Thursday, May 21, 2020


“Move fast and break things.” It’s not just a Big Tech strategy, it’s an explanation of most “rush job” failures.
Ohioans’ and Coloradans’ personal info exposed in pandemic unemployment data breaches
    Two more states have reported breaches or issues with state portals to apply for pandemic-related unemployment benefits.
In Ohio, Maggy McDonel reports:
The personal information of Ohioans receiving pandemic unemployment assistance was recently exposed to a data breach, according to Ohio Department of Jobs and Family Services.
The information reportedly included names, Social Security numbers and street addresses.
ODJFS acknowledged what it described as the “data issue” in a release sent out Wednesday afternoon.
The department says Deloitte Consulting notified it last weekend that around two-dozen people were able “to view other PUA claimants’ correspondence.”
Read more on Fox19.
And in Colorado, Joe Rubino reports:
All 72,000 people signed up for pandemic unemployment assistance in Colorado are eligible for a year of free credit monitoring after a system error gave six people approved for benefits access to everyone else’s private information.
The Colorado Department of Labor and Employment was alerted to the problem Saturday. In a statement, the department referred to the situation as a “limited and intermittent data access issue.” State officials insist it was not a data breach.
Read more on Reporter Herald.
Ohio and Colorado are the third and fourth states we know of that have reported problems with state portals involved in filing for unemployment assistance. Arkansas was the first and Illinois was the second. At this point, it doesn’t seem like the states are all using the same program, but do not be surprised if more states report problems like these.




“Saving face” at the expense of a few (million) deaths...
Data Leak Suggests China Had Hundreds of Thousands of Coronavirus Cases in 230 Cities
Jim Geraghty reports on a very significant data leak:
A dataset of coronavirus cases and deaths from the military’s National University of Defense Technology, leaked to 100Reporters, offers insight into how Beijing has gathered coronavirus data on its population. The source of the leak, who asked to remain anonymous because of the sensitivity of sharing Chinese military data, said that the data came from the university. . . .
While not fully comprehensive, the data is incredibly rich: There are more than 640,000 updates of information, covering at least 230 cities—in other words, 640,000 rows purporting to show the number of cases in a specific location at the time the data was gathered. Each update includes the latitude, longitude, and “confirmed” number of cases at the location, for dates ranging from early February to late April.
Read more on National Review.




Lots of questions. Was this an “authorized user” breach or could anyone do it?
Ron Hurtibise reports:
Hundreds of customers of ADT Security Services were spied on through security cameras installed inside and outside of their homes, two federal lawsuits filed Monday are claiming.
ADT, headquartered in Boca Raton, “failed to provide rudimentary safeguards” to prevent an employee from gaining remote access to the customers’ cameras over a seven-year period, a news release from the Dallas-based Fears Nachawati Law Firm states.
ADT notified customers of the breaches and then tried to pay them off if they agreed not to reveal them publicly, according to the suits filed in U.S. District Court in Fort Lauderdale.
Read more on Sun-Sentinel.




Worth reading and thinking about.
Verizon – 2020 Data Breach Investigations Report
Verizon 2020 Data Breach Investigations Report – “Here we are at another edition of the DBIR.
If you look closely you may notice that it has sprouted a few more industries here and there, and has started to grow a greater interest in other areas of the world. This year we analyzed a record total of 157,525 incidents. Of those, 32,002 met our quality standards and 3,950 were confirmed data breaches. The resultant findings are spread throughout this report. This year, we have added substantially more industry breakouts for a total of 16 verticals (the most to date) in which we examine the most common attacks, actors and actions for each. We are also proud to announce that, for the first time ever, we have been able to look at cybercrime from a regional viewpoint—thanks to a combination of improvements in our statistical processes and protocols, and, most of all, by data provided by new contributors—making this report arguably the most comprehensive analysis of global data breaches in existence…”




Is this the end of facial recognition? (Hint: Hell no!)
Kari Rollins and David Poell of SheppardMullin write:
The Seventh Circuit has recently ruled that plaintiffs have standing to enforce the Illinois Biometric Information Privacy Act’s informed consent requirements in federal court. As we have written before, BIPA regulates the collection, use, and retention of a person’s biometric information, e.g., fingerprints, face scans, etc. For years, federal trial courts have been split on whether a violation of BIPA’s informed consent provision is alone sufficient to confer Article III standing. The decision in Bryant v. Compass Group USA, Inc., — F.3d —-, 2020 WL 2121463 (7th Cir. May 5, 2020) removes that uncertainty and will drastically change the landscape of BIPA litigation going forward.
Read more on EyeOnPrivacy.




While we worry about a pandemic...
Papers, Please! writes:
Air travel in the US has been reduced by more than 90%, measured by the numbers of people passing through checkpoints at airports operated by the Transportation Security Administration (TSA) and its contractors.
And the Department of Homeland Security (DHS) has postponed its threat to start unlawfully refusing passage to travelers without ID credentials compliant with the REAL-ID Act of 2005 for another year, from October 1, 2020, to October 1, 2021.
So relatively little attention is being paid right now to air travel or TSA requirements — making it the ideal time for the TSA to try to sneak a new ID requirement for air travel (to take effect in 2021) into place without arousing public protest.
Read more on Papers, Please!




Try translating that for students!
Tackling Privacy by Design: Practical Advice Following Multiple Implementations
When advising clients on Privacy by Design (PbD) implementation, I often feel like the voice in his or her head is saying, “I see your lips moving, but all I hear is blah, blah, blah.” After experiencing those moments a few times, it occurred to me how professionals living in the PbD space are speaking a different language from business owners, product and service designers, and those in charge of privacy compliance for their organization. The purpose of this article is to demystify PbD (a bit), and to offer some practical advice for businesses looking to implement PbD in its products and services.




Sounds useful… Can we extract ‘Best Practices?’
Hogan Lovells Launches Global Privacy Guide to Support Businesses with COVID-19 Exit Plans
As the world focuses its efforts on the right strategy to beat the coronavirus and make normal life safe again, businesses are devising and implementing a variety of measures to deal with the COVID-19 crisis which rely on the collection, use and dissemination of personal data.
To assist with this challenge and ensure that privacy and cybersecurity aspects are appropriately addressed, Hogan Lovells has released today a detailed guide providing legal analysis and practical recommendations. The guide has been prepared by a team spanning its 45 offices around the world and led by the firm’s Global Regulatory practice.
To read COVID-19 Exit Strategy: A Global Privacy and Cybersecurity Guide, click here.




Reading for shut-ins.
Bart Gellman on Snowden
Bart Gellman's long-awaited (at least by me) book on Edward Snowden, Dark Mirror: Edward Snowden and the American Surveillance State, will finally be published in a couple of weeks. There is an adapted excerpt in the Atlantic.
It's an interesting read, mostly about the government surveillance of him and other journalists. He speaks about an NSA program called FIRSTFRUITS that specifically spies on US journalists. (This isn't news; we learned about this in 2006. But there are lots of new details.)




Inside every cloud, a silver lining.
Inside the Rise of a Hot New Industry: Social Distancing Consultants
Marker Medium: “…As shelter-in-place laws start to relax across the U.S., and businesses begin to reopen or at least to start thinking about it—everyone from retailers, restaurants, hairdressers, fashion boutiques, and building managers are desperate to overhaul their spaces with new safety protocols so they can protect employees and customers —and start making money again. The problem? No one really knows what they are doing. Federal guidelines cover the basics of hand-washing, sanitizing, and mask-wearing, but they lack specificity for different scenarios. For example, if you install a plexiglass screen, how large should it be? What’s the best way to redesign an office floor plan to limit interactions? Should employee temperatures be taken every shift? What about customer temperatures? Amid this uncertainty, a new cottage industry comprised of opportunists and pivoters has sprung up to fill the void: the social distancing consultant. From architects and designers to maintenance and marketing companies, these firms have recast themselves virtually overnight as experts in the new, high-demand art of keeping people six feet apart. Social distancing services have become a boon to the struggling architecture industry, as other projects have been put on hold...




The joy of face masks!


