There are Best Practices for dealing with a
breach. Ignore them at your own risk.
On August 1, I noted some media reports about a breach at the Siouxland Pain Clinic. As I mentioned, the reports raised more questions than they answered. Mike Bell of the Sioux City Journal now has a few more details:
Siouxland Pain Clinic sent letters Friday
to more than 13,000 patients that their medical and other personal
information may have been exposed in a hacking attack, a lawyer for
the clinic said Monday.
“We never did prove that any
information was taken, but we could not disprove that, either,”
said Lonnie Braun, an attorney in Rapid City, S.D.
Braun said patients’ names, medical
information, Social Security numbers and addresses may have been
compromised when the clinic’s server was hacked between March 26
and April 2.
As to how the clinic learned of the breach, well,
it’s still not clear who notified them. Bell reports:
The clinic was notified of the breach June 26. Braun said the firm that discovered it said the investigation showed the hackers were Chinese.
So it was an external party that alerted them to
the breach on June 26? If so, the patients are lucky that the breach
didn’t go undetected for even longer.
As of this morning, there is still no notice
linked from the clinic’s home page, and the incident is not yet up
on HHS’s public breach tool. Nor can I find any substitute
notices, although Google is not great about indexing
classifieds/legal notices, so it may have appeared in local media
already.
It is somewhat surprising that the clinic is not
offering patients free credit monitoring services if Social Security
numbers were involved. Although not all entities do that, it
seems like a good litigation defense in terms of mitigation and it’s
better from a public relations perspective to do something
to help patients instead of just leaving them to arrange for
monitoring at their own expense.
Another organization (the whole federal
government) in need of some Best Practices education. Was this
package addressed to “Benjamin Krause or current resident?” No
signature required?
Benjamin Krause, an investigative reporter,
Veterans law attorney, and a disabled veteran of the US Air Force,
has a site called DisabledVeterans.org. One of his posts showed up
in one of my searches, and I thought it was worth noting here.
In the context of discussing a recent VA breach and government accountability, Benjamin writes:
I personally had VA VocRehab mistakenly
mail an entire copy of my file to my old address from two years
earlier – a large apartment complex in a major American city.
There is no telling where the files ended up.
Veterans Affairs indignantly declined to
proactively retrieve the documents and told me to call the cops if I
was worried about it. I repeat, the agency made me do the leg work
to try to recover my files that were mistakenly delivered to the
wrong address.
I did call the cops. They were confused why VA would not take charge of the recovery of my files and said there was little they could do unless a crime was committed.
VA offered me one year of identity
protection. That was it. Meanwhile, over 1,000 pages of files
containing everything about me were misplaced and now floating around
somewhere in the United States.
Did anyone get reprimanded for the
cockup? No. Did I get the records back? No.
What a crock. How is it that we live in
a country where the Federal government is not held accountable?
It’s an excellent question. All a-flutter over the OPM breach, Congress is trying to enact legislation that will provide longer credit monitoring and greater liability protection to those affected by that breach, but as Benjamin notes, after-the-fact credit monitoring is often neither sufficient nor satisfactory.
Should the VA have gone to the apartment complex
or attempted to track down Benjamin’s errant files if they erred by
not updating his mailing address? According to the VA’s monthly
reports to Congress, mailing errors happen (there were 161 paper
mis-mailing incidents in June, 2015). Indeed, paper incidents
account for the bulk of VA breaches that result in the exposure of
personally identifiable or protected health information.
But if the VA sends out literally millions of mailings each month (over 7 million in June, 2015), is 161 an acceptable error rate? If not, should the VA reduce paper mailings where electronic transmission is a viable alternative? Or should it use a more costly mailing system – requiring a signature for delivery – when a veteran’s files with sensitive information are being mailed?
Mistakes will happen either way, and Benjamin
raises a valid question: what should the VA do to mitigate or
remediate? Could they have at least initiated a trace request with
the post office? Why should Benjamin – or any other veteran –
have the burden and worry of trying to track down their personal and
sensitive information when the VA makes a mistake? Don’t our
veterans have enough problems without being told that the VA won’t
even try to track down their mis-mailed records?
A “we really screwed up” reaction or something
else? Best Practices don't come overnight.
Linn Foster Freedman of Robinson & Cole provided this update on their Data Privacy + Security Insider blog:
The Senate Appropriations Committee has
approved funding to provide the 22 million individuals affected by
the OPM data breaches with 10
years of credit monitoring services and $5 million in liability
protection for damages, extending the OPM’s offer of
three years of services for those affected by the background check
breach and 18 months for those affected by the breach of personnel
records.
OPM also requested an appropriation of $37 million to beef up its security, but the request was rejected by the Committee.
The voice vote approval must move through
both the House and the Senate before the protections can become
available to affected individuals.
If this passes, will it raise the bar for breach
remediation/mitigation in other cases, or will defenders argue,
“Well, this was unusual because it was a foreign government getting
information on government employees and so is riskier?”
Looks like all those “rumors” were true.
About the name I mean, the spying was a given.
On The Register:
Special Report: Duncan Campbell has spent decades unmasking Britain’s super-secretive GCHQ, its spying programmes, and its cosy relationship with America’s NSA. Today, he retells his life’s work exposing the government’s over-reaching surveillance, and reveals documents from the leaked Snowden files confirming the history of the fearsome ECHELON intercept project. This story is also published simultaneously today by The Intercept, and later today we’ll have video of Duncan describing ECHELON and related surveillance matters.
Wasn't this the DHS's idea in the first place? Oh
I get it now, they want total control.
Dennis Fisher reports:
A major information-sharing bill that’s
in the Senate right now would allow private organizations to share
threat data with any government agency, something that the Department
of Homeland Security says could have severe privacy implications and
cause confusion and inefficiencies inside the federal government.
The bill, known as the Cybersecurity
Information Sharing Act, would allow private companies and other
organizations to share vulnerability information and threat
indicators with government agencies under most circumstances.
[From the article: The letter, written in response to a letter last month from Franken to DHS Secretary Jeh Johnson, also says that if organizations are trying to share information through many different agencies, it could become confusing and inefficient.]
(Related) Three words: Total Information Awareness
Joe Cadillic takes a look at the relationship
between some companies and the Department of Homeland Security and
raises the question as to whether students’ biometric data may be
in the hands of DHS “fronts.”
Do you know enough about the vendors or software
your child’s school or university may be using to collect biometric
data?
Is Joe just paranoid or haven’t we looked
closely enough at some ties?
Could be amusing.
From EFF:
San Francisco – Responding to a troubling rise in law enforcement’s use of high-tech surveillance devices that are often hidden from the communities where they’re used, the Electronic Frontier Foundation (EFF) today launched the Street-Level Surveillance Project (SLS), a Web portal loaded with comprehensive, easy-to-access information on police spying tools like license plate readers, biometric collection devices, and “Stingrays.”
The SLS Project addresses an information gap that
has developed as law enforcement agencies deploy sophisticated
technology products that are supposed to target criminals but that in
fact scoop up private information about millions of ordinary,
law-abiding citizens who aren’t suspected of committing crimes.
Government agencies are less than forthcoming about how they use these tools, which are becoming more and more sophisticated every year, and often hide the facts about their use from the public. What’s more, police spying tools are being used first in low-income, immigrant, and minority communities — populations that may lack access to information and resources to challenge improper surveillance.
“Law enforcement agencies at the federal, state, and local level are increasingly using sophisticated tools to track our cell phone calls, photograph our vehicles and follow our driving patterns, take our pictures in public places, and collect our fingerprints and DNA. But the public doesn’t know much about those tools and how they are used,” said EFF Senior Staff Attorney Jennifer Lynch. “The SLS Project provides a simple but in-depth look at how these surveillance technologies work, who makes and uses them, and what kind of data they are collecting. We hope that community groups, advocacy organizations, defense attorneys, and individuals all take advantage of the information we’ve gathered.”
The SLS Project website went live today with extensive information on biometric technologies which collect fingerprints, DNA, and face prints as well as on automated license plate readers (ALPRs)—cameras mounted on patrol cars and on city streets that scan and record the plates of millions of cars across the country. Each topic includes explainers, FAQs, infographics, and links to EFF’s legal work in courts and legislatures. Information about “Stingrays”—devices that masquerade as cell phone towers and trick mobile phones into connecting with them to track phone locations in real time—drones, and other surveillance technologies will be added in the coming months.
“The public has heard or read so much about NSA spying, but there’s a real need for information and resources about surveillance tools being used by local law enforcement on our home turf. These technologies are often adopted in a shroud of secrecy, but communities deserve to understand these technologies and how they may be violating our rights,” said EFF Activist Nadia Kayyali. “The SLS Project is a much-needed tool that can help communities under surveillance start a conversation about how to advocate for limiting or stopping their use.”
Amazon probably self-insures, but what risks do
they see? Aside from getting shot down in Kentucky.
Caitlin Bronson reports:
As new privacy laws governing the use of commercial drones begin to take effect, independent insurance agents are finding difficulty adequately sourcing the risk of privacy-related litigation against drone users.
According to Jason Riley, vice president of aviation wholesale broker Halton Hall, many insurers are willing to offer aircraft liability policies or aviation CGLs for drones. Components coverage, though expensive, is also available for cameras, gimbals and other accessories.
What’s harder to find is coverage for
potential privacy violations.
Defining “Harm.”
Since the Seventh Circuit revived the class action lawsuit, Remijas v. Neiman Marcus, there has been a lot of buzz about how the opinion will make it easier for consumers going forward. The opinion (appended to this file) addresses Article III standing, which has been a major stumbling block in the majority of lawsuits.
But skip on over to the Third Circuit for a minute, where it appears that the FTC submitted a filing on July 24th that tries to use the Neiman Marcus opinion to support its case against Wyndham. The FTC argues, in part:
… The court there held that even though the
victims were reimbursed for fraudulent charges, plaintiffs had
alleged “identifiable costs associated with the process of sorting
things out,” including “the aggravation and loss of value of the
time needed to set things straight, to reset payment associations
after credit card numbers are changed, and to pursue relief for
unauthorized charges.” Slip Op. 7. Those alleged harms were
sufficient to give plaintiffs standing.
Wyndham’s lawyers fired back that the FTC’s contention is incorrect:
As an initial matter, Remijas is inconsistent with other data breach cases, including this Court’s decision in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011). More importantly, Remijas did not address the consumer-injury requirements of Section 5—only the less rigorous standing requirements of Article III.
While the test for constitutional standing is exceedingly low, see, e.g., Blunt v. Lower Merion Sch. Dist., 767 F.3d 247, 278 (3d Cir. 2014) (requiring only “some specific, identifiable trifle of injury”), the FTC Act contains two additional requirements: the injury must be (1) “substantial,” which, to have any meaning, must be something more than the injury required by Article III; and, (2) not “reasonably avoidable by consumers themselves.” 15 U.S.C. § 45(n). Those requirements mean that time and money spent resolving fraudulent charges cannot satisfy Section 5(n), even if they might confer standing under Article III.
“We haven't got a law yet” is the equivalent
of “We just invented a new sin!” Your guide to infinite riches.
Wendy Davis reports:
Shutterfly is asking a federal judge in
Illinois to dismiss a lawsuit accusing the company of violating a
state privacy law by compiling a database of “faceprints.”
“Helping a user re-identify his own
friends within his own digital photo album does not violate any law,”
Shutterfly writes in a dismissal motion filed on Friday with U.S.
District Court Judge Charles Norgle in Illinois.
Shutterfly’s papers come in response to a lawsuit filed in June by Illinois resident Brian Norberg.
(Related) The Internet of Things is a lawless
zone. Think “Jeep hack.”
W. David Stephenson writes:
Could this be the incident that finally
gets everyone in the IoT industry to — as
I’ve said repeatedly in the past — make privacy and security
Job 1 — and to drop the lobbying groups’ argument that government
regulation isn’t needed?
I hope so, because the IoT’s future is
at stake, and, frankly, not enough companies get it.
Interesting
Americans’ Attitudes About Privacy, Security and Surveillance
Pew – Americans’ Views About Data Collection and Security By Mary Madden and Lee Rainie: “Contrary to assertions that people “don’t care” about privacy in the digital age, this survey suggests that Americans hold a range of strong views about the importance of control over their personal information and freedom from surveillance in daily life. As earlier studies in this series have illustrated, Americans’ perceptions of privacy are varied in important ways and often overlap with concerns about personal information security and government surveillance.
In practice, information scholars have noted that privacy is not something one can simply “have,”
but rather is something people seek to “achieve”
through an ongoing process of negotiation of all the ways that
information flows across different contexts in daily life. The data
from the new Pew Research surveys suggest that Americans consider a
wide array of privacy-related values to be deeply important in their
lives, particularly when it comes to having a sense of control over
who collects information and when and where activities can be
observed. When they are asked to think about all of their daily
interactions – both online and offline – and the extent to which
certain privacy-related values are important to them, clear
majorities believe every dimension below is at least “somewhat
important” and many express the view that these aspects of personal
information control are “very important.” The full range of
their views is captured in the chart below and more detailed analysis
is explored after that.”
This could never happen here, could it? Oh the
horror!
Porn ban could cost Indian ISPs, telcos 30-70% of data revenue
… “Through our discussions with the various
Internet Service Providers (ISPs), we have been able to estimate that
as much as 30-70% of the total browsing in the country is related to
pornography,” a senior executive at an Internet industry body said.
“It’s very difficult to be any more specific than that since
putting together a data packet specific inspection of what users are
browsing could be seen as a breach of privacy,” added this person
who asked not to be identified.
Perspective. The future according to Harvard.
The Age of the Robot Worker Will Be Worse for Men
Many economists and technologists believe the
world is on the brink of a new industrial revolution, in which
advances in the field of artificial intelligence will obsolete human
labor at an unforgiving pace. Two Oxford researchers recently analyzed the skills required for more than 700 different
occupations to determine how many of them would be susceptible to
automation in the near future, and the news was not good: They
concluded that machines are likely to take over 47 percent of today’s
jobs within a few decades.
This is a dire prediction, but one whose
consequences will not fall upon society evenly. A close look at the
data reveals a surprising pattern: The jobs performed primarily by
women are relatively safe, while those typically performed by men are
at risk.
… Many of the jobs held by men involve
perception and manipulation, often in conjunction with physical
exertion, such as swinging a hammer or trimming trees. The latest
mobile robots combine advanced-sensory systems with dexterous
manipulators to successfully perform these sorts of tasks.
Other, more cerebral male-dominated professions
aren’t secure either. Many occupations that might appear to
require experience and judgment—such as commodity traders—are
being outdone by increasingly sophisticated machine-learning programs
capable of quickly teasing subtle patterns out of large volumes of
data.
For my students, just in case they were asleep in
class.
34 Tech Tools Small Business Owners Rely on Most
(Related) Extensions like these are available in
every browser.
10 Awesome Social Media Add-ons You’ll Love for Opera
For my students who look up!
Put a Planetarium in Your Web Browser
Planetarium by Neave Interactive is a website on which you can specify your current location and it will show you a map of the night sky based upon your location and the date. You can also use Planetarium without specifying your location and instead explore the night sky from any place on Earth. For Google Chrome users, Planetarium offers a Chrome Web App that you can add to your browser.
For all my students.
WixED Teaches You How to Build a Website...on Wix
Wix is a popular DIY website creation tool. They claim to have more than 63 million registered users (source: CrunchBase). To help those 63 million users and anyone else who wants to build a website, last month Wix launched WixEd.
WixEd is a free online course all about building and maintaining a website through Wix. The course has three sections, but the first section is the only section teachers will need. The other two sections are about ecommerce and business development through websites. Each section of the course is comprised of a series of short videos followed by "homework" assignments.
Google demonstrates its free Translate App. I wonder if the speech translate works as well?
Google Translate vs. “La Bamba”