Wednesday, July 22, 2009

How much should a security breach cost an organization?

http://www.databreaches.net/?p=6353

HSBC fined for personal data loss

July 22, 2009 by admin Filed under Breach Incidents, Lost or Missing, Non-U.S., Of Note

Three HSBC firms have been fined more than £3m for failing to adequately protect customers’ confidential details from being lost or stolen.

The Financial Services Authority (FSA) said customer data had been lost in the post on two occasions.

The firms concerned are HSBC Life UK, HSBC Actuaries and Consultants, and HSBC Insurance Brokers.
[...]

The FSA identified two instances where unencrypted data had been lost in the post.

In April 2007, HSBC Actuaries lost a floppy disk containing the personal information of 1,917 pension scheme members, including addresses, dates of birth and national insurance numbers.

And in February 2008, HSBC Life lost a CD containing the details of 180,000 policyholders.

“All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals,” said Margaret Cole, director of enforcement at the FSA.

Read more on BBC. Related - FSA Press Release



See how common “not knowing” is? Here's an idea. If you can't prove your laptop was “PII Free” then you must assume it contained data on every customer. (It'll never fly, but it would open some eyes.)

http://www.databreaches.net/?p=6349

Stolen laptop “may have” held customer data

July 21, 2009 by admin Filed under Breach Incidents, Business Sector, Theft

On July 8, a laptop that may have contained some customer information such as names and credit card numbers was stolen from an employee of Henry Schein, Inc. Although the laptop was password protected, the data were not encrypted.

By letter dated July 16 to the New Hampshire Attorney General’s Office, Kristen J. Mathews of Proskauer Rose indicated that HSI, which distributes medical, dental, and veterinary supplies, was not even sure any customer data were on the laptop, writing “At this time HSI has no reason to believe that any personal information (if any was actually contained on the laptop) has been or will be accessed or misused.”

So how do you notify customers when you’re not even sure any customer data were on a stolen device? Is this a “if there were data, then it would have to be _________’s data” thing?

Whenever I read such reports, I always wonder why there was no backup that could tell them definitively whether there were PII on a stolen device and if so, whose. I also wonder why any customer data would be on the device since it seems logical (to me, anyway) that the employee wasn’t working with the data or at the very least, hadn’t worked with it for a long enough time that s/he could no longer remember or be sure what was on the laptop. So far, I haven’t come up with any good answers, but maybe there is a scenario that I haven’t considered. [Rampant stupidity? Bob]
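Both items above come down to the same gap: nobody could say which records were on the lost disk or the stolen laptop. An added example (not from databreaches.net, HSBC or Henry Schein) of the evidence that closes it: a Python script that walks a directory, hashes each file and counts hits for the data classes these stories mention (US SSNs, Luhn-valid card numbers, UK National Insurance numbers), producing a manifest that can be shipped to a central store. Run on a schedule, the manifest answers "was there PII on it, and whose" after the device is gone. The regexes, the sample files and the directory layout are constructed for the demo.

```python
import hashlib
import json
import os
import re
import tempfile
from datetime import datetime, timezone

# Heuristic patterns for the data classes in the two stories above.
# Treat hits as triage leads; review them before calling a file "PII".
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# UK National Insurance number: two letters (restricted set), six digits, suffix A-D.
NINO_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Count likely SSNs, Luhn-valid card numbers and NI numbers in a text blob."""
    cards = [m.group() for m in CARD_RE.finditer(text)]
    cards = [c for c in cards if luhn_ok(re.sub(r"[ -]", "", c))]
    return {"ssn": len(SSN_RE.findall(text)), "card": len(cards), "nino": len(NINO_RE.findall(text))}


def scan_tree(root: str, max_bytes: int = 5_000_000) -> dict:
    """Hash every file under root and record its PII counts; this is the manifest."""
    files = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: skipped, not silently counted as clean
            hits = find_pii(data.decode("utf-8", errors="ignore"))
            files.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "sha256": hashlib.sha256(data).hexdigest(),
                "bytes": len(data),
                "pii": hits,
                "has_pii": any(hits.values()),
            })
    files.sort(key=lambda e: e["path"])
    return {"scanned_at": datetime.now(timezone.utc).isoformat(), "files": files}


# Constructed sample tree standing in for a user's home directory.
SAMPLE_FILES = {
    "customers.csv": "name,ssn,card\nJane Doe,078-05-1120,4111 1111 1111 1111\n",
    "pensions.txt": "scheme member AB123456C, joined 1998\n",
    "invoices.txt": "invoice 1234 5678 9012 3456 paid\n",  # 16 digits, fails Luhn
    "notes.txt": "meeting notes, nothing personal here\n",
}


def demo() -> dict:
    """Build the sample tree in a temp dir, scan it and return the manifest."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        manifest = scan_tree(root)
    return manifest


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The Luhn check is what keeps the card pattern from flagging every 16-digit invoice number; the SSN pattern still has a false-positive rate, so hits are triage, not proof. The manifest only tells you what was lost; full-disk encryption is what would have made the laptop story a non-event.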


(Related) If you don't have expertise in a niche area, ask the Internet. The first Comment provides a (free) answer. See how easy “knowing” can be?

http://tech.slashdot.org/story/09/07/21/218206/Best-Tools-For-Network-Inventory-Management?from=rss

Best Tools For Network Inventory Management?

Posted by kdawson on Tuesday July 21, @05:51PM from the IPs-and-users-and-boxes-oh-my dept. networking

jra writes

"Once every month or so, people ask here about backups, network management, and so on, but one topic I don't see come up too often is network inventory management — machines, serial numbers, license keys, user assignments, IP addresses, and the like. This level of tracking is starting to get out of hand in my facility as we approach 100 workstations and 40 servers, and I'm looking for something to automate it.



Hope for the “Privacy/Security Challenged?” (It is possible some of my students are already sending me their research papers using this tool...)

http://it.slashdot.org/story/09/07/21/1522255/Vanish-Makes-Sensitive-Data-Self-Destruct?from=rss

'Vanish' Makes Sensitive Data Self-Destruct

Posted by Soulskill on Tuesday July 21, @12:14PM from the also-doesn't-appear-to-be-a-fire-hazard dept. security encryption

Hugh Pickens writes

"The NY Times reports on new software called 'Vanish,' developed by computer scientists at the University of Washington, which makes sensitive electronic messages 'self destruct' after a certain period of time. The researchers say they have struck upon a unique approach that relies on 'shattering' an encryption key that is held by neither party in an e-mail exchange, but is widely scattered across a peer-to-peer file sharing system. 'Our goal was really to come up with a system where, through a property of nature, the message, or the data, disappears,' says Amit Levy, who helped create Vanish. It has been released as a free, open-source tool that works with Firefox. To use Vanish, both the sender and the recipient must have installed the tool. The sender then highlights any sensitive text entered into the browser and presses the 'Vanish' button. The tool encrypts the information with a key unknown even to the sender. That text can be read, for a limited time only, when the recipient highlights the text and presses the 'Vanish' button to unscramble it. After eight hours, the message will be impossible to unscramble and will remain gibberish forever. Tadayoshi Kohno says Vanish makes it possible to control the 'lifetime' of any type of data stored in the cloud, including information on Facebook, Google documents or blogs."



Interesting approach. If the same information is available for the other state laws, we have the basis for a quick (and useful?) article.

http://www.databreaches.net/?p=6335

FAQ on Nevada’s Security of Personal Information Law (NRS 603A)

July 21, 2009 by admin Filed under Breach Laws, Legislation, State/Local

InfoSecCompliance (“ISC”) was recently asked by a prospective client to provide a summary of Nevada’s Security of Personal Information law (NRS 603A) and a recent amendment to the Security Law that incorporated the Payment Card Industry Data Security Standard (“PCI”). ISC decided to try something new and create a Frequently Asked Questions document around the PCI requirements contained in the Security Law. For better or worse (after sinking in 15 - 20 hours) ISC ended up doing FAQs for the entire Nevada Security Law. This turned out to be a much bigger work than originally anticipated, so ISC is going to do a five-part blog post series breaking down the Nevada Security Law into (hopefully) digestible parts.

This FAQ is broken down into six sections that will be posted over five posts over the next week or so. The postings will be broken down as follows:

Post One: The Basics of Nevada’s Security Law and Destruction of Records

Post Two: Security Breach Notice

Post Three: Required Security Measures

Post Four: Encryption and PCI Compliance

Post Five: Remedies, Penalties and Enforcement

Check the site for updates when the posts become available. Post One is available now.


(Related)

http://www.databreaches.net/?p=6358

Nevada’s Security of Personal Information Law Post Two: The Breach Notice Requirements

July 22, 2009 by admin Filed under Breach Laws, State/Local

From the FAQ provided by InfoSecCompliance:

What triggers the security breach notice obligations under the Security Law?

In order for the breach notice requirements to be triggered under the Security Law two general events must occur (with some sub-requirements discussed further below). First, there must have been a “breach of the security of the system data” discovered by a data collector or notified to a data collector. Second, “personal information” must have actually been acquired by an unauthorized person, or was “reasonably believed to have been acquired” by an unauthorized person.

Read more.


(Related) Perhaps not as detailed as the previous articles, but with some new ideas. Perhaps we need a website that analyzes new and modified laws to see how they are evolving. Provide a similar analysis of the breaches (what are the crooks doing) and it might allow legislatures to understand the issues. (Not that most politicians can actually read.)

http://www.databreaches.net/?p=6325

Missouri data breach notification law goes into effect soon

July 21, 2009 by admin Filed under Breach Laws, Legislation, State/Local

Perkins Coie has provided a short synopsis of key requirements of Missouri’s new data breach notification law, which goes into effect on August 28, 2009.

….. In addition to the more common elements of first name or initial and last name in combination with unencrypted Social Security Number, driver’s license number, financial account number, or credit or debit card number, the statute also includes in the definition of personal information first name or initial and last name in combination with an unencrypted:

  • Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;

  • Medical information, which includes any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; and

  • Health insurance information, which includes an individual’s health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual.

Other provisions of interest:

  • If an entity must notify more than 1000 residents, it must notify the Missouri Attorney General’s office and the nationwide consumer reporting agencies of the breach.

  • Civil penalties for violating the statute may reach up to $150,000 per breach of the security of the system.

The full text of the bill can be found at: http://www.house.mo.gov/billtracking/bills091/biltxt/truly/HB0062T.HTM.

Perkins Coie’s chart summarizing all of the states’ data breach notification laws can be found at: http://www.perkinscoie.com/statebreachchart/.

Source: Perkins Coie blog, Digestible Law.



Interesting that Iran only needs 3 months of data, but the US and the EU want several years.

http://www.pogowasright.org/?p=2052

Iran implements Internet data retention law

July 21, 2009 by Dissent Filed under Govt, Internet, Legislation, Non-U.S., Surveillance

Iranian President Mahmoud Ahmadinejad has implemented a law requiring the country’s Internet service providers to retain records of users’ incoming and outgoing data for at least three months, according to a Monday report by the state-run PressTV news agency. The government said the law is designed to help catch those who illegally steal others’ personal information from the Internet, and that the data would only be monitored under court order or in the interest of national security. [Riiight... Bob] Critics argue that the law will enable the government to monitor and censor the internet use [Al Jazeera report] of reporters and political dissidents, whose blogging and use of social networking websites have thus far been able to evade press restrictions.

Read more on JURIST.



Strategy: First start with someone who does not evoke sympathy. Then you have precedent to extend your program to everyone. “We've been doing this for years!”

http://www.pogowasright.org/?p=2055

Porn actress says state intruded on privacy

July 21, 2009 by Dissent Filed under Breaches, Court, Featured Headlines, Govt, U.S.

A porn film actress whose positive HIV test made news in June claims [pdf] state health officials violated her rights by demanding her medical records. Filing her complaint under the name “Patient Zero,” the woman sued California OSHA and the Adult Industry Medical Healthcare Foundation.

Zero claims that after she tested positive for HIV, the California Division of Occupational Safety and Health subpoenaed her health care provider for her records and personal information, in violation of her right to privacy.

She says that in June the Adult Industry Medical Healthcare Foundation (AIM), which provides health care to sex workers, told her she had preliminarily tested positive for HIV. She says the Foundation quarantined her and everyone known to have had sexual contact with her, and reported her case to the Los Angeles County Department of Public Health.

Cal/OSHA then conducted a surprise inspection of AIM and demanded the medical records of HIV patients, including Patient Zero, but AIM staff refused, she says.

After the inspection, she says, her attorney learned that Cal/OSHA was meeting with the medical facility’s staff to try to get the records of patients with HIV.

Read more on Courthouse News.



Does this mean I'll have to defend my patent on “A device to measure thermodynamic changes in body temperature as a diagnostic tool”? And won't be able to sue anyone who uses a thermometer?

http://yro.slashdot.org/story/09/07/21/1646216/Doctors-Fight-Patent-On-Medical-Knowledge?from=rss

Doctors Fight Patent On Medical Knowledge

Posted by kdawson on Tuesday July 21, @02:20PM from the no-not-patent-medicine dept. patents medicine

I Don't Believe in Imaginary Property writes

"Doctor's groups, including the AMA and too many others to list, are supporting the Mayo Clinic in the case Prometheus v. Mayo. The Mayo Clinic alleges that the patents in question merely recite a natural phenomenon: the simple fact that the level of metabolites of a drug in a person's body can tell you how a patient is responding to that drug. The particular metabolites in this case are those of thiopurine drugs and the tests are covered by Prometheus Lab's 6,355,623 and 6,680,302 patents. But these aren't the only 'observational' patents in medicine — they're part of a trend where patents are sought to cover any test using the fact that gene XYZ is an indicator for some disease, or that certain chemicals in a blood sample indicate something about a patient's condition. There are even allegations that certain labs have gone so far as to send blood samples to a university lab, order testing for patented indicators, then sue that university for infringement. Naturally, Prometheus Labs sees this whole story differently, arguing that the Mayo Clinic will profit from treating patients with knowledge patented by them.

They have their own supporters, too, such as the American Intellectual Property Law Association." Prometheus doesn't seem to be a classic patent troll; they actually perform the tests for which they have obtained patents.



Could they do this for other professions? Law, Medicine, Hacking?

http://www.wired.com/wiredscience/2009/07/wikipedia-training-scientists-on-wiki-culture/

Wikipedia Teaches NIH Scientists Wiki Culture

By Alexis Madrigal, July 21, 2009 | 1:03 pm



Adopt/Expand/Extend the business model

http://tech.slashdot.org/story/09/07/21/2026200/Applying-a-Music-Business-Model-To-a-Blog?from=rss

Applying a Music Business Model To a Blog

Posted by kdawson on Tuesday July 21, @05:07PM from the try-anything dept. internet business

An anonymous reader writes

"Many of you may be familiar with Mike Masnick, from the site Techdirt. Beyond just chronicling tech stories for years, he's also been following various music and media industry business models as well. While he's usually among the first (like Slashdot) to express dismay at silly activities from the recording industry, lately he's been cataloging numerous success stories, like business models from Trent Reznor, Amanda Palmer, and Josh Freese. Mike and Techdirt are now taking things a step further, and wondering what would happen if they took the lessons from those success stories and applied it to a media publication: their own Techdirt. The result is 'Connect with Fans + Reason to Buy.' Check out the very special offer for the RIAA."



God Bless Open Source! Business model: Put together all the hardware in a kit, sell grain & hops, sponsor contests and annual conventions, drink lots of free beer!

http://www.wired.com/beyond_the_beyond/2009/07/open-source-arduino-robot-beer-brewery/

Open-Source Arduino Robot Beer Brewery

By Bruce Sterling, July 21, 2009 4:37 am

You may have noticed that I’m something of a skeptic about small-scale urban agriculture interventions. But this one? This is different. ‘Cause it’s beer! Small-scale stills and illicit breweries have a history that is literally as long as the invention of alcohol, tobacco and firearms laws! A revenuer-unfriendly gizmo like this has got proven legs!

So the basic scheme of this device is: you read the instructions, get the hardware, wire it together, plug it in, dump in some grain, walk away and there’s beer later. Who can’t like that? It’s like having your own cool radio-controlled surveillance blimp, except you’re drunk!



Students: If you are going to steal (we call it plagiarism), be sure you can get past these five (and the ones we don't tell you about).

http://www.makeuseof.com/tag/article-checkers-5-free-websites-to-catch-the-copycats/

Plagiarism Checkers: 5 Free Websites To Catch The Copycats

Jul. 21st, 2009 By Saikat Basu



1) Find a teacher you don't like. 2) Send all of his/her students a link to this site with the suggestion they form an orchestra. 3) Stand outside the computer lab and enjoy the fun!

http://www.makeuseof.com/dir/virtualkeyboard-play-virtual-instruments-online/

VirtualKeyboard: Play Virtual Instruments Online

VirtualKeyboard is another fun web application for the times when you are bored. It provides you with a virtual keyboard to play 9 different instruments online.

Simply choose your instrument from Piano, Organ, Saxophone, Flute, Pan Pipes, Strings, Guitar, Steel Drums or Double Bass, and start playing. All the keys are labeled so it is easier for beginners to learn. If you are not a big fan of clicking each key with the mouse, you can use your keyboard instead.

www.bgfl.org
