Wednesday, July 03, 2013

Interesting contract twist.

As I’ve noted before, the Vendini breach, reported previously on this blog, appears to fairly large, but has generally flown under national mainstream media attention. Instead, I see bits and pieces in local media or on organizations’ web sites as entities report that their patrons or members were affected (cf, reports involving Purple Rose Theatre, Baldwin Theatre, Stagecrafters, The Farmington Players , Lexington Children’s Theatre, Caterpillar Visitors Center, Touchstone Theatre, Cedar Crest College, Lehigh Valley Charter High School for the Arts , Valdosta State University, East Central College (notice), Ashville Community Theatre, St. Louis Classical Guitar Society, Winchester Little Theatre, Thalian Hall, Butler University, Wildey Theatre, Pacific Aviation Museum, The Arts & Science Center for Southeast Arkansas, Wartburg College, Oregon University System (Southern Oregon University Foundation, Western Oregon University, and Oregon State University), The Friends of Chamber of Music (cached), , and University of Michigan). And there are undoubtedly more that are not listed above.
Vendini’s reports to New Hampshire and California are available online, but I recently sent a FOI request to North Carolina, which requires entities to report breaches to the state.
In response, they sent me the breach notifications they’ve received so far, which I am uploading here:
Butler University – 411 affected
Asheville Community Theatre – approximately 20,000 North Carolina residents affected
Kirby Cultural Arts Complex – 147 affected
Central Piedmont Community College – approximately 12,000 affected
South Orange Performing Arts Center – 6,619 affected
Thalian (part 1), part 2 – 6,000 affected
Why Vendini is allowing this to dribble out instead of just being more upfront about the numbers involved escapes me. But significantly, a number of their clients were unpleasantly surprised to discover that their contracts with Vendini did not require Vendini to make the patron notifications and that it was on them to do so. [Surely someone read the contract before signing? Bob] This serves as a useful reminder to check your contracts to ensure that if a vendor or contractors has a breach, they are responsible for notifying your customers or paying for you to do so.
Update to the update: I’ll just add other organizations as I come across them:

A “don't hire these people” database?
Gov. Jay Nixon vetoed a workers’ compensation bill on Tuesday that he said would have “invaded Missourians’ privacy, required creation of new government database.”
The rhetoric came in the midst of a battle between Nixon and a Republican-led opposition critical of his administration’s Department of Revenue’s former practice of scanning personal documents, where Republicans accused Nixon of doing essentially the same thing.
The bill, Senate Bill 34 which was sponsored by Sen. Mike Cunningham, would have called on the government to establish a database of all Missouri workers who have filed for workers’ compensation claims for on the job injuries. The database would have been accessible to Missouri employers.
Read more on PoliticMo.

This is a bit aggressive, isn't it? Is it an act of war? Isn't it like invading an embassy? Would we do that to Putin's plane?
Bolivia angered by search of president's plane, no sign of Snowden
VIENNA (Reuters) - Bolivia accused Austria of an act of aggression by searching President Evo Morales' plane on Wednesday and blamed Washington for its forced landing in Vienna over suspicions that former U.S. spy agency contractor Edward Snowden was on board.
Morales' plane was stranded at Vienna airport for several hours after Portugal and France abruptly canceled air permits for it to fly through their airspace, but eventually resumed its flight home form an energy meeting in Moscow.

CRS – Criminal Prohibitions on the Publication of Classified Defense Information
Criminal Prohibitions on the Publication of Classified Defense Information – Jennifer K. Elsea, Legislative Attorney, June 24, 2013
“The publication of classified information related to National Security Agency (NSA) surveillance activity is the latest in a series of leaks to the press that has riveted Congress’s attention. Press reports describing classified U.S. operations abroad have led to calls from Congress for an investigation into the source of the leaks, and Attorney General Holder appointed two special prosecutors to look into the matter. The online publication of classified defense documents and diplomatic cables by the organization WikiLeaks and subsequent reporting by the New York Times and other news media had already focused attention on whether such publication violates U.S. criminal law. The suspected source of the WikiLeaks material, Army Private Bradley Manning, has been charged with a number of offenses under the Uniform Code of Military Justice (UCMJ), including aiding the enemy, while a grand jury in Virginia is deciding whether to indict any civilians in connection with the disclosure. A number of other cases involving charges under the Espionage Act, including efforts to extradite Edward Snowden in connection with the leak of NSA documents pertaining to certain surveillance programs, demonstrate the Obama Administration’s relatively hardline policy with respect to the prosecution of persons suspected of leaking classified information to the media. This report identifies some criminal statutes that may apply to the publication of classified defense information, noting that these have been used almost exclusively to prosecute individuals with access to classified information (and a corresponding obligation to protect it) who make it available to foreign agents, or to foreign agents who obtain classified information unlawful while present in the United States.”

As long as we're talking about surveillance... This expands on my “We can, therefore we must!” meme.
Commentary – Technology, Not Law, Limits Mass Surveillance
“Recent revelations about the extent of surveillance by the U.S. National Security Agency come as no surprise to those with a technical background in the workings of digital communications. The leaked documents show how the NSA has taken advantage of the increased use of digital communications and cloud services, coupled with outdated privacy laws, to expand and streamline their surveillance programs. This is a predictable response to the shrinking cost and growing efficiency of surveillance brought about by new technology. The extent to which technology has reduced the time and cost necessary to conduct surveillance should play an important role in our national discussion of this issue. The American public previously, maybe unknowingly, relied on technical and financial barriers to protect them from large-scale surveillance by the government. These implicit protections have quickly eroded in recent years as technology industry advances have reached intelligence agencies, and digital communications technology has spread through society. As a result, we now have to replace these “naturally occurring” boundaries and refactor the law to protect our privacy. The ways in which we interact has drastically changed over the past decade. The majority of our communications are now delivered and stored by third-party services and cloud providers. E-mail, documents, phone calls, and chats all go through Internet companies such as Google, Facebook, Skype, or wireless carriers like Verizon, AT&T, or Sprint. And while distributed in nature, the physical infrastructure underlying the World Wide Web relies on key chokepoints which the government can, and is, monitoring. This makes surveillance much easier because the NSA only needs to establish relationships with a few critical companies to capture the majority of the market they want to observe with few legal restrictions. The NSA has the capability to observe hundreds of millions of people communicating using these services with relatively little effort and cost.

Who expects the government to be smarter on social media than they are on foreign policy?
State Department bureau spent $630,000 on Facebook 'likes'
State Department officials spent $630,000 to get more Facebook "likes," prompting employees to complain to a government watchdog that the bureau was "buying fans" in social media, the agency's inspector general says.
… "Many in the bureau criticize the advertising campaigns as 'buying fans' who may have once clicked on an ad or 'liked' a photo but have no real interest in the topic and have never engaged further," the inspector general reported.
… Despite the surge in likes, the IG said the effort failed to reach the bureau's target audience … Only about 2 percent of fans actually engage with the pages by liking, sharing or commenting.

For my Data Analysis students. Read free online...
Report – Frontiers in Massive Data Analysis
“From Facebook to Google searches to bookmarking a webpage in our browsers, today’s society has become one with an enormous amount of data. Some internet-based companies such as Yahoo! are even storing exabytes (10 to the 18 bytes) of data. Like these companies and the rest of the world, scientific communities are also generating large amounts of data-—mostly terabytes and in some cases near petabytes—from experiments, observations, and numerical simulation. However, the scientific community, along with defense enterprise, has been a leader in generating and using large data sets for many years. The issue that arises with this new type of large data is how to handle it—this includes sharing the data, enabling data security, working with different data formats and structures, dealing with the highly distributed data sources, and more. Frontiers in Massive Data Analysis presents the Committee on the Analysis of Massive Data’s work to make sense of the current state of data analysis for mining of massive sets of data, to identify gaps in the current practice and to develop methods to fill these gaps. The committee thus examines the frontiers of research that is enabling the analysis of massive data which includes data representation and methods for including humans in the data-analysis loop. The report includes the committee’s recommendations, details concerning types of data that build into massive data, and information on the seven computational giants of massive data analysis.”

No comments: