Archive for the Data Breach Regulations Category

100 Million Notifications of Data Breaches in US

In an article posted to www.TechNewsWorld.com on 1/4/07, Ed Moyle writes that there have now been roughly 100 million notifications sent to individuals in the US notifying them that their personal information has been compromised. He does point out that there is no way to know how many unique individuals have been impacted, since there could be some overlap. According to Mr. Moyle, “Looking ahead, it won’t be long before the majority of Americans will have been notified about a breach affecting their data.”

The article also provides practical tips for monitoring your personal records to watch out for fraud, as well as action steps to take in the event that you receive a notification of a data breach.

Average data breach costs $5 million

Network World’s 11/6/06 edition features an article that focuses on the costs of data breaches. The headline is “Average data breach costs companies $5 million” which clearly summarizes the entire article. The article is based on results from a study conducted by the Ponemon Institute.

According to the Privacy Rights Clearinghouse, there have been 254 data-breach incidents this year. The Ponemon study found that it costs an average of $182 for each compromised data record, which is up from $138 last year, an increase of over 30%.

At first glance, these numbers seem exorbitant. According to Andrew Krcik with PGP, “By not connecting the dots, companies are not seeing the true costs and, therefore, the true value of preventative measures.” So the old adage, an ounce of prevention is worth a pound of cure, certainly rings true regarding data security.

49 Million People in US Notified of Data Breaches Since 2004

According to an article on TechWeb on November 10, 2006, an estimated 49 million adults in the US have been notified “that their personal information has been lost, stolen, or improperly disclosed” during the past three years. The survey concludes that data breaches have affected 1 in 5 adults in the US. The survey was conducted by Harris Interactive in October.

The Fraud Update column in the November 2006 issue of Transaction World addresses several pertinent data security topics, including the impact of version 1.1 of the PCI Data Security Standard. Bryan Sartin, Managing Principal of CyberTrust in Herndon, VA, emphasizes how important it is for merchants to know where sensitive customer data (such as cardholder information) is stored and who has access to it. “Companies need to have a data retention plan and a data control policy in place.” He also makes a very significant assertion: “There’s no record of any merchant being compromised who’s PCI compliant.”

As one who has been through the PCI certification process, I find it comforting to know that no PCI compliant company has been hacked. However, the real key is that PCI compliance is NOT a one-time event — it dictates a constant, methodical process to ensure that data is always secure.

An Overview of Data Breach and Privacy Legislation

This week’s Information Week has an excellent overview of data breach and privacy legislation that is under consideration by both the House and Senate. One bill, HR 4127, the Financial Data Protection Act, is ready for a House vote when Congress reconvenes after the November elections. It would require organizations to protect personal data and provide nationwide notice in the event of a data breach.

Here are some of the other key bills:

HR 6163 - Federal Agency Data Breach Protection Act

HR 3997 - Data Accountability and Trust Act

S 2169 - Financial Data Protection Act

See my previous post for an overview of existing data breach legislation.

Does PCI Compliance Ensure Compliance With Privacy Laws and Regulations?

Given the complexity of Payment Card Industry (PCI) compliance, many organizations may conclude that complying with the PCI DSS will then ensure compliance with the myriad of state and federal laws and regulations that address privacy and data security (see Payment Card Industry Compliance and Data Breach Laws). Dr. Heather Mark addresses the relationship between PCI compliance and privacy in this month’s edition of Transaction World magazine.

She specifically addresses the legal requirement to provide a Notice, which is usually covered in the Privacy Policy on a website. She says that future articles will “attempt to answer the questions surrounding the intersection of privacy and security.” This should be a very helpful source of information for organizations trying to navigate these treacherous waters.

Payment Card Industry Compliance and Data Breach Laws

As if complying with the Payment Card Industry requirements, including the newly revised Data Security Standard, were not already challenging enough, any entity that stores sensitive personal information must also comply with a myriad of regulations such as data breach laws. About.com has an excellent section about identity theft and data breach disclosure.

Currently, there is no federal law that directly addresses data breaches, but numerous states have enacted their own legislation. Unfortunately, these laws are very diverse, with little consistency on even fundamental components like the definitions of key terms such as breach, personal information, and risk. Furthermore, since these laws protect residents of each of these states, an entity that stores personal information is subject to that resident’s state laws, even if the entity does not have a location in that state.

One of the best sources that I have found for concise information about state laws regarding data breaches is the Security Breach page on the VigilantMinds site. They provide an executive summary of state legislation as well as a matrix that compares key provisions of all of the state laws. In addition, they provide links to the actual legislation of each state. While this is certainly not a substitute for seeking legal advice on this matter, their site can save you and possibly even your attorney a lot of time.

Earlier this year, a draft bill was debated by the House of Representatives. The bill was called the Data Accountability and Trust Act (DATA), and if passed, it would have preempted all existing state laws. For now, the bill has been tabled. Dr. Heather Mark published an article entitled The Ever Changing Challenge of Compliance that gives an excellent overview of the provisions of this bill.

If your organization stores personal information, I hope that the links above will help you better understand the maze of regulations related to data breaches.

Risk Assessment Related to Data Breach Laws

Several of the IT trade publications can provide you with very good information on data security topics. As I come across articles of note, I will try to post them to this blog. Patrick R. Mueller wrote an article for Network Computing entitled Strategic Security: How to Survive Data Breach Laws. He emphasizes the importance of assessing the risks of a data breach for your organization — basically, taking a proactive approach instead of ignoring the laws and potential liabilities. The article also has links to other resources.
