Category: Regulations

Dr Hadif bin Jowan Al Dhaheri, speaking on the sidelines of the third International Cyber Crimes Conference in the Capital on Tuesday, also said UAE’s Cyber Law will be amended to match the sophistication of online crimes that are being committed everyday. “The law governing cyber crime needs to be updated in order to match the progress in cyber technology,” Dr Al Dhaheri said.

The cyber crime court in Sharjah will follow similar courts already established in Dubai and Abu Dhabi.

“We are also working now to establish a special court related to cyber crime similar to that which deals with labour matters,” Dr Al Dhaheri said.

Major General Ahmed Nassir Alraisi, general director of Central Operations at the Abu Dhabi Police General Headquarters, the estimated loss of reported cyber crime cases in the Gulf Cooperation Council (GCC) is between $550-735 million per annum.

Abdul Aleem Sayed, chief information security architect at the Abu Dhabi Police stated that it is the responsibility of the organisations that handle sensitive client information to protect them. Sayed said that in the US, corporations and financial organisations are bound by law to protect their clients’ information, failing which would mean a 10-year imprisonment of the company chief executives or chief financial officers and a million dollar fine. The government’s role is to put this law through, they should take a proactive role on this,” he stressed.

He also noted the lack of available statistics on cyber crime especially relating to finances.

During the conference, experts discussed the procedural conflicts in applying the law of cyber crimes. He added that many hackers use pseudonyms, making it difficult to track them down.

http://www.tmcnet.com/usubmit/-sharjah-nemirates-get-cyber-crime-court-/2009/12/15/4534187.htm

Agnes Bundy Scanlan, a lawyer at Boston’s Goodwin Procter, and a board member of the International Association of Privacy Professionals (IAPP), says that while in general the Massachusetts data protection law is “pretty complicated,” it has gone through revisions and extensions. “But as it stands today, businesses that have Massachusetts residents’ information will have to have a comprehensive written security program, and heightened security procedures, including encryption.” “Even if there wasn’t a recession, this regulation still would be something that businesses would be reluctant to comply with,” Holland says.

The Massachusetts regulation was prompted by several high-profile data breaches that impacted residents, including the TJX case that first made headlines in 2007.

“Clearly, the Massachusetts government didn’t believe that data breach notification alone was sufficient to protect its citizens,” Bundy Scanlan says.

The Massachusetts law is breaking new ground in data protection requirements, just as the California state data breach notification law that was passed in 2003 did for state data breach notification laws. CA-1386 was passed by California state legislators after a 2002 data breach affected thousands of state workers, including some of the legislators themselves.

In the January public hearing held by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) the room was packed with businesses and representatives from other entities calling for more time. Representatives of the Greater Boston Chamber of Commerce, Massachusetts Business Coalition, various nonprofits, colleges and universities and others at the January meeting testified the near impossibility of complying with the encryption standards, as well as the enormous investment of time, energy, and scarce cash required by this undertaking. By mid-February, the Massachusetts government made a decision to push back the date for compliance with the new regulations, says OCABR undersecretary Daniel Crane because of the recession and to give entities more time to comply.

Still, the regulations require that companies limit the amount of data they collect, have and maintain written security policies and keep a detailed inventory of all personal data and where it is stored, whether on electronic media or on paper. The regulations require any business that handles sensitive personal information on citizens of the Commonwealth of Massachusetts to encrypt that data as it is transmitted over the Internet or stored on external mobile devices such as laptops, flashdrives and other mobile storage equipment. “They should do as much as they possibly can; then if it is a systems problem with encryption, they will at least show they are doing their due diligence for the regulator.”

http://www.bankinfosecurity.com/articles.php?art_id=1261

When faced with a standard as robust as PCI DSS, many companies, particularly the smaller merchants, need help deciding which risks they should address first, de Veyra told SCMagazineUS.com on Friday.

Rated by order of criticality, the milestones are: Limit data retention, secure the perimeter, secure applications, control system access, protect stored cardholder data and finalize remaining compliance efforts, ensuring all controls are in place.

Several major breaches in the last few years, including Heartland Payment Systems and TJX, were caused by hackers who were able to seize sensitive credit card data by taking advantage of protection shortfalls across private networks and wireless access points.

De Veyra said the new tool likely will help small companies — designated as tier-four merchants by Visa and MasterCard — get started on their compliance efforts. “Prioritization doesn’t mean much if you have to do everything at once,” she said.

The new guidance comes at a time when PCI DSS is fielding widespread criticism over the high-profile Heartland breach, where potentially a record number of card numbers were stolen.

http://www.scmagazineus.com/PCI-council-offering-milestones-for-compliance/article/128078/

In response to queries from ZDNet Asia, a spokesperson from the Ministry of Information, Communication and the Arts (Mica), said the inter-ministry committee involves public sector agencies including the Infocomm Development Authority, the Ministry of Trade and Industry, the Ministry of Finance, the Ministry of Home Affairs and the Attorney-General’s Chambers.

According to him, the committee is reviewing various approaches including those of the United States, the European Union and Canada, as there currently is no established, uniform method to deal with data protection.

“In shaping Singapore’s own data protection regime, we will take into account such international perspectives, where relevant, as well as views from the public. “Mica will share the details of the proposed framework at the appropriate juncture,” the spokesperson added.

Joshua Chua, Deloitte & Touche’s security and privacy leader for risk consulting in Southeast Asia, concurred. According to Chua, there is currently no specific data breach notification legislation in Singapore, which mandates that companies notify regulators and the public in the event of a privacy breach, or leakage of personal customer information.

Last year in the United Kingdom and Australia, there were some debate and momentum in handling data breaches. News of an impending data breach notification law surfaced in July when the Information Commissioner’s Office said that the European Union’s ePrivacy Directive would be a catalyst for such legislation in the country. The Hong Kong Monetary Authority, for example, issued a customer data protection circular to all authorized financial institutions on Jul. 10, 2008, he noted. The document contained guidelines requiring banks in the Special Administrative Region to have specific data breach management procedures in place, and also to appoint a senior official responsible for incident management. Instead, data protection and privacy is regulated via industry-specific laws and enforced by industry regulatory bodies, he explained.

Companies, on the other hand, need to ensure they have incident response procedures in place, as poor handling of data breaches can cause further damage.

http://www.zdnetasia.com/news/security/0,39044215,62050547,00.htm

Under current law, federal courts only have jurisdiction if the thief uses interstate communication to access the victim’s PC.

Some ID theft victims can spend thousands of dollars and months or years dealing with credit bureaus and debtors from accounts fraudulently opened in their names, but the law doesn’t appear to take into account lost opportunities associated with identity theft.

http://voices.washingtonpost.com/securityfix/2008/10/new_federal_law_targets_id_the.html?nav=rss_blog

Scotland has devolved authority in areas such as computer crime law, so measures such as the clear criminalisation of denial of service attacks entered the statue books north of the border a year ago in October 2007. First up, the maximum penalty for unauthorised access to a computer system (the least serious of three hacking offences covered in the original act) has been raised from six months to two years in prison, making the offence serious enough that an extradition request can be filed.

Requests to introduce changes along these lines were made repeatedly by industry representatives during parliamentary hearings on UK computer crime laws, but are nonetheless controversial in some circles.

Spyblog describes the changes as “ill-defined” and duplicated in the Identity Cards Act 2006 as far as attacks on the planned National Identity Register centralised database are concerned.

Politicians initially suggested an outright ban on so-called hacking tools, which would have made possession of dual-use software package such as Nmap a criminal offence.

Following industry lobbying the measures were modified but still include provisions that criminalise the distribution or creation of “hacking tools” where criminal intent can be established, modifications that have failed to satisfy security experts.

http://www.theregister.co.uk/2008/09/30/uk_cybercrime_overhaul/