Information Security Policy News
Information Shield brings you the following news and incidents that relate to information security policies and may impact organizations that develop and maintain an information security policy or privacy policy program.
April 15, 2008 - Study Validates the Business Impact of a Privacy Breach
A new study released by the Ponemon Institute indicates that customer data breaches
have a real, measurable impact on an organization's customer retention.
The survey was done on customers who had received a data breach notification
from an organization that handled their personal information. Of those respondents,
63% were extremely dissatisfied with the way they were notified and many were confused
as to the next steps to take. Even more telling, the study indicated that 57% of
those notified of a breach of their personal information lost confidence in the
organization, and 31% ceased doing business with the organization altogether after the incident.
Comments from the study indicate that organizations tend to focus on compliance issues,
rather than a real respect for the customer during these breaches.
(Note: Lost customer revenue is just one of the many factors included within the Privacy
Breach Impact Calculator included within the Privacy Management Toolkit.)
March 19, 2008 - FFIEC Issues New Business Continuity Guidance
The Federal Financial Institutions Examination Council (FFIEC) recently issued updated guidance for
examiners, financial institutions, and technology service providers to identify business continuity risks
and evaluate controls and risk management practices for effective business continuity planning.
The guidance is an update to the "Business Continuity Planning Booklet," which was issued in March 2003. The update includes an increased focus on business impact analysis and testing, as well as new emphasis on pandemic planning. It also incorporates lessons learned from the massive disruption caused by Hurricanes Katrina and Rita. The guidance outlines the roles and responsibilities of the board and senior management,
as well as specific "action summaries" for each phase of the BCP process.
The updated BCP booklet is one in a series of booklets that comprise the Federal Financial Institutions Examination Council (FFIEC) Information Technology (IT) Examination Handbook. Both the updated BCP IT Examination Handbook and the Information Security Handbook (published July 2006) provide guidance on the information security controls required to protect sensitive financial information. The new IT Examination Handbook is available for free at the FFIEC web site.
January 15, 2008 - FERC Approves Cybersecurity Standards
The Federal Energy Regulatory Commission (FERC), the U.S. agency responsible for overseeing electric rates and natural gas pricing, recently approved eight mandatory cyber-security
standards that extend to all entities connected to the nation's power grid.
The standards were developed by the North American Electric Reliability Corp. (NERC) in 2006.
The mandatory reliability standards require certain users, owners and operators of the bulk power system to establish policies, plans and procedures to safeguard physical and electronic access to control systems, to train personnel on security matters, to report security incidents, and to be prepared to recover from a cyber incident. The standards govern asset identification, management controls, personnel and training, perimeters, physical security, systems management, incident response and reporting, and disaster recovery. Written information security policies and quarterly employee security awareness are both required elements of the standard.
December 15, 2007 - Study indicates that many workers ignore security policies
A recent survey of 800 IT professionals by the Ponemon Institute indicated that a large
percentage of workers do not follow company security policies, even when they are aware of them.
For example, more than half of the respondents in the survey said they had personally copied
confidential company information onto USB memory sticks, even though more than 87% admitted that
company policy forbids them from doing so. About 46% said they routinely share passwords with
colleagues, even though two-thirds of the respondents said their company's security policies
prohibit them from doing so. While blatant disregard for policies is one aspect of the study,
the results indicated that many organizations still do not have policies in place or, if they do,
employees are not aware of them. For instance, despite widespread concerns about data leaks
resulting from insider abuse or negligence, 60% of respondents said their companies have no stated
policy forbidding the installation of personal software on company computers. See the ComputerWorld coverage
for more details.
November 15, 2007 - FACTA Update Requires Written Identity Theft Plan
The FTC and other federal agencies (OCC, FDIC, OTS, NCUA) are jointly issuing final
rules and guidelines for implementing various sections of the Fair and Accurate Credit Transactions Act
of 2003 (FACTA). The update, entitled Identity Theft Red Flags and Address Discrepancies Under the
Fair and Accurate Credit Transactions Act of 2003; Final Rule, is available in the Federal Register.
Among the provisions for section 114 is the requirement that financial institutions implement a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with certain types of accounts. The rules also provide clarification on what types of accounts are covered under the act.
A critical part of any written identity theft program will include policies and procedures for protecting sensitive information related to accounts that may be subject to identity theft. Information Security Policies Made Easy provides over 1500 pre-written information security policies covering over 123 different security topics, including data privacy.
October 19, 2007 - Phishing email targets EEOC Complaints
Phishers are coming up with increasingly sophisticated ways to encourage corporate users to open emails.
The most recent involves a fake email to employers, supposedly from the
Equal Employment Opportunity Commission (EEOC), which contains the subject
"Harassment Complaint Update For." The fake e-mail's contents include an EEOC logo under the subject
line and contain purported language from the EEOC under a subject heading, "Employer Liability for Harassment."
The email contains links where the recipient can allegedly access details of a fake discrimination claim. However, according to a warning from the EEOC, clicking on the link actually unleashes a harmful computer virus. To defend against this growing threat, organizations are encouraged to update their information security policies to prevent employees from responding to any request for sensitive information via email. Because of the increasing sophistication of these attacks, phishing should also be part of ongoing security awareness training.
September 10, 2007 - Employee Fired for Personal Online Activity
A recent case involving an Arizona police officer illustrates how an employee's online behavior outside of
work hours can trigger a termination. Ronald Dible was fired from the Chandler, AZ police department after
rumors of his online sex business began circulating. The attempted defense was that statements made
during his personal online activity were protected under "Free Speech." The U.S. Court of Appeals for the Ninth Circuit ruled Sept. 5 that he failed to show
that his First Amendment or privacy rights were violated.
Although all three Ninth Circuit judges agreed that the city of Chandler was justified in terminating Dible, they disagreed over whether his online sex business was protected employee speech. While this might be an extreme case of employee behavior, it does bring up some interesting security and privacy policy considerations. Are employees prohibited from engaging in personal online activity that may reflect poorly on their employer or on their profession in general? Issues related to personal online activity are bound to grow with the exponential increase of personal blogs and social networking sites.
August 6, 2007 - Court ruling could impact policy change notification
A recent court ruling could indicate an important shift in the way that corporations notify customers
of privacy policy changes. The U.S. Court of Appeals for the Ninth Circuit ruled July 18 that a
telecommunications service provider did not effectively change its terms of service when it
posted a revised contract on its Web site and did not give customers further notice. Many
organizations update their online privacy policies at will, assuming that customers will go to the web site and observe the new terms of service. While this practice is common, it is certainly not in the spirit of "open" communication with customers. This ruling came as part of a class-action lawsuit where customers sued for terms of service
changes that were applied automatically to their account.
Several years ago an appeals court ruled that a simple email notification was not enough to notify employees of important policy changes. In other words, it is up to the organization to be proactive in notifying individuals of policy changes that would affect their relationship with the organization in any way. Organizations should avoid this risk by explicitly notifying customers of changes to policy.
July 9, 2007 - Contractors fined for not upholding data protection measures
Several contractors of Los Alamos National Laboratory are being fined a total of $3.3 million for
failing to adequately protect data
as required in their contracts. The Department of Energy (DOE), which initiated formal enforcement actions
against specific current and former contractors, said that its investigations revealed that the contractors failed to prevent "a subcontractor employee's unauthorized reproduction of and removal of classified matter from the site." The DOE also issued a Compliance Order to Los Alamos, requiring corrective action to increase physical protection and cyber-security to safeguard classified information. This is another example that illustrates the importance of monitoring all third-party contractors for compliance with
information security policies.
June 28, 2007 - OECD updates privacy guidelines to help privacy law enforcement
The member countries of the Organization for Economic Cooperation and Development (OECD) have agreed to new updates to the 25-year-old privacy principles. An update was needed in order to guard against the privacy risks of the increasing amounts of personal data currently being sent from country to country. The recommendation encourages better communication and cooperation between member countries on privacy
enforcement and the bolstering of each country's internal privacy laws.
June 12, 2007 - Personal data on 17,000 Pfizer employees exposed via P2P
A Pfizer Inc. employee who installed unauthorized peer-to-peer file-sharing software
on a company laptop used at home has exposed the Social Security
numbers and other personal data belonging to about 17,000 current and former
employees at the drug maker. According to data released by the company, about 15,700 of the
individuals actually had their data accessed and copied by an unknown number of persons on a
peer-to-peer network. The incident coincided with a new study from
Dartmouth College's Tuck School of Business, which examined searches conducted on
peer-to-peer networks and found a significant amount of financial data being exposed
inadvertently by users of common file sharing programs.
Due to the alarming number of breaches involving the personal use of company-issued computers, organizations must consider developing a specific remote-worker information security policy that covers the use of corporate resources at home and on the road.
May 10, 2007 - Union takes action after data breach
Data breaches are always costly for an organization that loses customer data, but now organized
labor is jumping on the bandwagon to hold the organization more responsible for the impact on
lost employee data.
The American Federation of Government Employees has filed a class action lawsuit against the
Transportation Safety Administration (TSA) on behalf of TSA employees whose personal information
was on a stolen hard drive. The suit seeks stronger security precautions within the organization
as well as reimbursement by the company for any financial loss to employees as a result
of the breach.
May 1, 2007 - State sues retailers for improper disposal of personal records
States are taking a larger role in data privacy legislation, including prosecuting corporations for
violations related to security and privacy. In two recent cases, Texas attorney general
Greg Abbott (R)
has sued both CVS and Radio Shack for alleged violations of the
2005 Identity Theft Enforcement and Protection Act
when customer records containing sensitive data were found in dumpsters. Texas may seek penalties of up to $50,000 per violation for CVS's alleged breach.
In one response, CVS claimed that they do have policies and procedures to prevent improper disposal of
consumer records, and that the action was done by an employee who didn't follow corporate policies.
This is another in an endless series of examples of why it is critical to provide
training and awareness of current security policies.
April 20, 2007 - HHS Launches New HIPAA web site focused on privacy
The Department of Health and Human Services (HHS) announced the launch of a new web site focused
on compliance and enforcement actions related to HIPAA Privacy. According to a statement by the HHS,
the Web site "provides information for consumers, health care providers, health plans and others
in the health care industry about HHS's compliance and enforcement efforts. The new
information describes HHS activities in enforcing the Privacy Rule, the results of those
enforcement activities, and statistics showing which types of complaints are received
most frequently and the types of entities most often required to take corrective
[action] as a result of consumer complaints."
April 5, 2007 - Court rules no expectation of privacy for personal computers at work.
An Oklahoma man was sentenced to six years in prison for possession of child pornography, which was discovered on a personal computer he had brought to work. The pornography was discovered while a network administrator was attempting to solve a problem that had been traced to his personal computer. In the appeal, the man claimed that he expected the personal data on his computer to remain private. However, the appeals court ruled otherwise. Among the many policy implications here is that employees who bring personal computing devices to work should not expect to keep the data private, especially if the computer is connected in any way to the corporate network. Organizations should be proactive by publishing explicit policies that prohibit employees from bringing personal computers to work. Security policies should also state that any personal computing device brought to work may be
inspected by the information security department.
April 5, 2007: FCC moves to increase protection of customer call data
The Federal Trade Commission (FTC) has released a proposed rule for the protection and privacy of customer records. The proposed rule addresses pretexting, protection of phone records, and notification in the event of a breach of phone records. In related news, the FTC recently proposed over $100,000 in fines for two telecommunications carriers that "apparently" failed to adequately protect the personal data of subscribers. The cases involve the protection of "customer proprietary network information," or CPNI, which is information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service. Under current rules, a telecommunications carrier must have an officer sign a compliance certificate on an annual basis stating that the officer has personal knowledge that the company has established operating procedures that are "adequate" to ensure compliance with commission rules.
February 25, 2007: FTC Reports on effectiveness of COPPA
The Children's Online Privacy Protection Act (COPPA), which became effective in April 2000, is designed to protect the privacy of children below age 13. Since it began enforcement of COPPA in 2001, the FTC has filed eleven civil penalty actions that illustrate
different core violations of COPPA and the Rule, and obtained more than $1.8 million in civil penalties. The FTC recently released a report to Congress on the Effectiveness of COPPA called Implementing the Children’s Online Privacy Protection Act. The report provides valuable information for businesses that must comply with COPPA. Organizations that routinely collect sensitive information from children or young adults should be familiar with COPPA and the FTC guidelines for compliance with this privacy law.
January 25, 2007: NIST updates XCCDF Standard
The National Institute of Standards (NIST) has recently updated the schema for the Extensible Configuration Checklist Description Format (XCCDF). According to NIST, "The intent of XCCDF is to provide a uniform foundation for expression of security checklists, benchmarks, and other configuration guidance, and thereby foster more widespread application of good security practices."
XCCDF helps implement the Open Vulnerability Assessment Language (OVAL), which aims to standardize the language and methods for assessing vulnerabilities on various systems. If widely adopted, these standards could significantly help automated security policy compliance efforts.
January 15, 2007: 30 Percent of Large UK Companies still lax in privacy policies
A study of compliance with the EU Directive on Privacy and Electronic Communications among large UK companies found that 31 percent of those companies do not provide "non-customers the opportunity to actively opt-in or otherwise consent to further marketing emails when their details were recorded as the result of a promotion or enquiry." See the full story.
January 12, 2007: Fifty-Seven Percent of Irish Companies Have No eMail and Internet Use Policies
Ireland's Small Firms Association (SFA) says that 57 percent of Irish companies have not implemented email and Internet use policies despite the fact that companies can be held liable for employees' activities. See the full story.
December 15, 2006: New Civil Procedures Require Updates to Data Retention Policies
The updated Federal Rules of Civil Procedure, which took effect in December 2006, place a greater burden on organizations to maintain digital data in the event it is required in legal proceedings. Section V, Depositions and Discovery, Rule 34 of the Federal Rules of Civil Procedure reads, "Any party may serve on any other party a request to produce and permit the party making the request, […] to inspect, copy, test or sample any designated documents or electronically stored information - including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations stored in any medium from which information can be obtained ..." Organizations should review their information security policies, particularly those related to data storage and retention, in light of these new requirements. See the Cornell Law Library for a summary of the new ruling.