Tuesday, February 26, 2019

Everybody’s doing it. Not just evil hackers.
Huawei Frightens Europe's Data Protectors. America Does, Too
A foreign power with possible unbridled access to Europe’s data is causing alarm in the region. No, it’s not China. It’s the U.S.
As the U.S. pushes ahead with the “Cloud Act” it enacted about a year ago, Europe is scrambling to curb its reach. Under the act, all U.S. cloud service providers from Microsoft and IBM to Amazon – when ordered – have to provide American authorities data stored on their servers regardless of where it’s housed. With those providers controlling much of the cloud market in Europe, the act could potentially give the U.S. the right to access information on large swaths of the region’s people and companies.
… The Cloud Act (or the “Clarifying Lawful Overseas Use of Data Act”) addresses an issue that came up when Microsoft in 2013 refused to provide the FBI access to a server in Ireland in a drug-trafficking investigation, saying it couldn’t be compelled to produce data stored outside the U.S.
The act’s extraterritoriality spooks the European Union – an issue that’s become more acute as trans-Atlantic relations fray and the bloc sees the U.S. under Trump as an increasingly unreliable ally.




For my Computer Security students.
Practitioner’s Guide for Assessing the Maturity of IoT System Security
The Industrial Internet Consortium® (IIC™), now incorporating OpenFog, announces the Security Maturity Model (SMM) Practitioner’s Guide, which provides detailed actionable guidance enabling IoT stakeholders to assess and manage the security maturity of IoT systems.


(Related)
European Telecommunications Standards Institute Publishes New IoT Security Standard
On February 19, the European Telecommunications Standards Institute (ETSI) published the ETSI TS 103 645 V1.1.1 – or more simply, a high-level outcome-focused standard (PDF) for cybersecurity in the consumer-oriented Internet of Things (IoT).
The cybersecurity provisions are provided in section 4 of the standard. There are thirteen in total, some being simple statements and others comprising multiple subsections. For example, the total of provision 4.1 requires little more than its heading: "No universal default passwords."




Too useful to stop, so we’d best figure out how to do it correctly.
Jeffrey C. Skinner and Craig A. Newman of Patterson Belknap write:
The use of biometric technology is fast becoming the next big thing in privacy litigation. There was last month’s decision by the Illinois Supreme Court that upheld a consumer’s right to sue companies for collecting biometric data – such as fingerprints and iris scans – without first disclosing how such information will be used. See our blog on that ruling here.
And now, the debate surrounding the use and collection of biometric data has expanded beyond challenging the biometric collection practices in the private sector, to challenging the practices of state and local governments including law enforcement.
In Center for Genetics and Society v. Becerra, a lawsuit filed late last year in California state court, two nonprofit organizations and an individual sued the state of California, challenging its DNA Fingerprint, Unsolved Crime and Innocence Protection Act (the “DNA Act”). The DNA Act authorizes the retention of DNA samples collected from people arrested on suspicion of a felony.
Read more on Data Security Law Blog.




What would a few thousand carefully worded discovery requests do to a small firm?
Californians could sue companies over privacy violations
State officials proposed a new amendment to the California Consumer Privacy Act (CCPA) on Monday that would allow consumers to sue companies that violate the new law. Currently, consumers can only file a lawsuit if they're victims of a data breach and only when the state's department of justice has decided not to sue on consumers' behalf.
… James P. Steyer, CEO of Common Sense, a non-profit organization that promotes safe technology use, said the amendment will take some of the burden of enforcing and monitoring violations off the attorney general's plate.
"Companies with endless resources will do everything they can to make it difficult for the AG," Steyer said in a statement. "By allowing consumers their own right to take action to hold bad actors accountable for violating their privacy, this law adds needed enforcement teeth to CCPA and Common Sense is firmly in support."
The amendment would also remove the current waiting period that gives businesses 30 days to attempt to remedy a violation and retract any exposed data from public view to avoid penalties.
… This new amendment follows legislation proposed on Thursday that would require companies to notify California residents when their passport, passport card or green card numbers are compromised in data breaches. It would also require customers be notified of compromised biometric information such as fingerprints.


(Related) Some topics that need discussion?
You’re Invited to an In-Person Event: CCPAnow: Understanding the Challenge Ahead And What You Should Be Doing Now
A few key topics that will be addressed are:
  • How should you interpret key definitions like “personal information,” “sale,” “third party,” and “business” when operationalizing the CCPA?
  • How far does a business have to go to implement a consumer’s opt-out of sales to third parties?
  • How will the financial incentives and anti-discrimination provisions actually work when consumers exercise their rights?
  • What is happening in the California Office of the Attorney General’s rulemaking process once the March 8th deadline for written comments has passed?


(Related)
How important is your privacy?
Axios: “…A full 81% of consumers say that in the past year they’ve become more concerned with how companies are using their data, and 87% say they’ve come to believe companies that manage personal data should be more regulated, according to a survey out Monday by IBM’s Institute for Business Value. Yes, but: They aren’t totally convinced they should care about how their data is being used, and many aren’t taking meaningful action after privacy breaches, according to the survey. Despite increasing data risks, 71% say it’s worth sacrificing privacy given the benefits of technology…”




Lawyers recommending surveillance?
Joe Cadillic writes:
Arizona State University (ASU), which spent $307 million to renovate Sun Devil Stadium, has learned a lot about Smart City surveillance.
ASU used facial recognition to spy on alumni, students, faculty and families. And now they want to share what they learned by bringing it to a stadium or city near you.
An article in the Tech Republic revealed that Sun Devil Stadium and Croke Park in Ireland used facial recognition cameras to spy on fans.
Read more on MassPrivateI.




My students would never make such an assumption!

