Archive for the ‘Privacy & Security Laws’ Category

Cybersecurity Plan Declassified

Thursday, March 11th, 2010

The Obama administration has declassified and published part of its cybersecurity plan. The White House says Obama has “identified cybersecurity as one of the most serious economic and national security challenges” facing the US, and appointed Howard A. Schmidt as cybersecurity coordinator last year. Schmidt made the declassification announcement at the RSA Security Conference.

Schmidt says there are about 40 legal questions surrounding the cybersecurity initiative that the government is still working through. The initiative is meant to protect US networks – military, civilian and government networks, as well as infrastructure systems – and to combat cyberwarfare.

The declassified plan includes information on Einstein 2 and 3, the intrusion detection (and, for Einstein 3, intrusion prevention) systems deployed on federal networks to detect potential threats. Wired does a good job discussing the privacy and civil liberty issues surrounding these deployments. The plan outlines several initiatives that are part of the Comprehensive National Cybersecurity Initiative (CNCI) – see the outline here.

Cybersecurity Research Bill Passes House

Thursday, February 18th, 2010

The U.S. House of Representatives has passed a new cybersecurity research bill that would enable the US government to better deal with cyberattacks.

The Cyber Security Research and Development Act of 2009 (HR 4061) would create new research and education programs at the National Science Foundation and the National Institute of Standards and Technology to promote research in cybersecurity and to attract more teachers and students to the field.

“This bill will help improve the security of cyberspace by ensuring federal investments in cybersecurity are better focused, more effective, and that research into innovative, transformative security technologies is fully supported,” said Symantec CTO Mark Bregman. “HR 4061 represents a major step forward towards defining a clear research agenda that is necessary to stimulate investment in both the private and academic worlds, resulting in the creation of jobs in a badly understaffed industry.”

Aside from the research and education programs, the bill would establish an awareness program to help consumers, organizations and government bodies keep their computers secure. NIST would also be tasked with improving the development of identity management systems used to control access to buildings, networks and data.

If the bill becomes law, NIST would have one year to deliver a plan to Congress on how it would participate in creating international cybersecurity standards, and 90 days to deliver a plan for its cybersecurity awareness program.

Via CNet & opencongress

TJX Sniffer Creator Sentenced

Tuesday, December 29th, 2009

Stephen Watt, the 25-year-old who admitted to providing the “sniffer” program used to capture the credit card numbers in the TJX breach, has been sentenced to 2 years in prison and 3 years of supervised release. In addition, he will have to pay over $170 million in restitution.

Watt was not the leader of the attack that was perpetrated against TJX. That man, Albert Gonzalez, is awaiting his sentence, which could be more than 17 years in prison. Gonzalez and Watt, however, were known friends. The code that Watt created was found stored on a server leased by Gonzalez. The server contained 16.3 million stolen card numbers with another 27.5 million found on an alternate server.

Do you think that Watt received a fair sentencing for his role in one of history’s largest data breaches? Do you think that the fines / sentences associated with data breaches are adequate?

Via SC Magazine, CGI Security, Wired

Does Google Care About Your Privacy?

Monday, December 14th, 2009

Last week, Google CEO Eric Schmidt made some comments that raised more than a few eyebrows. During an interview with CNBC, Schmidt was asked whether it is a good idea for users to share their information with Google. His response was: “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”

While I can appreciate his intention, it is a pretty risky thing to say when you are the CEO of a search engine.  His comments seem particularly unreasonable when you consider how upset Schmidt was when CNET reporters found out about his salary, donations and other personal information and included their findings in a published article. 

In response to this, Schmidt blacklisted the reporters from Google.  The ironic thing is that they obtained all of their information by searching Google.

Bruce Schneier, security technologist and author, has a well-thought-out response that’s worth reading. It touches on the differences between “security versus privacy” and “liberty versus control”. In my opinion, privacy isn’t just about not sharing things that I’ve done wrong; it can also be about ruining surprises, revealing embarrassing facts and other, more benign things. It isn’t just about things that we want to hide for fear of punishment. Look at Schmidt’s reaction to having his own information shared without his express permission. Not everyone wants the details of their salary known to everyone, and why should they not have any control over that?

What do you think about what he said and how it relates to Google’s understanding of privacy? 

image: Google

DuPont Sues Employee for Insider Theft

Monday, September 14th, 2009

Many of us think about protecting our data against strangers who might be trying to find a way to use our information to their benefit. It can be surprising, therefore, when the breach comes from within our own company (or circle of friends, family, etc.). Unfortunately, DuPont is learning that insider theft is becoming more and more common.

The industrial manufacturing company discovered that one of their employees, a senior research chemist, transferred confidential files containing trade secrets from his company-issued laptop to an external hard drive.

Immediately, I couldn’t help but wonder why DuPont wouldn’t have some sort of alert in place in case someone tried to attach a hard drive to company computers.  I was further baffled when I learned that this isn’t the first time they’ve been through this. 

After 10 years with DuPont, an employee gathered information from thousands of documents and scientific abstracts.  His mission?  To sell the information to rival company, Victrex.  He ended up being sentenced to 18 months of jail time.

Aside from setting up some sort of alert system for when data breaches occur and using laptop security products like Computrace, DuPont (and other companies) have to work around the fact that even people with legitimate access to their information need to be considered potential threats.
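As an illustration of the kind of alert wondered about above, here is an added example (not DuPont’s tooling, and not code from this blog) that correlates Linux kernel syslog lines into removable-storage attach alerts and flags any device that is not on an allowlist of company-issued drives. The hostname, timestamps and vendor/product IDs in the sample log are constructed for the example, and `approved` is a hypothetical allowlist.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines (not real DuPont logs): a SanDisk flash drive
# and a USB mouse attached to a laptop. IDs and hostname are illustrative.
SAMPLE_SYSLOG = """\
Sep 14 09:12:01 lab-laptop-07 kernel: usb 1-2: new high-speed USB device number 5 using xhci_hcd
Sep 14 09:12:01 lab-laptop-07 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5583
Sep 14 09:12:01 lab-laptop-07 kernel: usb 1-2: Product: Ultra Fit
Sep 14 09:12:01 lab-laptop-07 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Sep 14 09:12:02 lab-laptop-07 kernel: sd 6:0:0:0: [sdb] 60062500 512-byte logical blocks: (30.8 GB/28.6 GiB)
Sep 14 09:12:03 lab-laptop-07 kernel: usb 1-3: New USB device found, idVendor=046d, idProduct=c077
Sep 14 09:12:03 lab-laptop-07 kernel: input: Logitech USB Optical Mouse as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/input/input12
Sep 14 09:15:44 lab-laptop-07 kernel: usb 1-2: USB disconnect, device number 5
"""

HEADER = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$")
NEW_DEVICE = re.compile(r"^usb (?P<port>[\d.-]+): New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT = re.compile(r"^usb (?P<port>[\d.-]+): Product: (?P<name>.*)$")
STORAGE = re.compile(r"^usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


@dataclass
class StorageAttach:
    timestamp: str
    host: str
    port: str
    vid: str
    pid: str
    product: str


def parse_storage_attaches(lines):
    """Correlate the per-port 'New USB device found' and 'Product:' lines with
    the later usb-storage line, so each alert carries host, port, vendor and
    product. Non-storage devices (the mouse) never reach the usb-storage line
    and are dropped."""
    pending = {}  # (host, port) -> partially filled record
    events = []
    for line in lines:
        m = HEADER.match(line)
        if not m:
            continue
        ts, host, msg = m["ts"], m["host"], m["msg"]
        nd = NEW_DEVICE.match(msg)
        if nd:
            pending[(host, nd["port"])] = StorageAttach(ts, host, nd["port"], nd["vid"], nd["pid"], "")
            continue
        pr = PRODUCT.match(msg)
        if pr and (host, pr["port"]) in pending:
            pending[(host, pr["port"])].product = pr["name"]
            continue
        st = STORAGE.match(msg)
        if st:
            rec = pending.pop((host, st["port"]), None)
            if rec is None:  # storage line without a preceding enumeration line
                rec = StorageAttach(ts, host, st["port"], "????", "????", "")
            rec.timestamp = ts  # report the moment the storage driver bound
            events.append(rec)
    return events


def unapproved_storage(lines, approved):
    """approved: set of (vid, pid) pairs for company-issued (e.g. encrypted) drives."""
    return [e for e in parse_storage_attaches(lines) if (e.vid, e.pid) not in approved]


def format_alert(e):
    return (f"ALERT {e.host} {e.timestamp}: removable storage {e.vid}:{e.pid} "
            f"({e.product or 'unknown'}) attached on usb {e.port}")


if __name__ == "__main__":
    # Hypothetical allowlist: one approved corporate drive model, not the SanDisk.
    for e in unapproved_storage(SAMPLE_SYSLOG.splitlines(), approved={("0951", "1666")}):
        print(format_alert(e))
```

An alert like this is detective only: it tells you who plugged in what and when, which is enough to answer the question above, but it does not stop the copy. Blocking the mount for non-allowlisted devices (a udev rule or a device-control agent) is the preventive half, and the vendor/product allowlist is easy to spoof, so treat it as a convenience filter rather than an authentication of the device.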

image: www.sxc.hu

Facebook Beefs Up Security

Wednesday, September 9th, 2009

In August, we wrote that the Canadian Government had given Facebook 30 days to comply with 24 aspects of Canada’s Personal Information Protection and Electronic Documents Act or enforcement by the Federal Court may be requested.

On August 27, the Office of the Privacy Commissioner held a news conference to announce progress in the Facebook investigation. Facebook has also released a news brief.

Facebook has announced that it will be making changes to its API, the interface third-party services use to request information from Facebook and its users. The changes would require application developers to specify which pieces of information they would like to access in a user profile and why. Users will also be able to deny access to specific pieces of information. Up until now, the nearly 1 million application developers had almost unrestricted access to profile information.
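To make the described permission model concrete, here is an added example (not Facebook’s code or API) contrasting the old behaviour, where any installed application could read whatever it asked for, with a scoped fetch in which a profile field is returned only if the application declared it with a purpose and the user granted it. The profile record, the application manifest and the user grant are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample profile (not a real Facebook record).
PROFILE = {
    "name": "Pat Example",
    "email": "pat@example.org",
    "birthday": "1984-03-09",
    "friends": ["Sam", "Alex"],
    "photos": ["p1.jpg", "p2.jpg"],
}


@dataclass
class AppManifest:
    """What a third-party app declares up front: each field it wants and why."""
    app_id: str
    requested: dict  # field name -> stated purpose shown to the user


@dataclass
class UserGrant:
    """What the user actually approved for that app; may be a strict subset."""
    app_id: str
    allowed: set


class PermissionDenied(Exception):
    pass


def old_style_fetch(profile, fields):
    """Pre-change behaviour: an installed app gets whatever it asks for."""
    return {f: profile[f] for f in fields if f in profile}


def consent_prompt(manifest):
    """The per-field prompt the user sees before deciding what to allow."""
    return [f"{field}: {purpose}" for field, purpose in manifest.requested.items()]


def scoped_fetch(profile, manifest, grant, fields):
    """Post-change behaviour: a field is returned only if the app declared it
    (with a purpose) AND the user granted it. Asking for an undeclared field is
    a developer error and fails loudly; a user-denied field is simply omitted,
    so the app degrades gracefully instead of crashing on missing data."""
    if grant.app_id != manifest.app_id:
        raise PermissionDenied("grant was issued to a different app")
    undeclared = sorted(f for f in fields if f not in manifest.requested)
    if undeclared:
        raise PermissionDenied(f"fields never declared in manifest: {undeclared}")
    return {f: profile[f] for f in fields if f in grant.allowed and f in profile}


if __name__ == "__main__":
    # Hypothetical quiz app: declares three fields, user allows only two.
    quiz = AppManifest("quiz-app", {
        "name": "to greet you",
        "birthday": "to work out your star sign",
        "friends": "to show which friends played",
    })
    print("\n".join(consent_prompt(quiz)))
    grant = UserGrant("quiz-app", {"name", "friends"})
    print("old:", old_style_fetch(PROFILE, ["name", "birthday", "email"]))
    print("scoped:", scoped_fetch(PROFILE, quiz, grant, ["name", "birthday", "friends"]))
```

The two failure modes are deliberately different: an undeclared field is refused with an error, because the developer should have declared it (and stated a purpose) in the manifest, while a declared-but-denied field is silently left out, because that is the user’s choice and the application has no business distinguishing “denied” from “not set”.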

As many have rightly pointed out, it seems contradictory to participate in a social network and to then attempt to restrict access to some or all of your personal information.

To us at the Office, users should have the chance to find out what information is being collected by the social networking site or a third-party application, and for what reason. Third-party applications have long been a concern to members of the privacy advocacy community, since they have had relatively free access to the information stored in your Facebook profile.

I’m incredibly happy that the Canadian government undertook this privacy investigation. After all, the changes that Canada is requiring of Facebook will not only make the site safer for Canadians but for all Facebook users. These changes, and others requested by the Commissioner, may take months to implement. That said, the Privacy Commissioner is “satisfied Facebook is on the right path to addressing the privacy gaps on its site.”

For a full outline of the issues that the Canadian government brought up, and Facebook’s response, read here.

FTC Extends Enforcement Start on “Red Flags” Rule

Thursday, August 13th, 2009

At the end of July, the Federal Trade Commission (FTC) put out a press release announcing that they would be extending the enforcement of the “Red Flags” Rule by another three months. This extension was granted based upon continued confusion from businesses about this new rule, particularly small businesses and entities.

The Federal Trade Commission staff will redouble its efforts to educate them about compliance with the “Red Flags” Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply.

The “Red Flags” Rule, which went into effect on January 1, 2008, requires many businesses and organizations that qualify as “creditors” or “financial institutions” to implement a written Identity Theft Prevention Program. The program should detect early warning signs (red flags) of identity theft, take steps to prevent the crime, and mitigate the damage it could cause. Note that the Rule’s definitions of “financial institution” and “creditor” are considerably broader than the everyday meanings of those terms, which is the source of much of the confusion.

Check out the FTC site to determine if the Red Flags Rule applies to your organization, to get practical tips on spotting identity theft, and to learn how to put your ID Theft Prevention program into place. Based on this revised effort, the FTC will begin enforcement of the “Red Flags” rule on November 1, 2009.

Hat tip to Hunton & Williams

Canadian Government Pushes for Facebook Privacy Changes

Tuesday, August 11th, 2009

Last month, Canada’s Privacy Commissioner released a statement about Facebook and its compliance with Canadian privacy laws. The statement is the result of a study into allegations by the Canadian Internet Policy and Public Interest Clinic that Facebook was not complying with 24 aspects of Canada’s Personal Information Protection and Electronic Documents Act. These aspects included default privacy settings, collection and use of personal information, and disclosure of personal information to third parties. Some of the findings concluded that the allegations were not well-founded, while others were supported.

Alongside its Report of Findings, Canada has asked Facebook to strengthen its privacy protections. The press briefing included some praise for Facebook’s current privacy measures, though many areas were identified for improvement.

Areas of requested improvement include:

  • Improving information about privacy practices (example: information on deactivating vs deleting an account)
  • Improving safeguards that restrict outside developers from accessing unnecessary profile information
  • Deleting personal information after it is no longer necessary to meet appropriate needs (to comply with Canadian law)

Facebook made some improvements to their privacy measures when provided with an interim report; they now have 30 days (from July 16) to respond to the full report.

Facebook has agreed to adopt many of the recommendations stemming from the Privacy Commissioner’s investigation or, in some cases, has proposed reasonable alternatives to the measures recommended. However, there remain a number of recommendations that Facebook has not yet agreed to implement.

The Privacy Commissioner is empowered to go to Federal Court to seek that the recommendations be enforced. So, it may be that Canada’s report helps to strengthen Facebook privacy standards for all Facebook users!

Via internet evolution

Missouri Signs Data Breach Legislation

Thursday, July 23rd, 2009

Missouri has become the 45th state to enact data breach notification legislation! On July 9th, Missouri Governor Jay Nixon signed House Bill 62 into law; the law goes into effect on August 28, 2009. Though House Bill 62 bundles a number of different provisions into one law, it contains a section on security breaches.

The new data breach notification law requires that individuals be notified when their personal information is breached. The law defines personal information broadly: not just financial information or Social Security numbers in combination with names, but also any unique electronic identifier or medical information.

The law also requires that the Missouri Attorney General and the national consumer reporting agencies be notified if a breach affects more than 1,000 individuals. Civil penalties for violating the statute may reach $150,000 per breach.

Via digestible law

HITECH Act Strengthens Health Privacy Requirements

Friday, July 10th, 2009

The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was signed into law in February 2009, will come into effect on February 17, 2010. This new Act, in addition to encouraging doctors and hospitals to use electronic health care records systems, changes privacy requirements. The new privacy requirements strengthen those requirements already mandated by HIPAA.

Some of the changes that HITECH will mandate, in regards to privacy requirements, include:

  • Expanded definition of Protected Health Information (PHI)
  • Stronger data breach notification requirements
  • Increased penalties for HIPAA violations and more aggressive enforcement, including criminal cases
  • Business associates made directly subject to civil and criminal penalties for violating HIPAA requirements
  • Defined guidelines on how to protect PHI

In terms of data breaches, HITECH requires that individuals be notified if their PHI has been accessed and that information was unsecured: unencrypted, or not deleted from a computer using a method that meets the standard (such as the Computrace Data Delete feature). The act requires that vendors notify the individual of the breach even if identity theft is not probable, which is a much stronger requirement than many State notification laws impose.

Though the effective date for HITECH is not until February, 2010, in August of this year the US Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) will synchronize their respective regulations and issue interim final regulations.

Healthcare organizations will need to address these new HITECH requirements by strengthening their data security measures. Computerworld has put together 5 Steps to HITECH Preparedness that’s very worth the read.

Image: clipart
