IT Compliance Advisor

June 12, 2015  6:27 PM

Panel offers C-level temperature on security as IoT gains steam

By Ben Cole

(This blog post was written by Aislyn Fredsall, an editorial assistant for the TechTarget CIO media group through Northeastern University’s co-op program.)

Is security no longer a major concern for the Internet of Things? Judging from an IoT panel discussion during the 2015 MIT Sloan CIO Symposium, this statement might not be as outlandish as it sounds.

The panel, titled “The Internet of Things: Challenges for a Connected World,” focused on some of the issues facing IoT, including the development of IoT technology and the obstacles of introducing it in the enterprise. Unsurprisingly, security was also among the problems discussed.

“Security’s huge and just like the rest of IT, no one is investing enough in it,” said Michael Chui, a partner of the McKinsey Global Institute and former CIO of the City of Bloomington, Ind. “IoT both increases the attack surface, or creates more vectors, [and] increases the consequences of a breach.”

But besides a few superficial references, the discourse did not actually focus on security until members of the audience specifically asked about it. It is possible that the panel planned to talk about IoT security and just did not get to it within the allotted time, but the fact that security was not a priority discussion topic is telling.

While no one would argue that security is no longer a problem at all for IoT, maybe it is not as big of an issue as it once was.

Fellow panelist Richard Soley, executive director of the Industrial Internet Consortium, placed importance on IoT security when he described how “one of the first two groups created” for the Industrial Internet Consortium was “focused on creating security use cases and applying those security use cases to all the test beds that we develop.”

However, Soley also downplayed how much progress is still needed regarding IoT security by suggesting that it is a problem that can never completely be solved. He voiced this sentiment with his mantra of “it’s going to happen” concerning security breaches.

“First of all, we need to preface any answer [about IoT security] with: It’s going to happen,” he said. “It doesn’t make sense to say we’re not going to do this because of increasing attack surface. It’s going to happen.”

Soley made it clear that breaches are inevitable but that this is not a reason to avoid or postpone adopting IoT technology. In fact, the inevitability should be embraced with IoT adoption.

“The point is we’re going to take advantage of Internet technology because it’s cheap and because we have ubiquitous connectivity,” Soley said. “If we’re going to provide any kind of data privacy we’re going to have to solve the security issues, but you’re never going to get them 100% [solved] and you shouldn’t expect to get them 100% because we don’t have it in the physical world either.”

At least for Soley, it seems that security was not discussed more during the panel because there was nothing new to say on the topic. Enterprises don’t need to develop new security innovations to confront the problems they’re facing with IoT security; they just need to fully utilize already available technology.

“I think that current security technology is perfectly up to the task; it’s just that most of us don’t bother,” he said.

Aislyn Fredsall is an editorial assistant for the TechTarget CIO media group through Northeastern University’s co-op program. She is currently in her third year at Northeastern, where she studies English.

June 11, 2015  4:51 PM

U.S. government breach could have accessed private citizens’ data

By Fran Sales
Apple, Apple iOS, cybersecurity, Data breach, Data privacy, Hack, Safe Harbor

U.S. officials say the recent hack of government computer systems affects 4 million current and former federal employees, but the breach could have impacted private citizens, too. Also in the news: Apple hyped new privacy protections as it updates Siri, while U.S. and EU officials moved closer to Safe Harbor revisions.

Concern for private citizens’ data after U.S. government hack

U.S. officials announced last week that hackers breached the computer system of the Office of Personnel Management (OPM) in December 2014, compromising the personal information of about 4 million current and former federal employees. The intrusion is the largest known U.S. federal data breach in recent years, according to The Washington Post.

The U.S. government suspects that the breach was sponsored by the Chinese government, but China has denied its involvement. The hackers’ goal was to use the stolen personal data to recruit spies, access weapon plans and obtain other confidential information.

Sources told ABC News that federal investigators are now looking into whether the hack affected more than just the reported 4 million former and current employees, including private citizens who have never worked for the U.S. government.

At the G7 Summit in Germany earlier this week, President Barack Obama said that his administration will strengthen the nation’s cyberdefenses in the wake of the breach. “In the case of state actors, they’re probing for intelligence or in some cases trying to bring down systems in pursuit of their various foreign policy objectives,” he said at a news conference at the summit. He also encouraged Congress to pass cybersecurity legislation.

Apple updates Siri, extols user privacy

At Apple’s Worldwide Developers Conference (WWDC) earlier this week, the company unveiled new “Siri” personal assistant features, including capabilities to scour through emails, correlate contacts and extract contextual data from private texts.

Despite how reliant these services are on user data, Apple VP of software engineering Craig Federighi stressed that the company keeps culled data as anonymous as possible and does not share it with third parties. He also said that Apple isolates that data to the user’s device, and that all the information stays under the user’s control.

“All of this is done on-device and it stays on-device under your control. We don’t mine your email, your photos or your contacts,” Federighi said during a speech at the WWDC. He also underscored that Apple has never used search queries to mine personal emails or photos, or to build user profiles.

U.S., EU officials move forward on Safe Harbor revisions

After allegations surfaced that American companies were spying on European citizens, U.S. and European Union officials announced they are finally closing in on updating the Safe Harbor agreement, according to The Wall Street Journal. Safe Harbor is a 15-year-old pact that regulates the way that U.S. companies export and handle European citizens’ personal data.

European officials are giving the U.S. another month to reach an accord on reforming the pact. EU Justice Commissioner Vera Jourova told the WSJ that disagreements remain between the two sides, particularly around the extent of how U.S. security authorities are legally allowed to access consumer data collected by U.S. companies.

June 5, 2015  5:11 PM

Data as currency: Balancing risk vs. reward

By Ben Cole
Compliance, Data-security, Information governance

(This blog post was written by Jeff Whited, senior manager of education development at ARMA International.)

By leveraging big data as an asset, organizations are tapping new business efficiencies and revenue streams. Credit card companies, for instance, sell data on customers’ buying habits. Healthcare systems aggregate data on treatment regimens and outcomes in an effort to trim costs. Urban planners and other constituencies use government information to advance their goals.

But organizations that allow their data stores to grow into “big data” — which Gartner Inc. defines as “high-volume, high-velocity and high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making” — must be vigilant in protecting that data against the privacy concerns of customers, patients and the public at large.

Every few months the headlines scream about a massive data breach — the Home Depot, Target, Anthem and Sony incidents come easily to mind. While it’s tough to account for the reputational damage of such breaches, the actual dollar costs are often graspable. According to an October 2014 article by Brian Nichols of The Motley Fool, Target’s stock fell 7.5% in the first year after the breach was made public. In the first six months, Target’s costs related directly to the security breach hit $378 million.

By retaining vast quantities of data — including so-called dark data, which Gartner defines as “information assets that organizations collect, process and store in the course of their regular business activity, but generally fail to use for other purposes” — organizations are increasing the opportunities for personally identifiable information (PII) to be exposed.

So, it becomes a matter of balancing the risk of retaining big data vs. the reward of monetizing it.

According to the Nichols article, Target has spent at least $100 million to protect itself from future attacks by investing in a new technology infrastructure with enhanced security measures.

Such a step is reasonable, of course. But the best tools and technologies are worth little if they’re not part of a carefully planned initiative. The smartest way to address these security issues is to implement an enterprise-wide information governance (IG) program that is aligned with the organization’s mission, goals and culture. Such a strategic initiative brings together senior stakeholders to make sure the organization’s data is governed in a manner that increases business efficiencies and complies with all laws and regulations.

At the heart of good IG is good recordkeeping, and therefore the senior records manager must be a key player in the IG initiative. Also vital to the program are compliance officers to help ensure the recordkeeping practices are satisfying the demands of such laws as Sarbanes-Oxley for the financial industry and the Health Insurance Portability and Accountability Act; IT executives to provide the right tools and to help effect proper protection policies; legal counsel to help assure the defensibility of the program; and senior managers from the business units to provide realistic guidance on how the information is created and used.

Organizations wishing to monetize their big data should work to mitigate the security risks by implementing an IG program that treats records as the strategic assets they really are. Such a program will help identify gaps in the business processes, minimize legal and compliance risk, and potentially save enormous sums of money in discovery and litigation.

Jeff Whited is senior manager of education development at ARMA International, a not-for-profit professional association and authority on governing information as a strategic asset.

May 28, 2015  1:31 PM

Wall Street, small banks still plagued by regulatory compliance enforcement

By Fran Sales
Banking industry, Chief Compliance Officer, Compliance, Dodd-Frank, Financial fraud, Financial industry, Financial regulations, grc, regulatory compliance

If recent headlines are any indication, Wall Street banks and other financial institutions continue to garner poor marks when it comes to regulatory compliance: Earlier this month, several major global banks pleaded guilty to federal accusations regarding the rigging of foreign exchange rates. Also in recent GRC news: Finance professionals believe unethical behavior persists in Wall Street, and foreign companies don’t view the chief compliance officer role as important.

Five large global banks charged with foreign currency manipulation

Last week, four major global banks pleaded guilty to U.S. Department of Justice charges of conspiring to manipulate foreign exchange rates. Traders at Barclays, Citigroup, JPMorgan Chase and the Royal Bank of Scotland created online chat rooms to collude over the price-fixing scheme that took place from at least 2007 to 2013.

Another large bank, UBS, was also accused of manipulating foreign currencies. Although it was not criminally charged for the wrongdoing, the bank’s nonprosecution agreement stemming from a previous manipulation of a financial benchmark was voided.

The five banks agreed to pay $5.6 billion in penalties.

The lack of government oversight, combined with pressure to wrest profits out of a market that is generally less profitable than others, laid the framework for this scheme, reported The New York Times. In the wake of the 2008 financial crisis, Congress passed rules to better regulate Wall Street trading operations, but the Treasury Department exempted parts of the foreign market from these new rules, according to NYT.

The regulatory divide has begun to narrow in the aftermath of the rigging scandal, with financial regulators monitoring currency trading at higher levels than other fixed businesses, NYT reported.

Community banks face more enforcement actions

The number of enforcement actions against banks and credit unions rose 30% from Q4 of 2014 to Q1 of 2015, according to the Banking Compliance Index from compliance services provider Continuity. Sixty percent of these actions were taken against institutions with assets of $250 million or less, almost 20% more than in the previous quarter.

This increase in regulatory oversight is due to two factors, reported The Wall Street Journal: more Dodd-Frank rules coming into effect, and greater emphasis on Basel III anti-money laundering violations. Pam Perdue, Continuity’s executive vice president of regulatory operations, told WSJ that a lack of familiarity with Dodd-Frank rule changes, coupled with external pressures to stay competitive, are causing these small banks to cut corners, particularly in compliance.

Survey: Unethical culture persists in Wall Street

Despite new regulations such as Dodd-Frank and increased regulatory scrutiny of Wall Street firms, a recent study has found that many financial professionals in the U.S. and U.K. believe unethical behavior and wrongdoing persist in the workplace.

A survey conducted by law firm Labaton Sucharow LLP found that about 47% of the 1,200 respondents think it is likely that their competitors have engaged in illegal or unethical activity to gain a competitive edge, a 39% jump from 2012. Over one-third of survey respondents who make at least $500,000 annually reported witnessing, or knowing firsthand about, wrongdoing in the workplace.

The following are some of the more worrying findings: About one in five respondents believe they must at least sometimes engage in illegal or unethical activity to be successful; 32% believe the existing compensation structures and bonus plans at their companies impel employees to “compromise ethics or violate the law”; and one-third of respondents think that the financial industry hasn’t improved since the 2008 financial crisis.

The report’s findings should be taken with caution, said Andrew Ross Sorkin of The New York Times, because Labaton Sucharow often represents whistleblowers in cases against financial institutions. Still, Sorkin pointed to concerns that were also voiced by William C. Dudley, the president of the Federal Reserve Bank of New York, in a speech last year: “The pattern of bad behavior did not end with the financial crisis, but continued despite the considerable public sector intervention that was necessary to stabilize the financial system.”

One big problem, said Sorkin, is that not many people who work in finance are willing to report bad actors, despite the whistleblower program developed by the Securities and Exchange Commission.

Large foreign companies forgo chief compliance officer

Although large U.S. companies and U.S. regulators both view the chief compliance officer (CCO) role as highly important, some large foreign companies don’t see the need for the position, WSJ reports. These foreign companies include Italian oil and gas company Eni S.p.A., Russian energy company OAO Gazprom and Japanese car manufacturer Toyota Motor Corp. Instead, Toyota and Eni have committees that handle compliance, and Gazprom distributes its internal compliance function among multiple divisions that report to various top managers.

Governance experts strongly advise companies to have a single individual overseeing compliance operations, according to WSJ, and some believe lacking a CCO makes companies vulnerable to more risk. Others disagreed, saying a coherent compliance program is what matters.

May 6, 2015  4:44 PM

SEC calls for more executive pay transparency; proposed law could allow hacked firms to keep mum

By Fran Sales
Cell phones, CIO, Compliance, Customer data, Data breach disclosure, Data breach notification laws, Data privacy, Dodd-Frank, FBI, gps, Hacking, SEC, tracking

The Securities and Exchange Commission (SEC) is pushing to provide U.S. shareholders with better metrics to compare executive pay against company performance. In other GRC headlines from recent weeks: A new law moving through Congress could allow breached companies to keep intrusions under wraps; and the U.S. Justice Department plans to reveal details about secret phone tracking.

SEC votes on rules comparing executive pay and company performance

The SEC wants to give U.S. company shareholders more information on executive pay and company performance. The regulatory agency last week proposed new rules that would require companies to disclose the relationship between how their top executives are compensated and the companies’ financial returns. The rules, which would put into practice a requirement outlined in The Dodd-Frank Act, aim to provide greater transparency to the public and a better gauge for shareholders to compare pay and performance, according to the SEC’s press announcement.

The rules would also require companies to standardize how they report this information in their publicly filed annual proxy statements so that shareholders can better compare performance across various industries.

Some lawyers and compensation experts, however, view the new rules as unnecessary, reported The New York Times. Critics say that many corporations, especially banks, already compare executive compensation with performance in their proxy statements. Some also claim that the proposed rules intend to shame companies and their executives. “The real purpose of these rules was to embarrass corporate America,” Alan Johnson, managing director of New York consulting firm Johnson Associates, told the NYT.

Proposed law would let firms keep breaches under wraps

Proposals moving through both chambers of Congress would allow companies that have experienced a consumer data breach to withhold notifying customers if they believe that there’s no risk the breach would lead to serious identity theft or fraud. If there’s a reasonable chance a system intrusion could harm customers, however, companies will be required to quickly notify them.

If passed, the legislation would overrule existing state laws on notification, many of which require companies to inform customers of any unauthorized access of their personal data, according to The Wall Street Journal.

“Too much notification undercuts the value of useful notification,” a spokesman for Rep. Marsha Blackburn, a sponsor for one of the proposals, told the WSJ. The bill focuses on “what impacts consumers most, and that is identity theft and payment fraud,” the spokesman added.

This proposal comes at the heels of another bill making the rounds in Congress that has some privacy advocates up in arms. Last month, the House voted to pass cybersecurity legislation that would legally protect companies that share threat intelligence with the U.S. government.

U.S. Justice Department to divulge more on secret cellphone tracking

The U.S. Justice Department is pushing for more transparency over how secret cellphone tracking services are used. Justice officials told the WSJ that they have launched a review of how government agencies are deploying these technologies, which search for criminal suspects based on their cellphone location.

According to the WSJ, the FBI has been using the tracking devices for years without warrants. In recent months, they’ve started obtaining search warrants from judges to use the devices.

The announcement arrives in the midst of controversy over the Justice Department’s own use of such technology. For instance, some tracking devices are deployed in airplanes to scan the phones of thousands of U.S. citizens who aren’t targets of investigations, the WSJ reported last year. Furthermore, there were many occurrences in which law enforcement agencies within the Justice Department, such as the FBI and the Drug Enforcement Agency, did not obtain warrants before using these devices, according to the WSJ.

April 22, 2015  4:30 PM

Lawmakers race to pass cybersecurity bill; NSA wants front door into encrypted devices

By Fran Sales
cybersecurity, Cybersecurity legislation, Data Encryption, Hackers, Health IT, Mobile encryption, NSA, NSA Data Collection

Much to the chagrin of privacy advocates, U.S. legislators have been pushing to pass a bill to improve cyberthreat intelligence sharing before discussing National Security Agency (NSA) surveillance reforms. In other recent news: Privacy proponents are also up in arms about an NSA proposal that would force tech companies to allow government access to encrypted consumer devices; and security experts warn about the increasing number of medical data thefts in recent years.

U.S. Congress hastens to pass cybersecurity bill ahead of NSA reform debate

U.S. lawmakers are rushing to pass a major cybersecurity bill before beginning the debate over reforming the National Security Agency’s surveillance programs. The NSA programs must be reauthorized by June 1. Backers of the security bill, which strives to improve companies’ cyberthreat information sharing with the government, insist that it is a separate issue from NSA surveillance. Privacy advocates, however, worry that the cybersecurity bill will allow the NSA to further collect American citizens’ sensitive data.

The cybersecurity bill is a joint effort between both the House of Representatives’ and the Senate’s intelligence committees, and appears to have garnered approval from Republicans, Democrats and the White House, The Hill reports. The Obama administration stated recently that it considers cybercrime a national emergency, and that information sharing programs are a major part of its cyberdefense strategy, according to The Wall Street Journal.

The House Intelligence Committee’s bill prohibits cyberthreat intelligence from going directly to the NSA, but privacy groups want NSA surveillance programs to be reformed before cybersecurity legislation passes to give the government more access to data, according to The Hill.

NSA director seeks front door access to encrypted devices

The debate over whether the U.S. government should have guaranteed access to encrypted data on U.S. consumer devices has reached another impasse. Adm. Michael S. Rogers, director of the NSA, is offering a “technical solution” to the problem, reported The Washington Post: legally requiring technology companies to create a digital key that can open any locked device to access the data inside, but splitting the key into pieces among multiple agencies so that not one entity could use it.

“I don’t want a back door. I want a front door. And I want the front door to have multiple locks,” Rogers said in a recent speech at Princeton University, where he outlined the proposal.

Law enforcement and intelligence officials who support the proposal warn that the growing use of data and device encryption could seriously obstruct criminal and national security investigations.

Members of the technology industry and privacy advocates, however, argue that granting government and law enforcement access to people’s private communications threatens their Constitutional right to free speech. Security experts also believe that the split-key approach creates weaknesses that hackers and foreign intelligence agencies can try to exploit. Opponents of the NSA’s proposal also argue that the scope of encryption technology usage has exceeded the reach of government control, according to the Post.
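The “front door with multiple locks” Rogers describes is a threshold scheme: a key is split into shares held by separate parties, and only a quorum of shares can reconstruct it. The following is an added illustration, not code from the original post or from any agency proposal, of the standard construction for this (Shamir’s secret sharing over a prime field). The field prime, the 2-of-3 parameters and the `rng` hook for deterministic testing are assumptions made for the example. It shows what the split buys (any two of three shares rebuild the key) and what it does not address: reconstruction still yields a single key in one place, which is the weakness the experts quoted above are pointing at.

```python
"""Threshold key splitting (Shamir's secret sharing), an added illustration."""
import secrets

# Constructed parameter: a 127-bit Mersenne prime, large enough to hold a 16-byte key.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, shares, rng=secrets.randbelow):
    """Split `secret` into `shares` points on a random polynomial of degree threshold-1.

    The secret is the constant term; the other coefficients come from `rng`
    (cryptographically random by default; the parameter exists so tests can be
    deterministic). Returns a list of (x, y) share tuples with x = 1..shares.
    """
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a non-negative integer below PRIME")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    coeffs = [secret] + [rng(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(points):
    """Lagrange interpolation at x = 0 over the field.

    With at least `threshold` distinct shares this returns the secret exactly.
    With fewer, it interpolates a lower-degree polynomial and returns a value
    unrelated to the secret: the scheme is information-theoretically hiding
    below the threshold, which is the property the proposal relies on.
    """
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def demo():
    """Split a constructed 128-bit key 2-of-3 and show which subsets recover it."""
    key = int.from_bytes(secrets.token_bytes(16), "big") % PRIME
    shares = split_secret(key, threshold=2, shares=3)
    two_of_three = recover_secret(shares[:2]) == key and recover_secret(shares[1:]) == key
    one_alone = recover_secret(shares[:1]) == key  # equals key only with negligible probability
    return {"quorum_recovers": two_of_three, "single_share_recovers": one_alone}


if __name__ == "__main__":
    print(demo())
```

Note that `recover_secret` reassembles the full key in the memory of whoever runs it; a threshold split limits who can start that process, not what happens once the quorum has acted.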

Medical data theft on the rise

The growth in the number of digital medical records has led to an increase in the theft of those records, industry experts say. This type of theft has also evolved, according to Dwayne Melancon, CTO of software company TripWire: Hackers previously stole payment card and bank information inside medical records, but now they target personal information, he told Marketplace.

Unlike payment card theft, victims of medical data theft often don’t find out that their data is for sale to the highest bidder until after a year or more has passed, healthcare information security expert Bernard Peter Robichau told Marketplace.

There’s also the risk that this stolen medical data could end up on predictive consumer scores. These scores use data collected by devices and apps to predict individuals’ likelihood to spend on healthcare, to commit fraud, to adhere to medication prescriptions and other data points highly sought after by many companies, reported Marketplace.

April 8, 2015  1:43 PM

New U.S. sanctions target foreign hackers; Facebook battles EU over privacy

By Fran Sales
Banking industry, CIO, Compliance, Cyberattacks, Data privacy, Data protection, European Data Protection legislation, Facebook, grc, risk

Following the recent streak of high-profile cyberattacks on U.S. companies, the Obama administration last week unveiled a program that would impose sanctions on individuals or groups overseas that are potential sources of cyberthreats. Also in the news: Facebook’s privacy practices face growing scrutiny in Europe; banks shed high-risk customers to avoid penalties; and more.

U.S. sanctions program aims at foreign cyberattackers

President Barack Obama last week issued an executive order that deems destructive cyberattacks a “national emergency” and allows the U.S. Treasury Department to freeze the assets and bar the financial transactions of individuals and groups that engage in such activities. The sanctions target entities outside the United States who threaten its national security, foreign policy and economy through malicious cyberactivities, according to the executive order.

The program grants the administration use of the same penalties it applies on other threats, such as the crises in the Middle East and Ukraine, Reuters reported. According to a report from Reuters, security and legal experts consider the move a promising step in light of the persistent string of attacks on U.S. computer networks. However, expert Mark Rasch, former Justice Department trial attorney, said that the breadth of power the program gives the executive branch could result in a “compliance nightmare for companies.” Additionally, security experts cited the difficulty of identifying hackers responsible for these attacks.

Facebook faces mounting heat from the EU over privacy

Facebook is facing mounting probes into its privacy practices from various European authorities, reported The Wall Street Journal. In recent weeks, data privacy regulators from France, Italy and Spain have joined a group of regulators from Belgium, Germany and the Netherlands that is investigating the social networking giant’s data handling practices. The group is looking into how Facebook is integrating data from its various services, including Instagram and WhatsApp, to target advertising, as well as how the company is tracking users’ browsing habits through its “like” button.

Typically, Facebook’s privacy compliance in Europe falls under the purview of the data protection authority in Ireland, where the company’s European headquarters is located. However, in advance of impending changes to the EU’s data protection regulations, European regulators from other countries have increasingly been taking on big U.S. technology companies in addition to Facebook, including Amazon, Apple and Google, according to WSJ.

Some of the regulators launching the probes say that the “right to be forgotten” ruling, made by the European Court of Justice (the top court in the EU) last year, is a precedent that justifies their right to investigate Facebook. Others, such as the Information Commissioner’s Office in the U.K., which hasn’t joined the effort, say they recognize the role of the Irish data protection regulator over Facebook’s privacy compliance in Europe.

Regulators tell banks to rein in widespread closures of risky accounts

Banks are closing down the accounts of high-risk customers in response to a record number of penalties imposed by U.S. regulators in recent years regarding inadequate risk controls, according to The Wall Street Journal’s Risk & Compliance blog. Moreover, some U.S. authorities have previously urged banks to stop transacting with certain customers. Now, regulators are growing concerned that the entire lines of business these banks are cutting off are turning to less regulated or underground institutions, particularly in the areas of money-transfer services and foreign-correspondent banking.

Officials ranging from Comptroller of the Currency Tom Curry to Adam Szubin, the U.S. Treasury Department’s acting undersecretary for terrorism and financial intelligence, are now advising banks to be more discerning when they decide to end, or decline, a customer relationship because it is considered high risk for money laundering.

It’s doubtful that regulators’ shift in tone will prompt these banks to immediately reverse their decision regarding whole categories of high-risk customers, some experts told WSJ. One reason is the vagueness of recent guidelines around risk controls; another reason, according to Rich Riese, senior vice president of the American Bankers Association’s Center for Regulatory Compliance, is that banks are unlikely to take back the high-risk customers they’ve recently shed.

U.S. Justice Department deems HSBC slow on compliance changes

British multinational bank HSBC, which in 2012 was charged with laundering money on behalf of Mexican cartels and transferring money for nations blacklisted by the U.S., such as Iran and Sudan, has been slow in meeting the requirements of its $1.9 billion deferred-prosecution agreement (DPA), according to a court filing made by federal prosecutors as part of a quarterly update on the bank’s progress.

In the filing, which summarizes the findings of Michael Cherkasky, the independent monitor who has been following HSBC’s progress for over a year, the U.S. Justice Department commends HSBC’s progress in areas such as risk assessment and compliance monitoring and testing; however, it also highlighted two areas in which the bank has been “too slow” with its progress and must do more: its corporate culture and its compliance technology.

According to the filing, the bank’s overhaul was initially met with resistance, pointing to pushback from the managers at HSBC’s U.S. unit for global banking and markets, which resulted in an internal audit report that the filing said was “more favorable to the business than it would otherwise have been,” The New York Times reported.

The filing also docks the bank’s technology systems as needing further improvement, saying it continues to “suffer from fragmentation and lack of connectivity.” These weaknesses, the filing said, could sacrifice the quality of customer data collected and analyzed by the bank. They also inhibit auditors’ view into customers’ banking history to look into potentially suspicious activity, the filing said.

March 26, 2015  1:36 PM

FBI takes a step toward broader hacking authority; most companies fail PCI compliance tests

Fran Sales
Compliance, Compliance Assessment, Cybersecurity legislation, Data privacy, FBI, NSA, online privacy, PCI compliance, PCI DSS, Privacy Protection

The FBI’s quest to expand its hacking authority moved forward last week: A judicial advisory panel approved a rule change regarding how flexible judges can be in granting search warrants outside the bounds of their geographical jurisdiction. Also in the news recently: The Pentagon launched a research program to protect personal data while making it available to third parties to analyze; a report finds most companies fall short of PCI DSS compliance; and a House of Representatives security committee unveils a major cyber bill.

U.S. Justice Department approves rule change that could broaden FBI’s hacking authority

A judicial advisory committee voted to approve a rule change last week that would grant federal judges more leeway in how they approve search warrants for electronic records, according to the Justice Department. The panel voted to modify Rule 41, which currently allows judges to approve search warrants but limits the warrants to material that is physically located within their judicial district. Under the proposed modification, judges would be allowed to grant search warrants for data in computers located either outside their district or in unknown locations. The committee’s vote is only the first of several steps to passing the proposal; the Supreme Court has until May 1, 2016 to review and accept the change, and then Congress would have another seven months to reject, modify or defer the amendment.

The U.S. government defended the rule change, saying that the provision needed to be updated to keep up with today’s digital realities. According to National Journal, expanding its powers would allow the FBI to more easily penetrate computer networks to install tracking software and monitor suspected criminals.

Various privacy advocacy and technology groups, however, have spoken out against the proposed rule change. The American Civil Liberties Union, Google and others warn that the change amounts to a significant rewriting of the provision that could threaten constitutional protections as well as the sovereignty of foreign countries.

Pentagon rolls out new research program to protect personal data online

The Defense Advanced Research Projects Agency (DARPA), the Pentagon’s high-tech research agency, is launching a new program that aims to protect the personal data Americans knowingly provide to companies, health care providers and the government while also making that data accessible to those third parties for analysis. The program, called Brandeis, aims to “restructure our relationship with data by shifting the mechanisms for data protection to the data owner rather than the data user,” according to a document published by DARPA. The agency will spend four and a half years on the program.

Brandeis will look at four major research areas. The first, privacy-preserving computation, aims to broaden the range of practical privacy-preserving data mining techniques so that personal data can be both protected and shared on a larger scale, as USA Today outlined. The second area, human-data interaction, will focus on developing technologies that help data owners make choices about how their information is used. The third research area, experimental systems, will provide platforms to test the success of the privacy-preserving computation and human-data interaction work. Lastly, Brandeis will focus on metrics and analysis to enable systems to determine exactly how private the data is; one way to determine this is by quantifying the privacy tax, which refers to “the increase in computational time, memory and storage requirements against the degradation of accuracy of results for any given level of privacy,” according to the DARPA document.

Report finds majority of companies fail PCI compliance tests

Eighty percent of companies fail interim assessments for compliance with the Payment Card Industry Data Security Standard (PCI DSS), according to a report released by Verizon Communications earlier this month. Verizon’s forensics team discovered that of all the data breaches it investigated over the last 10 years, not one company was compliant with all 12 requirements of PCI DSS at the time each breach occurred.

Still, compliance is up overall, rising in every PCI requirement area between 2013 and 2014, except for Requirement 11 (testing security systems), which had the lowest compliance. Additionally, almost twice as many companies were found compliant at interim assessment in 2014 versus 2013 (20% vs. 11.1%); however, the report warns that this is not necessarily good news because of the large percentage of companies that still fail. Plus, sustainability is low: The study found that less than a third of companies were still fully compliant within a year of validation.

The Verizon report also offers guidance on how companies can sustain PCI compliance and improve data security, including fully integrating compliance into their larger governance, risk and compliance strategies, as well as implementing network segmentation and data masking, according to the Wall Street Journal.
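The data masking guidance above is easy to state and easy to get wrong in practice: card numbers leak into application logs, and a reviewer has no cheap way to find them. The following Python is an added illustration, not code from the Verizon report or from this page. It scans constructed log lines for primary account numbers (PANs), uses the Luhn checksum (an assumption about card-number format, not something the page states) to separate real PANs from look-alike order ids, and masks them to the first six and last four digits, the display limit set by PCI DSS requirement 3.3, which is not cited on the page.

```python
import re
from typing import List, Tuple

# Runs of 13-19 digits, optionally separated by single spaces or dashes (constructed pattern).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS 3.3 display limit); mask the rest."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str) -> Tuple[str, int]:
    """Replace every Luhn-valid PAN in a log line with its masked form; return (line, count)."""
    count = 0

    def _sub(m: "re.Match") -> str:
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # a number that merely looks like a PAN is left alone
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_sub, line), count


def scan_logs(lines: List[str]) -> List[int]:
    """Return indices of lines carrying an unmasked, Luhn-valid PAN (each one is a PCI finding)."""
    return [i for i, line in enumerate(lines) if redact_line(line)[1] > 0]


# Constructed sample log lines; the PANs are the well-known test number 4111..., not real cards.
LOGS = [
    "2015-03-26 12:00:01 checkout ok pan=4111111111111111 amount=19.99",
    "2015-03-26 12:00:02 refund pan=4111 1111 1111 1111 amount=5.00",
    "2015-03-26 12:00:03 order id=1234567890123456 status=shipped",
]

if __name__ == "__main__":
    print("lines with unmasked PANs:", scan_logs(LOGS))
    for line in LOGS:
        print(redact_line(line)[0])
```

The Luhn check is what keeps this from flagging every 16-digit order id, but it is only a filter, not proof: a masked log should still be treated as in scope for PCI DSS until the scanner reports no findings over a full retention window, and the masking belongs at the point where the log is written, not in a cleanup job run afterwards.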

House security panel releases cybersharing bill

The Homeland Security Committee in the House of Representatives last week released a bill that would provide legal liability protections to companies that share cyberthreat information with the Department of Homeland Security (DHS). The measure, called the National Cybersecurity Protection Advancement Act, designates the DHS as the “primary interface” for any intelligence sharing between private companies and public agencies, opening the possibility of exchanges with the likes of the National Security Agency (NSA) or the Treasury Department, while not explicitly authorizing them, reported The Hill. The bill also permits sharing among government agencies.

According to The Hill, the committee’s former staff director, Alex Manning, said the language of the bill has been changed from previous iterations to reflect a stronger stance on privacy in order to appease privacy advocates. These changes include specific guidelines on how the DHS privacy office will monitor the sharing program, as well as bolstered sections requiring companies to redact personal information from the data before sharing it with the government.

While the American Civil Liberties Union backed a version of the bill last year, some privacy advocates may still have objections regarding certain gaps in the current version, such as the possibility of sharing within the government or with the NSA, The Hill speculated.

March 11, 2015  5:51 PM

Will weak incentives for security investment force regulatory intervention?

Fran Sales
CIO, Compliance, Consumer data, cybersecurity, Data breach, Data privacy, Data protection, Forrester, FTC, Governance, grc, GRC strategy, Information security, personal data, Risk assessment, Risk management

Data breaches have been intensifying in recent years, but security expert Benjamin Dean argues that many companies still lack motivation to invest in more robust information security. Also in headlines from the past few weeks: The U.S. and European governments set their sights on data processing and consumer privacy; and Forrester Research predicts that a stricter governance, risk and compliance (GRC) environment will result in more regulatory failures for companies.

Companies lack incentives for stronger cybersecurity

Despite numerous high-profile cyberattacks, there is little motivation for companies to invest in better information security, according to Benjamin Dean, a Fellow for Internet Governance and Cybersecurity at Columbia University’s School of International and Public Affairs.

Dean examined the net expenses that Sony Pictures, Target and Home Depot incurred in response to recent data breaches, taking insurance reimbursements and tax deductions into account. In the case of Sony, Dean also factored in investigation and remediation costs. Dean found that these breach-related expenses amounted to 0.9%, 0.1% and 0.01%, respectively, of the companies’ total 2014 revenue. Investments in cybersecurity are also slight even among financial institutions like JPMorgan Chase that rely heavily on robust information security, he said.

Dean attributes these companies’ failure to adequately invest in information security to “moral hazard,” or when one person or organization takes greater risks because others bear the brunt and costs of these risks. For instance, credit and debit card providers sustained most of the costs related to the Home Depot breach, spending some $60 million replacing customer cards in September 2014 alone.

Moral hazard, combined with insurance reimbursements and tax deductions, weakens companies’ incentives to make large cybersecurity investments, Dean argues. As a result, greater government intervention is needed, he said. While there are currently policy proposals that address data breach protection, most of them don’t focus on moral hazard or on providing incentives to these companies. Instead, these proposals focus on information sharing with intelligence agencies, something Dean and other infosec experts contend will not significantly reduce breaches.

U.S., European governments target consumer data processing

The Obama administration released draft legislation in late February that would give consumers greater control of how their personal information is collected and used by companies. The proposed bill aims to fill the gaps among already existing federal laws that address how consumer information is used, including the Fair Credit Reporting Act and the Video Privacy Protection Act.

The legislation will allow industries to create their own codes of conduct on how to handle consumer data. The Federal Trade Commission will enforce the bill by making sure these codes fulfill the baseline data-processing requirements of the bill, such as furnishing consumers with notices about how their personal information will be collected, used and shared.

The draft has already encountered opposition from privacy rights advocates, who say it does not go far enough to protect consumers and gives companies too much latitude. One of these advocates, Sen. Edward J. Markey, argues that instead of these industries developing varying codes of conduct, U.S. policy makers need to draft legislation that is uniform and legally enforceable.

In the meantime, European legislators are proposing a new data protection law that would require U.S. companies like Google and Facebook to embed data privacy standards in their products and Internet services before being able to sell them in the European market.

The new rules, which are being negotiated in the European Parliament, could include stricter requirements around the processing of personal data, which could involve re-engineering data collection processes and applications, according to one U.K. data privacy expert.

Forrester forecasts more corporate regulatory failures in 2015

A new report by Forrester Research predicts that in 2015 there will be more corporate failures to address regulatory enforcement and customer-facing risks than in 2014. The report predicts that these failures will lead to losses that could amount to $20 billion.

Sizable regulatory settlements by top banks such as Bank of America ($16.7 billion), Citigroup ($7 billion) and JPMorgan Chase ($13 billion) were among the grievous “corporate mistakes” the report cited. It also pointed to failures by companies like Borders and RadioShack to keep up with digital and consumer technology trends, both of which Forrester said “violate customer trust or fail to meet changing customer expectations.” One of the reasons these corporate blunders keep getting worse, according to Forrester, is a gap between many of these companies’ customer-centric business strategies and the risks associated with them.

The firm advises companies to review their current risk registers and incorporate language on how relevant risks will impact customers. Companies not only need to understand these risks — which include privacy breaches, payment fraud and product failures — but also make mitigation plans a high priority and collaborate with marketing to mitigate customer-facing exposure to these risks, Forrester recommends. The report also urges companies to continuously monitor the software market for opportunities to improve how they implement GRC platforms.

February 26, 2015  3:28 PM

AT&T’s high-speed service comes with a privacy fee; Google bows to privacy spot checks

Fran Sales
AT&T, Data privacy, Data-security, Encryption, Fiber optic networking, Google, samsung, Smart machines

AT&T has begun rolling out a fiber-optic Internet service that furnishes customers with high-speed access, but they must pay an extra monthly charge if they want to keep their browsing habits private. In other data privacy news, Google accepted the terms of an agreement drawn up by an Italian data privacy regulator, and U.K. security experts found that older Samsung smart TVs don’t encrypt voice-related data.

AT&T charges privacy fee for fiber-optic Internet service

AT&T’s fiber-optic Internet service, called GigaPower, touts access speeds of up to 1 gigabyte per second, but it comes with a catch: Customers must pay a monthly fee to opt out of being monitored by the company and keep their browsing habits private.

Online monitoring expert Jonathan Mayer told the Wall Street Journal that the service’s privacy option was “troubling” because it allows AT&T to perform relatively wide-ranging user tracking, while customers aren’t necessarily in a position to prevent it. Furthermore, Mayer questioned whether the fee was really a penalty meant to discourage customers from opting out of tracking, particularly because many online companies allow their users to do so free of charge.

An AT&T spokeswoman claimed that this was not the case, however. “We can offer a lower price to customers participating in AT&T Internet Preferences because advertisers will pay us for the opportunity to deliver relevant advertising and offers tailored to our customer’s interests,” she said.

Google agrees to privacy inspections by Italian regulators

Last week, Google accepted the terms of an agreement outlined by a European data privacy regulator that lays out how Google will comply with Italy’s privacy laws. Google agreed to comply with an order to improve its privacy policy, including allowing opt-outs from targeted advertising and revealing how long it keeps user data. The agreement, with which Google will have until Jan. 15, 2016 to comply, includes regular spot checks at the company’s U.S. headquarters to monitor its progress.

The agreement is the latest development in a series of European investigations that began in 2012, when Google released a single privacy policy that encompassed its various services, such as Gmail and YouTube. The EU privacy regulators found the policy to be in violation of European law because it blended together user data collected from across those services to create a fuller profile of users. Those investigations culminated in orders to comply with national privacy laws and fines from Spain and France.

Older Samsung smart TVs do not encrypt voice data

After U.K.-based cybersecurity experts disclosed that some of Samsung’s smart TVs upload users’ voices online without encrypting the data, Samsung told the BBC that it will equip its latest models with data encryption. A software update will also be available for download on previous models.

Samsung’s oversight, according to the experts, makes it easier for hackers to spy on users. The cybersecurity experts made the discovery during their testing of one of Samsung’s older smart TV models. They found that the TVs were uploading audio files of their voice commands in an unencrypted form, along with data about the TVs and their MAC addresses, which could function as an identifier. The transcription of the voice commands, which was sent back to the TVs so their screens could act on the commands, was also unencrypted. According to the experts, the flaw was serious because intercepting those communications could be done over Wi-Fi, or be carried out by Internet service providers, governments and law enforcement.

This news comes on the heels of Samsung announcing an update to its privacy policy earlier this month. The policy’s old language implied that the voice command feature of Samsung smart TVs captured personal or sensitive information and transmitted it to third parties.
