Interesting hacker strategy. Delay reporting, increase the number of cards stolen?
DQ Breach? HQ Says No, But Would it Know?
Sources in the financial industry say they’re seeing signs that Dairy Queen may be the latest retail chain to be victimized by cybercrooks bent on stealing credit and debit card data. Dairy Queen says it has no indication of a card breach at any of its thousands of locations, but the company also acknowledges that nearly all stores are franchises and that there is no established company process or requirement that franchisees communicate security issues or card breaches to Dairy Queen headquarters.
…
The situation apparently developing with Dairy Queen is reminiscent of similar reports last month from multiple banks about card fraud traced back to dozens of locations of Jimmy John’s, a nationwide sandwich shop chain that also is almost entirely franchisee-owned. Jimmy John’s has said it is investigating the breach claims, but so far it has not confirmed reports of card breaches at any of its 1,900+ stores nationwide.
Might be fun (i.e. Cruel and usual) to have my Computer Security students create a US version of this guide.
The Office of the Australian Information Commissioner has released Data breach notification guide: A guide to handling personal information security breaches. Some excerpts:
Preventing data breaches — obligations under the Privacy Act
Security is a basic element of information privacy. In Australia, this principle is reflected in the Privacy Act in the APPs. Agencies and organisations are required to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. This requirement is set out in APP 11 (see Appendix A for APP 11). Sections 20Q and 21S of the Privacy Act impose equivalent obligations on credit reporting agencies and all credit providers. Similarly, guideline 6.1 of the statutory TFN guidelines requires TFN recipients to protect TFN information by such security safeguards as are reasonable in the circumstances.
Depending on the circumstances, those reasonable steps may include the preparation and implementation of a data breach policy and response plan. Notification of the individuals who are or may be affected by a data breach, and the OAIC, may also be a reasonable step (see page 9).
[…]
Responding to data breaches: four key steps
Data breaches can be caused or exacerbated by a variety of factors, affect different types of personal information and give rise to a range of actual or potential harms to individuals, agencies and organisations.
As such, there is no single way of responding to a data breach. Each breach will need to be dealt with on a case-by-case basis, undertaking an assessment of the risks involved, and using that risk assessment as the basis for deciding what actions to take in the circumstances.
There are four key steps to consider when responding to a breach or suspected breach:
Step 1: Contain the breach and do a preliminary assessment
Step 2: Evaluate the risks associated with the breach
Step 3: Notification
Step 4: Prevent future breaches
Each of the steps is set out in further detail below.
You can access the guide (49 pp, pdf) here.
Is it possible to write evidence gathering guidelines in the form: “You need a warrant or subpoena for all evidence except: … ” Seems to me that would be simpler.
Drones at Home: Domestic Drone Legislation – A Survey, Analysis and Framework
by Sabrina I. Pacifici on Aug 26, 2014
Zoldi, Dawn M. K., Drones at Home: Domestic Drone Legislation — A Survey, Analysis and Framework (July 9, 2014). Available for download at SSRN: http://ssrn.com/abstract=2486259
“Can the government employ drones domestically without running roughshod over personal privacy? In an effort to preemptively rein in potential government overreach, most states have proposed legislation that restricts or forbids government drone use. The intent is to prevent drone use for warrantless information and evidence collection. Ironically, many of these proposals will have the opposite effect intended. State-by-state drone legislation may lead to consequences such as the erosion of Fourth Amendment jurisprudential principles, losses of life and property, procedural windfalls to criminals, and deleterious effects on the military. Lawmakers should take a nuanced approach to government drone use rather than selectively revising constitutional protections. A nuanced approach would allow the federal government to use drones to their full potential while also protecting personal privacies. There are four principles that should guide drone legislation:
(1) apply the Fourth Amendment agnostically;
(2) ensure operational purpose language distinguishes between law enforcement and non-law enforcement professionals;
(3) focus new regulations on information collection, dissemination, and retention;
(4) develop narrowly tailored remedies that deter specific behavior consistent with their historical purpose.
Drone legislation drafted with these principles in mind will protect our national security and our civil liberties.”
Is there anything here we really didn't expect? Details are “secret” only to avoid public backlash.
Ben Grubb reports:
It’s the secret industry consultation paper the federal government didn’t want you to see.
Produced by the Attorney-General’s Department and distributed to telecommunications industry members on Friday, the nine-page document attempts to clarify what customer internet and phone records the government wants companies such as Telstra, Optus and iiNet to store for the purpose of law enforcement and counterterrorism.
The requirement is part of a proposed data retention regime, which has been given “in principle” approval by the Abbott government. It seeks to continue to allow law enforcement and spy agencies to access customer identifiable data without a warrant as prescribed by law, but would ensure the data is not deleted for a mandated period of two years.
The paper, stamped “confidential” and marked for “preliminary consultation only”, raises more questions than it solves.
Read more on Sydney Morning Herald.
Insurance companies creating specific exclusions suggests they have some idea what each of those scenarios costs them. Can I get that information for my classes on risk? Worth exploring.
Hunton & Williams write:
On August 7, 2014, the United States District Court for the Eastern District of Virginia held in Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, No. 1:13-cv-917 (E.D. Va. Aug. 7, 2014), that online posting of patient medical information constituted “publication,” whether or not it was viewed by a third party, and therefore triggered the insurer’s duty to defend its insured against a class action seeking damages for breach of privacy claims.
Read more on Lexology.
But do note that Law360 reports:
Insurers are rushing to tack on recently released data breach exclusions to commercial general liability policies, hoping to substantially narrow their exposure to privacy risks. Here, experts provide policyholders the essentials on these game-changing provisions.
The Insurance Services Office Inc., which develops standard insurance contract language, in May unveiled an exclusion that is aimed at wiping out coverage for personal and advertising injuries stemming from the disclosure of personal information. The exclusion applies to a variety of damages, including notification costs, credit monitoring expenses and public…
Law360’s full story is behind a paywall.
To me, Labor Law is “a whole 'nother country.”
Scott McIntyre and Erika Spears write:
The grocery business may be “fresh and easy,” but drafting a confidentiality and data protection policy that withstands the scrutiny of the current National Labor Relations Board (NLRB) is not. The NLRB, in its recent 2-1 Fresh & Easy Neighborhood Market and United Food and Commercial Workers International Union decision, 361 NLRB No. 8 (July 31, 2014), ruled that the company’s “confidentiality and data protection” rule violated Section 8(a)(1) of the National Labor Relations Act (the Act). This decision is a reminder that businesses acting proactively to avoid data breaches and comply with privacy laws must also consider the NLRB’s view of employee rights if an employee may be implicated in wrongdoing, regardless of the context or label placed on the workplace rule.
Read more on Baker Hostetler Data Privacy Monitor.
[From the article:
The Code’s section entitled “Confidentiality and Data Protection” mandated that employees:
Keep customer and employee information secure. Information must be used fairly, lawfully and only for the purpose for which it was obtained.
In May 2012, charges were filed by the United Food and Commercial Workers International Union challenging the data protection rule, alleging that it was unlawful because employees could reasonably construe it as prohibiting the sharing of information by employees to improve terms and conditions of employment.]
Making Law School cheaper? Interesting idea. I wonder if the Math Club would be interested in creating a “Guide to Math” online textbook?
Open Intellectual Property Casebook
by Sabrina I. Pacifici on Aug 26, 2014
“Duke’s Center for the Study of the Public Domain is announcing the publication of Intellectual Property: Law & the Information Society—Cases and Materials by James Boyle and Jennifer Jenkins. This book, the first in a series of Duke Open Coursebooks, is available for free download under a Creative Commons license. It can also be purchased in a glossy paperback print edition for $29.99, $130 cheaper than other intellectual property casebooks. This book is an introduction to intellectual property law, the set of private legal rights that allows individuals and corporations to control intangible creations and marks—from logos to novels to drug formulae—and the exceptions and limitations that define those rights. It focuses on the three main forms of US federal intellectual property—trademark, copyright and patent—but many of the ideas discussed here apply far beyond those legal areas and far beyond the law of the United States. The book is intended to be a textbook for the basic Intellectual Property class, but because it is an open coursebook, which can be freely edited and customized, it is also suitable for an undergraduate class, or for a business, library studies, communications or other graduate school class. Each chapter contains cases and secondary readings and a set of problems or role-playing exercises involving the material. The problems range from a video of the Napster oral argument to counseling clients about search engines and trademarks, applying the First Amendment to digital rights management and copyright or commenting on the Supreme Court’s new rulings on gene patents. Intellectual Property: Law & the Information Society is current as of August 2014. It includes discussions of such issues as the Redskins trademark cancelations, the Google Books case and the America Invents Act. Its illustrations range from graphs showing the growth in patent litigation to comic book images about copyright. The best way to get some sense of its coverage is to download it. In coming weeks, we will provide a separate fuller webpage with a table of contents and individual downloadable chapters. The Center has also published an accompanying supplement of statutory and treaty materials that is available for free download and low cost print purchase.”
For my Ethical Hackers: How can we selectively flip this switch? How can we flip the switches on all phones of a given manufacturer? (This could be so much fun I'm already starting to giggle.)
California Requires All Smartphones to Have a Kill Switch
California has just passed a law that will require all smartphones to be equipped with a function that can allow users to wipe their data if their phone is stolen or lost.
The new law will go into effect on July 1, 2015 and applies to phones manufactured after this date.
…
Not only will the kill switch be able to wipe users’ data but it will also lock the phone, rendering it useless. Only the owner of the phone will have control over the switch; however, the police can also use the tool. [So, “only” every cop in California and the phone's owner? Bob]
This means that the police could cut off phone service in certain situations; however, this would require a court order unless there is an emergency that poses immediate danger of death.
Should work for Math lectures as well as those rocky-roll songs.
Peggo is a Digital Video Recorder (DVR) that records MP3s of your favorite YouTube videos and SoundCloud tracks. Peggo’s packed with great features like integrated search, automatic silence removal, audio normalization, subtrack offsets, and artist and title tags. In addition, Peggo also normalizes the volume of every recording to the same, comfortable level.
…
For users in the United States, and countries with similar laws, Peggo is perfectly legal.
Peggo is a Digital Video Recorder (DVR) that lets you make personal recordings of publicly available online media for later use, also known as time-shifting, and is protected by the Supreme Court's Betamax ruling (Sony Corporation of America vs Universal City Studios).