Wednesday, July 29, 2009

Red Flags Rule Enforcement Deadline Extended

The Federal Trade Commission has again extended the enforcement deadline for the Red Flags Rule, according to an agency press release. Creditors and financial institutions now have until November 1, 2009 to come into compliance with the rule, which was mandated by the Fair and Accurate Credit Transactions Act of 2003. Meanwhile, the commission will redouble efforts to educate businesses affected by the rule on what they must do to comply. The Red Flags Rule requires entities to implement programs for identifying, detecting and responding to harbingers of identity theft, or "red flags."
Go to www.ftc.gov/redflagsrule for more information regarding your business.

Friday, July 24, 2009

Will the Third Try be a Charm for Federal Breach Notification Law?

The following article was in today's privacy bulletin. Since the first state breach notification law took effect in California in 2003, 43 other states have enacted their own versions, creating a worthwhile but patchwork set of regulations that are at best vague and contain gaps large enough that a company experiencing a breach can likely get away without any notification to potential victims. Hopefully this legislation will have enough bite to be effective. Only when we see the text of the bill will we know whether we are headed in the right direction or toward another legislative compromise. Thresholds for notification need to cover not only electronic breaches and large-scale hacks of computer servers, but also the theft and misuse of paper records, and they need to provide for smaller incidents. Only with effective notification laws can businesses be held accountable to a public that expects its information to be kept reasonably safe.

Vermont Senator Patrick Leahy (D) has reintroduced the Personal Data Privacy and Security Act, the third attempt by Congress to pass a federal data breach law that would pre-empt the 44 individual state data breach laws and create a single response and notification standard in the U.S. InternetNews reports that in a statement, Leahy said the bill addresses serious consumer privacy and data security issues and vowed that, "Passing this comprehensive data privacy legislation is one of my highest legislative priorities as chairman of the Judiciary Committee."
Full Story

Monday, July 13, 2009

Who Needs High Tech Information Security Measures?

Whenever I see articles about the latest high-tech "solution" for data loss, I can't help but think about the vast number of data breaches that result from situations like the one below.
Just as there is no one form of data theft, there is no one type of solution.


Medical records, including names, credit card numbers, Social Security numbers and cancelled checks were found in a dumpster behind a Salt Lake City shoe distribution center last week, reports KUTV News. At least some of about 20 boxes that Salt Lake City police confiscated appear to have come from a now-closed chiropractic office. KUTV reports that surveillance footage showing two people unloading materials into the dumpster exists. Disposing of medical records in this way is a violation of state law, according to the Utah Attorney General's office, and could lead to a $2,500 fine per patient record.
Full Story

Train your staff, train your staff, train your staff. This kind of incident happens far too often because of a lack of understanding of the law, and of the simple common sense needed to keep records from falling into the wrong hands.

Most ID theft that results from breaches at companies occurs when an employee walks out with the data intending to sell it, not to open credit card accounts himself. While the thief may be caught, the data is long gone, already in other hands. Once the information is sold it can proliferate around the world in a matter of days.

A failure to understand the value of employee personal information, as well as customer information, has led to more identity theft incidents than any other cause.

Friday, July 10, 2009

What is a privacy policy, and what is an identity theft policy? What's the difference?

Good morning all. I have been noticeably absent from my column duties while I took care of some other projects, and fitting in a short vacation.

Very often when I speak with business owners, especially in small to mid-sized organizations, I find that many of them either confuse a company privacy policy with an identity theft policy, or believe that an identity theft policy is an outgrowth of a privacy policy or statement.
In very general terms the two are not the same; in fact they address two different issues. A privacy policy deals with either company intellectual property or customer information. Any business that collects customer information in the course of doing business must have a privacy policy that informs the customer how their information is used and protected, including the encryption procedures for transactions. For card transactions, that falls largely under the Payment Card Industry Data Security Standard (PCI DSS), whose rules exist to protect the public from fraud resulting from purchase transactions. Customers are also protected by state and federal laws such as the FTC Act and the FCRA, which prohibit companies from distributing personal information with no regard for personal privacy and without first notifying the customer of their intent. That issue is being hotly debated again because of the proliferation of social networking websites.

The other area a privacy policy covers is the protection of company secrets: proprietary information about how a business operates and its plans and strategies. While the distribution and misuse of personally identifiable information (PII) is heavily regulated by consumer law, the protection of company secrets is a matter of internal policy. Businesses engaged in technological and scientific research and development often have non-disclosure agreements with employees to protect that kind of information. Employees who violate those agreements are subject to termination and possible legal action for breach of contract.

An identity theft policy addresses PII data loss: a definition of what the company considers to be PII, the various forms in which the company stores and uses PII, and finally the procedure the company has put in place to respond to breaches and to protect the individuals who might be affected and are at increased risk of identity theft as a result of a company breach. This policy must cover not only the data the company keeps on its clients but also its employees' personnel records, and it must also address the identity theft policies of any contractor or service provider who might have access to that information. Vendors include not only outsourced HR, payroll, insurance and benefits brokers, but also cleaning services, construction contractors and even parking services: any business that has the potential to obtain PII.

It isn't my intention to delineate what the law is or to provide legal advice in these areas, but rather to provoke thought on the part of businesses. With legislation such as GLB and FACTA, and now the Red Flags Rule issued under FACTA, the banking regulators and the FTC have made it clear that in order to stem the tide of identity theft, and of the company data breaches that result in the majority of identity theft, businesses need to take certain steps proactively to prevent breaches and to respond quickly and effectively when they do occur.
Every company is different and therefore needs to take the steps that are most effective for that organization. It all begins with an honest risk assessment on the part of each company to find the weak links in its information security, and with training the staff on their responsibilities. A clear identity theft policy is the roadmap every responsible business uses to lay out everyone's duties and how the business will handle data breaches. FTC investigators looking into companies that have experienced these breaches are most interested in seeing what the business did to protect the information before the breach. A proactive identity theft policy is good policy, and good business.

Friday, June 26, 2009

35 days until the enforcement phase of the Red Flags Rule, Are you ready?

The deadline for non-banking entities to comply with the Fair Credit Reporting Act Red Flags Rule is August 1. Joel Winston and his colleagues at the Federal Trade Commission have spent the last several months helping businesses understand the requirements. Winston is associate director of the Division of Privacy and Identity Protection at the commission's Bureau of Consumer Protection. In this interview with GovInfoSecurity.com, he discusses the Red Flags Rule, the greatest information security risks for consumers, privacy implications of new technologies and his team's work to help prevent identity theft, among other topics.
Full Story

Thursday, June 25, 2009

Privacy Blunders Foster a New Era of Accountability

By Don Peppers and Martha Rogers, Ph.D.

The following was in my daily privacy download. It is hard to add any editorial comments as the article spells it out very well. So, without further ado here is today's thought on privacy.

In the early days of mandatory data breach disclosures, which in the U.S. began in 2005, notifications followed a now predictable pattern: Organizations issued a press release expressing contrition, mailed notification letters, strategically released details on the scale of the breach, and emphasized the strides they were taking to mend and prevent. What was perhaps most notable was what didn't happen: At the senior-executive level, no heads rolled. Overall, corporate accountability for lost data seemed slight, at best.
Lately, however, a number of episodes suggest that we may be entering a new culture of senior-level accountability--over privacy, abuses of "secrecy," and for the data-related misdeeds of subordinates. The events seem to suggest a broader cultural shift toward increased transparency and accountability for whoever's in charge, and a growing realization that when it comes to collecting data, "more is better" isn't always best.

The privacy buck stops where?

The misdeeds of subordinates in several organizations have recently led to the chief's ouster. Last month, discount supermarket chain Lidl sacked its head of German food operations, Frank-Michael Mros, after documents recovered from a dumpster showed that throughout 2008 and 2009, the company illegally collected confidential information on employees (noting such state-of-health information as "operated on for a tumor" and "wants to get pregnant"). In March, the head of Deutsche Bahn, Hartmut Mehdorn, resigned after revelations that the state-owned rail operator had spied on its employees. As part of an internal fraud investigation, managers accessed confidential information on hundreds of thousands of employees and illegally monitored employee e-mail.
That same month, a student journalist at Binghamton University found an unlocked storeroom containing boxes full of documents containing students' and parents' personal information, the third breach in less than a year. While the administration threatened to charge the reporter with trespassing, students circulated a petition to sack Terry Dylewski, the chief information security officer. Those calls were renewed after a fourth privacy breach in April. In December, the Ohio Department of Job and Family Services fired its Deputy Director of Child Support for authorizing database checks on a state resident for no legitimate purpose. Two other department employees associated with the checks also no longer work with the department due to their involvement in a breach of the records of Samuel J. Wurzelbacher, better known as "Joe the Plumber."
Swiss bank secrecy under fire

Calls for accountability--and with it, transparency--are becoming the new norm, and the financial services industry is on the frontline, given the furor over bonuses for bailed-out bank executives, and President Obama's pledge to crack down on international tax havens. Not even Swiss banks, legendary for their secrecy, are immune. Last year, federal authorities charged several cross-border private banking executives at UBS, Switzerland's largest bank, with helping American citizens hide an estimated $20 billion in offshore accounts. That, plus the recent threat of indictment for all of the bank's executives, saw UBS recently admit to defrauding the IRS. The bank agreed to pay a $780 million fine and release the names of American accountholders.

Parliament expenses scandal

Perhaps the lesson is this: With notions of transparency and accountability on the rise, companies hide behind secrecy laws at their peril. In the UK, members of Parliament (MPs) learned that the hard way, after details of their expenses revealed that many had abused the system to pay for things not related to their duties as an MP, such as moat cleaning and tennis court repairs. The expenses, which the Labour majority in Parliament battled for five years to keep private, came to light after courts upheld a journalist's right to obtain the information under Britain's relatively new Freedom of Information Act. The irony of MPs who abused and hid their expenses--during a recession, no less--while pushing a national ID card, building a network of millions of CCTV cameras, and regularly losing large amounts of sensitive or classified data has brought British voters to the boiling point. The government and even forms of representational government are facing their biggest shakeup in more than 100 years, with citizens demanding further transparency and accountability, including proportional representation.

Life after "keep everything"

Interestingly, resistance is also growing to the UK government's "collect and keep everything" approach to data. One recent study branded the country as a "database state," and estimated that 25 percent of all government databases contained illegal information and should be scrapped. Likewise, courts recently ruled that the UK police practice of photographing everyone who attends a demonstration violated people's liberty, and instructed police to cease such practices and purge all such images from their databases. The UK offers an insightful case study: If a society has gone to the brink of the "more is better" approach to collecting and retaining private data, while demanding little accountability from those in power, what happens next? In fact, the outgoing UK Information Commissioner Richard Thomas recently predicted that collecting less personal information will become the new norm, to better balance security and liberty when government agencies collect and share data to do everything from spotting child abuse to discovering potential terrorists. "If you're looking for a needle in a haystack, it does not make sense to make the haystack bigger," he said. Collect data, but collect it smarter, and retain only what you need? And know that your job is on the line if improper data gets collected, abused, or lost, or if people's rights get trampled? Those are words to live by in what is arguably our new culture of accountability.

Wednesday, June 24, 2009

45,000 Cornell University Records Exposed

Retailer TJX will pay $9.75 million to settle charges related to its 2007 data breach that exposed the financial details of thousands of customers, reports consumeraffairs.com. It is the farthest-reaching data breach settlement to date.

As stunning a piece of news as that is, I am even more saddened by the following news from Cornell University. After years of hammering the point, laws passed, and all of the white papers and articles written about personal data safety and enterprise liability, why are we still seeing this kind of news? EVERY entity that maintains personal data of ANY kind needs to take care of business. There are no excuses and no arguments to the contrary. Business owners, what more do you need? Cornell has just offered to pay at least $1,125,000 for credit monitoring alone at the current going rate, and that is a small fraction of what this breach will eventually cost the school.

Cornell University announced that police are investigating the theft of a school laptop containing the personal information--including Social Security numbers--of approximately 45,000 students, alumni, faculty and staff. The Associated Press reports that the laptop was stolen from a Cornell technician and there are, so far, no known misuses of the data. The university sent a letter to those individuals whose records were on the computer, offering a free year of credit services. It has also set up an FAQ page on the Cornell Web site.
Full Story