Wednesday, April 17, 2019


An update.
Norsk Hydro Delays Financial Report Due to Cyberattack
Norwegian aluminum giant Norsk Hydro last week announced that its financial report for the first quarter of 2019 will be delayed by over one month due to the recent cyberattack that caused significant disruptions to the company’s operations.
The company has been transparent regarding the impact of the cyberattack, but it could not share too many technical details due to the ongoing law enforcement investigation. It revealed recently that the incident had caused losses of up to $41 million in the first week after the intrusion was uncovered.




File this under “less than adequate response?”
On April 5, Metrocare Services in Texas notified HHS that it was notifying 5,290 clients of a breach. A notice on their web site explains:
On February 6, 2019, we learned an unauthorized third party gained access into some Metrocare employees’ email accounts beginning on January 2019. We immediately took steps to secure the accounts and began an investigation. The investigation determined the unauthorized access occurred and could not rule out whether emails containing individuals’ information were accessed by the third party. We determined information of some individuals were in the affected email accounts, and may have included individuals’ names, dates of birth, health insurance information, driver’s license information, health information related to services received connected to Metrocare, and in some cases, Social Security numbers.
You can read the full notice on their site, which includes steps they have taken to prevent a recurrence. It’s a shame they didn’t take all of these steps in November, 2018 when they had what sounds like an identical breach, but did not follow up by implementing multifactor authentication. At that time, they wrote:
To help prevent something like this from happening in the future, Metrocare is taking steps to add additional security measures to its current information technology infrastructure, including strengthening its email system, and providing additional information security training to its employees.
That incident has no closing summary on HHS’s public breach, so it may still be under investigation.
This time, they write:
To help prevent something like this from happening in the future, we are taking steps to add additional security measures to our current information technology infrastructure, including strengthening the security of our e-mail system and have implemented multi-factor authentication on its email systems.
The breach in 2018 affected more than 1,800 patients. The more recent breach, which was also discovered within a month after it started, affected more than 5,200 patients. Will OCR find Metrocare’s actions reasonable? And what happens if this happens again?




More concerns.
GDPR, CCPA, LGDP and More: Staying Afloat in the Sea of Global Privacy Regulations
The global privacy legislation landscape continues to be a complex sea to navigate. To date we have seen 117 omnibus laws (GDPR) and another 28 sectoral laws (CCPA) come into play. We are expecting more amendments to the CCPA and LGDP, and there seems to be no end in sight to countries and regions bringing their own legislation into effect over the coming months.


(Related)
The EDPB’s Narrow View of Contractual Necessity
According to the EDPB, processing must be necessary for the particular contract at issue to be carried out.


(Related) Thank you Harvard! A new term and the need for Privacy Audits.
Don’t Acquire a Company Until You Evaluate Its Data Security
When Marriott International acquired Starwood in 2016 for $13.6 billion, neither company was aware of a cyber-attack on Starwood’s reservation system that dated back to 2014. The breach, which exposed the sensitive personal data of nearly 500 million Starwood customers, is a perfect example of what we call a “data lemon” — a concept drawn from economist George Akerlof’s work on information asymmetries and the “lemons” problem. Akerlof’s insight was that a buyer does not know the quality of a product being offered by a seller, so the buyer risks purchasing a lemon — think of cars.
We are extending that concept to M&A activity. In any transaction between an acquiring company and a target company (seller), there is asymmetric information about the target’s quality. While managers have long understood this concept, recent events shed light on an emerging nuance in M&A — that of the data lemon. That is, a target’s quality may be linked to the strength of its cybersecurity and its compliance with data privacy regulation. When an acquirer does not protect itself against a data lemon and seek sufficient information about the target’s data privacy and security compliance, the acquirer may be left with a data lemon — a security breach, for example — and resulting government penalties, along with brand damage and loss of trust.




Will the survey show that Facebook is bad or that its users are ignorant? How would you run this survey?
State Launches Online Data Survey as Part of Facebook Probe
Democratic Gov. Andrew Cuomo announced Tuesday that information provided through an online consumer data privacy survey will help state regulators make policy decisions regarding the internet marketplace and how personal data is used by companies.
Among the questions on the state survey are how many smart devices are in a respondent’s household and whether they know how to access privacy settings.




Sounds like they suspect a source of bias…
The artificial intelligence field is too white and too male, researchers say
The artificial intelligence industry is facing a “diversity crisis,” researchers from the AI Now Institute said in a report released today, raising key questions about the direction of the field.
Women and people of color are deeply underrepresented, the report found, noting studies finding that about 80 percent of AI professors are men, while just 15 percent of AI research staff at Facebook and 10 percent at Google are women.


(Related) Sometimes you need bias.
Uber launched a Saudi Arabia-only feature that lets female drivers avoid taking male passengers




Because it impacts everything?
The Consumer Protection Ecosystem: Law, Norms, and Technology
Bradley, Christopher G., The Consumer Protection Ecosystem: Law, Norms, and Technology (March 8, 2019). Denver Law Review, Vol. 97, 2019. Available at SSRN: https://ssrn.com/abstract=3349190 or http://dx.doi.org/10.2139/ssrn.3349190
Consumer law provokes fierce policy debate on issues from identity theft to online privacy, from arbitration clauses and class action lawsuits to Americans’ accumulation of debt and the unsavory practices sometimes used to collect. Pervasive technology in every aspect of consumer transacting has opened up many new fronts in these battles. Scholars, policymakers, and advocates have responded in kind, devoting increased energy to this area of law, which affects every single one of us, every single day. Despite its prominence, however, confusion persists regarding what consumer protection really is or does. The realities of social and technological change have not been integrated into legal analyses of consumer transactions.
This Article constructs a novel and comprehensive model of the consumer protection ecosystem by contextualizing purely legal constraints amid the other realities of commercial relationships. Drawing on scholarship in the areas of technology, social change, and the law, the model lays out three basic types of constraints on the activities of participants in consumer commercial transactions: legal, technical, and social constraints. This model provides a basis for exploring how those constraints interact and shape behavior.
The model has significant ramifications for scholars, policymakers, and advocates. The model underscores why the area of consumer-facing commerce defies one-size-fits-all solutions; instead, it demands refined and layered consideration of consumers, merchants, and the commercial relationships they pursue, as well as the changes in the social and technological contexts of those relationships. This Article’s model provides a framework for that future research and debate.




Simple, free, useful? Do you have an old spreadsheet lying around?
Glide - Make Your Own App by Just Making a Spreadsheet
Glide is an amazing free tool that I featured in a presentation during yesterday's TLA Tech Glamp. Glide enables anyone who can make a spreadsheet in Google Sheets to create his or her own mobile app. If that sounds simple, that's because it is just that simple. The headers that you put into your spreadsheet and the data that you enter into your spreadsheet is used by Glide to generate a mobile app for you that will work on Android and iOS devices.
To get started making your first app with Glide you will need to create a spreadsheet in Google Sheets. Your spreadsheet's column headers are what will become the sections of your app. The information that you enter into your spreadsheet's columns is what will be displayed within each section of your app. You can include links to videos, images, and maps in your spreadsheet and those items will be included in your app too.
After you have created your spreadsheet in Google Sheets, go to Glideapps.com and connect to your Google account. That connection will allow you to import your Google Sheet. Once your spreadsheet is imported you will be able to see a preview of your app. You can change the layout and color scheme of your app in the Glide editor. When you're happy with how it looks, hit the share button to publish your app for others to see. You can share your app publicly via QR code and public URL or you can share your app privately via email.




For my geeks.
10 Algorithms Every Machine Learning Enthusiast Should Know


