data security

Wyndham Settles Data Breach Charges in Precedent-Setting Agreement With FTC

The hotel chain Wyndham Worldwide Corp. has settled data breach charges with the Federal Trade Commission, Reuters' Jonathan Stempel reports. The case was precedent setting because it was a test of the FTC's power to regulate data breaches as unfair or deceptive trade practices.

In the settlement, Wyndham must "establish a comprehensive information security program designed to protect cardholder data including payment card numbers, names and expiration dates," Stempel reports. The regulatory action was taken for breaches in which customers' credit card numbers were stolen.

Fines Rare for Healthcare Data Breaches

ProPublica's Charles Ornstein reports that federal regulators are rarely fining health care organizations for data breaches. There have been more than 1,140 large breaches affecting more than 41 million people in the last 5.5 years. But there have been fines levied just 22 times, even though the Health Information Technology for Economic and Clinical Health Act, known as the HITECH Act, has required healthcare providers to report breaches involving at least 500 patients since 2009.

FCC Enters Data Security Realm for First Time With $10 Mil. Fine

The Federal Communications Commission has entered the realm of data security for the first time--with a $10 million fine no less, the Washington Post's Brian Fung reports. The fine was levied against "two telecom companies that allegedly stored personally identifiable customer data online without firewalls, encryption or password protection. The two companies, YourTel America and TerraCom, share the same owners and management. From September 2012 to April 2013, the FCC said, the companies collected information online from applicants to Lifeline, the government's telephone subsidy program for poor Americans."

The data was discovered by reporters for the Scripps Howard News Service doing a simple Google search, Fung also reports.

What Laws Are Needed for the Internet of Things?

Jeff John Roberts, writing in GigaOM, describes how we don't yet have rules to govern the Internet connections that have been brought to physical devices--the so-called "internet of things": "The first murder through the internet of things will likely take place in 2014, police service Europol warned this month. The crime could be carried out by a pacemaker, an insulin dosage device, a hacked brake pedal or myriad other objects that control life-and-death functions and are now connected to the internet." He notes that there are completely open questions on whether manufacturers of Internet-connected devices are going to face liability for privacy breaches: "In the future, judges may start asking if the concept of 'privacy by design' should become a safety standard, and even require internet companies to adopt the same precautions as auto makers or playground designers."

Hacking of Health Records Only a Matter of Time

A series of data breaches have put higher pressure on Corporate America, including retailers like Target, to tighten its cybersecurity. But the health care sector is not engaged on the security of electronic health records and faces the risk of hackers exposing sensitive patient information, Politico reports: "As health data become increasingly digital and the use of electronic health records booms, thieves see patient records in a vulnerable health care system as attractive bait, according to experts interviewed by POLITICO. On the black market, a full identity profile contained in a single record can bring as much as $500."

Politico also points out that the exposure of information in a patient's health record, including medical history and family contacts, can't be undone.

Risk of Hackers to Corporate America Extends to Law Firms

Submitted by Amaris Elliott-Engel on Thu, 05/29/2014 - 19:04

The Connecticut Law Tribune published my piece this week about the risk law firms, including small ones, face from data breaches:

In recent months, corporate America has been shaken by several headline-grabbing data breaches.

Retailer Target's first quarter profits were down 16 percent after credit card and personal information of millions of its customers was stolen. Daily-deal website LivingSocial was hacked with more than 50 million users impacted. Last week, hackers gained access to the personal data of 145 million of eBay's online customers.

Lawyers are among the specialists called in to help with these security crises. But data breach risk doesn't belong to clients alone. Law firms of all sizes risk having client data and other sensitive materials exposed, legal and technical experts say.

In Massachusetts, state officials felt so strongly about the threat to law firms that they've planned a seminar for May 29. An email pitching the program to the state's lawyers says: "Hackers are now targeting small law firms because of the wealth of info in client files that can be used for identity theft – in family law, estate planning, real estate, elder law and other matters. And Mass. law requires you to notify clients of a data breach – do you really want to have to do that?"

Anthony Minchella says Connecticut lawyers shouldn't feel any more comfortable.

The owner of Minchella & Associates in Middlebury and the vice-chair of the Connecticut Bar Association's small firm practice management section, said in an email that "small firms or solos sometimes feel safe from cybersecurity threats, but that is completely false. No business is safe. Practices that obtain sensitive information, such as credit card numbers, often have the entire package of information a cyber-thief would need to steal an identity."

Monique Ferraro, a general practitioner in Waterbury who also runs a forensic technology business and lectures on IT security, said data breaches can be as simple as the loss of a lawyer's laptop or smartphone that isn't protected by a password. "I see a lot of lawyers who are not securing their data appropriately," Ferraro said.

Connecticut has put businesses of all types on notice that they have to take safeguards to prevent data breaches. Unfair trade practice charges can be brought against companies and organizations if they expose personal information like social security numbers, credit card numbers and driver's license numbers. And lawyers must provide notice to their clients and the Office of the Attorney General if they've suffered a data security breach.

There are at least three other ways that data breaches can occur, says Ellen Giblin, lead privacy and data security counsel with the Ashcroft Law Firm in Boston and manager of the data breach response teams for clients.

Hackers can keep pinging away at a law firm's information security apparatus until they break in. They can use an insider to provide them with sensitive information. Or they can "socially engineer" their way past IT security protocols by using phishing scams that entice lawyers to respond to fraudulent e-mails which, in turn, provide entree to their firms' electronic data.

Under the law, law firms are considered to be vendors, and vendors are required to have the appropriate "administrative, physical and technological safeguards in place" to ensure data security, Giblin said.

"It's important for law firms to always safeguard and keep confidential their client information, whether it's to protect attorney-client privilege" or to follow federal, state or other laws enacted to protect privacy and confidential information.

Not even the experts agree on how to best protect client data.

Lawyers Dan Siegel and Molly Gilligan, whose company, Integrated Technology Services, advises small and mid-sized law firms, said the best practice is to store client data with a cloud vendor on the web and on a hard drive in one's legal office.

It's the practice they use in their own businesses. Siegel, who is based in the Philadelphia suburbs, and Gilligan, a Quinnipiac University School of Law graduate now based in Maine, are using a remote case management system so they can work together in a law practice as well as in their technology business.

Cloud vendors can provide better security than a smaller law firm typically can come up with on its own, Siegel said.

But lawyers must do their due diligence and ensure that the vendor's terms of service acknowledge that the data belongs to the client, and not the vendor or the law firm, Siegel said. Lawyers should only use vendors that store the data in the U.S., he said.

The agreement with a cloud vendor also should cover what happens if the vendor goes out of business, Siegel said. If a vendor does go out of business, Siegel's firm has the encrypted data backed up on a hard drive, he said.

Connecticut bar officials have not issued an ethics opinion on whether it's appropriate for lawyers to entrust client data to a cloud computing service where the data is accessed over the Internet via a web browser, according to a tally by the American Bar Association. New York and Massachusetts have released ethics opinions on the topic; both jurisdictions require that lawyers exercise reasonable care in putting client data on the cloud.

Ferraro, however, does not recommend using cloud vendors, saying that law firms should be leery about trusting an outside company with such sensitive client information. "If you have control of your data," she said, "you have control over your data."

If lawyers choose to go the cloud route, Ferraro says they should get client consent before storing their data remotely. She prefers that lawyers store their own files, making sure they are encrypted. She recommends that attorneys install a self-encrypting hard drive on their computers.

Heidi Alexander, a law practice advisor with the Massachusetts Law Office Management Assistance Program, said that Dropbox, one of the most popular cloud providers, may not be the safest and most secure vendor to use because it has experienced some data breaches of its own. She, too, said that encryption is the best way to protect documents. She added that attorneys should make sure that passwords are strong and unique.

Both Ferraro and Giblin recommend a number of other data security policies. They said law firms should have policies that forbid the use of computers for personal purposes. Along the same lines, Ferraro said lawyers should have separate business and personal smartphones. Those phones should be password-controlled and include features that allow their digital contents to be erased from a remote location in case they are lost or stolen.

A law firm is going to experience a data breach and get into hot water, Ferraro and Giblin predicted.

Even though lawyers are supposed to notify their clients of data breaches under Connecticut law, "they don't do it and it's just a matter of time before this implodes upon itself," Ferraro said. There will be class action lawsuits or criminal investigations, she said.

Giblin predicts federal action at some point against a law firm. The Federal Trade Commission has prosecuted data security breaches as an unfair trade practice, she said. "If they haven't gone after a law firm, they will," Giblin said.

Gilligan said that there is a balance to be struck between security and efficiency with technology. Lawyers need to take reasonable steps to use technology to protect their clients' data, Gilligan said, but technology also is about "making your office more efficient and better able to serve your clients. There is a trade-off."

FTC's Power to Sue Over Data Security Upheld

The Federal Trade Commission has the authority to sue companies that neglect to secure their customers' data, U.S. District Judge Esther Salas of New Jersey ruled this week, according to a report in the National Journal. "If the court had sided with Wyndham [Hotels], it would have stripped the federal government of oversight of data security practices just as hackers begin to pull off more and more high-profile attacks," the Journal further reports. Wyndham argued that weak data security practices aren't an unfair business practice, which the FTC is authorized to regulate.

Panel: Disclosure, Not Consent, Will Protect Privacy in Era of Big Data

Submitted by Amaris Elliott-Engel on Tue, 03/18/2014 - 10:10

Consent does not protect privacy in the era of big data because it is not meaningful in an era of giving permission through clicks on a screen, said Kate Crawford, a researcher at Microsoft Research and MIT, at the Social, Cultural & Ethical Dimensions of 'Big Data' event held last night.

Big data analytics are being sliced and diced to create personalization and segmentation, Crawford said. But predictive analytics can create "predictive privacy harms" under the "rubric of personalization," Crawford said.

Instead of using consent to cure potential harms, there should be a data due process framework "placing accountability at the very end of the chain," Crawford argues. When data about a person is being used to make a decision that would affect their lives, disclosure should be mandated so that he or she can have the opportunity to respond, she further argues.

There should be more protection when the decisions involve important matters like health and employment, and there could be weaker protection when the decisions involve less weighty matters like advertising, Crawford said.

Even the most sophisticated systems can leak private information, Crawford said. Private signals can be combined with public signals so that people's privacy is deeply violated, Crawford said.

"We need to be a little bit more skeptical when people tell us data is going to be secure," Crawford said.

Steven Hodas, a consultant who has worked on data projects for educational systems, said that the backlash against InBloom, the company trying to collect, store and share student data with the support of the Gates Foundation, was because parents felt that their kids were being reduced to algorithms and they did not want teaching reimagined as educating a cohort.

Personalization does not mean more human interaction, but better data configuration, he said. We are "headed for dissonance with dissidence not too far behind," he said.

Parents want teachers to be "analog craftsmen, not maker bots," Hodas said.

The blowback against InBloom might have been averted if there had been portals for parents to access parent-oriented data, Hodas added.

Columbia University scholar Alondra Nelson said that data about genetics is a disproportionate issue for minorities because more minorities are arrested or convicted and have their DNA uploaded into criminal justice system databases. Blacks make up 13 percent of the American population, but they are 40 percent of felony convictions, she said. Even innocent people who are not ultimately convicted have their DNA included in the databases, she added.

In another example of how genetic data implicates privacy, sequencing the genome of the HeLa cell line and uploading it on-line meant that personal information about Henrietta Lacks, the woman from whose cervical cancer cells the cell line was developed, and her family could be identified, Nelson said. That included genetic markers for physical appearance and disposition for diseases.

The event was cohosted by the Data & Society Research Institute, the White House Office of Science and Technology Policy, and New York University's Information Law Institute. 

Nicole Wong, a former legal director at Twitter and now a deputy U.S. chief technology officer working in the White House's big data workgroup, said we need to "lean into those hard questions" about the issues of technology, privacy and individual liberties.

Federal Trade Commission Set to Regulate Your Spying Coffee Pot

The Federal Trade Commission is set to regulate connected devices that share consumer data. Or as GigaOm more pithily puts it: the Internet of Things. Why does this matter? GigaOm reports: "There are two issues at play here, one being the privacy of consumer data and the other being the security of the networks delivering that data. The privacy issue, however, also contains a security dimension since the devices can share things that affect a person’s safety — such as where they live and whether or not they are home."

Moreover, "EPIC, the Electronic Privacy Information Center, argues that the privacy implications of connectivity start with the devices, which could allow a person to be tracked continuously across a variety of networks," GigaOm also reports.

GigaOm's Stacey Higginbotham argues for a middle ground between stifling a new industry and consumer privacy.

California Court Rejects Private Cause of Action for Stolen Medical Data Without Proof of Harm

Drug and Device Blog reports on a California Court of Appeal decision in which an intermediate appellate panel held that the California Confidentiality of Medical Information Act does not allow for plaintiffs to sue over the negligent maintenance of their confidential medical information unless their information was accessed wrongfully or without authorization.

In the underlying case, a doctor took home a hard drive containing the personal health information for 16,000 patients. The hard drive, as well as the encryption passcodes, were stolen, but no one knows if the thief viewed or tried to view the patients' personal health information.

Drug and Device Blog said the case has "broad appeal because the fact pattern is so typical of 'data security breach' lawsuits: Private information resides on a stolen hard drive or is sent off into the ether with nary an indication that anyone received, reviewed, used, or otherwise paid any attention to the information. At another level, such lawsuits (which are usually class actions) almost never articulate any credible basis that the plaintiffs suffered any actual harm."
