Cyber Defense Strategies and Responsibilities for Industry Call for Papers Now Open

The Northern Kentucky Law Review and Salmon P. Chase College of Law seek submissions for the third annual Law + Informatics Symposium on February 27-28, 2014.

2014 Law + Informatics Symposium on

Cyber Defense Strategies and Responsibilities for Industry

 The focus of the conference is to provide an interdisciplinary review of issues involving business and industry responses to cyber threats from foreign governments, terrorists, and corporate espionage. The symposium will emphasize the role of the NIST Cybersecurity Framework and industries providing critical infrastructure.

The symposium is an opportunity for academics, practitioners, consultants, and students to exchange ideas and explore emerging issues in cybersecurity and informatics law as it applies to corporate strategies and the obligations of business leaders. Interdisciplinary presentations are encouraged. Authors and presenters are invited to submit proposals on topics relating to the theme, such as the following:

Cyber Warfare

  • Rules of Engagement
  • Offensive and defensive approaches
  • Responses to state actors
  • Engagement of non-state actors
  • Distinguishing corporate espionage from national defense
  • Proportionality and critical infrastructure
  • Cyber diplomacy
  • Cold War footing and concerns of human rights implications

Front Lines for Industry

  • Role of regulators such as FERC
  • Legacy systems and modern threats
  • NIST guidelines
  • NIST Cybersecurity Framework
  • Engaging Dept. of Homeland Security
  • Implications for various industries (electric power, telecommunications and transportation systems, chemical facilities)
  • Health and safety issues

Global Perspectives

  • Concepts of cyber engagement in Europe
  • Perception of the Internet and social media as a threat to national sovereignty
  • Rules of engagement outside U.S. and NATO
  • Implications for privacy and human rights
  • Stuxnet, Duqu, Gauss, Mahdi, Flame, Wiper, and Shamoon
  • Cyber engagement in lieu of kinetic attacks or as a component of kinetic engagement

Corporate Governance

  • Confidentiality and disclosure obligations
  • Responsibilities of the board of directors
  • Staffing, structures and responses
  • Data protection & obligations regarding data breaches
  • Corporate duty to stop phishing and other attacks for non-critical industries
  • Investment and threat assessment
  • Litigation and third party liability

Other Issues

  • Executive orders and legislative process
  • Lawyer responsibility in the face of potential threats
  • Practical implications of government notices
  • Perspective on the true nature of the threat

Submissions & Important Dates: 

  • Please submit materials to Nkylrsymposium@nku.edu
  • Submission Deadline for Abstracts: September 1, 2013
  • Submission Deadline for First Draft of Manuscripts: January 1, 2014
  • Submission Deadline for Completed Articles: February 1, 2014
  • Symposium Date: February 27-28, 2014

Law Review Published Article:  The Northern Kentucky Law Review will review, edit and publish papers from the symposium in the 2014 spring symposium issue.  Papers are invited from scholars and practitioners across all disciplines related to the program. Please submit a title and abstract (of 500-100 words) or draft paper for works in progress. Abstracts or drafts should be submitted by September 1, 2013. Submissions may be accepted on a rolling basis after that time until all speaking positions are filled.

Presentations (without publication) based on Abstracts:  For speakers interested in presenting without submitting a publishable article, please submit an abstract of the proposed presentation. Abstracts should be submitted by September 1, 2013. Submissions may be accepted on a rolling basis after that time until all speaking positions are filled.

Publication of Corporate Handbook on Cyber Defense: The Law + Informatics Institute may edit and publish a handbook for corporate counsel related to the topics addressed at the symposium. Scholars and practitioners interested in authoring book chapters are invited to submit their interest by September 1, 2013 which may be in addition to (or as an adaptation of) a submitted abstract for The Northern Kentucky Law Review. Submissions may be accepted on a rolling basis after that time until all chapter topics are filled.

About the Law and Informatics Institute:  The Law + Informatics Institute at Chase College of Law provides a critical interdisciplinary approach to the study, research, scholarship, and practical application of informatics, focusing on the regulation and utilization of information – including its creation, acquisition, aggregation, security, manipulation and exploitation – in the fields of intellectual property law, privacy law, evidence (regulating government and the police), business law, and international law.

Through courses, symposia, publications and workshops, the Law + Informatics Institute encourages thoughtful public discourse on the regulation and use of information systems, business innovation, and the development of best business practices regarding the exploitation and effectiveness of the information and data systems in business, health care, media, and entertainment, and the public sector.

For More Information Please Contact:

  • Professor Jon M. Garon, symposium faculty sponsor and book editor: garonj1@nku.edu or 859.572.5815
  • Lindsey Jaeger, executive director: JaegerL1@nku.edu or 859.572.7853
  • Aaren Meehan, symposium editor, meehana2@mymail.nku.edu or 859-912-1551

Beyond Google’s Looking Glass – The Internet of Things is Already Here

Perhaps triggered by the New York Times coverage of Google Glass, the FTC has announced both a call for submissions and a workshop on the Internet of Things and its implications for privacy, fair trade practices, and the security of both data and people. The FTC announcement highlights both the benefits and risks of device connectivity.

Connected devices can communicate with consumers, transmit data back to companies, and compile data for third parties such as researchers, healthcare providers, or even other consumers, who can measure how their product usage compares with that of their neighbors. The devices can provide important benefits to consumers: they can handle tasks on a consumer’s behalf, improve efficiency, and enable consumers to control elements of their home or work environment from a distance. At the same time, the data collection and sharing that smart devices and greater connectivity enable pose privacy and security risks.

The issue is not new. The ITU released a 2005 study discussing the implications of the Internet of Things. The ITU described a near technological future in which “industrial products and everyday objects will take on smart characteristics and capabilities. … Such developments will turn the merely static objects of today into newly dynamic things, embedding intelligence in our environment, and stimulating the creation of innovative products and entirely new services.”

I have previously described some of these concerns in an article, Mortgaging the Meme.[1]

In each of these situations, an automated and consumer-defined relationship will replace the pre-existing activities. In many situations, this will create efficiency and convenience for the consumer, but it will also reduce the opportunities for human interaction and subtly rewrite the engagement between customer and company. Those that understand this change will adjust their technologies to improve the service and increase the customer’s reliance on their systems. Companies that do not understand how this engagement will occur risk alienating customers and losing markets quickly.

Beyond consumer interactions, other uses may arise. Ethical and privacy concerns regarding misuse tend to focus on government, business and organized crime. These include unwarranted surveillance, profiling, behavioral advertising and targeted pricing campaigns. As a result, as companies increasingly rely on these tools, they also bear a responsibility to do so in a socially positive manner that increases the public’s estimation of the company.

The FTC submissions and workshop are overdue. Reading the New York Times quote regarding app developers, there is a sense that, unlike technology giants such as Microsoft and Google, the developers are thinking more about the technology’s potential than about its potential impact. One such example from the Times: “‘You don’t carry your laptop in the bathroom, but with Glass, you’re wearing it,’ said Chad Sahlhoff, a freelance software developer in San Francisco. ‘That’s a funny issue we haven’t dealt with as software developers.’”

Many fields will benefit from increased device connectivity. Just a few:

  • Public transportation systems designed around real-time usage and traffic patterns.
  • Prescription monitoring to help patients take the right medications at the correct time.
  • Fresher, healthier produce.
  • Protection of pets and children.
  • Social connectivity, with photo-tagging and group-meeting moving into the real world.
  • Interactive games played on a real-world landscape.

There are also law enforcement uses that must be carefully considered. After the Boston Marathon attack, for example, calls for public surveillance will undoubtedly increase, including calls for adding seismic devices and real-time echo-location. Gunshots, explosions, and even loud arguments could become self-reporting.

Common household products sometimes become deadly in large quantities. RFID technology could be used to monitor the concentration of potentially lethal materials and provide that data to the authorities.

The consumer use, public use, and law enforcement use must be thoughtfully reviewed to balance the benefits of the technology with the intrusions into privacy and the legacy of retrievable information that such technology creates.

FTC staff will accept submissions through June 1, 2013, electronically through iot@ftc.gov or in written form. The workshop will be held on November 21st. These are the questions posed by the FTC thus far:

  • What are the significant developments in services and products that make use of this connectivity (including prevalence and predictions)?
  • What are the various technologies that enable this connectivity (e.g., RFID, barcodes, wired and wireless connections)?
  • What types of companies make up the smart ecosystem?
  • What are the current and future uses of smart technology?
  • How can consumers benefit from the technology?
  • What are the unique privacy and security concerns associated with smart technology and its data? For example, how can companies implement security patching for smart devices? What steps can be taken to prevent smart devices from becoming targets of or vectors for malware or adware?
  • How should privacy risks be weighed against potential societal benefits, such as the ability to generate better data to improve healthcare decision making or to promote energy efficiency?
  • Can and should de-identified data from smart devices be used for these purposes, and if so, under what circumstances?

While the FTC has asked some good questions, they are only the beginning. Please submit your thoughts and join the FTC conversation.


[1] Jon M. Garon, Mortgaging the Meme: Financing and Managing Disruptive Innovation, 10 NW. J. TECH. & INTELL. PROP. 441 (2012).

New York Times disclosure of cyber-attacks should pave way for greater corporate engagement and a critical infrastructure executive order

With the lead story in the New York Times focused on its own failure to defend against politically motivated Chinese computer hacking, there is renewed concern regarding the vulnerability of domestic computer systems, particularly those that are part of the critical national infrastructure. Homeland Security describes critical infrastructure as “the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, public health or safety, or any combination thereof.”

While the Communications Sector is one of the 18 Sectors identified as part of the critical infrastructure, the focus is on the telecommunications network rather than the content itself. Nonetheless, the continuing attack which lasted over four months raises serious questions regarding the ability of organizations to effectively defend themselves against a serious professional attack.

Among the facts that stood out was the failure of commercial antivirus software. According to the Times, “[o]ver the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.”

The nature of the exposure has also changed. Instead of attacks aimed at the firewall, the campaign was conducted through phishing: bogus links or attachments in innocuous emails that trick an employee into running code on a workstation already inside the perimeter, installing “remote access tools” or RATs. The firewall is never breached; it is bypassed by a user who has been invited to let the attacker in.

Those tools can siphon off oceans of data — passwords, keystrokes, screen images, documents and, in some cases, recordings from computers’ microphones and Web cameras — and send the information back to the attackers’ Web servers.

Michael Higgins, chief security officer at The Times, said: “Attackers no longer go after our firewall. They go after individuals. They send a malicious piece of code to your e-mail account and you’re opening it and letting them in.”
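The Times passage above describes RATs sending harvested data back to the attackers’ web servers, and reports that signature-based antivirus caught one of 45 custom samples. A check that does not depend on recognizing the sample is to look at egress timing: a tool that phones home on a timer leaves a trail of requests from one workstation to one host at nearly constant intervals, frequently with more bytes leaving than arriving. The following Python is an added example, not code from the Times, Mandiant or Symantec; the proxy log format, hostnames, addresses, byte counts and thresholds are all constructed for illustration.

```python
"""Signature-free look for RAT call-home traffic in web-proxy logs.

Added example (not from the article or the vendors it names). The log
format, hosts, addresses and thresholds below are constructed. The idea:
malware that beacons on a timer produces near-periodic requests from one
source to one destination, often upload-heavy, regardless of whether an
antivirus engine knows the sample.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample, one request per line:
#   ISO-timestamp  src-ip  dest-host  bytes-out  bytes-in
# update.example-vendor.test is hit every ~10 minutes with ~9 KB out;
# news.example.com is hit just as often but at human, irregular times.
SAMPLE_LOG = """\
2013-01-30T09:00:02 10.1.4.22 news.example.com 412 58210
2013-01-30T09:00:11 10.1.4.22 update.example-vendor.test 9120 1200
2013-01-30T09:03:40 10.1.4.22 news.example.com 398 61002
2013-01-30T09:10:12 10.1.4.22 update.example-vendor.test 8870 1180
2013-01-30T09:12:44 10.1.4.22 mail.example.com 2200 8800
2013-01-30T09:20:10 10.1.4.22 update.example-vendor.test 9410 1210
2013-01-30T09:30:13 10.1.4.22 update.example-vendor.test 9030 1190
2013-01-30T09:31:07 10.1.4.22 news.example.com 405 57730
2013-01-30T09:32:15 10.1.4.22 news.example.com 410 60120
2013-01-30T09:40:11 10.1.4.22 update.example-vendor.test 8960 1205
2013-01-30T09:47:55 10.1.4.22 mail.example.com 2310 9100
2013-01-30T09:48:50 10.1.4.22 news.example.com 399 59880
2013-01-30T09:50:12 10.1.4.22 update.example-vendor.test 9205 1188
2013-01-30T09:55:30 10.1.4.22 news.example.com 415 60450
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, host, out_b, in_b = line.split()
    return datetime.fromisoformat(ts), src, host, int(out_b), int(in_b)


def find_beacons(log_text, min_hits=6, max_cv=0.15):
    """Return (src, host) pairs whose request timing is near-periodic.

    min_hits: fewer requests than this are not enough to judge a rhythm.
    max_cv:   coefficient of variation (stddev / mean) of the gaps between
              requests; a timer beacon sits near zero, a person browsing
              does not. Both thresholds are assumptions to tune per site.
    """
    sessions = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, host, out_b, in_b = parse_line(line)
        sessions[(src, host)].append((ts, out_b, in_b))

    findings = []
    for (src, host), events in sessions.items():
        if len(events) < min_hits:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv > max_cv:
            continue
        out_total = sum(e[1] for e in events)
        in_total = sum(e[2] for e in events)
        findings.append({
            "src": src,
            "host": host,
            "hits": len(events),
            "period_s": round(avg),
            "jitter_cv": round(cv, 3),
            "bytes_out": out_total,
            "bytes_in": in_total,
            "upload_heavy": out_total > in_total,  # exfil tends to push more than it pulls
        })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['host']}: {f['hits']} hits every ~{f['period_s']}s "
              f"(cv {f['jitter_cv']}), {f['bytes_out']} B out / {f['bytes_in']} B in, "
              f"upload-heavy={f['upload_heavy']}")
```

Run against the sample, only the ten-minute update host is reported; the news site, with the same number of requests, is skipped because its gaps vary too much. In practice the same grouping is run over a day of proxy or DNS logs per workstation, and hits are then checked against allow-lists of known update services, since legitimate software also polls on timers.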

The Department of Homeland Security’s Office of Infrastructure Protection, established in 2002, is charged with meeting this kind of threat. It has its hands full.

This is a complex mission. Critical infrastructure ranges from the nation’s electric power, food and drinking water to its national monuments, telecommunications and transportation systems, chemical facilities, and much more. The vast majority of critical infrastructure in the United States is privately owned and operated; thus, public-private partnerships are essential to protect and boost the resilience of critical infrastructure and respond to events.

The attacks are real. The Washington Post has reported on overseas attacks targeting utilities, including one which gained control of a Texas water utility.

Uncounted numbers of industrial control computers, the systems that automate such things as water plants and power grids, were linked in, and in some cases they were wide open to exploitation by even moderately talented hackers. … From October to April, the DHS received 120 incident reports, about the same as for all of 2011. But no one knows how often breaches have occurred or how serious they have been. Companies are under no obligation to report such intrusions to authorities.

Congress flirted with new legislation to update the obligations of companies in the 18 sectors which provide our critical infrastructure, but it was ultimately unable to agree on legislative action. In its place, President Obama is expected to issue an executive order highlighting the obligation of any organization in one of these sectors that receives a governmental notice of an imminent threat to respond to that notice or to update its capacity to respond to a cyber-attack. A possible draft of the order is available here.

While business is reluctant to embrace these new obligations, the acknowledgment by the New York Times of the vulnerability companies face should change the dialogue about the executive order and the need to plan for cyber-defense rather than complain about its costs. After all, the cost of inaction will be much, much higher.

Health Information Omnibus Rule will empower the patient – finally

The U.S. Department of Health and Human Services (HHS) has updated the data privacy and security rules governing electronic health records by finalizing an omnibus rule that increases these protections.

First enacted under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and expanded under the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, these rules have created both incentives for health care providers to digitize health records and obligations to protect the data from loss or misuse.

In the 2013 omnibus rule, HHS has moved to increase the individual patient’s interest in the health data system by expanding the patient’s rights regarding their health records.

  • Patients can ask for a copy of their electronic medical record in an electronic form.
  • When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan.
  • Parents and guardians should find it easier to give permission to share proof of a child’s immunization with a school.
  • Patients must give permission before that individual’s health information is sold under an expanded number of conditions.

Digitization has swept most industries in the more than fifteen years since HIPAA was first enacted. Nonetheless, the cost of record conversion, concerns over privacy, and competitive issues that incentivize health organizations to avoid cooperation have slowed the transition to electronic health records. The incentives of the HITECH Act and the new rule should continue pushing to complete the conversion.

The HHS press release added this observation:

 “This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez.   “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

Full implementation of the new rules will take 12-18 months, giving health care providers time to adjust their processes to meet the new obligations. The 563 page rule can be viewed here. HHS’s announcement of the rule is found here.

Netflix Wins Congressional Protection to go Social in US under New Law

An amendment to the 1988 Video Privacy Protection Act allows video services to let their customers opt in to sharing video rental and viewing data. Under the new legislation, companies such as Netflix, Hulu, and Crackle will be able to let their users share what they have been watching through their social media services.

President Obama is expected to sign the bill into law this week.

Video companies will use the new law to encourage their users to post what they are watching to their friends and family, encouraging greater viewership on that platform. Netflix already provides this option on its European platform, but concerns over the reach of the Video Privacy Protection Act limited the company’s use of social media in the U.S.

Earlier this year, Hulu lost a claim in which it argued the Video Privacy Protection Act did not extend to online content suppliers. The California District Court hearing the case disagreed, stating “a plain reading of a statute that covers videotapes and “similar audio visual materials” is about the video content, not about how that content was delivered (e.g. via the Internet or a bricks-and-mortar store).” The decision to allow the class action against Hulu to proceed (and a settlement by Netflix in a similar situation) set the stage for legislative action.

The law was originally enacted in response to the disclosure of Supreme Court Nominee Robert Bork’s videotape records. The law extended similar protections for library records. (The American Library Association reports that 48 of the 50 states have such statutes.) In addition to the federal law, many states also have laws protecting rental and viewership records, so compliance at the state level may somewhat deter the roll-out of the automated “frictionless sharing” of viewership data.

At the heart of the privacy rules stands a constitutional assertion that free speech often starts with unmonitored access to information. The freedom to read divergent, controversial, or even antisocial and seditious materials is essential to develop an open, robust and unfettered political debate. To punish a person merely for accessing controversial content will ultimately stifle expression, creating a far greater evil than the content being discouraged.

Perhaps because this form of privacy is rooted in First Amendment protections, it was the one privacy rule in which U.S. residents had greater legal protections than their European counterparts.

The law provides consumers the ability to withdraw consent at any time. Nonetheless, expect to see a great many status updates about your acquaintances’ viewing habits by the end of the year. Opting out of those might not be as easy.

ITU Treaty rejected by US and Western nations but ratified by majority

Earlier this month, the U.S. and many Western nations rejected treaty revisions proposed at the World Conference on International Telecommunications (WCIT), organized by the International Telecommunication Union (ITU), a United Nations agency. The White House issued a statement on Dec. 21st explaining its rejection of the proposed treaty amendments: ITU regulation of Internet governance would lead to greater governmental regulation of access to the Internet and of the content available online. As the statement explained, “the Internet’s social and economic benefits come from the free flow of information and ideas and that the technical innovation enabling this information flow comes from the full engagement of civil society, industry, and governments in the process.”

At the same time, however, it is important to recognize that the treaty was adopted: 89 states signed the revised treaty, signaling a strong split among nations regarding the nature of Internet governance. Mohamed al-Ghanim, chairman of the WCIT, commented “I hope that the 55 states that said do not want to sign the treaty, or need to hold consultations, to think again.” Ghanim is the chief of the UAE’s Telecommunications Regulatory Authority. The treaty is not binding on the non-signatory countries.

The tension over the ITU treaty amendments, which had been focused on expanding broadband to greater parts of the globe, highlights the growing tension over the role of Internet access as part of human rights protections. Countries such as Russia and China see control over Internet content within their borders as a fundamental issue of sovereignty, while the U.S., E.U. and other government coalitions view access to Internet content as a fundamental human right. In July of this year, for example, the U.N. Human Rights Council passed a resolution that “affirms that the same rights that people have offline must also be protected online, in particular freedom of expression, which is applicable regardless of frontiers and through any media of one’s choice.”

The ITU vote suggests a growing Cyber Cold War in which historical East/West divisions are reemerging behind firewalls rather than the physical walls of the twentieth century. As in the past, the various U.N. bodies and commissions are split in their allegiances and ineffectual in their pronouncements.

While cyber-attacks against governmental computers have become a constant occurrence in almost every country, the ITU vote signals a more explicit acknowledgement of the regulatory rift among nations. For governments seeking to manage the information available to their citizens or to control what their citizens publish, the open nature and growing penetration of the Internet represents a fundamental challenge to governmental control. The ITU vote reflects this tension and provides a roll call of the nations seeking greater transparency and those seeking greater control. Transparency is behind in the vote – 55 to 89.

Beyond debunking the Facebook Notice

In response to the widespread posting of copyright warnings on Facebook, David Pogue wrote a short blog “You Can Stop Spreading That Facebook Notice Now” which correctly attempted to get people to stop repeating the useless post. His advice was correct – the post doesn’t have any effect – but perhaps there is more to the hoax than his article suggests.

The post quoted by Mr. Pogue is presented as follows:

     In response to the new Facebook guidelines, I hereby declare that my copyright is attached to all of my personal details, illustrations, comics, paintings, crafts, professional photos and videos, etc. (as a result of the Berner Convention).

For commercial use of the above my written consent is needed at all times!

Facebook is now an open capital entity. All members are recommended to publish a notice like this, or if you prefer, you may copy and paste this version.

Snopes, the anti-misinformation site, has already debunked this hoax. It cites two other variations. In them, they add some privacy constraints as well:

The contents of this profile are private and legally privileged and confidential information, and the violation of my personal privacy is punishable by law.

UCC 1-103 1-308 ALL RIGHTS RESERVED WITHOUT PREJUDICE.

Mr. Pogue explains why he considers the post a hoax, then cites a Facebook statement and Snopes for confirmation. He is absolutely right that the post is ineffective. He may not, however, be accurate in other regards.

For example, Facebook explained the falsity as follows: “There is a rumor circulating that Facebook is making a change related to ownership of users’ information or the content they post to the site. This is false. Anyone who uses Facebook owns and controls the content and information they post, as stated in our terms. They control how that content and information is shared. That is our policy, and it always has been.”

First, the actual terms of the Facebook policy are a bit more nuanced: “For content that is covered by intellectual property rights, like photos and videos (IP content), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it.”

  • The Facebook user owns the copyright in everything she uploads.
  • Facebook gets full use of that content.
  • If the user account is terminated, Facebook can still use the content so long as “your content has been shared with others, and they have not deleted it” – which means most content is never deleted.

So Facebook is completely correct that the posting does not affect the copyright in the posted content, but it fails to completely explain the consequences of the contract.

Second, this is a contract rather than a policy. This is important since contracts can be amended. But only according to the contract terms. In the case of Facebook, this means that only Facebook can propose changes to the contract – not the user – and users agreed that “Your continued use of Facebook following changes to our terms constitutes your acceptance of our amended terms.” This means the language cannot be used as a contractual modification.

Still on contract law, there is the curious reference to the Uniform Commercial Code (UCC). Since the UCC applies to the sale of goods, it has no bearing on the terms of use of a social media website. Moreover, UCC 1-103 merely recites the proposition that the statute does not eliminate additional common law protections such as “capacity to contract, principal and agent, estoppel, fraud, misrepresentation, duress, coercion, mistake, Bankruptcy, or other validating or invalidating cause[s]….” UCC 1-308 is a bit closer to the issue. If the contract had not already been formed, then reserving one’s rights means that performance under the contract does not automatically mean the contract has been accepted.

The posting may not be a “hoax” so much as a failed attempt to react to the unequal bargaining power between a web site provider and an individual user. That it fails does not make it a joke. The frustration may be very real.

The privacy statements in the attempted reservation of rights similarly fail. Something posted publicly does not become private through a disclaimer. If one’s settings are entirely private and posts are limited to a select group of people, some limited privacy might survive. This statement will not help in that regard.

One final note about Mr. Pogue’s column should also be noted. He chides the hoax author for describing the “Berner Convention.” Mr. Pogue reminds his readers that “you’re already protected by copyright law” – which is true, but ignores the contractual waivers that have limited its scope. He then goes on to say “there’s no such thing as the Berner Convention. There’s a Berne Convention, which covers literary works.”

I am hoping that Mr. Pogue – a journalist who makes his living as a writer and columnist focusing on law and technology – understands that, under U.S. copyright law, the works of authorship protected alongside literary works include the following categories:

  1. literary works;
  2. musical works, including any accompanying words;
  3. dramatic works, including any accompanying music;
  4. pantomimes and choreographic works;
  5. pictorial, graphic, and sculptural works;
  6. motion pictures and other audiovisual works;
  7. sound recordings; and
  8. architectural works.

The Berne Convention’s coverage is slightly different from the U.S. law (quoted above) in this regard, but it certainly includes all the photographs, music files, videos, poems, and pictures that a person uploads. It is not limited to fictional works of book length or any other narrower definition of literary works.

Mr. Pogue did not say anything of the sort. But the tone and the inference suggest he thinks the reference to the Berner Convention was much more egregious than a typo in the title. And while this doesn’t affect his advice to stop using the clause on Facebook, it makes one wonder – at least a little bit.

So stop using the Facebook disclaimer. Don’t negotiate a contract after you have agreed to its terms. Don’t expect that Facebook’s acknowledgement of user copyrights will actually change the company’s use of the uploaded content. And finally, don’t expect most journalists to understand the difference between copyright, patent, and trademark – they’re just in the business of creating content after all.

Lack of Network Diligence Will Cost Dearly

Northwest Florida State College acknowledged on Oct. 10, 2012 that it had been the subject of a data breach. The announcement explained that the attack included “Northwest Florida State College student data on 76,500 current and past students as well as student data on approximately 200,000 Bright Futures scholars across the State of Florida” as well as data on 3,200 employees.

The breach seems to have been identified and corrected approximately two weeks prior to this announcement, around Sept. 24th. But the report acknowledges that the break-in began May 21st and continued unabated for three months.

The NWFSC student information compromised in the security breach contains public directory information including name and address, as well as confidential student data including birth date and Social Security number. The Bright Futures scholars’ data file includes all State of Florida Bright Futures eligible students during the 2005-06 and 2006-07 academic years. This data file contains student names, Social Security numbers, dates of birth, ethnicity and gender. No student academic files have been compromised.

The Chronicle of Higher Education reports that “cases of identity theft have already been reported, with information used to take out loans or open store accounts and make purchases.”

An update from the university added details about the attack:

At this point in time, the personal information of employees includes name, birthdate, employee Direct Deposit bank routing and account number information, and Social Security number. Approximately 50 employees to date have reported issues with identity theft, including the college president, faculty and staff.

For universities struggling with a weak economy, high tuition, and questions about return on investment, failures to protect the information of prospective or current students could prove disastrous. Senior university leadership should learn from the obligations under HIPAA and Sarbanes-Oxley to stay very informed and engaged in the security of their students’ information – both offline and online. That the president of the university was personally targeted by the attackers makes the need for diligence even more pressing.

It is also a good reminder that all of us who receive funds via direct deposit need to be more diligent in checking our accounts.

The university has set up a website at http://www.nwfsc.edu/security/.

Join over 300 professionals before space runs out at the NKU Security Symposium

The NKU Security Symposium, now including a legal track, takes place this Friday. It will be a great opportunity to cross-train with security and privacy professionals, programmers, IT specialists and legal specialists. The legal track announcement is below:

2012 NKU Security Symposium

Friday, Oct. 12, 2012
NKU METS Center in Erlanger, KY

Register Now!

The 2012 Security Symposium, for the 6th year in a row, will bring together security professionals for a multi-track conference focused on the various aspects of security in information technology today. The symposium will focus on IT security challenges, best practices, and professional discussions, and will include a legal track focusing on the intersection of law and security. The symposium is presented by the Center for Applied Informatics, NKU Chase Law & Informatics Institute and CincyIP. Four hours of Kentucky, Ohio and Indiana CLE credits are anticipated.  This conference is free, but space is limited. Register now!

The Security Symposium is organized into five tracks:

  • Information Security Governance
    This informational track focuses on the understanding and implementation of management policy, procedures, IT audits, continuity planning, and security awareness and training.
  • Software Security
    This track incorporates knowledge about how identity theft is being fought and information integrity is being secured by industry ingenuity.
  • Mobile & Computer Forensics
    Learn the latest methods and tools to process and understand digital evidence.
  • Current Topics in Security
    Explore security topics focused around cloud computing, virtualization, mobile, and much more.
  • Legal Issues in Privacy and Security
    This year marks the first year with an additional legal track, enabling the legal professionals to engage with security professionals and those involved with implementation of software security.

Legal Track Presenters:

  • Prof. Jon M. Garon, director of the NKU Chase Law + Informatics Institute
  • Prof. Jack Harrison, NKU Chase College of Law
  • Craig Hoffman, Esq., partner of Baker Hostetler
  • Curtis Scribner, an attorney in the Global Privacy and Digital Legal group at Procter & Gamble

Agenda

7:30 – 8:00 AM:  Breakfast

8:15 – 8:30 AM:  Welcome Address

8:30 – 9:30 AM:  General Session I

9:30 – 9:40 AM:  Break

9:40 – 10:40 AM:  LEGAL TRACK: Curtis Scribner on “Issues in Data Privacy”

10:40 – 11:10 AM:   Refreshments and Networking

11:10 – 12:10 PM:  LEGAL TRACK: Prof. Jon M. Garon on “Navigating Through the Cloud – Legal and Regulatory Management for Software as a Service”

12:10 – 12:45 PM:  Lunch

12:45 – 1:45 PM:  General Session II

1:45 – 2:00 PM:  Break

2:00 – 3:00 PM:  LEGAL TRACK: Craig Hoffman, Esq. on “The Legal Implications of Data Breach”

3:00 – 3:30 PM:  Refreshments and Networking

3:30 – 4:30 PM:  LEGAL TRACK: Prof. Jack Harrison on “E-Discovery – Legal Issues, Strategies, and Management”

4:30 – 5:30 PM:  Reception

Learn More:
Law + Informatics Blog

Law + Informatics Facebook

Another Hidden Cost of Rent-to-Own: Your Privacy

Although I normally try to add context to commentary about the legal issues covered in this blog, this FTC press release speaks for itself: Secretly Installed Software on Rented Computers Collected Information, Took Pictures of Consumers in Their Homes, Tracked Consumers’ Locations

Seven rent-to-own companies and a software design firm have agreed to settle Federal Trade Commission charges that they spied on consumers using computers that consumers rented from them, capturing screenshots of confidential and personal information, logging their computer keystrokes, and in some cases taking webcam pictures of people in their homes, all without notice to, or consent from, the consumers.

The software design firm collected the data that enabled rent-to-own stores to track the location of rented computers without consumers’ knowledge according to the FTC complaint.  The settlements bar the companies from any further illegal spying, from activating location-tracking software without the consent of computer renters and notice to computer users, and from deceptively collecting and disclosing information about consumers.

“An agreement to rent a computer doesn’t give a company license to access consumers’ private emails, bank account information, and medical records, or, even worse, webcam photos of people in the privacy of their own homes,” said Jon Leibowitz, Chairman of the FTC.  “The FTC orders today will put an end to their cyber spying.”

“There is no justification for spying on customers.  These tactics are offensive invasions of personal privacy,” said Illinois Attorney General Madigan.

The FTC named DesignerWare, LLC, a company that licensed software to rent-to-own stores to help them track and recover rented computers.  The FTC also reached settlements with seven companies that operate rent-to-own stores and licensed software from DesignerWare, including franchisees of Aaron’s, ColorTyme, and Premier Rental Purchase.

According to the FTC, DesignerWare’s software contained a “kill switch” the rent-to-own stores could use to disable a computer if it was stolen, or if the renter failed to make timely payments.  DesignerWare also had an add-on program known as “Detective Mode” that purportedly helped rent-to-own stores locate rented computers and collect late payments.  DesignerWare’s software also collected data that allowed the rent-to-own operators to secretly track the location of rented computers, and thus the computers’ users.

When Detective Mode was activated, the software could log key strokes, capture screen shots and take photographs using a computer’s webcam, the FTC alleged.  It also presented a fake software program registration screen that tricked consumers into providing their personal contact information.

Data gathered by DesignerWare and provided to rent-to-own stores using Detective Mode revealed private and confidential details about computer users, such as user names and passwords for email accounts, social media websites, and financial institutions; Social Security numbers; medical records; private emails to doctors; bank and credit card statements; and webcam pictures of children, partially undressed individuals, and intimate activities at home, according to the FTC.

In its complaint against DesignerWare, the FTC charged that licensing and enabling Detective Mode, gathering personal information about renters, and disclosing that information to the rent-to-own businesses was unfair, and violated the FTC Act.  The agency also alleged that DesignerWare’s use of geolocation tracking software without first obtaining permission from the computers’ renters and notifying the computers’ users was unfair and illegal.  It charged that providing the rent-to-own operators the means to break the law was unfair, and providing the fake registration forms to obtain consumer data was deceptive.

The seven rent-to-own companies were charged with breaking the law by secretly collecting consumers’ confidential and personal information and using it to try to collect money from them.  Use of the bogus “registration” information was deceptive, the FTC alleged.

The proposed settlement orders will ban the software company and the rent-to-own stores from using monitoring software like Detective Mode and will ban them from using deception to gather any information from consumers.  They also will prohibit the use of geolocation tracking without consumer consent and notice, and bar the use of fake software registration screens to collect personal information from consumers.  In addition, DesignerWare will be barred from providing others with the means to commit illegal acts, and the seven rent-to-own stores will be prohibited from using information improperly gathered from consumers in connection with debt collection.  All the proposed settlements contain record keeping requirements to allow the FTC to monitor compliance with the orders for the next 20 years.

Those named in the FTC’s complaints include DesignerWare, LLC; its principals, Timothy Kelly and Ronald P. Koller, individually and as officers of DesignerWare, LLC.; Aspen Way Enterprises, Inc.; Watershed Development Corp.; Showplace, Inc., d/b/a Showplace Rent-to-Own; J.A.G. Rents, LLC, d/b/a ColorTyme; Red Zone, Inc., d/b/a ColorTyme; B. Stamper Enterprises, Inc., d/b/a Premier Rental Purchase; and C.A.L.M. Ventures, Inc., d/b/a Premier Rental Purchase.

The Office of the Illinois Attorney General partnered with the FTC in this investigation.  Today General Lisa Madigan announced the filing of an action against one of the rent-to-own companies that used Detective Mode and that is located in Illinois, Watershed Development Corp.

The Commission vote to accept the consent agreement packages containing the proposed consent orders for public comment was 4-0-1, with Commissioner J. Thomas Rosch abstaining.