I'll believe they mean “excess of
caution” when their actions occur before the breach –
like encrypting their sensitve data.
Over on DataLossDB.org,
I was entering a security breach notification sent by Atlanta-based
Oldcastle APG, Inc. They had informed the New
Hampshire Attorney General’s Office that a laptop containing over
5,000 employees’ names, Social Security numbers, and bank account
information had been stolen from an employee’s car. As required by
the state. they had attached a copy of the notification letter they
were sending to employees, and I read it to see it provided any
additional details not included in their cover letter. It didn’t.
But then I came to this statement in
their notification
to employees:
Okay, maybe programs that wipe data if
the stolen laptop connects to the Internet are of value. But if a
thief simply powers up without connecting, then there’s all that
valuable unencrypted data just waiting to be misused, isn’t there?
So is it really an “excess of
caution” to notify people that their SSN’s and bank account
information are in the wild? Especially when the law requires you to
notify them?
I don’t think so. Do you?
More than I thought...
By Dissent,
January 7, 2013 10:07 am
Infographics are getting as overused as
PowerPoint, but occasionally I see one that catches my eye with an
interesting finding. Case in point: this infographic with the
results of a U.S. patient survey conducted in 2011 by FairWarning
(open in new window and click to enlarge).
Some of the data were pretty much what
I expected to see based on experience in covering breaches, but how
far patients might drive because of privacy concerns surprised me.
And what surprised me more was that how patients learn about
a breach might make even more of a difference in whether they leave
the provider or stay following a breach than I would have thought.
If patients find out from the provider, 19.1% said they would
leave, but if they find out through the media, 64% said they’d
leave. FairWarning’s finding is consistent with what I’ve
always advised entities: get out ahead of the story. Of course, what
patients say they would do and what they actually do once in they are
in a situation is not necessarily the same, but a subset of their
sample had experienced breaches, and their most dramatic finding not
included in the infographic was the following (emphasis added by me):
6 percent of patient respondents
indicated they had been alerted their medical records had been
compromised. As a result of the breach, 60 percent indicated
they no longer seek care from that provider.
Of course, FairWarning’s sample is
not a truly random sample and is based on 1,265 online responses to
10,000 requests that were sent out, so we’re talking about 6% of
1265 respondents having been notified of a breach, and 60% of those
patients changing providers. Even so, that’s a surprisingly high
statistic, isn’t it?
While FairWarning’s findings may
serve as incentive to invest in privacy and security controls, it may
also serve as an incentive to cover up a breach and hope that the
truth never comes out. And although the consequences of a coverup
can be huge, I can understand how an entity might not want to risk
losing 19% of their patients even if they notify immediately and
fully.
I think we really, really need more
external audits.
You can read the full U.S.
survey report on FairWarning.com,
where you’ll also find survey reports from other countries. Some
of the reports are remarkably consistent across countries.
Is this a security breach or a privacy
violation or failure to leave a modern will?
Life
and Death Online: Who Controls a Digital Legacy?
Alison Atkins died on July 27 at age
16. Online, her family is losing its hold on her memory.
Three days after the Toronto teen lost
a long battle with a colon disease, her sister Jaclyn Atkins had a
technician crack Alison's password-protected MacBook Pro. Her family
wanted access to Alison's digital remains: Facebook,
Twitter, Tumblr, Yahoo
and Hotmail accounts that were her lifeline when illness isolated her
at home.
But using Alison's passwords
violated some of those websites' terms of service, and possibly the
law. None of the services allow the Atkins family—or any
others—to retrieve the passwords of the deceased. Their argument
is that it would violate Alison's privacy.
Since then, Ms. Atkins's attempts to
recover Alison's online life have begun falling apart. The websites
that previously logged in automatically on Alison's laptop began
locking out Ms. Atkins as part of their standard security procedures.
Her attempts to guess or reset her sister's passwords backfired.
Some of the accounts have been shutting themselves down.
… U.S. and Canadian laws, which are
similar for the most part, don't treat digital assets like physical
ones that can be distributed according to wills. In 1986, Congress
passed a law forbidding consumer electronic-communications companies
from disclosing content without its owner's consent or a government
order like a police investigation. Although that law predates the
rise of the commercial Internet, courts and companies have largely
interpreted it to mean that the families can't force companies to let
them access the deceased's data or their accounts.
Contrast this with stories about
schools using RFID or thumbprints to pay for lunch. What percentage
of parents complain or refuse to use the system? Would Disney
prosper if everyone went to Knotts Berry Farm instead?
At
Disney Parks, a Bracelet Meant to Build Loyalty (and Sales)
Imagine Walt
Disney World with no entry turnstiles. Cash? Passé: Visitors
would wear rubber bracelets encoded with credit card information,
snapping up corn dogs and Mickey Mouse ears with a tap of the wrist.
Smartphone alerts would signal when it is time to ride Space
Mountain without standing in line.
Fantasyland? Hardly. It happens
starting this spring.
… The ambitious plan moves Disney
deeper into the hotly debated terrain of personal data collection.
Like most major companies, Disney wants to have as much information
about its customers’ preferences as it can get, so it can appeal to
them more efficiently. The company already collects data to use in
future sales campaigns, but parts of MyMagic+ will allow Disney for
the first time to track guest behavior in minute detail.
… Disney is aware of potential
privacy concerns, especially regarding children. The plan, which
comes as the federal government is trying to strengthen online
privacy protections, could be troublesome for a company that some
consumers worry is already too controlling.
But Disney has decided that MyMagic+ is
essential. The company must aggressively weave new technology into
its parks — without damaging the sense of nostalgia on which the
experience depends — or risk becoming irrelevant to future
generations, Mr. Staggs said.
It is hard to know you can do something
that benefits you (automagically find stolen cars or cars of
interest) and yet refrain from doing it. Of course it would be much
simpler to just shoot anyone caught committing a crime, thereby
saving us taxpayers milliions in court costs each year.
David T. S. Fraser writes:
Victoria lawyer
Michael Mulligan has an interesting opinion piece in today’s
Victoria Times Colonist about the recent fuss over the city police’s
disregard of privacy laws.
For those who are
just tuning in, the Information and Privacy Commissioner recently did
a review of the practice of automated license plate scanning. She
found that the collection, retention and possible re-use of the
data violated the Freedom of Information and Protection of Privacy
Act.
Local Sannich
police stopped the practice. The Mayor of Victoria urged
the police to follow the OIPC’s ruling, but the police board
met in secret and decided
to continue the practice.
Read more on Canadian
Privacy Law Blog. It seems that law enforcement deciding that
they can do what they want to despite the rule of law knows no
national bounds. At least in Canada, the police seem to be upfront
about it. Here, we have “secret laws” and may have no idea how
we are being surveilled. They’re both unacceptable, but which is
worse?
Another apparent case of “Police are
NOT second class citizens”
I’ve recently posted a few lawsuits
out of Minnesota concerning improper access to the state’s driver’s
license database. One of them involved a police officer whose
colleagues improperly accessed her records on numerous occasions.
Now there’s also a case in Florida, where law enforcement personnel
improperly accessed a fellow officer’s records – but not just out
of idle curiosity, perhaps.
Ed Krayewski reports:
Did you hear the
one about the state trooper who pulled over a cop car speeding at
more than 120 miles per hour on the Florida Turnpike? (Full video
here,
excerpts below) The incident happened
back in 2011; Donna Watts, a Florida state trooper, pulled over
Miami police officer Fausto Lopez, who was off-duty and headed for a
second job in his patrol car. His colleagues at the Miami Police
Department jumped to his
defense, with one union official calling the trooper’s actions
“completely unprofessional and very reckless.” Retaliations
began soon
after. Almost a year later Officer Lopez was finally fired
for the incident.
Now, the Sun
Sentinel reports
that the state trooper has filed a lawsuit related to the retaliation
she experienced after the incident.
One of the issues raised in the
complaint concerns access to and security of the D.A.V.I.D. database
the defendants allegedly accessed. The complaint alleges that the
officers viewed Watts’ private and highly-restricted personal
information
including her home
address, color photograph or image, social security number, date of
birth, state of birth, detailed vehicle registration information and
description, prior and current home and mailing addresses, emergency
contacts and those contacts private and highly-restricted personal
information.
So who is responsible for ensuring the
security of that database and access to it? According to Watts’
complaint, both the DHSMV and FDLE have responsibility for the
D.A.V.I.D system.
When law enforcement personnel abuse
access to a database that contains a lot of personal information, it
raises serious questions about privacy and the rule of law. When
states fail to adequately protect and secure such databases, it poses
serious risks of identity theft as well as issues of civil liberties.
I asked what Minnesota is going to do
about the repeated
breaches involving its database of driver’s license
information. We need to ask Florida the same question.
via Loss
of Privacy
Look at it logically. Could he be
right?
Why
We Won’t Stop Mass Killings: We Like Them Too Much
Forgive me if I’ve already offended
you with the title of this piece, but I’m an economist. As such, I
tend to weigh up the costs and benefits of just about anything when
trying to figure out what it means for society. And when it comes to
mass killings, my analysis suggests we have some reason for
introspection.
… A couple of dozen people died,
and their friends and families will never be the same. But on the
other side of the ledger, hundreds of millions of people around the
world spent a few hours wallowing in some wonderful emotions. And
who knows – if those debates are productive, society may even end
up changing for the better as a result.
Taking the analysis to the extreme, you
could say that mass killings are much more beneficial to society
than, say, traffic deaths.
… On this basis, an economist might
decide that it was much more important to curtail traffic deaths than
to stop mass killings.
Maybe that's e-Ethics, maybe it's
e-Thics – either way make an Evernote on your iPad...
January 06, 2013
New
on LLRX - Legal ethics and retention of electronic data
Via LLRX.com
- Legal
ethics and retention of electronic data: Lawyers are
increasingly shifting their day to day operations to applications and
operations that leverage the convenience and affordability offered by
the concept of a paperless office. Attorney Nicole
Black talks about how doing so can raise an assortment of ethical
issues, since the confidentiality of client information must always
be maintained, regardless of the format in which it is stored or
distributed.
(Related)
January 06, 2013
New
on LLRX - 2012: The year of the mobile lawyer?
Via LLRX.com
- 2012:
The year of the mobile lawyer? - Attorney Nicole
Black discusses the rise in the number of lawyers using mobile
devices, the growing number of apps developed specifically for
lawyers, and how these apps increasingly support lawyers at every
stage of the litigation process.
This is a tool I might find useful,
except it requires a Facebook or Twitter user account to logon. And
who decided that an Infrgraphic was the best formet for a user guide?
This does look handy...
Sunday, January 6, 2013
Over the last month I've started using
Diigo as my primary
tool for bookmarking links. Yesterday, Diigo released a new version
of their browser extension. The updated extension includes some
features that are quite handy.
The most significant of the updates is
a streamlined screenshot process. Now you
can click the browser extension to take a screenshot of the page that
you're viewing. You can capture all or part of a page in your
screenshot. Your screenshot can be annotated with the
integrated Diigo drawing and typing tools. All screenshots can be
saved as individual files in your Diigo account or attached to the
URL that you're bookmarking.
Why I'm now using Diigo more often
than Evernote:
I'm sure that some people will be
wondering why I've started using Diigo more than Evernote. The
answer is simple, over the last month Evernote was annoying me with
little quirks like significant lags in synchronization time and the
browser bookmarklet not opening correctly on the first try.
If you've never tried Diigo, watch the
video below for an overview of its features.
Click
here for a list of the browser and mobile tools that Diigo
offers.
For all my students
Sunday, January 6, 2013
The next time you need to create a
strong password try Wolfram
Alpha. If you enter "password" or "generate
password" into Wolfram Alpha it will give you a random eight
character password as well as some alternate passwords.
No comments:
Post a Comment