Thursday, December 24, 2015

Must be easy to hack these systems.
Brian Krebs reports:
Hyatt Hotels Corporation said today it recently discovered malicious software designed to steal credit card data on computers that operate the payment processing systems for Hyatt-managed locations.
Hyatt’s notice to customers has very few details about the investigation, such as how long the breach lasted or how many consumers may have had their card data stolen as a result. Hyatt did say that it has taken steps to strengthen its systems, and that “customers can feel confident using payment cards at Hyatt hotels worldwide.”
Read more on KrebsOnSecurity.com.
[From the article:
Hyatt joins a crowded list of other hotel chains similarly breached in the past year, including Hilton, Starwood, Mandarin Oriental, White Lodging and the Trump Collection.]




We live in a complicated world. (Don't you love it when one lawyer can confuse another?)
Yesterday morning, some of us were following up on a ProPublica report about a New Jersey clinic that, when suing patients for overdue accounts, included their diagnostic codes in materials sent to its collection agency. Those records – containing the patients’ names, diagnostic codes, and treatment codes – became part of public court records.
There were some interesting questions raised by the case. The Short Hills Associates in Clinical Psychology provides its patients with its notice of privacy practices, but when an aggrieved patient filed a complaint with HHS over the disclosure of his diagnostic code, OCR closed the case without action because the clinic – using paper records for transactions – was not a HIPAA-covered entity.
But what about the collection agency? If the clinic was not a HIPAA-covered entity, was the collection agency then not a Business Associate under HIPAA? At first blush, it might seem unreasonable to think that it could still be a business associate and subject to HIPAA’s restriction on disclosing only what is necessary to obtain payment.
But Texas attorney Jeff Drummond raised some very interesting points in our discussion, including that if the collection agency is a BA for any other entity, then it might be covered by HIPAA with respect to all of its clients’ patient records.
Jeff has blogged about the issues raised by this case on HIPAA Blog. It’s a post – and interpretation of HIPAA – that I found surprising, to say the least. I would love to see a panel discuss this issue at a conference. In the meantime, I may shoot a link to it over to HHS to ask for their reaction.
In the meantime, go read Jeff’s post.




Is the FAA encouraging more restrictions or looking for better wording?
FAA Issues Fact Sheet on State and Local UAS Laws
by Sabrina I. Pacifici on Dec 23, 2015
December 17, 2015 – “The Federal Aviation Administration’s (FAA) new fact sheet on state and local regulation of unmanned aircraft systems (UAS) provides information for states and municipalities considering laws or regulations addressing UAS use. The document outlines FAA’s safety reasons for federal oversight of aviation and airspace, and explains federal responsibility in this area. The fact sheet provides examples of state and local laws affecting UAS for which consultation with the FAA is recommended, such as restrictions on flight altitude or flight paths, regulation of the navigable airspace, and mandating UAS-specific equipment or training. The fact sheet also gives examples of UAS laws likely to fall within state and local government authority, such as requirements for police to obtain a warrant prior to using UAS for surveillance; prohibitions on the use of UAS for voyeurism; exclusions on using UAS for hunting or fishing, or harassing individuals engaged in those activities; and prohibitions on attaching firearms or other weapons to a UAS.”




So you don't have to get x-rayed, unless you do. Can you then opt-out? Probably not.
Full-body TSA scans are mandatory for 'some passengers'
… Now the Advanced Imaging Technologies (AIT) using Automatic Target Recognition (ATR) will be mandatory in certain cases. Slashgear notes that prior to this the scanners were opt-in, and one could go through a contactless, non-imaging scan instead. That option will exist, but security agents can insist on mandatory screening "for some passengers." The argument the DHS gives (PDF) is that these scanners are more capable of detecting prohibited, non-metallic items that could be hidden under a few layers of clothing than a metal detector wand would be.




Even I might read a couple of these.
11 Exceptional Legal Tech White Papers from 2015
by Sabrina I. Pacifici on Dec 23, 2015
LexisNexis Business of Law Blog: “White papers are a place for deep thinking – deep thinking that is data-driven. Combine that data with innumerable client engagements, from small law firms to large – and from corporate legal departments to legal services bureaus – and we’re able to chronicle insights for the market in neatly packaged white papers. As part of our 2015 roundup series, here’s an at-a-glance listing of many of the white papers we’ve published this year.”




Perspective. Free is not always trusted.
Facebook goes all out for saving Free Basics in India
NEW DELHI: Social media giant Facebook has started an aggressive campaign in India to gather public support for its free internet platform 'Free Basics.'
… The Telecom Regulatory Authority of India (Trai) has asked RCom to keep the service in abeyance till a decision is reached on its consultation process around differential pricing of data by operators. The last date for public comments on Trai's paper is December 30.
… The regulator has received close to 5.7 lakh [570,000 Bob] comments, of which over 5.5 lakh comments are through Facebook's campaign.




I will not use this line on my students. I will not use this line on my students. I will not use this line on my students.