Sunday, December 14, 2014
I rarely get a tip from Professor Soma at the DU Law School, so pay attention! This could be an important precedent for Computer Security Managers who notice (or fail to notice?) a breach in an organization like theirs. He also reminds me that I frequently (constantly?) quote the case of the T. J. Hooper (http://itlaw.wikia.com/wiki/T.J._Hooper) and this time I might even be correct to do so! Imagine me, correct!
Has the standard of care for retailers handling consumer data shifted in the last 9 months? As analysts compare the recent Home Depot data breach to the data breach of the credit card processing system at Target last December, the similarities may be more than just interesting: the software and websites used to perpetrate the hacks are so astonishingly parallel that the recently filed complaint (Kelsey O’Brien v. Home Depot Inc.) specifically cites the earlier and widely publicized incident at Target to make its case that Home Depot had been negligent in protecting customer information.
The complaint claims that, after it became known that a program called BlackPOS, described by security firm McAfee Inc. as “an ‘off-the-shelf’ exploit kit for sale that can easily be modified and redistributed with little programming skill or knowledge of malware functionality,” was the method used in the Target attack, “many retailers, banks and card companies” responded “by adopting the use of microchips in U.S. credit and debit cards, technology that helps make transactions more secure…” (Complaint, Pg. 6). Home Depot did not adopt this new standard. It was only after suffering their own data breach that they decided to quickly implement chip-enabled checkout terminals at all US stores by the end of 2014 (Complaint, Pg. 6).
Plaintiffs will urge that Target’s travails set a new standard of care — what the Complaint calls “reasonable security standards” based on “industry best practices concerning data theft,” showing “negligence in preventing such data theft from occurring…” (Complaint, Pg. 17).
Whether the factual allegations hold up and whether Plaintiffs can adequately allege and prove damages remains to be seen. But the legal underpinnings for liability rest on established principles: negligence, notice, and failing to implement an available fix. See In re Sony Gaming Networks and Customer Data Security Breach Litigation, 996 F. Supp. 2d 942 (S.D. Cal. 2014) (duty to employ “reasonable” security measures to protect private data). Indeed, Plaintiffs’ allegations echo the calculus of negligence, or “Hand formula,” established in United States v. Carroll Towing Co., 159 F.2d 169 (2d Cir. 1947), holding that a legal duty of care is breached whenever the damages resulting from a foreseeable loss are greater than the burden (i.e. cost) of taking precautions against that loss.
For my Ethical Hackers. See? It works! Oops, I mean of course there is no evidence, it never happened.
Russian Legal Information Agency (RAPSI) reports:
The Supreme Court of Germany has yet to uncover any tangible evidence supporting the claim that Chancellor Angela Merkel's phone was tapped by American intelligence services, according to Attorney General Harald Range.
At a press conference on Thursday, Range said that German authorities had no official NSA documents ordering any surveillance. The NSA refused to make any comment on the situation.
Read more on RAPSI
Expands the “space and time” limits I posted yesterday. Continuous surveillance would reveal things not of interest to the police? Would the decision have gone the same way if the cops had simply watched the house?
Hanni Fakhoury writes:
The public got an early holiday gift today when a federal court agreed with us that six weeks of continually video recording the front yard of someone’s home without a search warrant violates the Fourth Amendment.
In United States v. Vargas, local police in rural Washington suspected Vargas of drug trafficking. In April 2013, police installed a camera on top of a utility pole overlooking his home. Even though police did not have a warrant, they nonetheless pointed the camera at his front door and driveway and began watching every day. A month later, police observed Vargas shoot some beer bottles with a gun and, because Vargas was an undocumented immigrant, they had probable cause to believe he was illegally possessing a firearm. They used the video surveillance to obtain a warrant to search his home, which uncovered drugs and guns, leading to a federal indictment against Vargas.
Read more about the case and minute order on EFF.
This is the straw that broke the camel's back. (Compare and contrast with Kim Dotcom's experience.)
Google Puts MPAA On Ignore After Receiving Snarky Response To Anti-Piracy Efforts
Google's efforts to thwart piracy and appease organizations like the Motion Pictures Association of America (MPAA) are pretty much non-stop. It involves removing millions of infringing links from search on a weekly basis, and more recently, Google tweaked its search algorithm to be better at downranking sites that receive a large number of valid DMCA notices.
… Google shared the news with the MPAA the day before the changes took effect, no doubt looking for a public affirmation that it's doing a good job.
… Rather than outright praise Google for its voluntary efforts, the MPAA issued an unnecessarily snarky response.
"Everyone shares a responsibility to help curb unlawful conduct online, and we are glad to see Google acknowledging its role in facilitating access to stolen content via search," the MPAA stated in a press release.
… It's understandable that Google is ticked off at the MPAA's public response. More than just angry, Google is now ignoring the MPAA, refusing to "speak or do business" with the movie group. It's choosing instead to deal with the movie studios directly, as "at least three" said they "were very happy about the new features."
… In one email started in January, Sony takes part in "Project Goliath" with the MPAA.
… Project Goliath is a move by the film industry to hurt Google, or all search engines. The intent is to make new laws to stop piracy and actively hurt Google's reputation through investment in advertising and make the search engine cooperate through legislation.
Implications for Russia?
Opec willing to push oil price to $40 says Gulf oil minister
Opec's most influential producers are willing to allow oil prices to fall to $40 per barrel before discussing whether the cartel should hold an emergency meeting to discuss cutting output.
Some background for my Intro to IT students.
What’s Inside Your Computer: The Story Of Every Component You Need To Know
I can see some of my students doing this in class, with me on the short chain.
ROOM ESCAPE ADVENTURES
You have minutes to escape the room. There is a hungry zombie chained to the wall. Every minutes a buzzer sounds and the chain is released another foot from the wall!