Group items tagged

FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule At the request of several Members of Congress, the Federal Trade Commission is further delaying enforcement of the "Red Flags" Rule through December 31, 2010, while Congress considers legislation that would affect the scope of entities covered by the Rule. Today's announcement and the release of an Enforcement Policy Statement do not affect other federal agencies' enforcement of the original November 1, 2008 deadline for institutions subject to their oversight to be in compliance. "Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule - and to fix this problem quickly. We appreciate the efforts of Congressmen Barney Frank and John Adler for getting a clarifying measure passed in the House, and hope action in the Senate will be swift," FTC Chairman Jon Leibowitz said. "As an agency we're charged with enforcing the law, and endless extensions delay enforcement." The Rule was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring "creditors" and "financial institutions" to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have "covered accounts" to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities - known as "red flags" - that could indicate identity theft. The Rule became effective on January 1, 2008, with full compliance for all covered entities originally required by November 1, 2008. The Commission has issued several Enforcement Policies delaying enforcement of the Rule. Most recently, the Commission announced in October 2009 that at the request of certain Members of Congress, it was delaying enforcement of the Rule until June 1, 2010, to allow Congress time to finalize leg

"At the request of several Members of Congress, the Federal Trade Commission is further delaying enforcement of the 'Red Flags' Rule through December 31, 2010, while Congress considers legislation that would affect the scope of entities covered by the Rule.  Today's announcement and the release of an Enforcement Policy Statement do not affect other federal agencies' enforcement of the original November 1, 2008 deadline for institutions subject to their oversight to be in compliance….

The three-month extension, coupled with this new guidance, should enable businesses to gain a better understanding of the Rule and any obligations that they may have under it. These steps are consistent with the House Appropriations Committee's recent request that the Commission defer enforcement in conjunction with additional efforts to minimize the burdens of the Rule on health care providers and small businesses with a low risk of identity theft problems. Today's announcement that the Commission will delay enforcement of the Rule until November 1, 2009, does not affect other federal agencies' enforcement of the original November 1, 2008, compliance deadline for institutions subject to their oversight.

More enforcement coming SOX 404(b) will matter FCPA compliance Focus on risk management

"The Need for Risk-Based FCPA Compliance Assessments How To Deal With Increasing FCPA Risks In a Time of Shrinking Budgets In a time of dwindling funds, growing risks, and increased government targeting of companies that cut compliance budgets, a proper anti-corruption assessment is a vital first step in creating a cost-effective compliance program When a warning comes straight from the mouth of the U.S. Government's lead prosecutor in a field directly affecting their bottom line, it is wise for businesses to pay heed. In an interview earlier this year with PBS's investigative journal, "Frontline," Mark Mendelsohn, the Deputy Chief of the U.S. Department of Justice's Fraud Section, which is charged with enforcing the Foreign Corrupt Practices Act ("FCPA"), offered advice to all American businesses dealing with the current global recession. "I think that companies need to be especially vigilant in this economic climate to not cut back [on FCPA compliance]," Mendelsohn said. "Our law enforcement efforts are not going to be scaled back, and so it would be, I think, a grave mistake for a company to take that path.""

Notifications can be delayed if law enforcement determines it could hinder a criminal investigation

A new California law requiring that customers be notified of a breach involving their medical information is likely to influence legislation in other states.

"Eight months after the state's tough, new data privacy regulations went into effect, many businesses are still sorting through the rules and working to bring their firms into compliance. "

CERT'S PODCASTS: SECURITY FOR BUSINESS LEADERS: SHOW NOTES Tackling Tough Challenges: Insights from CERT's Director Rich Pethia Key Message: Rich Pethia reflects on CERT's 20-year history and discusses how he is positioning the program to tackle future IT and security challenges. Executive Summary CERT's vision is a securely connected world. CERT's mission is to enable informed trust and confidence in the use of information technology. To achieve this vision and mission, CERT has broadened its perspective to include the full system/software engineering and operations life cycle and is reaching out to thought leaders in the global IT and security community. In this podcast, Rich Pethia, director of the CERT Program at Carnegie Mellon University's Software Engineering Institute, discusses the past, current, and future state of Internet security and CERT's role in tackling future challenges as CERT celebrates its 20th anniversary. PART 1: LOOKING BACK, LOOKING FORWARD: THE GOOD, THE BAD, AND THE UGLY CERT's Vantage Point CERT's vision is a securely connected world, supported by CERT's mission of enabling informed trust and confidence in the use of information technology. As the director of CERT, Pethia has unique access to government, commercial, and industry leaders. The Good News Internet use continues to grow, not just in size (number of people, volume of traffic) but also in utility, for example: * the increasing amount of real government and business operations * the introduction of new applications * the growing use of new mobile appliances User awareness of the need to address security is increasing along with increasing attention from service providers (firewalls, virus protection, anti-spyware, data backup). Developers are paying more attention to building security into their products. Vendors have more mature processes for providing cost-effective, timely updates for software vulnerabilities. Users are more willing

MOUNTAIN VIEW, Calif. - August 4, 2010 - Symantec Corp. (Nasdaq: SYMC) today released the findings of its 2010 Information Management Health Check Survey, which highlights that a majority of enterprises are not following their own advice when it comes to information management. Eighty-seven percent of respondents believe in the value of a formal information retention plan, but only 46 percent actually have one. Survey results also found that too many enterprises save information indefinitely instead of implementing policies that allow them to confidently delete unimportant data or records, and therefore suffer from rampant storage growth, unsustainable backup windows, increased litigation risk and expensive and inefficient discovery processes.

Information security professionals face mounting threats, hoping some mix of technology, education, and hard work will keep their companies and organizations safe. But lately, the specter of failure is looming larger. "Pay no attention to the exploit behind the curtain" is the message from product vendors as they roll out the next iteration of their all-powerful, dynamically updating, self-defending, threat-intelligent, risk-mitigating, compliance-ensuring, nth-generation security technologies. Just pony up the money and the manpower and you'll be safe from what goes bump in the night.

"Research finds while most employees believe they understand their company's security policies, a large number have never received any formal policy education or training. How can an organization really ensure people understand risk?"

Another development affecting hospitals will be the nationwide implementation of the Medicare Recovery Audit Contractor (RAC) Audit program, Jesson noted. After testing the program in three states over the past three years, RAC auditors will begin auditing hospitals in Minnesota and other states for Medicare or Medicare fraud.

In many cases, banks or merchant service providers are now sending letters to organizations that have smaller payment card transaction levels and asking them to prove they are compliant by completing a self-assessment questionnaire, he explains.