Posts Tagged ‘compliance’

Heartland Shares Advice on Data Breaches

Monday, August 17th, 2009

Earlier this year, we posted about one of the largest data breaches ever to come to light: the Heartland Payment Systems breach, which affected as many as 100 million payment cards and cost the company $12.6 million in legal costs and fines from MasterCard and Visa.

Heartland CEO Robert Carr is now opening up about the breach, hoping other companies can learn from Heartland’s experience.

Carr explains why he believes the PCI compliance auditors failed the company, why Heartland chose to inform its customers of the breach before the media did, and what other companies can learn from these issues.

Essentially, Carr says the QSA (Qualified Security Assessor) audits of Heartland’s systems were of no value, since they failed to detect the security holes that were later exploited.

“To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn’t even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware.”

Carr was surprised to learn that others knew of this attack vector and that the information had not been shared. He says he now understands the “limitations of PCI” and of the assessment process. The problem with any set of standards, in any industry, is that meeting the prescribed controls can give a company a false sense of security, particularly when the standard is not kept up to date with the attack techniques actually in use. A compliance assessment is a point-in-time check against a fixed list of controls; attackers are not bound by that list. Heartland learned the hard way that, as Carr puts it, “PCI compliance doesn’t mean secure.”

In the rest of the interview, Carr describes how Heartland has spent $32 million upgrading its security at every level, making sure that data is encrypted wherever it resides. Heartland’s best advice to other companies experiencing a breach is to be up front with customers. After the breach, all Heartland employees were instructed to tell customers what it meant for them and to act as the customers’ point of contact, rather than leaving customers to learn about it from the press. “Being candid has been key.”


FTC Extends Enforcement Start on “Red Flags” Rule

Thursday, August 13th, 2009

At the end of July, the Federal Trade Commission (FTC) put out a press release announcing that it would delay enforcement of the “Red Flags” Rule by another three months. The extension was granted because of continued confusion among businesses about the new rule, particularly among small businesses and other small entities.

FTC staff will redouble their efforts to educate these businesses about compliance with the “Red Flags” Rule and will ease compliance by providing additional resources and guidance to clarify which businesses are covered by the Rule and what they must do to comply.

The “Red Flags” Rule, which went into effect on January 1, 2008, requires many businesses and organizations (“creditors” and “financial institutions”) to implement a written Identity Theft Prevention Program. The program must detect early warning signs (red flags) of identity theft, take steps to prevent the crime, and mitigate the damage it could cause. Note that the Rule’s definitions of “financial institution” and “creditor” are broader than the everyday meanings of those terms, so organizations that do not think of themselves as either may still be covered.

Check the FTC site to determine whether the Red Flags Rule applies to your organization, to get practical tips on spotting identity theft, and to learn how to put an Identity Theft Prevention Program in place. Under the revised schedule, the FTC will begin enforcing the “Red Flags” Rule on November 1, 2009.

Hat tip to Hunton & Williams

Federal agency chooses Computrace

Thursday, October 30th, 2008

In addition to the Kent SD case study highlighted here last week, Absolute Software is profiling how a US Federal Government Agency uses Computrace to protect their assets.

In 2006, a Federal agency realized that its higher profile meant it needed to strengthen its existing data and computer security measures. Government regulations also require that data breaches be reported and dealt with quickly. With these two considerations in mind, the agency began a pilot project in 2007 covering 3,500 computers. After the pilot succeeded, it purchased 30,000 Computrace licenses to protect its entire laptop population.

The agency can now inventory computers in the field, report on installed software, and remotely delete classified data from computers that go missing. For more information about Computrace, read here.

For more case studies from Absolute Software, see here.

Healthcare Compliance Courses from HCCS

Friday, September 12th, 2008

Health Care Compliance Strategies (HCCS) this week announced three new versions of its online compliance courses.

HCCS is a provider of online healthcare compliance and competency training. The three courses are:

  • HCCS Professional Compliance
  • Corporate Compliance
  • HIPAA for Health Plans

The courses are aimed at physicians, billing staff and other employees. They cover fraud awareness, coding and documentation, risk areas, how to build a compliance program, provider relationships, HIPAA awareness, electronic transactions, and enforcement.

The courses are updated whenever the relevant rules, regulations, laws or other information change. Given that employees are one of the largest risk factors in any security program, online and interactive courses are a good way to strengthen your training program. Also visit Absolute Software’s website to learn how we can help with healthcare computer security.

—-


And in other news, Absolute Software has added another conference to its schedule – the ASIS 2008 conference in Atlanta, Georgia.

Meet Absolute at the Booth

Location: Booth 2425
Dates: Monday – Wednesday, September 15-17, 2008
Time: 9:00 am – 4:30 pm

Compliance Spending Found Profitable

Friday, August 29th, 2008

The IT Policy Compliance Group (IT PCG) has published its annual report on IT Governance, Risk and Compliance. The 2008 report, which can only be downloaded by members, is based on research conducted with more than 2,600 organizations.

According to the published brief, security and compliance spending can lead to higher profits, lower expenses and improved customer satisfaction. Although many companies dread spending on compliance and security, and some cut those costs despite the risks involved, the report indicates that companies moving up the IT governance, risk and compliance (IT GRC) maturity scale are seeing a high return on their efforts.

IT GRC encompasses practices for delivering greater business value from IT strategy, investment and alignment, as well as for mitigating risk and conforming to compliance mandates. The data shows that IT GRC-mature companies enjoy higher revenues and profits while spending less on regulatory compliance. These practices also reduce the financial impact of a data loss, should one occur: 0.4% of revenue in mature organizations versus 9.6% for less mature companies.

The companies considered most mature were not necessarily large businesses, but those that had effectively adapted security process frameworks to their own operations. Less mature companies tend to over-focus on operational process frameworks.

You can read more about this report at Network World, which has a good overview.
