Friday, January 23, 2009

Draft Guidelines for Data Protection

With everyone focused on the inauguration and then being blindsided by the breathtaking breach of credit card transactions from Heartland Payment Systems, this notice went largely overlooked. I saved it to run here. I have been writing for some time now about the convergence of different state and federal identity theft prevention and reporting laws. Massachusetts has enacted a law that mandates compliance with the points laid out in the FACTA Red Flags Rule and GLB. This new law goes into effect on May 1st of this year and affects any business that does commerce within the Commonwealth or has at least one customer who resides in Mass. This appears to be the toughest identity theft prevention law on the books anywhere in the country.

Our federal government is now considering a national policy to mandate certain business practices and procedures that will take into account all of the recommendations of current rules, and add a national breach reporting component to assure that potential victims are notified in a timely manner that their information may be at an increased risk of identity theft. The NIST report has concluded that government agencies, and the private businesses that provide goods and services to the government, should also adhere to the same set of rules. This seems to make very clear that businesses with government contract arrangements will have their information security practices scrutinized for compliance or face losing that contract. This is also outlined in the Red Flags Rule as a compliance component. Oversight of the practices of all outsourced work to contractors and third-party service providers is critical to a sound program. All you government contractors, watch your mail for updated RFIs coming your way soon!

NIST releases draft guidelines for data protection
Angela Moscaritolo, SC Magazine

January 15, 2009

The National Institute of Standards and Technology (NIST) this month released preliminary recommendations that federal agencies -- and their contractors -- should follow to protect the confidentiality of personally identifiable information (PII). U.S. government agencies should take a number of precautions when dealing with personal information residing in their organizations, according to the NIST document. The recommendations are intended for U.S. federal government agencies and the companies with which they work, but NIST said that other verticals may also find value in it.

The report states that organizations should store only PII necessary to conduct business, develop an incident response plan for the event of a breach, and encourage coordination for data-loss incidents among CIOs, information security officers and legal counsel.

Scott Larson, executive managing director of computer forensic consulting firm Stroz Friedberg, said on Thursday that he thinks the guidelines are timely and that there will be an increased focus on privacy protection once President-elect Obama takes office next week.

“I think with a change in administration, a lot of these data privacy issues will be re-examined,” Larson said. There has been increased concern about how federal agencies are storing, accessing and mining for data, he said.

PII can include things such as names, personal identification numbers (Social Security number, passport number, driver's license number, credit card number), address information, and other personal characteristics (photos, fingerprints, retina scans).

The report also recommends that organizations create policies for handling PII, with clearly defined consequences if they are not followed. Entities should provide education, training, and awareness to employees on protecting PII. The document contains exercises with scenarios involving PII and questions to build skills and teach employees how to handle it.

Larson said organizations may struggle with one of the recommendations, which asks them to categorize data based on its level of confidentiality. Agencies simply may be unable to accomplish this because they don't have enough employees.

“Sometimes it comes down to resources,” Larson said.

Larson said encryption or obfuscation are the most effective ways to protect data.

The draft report is open to public comment until March 13. The final version will be released after the authors have reviewed the public feedback and made changes to the report based on the number and type of comments received, Erika McCallister, a computer scientist at NIST who co-authored the report, said in an email on Thursday.