There are Best Practices for dealing with a breach. Ignore them at your own risk.
On August 1, I noted some media reports about a breach at the Siouxland Pain Clinic. As I mentioned, the reports raised more questions than they answered. Mike Bell of the Sioux City Journal now has a few more details:
Siouxland Pain Clinic sent letters Friday to more than 13,000 patients that their medical and other personal information may have been exposed in a hacking attack, a lawyer for the clinic said Monday.
“We never did prove that any information was taken, but we could not disprove that, either,” said Lonnie Braun, an attorney in Rapid City, S.D.
Braun said patients’ names, medical information, Social Security numbers and addresses may have been compromised when the clinic’s server was hacked between March 26 and April 2.
As to how the clinic learned of the breach, well, it’s still not clear who notified them. Bell reports:
The clinic was notified of the breach June 26. Braun said the firm that discovered it said the investigation showed the hackers were Chinese.
So it was an external party that alerted them to the breach on June 26? If so, the patients are lucky that the breach didn’t go undetected for even longer.
Read more on Sioux City Journal.
As of this morning, there is still no notice linked from the clinic’s home page, and the incident is not yet up on HHS’s public breach tool. Nor can I find any substitute notices, although Google is not great about indexing classifieds/legal notices, so it may have appeared in local media already.
It is somewhat surprising that the clinic is not offering patients free credit monitoring services if Social Security numbers were involved. Although not all entities do that, it seems like a good litigation defense in terms of mitigation, and it’s better from a public relations perspective to do something to help patients instead of just leaving them to arrange for monitoring at their own expense.
Another organization (the whole federal government) in need of some Best Practices education. Was this package addressed to “Benjamin Krause or current resident?” No signature required?
Benjamin Krause, an investigative reporter, Veterans law attorney, and a disabled veteran of the US Air Force, has a site called DisabledVeterans.org. One of his posts showed up in one of my searches, and I thought it was worth noting here.
In the context of discussing a recent VA breach and government accountability, Benjamin writes:
I personally had VA VocRehab mistakenly mail an entire copy of my file to my old address from two years earlier – a large apartment complex in a major American city. There is no telling where the files ended up.
Veterans Affairs indignantly declined to proactively retrieve the documents and told me to call the cops if I was worried about it. I repeat, the agency made me do the leg work to try to recover my files that were mistakenly delivered to the wrong address.
I did call the cops. They were confused why VA would not take charge of the recovery of my files and said there was little they could do unless a crime was committed.
VA offered me one year of identity protection. That was it. Meanwhile, over 1,000 pages of files containing everything about me were misplaced and now floating around somewhere in the United States.
Did anyone get reprimanded for the cockup? No. Did I get the records back? No.
What a crock. How is it that we live in a country where the Federal government is not held accountable?
It’s an excellent question. All a-flutter over the OPM breach, Congress is trying to enact legislation that will provide longer credit monitoring and greater liability protection to those affected by that breach, but as Benjamin notes, after-the-fact credit monitoring is often neither sufficient nor satisfactory.
Should the VA have gone to the apartment complex or attempted to track down Benjamin’s errant files if they erred by not updating his mailing address? According to the VA’s monthly reports to Congress, mailing errors happen (there were 161 paper mis-mailing incidents in June, 2015). Indeed, paper incidents account for the bulk of VA breaches that result in the exposure of personally identifiable or protected health information.
But if the VA sends out literally millions of mailings each month (over 7 million in June, 2015), is 161 an acceptable error rate? If not, should the VA reduce paper mailings where electronic transmission is a viable alternative? Or should it use a more costly mailing system – requiring a signature for delivery – when a veteran’s files with sensitive information are being mailed?
Mistakes will happen either way, and Benjamin raises a valid question: what should the VA do to mitigate or remediate? Could they have at least initiated a trace request with the post office? Why should Benjamin – or any other veteran – have the burden and worry of trying to track down their personal and sensitive information when the VA makes a mistake? Don’t our veterans have enough problems without being told that the VA won’t even try to track down their mis-mailed records?
A “we really screwed up” reaction or something else? Best Practices don't come overnight.
Linn Foster Freedman of Robinson & Cole provided this update on their Data Privacy + Security Insider blog:
The Senate Appropriations Committee has approved funding to provide the 22 million individuals affected by the OPM data breaches with 10 years of credit monitoring services and $5 million in liability protection for damages, extending the OPM’s offer of three years of services for those affected by the background check breach and 18 months for those affected by the breach of personnel records.
OPM also requested an appropriation of $37 million to beef up its security, but the request was rejected by the Committee.
The voice vote approval must move through both the House and the Senate before the protections can become available to affected individuals.
If this passes, will it raise the bar for breach remediation/mitigation in other cases, or will defenders argue, “Well, this was unusual because it was a foreign government getting information on government employees and so is riskier?”
Looks like all those “rumors” were true. About the name I mean; the spying was a given.
On The Register:
Special Report: Duncan Campbell has spent decades unmasking Britain’s super-secretive GCHQ, its spying programmes, and its cosy relationship with America’s NSA. Today, he retells his life’s work exposing the government’s over-reaching surveillance, and reveals documents from the leaked Snowden files confirming the history of the fearsome ECHELON intercept project. This story is also published simultaneously today by The Intercept, and later today we’ll have video of Duncan describing ECHELON and related surveillance matters.
Read more on The Register.
Wasn't this the DHS's idea in the first place? Oh, I get it now, they want total control.
Dennis Fisher reports:
A major information-sharing bill that’s in the Senate right now would allow private organizations to share threat data with any government agency, something that the Department of Homeland Security says could have severe privacy implications and cause confusion and inefficiencies inside the federal government.
The bill, known as the Cybersecurity Information Sharing Act, would allow private companies and other organizations to share vulnerability information and threat indicators with government agencies under most circumstances.
Read more on ThreatPost.
[From the article: The letter, written in response to a letter last month from Franken to DHS Secretary Jeh Johnson, also says that if organizations are trying to share information through many different agencies, it could become confusing and inefficient.]
(Related) Three words: Total Information Awareness
Joe Cadillic takes a look at the relationship between some companies and the Department of Homeland Security and raises the question as to whether students’ biometric data may be in the hands of DHS “fronts.”
Do you know enough about the vendors or software your child’s school or university may be using to collect biometric data?
Is Joe just paranoid, or haven’t we looked closely enough at some ties?
Could be amusing.
From EFF:
San Francisco – Responding to a troubling rise in law enforcement’s use of high-tech surveillance devices that are often hidden from the communities where they’re used, the Electronic Frontier Foundation (EFF) today launched the Street-Level Surveillance Project (SLS), a Web portal loaded with comprehensive, easy-to-access information on police spying tools like license plate readers, biometric collection devices, and “Stingrays.”
The SLS Project addresses an information gap that has developed as law enforcement agencies deploy sophisticated technology products that are supposed to target criminals but that in fact scoop up private information about millions of ordinary, law-abiding citizens who aren’t suspected of committing crimes. Government agencies are less than forthcoming about how they use these tools, which are becoming more and more sophisticated every year, and often hide the facts about their use from the public. What’s more, police spying tools are being used first in low-income, immigrant, and minority communities — populations that may lack access to information and resources to challenge improper surveillance.
“Law enforcement agencies at the federal, state, and local level are increasingly using sophisticated tools to track our cell phone calls, photograph our vehicles and follow our driving patterns, take our pictures in public places, and collect our fingerprints and DNA. But the public doesn’t know much about those tools and how they are used,” said EFF Senior Staff Attorney Jennifer Lynch. “The SLS Project provides a simple but in-depth look at how these surveillance technologies work, who makes and uses them, and what kind of data they are collecting. We hope that community groups, advocacy organizations, defense attorneys, and individuals all take advantage of the information we’ve gathered.”
The SLS Project website went live today with extensive information on biometric technologies which collect fingerprints, DNA, and face prints as well as on automated license plate readers (ALPRs)—cameras mounted on patrol cars and on city streets that scan and record the plates of millions of cars across the country. Each topic includes explainers, FAQs, infographics, and links to EFF’s legal work in courts and legislatures. Information about “Stingrays”—devices that masquerade as cell phone towers and trick mobile phones into connecting with them to track phone locations in real time—drones, and other surveillance technologies will be added in the coming months.
“The public has heard or read so much about NSA spying, but there’s a real need for information and resources about surveillance tools being used by local law enforcement on our home turf. These technologies are often adopted in a shroud of secrecy, but communities deserve to understand these technologies and how they may be violating our rights,” said EFF Activist Nadia Kayyali. “The SLS Project is a much-needed tool that can help communities under surveillance start a conversation about how to advocate for limiting or stopping their use.”
For Street-Level Surveillance Project: https://www.eff.org/sls
Amazon probably self-insures, but what risks do they see? Aside from getting shot down in Kentucky.
Caitlin Bronson reports:
As new privacy laws governing the use of commercial drones begin to take effect, independent insurance agents are finding difficulty adequately sourcing the risk of privacy-related litigation against drone users.
According to Jason Riley, vice president of aviation wholesale broker Halton Hall, many insurers are willing to offer aircraft liability policies or aviation CGLs for drones. Components coverage, though expensive, is also available for cameras, gimbals and other accessories.
What’s harder to find is coverage for potential privacy violations.
Read more on InsuranceBusinessAmerica.
Defining “Harm.”
Since the Seventh Circuit revived the class action lawsuit, Remijas v. Neiman Marcus, there has been a lot of buzz about how the opinion will make it easier for consumers going forward. The opinion (appended to this file) addresses Article III standing, which has been a major stumbling block in the majority of lawsuits.
But skip on over to the Third Circuit for a minute, where it appears that the FTC submitted a filing on July 24th that tries to use the Neiman Marcus opinion to support its case against Wyndham. The FTC argues, in part:
… The court there held that even though the victims were reimbursed for fraudulent charges, plaintiffs had alleged “identifiable costs associated with the process of sorting things out,” including “the aggravation and loss of value of the time needed to set things straight, to reset payment associations after credit card numbers are changed, and to pursue relief for unauthorized charges.” Slip Op. 7. Those alleged harms were sufficient to give plaintiffs standing.
Wyndham’s lawyers fired back that the FTC’s contention is incorrect:
As an initial matter, Remijas is inconsistent with other data breach cases, including this Court’s decision in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011). More importantly, Remijas did not address the consumer-injury requirements of Section 5—only the less rigorous standing requirements of Article III.
While the test for constitutional standing is exceedingly low, see, e.g., Blunt v. Lower Marion Sch. Dist., 767 F.3d 247, 278 (3d Cir. 2014) (requiring only “some specific, identifiable trifle of injury”), the FTC Act contains two additional requirements: the injury must be (1) “substantial,” which, to have any meaning, must be something more than the injury required by Article III; and, (2) not “reasonably avoidable by consumers themselves.” 15 U.S.C. § 45(n). Those requirements mean that time and money spent resolving fraudulent charges cannot satisfy Section 5(n), even if they might confer standing under Article III.
“We haven't got a law yet” is the equivalent of “We just invented a new sin!” Your guide to infinite riches.
Wendy Davis reports:
Shutterfly is asking a federal judge in Illinois to dismiss a lawsuit accusing the company of violating a state privacy law by compiling a database of “faceprints.”
“Helping a user re-identify his own friends within his own digital photo album does not violate any law,” Shutterfly writes in a dismissal motion filed on Friday with U.S. District Court Judge Charles Norgle in Illinois.
Shutterfly’s papers come in response to a lawsuit filed in June by Illinois resident Brian Norberg.
Read more on MediaPost.
(Related) The Internet of Things is a lawless zone. Think “Jeep hack.”
W. David Stephenson writes:
Could this be the incident that finally gets everyone in the IoT industry to — as I’ve said repeatedly in the past — make privacy and security Job 1 — and to drop the lobbying groups’ argument that government regulation isn’t needed?
I hope so, because the IoT’s future is at stake, and, frankly, not enough companies get it.
Read more on David Stephenson’s blog.
Interesting
Americans’ Attitudes About Privacy, Security and Surveillance
by Sabrina I. Pacifici on Aug 3, 2015
Pew – Americans’ Views About Data Collection and Security by Mary Madden and Lee Rainie: “Contrary to assertions that people “don’t care” about privacy in the digital age, this survey suggests that Americans hold a range of strong views about the importance of control over their personal information and freedom from surveillance in daily life. As earlier studies in this series have illustrated, Americans’ perceptions of privacy are varied in important ways and often overlap with concerns about personal information security and government surveillance. In practice, information scholars have noted that privacy is not something one can simply “have,” but rather is something people seek to “achieve” through an ongoing process of negotiation of all the ways that information flows across different contexts in daily life. The data from the new Pew Research surveys suggest that Americans consider a wide array of privacy-related values to be deeply important in their lives, particularly when it comes to having a sense of control over who collects information and when and where activities can be observed. When they are asked to think about all of their daily interactions – both online and offline – and the extent to which certain privacy-related values are important to them, clear majorities believe every dimension below is at least “somewhat important” and many express the view that these aspects of personal information control are “very important.” The full range of their views is captured in the chart below and more detailed analysis is explored after that.”
This could never happen here, could it? Oh, the horror!
Porn ban could cost Indian ISPs, telcos 30-70% of data revenue
… “Through our discussions with the various Internet Service Providers (ISPs), we have been able to estimate that as much as 30-70% of the total browsing in the country is related to pornography,” a senior executive at an Internet industry body said. “It’s very difficult to be any more specific than that since putting together a data packet specific inspection of what users are browsing could be seen as a breach of privacy,” added this person who asked not to be identified.
Perspective. The future according to Harvard.
The Age of the Robot Worker Will Be Worse for Men
Many economists and technologists believe the world is on the brink of a new industrial revolution, in which advances in the field of artificial intelligence will obsolete human labor at an unforgiving pace. Two Oxford researchers recently analyzed the skills required for more than 700 different occupations to determine how many of them would be susceptible to automation in the near future, and the news was not good: They concluded that machines are likely to take over 47 percent of today’s jobs within a few decades.
This is a dire prediction, but one whose consequences will not fall upon society evenly. A close look at the data reveals a surprising pattern: The jobs performed primarily by women are relatively safe, while those typically performed by men are at risk.
… Many of the jobs held by men involve perception and manipulation, often in conjunction with physical exertion, such as swinging a hammer or trimming trees. The latest mobile robots combine advanced-sensory systems with dexterous manipulators to successfully perform these sorts of tasks.
Other, more cerebral male-dominated professions aren’t secure either. Many occupations that might appear to require experience and judgment—such as commodity traders—are being outdone by increasingly sophisticated machine-learning programs capable of quickly teasing subtle patterns out of large volumes of data.
For my students, just in case they were asleep in class.
34 Tech Tools Small Business Owners Rely on Most
(Related) Extensions like these are available in every browser.
10 Awesome Social Media Add-ons You’ll Love for Opera
For my students who look up!
Put a Planetarium in Your Web Browser
Planetarium by Neave Interactive is a website on which you can specify your current location and it will show you a map of the night sky based upon your location and the date. You can also use Planetarium without specifying your location and instead explore the night sky from any place on Earth. For Google Chrome users, Planetarium offers a Chrome Web App that you can add to your browser.
For all my students.
WixED Teaches You How to Build a Website...on Wix
Wix is a popular DIY website creation tool. They claim to have more than 63 million registered users (source: CrunchBase). To help those 63 million users and anyone else who wants to build a website, last month Wix launched WixEd.
WixEd is a free online course all about building and maintaining a website through Wix. The course has three sections, but the first section is the only section teachers will need. The other two sections are about ecommerce and business development through websites. Each section of the course is comprised of a series of short videos followed by "homework" assignments.
Google demonstrates its free Translate App. I wonder if the speech translate works as well?
Google Translate vs. “La Bamba”