Yahoo! data breach litigation to proceed

On 9 March 2018, the United States District Court for the Northern District of California, San Jose Division, granted in part and denied in part Yahoo! Inc. (‘Yahoo’) and Aabaco Small Business, LLC’s (‘Aabaco’) (collectively, ‘the Defendants’) motion to dismiss the putative class litigation brought by nine named individuals (‘the Plaintiffs’) over the way the Defendants handled several data breaches that occurred between 2013 and 2016. See discussion at:

http://cecileparkmedia.com/cyber-security-practitioner/article_template.asp?Contents=Yes&from=cslp&ID=348o

California Updates and Tries to Strengthen Some Privacy Protections

California’s Updates on Breach and Security

Gov. Jerry Brown signed legislation beefing up California’s breach notification law. The new law, effective January 1, 2015, requires companies that suffer a breach to offer free identity theft prevention and mitigation services to consumers for at least a year if their Social Security or driver’s license number was compromised. The consumer will still be responsible for taking some action to accept those services.

The Governor signed other bills that also attempt to provide additional privacy and security protections, including restrictions on the paparazzi, laws addressing “revenge porn,” and a prohibition on the state from helping federal intelligence agencies collect telephone records without warrants:

  • SB 1177 – Prohibits the creation and distribution of “profiles” of minor students; prohibits applications from targeting K-12 students
  • AB 928 – Requires each state agency and department to conspicuously post its privacy policy on its website
  • AB 1256 and AB 2306 – Expand existing law regarding invasion of privacy (type of activity protected from unwarranted capturing of images or photographs; establishes zones of privacy around schools and medical facilities; eliminating the existing physical trespass requirement for invasion of privacy; renders illegal the use of drones and other electronic devices to capture images of individuals in their homes)
  • AB 1356 – Expands legal recourse for stalking victims (allows plaintiffs to plead “substantial emotional distress” as an alternative to the existing standard of “reasonable fear”)
  • AB 2643 – Creates private legal recourse against a person who intentionally distributes a sexually explicit image or video of another without his or her consent (allows plaintiffs to file a civil suit for damages against a defendant who posted intimate photos or videos of the plaintiff without consent)
  • SB 828 – Prohibits state agencies from assisting the federal government in the collection of personal, electronically stored data, except under certain circumstances (that the state knows to be illegal or unconstitutional)
  • SB 1255 – Expands existing law regarding the distribution of a sexually explicit image or video of another with the intent to cause serious emotional distress

Brazil’s SPI: 45.2…Whatever That Means

Nate Silver’s Five Thirty Eight blog is featuring an algorithm versus the marketplace bracket mechanism.  While Brazil is heavily favored to win the World Cup, FiveThirtyEight favors them even more than the betting shops — based on “real math.”  Nate describes the system as such:

Today we’re launching an interactive that calculates every team’s chances of advancing past the group stage and eventually winning the tournament. The forecasts are based on the Soccer Power Index (SPI), an algorithm I developed in conjunction with ESPN in 2010. SPI has Brazil as the heavy favorite, with a 45 percent chance of winning the World Cup, well ahead of Argentina (13 percent), Germany (11 percent) and Spain (8 percent).

The overwhelming factor in this scoring is Brazil’s dominance at home.

Also, relative good news for Team USA — the betting line has them at a .3% chance of winning the World Cup while FiveThirtyEight’s SPI has them at .4%.

Good luck #USMNT – indeed!

Go to:

http://fivethirtyeight.com/features/its-brazils-world-cup-to-lose/

And:

http://www.ussoccer.com/stories/2014/06/09/19/44/140609-mnt-travel-to-brazil-feature

And, just in time, Symantec releases its 96-page report: “Latin American + Caribbean Cyber Security Trends.” The report includes individual country reports, which provide details on government capabilities for dealing with cyber security and cybercrime, including any relevant statistics released by the governing authorities regarding sectors affected by cybercrime. Symantec likewise provides some quick country stats, for example:

Brazil:

Population: 201,033,000

Internet Penetration: 49.8%

Fixed Broadband Subscribers: 9.2%

And, Symantec, along with its co-sponsor, Organization of American States, sounds the alarm bell for scams and potential vulnerabilities in relation to the World Cup.  From the report:

The 2014 FIFA World Cup in Brazil is expected to be one of the largest sporting events of this century.  While the world comes together to celebrate and compete in sport, cybercriminals have unfortunately identified vulnerabilities and may be plotting attacks against critical infrastructure.  In fact, members of international hacking groups such as Anonymous have recently made threats against official websites operated by FIFA, the Brazilian Government and corporate sponsors of the games.

Several malware operations, phishing attacks, and email scams linked to the World Cup have already been discovered.

See the report at:

http://www.symantec.com/content/en/us/enterprise/other_resources/b-cyber-security-trends-report-lamc.pdf

UPDATE:
US defeats Ghana in opening match (despite cramping and a bash to the nose):
Back to Five Thirty Eight – chances of a team advancing: U.S. at 63% (I think).  And, significantly, Brazil SPI now at 91.3.  (The commenters suggest the model does not favor a tie).

And now, Belgium:

Belgium is dangerous, but not as dangerous as tournament favorites Brazil, Germany and Argentina. Meanwhile, the Netherlands, France, Chile and Colombia also look more threatening than Belgium based on the things SPI looks at: pre-tournament resumes, form so far in the World Cup and, in the case of Chile and Colombia, games closer to home.

Our match-prediction algorithm gives the U.S. about a 42 percent chance of winning a knockout-stage game against Belgium based on each team’s SPI rating as of Thursday morning.

http://fivethirtyeight.com/datalab/the-u-s-s-odds-of-beating-belgium-and-every-other-world-cup-opponent/


UPDATE:

So, by now, we know the real SPI belongs to Germany.  Cool graphic re: Twitter traffic during World Cup Final:

http://cartodb.com/v/worldcup/match/?TC=x&vis=30acae6a-0a51-11e4-8918-0e73339ffa50&h=t&t=Germany,B40903%7CArgentina,5CA2D1&m=7%2F13%2F2014%2016:00:00%20GMT,7%2F12%2F2014%2018:35:00GMT&g=147%7C#/2/-11.7/-8.4/0

FiveThirtyEight’s revised analysis:

Germany didn’t begin the World Cup as the favorite. That honor belonged to (ahem) Brazil. But that’s a slightly deceptive measure. This was a top-heavy World Cup; not only Brazil but also Germany, Argentina and Spain would have been the front-runners in many past editions of the tournament.

By the end of the World Cup, Germany left little doubt it is the best team in the world. In fact, it may be the best national soccer team ever assembled.

http://fivethirtyeight.com/datalab/germany-may-be-the-best-national-soccer-team-ever/

Once Again, California…on Privacy, Do Not Track

AG Kamala Harris Issues Guide on Privacy Policies/Do-Not-Track Disclosures

In a press release issued May 21, 2014, the Attorney General for California, Kamala Harris, issued a series of recommendations for businesses that address changes to California privacy law. Key recommendations include:

  • Prominent labeling for sections dealing with online tracking, e.g., “California Do Not Track Disclosures”
  • Describe how you respond to a browser’s Do Not Track signal (or similar mechanisms)
  • Are third parties collecting personally identifiable information?  If yes, say so
  • Explain uses of personally identifiable information
  • Describe what you collect, how you use it, how long you retain it
  • Describe choices the consumer has regarding use/sharing of PII
  • Use plain language – use graphics/icons

The guide includes summaries of relevant CA statutes (CalOPPA – broad requirement for privacy policies; AB 370 – tracking transparency). And, while there are no new regulations or enforcement mechanisms provided in the “guide,” obviously, entities doing business in California, and those entities previously under scrutiny by the AG (e.g., Amazon, Apple, Facebook, etc.) will likely pay close attention to ensure compliance. The guide is called Making Your Privacy Practices Public, and you can see it at:

https://oag.ca.gov/sites/all/files/agweb/pdfs/cybersecurity/making_your_privacy_practices_public.pdf

Data Breach: Michaels Stores

Michaels Stores, Inc. is now reporting that two separate 8-month long security breaches at its stores last year may have exposed as many as 3 million customer credit and debit cards. The company says there is no evidence that other customer personal information, such as name, address or debit card PIN, was at risk in connection with this issue. Reportedly, the security firms Michaels hired to investigate the “break-ins” found nothing at first, but the ultimate analysis confirmed the attacks “using highly sophisticated malware that had not been encountered previously by either of the security firms.” In a press release dated April 17, 2014, the company states: “The Company has now identified and fully contained the incident, and the malware no longer presents a threat while shopping at Michaels or Aaron Brother.” Following the disclosures regarding Target and Neiman Marcus, in January of this year, Michaels Stores had previously reported that it was investigating a potential security breach involving customers’ credit card information.

The Target breach involved thieves planting malware on cash registers; the malware was designed to siphon card data when customers swiped the cards at the cash register.  According to the information released by Michaels, it appears that the affected systems contained certain payment card information, card number and expiration date, but that there was no evidence that other customer personal information (name, address, debit card PIN) was at risk.

See press release: http://www.businesswire.com/news/home/20140417006352/en/Michaels-Identifies-Previously-Announced-Data-Security-Issue#.U1Fa8fldV1Z

See information regarding nature/scope of breach:

https://krebsonsecurity.com/2014/04/3-million-customer-credit-debit-cards-stolen-in-michaels-aaron-brothers-breaches/

Data and Security – Balancing Use and Oversight

Using Anonymous Patient Data 

The Washington Post reports on the developments of PCORI – the Patient-Centered Outcomes Research Institute.  This was part of the move to get better information, data, out of the electronic health records initiative funded and spelled out in the Affordable Care Act.  The anonymized or de-identified data is supposed to help clinicians draw some meaningful conclusions from the vast wealth of information gathered by physicians, researchers, hospitals, insurers and the pharmaceutical industry.  The PCORI network is supposed to identify patients who could be invited to join clinical trials.  The new national patient network will comprise eleven sub-networks, drawing on records from participating organizations.  Of importance to the privacy watchdogs is that the participating organization retains all of the personally identifiable information and only the aggregated data is submitted for use in a research project.

Go to: http://www.washingtonpost.com/national/health-science/scientists-embark-on-unprecedented-effort-to-connect-millions-of-patient-medical-records/2014/04/15/ea7c966a-b12e-11e3-9627-c65021d6d572_print.html


The FTC Can Seek to Enjoin

In other news, the FTC overcame some question of its authority to police data breach incidents, in this case data specifically involving consumer payment card account numbers.  In the FTC v. Wyndham Worldwide Corporation matter, Wyndham hotels challenged the FTC’s authority to bring suit for injunctive relief following three breach incidents.  The FTC had alleged in its suit that Wyndham had failed to implement reasonable and appropriate security measures which exposed consumers’ personal information to unauthorized access, collection and use that “has caused and is likely to cause substantial consumer injury, including financial injury, to consumers and businesses.”  The FTC had alleged that after discovering the first two breaches, Wyndham “failed to take appropriate steps in a reasonable time frame to prevent the further compromise of [its] network.”  Accordingly, the FTC sought a permanent injunction against Wyndham, presumably then to enter into some kind of agreement to correct such practices.  Wyndham argued that the FTC overstepped its authority and moved to dismiss the complaint, arguing that the FTC’s “unfairness authority” did not cover data security and arguing that the FTC needs to publish regulations before filing an unfairness claim in federal court.  The US District Court for the District of New Jersey declined to “carve out a data-security exception to the FTC’s authority.”  Wyndham had tried to get the Court to analogize this situation to the tobacco industry cases (where the FDA had denied authority over tobacco).  Instead, the District Court noted the FTC had never disavowed its authority over unfair practices related to data security.

Wyndham also challenged the FTC’s deception claim.  The FTC cited the Defendants’ privacy policy and alleged that the Defendants did not implement reasonable and appropriate measures to protect personal information from unauthorized access.  The FTC argued that the privacy policy representations therefore were false or misleading and constituted deceptive practices.  Wyndham argued that the FTC failed to meet a higher burden when alleging unlawful deception.  The Court rejected Wyndham’s arguments finding that a reasonable customer would have understood that the policy makes statements about data-security practices at the hotels, to the extent that the hotels control personally identifiable information.

There are other issues to be resolved in the sphere of enforcement and oversight of similar data breaches. The injunction route can be fraught with technical issues and issues regarding how best to tailor oversight of an entity’s practices and promises. However, for now, the FTC has asserted its authority in an important way, and some commentators believe this will embolden the FTC to bring additional enforcement actions. More than likely, the FTC will scrutinize those incidents that involve significant security lapses and/or some significant financial impact on consumers.

See FTC v. Wyndham Worldwide, Case 2:13-cv-01887-ES-JAD, Filed 04/07/14

Copy of case at: http://image.exct.net/lib/fefd167774640c/d/1/4.8%20Alert%20Wyndham%20Opinion.pdf

Report on Healthcare – Increase in Threats

IoT and Healthcare

A whitepaper released by SANS Analyst Program (sponsored by Norse) predicts an increase in risks to healthcare systems and data given “more open exchanges of health care information between patients, insurers, doctors and pharmacists.”  The report subtitled “Widespread Compromises Detected, Compliance Nightmare on Horizon,” describes results from another SANS report, “Biggest Culprits: Internet of Things and Security Devices,” which concluded that since the healthcare and pharmaceutical sectors will employ more devices, the threats are greater.

Specifically, the SANS analysis showed that the healthcare system’s critical information systems are poorly protected and often compromised.  These issues affected radiology imaging software, video conferencing systems, digital video systems, call contact software, security systems and devices, including VPNs, firewalls and routers.  The report’s author warns: “As compared to traditional IT systems, incidents involving Things, such as a hacked MRI machine, can carry physical consequences, as well as policy and financial impacts.”

Notable Devices/Applications:

  • Connected medical endpoints (examples: online health monitoring to radiology devices to video-oriented services);
  • Internet facing personal health data (example: web-based call center for medical supply entity);
  • Security systems and edge devices (example: enterprise network controllers).

The report details the findings of a study that reviewed the largest sources of malicious traffic.

To get a copy of the report, go to: http://norse-corp.com

Snapchat Vulnerability Exposed

Now you see it…. and then maybe…

Snapchat, another messaging service that is supposed to delete content once it has been sent, recently suffered a “breach,” of sorts.  No sensitive information was released but security researchers wanted to “expose” the vulnerabilities in the service so they gained access to data and then posted user names and phone numbers on a site called SnapchatDB.info and made the data available for download.

The security researchers stated on this website: “This database contains username and phone number pairs of a vast majority of the Snapchat users. This information was acquired through the recently patched Snapchat exploit and is being shared with the public to raise awareness on the issue. The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it.”

They also cautioned that they redacted part of the info: “For now, we have censored the last two digits of the phone numbers in order to minimize spam and abuse. Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.”

Snapchat reportedly is going to update its applications to secure the data; from their website:

“We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number. We’re also improving rate limiting and other restrictions to address future attempts to abuse our service.”

http://blog.snapchat.com/post/72013106599/find-friends-abuse
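The two mitigations Snapchat names above, an opt-out from Find Friends and rate limiting, as an added example that is not Snapchat’s code: a phone-number lookup that never returns opted-out users and charges each client a sliding-window budget of numbers queried, so a single client cannot walk the whole user table. All users, numbers, limits and the injectable clock are constructed for the demo.

```python
# Added example, not Snapchat's code: a Find-Friends-style phone lookup with the
# two mitigations the post quotes (per-user opt-out, per-client rate limiting).
# Users, numbers, limits and the clock are constructed for the demo.
from collections import deque
from dataclasses import dataclass
import time

@dataclass
class User:
    username: str
    phone: str                 # E.164 string such as "+14155550100" (constructed)
    discoverable: bool = True  # False: user opted out of Find Friends

class RateLimitExceeded(Exception):
    """Client exceeded its lookup budget for the current window."""

class FindFriendsService:
    def __init__(self, users, max_per_request=100, max_per_window=500,
                 window_seconds=3600, clock=time.monotonic):
        self._by_phone = {u.phone: u for u in users}
        self.max_per_request = max_per_request
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.clock = clock       # injectable so tests need not sleep
        self._history = {}       # client_id -> deque of (timestamp, count)

    def _charge(self, client_id, count):
        # Sliding window over numbers queried, not requests made, so many
        # small batches cannot dodge the limit.
        now = self.clock()
        hist = self._history.setdefault(client_id, deque())
        while hist and now - hist[0][0] >= self.window:
            hist.popleft()
        used = sum(c for _, c in hist)
        if used + count > self.max_per_window:
            raise RateLimitExceeded(f"{client_id}: {used + count} numbers in "
                                    f"{self.window}s, limit {self.max_per_window}")
        hist.append((now, count))

    def lookup(self, client_id, phones):
        # Returns {phone: username} for matching, discoverable users only.
        # Opted-out users and unknown numbers are both simply absent, so the
        # response does not reveal whether an opted-out number is registered.
        if len(phones) > self.max_per_request:
            raise ValueError(f"at most {self.max_per_request} numbers per request")
        unique = list(dict.fromkeys(phones))   # duplicates are charged once
        self._charge(client_id, len(unique))
        matches = {}
        for phone in unique:
            user = self._by_phone.get(phone)
            if user is not None and user.discoverable:
                matches[phone] = user.username
        return matches

DEMO_USERS = [User("alice", "+14155550100"),
              User("bob", "+14155550101", discoverable=False)]

def build_demo_service(clock):
    return FindFriendsService(DEMO_USERS, max_per_request=3,
                              max_per_window=5, window_seconds=60, clock=clock)
```

The budget is tracked per client and per window, so a rejected request is not charged and a different client keeps its own allowance.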

Security experts have been concerned by the false sense of security that some of these messaging services purport to provide their users.

See NYT blog for more info:

http://bits.blogs.nytimes.com/2014/01/02/snapchat-breach-exposes-weak-security/

UPDATE:

Snapchat reports customer complaints of an increase in spam but denies that the activity is related to the “Find Friends” breach.

http://blog.snapchat.com/post/73216178814/snap-spam-update

UPDATE:

Snapchat settled with the FTC – May 8, 2014

From the FTC’s Press release:

According to the FTC’s complaint, Snapchat made multiple misrepresentations to consumers about its product that stood in stark contrast to how the app actually worked.

“If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises,” said FTC Chairwoman Edith Ramirez.  “Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action.”

Under the terms of its settlement with the FTC, Snapchat will be prohibited from misrepresenting the extent to which it maintains the privacy, security, or confidentiality of users’ information.  In addition, the company will be required to implement a comprehensive privacy program that will be monitored by an independent privacy professional for the next 20 years.

It appears the settlement was for corrective and compliance actions but no monetary payment.

Read more: http://www.digitaltrends.com/mobile/your-incriminating-selfies-on-snapchat-werent-deleted/#ixzz31WFRFzn6

See also, critique of Snapchat –

http://www.informationweek.com/software/social/5-ways-snapchat-violated-your-privacy-security/d/d-id/1251175