Not-So-Cyber Monday


Or, is it just a mobile smoothing?

Retailers are reporting that the Black Friday shopping events and the historic Cyber Monday follow up event may be on the decline.  This does not necessarily signal an overall decline in holiday season shopping trends but a shift in the habits and tools utilized by shoppers.  A retail consulting firm is publishing fresh results from the 2014 holiday shopping “opening weekend:”

Online shopping was up almost 20% in Thanksgiving 2014 compared to Thanksgiving 2013, driven by mobile shopping and promotions.
Despite this growth, Thanksgiving – contrary to some predictions – is nowhere near Black Friday or Cyber Monday in terms of online shopping. Revenue on Black Friday 2013 was almost 2.5X higher than Thanksgiving 2014, and revenue on Cyber Monday was three times as high.

http://blog.custora.com/2014/11/turkey-football-and-online-shopping-the-stars-of-thanksgiving-2014/

http://www.siliconbeat.com/2014/12/01/cyber-monday-may-be-fading/

Krebs On Security advises readers to be wary of online phantom stores.  He warns that it is not uncommon for bargain-basement, phantom Web sites to materialize during the holiday season.  https://krebsonsecurity.com/2014/11/black-friday-cyber-monday-for-crooks-too/

Meanwhile, the cyber event reporting from the weekend so far is that the Syrian Electronic Army “hacked” some pop-up ads for retailers over the Thanksgiving weekend but no consumer account or personally identifiable information was affected – instead of seeing ads, the SEA logo was substituted on Web sites for Forbes, The Chicago Tribune, CNBC, PC World, the NHL and Canadian broadcaster CBC.  It’s believed that the SEA’s route of attack was through the popular commenting platform Gigya.


http://www.digitaltrends.com/web/syrian-electronic-army-celebrates-thanksgiving-widespread-ad-hack/

Tracking the Injury in Personal Injury

A Canadian law firm is utilizing wearable technology to provide information in assessing a personal injury client’s loss and potential damages.  McLeod Law in Calgary states on its website that “Vivametrica’s Functional Activity Assessment tool provides a method for the early assessment of the strength of a client’s case. The Functional Activity Assessment closes the gap between what a client perceives and what is objectively verifiable.”  Vivametrica states that it analyzes data from wearable sensor devices for the assessment of health and wellness.  While not exactly using Fitbit data directly, reportedly the technology “uses public research to compare a person’s activity data with that of the general population.”  As noted on the Vivametrica website, this technology also allows caregivers to engage on a more specific level with the wearers.  In the Canadian case, reportedly this is the first time such technology will be used directly in a court case.

This will be an interesting test case, not only in terms of presenting the plaintiff’s case for damages, but also in seeing how defendants and juries respond to the introduction of such evidence and whether it sets a new standard for such cases.

http://www.forbes.com/sites/parmyolson/2014/11/16/fitbit-data-court-room-personal-injury-claim/

https://www.mcleod-law.com/news/vivametricas-analytics-platform-supports-personal-injury-claims


Forget Me Not

As noted in an earlier post, in May, the European Court of Justice ruled in favor of an individual’s right to have Google delete certain links about that individual. The decision was based in part on a finding by the court that Google is a data controller.

In 2010 a Spanish citizen lodged a complaint against a Spanish newspaper with the national Data Protection Agency and against Google Spain and Google Inc. The citizen complained that an auction notice of his repossessed home on Google’s search results infringed his privacy rights because the proceedings concerning him had been fully resolved for a number of years and hence the reference to these proceedings was entirely irrelevant. He requested, first, that the newspaper be required either to remove or alter the pages in question so that the personal data relating to him no longer appeared; and second, that Google Spain or Google Inc. be required to remove the personal data relating to him, so that it no longer appeared in the search results.  The ECJ agreed.

http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_en.pdf

Google set up a form on its site allowing people to request which links should be taken down.  Google has fielded about a hundred and twenty thousand requests for deletions and granted roughly half of them. Other search engines that provide service in Europe, like Microsoft’s Bing, have set up similar systems.

http://www.newyorker.com/magazine/2014/09/29/solace-oblivion

And Google, at last count, reportedly rejects 59% of the requests.

http://money.cnn.com/2014/10/10/technology/google-forgotten/

The ruling has been criticized, primarily by news gathering organizations and certain free speech advocates.  The New York Times editorial: “The court’s decision is both too broad and curiously narrow. It is too broad in that it allows individuals to impede access to facts about themselves found in public documents. This is a form of censorship, one that would most likely be unconstitutional if attempted in the United States.”

Now, the BBC will begin – in the “next few weeks” – publishing the list of removed URLs it has been notified about by Google.

http://www.bbc.com/news/technology-29658085

The editorial staff of the BBC felt that some of its articles had been wrongly hidden.

European Union flags outside the European Commission headquarters in Brussels

Florida Updates Breach Law

-Effective July 1, 2014-

On June 20, 2014, Florida Governor Rick Scott signed into law the Florida Information Protection Act of 2014. The legislation beefs up the definition of what will trigger a notification response. Personal information is now defined as an individual’s first name, first initial and last name, or any middle name and last name, in combination with any one or more of these data elements:

-SSN

-DL number or ID number, passport number, military ID number or other similar number issued on a government document

-Financial account number or credit/debit card number in combination with security/access code or password

-Any information regarding a person’s medical history, mental/physical condition or treatment/diagnosis

-Health insurance policy number or subscriber number

-User name or email address, in combination with a password or security question (that would permit access)

The law requires notification following a breach “without unreasonable delay,” and no later than 30 days following the determination of a breach (with certain exceptions). If the notification affects more than 1,000 persons at a single time, notice must also be given to consumer reporting agencies. The act now uses the definition “covered entity” to describe the organizations impacted; covered entity includes a sole proprietorship, partnership, corporation, trust, estate, cooperative, association or other commercial entity that acquires, maintains, stores, or uses personal information. (For certain purposes, this includes governmental entities). The act addresses customer records and data (electronic format). Notice is to be provided to the Department of Legal Affairs of any breach affecting 500 or more individuals, no later than 30 days after the determination of a breach (or reason to believe there was a breach).

In addition to describing the incident and who was affected, the reporting entity must include a police or incident report or computer forensics report, a copy of policies in place regarding breaches, and steps taken to rectify the breach.

The law provides quite a few more rigorous requirements involving security and how entities are to provide a breach response. The Attorney General “thanked” the Governor for enacting the law quoting other legislators who commented that the act “will better protect the confidential personal information of Floridians and hold accountable those who attempt to compromise the security of that information.” The AG notes that the law also requires covered entities “to take reasonable measures to protect Floridians’ personal information and [to] properly dispose of customer records.”

See text at:

http://www.flsenate.gov/Session/Bill/2014/1524

See also commentary about why this law could be model for a comprehensive federal law (reasonable data protection; secure disposal; unauthorized access triggers notification; scale of notification requirements; PII includes medical history, insurance ID; 30-day notification deadline; documentation of investigation; schedule for penalties).

http://www.idt911.com/KnowledgeCenter/NewsRoom/NewsRoomDetail.aspx?a=6E04A83A-6EE4-4806-AA26-6623B82FAB65


Brazil’s SPI: 45.2…Whatever That Means

Nate Silver’s Five Thirty Eight blog is featuring an algorithm versus the marketplace bracket mechanism.  While Brazil is heavily favored to win the World Cup, FiveThirtyEight favors them even more than the betting shops — based on “real math.”  Nate describes the system as such:

Today we’re launching an interactive that calculates every team’s chances of advancing past the group stage and eventually winning the tournament. The forecasts are based on the Soccer Power Index (SPI), an algorithm I developed in conjunction with ESPN in 2010. SPI has Brazil as the heavy favorite, with a 45 percent chance of winning the World Cup, well ahead of Argentina (13 percent), Germany (11 percent) and Spain (8 percent).

The overwhelming factor in this scoring is Brazil’s dominance at home.

Also, relatively good news for Team USA — the betting line has them at a 0.3% chance of winning the World Cup while FiveThirtyEight’s SPI has them at 0.4%.

Good luck #USMNT – indeed!

Go to:

http://fivethirtyeight.com/features/its-brazils-world-cup-to-lose/

And:

http://www.ussoccer.com/stories/2014/06/09/19/44/140609-mnt-travel-to-brazil-feature

And, just in time, Symantec releases its 96-page report: “Latin American + Caribbean Cyber Security Trends.”  The report includes individual country reports, which provides details on government capabilities for dealing with cyber security and cybercrime, including any relevant statistics released by the governing authorities regarding sectors affected by cybercrime.  Symantec likewise provides some quick country stats, for example:

Brazil:

Population: 201,033,000

Internet Penetration: 49.8%

Fixed Broadband Subscribers: 9.2%

And, Symantec, along with its co-sponsor, Organization of American States, sounds the alarm bell for scams and potential vulnerabilities in relation to the World Cup.  From the report:

The 2014 FIFA World Cup in Brazil is expected to be one of the largest sporting events of this century.  While the world comes together to celebrate and compete in sport, cybercriminals have unfortunately identified vulnerabilities and may be plotting attacks against critical infrastructure.  In fact, members of international hacking groups such as Anonymous have recently made threats against official websites operated by FIFA, the Brazilian Government and corporate sponsors of the games.

Several malware operations, phishing attacks, and email scams linked to the World Cup have already been discovered.

See the report at:

http://www.symantec.com/content/en/us/enterprise/other_resources/b-cyber-security-trends-report-lamc.pdf


UPDATE:
US defeats Ghana in opening match (despite cramping and a bash to the nose):
Back to Five Thirty Eight – chances of a team advancing: U.S. at 63% (I think).  And, significantly, Brazil SPI now at 91.3.  (The commenters suggest the model does not favor a tie).


And now, Belgium:

Belgium is dangerous, but not as dangerous as tournament favorites Brazil, Germany and Argentina. Meanwhile, the Netherlands, France, Chile and Colombia also look more threatening than Belgium based on the things SPI looks at: pre-tournament resumes, form so far in the World Cup and, in the case of Chile and Colombia, games closer to home.

Our match-prediction algorithm gives the U.S. about a 42 percent chance of winning a knockout-stage game against Belgium based on each team’s SPI rating as of Thursday morning.

http://fivethirtyeight.com/datalab/the-u-s-s-odds-of-beating-belgium-and-every-other-world-cup-opponent/


UPDATE:

So, by now, we know the real SPI belongs to Germany.  Cool graphic re: Twitter traffic during World Cup Final:

http://cartodb.com/v/worldcup/match/?TC=x&vis=30acae6a-0a51-11e4-8918-0e73339ffa50&h=t&t=Germany,B40903%7CArgentina,5CA2D1&m=7%2F13%2F2014%2016:00:00%20GMT,7%2F12%2F2014%2018:35:00GMT&g=147%7C#/2/-11.7/-8.4/0

FiveThirtyEight’s revised analysis:

Germany didn’t begin the World Cup as the favorite. That honor belonged to (ahem) Brazil. But that’s a slightly deceptive measure. This was a top-heavy World Cup; not only Brazil but also Germany, Argentina and Spain would have been the front-runners in many past editions of the tournament.

By the end of the World Cup, Germany left little doubt it is the best team in the world. In fact, it may be the best national soccer team ever assembled.

http://fivethirtyeight.com/datalab/germany-may-be-the-best-national-soccer-team-ever/


Once Again, California…on Privacy, Do Not Track

AG Kamala Harris Issues Guide on Privacy Policies/Do-Not-Track Disclosures


In a press release issued May 21, 2014, the Attorney General for California, Kamala Harris, issued a series of recommendations for businesses that address changes to California privacy law.  Key recommendations include:

  • Prominent labeling for sections dealing with online tracking, e.g., “California Do Not Track Disclosures”
  • Describe how you respond to a browser’s Do Not Track signal (or similar mechanisms)
  • Are third parties collecting personally identifiable information?  If yes, say so
  • Explain uses of personally identifiable information
  • Describe what you collect, how you use it, how long you retain it
  • Describe choices the consumer has regarding use/sharing of PII
  • Use plain language – use graphics/icons

The guide includes summaries of relevant CA statutes (CalOPPA – broad requirement for privacy policies; AB 370 – tracking transparency).  And, while there are no new regulations or enforcement mechanisms provided in the “guide,” obviously, entities doing business in California, and those entities previously under scrutiny by the AG (e.g., Amazon, Apple, Facebook, etc.), will likely pay close attention to ensure compliance.  The guide is called Making Your Privacy Practices Public and you can see it at:

https://oag.ca.gov/sites/all/files/agweb/pdfs/cybersecurity/making_your_privacy_practices_public.pdf


The Right to be Forgotten: EU Decision


Historic Decision by the European Union’s Highest Court

The European Court of Justice ruled in favor of an individual’s right to have Google delete certain links about that individual. The decision was based in part on a finding by the court that Google is a data controller, which apparently is at odds with earlier EU rulings – ECJ’s Advocate General decided in 2013 that Google did not need to delete the links because it was not the “controller” of data and that information should only be deleted when the personal information is either incomplete or inaccurate.

Some commentators question the basis for the decision: “Given that the EU has spent two years debating this right as part of the reform of EU privacy legislation, it is ironic that the ECJ has found it already exists in such a striking manner.” Richard Cumbley of Linklaters told The New York Times.

And, practitioners sound the alarm: Operationally, this will “put search engines in the extremely onerous position of having to take a view on how to comply with potentially millions of individual requests.”  (See more details at IAPP Newsletter, The Privacy Advisor, https://www.privacyassociation.org/publications)

Google and others will argue that this amounts to censorship; from Levi Sumagaysay’s blog:

* * * *

Does the right to be forgotten — or the right to privacy — outweigh censorship concerns? “[The decision] is one of the most wide-sweeping Internet censorship rulings that I’ve ever seen,” Wikipedia founder Jimmy Wales told the BBC. Wales said he expects Google to fight back hard. “If they have to start coping with everybody who whines about a picture they posted last week, it’s going to be very difficult for Google.”

http://www.siliconbeat.com/author/lsumagaysay/

Largest HIPAA Settlement: $4.8 mil

HHS issued a press release on May 7, 2014 announcing settlements with two healthcare organizations.  Following submission of a joint breach report by New York and Presbyterian Hospital (NYP) and Columbia University (CU), the HHS Office of Civil Rights (“OCR”) investigated the disclosure of ePHI of 6,800 individuals, which included patient status, vital signs, medications, and laboratory results.  NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP.  The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally owned computer server on the network containing NYP patient ePHI.  Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines.

In addition to the disclosure of ePHI, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections; and neither entity had conducted a thorough risk analysis or had an adequate risk management plan.

NYP has paid $3.3 million and CU has paid $1.5 million, with both entities agreeing to a substantive corrective action plan.

HHS press release: http://www.hhs.gov/news/press/2014pres/05/20140507b.html


Costs of Data Breach: Benchmark Study Released


The Ponemon Institute and IBM have released their 2014 Cost of Data Breach Study for the U.S.  The notable results include:

  • Per record cost has increased from $188/record in 2013 to $201/record as of 2014
  • The indirect cost per record was $134/record; direct cost at $67/record (indirect=internal overhead; loss of brand value/reputation; customer “churn”)
  • 44% of those surveyed blamed breach on malicious or criminal attacks as compared to 31% blaming some human factor
  • Public sector and retail companies are more likely to have a breach (healthcare sector came in 8th place, financial sector in 10th place)
  • Healthcare industry had highest costs per capita ($316/record – authors cite regulation as factor)
  • Notification costs decreased
  • Companies are far more likely to have a small data breach than a mega breach

The authors also provide details regarding the factors that they found are influencing the costs – consultants engaged; mobile devices at issue; quick notification and the like.

For a copy of the report, go to:

http://www.ponemon.org/


Oh the Sun Shines Bright in My Old Kentucky…

…Cloud?

Kentucky is now the 47th state to enact a data breach notification law.

Identity Theft/Fraud Trigger

The bill was signed into law by Governor Steve Beshear earlier this month and requires notification following an event “that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud.”  Kentucky’s law defines “personally identifiable information” as an individual’s first name or first initial and last name in combination with any one or more of the following data elements (when not redacted):

  1. SSNs
  2. DL numbers
  3. Account number, credit or debit number, in combination with any required security code, access code or password permit[ting] access to an individual’s financial account.

The statute specifies that any “information holder” shall disclose any breach of the security system following discovery or notification of the breach in the security of the data, to any resident of Kentucky whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  The statute states disclosure “shall be made in the most expedient time possible…consistent with the legitimate needs of law enforcement.”  The notification provisions shall not apply to any person subject to the provisions of Gramm-Leach-Bliley, HIPAA or any state or local governmental agency.

Student Protections

In addition, the statute requires express parental permission for a cloud computing service provider to process student data for any purpose other than providing, improving, developing, or maintaining the integrity of the cloud computing services (or if done in connection with educational research, per federal statute).

The state auditor had promoted enacting such legislation and released a report stating:

“Although auditors didn’t identify any cyber security breaches, they did find instances of state agencies failing to take the necessary steps to protect confidential or sensitive information,” Auditor Edelen said. “This further illustrates the need for legislation to incentivize state and local government to better secure the data it holds on us, as well as require them to notify us when it’s lost or stolen.”

http://www.wdrb.com/story/24272935/ky-auditor-says-a-data-breach-notification-law-is-needed

http://apps.auditor.ky.gov/Public/Audit_Reports/Archive/2013SSWAK-I-PR.pdf

Just in time for the 140th “Run for the Roses”

My Old Kentucky Home by Stephen Foster

The sun shines bright in My Old Kentucky Home,

‘Tis summer, the people are gay;
The corn-top’s ripe and the meadow’s in the bloom
While the birds make music all the day.

The young folks roll on the little cabin floor,
All merry, all happy and bright;
By ‘n’ by hard times comes a knocking at the door,
Then My Old Kentucky Home, good night!

Chorus:

Weep no more my lady
Oh weep no more today;
We will sing one song
For My Old Kentucky Home
For My Old Kentucky Home, far away


http://allrecipes.com/recipe/mint-juleps/


http://www.kentuckyderby.com/

“The Kentucky Derby is a Grade I stakes race for three year-old Thoroughbred horses, held annually in Louisville, Kentucky, on the first Saturday in May. The race is one and a quarter miles at Churchill Downs. The race is known in the United States as “The Greatest Two Minutes in Sports™” for its approximate duration, and is also called “The Run for the Roses” for the blanket of roses draped over the winner. It is the first leg of the United States Triple Crown of Thoroughbred Racing and is followed by the Preakness Stakes and Belmont Stakes.”

And, for some Data and The Derby – see:

http://helloracefans.com/handicapping/patterns/geek-out-mining-derby-data/
