Monday, December 7, 2009
New Massachusetts Regulations Go into Effect in March
Now is the time to start gearing up for compliance with the Bay State's strict new data protection regulations, reports the Boston Herald. The rules take effect in March. Businesses that ignore them "could be at risk," said Bob Baker of the Smaller Business Association of New England. The regulations are widely considered the strictest in the nation. They require entities that possess personal information on any Massachusetts resident to employ certain measures to protect that data. According to Barbara Anthony of the Massachusetts Office of Consumer Affairs, the goal of the law is to "create a culture of security consciousness with respect to the handling of personal information." Editor's note: Privacy Tracker subscribers, for a compliance guide on the Mass. data protection regulations, visit the Privacy Tracker Web site.
Full Story
All covered businesses should follow these guidelines carefully. What will happen within the next 12 months is that this will become a federal set of regulations, and at that point there will be no time to argue over compliance and exemptions. Smart companies will put this sort of program in effect prior to that.
Thursday, December 3, 2009
Two Important Stories
These two stories, although seemingly unrelated, point out two aspects of identity theft that are very much related. In January of this year the Kaiser Permanente Group headquarters in Oakland, CA experienced a breach of employee personal information from its Human Resources offices. The person charged with the theft was a temporary worker in that office.
We see in these stories the relationship between the current economic climate, a crime of opportunity that will generate cash for the thief, temporary workers who have no real sense of responsibility to the employer, and the irrefutable fact that while we can be diligent with our personal information, it is mostly in the hands of businesses and governments, and out of our control.
Business owners and privacy specialists need to take stock of company risk by assessing their internal systems, putting in place policy guidelines for employees who deal with sensitive information, and establishing procedures for handling breaches when they occur.
All individuals need to be reminded that their ultimate information security policy should include tools to deal with these corporate breaches that result in identity theft. One cannot correct one's own insurance or SSA files, DMV records, and other databases once they have been corrupted by identity theft fallout. We need the help of professionals in the business of restoring the identities of fraud victims.
Medical ID Theft on the Rise
The recession has contributed to a rise in medical identity theft, and as health records move online, the problem is expected to worsen, reports the Wall Street Journal. "Medical identity theft is the fastest-growing form of identity theft," says Jim Quiggle of the Coalition Against Insurance Fraud. Most of the fraud occurs at the hands of healthcare workers who are paid to sell patients' information, the report states. Incidents of medical identity fraud are highest in states with large retiree populations. Experts advise consumers to monitor their medical and credit records, keep insurance cards private and avoid providing personal information over the phone.
Full Story
'Tis the season to keep an eye on temporary workers, according to the general manager of the Payment Card Industry Security Standards Council. "Vigilance is key," Bob Russo told Computerworld, adding that it's a good time of year for managers to "hover over" workers. Russo says that temps, especially, can pose a data security risk to businesses. He recommends that organizations conduct background checks and training, and says they should take care to get their access controls in place. Other tips include monitoring the use of handheld scanners, reviewing log data daily and implementing "hard" firewall policies.
Full Story
Monday, November 30, 2009
Breached Data Records Skyrocket
Anyone who is still of the impression that data breach is a fading issue needs to understand this.
The people that are actively seeking to steal and sell sensitive personal information are getting better at it. This is large-scale international crime and the profits are tremendous.
Often the persons responsible for the collection of these data are not the identity thieves. The lists and files are sold as many times as is feasible to anyone who can pay. Organizations from al Qaeda to international underground immigration rings have been linked to the use of stolen identifiable information to further their operations.
In the speaking engagements I do, I always advocate the use of common sense when it comes to safeguarding your personal information, but also point out that almost all identity theft is the result of large-scale data theft and therefore cannot be protected against by us as individuals.
If there is any one lesson I hope everyone takes from this, it is to understand the scope of data theft and identity theft. To understand it is to be able to secure ourselves much as we do for our health, by having a mitigating protection such as we do with healthcare insurance. But keep in mind that identity theft "insurance" per se cannot replace money lost to identity theft, only out-of-pocket expenses incurred by you, the victim, in pursuit of clearing up an identity theft episode. Only a restoration service can clear up records and reinstate the victim to pre-theft status.
Wednesday, November 25, 2009
Keeping Personal Data Private
The Personal Data Privacy and Security Act of 2009 went to the full Senate earlier this month and a New York Times editorial says that Senate leaders should find the time to vote on it. Sponsored by Vermont Senator Patrick Leahy, the bill "would put more protections in place for personal data" and would fill the gap in federal data protection legislation. "There are many important issues competing for Congress's attention," the editors state, "but keeping people's personal information safe should rank high on the list." The bill would criminalize the concealment of security breaches and mandate encryption, among other requirements.
Full Story
Happy Thanksgiving everyone!
Monday, November 16, 2009
Another Suit Filed Over Red Flags Rule
The American Institute of CPAs (AICPA) has filed a lawsuit against the Federal Trade Commission (FTC) over the Red Flags Rule, reports WebCPA.com. AICPA says the FTC is wrong to interpret that the rule should apply to accountants. The Red Flags Rule requires that financial institutions and creditors take certain measures to prevent and recognize identity theft. "We do not believe that there is any reasonably foreseeable risk of identity theft when CPA clients are billed for services rendered," said AICPA president and CEO Barry Melancon. Late last month a U.S. District Court judge granted an American Bar Association motion to prevent the FTC from holding practicing attorneys accountable to the rule.
Full Story
Anyone who has read or even scanned the Red Flags legislation cannot help but see that it is intended to lower the incidence of identity theft through a sensitivity to and understanding of what some of the causes are. Attorneys seem to be more sensitive to having oversight from outside their ranks than to stopping identity theft. I am pretty certain, however, that when an attorney suffers at the hands of identity thieves they want to know what the company whose compromise caused the theft had done to safeguard their information prior to the breach. Not wanting to lose their own thunder, the lobbyists for CPAs feel the need for their own exemption. That is evident in the statement by Mr. Melancon, who mistakenly links billing to theft. It isn't the billing, Mr. Melancon; it's the data lying about in your company waiting for someone to walk out with it on a CD, or to hack your servers and get it.
Again, "When you safeguard the information you keep on others you are protecting them. When someone else does it they are protecting you."
Monday, November 2, 2009
Red Flags Delayed Until June 1, 2010
Read the FTC Announcement:
http://www.ftc.gov/opa/2009/10/redflags.shtm
And in a related story I am sorry to report:
The American Bar Association is celebrating a ruling by the U.S. District Court for the District of Columbia barring the Federal Trade Commission (FTC) from applying the requirements of the Red Flags Rule to attorneys.
"This ruling is an important victory for American lawyers and the clients we serve," ABA President Carolyn B. Lamm said in a written statement. "The court recognized that the Federal Trade Commission's interpretation of the Fair and Accurate Credit Transactions Act (FACTA) over-reaches and its application to lawyers is unreasonable. By voiding the FTC's interpretation of a statute that was clearly not intended to apply to the legal profession, the court has ensured that lawyers stay focused on the mission of their work: providing aid and counsel to the individuals and organizations that need us."
The FTC is expected to appeal the Court's ruling. FTC General Counsel Willard Tom said, "It's safe to assume the Commission is going to consider its options very seriously. We think there is no reason lawyers should be exempt."
Read more:
Ruling bars application of FTC 'Red Flags Rule' to legal profession
http://www.wisbar.org/AM/Template.cfm?Section=News&Template=/CM/ContentDisplay.cfm&ContentID=87099
I hope the legal profession is aware that a lot of people (including me) are going to pay close attention to the security practices of law firms. This means, of course, that law firms will no longer be tossing paper client records into dumpsters, as has happened several times in the last year and, if police reports are accurate, seems to be a favorite way for law firms to dispose of old records. As I reported last year, I also had two encounters where a county Superior Court judge handed out materials on recycled paper containing personal and banking information that had previously been entered into evidence. The way I see it, the legal profession has shown itself to be not only ignorant of the intention of the laws but also, due perhaps to industry hubris, unable to bear being regulated by an outside authority.
When your or my identity is misused by thieves as the result of a law firm's lax information security practices, will we really care that they successfully lobbied for exemption from a procedure that might well have prevented the crime from even happening? What are they celebrating, a win?
Thursday, October 29, 2009
The FBI Favors A National Breach Notification Standard
Full Story
I've long said that unless the states can get together and pass comprehensive legislation to enforce data breach notification, the Federal government will.
Then there is this from Javelin Research:
Breach Notifications Fall Flat on Consumers
The Credit Union Times reports on study findings that suggest consumers do not understand the importance of data breach notifications and, as a result, fail to protect themselves from fraud. Javelin Strategy and Research says that consumers who have been notified of a breach of their data were four times more likely than the public at large to experience fraud, the report states. The firm said that 19 percent of consumers who received a data breach notification over the past year have become the victims of fraud within a year of the notification.
Full Story
Perhaps federal regulations will also help to improve public awareness. In my experience almost no one is aware of the breadth of identity theft and its various permutations until they get some honest education on the subject. Then, almost to a person, they see the beauty of notifications and what that can mean as an early warning. They also usually see the great benefit of having a good service in place ahead of time.
When you are a victim of identity theft, what do you really want in a service? Do you want an "Insurance Policy", or do you want comprehensive restoration? Since insurance can ONLY replace out-of-pocket expenses incurred when trying to perform your own restoration, what is the point of underwritten insurance?
How about credit monitoring? Is that of any real help if there isn't any follow-up to work with the victim to clear the erroneous notations and record entries? Again, without restoration no monitoring service is of any substantial value.