Internet, Information Technology & e-Discovery Blog

Social changes brought about by the Internet & Technology

GUEST BLOG: Do you know which 2 states don’t have data breach notification laws?

Posted in Cyber, eCommerce

My Guest Blogger Eddie Block (CISSP, CIPM, CIPP/G, CISA, CEH) is a senior attorney in Gardere’s Litigation Group and member of the Cybersecurity and Privacy Legal Services Team who focuses on all aspects of information cyber security, including credentialing functions, firewall and IDS deployment and monitoring, and penetration testing, and related complex litigation.  Eddie blogs at JurisHacker.

Eddie Block Dec 2 2016

Breach notification laws: Better privacy or the 10th circle?

Now only Alabama and South Dakota do not have a notification law on the books, since on April 19, 2017 New Mexico became the 48th state to enact a data breach notification law.

On the one hand this is good news for the privacy of New Mexicans.  They are now ensured they will have notice of a breach of their personally identifying information.  They will have the opportunity to mitigate the damage resulting from such a personal exposure.

For security and privacy folks, though, there is a different perspective.  We now have 48 distinct regulations to track.  If I have a client that does business across the country, I have to ensure I am able to help them comply with 48 different (and sometimes contradictory) regulations.  As an example, assume I have a client doing business in Texas, Oklahoma, and Colorado:

  • Texas and Oklahoma consider a driver’s license an element of personally identifying information; Colorado does not.
  • Colorado requires notification to the credit reporting agencies (CRA) if more than 1000 records are breached.  CRA reporting is required in Texas if more than 10,000 records are breached.  Oklahoma does not require CRA reporting at all.
  • Oklahoma allows for electronic communications if the cost of written communication exceeds $50,000; in Texas and Colorado it is only allowable if the costs exceed $250,000.

Add the other 45 states to the mix and the mapping becomes complex.  I won’t comment on whether there is a “better” rule, but the hodgepodge of requirements makes it more difficult for everyone.   This is the type of conflict that is ripe for a federal rule to unify requirements.  Unfortunately the attempts to do so over the past few years have failed to garner much attention.

BTW:  For the curious, there are at least 89 different countries with breach or privacy laws.  A breach at a multi-national corporation can be very complex.

Do you believe China’s new cyber laws are for real?

Posted in Cyber, eCommerce

Reuters reported that a new Chinese law “would require firms exporting data to undergo an annual security assessment law….[and] would ban the export of any economic, technological or scientific data whose transfer would pose a threat to security or public interests. It would also require firms to obtain the consent of users before transmitting data abroad.” The April 11, 2017 Reuters report entitled “China draft cyber law mandates security assessment for outbound data” included these comments about the new law, which is open for public comment until May 11:

Any business transferring data of over 1,000 gigabytes or affecting over 500,000 users will be assessed on its security measures and on the potential of the data to harm national interests, showed the draft from the Cyberspace Administration of China.

The law would ban the export of any economic, technological or scientific data whose transfer would pose a threat to security or public interests. It would also require firms to obtain the consent of users before transmitting data abroad.

The proposed law, which focuses on personal information security, comes just a day after state media reported government rewards of $1,500 to $73,000 for citizens who report suspected spies.

Skeptics have criticized the proposed cyber law, “calling rules ‘vague’ and claiming they unfairly target foreign companies with stringent requirements.”

Everything on the Dark Web is not illegal, only half!

Posted in Cyber, eCommerce

In a recent interview, Terbium CEO Danny Rogers reported that his research on the Dark Web “found that actually half the content floating around on [the Dark Web] is perfectly legal and benign…It’s the other half you really have to worry about – a lot of it is illegal drugs; a lot of it is stolen credit cards, other stolen data, and those are the parts that one specifically has to worry about.”  The interview entitled “The Dark Web: 5 Things to Know” included these comments under topic three, legal considerations:

Then, just storing and accessing other kinds of stolen information – technically, it’s always important to remember that when you’re looking at this data breach stuff, you’re touching stolen property.

How do you provide this search capability, or how do you search this part of the internet without accidentally trafficking in stolen goods, whether that’s through bit torrents, or just in the process of indexing these parts of the internet?

It is really important because I think more and more there’s going to be attention paid and enforcement activity around accidentally both proliferating this material and incentivizing the people who are doing the stealing to put it out there.

Here are all 5 of the topics included in Mr. Rogers’ interview:

  1. What’s required to access the dark web?
  2. Given the mythology about the dark web, how do you separate fact from fiction?
  3. What are the legal considerations they need to weigh?
  4. What about technical and even trade craft considerations?
  5. The dark web is constantly changing. Why is this a key bit of information for users to know?

Every business needs to understand these Dark Web critical issues!

GUEST BLOG: It’s time to wake up and figure out how GDPR affects you!

Posted in Internet Privacy

My Guest Blogger Eddie Block (CISSP, CIPM, CIPP/G, CISA, CEH) is a senior attorney in Gardere’s Litigation Group and member of the Cybersecurity and Privacy Legal Services Team who focuses on all aspects of information cyber security, including credentialing functions, firewall and IDS deployment and monitoring, and penetration testing, and related complex litigation.  Eddie blogs at JurisHacker.

Eddie Block Dec 2 2016

You’ve heard about the GDPR, right?

As I’ve spoken with people (security people and “civilians”), I’ve found many who had no idea that the GDPR was a thing.  I know Americans tend to have a very US-centric view of the world, but the GDPR is critical for any business with a presence, customers, or clients in or from the EU.

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC with an effective date of 25 May 2018 (so about a year to get ready).

The GDPR clearly expresses the central difference between the American and EU views.  The GDPR “[p]rotects [the] fundamental rights and freedoms of natural persons and in particular their right to protection of personal data.”

In the US, personal data is typically seen as the property of the holder of the data.  The EU expressly views personal data as the property of the person.  This difference makes the GDPR distinct from US data breach notification laws.

There are a number of key items to review in the GDPR:

  • Increases extra-territorial applicability
  • Conditions for consent strengthened
  • Privacy policies may “no longer be able to use long illegible terms and conditions full of legalese . . . the request for consent must be given in an intelligible and easily accessible form. . .”
  • Breach notification must be made within 72 hours
  • The GDPR guarantees the Data Subjects’ Right to Access.  The Data Subject may:
      • “Obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. . .
      • Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.”
  • The GDPR also formalizes the “Right to be Forgotten”

“Data Subjects have the right to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.”

Non EU companies that do business in the EU or have customers that are citizens of the EU or live in the EU will have to comply with these regulations for their EU data subjects.  Any non-compliant organizations will face heavy fines.

So, get ready folks.  You don’t have much time to explore and internalize the GDPR.

HIPAA data risk in IoTs among 10 security risks with Wearables

Posted in Internet Privacy

CSOonline reported that most IoT (Internet of Things) wearable companies that collect personal data and “don’t carefully anonymize health-related data have effectively acquired what’s known as electronic Protected Health Information (ePHI), ‘which puts you squarely in the HIPAA world.’” The March 29, 2017 report entitled “10 security risks of wearables” included these 10 security risks, many of which include HIPAA concerns:

1. Wearable security is a legitimate concern
2. In the scheme of things, wearable security may not be a huge concern
3. It’s important to anonymize data
4. Segregate wearables on a different network
5. Do your due diligence
6. Educate users
7. Limit access to employee fitness and wellness data
8. Get a clear picture of everything connecting to the enterprise network
9. Require multi-factor authentication
10. Prepare for security and privacy risks, especially in the short-term

This should not come as any big surprise, but what will IoT companies do to deal with this HIPAA risk?

Net Neutrality in jeopardy one more time!

Posted in Net Neutrality

The New York Times reported that the Trump Administration plans to “roll back the regulation of broadband internet service companies…which were intended to ensure that no online content is blocked and that the internet is not divided into pay-to-play fast lanes for internet and media companies that can afford it and slow lanes for everyone else.” The March 30, 2017 article entitled “Net Neutrality Is Trump’s Next Target, Administration Says” explained that the Federal Communications Commission in 2015 put the net neutrality rules in place because:

Supporters of net neutrality have insisted the rules are necessary to ensure equal access to content on the internet.

I’ve been blogging about Net Neutrality since 2008, and it continues to morph as the party in the White House changes!

IBM Watson using Blockchain to protect Electronic Medical Records (EMRs)!

Posted in Internet Privacy

Computerworld announced that “IBM’s Watson Health artificial intelligence unit has signed a two-year joint-development agreement with the U.S. Food and Drug Administration (FDA) to explore using blockchain technology to securely share patient data for medical research and other purposes.” The January 11, 2017 article entitled “IBM Watson, FDA to explore blockchain for secure patient data exchange” included this plan for blockchain:

IBM Watson Health and the FDA will explore the exchange of patient-level data from several sources, including electronic medical records (EMRs), clinical trials, genomic data, and health data from mobile devices, wearables and the “Internet of Things.” The initial focus will be on oncology-related information.

Given the importance of EMRs this is significant and helps promote the value of blockchain.

Cybercriminals demand ransom from Apple, or else they will wipe 300 million iPhones!

Posted in Cyber, eCommerce

Forbes reported that “a hacker group calling itself Turkish Crime Family…reported having access to 300 million Apple accounts” and demanded “$75,000 in crypto-currency (either Bitcoin or Ethereum) or $100,000 in iTunes gift cards, and the data would be deleted.”  The March 22, 2017 report entitled “Hackers Threaten To Wipe 300M iPhones, iCloud Accounts Unless Apple Pays” included these comments from Apple:

There have not been any breaches in any of Apple’s systems including iCloud and Apple ID. The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services.

This may be the beginning of the end if the cybercriminals targeting Apple succeed!

Blockchain is what makes Bitcoin work, and is the real deal to change the world!

Posted in eCommerce, IT Industry

McKinsey interviewed Don Tapscott, who defined Blockchain as an “immutable, unhackable distributed database of digital assets” which is a “giant, global spreadsheet that runs on millions and millions of computers.”  The May 2016 article entitled “How blockchains could change the world” included these comments about Bitcoin:

Most blockchains—and Bitcoin is the biggest—are what you call permission-less systems.

We can do transactions and satisfy each other’s economic needs without knowing who the other party is and independent from central authorities.

These blockchains all have a digital currency of some kind associated with them, which is why everybody talks about Bitcoin in the same breath as the blockchain, because the Bitcoin blockchain is the biggest.

Tapscott offered that Blockchain could change the music industry:

What if the new music industry was a distributed app on the blockchain, where I, as a songwriter, could post my song onto the blockchain with a smart contract specifying how it is to be used?

Maybe as a recording artist posting my music on a blockchain music platform, I’ll say, “You listen to the music, it’s free. You want to put it in your movie? It’s going to cost you this much, and here’s how that works. You put it in the movie, the smart contract pays me.” Or how about using it for a ring tone? There’s the smart contract for that.

This is not a pipe dream. Imogen Heap, who’s a brilliant singer-songwriter in the United Kingdom, a best-selling recording artist, has now been part of creating Mycelia, and they’re working with an amazing company called Consensus Systems, that’s all around the world, blockchain developers, using the Ethereum platform; Ethereum is one blockchain. She has already posted her first song onto the Internet. I fully expect that many big recording artists will be seriously investigating a whole new paradigm whereby the musicians get compensated for the value that they create.

Bitcoin is important, but clearly all businesses need to understand the prospects of Blockchain!

Electronic Health Record (EHR) databases worth $500,000 to cybercriminals!

Posted in Cyber, eCommerce

Trend Micro conducted a study to learn more about “how stolen medical records are monetized after a breach, what types of data are stolen, how much they are sold for on the underground markets, and how cybercriminals make use of them” and used “Shodan scan data which reveals what healthcare-related devices and networks are connected to the internet and are visible to everyone, including cybercriminals.”  The February 21, 2017 report entitled “Cybercrime and Other Threats Faced by the Healthcare Industry” explained why EHR is better for cybercriminals than stolen credit cards, since they “can only use the stolen credit cards before the card expires, is maxed out or cancelled”:

…an EHR database containing PII that do not expire—such as Social Security numbers—can be used multiple times for malicious intent. Stolen EHR can be used to acquire prescription drugs, receive medical care, falsify insurance claims, file fraudulent tax returns, open credit accounts, obtain official government-issued documents such as passports, driver’s licenses, and even create new identities.

A DarkReading article about the Trend Micro report entitled “Stolen Health Record Databases Sell For $500,000 In The Deep Web” included these observations:

Medical insurance IDs with valid prescriptions were selling for $0.50 US, and complete profiles of US victims including medical and health insurance data were selling for under $1. Meanwhile, fraudulent tax returns based on stolen medical records were marketed for $13.50 and fake birth certificates based on data stolen from medical records were selling for $500.

Unfortunately this cyber vulnerability is not news, as the healthcare community is well aware.