EU data protection laws take toll on social networking
An EU committee of data protection regulators has recently announced that all social networking sites such as Facebook or MySpace are legally responsible for their users’ privacy. According to the Register, the European data watchdogs regard such sites as “data controllers”, thus they have to abide by all legal obligations such a status entails. Even if they are headquartered in a different country, social networking companies still are data controllers under EU laws.
Also, the site users hold a similar position, making them all legally responsible for all information posted on behalf of a club, society or company.
“SNS [Social Network Service] providers are data controllers under the Data Protection Directive,” it said. “They provide the means for the processing of user data and provide all the ‘basic’ services related to user management (e.g. registration and deletion of accounts). SNS providers also determine the use that may be made of user data for advertising and marketing purposes – including advertising provided by third parties.”
UK Government says no to data breach notification law
Although the number of data breaches reported in the UK has been significant this year, the UK Government has recently announced it will not implement a compulsory data breach notification law for private-sector companies. The decision was made after reviewing a recommendation made in July by information commissioner Richard Thomas.
On the other hand, public-sector organizations are obligated to report any significant potential or actual data loss. Their private-sector counterparts should report the losses in the spirit of “good business practice”. So if your data is exposed by a public-sector institution and only 2 others have been affected, or if a private company loses thousands of private records but does not see reporting the incident as good practice, you will never find out.
“After considering the analysis of the experience of the US in the area of data-breach notification legislation, the government is not intending to implement similar legislation to that in operation in the US,” states the Response to the Data Sharing Review Report.
Private-sector companies are not clear of all consequences, as fines for organizations found in breach of data-protection laws will soon be raised. According to the same report, the Ministry of Justice is working with the Information Commissioner’s Office to determine the level of the maximum fine.
Is Sarbanes-Oxley Evil?
TechCrunch definitely seems to think so. So what’s Sarbanes-Oxley? Also known as the Public Company Accounting Reform and Investor Protection Act of 2002, SOX or Sarbox, it was enacted on July 30, 2002. Its purpose was to prevent major disasters such as Enron or WorldCom. Through its stipulations it also imposes some specific requirements on security policies, thus most endpoint security solutions try to help cover this aspect, some better than others.
While complying with SOX is mandatory in the US, it also works as a marketing tool for endpoint security solutions in other markets. This positioning, as legally and international-standard compliant, helps developers sell their product more easily.
So what’s wrong with SOX? According to TechCrunch, all flaws are related to business strategy aspects and not to security policies. The main problem is that SOX affects the way companies can prepare and have their initial public offering (IPO), which causes them to turn either to mergers instead of IPOs or to getting listed on foreign stock exchanges. They can always wait for 12 years to get listed or entirely give up the idea of going public. All this because of huge compliance costs that most businesses can’t really afford.
It would be interesting to see whether other voices will rise against SOX and how it will be changed in the future, business- and security-wise.
Data Breach Effects: Advice on How to Rebuild Credit Ratings
As more and more data breaches are revealed and debated online, the number of victims of such incidents increases. From never-ending sales calls to having items charged on your card to seeing credit ratings go down the drain to identity theft, these people are the ones who feel the most powerful consequences, not the companies where the breaches occur.
So what are these people to do to protect themselves and get back to how things were? As far as credit ratings are concerned, UK victims are advised to use the Data Protection Act to rebuild them. According to E-Victims.org, a former support group for cybercrime victims quoted by the Register, even after establishing fraud and absolving themselves of liability for fraudulent debt, data breach victims still have poor credit ratings.
As credit agencies rely on data from lenders, not on corrections communicated by those who borrow money, the organization says the Act could be used to force lenders to correctly communicate the status of fraud and data breach victims. Otherwise, even if they obtain new credit, victims of such breaches will still have to pay higher interest rates. The Register also directs victims to a factsheet published by E-Victims.org aimed at helping them with their credit reports.
Security, More Important than Recession
According to recently released data, US mid-sized companies are more concerned about information security than about cutting down costs. The survey conducted by Arrow Electronics Inc collected data from 200 US companies with annual revenues ranging from less than $100 million to over $1 billion. 80% identified security as a top business issue, while only 60% referred to cost reduction and 64% targeted improving their customer service.
Although they admit IT security is of utmost importance, few are satisfied with the level of security already implemented in their mid-sized businesses. Only 32 percent of respondents said their company is properly handling all threats. That leaves 68% of companies concerned, yet highly vulnerable.
Yet the 32% might also be quite vulnerable to all kinds of threats, as shown by David Vellante, co-founder and principal contributor of the Wikibon user group. His statement, quoted by Dark Reading, shows these respondents are simply unaware of what’s really at stake.
“I believe that the 32 percent of respondents that are ‘very satisfied’ with how their company is addressing security concerns are deluding themselves — they should wake up and smell the coffee,” wrote Vellante. “As an industry, since 2000 we’ve spent billions on security in the form of virus protection, network security, firewalls and other infrastructure… do you feel more secure? No way!”
Endpoint Security Strategies for SMBs
SMBs have specific requirements when it comes to IT security in general and endpoint security in particular: they need comprehensive policies and high-end technology, all scaled down to their size and at a fair price. They don’t need cheap and unreliable solutions; they just need the best there is, adjusted to their size.
If you’d like to know more about what the IT security market has to offer, what challenges arise from the current business environment, which are the real threats SMBs face, how to properly assess the costs of a security breach, and how easy it is to lose data or have it stolen, read the latest white paper published by CoSoSys, Easy Guide to Comprehensive IT Security Strategies for SMBs – High-End Endpoint Security, Data Loss Prevention and Portable Device Management at a Reduced Scale.
Data Watchdog Warns of Poor Data Protection in UK Institutions
The data protection watchdog, the Information Commissioner’s Office, has recently confirmed that it has served enforcement notices on two UK governmental institutions, HM Revenue and Customs and the Ministry of Defence. The decision, made public in Information Commissioner Richard Thomas’ annual report, comes as a response to high-profile data breaches occurring within the two organizations.
According to IT Week, both departments will be compelled to provide progress reports detailing how they are improving data governance practices.
This piece of news comes shortly after the same office called for European data protection laws to be reformed to make them more business-friendly. The recommendation was made by the same Richard Thomas at the annual Privacy Laws and Business conference in Cambridge. Thomas said existing legislation was out-dated and increasingly ill-suited to the internet age.
Public Access vs. Private Records Protection
The European Data Protection Supervisor Peter Hustinx stated he was unhappy with the proposed law aimed at improving public access to EU documents. The European Commission proposed the law as a means to improve European government transparency.
Yet according to Computing.co.uk, Hustinx is concerned that the security measures to protect personal data in public documents are inefficient. His concern was triggered when a reference to possible harm to “the privacy and the integrity” of the individual was deleted from the initial proposal.
“Public access on the one hand and privacy and data protection on the other are fundamental rights which represent key elements of good governance,” said Hustinx.
We’ll just have to wait and see what will happen; if the right to public access wins the battle, we could recommend some DLP solutions.
Stockbrokers Get Fine for Poor Security
The Financial Services Authority (FSA) has recently fined a firm of stockbrokers for failing to adequately protect their customers from the risk of identity fraud. FSA, quoted by the Register, said the company’s poor security included failing to manage, among others, the risks posed by staff using instant messaging and web-based email.
London-based Merchant Securities Group Limited also failed to verify the identities of customers contacting the firm by telephone. They instead relied on being able to recognize customers’ voices and informally asking them about personal matters such as holidays or hobbies. The firm also had the habit of including private account numbers in routine letters which could then lead to fraud or identity theft.
The FSA also found that back-up tapes containing unencrypted customer information were stored overnight in a bag at the home of a member of staff.
The London-based firm also failed to implement adequate controls “to mitigate the risk of customers’ personal data being transmitted outside the firm by failing to prevent the use of instant messaging and web-based email,” according to the penalty notice (pdf) served by the FSA.
DPS-contracted Company Breached
Private records of 826 state employees were recently stolen from a home office in Wichita Falls, Texas. An employee of L-1 Identity Solution was keeping the information in a lockbox, pending fingerprinting, as agreed with the Department of Public Safety.
All the affected individuals are being notified by mail that their names, home addresses, dates of birth, driver’s license and Social Security numbers are missing and they are exposed to identity theft and fraud. According to KXAN.com, about 100 of those affected work for the State Board of Education. The incident comes less than a year after the Texas Legislature mandated that all education employees submit their fingerprints for criminal background checks.