EDUCAUSE | Identity Theft

Free EDUCAUSE Webcast 10/22/08 on Identity Theft Rules

Rodney — Wed, 08 Oct 2008 19:26:45 -0500

New federal regulations to address identity theft go into effect November 1, 2008, and are likely to affect colleges and universities in nuanced ways. Compliance will require careful study and collaboration among business officers, human resources, legal counsel, student services, IT, and other affected campus units. The rules require users of consumer reports to develop reasonable policies and procedures to apply when they receive a notice of address discrepancy from a consumer reporting agency. They also require that institutions develop and implement an Identity Theft Prevention Program for combating identity theft in connection with new and existing accounts.

Who is subject to and must comply with the regulations on ID Theft Red Flags and Notices of Address Discrepancy? What business practices at colleges and universities are covered by the rules? What are some of the things that entities subject to the rules must do? What role does IT play in compliance with the rules? What are the penalties for failure to comply? On Wednesday, October 22, from 2-3 p.m. U.S. Eastern Time, EDUCAUSE will host a webcast featuring Naomi Lefkovitz from the Federal Trade Commission (FTC) to address many of these questions and more. For details and connection instructions, visit http://connect.educause.edu/term_view/ID+Theft+Red+Flags. This webcast is open to the public at no charge and no registration is required. It will also be archived and accessible to all.

Brought to you by EDUCAUSE, in cooperation with the American Council on Education (ACE), Coalition of Higher Education Assistance Organizations (COHEAO), College and University Professional Association for Human Resources (CUPA-HR), International Association of Privacy Professionals (IAPP), National Association of College and University Attorneys (NACUA), and the National Association of College and University Business Officers (NACUBO).

Identity Theft Rules Cover Non-Profits, Including Institutions of Higher Education

Rodney — Wed, 08 Oct 2008 12:38:53 -0500

The "Red Flags Rules" apply to "creditors" with "covered accounts", according to guidance issued by the Federal Trade Commission. The guidance indicates that "where non-profit and government entities defer payment for goods and services, they, too, are to be considered creditors". It also explains that a "covered account" is alson an account "for which there is a foreseeable risk of identity theft." It is quite possible that student or employee loans, including the payment of tuition over time, are examples of accounts that are covered by the new rule. The rule requires the development and implementation of "a written Identity Theft Prevention Program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account."

A related rule requires users of consumer reports to "develop reasonable policies and procedures to apply when they receive a notice of address discrepancy from a consumer reporting agency." This provision would likely cover credit checks, possibly including criminal background checks, that are conducted for employees.

Institutions who are striving to come into compliance should consult the Final Rules, FTC Guidance, and seek the advice of legal counsel.

For more information, consult a Resource Page established by EDUCAUSE.

Indiana University and Others Announce the Creation of the Center for Applied Identity Management Research

Rodney — Tue, 07 Oct 2008 13:52:42 -0500

The Center for Applied Identity Management Research (CAIMR) was unveiled today at a National Press Club event in Washington, D.C. CAIMR, hosted by Indiana University, is a coalition of corporate, government, and academic institutions "focused on developing research and solutions for society's most daunting identity management challenges such as cyber crime, terrorism, financial crimes, identity theft and fraud, weapons of mass destruction, and narcotics and human trafficking."

CAIMR's founding members include Indiana University, U.S. Secret Service, LexisNexis, Lockheed Martin, IBM, Cogent Systems, Visa, and Intersections. Dr. Gary R. Gordon, a Senior Scholar in Identity Management at the Indiana University School of Law in Bloomington, will serve as Executive Director of the Center. The Center will undertake applied research projects concentrating on the identity management aspects of: 1) public safety; 2) national security; 3) financial and corporate fraud; and 4) individual protection. Additional members include Fair Isaac, University of Texas at Austin, Wells Fargo & Company, U.S. Marshals Service, Dragnet Solutions, ID Experts, Identity Theft Assistance Corporation (ITAC), Information Technology Association of America (ITAA), and National Center for Missing and Exploited Children (NCMEC).

In a press release issued today Michael A. McRobbie, President, Indiana University, said "Indiana University is delighted to not only be part of CAIMR, but to serve as its academic home as well." He continued, "As a National Center of Academic Excellence in both Information Assurance Education and Information Assurance Research, IU is committed to enhancing the science and the practice of identity management. CAIMR's collaborative approach to these issues, and the partnership it reflects among key stakeholders in government, industry, and academia, will be invaluable to achieving that vital goal."

The Center, heralded as "the first of its kind", will bring together cross-disciplinary experts in criminal justice, financial crime, biometrics, cyber crime and cyber defense, data protection, homeland security, and national defense to address identity management challenges that impact individuals, public safety, government programs, and national security. More information is available at www.caimr.org.

The FTC's “Red Flag Regulations” To Combat Identity Theft Go Into Effect On November 1, 2008

ckeller — Tue, 30 Sep 2008 16:36:38 -0500

This is a legal alert concerning the Red Flag Regulations that go into effect on November 1, 2008

‘Red Flag’ Regulations Require Financial Institutions and Creditors to Have Identity Theft Prevention Programs

ckeller — Tue, 30 Sep 2008 16:17:17 -0500

An FTC announcement that financial institutions and creditors are now required to develop and implement written identity theft prevention programs under the new "Red Flags Rules."

FTC Identity Theft

ckeller — Tue, 30 Sep 2008 15:46:39 -0500

This website is a one-stop national resource to learn about the crime of identity theft. It provides detailed information to help you deter, detect, and defend against identity theft.

On this site, consumers can learn how to avoid identity theft – and learn what to do if their identity is stolen. Businesses can learn how to help their customers deal with identity theft, as well as how to prevent problems in the first place. Law enforcement can get resources and learn how to help victims of identity theft.

Agencies Issue Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy

ckeller — Tue, 30 Sep 2008 15:36:19 -0500

The Federal Trade Commission and the federal financial institution regulatory agencies have sent to the Federal Register for publication final rules on identity theft “red flags” and address discrepancies. The final rules implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003.

FTC's Red Flag Rule Likely to Affect Colleges

ckeller — Fri, 26 Sep 2008 11:50:19 -0500

NACUBO's brief opinion concerning how the Federal Trade Commission (FTC)'s Red Flags Rule applies to Colleges and Universities as Creditors.

Information Security Governance: Standardizing the Practice of Information Security

ckeller — Tue, 19 Aug 2008 09:05:37 -0500

This ECAR research bulletin discusses the trend to use a variety of risk assessment frameworks and standards to create an information security program that is sufficiently comprehensive for colleges and universities. These standards include the Control Objectives for Information and related Technology (CobiT) IT control framework, the Information Technology Infrastructure Library (ITIL) service management framework, and the set of information control objectives now commonly referred to as ISO 27001. In specific, the process of implementing this framework at Georgia State University (GSU) is discussed. In addition, the bulletin provides a rationale for an information security governance framework that enables executives to see the degree to which their information security programs are effective in assessing and mitigating risks, protecting confidential data, aligning goals with institutional academic and business objectives, and continuously improving over time.

Citation for this work: Clark, Tammy L., and Toby D. Sitko “Information Security Governance: Standardizing the Practice of Information Security” (Research Bulletin, Issue 17). Boulder, CO: EDUCAUSE Center for Applied Research, 2008, available from http://www.educause.edu/ecar.

The FTC as an Educational Partner in Improving Data Security and Privacy

drupal — Wed, 21 May 2008 12:55:12 -0500

The Federal Trade Commission deals with issues that touch the economic lives of most Americans. The current portfolio includes protecting consumers in the areas of data security and privacy, identity theft, Social Security number misuse, identity management, spam, maintaining the National Do Not Call Registry, and other IT issues of interest to colleges and universities. The FTC's Bureau of Consumer Protection, although a regulator of businesses, is also an educator: it seeks to educate consumers and provide businesses and other organizations with the information they need to comply with the rules of the road and to provide consumers with the necessary tools to engage in commerce intelligently. This session will highlight information policy issues the FTC is addressing and educational resources institutions of higher education can leverage to improve student, faculty, and staff awareness of data security and privacy risks.

Identity Finder LLC and Carnegie Mellon University - Find and Protect Personal Information Before It's Too Late

drupal — Wed, 14 May 2008 10:48:24 -0500

It's estimated that the black market trafficking of stolen electronic identities will increase to $1.6 billion in 2010. Finding personal information is an increasingly complex problem due the myriad places it can reside and forms it can take on computers. Learn not only how to find it but also how to easily and quickly protect it.

What Price Insularity? Reflections About Computer Security Failings

ckeller — Thu, 03 Jan 2008 16:44:07 -0600

Why is it risky for technologists to ignore the nontechnical context where their systems will be deployed? Furthermore, what is the risk when policymakers ignore the limits and potential of technology? How can we structure dialogue between technologists and policymakers to address security failings—to revisit identity theft, electronic voting machines, digital rights management, and network neutrality? Fred Schneider, editor of the National Research Council study Trust in Cyberspace and longtime researcher on what makes computer systems secure, will consider these and other questions.

Spock's Risky Take on Trust, Privacy, and Identity Management Online

catherine — Tue, 04 Dec 2007 07:38:34 -0600

This post sort of follows on from my musings on Pownce, and the relative (in)utility of the current glut of social networking "services".

Received any Spock trust invitations lately?

Spock, a self-described “people search application that allows you to see what your friends and colleagues are doing on the web”, could potentially tell us something about the future of metasearch engines—those clunky crawlers that tried, and mostly failed, to bridge the gap between structured web directories like Dmoz, and the chaotic openness of Google’s PageRank™ technology. Although its interface design, a web-2.0-ified “Google Classic Home”, is so trendy that I’m afraid it’s already terribly dated.

The Spock team have got one thing right: web search is now the primary vehicle for information discovery, and the sudden realisation of this (by the media, at least) has created all sorts of headaches for identity management and privacy online.

We, i.e. the affluent, educated, Western audience that remains the dominant internet consumer group, have made search engines, and the companies that run them, immensely powerful because we have enabled them effectively to constitute our interface to the world. Consequently, we have endowed search engines -- and their enabler, internet connectivity -- with powerful social meanings. “Searchability” means potential, openness, connectedness, currency, agency—qualities that are socially desirable in early 21st century cultures; or at least, the “globalised” cultures of the developed world.

Spock’s positive appeal to consumers is to tap directly into these powerful social meanings. Its negative appeal to consumers consists of using the language of risk to talk about identity management on the web:

“The first step towards managing your online identity is putting the information you want seen about you online. That allows you to control what is being said about you. The second step is staying up to date on new information about you as it appears.” (Spock blog)

Both aspects of Spock’s appeal, positive and negative, come at absolutely the right time for the consumer market: in education, careers advisors are trying to convince students of the need to “clean up their profile”, while teachers, counsellors and youth workers grapple with issues around cyberbullying; in the media and political spheres, the risks posed by ID theft loom large.

So, no argument on my side that managing online identity is important, and becoming increasingly more so. But if you already have an online identity, and if you proactively manage your online identity by publishing indexable information that allows others to locate you, then I don’t see value in the “service” Spock provides. Instead, I see considerable risk.

If you read through Spock’s Terms of Service, it becomes immediately apparent that the Spock folks are terribly worried about two things: the currency of the information on Spock, and the potential for individuals to create profiles that do not belong to them.

Like many, if not most, social networking services (e.g. StumbleUpon, Flickr), Spock is largely reliant on its user community to create value. The first cause of anxiety for Spock, of course, is that if Spock user profiles become out-of-date, then Spock is a useless “non-service” and people will just go back to Google. So, Spock talks tough, threatening to terminate your service if you do not maintain your information.

The second worry for Spock is that a user profile might not “authentically” represent an individual. Again, Spock is totally reliant on users to co-operate in this way to create a community of trust, because Spock itself cannot guarantee identity, and if users do not trust the identities they find on Spock then Spock again is exposed as a useless “non-service.” Doing a couple of sample searches on Spock for people that you already know have a well-established web presence reveals an intrinsic problem for Spock: Spock can and often does generate multiple search results for a single individual, just as happens on the “open” web via a traditional search engine.

Spock tries to solve this problem by encouraging users to consolidate these results into a single profile, by “claiming” them. In this way, Spock is asking users to help conserve its overall aim of having one Spock profile represent a single individual.

But why would you choose to help Spock by doing this? One of the things about the web in general is that information has a short life, and that is exactly what enables people to retain some control over their privacy. What if I change my personal or career goals, leave an organization or group of which I was a member, or move to a different city? Life happens, and people reinvent themselves all the time. But that might not necessarily mean that I want to reject or withdraw “obsolete” information about me – at times, it’s best to just let it alone, and let new information take its place.

It’s not especially useful, and it could even be dangerous, for a company to try and create a public expectation that “identity management” equates to an individual actively “controlling” all the personal information that is available about him/her on the web. And I can’t help thinking that it’s naïve at best, stupid at worst to think that an individual can solve the problem of managing his or her online identity (which consists of a complex mish-mash of information, some generated by the individual, some created by others) by creating Yet Another Profile on this type of system. At this stage, Spock’s goal of a single profile per user looks fundamentally incompatible with the way people—and the web in general—works.

Spock is behaving a bit like the banks that try and stop consumers from sharing their PIN numbers, even with immediate family members. Its attempt to make one profile represent “one authentic user” already looks redundant. Try asking kids using Bebo or Xanga not to share passwords, or create new profiles for their friends -- an interesting theme of the recent symposium on Facebook research.

With my academic hat on, I’d say we’ve already got other, better mechanisms to do the things that Spock says it’s offering users. Mechanisms that allow people to selectively share their information with services and with other individuals, and that don’t rely on submitting personal information to a commercial third party provider. I recognise that my bias towards sharing information, and towards open systems and standards, isn't necessarily shared by tech firms or the general public. But if people are prepared to share information with a system like Spock, surely it's worth looking again at OpenID, ClaimID and FOAF for trust and authentication; or Explode as a way to display distributed networks of people. Somebody like Scott Wilson can probably explain this much better than I can; check out FeedForward, his alpha tool for personalized information discovery.

FTC Workshop on "Security in Numbers: SSNs and ID Theft"

Rodney — Mon, 12 Nov 2007 09:49:22 -0600

On December 10 and 11, 2007, the Federal Trade Commission will host a public workshop, “Security in Numbers: SSNs and ID Theft,” to explore the uses of Social Security numbers in the private sector and the role of SSNs in identity theft. This workshop continues the work of the President’s Identity Theft Task Force, and, in particular, its recommendation to explore ways to reduce unnecessary uses of the SSN.

The workshop will provide a forum for public-sector, private-sector, and consumer representatives to discuss the various uses of SSNs by the private sector, the necessity of those uses, alternatives available, the challenges faced by the private sector in moving away from using SSNs, and how SSNs are obtained and used by identity thieves. The workshop will be free and open to the public.

For more information, visit http://www.ftc.gov/bcp/workshops/ssn/index.shtml

The University's Role in Advancing Data Encryption, Part 2

ckeller — Fri, 02 Nov 2007 16:48:58 -0500

"Identity theft is one of the fastest-growing cyber-crimes, and, as a result, 38 states have identity theft legislation -- with some states using encryption as a safe haven," said Southwestern Illinois Community College CIO Christine Leja. "The education market as a whole is becoming more serious about protecting student information and is looking to encryption as the means to making that happen."

Training Your Staff to Protect SIS Data

ckeller — Fri, 07 Sep 2007 14:32:08 -0500

"No matter how robust your firewall, trained faculty and staff are your first line of defense against system breaches."

FTC Seeking Comments on SSN Use - Including Usage by Colleges and Universities

Rodney — Mon, 06 Aug 2007 16:46:37 -0500

The Federal Trade Commission (FTC) has announced that it is seeking comments on the use of Social Security Numbers (SSNs) in the private sector. This inquiry is in response to a recommendation in the President’s Identity Theft Task Force Strategic Plan that called for the development of a comprehensive record on the uses of the SSN in the private sector and evaluate the necessity of those uses.

The FTC invites interested parties to comment on the various uses of SSNs by the private sector (including colleges and universities), the necessity of those uses, alternatives available, the challenges faced by the private sector in moving away from using SSNs, and how SSNs are obtained and used by identity thieves. The FTC asks that comments be as specific as possible, and include items such as studies, surveys, research, and cost estimates. Comments must be received on or before September 5, 2007. For more detailed information on how to submit comments and the specific questions and topics the FTC would like addressed in the comments, please see: http://www.ftc.gov/opa/2007/07/ssncomments.shtm.

New PSA Addresses Identity Theft

vvogel — Thu, 02 Aug 2007 17:37:04 -0500

Similar to love, identity theft can occur when you least expect it! When that hot guy or girl in the coffee shop starts flirting...it could be more than just your heart at stake!

This PSA was inspired by a winning submission for the 2007 Computer Security Awareness Video Contest, which was organized by the EDUCAUSE/Internet2 Computer and Network Security Task Force, in cooperation with ResearchChannel, and sponsored by the National Cyber Security Alliance.

View or download this year's winning videos. And don't forget to check out the 2006 winners.

GAO Releases Report on Data Breaches and Identity Theft

Rodney — Tue, 24 Jul 2007 15:00:19 -0500

The Government Accountability Office (GAO) has released a Report on Data Breaches that concludes while "breaches of sensitive information have occurred frequently and under widely varying circumstances, . . . the extent to which data breaches have resulted in identity theft is not well known." It further concludes that "should Congress choose to enact a federal notification requirement, use of a risk-based standard could avoid undue burden on organizations and unnecessary and counterproductive notifications of breaches that present little risk."

Some further higher education references in the report:

EDUCAUSE, a nonprofit association that addresses technology issues in higher education, conducted a survey in 2005 on data security at higher education institutions in the United States and Canada. Twenty-six percent of the 490 institutions that responded said they had experienced a security incident in the past year that resulted in the compromise of confidential information." (page 16)
Representatives of the American Council on Education and two other higher education associations stated that while data breaches at colleges and universities were not uncommon, they were aware of little to no identity theft that had resulted from such breaches. (page 23)
7 higher education institutions are identified (although not by name) among the 24 large publicly reported data breaches from January 2000 - June 2005 that were examined by the GAO which included interviews with educational institutions. (page 26)
There are also costs associated with actual notifications - potentially including printing, postage, legal, investigate, and public relations expenses . . . Entities also may incur costs related to staffing call centers to field inquiries from consumers about the breach. For example, representatives of the University of California at Berkeley told us that following a 2005 breach of 98,000 records, the university spent $75,000 in staffing, telecommunications, and other call center costs. (page 34)

The report also makes frequent reference to the President's Identity Theft Task Force Report released in April.

Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown

ckeller — Tue, 24 Jul 2007 14:46:25 -0500

In recent years, many entities in the private, public, and government sectors have reported the loss or theft of sensitive personal information. These breaches have raised concerns in part because they can result in identity theft--either account fraud (such as misuse of credit card numbers) or unauthorized creation of new accounts (such as opening a credit card in someone else's name). Many states have enacted laws requiring entities that experience breaches to notify affected individuals, and Congress is considering legislation that would establish a national breach notification requirement. GAO was asked to examine (1) the incidence and circumstances of breaches of sensitive personal information; (2) the extent to which such breaches have resulted in identity theft; and (3) the potential benefits, costs, and challenges associated with breach notification requirements. To address these objectives, GAO reviewed available reports on data breaches, analyzed 24 large data breaches, and gathered information from federal and state government agencies, researchers, consumer advocates, and others.

Podcast:: Security Breaches and Identity Theft

gbayne — Tue, 26 Jun 2007 15:05:47 -0500

In this 55 minute podcast, we present a general session from the EDUCAUSE 2007 Policy Conference entitled, “Security Breaches and Identity Theft”. This is a panel discussion moderated by EDUCAUSE Government Relations Officer and Security Task Force Coordinator, Rodney Peterson. The discussion features:

Michael Atleson, Attorney, Division of Privacy and Identity Protection, Federal Trade Commission

Liz Gasster, General Counsel and Acting Executive Director of the Cyber Security Industry Alliance

As Congress strives to pass legislation that would provide a uniform federal law for security breach notifications, a number of related privacy and security policy proposals are under consideration in the Congress and executive branch agencies. This panel will address topics such as preventing misuse of Social Security numbers, requirements for a personal data privacy and security programs, and measures to prevent identity theft.

Security Breaches and Identity Theft

drupal — Fri, 18 May 2007 09:17:51 -0500

UCLA Hearing Testimony: "Identity Theft: Innovative Solutions for an Evolving Problem"

vvogel — Fri, 23 Mar 2007 10:50:06 -0500

On March 21, 2007, Jim Davis (Associate Vice Chancellor and Chief Information Officer at the University of California, Los Angeles) appeared before the United States Senate Judiciary Committee's Subcommittee on Terrorism, Technology and Homeland Security Committee to provide his testimony during a hearing on "Identity Theft: Innovative Solutions for an Evolving Problem".

Identity Theft: Innovative Solutions for an Evolving Problem

drupal — Mon, 19 Mar 2007 11:22:55 -0500

Written Testimony of Jim Davis, Associate Vice Chancellor, Information Technology Chief Information Officer at the University of California, Los Angeles. This testimony was presented before the Subcommittee on Terrorism, Technology and Homeland Security Committee on the Judiciary United States Senate. The subject of the testimony is Identity Theft: Innovative Solutions for an Evolving Problem.

EDUCAUSE Offers Michigan Seminar on Higher Ed Data Security and Privacy Issues (UPDATED)

cluckett — Thu, 22 Feb 2007 12:24:53 -0600

In this one-day seminar, “A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations,” on May 2, 2007, keynote speakers (UPDATED) Rodney J. Petersen, Government Relations Officer and Security Task Force Coordinator, EDUCAUSE, and David Escalante, Director of Computer Policy & Security, Boston College, will outline a blueprint for protecting sensitive data according to the EDUCAUSE/Internet2 Computer and Network Security Task Force. The seminar will be held at Michigan State University in East Lansing. A recent study by the EDUCAUSE Center for Applied Research (ECAR) found that campus security incidents compromised personal information, leading to bad publicity and the potential for identity theft. This seminar will address the steps necessary to protect sensitive data, which include implementing an information security risk management program, data-classification policies, awareness programs, and technology solutions, as well as clearly defining roles and responsibilities.

View the program.
Access the PowerPoint presentation for the seminar.
Register by April 6 for low, early-bird rates; this limited-enrollment seminar tends to fill quickly.
Peruse additional EDUCAUSE resources on Security Management and Data Security.

UVM to get new ID numbers

drupal — Wed, 10 Jan 2007 17:27:26 -0600

Due to a new state law the University of Vermont will be begin using new ID numbers that are not SSNs.

UCLA Warns Students, Staff of Data Theft

drupal — Wed, 13 Dec 2006 08:59:00 -0600

The University of California-Los Angeles alerts some 800,000 current and former students, applicants, faculty and staff that their personal information -- names, addresses, Social Security numbers -- were exposed when a hacker broke into a campus computer system. The university says that only a small percentage of the records in the database were actually accessed. The case may be the largest computer breach ever at an American university.

Major breach of UCLA's computer files

drupal — Tue, 12 Dec 2006 13:35:27 -0600

"Personal information on 800,000 students, alumni and others is exposed. Attacks lasted a year, the school says."

The President's Identity Theft Task Force

drupal — Mon, 02 Oct 2006 17:20:45 -0500

On May 10, President Bush signed an Executive Order creating the nation's first ever Identity Theft Task Force. The goals of the Task Force are to develop a strategic plan to better prevent identity theft, coordinate prosecution, and ensure recovery for victims. The Task Force is chaired by U.S. Attorney General Alberto R.Gonzales and Federal Trade Commission Chairman Deborah Platt Majoras. This site includes a Summary of Interim Recommendations.

Fight Back Against Identity Theft

drupal — Wed, 16 Aug 2006 10:47:17 -0500

There's no surefire way to protect yourself from identity theft, but there are steps you can take to minimize the risk of becoming a victim. That is the message of a nationwide education program recently launched by the Federal Trade Commission: "AvoID Theft: Deter, Detect, Defend."

* Deter: Take steps to reduce your risk of ID theft
* Detect: Monitor your personal information
* Defend: Act quickly when you suspect identity theft

Nat Wood will discuss these steps and how you can make presentations to your community about identity theft using the FTC's ID Theft Consumer Education Kit. The kit includes a how-to guide for talking about identity theft, an easily reproduced pamphlet, a PowerPoint presentation, and a 10-minute video with tips from the FTC.

Tune In August 16: Fight Back Against Identity Theft

cluckett — Wed, 09 Aug 2006 13:55:45 -0500

Tune in August 16 to hear from the FTC's Nat Wood about how you can protect yourself from identity theft and make presentations to your community. Unable to tune in? Listen later by visiting the archives.

Locking Down Departmental Data

drupal — Tue, 23 May 2006 10:09:52 -0500

As hackers have found their way into computer networks around the country in recent years — putting individuals' personal information at risk of identity theft and embarrassing companies, colleges and other entities — many if not most higher education institutions have significantly tightened their technological security.

Airline passenger's details insecure

StuartYeates — Thu, 04 May 2006 09:14:11 -0500

The Guardian is carryingan article by Steve Boggan on how insecure airline passenger'sdetails are. He paints the US government as the principal underminerof the privacy and security of the individual's information, but Iimagine that a number of organisations on this side of the Atlanticfind access to the information very useful too.

Identity Management in Higher Education: A Baseline Study Key Findings

drupal — Mon, 17 Apr 2006 01:00:00 -0500

These Key Findings describe the major discoveries of the ECAR research study called "Identity Management in Higher Education: A Baseline Study". This ECAR research study illuminates findings from a survey of identity management practices in higher education. In addition to exploring the adoption of identity management technologies, the study examines the importance institutions place on the benefits of identity management and their ability to deliver those benefits; the motivations that drive institutions to adopt identity management and the challenges they face; the policies and plans being prepared to support identity management; how identity management projects are organized and what resources and staff are dedicated to them; and the factors that influence good outcomes in identity management investment and capability. The study is based on a literature review, consultation with a select group of individuals representing organizations involved in identity management, survey responses from 403 higher education institutions, and qualitative interviews with 36 executives and IT personnel from 24 institutions. A corporate edition is available here.

Identity Management in Higher Education: A Baseline Study Roadmap

drupal — Mon, 17 Apr 2006 01:00:00 -0500

This ECAR research study illuminates findings from a survey of identity management practices in higher education. In addition to exploring the adoption of identity management technologies, the study examines the importance institutions place on the benefits of identity management and their ability to deliver those benefits; the motivations that drive institutions to adopt identity management and the challenges they face; the policies and plans being prepared to support identity management; how identity management projects are organized and what resources and staff are dedicated to them; and the factors that influence good outcomes in identity management investment and capability. The study is based on a literature review, consultation with a select group of individuals representing organizations involved in identity management, survey responses from 403 higher education institutions, and qualitative interviews with 36 executives and IT personnel from 24 institutions. A corporate edition is available here.

Risk Assessment 101

drupal — Mon, 20 Mar 2006 12:58:14 -0600

Have you examined how to physically protect your data? With federal requirements imposed such as GLBA, FERPA, and HIPAA and threats of identity theft, where do you start? Learn where we began by assessing institutional risks, as well as the changes that risk assessment has inspired.

Identity Management in Higher Education: A Baseline Study

drupal — Thu, 16 Mar 2006 13:26:23 -0600

Server hack at Georgetown University probed

drupal — Tue, 07 Mar 2006 14:06:17 -0600

Data on as many as 41,000 people may have been compromised.

Guilty Pleas in ID Theft Bust

drupal — Mon, 21 Nov 2005 11:24:43 -0600

Six individuals caught in a Secret Service sting called Operation Firewall pleaded guilty to conspiracy to commit credit and bank card fraud and ID document fraud. Two other individuals involved in the scam previously pleaded guilty to the same charge. All were among 19 who were indicted last year, charged with running a private-access Web site where people from around the globe bought and sold sensitive information, such as Social Security numbers, credit card numbers, and fake IDs. The ID theft ring is thought to have trafficked in more than1.5 million credit card numbers, close to 18 million e-mail accounts, and other information that was used to buy and sell merchandise online.One who pleaded guilty, Wesley Lanning, specialized in making and selling fake IDs. His attorney, Marc Leibman, said that although Lanning sold most of the IDs to teens to use to buy beer, "obviously everyone is concerned that some...militant is going to get one of Wesley Lanning's fake IDs and use it to transport a bomb."

Data Incident Notification Toolkit

drupal — Thu, 13 Oct 2005 17:36:58 -0500

This Data Incident Notification Toolkit was created by the EDUCAUSE/Internet2 Computer and Network Security Task Force as a guide for higher education institutions.

New California Law Makes Phishing Illegal

drupal — Thu, 13 Oct 2005 16:29:57 -0500

"The Anti-Phishing Act of 2005 allows for fines of thousands of dollars".

Thresholds for Notification

drupal — Fri, 07 Oct 2005 10:37:26 -0500

"Thresholds for Notification: Deciding Whether or Not to Notify", which helps to determine the threshold for security breach notification was produced by the University of California Office of the President.

U.S. Colleges Struggle to Combat Identity Theft

drupal — Thu, 18 Aug 2005 10:20:56 -0500

"Despite their image as leafy enclaves of higher learning shielded from the real world, universities across the United States are finding themselves on the front lines of the battle against identity theft. With their huge databases, universities may rival financial institutions as attractive targets for the crime, estimated to affect over 9 million Americans a year at the total cost of more than $50 billion, experts said. Nearly half of the publicized incidents of data breach since January occurred at universities, according to the San Diego-based Identity Theft Resource Center."

Stanford Professors Offer Password Protection

drupal — Fri, 29 Jul 2005 10:12:04 -0500

The increase in identity theft has prompted two Stanford University professors to develop software that protects computer passwords from Internet thieves.

Legislative Solutions to Security Problems

drupal — Wed, 20 Jul 2005 15:42:56 -0500

The author gives a preview of upcoming legislation related to internet dat privacy and security.

GLBA at Two: What It Is, Who's Doing What, and Compliance on the Cheap

drupal — Tue, 24 May 2005 11:29:27 -0500

In May 2003, the Gramm-Leach-Bliley Act (GLBA) appeared to be another unfunded federal mandate. For the unacquainted, the intent of this portion of the Financial Services Modernization Act of 1999 will be reviewed, the progress and effectiveness of some GLBA activities willbe discussed, and several low-cost solutions for becoming GLBA-compliant will be presented.

Privacy and Security of Personal Information

drupal — Mon, 11 Apr 2005 12:27:25 -0500

Identity theft has become a hot topic, with near daily reports about thousands or millions of lost or stolen personal records. Laws have been passed or are being considered in the states and in Congress to mandate tighter security for companies storing personal records and notification when data is compromised. Spyware also presents a threat to keeping personal information or institutional data confidential. This session will review some of the recent incidents, legislative and regulatory approaches, and potential technology solutions, as well as their impact on higher education.

Study: 9.3 Million ID Theft Victims Last Year

drupal — Wed, 26 Jan 2005 11:05:52 -0600

"Identity theft continues to afflict millions of U.S. consumers, according to a new study recently released. About 9.3 million people were victims of the crime last year, the study says, echoing a study last year by the Federal Trade Commission that indicated 10.1 million consumers had been hit in 2003. In all, one in every 23 consumers were victims last year."

Is a New ID Theft Scam in the Wings?

drupal — Mon, 24 Jan 2005 12:19:17 -0600

The article discusses the next generation Phishing scam, Pharming. Pharming is a malicious Web redirect, in which a person trying to reach a legitimate web site is sent to the phony site.

Hackers Steal ID Info From Virginia University

drupal — Tue, 11 Jan 2005 10:39:42 -0600

George Mason University has become the latest institution of higher education to be the victim of hackers' accessing personal information of faculty and students. University officials said that hackers gained access to information including names, photos, Social Security numbers, and campus ID numbers for "all members of the Mason community who have identification cards." An e-mail sent by the university's vice president for information technology indicated that the intruders appeared to be seeking "access to other campus systems rather than specific data," but the message warned that the information the hackers obtained could be used for identity theft. George Mason had ended its practice of putting Social Security numbers on ID cards, replacing them with university-generated numbers, in response to a Virginia state law that required such a change. The university maintains a database, however, that includes Social Security numbers. University officials discovered the intrusion on January 3 and said the hackers gained access to records of more than 30,000 faculty, staff, and students.