Tuesday, April 23, 2019


Perhaps this explains why management does not see a breach coming.
Erin Smith Aebel of Shumaker, Loop & Kendrick, LLP writes:
Health care providers and others who must comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) have specific requirements under the Security Rule to HIPAA when it comes to their maintenance of electronically held protected health information. One of those requirements is to conduct a Security Risk Assessment and to update it periodically.[1] The HIPAA Security Rule defines a risk analysis as an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”[2]
In my practice as a board certified health lawyer representing health care providers of all sizes in business and compliance, I regularly see providers either fail to create a HIPAA Security Risk Assessment or they have one that the Office for Civil Rights (“OCR”), the government agency responsible for enforcing HIPAA, would deem inadequate. It is, in fact, one of the most frequently investigated HIPAA compliance issues by the OCR.[3] This can lead to monetary penalties and can also create risks that result in expensive security breaches that must be reported under HIPAA or state privacy laws such as the Florida Information and Protection Act of 2014 (“FIPA”).[4]
Read more on JDSupra.




China’s version of the GDPR?
China’s Ministry of Public Security Issues New Personal Information Protection Guideline
On April 19, 2019, China’s Ministry of Public Security (“MPS”) released the final version of its Guideline for Internet Personal Information Security Protection (互联网个人信息安全保护指南) (the “Guideline”). A previous version of the Guideline was released for public comments on November 30, 2018.
The Guideline aims to protect personal information collected by “personal information holder[s],” a term defined as entities or individuals who “control and process personal information” during the information life cycle. The Guideline does not distinguish personal information controller and processor and thus will apply to both types of entities.




Leave it to the FTC?
Will the United States Finally Enact a Federal Comprehensive Privacy Law?
With this Congress, I think that a comprehensive privacy law is unlikely.
Preemption alone will be a very complicated issue.




Perspective.
Coffee with Privacy Pros: Three Constants of Privacy
… “Privacy was becoming the new black long before the GDPR,” Zefo admits. “I saw privacy as an opportunity for another career disruption.” Zefo is now the chief privacy officer for Uber, a company that has become a household name in under a decade and could possibly move toward a major public offering as early as this year.
Zefo is thoughtful, funny and to the point. She breaks down privacy into three pillars of challenge and constant consideration that should serve as a simple, recyclable reminder of what this profession is all about: laws, customers and technology. As she gets into the weeds of these three segments of the discipline, she illuminates potential opportunities for professionals looking to get ahead in the continuously competitive landscape of privacy.




Breach laws are the flip side of Privacy laws. (Says the non-lawyer.) Note the addition of many “ID numbers,” which are used in place of Social Security numbers.
From the Washington Attorney General’s Office yesterday, a press release on an expansion of the breach notification requirements. Of special note, under the new law, a hacker acquiring a name in combination with a student ID would trigger notification obligations, but only if the information was not secured or made unusable (e.g., by encryption) AND the breach is reasonably likely to subject consumers to a risk of harm. If there’s no reasonably likely risk of harm, then there is still no notification obligation, it seems — unless I’m reading the bill text incorrectly. I expect a number of law firms will be blogging about these amendments to the state law.
OLYMPIA — Today, with a unanimous, bipartisan vote, state legislators passed a bill requested by Attorney General Ferguson that strengthens data breach notification laws.
The bill expands consumer data breach notification requirements to include more types of consumer information. It also reduces the deadline to notify consumers to 30 days from 45 days.
The new law requires organizations to also notify consumers if a hacker accesses a consumer’s name in combination with the following:
Full birth dates
Health insurance ID numbers
Medical history
Student ID numbers
Military ID numbers
Passport ID numbers
Usernames and passwords
Biometric data, such as DNA profiles or fingerprints
Electronic signatures
Data breaches affected nearly 3.4 million Washingtonians between July 2017 and July 2018, a 26 percent increase over the previous year, according to the Attorney General’s Office third annual data breach report.




This is interesting. Broader application to warrantless surveillance?
Orin Kerr writes:
In a new case, Taylor v. City of Saginaw, the Sixth Circuit has ruled that the common practice of parking enforcement officers “chalking” a tire to see if the car has been moved violates the Fourth Amendment. I’m not sure the decision is correct. But it’s plausible on current law, and it raises some really interesting conceptual issues.
Here’s an overview of the new case and some thoughts on whether it’s right.
Read more on Reason.
[From the article:
First, the court reasons that the chalking is a search of the car because it is a trespass on to the car to obtain information under United States v. Jones. It's a trespass under Jones, the court says, because it satisfies the common law trespass test
Next, it is an act conducted to obtain information, as Jones requires:
Having concluded that the chalking was a search, the court then concludes that it was unreasonable and therefore unconstitutional. The basic idea here is that no exceptions to the warrant requirement apply, so by default the warrantless search is unlawful.




“All your base are belong to us.”
Hunton Andrews Kurth writes:
Earlier this month, the U.S. Department of Justice (“DOJ”) published a white paper entitled “Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act” (“White Paper”). The Clarifying Lawful Overseas Use of Data Act (the “CLOUD Act”) was enacted in March 2018 by the U.S. government to aid foreign and U.S. investigators in obtaining access to electronic information related to serious crimes and held by service providers. The CLOUD Act authorizes the U.S. to enter into bilateral agreements with foreign countries that abide by a baseline standard for rule-of-law, privacy and civil liberties protections to streamline processes for obtaining electronic evidence. The CLOUD Act also codifies the principle that a company subject to U.S. jurisdiction “can be required to produce data the company controls, regardless of where it is stored at any point in time.”
Update: Joe Cadillic submitted additional material in response to this post, and I’m moving it up here so everyone is sure to see it:
The Cloud Act Is Not a Tool for Theft of Trade Secrets:
After last year’s passage of the Clarifying Lawful Overseas Use of Data Act (Cloud Act), officials and journalists in the European Union have ramped up criticism of the American desire for extraterritorial access to electronic evidence, with some accusing the United States of being motivated by the desire to conduct economic espionage for the benefit of U.S. economic interests. A February piece from the French paper Les Echos said that “[m]any observers feel that American justice could be deploying [the Cloud Act] for purposes of economic espionage.” The article quotes the CEO of a French service provider as saying that some of his French clients come to his company specifically to avoid handing payroll information to the U.S. government or other services under U.S. control.




Perspective. What does Facebook gain?
Facebook’s new chief lawyer helped write the Patriot Act
Jennifer Newstead, a Trump appointee who served in the Justice Department under President Bush, will soon be taking over as general counsel of Facebook, the company announced in a press release on Monday afternoon. Newstead will take over from Colin Stretch, who announced plans to retire last year.
“Jennifer is a seasoned leader whose global perspective and experience will help us fulfill our mission,” Sheryl Sandberg said in a statement included with the release.
But many are already troubled by Newstead’s history lobbying and legislating for more powerful electronic surveillance. As The Hill points out, a 2002 Justice Department press release describes her as “helping craft” the legislation. Notorious Bush administration lawyer John Yoo described her as the “day-to-day manager of the Patriot Act in Congress” in his 2006 book.




An update to a very strange incident.
Former US Marine arrested in connection to raid on North Korean embassy in Spain
U.S. authorities have arrested a former U.S. Marine who is a member of a group that allegedly raided the North Korean embassy in Madrid in February and stole electronics, two sources familiar with the arrest said on Friday.
… Spanish investigators have said the intruders removed computers and hard drives from the embassy before fleeing to the United States, where they handed over the material to the FBI.
A Spanish judicial source said this week the material had been returned by Spanish authorities to Pyongyang's mission after being returned two weeks previously by the FBI to the Spanish court investigating the raid.




For my Computer Security geeks.
Excellent Analysis of the Boeing 737 Max Software Problems
This is the best analysis of the software causes of the Boeing 737 MAX disasters that I have read.
Technically this is safety and not security; there was no attacker. But the fields are closely related and there are a lot of lessons for IoT security – and the security of complex socio-technical systems in general – in here.




The perception of those in the trenches?


