OPM Data Breach Fallout, Fingerprints, and Other Privacy + Security Updates

Daniel Solove
Founder of TeachPrivacy

OPM Fallout

By Daniel J. Solove

Co-authored by Professor Paul Schwartz

This post is part of a post series where we round up some of the interesting news and resources we’re finding. For a PDF version of this post, and for archived issues of previous posts, click here. We cover health issues in a separate post.

general devels

News

Mayer Brown survey of executives: 25% of organizations lack both a CPO and CIO (March 2015)

stats

Mayer Brown survey of executives: 49% don’t know if they have a written data protection plan (March 2015)

Mayer Brown survey of executives: 63% say that breach of confidential PII is biggest threat to the company; only 9% say theft of trade secrets (March 2015)

pie chart

Daniel J. Solove, Boards of Directors Must Grapple with Privacy and Cybersecurity (June 2015)
“[N]ot enough boards are adequately engaged with these issues. According to a survey last year, 58% of members of boards of directors believed that they should be actively involved in cyber security. But only 14% of them stated that they were actively involved.”

Frameworks

NIST Draft Privacy Risk Management Framework (2015)
A session at the Privacy+Security Forum will focus on this framework

The Privacy and Security Profession

Women in security make 30% more than men but only 14% of security professionals such as CISOs are women (June 2015)

 Shortage of security pros worsens (June 2015)

Daniel J. Solove, Security Professionals in High Demand (July 2015)
Salaries are rapidly increasing for security professionals

chart

TRUSTe’s Privacy Ecosystem Map (June 2015)

TRUSTe

Conferences

Privacy + Security Forum (October 21-23, 2015 in Washington, DC)
— Sessions with rigor and practical takeaways.
100+ speakers
— Organized by Daniel Solove and Paul Schwartz
PDF conference brochure with full speaker lineup + session descriptions
— CLE and CPE credit available

Symposium On Usable Privacy and Security (July 22-24, 2015 in Ottawa, Canada)
Brings together “an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy.”

Cornell University’s Internet Culture, Policy and Law ICPL Conference (Sept. 15-17 in Ithaca, NY)
— Celebrating its 20th anniversary as the oldest running program of its kind
— Speakers include Anne Kenney, Cliff Lynch, Margie Hodges-Shaw, Steve Worona, Robert Post, Bob Hamilton, Steve McDonald, David Sherry, Anne Manning, Doug Lederman, Dipayan Ghosh.
— Full schedule is here.

privacy and the media

Revenge Porn

Google will honor requests to remove revenge porn from search results (June 2015)
Google: “we’ll honor requests from people to remove nude or sexually explicit images shared without their consent from Google Search results.”

IAPP, Revenge Porn: A Serious Issue Is Finally Being Taken Seriously (June 2015)

Mary Ann Franks, How to Defeat ‘Revenge Porn’: First, Recognize It’s About Privacy, Not Revenge) (June 2015)
— “As many as 3,000 websites feature nonconsensual pornography, and the material is also distributed through emails, text messages, social media applications, and hard copies.”
— “Nonconsensual pornography is not always about revenge, but it is always about privacy. It is for good reason that privacy laws, from trespass laws to confidentiality requirements to prohibitions against voyeurism, do not require that perpetrators be motivated by intent to harm or harass the victim. The knowing violation of privacy is the substance of the harm.”

Danielle Citron on HBO’s Last Week Tonight with John Oliver: Online Harassment (June 2015)

BBC lists its stories that Google removed from search results to comply with the EU right to be forgotten (June 2015)

Kashmir Hill’s coverage of Hulk Hogan’s $100 million lawsuit against Gawker for publicizing his sex tape (June 2016)
— Hill’s earlier story with additional background

priv and law enforcement

Fourth Amendment

City of Los Angeles v. Patel — Supreme Court strikes down L.A. law permitting police to check guest registries at motels and hotels at any hour (June 2015)

SCOTUS opinion

“Nothing to Hide” Argument

Edward Snowden on the Nothing to Hide Argument (June 2015)
— Edward Snowden: “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”
— For Daniel Solove’s critique of the Nothing to Hide Argument, see his book: Nothing to Hide: The False Tradeoff Between Privacy and Security
.

nothing to hide

MIT security experts: Government backdoor access to encrypted info is a very bad idea (July 2015)
— Report is called Keys Under Doormats: Mandating Insecurity by Requiring Government Access to all Data and Communications
— Experts include Harold Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Michael Specter, and Daniel J. Weitzner
— According to the report, proposals for government backdoor access “are unworkable in practice, raise enormous legal and ethical questions, and would undo progress on security at a time when Internet vulnerabilities are causing extreme economic harm.”

Court Records

Judge unsealed Cosby records b/c Cosby’s holding himself out as a “public moralist” lessened his privacy rights (July 2015)
— Responding to a request by the Associated Press, federal Judge Eduardo Robreno unsealed a 2005 deposition of Bill Cosby in a civil case brought by Andrea Constand
— In the deposition, Cosby admitted to drugging women before having sex with them.
— Judge: “He has voluntarily narrowed the zone of privacy that he is entitled to claim.”
— Judge: “By joining the debate about the merits of the allegations against him, he has further diminished his entitlement to a claim of privacy.”

OPM Data Breach

See the Data Security section for links about the breach.

PCI

 Jon Neiditz on the new chipped payment cards and the payment liability shift (July 2015)
As of October 1, all merchants in the United States will be liable for losses and expenses resulting from credit and debit card fraud at the point of sale if they have not upgraded their payment systems to deploy the chip card technology.”

Bankruptcy

When a company goes bankrupt with personal data (June 2015)
— Also see the commentary by Daniel Solove

FCC Enforcement

Paul Pittman on FCC’s expanding enforcement (July 2015)
— Since the revised Open Internet rules of 2010, the FCC has expanded enforcement authority to cover broadband ISPs.
— “Under this expanded authority the FCC is expected to continue to pursue enforcement actions against telecommunications service providers not only for deceptive business practices, but increasingly to enforce data privacy and security principles against telecommunications service providers that collect certain data on their customers, as illustrated by the $35M in aggregate fines issued by the FCC against TerraCom, Inc., YourTel America, Inc., and a global telecommunications company in the past year.”
— “Consumer groups are calling for the FCC’s authority to be expanded even further to those companies that offer services, products, and applications over broadband Internet service – ‘edge providers’ – such as Facebook, Google, and Amazon.”

TerraCom, Inc. and YourTel America, Inc. to Pay $3.5 Million For Failing to Protect Consumers’ Personal Information (July 2015)
— The FCC reached a settlement with TerraCom, Inc. and YourTel America, Inc., requiring the two companies to pay $3.5 million for failing to protect personal data of over 300,000 consumers.  An Enforcement Bureau investigation revealed that both organizations used a vendor that allowed consumers’ sensitive information, including Social Security numbers, driver’s licenses, names, and addresses, to be stored on unsecure servers.  Anyone with Internet access could locate this personal data.
— In addition to the civil penalty, the companies will offer free credit monitoring for all affected people and revise their practices to prevent future harm to their consumers.

OPM Breach

OPM data breach affects 21.5 million people (July 2015)
Washington Post: “U.S. officials said the breaches rank among the most potentially damaging cyber heists in U.S. government history because of the abundant detail in the files. Officials said hackers accessed not only personnel records of current and former employees but also extensive information about friends, relatives and others listed as references in applications for security clearances for some of the most sensitive jobs in government.”

Fingerprint records compromised in OPM breach (July 2015)

Daniel J. Solove, OPM Data Breach: Harm Without End (June 2015)
The law should recognize risk of future harm in data breach cases

Big risk of spear phishing attacks to follow in the wake of the OPM hack (June 2015)

Krebs on the OPM breach (June 2015)

The OPM Breach: Timeline of a Hack (June 2015)

Nuala O’Connor, Why the OPM Data Breach is Unlike Any Other (June 2015)
— “OPM didn’t have the most basic data map or a simple inventory list of its servers and databases, nor did it have an accounting of all the systems connecting to its network.”
— “Common-sense privacy and security practices don’t need to be expensive or disruptive. Many of the most successful hacks, including Anthem’s, occur for one reason: human beings. Hackers often gain access not by circumventing encryption or through cleverly designed viruses – they gain access by stealing credentials, as in the OPM breach, via laptops, or bad passwords.”
— “Information sharing is not the silver bullet of cybersecurity for commercial entities nor for the government, but common-sense security measures can make a difference:  Imposing data-retention limits, regularly reviewing and updating systems, using two-factor authentication, and providing added security for IT staff can all mitigate data breaches.”

Daniel J. Solove, Cybersecurity: Leviathan vs. Low-Hanging Fruit (June 2015)
— “Cybersecurity is a garden of mostly low-hanging fruit. “
— “The best way to protect data security is to get rid of all the humans.  Plan B is to train them.”
— “Data inventories are a key component of a privacy program — a perfect illustration of how privacy and security go hand-in-hand.  To know oneself, one must know one’s data.”

MLB St. Louis Cardinals “Hack”

Cardinals administration officials investigated for hacking into Astros computer system (June 2015)

Daniel J. Solove, Baseball’s “Hacking” Case: Are You a Hacker Too? (June 2015)

Other Data Breaches

Harvard University suffers data breach (June 2015)
Breach exposed email passwords of faculty, staff, and students

Hackers access 100,000+ tax returns via IRS website (May 2015)
— “The I.R.S. said the attackers exploited data, like email addresses and passwords gleaned from other breaches, to answer basic authentication questions about subjects like birth dates or the names of family members. After recent breaches at the health insurer Anthem and Home Depot, security experts note that users’ personal information is now widely available to hackers, who can buy it from criminal websites.
— “This is a wake-up call that breaches have a compounding effect and the stakes are getting higher,” said Eric Chiu, a security expert who is the president of HyTrust, a cloud computing security company. “Attackers are on the hunt for our personal and financial information using data stolen from other breaches to gain a larger amount of information on those same individuals.”

Data Breach Déjà vu – Heartland Payment Systems (June 2015)

FTC

FTC says it looks more favorably on companies that report data breaches than on those that don’t (June 2015)

FTC’s Start with Security: A Guide for Business (June 2015)
— 10 lessons to learn from the FTC’s 50+ data security settlements

Breach Notification Laws

Update on new forms of PII that states are adding to their breach notification laws as triggers for notification (July 2015)
Some elements being added include medical data, health insurance data, biometric data, digital or electronic signature, birth date, parent’s surname before marriage, among other things.

Wyoming’s Expanded Data Breach Notification Law (June 2015)

Conn. Gov. signs data breach security bill into law (July 2015)
— effective Oct. 1
— contractors that receive confidential information from state agencies must have a comprehensive data security program that includes ongoing employee training; confidential data cannot be stored on portable computers or devices
— health insurers must have a data security program, including training
Text of the law

Canada introduces mandatory breach notification (June 2015)

Other News

10 terrifying hacks (June 2015)

Malware attacks yield 1,425% return on investment (June 2015)

The 10 costliest cyberattacks (June 2015)

Digital Guardian’s Top 50 Info Security Blogs (June 2015)

This year, cybersecurity is the 2nd highest business risk concern. Last year, it ranked 5th. (June 2015)

Insider threats on the rise (June 2015)
— “The “Insider Threat Spotlight Report” (registration required) found that 62 percent of respondents believe that insider threats had risen in the last 12 months. However, only 34 percent expected additional budget to take measures to address the problem, and fewer than 50 percent of organizations have appropriate controls to prevent attacks from people inside the company, according to the report.”
— Seems like every data security story is the same: (1) threats are on the rise; (2) organizations are unprepared.

Law Firm Data Security

Why law firms need cyber insurance (June 2015)

Daniel J. Solove, Law Firm Cyber Security and Privacy Risks (April 2015)
Post from a few months ago about law firms and security risks

Clients demanding heightened data protection from law firms (June 2015)
— “[F]irms viewing such demands “as a differentiator when competing for business”

Reports and Studies

Customers Value Trust the Most, Says Direct Marketing Association (June 2015)
— Consumers value transparency above all else when it comes to what data brands collect, how they do so, and why.
— Only 8% of consumers believe they will obtain better benefits if they provide more data.

One in 25 malicious emails are clicked on (June 2015)
ProofPoint, The Human Factor 2015 (June 2015)
— Study finds that 4% of malicious messages are clicked on – 1 out of 25
— Of those that click a malicious email, 66% click within the first day of receiving it; 96% click within the first week.

Ceasing to rely on PII for authentication (June 2015)
“What is more disconcerting, though, is that the hackers made 200,000 attempts at getting into the system — and succeeded 100,000 times. That’s because the IRS was using a series of personal questions to authenticate identity. Unfortunately, these days, the hackers often know more of our personal details than we know ourselves — does anyone actually remember the street they lived on five moves ago?”

“In the first quarter (Q1) of 2015, McAfee Labs registered a 165% increase in new ransomware” (May 2015)

CT Supreme Ct: General and umbrella liability policies don’t cover notification costs for data breach (2015)

Troublesome password statistics and practices (June 2015)
— 73% of accounts use duplicate passwords.
— Nearly half of consumers have a password they haven’t changed in 5+ years
— “Consumers have an average of 24 online accounts, but use only 6 unique passwords.”
— “Only 30 percent of consumers are confident that their passwords will protect the security of their online accounts.”

80% of consumers worry about online security. (June 2015)

Many US consumers have had a recent data security incident or notification (June 2015)
— Within the past year, 50% of US consumers experienced a security incident
— 32% of consumers received a data breach notice last year

45% of people are concerned about their accounts being hacked (June 2015)

There are more than 1 million unique mobile malware threats (June 2015)

“2014 saw more mobile malware development in a single year than any year.” (June 2015)

Let the CISO’s head roll — Survey 1000+ folks at RSA – 38.8% say CISO to blame for a breach, CEO (24%), CIO (26%) (2015)

Daniel J. Solove, Use of Encryption Is Increasing — Albeit Slowly (June 2015)

Baker Hostetler Report on data security incidents – human error is the biggest source of mishaps (May 2015)

EducationCounsel LLC and Nelson Mullins Riley & Scarborough LLP, The Evolution of the Student Data Privacy and Security Paradigm (May 2015)
Extensive guide and recommendations for education policymakers and practitioners about privacy and security

EU data breach notification requirements are likely on the way (June 2015)

Vienna District Court Dismisses Suit Against Facebook’s Data Collection Policies (July 2015)
— Vienna District Court dismissed a class action against Facebook due to a lack of jurisdiction. Max Schrems, an Austrian privacy advocate and the leader of the lawsuit, filed in Vienna court with seven other individuals, claiming that Facebook’s terms of services and data collection policies transgressed the EU law. Soon after filing suit, 25,000 additional Facebook users joined Schrem’s class action, which sought €10 million.
— The court ruled that because Schrems used the platform for private as well as professional purposes, he did not solely have a private interest in the litigation, which is required under Austrian consumer law. Because Schrems is a data privacy campaigner, Judge Margot Slunsky-Jost found that he profited from his case against Facebook, in the sales of his book and growth of his career, and thus was not a “consumer” in the legal sense. Schrems plans to appeal the court’s decision.

British Columbia Court of Appeal rules that Facebook’s terms of service control over B.C. privacy law (June 2015)
“The court ruled that the Facebook terms [that lawsuits be filed in California] were “valid, clear, and enforceable”. It then fell to the plaintiff to demonstrate why the court should decline to enforce the forum selection clause. The court cites as a possible example evidence that the case could not be heard in the California court (which would have the effect of creating a limitation of liability for Facebook). Without such evidence, the court ruled that the Facebook terms were binding. Moreover, it rejected the argument that the B.C. Privacy Act is intended to trump valid contracts.”

Canada introduces mandatory breach notification (June 2015)

****

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics.  This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 900,000 followers.

Privacy Security Forum Ad 22Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 21-23 in Washington, DC), an event that aims to bridge the silos between privacy and security.

If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
*
 LinkedIn Influencer blog
*
 Twitter
*
 Newsletter

Please join one or more of Professor Solove’s LinkedIn Discussion Groups:
* Privacy and Data Security
*
HIPAA Privacy & Security
*
Education Privacy and Data Security