Monday, January 07, 2013

I'll believe they mean “excess of caution” when their actions occur before the breach – like encrypting their sensitve data.
Over on, I was entering a security breach notification sent by Atlanta-based Oldcastle APG, Inc. They had informed the New Hampshire Attorney General’s Office that a laptop containing over 5,000 employees’ names, Social Security numbers, and bank account information had been stolen from an employee’s car. As required by the state. they had attached a copy of the notification letter they were sending to employees, and I read it to see it provided any additional details not included in their cover letter. It didn’t.
But then I came to this statement in their notification to employees:
Okay, maybe programs that wipe data if the stolen laptop connects to the Internet are of value. But if a thief simply powers up without connecting, then there’s all that valuable unencrypted data just waiting to be misused, isn’t there?
So is it really an “excess of caution” to notify people that their SSN’s and bank account information are in the wild? Especially when the law requires you to notify them?
I don’t think so. Do you?

More than I thought...
By Dissent, January 7, 2013 10:07 am
Infographics are getting as overused as PowerPoint, but occasionally I see one that catches my eye with an interesting finding. Case in point: this infographic with the results of a U.S. patient survey conducted in 2011 by FairWarning (open in new window and click to enlarge).
Some of the data were pretty much what I expected to see based on experience in covering breaches, but how far patients might drive because of privacy concerns surprised me. And what surprised me more was that how patients learn about a breach might make even more of a difference in whether they leave the provider or stay following a breach than I would have thought. If patients find out from the provider, 19.1% said they would leave, but if they find out through the media, 64% said they’d leave. FairWarning’s finding is consistent with what I’ve always advised entities: get out ahead of the story. Of course, what patients say they would do and what they actually do once in they are in a situation is not necessarily the same, but a subset of their sample had experienced breaches, and their most dramatic finding not included in the infographic was the following (emphasis added by me):
6 percent of patient respondents indicated they had been alerted their medical records had been compromised. As a result of the breach, 60 percent indicated they no longer seek care from that provider.
Of course, FairWarning’s sample is not a truly random sample and is based on 1,265 online responses to 10,000 requests that were sent out, so we’re talking about 6% of 1265 respondents having been notified of a breach, and 60% of those patients changing providers. Even so, that’s a surprisingly high statistic, isn’t it?
While FairWarning’s findings may serve as incentive to invest in privacy and security controls, it may also serve as an incentive to cover up a breach and hope that the truth never comes out. And although the consequences of a coverup can be huge, I can understand how an entity might not want to risk losing 19% of their patients even if they notify immediately and fully.
I think we really, really need more external audits.
You can read the full U.S. survey report on, where you’ll also find survey reports from other countries. Some of the reports are remarkably consistent across countries.

Is this a security breach or a privacy violation or failure to leave a modern will?
Life and Death Online: Who Controls a Digital Legacy?
Alison Atkins died on July 27 at age 16. Online, her family is losing its hold on her memory.
Three days after the Toronto teen lost a long battle with a colon disease, her sister Jaclyn Atkins had a technician crack Alison's password-protected MacBook Pro. Her family wanted access to Alison's digital remains: Facebook, Twitter, Tumblr, Yahoo and Hotmail accounts that were her lifeline when illness isolated her at home.
But using Alison's passwords violated some of those websites' terms of service, and possibly the law. None of the services allow the Atkins family—or any others—to retrieve the passwords of the deceased. Their argument is that it would violate Alison's privacy.
Since then, Ms. Atkins's attempts to recover Alison's online life have begun falling apart. The websites that previously logged in automatically on Alison's laptop began locking out Ms. Atkins as part of their standard security procedures. Her attempts to guess or reset her sister's passwords backfired. Some of the accounts have been shutting themselves down.
… U.S. and Canadian laws, which are similar for the most part, don't treat digital assets like physical ones that can be distributed according to wills. In 1986, Congress passed a law forbidding consumer electronic-communications companies from disclosing content without its owner's consent or a government order like a police investigation. Although that law predates the rise of the commercial Internet, courts and companies have largely interpreted it to mean that the families can't force companies to let them access the deceased's data or their accounts.

Contrast this with stories about schools using RFID or thumbprints to pay for lunch. What percentage of parents complain or refuse to use the system? Would Disney prosper if everyone went to Knotts Berry Farm instead?
At Disney Parks, a Bracelet Meant to Build Loyalty (and Sales)
Imagine Walt Disney World with no entry turnstiles. Cash? Passé: Visitors would wear rubber bracelets encoded with credit card information, snapping up corn dogs and Mickey Mouse ears with a tap of the wrist. Smartphone alerts would signal when it is time to ride Space Mountain without standing in line.
Fantasyland? Hardly. It happens starting this spring.
… The ambitious plan moves Disney deeper into the hotly debated terrain of personal data collection. Like most major companies, Disney wants to have as much information about its customers’ preferences as it can get, so it can appeal to them more efficiently. The company already collects data to use in future sales campaigns, but parts of MyMagic+ will allow Disney for the first time to track guest behavior in minute detail.
… Disney is aware of potential privacy concerns, especially regarding children. The plan, which comes as the federal government is trying to strengthen online privacy protections, could be troublesome for a company that some consumers worry is already too controlling.
But Disney has decided that MyMagic+ is essential. The company must aggressively weave new technology into its parks — without damaging the sense of nostalgia on which the experience depends — or risk becoming irrelevant to future generations, Mr. Staggs said.

It is hard to know you can do something that benefits you (automagically find stolen cars or cars of interest) and yet refrain from doing it. Of course it would be much simpler to just shoot anyone caught committing a crime, thereby saving us taxpayers milliions in court costs each year.
David T. S. Fraser writes:
Victoria lawyer Michael Mulligan has an interesting opinion piece in today’s Victoria Times Colonist about the recent fuss over the city police’s disregard of privacy laws.
For those who are just tuning in, the Information and Privacy Commissioner recently did a review of the practice of automated license plate scanning. She found that the collection, retention and possible re-use of the data violated the Freedom of Information and Protection of Privacy Act.
Read more on Canadian Privacy Law Blog. It seems that law enforcement deciding that they can do what they want to despite the rule of law knows no national bounds. At least in Canada, the police seem to be upfront about it. Here, we have “secret laws” and may have no idea how we are being surveilled. They’re both unacceptable, but which is worse?

Another apparent case of “Police are NOT second class citizens”
I’ve recently posted a few lawsuits out of Minnesota concerning improper access to the state’s driver’s license database. One of them involved a police officer whose colleagues improperly accessed her records on numerous occasions. Now there’s also a case in Florida, where law enforcement personnel improperly accessed a fellow officer’s records – but not just out of idle curiosity, perhaps.
Ed Krayewski reports:
Did you hear the one about the state trooper who pulled over a cop car speeding at more than 120 miles per hour on the Florida Turnpike? (Full video here, excerpts below) The incident happened back in 2011; Donna Watts, a Florida state trooper, pulled over Miami police officer Fausto Lopez, who was off-duty and headed for a second job in his patrol car. His colleagues at the Miami Police Department jumped to his defense, with one union official calling the trooper’s actions “completely unprofessional and very reckless.” Retaliations began soon after. Almost a year later Officer Lopez was finally fired for the incident.
Now, the Sun Sentinel reports that the state trooper has filed a lawsuit related to the retaliation she experienced after the incident.
Read more on Reason. The Sun Sentinel uploaded the complaint here.
One of the issues raised in the complaint concerns access to and security of the D.A.V.I.D. database the defendants allegedly accessed. The complaint alleges that the officers viewed Watts’ private and highly-restricted personal information
including her home address, color photograph or image, social security number, date of birth, state of birth, detailed vehicle registration information and description, prior and current home and mailing addresses, emergency contacts and those contacts private and highly-restricted personal information.
So who is responsible for ensuring the security of that database and access to it? According to Watts’ complaint, both the DHSMV and FDLE have responsibility for the D.A.V.I.D system.
When law enforcement personnel abuse access to a database that contains a lot of personal information, it raises serious questions about privacy and the rule of law. When states fail to adequately protect and secure such databases, it poses serious risks of identity theft as well as issues of civil liberties.
I asked what Minnesota is going to do about the repeated breaches involving its database of driver’s license information. We need to ask Florida the same question.

Look at it logically. Could he be right?
Why We Won’t Stop Mass Killings: We Like Them Too Much
Forgive me if I’ve already offended you with the title of this piece, but I’m an economist. As such, I tend to weigh up the costs and benefits of just about anything when trying to figure out what it means for society. And when it comes to mass killings, my analysis suggests we have some reason for introspection.
… A couple of dozen people died, and their friends and families will never be the same. But on the other side of the ledger, hundreds of millions of people around the world spent a few hours wallowing in some wonderful emotions. And who knows – if those debates are productive, society may even end up changing for the better as a result.
Taking the analysis to the extreme, you could say that mass killings are much more beneficial to society than, say, traffic deaths.
… On this basis, an economist might decide that it was much more important to curtail traffic deaths than to stop mass killings.

Maybe that's e-Ethics, maybe it's e-Thics – either way make an Evernote on your iPad...
January 06, 2013
New on LLRX - Legal ethics and retention of electronic data
Via - Legal ethics and retention of electronic data: Lawyers are increasingly shifting their day to day operations to applications and operations that leverage the convenience and affordability offered by the concept of a paperless office. Attorney Nicole Black talks about how doing so can raise an assortment of ethical issues, since the confidentiality of client information must always be maintained, regardless of the format in which it is stored or distributed.

January 06, 2013
New on LLRX - 2012: The year of the mobile lawyer?
Via - 2012: The year of the mobile lawyer? - Attorney Nicole Black discusses the rise in the number of lawyers using mobile devices, the growing number of apps developed specifically for lawyers, and how these apps increasingly support lawyers at every stage of the litigation process.

This is a tool I might find useful, except it requires a Facebook or Twitter user account to logon. And who decided that an Infrgraphic was the best formet for a user guide?

This does look handy...
Sunday, January 6, 2013
Handy New Diigo Browser Extension Features
Over the last month I've started using Diigo as my primary tool for bookmarking links. Yesterday, Diigo released a new version of their browser extension. The updated extension includes some features that are quite handy.
The most significant of the updates is a streamlined screenshot process. Now you can click the browser extension to take a screenshot of the page that you're viewing. You can capture all or part of a page in your screenshot. Your screenshot can be annotated with the integrated Diigo drawing and typing tools. All screenshots can be saved as individual files in your Diigo account or attached to the URL that you're bookmarking.
Why I'm now using Diigo more often than Evernote:
I'm sure that some people will be wondering why I've started using Diigo more than Evernote. The answer is simple, over the last month Evernote was annoying me with little quirks like significant lags in synchronization time and the browser bookmarklet not opening correctly on the first try.
If you've never tried Diigo, watch the video below for an overview of its features.
Click here for a list of the browser and mobile tools that Diigo offers.

For all my students
Sunday, January 6, 2013
Use Wolfram Alpha to Create a Strong Password
The next time you need to create a strong password try Wolfram Alpha. If you enter "password" or "generate password" into Wolfram Alpha it will give you a random eight character password as well as some alternate passwords.

No comments: