Tuesday, May 29, 2007

Additional Stakeholders to Get Voice In Defining Payment Card Industry Data Security Standard

According to this article from Computer World, future developments in the Payment Card Industry Data Security Standard (PCI DSS) will be decided not only by the credit card brands, but also by an advisory board made up of other stakeholders, such as representatives of major retailers. Retailers, unsurprisingly, see this as a positive development: being PCI compliant can be a significant burden, and those who have to achieve that compliance (e.g., retailers) would like some say in how the standard develops. However, even with the new advisory board, there are still serious complaints about the standard. For example, Avivah Litan, an analyst at Gartner, explained that
Currently, each of the five credit card brands has its own implementation, auditing and enforcement practices, and it’s a huge challenge for businesses to keep up with all of them, Litan said. What’s really needed, she said, is a way to rationalize the implementation of the PCI standard.
Whether such rationalization will ever come is anyone's guess. Even without it, though, the PCI standard is likely to become a bit less onerous, and a bit more helpful, for those who are actually responsible for implementing it.

Wednesday, May 23, 2007

I-Spy Act Clears House

Yesterday, the House of Representatives voted to approve the Internet Spyware (I-SPY) Prevention Act of 2007. As a quick summary, the bill does not actually prevent, or even target, most spyware. The proposed legislation has two main substantive provisions. The first, proposed section 1030A(a), adds an additional five-year prison term for anyone who accesses a protected computer without authorization in furtherance of another Federal criminal offense. In other words, it has no effect whatsoever on behavior that is not already a crime. The second, proposed section 1030A(b), makes it a crime to access a protected computer without authorization and install software on it "with the intent to defraud or injure a person or cause damage to a protected computer." Nothing in the bill indicates that installing software which simply monitors the user's behavior and reports it to a third party, for purposes other than defrauding or injuring a person or damaging a protected computer, would come within the act's reach. Thus a significant portion of spyware, namely the kind that reports Internet users' browsing habits for commercial gain, would arguably be outside the scope of the so-called Spyware Prevention Act.

Of course, it should be kept in mind that I-SPY has only passed the House, so it is impossible to know what provisions the bill will contain if it gets through the Senate and becomes law. To the extent that the act is passed in its current form, however, it will likely have little real effect on the prevalence of spyware on the Internet.

Thursday, May 17, 2007

Keep an Eye on Contractors

According to this article from Computer World, IBM has announced that, due to a "transportation incident" with one of its vendors, two tapes containing sensitive employment data have been lost. This is a particularly embarrassing failure for IBM, because the company touts its own security and privacy services as a way to stay "one step ahead of hackers and other threats." It should also be a reminder for all companies that good data security isn't limited to internal systems: it means taking responsibility for your data regardless of where (or with whom) it is physically stored, which in practice means contractual requirements on the vendor (encryption of media in transit, chain-of-custody records) and verification that they are being followed.

Saturday, May 12, 2007

New Data Laws Percolating Through House

According to this article from CNET, two bills are slowly wending their way through the House committee structure on their way to a floor vote. The first, the SPY Act, is intended to prohibit certain practices commonly used by online advertisers that place additional data or programs on users' computers. The second, the Social Security Number Protection Act, would ban the sale of Social Security numbers, though the bill carves out exceptions to the ban and raises concerns among privacy advocates because it preempts potentially more stringent state laws.

The biggest question with both of these bills, of course, is what will happen to them when they reach the House floor, and what compromises will be made to get them through the Senate. Whatever compromises are made, however, it seems likely that in the near future there will be (at least) one more set of federal requirements to worry about for entities which store, collect or distribute information about third parties.

Wednesday, May 9, 2007

Planning for the Morning After

Computerworld has an interesting article up about what to do when your company's data security has been breached. Key points in the article include a to-do list (rely on your plan, work with the right people, identify the problem and dig deeper, communicate with stakeholders, connect with colleagues, support your people, move the organization ahead, and take a final look back) as well as a not-to-do list (don't create a power vacuum, don't promise what you can't deliver, don't push too much change too fast, and don't be too hands-on) for companies seeking to survive a data security breach. Definitely recommended reading for anyone interested in practical advice on what to do when something inevitably goes wrong.

Sunday, May 6, 2007

Don't Forget the Laptops

While it's easy to focus on the threats posed by hackers, simple physical theft or loss should also be a major source of concern for anyone seeking to minimize the risk of unauthorized information access. As if to provide an object lesson on this point, the TSA (yes, the same people who make you take your shoes off when you need to board a plane) has reported that a lost external hard drive has put Social Security numbers, and bank and payroll data, for about 100,000 current and former employees at risk (see article here and the TSA's public statement here). This is exactly the kind of incident that a good security policy, designed with more than just hackers in mind, could have prevented. Ideally, TSA's policy would have prohibited such sensitive data from being stored in unencrypted form on such an easily lost (or stolen) device, and would have included some way of checking that the prohibition was actually followed. Apparently the TSA either didn't have, or didn't enforce, such a policy, and as a result it will be paying for a year of free credit monitoring for potentially affected employees.
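A policy that forbids plaintext personal data on portable media is only as good as the check that enforces it. The following is an added example (not code from the original post, and nothing to do with the TSA's actual systems) of the kind of scan a practitioner would run over a removable drive before it leaves the building: walk the tree, skip files that look like ciphertext or other binary data, and count Social Security numbers that pass the SSA's structural rules so that phone numbers and account numbers don't pile up as false positives. The directory contents are constructed sample data, and the "looks encrypted" test is a deliberately crude printable-ratio heuristic, which is an assumption of this example rather than a reliable way to detect encryption.

```python
"""Scan a directory for files that appear to hold unencrypted U.S. Social
Security numbers, so that a 'no plaintext PII on portable media' policy can
actually be enforced. Added example; not the original post's code."""
import os
import re
import tempfile
from collections import Counter

# Dashed or undashed 9-digit groups; the \b anchors stop matches inside longer numbers.
SSN_RE = re.compile(r"\b(\d{3})-?(\d{2})-?(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues (area 000, 666 or 900-999, group 00,
    serial 0000). This cuts false positives from other 9-digit identifiers."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def looks_encrypted(data: bytes) -> bool:
    """Crude heuristic (an assumption of this example): plaintext records are mostly
    printable ASCII, while ciphertext and compressed blobs are not."""
    if not data:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return printable / len(data) < 0.7


def scan_file(path: str) -> int:
    """Return the number of plausible plaintext SSNs found in one file."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if looks_encrypted(raw):
        return 0
    text = raw.decode("utf-8", errors="replace")
    return sum(1 for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups()))


def scan_tree(root: str) -> Counter:
    """Map each offending file (relative path) to its SSN count."""
    hits: Counter = Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            n = scan_file(path)
            if n:
                hits[os.path.relpath(path, root)] = n
    return hits


def build_sample_tree(root: str) -> None:
    """Constructed sample data, not real records."""
    os.makedirs(os.path.join(root, "hr"), exist_ok=True)
    with open(os.path.join(root, "hr", "payroll.csv"), "w") as fh:
        fh.write("name,ssn,acct\n")
        fh.write("A. Example,123-45-6789,111222\n")   # plaintext SSN, dashed
        fh.write("B. Example,287654321,333444\n")     # plaintext SSN, undashed
        fh.write("C. Example,000-12-3456,555666\n")   # invalid area 000: ignored
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("call 555-123-4567 re: ticket 4711\n")  # phone number, not an SSN
    with open(os.path.join(root, "payroll.csv.enc"), "wb") as fh:
        fh.write(bytes(range(256)) * 4)  # stands in for an encrypted copy


def demo() -> Counter:
    """Build the sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, n in sorted(demo().items()):
        print(f"{path}: {n} plaintext SSN(s)")
```

On the sample tree only hr/payroll.csv is flagged, with two hits: the phone number and the 000-area entry are rejected by the structural filter, and the binary stand-in for an encrypted copy is skipped. In a real deployment the scan would be tied to a policy gate (block the copy, or page someone) rather than just printing a report.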

Wednesday, May 2, 2007

Google to Assist State Governments with Making Records Accessible

The clash between government watchdogs' wish for open access to government information and privacy advocates' efforts to protect the public's personal information has intensified as a result of Google's agreement to assist in making public records more readily available online. Google has offered two technologies at no cost to state governments wishing to simplify online searching of government records. Four states (Virginia, Arizona, California and Utah) have accepted Google's offer and have enhanced the search engines on their government websites with Google's technology. Privacy advocates expressed concern that the information being made more readily available is often of a confidential nature. They point to the less than stellar record state governments have compiled in protecting their residents' confidential information, and to the increased risk of identity theft should records containing information like Social Security numbers become more readily available. State governments need to identify those online records that may contain confidential personal information and redact that information, or withhold the records from public search, before the records are indexed; encrypting a record that the site will then serve to any requester protects nothing.

Tuesday, May 1, 2007

Printing Firm Fired After Security Breach

The frequent press reports of new security breaches tend to focus on the number of customers or employees affected and on the potential for identity theft or other malfeasance resulting from the breach. However, a recent report in the Boston Globe reveals another casualty of a security breach: the termination of the printing service contract with the company responsible for it. The Boston Globe reported that the State of Massachusetts has cancelled its contract with Indianapolis-based Allison Payment Systems, worth $235,000 a year, for mailing forms to taxpayers that contained their neighbors' Social Security numbers. Allison acknowledged the error and blamed it on a computer system malfunction. However, the Massachusetts Department of Revenue, which audited Allison's automated operations after the breach, concluded that the company did not have adequate internal controls in place. (Source: Boston Globe)