11 posts from June 2019

Fracking Companies Lost on Trespassing, but a Court Just Gave Them a Different Win

[Editor's note: today's guest post by ProPublica discusses business practices within the fracking industry. It is reprinted with permission.]

By Ken Ward Jr., The Charleston Gazette-Mail

A week after the West Virginia Supreme Court unanimously upheld the property rights of landowners battling one natural gas giant, the same court tossed out a challenge filed by another group of landowners against a different natural gas company.

In the latest case, decided earlier this month, the court upheld a lower court ruling that threw out a collection of lawsuits alleging dust, traffic and noise from gas operations were creating a nuisance for nearby landowners.

Charlie Burd, executive director of the Independent Oil and Gas Association of West Virginia, said the latest ruling lets “Wall Street know capital investment in oil and natural gas is welcome in West Virginia” and increases the possibility of more such investments in drilling and in so-called “downstream” chemical and manufacturing plants related to the gas industry.

In the property rights case last week, the justices set a clear legal standard that natural gas companies can’t trespass on a person’s land, without permission, to tap into gas reserves from neighboring tracts. In Monday’s case, the justices didn’t articulate a new legal precedent.

The mixed messages of the two cases show that “this is new litigation and the theories are evolving,” said Anthony Majestro, a lawyer who represented residents who lost their nuisance action before the Supreme Court.

“As the Marcellus shale drilling has expanded, there have been conflicts between surface owners and the companies that are drilling,” Majestro said. “Absent some legal requirement to require the industry to be good neighbors, I’m afraid we’ll continue to have these situations.”

Majestro’s clients were a group of residents in the Cherry Camp area of Harrison County, in north-central West Virginia. They wanted Antero Resources, the state’s largest gas company, to compensate them for unbearable traffic, “constant dust” that hangs in the air and settles on homes and vehicles, disruptive heavy equipment noise and bright lights that shine into their homes day and night.

The case focused on two dozen wells and a compressor station on six pads. The plaintiffs argued that their lives were being interfered with by Antero’s production of gas from beneath their property, even though the wells were on neighboring land, not on their own properties.

Across West Virginia’s gas-producing region, many residents own the surface of the land where they live, but don’t hold the minerals located beneath. Often, rights to the natural gas were signed over decades ago, long before drilling and gas production of the size and scope now conducted was even dreamed of.

The two court cases were featured last year as part of a series of stories by the Gazette-Mail and ProPublica that explored the impacts of the growth of natural gas on West Virginia communities.

In some ways, the Antero case was more complex than the earlier matter, in which the state court ruled clearly for Doddridge County residents Beth Crowder and David Wentz in their dispute with EQT Corp., West Virginia’s second-largest gas producer.

EQT had built a well pad and pipelines on Crowder and Wentz’s property to reach natural gas not located beneath their farm, but under neighboring tracts, including some that were thousands of feet away. Modern natural gas drilling relies on horizontal drilling, so that a smaller number of larger wells can reach much greater amounts of gas.

Justice John Hutchison wrote the court’s 5-0 decision against EQT, including a new point of law that sets a precedent that calls what the company did trespassing and forbids it from being done in the future.

The ruling in the Antero case was a split, 3-2 decision, and the opinion by Justice Evan Jenkins included no new points of law setting precedent for future cases.

Instead, his opinion was based on the view that Antero had gas leases that created a right for it to do whatever was “reasonably necessary” to get at its mineral holdings.

Antero spokeswoman Stephanie Iaquinta said, “We appreciate the court’s thorough review of this important matter and its decision.”

Chief Justice Beth Walker wrote a concurring opinion, pointing out that the majority decision wasn’t necessarily getting to the heart of the matter: whether the kinds of gas industry impacts complained about by the Harrison County residents constitute a legal nuisance.

And Justice Margaret Workman wrote a strongly worded dissent, saying that the court had not only ducked the central legal issue in the case, but that it had usurped the authority of a jury to decide if the facts of how Antero operates should be deemed to be “reasonably necessary” to produce natural gas.

“For a century, the tenor of our mineral easement case law, in each temporal and technological ideation, has been that there must be a balance of the rights of surface owners and mineral owners,” Workman wrote. “Rather than making any attempt to establish legal guidance for that goal in this new context, the majority endorses a gross inequity that effectively gives this new industrialization carte blanche to operate without any regard for the rights of those who live on the land.”



Walmart To Pay $282 Million To Settle Bribery Charges By Regulators In The United States

The U.S. Securities And Exchange Commission (SEC) announced on June 20th a settlement agreement to resolve charges that Walmart violated:

"... the Foreign Corrupt Practices Act (FCPA) by failing to operate a sufficient anti-corruption compliance program for more than a decade as the retailer experienced rapid international growth... According to the SEC’s order, Walmart failed to sufficiently investigate or mitigate certain anti-corruption risks and allowed subsidiaries in Brazil, China, India, and Mexico to employ third-party intermediaries who made payments to foreign government officials without reasonable assurances that they complied with the FCPA. The SEC’s order details several instances when Walmart planned to implement proper compliance and training only to put those plans on hold or otherwise allow deficient internal accounting controls to persist even in the face of red flags and corruption allegations."

Walmart agreed to pay more than $144 million to settle the SEC’s charges and about $138 million to resolve parallel criminal charges by the U.S. Department of Justice (DOJ), for a combined total of more than $282 million. The settlements cover activities by the retailer's foreign subsidiaries in Brazil, China, India, and Mexico.

The DOJ announcement on June 20th stated:

"According to Walmart’s admissions, from 2000 until 2011, certain Walmart personnel responsible for implementing and maintaining the company’s internal accounting controls related to anti-corruption were aware of certain failures involving these controls, including relating to potentially improper payments to government officials in certain Walmart foreign subsidiaries, but nevertheless failed to implement sufficient controls that, among other things, would have ensured: (a) that sufficient anti-corruption-related due diligence was conducted on all third-party intermediaries (TPIs) who interacted with foreign officials; (b) that sufficient anti-corruption-related internal accounting controls concerning payments to TPIs existed; (c) that proof was required that TPIs had performed services before Walmart paid them; (d) that TPIs had written contracts that included anti-corruption clauses; (e) that donations ostensibly made to foreign government agencies were not converted to personal use by foreign officials; and (f) that policies covering gifts, travel and entertainment sufficiently addressed giving things of value to foreign officials and were implemented. Even though senior Walmart personnel responsible for implementing and maintaining the company’s internal accounting controls related to anti-corruption knew of these issues, Walmart did not begin to change its internal accounting controls related to anti-corruption to comply with U.S. criminal laws until 2011... In a number of instances, insufficiencies in Walmart’s anti-corruption-related internal accounting controls in these foreign subsidiaries were reported to senior Walmart employees and executives. The internal control failures allowed the foreign subsidiaries in Mexico, India, Brazil and China to open stores faster than they would have with sufficient internal accounting controls related to anti-corruption. Consequently, Walmart earned additional profits through these subsidiaries by opening some of its stores faster..."

So, to fast-track store openings, company executives allegedly made secret payments to "third-party individuals" who passed the money on to specific government officials who approve permits. CBS News reported:

"... the payments to the intermediary were recorded as payments to a construction company, even though there were numerous "red flags" to indicate that the intermediary was actually a government official... The federal agreement does not identify the intermediary, but describes her in some detail: It says she became known inside Walmart Brazil as a "sorceress" or "genie" for her "ability to acquire permits quickly by 'sort(ing) things out like magic.' " The plea agreement also includes a provision barring the Brazilian subsidiary from making public claims or issuing press releases contradicting the facts outlined under the plea agreement."

Walmart is not alone regarding FCPA violations. According to the SEC, several companies agreed to settlement agreements and payments during 2019:

Readers of this blog may remember that Fresenius paid $3.5 million last year to resolve HIPAA violations from 5 small data breaches during 2012. And, last week a whistleblower report discussed Cognizant's content moderation work as a Facebook subcontractor.

Notable companies with SEC settlement agreements and payments during 2018:


Facebook Announced New Financial Services Offering Available in 2020

On Tuesday, Facebook announced its first financial services offering which will be available in 2020:

"... we’re sharing plans for Calibra, a newly formed Facebook subsidiary whose goal is to provide financial services that will let people access and participate in the Libra network. The first product Calibra will introduce is a digital wallet for Libra, a new global currency powered by blockchain technology. The wallet will be available in Messenger, WhatsApp and as a standalone app — and we expect to launch in 2020... Calibra will let you send Libra to almost anyone with a smartphone, as easily and instantly as you might send a text message and at low to no cost. And, in time, we hope to offer additional services for people and businesses, like paying bills with the push of a button, buying a cup of coffee with the scan of a code or riding your local public transit..."

Long before the announcement, consumers crafted interesting nicknames for the financial service, such as #FaceCoin and #Zuckbucks. Good to see people with a sense of humor.

On a more serious topic, after multiple data breaches and privacy snafus at Facebook (plus repeated promises by CEO Zuckerberg that his company will do better), many people are understandably concerned about data security and privacy. Facebook's announcement also addressed security and privacy:

"... Calibra will have strong protections... We’ll be using all the same verification and anti-fraud processes that banks and credit cards use, and we’ll have automated systems that will proactively monitor activity to detect and prevent fraudulent behavior... We’ll also take steps to protect your privacy. Aside from limited cases, Calibra will not share account information or financial data with Facebook or any third party without customer consent. This means Calibra customers’ account information and financial data will not be used to improve ad targeting on the Facebook family of products. The limited cases where this data may be shared reflect our need to keep people safe, comply with the law and provide basic functionality to the people who use Calibra. Calibra will use Facebook data to comply with the law, secure customers’ accounts, mitigate risk and prevent criminal activity."

So, the new Calibra subsidiary promised that it won't share users' account information with Facebook's core social networking service, except when it will -- to "comply with the law." The announcement encourages interested persons to sign up for email updates. This leaves Calibra customers to trust Facebook's wall separating its business units. "Provide basic functionality to the people who use Calibra" sounds like a huge loophole to justify any data sharing.

Tech and financial experts quickly weighed in on the announcement and its promises. TechCrunch explained why Facebook created a new business subsidiary. After Calibra's Tuesday announcement:

"... critics started harping about the dangers of centralizing control of tomorrow’s money in the hands of a company with a poor track record of privacy and security. Facebook anticipated this, though, and created a subsidiary called Calibra to run its crypto dealings and keep all transaction data separate from your social data. Facebook shares control of Libra with 27 other Libra Association founding members, and as many as 100 total when the token launches in the first half of 2020. Each member gets just one vote on the Libra council, so Facebook can’t hijack the token’s governance even though it invented it."

TechCrunch also explained the risks to Calibra customers:

"... that leaves one giant vector for abuse of Libra: the developer platform... Apparently Facebook has already forgotten how allowing anyone to build on the Facebook app platform and its low barriers to “innovation” are exactly what opened the door for Cambridge Analytica to hijack 87 million people’s personal data and use it for political ad targeting. But in this case, it won’t be users’ interests and birthdays that get grabbed. It could be hundreds or thousands of dollars’ worth of Libra currency that’s stolen. A shady developer could build a wallet that just cleans out a user’s account or funnels their coins to the wrong recipient, mines their purchase history for marketing data or uses them to launder money..."

During the coming months, hopefully Calibra will disclose the controls it will implement on the developer platform to prevent abuses, theft, and fraud.

Readers wanting to learn more should read the Libra White Paper, which provides more details about the companies involved:

"The Libra Association is an independent, not-for-profit membership organization headquartered in Geneva, Switzerland. The association’s purpose is to coordinate and provide a framework for governance for the network... Members of the Libra Association will consist of geographically distributed and diverse businesses, nonprofit and multilateral organizations, and academic institutions. The initial group of organizations that will work together on finalizing the association’s charter and become “Founding Members” upon its completion are, by industry:

1. Payments: Mastercard, PayPal, PayU (Naspers’ fintech arm), Stripe, Visa
2. Technology and marketplaces: Booking Holdings, eBay, Facebook/Calibra, Farfetch, Lyft, Mercado Pago, Spotify AB, Uber Technologies, Inc.
3. Telecommunications: Iliad, Vodafone Group
4. Blockchain: Anchorage, Bison Trails, Coinbase, Inc., Xapo Holdings Limited
5. Venture Capital: Andreessen Horowitz, Breakthrough Initiatives, Ribbit Capital, Thrive Capital, Union Square Ventures
6. Nonprofit and multilateral organizations, and academic institutions: Creative Destruction Lab, Kiva, Mercy Corps, Women’s World Banking"

Yes, the ride-hailing company, Uber, is involved. Yes, the same ride-hailing service which paid $148 million to settle lawsuits and a coverup from a data breach in 2016. Yes, the same ride-hailing service with a history of data security, compliance, cultural, and privacy snafus. This suggests -- for better or worse -- that in the future consumers will be able to pay for Uber rides using the Libra Network.

Calibra hopes to have about 100 members in the Libra Association by the service launch in 2020. Clearly, there will be plenty more news to come. Below are draft screen images of the new app.

Early version of screen images of the Calibra mobile app.


Medical Collections Vendor Files For Bankruptcy Protection

Things have become complicated regarding American Medical Collection Agency (AMCA), a collections firm used by several medical testing firms. After breach announcements by Quest Diagnostics and LabCorp earlier this month, more healthcare firms announced breach notices.

So, more than 20 million persons have been affected. ZD Net reported the patient totals by healthcare firm:

"Quest Diagnostics (11.9 million patients), LabCorp (7.7 million patients), BioReference Laboratories (Opko Health subsidiary, 422,600 patients), Carecentrix (500,000 patients), and Sunrise Laboratories (undisclosed number of patients)."

Now, we learn that AMCA has filed for bankruptcy protection:

"According to the Chapter 11 declaration (.PDF), filed with the court for the Southern District of New York, AMCA first became aware of a potential security incident when a disproportionate number of credit cards that interacted with the company's web portal were linked to fraudulent transactions... Cybersecurity forensics bills of roughly $400,000, IT support costs, severe restrictions that were put in place to protect AMCA's network from further intrusion, looming court cases, and the loss of valuable business partners have all taken their toll."

A "Chapter 11" bankruptcy means a reorganization, compared to a total liquidation under "Chapter 7." So, AMCA executives expect their company to survive.

ZD Net also reported that AMCA has paid more than:

"... $3.8 million to inform over seven million people who have potentially been impacted via mail. This figure alone is more than the company had to hand, forcing AMCA to take out a loan from the CEO and founder, Russell Fuchs, just to meet this expense. By filing for bankruptcy protection, the business will continue on as usual as AMCA seeks to pay off its creditors."

The costs highlight the consequences when companies fail to protect consumers' sensitive personal and payment data. The bankruptcy filing raises the next question: how effectively can AMCA continue operating? Reportedly, AMCA has already cut its workforce from 155 to 25 employees. Usually under bankruptcy protection, a court decides which creditors get paid and whether they are paid in full -- including employees.

This scenario makes one wonder if AMCA can afford the ongoing expenses and resources necessary to harden its computer systems against intrusions, pay its employees, fully support data breach victims, and pay any post-breach fines. If AMCA can't pay its employees, it is probably already dead.


Several States Strengthened Their Data Breach Notification Laws in 2019

Legislatures in several states are improving their existing data breach notification laws to provide stronger protections for consumers.

To fully appreciate the changes requires an understanding of the current legal status. The National Conference of State Legislatures summarized the current status:

"All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information. Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data/information brokers, government entities, etc.); definitions of “personal information” (e.g., name combined with SSN, drivers license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information)."

The increased legislative activity comes in the aftermath of the massive Equifax breach in 2017 affecting 145.5 million persons. 2018 was a terrible year with more than one billion consumer accounts affected by multiple data breaches.

Many of the improvements across states require earlier notice to affected persons, so consumers can check their bank/card statements for fraudulent activity and take other security actions. Without earlier notice, fraud can continue and more money can be stolen.

Now, the legislative activity in selected states.

First, legislators amended the requirements in the Maryland Personal Information Protection Act (MPIPA), or House Bill 1154. Maryland Governor Larry Hogan approved of the changes, which will go into effect on October 1, 2019. A summary of the changes:

  • Requires businesses that own or license "computerized data that includes personal information of an individual residing in the State" to conduct a good-faith breach investigation to determine data abuse when they discover or are notified of a data breach,
  • Requires notification of affected persons within 45 days, and
  • Requires businesses to maintain, for three years, records of their breach investigation and of any determination that notification of affected persons is not required.

Second, Massachusetts Governor Charlie Baker signed legislation in January which went into effect on April 11, 2019. Changes in the new law: no fees for consumers to place, lift, or remove Security Freezes; credit monitoring required when Social Security numbers are disclosed during the breach; and an expanded list of requirements when businesses provide notice to the Massachusetts Attorney General and to the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR).

Third, New Jersey amended its breach law. SC Magazine summarized the changes:

"The new law expands the definition of what constitutes personal information that, if exposed in a breach, would require a company to issue a notification. Once S-52 takes effect on Sept. 1, 2019, personal information will also include a “user name, email address, or any other account holder identifying information, in combination with any password or security questions and answer…” the law states."

Fourth, Oregon Governor Kate Brown signed into law Senate Bill 684 on May 24, 2019. The JD Supra site reported:

"The most significant changes are around service providers, who will take on an independent obligation to notify the state Attorney General (AG) about data security breaches. A handful of other, more subtle changes are also included in the amendments, which take effect January 1, 2020... The obligation that service providers notify the AG is triggered by breaches affecting the personal information of over 250 Oregon consumers, or when the number cannot be determined... The new obligation increases the number of parties involved in incident response and notice decisions... This round of amendments adds user names, combined with password or other means of authentication, to the list of notice-triggering personal information... One other amendment also touches service providers. Where previously service providers had to notify business customers “as soon as practicable” after discovering a breach, the amendments set a deadline of 10 days."

Many companies outsource back-office work to vendors. So, the Oregon law keeps pace with common business practices. Readers wanting to learn more can read this blog's Outsourcing section.

A new, separate bill in Oregon covers internet-connected devices, also called the Internet of Things (IoT). Many consumers have installed IoT devices in their homes. According to JD Supra:

"The Oregon connected device security law is largely consistent with California’s new connected device security law, and both take effect January 1, 2020. Both require that manufacturers equip IoT devices with reasonable security features. Under either statute that can mean setting unique passwords for each unit shipped, or requiring end users to set a new password when they first access the device, in order to access the devices remotely from outside the devices’ local area network. This is a floor, not a ceiling, and both laws leave room for other security features..."

When manufacturers sell IoT devices all configured with the same universal password, it is a huge security problem. Bad actors can remotely access consumers' IoT devices to commit identity theft, fraud, and more. Consumers require greater protection, and the new IoT law is a good first step. Readers wanting to learn more can read this blog's Internet of Things section.

Fifth, Washington Governor Jay Inslee signed HB 1071 on May 7, which expanded the state’s data breach notification law. The changes become effective March 1, 2020. The National Law Review reported that breach:

"... notices must be provided no more than thirty days after the organization discovers the breach. This applies to notices sent to affected consumers as well as to the state’s Attorney General. The threshold requirement for notice to the Attorney General remains the same—it is only required if 500 or more Washington residents were affected by the breach."

The new law in Washington also expanded the list of sensitive data elements comprising "personal information" when combined with a person's name: birth date; "unique private key used to authenticate" electronic records; passport, military, and student ID numbers; health insurance policy or identification number; medical history, health conditions, diagnoses, and treatments; and biometric data (e.g., fingerprints, retina scans, voiceprints, etc.).

As more states announce amended breach notification laws, this blog will cover those actions.


Leading Manufacturer Reverses Its Position on Paperless Voting Machines

A leading manufacturer of electronic voting machines has reversed its position on election security. Tom Burt, the CEO of Election Systems & Software (ES&S), said his company will no longer sell paperless voting machines. Mr. Burt wrote in Roll Call:

"... we must have physical paper records of votes. Our company, Election Systems & Software, the nation’s leading elections equipment provider, recently decided it will no longer sell paperless voting machines as the primary voting device in a jurisdiction. That’s because it is difficult to perform a meaningful audit without a paper record of each voter’s selections. Mandating the use of a physical paper record sets the stage for all jurisdictions to perform statistically valid post-election audits."

A 2017 study by researchers found 11 states where the majority of voters use paperless voting machines that store votes electronically -- without printed ballots or other paper-based backups to double-check the balloting. A report in March 2018 by the Brennan Center For Justice found little progress since 2016 to replace old, vulnerable voting machines in the United States.

In his comments, Burt called upon Congress to act to improve the testing of voting machines. Burt also cited the challenges. First:

"There are about 10,000 jurisdictions in America that manage nearly 117,000 polling locations and utilize more than 560,000 voting machines (manufactured by multiple suppliers) on Election Day. That’s what you call a highly distributed and differentiated infrastructure..."

Second, jurisdictions have varying financial resources. Besides testing, it will cost money to replace obsolete and paperless voting machines. TechCrunch provided important context to Burt's comments:

"Senator Ron Wyden introduced a bill a year ago that would mandate voter-verified paper ballots for all election machines... Burt’s remarks are a sharp turnaround from the company’s position just a year ago, in which the election systems maker drew ire from the security community for denouncing vulnerabilities found by hackers at the annual Defcon conference. Security researchers at the conference’s Voting Village found a security flaw in an old but widely used voting machine in dozens of states. Their findings prompted a response by senior lawmakers on the Senate Intelligence Committee..."

So, the change in position by ES&S is a small start (and arguably late). What matters more is action by ES&S and other voting-machine makers, and action by Congress.

Since a democracy relies upon elections, voting machine upgrades and testing could be considered an infrastructure issue. Both Congress and voting machine makers need to do their jobs. What are your opinions?


CBP Breach Disclosed Images Of Travelers' Faces And Vehicle License Plates. Many Unanswered Questions

A security breach at a vendor used by U.S. Customs & Border Patrol (CBP) has disclosed the images of both travelers and vehicle license plates. The Washington Post reported:

"Customs officials said in a statement Monday that the images, which included photos of people’s faces and license plates, had been compromised as part of an attack on a federal subcontractor. CBP makes extensive use of cameras and video recordings at airports and land border crossings, where images of vehicles are captured. Those images are used as part of a growing agency facial-recognition program designed to track the identity of people entering and exiting the United States. Fewer than 100,000 people were impacted, said CBP... Officials said the stolen information did not include other identifying information, and no passport or other travel document photos were compromised..."

Reportedly, CBP learned about the breach on May 31. The newspaper also reported:

"CBP said copies of “license plate images and traveler images collected by CBP” had been transferred to the subcontractor’s company network, violating the agency’s security and privacy rules. The subcontractor’s network was then attacked and breached. No CBP systems were compromised, the agency said."

A reporter posted on Twitter the brief statement by CBP, which was sent to selected news organizations:

"On May 31, 2009, CBP learned that a subcontractor, in violation of CBP policies and without CBP's authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor's company network. The subcontractor's network was subsequently compromised by a malicious cyber-attack. No CBP systems were compromised.

Initial information indicates that the subcontractor violated mandatory security and privacy controls outlined in their contract. As of today, none of the image data has been identified on the Dark Web or internet. CBP has alerted Members of Congress and is working closely with other law enforcement agencies and cybersecurity entities, and its own Office of Professional Responsibility to actively investigate the incident. CBP will unwaveringly work with all partners to determine the extent of the breach and the appropriate response. CBP has removed from service all equipment related to the breach and is closely monitoring all CBP work by the contractor..."

Well, that brief statement is a start... a small start. This security breach is very troubling for several reasons.

First, it seems that CBP was unaware of the contractual violation (e.g., downloaded images) until it was informed of the data breach. That suggests an inadequate contractual agreement between the vendor and CBP, or failures by CBP to monitor and enforce its contracts. That also raises more questions:

  • Which executives at the vendor will be held accountable for this violation, and when?
  • Why did CBP fail to identify the download violation?
  • What changes are underway to prevent future violations?
  • Why is CBP continuing to use a vendor known to have severely violated its contractual agreement?
  • What other vendors have violated CBP contracts?
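The monitoring gap behind the second question above is the kind of thing a data owner can check for in its own file-server audit logs. The following is an added example, not CBP's or any vendor's code: it flags copies of restricted image sets to hosts outside an approved domain, and separately flags any account whose daily copy volume of restricted data is unusually large even when every destination was approved. The log line format, host names, paths, user IDs and thresholds are all assumptions constructed for this example.

```python
"""Added example, not CBP's or any vendor's code: a check a data owner could
run over its own file-server audit log to catch what CBP's statement
describes, restricted image sets being copied to a network the agency does
not control. Log format, hosts, paths and thresholds are all constructed."""
import re
from collections import defaultdict

# Hypothetical audit line format (constructed for this example):
#   <ISO-8601 time> user=<id> action=<READ|COPY> src=<path> dst=<host> bytes=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$"
)

# Assumed policy: plate and face image sets may only be copied to agency hosts,
# and more than 1 GiB copied by one account in one day is worth a look regardless.
RESTRICTED_PREFIXES = ("/cbp/lpr/", "/cbp/faces/")
APPROVED_HOST_SUFFIX = ".example.gov"
BULK_THRESHOLD_BYTES = 1024 ** 3

# Constructed sample: routine reads, an in-house archive copy, then a vendor
# account pulling both image sets to a host outside the agency domain.
SAMPLE_LOG = """\
2019-05-20T08:01:12Z user=op17 action=READ src=/cbp/lpr/2019-05-19/img0001.jpg dst=cbp-ws-04.example.gov bytes=1048576
2019-05-20T08:03:40Z user=op17 action=COPY src=/cbp/lpr/2019-05-19/ dst=cbp-archive.example.gov bytes=524288000
2019-05-20T09:15:03Z user=vend02 action=COPY src=/cbp/lpr/2019-05-19/ dst=fs01.vendor.example bytes=734003200
2019-05-20T09:22:51Z user=vend02 action=COPY src=/cbp/faces/2019-05-19/ dst=fs01.vendor.example bytes=891289600
2019-05-20T10:02:17Z user=op22 action=READ src=/cbp/faces/2019-05-19/img0042.jpg dst=cbp-ws-11.example.gov bytes=2097152
"""


def parse_line(line):
    """Parse one audit line into a dict, or return None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_violations(log_text):
    """Return (egress_alerts, bulk_alerts).

    egress_alerts: each COPY of restricted data to a host outside the approved
                   domain, one alert per line, in log order.
    bulk_alerts:   (user, day) pairs whose restricted COPY volume exceeds the
                   threshold, even if every destination was approved.
    """
    egress = []
    per_user_day = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "COPY":
            continue
        if not rec["src"].startswith(RESTRICTED_PREFIXES):
            continue
        day = rec["ts"][:10]
        per_user_day[(rec["user"], day)] += rec["bytes"]
        if not rec["dst"].endswith(APPROVED_HOST_SUFFIX):
            egress.append({"ts": rec["ts"], "user": rec["user"], "src": rec["src"],
                           "dst": rec["dst"], "bytes": rec["bytes"]})
    bulk = [{"user": u, "day": d, "bytes": b}
            for (u, d), b in sorted(per_user_day.items()) if b > BULK_THRESHOLD_BYTES]
    return egress, bulk


if __name__ == "__main__":
    egress_alerts, bulk_alerts = find_violations(SAMPLE_LOG)
    for a in egress_alerts:
        print(f"EGRESS {a['ts']} {a['user']} copied {a['src']} to {a['dst']} ({a['bytes']} bytes)")
    for a in bulk_alerts:
        print(f"BULK   {a['user']} copied {a['bytes']} bytes of restricted data on {a['day']}")
```

On the constructed log the destination check fires twice, both on the vendor account, and the volume check fires once for the same account's 1.6 GB day. The second check matters because a destination allowlist alone is blind to someone staging data on an approved host first. Both checks only work if the copy is logged where the data lives; a contractor with direct access to the source share and no agency-side logging leaves nothing to inspect, which is exactly the blind spot the CBP statement implies.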

Second, CBP declined to name the vendor. Why? What does withholding the name accomplish? Its own statement described the incident as a "malicious cyber-attack," which seems to warrant more disclosure, not less.

Thankfully, reporters at the Washington Post continued investigating:

"... a Microsoft Word document of CBP’s public statement, sent Monday to Washington Post reporters, included the name “Perceptics” in the title: “CBP Perceptics Public Statement.” Perceptics representatives did not immediately respond to requests for comment... reporters at The Register, a British technology news site, reported late last month that a large haul of breached data from the firm Perceptics was being offered as a free download on the dark web."

So we don't know for certain that Perceptics was the CBP vendor. However, the May 23rd article in The Register indicates that Perceptics executives already knew about the breach by then. CBP executives should have known on May 23rd too, since the article mentioned both entities. So why did the CBP statement say it learned of the breach on May 31st? Something here smells -- arrogance, incompetence, or both.

Third, a check at press time of the CBP website and newsroom found no mention of the security breach. CBP has known since May 31st (or possibly since May 23rd), so why send a statement only to select news organizations? Why not publish that statement on its website, too? Were CBP executives caught unprepared and then rushed out a haphazard response? When will the breach investigation report be released?

This is troubling. It suggests either arrogance or unpreparedness. As a taxpayer, my money funds CBP activities. I want to know that my money is being spent effectively.

Fourth, the lack of a detailed breach announcement means many related questions remain unanswered:

  • When will CBP notify affected persons? If the vendor will notify affected persons, then CBP must disclose the vendor's name in advance.
  • What assistance will CBP provide affected persons? The usual offer, free credit monitoring, does little for a stolen face or license plate, since neither can be reissued the way a card number can.
  • What is the status of the post-breach investigation? It helps to know how attackers broke in so effective fixes can be implemented.
  • What other data elements were accessed or stolen? Metadata attached to the images (capture date and time, GPS location of the crossing, direction of travel, vehicle make and model, number and ages of passengers, and so on) can be as damaging as the images themselves.
  • Were the images and metadata encrypted at rest on the subcontractor's network, and who held the keys? If not, why not?
  • Can facial images be linked to license plate images, or to other data elements? A linked record places a specific person in a specific vehicle at a specific place and time, which is far more damaging to the impacted person than either image alone.
  • When will fixes be implemented so this doesn't happen again?
  • Exactly how many persons were affected, and in which states? State breach notification laws may apply.
  • How many of the affected persons are U.S. citizens? If the 100,000 estimate applies to only affected U.S. citizens, then we need to know the true total number of persons impacted by the breach.
  • Does the 100,000 estimate refer to facial images only? If so, then exactly how many vehicle license plate images were disclosed?
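To make the metadata question above concrete: a camera's capture time and GPS fix travel inside the image file itself, in the EXIF block of a JPEG, and leak with it. The following is an added example, not code from CBP, Perceptics or the original post. It builds a minimal JPEG around a constructed EXIF block, reads the timestamp and coordinates back the way any metadata tool would, and strips the block, which is the practical fix before copies are handed to anyone. The timestamp, the coordinates and the fixed TIFF layout offsets are all made up for the example; nothing is known about the format of the actual CBP images.

```python
"""Added example, not code from CBP, Perceptics or the original post: what
"metadata attached to the images" looks like inside a JPEG. Builds a minimal
JPEG with a constructed EXIF block (capture time plus GPS fix), reads it
back, then strips it. Timestamp, coordinates and layout offsets are made up."""
import struct

TAG_DATETIME, TAG_GPS_IFD = 0x0132, 0x8825
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5
APP1, SOS, EOI = 0xE1, 0xDA, 0xD9

def _dms(deg):
    """Decimal degrees -> (numerator, denominator) triples as EXIF GPS tags store them."""
    deg = abs(deg)
    d = int(deg)
    m = int((deg - d) * 60)
    s = round(((deg - d) * 60 - m) * 60 * 100)  # seconds at 1/100 resolution
    return [(d, 1), (m, 1), (s, 100)]

def build_exif_jpeg(datetime_str, lat, lon):
    """SOI + APP1/Exif + EOI, no scan data. Little-endian TIFF with a fixed layout:
    0 header | 8 IFD0 (2 entries) | 38 DateTime | 58 GPS IFD (4 entries) | 112 lat | 136 lon"""
    def entry(tag, typ, count, value_or_offset):
        return struct.pack("<HHII", tag, typ, count, value_or_offset)
    def inline(s):  # values of 4 bytes or fewer are stored inside the entry itself
        return struct.unpack("<I", s.encode().ljust(4, b"\0"))[0]
    ifd0 = (struct.pack("<H", 2) + entry(TAG_DATETIME, TYPE_ASCII, 20, 38)
            + entry(TAG_GPS_IFD, TYPE_LONG, 1, 58) + struct.pack("<I", 0))
    gps = (struct.pack("<H", 4)
           + entry(TAG_LAT_REF, TYPE_ASCII, 2, inline("N" if lat >= 0 else "S"))
           + entry(TAG_LAT, TYPE_RATIONAL, 3, 112)
           + entry(TAG_LON_REF, TYPE_ASCII, 2, inline("E" if lon >= 0 else "W"))
           + entry(TAG_LON, TYPE_RATIONAL, 3, 136) + struct.pack("<I", 0))
    rationals = b"".join(struct.pack("<II", n, d) for n, d in _dms(lat) + _dms(lon))
    stamp = datetime_str.encode().ljust(20, b"\0")[:20]
    payload = b"Exif\0\0" + b"II" + struct.pack("<HI", 42, 8) + ifd0 + stamp + gps + rationals
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"

def _split(jpeg):
    """Header segments as [(marker, payload)], plus the offset where SOS/EOI and the rest begin."""
    segs, pos = [], 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (SOS, EOI):
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segs.append((jpeg[pos + 1], jpeg[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segs, pos

def _read_ifd(tiff, off, e):
    n = struct.unpack(e + "H", tiff[off:off + 2])[0]
    entries = (struct.unpack(e + "HHI4s", tiff[off + 2 + 12 * i:off + 14 + 12 * i]) for i in range(n))
    return {tag: (typ, count, raw) for tag, typ, count, raw in entries}

def _value(tiff, e, typ, count, raw):
    size = {TYPE_ASCII: 1, TYPE_LONG: 4, TYPE_RATIONAL: 8}[typ] * count
    data = raw if size <= 4 else tiff[struct.unpack(e + "I", raw)[0]:][:size]
    if typ == TYPE_ASCII:
        return data[:count].split(b"\0")[0].decode("ascii")
    if typ == TYPE_LONG:
        return struct.unpack(e + "I", data[:4])[0]
    pairs = struct.unpack(e + "II" * count, data)
    return [pairs[i] / pairs[i + 1] for i in range(0, 2 * count, 2)]

def read_exif(jpeg):
    """Return whichever of 'datetime', 'lat', 'lon' the EXIF block carries, or {} if none."""
    for marker, payload in _split(jpeg)[0]:
        if marker != APP1 or not payload.startswith(b"Exif\0\0"):
            continue
        tiff = payload[6:]
        e = "<" if tiff[:2] == b"II" else ">"
        ifd0 = _read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
        found = {}
        if TAG_DATETIME in ifd0:
            found["datetime"] = _value(tiff, e, *ifd0[TAG_DATETIME])
        if TAG_GPS_IFD in ifd0:
            gps = _read_ifd(tiff, _value(tiff, e, *ifd0[TAG_GPS_IFD]), e)
            for key, ref_tag, val_tag, neg in (("lat", TAG_LAT_REF, TAG_LAT, "S"),
                                               ("lon", TAG_LON_REF, TAG_LON, "W")):
                if ref_tag in gps and val_tag in gps:
                    d, m, s = _value(tiff, e, *gps[val_tag])
                    deg = d + m / 60 + s / 3600
                    found[key] = -deg if _value(tiff, e, *gps[ref_tag]) == neg else deg
        return found
    return {}

def strip_exif(jpeg):
    """Drop every APP1 segment (where EXIF lives); keep all other segments and the scan data."""
    segs, tail = _split(jpeg)
    out = bytearray(jpeg[:2])
    for marker, payload in segs:
        if marker != APP1:
            out += bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out + jpeg[tail:])

# Constructed sample: a plate-camera style capture time and a made-up coordinate.
SAMPLE_JPEG = build_exif_jpeg("2019:05:23 14:05:00", 31.3321, -110.9406)
```

Run `read_exif(SAMPLE_JPEG)` and the capture time and a signed latitude/longitude come straight back out of the file; run it on `strip_exif(SAMPLE_JPEG)` and nothing does. The stripper removes the whole APP1 segment rather than editing individual tags, which is the safer default when a copy is leaving your control, because it also takes out whatever tags you did not think to look for.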

The statement of "fewer than 100,000 persons impacted" seems vague. A breach investigation should determine two fairly precise items: the number of facial images accessed/stolen, and the number of license plate images accessed/stolen.

Plus, it seems wise to assume more data was stolen during the breach. Why? Consider this report by The Atlantic:

"I would be cautious about assuming this data breach contains only photo data," said Chad Loder, the CEO of Habitu8, a cybersecurity firm that trains other companies on security awareness. The full scope of the breach may be much larger than what CBP revealed in its original statement, he said. In recent years, CBP has asked travelers for fingerprints, facial data, and, recently, even social-media accounts. "If CBP’s contractor was targeted specifically, it’s unlikely that the attacker would have stopped with just photo data..."

If social media account information was stolen, affected persons need to know so they can secure those accounts (change passwords, enable two-factor authentication, and watch for targeted phishing). Elected officials are also asking questions. The Hill reported:

"House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) announced on Monday that his committee would hold hearings next month to examine the collection of biometric information by the Department of Homeland Security (DHS), which includes CBP... Homeland Security Committee ranking member Mike Rogers (R-Ala.), used the breach to criticize DHS’s handling of cybersecurity challenges, saying in a statement to The Hill that "the agency is ill-equipped to handle emerging cyberthreats"... Representative Cedric Richmond (D-La.), the chairman of the House Homeland Security subcommittee on cybersecurity, also called for more answers about the breach, which he said would inform Congress's next steps... Senator Brian Schatz (D-Hawaii), the ranking member of the Senate Commerce Subcommittee on Communications, Technology, Innovation and the Internet, said he thinks the breach merits an investigation by the Office of the Inspector General."

Good suggestion by Senator Schatz. Clearly, there's plenty more news to come. Plenty.


Court to Big Fracking Company: Trespassing Still Exists — Even For You

[Editor's note: today's guest post by ProPublica discusses business practices within the fracking industry. It is reprinted with permission. Readers may also be interested in this blog post from February.]

By Kate Mishkin and Ken Ward Jr., The Charleston Gazette-Mail

Seven years ago this month, Beth Crowder and David Wentz told natural gas giant EQT Corp. that it did not have permission to come onto their West Virginia farm to drill for the natural gas beneath neighboring properties.

EQT had a lease that entitled the company to the gas directly beneath their farm, but it also wanted to use a new, 20-acre well pad to gather gas from 3,000 acres of adjacent or nearby leases. The company ignored their warnings. It built roads and drilled a well, and it put in horizontal pipes stretching for miles in all directions.

Crowder and Wentz sued — and they’ve been fighting EQT in court ever since. On Wednesday, the West Virginia Supreme Court ended the matter with a surprisingly straightforward and unanimous conclusion: Going onto someone else’s land without their permission is trespassing.

Gas and other mineral companies must obtain permission from surface owners in order to use their land to reach reserves under other properties, Justice John Hutchison wrote for the court. "The right must be expressly obtained, addressed, or reserved in the parties’ deeds, leases, or other writings," he wrote.

Attorney Dave McMahon, who represented Crowder and Wentz, broke the news to them by phone. "The short answer is, we won. And we won big time," he said.

On the other end of the line in Doddridge County, Crowder and Wentz shouted and laughed. "I think I’m feeling kind of numb," Crowder said. "I’ve been used to being in limbo forever."

Kristina Whiteaker, another lawyer for Crowder and Wentz, told them, "You guys really made some good law for the whole state."

EQT said in a statement issued Thursday afternoon that the company was "disappointed in the court’s ruling” but didn’t “expect the decision to have a significant impact on our operations in West Virginia."

"We intend to maintain cooperative and mutually beneficial relationships with our customers, our partners, and residents in the regions where we do business," EQT said.

The West Virginia Oil and Natural Gas Association, an industry trade association, said it is analyzing the ruling to determine how it may impact its member companies.

In a statement, Charlie Burd, the executive director of the Independent Oil and Gas Association of West Virginia, said the industry group would have preferred a ruling that encouraged horizontal drilling, but planned to comply with it. “IOGAWV members like to have good relationships with property owners,” Burd said.

Crowder and Wentz’s saga was chronicled last year by the Gazette-Mail and ProPublica, in an investigation that detailed how the natural gas industry had gained an upper hand on the state’s residents.

The 22-page court ruling Wednesday represents a rare victory for residents in a state where economics and politics are increasingly controlled by the natural gas business after decades of domination by the coal industry. Making it more gratifying for Crowder and Wentz, the court that ruled in their favor has been under the microscope because of connections to the gas industry.

Much of the land in mineral-producing parts of West Virginia has split ownership. Someone might own the surface land, while someone else owns the coal, oil or gas underneath. Gas is generally produced under leases, in which gas owners or their ancestors granted a production company the right to drill. But often, the leases are so old the current owners didn’t sign them, and certainly the advanced types of gas-production techniques used today were not anticipated.

Compounding the matter, gas producers now use a process called hydraulic fracturing, which pumps huge amounts of water and chemicals underground to loosen up gas reserves, and drill extensive horizontal holes to suck in gas from much wider areas. They bring in fleets of heavy trucks and install tanks and pipelines. The entire process has brought an influx of vibrations, noise and traffic. Though bills have been introduced year after year that are designed to mitigate the impacts on residents, West Virginia lawmakers have repeatedly refused to act.

Crowder and Wentz moved to their 300-acre farm on Brush Run in 1975, part of the “back-to-the-land” movement, seeking to live simply and be left alone. They divorced in 2005 and split the land, but both still live there on separate tracts.

There had been small gas wells on the property for years, but they were nothing like the noise, traffic and disturbance that EQT brought with it when it drilled nine new wells that would take in gas through nearly 10 miles of underground bores.

In February 2016, a local judge ruled that EQT had trespassed, and in September 2017, a jury awarded Crowder and Wentz about $200,000 in damages. EQT appealed.

The case is one of two major gas property-rights and drilling cases this term in which the industry is pressing for rulings that support its current method and scope of operations.

In the other case heard before the West Virginia Supreme Court in January, Harrison County residents said Antero Resources’ operations were creating a nuisance. A ruling on that hasn’t been issued yet.

At the heart of these cases is the fact that, economically and technologically, gas production today is all about what industry officials call “laterals.” These horizontal holes are drilled out in all directions from a vertical well. They can pull in natural gas from several miles away.

Industry officials say horizontal drilling allows them to minimize environmental impacts by building one well pad for multiple wells. But in doing so, it has magnified the impact for those residents who happen to live near — or on — the tracts chosen for those pads.

The Independent Oil and Gas Association had warned in a court brief that a ruling against EQT in the case would have “significant negative implications upon future and existing natural gas development in West Virginia.” EQT lawyers made similar warnings at trial.

Joshua Fershee, a West Virginia University law professor who has followed the case, said that the court’s decision won’t stop gas drilling. It will, however, make it more expensive for companies to secure the needed rights.

In concluding the court’s opinion, Hutchison said the justices didn’t aim to “challenge or constrain the drilling methods chosen by the oil and gas industry.”

“The industry has shown that horizontal drilling and hydraulic fracturing techniques are evolving at a rapid pace and are an economical and efficient tool for producing hydrocarbons,” Hutchison wrote. “Our opinion only affirms a classical rule of property jurisprudence: it is trespassing to go on someone’s land without the right to do so.”


ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.

 


How Google Tracks All Of Your Online Purchases. Its Reasons Are Unclear

Google tracks online purchases whose receipts land in your Gmail inbox. How? ExpressVPN reported:

"Initially stumbled across by a CNBC reporter, a "Google Purchases" page keeps track of all digital receipts sent to your Gmail account from as far back as 2012. The page is not limited to purchases made directly from Google, either. From flight tickets to Amazon purchases to food delivery services, if the receipt went to your Gmail, it’s on the list. Google takes the name, date, and other specifics surrounding the purchase and records them in a list on the page."

The tracking is a reminder of the privileged position an email provider holds: it sees every message that lands in the inbox, receipts included, whether or not the purchase had anything to do with Google. Consumers' purchase receipts can include very sensitive information such as foods, medicine, and medical devices for parents and/or their children; bookings for upcoming travel indicating when a home will be vacant; or purchases of medical marijuana, D-I-Y guns, and/or internet-connected adult toys. The bottom line: some consumers may not want their purchase data collected at all, let alone shared with other companies.

Now that you're aware of the tracking, something to consider the next time a cashier at a brick-and-mortar retail store asks: paper or email receipt? I always choose paper. You might, too.

To view your Google Purchase page, visit http://myaccount.google.com/purchases and sign in. Only you can view your purchases page.

The available remedies are unappealing. One option is to switch to an email provider that doesn't mine your messages. If you stay with Gmail, the only fix at the time of writing is manual: wade through your archive and delete the receipt emails, which can take hours or days. Gmail's own search can at least narrow the archive to likely receipts, but each deletion still has to be checked against the Purchases list:

"... the only way to remove a purchase from the list is to find and manually delete the email that contains the original receipt. Worse still, you can’t turn off tracking, and there’s no way to delete the list en masse. This process is incredibly tedious... Even more perplexing is that there’s no clear purpose for the collection of this data... the logic behind this reasoning is strange, the info is hiding in Google’s Account page, and it’s not exactly easy to access for users who want to “view and keep track of purchases.” And seeing as this page isn’t really being promoted to its users..."

Google said it is doing more for its customers regarding privacy. Last month, The Washington Post reported:

"... One executive after another at Google’s I/O conference in its hometown of Mountain View, California emphasized new privacy settings in products like search, maps, thermostats and updated mobile phone software. "We strongly believe that privacy and security are for everyone, not just a few," Google CEO Sundar Pichai said.

Said product manager Stephanie Cuthbertson, who introduced a new version of the Android mobile operating system: "You should always be in control of what you share and who you share it with."... Google also committed to improved privacy controls of its Nest-connected home devices, including the ability of users to delete their audio files. Some users have reported having hackers eavesdropping through their Nest devices."

Hmmm. It seems more privacy and control does not extend to Gmail users' purchase data. What are your opinions?

[Editor's note: this page was revised Monday evening to fix a typo and to include the link to the Google Purchases page.]


Two Data Breaches At Collections Vendor Used By Healthcare Testing Firms Affect About 19 Million Persons

Two healthcare data breaches have affected about 19 million persons, so far.

First, a data breach at a third-party collections firm has affected about 11.9 million patients of Quest Diagnostics, a medical testing firm. Quest announced in a June 3rd news release that American Medical Collection Agency (AMCA) had notified it of a data breach affecting Quest patients:

"... an unauthorized user had access to AMCA’s system...AMCA provides billing collections services to Optum360, which in turn is a Quest contractor. Quest and Optum360 are working with forensic experts to investigate the matter. AMCA first notified Quest and Optum360 on May 14, 2019 of potential unauthorized activity on AMCA’s web payment page. On May 31, 2019, AMCA notified Quest and Optum360 that the data on AMCA’s affected system included information regarding approximately 11.9 million Quest patients. AMCA believes this information includes personal information, including certain financial data, Social Security numbers, and medical information, but not laboratory test results."

Quest said that AMCA hasn't yet provided it with details about the data breach. The news release did not state when AMCA or Quest would directly notify affected patients. Hopefully, future news releases will state when the breach occurred, how the attackers got in, and what fixes are underway so it doesn't happen again.

Second, a data breach at the same third-party collections firm has also affected about 7.7 million customers of LabCorp, another medical testing firm. LabCorp disclosed in a filing with the U.S. Securities and Exchange Commission that AMCA had notified it of a data breach that occurred between August 1, 2018 and March 30, 2019. The filing did not state when AMCA notified LabCorp. It did state:

"AMCA is an external collection agency used by LabCorp and other healthcare companies. LabCorp has referred approximately 7.7 million consumers to AMCA... AMCA’s affected system included information provided by LabCorp. That information could include first and last name, date of birth, address, phone, date of service, provider, and balance information. AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA... AMCA has advised LabCorp that Social Security Numbers and insurance identification information are not stored or maintained for LabCorp consumers."

LabCorp said in the filing that it didn't provide patients' ordered tests, laboratory results, or diagnostic information to AMCA. AMCA is currently notifying about 200,000 LabCorp consumers whose credit card or bank account information may have been accessed. Also:

"AMCA has not yet provided LabCorp a list of the affected LabCorp consumers or more specific information about them. AMCA has indicated that it is continuing to investigate this incident and has taken steps to increase the security of its systems, processes, and data. LabCorp takes data security very seriously, including the security of data handled by vendors. AMCA has informed LabCorp that it intends to provide the approximately 200,000 affected LabCorp consumers with more specific information about the AMCA Incident, in addition to offering them identity protection and credit monitoring services for 24 months."

Given the ongoing investigation and breach notification, more news seems likely. Both breaches suggest that other AMCA clients may have been affected. A check of the AMCA website at press time found no news releases or mention of either data breach. C/Net reported:

"LabCorp also said that as a result of the breach, it's stopped sending new collection requests to the AMCA and suspended the AMCA's work on any pending requests related to LabCorp customers... LabCorp declined to comment beyond its SEC filing. AMCA said it conducted an internal audit after being notified of the breach by an outside security compliance firm and took down its web payments page. The company has also hired a third-party forensics firm to investigate the breach and has notified law enforcement."

The Krebs On Security blog reported:

"... AMCA also does business under the name “Retrieval-Masters Credit Bureau,” a company that has been in business since 1977. Retrieval-Masters also has an atrocious reputation for allegedly harassing consumers for debts they never owed. A search on the company’s name at the complaints page of the Consumer Financial Protection Bureau (CFPB) turns up almost 700 complaints for Retrieval-Masters. The company has an abysmal “F” rating from the Better Business Bureau, with 60 complaints closed against it in the last three years. Reviewing a number of those complaints reveals some of the AMCA’s other current and/or previous clients, including New Jersey’s EZPass system.

Both data breaches remind patients that when healthcare companies outsource collections, sensitive healthcare and payment information goes to the outsourcing vendor, and the patient's security is then only as good as that vendor's. Two details stand out: the LabCorp filing puts the intrusion between August 1, 2018 and March 30, 2019, an eight-month window, and AMCA learned of it from an outside security compliance firm rather than from its own monitoring of the web payments page. The lack of further detail makes one wonder whether AMCA executives were caught unprepared, with both inadequate security on the payments website and no rehearsed post-breach response. Hopefully, future news reports will clarify things.


After Pleading Guilty To Continued Pollution And Trying To Hide It, Carnival Corporation Fined An Additional $20 Million

[Editor's note: I'm back from my break. Thanks to readers for your patience. That break included a vacation on a different cruise line sailing from New Zealand to Canada via Polynesia, Tasmania, southern Australia, French Polynesia, and the Hawaiian Islands. So, this news story caught my attention.]

On Monday, Carnival Corporation acknowledged violating its probation terms from a 2016 pollution case. Government prosecutors fined the company an additional $20 million for the continuing violations. The New York Times reported:

"In 2016, Princess Cruise Lines agreed to pay a $40 million penalty for illegally dumping oil-contaminated waste into the sea and acts by employees to try to cover it up. It was the largest criminal penalty ever imposed for intentional vessel pollution... The new violations included discharging plastic into waters in the Bahamas, falsifying records and interfering with court supervision of ships... Vessel pollution is just one of the many human-caused hazards facing ocean life today. Ship traffic and noise can cause the death of sea creatures; marine animals routinely turn up dead with plastic in their stomachs; and rising sea temperatures, stemming from climate change caused by human activity, are destroying the framework of many ocean ecosystems."

Based in Miami, Carnival Corporation operates several cruise lines including Princess Cruises, Carnival Cruise Line, Holland America Line, P&O Cruises (UK), Cunard, Seabourn, AIDA Cruises (Germany), and Costa Cruises (Italy). Its website states a combined fleet of 102 ships, with 19 new ships to be delivered between 2017 and 2022. The company employs about 120,000 people worldwide, and 11.5 million guests sail on its ships each year. In 2018, Carnival Corporation generated after-tax profits of $3.15 billion on revenues of $18.88 billion.

Government regulators focused upon the company after:

"... Princess agreed, in 2016, to plead guilty to felony charges and pay the hefty $40 million penalty. In that case... the Caribbean Princess ship, had used several means, including a device called a magic pipe, to circumvent water-cleaning mechanisms... Officials said that four other Princess ships had also been found to have engaged in illegal practices to discharge waste. The discharged waste included gray water — water that has been contaminated with food particles, grease and fat — and water found in the ship’s bilge, the bottom part of the ship where oil waste from engines can accumulate. A whistleblower employee alerted the authorities and certain engineers ordered a coverup, including directing subordinates to lie, according to prosecutors."

In an announcement on Monday, the U.S. Department of Justice (DOJ) listed in detail the violations by Carnival Corporation and its executives:

"1. Failing to establish a senior corporate officer as a corporate compliance manager with responsibility and sufficient authority for implementing new environmental measures required during probation;
2. Contacting the Coast Guard seeking to re-define the definition of what constitutes a major non-conformity under the ECP without going through the required process and after the government had rejected the proposal and told the company to file a motion with the court if it wanted to pursue the issue;
3. Deliberately falsifying environmental training records aboard two cruise ships; and
4. Deliberately discharging plastic in Bahamian waters from the Carnival Elation and failing to accurately record the illegal discharges. Prosecutors advised the Court that this particular instance was an example of a more widespread problem, identified by the external audits, in failing to segregate plastic and non-food garbage from waste thrown overboard from numerous cruise ships."

The DOJ announcement also listed the terms of the settlement agreement, which requires Carnival Corporation:

"i) Pay a $20 million criminal penalty;
ii) Issue a statement to all employees in which Carnival’s CEO accepts management’s responsibility for the probation violations;
iii) Restructure the company’s corporate compliance efforts, including appointing a new chief Corporate Compliance Officer, creating an Executive Compliance Committee across all cruise lines, adding a new member to the Board of Directors with corporate compliance expertise, and train its Board of Directors;
iv) Pay up to $10 million per day if it does not meet deadlines for submitting and implementing needed changes to its corporate structure;
v) Pay for 15 additional independent audits per year conducted by the third-party auditor and Court Appointed Monitor (on top of approximately 31 ship audits and 6 shore-side audits currently performed annually);
vi) Comply with new reporting requirements, including notifying the government and court of all future violations, and specifically identifying foreign violations and the country impacted; and
vii) Make major changes in how the company uses and disposes of plastic and other non-food waste to urgently address a problem on multiple vessels concerning illegal discharges of plastic mixed with other garbage."

Plus, Princess Cruise Lines will remain on probation for three more years. The added third-party audits suggest that the court doesn't trust the company and its executives to report their own progress and corrective actions accurately. That's appropriate given how light the fines are as a percentage of the company's profits.

Cruise customers have already shared their views. According to the Cruise Critic website:

"... SO DISAPPOINTED IN Carnival/Princess... NOT acceptable!!! I just went on a 12 day cruise on the Star Princess last month. I feel betrayed reading this. I had such a great time too. To intentionally break pollution laws means no integrity and shoddy business practice. I want to slap someone."
-- Marykay8

" Well now we know why they have increased some pricing, including some drink packages by 40%. Got to get more from the passengers to pay their fine. The customer always pays more in these scenarios."
-- KYwildcatfanone

"Let's hope this will finally get Carnival Corp. to ensure all of its ships adhere to environmental regulations. But in the big scheme of things, $20 million is just a minuscule amount on a company that had $3.2 billion in net income."
-- GeoHerb

More discussion by customers is available here. Clearly, cruise customers want the pollution stopped, executives held accountable, and the company to change its behavior.

A search of both the Carnival Corporation and Princess Cruises websites at press time failed to find any press releases or mention of the latest fine. The Miami Herald published a brief statement by Arnold Donald, the company's Chief Executive Officer, who appeared in court:

"Donald spoke on behalf of Carnival Corp. "I sincerely regret this case," he said. "In my role as CEO I do take responsibility for the problems we have. I am extremely disappointed that we’ve had them. I know you have reservations about our commitment and who we are. I want you to know we are fully committed." Donald was the only executive who spoke at the hearing."

Fully committed? The proof will be in the company's future actions, not its words: full, consistent compliance with the latest settlement agreement and a cleanup of its pollution mess. Will it? What action will the board of directors take? Which executives will be disciplined? Which senior executives will resign? Will more whistleblowers come forward? Lots more news to come.