* Name Compliance Week * Location Boston, MA * Web http://www.compli... * Bio Compliance Week is an information service on corporate compliance and risk. Twitterers include editor-in-chief Matt Kelly and publisher Scott Cohen.

With the ink barely dry on headlines about what could be the biggest security breach in history (identity thieves hacked into payment processor Heartland Payment Services, possibly gaining access to the credit-card information of millions of consumers) signing up for a credit-monitoring service may have jumped a few notches on your to-do list. After all, paying $12 or so a month seems like a small price to pay for the peace of mind that -- through regular alerts about activity on your credit reports and other monitoring services -- you'll be protected from identity theft. Right? Think again.

THE Government is looking to develop a way to protect individuals' personal data that can 'best address' three issues. These are privacy concerns, commercial requirements and national interest. An inter-ministry committee is already reviewing the issue, said Minister for Information, Communications and the Arts Lee Boon Yang. 'As data protection is a complex issue, with extensive impact on all stakeholders, this review will take some time,' he said. He said this in a written reply to a question posed by Ms Lee Bee Wah of Ang Mo Kio GRC in Parliament on Monday. She had asked if his ministry will consider a comprehensive privacy law, and wanted to know what laws there are to protect people from spam mail and the unauthorised sale of personal information. Also, what about those whose photographs have been posted on blogs and other new media platforms without their authorisation, she had asked. This would be considered a 'civil matter', said Dr Lee. 'The aggrieved persons could first ask the site's webmaster to remove the pictures,' he said. 'As with matters relating to online libel and personal defamation, they could also seek professional legal advice to determine the most appropriate legal recourse.' As for the protection of personal data, the minister said that although no generic data protection law exists, such data is still protected. He listed the various measures that are already in place. For instance, there are 'strict provisions' in sectoral laws such as the Banking Act, and codes for medical professionals to protect sensitive financial and health information, he said. There are also other industry codes of practices against the unauthorised use of personal information, he added. For example. the Telecom Competition Code requires licensees to take 'reasonable measures' to prevent the unauthorised use of consumers' information. In addition, there is a voluntary privacy code, which has been adopted by many companies in the private sector, said Dr

As they play in the global information economy, U.S companies stash away more data than they can handle effectively. The six-part 2009 New Data Center series opens with a look at how they're coping with the escalating problem.

Cloud services are now vulnerable to malicious use, a security company has suggested, after a techie worked out how Amazon's EC2 service could be used as a BitTorrent file harvester and host. Amazon's Elastic Compute Cloud (EC2) is a web service software developers can use to access computing, compilation and software trialling power on a dynamic basis, without having to install the resources locally. Now a developer, Brett O'Connor, has come up with a step-by-step method for using the same service to host an open source BitTorrent application called TorrentFlux. Getting this up and running on Amazon would require some technical know-how, but would be within the reach of a moderately experienced user, right down to following O'Connor's command line low-down on how to install the public TorrentFlux app straight to Amazon's EC2 rather than a user's local machine. Finding an alternative way of using BitTorrent matters to hardcore file sharers because ISPs and admins alike are increasingly keen to block such bandwidth-eating traffic on home and business links, and O'Connor's EC2 guide was clearly written to that end - using the Amazon service would make such blocking unlikely. "I created a web-based, open-source Bittorrent 'machine' that liberated my network and leveraged Amazon's instead," says O'Connor. He then quips "I can access it from anywhere, uploading Torrent files from wherever, and manage them from my iPhone." However, security company GSS claims the guide shows the scope for possible abuse, using EC2 to host or 'seed' non-legitimate BitTorrent file distribution. "This means, says Hobson, that hackers and other interested parties can simply use a prepaid (and anonymous) debit card to pay the $75 a month fee to Amazon and harvest BitTorrent applications at high speed with little or no chance of detection," said David Hobson of GSS. "The danger here is that companies may find their staff FTPing files from Amazon EC2 - a completely legitimate domain -

Washington insiders say that the Obama administration will be more aggressive with actions to protect consumers online. Two consumer advocacy groups, the Center for Digital Democracy and the U.S. Public Interest Research Group, have asked the Federal Trade Commission to investigate behavioral targeting practices aimed at mobile phone users. The day the FTC received the request and one week before the Obama administration took office, four marketing and advertising associations announced their intent to create an enhanced set of self-regulatory principles for online behavioral advertising. The American Association of Advertising Agencies, Association of National Advertisers, Direct Marketing Association and Interactive Advertising Bureau are said to be reviewing the areas for self-regulation set forth in the FTC's proposed self-regulatory principles issued in December 2007. As marketers, our boundaries for targeting campaigns continue to widen as technology improves. We collect more information than ever before. This, along with the fear of federal regulation, may create a trend for more marketers to take on a dual role as a privacy professional. The International Association for Privacy Professionals (IAPP, https://www.privacyassociation.org/) provides privacy education and certification for privacy professionals.

January 26, 2009 - As a presidential candidate, Barack Obama made his position on abortion very clear. During his campaign, he stated that he would sign the Freedom of Choice Act and that he opposed restrictions on Partial Birth Abortions. Now as President, Obama used the 36th anniversary of the Supreme Court's Roe v. Wade decision to reiterate his quite extreme position. Obama made several statements about "ensuring that our daughters have the same rights and opportunities as our sons...." However, his key statement appears to demonstrate an utter misunderstanding of the legal aspects of abortion, was that government "should not intrude on our most private family matters." An Associated Press subheader put it as "the ruling legalizing abortion represented a broader principle that government should not intrude on private family matters." Obama seemingly fails to understand three things about the "right to privacy." First, in that as far as it has been applied to abortion and contraception (Griswold vs. Connecticut); it is not a principle about "family matters." It is a principle purely about individual choice. Under Roe, no one else in the "family" has any say about the abortion decision. If the woman is not married to the father of the baby, he is not "family" anyway. Second, the right to privacy is not absolute. Third and most important, that under Roe, the "right to privacy" is secondary to two considerations about the unborn child: whether or not the unborn child is a "person," or at least "potential life." For these last two, we can turn to Roe itself. The "Right to Privacy" The majority opinion of Roe admits that, "The Constitution does explicitly mention any right of privacy." Majority author Harry Blackmun cites various past court decisions which recognize personal rights that are "fundamental" or "implicit in the concept of ordered liberty." Since these private rights had been found to have extension to areas such as marriage, procreation, contraception

Eight years ago, a woman we'll call Sarah discovered that she was not biologically related to the father she had known all her life. Sarah, her mother revealed, was "donor-conceived." Her parents, after trying without success for a pregnancy of their own in the late 1970s, turned to a fertility center, where Sarah's mother was artificially inseminated with sperm from an anonymous donor. At the time sperm banks did not offer detailed donor profiles. Upon discovering the truth, Sarah was told what her parents had been told about her biological father: He was a medical student, possibly of Scandinavian ancestry. Sarah, who describes her family as "loving and stable," was shocked. Today she is also sick. A year before finding out about her conception, she began to experience severe, unexplained bladder problems. She has been seeing doctors at Johns Hopkins; so far they haven't figured out the cause. Recently married, Sarah worries that she may pass the illness on to future children. The medical history of her biological father could provide a crucial piece of the diagnostic puzzle. But in the early days of artificial insemination, clinics often shredded or burned files to ensure donor anonymity and client privacy. Sarah's father's identity may be locked away in storage somewhere, or it may have been destroyed. Although aware of the likely futility of her search, Sarah still continues-writing the clinic, nurses, her doctor-in the hope that someone can help. Faced with stories like this, the fertility industry and a few state governments are trying to come up with a way to ensure that future donor-conceived children will have access to their fathers' medical files. A national registry, for example, could allow banks to monitor how many times a man donates semen and how many children are born from his seed, to share updates about medical issues and to facilitate long-term research on health outcomes. But any such registry poses a threat to the p

Twitter Inc. has launched a comprehensive review of the defenses in its popular social network and microblogging service after hackers hijacked the accounts of several high-profile users on Monday. In interviews this week, analysts said they were surprised that sites such as Twitter, which are potentially hot targets for hackers and phishers, had long avoided such major attacks, and thus strong scrutiny by its corporate users. Since the widely publicized hack of Twitter, analysts said they are closely watching how the site and especially its corporate customers respond to the security breach.

The largest threat to online advertising is growing as the economy declines. More individuals will turn criminal, purchasing products or generating income through fraudulent means. Billions of dollars are stolen from businesses each year, and in 2009 companies will fight fraud with fewer resources.According to CyberSource, an estimated $4 billion dollars was lost to fraud in 2008 up from $3.7 billion in 2007, and 87% of merchants must fight fraud with the same or less staff in 2009. The increase in eCommerce fraud from 2007 to 2008 (and one can expect, in 2009) follows the advertisers' shift to spend more of their budget online. Much like crime statistics, one has to wonder how much fraud is not being reported because, among many reasons, commission-driven employees are not motivated or your company lacks resources.In early 2008, I was approached by our CEO to start a new division that would address our partners' fraud concerns-both real and perceived. He said, "I'm not going to lie to you. It's a SOB job." I was sold, and the Best Practices Division began.My team establishes best practices (measurable, repeatable events, processes, and procedures) and applies them internally and externally (to our partners' online marketing practices). At its core, best practices (BPs) are a set of standards that provide transparency and clear expectations of behavior and results to everyone involved in the business process. This accountability will drive the long-term performance of the online advertising industry while maintaining profitability without additional federal regulation.The BP approach can be applied to every business model and used to fight fraud-wherever you find it. Industry norm places the onus on the advertiser to successfully qualify inbound leads as well as identify fraudulent traffic. In the past, advertisers had only two options: become an online fraud expert, or hire a vendor.Only a small percentage of companies will be successful with the

The dark figure of fraud drove the development of best practices at Memolink. I harnessed the fear of the unknown and used basic change management to gather support internally. I knew the approach would indefinitely change how we did business and alter our company's culture. Like many dot coms, my company has an entrepreneurial spirit, and like not-so-many dot coms, we have been in business for 15 years. The culture is well established and the work we do is exciting and fun. Would a company with an innovative and "don't-box-me-in" mentality openly receive a new set of standards and expectations? The implementation of the Best Practice approach required two important change management tactics: consistent messaging and constant and varied communication. It was not enough to tell associates that the proposed transition, which included separating processes that traditionally had been managed by a sales team, would benefit the company in the long term. The main component of the message had to be the "What's in it for me?" value proposition. At the time, the sales associates had nothing to gain, and, in fact, they would lose commission. For example, when my department rolled out the Best Practice approach to partner vetting, fewer partners would meet the standard and be accepted, which meant incremental commission loss for the sales team. Money matters create major stress and tension, so it was important that this conflict be addressed early in the implementation process. Management responded by restructuring commissions so that employee motivations were aligned with business goals. This move also made the adoption period for other processes and procedures shorter and less chaotic. In essence, align the money motivators and people will buy in more quickly. Associates were not reeling about their payment structure, but were they and other stakeholders, who were originally unaffected by the commission structure, truly behind the idea? In order to gain the

In October 2001, the Bush administration took an administrative action that would prove sadly symptomatic of its rule. John Ashcroft, then the attorney general, issued a memorandum warning against casual release of information to the public under the Freedom of Information Act. Such releases, Ashcroft said, should be made "only after full and deliberate consideration of the institutional, commercial and personal privacy interests that could be implicated." In case anyone missed the point, Ashcroft added that any bureaucrat who said no to such a request could "be assured that the Department of Justice will defend your decisions unless they lack a sound legal basis." It goes without saying that Ashcroft did not promise any such defense of government employees who released information under the terms of the act. If cavalier disregard of the law and the public's right to hold its government accountable were hallmarks of the recently departed administration, we can only hope that President Obama's response signals a new approach. One of his first presidential acts was to issue a memo to federal agencies on the Freedom of Information Act. It opens by quoting former Supreme Court Justice Louis Brandeis' pronouncement that sunlight is the "best of disinfectants" and continues by trumpeting the act as "the most prominent expression of a profound national commitment to ensuring an open government." Where Ashcroft searched for excuses to withhold information, Obama directed all agencies to "adopt a presumption" in favor of releasing it.

As I'm sure you know, former NSA analyst Russell Tice revealed that the agency spied on journalists and ordinary Americans - not just communications between the U.S. and overseas. Speaking on the Keith Olbermann show on MSNBC, Tice said: "The National Security Agency had access to all Americans' communications," he said. "Faxes, phone calls and their computer communications. … They monitored all communications." He made a further appearance on Olbermann Thursday (view above), in which he said that the NSA combined these illegal wiretaps with credit card and financial data. ""This [information] could sit there for ten years and then potentially it marries up with something else and ten years from now they get put on a no-fly list and they, of course, won't have a clue why," Tice said. "This is garnered from algorithms that have been put together to try to just dream-up scenarios that might be information that is associated with how a terrorist could operate," Tice said. "And once that information gets to the NSA, and they start to put it through the filters there . . . and they start looking for word-recognition, if someone just talked about the daily news and mentioned something about the Middle East they could easily be brought to the forefront of having that little flag put by their name that says 'potential terrorist'." Why were they monitoring reporters? New York Times reporter James Risen told Olbermann he thought it was a plot "to have a chilling effect on potential whistleblowers in the government to make them realize that there's a Big Brother out there that will get them if they step out of line."

Legal woes may be next for Heartland Payment Systems, a payment processor that reported a major security breach this week. Depending on the results of the ongoing investigation, Heartland is likely to face the threat of litigation from issuing banks, merchants and consumers, says Scott Vernick, an attorney with Fox Rothschild LLP in Philadelphia, who specializes in data theft cases. "The businesses that use Heartland as a credit card processor, as well as thousands of consumers, will be anxiously watching for any negative impact, including harm to their business reputations, and the real possibility of identity theft or fraud," says Vernick. The fact that Heartland's systems were certified as being fully in compliance with data handling rules, called the PCI standards, raises questions about the efficacy of such standards. Hannaford Brothers grocery chain was likewise fully PCI compliant when it had 300 stores hacked and 4.3 million record swiped..... "This latest incident shows how, despite companies being compliant with regulations such as PCI, they are still a long way from being secure," says Mike Rothman, senior vice president of strategy at elQnetworks.

Canadians who travelled to the United States in 2008 are being advised to check their credit-card statements and watch for signs of identity theft after a massive security breach at a U. S.-based company that processes millions of credit cards. Canada's Privacy Commissioner said yesterday she was shocked to learn that New Jersey-based Heartland Payment Systems, which processes credit-card transactions for more than 250,000 businesses in the United States, had found "malicious software" in its operating system. "I'm amazed to see something this significant can still happen with the importance that not only privacy commissioners, but experts everywhere, are placing on security," Jennifer Stoddard said. "I was concerned to see this going on and the size of it." Tech experts say the hack could be one of the largest ever credit-or debit-card data breaches, and that Canadians should watch closely for signs of identity theft.

The federal government has a key role to play in researching and organizing a national response to the problem of medical identity theft, authors of a government-funded study have concluded. Patients, providers, payers and other members of the healthcare community also must join in the effort to combat a problem that is serious, although as yet its scope is not fully known, the report stated. Contractor Booz Allen Hamilton released the report last week. It represents the final phase of the $450,000 study funded last year by the Office of the National Coordinator at HHS. The study consisted of three parts, the first being to review existing knowledge about medical identity theft as well as policies and practices to prevent it. Those findings were included in a research paper on the subject released last October. The second phase involved a public meeting Oct. 15, 2008, the same day the paper was released, to "open a dialogue about medical identity theft within the healthcare industry. The final phase, the 26-page report, includes 31 "potential actions," which are recommendations that could form a national policy on medical identity theft. While medical identity theft "may be categorized as healthcare fraud," according to the report, "there are unique and important distinctions of medical identity theft that need to become more commonly understood to address this issue effectively." One difference, the report authors noted, is that the primary motive behind healthcare fraud "is most often monetary gain, such as when fraudulent providers bill for more expensive services than those rendered. However, medical identity theft tends to be focused on the use of someone else's information to gain goods, services and healthcare." IT could hurt, help Therefore, undetected medical identity theft poses medical risks to its victims, since their medical records may contain inaccurate and potentially harmful information that may cause them not to be con

In May 2008, the Office of the National Coordinator for Health Information Technology (ONC) awarded an approximately $450,000 contract to Booz Allen Hamilton to assess and evaluate the scope of the medical identity theft problem in the U.S. Medical Identity Theft Medical identity theft is a specific type of identity theft which occurs when a person uses someone else's personal health identifiable information, such as insurance information, Social Security Number, health care file, or medical records, without the individual's knowledge or consent to obtain medical goods or services, or to submit false claims for medical services. There is limited information available about the scope, depth, and breadth of medical identity theft. Dr. Robert Kolodner, National Coordinator for Health Information Technology, has noted that medical identity theft stories are being documented at an increasing rate, bringing to light serious financial, fraud, and patient care issues. ONC recognizes that health IT is an important tool to combat the threat of medical identity theft. We are seeking input from the public and other government agencies to better understand how health IT can be utilized to prevent and detect medical identity theft as well as build consumer trust in electronic health information exchange. ONC believes it is imperative to obtain a more comprehensive understanding of this issue from a variety of perspectives, and to create an open forum for dialogue to work proactively to address medical identity theft. Medical Identity Theft final report. The report summarizing health IT and medical identity theft issues raised at the town hall was completed January 15, 2009 and sets forth potential actions the Federal government and other stakeholders can undertake in working toward prevention, detection, and remediation of medical identify theft.

The key points of the plan closely mirror recommendations offered late last year by a bipartisan commission of computer security experts, which urged then president-elect Obama to set up a high-level post to tackle cyber security, consider new regulations to combat cyber crime and shore up the security of the nation's most sensitive computer networks. The strategy, as outlined in a broader policy document on homeland security priorities posted on the Whitehouse.gov Web site Wednesday, states the following goals: * Strengthen Federal Leadership on Cyber Security: Declare the cyber infrastructure a strategic asset and establish the position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy. * Initiate a Safe Computing R&D Effort and Harden our Nation's Cyber Infrastructure: Support an initiative to develop next-generation secure computers and networking for national security applications. Work with industry and academia to develop and deploy a new generation of secure hardware and software for our critical cyber infrastructure. * Protect the IT Infrastructure That Keeps America's Economy Safe: Work with the private sector to establish tough new standards for cyber security and physical resilience. * Prevent Corporate Cyber-Espionage: Work with industry to develop the systems necessary to protect our nation's trade secrets and our research and development. Innovations in software, engineering, pharmaceuticals and other fields are being stolen online from U.S. businesses at an alarming rate. * Develop a Cyber Crime Strategy to Minimize the Opportunities for Criminal Profit: Shut down the mechanisms used to transmit criminal profits by shutting down untraceable Internet payment schemes. Initiate a grant and training program to provide federal, state, and local law enforcement agencies the tools they need to detect and prosecute cyber crime. *

According to Mandiant's Kevin Mandia, retailers are being compromised by one attack in particular: SQL injection. In this keynote speech from Information Security Decisions 2008, Mandia takes you through a common retail hack and points out the attack tools being used to gain domain credentials and credit card numbers.

Yesterday, the U.S. Supreme court announced its refusal to hear appeals against the banning of the Child Online Protection Act (COPA), effectively killing the bill. The American Civil Liberties Union called it "a clear victory for free speech," having fought the bill for ten years claiming it infringed on a website's freedom of speech. I've always advocated that it is the responsibility of parents to monitor their children's online activity. There are a ton of Web filtering and parental control applications available, many for free such as Blue Coat's K9 Web Protection. Especially with the country in the shape it's in now, my personal opinion is that the government has more pressing issues to attend to than babysitting children online. COPA was first passed in 1998, and made it illegal to display any pornographic material on a Web site without an access code or proof of age message. However, state courts began challenging the bill immediately, claiming it was unconstitutional and violated the First Amendment. Instead, it was ruled that parental controls should be used by individual families to block unwanted content, rather than the government determining what can and cannot be seen by all. (COPA was killed, not COPPA - Children's Online Privacy Protection Act)