Thursday, June 13, 2019


Regular reports of “who can access” and “who did access” should go to every manager of people or data. And they should look at them!
Brian Higgins reports:
P.E.I.’s privacy watchdog wants Health PEI to keep closer tabs on one of its employee’s use of patient health records, following a privacy breach last year at Queen Elizabeth Hospital.
That’s according to a new report by Information and Privacy Commissioner Karen Rose, posted May 30.
According to the report, in March 2018, a patient received a copy of their electronic patient chart from Health PEI. That chart included a log showing who had accessed the patient’s health information, and when.
Read more on CBC.ca.
[From the article:
The commissioner recommended Health PEI introduce regular auditing of the employee's access to patient records, with particular attention to the personal health information of the patient whose privacy was breached.]
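The two reports the commissioner's recommendation implies, as an added example that is not code from the article, Health PEI or the commissioner's report: a "who did access" listing for one patient's chart, and a periodic watch-list report that flags every access by a named employee to a named patient's record. The log entries, user IDs and patient IDs are constructed for the example.

```python
"""Added example: a minimal 'who did access' audit over constructed
EHR access-log records. All user and patient identifiers are made up."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: (timestamp, user_id, patient_id, action).
# The repeated, after-hours entries for user "emp042" on patient "P-1001"
# are the kind of pattern a periodic audit is meant to surface.
SAMPLE_LOG = [
    ("2018-03-02T09:14:00", "nurse17", "P-1001", "view"),
    ("2018-03-02T11:40:00", "emp042", "P-1001", "view"),
    ("2018-03-03T08:05:00", "dr_lee", "P-2002", "view"),
    ("2018-03-05T22:31:00", "emp042", "P-1001", "view"),
    ("2018-03-06T10:00:00", "emp042", "P-3003", "view"),
    ("2018-03-09T23:02:00", "emp042", "P-1001", "print"),
]

def parse_log(rows):
    """Turn raw tuples into dicts with real datetime objects."""
    return [
        {"ts": datetime.fromisoformat(ts), "user": u, "patient": p, "action": a}
        for ts, u, p, a in rows
    ]

def patient_access_report(events, patient_id):
    """'Who did access' for one chart, the log a patient can request:
    sorted (timestamp, user, action) tuples for that patient only."""
    hits = [e for e in events if e["patient"] == patient_id]
    return sorted((e["ts"].isoformat(), e["user"], e["action"]) for e in hits)

def watchlist_report(events, watched_users, watched_patients):
    """Flag every access by a watched user to a watched patient.
    Returns {user: [(timestamp, patient, action), ...]} so a manager's
    periodic report lists exactly the events that need review."""
    flagged = defaultdict(list)
    for e in events:
        if e["user"] in watched_users and e["patient"] in watched_patients:
            flagged[e["user"]].append((e["ts"].isoformat(), e["patient"], e["action"]))
    return dict(flagged)

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for row in patient_access_report(ev, "P-1001"):
        print(*row)
    print(watchlist_report(ev, {"emp042"}, {"P-1001"}))
```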




If you offer a tool to anyone potentially threatening the state, the state will react. (Best description of DDoS I have ever seen!)
Telegram Hit by Cyber-attack, CEO Points to HK Protests, China
Encrypted messaging service Telegram suffered a major cyber-attack that appeared to originate from China, the company's CEO said Thursday, linking it to the ongoing political unrest in Hong Kong.
Many protesters in the city have used Telegram to evade electronic surveillance and coordinate their demonstrations against a controversial Beijing-backed plan that would allow extraditions from the semi-autonomous territory to the mainland.
"Historically, all state actor-sized DDoS (200-400 Gb/s of junk) we experienced coincided in time with protests in Hong Kong (coordinated on @telegram)," he tweeted.
"This case was not an exception."
"Imagine that an army of lemmings just jumped the queue at McDonald's in front of you – and each is ordering a whopper," it said, referring to the flagship product of Burger King.
"The server is busy telling the whopper lemmings they came to the wrong place – but there are so many of them that the server can't even see you to try and take your order."




It’s a mess.
Senators Question FBI on Russian Hack of Voting Firm
In a letter sent to FBI Director Christopher Wray, Democratic Sens. Ron Wyden of Oregon and Amy Klobuchar of Minnesota, who is the ranking member of the committee with jurisdiction over federal elections, asked for answers by July 12 regarding steps the agency has taken in response to the breach of VR Systems’ computer servers.
Robert Mueller’s report on Russia’s interference in the 2016 election describes how Kremlin-backed spies installed malware on the network of an unnamed company that “developed software used by numerous U.S. counties to manage voter rolls.”
VR Systems has said it believes it is the company referred to in the report. The Tallahassee, Florida-based company has maintained, however, that its system was never penetrated. It told Wyden in a letter last month that the cybersecurity firm Fire Eye conducted a security audit and found no evidence of a breach.
The Department of Homeland Security said last week that its computer experts will examine North Carolina polling equipment supplied by VR Systems, at the state’s request. The forensic analysis will look at laptops and replicas of computer hard drives that were used in heavily Democratic Durham County to determine whether hacking was responsible for malfunctions on election day in 2016.
State and local officials said previously they found no indication that the software system, used for voter registration and check-in, had been targeted by hackers, but they never did a forensic examination. VR Systems has blamed the trouble on poorly trained poll workers and inadequate computer maintenance. A report by a security consultant hired by Durham County’s elections board supported that claim.


(Related) ...and it’s going to get worse.
Mitch McConnell is Making the 2020 Election Open Season for Hackers
Senator Ron Wyden, the Oregon Democrat who sits on the Intelligence Committee, predicts that the 2020 election will make what happened in 2016 “look like small potatoes.” “It’s not just the Russians,” he told me. “There are hostile foreign actors who are messing with two hundred years’ worth of really precious history.” Wyden recently reintroduced the PAVE Act, a wish list of election-security provisions that failed to get through the Senate last year. The measure includes the use of hand-marked paper ballots and a prohibition on wireless modems and other kinds of Internet connectivity, all of which have been advocated by computer scientists and other election experts for years.
But with the Senate Majority Leader, Mitch McConnell, making it clear that he will not advance any election-security legislation




Interesting discussion.
Profiling and the GDPR: An interview with Mark Singer and Raf Sanchez




Let the lawsuits begin!
This is huge. Warwick Ashford reports:
The Austrian Supreme Court has rejected all attempts by Facebook to block a lawsuit in Vienna on fundamental privacy issues.
Facebook had attempted to block the case by Austrian lawyer and privacy activist Max Schrems by questioning whether it is possible to bring a case about rights under the EU’s General Data Protection Regulation (GDPR) before the courts.
Facebook argued that only the Irish data protection commissioner has jurisdiction in this case, while the Vienna Regional Court declared that it did not have jurisdiction.
However, the Appellate Court and the Austrian Supreme Court have now made it clear that everyone has a right to file a lawsuit based on the GDPR.
Read more on ComputerWeekly.




Allow me to clearly state my obfuscation with the simplest of bemused befuddlement. (Amusing graphic)
We Read 150 Privacy Policies. They Were an Incomprehensible Disaster.
Only Immanuel Kant’s famously difficult “Critique of Pure Reason” registers a more challenging readability score than Facebook’s privacy policy.
Google’s privacy policy evolved over two decades — along with its increasingly complicated data collection practices — from a two-minute read in 1999 to a peak of 30 minutes by 2018.
The policy became more readable at the expense of brevity after the introduction of the General Data Protection Regulation, the European Union data privacy protection framework that went into effect a year ago. The regulation includes a clause requiring privacy policies to be delivered in a “concise, transparent and intelligible form, using clear and plain language.”
And if states continue to draft their own data protection laws, as California is doing with its Consumer Privacy Act, privacy policies could balloon with location-specific addendums.




For my summer Security Compliance class.
Regulating Big Tech: Legal Implications
CRS Legal Sidebar via LC – Regulating Big Tech: Legal Implications. June 11, 2019. “Amidst growing debate over the legal framework governing social media sites and other technology companies, several Members of Congress have expressed interest in expanding current regulations of the major American technology companies, often referred to as “Big Tech.” This Legal Sidebar provides a high-level overview of the current regulatory framework governing Big Tech, several proposed changes to that framework, and the legal issues those proposals may implicate. The Sidebar also contains a list of additional resources that may be helpful for a more detailed evaluation of any given regulatory proposal…”


