Group items tagged

The PCI DSS standard was released back in December 2004 and was quickly hailed as one of the most important private-industry data security standards ever developed. Over the past few years, however, amid a steady stream of news about breaches and thefts, the PCI DSS standards has been roundly criticized. At a congressional hearing this month, one congresswoman said, "I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure." Many would agree. A case in point noted by Network World: The breach at Hannaford Brothers, where hackers installed malware on the grocery store chain's internal servers to seize card numbers as they were swiped by customers. Hannaford was certified a PCI DSS-compliant company as the scam was in progress. Heartland Payment Systems, before its scam broke in the news, was also certified compliant by Visa. Visa defends the standard as a way to minimize theft if properly implemented, and you certainly can't blame PCI DSS entirely for recent thefts. For all we know, there would have been many more if not for the standard. Still, the general view is that the PCI DSS standard has become overly complex and has done little thus far to stop fraud, as fraud artists get sophisticated technologically.

"The Identity Theft Resource Center (ITRC) reported its annual breach data for 2009 last week, and for the first time malicious attacks were more frequently identified as the source of those breaches than human error. In its "2009 Data Breach Report," the ITRC found 498 publicly disclosed breaches last year, down from 657 the year before. The downturn could have resulted from changes in breach disclosure, rather than a real drop-off in system compromises, the organization says. Interestingly, paper breaches now account for 26 percent of data leaks, up 46 percent compared to 2008. Malicious attacks outnumbered breaches attributed to human error for the first time in the three years the report has been compiled. The business sector accounted for 41 percent of data breaches, up from 21 percent the year before. Approximately 222 million records were compromised, the organization says -- and about 130 million of those came from the single breach at Heartland Payment Systems. Out of 498 breaches, only six reported they had either encryption or other strong security features protecting the exposed data, the ITRC says . "

Expect more action from the FTC on data privacy breeach

Federal regulators on Tuesday met to hear about whether the benefits of cloud computing justify increased regulation, as privacy activists claim, or whether such an approach would do more harm than good. "We need to be smarter about dealing with technology, and cloud computing is posing (a) risk for us," said Hugh Stephenson, deputy director for international consumer protection at the Federal Trade Commission's Office of International Affairs. The FTC convened the two-day meeting in its offices here, which follows a series of similar workshops held in previous years on topics like spam, privacy, and behavioral advertising. The agency may file lawsuits to halt "unfair or deceptive acts or practices," meaning that if cloud computing is not unfair or deceptive, the FTC would likely not have jurisdiction. To secure personal information on the cloud, regulators may have to answer questions such as which entities have jurisdiction over data as it flows across borders, whether governments can access that information as it changes jurisdiction, and whether there is more risk in storing personal information in data centers that belong to a single entity rather than multiple data centers. The current panoply of laws at the state, national, and international level have had insufficient results; FTC Commissioner Pamela Jones Harbour cited a 2008 PricewaterhouseCoopers information security survey (PDF) in which 71 percent of organizations queried said they did not have an accurate inventory of where personal data for employees and customers is stored. With data management practices that are not always clear and are subject to change, companies that offer cloud-computing services are steering consumers into dangerous territory, said Marc Rotenberg, executive director of the Electronic Privacy Information Center. Already, problems of identity theft are skyrocketing, he said, and without more regulation, data management services may experience a collapse analogous to that

CSOs in healthcare organizations know that the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law in February 2009, includes new privacy requirements that experts have called "the biggest change to the health care privacy and security environment since the original HIPAA privacy rule." These include: New requirements that widen the definition of what Personal Health Information (PHI) information must be protected and extend accountability from healthcare providers to their business associates; Lower thresholds, shorter timelines, and stronger methods for data breach victim notification; Effective immediately, increased and sometimes mandatory penalties with fines ranging from $25,000 to as much as $1.5 million; More aggressive enforcement including authority to pursue criminal cases against HIPAA-covered entities or their business associates. No doubt, the HITECH Act raises the stakes for a data breach. But regulations aside, data breaches can hurt your organization's credibility and can carry huge medical and financial risks to the people whose data is lost. We've managed hundreds of data breaches and helped thousands of identity theft victims. Through this we've learned firsthand that compliance doesn't necessarily equal low risk for data breach. For the well being of the business and patients, healthcare organizations and their partners need to take the most comprehensive approach to securing PHI.

Legal woes may be next for Heartland Payment Systems, a payment processor that reported a major security breach this week. Depending on the results of the ongoing investigation, Heartland is likely to face the threat of litigation from issuing banks, merchants and consumers, says Scott Vernick, an attorney with Fox Rothschild LLP in Philadelphia, who specializes in data theft cases. "The businesses that use Heartland as a credit card processor, as well as thousands of consumers, will be anxiously watching for any negative impact, including harm to their business reputations, and the real possibility of identity theft or fraud," says Vernick. The fact that Heartland's systems were certified as being fully in compliance with data handling rules, called the PCI standards, raises questions about the efficacy of such standards. Hannaford Brothers grocery chain was likewise fully PCI compliant when it had 300 stores hacked and 4.3 million record swiped..... "This latest incident shows how, despite companies being compliant with regulations such as PCI, they are still a long way from being secure," says Mike Rothman, senior vice president of strategy at elQnetworks.

Canadians who travelled to the United States in 2008 are being advised to check their credit-card statements and watch for signs of identity theft after a massive security breach at a U. S.-based company that processes millions of credit cards. Canada's Privacy Commissioner said yesterday she was shocked to learn that New Jersey-based Heartland Payment Systems, which processes credit-card transactions for more than 250,000 businesses in the United States, had found "malicious software" in its operating system. "I'm amazed to see something this significant can still happen with the importance that not only privacy commissioners, but experts everywhere, are placing on security," Jennifer Stoddard said. "I was concerned to see this going on and the size of it." Tech experts say the hack could be one of the largest ever credit-or debit-card data breaches, and that Canadians should watch closely for signs of identity theft.

Johns Hopkins is alerting more than 10,000 of its hospital patients that they may have been victims of identity theft. An investigation suggests a former employee who worked in patient registration may have been linked to a scheme to create fake drivers' licenses in Virginia, according to this letter from Baltimore-based Hopkins to the Maryland attorney general's office. Most of the patients are at very low risk, the letter says - they're included because the former employee accessed their records in the course of her work. But a few dozen have already been identified as likely victims, and a few hundred who have Virginia mailing addresses and whose records were accessed by the former employee may also be at risk. Hopkins is offering those patients credit monitoring, fraud resolution and identity-theft reimbursement for certain expenses.

Internet scams, phishing, identity theft and other attacks that exploit your personal data are always a threat when you shop online, set up an email account, use a credit card, manage an online bank account or carry your Social Security card. There is hope, however, for fighting these threats, and you can start by taking back control of all of your personal data. The 50 tips and tools in this list will help you understand how these scams originate, how to protect yourself online and offline, and how to track down your personal data on the Internet. Web Privacy Protect yourself and your data online by choosing a secure Web browser, understanding the dos and don'ts of wireless security, and correctly managing passwords.

Monster.com is advising its users to change their passwords after data including e-mail addresses, names and phone numbers were stolen from its database. The break-in comes just as the swelling ranks of the unemployed are turning to sites like Monster.com to look for work. The company disclosed on its Web site that it recently learned its database had been illegally accessed. Monster.com user IDs and passwords were stolen, along with names, e-mail addresses, birth dates, gender, ethnicity, and in some cases, users' states of residence. The information does not include Social Security numbers, which Monster.com said it doesn't collect, or resumes. Monster.com posted the warning about the breach on Friday morning and does not plan to send e-mails to users about the issue, said Nikki Richardson, a Monster.com spokeswoman. The SANS Internet Storm Center also posted a note about the break-in on Friday. USAJobs.com, the U.S. government Web site for federal jobs, is hosted by Monster.com and was also subject to the data theft. USAJobs.com also posted a warning about the breach. Monster.com has been checking for misuse of the stolen information but hasn't yet found any, it said. It has made changes since discovering the break-in but won't discuss them because it doesn't discuss security procedures publicly and because it is still investigating the incident, Richardson said. She also would not disclose the volume of data stolen, but said the company decided it would be prudent to alert all of its users via its Web site.

The Veterans Affairs Department has agreed to pay up to $20 million to veterans for exposing them to possible identity theft in 2006 after losing their sensitive personal information. In court filings Tuesday, lawyers for the VA and the veterans said they had reached agreement to settle the veterans' lawsuit alleging invasion of privacy. The money will be used to pay for veterans who suffered actual harm, such as emotional distress or expenses incurred for credit monitoring. The lawsuit came after a VA data analyst in 2006 admitted that he had lost a laptop and external drive containing the names, birth dates and Social Security numbers of up to 26.5 million veterans and active-duty troops. The laptop was later recovered intact.

There is pervasive fear of identity theft. Victims spend an extraordinary amount of time and money recovering from it. The government is doing something about it, but businesses may not be pleased to hear that the government's latest action is another unfunded mandate. New rules concerning identity theft prevention at financial companies go into effect on Friday May 1, 2009, but for most organizations, complying with the FTC's Red Flags Rule could be as simple as writing down rules and procedures already in place and having them certified by the Board. The rules are about procedures, not about data security, said Tiffany George, attorney for the division of privacy and identity protection at the FTC. She spoke on Tuesday at the FTC's workshop for businesses held on the campus of Fordham University in New York City. "The Red Flags Rule covers what to do when, despite our best efforts, thieves steal data," she said. As new regulations go, the FTC's Red Flags Rule will be less painful than many other recently enacted rules. For example, while Sarbanes-Oxley is considered a burden to many public companies, requiring several full-time staff, the Red Flags Rule can likely be handled by legal or compliance staff already in place.

U.S. authorities announced what they believed to be the largest hacking and identity theft case ever prosecuted on Monday in a scheme in which more than 130 million credit and debit card numbers were stolen. Three men were indicted on charges of being responsible for five corporate data breaches in a scheme in which the card numbers were stolen from Heartland Payment Systems, 7-Eleven Inc and Hannaford Brothers Co, federal prosecutors said in a statement. The suspects also hacked two unidentified corporate victims, the U.S. attorney's office in New Jersey said in the statement. Prosecutors allege Albert Gonzalez, 28, of Miami, and two unnamed Russian coconspirators targeted large corporations by scanning the list of Fortune 500 companies and exploring corporate websites before setting out to identify vulnerabilities. The suspects would seek to sell the data to others who would use it to make fraudulent purchases, the statement said.

The state's highest court told Bergen County yesterday to release 8 million pages of real estate documents -- including mortgage information -- to fulfill a request filed under the state's public records law, but that Social Security numbers included in them must be kept private. The justices also said the company requesting the information should pay the $460,000 it will cost the county to remove the Social Security numbers from records spanning more than two decades. The court unanimously agreed that the documents, requested by a business that wants to sell electronic access to this information, are public records under the state's Open Public Records Act. But it stressed some of the personal information, if released, would hurt residents. "The request was made on behalf of a commercial business planning to catalogue and sell the information by way of an easy-to-search computerized database. Were that to occur, an untold number of citizens would face an increased risk of identity theft," Chief Justice Stuart Rabner wrote for the court. Bergen County officials called the decision a victory for all New Jersey residents concerned about identity theft.

The recent U.S. stimulus bill includes $18 billion to catapult the health industry toward the world of electronic health records. This is sure to light a fire under every hungry security vendor to position itself as the essential product or service necessary to achieve HIPAA compliance. It should also motivate healthcare IT professionals to learn where their sensitive data is located and how it flows. To be sure, with federal money allocated through 2014 for the task of modernizing the healthcare industry there will be many consultant and vendor businesses that will thrive on stimulus money. Healthcare is unique in that storage of electronic health records is highly distributed between primary care physicians, specialist doctors, hospitals, and insurance/HMO organizations. Information has to be efficiently shared among these entities with great sensitivity towards patient privacy and legitimate claims processing. Patients want to prevent over zealous employers from performing unauthorized background checks on medical history; claim processors want to prevent paying fraudulent claims arising from targeted patient identity theft. The bill has two provisions which turn this into a tremendously challenging plan, and a daunting task for securing patient data: * Citizens will have the right to monitor and control use of their own health data. This implies a large centralized identity and access control service, or perhaps a federated network of patient registration directories. Authenticated users will be able to reach into the network of health databases audit use of their data and payment history. * Health organizations suffering loss of more than 500 patient records must publicly disclose the breach, starting with postings on the government's Health and Human Services website. This allows related organizations to trace the impact of the breach throughout the healthcare network, but care must be taken not to disclose vulnerabilities in the system to intruders

Don't expect a letter from Monster or Heartland Payment Systems letting you know they've lost your data. The breaches at Monster.com and Heartland Payment Systems are raising questions about the efficacy of data-loss disclosure laws enacted in at least 45 states. Back in 2007 we wrote about how the financial services industry lobbied hard to block proposed federal rules requiring organizations to notify individuals whose data they lose, and to permit consumers to freeze their credit histories. States such as California and Massachusetts have passed laws giving consumers these rights. But the Monster and Heartland capers have brought weaknesses in the legislation to center stage. I asked Lisa Sotto, head of privacy and information management at law firm Hunton & Williams, about this: Q: Heartland and Monster told me they intend to comply with all state laws. That said, they have not announced plans to notify individual victims. Is that OK? A: In the state breach notification laws, it is permissible to delay notification if a law enforcement agency determines that notification would impede a criminal investigation. If such a delay is requested by law enforcement, notification must be made after the law enforcement agency determines that notice would not compromise the investigation. I do not know if these companies received a delay request from a law enforcement agency. Q: Monster says it chose not to email individual victims because the bad guys could then replicate that message and use it as a phishing template. That makes sense. But is that allowed by state consumer protection laws? A: There are now 45-plus state laws and they are not uniform. Typically, notice is provided via first class mail, but there are provisions in the state laws allowing for electronic notice as well. Q: The only official notices from Heartland and Monster so far has been one-page disclosures posted on a web site. Does that cover them? A: There are provisions in the state laws al

As your day ticks by, it seems that everything you do can leave a data trail. From your purchases online to the resumes you post, to health care transactions made with your insurance cards, you probably are exposing your own personal data to possible snooping, fraud, or identify theft. "Having so much sensitive information available makes it even more difficult for other organizations to release information that is effectively anonymous," says Latanya Sweeney, associate professor of computer science, technology and policy, and director of Carnegie Mellon's Data Privacy Lab. Sweeney demonstrated that birth date, gender and 5-digit ZIP code is enough to identify 87 percent of people in the U.S. One year ago, Sweeney started to pull together a group of faculty who were looking at issues relating to privacy and security, and working toward possible solutions. In the Internet age, few areas of our private lives-and what U.S. Supreme Court Justice Louis Brandeis called "the right to be left alone"- remain untouched by technology. Lorrie Cranor, associate research professor in the School of Computer Science, and director of Carnegie Mellon's Usable Privacy and Security Laboratory, describes Carnegie Mellon as "the place to be for privacy research." She explains, "There's a concentration of researchers and experts here that you just don't find at any other university." So how do these Carnegie Mellon experts suggest you protect yourself when you find the information technology that drives your everyday life to be more sophisticated than you are? Here is a sample of some of their creative solutions-your wake-up call for keeping your data "self" both private and secure.

There were only two of us on the graveyard shift. "If it's not locked up," a colleague at my first newspaper declared as he snatched a folder of papers from our boss' desk and strode towards the office copying machine, "Xerox it." (Old-tongue for photocopy.) That was long before CDs, and USB drives and, certainly, iPods, but the lesson was the same. If you are stupid about protecting company information, shame on you. I guess that's the message behind the "revelation" released in a survey this week that the majority of people who leave their jobs, voluntarily or otherwise, are taking company information with them. Lots of it. My reaction was the same as when I watched my fellow journalist grab and copy whatever it was that had been so carelessly left in the open. I shrugged. (We are by nature an overly curious species, and that overrides our normally dominant ethics gene.) Data Loss Risks During Downsizing conducted by the Ponemon Institute and sponsored by Symantec, was apparently designed to test the hypothesis that in this dire economy (ominous music in background), former employees are going to take important company information out the door. And, in fact, the poll of 945 former employees who left their jobs or were dismissed in the last 12 months showed that 59% stole company data. What kind of data? Email lists, non-financial business information and customer information, including contact lists. Not the secret formula for Coke, not the clinical trial reports on a cure for cancer, no insider information on proposed mergers and acquisitions. Not even a few thousand credit card numbers. Hardly worthy of shock and dismay. This is what a lot of people do when they leave jobs. Are they supposed to? No. Is it wrong? Yeah, but it's sort of like cheating on taxes. Folks rationalize it in a variety of ways, or it just doesn't weigh heavily enough on their conscience to set off an internal alarm. Most of the people who took data - 79% â

"In light of a spike in identity theft and the frequency with which personal information is stored on portable devices, the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) have expanded Generally Accepted Privacy Principles (GAPP) to include protocols for securing and disposing of personal information. "Safeguarding personal information is one of the most challenging responsibilities facing an organization, whether such information pertains to employees or customers," said Everett C. Johnson, CPA, chair of AICPA/CICA Privacy Task Force and a past international president of ISACA, a global information technology association. "We've updated the criteria of our privacy principles to minimize the risks to personal information." GAPP offers guidance and best practices on securing portable devices, breach management and ensuring continued effectiveness of privacy controls. The guidance additionally covers disposal and destruction of personal information. The principles are designed for chief privacy officers, executive management, compliance officers, legal counsel, CPAs and CAs offering technology advisory services. "Portable tools such as laptops and memory sticks provide convenience to employees but appropriate measures must be put in place to secure them and the data they contain," said Donald Sheehy, CA.CISA, CIPP/C, associate partner with Deloitte (Canada) and a member of the AICPA/CICA Privacy Task Force. "We must stay abreast of technological advances to assure that proper measures are put into place to defend against any new threats." Created by the AICPA/CICA Privacy Task Force, GAPP is designed to help an organization's management team assess an existing privacy program or address privacy obligations and risks. The principles provide a framework for CPAs and CAs to offer privacy services to their clients and employers, such as advisory services, privacy risk assessments and attestation or

Up to 21,000 Floridians may have been affected by a data breach at Wyndham Hotels & Resorts last year, prompting Attorney General Bill McCollum to ask consumers to keep a close eye on their credit statements. According to a statement released today, Wyndham reported to the Attorney General's Office that it contacted affected consumers in December and notified them that unauthorized access to Wyndham systems had potentially compromised their personal data on their debit and credit cards. The data breach has since been disabled. McCollum encouraged consumers to report any suspicious activity on their accounts to law enforcement. Affected consumers are encouraged to take precautionary steps, including obtaining a free fraud alert from one of the credit reporting agencies. Anyone who believes they may be a victim of identity theft should also request that the national credit bureaus place a fraud alert on their credit reports. Consumers should notify banks and creditors involved of questionable charges or accounts, keep records of all telephone calls and follow up in writing with credit bureaus, banks and creditors.

Some American Express card members' accounts may have been compromised by an employee's recent theft of data, the company said Thursday. American Express Co. spokeswoman Susan Korchak said a "relatively small portion" of card members was involved, but declined to be more specific. The former employee has been arrested and the company is investigating how the data was obtained, she said. The company is in the process of notifying affected card members by letter. In one such letter sent last week, American Express Privacy Officer Alfred Silipigni said he was informing the member of "an unfortunate issue" concerning his card. "We recently learned that certain account data was acquired without authorization by an employee who is no longer with the company," he wrote. "The former employee has been arrested, and we are cooperating with law enforcement authorities with their ongoing investigation." American Express declined to disclose any more details about the incident beyond what was in the letter. The company has put additional fraud monitoring and protection controls on the accounts at issue, Korchak said. American Express has about 39 million corporate, small business and consumer cards in force in the United States.