November 23rd, 2008 at 12:32 pm
Some breach-related events of the past week got me thinking about how maybe those of us who are serious about getting more data could start a relatively simple project….
This past week, eight major retail corporations that had been victims of hacks — Office Max, Barnes & Noble, Sports Authority, TJ Maxx (TJX), DSW, Dave & Buster’s, Boston Market, and Forever 21 — were no-shows at a California Assembly Judiciary Committee hearing on ID theft. And so we continue to remain in the dark about what they knew, how they discovered the breach, when they knew it, how many people had their data compromised (not all of these companies revealed the numbers) and why it appears that in at least a number of cases, their customers were not notified of the breaches even though the federal government knew of the breaches and had active investigations ongoing.
There is much we do not know — and hence, cannot learn from — because either no one with authority is asking the tough questions and getting answers or maybe it’s just that no one is sharing the information with the public.
But what really got me thinking about a project was that this week the DOJ announced that a teenager identified as “Dshocker” is headed to a juvenile detention center for his cybercrimes. Among them, he reportedly stole customer data from Comcast, Charter Communications, and Road Runner. Do you remember reading about those companies reporting breaches? Were the customers whose data was stolen notified? How many people had their data stolen? Did those companies even know they had been breached, and if so, when and how did they first find out? Will we discover that the feds knew but never told them or told them after a significant delay?
Ignorance is not bliss. PogoWasRight.org only finds out about and reports the tip of the iceberg when it comes to breaches and since we are probably the most complete or extensive online news source, that’s a pretty grim situation.
As far as I know, only Chris Walsh and this site regularly use FOI laws to find out about breaches we might otherwise not hear about, but we are just two volunteers. Maybe if more people were willing to devote a few minutes of their time, we could create a FOI project to ask every state to provide some data on breaches. Although some states may not compile such information because they do not have mandatory reporting laws, imagine what we might discover if we asked every state for a breach list for a 1-year period. Yes, it would still under-report, but I bet our numbers would be significantly higher than they are now.
So… do you think we can get one volunteer per state to make a request under FOI and then send this site the results/data? Or if we can’t get 50 volunteers, maybe each volunteer could send a few letters/requests? If so, I’ll volunteer to organize the project, compile the results and upload it to this site so everyone can share the data.
Filing a request under FOI is pretty easy. I’d hope we would all ask for the same information for the same time period so we can more easily compare and compile data, keeping in mind that different states have different reporting requirements and different exemptions. I’m thinking that we would all send our letters in mid-January to request all 2008 data in log or summary form (so that we don’t incur huge expenses requesting copies of all of the individual breach reports, although obviously, those would be preferable for a number of reasons). We would discuss the wording of the request as a team/project.
If you’d be interested/willing to send requests, email me at admin[at]pogowasright.org. Feel free to share or point to this idea if you know others who might be interested. And if you think it’s an utterly stupid idea/waste of time, let me know that, too, and why.
November 20th, 2008 at 5:34 pm
The AT&T-funded Future of Privacy Forum launched this week. Their stated agenda can be found here. In discussing the new group, Michael Zimmer writes:
[...]
While some are skeptical of an industry-funded effort to shape privacy policy and legislation, I’m optimistic that the FPF will work in good faith to bring together “dedicated technologists, policymakers, industry groups and advocates” to work towards new privacy practices and frameworks.
I’ve long argued that rather than a purely aggressive stance, we privacy advocates must work collaboratively with industry in order to find pragmatic solutions that foster the value-conscious design of new technologies to protect privacy, support corporate social responsibility, and yes, even profitability.
[...]
Although I frequently agree with Michael, I disagree with him on this one. If some privacy advocates want to work with industry, that’s fine, but I wouldn’t underestimate the value of a “purely aggressive stance.” It’s what brings some people to the bargaining table, makes them more receptive to working with other privacy advocates, and what elevates the debate to issues that some might not address if there was no outside pressure to do so. In fact, I am no longer surprised when corporate attorneys privately thank me for the poking and prodding and some of the criticisms or comments I’ve published on PogoWasRight.org or this blog. They tell me that it makes it easier for them to try to get their clients to do what they should do — they use my sites to help convince their clients of what might happen if they do not do the “right thing.”
I realize that Michael wasn’t specifically referring to me in his discussion of an aggressive privacy advocacy stance, but I am squarely behind EPIC, EFF, and the ACLU when they take aggressive stances on privacy. The CDT, who he seemingly has more regard for than I do, seems to align too much with businesses and seems too willing to water down privacy. And who accomplished more on the important issue of telecoms participating in warrantless surveillance? The “play nice with others” folk or the EFF and ACLU who sued the telecoms and kept the pressure on Congress to deal with the issue?
When industries violate our privacy, it is appropriate to point out the problem and issues to them, but if they do not mend their ways, then I’m all for an aggressive stance. Nor is it my responsibility to help them fix or prevent messes. If they want my opinion or advice, they’re welcome to it, but it’s on them to conduct themselves responsibly when it comes to respecting and protecting privacy. If a pharmaceutical company develops a medication and an independent researcher points out that the medication has harmful side effects, it is not the researcher’s responsibility to help the pharmaceutical company figure out how to fix that. Similarly, it is not the responsibility of privacy advocates to help industries figure out the how-to. I think that our job is to keep the bar high on privacy and give them feedback — both positive and negative — as to their success in respecting and protecting privacy. If we happen to see a possible solution, fine, share it, but that’s not in my job description.
So we’ll see what the FPF actually does and I hope that they do something meaningful. I’d write and ask them some questions using their contact form, but their form requires you to give your name and zip code, and well, no…
November 19th, 2008 at 11:16 am
Yesterday’s New York Times had an article by Gardiner Harris about the overuse and misuse of psychotropic medications in children and teens. Harris reports, in part:
More than 389,000 children and teenagers were treated last year with Risperdal, one of five popular medicines known as atypical antipsychotics. Of those patients, 240,000 were 12 or younger, according to data presented to the committee. In many cases, the drug was prescribed to treat attention deficit disorders.
But Risperdal is not approved for attention deficit problems, and its risks — which include substantial weight gain, metabolic disorders and muscular tics that can be permanent — are too profound to justify its use in treating such disorders, panel members said.
[...]
While panel members spoke at length about Risperdal, they said their concerns applied to the other medicines in its class, including Zyprexa, Seroquel, Abilify and Geodon.
The committee’s concerns are part of a growing chorus of complaints about the increasing use of antipsychotic medicines in children and teenagers. Prescription rates for the drugs have increased more than fivefold for children in the past decade and a half, and doctors now use the drugs to settle outbursts and aggression in children with a wide variety of diagnoses, even though children are especially susceptible to their side effects.
From 1993 through the first three months of 2008, 1,207 children given Risperdal suffered serious problems, including 31 who died. Among the deaths was a 9-year-old with attention deficit problems who suffered a fatal stroke 12 days after starting therapy with Risperdal.
One of the major reasons that children and teens are put on psychotropic medications is school. And if schools did a better job of accommodating and remediating students with these issues instead of just demanding that they act like everyone else or get sent to some time-out room as punishment, we would have fewer kids on medications. Educating students with neurological issues is not easy, granted. But the level of ignorance among professional educators and support personnel is risking our children’s health as well as their civil liberties, and yet New York State has done nothing to ensure that they get meaningful training. In fact, when the state was offered free publications that they could reproduce and disseminate to educators as to how to teach and help kids, they refused the offer, despite the fact that they have provided no high-level and meaningful information or training themselves. And so we will continue to have foster children or wards of the state with ADHD sent off to facilities where they receive painful electric shock as punishment for their symptoms or where we have desperate parents giving their children dangerous medications so that they can be maintained in their neighborhood public schools.
Yes, I know that there are those who believe that physicians prescribe because of the pharmaceutical industry’s influence, as suggested by Jennifer Berman’s great cartoon, reproduced with her kind permission below:
[Cartoon by Jennifer Berman]
I do not doubt that that criticism does apply to some. But most physicians I know are genuinely trying to help their young patients and just don’t know what else to do in the face of school environments that neither accommodate nor help children and teens who need our help and support. If we want to really start to make a dent in the overprescription of psychotropics, we need to educate the parents to insist that the schools do their job better and to insist that the state ensure that educators receive appropriate training in a wide variety of disorders.
Every child is entitled to a free appropriate public education. They shouldn’t have to risk their health and safety to get it.
November 17th, 2008 at 6:33 am
A recap of breaches newly reported or updated last week on the main news site, PogoWasRight.org. For those looking for annual statistics: as of their last update on Nov. 13, the Identity Theft Resource Center shows 572 breaches reported in the U.S. for this year.
Newly reported incidents in the U.S.:
- University of Florida College of Dentistry officials have notified about 330,000 current and former dental patients that an unauthorized intruder recently accessed a computer server storing their personal information.
- Cora Dixon, a former U.S. Navy petty officer at Fort Worth’s Joint Reserve Base, is facing criminal charges for accessing secret military databases and compromising the identities of 8,000 sailors and reservists.
- For the second time in less than a week, Texas A&M University-Corpus Christi was notified of a security breach that exposed students’ Social Security numbers.
- A former employee of the Rick Case Acura dealership pleaded guilty to mail fraud conspiracy, admitting he supplied personal data from about 75 customers to an identity theft ring.
- OnPoint Community Credit Union notified its members that a laptop stolen from an auditing firm may have contained their personal information.
- Attorneys for Magee-Womens Hospital filed court documents that included the names and confidential medical information of several patients. The court documents wound up on the internet.
- Weld County authorities say they have uncovered 1,338 possible cases of identity theft by illegal immigrants after seizing records from a Greeley-based tax preparer, Amalia’s Translation and Tax Service.
- A laptop that belonged to a Tulsa court reporter and that contained sensitive information including social security numbers and medical records was stolen.
- Ololade Aiyeku, a Rockland Community College employee, has been charged with illegally using the credit card numbers of former students seeking their transcripts to buy more than $2,200 in high-end clothing, police said today.
- A Mount Laurel man will face sentencing Dec. 5 after he pleaded guilty to impersonation and stealing confidential customer account information for 17 customers during the two weeks he worked as a teller at a PNC bank branch.
- James Wieland, a former University of Maine student, has been charged with felony invasion of privacy, after he allegedly hacked into as many as 1,000 campus e-mail accounts.
- Officials at Sinclair Community College in Dayton say the names and Social Security numbers of almost 1,000 employees were inadvertently made visible to Web search engines for about a year.
- In North Carolina, people’s personal tax papers were flying all over Capital Boulevard after a tax van lost its load while hauling tax papers from a Jackson Hewitt office.
- The Ehrhardt Group, a public relations firm hired by Jefferson Parish government, briefly posted the Social Security numbers of many east bank firefighters on a public Web site last week.
Newly reported incidents elsewhere:
In the U.K.:
- A laptop containing personal data, including addresses and telephone numbers, of 7,800 children who use school transport in Surrey has been stolen from a car. The computer belonged to an employee of Trapeze, a software contractor.
- Leicester City Council informed police after a memory stick with personal details on about 80 children was discovered missing from an unnamed, council-run nursery.
- A laptop containing the bank details and personal information of 8,500 Brits working at UPS has been stolen in Italy.
- Details of 1,800 patients have been lost after two computers were stolen from two Hull and East Yorkshire Hospitals NHS Trust hospitals: Castle Hill Hospital and Hull Royal Infirmary.
Elsewhere:
Updates on previously reported breaches from here and abroad:
- Express Scripts announced that a small number of its clients have received letters threatening to expose the personal information of its members. The threats are believed to be connected to an extortion threat the company made public last week. The names of the clients were not made public.
- A federal judge has sentenced Akintunde Crawford to nearly 18 years in prison for his part in a multistate bank-fraud and identity-theft ring that targeted bank customers of Commerce Bank, PNC Bank, Wachovia Bank and M&T Bank between February 2004 and November 2005.
- Edward Anderton, an Ivy League graduate, must serve four years in prison for a brazen identity theft scheme that netted him and a glamorous ex-girlfriend, co-defendant Jocelyn Kirsch, more than $100,000 in trips, dinners and luxury goods.
- The Idaho Department of Finance has issued a cease-and-desist order against Direct Mortgage, a division of DMI Funding Inc., after about 40 boxes full of customer loan files were found unprotected outside a recycling center last month.
To get all breach news reports, updates, and articles discussing breaches as they’re posted, subscribe to the Breaches RSS feed from PogoWasRight.org. To get this blog by RSS, subscribe to Dissent’s feed.
November 16th, 2008 at 8:29 am
How often have we seen web sites set up in response to a breach? My impression is that it has become more common in the past year, but Express Scripts added a simple, yet neat, feature to their breach support site that I thought I would mention.
A simple “enter your email address if you wish to be informed of updates to this site” form enables those affected or interested parties to be alerted to new press releases or updates.
How simple.
How useful.
How respectful of those affected.
Add it to your corporate “to do” list if your firm has a breach. Just remember to update the site so that people are kept in the loop of any developments. Even a simple, “We are still investigating but have nothing new to report and will keep you posted” lets people know that you are still actively working on things. If you tell people that your site will be updated and they keep coming back to search for updates and never find any, well…. that generally doesn’t sit too well with most folks.
November 11th, 2008 at 7:32 am
With all the bailouts going on, how is it that we come up with the money for businesses and financial institutions, but funding for military support and care of our wounded soldiers remains underfunded?
I was sitting in the Will Rogers Airport in Oklahoma City a few weeks ago. Across from me was a 12-year-old boy who was all excited because he was going to Washington D.C. for a youth leadership conference. He had never been away from home before and his mother kept reminding him of what he was supposed to do when he got to his connecting flight. I asked him what he was looking forward to most, and he replied, “The Lincoln Memorial.” His eyes shone with excitement as he talked about visiting our nation’s capital.
A few yards away, a soldier took leave of his family. He hugged his son fiercely, and then hugged his sister, as his wife stood by trying to smile bravely. When it came time for them to hug one last time, she broke down and clung to him, crying.
As he went to board the plane during pre-boarding, I saw him turn back one last time to look at them. The worry and sadness in his eyes still haunts me, weeks later.
Today’s USA Today has an article, For some military families, a long goodbye, that describes some of the horrors of a war that has been sanitized for us. Occasionally, the media reminds us that the rates of Post-Traumatic Stress Disorder in veterans are high, that most are not getting the treatment they need, and that the rates of suicide are higher than they have ever been in any previous war. And this week, a new study was published that shows that children of deployed troops are having significantly more behavior problems.
So on this Veterans Day, what are we doing substantively to help our veterans and to help prevent more wounded veterans?
If we can find the money to bail out Wall Street companies that were greedy, why can’t we manage to support our veterans and wounded warriors better? Instead of just throwing a parade and a few media events, it’s time for this country to put its money and resources where its mouth is.
And to all those soldiers and veterans who read this blog and have emailed me at times, and to all those who will probably never even see this blog: thank you for your service and your sacrifices.