Monday, January 18, 2010

Oh, don't worry about that. We're just testing the system with live data. Just like the Best Practices manual says to “Never DO!”

http://www.databreaches.net/?p=9504

UK: ContactPoint database suffers ’serious’ security breaches during trial phase

January 18, 2010 by admin Filed under Exposure, Government Sector, Lost or Missing, Non-U.S., Paper, Unauthorized Access

Andrew Hough and Martin Beckford report:

The controversial database containing personal details of all 11 million children in England has suffered at least three security breaches even before its nationwide launch.

At least 51,100 people have also demanded to have their personal information hidden from users of ContactPoint amid persistent fears that it is unsafe.

The investigation by The Daily Telegraph has led to renewed criticism of the delayed £224 million computer system, which is meant to protect young people by creating a single register of their contact details. [...]

But there have been at least three security breaches so far, in London, Staffordshire and Surrey, according to details obtained under the Freedom of Information Act.

One “serious” breach involved two staff at Westminster City Council, where many politicians and public figures live, losing details of children that had been originally stored in an envelope. [“But it was a sealed envelope, so the information is not easily viewed!” Bob] [...]

Two of the councils that acted as “trailblazers” for the information-sharing project in 2005 were forced to investigate after staff breached guidelines on data use.

East Sussex County Council said: “There was one incidence of inappropriate behaviour in the early stages of the project, with one practitioner sharing access information with a colleague who had not yet received access information.

“Both accounts were suspended until the issue was dealt with through the [council’s] usual disciplinary procedures.”

Sheffield City Council said: “There have only been two incidents that have required formal investigation – both were identified by the internal auditing built into the system.

“The two incidents referred to above were considered to be ‘inappropriate use’ of the system by authorised users as per our user guidelines.”

Read more in the Telegraph.



We seem to be edging closer to recognition of harm deriving from the breach. I'm not certain how it will finally be defined, but I'm sure it will eventually happen.

http://www.databreaches.net/?p=9501

(follow-up) Northern District of Illinois Foreshadows Tough Row[e] to Hoe for Identity Exposure Plaintiff, but Denies Motion to Dismiss

January 17, 2010 by admin Filed under Breach Incidents, Healthcare Sector, Of Note

Brendon Tavelli writes:

On January 5, 2010, Judge William Hibbler of the U.S. District Court for the Northern District of Illinois became the latest federal district judge to share his views about whether an increased risk of future harm based on the inadvertent exposure of personal information is a legally cognizable harm. In Rowe v. UniCare Life & Health Insurance Co., No. 1:09-cv-2286 (N.D. Ill. Jan. 5, 2010), Judge Hibbler denied the defendant’s motion to dismiss for failure to state a claim because, in his view, after drawing all reasonable inferences in the plaintiff’s favor, the plaintiff’s complaint satisfied the minimal pleading standard required to survive a motion to dismiss. Nevertheless, in his written opinion, Judge Hibbler hinted that the plaintiff’s claims for violations of the Fair Credit Reporting Act (“FCRA”) and the Illinois Insurance Information and Privacy Act, as well as his common law claims of invasion of privacy, negligence and breach of implied contract, may ultimately be dismissed if the plaintiff failed to show a basis for damages other than his alleged increased risk of future harm, such as identity theft.

Read more on Privacy Law Blog.

This lawsuit may be related to the Wellpoint/Unicare breach that was first exposed by PogoWasRight.org. If so, there are aspects of the lawsuit that are puzzling to me, but perhaps the plaintiff never read PogoWasRight.org’s coverage of the circumstances of the breach.



http://www.phiprivacy.net/?p=1856

FTC: Health Breach Notification Rule

By Dissent, January 18, 2010 8:46 am

From the FTC:

Does your business or organization have a website that allows people to maintain their medical information online? Do you provide applications for personal health records – say, a device that allows people to upload readings from a blood pressure cuff or pedometer into their personal health record? [Like a Fitness Record at a gym? Bob]

The American Recovery and Reinvestment Act of 2009 includes provisions to strengthen privacy and security protections for this new sector of web-based businesses. The law directed the Federal Trade Commission to issue a rule requiring companies to contact customers in the event of a security breach. After receiving comments from the public, the FTC issued the Health Breach Notification Rule.

Under the FTC’s Rule, companies that have had a security breach must:

  1. Notify everyone whose information was breached;

  2. In many cases, notify the media; and

  3. Notify the FTC.

The FTC has designed a standard form for companies to use to notify the FTC of a breach. The FTC will begin enforcement on February 22, 2010.

The FTC’s Health Breach Notification Rule applies only to health information that is not secured through technologies specified by the Department of Health and Human Services. Also, the FTC’s Rule does not apply to businesses or organizations covered by the Health Insurance Portability & Accountability Act (HIPAA). In case of a security breach, entities covered by HIPAA must comply with HHS’ breach notification rule.

Interestingly, the list of choices for Type of Breach lists:

  • Lost or stolen laptop, computer, flash drive, disk, etc.

  • Stolen password or credentials

  • Unauthorized access by an employee or contractor

  • Hacker

  • Other (describe)

I might have broken it down a bit more to list malware, exposure due to file-sharing application, exposure due to insider error (such as email attachment). I would also include a sub-level for lost/stolen that asks whether the device was lost or stolen from the premises, off-premises, or unknown. And I’d give them an option to check if the company received an extortion attempt. But that’s just me — I love to get more data that can be analyzed and having specific bullets as opposed to “describe” for “other” could facilitate data analysis.

H/T, HIPAA Blog.



Hey! You're a felon, You got no rights.

http://www.pogowasright.org/?p=7081

WI: State’s DNA letter to felons may yield future setbacks in court

January 18, 2010 by Dissent Filed under Surveillance

Ben Poston reports:

A letter being sent by the Wisconsin Department of Corrections that orders released felons to submit DNA samples or face prosecution [failure to be submissive is a crime? Bob] may exceed the state’s authority and undermine future cases, legal experts, defense attorneys and even one prosecutor say.

The concerns are important because the use of DNA evidence obtained under questionable grounds could later be challenged in court if it is used to prosecute a future crime.

The notices have been mailed out by the Corrections Department since December to about 700 of the more than 11,000 offenders whose profiles are missing from the state DNA databank and who already have completed their sentences. [Obviously not. Bob]

Read more in the Journal Sentinel. Hat-tip, FourthAmendment.com.



Ah dudes and dudettes (is “dudettes” politically incorrect? One can only hope), this is the result of those zero tolerance rules. Police apparently don't monitor Twitter (they got a tip) as they don't consider it a terrorist tool (where they could prevent an incident).

http://yro.slashdot.org/story/10/01/18/0738253/Police-In-Britain-Arrest-Man-For-Bomb-Threat-Joke-On-Twitter?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Police In Britain Arrest Man For Bomb-Threat Joke On Twitter

Posted by timothy on Monday January 18, @04:42AM from the credibility-gap-looms dept.

An anonymous reader writes

"A British man was arrested under anti-terrorism legislation for making a bomb joke on Twitter. Paul Chambers, 26, was arrested under the provisions of the Terrorism Act (2006). His crime? Frustrated at grounded flights over inclement weather, he made a joke bomb threat on the social networking site Twitter."

[From the article:

A week after posting the message on the social networking site, he was arrested under the Terrorism Act and questioned for almost seven hours by detectives who interpreted his post as a security threat. After he was released on bail, he was suspended from work pending an internal investigation, and has, he says, been banned from the Doncaster airport for life. “I would never have thought, in a thousand years, that any of this would have happened because of a Twitter post,” said Mr Chambers, 26. “I’m the most mild-mannered guy you could imagine.”

Click here to read the full story in the Independent

[From the Independent:

He has been bailed until 11 February, when he will be told whether or not he will be charged with conspiring [no indication with whom Bob] to create a bomb hoax. In the interim, detectives have confiscated his iPhone, laptop and home computer.

The civil libertarian Tessa Mayes, an expert on privacy law and free speech issues, said: "Making jokes about terrorism is considered a thought crime, mistakenly seen as a real act of harm or intention to commit harm.

"The police's actions seem laughable and suggest desperation in their efforts to combat terrorism, yet they have serious repercussions for all of us. In a democracy, our right to say what we please to each other should be non-negotiable, even on Twitter."



Likely to be more and more common as users find more and more services that provide huge volumes of data. Universities don't offer “unlimited plans,” but they don't limit your use either. If you rely on the University system, having your paid service cut off could be rather annoying. Oh well, back to the pirate services – that don't seem to overload the University's network.

http://eu.techcrunch.com/2010/01/18/oxford-university-takes-a-dislike-to-spotify-bans-it/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

Oxford University takes a dislike to Spotify, bans it

by Mike Butcher on January 18, 2010

Oxford University has taken a fairly drastic measure against music startup Spotify. It’s banned it.

The University’s computing services, OUCS, says the service is using too much bandwidth for their networks to handle. But no warning was given and students are understandably rather annoyed.



I'll have to see how this works. If the “limited number” is reasonable, no problem. If I have to hack it, there are several sites that will make each of my requests for an article appear to come from a new and unique user. But actually, there is very little I get from the NY Times that I can't get elsewhere.

http://news.cnet.com/8301-1023_3-10436455-93.html?part=rss&subj=news&tag=2547-1_3-0-20

Report: New York Times to charge online readers

by Steven Musil January 17, 2010 11:05 AM PST

… The newspaper is expected to announce in coming weeks that it will institute a metered pay plan in which readers would have access to a limited number of free articles before being invited to subscribe, according to a report in New York magazine that cited sources close to the newsroom.

The report also suggests that a content deal could be in the works for Apple's long-rumored tablet, which many expect to be unveiled on January 27.



For my Computer Security class. I might have spotted it, but only because I tend to pull on things that don't look like they are firmly attached...

http://www.krebsonsecurity.com/2010/01/would-you-have-spotted-the-fraud/

Would You Have Spotted the Fraud?

Pictured below is what’s known as a skimmer, or a device made to be affixed to the mouth of an ATM machine and secretly swipe credit and debit card information when bank customers slip their cards into the machines to pull out money.



If there is really a market here, would a better business model try to limit the scope to one topic at a time? Is “law” too broad?

http://www.techcrunch.com/2010/01/17/aol-owl-seed/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

Aol Quietly Launches An Expert Site Called Owl, and Feeds It Seed

by Erick Schonfeld on January 17, 2010

Aol’s answer to Wikipedia is Owl, a new site described as “a living, breathing library where useful knowledge, opinions and images are posted from experts the world over.”

Owl seems more of a testbed for Seed than anything else. Seed, of course, is Aol’s new low-cost content management system for soliciting articles and photographs for its network of existing Websites. Owl will crowdsource freelance work from “experts” who submit articles about movies, books, health, sports, money, parenting, computers, and other topics.

An “expert” is anyone who gets approved through Seed. Contributors get paid a little bit and the articles tend to be more how-to advice such as “How To Survive A Long Flight”, “The Right Way To Pop a Zit,” and “Top 5 Ways To Score Free Food.” It’s all very search-engine friendly.

Actually, Owl is less like Wikipedia than it is like Helium, which also pays for expert articles and has been around for more than three years. Right now, Owl is rather spare. Most of the articles still seem to be written by Owl/Aol staff instead of contributors. That should change once more people find out about it.



I have my own Invoice generator, but this could be useful for those just starting in consulting.

http://www.invoiceapp.com/

Invoice App

Invoice App is free, fast and amazingly simple!

Create beautiful invoices, track their payment status and upload your own invoice templates.



I'm considering this or something similar for my website class, but I never have them actually print to paper. At least, submissions would have the same appearance...

http://www.makeuseof.com/dir/prettyprinter-online-code-formatting/

PrettyPrinter: Online Code Formatting Tool

Pretty Printer is an online source code formatting utility. It’s an elegant tool to effectively format your code, based on the options available. Just copy and paste your source code into the field provided, check mark the appropriate options and click on ‘submit query‘. Then you will be provided with the corresponding formatted code.

www.prettyprinter.de

Similar websites: Ideone, Ecoder, TextSnip, CodeFetch and CodePaste.



Dilbert again explains Management by PowerPoint.

http://dilbert.com/strips/comic/2010-01-18/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+DilbertDailyStrip+%28Dilbert+Daily+Strip%29
