Posts Tagged ‘legislature’

FTC Extends Enforcement Start on “Red Flags” Rule

Thursday, August 13th, 2009

At the end of July, the Federal Trade Commission (FTC) put out a press release announcing that they would be extending the enforcement of the “Red Flags” Rule by another three months. This extension was granted based upon continued confusion from businesses about this new rule, particularly small businesses and entities.

The Federal Trade Commission staff will redouble its efforts to educate them about compliance with the “Red Flags” Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply.

The “Red Flags” Rule, which went into effect on January 1, 2008, requires many businesses and organizations (“creditors” and “financial institutions”) to implement a written Identity Theft Prevention Program. This program should detect early warning signs (red flags) of identity theft, take steps to prevent the crime, and mitigate damage that could be caused by it. The Red Flags Rule applies to “financial institutions” and “creditors,” though those terms apply more broadly than in typical use.

Check out the FTC site to determine if the Red Flags Rule applies to your organization, to get practical tips on spotting identity theft, and to learn how to put your ID Theft Prevention program into place. Based on this revised effort, the FTC will begin enforcement of the “Red Flags” rule on November 1, 2009.

Hat tip to Hunton & Williams

Missouri Signs Data Breach Legislation

Thursday, July 23rd, 2009

Missouri has become the 45th state to enact data breach notification legislation! On July 9th, Missouri Governor Jay Nixon signed House Bill 62 into law; the law will go into effect on August 28, 2009. Though House Bill 62 deals with a number of different provisions in one law, it contains a section on security breaches.

The new data breach notification law requires that individuals be notified when their personal information is breached. The new law broadly defines personal information to include not just financial information or Social Security numbers in combination with names, but also any unique electronic identifier or medical information.

The new law requires that the Missouri Attorney General and national consumer reporting agencies be notified if the breach affects more than 1,000 individuals. Civil penalties for violating the statute may reach up to $150,000 per breach.

Via digestible law

HITECH Act Strengthens Health Privacy Requirements

Friday, July 10th, 2009

The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was signed into law in February 2009, will come into effect on February 17, 2010. This new Act, in addition to encouraging doctors and hospitals to use electronic health care records systems, changes privacy requirements. The new privacy requirements strengthen those requirements already mandated by HIPAA.

Some of the changes that HITECH will mandate, in regards to privacy requirements, include:

  • Definition of Personal Health Information (PHI) expanded
  • Stronger data breach notification requirements
  • Increased penalties for HIPAA violations and more aggressive enforcement, including criminal cases
  • Subjects business associates to civil and criminal penalties for violating HIPAA requirements
  • Defined guidelines on how to protect PHI

In terms of data breaches, HITECH will require that individuals be notified if their PHI has been accessed and that information was unsecured, unencrypted, or not deleted from a computer using a method that meets the standard (such as the Computrace Data Delete feature). The act requires that vendors notify the individual of the breach even if identity theft is not probable, which is a much stronger requirement than many State notification requirements.

Though the effective date for HITECH is not until February 2010, in August of this year the US Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) will synchronize their respective regulations and issue interim final regulations.

Healthcare organizations will need to address these new HITECH requirements by strengthening their data security measures. Computerworld has put together 5 Steps to HITECH Preparedness that is well worth the read.

Image: clipart

California Senate Passes Breach Law

Wednesday, May 20th, 2009

The California State Senate has approved a new law requiring companies to provide victims of a data breach with additional information.

The new law, SB-20, would require that companies tell customers what type of personal information was breached and when the breach occurred. The previous law required only that companies say that a breach had occurred.

“No one likes to get the news that information about them has been stolen, but when it happens, people are entitled to get a notice they can understand, and that helps them decide what to do next. The premise is simple. What you don’t know can hurt you. Ignorance is not bliss. And you can’t protect yourself if you don’t know you’re at risk.”

Over 40 states currently have breach notification laws, though this is just one added step that California has taken to protect consumer information. Simitian argues that requiring detailed notifications is not just important for consumers, but also for law enforcement in order to get an understanding of the patterns associated with data theft.

SB-20 was introduced by Democrat Senator Joe Simitian. The new bill is up for approval by the state Assembly before it is finalized. Learn more about SB-20 here. Computrace can help you identify what information was breached. Find out how Computrace can help.

Via SC Magazine, CSO Online ; Image: Clip Art

New Cybersecurity Legislation Proposed

Monday, April 20th, 2009

A new national cybersecurity bill is currently being introduced by Senator Rockefeller (Chairman of the Committee on Commerce, Science, and Transportation) and Senator Snowe. The bill would create the Office of the National Cybersecurity Advisor within the Executive Office of the President, an advisory position that would report directly to the President and serve as lead on all cyber matters. This position would coordinate with the intelligence community as well as civilian agencies.

The new cybersecurity legislation proposes additional changes to address issues of cyber crime, global cyber espionage and cyber attacks.

“I believe Congress must bring new high-level governmental attention to develop a fully integrated, thoroughly coordinated, public-private partnership to our cybersecurity efforts in the 21st century.” – Senator Rockefeller

The Rockefeller-Snowe initiative would include provisions for:

  • Raising the profile of cybersecurity within the Federal government, including the aforementioned Office plus a comprehensive national strategy, a quadrennial cybersecurity review and a threat and vulnerability assessment
  • Promoting public awareness and protecting civil liberties, including a legal review of the statutory and regulatory framework applicable, changes required, and a report on identity management and civil liberties
  • Remaking the relationship between government and the private sector on cybersecurity, including a public-private clearinghouse for cyber threat and vulnerability information sharing, an Advisory Panel, enforceable cybersecurity standards, licensing for cybersecurity professionals, State and regional cybersecurity centers for small and medium-sized businesses, and more
  • Fostering innovation and creativity in cybersecurity to develop long-term solutions, including increased recruitment for students into cybersecurity, increased funding for R&D, and an attempt to place a dollar value on cybersecurity risk

Read more about the new cybersecurity legislation being proposed here.

Via SecurityFocus ; Image: clipart

3 Reasons for Breach Notification Laws

Monday, February 2nd, 2009

Bruce Schneier has put together an excellent post about why we need Federal breach notification laws (something I stand behind as well). His post opens up with 3 reasons why we should have breach notification laws:

  1. It’s polite to tell someone if you lose something of theirs
  2. It provides stats to security researchers about the scope of the issue
  3. It forces companies to improve security

The third point is based upon the premise that companies who are forced to bear the costs of data breaches (both intangible, in loss of trust, and tangible, in costs of notification) would take extra steps to protect said data. Schneier references a study done by researchers at Carnegie Mellon University that seeks to determine if data breach disclosure laws have reduced identity theft. The study found that there was only a 2% decrease, on average, in identity theft for states with disclosure laws vs those without disclosure laws.

Bruce Schneier points out that the study can’t be relied on for this type of data. Since more data breaches are being reported now vs five years ago, notification laws or not, it’s difficult to compare “before and after” data. However, he also brings up a number of other issues: ineffective security improvements, types of data breaches, the reduction of the ‘shaming’ effect, and more.

A recent study by the Ponemon Institute, which was sponsored by PGP, now puts the cost of a data breach at $202 per record. However, Schneier believes that the hard cost of breach notification is not as effective an incentive as it used to be. Yet he argues that the other points still merit the law:

“Disclosure is important, but it’s not going to solve identity theft… The reason theft of personal information is common is that the data is valuable once stolen. The way to mitigate the risk of fraud due to impersonation is not to make personal information difficult to steal, it’s to make it difficult to use.”

Breach notification laws only deal with one side of the identity theft problem. Schneier argues that further laws are necessary to prevent financial institutions from granting credit to someone with minimal personal information.

And if you’ve ever left your computer on while you stepped away from it, or if you’ve ever forgotten to log out of secure systems, this should stop you from that habit. Someone like Jeff may be nice enough to teach you a hard lesson – but more than likely, someone will do something far worse.

Image: xenia / morguefile

New law requires online safety education

Thursday, October 30th, 2008

The Broadband Data Improvement Act (S.1492) was recently signed into Federal law. The legislation is intended to improve the collection of data on broadband availability and to fund greater access to high-speed Internet access. As part of the new legislation, schools receiving the e-Rate discounts on telecommunications services will soon be required to teach students about online safety.

The e-Rate program provides discounts for schools of 20-90% for telecommunication services including Internet access. The proposed Broadband Data Improvement Act, introduced by Senate Commerce Committee Chairman Daniel Inouye, has a provision that would require the Federal Trade Commission (FTC) to establish a nationwide campaign to “increase public awareness and provide education regarding strategies to promote the safe use of the Internet by children.”

Originally, a separate bill entitled ‘Protecting Children in the 21st Century Act’ was proposed to Congress. The Senate Commerce Committee merged the language of this bill into the Broadband Data Improvement Act, which has now become law. The new law recognizes that education must go hand-in-hand with technology to protect children from online predators.

The Online Safety and Technology Working Group was established, under the legislation, to evaluate online safety education efforts, parental control technologies, and much more. In addition, a section of the Act requires that schools create an Internet safety policy that educates minors “about appropriate online behavior, including interacting with other individuals on social networking websites and in chat rooms and cyberbullying awareness and response.”

I think it is great that steps are being taken to increase the awareness of online safety issues for children.

Via eschoolnews, eweek, consumer affairs, cnet ; Image: Microsoft Office Clipart / iStockphoto.com

Consumer Protection Legislation News

Wednesday, October 15th, 2008

There are two pieces of news to report in terms of various consumer data protection acts at the state and national levels.

This month, President Bush signed into law a bill that will make it easier for prosecutors to go after cybercriminals, and for identity theft victims to be compensated. The Identity Theft Enforcement and Restitution Act of 2008 [HR 5938], which passed the Senate in July, would remove the $5000 damages floor that was previously required for prosecutors to charge individuals under the federal cybercrime laws.

Identity Theft Enforcement and Restitution Act (HR 5938) would:

  • Give identity theft victims the ability to seek restitution
  • Ensure cyber criminals posing as businesses can be prosecuted
  • Make it a felony to employ spyware or keyloggers that damage 10+ computers
  • Extend cybercrime definitions to include cyberextortion cases
  • Allow prosecution when cybercriminal and victim live in the same state

In other legislative news, the Massachusetts Office of Consumer Affairs and Business Regulation has released a new set of rules requiring companies to encrypt personal data on laptops and monitor employee access to data. These new rules apply to credit card information and Social Security Numbers. Companies and government agencies are required to comply with the new regulations by January 1, 2009.

In August, Governor Patrick signed an identity theft prevention law that requires the reporting of data breaches to the Office of Consumer Affairs and Business Regulation. Since then, 320 breaches have been reported, affecting 625,365 Massachusetts residents. A report outlining the incidents has been released here [PDF].

Via i’ve been mugged, 2, boston globe, washington post ; Image: clip art

Schwarzenegger Vetoes Legislation Again

Tuesday, October 14th, 2008

Despite the indications that the Consumer Data Protection Act [PDF] would be passed by California’s Governor Arnold Schwarzenegger, it has been vetoed for the second time. Read the veto here [PDF].

The Consumer Data Protection Act would have required retailers and businesses in California to take more strict steps to protect credit and debit card data, and to disclose more details about data breaches to those affected. The State Assembly and Senate both approved the bill for the second time in 12 months, after modifications had brought it back to a vote.

Governor Schwarzenegger says that he has rejected the bill for the same reasons as before: the belief that the legislature should not interfere with business, and that the bill attempts:

“to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers,” he wrote.

Schwarzenegger believes the payment card industry (PCI) is in a better position to set standards in technology and the marketplace, and believes legislation would create a conflict with private sector standards.

According to Visa, only 45% of large retailers are compliant with current PCI standards, so I would think that the private sector needs some assistance with enforcement.

What’s your opinion on legislation like this? Good or bad?

Thanks to Charles for the tip! Via computerworld, IT business, Washington Post ; Image: gov.ca.gov
