Wednesday, January 15, 2014
...and the suits go on, la de da de da de da....
Target Faces Nearly 70 Lawsuits Over Breach
Still reeling from the hit to its reputation from last month’s massive data breach, Target Corp. faces nearly 70 class-action lawsuits.
… Gregory Little, an attorney at White & Case LLP who defends companies against class actions, said retail companies are at “significant risk” of facing class actions as large data breaches become more common. “As technology makes it easier to harm larger numbers of individuals, there is greater likelihood that class actions are going to be brought,” said Mr. Little.
… Some small banks are also seeking damages from Target for the costs they are incurring because of the breach. Alabama State Employees Credit Union, which leads a class action case of affected banks, said in its complaint that it has been “swamped by customers and its members needing to close accounts” to prevent fraudulent activity, forcing the small bank to spend time and money creating new cards and refunding lost deposits.
Target's Payment Processors Could Face Hefty Fines Due to Data Breach
Payment processing firms that have been assisting retailer Target, which recently suffered a major data breach, could face millions of dollars in fines and costs due to the issue.
Target's partners could face consumer lawsuits and fines that payment networks such as Visa Inc and MasterCard Inc often levy after cyber security incidents, Reuters has reported.
… Reuters noted that a similar hacking in the mid-2000s at retailer TJX Companies resulted in penalties of $880,000 (£536,000, €644,000) for Fifth Third Bancorp of Ohio, which processed transactions for TJX.
Any electronic purchase from a store like Target involves several companies. They include the banks that issue credit or debit cards, the "merchant acquirer" who handles the payment for the store when the card is swiped and companies such as Visa and MasterCard who operate the networks through which payment request and confirmation are sent.
(Related) Target must calculate that with 110,000,000 records compromised, they might as well offer monitoring to all of their 110,000,002 customers. Great PR target.
JPMorgan’s Dimon: Target breach is a wake-up call
More Target-sized security breaches will happen if banks and retail stores don’t start working together to further protect customers’ data, JPMorgan Chase’s CEO Jamie Dimon said Jan. 14.
JPMorgan has replaced 2 million credit and debit cards as a result of the Target breach, Dimon said. That number is expected to rise. JPMorgan is the world’s largest issuer of credit cards.
… “Target has taken the extraordinary step to offer free credit monitoring to all of its customers, not just those affected by the breach. This is an opportunity Target customers may want to take advantage of, depending on individual circumstances,” Wasden said.
As I've been saying...
In case you missed it earlier today, the Senate Judiciary Committee held a hearing on the Report of the President’s Review Group on Intelligence and Communications Technologies (the PRGICT Report), where the Group members testified regarding their proposed reforms and recommendations for U.S. national security surveillance programs. If you were unable to catch the hearing today, a full video is available on C-SPAN (unfortunately, an embeddable version is not yet available, but we’ll update this post accordingly once one is up).
… In the C-SPAN video at around the 20:50 mark, Senator Leahy asks Morell whether Americans should be concerned about Section 215, given that only metadata is collected under the program. Here was Morell’s response:
“I’ll say one of the things that I learned in this process, that I came to realize in this process, Mr. Chairman, is that there is quite a bit of content in metadata. When you have the records of phone calls that a particular individual made, you can learn an awful lot about that person. And that’s one of the things that struck me. There is not, in my mind, a sharp distinction between metadata and content. It’s more of a continuum.”
I would never for a second believe that France was not already doing this. Are they now worried about appearances?
Winston Maxwell writes:
France’s December 18, 2013 law on military spending contains two provisions that facilitate the collection of data by the French military and intelligence services. The first provision relates to the collection of passenger name records (PNRs). Under the new law, airlines are required to send PNRs to authorities in accordance with a yet to be adopted government decree. The data may be held for up to five years and may not contain sensitive data (i.e., data relating to the passenger’s racial or ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, health, or sexual orientation. The French data protection authority, the CNIL, was consulted in connection with these new PNR provisions).
The second and more controversial government data collection provision is article 20 of the December 18 law that permits French intelligence and security agencies to collect metadata from telecom operators and hosting providers, including in real time.
Read more on Hogan Lovells Chronicle of Data Protection.
Might be an interesting seminar topic again, if the rules have changed.
Erica Gann Kitaev writes:
One hot area of data privacy litigation over the past several years has been data breach class actions brought under the California Confidentiality of Medical Information Act (“CMIA”), which provides that a person may recover $1,000 “nominal” damages against a healthcare provider who has negligently “released” the person’s medical information. Until recently, no California appellate court had directly analyzed what constitutes a “release” of medical information under the CMIA. The court in The University of California v. Superior Court (Platter) addressed this question for the first time in 2013 and held that the mere loss of possession of computer equipment containing medical information was not sufficient to constitute a release of the information itself.
Read more about notable cases of 2013 and their implications on Data Privacy Monitor.
Looks like a job for Ethical Hacker Man!
Thanks for watching that YouTube video! That will be 50 cents, please.
Sound unrealistic? It's actually a distinct possibility, after a Federal appeals court on Tuesday struck down an FCC ruling meant to prevent an Internet service provider -- the company you pay for online access -- from prioritizing some website traffic over others.
And because that rule was wiped off the books, those ISPs are suddenly able to do just that. With service providers suddenly able to charge based on the type of content you watch or the sites you visit, it's easy to imagine a system like that of today's cable television market. Want HBO? It's an extra $5. Want our streaming video package, with YouTube, Hulu, TV.com, and more? That's $5 too.
Don't pay and you can't watch. Period.
… “A broadband provider like Comcast might limit its end-user subscribers’ ability to access The New York Times website if it wanted to spike traffic to its own news website,” the ruling notes.
“We don't need no stinking jurisdiction/authorization/budget/management!” After all, we're all chasing the same people, right?
Customs & Border Protection Loaned Predator Drones to Other Agencies 700 Times in Three Years According to “Newly Discovered” Records
Jennifer Lynch writes:
Customs & Border Protection recently “discovered” additional daily flight logs that show the agency has flown its drones on behalf of local, state and federal law enforcement agencies on 200 more occasions more than previously released records indicated.
Last July we reported, based on daily flight log records CBP made available to us in response to our Freedom of Information Act lawsuit, that CBP logged an eight-fold increase in the drone surveillance it conducts for other agencies. These agencies included a diverse group of local, state, and federal law enforcement—ranging from the FBI, ICE, the US Marshals, and the Coast Guard to the Minnesota Bureau of Criminal Investigation, the North Dakota Bureau of Criminal Investigation, the North Dakota Army National Guard, and the Texas Department of Public Safety.
Read more on EFF.
Department of Horrendous Spending? A 30% increase so far.
Rising Costs and Delays in Construction of New DHS Headquarters
by Sabrina I. Pacifici on January 14, 2014
Reality Check Needed: Rising Costs and Delays in Construction of New DHS Headquarters at St. Elizabeths. U.S. House of Representatives Committee on Homeland Security, January 2014, Prepared by Majority Staff of the Committee on Homeland Security.
“Rep. Jeff Duncan (R-SC), Chairman of the Subcommittee on Oversight and Management Efficiency, released a…report examines the Department of Homeland Security’s (DHS) planning process for its new headquarters and details how taxpayer dollars have been spent on the project to date. Originally founded in 1852 as a government-run hospital for the mentally ill, St. Elizabeths is a national historic landmark. In 2006, the hospital was chosen as the future site of a consolidated headquarters complex for DHS, in an effort to build cohesiveness among Department components. The project has received $1.3 billion in funding to date and only the U.S. Coast Guard headquarters complex has been completed. The 26-page report reviews the potential areas of cost growth, selection and planning issues, and the effects of green initiatives and the site’s historic status on construction costs, among other concerns. Specifically, the report found that it remains unclear how active DHS officials were in choosing the site of their future headquarters. Furthermore, DHS has pushed final completion to fiscal year 2026, 10 years beyond the original schedule, and delays in construction have increased costs by 30% – about $1 billion. The report questions why DHS has not conducted a major reassessment nor considered a new approach to headquarters consolidation…” The expanded use of technology has changed the paradigm of the workspace requirements by allowing a greater emphasis on working from home as a way to reduce square footage requirements. This allows for more shared work spaces… With statements made by senior leadership, the morale concerns, the $1 billion cost increase, and slippage of the completion date to FY 2026, the Committee questions why there has not been a major reassessment of the headquarters consolidation project now with a ten year extension to the project’s deadline and why DHS has not considered a new approach to headquarters consolidation.”
[From the report:
When it was originally proposed and approved, the St. Elizabeths project had a price tag of $3.45 billion; however, in the Department’s most recent update on the project, DHS and GSA submitted cost projections of $4.5 billion with a completion date of 2026.
Tools for techies?
4 Best Tools For Creating Screenshots Compared