This is almost identical to the situation in Cobell v. Norton. For those who don't know that case, it is a long-running Indian tribal class action against the U.S. Dep't of the Interior for mismanagement of tribal assets. It included a claim asking for a review of the computer systems used by the Dep't to manage information and accounts. The court appointed a special master, who found that there had been a number of prior consultant reports indicating the security of the systems was badly flawed, and the special master retained some "white hats" who then hacked the system to demonstrate that they could access, copy, modify and delete data - i.e., find out medical information, copy information useful for identity theft, change title to property, transfer funds, etc. The court ordered the systems disconnected from the Internet until the problems are fixed, and last week held the Secretary of the Dep't in contempt of court (actually stated she was committing "fraud on the court") for representing that curative actions were being undertaken, when apparently they were not, or they were inadequate.

I use Cobell to show how a court could impose liability on a private enterprise for mismanagement of systems used to store/process private or proprietary information. (In fact I had just given the presentation at SecureWorld Expo and was driving home when I heard of the Cobell contempt finding on NPR.)

This is even clearer. Seems to me anybody who has information in the DHS systems now has grounds to sue under the Cobell theory. Seems to me it would make a pretty solid class action. Seems to me that serving the interests of DHS clients includes a duty to keep their personal data protected, which appears to have been breached . . .

From: John R. Christiansen
Preston | Gates | Ellis LLP
701 Fifth Avenue, Seattle, Washington 98104
*Direct: 206.613.7118 - *Cell: 206.799.9388
* johnc@private

Reader Beware: Internet e-mail is inherently insecure. Unencrypted e-mail may be accessible to unauthorized viewers, e-mail content may have been modified or corrupted, and e-mail headers or signatures may incorrectly identify the sender. If you wish to confirm the contents of this message or the identity of the sender, or wish to arrange for more secure communication, please contact me using a communications channel other than a "reply" to this e-mail. Thank you.

-----Original Message-----
From: brvarin@private [mailto:brvarin@private]
Sent: Monday, September 23, 2002 7:44 AM
To: crime@private
Subject: CRIME Computers vulnerable at Oregon department

This'll make you feel good.... With our current budget, does anyone see security actually improving? And this quote is classic:

"I will never divert program money to serve people to take care of these data security issues," Mink said. "We've got security interests competing against service interests."

But it's OK to divert program money to criminals who steal it from the state!

http://www.oregonlive.com/news/oregonian/index.ssf?/xml/story.ssf/html_standard.xsl?/base/front_page/1032782122290112.xml

LES ZAITZ

SALEM -- The state Department of Human Services has systematically neglected computer security for years, leaving Oregon's largest agency vulnerable to hackers and thieving employees who can pay themselves public benefits, according to an internal agency report.

A consultant hired to evaluate the agency's computer safeguards found lapses at every level. State auditors identified similar problems a year ago, and agency leaders then promised to fix them. They still haven't.

"Nothing's been completed," said Cindy Becker, Human Services' chief administrative officer. "We thought we were fixing things that ended up not getting fixed."

Becker's boss, Human Services Director Bob Mink, says that he knows the computers are vulnerable but that he doesn't have the money to plug the leaks and won't do it unless the Legislature comes up with the cash. No one knows how much it will cost.

"I will never divert program money to serve people to take care of these data security issues," Mink said. "We've got security interests competing against service interests."

The agency, with 9,300 employees and a two-year budget of $8.5 billion, serves Oregon's neediest residents. Its computers store personal information on more than 900,000 people who receive state benefits and an unknown number of former recipients. The computers also are used to issue millions of dollars in payments to Oregonians.

Security weaknesses allow outsiders access to much of that information, according to the consultant, Certicom Corp. The consultant said hackers could tap into the computers for identity theft, sabotage or state benefits. Certicom also concluded that state employees can readily get into computer files they don't need for their jobs, allowing privacy breaches or theft.

Crooked employees already have cracked the computers. State auditors highlighted that problem last year, identifying nine instances in which agency employees tapped computers to steal $201,000.

In one case, an office clerk making $21,228 a year got $5,917 in state welfare by failing to disclose she had a job. Her employer: the Human Services Department's child welfare agency. When agency officials discovered the theft, they kept the clerk on staff but arranged for her to repay the money: at $20 a month.

Another employee took information from closed client files to open new files and create paperwork to make it look as if clients were getting day-care services from his wife. The employee generated checks totaling $72,618 during 28 months for nonexistent day care.

Police and state ethics investigators are examining those cases.

Portions of Certicom's July report recently were released to The Oregonian under the state's public records law. The report echoed concerns raised last year by state auditors, who found that Human Services managers needed to make security a priority to stop employee theft and guard against disclosure of personal information such as medical records.

Agency officials were surprised by what state auditors found. "I wasn't aware how vulnerable we were," Mink, the Human Services director, said in a recent interview.

Mink responded to the August 2001 state audit by pledging to make security a higher priority and to work to plug security breaches. However, Mink said he considers lax security a serious problem but doesn't have the money to fix it. The agency will ask the 2003 Legislature for money, but he and Becker aren't optimistic.

"I don't think there's going to be any type of money for this in the future," Mink said.

The agency set up a task force last month to address security issues, focusing on changes that don't require money. Becker said the agency also might get some help as it meets new federal requirements to safeguard personal information. An agency proposal for meeting that requirement includes $2.3 million to improve security.

Certicom and state auditors said in their separate reports that security is as much an attitude as a computer code. "Executive management has not made security of its systems a priority," state auditors reported in August 2001. The Certicom report agreed. "Security, over and over again, has been an afterthought," it said.

Certicom described five "absolutely essential" steps to boost security, starting with a basic plan for how to do that. Certicom noted the agency doesn't have staff capable of such planning.

The consulting firm found that the agency's computers are vulnerable to hackers because no security policies are in place, employee passwords are poorly managed, and encryption is inadequate. "This is a textbook case of how computer systems are commonly compromised over the Internet," the report said.

Employees not on guard

The report said the agency's lack of concern about security means employees aren't on guard for potential breaches and could be tricked into allowing outsiders to reach sensitive computers. "Trusting employees are very susceptible to such attacks when security is not forefront on their minds," it noted.

Employees also can compromise agency computers, Certicom concluded. "Motivation can include personal hardship, malice or extortion," the report said. "Targets are most likely to be those that lead to direct personal gain (e.g. unauthorized funds transfers or theft)."

Human Services' computer security problems date to at least 1991, when an internal evaluation was done as the agency planned to shift to new software to secure its electronic files. "The current system doesn't work very well," the report said. "Giving 100 people the same password doesn't amount to very effective security."

The current system deployed by the agency hasn't worked much better. The one employee who understood the security software left three years ago. Agency officials can't locate him, and no one else understands how the agency's computers have been programmed with the code.

In 1998, state auditors identified security gaps and recommended 22 remedies. Three years later, auditors discovered 14 steps still not finished. The agency's own auditors in 1999 chronicled the computer security lapses, but the only recommendation followed was to hire a data security manager.

Scott Burrows took the job in April 2001, but he was given no budget and no authority to order any changes. He quit two months ago, and agency officials say they have no immediate plans to replace him.

"We got off to a bad start," Becker said. "It's been a stop-and-start thing. It has not gone the way we wanted it to."
Les Zaitz: 503-221-8181; leszaitz@private
This archive was generated by hypermail 2b30 : Mon Sep 23 2002 - 09:40:48 PDT