Costly “errors?”
It’s been an interesting few weeks for those who have followed the Cord Blood Registry (CBR) data breach.
As background: back in February 2011, CBR disclosed that backup tapes with 300,000 people’s information had been stolen from an employee’s unattended vehicle in December 2010. CBR offered those affected one year of free credit monitoring and indicated that they had improved their security. That didn’t satisfy everyone, it seems, as a potential class action lawsuit was filed (Johansson-Dohrmann v. CBR Systems, Inc.).
Then on January 28, the FTC announced that it had settled charges against CBR, which was the first anyone knew that the FTC had opened a case against CBR. The FTC had charged that CBR had not lived up to its privacy policy:
Cbr did not have reasonable policies and procedures to protect the security of information it collected and maintained. In addition, Cbr allegedly created unnecessary risks to personal information by, among other things, transporting backup tapes, a thumb drive, and other portable data storage devices containing personal information in a way that made the information vulnerable to theft.
The settlement included putting CBR under monitoring for 20 years and barred any misrepresentation of their privacy and security protections.
Now today, a judge gave preliminary approval to the class-action lawsuit. Thomson Reuters reports:
Under terms of the proposed settlement, reached last November, CBR will have to provide credit monitoring and identity theft insurance to each affected class member [for up to two years], as well as cash reimbursements for any losses resulting from identity theft.
Plaintiff’s lawyer Patrick Keegan estimated that the credit monitoring package was worth up to $112 million to the class members, according to court documents. The settlement also provides up to $600,000 in payment to the plaintiff’s lawyers.
I wonder how much this breach cost CBR, in total. Investigating the breach to determine who had what information on the devices and who required notification, defending against the lawsuit and the FTC, having to hire auditors, the cost of ID theft insurance and credit monitoring, and improvements to its security are not cheap, even though the majority of class members will likely not even sign up for the free credit monitoring.
And all because devices with unencrypted PII were left in an unattended vehicle.
I bet they won’t do that again. [I'll take that bet. Bob] Or at least, I hope they won’t. The FTC cannot fine first offenders, but if there’s another incident, the FTC could seek heavy monetary penalties.
And I bet they breathed a sigh of relief that they are not a HIPAA-covered entity, or HHS/OCR would have been investigating them, too. As it is, it is still possible that state attorneys general could take action, although if we haven’t seen any such press releases by now about investigations, I tend to doubt we will.
“Those who do not study history are doomed to repeat it.”
"Michael Geist reports that a coalition of Canadian industry groups, including the Canadian Chamber of Commerce, the Canadian Marketing Association, the Canadian Wireless Telecommunications Association and the Entertainment Software Association of Canada, are demanding legalized spyware for private enforcement purposes. The potential scope of coverage is breathtaking: a software program secretly installed by an entertainment software company designed to detect or investigate alleged copyright infringement would be covered by this exception. This exception could potentially cover programs designed to block access to certain websites (preventing the contravention of a law as would have been the case with SOPA), attempts to access wireless networks without authorization, or even keylogger programs tracking unsuspecting users (detection and investigation)."
(Related)
"Sony's next-generation PS4 unveil is just two weeks away, which means leaks concerning both it and Microsoft's next-generation Xbox Durango (sometimes referred to as the Xbox 720), are at an all-time high as well. Rumors continue to swirl that the next iteration of Xbox will lock out used games entirely and require a constant Internet connection. New games would come with a one-time activation code to play. Use the code, and the game is locked to the particular console or Xbox Live account it's loaded on. Physical games will still be sold (the Durango reportedly supports 50GB Blu-ray Discs), but the used game market? Kiboshed. If this is true, it's an ugly move on Microsoft's part. Not only does it annihilate the right of first sale, it'll eviscerate any game store or business that depends on video game rentals for revenue."
Interesting...
"According to an Al-Jazeera report, 'Charlottesville, Virginia is the first city in the United States to pass an anti-drone resolution. The writing of the resolution coincides with a leaked memo outlining the legal case for drone strikes on U.S. citizens and a Federal Aviation Administration plan to allow the deployment of some 30,000 domestic drones.' The finalized resolution is fairly weak, but it's a start. There is also some anti-drone legislation in the Oregon state Senate, and it has much bigger teeth. It defines public airspace as anything above your shoelaces, and the wording for 'drone' is broad enough to include RC helicopters and the like."
If people keep publishing guides for the clueless, it is going to be difficult to claim you were unable to find “Best Practices.”
Today, the ACLU released a new guide for tech companies: ACLU Guide: Tips for Companies on Protecting User Privacy and Free Speech in 2013
Nicole Ozer writes:
Last year was jam-packed with stories of companies making costly mistakes on user privacy and free speech. To help companies get a fresh start in 2013, the ACLU of California has just released the new edition of Privacy and Free Speech: It’s Good for Business. This primer (and companion website) is a practical, how-to guide illustrating how businesses can build privacy and free speech protections into their products and services – and what can happen if they don’t.
The guide features dozens of real-life case studies from A(mazon) to Z(ynga) and updated recommendations for policies and practices to take the guesswork out of avoiding expensive lawsuits, government investigations, and public relations nightmares. It walks companies through essential questions and lays out steps to spot potential privacy and free speech issues in products and business models and address these issues head-on.
Motherhood and Apple pie?
Over 40,000 firms, including energy providers, banks and hospitals could be required to report cyber-break-ins under new rules proposed by the EU.
It is part of a move to intensify global efforts to fight cybercrime.
Digital agenda commissioner Neelie Kroes said that Europe needed to improve how it dealt with cybersecurity.
But firms are concerned that reporting online attacks and security breaches might damage their reputations.
Read more on BBC.
The European Commission has issued a Proposed Directive on Network and Information Security – frequently asked questions. From the FAQ, examples of companies that would be required to report significant breaches:
[Hard to read page image here Bob]
Read the full memo here.
(Related) Apparently not. Is this the “Official US Position?”
Matt Grainger reports:
A US diplomat has warned of a ‘trade war’ if the EU continues with proposals that would give people the right to demand that companies delete their private data.
According to the Register, John Rodgers, who is an economic officer with the US Foreign Service told a conference in Berlin that “things could really explode” if the proposals are put through.
“We have a right to privacy in our Constitution, but this does not mean a fundamental right to data protection,” said Rodgers. [Huh? Bob]
Read more on PCR.
Perhaps Mr. Rodgers should turn around and warn Congress that if the U.S. doesn’t become more privacy and data protective, U.S. businesses will really suffer when EU citizens decline to do business here.
The UK strikes back?
"The MPAA and other entertainment industry groups have been locked for years in a legal struggle against Newzbin2, a Usenet-indexing site. Since Newzbin2 profited from making it easier for users to find pirated movies online, the MPAA contends they can sue to take those profits on behalf of members who produced that content in the first place. But a British court has rejected that argument."
I'm stunned that Dogbert would actually quote my students.