There has been so much news swirling in the data privacy and security world in the last few days, that it has been difficult to keep up. We’ll give you a roundup here for your Friday and weekend reading.
Heartbleed – Where Are We?
By now, you should know whether your web-facing applications (customer log-in, secure web portals, shopping carts) were affected by the Heartbleed vulnerability, and patches should have been applied. If you have not checked into this yet, you can test your URL at any number of sites, but here is one. Test it now!
- Upgrade any software using OpenSSL to the latest, patched version. (should be done)
- Communicate with any hardware and software vendors to ensure they’ve also upgraded.
- Once that is secured, have everyone within your company change their passwords, or notify customers that passwords should be changed.
- Explain to employees and customers what you are doing and what you have done to take precautions against this bug.
The second bullet was the biggest nut to crack for many this week. Make sure that your network appliances (routers, conferencing, any hardware/software that connects to the Internet) are all checked. SANS (the security institute) has been keeping a running list of Heartbleed vendor patches and communications. Many vendor sites also are posting technical communications with updates and notices regarding the availability of upgrades, patches or hotfixes. Further, many enterprises don’t know how many sites they own, such as external cloud-hosted sites, sites acquired via mergers and acquisitions – and temporary sites that everyone forgot about. All of those should be checked for the Heartbleed vulnerability, because if the door is open, it could allow malicious intruders in. Just ask the Canada Revenue Agency or the UK’s popular site, Mumsnet.
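One gap in the first bullet ("should be done") is that installing the patched OpenSSL package does not fix services that were already running: they keep the old library mapped in memory until they are restarted. The following script, an added example that is not part of the original post, finds those processes on Linux by reading /proc/<pid>/maps, where the kernel tags a file that was replaced on disk with "(deleted)". The sample maps content is constructed for illustration.

```python
"""Find running processes that still map a replaced (deleted) OpenSSL library.

Assumption (not from the original post): Linux, where /proc/<pid>/maps lists
every file a process has mapped and tags a file replaced on disk with
"(deleted)". A service that still shows the old copy has not picked up the
patched OpenSSL until it is restarted.
"""
import os
import re
from typing import Dict, List

# Matches the path column of a maps line for an OpenSSL library, e.g.
# "/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)"; group 2 is the tag.
_LIBSSL_RE = re.compile(r"(/\S*lib(?:ssl|crypto)\.so[\w.]*)(\s+\(deleted\))?$")


def stale_openssl_mappings(maps_text: str) -> List[str]:
    """Return the distinct OpenSSL library paths in one maps file that are
    marked (deleted), i.e. replaced on disk while still in use."""
    stale: List[str] = []
    for line in maps_text.splitlines():
        m = _LIBSSL_RE.search(line.strip())
        if m and m.group(2) and m.group(1) not in stale:
            stale.append(m.group(1))
    return stale


def scan_proc(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Walk a /proc tree and return {pid: [stale OpenSSL libraries]} for
    every process that must be restarted to load the patched library."""
    report: Dict[int, List[str]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                stale = stale_openssl_mappings(fh.read())
        except OSError:  # process exited, or no permission to read it
            continue
        if stale:
            report[int(entry)] = stale
    return report


# Constructed sample: a web server that was running when the OpenSSL
# package was upgraded underneath it (old libssl/libcrypto still mapped).
SAMPLE_MAPS = """\
7f1a3c000000-7f1a3c021000 r-xp 00000000 08:01 1311 /usr/sbin/nginx
7f1a3c200000-7f1a3c260000 r-xp 00000000 08:01 2617 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1a3c260000-7f1a3c460000 ---p 00060000 08:01 2617 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1a3c500000-7f1a3c6f0000 r-xp 00000000 08:01 2618 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f1a3c800000-7f1a3c820000 r-xp 00000000 08:01 4012 /lib/x86_64-linux-gnu/libz.so.1.2.8
7f1a3ca00000-7f1a3ca01000 rw-p 00000000 00:00 0 [heap]
"""

if __name__ == "__main__":
    for pid, libs in scan_proc().items():
        print(f"pid {pid} still uses old OpenSSL: {', '.join(libs)}")
```

Run it as root after the package upgrade; every process it lists needs a restart (or a reboot) before the patch is actually in effect. Statically linked binaries and appliances do not show up this way and still need the vendor check from the second bullet.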
Michaels Stores Confirms (finally…) Breach of Cardholder Data
For the second time in three years, Michaels Stores has found itself the victim of a point-of-sale cardholder data breach. A statement this week on the company’s website finally alerts customers to what has been talked about in the press since January — that nearly 3 million customer credit and debit cards were apparently stolen from Michaels Stores and its subsidiary, Aaron Brothers. The company estimates that the breach was from June, 2013 through February, 2014. In other words, well after the Target breach had been disclosed, Michaels had an ongoing breach that was not closed off until February. Read more here.
RECENT STATE DEVELOPMENTS
Kentucky Becomes Number 47 (with a twist)
The list of states requiring notice in the event of a data breach has grown by one. Kentucky’s Governor has signed a bill adding his state to the other 46. Starting in July, companies that hold information about Kentucky residents and who suffer a data breach—defined in that state as an unauthorized acquisition of “unencrypted and unredacted computerized data” that compromises the security of that data or is likely to lead to identity theft—will now be required to notify state residents. Data that triggers the law’s requirements (if breached) is name and Social Security number, driver’s license number, or account number/credit card number in combination with any required security code to permit access to a person’s financial account. Notification to impacted individuals can be delayed if a law enforcement agency determines that it would “impede a criminal investigation.” The Kentucky notification requirement does contain a “risk of harm” trigger: A “breach of the security of the system” is defined as the unauthorized acquisition of unencrypted, unredacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information maintained by the information holder as part of a database regarding multiple individuals that causes, or leads the information holder to believe has caused or will cause, identity theft or fraud against a Kentucky resident.
Now, for the Kentucky twist (hint: it’s not part of a mint julep): Section 2 of the new data breach notification law is aimed at how cloud computing service providers, such as Google, Facebook, or Microsoft and most online learning management systems delivering their products via cloud, should handle the increasing amount of student data school districts maintain in the cloud, particularly in light of recently published findings from a Fordham Law School study highlighting security risks to cloud-based student data.
Specifically, Section 2 prohibits cloud computing service providers from processing “student data” for any purpose other than providing, improving, developing, or maintaining the integrity of their cloud computing services unless they receive express permission from the student’s parent. H.B. 232 also prohibits cloud computing service providers from using student data in advertising and from selling, disclosing, or otherwise processing student data for any commercial purpose. “Student data” is defined broadly as any information or material, in any medium or format, that concerns a student and is created or provided by the student in the course of the student’s use of cloud computing services or by an employee or agent of an educational institution, including a student’s name, e-mail address, e-mail messages, postal address, phone number, and any documents, photos, or unique identifiers relating to the student. The term “processing” is also defined broadly to include use, access, collection, manipulation, scanning, modification, analysis, transformation, disclosure, storage, transmission, aggregation, or disposal of student data. H.B. 232 does allow cloud computing service providers to assist educational institutions with research permitted under FERPA. Look for a full discussion of this next week and how this law, and a few others, can impact the “ed tech” providers.
Iowa Amends State Data Breach Notification Law
Iowa’s Governor has signed an amendment to the state’s data breach notification law requiring notice to that state’s Attorney General in the event of an incident requiring notice to Iowa residents. The amendment, effective July 1, requires notification to the AG within five business days of notice to affected individuals if the breach affects more than 50 Iowans. The scope of “personal information” has also been expanded beyond coverage for breaches affecting unencrypted computerized data to now include personal information in any form, including paper.