Mark Sullivan reports: A new report from the Department of Homeland Security’s Office of Inspector General (OIG) says that the U.S. Coast Guard holds plenty of personally identifiable health information in its servers but lacks a strong approach to dealing with privacy issues. The report grew from a DHS audit that focused on practices and procedures for…
Category: Commentaries and Analyses
If the FTC comes to call
Mark Eichorn of the FTC writes: It’s a question we’re asked a lot. “What happens if I’m the target of an FTC investigation involving data security?” We understand – no one wants to get that call. But we hope we can shed some light on what a company can expect. First things first. All of…
Dentrix vulnerability still poses risk to patient data: researcher
In early 2014, and over on PHIprivacy.net, I published some posts expressing concern about a vulnerability in Dentrix software, Dentrix’s claims at the time that its G5 product incorporated “encryption,” and their subsequent decision that the firm would not individually notify all customers that what the customers had been sold as “encryption” was not encryption. Following up on the public posts,…
‘Millions’ of routers open to absurdly outdated NetUSB hijack
Darren Pauli reports: SEC Consult Vulnerability Lab Stefan Viehbock says potentially millions of routers and internet of things devices using KCodes NetUSB could be exposed to remote hijacking or denial of service attacks. The packet fondler says the vulnerability (CVE-2015-3036) hits the Linux kernel module in scores of popular routers which serves to provide network…
Airplane hacking panic! Why it’s a surely a storm in a teacup
There has been much media coverage of Chris Robert’s alleged claims about controlling an airplane in-flight. I haven’t bothered to link to them as they generally just re-hash what is already known and not known. But Iain Thomson got a more detailed response from those who are skeptical about Roberts’ claims: At last year’s…
The Data Breach Notification That Cried Wolf: How Connecticut’s Overbroad Data Breach Notification Statute Undermines the Effectiveness of Consumer Protection
Jackson Raymond Schipke, Connecticut, 3L Roger Williams University Law School writes: Connecticut’s data breach statute is a wolf in sheep’s clothing. That statute’s definition of “breach of security” is overbroad, encourages over-notification, and undermines the goal of protecting consumers from identity theft. In Connecticut, notification is triggered by mere access of personal information, a statutory…