Interesting. Does the FTC have a procedure for finding these disconnects or do they rely on the occasional “pop up” to determine who they go after? Since they are ignoring hundreds of similar situations, I suspect the latter...
Note too, this is a case of BYOT coming back to bite the organization...
FTC Finalizes Settlements with Two Businesses that Exposed Consumers’ Sensitive Information Over P2P Networks
October 27, 2012 by Dissent
From the FTC:
Following a public comment period, the Federal Trade Commission has accepted as final settlements with two operations it charged with illegally exposing the sensitive personal information of thousands of consumers by allowing peer-to-peer file-sharing software to be installed on their corporate computer systems. Settlements with Utah-based debt collector EPN, Inc., and Georgia auto dealer Franklin Budget Car Sales, Inc., will bar misrepresentations about the privacy, security, confidentiality, and integrity of any personal information collected from consumers. Both companies also must establish and maintain comprehensive information security programs.
Franklin Budget Car Sales also dba Franklin Toyota/Scion and Franklin Toyota. According to the complaint, as a result of Franklin’s failure to implement adequate privacy and security policies and practices:
customers’ personal information was accessed and disclosed on peer-to-peer (“P2P”) networks by a P2P application installed on a computer that was connected to respondent’s computer network. Information for approximately 95,000 consumers, including, but not limited to, names, Social Security numbers, addresses, dates of birth, and drivers’ license numbers (“customer files”) was made available on a P2P network. Such information can easily be misused to commit identity theft and fraud.
Debt collection business EPN also dba Checknet, Inc., and their clients include hospitals and medical providers. In their case, the complaint alleges that as a result of their failure to implement adequate security policies and practices:
EPN’s chief operating officer was able to install a P2P application on her desktop computer, which was connected to EPN’s computer network. Respondent is unaware of the date the application was installed; it was disabled in April 2008 when EPN was informed by a client that two files containing personal information about the client’s debtors were available on a P2P network (“breached files”). EPN had no business need for the P2P application. [But this falls under the BYOT trend... Bob]
The breached files contained personal information about approximately 3,800 consumers, including each consumer’s name, address, date of birth, Social Security number, employer name, employer address, health insurance number, and a diagnosis code. Such information, among other things, can easily be used to facilitate identity theft (which also could result in medical histories that are inaccurate because they include the medical records of identity thieves) and exposes sensitive medical data.
The affected hospital was not named in the complaint, and there is no entry in HHS’s breach tool that appears to correspond to this breach.
Significantly, I do not see any allegations that the breaches or exposure actually resulted in ID theft or harm to consumers, but the potential for harm was certainly there and the FTC took the position that these were unfair business practices under the FTC Act. The message, again, is that if you have boilerplate policies that assure consumers of privacy and data security, you’d better live up to them. And if you don’t have policies and practices in place that conform to requirements for annual privacy notices and assessments, etc., you’d better put them in place.
In both cases, the businesses were put under 20-year monitoring and reporting plans but, consistent with the law and available remedies, there is no monetary fine (FTC cannot fine entities for first offenses). The consent decrees also contain no admission of guilt or wrong-doing.
Related Files:
In the Matter of Franklin’s Budget Car Sales, Inc., also doing business as Franklin Toyota/Scion
FTC File No. 102 3094
In the Matter of EPN, Inc., also doing business as Checknet, Inc.
FTC File No. 112 3143
Do you tie your security budget to revenue or to risk?
"As budgets are pinched by reduced tax collection, many U.S. states are facing a possibility of not being able to handle the ever-increasing number of data breaches. 70% of state chief information security officers (CISOs) reported a data breach this year, each of which can cost up to $5M in some states. 'Cybersecurity accounts for about 1 to 2 percent of the overall IT budget in state agencies. ... 82 percent of the state CISOs point to phishing and pharming as the top threats to their agencies, a threat they say will continue in 2013, followed by social engineering, increasingly sophisticated malware threats, and mobile devices.' The full 2012 Deloitte-National Association of State Chief Information Officers (NASCIO) Cybersecurity Study is available online (PDF)."
I'll keep repeating this, even if it seems repetitious and redundant, because somewhere there is a manager who will say, “Nobody told me!”
"CoDeSys, a piece of software running on industrial control systems from hundreds of vendors, has been revealed to be easily hackable by security researchers, giving rise to a scenario where computer hacking could cross the line into the physical world. Worse, many of these systems are unnecessarily connected to the Internet, which is a terrible, terrible idea."
A growing concern...
"Last year a Slashdot story mentioned the case of Daniel David Rigmaiden, or 'the Hacker.' With the help of an IMSI-catcher device, law enforcement had been able to locate and arrest the elusive 'Hacker,' leading to U.S. v. Rigmaiden. But far more elusive than the 'Hacker,' is the IMSI-catcher device itself — particularly the legalities governing its use. The secrecy and unconstitutionality of these Man In The Middle devices, i.e. 'stingrays,' has caught some attention. The EFF and ACLU have submitted an amicus brief in the Rigmaiden case; and EPIC, after filing an FOIA request in February and receiving a grossly redacted 67 out of 25,000 (6,000 classified) pages on the "stingray" devices, has now requested a district judge expedite disclosure of all documents. Some Judges also seem wary of the 'stingray,' having expressed concerns that their use violates the Fourth Amendment; and additionally, that information explaining how the technology is used remains too obscure. Perhaps the most controversial aspect of IMSI-catchers is their several-kilometer range. When a "stingray" is used to spoof a cellphone tower, thousands of innocent users may be collaterally involved. And while the government claims to delete all gathered data unrelated to the target, it also means no one else can know what that data really was. The government claims that because only attributes of calls — but not their content — are captured in the attack, search warrants aren't necessary." (More, below.)
Penurious Penguin continues, "The use of a pen-register (outgoing) and trap & trace (incoming) device, requires little more than a mewl of penal curiosity before a court, and no warrant or follow-up on the case is needed. The pen/trap seems unwieldy enough, as the EFF explains:
"Most worrisome, we've heard some reports of the government using pen/trap taps to intercept content that should require a wiretap order: specifically, the content of SMS text messages, as well as "post-cut-through dialed digits" (digits you dial after your call is connected, like your banking PIN number, your prescription refill numbers, or your vote for American Idol). intercept information about your Internet communications as well."
Precisely what data these "stingrays" collect will hopefully be soon revealed through such efforts as those of EPIC. It should be noted that the Stingray is one of multiple devices with the same application. The Stingray and several others are trademarks of the Harris Corporation. Some are quite pricey ($75,000), and others are, as mentioned last year by a Slashdot reader, peculiarly affordable — and available. For a more comprehensive overview of the subject, see this Wall Street Journal article."
An interesting question. After you blow the whistle, how do you ensure the “fix” goes beyond a cosmetic patch to keep you quiet? No clear direction from the Comments, yet.
"A few months ago I stumbled across an interesting security hole with my webhost. I was able to access any file on the server, including those of other users. When I called the company, they immediately contacted the server team and said they would fix the problem that day. Since all you need when calling them is your username, and I was able to list out all 500 usernames on the server, this was rather a large security breach. To their credit, they did patch the server. It wasn't a perfect fix, but close enough that moving to a new web host was moved down on my list of priorities. Jump ahead to this week: they experienced server issues, and I asked to be moved to a different server. Once it was done, the first thing I did was run my test script, and I was able to list out everyone's files again. The hosting company only applied the patch to the old server. I'm now moving off this web host altogether. However, I do fear for the thousands of customers that have no clue about this security issue. With about 10 minutes of coding, someone could search for the SQL connection string and grab the username/password required to access their hosting account. What's the best way to handle this type of situation?"
I fail to see the logic in lots of “Labor Law” (Unless you recall organized crime's close connection)
NC: Court exempts union bosses from laws against identity theft
October 27, 2012 by Dissent
Mark Mix, President of National Right to Work, has an OpEd in the Washington Examiner that is somewhat disturbing, because even allowing for bias, if two courts really ruled that unions can get away with posting workers’ Social Security numbers online or disseminating SSN, that’s just plain unhelpful on so many levels.
Mark writes, in part:
both the trial court and the North Carolina Court of Appeals found that the unions are entitled to a special exemption from being penalized for revealing employees’ personal information. Both courts ruled that such trampling of employee rights is an activity that can be covered only by the National Labor Relations Act, or NLRA, and consequently may not be punished by state authorities.
Imagine that. North Carolina’s courts have held that federal labor law pre-empts a completely unrelated state identity theft law, even though the U.S. Supreme Court has long held that a state retains jurisdiction where the conduct to be regulated touches deeply rooted local interests.
In a last ditch effort to help these workers seek justice, National Right to Work Foundation staff attorneys appealed the case to the U.S. Supreme Court, but the court announced earlier this month that it will not hear the case.
Read more on Washington Examiner.
Is there any question why this is causing a flap in New Zealand? If so, note that this article links to related articles that appear almost daily...
Police got Dotcom’s bank details without a warrant
October 27, 2012 by Dissent
David Fisher reports:
Police got personal banking details of Kim Dotcom and his staff without getting a search warrant in a move that has implications for bank customers.
Banks, including the ANZ, BNZ and Westpac, turned the information over after deciding there was no Privacy Act reason not to.
The police request referred the banks to a Privacy Act principle which allowed them to release information to “avoid prejudice to the maintenance of the law by any public sector agency including the prevention, detection, investigation, prosecution, and punishment of offences”.
The mechanism led to banks releasing – without a legal warrant – the name of the account holder, the account number and home address.
Read more on New Zealand Herald.
[From the article:
Dotcom was charged with money-laundering when arrested - the only charge he faces on which he can be extradited. Criminal copyright violation charges are not serious enough for extradition. If they are dismissed, then the money laundering charge also collapses.
Assistant Privacy Commissioner Katrine Evans said it was up to agencies asked for information to form a "reasonable belief".
"They need to make their own judgment calls but simply because the request comes from the police isn't necessarily enough."
She said police needed to specify a reason - and general descriptions of "money laundering" could be enough.
Perspective Back when I was a kid, we couldn't count that high...
"Last night, the Internet Archive threw a party; hundreds of Internet Archive supporters, volunteers, and staff celebrated that the site had passed the 10,000,000,000,000,000 byte mark for archiving the Internet. As the non-profit digital library, known for its Wayback Machine service, points out, the organization has thus now saved 10 petabytes of cultural material."
The announcement coincided with the release of an 80-terabyte dataset for researchers and, for the first time, the complete literature of a people: the Balinese.
For my Data Mining and Data Analytics students... I'll just mention one... (Okay, one and a half)
Big Data Right Now: Five Trendy Open Source Technologies
Big Data is on every CIO’s mind this quarter, and for good reason. Companies will have spent $4.3 billion on Big Data technologies by the end of 2012.
But here’s where it gets interesting. Those initial investments will in turn trigger a domino effect of upgrades and new initiatives that are valued at $34 billion for 2013, per Gartner. Over a 5 year period, spend is estimated at $232 billion.
… R [ http://www.r-project.org/ ] is an open source statistical programming language. It is incredibly powerful. Over two million (and counting) analysts use R. It’s been around since 1997 if you can believe it. It is a modern version of the S language for statistical computing that originally came out of the Bell Labs. Today, R is quickly becoming the new standard for statistics.
… To keep an eye on: Julia is an interesting and growing alternative to R, because it combats R’s notoriously slow language interpreter problem.
I'm looking for a “Music to take tests by” channel...
The first thing you should know about SomaFM is that it’s free. There are no commercials or ads, it is supported by donations from loyal listeners, and it streams hand-picked music 24/7.
This is interesting. Think I'll print up a few hundred and pass them to students and faculty...