Free Web Security Books, Whitepapers, and Reports

The Shortcut Guide to Business Security Measures Using SSL

This guide examines current information security threats to business and describes techniques for developing a security management strategy that leverages established best practices. Designed for IT professionals and business managers, this guide provides an overview of security threats, their impact on businesses, and, perhaps most importantly, practices and technologies for controlling security risks. The first chapter begins with a discussion of cybercrime and the business resources targeted by increasingly sophisticated and organized attackers. The second chapter moves to examine how common weaknesses in business processes, such as insufficient use of SSL, leave organizations vulnerable to data breaches and compromised systems. The final two chapters address how to create a high impact security strategy and implement best practices, including multiple uses of SSL technologies, to protect your business.

A Prescription for Privacy: What You Need To Know About Security Requirements for Electronic Health Records

Learn the measures that organizations need to start taking right now to prepare for the upcoming changes in the healthcare industry. As organizations implement EHRs, or ramp up their existing systems to make them more robust, concerns about patient privacy will move to the forefront. This report looks at the challenges surrounding the new world of EHR technology, including the requirements that govern protecting confidential patient data online, as well as security breaches and other risks that come with storing and accessing that information with web-based systems.

Beginners Guide to Digital SSL Certificates

Whether you are an individual or a company, you should approach online security in the same way that you would approach physical security for your home or business. This guide will de-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.

Implementing Best Practices for Web 2.0 Security with the Websense Web Security Gateway

The way to address Web 2.0 threats that combine the best aspects of traditional security and control techniques is with new technology designed specifically to address the dynamic, real-time nature of Web 2.0. This paper describes how the Websense Web Security Gateway enables you to quickly and effectively implement a best practices approach to making Web 2.0 secure and effective.

Mobile Device Management and Security

How to benefit business users with secure mobile access to corporate data systems and the solutions that work. The evolution of mobile networks and devices has changed the way we communicate, with people increasingly able to stay in touch through greater mobility and flexibility than ever before. This evolution is also changing the way people work. Time and money can both be saved when mobile employees have easy access to information and their corporate IT infrastructure. At the same time, the security of that information as well as the ability to manage access to it has never been more important. Learn about the fundamentals of security and device management and how you can provide secure mobile access to corporate data systems and benefit business users.

Financial Industry Modern Day Privacy Policies

Financial Privacy & Electronic Commerce: Who’s In My Business? That is the question. The financial industry, whether banking, investments, or credit card services, faces an ever-changing landscape when it comes to privacy, and if firms are to safeguard themselves and their consumers, a proper plan must be implemented. There are a number of challenges surrounding privacy in terms of data protection, consumer confidence, supplier partnerships, and of course laws and regulations. The financial industry is particularly at risk because of the nature of its business as well as the sheer volume of transactions and the sizable customer base. Not only does the Internet pose what is likely the single largest risk in the realm of privacy, but traditional communications must also properly address privacy.

To set the stage for what privacy means, Webster’s dictionary defines privacy as the quality or state of being apart from company or observation. With the definition of privacy clear, the financial industry must account for laws and regulations in order to safeguard both itself and its customers. To address privacy it is imperative to establish a policy that outlines how a bank manages and shares personal information. Many banks use personal information to build partnerships, provide a good or service, or even to assist in protecting against fraud and identity theft. At this point, the scope of privacy begins to take form.

Over the years, a business typically used paper-based statements and communications to convey information, but in the modern day the Internet has improved on the legacy business model. While the Internet has not entirely replaced the legacy model, it offers convenience for consumers and at the same time helps reduce costs for a business, at least in terms of traditional mailers. Of course, the Internet also opens the door to hackers who can exploit vulnerabilities as well as take advantage of the population that does not follow sound security practices. In order to properly address privacy, then, the financial industry must abide by laws and regulations while also sharing in the responsibility of educating suppliers, partners, and consumers.

This article takes a deeper dive into the financial industry, comparing and contrasting its practices and recommending the changes that must occur.

Organization and Mission

The banking industry exists to serve customers, whether individuals, corporations, or groups. The role of a bank is to facilitate the end goal of financial freedom and investment. The banking industry is also a staple of both the United States and global economies, which in turn drives a robust need for regulations and laws. Typically, a mission statement may include:

  1. Provide best-of-breed financial services
  2. Be accountable to shareholders and customers

By its nature the banking industry is at abundant risk simply because the amount of sensitive customer data it holds is enormous. The details of personal information and daily transactions drive strong concerns from customers from both a privacy and a security point of view.

Privacy Policy and Laws

The Federal Deposit Insurance Corporation (FDIC) is in place to aid in protecting the privacy of participants and the overall banking industry. The FDIC commonly provides both high- and low-level guidance in the area of financial activities and operations, and in other limited circumstances such as where required for law enforcement and public disclosure activities. In addition, only the minimum necessary information will be used, except in limited situations specified by applicable law. Other uses and disclosures of financial transactions will not occur unless the customer authorizes them. Customers will have the opportunity to inspect, copy, and amend their privacy elections as required by existing laws and regulations. Privacy is extremely important within the financial industry. Customers may also exercise the rights granted to them under these same laws and regulations free from any intimidating or punitive acts. The public in general is becoming much more educated and aware of the risks to personal information and of how all facets of business share information; because of this, there are two fundamental principles:

  1. Establish both initial and annual privacy policies
  2. Provide a mechanism for customers to opt in or opt out with information sharing

There are established acts that allow banks to share customer information, and one such act is the Gramm-Leach-Bliley Banking Modernization Act of 1999. Oddly enough, the Gramm-Leach-Bliley Banking Modernization Act is rooted in a case involving Victoria’s Secret. In this case, Representative Joe Barton of Texas felt that his credit union had disclosed his address to Victoria’s Secret even though he had not established a business relationship with Victoria’s Secret. As we turn our attention to the scope of technology and the variety of uses it brings to the table, it becomes apparent that technology helps in everyday life activities but at the same time has unmistakably broken down other aspects of privacy.

Policy and Law Changes

The single largest challenge within the financial industry may be how privacy is addressed in terms of business and the end consumer. While there are both modern and historical laws and regulations, they often conflict with one another or, worse, leave open opportunities that are easily exploited or perhaps entirely overlooked. The banking industry as a whole is doing a much better job with privacy, but as technology and business partnerships continue to evolve, so does the need to revisit current policies and laws.

Data collection and sharing have become so important to conducting business that ethics takes center stage. Over two decades ago, four ethical issues of the information age were identified and a new acronym, PAPA, was born: privacy, accuracy, property, and accessibility. The challenge is to take all existing laws, whether at the state or federal level, and balance them across the banking industry while keeping in mind the needs of the business and, most importantly, the customers.

Individual Rights

All consumers must have the right to access, inspect, and copy their information in accordance with policy and laws. The banking industry generally must honor these rights, except in certain circumstances where the information may result in a breach of the privacy that a spouse or family member is entitled to under applicable laws. Only once consumers begin to understand their rights will they be in a better position to both protect those rights and self-police the banking industry. Of course, this is easier said than done. Most consumers are provided privacy information by the financial vendor with which they conduct business, but the information is confusing at best. Stop and consider for a moment the process a consumer undergoes when opening a checking account with a bank. The bank adheres to laws and provides a privacy statement, but more often than not these privacy statements are written in legal terms rather than common everyday language. The Federal Trade Commission (FTC) plays a vital role between consumers and industries. Overall, the FTC performs up to expectations in terms of consumer protection, and one such example is the Fair Information Practice Act of 1997. This act outlines five core principles:

  1. Notice and Awareness
  2. Choice and Consent
  3. Access and Participation
  4. Integrity and Security
  5. Enforcement and Redress

Liability

Should banks not conform to laws and regulations, the results can be disastrous to the industry itself, but more importantly they have the potential to destroy personal financial freedom. For example, Chase Manhattan Bank was charged with selling its customers’ purchase histories, and an agreement was reached in 2000 with the New York State Attorney General’s office. There are many other cases, relating directly to the Chase Bank infraction, that have driven the need for strong penalties when privacy is violated. To better understand the liabilities surrounding privacy, one must first understand the measures of protection, which may include:

  1. Implement a clean desk practice. Personally Identifiable Information (PII) must be put away whenever the employee is away from his or her desk during the day, and PII will be placed in closed and locked drawers or cabinets when the employee is not in the office.
  2. PII in paper format will be destroyed when it is obsolete or is not required to be retained for storage purposes, with shredding the preferred method of destruction.
  3. Limit the substance of PII in conversations with partners and other outside vendors to the required minimum necessary.
  4. Implement reasonable measures to prevent other individuals from overhearing conversations, e.g., using speakerphone only when in a closed office.
  5. Limit remote access to systems to secure methods.

By starting with these five points, the groundwork takes shape and a clear understanding of risks begins to surface. Only once risks are identified and categorized can liability be reduced, by taking those risks and building out strong policies and procedures around them. In the case where a bank conducts business over the Internet, the Federal Reserve Board (FRB) has established guidelines under which additional disclosure rules are needed to both protect consumers and reduce the liability of the company in question.

Risk Management

Managing risk is a shared responsibility of both the financial industry and consumers, and each must participate in certain risk management activities to ensure compliance. The business has the greatest responsibility, and because of this there are numerous opportunities for it to reduce risk:

  1. Workforce training on the Policies and Procedures
  2. Developing a complaint process for individuals to file complaints
  3. Designing a system of written disciplinary policies and sanctions
  4. Mitigating damages resulting from improper use or disclosure
  5. Retaining copies of its Policies and Procedures, written communications, and actions

Some of these risk management rules require stakeholders to design processes affecting employees under their control.

Complaints

Banks must have an established process for handling a person’s complaint about privacy policies, procedures, practices, and compliance. The resolution of a complaint depends on its particular facts and circumstances. Examples of viable complaint resolutions include:

  1. Educating the consumer
  2. Implementing changes in the policies, procedures, and practices
  3. Providing appropriate training for employees
  4. Issuing new communication materials both to the company and consumers

This process assists in properly addressing consumer concerns as well as helping banks meet their legal obligations.

Security Implications

At the end of the day, privacy is much more than just protecting information. When a bank’s information is breached, whether by hackers or through the everyday conduct of business, the results are extremely damaging. Identity theft is a billion-dollar criminal enterprise, and it all starts with improper privacy practices. While many countries have defined agencies that oversee privacy, the reality is that these same agencies tend to be rooted in existing laws that are outdated, or must themselves advocate for new laws.

Conclusion

At this point, the gravity of privacy as applied to both the banking industry and consumers should be a call to action. Banks must make every reasonable effort to protect the privacy rights and interests of consumers in the collection, use, transfer, or retention of information to prevent inappropriate or unnecessary disclosures of information.

In closing, the following is instrumental to continually understanding and measuring privacy concerns. The financial industry must make every reasonable effort to protect the privacy rights and interests of consumers and their partners, including by preventing unnecessary disclosures of information. The industry must further comply with all existing laws and regulations. Since technology has become commonplace, online privacy opens another area of concern that warrants a drastic change in regulations. Of course, the challenge is the ever-changing technology landscape, which typically drives the parties who enact laws to move quickly while often not fully comprehending the challenges surrounding modern-day technology.

References

  1. Burton, R. N. (2000). Discussion of information technology-related activities of internal auditors. Journal of Information Systems, 14(1), 57. Retrieved from http://www.atypon-link.com
  2. Earp, J., & Payton, F. (2006). Information privacy in the service sector: An exploratory study of health care and banking professionals. Journal of Organizational Computing & Electronic Commerce, 16(2), 105-122. doi:10.1207/s15327744joce1602_2
  3. FDIC. (2001). Privacy Rule Handbook. Federal Deposit Insurance Corporation (FDIC). Retrieved on November 13, 2011 from http://www.fdic.gov
  4. Hale, R. (2001). Federal privacy regulation of Internet credit card advertising and solicitation. Journal of Internet Law, 4(7), 16. Retrieved from http://www.aspenpublishers.com
  5. Hoofnagle, C., & Honig, E. (2005). Victoria’s Secret and financial privacy. Retrieved from http://epic.org/privacy/glba/victoriassecret.html
  6. Mason, R. (1986). Four ethical issues of the information age. MIS Quarterly, 10(1), 5-12. Retrieved from http://www.jstor.org
  7. Nilakanta, S., & Scheibe, K. (2005). The digital persona and trust bank: A privacy management framework. Journal of Information Privacy & Security, 1(4), 3-21. Retrieved from http://www.ivylp.com
  8. Warren, A. (2007). Stolen identity: Regulating the illegal trade in personal data in the ‘Data-Based Society’. International Review of Law, Computers & Technology, 21(2), 177-190. doi:10.1080/13600860701492187

Regulatory Requirements And PCI Standards

Attacks on all facets of business emphasize the importance of cyber security to every business. It is an important reminder, as many businesses see the threat of cybercrime as too remote to be worth the high cost and effort. Restaurants and retail outlets are particularly vulnerable because their point-of-sale systems are usually connected to the Internet. Small businesses that execute transactions online also expose merchant transactions to would-be attackers. The variety and scope of strategies available to cyber criminals are vast. These strategies include website compromise, email spamming, social engineering, and viruses obtained from social networking sites. Typical anti-malware programs and a few personal identification numbers are no longer effective protection for small businesses against cybercrime.

In most facets of business, a large percentage of financial transactions occur electronically, by credit or debit card. Since these types of transactions carry an inherent security risk, acceptable standards needed to be defined. Many businesses fail to follow the Payment Card Industry (PCI) standards. Many business owners could avoid intrusions if they made sure that their point-of-sale software was up to these standards. PCI standards include a variety of measures that are particularly relevant for business owners but which are often overlooked. These security measures include employee security awareness training, policies and procedures, transaction security measures (such as encryption standards and PIN codes), and frequent vulnerability scans. According to the PCI Security Standards Council, most network intrusions into small business databases take place in businesses that fail to meet PCI standards. The Payment Card Industry Data Security Standard (PCI DSS) outlines requirements that enforce proper measures for processing, storing, and transmitting data securely. PCI DSS serves a purpose; however, many believe this regulation is nothing more than a hurdle to the true problem of security, and because of the controversy the PCI Standards Council has begun addressing a number of updates. The proposed changes begin to tackle the use of technology to find vulnerabilities as well as secure coding fundamentals early in the Software Development Life Cycle (SDLC). While PCI DSS addresses the issue of security, it does not remove the responsibility a business has; in fact, Bob Russo of the PCI Security Standards Council stated:

Ultimately, it is the merchant’s responsibility to make sure that they have the right contracts in place, and make certain that their providers are working in a compliant manner.

Still, business and industry experts are speaking out, saying that PCI DSS is often too slow to adapt to the constant change of technology. For example, in 2006 TJX Companies fell victim to a breach via wireless technology, and the PCI Security Council did not produce guidance in this area until mid-2009.

Along with achieving PCI DSS compliance comes the task of addressing additional components of security that apply at all levels of business. While regulations set the direction and the expectation, they do not address how to achieve compliance. Because of this, a business must define internal processes that ensure compliance by accounting for training, policy, communications, and planning. Many therefore argue that regulations lead to conflict with the day-to-day operations of Information Technology (IT) when it comes to true security. While many would like a solution that clearly defines expected behaviors and outcomes, this is not realistic. Every business must define the processes that work best in its given circumstances.

While many companies may feel that regulations place an undue burden upon them, the reality is that security breaches typically decrease. It is a proven fact that businesses that adopt PCI DSS and take on its challenges are much more secure than those that do not. To support this assertion, a recent 2011 PCI DSS Compliance Trends Study depicts the value realized by organizations that adopt PCI DSS.

What is probably most alarming is that the businesses that suffered one or fewer breaches were non-compliant. Could it be true that PCI DSS is nothing more than a hindrance? To answer this question it is important to note that among businesses that suffered two or more breaches, breaches increased relative to those businesses that were compliant. The lesson to take away is that regulations were never intended to be the final solution; rather, they are intended to provide assistance and direction.

U.S. Government Cybersecurity Role in Private Industry

What is the U.S. Government’s cybersecurity role in private industry? At the epicenter of cybersecurity resides the difficult task of how organizations tackle security in every sense of the term. While many groups argue that the United States Government has an obligation to enact laws and regulations that both assist and provide guidance in the cyber world, this is a highly debatable subject. In reality, business conducted via electronic means has advanced so quickly over the last ten years that legislation has fallen behind to the point that today the risks are vast. National security is at risk, and electronic cyber warfare is increasingly important and similar to the traditional responsibility of the United States Military to protect citizens from both domestic and foreign threats. To put the urgency of this matter into perspective within the private sector, one need only reference the cyber-attacks upon Sony and its PlayStation Network in early 2011. Once the smoke cleared, the estimated financial impact was $170 million. Beyond the obvious financial impact to a business is the concern about consumers. It is clear that while security education is on the rise, basic security measures are ignored by many organizations for reasons that are not clear.

What better way to begin addressing the relationship between the United States Government and the private sector than to turn to the Chief Executive Officer (CEO) of Northrop Grumman and his remarks on cyber-attacks. In September 2011, Wes Bush was addressing an audience at the Aerospace and Defense Summit and made the statement that further regulations are warranted to address cyber security (Wutkowski, 2011). In today’s political climate, this statement is clearly in the minority, as many are now calling for less regulation. The need for regulations may be questionable, but it does set the stage for the debate to combat the problem at a level where a variety of interested parties will have a voice in the matter.

There have been partnerships that span across the government to include cabinet-level departments, states, other countries, and over sixty private sector organizations. This partnership, called Cyber Storm, has the purpose of identifying threats, establishing procedures, addressing information sharing, and capturing lessons learned (Homeland Security, 2011). Cyber threats are not isolated to the private or public sector; therefore, partnerships such as Cyber Storm bring these sectors together to best address the ever-growing cyber threat.

Over the last decade, more and more regulations have become law that level the playing field and protect both business and consumers. Many individuals claim that the federal government has done nothing but intrude into private business, to a degree that businesses often believe the federal government has crossed the line (Fisch, 2004).

High Level Threat Overview

Cyber threats stem from a wide range of technologies, as well as from arguably the greatest challenge, the individual. Only once these threats are defined and understood does the bigger picture come into focus. Verizon Security publishes a security findings report each year, and figure 1 demonstrates how the mechanisms of security incidents differ as well as outlining the landscape in which they occur (Baker, 2011).

Government Responsibility

While I understand the role of the government, the concern is that many regulations may not have been completely and appropriately addressed, because technology is both complex and a moving target. For example, the U.S. Congress has taken up a bill that addresses personal data privacy and security, which on the surface sounds like a noble cause. The issue may be that Congress is not entirely capable of instituting the details, which will be executed within the affected entities across the nation. While this bill outlines legal authority and defines the roles clearly, it is not entirely clear in the details of implementation and execution. The most alarming part of this bill is that Internet Service Providers (ISPs) are mandated to keep 18 months of history on their customers. While the bill speaks to security, it does not provide meaningful and clear guidance, and if we continue to see data breaches like those that occurred in 2011, a breach of this retained private data will become the single greatest risk.

Often regulations lay the framework but fall short in properly addressing the underlying problem, and security is a moving target. To overcome this, the government should partner with business experts to address the shortcomings of regulations.

Businesses typically do a good job of protecting themselves, their employees, and their infrastructure, but often come up short in protecting consumers. In fact, consumers depend entirely too much on the organizations they conduct business with to establish and provide proper security measures (Crews, 2007). Obviously, this dependency was shown to be fundamentally flawed when Sony’s PlayStation Network fell victim to a substantial cyber-attack.

This bill, as well as past and future regulations, will begin addressing both privacy and security as organizations begin to understand the scope of the risk. One argument is that anonymity contributes to the security problem, and there are those who believe individuals must be clearly identified, much as a driver’s license identifies a person (Crews, 2007). A modern-day example of taking identity seriously is Google+ and the real, verifiable names it requires, which in its own right has been surrounded with controversy. In order for the Internet to become a safer environment, we must undergo change, and there will be growing pains. While no one desires the “big brother” effect, our government is responsible for protecting its citizens.

Private Industry Responsibility

As we take a deeper dive into the private sector, it becomes evident that this sector bears a large responsibility in terms of national security. In reality, the private sector provides services to the government and in many cases possesses information that, if it fell into the wrong hands, would substantially affect a number of areas. Take the military as an example: the dependency and relationship between the government and private industry is very clear. The military obtains aircraft, ships, weapons, and much more from private industry. Clearly, this industry must protect national security as well as work closely with the government to ensure this is accomplished.

Private Industry and Government Partnership

Private industry is clearly the single largest stakeholder in terms of finances, while the government’s stake falls under public safety (Lin et al., 2007). In terms of roles and responsibility, the answer varies depending on who is speaking. At the end of the day, private industry should bear the largest responsibility, with government regulations to assist. To drive home this point, the National Research Council (NRC) published a paper that outlines five key steps addressing barriers to cybersecurity (Lin et al., 2007). From this publication came a regulatory proposal titled the Cybersecurity Bill of Rights (CBoR). Should you ask whether cybersecurity is at the point that government intervention is required, the answer is yes! According to Harry D. Raduege (2009),

Nearly every day our nation is discovering new threats and attacks against our country’s networks. Inadequate cybersecurity and loss of information has inflicted unacceptable damage to U.S. economic and national security. (p. 37)

The threat surrounding the nation’s cyber infrastructure is rooted in reality, and the future of cyber warfare is quickly becoming painfully disturbing. A lack of urgency will be a detriment to the economy and national security. At the end of the day, the real issue comes down to the fact that companies do not believe the government can help in resolving the problems they face within the business segment (Homeland Security, 2005).

Real World Examples

Arguably, 2011 should be labeled the year of the hacker. Data breaches came from all types of private industries as well as governments across the globe. By the end of the third quarter of 2011, the list of those that fell victim to cyber-attacks included large names such as McAfee, Sony, the Central Intelligence Agency (CIA), and many more (The Guardian, 2011). A deeper look into the scope of organizations that were impacted reveals that no one is safe. What is likely most distressing is the top three sectors hit: hospitality, retail, and financial services. These three areas of business play an enormous role in the economy, and the associated risk is critical to an immense audience. In fact, the financial services group could potentially cause damage across the globe, not to mention the possibility of destroying individual investment opportunities or even retirement plans.

Challenges

In order for the private sector and the government to provide the much-needed security measures, all sectors must work together in a coordinated effort. The last thing that should occur is the government disappearing behind closed doors and emerging on the other side with a bill that addresses a problem. In reality, the private sector is willing to work with the government. When it comes down to policy, the language must be clear and concise. A common argument is that policy is over-demanding and problematic to implement at any level due to the complexity of technology. In fact, a well-meaning policy may start off strong, but as it moves through the government body and eventually becomes law it may end up lacking the initially desired effect (Armstrong, 2010).

Conclusion

In today’s political environment, one could make the argument that the government has our best interest at heart and that, at the end of the day, it is doing the best possible job to combat cyber-attacks and provide the needed level of protection for its citizens in the cyber world.  On the other hand, given the state of the national debt, one could argue that regulation is a way to generate revenue, or that the government lacks the expertise to drive the technical aspects of security.  The Federal Information Security Management Act of 2002 (FISMA) is often cited to substantiate the point that the government is incapable of properly dealing with security.  This act serves as a perfect example, and it has come under fire over the years.  Critics have argued that FISMA has become nothing more than an annoyance: organizations simply check the boxes without truly dealing with the problems the law was originally intended to address.

In any case, it is clear that cyber security is paramount to protecting this great nation and its citizens.  The common denominator comes back to regulation and the voiced need for the Federal Government to take an active role in setting expectations and providing guidance in the cyber world.  In fact, only once the public and private sectors begin working closely together may real change occur.  The positive side is that government regulation can also have a beneficial impact on decision making and on the best practices that help protect all interested parties (Fisch, 2004).  In closing, as with every other aspect of business, change will always bring both good and bad; as technology plays a larger role with each passing day, cybersecurity regulation will become fundamental to all.

References

  1. Wutkowski, K. (2011). Northrop CEO urges more regulation. Reuters. Retrieved on September 14, 2011 from http://www.reuters.com/article/2011/09/07/us-aero-arms-summit-regulation-idUSTRE7865GX20110907
  2. Crews Jr., C. (2007). Cybersecurity and authentication: The marketplace role in rethinking anonymity – before regulators intervene. Knowledge, Technology & Policy, 20(2), 97-105. doi:10.1007/s12130-007-9010-z
  3. Lin, H. S., Spector, A. Z., Neumann, P. G., & Goodman, S. E. (2007). Toward a safer and more secure cyberspace. Communications of the ACM, 50(10), 128. Retrieved from http://www.acm.org.ezproxy.umuc.edu
  4. Swartz, N. (2005). Cybersecurity report reveals weaknesses. Information Management Journal, 39(3), 19. Retrieved from http://www.arma.org
  5. Raduege, H. (2009). Cyber threats may be hazardous to your privacy. Policy & Practice, 67(2), 24. Retrieved from http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/us_ps_CyberThreatsMayBeHazardoustoYourPrivacy_Technology%20Speaks%20_061509.pdf
  6. Homeland Security, (2005). Homeland Security Advisory Council private sector information sharing task force on Homeland Security information sharing between government and the private sector final report. United States Department of Homeland Security. Retrieved from https://www-hsdl-org.ezproxy.umuc.edu/?view&did=462311
  7. Homeland Security, (2011). Fact Sheet: Cyber Storm III: National cyber exercise. United States Department of Homeland Security. Retrieved on September 17, 2011 from http://www.dhs.gov/files/training/cyberstorm-iii.shtm
  8. The Guardian, (2011). Biggest series of cyber-attacks in history uncovered. The Guardian. Retrieved on September 15, 2011 from http://www.guardian.co.uk/technology/2011/aug/03/biggest-series-cyber-attacks-uncovered
  9. Baker, W. (2011).  2011 Data Breach Investigations Report released. Verizon Security. Retrieved on September 13, 2011 from http://securityblog.verizonbusiness.com/2011/04/19/2011-data-breach-investigations-report-released/
  10. Armstrong, I. (2010). Following FISMA. SC Magazine: For IT security professionals (15476693), 21(2), 36-39. Retrieved on September 14, 2011 from http://www.scmagazineus.com
  11. Fisch, J. E. (2004). The new federal regulation of corporate governance. Harvard Journal of Law & Public Policy, 28(1), 39-49. Retrieved from http://www.law.harvard.edu/studorgs/jlpp/

U.S. Federal Government Solves Personal Data Privacy And Security, Or Do They?

The U.S. Federal Government has decided that it is time to take on personal data privacy and security, which on the surface sounds like a noble goal. This leads to the question: is the Federal Government capable of working out the details, or is the private sector better equipped to handle the job?

To understand the severity of cybercrime, all you have to do is look at the attack on Sony and the PlayStation Network earlier this year. When you frame the discussion in the context of the attacks on Sony, the Central Intelligence Agency (CIA), and Booz Allen Hamilton, the issue begins to take shape, and the problems that can arise in terms of consumer confidence, national security, and of course profit become clear.

S.1151 Abstract

Personal Data Privacy and Security Act of 2011 – Amends the federal criminal code to: (1) make fraud in connection with the unauthorized access of personally identifiable information (in electronic or digital form) a predicate for racketeering charges, and (2) prohibit concealment of security breaches involving sensitive personally identifiable information. Sets penalties for attempts and conspiracies to commit fraud and related activity in connection with computers.

Requires a data broker to: (1) disclose to an individual, upon request, personal electronic records pertaining to such individual maintained or accessed for disclosure to third parties; (2) disclose adverse actions by third parties against an individual; and (3) maintain procedures for correcting inaccuracies and incompleteness in such records. Defines a “data broker” as a business entity that collects, transmits, or provides access to sensitive personally identifiable information on more than 5,000 individuals who are not the customers or employees of that business entity for purposes of providing such information to non-affiliated third parties on an interstate basis.

Establishes standards for developing and implementing safeguards to protect the security of sensitive personally identifiable information. Imposes upon data brokers and business entities civil penalties for violations of such standards. Requires business entities to notify: (1) any individual whose information has been, or is reasonably believed to have been, accessed or acquired, (2) all nationwide consumer reporting agencies if an agency or entity is required to notify more than 5,000 such individuals, and (3) the United States Secret Service and the Federal Bureau of Investigation (FBI) if the number of individuals involved exceeds 10,000.

Authorizes the Attorney General and state attorneys general to bring civil actions against business entities for violations of this Act.

Requires the Administrator of the General Services Administration (GSA), in considering contract awards totaling more than $500,000, to evaluate: (1) the data privacy and security program of a data broker, (2) program compliance, (3) the extent to which databases and systems have been compromised by security breaches, and (4) data broker responses to such breaches.

Requires federal agency information security programs to include procedures for evaluating and auditing the information security practices of contractors or third party business entities supporting the agency information systems or operations involving personally identifiable information and for ensuring remedial action to address any significant deficiencies.

Requires federal agencies to conduct a privacy impact assessment before purchasing personally identifiable information from a data broker.

Reaction and Thoughts

Within the first 12 pages of this proposed bill the punishment is outlined: anyone who has knowledge of a security breach and conceals that fact can be punished under the law. The breach is defined in terms of economic impact on one or more individuals, and concealment carries a fine or imprisonment of not more than five years, with investigative authority given to the United States Secret Service.

Entities that collect data on individuals will have to institute measures by which an individual can request the data collected about them, and the broker must turn this information over to the requester at a reasonable cost. This is a positive step; however, how many data brokers are out there? For example, if you conduct business with Google and Microsoft, would a $25.00 fee be reasonable? Now consider that you also have Facebook, FourSquare, Twitter, and any number of other services you may use, and you begin to see that you could spend hundreds of dollars on such requests when all is said and done. Could the answer lie in the credit reporting model, where there are a limited number of agencies?

Financial Impact

Remember that pesky financial penalty I alluded to earlier? This penalty comes in at $1,000.00 per violation for every day that the violation is not corrected. So if you have five violations and it takes fourteen days to resolve the issue, the price tag comes to $70,000.00, and twenty-eight days would result in $140,000.00 in fines. The good news is that there is a cap of $250,000.00 per violation, but this will be an expensive lesson for any business that finds itself in this precarious position.

If this is not enough to get businesses to take security seriously and invest in it, then I am not sure what other incentives would help.

Conclusion

In today’s political environment, one could make the argument that the government has our best interest at heart, and I believe that at the end of the day the government is doing the best possible job to provide a level of protection. On the other hand, given the state of the national debt, one could argue that this is a way to generate revenue. In either case, it is clear that cyber security is paramount to protecting this great nation and its citizens.

References

  1. Personal Data Privacy and Security Act of 2011
  2. Applying Information Security and Privacy Principles
  3. Congress wants answers from Sony on PlayStation hack
  4. August 2011 Cyber Attacks Timeline
