detailing the travel of NATO forces in Afghanistan were also compromised.
Given the sophistication of the intruders and the targeted data, the researchers say it is possible that the Chinese government not only knew about, but also approved the cyber spying. The research team said it traced the attacks to hackers based in Chengdu by examining their e-mail addresses. But after eight months of surveillance, the researchers still could not definitively determine who was using the Chengdu computers responsible for the attacks.
The Chinese government has strongly denied any government role in the cyber attacks, calling them “groundless,” according to Xinhua, the official state-run news agency.
According to the researchers’ report on the India-focused spying, “Shadows in the Cloud: An investigation Into Cyberespionage 2.0,” the cyber criminals used Internet services like Twitter, Google Groups, and Yahoo! Mail to automate the control of computers once they had been infected, The Times reported.
The researchers gained access to the control servers used by the thieves, according to The Times, and could see what information the group targeted. They were shocked at the depth and sensitivity of the documents that were stolen.
The report notes that documents the researchers recovered were marked “Secret,” “Restricted” and “Confidential.” These documents included assessments of India’s security situation in various states, as well as personal data about an Indian military intelligence official.
Researchers found evidence that Indian Embassy computers in Kabul, Moscow, Dubai, United Arab Emirates, and at the High Commission of India in Abuja, Nigeria had been breached, along with computers used by Indian military groups, The Times said.
The report asks whether the People’s Republic of China will shut the Shadow Network down. “Doing so will help to address longstanding concerns that malware ecosystems are actively cultivated, or at the very least tolerated, by governments like the P.R.C. who stand to benefit from their exploits through the black and gray markets for information and data,” it states. END
Government Records
NARA Posts Federal Records Schedules Online
The National Archives and Records Administration (NARA) has launched a new portal on its website that provides access to scanned images of federal agency records schedules since 1985. For the first time, these records can be viewed via NARA’s Records Control Schedule website: www.archives.gov/records-mgmt/rcs.
By statute, the U.S. archivist grants federal agencies the legal authority to carry out disposition actions against their records. These authorities are proposed by federal agencies, approved by the archivist, and documented for action through a Standard Form 115 Request for Records Disposition Authority (SF 115), also referred to as a “records schedule.”
The SF 115 contains descriptions of record series (a grouping of related records) or systems and the disposition instructions for each. These NARA-approved disposition instructions specify when the series is to be cut off, when eligible records are to be moved to offsite storage, when eligible temporary records must be destroyed or deleted, and when permanent records are to be transferred to the National Archives.
The RCS website contains scanned versions of the paper SF 115s submitted from 1985 to the present. Records schedules for the period between 1973 and 1985 will soon be added. Newly approved schedules will be posted weekly.
All SF 115s have been converted to PDF file format and are listed by agency name and NARA-assigned record group number. Records schedules can be searched by the National Archives job number, by agency name, by NARA record group, or by keyword or subject. END
Data Security
Federal Govt. Still Wary of the Cloud
A survey of federal government agencies, funded by the Lockheed Martin Cyber Security Alliance and commissioned by research firm Market Connections Inc., found that 70% of those surveyed are most concerned about data security, privacy, and integrity in the cloud. But those with experience in the cloud are more likely to be comfortable with it, according to the survey.
Other highlights from the survey include:
- Thirty-four percent of respondents are not familiar with the cloud.
- Twenty-one percent of professionals involved in cyber security at their agencies are unaware of cloud computing.
- Fourteen percent said their agencies have adopted cloud computing.
- Twenty-three percent don’t know what their agencies are doing with cloud computing.
- Fourteen percent said their agencies have at least one cloud computing application, and 85% of them are using multiple applications in the cloud.
“The awareness, trust, and security issues that have limited federal government adoption of cloud computing appear to be more perceptual than prohibitive,” the survey states. “Professionals who are most aware of and involved with cloud computing and cyber security generally trust the cloud model and do not consider it a leading security vulnerability.”
By contrast, local government agencies are more at ease with cloud computing, according to a survey by the nonprofit Public Technology Institute (PTI). The survey found that 45% of local governments are using some form of cloud computing for applications or services. An additional 19% plan to implement some form of cloud computing within the next year, while 35% don’t intend to do so at all.
Government Technology reported that the economic downturn and subsequent budget pressures have forced local governments to embrace the cloud.
According to the PTI survey, local governments currently using or planning to use the cloud cite three reasons:
- Resource savings (staff time, maintenance, and support): 87%
- Features: 48%
- Availability and uptime: 45% END
Open Records
Senate Passes Faster FOIA Act
The U.S. Senate has voted unanimously to pass an amendment to the Freedom of Information Act (FOIA) meant to speed up responses to public information requests and investigate delays.
In a rare bipartisan effort, Sen. Patrick Leahy (D-Vt.) and Sen. John Cornyn (R-Texas) partnered to author the bill, which would create an advisory panel to examine agency backlogs in processing FOIA requests and recommend solutions to expedite future requests.
The panel, named the Commission on Freedom of Information Act Processing Delays, will be required to provide recommendations to Congress for legislative and administrative action to enhance agency responses to FOIA requests. It will also examine whether the system for charging fees and granting fee waivers under FOIA should be reformed to reduce delays in processing fee requests.
“Senator Cornyn and I believe that agency delays in processing FOIA requests are simply unacceptable, and that is why we introduced this bill,” Leahy said in a release.
Leahy and Cornyn first introduced the Faster FOIA Act in 2005, and again in March. In past years, they have authored successful legislation to make important reforms to FOIA, including the OPEN Government Act, which made the first major reforms to FOIA in more than a decade. The OPEN Government Act was signed into law in 2007. In 2009, Leahy and Cornyn authored the OPEN FOIA Act, which mandated greater transparency for legislative exemptions to FOIA. The legislation was signed into law in October 2009.
The Faster FOIA legislation was reintroduced after a study by The Associated Press found that federal agencies were citing more exemptions to FOIA requests even though the number of requests has decreased and the Obama administration has called for more transparency.
The House version of the bill has been referred to the House Committee on Oversight and Government Reform. END
Government Records
Recordkeeping Error Affects UK Organ Donors
A recordkeeping mistake by the UK’s National Health Service may have resulted in a real nightmare for families of deceased loved ones.
Thanks to a data-handling error, NHS officials said organs may have been removed from deceased people without consent. It is against the law in the United Kingdom (UK) to take organs from deceased individuals without their prior consent or the consent of their family after death.
In addition, more than 800,000 people on the UK donor registry may have had their wishes about donating their organs recorded incorrectly. The Sunday Telegraph reported that 45 of those individuals on the organ donor list have died, and 20 families have let organs of relatives be taken based on incorrectly stored data.
NHS Blood and Transplant said it is “urgently investigating.” The problem can be traced to 1999, when details about many donors’ preferences were accidentally deleted. It was not detected until 2009, when NHS Blood and Transplant wrote to donors, restating which organs they agreed to donate. Many wrote back saying the information from NHS was incorrect, according to BBC News.
NHS Blood and Transplant said it has corrected 400,000 flawed records – but hundreds of thousands of people must now be contacted to confirm which organs may be taken. Until consent is given from those affected, the NHS said no organs will be removed.
Joyce Robins of patient-rights organization Patient Concern told the Telegraph: “This government has got an absolutely dreadful record when it comes to data, but it is horrific that such sensitive details were handled in such a careless way.” END
Data Security
Inmates in 8 States Have Access to Personal Data
Prisoners in eight U.S. states have regular access to the public’s personal information, including Social Security numbers (SSNs), according to a federal audit.
Despite warnings that the practice should end, the prisoners hold jobs processing public records for federal, state, and local governments, the Social Security Administration’s Office of Inspector General found. The work includes data entry and processing for documents, such as student transcripts, tax files, and healthcare and labor claims forms.
The audit states: “Although we recognize there may be benefits in allowing prisoners to work while incarcerated, we question whether prisoners have a need to know other individuals’ Social Security numbers … Allowing prisoners access to Social Security numbers increases the risk that individuals may improperly obtain and misuse (the data).”
The practice of giving inmates jobs where they have access to private citizens’ personal data is occurring in eight states: Alabama, Arkansas, Kansas, Nebraska, Oklahoma, South Dakota, Tennessee, and West Virginia. The Social Security Administration lacks the authority to force states to halt the practice, but in the audit it urges Congress to pass pending legislation that would bar states from allowing prisoners to hold such jobs.
For example, in Kansas last year a prisoner stole names, birth dates, and SSNs while making digital images of public records, the audit said. This was discovered during a routine search of inmates after their shift ended.
“We’re extremely sensitive to the potential for any kind of access to personal identifying information and have policies ... to limit an inmate’s ability to write down any of this information,” Bill Miskell, spokesman for the Kansas Department of Corrections, told USA Today. There have been “isolated” cases of inmates trying to steal data, he said, but “we’re not aware of any compromise that has resulted in an inmate being able to utilize personal information for illegal purposes.”
A 2006 audit by the inspector general found that 13 states allowed prisoners to work in jobs where they had access to personal data. Since then, the new audit says, five of those states have stopped the practice.
In a written statement, the Social Security Administration said it will push for legislation to bar prison systems from letting inmates work in jobs where they can access SSNs. Officials also will consider making direct appeals to states that still allow the practice and asking them to stop, USA Today reported. END

Data Security
FTC Starts Enforcing Red Flags Rule
After four postponements, the Federal Trade Commission (FTC) began enforcing its Red Flags Rule June 1. The rule requires companies and professional groups that deal with consumers’ personal information to develop, implement, and monitor programs to prevent identity theft.
The FTC published the Red Flags Rule in 2007 to implement provisions of the Fair and Accurate Credit Transactions Act that require financial institutions and creditors to create programs to detect warning signs – or red flags – of identity theft and respond appropriately. The agency has delayed enforcement of the rule multiple times, however, at the request of businesses who said they were not prepared to comply.
According to an FTC press release, creditors “include professionals, such as lawyers or healthcare providers, who bill their clients after services are rendered.” A court ruled in late 2009 that the Red Flags Rule does not apply to attorneys, but the FTC is appealing that decision.
Medical groups also lobbied the FTC to be excluded from the Red Flags Rule, but the agency rejected their request. The April issue of the Journal of AHIMA argues that the rule is in limbo as lobbyists and legislators determine whether groups, including medical professionals, lawyers, and the financial industry, are accountable for defining and reporting incidents. Opponents of the rule argue that the FTC overreached its authority and applied the rule to too many types of businesses.
In late 2009, the U.S. House of Representatives passed a bill (H.R. 3763) to exempt healthcare practices with 20 or fewer employees from the Red Flags Rule. The bill went to the Senate Committee on Banking, Housing, and Urban Affairs and is awaiting further deliberation. END
Government Records
EPA May Have Suppressed Landfill Records
An Environmental Protection Agency (EPA) Inspector General (IG) report found that EPA officials intentionally stopped keeping records related to potentially hazardous landfills in New Mexico in order to prevent the information from being released through the Freedom of Information Act (FOIA).
Citizens Action New Mexico, a public interest group, had filed FOIA requests seeking information related to an investigation of possible contamination of Albuquerque’s groundwater. One EPA official told the IG that “her section discontinued recordkeeping in favor of undocumented phone calls and conversations … to prevent the production of documents … [She] informed us that her section had discontinued record keeping … because of … requests for information under the Freedom of Information Act.”
The report, first reported by the Albuquerque Journal, also found that the officials marked unclassified records as “confidential” so that they would not be widely distributed. Officials said they only meant to indicate that the document was a deliberative draft, not that it was classified.
According to the IG report, failure to document agency activities is a violation of EPA policy and federal law, which require the preparation and preservation of “adequate and proper” records of agency functions, decisions, and transactions.
Because of the deficient recordkeeping, the IG said it could not determine whether the EPA oversight of the New Mexico landfills was acceptable. In response to the IG report, the regional EPA office firmly “denied its staff took inappropriate steps to withhold information from the public.” But the response did not refute evidence that showed EPA “staff intentionally stopped documenting discussions to avoid responding to the public’s FOIA requests,” the IG said.
In a reply to the IG report, the regional EPA office stated that it did not agree with the IG’s findings or the recommendations, and that local EPA officials had done nothing wrong. The case has been passed on to the EPA deputy administrator for resolution. END