Internet of Things

Connected Car Security Vulnerabilities – Part 1

October 31, 2018 | Stephen S. Wu

The Internet of Things connects machines to other machines in a wide variety of fields and industries. In our digital lives, we are connecting devices to our networks at work and at home. In addition to work and home, however, we spend much of our waking time in transit from one place to another, often in our private automobiles. The Internet of Things is extending our digital lives to our cars, trucks, and other road vehicles. With this new integration comes privacy, security, and other legal issues.

A 2015 episode of the CBS television show “60 Minutes” vividly illustrates what can happen when we connect cars with information technology networks. In the show, reporter Lesley Stahl sat behind the wheel of a nondescript dark gray sedan while driving through a tree-lined suburban parking lot. She appeared on a 60 Minutes segment aired on February 8, 2015. In the driver’s seat next to her was Kathleen Fisher, a veteran of the Defense Advanced Research Projects Agency or “DARPA” for short. As Stahl navigated one end of the cleared parking lot, two men stood at the other end – Karl Koscher, a University of Washington Ph.D. student, and Dan Kaufman, who was then Director of DARPA’s Information Innovation Office. Koscher used a laptop sitting on black boxes of what appeared to be equipment, while Kaufman provided instructions.

Kaufman told Koscher, “You wanna hit the fluids?” Koscher typed something on the laptop and suddenly the windshield wiper fluid sprayed onto the windshield on Stahl’s car and the wipers started moving back and forth. Stahl said “I did nothing” to turn on the spray. And yet, without Stahl doing anything, Koscher had taken control of the wipers and fluid. In a cut-away scene, Stahl explained that hackers had contacted the car’s emergency communications system, flooded it with sound data, and inserted a piece of code, which reprogrammed the car’s software so the researchers could take complete remote control of the car. Further demonstrating this control, Koscher caused the horn to sound, again without Stahl’s knowledge or action.

Meetup on Lessons Learned from the Equifax Data Breach

October 13, 2017 | Silicon Valley Law Group

SVLG Shareholder Stephen Wu will host a conference call program on the recent Equifax data breach on October 25, 2017 at 10 am Pacific/1 pm Eastern. While the Equifax is not the largest ever in terms of the total number of records affected, by some estimates, it affected about half of the population in the United States. With a breach that large, legislators and regulators are considering what new policies may help to prevent future large-scale breaches.

For businesses that create, receive, maintain, and transmit personal data, the Equifax breach raises the question of what changes are necessary to keep up with evolving data security threats. According to news reports, the breach occurred because of a failure in patch management — a failure to implement a publicly available patch to a known security vulnerability for a period of months. Are there emerging threats that warrant changes in patch management practices? Or did the Equifax breach occur because of the company’s failure to take care of the basic patch management steps. We will explore these questions in this program.

The program will generally explore the technical and legal ramifications of the breach. What are the prospects for liability? What compliance challenges does the breach highlight? Are there changes in documented practice and procedure that the breach would suggest?

Stephen Wu’s New HIPAA Book and 9/28/16 Presentation

September 16, 2016 | Silicon Valley Law Group

Silicon Valley Law Group is pleased to announce the publication of Attorney Stephen S. Wu’s new book: “A Guide to HIPAA Security and the Law – Second Edition.” The American Bar Association published his book last month. The book provides detailed information about healthcare information technology security legal requirements and how covered entities and business associates can comply with them.

Also, please join us for a special Meetup presentation, in which Steve Wu will share his thoughts on an important topic covered in one of his book’s chapters: the impact of emerging technologies on HIPAA security compliance. The program is on September 28, 2016 at 10:00 a.m. Pacific Time at SVLG’s offices. A dial-in is available for those unable to attend in person.

The Department of Health and Human Services issued the HIPAA Security Rule in 2003 to impose information technology security requirements on HIPAA covered entities: healthcare providers, health plans, and healthcare clearinghouses. Later legislation and regulation also imposed HIPAA security requirements on various “business associates” of these covered entities. Despite some changes in coverage and the breach notification rule, the core HIPAA security requirements have remained unchanged since 2003. Nonetheless, technology trends such as cloud computing, social media, and mobile computing required applying the existing rules to new technologies. Moreover, we are now facing dramatic and sweeping changes with augmented and virtual reality systems, Big Data, 3D printing, healthtech, the Internet of Things, robots, and artificial intelligence systems.