Archive for the ‘Privacy & Security Laws’ Category

New law requires online safety education

Thursday, October 30th, 2008

The Broadband Data Improvement Act (S.1492) was recently signed into Federal law. The legislation improves the collection of data on broadband availability and funds greater access to high-speed Internet. As part of the new legislation, schools receiving e-Rate discounts on telecommunications services will soon be required to teach students about online safety.

The e-Rate program provides schools with discounts of 20-90% on telecommunication services, including Internet access. The Broadband Data Improvement Act, introduced by Senate Commerce Committee Chairman Daniel Inouye, has a provision that requires the Federal Trade Commission (FTC) to establish a nationwide campaign to “increase public awareness and provide education regarding strategies to promote the safe use of the Internet by children.”

Originally, a separate bill entitled ‘Protecting Children in the 21st Century Act’ was proposed to Congress. The Senate Commerce Committee merged the language of this bill into the Broadband Data Improvement Act, which has now become law. The new law recognizes that education must go hand-in-hand with technology to protect children from online predators.

The Online Safety and Technology Working Group was established, under the legislation, to evaluate online safety education efforts, parental control technologies, and much more. In addition, a section of the Act requires that schools create an Internet safety policy that educates minors “about appropriate online behavior, including interacting with other individuals on social networking websites and in chat rooms and cyberbullying awareness and response.”

I think it is great that steps are being taken to increase the awareness of online safety issues for children.

Via eschoolnews, eweek, consumer affairs, cnet; Image: Microsoft Office Clipart / iStockphoto.com

Consumer Protection Legislation News

Wednesday, October 15th, 2008

There are two pieces of news to report in terms of various consumer data protection acts at the state and national levels.

This month, President Bush signed into law a bill that will make it easier for prosecutors to go after cybercriminals, and for identity theft victims to be compensated. The Identity Theft Enforcement and Restitution Act of 2008 [HR 5938], which passed the Senate in July, removes the $5000 damages floor that was previously required before prosecutors could charge individuals under the federal cybercrime laws.

Identity Theft Enforcement and Restitution Act (HR 5938) would:

  • Give identity theft victims the ability to seek restitution
  • Ensure cyber criminals posing as businesses can be prosecuted
  • Make it a felony to employ spyware or keyloggers that damage 10+ computers
  • Extend cybercrime definitions to include cyberextortion cases
  • Allow prosecution when cybercriminal and victim live in the same state

In other legislative news, the Massachusetts Office of Consumer Affairs and Business Regulation has released a new set of rules requiring companies to encrypt personal data on laptops and monitor employee access to data. These new rules apply to credit card information and Social Security Numbers. Companies and government agencies are required to comply with the new regulations by January 1, 2009.

In August, Governor Patrick signed an identity theft prevention law that requires the reporting of data breaches to the Office of Consumer Affairs and Business Regulation. Since then, 320 breaches have been reported, affecting 625,365 Massachusetts residents. A report outlining the incidents has been released here [PDF].

Via i’ve been mugged, 2, boston globe, washington post; Image: clip art

Schwarzenegger Vetoes Legislation Again

Tuesday, October 14th, 2008

Despite the indications that the Consumer Data Protection Act [PDF] would be passed by California’s Governor Arnold Schwarzenegger, it has been vetoed for the second time. Read the veto here [PDF].

The Consumer Data Protection Act would have required retailers and businesses in California to take more strict steps to protect credit and debit card data, and to disclose more details about data breaches to those affected. The State Assembly and Senate both approved the bill for the second time in 12 months, after modifications had brought it back to a vote.

Governor Schwarzenegger says that he has rejected the bill for the same reasons as before: the belief that the legislature should not interfere with business, and that the bill attempts:

“to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers,” he wrote.

Schwarzenegger believes the payment card industry (PCI) is in a better position to set standards in technology and the marketplace, and believes legislation would create a conflict with private sector standards.

According to Visa, only 45% of large retailers are compliant with current PCI standards, so I would think that the private sector needs some assistance with enforcement.

What’s your opinion on legislation like this? Good or bad?

Thanks to Charles for the tip! Via computerworld, IT business, Washington Post; Image: gov.ca.gov

California Data Protection Bill Goes to Governor

Monday, September 8th, 2008

The Consumer Data Protection Act (AB 1656; PDF) has been put before California’s Governor Arnold Schwarzenegger once again. He vetoed the bill in October 2007, saying the costs for merchants would have been prohibitive. He said that the bill had the “potential for California law to be in conflict with private sector data security standards.”

The bill has now been amended, approved by the Senate by a 74-1 margin, and is headed back to the Governor’s desk for approval. The Consumer Data Protection Act would require that retailers:

  • Take more stringent protection measures
  • Notify consumers about data breaches (provision to reimburse financial institutions for cost of breach removed from the bill)
  • Specify a date range when the data breach was thought to have occurred
  • Not store certain types of cardholder data, even if encrypted
  • Develop data retention & disposal policies
  • Encrypt data transmissions

Given that the financial reimbursement provision has been lifted, it is a much more conservative bill. Still, it is unclear whether Governor Arnold Schwarzenegger will reiterate his position that added security measures should be the responsibility of private governing bodies rather than of the law. Analysts suspect the bill will be approved and that California will lead the way toward other states adopting similar statutes.

Minnesota is currently the only state with a law such as this; its Plastic Card Security Act is stricter than the proposed California bill.

In other security news, Roger Grimes has a very thorough analysis of Google’s new open source browser, Chrome, here.

Hat tip to PogoWasRight; Via ComputerWorld

Blunders That Threaten Your Identity

Monday, August 18th, 2008

ConsumerReports.org posted to Yahoo Finance a great guide for consumers entitled “7 Online Blunders That Threaten Your Identity”. It’s a long article covering common mistakes that lead to identity theft and things you can do to mitigate the risks. In summary, the 7 blunders are:

  1. Assume your security software protects you
    • Software must be activated and updated regularly to be effective.
    • New software bundled with your computer may have an expiry, so be sure to renew.
  2. Access an account via an email link
    • Clicking links embedded in emails is risky (fraud potential), particularly for anything that has to do with financial information. Don’t take the bait to update your password, account number or other information.
    • Forward suspect email to spam@uce.gov and reportphishing@antiphishing.org
  3. Use a single password for all accounts
  • Use a variety of passwords (even variants) of at least 10 characters that mix letters, numbers & symbols (there are more sophisticated password options as well)
  4. Download free software
  5. Think your Mac shields you from all risk
    • Mac users fall for just as many phishing scams. Use Firefox for phishing protection.
  6. Click a pop-up ad that says your computer is insecure
    • 15% of survey respondents click pop-up ads, which can take you to a spyware site or install malware on your computer
  7. Shop online without precautions
    • Use a separate card for Internet shopping and look for https in the URL

All great tips to avoid identity theft and fraud. You can read more of the suggested precautions here.


ID Theft Bill Passes Senate

Monday, August 11th, 2008

The Identity Theft Enforcement and Restitution Act (H.R. 5938) has been amended and was passed by the Senate on July 30, 2008. The bill, championed by Senate Judiciary Committee Chairman Patrick Leahy, was originally introduced and approved by the Senate in November. The bill stalled in the House, and was therefore amended and returned to the House for consideration.

Leahy, who has introduced a number of cyber crime bills (including S. 495, The Personal Data Privacy and Security Act), has combined HR 5938’s cyberattack & identity theft provisions with an amendment that would give Secret Service protection to former US vice presidents. The revised bill has the support of the Department of Justice, the Secret Service, and industry and consumer groups such as the US Chamber of Commerce and the AARP.

Identity Theft Enforcement and Restitution Act (HR 5938) would:

  • Give identity theft victims the ability to seek restitution
  • Ensure cyber criminals posing as businesses can be prosecuted
  • Make it a felony to employ spyware or keyloggers that damage 10+ computers
  • Extend cybercrime definitions to include cyberextortion cases

This legislation would not enact federal data breach notification standards, but it would be a first step in the right direction.

Via SC Magazine

Canadian Information Protection Report 2007

Thursday, July 10th, 2008

The Privacy Commissioner of Canada, Jennifer Stoddart, has released the Annual Report to Parliament 2007, a Report on the Personal Information Protection and Electronic Documents Act (PIPEDA). The report details whether companies are complying with PIPEDA.

The Commissioner has called 2007 the “year of the data breach”, in Canada as well as the rest of the world. The report reminds us that PIPEDA imposes a legal obligation on businesses to safeguard personal data, and that human errors and a “cavalier approach to security” resulted in too many data breaches.

“Businesses recognize the value of personal information to themselves – for targeted marketing campaigns, for example. Unfortunately, this perception doesn’t always translate into security measures up to the job of protecting the information from criminals.”

The report indicates that half of the 37 voluntarily reported data breaches in Canada involved electronically stored data, often held in a format not secured with firewalls or encryption.

An important area of the report addresses global concerns, where data breaches can be cross-border in an international, not just a national, sense. This has vast implications for privacy and for the responses to data breaches. In a similar vein, the trend of private-sector organizations (airlines, banks) collecting personal information on behalf of the state blurs the lines between privacy and security.

“The way we address security needs to reflect our society’s fundamental values – including the right to privacy. We must constantly ask ourselves why we accept the growing shift towards security at the expense of privacy. Is it always justified? Is it irreversible?”

The report points out that information technology was a component of nearly every privacy issue and complaint in 2007, and that the privacy impacts of such technologies must be understood and mitigated by consumers and businesses alike.

Ms. Stoddart has laid out many recommendations in the report about how businesses should comply with the 10 “golden rules” of privacy set out in PIPEDA. In addition to great policy & procedure recommendations, the report urges the Canadian government to adopt breach notification legislation.

“Breach notification offers people a choice. Individuals can decide for themselves how to respond to a breach. One person could decide that it would be a good idea to check her credit report more often. Another person may feel no action is warranted.”

You can read the full report here.

hat tip to Jonathon; via national post

Iowa Passes Breach Law

Monday, June 23rd, 2008

On May 10, Iowa enacted its own breach notification law, becoming the 42nd US state to do so. The bill will come into effect on July 1.

Bill S.F. 2308 requires businesses and government agencies to notify residents if their personal information has been accessed and the access is likely to cause financial harm. Notice is not required if an investigation by law enforcement agencies determines that no financial harm can come of the incident. Encrypted information is not exempt from the notification requirement, unlike in many states. Given that many data breaches can be ruled out if they pose no risk of financial harm, it is my opinion that there will be a lot of public criticism of breaches when they do come to light. Such an investigation will likely delay the breach notification, which inevitably increases public scrutiny after a breach incident.

If you were to plot the adoption of data breach notification laws against time, the remaining states should all adopt their own law by some time in late 2011. Check out the graph here, realizing (of course) that statistics cannot be depended on to accurately gauge when (if ever) all states will adopt such a law.

I think it would be interesting, statistically speaking, to see if the trends in data breaches and legislative maneuvering could predict when one of the many data breach bills would pass at the national level.

Via emergent chaos, electran

HIPAA Examined

Tuesday, June 17th, 2008

Tech News World has done a 2-part series about HIPAA. Part 1: Privacy vs. Portability and Part 2: Seeking Balance. It’s a very well-done examination of the state of the Health Insurance Portability and Accountability Act (HIPAA), some of which I will synthesize below. Given that HIPAA is often misunderstood in basics and in application, it’s a great refresher series.

HIPAA Concerns:

  • There is a push for health information to become more liquid, but the privacy and security framework does not exist yet
  • The technologies being designed now will have a huge impact on how health information is accessed, stored and shared
  • Post-HIPAA privacy and security protections need to be adopted in law and in best practices
  • HIPAA compliance was a heavy burden at its inception, but there has been no proof that HIPAA has in any way had negative effects on patient care
  • Staff training and education must be ongoing for new, and old, employees
  • Continue reading about the concerns here.

HIPAA Myths:

  • That it weakened, rather than strengthened, rights to health information privacy
  • HIPAA is all we need in the digital age
  • HIPAA “covered entities” cover every use of personal health information
  • Check out the full examination of these myths here.


Retailer Breaches Not Disclosed

Thursday, May 29th, 2008

According to a new report from Gartner, many retailers have not reported data breaches to their customers. The study found that 21 of the 50 retailers interviewed have had a data breach, but only 3 of these 21 breaches had been disclosed to the public.

The sample size for the survey is too small to draw firm conclusions about the industry as a whole, but it does highlight a troubling pattern. Gartner analyst Avivah Litan says:

“Sensitive data is being stolen and most of the time it’s not being disclosed. There are a lot more breaches than we hear about.”

This touches not only on the importance of consumer trust, but also on a lack of compliance with data breach regulations that require consumers to be notified. Companies have noticed the bad press that results from such data breach notifications, and they don’t want to call the same attention to themselves.

The survey did not make clear whether the retailers surveyed had broken state laws by not informing customers, but Litan said it was a possibility. Four companies have been fined by credit card companies for not meeting Payment Card Industry compliance requirements, and another 11 were threatened with fines.

In other retailer news, a survey shows that most retailers using card payment technology will not be ready to meet the PCI-DSS Section 6.6 deadline of June 30. This requirement obliges merchants either to have a firewall protecting their web applications or to have completed a web application source code review to ensure vulnerabilities are patched. The main reason retailers cannot meet the deadline is that they don’t understand what they need to be doing, which undermines the purpose of the new legislation.

Via PC World, Finance Week; image: pindiyath100 @morguefile
