This document outlines an agenda for a conference on regulating privacy and software. It discusses:
- Federal laws and court cases that form the foundation of privacy regulation in the US.
- How various federal agencies like the FTC and HHS enforce privacy through cases against companies like HTC and penalties for violations.
- State privacy laws and enforcement by state attorneys general.
- Private enforcement through class action lawsuits and individual claims over data breaches and privacy violations.
- The costs of data breaches for companies.
- Approaches like "privacy by design" to incorporate privacy into the software development process.
Do You Wannacry: Your Ethical and Legal Duties Regarding Cybersecurity & Privacy - ButlerRubin
Butler Rubin Partner, Dan Cotter discusses in detail the changes to the Model Rules of Professional Conduct that impact lawyers and their obligations to understand technology and safeguard against inadvertent data breaches.
This document provides an overview of data privacy for governmental organizations. It discusses what data privacy is, the risks associated with it such as identity theft, and common laws around data privacy including California state laws. It recommends that organizations take an inventory of their data, develop privacy policies and training, and ensure proper system monitoring and controls. The document emphasizes being proactive on data privacy issues.
NIST Cybersecurity Requirements for Government Contractors - Unanet
What is Controlled Unclassified Information (CUI)? What is NIST SP 800-171? How is my project management and accounting system impacted?
Navigating your way through these complex topics can be difficult for any government contractor, but protecting CUI in a non-federal environment is critical. Compliance is required by December 31, 2017.
Join us for this webinar to learn more about:
• What it means to be compliant with NIST SP 800-171
• Documenting your compliance status
• Preparing for audits and/or requests for compliance attestation/reports
• Key CUI requirements
• Suggested NIST processes
• How having the right system and team in place can help you remain compliant
Learn more at: https://www.unanet.com/news/demand-webinars
This document provides a response to a Request for Proposals (RFP) from the City of New Orleans for an information security and cybersecurity program. The response includes: research on the firm's qualifications; data analysis including RFP clarification questions and a review of technical requirements; a solution design outlining benefits of recommendations and a phased project approach; and an evaluation design with a high-level project plan outline. The response demonstrates the firm's capabilities and provides details on its proposed methodology to address the RFP requirements.
This chapter discusses computer and internet crime. It begins by outlining the objectives of understanding key ethical issues around data security, reasons for the rise in security incidents, common attack types, perpetrator objectives, and elements of a multilayer security process. It then discusses why incidents are so prevalent due to increasing complexity, user expectations, and reliance on commercial software with vulnerabilities. Common attack types like viruses, worms, Trojan horses, and phishing are also outlined. The chapter concludes by discussing prevention, detection, response, and establishing security policies and risk assessments to implement trustworthy computing.
Data Use Rules in Different Business Scenarios: It's All Contextual - William Tanenbaum
The document provides an overview of 10 different business scenarios related to data use and privacy rules. Each scenario is summarized as follows:
1. Digital redlining involving banks using third-party data to offer different credit cards poses litigation risks if data is repurposed in ways inconsistent with its original collection.
2. Health clinics in big box retailers transferring limited medical records from hospitals must ensure the transfer complies with patient consent and HIPAA.
3. Posting patient health information to web-hosted databases raises issues of consent for third-party research use and ongoing chains of medical research.
4. The FCC and FTC have differing approaches to privacy rules, with the FCC requiring opt-in for
Let Robert B. Fitzpatrick, principal of Robert B. Fitzpatrick, PLLC, walk you through the ins and outs of hiring (or being hired) and firing (or being fired) in the digital age. Employees and employers alike need to know their rights in this fast changing world, and technology adds a new twist to the old calculus. The best advantage that you can get is knowledge, and this presentation is packed with tips, tricks, and hints that will help you get hands on with the employment process, whatever your level of legal or technical sophistication.
Data Confidentiality, Security and Recent Changes to the ABA Model Rules - saurnou
Continuing legal education (CLE) presentation regarding data confidentiality, information security, computer forensics and legal ethics in light of technology-related changes made to the American Bar Association's Model Rules of Professional Conduct.
Data Use Rules in Different Business Scenarios: It's All Contextual - William Tanenbaum
All privacy is contextual. Likewise, the legal rules for collecting, aggregating, sharing and protecting data, including through IP, are specific to the context. One size does not fit all.
COMPUTER LAW, INVESTIGATION AND ETHICS DOMAIN - amiable_indian
The document discusses computer law, investigations, and ethics. It covers reviewing computer crime laws and regulations, investigative techniques for determining if a crime was committed and gathering evidence, and ethical constraints. Specific topics covered include computer laws, computer crime, computer crime investigations, and computer ethics. Computer crime laws at both the federal and state levels are discussed.
PLI Workplace Privacy in the Year 2013 (2013-6-13) - mkeane
Addresses privacy issues associated with hiring in a social media world, privacy issues associated with BYOD programs; employee privacy rights associated with off-duty activity including Facebook postings and activity protected by lifestyle laws.
The document summarizes the key aspects of Massachusetts' privacy law for protecting personal information. It outlines the origins and scope of the law, what personal information it covers, entities to which it applies, and compliance deadlines. It then describes the steps organizations should take to achieve compliance, including assessing their environment and processes, creating a written security plan, encrypting data, assessing third party vendors, training employees, and monitoring compliance. Failure to comply could result in fines and civil penalties.
2010 Privacy in the Workplace: Electronic Surveillance under State and Federa... - Charles Mudd
The document summarizes key issues regarding privacy and electronic surveillance in the workplace under state and federal law. It discusses trends in increasing workplace monitoring and highlights several applicable laws, including the Electronic Communications Privacy Act, Stored Communications Act, and Computer Fraud and Abuse Act. It also covers relevant state statutes and common law privacy torts, as well as more common surveillance issues like email monitoring.
Data Use Rules in Different Business Scenarios: It's All Contextual - William Tanenbaum
Arent Fox LLP. Rules for data collection, aggregation, sharing, use and protection all depend on the business and legal context. One size does not fit all.
Privacy Implications of Biometric Data - Kevin Nevias
This document discusses privacy implications of biometric data. It provides examples of how biometric authentication is used for fraud prevention at ATMs and for banking in Africa. Benefits include security, safety, ease of use and speed. Biometric data can be stored on or off devices. Off-device storage raises more privacy concerns as the data is transmitted and stored by vendors. Regulations for biometric data vary globally, with the EU having stricter laws. Disclosure of biometric data like fingerprints can impact individuals even if current misuse potential is limited, due to integrity and availability risks. Social and privacy concerns must be addressed for broad biometric adoption.
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson... - Don Grauel
Steve Robinson of RPS Technology & Cyber presented "Discussing Cyber Risk Coverage With Your Commercial Clients" to the 68th Annual F. Addison Fowler Fall Seminar on October 17, 2014.
Data Use Rules in Different Business Scenarios: It's All Contextual - William Tanenbaum
This document provides an overview of William Tanenbaum's presentation on data use rules in different business scenarios. It discusses 10 scenarios involving issues like digital redlining, health data privacy, data breaches, ransomware attacks, and the Internet of Things. For each scenario, it outlines the key legal and transactional risks, such as ensuring data is only used as intended and negotiating appropriate liability provisions. It emphasizes that privacy is contextual and that technology and litigation lawyers need to collaborate to properly address these evolving risks.
The complaint alleges that D-Link Corporation and D-Link Systems, Inc. engaged in unfair and deceptive practices by failing to take reasonable steps to secure routers and internet-protocol cameras designed for U.S. consumers, exposing sensitive personal information and networks to unauthorized access. Specifically, the complaint asserts that the defendants failed to address known software vulnerabilities, properly secure a private key, and protect mobile app login credentials, putting thousands of consumers at risk of harm through activities like identity theft, unauthorized surveillance, and distributed denial-of-service attacks. The Federal Trade Commission is seeking a permanent injunction and other equitable relief for violations of federal unfair and deceptive practices law.
The document discusses privacy laws in India related to digital data and personally identifiable information. It outlines key concepts around data privacy, categories of private data under Indian law, and relevant sections of the Information Technology Act 2000 regarding unauthorized access to data, compensation for failure to protect sensitive personal data, and criminal offenses for disclosure of private information. It also briefly mentions some global privacy laws like the Gramm–Leach–Bliley Act in the US.
Bradley's panel reacts to and addresses a hypothetical cyber incident involving a widespread compromise of consumer healthcare and financial information. Amy Leopard (Healthcare), Mike Pennington (Litigation), John Goodman (Litigation), Elena Lovoy (Financial Services), and moderator Paige Boshell (Intellectual Property, Financial Services) will offer legal and practical strategies to proactively respond to and resolve a specified data breach. Highlights will include customer notice strategies, attorney-client privilege and litigation avoidance strategies, and coordination with third parties, including external PR and forensic investigators, vendors, regulators, and law enforcement.
2013-11 Growing Trend of Finding Regulatory and Tort ... - Raleigh ISSA
Invited speaker: "Growing Trend of Finding Regulatory and Tort Liability for Cyber Security Breaches"
with Mark W. Ishman, J.D., Masters in Law in Information Technology and Privacy Law
CT, HI & VT - Oh My! What Do the Latest Privacy Regulations Mean to You? - Resilient Systems
The document discusses recent changes to state data breach notification laws in Vermont, Connecticut, and Hawaii. Vermont revised its definition of a breach and added requirements for notification timeframes and reporting to the attorney general. Connecticut clarified its breach definition and added attorney general notification. Hawaii equated its law to HIPAA for health information to reduce regulatory burdens for healthcare providers.
Create Brainstorming Commandos for Creative Problem Solving - TechWell
Agile teams are solving real-world complex problems every day. These problems require creative problem solving by team members. In its truest sense, brainstorming is intended to be a practical approach to this task. Brainstorming entails “using the brain to storm a creative problem and to do so in commando fashion, with each 'stormer' audaciously attacking the same objective.” In this highly practical workshop, Pradeepa Narayanaswamy introduces you to a variety of brainstorming games that get the creative juices flowing to yield better collaboration and ideas among team members. Delegates practice and take back different ideas and concepts to facilitate a fun and effective brainstorming session. This session is targeted at ScrumMasters, agile coaches, managers, and any team members who are looking to add more facilitation tools to their tool belt.
Now That We're Agile, What's a Manager to Do? - TechWell
We teach managers to foster agility by encouraging their teams to self-organize, stop assigning work, and telling them how to do it. Since the Product Owner defines the what and the team defines the how, what’s left for managers to do? Managers need to become servant leaders. It’s a key success factor for agile transformations. However, most managers have no idea what servant leadership is or what these leaders do. David Grabel teaches the true meaning of servant leadership—transforming it from a buzzword to a guiding principle. Learn how, as a leader, you can accelerate your team’s agile journey. Working in groups, participants discuss the challenges faced by an agile manager. As part of your learning, create artwork using Legos, clay, and pictures to illustrate how a servant leader meets the challenges of today. David defines the new job description for today’s managers in tomorrow’s agile culture. Come and prepare to take your part in it.
GitHub revolutionized the coding world with their "social coding" approach. In doing so, Git, the source code repository behind GitHub, vaulted to the forefront of our industry. If Git hasn't made its way into your, or your team's, tool belt, Josh Anderson explains why it should. Learn how Git makes your job as a software engineer easier. Having made the migration to Git from source control systems like Team Foundation Server, Subversion, or Visual SourceSafe, Josh covers the mental and technical shifts needed to transition to Git. Learn how Git enables your team to collaborate and succeed at warp speed. Having led multiple agile adoptions (many powered by Git), Josh shares strategies and tips to help your engineers get up to speed and integrate Git into their processes. Regardless of your technology stack, Git may be the answer for your teams, and Josh preps you for a successful adoption.
Prevent Test Automation Shelfware: A Selenium-WebDriver Case Study - TechWell
Eid Passport had a suite of Selenium tests with a bad reputation—difficult to maintain, broken all the time, and just plain unreliable. A tester would spend more than four days to get through one execution and validation pass of these automated tests. Eid Passport was ready to toss these tests into the trash. Alan Ark volunteered to take a look at the tests with an eye toward showing that Selenium-based tests can, in fact, be reliable and used in the regression test effort. Alan shares techniques he used to transform a sick, test automation codebase into a reliable workhorse. These techniques include AJAX-proofing, use of the Page Object model, and pop-up handling. The test process that used to take more than four days to turnaround now finishes in under two hours. And this is just the beginning.
Agile Hacks: Creative Solutions for Common Agile Issues - TechWell
Whether you are just starting agile or have already made the transition to using agile in your organization, you may face the issues that Susan McNamara describes. Is your team not firing on all cylinders? Do people feel stuck or bored? Is your team having trouble getting to Done at the end of each sprint? Susan has booted up agile in three different organizations and has found valuable approaches that work across different environments. She covers topics including getting the most out of your product owners/product managers, dealing with organizational constraints in the agile group, encouraging good synergy between development and testers, and ways to keep the team mentally engaged. Based on her real-life experiences, Susan provides simple “agile hacks” that you and your team can use to solve these common problems and lift your team to the next level. Sometimes all you need are creative solutions to turn your team into agile heroes.
Large-Scale Agile Test Automation Strategies in Practice - TechWell
This document provides an overview of a presentation titled "Large-Scale Agile Test Automation Strategies in Practice" given by Geoff Meyer from Dell, Inc. The presentation covered key agile testing concepts, real-world examples from large-scale agile projects at Dell, organizational strategies for testing at scale, test automation strategies and tooling considerations, and lessons learned from Dell's experience with large agile projects. The document includes an agenda, background on Geoff Meyer, and details on test automation approaches for three example projects at Dell.
Build the Right Product Right: Transitioning Test from Critiquing to Defining - TechWell
Do you find yourself with limited influence over what gets shipped on products you test? Is your report card on product quality often ignored? Do you think you can contribute more? Join Gerard Meszaros as he describes ways to transition from approaching quality with brute force testing to an enlightened and strategic perspective that will have real impact on product quality. Instead of criticizing the product, become an integral part of the development process and learn how you can help define what should be built. Gerard explores design for testability concepts and describes key testability requirements that will afford better, more efficient testing. He explains test design techniques that describe software functionality in layers of plain language tests. Gerard shows how a collaborative approach for building the right product results in much better outcomes from both quality and schedule perspectives. Stop rushing through multiple test-and-fix cycles that result in a less than quality product. Be part of the solution!
The Adventures of a First-Time Test Lead: An Unexpected Journey (TechWell)
When moving to a new position in your organization, you might not always feel confident—and that’s fine. If you have ever wondered how to change your mindset from “I need to learn from someone more experienced than I” to “I need to train and lead a team,” Ioan Todoran shares what he learned during his time as a first-time test team lead. Ioan shares lessons about recruitment (where and how to look for people), interviewing (forget the boring, interrogatory-style interviews; move toward a more conversational approach), training (how to prepare the new testers for work on a commercial project), and navigating through the daily management duties while keeping the automation work going on your project (stop micromanaging; help, but don't suffocate; learn to offer quick solutions.) Learn how to establish better connections and communication channels with upper management while strengthening the relationships with your clients through an honest and direct approach.
Technical debt is slowing your software development projects. Any developer who has gone beyond version 1 has encountered it. Technical debt takes different forms, has many different origins, and does not always equate to bad code quality. Much of it is incurred due to the passage of time and a rapidly evolving business environment. Some is in the form of hundreds of little cuts; some is massive and overwhelming, the result of a single poor design choice. Philippe Kruchten explains how to distinguish different types of technical debt, identify their root causes, objectively assess their impact, and develop strategies suitable in your context to limit or selectively reduce the technical debt you incur. Discover what debt you can happily live with. See when to declare bankruptcy. And learn that not all technical debt is bad. Just like in the real world, some technical debt can be a valuable investment for the future.
Implementing Agile in an FDA Regulated Environment (TechWell)
Developing medical devices that are subject to FDA approval has traditionally followed the waterfall methodology, largely due to the structure of the regulations that govern development practices. But we know from myriad case studies in different industries that agile methodologies are far superior in providing the highest value to customers in the shortest time to market. Neal Herman shares how one developer of complex medical devices embraced agile software development practices and proved that it could not only develop software faster with higher quality but also meet all regulatory requirements. Convincing the internal quality management, systems engineering, and regulatory departments was difficult, but the software department was able to overcome these obstacles and fundamentally change the company’s philosophy on product development. Since 2012, software development productivity is up 100 percent, and quality is up 200 percent. Now, after seeing these gains from the software department, agile is being rolled out to all areas of R&D including hardware.
Sebastiano Armeli is an engineering manager at Spotify who presented on managing a software engineering team. As a manager, he helps his team follow best practices and standards to deliver high quality advertising products. He focuses on improving team engagement through agile practices and constant development. Armeli discussed the changes in priorities and responsibilities that come with transitioning from an individual contributor to a manager, including focusing on people management, career development, and enabling decision making.
Many organizations struggle to implement sustainable processes to drive their software and systems development work. This leaves their technology managers and teams to use whatever worked for them on the last project, often resulting in a lack of integration and poor communication and collaboration across the organization. Based on his new book Agile Application Lifecycle Management: Using DevOps to Drive Process Improvement, Bob Aiello explores how to use DevOps principles and practices to drive the entire application lifecycle management process including establishing agile development practices such as continuous integration and delivery that integrates directly with the operations IT controls. Defining and automating the application lifecycle requires that you include all stakeholders and integrate their processes to achieve success. Learn how to use DevOps approaches to iteratively define a pragmatic and real-world ALM framework that will evolve, scale, and help your organization achieve its software and business goals.
The Issues Agile Exposes and What To Do about Them (TechWell)
Before the short iterations in agile, projects were segmented into large blocks of work taking many weeks or months. If problems emerged, it was relatively easy to hide them. Now, with agile, many of these problems and issues can’t be hidden for long. Lee Copeland exposes these issues—trust, organization, work, measurement, and change—and explores solutions. Leaders often distrust their teams; teams often distrust their leaders. Learn the symptoms and solutions to these trust issues. A key organizational issue is that organizations cannot give up their previous team structures. Explore your options. Work issues include our continued inability to estimate well, and our ongoing attempts to define all requirements up front. What can you do? Most organizations still have ineffective or dysfunctional metrics programs. Discover what works better. And learn why change is so difficult to accomplish—and uncover the little-known secret to change. It involves letting go.
Use Business Analysts for User Interface Design (TechWell)
Have you experienced difficulties eliciting “what would you like the system to do” from customers and SMEs? Have you then delivered the system only to find that the users don’t like it, even though it meets their stated requirements exactly? Cathy Sargent shares a technique for using mockups early in the development process to help overcome the challenges of gathering complete functional and business requirements, and establishing a mutual understanding of what a system should do. Put a visual representation of the application in the hands of your SMEs, testers, trainers, and development team. This collaborative effort, driven by the business analyst, saves your application development from re-work due to poor requirements or incorrect interpretations of business needs. Generate better software solutions and gain end-user buy-in early in the SDLC. Teams can properly scope the solution using these mockups, resulting in better estimates and more accurate deadlines from your project manager. Provide your customers with exactly “what they would like the system to do.”
Developing a Rugged DevOps Approach to Cloud Security (TechWell)
This document summarizes a presentation by Tim Prendergast of Evident.io on developing a rugged DevOps approach to cloud security. It discusses how attackers have advantages over defenders due to their ability to automate attacks. It argues that in order to match attackers, security practices need to be automated and integrated into DevOps workflows through a DevSecOps model. This involves embracing principles like treating security as code, testing security at all stages of development, and ensuring security practices are collaborative rather than siloed. The goal is to minimize the time window attackers have to exploit vulnerabilities before they are detected and remediated.
Testing in a Super-Agile Software Development Environment (TechWell)
Channel 4 broadcasting company in Finland provides live streams of sporting events on the Internet (Ruutu.fi). Its software development follows agile principles but is even more straightforward and quicker than in normal agile projects. Tomi Kaleva says they have changed the entire production environment and renewed all the mobile apps in the past year. As a result, the normal agile development speed wasn’t enough. The fast software development cycle makes software testing challenging, as there isn’t sufficient time for test planning and test execution. The solution was to precisely prioritize the testing, mostly ad hoc without test planning in advance. It was critical that the whole development team participate in the testing and that the software developers be ready to fix bugs. Since some tests were done by customers after the software was released to production, it was crucial to listen to customers’ feedback and to react quickly to repair problems. Super-agile is an effective process for quickly releasing software to market, but the high risk of poor quality must be addressed.
From Unclear and Unrealistic Requirements to Achievable User Stories (TechWell)
"What do you want the system to do?" can be a loaded question for agile teams. Ideally, the product owner gives you a product backlog with fully groomed user stories prioritized by business value, ready for team discussion and estimation. Instead, you may have the “big picture” product owner who can describe high-level requirements but struggles to provide clear direction on specific system behavior, or the “aspiring developer” product owner who is more than happy to give you the exact system implementation in intricate technical detail. You may have the “kid in a candy shop” product owner who wants everything under the sun as the highest priority, or the “see-saw” product owner who constantly changes the priority of the requirements. Join Jamie Lynn Cooke for interactive demonstrations of twelve proven techniques for working with all these product owner types to understand what is really driving their requirements, to move them toward business-value-driven prioritization, and to turn their abstract, impractical, or technically loaded requirements into relevant and realistic INVEST-compliant user stories.
Unit 6 Privacy and Data Protection 8 hr (Tushar Rajput)
The document discusses privacy and data protection. It defines privacy as an individual's ability to control how and when personal information is shared with others. It outlines several international agreements that establish privacy as a universal human right. The document also discusses the three dimensions of privacy - personal, territorial, and informational - and basic privacy principles like transparency and purpose limitation.
https://digitalguardian.com/blog/social-engineering-attacks-common-techniques-how-prevent-attack
Statement of Michelle Richardson, Director, Privacy & Data
Center for Democracy & Technology
before the
United States Senate Committee on the Judiciary
GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation
March 12, 2019
On behalf of the Center for Democracy & Technology (CDT), thank you for the opportunity to testify about the importance of crafting a federal consumer privacy law that provides meaningful protections for Americans and clarity for entities of all sizes and sectors. CDT is a nonpartisan, nonprofit 501(c)(3) charitable organization dedicated to advancing the rights of the individual in the digital world. CDT is committed to protecting privacy as a fundamental human and civil right and as a necessity for securing other rights such as access to justice, equal protection, and freedom of expression. CDT has offices in Washington, D.C., and Brussels, and has a diverse funding portfolio from foundation grants, corporate donations, and individual donations.[1]
The United States should be leading the way in protecting digital civil rights. This hearing is an opportunity to learn how Congress can improve upon the privacy frameworks offered in the European Union via the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) to craft a comprehensive privacy law that works for the U.S. Our digital future should be one in which technology supports human rights and human dignity. This future cannot be realized if people are forced to choose between protecting their personal information and using the technologies and services that enhance our lives. This future depends on clear and meaningful rules governing data processing; rules that do not simply provide people with notices and check boxes but actually protect them from privacy and security abuses and data-driven discrimination; protections that cannot be signed away.
[1] All donations over $1,000 are disclosed in our annual report and are available online at: https://cdt.org/financials/.
Congress should resist the narratives that innovative technologies and strong privacy protections are fundamentally at odds, and that a privacy law would necessarily cement the market dominance of a few large companies. Clear and focused privacy rules can help companies of all sizes gain certainty with respect to appropriate and inappropriate uses of data. Clear rules will also empower engineers and product managers to design for privacy on the front end, rather than having to wait for a public privacy scandal to force the rollback of a product or data practice.
We understand that drafting comprehensive privacy legislation is a complex endeavor.
Over the past year we have worked with partners in civil societ.
An Overview of the Major Compliance Requirements (DoubleHorn)
In this blog, we will explore some of the US government’s compliance standards that are helpful for many federal, state and local agencies while procuring technology and related services.
The document summarizes identity theft compliance deadlines for organizations in Massachusetts and under federal regulations. The Massachusetts Standards for Protection of Personal Information now have a compliance deadline of January 1, 2010, extended from previous deadlines. The Federal Trade Commission's Red Flag Rules require organizations to implement identity theft prevention programs by May 1, 2009 if they are covered. Both regulations require organizations to perform risk assessments, implement security programs, train employees, and review programs periodically to protect personal information from identity theft.
Does your organization take credit card information? Do you store personal information on your staff, clients or donors? Raffa can help you avoid the pitfalls and penalties that can come from storing these privacy-related items in unsecured ways.
PCI DSS, the Payment Card Industry Data Security Standard is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. This applies to essentially any merchant that has a Merchant ID (MID).
HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company that deals with protected health information must ensure that all the required physical, network, and process security measures are in place and followed. This includes anyone who provides treatment, payment and operations in healthcare, and anyone with access to patient information and provides support in treatment, payment or operations.
Come learn the basics of these industry regulations, including:
-Who it applies to
-Requirements for compliance
-Penalties for noncompliance
Join us and learn where your organization may have security gaps or be out of state or federal compliance. In this seminar, we will discover how a combination of good policies and the implementation of good, solid solutions can help you meet compliance requirements, and protect and secure your organization or business.
This document discusses data privacy fundamentals and attacks. It begins with definitions of data privacy and the need to protect personally identifiable information. It then outlines common data privacy threats like phishing, malware, and improper access. The document also examines access control models and regulations around data protection. Overall, it provides an introduction to key concepts in data privacy and security risks to consider.
This document summarizes a presentation on data breaches. It discusses the current breach landscape, with billions of records compromised annually worldwide. It provides tips for responding to breaches, including assembling a response team, conducting investigations, and effecting notices. It also covers developments in US and foreign data privacy laws, including the Massachusetts Data Security Requirements and new rules in India. Litigation and insurance issues related to data breaches are also summarized.
The New Massachusetts Privacy Rules (February 2, 2010) (stevemeltzer)
The document summarizes the key aspects of the Massachusetts Data Privacy Rules, including:
1) It outlines the scope, requirements, and compliance deadlines of the new rules regarding developing a comprehensive written information security program and heightened computer system security requirements.
2) It describes the rules around breach reporting requirements, including what constitutes a breach and who must be notified.
3) It provides an overview of actions organizations should take to ensure compliance, such as forming a compliance team, reviewing policies, encrypting devices, and training employees.
This document proposes legislation for proactive cyber security measures in the private sector. It summarizes and analyzes two existing bills, H.R. 1704 and H.R. 1584, which aim to address cyber security but are reactive in nature. The document finds gaps in these bills and proposes new legislation. It suggests designating the Federal Trade Commission as the regulatory authority for the private sector. The new legislation would mandate proactive requirements like regular cyber risk assessments and data classification policies to better protect confidential data prior to a breach.
When Past Performance May Be Indicative of Future Results - The Legal Implica... (Jason Haislmaier)
This document summarizes a presentation on the legal implications of using location-based services data and predictive analytics to predict future behavior. It discusses privacy issues under federal and state laws as well as industry self-regulation. It also examines potential tort liability from the misuse of personal data and location information. The presentation provides examples of privacy policies and controls in mobile apps and outlines considerations around law enforcement access to data.
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015 (Robert Craig)
The document summarizes key topics from a presentation on integrating federal regulatory initiatives related to data security laws and regulations. It discusses the FTC's authority to enforce reasonable security practices and outlines the SEC's transparency standards for releasing details about cyber incidents. The FTC enforces reasonable security standards through Section 5 of the FTC Act and establishes pillars of assessment, risk management, and response planning. The SEC provides disclosure guidelines requiring details on cyber risks, controls, and procedures, and may turn those guidelines into standards for transparency. The presentation also reviewed responding to SEC inquiries regarding data breach policies.
250 words agree or disagreePlease discuss the various limitation.docx (vickeryr87)
250 words agree or disagree
Please discuss the various limitations involving the efficiency of the intelligence cycle. Do not make all your points about just one of the readings. Please ensure that you make appropriate use, in-text citation, and reference to available source information to support your perspective (be sure to include why you consider these issues important).
Intelligence Cycle
The Central Intelligence Agency (2013) has described the intelligence cycle as follows:
Planning and Direction – essentially understanding what to do and how to do it
Collection – Collecting information overtly or covertly through different means
Processing – Put the collected intelligence into a report
Analysis and Production – Read and analyze the information and understand what is needed and what isn’t and produce a product in a way that will be easily read and understood by the customer (give assessments)
Dissemination – Give the final product to the requestor / customer and ensure that those who need to know receive it
National standards and guidelines vs policies and procedures of agencies
Carter, Chermak, McGarrell, Carter, and Drew (2012) indicated in their findings that
…respondents indicated that they were familiar with national standards and guidelines, they also expressed the belief that the policies and procedures within their agency have yet to reconcile with these requirements. Similarly, the respondents noted they were aware of the threats, but identified a need to build a capacity to better identify these threats and noted shortages in resources and personnel in accomplishing these goals. Also, they were aware of key civil rights and privacy issues, but respondents reported there is considerable work that needs to be done in their agencies to ensure agencies are fully compliant
Because of these setbacks, the intelligence cycle cannot be 100% efficient, due to analysts attempting to understand which set of policies to follow (will it be their respective agency’s or the national standards?). This would also come into question as to whether there would be any backlash if one set is followed but not the other due to the differing policies, as well as agencies ensuring that civil rights and privacy issues are being protected.
Acts, Laws, and Entities
Due to the different laws that exist, the efficiency of the intelligence cycle in collecting information is hindered. Such acts and laws would include the USA PATRIOT Act, the USA FREEDOM Act, and the Foreign Intelligence Surveillance Court. Law enforcement agencies before were able to wiretap conversations and obtain records regarding calls, telephone numbers, etc. that could be viable in stopping terrorist plots, and this gave LE agencies more tools to conduct counterintelligence (FBI, n.d.). However, because the population did not like that LE agencies could conduct such activities, more laws and acts were passed to limit LE agencies’ ability to conduct such activities and required them to ob.
This document discusses the importance of protecting personally identifiable information (PII) and complying with relevant laws and regulations. It covers what constitutes PII, why protection is critical to avoid identity theft, financial penalties, and reputational damage. Key aspects of PII management discussed include the storage, sensitivity, encryption of data, multi-jurisdictional issues, data ownership, procedures, and system needs across the data lifecycle. Major US privacy laws like FCRA and GLBA that regulate how PII is collected and used are also summarized.
Consumers rely on businesses to keep their personal information safe. Too few of those businesses are actively protecting that data. Here’s what’s gone wrong, and how businesses should be responding. Full blog here: http://bit.ly/1Jtzym5
Anonos NTIA Comment Letter on ''Big Data'' Developments and How They I... (Ted Myerson)
Read our NTIA comment letter on ''Big Data'' Developments and How They Impact the Consumer Privacy Bill of Rights. Filed with the NTIA on August 5, 2014.
Anonos has been working for over two years on technology that transforms data at the data element level, enabling de-identification and functional obscurity that preserves the value of the underlying data. Specifically, Anonos de-identification and functional obscurity risk management tools help enable data subjects to share information in a controlled manner, allowing them to receive information and offerings truly personalized for them while protecting against misuse of their data; and to facilitate improved healthcare, medical research, and personalized medicine by enabling aggregation of patient-level data without revealing the identity of patients.
The New Massachusetts Privacy Rules V4 (stevemeltzer)
The document summarizes the key aspects of the new Massachusetts Data Privacy Rules, including the requirements for organizations to develop a comprehensive written information security program, computer system security requirements, and breach reporting requirements. It provides an overview of the scope and goals of the rules, as well as actions organizations should take to ensure compliance, such as forming an implementation team, reviewing policies, encrypting devices, and training employees.
The New Massachusetts Privacy Rules V4 (stevemeltzer)
The document summarizes the key aspects of the new Massachusetts Data Privacy Rules, including the requirements for organizations to develop a comprehensive written information security program, implement computer system security measures, and report data breaches. It outlines the rules' scope, compliance deadlines, and enforcement consequences for non-compliance. Suggested next steps for organizations to achieve compliance are also provided.
Similar to Privacy and Data Security: Minimizing Reputational and Legal Risks (20)
Isabel Evans stopped drawing and painting after being told she was not very good at it, which led to a loss of confidence in her creative and professional abilities. However, she realized that attempting creative activities is important for cognitive and emotional development, and that making mistakes and learning from failures allows for growth. By reengaging with failure through art and with support from others, Isabel was able to regain confidence in her abilities and reboot her career. The document discusses different perspectives on failure and the importance of learning from mistakes.
Instill a DevOps Testing Culture in Your Team and Organization (TechWell)
The DevOps movement is here. Companies across many industries are breaking down siloed IT departments and federating them into product development teams. Testing and its practices are at the heart of these changes. Traditionally, IT organizations have been staffed with mostly manual testers and a limited number of automation and performance engineers. To keep pace with development in the new “you build it, you own it” environment, testing teams and individuals must develop new technical skills and even embrace coding to stay relevant and add greater value to the business. DevOps really starts with testing. Join Adam Auerbach as he explains what DevOps is and how it relates to testing. He describes how testing must change from top to bottom and how to access your own environment to identify improvement opportunities. Adam dives into practices like service virtualization, test data management, and continuous testing so you can understand where you are now and identify steps needed to instill a DevOps testing culture in your team and organization.
Test Design for Fully Automated Build Architecture (TechWell)
This document summarizes a half-day tutorial on test design for fully automated build architectures presented by Melissa Benua of mParticle at STAREAST 2018. The tutorial covered guiding principles for test design including prioritizing important and reliable tests, structuring automated pipelines around components, packages, and releases, and monitoring test results through code coverage, flaky test handling, and logging versus counters. It also included exercises mapping test cases to functional boundaries and categories of tests to pipeline stages.
System-Level Test Automation: Ensuring a Good Start (TechWell)
Many organizations invest a lot of effort in test automation at the system level but then have serious problems later on. As a leader, how can you ensure that your new automation efforts will get off to a good start? What can you do to ensure that your automation work provides continuing value? This tutorial covers both “theory” and “practice”. Dot Graham explains the critical issues for getting a good start, and Chris Loder describes his experiences in getting good automation started at a number of companies. The tutorial covers the most important management issues you must address for test automation success, particularly when you are new to automation, and how to choose the best approaches for your organization—no matter which automation tools you use. Focusing on system level testing, Dot and Chris explain how automation affects staffing, who should be responsible for which automation tasks, how managers can best support automation efforts to promote success, what you can realistically expect in benefits and how to report them. They explain—for non-techies—the key technical issues that can make or break your automation effort. Come away with your own clarified automation objectives, and a draft test automation strategy to use to plan your own system-level test automation.
Build Your Mobile App Quality and Test Strategy (TechWell)
Let’s build a mobile app quality and testing strategy together. Whether you have a web, hybrid, or native app, building a quality and testing strategy means (1) knowing what data and tools you have available to make agile decisions, (2) understanding your customers and your competitors, and (3) testing your app under real-world conditions. Jason Arbon guides you through the latest techniques, data, and tools to ensure the awesomeness of your mobile app quality and testing strategy. Leave this interactive session with a strategy for your very own app—or one you pretend to own. The information Jason shares is based on data from Appdiff’s next-gen mobile app testing platform, lessons from Applause/uTest’s crowd, text mining hundreds of millions of app store reviews, and in-depth discussions with top mobile app development teams.
Testing Transformation: The Art and Science for Success (TechWell)
Privacy and Data Security: Minimizing Reputational and Legal Risks
10/27/2014
Agile Development & Better Software Conference East 2014
November 12, 2014
Tatiana Melnik
Melnik Legal PLLC
tatiana@melniklegal.com | 734-358-4201
Tampa, FL

Outline
I. Regulating Privacy
II. Is Someone Regulating Software?
A. Federal Enforcement
B. State Enforcement
C. Private Enforcement
D. Costs of a Data Breach
III. Privacy by Design and the Software Development Life Cycle
I. Regulating Privacy
The Foundation of Privacy
o Federal Laws
US Constitution
Statutes
Federal Trade Commission Act (1914) - Section 5
Electronic Communications Privacy Act (1986)
Sarbanes-Oxley Act (2002)
Health Insurance Portability and Accountability Act (1996) and the more recent Health Information Technology for Economic and Clinical Health Act (2009)
Computer Security Act (1987)
Gramm-Leach-Bliley Act (1999)
Many more…
U.S. Constitution
o Supreme Court Cases
Griswold v. Connecticut – emanations from penumbras
Roe v. Wade – the right of women to choose
Whalen v. Roe – privacy vs. the public interest

U.S. Constitution
o Context Matters
“The Constitution does not explicitly mention any right of privacy” - Roe v. Wade
“Zones of privacy” - Griswold v. Connecticut
First Amendment: Right of association
Third Amendment: Right not to have to quarter soldiers
Fourth Amendment: Right against unreasonable search and seizure (“expectation of privacy”)
Fifth Amendment: Right against self-incrimination
Ninth Amendment: Preservation of unenumerated rights
U.S. Constitution
o Context Matters
Justice Potter Stewart’s famous quote, holding that the Constitution protected all obscenity except “hard-core pornography.” Stewart wrote:
“I shall not today attempt further to define the kinds of material I understand to be embraced within that shorthand description; and perhaps I could never succeed in intelligibly doing so. But I know it when I see it, and the motion picture involved in this case is not that.”
Federal Legislation
o Context Still Matters
Targeted Information: Financial (GLBA); Medical (HIPAA)
Targeted Constituency: Consumers (FTC Section 5); Children (COPPA)
Segregation of Super Private Information: STDs; Mental health; Substance abuse
Obligations for using particular information

State Laws
• Social Security Numbers
• Drivers licenses
• Protection of health care information
• Recordkeeping and data destruction
• Breach disclosure
State Laws
What is PII? What state are you in?
Social Security Number
Credit / Debit Card Number (with a pin no.)
Medical history or treatment
Health insurance policy number
Username or e-mail address plus password

Industry Standards
o EHNAC (Electronic Healthcare Network Accreditation Commission) – an independent, federally recognized, standards development organization
o PCI DSS
o NIST – sets standards for U.S. federal agencies, which often become the de-facto standards throughout industry
International Laws
o E.U. Privacy Directive 95/46/EC – addresses the collection, use, processing, and movement of personal data
o E.U. Internet Privacy Law of 2002 (Directive 2002/58/EC) – protects data in electronic transactions
o Individual countries have their own laws

What do the Laws Cover?
What information can be collected
How it must be stored and secured
Under what circumstances it can be shared
Under what circumstances it can be disclosed
Responding to data breaches and data losses
Penalties for data breaches and data losses
II. Is Someone Regulating Software?

Enforcement Landscape
o Who is Enforcing Privacy and Security?
Federal Trade Commission
HHS Office of Civil Rights
States’ Attorneys General
SEC
Consumers
State Boards
Insurance Regulators
FFIEC
NYDFS
Federal Trade Commission
Works for consumers to prevent fraudulent, deceptive, and unfair business practices
Section 5 – “unfair or deceptive acts or practices in or affecting commerce ...are... declared unlawful.”
Has authority to pursue any company
Has pursued companies across a number of industries

Federal Trade Commission
o Practices the FTC finds problematic
Improper use of data
Retroactive changes
Deceitful data collection
Unfair data security practices
For a more detailed analysis, see Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, Columbia Law Review (2014)
Federal Trade Commission
o In the Matter of HTC America, Inc. – July 2013
Phone and software manufacturer, using Android and Windows operating systems
Allegation: company failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk

Federal Trade Commission
o What did the FTC allege HTC did wrong?
respondent engaged in a number of practices that, taken together, failed to employ reasonable and appropriate security in the design and customization of the software on its mobile devices
Assess Security - failed to implement an adequate program to assess the security of products it shipped to consumers
Provide Guidance and Training - failed to implement adequate privacy and security guidance or training for its engineering staff
Federal Trade Commission
Testing and auditing - failed to conduct assessments, audits, reviews, or tests to identify potential security vulnerabilities in its mobile devices
Failed to follow standards - failed to follow well-known and commonly-accepted secure programming practices, including secure practices that were expressly described in the operating system’s guides for manufacturers and developers, which would have ensured that applications only had access to users’ information with their consent

Federal Trade Commission
No communication - failed to implement a process for receiving and addressing security vulnerability reports from third-party researchers, academics or other members of the public, thereby delaying its opportunity to correct discovered vulnerabilities or respond to reported incidents
HTC introduced numerous security vulnerabilities in the process of customizing its mobile devices
Federal Trade Commission
Introduced numerous permission re-delegation vulnerabilities through its custom, pre-installed applications
Because there was no check, third party apps could enable the device’s microphone; access the user’s GPS-based, cell-based, and WiFi-based location information; and send text messages -- all without requesting the user’s permission
HTC could have prevented this by including simple, well-documented software code – “permission check” code
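The “permission check” code the slide refers to, as an added example that is not from the slides, the FTC complaint, or HTC’s own software: an Android bound Service that relays SMS sending for other apps. Because the hosting app holds SEND_SMS itself, exporting such a component without verifying the caller re-delegates that permission to any app that can bind to it, which is the flaw class the complaint describes. The package name, service name, and transaction code are assumed for illustration.

```java
package com.example.permcheck; // assumed package name

import android.Manifest;
import android.app.Service;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;
import android.telephony.SmsManager;
import android.util.Log;

/**
 * Added example (not HTC's code): an exported bound service that sends an SMS
 * on behalf of a calling app. The only thing standing between "useful helper"
 * and "permission re-delegation vulnerability" is the caller check in relaySms.
 */
public final class SmsRelayService extends Service {
    private static final String TAG = "SmsRelayService";
    /** Assumed transaction code for "send an SMS" (dest string, body string). */
    static final int CODE_SEND = IBinder.FIRST_CALL_TRANSACTION;

    private final Binder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            if (code != CODE_SEND) {
                return super.onTransact(code, data, reply, flags);
            }
            String dest = data.readString();
            String body = data.readString();
            // onTransact runs inside the caller's Binder transaction, so the
            // identity checked below is the calling app's, not this app's.
            boolean sent = relaySms(SmsRelayService.this, dest, body);
            reply.writeInt(sent ? 1 : 0);
            return true;
        }
    };

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }

    /**
     * The permission check that the complaint says was missing. Without it, any
     * app able to bind to this service could send SMS using this app's grant,
     * with the user never having approved SEND_SMS for the caller.
     */
    static boolean relaySms(Context ctx, String dest, String body) {
        int rc = ctx.checkCallingPermission(Manifest.permission.SEND_SMS);
        if (rc != PackageManager.PERMISSION_GRANTED) {
            Log.w(TAG, "SEND_SMS denied for calling uid " + Binder.getCallingUid());
            return false;
        }
        // The caller already holds SEND_SMS, so relaying does not widen its privileges.
        SmsManager.getDefault().sendTextMessage(dest, null, body, null, null);
        return true;
    }
}
```

The same protection can be declared instead of coded: setting android:permission="android.permission.SEND_SMS" on the <service> element in the manifest makes the system reject binders that lack the permission before onBind is ever called, and a component that has no reason to be reachable from other apps should simply be declared android:exported="false". The in-code check is still worth keeping for components whose callers must satisfy finer-grained rules than one manifest permission can express.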
Federal Trade Commission
Failed to use readily-available and documented secure communications mechanisms in implementing logging applications on its devices, placing sensitive information at risk
Instead of using one of these well-known, secure alternatives [(e.g., Android inter-process, secure UNIX sockets)], HTC implemented communication mechanisms (e.g., INET sockets) that could not be restricted in a similar manner
Failed to implement other, additional security measures (e.g., data encryption) that could have secured these communications mechanisms
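What “could not be restricted in a similar manner” means in practice, shown as an added example that is not from the slides, the complaint, or HTC: a log-collection endpoint built on an Android UNIX domain socket. An INET socket listening on localhost accepts a connection from any app on the device and gives the server no way to learn which app connected; a local socket exposes the peer’s UID (Android assigns one per app), so the server can enforce a policy on who may talk to it. The socket name and the same-UID trust policy are assumptions for illustration.

```java
package com.example.ipc; // assumed package name

import android.net.Credentials;
import android.net.LocalServerSocket;
import android.net.LocalSocket;
import android.os.Process;
import android.util.Log;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;

/**
 * Added example (not HTC's code): a logging sink that only accepts local-socket
 * connections from a trusted peer, checked via SO_PEERCRED-style credentials.
 * Run it on a background thread: new Thread(new LogSocketServer()).start();
 */
public final class LogSocketServer implements Runnable {
    private static final String TAG = "LogSocketServer";
    /** Assumed abstract-namespace socket name; any app can reach it, hence the UID check. */
    private static final String SOCKET_NAME = "com.example.ipc.logsink";

    private final LocalServerSocket server;

    public LogSocketServer() throws IOException {
        server = new LocalServerSocket(SOCKET_NAME);
    }

    /**
     * Trust policy (assumed): accept only peers running under this app's own UID,
     * i.e. the app itself or packages sharing its sharedUserId. An INET socket
     * has no equivalent of this check, which is the gap the complaint describes.
     */
    static boolean isTrustedPeer(Credentials peer) {
        return peer != null && peer.getUid() == Process.myUid();
    }

    @Override
    public void run() {
        while (!Thread.currentThread().isInterrupted()) {
            // try-with-resources closes the client socket on every path,
            // including the early rejection below.
            try (LocalSocket client = server.accept()) {
                Credentials peer = client.getPeerCredentials();
                if (!isTrustedPeer(peer)) {
                    Log.w(TAG, "rejecting connection from uid "
                            + (peer == null ? "unknown" : String.valueOf(peer.getUid())));
                    continue;
                }
                BufferedReader in = new BufferedReader(
                        new InputStreamReader(client.getInputStream(), "UTF-8"));
                String line;
                while ((line = in.readLine()) != null) {
                    // Sensitive diagnostic data stays with a peer we have identified.
                    Log.i(TAG, "log from trusted peer: " + line);
                }
            } catch (IOException e) {
                Log.e(TAG, "accept or read failed", e);
            }
        }
    }
}
```

A deployment that must accept data from other vendor packages would replace the same-UID rule with an allow-list of UIDs resolved through PackageManager for specific signed packages; the structural point is unchanged, namely that the channel itself tells the server who is on the other end, which is what makes a restriction enforceable at all.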
13. 10/27/2014
13
HTC failed to deactivate the debug code before its devices shipped for sale to consumers
HTC could have detected its failure to deactivate the debug code in its CIQ Interface had it had adequate processes and tools in place for reviewing and testing the security of its software code
o HTC settled with the FTC – agreed to:
Establish, implement, and maintain a comprehensive security program that is reasonably designed to
(1) address security risks related to the development and management of new and existing covered devices, and
(2) protect the security, confidentiality, and integrity of covered information, whether collected by respondent or input into, stored on, captured with, accessed or transmitted through a covered device.
• Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the covered device functionality or covered information, including:
designation of an employee or employees to coordinate and be accountable for the security program
identification of material internal and external risks to the security of covered devices that could result in unauthorized access to or use of covered device functionality, and assessment of the sufficiency of any safeguards in place to control these risks
[in assessing and designing risk program, consider] risks in each area of relevant operation, including, but not limited to:
(1) employee training and management;
(2) product design, development and research;
(3) secure software design and testing, including secure engineering and defensive programming; and
(4) review, assessment, and response to third-party security vulnerability reports
What kind of program does your company have for monitoring and testing software deficiencies?
o HTC has a 20 year compliance period
Every two years, must get a third party audit that
Evaluates its “administrative, technical, and physical safeguards”
Certifies that its “security program is operating with sufficient effectiveness to provide reasonable assurance that the security of covered device functionality and the security, confidentiality, and integrity of covered information is protected and has so operated throughout the reporting period”
o GMR Transcription Services, Inc. & the Two Principal Owners
Providers of medical transcription services
Liability based on action of contractor
Company = 20 years compliance
IT IS FURTHER ORDERED that respondents Prasad and
Srivastava [(the individual owners)], for a period of TEN (10)
YEARS after the date of issuance of the order, shall notify the
Commission of the following:
(a) Any changes to . . . residence, mailing addresses and/or
telephone numbers, within ten (10) days of the date of such
change;
(b) Any changes in . . . employment status (including self-
employment), and any changes in ownership in any business
entity, within ten (10) days of the date of such change. Such
notice shall include: [lots of stuff]; and
(c) Any changes in . . . name or use of any aliases or
fictitious names, including “doing business as” names.
HHS Office of Civil Rights
Enforces HIPAA
HITECH Act (2009) expanded the scope of coverage to authorize enforcement authority over certain vendors (BAs)
By OCR
State AGs
Mandatory penalties
HHS Office of Civil Rights
Covered Entities (healthcare providers, health plans, etc.)
Business Associates: IT Management Company; EHR Vendor; Mobile App Developer; Integration Specialist
Subcontractors: Data Destruction Vendor; Data Center; Analytics Firm; Interface Developments
o Enforcement by HHS Office of Civil Rights
As of Aug. 7, 2014, 21 organizations have paid out a total $22,446,500 in settlements (with one fine)
o Cignet Health ($4.3M) (fine)
o Blue Cross Blue Shield of TN ($1.5M)
o WellPoint ($1.7M)
o Phoenix Cardiac Surgery ($100K)
o Idaho State University ($400K)
o Alaska Dept. of Health & Human Services ($1.7M)
o Massachusetts Eye and Ear Infirmary ($1.5M)
o Skagit County, Washington ($215K)
o New York & Presbyterian Hospital ($3M) (settlement)
o Columbia University ($1.5M)
State’s Attorneys’ General
Enforcement under State’s laws and, because of HITECH, under HIPAA
Can take action on behalf of State or on behalf of State residents
Most active areas: Healthcare; Mobile app developers
Indiana AG sued WellPoint (WellPoint also settled with OCR for $1.7M)
Connecticut AG sued HealthNet
Vermont AG sued HealthNet
Minnesota AG sued Accretive
Massachusetts sued a Rhode Island hospital
California AG active in mobile space
Private Enforcement
Class Actions / Individual Claims
Claims: Negligence; Breach of warranty; Intentional infliction of emotional distress; False advertising; Unreasonable delay in notification / remedying breach; Invasion of privacy; Negligent supervision
Consumers
Abigail E. Hinchy v. Walgreen Co. et al. (Indiana Superior Ct., 2013)
• Pharmacist improperly accessed medical records of one patient
• Patient reported the incident to Walgreens and Walgreens did not disable the pharmacist’s access
• Jury awarded $1.8 million, with $1.4M of that to be paid by Walgreens
Costs of a Data Breach
o Data breaches are expensive to handle
Source: Ponemon Institute, 2014 Cost of Data Breach Study: Global Analysis (May 2014)
Costs of a Data Breach
$3.3M – Average lost business costs
$5.85M – Average total organizational cost of data breach
$509,237 – Average data breach notification costs
$1.6M – Average post data breach costs
Source: Ponemon Institute, 2014 Cost of Data Breach Study: Global Analysis (May 2014)
Software Matters
o Processed and analyzed over 100 terabytes of traffic daily
49,917 unique malicious events
723 unique malicious source IP addresses
375 U.S.-based compromised health care-related organizations
Outline
I. Regulating Privacy
II. Is Someone Regulating Software?
A. Federal Enforcement
B. State Enforcement
C. Private Enforcement
D. Costs of a Data Breach
III. Privacy by Design and the Software Development Life Cycle
Privacy by Design
o “Privacy by Design”
Phrase first used in 1995, in a joint report by the Dutch Data Protection Authority and the Ontario Information Commissioner
A systems engineering approach that advocates for “building in privacy up front - right into the design specifications and architecture of new systems and processes”
“Privacy by Design advances the view that the future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization’s default mode of operation.”
Dr. Ann Cavoukian, Information & Privacy Commissioner Ontario, Canada
Privacy by Design
Proactive not Reactive; Preventative not Remedial
Privacy as the Default Setting
Privacy Embedded into Design
Full Functionality — Positive-Sum, not Zero-Sum
End-to-End Security — Full Lifecycle Protection
Visibility and Transparency — Keep it Open
Respect for User Privacy — Keep it User-Centric
Privacy by Design
o FTC
Baseline Principle: Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services.
“In calling for privacy by design, staff advocated for the implementation of substantive privacy protections – such as data security, limitations on data collection and retention, and data accuracy – as well as procedural safeguards aimed at integrating the substantive principles into a company’s everyday business operations.”
Agile Software Development
“Privacy by Design advances the view that the future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization’s default mode of operation.”
Dr. Ann Cavoukian, Information & Privacy Commissioner Ontario, Canada
o How can the iterative and continuous improvement Agile “mindset” help privacy by design become
Agile Software Development
o Privacy is the responsibility of everyone, not just the “security guy”
Proactive
Use the iterative and flexible approach to build security into the design on an iterative and continuous basis
Always ask
Can my code be more secure?
Can I build in additional protections?
Do I need to protect users from themselves?
Is the default setting yes? Should it be no?
Do I really need to collect and store that information or am I doing it because it’s ‘interesting’?
Agile Software Development
o Goal of Agile methodology – respond quickly to change
Security is always changing
But, how does that align with the goal of developing software more quickly?
o Value - Working software over comprehensive documentation
Is there a need to produce documentation regarding security?
YES!
How else do you demonstrate that you took the time to implement “reasonable and appropriate security”?
In the regulatory world, if you didn’t document, you didn’t do it….
Two Final Thoughts…
o Consider your most private secret…
What if what you just designed stored that information? Would you use that technology?
What if your employer treated your social security number the same way you treat other peoples’ data?
Disclaimer
This slide presentation is informational only and was prepared to provide a brief overview of enforcement efforts related to data privacy and security. It does not constitute legal or professional advice.
You are encouraged to consult with an attorney if you have specific questions relating to any of the topics covered in this presentation, and Melnik Legal PLLC would be pleased to assist you on these matters.
Any Questions?
Tatiana Melnik
Attorney, Melnik Legal PLLC
Based in Tampa, FL
734.358.4201
tatiana@melniklegal.com
122 3049
UNITED STATES OF AMERICA
FEDERAL TRADE COMMISSION
COMMISSIONERS: Edith Ramirez, Chairwoman
Julie Brill
Maureen K. Ohlhausen
Joshua D. Wright
In the Matter of HTC AMERICA Inc., a corporation.
DOCKET NO. C-4406
COMPLAINT
The Federal Trade Commission, having reason to believe that HTC America, Inc.
(“respondent”) has violated the provisions of the Federal Trade Commission Act, and it
appearing to the Commission that this proceeding is in the public interest, alleges:
1. Respondent HTC America Inc. (“HTC”) is a Washington corporation with its principal
office or place of business at 13920 SE Eastgate Way, Suite #400, Bellevue, WA 98005.
2. The acts and practices of respondent as alleged in this complaint have been in or affecting
commerce, as “commerce” is defined in Section 4 of the Federal Trade Commission Act.
3. Respondent is a mobile device manufacturer that develops and manufactures smartphones
and tablet computers using Google Inc.’s (“Google”) Android operating system and
Microsoft Corporation’s (“Microsoft”) Windows Mobile and Windows Phone mobile
operating systems.
ANDROID’S PERMISSION-BASED SECURITY MODEL
4. Google’s Android operating system protects certain sensitive information (e.g., location
information or the contents of text messages) and sensitive device functionality (e.g., the
ability to record audio through the device’s microphone or the ability to take photos with
the device’s camera) through a permission-based security model. In order to access
sensitive information or sensitive device functionality, a third-party application must
declare the fact that it will access such information or functionality.
5. Before a user installs a third-party application, the Android operating system provides
notice to the user regarding what sensitive information or sensitive device functionality
the application has declared it requires. The user must accept these “permissions” in
order to complete installation of the third-party application.
HTC’S FAILURE TO EMPLOY REASONABLE SECURITY IN THE
CUSTOMIZATION OF ITS MOBILE DEVICES
6. HTC has customized its Android-based mobile devices by adding and/or modifying
various pre-installed applications and components in order to differentiate its products
from those of competitors also manufacturing Android-based mobile devices. HTC has
also customized both its Android and Windows Mobile devices in order to comply with
the requirements of certain network operators, such as Sprint Nextel Corporation
(“Sprint”) and AT&T Mobility LLC (“AT&T”). Since the customized applications and
components are pre-installed on the device, consumers do not choose to install the
customized applications and components, and the device user interface does not provide
consumers with an option to uninstall or remove the customized applications and
components from the device.
7. Until at least November 2011, respondent engaged in a number of practices that, taken
together, failed to employ reasonable and appropriate security in the design and
customization of the software on its mobile devices. Among other things, respondent:
(a) failed to implement an adequate program to assess the security of products it shipped
to consumers; (b) failed to implement adequate privacy and security guidance or training
for its engineering staff; (c) failed to conduct assessments, audits, reviews, or tests to
identify potential security vulnerabilities in its mobile devices; (d) failed to follow well-
known and commonly-accepted secure programming practices, including secure practices
that were expressly described in the operating system’s guides for manufacturers and
developers, which would have ensured that applications only had access to users’
information with their consent; and (e) failed to implement a process for receiving and
addressing security vulnerability reports from third-party researchers, academics or other
members of the public, thereby delaying its opportunity to correct discovered
vulnerabilities or respond to reported incidents.
8. As a result of its failures described in Paragraph 7, HTC introduced numerous security
vulnerabilities in the process of customizing its mobile devices. Once in place, HTC
failed to detect and mitigate these vulnerabilities, which, if exploited, provide third-party
applications with unauthorized access to sensitive information and sensitive device
functionality. The following examples in paragraphs 9 to 15 serve to illustrate the
consequences of HTC’s failure to employ reasonable and appropriate security in the
design and customization of the software on its mobile devices.
PERMISSION RE-DELEGATION
9. HTC undermined the Android operating system’s permission-based security model in its
devices by introducing numerous “permission re-delegation” vulnerabilities through its
custom, pre-installed applications. Permission re-delegation occurs when one application
that has permission to access sensitive information or sensitive device functionality
provides another application that has not been given the same level of permission with
access to that information or functionality. For example, under the Android operating
system’s security framework, a third-party application must receive the user’s permission
to access the device’s microphone, since the ability to record audio is considered
sensitive functionality. But in its devices, HTC pre-installed a custom voice recorder
application that, if exploited, would provide any third-party application access to the
device’s microphone, even if the third-party application had not requested permission for
that functionality.
10. HTC could have prevented this by including simple, well-documented software code -
“permission check” code - in its voice recorder application to check that the third-party
application had requested the necessary permission. Because HTC failed in numerous
instances to include permission check code in its custom, pre-installed applications, any
third-party application exploiting these vulnerabilities could command those HTC
applications to access various sensitive information and sensitive device functionality on
its behalf -- including enabling the device’s microphone; accessing the user’s GPS-based,
cell-based, and WiFi-based location information; and sending text messages -- all without
requesting the user’s permission.
11. Malware could exploit these vulnerabilities to, for example, surreptitiously record phone
conversations or other sensitive audio, to surreptitiously track a user’s physical location,
and to perpetrate “toll fraud,” the practice of sending text messages to premium numbers
in order to charge fees to the user’s phone bill. These vulnerabilities have been present
on approximately 18.3 million HTC devices running Android v. 2.1.x, 2.2.x, 2.3.x, and
3.0.x.
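The "permission check" code paragraphs 9 and 10 describe, as an added example that is not HTC's code or anything from the complaint. It is a hypothetical pre-installed voice recorder exposing a bound Service: the first Binder method omits the check and therefore re-delegates this app's own RECORD_AUDIO grant to any caller, the second refuses callers that do not hold the permission themselves. Package, class and method names are assumed.

```java
// Added example, not HTC's code or any code from the FTC complaint.
// Package, class and method names are hypothetical.
package com.example.recorder;

import android.Manifest;
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.media.MediaRecorder;
import android.os.Binder;
import android.os.IBinder;
import android.util.Log;

import java.io.IOException;

/**
 * A pre-installed voice recorder that other apps can bind to. This app holds
 * RECORD_AUDIO itself, so any caller it serves inherits that grant unless the
 * service checks the caller's own permissions (complaint paragraphs 9-10).
 * Declaring android:permission="android.permission.RECORD_AUDIO" on the
 * <service> element in the manifest is the equivalent system-enforced check.
 */
public class VoiceRecorderService extends Service {
    private static final String TAG = "VoiceRecorderService";
    private MediaRecorder recorder;

    public class RecorderBinder extends Binder {
        /**
         * VULNERABLE: no permission check. An app that never requested
         * RECORD_AUDIO can bind and call this; the microphone is then opened
         * under this service's grant, not the caller's (permission re-delegation).
         */
        public void startRecordingUnchecked(String outputPath) throws IOException {
            startRecorder(outputPath);
        }

        /**
         * HARDENED: checkCallingPermission() asks whether the Binder caller's
         * UID holds the permission. It ignores this app's own grant and returns
         * PERMISSION_DENIED when there is no remote caller, so the service never
         * lends its RECORD_AUDIO to anyone. (It is a Context method, resolved
         * here as VoiceRecorderService.this.checkCallingPermission().)
         */
        public void startRecording(String outputPath) throws IOException {
            int result = checkCallingPermission(Manifest.permission.RECORD_AUDIO);
            if (result != PackageManager.PERMISSION_GRANTED) {
                Log.w(TAG, "Refusing microphone access to uid " + Binder.getCallingUid());
                throw new SecurityException(
                        "Caller must hold " + Manifest.permission.RECORD_AUDIO);
            }
            startRecorder(outputPath);
        }

        public void stopRecording() {
            stopRecorder();
        }
    }

    private final IBinder binder = new RecorderBinder();

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }

    private synchronized void startRecorder(String outputPath) throws IOException {
        if (recorder != null) {
            return; // already recording
        }
        recorder = new MediaRecorder();
        recorder.setAudioSource(MediaRecorder.AudioSource.MIC);
        recorder.setOutputFormat(MediaRecorder.OutputFormat.THREE_GPP);
        recorder.setAudioEncoder(MediaRecorder.AudioEncoder.AMR_NB);
        recorder.setOutputFile(outputPath);
        recorder.prepare();
        recorder.start();
    }

    private synchronized void stopRecorder() {
        if (recorder == null) {
            return;
        }
        recorder.stop();
        recorder.release();
        recorder = null;
    }

    @Override
    public void onDestroy() {
        stopRecorder();
        super.onDestroy();
    }
}
```

The same pattern (enforceCallingPermission or a manifest permission on the exported component) applies to the installer component in paragraph 12, where the missing check let callers install packages under the pre-installed app's identity.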
APPLICATION INSTALLATION VULNERABILITY
12. Relatedly, HTC pre-installed a custom application on its Android-based devices that
could download and install applications outside of the normal Android installation
process. Again, HTC failed to include appropriate permission check code to protect this
pre-installed application from exploitation. As a result, any third-party application
exploiting the vulnerability could command this pre-installed application to download
and install any additional applications from any server onto the device without the user’s
knowledge or consent. Because this would occur outside the normal installation process,
the user would not be presented with a permission screen that explained what sensitive
information or sensitive device functionality the additional application being installed
would be able to access. In effect, this vulnerability undermines all protections provided
by Android’s permission-based security model. This vulnerability has been present on
approximately 18.3 million HTC devices running Android v. 2.1.x, 2.2.x, 2.3.x, 3.0.x and
certain devices that were upgraded to Android v. 4.0.x.
INSECURE COMMUNICATIONS MECHANISMS
13. HTC failed to use readily-available and documented secure communications mechanisms
in implementing logging applications on its devices, placing sensitive information at risk.
Logging applications collect information that can be used, for example, to diagnose
device or network problems. Because of the sensitivity of the information, as described
below, communications with logging applications should be secure to ensure that only
designated applications can access the information. Secure communications mechanisms
-- such as the Android inter-process communication mechanisms expressly described in
the Android developer guides, or secure UNIX sockets – could have been used to ensure
that only HTC-designated applications could access the sensitive information collected
by the logging application. Instead of using one of these well-known, secure alternatives,
HTC implemented communication mechanisms (e.g., INET sockets) that could not be
restricted in a similar manner. Moreover, HTC failed to implement other, additional
security measures (e.g., data encryption) that could have secured these communications
mechanisms. Because the communications mechanisms were insecure, any third-party
application that could connect to the internet could communicate with the logging
applications on HTC devices and access a variety of sensitive information and sensitive
device functionality, as described below.
a. HTC Loggers. Beginning in May 2010, HTC installed its customer support and
trouble-shooting tool HTC Loggers on approximately 12.5 million Android-based
mobile devices. Because HTC Loggers could collect sensitive information from
various device logs, it was supposed to have been accessible only to HTC and
certain network operators, and only after the user had consented to its use by
manually entering a special code into the mobile device. Moreover, the Android
permission-based security model normally requires a third-party application to
obtain the user’s consent before accessing the device logs. Because HTC used an
insecure communications mechanism, however, both of these intended protections
were undermined, and any third-party application on the user’s device that could
connect to the internet could exploit the vulnerability to communicate with HTC
Loggers without authorization and command it to collect and transmit information
from the device logs. This information could include, but was not limited to,
contents of text messages; last known location and a limited history of GPS and
network locations; a user’s personal phone number, phone numbers of contacts,
and phone numbers of those who send text messages to the user; dialed digits;
web browsing and media viewing history; International Mobile Equipment
Identity (“IMEI”) or Mobile Equipment Identifier (“MEID”); and registered
accounts such as Gmail and Microsoft Exchange account user names.
b. Carrier IQ. Beginning in 2009, HTC embedded Carrier IQ diagnostics software
on approximately 10.3 million Android-based mobile devices and 330,000
Windows Mobile-based mobile devices at the direction of network operators
Sprint and AT&T, who used Carrier IQ to collect a variety of information,
described in subparagraph (i) below, from user devices to analyze network and
device problems. In order to embed the Carrier IQ software on its mobile devices,
HTC developed a “CIQ Interface” that would pass the necessary information to
the Carrier IQ software. The information collected by the Carrier IQ software
was supposed to have been accessible only to the network operators, but because
HTC used an insecure communications mechanism, any third-party application on
the user’s device that could connect to the internet could exploit the vulnerability
to communicate with the CIQ Interface, allowing it to:
i. Intercept the sensitive information being collected by the Carrier IQ
software. This information could include, but was not limited to, GPS-
based location information; web browsing and media viewing history; the
size and number of all text messages; the content of each incoming text
message; the names of applications on the user’s device; the numeric keys
pressed by the user; and any other usage and device information specified
for collection by certain network operators; and
ii. In the case of HTC’s Android-based devices, perform potentially
malicious actions, including, but not limited to, sending text messages
without permission. As described in Paragraph 11, malware could exploit
this vulnerability to perpetrate toll fraud. Moreover, in this case, the sent
text messages would not appear in the user’s outbox, making it impossible
for the user to verify that unauthorized text messages had been sent from
the device.
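The two communication designs contrasted in paragraph 13, as an added example that is not HTC's code: a hypothetical logging component that hands device logs to a designated support app, first over the loopback INET socket the complaint faults, then over a UNIX domain socket where the kernel-reported peer UID lets the server restrict access to one package. Package, class, socket and method names are assumed, and the log bytes are a constructed stand-in.

```java
// Added example, not HTC's code. Package, class, socket and method names are
// hypothetical; logData is a constructed stand-in for real device logs.
package com.example.logger;

import android.content.Context;
import android.content.pm.PackageManager;
import android.net.Credentials;
import android.net.LocalServerSocket;
import android.net.LocalSocket;
import android.os.Process;
import android.util.Log;

import java.io.IOException;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;

/**
 * Exports collected log data to a designated support app on the same device.
 * serveOverInetSocket is the design paragraph 13 faults; serveOverLocalSocket
 * is the UNIX-socket alternative it says was readily available.
 */
public final class LogExportServer {
    private static final String TAG = "LogExportServer";

    private LogExportServer() {}

    /**
     * VULNERABLE: a TCP listener on loopback. Every app holding INTERNET can
     * open 127.0.0.1:port, and TCP carries no caller identity, so there is
     * nothing the server could check before writing the logs.
     */
    public static void serveOverInetSocket(int port, byte[] logData) throws IOException {
        try (ServerSocket server =
                     new ServerSocket(port, 1, InetAddress.getLoopbackAddress());
             Socket client = server.accept();
             OutputStream out = client.getOutputStream()) {
            out.write(logData); // delivered to whichever app connected first
        }
    }

    /**
     * HARDENED: an abstract-namespace UNIX domain socket. The kernel reports
     * the connecting process's UID (SO_PEERCRED), which on Android identifies
     * the app, so the server can refuse everyone but the designated package.
     */
    public static void serveOverLocalSocket(Context ctx, String socketName,
                                           String allowedPackage, byte[] logData)
            throws IOException {
        int allowedUid = uidOfPackage(ctx, allowedPackage);
        LocalServerSocket server = new LocalServerSocket(socketName);
        try {
            LocalSocket client = server.accept();
            try {
                Credentials peer = client.getPeerCredentials();
                if (!isAllowedPeer(peer.getUid(), allowedUid)) {
                    Log.w(TAG, "Rejected log request from uid " + peer.getUid());
                    return; // connection closed in finally, nothing sent
                }
                client.getOutputStream().write(logData);
            } finally {
                client.close();
            }
        } finally {
            server.close();
        }
    }

    /** Only our own UID or the designated package's UID may read the logs. */
    static boolean isAllowedPeer(int peerUid, int allowedUid) {
        return peerUid == Process.myUid() || (allowedUid >= 0 && peerUid == allowedUid);
    }

    private static int uidOfPackage(Context ctx, String packageName) {
        try {
            return ctx.getPackageManager().getApplicationInfo(packageName, 0).uid;
        } catch (PackageManager.NameNotFoundException e) {
            return -1; // designated app not installed: only our own UID qualifies
        }
    }
}
```

The socket type alone does not restrict callers: an abstract-namespace socket is reachable by any app, so the peer-UID check is what actually enforces the allowlist (a filesystem-path socket could add file permissions on top). Encrypting the log stream, the complaint's other missing measure, is a separate layer and is not shown here.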
DEBUG CODE
14. During the development of an application, developers may activate “debug code” in order
to help test whether the application is functioning as intended. When developing its CIQ
Interface for its Android-based devices, HTC activated debug code in order to test
whether the CIQ Interface properly sent all of the information specified by the network
operator. The debug code accomplished this by writing the information to a particular
device log known as the Android system log, which could then be reviewed. However,
HTC failed to deactivate the debug code before its devices shipped for sale to consumers.
As a result of the active debug code, all information that the CIQ Interface sent to the
Carrier IQ software from a consumer’s device, including the information specified in
Paragraph 13(b)(i), was also written to the Android system log on the device. This
information was supposed to have been accessible only to the network operators, never
written to the system log. Because it ended up in the system log, this sensitive
information was:
a. Accessible to any third-party application with permission to read the system log.
Although users may provide third-party applications with permission to read the
system log for certain purposes -- for example, to trouble-shoot application
crashes -- those applications never should have had access to all the sensitive
information, such as the contents of incoming text messages, that the Carrier IQ
software was collecting.
b. Sent to HTC. The information in the system log is sent to HTC when a user
chooses to send HTC an error report through its “Tell HTC” error reporting tool,
described in Paragraph 20. Accordingly, in some cases, HTC also received this
sensitive information, including users’ GPS-based location information.
15. HTC could have detected its failure to deactivate the debug code in its CIQ Interface had
it had adequate processes and tools in place for reviewing and testing the security of its
software code.
CONSUMERS RISK HARM DUE TO HTC’S SECURITY FAILURES
16. Because of the potential exposure of sensitive information and sensitive device
functionality through the security vulnerabilities in HTC mobile devices, consumers are
at risk of financial and physical injury and other harm. Among other things, malware
placed on consumers’ devices without their permission could be used to record and
transmit information entered into or stored on the device, including financial account
numbers and related access codes or personal identification numbers, medical
information, and personal information such as text messages and photos. Sensitive
information exposed on the devices could be used, for example, to target spear-phishing
campaigns, physically track or stalk individuals, and perpetrate fraud, resulting in costly
bills to the consumer. Misuse of sensitive device functionality such as the device’s audio
recording feature would allow hackers to capture private details of an individual’s life.
17. In fact, malware developers have targeted the types of sensitive information and sensitive
device functionalities that potentially are exposed through the security vulnerabilities in
HTC mobile devices. Text message toll fraud, for example, is one of the most common
types of Android malware. Security researchers have also found Android malware that
records and stores users’ phone conversations and that tracks users’ physical location.
18. Had HTC implemented an adequate security program, it likely would have prevented, or
at least timely resolved, many of the serious security vulnerabilities it introduced through
the process of customizing its mobile devices. HTC could have implemented readily-
available, low-cost measures to address these vulnerabilities – for example, adding a few
lines of permission check code when programming its pre-installed applications, or
implementing its logging applications with secure communications mechanisms.
Consumers had little, if any, reason to know their information was at risk because of the
vulnerabilities introduced by HTC.
HTC’S PRIVACY AND SECURITY REPRESENTATIONS
19. Since at least October 2009, user manuals for HTC’s Android-based mobile devices
contained the following statements, or similar statements, regarding Android’s
permission-based security model:
. . .
20. Since at least June 2011, HTC has, in many of its Android-based mobile devices,
included the Tell HTC error reporting tool. The error reporting tool provides the user
with an opportunity to send a report to HTC when there is an application or system crash.
The report includes the information in the Android system log. The Tell HTC user
interface provides the user with the additional option of submitting location information
with the report by checking the button marked “Add location data,” as depicted below:
Through this user interface, HTC represents that the user’s location data will not be sent
to HTC if the user does not check the button marked “Add location data.”
HTC’S UNFAIR SECURITY PRACTICES
(Count 1)
21. As set forth in Paragraph 7-18, HTC failed to employ reasonable and appropriate security
practices in the design and customization of the software on its mobile devices. HTC’s
practices caused, or are likely to cause, substantial injury to consumers that is not offset
by countervailing benefits to consumers or competition and is not reasonably avoidable
by consumers. This practice was, and is, an unfair act or practice.
HTC’S DECEPTIVE ANDROID USER MANUALS
(Count 2)
22. As described in Paragraph 19, HTC has represented, expressly or by implication, that,
through the Android permission-based security model, a user of an HTC Android-based
mobile device would be notified when a third-party application required access to the
user’s personal information or to certain functions or settings of the user’s device before
the user completes installation of the third-party application.
23. In truth and in fact, in many instances, a user of an HTC Android-based mobile device
would not be notified when a third-party application required access to the user’s
personal information or to certain functions or settings of the user’s device before the
user completes installation of the third-party application. Due to the security
vulnerabilities described in Paragraphs 8-15, third-party applications could access a
variety of sensitive information and sensitive device functionality on HTC Android-based
mobile devices without notifying or obtaining consent from the user before installation.
Therefore, the representation set forth in Paragraph 22 constitutes a false or misleading
representation.
HTC’S DECEPTIVE TELL HTC USER INTERFACE
(Count 3)
24. As described in Paragraph 20, HTC has represented, expressly or by implication, that, if a
user does not check the button marked “Add location data” when submitting an error
report through the Tell HTC application, location data would not be sent to HTC with the
user’s error report.
25. In truth and in fact, in some instances, if a user did not check the button marked “Add
location data” when submitting an error report through the Tell HTC application, location
data was nevertheless sent to HTC with the user’s error report. Due to the security
vulnerability described in Paragraph 14, in some instances, HTC collected the user’s
GPS-based location information through the Tell HTC error reporting tool even when the
user had not checked the button marked “Add location data” in the Tell HTC user
interface. Therefore, the representation set forth in Paragraph 24 constitutes a false or
misleading representation.
26. The acts and practices of respondent as alleged in this complaint constitute unfair or
deceptive acts or practices in or affecting commerce in violation of Section 5(a) of the
Federal Trade Commission Act, 15 U.S.C. § 45(a).
THEREFORE, the Federal Trade Commission this twenty-fifth day of June, 2013, has
issued this complaint against respondent.
By the Commission, Commissioner Ohlhausen recused.
Donald S. Clark
Secretary