Archive for the ‘Privacy and Compliance’ Category

Privacy Gurus and Tech Giants Speak to Congress on 6/20 About the Need for a Unified Data Protection Law

Tuesday, June 20th, 2006

There was an interesting short piece published on CNET News today, "Tech titans lobby for national consumer privacy laws."  Basically the tech giants are pushing for a single unified privacy law to apply to all businesses.  Gee, makes sense, doesn’t it?  Too bad Congress has been creating hodge-podge data protection (privacy) legislation for the past couple of decades.  Well, it’s better than not having anything. 

The meeting took place today with a group from the U.S. House of Representatives, the Subcommittee on Consumer Protection.

Well…the news item whetted my curiosity whistle…but I like to go to the source for the full details.  The meeting is currently available via a webcast but (RATS!) not yet the full transcript.  Arrggghhh…it is too late in the evening for me to listen to all of this…something to add to my to-do list for tomorrow.

The Witness List & Prepared Testimony came from Meg Whitman, President and CEO, eBay Inc.; Dr. Thomas M. Lenard, Ph.D., Senior Vice President for Research, The Progress & Freedom Foundation; Peter Swire, C. William O’Neill Professor of Law, Moritz College of Law, The Ohio State University; Scott Taylor, Chief Privacy Officer, Hewlett-Packard Company; and Evan Hendricks, Editor/Publisher, Privacy Times.

Their prepared statement, quite short, is also endorsed by Google, Microsoft and several other tech leaders, and pushes for a:

"comprehensive harmonized federal privacy legislation to create a simplified, uniform but flexible legal framework. The legislation should provide protection for consumers from inappropriate collection and misuse of their personal information and also enable legitimate businesses to use information to promote economic and social value. In principle, such legislation would address businesses collecting personal information from consumers in a transparent manner with appropriate notice; providing consumers with meaningful choice regarding the use and disclosure of that information; allowing consumers reasonable access to personal information they have provided; and protecting such information from misuse or unauthorized access. Because a national standard would preempt state laws, a robust framework is warranted."

Such a law truly would start to coincide with all the non-U.S. data protection laws currently in effect.  Harmonization is a great idea, and I urge companies to use that concept with their compliance efforts.  There are many commonalities and overlaps among existing laws, both U.S. and non-U.S.  It would be interesting to see how such a comprehensive law would impact the existing U.S. laws…or vice versa.

One of the subcommittee members, Cliff Stearns (or Joe Barton; it’s hard to tell the way the document is labelled) appears to support such legislation.

This will be something to keep an eye on…hopefully this is not just activity coming at a time to placate the public’s concerns with the glut of privacy/security incidents occurring in the past couple of years.  Both businesses and the public need a strong data protection law to help provide security and privacy, as well as provide a legal framework around which organizations can build strong privacy/security programs.  Will Congress be brave enough to pass such a strong law with teeth and no loopholes?  Time will tell.  At least one eye will keep on this issue…

Semantic web and privacy

Monday, June 19th, 2006

Over the past few weeks I have been intrigued with semantic web and the impact of it upon privacy and security.  I was at CSI’s NetSec in Scottsdale, AZ last week (followed by a wonderful first visit to the Grand Canyon…and then some hardware problems…AARRRRGGGGHHHHH!!!!!…thus my lack of blog postings), and I was surprised that no one I spoke with (admittedly a small fraction of the total number of attendees) had heard of semantic web.

Semantic web has actually been in the news lately.  For example,

  • NSA Looking At Social-Networking Spaces: "Bajarin also mentioned that the NSA searches are also tying into a time when the Internet is evolving towards what’s known as the "semantic Web." With simple code revisions to major Web sites, the Internet’s content becomes far easier to search through and index, larger systems and search engines seeing the structure of the Internet in a more logical, easily searchable way. "While it (the "semantic Web") might help surveillance, it helps make searches more accurate," Bajarin said. "It would have to help data mining and surveillance efforts to some degree. If you want serious data mining done for lower-level access, you’d need legal access to the back end."  Others have wondered about the NSA’s logic in tracking terrorist connections through social-networking sites such as MySpace.com and Facebook.com."
  • Pentagon datamines social networks: "New Scientist reports that the Pentagon is datamining social networks.  This is to allow the US government to draw up detailed personal profiles of individuals, according to what they post to the internet.  It is also intended to work out which individuals are connected to blacklisted organisations, either directly, or through people they interact with online.  Ironically, attempts by the W3C to make the web more interaccessible via different data formats – the so-called semantic web, using the Resource Description Framework (RDF) – will expedite this process."
  • Inventor of ‘Semantic Web’ hired as RPI professor: "He is recognized as one of the inventors of the "Semantic Web," which is the development of a language for the Internet that can be understood by computers. Such a system can allow far fuller use of the Web, Hendler said. "As a simple example, imagine being able to search the Web for ‘the scene where the guy throws his hat at a statue and its head falls off’ and finding the right clip from the movie Goldfinger to download to your hand-held video device," Hendler said in a statement released by Rensselaer."

Several web sites are devoted to semantic web, such as W3C and the Semantic Web Community portal.

Much has been written about semantic web in various universities.  For example, just a few include:

It certainly has great potential…imagine the computing power! 

However, when delving into the possibilities, there are certainly significant privacy issues to consider in the way it is used, and the impact of incorrect labelings and codings. 

Consider a 1000-piece jigsaw puzzle of a blue lake and blue sky…looking at just one piece at a time would not tell someone what the completed puzzle would look like.  Even looking at a few connected pieces would not tell much more of significance.  However, by putting together significant portions of the puzzle, eventually leading to puzzle completion, everything about the picture becomes clearly obvious.  The semantic web holds that same potential for piecing together the private lives of people; taking a piece from here and a piece from there to form the complete picture about an individual.  A huge risk is when the semantic web does not interpret the pieces correctly, makes vastly inaccurate conclusions, and subsequent mistakes are made that negatively impact lives.  This is similar to the profiling programs used by the TSA, which have resulted in a few incorrect interpretations of travellers with significant impacts to their otherwise comparatively normal lives, only on a potentially larger scale.

There is much more to say about this…more research first, however…

State-Level Breach Notice Laws as of June 7, 2006

Tuesday, June 13th, 2006

There are many resources throughout various locations on the Internet that have listings of state level breach notice laws.  Unfortunately most are not up-to-date, and often they are not presented in a format that can serve as a quick reference.  I have found it most helpful to have a basic listing of all the state breach notice laws, along with the effective date for each.  As of June 7, 2006, I have found 32 state-level breach notice bills that have been signed into law, with the exception of the bill in Hawaii, which has been enrolled to the governor. I have created a table to serve as a handy reference to these laws and their corresponding effective dates.  My goal is to keep this up-to-date and repost whenever new laws are signed.

What IT Needs to Know About Compliance

Thursday, June 8th, 2006

Businesses must always be vigilant about data security and privacy, particularly in the global information-based economy.  The need for security and privacy has never before been more apparent, with a new incident occurring practically every day. Businesses are dependent upon information technology (IT), not only to be successful in business, but also to be successful in protecting and controlling electronic data.

The risks that are an inherent part of IT make it necessary for IT leaders and IT personnel to know the data protection laws and regulations more than ever before. It is with this knowledge that they can incorporate information security and privacy within all the IT processes, throughout the entire systems development life cycle (SDLC). 

There are many commonalities between the regulatory, contractual and policy requirements for protecting data.  By realizing these commonalities IT can more successfully address compliance in a unified manner throughout the enterprise, and not try to address compliance issues in a piecemeal manner (which is typical but leads to significant compliance gaps). 

I discuss these issues, the IT issues within a wide range of U.S. and international laws and regulations, and clearly list the IT requirements to demonstrate the commonalities, in a new article I posted on my site, "What IT Needs to Know About Compliance."

Government Oversight Agencies Need to Give HIPAA Its Teeth to Truly Address PHI Privacy and Security

Monday, June 5th, 2006

Today a story ran in the Washington Post about how no fines have yet been given for HIPAA noncompliance.  So far close to 20,000 complaints regarding HIPAA compliance have been filed with the Department of Health and Human Services (HHS) oversight agencies: the Office for Civil Rights, responsible for the HIPAA Privacy Rule, and the Centers for Medicare and Medicaid Services, responsible for the HIPAA Security Rule.

The article indicates 73% of the complaints (over 14,000) were found to have no violation involved, or the HHS required the covered entities (CEs) involved to fix the problems.  This really is not at all surprising.  Back when HIPAA went into effect the HHS indicated that they would address HIPAA compliance through complaint-driven activities and investigations, and would work with the CEs to fix the problems. 

On February 16 of this year, the HHS released the "HIPAA Administrative Simplification: Enforcement; Final Rule," which became effective March 16, 2006, to more clearly define their compliance and enforcement plans.  Within this Enforcement Rule it is specifically stated:

"§ 160.410 Affirmative defenses.
(a) As used in this section, the following terms have the following meanings:
Reasonable cause means circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated.
Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.
(b) The Secretary may not impose a civil money penalty on a covered entity for a violation if the covered entity establishes that an affirmative defense exists with respect to the violation, including the following:
(1) The violation is an act punishable under 42 U.S.C. 1320d–6;
(2) The covered entity establishes, to the satisfaction of the Secretary, that it did not have knowledge of the violation, determined in accordance with the federal common law of agency, and, by exercising reasonable diligence, would not have known that the violation occurred; or
(3) The violation is—
(i) Due to reasonable cause and not willful neglect; and
(ii) Corrected during either:
(A) The 30-day period beginning on the date the covered entity liable for the penalty knew, or by exercising reasonable diligence would have known, that the violation occurred; or
(B) Such additional period as the Secretary determines to be appropriate based on the nature and extent of the failure to comply.
§ 160.412 Waiver.
For violations described in § 160.410(b)(3)(i) that are not corrected within the period described in § 160.410(b)(3)(ii), the Secretary may waive the civil money penalty, in whole or in part, to the extent that payment of the penalty would be excessive relative to the violation."

So, you can see this is still apparently the planned course of action.

What does this mean with regard to HIPAA having teeth?  Hmm…well…this pretty much leaves HIPAA gumming the noncompliance meat.

I agree with many of the viewpoints at the end of the Washington Post article.  Many, if not most, CEs, knowing that they will only get in trouble with HIPAA noncompliance if 1) someone complains, and then 2) they are not cooperative, after the fact, with the HHS oversight agencies, will choose to stay their current course and take no compliance actions.  The CEs I’ve spoken to have told me this, and they’ve even blogged about it and discussed it in maillists and discussion groups.  The motivators for compliance have basically been removed. 

The only real motivators now are the penalties for criminal noncompliance, which have been applied twice so far.  Too bad crimes have to occur before actions are taken…isn’t it better to prevent the crimes to begin with by applying security and privacy safeguards? 

It is also really too bad that the government, which is more aggressively pursuing compliance for other regulations, such as SOX and the FTC Act, has taken such a milquetoast attitude with patient information privacy and security.  If HIPAA enforcement is to be effective, it appears that the public will need to be more vocal in their calls to have the regulation enforced.  And, it would be good if the CEs would just do the right thing to protect the privacy and security of protected health information (PHI) and follow the regulations now instead of waiting until their hand is caught in the noncompliance cookie jar.  One alternative may be the FTC Act…most CEs have posted privacy policies on their websites…notices of privacy practices (NPPs) are a requirement of HIPAA.  If CEs do not follow them, couldn’t they be found guilty of committing unfair and deceptive business practices? 

We know the FTC and SEC are diligent in pursuing noncompliance cases…maybe the FTC and SEC heads should have lunch with the HHS head and discuss this issue.

The HIPAA Privacy Rule has been in force since 2003…it’s time the honeymoon period is over.  If the HHS would look at the increasingly large numbers of incidents occurring every week…heck, every day…they should realize enforcement and associated penalties are necessary for compliance and PHI protection.

Which brings me to wonder…how will the VA laptop/hard drive theft be handled through an HHS HIPAA violation investigation?  E&Y was a VA business associate (BA) who lost PHI about 26.5 million individuals…certainly seems something should be done.  Others think so as well…see "Health-privacy coalition seeks HIPAA review of VA." 

Discount Offered for Workshop That Provides Tools for Helping Privacy and Information Security Officers to Work Most Effectively on Their Common Goals

Thursday, June 1st, 2006

On May 17 I wrote in this blog about how Information Security and Privacy Professionals MUST Work Together to be Successful and told about the workshop addressing this that Christopher Grillo and I will be teaching June 10 and 11 just before the upcoming CSI NetSec conference in Scottsdale, AZ. 

I’m very happy to learn from CSI today that you can get a discount to attend this workshop.  When registering use the code PRIV06 to get $100 off the workshop price.

We have created a huge amount of reference material for the attendees…according to CSI more than any other workshop they have sponsored…plus tools that took Chris and me literally 100s of hours to create.  If you can make it please join us; the more the merrier!  Plus, the more people attend, the more depth in our sharing of experiences, thoughts and opinions during the workshop.

Example of a Noncompliance Action for the USA PATRIOT Act: $600,000 Fine

Tuesday, May 30th, 2006

I am concerned when I am at conferences and professional meetings and I hear presenters telling the attendees, from any industry, that there is really nothing that they need to do to address the requirements of the USA PATRIOT Act, and I’ve heard this communicated several times since the law was enacted in 2001.  Here is a good example that yes, indeed, doing nothing can come back to haunt you…and negatively impact your business with penalties and bad press.

It is rare that you see the USA PATRIOT Act, the follow-up for which is the USA PATRIOT Improvement and Reauthorization Act of 2005, being referenced as being part of actions taken by law enforcement for surveillance, or by regulators as part of the basis for fines.  However, I just ran across a story on the government’s FinCEN site that talks about how noncompliance with the USA PATRIOT Act was used in determining a $600,000 penalty against Liberty Bank of New York…I need to check that site more often, don’t I?

In brief, the Financial Crimes Enforcement Network (FinCEN), Federal Deposit Insurance Corporation (FDIC), and New York State Banking Department (NYSBD) assessed a $600,000 penalty against Liberty Bank of New York for violations of federal and state anti-money laundering laws and regulations. Liberty Bank consented to payment of the civil money penalties without admitting or denying the allegations (this is pretty common with regulatory noncompliance situations).

What did Liberty Bank do…or not do?  FinCEN, FDIC, and NYSBD found they:

  • Failed to implement an adequate Bank Secrecy Act/anti-money laundering program with internal controls and appropriate measures to detect and report money laundering and other suspicious activity in a timely manner.
  • Did not have an anti-money laundering program that complied with information sharing requests from law enforcement under section 314(a) of the USA PATRIOT Act.

I anticipate seeing more, and probably more aggressive/costly, actions taking place with regard to the USA PATRIOT Acts as time goes on…companies need to take notice and be aware; not only for section 314(a), but for all the sections, some of which apply to more businesses than just those considered by the law as a financial institution.

Wonder what section 314(a) is all about?  Here you go:

"SEC. 314. COOPERATIVE EFFORTS TO DETER MONEY LAUNDERING.

(a) COOPERATION AMONG FINANCIAL INSTITUTIONS, REGULATORY AUTHORITIES, AND LAW ENFORCEMENT AUTHORITIES-

(1) REGULATIONS- The Secretary shall, within 120 days after the date of enactment of this Act, adopt regulations to encourage further cooperation among financial institutions, their regulatory authorities, and law enforcement authorities, with the specific purpose of encouraging regulatory authorities and law enforcement authorities to share with financial institutions information regarding individuals, entities, and organizations engaged in or reasonably suspected based on credible evidence of engaging in terrorist acts or money laundering activities.

(2) COOPERATION AND INFORMATION SHARING PROCEDURES- The regulations adopted under paragraph (1) may include or create procedures for cooperation and information sharing focusing on–

(A) matters specifically related to the finances of terrorist groups, the means by which terrorist groups transfer funds around the world and within the United States, including through the use of charitable organizations, nonprofit organizations, and nongovernmental organizations, and the extent to which financial institutions in the United States are unwittingly involved in such finances and the extent to which such institutions are at risk as a result;

(B) the relationship, particularly the financial relationship, between international narcotics traffickers and foreign terrorist organizations, the extent to which their memberships overlap and engage in joint activities, and the extent to which they cooperate with each other in raising and transferring funds for their respective purposes; and

(C) means of facilitating the identification of accounts and transactions involving terrorist groups and facilitating the exchange of information concerning such accounts and transactions between financial institutions and law enforcement organizations.

(3) CONTENTS- The regulations adopted pursuant to paragraph (1) may–

(A) require that each financial institution designate 1 or more persons to receive information concerning, and to monitor accounts of individuals, entities, and organizations identified, pursuant to paragraph (1); and

(B) further establish procedures for the protection of the shared information, consistent with the capacity, size, and nature of the institution to which the particular procedures apply.

(4) RULE OF CONSTRUCTION- The receipt of information by a financial institution pursuant to this section shall not relieve or otherwise modify the obligations of the financial institution with respect to any other person or account.

(5) USE OF INFORMATION- Information received by a financial institution pursuant to this section shall not be used for any purpose other than identifying and reporting on activities that may involve terrorist acts or money laundering activities."

Privacy, Compliance and International Data Flows

Friday, May 26th, 2006

Yesterday I posted a new paper to my site, "Privacy, Compliance and International Data Flows."

In today’s technology and business environment, computers are more mobile and more powerful than ever before. Information is shared more easily, more quickly, and in more ways than previously possible.  One voice-activated command can send a message or document to many different locations throughout the world in milliseconds.  Huge amounts of data can be downloaded onto small mobile computing and storage devices more easily than ever before…and we’ve seen by the ongoing incidents how these mobile devices put data at great risk.

This advanced technology revolution certainly has improved business efficiency and expediency. However, it has also created potential threats to the privacy of personal information and violations of new and emerging data protection laws. In this article I discuss privacy, related laws around the world, compliance and international data flow issues, what organizations need to think about with regard to international data protection, and what they need to do to address the wide range of issues.

Some VA Laptop Theft Lessons: Don’t Get Complacent Over Laptop Thefts…Bad Things CAN Happen to Any of the People Involved…And May Not be Discovered For Years

Tuesday, May 23rd, 2006

Much has been written over the past two days about the theft of the laptop from a government worker’s home that contained SSNs, birthdates and names for 26.5 million U.S. veterans. 

What concerns me is a recurring, almost a lackadaisical…and in some cases flippant or dismissive…attitude about these types of incidents.

One in particular on CNET News, "Veterans’ data swiped in theft" captures the essence of some of the recurring themes in these incident reports.  For example:

"The good news for Veterans Affairs is that the crooks may not know what they have.  "It is possible that (the thieves) remain unaware of the information which they possess or of how to make use of it," Veterans Affairs said on the Web site.  Gartner’s Litan agrees. Studies have shown that thefts of computers storing sensitive data have resulted in only a small percentage of identity theft, she says. And she added that information on millions of veterans would not necessarily yield much loot.  "Frankly, veterans don’t have a lot of money," Litan said. "They aren’t typically wealthy people. Criminals aren’t going to be taking out 26 million loans (in the names of the veterans whose information was stolen). That’s a lot of information, and the thieves have time constraints just like everybody else. They want information on the wealthiest individuals.""

Wow, this certainly is good spin from the PR department.

I don’t believe such studies of computers stolen provide any type of conclusive evidence.  SSNs, names and birthdates could potentially be used YEARS after a theft to do bad things.  Just because nothing bad has BEEN DETECTED YET does not mean bad things will never be done with that information. 

Additionally, there are so many ways that this type of information can be misused by the crooks and fraudsters who have this information in hand that it is very possible that the people to whom the information applies will not find out about nefarious activity until years later.  And it doesn’t matter how much money the people involved make…this seems a rather insulting statement to the victims, doesn’t it?  You’re too poor to worry about anyone wanting to do crime with your information?  C’mon now…individuals don’t need to make anything to have their lives made a mess by identity theft!

A great example is a story I read recently in Reader’s Digest about child identity theft.

"Seventeen-year-old Randy Waldron, Jr., was shocked when he applied for his first credit card and was denied. He was even more shocked by the reason: He was delinquent in repaying thousands of dollars in debt.  Waldron’s identity had been stolen by his estranged father, who left when Randy was a toddler. From 1982 to 1999, Randy Waldron, Sr., used his son’s Social Security number to obtain credit from various merchants and lenders, then racked up tens of thousands of dollars in debts. He declared bankruptcy in his son’s name, which resulted in default judgments against the younger Waldron. It has taken Randy Jr., now a 24-year-old flight attendant, years to untangle the mess."

This identity theft…criminal use of another’s SSN and name…occurred for around 18 years without the victim’s knowledge!  And then the victim, who was not even making money during this criminal activity, was severely impacted for years.  And apparently this type of crime is not uncommon.

The fact is, there are no time constraints on using this type of information.  The fact is, most people are not going to change their names, SSNs or birthdates to make the data invalid.  The fact is, if nothing bad has happened within a few weeks, many, perhaps most, of the organizations that caused the mess…by poor data handling practices, lack of encryption, lack of controls, lack of awareness and training, lack of policies…are not going to step up and do what they should to protect the individuals, which at the least is to enroll them into credit monitoring services.

The fact is, once this much information has been stolen, chances are the culprits are not going to perform the crimes themselves…they possess very valuable information that they can sell…to thousands and perhaps millions of other criminals throughout the world…to use at their own leisure.

This particular statement hit a nerve: 

"Criminals aren’t going to be taking out 26 million loans (in the names of the veterans whose information was stolen). That’s a lot of information, and the thieves have time constraints just like everybody else. They want information on the wealthiest individuals."

What?  Crime with personal information can occur in so many other ways than just taking out loans.  The names, SSNs and birthdates are valuable items…they can be exploited in many ways, and over a course of time by many, many criminals.  It’s just not true that criminals only want information on the wealthiest individuals.  What data supports this?  If you know someone who has been a victim, or at least read the news on a daily basis, you know this.  The most frequently scammed and violated people are those who are not wealthy.  Very rarely do you read about wealthy people who have been victims.  According to various FTC studies and reports this is a widespread problem, and definitely not limited to only the wealthy.  The September 2003 Federal Trade Commission – Identity Theft Survey Report indicates that identity theft, and other criminal use of personal information, impacts people of all income levels.

When an incident occurs, organizations need to be pro-active, not reactive…not waiting until bad things happen to the individuals involved.

Of course, prevention is the best course of action.

  • Encrypt mobile data
  • Implement strong policies that are enforced
  • Provide training…awareness…more training…more awareness…more awareness…more awareness…almost all incidents involve people who did not know any better, but should have.

Yet Another Laptop Theft…This One With Info About 26.5 MILLION Military Vets

Monday, May 22nd, 2006

There was a widely reported Reuters story today, "Data on 26.5 million veterans stolen from home" about yet another laptop theft with massive amounts of personal information stored upon it. The theft took place sometime this month.  Data included names, social security numbers and birthdates.

The Department of Veterans Affairs spokesperson indicated the employee took home this large amount of data in violation of "rules and regulations and policies."

Well, it is good they had these policies in place.   Policies cannot prevent people from doing the wrong things, but they are necessary to establish the expectations for appropriate business activities, and the security framework for an information handling and processing environment.

Hopefully there are some strong sanctions policies also in place.  The employee was put on administrative leave during the investigation.

Policies, though, without communicating them to personnel will be ineffective…people cannot be expected to do the right thing if they are not told what the right thing is to do.  Is there a strong information security education program in place at these companies where such incidents are occurring?  I think of the oft-quoted Rumsfeld quote when these incidents occur and I question whether or not there is adequate awareness and training in place, "But there are also unknown unknowns – the ones we don’t know we don’t know."  Your personnel don’t know that they don’t know about information security risks if you have not been communicating with them.  This is a huge risk…ignorance is definitely not bliss for your organization.  Companies need to start beefing up their awareness and training efforts or these types of senseless and avoidable incidents will continue to occur.
