Group items tagged

US senators have drafted legislation that would give the federal government unprecedented authority over the nation's critical infrastructure, including the power to shut down or limit traffic on private networks during emergencies. The bill would also establish a broad set of cybersecurity standards that would be imposed on the government and the private sector, including companies that provide software, IT work or other services to networks that are deemed to be critical infrastructure. It would also mandate licenses for all individuals administering to strategically important networks. The bill, which is being co-sponsored by Senate Commerce Committee chairman John Rockefeller IV and Senator Olympia Snowe, was expected to be referred to a senate committee on Wednesday. Shortly after a working draft of the legislation began circulating, some industry groups lined up to criticize it for giving the government too much control over the internet and the private companies that make it possible. "This gives the president too much power and there's too little oversight, if there's any at all," said Gregory Nojeim, senior counsel at the Center for Democracy and Technology. "It gives him the power to act in the interest of national security, a vague term that has been broadly defined." Nojeim was pointing to language in the bill that permits the president to "order the limitation or shutdown of internet traffic to and from any compromised federal government or United States critical infrastructure information system or network" after first declaring a national cybersecurity emergency. A separate provision allows the executive in chief to "order the disconnection of any federal government or United States critical infrastructure information systems or networks in the interest of national security." "It applies to any critical infrastructure," Nojeim added. "Surely, the internet is one." The bill would also require NIST, or the National Institute of Standards and Techn

The Federal Trade Commission had some sharp words for Internet advertising companies Thursday, saying that they simply are not disclosing how they collect information about users well enough. And the agency threatened that the industry had better get its act together - or else. Or else what? Well, that's a bit harder. The commission has limited ability to issue binding regulations on advertising practices, and the process is cumbersome. But if the agency were to say that its attempt over the last few years to have Internet companies voluntarily bolster their privacy standards has failed, it could encourage Congress to pass online privacy legislation. Indeed, two members of the commission - Pamela Jones Harbour, an independent, and Jon Leibowitz, a Democrat - issued statements saying that while they support the commission's action, they hope for further regulation and possibly legislation on the issue. What the commission issued Thursday was the final version of its principles for online behavioral advertising - that is, ads shown to you based on something you did in the past. The agency issued its first draft of these at the end of 2007 and spent more than a year digesting comments. These principles were meant to spur various Internet groups to create self-regulatory standards for their members. And one group, the Network Advertising Initiative, did publish new rules. The top recommendation was that users should be given clear notice about what information was collected and an easy way to tell sites to stop watching them. "What we observe is that, with rare exception, is not the rule for any Web sites," said Eileen Harrington, the acting director of the commission's bureau of consumer protection, in an interview Thursday. "It is far more commonplace to put the information in the midst of lengthy and hard-to-understand privacy policies."

This week, the Government Accountability Office issued a report related to privacy and security issues at FDA and another report about the agency's plans to modernize its IT systems, Government Health IT reports. Privacy and Security Report On Monday, GAO released a report suggesting that FDA has not included sufficient privacy and security protections in its plans for a medical product safety monitoring system called the Sentinel Initiative. The system would use data from insurance companies, academic institutions, government agencies and health care providers to track the performance of medications and medical devices. According to the FDA Amendments Act of 2007, the initiative would have access to data from 25 million people by mid-2010 and 100 million people by mid-2012 (Foxhall, Government Health IT, 6/2). For the report, GAO conducted an audit of FDA's planning process for Sentinel from May 2008 to May 2009.

Companies in the technology, media and telecommunications industries (TMT) significantly reduced investment in security spending in 2008, according to a new survey from Deloitte Touche Tohmatsu. The third edition of the Deloitte TMT Global Security Survey reveals that 32 percent of respondents reduced their information security budgets, while 60 percent of respondents believe they are "falling behind" or still "catching up" to their security threats -- a significant increase from 49 percent over the previous year. "This year's results indicate companies are explicitly scaling back. With funding decreasing and the threats increasing, it is more important than ever for TMT companies to be highly cost efficient in addressing their security risks," said Irfan Saif, a principal in Deloitte & Touche LLP's Audit and Enterprise Risk Services practice. "Companies that do not have a sound understanding of their security risk profile, or who under-invest in security now, may find themselves exposed to significant and increasingly sophisticated threats that they are not equipped to mitigate." With the proliferation of digitized assets, security should claim a significant portion of a company's overall IT budget. However, only 6 percent of respondents allocate 7 percent or more of their total budget to IT security. This year represents a significant decline from the previous edition of the survey, which showed that 36 percent of the respondents allocated 7 percent or more of their budget to IT security. The survey also indicates that declining security investment is hindering adoption of new security technologies, with only 53 percent of respondents considering their organizations to be early adopters, or part of the early majority, down from 67 percent in 2007. Companies are focusing more effort on optimizing solutions that are already in place rather than investing in cutting-edge technology that can be capitalized upon during economic recovery.

Indianapolis - New developments suggest another drug store giant may face punishment for trashing your privacy. Now, Walgreens wants to settle its case - whether the state wants to or not. 13 Investigates discovered personal information in drugstore dumpsters in Indiana and across the country. WTHR exposed the problem at CVS and Walgreens pharmacies three years ago, and the Indiana attorney general's office has been investigating ever since. Walgreens says it finally has a settlement with the state - or does it? "We reached an agreement on the material terms of a settlement agreement," Walgreens attorney Stacy Cook told the Indiana Pharmacy Board Monday morning. The attorney general's office disagreed. "There was never an agreement that was reached," said Deputy Attorney General Morgan Wills. The attorneys met with the pharmacy board at Walgreen's request because the nation's second-largest drug store retailer says it had a deal the attorney general's office backed out on. "It's simply that they've changed their mind," Cook said. The attorney general's office admits it had started to negotiate terms of a settlement with Walgreens in January, but the state later decided to halt its settlement negotiations when the federal government announced a $2.25 million settlement with Walgreens' rival CVS.

Heartland Payment Systems Inc. said it was experiencing losses this quarter as a direct result of a massive data breach it disclosed in January when investigators discovered a malicious program sniffing credit card data passing through its systems. The company said it took a $2.5 million loss for the quarter as a result of spending more than $12.6 million in legal bills, fines from MasterCard and Visa and administrative costs. The announcement was made during the company's financial earnings call, where Carr said the costs associated with the breach could continue to climb. "Our defense of the claims regarding the processing system intrusion remains ongoing," he said. "Much of the legal work remains to be done and it is difficult to anticipate when these matters will come to a conclusion." Carr also admitted for the first time that since the Princeton, N.J.-based processing giant announced a breach of its systems, some of the payment processor's clients have switched to competitors as a result of the breach. He said some competing processors resorted to scare tactics. "We have had many competitors that have been very supportive and professional, and we certainly don't want to tar all of our competitors with the same brush," Carr said. "We have had some competitors telling merchants falsely that they would be fined $10,000 a day if they stay with Heartland. We think we're through the worst of that." Car said less than $1 million of the breach costs were fines levied by MasterCard and Visa against the company's sponsored banks. The fines are being contested, he said. More than $500,000 relates to a fine assessed by MasterCard against the sponsored banks in which the card company said Heartland failed to take appropriate action upon learning that a breach was suspected. Carr said the fine is in direct violation of both the MasterCard rules and law.

We've all heard the argument before: "Why should you worry about the government looking into your personal records if you have nothing to hide?" Daniel J. Solove, an associate professor of law at The George Washington University Law School, analyzes that argument in a recently published paper titled "I've Got Nothing to Hide and Other Misunderstandings of Privacy." Solove argues that "the question assumes faulty assumptions about privacy and its value." Those who make the "nothing to hide" argument fail to understand the chilling effect that surveillance has on public discourse, the fact that small bits of private data (which an individual may not object to being uncovered) when put together form a larger and more intimate profile (which an individual may object to), and the mistake of having one's profile mistakenly associated with a group that is labeled as threatening. Here's an excerpt from the paper, which was published in the latest issue of the San Diego Law Review: [T]he problem with the "nothing to hide" argument is that it focuses on just one or two particular kinds of privacy problems - the disclosure of personal information or surveillance - and not others. It assumes a particular view about what privacy entails, and it sets the terms for debate in a manner that is often unproductive. It is important to distinguish here between two ways of justifying a program such as the NSA surveillance and data mining program. First is to not recognize a problem. This is how the "nothing to hide" argument works. It denies even the existence of a problem. The second manner of justifying such a program is to acknowledge the problems but contend that the benefits of the NSA program outweigh the privacy harms. The first justification influences the second, for the low value given to privacy is based upon a narrow view of the problem. The key misunderstanding is that the "nothing to hide" argument views privacy in a particular way - as a

The Federal Trade Commission today approved a final consent order settling claims that CVS Caremark violated customers' privacy and the Health Information Portability and Accountability Act (HIPAA) when it failed to dispose of records properly last year. Earlier this year, CVS Caremark agreed to settle FTC charges that it failed to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers and employees, in violation of federal law. In a separate but related agreement, the company's pharmacy chain also has agreed to pay $2.25 million to resolve Department of Health and Human Services allegations that it violated HIPAA regulations. "This is a case that will restore appropriate privacy protections to tens of millions of people across the country," said FTC chairman William Kovacic following the settlement. "It also sends a strong message to other organizations that possess consumers' protected personal information. They are required to secure consumers' private information." Under the final consent order, CVS Caremark is required to rebuild its security and confidentiality program, which will be audited every two years for the next 20 years. The HHS settlement requires the company to develop a new training program to instruct employees on how to handle patient data.

A disconnect exists between federal government CIOs, CISOs and IT hiring managers and the human resources professionals charged with finding qualified candidates with cybersecurity skills, according to a just-published report. The report, Cyber In-Security: Strengthening the Federal Cybersecurity Workforce from the Partnership for Public Service, concludes that IT managers are less satisfied than their HR counterparts with the quality of cybersecurity recruits and the time it takes to hire IT security personnel. "The human capital management process is broken; operations and HR people should be joined at the hip and collaborate across the government," the report quotes Norman Lorentz, former chief technology officer at the White House Office of Management and Budget. Indeed, one third of chief information officers, chief information security officers and IT hiring managers surveyed for the report expressed unhappiness with candidate quality vs. 10 percent for HR managers. Sixty-one percent of HR managers vs. 40 percent of IT managers expressed satisfaction with candidate quality (see chart).

A New Jersey credit-card processor disclosed a data breach that analysts said may rank among the biggest ever reported. Heartland Payment Systems Inc. said Tuesday that cyber criminals compromised its computer network, gaining access to customer information associated with the 100 million card transactions it handles each month. The company said it couldn't estimate how many customer records may have been improperly accessed, but said the data compromised include the information on a card's magnetic strip -- card number, expiration date and some internal bank codes -- that could be used to duplicate a card. Heartland, of Princeton, N.J., processes transactions for more than 250,000 businesses nationwide, including restaurants and smaller retailers. Avivah Litan, an analyst at research company Gartner, called it the largest card-data breach ever, based on her conversations with industry executives. Previously, the largest known breach occurred when around 45 million card numbers were stolen from retail company TJX Cos. in 2005 and 2006. Robert Baldwin, Heartland's president and chief financial officer, said it was too early to say how many records were accessed and that calling it the largest-ever breach would be "speculative." Representatives of Visa Inc. and MasterCard Inc. alerted Heartland to a pattern of fraudulent transactions on accounts the processor handled sometime last fall, Mr. Baldwin said. But an internal investigation and audits failed to detect a security breach. Last week, however, a forensic investigator discovered evidence of the breach. Mr. Baldwin said Heartland was targeted with malicious software that was "light-years more sophisticated" than malevolent programs commonly downloaded from the Internet.

Google has released a more detailed privacy policy for its Google Books product, a move demanded in recent weeks by several critics of its settlement with publishers and authors. The company announced the new policy in a blog post late Thursday afternoon, saying it developed the policy following conversations with the U.S. Federal Trade Commission. Google had previously said it was unable to release a detailed policy because the Google Books product was incomplete due to the fact that the settlement allowing its Book Search project to display certain types of books has yet to be formally approved. However, criticism of Google's lack of detailed information on the subject appears to have forced its hand. "To provide all users with a clear understanding of our practices, and in response to helpful comments about needing to be clearer about the Books product from the FTC and others, we wanted to highlight key provisions of the main Google Privacy Policy in the context of the Google Books service, as well as to describe privacy practices specific to the Google Books service," wrote Jane Horvath, general privacy counsel for Google, in a blog post.

A privacy researcher is urging Netflix to cancel its next research contest, before it results in potentially millions of dollars in damages for invasion of its customers' privacy. "Netflix should cancel this new, irresponsible contest," Paul Ohm wrote in a blog affiliated with Princeton University's Center for Information Technology Policy. On Monday, the company awarded $1 million to the winners of its first competition, aimed at developing technology to improve its ability to predict what movies its customers will like. Ohm worries the information the company is about to release as test data for the second contest isn't as anonymous as Netflix may think.

Things to think about for auditors during a downturn

As IT environments are becoming more complex, enterprises are relying on them more than ever before, said Michael Juergens, principle at Deliotte & Touche, told attendees at an ISACA CACS audit and compliance conference. He identified 10 areas in which complexity makes IT more difficult to monitor. "This list is designed to get you thinking about your environments and if currently scheduled IT audit procedures will evaluate this risks," Juergens said. "The list is in no particular order, is by no means a comprehensive list, and will vary by environment. There may be a greater or lesser risk depending on your industry, technology, business processes, and other factors," he added. He said that auditors should make a careful risk assessment at any enterprise that uses external cloud computing solutions. A key risk for compliance is simply keeping track of the data and recovering it if part of the cloud goes down. IT administrators must have insight into the cloud to enable forensics if an investigation is required. Juergens added that virtualization, often a key component of private clouds, carries the same risks as public clouds. The key issue is finding and tracing data, which can move to different servers within a virtualized environment. During this economic downturn, many companies will face disgruntled employees and will need to be able to control their access. "Specific attention items should be: timely removal of access, periphery security, internal security architecture, physical security and badge location, help desk procedures, workstation security and IDS management," Juergens said. Layoffs can harm an organization even without disgruntled employees. Many help desks and incident response teams will be understaffed, and Juergens advised that now is a good time to re-examine security procedures. A related risk could occur if an employee takes on the responsibilities of another, combining tasks that were previously segregated for compliance purposes. En

It was only a matter of time! Auditor accuracy being examined in lawsuit may signal change in PCI and other compliance processes.

When CardSystems Solutions was hacked in 2004 in one of the largest credit card data breaches at the time, it reached for its security auditor's report. In theory, CardSystems should have been safe. The industry's primary security standard, known then as CISP, was touted as a sure way to protect data. And CardSystems' auditor, Savvis Inc, had just given them a clean bill of health three months before. Yet, despite those assurances, 263,000 card numbers were stolen from CardSystems, and nearly 40 million were compromised. More than four years later, Savvis is being pulled into court in a novel suit that legal experts say could force increased scrutiny on largely self-regulated credit card security practices. They say the case represents an evolution in data breach litigation and raises increasingly important questions about not only the liability of companies that handle card data but also the liability of third parties that audit and certify the trustworthiness of those companies. "We're at a critical juncture where we need to decide . . . whether [network security] auditing is voluntary or will have the force of law behind it," says Andrea Matwyshyn, a law and business ethics professor at the University of Pennsylvania's Wharton School who specializes in information security issues. "For companies to be able to rely on audits . . . there needs to be mechanisms developed to hold auditors accountable for the accuracy of their audits." The case, which appears to be among the first of its kind against a security auditing firm, highlights flaws in the standards that were established by the financial industry to protect consumer bank data. It also exposes the ineffectiveness of an auditing system that was supposed to guarantee that card processors and other businesses complied with the standards. Credit card companies have touted the standards and the auditing process as evidence that financial transactions conducted under their purview are secur

If you can't measure it, you can't manage it. If you don't even know what it is...

Even IT professionals are confused about what constitutes Web 2.0, according to a survey released Wednesday by web security vendor Websense and research firm Dynamic Markets. According to the survey, of 1,300 information technology managers across 10 countries, 17 percent of respondents correctly identified all the items on the survey that can be considered Web 2.0. IT administrators commonly identified the "obvious" Web 2.0 sites -- such as the social networking sites Facebook and LinkedIn, Dave Meizlik, director of product marketing at Websense, told SCMagazineUS.com on Tuesday. They also commonly identified blogs and micro blogs, such as Twitter, as Web 2.0. But, respondents less frequently identified other sites as Web 2.0, including iGoogle and Wikipedia, Meizlik said. Only half of respondents identified video uploading sites, such as YouTube, as part of Web 2.0, the survey found. David Lavenda, vice president of marketing and product strategy at security vendor Worklight, told SCMagazineUS.com on Wednesday that IT administrators know they need to secure the enterprise from Web 2.0 threats, but are not always sure what those threats are. "When you go to organizations where security is really important -- financial and government organizations -- and ask, 'What's your fear of Web 2.0?,' they say, 'I really don't know, but we hear enough stories of people being compromised that we don't want to take a chance.' That's the most common answer." Lavenda said.

Hunch.com helps users search for answers -- but first, it performs a detailed search on the users themselves. Launching today after a year in development, Hunch aims to supply users with computer-generated advice on thousands of lifestyle and consumer questions: What kind of dog should I buy? What should I get dad for Father's Day? Which book by George Orwell would I like? Most important, though, Hunch is not a search engine. Rather than scouring the open Web for information, as Google, Microsoft's new Bing and scores of others do, or collating written opinions, as Amazon.com does, Hunch computes answers by comparing what it knows about you to what it knows about people like you. "Ultimately, what we're doing is providing a kind of shortcut through human expert systems," said Hunch founder Caterina Fake, who also started Flickr.com, the popular photo-sharing site that was acquired by Yahoo in 2005. By first inviting users to answer as many as 1,500 questions about themselves -- an addictive kind of personality test that involves such diverse questions as political orientation, relationship status and whether you believe in UFOs and keep your closet organized -- Hunch looks to assemble a demographic profile whose depth could rival anything in the commercial universe. The New York company also believes that users stand to benefit from this kind of large-scale data farming -- not just from getting better answers, but also from discovering the many microdemographics to which they belong. Hunch also says it will not sell user data to marketers. But this promise, written into the site's privacy policy, is not precisely a legal contract, said Siva Vaidhyanathan, a new-media scholar at the University of Virginia, and the difference leaves the data it collects in a fuzzy domain.

"The inspector general of the National Archives and Records Administration is investigating a potential data breach affecting tens of millions of records about U.S. military veterans, Wired.com has learned. The issue involves a defective hard drive the agency sent back to its vendor for repair and recycling without first destroying the data. The hard drive helped power eVetRecs, the system veterans use to request copies of their health records and discharge papers. When the drive failed in November of last year, the agency returned the drive to GMRI, the contractor that sold it to them, for repair. GMRI determined it couldn't be fixed, and ultimately passed it to another firm to be recycled. The incident was reported to NARA's inspector general by Hank Bellomy, a NARA IT manager, who charges that the move put 70 million veterans at risk of identity theft, and that NARA's practice of returning hard drives unsanitized was symptomatic of an irresponsible security mindset unbecoming to America's record-keeping agency."

"* To pay all costs tied to administration of settlement * To pay class members' attorney costs Dec 21 (Reuters) - Credit card processor Heartland Payment Systems Inc (HPY.N) said it would settle consumer cardholder class actions tied to claims arising from breach of its system by cyber thieves, and pay up to $2.4 million to class members submitting valid claims. Heartland agreed to pay a minimum of $1 million to class members and take up settlement-related administration costs, including up to $1.5 million for the cost of notice to the settling class. The company will pay up to $760,000 of the costs of attorneys representing the class members. Heartland said it could terminate the deal if costs of notice exceeded $1.5 million, or if it received more than 2,500 requests for exclusion from the settlement class. The deal settles all intrusion-related proceedings by consumers who used the payment cards between Dec. 6, 2007 and Dec. 31, 2008, including those who may allege to have suffered losses, the company said in a statement. Heartland, which agreed to pay $3.6 million last week to settle claims with American Express Co (AXP.N) related to the criminal breach, reported in January this year that cyber thieves hacked its payment system and stole credit card information. Shares of the New Jersey-based company were down 18 cents at $13.29 Monday morning on the New York Stock Exchange. "

"On October 6, 2009, the Federal Trade Commission ("FTC") announced proposed settlement agreements with six companies over charges that they falsely claimed membership in the U.S. Department of Commerce Safe Harbor program. In six separate complaints, the FTC alleged that ExpatEdge Partners LLC, Onyx Graphics, Inc., Directors Desk LLC, Collectify LLC, and Progressive Gaitways LLC deceived consumers by representing that they maintained current certifications to the Safe Harbor program when such certifications had previously lapsed. The terms of the proposed settlement agreements prohibit the companies from misrepresenting their membership in any privacy, security or other compliance program. The six enforcement actions are significant as they mark a considerable uptick in the FTC's enforcement related to the Safe Harbor program. The FTC recently brought its first enforcement action relevant to the program, which is detailed in our post titled FTC's First Safe Harbor Enforcement Action. The European Union Data Protection Directive requires EU Member States to implement legislation that prohibits the transfer of personal data outside the EU unless the EU has made a determination that the laws of the recipient jurisdiction are substantially equivalent to those of the EU, and thus provide "adequate" protection for personal data. Because the EU has determined that laws of the United States do not meet its adequacy standard, the U.S. Department of Commerce and the EU developed the Safe Harbor Framework, which went into effect in November 2000. The Safe Harbor Program allows participating U.S. companies under the jurisdiction of the FTC or the U.S. Department of Transportation to transfer personal data lawfully from the EU. To join the Safe Harbor, a company must self-certify to the U.S. Department of Commerce that it complies with seven principles that have been deemed to meet the EU's adequacy standard. To maintain its certification to the Safe Harbor

Heartland Payment Systems Inc., which announced a breach of potentially millions of credit and debit cards last month, said it plans to vigorously defend itself against lawsuits filed as a result of the data breach. In a filing with the Securities and Exchange Commission, Heartland Chairman and CEO Robert Carr acknowledged the claims that cardholders, card issuers, the credit card brands, regulators, and others have asserted, or may assert, against the payment processor as a result of the breach and the impact it could have on the business. Several class action lawsuits have been filed against Heartland, claiming that the payment processor issued belated and inaccurate statements when it announced a security breach of its systems. Carr He said the company could not "reasonably estimate the potential impact of the breach on the day-to-day operations" of the business. "We intend to vigorously defend any such claims and we believe we have meritorious defenses to those claims that have been asserted to date," Carr said. "At this time we do not have information that would enable us to reasonably estimate the amount of losses we might incur in connection with such claims." The Princeton, N.J.-based payment processor announced Jan. 20 that its systems were breached last year when intruders installed malware to pilfer data crossing the company's network. Since then, Sherriff's authorities in Tallahassee, Fla. arrested three suspects for using stolen credit card numbers to make purchases at local Wal-Mart stores. The credit card numbers used by the trio were allegedly stolen from the Heartland processing center in New Jersey. Carr said the company's sales force was doing well despite the obvious challenges caused by the combination of the downturn in the economy and the data security breach. The payment processor's current customer base has responded positively, he said. "In the weeks since our announcement of the breach, we have installed more margin, and have a bit