
In March, Facebook passed Google as the most visited website on the internet. As a result of the site’s rapidly increasing popularity, many businesses have begun incorporating it into their marketing or customer service strategy. However, employees in the past had been able to sidestep normal regulatory compliance by using it, relaying information that could otherwise be problematic. New compliance regulations have now closed this avenue for enterprises, Bank Investment Consultant reports.
The United States Financial Industry Regulatory Authority recently announced that all companies reporting to it must archive all posts and other correspondence on social media websites. This has disturbed a lot of enterprises, as most do not have an archiving system in place. Financial holding company Raymond James, for example, has told its advisors that until it develops a systematized method for doing so, it will steer clear of social media.
“Maybe half [of compliance officers] had a policy that advisors aren’t allowed to use it,” said Harry Chaffee, director of Renaissance Regulatory Services in Boca Raton, Florida. “None of the larger [bank] firms permitted it. Smaller firms with less than 30 advisors have a better chance because people know one another better.”
View Source…

The Russian Federation is considering amending the country’s data protection law, according to BNA’s Privacy Law Watch.
Businesses have long complained that the law contains restrictions on data processing that are extremely difficult to meet. For example, the law requires affirmative written consent for most types of data processing. In the online context, this provision has been interpreted to require a consumer’s digital signature. A check box, which is an acceptable mechanism for expressing consent in the EU, for example, is deemed unacceptable in Russia. In practice, this and other requirements of the data protection law have been widely ignored, even by Russia’s biggest Internet businesses.
Not surprisingly, Russia’s data protection regulator – the Russian Federal Service for Oversight of Communications, Information Technology and Mass Media (“Roscomnadzor”) – has found the rate of noncompliance with the law to be high. Roscomnadzor has reported that over 400 audits conducted in 2009 revealed 86 incidents of noncompliance.
In connection with the proposed amendments to the law, the regulator already has received over 100 recommendations from businesses and data protection professionals aimed at improving the law and implementing regulations.
View source…

The 2009 financial meltdown has resulted in new lawsuits and the possibility of increased regulation for many financial firms. Pending legislation that will boost regulation of big banks and of hedge funds provides two recent examples of this trend. Similarly, legal action against Wall Street firms such as Goldman Sachs, Lehman Brothers and others illustrates the increasing need to be able to respond to a growing number of both civil and criminal legal inquiries.
These trends are pushing corporate legal departments at financial institutions toward a unified approach to the mission-critical functions of internal investigations, eDiscovery, audit and compliance. This has now become a boardroom-level issue.
Internal investigations can include issues involving human resources, fraud, unauthorized network access and intellectual property theft. eDiscovery can include both civil and criminal evidence collections as well as regulatory inquiries. Compliance covers data audits (personally identifiable information, record management enforcement, etc.), data security, HIPAA and Sarbanes-Oxley (SOX) fraud investigations, to name a few.
Traditionally, these types of investigations have been conducted by separate corporate departments and rarely have they been brought under one roof from a technology or departmental resource point of view.
Read more…

While these survey results are from a vendor that sells identity protection services – and they have a vested interest in painting as bad a picture as possible – if the survey results are halfway on target, we’ve witnessed what was a significant problem become an abysmal failure when it comes to hospitals protecting patient information.
Consider these results from the survey, Spring 2010 National Survey of Hospital Compliance Executives:
PROBLEMS ARE WORSENING DESPITE MAJOR REGULATORY EFFORTS
41.5% of hospitals have TEN OR MORE data breaches each year – a 120.7% increase over last year’s survey. Currently, over 20 percent of hospitals have twenty or more breaches annually.
INSIDERS NOT OPTIMISTIC HEALTHCARE REFORM WILL HELP
56.3% of hospital compliance officers believe that the new health care reform law will either have no change or will increase medical identity theft at their institutions.
INVESTIGATION OF FRAUD IS SURPRISINGLY LOW
Despite the fact that medical identity theft is the fastest growing form of identity fraud, 71.4% of hospitals on average investigate fewer than 50 cases of possible misuse of identity annually, and over 34% still do not keep good patient ID records.
TIMELINESS OF COMPLIANCE IS POOR
To date, only 15.7% of hospitals feel they are in compliance with the HITECH Act, which went into effect in February 2010. This lack of compliance mirrors last year’s slow compliance efforts regarding the FTC’s Red Flags Rule.
Read more…

A new report by Forrester Research, commissioned by Microsoft and RSA, the security division of EMC, found that even though corporate secrets comprise 62 percent of a given company’s data assets, security programs are focused on compliance rather than data protection.
The report highlights a number of key findings that provide plenty to think about if you are even remotely involved in the security of corporate data:
* Secrets comprise two-thirds of the value of firms’ information portfolios
* Compliance, not security, drives security budgets
* Firms focus on preventing accidents, but theft is where the money is
* The more valuable a firm’s information, the more incidents it will have
* CISOs do not know how effective their security controls actually are
According to Forrester, corporate security programs are typically divided into two main categories of data types to protect: secrets and custodial data.
Secrets: information that can confer long-term competitive advantage, such as product plans, earnings forecasts, and trade secrets.
Secrets refer to information that the enterprise creates and wishes to keep under wraps. Secrets tend to be messily and abstractly described in Word documents, embedded in presentations, and enshrined in application-specific formats like CAD.
Read more…
If you own a bank account or use credit cards, chances are you’ve heard the term “PCI compliant.” But you probably don’t know what it means.
The term is heard more and more frequently these days as data breaches at merchants like TJX, parent of TJMaxx, and payment processors Heartland Payment Systems and RBS WorldPay land millions of card records in the hands of hackers. Criminals are using the data to make purchases and withdraw money from accounts of unsuspecting victims who did nothing wrong; they just owned a card.
It’s a huge and growing problem. More than 80 percent of data stolen in breaches is payment card data, according to the 2009 Verizon Business Data Breach Report.
CNET asked Bob Russo, general manager of the PCI Security Standards Council, to explain what is being done to keep criminals from accessing consumer payment card data.
Q: So, what does the PCI Security Standards Council do?
Russo: The council was formed in September 2006 by the five major credit card brands, Visa, MasterCard, American Express, Discover, and JCB [Japanese Credit Bureau]. It was formed because each one of the brands has their own compliance programs and they still do, but they all use this standard as the foundation for their programs. There was a time when you could pick up the phone and call one brand and ask a security question and get one answer and call another brand and ask the same question and get a different answer. They all now use these standards that we manage as the foundation for those compliance questions.
What is the standard exactly?
Russo: It’s the PCI, which stands for Payment Card Industry, data security standard. It’s a set of 12 specific requirements that cover six different goals. It’s very prescriptive. It says not only that you need to be secure but it tells you how to become secure. It’s more about security than compliance. The goals are things like build and maintain a secure network, protect card holder data and regularly monitor and test the networks. That’s the main standard. We manage three different standards. The first one covers everything from the physical security to logical security.
Read more…
As businesses face a March deadline under an oft-delayed state law to protect customer and employee personal information, data breaches affecting Massachusetts residents remain strikingly frequent.
More than 1 million Massachusetts residents were hit by 807 data breach instances from Nov. 1, 2007, to Oct. 31 of this year, according to a report by the Massachusetts Office of Consumer Affairs and Business Regulation, which monitors and enforces state data breach regulations. In the six weeks since, 59 additional breaches have been reported to the state.
Yet tight finances and the perceived high cost of compliance with technical aspects of the rules make full compliance with the impending deadline unlikely for at least some firms, business leaders say, clouding the full impact regulations may have on stemming the tide of breaches.
An examination of some of the more recent filings with the state shows that businesses from the largest financial institutions to the smallest nonprofits have been hit by data breaches, some of them likely preventable.
For example:
- Three separate breaches at State Street Corp. affecting 42 Massachusetts residents involved State Street employees accidentally sending personal information of a customer to the wrong client or financial adviser and a Web site glitch that disclosed account information to the wrong customer.
- An outside attack on Lexington-based Scottish Rite Charities’ Web server that, unbeknownst to the nonprofit, held the credit card information of 481 customers, including 47 Massachusetts residents.
Read more…
Federal agencies may have to report a number of new cybersecurity metrics to the Office of Management and Budget, according to a draft of proposed cybersecurity performance metrics posted this week by the OMB and the National Institute of Standards and Technology.
The new metrics have a strong emphasis on real-time monitoring. Critics have long faulted the government’s cybersecurity compliance efforts under the Federal Information Security Management Act as focusing too heavily on metrics that have little to do with actual operational security, like whether an agency has tested its contingency plan.
“These metrics represent a new approach, which focuses on improving security, not just compliance,” NIST said in a statement on its Web site. “These metrics should encourage agencies to take concrete steps to improve their security posture.”
There are four new categories of metrics: remote access management, data-level controls, identity and access management, and real-time security awareness and management, along with a focus on monitoring tools.
Read more…
Organizations can use this assessment to get a better understanding of where unstructured data resides on the network and what types of content are out there. This information can be used to assess an organization’s e-discovery readiness, to help launch or enforce retention/disposition policies, or find caches of sensitive information that may be subject to PCI or compliance rules.
A service engineer comes onsite with a StoredIQ appliance that can connect to various content sources, including production and archive e-mail stores, ECM platforms, disk and tape storage systems, and PCs. The StoredIQ software indexes and categorizes the data. Then a variety of pre-built and custom reports are delivered as part of the service.
As with DLP products that seek out sensitive content such as credit card and Social Security numbers, this service operates under the premise that organizations can’t manage what they don’t know about.
This is a sensible premise. Companies may have an accurate picture of the volume of data sitting on file shares, user laptops, NAS filers and archives, but they don’t always have a clear idea of what it is, what value it has to the enterprise, and whether they can get rid of it, move it to a lower-cost storage tier, or pack it off to a well-policed repository to meet regulatory requirements.
Read more…
There is a lot of focus today on regulatory compliance involving financial reporting, security and data privacy. Organizations are facing increased scrutiny from customers, staff and regulators of the way in which they deal with personal and other business data.
Today, almost all of the data and information security survey reports highlight a rising number of data breaches and the increasing impact of data breach costs. The cost impact is higher for organizations that experience a data breach for the first time. Data breaches can happen in many ways, such as accidental exposure of information by error, abuse of employee privileges, stolen laptops, hacker attacks, viruses, worms, spam, phishing and other types of threats.
Before we take a look at some of the critical privacy and data protection issues, let
U.S. District Court Judge Reggie Walton recently dealt what many in the legal profession hope is the death blow to the Federal Trade Commission
It’s been one year since federal regulators started examining banks and credit unions for compliance with the Identity Theft Red Flags Rule. How have institutions fared?
So far, so good, regulators say. The majority of institutions examined have been in compliance, with a minority failing to either implement or document their ID theft prevention programs.
“Overall our institutions are doing pretty well in their exams,” says April Breslaw, Director of Consumer Regulation at the Office of Thrift Supervision (OTS). “The vast majority is taking ID Theft Red Flags seriously and has implemented the program as required.”
FAQs Helped
The Red Flags rule was adopted in late 2007, and regulators started examining for compliance last Nov. 1.
Read more…