  | | Responsibility Ducked | 02/14/2007 10:34:36 am by Dan Krohn | |  |
 | Previously the blog discussed the recent loss of personal data by the VA, noting that tens of thousands of people might have had their privacy compromised.
Now it appears that the VA really played down the problem in two respects: It seems that tens of thousands was a great understatement. Data may have been lost on as many as 1,800,000 people. Whew!
Second, the VA seems to have wanted to give any identity thieves a leg up. It seems to have waited about three weeks after learning of the security breach before beginning to notify people of the risk. This is utterly unacceptable.
Previously this blog has discussed the pressures on government officials (including the president) to avoid admitting mistakes. The delay in notification and underestimating of the problem are symptomatic of the pervasive avoidance of responsibility in our government - and perhaps society as a whole. The citizens of the U.S. should not tolerate this. Yet, that would require a change in attitude by all; and we don't seem to be up to the task. After all, we cannot expect those in government to behave any better than we would ourselves in similar circumstances.
Unfortunately, errors which are not admitted cannot be corrected. So the refusal to admit mistakes guarantees repetition.
|  |  |
  | | Growing Virus Threat | 02/28/2007 09:20:15 pm by Dan Krohn | |  |
 | Variations of the "storm virus" which whirled its way across the Internet a few weeks ago are reportedly at it again. This time they are being rapidly spread by some popular instant messaging systems, and users are often fooled into trusting them, as the infected messages can appear in already opened boxes which appear to be from known friends.
To make matters worse, whoever is behind this effort seems to know how to change things up with enough frequency to make life difficult.
And now, variations of that virus are appearing on blogs and across the Web. The virus seems to be able to add itself to email messages and blog posts as well as posts to Web based forums. Users are cautioned not to click on any links without reason.
The virus seems to be designed to recruit as many machines as possible to use for spam or denial of service attacks.
|  |  |
  | | Data Lost Again | 02/09/2007 10:01:45 am by Dan Krohn | |  |
 | It has been announced that Johns Hopkins has lost personal information on a large number of people: specifically 52,000 employees and 83,000 patients. The story is that backup tapes that had been sent to an outside company to create microfiche copies never got to the intended destination. For the time being, Johns Hopkins is taking the position that the tapes were probably destroyed and no personal data released to unscrupulous actors.
So here we have yet another massive slip up on personal confidential data. This time because patient records are included, there might be HIPAA implications. However, readers should note that traditionally the federal government has not vigorously enforced patient privacy provisions of HIPAA - rather than impose appropriately large penalties it has largely just required remedial procedures to be put in place.
So following up the previous blog entry on this topic, the U.S. clearly needs much tougher enforcement regarding individuals' personal data. It would not be too much to require that entities storing personal data on more than say 10,000 individuals encrypt that data.
Unfortunately, the government thus far has chosen to relieve much of the cost of data security from corporations and place the cost on those individuals whose identities get stolen. Given the relative costs of prevention and correction, this is not an economically sound decision. |  |  |
  | | Compromised Personal Data | 02/06/2007 03:46:19 pm by Dan Krohn | |  |
 | Again, it has been announced that the VA has lost personal data on some tens of thousands of veterans. This is the VA’s second major lost data event in recent times. It has become almost routine to read about some governmental agency or corporation experiencing some slip that lets tremendous amounts of personal data escape into the virtual world.
So where is this leading? Several companies are now selling insurance products to consumers offering some assistance in identity theft situations. Identity theft is very expensive costing individuals not only money but considerable time. Ben Franklin opined that “Time is money”. And nothing has happened since his day to question that truth. The overall loss to society of having otherwise productive individuals distracted to deal with identity theft is substantial. And for some individuals the inconvenience is enormous.
But what can be done to improve this situation? Clearly when individuals are careless with their own data, they have to bear some brunt of the problem. However, something should be done about companies (and governments) whose sloppiness subjects thousands to risk. Legislation requiring notification of security breaches is pretty much the limit in terms of assistance so far, and that is grossly inadequate. Legislation requiring entities which are negligent or which fail to maintain certain standards (which could be determined by regulation) to reimburse injured parties would start to get the attention of those in charge. With no financial incentive to maintain adequate security, one cannot expect companies to dedicate the resources needed. Alternatively, attorneys general could be authorized to bring actions against those responsible with penalties sufficiently high to provide incentive.
People will argue that in this technical arena it is too difficult to define negligence. Sorry, but that dog won’t hunt, as negligence theory has been applied to any number of technical arenas in the past. And finding fault with leaving a laptop with thousands of persons' information on the back seat of an unlocked car is not a tough technical judgment. And there will be those who oppose regulation because they oppose every government regulation as a matter of principle. That dog won’t hunt very well either.
Frankly, this writer does not expect many current governments to have the guts to address this problem. So justice in the area of identity theft may have to wait.
There is one other possibility. It would be great to see a company advertise that they take care of their customers' data - as opposed to XYZ who compromised the data on 60,000 of its customers. But, alas, I could not advise a client to place such an ad. For it would in essence be throwing down the gauntlet to the world’s hackers - and no system is totally safe.
So we must rely on our legislators to understand the problem and create incentives for decision makers to put resources on data security. Something else to consider as we approach the next elections.
|  |  |
  | | Law in the Virtual World | 02/03/2007 04:56:44 pm by Dan Krohn | |  |
 | The latest issue of The SciTech Lawyer includes an intriguing article by S. Gregory Boyd and Matthew Moersfelder dealing with some of the interesting legal issues which are bound to arise at the boundary of the real and virtual worlds. Specifically, the article discusses some issues arising from the fact that increasingly large numbers of people are maintaining a second existence online in some virtual world where they are immersed in role playing games.
In such games players acquire equipment and properties, create businesses and empires, and do it all under a set of rules somewhat like but not really matching those of the “real” world. For example, behavior which might land a person in prison in the U.S. might just be part of the game in a virtual world. Certainly more violence is often accepted. And it is that contrast which creates an interesting issue.
A rather large market in real dollars has developed where people trade in virtual world currencies or assets. Some player wanting to acquire a monster laser tank might find it available online in an auction or otherwise for a given amount in real world dollars. Once paid for, the seller transfers the asset inside the game’s virtual world to the buyer’s virtual persona. But what if the seller takes the money and does not deliver? In the real world that leads to a lawsuit for breach of contract. But what if the virtual world applying to that game has rules permitting lying, fraud and deception? In that case does the buyer have any legitimate complaint? Would a real world lawsuit survive a motion to dismiss? To be determined.
The authors point to another more insidious opportunity created by the trading markets between real and virtual currencies - international money laundering. Governments, concerned with the wars on terror and drugs, have increasingly enacted laws to enable them to track the flow of substantial sums of money. But how can this be done when there are informal international currency markets where real and virtual moneys can be traded and transferred online? Tracking becomes a nightmare.
There are a host of other legal issues which can arise from this blurring of worlds. And it is all far too new for any useful precedents to be established. But stay tuned, for the conservative estimates put the size in real dollars of trade in virtual online game assets at $200,000,000 plus. |  |  |