FED ORDERS BANKS TO WARN OF ID THEFT
On March 14th, the Federal Reserve Board issued new rules requiring banks and other financial institutions to notify consumers "as soon as possible" when their sensitive personal information may have been compromised. The Federal Reserve and three other government banking agencies, including the Federal Deposit Insurance Corporation, have now unveiled their guidance on how banks must treat personal information theft under federal laws enacted in 2003. A key requirement is that consumers must now be notified when personal information has been stolen or illegally accessed and there is reason to believe it will be misused. In such cases, the institution must conduct a reasonable investigation to determine if the security breach was significant enough to require notification of affected consumers. Notice can be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation. Specific timelines on how quickly such notice should be given haven't been established. A financial institution is also expected to notify its primary federal regulator of a security breach involving sensitive customer information, whether or not the institution notifies its customers. According to the rules, sensitive customer information includes a customer's name, address, or telephone number, in conjunction with the customer's Social Security number, driver's license number, account number, credit card number, or debit card number, or a personal identification number or password that would permit access to the customer's account. The new requirements may be found at http://www.federalreserve.gov/BoardDocs/Press/bcreg/2005/20050323/
LEXISNEXIS DATA COMPROMISED BY ID THIEVES
On March 9th, LexisNexis announced that information about 32,000 consumers was fraudulently gathered in a series of incidents. The data included names, addresses and Social Security and driver's license numbers. The breaches occurred at the company's recently acquired Seisint Inc. subsidiary, a Florida firm that sells data amassed from extensive public records searches to law enforcement agencies, businesses, private investigators and others. Kurt Sanford, president and chief executive of the LexisNexis corporate and federal markets unit, said company investigators discovered that con artists had assumed the identities and used the passwords of legitimate customers to download the customer data. The company has notified all individuals whose information may have been compromised. The breaches took place in January, and are under investigation by the Secret Service. Further information may be found at http://www.lexisnexis.com/about/releases/0779.asp
WESTLAW LIMITS SALE OF PERSONAL DATA
On March 17th, one of the leading brokers of personal data on millions of Americans said that it will restrict its sale of individual Social Security numbers amid growing public worries about privacy. Westlaw, which provides data to government agencies, law firms, companies and other organizations, said corporate clients will no longer have access to Social Security numbers, and government offices other than law-enforcement agencies will now be able to get only partial numbers. Sen. Charles E. Schumer (D-N.Y.) brought Westlaw some unwelcome attention by holding a news conference in February to demonstrate how easy it was for his staff to use the company's service to obtain virtually anyone's Social Security number, including those of Vice President Cheney and celebrity heiress Paris Hilton. Schumer and company officials met and agreed to the changes, and the company pledged to work with Schumer on identity-theft legislation. Further information may be found at http://informationweek.com/story/showArticle.jhtml?articleID=159901512
CALIFORNIA WOMAN SUES CHOICEPOINT
In late February, a California woman filed the first lawsuit against ChoicePoint for fraud and negligence after the company recently disclosed that it sold personal information about more than 140,000 people to identity thieves. Eileen Goldberg filed her suit in Los Angeles Superior Court, seeking class-action status. Thus far, authorities have traced 750 cases of identity theft to the security breach, which lasted for a year before being discovered by ChoicePoint. ChoicePoint bypassed the rules of the Fair Credit Reporting Act because it's not a credit agency. The Fair Credit Reporting Act gives consumers some control over who can view information that credit agencies collect about them and allows them to examine the data to dispute or correct false information. The Electronic Privacy Information Center (EPIC) has filed a complaint with the Federal Trade Commission asking the agency to hold an inquiry to examine the nature of the business that data brokers do and to determine whether they should be subject to the same rules as other organizations that deal with the private financial records of consumers. The EPIC complaint may be found at http://www.epic.org/privacy/choicepoint/fcraltr12.16.04.html
TAX BREAK FOR RECYCLING COMPUTING EQUIPMENT?
On March 3rd, Sens. Ron Wyden and Jim Talent introduced The Electronic Waste Recycling Promotion and Consumer Protection Act of 2005, which would give tax breaks to those who safely dispose of computers, monitors and television sets. The e-waste recycling bill would establish an $8-per-piece tax credit for companies that recycle at least 5,000 monitors or computer units per year. Individuals who use qualified recyclers to dispose of computers or TV sets would receive a $15 tax credit. The bill would also prohibit the disposal of any electronic equipment containing a display screen greater than 4 inches or any computer system in a municipal solid waste landfill, beginning three years after the bill is passed. The prohibition would take effect only if the administrator of the U.S. Environmental Protection Agency finds that a majority of U.S. households have reasonable access to e-waste recycling. The text of the bill may be found by entering the bill number (S. 510) at http://thomas.loc.gov/
APPEALS COURT PARTLY REVERSES MICROSOFT/EOLAS DECISION
On March 2nd, the Court of Appeals for the Federal Circuit reversed portions of a $521 million patent ruling against Microsoft and in favor of Eolas Technologies and the University of California. Microsoft will now get another crack at proving that its Internet Explorer browser did not infringe a preexisting patent. The case revolves around computer coding that enables a variety of software applications to work seamlessly with Web browsers. Eolas' founder, Michael Doyle, says he invented the technology while he was working at the University of California more than a decade ago and then watched Microsoft capitalize on the breakthrough by including the features in its Internet Explorer browser. Microsoft has denied the allegations since Doyle and the university sued it in 1999. The U.S. Patent and Trademark Office is now reviewing the validity of the patent, but that review remains unresolved. In its decision, the appeals court concluded the lower court had erred in its approach to a key issue in the case. Microsoft contends the Eolas patent is invalid because the technology had already been developed and showcased in a May 1993 demonstration by another inventor, Pei-Yuan Wei. Microsoft says Doyle was aware of Wei's work, but concealed the knowledge when he applied for a patent. The trial court will now have to examine exactly how this technology was developed. The decision in Eolas v. Microsoft may be found at http://fedcir.gov/opinions/04-1234.pdf
ANTI-PHISHING BILL INTRODUCED
On March 1st, Sen. Patrick Leahy introduced the Anti-Phishing Act of 2005, which imposes stiff penalties on "phishers," those who use deception to trick computer users into divulging their personal and financial information. The Act would allow prosecutors to impose fines of up to $250,000 and jail terms of up to five years against anyone convicted of creating fake corporate Web sites and fraudulent e-mail messages designed to defraud consumers. The bill also would apply its penalties to a form of phishing sometimes called "pharming," which involves using computer programming tricks to redirect Internet users from a legitimate site to a counterfeit version operated by criminals. The text of the Act may be found by entering the bill number (S. 472) at http://thomas.loc.gov/
RULING GOES TO APPLE IN BLOG CASE
On March 3rd, a Santa Clara County Superior Court judge issued a preliminary ruling that Apple Computer can compel three blogging sites to reveal their sources. Apple alleges that the "John Does" violated trade secret laws. Judge James Kleinberg tentatively declined to extend to the Web sites, which had disclosed information about Apple’s forthcoming products, the protections of the U.S. Constitution's First Amendment and the California Shield Law, which is designed to protect journalists from having to divulge the names of sources or supply unpublished materials. In the past four months, Apple has subpoenaed PowerPage, Apple Insider and Think Secret, seeking to discover their sources of information about a yet-to-be-released product code-named Asteroid and Q97. Think Secret subsequently moved for dismissal of the suit on First Amendment grounds. On March 11th, Judge Kleinberg ruled that Apple’s interest in protecting its trade secrets outweighed the public’s right to information about Apple and the right of bloggers to disseminate it. The ruling did not deal with California’s press protection laws and changed the focus of what was previously seen as an argument of press protection to that of the publication of material that was allegedly stolen from Apple. Further information may be found at http://www.siliconvalley.com/mld/siliconvalley/11049112.htm
PHONE COMPANY BLOCKING INTERNET CALLS SETTLES WITH FCC
On March 3rd, the Federal Communications Commission (FCC) announced that a North Carolina-based telephone company agreed to pay $15,000 and to stop blocking the ability of consumers to use voice-over-Internet calling services instead of regular phone lines. In the first action of its kind, the FCC settled with Madison River Communications, which operates several rural phone companies throughout the Southeast and Midwest. Vonage Holdings Corp., one of the nation's leading VoIP companies, had complained that as many as 200 customers had their service blocked by a Madison River subsidiary that provided its phone customers with Internet access. For those customers who had disconnected their traditional phone lines and were relying solely on Vonage, the blocking meant they had no ability to make calls. The consent decree in the case may be found at http://hraunfoss.fcc.gov/edocs_public/attachmatch/DA-05-543A2.doc
HOMELAND SECURITY PRIVACY PANEL DRAWS FIRE
The Department of Homeland Security has assembled a panel to recommend how to best safeguard privacy, as the agency makes use of ever-growing volumes of data about U.S. citizens. Critics are asking, "Where are the privacy experts?" and charging that the 20-member panel is tilted toward the industries that profit most from gathering, using and selling personal information, often to the government. Two of the members work for database-marketing companies, while two others work for think tanks that receive funding from the industry. Other members represent the insurance, airline-reservation, technology-research and database-software industries. At least two members are from companies with Homeland Security contracts. The most controversial appointment is D. Reed Freeman Jr., a Washington lawyer who is chief privacy officer of Claria Corp. Previously known as the Gator Corp., the California company was infamous for its software system for tracking online user behavior and displaying pop-up advertising on Web sites, which sparked lawsuits by media and many other companies. Privacy and security advocates said there should be a strong public voice to balance those in the information business. Further information may be found at http://washingtontimes.com/national/20050225-111610-3221r.htm
DOJ ANNOUNCES THREE CONVICTIONS IN PIRACY SWEEP
On March 8th, the Department of Justice (DOJ) announced that three men have pled guilty to criminal copyright infringement in what it called the largest multinational Internet piracy investigation to date. The investigation, called "Operation Higher Education," was conducted in 12 countries. The three men pled guilty to being part of organized groups including Fairlight and Kalisto, both of which specialized in distributing pirated copies of computer and video games. This investigation was part of a larger global antipiracy operation called "Operation Fastlink," which the Department of Justice announced last year. California resident Seth Kleinberg pled guilty to breaking copyright protection on software titles and distributing them online for several pirate groups. He faces up to 10 years in prison. Two other men, Jeffrey Lerman and Albert Bryndzda, face up to five years in prison. Further information may be found at http://www.usdoj.gov/opa/pr/2005/March/05_crm_108.htm
FTC SPEAKS OUT ON SPYWARE
On March 7th, the Federal Trade Commission (FTC) issued a report identifying spyware as "a real and growing" problem. Eleven months after its April 2004 workshop, "Monitoring Software on Your PC: Spyware, Adware, and Other Software," the FTC released a report summarizing its findings, a transcript of the day-long panel discussion, and related documents. To mitigate spyware, the FTC staff recommends government and industry action, in the form of increased prosecution under existing laws and more educational initiatives. The report finds that technological solutions, both hardware and software, provide significant protection. The report asks the business community to come up with a definition of spyware, pointing out that there's no consensus as to whether adware is spyware. The report may be found at http://www.ftc.gov/os/2005/03/050307spywarerpt.pdf
FTC COMBATS FRAUDULENT ANTI-SPYWARE FIRM
On March 11th, the Federal Trade Commission announced that it had obtained a restraining order against MaxTheater, Inc., which allegedly offered Internet users a spyware scanner program that falsely reported that computers were infected with spyware, and which failed to remove any spyware at all from infected machines. The commission issued a report made public on the 11th that alleges the company engaged in fraudulent and deceptive business practices. Operating from the Web site SpywareAssassin.com, the company offered visitors a free scan of their PCs, and then sold them a $30 product called Spyware Assassin which, according to the FTC, didn't do a darn thing. The FTC is asking for a permanent ban on Spyware Assassin's claims and will ask the federal court hearing the case to order MaxTheater to refund money to its customers. The restraining order requires MaxTheater to immediately stop engaging in the deceptive advertising and to preserve all records from the company "due to the likelihood that advance notice of this action will cause the defendants to...abscond with or destroy evidence." Further information may be found at http://www.ftc.gov/os/caselist/0423213/0423213.htm
IRS VULNERABLE TO SOCIAL ENGINEERING
On March 16th, the Treasury Department’s inspector general for tax administration issued a report stating that more than one-third of Internal Revenue Service employees and managers who were contacted by Treasury Department inspectors posing as computer technicians provided their computer login and changed their password. The auditors called 100 IRS employees and managers, portraying themselves as personnel from the information technology help desk trying to correct a network problem. They asked the employees to provide their network logon name and temporarily change their password to one they suggested. Thirty-five of them did so. However, this was a big improvement over a similar study in 2001 when 71 employees cooperated and changed their passwords. The report expresses concern about the security of taxpayer data and the IRS’ network in light of the study’s finding. Further information may be found at http://www.sfgate.com/cgi-bin/article.cgi?file=/news/archive/2005/03/16/national/w162055S07.DTL
BRITS FOIL BANK HEIST USING KEYLOGGER
On March 17th, it was reported in the British press that authorities had stymied a massive bank heist that reportedly was dependent on a keylogger. According to reports in the British media, the scheme was to steal 220 million pounds ($423 million) from the London offices of the Japanese bank Sumitomo Mitsui. The National Hi-Tech Crime Unit (NHTCU), the country's cyber-cops, began investigating last October after the bank discovered that hackers had infiltrated its network and were using a keylogger to capture keystrokes. Police arrested an Israeli man, identified as Yeron Bolondi, 32, in Israel after an attempt was made to transfer 13.9 million pounds ($26.8 million) into an account there. According to police, the gang was planning to transfer the $423 million to 10 different bank accounts. The NHTCU would not confirm whether the keylogger was planted by an inside accomplice, or inserted by hackers working outside the bank's network. Further information may be found at http://www.eweek.com/article2/0,1759,1777706,00.asp
RIM PAYS $450 MILLION TO SETTLE PATENT SUIT
On March 16th, Research In Motion Ltd. (RIM), maker of the popular BlackBerry mobile device, said it has agreed to pay $450 million to settle a patent-infringement suit filed by NTP Inc. Under terms of the agreement, RIM has licensed NTP technology covered by all current and future patents. The deal covers all customers and providers of RIM products and services, including wireless carriers, distributors, suppliers and independent software vendors. RIM also will have the right to grant sublicenses under the NTP patents to anyone for products or services that interface, interact or combine with RIM's products, services or infrastructure. NTP, based in Arlington, Virginia, claimed that RIM infringed on 16 of its patents, which included NTP's radio-communications technology. A federal court in Virginia had ruled against RIM in 2003, but that decision was reversed on appeal and sent back to Virginia court for reconsideration. Further information may be found at http://www.cbc.ca/story/business/national/2005/03/16/rimsettle-050316.html
TEXAS SUES VONAGE OVER 911 ACCESS
On March 22nd, Texas sued Vonage, the nation's largest Internet-based phone service provider, saying Vonage failed to clearly inform customers that they cannot automatically dial 911 when they sign up. The lawsuit follows a case last month when a 17-year-old Houston girl was unable to call 911 on her family's Vonage service during an armed robbery in which her parents were shot and wounded. The girl ran to a neighbor's home and called for help. The suit was filed under the Texas Deceptive Trade Practices Act and seeks to require Vonage Holdings Corp. to more clearly inform consumers that they must separately sign up for the 911 feature. The lawsuit seeks $20,000 per violation. Further information is available at http://www.oag.state.tx.us/oagNews/release.php?id=850
BLOGGERS GET FEC REPRIEVE WITH NEW RULES
On March 23rd, the Federal Election Commission (FEC) released proposed rules which would exempt most political bloggers from most campaign finance laws. The FEC also proposed that online-only news outlets and even individual bloggers should be treated as legitimate journalists and immune from laws that could count their political endorsements as campaign contributions. The 47-page outline of proposed rules takes a cautious look at the controversial question of how Web sites and e-mail should be regulated, saying that its conclusions are only tentative and inviting public comment. The proposed rules may be found at http://www.fec.gov/agenda/2005/mtgdoc05-16.pdf
COPS PLAY HARD BALL WITH EYE BALL
There’s a nifty new tech gadget being purchased by law enforcement. It's called the Eye Ball R1, a wireless camera and microphone inside a baseball-sized casing. The Eye Ball can be tossed into a crime scene to give police watching a tiny TV screen embedded in a handheld unit a 360-degree view of what’s happening. Marketed in North America by the newly formed Remington Technologies Division of Remington Arms Co., the Eye Ball was developed in cooperation with the Israeli military by ODF Optronics Ltd., a Tel Aviv company. For $4,800, buyers get a kit that contains two Eye Balls, a training ball, and a display unit, as well as a number of accessories. The first deliveries will be made this spring. Remington sells the device to law-enforcement and government agencies only. Besides being thrown into a scene, the Eye Ball can be placed on a pole or dangled on a line to let authorities peer around corners, over fences, up and down stairwells, and in attics. When tossed or rolled, the device is designed to end upright, allowing the operator to remotely direct it toward a specific target, capturing a 55-degree horizontal and 41-degree vertical field of view. It can revolve four times a minute. The Eye Ball's omni-directional camera has night-vision capabilities with its near-infrared illumination up to 27 feet. It can take video up to 75 feet away and record audio from up to 15 feet away. Its signal can be transmitted as far as 600 feet. The wireless audio and video transmission operates on a 2.4-GHz frequency; the remote controls operate at 928 MHz. Further information about the Eye Ball may be found at http://www.remingtontd.com/default_flash.asp
UTAH GOVERNOR SIGNS NET PORN BILL
On March 21st, Utah Governor Jon Huntsman signed into law a bill that would require Internet providers to block Web sites that are deemed pornographic. The controversial legislation will create an official list of Web sites with publicly available material deemed "harmful to minors." Internet providers in Utah must provide their customers with a way to disable access to sites on the list or face felony charges. Technology companies had urged the governor not to sign the bill, saying it was constitutionally deficient and worded so vaguely its full impact is still unclear. A federal judge struck down a similar law in Pennsylvania last year. The text of the Act may be found at http://www.cdt.org/speech/20050302hb260.pdf
ANTI-SPYWARE BILL INTRODUCED IN SENATE
On March 21, Senators Conrad Burns and Ron Wyden introduced anti-spyware legislation, calling for prohibitions and penalties on a variety of practices that result in unwanted software being placed on consumers' computers. Their act, known as the Spy Block Act, starts with the premise that computer owners should have knowledge and control over the software installed on their machines, according to a statement released by the senators. The bill specifically bans the surreptitious installation of software where the user never intended to trigger the installation and prohibits misleading inducements to install software. It also targets software that, once installed, prevents efforts by the user to uninstall or disable it. The legislation also bans the collection and transmission of information about the user of a computer without the user's consent and prohibits the installation of software that causes ads to appear without identifying itself as the source of the ads. The bill also includes criminal penalties for certain "particularly egregious and intentional acts," as well as protection for providers of anti-spyware technology acting in good faith from being sued for blocking or removing software programs from a user's computer. The Federal Trade Commission would be charged with enforcing the legislation, with violations treated as unfair or deceptive trade practices. State attorneys general would be authorized to bring actions as well. The bill would preempt state spyware statutes, except to the extent such statutes prohibit deception. The House of Representatives has been aggressively pushing its own version of an anti-spyware bill since January. The text of the bill may be found by entering the bill number (S. 687) at http://thomas.loc.gov/
TIME WARNER AND SEC SETTLE AOL FRAUD CHARGES
On March 21st, Time Warner Inc. agreed to pay securities regulators $300 million to settle long-running civil fraud charges related to online advertising deals that helped America Online (AOL) artificially inflate revenue. Time Warner said it had restated financial results for 2000 to 2002 by about $500 million to correct its accounting for deals under scrutiny by the Securities and Exchange Commission (SEC). The company did not admit or deny wrongdoing as part of the settlement. The SEC also settled with the company's finance chief, controller and deputy controller, who stood accused of causing false financial reports to be filed in connection with $400 million worth of transactions that Time Warner negotiated with German media company Bertelsmann AG. The three men are not required to pay fines or face other sanctions as part of the settlement and remain employed at Time Warner. As part of the SEC settlement, Time Warner agreed to open its books to an independent examiner, who will review the company's accounting practices for deals it brokered with 17 other companies from June 2000 to December 2001. Further restatements may be needed after the examiner's review, Time Warner said in a recent securities filing. Further information may be found at http://washington.bizjournals.com/washington/stories/2005/03/21/daily3.html