Category: Regulations

In response to queries from ZDNet Asia, a spokesperson from the Ministry of Information, Communication and the Arts (Mica), said the inter-ministry committee involves public sector agencies including the Infocomm Development Authority, the Ministry of Trade and Industry, the Ministry of Finance, the Ministry of Home Affairs and the Attorney-General’s Chambers.

According to him, the committee is reviewing various approaches including those of the United States, the European Union and Canada, as there currently is no established, uniform method to deal with data protection.

“In shaping Singapore’s own data protection regime, we will take into account such international perspectives, where relevant, as well as views from the public. “Mica will share the details of the proposed framework at the appropriate juncture,” the spokesperson added.

Joshua Chua, Deloitte & Touche’s security and privacy leader for risk consulting in Southeast Asia, concurred. According to Chua, there is currently no specific data breach notification legislation in Singapore, which mandates that companies notify regulators and the public in the event of a privacy breach, or leakage of personal customer information.

Last year in the United Kingdom and Australia, there were some debate and momentum in handling data breaches. News of an impending data breach notification law surfaced in July when the Information Commissioner’s Office said that the European Union’s ePrivacy Directive would be a catalyst for such legislation in the country. The Hong Kong Monetary Authority, for example, issued a customer data protection circular to all authorized financial institutions on Jul. 10, 2008, he noted. The document contained guidelines requiring banks in the Special Administrative Region to have specific data breach management procedures in place, and also to appoint a senior official responsible for incident management. Instead, data protection and privacy is regulated via industry-specific laws and enforced by industry regulatory bodies, he explained.

Companies, on the other hand, need to ensure they have incident response procedures in place, as poor handling of data breaches can cause further damage.

http://www.zdnetasia.com/news/security/0,39044215,62050547,00.htm

Under current law, federal courts only have jurisdiction if the thief uses interstate communication to access the victim’s PC.

Some ID theft victims can spend thousands of dollars and months or years dealing with credit bureaus and debtors from accounts fraudulently opened in their names, but the law doesn’t appear to take into account lost opportunities associated with identity theft.

http://voices.washingtonpost.com/securityfix/2008/10/new_federal_law_targets_id_the.html?nav=rss_blog

Scotland has devolved authority in areas such as computer crime law, so measures such as the clear criminalisation of denial of service attacks entered the statue books north of the border a year ago in October 2007. First up, the maximum penalty for unauthorised access to a computer system (the least serious of three hacking offences covered in the original act) has been raised from six months to two years in prison, making the offence serious enough that an extradition request can be filed.

Requests to introduce changes along these lines were made repeatedly by industry representatives during parliamentary hearings on UK computer crime laws, but are nonetheless controversial in some circles.

Spyblog describes the changes as “ill-defined” and duplicated in the Identity Cards Act 2006 as far as attacks on the planned National Identity Register centralised database are concerned.

Politicians initially suggested an outright ban on so-called hacking tools, which would have made possession of dual-use software package such as Nmap a criminal offence.

Following industry lobbying the measures were modified but still include provisions that criminalise the distribution or creation of “hacking tools” where criminal intent can be established, modifications that have failed to satisfy security experts.

http://www.theregister.co.uk/2008/09/30/uk_cybercrime_overhaul/

The lawmakers decided to propose the legislation after the Department of Homeland Security failed to provide adequate information about the searches or the limitations on the power, Feingold said in a statement.

The legislation is the second bill to tackle the controversial issue of laptop border searches.

http://www.securityfocus.com/brief/832?ref=rss

Not surprisingly, the proposal for such a technology was first suggested by a Chinese official, who has long tried to control the use of the internet in that country.

Also, as the article notes, the ITU has no power over the internet these days, but has been pushing to get more power, which is why it’s worth following what they’re discussing behind the scenes.

http://www.techdirt.com/articles/20080912/1602272259.shtml

The controls have been a recommended best practice for nearly two years now, but starting June 30, they will become a mandatory requirement under PCI — especially for so-called Level 1 companies that handle more than 6 million payment card transactions a year.

Under the requirement (PCI Section 6.6), merchants can choose to implement a specialized firewall to protect their Web applications, or to perform an automated or manual application code review and fix any flaws found. Companies also have the option of performing either a manual or an automated vulnerability assessment scan of their Web application environment, fixing any problems that are discovered during that process.

The controls are supposed to protect Web applications from common threats like SQL Injection attacks, buffer overflows and cross-site scripting vulnerabilities. For instance, excess-inventory retailer Overstock.com chose to install a Web application firewall from Breach Security Inc. rather than take any of the other options. Going that route was considerably cheaper than doing an application code review, said Bear Terburg, manager of network engineering at Overstock.com. The tool was “much easier” to implement that any of the other compliance options available under PCI 6.6, said John Halamka, CIO at Harvard Medical School. “The effort of going through application code every time a new vulnerability is discovered would be a far more daunting task.” The firewall also makes ongoing recommendations for tuning or adding new signatures when a new vulnerability is discovered or to block out specific Web threats, he said.

Bob Russo, general manager of the PCI Security Council, said that so far his organization does not have a clear indication of what companies are doing in terms of complying with PCI 6.6.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9104118&source=NLT_AM&nlid=1