702 hearing: Gavels swinging and questions lingering
Despite Congress’ repeated request for information from the intelligence community over its primary counterterrorism surveillance tool, a June 27 hearing on reauthorizing Section 702 of the FISA Act indicated that information isn’t any closer to surfacing.
Frustrations over lingering questions on the amount of Americans’ data swept up in the provision’s application came to a head when Sen. Lindsey Graham, R-S.C., demanded to know whether his conversations overseas had been surveilled and his identity unmasked, a question he said he'd asked the intelligence community to respond to months ago.
The Senate Judiciary Committee, aiming to determine whether to reauthorize 702, also heard from witnesses on whether to include a sunset provision if 702 is reauthorized, and whether a warrant should be required to query 702’s database if seeking information on U.S. citizens who aren’t considered a national security threat.
Angelique Carson, CIPP/US, has the story.
Eternal Blue exploited once again, despite patch
Even though Microsoft has issued a patch for the vulnerability exploited by NSA hacking tool Eternal Blue, a global ransomware attack still managed to exploit it yesterday, affecting hundreds of government agencies and companies, The New York Times reports.
Believed to be the ransomware virus Petya, or a variant thereof, which is freely available on the dark web, the attack infected Ukrainian institutions first, and affected firms that include DLA Piper, Merck, Russian oil company Rosneft, and German railway company Deutsche Bahn.
If the patch is out there, why has the ransomware been effective? “Just because you roll out a patch doesn’t mean it’ll be put in place quickly,” said Carl Herberger, vice president for security at Radware.
“The more bureaucratic an organization is, the higher chance it won’t have updated its software.”
ICO fines game rental site 60,000 GBP
Boomerang Video, an operator of a video game rental site, was fined 60,000 GBP this week after the U.K. Information Commissioner's Office found the company "failed to take appropriate technical measures against the unauthorised or unlawful processing of personal data." After a third-party vendor left a vulnerability in the company's WordPress login page, a hacker was able to penetrate the site's back end and then download the cardholder details of more than 26,000 customers.
The ICO fined Boomerang because it failed to conduct regular penetration testing on its own site, failed to have a sufficiently complex password for its WordPress back end login, and failed to keep its decryption key secure.
Up-to-date breach notification laws in a single repository
An innovative new tool developed in partnership between the IAPP and RADAR provides an efficient and streamlined way to stay current with complex and ever-changing data breach notification laws.
Keep up with shifting jurisdictional requirements for regulatory compliance, stay informed of breach reporting obligations, and access current overviews of breach notification laws — including GDPR.
Free for IAPP members.
Report: Companies underestimate 'slow burn' of cyberattacks
According to a Lloyd's of London report written with consultants KPMG and law firm DAC Beachcroft, European companies underestimate the long term effects of cyberattacks.
"There is a lack of understanding as to what cyberattacks can mean," Lloyd's of London Chief Executive Inga Beale told Reuters, adding, "Businesses need to prepare for the full costs of a cyberattack." In addition to short-term costs like notification, companies need to prepare for potential loss of customers, devalued share prices and other consequences, the report states.
INTERNET OF THINGS
Infographic: Data and the Connected Car
The Future of Privacy Forum has published an infographic that "represents devices that may be employed in today's connected cars," to coincide with a U.S. Federal Trade Commission workshop on connected cars, happening today.
The image offers information on types of wireless connectivity, the types of data that may be shared, the other devices and services that may receive the data, and the devices within cars that transmit and receive data.
While "no single vehicle will have all of these features ... most new vehicles have some," the infographic notes, adding, "Much connected car data is protected by technical controls, laws, self-regulatory commitments, privacy policies, and other emerging mechanisms or controls."
Facebook's content review guidelines under the microscope
In an extensive piece, ProPublica reviewed internal documents regarding the guidelines Facebook uses to distinguish between hate speech and legitimate political expression, exploring the way Facebook operates as a global platform.
The documents found Facebook content reviewers are trained to delete posts directed toward “protected categories,” such as race, sex, gender identity, religious affiliation, national origin, ethnicity, sexual orientation and disabilities.
They are not tasked to delete posts if they are aimed at “subsets” of protected categories.
University of Maryland Law Professor Danielle Citron said Facebook’s approach will “protect the people who least need it and take it away from those who really need it.” “The policies do not always lead to perfect outcomes,” said Monika Bickert, head of global policy management at Facebook.
“That is the reality of having policies that apply to a global community where people around the world are going to have very different ideas about what is OK to share.”
Half-day local workshops for privacy pros across EU and US — 4.5 IAPP CPE credit hours
A new global series of free local workshops has been announced to meet the demands of privacy professionals requesting focused, hands-on time diving into the operational details, best practices and tools associated with GDPR, privacy program management, DPIAs and Data Mapping.
These workshops qualify for 4.5 CPE credit hours.
Illinois Houses pass Geolocation Privacy Protection Act
The Illinois House and Senate have passed the Geolocation Privacy Protection Act.
The act states an entity may not “collect, use, store, or disclose geolocation information from a location-based application on a person's device” unless first receiving express consent.
Anyone affected under the act can recover the greater sum between liquidated damages suffered, or $1,000, and reasonable attorney’s fees and costs.
Under an amendment from the House, the definition of “geolocation information” means data sufficient to determine or infer the precise location, rather than just the location of the device.
The bill still needs the signature of Gov. Bruce Rauner, R-Ill.
Op-Ed: US, EU need a data security trans-Atlantic charter
In an op-ed for the Chatham House, Christopher Smart writes about the need for a trans-Atlantic charter for data security and mobility.
As cross-border data flows continue to rapidly grow, developing policies to protect privacy and security are challenging.
Add the different ideologies between the U.S. and the EU, and the need for a charter seems crucial for future business.
“This makes more determined efforts by U.S. and European policymakers to agree [on] basic principles that will guide the usage and protection of personal and commercial data all the more important,” Smart writes.
“While common regulations or even greater alignment among regulators seem out of reach, a 'Transatlantic Charter for Data Security and Mobility’ would provide a set of principles for more specific rules amid political landscapes and technological developments that are evolving rapidly.”
Police generate facial composite using suspect's DNA
Police in Maryland have generated a facial composite of a suspect using DNA evidence obtained after he allegedly broke into the same woman's home, twice, and raped her, WJLA reports.
The same suspect broke into four other homes, according to Montgomery County Police, and committed the same crime four additional times.
No arrest has been made in the seven years since the first crime occurred, prompting police to consult DNA-phenotyping company Parabon NanoLabs.
The lab used the suspect's DNA, obtained from the first two instances of rape, to create a facial image predicting his traits.
The lab's composite indicates a black male of western African descent with dark brown eyes and black hair.
Editor's Note: At the IAPP's Navigate event in 2013, Heather Dewey-Hagborg spoke about her work using DNA as a catalyst for art and how it can be used to create portraits of the DNA owners.
Is your data working for another company?
Osterman Research reports that 87 percent of employees who leave a job take company IP with them.
One in five has sent your data to the cloud — and out of your control.
And departing employees can easily end up working for one of your competitors.
Download the Osterman report, “Best Practices for Protecting Your Data When Employees Leave Your Company.” And close the door on exiting data.
FOIA docs: DEA paid to train law enforcement on social media data mining
Motherboard reports on information it obtained via the Freedom of Information Act outlining U.S. Drug Enforcement Agency funding to train other law enforcement on exploiting social media platforms to mine data.
According to a statement of work, the DEA "is responsible for keeping up with the increasing use of emerging technologies as a means of communications used by the Drug Trafficking Organization's [sic] and to provide viable solutions to the field on how to exploit such technologies." The document adds that the training is open to other law enforcement within the DEA's purview, and that the DEA paid a training company $20,000 last year for two training sessions on various topics, including how to "locate hidden information" and "uncovering image metadata," according to the report.
License-plate scanner bill draws controversy over data storage, sharing
A bill involving automated license plate scanning on Rhode Island highways is the subject of some controversy, WPRI reports.
The bill, which would see the installation of scanners aimed at catching out-of-state drivers without insurance, was approved by the state's House of Representatives Monday and now heads to the Senate.
Violators would be fined a maximum of $120, and half of that would go to the state, half to the third-party organization running the cameras.
Robert Jacquard, D-Cranston, sponsored the bill and said the data collected would be erased within one minute of being reviewed by law enforcement, but Marcela Betancur of the ACLU said it's not yet explained how the data will be stored or safely shared with both law enforcement and the third-party organization.
Run-down of privacy developments in Trump's first 150
In a post for Law360, IAPP member and Lazare Potter & Giacovas Partner Jaipat Jain provides a quick and well-referenced overview of privacy developments in the United States over the course of the Trump Administration's first 150 days.
Included is an overview of Trump's executive order regarding the Privacy Act, an extensive look at the broadband privacy rules rollback at the U.S. Federal Communications Commission, and a summary of Privacy Shield developments.
He also takes notes of broadband privacy law developments in 28 U.S.