Group items tagged

The U.S. Supreme Court Monday accepted an appeal by several groups that brought a constitutional challenge to the Public Company Accounting Oversight Board created by 2002 changes in federal accounting laws. The free-enterprise groups and a Nevada accounting firm sued to stop the Securities and Exchange Commission from naming members of the accounting board, set up by Congress to oversee public-company accountants. "In creating the board, Congress deliberately sought to test the outer boundaries of its ability to reduce presidential power," the groups said in the appeal. The groups, in their lawsuit, claimed the U.S. Constitution required board members to be appointed by the president or the SEC chairman, rather than the entire commission for the securities agency. The Supreme Court's decision to hear the appeal breathes new life into the case, which didn't get much traction in lower courts. The U.S. Solicitor General's office, in court briefs, had urged the high court to reject the appeal, calling it a "poor vehicle" to resolve the constitutional issues raised by the challengers. "The president's control over the SEC is constitutionally sufficient and the act in turn grants the SEC complete and pervasive control over every aspect of the board's authority," Solicitor General Elena Kagan wrote. A U.S. federal judge dismissed the lawsuit in 2007 and the Washington-based U.S. Federal Circuit Court of Appeals also rejected the challenge in a 2-1 decision last year. The private, nonprofit board is charged with inspecting and disciplining public company accountants. The case is the Free Enterprise Fund vs. the Public Company Accounting Oversight Board, 08-861. Oral arguments will be held in the fall, and a decision is expected by July 2010.

At last, my summer reading list is complete!

In what it described as an historic document, the National Institute for Standards and Technology issued a special report entitled Recommended Security Controls for Federal Information Systems and Organizations. Special Publication 800-53, Revision 3, is historic in nature. For the first time, and as part of a continuing initiative to develop a unified information security framework for the federal government and its contractors, NIST has included security controls in its catalog for national security and non-national security systems in its latest revision, No. 3, of Special Publication 800-53. "The important changes described (in the publication) are part of a larger strategic initiative to focus on enterprise-wide, near real-time risk management; that is, managing risks from information systems in dynamic environments of operation that can adversely affect organizational operations and assets, individuals, other organizations, and the nation," Ron Ross, NIST's Federal Information Security Management Act implementation project leader, said in a message incorporated into the 220-page report. According to the document, the updated security control catalogue incorporates best practices in information security from the Department of Defense, intelligence community and civilian agencies to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems.

Data classification is a cornerstone of good privacy & security management. If you can measure it, you can manage it, right? First you have to know where it is.

Why classify data? Classifying data can help make data more accessible (or less accessible) to the users in your environment who need it. For example, suppose the Human Resources department created a folder on the file server within their department called Litigation. In this folder they place files that are needed for any litigation the company is associated with. The permissions on the folder are configured so that HR employees can edit the contents of the folder and add documents. Senior management can read the documents in the litigation folder, and the HR manager can remove documents that are no longer needed. The question is, how is it determined that a document is no longer needed and how do we apply these criteria to existing files in such a way that minimizes user interaction with them? The new classification feature in Windows Server 2008 R2 makes it possible to automatically assign classification information to files on file servers and apply policy to them based on that information. Classification in Windows Server 2008 R2 consists of several elements: properties, rules, and a policy segment including reporting and file management. Properties are the fields that you wish to assign a value for, and the rules are the criteria that set these values. There are other methods of classification available as well, including applications and scripts. More detailed examination of the methods of configuring the File Classification Infrastructure will follow in a future post. For the above example, a rule would be used to label a set of files in the Litigation folder. Adding a label such as Litigation-Case Number X (where X is the number of the case) can allow easy organization of files for each litigation case. When the classification rule is run against the specified folder, all files meeting the rule conditions would be classified with an appropriate label. You could use an expiration date here, but doing that might require reclassification of files if the ex

Identity thieves are getting more clever and are increasingly using stolen information to get driver's licenses, employment and government assistance, according to a new report. The survey by the Identity Theft Resource Center also found that the greater awareness of this problem by the public has led to more people discovering they are victims themselves, through monitoring of their bank accounts and credit card statements. Typically, victims learned of their identity theft when they were denied a job or credit or were informed by law enforcement. "Most of our information is beyond our control," said Linda Foley, co-founder of the Identity Theft Resource Center, which surveys victims each year to see how identity theft is changing. "If a thief wants to get it, he will find a way to get it." The report covers the experiences of around 100 of the 1,500 people who were victimized in 2008 and contacted the center, a nonprofit that helps people recover from identity theft. Stolen personal information is now cheap - identities may sell on the black market for as little as 60 cents each - and thieves churn through them quickly to lower their chances of getting caught, Foley said. Rather than opening 10 or 20 credit card accounts in a victim's name, they now open two or three, charge as much as they can and move on to the next person. This raises the cost of identity theft to businesses, whose average loss to fraud nearly doubled last year to $90,107, up from $48,941 the year before.

With identity theft on the upswing, Aram Langhans thought he was simply being prudent when he asked the Yakima Heart Center to remove his Social Security number from its files. "They had my insurance card and my driver's license. What else did they need?" said Langhans, a retired public school teacher insured by Group Health. Langhans said he was initially hooked up to a portable heart monitor that he was to wear for 24 hours, but the disagreement over his Social Security number prompted upper-level personnel to change their minds. He said moments after the device was attached, he was sent to a restroom to remove it and turned away. Shawnie Haas, administrator of the Heart Center, an independent outpatient group practice, declined to discuss the incident. But she said in an e-mail statement that the practice protects patients' privacy. "The Yakima Heart Center is careful to collect data pertinent to ensuring accuracy of our patient's medical record. Routine information collected for all patients includes name, address, date of birth, Social Security number, gender, and other specific information that helps us verify that individual's identity and insurance enrollment or coverage data. We are careful to maintain confidentiality of all patient information in our system." According to state and federal regulators, private insurance companies have moved away from using Social Security numbers for patient identification. But health-care providers in the Yakima Valley say they routinely collect them as "backup" in the event that patients' insurance doesn't pay the claim.

Indianapolis - New developments suggest another drug store giant may face punishment for trashing your privacy. Now, Walgreens wants to settle its case - whether the state wants to or not. 13 Investigates discovered personal information in drugstore dumpsters in Indiana and across the country. WTHR exposed the problem at CVS and Walgreens pharmacies three years ago, and the Indiana attorney general's office has been investigating ever since. Walgreens says it finally has a settlement with the state - or does it? "We reached an agreement on the material terms of a settlement agreement," Walgreens attorney Stacy Cook told the Indiana Pharmacy Board Monday morning. The attorney general's office disagreed. "There was never an agreement that was reached," said Deputy Attorney General Morgan Wills. The attorneys met with the pharmacy board at Walgreen's request because the nation's second-largest drug store retailer says it had a deal the attorney general's office backed out on. "It's simply that they've changed their mind," Cook said. The attorney general's office admits it had started to negotiate terms of a settlement with Walgreens in January, but the state later decided to halt its settlement negotiations when the federal government announced a $2.25 million settlement with Walgreens' rival CVS.

Social networking sites are often used by government ministers as an example of the profound way attitudes to privacy have changed. They argue that the young generation invade their own privacy to a far greater extent than the government ever would. The implication is that the older people who object to government intrusion are living in the past. The response to this is that people who use social networking sites voluntarily reveal things about themselves and have a degree of control of over how long information and photographs stay in the public domain, while the government collects and stores information without permission and allows the subject no access to the data held. There is no obvious comparison between the two activities. But this doesn't let the social networking sites off the hook. Most internet companies claim a kind of morality free status when it comes to such issues as privacy and copyright, and Web 2.0 sites are no different. A study published this week by Cambridge PhD students shows that nearly half of all social networking sites retain copies of photographs after being "deleted" by users. The study examined 16 popular websites that host user-uploaded photos, including social networking sites, blogging sites and dedicated-photo-sharing sites. Seven of the 16 sites surveyed were still maintaining copies of users' photos after they had been deleted by the user. The researchers - Jonathan Anderson, Andrew Lewis, Joseph Bonneau and lecturer Frank Stajano - found that by keeping a note of the URL where the photo is actually stored in a content delivery network, it was possible for them to access the photo even after it had been deleted.

Heartland Payment Systems CEO discusses breach, previews speech Not a week had passed after the announcement of what some have described as the largest data breach ever, when the CEO of Heartland Payment Systems, Robert Carr, began calling for better industry cooperation and new efforts directed at preventing future breaches. Recently, Carr announced that trials will begin late this summer on an end end-to-end encryption system Heartland is developing with technology partners. It is expected to be the first system of its kind in the U.S. The company is also pushing for an end-to-end encryption standard. At the upcoming Practical Privacy Series in Silicon Valley, Carr will discuss the Heartland breach and the role industry, including privacy professionals, must play to prevent future breaches. Here's a preview: IAPP: Many companies have experienced breaches. What made yours different? Ours was different because we are a processor and had passed six years of PCI audits with no problems found. Yet, within days of the most recent audit, the damage had begun. IAPP: Did you have a chief privacy office or a privacy professional on staff before your breach? Do you now? Ironically, when we learned of the Hannaford's breach, we hired a Chief Security Officer who started just three weeks before the breach began. IAPP: In the era of mandatory breach reporting, what is the trajectory of consumer reaction? As a processor it is difficult to really know this. Our customers are merchants who accept card payments. IAPP: Do you think consumers will become numb to breach notices? I believe that many are numb to so many intrusion notices. IAPP: Are breach notices good public policy? Do the notices provide an incentive for companies to change or improve practices? I don't think so. Nobody wants to get breached and the damage caused by a breach is sufficient reason for most of us to do everything we can to prevent them. IAPP: What has Heartland done differentl

A majority of business executives believe that they have a right to know what their employees are doing on social-networking sites, but most workers say it's none of their bosses' business, according to a new survey by Deloitte. The survey was conducted in April with about 2,000 U.S. adults. Of the 500 respondents with managerial job titles (vice president, CIO, partner, board member, etc.), 299, or 60%, agreed that businesses have a right to know how employees portray themselves or their companies on sites like Facebook and MySpace. But 53% of employee respondents said their profiles are none of their employers' business, and 61% said that they wouldn't change what they were doing online even if their boss was monitoring their activities. That disagreement, says Sharon Allen, chairman of Deloitte's board and the sponsor of the survey, is one that companies need to address, particularly as these sites have become part of younger workers' lives. "It does, in fact, tee up the challenging debate or discussion that needs to take place to try to resolve both of their concerns," she said. Few businesses are having that conversation, according to the survey, though many executives indicated that it was on their minds. When asked what their company's policy was regarding social-networking use, roughly a quarter (26%) of employees said they knew of specific guidelines as to what they could and couldn't post. Similar numbers said their office didn't have a policy or they didn't know if their company had a policy - 23% and 24%, respectively.

The owner of a website onto which a purportedly stolen Goldman Sachs Group Inc computer code was downloaded has declined to say whether or not other people accessed the code while it was on the site. Roopinder Singh, who runs file storage website xp-dev.com, told Reuters in London on Friday that computer files show whether or not the valuable code -- which U.S. prosecutors have charged former Goldman employee Sergey Aleynikov with stealing -- was viewed by others, but he declined to say what they show due to the scale of the case. According to Singh, accounts at xp-dev.com initially have a privacy setting that only lets the user see them. However, users can change that setting to allow other people to view files. "Private is the default," he said. "You then have the option ... You can explicitly either share it (or keep it private)." He declined to say what the settings on Aleynikov's account were.

Following complaints from Republicans, the White House has shut down a two-week-old e-mail tip line launched to take reports from citizens of "disinformation about health insurance reform." "An ironic development is that the launch of an online program meant to provide facts about health insurance reform has itself become the target of fear-mongering and online rumors that are the tactics of choice for the defenders of the status quo," wrote White House new media director Macon Phillips in announcing the change. "The White House takes online privacy very seriously," he added. The e-mail tip line, flag@whitehouse.gov, was launched Aug. 4 as part of the White House's Health Insurance Reform Reality Check effort, a campaign-style rapid-response effort reminiscent of the war room Obama for America launched in the summer of 2008 to fight online rumors about the then-senator's patriotism and religion. But coming from the head of state, rather than a political candidate, the new effort quickly sparked concern among Republicans about the propriety of government collecting information on private citizens' political speech.

Joshua Corman would seem an unlikely critic of IT security vendors. After all, he works for one. Yet Corman, principal security strategist for IBM's Internet Security Systems division, is speaking out about what he sees as eight trends undermining the ability of IT security practitioners to mount an effective defense against online outlaws. Having worked for the vendor side, Corman says he is uniquely positioned to grasp its weaknesses up close. And so, with a PowerPoint presentation on the "8 Dirty Secrets" of the market in hand, he has traveled to seminars and worked the phones, hoping to motivate a change for the better. Here is the breakdown of those 8 dirty secrets and what Corman sees as practical ways to keep the vendors honest. [Related podcast: The Dark Side of the Security Market] Click here to find out more! Dirty Secret 1: Vendors don't need to be ahead of the threat, just the buyer This is the problem that leads to the seven "dirty secrets" that follow. In essence, Corman said, the goal of the security market is to make money, not to ensure the customer's security. Tom Vredenburg, regional IM manager for Houston-based Wartsila Corp., said Corman's take is consistent with what he has experienced in the trenches. "Not only has security become a phantom deliverable, but the vendors themselves have become equally tough to pin down and evaluate. Are they software sellers or risk managers? Are they service providers or network designers? Am I buying partnerships or licenses? Most of them don't know themselves what they are -- only that they need to sell something that most people don't really want to buy in the first place -- insurance."

It's been repeatedly said that one of the biggest issues our culture is facing right now, and will continue to face in the years to come, is defining and coming to terms with the legality behind privacy issues. As our lives become increasingly wired, connected and monitored privacy becomes an increasingly pressing concern, especially since technology changes much faster than laws can keep up with. While privacy issues are important for adults to be aware of right now, from access to medical records to who can see into our houses, it's probably even more important for the next generation to know what the issues are and how it does and will affect them in the future. Prying Eyes: Privacy in the Twenty-First Century by Betsy Kuhn is a book written for teens and older kids about privacy issues today in America. It looks at new and developing technologies from cameras to RFID chips, the significant laws and court cases throughout our history that have dealt with privacy issues, and how it affects each of us. Kuhn does an excellent job of keeping her subject relevant, but not too focused. Kuhn manages to show how all of these issues matter and affect us without being scary. She never turns technology, corporations or even the government into something frightening. When this is a topic that could easily have been made scary, it's nice that Kuhn managed to walk that line and make this serious without being something to obsess over.

Has your management team asked the following four questions about your organization's internal controls? 1) Have we identified the meaningful risks to our objectives? 2) Which controls are "key controls" that will best support a conclusion regarding the effectiveness of internal control in a particular process? 3) What information will be persuasive in assessing whether the controls are continuing to operate effectively? 4) Are we presently performing effective monitoring that is not unnecessary and costly testing? These questions appear in a white paper, "Effective Internal Control Systems for Rapidly Changing Markets: A New Opportunity," packed with answers for GRC professionals wondering if there is a better way to operate. The paper, authored by the GRC experts at advisory firm SMART Group, clearly lays out how controls monitoring processes can and should align with the "Guidance on Monitoring" COSO published earlier this year to help organizations strengthen the effectiveness and efficiency of their internal controls frameworks. Among other useful how-to information, the 12-page paper includes a five-step "Implementation Guide" for creating a better controls-monitoring program.

As protests in Iran last month drew the world's attention, the top executives at a large global industrial goods company held a teleconference to consider their options. The meeting was hastily called, but the participants were not starting from scratch. In fact, the events unfolding in the country were strikingly similar to a scenario that they had developed, along with a handful others, in a 2008 offsite meeting focused on potential changes in their competitive environment. The workshop, the output, and the eventual impact on decision making represents a perfect illustration of how so-called scenario planning techniques can be utilized to help managers navigate in complex and uncertain environments. In the meeting the industrial company held last year, executives had discussed each scenario they developed, the potential triggers for each of them, and how the company should respond to each of these situations if it were to arise. Pulling out the notes from these discussions, they already knew their options and had a view on how they would like to respond. In many ways, they were prepared -- and already one step ahead of some other companies.

CSOs in healthcare organizations know that the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law in February 2009, includes new privacy requirements that experts have called "the biggest change to the health care privacy and security environment since the original HIPAA privacy rule." These include: New requirements that widen the definition of what Personal Health Information (PHI) information must be protected and extend accountability from healthcare providers to their business associates; Lower thresholds, shorter timelines, and stronger methods for data breach victim notification; Effective immediately, increased and sometimes mandatory penalties with fines ranging from $25,000 to as much as $1.5 million; More aggressive enforcement including authority to pursue criminal cases against HIPAA-covered entities or their business associates. No doubt, the HITECH Act raises the stakes for a data breach. But regulations aside, data breaches can hurt your organization's credibility and can carry huge medical and financial risks to the people whose data is lost. We've managed hundreds of data breaches and helped thousands of identity theft victims. Through this we've learned firsthand that compliance doesn't necessarily equal low risk for data breach. For the well being of the business and patients, healthcare organizations and their partners need to take the most comprehensive approach to securing PHI.

A law designed to keep college students' grades private often is used for a much different purpose -- to shield universities from potentially embarrassing situations. Some critics say a number of schools are deliberately misreading the Family Educational Rights and Privacy Act in order to keep scandals and other unflattering news from hitting the media. "Some schools have good-faith misunderstandings of the law, but there are others that simply see this as a handy excuse to hide behind," says Frank LoMonte, executive director of the Student Press Law Center, which provides student journalists with legal help. Legal experts say part of the problem is that the law is loosely defined. In addition, the potential consequences of violating the law -- namely, that schools would lose their federal funding -- prompt university officials to be conservative in their decisions about releasing information. Those complaints rankle advocates of student privacy, who say that, if anything, the three-decade-old law should be expanded. "Most of these kids are adults, and they should be able to make their own decisions," says Daren Bakst, president of the Council on Law in Higher Education. Congress already reworked the law to clarify when universities can disclose student information, especially involving health and safety matters. Those changes, adopted in January, followed the 2007 shooting rampage at Virginia Tech by a mentally troubled student.

Burger King's wildly popular Facebook application "Whopper Sacrifice," which rewards you with a free Whopper when you drop 10 friends, has been shut down. Social networking just got healthier. Last week, Burger King announced it was teaming up with social networking powerhouse Facebook for a special promotion: If you removed 10 people from your network of friends, the fast-food company would reward you with a coupon for a free Whopper. The story became an Internet sensation, but it's only now getting meatier. As it turns out, a notification feature on the "Whopper Sacrifice" application that lets your friends know they have been replaced by a shot at a free hamburger violates Facebook's privacy policy. "We encourage creativity from developers and companies using Facebook platform, but we also must ensure that applications follow users' expectations and privacy," the company said in a statement. "After extensive discussions with the developer, we've made some changes to the application's behavior to assure that users' expectations of privacy are maintained. The application remains active on Facebook."

You have an unlisted phone number, you guard your personal information, you shred your financial papers- so everything is private and safe, right? Would you be alarmed to know that even when you think things are private, a perfect stranger can look you up online, see your address, birth date, past addresses, and even see a photo of your home, down to the detail of your child's play set out in the back yard? Alarmed yet? You should be. Take a look at this website: www.zabasearch.com. Simply plug your name in, and you are likely to be surprised, and probably a bit distressed to see all the information that is readily available online. How could this happen? Easy. Virtually every major change in your life is recorded somewhere in a government document. When you are born, a birth certificate is issued. When you obtain a driver's license, get married, buy a house, file a lawsuit ' all of these events are recorded in public documents easily available to you and to others. Government records are intentionally public in order to enable citizens to monitor the government and to ensure accountability in our society. The challenge is to balance the public's right to information with the individual's right to privacy.

Privacy is Dead. Long Live Privacy? at the 2007 Battle of Ideas conference hosted by the Institute of Ideas.New technology seems to have changed the meaning of privacy, affording individuals the possibility of sharing details of their hitherto private lives in unprecedented ways, from personal blogs to picture sharing and even 'social bookmarking'. For many of us, divulging intimate details of our private lives via social networking websites like MySpace and Facebook has become the norm. But information and communication technologies have also facilitated surveillance and data gathering by government and big businesses. While in some contexts we seem so ready to give up our privacy, in others we seem increasingly anxious to protect it.To what extent are new technologies responsible for the death of privacy? Are privacy concerns simply technophobic, or are we right to worry about a loss of control over personal information? Have new technologies and our enthusiastic adoption of them actually transformed our notions of public and private, and blown apart the wall dividing the two? Why do we worry about Tesco monitoring what we buy, when, according to Sun Microsystems CEO Scott McNealy: 'You have zero privacy anyway. Get over it'? - IoI