Monday, November 2, 2009

Red Flags Delayed Until June 1, 2010

At the request of Members of Congress, the Federal Trade Commission is delaying enforcement of the "Red Flags" Rule until June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC.
Read the FTC Announcement:
http://www.ftc.gov/opa/2009/10/redflags.shtm

And in a related story I am sorry to report:

The American Bar Association is celebrating a ruling by the U.S. District Court for the District of Columbia barring the Federal Trade Commission (FTC) from applying the requirements of the Red Flags Rule to attorneys.
"This ruling is an important victory for American lawyers and the clients we serve," ABA President Carolyn B. Lamm said in a written statement. "The court recognized that the Federal Trade Commission's interpretation of the Fair and Accurate Credit Transactions Act (FACTA) over-reaches and its application to lawyers is unreasonable. By voiding the FTC's interpretation of a statute that was clearly not intended to apply to the legal profession, the court has ensured that lawyers stay focused on the mission of their work: providing aid and counsel to the individuals and organizations that need us."
The FTC is expected to appeal the Court's ruling. FTC General Counsel Willard Tom said, "It's safe to assume the Commission is going to consider its options very seriously. We think there is no reason lawyers should be exempt."
Read more:
Ruling bars application of FTC 'Red Flags Rule' to legal profession

http://www.wisbar.org/AM/Template.cfm?Section=News&Template=/CM/ContentDisplay.cfm&ContentID=87099

I hope the legal profession is aware that a lot of people (including me) are going to pay close attention to the security practices of law firms. This means, of course, that law firms will no longer be tossing paper client records into dumpsters, as has happened several times in the last year and, if police reports are accurate, seems to be a favorite way for law firms to dispose of old records. As I reported last year, I also had two encounters where a County Superior Court judge handed out materials on recycled paper containing personal and banking information that had previously been entered into evidence. The way I see this, the legal profession has shown itself to be not only ignorant of the intention of the laws but also, due perhaps to industry hubris, unable to bear being regulated by an outside authority.

When your or my identity is misused by thieves as the result of a law firm's lax information security practices, will we really care that they successfully lobbied for exemption from a procedure that might well have prevented the crime from happening at all? What are they celebrating, a win?

Thursday, October 29, 2009

The FBI Favors A National Breach Notification Standard

The Federal Bureau of Investigation is in favor of a national data breach notification standard, Nextgov.com reports. Agency officials say it would help law enforcement fight cybercrime. During a cybersecurity discussion in Washington yesterday, the head of the FBI's Cyber Criminal Section said such a standard "would help us tremendously, particularly in terms of efficiency in conducting investigations." Troy said that widespread reporting would help cyber cops discover links and potentially prevent similar attacks. Senator Leahy's Personal Data Privacy and Security Act, introduced in July, and a Senate cybersecurity bill to be introduced this year include or will include breach-notification rules.
Full Story

I've long said that unless the states can get together and pass comprehensive legislation to enforce data breach notification then the Federal government will.

Then there is this from Javelin Research,

Breach Notifications Fall Flat on Consumers

The Credit Union Times reports on study findings suggesting that consumers do not understand the importance of data breach notifications and, as a result, fail to protect themselves from fraud. Javelin Strategy and Research says that consumers who have been notified of a breach of their data were four times more likely than the public at large to experience fraud. The firm said that 19 percent of consumers who received a data breach notification over the past year became victims of fraud within a year of the notification. Full Story

Perhaps federal regulations will also help to improve public awareness. In my experience almost no one is aware of the breadth of identity theft and its various permutations until they get some honest education on the subject. Then, almost to a person, they see the beauty of notifications and what that can mean as an early warning. They also usually see the great benefit of having a good service in place ahead of time.

When you are a victim of identity theft, what do you really want in a service? Do you want an "insurance policy", or do you want comprehensive restoration? Since insurance can ONLY replace out-of-pocket expenses incurred when trying to perform your own restoration, what is the point of underwritten insurance?

How about credit monitoring? Is that of any real help if there isn't any follow up to work with the victim to clear the erroneous notations and record entries? Again, without restoration no monitoring service is of any substantial value.

Wednesday, October 28, 2009

Red Flags Exemptions for Small Businesses

This is very important for all business owners to read.

The U.S. House of Representatives this week unanimously passed legislation that would exempt certain small organizations from complying with the Red Flags Rules.

The bill, H.R. 3763, would amend FACTA and the Identity Theft Red Flags Rule issued under it to exclude health care, accounting, and legal practices with 20 or fewer employees from having to comply with the regulations, which are set to be enforced starting next month.

The bill would also create a provision enabling other businesses to apply for exemption. To be exempt from the regulation, a business would have to meet at least one of the following criteria:
It must know all of its customers or clients individually;
It must only perform services in or around the residences of its customers; or
It must not have experienced incidents of identity theft, and identity theft must be rare for businesses of its type.
The bill now will move to the U.S. Senate Committee on Banking, Housing, and Urban Affairs for a vote.

It is not yet known whether this pending bill will further delay the FTC's enforcement of the Red Flags Rule, which is still set to begin on November 1, 2009. Read more:
New ID theft rules may not pertain to small businesses
by: Angela Moscaritolo, SCMagazine.com

Friday, October 16, 2009

Which Story to Post? Payroll company loses PII, and Underreporting losses

It isn't often that I am faced with a decision as to which story to post here. I generally shy away from reporting specific breaches unless the particular story reinforces a point I am trying to stress, regarding employee training perhaps, or simple gross negligence in the face of what should be common knowledge among the business community.
In this case, however, I found two such stories on the same day and have them both here for you.

The Washington Post reports that, for the second time in a month, hackers have gained the login credentials of PayChoice clients. The company sent a notice to customers yesterday to let them know that thieves had exploited a weakness in the password-change component of the company's online payroll portal, the report states. PayChoice has since disabled the site and modified logins. In its e-mail alert to clients, PayChoice said "...we determined that valid user credentials...were used in an unauthorized manner to...have payments made to fraudulent bank accounts." Full Story

There is simply no excuse for a payroll company to have such an incident in light of the laws in effect (FACTA Red Flags Rules specifically), that require them to take specific precautions to prevent just such a breach.

This next item shows clearly that giving breached entities discretion as to whether and when to report breaches serves no one. People whose information has been mishandled or lost while in the trust of an organization have the right to know about their increased risk so that they might take appropriate steps to protect themselves. That is the problem I and others have with reporting laws that give wide discretion to not report, or to delay reporting, information losses.

The results of an audit involving the loss of Connecticut taxpayers' data show the state took too long to determine whether confidential information was compromised, reports The Day. The names and Social Security numbers of 106,000 Connecticut taxpayers were exposed when a Department of Revenue Services (DRS) employee's laptop was stolen from a parked car. "DRS botched its initial response to the theft," said AG Richard Blumenthal who took part in the audit. "Inexcusably, our tax agency exposed more than 100,000 taxpayers for nearly a week to possible plundering of personal assets." But Blumenthal hailed DRS for tightening access controls, encrypting data and developing data breach procedures since then. Full Story

Thursday, October 15, 2009

Extraordinary Quote

"The more people who have your data, the greater likelihood that either they're going to lose it or a rogue employee will abuse it," said Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University.

We could use more people like Fred Cate.

Wednesday, October 14, 2009

IRS Personal Identity Security Issues

The Internal Revenue Service says that efforts to help protect taxpayers from identity fraud, spearheaded by the agency's Online Fraud Detection and Prevention Office, are paying off. The agency points to more than 3,000 suspected phishing and fraud-related Web sites being shuttered since the office opened in 2007. However, Government Computer News reports that the IRS also struggles with internal data security, and that hundreds of taxpayers were affected by 149 breaches last year. A Government Accountability Office report said the "IRS has information security weaknesses that increase the likelihood of IRS employees committing identity theft," which the IRS attributes to weaknesses in authorization and authentication. Full Story

Every federal agency is struggling with these issues. This is yet another reminder that information security is a paramount problem. Personal information is fast becoming the most valuable asset within any enterprise: not just company secrets, but personal information on employees and customers. Our information is in many places where we have no control over its security. Even the agencies and enterprises have no absolute control, as you can see here. At last count, in 2008, approximately 62% of all breaches were the result of employees taking data out of the office to sell it or use it themselves for financial gain.

Friday, October 9, 2009

So Much for Red Flags?

A Maryland Bank Tosses Personal Records in the Trash.

I am shocked but frankly not surprised to see this story. Even though banks were among the businesses that were supposed to be Red Flags compliant prior to November 2008, I can guarantee that many are not. It is just as obvious that they do not take the intention of training seriously, as outlined in the FACT Act (where the Red Flags Rule comes from). FACTA supplemental material from the FTC makes training an important component of any data protection program. I don't think anyone who reads this column would have done something as irresponsible as tossing out personal records so haphazardly, because you are aware of the risks. Prepare bank employees with the same sensitivity and this story would not have needed to be written. It's not as much about signing off on a compliance document as it is about understanding why compliance needs to be done. Since it is the rank-and-file employee who handles personal information on the job, it is not sufficient for banks and other businesses to orient only management staff. Security is only as good as the weakest link.

A number of customers in Rodgers Forge, Maryland were upset to learn that the institution which recently took over the local branch of the former Bradford Bank has been less than protective of their personal and banking information. Baltimore television station ABC2 reports that pages of documents were found discarded and unshredded in a trash bin outside the bank. Among them were bank statements and security-related information, days-old cancelled checks and photocopied driver's licenses. IAPP past president Chris Zoladz, CIPP, founder of the privacy consultancy Navigate LLC, comments on the breach. Full Story