By all accounts, 2020 was a challenging year, and it was no less interesting from a cyber and privacy perspective. It started off with fears of a major cyber intrusion of our critical infrastructures. But that soon faded into the background as the COVID-19 pandemic took center-stage. The nationwide shift to remote work led to an exponential increase in phishing and ransomware attacks, as well as an appreciable increase in nation-state intrusions targeting academic, governmental, and private sector entities seeking intelligence on vaccine development efforts. And of course, who can forget Russia’s cyber finale to the year, better known as the SolarWinds hack.
2020 was also the year that third-party providers took a more prominent place in our collective consciousness. . . .
“MBL Technologies, Inc., a Service Disabled Veteran-Owned Small Business headquartered in the Washington, DC metro area and a leading provider of cybersecurity and privacy consulting services to federal government and commercial clients, proudly announces the addition of two senior leaders to support our continued growth and expansion of service offerings.”
“Joel Schwarz, J.D., CIPP, will serve as MBL’s Privacy and Data Protection Lead supporting government and commercial clients in the development, growth, and implementation of privacy and data protection programs, as well as compliance oversight. . . .”
Remote (virtual) Learning - Fox 5 TV Dads' Panel
Interview with local dads and members of the Montgomery County PTA Safe-Tech Committee about how remote learning is working in the D.C., Maryland and Virginia area.
Loudoun County parents are outraged after the school district said some virtual classes were interrupted by pornographic images and inappropriate language, including racial slurs.
Mom Christine Hoyle said that in one of her daughter’s classes at Potomac Falls High School, a picture of male genitalia briefly appeared on screen.
“I was outraged, outraged, because the kids have already been through so much, they’re starting school, and we want to trust the school system has them safe and then this happens,” Hoyle said. . . .
Riddle me this: Which is more binding, the Student Privacy Pledge or a pinky promise?
Sadly, as of today, the answer is the pinky promise.
With the most recent “Trolls” movie – “Trolls World Tour” – prominently highlighting the binding significance of the “pinky promise,” the same cannot be said of the Student Privacy Pledge — a pledge taken by 400-plus educational technology (Ed Tech) companies stating a commitment to “carry out responsible stewardship and appropriate use of student personal information.”
Consider the recent Consumer Reports story about the College Board tracking students and sharing that information with Adobe, Facebook, Google, Microsoft, Snapchat, Yahoo, and advertising network AdMedia — despite the pledge’s commitment to “[n]ot use or disclose student information collected through an educational/school service . . . for behavioral targeting of advertisements to students.” . . .
On July 16, 2020, the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield (colloquially known as the “Schrems II” decision), due to concerns about U.S. governmental access to data using intelligence authorities, like the Foreign Intelligence Surveillance Act's Section 702, Presidential Policy Directive 28 and Executive Order 12333. Also of concern was the lack of adequate redress for EU citizens.
The day after "Schrems II," the European Data Protection Board clarified that while it considers Standard Contractual Clauses (SCCs) for exchanging data with the EU to still be valid, an exporter must undertake a fact-specific assessment to determine whether the country to which data is sent offers adequate protection. Which brings us to the million-dollar question: What steps can an organization take to address the concerns raised?
That's where this article picks up, providing practical tips for transparency that most companies can engage in to put them in a better position to continue working with EU partners....
Article - Part 1
Over the last decade, educational institutions have come increasingly to rely on Educational Technology (Ed Tech). With the advent of the COVID-19 pandemic, the entire nation jumped into remote learning and mass adopted Ed Tech solutions. In addition to the established Ed Tech vendors, many new players entered the space, enabling a host of new remote learning options, both static and interactive. This rapid increase in the availability and adoption of technology for education is challenging the already limited resources available to educational institutions and educators.
Exacerbating these challenges is the fact that many of the laws designed to protect student data privacy, such as the Federal Education Right to Privacy Act (FERPA), were designed in the 1970s, well before the Internet even existed. Information that was previously available only in hardcopy form, to a small, local audience – such as student directories, often handed out at the beginning of the school year – now exists indefinitely online, within the reach of the entire world, potentially being repurposed for everything from targeted advertising to training AI facial recognition programs. The rapid movement to online, remote learning has also had an impact on other areas of FERPA. For example, school officials operating with limited resources and even more limited privacy expertise have struggled to apply FERPA’s requirement that “school officials” maintain “direct oversight” of outsourced vendors, given the difference in size and bargaining power between small school systems and large Ed Tech providers (such as Apple, Microsoft, Google, and Verizon).
This webinar - available HERE - explored this strange new world from multiple perspectives, to include the regulators, schools, and vendors, as well as the parents whose children’s data is at the heart of the discussion.
Legal, Constitutional and Technological Challenges Presented by the Internet of Things and Emergent Technology Devices
In one of the most famous science fiction novels of all time – 2001: A Space Odyssey – Arthur C. Clarke painted a picture of a future filled with live streaming face-to-face phone calls, and a variety of other electronic devices used in daily life, all while orbiting the earth in a space station. While we don’t yet have that space station, we do have Internet-connected lights and refrigerators capable of live streaming music and face-to-face calls, and remotely accessible thermostats, baby monitors, door locks and the like (i.e., the Internet of Things, or IoT). But with such convenience comes a cost in terms of vulnerabilities. Among the topics covered in this Webinar and paper (click here to download) are:
- How IoT devices work, and the range of vulnerabilities that IoT devices present
- The unique issues created through IoT collection of sensitive information, and how such information is used
- Important technology-specific cases of the past decade, focusing on how courts have applied the 4th Amendment and some of the related doctrines and exceptions in the IoT space
- Laws governing the IoT, including those that may apply to government and/or private access to IoT records.
Minimizing the COVID-19 Pandemic's Impact Through Access to Location Data
During these unique times, when we read almost daily about the government and private sector's interest in our location data, with little detail or transparency on the what (what data), where (where is it collected from) or how (how is this being accessed and shared, legally) of it, hopefully this article on the types of location data created/captured by various technology and IoT devices we use, and the different laws that govern access to that data (to include the potential privacy protections under those laws), will be of help.
Interview with the San Francisco Chronicle on recent student data privacy breaches, the risks to students, and how best to minimize these cybersecurity and privacy risks for student data during these challenging times, to include providing support for school systems that often lack the resources and expertise needed to really dig into the privacy issues and robustly protect and preserve student data privacy.
Secure Telecommuting During Social Distancing
Due to “social distancing” requirements that arose from the 2020 coronavirus pandemic, a large part of the American workforce traded in their cars and train seats for makeshift home offices. This sudden shift to telecommuting caught the attention of cybercriminals and state-sponsored actors . . .
But how would good cybersecurity look in this new paradigm?
**Reproduced with permission. Published April 2020. Copyright ©2020 The Bureau of National Affairs, Inc. (800.372.1033). www.bloomberg.com
On Feb. 18, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about a ransomware attack on a natural gas compression facility that resulted in the business shutting down for 2 days. The fact of critical infrastructure being targeted wasn’t newsworthy, . . . neither was the fact that the gas facility fell victim to a ransomware attack.
No, the newsworthy piece of the story is that the unnamed company hadn’t taken steps to implement basic cybersecurity controls
While “Internet of Things” (IoT) devices open up new worlds of convenience, they’ve also introduced new security vulnerabilities. At the risk of overgeneralizing, many of these vulnerabilities stem from the ease of set-up and use that make these singular-purpose devices so attractive. They tend to be scaled down, with little internal memory, and lack strong out-of-the-box security, often shipped with default accounts and passwords enabled.
Yet despite their small stature, IoT devices punch above their weight class when it comes to threats. For example, . . . .
Concerned about Big Brother surveillance of students? Check out my latest article, published in "The Hill," on almost 40 schools in the country using an app to track student attendance/absence (it appears that the app was developed by a former assistant coach at the University of Missouri, and initially used primarily for tracking sports teams’ student attendance, which is often mandatory in order to stay on the team).
"Late last month, soon after University of Missouri-Columbia students returned to school from winter break, stories began appearing about the university’s expansion of a program to track student attendance using an app owned by Arick LLC called “SpotterEDU,” which the university previously used in its sports programs." . . .
In the past year, we have seen story after story that detail breaches of educational technology vendors' system security. These troubling incidents in which sensitive student data is compromised will only become more frequent until both technology companies and public school districts make student privacy and security a greater priority.
On Oct. 21, 2019, the Supreme Court of Georgia answered the question of whether the Fourth Amendment protects a right to privacy in the air bag safety devices installed in vehicles. These devices, which record for a period of time before, during and after a crash or on a continuous loop until a vehicle is in a crash, have been analogized to the black boxes found on airplanes and are becoming increasingly common in vehicles. According to one estimate, they’ve been installed in about 96% of cars manufactured since 2013.
Why should anyone care whether the Fourth Amendment applies? For the most part, they needn't. That is, until they get into an accident . . .
Two weeks ago, the name Qassem Soleimani was not widely known in the U.S.; today, many people know him as the Iranian general killed in a U.S. drone strike on Jan. 3. In part, that’s because Iran — in response — launched missiles against U.S. bases in Iraq on Jan. 8, making war between the U.S. and Iran seem — for a time at least — imminent. Fortunately, both sides have carefully deescalated, stepping back from the brink.
But that doesn’t necessarily mean hostilities will cease . . .
Joel Schwarz is interviewed by Rick Ungar on Iranian cyber capabilities, and potential threats to the U.S. posed by Iran and its allies (and how those capabilities compare to other nation-state cyber actors)
Consider the following: Summer is over, and the first day after school your high schooler tells you about a new electronic hall pass system that requires input of student PII to leave class, including to use the bathroom. Days later, your elementary schooler presents a form seeking parental consent for use of a gaggle of apps, a third of which are only appropriate for 13 and above (elementary school children are usually under 13). The following week, your middle-schooler tells you about a new college-prep tool he used at school; delving further, you find that the questions included the ethnic, geographic or socio-economic diversity desired of a college, interest in attending a denominational college, etc.
Yes, there are a variety of privacy laws to protect PII . . . But if you read the fine print, you find that many share student PII with third parties, and within their larger corporate conglomerates, creating growing dossiers about our children, starting in elementary school, through High School.
Periodically, we read stories criticizing the intelligence community for lacking commitment to privacy, the constitution and the rule of law. While the IC has rightly received its share of criticism about certain programs, I’d like to provide a perspective that’s not often covered. And given a recent article in The Privacy Advisor aiming to demystify the Office of the Director of National Intelligence, this seemed like an opportune time to demystify the privacy rubric built into the DNI’s National Counterterrorism Center.
The key to helping organizations understand when a breach is actually against the law requires a great deal of outreach and consumer/business education, says Joel Schwarz, a trial attorney with the U.S. Department of Justice's Computer Crime and Intellectual Property Section in Washington D.C.
"I think it's a very important ruling," said Joel Michael Schwarz, New York's assistant attorney general. "It's precedent-setting in terms of where the gambling takes place physically."
In a precedent-setting decision, New York State Assistant Attorney General Joel Schwarz secures the first decision in the U.S. holding that internet gambling conducted using offshore servers, but made available to citizens within the U.S. - including New York - violates New York State and Federal gambling prohibitions.