Tuesday, August 04, 2015

There are Best Practices for dealing with a breach. Ignore them at your own risk.
On August 1, I noted some media reports about a breach at the Siouxland Pain Clinic. As I mentioned, the reports raised more questions than they answered. Mike Bell of the Sioux City Journal now has a few more details:
Siouxland Pain Clinic sent letters Friday to more than 13,000 patients that their medical and other personal information may have been exposed in a hacking attack, a lawyer for the clinic said Monday.
“We never did prove that any information was taken, but we could not disprove that, either,” said Lonnie Braun, an attorney in Rapid City, S.D.
Braun said patients’ names, medical information, Social Security numbers and addresses may have been compromised when the clinic’s server was hacked between March 26 and April 2.
As to how the clinic learned of the breach, well, it’s still not clear who notified them. Bell reports:
The clinic was notified of the breach June 26. Braun said the firm that discovered it said the investigation showed the hackers were Chinese.
So it was an external party that alerted them to the breach on June 26? If so, the patients are lucky that the breach didn’t go undetected for even longer.
Read more on Sioux City Journal.
As of this morning, there is still no notice linked from the clinic’s home page, and the incident is not yet up on HHS’s public breach tool. Nor can I find any substitute notices, although Google is not great about indexing classifieds/legal notices, so it may have appeared in local media already.
It is somewhat surprising that the clinic is not offering patients free credit monitoring services if Social Security numbers were involved. Although not all entities do that, it seems like a good litigation defense in terms of mitigation and it’s better from a public relations perspective to do something to help patients instead of just leaving them to arrange for monitoring at their own expense.




Another organization (the whole federal government) in need of some Best Practices education. Was this package addressed to “Benjamin Krause or current resident?” No signature required?
Benjamin Krause, an investigative reporter, Veterans law attorney, and a disabled veteran of the US Air Force, has a site called DisabledVeterans.org. One of his posts showed up in one of my searches, and I thought it was worth noting here.
In the context of discussing a recent VA breach and government accountability, Benjamin writes:
I personally had VA VocRehab mistakenly mail an entire copy of my file to my old address from two years earlier – a large apartment complex in a major American city. There is no telling where the files ended up.
Veterans Affairs indignantly declined to proactively retrieve the documents and told me to call the cops if I was worried about it. I repeat, the agency made me do the leg work to try to recover my files that were mistakenly delivered to the wrong address.
I did call the cops. They were confused why VA would not take charge of the recovery of my files and said their was little they could do unless a crime was committed.
VA offered me one year of identity protection. That was it. Meanwhile, over 1,000 pages of files containing everything about me were misplaced and now floating around somewhere in the United States.
Did anyone get reprimanded for the cockup? No. Did I get the records back? No.
What a crock. How is it that we live in a country where the Federal government is not held accountable?
It’s an excellent question. All a-flutter over the OPM breach, Congress is trying to enact legislation that will provide longer credit monitoring and greater liability protection to those affected by that breach, but as Benjamin notes, after-the-fact credit monitoring is often not sufficient nor satisfactory.
Should the VA have gone to the apartment complex or attempted to track down Benjamin’s errant files if they erred by not updating his mailing address? According to the VA’s monthly reports to Congress, mailing errors happen (there were 161 paper mis-mailing incidents in June, 2015). Indeed, paper incidents account for the bulk of VA breaches that result in the exposure of personally identifiable or protected health information.
But if the VA sends out literally millions of mailings each month (over 7 million in June, 2015), is 161 an acceptable error rate? If not, should the VA reduce paper mailings where electronic transmission is a viable alternative? Or should it use a more costly mailing system – of requiring a signature for delivery – when a veterans’ files with sensitive information are being mailed?
Mistakes will happen either way, and Benjamin raises a valid question: what should the VA do to mitigate or remediate? Could they have at least initiated a trace request with the post office? Why should Benjamin – or any other veteran – have the burden and worry of trying to track down their personal and sensitive information when the VA makes a mistake? Don’t our veterans have enough problems without being told that the VA won’t even try to track down their mis-mailed records?




A “we really screwed up” reaction or something else? Best Practices don't come overnight.
Linn Foster Freedman of Robinson & Cole provided this update on their Data Privacy + Security Insider blog:
The Senate Appropriations Committee has approved funding to provide the 22 million individuals affected by the OPM data breaches with 10 years of credit monitoring services and $5 million in liability protection for damages, extending the OPM’s offer of three years of services for those affected by the background check breach and 18 months for those affected by the breach of personnel records.
OPM also requested an appropriation of $37 million to beef up its security, but the request was rejected by the Committee.
The voice vote approval must move through both the House and the Senate before the protections can become available to affected individuals.
If this passes, will it raise the bar for breach remediation/mitigation in other cases, or will defenders argue, “Well, this was unusual because it was a foreign government getting information on government employees and so is riskier?”




Looks like all those “rumors” were true. About the name I mean, the spying was a given.
On The Register:
Special ReportDuncan Campbell has spent decades unmasking Britain’s super-secretive GCHQ, its spying programmes, and its cosy relationship with America’s NSA. Today, he retells his life’s work exposing the government’s over-reaching surveillance, and reveals documents from the leaked Snowden files confirming the history of the fearsome ECHELON intercept project. This story is also published simultaneously today by The Intercept, and later today we’ll have video of Duncan describing ECHELON and related surveillance matters.
Read more on The Register.




Wasn't this the DHS's idea in the first place? Oh I get it now, they want total control.
Dennis Fisher reports:
A major information-sharing bill that’s in the Senate right now would allow private organizations to share threat data with any government agency, something that the Department of Homeland Security says could have severe privacy implications and cause confusion and inefficiencies inside the federal government.
The bill, known as the Cybersecurity Information Sharing Act, would allow private companies and other organizations to share vulnerability information and threat indicators with government agencies under most circumstances.
Read more on ThreatPost.
[From the article:
The letter, written in response to a letter last month from Franken to DHS Secretary Jeh Johnson, also says that if organizations are trying to share information through many different agencies, it could be come confusing and inefficient.


(Related) Three words: Total Information Awareness
Joe Cadillic takes a look at the relationship between some companies and the Department of Homeland Security and raises the question as to whether students’ biometric data may be in the hands of DHS “fronts.”
Do you know enough about the vendors or software your child’s school or university may be using to collect biometric data?
Is Joe just paranoid or haven’t we looked closely enough at some ties?




Could be amusing.
From EFF:
San Francisco – Responding to a troubling rise in law enforcement’s use of high-tech surveillance devices that are often hidden from the communities where they’re used, the Electronic Frontier Foundation (EFF) today launched the Street-Level Surveillance Project (SLS), a Web portal loaded with comprehensive, easy-to-access information on police spying tools like license plate readers, biometric collection devices, and “Stingrays.’’
The SLS Project addresses an information gap that has developed as law enforcement agencies deploy sophisticated technology products that are supposed to target criminals but that in fact scoop up private information about millions of ordinary, law-abiding citizens who aren’t suspected of committing crimes. Government agencies are less than forthcoming about how they use these tools, which are becoming more and more sophisticated every year, and often hide the facts about their use from the public. What’s more, police spying tools are being used first in low-income, immigrant, and minority communities — populations that may lack access to information and resources to challenge improper surveillance.
“Law enforcement agencies at the federal, state, and local level are increasingly using sophisticated tools to track our cell phone calls, photograph our vehicles and follow our driving patterns, take our pictures in public places, and collect our fingerprints and DNA. But the public doesn’t know much about those tools and how they are used,’’ said EFF Senior Staff Attorney Jennifer Lynch. “The SLS Project provides a simple but in-depth look at how these surveillance technologies work, who makes and uses them, and what kind of data they are collecting. We hope that community groups, advocacy organizations, defense attorneys, and individuals all take advantage of the information we’ve gathered.”
The SLS Project website went live today with extensive information on biometric technologies which collect fingerprints, DNA, and face prints as well as on automated license plate readers (ALPRs)—cameras mounted on patrol cars and on city streets that scan and record the plates of millions of cars across the country. Each topic includes explainers, FAQs, infographics, and links to EFF’s legal work in courts and legislatures. Information about “Stingrays’’—devices that masquerade as cell phone towers and trick mobile phones into connecting with them to track phone locations in real time—drones, and other surveillance technologies will be added in the coming months.
“The public has heard or read so much about NSA spying, but there’s a real need for information and resources about surveillance tools being used by local law enforcement on our home turf. These technologies are often adopted in a shroud of secrecy, but communities deserve to understand these technologies and how they may be violating our rights,’’ said EFF Activist Nadia Kayyali. “The SLS Project is a much-needed tool that can help communities under surveillance start a conversation about how to advocate for limiting or stopping their use.’’
For Street-Level Surveillance Project: https://www.eff.org/sls




Amazon probably self-insures, but what risks do they see? Aside from getting shot down in Kentucky.
Caitlin Bronson reports:
As new privacy laws governing the use of commercial drones begin to take effect, independent insurance agents are finding difficulty adequately sourcing the risk of privacy-related litigation against drone users.
According to Jason Riley, vice president of aviation wholesale broker Halton Hall, many insurers are willing to offer aircraft liability policies or aviation CGLs for drones. Components coverage, though expensive, is also available for cameras, gimbles and other accessories.
What’s harder to find is coverage for potential privacy violations.




Defining “Harm.”
Since the Seventh Circuit revived the class action lawsuit, Remijas v. Neiman Marcus, there has been a lot of buzz about how the opinion will make it easier for consumers going forward. The opinion (appended to this file), addresses Article III standing, which has been a major stumbling block in the majority of lawsuits.
But skip on over to the Third Circuit for a minute, where it appears that the FTC submitted a filing on July 24th that tries to use the Neiman Marcus opinion to support its case against Wyndham. The FTC argues, in part:
… The court there held that even though the victims were reimbursed for fraudulent charges, plaintiffs had alleged “identifiable costs associated with the process of sorting things out,” including “the aggravation and loss of value of the time needed to set things straight, to reset payment associations after credit card numbers are changed, and to pursue relief for unauthorized charges.” Slip Op. 7. Those alleged harms were sufficient to give plaintiffs standing.
Wyndham’s lawyers fired back that the FTC’s contention is incorrect:
As an initial matter, Remijas is inconsistent with other databreach cases, including this Court’s decision in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011). More importantly, Remijas did not address the consumer-injury requirements of Section 5—only the less rigorous standing requirements of Article III.
While the test for constitutional standing is exceedingly low, see, e.g., Blunt v. Lower Marion Sch. Dist., 767 F.3d 247, 278 (3d Cir. 2014) (requiring only “some specific, identifiable trifle of injury”), the FTC Act contains two additional requirements: the injury must be (1) “substantial,” which, to have any meaning, must be something more than the injury required by Article III; and, (2) not “reasonably avoidable by consumers themselves.” 15 U.S.C. § 45(n). Those requirements mean that time and money spent resolving fraudulent charges cannot satisfy Section 5(n), even if they might confer standing under Article III.




“We haven't got a law yet” is the equivalent of “We just invented a new sin!” Your guide to infinite riches.
Wendy Davis reports:
Shutterfly is asking a federal judge in Illinois to dismiss a lawsuit accusing the company of violating a state privacy law by compiling a database of “faceprints.”
“Helping a user re-identify his own friends within his own digital photo album does not violate any law,” Shutterfly writes in a dismissal motion filed on Friday with U.S. District Court Judge Charles Norgle in Illinois.
Shutterfly’s papers come in response to a lawsuit filed in June by Illinois resident Brian Norberg.
Read more on MediaPost.


(Related) The Internet of Things is a lawless zone. Think “Jeep hack.”
W. David Stephenson writes:
Could this be the incident that finally gets everyone in the IoT industry to — as I’ve said repeatedly in the past — make privacy and security Job 1 — and to drop the lobbying groups’ argument that government regulation isn’t needed?
I hope so, because the IoT’s future is at stake, and, frankly, not enough companies get it.




Interesting
Americans’ Attitudes About Privacy, Security and Surveillance
by Sabrina I. Pacifici on Aug 3, 2015
Pew – Americans’ Views About Data Collection and Security By Mary Madden and Lee Rainie: “Contrary to assertions that people “don’t care” about privacy in the digital age, this survey suggests that Americans hold a range of strong views about the importance of control over their personal information and freedom from surveillance in daily life. As earlier studies in this series have illustrated, Americans’ perceptions of privacy are varied in important ways and often overlap with concerns about personal information security and government surveillance. In practice, information scholars have noted that privacy is not something one can simply “have,” but rather is something people seek to “achieve” through an ongoing process of negotiation of all the ways that information flows across different contexts in daily life. The data from the new Pew Research surveys suggest that Americans consider a wide array of privacy-related values to be deeply important in their lives, particularly when it comes to having a sense of control over who collects information and when and where activities can be observed. When they are asked to think about all of their daily interactions – both online and offline – and the extent to which certain privacy-related values are important to them, clear majorities believe every dimension below is at least “somewhat important” and many express the view that these aspects of personal information control are “very important.” The full range of their views is captured in the chart below and more detailed analysis is explored after that.”




This could never happen here, could it? Oh the horror!
Porn ban could cost Indian ISPs, telcos 30-70% of data revenue
… “Through our discussions with the various Internet Service Providers (ISPs), we have been able to estimate that as much as 30-70% of the total browsing in the country is related to pornography,” a senior executive at an Internet industry body said. “It’s very difficult to be any more specific than that since putting together a data packet specific inspection of what users are browsing could be seen as a breach of privacy,” added this person who asked not to be identified.




Perspective. The future according to Harvard.
The Age of the Robot Worker Will Be Worse for Men
Many economists and technologists believe the world is on the brink of a new industrial revolution, in which advances in the field of artificial intelligence will obsolete human labor at an unforgiving pace. Two Oxford researchers recently analyzed the skills required for more than 700 different occupations to determine how many of them would be susceptible to automation in the near future, and the news was not good: They concluded that machines are likely to take over 47 percent of today’s jobs within a few decades.
This is a dire prediction, but one whose consequences will not fall upon society evenly. A close look at the data reveals a surprising pattern: The jobs performed primarily by women are relatively safe, while those typically performed by men are at risk.
… Many of the jobs held by men involve perception and manipulation, often in conjunction with physical exertion, such as swinging a hammer or trimming trees. The latest mobile robots combine advanced-sensory systems with dexterous manipulators to successfully perform these sorts of tasks.
Other, more cerebral male-dominated professions aren’t secure either. Many occupations that might appear to require experience and judgment—such as commodity traders—are being outdone by increasingly sophisticated machine-learning programs capable of quickly teasing subtle patterns out of large volumes of data.




For my students, just in case they were asleep in class.
34 Tech Tools Small Business Owners Rely on Most


(Related) Extensions like these are available in every browser.
10 Awesome Social Media Add-ons You’ll Love for Opera




For my students who look up!
Put a Planetarium in Your Web Browser
Planetarium by Neave Interactive is a website on which you can specify your current location and it will show you a map of the night sky based upon your location and the date. You can also use Planetarium without specifying your location and instead explore the night sky from any place on Earth. For Google Chrome users, Planetarium offers a Chrome Web App that you can add to your browser.




For all my students.
WixED Teaches You How to Build a Website...on Wix
Wix is a popular DIY website creation tool. They claim to have more than 63 million registered users (source: CrunchBase). To help those 63 million users and anyone else who wants to build a website, last month Wix launched WixEd.
WixEd is a free online course all about building and maintain a website through Wix. The course has three sections, but first section is the only section teachers will need. The other two sections are about ecommerce and business development through websites. Each section of the course is comprised of a series of short videos followed by "homework" assignments.




Google demonstrates its free Translate App. I wonder if the speech translate works as well?
Google Translate vs. “La Bamba”


No comments: