Another (relatively) trivial breach
that illustrates some common perceptions. The fact that the files
were found in Vietnam is of little concern. Sure the “owners” of
the files had bad security if the FBI could locate the data, but with
4.25 million people in Harris County and 7 Billion elsewhere on the
globe, the odds were it was taken by someone outside of the county.
Brian Collister reports
that the personal information of approximately 16,000 former and
current Harris County employees was found in two electronic files in
Vietnam. The information included names, Social Security numbers,
and dates of birth. One of the files was from 2005 and another was
from 2007, both before the county changed its system to minimize use
of SSN.
The county learned of the breach when
the FBI notified them of the discovery.
Not surprisingly at this point, the
county does not know how the breach occurred, but has sent a
letter
to those affected.
Oh the horror, the horror! A $60+
Billion company fined a mere $1.7 Million (0.028% of revenue) is like
me being fined $20. Hardly rises to the level of “Irritating.”
Perhaps if the law (or the Board of Directors) required the fine to
be paid from executive bonuses we might get their attention?
From HHS:
The managed care
company WellPoint Inc. has agreed to pay the U.S. Department of
Health and Human Services (HHS) $1.7 million to settle potential
violations of the Health Insurance Portability and Accountability Act
of 1996 (HIPAA) Privacy and Security Rules.
This
case sends an important message to HIPAA-covered entities [“See
what you can get away with!” Bob] to take caution when
implementing changes to their information systems, especially when
those changes involve updates to Web-based applications or portals
that are used to provide access to consumers’ health data using the
Internet.
… OCR’s
investigation indicated that WellPoint did not implement appropriate
administrative and technical safeguards as required under the HIPAA
Security Rule.
The investigation
indicated WellPoint did not:
- adequately implement policies and procedures for authorizing access to the on-line application database
- perform an appropriate technical evaluation in response to a software upgrade to its information systems
- have technical safeguards in place to verify the person or entity seeking access to electronic protected health information maintained in its application database.
As a result,
beginning on Oct. 23, 2009, until Mar. 7, 2010, the investigation
indicated that WellPoint impermissibly disclosed the ePHI of 612,402
individuals by allowing access to the ePHI of such individuals
maintained in the application database.
Imagine what the penalty would have
been if HHS had also taken Wellpoint’s previous and long-running
exposure breach into account? That situation, which was reported on
PogoWasRight.org in 2008, was extremely similar, if not actually
identical, to this one.
Now what? It's illegal in France, but
apparently not important enough to have the police do this.
Lawsuits? A sudden increase in fatal “accidents?”
The Local reports:
Twitter has handed
over data to French authorities to help identify [The
person owning the account is not necessarily the author of the
Tweets. Bob] the authors of anti-Semitic tweets following
a complaint from a Jewish students’ group, AFP reported on Friday.
Twitter said in a
statement that it had given information to judicial authorities
“enabling the identification of some authors” of anti-Semitic
tweets.
A French court in
January ordered the company to provide the data after the complaint
from France’s Union of Jewish Students (UEJF).
Read more on The
Local (FR)
What I've been saying, only smarter...
The
NSA's Surveillance Is Unconstitutional
Due largely to unauthorized leaks, we
now know that the National Security Agency has seized from private
companies voluminous data on the phone and Internet usage of all U.S.
citizens. We've also learned that the United States Foreign
Intelligence Surveillance Court has approved the constitutionality of
these seizures in secret proceedings in which only the government
appears, and in opinions kept secret even from the private companies
from whom the data are seized.
If this weren't disturbing enough, the
Consumer Financial Protection Bureau, created by the 2010 Dodd-Frank
financial reform, is compiling a massive database of citizens'
personal information—including monthly credit-card, mortgage, car
and other payments—ostensibly to protect consumers from abuses by
financial institutions.
All of this dangerously violates the
most fundamental principles of our republican form of government.
… As other legal scholars, most
notably Yale law professor Akhil Reed Amar, have pointed out, when
the Fourth Amendment was ratified in 1791 as part of the Bill of
Rights, government agents were liable for damages in
civil tort actions for trespass.
… With the NSA's surveillance
program, the Foreign Intelligence Surveillance Court has apparently
secretly approved the blanket seizure of data on every American so
this "metadata" can later provide the probable cause for a
particular search. Such indiscriminate data seizures are the epitome
of "unreasonable," akin to the "general warrants"
issued by the Crown to authorize searches of Colonial Americans.
… The secrecy of these programs
makes it impossible to hold elected officials and appointed
bureaucrats accountable.
Been there. Done that.
Got the T-shirt.
Bruce Schneier’s blog points us to a
recent article by Penica Cortez and David Hay. Here’s the
Abstract:
This paper reports
an exploratory study of privacy breaches in the U.S. from 2005-2011
to explore potential benefits of data privacy
auditing. Privacy auditing is a mechanism to help
organisations to be vigilant in protecting information privacy, and
to avoid penalties or damage to reputation and losing customer trust.
Recently, privacy audits have been imposed on several high-profile
organizations, but little is known about the benefits of privacy
audits. We examined whether companies with privacy disclosures in
their audited financial statements (as a proxy for privacy audits)
were more or less likely to incur subsequent privacy breaches, and
whether companies incurring breaches were more or less likely to make
privacy disclosures. The results show that there are empirical
regularities consistent with the privacy disclosures in the audited
financial statements having some effect. Companies
disclosing privacy risks are less likely to incur a breach of privacy
related to unintentional disclosure of privacy information;
while companies suffering a breach of privacy related to credit cards
are more likely to disclose privacy risks afterwards. Disclosure
after a breach is negatively related to privacy breaches related to
hacking, and disclosure before a breach is positively related to
breaches concerning insider trading. These results may be related to
the risk of privacy breaches. Privacy disclosure in the regulatory
risks section of a 10K report is associated with a larger number of
records affected by a breach of privacy. We also examined the extent
of damages arising from privacy breaches, but there are not enough
observations to draw a conclusion.
You can download the full article from
SSRN.
An article for my students and my
lawyer friends (is the NSA reading your correspondence with your
clients?)
… I’d like to offer a few easy
ways that you can encrypt your webmail to at least try and maintain
some semblance of email privacy in a world filled with snoops and
spies.
Not sure if my students
will like this, but I find things like “Fantasy SCOTUS” amusing
and JD Supra “obvious in retrospect.” Let's hope they like
the technology that enables the law firm Robot, Robot &
Hwang LLP.
Fastcase
50 for 2013
“2013 was the Year of Reinvention,
with innovators gathering at several national conferences pushing the
boundaries of the business of law, using software, algorithms, and
new pricing models for lawyers as a way to better provide legal
services to the middle class. New companies challenged our
assumptions about legal research, and established challengers hit
their stride as much larger enterprises. Bar associations and law
professors sought to change some of the most traditional legal
organizations serving law students and lawyers. The Fastcase 50
classes of 2011
and 2012
were an inspiration. This year, you submitted a record number of
nominations, and we are pleased to honor the Fastcase
50 Class of 2013.”
For my fellow teachers (and my
students)
Share My Screen Pro is a handy
cost-effective software solution that lets you share your screen with
anyone online via browser. It is aimed at people who work remotely
and are located in different geographical locations. Using it you can
run meetings and presentations over the Internet, from single user
presentations up to 300 viewer webinars. It is easy to set up and
run and doesn’t require the viewer to download any software. Your
viewers can access your screen via Windows PCs and devices running
Android and iOS platforms.
Related tools – ScreenView,
ScreenLeap.
Another potentially useful tool (you
can't have too many)
Quickly record
a video of what you’re doing on your computer, or take a
precise screenshot. Free app oCam makes this process easy for
Windows users, and is completely free.
I post a lot of free (and I hope
useful) tools, but this one really grabbed my attention. If you have
an eReader, watch the demo video and be amazed...
Calibre
Calibre is a free and open source
e-book library management application developed by users of e-books
for users of e-books.