Sunday, November 18, 2012
Fair is fair. I agree this is far better than most. Still, nothing on HOW the breach occurred (so we have no way to know if it was even fixable) or HOW MANY accounts were compromised (Enough to create a material financial event?)
Breach notification done right?
November 17, 2012 by admin
I spend a lot of time criticizing breach notifications, so it’s nice when I can occasionally point to a positive example.
Without considering whether the breach could have been prevented, consider this notification letter from Nationwide Insurance, dated November 16:
We want to make you aware that a portion of our computer network was criminally attacked and we believe that the attack compromised some of your information. We are very sorry that this situation has occurred. Protecting the privacy and security of your information is a top priority for us, and we want to assure you that we have taken steps that will prevent this type of attack from happening again. Although we are not aware of any misuse of your information at this time, we want to inform you about the situation and encourage you to take the steps below, including taking advantage of the credit monitoring and identity theft protection product we are providing to you at no charge.
On October 3, 2012, a portion of our computer network that is used by Nationwide Insurance agents and Allied Insurance agents was criminally intruded upon by an unidentified criminal perpetrator. We discovered the attack that day, and took immediate steps to contain the intrusion. We believe that we successfully contained the attack through our responsive actions.
We promptly initiated an investigation of the attack and on October 16, 2012, we determined that the criminal perpetrator had likely stolen some personal information from our systems. On November 2, 2012, we received confirmation of the identities and addresses of the individuals whose personal information we believe was compromised. Although we are still investigating the incident, our initial analysis has indicated that the compromised information included your name and [Social Security number, driver’s license number, date of birth] and possibly your marital status, gender, and occupation, and the name and address of your employer. At this time, we have no evidence that any medical information or credit card account information was stolen in the attack.
You can read the full letter on the California AG site.
I realize that there are some states where notification 6 weeks after the discovery of the incident would violate a timeliness provision in reporting, but overall, they detected the breach quickly, secured it quickly, and within one month, were able to construct a list of affected individuals. Could they have gotten the actual letter out faster than two weeks from confirmation of identities and addresses? Probably, but overall, I’m favorably impressed. Your mileage may vary.
If your organization “permits” Google Docs, it will be difficult to block this communication.
"Windows 8 may block most malware out of the box, but there is still malware out there that thwarts Microsoft's latest and greatest. A new Trojan variant, detected as Backdoor.Makadocs and spread via RTF and Microsoft Word documents marked as Trojan.Dropper, has been discovered that not only adds a clause to target Windows 8 and Windows Server 2012, but also uses Google Docs as a proxy server to phone home to its Command & Control (C&C) server."
Today, forcing ISPs to comply. Tomorrow, forcing parents to comply?
First time accepted submitter fustakrakich writes with news reported in The Telegraph of new anti-pornography regulations ordered by UK Prime Minister David Cameron:
"The new measures will mean that in future anyone buying a new computer or signing up with a new internet service provider (ISP) will be asked, when they log on for the first time, whether they have children. If the answer is "yes", the parent will be taken through the process of installing anti-pornography filters, as well as a series of questions on how stringent they wish the restrictions to be, according to a newspaper."
[From the article:
The options include allowing parents to impose timed access limits on explicit material, or preventing children from viewing social networking sites such as Facebook during particular hours of the day.
Ministers will also tell ISPs to impose "appropriate measures" to make sure that those setting the controls are over 18, according to the Daily Mail.
… Ministers are expected to tell ISPs that they must bring in the new rules or face legislation.]
Interesting. Why? Are clients tighter with a buck, or is it “We don't need no stinking research”? Or maybe, “Hey, Google is free!”
November 18, 2012
New surveys indicate sea change in legal research billing costs to clients
Rachel M. Zahorsky, ABA Journal: "More and more billing partners are knocking research costs off invoices before they’re even submitted to clients, legal consultant Rob Mattern of Mattern & Associates recently told me... This trend is apparent at firms that negotiate deals with research providers but historically haven’t passed along discounts they received to their clients, sometimes as a means to collect on other, nonbillable items, Mattern added. Mattern's firm’s 2012 Cost Recovery survey reported an influx of firms with clients who either balked at or outright refused to pay for legal research. While some firms have adopted policies to charge clients only the hard costs billed to them, others are adding legal research charges to the cost of doing business. In fact, 43 percent of law firm respondents said they absorb more of their legal research costs today than in 2010, according to a recent Bloomberg Law survey of 97 law firms, ranging from 50 to more than 400 attorneys. And transactional matters are less likely to recover legal research costs than litigation."