With the Federal Trade Commission (FTC) promising to begin enforcing the "Red Flags Rules" on May 1, the FTC launched on Thursday a website aimed at helping entities adhere to the requirements. The rules, designed to reduce identity theft, requires that creditors and financial institutions create and implement an identity theft prevention program. The website describes the entities covered by the rule and provides information, articles and guidance to help entitles develop ID theft prevention programs, the FTC said in a news release. One of the resources on the site is a how-to guide that provides tips for identifying and stopping ID theft. The rules became effective Nov. 1 but will not be enforced by the FTC until May 1. Last October, the FTC extended the original Nov. 1 enforcement deadline because many companies were not prepared to meet the original requirements, the FTC said. Eduard Goodman, general counsel and chief privacy officer for vendor Identity Theft 911, told SCMagazineUS.com Friday that the FTC has been tight-lipped about how the rule is going to be enforced -- likely because they don't want companies looking for ways to get around it. Goodman said that based on his conversations with those in the industry, the FTC will likely enforce the rule on a case-by-case basis. The FTC maintains a database that tracks all identity theft cases reported to the agency. If they hear of instances of identity theft associated with a company, the FTC may ask for a copy of the company's identity theft prevention program, if any, Goodman said. If the entity has a program in place, the FTC will make a determination of whether it's adequate. The May 1 enforcement deadline extension applies to entities under the FTC's jurisdiction, which includes state-chartered credit unions. The extension did apply to the the majority of the estimated 11 million businesses that must comply with the requirements, Goodman has said

Government Information Security Podcasts Credit Eligible As a GovInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking. Click For More Info Lessons Learned from TJX: Eric Fiterman, Cyber Crime Expert August 13, 2008 Interview with Cyber Crime Expert Eric Fiterman In the wake of the arrests of 11 hackers tied to the TJX data breach, security experts everywhere are warning of bigger, bolder threats to come. So, what should banking institutions have learned from TJX-style breaches, and what can they do now to protect their customers and critical financial/informational assets? In this interview, former FBI agent Eric Fiterman, founder of Methodvue, offers: Insights on the TJX and other breach investigations; How banking institutions can better protect their assets; The types of crimes institutions need to look out for in the months ahead.

A federal judge said he will decide in the next few days whether supermarket giant Hannaford Bros. is potentially liable for damages because of a data breach that exposed more than 4 million credit and debit card numbers to computer hackers. Judge D. Brock Hornby heard arguments on Wednesday at U.S. District Court. Attorneys for Hannaford asked the judge to dismiss the lawsuit, which was filed against the Scarborough-based company last year. Attorneys for the plaintiffs said Hornby should certify the case as a class-action suit and let it proceed toward trial. The upcoming ruling will determine whether parts or all of the suit will go forward. The case boils down to a couple of central questions: To what extent are merchants responsible for securing the electronic data that gets processed with every noncash purchase, and what should the consequences be when that data is stolen? "These are fascinating and difficult issues," Hornby said after hearing the arguments Wednesday. "I'll get a written decision out to you as soon as I can." Between Dec. 7, 2007, and March 10, 2008, hackers stole credit and debit card numbers, expiration dates and PIN numbers from people shopping at Hannaford supermarkets. The grocery chain operates more than 200 stores under various names in New England, New York and Florida. More than 4 million card numbers were exposed, and by the time Hannaford publicly announced the breach, on March 17, 2008, about 1,800 fraudulent charges had been made.

US senators have drafted legislation that would give the federal government unprecedented authority over the nation's critical infrastructure, including the power to shut down or limit traffic on private networks during emergencies. The bill would also establish a broad set of cybersecurity standards that would be imposed on the government and the private sector, including companies that provide software, IT work or other services to networks that are deemed to be critical infrastructure. It would also mandate licenses for all individuals administering to strategically important networks. The bill, which is being co-sponsored by Senate Commerce Committee chairman John Rockefeller IV and Senator Olympia Snowe, was expected to be referred to a senate committee on Wednesday. Shortly after a working draft of the legislation began circulating, some industry groups lined up to criticize it for giving the government too much control over the internet and the private companies that make it possible. "This gives the president too much power and there's too little oversight, if there's any at all," said Gregory Nojeim, senior counsel at the Center for Democracy and Technology. "It gives him the power to act in the interest of national security, a vague term that has been broadly defined." Nojeim was pointing to language in the bill that permits the president to "order the limitation or shutdown of internet traffic to and from any compromised federal government or United States critical infrastructure information system or network" after first declaring a national cybersecurity emergency. A separate provision allows the executive in chief to "order the disconnection of any federal government or United States critical infrastructure information systems or networks in the interest of national security." "It applies to any critical infrastructure," Nojeim added. "Surely, the internet is one." The bill would also require NIST, or the National Institute of Standards and Techn

Reform legislation is expected to be introduced this spring to update the Federal Information Security and Management Act, known as FISMA. A major complaint about FISMA is that complying with its rules does not necessarily guarantee departmental and agency information systems are secure. In this exclusive interview, Sen. Tom Carper, chairman of the Senate Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security, discusses: Key provisions in the bill to improve ways to measure and determine the security of federal government information systems; Efforts to create a government-wide Chief Information Security Officer Council; His views on the most pressing cybersecurity challenges facing the nation: identity theft and the viability of financial institutions and threats by foreign nations to federal information systems.

Physician groups press FTC for exemption from Red Flag Rules With a May 1 deadline for compliance looming, the American Medical Association (AMA) has asked the Federal Trade Commission (FTC) to suspend the application of the Red Flag Rules to physicians and publish a new rule so that physicians have an opportunity to provide comments. In a March 9 letter to the FTC, AMA Executive Vice President Michael D. Maves wrote that the AMA "strongly believes that the FTC did not provide physicians with an opportunity to review and comment on this Rule." Controversy. Under the Red Flag Rules, which were finalized in October 2007 under the Fair and Accurate Credit Transactions Act (FACTA), financial institutions and creditors must develop and implement written identity theft prevention programs. FACTA provides a broad definition of "creditor" as "any entity that regularly extends, renews or continues credit." The FTC has interpreted this definition to include health care providers and physicians. The AMA and several other medical trade associations have taken the position that physicians were not intended to be subject to the Red Flag Rules, but the FTC has held firm in its interpretation, in spite of the objections. In a Feb. 4 letter to the AMA, the FTC reiterated its position that "the plain language and purpose of the Rule dictate that health care professionals are covered by the Rule when they regularly defer payment for goods or services." The FTC also has taken the position that application of the Red Flag Rules to physicians will reduce the incidence of medical identity theft and will not impose a heavy burden on health care professionals. Rulemaking process. In addition to its claim that health care providers should not be classified as creditors, the AMA also has argued that the physician community was not informed that it would be subject to the Red Flag Rules.

Though Facebook has sometimes been criticized for sacrificing the privacy of its users in order to monetize the service, Chris Kelly, Facebook's chief privacy officer, has presided over the social network's efforts to build out the most sophisticated privacy options in the industry. On a granular level, Facebook users can now control what bits of information they share with each individual friend, group or network. Facebook users have taken notice. According to an annual study by the Ponemon Institute, a privacy research firm, Facebook ranks within the top 20 (15th) most trusted companies for privacy as rated by U.S. consumers. Kelly's job sometimes appears tricky, however. He must ensure that users feel they have control over their information, while weighing that need against Facebook's business model, which relies heavily on a culture of openness and sharing. Here is the full interview CIO conducted with Kelly during our reporting for a special feature on social networks and privacy. Kelly talked about what constitutes Facebook's overall view towards privacy, and how that affects its ability to serve up ads.

SAN JUAN, Puerto Rico-An identity-theft ring that catered to illegal immigrants seeking to establish themselves in the U.S. stole the personal data of 7,000 public school children in Puerto Rico, officials said Tuesday. Members of the ring broke into about 50 schools across the U.S. island territory over the past two years to steal birth certificates and Social Security numbers to sell to the illegal immigrants, the FBI and other agencies announced at a news conference. The victims were largely unaware their information had been stolen-and likely would not have learned of the thefts until they became adults and tried to buy something on credit, said assistant U.S. Attorney Julia Diaz Rex. "A kid is going to have a perfect credit history," Diaz said. "They reach 18, 20 years of age. They go buy a car and their credit is damaged." The authorities did not disclose how they uncovered the ring but said seven people have been arrested and one more is being sought. At least some of them were illegal immigrants from the Dominican Republic. Investigators determined the birth certificates and Social Security numbers were sold as a package in a number of states including Texas, Alaska and California, for up to $250, authorities said. Two suspects are accused of possessing nearly 6,000 birth certificates and Social Security cards. One was accused of intending to sell 40 Social Security cards for nearly $3,000, while another was seeking the same amount for 12 cards. The suspects in custody were being held on charges that include aggravated identity theft and social security fraud and face up to 15 years in prison, said U.S. Attorney Rosa Emilia Rodriguez. One suspect had been previously arrested for the kidnapping of a Dominican man last year that led to the shooting of a police officer during an FBI raid, said Luis Fraticelli, special FBI agent in charge of Puerto Rico. It is unclear if other members of the ring are at large, and whether they received help from sch

Premier Election Solutions (formerly Diebold Election Systems) admitted in a state hearing Tuesday that the audit logs produced by its tabulation software miss significant events, including the act of someone deleting votes on election day. The company acknowledged that the problem exists with every version of its tabulation software. The revelation confirmed that a problem uncovered by Threat Level in January, and reiterated in a report released two weeks ago by the California secretary of state's office, has widespread implications for election jurisdictions around the country that use any version of the company's Global Election Management System (GEMS) software to tabulate votes. "Today's hearing confirmed one of my worst fears," said Kim Alexander, founder and president of the non-profit California Voter Foundation. "The audit logs have been the top selling point for vendors hawking paperless voting systems. They and the jurisdictions that have used paperless voting machines have repeatedly pointed to the audit logs as the primary security mechanism and 'fail-safe' for any glitch that might occur on machines. To discover that the fail-safe itself is unreliable eliminates one of the key selling points for electronic voting security."

Hundreds of medical records kept by a longtime Acton family doctor who abruptly closed his practice last year are about to be destroyed, leaving patients without crucial information and exposing a gap in state law about who owns abandoned medical records. On April 8, a Lynn storage company is scheduled to discard the records and auction the equipment left by Dr. Ronald T. Moody, who was evicted from his office last September as state regulators pursued him, saying he was practicing without a license. Many of Moody's former patients have no idea that their records are slated for destruction: None has been notified, nor does the law require such notice. "We throw people's lives away on a daily basis, and, believe me, we go out of our way to try and find someone" to salvage belongings, said Jim Appleyard, owner of the storage company that was hired by Moody's former landlord to clean out the office and store the items for six months, as required by law. But the idea of dumping hundreds of patients' files without them knowing about it bothered Appleyard. Unable to find Moody, he contacted the state Board of Registration in Medicine and pleaded to take the dozens of boxes of records. The board regulates doctors and administers rules governing medical records of physicians in private and group practices.

1:53:26 - Jun 29, 2007 Recorded at the 8th www.ToorCon.org Information Security Conference, Sept 30th and Aug 1st, 2006 in San Diego, California. Content produced by www.MediaArchives.com --- PRIVACY IS DEAD - GET OVER IT, with Steven Rambam. This talk will include numerous examples of actual data and investigative online resources and databases, and will include an in-depth demonstration of an actual online investigation done on a volunteer subject. (The subject is Rick Dakan, a noted author, who will be present.) (From CNN: "...Rambam was scheduled to discuss how he dug up -- in just over four hours of searching private and public databases -- more than 500 pages worth of data on Rick Dakan, who was attending the conference and had agreed to participate in the project. "All I had given him was my e-mail and name," Dakan said. "He knew everywhere I'd lived, every car I had driven, and even someone else in Alabama who was using my Social Security number since 1983.Emphasis will be placed on discussing the "digital footprints" that we all leave in our daily lives, and how it is now possible for an investigator (or government Agent) to determine a person's likes and dislikes, religion, political beliefs, sexual orientation, habits, hobbies, friends, family, finances, health and even the person's actual physical whereabouts at any given moment, solely by the use of online data and related activity

(March 31, 2009) First Data Corp. announced on Tuesday it will use technology from Inside Contactless, a French chipmaker, for its Go-Tag product, a sticker that can be affixed to mobile phones to make them work like contactless-payment devices. Under the three-year agreement, Inside Contactless will supply so-called prelams, or chip-and-antenna elements, that card manufacturers can use to manufacture the stickers for First Data. Up to now, Go-Tags have been proprietary devices for use in so-called closed-loop networks involving individual merchants, but with Inside Contactless's technology the product will likely be usable by mid-year on the payWave and PayPass contactless platforms operated by Visa Inc. and MasterCard Inc., pending certification on those systems, according to industry sources. A First Data spokesperson will not comment beyond Tuesday's announcement concerning the company's arrangement with Inside Contactless to provide prelams for Go-Tags. In addition, CPI Card Group, a card manufacturer based in Littleton, Colo., last fall said it expected to ship millions of contactless stickers based on prelams from Inside Contactless (Digital Transactions News, Oct. 15, 2008). CPI's customers are financial institutions interested in using the stickers to permit contactless transactions on payWave and PayPass. CPI is a manufacturer of Go-Tags, but will not comment on any plans for that product. First Data's deal with Inside Contactless follows by one day an announcement by Blaze Mobile Inc., an Alameda, Calif.-based provider of applications for mobile devices, that it is introducing a similar sticker that will work on the PayPass platform. The product works with the Blaze Mobile Wallet, a service the 4-year-old company launched a year ago when it was known as Mobile Candy Dish Inc. (Digital Transactions News, April 10, 2008). The stickers link to prepaid accounts managed by MetaBank, a Storm Lake, Iowa-based unit of Meta Financial Group Inc. Devel

Welcome to GovInfoSecurity.com We have a new President, a new Administration, a new session of Congress ... and a new national mission throughout government to secure personal data and protect our borders from cyber threats. Information security has never been more important to the federal government - or to all of us, as we conduct personal and professional business in this electronic world. To track the progress of this new security-savvy Administration - and to give you the information and opportunity to present your opinions - we're pleased to introduce GovInfoSecurity.com, a new site dedicated to providing interactive news, views and training on all facets of federal government security.

Privacy Issues and Education: Peter Kosmala, International Association of Privacy Professionals April 1, 2009 From the Heartland data breach to the new Massachusetts data protection law, privacy is the hot topic in business and government. In an exclusive interview, Peter Kosmala, assistant director of the International Association of Privacy Professionals (IAPP), discusses: The top privacy topics in business and government; How organizations are tackling these issues; The potential impact of state and federal privacy legislation; The value of the Certified Information Privacy Professional (CIPP) credential. Kosmala oversees product management for the IAPP with specific oversight of distance learning products, privacy certifications and industry awards programs. He also manages business development efforts between the IAPP and peer organizations in the information security, information auditing and legal compliance arenas as well as organizations based in the Asia-Pacific region. The IAPP, based in York, Maine, was founded in 2000 with a mission to define, promote and improve the privacy profession globally.

Anatomy of a Data Breach Investigation: Alain Sheer, FTC Attorney February 17, 2009 The Heartland Payment Systems data breach is on everyone's mind, and the case is in the hands now of the Federal Trade Commission (FTC) if it chooses to investigate. While the FTC will neither confirm nor deny a Heartland investigation, staff attorney Alain Sheer does offer his insight on: How the FTC investigates data breaches like Heartland's; The timeline and milestones of such an investigation; Details of the CardSystems data breach - which closely resembles Heartland's.

Government Information Security Podcasts As a GovInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking. Click For More Info Insights on the Insider Threat: Randy Trzeciak of Carnegie Mellon's CERT February 25, 2009 We all know the risk of the insider threat is high, but what are the specific vulnerabilities for which organizations should be particularly vigilant? In an exclusive interview, Randy Trzeciak of Carnegie Mellon's CERT program discusses recent insider threat research, including: Patterns and trends of insider crimes; Motives and means displayed in real insider cases; What employers and staffs can do to prevent and detect crimes. Trzeciak is currently a Senior Member of the Technical Staff for the Threat and Incident Management Team in the CERT Program at Carnegie Mellon University's Software Engineering Institute. He is a member of a team in CERT focusing on insider threat research, including insider threat studies being conducted with the US Secret Service National Threat Assessment Center, DOD's Personnel Security Research Center (PERSEREC), and Carnegie Mellon's CyLab.

Government Information Security Podcasts Credit Eligible As a GovInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking. Click For More Info Heartland Breach -- What it Means to Banking Institutions: James Van Dyke, Javelin Strategy & Research January 29, 2009 The Heartland Payment Systems data breach - it's the first major security incident of 2009. But how big is it really? What are the key takeaways for banking institutions left explaining this breach to their customers? In an exclusive interview, James Van Dyke, Founder and President of Javelin Strategy & Research, discusses the implications of the Heartland case, offering insight on: Conclusions we can draw from the Heartland breach; How banking institutions should communicate with their customers; Vulnerabilities we should watch to avoid the next big breach. Van Dyke is founder and president of Javelin Strategy & Research. Javelin is the leading provider of independent, quantitative and qualitative research for payments, multi-channel financial services, security and fraud initiatives. Javelin's clients include the largest financial institutions, card issuers and technology vendors in the industry.

Data Privacy Trends: Randy Sabett, Information Security Attorney March 26, 2009 Activity at the State Level Points Toward a Federal Data Breach Notification Law Data privacy legislation -- the trend started in California and is being discussed heatedly in Massachusetts today. Data breach notification and privacy laws have now been enacted in 40 separate states, and government observers think we're close to seeing federal legislation proposed. In an exclusive interview, Randy Sabett, a noted privacy/information security attorney, discusses: Trends in state data privacy legislation; What these laws mean to businesses; The Obama Administration's approach to data privacy; Trends to keep an eye on throughout 2009. Randy V. Sabett, CISSP, is a partner in the Washington, D.C. office of Sonnenschein Nath & Rosenthal LLP, where he is a member of the Internet, Communications & Data Protection Practice. He counsels clients on information security, privacy, IT licensing, and patents, dealing with such issues as Public Key Infrastructure (PKI), digital and electronic signatures, federated identity, HIPAA, Gramm-Leach-Bliley, Sarbanes-Oxley, state and federal information security and privacy laws, identity theft and security breaches. He served as a Commissioner for the Commission on Cyber Security for the 44th Presidency.

Government Information Security Podcasts As a GovInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking. Click For More Info Probing Federal IT Security Programs: Gregory Wilshusen, GAO February 23, 2009 Government Accountability Office auditors will have a busy spring, examining a number of federal government programs aimed at securing government information systems and data. In an interview with GovInfoSecurity.com, Gregory Wilshusen discusses how the GAO is looking at how private industry and two dozen federal agencies employ metrics to measure the effectiveness of information security control activities. Other current GAO information security investigations he discusses include: Federal Desktop Core Configuration intended to standardize security features on personal computers purchased by the government. Trusted Internet Connection initiative aimed at slashing government Internet connections to fewer than 100 from more than 2,000. Einstein automated networking monitoring program run by U.S Computer Emergency Readiness Team. Gregory Wilshusen is director of information security issues at GAO, where he leads information security-related studies and audits of the federal government. He has more than 26 years of auditing, financial management and information systems experience. Before joining GAO in 1997, Wilshusen served as a senior systems analyst at the Department of Education as well as the controller for the North Carolina Department of Environment, Health and Natural Resources.

As health care providers determine how they will take advantage of the $19 billion allocated in the stimulus package to help jumpstart advances in health information technology (HIT), consumer appetite for electronic health records (EHRs), online tools and services is also growing, according to the results of the 2009 Deloitte Survey of Health Care Consumers (www.deloitte.com/us/2009consumersurvey). While only 9 percent of consumers surveyed have an electronic personal health record (PHR), 42 percent are interested in establishing PHRs connected online to their physicians. Fifty-five percent want the ability to communicate with their doctor via email to exchange health information and get answers to questions. Fifty-seven percent reported they'd be interested in scheduling appointments, buying prescriptions and completing other transactions online if their information is protected. Technologies that can facilitate consumer transactions with providers and health plans, like integrated billing systems that make bill payment faster and more convenient, are also appealing to nearly half (47 percent) of consumers surveyed. The survey of more than 4,000 U.S. consumers 18 and over was released today at the Healthcare Information and Management Systems Society (HIMSS) Annual Conference held in Chicago. It is the second annual study examining health care consumers' attitudes, behaviors and unmet needs conducted by the Deloitte Center for Health Solutions offering health care industry leaders and policymakers a timely look at how health care consumerism is evolving. "Consumers are increasingly embracing innovations that enhance self-care, convenience, personalization and control of personal health information," said Paul H. Keckley, Ph.D., executive director, Deloitte Center for Health Solutions. "Consumers want a bigger say in their health care decisions. Consumer demand for HIT and its potential impact on reforming the system has never been stronger." Despite strong con