Yahoo! data breach litigation to proceed

Yahoo! data breach litigation to proceed

On 9 March 2018, the United States District Court for the Northern District of California, San Jose Division, granted in part and denied in part Yahoo! Inc. (‘Yahoo’) and Aabaco Small Business, LLC’s (‘Aabaco’) (collectively, ‘the Defendants’) motion to   dismiss the putative class litigation brought by nine named individuals (‘the Plaintiffs’) over the way the Defendants handled several data breaches that occurred between 2013 and 2016.  See discussion at:

http://cecileparkmedia.com/cyber-security-practitioner/article_template.asp?Contents=Yes&from=cslp&ID=348o

Biometric Data: Watching the Watchers

As Illinois and other jurisdictions seek limitations, those limits get tested.

In 2008, the Illinois legislature passed the Illinois Biometric Information Privacy Act (BIPA).  The Act requires entities to develop written policies, made available to the public, which establish a retention schedule and guidelines for permanently destroying identifiers.  Private entities that collect, capture, purchase, receive or otherwise obtain a biometric identifier or information must inform the subject in writing, inform the subject of the purpose and length of time the data will be stored, and receive a written release.  As of 2018, there were in excess of twenty-five actions filed in Cook County Circuit Court (Illinois) with other litigation pending in federal courts in Illinois, California and one case on remand from the Second Circuit, where Plaintiffs have alleged violations of BIPA.

See link to discussion of these cases and status of challenges to use of biometric data in commercial settings.

-Biometric Data: Watching the Watchers

Happy Bicentennial, Illinois!

Eighteen-eighteen saw your founding, Illinois, Illinois,

And your progress is unbounding, Illinois, Illinois…

HiRes

Illinois State Song

200 YEARS AGO, ON DECEMBER 3, 1818, ILLINOIS BECAME THE 21ST STATE IN THE UNION.  

HHS Issues Guidance on Processor Vulnerabilities

In a follow up to an earlier alert regarding the critical problems in modern processors recently reported by Google, HHS issued its own “Technical Report.”  In Google’s “white papers,” they explain that their teams and other analysts and academics discovered and reported on vulnerabilities dubbed “Spectre” and “Meltdown.”  These are described as vulnerabilities that affect nearly every computer chip manufactured in the last 20 years. Recently, the patches also have come under scrutiny as Intel reports reboot problems and slowdowns following implementation.  Microsoft then reported new updates for Windows 10 to resolve such issues.

The fault arises from features built into chips that are supposed to help them run faster.  There is no evidence that the flaws have been exploited but reportedly such exploits may be difficult to detect.

HHS cautions in its alert that the vulnerabilities have the potential to expose sensitive information, such as protected health information (PHI), which is processed on these chips.  HHS warns that entities should employee risk management processes to address the vulnerabilities and ensure the security of medical records.  HHS list the major concerns as:

  • Challenges identifying vulnerable medical devices and accessory medical equipment and ensuring patches are validated to prevent impacts to the intended use.
  • Cloud Computing: Potential PHI or Personally Identifiable Information (PII) data leakage in shared computing environments
  • Web browsers: Possible PHI/PII data leakage
  • Patches: Potential for service degradation and/or interruption from patches

 

Searching medical

Privately disclosed to chipmakers in June 2017, the bugs became public after a series of leaks in early January 2018.  Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. HHS notes that although medical devices and support equipment may not resemble PCs, their operating systems (Windows, Linux) run on processors that could be vulnerable.  HHS states: “The risks of PHI data leakage is especially acute in shared infrastructure like cloud computing instances.”  Amazon Web Services, Google Cloud and Microsoft Azure all immediately deployed patches against the Meltdown attack.  HHS cautions that while the major platforms handled the response in a timely way, there are other cloud managed service providers and institutional or private cloud instances that may not have known about the vulnerabilities before January 3, 2018.

The HHS alert provides technical details and mitigation tactics.  The alert includes links to various references, support pages and press reports.  Technical Report on Widespread Processor Vulnerabilities

For more information on the vulnerabilities: The Meltdown and Spectre security flaws.  One congressman from California has sent a letter to Intel, AMD and ARM requesting  briefing on the vulnerabilities and the companies’ handling of them.  Congressman Requests Briefing

 

Bitcoin – “The Second Age” and Other News

Idea, solution, money
Idea, solution, money

For an update on the state of the online payment exchange landscape see Techcrunch article:

The Mt.Gox Arrest Is The End Of The First Age Of Bitcoin

Looking to move on from Bitcoin is the Winklevoss exchange, Gemini.  There is a dedicated website, which notes that their exchange operates (will operate) fully in the U.S., exclusively with American banks and the dollars never leave the country.  Although not yet operational, the twins filed an application with the New York State Department of Financial Services in July 2015 seeking approval to operate as a trust company.  The approval process may take months.  

http://moneymorning.com/2015/07/27/gemini-bitcoin-exchange-from-the-winklevoss-twins-is-one-step-closer-to-launch/

Back to hacking cars and now guns – what could possible go wrong? It seems like every week there is a new attempt to call out car companies by attempts to hack into remote services  …

http://www.wired.com/2015/07/gadget-hacks-gm-cars-locate-unlock-start/

…and now there are high tech firearms that reportedly can be altered.

Husband and wife hackers claim that high-tech sniper rifles can be hacked. The duo will present their findings at the Black Hat annual conference starting in early August.

http://www.wired.com/2015/07/hackers-can-disable-sniper-rifleor-change-target/

iStock_000054011980_Small

Illinois AG Proposes Updates to Breach Law

HiResIllinois’ Attorney General Lisa Madigan issued a report and a press release on March 2, 2105 addressing proposed updates to the Personal Information Protection Act, the Illinois breach notification statute.  In her press release, she states:

Madigan recently drafted legislation to strengthen the state’s Personal Information Protection Act (PIPA). Originally passed in 2005 at Attorney General Madigan’s direction, PIPA made Illinois among the first states in the country to require entities that suffer a data breach to notify Illinois residents if the breached information included residents’ drivers’ license numbers, social security numbers, or financial account information. Since the law’s enactment, the extent of sensitive information collected about consumers has expanded and the threat of data breaches has increased significantly, necessitating the need to update and strengthen the state’s law.

Madigan’s bill, which is sponsored by Sen. Daniel Biss and Rep. Ann Williams, will expand the type of information that requires a company to notify consumers of a breach, including medical information outside of federal privacy laws, biometric data, geolocation information, sensitive consumer marketing data, contact information when combined with identifying information, and login credentials for online accounts. The bill also requires entities holding sensitive information to take “reasonable” steps to protect the information and requires entities to notify the Attorney General’s office when breaches occur. Madigan said her office would create a website that lists every data breach that affects Illinois to increase awareness among residents.

One of the notable findings in the report is what the AG calls “confusion over breaches,” citing comments from consumer roundtable discussions.  The report states that the most frequent complaint from participants was that while they were well aware of breaches from the media, they were not always aware if those breaches had affected them directly.  The report outlines three principles the updated legislation should address:

1. Disclosure – the new law should require websites and apps that collect personal information to display privacy policies that explain what information is collected and who that information is shared with.

2. Protection – the updated law should require entities to establish reasonable security measures to safeguard sensitive personal information.

3. Notification – the legislation should expand the definition of personal information (medical, health insurance information, biometric data, geolocation information, sensitive marketing data, contact information when combined with additional identifying information like DOB, and log in credentials); require entities to notify the AGs office and create a database of breaches affecting Illinois; enable small businesses to notify local media rather than statewide media when breaches occur.

News reports suggest the legislation will go to the Illinois General Assembly shortly.

Tracking the Injury in Personal Injury

A Canadian law firm is utilizing wearable technology to provide information in assessing a personal injury client’s loss and potential damages.  McLeod Law in Calgary states on its website that it is using “Vivametrica’s Functional Activity Assessment tool provides a method for the early assessment of the strength of a client’s case. The Functional Activity Assessment closes the gap between what a client perceives and what is objectively verifiable.”   Vivametrica  states that it analyzes data from wearable sensor devices for the assessment of health and wellness.  While not exactly using Fitbit data directly, reportedly the technology “uses public research to compare a person’s activity data with that of the general population.”  As noted on the Vivametrica website, this technology also allows caregivers to engage on a more specific level with the wearers.  In the Canadian case, reportedly this is the first time such technology will be used directly in a court case.

This will be an interesting test case in terms of not only presenting the plaintiff’s case for damages but it will be interesting to see how defendants and juries respond to the introduction of such evidence and whether this presents a new standard for such cases.

http://www.forbes.com/sites/parmyolson/2014/11/16/fitbit-data-court-room-personal-injury-claim/

https://www.mcleod-law.com/news/vivametricas-analytics-platform-supports-personal-injury-claims

fitbitdownload

Brazil’s SPI: 45.2…Whatever That Means

Nate Silver’s Five Thirty Eight blog is featuring an algorithm versus the marketplace bracket mechanism.  While Brazil is heavily favored to win the World Cup, FiveThirtyEight favors them even more than the betting shops — based on “real math.”  Nate describes the system as such:

Today we’re launching an interactive that calculates every team’s chances of advancing past the group stage and eventually winning the tournament. The forecasts are based on the Soccer Power Index (SPI), an algorithm I developed in conjunction with ESPN in 2010. SPI has Brazil as the heavy favorite, with a 45 percent chance of winning the World Cup, well ahead of Argentina (13 percent), Germany (11 percent) and Spain (8 percent).

The overwhelming factor in this scoring is Brazil’s dominance at home.

Also, relative good news for Team USA — the betting line has them at a .3% chance of winning the World Cup while FiveThirtyEight’s SPI has them at .4%.

Good luck #USMNT – indeed!

Go to:

http://fivethirtyeight.com/features/its-brazils-world-cup-to-lose/

And:

http://www.ussoccer.com/stories/2014/06/09/19/44/140609-mnt-travel-to-brazil-feature

And, just in time, Symantec releases its 96-page report: “Latin American + Caribbean Cyber Security Trends.”  The report includes individual country reports, which provides details on government capabilities for dealing with cyber security and cybercrime, including any relevant statistics released by the governing authorities regarding sectors affected by cybercrime.  Symantec likewise provides some quick country stats, for example:

Brazil:

Population: 201,033,000

Internet Penetration: 49.8%

Fixed Broadband Subscribers: 9.2%

And, Symantec, along with its co-sponsor, Organization of American States, sounds the alarm bell for scams and potential vulnerabilities in relation to the World Cup.  From the report:

The 2014 FIFA World Cup in Brazil is expected to be one of the largest sporting events of this century.  While the world comes together to celebrate and compete in sport, cybercriminals have unfortunately identified vulnerabilities and may be plotting attacks against critical infrastructure.  In fact, members of international hacking groups such as Anonymous have recently made threats against official websites operated by FIFA, the Brazilian Government and corporate sponsors of the games.

Several malware operations, phishing attacks, and email scams linked to the World Cup have already been discovered.

See the report at:

http://www.symantec.com/content/en/us/enterprise/other_resources/b-cyber-security-trends-report-lamc.pdf

braziliStock_000032665550Small

UPDATE:
US defeats Ghana in opening match (despite cramping and a bash to the nose):
USA-Soccer-
Back to Five Thirty Eight – chances of a team advancing: U.S. at 63% (I think).  And, significantly, Brazil SPI now at 91.3.  (The commenters suggest the model does not favor a tie).

 

And now, Belgium:

Belgium is dangerous, but not as dangerous as tournament favorites Brazil, Germany and Argentina. Meanwhile, the Netherlands, France, Chile and Colombia also look more threatening than Belgium based on the things SPI looks at: pre-tournament resumes, form so far in the World Cup and, in the case of Chile and Colombia, games closer to home.

Our match-prediction algorithm gives the U.S. about a 42 percent chance of winning a knockout-stage game against Belgium based on each team’s SPI rating as of Thursday morning.

http://fivethirtyeight.com/datalab/the-u-s-s-odds-of-beating-belgium-and-every-other-world-cup-opponent/


UPDATE:

So, by now, we know the real SPI belongs to Germany.  Cool graphic re: Twitter traffic during World Cup Final:

http://cartodb.com/v/worldcup/match/?TC=x&vis=30acae6a-0a51-11e4-8918-0e73339ffa50&h=t&t=Germany,B40903%7CArgentina,5CA2D1&m=7%2F13%2F2014%2016:00:00%20GMT,7%2F12%2F2014%2018:35:00GMT&g=147%7C#/2/-11.7/-8.4/0

FiveThirtyEight’s revised analysis:

Germany didn’t begin the World Cup as the favorite. That honor belonged to (ahem) Brazil. But that’s a slightly deceptive measure. This was a top-heavy World Cup; not only Brazil but also Germany, Argentina and Spain would have been the front-runners in many past editions of the tournament.

By the end of the World Cup, Germany left little doubt it is the best team in the world. In fact, it may be the best national soccer team ever assembled.

http://fivethirtyeight.com/datalab/germany-may-be-the-best-national-soccer-team-ever/

 

 

 

 

Data and Security – Balancing Use and Oversight

Using Anonymous Patient Data 

patient recordsiStock_000011715450Small (1)

The Washington Post reports on the developments of PCORI – the Patient-Centered Outcomes Research Institute.  This was part of the move to get better information, data, out of the electronic health records initiative funded and spelled out in the Affordable Care Act.  The anonymized or de-identified data is supposed to help clinicians draw some meaningful conclusions from the vast wealth of information gathered by physicians, researchers, hospitals, insurers and the pharmaceutical industry.  The PCORI network is supposed to identify patients who could be invited to join clinical trials.  The new national patient network will comprise eleven sub-networks, drawing on records from participating organizations.  Of importance to the privacy watchdogs is that the participating organization retains all of the personally identifiable information and only the aggregated data is submitted for use in a research project.

Go to: http://www.washingtonpost.com/national/health-science/scientists-embark-on-unprecedented-effort-to-connect-millions-of-patient-medical-records/2014/04/15/ea7c966a-b12e-11e3-9627-c65021d6d572_print.html


The FTC Can Seek to Enjoin

Hotel

In other news, the FTC overcame some question of its authority to police data breach incidents, in this case data specifically involving consumer payment card account numbers.  In the FTC v. Wyndham Worldwide Corporation matter, Wyndham hotels challenged the FTC’s authority to bring suit for injunctive relief following three breach incidents.  The FTC had alleged in its suit that Wyndham had failed to implement reasonable and appropriate security measures which exposed consumers’ personal information to unauthorized access, collection and use that “has caused and is likely to cause substantial consumer injury, including financial injury, to consumers and businesses.”  The FTC had alleged that after discovering the first two breaches, Wyndham “failed to take appropriate steps in a reasonable time frame to prevent the further compromise of [its] network.”  Accordingly, the FTC sought a permanent injunction against Wyndham, presumably then to enter into some kind of agreement to correct such practices.  Wyndham argued that the FTC overstepped its authority and moved to dismiss the complaint, arguing that the FTC’s “unfairness authority” did not cover data security and arguing that the FTC needs to publish regulations before filing an unfairness claim in federal court.  The US District Court for the District of New Jersey declined to “carve out a data-security exception to the FTC’s authority.”  Wyndham had tried to get the Court to analogize this situation to the tobacco industry cases (where the FDA had denied authority over tobacco).  Instead, the District Court noted the FTC had never disavowed its authority over unfair practices related to data security.

Wyndham also challenged the FTC’s deception claim.  The FTC cited the Defendants’ privacy policy and alleged that the Defendants did not implement reasonable and appropriate measures to protect personal information from unauthorized access.  The FTC argued that the privacy policy representations therefore were false or misleading and constituted deceptive practices.  Wyndham argued that the FTC failed to meet a higher burden when alleging unlawful deception.  The Court rejected Wyndham’s arguments finding that a reasonable customer would have understood that the policy makes statements about data-security practices at the hotels, to the extent that the hotels control personally identifiable information.

There are other issues to be resolved in the sphere of enforcement and oversight of similar data breaches.  The injunction route can be fraught with technical issues and issues regarding how best to tailor oversight of an entities’ practices and promises.  However, for now, the FTC has asserted its authority in an important way, and some commentators believe this will embolden the FTC to bring  additional enforcement actions.  More than likely, the FTC will scrutinize those incidents that involve significant security lapses and/or some significant financial impact on consumers.

See FTC v. Wyndham Worldwide, Case 2:13-cv-01887-ES-JAD, Filed 04/07/14

Copy of case at: http://image.exct.net/lib/fefd167774640c/d/1/4.8%20Alert%20Wyndham%20Opinion.pdf

 

    ftc_logo_430-centennial

FTC Logo