Archive for the ‘Privacy & Security Laws’ Category

DuPont Sues Employee for Insider Theft

Monday, September 14th, 2009

Many of us think about protecting our data against the strangers of the world who might be trying to find a way to use our information to their benefit. It can be surprising, therefore, when the breach comes from within our own company (or circle of friends, family, etc.). Unfortunately, DuPont is learning that insider theft is becoming more and more common.

The industrial manufacturing company discovered that one of its employees, a senior research chemist, had transferred confidential files containing trade secrets from his company-issued laptop to an external hard drive.

Immediately, I couldn’t help but wonder why DuPont wouldn’t have some sort of alert in place for when someone attaches an external drive to a company computer. I was further baffled when I learned that this isn’t the first time the company has been through this.

In that earlier case, an employee with 10 years at DuPont gathered information from thousands of documents and scientific abstracts. His mission? To sell the information to rival company Victrex. He ended up being sentenced to 18 months in jail.

Aside from setting up some sort of alert system for when data breaches occur and using laptop security products like Computrace, DuPont (and every other company) has to come to terms with the fact that even people with legitimate access to its information need to be considered potential threats.
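What an alert for “someone attached an external drive” can actually look like, as an added example that is not part of the original post and has nothing to do with DuPont’s own tooling: the script below reads kernel log lines of the kind a Linux laptop writes when a USB device enumerates, correlates the vendor/product IDs from the enumeration line with the later usb-storage line for the same port, and raises an alert for any mass-storage device that is not on an allow-list. The log lines and the allow-list are constructed for the example, not captured from a real machine. Two practitioner caveats: this is a detective control, so it only helps if the log is shipped off the laptop to a collector the user cannot edit, and the preventive control is to block the mass-storage class (or require encryption) at the endpoint, with the alert as the backstop for exceptions.

```python
"""Alert on removable-storage attachment seen in Linux kernel log lines.

Added example; not code from the original post or from any company named
in it. SAMPLE_LOG and APPROVED_DEVICES are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample log, shaped like syslog-wrapped dmesg output. Two devices
# enumerate: an approved hardware token on port 1-2, then an unapproved
# flash drive on port 1-1 that the usb-storage driver claims.
SAMPLE_LOG = """\
Sep 14 09:11:58 lab-laptop kernel: usb 1-2: new full-speed USB device number 3 using xhci_hcd
Sep 14 09:11:58 lab-laptop kernel: usb 1-2: New USB device found, idVendor=1050, idProduct=0407, bcdDevice= 5.43
Sep 14 09:11:58 lab-laptop kernel: hid-generic 0003:1050:0407.0002: hiddev0,hidraw1: USB HID v1.10 Device
Sep 14 09:12:01 lab-laptop kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Sep 14 09:12:01 lab-laptop kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Sep 14 09:12:01 lab-laptop kernel: usb 1-1: Product: Ultra Fit
Sep 14 09:12:01 lab-laptop kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Sep 14 09:12:02 lab-laptop kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
"""

# Assumed allow-list of (idVendor, idProduct) pairs approved for the fleet.
APPROVED_DEVICES = {("1050", "0407")}

TS_HOST = r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: "
NEW_DEVICE = re.compile(
    TS_HOST + r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
PRODUCT = re.compile(r"kernel: usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
MASS_STORAGE = re.compile(
    TS_HOST + r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)


@dataclass
class UsbDevice:
    port: str
    vid: str
    pid: str
    product: str = ""


def detect_removable_storage(log_text, approved=APPROVED_DEVICES):
    """Return one alert dict per mass-storage device not in `approved`.

    The correlation key is the USB port path (e.g. "1-1"): the kernel prints
    it on every line for that device, so the IDs from the enumeration line
    can be attached to the later usb-storage line.
    """
    devices = {}  # port path -> UsbDevice seen enumerating
    alerts = []
    for line in log_text.splitlines():
        m = NEW_DEVICE.match(line)
        if m:
            devices[m["port"]] = UsbDevice(m["port"], m["vid"], m["pid"])
            continue
        m = PRODUCT.search(line)
        if m and m["port"] in devices:
            devices[m["port"]].product = m["name"].strip()
            continue
        m = MASS_STORAGE.match(line)
        if not m:
            continue
        dev = devices.get(m["port"])
        if dev is None:
            # Storage class claimed with no enumeration line in this window:
            # cannot check the allow-list, so alert rather than stay silent.
            alerts.append({"time": m["ts"], "host": m["host"], "port": m["port"],
                           "vid": None, "pid": None, "product": "",
                           "reason": "mass storage without enumeration record"})
            continue
        if (dev.vid, dev.pid) not in approved:
            alerts.append({"time": m["ts"], "host": m["host"], "port": dev.port,
                           "vid": dev.vid, "pid": dev.pid, "product": dev.product,
                           "reason": "unapproved mass-storage device"})
    return alerts


if __name__ == "__main__":
    for a in detect_removable_storage(SAMPLE_LOG):
        print(f"{a['time']} {a['host']} port {a['port']}: {a['reason']} "
              f"({a['vid']}:{a['pid']} {a['product']!r})")
```

Run against the sample, the approved token on port 1-2 is ignored and the flash drive on port 1-1 produces a single alert carrying the vendor/product IDs and product string, which is what a responder needs to decide whether the device is the one in the hardware inventory. In a real deployment the same function would be fed by whatever ships the kernel log off the host, and the allow-list would come from the asset register rather than a constant.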

image: www.sxc.hu

Facebook Beefs Up Security

Wednesday, September 9th, 2009

In August, we wrote that the Canadian Government had given Facebook 30 days to comply with 24 aspects of Canada’s Personal Information Protection and Electronic Documents Act or enforcement by the Federal Court may be requested.

On August 27, the Office of the Privacy Commissioner held a news conference to announce progress in the Facebook investigation. Facebook has also released a news brief.

Facebook has announced that it will be making changes to its API, the interface third-party services use to request information from Facebook and its users. The changes would require application developers to specify which pieces of information they would like to access in a user profile and why. Users will also be able to deny access to specific pieces of information. Up until now, the nearly 1 million application developers had almost unrestricted access to profile information.

As many have rightly pointed out, it seems contradictory to participate in a social network and to then attempt to restrict access to some or all of your personal information.

To us at the Office, users should have the chance to find out what information is being collected by the social networking site or a third-party application, and for what reason. Third-party applications have long been a concern to members of the privacy advocacy community, since they have had relatively free access to the information stored in your Facebook profile.

I’m incredibly happy that the Canadian government undertook this privacy investigation. After all, the changes that Canada is requiring of Facebook will not only make the site safer for Canadians but for all Facebook users. These changes, and others requested by the Commissioner, may take months to implement. That said, the Privacy Commissioner is “satisfied Facebook is on the right path to addressing the privacy gaps on its site.”

For a full outline of the issues that the Canadian government brought up, and Facebook’s response, read here.

FTC Extends Enforcement Start on “Red Flags” Rule

Thursday, August 13th, 2009

At the end of July, the Federal Trade Commission (FTC) put out a press release announcing that it would delay enforcement of the “Red Flags” Rule by another three months. The extension was granted because of continued confusion about the new rule among businesses, particularly small businesses and other small entities.

The Federal Trade Commission staff will redouble its efforts to educate them about compliance with the “Red Flags” Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply.

The “Red Flags” Rule, which went into effect on January 1, 2008, requires many businesses and organizations to implement a written Identity Theft Prevention Program. The program must detect the early warning signs (red flags) of identity theft, take steps to prevent the crime, and mitigate any damage it causes. The Rule applies to “financial institutions” and “creditors”, but it defines both terms more broadly than their everyday meaning, which is why many businesses are unsure whether they are covered.

Check out the FTC site to determine whether the Red Flags Rule applies to your organization, to get practical tips on spotting identity theft, and to learn how to put your Identity Theft Prevention Program in place. With this extension, the FTC will begin enforcing the “Red Flags” Rule on November 1, 2009.

Hat tip to Hunton & Williams

Canadian Government Pushes for Facebook Privacy Changes

Tuesday, August 11th, 2009

Last month, Canada’s Privacy Commissioner released a statement about Facebook and its compliance with Canadian privacy laws. The statement is the result of a study into allegations by the Canadian Internet Policy and Public Interest Clinic that Facebook was not complying with 24 aspects of Canada’s Personal Information Protection and Electronic Documents Act. These aspects included default privacy settings, collection and use of personal information, and disclosure of personal information to third parties. Some of the findings concluded that the allegations were not well-founded, while others were supported.

The Commissioner’s Report of Findings asks Facebook to strengthen its privacy protections. The press briefing included some praise for Facebook’s current privacy measures, though many areas were identified for improvement.

Areas of requested improvement include:

  • Improving information about privacy practices (example: information on deactivating vs deleting an account)
  • Improving safeguards that restrict outside developers from accessing unnecessary profile information
  • Deleting personal information after it is no longer necessary to meet appropriate needs (to comply with Canadian law)

Facebook made some improvements to their privacy measures when provided with an interim report; they now have 30 days (from July 16) to respond to the full report.

Facebook has agreed to adopt many of the recommendations stemming from the Privacy Commissioner’s investigation or, in some cases, has proposed reasonable alternatives to the measures recommended. However, there remain a number of recommendations that Facebook has not yet agreed to implement.

The Privacy Commissioner is empowered to go to Federal Court to seek that the recommendations be enforced. So, it may be that Canada’s report helps to strengthen Facebook privacy standards for all Facebook users!

Via internet evolution

Missouri Signs Data Breach Legislation

Thursday, July 23rd, 2009

Missouri has become the 45th state to enact data breach notification legislation! On July 9th, Missouri Governor Jay Nixon signed House Bill 62 into law; it goes into effect on August 28, 2009. Though House Bill 62 bundles a number of different provisions into one law, it contains a section on security breaches.

The new law requires that individuals be notified when their personal information is breached. It defines personal information broadly, to include not just financial information or Social Security numbers in combination with a name, but also any unique electronic identifier or medical information.

The law also requires that the Missouri Attorney General and the national consumer reporting agencies be notified if a breach affects more than 1,000 individuals. Civil penalties for violating the statute may reach $150,000 per breach.

Via digestible law

HITECH Act Strengthens Health Privacy Requirements

Friday, July 10th, 2009

The Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law in February 2009, comes into effect on February 17, 2010. In addition to encouraging doctors and hospitals to adopt electronic health record systems, the Act strengthens the privacy requirements already mandated by HIPAA.

Some of the changes that HITECH will mandate, in regards to privacy requirements, include:

  • Definition of Protected Health Information (PHI) expanded
  • Stronger data breach notification requirements
  • Increased penalties for HIPAA violations and more aggressive enforcement, including criminal cases
  • Subjects business associates to civil and criminal penalties for violating HIPAA requirements
  • Defined guidelines on how to protect PHI

In terms of data breaches, HITECH requires that individuals be notified if their PHI has been accessed while unsecured: unencrypted, or not deleted from a computer using a method that meets the standard (such as the Computrace Data Delete feature). The Act requires that the individual be notified even if identity theft is not probable, a much stronger requirement than many state notification laws impose.

Though the effective date for HITECH is not until February 2010, in August of this year the US Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) will synchronize their respective regulations and issue interim final rules.

Healthcare organizations will need to address the new HITECH requirements by strengthening their data security measures. Computerworld has put together 5 Steps to HITECH Preparedness that is well worth reading.

Image: clipart

California Senate Passes Breach Law

Wednesday, May 20th, 2009

The California State Senate has approved a bill requiring companies to provide victims of a data breach with additional information.

The bill, SB-20, would require that companies tell customers what type of personal information was breached and when the breach occurred. Existing law requires only that companies say that a breach has occurred.

“No one likes to get the news that information about them has been stolen, but when it happens, people are entitled to get a notice they can understand, and that helps them decide what to do next. The premise is simple. What you don’t know can hurt you. Ignorance is not bliss. And you can’t protect yourself if you don’t know you’re at risk.”

More than 40 states currently have breach notification laws; this is one more step California has taken to protect consumer information. The bill’s author, Democratic Senator Joe Simitian, argues that detailed notifications matter not just for consumers but also for law enforcement, which needs them to understand the patterns behind data theft.

SB-20 now goes to the state Assembly for approval before it can be finalized. Learn more about SB-20 here. Computrace can help you identify what information was breached. Find out how Computrace can help

Via SC Magazine, CSO Online ; Image: Clip Art

White House Talks Cybersecurity

Monday, April 27th, 2009

Melissa Hathaway, who was appointed earlier this year to conduct a 60-day review of the U.S. Government’s cybersecurity efforts, presented at the RSA Conference on information security, with the report itself set to be released in a few days.

Hathaway notes that our global digital infrastructure is neither secure nor resilient, because it has been driven by interoperability and efficiency rather than security. She notes that previous attempts at cybersecurity have been made in isolation and have failed, and that the Federal government is not organized to address this growing issue because responsibilities for cyberspace are distributed widely across federal departments and agencies.

During the 60-day review, the cybersecurity team identified 250 needs, tasks and recommendations for a national cybersecurity plan. The recommendations outline a top-down approach, with the White House leading the way and overseeing and working with other government agencies, State and local stakeholders, academia and industry.

Protecting cyberspace requires strong vision and leadership and will require changes in policy, technology, education, and perhaps law. We need to demonstrate abroad and here at home that the United States takes cyberspace issues, policies, and activities seriously. Achieving this vision requires leadership and commitment from the highest levels of government, industry, and civil society.

Here’s a video of Hathaway’s speech:

The speech, if somewhat repetitive and padded with political fluff, does hint at many changes to come. Almost nothing has been specified yet, and many are critical of it. Let’s hope the report released in a few days is more specific. Mustering resources at the national and international level, across the government and private sectors, won’t be an easy task!

Download Melissa Hathaway’s prepared remarks here [PDF]

New Cybersecurity Legislation Proposed

Monday, April 20th, 2009

A new national cybersecurity bill is being introduced in the Senate by Senator Rockefeller (Chairman of the Committee on Commerce, Science, and Transportation) and Senator Snowe. The bill would create the Office of the National Cybersecurity Advisor within the Executive Office of the President, an advisory position that would report directly to the President and serve as lead on all cyber matters. This position would coordinate with the intelligence community as well as civilian agencies.

The new cybersecurity legislation proposes additional changes to address issues of cyber crime, global cyber espionage and cyber attacks.

“I believe Congress must bring new high-level governmental attention to develop a fully integrated, thoroughly coordinated, public-private partnership to our cybersecurity efforts in the 21st century.” – Senator Rockefeller

The Rockefeller-Snowe initiative would include provisions for:

  • Raising the profile of cybersecurity within the Federal government, including the aforementioned Office plus a comprehensive national strategy, a quadrennial cybersecurity review and a threat and vulnerability assessment
  • Promoting public awareness and protecting civil liberties, including a legal review of the statutory and regulatory framework applicable, changes required, and a report on identity management and civil liberties
  • Remaking the relationship between government and the private sector on cybersecurity, including a public-private clearinghouse for cyber threat and vulnerability information sharing, an Advisory Panel, enforceable cybersecurity standards, licensing for cybersecurity professionals, State and regional cybersecurity centers for small and medium-sized businesses, and more
  • Fostering innovation and creativity in cybersecurity to develop long-term solutions, including increased recruitment for students into cybersecurity, increased funding for R&D, and an attempt to place a dollar value on cybersecurity risk

Read more about the new cybersecurity legislation being proposed here.

Via SecurityFocus ; Image: clipart

3 Reasons for Breach Notification Laws

Monday, February 2nd, 2009

Bruce Schneier has put together an excellent post about why we need Federal breach notification laws (something I stand behind as well). His post opens with three reasons why we should have breach notification laws:

  1. It’s polite to tell someone if you lose something of theirs
  2. It provides stats to security researchers about the scope of the issue
  3. It forces companies to improve security

The third point rests on the premise that companies forced to bear the costs of data breaches (both intangible, in lost trust, and tangible, in notification costs) would take extra steps to protect that data. Schneier references a study by researchers at Carnegie Mellon University that seeks to determine whether data breach disclosure laws have reduced identity theft. The study found only a 2% decrease, on average, in identity theft for states with disclosure laws versus those without.

Schneier points out that the study can’t be relied on for this question. Since more data breaches are reported now than five years ago, notification laws or not, it’s difficult to compare “before and after” data. He also raises a number of other issues: ineffective security improvements, the types of data breaches involved, the reduction of the “shaming” effect, and more.

A recent study by the Ponemon Institute, sponsored by PGP, now puts the cost of a data breach at $202 per record. Schneier believes, however, that the hard cost of breach notification is no longer as effective an incentive as it once was. Yet he argues that the other points still merit the law:

“Disclosure is important, but it’s not going to solve identity theft… The reason theft of personal information is common is that the data is valuable once stolen. The way to mitigate the risk of fraud due to impersonation is not to make personal information difficult to steal, it’s to make it difficult to use.”

Breach notification laws deal with only one side of the identity theft problem. Schneier argues that further laws are needed to stop financial institutions from granting credit on the basis of minimal personal information.

And if you’ve ever left your computer on while you stepped away from it, or if you’ve ever forgotten to log out of secure systems, this should stop you from that habit. Someone like Jeff may be nice enough to teach you a hard lesson – but more than likely, someone will do something far worse.

Image: xenia / morguefile
