Thursday, October 29, 2009

The FBI Favors A National Breach Notification Standard

The Federal Bureau of Investigation is in favor of a national data breach notification standard. Agency officials say it would help law enforcement fight cybercrime, the report states. During a cybersecurity discussion in Washington yesterday, the head of the FBI's Cyber Criminal Section said such a standard "would help us tremendously, particularly in terms of efficiency in conducting investigations." Troy said that widespread reporting would help cyber cops discover links between cases and potentially prevent similar attacks. Senator Leahy's Personal Data Privacy and Security Act, introduced in July, includes breach-notification rules, and a Senate cybersecurity bill to be introduced this year is expected to include them as well.
Full Story

I've long said that unless the states can get together and pass comprehensive legislation to enforce data breach notification, the Federal government will.

Then there is this from Javelin Research:

Breach Notifications Fall Flat on Consumers

The Credit Union Times reports on study findings that suggest consumers do not understand the importance of data breach notifications and, as a result, fail to protect themselves from fraud. Javelin Strategy and Research says that consumers who have been notified of a breach of their data were four times more likely than the public at large to experience fraud, the report states. The firm said that 19 percent of consumers who received a data breach notification over the past year have become the victims of fraud within a year of the notification. Full Story

Perhaps federal regulations will also help to improve public awareness. In my experience almost no one is aware of the breadth of identity theft and its various permutations until they get some honest education on the subject. Then, almost to a person, they see the value of notifications and what they can mean as an early warning. They also usually see the great benefit of having a good service in place ahead of time.

When you are a victim of identity theft, what do you really want in a service? Do you want an "insurance policy", or do you want comprehensive restoration? Since insurance can ONLY replace out-of-pocket expenses incurred while trying to perform your own restoration, what is the point of underwritten insurance?

How about credit monitoring? Is that of any real help if there isn't any follow-up to work with the victim to clear the erroneous notations and record entries? Again, without restoration, no monitoring service is of any substantial value.

Wednesday, October 28, 2009

Red Flags Exemptions for Small Businesses

This is very important for all business owners to read.

The U.S. House of Representatives this week unanimously passed legislation that would exempt certain small organizations from complying with the Red Flags Rules.

H.R. 3763 unanimously passed the U.S. House of Representatives this week. It would amend FACTA and its Identity Theft Red Flags Rule component to exclude health care, accounting, and legal practices with 20 or fewer employees from having to comply with the regulations, which are set to be enforced starting next month.

The bill would also create a provision enabling other businesses to apply for exemption. To be exempt from complying with the regulation, the bill stipulates that a business would have to meet at least one of the following criteria:
It must know all of its customers or clients individually;
It must only perform services in or around the residences of its customers; or
It must not have experienced incidents of identity theft, and identity theft must be rare for businesses of its type.
The bill now will move to the U.S. Senate Committee on Banking, Housing, and Urban Affairs for a vote.

It is not yet known whether this pending bill will further delay the FTC's enforcement of the Red Flags Rule, which is currently set to begin on 1 November 2009. Read more:
New ID theft rules may not pertain to small businesses
by: Angela Moscaritolo,