Girl Scouts Issue Cybersecurity Badges for Girls in K-12

If you have a daughter in K-12 who is in the Girl Scouts, check out the fact that they can now earn cybersecurity badges if they demonstrate a mastery of Internet security. Brilliant! What a great way to get girls interested in cybersecurity and provide them with a hot career path at the same time.

The Girl Scouts has announced that, in collaboration with Palo Alto Networks, it is now offering cybersecurity badges for youngsters in training to become white hat hackers. They can earn 18 new badges, offered at every level from Daisies to Ambassadors, which will include hackathons.

One of my missions is to get more women in cybersecurity. This is right on target.

I love this—both to encourage girls to enter a male dominated field and also to give girls tools to protect themselves online. A win-win.

Trans Union Hit with Largest FCRA Verdict to Date

Trans Union, LLC, one of the largest credit reporting agencies in the United States, has been hit with a $60 million verdict by a California jury, which is the largest verdict under the Fair Credit Reporting Act (FCRA) to date.

The class action complaint was filed in 2012 and alleged that, in preparing credit reports, Trans Union checked consumers against the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) database and mistakenly linked consumers to terrorists and criminals who shared the same name.

The jury found that Trans Union violated the FCRA when it failed to assure accuracy for its credit reporting results, to notify consumers of OFAC results in writing, and to provide them with notice of their rights under FCRA, including correcting mistakes on their credit report.

The verdict provides that each of the 8,185 class members will receive $984 in statutory damages under FCRA and $6,353 in punitive damages, which totals $60 million.

Trans Union has publicly stated that it is reviewing its options following the jury verdict.

CoPilot Provider Support Services Settles with NYAG for $130,000 for Late Breach Notification

CoPilot Provider Support Services, Inc. (CoPilot), which provides health care companies with billing and insurance support services, has settled allegations by the New York Attorney General of failing to notify individuals of a data breach in a reasonable time for $130,000.

CoPilot began investigating an unauthorized access to, and downloading of, its reimbursement records through its website in October of 2015. The information that was compromised included the names, addresses, dates of birth, gender, telephone numbers, medical insurance card numbers, and some Social Security numbers of 220,000 patients, including 25,561 New York residents.

Although the New York breach notification statute says that individuals must be notified of a data breach “as soon as possible,” CoPilot did not notify the individuals of the data breach until January of 2017.

In addition to the fine, CoPilot has agreed to improve its breach notification and legal compliance program, including implementing a company-wide training program on breach notification.

CoPilot alleged that the delay in notification was at law enforcement’s request, as law enforcement was investigating the incident, but the NYAG stated that “a company cannot presume delayed notification is warranted just because a law enforcement agency is investigating.” In this case, law enforcement did not request a delay of notification in writing. The lesson of this case is the importance of implementing a breach notification program, as well as obtaining written confirmation from law enforcement if it is seeking a delay in notification for investigative purposes.

1 Million Individuals’ Personal Data on Backup Drive is Stolen from Washington State University

File this story under: even locking data up in a safe is not secure.

Washington State University (WSU) has begun to notify approximately 1 million individuals that their personal data was compromised when a backup drive that contained the information was stolen from a safe located in the IT Department. The individuals notified included adults and parents of minors.

On April 21, 2017, WSU learned that a hard drive containing backup files of WSU’s Social & Economic Science Research Center was compromised when the safe in which it was stored was stolen. The hard drive contained 1 million adults’ and minors’ names, addresses, Social Security numbers, and “other types of information” that had been provided in surveys from Washington State agencies, colleges and school districts to WSU.

It is unclear why Social Security numbers were included in the survey results or why the backup drive was not encrypted while being stored in the safe; either measure would have mitigated the loss suffered by WSU. This is an important reminder that addressing physical security is as important as assessing electronic security to protect personal data.

North Dakota Medicaid Recipients’ Data Found in Dumpster

The North Dakota Department of Human Services (NDDHS) is notifying 2,452 Medicaid recipients that their protected health information was compromised when their records were discovered in a dumpster.

On May 19, 2017, a member of the public discovered sensitive information in a dumpster and contacted NDDHS. The documents that were discovered included Medicaid worksheets, which contained Medicaid recipients’ first and last names, Medicaid provider numbers, Medicaid ID numbers, a code associated with their county of residence, dates of insurance, amounts billed and allowed, diagnosis codes, and dental information.

The records were placed in the dumpster on May 8, 2017. Because the records may have been accessed, NDDHS is offering credit monitoring and identity theft services to the affected individuals, implementing a training program for staff, and reviewing its policies and procedures for safeguarding and disposing of Medicaid recipients’ personal data.

General Data Protection Regulation (GDPR) Series Part #2: The Importance of Self-Assessment

The General Data Protection Regulation (GDPR) (EU) 2016/679 of 27 April 2016, which comes into force in May 2018, will introduce major changes to the law on the processing of personal data in the European Union. Over the next twelve (12) months, several European Union law firms we work very closely with will join us in providing you with more information on the GDPR. Different themes will be tackled month by month to help you prepare for the GDPR deadline.

Part #2 of this GDPR Series is brought to you by Mills & Reeve, a United Kingdom law firm. Other blog entries in this series will be brought to you by the law firms of Graf von Westphalen (Germany), FIDAL (France) and VanBenthem & Keulen (Netherlands), as well as Robinson+Cole (United States).

In any major project there is an analysis phase – involving a careful examination of your organization’s current set-up and what needs to be done to deliver the project successfully. Preparing for the GDPR is no exception. Depending on the structures and practices of your organization, compliance could require a significant allocation of resources to ensure that you are ready by the implementation date: 25 May 2018.

So what can be done to get started?

Perhaps the best first step is to conduct a self-assessment audit. This will help organizations map the likely impacts of the changes in data protection law on their activities.

A few key points are worth looking at in detail.

DOJ Reports on Drones Flying Contraband to Prisons

While drone delivery services are certainly on the agendas of large retailers like Amazon, inmates in jails across the U.S. are already using drones to receive their own aerial contraband shipments. Through a Freedom of Information Act (FOIA) request, the Department of Justice (DOJ) revealed that there have been many attempts over the past five years to transport contraband to prisoners in the U.S., ranging from mobile phones to drugs and even pornography. State facilities have also reported similar incidents over the years. Drone expert and drone legislation advocate Troy Rule, of Arizona State University, says, “Civilian drones are becoming inexpensive, easy to operate and powerful. A growing number of criminals seem to be recognizing their potential value as tools for bad deeds.” The problem is that current anti-drone technologies fail to protect prisons against these drone deliveries. While smuggling contraband into prison through any method violates federal law, no statute currently prohibits drones from flying near correctional facilities (aside from some newly implemented local laws) – yet another loophole in the current landscape of drone laws.

New Statistics Predict Drone Production Will Soar to $73.5 Billion Over Next 10 Years

According to recent studies and statistics, unmanned aerial systems (or drones) promise to have the most dynamic growth of any sector in the aerospace industry. With the easing (for the most part) of airspace regulations and operational limitations set by the Federal Aviation Administration (FAA), the flood of investments, and the introduction of new drone services and technology, the stage is set for very rapid growth. The Teal Group, an aerospace and defense market analysis firm in Fairfax, Virginia, said in its recent report that over the next ten years drone production (for non-military purposes) will total $73.5 billion, rising from a $2.8 billion worldwide market in 2017. This will include the production of commercial, consumer and civil government systems. Specifically, commercial use will be the fastest growing segment, growing from $512 million in 2017 to $6.5 billion over the next ten years. Companies in traditional aerospace, data analysis, semiconductors, and telecommunications are all jumping into this market.

Even technology companies have poured over $1 billion into investments in drone startups over the last few years. The Teal Group says that the construction industry will lead the commercial drone market, and agriculture will rank second worldwide over the next decade. And as the technology gets better, low-cost, high-altitude, long-endurance drones will hit the skies, promising to create an entirely new segment of the market – drones that bring the Internet to areas of the world currently without any service. Lastly, according to this new report, energy, general photography (e.g. for real estate marketing) and insurance will also become important commercial segments of the drone industry. The sky’s the limit.

Privacy Tip #93 – Electronic Frontier Foundation Privacy Badger

I am from Wisconsin, so I am a Badger fan. Actually a double Badger fan, as I am a big fan of the Electronic Frontier Foundation’s (EFF) Privacy Badger.

According to the EFF’s website, Privacy Badger “is a browser extension that automatically blocks hidden third-party trackers that would otherwise follow you around the web and spy on your browsing habits.”

Third-party tracking by advertisers and websites is widespread and is done with “cookies.” This is when they track your browsing activity without your consent, knowledge or control.

Privacy Badger is designed “to end non-consensual browser tracking and promote responsible advertising…[and] encourages advertisers to treat users respectfully and anonymously.” The goal is for participating sites to agree not to retain any information about users who have said they don’t want to be tracked.

I am going to heed their advice and “[D]ownload Privacy Badger now to take a stand against tracking and join the movement to build a more privacy-friendly web.” You might consider using it as well, if you want to limit the tracking of your browsing history.

NJ Gov. Chris Christie Seeks to Ease HIPAA Restrictions in Cases of Opioid Overdose

Last week, New Jersey Governor Chris Christie told reporters that he is in talks with representatives from the U.S. Department of Health and Human Services and the U.S. Department of Justice about easing HIPAA restrictions in situations where individuals have experienced an opioid overdose. Gov. Christie chairs the presidential commission on opioid abuse. Speaking to reporters, Gov. Christie expressed an interest in letting “parents and loved ones know when people have been reversed with Narcan,” referring to a prescription medicine that can be used to reverse an overdose. HIPAA generally prohibits the disclosure of health information to a patient’s family or friends without the consent of the patient, meaning that an individual’s parents or family might not be aware of situations where an individual has overdosed. A proposal to ease HIPAA restrictions is expected to be included in the commission’s interim report, which is scheduled to be released within the next few weeks.