Monday, December 18, 2006

Proof that even Law School Professors get it right on occasion. (Good on ya', John!) Perhaps you should host a seminar titled “How to turn Identity Theft into a Class Action Bonanza!” and charge attendees 2% of future awards...

http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=standards_legal_issues&articleId=275774&taxonomyId=146&intsrc=kc_feat

What’s Keeping the Tort Lawyers at Bay

Mark Willoughby

December 18, 2006 (Computerworld) Ever since security breaches became a regular happening, pundits have been saying liability lawsuits are sure to follow. Information security breaches have been dubbed “the next asbestos” because of the potential for courts to force companies to pay billions of dollars in damages to thousands of victims.

But it probably will be many years before large numbers of victims of information leaks collect a dime. There are a couple of reasons why the deluge of security lawsuits hasn’t materialized, according to John Soma, a professor at the University of Denver College of Law and the executive director of its Privacy Foundation.

For starters, there isn’t a legally recognized foundation for launching lawsuits over data breaches. The mere occurrence of a security breach is insufficient justification for filing a lawsuit, Soma says. Lawsuits charging negligence must show that accepted standards of performance weren’t met. [see below Bob] But today’s standards of security performance are either immature or untested in court.

Actual damages are the second criterion for a lawsuit. Asbestos victims were exposed to a hazardous substance and exhibit symptoms of deadly diseases directly linked to that exposure. So far, there haven’t been thousands of security breach victims who can demonstrate that they have actually suffered significant damages, although the potential for that to happen certainly exists. [Perhaps I'll document what expenses I incurred when the VA notified me I was “at risk.” Bob]

It isn’t even easy to file a lawsuit saying regulations were violated, because today’s security regulations are purposely nebulous. [Translation: Written by lawyers, for lawyers. Bob] The lack of concrete details in federal security regulations, such as the rules under the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act, makes a poor target for the tort bar.

Dan Langin, an information security lawyer in Overland Park, Kan., says the legal system is “at the stage where the compliance picture is being sorted out.” For example, the Securities and Exchange Commission’s guidance on internal controls required by Sarbanes-Oxley is nowhere near as specific as the Environmental Protection Agency’s regulations on asbestos exposure. [Of course, asbestos exposure has been a regulatory target since the 1950s... Bob]

HIPAA and Gramm-Leach-Bliley have vague security guidelines, too. And the security frameworks often used to comply with federal guidelines, ISO 17799 and the Control Objectives for IT and Related Technology (Cobit) from the IT Governance Institute haven’t been sanctioned by court decisions. Any lawsuits seeking to establish a precedent that makes these security frameworks a standard have probably been settled out of court to preempt that from happening.

There have been some significant, well-publicized regulatory actions taken against companies that exposed confidential information. Last year, the Federal Trade Commission charged that lax security at BJ’s Wholesale Club led to the fraudulent use of credit card information. A settlement requires BJ’s to implement an IT security program that will be audited over the next 20 years. Plus, the company is embroiled in lawsuits seeking damages totaling millions of dollars.

In January, the FTC fined ChoicePoint $10 million in civil penalties and $5 million to cover the damages to individuals arising from ChoicePoint selling sensitive consumer information to criminals. ChoicePoint, too, was hit by lawsuits.

But those cases are exceptions. One challenge for the tort bar is that the actual damages for victims of security breaches are varied. To join a class-action suit, everyone must suffer similarly. So unless identity thieves replicate scams resulting in damages of approximately similar amounts, it isn’t clear how security breaches can become class-action suits like the big-ticket shareholder lawsuits alleging securities fraud.

The wild card for information security lawsuits is the possibility that criminals are sitting on thousands of stolen identities, waiting for credit-monitoring defenses to lapse so they can pounce and maximize the potential gain from their scams. This scenario could lead to class-action suits if the damages suffered can be shown to be similar.

There’s another way that data leaks could turn into class-action lawsuits: if we recognize the economic value of privacy and the costs of losing that privacy. Risk management techniques can easily be used to calculate the cost that victims incur to repair privacy breaches, such as the costs of monitoring credit, closing accounts and opening new ones. With those metrics, class-action lawyers could fulfill the requirement to show similar damages on a large scale.

Perhaps the biggest reason we haven’t seen a flood of lawsuits is that organizations are raising the bar by implementing stronger security that a jury would find adequate. “Most companies have commercially reasonable security in place. They’ve effectively inoculated themselves from liability lawsuits,” says technology lawyer Mark Grossman.

If misfortune does strike, and you discover a breach despite your best efforts to keep systems secure, Congress is considering preemptive actions to stymie the tort bar. Legislators have introduced bills that would, if passed, give a federal exemption from liability lawsuits to companies that voluntarily disclose the security breach and cooperate with investigators.


A counterpoint to the previous article...

http://www.technewsworld.com/rsstory/54759.html

PCI, HIPAA, SOX: Is Compliance the Tail Wagging the Dog?

By Amichai Shulman www.EcommerceTimes.com Part of the ECT News Network 12/18/06 4:00 AM PT

With the convergence in security and compliance, businesses will evolve their IT infrastructure to include new technologies, such as the database gateways, in order to achieve the level of data security required. Smart businesses will use this new technology to their competitive advantage. [Another reason not to be sued for inadequate security... Bob]

As the sensitive financial and identity data in corporate databases becomes increasingly valuable on the black market, mandates such as PCI, SOX and HIPAA are requiring businesses to protect, track, and control all access to and usage of sensitive information. This is forcing an evolutionary shift in security from protecting against data theft to ensuring comprehensive control over all data access and usage.

To meet the wide array of regulatory requirements, security and compliance teams within organizations must work together. [...and document shortcomings... Bob]

Narrowing the Gap

PCI, SOX, HIPAA, and other mandates are narrowing the gap between security and compliance. The PCI Data Security Standard 1.1 released in September 2006 requires businesses to implement specific tools to protect and control sensitive data. Compliance is becoming less a matter of passive auditing and reporting, and more an exercise in data security.


...Well, okay, maybe not HIPAA...

http://www.ama-assn.org/amednews/2006/12/25/gvsb1225.htm

Court: Patients can't file federal privacy suits against doctors

Physicians still can get sued in state court. The plaintiff attorney says that's not enough.

By Amy Lynn Sorrel, AMNews staff. Dec. 25, 2006.

The first federal appeals court decision to affirm that patients cannot sue under HIPAA offers some relief for physicians. But with patients still able to bring privacy claims in state court, the ruling does little to alleviate doctors' concerns about the possibility of lawsuits for confidentiality breaches.

The 5th U.S. Circuit Court of Appeals in November concluded that, because Congress delegated HIPAA enforcement to the Dept. of Health and Human Services, lawmakers did not intend to create a private right for individuals to sue for privacy violations.

The patient in the case at hand sued her doctor, alleging that he broke federal privacy law when he disclosed her medical information in a deposition without her consent.

"HIPAA has no express provision creating a private cause of action," the opinion states. "Instead, it focuses on regulating persons that have access to individually identifiable medical information and who conduct certain electronic health care transactions."

The ruling was the first by a federal appeals court. It upheld similar decisions by nine lower courts, judges said. They noted, however, that the patient was free to pursue her claim in state court.

"It's a good thing for physicians whenever they can be assured that the courts are going to interpret federal law consistently," said Lee A. Spangler, assistant general counsel to the Texas Medical Assn. Texas falls within the 5th Circuit's jurisdiction. But the ruling does not mean that doctors are in the clear, Spangler said.

[...]Full text of AMNews content is available to AMA members and paid subscribers.



Of course, failure to protect personal data is...

http://www.9news.com/acm_news.aspx?OSGNAME=KUSA&IKOBJECTID=87d775a2-0abe-421a-0168-86a35594279b&TEMPLATEID=0c76dce6-ac1f-02d8-0047-c589c01ca7bf

Credit records found in trash

posted by: Jeffrey Wolf Web Producer written by: Paula Woodward 9Wants to Know Investigative Reporter and John Fosholt Producer/Photographer Created: 12/15/2006 1:39 PM MST - Updated: 12/17/2006 11:36 PM MST

ARAPAHOE COUNTY - Two viewers called 9NEWS after finding hundreds of sensitive financial documents dumped un-shredded in two dumpsters in the Denver area.

A woman who works at a shopping mall in Arapahoe County and wanted to remain anonymous told our investigative team that she was curious about a huge stack of files she saw in a dumpster in the parking lot.

She opened a few files and discovered they were filled with complete 16-digit credit card numbers and expiration dates, along with customer names, addresses, phone numbers and signatures.

... The files belonged to Calico Corners, a fabric and upholstery shop at 9611 E. County Line Road.

... The Colorado Consumer Protection Act requires businesses to "develop a policy for the destruction or proper disposal of paper documents containing personal information."

... A "human error" apparently was also the reason that hundreds of mortgage application records were left un-shredded in a dumpster on east Evans Avenue. A 9NEWS viewer saw the records and discovered they contained names, bank account records, and IRS tax documents. The files belonged to Southern Mortgage Corporation of Greenwood Village.

Manager Ed Summerhill said they were dead files that had been stored in a warehouse on Evans.

He said he was stunned to learn they had been discarded by another tenant, apparently as the result of workmen taking the wrong file boxes. [Were the boxes marked “Property of ...” and “Do not Destroy/Dispose”? Bob]

... Arapahoe County Sheriff's Investigator Todd Marner said records like those are invaluable to identity thieves.

"It's a huge problem in Colorado," he told our I-Team. "We have the fifth-highest rate of ID theft in the nation."


...all too common an occurrence.

http://www.duncanbanner.com/local/local_story_351145532.html

Identity theft prevented - this time

By Barbara Jernigan Published: December 17, 2006 02:55 pm

Searching through a dumpster for some cardboard boxes, a local woman found more than she was looking for last week: boxes full of discarded employee records that included names, birth dates and Social Security numbers.

Luckily, when notified, the business that had tossed out the records quickly retrieved them to prepare for their proper disposal.

... Oklahoma state law recognizes identity theft as a felony offense, punishable by up to two years in prison and/or a fine of up to $100,000 plus restitution. However, there is no state law prohibiting a business from throwing out personal information intact.



Fortunately, governments are using all their wisdom (and tons of our money) to guarantee our security!

http://yro.slashdot.org/article.pl?sid=06/12/17/227247&from=rss

E-Passport Cloned In Five Minutes

Posted by kdawson on Sunday December 17, @08:50PM from the if-more-proof-were-needed dept.

Last month a panel of EU experts warned that the e-Passport's security is "poorly conceived", and in fact a week later a British newspaper demonstrated a crack. Now another researcher has shown how to clone a European e-Passport in under 5 minutes. A UK Home Office spokesman dismissed it all, saying "It is hard to see why anyone would want to access the information on the chip." [Idiot! Bob]



This could be interesting in a lot of contexts... (I could see using this to “encourage” (force) my students to research selected topics for my next book...)

http://www.technewsworld.com/rsstory/54756.html

Will Scholarpedia Pass or Fail?

Information World Review 12/17/06 4:00 AM PT

Unlike Wikipedia, each article in Scholarpedia has an expert editor attached to it as a "curator," who approves all changes and ensures the article is an approved version. And it is not as elitist as Citizendium. Anyone can suggest changes to an article, and there's an anonymous forum for initial peer review.

Have we reached another milestone in the evolution of academic publishing? Scholarpedia is the first "free peer-reviewed encyclopedia," a kind of morphing of open access (OA) publishing with wiki technology.

Initial reaction may be, "Not another Wikipedia wannabe!", especially as the ink is barely dry on Larry Sanger's Citizendium manifesto, which he describes as a "progressive fork" of Wikipedia. Scholarpedia could be very different, however.

Looks Familiar

Although suffering from a few gremlins when the blogosphere took a look, Scholarpedia could disrupt publishing models.

For a start, it takes the headache out of setting up and maintaining an online publishing operation for scholars inclined to develop their own OA journal.

Eugene Izhikevich, editor-in-chief of Scholarpedia, points out that it uses the same MediaWiki technology engine as Wikipedia, the phenomenon created by Jimmy Wales.

Unlike Wikipedia, each article in Scholarpedia has an expert editor attached to it as a "curator," who approves all changes and ensures the article is an approved version. In addition, it is not as elitist as Citizendium.

Avoiding Mistakes

Anyone can suggest changes to an article, and there's an anonymous forum for initial peer review. Scholarpedia appears far more inclusive than Citizendium and less obsessed with creating something worthy of "intellectuals."

With concerns continuing to mount about errors in Wikipedia (many put there for malicious reasons) and even hackers using it to hide malware, then something more managed and controlled like Scholarpedia may well be an answer to freely available scholarship online.

Scholarpedia has also narrowed its initial ambitions by restricting itself to three disciplines: computational neuroscience, dynamical systems, and computational intelligence. Izhikevich describes them as "seeds" that could branch out into related disciplines.

Scholarpedia may be the second-generation wiki that makes the grade.



Gee, maybe we shouldn't leave our computers turned on 24/7... And keeping a fire extinguisher handy might be a good idea, too. This may be the next class action...

http://www.infoworld.com/article/06/12/18/HNnecdesktopscatchfire_1.html?source=rss&url=http://www.infoworld.com/article/06/12/18/HNnecdesktopscatchfire_1.html

NEC desktops have caught fire in Japan

NEC is offering to replace faulty power units that caused two desktops to catch fire

By Nancy Gohring, IDG News Service December 18, 2006

Two NEC desktop computers in Japan have caught fire since late last year and NEC is now offering to replace faulty power units at the root of the problem, the electronics giant said on Monday.

The first Valuestar computer caught fire in October 2005 and the second in November this year, said Akiko Shikimori, an NEC spokeswoman. The culprit is a component within the power unit inside the computer. The component and the power unit are not manufactured by NEC but she could not reveal which company makes them.

The power unit overheats and if the customer continues to use the desktop it can cause a fire, she said.



Very interesting. I wonder how this will impact them? Something to follow!

http://www.lessig.org/blog/archives/003637.shtml

GateHouse removes the gate on 96 newspapers

The best news is the stuff that just happens. Here’s an example: As reported by Lisa Williams on Jay Rosen’s site, GateHouse Media, a conglomerate “that owns 75 daily and 231 weekly newspapers” has rolled over 96 of its newspaper sites to a Creative Commons license.

posted by [ Lessig ] on [ Dec 18 06 at 12:58 AM ]



Not that it was a rough neighborhood, but we used to get these in High School...

http://www.bespacific.com/mt/archives/013318.html

December 15, 2006

Pentagon Releases New Counterinsurgency Field Manual

Press release: "The Army and Marine Corps announce the release of the Counterinsurgency Field Manual...the new manual pursues a general approach to counterinsurgency, not one aimed specifically at any of the ongoing operations."

  • From the Foreword: "It has been 20 years since the Army published a field manual devoted exclusively to counterinsurgency operations. For the Marine Corps it has been 25 years. With our Soldiers and Marines fighting insurgents in Afghanistan and Iraq, it is essential that we give them a manual that provides principles and guidelines for counterinsurgency operations. Such guidance must be grounded in historical studies. However, it also must be informed by contemporary experiences."



Well, so much for the Democrats protecting our rights...

http://www.humanevents.com/article.php?id=18510

Pelosi Targets Grassroots Freedom of Speech

by Amanda B. Carpenter Posted Dec 18, 2006

House Speaker-to-be Nancy Pelosi (D.-Calif.) has pledged to take up a lobbying reform proposal that would impose new regulations on speech by grassroots organizations, while providing a loophole in the rules for large corporations and labor unions.



Free is good!

http://www.oculture.com/weblog/2006/12/whats_the_most_.html

December 18, 2006

The Hottest Course on iTunes (and the Future of Digital Education)

What's the most popular podcast in the Higher Education section of iTunes? Ahead of all the podcasts from Princeton, and all of those from Yale, and ahead of the Understanding Computers course from Harvard, and even the psychology course from UC Berkeley, is an unexpected podcast called Twelve Byzantine Rulers: The History of the Byzantine Empire. The course, which focuses on the Greek-speaking Roman Empire of the Middle Ages, is taught by Lars Brownworth, who teaches high school at The Stony Brook School on Long Island, New York. And it gets rave reviews. "I'm disappointed because I don't think I'll ever find a podcast that I enjoy as much as this one." "This podcast has quickly become a hit with me and all of my friends, even those who don't like history so much." You get the gist.

The success of this course makes us think that companies that sell digital lectures for a fee might not be long for this world. Take The Teaching Company for example. They're in the business of selling polished, lecture-based courses, which can often be very well done. And, yes, they too offer a course on the Byzantine Empire that retails in audio download form for $129. So what will the savvy consumer do? Download Brownworth's course for free? Or pay $129? This is not a knock on what The Teaching Company is doing. I like their product and can appreciate their need to sell products to recoup their costs. But you can't compete with free. With so many university courses now taping their courses and putting them on iTunes (see our University Podcast list), you have to wonder whether The Teaching Company is just another once viable business model that is being steadily commoditized by the Internet.

Resources:

12 Byzantine Rulers Web Site

12 Byzantine Rulers Course Feed
