Saturday, March 14, 2020


A precedent for Clearview?
LinkedIn Appeals Important CFAA Ruling Regarding Scraping Public Info Just As Concerns Raised About Clearview
Last fall we were happy to see the 9th Circuit rule against LinkedIn in its CFAA case against HiQ. If you don't recall, the CFAA is the "anti-hacking" law that has been widely abused over the years to try to shut down perfectly reasonable activity. At issue is whether "scraping" information violates a terms of service, and thus, the CFAA. A few years back, the same court ruled in favor of Facebook against Power Ventures, saying that even though Power's users gave permission to Power and handed over their login credentials, Power was violating the CFAA in scraping Facebook, because the information was behind a registration wall -- and because Facebook had sent a cease-and-desist.
In the HiQ case, despite what seemed to be a similar fact pattern, the court ruled against LinkedIn, saying it could not block HiQ's scraping via a CFAA claim, with the main "difference" being that LinkedIn information was publicly viewable, and therefore should be open to scraping.
Of course, one thing that's notable since the 9th Circuit ruling came down -- all of the attention that Clearview AI has received over the last few months, for its frightening facial recognition app, built of of scraping "public" social media images and profiles. This use of scraping has convinced some -- even some who seemed to support the HiQ ruling -- that perhaps there should be limits on scraping. I think that's a kneejerk reaction, and focusing in too narrowly on the wrong issue. The issue there is not with scraping, but with the specific use of the data as an attack on privacy going well beyond the internet itself (i.e., tracking and identifying people out in the real world). It's one thing to focus on that issue, as opposed to saying that's an argument against free scraping.




A good ‘bad example?’
Sunshine Behavioral Health Group Faces Class Action Under CCPA After Data Breach Affecting 3,500 Patients
Linn F. Freedman of Robinson & Cole LLP writes that Sunshine Behavioral Health Group is facing a potential class action lawsuit. The case is Fuentes v. Sunshine Behavioral Health Group LLC and it was filed this week in the Central District of California. The case is drawing some attention because it it one of the first suits to be filed under California’s new Consumer Privacy Act (CCPA). As Freedman explains, if the plaintiff can show he was injured and the injury was due to the defendant violating the law, the plaintiff might survive a motion to dismiss.
The plaintiff, Hector Fuentes, claims that since the data breach, which the complaint alleges began on March 1, 2017:
someone has attempted to fraudulently open a credit card in Mr. Fuentes’ name. Since the Data Breach, Mr. Fuentes has begun receiving magazine subscriptions in his name that he did not purchase and receiving invoices for those magazine subscriptions. Since learning of the Data Breach, Mr. Fuentes has become worried that he will become a victim of identity theft or other fraud which is causing him stress and anxiety. Since learning of the Data Breach, Mr. Fuentes has spent in excess of 10 hours of his own time trying to make sure he has not and does not become victimized because of the Data Breach.
So Fuentes is alleging damages, and claims that the damages were due to Sunshine not having adequate security in place, despite having been put on notice by federal law enforcement and HHS about the risk of hacks. As Freedman notes, however, it is not clear from the complaint whether Fuentes provided 30 days notice to Sunshine to implement security measures before he filed suit seeking to require them to implement security measures.
But there also appear to be other problems with the plaintiff’s complaint.
As regular readers may recall, DataBreaches.net broke the story of the data leak after being tipped to it by a researcher. This site first notified Sunshine of their leak on September 4, 2019 and followed up when they did not take immediate action. The second phone call resulted in them taking some steps to protect the data. But when Sunshine did not disclose the breach by 60 days after this site notified them, DataBreaches.net went public about the leak and what this site found in the data. This site also reported the fact that in November, it notified Sunshine again after realizing that their files were still available for download without any login required if one had already noted the urls for the files during the initial leak. Given that Sunshine Behavioral Health deals with the treatment of alcohol and drug addiction, its patient population and patient records are very sensitive.
Was the exposed data exfiltrated, as the Fuentes’s complaint alleges? Certainly it must have been exfiltrated by at least one party, as this site had been provided a copy of the data by the whitehat researcher who had discovered the leak. But how many other entities accessed, viewed, and/or exfiltrated their data? Sunshine Behavioral Health did not respond to inquiries by DataBreaches.net until their external counsel got involved and contacted this site to inquire as to whether we would destroy any data and certify that we had destroyed it. It was only then that this site was able to get statements confirming that Sunshine Behavioral Health had reported the incident to HHS/OCR and to affected patients, but no other information was provided.
From a quick skim of the complaint, it appears that a lot of the complaint seems to be premised on treating this as a hacking case resulting from the defendant’s’s negligence, but this wasn’t a hacking case. Not to minimize the seriousness of a leak of sensitive information, but this was a data leak or help yourself situation, and the risk of becoming a fraud victim or identity theft victim from a leak may not be the same as the risks of those outcomes from a hack situation.
The complaint also raises the issue that Sunshine’s notification to patients was not timely under either HIPAA or California’s Confidentiality of Medical Information Act (CMIA). And also of concern to the plaintiff, Sunshine allegedly did not offer those affected any fraud insurance or mitigation for those who might become fraud victims. According to the complaint, Sunshine (only) offered those affected 24 months of credit monitoring, which is not the same thing.
The complaint is confusing in that regard, because Sunshine’s notification on their website dated January 21 (well before the complaint was filed), includes this statement:
If we have confirmed that your personal information was affected by the incident, we are offering MyIDCare protection through ID Experts for 24 months at no cost.
MyIDCare does appear to include the kind of mitigation help the plaintiff is asking for– identity recovery and assistance and $1 million ID theft insurance.
Sunshine Behavioral Health was asked if they wished to comment on the litigation but did not respond at all by publication time.




Some exemptions will become commonplace?
Privacy Advocates and Businesses Take Issue With India’s New Data Protection Law
India’s long-awaited national data protection law, the Personal Data Protection Bill, is under inspection by a joint parliamentary committee. The bill has yet to be adopted as a law, and could potentially change in form before it is, but at the moment looks to become one of the world’s strongest pieces of legislation of this nature. At least in terms of the way it regulates private companies; privacy advocates are voicing opposition to the fact that it makes broad exceptions for government agencies, such that they would have essentially unfettered access to personal data with little oversight. Private companies are also objecting to the terms, which stipulate fines and costs they feel are too high.




Nice to know China is taking care of its US customers.
Chinese billionaire Jack Ma to send 500K coronavirus test kits, 1 million face masks to US


(Related) It would be nice if our most famous (just ask him) billionaire also did something useful. “I know more than the Google!”
Trump says Google is building a site to help people find coronavirus tests
messaging from Alphabet reps, after President Donald Trump and others described the effort at a White House press conference, stressed that the project the company is working on is in its early stages and will initially be offered to residents in and around San Francisco and Silicon Valley.
At the press conference, Trump said Google had “1,700 engineers working on this right now.”




Anything to get rid of my students find my students jobs!
Future-Proof Your Career With This FREE Ebook
In this free copy of Career Leap, worth $16, Michelle Gibbings answers these questions, showing you “what you need to know, how you need to change and how you can prepare for the inevitable tides of change.”
This free offer expires 24 March 2020.



No comments: