Wednesday, October 28, 2009

Red Flags Exemptions for Small Businesses

This is very important for all business owners to read.

The U.S. House of Representatives this week unanimously passed legislation that would exempt certain small organizations from complying with the Red Flags Rules.

H.R. 3763 unanimously passed the U.S. House of Representatives this week, and would amend FACTA and the component Identity Theft Red Flags Rule to exclude health care, accounting, and legal practices with 20 or fewer employees from having to comply with the regulations, set to be enforced starting next month.

Also, the bill would create a provision to enable other businesses to apply for exemption. To be exempt from complying with the regulation, the bill stipulates that a business would have to meet at least one of the following guidelines:
It must know all of its customers or clients individually;
It must only perform services in or around the residences of its customers; or
It must not have experienced incidents of identity theft, and identity theft must be rare for businesses of its type.
The bill now will move to the U.S. Senate Committee on Banking, Housing, and Urban Affairs for a vote.

It is not yet known whether this pending bill will further delay the FTC's enforcement of the Red Flags Rule, which is currently set to begin on 1 November 2009. Read more:
New ID theft rules may not pertain to small businesses
by: Angela Moscaritolo, SCMagazine.com

Friday, October 16, 2009

Which Story to Post? Payroll company loses PII, and Underreporting losses

It isn't often that I am faced with a decision as to which story to post here. I generally shy away from reporting specific breaches unless the particular story reinforces a point I am trying to stress, perhaps regarding employee training, or simple gross negligence in the face of what should be common knowledge amongst the business community.
In this case, however, I found two such stories on the same day and have them both here for you.

The Washington Post reports that, for the second time in a month, hackers have gained the login credentials of PayChoice clients. The company sent a notice to customers yesterday to let them know that thieves had exploited a weakness in the password-change component of the company's online payroll portal, the report states. PayChoice has since disabled the site and modified logins. In its e-mail alert to clients, PayChoice said "...we determined that valid user credentials...were used in an unauthorized manner to...have payments made to fraudulent bank accounts."

There is simply no excuse for a payroll company to have such an incident in light of the laws in effect (the FACTA Red Flags Rules specifically) that require it to take specific precautions to prevent just such a breach.

This next item shows clearly that giving breached entities discretion as to whether and when to report breaches serves no one. People whose information has been mishandled or lost while in the trust of an organization have the right to know about their increased risk so that they can take appropriate steps to protect themselves. That is the problem I and others have with reporting laws that give wide discretion to not report, or to delay reporting, information losses.

The results of an audit involving the loss of Connecticut taxpayers' data show the state took too long to determine whether confidential information was compromised, reports The Day. The names and Social Security numbers of 106,000 Connecticut taxpayers were exposed when a Department of Revenue Services (DRS) employee's laptop was stolen from a parked car. "DRS botched its initial response to the theft," said AG Richard Blumenthal, who took part in the audit. "Inexcusably, our tax agency exposed more than 100,000 taxpayers for nearly a week to possible plundering of personal assets." But Blumenthal hailed DRS for tightening access controls, encrypting data and developing data breach procedures since then.

Thursday, October 15, 2009

Extraordinary Quote

"The more people who have your data, the greater likelihood that either they're going to lose it or a rogue employee will abuse it," said Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University.

We could use more people like Fred Cate.

Wednesday, October 14, 2009

IRS Personal Identity Security Issues

The Internal Revenue Service says that efforts to help protect taxpayers from identity fraud, spearheaded by the agency's Online Fraud Detection and Prevention Office, are paying off. The agency points to more than 3,000 suspected phishing and fraud-related Web sites being shuttered since the office opened in 2007. However, Government Computer News reports that the IRS also struggles with internal data security, and that hundreds of taxpayers were affected by 149 breaches last year. A Government Accountability Office report said the "IRS has information security weaknesses that increase the likelihood of IRS employees committing identity theft," which the IRS attributes to weakness in authorization and authentication.

Every federal agency is struggling with these issues. This is yet another reminder that information security is a paramount problem. Personal information is fast becoming the most valuable asset within any enterprise: not just company secrets, but personal information on employees and customers. Our information is in many places where we have no control over its security. Even the agencies and enterprises holding it have no absolute control, as you see here. At last count, in 2008, approximately 62% of all breaches were the result of employees taking the data out of the office for the purpose of selling it or using it themselves for financial gain.

Friday, October 9, 2009

So Much for Red Flags?

A Maryland Bank Tosses Personal Records in the Trash.

I am shocked, but frankly not surprised, to see this story. Even though banks were among the businesses that were supposed to be Red Flags compliant prior to November 2008, I can guarantee that many are not. It is just as obvious that they do not take seriously the intention of training as outlined in the FACT Act (where the Red Flags Rule comes from). FACTA supplemental material from the FTC makes training an important component of any data protection program. I don't think anyone who reads this column would have done something as irresponsible as tossing out personal records so haphazardly. The reason is that you are aware of the risks. Prepare the bank employees with the same sensitivity and this story would not have needed to be written. It's not as much about signing off on a compliance document as it is about understanding why compliance needs to be done. Since it is the rank-and-file employee who handles personal information on the job, it is not sufficient for banks and other businesses to orient only management staff. Security is only as good as the weakest link.

A number of customers in Rodgers Forge, Maryland were upset to learn that the institution which recently took over the local branch of the former Bradford Bank has been less than protective of their personal and banking information. Baltimore television station ABC2 reports that pages of documents were found discarded and unshredded in a trash bin outside the bank. Among them were bank statements and security-related information, days-old cancelled checks and photocopied driver's licenses. IAPP past president Chris Zoladz, CIPP, founder of the privacy consultancy Navigate LLC, comments on the breach.

Wednesday, October 7, 2009

What is a Financial Institution or Creditor?

When I speak to business owners about the new Red Flags Rule (FACTA), I am often confronted by a common response: "We are not a financial institution." I hear that from law firms, accountancies, stock brokerages, and many other types of businesses that, by the definitions below, are financial institutions.

In an attempt to clarify once and for all what the Federal Trade Commission considers a “creditor” or a “financial institution,” the links below will hopefully provide a definitive explanation.

The FTC recently clarified that “creditors” covered under the Red Flags Rule are as defined by the Equal Credit Opportunity Act (ECOA). This broad ECOA definition of creditor includes any business that bills or invoices customers after products are delivered or services are rendered.

The ECOA definition includes many small businesses and professionals such as contractors, consultants, lawyers, doctors, retailers and a spectrum of clinics and practices in the health care industry including those that submit medical insurance claims on behalf of patients.

From my business experience, the ECOA definition covers almost every business, and many public and volunteer sector organizations too, because at least on occasion most of them bill or invoice for goods or services after they are delivered. An FTC staff attorney said that if a business bills more than once every two years, it should consider itself covered.

Congress Seeks Repeal of HHS Breach Rule

Members of the House Committee on Energy and Commerce are concerned that the data breach notification provision included in the HITECH Act may have been undermined by a Health and Human Services rule, known as the "harm threshold," which gives breached companies leeway in deciding whether notice may be required. In a letter to HHS Secretary Kathleen Sebelius, committee chair Rep. Henry Waxman (D-CA) and other members of the committee urged the secretary to revise or repeal the provision, published in late September. Privacy watchdogs claim the HHS rule was drafted under pressure from the healthcare industry to eliminate possible financial repercussions stemming from a health information data breach.

I was heartened to see this news item. As I have said before, harm thresholds give too much discretionary power to the breached entity in determining whether, and whom, to notify of a breach of NPI. The point of notification laws is twofold: to put teeth in data protection legislation so that private and public enterprises will take heed, and to give potential victims the advantage of an early warning when a breach does occur, giving them the opportunity to respond and protect themselves.

While investigators of data breaches need a modicum of discretion so as not to reveal information that might compromise the discovery of evidence, it is the responsibility of the company or agency to make certain the victims are aware of the breach(es).

No business can really afford the fallout from a data breach, both in lost public confidence and in direct financial losses and fines. A proactive approach to information protection is essential, including identity theft awareness training for all staff regardless of job title.