shift change 2024 - 5
2024 01 05
Welcome to shift change, reports from the off-going watch to the oncoming on anything interesting in privacy, security, or intelligence.
1. Lawyers and law firms have an ethical responsibility to protect their clients data. In other news, Orrick experienced a breach…
Lawyers are terrible risk managers, this makes me remember the time I was discussing cybersecurity with an attorney who told me I didn’t know what I was talking about and all law firms and lawyers needed was a basic insurance plan.
…yeah, lawyers are terrible risk managers.
What did the threat actor extract from Orrick? A lot:
Orrick said that the breach of its systems involved its clients’ data, including individuals who had vision plans with insurance giant EyeMed Vision Care and those who had dental plans with Delta Dental, a healthcare insurance network giant that provides dental coverage to millions of Americans. Orrick also said it notified health insurance company MultiPlan, behavioral health giant Beacon Health Options (now known as Carelon) and the U.S. Small Business Administration that their data was also compromised in Orrick’s data breach.
Orrick said the stolen data includes consumer names, dates of birth, postal address and email addresses, and government-issued identification numbers, such as Social Security numbers, passport and driver license numbers, and tax identification numbers. The data also includes medical treatment and diagnosis information, insurance claims information — such as the date and costs of services — and healthcare insurance numbers and provider details.
Orrick said that the breach includes online account credentials and credit or debit card numbers.
2. The Markup continues its series on easy-to-implement privacy protections continues with: use Brave.
People re-use passwords for convenience, which is why ease-of-use and practicality need to be critical security considerations when designing controls. Everyone in security knows the average user re-uses their passwords, and even today most of the best practices involve holding on to a long, complex password over frequent password roll overs (hopefully supported by a enterprise password manager and multi-factor authentication). Phrased another way—23andMe knew or should have known that this is a common practice for the user, and should have taken its own reasonable steps to prevent an avenue for a malicious actor to use such a common user habit as an attach surface.
Also is 23andMe is worried about password re-use from prior non-23andMe breaches, well, that is also something 23andMe has the ability to address.
Attribution matters, including attributing who is the responsible party—its 23andMe.
4. Another (state) consumer privacy law goes into effect—congrats, Utah!; Congress remains nowhere to be seen on federal privacy protections.
What does Utah’s protection look like:
-the right to access and delete data provided by the user.
-right to opt-out of collection of personal information (sometimes, not always)
-the right to get a copy of the data a collector has about you.
…and that’s about it. No right to correct inaccurate information, no right to opt out of profiling or inference, no right to access or delete information about the user other than that provided by the user, but it’s more than most places and way more than what Congress has gotten done.
Thanks for reading, as usual a few stories I saw that maybe you would find interesting or may pop into your work week. Happy Friday!