Information Security Policy News
October, 2010 - Gaps in Small Business Security Policies
A study of over 1500 organizations shows that most small to medium businesses have significant gaps in written security and privacy policies relative to their business needs. The National Small Business Cybersecurity Study was conducted online by Symantec in conjunction with the National Cybersecurity Awareness Alliance (NCSA) and the Department of Homeland Security.
The survey revealed that while US small businesses rely heavily on the internet, less than one third of these businesses have formal policies governing online security. Other gap areas include policies for protecting privacy, company data, and confidential personal information. While security policy gaps are not unusual, what was unusual is that 93% of these same businesses are confident that their security programs are adequate to protect them against a possible breach!
April, 2010 - Attorney Client Privilege Supersedes Company Policy
A recent ruling by the US Supreme court concluded that client-attorney privacy privileges extended to email communications made from company computers. The ruling stemmed from a discrimination case filed by an employee. During the case, attorneys for the company used emails sent from a secure Yahoo account between the employee and her attorney in preparing their case. The initial lower court ruling was overturned and the Supreme Court ruled that these communications should have been kept private.
While there was some speculation that this ruling could have a broad impact on acceptable use and privacy policies, the story seems to confine the area of risk to the use of emails between clients and attorneys. Nothing in the ruling challenged the company's right to have or enforce policies. The problem was in using these specific emails to build a case against the employee.
March 5, 2010 - Facebook Profile Used for Network Intrusion
As network intrusion defenses have become more sophisticated, attackers are increasingly moving toward the weakest link - human beings. Phishers are able to conduct research easily by sifting through the vast personal information posted on social networking profiles. This disturbing trend comes when a recent study showed that over 50% of individuals share their login credentials between web sites.
In one recent incident, a network penetration into a large US financial company was started with a compromised Facebook account. The attackers were able to take control of one employee's Facebook account and using information culled from that individual's friends' profiles, sent what appeared to be personal messages to several other company employees about pictures taken at a company event. One of these employees then clicked on a link and became infected with keystroke logging software. After the same employee logged into the corporate VPN, the attackers has access to the network.
This type of incident can be prevented with policies that prohibit users from sharing login credentials with public web sites. (This and many other social-networking related policies are available within Information Security Policies Made Easy.) To reduce risk in the modern IT organizations, organizations must begin to consider employee's personal online behavior for possible threats.
March 3, 2010 - Widespread Peer-to-Peer Network Data Breaches
The US Federal Trade Commission (FTC) announced a detailed investigation into sensitive data being leaked through peer-to-peer (P2P) file-sharing networks. The report indicates that over 100 public and private enterprises were contacted regarding sensitive customer or employee information found on public file sharing networks. Organizations subject to data protection of laws such as HIPAA/HiTECH may be required to notify customers if any of the information has been accessed. If your organization is concerned about these risks to sensitive data, our PolicyShield Security Policy Subscription Service contains a variety of pre-written security policies that will help dramatically reduce the chances of leaks via P2P file sharing networks.
January 9, 2010 - Bank Fraud Exploits ACH Transfers
The Internet Crime and Complaint Center recently issued a security bulletin warning businesses of the growing problem of online banking fraud, with total reported losses of at least $40 millions USD. Most of the crimes begin with an infection of malicious software that was downloaded in response to SPAM. Once a machine is compromised, the software can steal banking credentials for online accounts and then begin making unauthorized wire transfers out of the account. These wire transfers are made below the typical $10,000 limit that triggers fraud alerts. The crimes are especially effective against smaller businesses that have fewer accounting and security controls and also bank at smaller institutions.
This type of attack can be prevented with a combination of security policies. First, Email Acceptable Use policies must prohibit users from responding to SPAM in the first place, making it clear that no software be downloaded from the internet without approval. Second, desktop/laptop configuration policies should require that up-to-date protection software be maintained on all internet-accessible computers. Other helpful security-related procedures include creating email notices for everyone outgoing transaction with the company account. In some cases, banks allow the organization to block all outgoing wire transfers without approval. As with any security policy controls, user education and awareness of these new threats is essential to make the policies truly meaningful and effective.
October 9, 2009 - Growth in SMS Attacks Require Policy Considerations
A new cyber-security report from Cisco indicated that criminals are increasingly using SMS text messages to lure victims into scams. This technique, dubbed smishing, uses text messages with imbedded links sent to smart phones that enable users to click the links. SMS attacks are also being used to send messages that appear to come from financial institutions and ask the recipients to call a number and verify account information. While these attacks use new technology, they are simply variations of email-based social engineering attacks. Organizations can help reduce the risk of infected users by extending their electronic mail acceptable use policies to other messaging platforms including SMS and chat (IRC).
A recent survey of information security professionals involved in protecting the nations critical infrastructure indicate that the recently updated NERC cyber security standards are not adequate to protect the country's electric power grid. Every respondent agreed that simply being in compliance with NERC regulations does not ensure that their systems are secure. However, respondents said that having compliance requirements helps create visibly with senior management and helps generate funding for their budgets. This is similar to the issue plaguing the PCI-DSS standard as more "compliant" organizations suffer data breaches. Perhaps this is more a problem of perception, as most security professionals understand that organizations and threats evolve and a statement of compliance is merely a snapshot in time measured against a set of controls.
April 5, 2009 - Contractors Leak Technical Data
Several recent incidents highlight the risk of sensitive data disclosure through third-party contractors. Defense officials revealed that thousands of confidential files on the U.S. military's most technologically advanced fighter aircraft have been compromised by unknown computer hackers over the past two years. According to the report, the files were accessed on the networks of major defense contractors. In a related story, technical schematics from Marine One were found on peer-to-peer file sharing networks, apparently leaked from a defense contractor that has p2p software installed on the same system as the confidential files. These high-profile incidents not only highlight the risks of third-party access to sensitive data, but they demonstrate that governments and government-sponsored agents are routinely using file-sharing networks to perform espionage.
Organizations that wish to reduce the risks of similar incidents should consider Information Security Policies Made Easy, which included written policies covering third-party data security, protection of trade secrets, and peer-to-peer file sharing among over 200 security topics.
March 5, 2009 - Cost of Data Breaches on the Rise in 2008
The Ponemon Institute has released its 2008 study on the cost of a data breach. The study analyzed 43 separate large data breaches from 17 different industries. Both the number and cost of incidents increased from 2007. The average cost per record has risen to $202, while the average cost per incident has risen to $6.6 million. The study considers a wide range of cost factors, including notification, administrative costs, legal consequences and customer loss.
Among the key findings were the measured impact of the "insider threat" as more than 88% of all cases in this years study involved insider negligence. Another highlight was the growing risk of outsourcing, as third-party organizations accounted for more than 44 percent of all cases in the 2008 study and are also the most costly form of data breaches due to additional investigation and consulting fees. The Privacy Breach Calculator from the Privacy Management Toolkit can help estimate the true total cost of privacy breach.
February 15, 2009 - FTC Revises Online Privacy Guidelines
The US Federal Trade Commission (FTC) recently issued a report describing its ongoing examination of online behavioral advertising and announced revisions to its self-regulatory principles. The report addresses how online advertisers can best protect consumers' privacy while collecting information about their online activities, including the collection of behavioral information for targeted advertising. The report was generally critical of Internet privacy practices, saying that websites are for the most part not making clear to their users what information is being collected about them and how that information is used for advertising. A press release accompanying the report indicated that official regulation will be likely if companies do not do a better job of self-regulating.
January 15, 2009 - Reported Data Breaches up 50%
The latest data from the Identity Theft Resource Center shows that the number of reported data breaches increased 50% in 2008. A total of 656 breaches were reported in 2008 versus 447 reported in 2007. The study estimates that at least 35 million customer records were exposed in the breaches. The percentage of breaches involving employee theft more than doubled to nearly 16 percent in 2008, calling for renewed focus on the role of the insider threat. Other surprising highlights from the study indicate that less than 3% of organizations that experienced a breach used some form of encryption to protect the data.
As a point of comparison, the year-end summary from the Open Security Foundation reports a total of 487 incidents with a possible 83 millions records being exposed. According to the Open Security Foundation, stolen laptops account for the largest share of data breaches, at 22% of the total. This study also indicates that losses by third parties generally involve many more records than other breaches. While only 13% of the breaches involve a third party, over 34% of the records are lost in incidents involving third parties. (Note: Information Security Policies Made Easy has over 1400 pre-written security policies, including policies covering employee security, encryption, mobile devices, and third party data handling.)
December 9, 2008 - States Enact Specific Security Requirements
In addition to Federal data protection laws, an increasing number of states are enacting data protection laws with very prescriptive controls on the protection of resident's personal information. Most recently the state of Massachusetts has passed 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth. The Massachusetts regulations apply to anyone that owns, licenses, stores or maintains personal information about Massachusetts residents.
In October 2008 the New York State Consumer Protection Board released a significant Privacy Guide focused on helping companies develop effective data security programs. The guidance urges all companies to have "written policies to protect the personal information of employees and consumers [that are] reviewed and updated regularly." With the passage of Senate Bill 8376, the state of New York has also opted for broader protections for employees by requiring employers to take steps to safeguard a broad range of personal identifying information including Social Security numbers.
Massachusetts and New York are joining Texas and a growing list of states that have data protection requirements in addition to the laws regarding data breach notification. As of November 2008, Forty-four states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted data breach legislation requiring notification of security breaches involving personal information. The information security implications are becoming unavoidable. Even the smallest organization must have a set of written policies in place to protect the security and privacy of both customer and employee data.
October 10, 2008 - People Beat Technology at Data Breach Detection
A recent study of over 500 data breaches by Verizon Business concluded that over 80% of organization discovered a data breach after notification by a third party. Usually the third party noticed suspicious activity from the compromised organization. The second largest factor was employee notifications, which accounted for 12%. So 92% of the breach reporting came from "human" channels. Ironically, less than 4% of the breaches were discovered by event monitoring technology such as intrusion prevention systems, even though the data was available within the systems. Evidence of events leading up to 82 percent of data breaches was available to the organization prior to actual compromise. Regardless of the particular type of event monitoring in use, the result was the same: information regarding the attack was neither noticed nor acted upon.
While these statistics are not surprising given the complex nature of some attacks, they may give pause to organizations that spend thousands of dollars on event monitoring software and intrusion prevention technology and yet do not have simple methods in place for employees and business partners to report security problems. The PolicyShield Security Policy Subscription contains over 40 policies relating to the reporting, management and disclosure of security incidents.
September 18, 2008 - Multiple Breaches from Employee Access
A recent string of data breaches by employees have brought renewed focus on the internal threat of trusted workers. In one incident, an employee of a large insurance agency used stolen customer data to commit identify theft and open up fraudulent credit card accounts. In another incident, an employee of large mortgage company used his account to download over 2 million customer records over a 2 year period and sold the data to competitors. In a third instance, a former chip manufacturer employee was charged with theft of trade secrets for allegedly stealing 13 top-secret documents relating to the design of processor chips. The former employee had resigned but was using accrued vacation time when he apparently downloaded the documents from a secure system. These incidents point to the increased importance of information security policies that both limit and monitor employee access.
July 18, 2008 - Healthcare Company Fined for HIPAA Violations
A recent enforcement action from the Department and Health and Human Services (HHS) illustrates the importance of following security policies for Health Insurance Portability and Accountability Act (HIPAA) compliance. In July, home health care services company Providence Health & Services of Seattle paid US $100,000 to resolve complaints about breaches of information privacy and security rules. One of the primary requirements of the settlement will be for the company to make changes to its policies and procedures to guard against similar incidents, and submit these written policies to HHS for review. According the report, laptop computers, disks and tapes that held patient health records taken from employees' parked cars five times in 2005 and 2006. The information on the devices is covered by HIPAA. Providence notified affected patients and the Department of Health and Human Services (HHS). More than 30 patients filed complaints with HHS. This first-of-its-kind "resolution agreement" came as a result of cooperation between the company and HHS, a drew some criticism from privacy advocates since the settlement allows Providence to avoid admitting that it actually violated HIPAA.
April 15, 2008 - Study Validates the Business Impact of a Privacy Breach
A new study released by the Ponemon Institute indicates that customer data breaches have real, measurable impact on the organizations customer retention. The survey was done on customers who had received a data breach notification from an organization that handled their personal information. Of those respondents, 63% were extremely dissatisfied with the way they were notified and many were confused as to the next steps to take. Even more telling, the study indicated that 57% of those notified of a breach of their personal information lost confidence in the organization, and 31% ceased doing business with the organization altogether after the incident. Comments from the study indicate that organizations tend to focus on compliance issues, rather than a real respect for the customer during these breaches. (Note: Lost customer revenue is just one of the many factors included within the Privacy Breach Impact Calculator included within the Privacy Management Toolkit.)
March 19, 2008 - FFEIC Issues New Business Continuity Guidance
The Federal Financial Institutions Examination Council (FFIEC) recently issued updated guidance for examiners, financial institutions, and technology service providers to identify business continuity risks and evaluate controls and risk management practices for effective business continuity planning. The guidance is an update to the "Business Continuity Planning Booklet," which was issued in March 2003. The update includes increased focus on business impact analysis and testing, as well as new emphasis on pandemic planning. It also incorporates lessons learned from the massive disruption caused by hurricanes Katrina and Rita. The guidance outlines roles and responsibilities of the board and senior management, as well as specific "action summaries" for each phase of the BCP process.
The updated BCP booklet is one in a series of booklets that comprise the Federal Financial Institutions Examination Council (FFIEC) Information Technology (IT) Examination Handbook. Both the updated BCP IT Examination Handbook and the Information Security Handbook (published July 2006) provide guidance for information security controls required to protect sensitive financial information. The new IT Examination Handbook is available for free at the FFEIC web site.
January 15, 2008 - FERC Approves Cybersecurity Standards
The Federal Energy Regulatory Commission (FERC), the U.S. agency responsible for overseeing electric rates and natural gas pricing, recently approved eight mandatory cyber-security standards that extend to all entities connected to the nation's power grid. The standards were developed by the North American Electric Reliability Corp. (NERC) in 2006.
The mandatory reliability standards require certain users, owners and operators of the bulk power system to establish policies, plans and procedures to safeguard physical and electronic access to control systems, to train personnel on security matters, to report security incidents, and to be prepared to recover from a cyber incident. The standards govern asset identification, management controls, personnel and training, perimeters, physical security, systems management, incident response and reporting and disaster recovery. Written information security policies and quarterly employee security awareness are both required elements of standard.
December 15, 2007 - Study indicates that many workers ignore security policies
A recent survey of 800 IT professionals by the Ponemon Institute indicated that a large percentage of workers do not follow company security policies, even when they are aware of them. For example, more than half of the respondents in the survey said they had personally copied confidential company information into USB memory sticks; though more than 87% admitted that company policy forbids them from doing so. About 46% said they routinely share passwords with colleagues, even though two-thirds of the respondents said their company's security policies prohibit them from doing so. While blatant disregard for policies is one aspect of the study, the results indicated that many organizations still do not have polices in place or if they do, employees are not aware of them. For instance, despite widespread concerns about data leaks resulting from insider abuse or negligence, 60% of respondents said their companies have no stated policy forbidding the installation of personal software on company computers. See the ComputerWorld coverage for more details.
November 15, 2007 - FACTA Update Requires Written Identity Theft Plan
The FTC and other federal agencies (OCC, FDIC, OTS, NCUA) are jointly issuing final rules and guidelines for implementing various sections of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). The update, entitled Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Final Rule is available on the Federal Registry.
Among the provisions for section 114 is the requirement that financial institutions implement a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection in connection with certain types of accounts. The rules also provide clarification on what types of accounts are covered under the act.
A critical part of any written identity theft program will include policies and procedures for protecting sensitive information related to accounts that may be subject to identity theft. Information Security Policies Made Easy provides over 1500 pre-written information security policies covering over 123 different security topics, including data privacy.
October 19, 2007 - Phishing email targets EEOC Complaints
Phishers are coming up with increasingly sophisticated ways to encourage corporate users to open emails. The most recent involves a fake email to employers, supposedly from the Equal Employment Opportunity Commission (EEOC), which contains the subject "Harassment Complaint Update For." The fake e-mail's contents include an EEOC logo under the subject line and contain purported language from the EEOC under a subject heading, "Employer Liability for Harassment."
The email contains links where the respondent can allegedly access details of a fake discrimination claim. However, according to a warning from the EEOC, clicking on the link actually unleashes a harmful computer virus if opened. To defend against this growing threat, organizations are encouraged to update their information security policies to prevent employees from responding to any request for sensitive information via email. Because of the increasing sophistication of these attacks, phishing attacks should also be part of ongoing security awareness training.
September 10, 2007 - Employee Fired for Personal Online Activity
A recent case involving an Arizona police officer illustrates how an employee's online behavior outside of work hours can trigger a termination. Ronald Dible was fired from the Chandler, AZ police department after rumors of his online sex business began circulating. The attempted defense was that statements made d uring his personal online activity were protected under "Free Speech." The U.S. Court of Appeals for the Ninth Circuit ruled Sept. 5 that he failed to show that his First Amendment or privacy rights were violated.
August 6, 2007 - Court ruling could impact policy change notification
Several years ago an appeals court ruled that a simple email notification was not enough to notify employees of important policy changes. In other words, it is up to the organization to be proactive in notifying individuals of policy changes that would affect their relationship with the organization in any way. Organizations should avoid this risk by explicitly notifying customers of changes to policy.
July 9, 2007 - Contractors fined for not upholding data protection measures
Several contractors of Los Alamos National Laboratory are being fined a total of $3.3 million for failing to adequately protect data as required in their contracts. The Department of Energy (DOE) initiated formal enforcement actions against specific current and former contractors, said that its investigations revealed that the contractors failed to prevent "a subcontractor employee's unauthorized reproduction of and removal of classified matter from the site." The DOE also issued a Compliance Order to Los Alamos, requiring corrective action to increase physical protection and cyber-security to safeguard classified information. This is another example that illustrates the importance of monitoring of all third-party contractors for compliance with information security policies.
June 28, 2007 - OECD updates privacy guidelines to help privacy law enforcement
The member countries of the Organization for Economic Cooperation and Development (OECD) have agreed to new updates to the 25-year old privacy principles. An update was needed in order to guard against the privacy risks of the increasing amounts of personal data currently being sent from country to country. The recommendation encourages better communication and cooperation between member countries on privacy enforcement and the bolstering of each country's internal privacy laws.
June 12, 2007 - Personal data on 17,000 Pfizer employees exposed via P2P
A Pfizer Inc. employee who installed unauthorized peer-to-peer file-sharing software on a company laptop used at home has exposed the Social Security numbers and other personal data belonging to about 17,000 current and former employees at the drug maker. According to data released by the company, about 15,700 of the individuals actually had their data accessed and copied by an unknown number of persons on a peer-to-peer network. The incident coincided with a new study from Dartmouth College's Tuck School of Business, which examined searches conducted on peer-to-peer networks and found a significant amount of financial data being exposed inadvertently by users of common file sharing programs.
Due to the alarming number of breaches involving the personal use of company-issued computers, organizations must consider developing a specific remote-worker information security policy that covers the use of corporate resources at home and on the road.
May 10, 2007 - Union takes action after data breach
Data breaches are always costly for an organization that loses customer data, but now organized labor is jumping on the bandwagon to hold the organization more responsible for the impact on lost employee data. The American Federation of Government Employees has filed a class action lawsuit against the Transportation Safety Administration (TSA) on behalf of TSA employees whose personal information was on a stolen hard drive. The suit seeks stronger security precautions within the organization as well as reimbursement by the company for any financial loss to employees as a result of the breach.
May 1, 2007 - State sues retailers for improper disposal of personal records
States are taking a larger role in data privacy legislation, including prosecuting corporations for violations related to security and privacy. In two recent cases, Texas attorney general Greg Abbott (R) has sued both CVS and Radio Shack for alleged violations of the 2005 Identity Theft Enforcement and Protection Act when customer records containing sensitive data where found in dumpsters. Texas may seek penalties of up to $50,000 per violation for CVS's alleged breach. In one response, CVS claimed that they do have policies and procedures to prevent improper disposal of consumer records, and that the action was done by an employee who didn't follow corporate policies. This is another in the endless of examples of why it is critical to provide training and awareness of current security policies.
April 20, 2007 - HHS Launches New HIPAA web site focused on privacy
The Department of Health and Human Services (HHS) announced the launch of a new web site focused on compliance and enforcement actions related to HIPAA Privacy. According a statement by the HHS, the Web site "provides information for consumers, health care providers, health plans and others in the health care industry about HHS's compliance and enforcement efforts. The new information describes HHS activities in enforcing the Privacy Rule, the results of those enforcement activities, and statistics showing which types of complaints are received most frequently and the types of entities most often required to take corrective [action] as a result of consumer complaints."
April 5, 2007 - Court rules no expectation of privacy for personal computers at work.
An Oklahoma man was sentenced to six years in prison for possession of child pornography which was discovered on a personal computer he had brought to work. The pornography was discovered while a network administrator was attempting to solve a problem being traced to his personal computer. In the appeal, the man claimed that he expected the personal data on his computer to remain private. However, the appeals court ruled otherwise. Among the many policy implications here is that employees who bring personal computing devices to work should not expect to keep the data private, especially if the computer is connected in any way to the corporate network. Organizations be proactive by publishing explicit policies that prohibit employees from bringing personal computers. Security policies should also state that any personal computing device brought to work may be inspected by the information security department.
April 5, 2007: FCC moves to increase protection of customer call data
The Federal Trade Commission (FTC) has released a proposed rule for the protection and privacy of customer records. The proposed rule addresses pretexting, protection of phone records, and notification in the event of a breach of phone records. In related news, the FTC recently proposed over $100,000 in fines for two telecommunications carriers that "apparently" failed to adequately protect the personal data of subscribers. The cases involve the protection of "customer proprietary network information," or CPNI, which is information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service. Under current rules, a telecommunications carrier must have an officer sign a compliance certificate on an annual basis stating that the officer has personal knowledge that the company has established operating procedures that are "adequate" to ensure compliance with commission rules.
February 25, 2007: FTC Reports on effectiveness of COPPA
The Children's Online Privacy Protection Act (COPPA), which became effective in APril 2000, is designed to protect the privacy of children below age 13. Since it began enforcement of COPPA in 2001, the FTC has filed eleven civil penalty actions that illustrate different core violations of COPPA and the Rule, and obtained more than $1.8 million in civil penalties. The FTC recently released a report to Congress on the Effectiveness of COPPA called Implementing the Children’s Online Privacy Protection Act. The report provides valuable information for businesses that must comply with COPPA. Organizations that routinely collect sensitive information from children or young adults should be familiar with COPPA and the FTC guidelines for compliance with this privacy law.
January 25, 2007: NIST updates XCCDF Standard
The National Institute of Standards (NIST) has recently updated the schema for The Extensible Configuration Checklist Description Format (XCCDF). According to NIST, "The intent of XCCDF is to provide a uniform foundation for expression of security checklists, benchmarks, and other configuration guidance, and thereby foster more widespread application of good security practices." The XCCDF helps implement the Open Vulnerability Assessment Language (OVAL), which aims to standardize the language and methods for assessing vulnerabilities on various systems. If widely adopted, these standards could significantly help automated security policy compliance efforts.
January 15, 2007: 30 Percent of Large UK Companies still lax in privacy policies
A study of EU Directive on Privacy and Electronic Communications compliance among large UK companies found that 31 percent of those companies do not provide "non-customers the opportunity to actively opt-in or otherwise consent to further marketing emails when their details were recorded as the result of a promotion or enquiry." See the full story.
January 12, 2007: Fifty-Seven Percent of Irish Companies Have No eMail and Internet Use Policies
Ireland's Small Firms Association (SFA) says that 57 percent of Irish companies have not implemented email and Internet use policies despite the fact that companies can be held liable for employees' activities. See the full story.
December 15, 2006: New Civil Procedures Require Updates to Data Retention Policies
The updated Federal Rules of Civil Procedure, which took effect in December 2006, place a greater burden on organizations to maintain digital data in the event it is required in legal proceedings. Section V, Depositions and Discovery, Rule 34 of the Federal Rules of Civil Procedure reads, "Any party may serve on any other party a request to produce and permit the party making the request, […] to inspect, copy, test or sample any designated documents or electronically stored information - including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations stored in any medium from which information can be obtained ..." Organizations should review their information security policies, particularly those related to data storage and retention, in light of these new requirements. See the Cornell Law Library for a summary of the new ruling.