US DATA COLLECTION BOOM CREATES MARKETPLACE OF VALUABLE INFORMATIONBad practices drive up data theft - washingtonpost.com Highlights - MSNBC.comBad practices drive up data theft
Data collection boom creates marketplace of valuable informationBy Jonathan Krim

Updated: 3:02 a.m. ET June 22, 2005WASHINGTON - Call 2005 the year of the data breach.

One day, tapes with the Social Security numbers of 1.2 million federal workers are reported missing. Another day it's hackers gaining access to private information on 120,000 alumni at Boston College. Then, last Friday, comes word that 40 million credit card numbers fell prey to computer criminals.

Collectively, nearly 50 million accounts have been exposed to the possibility of identity fraud since the beginning of the year, a significant increase from last year.

Security experts, law enforcement officials and privacy advocates agree that while computer crime is on the rise, it is hardly new.


• Hackers score big by thinking small
• More technology news

So why the apparent escalation?

In part, organizations are telling their customers or employees about incidents more than they used to, many complying with a California notification law that is being considered as the basis of possible federal legislation.

After data broker ChoicePoint Inc. reported in February that it was infiltrated by identity thieves posing as legitimate customers, the company received a second black eye when reports surfaced that it did not notify consumers about a previous breach, before California's law took effect. Now, most organizations are choosing to notify potential victims.

Boom in data collection
Experts see other factors contributing to the data-theft siege.

A boom in data collection has created a marketplace of valuable information stored on computers in thousands of places, many with weak security.

"The current fiascos in cyber-security have been occurring for the past 10 years," said Tom Kellermann, who recently left his position as senior data risk management specialist for the World Bank.

Kellermann and others blame poorly designed software, inattention to data security and an underappreciation of the problem by top management in corporations and other institutions.

"We've used weak practices for some time," said Chuck Wade, an Internet security and commerce consultant. "The vulnerabilities are well known, and we have not been improving the security measures . . . as we should have been."

Joint efforts
At the same time, some hackers who used to get their kicks merely being disruptive are pooling efforts with organized criminals, said Jonathan J. Rusch, a special counsel in the fraud section of the Justice Department.

"The motivation now is money," Rusch said. In addition to using stolen data for credit card or other financial fraud, a thriving black market for the stolen data itself exists online, run in large part from Eastern Europe.

Among the most extreme examples of data for sale are offerings known in the online underground as "fulls." These reports include not only Social Security and credit card numbers, but also account passwords for Web sites that a consumer might use, such as eBay or a bank.

"There's so much information that has been leaked out over the years, it may be that there are, outside of the country, criminal elements with huge databases on American consumers," Wade said.

With more and more people getting high-speed Internet connections, and participating in online commerce and banking, the targets of opportunity for criminals only grow.

Wade and others argue that many industry players have not responded aggressively enough because they are insulated from the financial consequences of breaches.

Banks and credit card companies, for example, pay nothing when a criminal uses someone's credit card for a fraudulent charge. The same is true for credit card processing companies such as CardSystems Solutions Inc., which announced last week that it housed the 40 million credit card numbers that hackers may have obtained.

Payment processors and banks collect fees for charges that are reversed.

"They are making money on fraudulent transactions," said Brian Mortensen, head of a New Jersey company that sells telecommunications equipment. "They should not be allowed to do that."

Mortensen said that as a result of fraudulent purchases, his firm has lost $12,000 to $15,000 on equipment that will never be recovered and owes several thousand dollars more in various fees.

Although consumers generally don't have to pay for fraudulent charges on their credit cards, if their identity has been compromised it can take years and thousands of dollars to restore good credit.

Some security experts say many financial companies have been slow to adopt multiple layers of customer verification, such as requiring a password and a second identification number. Many companies also are not encrypting stored data.

'Very difficult to stay on top of it'
But many firms argue that while data protection is a top priority, such measures could make online commerce too inconvenient for consumers without adding appreciably to security. And security already is a large business expense.

Companies must monitor their computer networks and "patch" vulnerabilities in software that are discovered regularly.

That can be especially complex when firms merge and one company's system needs to be incorporated into another's, said David Thomas, head of the FBI's computer intrusion section.

"It's very, very difficult to stay on top of it," Thomas said.

Moreover, said Mark Rasch, a former federal prosecutor who works for an Internet security firm, "The company has to try to protect against every kind of attack. The intruder only needs to find one."

Some breaches, such as mortgage data from General Motors Acceptance Corp. that was stored on a laptop stolen from a car, leave consumers wondering how seriously companies take information security.

Sen. Dianne Feinstein (D-Calif.), one of several on Capitol Hill sponsoring identity theft legislation, said the CardSystems incident last week "is a clear sign that industry's efforts to self-regulate when it comes to protecting consumers' sensitive personal data are failing."

Thomas F. Holt Jr., an attorney who represents companies involved in breach cases, said he expects things to change when large class-action suits begin to get filed against firms for improperly protecting information.

"When that game is afoot . . . companies will begin to redouble their security efforts and reexamine a lot of assumptions they have regarding the gathering and storing of sensitive data," Holt said.
© 2005 The Washington Post Company

ROCHESTER COMPUTER STOLEN FROM COMPANY13WHAM-TV || Rochester - Stolen Laptop Contained Sensitive Info: "Stolen Laptop Contained Sensitive Info
(Rochester, NY) 06/22/05 -- Someone has stolen a laptop computer with the personal information of 5,800 former Eastman Kodak employees.
The information included Social Security numbers, names, and birth dates but no account numbers. A Kodak spokesperson says the laptop is password protected and belongs to an employee from Hewitt Associates, a company Kodak contracts to handle retiree benefits.
The company sent a letter to all potential victims. So far; there haven't been any reports of identity theft."

ISLAMIC CONFERENCE URGES MEMBERS TO ENSURE CYBER SECURITYMalaysian National News Agency :: BERNAMAOIC Members Should Cooperate To Ensure Cyber Security


By Santha Oorjitham

PUTRAJAYA, June 22 (Bernama) -- Organisation of Islamic Conference (OIC) members should set up Computer Emergency Response Teams (CERTs) and Computer Security Incident Response Teams (CSIRTs) to collaborate and prevent or reduce cyber terrorism.

National Information Communication Technology Security and Emergency Response (NISER) Centre director Lt Col Husin Jazri called on delegates at the 30th annual meeting of the Islamic Development Bank (IDB) Board of Governors to pass a resolution tomorrow to set up the OIC-CERT.

CERT is a national or regional coordination centre, which tackles any emergency computer and network security incidents.

Husin was moderating a session Wednesday on cyberspace security at the Knowledge and Information and Communications Technology for Development (KICT4D) conference, a side event of the IDB meeting, which had standing room-only for participants from Nigeria, Tunisia, Senegal, United Arab Emirates (UAE) and Pakistan as well as Malaysia.

Noting that only seven of the 57 OIC members have CERTs or CSIRTs, he asked OIC members (of which the IDB is the investment arm), to contribute to an OIC-CERT collaboration, setting up an OIC-CERT task force and an interest group forum.

(Malaysia has three CERTs: MyCERT for Malaysian Internet users; GCERT for federal, state and local governments, as well as statutory bodies; and Sabah CERT for users in the East Malaysian state.)

OIC-CERT could increase the dissemination of cyber alerts, provide a platform to exchange ideas and expertise, jointly develop measures to deal with large-scale network security incidents and address information security and emergency response across regional boundaries, Husin said.

Associate Professor Dr Ibrahim Kamel of the College of Information Systems at Zayed University in Dubai, UAE, noted that five West Asian countries (UAE, Kuwait, Saudi Arabia, Egypt and Iran) are among the top 10 countries vulnerable to hacking (Symantec Report 2003).

Ibrahim pointed out that more nations are adding computer network warfare to their strategies, criminals are using cyberspace and critical infrastructures have become prime targets.

As NISER's Husin stressed, "It's not 'Will I get hit?' but it's a matter of 'When will I get hit?'"

-- BERNAMA

CALIFORNIA PASSES NEW IDENTITY THEFT STATE LAW Technology News Article | Reuters.comCalif. lawmakers back tougher identity theft law
Tue Jun 21, 2005 08:23 PM ET

SAN FRANCISCO (Reuters) - Concerned with the growth of identity theft, California lawmakers gave initial approval on Tuesday to a bill that, with other state safeguards, would require companies to notify consumers of all security breaches involving their personal information.
The California Assembly's judiciary committee voted 6-3 for the bill, which would apply to paper and taped records. Breaches of computer records are already covered by a state law.

The state senate has already approved the bill, which now goes to the Assembly business and professions committee.

California leads the nation in personal information privacy laws, which have become a hot topic for other states and the U.S. Congress after a series of recent high-federal security breaches.

The California law already in effect led data mining company ChoicePoint Inc. (CPS.N: Quote, Profile, Research) in February to send warning letters to 30,000 to 35,000 consumers after criminals gained access to a database of personal records.

Bank of America Corp.(BAC.N: Quote, Profile, Research) and MasterCard International also have disclosed major breaches.

Democratic state Sen. Debra Bowen said that there was a loophole in the state law, though.

"Right now, companies have to tell you when a thief hacks into their computer system and gets access to your personal account information or Social Security number, but they don't have to say word one when paper records or a back-up tape containing the exact same personal information are lost, stolen or inadvertently handed to a perfect stranger," said Bowen.

"That's a loophole that needs to be closed."

© Reuters 2005. All Rights Reserved.

INDIA COMPUTERS STOLENThe Tribune, Chandigarh, India - Regional Briefs: "JAGRAON
Liquor seized: The Sudhar police has arrested Dinesh Muni of Mirchawali (Bihar ) from the area of Rattowal village and seized over 18 lt. of illicit liquor from his possession. A case under the Excise Act has been registered.
COMPUTER STOLEN: A case has been registered on the complaint of Mohinder Singh, sarpanch, Ranjowal, against the unidentified persons under Sections 457 and 380 of the IPC. It is learnt that four computers have been stolen"

OREGON SCHOOL COMPUTER THIEVES APPREHENDED News - StatesmanJournal.comPolice arrest four teens in burglary of Gubser Elementary in December

June 22, 2005

Keizer police said Tuesday that they have arrested four teenagers in connection with a burglary last year at Gubser Elementary School.

Computers, monitors, stereo equipment and a Fender guitar amplifier were among the items stolen from the school Dec. 26, Keizer police Sgt. John Troncoso said.

On Sunday, two teenagers, both 16, were arrested after Keizer police caught one of the boys trying to move a stolen computer from a friend's home, Troncoso said.

One boy was booked on charges of first-degree theft receiving. The other was booked on charges of first-degree theft, first-degree theft receiving, second-degree burglary, criminal mischief, hindering prosecution and criminal conspiracy to commit second-degree burglary.

Two others, both 17, were arrested Monday and booked on charges of second-degree burglary and criminal conspiracy to commit second-degree burglary.

The Statesman Journal is not publishing the identities of the juveniles because the charges are not Measure 11 offenses.

Police are looking for other computer and stereo equipment that has not been recovered, and police think the items may have been sold, Troncoso said. Selling, possessing, hiding and disposing of stolen items are crimes, he said.

Anyone with information is asked to call (503) 390-3713, Ext. 3481

OHIO COMPUTERS STOLEN FROM INVESTMENT COMPANYVindy.com - Aggravated assaults: "Careful computer theft

YOUNGSTOWN — Computer equipment was reported missing from First Educators Investment Corp. on West Federal Street after a cleaning lady discovered a break-in early Monday, police said. The rear door had been damaged, but the owner needed to use a key to unlock the deadbolt, reports show. Removal of the computers was done with care, no mess was found, police said."

CALIFORNIA EXTERNAL COMPUTER HARD DRIVEMAKER ADDS UPEK BIOMETRIC SECURITY AS A NEW FEATUREUPEK Biometric Security Protects LaCie External Hard Drives; LaCie SAFE Mobile Hard Drive Features Data Access Protection Enabled by UPEK TouchStrip Fingerprint Authentication SolutionJune 21, 2005 12:05 PM US Eastern Timezone

UPEK Biometric Security Protects LaCie External Hard Drives; LaCie SAFE Mobile Hard Drive Features Data Access Protection Enabled by UPEK TouchStrip Fingerprint Authentication Solution

BERKELEY, Calif.--(BUSINESS WIRE)--June 21, 2005--UPEK(R), Inc., the leading supplier of biometric fingerprint security solutions, today announced that LaCie has introduced the SAFE Mobile Hard Drive featuring data access protection enabled by UPEK. The SAFE Mobile Hard Drive offers high capacity storage options of 40GB and 80GB along with pocket-sized portability, highlighting the need for data protection which is offered in the form of UPEK's biometric security solution. Fingerprint authentication is performed locally on the external hard drive instead of relying on the host PC, ensuring the highest level of security.


"We have selected UPEK's TouchStrip(TM) Fingerprint Authentication Solution foremost because of the high level security enabled by their chipset solution and patented active capacitive sensing technology," said Marie Renouard, Product Manager at LaCie. "UPEK is a full solution provider, not simply a component supplier, and has provided us integration support in order to ensure the LaCie SAFE Mobile Hard Drive is both secure and convenient to use."

"As the storage capacity and portability of external hard drives grow, so do the needs to protect access to data on these devices and ensure such protection doesn't introduce an inconvenience to the end user," stated Alan Kramer, president and CEO, UPEK. "LaCie's decision to protect their product with biometric security is an indicator that the external hard drive market is taking the value proposition of security to heart," said Kramer. "We are pleased to work with LaCie because they understand the need to offer the highest levels of security and convenience for end users in both the corporate and consumer markets."

About UPEK

Headquartered near Berkeley, California, with offices in Prague, Tokyo, Singapore and Taipei, UPEK, Inc. is a privately-held biometric fingerprint security company launched as a venture-backed spin-off from STMicroelectronics in 2004. The security solutions offered by UPEK under the TouchChip(R) and TouchStrip(TM) brands have been shipping in volume since 1999 and have been integrated into a broad range of commercial and consumer applications. UPEK offers the full range of capabilities needed to deliver end-to-end solutions, including silicon fingerprint sensors, biometric algorithms, companion processors, and client/server software. For more information, visit www.upek.com

About LaCie

LaCie creates external storage solutions and color monitors that help professionals and everyday people easily manage their digital lives. Powerful technology combined with unique designs by the internationally acclaimed Philippe Starck, Neil Poulton and Porsche Design GmbH make LaCie the world leader in storage innovation. Established in France in 1989, LaCie is now headquartered in North America, Europe and Asia and listed on the Paris Nouveau Marche (code 5431). For more information, visit www.lacie.com.

* All trademarks or registered trademarks are the property of their respective owners.

Contacts


UPEK, Inc.
Steve Hahm, 510-420-2630
steve.hahm@upek.com
or
Citigate Cunningham for UPEK, Inc.
Lisa Kennedy, 415-618-8746
LKennedy@citigatecunningham.com
or
LaCie Press Inquiries
Melissa Logan, 503-844-4578
mlogan@lacie.com

JAPAN COMPUTER CONTAINING DATA ON 307,000 PEOPLE STOLEN FROM COMPANY DORMITORYDaily Yomiuri On-LinePC stolen with data on 307,000 people

The Yomiuri Shimbun

A notebook computer containing personal information on 307,000 people has been stolen from a company dormitory in Itami, Hyogo Prefecture, an Osaka municipal government official said Monday.

The computer included information on donors to the construction of a tower at the Flower Expo Memorial Park in Tsurumi Ward, Osaka. The data leakage is thought to be the largest since the Personal Information Protection Law took effect in April.

According to the municipal government, an employee of Mitsubishi Electric Control Software Corp., which was contracted to digitalize the data, copied the data onto his personal computer to work on it at home, and it was stolen from the company's dormitory on June 13.

The data included people's names, addresses and other information. The municipal government said it was unlikely to be misused, however, as a 16-digit password must be inputted to access the data.

US GOVERNMENT CAPITOL HILL HEARING TESTIMONY ON DATA BREACH AND IDENTITY THEFT
June 16, 2005 Thursday

CAPITOL HILL HEARING TESTIMONY

3732 words

SENATE COMMERCE, SCIENCE, AND TRANSPORTATION


DATA BREACH AND IDENTITY THEFT

DEBORAH MAJORAS, CHAIRMAN

FEDERAL TRADE COMMISSION

Statement of The Honorable Deborah Majoras Chairman, Federal Trade Commission and The Honorable Orson Swindle Commissioner, Federal Trade Commission and The Honorable Thomas B. Leary Commissioner, Federal Trade Commission and The Honorable Pamela Harbour Commissioner, Federal Trade Commission and Mr. Jon Leibowitz Commissioner, Federal Trade Commission

Committee on Senate Commerce, Science, and Transportation

June 16, 2005

INTRODUCTION

Mr. Chairman, I am Deborah Platt Majoras, Chairman of the Federal Trade Commission.

My fellow Commissioners and I appreciate the opportunity to appear before you today as we work to ensure the safety and security of consumers' personal information. As we have testified previously, advances in commerce, computing, and networking have transformed the role of consumer information. Modern consumer information systems can collect, assemble, and analyze information from disparate sources, and transmit it almost instantaneously. Among other things, this technology allows businesses to offer consumers a wider range of products, services, and payment options; greater access to credit; and faster transactions.

Efficient information systems - data that can be easily accessed, compiled, and transferred - also can lead to concerns about privacy and security. Recent events validate concerns about information systems' vulnerabilities to misuse, including identity theft.

BACKGROUND

One particular focus of concern has been "data brokers," companies that specialize in the collection and distribution of consumer data. Data brokers epitomize the tension between the benefits of information flow and the risks of identity theft and other harms. Data brokers have emerged to meet the information needs of a broad spectrum of commercial and government users. The data broker industry is large and complex and includes companies of all sizes. Some collect information from original sources, both public and private; others resell data collected by others; and many do both. Some provide information only to government agencies or large companies, while others sell information to smaller companies or the general public as well. The amount and scope of the information that they collect varies from company to company, and many offer a range of products tailored to different markets and uses. These uses include fraud prevention, debt collection, law enforcement, legal compliance, applicant authentication, market research, and almost any other function that requires the collection and aggregation of consumer data. Because these databases compile sensitive information, they are especially attractive targets for identity thieves.

Identity theft is a crime that harms both consumers and businesses. A 2003 FTC survey estimated that nearly 10 million consumers discovered that they were victims of some form of identity theft in the preceding 12 months, costing American businesses an estimated $48 billion in losses, and costing consumers an additional $5 billion in out-ofpocket losses. The survey looked at the two major categories of identity theft: (1) the misuse of existing accounts; and (2) the creation of new accounts in the victim's name. Not surprisingly, the survey showed a direct correlation between the type of identity theft and its cost to victims, in both the time and money spent resolving the problems. For example, although people who had new accounts opened in their names made up only onethird of the victims, they suffered two-thirds of the direct financial harm. The ID theft survey also found that victims of the two major categories of identity theft cumulatively spent almost 300 million hours - or an average of 30 hours per person - correcting their records and reclaiming their good names. Identity theft causes significant economic and emotional injury, and we take seriously the need to reduce it.

As detailed in our recent testimony on this subject,4 there are a variety of existing federal laws and regulations that address the security of, and access to, sensitive information that these companies maintain, depending on how that information was collected and how it is used. For example, the Fair Credit Reporting Act ("FCRA") regulates credit bureaus, any entity or individual who uses credit reports, and the businesses that furnish information to credit bureaus. The FCRA requires that sensitive credit report information be used only for certain permitted purposes. The Gramm- Leach-Bliley Act ("GLBA") prohibits financial institutions from disclosing consumer information to non-affiliated third parties without first allowing consumers to opt out of the disclosure. GLBA also requires these businesses to implement appropriate safeguards to protect the security and integrity of their customer information.

In addition, Section 5 of the Federal Trade Commission Act ("FTC Act") prohibits "unfair or deceptive acts or practices in or affecting commerce." Under the FTC Act, the Commission has broad jurisdiction to prohibit unfair or deceptive practices by a wide variety of entities and individuals operating in commerce. Prohibited practices include deceptive claims that companies make about privacy, including claims about the security they provide for consumer information. To date, the Commission has brought five cases against companies for deceptive security claims. These actions alleged that the companies made explicit or implicit promises to take reasonable steps to protect sensitive consumer information, but because they allegedly failed to take such steps, their claims were deceptive. The consent orders settling these cases have required the companies to implement appropriate information security programs that generally conform to the standards that the Commission set forth in the GLBA Safeguards Rule. In addition to deception, the FTC Act prohibits unfair practices. Practices are unfair if they cause or are likely to cause consumers substantial injury that is neither reasonably avoidable by consumers nor offset by countervailing benefits to consumers or competition. The Commission has used this authority to challenge a variety of injurious practices that threaten data security.

As the Commission has testified previously, an actual breach of security is not a prerequisite for enforcement under Section 5; however, evidence of such a breach may indicate that the company's existing policies and procedures were not adequate. It is important to note, however, that there is no such thing as perfect security, and breaches can happen even when a company has taken every reasonable precaution.

Despite the existence of these laws, recent security breaches have raised questions about whether data brokers and other companies that collect or maintain sensitive personal information are taking adequate steps to ensure that the information they possess does not fall into the wrong hands, as well as about what steps should be taken when such data is acquired by unauthorized individuals. Vigorous enforcement of existing laws and business education about the requirements of existing laws and the importance of good security can go a long way in addressing these concerns. Nonetheless, recent data breaches have prompted Congress to consider legislative proposals, and the Commission has been asked to comment on the need for new legal requirements.

INCREASING CONSUMER INFORMATION SECURITY

The Commission recommends that Congress consider whether companies that hold sensitive consumer data, for whatever purpose, should be required to take reasonable measures to ensure its safety. Such a requirement could extend the FTC's existing GLBA Safeguards Rule to companies that are not financial institutions.

Further, the Commission recommends that Congress consider requiring companies to notify consumers when the security of this information has been breached in a manner that creates a significant risk of identity theft. Whatever language is chosen should ensure that consumers receive notices when they are at risk of identity theft, but not require notices to consumers when they are not at risk. As discussed below, the goal of any notification requirement is to enable consumers to take steps to avoid the risk of identity theft. To be effective, any such requirement must provide businesses with adequate guidance as to when notices are required.

In addition, many have raised concerns about misuse of Social Security numbers. It is critical to remember that Social Security numbers are vital to current information flows in the granting and use of credit and the provision of financial services. In addition, private and public entities routinely have used Social Security numbers for many years to access their voluminous records. Ultimately, what is required is to distinguish between legitimate and illegitimate collection, uses, and transfers of Social Security numbers.

Finally, law enforcement activity to protect data security is increasingly international in nature. Given the globalization of the marketplace, an increasing amount of U.S. consumer information may be accessed illegally by third parties outside the United States or located in offshore databases. Accordingly, the Commission needs new tools to investigate whether companies are complying with U.S. legal requirements to maintain the security of this information, and cross-border fraud legislation would give the Commission these tools. For that reason, the Commission recommends that Congress enact cross-border fraud legislation to overcome existing obstacles to information sharing and information gathering in cross-border investigations and law enforcement actions.

For example, if the FTC and a foreign consumer protection agency are investigating a foreign business for conduct that violates both U.S. law and the foreign country's law, current law does not authorize the Commission to share investigative information with the foreign consumer protection agency, even if such sharing would further our own investigation. New cross-border fraud legislation could ease these restrictions, permit the sharing of appropriate investigative information with our foreign counterparts, and give us additional mechanisms to help protect the security of U.S. consumers' data whether it is located abroad or in the United States.

A. Require Procedures to Safeguard Sensitive Information

One important step to reduce the threat of identity theft is to increase the security of certain types of sensitive consumer information that could be used by identity thieves to misuse existing accounts or to open new accounts, such as Social Security numbers, driver's license numbers, and account numbers in combination with required access codes or passwords.

Currently, the Commission's Safeguards Rule under GLBA requires financial institutions to implement reasonable physical, technical, and procedural safeguards to protect customer information. Instead of mandating specific technical requirements that may not be appropriate for all entities and might quickly become obsolete, the Safeguards Rule requires companies to evaluate the nature and risks of their particular information systems and the sensitivity of the information they maintain, and to take appropriate steps to counter these threats. They also must periodically review their data security policies and procedures and update them as necessary. The Safeguards Rule provides a strong but flexible framework for companies to take responsibility for the security of information in their possession, and it reflects widely accepted principles of information security, similar to those contained in the Organization for Economic Cooperation and Development's Guidelines for the Security of Information Systems and Networks.

Currently, the Safeguards Rule applies only to "customer information" collected by "financial institutions."20 It does not cover many other entities that may also collect, maintain and transfer or sell sensitive consumer information. Although we believe that Section 5 already requires companies holding sensitive data to have in place procedures to secure it if the failure to do so is likely to cause substantial consumer injury, we believe Congress should consider whether new legislation incorporating the flexible standard of the Commission's Safeguards Rule is appropriate.

Notice When Sensitive Information Has Been Breached

Unfortunately, even if the best efforts to safeguard data are made, security breaches can still occur. The Commission believes that if a security breach creates a significant risk of identity theft or other related harm, affected consumers should be notified. Prompt notification to consumers in these cases can help them mitigate the damage caused by identity theft. Notified consumers can request that fraud alerts be placed in their credit files, obtain copies of their credit reports, scrutinize their monthly account statements, and take other steps to protect themselves. The challenge is to require notices only when there is a likelihood of harm to consumers. There may be security breaches that pose little or no risk of harm, such as a stolen laptop that is quickly recovered before the thief has time to boot it up. Requiring a notice in this type of situation might create unnecessary consumer concern and confusion. Moreover, if notices are required in cases where there is no significant risk to consumers, notices may be more common than would be useful. As a result, consumers may become numb to them and fail to spot or act on those risks that truly are significant. In addition, notices can impose costs on consumers and on businesses, including businesses that were not responsible for the breach. For example, in response to a notice that the security of his or her information has been breached, a consumer may cancel credit cards, contact credit bureaus to place fraud alerts on his or her credit files, or obtain a new driver's license number. Each of these actions may be time-consuming for the consumer, and costly for the companies involved and ultimately for consumers generally.

Currently there are two basic approaches in place that are used to determine when notices should be triggered. The first is the bank regulatory agency standard. Under that standard, notice to the federal regulatory agency is required as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information. In addition, notice to consumers is required when, based on a reasonable investigation of an incident of unauthorized access to sensitive customer information, the financial institution determines that misuse of its information about a customer has occurred or is reasonably possible.

The second approach is found in the California notice statute. Under that approach, all businesses are required to provide notices to their consumers when a defined set of sensitive data, in combination with information that can be used to identify the consumer, has been or is reasonably likely to have been acquired by an unauthorized person in a manner that "compromises the security, confidentiality, or integrity of personal information."

The California "unauthorized acquisition" approach to requiring consumer notice does not compel notice in every instance of improper access to a database. Instead, it allows businesses some flexibility to determine when a notice is necessary, while also providing a fairly objective standard against which compliance can be measured by the broad range of businesses subject to the law. Under guidance issued by the California Office of Privacy Protection, a variety of factors can be considered in determining whether information has been "acquired," such as (1) indications that protected data is in the physical possession and control of an unauthorized person (such as a lost or stolen computer or other device); (2) indications that protected data has been downloaded or copied; or (3) indications that protected data has been used by an unauthorized person, such as to open new accounts. One issue that is not directly considered is what action to take in cases in which, prior to sending consumer notification, the business already has taken steps that remedy the risk. For example, one factor to consider in deciding whether to provide notice is whether the business already has canceled consumers' credit card accounts and reissued account numbers to the affected consumers.

We have growing experience under both models to inform consideration of an appropriate national standard. Because formulating any standard will require balancing the need for a clear, enforceable standard with ensuring, to the extent possible, that notices go to consumers only where there is a risk of harm, we believe that if Congress decides to enact a notice provision, the best approach would be to authorize the FTC to conduct a rulemaking under general statutory standards. The rulemaking would set the criteria under which notice would be required for data breaches involving non-regulated industries. The rulemaking could address issues such as the circumstances under which notice is required, which could depend on the type of breach and risk of harm, and the appropriate form of notice. This approach would also allow the Commission to adjust the standard as it gains experience with its implementation.

Social Security Numbers

Social Security numbers today are a vital instrument of interstate commerce. With 300 million American consumers, many of whom share the same name, the unique 9-digit Social Security number is a key identification tool for business. As the Commission found in last year's data matching study under FACTA, Social Security numbers also are one of the primary tools that credit bureaus use to ensure that the data furnished to them is placed in the right file and that they are providing a credit report on the right consumer. Social Security numbers are used in locator databases to find lost beneficiaries, potential witnesses, and law violators, and to collect child support and other judgments. Social Security number databases are used to fight identity fraud - for example, they can confirm that a Social Security number belongs to a particular loan applicant and is not stolen. Without the ability to use Social Security numbers as personal identifiers and fraud prevention tools, the granting of credit and the provision of other financial services would become riskier and more expensive and inconvenient for consumers.

While Social Security numbers have important legitimate uses, their unauthorized use can facilitate identity theft. Identity thieves use the Social Security number as a key to access the financial benefits available to their victims. Currently, there are various federal laws that place some restrictions on the disclosure of specific types of information under certain circumstances. The FCRA, for example, limits the provision of "consumer report" information to certain purposes, primarily those determining consumers' eligibility for certain transactions, such as extending credit, employment, or insurance. GLBA requires that "financial institutions" provide consumers an opportunity to opt out before disclosing their personal information to third parties, outside of specific exceptions, such as for fraud prevention or legal compliance. Other statutes that limit information disclosure include the privacy rule under the Health Insurance Portability and Accountability Act of 1996, which applies to health care providers and other medical-related entities, and the Drivers Privacy Protection Act,32 which protects consumers from improper disclosures of driver's license information by state motor vehicle departments.

While these laws provide important privacy protections within their respective sectors, they do not provide comprehensive protection for Social Security numbers.33 For example, disclosure of a consumer's name, address, and Social Security number may be restricted under GLBA when the source of the information is a financial institution,34 but in many cases the same information can be purchased on the Internet from a non-financial institution. The problem of how to strengthen or expand existing protections in ways that would not interfere with the beneficial uses of Social Security numbers is challenging.

Although the Commission has extensive experience with identity theft and the consumer credit reporting system, restrictions on disclosure of Social Security numbers could have a broad impact on areas where the Commission does not have expertise. These areas include public health, criminal law enforcement, and anti- terrorism efforts. Morever, efforts to restrict disclosure of Social Security numbers are complicated by the fact that among the primary sources of Social Security numbers are the public records on file with many courts and clerks in cities and counties across the nation. Regulation or restriction of Social Security numbers in public records thus poses substantial policy and practical concerns.

Ultimately, what is required is to distinguish between legitimate and illegitimate collection, uses, and transfers of Social Security numbers. The Commission would appreciate the opportunity to work with Congress to further evaluate the costs and benefits to consumers and the economy of regulating the collection, transfer, and use of Social Security numbers.

CONCLUSION

New information systems have brought benefits to consumers and businesses alike. Never before has information been so portable, accessible, and flexible. Indeed, sensitive personal financial information has become the new currency of today's high tech payment systems. But with these advances come new risks, and identity thieves and other bad actors have begun to take advantage of new technologies for their own purposes. As the recent focus on information security has demonstrated, Americans take their privacy seriously, and we must ensure that the many benefits of the modern information age are not diminished by these threats to consumers' security. The Commission is committed to ensuring the continued security of consumers' personal information and looks forward to working with you to protect consumers.

June 16, 2005

CALIFORNIA COMPUTER STOLEN FROM BUSINESSSan Mateo Daily Journal: "Theft. Computer equipment was stolen from a business on the 2900 block of Campus Drive before 1:41 p.m. Wednesday. "

JAPAN COMPUTERS STOLEN FROM ALL NIPPON AIRWAYSJapan Today - News - ANA subsidiary employee held over theft of personal data - Japan's Leading International News Network: "ANA subsidiary employee held over theft of personal data


Sunday, June 19, 2005 at 07:27 JST
TOKYO An employee at a subsidiary of All Nippon Airways Co was arrested Saturday on suspicion of stealing three laptop computers containing personal data on a total of 5,300 customers, police said.
Shigeru Takizawa, 32, of ANA Communications Co allegedly stole the three computers from the corporate sales section at ANA's Tokyo branch early Thursday morning, according to the police. He has admitted to the allegations and apologized, they said. (Kyodo News)"

ILLINOIS STATE GOVERNMENT SIGNS IN NEW LAWS PROTECTING CONSUMERS FROM IDENTITY THEFTChester Local News
June 17, 2005

New Laws Protecting Illinois Consumers From Identity Theft

After several high profile financial information security breaches across the nation, Governor Rod R. Blagojevich today signed several pieces of legislation designed to safeguard consumers against identity theft. The bills the Governor signed not only place more stringent regulations on businesses, requiring them to quickly notify consumers of possible security breaches, but also increase the penalties against identity thieves and provide victims with the resources necessary to protect themselves from future violation. The cornerstone of the package, House Bill 1633, makes Illinois the second state in the nation to require companies to quickly notify consumers in the state if their personal information is compromised due to a breach in company security.

HB 1633 came in response to an October 2004 incident in which Georgia-based ChoicePoint, sold the personal information of more than 145,000 people, including 5,000 Illinoisans, to identity thieves who pretended to be legitimate businesses. Even though officials at ChoicePoint were aware of the breach, consumers weren’t notified of the situation until months later, when officials, prompted by an existing California law requiring the disclosure of any security breach which puts Californians’ personal information at risk, revealed the information. Other massive security breaches have earned attention recently: roughly 1.5 million DSW Shoe Warehouse customers’ financial information were compromised in April; tapes containing information about 3.9 million CitiFinancial customers were reported missing earlier this month; and just last week Motorola disclosed that computers were stolen that containing the social security numbers of potentially thousands of employees.

House Bill 1633 becomes effective January 1, 2006.

CANADA COMPANIES NEED TO LOCK UP DATA ON COMPUTERS Technology - canada.comCompanies, lock up your data
Failure to have an 'incident response protocol' could cost a business a bundle if clients' information is stolen

Geof Wheelwright
Financial Post


June 17, 2005

REDMOND, Wash. - Does your company know what to do if someone breaks into its computer network and steals information? According to the security experts at Microsoft, you need an "incident response protocol" - and failure to have one can cost you.

While the world's largest software company regularly issues "patches" and security updates to the products it encourages all businesses to use, company officials suggest no-one should assume their systems are invulnerable just because they are current on security updates.

Jan Vandenbos, senior network security technologist at Microsoft, says developing an incident response protocol is a matter of defining what your company is supposed to do if someone breaks into its computer network and steals information.

He says that is one of a number of steps businesses need to take in order to lock down the data that is vital to their daily operations and comply with government regulations about information privacy and protection.

Failure to do so could cost the company a lot of money because a growing number of government regulations require that companies not only take all appropriate steps to ensure private information in their databases stays private, but that they be able to clearly and accurately track the movement of all information in and out of their businesses.

"If your major server is intruded upon, you need to know if you should unplug it or leave it plugged in to see who is connected," Mr. Vandenbos says.

"You need to do three things: preserve, document and notify."

Businesses need to be able to preserve all information about the state of the system at the time of the security breach, document what information was copied off the network and notify everyone who needs to know about it. In the United States, the latter can be time-consuming, expensive and embarrassing.

The provisions of the U.S. Health Insurance Portability and Accountability Act (HIPAA) provide for enormous fines if patient records are stolen from a computer network (what the act calls "unintended disclosure"). Mr. Vandenbos says fines can be as much as US$250,000 per patient record stolen. In addition, health care providers are required to immediately notify all those whose records have been compromised. Similarly, the Fair Credit Reporting Act requires that a high level of care is taken with consumer credit information.

In addition to having a plan to be able to document an attack and quickly be able to assess what information was stolen and notify those affected, Mr. Vandenbos warns companies also need to start thinking more about the types of attacks that could affect them. He says companies should think more about how to deal with "higher value, lower frequency" attacks, rather than those attacks that may be frequent, annoying and inconvenient but result in little or no information theft.

Amy Roberts, director of product management at Microsoft's Security Business & Technology Unit, says it's possible for businesses to apply traditional "total cost of ownership" criteria to the cost of security solutions -- and that they should do so as part of an overall risk-assessment strategy. She says a company with more sensitive and valuable data, such as health information or consumer credit data, may spend more on computer security than those who less vital information.

"It depends on an individual company's risk analysis," she says. "You need to look at how do you do security and take a look at the business drivers. If you live and breathe by your database, protecting that database will be very important."

CALIFORNIA COMPUTERS STOLEN FROM BUSINESSContraCostaTimes.com | 06/17/2005 | POLICE LOG: "Saturday, June 11
BUSINESS BURGLARY -- An employee at Independent Equipment Company on Mt. Diablo Boulevard reported at 1:53 p.m. that someone had broken into the business and stolen $3,400 worth of computers and accessories."

US GOVERNMENT SENATE CONSIDERS OPTIONS ON DATA ISSUES DMNews.com | News | Article Senate Committee Considers Options on Data Issues

June 17, 2005

By: Kristen Bremner
Senior Editor
kristen@dmnews.com

With several bills that address data security and identity theft already in the congressional mix, the U.S. Senate Committee on Commerce, Science & Transportation considered legislative options yesterday at a hearing on those topics.

Meanwhile, the Federal Deposit Insurance Corp. began notifying about 6,000 current and former employees that their personal data were breached and that the breach had resulted in fraud, according to a report in yesterday's Washington Post.

The newspaper said that letters to employees were dated June 9 and advised the individuals to monitor their credit reports and accounts. The data included names, birth dates, Social Security numbers and salary information on FDIC employees from 2002 forward.

In what the letter characterized as a "small number of cases," the data were used improperly to gain credit union loans.

The Washington Post reported that the letter said the breach happened early last year and was discovered recently but no other details were offered.

Also yesterday, Equifax Canada revealed that apparently hackers had improperly used customer access codes and security passwords to obtain credit files on about 600 Canadians.

Sen. Gordon Smith, R-OR, presided over yesterday's hearing and began by saying that an identity theft and data security bill written by him is forthcoming.

The first panel consisted of testimony by William Sorrell, Vermont attorney general and president of the National Association of Attorneys General, who said that since he had not consulted with all of his colleagues in the association, his comments reflected only his position as attorney general of Vermont.

"The reality is that quite apart from our cash assets our truly valuable assets are not our possessions but our access to credit," he said. "Consumers need government help to protect themselves from identity theft."

Sorrell testified that he encourages a federal security breach notification law but fears state preemption. He viewed the federal law as a floor, not a ceiling, on which states should be allowed to build.

He also commended the California notification law and suggested giving consumers the option to freeze their credit reports.

The second panel included Federal Trade Commission chairman Deborah Platt Majoras and the four FTC commissioners.

Majoras testified on behalf of herself and the commissioners, reiterating her comments from previous congressional hearings by outlining the Fair Credit Reporting Act, Gramm Leach Bliley and Section Five of the FTC Act prohibiting unfair and deceptive trade practices as existing legislation that regulates some data brokering.

She spoke of the need for further legislation regarding data security and identity theft. The commission urged mandatory security measures for all companies that collect and store sensitive personal information on consumers. Majoras said a law similar to the Safeguards Rule under GLB that requires physical, technical and procedural safeguards for financial information might be considered.

The FTC also recommended the consideration of a data breach notification law as well as legislation outlining legitimate and illegitimate collection, use and transfer of Social Security numbers.

Commissioners Orson Swindle, Thomas B. Leary, Pamela Harbour and Jon Leibowitz also gave individual testimony.

Other lawmakers, including Sens. Charles Schumer, D-NY; Bill Nelson, D-FL; and Dianne Feinstein, D-CA, gave opening statements and spoke about the bills that they had previously introduced.

Schumer and Nelson introduced an identity theft prevention bill in April to create an FTC office of identity theft and require data providers to register with the commission. Other provisions would institute safeguards to prevent fraudulent access to data and give consumers access and the option to fix errors.

Their legislation also would mandate notice of third-party data disclosure and notification of breaches. Provisions related to Social Security numbers would prohibit companies from asking for the numbers unless necessary for a transaction; prohibit display of Social Security numbers on employee IDs; ban the sale and purchase of the numbers except for law enforcement, national security and fraud purposes; and grant the attorney general the ability to define exemptions.

Also in April, Feinstein offered a revised version of the Notification of Risk to Personal Data Act that she first introduced Jan. 24. The original bill required mandatory notification when sensitive data are breached. The revision adds provisions to close loopholes that exempt encrypted data and specify the contents of the notices.

Legislation started appearing when high-profile data breaches began coming to light this year. Data provider ChoicePoint notified 35,000 California consumers that their information may have been accessed in late January as required by state law. On Feb. 16, it said another 110,000 letters would be sent nationwide involving the accessed data.

Bank of America confirmed Feb. 25 that some of its computer data tapes containing personal and account information for 1.2 million federal government charge card program customers were lost during shipment to a backup data center.

LexisNexis on March 9 said personal information of 32,000 consumers had been accessed through misappropriation of legitimate customer identifications and passwords from its Seisint database. After an internal investigation, it said April 12 that another 280,000 consumers were at risk.

DSW Shoe Warehouse parent Retail Ventures Inc. said March 8 that DSW suffered a data theft affecting 103 of its 175 U.S. stores. On April 18, Retail Ventures, Columbus, OH, issued a statement based on an investigation saying 1.4 million credit card transactions and 96,000 check payments were discovered across 108 DSW stores. Ohio Attorney General Jim Petro filed a complaint against DSW Inc. involving the firm's handling of the data breach, seeking to have all affected individuals notified.

CitiFinancial, a consumer lending branch of Citigroup, said June 6 that it has begun notifying 3.9 million of its U.S. branch network customers that computer tapes containing personal information were lost by United Parcel Service on the way to a credit bureau. The data involved current U.S. CitiFinancial branch network customers and information on closed accounts from CitiFinancial Retail Services but included no data from CitiFinancial Auto, CitiFinancial Mortgage or any other Citigroup business, the firm said. Personal information on the tapes included names, Social Security numbers, account numbers and payment histories. The firm also said it would halt its practice of shipping consumer data on tapes, opting to begin sending encrypted data electronically as of July.

Kristen Bremner covers list news, insert media, privacy and fundraising for DM News and DMNews.com. To keep up with the latest developments in these areas, subscribe to our daily and weekly e-mail newsletters by visiting www.dmnews.com/newsletters

GEORGIA 255 COMPUTERS STOLEN AT CLAYTON COUNTY SCHOLLS OVER THE LAST 3 YEARS news-daily.comClayton schools lose $300,000 in computers
By Bob Paslay

bpaslay@news-daily.com

Thieves have made off with 255 computers from schools in Clayton County in the last three years, and an official said security steps are being stepped up to stem this growing crime.

The loss amounted to more than $350,000, according to Steve Holmes, executive director of Information Technology for the 50,000-student school system.

"Computer theft is becoming a serious problem. There is a $10 billion lost a year nationally and it is growing at a rate of 25 percent," Holmes said.

Holmes said some of the methods the school system is using to slow down the thefts are making it harder to get to the computers and hard to haul them away if they do get to them, but he said one or more things are being done that the district doesn't want to say to tip off the thieves.

The computers stolen since 2003 are 182 laptops and 73 desktops.

"Easy to carry also means easy to steal," Holmes said in explaining the number of laptops taken.

"We are doing everything we can do" to stop this theft, Holmes said.

Every laptop now has a "tattoo" that is the seal of the Clayton County School system. Unlike a stick-on identification the tattoo is actually imbedded in the plastic so it can't be removed. This means that even if one of the laptops is snatched it would be harder to fence because it would be clear it was stolen from the school system.

Teachers who use their laptops in class are now required to sign a statement that the will take their computer with them when they leave the classroom. This makes it harder to find a computer that is unguarded.

For the tabletop computers, they are being bolted to the computer tables with four different kinds of screws which means a thieve would have to have four different tools to unbolt them. The screws themselves are unique enough that the tools are readily available.

In addition, all school buildings have security systems designed to stop any break-ins at night.

So far, police have only recovered seven stolen laptops.

Some are inside jobs and a worker for a contractor doing work for the schools was arrested for stealing some computers, Holmes said.

In the past, a cart containing a number of computers was kept at various schools, and in one instance when a thieve broke into one school the theft of one cart resulted in the loss of 15 computers. The system is now storing its computers in a way to cut down on this multiple theft.

Clayton County schools were paying $50,000 a year for a security tracking system designed to help at least recover stolen computers, but Holmes said the tracking recovered only one computer and wasn't worth the cost.

The following is a breakdown of the losses by schools:

Alternative School, 2; Anderson Elementary, 1; Babb Middle, 3; Brown Elementary, 2; Callaway Elementary, 13; Church Street Elementary, 22; East Clayton Elementary, 1; Forest Park High, 1; Fountain Elementary, 1; Harper Elementary 12; Hawthorne, 20; Haynie Elementary, 2; Hendrix Drive Elementary, 1; Jackson Elementary, 1; Jonesboro High 26; Jonesboro Middle, 1; Kemp Elementary, 13.

Also, Kendrick Middle, 10; Kilpatrick Elementary, 12; King Elementary, 1; Lake Ridge Elementary, 2; Lee Street Elementary, 1; Lovejoy High, 3; Lovejoy Middle, 5; M.D. Roberts Elementary, 2; McGarrah Elementary, 2; Morrow High, 10; Morrow Middle 1; Mount Zion Elementary, 4; Mount Zion High, 4; Mundy's Mill High, 2; Mundy's Middle, 2; Northcutt Elementary, 6; North Clayton High, 8; North Clayton Middle, 2; Oliver Elementary, 38; Point South Elementary, 1; Point South Middle, 3; Riverdale High, 16; Swint Elementary, 1; Tara Elementary, 1 and West Clayton Elementary, 4.

The 14 other schools in the district had no thefts.

TENNESSEE CYBERANGEL AND SKYHOOK WIRELESS ANNOUNCE NEW COMPUTER RECOVERY SYSTEM FOR STOLEN LAPTOP TRACKINGCyberAngel Security Solutions and Skyhook Wireless Announce Groundbreaking New Laptop Recovery System; New Wi-Fi Tracker Combines the CyberAngel Security and Recovery System with Wi-Fi Based Location SystemJune 20, 2005 08:00 AM US Eastern Timezone

CyberAngel Security Solutions and Skyhook Wireless Announce Groundbreaking New Laptop Recovery System; New Wi-Fi Tracker Combines the CyberAngel Security and Recovery System with Wi-Fi Based Location System

NASHVILLE, Tenn. and BOSTON--(BUSINESS WIRE)--June 20, 2005--CyberAngel Security Solutions, Inc. (CSS, Inc.), a leading provider of laptop recovery solutions, and Skyhook Wireless, provider of the industry's first Wi-Fi based metro-area positioning system, today announced Wi-Fi Tracker, a revolutionary new system for reducing the risk of stolen computer equipment and confidential data. Built on Skyhook Wireless' new Wi-Fi Positioning System, The CyberAngel Wi-Fi Tracker enables laptop owners, CIO's and government security managers to identify the exact location of stolen equipment.


According to Safeware The Insurance Agency, more than 600,000 laptops are stolen or lost every year, increasing the risk of confidential customer data, corporate trade secrets and classified government documents becoming compromised. This joint solution extends The CyberAngel Software recovery capabilities by enabling any Wi-Fi enabled computer to be tracked throughout the major metropolitan areas of the United States. This powerful combination, scheduled for availability this summer, will increase the recovery rates of stolen laptops and decrease the time it takes to locate and reclaim critical assets.

When The CyberAngel Authentication is breached at login or boot-up, The CyberAngel Security Software's patented technology silently transmits an alert to The CyberAngel Security Monitoring Center, where the location of the computer is identified. The "unauthorized user" is unaware that an alert is being transmitted. The Wi-Fi Tracker utilizes the Skyhook Wireless system to supply a latitude and longitude reading of the laptop at that precise moment. The Recovery Team then helps coordinate notice to all necessary law enforcement officials and works closely with them to provide a rapid recovery of the stolen computer.

"With the proliferation of Wi-Fi-enabled devices, partnering with Skyhook Wireless to extend our search and recovery capabilities was a logical next step," said Bradley Lide, president and CEO of Cyber Angel Security Solutions. "We now offer increased piece-of-mind for those mobile professionals and CIO's who worry about the damage and liability these theft situations cause."

"The CyberAngel is uniquely combining Wi-Fi location technologies with the proven search and recovery capabilities of its security software solutions and delivering a valuable service to companies concerned about laptop and data theft," said Ted Morgan, CEO of Skyhook Wireless. "With the exponential growth in mobile computing, on-line services, and the usage of the Internet, innumerable security risks have been created. We are proud to work with companies like CyberAngel to reduce the risks of hardware theft and information embezzlement."
About CyberAngel Security Solutions, Inc.

CyberAngel Security Solutions, Inc. (CSS, Inc.) has been providing The CyberAngel Software since 1996, and is considered a pioneer in PC Tracking & Recovery, Intrusion Detection, and Data & Information Security. For more information about The CyberAngel Security Software and the Wi-Fi Tracker please contact Bradley Lide with CSS, Inc. at INFO@THECYBERANGEL.COM.

About Skyhook Wireless

Founded in 2003, Skyhook Wireless has pioneered the development of the first-ever metro-area positioning system that leverages Wi-Fi rather than satellites or cell towers to deliver precise location data supporting the growing market for location-based services. The Skyhook Wi-Fi Positioning System (WPS) requires no new hardware, works indoors and outdoors, provides an instant location and is more accurate than current technologies in congested downtown areas. Skyhook Wireless is headquartered in Boston, MA and is privately held. For more information on the company and its Wi-Fi positioning system, visit www.skyhookwireless.com, send email to info@skyhookwireless.com or call 781.898.0495.

MILWAUKEE COMPUTERS STOLEN FROM BUSINESSJS Online: Milwaukee County Police Report - North: "WAUWATOSA
Burglary
Stereo, electronics and computer equipment, valued at $27,600, were stolen from Global Sight & Sound, 611 N. Mayfair Road, between 5:30 p.m. June 9 and 7:55 a.m. June 10. An exterior glass door was smashed with a brick to gain entry. Stolen items included two plasma televisions, DVD players, speakers, radios and computer monitors."

CALIFORNIA STOLEN COMPUTERS RECOVEREDRed Bluff Daily News Online - NewsSuspects arraigned in county burglaries

By REBECCA WOLF-DN Staff Writer

RED BLUFF Two people arrested after authorities recovered hundreds of pieces of stolen property in September were arraigned this week on charges of receiving stolen property.

Red Bluff residents Connie Elaine Whitson, 50, and Steven Ray Palmer, 40, have been charged with 24 counts each and were told to return to court on June 27 after their attorney, Ronald McIver, asked for a two-week continuance for an informal discovery request.

The two have pleaded not guilty and in May waived their preliminary hearings.

Whitson and Palmer were arrested after a series of raids on several locations that yielded several hundred pieces of stolen property. The property included a large variety of hand tools, power tools, computer and electronic equipment, jewelry, lawn and garden equipment and other items.

The property is believed to have come from residential and commercial burglaries and thefts, authorities have said.

Officers from the Red Bluff Police Department and the Tehama County Sheriff's Department began a complex investigation in August that led to searches at several Red Bluff locations.

The RBPD and the sheriff's department worked together on the case because there were victims in both jurisdictions.