IT Compliance Advisor


February 27, 2012  9:58 PM

Buy-in needed for Consumer Privacy Bill of Rights to have any teeth

Ben Cole Ben Cole Profile: Ben Cole

On the heels of proposed data protection reforms in Europe and the recently unveiled Cybersecurity Act of 2012, President Obama hopped on the bandwagon and last week proposed a Consumer Privacy Bill of Rights to protect personal information online.

Previous online consumer privacy legislation (and many other Internet-related laws, for that matter) have faced much of the same criticism: They either do not do enough to protect online privacy, or when they do it is at the expense of businesses that will spend too much time, money and resources trying to comply with the new rules. The White House promises that its proposal takes into account both sides of the equation by protecting online consumer privacy and economic growth.

The White House’s bill of rights pushes for consumer control over what personal data organizations collect and how they use it; transparency surrounding privacy and security practices; and “reasonable limits” on the personal data that companies collect and retain. In addition, a White House statement accompanying the Consumer Privacy Bill of Rights announcement noted that companies representing the delivery of nearly 90% of online behavioral advertisements — including Google, Yahoo, Microsoft and AOL — have agreed to comply with “Do Not Track” technology.

Buy-in from big names such as these will be essential to any online consumer privacy effort. The New York Times already reported that a mandatory “Do Not Track” mechanism may not stop as much online tracking as some may think. Until hard and fast rules with legal ramifications are implemented surrounding online consumer privacy, it will largely be left up to online businesses to decide how much their customers’ privacy means to them. If consumer privacy concerns are outweighed by the effects on the bottom line? One can only guess which side of the debate they would land.

One other big question surrounding the White House’s Consumer Privacy Bill of Rights proposal is that, well, it’s just a proposal. Congress would have to pass legislation to implement the rules as a law, and this would require time-consuming back and forth to debate the issue. It will be interesting to see what happens if large Internet-based companies realize business will be negatively affected by the new rules and decide to use lobbying influence to fight them. If they do, it’s an easy bet that any new online consumer privacy rules would end up watered down and leave room for more still more targeted rules to be proposed in the future.

February 15, 2012  9:18 PM

Cybersecurity Act of 2012 forges new path but faces old criticism

Ben Cole Ben Cole Profile: Ben Cole

After three years of hearings and negotiations, a group of Senate Committee leaders unveiled the Cybersecurity Act of 2012.

Under the new Cybersecurity Act, the Department of Homeland Security would assess the cyber-related risks and vulnerabilities of “critical infrastructure systems” to determine which should be required to meet a set of risk-based security standards. This would include those systems that, should they be disrupted, would cause mass death, evacuation or major damage to the economy and national security.

The Cybersecurity Act outlines several characteristics that stress it’s a public/private partnership, including:

  • DHS would work with the owners/operators of designated critical infrastructure to develop risk-based performance requirements.
  • The owners of a covered system would themselves determine how best to meet the performance requirements and then verify that they were compliant.
  • The private sector and the federal government would actively share information surrounding threats, incidents, best practices and fixes, “while maintaining civil liberties and privacy.”

The senators were definitely not working in a vacuum — they made a conscious effort to curb criticism that plagued previous online security measures. The senators stressed that the Cybersecurity Act of 2012 “in no way” resembles the Stop Online Piracy Act (SOPA) or the Protect Intellectual Property Act (PIPA), and instead focuses on the “essential services that keep our nation running.” The Senators also omitted emergency authorities for the president, likely because of the backlash around the Internet “kill switch” proposed in an earlier version of the Cybersecurity Act.

But despite efforts to distance it from previous online security legislation, the new Cybersecurity Act is already facing criticism — some of it very familiar.

Opponents — including the Financial Services Roundtable and the U.S. Chamber of Commerce — have decried the act’s provisions and say it would create yet another burdensome, costly regulatory compliance mandate. Others are still concerned about the potential privacy implications the Cybersecurity Act could create — likely a hangover from the lengthy debate surrounding SOPA and PIPA from earlier this year.

So will the Cybersecurity Act of 2012 strike the right balance between protecting data and not hurt the companies it’s designed to help? The debate will begin in earnest tomorrow, when the Homeland Security & Governmental Affairs Committee will hold its first hearing on the Cybersecurity Act. The hearing is likely to address these questions and more, as it begins the latest chapter in the ongoing cybersecurity debate.


February 13, 2012  7:13 PM

EPIC pushes for more investigation surrounding Google privacy policy

Ben Cole Ben Cole Profile: Ben Cole

Since January, the Electronic Privacy Information Center (EPIC) has pushed for further Federal Trade Commission (FTC) investigation into Google’s online consumer privacy practices. The sometimes testy back and forth got testier last week, when EPIC sued the FTC in an unusual effort to prevent implementation of a new Google privacy policy.

EPIC requested a federal judge issue a temporary restraining order and injunction requiring the FTC to enforce a consent order that Google agreed to last year. The issue has a sense of urgency, considering the new Google privacy policy (which EPIC says violates the consent order) is scheduled to go into effect March 1.

To speed the process, a federal district court judge has ordered an accelerated briefing schedule in response to EPIC’s complaint. The court gave the FTC until Friday to respond to EPIC’s complaints, and EPIC is required to respond to that by Feb. 21.

But Google has already started defending its compliance with the FTC’s original consent order: In a lengthy January self-assessment submitted to the FTC, Google’s legal counsel reported the company “is acting in a manner consistent with its public representations regarding the privacy and confidentiality of its covered information.”

So the question remains: Are the efforts surrounding the new Google privacy policy on the up-and-up, or a case of bait and switch?

Google insists the new privacy policy increases transparency and user control surrounding information tracking. EPIC and other critics, however, contend the privacy policy changes will end up helping Google’s bottom line: They say the new policy allows Google to comb user data without consent, and will unethically assist Google’s advertising by violating online consumer privacy.

What do you think? Is the new Google privacy policy more of the same, making user information available to outside parties without proper user consent? Or is Google taking the necessary steps to comply with FTC mandates to protect online consumer privacy? Or is it somewhere in between, with Google taking steps in the right direction on its privacy policy, but steps that are not nearly big enough?

Until these questions are answered, the questions surrounding Google’s online privacy practices remain.


February 6, 2012  9:42 PM

Like SOPA, Anti-Counterfeiting Trade Agreement draws ire

Ben Cole Ben Cole Profile: Ben Cole

After shooting down the Stop Online Piracy Act (SOPA), protesters opposing broad online antipiracy legislation have a new target: the Anti-Counterfeiting Trade Agreement. And this time, the protests are on a global scale.

The Anti-Counterfeiting Trade Agreement is designed to establish international standards for intellectual property rights enforcement. It establishes legal frameworks for targeting counterfeit goods, generic medicines and Internet copyright infringement. The agreement was signed by Australia, Canada, Japan, Morocco, New Zealand, Singapore, South Korea and the United States in late 2011. Last month, the European Union and 22 of its member states joined them.

But protesters — perhaps bolstered by the shelving of SOPA of Project IP — are not allowing the Anti-Counterfeiting Trade Agreement to go through without a fight. The international citizens group Avaaz is seeking 2 million signatures for a petition to drop the agreement (it already has 1.75 million). Last weekend, thousands of people marched in the Slovenian capital of Ljubljana to protest it. The worldwide protests have led some countries, including Poland, to delay the agreements ratification process.

Supporters of the Anti-Counterfeiting Trade Agreement say it would decrease pirating of copyrighted works. Intellectual property-based organizations such as the Motion Picture Association of America helped with its development. Protesters, however, say it is an assault on freedom of expression and that opinions from all sides were not considered in the negotiation process.

Do these traits sound familiar?

Protesters showed what can be done after legislators backed off of SOPA and Project IP following public outcry. Now, with the whole world watching, they’re trying to get their voices heard again.


January 30, 2012  6:36 PM

Online privacy policies take over antipiracy as top Internet headline

Ben Cole Ben Cole Profile: Ben Cole

After weeks of nonstop talk (including a lot of criticism) of SOPA and other antipiracy legislation, protecting online privacy is back in the news. The switch in focus came as the European Union announced sweeping changes to its data protection rules and Google released details of its new privacy policy, which goes into effect March 1.

Both the EU and Google insist that they are making the changes to streamline online privacy policies. The European commission said its 27 member states have implemented its data protection rules differently, “resulting in divergences in enforcement.” The EU changes incorporate a single set of data protection rules that will be valid across all member countries. The changes to the online privacy policy will reduce unnecessary administrative requirements, saving businesses around €2.3 billion a year, according to the EU.

When announcing its changes, Google said it was replacing 60 different privacy policies with “one that’s a lot shorter and easier to read.” Under the new policy, for the first time Google Account users could have their information cross-referenced among several of Google’s sites. By treating users as a single entity across Google products, Google said it can provide better search results, ads and other content.

Of course, like everything else surrounding big online security and privacy changes, these two announcements were not without controversy. Critics of the EU’s new data protection rules say complying would hinder Internet innovation and create expensive, unnecessary new regulations for companies. (These criticisms were similar to those surrounding SOPA and antipiracy legislation, and we all know how well that turned out.)

Speaking of legislators, some were quick to point out detriments to Google’s new privacy rules. Reps. Edward J. Markey (D-Mass) and Joe Barton (R-Texas) have already sent a letter to the FTC saying Google’s new policy violates the agreement the company came to last year after privacy questions arose around Google Buzz.

So it sounds like these two big announcements are just the start of what will likely be a lengthy discussion of the best way to protect online privacy. In both the EU data protection revamp and Google’s new privacy policy, the two entities are trying to bolster business while at the same time protecting online privacy. It will be interesting to see if online privacy regulators and business can meet in the middle and best protect both commerce and the personal information of users. It definitely won’t be easy.


January 20, 2012  6:51 PM

Did protests of SOPA and other antipiracy legislation work?

Ben Cole Ben Cole Profile: Ben Cole

It was an eventful week for Internet-related antipiracy legislation, to say the least. After threatening for weeks, Internet giants such as Wikipedia and Google participated in a day-long “blackout” Wednesday in protest of the House of Representative’s Stop Online Piracy Act (SOPA) legislation and its Senate counterpart, PROTECT IP.

But did it work? After all, it’s not like the sites were completely shut down for 24 hours. Users could still access most of the sites participating in the protest; they just had to bypass literature outlining why the protesting sites equate SOPA and PIPA compliance with Internet censorship.

It definitely brought more attention to the controversial legislation, if nothing else. The blacked-out sites encouraged users to contact their legislators to protest the bills, and many did. Following the blackout, approximately 10 senators and nearly 20 House members announced their opposition to the antipiracy legislation as written, according to the New York Times. Among the flipped was Sen. Marco Rubio (R-Florida), one of the co-sponsors of PROTECT IP.

Today, Senate Majority Leader Harry Reid announced he was delaying a PROJECT IP vote scheduled for Jan. 24. House Judiciary Committee Chairman Lamar Smith (R-Texas) also announced a postponement of moving forward with SOPA antipiracy legislation “until there is wider agreement on a solution.” To help create this wider agreement, Christopher Dodd, chairman of the Motion Picture Association of America (MPAA), has called for a summit meeting between Internet companies and content distributors, in an effort to reach a compromise.

Until then, the protests keep coming: After the federal government shut down the website Megaupload and charged seven people with Internet piracy, the protest group Anonymous threw its weight around, briefly attacking and shutting down the websites of the Department of Justice, the MPAA and the Recording Industry Association of America.

So, it’s clear that the online antipiracy legislation fight is far from over. Legislators need to strike the right balance between the needs of critics who contend the legislation is unconstitutional, and the rights of those who want to protect their intellectual property.

Both sides (each with huge influence, by the way) have a valid argument designed to protect the way they do business. It will be interesting to see how legislators respond.


January 13, 2012  7:44 PM

EPIC letter questions Google’s online consumer privacy

Ben Cole Ben Cole Profile: Ben Cole

Just last April, Google Inc. settled Federal Trade Commission (FTC) charges that it used “deceptive tactics and violated its own privacy promises” to consumers when it launched Google Buzz in 2010. Now, some critics claim Google still hasn’t learned from its online consumer privacy mistakes.

In a letter to the FTC, the Electronic Privacy Information Center (EPIC) is pushing for an investigation because of more Google Search changes. EPIC said the inclusion in Google Search results of personal data, such as photos and contact details gathered from Google Plus, raises “concerns related to both competition and the implementation of the commission’s consent order.”

Under the settlement reached with the FTC in April, Google was required to implement a comprehensive privacy program and submit regular, independent privacy audits for the next 20 years.

“Google allows users to opt out of receiving search results that include personal data, but users cannot opt out of having their information found by their Google+ contacts by Google Search,” EPIC Executive Director Marc Rotenberg wrote in the letter to the FTC. “In contrast, Google allows content owners to remove pages from Google’s public search results.”

The EPIC letter also contends Google’s changes create potential antitrust violations because the company prioritizes its own content when returning search results.

In Google’s official blog earlier this week, Google fellow Amit Singhal wrote a lengthy post outlining and explaining the benefits of Google Search Plus Your World. Singhal touted what he called the new feature’s “unprecedented” security, transparency and control. The company has also posted accolades from analysts and consumers touting Google’s Search Plus Your World.

The FTC has yet to comment publicly on EPIC’s letter and call for another investigation into Google’s online consumer privacy practices. But it’s worth noting that the last couple of times EPIC made similar complaints against high-profile Internet companies, it resulted in privacy-related FTC settlements for both Google and Facebook with the FTC.


January 6, 2012  7:49 PM

Big online business ‘open’ to Stop Online Piracy Act alternative

Ben Cole Ben Cole Profile: Ben Cole

Internet giants — including eBay, Google, Facebook and Twitter — reportedly are considering a simultaneous “blackout” of their sites in protest of the Stop Online Piracy Act. Now they are throwing their weight behind an alternative bill.

The Stop Online Piracy Act has been slammed publicly by Internet companies since it was released a few months ago. Under the act, the U.S. Department of Justice and copyright holders could seek court orders against websites accused of copyright infringement. Those orders could include bans on networks and payment facilitators that would prevent them from doing business with the allegedly infringing websites, barring search engines from linking to them, and requiring that Internet service providers block access.

The (very vocal) opponents of the Stop Online Piracy Act say compliance amounts to Internet censorship and would increase compliance costs for organizations dramatically.

A compromise could be on the horizon, however: The Online Protection and Enforcement of Digital Trade (OPEN) Act has been introduced by Rep. Darrell Issa (R-Calif.) and Sen. Ron Wyden (D-Ore.) as an alternative to the Stop Online Piracy Act and its Senate counterpart PROTECT IP.

The OPEN Act would allow intellectual property holders to petition the International Trade Commission to investigate whether a foreign website’s only real purpose is to infringe on U.S. copyrights and trademarks. Proponents say OPEN takes a narrower and more targeted approach to combating online infringement than other proposed legislation does.

The OPEN Act ensures that only legitimate cases are pursued, and provides clear standards for companies to follow in enforcing intellectual property rules, supporters add. AOL, eBay, Facebook, Google, LinkedIn, Mozilla, Twitter, Yahoo and Zynga have written a joint letter announcing their support. The Internet companies say OPEN correctly targets “rogue sites” rather than law-abiding Internet companies.

And of course, OPEN has the support of — rather than vitriol from — such Internet giants as Google and Facebook. That’s likely to be a major factor as the infringement laws move through the ranks in the next several months. But OPEN has powerful critics as well: The entertainment industry, for one, says OPEN would not effectively prevent piracy, which was one of the major drivers of SOPA. Stay tuned.


December 8, 2011  8:26 PM

Push for Dodd-Frank Act regulations continues — at least for now

Ben Cole Ben Cole Profile: Ben Cole

With Chris Dodd already in Hollywood, Sen. Barney Frank’s retirement announcement last month led some to speculate the push for Dodd-Frank Act regulations would retire with him. The controversial financial regulation act has faced criticism and pushes for its repeal since it was proposed. With Frank’s retirement, its backers are losing their most outspoken supporter.

A Politico headline stated that Dodd-Frank (officially called the Dodd-Frank Wall Street Reform and Consumer Protection Act) now has “a murky future” due to Frank’s announcement. The article went on to say that despite Frank’s retirement having little impact on the act in the short term, “Republicans are salivating” at the chance to repeal it.

Two Senate Banking Committee hearings showed pushing through Dodd-Frank Act regulations is still a goal in some circles. On Dec. 6, the committee held an oversight hearing on the implementation of Dodd-Frank, with representatives from the Treasury, Federal Reserve and the SEC testifying. The hearing was designed to examine progress in implementing the act, and to explore how it could ultimately improve the stability of the U.S. financial system.

Senate Banking Committee Chairman Tim Johnson noted that some of the most complex Dodd-Frank Act regulations remain under consideration, and that he would like a timely resolution of these rules.

“I recognize that these rulemakings are difficult, but this is the time when tough decisions have to be made by our regulators,” Johnson said during opening statements at Tuesday’s hearing. “While our economy is starting to show signs of recovery from the financial crisis, the ongoing turmoil in Europe is a stark reminder that we must continue to monitor threats to financial stability.”

The financial regulation theme continued the following day, when the committee hosted another hearing titled “Enhanced Supervision: A New Regime for Regulating Large, Complex Financial Institutions.” Just the sound of it invoked thoughts of the overarching goals established by Dodd-Frank Act regulations. Also this week, Johnson released a scathing statement lambasting Senate Republicans after they voted to block Richard Cordray’s nomination to be the first director of the Consumer Financial Protection Bureau.

Frank is not likely to spend his last year in office quietly preparing for private life. He will no doubt spend a good portion of it loudly pushing for his namesake bill’s implementation. But implementing the sweeping Dodd-Frank Act regulations has already faced several delays, mostly due to its complexity. What if the financial crisis continues and Dodd-Frank detractors convince more people its rules would hinder job creation? What if President Obama is not re-elected and cannot veto a repeal of the act? If these delays continue, will it be held up long enough for its detractors to water it down in order to pacify the financial institutions the rules are designed to reign in?

With the attention paid to it this week, it at least shows that the Dodd-Frank Act is not going to fall by the wayside. But for it to have any teeth, Democrats and supporters will have to get moving … or find another (loud) voice to replace Barney Frank’s push for financial reform. Tim Johnson, are you listening?


December 6, 2011  7:27 PM

The top 10 compliance risk management questions you should be asking

Kevin Beaver Kevin Beaver Profile: Kevin Beaver

When it comes to IT governance, it’s one thing to have staff completing compliance risk management processes; it’s quite another to be confident that everything is indeed in line and secure. Understanding your level of compliance and how it relates to business risk is more than simply asking IT staff: “How are things?” or “Are we secure?”

The best way to ensure that you’re getting good information surrounding compliance risk management is to trust but verify. Asking the right questions and getting involved with the security management process are sure ways to bring light to some issues that have been shrugged off or even undetected — sometimes for years. Here are some pointed questions you can ask of those responsible for day-to-day network and system administration to ensure that you’re not creating a monster by making high-risk assumptions:

1.       What high-priority items were found during our most recent Web application penetration test? What’s the plan for fixing these issues?

2.       What patches were missing during our last vulnerability scan?

3.       Why are patches continually showing up as missing on our Windows servers and database systems?

4.       How are we managing event logs and correlating potential security incidents? How long are these logs being kept?

5.       Our passwords seem pretty secure for our main network logons, but what about for our Web applications, firewalls and all the random database servers scattered around the network?

6.       Given our current configurations, what’s the business risk of someone losing a laptop or having their smartphone or iPad stolen?

7.       What security incidents have been prevented over the past “X” number of months?

8.       How do we know our traditional desktop antivirus software is actually keeping our endpoints secure?

9.       What are we doing to proactively prevent data from leaking out of the network unnoticed?

10.   Have you seen any protocol anomalies on the network recently when compared with your known baseline? Are any odd systems like workstations, smartphones and rarely-used servers showing up as top talkers on the network?

This is hardly an exhaustive list, but these are some of the major security oversights and risks I see on a consistent basis. If everything appears to be hunky-dory in IT, odds are you need to probe further. Complacency, poor time management and the desire for job security often get in the way of what’s really going on.

One of your main goals for compliance risk management should be to ensure you’re getting the right information at the right time so you, your peers and your executives can make the right decisions. Anything short of this will merely set your compliance program up for failure in the long term.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: