Happy Data Privacy Day

The Ponemon Institute has released its list of Most Trusted Companies for Privacy.  Spoiler alert, they include:

Amazon
American Express
PayPal
Hewlett Packard
IBM

http://www.ponemon.org/blog/ponemon-institute-announces-results-of-2014-most-trusted-companies-for-privacy-study

You might also celebrate by joining IAPP and getting access to the Prudence the Privacy Pro comic strip.

https://privacyassociation.org/news/a/guess-what-its-data-privacy-day/

In related news, the FTC has released a Report on the Internet of Things.  The report includes the following recommendations for companies developing Internet of Things devices:

  • build security into devices at the outset, rather than as an afterthought in the design process;
  • train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
  • ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
  • when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
  • consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
  • monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.

http://www.ftc.gov/news-events/press-releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices

And, finally, a move to update ECPA:

• Proponents of updating ECPA, or the Electronic Communications Privacy Act, are using today to renew their call for reform.

“The statute governing access to electronic communications was written in 1986, well before most Americans relied on email and mobile devices to communicate,” said Ed Black, president and CEO of the Computer & Communications Industry Association (CCIA), in a statement. “After nearly 30 years on the books, it’s long overdue for an update.”

An update is what reform legislation, which will reportedly be re-introduced in “the coming weeks” by Sens. Patrick Leahy, D-Vermont, and Mike Lee, R-Utah, would provide. The bill would require a warrant before authorities could search email or other online communications. Under today’s ECPA, no warrants are required for such content that’s older than 180 days.

http://www.siliconbeat.com/2015/01/28/data-privacy-day-canada-spying-ecpa-reform-ubers-god-view-protecting-info/

President Proposes Federal Breach Notification Law

In advance of the State of the Union, President Obama appeared at the Federal Trade Commission today to preview a couple of administration proposals, which will be addressed in the upcoming speech to the nation.  The President addressed a potential federal breach notification statute:

…we’re introducing new legislation to create a single, strong national standard so Americans know when their information has been stolen or misused. Right now, almost every state has a different law on this, and it’s confusing for consumers and it’s confusing for companies — and it’s costly, too, to have to comply to this patchwork of laws. Sometimes, folks don’t even find out their credit card information has been stolen until they see charges on their bill, and then it’s too late. So under the new standard that we’re proposing, companies would have to notify consumers of a breach within 30 days. In addition, we’re proposing to close loopholes in the law so we can go after more criminals who steal and sell the identities of Americans — even when they do it overseas.

So, the proposal is to standardize breach notification to 30 days (Personal Data Notification & Protection Act; Florida is 30 days; some states say as soon as practicable).

Some express the concern (which is typically voiced by state Attorneys General) that a federal statute would dilute the effectiveness of the consumer protections in place. http://www.washingtonpost.com/blogs/the-switch/wp/2015/01/12/privacy-advocates-a-national-data-breach-notification-standard-might-actually-make-things-worse/

The political pundits comment that it is not clear whether such legislation would make it through Congress.  Some in industry resist a new federal statute that would absorb the various state rules, while consumer groups worry about federal preemption of stronger state protections. See comments at:

https://privacyassociation.org/news/a/obama-announces-legislation-on-student-id-consumer-privacy/

Another new proposal is the Student Digital Privacy Act.  This legislation would require that data gathered about students through educational programs can be used only in an educational context, not sold to third parties (similar to the recent California law).

The Administration is also going to revive its 2012 Consumer Privacy Bill of Rights, which lays out principles for online data collection (revised proposal to come out in 45 days).


UPDATE:

The President also took up the challenge of “precision medicine”:

I want the country that eliminated polio and mapped the human genome to lead a new era of medicine — one that delivers the right treatment at the right time. In some patients with cystic fibrosis, this approach has reversed a disease once thought unstoppable. Tonight, I’m launching a new Precision Medicine Initiative to bring us closer to curing diseases like cancer and diabetes — and to give all of us access to the personalized information we need to keep ourselves and our families healthier.

This is part of the movement toward tailored therapies and treatments for diseases and chronic conditions.  The example referenced in administration materials was that of a cystic fibrosis patient, given the medicine Kalydeco (developed by a company called Vertex).  Reportedly this is the first drug designed to counter the genetic cause of the life-threatening chronic lung disease.  The medicine targets the underlying cause of the disease for a small subset of patients.

Providing such targeted treatments likewise requires the collection of more personalized medical information from patients.  The costs of collecting data and personalizing treatment are noted in reaction to such initiatives, but its promoters also hope that “[m]ore research will allow clinicians to make more-precise diagnoses, which in turn drive better treatments.” http://www.modernhealthcare.com/

See also “The Patient – And Her Data – Will See You Now”:

http://www.rwjf.org/en/blogs/

“Personalized medicine has the potential to transform our health care system, which consumes almost $3 trillion a year, 80 percent of it for preventable diseases,” Dr. Snyderman said.

Although the new tests and treatments are often expensive, he added, personalized medicine can save money while producing better results. “It focuses therapy on individuals in whom it will work,” he said. “You can avoid wasting money on people who won’t respond or will have an adverse reaction.”

California Updates and Tries to Strengthen Some Privacy Protections

California’s Updates on Breach and Security

Gov. Jerry Brown signed legislation beefing up California’s breach notification law. The new law, effective January 1, 2015, requires companies that suffer a breach to offer free identity theft prevention and mitigation services to consumers for at least a year if their Social Security or driver’s license number was compromised. The consumer will still be responsible for taking some action to accept those services.

The Governor signed other bills that also attempt to provide additional privacy and security protections, including restrictions on the paparazzi, laws addressing “revenge porn,” and a prohibition on the state helping federal intelligence agencies collect telephone records without warrants:

  • SB 1177 – Prohibits the creation and distribution of “profiles” of minor students; prohibits applications from targeting K-12 students
  • AB 928 – Requires each state agency and department to conspicuously post its privacy policy on its website
  • AB 1256 and AB 2306 – Expand existing law regarding invasion of privacy (expand the types of activity protected from unwarranted capturing of images or photographs; establish zones of privacy around schools and medical facilities; eliminate the existing physical trespass requirement for invasion of privacy; make illegal the use of drones and other electronic devices to capture images of individuals in their homes)
  • AB 1356 – Expands legal recourse for stalking victims (allows plaintiffs to plead “substantial emotional distress” as an alternative to the existing standard of “reasonable fear”)
  • AB 2643 – Creates private legal recourse against a person who intentionally distributes a sexually explicit image or video of another without his or her consent (allows plaintiffs to file a civil suit for damages against a defendant who posted intimate photos or videos of the plaintiff without consent)
  • SB 828 – Prohibits state agencies from assisting the federal government in the collection of personal, electronically stored data, except under certain circumstances (that the state knows to be illegal or unconstitutional)
  • SB 1255 – Expands existing law regarding the distribution of a sexually explicit image or video of another with the intent to cause serious emotional distress

Not-So-Cyber Monday


Or, is it just a mobile smoothing?

Retailers are reporting that the Black Friday shopping events and the historic Cyber Monday follow-up event may be on the decline.  This does not necessarily signal an overall decline in holiday season shopping but rather a shift in the habits and tools used by shoppers.  A retail consulting firm is publishing fresh results from the 2014 holiday shopping “opening weekend”:

Online shopping was up almost 20% in Thanksgiving 2014 compared to Thanksgiving 2013, driven by mobile shopping and promotions.
Despite this growth, Thanksgiving – contrary to some predictions – is nowhere near Black Friday or Cyber Monday in terms of online shopping. Revenue on Black Friday 2013 was almost 2.5X higher than Thanksgiving 2014, and revenue on Cyber Monday was three times as high.

http://blog.custora.com/2014/11/turkey-football-and-online-shopping-the-stars-of-thanksgiving-2014/

http://www.siliconbeat.com/2014/12/01/cyber-monday-may-be-fading/

Krebs on Security advises readers to be wary of online phantom stores.  He warns that it is not uncommon for bargain-basement phantom Web sites to materialize during the holiday season.  https://krebsonsecurity.com/2014/11/black-friday-cyber-monday-for-crooks-too/

Meanwhile, the cyber event reporting from the weekend so far is that the Syrian Electronic Army “hacked” some pop-up ads for retailers over the Thanksgiving weekend but no consumer account or personally identifiable information was affected – instead of seeing ads, the SEA logo was substituted on Web sites for Forbes, The Chicago Tribune, CNBC, PC World, the NHL and Canadian broadcaster CBC.  It’s believed that the SEA’s route of attack was through the popular commenting platform Gigya.


http://www.digitaltrends.com/web/syrian-electronic-army-celebrates-thanksgiving-widespread-ad-hack/

Tracking the Injury in Personal Injury

A Canadian law firm is using wearable technology to provide information for assessing a personal injury client’s loss and potential damages.  McLeod Law in Calgary states on its website that “Vivametrica’s Functional Activity Assessment tool provides a method for the early assessment of the strength of a client’s case. The Functional Activity Assessment closes the gap between what a client perceives and what is objectively verifiable.”  Vivametrica states that it analyzes data from wearable sensor devices for the assessment of health and wellness.  While not exactly using Fitbit data directly, reportedly the technology “uses public research to compare a person’s activity data with that of the general population.”  As noted on the Vivametrica website, this technology also allows caregivers to engage on a more specific level with the wearers.  In the Canadian case, reportedly this is the first time such technology will be used directly in a court case.

This will be an interesting test case, not only in how the plaintiff presents the case for damages but also in how defendants and juries respond to the introduction of such evidence, and whether it sets a new standard for such cases.

http://www.forbes.com/sites/parmyolson/2014/11/16/fitbit-data-court-room-personal-injury-claim/

https://www.mcleod-law.com/news/vivametricas-analytics-platform-supports-personal-injury-claims


Forget Me Not

As noted in an earlier post, in May, the European Court of Justice ruled in favor of an individual’s right to have Google delete certain links about that individual. The decision was based in part on a finding by the court that Google is a data controller.

In 2010 a Spanish citizen lodged a complaint against a Spanish newspaper with the national Data Protection Agency and against Google Spain and Google Inc. The citizen complained that an auction notice of his repossessed home on Google’s search results infringed his privacy rights because the proceedings concerning him had been fully resolved for a number of years and hence the reference to these proceedings was entirely irrelevant. He requested, first, that the newspaper be required either to remove or alter the pages in question so that the personal data relating to him no longer appeared; and second, that Google Spain or Google Inc. be required to remove the personal data relating to him, so that it no longer appeared in the search results.  The ECJ agreed.

http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_en.pdf

Google set up a form on its site allowing people to request which links should be taken down.  Google has fielded about a hundred and twenty thousand requests for deletions and granted roughly half of them. Other search engines that provide service in Europe, like Microsoft’s Bing, have set up similar systems.

http://www.newyorker.com/magazine/2014/09/29/solace-oblivion

And Google, at last count, reportedly rejects 59% of the requests.

http://money.cnn.com/2014/10/10/technology/google-forgotten/

The ruling has been criticized, primarily by news gathering organizations and certain free speech advocates.  The New York Times editorial: “The court’s decision is both too broad and curiously narrow. It is too broad in that it allows individuals to impede access to facts about themselves found in public documents. This is a form of censorship, one that would most likely be unconstitutional if attempted in the United States.”

Now, the BBC will begin – in the “next few weeks” – publishing the list of removed URLs it has been notified about by Google.

http://www.bbc.com/news/technology-29658085

The editorial staff of the BBC felt that some of its articles had been wrongly hidden.

European Union flags outside the European Commission headquarters in Brussels

Florida Updates Breach Law

Effective July 1, 2014

On June 20, 2014, Florida Governor Rick Scott signed into law the Florida Information Protection Act of 2014. The legislation beefs up the definition of what will trigger a notification response. Personal information is now defined as an individual’s first name, first initial and last name, or any middle name and last name, in combination with any one or more of these data elements:

  • SSN
  • DL number or ID number, passport number, military ID number or other similar number issued on a government document
  • Financial account number or credit/debit card number in combination with security/access code or password
  • Any information regarding a person’s medical history, mental/physical condition or treatment/diagnosis
  • Health insurance policy number or subscriber number
  • User name or email address, in combination with a password or security question (that would permit access)

The law requires notification following a breach “without unreasonable delay,” and no later than 30 days following the determination of a breach (with certain exceptions). If the notification affects more than 1,000 persons at a single time, notice must also be given to consumer reporting agencies. The act now uses the definition “covered entity” to describe the organizations impacted; covered entity includes a sole proprietorship, partnership, corporation, trust, estate, cooperative, association or other commercial entity that acquires, maintains, stores, or uses personal information. (For certain purposes, this includes governmental entities). The act addresses customer records and data (electronic format). Notice is to be provided to the Department of Legal Affairs of any breach affecting 500 or more individuals, no later than 30 days after the determination of a breach (or reason to believe there was a breach).

In addition to describing the incident and who was affected, the reporting entity must include a police or incident report or computer forensics report, a copy of policies in place regarding breaches, and steps taken to rectify the breach.

The law provides quite a few more rigorous requirements involving security and how entities are to provide a breach response. The Attorney General “thanked” the Governor for enacting the law quoting other legislators who commented that the act “will better protect the confidential personal information of Floridians and hold accountable those who attempt to compromise the security of that information.” The AG notes that the law also requires covered entities “to take reasonable measures to protect Floridians’ personal information and [to] properly dispose of customer records.”

See text at:

http://www.flsenate.gov/Session/Bill/2014/1524

See also commentary about why this law could be a model for a comprehensive federal law (reasonable data protection; secure disposal; unauthorized access triggers notification; scale of notification requirements; PII includes medical history and insurance ID; 30-day notification deadline; documentation of investigation; schedule for penalties).

http://www.idt911.com/KnowledgeCenter/NewsRoom/NewsRoomDetail.aspx?a=6E04A83A-6EE4-4806-AA26-6623B82FAB65

Brazil’s SPI: 45.2…Whatever That Means

Nate Silver’s Five Thirty Eight blog is featuring its algorithm versus the marketplace bracket mechanism.  While Brazil is heavily favored to win the World Cup, FiveThirtyEight favors them even more than the betting shops do — based on “real math.”  Nate describes the system as follows:

Today we’re launching an interactive that calculates every team’s chances of advancing past the group stage and eventually winning the tournament. The forecasts are based on the Soccer Power Index (SPI), an algorithm I developed in conjunction with ESPN in 2010. SPI has Brazil as the heavy favorite, with a 45 percent chance of winning the World Cup, well ahead of Argentina (13 percent), Germany (11 percent) and Spain (8 percent).

The overwhelming factor in this scoring is Brazil’s dominance at home.

Also, relatively good news for Team USA — the betting line has them at a 0.3% chance of winning the World Cup, while FiveThirtyEight’s SPI has them at 0.4%.

Good luck #USMNT – indeed!

Go to:

http://fivethirtyeight.com/features/its-brazils-world-cup-to-lose/

And:

http://www.ussoccer.com/stories/2014/06/09/19/44/140609-mnt-travel-to-brazil-feature

And, just in time, Symantec releases its 96-page report: “Latin American + Caribbean Cyber Security Trends.”  The report includes individual country reports, which provide details on government capabilities for dealing with cyber security and cybercrime, including any relevant statistics released by the governing authorities regarding sectors affected by cybercrime.  Symantec likewise provides some quick country stats, for example:

Brazil:

Population: 201,033,000

Internet Penetration: 49.8%

Fixed Broadband Subscribers: 9.2%

And, Symantec, along with its co-sponsor, Organization of American States, sounds the alarm bell for scams and potential vulnerabilities in relation to the World Cup.  From the report:

The 2014 FIFA World Cup in Brazil is expected to be one of the largest sporting events of this century.  While the world comes together to celebrate and compete in sport, cybercriminals have unfortunately identified vulnerabilities and may be plotting attacks against critical infrastructure.  In fact, members of international hacking groups such as Anonymous have recently made threats against official websites operated by FIFA, the Brazilian Government and corporate sponsors of the games.

Several malware operations, phishing attacks, and email scams linked to the World Cup have already been discovered.

See the report at:

http://www.symantec.com/content/en/us/enterprise/other_resources/b-cyber-security-trends-report-lamc.pdf


UPDATE:
US defeats Ghana in opening match (despite cramping and a bash to the nose):
Back to Five Thirty Eight – chances of a team advancing: U.S. at 63% (I think).  And, significantly, Brazil SPI now at 91.3.  (The commenters suggest the model does not favor a tie).


And now, Belgium:

Belgium is dangerous, but not as dangerous as tournament favorites Brazil, Germany and Argentina. Meanwhile, the Netherlands, France, Chile and Colombia also look more threatening than Belgium based on the things SPI looks at: pre-tournament resumes, form so far in the World Cup and, in the case of Chile and Colombia, games closer to home.

Our match-prediction algorithm gives the U.S. about a 42 percent chance of winning a knockout-stage game against Belgium based on each team’s SPI rating as of Thursday morning.

http://fivethirtyeight.com/datalab/the-u-s-s-odds-of-beating-belgium-and-every-other-world-cup-opponent/


UPDATE:

So, by now, we know the real SPI belongs to Germany.  Cool graphic re: Twitter traffic during World Cup Final:

http://cartodb.com/v/worldcup/match/?TC=x&vis=30acae6a-0a51-11e4-8918-0e73339ffa50&h=t&t=Germany,B40903%7CArgentina,5CA2D1&m=7%2F13%2F2014%2016:00:00%20GMT,7%2F12%2F2014%2018:35:00GMT&g=147%7C#/2/-11.7/-8.4/0

FiveThirtyEight’s revised analysis:

Germany didn’t begin the World Cup as the favorite. That honor belonged to (ahem) Brazil. But that’s a slightly deceptive measure. This was a top-heavy World Cup; not only Brazil but also Germany, Argentina and Spain would have been the front-runners in many past editions of the tournament.

By the end of the World Cup, Germany left little doubt it is the best team in the world. In fact, it may be the best national soccer team ever assembled.

http://fivethirtyeight.com/datalab/germany-may-be-the-best-national-soccer-team-ever/

Once Again, California…on Privacy, Do Not Track

AG Kamala Harris Issues Guide on Privacy Policies/Do-Not-Track Disclosures


In a press release issued May 21, 2014, the Attorney General for California, Kamala Harris, issued a series of recommendations for businesses that address changes to California privacy law.  Key recommendations include:

  • Prominent labeling for sections dealing with online tracking, e.g., “California Do Not Track Disclosures”
  • Describe how you respond to a browser’s Do Not Track signal (or similar mechanisms)
  • Are third parties collecting personally identifiable information?  If yes, say so
  • Explain uses of personally identifiable information
  • Describe what you collect, how you use it, how long you retain it
  • Describe choices the consumer has regarding use/sharing of PII
  • Use plain language – use graphics/icons

The guide includes summaries of relevant CA statutes (CalOPPA – broad requirement for privacy policies; AB 370 – tracking transparency).  And, while there are no new regulations or enforcement mechanisms provided in the “guide,” entities doing business in California, and those entities previously under scrutiny by the AG (e.g., Amazon, Apple, Facebook), will likely pay close attention to ensure compliance.  The guide is called “Making Your Privacy Practices Public” and you can see it at:

https://oag.ca.gov/sites/all/files/agweb/pdfs/cybersecurity/making_your_privacy_practices_public.pdf
