If you’re in the U.S. and concerned about data privacy, you can now breathe a sigh of relief. The nation’s highest court ruled last week that cellphone location data is protected by the 4th Amendment of the U.S. Constitution.
In the 5-4 decision, the court ruled that police must obtain a valid search warrant before obtaining location data on a suspect from cellular carriers. So, you do have some expectation of privacy while using your phone, despite the objections of law enforcement.
Origin of the Data Privacy Case
The case was brought by a Michigan man, Timothy Carpenter, who was convicted of a string of robberies at both Radio Shack and T-Mobile stores. FBI agents obtained several months of location data from Carpenter’s cellular carrier, thus proving he was in the vicinity of each robbery. This piece of evidence was key in his conviction, but Carpenter’s lawyers appealed on the grounds that law enforcement didn’t get a warrant for the location data. As a result, they argued that the evidence and conviction should be thrown out.
Lower courts ruled against Carpenter, arguing that people have no reasonable expectation of privacy in their location data because they voluntarily submit it to 3rd parties (wireless service providers) and so no warrant is necessary.
The high court disagreed, however, stating:
Given the unique nature of cell phone location records, the fact that the information is held by a 3rd party does not by itself overcome the user’s claim to 4th Amendment protection… we hold that an individual maintains a legitimate expectation of privacy in the record of his physical movements as captured through CSLI. The location information obtained from Carpenter’s wireless carriers was the product of a search.
For context: As you go about your everyday life, your mobile phone regularly connects to the nearest cell tower – when you make calls, check your email, or look something up on the web; when an app running in the background makes a connection that you didn’t initiate; and every few minutes just to tell the cell tower, “Here I am, if you need to find me to send messages or connect calls.”
Data Privacy Regarding Cellphone Companies
Some cellphone companies record the date, time and which tower your phone connected to for every one of those contacts; other companies track everything except the “Here I am” check-ins. Either way, your cell company has stored in its databases an elaborate record of what cell towers your phone connected to and when, covering 24 hours a day, 365 days a year. The cell companies retain that information for as long as 5 years. It’s more than enough data to reconstruct where you were – or rather, where your phone was – anytime in that 5-year period. It can pinpoint a physical location pretty closely within a city, and within a couple of miles in a rural area.
The question before the Supreme Court in this case, Carpenter v. United States, was how hard it should be for police to get that information from a cellphone company.
Exactly what this ruling means for privacy in the internet age remains to be seen – and litigated in future cases. These days, people’s most private information doesn’t reside on pieces of paper locked in office or home desk drawers; it lives on internet servers operated by private companies. The federal government has claimed sweeping power to get documents and emails from those companies without a warrant.
The Carpenter ruling has made clear that, at least some of the time, a warrant is needed. The 4th Amendment was designed, the court explained, “to place obstacles in the way of a too permeating police surveillance.” That means that it can’t merely protect people’s physical homes from search. Sometimes it also limits the government’s ability to demand personal information in the hands of 3rd parties.
To be continued…
I thought I had a bad weekend. Then I heard about the Chili’s Data Breach.
Turns out Brinker International had issues that far outweigh the problems from sleeping on a 10-year-old mattress. The parent company of the Dallas-based Chili’s Bar & Grill said it learned of a data breach on Friday that included payment card information possibly being compromised between March and April of this year.
Brinker International responds to the Chili’s data breach
According to a press release on Brinker International’s website, the company said the following:
Based on the details of the issue currently uncovered, we believe that malware was used to gather payment card information including credit or debit card numbers as well as cardholder names from our payment-related systems for in-restaurant purchases at certain Chili’s restaurants. Currently, we believe the data incident was limited to between March – April 2018; however, we continue to assess the scope of the incident.
Chili’s does not collect certain personal information (such as social security number, full date of birth, or federal or state identification number) from Guests. Therefore, this personal information was not compromised.
Brinker apologized to those who may be affected and said it is working with third-party forensic experts to investigate. “We sincerely apologize to those who may have been affected and assure you we are working diligently to resolve this incident,” Brinker said in a written statement on its website.
Additional information about the breach can be found on the Brinker International site.
Brinker International shares so far are down 0.87% as a result.
Upon further investigation, I found that Brinker International recently brought on a company called Red Hat solutions to offer support for its guests across its mobile app, website, in-restaurant table kiosks, and curbside dining. By using Red Hat solutions, according to their website, “Brinker built a unified e-commerce environment to support faster development and deployment, scale to meet peak traffic demands, and ensure the protection of guest data.”
Red Hat published a Brinker International case study shortly thereafter and stated that, “This is a guest-facing platform that takes credit card transactions, so it’s got to be highly secure… with a Red Hat-based container, we know it’s from a trusted partner and know it meets all PCI [Payment Card Industry] requirements, while letting developers and other internal users to spin up environments quickly.”
Could the Chili’s data breach have been prevented?
Not to place blame, and this is highly speculative, but did Brinker International or Chili’s themselves drop the ball by not fully utilizing its tools? With Red Hat meeting the requirements of PCI compliance, did Brinker or Chili’s overlook something? Too many false positives? How vulnerable were they? Was payment information shared and stored somewhere it shouldn’t have been? Obviously without any information provided from the forensic investigation, it’s all speculation at this point. But it just goes to show how important it is to have all of your ducks in a row. There is no substitute for having your I’s dotted and your T’s crossed when it comes to data protection. I’m sure there’s another cliché I could come up with, but I think you get the point.
Data breaches have been all too common in today’s cybersphere. A series of notable ― and massive ― data breaches occurred last year. Equifax, Uber, the Dallas emergency siren network and state election systems were just a few of the targets of successful hacks.
The title seems a bit obvious, right? Of course data privacy is important. I mean, how could not keeping your data private be a good thing? Spoiler alert: it can’t. There’s only a downside.
Well what “data” are we speaking of, first off? That seems pretty vague…
For us as individuals, data can simply refer to what makes us all identifiable. This can include our address and our Social Security number or, to take it a step further, our health and medical records. For the business sector, it can mean proprietary research and development data, or financial information that shows how a company is spending and investing its money.
And all of this information should be guarded based on relative importance. For example, you probably wouldn’t think too much about sharing your name with someone you’ve never met before while introducing yourself to them at a party. But then there’s other information you wouldn’t share with them, at least not initially, until you got to know that person a lot better. If you’re opening a new bank account, however, you’ll probably be asked to share quite a bit of personal information that goes well beyond your name, and that’s okay.
Digital everything amplifies the importance of data privacy
But in 2018, everything is digital. We’ve digitized everything. This may not technically apply to everyone (shout out to all the senior citizens out there!), but by and large, it does. And if you’re reading this blog, it absolutely does.
When data that should be kept private gets in the wrong hands, bad things can happen. A data breach at a government agency can put top secret information in the hands of the enemy. A breach at a corporation can put proprietary data in the hands of a competitor. And so on and so forth; you get the point.
The Online Trust Alliance (OTA) in 2016 found that 34% of data breaches happen through external means. This is the traditional idea of hacking, where a perpetrator gains access to a system from the outside. About 7% of breaches occurred because of lost or stolen devices, and another 9% occurred because of lost, stolen or misplaced documents. While some of these issues happen by accident, others are planned attacks by hackers to acquire data.
Securing information is key to data privacy
Data security can only work in concert with strong preventative policies to back up the technology. While data security measures can be quite effective, important strategies such as keeping up with patches and utilizing encryption can help ensure that the technology actually works.
Securing information will continue to play a massive role in not only our personal lives, but in business and government. At The 20, our IT Management Platform, 24/7 Help Desk, and Network Operations Center (NOC) are 100% US-based so client information stays secure and in compliance with federal and industry regulations. Our nationwide group of IT companies support almost any technology we come across in the field, which gives us a competitive advantage that no other IT company can touch.
What are you doing to keep your data private?
