Group items tagged

When the director of IT at a Boston-based, midsize pharmaceutical firm was first approached to participate in a data leakage audit, he was thrilled. He figured the audit would uncover a few weak spots in the company's data leak defenses and he would then be able to leverage the audit results into funding for additional security resources. "Data leakage is an area that doesn't get a lot of focus until something bad happens. Your biggest hope is that when you raise concerns about data vulnerability, someone will see the value in allowing you to move forward to protect it," the IT director says. But he got way more than he bargained for. The 15-day audit identified 11,000 potential leaks, and revealed gaping holes in the IT team's security practices. (Read a related story on the most common violations encountered.) The audit, conducted by Networks Unlimited in Hudson, Mass., examined outbound e-mail, FTP and Web communications. The targets were leaks of general financial information, corporate plans and strategies, employee and other personal identifiable information, intellectual property and proprietary processes. Networks Unlimited placed one tap between the corporate LAN and the firewall and a second tap between the external e-mail gateway and the firewall. Networks Unlimited used WebSense software on two servers to monitor unencrypted traffic. Then it analyzed the traffic with respect to company policy. Specifically, Networks Unlimited looked for violations of the pharmaceutical firm's internal confidentiality policy, corporate information security policy, Massachusetts Privacy Laws (which go into effect in 2010), Health Insurance Portability and Accountability Act (HIPAA), and Security and Exchange Commission and Sarbanes-Oxley regulations. Auditor Jason Spinosa, senior engineer at Networks Unlimited, says that while he selected the criteria for this audit, he usually recommends that companies take time to determine their policy settings based on their risk

Consumer Watchdog has sent the U.S. Justice Department a Google document presenting the best corporate arguments for why Google should not be viewed as monopolistic, along with a duplicate of the presentation marked up with comments from an expert countering the claims. The nonprofit consumer group received both documents from an anonymous industry insider. In the presentation, Google seeks to deflate increasing criticism that it is too big and powerful by spin meant to minimize the notion its search and advertising businesses are virtual monopolies. Commentary surrounding the presentation in the second document delivered to Consumer Watchdog presents information countering Google's contentions in what is described as a "Charm Offensive." "As the Justice Department examines the Google book deal and other Google enterprises it deserves to see the play book Google has prepared to deflect scrutiny and insider commentary on how many Google myths lack a basis in reality," said Consumer Watchdog President Jamie Court. "Google's charm and spin should not be allowed to deter anti-trust regulators from seeing the real problems with Google's dominance and setting appropriate limits to protect users."

New rules will protect consumers, harmonize regulation, and enshrine net neutrality. But a late amendment left the legislation in limbo The European Parliament has voted through a massive tranche of reforms for the European telecommunications sector, including a significant net-neutrality amendment. The 'Telecoms Package' of laws was voted into force on Wednesday with a large majority, and must now be ratified by the Council of Telecoms Ministers. The vote marks the first time that internet access has been recognised in European law as a fundamental right on a par with freedom of expression. The legislation also compels European telecoms and internet service providers (ISPs) to notify their customers of any personal data breaches, the first time they have been required to do so.

There is pervasive fear of identity theft. Victims spend an extraordinary amount of time and money recovering from it. The government is doing something about it, but businesses may not be pleased to hear that the government's latest action is another unfunded mandate. New rules concerning identity theft prevention at financial companies go into effect on Friday May 1, 2009, but for most organizations, complying with the FTC's Red Flags Rule could be as simple as writing down rules and procedures already in place and having them certified by the Board. The rules are about procedures, not about data security, said Tiffany George, attorney for the division of privacy and identity protection at the FTC. She spoke on Tuesday at the FTC's workshop for businesses held on the campus of Fordham University in New York City. "The Red Flags Rule covers what to do when, despite our best efforts, thieves steal data," she said. As new regulations go, the FTC's Red Flags Rule will be less painful than many other recently enacted rules. For example, while Sarbanes-Oxley is considered a burden to many public companies, requiring several full-time staff, the Red Flags Rule can likely be handled by legal or compliance staff already in place.

The Federal Trade Commission, continuing its focus on behavioral advertising practices and online consumer privacy, has hired Harvard researcher Christopher Soghoian as a technical consultant. Soghoian, currently with Harvard's Berkman Center for Internet & Society and a noted researcher and blogger on online privacy, will work with the FTC's Bureau of Consumer Protection, Division of Privacy and Identity Protection. He has been particularly critical about the length of time major Internet service providers and companies keep and use customer data Last month, several marketing and advertising industry associations, including the Direct Marketing Association and the American Association of Advertising Agencies, issued self-regulatory principles to govern the online practices of their members, in an attempt to stave off federal regulation of behaviorally targeted advertising.

On a side table in his Washington offices, Federal Trade Commission Chairman Jon Leibowitz keeps a framed image of Arnold Schwarzenegger from the 1984 film The Terminator. It was given to Leibowitz a couple of years ago by one of the FTC's regional offices, an homage to his crackdown on spyware that surreptitiously gathers information on Web users' surfing habits. Now, Leibowitz wants to terminate-or at least rein in-a different practice he finds no less harmful to consumers: delivering ads to individuals based on the Web pages they visit and searches they carry out. Appointed by President Barack Obama in February to run the country's top consumer watchdog, Leibowitz has made so-called behavioral targeting a top priority. How far he goes in regulating the practice could have big implications for a host of companies that depend on Web advertising and engage in some form of targeting. These include Google (GOOG), Facebook, and Microsoft (MSFT), which on July 29 announced a plan to partner with Yahoo! (YHOO) in the area of Internet search. It would also affect the way legions of companies and advertisers craft marketing campaigns. Behavioral targeting has become more prevalent as it gets easier and cheaper to use software to track online behavior and then use the data to pitch Web users related goods and services. These ads are more likely to induce a customer to make a purchase or otherwise respond to a pitch, researchers say.

To assist small businesses and other entities, the Federal Trade Commission staff will redouble its efforts to educate them about compliance with the "Red Flags" Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply. To give creditors and financial institutions more time to review this guidance and develop and implement written Identity Theft Prevention Programs, the FTC will further delay enforcement of the Rule until November 1, 2009. The Red Flags Rule is an anti-fraud regulation, requiring "creditors" and "financial institutions" with covered accounts to implement programs to identify, detect, and respond to the warning signs, or "red flags," that could indicate identity theft. The financial regulatory agencies, including the FTC, developed the Rule, which was mandated by the Fair and Accurate Credit Transactions Act of 2003 (FACTA). FACTA's definition of "creditor" includes any entity that regularly extends or renews credit - or arranges for others to do so - and includes all entities that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor. "Financial institutions" include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers.

In all of 2008, 40 banking institutions failed - 25 banks and 15 credit unions. So far in 2009, 72 institutions have either been closed or taken over by regulators, including 7 banks just this past weekend. The Federal Deposit Insurance Corporation (FDIC)'s troubled bank list, now at 305, has more than doubled from last year's total, when 117 banks were listed. Which begs the questions: Where and why are all these institutions failing, and how many more closures will we see by year's end? Failures by the Numbers Analysis of this year's bank/credit union failures (see interactive map) reveals some interesting facts: * Total Failed Banks: 64 * Total Failed Credit Unions: 8 o Top States For Failures: o Georgia - 16 banks o Illinois - 12 banks o California - 8 banks, 3 credit unions o Florida - 3 banks * Largest Failure BankUnited, Coral Gables, FL., $12.8 billion in assets, * Total Cost to FDIC Insurance Fund: $13.553 billion

The Federal Trade Commission today approved a final consent order settling claims that CVS Caremark violated customers' privacy and the Health Information Portability and Accountability Act (HIPAA) when it failed to dispose of records properly last year. Earlier this year, CVS Caremark agreed to settle FTC charges that it failed to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers and employees, in violation of federal law. In a separate but related agreement, the company's pharmacy chain also has agreed to pay $2.25 million to resolve Department of Health and Human Services allegations that it violated HIPAA regulations. "This is a case that will restore appropriate privacy protections to tens of millions of people across the country," said FTC chairman William Kovacic following the settlement. "It also sends a strong message to other organizations that possess consumers' protected personal information. They are required to secure consumers' private information." Under the final consent order, CVS Caremark is required to rebuild its security and confidentiality program, which will be audited every two years for the next 20 years. The HHS settlement requires the company to develop a new training program to instruct employees on how to handle patient data.

CSOs in healthcare organizations know that the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law in February 2009, includes new privacy requirements that experts have called "the biggest change to the health care privacy and security environment since the original HIPAA privacy rule." These include: New requirements that widen the definition of what Personal Health Information (PHI) information must be protected and extend accountability from healthcare providers to their business associates; Lower thresholds, shorter timelines, and stronger methods for data breach victim notification; Effective immediately, increased and sometimes mandatory penalties with fines ranging from $25,000 to as much as $1.5 million; More aggressive enforcement including authority to pursue criminal cases against HIPAA-covered entities or their business associates. No doubt, the HITECH Act raises the stakes for a data breach. But regulations aside, data breaches can hurt your organization's credibility and can carry huge medical and financial risks to the people whose data is lost. We've managed hundreds of data breaches and helped thousands of identity theft victims. Through this we've learned firsthand that compliance doesn't necessarily equal low risk for data breach. For the well being of the business and patients, healthcare organizations and their partners need to take the most comprehensive approach to securing PHI.

TSA terrorist watchlist changes affect travel industry, document coordination requirements, security & privacy concerns. Over-strengthening one set of regulations and ignoring others simply means that the terrorists will move to safer (for them) modes of attack.

The Transportation Security Administration is getting ready to take over responsibility from the airlines for checking passengers' names against terrorist watch lists, and is advising travelers to start booking airline tickets using their full name as it appears on their driver's license or passport.

Federal Communications Commission Chairman Julius Genachowski will unveil in a speech on Monday new proposals that would force Internet providers to treat the flow of content equally, sources familiar with the speech said on Friday. The concept, referred to as net neutrality, pits open Internet companies like Google Inc against broadband service providers like AT&T Inc, Verizon Communications Inc, and Comcast Corp, which oppose new rules governing network management. Advocates of net neutrality say Internet service providers must be barred from blocking or slowing traffic based on content. Providers say the increasing volume of bandwidth-hogging services like video sharing requires active management of their networks and some argue that net neutrality could stifle innovation. "He is going to announce rulemaking," said one source familiar with his speech about broadband, to be delivered at the Brookings Institution, a public policy think tank. "The commission will have to codify into new regulations the principle of nondiscrimination." The FCC could formally propose the rules aimed at applying to wireless and landline platforms at an open meeting in October.

A few weeks ago, I was very relieved to find out I had passed the IAPP exam to be a "Certified Information Privacy Professional" or CIPP. I got this certificate and even a pin, which is more than I ever got for passing the bar exams of New York and California. So what exactly did I need to know to become a CIPP? To be certified in corporate privacy law, you're expected to know what's covered in the CIPP Body of Knowledge, primarily major U.S. privacy laws and regulations and "the legal requirements for the responsible transfer of sensitive personal data to/from the United States, the European Union and other jurisdictions." You're also expected to pass the Certification Foundation, required for all three certifications offered by IAPP. That covers basic privacy law, both in the U.S. and abroad, information security principles and practices, and "online privacy," which includes an overview of the technologies used by online companies to collect information and the particular issues to be considered in this context. So what do you think? Should you be able to pass an all-objective, 180 question, three-hour exam (counting the CIPP and Certification Foundation exams together) on the above topics and be able to call yourself a "privacy professional"?

Americans are about to re-learn that bank deposit insurance isn't free, even as Washington is doing its best to delay the coming bailout. The banking system and the federal fisc would both be better off in the long run if the political class owned up to the reality. We're referring to the federal deposit insurance fund, which has been shrinking faster than reservoirs in the California drought. The Federal Deposit Insurance Corp. reported late last week that the fund that insures some $4.5 trillion in U.S. bank deposits fell to $10.4 billion at the end of June, as the list of failing banks continues to grow. The fund was $45.2 billion a year ago, when regulators told us all was well and there was no need to take precautions to shore up the fund.

"As Congress makes headlines on healthcare and financial industry oversight reform, online data privacy watchdogs are hammering away behind the scenes on the Hill. A joint hearing on online and offline data collection scheduled for later this week, and a planned series of Federal Trade Commission data privacy events have advocacy groups from as far away as California visiting Washington to make sure their voices are heard. "What we're concerned about is the amount of surveillance and tracking going on without consumer consent," said Lee Tien, senior staff attorney at the San Francisco-based Electronic Frontier Foundation. Though often skeptical of government regulation, EFF recently joined lobbying groups including Center for Digital Democracy in recommending that Congress pass clear consumer privacy legislation. "

"I heard a rumor that I hope isn't true. Specifically, I heard that opting out of behavioral profiling may not stop advertising companies from tracking you as you travel across the Web. Rather, according to the rumor, in many cases you merely opt out of seeing the tailored ads your web history might otherwise trigger. The ability to opt out of behavioral profiling essentially underpins the argument for self-regulation by the industry. The idea is that (1) people like tailored ads and (2) those that worry about the practice, for instance, from a privacy perspective, can opt out of it. Setting aside the apparent frailty of cookie-based opt out (when you delete your cookies, you delete your opt out as well) and the availability of other means to track users (like flash cookies), this seems pretty straightforward and convincing. But what does "opting out" mean, exactly? A close look at the Network Advertising Initiative website, which offers an opt out tool on behalf of most major online advertisers, turns up no guarantee that opting out will stop a company from logging where a user has traveled."

The rise and fall of PRBC is a case study of the growing market for our personal financial data, where the incentives for helping consumers and making profits don't always align.

"State regulators may consider requiring utilities and other firms to provide customers clear information regarding how their data may be used, if consumers authorize such use, and guaranteeing that customers have the ability to select the purposes for which their data may be used."

In my last post, Behavioral Targeting, I mentioned that I used a home-grown form of customer tracking when I worked on Wall Street. I explain a bit more about that in this post. I will describe more about the process in a second part to this post.
Early Adopters
The competition in the financial se

This post is one in a series on Privacy & Security, and covers some of the intersections of these domains for those who are not practitioners with in-depth understanding of the associated disciplines.
Behavioral Targeting
The tracking of consumers as they surf the Web to deliver targeted a