Friday, August 16, 2013

Sometimes, it's what they don't say that speaks loudest. Would you not assume the worst, absent anything to the contrary? The employee was fired but not arrested. Was that because the data was not valuable in the DA's eyes? If they haven't recovered the drive, shouldn't they say, “no indication of misuse SO FAR?”
Alex Belser of KTEN reports that a computer drive containing medical records of nearly 3,000 patients was stolen from the North Texas Comprehensive Spine and Pain Center in Sherman, Texas. The law firm representing the center says that there’s no indication of any misuse of the data, but the stolen external hard drive contained patients’ names, Social Security numbers, dates of birth, addresses, and diagnoses.
The theft was reported to police back in June and the employee responsible for the theft was reportedly fired. The report does not indicate whether the drive was ever recovered.
There does not seem to be any substitute notice on the center’s web site at the time of this posting and they do not seem to have offered affected patients any free credit monitoring services even though they are advising them to check their bank statements and credit reports. sent the center an email inquiry as to whether the drive had been recovered and whether the data had been encrypted but the center did not reply by the time of this publication.

(Related) ...and local! Another “assume the worst?”
Anica Padilla of 7News reports that Janna Benkelman, a licensed professional counselor who has offices in Denver and Parker, Colorado, sent a breach notification to 7News after a laptop with unencrypted patient information was stolen from her office. Ms Padilla didn’t report when the theft occurred, whether it affected patients at both offices or just the Denver office, and what types of information were on the laptop. Nor did she reproduce the letter they were sent, so there’s no real information in The Denver Channel story other than the data weren’t encrypted and patients will be offered free credit monitoring. At this time, there’s no copy of the notification on Ms. Benkelman’s web site.

Surprise! Of course, if you don't like it you can try to find another insurance company...
If their insurer gets their way, the beleaguered Schnuck Markets will find itself without help from its insurance carrier in paying litigation costs and other data breach-related costs.
Liberty Mutual Insurance Company has informed Schnuck Markets that it is not responsible to cover costs of the eight lawsuits that were filed in the wake of a breach that impacted 2.4 million payment cards. Nor, it claims, is it responsible for other costs Schnuck incurred from banks and a payment services company.
This is not the first time we’ve seen an insurer claim that a general liability policy does not cover data breaches, and it can serve as a useful reminder of understanding your insurance coverage. has the details on this dispute.

Encryption is cheap and fast.
Google now encrypts cloud storage by default
Google's Cloud Storage service now automatically encrypts all its customer data for free, the company said Thursday.
The encryption has "no visible performance impact," Google Cloud Storage's product manager, Dave Barth, wrote in a blog post.
… New files added to Cloud Storage will be encrypted as they're uploaded and before they're saved to a drive. Older files will be migrated "in the coming months," Barth said. This is part of Google's emphasis on "forward secrecy," which many Internet companies have yet to adopt.

Context please. Is that 90% of the “surveillance events” NSA conducted or one in a million? Their definition of “query incident” seems to suggest these are “self reported.” Did they look for any others?
NSA violated privacy rules thousands of times, audit finds
The National Security Agency exceeded its legal authority and broke agency rules thousands of times since it was granted broader powers in 2008, according to an internal agency audit obtained by The Washington Post.
… The audit, dated May 2012, uncovered 2,776 incidents in the preceding 12 months of unauthorized collection, storage, access to or distribution of legally protected communications, the Post reported.

What will happen when the government takes over?
David Lazarus reports on a rewards program that made me shudder when I read this story:
Since February, CVS Caremark has been pushing its pharmacists to enroll customers in a prescription-drug rewards program.
The benefit to customers is the opportunity to earn up to $50 a year in store credits that can be used to buy shampoo, toothpaste or other products.
The benefit to CVS is persuading pharmacy customers, through questionable means, to give up federal privacy safeguards for their medical information and permitting the company to share people’s drug purchases with others.
Read more on Los Angeles Times.

Isn't this a two-edged sword? “We found this in the recycle bin. That's proof he was trying to conceal it!”
Kirsten Thompson writes:
Anyone who has watched Law and Order knows that the police, both here and in the U.S., do not need a warrant to rifle through someone’s curbside recycling bin. This is because that person has abandoned their privacy interest in the contents of the bin. Does the same hold true for items in someone’s computer desktop recycling bin?
Apparently not, according to the B.C. Court of Appeal in R. v. McNeice, 2013 BCCA 98. While putting something by the curb in the real world indicates an abandonment of a privacy interest, the B.C. Court of Appeal has held that doing the same thing in the virtual world is (emphasis added) “consistent with an intent to conceal, and thus to maintain a privacy interest”.

Undue reliance. The computer is never wrong and in any case, we gave up the ability to fix anything.
The Greatest British Work of Literature, Blocked at the Greatest British Library
Two Mondays ago, British author Mark Forsyth sat in the British Library, researching for his new book, and needed to check a quote in Hamlet. He knew that MIT had, on its website, the Bard's complete works, so he googled "Hamlet MIT," clicked on the first result, and, in his words...
A message came up from the British Library telling me that access to the site was blocked due to "violent content".
Now, Hamlet is a violent play. I see that. When the curtain comes down there's a lot of bodies on the boards. But...
I tried it again. It told me that my attempts to access this violent content were being logged.
A Monday of tragicomic Shakespearean proportions ensues. He tells the story – of unsympathetic librarians, of unhelpful IT specialists – in his blog post about the matter. "I asked them if they were surprised that Hamlet was now banned in the British Library," he writes of the library staff. "They shrugged." They were also, he says, unable to immediately unblock it for him, because they had outsourced the part of their filtering system responsible for the limitation.

How to read a Privacy Policy. (Who does this in your organization?)
… In this series of posts we’re going to take a closer look at some of the most popular VPN services. We will break down their privacy policies and see if they are really focused on protecting your personal data.

For my Computer Security students. Protect yourself from PDFs bearing gifts.
Via, the NSA/CSS published “Recommendations for Configuring Adobe Acrobat Reader XI in a Windows Environment.” You might want to check out the recommendations for your own use.

“This has been going on for years, give us a week or two and we'll fix everything.”
Michelle Richardson of the ACLU has compiled a very helpful list of legislation proposed since the NSA leaks started in June:
Currently there are 19 bills pending in Congress with more expected to be introduced. The legislation can be broken down into four broad categories: 1) substantive reforms to the laws the NSA believes allow it to conduct its surveillance programs, 2) disclosure of the FISA Court opinions that determined the programs were legal, 3) general reporting of the number and types of surveillance orders received by recipients and how many users affected, and 4) reforms to the FISA Court.
See her chart that summarizes the key feature of each proposed law on ACLU.

For my website students.
– is a Google product which allows you to input a website URL and then for you to receive a score on how fast that website loaded on the desktop and on a mobile. You can then receive detailed instructions on how to increase that loading score with suggestions such as enabling compression, optimizing images, and leveraging browser caching.

For my 'power shopper' students. (Doesn't this look like one of those supermarket tabloid headlines? “Lose 200 pounds of ugly fat – divorce your husband!”)

Dilbert: Who knew Wally was a typical student?
