Wednesday, August 29, 2012

I normally skip small ones like this, but on occasion I like to remind you that dumb still exists in the security/privacy arena. What was an employee doing storing (unencrypted?) backup files in his car?
By Dissent, August 28, 2012
Jill Disis reports:
Information on 55,000 patients and employees at an Indianapolis-based cancer center practice is missing.
A spokesman for Cancer Care Group, 6100 W. 96th St., confirmed today that someone stole a computer bag belonging to a Cancer Care Group employee on July 19.
The bag contained information such as names, birth dates, social security numbers, insurance information and addresses.
Read more on IndyStar.
At the time of this posting, the incident is not up on HHS’s breach tool. An article in the Indianapolis Business Journal states that the bag was stolen from an employee’s locked but unattended vehicle. According to the group’s statement:
The bag contained the “Cancer Care Group’s computer server’s back-up media, which contained some patient demographic information, such as name, address, date of birth, Social Security number, medical record number, insurance information, and/or minimal clinical information used for billing purposes only,” the group said.
The bag also reportedly contained similar information about the group’s employees.

(Related) I suppose it could be worse... This is a BYOD organization.
Dakota County medical examiner investigator’s laptop stolen
August 28, 2012 by admin
Sarah Homer reports:
A computer containing photographs of crime scenes and dead bodies was stolen earlier this month from a medical examiner investigator, according to Roseville police.
The personal Toshiba laptop belongs to 25-year-old Navid Amini, a medical examiner investigator for Regina Medical Center, home to the Minnesota Regional Medical Examiner’s Office, which conducts medical examinations in Dakota, Chisago and Goodhue counties.
It was stolen from Amini’s Toyota Rav4 when his car was parked in Roseville’s Central Park parking lot Aug. 8, according to Roseville Police Lt. Lorne Rosand. The laptop is not password protected, Rosand said. [No encryption either. Bob]
Read more on Pioneer Press.
[From the article:
The investigators use personal computers to do their work, she said, adding that as far as she knows, Regina Medical Center has no policy in place that mandates that employees secure their computers with passwords.
"I would have thought everyone had a password on their personal computer but I don't know that there is a policy on that ... it certainly seems like a good idea, though," Thomas said.
… In addition to lacking a password, Amini told police he did not have tracking software installed on his computer, nor could it be remotely disabled.

It took a while, but was probably inevitable. The hack was last summer, wasn't it?
Second Ariz. man charged in Sony Pictures hack
August 28, 2012 by admin
Associated Press reports:
A second suspected member of the LulzSec hacking group was arrested Tuesday in Phoenix for his alleged role in a computer breach at Sony Pictures Entertainment last year, authorities said.
An indictment filed in Los Angeles and unsealed Tuesday charged Raynaldo Rivera, 20, of Tempe, Ariz., with one count each of conspiracy and unauthorized impairment of a protected computer.
Rivera was known as “Neuron” and “Royal.”
Read more on The Mercury News.

It might be fun to link this to the various laws...
Imation Compliance Heat Map
August 28, 2012 by admin
From Imation:
To help businesses and IT pros navigate the compliance landscape and develop secure and functional infrastructures for data storage and protection, Imation created a Compliance Heat Map to depict the strictness of data breach laws and resulting penalties for breaches by state. Based on first-hand experience working with companies that face compliance challenges, Imation evaluated laws on record at the state level in the 50 United States, the District of Columbia, Puerto Rico and the U.S. Virgin Islands, and reviewed publicly available analyses created by other companies to develop the Compliance Heat Map. The map graphic contains a grid that depicts each state’s compliance score and a color scale – which ranges from light yellow to dark red – to denote the strictness of each state’s compliance laws and regulations.
Download the full Compliance Heat Map for additional information.

Back in New Jersey, “lip service” consisted of grabbing a lower lip and pulling it up and over their head. This sounds like a big fine, but will it be as memorable? Might be worth a read...
Paying Lip Service to Privacy
August 29, 2012 by Dissent
Jeffrey Roman writes:
News of Google’s $22.5 million settlement with the Federal Trade Commission has come and gone, yet privacy issues reflected in the case remain a concern. Where are the gaps and how can companies fill them? Attorney Francoise Gilbert offers details.
“Many companies just pay lip service to privacy,” says Gilbert of the IT Law Group in an interview with Information Security Media Group’s Tom Field [transcript below]. “They have a privacy policy on their website because that’s what’s expected from them, but they don’t go beyond that.”
Two aspects of the Google case that fascinate Gilbert are that Google misrepresented its practices in its privacy policy, and the company misrepresented its compliance with the Self-Regulatory Code of Conduct of the Network Advertising Initiative.
Read more on BankInfoSecurity.
[From the article:
In an interview about the legal ramifications of the Google case, Gilbert discusses:
  • The FTC's message in cracking down on Google;
  • How organizations need to respond to this case;
  • The important takeaways for privacy professionals.

The briefs sum up the argument reasonably well.
Can Magistrate Judges Deny Statutory Surveillance Orders Based on Prospective Fourth Amendment Concerns?
August 29, 2012 by Dissent
Orin Kerr writes:
On October 2, the Fifth Circuit will hold oral argument in case No. 11–20884, In Re Applications of the United States for Historical Cell-Site Data. In this case, the United States applied for a court order under the Stored Communications Act to compel cell phone providers to disclose location information about particular phones suspected in criminal investigations. The magistrate judge denied the applications on the ground that he expected that the orders would be executed in ways that will violate the Fourth Amendment. The government has appealed the denial of the orders, arguing that the orders will be executed in ways that comply with the Fourth Amendment. Although the government is the only party to the litigation, several amici have chimed in on the merits to defend the denial of the applications on the ground that the magistrate judge was right to fear that the orders would be implemented in ways that would violate the Fourth Amendment. You can read the various briefs here, and the government’s reply to the amicus briefs is here.
Read more on The Volokh Conspiracy.

For my Statistics students. No, this is not what I meant when I said Statistics is used in business! (But note that the probability is correct.)
