Sunday, February 22, 2009

A Quick Reminder: If you want legal advice, get a lawyer

As it says in the disclaimer at the bottom of the page (which you should definitely read): "This site is provided for informational purposes only...This site should not be used as a substitute for competent legal advice from a licensed professional attorney in your state."

Data privacy and information security is governed by a patchwork of state laws, and there is massive variation from jurisdiction to jurisdiction. For example, my home state, Ohio, has a data security notification law (ORC 1349.19). However, if I drive 10 minutes south from my office, I'm in Kentucky, which doesn't have an equivalent law (a handy table of what states do and do not have such laws can be found here). Tort remedies, such as trespass to chattels, breach of contract, negligence and intentional infliction of emotional distress (to name 4) are also governed by state law.

This web site does discuss the law surrounding information security and data privacy. However, anyone who has a question about their own information security or data privacy situation should get a lawyer who can apply the law as it exists in their jurisdiction to the facts as it exists in their case - not rely on a web site (this one, or any other).

Monday, February 16, 2009

Massachusetts Extends Compliance with Data Security Rules

We've written previously (e.g., here) about Massachusetts' new data security rules. Briefly, they would have required anyone who owns, stores or maintains the personal data about a resident of Massachusetts who stores data electronically to encrypt the data before transmitting it wirelessly or over a public network. The rules would also have required encryption of data stored on mobile devices. I say "would have" because because their implementation deadline, which had been previously set at May 1, 2009 has been extended till January 1, 2010 (see article here).

Of course, this isn't a big surprise, since regulations having to do with privacy (both strengthening, like the red flag rules and weakening, like Real ID) have a history of getting delayed.

Tuesday, February 10, 2009

Even More Limitations on Private Rights of Action

Previously, I've written about problems with protecting privacy through private civil suits, such as transaction costs, difficulty of proving damages, and a generally hostile court system. However, a recent breach notification by as indicated that even when those factors aren't present, people (or, in this case, businesses) still aren't that interested in enforcing their rights. The story, according to this article from Computer World is that the web site was victimized by an SQL injection attack, and the operators eventually entered into a settlement with the FTC wherein they agreed to undergo audits and not to make any further misleading claims about privacy. So far not particularly notable. However, as the article says, unlike most security breaches:

The breach was notable because the site prominently displayed a "Hacker Safe" seal provided to companies by McAfee Inc. as part of its ScanAlert vulnerability scanning service. However, McAfee officials said at the time that the Hacker Safe certification — since renamed McAfee Secure — had been withdrawn from on multiple occasions during 2007 after scans found vulnerabilities in its systems.

To me this is shocking. Not because a supposedly secure site was compromised, but because they were improperly displaying the "Hacker Safe" seal.

Where was McAfee?

Didn't it care about its good name? I would guess that would have taken down the "Hacker Safe" seal if McAfee simply asked them to. I doubt even a sternly worded letter would have been necessary. Still, if it had been, there are any number of attorneys who could have written it, and who would have been happy to go to court to get the seal removed if wouldn't take it down otherwise. Happily, the FTC stepped up in this case. However, it's a little surprising that they were the ones who ended up doing it, rather than the private actor who one would think would have had both the incentive and opportunity to have taken action earlier.

Sunday, February 1, 2009

A view from the dark side

Via Bruce Schneier, we have a fascinating interview with an adware author. From a technical perspective, it's fascinating - he gives a programmer's eye view of the various mechanisms he used to make sure his adware couldn't be uninstalled or stopped. From a privacy standpoint it's disturbing. When asked the question of whether people had any security or privacy at all, his answer was (essentially) no, but it doesn't matter because most people aren't criminals so you're probably ok.

From a legal standpoint, it had two interesting takeaways. First: End User License Agreements are trouble. The interviewee's opinion was that people don't read EULAs, so you can put anything in them, including agreements by the user that the adware company can install whatever software they want on the user's computer. In the coming years, I would expect to see some limits placed on this (e.g., by the FTC under its authority to police unfair or deceptive trade practices). Second, the legal system can work to curb bad practices, but only once the bad practices are known. The company the interviewee worked for, Direct Revenue, was sued by Elliot Spitzer. The problem is, the suit only happened after the company made the poor business decision to start branding their adware. If they hadn't done that, it's anyone's guess as to whether they even would have shown up on the (now disgraced) attorney general's radar screen.

Also, one final takeaway from the interview: if you want to reduce your susceptibility to adware (or various forms of viruses or other malware) switch off Microsoft products. The interviewee was openly contemptuous of Microsoft products. The money quote: "If you’re using IE [Internet Explorer], then either you don’t care or you don’t know about all the vulnerabilities that IE has." I'm not sure I agree with him, but it's interesting to see how an insider views the world at large.