Thursday, February 07, 2013

Costly “errors?”
It’s been an interesting few weeks for those who have followed the Cord Blood Registry (CBR) data breach.
As background: back in February 2011, CBR disclosed that backup tapes with 300,000 people’s information had been stolen from an employee’s unattended vehicle in December 2010. CBR offered those affected one year of free credit monitoring and indicated that they had improved their security. That didn’t satisfy everyone, it seems, as a potential class action lawsuit was filed (Johansson-Dohrmann v. CBR Systems, Inc.).
Then on January 28, the FTC announced that it had settled charges against CBR, which was the first anyone knew that the FTC had opened a case against CBR. The FTC had charged that CBR had not lived up to its privacy policy:
Cbr did not have reasonable policies and procedures to protect the security of information it collected and maintained. In addition, Cbr allegedly created unnecessary risks to personal information by, among other things, transporting backup tapes, a thumb drive, and other portable data storage devices containing personal information in a way that made the information vulnerable to theft.
The settlement included putting CBR under monitoring for 20 years and barred any misrepresentation of their privacy and security protections.
Now today, a judge gave preliminary approval to the class-action lawsuit. Thomson Reuters reports:
Under terms of the proposed settlement, reached last November, CBR will have to provide credit monitoring and identity theft insurance to each affected class member [for up to two years], as well as cash reimbursements for any losses resulting from identity theft.
Plaintiff’s lawyer Patrick Keegan estimated that the credit monitoring package was worth up to $112 million to the class members, according to court documents. The settlement also provides up to $600,000 in payment to the plaintiff’s lawyers.
I wonder how much this breach cost CBR, in total. Investigating the breach to determine who had what information on the devices and who required notification, defending against the lawsuit and the FTC, having to hire auditors, the cost of ID theft insurance and credit monitoring, and improvements to its security are not cheap, even though the majority of class members will likely not even sign up for the free credit monitoring.
And all because devices with unencrypted PII were left in an unattended vehicle.
I bet they won’t do that again. [I'll take that bet. Bob] Or at least, I hope they won’t. The FTC cannot fine first offenders, but if there’s another incident, the FTC could seek heavy monetary penalties.
And I bet they breathed a sigh of relief that they are not a HIPAA-covered entity, or HHS/OCR would have been investigating them, too. As it is, it is still possible that state attorneys general could take action, although if we haven’t seen any such press releases by now about investigations, I tend to doubt we will.


Those who do not study history are doomed to repeat it.
"Michael Geist reports that a coalition of Canadian industry groups, including the Canadian Chamber of Commerce, the Canadian Marketing Association, the Canadian Wireless Telecommunications Association and the Entertainment Software Association of Canada, is demanding legalized spyware for private enforcement purposes. The potential scope of coverage is breathtaking: a software program secretly installed by an entertainment software company designed to detect or investigate alleged copyright infringement would be covered by this exception. This exception could potentially cover programs designed to block access to certain websites (preventing the contravention of a law as would have been the case with SOPA), attempts to access wireless networks without authorization, or even keylogger programs tracking unsuspecting users (detection and investigation)."

(Related)
"Sony's next-generation PS4 unveil is just two weeks away, which means leaks concerning both it and Microsoft's next-generation Xbox Durango (sometimes referred to as the Xbox 720), are at an all-time high as well. Rumors continue to swirl that the next iteration of Xbox will lock out used games entirely and require a constant Internet connection. New games would come with a one-time activation code to play. Use the code, and the game is locked to the particular console or Xbox Live account it's loaded on. Physical games will still be sold (the Durango reportedly supports 50GB Blu-ray Discs), but the used game market? Kiboshed. If this is true, it's an ugly move on Microsoft's part. Not only does it annihilate the right of first sale, it'll eviscerate any game store or business that depends on video game rentals for revenue."


Interesting...
"According to an Al-Jazeera report, 'Charlottesville, Virginia is the first city in the United States to pass an anti-drone resolution. The writing of the resolution coincides with a leaked memo outlining the legal case for drone strikes on U.S. citizens and a Federal Aviation Administration plan to allow the deployment of some 30,000 domestic drones.' The finalized resolution is fairly weak, but it's a start. There is also some anti-drone legislation in the Oregon state Senate, and it has much bigger teeth. It defines public airspace as anything above your shoelaces, and the wording for 'drone' is broad enough to include RC helicopters and the like."


If people keep publishing guides for the clueless, it is going to be difficult to claim you were unable to find “Best Practices.”
Today, the ACLU released a new guide for tech companies: ACLU Guide: Tips for Companies on Protecting User Privacy and Free Speech in 2013
Nicole Ozer writes:
Last year was jam-packed with stories of companies making costly mistakes on user privacy and free speech. To help companies get a fresh start in 2013, the ACLU of California has just released the new edition of Privacy and Free Speech: It’s Good for Business. This primer (and companion website) is a practical, how-to guide illustrating how businesses can build privacy and free speech protections into their products and services – and what can happen if they don’t.
The guide features dozens of real-life case studies from A(mazon) to Z(ynga) and updated recommendations for policies and practices to take the guesswork out of avoiding expensive lawsuits, government investigations, and public relations nightmares. It walks companies through essential questions and lays out steps to spot potential privacy and free speech issues in products and business models and address these issues head-on.


Motherhood and Apple pie?
Over 40,000 firms, including energy providers, banks and hospitals could be required to report cyber-break-ins under new rules proposed by the EU.
It is part of a move to intensify global efforts to fight cybercrime.
Digital agenda commissioner Neelie Kroes said that Europe needed to improve how it dealt with cybersecurity.
But firms are concerned that reporting online attacks and security breaches might damage their reputations.
Read more on BBC.
The European Commission has issued a Proposed Directive on Network and Information Security – frequently asked questions. From the FAQ, examples of companies that would be required to report significant breaches:
[Hard to read page image here Bob]
Read the full memo here.

(Related) Apparently not. Is this the “Official US Position?”
Matt Grainger reports:
A US diplomat has warned of a ‘trade war’ if the EU continues with proposals that would give people the right to demand that companies delete their private data.
According to the Register, John Rodgers, who is an economic officer with the US Foreign Service told a conference in Berlin that “things could really explode” if the proposals are put through.
“We have a right to privacy in our Constitution, but this does not mean a fundamental right to data protection,” said Rodgers. [Huh? Bob]
Read more on PCR.
Perhaps Mr. Rodgers should turn around and warn Congress that if the U.S. doesn’t become more privacy and data protective, U.S. businesses will really suffer when EU citizens decline to do business here.


The UK strikes back?
"The MPAA and other entertainment industry groups have been locked for years in a legal struggle against Newzbin2, a Usenet-indexing site. Since Newzbin2 profited from making it easier for users to find pirated movies online, the MPAA contends they can sue to take those profits on behalf of members who produced that content in the first place. But a British court has rejected that argument."


I'm stunned that Dogbert would actually quote my students.