Posted in Information Security

Privacy Dispatches

How Do You Engineer Privacy? NIST Seeks Answers

Last week, the National Institute of Standards and Technology (NIST) hosted a workshop to discuss and develop the concept of privacy engineering. Although a great deal was covered, three topics recurred throughout the workshop and appeared to be of special interest to NIST, most notably the lack of technical standards concerning privacy,the role engineers can play in protecting privacy and the role NIST should play in the privacy field going forward.

Cybersecurity

SEC and Cybersecurity—What Publicly-Traded Companies Need to Know

With the news that Target intends to wait until it files its annual report in March with the Securities and Exchange Commission (SEC) on the investment consequences of its massive cybersecurity intrusion from 2013, the SEC and cybersecurity once again gains attention.

From the Wire

Tuning the Privacy/Customer Service Dial

By Jedidiah Bracy, CIPP/US, CIPP/E

Twitter handles can be valuable commodities, and no story better demonstrates that than one described by web developer Naoki Hiroshima. Originally published on his personal blog and then republished with permission by TheNextWeb, “How I lost my $50,000 Twitter username” describes the ordeal he went through when a hacker decided he wanted Hiroshima’s Twitter handle @N—registered to Hiroshima since 2007.

In a nutshell, a hacker decided he wanted @N and was going to do just about anything to get it—without paying any money, of course. To do so, according to the hacker himself (someone call “Ripley’s Believe It or Not”), he socially engineered his way into Hiroshima’s GoDaddy account, which controlled several of his website domains, in order to wrest control of @N from Hiroshima. Give up the Twitter handle and the hacker would take his hands off the throat of Hiroshima’s websites.

Extortion at its finest.

More from Jedidiah Bracy

From the Regulator

Living in Interesting Times—A View from the New Zealand Privacy Office

One of the dubious delights of being a privacy regulator is the unexpected things that crop up during every working week. It doesn’t matter how I plan and prioritise work—some headline-grabbing issue or urgent demand for time and attention will come across the desk and force a rethink. It can be a challenge, but it certainly keeps the job interesting.

More from Katrine Evans

Practical Privacy

How to Lose Your Data In 10 Days

By Heather Federman, CIPP/US

It’s no longer an “if” you’re the target of a data breach; it’s just a matter of “when.” Data loss incidents are becoming an unfortunate rite of passage. More and more businesses have found themselves exposed and ill-prepared to manage the fallout. While the average cost of a breach equals $5.5 million, the public reaction fosters graver implications. The resulting “business shock” not only paralyzes operations, but it also damages relationships with regulators, partners and consumers.

How can you best prepare and defend your organization? How can we all make 2014 the year of “data stewardship?”

More from Heather Federman

Privacy Profession

Engineers and Lawyers in Privacy Protection: Can We All Just Get Along?

By Peter Swire, CIPP/US

In March 2013 we participated in a panel titled “Re-Engineering Privacy Law” at the IAPP Privacy Summit. The topic of the panel closely matches the topic of this book, how to bring together and leverage the skill sets of engineers, lawyers, and others to create effective privacy policy with correspondingly compliant implementations. As a software engineering professor (Antón) and a law professor (Swire), we consider four points: (1) how lawyers make simple things complicated; (2) how engineers make simple things complicated; (3) why it may be reasonable to use the term “reasonable” in privacy rules but not in software specifications; and (4) how to achieve consensus when both lawyers and engineers are in the room.

More from Peter Swire

Trending

The Supreme Court Is Scared of Technology. This Is How Privacy Pros Can Help

By Jedidiah Bracy, CIPP/US, CIPP/E

This was a big week for emerging technology—particularly the Internet of Things (IoT)—as was showcased during the annual Consumer Electronics Show in Las Vegas, NV. Cisco’s CEO made headlines after saying the IoT has the potential to become a $19 trillion market and much of mainstream media reported on all the emerging technology: smart cars, wearable sensors and digestible computers—stuff we’ve been reporting on pretty regularly in the past year.

So it seemed fitting—and concerning—that the Associated Press reported on the wariness felt by Supreme Court justices on judges weighing in on technology and privacy issues. As Justice Elena Kagan said last summer, “The justices are not necessarily the most technologically sophisticated people.”  And the court may face it’s biggest challenge yet, if, as many suspect, it eventually weighs in on the NSA’s metadata collection programs. Justice Antonin Scalia told a group of technology experts last July that elected branches of government are better equipped to grapple with security requirements and privacy protections.

More from Jedidiah Bracy

Opinion

Is the Congressional Response to the Target Breach Off-Target?

In the aftermath of the Target breach announced last month, there has been understandable anxiety on the part of consumers and understandable concern by lawmakers about how to respond to large-scale breaches of this type.

In recent weeks, there have been calls by members of Congress for hearings on the Hill. Several Senators have demanded an investigation by the Federal Trade Commission (FTC) and have discussed legislation beefing up the FTC’s enforcement powers—although as I’ve written here previously , the FTC has not exactly needed an engraved invitation to investigate data breaches in recent years and does not seem to have been inhibited at all by the lack of clear (some might say any) authority to do so. And just this week, Sen. Patrick Leahy (D-VT) reintroduced the Personal Data Privacy and Security Act, which among other things would create a national breach notification standard.

More from Jason Weinstein