I rarely get a tip from Professor Soma at the DU Law School, so pay attention! This could be an important precedent for Computer Security Managers who notice (or fail to notice?) a breach in an organization like theirs. He also reminds me that I frequently (constantly?) quote the case of the T. J. Hooper (http://itlaw.wikia.com/wiki/T.J._Hooper) and this time I might even be correct to do so! Imagine me, correct!
Has the standard of care for retailers handling consumer data shifted in the last 9 months? As analysts compare the recent Home Depot data breach to the data breach of the credit card processing system at Target last December, the similarities may be more than just interesting: the software and websites used to perpetrate the hacks are so astonishingly parallel that the recently filed complaint (Kelsey O’Brien v. Home Depot Inc.) specifically cites the earlier and widely publicized incident at Target to make its case that Home Depot had been negligent in protecting customer information.
The complaint claims that, after it became known that a program called BlackPOS, described by security firm McAfee Inc. as “an ‘off-the-shelf’ exploit kit for sale that can easily be modified and redistributed with little programming skill or knowledge of malware functionality,” was the method used in the Target attack, “many retailers, banks and card companies” responded “by adopting the use of microchips in U.S. credit and debit cards, technology that helps make transactions more secure…” (Complaint, Pg. 6). Home Depot did not adopt this new standard. It was only after suffering their own data breach that they decided to quickly implement chip-enabled checkout terminals at all US stores by the end of 2014 (Complaint, Pg. 6).
Plaintiffs will urge that Target’s travails set a new standard of care — what the Complaint calls “reasonable security standards” based on “industry best practices concerning data theft,” showing “negligence in preventing such data theft from occurring…” (Complaint, Pg. 17).
Whether the factual allegations hold up and whether Plaintiffs can adequately allege and prove damages remains to be seen. But the legal underpinnings for liability rest on established principles: negligence, notice and failing to implement an available fix. See In re Sony Gaming Networks and Customer Data Security Breach Litigation, 996 F. Supp. 2d 942 (S.D. Cal. 2014) (duty to employ “reasonable” security measures to protect private data). Indeed, Plaintiffs’ allegations echo the calculus of negligence, or “Hand formula,” established in United States v. Carroll Towing Co., 159 F.2d 169 (2d Cir. 1947), holding that a legal duty of care is breached whenever the damages resulting from a foreseeable loss are greater than the burden (i.e. cost) of taking precautions against that loss.
For my Ethical Hackers. See? It works! Oops, I mean of course there is no evidence, it never happened.
Russian Legal Information Agency (RAPSI) reports:
The Supreme Court of Germany has yet to uncover any tangible evidence supporting the claim that Chancellor Angela Merkel’s phone was tapped by American intelligence services, according to Attorney General Harald Range.
At a press conference on Thursday, Range said that German authorities had no official NSA documents on ordering any surveillance. NSA refused to make any comment on the situation.
Read more on RAPSI
Expands the “space and time” limits I posted yesterday. Continuous surveillance would reveal things not of interest to the police? Would the decision have gone the same way if the cops had simply watched the house?
Hanni Fakhoury writes:
The public got an early holiday gift today when a federal court agreed with us that six weeks of continually video recording the front yard of someone’s home without a search warrant violates the Fourth Amendment.
In United States v. Vargas, local police in rural Washington suspected Vargas of drug trafficking. In April 2013, police installed a camera on top of a utility pole overlooking his home. Even though police did not have a warrant, they nonetheless pointed the camera at his front door and driveway and began watching every day. A month later, police observed Vargas shoot some beer bottles with a gun and because Vargas was an undocumented immigrant, they had probable cause to believe he was illegally possessing a firearm. They used the video surveillance to obtain a warrant to search his home, which uncovered drugs and guns, leading to a federal indictment against Vargas.
Read more about the case and minute order on EFF.
This is the straw that broke the camel's back. (Compare and contrast with Kim Dotcom's experience.)
Google Puts MPAA On Ignore After Receiving Snarky Response To Anti-Piracy Efforts
Google's efforts to thwart piracy and appease organizations like the Motion Pictures Association of America (MPAA) are pretty much non-stop. It involves removing millions of infringing links from search on a weekly basis, and more recently, Google tweaked its search algorithm to be better at downranking sites that receive a large number of valid DMCA notices.
…
Google shared the news with the MPAA the day before the changes took
effect, no doubt looking for a public affirmation that it's doing a
good job.
…
Rather than outright praise Google for its voluntary efforts, the
MPAA issued an unnecessarily snarky response.
"Everyone shares a responsibility to help curb unlawful conduct
online, and we are glad to
see Google acknowledging its role in facilitating access to stolen
content via search," the MPAA stated in a press
release.
…
It's understandable that Google is ticked off at the MPAA's public
response. More than just angry, Google
is now ignoring the MPAA, refusing to "speak or do business"
with the movie group. It's choosing instead to deal with
the movie studios directly, as "at least three" said they
"were very happy about the new features."
(Related)
…
In one email started in January, Sony takes part in "Project
Goliath" with the MPAA.
…
Project Goliath is a move by the film industry to hurt Google, or
all search engines. The intent is to make new laws to stop piracy
and actively hurt Google's reputation through investment in
advertising and make the search engine cooperate through legislation.
Implications for Russia?
Opec willing to push oil price to $40 says Gulf oil minister
Opec's most influential producers are willing to allow oil prices to fall to $40 per barrel before discussing whether the cartel should hold an emergency meeting to discuss cutting output.
Some background for my Intro to IT students.
What’s Inside Your Computer: The Story Of Every Component You Need To Know
I can see some of my students doing this in class, with me on the short chain.
ROOM ESCAPE ADVENTURES
You have 60 minutes to escape the room. There is 1 hungry zombie chained to the wall. Every 5 minutes a buzzer sounds & the chain is released another foot from the wall!