Does “finding malware” set the bar for notification higher? This is really “an abundance of caution.” Where would you draw the line?
St. Mark’s Medical Center in LaGrange, Texas notified 2,988 patients of a breach. From their notice of December 31, 2012:
On November 15, 2012, we learned that on May 21, 2012, one of our employee’s computers had become infected with malware that appears to have been designed to look for personal information stored on the computer. We immediately began an investigation and engaged a computer forensic investigation firm to examine the computer. Although the firm could not rule out the possibility, they did not find any evidence to confirm that any unauthorized person removed the personal information stored on the computer. If an unauthorized person did gain access to files stored on the computer, they would have been able to view billing files that contained patient names, account numbers, medical record numbers, dates of birth, gender, Social Security numbers, treatment dates, insurance provider names, and account balances. No medical records were accessed in the incident.
How do you secure your computers?
"For the second time in a row, Microsoft's Security Essentials failed to earn certification from AV-Test, the independent German testing lab best known for evaluating the effectiveness of antivirus software. Out of 25 different security programs tested by AV-Test, including software from McAfee, Norman, Kaspersky, and others, Microsoft's Security Essentials was just one out of three that failed to gain certification. These results are noteworthy because Microsoft Security Essentials is currently (as of December) the most popular security suite in North America and the world."
Facebook, the phone company?
The Washington Post (among many others) reports on a development from Facebook that may excite many more users than does the much-hyped announcement about richer search capabilities: after launching a Canadian trial balloon not long ago, Facebook is expanding the reach of its free in-app VoIP communications with free voice calls via the company's smartphone app.
(Related) Frequent contributor Bennett Haselton writes with some strong cautions on a Facebook "feature" that lets you search for random phone numbers and find the accounts of users who have registered that number on their Facebook profile. This has privacy implications that are more serious than searching by email address.
Anonymous ain't?
By Dissent, January 18, 2013 8:38 am
Gina Kolata reports:
The genetic data posted online seemed perfectly anonymous — strings of billions of DNA letters from more than 1,000 people. But all it took was some clever sleuthing on the Web for a genetics researcher to identify five people he randomly selected from the study group. Not only that, he found their entire families, even though the relatives had no part in the study — identifying nearly 50 people.
Read more on The New York Times.
Hummm.
Translating from the Queen's English is confusing.
On January 9, I had some concerns about a U.K. injunction that blocked The Sun from publishing pictures of actress Kate Winslet’s husband. Now Mr. Justice Briggs’ written judgement is available online. The ruling provides a nice recap of the multi-prong test being applied by the court in trying to determine, and balance, an individual’s Article 8 rights against the press’s Article 10 rights.
One of the points that I thought Justice Briggs made well concerned what should happen when material has already been disclosed on Facebook. In this case, he held that even though the material had been viewed by people, it was not so widely available as to make it comparable to a situation in which commercial trade secrets, once widely disclosed, have lost their confidential nature. Additional reproduction or dissemination of photos to new groups would provide new opportunities for harm or embarrassment to the individual, and so preventing such future publication is appropriate when publication of the pictures is only to titillate the public or give them a chance to snigger at someone’s immature behavior.
See what you think of the ruling.
Mobile apps are caught in their “We can, therefore we must” logic.
Bob Sullivan reports:
The element of surprise causes hard feelings when it comes to privacy violations, and mobile phone apps are ambushing consumers far too often, according to researchers at Carnegie Mellon University.
Researchers at the school’s Human-Computer Interaction Institute studied both the data gathered by the 100 most popular programs in Google’s Android app store, and how surprised users were when told what the apps were doing. On Tuesday they released a list of the 10 worst offenders in terms of transparency.
Read more on The Red Tape Chronicles.
[The 10 worst offenders:
Brightest Flashlight (device ID, location)
Toss It game (device ID, location)
Angry Birds game (device ID, location)
Talking Tom virtual pet (device ID)
Backgrounds HD Wallpapers (device ID, contacts)
Dictionary.com (device ID, location)
Mouse Trap game (device ID)
Horoscope (device ID, location)
Shazam music (device ID, location)
Pandora Internet Radio (device ID, contacts)
(Related) How come my congressman never introduces privacy bills? How many technology generations behind is Congress?
A new draft bill published today aims to increase privacy for mobile app users.
Led by U.S. Rep. Hank Johnson (D-Ga.), the bill aims to legally require app developers to publicize how they gather information and also let users request deletion of their stored data.
Read more on CNET.
412 pages should cover it (if not we can use the report to crush it)
The IRISS (Increasing Resilience in Surveillance Societies) project, funded by the EC under the 7th Framework Programme, has just published a major 412-page report entitled Surveillance, Fighting Crime and Violence. The report analyses the factors underpinning the development and use of surveillance systems and technologies by both public authorities and private actors, their implications in fighting crime and terrorism, social and economic costs, protection and infringement of civil liberties, fundamental rights and ethical aspects.
The IRISS consortium has identified the following trends: (1) a substantial growth of public sector demand for surveillance bolstered by the adoption of identity schemes and terrorist detection technologies and markets, (2) an increase in the demand for civil and commercial surveillance, (3) the development of a global industry in surveillance, (4) an increase in integrated surveillance solutions, and (5) a rise in the government use of cross-border surveillance solutions.
Read more on IRISS Project.
(Related) This complicates their assurance that “everything is safe and private,” doesn't it?
"The Transportation Security Administration (TSA) has ended a contract with Rapiscan, a unit of OSI Systems Inc., manufacturer of about half of all of the controversial full-body scanners used on air passengers. TSA officials claim that Rapiscan failed to deliver software that would protect the privacy of passengers, but the contract termination happened immediately after the TSA finally got around to studying the health effects of the scanners, and Congress had a hearing on TSA's 'Scanner Shuffle'."
(Related) Just so we're clear...
TSA to Remove Naked-Image Scanners From US Airports
The Transportation Security Administration has announced that it will remove the controversial "naked image" body scanners from US airports because developers can't write software to make the images less revealing.
Excerpts from a very long post...
From their press release:
The U.S. Department of Health and Human Services (HHS) moved forward today to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.
… “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”
The Rulemaking announced today may be viewed in the Federal Register at https://www.federalregister.gov/public-inspection.
The rule is currently available only in .pdf format, and it’s a staggering 563 pp: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules
… Entities will need to perform a risk assessment that incorporates four factors: (1) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the protected health information or to whom the disclosure was made; (3) whether the protected health information was actually acquired or viewed; and (4) the extent to which the risk to the protected health information has been mitigated.
… In skimming, I also noticed that HHS estimates that, based on their experience, approximately 6.71 million individuals will be affected by the 19,000 breaches reported to HHS each year, which is, on average, roughly 353 affected individuals per breach.
I suppose it fits the “Safeguard and secure cyberspace” part of their mission.
"The Department of Homeland Security has taken charge of pushing medical device manufacturers to fix vulnerable medical software and devices after researchers popped yet another piece of hospital hardware. It comes after the agency pushed Philips to move to fix critical vulnerabilities found in its popular medical management platform that is used in a host of services including assisting surgeries and generating patient reports. To date, no agency has taken point on forcing the medical manufacturers to improve the information security profile of their products, with the FDA even dubbing such a risk unrealistic (PDF)."
Does this reduce the possibility of abuse?
"Congresswoman Zoe Lofgren proposes a change to the Computer Fraud and Abuse Act (CFAA) which would remove the felony criminal penalty for violating the terms of service of a website and return it to the realm of contract law where it belongs. This would eliminate the potential for prosecutors to abuse the CFAA in pursuit of criminal convictions for simple violations of a website's terms of service."
Is this another indication that the case is bogus or just that DoJ is too heavy handed? “Gimme everything and I'll tell you what I think you should know.”
Timothy B. Lee reports:
An Ontario judge has refused a US request for unfettered access to the data on Megaupload servers hosted in Canada. The ruling is another sign that overseas courts are not giving US officials the degree of deference they’ve grown accustomed to in this case under US law.
Read more on Ars Technica.
Now if U.S. judges would just stop being so deferential to DOJ, too…
[From Ars Technica:
Instead, she ordered the United States and Megaupload to negotiate about which information the government should get access to under court supervision. If the parties are unable to reach an agreement, Justice Pardu herself will make the decision.
(Related)
"Kim Dotcom on Thursday used Twitter to reveal some interesting new tidbits in regards to his upcoming Mega service, which will be hosted at the New Zealand-based domain Mega.co.nz. Two days before the service is to go live, Dotcom says he plans to offer 50GB of free storage to all members and is also working on bringing over users' Megaupload files and data, but has so far run into legal issues."
To say that Kim Dotcom has "run into legal issues" is like saying that Julian Assange is having a sleepover at the Ecuadorian embassy.
In one swell foop, Dilbert explains things for my Statistics, Business and Discrete Math students!
I have some students who should take this.
Take Mensa’s Free Test and Find Out If You’re a Genius
Mensa—the club for people who know they're smarter than you—is offering its home test for free during the month of January. It's an IQ test that takes 32 minutes to complete and at the end it'll tell you whether you're Mensa material.