Category: Regulations

For companies that do business nationally or in various states, the smorgasbord of state laws poses a growing problem, because the measures often specify different triggers for notifications and set varying requirements on what needs to be disclosed, to whom and when, said Kirk Herath, chief privacy officer at Nationwide Mutual Insurance Co. in Columbus, Ohio.

In addition, some states require companies to provide credit-monitoring services to affected customers, whereas others don’t, Herath said.

http://www.networkworld.com/news/2006/010606-data-breaches-law.html

In March, DSW found that credit, debit and checking account numbers of customers in 25 states had been stolen by hackers breaking into the company’s database. In its complaint, the FTC charged that DSW unnecessarily held on to sensitive customer data it no longer needed and stored the information in multiple files, increasing the risks to consumers.

Some DSW customers have reported fraudulent charges to their accounts, and others with checking accounts have asked the company to pay the cost of closing accounts and ordering new checks, the FTC said. DSW noted that when the theft was discovered, it took immediate steps to notify customers and put in measures to prevent future thefts.

http://www.latimes.com/technology/la-fi-dsw2dec02,1,733532.story?coll=la-headlines-technology&ctrack=1&cset=true

[Microsoft’s senior vice president and general counsel Brad] Smith described four core principles that Microsoft believes should be the foundation of any federal legislation on data privacy:

– Create a baseline standard across all organizations and industries for offline and online data collection and storage. This federal standard should pre-empt state laws and, as much as possible, be consistent with privacy laws around the world.
– Increase transparency regarding the collection, use and disclosure of personal information. This would include a range of notification and access functions, such as simplified, consumer-friendly privacy notices and features that permit individuals to access and manage their personal information collected online.
-Provide meaningful levels of control over the use and disclosure of personal information. This approach should balance a requirement for organizations to obtain individuals’ consent before using and disclosing information with the need to make the requirements flexible for businesses, while avoiding bombarding consumers with excessive and unnecessary levels of choice.
-Ensure a minimum level of security for personal information in storage and transit. A federal standard should require organizations to take reasonable steps to secure and protect critical data against unauthorized access, use, disclosure modification and loss of personal information.

http://www.itu.int/osg/spu/newslog/Microsoft+Calls+For+US+National+Privacy+Law.aspx

Part of the 1,724-page energy bill that President Bush signed last week calls for federal bureaucrats to create an “electric reliability organization” that would draft mandatory standards–including cybersecurity guidelines–for electric power system operations.

The Federal Energy Regulatory Commission, or FERC, would be tasked with setting standards to prevent system instability or failures that can be tied to a “sudden disturbance, including a cybersecurity incident.”

FERC may impose penalties for violations and has 180 days to begin the process of certifying the reliability organization.

The new regulations come about three months after a Government Accountability Office report cited “a general consensus–and increasing concern” among officials that systems controlling utility infrastructures face real threats of attack.

A visit from the Slammer worm, for instance, may have been in part to blame for failures at a nuclear power plant in 2003, the report said.

And in March, electric industry security consultants reported numerous intrusions into control systems.

No serious damage was done, they said, but the activity “heightened concerns” about future foul play.

One of the reasons why the control systems are so vulnerable is that they’re increasingly being connected to private networks that use the Internet, so that they can be managed remotely, the GAO report said.

The current computer system used by utilities and public transportation facilities was not designed with the Internet in mind, said Clarence Morey, senior manager for product strategy at Internet Security Systems, a company that counts public utilities among its clients.

“As companies connect these systems to the Net to allow remote access or drive efficiency, they’re opening themselves up to risk,” Morey said.

Morey said his company supported the new legislation, adding that a “three-legged stool” composed of technology, legislation and good policy is the way to fend off attacks.

Right now, no mandatory cybersecurity standards exist for power grid operators, but many of them adhere to voluntary ones set by the North American Electric Reliability Council, said council spokeswoman Ellen Vancko.

The council, which first adopted 24 pages of cybersecurity guidelines in 2003, is on its third draft of permanent, “more defined” standards, she said.

Vancko said she expects that FERC will certify the council as its official Electric Reliability Organization.

The U.S. Department of Energy has already designated the council as coordinator of infrastructure protection for the electric sector, and the council works closely with Homeland Security.

FERC did not return calls for comment on Tuesday.

“We pushed the legislation through, and we’re the only entity out there developing reliability standards,” Vancko said.

“So we’re really the only entity out there qualified to perform such a role.”

New law may tighten power plant security

It also helps protect consumers by giving them the information they need to head off possible identity theft when sensitive details such as Social Security, driver’s license and credit card numbers become exposed.

The Information Security Breach and Notification Act in New York is broadly similar to security breaches laws enacted in California more than two years ago.

Legislation requiring consumer notification of data security breaches has been approved in at least 15 states since then.

New York’s decision to go ahead with its legislation follows a series of high profile consumer data security breaches involving US firms including data mining firm ChoicePoint, payment processing firm CardSystems Solutions and others.

http://www.xatrix.org/article4032.html

The Wall Street Journal reported recently that security breaches exposing customer data have triggere
d lawsuits across the country. The Federal Trade Commission says 9 million Americans had their identities stolen last year, costing businesses and consumers $50 billion a year in fraudulent spending.

Last month, U.S. Rep. Artur Davis, D-Birmingham, co-sponsored the Consumer Data Security and Notification Act of 2005, along with Democratic Reps. The bill provides stronger consumer protections and enforcement against credit-card fraud and identity theft by expanding federal protections against improper collection and sale of sensitive consumer information. It also provides consumers with advance warning when their personal information is at risk. Davis was joined at a recent press conference at Birmingham Police headquarters by several attorneys general who outlined the challenges they face fighting ID theft. Among Davis’ supporters was Birmingham Police Chief Annetta Nunn, who said someone recently stole a credit card mailed to her home and ran up thousands of dollars in charges. “Congress needs to strengthen federal standards to provide more rigorous safeguards against the rising problem of identity theft,” Davis said.

Also in July, a Senate Commerce Committee unanimously approved a bill that would clamp down on how corporations handle consumers’ personal information. The Identity Theft Protection Act would require nonfinancial companies, such as data brokers, that handle sensitive personal information to ensure its security and confidentiality with safeguards specified by the Federal Trade Commission. If the security is breached and the company determines it creates a “reasonable risk” of identity theft, the company would have to notify affected consumers or face fines of up to $11,000 per consumer. Ted Stevens, R-Alaska, who chairs the commerce committee, said the full Senate will not vote on the Identity Theft Protection Act until he completes negotiations on a jurisdictional dispute with Senate Banking Committee Chairman Richard Shelby, R-Tuscaloosa.

The Alabama Republican has asserted jurisdiction over sections of the Senate Commerce bill that deal with the Fair Credit Reporting Act. The American Banker recently reported that Shelby is drafting a bill that sources speculate may bar financial services companies from using service providers that do not follow strict data security standards. Gardner said recent high-profile data security breaches have exposed the vulnerability at many U.S. companies. “Identity theft is a major problem and businesses must adjust to prevent it,” he said.

http://www.al.com/business/birminghamnews/index.ssf?/base/business/11243568066180.xml&coll=2