Tuesday, March 21, 2017
I posted this last Friday, with some of the same questions.
The largest group of reports
focuses on acquiring data from mobile devices.
The St. Charles Health System may think they’ve met all their obligations in their handling of an insider snooping incident, but Deschutes County District Attorney John Hummel says the matter should have been reported to them for criminal investigation.
Now that’s interesting to think about. If a covered entity is convinced that an employee snooped just out of curiosity and not for any intended misuse of information for tax fraud, etc., should the covered entity be referring the matter to law enforcement for criminal investigation?
Would employees be more hesitant about snooping if they knew their employer could not just handle an incident internally and their name and actions would be referred for a criminal investigation?
And would employers/covered entities be even more motivated to prevent insider snooping if they knew they had to refer incidents for criminal investigation if more than X number of patients were involved?
Probably true in this case, but what happens if someone really does forget? How could I prove it? Should I have to?
Thomas Claburn reports:
The US Third Circuit Court of Appeals today upheld a lower court ruling of contempt against a chap who claimed he couldn’t remember the password to decrypt his computer’s hard drives.
In so doing, the appeals court opted not to address a lower court’s rejection of the defendant’s argument that being forced to reveal his password violated his Fifth Amendment protection against self-incrimination.
Read more on The Register.
Something for my Computer Security students to research!
Hacking Tools Get Peer Reviewed, Too
In September 2002, less than a year after Zacarias Moussaoui was indicted by a grand jury for his role in the 9/11 attacks, Moussaoui’s lawyers lodged an official complaint about how the government was handling digital evidence. They questioned the quality of the tools the government had used to extract data from some of the more than 200 hard drives that were submitted as evidence in the case—including one from Moussaoui’s own laptop.
When the government fired back, it leaned on a pair of official documents for backup: two reports produced by the National Institute of Standards and Technology (NIST) that described the workings of the software tools in detail. The documents showed that the tools were the right ones for extracting information from those devices, the government lawyers argued, and that they had a track record of doing so accurately.
It was the first time a NIST report on a digital-forensics tool had been cited in a court of law. That its first appearance was in such a high-profile case was a promising start for NIST’s Computer Forensics Tool Testing (CFTT) project, which had begun about three years prior. Its mission for nearly two decades has been to build a standardized, scientific foundation for evaluating the hardware and software regularly used in digital investigations.
… Today, the CFTT’s decidedly retro webpage—emblazoned with a quote from an episode of Star Trek: The Next Generation—hosts dozens of detailed reports about various forensics tools. Some reports focus on tools that recover deleted files, while others cover “file carving,” a technique that can reassemble files that are missing crucial metadata.
There is a place for my Computer Security students in law firms, but will the lawyers listen?
Lia Marie Brooks and Peter A. Nelson have an article on Harleysville Insurance Co. v. Holding Funeral Home, Inc. that I nearly skipped. I’m glad I didn’t, because it may have some applicability to cases where entities leave confidential or protected health information on public FTP servers without any password protection and then try to claim they were “hacked” when someone copies the data.
From their article:
The court found that the disclosure was “inadvertent” under state law because the insurer “unknowingly provided access to information by failing to implement sufficient precautions to maintain its confidentiality.” Further, the court held that the insurer waived any claim of privilege because the site was not password protected and the information “was available for viewing by anyone, anywhere who was connected to the internet and happened upon the site by use of the hyperlink or otherwise.”
“In essence,” the court held, the insurer had conceded that its actions were “the cyber world equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it. It is hard to imag[in]e [sic] an act that would be more contrary to protecting the confidentiality of information than to post that information to the world wide web.”
The court found that disqualifying defense counsel would serve no practical purpose, as any replacement counsel would be entitled to receive the same claims file in discovery. The court also chastised defense counsel for downloading the claims file because a confidentiality notice was displayed on the email message that was produced with the hyperlink. “[B]y using the hyperlink contained in the email containing a Confidentiality Notice … defense counsel should have realized that the Box Site might contain privileged or protected information.”
You can read their full article on Patterson Belknap Data Security Law Blog.
For my Computer Security students.
Erich Falke writes:
Then there were two.
On March 16, 2017, the New Mexico state legislature passed a bill requiring that New Mexico residents be notified if their “personal identifying information” was affected by a breach of electronic data. Upon signature of the bill, New Mexico will join 47 other states requiring such notification, and the only states remaining without notification laws will be Alabama and South Dakota.
Read more on Baker Hostetler Data Privacy Monitor.
This could be amusing.
New Bill Forces Cybersecurity Responsibility Into the Boardroom
A new bill introduced to the Senate seeks to change this by requiring a board level statement of cyber security expertise or practice in annual SEC filings.
S536, cited as the 'Cybersecurity Disclosure Act of 2017', is sponsored by Democrats Mark Warner of Virginia and Jack Reed of Rhode Island, and Republican Susan Collins of Maine. Its purpose is to promote transparency in the oversight of cybersecurity risks at publicly traded companies.
The bill (PDF) defines a cyber security threat as any action not protected by the First Amendment that "may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system..."
The bill then proposes just three requirements under the aegis of the Securities and Exchange Commission (SEC): that annual reports to the SEC must disclose the level of cyber security expertise of the board; or, if none exists, what "other cybersecurity steps taken by the reporting company were taken into account"; and that the definition of what constitutes that expertise should come from the SEC in consultation with NIST.
… The effect of the bill will be to make the board legally and transparently responsible for cyber security. It is not the first regulation to seek this effect in 2017. On 1 March, the New York Department of Financial Services' 23 NYCRR 500 regulation came into force. That regulation imposes a responsibility for regulated organizations to name a 'CISO' who will provide an annual cyber security report to be submitted and signed off by the board to the regulator.
Taken together, these two examples of new regulations suggest that regulatory authorities are no longer satisfied to make recommendations about board-level security responsibility, but are now ready to mandate and legally require it.
A wacky idea that might have some attraction. I have several students with military experience. I’ll be interested to see how they would structure something like this. Perhaps a non-military version?
Experts divided on value of Cyber National Guard
This past weekend at SXSW, two Congressmen suggested that the U.S. create a cybersecurity reserves system, similar to the National Guard, but the idea has received a mixed welcome from the cybersecurity community.
According to House Rep. Will Hurd, a Republican from Texas, a national cybersecurity reserve could help strengthen national security and bring in a diversity of experience.
… "We have military reserves for all the traditional branches of the armed services, but nothing for the cyber realm, largely because of restrictive military hiring policies that discourage information security professionals from joining up," he said.
… For example, typical reservists are trained to shoot a rifle, or pilot a helicopter, he said, but cyber professionals are already trained. Plus, there's the culture gap, he added. "Being forced to cut their hair, having to work out, being deployed away from their families."
"There are plenty of patriots in the ranks of the cybersecurity elite, but not many who are going to leave lucrative corporate and consulting gigs to join the military," said Jonathan Sander, vice president of product strategy at Lieberman Software. "However, offer them an option to keep their income but be on call to come to the national defense when it’s needed and you may have a winning formula."
Tools for small businesses? But not at the Mom & Pop level.
Foursquare is launching an analytics platform to help retailers understand foot traffic
While Foursquare started as a social check-in app, the company has always said there is a bigger picture — mainly related to unique ways of leveraging its database of check-ins at nearly 100 million public places.
There’s no better example than when Foursquare predicted that Chipotle same-store sales would fall 29 percent after the Mexican chain was hit with E. coli outbreaks. The actual decline announced by Chipotle ended up being a spot-on 30 percent.
As you can imagine, these analytics can be very valuable to retailers, allowing them to better understand customers’ habits as well as predict store traffic.
So today the company is announcing Foursquare Analytics, a foot-traffic dashboard for brands and retailers. The platform is available for retailers with any number of stores, no matter how small. Previously the only way for companies to access this data was through one-off deals with Foursquare.
Retailers will be able to use the dashboard to see foot-traffic data across metrics like gender, age and new versus returning customers — on a national or citywide scale. They also can compare their foot traffic against a set of competitors and their category as a whole.
As long as they don’t screw this up too…
Samsung has a plan to turn Google into a dumb tube
Samsung has decided to wade into a massive battle over the future of computing — and it has a huge potential advantage.
On Monday, the South Korean electronics company announced "Bixby": A voice-controlled AI assistant that lives inside your smartphone.
It now joins Google, Amazon, and Apple, who are all betting that these virtual assistants will be the next major frontier in how people interact with their devices. (They have Google Assistant, Alexa, and Siri, respectively.)
Thanks to Samsung's vast range of appliances, which are already sitting in consumers' homes, it has a massive potential head start on its competitors, just waiting to be leveraged. And it could also help it lessen its long-running dependence on Google.
(Related). Is this the start of a ‘personal assistant’ war?
Amazon Using Trojan Horse Approach To Go After Smartphone Voice Market
… Here we'll look at the latest steps the e-commerce giant is taking to go beyond its own device and have Alexa embedded in its competitors' devices.
This is important because the number of users of Apple's iPhone and smartphones using Google's Android is very high. To go after that market while seeking to have itself part of the home experience puts its competitors on the defensive as they have to not only try to grow their own market share but defend themselves from being overtaken in their own back yards.
In a way, with voice virtual assistants becoming a major growth market segment of the future in tech, it's probably good for Amazon that its attempt to introduce a smartphone failed. Like it does in retail, now it can compete without a physical presence, focusing primarily on invading existing hardware ecosystems. In other words, it doesn't have to defend against its own smartphone devices as any success with its competitors' devices will make it harder to root the company out of them as it expands its presence into further devices and smart home appliances.
Interesting but not (yet) alarming.
5 reasons why China will rule tech, 2017 edition
I never would have thought of this. I wonder if my students have a different perspective?
Now There's a Netflix-Like Service for Cadillacs
… Back in January, GM launched Book by Cadillac, a “luxury vehicle subscription service” that the company says is ideal for drivers that don’t want to “worry about insurance premiums, taxes, maintenance or mileage restrictions and no long-term commitment.”
Since its launch at the beginning of the year, 5,000 people have signed up for Book by Cadillac. It’s currently only available in the New York City area, but the company has plans to expand the program to other parts of the country.
Membership is on a month-to-month basis, and for a one-time fee of $500 then $1500 each month, participants have access to 10 different current-year car models and can swap for a new one up to 18 times during the course of the year.
I must ask my students how many social media sites they visit on a given day.
Keeping on top of your social networks is no easy feat. In an ideal world, there’d be one social network to keep up with. Perhaps the next best thing is a platform that consolidates several of your social accounts and feeds into one place.
Hootsuite has stood the test of time. It’s not perfect, but it’s by far the best option. You won’t be able to use it for all of your social needs, but it can definitely help you stay up to date with more social networks, both via your browser and on mobile.
Something to watch for…
MIT SMR and MIT Press Announce Book Publishing Partnership
… it is with great excitement that I share the news that MIT Sloan Management Review and MIT Press are joining forces to launch two new book series exploring the digital frontiers of management. One series will feature original titles. The other series will collect the best MIT SMR articles on key digital topics.
… Look for more information about the series and how to submit proposals on our website coming soon.