The Cyber Security Research and Development Act of 2009 (HR 4061) would create new research and education programs at the National Science Foundation and the National Institute of Standards and Technology to promote research in cybersecurity and to attract more teachers and students to the field.

“This bill will help improve the security of cyberspace by ensuring federal investments in cybersecurity are better focused, more effective, and that research into innovative, transformative security technologies is fully supported,” said Symantec CTO Mark Bregman. “HR 4061 represents a major step forward towards defining a clear research agenda that is necessary to stimulate investment in both the private and academic worlds, resulting in the creation of jobs in a badly understaffed industry.”

Aside from the scholarly aspect, the new bill would develop an awareness program to help consumers, organizations and government bodies to keep their computers secure. The National Institute of Standards and Technology has been tasked with improving development of new identity management systems used to control access to buildings, networks and data.

If the bill becomes law, NIST would have one year to develop a plan for Congress about how it would participate in creating International cybersecurity standards and would have 90 days for a plan on its cybersecurity awareness program.

Via CNet & opencongress

The Federal Trade Commission staff will redouble its efforts to educate them about compliance with the “Red Flags” Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply.

The “Red Flags” Rule, which went into effect on January 1, 2008, requires many businesses and organizations (”creditors” and “financial institutions”) to implement a written Identity Theft Prevention Program. This program should detect early warning signs (red flags) of identity theft, take steps to prevent the crime, and mitigate damage that could be caused by it. The Red Flags Rule applies to “financial institutions” and “creditors,” though those terms apply more broadly than in typical use.

Check out the FTC site to determine if the Red Flags Rule applies to your organization, to get practical tips on spotting identity theft, and to learn how to put your ID Theft Prevention program into place. Based on this revised effort, the FTC will begin enforcement of the “Red Flags” rule on November 1, 2009.

Hat tip to Hunton & Williams

The new data breach notification law would require that individuals be notified when their personal information were breached. The new law has broadly defined personal information to include not just financial information or Social Security numbers, in combination with names, but also any unique electronic identifier or medical information.

The new law requires that the Missouri Attorney General and national consumer reporting agencies be notified if the breach affects more than 1,000 individuals. Civil penalties for violating the statue may reach up to $150,000 per breach.

Via digestible law

Some of the changes that HITECH will mandate, in regards to privacy requirements, include:

• Definition of Personal Health Information (PHI) expanded
• Stronger data breach notification requirements
• Increased penalties for HIPAA violations and more aggressive enforcement, including criminal cases
• Subjects business associates to civil and criminal penalties for violating HIPAA requirements
• Defined guidelines on how to protect PHI

In terms of data breaches, HITECH will require that individuals be notified if their PHI has been accessed and that information was unsecured, unencrypted or not deleted from a computer using an a method that meets the standard (such as the Computrace Data Delete feature). The act requires that vendors notify the individual of the breach even if identity theft is not probable, which is a much stronger requirement than many State notification requirements.

Though the effective date for HITECH is not until February, 2010, in August of this year the US Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) will synchronize their respective regulations and issue interim final regulations.

Healthcare organizations will need to address these new HITECH requirements by strengthening their data security measures. Computerworld has put together 5 Steps to HITECH Preparedness that’s very worth the read.

Image: clipart

The new law, SB-20, would require that companies tell customers what type of personal information was breached and when the breach occurred. The previous law required only that companies say that a breach had occurred.

“No one likes to get the news that information about them has been stolen, but when it happens, people are entitled to get a notice they can understand, and that helps them decide what to do next. The premise is simple. What you don’t know can hurt you. Ignorance is not bliss. And you can’t protect yourself if you don’t know you’re at risk.”

Over 40 states currently have breach notification laws, though this is just one added step that California has taken to protect consumer information. Simitian argues that requiring detailed notifications is not just important for consumers, but also for law enforcement in order to get an understanding of the patterns associated with data theft.

SB-20 was introduced by Democrat Senator Joe Simitian. The new bill is up for approval by the state Assembly before it is finalized. Learn more about SB-20 here. Computrace can help you identify what information was breached. Find out how Computrace can help

Via SC Magazine, CSO Online ; Image: Clip Art

The new cybersecurity legislation proposes additional changes to address issues of cyber crime, global cyber espionage and cyber attacks.

“I believe Congress must bring new high-level governmental attention to develop a fully integrated, thoroughly coordinated, public-private partnership to our cybersecurity efforts in the 21st century.” – Senator Rockefeller

The Rockefeller-Snow initiative would include provisions for:

• Raising the profile of cybersecurity within the Federal government, including the aforementioned Office plus a comprehensive national strategy, a quadrennial cybersecurity review and a threat and vulnerability assessment
• Promoting public awareness and protecting civil liberties, including a legal review of the statutory and regulatory framework applicable, changes required, and a report on identity management and civil liberties
• Remaking the relationship between government and the private sector on cybersecurity, including a public-private clearinghouse for cyber threat and vulnerability information sharing, an Advisory Panel, enforceable cybersecurity standards, licensing for cybersecurity professionals, State and regional cybersecurity centers for small and medium-sized businesses, and more
• Fostering innovation and creativity in cybersecurity to develop long-term solutions, including increased recruitment for students into cybersecurity, increased funding for R&D, and an attempt to place a dollar value on cybersecurity risk

Read more about the new cybersecurity legislation being proposed here.

Via SecurityFocus ; Image: clipart

1. It’s polite to tell someone if you lose something of theirs
2. It provides stats to security researchers about the scope of the issue
3. It forces companies to improve security

The third point is based upon the premise is that companies who are forced to bear the costs of data breaches (both intangible in loss of trust and tangible in costs of notification) would take extra steps to protect said data. Schneier references a study done by researchers at the Carnegie Mellon University that seeks to determine if data breach disclosure laws have reduced identity theft. The study found that there was only a 2% decrease, on average, in identity theft for states with disclosure laws vs those without disclosure laws.

Bruce Schneier points out that the study can’t be relied on for this type of data. Since more data breaches are being reported now vs five years ago, notification laws or not, it’s difficult to compare “before and after” data. However, he also brings up a number of other issues: ineffective security improvements, types of data breaches, the reduction of the ’shaming’ effect, and more.

A recent study by the Ponemon Institute, which was sponsored by PGP, now puts the cost of a data breach at $202 per record. However Schneier believes that the hard cost to breach notification is not as effective an incentive as it used to be. Yet he argues that the other points still merit the law:

“Disclosure is important, but it’s not going to solve identity theft… The reason theft of personal information is common is that the data is valuable once stolen. The way to mitigate the risk of fraud due to impersonation is not to make personal information difficult to steal, it’s to make it difficult to use.”

Breach notification laws only deal with one side of the identity theft problem. Schneier argues that further laws are necessary to prevent financial institutions from granting credit to someone with minimal personal information.

—

And if you’ve ever left your computer on while you stepped away from it, or if you’ve ever forgotten to log out of secure systems, this should stop you from that habit. Someone like Jeff may be nice enough to teach you a hard lesson – but more than likely, someone will do something far worse.

Image: xenia / morguefile

The e-Rate program provides discounts for schools of 20-90% for telecommunication services including Internet access. The proposed Broadband Data Improvement Act, introduced by Senate Commerce Committee Chairman Daniel Inouye, has a provision that would require the Federal Trade Commission (FTC) to establish a nationwide campaign to “increase public awareness and provide education regarding strategies to promote the safe use of the Internet by children.”

Originally, a separate bill entitled ‘Protecting Children in the 21st Century Act’, was proposed to congress. The Senate Commerce Committee merged the language of this bill into the Broadband Data Improvement Act, which has now become law. The new law recognizes that education must go hand-in-hand with technology to protect children from online predators.

The Online Safety and Technology Working Group was established, under the legislation, to evaluate online safety education efforts, parental control technologies, and much more. In addition, a section of the Act requires that schools create an Internet safety policy that educates minors “about appropriate online behavior, including interacting with other individuals on social networking websites and in chat rooms and cyberbullying awareness and response.”

I think it is great that steps are being taken to increase the awareness of online safety issues for children.

Via eschoolnews, eweek, consumer affairs, cnet ; Image: Microsoft Office Clipart / iStockphoto.com

This month, President Bush signed into law a bill that will make it easier for prosecutors to go after cybercriminals, and for identity theft victims to be compensated. The Identity Theft Enforcement and Restitution Act of 2008 [HR 5938], which passed the Senate in July, would remove the $5000 damages floor that was previously required for prosecutors to charge individuals under the federal cybercrime laws.

Identity Theft Enforcement and Restitution Act (HR 5938) would:

• Give identity theft victims the ability to seek restitution
• Ensure cyber criminals posing as businesses can be prosecuted
• Make it a felony to employ spyware or keyloggers that damage 10+ computers
• Extend cybercrime definitions to include cyberextortion cases
• Allow prosecution when cybercriminal and victim live in the same state

In other legislative news, the Massachusetts Office of Consumer Affairs and Business Regulation has released a new set of rules requiring companies to encrypt personal data on laptops and monitor employee access to data. These new rules apply to credit card information and Social Security Numbers. Companies and government agencies are required to comply with the new regulations by January 1, 2009.

In August, Governor Patrick signed an identity theft prevention law that requires the reporting of data breaches to the Office of Consumer Affairs and Business Regulation. Since then, 320 breaches have been reported, affecting 625,365 Massachusetts residents. A report outlining the incidents has been released here [PDF].

Via i’ve been mugged, 2, boston globe, washington post ; Image: clip art

The Consumer Data Protection Act would have required retailers and businesses in California to take more strict steps to protect credit and debit card data, and to disclose more details about data breaches to those affected. The State Assembly and Senate both approved the bill for the second time in 12 months, after modifications had brought it back to a vote.

Governor Schwarzenegger says that he has rejected the bill for the same reasons as before, the belief that legislature should not interfere with business, and that the bill attempts:

“to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers,” he wrote.”

Schwarzenegger believes the payment card industry (PCI) is in a better position to set standards in technology and the marketplace, and believes legislation would create a conflict with private sector standards.

According to Visa, only 45% of large retailers are compliant with current PCI standards, so I would think that the private sector needs some assistance with enforcement.

What’s your opinion on legislation like this? Good or bad?

Thanks to Charles for the tip! Via computerworld, IT business, Washington Post Image: gov.ca.gov