[ISN] Spitzer Targets Hackers
InfoSec News
isn at c4i.org
Wed Apr 20 04:16:56 EDT 2005
http://www.redherring.com/Article.aspx?a=11839
April 19, 2005
New York Attorney General Eliot Spitzer has urged his state's
legislators to do more to protect consumers from digital fraud and
taken a swipe at computer criminals.
"The theft of one's identity and personal information is not a matter
of 'if,' but a matter of 'when,'" Mr. Spitzer said on Monday. "New
York State must enact reforms to strengthen consumers' ability to
control personal information and to facilitate the prosecution of
identity theft crimes."
The proposed legislation would make it easier for consumers to file
identity fraud complaints, put "security freezes" on credit files, and
provide "opt-out" lists for consumers who do not want their data
passed along to third parties.
Mr. Spitzer's legislation would make it tougher for businesses. It
would require companies to notify customers whenever they send out
reports containing their information. The notification would include
the address of the entity which had requested the private information.
Companies would also have to inform New Yorkers of any exposure of
their personal information that affected more than 500 people.
The proposal resembles California Senate Bill 1386, which became law
in July 2003. It requires companies to inform California of data
leaks. On Tuesday, the Senate Judiciary Committee was scheduled to
consider ways to augment the existing legislation. Senate Bill 852
would make companies as responsible for theft of records as they are
now for digital data theft.
More than 785,000 Americans learned that they may have been the
subject of identity theft in the last three months. HSBC, a U.K. bank,
recently informed 180,000 of its customers that information the
company kept on them had been exposed to potential criminals (see HSBC
Warns 180,000 of Fraud [1]).
Earlier the same week, data-collection firm LexisNexis announced it
would mail 280,000 letters to Americans who had their information
tapped into inappropriately (see LexisNexis Leaks 280,000 IDs [2]).
Before that, the San Jose Medical group lost 185,000 patient records
and social security numbers when someone walked out of the hospital
with a computer under each arm.
The recent rash of identity theft started with ChoicePoint's
announcement in February that it had lost detailed data on 145,000
people at the hands of a low-tech fraudster (see The Choicepoint
Incident [3]).
Cyber trespassers
On top of the legislation designed to protect consumers, Mr. Spitzer
has called for tougher penalties on computer criminals. He wants to
prosecute people who gain access to computers surreptitiously, but who
do not do any harm. The proposed legislation would also make
encrypting information a crime if it concealed some other crime.
The anti-hacker part of Mr. Spitzer's proposed legislation has drawn
criticism from computer experts.
"I've always admired Eliot Spitzer because of the types of bad guys
he went after," said noted cryptographer Phil Zimmermann. "But I think
it would be a mistake to make it a crime to use crypto. It's
pervasive, and built into our web browsers and applications. It would
be hard for most people to avoid using crypto because of its
ubiquity."
Making cryptography a crime when it is used to conceal illegal
activity would be a step in the wrong direction, said Mr. Zimmermann,
who created an encryption program called Pretty Good Privacy. "We need
an ever-increasing ubiquity of crypto deployment across all relevant
applications on the Internet, in databases, in access control, in
authentication, in backup utilities: everywhere," he said. "That will
help reduce identity theft, which is certainly a goal shared by Mr.
Spitzer."
[1] http://www.redherring.com/Article.aspx?a=11798&hed=HSBC+Warns+180%2c000+of+Fraud
[2] http://www.redherring.com/Article.aspx?a=11763&hed=LexisNexis+Leaks+280%2c000+IDs
[3] http://www.redherring.com/Article.aspx?a=11336&hed=The+Choicepoint+incident