Wednesday, August 27, 2014

Interesting hacker strategy. Delay reporting, increase the number of cards stolen?
DQ Breach? HQ Says No, But Would it Know?
Sources in the financial industry say they’re seeing signs that Dairy Queen may be the latest retail chain to be victimized by cybercrooks bent on stealing credit and debit card data. Dairy Queen says it has no indication of a card breach at any of its thousands of locations, but the company also acknowledges that nearly all stores are franchises and that there is no established company process or requirement that franchisees communicate security issues or card breaches to Dairy Queen headquarters.
… The situation apparently developing with Dairy Queen is reminiscent of similar reports last month from multiple banks about card fraud traced back to dozens of locations of Jimmy John’s, a nationwide sandwich shop chain that also is almost entirely franchisee-owned. Jimmy John’s has said it is investigating the breach claims, but so far it has not confirmed reports of card breaches at any of its 1,900+ stores nationwide.

Might be fun (i.e. Cruel and usual) to have my Computer Security students create a US version of this guide.
The Office of the Australian Information Commissioner has released Data breach notification guide: A guide to handling personal information security breaches. Some excerpts:
Preventing data breaches — obligations under the Privacy Act
Security is a basic element of information privacy. In Australia, this principle is reflected in the Privacy Act in the APPs.
Agencies and organisations are required to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. This requirement is set out in APP 11 (see Appendix A for APP 11).
Sections 20Q and 21S of the Privacy Act impose equivalent obligations on credit reporting agencies and all credit providers. Similarly, guideline 6.1 of the statutory TFN guidelines requires TFN recipients to protect TFN information by such security safeguards as are reasonable in the circumstances.
Depending on the circumstances, those reasonable steps may include the preparation and implementation of a data breach policy and response plan. Notification of the individuals who are or may be affected by a data breach, and the OAIC, may also be a reasonable step (see page 9).
Responding to data breaches: four key steps
Data breaches can be caused or exacerbated by a variety of factors, affect different types of personal information and give rise to a range of actual or potential harms to individuals, agencies and organisations.
As such, there is no single way of responding to a data breach. Each breach will need to be dealt with on a case-by-case basis, undertaking an assessment of the risks involved, and using that risk assessment as the basis for deciding what actions to take in the circumstances.
There are four key steps to consider when responding to a breach or suspected breach:
Step 1: Contain the breach and do a preliminary assessment
Step 2: Evaluate the risks associated with the breach
Step 3: Notification
Step 4: Prevent future breaches
Each of the steps is set out in further detail below.
You can access the guide (49 pp, pdf) here.

Is it possible to write evidence gathering guidelines in the form: “You need a warrant or subpoena for all evidence except: … ” Seems to me that would be simpler.
Drones at Home: Domestic Drone Legislation – A Survey, Analysis and Framework
by Sabrina I. Pacifici on Aug 26, 2014
Zoldi, Dawn M. K., Drones at Home: Domestic Drone Legislation — A Survey, Analysis and Framework (July 9, 2014). Available for download at SSRN:
“Can the government employ drones domestically without running roughshod over personal privacy? In an effort to preemptively rein in potential government overreach, most states have proposed legislation that restricts or forbids government drone use. The intent is to prevent drone use for warrantless information and evidence collection. Ironically, many of these proposals will have the opposite effect intended. State-by-state drone legislation may lead to consequences such as the erosion of Fourth Amendment jurisprudential principles, losses of life and property, procedural windfalls to criminals, and deleterious effects on the military. Lawmakers should take a nuanced approach to government drone use rather than selectively revising constitutional protections. A nuanced approach would allow the federal government to use drones to their full potential while also protecting personal privacies. There are four principles that should guide drone legislation:
(1) apply the Fourth Amendment agnostically;
(2) ensure operational purpose language distinguishes between law enforcement and non-law enforcement professionals;
(3) focus new regulations on information collection, dissemination, and retention;
(4) develop narrowly tailored remedies that deter specific behavior consistent with their historical purpose.
Drone legislation drafted with these principles in mind will protect our national security and our civil liberties.”

Is there anything here we really didn't expect? Details are “secret” only to avoid public backlash.
Ben Grubb reports:
It’s the secret industry consultation paper the federal government didn’t want you to see.
Produced by the Attorney-General’s Department and distributed to telecommunications industry members on Friday, the nine-page document attempts to clarify what customer internet and phone records the government wants companies such as Telstra, Optus and iiNet to store for the purpose of law enforcement and counterterrorism.
The requirement is part of a proposed data retention regime, which has been given “in principle” approval by the Abbott government. It seeks to continue to allow law enforcement and spy agencies to access customer identifiable data without a warrant as prescribed by law, but would ensure the data is not deleted for a mandated period of two years.
The paper, stamped “confidential” and marked for “preliminary consultation only”, raises more questions than it solves.
Read more on Sydney Morning Herald.

Insurance companies creating specific exclusions suggests they have some idea what each of those scenarios costs them. Can I get that information for my classes on risk? Worth exploring.
Hunton & Williams write:
On August 7, 2014, the United States District Court for the Eastern District of Virginia held in Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, No. 1:13-cv-917 (E.D. Va. Aug. 7, 2014), that online posting of patient medical information constituted “publication,” whether or not it was viewed by a third party, and therefore triggered the insurer’s duty to defend its insured against a class action seeking damages for breach of privacy claims.
Read more on Lexology.
But do note that Law360 reports:
Insurers are rushing to tack on recently released data breach exclusions to commercial general liability policies, hoping to substantially narrow their exposure to privacy risks. Here, experts provide policyholders the essentials on these game-changing provisions.
The Insurance Services Office Inc., which develops standard insurance contract language, in May unveiled an exclusion that is aimed at wiping out coverage for personal and advertising injuries stemming from the disclosure of personal information. The exclusion applies to a variety of damages, including notification costs, credit monitoring expenses and public…
Law360's full story is behind a paywall.

To me, Labor Law is “a whole 'nother country.”
Scott McIntyre and Erika Spears write:
The grocery business may be “fresh and easy,” but drafting a confidentiality and data protection policy that withstands the scrutiny of the current National Labor Relations Board (NLRB) is not. The NLRB, in its recent 2-1 Fresh & Easy Neighborhood Market and United Food and Commercial Workers International Union decision, 361 NLRB No. 8 (July 31, 2014), ruled that the company’s “confidentiality and data protection” rule violated Section 8(a)(1) of the National Labor Relations Act (the Act). This decision is a reminder that businesses acting proactively to avoid data breaches and comply with privacy laws must also consider the NLRB’s view of employee rights if an employee may be implicated in wrongdoing, regardless of the context or label placed on the workplace rule.
Read more on Baker Hostetler Data Privacy Monitor.
[From the article:
The Code’s section entitled “Confidentiality and Data Protection” mandated that employees:
Keep customer and employee information secure. Information must be used fairly, lawfully and only for the purpose for which it was obtained.
In May 2012, charges were filed by the United Food and Commercial Workers International Union challenging the data protection rule, alleging that it was unlawful because employees could reasonably construe it as prohibiting the sharing of information by employees to improve terms and conditions of employment.]

Making Law School cheaper? Interesting idea. I wonder if the Math Club would be interested in creating a “Guide to Math” online textbook?
Open Intellectual Property Casebook
by Sabrina I. Pacifici on Aug 26, 2014
“Duke’s Center for the Study of the Public Domain is announcing the publication of Intellectual Property: Law & the Information Society—Cases and Materials by James Boyle and Jennifer Jenkins. This book, the first in a series of Duke Open Coursebooks, is available for free download under a Creative Commons license. It can also be purchased in a glossy paperback print edition for $29.99, $130 cheaper than other intellectual property casebooks. This book is an introduction to intellectual property law, the set of private legal rights that allows individuals and corporations to control intangible creations and marks—from logos to novels to drug formulae—and the exceptions and limitations that define those rights. It focuses on the three main forms of US federal intellectual property—trademark, copyright and patent—but many of the ideas discussed here apply far beyond those legal areas and far beyond the law of the United States. The book is intended to be a textbook for the basic Intellectual Property class, but because it is an open coursebook, which can be freely edited and customized, it is also suitable for an undergraduate class, or for a business, library studies, communications or other graduate school class. Each chapter contains cases and secondary readings and a set of problems or role-playing exercises involving the material. The problems range from a video of the Napster oral argument to counseling clients about search engines and trademarks, applying the First Amendment to digital rights management and copyright or commenting on the Supreme Court’s new rulings on gene patents. Intellectual Property: Law & the Information Society is current as of August 2014. It includes discussions of such issues as the Redskins trademark cancelations, the Google Books case and the America Invents Act. Its illustrations range from graphs showing the growth in patent litigation to comic book images about copyright. 
The best way to get some sense of its coverage is to download it. In coming weeks, we will provide a separate fuller webpage with a table of contents and individual downloadable chapters. The Center has also published an accompanying supplement of statutory and treaty materials that is available for free download and low cost print purchase.”

For my Ethical Hackers: How can we selectively flip this switch? How can we flip the switches on all phones of a given manufacturer? (This could be so much fun I'm already starting to giggle.)
California Requires All Smartphones to Have a Kill Switch
California has just passed a law that will require all smartphones to be equipped with a function that can allow users to wipe their data if their phone is stolen or lost.
The new law will go into effect on July 1, 2015 and applies to phones manufactured after this date.
… Not only will the kill switch be able to wipe users' data, but it will also lock the phone, rendering it useless. Only the owner of the phone will have control over the switch; however, the police can also use the tool. [So, “only” every cop in California and the phone's owner? Bob]
This means that the police could cut off phone service in certain situations; however, this would require a court order unless there is an emergency that poses immediate danger of death.

Should work for Math lectures as well as those rocky-roll songs.
Peggo is a Digital Video Recorder (DVR) that records MP3s of your favorite YouTube videos and SoundCloud tracks. Peggo’s packed with great features like integrated search, automatic silence removal, audio normalization, subtrack offsets, and artist and title tags. In addition, Peggo also normalizes the volume of every recording to the same, comfortable level.
… For users in the United States, and countries with similar laws, Peggo is perfectly legal.
Peggo is a Digital Video Recorder (DVR) that lets you make personal recordings of publicly available online media for later use, also known as time-shifting, and is protected by the Supreme Court's Betamax ruling (Sony Corporation of America vs Universal City Studios).
