A Microsoft Corp lawsuit aimed at striking down a law preventing companies from telling customers that the government is seeking access to their data has been joined by a number of heavy hitters, including the US Chamber of Commerce, the National Association of Manufacturers, Delta Air Lines Inc, BP America, the Washington Post, Fox News, the National Newspaper Association, Apple, Google, Amazon and others.
Microsoft maintains that the law – which allows the government to seize data located on third party computers, without the targets’ permission, or even notice – is unconstitutional.
The Department of Justice argues that Microsoft has no standing to bring the case and that the public has “a compelling interest in keeping criminal investigations confidential”. It also maintains that procedural safeguards are in place to protect constitutional rights.
Over at Out-Law.com, data protection lawyer Kathryn Wynn sets out her views on why IP addresses are best treated as personal information, regardless of which way the European Court of Justice rules in a pending case in Germany.
The ECJ has been asked to rule on whether website operators’ collection of IP addresses automatically qualifies as the collection of personal information, by virtue of the fact that additional information in the hands of third party ISPs could be used to identify individuals based on those IP addresses.
CBC has an interesting article on face-reading technology and its potential applications in “bricks and mortar” retail stores. The article also links to a report (PDF) on automated facial recognition from The Office of the Information Privacy Commissioner of Canada. There’s plenty to think about here for any retailer looking to optimise their marketing and sales strategies using information gleaned from in-store tracking or monitoring of any kind.
Hat Tip: Barry Sookman
The Federal Trade Commission (FTC) has settled a claim against Henry Schein Practice Solutions Inc (Schein), a provider of office management software for dental practices. The FTC claimed that Schein falsely advertised the level of encryption in software provided to protect patient data.
Schein marketed a database to dental practices with claims that the software met the Advanced Encryption Standard (AES) encryption requirements for protecting patient data under US healthcare regulations. However, rather than encryption, the software used a less secure “data camouflage” algorithm which was more vulnerable to attack.
Under the settlement, Schein will be required to notify all customers that the software does not provide industry-standard encryption. Schein will also pay USD 250,000 as disgorgement – a common provision in FTC advertising cases, but the first for marketing claims specifically related to data security.
Link (FTC): FTC press release
A feature by Monte Reel and Jordan Robertson for Bloomberg Business looks at the world of security vulnerabilities in medical devices. The authors look at the findings of research carried out for the Mayo Clinic on the security of devices used on its premises. The results are sobering:
“For a full week, the group spent their days looking for backdoors into magnetic resonance imaging scanners, ultrasound equipment, ventilators, electroconvulsive therapy machines, and dozens of other contraptions. The teams gathered each evening inside the hospital to trade casualty reports.
‘Every day, it was like every device on the menu got crushed,’ Rios says. ‘It was all bad. Really, really bad.’ The teams didn’t have time to dive deeply into the vulnerabilities they found, partly because they found so many—defenseless operating systems, generic passwords that couldn’t be changed, and so on.
The Mayo Clinic emerged from those sessions with a fresh set of security requirements for its medical device suppliers, requiring that each device be tested to meet standards before purchasing contracts were signed. Rios applauded the clinic, but he knew that only a few hospitals in the world had the resources and influence to pull that off, and he walked away from the job with an unshakable conviction: Sooner or later, hospitals would be hacked, and patients would be hurt. He’d gotten privileged glimpses into all sorts of sensitive industries, but hospitals seemed at least a decade behind the standard security curve.”
Link: Full article on Bloomberg Business
The new Trans-Pacific Partnership was signed last week, and includes a chapter on electronic commerce. The full details of the agreement are not yet available, but New Zealand’s Ministry of Foreign Affairs and Trade (MFAT) has released a summary.
The chapter on electronic commerce promises to be of particular interest to privacy and data protection practitioners. In its summary of chapter 14, MFAT states:
“TPP Parties commit to ensuring free flow of the global information and data that drives the Internet and the digital economy, subject to legitimate public policy objectives such as personal information protection. The 12 Parties also agree not to require that TPP companies build data centres to store data as a condition for operating in a TPP market, and, in addition, that source code of software is not required to be transferred or accessed.”
Link: TPP Ministerial Summary (MFAT)
Credit ratings agency Standard & Poor’s has recently signalled that “cybersecurity as an emerging threat … has the potential to pose a higher risk to financial institutions in the future, and possibly result in [credit] downgrades.”
The ratings agency has gone so far as to say that if a bank or other financial institution is ill-prepared to withstand an IT security breach, it could be downgraded even without suffering an actual attack. And (more conventionally) a downgrade may also be warranted after a breach, if the breach causes significant reputational issues with the potential to result in a major loss of customers, or if the financial or legal losses significantly affect the bank’s balance sheet.
With that in mind, Standard & Poor’s notes that it has begun to ask a range of questions regarding financial institutions’ preparedness against IT security breaches, including:
- Do you have a robust, well-documented program to monitor IT security risks?
- Does the financial institution have any third-party vendor oversight? If so, what kind and how much?
- How long has it typically taken to detect an attack?
- What containment procedures are in place if the financial institution is breached?
- Are emergency scenarios test-run?
- What software or other techniques are used to monitor attacks?
- What kind of expertise about IT security exists on the board of directors?
- How much does the financial institution spend on IT security, and what resources does it devote? What is the total tech budget this year versus last?
- Does the financial institution have any insurance to compensate for an IT security breach?
Link: Standard & Poor’s article