http://www.databreaches.net/?p=11638
Laptop stolen from VA contractor contains veterans’ personal data
May 13, 2010 by admin
Bob Brewin reports on a breach that I don’t think we knew about here:
A laptop belonging to a contractor working for the Veterans Affairs Department was stolen earlier this year and the personal data on hundreds of veterans stored on the computer was not encrypted, a violation of a VA information technology policy, said the top-ranking Republican on the House Veterans Affairs Committee.
The VA reported the theft of the laptop from an unidentified contractor to the committee on April 28 and informed members the computer contained personally identifiable information on 644 veterans, including data from some VA medical centers’ records, according to a letter Rep. Steve Buyer, R-Ind., sent to VA Secretary Eric Shinseki.
The VA declined to identify the contractor:
The laptop was stolen from a contractor employee’s car on April 22, and she notified local police within 10 minutes, said Roger Baker, chief information officer at VA, in an interview. Although the vendor had certified to VA that it had encrypted laptops that stored department data, Baker confirmed the data on the stolen laptop was unencrypted.
The vendor, who Baker declined to identify because he said it would make it more difficult for contractors to report future data breaches if they knew their name would be made public, reported the theft to VA on April 23. [“We can't think of any other way to get their cooperation.” Bob]
So contractors for entities covered by HIPAA/HITECH have their names made public by HHS but the VA decides it can withhold the contractor’s identity? If that laptop contained any unprotected health information on the veterans (and the laptop had access to medical center data), then the contractor *will* be publicly identified on OCR’s site (unless it’s a “private practice” contractor), as over 500 individuals were affected. In any event, I firmly believe that all contractors who leave laptops with unencrypted PII or PHI in a vehicle for stealing should be publicly named, at the very least.
But the news is even worse:
After learning about the unencrypted laptop, Buyer investigated how many VA contractors might not be complying with the encryption requirement and learned that 578 vendors had refused to sign new contract clauses that required them to encrypt veteran data on their computers, an apparent violation of rules.
Buyer told Shinseki that the vendor had 69 contracts in more than half of the department’s 21 regional medical networks operated by the Veterans Health Administration, and 25 of those contracts, more than a third, did not have a clause that required data be encrypted.
Note that it’s not totally clear to me whether the vendor with 69 contracts is the same contractor that had the laptop stolen with 644 veterans’ info on it. Representative Buyer’s letter indicates that there were two breaches in Texas in the past two weeks and he prefaces the comments about the vendor with 69 contracts saying, “The most current breach involved a service disabled veteran owned business that had an unencrypted laptop stolen.” Was this the same laptop theft or the second one? It may be the second one alluded to. It really would help if they would name the vendors!
Read the full news coverage on Nextgov.
(Related) Just in case you thought it was an isolated incident.
http://www.databreaches.net/?p=11630
Stolen Laptop Exposes Personal Data on 207,000 Army Reservists
May 13, 2010 by admin
Brian Krebs reports:
A laptop stolen from a government contractor last month contained names, addresses and Social Security numbers of more than 207,000 U.S. Army reservists, Krebsonsecurity.com has learned.
The U.S. Army Reserve Command began alerting affected reservists on May 7 via e-mail. Col. Jonathan Dahms, chief public affairs for the Army Reserve, said the personal data was contained on a CD-ROM in a laptop that was stolen from the Morrow, Ga. offices of Serco Inc., a government contractor based in Reston, Va.
Read more on KrebsOnSecurity.com
(Related) It remains to be seen if this type of legislation would “cure” the problem.
http://www.databreaches.net/?p=11628
Application of New Massachusetts Data Security Regulations to Out-of-State Businesses
May 13, 2010 by admin
Amy Crafts writes:
Massachusetts’s new data security regulations, effective as of March 1, 2010, currently set forth the country’s most stringent requirements for protecting data. Extending beyond what is required by other states, Massachusetts specifies that, for example, covered entities must implement a written information security program and must encrypt personal information that will be transmitted over the Internet, or that is kept on laptops and other portable devices. Massachusetts regulators and enforcement agencies would likely make the following three arguments that out-of-state entities must also comply with the new regulations….
Read more on Proskauer Privacy Law Blog.
[From the article:
First, Massachusetts would likely argue that, in order to determine whether an entity is subject to the regulations, the threshold inquiry involves an assessment of information owned or licensed by the entity – not an assessment of where that entity is located.
Second, based on discussions that occurred before the regulations went into effect, it is safe to expect that Massachusetts regulators will assert the right to enforce the regulations against out-of-state entities.
Third, Massachusetts would likely argue that owning or licensing personal information is sufficient for jurisdictional purposes.
The UK is changing (publicly). We'll see how much is “fulfilling campaign promises” and how much is real policy.
http://www.pogowasright.org/?p=10128
Coalition government to roll back privacy and civil liberties intrusions
May 13, 2010 by Dissent
The U.K.’s new coalition government has issued a statement of agreement on some key issues. What is sure to warm the cockles of privacy advocates’ hearts, here’s the section on civil liberties:
The parties agree to implement a full programme of measures to reverse the substantial erosion of civil liberties under the Labour Government and roll back state intrusion.
This will include:
A Freedom or Great Repeal Bill.
The scrapping of the ID card scheme, the National Identity register, the next generation of biometric passports and the Contact Point Database.
Outlawing the finger-printing of children at school without parental permission.
The extension of the scope of the Freedom of Information Act to provide greater transparency.
Adopting the protections of the Scottish model for the DNA database.
The protection of historic freedoms through the defence of trial by jury.
The restoration of rights to non-violent protest.
The review of libel laws to protect freedom of speech.
Safeguards against the misuse of anti-terrorism legislation.
Further regulation of CCTV.
Ending of storage of internet and email records without good reason.
A new mechanism to prevent the proliferation of unnecessary new criminal offences.
Out-Law.com has a discussion of the agreement.
Probably, if you haven't been using Facebook for months, it's too late.
How Facebook And Twitter Are Changing Business Models, Shaping Brand Identity [Video]
by Evelyn Rusli on May 13, 2010
… The keynote speaker, Jeremiah Owyang, a Partner of the Altimeter Group, offered four laws of social business: don’t fondle the hammer (don’t focus on the specific tools, think about your broader marketing agenda), live the 80% rule (get your company ready for social media, that’s “80% of success”), customers don’t care what department you’re in, and real time is not fast enough. You can access Owyang’s presentation, along with all the other Smash presentations, here.
(Related) The NYT graphic showing how simple it is to manage your privacy on Facebook.
http://www.nytimes.com/interactive/2010/05/12/business/facebook-privacy.html
Facebook Privacy: A Bewildering Tangle of Options
To manage your privacy on Facebook, you will need to navigate through 50 settings with more than 170 options.
(Related)
http://www.pcworld.com/article/196212/kill_your_facebook_page_backlash_gains_speed.html
"Kill Your Facebook Page" Backlash Gains Speed
Calls for people to delete their Facebook accounts are gathering momentum. Critics cite privacy concerns and plummeting trust in the company and its leader, Mark Zuckerberg.
This should never happen in a modern (designed from the ground up) datacenter.
Car Hits Utility Pole, Takes Out EC2 Datacenter
Posted by timothy on Thursday May 13, @10:47PM
1sockchuck writes
"An Amazon cloud computing data center lost power Tuesday when a vehicle struck a nearby utility pole. When utility power was lost, a transfer switch in the data center failed to properly manage the shift to backup power. Amazon said a "small number" of EC2 customers lost service for about an hour, but the downtime followed three power outages last week at data centers supporting EC2 customers. Tuesday's incident is reminiscent of a 2007 outage at a Dallas data center when a truck crash took out a power transformer."
AH! I've been looking for a Mid Term Exam for my Hacking class. It will be even more fun when we attach a WiFi remote...
Hacking Automotive Systems
Posted by kdawson on Friday May 14, @08:55AM
alphadogg writes
"University researchers have taken a close look at the computer systems used to run today's cars and discovered new ways to hack into them, sometimes with frightening results. In a paper set to be presented at a security conference in Oakland, California, next week, the researchers say that by connecting to a standard diagnostic computer port included in late-model cars, they were able to do some nasty things, such as turning off the brakes, changing the speedometer reading, blasting hot air or music on the radio, and locking passengers in the car. The point of the research isn't to scare a nation of drivers, already made nervous by stories of software glitches, faulty brakes, and massive automotive recalls. It's to warn the car industry that it needs to keep security in mind as it develops more sophisticated automotive computer systems. Other experts describe the real-world risk of any of the described attacks as low."
Here is the researchers' site, and an image that could stand as a summary of the work.
For my website students
http://www.makeuseof.com/dir/cssdesk-css-sandbox
CSSDesk: Simple Online CSS Sandbox Tool
Working with CSS on your webpage can be quite tricky, especially if you have to sort through a lot of code. Fortunately, CSSDesk is a handy CSS sandbox that lets you put in HTML and CSS code and view the preview instantly. It is very useful for testing out code before implementing it in your website permanently.
Similar Tools: CleanCSS, CSSColorEditor, and StyleNeat.
Not just for Math teachers...
http://www.ted.com/talks/dan_meyer_math_curriculum_makeover.html
Dan Meyer: Math class needs a makeover
Yesterday I posted an article about MS Word template sites. These are Open Office, but the two are compatible...
http://www.makeuseof.com/tag/free-open-office-templates-productive/
Useful Free Open Office Templates To Make You More Productive
If you need inspiration or want to produce a specific kind of document, never fear! Their free user-created Open Office templates are awesome, and can save you lots of time and money!
Education
Educators will find many of the OOO templates quite handy! Instead of purchasing expensive software or trying to create a tool on your own, you can instead peruse their repository of templates.