The state of Virginia's data breach notification law went into effect on July 1, 2008. It is similarly worded to other state legislation in that the use of data encryption software provides safe harbor from costly and embarrassing breach notifications. (Are you looking for Virginia's medical information breach notification law? Click here.) It differs in one crucial aspect. Unlike similar state laws, a provision for imposing financial penalties has been included. (Note: I'm not a lawyer, and you should consult with your legal representatives if you experienced a data breach).
The state of Virginia's data breach notification law went into effect on July 1, 2008. It is similarly worded to other state legislation in that the use of data encryption software provides safe harbor from costly and embarrassing breach notifications. (Are you looking for Virginia's medical information breach notification law? Click here.)
It differs in one crucial aspect. Unlike similar state laws, a provision for imposing financial penalties has been included. (Note: I'm not a lawyer, and you should consult with your legal representatives if you experienced a data breach).
Virginia Code § 18.2-186.6 was designed, like many such state legislation, to encourage entities to improve their customers' data security measures. As such, it provides safe harbor when encryption software is used to protect customer data: If unencrypted or unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and causes...[it] shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to the Office of the Attorney General and any affected resident of the Commonwealth without unreasonable delay [my emphasis] This is one of the few laws I've seen where the use of encryption provides a direct relief from going public with a data breach. In most legislation I've seen, safe harbor seems to be provided by defining personal information as "unencrypted data." I think the reasoning might be, since encrypted personal information is not unecrypted data, by definition it's not personal information anymore--so, losing this encrypted information cannot be constituted as a data breach. A confusing and roundabout way, certainly, but it gets the job done. It's also one of the few laws that also specifies that encryption is not enough: ...disclose the breach of the security of the system if encrypted information is accessed and acquired in an unencrypted form, or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such a breach has caused or will cause identity theft... Most state laws have not gone as far as taking into the possibility of the encryption keys (or passwords) being compromised as well. While it would be up to the courts to decide upon it, there are criticisms directed at the data breach laws because safe harbor is afforded regardless of whether the encryption in question really provides personal information security, unlike the above.
Virginia Code § 18.2-186.6 was designed, like many such state legislation, to encourage entities to improve their customers' data security measures. As such, it provides safe harbor when encryption software is used to protect customer data:
If unencrypted or unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and causes...[it] shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to the Office of the Attorney General and any affected resident of the Commonwealth without unreasonable delay [my emphasis]
This is one of the few laws I've seen where the use of encryption provides a direct relief from going public with a data breach. In most legislation I've seen, safe harbor seems to be provided by defining personal information as "unencrypted data."
I think the reasoning might be, since encrypted personal information is not unecrypted data, by definition it's not personal information anymore--so, losing this encrypted information cannot be constituted as a data breach. A confusing and roundabout way, certainly, but it gets the job done.
It's also one of the few laws that also specifies that encryption is not enough:
...disclose the breach of the security of the system if encrypted information is accessed and acquired in an unencrypted form, or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such a breach has caused or will cause identity theft...
Most state laws have not gone as far as taking into the possibility of the encryption keys (or passwords) being compromised as well. While it would be up to the courts to decide upon it, there are criticisms directed at the data breach laws because safe harbor is afforded regardless of whether the encryption in question really provides personal information security, unlike the above.
According to the law a "breach" is: "Breach of the security of the system" means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused, or will cause, identity theft or other fraud to any resident of the Commonwealth. Note how the breach is relegated to computerized data only. There are states that are updating their data breach notification laws to include the breach of data stemming from paper documents as well, and barring the passage of a federal law governing data breach notifications, we may very well see an update to account for its absence. "Personal information" follows the conventional definition found in most state laws. It's the first name (or initial) and last name combined with: • Social security number• Driver's license information• Financial information, such as account numbers, credit card numbers, etc.
According to the law a "breach" is:
"Breach of the security of the system" means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused, or will cause, identity theft or other fraud to any resident of the Commonwealth.
Note how the breach is relegated to computerized data only. There are states that are updating their data breach notification laws to include the breach of data stemming from paper documents as well, and barring the passage of a federal law governing data breach notifications, we may very well see an update to account for its absence.
"Personal information" follows the conventional definition found in most state laws. It's the first name (or initial) and last name combined with:
• Social security number• Driver's license information• Financial information, such as account numbers, credit card numbers, etc.
The law is pretty straightforward. To quote it directly: Notice required by this section shall include a description of the following: (1) The incident in general terms; (2) The type of personal information that was subject to the unauthorized access and acquisition; (3) The general acts of the individual or entity to protect the personal information from further unauthorized access; (4) A telephone number that the person may call for further information and assistance, if one exists; and (5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports. Also, if the breach involves more than 1,000 people, the Office of Attorney General must be alerted of the breach without unreasonable delay, as well as consumer reporting agencies. Notices can be via letter, telephone, "electronic" (meaning what? There is no definition), or a substitute notice. The last is only possible if the cost of notification exceeds $50,000; if more than 100,000 VA residents need to be notified; or if the company that experienced the breach doesn't have contact details for customers.
The law is pretty straightforward. To quote it directly:
Notice required by this section shall include a description of the following: (1) The incident in general terms; (2) The type of personal information that was subject to the unauthorized access and acquisition; (3) The general acts of the individual or entity to protect the personal information from further unauthorized access; (4) A telephone number that the person may call for further information and assistance, if one exists; and (5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
(1) The incident in general terms; (2) The type of personal information that was subject to the unauthorized access and acquisition; (3) The general acts of the individual or entity to protect the personal information from further unauthorized access; (4) A telephone number that the person may call for further information and assistance, if one exists; and (5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
Also, if the breach involves more than 1,000 people, the Office of Attorney General must be alerted of the breach without unreasonable delay, as well as consumer reporting agencies.
Notices can be via letter, telephone, "electronic" (meaning what? There is no definition), or a substitute notice. The last is only possible if the cost of notification exceeds $50,000; if more than 100,000 VA residents need to be notified; or if the company that experienced the breach doesn't have contact details for customers.
Virginia has given its AG the express ability to impose fines as a penalty (a maximum of $150,000 per incident): The Office of the Attorney General may impose a civil penalty not to exceed $150,000 per breach of the security of the system or a series of breaches of a similar nature that are discovered in a single investigation. Nothing in this section shall limit an individual from recovering direct economic damages from a violation of this section. The above law, and many others like it, may not require the use of encryption software like AlertBoot; however, they do seem to be pushing hard towards their adoption where sensitive information is concerned. Why? Because encryption is probably one of the most cost-effective and effective ways of protecting sensitive information. However, as an entity that collects sensitive information, you must remember that encryption is not a cure-all for your data security needs. Just like the body experiences many ailments--and you have different medication for them--you'll find that your company needs different security prescriptions depending on your company's IT infrastructure.
Virginia has given its AG the express ability to impose fines as a penalty (a maximum of $150,000 per incident):
The Office of the Attorney General may impose a civil penalty not to exceed $150,000 per breach of the security of the system or a series of breaches of a similar nature that are discovered in a single investigation. Nothing in this section shall limit an individual from recovering direct economic damages from a violation of this section.
The above law, and many others like it, may not require the use of encryption software like AlertBoot; however, they do seem to be pushing hard towards their adoption where sensitive information is concerned.
Why? Because encryption is probably one of the most cost-effective and effective ways of protecting sensitive information.
However, as an entity that collects sensitive information, you must remember that encryption is not a cure-all for your data security needs. Just like the body experiences many ailments--and you have different medication for them--you'll find that your company needs different security prescriptions depending on your company's IT infrastructure.
Related Articles and Sites:http://leg1.state.va.us/000/cod/18.2-186.6.HTMhttp://law.onecle.com/virginia/crimes-and-offenses-generally/18.2-186.6.htmlhttp://www.gentrylocke.com/showalert.aspx?Show=1034
TechTarget has a list of considerations that midmarket IT managers should take into account when it comes to "securing corporate data for users on the go." The use of disk encryption, such as Alertboot endpoint security, is included. More important, though, it also includes recommendations (some of them non-technical issues) that also require implementation for successfully securing corporate data. The recommendations, in no particular order, are: Education on the importance of laptop security and enforcement of policies Using full disk encryption to secure laptop data Impose login requirements Ensure that machines automatically apply security patches Be aware of non-compliant machines Interestingly enough, a number of these recommendations can be implemented by choosing the right encryption software. Take AlertBoot, for example. It's a full disk encryption software that's easily deployed over the internet and is centrally managed. An administrator can easily push policy updates, including login requirements such as password lengths; the inclusion of special characters, letters, and numbers in passwords; how often they should be changed, etc. Also, due to its integrated reporting, an administrator can easily see which computers have successfully installed the encryption package, and which ones have not. It's also possible to see how many times incorrect login attempts were made. By selecting AlertBoot or other similar encryption software, three of the five recommendations are already fulfilled. What's left? Applying security patches can be automated to an extent--just set your computer to apply any and all patches that are recommended by our OS. (Personally, I don't do this because I turn off my computer at the end of the day, and I've been caught unawares when a computer restarts automatically after applying patches. I religiously monitor for updates, though, and will apply them at the end of the day). Probably most important above all is educating employees about laptop security. Regardless of which encryption product you decide to use, it will require the cooperation of employees: ensuring they don't stick up passwords on their computer screens; share passwords; etc. Otherwise, the environment guarantees a data breach will eventually take place.
TechTarget has a list of considerations that midmarket IT managers should take into account when it comes to "securing corporate data for users on the go." The use of disk encryption, such as Alertboot endpoint security, is included. More important, though, it also includes recommendations (some of them non-technical issues) that also require implementation for successfully securing corporate data.
The recommendations, in no particular order, are:
Interestingly enough, a number of these recommendations can be implemented by choosing the right encryption software.
Take AlertBoot, for example. It's a full disk encryption software that's easily deployed over the internet and is centrally managed. An administrator can easily push policy updates, including login requirements such as password lengths; the inclusion of special characters, letters, and numbers in passwords; how often they should be changed, etc.
Also, due to its integrated reporting, an administrator can easily see which computers have successfully installed the encryption package, and which ones have not. It's also possible to see how many times incorrect login attempts were made.
By selecting AlertBoot or other similar encryption software, three of the five recommendations are already fulfilled. What's left?
Applying security patches can be automated to an extent--just set your computer to apply any and all patches that are recommended by our OS. (Personally, I don't do this because I turn off my computer at the end of the day, and I've been caught unawares when a computer restarts automatically after applying patches. I religiously monitor for updates, though, and will apply them at the end of the day).
Probably most important above all is educating employees about laptop security. Regardless of which encryption product you decide to use, it will require the cooperation of employees: ensuring they don't stick up passwords on their computer screens; share passwords; etc. Otherwise, the environment guarantees a data breach will eventually take place.
Related Articles and Sites:http://searchcio-midmarket.techtarget.com/tip/0,289483,sid183_gci1389674,00.html
One of the difficulties I have face when speaking to people about the need for better data security is denial, "because we're too small, it won't happen to us." "It" being a data breach. In other words, we're too small to be targeted (usually followed by the proclamation, "that kind of stuff only happens at the movies, anyway.") With such attitudes, it's always a little challenging to convince people that they should be using full disk encryption for securing their sensitive data on their laptops. But, as the following story shows, life imitates art.
One of the difficulties I have face when speaking to people about the need for better data security is denial, "because we're too small, it won't happen to us." "It" being a data breach. In other words, we're too small to be targeted (usually followed by the proclamation, "that kind of stuff only happens at the movies, anyway.")
With such attitudes, it's always a little challenging to convince people that they should be using full disk encryption for securing their sensitive data on their laptops. But, as the following story shows, life imitates art.
Criminals attached credit-card skimming devices inside gas pumps across Utah, according to darkreading.com. These devices were Bluetooth-enabled, meaning data could be collected from a distance, and was "the size of a cellular phone SIM card." If you're not aware, because you've been using, say, Verizon as you cellphone provider, a SIM card is about the size of a dime. Put a sticker over it--say, a warning message: "Please don't remove"--and you probably wouldn't. I mean, it's electronic, it's attached to the gas pump's internals...it's probably a doohickey of some sort; removing it might break the pump, or perhaps transport you to Middle Earth... Anyway, this way of pilfering data is not as uncommon as it appears: apparently, similar situations have cropped up across Europe, and California had its own situation. The case in Utah involved some 180 pumps. It's believed that the devices were in place for two months. They were removed in January.
Criminals attached credit-card skimming devices inside gas pumps across Utah, according to darkreading.com. These devices were Bluetooth-enabled, meaning data could be collected from a distance, and was "the size of a cellular phone SIM card."
If you're not aware, because you've been using, say, Verizon as you cellphone provider, a SIM card is about the size of a dime. Put a sticker over it--say, a warning message: "Please don't remove"--and you probably wouldn't. I mean, it's electronic, it's attached to the gas pump's internals...it's probably a doohickey of some sort; removing it might break the pump, or perhaps transport you to Middle Earth...
Anyway, this way of pilfering data is not as uncommon as it appears: apparently, similar situations have cropped up across Europe, and California had its own situation. The case in Utah involved some 180 pumps. It's believed that the devices were in place for two months. They were removed in January.
The thought that someone would go around not only installing stuff inside gas pumps (how do you even do this without the employees noticing?), but would take the time to buy 180 doodads, configure them, and install them (again, 180 times)...well, it's unheard of, right? The above sounds like something that would only happen in the movies (maybe it can be the script to Ocean's 14: Clooney & Co. Hits Bottom). But no, it's being done by some real criminal organization (in Utah, of all places). And, the gas stations are not being targeted because they've got money, or happen to be big business: my guess is that they've been targeted regardless of whether it's a franchisee or a corporate-owned one, whether the location is profitable or not (granted, you usually don't have too many of the latter when it comes to gas stations). What are the criminals after? They saw an opportunity to make a buck (illegally) and took it. Just because it doesn't happen often enough doesn't mean it doesn't happen, nor that it won't happen. Credit card skimming has been around for a long time, and this latest one is just an advanced twist on what used to happen at ATM machines with skimmers that were much, much bigger in size. Likewise with laptops and other data storage devices. People have this general feeling that their laptops will not be targeted for the data in them because they're not rich; or perhaps they do have money but they're not famous enough, so why would they be targeted; or whatever. The reasons are myriad. I've even had a discussion with a person who never stores any sensitive info on a particular laptop, but does use it for on-line banking. If the laptop gets stolen...well, so what? Passwords are not stored, so it doesn't matter. Here's one scenario I can think of: thief takes a look at the computer and notices the guy does on-line banking. He installs a keystroke logger and returns the laptop. Owner checks his balance on-line using compromised computer. On-line banking compromised. What are the chances of this happening? What are the chances your credit card number got compromised at a gas pump on your road trip to Vegas? Now, if the laptop in my scenario had been protected with disk encryption, there would have been no way of knowing what the laptop contained, so any harm real or imagined would have been prevented.
The thought that someone would go around not only installing stuff inside gas pumps (how do you even do this without the employees noticing?), but would take the time to buy 180 doodads, configure them, and install them (again, 180 times)...well, it's unheard of, right?
The above sounds like something that would only happen in the movies (maybe it can be the script to Ocean's 14: Clooney & Co. Hits Bottom). But no, it's being done by some real criminal organization (in Utah, of all places).
And, the gas stations are not being targeted because they've got money, or happen to be big business: my guess is that they've been targeted regardless of whether it's a franchisee or a corporate-owned one, whether the location is profitable or not (granted, you usually don't have too many of the latter when it comes to gas stations).
What are the criminals after? They saw an opportunity to make a buck (illegally) and took it. Just because it doesn't happen often enough doesn't mean it doesn't happen, nor that it won't happen. Credit card skimming has been around for a long time, and this latest one is just an advanced twist on what used to happen at ATM machines with skimmers that were much, much bigger in size.
Likewise with laptops and other data storage devices. People have this general feeling that their laptops will not be targeted for the data in them because they're not rich; or perhaps they do have money but they're not famous enough, so why would they be targeted; or whatever. The reasons are myriad.
I've even had a discussion with a person who never stores any sensitive info on a particular laptop, but does use it for on-line banking. If the laptop gets stolen...well, so what? Passwords are not stored, so it doesn't matter.
Here's one scenario I can think of: thief takes a look at the computer and notices the guy does on-line banking. He installs a keystroke logger and returns the laptop. Owner checks his balance on-line using compromised computer. On-line banking compromised.
What are the chances of this happening? What are the chances your credit card number got compromised at a gas pump on your road trip to Vegas?
Now, if the laptop in my scenario had been protected with disk encryption, there would have been no way of knowing what the laptop contained, so any harm real or imagined would have been prevented.
Related Articles and Sites:http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=223100233
The US Department of Health and Human Services (HHS) is charged, under the HITECH act, with collecting data breach notifications for any HIPAA-covered entities. Under the act, these entities are required to immediately send an official letter of notification if the breach involved more than 500 people (breaches where 500 or less people affected are reported annually. The use of data encryption like AlertBoot provides the equivalent of a safe harbor).
Thirty-six hospitals, clinics, private practices, and other medical facilities are listed in this first report. In the six months between September 2009 and January 2010, over 1 million people were affected in total. Types of Breaches The types of breaches listed are pretty straightforward. Theft: 27Unauthorized Access: 7Loss: 3Phishing Scam: 1Hacking/IT Incident: 1Incorrect Mailing: 1Misdirected E-mail: 1 The sum exceeds 36 because there are overlapping descriptions. Location of Breached Information Laptops: 9Desktops: 7Portable Electronic Devices/USB/Hard Drives: 6Network Servers/Computers: 3E-mail: 2Backup Tapes/CDs: 3Others (paper-based and such): 7 The sum also exceeds 36 because of overlapping devices/documents. I've also taken the liberty of combining certain categories together (e.g., portable electronic devices and portable USB devices).
Thirty-six hospitals, clinics, private practices, and other medical facilities are listed in this first report. In the six months between September 2009 and January 2010, over 1 million people were affected in total.
The types of breaches listed are pretty straightforward. Theft: 27Unauthorized Access: 7Loss: 3Phishing Scam: 1Hacking/IT Incident: 1Incorrect Mailing: 1Misdirected E-mail: 1 The sum exceeds 36 because there are overlapping descriptions.
The types of breaches listed are pretty straightforward.
Theft: 27Unauthorized Access: 7Loss: 3Phishing Scam: 1Hacking/IT Incident: 1Incorrect Mailing: 1Misdirected E-mail: 1
The sum exceeds 36 because there are overlapping descriptions.
Laptops: 9Desktops: 7Portable Electronic Devices/USB/Hard Drives: 6Network Servers/Computers: 3E-mail: 2Backup Tapes/CDs: 3Others (paper-based and such): 7 The sum also exceeds 36 because of overlapping devices/documents. I've also taken the liberty of combining certain categories together (e.g., portable electronic devices and portable USB devices).
Laptops: 9Desktops: 7Portable Electronic Devices/USB/Hard Drives: 6Network Servers/Computers: 3E-mail: 2Backup Tapes/CDs: 3Others (paper-based and such): 7
The sum also exceeds 36 because of overlapping devices/documents. I've also taken the liberty of combining certain categories together (e.g., portable electronic devices and portable USB devices).
It doesn't take a genius to see that the thefts and losses of computers and similar devices (laptops, desktops, servers, USB devices, etc.) is the leading cause of data breaches--at least, where HIPAA-covered entities are involved. In fact, it's more than the leading cause. They compromise well over the majority of reported data breaches. There's not much to analyze, actually. (Here's something to think about: are the thefts and losses of computers the real leading reason for data breaches, or are they just better reported? I'd notice if a laptop were stolen at my office. I'd probably never notice that a folder full of files was missing out of my file cabinet, which I haven't even peeked into in years. Hmph; why do I still have that thing around?). A further breakdown and analysis is done at this site, waynerino.com. The numbers over there are a little different from what I've reported, no doubt because I've taken the liberty of combining certain figures, but the conclusions are essentially the same. Something to note at waynerino.com is the breakdown by geographic location. The state with the leading number of reported breaches is California, with 28%. My guess is that this doesn't quite indicate that California is full of data thieves. Rather, it probably indicates that California entities are better informed about the notifying the HHS. This is the state that started the entire breach notification trend, after all. What I find most unfortunate about the above is that the use of encryption software would have prevented most of these breaches. Not the actual theft of the devices, mind you; I mean that it would have eliminated the chances of the thieves also accessing the patient information. The use of disk encryption, for example, on desktops and laptops would essentially prevent access to the computer--in fact, with pre-boot authentication, the thief wouldn't even be able to start up the computer. As an alternative, file encryption could also have been used, and may even have been the only option for files saved to backup tapes and CDs.
It doesn't take a genius to see that the thefts and losses of computers and similar devices (laptops, desktops, servers, USB devices, etc.) is the leading cause of data breaches--at least, where HIPAA-covered entities are involved. In fact, it's more than the leading cause. They compromise well over the majority of reported data breaches. There's not much to analyze, actually.
(Here's something to think about: are the thefts and losses of computers the real leading reason for data breaches, or are they just better reported? I'd notice if a laptop were stolen at my office. I'd probably never notice that a folder full of files was missing out of my file cabinet, which I haven't even peeked into in years. Hmph; why do I still have that thing around?).
A further breakdown and analysis is done at this site, waynerino.com. The numbers over there are a little different from what I've reported, no doubt because I've taken the liberty of combining certain figures, but the conclusions are essentially the same.
Something to note at waynerino.com is the breakdown by geographic location. The state with the leading number of reported breaches is California, with 28%. My guess is that this doesn't quite indicate that California is full of data thieves. Rather, it probably indicates that California entities are better informed about the notifying the HHS. This is the state that started the entire breach notification trend, after all.
What I find most unfortunate about the above is that the use of encryption software would have prevented most of these breaches. Not the actual theft of the devices, mind you; I mean that it would have eliminated the chances of the thieves also accessing the patient information.
The use of disk encryption, for example, on desktops and laptops would essentially prevent access to the computer--in fact, with pre-boot authentication, the thief wouldn't even be able to start up the computer.
As an alternative, file encryption could also have been used, and may even have been the only option for files saved to backup tapes and CDs.
Related Articles and Sites:http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.htmlhttp://www.waynerino.com/wordpress/2010/02/statistics-hhs-hitech-breache/http://www.phiprivacy.net/?p=2038
Anyone who's bothered to check any news sources over the weekend has probably heard of the situation at Lower Merion School District: the school was monitoring student activities at home. But it was something else that caught my eye today as I was reading computerworld.com's write-up of the situation, and why full disk encryption like AlertBoot may still be around for a while.
A student in the Lower Merion School District, Pennsylvania, was accused by a vice-principal of engaging in "improper activity" at the student's home, and produced a picture of him purportedly taking drugs. Turns out that the "drugs" were Mike & Ike candy. (Not familiar with it, so can't comment. I mean, do you snort it or something? Why did the school assume it was drugs? I mean, Tic-Tacs look like pills, too.) When I first read of the situation I told myself that the school was in deep doo-doo, drugs or no drugs: you can't go around monitoring what students do outside school. And if you're monitoring what they do at home, well...I was pretty sure that couldn't be legal. Also, besides the violations of privacy and wiretapping and whatnot, I was wondering "what if the kid was naked or something?" All around a bad idea to be monitoring a kid in his room. The school claims, of course, that they don't monitor kids. The cameras are only turned on when a laptop is reported lost or stolen, etc. Seeing how the candy-popping student never reported the laptop stolen, though, the school's explanation falls flat. I woke up today to find that the feds are now involved, since there may be violations of wiretapping and privacy laws. It was just a matter of time, really.
A student in the Lower Merion School District, Pennsylvania, was accused by a vice-principal of engaging in "improper activity" at the student's home, and produced a picture of him purportedly taking drugs. Turns out that the "drugs" were Mike & Ike candy. (Not familiar with it, so can't comment. I mean, do you snort it or something? Why did the school assume it was drugs? I mean, Tic-Tacs look like pills, too.)
When I first read of the situation I told myself that the school was in deep doo-doo, drugs or no drugs: you can't go around monitoring what students do outside school. And if you're monitoring what they do at home, well...I was pretty sure that couldn't be legal.
Also, besides the violations of privacy and wiretapping and whatnot, I was wondering "what if the kid was naked or something?" All around a bad idea to be monitoring a kid in his room.
The school claims, of course, that they don't monitor kids. The cameras are only turned on when a laptop is reported lost or stolen, etc. Seeing how the candy-popping student never reported the laptop stolen, though, the school's explanation falls flat.
I woke up today to find that the feds are now involved, since there may be violations of wiretapping and privacy laws. It was just a matter of time, really.
I wasn't really going to comment on the issue, since it was bound to be covered by everyone. Besides, I had noted in the past that security needs to come in layers, so using encryption doesn't mean tracking software can't be used, which definitely has its uses. For example, encryption software, while it can protect your data, cannot realistically do anything about recovering the stolen hardware (you could place a startup screen with your contact info and offer for its safe return...but how likely is it that someone will do so?) But then I found an article at computerworld.com that covered the story. In the article, it was noted that "Absolute [providers of LoJack-like services for stolen laptops] claims that it recovers about 75% of all laptops reported stolen." I've been looking for some stats on recovery rates, and there you have it. Seventy-five percent. It is an excellent recovery rate. I mean, without tracking software, recovery is like, what, 0.2%? I don't think anybody knows, really. On the other hand, the same stat shows why there needs to be different layers to security for the same machine. There's that 25% of the cases where your stolen computer can't be traced and recovered. Also, as I've noted in the past, you can't just rely on tracking software for your security needs even if the recovery rate is 100%: There is no guarantee that sensitive data will be stolen between the time your laptop disappears and the time it's recovered.
I wasn't really going to comment on the issue, since it was bound to be covered by everyone.
Besides, I had noted in the past that security needs to come in layers, so using encryption doesn't mean tracking software can't be used, which definitely has its uses. For example, encryption software, while it can protect your data, cannot realistically do anything about recovering the stolen hardware (you could place a startup screen with your contact info and offer for its safe return...but how likely is it that someone will do so?)
But then I found an article at computerworld.com that covered the story. In the article, it was noted that "Absolute [providers of LoJack-like services for stolen laptops] claims that it recovers about 75% of all laptops reported stolen."
I've been looking for some stats on recovery rates, and there you have it. Seventy-five percent. It is an excellent recovery rate. I mean, without tracking software, recovery is like, what, 0.2%? I don't think anybody knows, really.
On the other hand, the same stat shows why there needs to be different layers to security for the same machine. There's that 25% of the cases where your stolen computer can't be traced and recovered.
Also, as I've noted in the past, you can't just rely on tracking software for your security needs even if the recovery rate is 100%: There is no guarantee that sensitive data will be stolen between the time your laptop disappears and the time it's recovered.
Related Articles and Sites:http://www.computerworld.com/s/article/9160278/Software_maker_blasts_vigilantism_in_Pa._school_spying_case?taxonomyId=12&pageNumber=2http://www.philly.com/philly/news/homepage/84835492.html
And now for something completely different...from what I usually blog about. A Dutch group has created a site called pleaserobme.com (please rob me dot com) that essentially goes through twitter posts and plucks only those tweets that "check-in" using Foursquare. Essentially, you can tell when someone's not home, and that's great information for would-be burglars.
I've got to say this is the first time I've heard of Foursquare. According to Wikipedia, it's a "location-based social networking website, software for mobile devices, and game. Users "check-in" at venues using text messaging or a device specific application." I guess the idea is that, if you're at a particular bar or something, and a friend sees that he's also in the neighborhood, he can just kind of drop by and say hello. The problem, though, is that the act of checking in, and making the information public and easily available, also means that pretty much anyone can keep tabs on where you are. And how much more public or far-reaching can you get than Twitter?
I've got to say this is the first time I've heard of Foursquare. According to Wikipedia, it's a "location-based social networking website, software for mobile devices, and game. Users "check-in" at venues using text messaging or a device specific application."
I guess the idea is that, if you're at a particular bar or something, and a friend sees that he's also in the neighborhood, he can just kind of drop by and say hello.
The problem, though, is that the act of checking in, and making the information public and easily available, also means that pretty much anyone can keep tabs on where you are. And how much more public or far-reaching can you get than Twitter?
Nothing, and yet, everything. Obviously, it makes no sense to encrypt the above data: social media sites and services like Twitter and Foursquare are meant to be public. Sharing information is a given. On the other hand, it plays into the observation I made in yesterday's post about the "hidden dimension": Just because the information seems innocuous at first glance doesn't mean it cannot be easily tweaked and used for nefarious deeds. Consider e-mail addresses. No one really thinks of it as private, sensitive information. You'd be crazy to do so; I mean, if you kept your e-mail address truly private, you'd probably never receive any e-mail. However, consolidate 10,000 of the same, and suddenly there may be a way to use it for criminal purposes. Companies (OK, most companies) make it a policy to encrypt or hash client passwords, but don't extend the policy to other data such as e-mail addresses. The idea is that, if their security perimeter is breached, passwords are sensitive information while e-mail addresses are not. But, as I pointed out in yesterday's post, plain-vanilla e-mail addresses can be used for carrying out scams as well. It seems to me that anytime you've got a large enough database of any type of data identifying people, you should really take a look into securing it.
Nothing, and yet, everything. Obviously, it makes no sense to encrypt the above data: social media sites and services like Twitter and Foursquare are meant to be public. Sharing information is a given.
On the other hand, it plays into the observation I made in yesterday's post about the "hidden dimension": Just because the information seems innocuous at first glance doesn't mean it cannot be easily tweaked and used for nefarious deeds.
Consider e-mail addresses. No one really thinks of it as private, sensitive information. You'd be crazy to do so; I mean, if you kept your e-mail address truly private, you'd probably never receive any e-mail. However, consolidate 10,000 of the same, and suddenly there may be a way to use it for criminal purposes.
Companies (OK, most companies) make it a policy to encrypt or hash client passwords, but don't extend the policy to other data such as e-mail addresses. The idea is that, if their security perimeter is breached, passwords are sensitive information while e-mail addresses are not.
But, as I pointed out in yesterday's post, plain-vanilla e-mail addresses can be used for carrying out scams as well. It seems to me that anytime you've got a large enough database of any type of data identifying people, you should really take a look into securing it.
Related Articles and Sites:http://www.csmonitor.com/Innovation/Horizons/2010/0217/Please-Rob-Me-and-the-problem-with-social-mediahttp://news.bbc.co.uk/2/hi/technology/8521598.stm