Category: Regulations

Lawyers speaking at the Law Seminars International event on Monday offered advice about the types of research companies should do before signing up for cloud services to make sure they can protect themselves from potential legal fallout.

One of the most important issues facing companies that wish to store or process data in the cloud is determining which legal systems have jurisdiction over the data. A company using a cloud service could have users all over the world and those users’ information could be shifted to facilities around the globe. “So there are four possible legal locations for the information at any moment,” James said. Laws applicable to the location of the company’s headquarters, the location of the servers, the location of the consumer and the location of the communications equipment transmitting the information between the user and the provider could all potentially apply.

On the federal level, legislation like the Health Insurance Portability and Accountability Act and the Children’s Online Privacy Protection Act defines how businesses handle certain kinds of data like information related to health and children.

In addition, 45 states have laws covering how companies must secure customer data. “Although many state statutes are similar, there are enough outliers that you need to think about them,” said Reingold. For instance, some states define personally identifiable information as including a mother’s maiden name, biometrics and birth dates while others only include more basic information like name, Social Security number and driver’s licence number.

“The reason we can have this service that is inexpensive is because [cloud providers] can put their servers anywhere and can shift loads based on things like where the cost of energy is lower,” said Francoise Gilbert, a lawyer with IT Law Group.

Some companies may initially think it’s a good strategy to find a provider with data centers in countries that have no data protection laws. Europe and a few countries that have adopted a similar model including Tunisia, Morocco and Uruguay have clear laws covering what kinds of personal data companies can store and whether they can move that data in and out of the country. In the U.S., companies may collect some of that information to look for diversity in their workforce. But if they use a cloud provider with data centers in Europe, European law prohibits them from storing that kind of data.

“The legal system has been far, far outpaced by technology,” said Reingold.

http://www.pcworld.com/businesscenter/article/196578/cloud_service_users_face_confusing_legal_landscape.html

When things go wrong, a security breach can cause real harm and great distress to thousands of people,” said Information Commissioner Christopher Graham at the time. “UK businesses should take note of the new rules and ensure they have effective data protection compliance measures in place to meet the ICO’s standards,” he added.

Nugent suggested that the new powers may also pave the way for other measures under consideration, including potential prison sentences for criminal offences involving the misuse of personal data.

However, William Malcolm, an information law expert at international lawfirm Pinsent Masons, warned that the new powers represent a “step change” for the ICO that many firms may not be aware of. While this is a significant deterrent now, they need to make sure they carry out reviews of how personal data is handled, and implement sensible controls to ensure that data is protected,” he said.

The ICO has stepped up enforcement in recent years, and would undoubtedly have used the powers to deal with some of the cases it has dealt with over the past six months had they been available.”

Richard Turner, chief executive of data security firm Clearswift, agreed that education efforts need to be stepped up. “The ICO will have a wide scope of interpretation when applying its new regime, as the fines can be levied for breaches of principles, rather than against the underlying detailed legal requirements…The first few fines the ICO levies will therefore set the tone,” he said.

“While the largest fines may only be dealt out to larger companies for serious breaches of the DPA, all organisations are now faced with a very real threat of significant financial penalties over and above any existing operational clean up costs and reputational damage should they suffer a breach.”

http://www.v3.co.uk/v3/analysis/2260796/firms-warned-guard-ico-powers

Olympia Snowe (R-Maine), was introduced last April and then re-introduced last week with some key changes. Notably, it no longer gives the president unilateral power to disconnect networks from the Internet in the event of a major cyberattack. The bill also includes amendments for how the president and private sector can work together to help secure critical infrastructure.

During the hearing, senators expressed how important it is that the Senate passes the legislation quickly, as it’s long overdue. “The government hasn’t gotten its act together; the private sector has had problems getting its act together,” he said. Bill Nelson (D-Florida) said that might even be too much time in light of potential cyber threats.

The House last month passed its own cybersecurity bill, the Cybersecurity Enhancement Act of 2009 (HR 4061), first introduced by Rep. Daniel Lipinski (D-IL) last year.

http://www.darkreading.com/security/government/showArticle.jhtml?articleID=224200245&cid=RSSfeed

Dr Hadif bin Jowan Al Dhaheri, speaking on the sidelines of the third International Cyber Crimes Conference in the Capital on Tuesday, also said UAE’s Cyber Law will be amended to match the sophistication of online crimes that are being committed everyday. “The law governing cyber crime needs to be updated in order to match the progress in cyber technology,” Dr Al Dhaheri said.

The cyber crime court in Sharjah will follow similar courts already established in Dubai and Abu Dhabi.

“We are also working now to establish a special court related to cyber crime similar to that which deals with labour matters,” Dr Al Dhaheri said.

Major General Ahmed Nassir Alraisi, general director of Central Operations at the Abu Dhabi Police General Headquarters, the estimated loss of reported cyber crime cases in the Gulf Cooperation Council (GCC) is between $550-735 million per annum.

Abdul Aleem Sayed, chief information security architect at the Abu Dhabi Police stated that it is the responsibility of the organisations that handle sensitive client information to protect them. Sayed said that in the US, corporations and financial organisations are bound by law to protect their clients’ information, failing which would mean a 10-year imprisonment of the company chief executives or chief financial officers and a million dollar fine. The government’s role is to put this law through, they should take a proactive role on this,” he stressed.

He also noted the lack of available statistics on cyber crime especially relating to finances.

During the conference, experts discussed the procedural conflicts in applying the law of cyber crimes. He added that many hackers use pseudonyms, making it difficult to track them down.

http://www.tmcnet.com/usubmit/-sharjah-nemirates-get-cyber-crime-court-/2009/12/15/4534187.htm

Agnes Bundy Scanlan, a lawyer at Boston’s Goodwin Procter, and a board member of the International Association of Privacy Professionals (IAPP), says that while in general the Massachusetts data protection law is “pretty complicated,” it has gone through revisions and extensions. “But as it stands today, businesses that have Massachusetts residents’ information will have to have a comprehensive written security program, and heightened security procedures, including encryption.” “Even if there wasn’t a recession, this regulation still would be something that businesses would be reluctant to comply with,” Holland says.

The Massachusetts regulation was prompted by several high-profile data breaches that impacted residents, including the TJX case that first made headlines in 2007.

“Clearly, the Massachusetts government didn’t believe that data breach notification alone was sufficient to protect its citizens,” Bundy Scanlan says.

The Massachusetts law is breaking new ground in data protection requirements, just as the California state data breach notification law that was passed in 2003 did for state data breach notification laws. CA-1386 was passed by California state legislators after a 2002 data breach affected thousands of state workers, including some of the legislators themselves.

In the January public hearing held by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) the room was packed with businesses and representatives from other entities calling for more time. Representatives of the Greater Boston Chamber of Commerce, Massachusetts Business Coalition, various nonprofits, colleges and universities and others at the January meeting testified the near impossibility of complying with the encryption standards, as well as the enormous investment of time, energy, and scarce cash required by this undertaking. By mid-February, the Massachusetts government made a decision to push back the date for compliance with the new regulations, says OCABR undersecretary Daniel Crane because of the recession and to give entities more time to comply.

Still, the regulations require that companies limit the amount of data they collect, have and maintain written security policies and keep a detailed inventory of all personal data and where it is stored, whether on electronic media or on paper. The regulations require any business that handles sensitive personal information on citizens of the Commonwealth of Massachusetts to encrypt that data as it is transmitted over the Internet or stored on external mobile devices such as laptops, flashdrives and other mobile storage equipment. “They should do as much as they possibly can; then if it is a systems problem with encryption, they will at least show they are doing their due diligence for the regulator.”

http://www.bankinfosecurity.com/articles.php?art_id=1261

When faced with a standard as robust as PCI DSS, many companies, particularly the smaller merchants, need help deciding which risks they should address first, de Veyra told SCMagazineUS.com on Friday.

Rated by order of criticality, the milestones are: Limit data retention, secure the perimeter, secure applications, control system access, protect stored cardholder data and finalize remaining compliance efforts, ensuring all controls are in place.

Several major breaches in the last few years, including Heartland Payment Systems and TJX, were caused by hackers who were able to seize sensitive credit card data by taking advantage of protection shortfalls across private networks and wireless access points.

De Veyra said the new tool likely will help small companies — designated as tier-four merchants by Visa and MasterCard — get started on their compliance efforts. “Prioritization doesn’t mean much if you have to do everything at once,” she said.

The new guidance comes at a time when PCI DSS is fielding widespread criticism over the high-profile Heartland breach, where potentially a record number of card numbers were stolen.

http://www.scmagazineus.com/PCI-council-offering-milestones-for-compliance/article/128078/