All You Need to Know About Flying Your Drone During the Solar Eclipse

Next week, on August 21, a total solar eclipse (or the alignment of the sun, moon and earth), visible from the continental U.S., will take place for the first time in 38 years. The last time this cosmic event occurred, there were no battery-powered supercomputers—smartphones—in your hand to fly a self-stabilizing, GPS-guided aircraft with a camera and a broad spectrum wireless control system. Now, in 2017, flying a drone to capture this phenomenon will certainly be a common activity for both commercial and hobbyist drone operators.

But what if you (or your company) want to be the absolute first to get footage of the shadow? Well, the first land-based point of contact with the path of totality (the shadow of the moon on the earth) will be at Lincoln Beach, Oregon, at about 9:05 a.m. PT. But Lincoln Beach suffers some visibility problems as a coastal area, and if you don’t want to roll the dice, or better yet, you are flying commercially and the Federal Aviation Administration’s (FAA) Part 107 rules require a minimum of three miles of visibility (and you don’t have a waiver), you should have some other options. Over the 90-minute span of this solar eclipse, the path of totality will run through Oregon, Idaho, Wyoming, Montana, Nebraska, Iowa, Kansas, Missouri, Illinois, Kentucky, Tennessee, Georgia, North Carolina, and South Carolina. The total eclipse ends around 2:48 p.m. ET in Charleston, South Carolina.

Of course, you also have to remember that many of these states in the path of totality (or counties within these states) have their own drone regulations beyond those of the FAA. For example, Oregon requires any commercial aircraft to register before operating in Oregon; Idaho Falls, Idaho is almost all Class E airspace to the ground, which means limited ability to fly without a waiver; Lincoln, Nebraska has a “responsible operator” law with a $100 fine for violations; Kansas prohibits harassing someone while using a drone (and if your filming of the eclipse is considered harassment you could have a problem); Tennessee has a few broad laws against certain drone operations, like prohibitions on taking pictures or video without the consent of the individual who owns or lawfully occupies the real property in the image, and Nashville, Tennessee has a lot of no-fly zones; and North Carolina requires a permit from the North Carolina Department of Transportation, which requires passing another knowledge test in addition to the Part 107 FAA required remote pilot certification test.

And then there are Wyoming, Montana, Iowa, Missouri, Illinois, Kentucky, Georgia, and South Carolina, which do not have any specific prohibitions related to drone operations (local ordinances, however, may be in the mix but not widely known).

So while there are certainly many options for commercial and hobbyist drone operators across the country to capture this spectacular sight, it is important to remember that there are still some hurdles with state and local laws and ordinances, as well as FAA operational guidelines (like issues with “flying at night” even if it is high noon). And as always, it’s a solar eclipse, which means even one direct glimpse with the naked eye could leave you visually impaired or blind, so be sure to check out NASA’s resources on eclipse safety before taking your drones (or your eyes) to the sky.

DJI Reports Enhanced Data Privacy for its Drones

We posted last week about the U.S. Army issuing a memorandum banning the use of DJI drones due to security concerns, but this week DJI reports that it is developing a new local data mode that stops internet traffic to and from its drone flight control apps. DJI says that it is making this change in order to provide enhanced data privacy for sensitive government agencies and enterprise customers.

DJI reported that its drone flight control apps usually communicate over the internet because doing so allows the drone to access the most relevant local maps and geofencing data, the latest versions of the app, correct radio frequency and power requirements, as well as other information that helps the drone’s flight safety and functionality. However, DJI now plans to offer the ability for an operator to enable ‘local data mode’, which means that DJI’s apps will stop sending or receiving any data over the internet (and in turn, increase the privacy of the data collected through the drone). The catch: because this local data mode blocks all internet data, DJI apps will not update maps or geofencing information, will not notify operators of newly issued flight restrictions or software updates, and could suffer other performance limitations.

According to DJI, local data mode has been in development for several months and will be included in future versions of DJI apps, starting in the next several weeks. DJI’s apps include DJI GO, DJI GO 4, DJI XT Pro, DJI Pilot and Ground Station Pro. The local data mode feature may not be available in locations where an internet connection is required or highly advisable due to local regulations or requirements.

Privacy Tip #101 – A Recap of our Top 10 Privacy Tips

Last week, our Data Privacy + Cybersecurity Insider reached a milestone—we hit our 100th privacy tip! This week, we mark that milestone with a special edition Privacy Tip: the top 10 most-viewed privacy tips. Our readers can use this list as a refresher resource for some of the most important privacy tips to remember at work and at home. Here are the links to the top 10 tips:

1. Who is listening to your conversations through your smartphone microphone?
2. Know how apps are accessing and using your constant location
3. How teachers can assist students to be safe online
4. What are digital assets and why should I care?
5. Safety Tips for Using Twitter When Anonymity is Crucial to Your Safety
6. What do I do when I get a letter informing me of a data breach?
7. Beware of fake USB drives and phone chargers
8. Protecting seniors from scams
9. 10 Tips to Help Protect Your Senior Loved Ones
10. Payment Card Breaches – Both Sides of the Story

Be sure to check out next week’s Insider for a new privacy tip.

FTC Issues ‘Stick with Security’ Guidance Emphasizing Data Security Best Practices

The Acting Director of the FTC’s Bureau of Consumer Protection, Thomas B. Pahl, recently commenced a ‘Stick with Security’ series of blog posts that analyze the data security principles championed by the FTC in its Start with Security guidance. The posts are intended to impart lessons the FTC has learned via investigations and enforcement actions, and to highlight good/bad practices implemented by businesses, since the FTC’s issuance of its Start with Security guidance in June 2015.

In its first three posts (available here, here, and here), the FTC emphasized a number of straightforward best practices that can help businesses mitigate potential penalties in the event of a data security incident, including:

Connecticut Insurance Department Issues Bulletin on Data Security Requirements

We previously outlined the requirements of the Connecticut data breach law when it was amended in 2015, including the requirement to implement a comprehensive information security program (CISP).

The law requires that Third Party Administrators (TPAs) and Pharmacy Benefit Managers (PBMs) implement a CISP by October 1, 2017, and certify to the Connecticut Insurance Department that they maintain a CISP in compliance with the statute.

The Connecticut Insurance Department has issued a Bulletin (MC-23) reminding those entities that fall under the law (including TPAs and PBMs) that they must have the CISP in place by October 1, 2017, and certify that it is in place using the certification attached to the Bulletin [access the certification here].

The October 1 deadline is approaching, so if you are a TPA or PBM, implementation of your CISP is a high priority.

Siemens Medical Equipment Vulnerable to Cyber-Attacks

The Department of Homeland Security and Siemens Healthineers have identified cyber vulnerabilities in the Windows 7-based versions of Siemens PET/CT systems, SPECT systems, SPECT/CT Systems and SPECT Workplaces, and have issued a warning concerning the vulnerabilities.

Although Siemens is working on updates for the affected diagnostic imaging systems, it is recommending that customers either operate the systems in a dedicated network segment and protected IT environment or disconnect the devices from networks and reconnect them after installing the provided patch.

According to the Industrial Control Systems Cyber Emergency Response Team, “Successful exploitation of these vulnerabilities may allow the attacker to remotely execute arbitrary code.”

The DHS warning can be accessed here.

Nevada Implements Law that Requires Notice for Collection of Personal Information

Nevada has become the third state in the Union to adopt a law that requires operators of websites and online services to provide notice to consumers who are Nevada residents of their practices around the collection and sharing of personal information, including consumers’ names, address, email address, telephone number, Social Security number or an identifier that can be used to contact the person physically or electronically.

The law requires operators to provide reasonable notice to consumers about the categories of information the operator collects and shares with third parties; provide the consumer with the opportunity to review and request changes to his or her personally identified information; describe the process that will be used to notify consumers of material changes to the notice; provide notice of whether a third party can collect personally identifiable information when the consumer uses the website or online service; and provide the effective date of the notice.

The new law goes into effect on October 1, 2017. Penalties for violation of the statute include an injunction or a civil penalty of $5,000 for each violation.

U.S. Army Issues Memorandum Banning Use of DJI Products Due to Cybersecurity Issues

Last week, the U.S. Army issued a memorandum discontinuing the use of DJI drone products due to cybersecurity concerns. The memorandum said, “Due to increased awareness of cyber vulnerabilities associated with DJI products, it is directed that the U.S. Army halt use of all DJI products. This guidance applies to all DJI UAS and any system that employs DJI electrical components or software including, but not limited to, flight computers, cameras, radios, batteries, speed controllers, GPS units, handheld control stations, or devices with DJI software applications installed.” It wasn’t long before this ban that the U.S. banned the use of closed circuit television (CCTV) cameras on critical infrastructure if the CCTV was manufactured in China.

DJI drones, especially with the launch of the Spark, can take off and land almost autonomously in your hand. They are easy to fly right out of the box, which is perhaps why they are the most popular drone on the shelf right now. But what happens with the drone’s flight log information, GPS positioning data, aerial sensor captured data and the data collected within coinciding apps on your device? Most of this data gets transmitted back to DJI’s servers. Specifically, DJI syncs your flight logs and images to their servers, and caches data from your app when offline and then re-syncs the data to their servers when online, including audio and video data. While these practices are mentioned in the DJI drone manuals, many drone operators are unaware of this constant data collection. And many commercial drone operators, working as independent contractors for a company, can’t firmly state that the set of data they provide to the company is the only copy in existence—so what if you were gathering highly sensitive infrastructure data? The solution is closed systems, which can better secure and protect the data collected during a drone operation.

In response to the U.S. Army’s memorandum, DJI said, “We are surprised and disappointed to read reports of the U.S. Army’s unprompted restriction on DJI drones as we were not consulted during their decision. We are happy to work directly with any organization, including the U.S. Army, that has concerns about our management of cyber issues. We’ll be reaching out to the U.S. Army to confirm the memo and to understand what is specifically meant by ‘cyber vulnerabilities’.” We will watch for an update on this front.

Privacy Tip #100 – Scary Statistics on Identity Theft of Children

It is one thing to steal our identity as an adult, but children are defenseless against this type of fraud. According to Experian, it handles 25,000-30,000 cases of identity theft and fraud every year, and a whopping 17 percent affected children. The estimate is that it will affect up to 25 percent of children before they reach the age of 18. That is a disturbing statistic.

According to Michael Bruemmer of Experian, children can be targeted at birth when parents apply for Social Security numbers at the hospital, and children are vulnerable because most don’t have a credit file and aren’t checking their credit report.

Warning signs for parents to pay attention to include:

  • A child receiving a credit card offer in the mail that wasn’t requested
  • Receiving an IRS notice of delinquent taxes in the child’s name
  • Collection calls regarding unpaid bills for products or services

Tips for parents to use on protecting their children’s identity include:

  • Teach your children not to give their personal information to anyone
  • Monitor and teach your children the importance of being careful about sharing their personal information online or on social media sites
  • Get a copy of your child’s credit report and monitor your child’s credit like you monitor your own
  • Push back on people and don’t allow your child’s Social Security number or other personal information to be shared with anyone who doesn’t have a need to have it (even if there is a blank on the form asking for an SSN, ask why and refuse to give it)
  • Teach your children the importance of their SSN and personal information and to keep it safe

Help your children combat identity theft and protect them from being one of the 25 percent who will be victims before they are 18.

What is the HIPAA Complaint Process?

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules. Any person who believes that a covered entity or business associate is not complying with HIPAA may file a complaint with OCR (complaints may also be submitted directly to a covered entity). Here is a high-level overview of the OCR complaint process from intake and review through investigation and resolution:

Intake and Review. During this step, OCR reviews the complaint to determine whether it can or will take action. OCR may take action on a complaint if it meets the following conditions: