Tuesday, March 27, 2007

What do the Leaders Do Differently

The IT Policy Compliance Group has published a useful research report describing best practices for decreasing the incidence of sensitive data loss. One particularly interesting feature of the report is its comparison of what makes leading firms (i.e., those with the fewest lost-data incidents) unique. Specifically, the report shows that leading organizations uniquely employ multiple IT controls to help protect sensitive data, and monitor and measure their data protection controls and procedures once every four days. The report also shows that leading firms consider two types of non-core business data (IT security data and regulatory audit and reporting data) to be among their most sensitive data. Thus, the report provides not only good comparative data but also guidance for improving existing practices, and should be considered recommended reading for any organization interested in reducing data loss.

Thursday, March 22, 2007

IM Best Practices

Symantec has put out a white paper which discusses some of the compliance issues related to instant messaging. A particularly useful aspect of the paper is a handy (though not exhaustive) list of regulations which are related to corporate instant messaging.

Wednesday, March 21, 2007

Best Practices For Security Breaches

How important is it for businesses to safeguard data? This article from ComputerWorld cites a study which pegs the cost at $182 for each record lost or exposed. Of course, costs can easily rise beyond that level, as happened in the case of ChoicePoint, which lost $720,000,000 in market capitalization as a result of a breach which compromised 145,000 customer accounts.

Happily, such costs are not a foregone conclusion, and there are some steps which businesses can take to help limit the risk of a breach. The ComputerWorld article advises measures such as establishing a culture of control, categorizing data in terms of risk, and educating employees about security precautions in order to minimize the chance of losses. While the article's recommendations make sense, I would add damage mitigation measures to the list as well, since it is simply unrealistic to expect that any security policy will be foolproof. For example, laws such as California's security breach notification law do not treat all breaches equally, and an organization which designs its data storage policies with those laws in mind will be in better shape than one which simply hopes that a breach will never happen.

Monday, March 12, 2007

Private Sector Responding to Data Privacy and Security Concerns

While my last post discussed whether federal data security legislation was inevitable, it seems that industry isn't waiting for Congress to act before implementing measures which should be welcome news for anyone concerned with the security of their personal information. First, on the 12th, Seagate Technology announced that a manufacturer would begin selling laptops with built-in encryption technology. According to this article, the new machines
will include a chip that makes it impossible for anyone to read data off the disk, or even boot up a PC, without some form of authentication.
thus (hopefully) making the scares that follow the loss or theft of laptops containing sensitive information a thing of the past. Also, coming fast on the heels of the Seagate announcement, Google has announced that it will revise its data retention policies to protect user privacy. According to this article, Google will begin implementing a policy to anonymize user search records 18-24 months after their creation. While some privacy advocates, such as the Electronic Privacy Information Center's executive director, Marc Rotenberg, say that Google's new policy doesn't go far enough, it should be a welcome improvement over Google's current policy of maintaining identifying information in search records indefinitely.

Thursday, March 8, 2007

Are Federal Data Privacy Laws Inevitable?

The possibility of a federal data privacy law being enacted is once again in the news as Bill Gates said that there was a critical need for such legislation at a dinner hosted by the Center for Democracy and Technology. According to this article from CNET the Microsoft co-founder argued that the key was to put in place

explicit policies about where information can be used while at the same time having enough information to track down egregious behavior
and Senator Patrick Leahy stated that he was ready to re-introduce his Personal Data Privacy Act to try and achieve that goal.
However, the big issue, which neither Gates nor Leahy addressed, was whether there was a realistic likelihood that any data privacy legislation from Washington would improve data privacy practices, or whether the primary effect of such legislation would be to preempt tough state laws on the books today, such as California's SB-1386. While there is no sure way to know what will happen in Congress, my guess is that, if Washington enacts data privacy legislation, protections such as those afforded by California's law will be a thing of the past.

Wednesday, March 7, 2007

Federal Data Security Bill Still At An Impasse

Lobbyists for the financial services industry are expressing concern that the Democratically controlled Congress may produce a data security bill that is more onerous than what the industry had been hoping for, and that gives state attorneys general more enforcement authority than they would like to see. The difficulty that has stymied an agreement on legislation thus far has been the inability of the financial services industry to work out jurisdictional issues with states, as advocated by the House Energy and Commerce Committee. That Committee would subject banks to rules written and enforced by the FTC and state attorneys general, and has reintroduced a bill to that effect that was approved in committee last year. The Financial Services Committee, on the other hand, hopes to work out the jurisdictional issues with the E&C Committee in order to introduce a compromise bill. On the Senate side, the chairman of the Judiciary Committee, Senator Patrick Leahy, has reintroduced a far-reaching data security bill approved by his committee last year, that also defers to the authority of the state attorneys general. Joining this Senate bill are two other Senate bills introduced by Senator Dianne Feinstein, one outlawing the sale of Social Security numbers, and the other a data breach notification bill. The American Bankers Association supports a data security bill, but opposes the involvement of state attorneys general. It is concerned with the regulatory burden of multiple state standards, and has been lobbying for a single national standard. Thus, lobbyists for the financial industry state that the industry would not be disappointed if the bills, as currently written, do not move forward during this session of Congress.

Friday, March 2, 2007

More Pressure for Data Retention from Washington

According to this article from CNET, the Department of Justice is pushing for more data retention by Internet service providers. The purported justifications for this new push are combating child pornography and (of course) anti-terrorism. The problem (or one of them) with this is that longer and more extensive data retention is, from a security standpoint, a policy which should be discouraged, not mandated. For example, section 3.1 of the Payment Card Industry Data Security Standard (available here, though you have to agree to a license) mandates that as little cardholder data as possible be retained, since the more data is retained, the more data could potentially be stolen and/or used for unauthorized purposes. Whether such concerns will have any impact at all in Washington remains to be seen, but they indicate that the more involvement the government has in determining data retention policies, the more potential risks consumers will face.