7-11 May 2016

Biometrics

US – Federal Judge Says Facebook Photo-Tagging Suit Can Continue

A San Francisco federal judge is allowing a case against Facebook’s facial recognition, photo-tagging feature to proceed. Plaintiffs have argued the feature violates users’ privacy, as the facial recognition technology goes against Illinois’ Biometric Information Privacy Act, which requires companies to obtain explicit consent from users before gathering biometric data. While Facebook argued the feature is covered in its terms of service, and that the suit should be dismissed, U.S. District Judge James Donato disagreed. “Trying to cabin this purpose within a specific in-person data collection technique has no support in the words and structure of the statute, and is antithetical to its broad purpose of protecting privacy in the face of emerging biometric technology,” Donato wrote in his ruling. [USA Today] See also: [Facial-recognition tech used for anti-theft initiatives] and [Italy’s Data Protection Authority has mandated that Facebook disclose details of an instance of trolling in a case where the user claims the social network responded unsatisfactorily, International Business Times reports]

EU – EU Proposes Minority Report-Style Facial Recognition for Refugees 

In its attempts to bring the refugee crisis to heel, the European Commission wants to expand its fingerprint database, introduce facial recognition software, store the information for even longer than before and include minors in the process. The EU is planning wholesale changes to the bloc’s asylum law. In addition to a “fairer” distribution system for refugees and an extension of border controls within the Schengen area, the Eurodac fingerprint database, which is currently used to identify asylum seekers and irregular migrants, is to be enlarged. The system is set to be supplemented with facial recognition software and personal data will be stored for a longer period of time, with the aim of ensuring that irregular migrants stay on the authorities’ radar; the information of underage refugees will also be kept. The upgrade will cost some €30 million. [Source]

US – Illinois Anger Over Elementary School Student Thumbprint Scanner

Privacy advocates are concerned about what looks to them like Big Brother overreach in an Illinois elementary school. The Harrison Street Elementary School in Geneva has installed a new thumbprint scanner for students to pay for their meals and keep track of their accounts. The thumb scanners replaced another biometric device by PushCoin Inc. that the school used last year. These types of devices are growing in popularity and other districts are looking to implement the scanners. But not everyone thinks they are a good idea. Parents are able to opt out and use a card if they want to. [Source] [Daily Herald]

Canada

CA – OIPC SK Releases Guidance Regarding Access to Personal Information of a Child Under the Age of 18

The Office of the Saskatchewan Information and Privacy Commissioner has released guidance relating to obtaining personal information of a child under the age of 18 years; included is a list of common questions and responses. Unless otherwise ordered by a Court or a custodial agreement, the Children’s Law Act, FOIP, LA FOIP and HIPA confer the right or power of a legal custodian to request access to personal information of a child under the age of 18; trustees need to exercise discretion when determining if the disclosure is reasonable or will constitute an invasion of the child’s privacy, such as when the child expresses that they don’t want a parent to know or if the information is highly sensitive. [Office of the Saskatchewan Information and Privacy Commissioner – Who Signs for a Child?]

Consumer

NZ – Privacy Commissioner Survey Finds Privacy a Major Concern

New Zealanders are becoming increasingly worried about their privacy, according to a new survey. In the new UMR public opinion survey, commissioned by the Privacy Commissioner, 46% of the 751 people questioned said they were growing more worried about individual privacy, and their online information in particular. That is especially the case for young people and those with a university education. Privacy Commissioner John Edwards said there was a high level of concern about identity theft as well as financial and health information. About 80% of those surveyed were worried about identity theft and their credit card and banking details being stolen. Nearly all respondents – 87% – were concerned about the personal information children upload to the internet. The survey also found that 62% felt personal data should not be shared between government organisations, as the risk to people’s privacy and security outweighed the benefits. But they were more open to data sharing when safeguards were put in place, with a small majority willing to share data as long as they could opt out if they chose, or if there were strict controls on who could access the data and how it was used. [Source] [Survey]

WW – Snowden’s Surveillance Leaks Made People Less Likely to Read About Surveillance

A new Oxford University study has published empirical evidence showing that government mass surveillance programs like those exposed by Edward Snowden make us significantly less likely to read about surveillance and other national security-related topics online. The study looks at Wikipedia traffic before and after Snowden’s surveillance revelations to offer some new insight into the phenomenon of “chilling effects,” which privacy advocates frequently cite as a damaging consequence of unchecked government surveillance. What it found is that traffic on “privacy-sensitive” articles dropped significantly following what author Jon Penney describes as an “exogenous shock” caused by revelations of the NSA’s mass surveillance programs and the resulting media coverage. The articles were chosen based on keywords from a list of terms flagged by the Department of Homeland Security, used for monitoring social media for terrorism and “suspicious” activity. For example, Wikipedia articles containing the 48 terrorism-related terms the DHS identified—including “al-Qaeda,” “carbomb” and “Taliban”—saw their traffic drop by 20%. The results also mirror a similar MIT study from last year which found that users were less likely to run Google searches containing privacy and national security-related terms that might make them suspicious in the eyes of the government. Perhaps even more alarmingly, the study seems to show a long-term drop in article views on these topics that lasts well past the initial shock of Snowden’s revelations, suggesting that people’s calculations about what to read on Wikipedia may have been permanently affected. [Source]

Encryption

US – Former Officer Is Jailed Months Without Charges, Over Encrypted Drives  

A former police sergeant has been held without charges in a federal detention cell in Philadelphia, part of an effort by the authorities to pressure him to decrypt two computer hard drives believed to contain child pornography. The case reveals yet another battle line for law enforcement and digital privacy advocates over encryption, this time on an Apple computer, not an iPhone. The sergeant, Francis Rawls, was ordered by a federal court last August to hand over the two hard drives, which were seized from his home because they were suspected to contain the illegal pornography. When he refused to decrypt the drives, claiming he could not remember the passwords, he was taken into custody, and this week he started his eighth month in a federal detention center, all without ever being charged with a crime. Mr. Rawls’s case is the latest in a growing number of legal battles over digital privacy in the United States. The challenges are playing out in courts across the country, propelling a national debate over when the government can compel individuals or companies to disclose codes or passwords giving access to private data. “Not only is he presently being held without charges, but he has never in his life been charged with a crime,” Keith M. Donoghue, his federal public defender, wrote in a motion last week seeking his client’s release. [Source]

EU Developments

EU – GDPR, Directive 2016/680, PNR Officially Published

It’s finally final for three separate pieces of privacy legislation in the EU. On 4 May, the Official Journal of the European Union published the texts of the General Data Protection Regulation, officially Regulation 2016/679; Directive 2016/680, governing the handling of data in law enforcement situations; and the Passenger Name Record Directive, officially Directive 2016/681. This creates something of a countdown clock for privacy professionals. As the GDPR goes into effect two years and 20 days following its publication in the Official Journal, 25 May 2018 takes on new portent. [Lex-Europea] See also: [The European Parliament is struggling to set a date for a plenary vote on the EU-U.S. Privacy Shield] [The US Supreme Court has updated Rule 41, allowing federal judges to issue warrants for computers outside of their jurisdiction, potentially threatening the EU-U.S. Privacy Shield.]

UK – Employers Vicariously Liable for Data Breaches Caused by Rogue Employees

In April 2016, the High Court of England and Wales issued its judgment in Axon v Ministry of Defence [2016] EWHC 787 (QB). The court emphasised (albeit obiter) the fact that employers can be liable for data breaches caused by rogue employees (in the present case, an employee who had passed on certain information to journalists without the permission of her employer). The impact of this decision on employers is potentially significant, and it serves as another reminder to employers to implement proper data protection processes and procedures, and to ensure that employees receive appropriate training on these issues. [Source] [PDF]

EU – CJEU to Rule on Test Data Case

The Supreme Court of Ireland has referred to the Court of Justice of the European Union to decide whether a man’s accounting exam is considered personal data under the Data Protection Act. After being denied access to his test by both his school and the Data Protection Commissioner, plaintiff Peter Nowak argued in the Circuit Court and then appealed to the High Court that his handwritten test qualified as biometric, and therefore personal data, the report states. He further argued that as exam results are “considered personal,” the test and exam comments ought to be too. [Independent]

Facts & Stats

WW – UNCTAD Publishes Report on Data Flows, International Trade

Late last month, the United Nations Conference on Trade and Development released a new study on privacy law, trans-border data flow and their implications for international trade and development. The in-depth and substantive report also places a focus on developing nations. “The study reviews the current landscape and analyzes possible options for making data protection policies internationally more compatible,” the report states. Contributors to the report include international organizations, government bodies, the private sector and civil society. “The findings of the study should help to inform the much needed multi-stakeholder dialogue on how to enhance international compatibility in the protection of data and privacy,” the report adds. [UNCTAD]

FOI

CA – BC Makes Changes to Freedom of Information Law

B.C. cabinet’s travel receipts, calendars to automatically be made public: Finance Minister Mike de Jong has issued a rare order under B.C.’s Freedom of Information law to ensure that travel receipts and daily calendars for cabinet ministers and their senior officials are automatically made public. The change was part of a series of directives issued by Mr. de Jong to respond to criticism that his government has deliberately thwarted the release of information to the public through the practice of triple-deleting e-mails within government and relying on oral reports to avoid the creation of documents that could be accessed. Vincent Gogolek, executive director of the BC FIPA, said Mr. de Jong’s changes are both minimal and long overdue. “They are not doing nothing, but they are doing the least possible.” Mr. Gogolek predicted one of Mr. de Jong’s new initiatives will be counterproductive. Starting this month, the government will publish all active access-to-information (FOI) requests, a measure that Mr. de Jong said will provide more transparency on government response times. However, Mr. Gogolek said the change could discourage access requests. “This is exposing FOI requesters. The privacy commissioner has asked for anonymity for those making information requests, and this seems to be going in the opposite direction.” [Source]

CA – B.C. Privacy Commissioner Mainly Positive Toward New FOI Policies

British Columbia’s Information and Privacy Commissioner is praising the province’s expansion of its Access-to-Information policies, but she’s also concerned about the potential “unintended consequences” of a decision to post information requests as they are received. Elizabeth Denham issued a statement on Tuesday that offered a largely positive assessment of the changes, which were announced a day earlier, but singled out the disclosure of Freedom-of-Information (FOI) requests as a potential concern. “I wish to examine all possible implications, including any unintended consequences, of publicly disclosing a description of an applicant’s request for records before they have received those records,” Ms. Denham said in her statement. [Source]

CA – OIPC BC Finds Ministry Properly Withheld Information Relating to Tolling Framework

The OIPC BC reconsidered Order F14-20, pursuant to a court order, where the Ministry of Transportation and Infrastructure refused to disclose information requested under the Freedom of Information and Protection of Privacy Act. Disclosure of the information would reveal the substance of the Ministry’s deliberations because it contained financial implications of the framework, and a presentation that formed the basis of the Priorities and Planning Committee’s deliberations; although the decision to impose a toll was made public and implemented, the information should not be disclosed because it related directly to the issues the Committee considered. OIPC BC – Order F16-22 – Ministry of Transportation and Infrastructure [Re-consideration Order – F16-22] [Original Order – F14-20]

US – ODNI Releases Documents as Part of FOIA Pilot Program

The US Office of the Director of National Intelligence released several documents as part of a pilot program with the Freedom of Information Act. The ODNI is one of seven federal agencies contributing to the program, with the goal of making FOIA record requests available to the public. During the program, the ODNI will announce the release of “proactive disclosures.” Among the first documents released are “Unlocking the Secrets: How to Use the Intelligence Community” and “Semiannual Report to the Director of National Intelligence – Office of the Inspector General of the Intelligence Community.” [Full Story]

Genetics

CA – Looking for an ‘Internet of DNA’

The Star reports on calls by some researchers to create an “Internet of DNA” to help treat rare genetic diseases and psychological disorders. “If we’re looking to 2025, I see a kind of World Wide Web for health, a true Internet for health, which doesn’t exist today,” said Dr. Tom Hudson, a genomics researcher and president of the Ontario Institute for Cancer Research. “We are transforming a lot of information into digital bits and that information is huge,” he added. Such a DNA network could transform medicine and how diseases are cured, researchers argue. Currently, valuable medical data is contained in silos, “while legal, technical and cultural barriers prevent scientists from easily sharing their data troves,” the report states. “If nothing is done, there is a risk that balkanized systems will soon become established,” the Global Alliance’s website points out. [Full Story]

Health / Medical

CA – Northern Canadian Hospital Confirms Staff Wrongly Accessed Patient Records

Security experts emphasize that organizations have to limit access to databases with sensitive information. However, they also have to carefully design information systems themselves so sensitive data doesn’t appear on screens that users otherwise have legitimate reasons to see. That appears to have failed at a health authority in Canada’s far north, which confirmed that employees inappropriately accessed patient health records through an online scheduling system in what appears to be a case of employee snooping. CBC News reported that some staff of the Beaufort-Delta Health and Social Services Authority, which serves 6,700 residents of the Beaufort Delta Region in the Northwest Territories including the Inuvik Regional Hospital, have been disciplined for wrongly accessing records of 67 patients. The information “had been inappropriately accessed by staff outside a legitimate scope of duties,” Arlene Jorgensen, CEO of the Inuvik Health Authority, was quoted as saying. The institution’s scheduling system includes expected information such as appointment times and check-out dates. But it also lists the reason patients were at the hospital. Several staff members who had accessed this information did not need it to do their jobs, according to the health authority. The authority emphasized that detailed information, such as diagnoses, was not accessed during the breach. [Source]

CA – Ontario Appeals Board Finds Regulatory Committee Failed to Adequately Investigate Complaint Alleging Physician Inappropriately Accessed Patient Files

The Board reviewed the decision of the Inquiries, Complaints and Reports Committee of the College of Physicians and Surgeons regarding a complaint made against a physician. The regulatory committee failed to properly examine whether the access took place after the physician left a clinic, may have improperly concluded that the access was due to the nature of the filing system (computer logs may support a different conclusion), and failed to consider that the alleged breach is a serious matter under PHIPA; mandatory further investigation should include direct questioning of the physician, examining how the electronic filing system operates, and determining what system access is allowed to a non-treating professional. [F.J.S., MD v. S.S.E., MD – 2016 CanLII (ON HPHARB) – Health Professions Appeal and Review Board]
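The log review the Board calls for, and the scheduling-system pattern in the Beaufort-Delta item above, can be made concrete. As an added example that is not code from any authority or regulator named in these items, this runs two checks over a constructed record-access log: a role reading a field it does not need for its job, and an account still reading records after its holder’s departure date. The log format, role-to-field policy, user names and dates are all assumptions.

```python
"""Flag suspicious patient-record access in a constructed audit log.

Assumed (constructed) log format: one CSV row per field read,
    timestamp,user,role,patient_id,field
Two checks are applied, matching the two items above:
  1. field_outside_role     - the role does not need that field (least privilege)
  2. access_after_departure - the account read records after its holder left
"""
import csv
from datetime import date, datetime
from io import StringIO

# Fields each role legitimately needs: a constructed least-privilege policy.
ROLE_FIELDS = {
    "scheduler": {"appointment_time", "checkout_date"},
    "nurse": {"appointment_time", "checkout_date", "visit_reason"},
    "physician": {"appointment_time", "checkout_date", "visit_reason", "diagnosis"},
}

# Accounts whose holders have left, with the departure date (constructed).
DEPARTED = {"drlee": date(2016, 3, 31)}

# Constructed sample log; the second and third rows are the ones that should fire.
SAMPLE_LOG = """\
timestamp,user,role,patient_id,field
2016-04-02T09:14:00,jsmith,scheduler,P1001,appointment_time
2016-04-02T09:15:10,jsmith,scheduler,P1001,visit_reason
2016-04-03T13:02:45,drlee,physician,P2044,diagnosis
2016-04-04T08:50:00,rnguyen,nurse,P3100,visit_reason
2016-03-15T10:00:00,drlee,physician,P2044,visit_reason
"""


def parse_log(text):
    """Parse the CSV log into dicts with a real datetime in 'timestamp'."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def find_suspicious(rows, role_fields=ROLE_FIELDS, departed=DEPARTED):
    """Return (user, patient_id, finding, field) tuples in log order."""
    findings = []
    for r in rows:
        allowed = role_fields.get(r["role"], set())  # unknown role => nothing allowed
        if r["field"] not in allowed:
            findings.append((r["user"], r["patient_id"], "field_outside_role", r["field"]))
        left = departed.get(r["user"])
        if left is not None and r["timestamp"].date() > left:
            findings.append((r["user"], r["patient_id"], "access_after_departure", r["field"]))
    return findings


def summarize(findings):
    """Count findings per user so a reviewer knows whom to question first."""
    counts = {}
    for user, _patient, _finding, _field in findings:
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    results = find_suspicious(parse_log(SAMPLE_LOG))
    for finding in results:
        print(finding)
    print(summarize(results))
```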

CA – Ontario Appeal Board Upholds Verbal Caution to Pharmacist Regarding Confidentiality

The Health Professions Appeal and Review Board reviewed an investigation of the Inquiries, Complaints and Reports Committee of the Ontario College of Pharmacists into a pharmacist’s solicitation of new business. The pharmacist obtained patient information from his previous employer and used it to establish clientele for his new business; the Committee found that this active solicitation of business was inappropriate, and warned the pharmacist that he must maintain patient confidentiality, not use patient information for improper purposes, demonstrate professionalism and ethical principles, and respect patients’ right of self-determination. [J.J. v G.C., 2016 CanLII 21553 (ON HPARB) – File#15-CRV-0181]

US – OCR Cautions Hospitals to Prepare for Breaches at Business Associates

With many healthcare organizations questioning their data security arrangements with business partners, the Office of Civil Rights (OCR) of the Department of Health and Human Services sent out an alert suggesting steps to mitigate damage from breaches resulting from those associations. The alert OCR sent last week said that following the 2015 hack of the U.S. Office of Personnel Management (OPM), many healthcare organizations believe the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) have not stopped breaches and have not allayed their fears. “Not only do a large percentage of HIPAA covered entities believe they will not be notified of security breaches or cyberattacks by their HIPAA business associates, they also think it is difficult to manage security incidents involving business associates, and impossible to determine if data safeguards and security policies and procedures at their business associates are adequate to respond effectively to a data breach,” the alert said. As a result, HIPAA-covered organizations and their HIPAA business associates should consider how they will confront a breach at their business associates or subcontractors. [Source] See also: [Ontario’s legislature has passed the Health Information Protection Act in its third reading. The act aims to improve privacy, accountability and transparency in health care, according to a news release]

US – Brookings Calls Out OCR on HIPAA Audits, Offers Security Tips for Healthcare Organizations  

With the healthcare industry suddenly accounting for nearly 25% of all data breaches, a new study from The Brookings Institution suggests some new cybersecurity strategies are needed. Niam Yaraghi, a Brookings fellow, conducted in-depth interviews with 22 healthcare organizations – providers, payers and business associates – that had each experienced at least one data breach. He found some things in common across them, and some differences. But his biggest takeaway was that guidance and enforcement from the federal government isn’t doing enough to keep patient data safe, and that a more concerted private-sector strategy is needed to help ensure security best practices. In his report, “Hackers, phishers, and disappearing thumb drives: Lessons learned from major healthcare data breaches,” Yaraghi offered a series of suggestions for both the HHS Office of Civil Rights and those working in the healthcare trenches. [Source] See also: [Status report: OCR’s effort to guide HIPAA compliance in mobile health] [Earlier HIPAA Audits Help Healthcare Data Breach Prevention]

Horror Stories

CA – Two Convicted of Snooping on Rob Ford

An Ontario court has convicted two health care workers for unauthorized access to the late mayor Rob Ford’s medical records, the first such conviction under the province’s health privacy law. Both workers pleaded guilty under PHIPA to “willfully collecting, using or disclosing personal health information,” the report states. The former employees have also each been fined $2,505 for the incident. There is no evidence the workers shared the health records they accessed. [The Star] See also: [College of Nurses of Ontario disciplines nurse who snooped into patient records: Mandy Gayle Edgerton – Results of Past Hearings – College of Nurses of Ontario] [Toronto Star]

UK – London HIV Clinic Fined £180,000 for ‘Serious’ Data Breach

A London HIV clinic that leaked data on 781 of its patients has been fined £180,000. 56 Dean Street, based in London’s Soho, sent an email newsletter with all patient email addresses in the ‘To’ field, rather than the ‘Bcc’ field. The email addresses allowed for the identification of the patients – 730 of the 781 contained people’s full names – and constituted a “serious breach” of data protection rules, the Information Commissioner’s Office (ICO) said. The Option E newsletter was intended for people using the clinic’s sexual health services and gave general details for treatment and support. The ICO said the breach was “likely to have caused substantial distress” to those who were included on the list. Under data protection rules, information about a person’s health or sexual life is deemed sensitive, and the ICO issued the monetary penalty after an investigation. “It is clear that this breach caused a great deal of upset to the people affected,” Information Commissioner Chris Graham said in a statement. “We recalled/deleted the email as soon as we realised what happened. If it is still in your inbox please [...]” The NHS Trust can appeal the decision but if it decides to pay the fine before June 2 it will be reduced to £144,000. Medical director and Caldicott guardian Zoe Penn, from the clinic, said that it “fully accept[s]” the decision of the ICO and that the organisation had made changes to its procedures. [Source]
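The failure described above is a header mistake that a send-path check can catch before the message leaves. As an added example (not the clinic’s or the ICO’s code), this builds a bulk message with subscribers only in Bcc, shows the unsafe variant beside it, and refuses to send when the visible To/Cc headers name anyone but the sender. The addresses are constructed placeholders.

```python
"""Keep mailing-list addresses out of To/Cc, and refuse to send if they leak.

Bcc is stripped by the sending MTA; To and Cc are delivered to everyone, so
a bulk message must never carry the subscriber list in those two headers.
"""
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "newsletter@clinic.example"  # constructed placeholder
SUBSCRIBERS = [                        # constructed placeholders
    "a.patient@example.org",
    "b.patient@example.org",
    "c.patient@example.org",
]


def build_newsletter(sender, subscribers, subject, body):
    """Hardened form: subscribers go in Bcc, so no recipient sees the list."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # the only visible recipient is the sending mailbox
    msg["Bcc"] = ", ".join(subscribers)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_newsletter_unsafe(sender, subscribers, subject, body):
    """The mistake in the item above: the whole list lands in the To header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(subscribers)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses every recipient can read: To and Cc. Bcc is deliberately excluded."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses([str(h) for h in headers]) if addr]


def safe_to_send(msg, sender):
    """Bulk mail may expose only the sender; any other visible address blocks sending."""
    exposed = [a for a in visible_recipients(msg) if a.lower() != sender.lower()]
    return not exposed


if __name__ == "__main__":
    for builder in (build_newsletter, build_newsletter_unsafe):
        m = builder(SENDER, SUBSCRIBERS, "Option E newsletter", "Service update.")
        print(builder.__name__, "visible:", visible_recipients(m), "ok:", safe_to_send(m, SENDER))
```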

Internet / WWW

WW – Twitter Bans US Spying Agencies from Terrorism Early Alert Service

In the growing fury over terrorism, surveillance and privacy, Twitter has shoved the US government further away by closing down US spy agencies’ access to a data-mining service that spots terror attacks. The company hadn’t announced the news as of Monday morning. Rather, a senior official in the intelligence community, along with others privy to the matter, told the Wall Street Journal about it. The service in question is Dataminr: a real-time information discovery service that analyzes the output of Twitter’s firehose of real-time public tweets, geolocation data, traffic data, news wires and other data streams, to turn up breaking news such as natural disasters, political unrest and terror attacks. [Source]

Law Enforcement

US – Digital Rights Group Challenges Legality of ‘Thematic Warrants’

Privacy International has filed a judicial review challenging a decision regarding the sanctioned use of “thematic warrants.” The digital rights group sent the review to the U.K. High Court, appealing an earlier decision by an oversight tribunal of the security agencies in the U.K. over the use of the warrants. Privacy International is arguing the legality of the “thematic warrants” — orders giving the government major invasive investigatory powers covering wide classes of people and property. The group first challenged the use of the warrants in 2014, saying they violate Articles 8 and 10 of the European Convention on Human Rights. In related news, the Guardian reports on another privacy advocacy group using an interesting face to don on their campaign against the Investigatory Powers Bill: North Korean leader Kim Jong-un. [TechCrunch]

US – New Hampshire State Claims that Secret Recording of Police Is a Crime

New Hampshire outlaws recording conversations when any party to the conversation “has a reasonable expectation that the communication is not subject to interception, under circumstances justifying such expectation,” thus requiring the knowledge of all parties before such a conversation can be recorded. Most states require only “one-party consent,” under which you can record a conversation to which you are a party, because you consent to the recording, even if the others don’t. But some states — including New Hampshire — require “all-party consent,” or at least all-party knowledge, that the conversation is being recorded. And New Hampshire authorities read this as applying even when someone is recording his conversation with the police. Indeed, Alfredo Valentin is under indictment for recording such a conversation, between himself and the police officers who were searching his home. The U.S. Court of Appeals for the 1st Circuit, which is in charge of cases from New Hampshire, has held (Glik v. Cunniffe) that a similar Massachusetts law violates the First Amendment; but that case involved someone openly recording the police, and the court stressed that fact in the Fourth Amendment portion of the Glik opinion. New Hampshire authorities appear to take the view that secret recording of the police can be banned, even if open recording cannot be. [Source] See also: [New Jersey Governor Chris Christie has approved a bill making it illegal to surreptitiously record or photograph a person’s undergarments.]

Privacy (US)

US – FTC and FCC Join Forces to Examine Mobile Security

The FTC and the FCC are working together to examine the current state of mobile security. The FTC is issuing orders to eight mobile device manufacturers, requiring them to give the agency information on their procedures for issuing security updates to remedy device vulnerabilities. The companies receiving orders include Apple, Google, Microsoft and Samsung. The eight companies must provide details such as “the factors that they consider in deciding whether to patch a vulnerability on a particular mobile device” and “detailed data on the specific mobile devices they have offered for sale to consumers since August 2013.” The FCC issued a press release announcing its cooperation with the FTC and said it will send letters to mobile companies asking how they evaluate and deliver security updates. [FTC] See also: [The Senate Judiciary Committee’s subcommittee on Privacy, Technology and the Law will host a May 11 hearing on the Federal Communications Commission’s proposed privacy rules] and [The New Privacy Cop Patrolling the Internet: and it’s armed with new data-privacy rules]

US – Neopets, Global Email Addresses Among this Week’s Biggest Breaches

A dataset from JumpStart’s online game Neopets was posted online, with Motherboard reporting that the number of customers affected allegedly numbered more than 70 million. The information compromised varied from customer to customer, but no credit card or home addresses were breached, said JumpStart’s Jim Czulewicz. While the dataset appeared to be dated before JumpStart acquired Neopets in 2014, the company planned to alert customers regardless. Independent.ie reports that out of the recent global breach of more than 272.3 million email accounts, an estimated 42,000 accounts are Irish. [NextGov]

US – Lyft, Uber Among EFF Data-Sharing Report Top Scorers

The Electronic Frontier Foundation awarded Uber and Lyft perfect scores in the group’s sharing economy data protection study. When grading organizations, the EFF considered whether they published transparency reports and whether companies required government agencies to provide a warrant before they shared user data, the report states. “Consumers should be able to understand their privacy rights by reading the policies of the companies that hold their data,” EFF’s study states. [Fortune]

WW – Bark Helps Parents Keep Kids Safe Online Without Invading Their Privacy

Launching today at TechCrunch Disrupt NY 2016 is a new service called Bark, aimed at parents who want to keep their kids safe online. Unlike traditional “parental control” software or net nanny-type watchdog applications, Bark’s goal is to strike the correct balance between respecting a child’s right to privacy and protecting them from online predators and cyberbullying, while also looking out for issues like sexting or mental health concerns. To use the service, parents sign up online at the Bark website, add their kids, then work with the children to connect their social accounts. Once set up and configured, Bark uses machine learning techniques to look for incidents of dangerous activity, whether that’s cyberbullying, sexting, a child interacting with an older stranger who could be grooming them (as online predators do) or even signals that the child could be experiencing a mental health concern like depression or suicidal thoughts. When Bark finds something questionable, it sends an alert to the parent that not only contains the relevant conversation, when and where it took place, but also recommended ways of handling the issue appropriately. Bark competes with a handful of other solutions, including VISR, more traditional software programs and cyberbullying-specific solutions like ReThink or STOPit. [Source]

Security

WW – Stop Resetting Your Passwords, Says UK Govt’s Spy Network

The UK government has, on World Password Day, repeated its advice against the common security practice of routinely changing passwords. “In 2015, we explicitly advised against [the practice],” a post by GCHQ’s Communications-Electronics Security Group (CESG) notes. “This article explains why we made this unexpected recommendation, and why we think it’s the right way forward.” As tech advice goes, this is one that people will actually want to hear, and the CESG has put out a 16-page document called “Simplifying Your Approach” that explains what you should do to get your information secure without driving your users crazy. Those in favor of automatically and regularly resetting passwords believe it makes historical password information useless; it forces users to periodically think about security; it increases the likelihood that people will use a password they do not use for other services; and it creates more of a moving target for potential hackers. “The problem is that this doesn’t take into account the inconvenience to users – the ‘usability costs’ – of forcing users to frequently change their passwords. The majority of password policies force us to use passwords that we find hard to remember.” The problem is our rubbish brains: “While we can manage this for a handful of passwords, we can’t do this for the dozens of passwords we now use in our online lives.” The result, according to CESG, is that we are more likely to write our password down. Or forget the password altogether, forcing service desks to reset them, chewing up time and resources. As a result, CESG “now recommend organisations do not force regular password expiry.” Instead, it says, companies should introduce system monitoring tools such as showing a user the last time they logged in to flag if someone else is using their account. [Source] See also: [Don’t do it! 5 ways to upgrade your passwords this PasswordDay]

WW – Security Defenses Improving at Many Firms, Study Reveals 

Many organizations have made significant improvements in IT security preparedness and effectiveness, taking steps to improve their security posture, according to new research from SolarWinds, a provider of IT management software. The company’s survey of IT professionals in North America showed that more than half (55%) said their organizations did not experience any security breaches in 2015. About 30% said they had experienced a breach. Half of the respondents said their organizations were less vulnerable than they were a year ago, compared with 12% who said they are more vulnerable. “The most surprising finding of the survey is just how many organizations are less vulnerable today than they were a year ago, and, on a related note, how many have implemented security technologies and better security training,” said SolarWinds. [2016 IT Security Survey, North America] [Source] See also: [Microsoft has published the 20th edition of its Security Intelligence Report covering the period July 2015 to December 2015]

Surveillance

US – Justice Department Building Wearable Camera Catalog for Police

The Justice Department is crafting a catalog to assist police departments buying wearable cameras, including information on the devices’ privacy capabilities. Fears surrounding hackers infiltrating body cameras will be addressed in the catalog, with data protection and privacy controls among the characteristics listed in the guide. Each device will have five areas of information to properly inform departments of what they are purchasing, covering vendor, camera, video storage software, ease of use, and installation. Included within those five categories are details on facial recognition, “privacy masking” to blur out certain images and protect personal privacy, and encryption features to protect data from cyberattacks. Sheila Jerusalem, a spokeswoman for the Justice Department’s National Institute of Justice, said the organization wants the guide available by December 2016. [Nextgov]

US Legislation

US – California Bill Would Dictate What Happens to Digital Footprint Post-Death

A new California bill could set a national precedent for the handling of an individual’s digital footprint after they pass away, Fusion reports. The Revised Uniform Fiduciary Access to Digital Assets Act would create rules for how companies can share a deceased person’s digital records. The rules first defer to the late party’s directions for how those records would be handled, then look toward a will. If no instructions have been left, all decisions will be made by the site’s terms of service. Despite revisions being made to the bill, privacy advocates are still concerned. “Is it possible that they might make mistakes both by releasing too much information or releasing it to the wrong person?” said Kevin Baker, legislative director for the ACLU of Northern California. “We think the history of the treatment of digital records shows that there likely will be mistakes.” [Full Story]

+++
