Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team.
Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference.
Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp.
Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris.
Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
California Federal Court Weighs In (Again) on Social Media Scraping
Social media sites such as Facebook and LinkedIn have collected personal information on hundreds of millions of subscribers. They have also promised those subscribers that their data will only be shared or used for particular purposes—agreements that are not only enforceable but also are required to be upheld under various ...
Security Boulevard
Hang up the Phone: MFA’s Insecure Reliance on SMS
It’s hard enough to get people to use multi-factor authentication (MFA)—you know, something you know, you have and you are. Most websites, email accounts and other devices are secured (if at all) with a simple user ID (or email address) and password—and frequently with insecure, reusable, stored and retransmitted credentials ...
Security Boulevard
Court Greenlights Accenture/Marriott Breach Suit
A court has ruled that Accenture, as a service provider to Starwood, owed a duty to prevent data breaches to Starwood’s customers. In September 2018, Bethesda, Maryland-based Marriott International’s subsidiary chain Starwood learned it had been the victim of a massive data breach involving millions of customer records. The data ...
Security Boulevard
VA High Court: License Plate Database Not Personal Data
Regulations related to the collection, storage and use of personal data don’t apply to the collection of license plate readings, a court has found, calling privacy regs into question. As you drive to George Mason University in Fairfax, Virginia, you may very well pass a blue and grey Fairfax County ...
Security Boulevard
Incident Response: Pay a Ransom, Go to Jail
Companies that find their files, data or networks locked by a malicious actor demanding an extortion payment now have a new worry in their incident response: The U.S. Department of Treasury. On Oct. 1, the Treasury Department’s Office of Foreign Asset Control (OFAC) issued an advisory warning companies affected by ...
Security Boulevard
The High Cost of Reporting a Non-Reportable Data Breach
Can a company be sued for reporting a data breach in which the data was never used and destroyed? In May, cloud provider Blackbaud was the victim of a ransomware attack designed to lock it out of accessing its own data and servers. The company notified law enforcement, used its ...
Security Boulevard
U.S. Requires Servers to Ban TikTok, WeChat Traffic
On Sunday, Sept. 20, Chinese company ByteDance’s TikTok and WeChat die. President Trump’s executive order, which prohibits any “transactions” with ByteDance thereafter, has now been clarified to note that “transactions” include both the transfer of data to and from TikTok, as well as the hosting or downloading of the applications ...
Security Boulevard
Is a Ransomware Attack a Reportable Data Breach?
One question that vexes security engineers, incident responders and lawyers is whether a ransomware attack constitutes a reportable data breach under any of the various data breach disclosure laws, regulations or other requirements. As with anything else in the law, the simple answer is, “it depends.” Once More Into the ...
Security Boulevard
Garbage In, Gospel Out: The Security Problem of Data Accuracy
The accuracy or integrity of data is only as good as its source. In two separate incidents, one in Colorado and one in Washington, D.C., police at gunpoint stopped people who were not committing any crimes, ordered young families out of their cars at gunpoint and further ordered them to ...
Security Boulevard
TikTok and National Security: The Need for a Comprehensive U.S. Privacy Law
Last week, President Donald Trump threatened to ban the popular social media platform TikTok, whose corporate owner is a Chinese company with alleged ties to the Chinese Communist Party. Trump’s stated grounds for seeking to ban the popular application was that the app threatens U.S. national security. But exactly how? ...
Security Boulevard

