References

Here you will find a clickable listing of all the publications that were used as resources for the “Data Breaches” book.

Chapter 1:

  1. Alex Salkever, “Computer Break-Ins: Your Right to Know,” BusinessWeek, November 11, 2002, https://www.bakerlaw.com/files/uploads/documents/data%20breach%20documents/data_breach_charts.pdf.
  2. CERN, “Dark Matter,” CERN, https://home.cern/about/physics/dark-matter (accessed January 5,2018).
  3. Paul R. Cichonski, Thomas Millar, Timothy Grance, and  Karen  Scarfone, Computer  Security Incident  Handling Guide, Special Pub. 800-61, rev. 2 (Washington, DC: NIST, 2012), https://nvlpubs.nist.gov/nistpubs/ SpecialPublications/NIST.SP.800-61r2.pdf
  4. “HITECH Act Enforcement Interim Final Rule,” U.S. Department of Health and Human Services, last revised June 16, 2017, https://www.hhs.gov/hipaa/for-professionals/index.html.
  5. BakerHostetler,“DataBreachCharts,”BakerLaw,July2018, https://www.bakerlaw.com/files/uploads/documents/data%20breach%20documents/data_breach_charts.pdf.
  6. Charles Duhigg, “How Companies Learn YourSecrets,” New YorkTimes Magazine, February 16, 2012, http://www.nytimes.com/2012/02/19/magazine/shopping-habits.html?pagewanted=1&r=2&hp.
  7. U.S.  Department  of  Health and  Human  Services, Examining  Oversight of  the  Privacy &  Security  of Health Data Collected by Entities Not Regulated by HIPAA (Washington, DC: US HSS, June 17, 2016), https://www.healthit.gov/sites/default/files/non-covered_entities_report_june_17_2016.pdf.
  8. U.S.  General Accounting Office (GAO), Information Security: Computer Attacks at Department of Defense  Pose Increasing Risks, Pub. No. B-266140 (Washington, DC: GPO, May1996), 19, http://www.gao.gov/assets/160/155448.pdf.
  9. Tracey Lien, “It’s Strange Yahoo Took 2 Years to Discover a Data Breach, Security Experts Say,”Los Angeles Times, September 23, 2016, http://www.latimes.com/business/technology/la-fi-tn-yahoo-data-breach-20160923-snap-story.html.
  10. Jaikumar Vijayan, “TJX Data Breach: At 45.6M Card Numbers, It’s  the Biggest Ever,”  ComputerWorld,May  29, 2007, https://www.computerworld.com/article/2544306/security0/tjx-data-breach–at-45-6m-card-numbers–it-s-the-biggest-ever.html.
  11. Letter from Goodwill Industries International President and CEO Jim Gibbons, September 2, 2014,http:// www.goodwill.org/wp-content/uploads/2014/09/Letter.pdf.
  12. David  E. Sanger and Julie Hirschfield Davis,  “Hacking Linked to China Exposes Millions of U.S.  Workers,” NewYorkTimes,June4,2015,http://www.nytimes.com/2015/06/05/us/breach-in-a-federal-computer-system-exposes-personnel-data.html
  13. Patricia Zengerle and Megan Cassella, “Millions More Americans Hit by GovernmentPersonnel DataHack,”Reuters, July9,2015, https://www.reuters.com/article/us-cybersecurity-usa/millions-more-americans-hit-by-government-personnel-data-hack-idUSKCN0PJ2M420150709.
  14. Sean Gallagher, “Why the ‘Biggest Government Hack Ever’ Got Past the Feds,”ArsTechnica, June 8, 2015, https://arstechnica.com/information-technology/2015/06/why-the-biggest-government-hack-ever-got-past-opm-dhs-and-nsa/2.
  15. Verizon, 2018 Data Breach Investigations Report, Verizon Enterprise, 2018, 28, https://enterprise.verizon.com/ resources/reports/2018/DBIR_2018_Report.pdf.
  16. Brian Krebs, “How Was YourCredit Card Stolen?” Krebs on Security, January 19, 2015, https:// krebsonsecurity.com/2015/01/how-was-your-credit-card-stolen.
  17. Brian Krebs, “Banks: Credit Card Breach at CiCi’s Pizza,” Krebs on Security, June 3, 2016, https:// krebsonsecurity.com/2016/06/banks-credit-card-breach-at-cicis-pizza.
  18. Mandiant, APT1: Exposing One of China’s Cyber Espionage Units (Alexandria, VA: Mandiant, 2013) https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf.
  19. Jordan Robertson, “Yahoo’s Data Breach: What to Do If Your  Account Was  Hacked,” Bloomberg, September  22, 2016, https://www.bloomberg.com/news/articles/2016-09-22/yahoo-s-data-breach-what-to-do-if-your-account-was-hacked.
  20. U.S. Department of Health and Human Services, “Cases Currently Under Investigation,” Office for Civil Rights, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (accessed October 14,2016).
  21. Privacy Rights Clearinghouse, Chronology of Data Breaches: FAQs,https://www.privacyrights.org/chronology-data-breaches-faq#is-chronology-exhaustive-list (accessed October 14,2016).
  22. Trend Micro, Follow the Data: Analyzing Breaches by Industry (San Diego: Privacy Rights Clearinghouse,2015), https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-analyzing-breaches-by- industry.pdf.
  23. Sara Peters, “Healthcare Biggest Offender in 10 Years of Data Breaches,” DarkReading, September 22, 2015, http://www.darkreading.com/analytics/healthcare-biggest-o_ender-in-10-years-of-data-breaches/d/d-id/1322292.
  24. Jonathan Vanian, “Five Things to Know to Avoid Getting Hacked,” Fortune, September 25, 2015, http://fortune.com/2015/09/25/five-facts-cyber-security.
  25. Patrick Nelson, “More Data Breaches Caused by Lost Devices than Malware or Hacking, Trend Micro Says,” NetworkWorld, October 5, 2015, https://www.networkworld.com/article/2988643/security/device-loss-data-breach-malware-hacking-trend-micro-report.html.
  26. Mark Pribish, “Lost Electronic Devices Can Lead to Data Breaches,” AZ Central, September 30, 2015, http://www.azcentral.com/story/money/business/tech/2015/09/30/lost-electronic-devices-data-breaches/73058138.
  27. Dinei Florêncio and Cormac Herley, “Sex, Lies and Cyber-crime Surveys,”  10th Workshop  on the  Economics of Information Security, Fairfax, VA, 2011, https://web.archive.org/web/20110902055639/http://weis2011.econinfosec.org/papers/Sex,%20Lies%20and%20Cyber-crime%20Surveys.pdf.
  28. Business Wire, “Riptech Unveils Caltarian, a Next-Generation Managed Security  Platform,” Free  Library, April 2, 2001, http://www.thefreelibrary.com/Riptech+Unveils+Caltarian,+a+Next-Generation+Managed+Security…-a072584421.
  29. Riptech  Inc.,  Riptech  Internet Security  Threat  Report: Attack  Trends  for Q3  and  Q4 2001  (Alexan-  dria,VA: Riptech Inc., 2001), http://eval.symantec.com/mktginfo/enterprise/white_papers/ent-whitepaper_symantec_internet_security_threat_report_i.pdf.
  30. Symantec, Internet Security Threat Report vol. 21 (Mountain View, CA: Symantec, April 2016), 4, https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf.
  31. Wade H. Baker, C. David Hylender, and J. Andrew Valentine, 2008 Data Breach Investigations Report, Verizon Enterprise, 2008,http://www.verizonenterprise.com/resources/security/databreachreport.pdf.
  32. VERIS: The Vocabulary for Event Recording and Incident Sharing, http://veriscommunity.net (accessed January 5,2018).
  33. Verizon,2016DataBreachInvestigationsReport,VerizonEnterprise,2016,1,http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf.
  34. MarketWatch,“Target’s Profits Down $440M after Data Breach,” New York Post, February 26, 2014, https://nypost.com/2014/02/26/targets-profits-down-46-after-data-breach.
  35. Antone  Gonsalves, “Target  CEO Resignation  Highlights  Cost of  Security  Blunders,” CSO  Online, May  5, 2014, http://www.csoonline.com/article/2151381/cyber-attacks-espionage/target-ceo-resignation-highlights-cost-of-security-blunders.html.
  36. Jonathan Stempel, “Home Depot Settles Consumer Lawsuit over Big 2014 Data Breach,” Reuters, March 8,2016, http://www.reuters.com/article/us-home-depot-breach-settlement-idUSKCN0WA24Z.
  37. Hayley Tsukayama, “Cyber Attack on RSA Cost EMC $66 Million,” Washington Post, July 26, 2011, https://www.washingtonpost.com/pb/blogs/post-tech/post/cyber-attack-on-rsa-cost-emc-66-million/2011/07/26/gIQA1ceKbI_blog.html.
  38. Ponemon Institute LLC, Reputation Impact of a Data Breach: U.S. Study of ExecutivesandManagers (Research Report Sponsored by Experian, November 2011), https://www.experian.com/assets/data-breach/white-papers/reputation-study.pdf.
  39. Roi Perez, “S&P Could Downgrade Lenders to Standard and Poor for Cyber-Security,” SC Media UK, October 1, 2015,http://www.scmagazineuk.com/standard-and-poor-to-downgrade-banks-credit-rating/article/441892.
  40. Hugo Moreno, “Protecting Your Company’sReputation in a Heartbleed World,” Forbes, April 14, 2014, https://www.forbes.com/forbesinsights/ibm_reputational_IT_risk/index.html.
  41. Joe Siegrist, “LastPass Security Notice,”LastPass, June 15, 2015, https://blog.lastpass.com/2015/06/lastpass-security-notice.html.
  42. Symantec, “2016 Internet Security Threat Report,” ISTR 21 (April 2016): 6, https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf.

Chapter 2:

  1. “Event Report as of 1/21/81 08:45:30,” FBI file 196A-397 (New Haven), FOIA/PA #1364189-0, E3df34b6cc6c2a9a14ddc71e47c1a18b8d966c57f_Q3702_R343967_D1813129.pdf, January 21, 1981, 48 (obtained under the FOIA from the FBI; received March 2019).
  2. IT History Society, National CSS, Inc. (NCSS), http://www.ithistory.org/db/companies/national-css-inc-ncss (accessed April 29,2019).
  3. Federal Bureau of Investigation, “Prosecutive Report of Investigation Concerning Bruce Ivan Paul; National   CSS – Victim; Fraud by Wire – Computer Fraud,” FBI file 196A-397 (New Haven), FOIA/PA #1364189-0,E3df34b6cc6c2a9a14ddc71e47c1a18b8d966c57f_Q3702_R343967_D1813131.pdf, October 6, 1981, 12 (obtained under the FOIA from the FBI; received March2019).
  4. Federal Bureau of Investigation, “FD-302,” FBI file 196A-397 (New Haven), FOIA/PA #1364189-0, E3df34b6cc6c2a9a14ddc71e47c1a18b8d966c57f_Q3702_R343967_D1813129.pdf, May 29, 1981, 85 (obtained under the FOIA from the FBI; received March2019).
  5. Harold Feinleib “A Technical History of National CSS,” IT Corporate Histories Collection, March 4, 2005, http://corphist.computerhistory.org/corphist/documents/doc-42ae226a5a4a1.pdf.
  6. FederalBureauofInvestigation,“ComplaintForm:FD-71,”FBIfile196A-397(NewHaven), FOIA/PA #1364189- 0,E3df34b6cc6c2a9a14ddc71e47c1a18b8d966c57f_Q3702_R343967_D1813129.pdf,November15,1980,3(obtained under the FOIA from the FBI; received March2019).
  7. Vin McLellan, “Case of the Purloined Password,”New York Times, July 26, 1981, http://www.nytimes.com/1981/07/26/business/case-of-the-purloined-password.html?pagewanted=1.
  8. BoeingFrontiers,“AStepBackinVirtualTime,”BoeingFrontiers2,no.4(August2003),http://www.boeing.com/news/frontiers/archive/2003/august/cover4.html.
  9. Claudia H. Deutsch, “Dun & Bradstreet’s Bid to Stay Ahead,” New York Times, late ed. (East Coast), February 12, 1989, A1.
  10. Tom Furlong, “TRW Credit-Check Unit Maintains Low Profile—and 86 Million Files,”Los Angeles Times, September 18, 1981.
  11. MarkFurletti, “An Overview and History of Credit Reporting,” Federal Reserve Bank of Philadelphia, June 2002.
  12. LouDolinar, “Computer Thieves Tamper with Credit,” MorningNews (Wilmington,DE), June 21, 1984, 9.
  13. Christine McGeever, “TRW Security Criticized,” InfoWorld, August 13, 1984,14.
  14. Marcida Dodson, “TRW Investigates ‘Stolen’ Password,” Los Angeles Times, June 22,1984.
  15. Lenny Zeltser, “Early Discussions of Computer Security in the Media,” SANS ISC InfoSec Forums,September10, 2006, https://isc.sans.edu/forums/diary/Early+Discussions+of+Computer+Security+in+the+Media/1685.
  16. Mitch Betts, “DP Crime Bill Toughened,” ComputerWorld, July 2,1984.
  17. Shaya Tayefe Mohajer, “Former UCLA Hospital Worker Admits Selling Records,” San Diego Union-Tribune, December 2, 2008,http://www.sandiegouniontribune.com/sdut-medical-records-breach-120208-2008dec02-story.html.
  18. Charles Ornstein, “Farrah Fawcett: ‘Under a Microscope’ and Holding On to Hope,” ProPublica, May 11, 2009, https://www.propublica.org/article/farrah-fawcett-under-a-microscope-and-holding-onto-hope-511.
  19. Jim Rutenberg, “The Gossip Machine, Churning Out Cash,” New York Times, May 21, 2011, http://www.nytimes.com/2011/05/22/us/22gossip.html.
  20. Patient confidentiality is federally protected by Alcohol and Drug Abuse Patient Records, 42 C.F.R. pt. 2; and/or HIPAA Privacy Regulations, 45 C.F.R. pts. 160, 164. See Hazelden Betty Ford Foundation, Authorization to Disclose MedicalRecords,https://www.hazelden.org/web/public/document/privacy-notice.pdf (accessed May 12, 2019).
  21. Adam Tanner, Our Bodies, Our Data: How Companies Make Billions Selling Our Medical Records (Boston:Beacon Press, 2017),130.
  22. Wullianallur Raghupathi and Viju Raghupathi, “Big Data Analytics in Healthcare: Promise and Potential,” Health Information Science and Systems 2, no. 1 (2014): article 3, doi:10.1186/2047-2501-2-3.
  23. Shannon Pettypiece and Jordan Robertson, “Hospitals Soon See Donuts-to-Cigarette Charges for Health,” Bloomberg, June 26, 2014, https://www.bloomberg.com/news/articles/2014-06-26/hospitals-soon-see-donuts-to-cigarette-charges-for-health.
  24. Shannon Pettypiece and Jordan Robertson, “Hospitals, Including Carolinas HealthCare,  Using  Con- sumer Purchase Data for Information on Patient Health,” Charlotte Observer, June 27, 2014, http://www.charlotteobserver.com/living/health-family/article9135980.html.
  25. U.S. Securities and Exchange Commission (SEC), “Truven Holding Corp./TruvenHealth Analytics, Inc.,” Form 10-K,2013,https://www.sec.gov/Archives/edgar/data/1571116/000144530514001222/truvenhealthq410-k2013.htm.
  26. Rajiv Leventhal, “Explorys CMO: IBM Deal Will Fuel New Predictive Power,” Healthcare Informatics, April 15, 2015, https://www.healthcare-informatics.com/article/explorys-cmio-ibm-deal-will-fuel-new-predictive-power.
  27. Laura Lorenzetti, “IBM Debuts Apple ResearchKit Study on Watson Health Cloud,” Fortune, March 2, 2016, http://fortune.com/2016/03/02/ibm-watson-apple-researchkit.
  28. Federal Trade Commission, Protecting Consumer Privacy in anEraofRapidChange(Washington,DC: FTC, 2012), https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf.
  29. Federal Trade Commission, Data Brokers: A Call for Transparency and  Accountability  (Washington,  DC: FTC, 2014), iv, https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf.
  30. U.S.Senate, What Information Do Data Brokers Have on Consumers, and How Do They Use It?(Washington,DC: GPO, 2013), 75,https://www.gpo.gov/fdsys/pkg/CHRG-113shrg95838/pdf/CHRG-113shrg95838.pdf.
  31. John Deighton and Peter A. Johnson, “The Valueof Data: 2015,” Data and Marketing Association, December 2015,https://thedma.org/wp-content/uploads/Value-of-Data-Summary.pdf.
  32. Paul Ohm, “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization,” UCLA Law Review 57(2010):1701, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1450006 (accessedJanuary 18, 2018).
  33. Jane Doe v. Netflix, Inc., 2009, San Jose Division, CA, https://www.wired.com/images_blogs/threatlevel/2009/12/doe-v-netflix.pdf.
  34. Steve Lohr, “Netflix Cancels Contest after Concerns are Raised about Privacy,” New York Times, March 12, 2010, http://www.nytimes.com/2010/03/13/technology/13netflix.html.
  35. David S. Isenberg,“ Word of the Day:renonymize,” isen.blog, May28, 2009, http://isen.com/blog/2009/05/word-of-the-day-renonymize/.
  36. Alexander Muse, “How the NSA Identified Satoshi Nakamoto,” Medium, August 26, 2017, https://medium.com/ cryptomuse/how-the-nsa-caught-satoshi-nakamoto-868affcef595.
  37. BizJournals.com,“CardinalHealth,OthersFormPrescription-DataAnalysisFirm,”Columbus Business First, July 30, 2001, https://www.bizjournals.com/columbus/stories/2001/07/30/daily2.html.
  38. U.S. Securities and Exchange Commission (SEC), “IMS Health Incorporated 2004 Annual Report to Shareholders,” Exhibit 13, https://www.sec.gov/Archives/edgar/data/1058083/000104746905006554/a2153610zex-13.htm (accessed May 12, 2019).
  39. Elizabeth Dwoskin, “The Next Marketing Frontier: Your Medical Records,” Wall Street Journal, March 3, 2015, https://www.wsj.com/articles/the-next-marketing-frontier-your-medical-records-1425408631.
  40. Cerner, Analytics: Uncover the Value of Your Datahttps://www.cerner.com/solutions/population-health-management/analytics (accessed January 8, 2018).
  41. Marketwired, “New AI Cloud Platform by Prognos Transforms Member Lab Data to Address Business Challenges for Payers,” press release, May 10, 2017, http://markets.businessinsider.com/news/stocks/New-AI-Cloud-Platform-by-Prognos-Transforms-Member-Lab-Data-to-Address-Business-Challenges-for-Payers-1002000305.
  42. B.R.I.D.G.E. To_Data, Quintiles IMS Real-World Data Adjudicated Claims: USA [Quintiles IMS PharMetrics Plus]https://www.bridgetodata.org/node/824 (accessed January 8,2018).
  43. Sean Hooley and Latanya Sweeney, “Survey of Publicly Available State Health Databases” (whitepaper 1075-1, Data Privacy Lab, Harvard University, Cambridge, MA, June 2013), https://thedatamap.org/1075-1.pdf.
  44. Washington State Department of Health, Comprehensive Hospital Abstract Reporting System (CHARS)https://www.doh.wa.gov/DataandStatisticalReports/HealthcareinWashington/HospitalandPatientData/HospitalDischargeDataCHARS (accessed January 9,2018).
  45. Latanya Sweeney, “Matching Known Patients to Health Records in Washington State Data” (Data Privacy Lab, Harvard University, Cambridge, MA, June 2013), https://dataprivacylab.org/projects/wa/1089-1.pdf.
  46. “Who’s Buying Your Medical Records?,” Bloomberg, https://www.bloomberg.com/graphics/infographics/whos-buying-your-medical-records.html (accessed January 9, 2018).
  47. Form a Query to Find Sensitive Data Stored on Sites, Microsoft, https://support.office.com/en-us/article/Form-a- query-to-find-sensitive-data-stored-on-sites-3019fbc5-7f15-4972-8d0e-dc182dc7f836 (accessed January 19, 2018).
  48. National Wildfire Coordinating Group, Wildland Urban Interface Wildfire Mitigation Desk Reference Guide (Boise:NWCG, May 2017), 4, https://www.nwcg.gov/sites/default/files/publications/pms051.pdf.

Chapter 3:

  1. Equifax, “Equifax Announces Cybersecurity Incident Involving Consumer Information,” Equifax Announcements, September 7, 2017, https://www.equifaxsecurity2017.com/2017/09/07/equifax-announces-cybersecurity-incident-involving-consumer-information.
  2. T. Siegel Bernard, T. Hsu, N. Perlath, and R. Lieber, “Equifax Says Cyberattack May Have Affected 143 Million in the U.S.,”New York Times, September 7, 2017, https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html.
  3. Hearing on “Oversight of Equifax Data Breach: Answers for Consumers” Before the Subcomm. on Digital Commerce and Consumer Protection of the H. Comm. on Energy and Commerce, 115th Cong. (October 3, 2017), https://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-Wstate-SmithR-20171003.pdf (prepared testimony of Richard F. Smith, former Chairman and CEO, Equifax).
  4. U.S. Securities and Exchange Commission (SEC), “Equifax Inc.,” Form 10-Q, 2017, https://www.sec.gov/Archives/edgar/data/33185/000003318517000032/efx10q20170930
  5. Hayley Tsukayama, “Equifax Faces Hundreds of Class-Action Lawsuits and an SEC Subpoena overthe Way It Handled Its Data Breach,” Washington Post, November 9, 2017, https://www.washingtonpost.com/news/the-switch/wp/2017/11/09/equifax-faces-hundreds-of-class-action-lawsuits-and-an-sec-subpoena-over-the-way-it-handled-its-data-breach.
  6. Joe Uchill, “Dems Propose Data Security Bill after Equifax Hack,” Hill, September 14, 2017, http://thehill.com/policy/cybersecurity/350694-on-heels-of-equifax-breach-dems-propose-data-broker-privacy-and-security.
  7. Steven Fink, Crisis Communications: The Definitive Guide to Managing the Message (New York: McGraw-Hill, 2013), xv.
  8. Paul R. Cichonski, Thomas Millar, Timothy Grance, and  Karen  Scarfone, Computer  Security Incident  Handling Guide, Special Pub. 800-61, rev. 2 (Washington, DC: NIST, 2012), https://nvlpubs.nist.gov/nistpubs/ SpecialPublications/NIST.SP.800-61r2.pdf.
  9. T. Pauchant and I. Mitroff,Transforming the Crisis-Prone Organization (San Francisco:Jossey-Bass, 1992),12.
  10. Steven Fink, Crisis Management: Planning for the Inevitable, rev.ed. (Bloomington, IN: iUniverse, 1986), 23–24.
  11. William L. Benoit, Accounts, Excuses, and Apologies, 2nd ed. (Albany:SUNYPress, 2014), 28.
  12. MichaelD. Matthews,“The3C’s ofTrust,” Psychology Today, May 3, 2016, https://www.psychologytoday.com/blog/head-strong/201605/the-3-c-s-trust.
  13. Baker Hostetler, “Data Breach Charts,” Baker Law, November 2017, https://www.bakerlaw.com/files/Uploads/Documents/Data%20Breach%20documents/Data_Breach_Charts.pdf.
  14. Michael Riley, Jordan Robertson, and Anita Sharpe, “The Equifax Hack Has the Hallmarks of State-Sponsored Pros,” Bloomberg, September 29, 2017, https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros.
  15. Hayley Tsukayama, “It Took Three Years for  Yahoo  to Tell Us about Its Latest Breach.  Why  Does It  Take So Long?” Washington Post, December 19, 2016, https://www.washingtonpost.com/news/the-switch/wp/2016/12/16/it-took-three-years-for-yahoo-to-tell-us-about-its-latest-breach-why-does-it-take-so-long.
  16. “Uber ‘Bug Bounty’ Emails,” Document Cloud, https://www.documentcloud.org/documents/4349230-Uber-Bug-Bounty-Emails.html (accessed March 19,2018).
  17. Joseph Menn and Dustin Volz, “Exclusive: Uber Paid 20-Year-Old Florida Man to Keep Data Breach Secret: Sources,” Reuters, December 7, 2017, https://www.reuters.com/article/us-uber-cyber-payment-exclusive/exclusive-uber-paid-20-year-old-florida-man-to-keep-data-breach-secret-sources-idUSKBN1E101C.
  18. Dara Khosrowshahi, “2016 Data Security Incident,” Uber, November 21, 2017, https://www.uber.com/newsroom/2016-data-incident.
  19. Naomi Nix and Eric Newcomer, “Uber Defends Bug Bounty Hacker Program to Washington Lawmakers,” Bloomberg, February 6, 2018, https://www.bloomberg.com/news/articles/2018-02-06/uber-defends-bug-bounty-hacker- program-to-washington-lawmakers.
  20. Louise Matsakis, “Uber ‘Surprised’ by Totally Unsurprising Pennsylvania Data Breach Lawsuit,” Wired, March 5, 2018, https://www.wired.com/story/uber-pennsylvania-data-breach-lawsuit.
  21. Brian Krebs, “Equifax Breach: Setting the Record Straight,” Krebs on Security, September 20, 2017, https://krebsonsecurity.com/2017/09/equifax-breach-setting-the-record-straight.
  22. Brian Krebs, “Equifax Breach Response Turns Dumpster Fire,” Krebs on Security, September 8, 2017, https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-fire.
  23. Mahita Gajanan,“Equifax Says You Won’t Surrender Your Right to Sue by Asking for Help After Massive Hack,” Time, September 11, 2017, http://time.com/4936081/equifax-data-breach-hack.
  24. Zack Whittaker, “Equifax’s Credit Report Monitoring Site Is also Vulnerable to Hacking,” ZD Net, September 12, 2017, http://www.zdnet.com/article/equifax-freeze-your-account-site-is-also-vulnerable-to-hacking.
  25. Krebs, “Equifax Breach Response”; Lily Hay Newman,“All the Ways Equifax Epically Bungled Its Breach Response,” Wired, September 24, 2017, https://www.wired.com/story/equifax-breach-response.
  26. Alfred Ng, “Equifax Ex-CEO Blames Breach on One Person and a Bad Scanner,” CNET, October 3, 2017, https://www.cnet.com/news/equifax-ex-ceo-blames-breach-on-one-person-and-a-bad-scanner.
  27. Brian Krebs, “Ayuda! (Help!) Equifax Has My Data!” Krebs on Security, September 12, 2017, https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data.
  28. Lily Hay Newman, “Equifax Officially Has No Excuse,”Wired, September 14, 2017, https://www.wired.com/story/equifax-breach-no-excuse.
  29. Robert W. Baird & Co., “Equifax Inc. (EFX) Announces Significant Data Breach; -13.4% in After-Hours,” Baird Equity Research, September 7, 2017, https://baird.bluematrix.com/docs/pdf/dbf801ef-f20e-4d6f-91c1-88e55503ecb0.pdf.
  30. BradStone, “The Category 5 Equifax Hurricane,”Bloomberg, September 11, 2017, https://www.bloomberg.com/news/articles/2017-09-11/the-category-5-equifax-hurricane.
  31. Michael Hiltzik, “Here Are All theWays the Equifax Data Breach Is Worse than You Can Imagine,” Los Angeles Times, September 8, 2017, http://www.latimes.com/business/hiltzik/la-fi-hiltzik-equifax-breach-20170908-story.html.
  32. Liz Moyer, “Equifax’s Then-CEO Waited Three Weeks to Inform Board of Massive Data Breach, Testimony Says,” CNBC, October 2, 2017, https://www.cnbc.com/2017/10/02/equifaxs-then-ceo-waited-three-weeks-to-inform-board-of-massive-data-breach-testimony-says.html.
  33. Daniel Marans, “Elizabeth Warren Scorches Former Equifax CEO for Profiting from Data Breaches,” HuffPost, October 4, 2017, https://www.huffpost.com/entry/elizabeth-warren-equifax-ceo_n_59d503ace4b06226e3f55c83.
  34. Equifax, “Rick Smith, Chairman and CEO of Equifax, on Cybersecurity Incident Involving Consumer Data,”YouTube, September 7, 2017, https://www.youtube.com/watch?v=bh1gzJFVFLc.

Chapter 4

  1. “ChoicePoint’s Letter to Consumers Whose Information Was Compromised,” CSO, May 1, 2005, http://www.csoonline.com/article/2118059/data-protection/choicepoint-s-letter-to-consumers-whose-information-was-compromised.html.
  2. Sarah D.  Scalet, “The Five Most Shocking Things About the ChoicePoint Data Security Breach,” CSO, May        1, 2005, https://www.csoonline.com/article/2118134/compliance/the-five-most–shocking-things-about-the-choicepoint-data-security-breach.html.
  3. Joseph Menn, “Fraud Ring Taps Into Credit Data,” Los Angeles Times, February 16, 2005,http://articles.latimes.com/2005/feb/16/business/fi-hacker16.
  4. Paul N. Otto, Annie I. Antón, David L. Baumer, “The  ChoicePoint  Dilemma: How  Data  Brokers Should Handle the Privacy of Personal Information,” North Carolina State University Technical Reports, TR-2005-18, p. 2, https://repository.lib.ncsu.edu/bitstream/handle/1840.4/922/TR-2006-18.pdf  (accessed May 14,2019).
  5. Bob Sullivan, “Database Giant Gives Access to Fake Firms,” NBC News, February 14, 2005, http://www.nbcnews.com/id/6969799/print/1/displaymode/1098.
  6. Bob Sullivan, “Choice Point to Pay $15 Million over Data Breach,”NBC News, January 26, 2006, http://www.nbcnews.com/id/11030692/ns/technology and science-security/t/choicepoint-pay-million-over-data-breach/.
  7. “ChoicePoint Stops Selling ‘Sensitive Consumer Data,’ Confirms SEC Investigation,” Chief Marketer, March 6, 2005, http://www.chiefmarketer.com/choicepoint-stops-selling-sensitive-consumer-data-confirms-sec-investigation.
  8. Dan Kaplan, “Choice Point Settles Lawsuit over 2005 Breach,” SC Media US, January 28, 2008, https://www.scmagazine.com/choicepoint-settles-lawsuit-over-2005-breach/article/554149.
  9. Joseph Menn and David Colker, “More Victims in Scam Will Be Alerted,” Los Angeles Times, February 17,2005, http://articles.latimes.com/2005/feb/17/business/fi-hacker17.
  10. L. Kuykendall, “BJ’s Case Shows Issuers’ Data-Breach Cost Fatigue,” American Banker, August 26,2004.
  11. Chronology of Data Breaches: FAQs, Privacy Rights Clearinghouse, https://www.privacyrights.org/chronology-data-breaches-faq#is-chronology-exhaustive-list (accessed October 14, 2016).
  12. A Chronology of Data Breaches Reported Since the Choice Point Incident , Privacy Rights Clearinghouse, April 20, 2005, http://web.archive.org/web/20050421104632/http://www.privacyrights.org/ar/ChronDataBreaches.htm.
  13. Erica H. James and Lynn P. Wooten, “Leadership in Turbulent Times: Competencies for Thriving Amidst Crisis,” (Working Paper No. 04-04, Darden Graduate School of Business Administration, University of Virginia, 2004), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=555966.
  14. Center for Investigative Reporting (CIR), “Identity Crisis,” CIR Online, August9, 2003, https://web.archive.org/web/20150526053835/http://cironline.org/reports/identity-crisis-2085.
  15. Gary Rivlin, “Purloined Lives,” NewYork Times, March 17, 2005, http://www.nytimes.com/2005/03/17/business/purloined-lives.html?%20r=0.
  16. Robert O’Harrow Jr., “ID Data Conned from Firm: ChoicePoint Case Points to Huge Fraud,”Washington Post, February 17, 2005,http://www.washingtonpost.com/wp-dyn/articles/A30897-2005Feb16.html.
  17. GlennR.Simpson,“FBI’sRelianceonthePrivateSectorHasRaisedSomePrivacyConcerns,”WallStreetJournal, April 13, 2001, http://www.wsj.com/articles/SB987107477135398077.
  18. Carolyn Puckett, “The Story of the Social Security Number,” Social Security Bulletin 69, no.2 (2009), https://www.ssa.gov/policy/docs/ssb/v69n2/v69n2p55.html.
  19. Suzanne Woolley, “Your Social Security Number Now Looks Like a Time Bomb. It Is,” Bloomberg, June 1, 2017, https://www.bloomberg.com/news/articles/2017-06-01/identity-theft-feeds-on-social-security-numbers-run-amok.
  20. U.S. Department of Justice, “1030.Definitions,” Criminal Resource Manual, https://www.justice.gov/usam/criminal-resource-manual-1030-definitions (accessed January 8,2018).
  21. Brian Krebs, “At Experian, Security Attrition Amid Acquisitions,” Krebs on Security (blog), October 8, 2015, https://krebsonsecurity.com/tag/court-ventures.
  22. Anthem, “Attention Providers in Virginia: Important Message from Joseph Swedish,” Network eUpdate, February 5, 2015, https://www11.anthem.com/provider/va/f1/s0/t0/pw_e231507.pdf.
  23. U.S. Census Bureau, U.S. and World Population Clock, https://www.census.gov/popclock (accessedJanuary 8, 2018).
  24. U.S. Census Bureau, QuickFacts: United States, https://www.census.gov/quickfacts/table/PST045216/00 (accessed January 8,2018).
  25. Data Breaches, Privacy Rights Clearinghouse, https://www.privacyrights.org/data-breaches (accessed January 8, 2018).
  26. Lily Hay Newman, “The Social Security Number’s Insecurities,” Slate, July 10, 2015, http://www.slate.com/articles/technology/future_tense/2015/07/opm_anthem_data_breaches_show_the_insecurity_of_the_social_security_ number.html.
  27. United States v. ChoicePoint Inc., CA No. 1:06-CV-0198 (N.D. Ga. 2006), https://www.ftc.gov/sites/default/files/documents/cases/2006/01/0523069complaint.pdf.
  28. Evan Perez and Rick Brooks, “For Big Vendor of Personal Data, a Theft Lays Bare the Downside,” Wall Street Journal, May 2, 2005, https://www.wsj.com/articles/SB111507095616722555.
  29. Bruce Schneier, “ChoicePoint,” Schneier on Security (blog), February 23, 2005, https://www.schneier.com/blog/ archives/2005/02/choicepoint.html.
  30. Evan Perez and Rick Brooks, “For  ChoicePoint, a Theft Lays Bare the Downside,” Pittsburgh Post-Gazette,  May 3, 2005, http://www.post-gazette.com/business/businessnews/2005/05/03/For-ChoicePoint-a-theft-lays-bare-the-downside/stories/200505030214.
  31. William Safire, “Goodbye to Privacy,” New York Times, April 10, 2005, https://www.nytimes.com/2005/04/10/books/review/goodbye-to-privacy.html.
  32. Derek V. Smith, Risk Revolution: The Threat Facing America and Technology’s Promise for a Safer Tomorrow (Lanham, MD: Taylor Trade, 2004).
  33. Evan Perez and Rick Brooks, “For Big Vendor of Personal Data, a Theft Lays Bare the Downside,” Wall Street Journal, May 3, 2005, https://www.wsj.com/articles/SB111507095616722555.
  34. FindLaw®, California Raises the Bar on Data Security and Privacyhttp://corporate.findlaw.com/law-library/california-raises-the-bar-on-data-security-and-privacy.html (accessed January 7,2018).
  35. Official California Legislative Information, Bill No. SB1386, http://www.leginfo.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html (accessed January 7, 2018).
  36. Charles Gasparino, “When Secrets Get Out,”Newsweek, March 13, 2005, http://www.newsweek.com/when-secrets-get-out-115027.
  37. Bill Husted, “Boss Keeps Low Profile Amid Crisis Experts Rap Strategy of ChoicePoint,” Atlanta Journal- Constitution, February 19,2005.
  38. Baker Hostetler, “Data Breach Charts,”Baker Law, November 2017, 25, https://www.bakerlaw.com/files/Uploads/Documents/Data%20Breach%20documents/Data_Breach_Charts.pdf.
  39. Rachel Konrad, “Californians Warned that Hackers May Have Stolen their Data,” USA Today, February 16, 2005, http://usatoday30.usatoday.com/tech/news/computersecurity/hacking/2005-02-16-choicepoint-hacked_x.htm.
  40. Associated Press, “Big ID Theft in California,” Wired, February 16, 2005, http://web.archive.org/web/20050217193946/http://wired.com/news/business/0,1367,66628,00.html.
  41. ChoicePoint, ChoicePoint Update on Fraud Investigation, February 16, 2005, https://web.archive.org/web/ 20050217071222/http://www.choicepoint.com/news/statement_0205_1.html.
  42. Rachel Konrad, “Data Firm Allowed 700 Identity Thefts: Half-Million Stillat Risk at Credit Broker with No Federal Regulation,” Pittsburgh Post-Gazette, February 19,2005.
  43. Bob Sullivan, “Database Giant Gives Access to Fake Firms,” NBC News, February 14, 2005, http://www.nbcnews.com/id/6969799/print/1/displaymode/1098.
  44. Evan Perez, “ChoicePoint Is Pressed for Explanations to Breach,” Wall Street Journal, February 25, 2005, http://www.wsj.com/articles/SB110927975875763476?mg=id-wsj.
  45. Robert O’Harrow Jr., “ID Data Conned from Firm: ChoicePoint Case Points to Huge Fraud,”Washington Post, February 17, 2005,http://www.washingtonpost.com/wp-dyn/articles/A30897-2005Feb16.html.
  46. EPIC.org, ChoicePoint letter dated February 25, 2005, https://epic.org/privacy/choicepoint/cp_letter_022505.pdf (accessed January 7,2018).
  47. U.S. Social Security Administration, Identity Theft and Your Social Security Number, (Pub. No. 05-10064 (Washington, DC: SSA, June 2017) https://www.ssa.gov/pubs/EN-05-10064.pdf.
  48. Nafeesa Syeed and Elizabeth Dexheimer, “The White House and Equifax Agree: Social Security Numbers Should Go,” Bloomberg, October 4, 2017, https://www.bloomberg.com/news/articles/2017-10-03/white-house-and-equifax-agree-social-security-numbers-should-go.
  49. House Energy and Commerce Subcommittee Hearing on “Equifax Data Breach ”Before the Subcomm. on Digital Commerce and Consumer Protection of the H. Comm. on Energy and Commerce, 115th Cong. (October 3, 2017), https://www.c-span.org/video/?434786-1/lawmakers-grill-equifax-ceo-data-breach&start=9971 (prepared testimony of RichardF. Smith, former Chairman and CEO, Equifax).
  50. Pew Research Center, “Mobile Fact Sheet,”Pew Internet and Technology, January 12, 2017, http://www.pewinternet.org/fact-sheet/mobile.
  51. Ron Lieber, “A Free Credit Score Followed by a Monthly Bill,” New York Times, November 2, 2009, http://www.nytimes.com/2009/11/03/your-money/credit-scores/03scores.html.
  52. Gerard Dalbon, “FreeCreditReport.com All 9 Commercials,” YouTube, 4:38, min, posted October 3, 2009, https://www.youtube.com/watch?v=tloVHJtrJ_k.
  53. Federal Trade Commission (FTC), “FTC Releases Spoof Videos with a Serious Message: Annual- CreditReport.com is  the  Only Authorized  Source  for   Free  Annual  Credit  Reports,”   press release,  March   10, 2009, https://www.ftc.gov/news-events/press-releases/2009/03/ftc-releases-spoof-videos-serious-message-annualcreditreportcom.
  54. FTC, “AnnualCreditReport.com Restaurant: Federal Trade Commission,” YouTube, 0:50 min, posted March 9, 2009, https://www.youtube.com/watch?v=xZ0xsF5XWfo (accessed January 9,2018).
  55. William L. Benoit, Accounts, Excuses, and Apologies, 2nd ed. (NewYork:SUNYPress,2014), 28.
  56. Kathleen Burke, “‘Free Credit Monitoring’ after Data Breaches is More Sucker than Succor,” MarketWatch, June 10, 2015, http://www.marketwatch.com/story/free-credit-monitoring-after-data-breaches-is-more-sucker-than-succor-2015-06-10.
  57. David Lazarus, “So What Does a Corporation Owe You after a Data Breach?” Los Angeles Times, May 10, 2016, http://www.latimes.com/business/lazarus/la-fi-lazarus-security-breaches-20160510-snap-story.html.
  58. Taxpayer Advocate Service, “Most Serious Problems: Fraud  Detection,” Annual  Report to  Congress  1 (2006): 151–60. https://taxpayeradvocate.irs.gov/Media/Default/Documents/2016-ARC/ARC16_Volume1_MSP_09_ FraudDetection.pdf.
  59. Taxpayer Advocate Service, “Most Serious Problems: IRS Toll-Free Telephone Service Is Declining as Taxpayer Demand for Telephone Service Is Increasing,”Annual Report to Congress1(2009):1, 5, https://www.irs.gov/pub/tas/msp_1.pdf
  60. Byron Acohido and Jon Swartz, “Credit Bureaus Fight Consumer-Ordered Freezes,” USA Today, June 25, 2007, https://usatoday30.usatoday.com/money/perfi/credit/2007-06-25-credit-freeze-usat_n.htm.
  61. Richard Burnett, “Debit Card ‘On/Off’ Switch Helps Keep Security Intact,” Wells Fargo Stories, April 28, 2017, https://stories.wf.com/debit-card-onoff-switch-helps-keep-security-intact.
  62. Ann Carrns, “A Way to Lock Lost Debit Cards, from a Big Bank,” NewYork Times, February 3, 2016, https://www.nytimes.com/2016/02/04/your-money/a-way-to-lock-lost-debit-cards-from-a-big-bank.html.
  63. Kim Zetter, “LifeLock CEO’s Identity Stolen 13 Times,” Wired, May18, 2010, https://www.wired.com/2010/05/lifelock-identity-theft.
  64. Federal Trade  Commission (FTC), “LifeLock Will Pay  $12 Million to Settle Charges by the FTC and 35    States That Identity Theft Prevention and Data Security Claims Were False,” press release, March 9, 2010, https://www.ftc.gov/news-events/press-releases/2010/03/lifelock-will-pay-12-million-settle-charges-ftc-35-states.
  65. Federal Trade Commission v. Lifelock Inc., 2:10-cv-00530-MHM (D. Ariz. 2010), https://www.wired.com/images_blogs/threatlevel/2010/03/lifelockcomplaint.pdf.
  66. Jonathan Peterson, “Data Collectors Face Lawmakers,” Los Angeles Times, March 16, 2005, http://articles.latimes.com/2005/mar/16/business/fi-choice16.
  67. C-SPAN, “Securing Electronic Personal Data,”C-SPAN, video, 2:32:49 min, posted April 13, 2005, https://www.c-span.org/video/?186271-1/securing-electronic-personal-data.
  68. Evan Perez and Rick Brooks, “For  ChoicePoint, a Theft Lays Bare the Downside,”  Pittsburgh Post-Gazette,  May 3, 2005, http://www.post-gazette.com/business/businessnews/2005/05/03/For-ChoicePoint-a-theft-lays-bare-the-downside/stories/200505030214 (accessed January 7, 2018).
  69. “ChoicePoint Reported to Have Had Previous ID Theft,” Insurance Journal, March 3, 2005, http://www.insurancejournal.com/news/national/2005/03/03/52108.htm.
  70. Khalid Kark, “The Cost of Data Breaches: Looking at the Hard Numbers,” Tech Target, March 2007, http://searchsecurity.techtarget.com/tip/The-cost-of-data-breaches-Looking-at-the-hard-numbers.
  71. Jon Swartz and Byron Acohido, “Who’s Guarding Your Data in the Cybervault?” Tech News World, May 17, 2007, http://web.archive.org/web/20070517203855/http://www.technewsworld.com/story/56709.html.
  72. Scott Henry, “ChoicePoint,” Creative Loafing, February 23, 2005, http://www.creativeloafing.com/news/article/13017248/choicepoint.
  73. Milton C. Sutton, Security Breach Notifications: State Laws, Federal Proposals, and  Recommendations   (Moritz College of Law, Ohio State University, 2012), 935, http://moritzlaw.osu.edu/students/groups/is/files/2012/02/s-sutton.pdf.
  74. “ChoicePoint CISO Named Information Security Executive of the Year in Georgia  2004,”  Business  Wire News, March 19, 2004, https://www.businesswire.com/news/home/20040319005030/en/ChoicePoint-CISO-Named-Information-Security-Executive-Year.
  75. Associated Press, “Choice Point Names DiBattiste Chief Credentialing, Compliance and Privacy Officer,”Atlanta Business Chronicle, March 8, 2005, https://www.bizjournals.com/atlanta/stories/2005/03/07/daily6.html.