I normally skip small ones like this, but on occasion I like to remind you that dumb still exists in the security/privacy arena. What was an employee doing storing (unencrypted?) backup files in his car?

By Dissent, August 28, 2012
Jill Disis reports:

Information on 55,000 patients and employees at an Indianapolis-based cancer center practice is missing.

A spokesman for Cancer Care Group, 6100 W. 96th St., confirmed today that someone stole a computer bag belonging to a Cancer Care Group employee on July 19.

The bag contained information such as names, birth dates, social security numbers, insurance information and addresses.

Read more on IndyStar.
At the time of this posting, the incident is not up on HHS’s breach tool. An article in the Indianapolis Business Journal states that the bag was stolen from an employee’s locked, but unattended vehicle. According to the group’s statement:

The bag contained the “Cancer Care Group’s computer server’s back-up media, which contained some patient demographic information, such as name, address, date of birth, Social Security number, medical record number, insurance information, and/or minimal clinical information used for billing purposes only,” the group said.

The bag also reportedly contained similar information about the group’s employees.
(Related) I suppose it could be worse... This is a BYOD organization.

Dakota County medical examiner investigator’s laptop stolen

August 28, 2012 by admin

Sarah Homer reports:

A computer containing photographs of crime scenes and dead bodies was stolen earlier this month from a medical examiner investigator, according to Roseville police.

The personal Toshiba laptop belongs to 25-year-old Navid Amini, a medical examiner investigator for Regina Medical Center, home to the Minnesota Regional Medical Examiner’s Office, which conducts medical examinations in Dakota, Chisago and Goodhue counties.

It was stolen from Amini’s Toyota Rav4 when his car was parked in Roseville’s Central Park parking lot Aug. 8, according to Roseville Police Lt. Lorne Rosand. The laptop is not password protected, Rosand said. [No encryption either Bob]

Read more on Pioneer Press.
[From the article:

The investigators use personal computers to do their work, she said, adding that as far as she knows, Regina Medical Center has no policy in place that mandates that employees secure their computers with passwords.

"I would have thought everyone had a password on their personal computer but I don't know that there is a policy on that ... it certainly seems like a good idea, though," Thomas said.

… In addition to lacking a password, Amini told police he did not have tracking software installed in his computer nor could it be remotely disabled.
It took a while, but was probably inevitable. The hack was last summer, wasn't it?

Second Ariz. man charged in Sony Pictures hack

August 28, 2012 by admin

Associated Press reports:

A second suspected member of the LulzSec hacking group was arrested Tuesday in Phoenix for his alleged role in a computer breach at Sony Pictures Entertainment last year, authorities said.

An indictment filed in Los Angeles and unsealed Tuesday charged Raynaldo Rivera, 20, of Tempe, Ariz., with one count each of conspiracy and unauthorized impairment of a protected computer.

Rivera was known as “Neuron” and “Royal.”

Read more on The Mercury News.

It might be fun to link this to the various laws...
Imation Compliance Heat Map

August 28, 2012 by admin

From Imation:

To help businesses and IT pros navigate the compliance landscape and develop secure and functional infrastructures for data storage and protection, Imation created a Compliance Heat Map to depict the strictness of data breach laws and resulting penalties for breaches by state. Based on first-hand experience working with companies that face compliance challenges, Imation evaluated laws on record at the state level in the 50 United States, the District of Columbia, Puerto Rico and the U.S. Virgin Islands, and reviewed publicly available analyses created by other companies to develop the Compliance Heat Map. The map graphic contains a grid that depicts each state’s compliance score and a color scale – which ranges from light yellow to dark red – to denote the strictness of each state’s compliance laws and regulations.

Download the full Compliance Heat Map for additional information.

Back in New Jersey, “lip service” consisted of grabbing a lower lip and pulling it up and over their head. This sounds like a big fine, but will it be as memorable? Might be worth a read...
Paying Lip Service to Privacy

August 29, 2012 by Dissent

Jeffrey Roman writes:

News of Google’s $22.5 million settlement with the Federal Trade Commission has come and gone, yet privacy issues reflected in the case remain a concern. Where are the gaps and how can companies fill them? Attorney Francoise Gilbert offers details.

“Many companies just pay lip service to privacy,” says Gilbert of the IT Law Group in an interview with Information Security Media Group’s Tom Field [transcript below]. “They have a privacy policy on their website because that’s what’s expected from them, but they don’t go beyond that.”

Two aspects of the Google case that fascinate Gilbert are that Google misrepresented its practices in its privacy policy, and the company misrepresented its compliance with the Self-Regulatory Code of Conduct of the Network Advertising Initiative.

Read more on BankInfoSecurity.

[From the article:

In an interview about the legal ramifications of the Google case, Gilbert discusses:

- The FTC's message in cracking down on Google;
- How organizations need to respond to this case;
- The important takeaways for privacy professionals.

The briefs sum up the argument reasonably well.
Can Magistrate Judges Deny Statutory Surveillance Orders Based on Prospective Fourth Amendment Concerns?

August 29, 2012 by Dissent

Orin Kerr writes:

On October 2, the Fifth Circuit will hold oral argument in case No. 11–20884, In Re Applications of the United States for Historical Cell-Site Data. In this case, the United States applied for a court order under the Stored Communications Act to compel cell phone providers to disclose location information about particular phones suspected in criminal investigations. The magistrate judge denied the applications on the ground that he expected that the orders would be executed in ways that will violate the Fourth Amendment. The government has appealed the denial of the orders, arguing that the orders will be executed in ways that comply with the Fourth Amendment. Although the government is the only party to the litigation, several amici have chimed in on the merits to defend the denial of the applications on the ground that the magistrate judge was right to fear that the orders would be implemented in ways that would violate the Fourth Amendment. You can read the various briefs here, and the government’s reply to the amicus briefs is here.

Read more on The Volokh Conspiracy.
For my Statistics students. No, this is not what I meant when I said Statistics is used in business! (But note that the probability is correct.)