George is correct - note that about a month ago the Maine Public Utilities Commission held Verizon liable for penalties due to Verizon's failure to sufficiently protect its systems from the Slammer worm, which caused performance problems for some "competitive local exchange carriers" (CLECs, i.e. local telcos). The ruling was based on findings that virus and worm attacks are well-known events, and Verizon did not install appropriate patches which had been around for at least six months despite "critical" security bulletins about the problem. See Maine PUC Order, Docket No. 2000-849 (April 30, 2003).

Consider this in light of the complaint in the TriWest class action (562,000 individuals affected by potential identity theft in burglary of laptops and hard drives, allegedly due to negligent security) and the recent award of three quarters of a million dollars to three victims of identity theft caused by health system malfeasance in Pennsylvania, and derive the following syllogism:

(1) Some organizations hold and have legal obligations to protect financial and other sensitive information about individuals from disclosures which might be harmful to those subject individuals (Gramm-Leach-Bliley, HIPAA, contractual, other).

(2) Bugbear.B is known to breach the confidentiality of financial and other sensitive information, potentially valuable for fraud and other uses harming subject individuals.

(3) Bugbear.B is well known and can be prevented.

Conclusion: An organization subject to GLB, HIPAA, etc. may be liable to individuals whose protected data it holds if Bugbear.B infests its systems and breaches the confidentiality of the individuals' information.

How much could it cost? From Pennsylvania I get the figure $250K/individual. In the story below Stanford may present a class of 35,000 (not knowing particulars, I can't say for sure how much of this information, if any, is specifically protected by law, but can guess a lot either would be or would be claimed to be). I leave it to the arithmetically inclined to calculate the potential exposure . . .

And oh yes, if this happens after July 1 of this year, any organization experiencing this kind of event would have to notify all affected subject individuals who are California residents - near as I can tell, whether or not the organization is itself in California - unless their data was encrypted.

John R. Christiansen
Preston | Gates | Ellis LLP
Direct: 206.370.8118
Cell: 206.683.9125

-----Original Message-----
From: George Heuston [mailto:GeorgeH@private]
Sent: Monday, June 09, 2003 8:54 AM
To: crime@private; crime-announce@private; biztech-hillsboro@private
Subject: [C.r.i.m.e.-announce] FW: [Information_technology] Daily News 6/09/03

Failing to update virus software--another potential exposure to employers. Situations like the one below are bound to be a catalyst for civil actions for negligence.

____________________
Sent: Monday, June 09, 2003 6:53 AM
To: Information Technology
Subject: [Information_technology] Daily News 6/09/03

June 06, Mercury News
Virus sends confidential Stanford information out in e-mail.
People at Stanford University got spam Thursday containing sensitive information including confidential details about employee salaries and bonuses. The Bugbear.B virus that infected the university's computer system Thursday sent out files at random from campus PCs. It's unclear if outsiders read the rogue e-mails, but some of the 35,000 computer users inside Stanford did -- including the man in charge of Stanford's computer systems. The university Web site said Stanford's computer crew intercepted messages containing salary and bonus information.
Source: http://www.siliconvalley.com/mld/siliconvalley/6027714.htm

June 05, Computerworld
New regulations have companies turning to risk management.
Regulatory changes are causing financial services and health care companies to lead the way in rethinking the role of information security. As a result, security is finding a new home in the field of corporate risk management. In addition to the privacy impact of the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act, the tighter financial controls levied by the Sarbanes-Oxley Act will force chief financial officers to take steps to guarantee financial information, said Gartner Inc. privacy and security analyst Arabella Hallawell at last week's Gartner Enterprise IT Security and Sector5 infrastructure protection conference in Washington. The result is likely to be the hiring of chief information security officers (CISO) who are independent of the CIO and who report to the CFO from within the corporate risk management entity. The toughened privacy regulations are also forcing customers to seek stronger contractual guarantees from their IT suppliers in the event they suffer unauthorized privacy disclosures as a result of software flaws. A routine part of every IT purchase should be an evaluation of the amount of security built into a supplier's product, as well as the supplier's security processes, Hallawell said.
Source: http://www.computerworld.com/securitytopics/security/story/0,10801,81827,00.html

Internet Security Systems - AlertCon: 2 out of 4
https://gtoc.iss.net/
Last Changed 6 June 2003

Security Focus ThreatCon: 3 out of 4
www.securityfocus.com
Last Changed 9 June 2003

Current Virus and Port Attacks
Virus: #1 Virus in USA: BAT_SPYBOT.A
Source: http://wtc.trendmicro.com/wtc/wmap.html, Trend World Micro Virus Tracking Center [Infected Computers, North America, Past 24 hours, #1 in United States]
Top 10 Target Ports: 137 (netbios-ns), 80 (www), 1434 (ms-sql-m), 445 (microsoft-ds), 113 (ident), 139 (netbios-ssn), 53 (domain), 0 (---), 25 (smtp), 41170 (---)
Source: http://isc.incidents.org/top10.html; Internet Storm Center
This archive was generated by hypermail 2b30 : Mon Jun 09 2003 - 09:47:29 PDT