The U.S. government data breach announced last week began a year ago, giving the perpetrators plenty of time to access federal employees’ personal information, according to the NSA. Also in recent GRC news: A new bill would give Europeans the same data protection rights as American citizens, and a flaw in popular mobile apps could leave billions of data records vulnerable.
NSA: U.S. security clearance data hack began a year ago
The recently discovered breach into the security clearance computer system of the Office of Personnel Management (OPM) began a year ago, according to new information disclosed by the National Security Agency (NSA).
The substantial amount of time between the start of the breach in the summer of 2014 and its discovery earlier this month allowed hackers the ability to accomplish a far-reaching cyberattack, NSA general counsel Stewart Baker told The Washington Post.
The OPM’s security clearance network contains personal and financial information on millions of current, former and prospective federal employees.
The White House has not publicly disclosed whom they suspect executed the breach, but unidentified U.S. officials speculate the perpetrators were hackers sponsored by the Chinese government, according to the Post. Senior U.S. officials say that in the past 12 to 18 months, the Chinese government has started building large databases containing Americans’ information for counterintelligence purposes.
Bill extends U.S. data protection rights to Europeans
A bipartisan bill introduced last week in the U.S. Senate will, if passed, extend to Europeans the same rights American citizens have under the Privacy Act of 1974. The Senate bill would allow Europeans to take legal action against U.S. agencies that misuse their private data. Some members of the European Parliament said that the legislation will not only restore the trust of both American and European citizens in the wake of Edward Snowden’s revelations, but also kick off future data-sharing deals between the E.U. and U.S. governments, according to Politico.
One detail that needs to be cleared up before the bill is put to a vote is whether everyone in the EU — and not just citizens — would be covered under the new law.
Mobile app flaw could leave billions of records vulnerable
German security researchers have discovered a flaw in the way thousands of popular mobile apps store information online, leaving about 56 million pieces of unprotected data vulnerable to attackers. The exposed information includes passwords, addresses and location data. Researchers declined to name the vulnerabile applications, but said they include popular ones available from the Apple and Google app stores.
The issue lies in the way most mobile app developers authenticate users when storing their data online. Most app developers use a default option that allows hackers easy access to the app — and a user’s private data, the security researchers reported.
“In almost every category we found an app which has this vulnerability in it,” Siegfried Rasthofer, one of the researchers, told Reuters. Those categories include messaging, gaming, social networking and bank transfer apps. The researchers predicted that the number of records affected will likely be in the billions.
Feds probe Cardinals for hacking into private Astros network
The FBI and the U.S. Department of Justice are investigating officials from the St. Louis Cardinals for hacking into the private computer system of the Houston Astros to steal information on Astro players. Data stored in the Astros’ internal network included trade discussions, player evaluations and scouting methods.
Law enforcement officials believe a Cardinals staffer accessed the Astros database by trying out passwords that Jeff Luhnow — a former Cardinals executive who is now an Astros general manager — used during his stint in St. Louis. Federal officials are uncertain on who committed the act.
Experts say that while cyberespionage is common among U.S. companies, this is the first known occurrence in the professional sports world. It could also result not only in disciplinary measures by Major League Baseball, but also criminal charges for the violation of the Computer Fraud and Abuse Act of 1986, a federal law.
(This blog post was written by Aislyn Fredsall, an editorial assistant for the TechTarget CIO media group through Northeastern University’s co-op program.)
Is security no longer a major concern for the Internet of Things? Judging from an IoT panel discussion during the 2015 MIT Sloan CIO Symposium, this statement might not be as outlandish as it sounds.
The panel, titled “The Internet of Things: Challenges for a Connected World,” focused on some of the issues facing IoT, including the development of IoT technology and the obstacles of introducing it in the enterprise. Unsurprisingly, security was also among the problems discussed.
“Security’s huge and just like the rest of IT, no one is investing enough in it,” said Michael Chui, a partner of the McKinsey Global Institute and former CIO of the City of Bloomington, Ind. “IoT both increases the attack surface, or creates more vectors, [and] increases the consequences of a breach.”
But besides a few superficial references, the discourse did not actually focus on security until members of the audience specifically asked about it. It is possible that the panel planned to talk about IoT security and just did not get to it within the allotted time, but the fact that security was not a priority discussion topic is telling.
While no one would argue that security is no longer a problem at all for IoT, maybe it is not as big of an issue as it once was.
Fellow panelist Richard Soley, executive director of the Industrial Internet Consortium, placed importance on IoT security when he described how “one of the first two groups created” for the Industrial Internet Consortium was “focused on creating security use cases and applying those security use cases to all the test beds that we develop.”
However, Soley also downplayed how much progress is still needed regarding IoT security by suggesting that it is a problem that can never completely be solved. He voiced this sentiment with his mantra of “it’s going to happen” concerning security breaches.
“First of all, we need to preface any answer [about IoT security] with: It’s going to happen,” he said. “It doesn’t make sense to say we’re not going to do this because of increasing attack surface. It’s going to happen.”
Soley made it clear that breaches are inevitable but that this is not a reason to avoid or postpone adopting IoT technology. In fact, the inevitability should be embraced with IoT adoption.
“The point is we’re going to take advantage of Internet technology because it’s cheap and because we have ubiquitous connectivity,” Soley said. “If we’re going to provide any kind of data privacy we’re going to have to solve the security issues, but you’re never going to get them 100% [solved] and you shouldn’t expect to get them 100% because we don’t have it in the physical world either.”
At least for Soley, it seems that security was not discussed more during the panel because there was nothing new to say on the topic. Enterprises don’t need to develop new security innovations to confront the problems they’re facing with IoT security; they just need to fully utilize already available technology.
“I think that current security technology is perfectly up to the task; it’s just that most of us don’t bother,” he said.
Aislyn Fredsall is an editorial assistant for the TechTarget CIO media group through Northeastern University’s co-op program. She is currently in her third year at Northeastern, where she studies English.
U.S. officials say the recent hack of government computer systems affects 4 million current and former federal employees, but the breach could have impacted private citizens, too. Also in the news: Apple hyped new privacy protections as it updates Siri, while U.S. and EU officials moved closer to Safe Harbor revisions.
Concern for private citizens’ data after U.S. government hack
U.S. officials announced last week that hackers breached the computer system of the Office of Personnel Management (OPM) in December 2014, compromising the personal information of about 4 million current and former federal employees. The intrusion is the largest known U.S. federal data breach in recent years, according to The Washington Post.
The U.S. government suspects that the breach was sponsored by the Chinese government, but China has denied its involvement. The hackers’ goal was to use the stolen personal data to recruit spies, access weapon plans and obtain other confidential information.
Sources told ABC News that federal investigators are now looking into whether the hack affected more than just the reported 4 million former and current employees, including private citizens who have never worked for the U.S. government.
At the G7 Summit in Germany earlier this week, President Barack Obama said that his administration will strengthen the nation’s cyberdefenses in the wake of the breach. “In the case of state actors, they’re probing for intelligence or in some cases trying to bring down systems in pursuit of their various foreign policy objectives,” he said at a news conference at the summit. He also encouraged Congress to pass cybersecurity legislation.
Apple updates Siri, extols user privacy
At Apple’s Worldwide Developers Conference (WWDC) earlier this week, the company unveiled new “Siri” personal assistant features, including capabilities to scour through emails, correlate contacts and extract contextual data from private texts.
Despite how reliant these services are on user data, Apple VP of software engineering Craig Federghi stressed that the company keeps culled data as anonymous as possible and does not share it with third parties. He also said that Apple isolates that data to the user’s device, and that all the information stays under the user’s control.
“All of this is done on-device and it stays on-device under your control. We don’t mine your email, your photos or your contacts,” Federghi said during a speech at the WWDC. He also underscored that Apple has never used search queries to mine personal emails or photos, or to build user profiles.
U.S., EU officials move forward on Safe Harbor revisions
After allegations surfaced that American companies were spying on European citizens, U.S. and European Union officials announced they are finally closing in on updating the Safe Harbor agreement, according to The Wall Street Journal. Safe Harbor is a 15-year-old pact that regulates the way that U.S. companies export and handle European citizens’ personal data.
European officials are giving the U.S. another month to reach an accord on reforming the pact. EU Justice Commissioner Vera Jourova told the WSJ that disagreements remain between the two sides, particularly around the extent of how U.S. security authorities are legally allowed to access consumer data collected by U.S. companies.
(This blog post was written by Jeff Whited, senior manager of education development at ARMA International.)
By leveraging big data as an asset, organizations are tapping new business efficiencies and revenue streams. Credit card companies, for instance, sell data on customers’ buying habits. Healthcare systems aggregate data on treatment regimens and outcomes in an effort to trim costs. Urban planners and other constituencies use government information to advance their goals.
But organizations that allow their data stores to grow into “big data” — which Gartner Inc. defines as “high-volume, high-velocity and high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making” — must be vigilant in protecting that data against the privacy concerns of customers, patients and the public at large.
Every few months the headlines scream about a massive data breach— the Home Depot, Target, Anthem and Sony incidents come easily to mind. While it’s tough to account for the reputational damage of such breaches, the actual dollar costs are often graspable. According to an October 2014 article by Brian Nichols of The Motley Fool, Target’s stock fell 7.5% in the first year after the breach was made public. In the first six months, Target’s costs related directly to the security breach hit $378 million.
By retaining vast quantities of data– including so-called dark data, which Gartner defines as “information assets that organizations collect, process and store in the course of their regular business activity, but generally fail to use for other purposes”–organizations are increasing the opportunities for personally identifiable information (PII) to be exposed.
So, it becomes a matter of balancing the risk of retaining big data vs. the reward of monetizing it.
According to the Nichols article, Target has spent at least $100 million to protect itself from future attacks by investing in a new technology infrastructure with enhanced security measures.
Such a step is reasonable, of course. But the best tools and technologies are worth little if they’re not part of a carefully planned initiative. The smartest way to address these security issues is to implement an enterprise-wide information governance (IG) program that is aligned with the organization’s mission, goals and culture. Such a strategic initiative brings together senior stakeholders to make sure the organization’s data is governed in a manner that increases business efficiencies and complies with all laws and regulations.
At the heart of good IG is good recordkeeping, and therefore the senior records manager must be a key player in the IG initiative. Also vital to the program are compliance officers to help ensure the recordkeeping practices are satisfying the demands of such laws as Sarbanes-Oxley for the financial industry and the Health Insurance Portability and Accountability Act; IT executives to provide the right tools and to help effect proper protection policies; legal counsel to help assure the defensibility of the program; and senior managers from the business units to provide realistic guidance on how the information is created and used.
Organizations wishing to monetize their big data should work to mitigate the security risks by implementing an IG program that treats records as the strategic assets they really are. Such a program will help identify gaps in the business processes, minimize legal and compliance risk, and potentially save enormous sums of money in discovery and litigation.
Jeff Whited is senior manager of education development at ARMA International, a not-for-profit professional association and authority on governing information as a strategic asset.
If recent headlines are any indication, Wall Street banks and other financial institutions continue to garner poor marks when it comes to regulatory compliance: Earlier this month, several major global banks pleaded guilty to federal accusations regarding the rigging of foreign exchange rates. Also in recent GRC news: Finance professionals believe unethical behavior persists in Wall Street, and foreign companies don’t view the chief compliance officer role as important.
Five large global banks charged of foreign currency manipulation
Last week, four major global banks pleaded guilty to U.S. Department of Justice charges of conspiring to manipulate foreign exchange rates. Traders at Barclays, Citigroup, JPMorgan Chase and the Royal Bank of Scotland created online chat rooms to collude over the price-fixing scheme that took place from at least 2007 to 2013.
Another large bank, UBS, was also accused of manipulating foreign currencies. Although it was not criminally charged for the wrongdoing, the bank’s nonprosecution agreement stemming from a previous manipulation of a financial benchmark was voided.
The five banks agreed to pay $5.6 billion in penalties.
The lack of government oversight, combined with pressure to wrest profits out of a market that is generally less profitable than others, laid the framework for this scheme, reported The New York Times. In the wake of the 2008 financial crisis, Congress passed rules to better regulate Wall Street trading operations, but the Treasury Department exempted parts of the foreign market from these new rules, according to NYT.
The regulatory divide has begun to narrow in the aftermath of the rigging scandal, with financial regulators monitoring currency trading at higher levels than other fixed businesses, NYT reported.
Community banks face more enforcement actions
The number of enforcement actions against banks and credit unions rose 30% from Q4 of 2014 to Q1 of 2015, according to the Banking Compliance Index from compliance services provider Continunity. Sixty percent of these actions were taken against institutions with assets of $250 million or less, almost 20% more than in the previous quarter.
This increase in regulatory oversight is due to two factors, reported The Wall Street Journal: more Dodd-Frank rules coming into effect, and greater emphasis on Basel III anti-money laundering violations. Pam Perdue, Continuity’s executive vice president of regulatory operations, told WSJ that a lack of familiarity with Dodd-Frank rule changes, coupled with external pressures to stay competitive, are causing these small banks to cut corners, particularly in compliance.
Survey: Unethical culture persists in Wall Street
Despite new regulations such as Dodd-Frank and increased regulatory scrutiny of Wall Street firms, a recent study has found that many financial professionals in the U.S. and U.K. believe unethical behavior and wrongdoing persist in the workplace.
A survey conducted by law firm Labaton Sucharow LLP found that about 47% of the 1,200 respondents think it is likely that their competitors have engaged in illegal or unethical activity to gain a competitive edge, a 39% jump from 2012. Over one-third of survey respondents who make at least $500,000 annually reported witnessing, or knowing firsthand about, wrongdoing in the workplace.
The following are some of the more worrying findings: About one in five respondents believe they must at least sometimes engage in illegal or unethical activity to be successful; 32% believe the existing compensation structures and bonus plans at their companies impel employees to “compromise ethics or violate the law”; and one-third of respondents think that the financial industry hasn’t improved since the 2008 financial crisis.
The report’s findings should be taken with caution, said Andrew Ross Sorkin of The New York Times, because Labaton Sucharow often represents whistleblowers in cases against financial institutions. Still, Sorkin pointed to concerns that were also voiced by William C. Dudley, the president of the Federal Reserve Bank of New York, in a speech last year: “The pattern of bad behavior did not end with the financial crisis, but continued despite the considerable public sector intervention that was necessary to stabilize the financial system.”
One big problem, said Sorkin, is that not many people who work in finance are willing to report bad actors, despite the whistleblower program developed by the Securities and Exchange Commission.
Large foreign companies forgo chief compliance officer
Although large U.S. companies and U.S. regulators both view the chief compliance officer (CCO) role as highly important, some large foreign companies don’t see the need for the position, WSJ reports. These foreign companies include Italian oil and gas company Eni S.p.A., Russian energy company OAO Gazprom and Japanese car manufacturer Toyota Motor Corp. Instead, Toyota and Eni have committees that handle compliance, and Gazprom distributes its internal compliance function among multiple divisions that report to various top managers.
Governance experts strongly advise companies to have a single individual overseeing compliance operations, according to WSJ, and some believe lacking a CCO makes companies vulnerable to more risk. Others disagreed, saying a coherent compliance program is what matters.
The Securities and Exchange Commission (SEC) is pushing to provide U.S. shareholders with better metrics to compare executive pay against company performance. In other GRC headlines from recent weeks: A new law moving through Congress could allow breached companies to keep intrusions under wraps; and the U.S. Justice Department plans to reveal details about secret phone tracking.
SEC votes on rules comparing executive pay and company performance
The SEC wants to give U.S. company shareholders more information on executive pay and company performance. The regulatory agency last week proposed new rules that would require companies to disclose the relationship between how their top executives are compensated and the companies’ financial returns. The rules, which would put into practice a requirement outlined in The Dodd-Frank Act, aim to provide greater transparency to the public and a better gauge for shareholders to compare pay and performance, according to the SEC’s press announcement.
The rules would also require companies to standardize how they report this information in their publicly filed annual proxy statements so that shareholders can better compare performance across various industries.
Some lawyers and compensation experts, however, view the new rules as unnecessary, reported The New York Times. Critics say that many corporations, especially banks, already compare executive compensation with performance in their proxy statements. Some also claim that the proposed rules intend to shame companies and their executives. “The real purpose of these rules was to embarrass corporate America,” Alan Johnson, managing director of New York consulting firm Johnson Associates, told the NYT.
Proposed law would let firms keep breaches under wraps
Proposals moving through both chambers of Congress would allow companies that have experienced a consumer data breach to withhold notifying customers if they believe that there’s no risk the breach would lead to serious identity theft or fraud. If there’s a reasonable chance a system intrusion could harm customers, however, companies will be required to quickly notify them.
If passed, the legislation would overrule existing state laws on notification, many of which require companies to inform customers of any unauthorized access of their personal data, according to The Wall Street Journal.
“Too much notification undercuts the value of useful notification,” a spokesman for Rep. Marsha Blackburn, a sponsor for one of the proposals, told the WSJ. The bill focuses on “what impacts consumers most, and that is identity theft and payment fraud,” the spokesman added.
This proposal comes at the heels of another bill making the rounds in Congress that has some privacy advocates up in arms. Last month, the House voted to pass cybersecurity legislation that would legally protect companies that share threat intelligence with the U.S. government.
U.S. Justice Department to divulge more on secret cellphone tracking
The U.S. Justice Department is pushing for more transparency over how secret cellphone tracking services are used. Justice officials told the WSJ that they have launched a review of how government agencies are deploying these technologies, which search for criminal suspects based on their cellphone location.
According to the WSJ, the FBI has been using the tracking devices for years without warrants. In recent months, they’ve started obtaining search warrants from judges to use the devices.
The announcement arrives in the midst of controversy over the Justice Department’s own use of such technology. For instance, some tracking devices are deployed in airplanes to scan the phones of thousands of U.S. citizens who aren’t targets of investigations, the WSJ reported last year. Furthermore, there were many occurrences in which law enforcement agencies within the Justice Department, such as the FBI and the Drug Enforcement Agency, did not obtain warrants before using these devices, according to the WSJ.
Much to the chagrin of privacy advocates, U.S. legislators have been pushing to pass a bill to improve cyberthreat intelligence sharing before discussing National Security Agency (NSA) surveillance reforms. In other recent news: Privacy proponents are also up in arms about an NSA proposal that would force tech companies to allow government access to encrypted consumer devices; and security experts warn about the increasing number of medical data thefts in recent years.
U.S. Congress hastens to pass cybersecurity bill ahead of NSA reform debate
U.S. lawmakers are rushing to pass a major cybersecurity bill before beginning the debate over reforming the National Security Agency’s surveillance programs. The NSA programs must be reauthorized by June 1. Backers of the security bill, which strives to improve companies’ cyberthreat information sharing with the government, insist that it is a separate issue from NSA surveillance. Privacy advocates, however, worry that the cybersecurity bill will allow the NSA to further collect American citizens’ sensitive data.
The cybersecurity bill is a joint effort between both the House of Representatives’ and the Senate’s intelligence committees, and appears to have garnered approval from Republicans, Democrats and the White House, The Hill reports. The Obama administration stated recently that it considers cybercrime a national emergency, and that information sharing programs are a major part of its cyberdefense strategy, according to The Wall Street Journal.
The House Intelligence Committee’s bill prohibits cyberthreat intelligence from going directly to the NSA, but privacy groups want NSA surveillance programs to be reformed before cybersecurity legislation passes to give the government more access to data, according to The Hill.
NSA director seeks front door access to encrypted devices
The debate over whether the U.S. government should have guaranteed access to encrypted data on U.S. consumer devices has reached another impasse. Adm. Michael S. Rogers, director of the NSA, is offering a “technical solution” to the problem, reported The Washington Post: legally requiring technology companies to create a digital key that can open any locked device to access the data inside, but splitting the key into pieces among multiple agencies so that not one entity could use it.
“I don’t want a back door. I want a front door. And I want the front door to have multiple locks,” Rogers said in a recent speech at Princeton University, where he outlined the proposal.
Law enforcement and intelligence officials who support the proposal warn that the growing use of data and device encryption could seriously obstruct criminal and national security investigations.
Members of the technology industry and privacy advocates, however, argue that granting government and law enforcement access to people’s private communications threatens their Constitutional right to free speech. Security experts also believe that the split-key approach creates weaknesses that hackers and foreign intelligence agencies can try to exploit. Opponents of the NSA’s proposal also argue that the scope of encryption technology usage has exceeded the reach of government control, according to the Post.
Medical data theft on the rise
The growth in the number of digital medical records has led to an increase in the theft of those records, industry experts say. This type of theft has also evolved, according to Dwayne Melancon, CTO of software company TripWire: Hackers previously stole payment card and bank information inside medical records, but now they target personal information, he told Marketplace.
Unlike payment card theft, victims of medical data theft often don’t find out that their data is for sale to the highest bidder until after a year or more has passed, healthcare information security expert Bernard Peter Robichau told Marketplace.
There’s also the risk that this stolen medical data could end up on predictive consumer scores. These scores use data collected by devices and apps to predict individuals’ likelihood to spend on healthcare, to commit fraud, to adhere to medication prescriptions and other data points highly sought after by many companies, reported Marketplace.
Following the recent streak of high-profile cyberattacks on U.S. companies, the Obama administration last week unveiled a program that would impose sanctions on individuals or groups overseas that are potential sources of cyberthreats. Also in the news: Facebook’s privacy practices face growing scrutiny in Europe; banks shed high-risk customers to avoid penalties; and more.
U.S. sanctions program aims at foreign cyberattackers
President Barack Obama last week issued an executive order that deems destructive cyberattacks a “national emergency” and allows the U.S. Treasury Department to freeze the assets and bar the financial transactions of individuals and groups that engage in such activities. The sanctions target entities outside the United States who threaten its national security, foreign policy and economy through malicious cyberactivities, according to the executive order.
The program grants the administration use of the same penalties it applies on other threats, such as the crises in the Middle East and Ukraine, Reuters reported. According to a report from Reuters, security and legal experts consider the move a promising step in light of the persistent string of attacks on U.S. computer networks. However, expert Mark Rasch, former Justice Department trial attorney, said that the breadth of power the program gives the executive branch could result in a “compliance nightmare for companies.” Additionally, security experts cited the difficulty of identifying hackers responsible for these attacks.
Facebook faces mounting heat from the EU over privacy
Facebook is facing mounting probes into its privacy practices from various European authorities, reported The Wall Street Journal. In recent weeks, data privacy regulators from France, Italy and Spain have joined a group of regulators from Belgium, Germany and the Netherlands that is investigating the social networking giant’s data handling practices. The group is looking into how Facebook is integrating data from its various services, including Instagram and WhatsApp, to target advertising, as well as how the company is tracking users’ browsing habits through its “like” button.
Typically, Facebook’s privacy compliance in Europe falls under the purview of the data protection authority in Ireland, where the company’s European headquarters is located. However, in advance of impending changes to the EU’s data protection regulations, European regulators from other countries have increasingly been taking on big U.S. technology companies in addition to Facebook, including Amazon, Apple and Google, according to WSJ.
Some of the regulators launching the probes say that the “right to be forgotten” ruling, made by the European Court of Justice (the top court in the EU) last year, is a precedent that justifies their right to investigate Facebook. Others, such as the Information Commissioner’s Office in the U.K., which hasn’t joined the effort, says it recognizes the role of the Irish data protection regulator over Facebook’s privacy compliance in Europe.
Regulators tell banks to rein in widespread closures of risky accounts
Banks are closing down the accounts of high-risk customers in response to a record number of penalties imposed by U.S. regulators in recent years regarding inadequate risk controls, according to The Wall Street Journal‘s Risk & Compliance blog. Moreover, some U.S. authorities have previously urged banks to stop transacting with certain customers. Now, regulators are growing concerned that the entire lines of business these banks are cutting off are turning to less regulated or underground institutions, particularly in the areas of money-transfer services and foreign-correspondent banking.
Officials ranging from Comptroller of the Currency Tom Curry to Adam Szubin, the U.S. Treasury Department’s acting undersecretary for terrorism and financial intelligence, are now advising banks to be more discerning in their decisions to leave or not take on a customer relationship because it is considered at high risk for money laundering.
It’s doubtful that regulators’ shift in tone will prompt these banks to immediately reverse their decision regarding whole categories of high-risk customers, some experts told WSJ. One reason is the vagueness of recent guidelines around risk controls; another reason, according to Rich Riese, senior vice president of the American Bankers Association’s Center for Regulatory Compliance, is that banks are unlikely to take back the high-risk customers they’ve recently shed.
U.S. Justice Department deems HSBC slow on compliance changes
British multinational bank HSBC, which in 2012 was charged with laundering money on behalf of Mexican cartels and transferring money for nations blacklisted by the U.S., such as Iran and Sudan, has been slow in meeting the requirements of its $1.9 billion deferred-prosecution agreement (DPA), according to a court filing made by federal prosecutors as part of a quarterly update on the bank’s progress.
In the filing, which summarizes the findings of Michael Cherkasky, the independent monitor who has been following HSBC’s progress for over a year, the U.S. Justice Department commends HSBC’s progress in areas such as risk assessment and compliance monitoring and testing; however, it also highlighted two areas in which the bank has been “too slow” with its progress and must do more: its corporate culture and its compliance technology.
According to the filing, the bank’s overhaul was initially met with resistance, pointing to pushback from the managers at HSBC’s U.S. unit for global banking and markets, which resulted in an internal audit report that the filing said was “more favorable to the business than it would otherwise have been,” The New York Times reported.
The filing also docks the bank’s technology systems as needing further improvement, saying it continues to “suffer from fragmentation and lack of connectivity.” These weaknesses, the filing said, could sacrifice the quality of customer data collected and analyzed by the bank. They also inhibit auditors’ view into customers’ banking history to look into potentially suspicious activity, the filing said.
The FBI’s quest to expand its hacking authority moved forward last week: A judicial advisory panel approved a rule change regarding how flexible judges can be in granting search warrants outside the bounds of their geographical jurisdiction. Also in the news recently: The Pentagon launched a research program to protect personal data while making it available to third parties to analyze; a report finds most companies fall short of PCI DSS compliance; and a House of Representatives security committee unveils a major cyber bill.
U.S. Justice Department approves rule change that could broaden FBI’s hacking authority
A judicial advisory committee voted to approve a rule change last week that would grant federal judges more leeway in how they approve search warrants for electronic records, according to the Justice Department. The panel voted to modify Rule 41, which currently allows judges to approve search warrants but limits the warrants to material that is physically located within their judicial district. Under the proposed modification, judges would be allowed to grant search warrants for data in computers located either outside their district or in unknown locations. The committee’s vote is only the first of several steps to passing the proposal; the Supreme Court has until May 1, 2016 to review and accept the change, and then Congress would have another seven months to reject, modify or defer the amendment.
The U.S. government defended the rule change, saying that the provision needed to be updated to keep up with today’s digital realities. According to National Journal, expanding its powers would allow the FBI to more easily penetrate computer networks to install tracking software and monitor suspected criminals.
Various privacy advocacy and technology groups, however, have spoken out against the ruling. The American Civil Liberties Union, Google and others warn that the change amounts to a significant rewriting of the provision that could threaten constitutional protections as well as the sovereignty of foreign countries.
Pentagon rolls out new research program to protect personal data online
The Defense Advanced Research Projects Agency (DARPA), the Pentagon’s high-tech research agency, is launching a new program that aims to protect the personal data Americans knowingly provide to companies, health care providers and the government while also making that data accessible to those third parties for analysis. The program, called Brandeis, aims to “restructure our relationship with data by shifting the mechanisms for data protection to the data owner rather than the data user,” according to a document published by DARPA. The agency will spend four and a half years on the program.
Brandeis will look at four major research areas. The first, privacy-preserving computation, involves reducing the limits to the range of privacy-preserving data mining programs so that personal data can be both protected and shared on a larger scale, outlined USA Today. The second area, human-data interaction, will focus on developing technologies to help data owners make choices about how their information is being used. The third research area, experimental systems, will provide platforms to test the success of privacy-preserving computation and human-data interaction work. Lastly, Brandeis will focus on metrics and analysis to enable systems to determine exactly how private the data is; one way to determine this is by quantifying the privacy tax, which refers to “the increase in computational time, memory and storage requirements against the degradation of accuracy of results for any given level of privacy,” according to the DARPA document.
Report finds majority of companies fail PCI compliance tests
Eighty percent of companies fail interim assessments for compliance with the Payment Card Data Security Standard (PCI DSS), according to a report released by Verizon Communications earlier this month. Verizon’s forensics team discovered that of all the data breaches it investigated over the last 10 years, not one company was compliant with all 12 requirements of PCI DSS at the time each breach occurred.
Still, compliance is up overall, rising in every PCI requirement area between 2013 and 2014, except for Requirement 11 (testing security systems), which had the lowest compliance. Additionally, almost twice as many companies were found compliant at interim assessment in 2014 versus 2013 (20% vs. 11.1%); however, the report warns that this is not necessarily good news because of the large percentage of companies that still fail. Plus, sustainability is low: The study found that less than a third of companies were still fully compliant within a year of validation.
The Verizon report also offers guidance on how companies can sustain PCI compliance and improve data security, including fully integrating compliance into their larger governance, risk and compliance strategies, as well as implementing network segmentation and data masking, according to the Wall Street Journal.
House security panel releases cybersharing bill
The Homeland Security Committee in the House of Representatives last week released a bill that would provide legal liability protections to companies that share cyberthreat information with the Department of Homeland Security (DHS). The measure, called the National Cybersecurity Protection Advancement Act, designates the DHS as the “primary interface” for any intelligence sharing between private companies and public agencies, opening the possibility of exchanges with the likes of the National Security Agency (NSA) or the Treasury Department, while not explicitly authorizing them, reported The Hill. The bill also permits sharing among government agencies.
According to the Hill, the committee’s former staff director, Alex Manning, said the language of the bill has been changed from previous iterations to reflect a stronger stance on privacy in order to appease privacy advocates. These changes include specific guidelines on how the DHS privacy office will monitor the sharing program, as well as bolstering the sections that require companies to redact personal information from the data before sharing it with the government.
While the American Civil Liberties Union backed a version of the bill last year, some privacy advocates may still have objections regarding certain gaps in the current version, such as the possibility of sharing within the government or with the NSA, The Hill speculated.
Data breaches have been intensifying in recent years, but security expert Benjamin Dean argues that many companies still lack motivation to invest in more robust information security. Also in headlines from the past few weeks: The U.S. and European governments set their sights on data processing and consumer privacy; and Forrester Research predicts that a stricter governance, risk and compliance (GRC) environment will result in more regulatory failures for companies.
Companies lack incentives for stronger cybersecurity
Despite numerous high-profile cyberattacks, there is little motivation for companies to invest in better information security, according to Benjamin Dean, a Fellow for Internet Governance and Cybersecurity at Columbia University’s School of International and Public Affairs.
Dean examined the net expenses that Sony Pictures, Target and Home Depot incurred in response to recent data breaches, taking insurance reimbursements and tax deductions into account. In the case of Sony, Dean also factored in investigation and remediation costs. Dean found that these breach-related expenses amounted to 0.9%, 0.1% and 0.01%, respectively, of the companies’ total 2014 revenue. Investments in cybersecurity are also slight even among financial institutions like JPMorgan Chase that rely heavily on robust information security, he said.
Dean attributes these companies’ failure to adequately invest in information security to “moral hazard,” or when one person or organization takes greater risks because others bear the brunt and costs of these risks. For instance, credit and debit card providers sustained most of the costs related to the Home Depot breach, spending some $60 million replacing customer cards in September 2014 alone.
Moral hazard, combined with insurance reimbursements and tax deductions, weaken companies’ incentives to make large cybersecurity investments, Dean argues. As a result, greater government intervention is needed, he said. While there are currently policy proposals that address data breach protection, most of them don’t focus on moral hazard or providing incentives to these companies. Instead, these proposals focus on information sharing with intelligence agencies, something Dean and other infosec experts contend will not significantly reduce breaches.
U.S., European governments target consumer data processing
The Obama administration released draft legislation in late February that would give consumers greater control of how their personal information is collected and used by companies. The proposed bill aims to fill the gaps among already existing federal laws that address how consumer information is used, including the Fair Credit Reporting Act and the Video Privacy Protection Act.
The legislation will allow industries to create their own codes of conduct on how to handle consumer data. The Federal Trade Commission will enforce the bill by making sure these codes fulfill the baseline data-processing requirements of the bill, such as furnishing consumers with notices about how their personal information will be collected, used and shared.
The draft has already encountered opposition from privacy rights advocates, who say it does not go far enough to protect consumers and gives companies too much latitude. One of these advocates, Sen. Edward J. Markey, argues that instead of these industries developing varying codes of conduct, U.S. policy makers need to draft legislation that is uniform and legally enforceable.
In the meantime, European legislators are proposing a new data protection law that would require U.S. companies like Google and Facebook to embed data privacy standards in their products and Internet services before being able to sell them in the European market.
The new rules, which are being negotiated in the European Parliament, could include stricter requirements around the processing of personal data, which could involve re-engineering data collection processes and applications, according to one U.K. data privacy expert.
Forrester forecasts more corporate regulatory failures in 2015
A new report by Forrester Research predicts that in 2015 there will be more corporate failures to address regulatory enforcement and customer-facing risks than in 2014. The report predicts that these failures will lead to losses that could amount to $20 billion.
Sizable regulatory settlements by top banks such as Bank of America ($16.7 billion), Citigroup ($7 billion) and JPMorgan Chase ($13 billion) were among the grievous “corporate mistakes” the report cited. It also pointed to failures by companies like Borders and RadioShack to keep up with digital and consumer technology trends, both of which Forrester said”violate customer trust or fail to meet changing customer expectations.” One of the reasons these corporate blunders keep getting worse, according to Forrester, is because of a gap between many of these companies’ customer-centric business strategies and the risks associated with them.
The firm advises companies to review their current risk registers and incorporate language on how relevant risks will impact customers. Companies not only need to understand these risks — which include privacy breaches, payment fraud and product failures — but also make mitigation plans a high priority and collaborate with marketing to mitigate customer-facing exposure to these risks, Forrester recommends. The report also urges companies to continuously monitor the software market for opportunities to improve how they implement GRC platforms.