Even relatively small data breaches can
have a serious impact...
By Dissent,
December 20, 2011
Amanda Bronstad reports
that UCLA Health System was sued over a September breach revealed
last month. The potential class action lawsuit, filed December 14,
alleges violations of California’s Confidentiality of Medical
Information Act, which provides for statutory damages of $1,000 per
person. At over 16,000 patients, that could cost them $16.3 million
plus legal fees and other breach-related costs.
The breach
occurred September 6, when an encrypted hard
drive was stolen during a home invasion. [Normally, encryption is a
“get out of jail free” card. Bob] UCLA reported that
although this information was encrypted, the password
was written on a piece of paper near the hard drive and could not be
located. The files on the drive did not include Social
Security numbers or any financial information, but did include first
and last names and may have included birth dates, medical record
numbers, addresses and medical record information.
Bronstad’s report includes an
interesting piece of information, previously unknown to me:
The physician
whose home was burglarized had not worked at UCLA since July.
Of course, that doesn’t mean that the
physician had no need to still access those records, but it may raise
other questions, such as what UCLA Health does to secure patient
records when employees terminate. In this case, the drive was
encrypted, and it may well be that the piece of paper with the
encryption key was merely lost at some other time but went unnoticed
until the burglary. The bigger concern I see is that four years’
worth of patient data were on an external drive held off premises by
someone no longer employed by the health system. Did UCLA know where
all those data were? Someone must have known since individual
notification letters were sent, but the incident certainly should
give us all pause to reflect on how many patients in this country
have their data on external devices or portable devices that are
outside the covered entities’ premises and that could be stolen or
lost – without the covered entity ever finding out (or the
patients, for that matter!). This doctor did the right thing by
reporting the breach, but how would a hospital know if a former
employee still retained data that were subsequently stolen? They
might not know.
And that is today’s scary thought of
the day.
They have a thermostat connected to the
Internet? Cool! Completely unsecured? Stupid! How much sensitive
temperature data do you suppose they lost?
"The Wall
Street Journal is now reporting that a group of hackers in China
breached the computer defenses of the United
States Chamber of Commerce. The intrusion
was quietly shut down in May 2010, while FBI investigations
continue. 'A spokesman for the Chinese Embassy in Washington, Geng
Shuang, said cyberattacks are prohibited by Chinese law and China
itself is a victim of attacks. ... Still, the
Chamber continues to see suspicious activity, they say. A
thermostat at a town house the Chamber owns on Capitol Hill at one
point was communicating with an Internet address in China,
they say, and, in March, a printer used by Chamber executives
spontaneously started printing pages with Chinese characters.'"
According to the article, the group
"gained access to everything stored on its systems" and may
have "had access to the network for more than a year before the
breach was uncovered."
There are some “services” you
really really hope have secured your data...
Norwegian
sex scandal brewing?
December 21, 2011 by admin
A new scandal is brewing. According to
Harald S. Klungtveit and Anders Johansen Holth of Dagbladet in
Norway, hackers have downloaded the entire database of 26,000 users
of a sex-exchange (prostitution) site, Hemmelig.com.
The hackers, who refer to themselves as
Team Appunity, are reportedly threatening to release the entire
database. [Go for it, Dudes! Bob]
There are many problems with
censorship. For example: Who gets to know what has been censored?
Will all the intelligence agencies and ICE and DHS and local cops
know that anyone asking for more than 6 ounces of rock salt is a
potential bio-weapons manufacturer? Will the FBI show up to ensure
that you are using it (and you better prove you used all of it!) to
clear snow from your driveway?
Following up on a disturbing story we
discussed in November, Meshach writes
"The
United States is asking scientific journals publishing details about
biomedical research to censor
articles out of fear that terrorists could acquire the information.
'In the experiments, conducted in the United States and the
Netherlands, scientists created a highly transmissible form of a
deadly flu virus that does not normally spread from person to person.
It was an ominous step, because easy transmission can lead the virus
to spread all over the world. The work was done in ferrets, which
are considered a good model for predicting what flu viruses will do
in people.' The panel cannot force the journals to censor their
articles, but the editor of Science, Bruce
Alberts, said the journal was taking the recommendations seriously
and would most likely withhold some information. Are we heading for
another Rorschach-style
cheat sheet being developed?"
Apparently I'm not the only one
noticing this trend...
You
say regulate, we say delegate, let’s call the whole thing off? EU
and US privacy law
December 20, 2011 by Dissent
Kirsten Sjovoll writes:
It is common
ground that there is relatively little common ground between the US
and the EU in their approach to data protection and privacy
legislation. While the EU operates perhaps the most stringent and
comprehensive system of data protection in the world, the US has
opted for a more piecemeal approach with a focus on industry
self-regulation over a centralised system of legislation. This
divergent approach has resulted in some transatlantic turbulence over
the years, with the Safe Harbour Agreement, which requires US
corporations seeking to trade with EU member states to guarantee that
they will comply with the stricter EU rules on data protection. In
January, the EU will announce even tougher internet privacy
restrictions which will have global reach. Amidst growing concerns
particularly amongst US-based internet companies that the EU is
monopolizing too much of the data discussion, is the US finally
taking a more comprehensive approach to privacy?
Read more on Inforrm.
Kirsten was being quite diplomatic or
tactful in calling the U.S. approach “more piecemeal.” I would
have just called it “half-assed” or dysfunctional.
(Related) Meanwhile, in the US...
EPIC
Sues DHS Over Covert Surveillance of Facebook and Twitter
December 21, 2011 by Dissent
From EPIC.org:
EPIC has filed a
Freedom of Information Act lawsuit
against the Department of Homeland Security to force disclosure of
the details of the agency’s social network monitoring program. In
news reports and a Federal
Register notice, the DHS has stated that it will routinely
monitor the public postings of users on Twitter and Facebook. The
agency plans to create fictitious user accounts and scan posts of
users for key terms. User data will be stored for five years and
shared with other government agencies. The legal authority for the
DHS program remains unclear. EPIC filed the lawsuit after the DHS
failed to reply to an April 2011 FOIA request.
(Related) ...and just to prove that
geeks tend to be more forward thinking and pro-active than Congress
(they put debate off yet again) here is a technical solution to a
problem we don't even have yet.
"The Atlantic reports that one
developer who doesn't have much faith in
Congress making the right decision on anti-piracy
legislation has already
built a workaround for the impending censorship measures being
considered, and called it DeSOPA. Since SOPA would block specific
domain names (e.g. www.thepiratebay.com) of allegedly infringing
sites, T Rizk's Firefox add-on allows you to revert to the bare
internet protocol (IP) address (e.g. 194.71.107.15) which takes you
to the same place. 'It could be that a few members of Congress are
just not tech savvy and don't
understand that it is technically not going to work, at all,'
says T Rizk. 'So here's some proof that I hope will help them err on
the side of reason and vote SOPA down.' Another group called
'MAFIAAFire' decided to respond when Homeland Security's ICE unit
started seizing
domain names, by coding a browser add-on to redirect the affected
websites to their new domains. More than 200,000 people have already
installed the add-on. ICE wasn't happy, and asked
Mozilla to pull the add-on from their site. Mozilla denied the
request, arguing that this type of censorship may threaten the open
Internet."
Perhaps not so innovative (going after
people rather than the Internet services they use) but still I think
it is a first.
UK:
New Approach to Privacy: AMP v Persons Unknown
December 20, 2011 by Dissent
Andrew Murray writes:
I mentioned on
Twitter last week that I was involved in a potentially ground-breaking
court case but that I couldn’t say any more. Well, the
judgement came out this morning. The case is AMP v Persons
Unknown [2011] EWHC 3454 (TCC) and the impact it may have is far
reaching in terms of an alternative to orders being sought against
essentially unregulatable (for the UK courts) offline platforms such
as Twitter or Facebook (see entries passim on CTB v Twitter such as
this one or my evidence to the Select Committee on Privacy and
Injunctions).
Read about the case and some creative
lawyering on The
IT Lawyer. If you’re wondering how you can stop the flow of
files on a torrent site, you’ll want to read the approach as it was
successful in getting court approval. Whether it will actually work
to stem the flow and dissemination of problematic information
remains to be seen.
Proving I'm no Harvard Scholar, I must
admit I don't get it. He seems to be saying that law is like a
pendulum, swinging from left to right to left to right... We knew
that. The question is, should it come to rest at some point (where,
exactly) and should we allow anyone to increase the period of
oscillation?
Orin
Kerr: An Equilibrium-Adjustment Theory of the Fourth Amendment
December 20, 2011 by Dissent
Orin Kerr has an article in the current
issue of Harvard Law Review, “An Equilibrium-Adjustment Theory of
the Fourth Amendment.” Here’s the abstract:
Fourth Amendment
law is often considered a theoretical embarrassment. The law consists
of dozens of rules for very specific situations that seem to lack a
coherent explanation. Constitutional protection varies dramatically
based on seemingly arcane distinctions.
This Article
introduces a new theory that explains and justifies both the
structure and content of Fourth Amendment rules: the theory of
equilibrium-adjustment. The theory of equilibrium-adjustment posits
that the Supreme Court adjusts the scope of Fourth Amendment
protection in response to new facts in order to restore the status
quo level of protection. When changing technology or social practice
expands government power, the Supreme Court tightens Fourth Amendment
protection; when it threatens government power, the Supreme Court
loosens constitutional protection. Existing Fourth Amendment law
therefore reflects many decades of equilibrium-adjustment as facts
have changed over time. This simple argument explains a wide range of
puzzling Fourth Amendment doctrines, including the automobile
exception; rules on using sense-enhancing devices; the decline of the
mere evidence rule; how the Fourth Amendment applies to the telephone
network; undercover investigations; the law of aerial surveillance;
rules for subpoenas; and the special Fourth Amendment protection for
the home.
The Article then
offers a normative defense of equilibrium-adjustment. Equilibrium-adjustment
maintains interpretive fidelity while permitting Fourth
Amendment law to respond to changing facts. Its wide appeal and focus
on deviations from the status quo facilitates coherent decisionmaking
amidst empirical uncertainty and yet also gives Fourth Amendment law
significant stability. The Article concludes by arguing that judicial
delay is an important precondition to successful
equilibrium-adjustment.
You can download the full article from
Harvard Law Review, here.
“Beware of geeks bearing gifts.”
After reading this list of “10
Things our Kids will Never Worry About Thanks to the Information
Revolution” from Forbes, I was inspired to remind people that
technology usually creates just as many problems as it solves. So
here’s my list of the new worries created by the
Information Revolution.
Something for my geeks
SearchCo.de is a very specialized
search service focused on programming code and snippets. When you
enter a keyword, SearchCode looks through thousands of programming
websites, documents and manuals to see if it's part of a programming
language. If found, SearchCo.de not only lists the full command, but
also provides the complete syntax for using the command along with
examples.
Similar tools: Codesnipp.it, Chop, MyCodeStock, Snippshot, WP-Snippets, Snipplr, CodeFetch, CodePaste and TextSnip.