Wednesday, January 30, 2013

So would this automatically suggest negligence?
"Five years after the disclosure of a serious vulnerability in the Domain Name System dubbed the Kaminsky bug, only a handful of U.S. ISPs, financial institutions or e-commerce companies have deployed DNS Security Extensions (DNSSEC) to alleviate this threat. In 2008, security researcher Dan Kaminsky described a major DNS flaw that made it possible for hackers to launch cache poisoning attacks, where traffic is redirected from a legitimate website to a fake one without the website operator or end user knowing. While DNS software patches are available to help plug the Kaminsky hole, experts agree that the best long-term fix is DNSSEC, which uses digital signatures and public-key encryption to allow websites to verify their domain names and corresponding IP addresses and prevent man-in-the-middle attacks. Despite the promise of DNSSEC, the number of U.S. corporations that have deployed this added layer of security to their DNS server is minuscule."
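The "DNS software patches" the excerpt mentions are the post-2008 resolver updates that randomize the UDP source port of outbound queries (before them, many resolvers used a single fixed port, leaving only the 16-bit transaction ID for an off-path forger to guess). The following is an added example, not code from the article or from Kaminsky's work, showing how a defender can audit a resolver for that patch from a packet capture of its outbound queries: it measures the entropy of the source port and transaction ID fields and also catches the "counter" case that entropy alone misses. The `(port, txid)` tuples are constructed inline for the example; a real check would read them from a capture.

```python
import math
import random
from collections import Counter
from dataclasses import dataclass


@dataclass
class RandomizationReport:
    """Summary of how unpredictable a resolver's outbound queries look."""
    samples: int
    distinct_ports: int
    port_bits: float        # observed entropy of the UDP source port, in bits
    distinct_txids: int
    txid_bits: float        # observed entropy of the 16-bit DNS transaction ID
    port_randomized: bool
    txid_randomized: bool


def _entropy_bits(values):
    """Shannon entropy of the observed value distribution, in bits.

    Note the ceiling: n samples can show at most log2(n) bits, so a small
    capture under-reports a well-randomized field; collect more to be sure.
    """
    n = len(values)
    if n == 0:
        return 0.0
    counts = Counter(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def _is_sequential(values, threshold=0.8):
    """True when most consecutive observations differ by exactly +1.

    A counter has high entropy (every value distinct) yet is trivially
    predictable, which is why entropy alone is not a sufficient check.
    """
    if len(values) < 2:
        return False
    steps = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return steps / (len(values) - 1) >= threshold


def assess_randomization(observations, min_bits=5.0):
    """Judge source-port and transaction-ID randomization from observations.

    observations: list of (udp_source_port, dns_transaction_id) tuples, one
    per outbound query the resolver sent (e.g. read from a packet capture).
    A field counts as randomized when it shows at least `min_bits` of entropy
    and does not behave like a counter.
    """
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    port_bits = _entropy_bits(ports)
    txid_bits = _entropy_bits(txids)
    return RandomizationReport(
        samples=len(observations),
        distinct_ports=len(set(ports)),
        port_bits=round(port_bits, 2),
        distinct_txids=len(set(txids)),
        txid_bits=round(txid_bits, 2),
        port_randomized=port_bits >= min_bits and not _is_sequential(ports),
        txid_randomized=txid_bits >= min_bits and not _is_sequential(txids),
    )


# --- Constructed sample captures (not real traffic) -------------------------

def unpatched_resolver_sample(n=64):
    """Pre-2008 behaviour: one fixed source port, transaction IDs counting up."""
    return [(53, 1000 + i) for i in range(n)]


def patched_resolver_sample(n=64, seed=2013):
    """Post-patch behaviour: ephemeral port and transaction ID both random.

    Seeded so the sample is reproducible; a real check would read the tuples
    from a capture of the resolver's outbound queries instead.
    """
    rnd = random.Random(seed)
    return [(rnd.randrange(1024, 65536), rnd.randrange(0, 65536))
            for _ in range(n)]


if __name__ == "__main__":
    for label, sample in (("unpatched", unpatched_resolver_sample()),
                          ("patched", patched_resolver_sample())):
        print(label, assess_randomization(sample))
```

The unpatched sample reports zero bits for the port and a sequential transaction ID, so both flags come back false; the patched sample passes both. The `min_bits` threshold is deliberately low because 64 observations can never show more than 6 bits; with a few thousand captured queries a healthy resolver should approach the full 16 bits on each field, and DNSSEC validation remains the fix that does not depend on the forger's guess being hard.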


The models for 'Best practices' or simply the 'Least Bad?' Most likely, neither...
From their Executive Summary:
Ponemon Institute’s Most Trusted Companies for Privacy Study is an objective study that asks consumers to name and rate organizations they believe are most committed to protecting the privacy of their personal information. This annual study tracks consumers’ rankings of organizations that collect and manage their personal information.
More than 100,000 adult-aged consumers were asked to name up to five companies they believe to be the most trusted for protecting the privacy of their personal information. Consumer responses were gathered over a 15-week period concluding in December 2012 and resulted in a final sample of 6,704 respondents who, on average, provided 5.4 discernible company ratings that represent 25 different industries.
Following are our most salient findings:
  • American Express (AMEX) continues to reign as the most trusted company for privacy among 217 organizations rated in our most trusted companies list.
  • New entrants to this year’s top 20 most trusted list include: Microsoft (ranked 17), United Healthcare (ranked 18) and Mozilla (ranked 20).
  • Healthcare, consumer products, and banking are the industry segments considered by consumers to be the most trusted for privacy (among 25 industry categories). In contrast, Internet and social media, non-profits (charities) and toys are viewed as the least trusted for privacy.
  • Seventy-eight percent of respondents continue to perceive privacy and the protection of their personal information as very important or important to the overall trust equation. Further, the importance of privacy has steadily trended upward over seven years.
  • While most individuals say protecting the privacy of their personal information is very important, 63 percent of respondents admit to sharing their sensitive personal information with an organization they did not know or trust. Of those who admit to sharing, 60 percent say they did this solely for convenience such as when making a purchase.
  • Fifty-nine percent of respondents believe their privacy rights are diminished or undermined by disruptive technologies such as social media, smart mobile devices and geo-tracking tools. Fifty-five percent say their privacy has been diminished by virtue of perceived government intrusions.
  • Only 35 percent of respondents believe they have control over their personal information and this result has steadily trended downward over seven years.
  • Less than one-third (32 percent) of respondents admit they do not rely on privacy policies or trust seal programs when judging the privacy practices of organizations they deal with. When asked why, 60 percent believe these policies are too long or contain too much legalese.
  • Forty-nine percent of respondents recall receiving one or more data breach notifications in the past 24 months. Seventy percent of these individuals said this notification caused a loss of trust in the privacy practices of the organization reporting the incident.
  • Seventy-three percent of respondents believe that substantial security protections over their personal information are the most important privacy feature to advancing a trusted relationship with business or government organizations. Other important privacy features include: no data sharing without consent (59 percent), the ability to be forgotten (56 percent) and the option to revoke consent (55 percent).
  • The number one privacy-related concern expressed by 61 percent of respondents is identity, closely followed by an increase in government surveillance (56 percent).
Read the full report here.


So all the contract language needs to change?
Helpful write-up by Dena Feldman on the final HITECH rule as it applies to business associates and subcontractors includes:
Direct Liability under the Security Rule. The final rule alters the regulations to expressly subject business associates to the administrative, physical, and technical safeguard requirements of the Security Rule. HHS commented that, because business associates previously had to agree in their business associate agreements with covered entities to appropriately protect and safeguard PHI, business associates and subcontractors “should already have in place” security practices that are compliant with the rule or need only “modest improvements.” HHS recognized, however, that many business associates will not have engaged in the “formal administrative safeguards” required by the rule.
Direct Liability under the Privacy Rule. The final regulations modify the Privacy Rule to extend direct liability for disclosures of PHI by business associates. However, the rule does not subject business associates to liability for all aspects of the Privacy Rule. Business associates are liable for:
  • uses or disclosures of PHI in a manner not in accord with the business associate agreement or the Privacy Rule;
  • failure to disclose PHI when required by HHS for an investigation and/or determination of the business associate’s compliance with HIPAA;
  • failure to disclose PHI to the covered entity, an individual (to whom the information pertains), or the individual’s designee with respect to an individual’s request for an electronic copy of the information;
  • failure to make reasonable efforts to limit PHI uses, disclosures, and requests to the minimum necessary amount; and
  • failure to enter into a business associate agreement with a subcontractor that creates or receives PHI on their behalf.
Read more on InsidePrivacy.


I have visions of teachers discovering communications with lawyers about abuse by school officials. Things could go south really quickly.
The Fourth Amendment question here is not about the seizure, but the search that came afterward.
A Berne parent grew outraged after a school principal confiscated his son’s phone earlier this week after being caught texting in class. It’s not the confiscation of the 14-year-old’s iPhone 5 that caused the ire, but rather the searching of it, which revealed inappropriate photos of his 14-year-old ex-girlfriend. The principal, Brian Corey, contacted the Albany County Sheriff’s Department.
Law enforcement and legal experts agree schools have a greater right to search students and their property than do police among the general public, where the Fourth Amendment protects against unreasonable searches and seizures. The question is the line where it becomes too invasive given the circumstances.
Read more on the Albany Times-Union.
Does your teen understand that their school administrator might not only confiscate, but scroll through their images and emails? I’m not saying administrators should – indeed, I think they generally shouldn’t unless there’s an imminent threat of danger to the student or others — but it could happen. And as in this case, inappropriate images could result in the police being called for child pornography.
Are you ready for that? Is your child?
Talk with your kids. Again and again and again.
But also ensure you understand your school district’s policies on this. If you’re not sure, ask under what conditions they might not only confiscate, but search your child’s mobile devices.
And then talk with your child again.
[From the article:
Technically, since the ex-girlfriend sent the images, both youths could face child pornography charges for the photos. The sheriff's department is in the process of obtaining a search warrant for the phone, but at this point it doesn't appear any charges, which would go to Family Court, will be filed.
"We've spoken to the district attorney's office," Sheriff Craig Apple said. "Right now, they don't want to go forward with the information they have."
… Apple … said he believes students can't have an expectation of privacy on school grounds.]

(Related) Another area where the constitution does not apply?
Brothel Patrons Have No Legal Expectation of Privacy, Judge Rules
Brothel patrons have no expectation of privacy, a Maine judge has ruled while dismissing 49 criminal counts against a man accused of secretly filming illicit sexual encounters at his Zumba studio that authorities claim was a bordello.
A local judge dropped the counts against Mark Strong, Sr., who was accused of breaching the privacy of those who paid to have sex with his female business partner at a Kennebunk, Maine dance studio he managed.
The 57-year-old defendant’s attorney, Dan Lilley, successfully argued that the state law protecting the privacy of people in dressing rooms, locker rooms and restrooms did not apply to those having illegal sex with a prostitute.
That law, Lilley argued, “does not apply to bordellos, whorehouses and the like.” He said “those places are to commit crime. There is no expectation to privacy.”


Dude, don't mess with the Mouse! It's clear from this letter that they carefully introduced the program – nothing happens haphazardly in the Magic Kingdom.
Dominic Patten reports:
Bob Iger today told a Massachusetts congressman that his privacy issue concerns about new technology being introduced at Disney theme parks are bunk. “We are offended by the ludicrous and utterly ill-informed assertion in your letter dated January 24, 2013, that we would in any way haphazardly or recklessly introduce a program that manipulates children, or wantonly puts their safety at risk,” the Disney chairman and CEO wrote in a letter (read it in full below) Monday to Ed Markey.
Read more on Deadline.com


New features equal new concerns for management.
"Microsoft's release of Office 2013 represents the latest in a series of makeover moves, this time aimed at shifting use of its bedrock productivity suite to the cloud. Early hands-on testing suggests Office 2013 is the 'best Office yet,' bringing excellent cloud features and pay-as-you-go pricing to Office. But Microsoft's new vision for remaining nimble in the cloud era comes with some questions, such as what happens when your subscription expires, not to mention some gray areas around inevitable employee use of Office 2013 Home Premium in business settings."
Zordak points to coverage of the new Office model at CNN Money, and says "More interesting than the article itself are the comments. The article closes by asking 'Will you [pay up]?' The consensus in the comments is a resounding 'NO,' with frequent mentions of the suitability of OpenOffice for home productivity." Also at SlashCloud.


For my literate friends who will no doubt say, “Bob you idiot, you forgot...”


Worth reading. Here are some bits...
Eight Brilliant Minds on the Future of Online Education
Why this disruption is happening:
Peter Thiel, partner, Founders Fund
"In the United States, students don't get their money's worth. There's a bubble in education as out of control as the housing bubble and the tech bubble in the 1990s."
Bill Gates, chairman of Microsoft
"Our whole notion of 'credential', which means you went somewhere for a number of hours, needs to move to where you can prove you have the knowledge, and the quality of these online courses need to improve."
Rafael Reif
"Can you hire MIT professors who know that they need to teach 150,000 people and not 150?"
