The St. Charles Health System may think they’ve met all
their obligations in their handling of an
insider snooping incident, but Deschutes County District Attorney John
Hummel says the matter should
have been reported to them for criminal investigation.
Now that’s interesting to think about. If a covered entity is convinced that an
employee snooped just out of curiosity and not for any intended misuse of
information for tax fraud, etc., should the covered entity be referring the
matter to law enforcement for criminal investigation?
Would employees be more hesitant about snooping if they
knew their employer could not just handle an incident internally and their name
and actions would be referred for a criminal investigation?
And would employers/covered entities be even more
motivated to prevent insider snooping if they knew they had to refer incidents
for criminal investigation if more than X number of patients were involved?
Probably true in this case, but what happens if someone
really does forget? How could I prove it? Should I have to?
Thomas Claburn reports:
The US Third Circuit Court of
Appeals today upheld a lower court ruling of contempt against a chap who
claimed he couldn’t remember the password to decrypt his computer’s hard
drives.
In so doing, the appeals court opted not to address a lower court’s
rejection of the defendant’s argument that being forced to reveal his password
violated his Fifth Amendment protection against self-incrimination.
Read more on The
Register.
Something for my Computer Security students to research!
Hacking Tools Get Peer Reviewed, Too
In September 2002, less than a year after Zacarias
Moussaoui was indicted by a grand jury for his role in the 9/11 attacks,
Moussaoui’s lawyers lodged an official complaint about how the government was
handling digital evidence. They
questioned the quality of the tools the government had used to extract data
from some of the more than 200 hard drives that were submitted as evidence in
the case—including one from Moussaoui’s own laptop.
When the government fired back, it leaned on a pair of
official documents for backup: two reports produced by the National Institute
of Standards and Technology (NIST) that described the workings of the software
tools in detail. The documents showed
that the tools were the right ones for extracting information from those
devices, the government lawyers argued, and that they had a track record of
doing so accurately.
It was the first time a NIST report on a digital-forensics
tool had been cited in a court of law. That
its first appearance was in such a high-profile case was a promising start for
NIST’s Computer Forensics Tool Testing (CFTT) project, which had begun about
three years prior. Its mission for
nearly two decades has been to build a standardized, scientific foundation for
evaluating the hardware and software regularly used in digital investigations.
… Today, the
CFTT’s decidedly retro webpage—emblazoned
with a quote from an episode of Star Trek: The Next Generation—hosts dozens of
detailed reports about various forensics tools. Some reports focus on tools that recover
deleted files, while others cover “file carving,” a technique that can
reassemble files that are missing crucial metadata.
There is a place for my Computer Security students in law
firms, but will the lawyers listen?
Lia Marie Brooks and Peter A. Nelson have an article on Harleysville
Insurance Co. v. Holding Funeral Home, Inc. that I nearly skipped. I’m glad I didn’t, because it may have some
applicability to cases where entities leave confidential or protected health
information on public FTP servers without any password protection and then try
to claim they were “hacked” when someone copies the data.
From their article:
The court found that the
disclosure was “inadvertent” under state law because the insurer “unknowingly
provided access to information by failing to implement sufficient precautions
to maintain its confidentiality.” Further, the court
held that the insurer waived any claim of privilege because the site was not
password protected and the information “was available for viewing by anyone,
anywhere who was connected to the internet and happened upon the site by use of
the hyperlink or otherwise.”
“In essence,” the court held, the
insurer had conceded that its actions were “the cyber world equivalent of
leaving its claims file on a bench in the public square and telling its counsel
where they could find it. It is hard to
imag[in]e [sic] an act that would be more contrary to protecting the
confidentiality of information than to post that information to the world wide
web.”
The court found that
disqualifying defense counsel would serve no practical purpose, as any replacement
counsel would be entitled to receive the same claims file in discovery. The court
also chastised defense counsel for downloading the claims file because a
confidentiality notice was displayed on the email message that was produced
with the hyperlink. “[B]y
using the hyperlink contained in the email containing a Confidentiality Notice
… defense counsel should have realized that the Box Site might contain
privileged or protected information.”
You can read their full article on Patterson Belknap Data
Security Law Blog.
For my Computer Security students.
Erich Falke writes:
Then there were two.
On March 16, 2017, the New Mexico
state legislature passed a bill requiring
that New Mexico residents be notified if their “personal identifying
information” was affected by a breach of electronic data. Upon signature of the bill, New Mexico will
join 47 other states requiring such notification, and the only states remaining without notification laws will be Alabama and
South Dakota.
Read more on Baker Hostetler Data
Privacy Monitor.
This could be amusing.
New Bill Forces Cybersecurity Responsibility Into the
Boardroom
A new bill introduced to the Senate seeks to change this
by requiring a board level statement of cyber security expertise or practice in
annual SEC filings.
S536, cited as the
'Cybersecurity Disclosure Act of 2017', is sponsored by Democrats Mark Warner
of Virginia and Jack Reed of Rhode Island, and Republican Susan Collins of
Maine. Its purpose is to promote
transparency in the oversight of cybersecurity risks at publicly traded
companies.
The bill (PDF)
defines a cyber security threat as any action not protected by the First
Amendment that "may result in an unauthorized effort to adversely impact
the security, availability, confidentiality, or integrity of an information
system or information that is stored on, processed by, or transiting an
information system..."
The bill then proposes
just three requirements under the aegis of the Securities and Exchange
Commission (SEC): that annual reports to the SEC must disclose the level of
cyber security expertise of the board; or, if none exists, what "other
cybersecurity steps taken by the reporting company were taken into account";
and that the definition of what constitutes
that expertise should come from the SEC in consultation with NIST.
… The effect of
the bill will be to make the board legally and transparently responsible for
cyber security. It is not the first
regulation to seek this effect in 2017. On 1 March, the New York Department of
Financial Services' 23 NYCRR 500
regulation came into force. That
regulation imposes a responsibility for regulated organizations to name a
'CISO' who will provide an annual cyber security report to be submitted and
signed off by the board to the regulator.
Taken together, these
two examples of new regulations suggest that regulatory authorities are no longer satisfied to make recommendations
about board-level security responsibility, but are now
ready to mandate and legally require it.
A wacky idea that might have some attraction. I have several students with military
experience. I’ll be interested to see
how they would structure something like this.
Perhaps a non-military version?
Experts divided on value of Cyber National Guard
This past weekend at SXSW, two Congressmen suggested that
the U.S. create a cybersecurity reserves system, similar to the National Guard,
but the idea has received a mixed welcome from the cybersecurity community.
According to House Rep. Will Hurd, a Republican from
Texas, a national cybersecurity reserve could help strengthen national security
and bring in a diversity of experience.
… "We have
military reserves for all the traditional branches of the armed services, but
nothing for the cyber realm, largely because of restrictive military hiring
policies that discourage information security professionals from joining
up," he said.
… For example,
typical reservists are trained to shoot a rifle, or pilot a helicopter, he
said, but cyber professionals are already trained. Plus, there's the culture gap, he added. "Being forced to cut their hair, having
to work out, being deployed away from their families."
"There are plenty of patriots in the ranks of the
cybersecurity elite, but not many who are going to leave lucrative corporate
and consulting gigs to join the military," said Jonathan Sander, vice
president of product strategy at Lieberman Software. "However, offer them an option to keep
their income but be on call to come to the national defense when it’s needed
and you may have a winning formula."
Tools for small businesses? But not at the Mom & Pop level.
Foursquare is launching an analytics platform to help
retailers understand foot traffic
While Foursquare started as a social check-in
app, the company has always said there is a bigger picture —
mainly related to unique ways of leveraging its database of check-ins
at nearly 100 million public places.
There’s no better example than when Foursquare predicted that Chipotle same-store sales would fall 29
percent after the Mexican chain was hit with E. coli outbreaks. The actual decline announced by Chipotle ended
up being a spot-on 30 percent.
As you can imagine, these analytics can be
very valuable to retailers, allowing them to better understand customers’
habits as well as predict store traffic.
So today the company is announcing Foursquare Analytics,
a foot-traffic dashboard for brands and retailers. The platform is available for retailers with
any number of stores, no matter how small. Previously the only way for companies to
access this data was through one-off deals with Foursquare.
Retailers will be able to use the dashboard to see
foot-traffic data across metrics
like gender, age and new versus returning customers — on a national
or citywide scale. They also can compare
their foot traffic against a set of competitors and
their category as a whole.
As long as they don’t screw this up too…
Samsung has a plan to turn Google into a dumb tube
Samsung has decided to wade into a massive battle over the
future of computing — and it has a huge potential advantage.
On Monday, the
South Korean electronics company announced "Bixby": A
voice-controlled AI assistant that lives inside your smartphone.
It now joins Google, Amazon, and Apple, who are all
betting that these virtual assistants will be the next major frontier in how
people interact with their devices. (They have Google Assistant, Alexa, and Siri,
respectively.)
Thanks to Samsung's vast range of appliances, which are
already sitting in consumers' homes, it has a massive potential head start on
its competitors, just waiting to be leveraged. And it could also help it lessen its
long-running dependence on Google.
(Related). Is this
the start of a ‘personal assistant’ war?
Amazon Using Trojan Horse Approach To Go After Smartphone
Voice Market
… Here we'll look
at the latest steps the e-commerce giant is taking to go beyond its own device
and have Alexa embedded in its competitors' devices.
This is important because the number of users of Apple's
iPhone and smartphones using Google's Android is very high. To go after that market while seeking to have
itself part of the home experience puts its competitors on the defensive as
they have to not only try to grow their own market share but defend themselves
from being overtaken in their own back yards.
In a way, with voice virtual assistants becoming a major
growth market segment of the future in tech, it's probably good for Amazon that
its attempt to introduce a smartphone failed. Like it does in retail, now it can compete
without a physical presence, focusing primarily on invading existing hardware
ecosystems. In other words, it doesn't
have to defend against its own smartphone devices as any success with its
competitors' devices will make it harder to root the company out of them as it
expands its presence into further devices and smart home appliances.
Interesting but not (yet) alarming.
5 reasons why China will rule tech, 2017 edition
I never would have thought of this. I wonder if my students have a different
perspective?
Now There's a Netflix-Like Service for Cadillacs
… Back in January,
GM launched Book by Cadillac, a
“luxury vehicle subscription service” that the company says is ideal for
drivers that don’t want to “worry about insurance premiums, taxes, maintenance
or mileage restrictions and no long-term commitment.”
Since its launch at the beginning of the year, 5,000
people have signed up for Book by Cadillac. It’s currently only available in the New York
City area, but the company has plans to expand the program to
other parts of the country.
Membership is on a month-to-month basis, and for a
one-time fee of $500 then $1500 each
month, participants have access to 10 different current-year car
models and can swap for a new one up to 18 times during the course of the year.
I must ask my students how many social media sites they
visit on a given day.
Keeping on top of your social networks is no easy
feat. In an ideal world, there’d be one
social network to keep up with. Perhaps
the next best thing is a platform that consolidates several of your social
accounts and feeds into one place.
Hootsuite
has stood the test of time. It’s not
perfect, but it’s by far the best option. You won’t be able to use it for all of
your social needs, but it can definitely help you stay up to date with more
social networks, both via your browser and on mobile.
Something to watch for…
MIT SMR and MIT Press Announce Book Publishing Partnership
… it is with great
excitement that I share the news that MIT Sloan Management Review
and MIT Press are joining forces to launch two new book series exploring the
digital frontiers of management. One
series will feature original titles. The
other series will collect the best MIT SMR articles on key digital
topics.
… Look for more
information about the series and how to submit proposals on our website coming
soon.