Group items tagged

The US Department of Justice has asked for yet another extension to the judicial oversight of Microsoft's antitrust compliance in order to give the company more time to update its technical documentation. The original judgment had already been extended once to late 2009, but now the DOJ wants it extended again for another 18 months. The sanctions on Microsoft, which were agreed to in 2002 and originally set to expire in November 2007, are aimed at preventing the company from retaliating against hardware vendors that ship computers with alternatives to Microsoft's software products. An additional set of sanctions mandating interoperability API licensing had already been extended for another two years. When it came time for the decree to be lifted, however, Judge Colleen Kollar-Kotelly decided that Microsoft failed to provide protocol specification documents to competitors as required by the agreement. Because of this, she extended the oversight until November of 2009. In a document filed with Judge Colleen Kollar-Kotelly on Thursday, the DOJ requested another extension to her oversight of Microsoft's antitrust settlement, apparently because it feels Microsoft still has a ways to go before meeting the requirements. At the same time, a joint status report from Microsoft and the plaintiffs states that all parties seem to think that things are almost ready. "It is clear to Plaintiffs that Microsoft has made substantial progress in improving the technical documentation over the last two years," reads the report. "While the entire project has taken longer than any of the parties anticipated, the project is nearly complete." The request marks a reversal of the DOJ's previous position that it took in 2007 when it decided not to ask for an extension of the settlement while the attorneys general of ten states (the so-called California and New York Groups) pushed for extensions. At that time, the DOJ stated that it didn't believe that the standard for such an extension had b

To assist small businesses and other entities, the Federal Trade Commission staff will redouble its efforts to educate them about compliance with the "Red Flags" Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply. To give creditors and financial institutions more time to review this guidance and develop and implement written Identity Theft Prevention Programs, the FTC will further delay enforcement of the Rule until November 1, 2009. The Red Flags Rule is an anti-fraud regulation, requiring "creditors" and "financial institutions" with covered accounts to implement programs to identify, detect, and respond to the warning signs, or "red flags," that could indicate identity theft. The financial regulatory agencies, including the FTC, developed the Rule, which was mandated by the Fair and Accurate Credit Transactions Act of 2003 (FACTA). FACTA's definition of "creditor" includes any entity that regularly extends or renews credit - or arranges for others to do so - and includes all entities that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor. "Financial institutions" include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers.

A new report from the Progress & Freedom Foundation says that officials in some states want to pass legislation that would extend the Children Online Privacy Protection Act (COPPA) from covering children under 13 to covering teens until they're 18. COPPA, which became law in 1998, requires verifiable parental consent before a child under 13 can provide personally identifiable information to a Web site that caters to children. Expanding the law to cover teens till they're 18, according to the report, would "require Web sites to obtain more information about both minors and their parents, which runs counter to the original goal of the Act: protecting the privacy of minors." Ultimately, say the authors, "this would actually make minors less 'safe online.'" In this podcast, the report's co-author, PFF Senior Fellow Adam Thierer, explains the original COPPA law and why, in his opinion, the expanded law could have a chilling effect on the free speech rights of minors. The podcast runs 11:30

This year was an interesting year in privacy and information security, and by looking back, we can clearly discern trends that will likely be a major part of the security management landscape in 2009. More and more states passed breach-notification laws and several enhanced or extended existing legislation. Software-as-a-Service (SaaS) and virtualization really took off, and compliance's looming presence grew with PCI DSS version 1.2 and some actual enforcement of HIPAA. Of particular note was Massachusetts' data breach law 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth. This is to date the most comprehensive law of its kind, setting a new standard for what breach-notification laws should look like; it covers both paper and electronic records, it mandates appropriate security awareness training as well as security and risk assessments and, most importantly, requires companies to make changes to their security programs in accordance with the findings of those risk assessments. Similarly, California enhanced the well-known CA-1386 to include not just traditional financial information, but also health care and health insurance data as well. With new mandates popping up all the time, it's no wonder compliance was one of the biggest focus areas for enterprise information security teams in the past year, and this trend will clearly continue in 2009; there will be more regulation on both the state and federal levels, and stronger enforcement of existing regulations. Fines and other penalties for violations of PCI DSS and HIPAA will continue to rise, along with the inevitable rise in discoveries of malfeasance. As a result, there will be an even larger focus on compliance by upper management, which also means decreased time and budget for necessary security controls that don't clearly fall under a compliance umbrella.

Jan 15, 2009 There may be only a handful of days left in the Bush administration, but the brouhaha over White House e-mail retention policies promises to continue right up to the last day. A federal court yesterday extended a preservation order to ensure that the outgoing administration does everything it can to recover any missing White House e-mails. The White House IT staff now has five days to scour workstations for missing e-mail before administration data records are archived on Jan. 20. The ruling, by U.S. District Judge Henry Kennedy Jr., also orders staff of the Executive Office of the President (EOP) to relinquish any digital media that may contain e-mails from March 2003 and October 2005. The legal action is the latest resulting from a lawsuit filed in September 2007 by the National Security Archive against the EOP, seeking to preserve and restore White House e-mails it alleged were missing. "There is nothing like a deadline to clarify the issues," Tom Blanton, the National Security Archive's director, said in a statement. "The White House will complain about the last-minute challenge, but this is a records crisis of its own making." The Archive, an independent nongovernmental research institute based at George Washington University, is a repository of government records and does not receive U.S. government funding. The Citizens for Responsibility and Ethics in Washington (CREW), a left-wing public advocacy group, also filed suit, but its legal action was subsequently consolidated with the Archive's legal action, which is taking place in the U.S. District Court for the District of Columbia. Last May, the White House's top tech staffer acknowledged that three months of data were missing from backup tapes. In earlier testimony before a congressional committee, White House technical staff said millions of e-mails from the past eight years could potentially have been erased. Also yesterday, Magistrate Judge John M. Facciola held an emergency status con

With the Federal Trade Commission (FTC) promising to begin enforcing the "Red Flags Rules" on May 1, the FTC launched on Thursday a website aimed at helping entities adhere to the requirements. The rules, designed to reduce identity theft, requires that creditors and financial institutions create and implement an identity theft prevention program. The website describes the entities covered by the rule and provides information, articles and guidance to help entitles develop ID theft prevention programs, the FTC said in a news release. One of the resources on the site is a how-to guide that provides tips for identifying and stopping ID theft. The rules became effective Nov. 1 but will not be enforced by the FTC until May 1. Last October, the FTC extended the original Nov. 1 enforcement deadline because many companies were not prepared to meet the original requirements, the FTC said. Eduard Goodman, general counsel and chief privacy officer for vendor Identity Theft 911, told SCMagazineUS.com Friday that the FTC has been tight-lipped about how the rule is going to be enforced -- likely because they don't want companies looking for ways to get around it. Goodman said that based on his conversations with those in the industry, the FTC will likely enforce the rule on a case-by-case basis. The FTC maintains a database that tracks all identity theft cases reported to the agency. If they hear of instances of identity theft associated with a company, the FTC may ask for a copy of the company's identity theft prevention program, if any, Goodman said. If the entity has a program in place, the FTC will make a determination of whether it's adequate. The May 1 enforcement deadline extension applies to entities under the FTC's jurisdiction, which includes state-chartered credit unions. The extension did apply to the the majority of the estimated 11 million businesses that must comply with the requirements, Goodman has said

Physician groups press FTC for exemption from Red Flag Rules With a May 1 deadline for compliance looming, the American Medical Association (AMA) has asked the Federal Trade Commission (FTC) to suspend the application of the Red Flag Rules to physicians and publish a new rule so that physicians have an opportunity to provide comments. In a March 9 letter to the FTC, AMA Executive Vice President Michael D. Maves wrote that the AMA "strongly believes that the FTC did not provide physicians with an opportunity to review and comment on this Rule." Controversy. Under the Red Flag Rules, which were finalized in October 2007 under the Fair and Accurate Credit Transactions Act (FACTA), financial institutions and creditors must develop and implement written identity theft prevention programs. FACTA provides a broad definition of "creditor" as "any entity that regularly extends, renews or continues credit." The FTC has interpreted this definition to include health care providers and physicians. The AMA and several other medical trade associations have taken the position that physicians were not intended to be subject to the Red Flag Rules, but the FTC has held firm in its interpretation, in spite of the objections. In a Feb. 4 letter to the AMA, the FTC reiterated its position that "the plain language and purpose of the Rule dictate that health care professionals are covered by the Rule when they regularly defer payment for goods or services." The FTC also has taken the position that application of the Red Flag Rules to physicians will reduce the incidence of medical identity theft and will not impose a heavy burden on health care professionals. Rulemaking process. In addition to its claim that health care providers should not be classified as creditors, the AMA also has argued that the physician community was not informed that it would be subject to the Red Flag Rules.

The discipline known as governance, risk, and compliance (GRC) management has come a long way in a short time. Results from Business Finance's 2009 GRC Maturity Study suggest that the majority of companies with formal GRC programs are beginning to derive strategic benefits from their efforts: Two-thirds of survey respondents say that the primary benefit of the GRC programs extends beyond mere compliance to "strategic risk management and decision-making insights" (55 percent) and "superior resilience and long-term shareholder value" (11 percent). Additionally, 81 percent of survey respondents describe their company's GRC capabilities as "strong" (15 percent) or "acceptable" (66 percent); only 18 percent of respondents say that their programs are "in need of improvement." What's more, a remarkable 83 percent of survey respondents (see the "Methodology" side bar) say that their corporate GRC programs were somewhat to very helpful in enabling their organizations to anticipate and respond to the current economic downturn. At many companies, GRC is about much more than compliance these days.

CSOs in healthcare organizations know that the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law in February 2009, includes new privacy requirements that experts have called "the biggest change to the health care privacy and security environment since the original HIPAA privacy rule." These include: New requirements that widen the definition of what Personal Health Information (PHI) information must be protected and extend accountability from healthcare providers to their business associates; Lower thresholds, shorter timelines, and stronger methods for data breach victim notification; Effective immediately, increased and sometimes mandatory penalties with fines ranging from $25,000 to as much as $1.5 million; More aggressive enforcement including authority to pursue criminal cases against HIPAA-covered entities or their business associates. No doubt, the HITECH Act raises the stakes for a data breach. But regulations aside, data breaches can hurt your organization's credibility and can carry huge medical and financial risks to the people whose data is lost. We've managed hundreds of data breaches and helped thousands of identity theft victims. Through this we've learned firsthand that compliance doesn't necessarily equal low risk for data breach. For the well being of the business and patients, healthcare organizations and their partners need to take the most comprehensive approach to securing PHI.

As if banks didn't have enough on their plates with compliance and regulation on the federal front, come May 1, they will have to be mindful of strict new rules coming from the Commonwealth of Massachusetts around data security. The Massachusetts Data Security Regulations are perhaps like no other in terms of their depth and scope. During a teleconference, attorneys from the privacy and data security practice of the law firm Goodwin Procter (Boston) described this very detailed, all-encompassing set of rules designed to keep consumers' personal data safe. They go beyond the rules of other states and the federal government that simply require companies to notify their customers of theft of their personal information. "Personal information," for the purposes of the regulation, is described as someone's first and last name or first initial and last name, in combination with Social Security Number, driver's license number or financial account number. At its core, the regulation states that companies, including banks, that handle the personal data of a Massachusetts resident must show they have in place a comprehensive, written information security program with heightened security procedures around how this information is handled. The rules also extend to entities' service providers and the degree to which they too much show they comply with the Massachusetts rules of handling data on residents. Companies have until May 1 to amend their vendor contracts to reflect this and until Jan. 1, 2010 to certify their vendors comply. Furthermore, companies must comply with these rules even if they do not have a single office in the Bay State or if they are in an already heavily regulated industry, like financial services. As long as customers in businesses' databases reside in Massachusetts, those companies are affected by the rules. According to partner Deborah Birnbach, this is some of the most intrusive legislation as it relates to the operation of businesses. "It requires

The federal government would subsidize up to 65% of COBRA health insurance payments for many individuals who have lost their jobs since Sept. 1, 2008, under an $825 billion stimulus package unveiled by House Democrats. COBRA provisions are supported by health insurance groups, including America''s Health Insurance Plans and the National Business Group on Health. However, AHIP said other parts of the plan tying increased investment in health information technology to stricter scrutiny of how health IT records are handled would make it more difficult for plans to coordinate care and streamline administrative costs. Dubbed the American Recovery and Reinvestment Act, the House bill allocates $39 billion to aid individuals attempting to continue paying health insurance premiums through the 23-year-old Consolidated Omnibus Budget Reconciliation Act program. COBRA allows employees who are terminated or leave their jobs voluntarily to remain in their former employer''s group health plan for up to 18 months, which can be extended to 36 months for those with extenuating life circumstances. However, because COBRA enrollees can be charged up to 102% of the full cost of coverage, many find the plans prohibitively expensive and, according to Hewitt Associates Inc., only about 20% enroll. A recent report by the consumer group Families USA found monthly COBRA premiums for family coverage were $1,069, or 83.6% of the average monthly unemployment insurance benefit of $1,278. In nine states, average COBRA payments exceeded unemployment benefits, the group found. Health groups have been largely supportive of the proposal, with AHIP President Karen Ignagni writing in a letter to House Speaker Nancy Pelosi that the group believes the move would "help ensure continuity of coverage and serve as an important lifeline for many workers who do not qualify for Medicaid, but still need help paying their health insurance premiums."