Friday, August 27, 2010

They just think differently in Pennsylvania...

Lower Merion webcam plaintiff's attorney again demands payment

By Derrick Nunnally Inquirer Staff Writer

Despite a hostile initial response from the Lower Merion School District, the lawyer handling the webcam lawsuit against it repeated his demand Monday to be paid more than $400,000 while the case is pending.

In an Aug. 12 federal court filing, the district attacked attorney Mark S. Haltzman for a bill that it said "far exceeds the bounds of reasonableness" and for suing in the first place instead of going directly to school officials. Concerns over the webcam surveillance of Harriton High School student Blake Robbins, the district said, could have been handled without the expense of litigation.

Haltzman responded on both fronts Monday, defending his accounting and the decision to take the matter to court - backing the latter up with the first public glimpse at the sworn statements given by school district officials in the case.

In a sliver of a transcript from a June deposition - eight of the document's 296 pages - included with the filing, district information services coordinator Carol Cafiero said that the principals of Lower Merion and Harriton High Schools blocked an attempt to end the webcam monitoring.

She described a Nov. 10 meeting with the principals and Cafiero's boss, information services director George Frazier, over the surveillance program.

"The principals were on the side of keeping it going," Cafiero said. "Mr. Frazier wanted to stop and get a policy."

Although the meeting happened two weeks after school officials tapped Robbins' computer and saw pictures from within his house, Cafiero said the discussion was about the general policy, rather than any student.

Cafiero's attorney, Charles Mandracchia, said Monday that the excerpt fairly characterized her extended deposition. Cafiero remains on paid administrative leave from her district job, he said.

Cafiero's claim of a rift over whether to continue the schools' use of remote webcam monitoring to track computers thought to be misplaced has been debated for months. In April, she told The Inquirer that administrators at that November meeting had wanted to keep using the feature.

But a May report made by the Ballard Spahr law firm for the district said "all of the known attendees of that meeting" had no recollection like that.

Haltzman, however, made the deposition a linchpin Monday in his quest to get paid while litigating the case.

Proving that the lawsuit he filed for Robbins ended the webcam surveillance and other privacy violations in the case would allow Haltzman to begin collecting attorney's fees and other court costs as a winning party, though the decision rests with U.S. District Judge Jan E. DuBois.

Lawyer Henry E. Hockeimer Jr., who represents the school district in the case, declined to comment Monday. In the Aug. 12 filing, he attacked Haltzman for a bill that "far exceeds the bounds of reasonableness" and for suing in the first place instead of going directly to school officials.

In Monday's filing, Cafiero's deposition was cited to defend the escalation to court.

"Surely if the school's own IT director was unable to stop the practice," Haltzman wrote, "what chance did a mom have to get the surveillance stopped?"

He also defended the costs at which the district's attorneys had balked, including the cost of hiring technical experts to analyze computer records. In an interview, Haltzman called one item "ironic" for a lawsuit over surveillance: the school district's objection to paying a $4,836 charge for videotaping the depositions.

"At least I was doing it with the full knowledge of everybody in the room," Haltzman said. "The school district did it without anybody knowing about it."

(Related) The next kerfuffle?

LMSD to install GPS tracking units in its bus fleet

Will this become a trend? (If not, why not?)

Connecticut Insurance Commissioner Announces Data Breach Notification Mandate

August 27, 2010 by admin

Joseph Lazzarotti of Jackson Lewis writes:

On August 18, 2010, the Connecticut Insurance Commissioner issued Bulletin IC-25 which mandates that entities within its jurisdiction notify the Department of Insurance of any “information security incident.” This post provides a brief summary of this new requirement.


What is an “information security incident”?

Under this Bulletin, an information security incident is:

any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted, of a Connecticut insured, member, subscriber, policyholder or provider, in whatever form the information is collected, used or stored, which is obtained or maintained by a licensee or registrant of the Insurance Department, the loss of which could compromise or put at risk [Isn't that the reason encrypted data is normally excluded? Bob] the personal, financial, or physical well being of the affected insureds, members, subscribers, policyholders or providers.

Thus, unlike the general Connecticut data breach notification statute, which requires notification only with respect to computerized personal information, this mandate applies to paper documents which include personal health, financial or personal information. Also, encrypted data is not exempt from this notification requirement.

Read more about the new bulletin on Workplace Privacy Data Management & Security Report. The state is now requiring covered entities to provide it with a lot of detailed information within five (5) calendar days after a breach is identified.

Obviously, I’m delighted to see the inclusion of paper records and the absence of a “significant harm” threshold. Without knowing the history of this bulletin, I might guess that it is, at least in part, a reaction to a number of breaches by health insurers where neither the state nor residents were promptly notified of a breach and where the state’s attorney general investigated the breaches and insisted that the insurers offer credit monitoring services, etc.

That said, this situation also highlights the patchwork quality of regulations and statutes even within one state, much less between states. Can you hear me now, Congress?

More on your Privacy Policy as a contract...

Never Make a Promise You Can’t Keep- Especially in Your Privacy Policy

August 26, 2010 by Dissent

Kevin Khurana of Proskauer writes:

Expect the unexpected from your Web site privacy policy. In a handful of cases, including two which were recently decided, companies have been thwarted in various, unexpected ways by the commitments made in their online privacy policies.

Are your intellectual property litigators reading your privacy policy?

In FenF, LLC v. Healio Health, Inc., No. 5:08-CV-404 (N.D. OH July 8, 2010), the court held that a provision from a settlement agreement entered into by FenF, LLC (“FenF”), the plaintiff, and Healio Health, Inc. (“Healio”), the defendant, which required Healio to transfer certain customer information to FenF was unenforceable because doing so would result in a violation of Healio’s privacy policy.

Read more about this and the other cases where privacy policy came into play on Proskauer Law Blog.

“Just because everyone agrees we should do something doesn't mean anyone actually will do something.” As an Auditor (or an Ethical Hacker) I'd probably want to re-test periodically just to ensure someone didn't turn off a security feature to speed performance.

NIST Publishes Approved Testing Procedures for Electronic Health Records

… Starting next year, the federal government will provide extra Medicare and Medicaid payments to health care providers that implement EHR systems certified to meet ONC requirements that conform to technical standards and are put to “meaningful use,” performing specifically defined functions.

These ONC-approved test procedures help ensure that electronic health records function properly and work interchangeably across systems developed by different vendors. The set of 45 approved test procedures evaluate components of electronic health records such as their encryption, how they plot and display growth charts, and how they control access so that only authorized users can access their information.

(Related) This is the modern equivalent of “We can't afford insurance.”

Panda: 46 percent of U.S. SMBs victimized in 2010

“Many SMBs simply don’t have the resources in terms of budget, time and human capital to devote to protecting their computers and sensitive data,” said Sean-Paul Correll, threat researcher at PandaLabs.

… The entire report can be viewed by clicking here.

For my Ethical Hackers. Passwords should be longer AND contain numbers and symbols. But then, add more layers for real protection.

Longer passwords not solution to better security

August 26, 2010 by admin

Vivian Yeo reports on industry responses to a recent research report from the Georgia Tech Research Institute suggesting users should create longer, 12-character, passwords:

… Ronnie Ng, Symantec’s systems engineering manager for Singapore, told ZDNet Asia that the username-and-password application is the “first and only layer of defense” for many information systems in organizations today. Hence, while brute force attacks are the least sophisticated of attacks, they remain very effective, he explained in an e-mail.

Ng added: “Probability dictates that the longer a password is, the more difficult it will be to crack.” Symantec recommends a minimum password length of eight characters for typical users, and at least 15 for administrators.

However, more than just length, users need to consider the “depth and width” of the password. He said a secret code with depth refers to one that is not conventional or easily guessable, while width refers to the use of numbers and symbols alongside letters.

Concurring, Victor Keong, executive director of IT advisory services at KPMG in Singapore, pointed out that long passwords do not necessarily equate to strong passwords.

Read more on ZDNet (Asia)
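To put Ng's "length versus width" point in numbers, here is a small Python calculator. It is added here as an illustration and is not code from ZDNet, Symantec, KPMG or the Georgia Tech report. The guess rate of 10^10 per second is an order-of-magnitude assumption for an offline attack on a fast, unsalted hash, not a measurement, and the sample passwords are made up. Note what the arithmetic does and does not capture: it measures only brute force (Ng's "width" times length), not "depth", so a password built from dictionary words scores far higher here than it deserves.

```python
import math
import string

# Character classes that contribute to a password's "width" (the alphabet an
# attacker must enumerate). string.punctuation is the 32 printable ASCII symbols,
# so all four classes together give 26 + 26 + 10 + 32 = 94.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# Assumed offline guess rate (GPU rig against a fast unsalted hash). This is an
# assumption for the worked numbers, not a measurement; online login forms are
# rate-limited and see a tiny fraction of this.
GUESSES_PER_SECOND = 1e10


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must assume, inferred from which character classes
    the password actually uses; characters outside the four ASCII classes
    (spaces, non-ASCII) are counted individually on top."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    extra = {c for c in password if not any(c in cls for cls in CLASSES)}
    return size + len(extra)


def brute_force_keyspace(length: int, alphabet: int) -> int:
    """Candidates of exactly this length over this alphabet. All shorter
    lengths together add less than 1/(alphabet-1) of this again, so the
    exact-length figure is the dominant term."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int) -> float:
    """log2 of the keyspace: the usual yardstick for comparing length against width."""
    return length * math.log2(alphabet)


def expected_crack_seconds(keyspace: int,
                           guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit a password chosen uniformly from the keyspace: on
    average the attacker covers half the space before finding it."""
    return keyspace / 2 / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits, one decimal place."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def analyze(password: str, guesses_per_second: float = GUESSES_PER_SECOND) -> dict:
    """Length, inferred alphabet, entropy in bits and expected brute-force time."""
    alphabet = alphabet_size(password)
    space = brute_force_keyspace(len(password), alphabet)
    return {
        "length": len(password),
        "alphabet": alphabet,
        "bits": entropy_bits(len(password), alphabet),
        "expected_time": human_time(expected_crack_seconds(space, guesses_per_second)),
    }


if __name__ == "__main__":
    # Constructed samples: 8 characters of full width against 8, 12 and 19
    # characters drawn from narrower alphabets.
    for pw in ("P@ssw0rd", "letmein1", "correcthorse", "correcthorsebattery"):
        r = analyze(pw)
        print(f"{pw:22} len={r['length']:2} alphabet={r['alphabet']:3} "
              f"bits={r['bits']:5.1f} expected={r['expected_time']}")
```

Run as-is, the table shows why neither side of the argument is wrong: 12 lowercase letters (about 56 bits) already beat 8 characters drawn from all four classes (about 52 bits), but an 8-character password of letters and digits falls in minutes at the assumed rate, and nothing in this count distinguishes "correcthorse" from twelve random letters.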

(Related) A list of actual passwords is a good starting point for “dictionary attacks”

Researcher Creates Clearinghouse Of 14 Million Hacked Passwords

August 26, 2010 by admin

Andy Greenberg reports:

Canadian researcher Ron Bowes has created a sort of Wall of Sheep for the entire Internet. By simply collecting all the publicly-spilled repositories of users’ passwords from recent hacking incidents, he’s created a clearinghouse for stolen passwords on his Web site–14,488,929 distinct passwords to be exact, collected from 32,943,045 users.

Bowes didn’t steal these passwords, and they’re not associated with usernames, an extra piece of data that would make listing them far more dangerous. All but 250,000 or so became public after the breach of, a social networking applications site penetrated by cybercriminals using an SQL-injection. Another 180,000 were spilled when the bulletin board software site phpbb was hacked using a vulnerability in one of the site’s plugins. 37,000 more were stolen from MySpace using phishing techniques.

Read more on Forbes.
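What a list like Bowes' is actually used for, as an added example rather than anything from Forbes, Bowes or the breached sites: a dictionary attack that takes each leaked password, applies a few "mangling" rules of the kind cracking tools use (case changes, leet-speak substitutions, common suffixes), and tests every candidate against a set of salted hashes. The eight-entry wordlist, the rule set, the user database and the SHA-256 storage scheme are all constructed for the demonstration. Per-user salts are included deliberately to show what they do and do not buy: they defeat precomputed tables, but each candidate still costs only one hash per record.

```python
import hashlib
import os

# Constructed stand-in for a leaked-password list (a real one, like the
# 14-million-entry set in the article, is vastly larger). Most common entries
# come first so they are tried first.
LEAKED_PASSWORDS = ["123456", "password", "iloveyou", "princess",
                    "rockyou", "abc123", "letmein", "monkey"]

# A small mangling rule set: leet substitutions (lowercase only) and suffixes.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ("1", "!", "123", "2010")


def mangle(word: str):
    """Yield candidates derived from one wordlist entry in a fixed order: each
    case variant, its leet form, then each of those with the common suffixes."""
    bases, seen = [], set()
    for w in (word, word.capitalize(), word.upper()):
        for v in (w, w.translate(LEET)):
            if v not in seen:
                seen.add(v)
                bases.append(v)
    for b in bases:
        yield b
        for suffix in SUFFIXES:
            yield b + suffix


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256 as the stand-in storage scheme. A fast hash like this is
    exactly what makes the loop below cheap; a slow KDF (bcrypt, scrypt)
    multiplies every guess by its work factor."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_record(password: str) -> tuple:
    """(salt, digest) as a site would store it, with a fresh random salt."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def dictionary_attack(records: dict, wordlist) -> tuple:
    """Try every mangled candidate against every not-yet-cracked record.
    Returns ({user: (password, guess_number)}, total_guesses)."""
    cracked, guesses = {}, 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            for user, (salt, digest) in records.items():
                if user not in cracked and hash_password(candidate, salt) == digest:
                    cracked[user] = (candidate, guesses)
            if len(cracked) == len(records):
                return cracked, guesses
    return cracked, guesses


def build_demo_records() -> dict:
    """Constructed user database: two passwords derived from wordlist entries
    (one of them 9 characters with upper case, digits and a symbol) and one
    random 12-character password."""
    return {
        "alice": make_record("password"),
        "bob": make_record("Pr1nc355!"),
        "carol": make_record("xq7#Lm2pV9dz"),
    }


def run_demo() -> tuple:
    return dictionary_attack(build_demo_records(), LEAKED_PASSWORDS)


if __name__ == "__main__":
    records = build_demo_records()
    cracked, guesses = dictionary_attack(records, LEAKED_PASSWORDS)
    for user, (pw, n) in cracked.items():
        print(f"{user}: {pw!r} recovered on guess {n}")
    print(f"{guesses} candidates tried; not recovered: "
          f"{sorted(set(records) - set(cracked))}")
```

The point for the password debate above: "Pr1nc355!" would score as 94^9 by any length-times-width arithmetic, yet it falls on the 73rd guess because its root is on the list, while the random 12-character password survives all 175 candidates. With a real wordlist and a real rule set the candidate count runs into the billions, which is why a slow KDF and, for administrators, a second factor matter more than a few extra characters.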

Clips for classes?

YouTube Debuts New Movies Section With 400 Free, Full-Length Films (Updated)

YouTube has launched a fresh Movies category on its website, gathering about 400 full-length films for your on-demand viewing pleasure, all free of charge.

… What can you find there? Loads of Bollywood flicks, a bunch of Bruce Lee and Jackie Chan films, obscure horror movies and cartoons, among many other sections.
