Oh the Sun Shines Bright in My Old Kentucky…

…Cloud?

Kentucky is now the 47th state to enact a data breach notification law.

Identity Theft/Fraud Trigger

The bill was signed into law by Governor Steve Beshear earlier this month and requires notification following an event “that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud.”  Kentucky’s law defines “personally identifiable information” as an individual’s first name or first initial and last name in combination with any one or more of the following data elements (when not redacted):

  1. SSNs
  2. DL numbers
  3. Account number, credit or debit card number, in combination with any required security code, access code or password permit[ting] access to an individual’s financial account.

The statute specifies that any “information holder” shall disclose any breach of the security system, following discovery or notification of the breach in the security of the data, to any resident of Kentucky whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  The statute states disclosure “shall be made in the most expedient time possible…consistent with the legitimate needs of law enforcement.”  The notification provisions do not apply to any person subject to the provisions of Gramm-Leach-Bliley or HIPAA, or to any state or local governmental agency.

Student Protections

In addition, the statute requires express parental permission for a cloud computing service provider to process student data for any purpose other than providing, improving, developing, or maintaining the integrity of the cloud computing services (or if done in connection with educational research, per federal statute).

The state auditor had promoted enacting such legislation and released a report stating:

“Although auditors didn’t identify any cyber security breaches, they did find instances of state agencies failing to take the necessary steps to protect confidential or sensitive information,” Auditor Edelen said. “This further illustrates the need for legislation to incentivize state and local government to better secure the data it holds on us, as well as require them to notify us when it’s lost or stolen.”

http://www.wdrb.com/story/24272935/ky-auditor-says-a-data-breach-notification-law-is-needed

http://apps.auditor.ky.gov/Public/Audit_Reports/Archive/2013SSWAK-I-PR.pdf


Just in time for the 140th “Run for the Roses”

My Old Kentucky Home by Stephen Foster

The sun shines bright in My Old Kentucky Home,

‘Tis summer, the people are gay;
The corn-top’s ripe and the meadow’s in the bloom
While the birds make music all the day.

The young folks roll on the little cabin floor,
All merry, all happy and bright;
By ‘n’ by hard times comes a knocking at the door,
Then My Old Kentucky Home, good night!

Chorus:

Weep no more my lady
Oh weep no more today;
We will sing one song
For My Old Kentucky Home
For My Old Kentucky Home, far away


http://allrecipes.com/recipe/mint-juleps/


http://www.kentuckyderby.com/

“The Kentucky Derby is a Grade I stakes race for three year-old Thoroughbred horses, held annually in Louisville, Kentucky, on the first Saturday in May. The race is one and a quarter miles at Churchill Downs. The race is known in the United States as “The Greatest Two Minutes in Sports™” for its approximate duration, and is also called “The Run for the Roses” for the blanket of roses draped over the winner. It is the first leg of the United States Triple Crown of Thoroughbred Racing and is followed by the Preakness Stakes and Belmont Stakes.”

And, for some Data and The Derby – see:

http://helloracefans.com/handicapping/patterns/geek-out-mining-derby-data/


Data Breach: Michaels Stores

Michaels Stores, Inc. is now reporting that two separate 8-month-long security breaches at its stores last year may have exposed as many as 3 million customer credit and debit cards.  The company says there is no evidence that other customer personal information, such as name, address or debit card PIN, was at risk in connection with this issue.  Reportedly, the security firms Michaels hired to investigate the “break-ins” initially found nothing, but the ultimate analysis confirmed the attacks “using highly sophisticated malware that had not been encountered previously by either of the security firms.”  In a press release dated April 17, 2014, the company states: “The Company has now identified and fully contained the incident, and the malware no longer presents a threat while shopping at Michaels or Aaron Brothers.”  Following the disclosures regarding Target and Neiman Marcus in January of this year, Michaels Stores had previously reported that it was investigating a potential security breach involving customers’ credit card information.

The Target breach involved thieves planting malware on cash registers; the malware was designed to siphon card data when customers swiped the cards at the cash register.  According to the information released by Michaels, it appears that the affected systems contained certain payment card information, card number and expiration date, but that there was no evidence that other customer personal information (name, address, debit card PIN) was at risk.

See press release: http://www.businesswire.com/news/home/20140417006352/en/Michaels-Identifies-Previously-Announced-Data-Security-Issue#.U1Fa8fldV1Z

See information regarding nature/scope of breach:

https://krebsonsecurity.com/2014/04/3-million-customer-credit-debit-cards-stolen-in-michaels-aaron-brothers-breaches/


Data and Security – Balancing Use and Oversight

Using Anonymous Patient Data 


The Washington Post reports on the development of PCORI – the Patient-Centered Outcomes Research Institute.  This was part of the move to get better information, data, out of the electronic health records initiative funded and spelled out in the Affordable Care Act.  The anonymized or de-identified data is supposed to help clinicians draw meaningful conclusions from the vast wealth of information gathered by physicians, researchers, hospitals, insurers and the pharmaceutical industry.  The PCORI network is also supposed to identify patients who could be invited to join clinical trials.  The new national patient network will comprise eleven sub-networks, drawing on records from participating organizations.  Of importance to privacy watchdogs is that each participating organization retains all of the personally identifiable information, and only aggregated data is submitted for use in a research project.

Go to: http://www.washingtonpost.com/national/health-science/scientists-embark-on-unprecedented-effort-to-connect-millions-of-patient-medical-records/2014/04/15/ea7c966a-b12e-11e3-9627-c65021d6d572_print.html


The FTC Can Seek to Enjoin


In other news, the FTC overcame some question of its authority to police data breach incidents, in this case data specifically involving consumer payment card account numbers.  In the FTC v. Wyndham Worldwide Corporation matter, Wyndham hotels challenged the FTC’s authority to bring suit for injunctive relief following three breach incidents.  The FTC had alleged in its suit that Wyndham had failed to implement reasonable and appropriate security measures which exposed consumers’ personal information to unauthorized access, collection and use that “has caused and is likely to cause substantial consumer injury, including financial injury, to consumers and businesses.”  The FTC had alleged that after discovering the first two breaches, Wyndham “failed to take appropriate steps in a reasonable time frame to prevent the further compromise of [its] network.”  Accordingly, the FTC sought a permanent injunction against Wyndham, presumably then to enter into some kind of agreement to correct such practices.  Wyndham argued that the FTC overstepped its authority and moved to dismiss the complaint, arguing that the FTC’s “unfairness authority” did not cover data security and arguing that the FTC needs to publish regulations before filing an unfairness claim in federal court.  The US District Court for the District of New Jersey declined to “carve out a data-security exception to the FTC’s authority.”  Wyndham had tried to get the Court to analogize this situation to the tobacco industry cases (where the FDA had denied authority over tobacco).  Instead, the District Court noted the FTC had never disavowed its authority over unfair practices related to data security.

Wyndham also challenged the FTC’s deception claim.  The FTC cited the Defendants’ privacy policy and alleged that the Defendants did not implement reasonable and appropriate measures to protect personal information from unauthorized access.  The FTC argued that the privacy policy representations therefore were false or misleading and constituted deceptive practices.  Wyndham argued that the FTC failed to meet a higher burden when alleging unlawful deception.  The Court rejected Wyndham’s arguments finding that a reasonable customer would have understood that the policy makes statements about data-security practices at the hotels, to the extent that the hotels control personally identifiable information.

There are other issues to be resolved in the sphere of enforcement and oversight of similar data breaches.  The injunction route can be fraught with technical issues and with questions about how best to tailor oversight of an entity’s practices and promises.  However, for now, the FTC has asserted its authority in an important way, and some commentators believe this will embolden the FTC to bring additional enforcement actions.  More than likely, the FTC will scrutinize those incidents that involve significant security lapses and/or some significant financial impact on consumers.

See FTC v. Wyndham Worldwide, Case 2:13-cv-01887-ES-JAD, Filed 04/07/14

Copy of case at: http://image.exct.net/lib/fefd167774640c/d/1/4.8%20Alert%20Wyndham%20Opinion.pdf
