In U.S. Regulators, Legislators Fill Privacy Void

Over the last few years privacy, and the lack of comprehensive protection for it, have made numerous headlines. From overly inquisitive mobile applications that fail to disclose how cell phone data is accessed and shared (Path), to handset manufacturers' failures to properly build privacy into the design and manufacturing process (HTC), to security lapses at government databases resulting in the exposure of sensitive personal information (South Carolina), consumers, regulators and legislators are waking up to privacy issues.

Recent developments highlight the trend in privacy

In the U.S. we lack a single comprehensive privacy law, although many state and federal laws address various aspects of collecting, storing and sharing personal information. In the absence of a single, over-arching mandate, legislators and regulators are stepping in to fill a perceived need.

GPS, Location & Privacy

The Geolocation Privacy and Surveillance (GPS) Act addresses the use of location data by law enforcement. The bill (not yet law) requires police to obtain a warrant based on probable cause whenever they seek “location information.” Unfortunately, the term “location information” is very broadly defined and does not distinguish requests for access based on the level of precision, the time period, or whether the information concerns past or future conduct.

Proposed Federal Privacy Standards

Two bills introduced this year aim to create a baseline level of privacy protection at the federal level. Sen. John Kerry (D-MA) and Sen. John McCain (R-AZ) introduced S. 799, the Commercial Privacy Bill of Rights Act of 2011, to create a regulatory framework for the comprehensive protection of individuals' personal data, enforceable by the Federal Trade Commission (FTC). Similarly, Rep. Cliff Stearns (R-FL) is promoting a Consumer Privacy Protection Act (H.R. 1528), directed at consumers and focused on restricting the sale or disclosure of personal information.

FTC Protects Privacy Under Mantle of Consumer Protection

As a result of alleged data security failures that led to three data breaches at Wyndham hotels in less than two years, the Federal Trade Commission filed suit against the hospitality company Wyndham Worldwide Corporation. The case against Wyndham is part of the FTC’s ongoing effort to make sure that companies live up to the promises they make about privacy and data security.

Wyndham’s web site privacy policy claimed that, “We recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centers, visitors to our Web sites, and members participating in our Loyalty Program …”

The FTC complaint alleges that Wyndham failed to maintain adequate, industry-standard security measures: it stored credit card information in unencrypted form, allowed servers to remain unpatched, and failed to use firewalls.

The FTC alleges that these failures led to fraudulent charges on consumers’ accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia.

Most notably, the lawsuit will test whether the Federal Trade Commission has the jurisdiction to compel companies to provide a certain level of cybersecurity in order to safeguard consumer personal information.

Privacy Remains Top Concern

Many companies across many industries (financial services, higher education and healthcare, just to name a few) are facing a wide range of security and privacy concerns and are scrambling to implement a defensible security framework and demonstrate compliance. It’s alarming, considering the significant consequences of not complying.

Organizations can lose contracts, customers and their reputation. That could put some out of business.

Compliance Preparation & Best Practices

Large organizations can spend many months and millions of dollars on compliance. Your business need not go to such extremes. To avoid being caught by surprise and to prepare for the compliance journey, I’ve listed below some suggested best practices.

Periodic risk assessments. Evaluate the potential damage and disruption caused by unauthorized access, use, disclosure, modification, or destruction of data or systems.

Policies and procedures. Incorporate procedures for detecting, reporting, and responding to security incidents, as well as business continuity plans.

Standardize. Set standards of acceptable information security for networks, facilities, and information systems.

Train Employees. Awareness training for employees, contractors, and other users of information systems is critical. Articulate the security risks associated with their activities and define users’ responsibility for complying with policies and procedures.

Test & Evaluate. Periodic assessment of the effectiveness of information security policies, procedures, practices, and controls helps identify weak spots. At a minimum, assessments should be conducted annually, according to Ford.

Respond & Repair. Have a pre-defined process for planning, implementing, evaluating, and documenting remedial actions designed to address legal, PR, HR and related risks in the event of a breach.

THIS IS NOT LEGAL ADVICE. The procedures outlined above are merely suggestions and there is no guarantee that implementation will reduce risk or mitigate liability.

Please contact Leavens, Strand, Glover & Adler at 866-734-2568 for a free consultation to learn how LSGA can help meet your specific needs.

Cybersecurity, information & Privacy News Roundup

Cybersecurity, and insecurity, vexes nations
Minneapolis Star Tribune

Cybersecurity, the subject of this month’s Minnesota International Center’s “Great Decisions” dialogue, is a hot topic in the Beltway, Silicon Valley and on Wall Street. It’s also an important subject in Foggy Bottom and Turtle Bay.

CIO Magazine Cybersecurity News Roundup: MyAgent Trojan; Virus Infects Saudi Oil Giant

Cybersecurity News Roundup: MyAgent Trojan; Virus Infects Saudi Oil Giant; and Pro-Censorship Hackers. This week’s IT security news roundup features stories on the newly discovered MyAgent Trojan and on the malware that forced a Saudi oil giant to shut down.

What you should know about cybersecurity
Minneapolis Star Tribune

Congress is now in recess. But before its members left town, back on Friday, Aug. 3, they rejected a bipartisan bill that would have established optional “cybersecurity” standards for the computer systems that operate the country’s power grids, dams.

A Cybersecurity Dream Act Alternative
BankInfoSecurity.com (blog)

Will Obama use the Dream Act model of bypassing Congress to advance his cybersecurity agenda? Obama’s counterterrorism adviser John Brennan hints that such an order could come [see Cat Out of Bag on Infosec Regulation?].

Cyber security and disaster planning go hand in hand
Colorado Springs Business Journal

When the Waldo Canyon fire roared closer to Colorado Springs on June 26, Jeff Beauprez, president and CEO of Colorado Networks, started getting frantic phone calls from businesses along the Garden of the Gods Road corridor.

The Battelle CyberAuto Challenge encourages students to pursue cybersecurity.
LiveScience.com

Today’s cars have grown vulnerable to the threat of computer viruses or hackers — security researchers have even shown how to remotely unlock a vehicle or start a car’s engine using simple text messages. But a group of U.S. students who attended the …

Obama may bypass lawmakers with cybersecurity executive order
Leader and Times

Senate Republicans recently blocked cybersecurity legislation, but the issue might be revived by the White House, a federal law enforcement official told the Law Enforcement Examiner on Monday.

Cyber security boot camp to educate potential cyber spooks
ComputerWeekly.com

Stephanie Daman, CEO at the Cyber Security Challenge UK, said the cyber camp concept is something completely new for this year’s Challenge: “It represents a great opportunity for our expert sponsors to work closely with a group of young talent.”

Baltimore-area colleges win $4.7M in cyber security grants
Bizjournals.com

Harford Community College will receive $74,000 to put toward its work with the Regional Cybersecurity Education Initiative. HCC, University of Delaware and Delaware Technical and Community College formed the education initiative with industry partners …

Blank Rome Lobbying for Motorola Solutions on Cybersecurity, Tax Reform
The BLT: Blog of Legal Times (blog)

The lobby shop is advocating for the Schaumburg, Ill.-based telecommunications company on “[i]ssues related to public safety/D block spectrum; issues related to cybersecurity; issues related to tax reform legislation,”

Collaborative Cybersecurity: Why the private sector is essential.
By Paul Nicholas – TwC

The official Microsoft Security Blog provides in-depth discussion of security, cybersecurity and technology trends affecting trust in computing, as well as timely security news, trends, and practical security guidance.

The Cybersecurity Blame Game Continues
The stalling, bickering, almost-breakthrough, and eventual demise of cybersecurity legislation in the United States Senate was a sad thing to watch.