Wednesday, September 30, 2015

A most interesting trend.
Ryan M. Martin of Winston & Strawn LLP writes:
The U.S. District Court for the Southern District of Illinois recently denied the retail grocery chain Schnuck Markets’ motion to dismiss various claims arising from a December 2012 data breach in which hackers gained access to Schnucks’ credit/debit card processing systems. By mid-March 2013, both customers’ banks and Schnucks’ own payment processor had notified Schnucks that the breach had resulted in fraudulent charges to customer cards.
Read more on Lexology.
So… Neiman Marcus. Flowers Hospital. Schnuck. Do my eyes deceive me, or are we seeing a possible trend with data breach lawsuits surviving motions to dismiss for lack of standing? Of course, that doesn’t mean the plaintiffs will be able to prove they suffered harm, but are courts becoming a tad more plaintiff-friendly? We’ll have to watch and wait….

What has happened to “management?” One would think senior management, the legal department and probably several other business departments would be very interested in accurate information. Why did they fail to deliver?
Fiat Chrysler is in trouble again with the NHTSA
Fiat Chrysler Inc. is in hot water again with regulators after under-reporting a “significant” amount of deaths, injuries and legal claims, according to The Financial Times.
The FT cited the National Highway Traffic Safety Administration as saying Fiat Chrysler had discovered “deficiencies” in the way it reports faults.

(Related) “We don't need no stinking laws/regulations/policies/procedures/management!”
Benjamin Krause writes:
VA OIG just reported that Palo Alto VA Health Care System unlawfully gave patient data to a private IT company despite employees not having cleared background checks.
The watchdog investigated allegations that the Palo Alto VA informatics chief entered into an illegal agreement with a health care company called Kyron.
VA OIG confirmed allegations that the patient data was given to Kyron prior to its employees getting background checks. It also confirmed that patient data was loaded into Kyron’s extraction software prior to receiving approval from VA information security officers.

Another privacy trend. How useful/accurate are they?
Apple debuts new privacy website
Apple debuted a new website on Tuesday aimed at informing customers on how the company uses their data.
The company has been positioning itself as a bastion of digital privacy as user data in the industry is increasingly being shared with advertisers and, sometimes, law enforcement.
“When you pay for groceries, message a friend, track a workout, or share a photo, you shouldn’t have to worry about your information falling into the wrong hands,” the company says on the website. “The personal data on your devices should be protected and never shared without your permission.”
The website explains, at a level more granular than many of its competitors, the privacy protections that Apple says are built into its applications.
… Google has its own website explaining how it uses user data.

For my Ethical Hacking students. You can't build a full dossier without complete medical information.
Re-identification is just too damned easy sometimes – and if your state is selling your “de-identified” health information, don’t be reassured – be worried.
Here’s the abstract of a study by Latanya Sweeney:
Alice goes to the hospital in the United States. Her doctor and health insurance company know the details ― and often, so does her state government. Thirty-three of the states that know those details do not keep the information to themselves or limit their sharing to researchers [1]. Instead, they give away or sell a version of this information, and often they’re legally required to do so. The states turn to you as a computer scientist, IT specialist, policy expert, consultant, or privacy officer and ask, are the data anonymous? Can anyone be identified? Chances are you have no idea whether real-world risks exist. Here is how I matched patient names to publicly available health data sold by Washington State, and how the state responded. Doing this kind of experiment helps improve data-sharing practices, reduce privacy risks, and encourage the development of better technological solutions.
Results summary: The State of Washington sells a patient-level health dataset for $50. This publicly available dataset contained virtually all hospitalizations occurring in the state in a given year, including patient demographics, diagnoses, procedures, attending physician, hospital, a summary of charges, and how the bill was paid. It did not contain patient names or addresses (only five-digit ZIPs, which are U.S. postal codes). Newspaper stories printed in the state for the same year that contain the word “hospitalized” often included a patient’s name and residential information and explained why the person was hospitalized, such as a vehicle accident or assault. A close analysis of four archival news sources focused on Washington State activities from a single searchable news repository studied uniquely and exactly matched medical records in the state database for 35 of the 81 news stories found in 2011 (or 43 percent), thereby putting names to patient records. An independent third party verified that all of the matches were correct. In response to the re-identification of patients in its data, Washington State changed its way of sharing these data to create three levels of access. Anyone can download tabular summaries. Anyone can pay $50 and complete a data-use agreement to receive a redacted version of the data. However, access to all the fields provided prior to this experiment is now limited to applicants who qualify through a review process.
Sweeney L. Only You, Your Doctor, and Many Others May Know. Technology Science. 2015092903. September 29, 2015.
The full paper is available for free download at that URL.
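The abstract above describes a linkage attack: public facts (ZIP, age, admission date, hospital) single out one record in a table that carries no names. The added example below, which is not from Sweeney's paper and uses constructed records and a constructed news item, shows the release-time check a data steward would run: k-anonymity over the quasi-identifiers as released, and again after the kind of generalization Washington's redacted version applies.

```python
from collections import Counter
from datetime import date

# Constructed records: no name or address, but ZIP5, exact age, admission
# date, hospital and diagnosis, the fields the state dataset released.
RECORDS = [
    {"zip": "98101", "age": 34, "admit": date(2011, 3, 14), "hospital": "H1", "dx": "fracture"},
    {"zip": "98101", "age": 37, "admit": date(2011, 3, 20), "hospital": "H1", "dx": "fracture"},
    {"zip": "98104", "age": 62, "admit": date(2011, 7, 2), "hospital": "H2", "dx": "assault"},
    {"zip": "98104", "age": 65, "admit": date(2011, 7, 9), "hospital": "H2", "dx": "stroke"},
    {"zip": "98225", "age": 19, "admit": date(2011, 11, 30), "hospital": "H3", "dx": "mva"},
    {"zip": "98225", "age": 18, "admit": date(2011, 12, 5), "hospital": "H3", "dx": "burn"},
]
# Constructed news item: "19-year-old from 98225 hospitalized at H3 on Nov 30".
STORY = {"zip": "98225", "age": 19, "admit": date(2011, 11, 30), "hospital": "H3"}

def quasi_id(rec, level):
    """Quasi-identifier tuple at a generalization level:
    0 = as released (ZIP5, exact age, exact date, hospital);
    1 = ZIP3, 10-year age band, admission month, hospital;
    2 = ZIP3, 10-year age band, admission quarter, hospital dropped."""
    if level == 0:
        return (rec["zip"], rec["age"], rec["admit"], rec["hospital"])
    band = rec["age"] // 10 * 10
    if level == 1:
        return (rec["zip"][:3], band, rec["admit"].month, rec["hospital"])
    return (rec["zip"][:3], band, (rec["admit"].month - 1) // 3 + 1)

def k_anonymity(records, level):
    """Size of the smallest equivalence class; k == 1 means some record is unique."""
    return min(Counter(quasi_id(r, level) for r in records).values())

def unique_fraction(records, level):
    """Share of records that are the only member of their equivalence class."""
    counts = Counter(quasi_id(r, level) for r in records)
    return sum(1 for r in records if counts[quasi_id(r, level)] == 1) / len(records)

def link(records, story, level):
    """Release-time check: which records do a story's public facts match?
    Exactly one match means the story puts a name on that record's diagnosis."""
    key = quasi_id(story, level)
    return [r for r in records if quasi_id(r, level) == key]

if __name__ == "__main__":
    for level in (0, 1, 2):
        print(f"level {level}: k={k_anonymity(RECORDS, level)}, "
              f"unique={unique_fraction(RECORDS, level):.2f}, "
              f"story matches={len(link(RECORDS, STORY, level))}")
```

At level 0 every record is unique and the story matches exactly one, exposing its diagnosis; only at level 2 does every class hold at least two records and the story stops singling anyone out.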

Erika Morphy reports:
With little fanfare or formality, Adam Smith, associate professor of computer science and engineering in Penn State’s School of Electrical Engineering and Computer Science, and Vitaly Shmatikov, a professor at Cornell University, are going to try to tackle a looming issue that will, if it is not addressed, have consequences for just about anyone who has ever used the Internet, sent an email, received medical attention or otherwise made his or her presence known on the Grid that is our online society.
Read more on Computerworld.

Perspective. “There's gold in them thar ads!”
Google’s most expensive search keywords are for ambulance-chasing lawyers
Chances are, if you’ve watched television in the US, you’ve seen myriad advertisements for local lawyers that want to save you money after an injury—no win, no fee. Perhaps you’ve even memorized their bizarre jingles, or seen a program based on their exploits. And it seems that the internet is no different than television: Accident lawyers dominate the most expensive keyword search terms on Google AdWords—the adverts that pop up next to search results on Google.
… The report, which was released last month, was created by WebpageFX, a digital marketing company, and SEMrush, a digital marketing analytics firm. They found that the vast majority of the most expensive keyword search terms were for legal issues, most of which were localized to certain US cities or states. The single most expensive paid search term so far in 2015 is: “San Antonio car wreck attorney,” which costs advertisers $670.44 every time a person searching on Google clicks on that term.

Yes, but... Kind of a big but!
Andrew Crocker writes:
When it comes to the highest court in Massachusetts, it sometimes seems like entire battles are won and lost in the footnotes. In a seemingly straightforward new case, the Supreme Judicial Court has managed to add a wrinkle on top of the already complicated patchwork of law surrounding cell phone location tracking. The court’s opinion today in Commonwealth v. Estabrook sets out what it calls a “bright-line rule” and reaffirms that, in general, the Massachusetts constitution requires a warrant for tracking a person’s location using cell site location information (CSLI). That’s worth celebrating, but cynical readers who are already wondering about the “in general” in the previous sentence should take a look at footnote twelve in the opinion. Meanwhile, all readers should probably buckle in for a somewhat detailed tale of judicial incrementalism.
Read more on EFF.
[Footnote 12:
This exception to the warrant requirement for CSLI applies only to "telephone call" CSLI, which is at issue in this case, and not to "registration" CSLI. "Telephone call" CSLI indicates the "approximate physical location . . . of a cellular telephone only when a telephone call is made or received by that telephone." Augustine, 467 Mass. at 258-259 (Gants, J., dissenting). By contrast, "registration" CSLI "provides the approximate physical location of a cellular telephone every seven seconds unless the telephone is 'powered off,' regardless of whether any telephone call is made to or from the telephone." Id. at 259 (Gants, J., dissenting).]

Perspective. No answers here, only questions. I still want to teach a drone piloting class.
1 Million Drones Will Be Sold This Christmas, and the FAA Is Terrified
Any ideas what you'll be getting for the holidays? According to the FAA, about 1 million of you will be getting drones, whether that's a high-end quadcopter or low-end $20 knockoffs from Walmart. Regardless, the FAA is very, very worried about what happens when 1 million new aircraft enter the airspace.

Perspective. How the Internet of Things is growing.
GE Predicts Predix Platform Will Generate $6B In Revenue This Year
Like many big companies, GE has been in the process of trying to reinvent itself, and Predix, its Industrial Internet of Things platform has been a big part of that.
Today, at its annual Minds + Machine conference in San Francisco, GE announced that the Predix platform had grown into a big business with $5 billion in revenues and $6 billion in orders expected this year.

The future of part-time work?
Amazon’s new ‘Flex’ delivery scheme is like Uber for packages
Amazon has just launched an Uber-like delivery system offering regular folks the chance to deliver packages using their own cars for $18 to $25 an hour.
… On Tuesday, the company unveiled the new scheme, called Amazon Flex.
Flex works with Amazon’s super-speedy Prime Now offering where customers can get one- and two-hour delivery on tens of thousands of items, with drivers able to choose between two-, four-, and eight-hour shifts. Besides a car, workers must also have an Android phone for managing deliveries via the Flex app (no iOS version yet), and pass a background check.

Something for everyone?
14 Effective Home & Self Defense Gadgets For Women Living Alone

This is useful! (Tweets for Twits!) Also something for business (marketing) students.
Twitter Has A 136-Page Handbook For Politicians' 140-Character Tweets
Twitter seems simple — just type in 140 characters and hit enter, right? But Twitter can be tough. Building an audience. Keeping that audience. Finding a voice. Cutting through all the chatter. It's a lot, especially if you're a busy elected official.
Well, elected officials, fear not! Twitter itself is here to help. NPR recently discovered that the social media giant has a very special handbook just for people running for elected office. And it's 136 pages long.
The manual has been "wildly popular," said Bridget Coin, a manager on Twitter's Government and Elections Partnership Team who helped put the manual together (see below for more of our interview with her). "We don't want to make assumptions. We want to make sure that people feel empowered with the full story of what Twitter is."
