Archive for the ‘Uncategorized’ Category

U.S. Energy and Commerce Committee Today Approved the Data Accountability and Trust Act

Wednesday, March 29th, 2006

Today the House Energy and Commerce Committee had a unanimous 41-0 vote in favor of H.R. 4127, the Data Accountability and Trust Act.  Let’s walk through the major portions of this bill; it:

  • Requires "each person engaged in interstate commerce that owns or possesses data in electronic form containing personal information to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information."
  • Requires the policies and procedures to cover the collection, use, sale, other dissemination, and maintenance of personal information.
  • Requires the identification of an officer with responsibility for the management of information security.
  • Requires a process for identifying and assessing "any reasonably foreseeable vulnerabilities in the system" that contains personal information.
  • Requires a process for taking preventive and corrective action to mitigate against any vulnerabilities "which may include encryption of such data, implementing any changes to security practices and the architecture, installation, or implementation of network or operating software."
  • Requires information brokers to annually submit their information security policies to the FTC.
  • Requires the FTC to perform audits of information brokers who have experienced a breach.
  • Requires information brokers to allow individuals to view their corresponding information and to communicate on their website how individuals can accomplish this.
  • Requires information brokers to maintain documentation for when individuals dispute the accuracy of their information.
  • Requires "any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information"  following a security breach to:
    (1) notify U.S. citizens "whose personal information was acquired by an unauthorized person as a result of such a breach of security" of the breach;
    (2) notify the FTC;
    (3) place a conspicuous notice about the breach on their website; and
    (4) in the case of a breach of financial account information of a merchant, notify the financial institution.
  • Requires notifications to "be made as promptly as possible and without unreasonable delay following the discovery of a breach of security of the system and any measures necessary to determine the scope of the breach, prevent further breach or unauthorized disclosures, and reasonably restore the integrity of the data system."
  • Allows for either written or email notification (if the individual has consented to receive notification via email).
  • Requires the content of the direct notification to include "(i) a description of the personal information that was acquired by an unauthorized person;  (ii) a telephone number that the individual may use, at no cost to such individual, to contact the person to inquire about the security breach or the information the person maintained about that individual; (iii) the toll-free contact telephone numbers and addresses for the major credit reporting agencies; and  (iv) a toll-free telephone number and Internet website address for the Commission whereby the individual may obtain information regarding identity theft."
  • Allows for substitute notification in lieu of direct notification if the direct notification  will be "(i) excessive cost to the person required to provide such notification relative to the resources of such person, as determined in accordance with the regulations issued by the Commission"  or "(ii) lack of sufficient contact information for the individual required to be notified."
  • Requires the content of substitute notification to be "in print and broadcast media, including major media in metropolitan and rural areas where the individuals whose personal information was acquired reside. Such notification shall include a telephone number where an individual can, at no cost to such individual, learn whether or not that individual’s personal information is included in the security breach."
  • Requires the FTC to establish the criteria for substitute notification and general guidance for compliance with the law within 270 days after the law is enacted.
  • Requires the person required to give notification to provide each impacted individual, at no cost to the individual, with consumer credit reports from at least one of the "major credit reporting agencies beginning not later than 2 months following a breach of security and continuing on a quarterly basis for a period of 2 years thereafter."
  • Requires the FTC to post a notice of each reported security breach in a conspicuous location on the FTC website.

It is important to know the definitions of key terms within this bill; they follow:

"(1) BREACH OF SECURITY- The term `breach of security’ means the unauthorized acquisition of data in electronic form containing personal information that establishes a reasonable basis to conclude that there is a significant risk of identity theft to the individual to whom the personal information relates. The encryption of such data, combined with appropriate safeguards of the keys necessary to enable decryption of such data, shall establish a presumption that no such reasonable basis exists. Any such presumption may be rebutted by facts demonstrating that the method of encryption has been or is likely to be compromised.

(2) COMMISSION- The term `Commission’ means the Federal Trade Commission.

(3) DATA IN ELECTRONIC FORM- The term `data in electronic form’ means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices.

(4) ENCRYPTION- The term `encryption’ means the protection of data in electronic form in storage or in transit using an encryption algorithm implemented within a validated cryptographic module that has been approved by the National Institute of Standards and Technology or another comparable standards body recognized by the Commission, rendering such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption.

(5) IDENTITY THEFT- The term `identity theft’ means the unauthorized assumption of another person’s identity for the purpose of engaging in commercial transactions under the name of such other person.

(6) INFORMATION BROKER- The term `information broker’ means a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not customers of such entity for the sale or transmission of such information or the provision of access to such information to any third party, whether such collection, assembly, or maintenance of personal information is performed by the information broker directly, or by contract or subcontract with any other entity.

(7) PERSONAL INFORMATION-

(A) DEFINITION- The term `personal information’ means an individual’s first and last name in combination with any 1 or more of the following data elements for that individual:

(i) Social Security number.

(ii) Driver’s license number or other State identification number.

(iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.

(B) MODIFIED DEFINITION BY RULEMAKING- The Commission may, by rule, modify the definition of `personal information’ under subparagraph (A) to the extent that such modification is necessary to accommodate changes in technology or practices, will not unreasonably impede interstate commerce, and will accomplish the purposes of this Act.

(8) PERSON- The term `person’ has the same meaning given such term in section 551(2) of title 5, United States Code."

Also important to note are the ways in which this law would preempt the state level laws:

"(a) Preemption of State Information Security Laws- This Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision of a State that expressly–

(1) requires information security practices and treatment of personal information similar to any of those required under section 2; and

(2) requires notification to individuals of a breach of security resulting in unauthorized acquisition of their personal information.

(b) Additional Preemption-

(1) IN GENERAL- No person other than the Attorney General of a State may bring a civil action under the laws of any State if such action is premised in whole or in part upon the defendant violating any provision of this Act.

(2) PROTECTION OF CONSUMER PROTECTION LAWS- This subsection shall not be construed to limit the enforcement of any State consumer protection law by an Attorney General of a State.

(c) Protection of Certain State Laws- This Act shall not be construed to preempt the applicability of–

(1) State trespass, contract, or tort law; or

(2) other State laws to the extent that those laws relate to acts of fraud."

The law would take effect 1 year after enactment, and, interestingly, cease to be in effect 10 years from the date of enactment. 

There is so much to say and discuss about this bill.  It is certainly getting closer to including the types of data protection requirements found in non-U.S. laws. 

However, some general comments about this bill…

  • It is great that a data protection (privacy) law is finally being proposed that would be applicable to all businesses
  • Would help support the establishment of formal information security positions and programs in all industries/businesses
  • Why are data brokers the only businesses required to allow individuals to see their corresponding information that the business possesses?  Probably to avoid what the lawmakers would view as an undue burden on all businesses.  However, healthcare and financial organizations already must allow for this.
  • Requiring breach notification when personal information "has been acquired" could be a huge potential loophole…what does acquired mean?  This could be debatable, even with the provided definitions…it can mean many things depending on who is arguing for or against it.
  • Limiting notification to only "each individual of the U.S." is curious; organizations would be unwise not to treat all their customers equally with regard to notification no matter where they are located.
  • It will be interesting to see what the FTC determines is "excessive cost"  for direct notification.
  • Very importantly, if data is strongly encrypted and the encryption is managed appropriately, then the breach would not need to be reported.  More reason for organizations to use encryption…it’s a great security tool!  This also helps to ensure notices are truly only given when there is real risk to the electronic data.
  • The bill only covers electronic data.  Too bad; many incidents have occurred with printed documents.
  • Notice this bill would preempt the state level breach notification laws.
  • I don’t know why the law would cease to be in effect 10 years after enactment; why is this?  Will there no longer be personal information breaches in 10 years for some reason the general public does not know about?   Very curious indeed…

Technorati Tags

HIPAA, hospitals and law enforcement

Tuesday, March 28th, 2006

I found a story in The News & Observer interesting in its reference to HIPAA.

Apparently a man charged with second-degree murder and felony death by vehicle was sent to the hospital following the accident last October.  However, the hospital released him without notifying law enforcement.  The article reported that the Highway Patrol Sgt. indicated his belief that hospitals do not inform law enforcement of such releases because of HIPAA…that they are afraid of being in noncompliance.  The hospital indicated, however, that law enforcement did not provide the hospital with the man’s name and a copy of his arrest warrant when he was admitted, as is their policy, so they did not know law enforcement wanted to be contacted.  UNC Health Care spokesperson "Crayton added that she is not aware of any cases at UNC where HIPAA rules have gotten in the way of officials being notified of a criminal defendant’s discharge."

Interesting…so is law enforcement trying to use HIPAA as a scapegoat for why the criminal (who was later caught, by the way) was released without their knowledge?  Or, was it just a miscommunication?  I have not read about a tendency for hospitals to not contact law enforcement when criminal patients are released before this printed opinion.

Interesting Laptop Thefts Story

Tuesday, March 28th, 2006

The Twin Cities Pioneer Press had an interesting story about the rise in laptop thefts.  The thieves are apparently targeting rental cars by upscale and trendy restaurants, knowing the probability that executives leave their laptops in the car while they dine.

Since January 2005… "Palo Alto police have fielded 65 reports of stolen laptops." 

WOW!   65 in one city alone…makes you wonder how many are stolen throughout the U.S. and in cities throughout the world…gotta see if there is a way to find this information…

It also referenced the laptop containing HP employee data that was stolen from Fidelity (discussed on this blog on March 23); "The HP employee data was imported onto the laptop for the software demonstration."

Okay…another information security snafu; using live production data for test and demo purposes.  Yes, I know most companies still use production data for testing and demo purposes.  However, there are a growing number of products that can be used to scrub or de-identify data…yes, it takes a bit more time to do than just using live data…but using dummy data for situations such as this is a safeguard that will help keep incidents like this from being even worse than the loss of the hardware.  Plus, it is against the law in some countries to use production data in this manner.

Does your organization have strong mobile computing device security measures in place…and effective training and awareness for the people using them?  Do you have procedures in place for using dummy data for demo and test purposes?

The Eyes in the Skies Are Upon You

Monday, March 27th, 2006

A friend of mine (thanks Alec!) notified me of a site, Windows Live Local, that gives quite a close-up aerial view of people’s homes, in addition to public areas, in growing numbers of locations.

I have few problems with surveillance in public areas…after all, they are public, and they have led to the capture of some very heinous criminals. 

However, peering into backyards and over privacy fences and projecting the images out for the world to see on the Internet is another issue altogether…a huge invasion of privacy, but a sad reality of the largely unregulated-image-use technology that floats everywhere above us.

The Perils of P2P

Monday, March 27th, 2006

On March 22 there were many reports about the Winny "virus" in Japan.   The Antinny worm infects Winny, a P2P file sharing program.  Winny is apparently widely used in Japan.

"Top-secret military information, business documents of hundreds of corporate firms, personal and confidential data related to thousands of patients, complete information of Yahoo shopping mall, high profile information of Liberal Democratic Party and thousands more are all floating currently on the internet, creating an enormous flood of information leakage in Japan."

The Japanese military was ordered to uninstall Winny to address the vulnerability.

"The Self Defense Force of Japan estimates that information drainage has been on, for a staggering two full years!"

An earlier Winny incident was reported March 15; PINs used to enter restricted Japan airports were posted on the Internet using the Winny file-sharing software from an All Nippon Airways airline pilot’s personal computer, on which, for some reason, he had loaded all the PINs.

"In a similar case, PINs stored on a private computer belonging to a pilot of Japan Airlines who had used Winny were inadvertently put on the Internet in December."

How are organizations controlling the P2P software?  Are they even?

Also, why are there continuing to be so many reports of such large volumes of highly confidential information being stored on laptops and other mobile computing devices? 

And not having PINs encrypted both at rest (storage) and in motion (while being transmitted) is simply a bad business decision.

Compliance Is Tough…PIPEDA Compliance Blog

Sunday, March 26th, 2006

I ran across the blog of someone who is apparently trying to comply with some of Canada’s PIPEDA regulation.  If he adds any details to this, it should make interesting reading!

Thought Provoking Paper on Privacy

Saturday, March 25th, 2006

Daniel J. Solove has written a thought-provoking paper, "A Taxonomy of Privacy," available for free download.  I encourage you to download it and think about your own organization’s privacy practices as you read it.

Website operator breaks privacy promises

Friday, March 24th, 2006

A privacy breach incident reported by the Associated Press shows that even with the best security and privacy technology, humans are the weakest, and most unpredictable, link.  Some choose to break legally binding promises, such as those made in website privacy policies.  Gratis Internet sold personal information they gathered at their website even though they promised in their privacy policy that they would not.  "Gratis wrongfully shared as many as 7 million "user records," creating the largest deliberate breach of a privacy policy discovered by U.S. law enforcement."

Interestingly enough, there is currently no privacy policy posted on the Gratis website.

Interesting Statistics on Compliance Costs

Friday, March 24th, 2006

There were some interesting statistics in a Sarbanes Oxley Compliance Journal article yesterday regarding the costs of compliance for various regulations.

"According to Gartner, the average company spends $2 million on SOX, and Accenture says the average bank will spend $61 million on Basel II over the next couple of years."

"Despite the investment being made in compliance, companies are still failing to meet requirements. In fact, only 18% of hospitals and health systems can prove compliance with HIPAA security regulations, according to the AHIMA, and Gartner says two-thirds of all companies found material weakness in controls this year, with audit deficiencies expected to double until 2008."

"Each case of fraud costs companies an average of $15,000, and IT departments spend about 175 hours on remediation after a security incident. Corporations can be held liable, leading to legal debt and other related expenses. Additionally, brand damage resulting from waning consumer trust can cause huge losses in revenue. According to Gartner, by 2006, 20-30% of Global 1000 companies will suffer exposure due to privacy mismanagement. The costs to recover from these mistakes could range from $5-20 million per incident. In addition to legal risks, intellectual property leakage, such as shared trade secrets or pre-announced products, can cost companies millions in lost profits."

The List Keeps Growing…Fidelity Investments Laptop Stolen

Thursday, March 23rd, 2006

My list of laptops stolen or lost keeps growing.  Every day I find a report (no, I have not been blogging about each instance, but they are added to my list), but this one was noteworthy.  A Fidelity Investments laptop containing confidential information on around 200,000 of their customers, those in HP’s pension fund and 401K, was stolen on March 15th.

"Fidelity says there is no evidence that the data has been misused."  There is rarely evidence within 8 days that bad people are doing bad things with confidential personal information.  The smarter bad people typically wait a while, or do bad things in ways that are not readily identified…usually taking advantage of poor security practices within the various organizations where they want to use the personal information fraudulently.

These incidents continue…why can’t organizations learn from the mistakes and incidents of others?  Why do companies allow clear text confidential information to be stored on mobile computing devices that have already been demonstrated to be easily lost and stolen?  Probably to save money…and because no law specifically requires them to, verbatim, "encrypt data on mobile computing devices."  I have heard too many lawyers within organizations say that if the letter of the law does not specifically require a safeguard such as encryption, then they should not do it if it will save the company money.

"It is unusual to have so much information on one laptop, Fidelity spokeswoman Anne Crowley said, but the computer in question was brought to a business meeting by a team of employees."

What does this mean?  No one was accountable?  A group of people are sharing a laptop…why?  Probably to save money.  No accountability to any one person for the security of the laptop that way, either.

"William G. Duserick, vice president and chief privacy officer for Fidelity, recommended in a letter to Hewlett-Packard participants that those affected remain vigilant for the next 12 to 24 months, regularly review account activity and obtain a credit report from one or more of the national credit reporting companies, according to the Worcester Telegram & Gazette, which obtained a copy of the letter." 

So…instead of the company being vigilant and implementing proper security, it is easier to ask the impacted customers to be vigilant.  It is also pretty sad that they are not even purchasing the credit monitoring service for those impacted…I guess that *is* another cost savings, though.  Maybe they will, but you would think this significant tidbit would have been reported.

"Fidelity said the license to the software that contained the data has expired and, as a result, the scrambled data is difficult to interpret. The data is also in a form that is generally "unusable," Fidelity said." 

Well, so many things to say about the expired license issue, but that’s a different topic…

Similar cop-out statements like this are increasingly being used when mobile computing devices are lost and stolen.  The data was not encrypted, it was "difficult to interpret."  If the software used with it is something widely available, then it will likely be very easy to access.  However, it was not reported what software was used, so we don’t know. 

*  Implement security for mobile computing devices
*  Strongly encrypt data on the devices
*  Train people how to protect the devices

Oh, yes, and don’t have group laptops…that’s an incident waiting to happen.
