Archive for the ‘Privacy Laws’ Category

Mexico Passes data-leak prevention law…

July 22, 2010

Effective as of July 6th 2010, the new Ley Federal de Protección de Datos Personales en Posesión de los Particulares, or “Federal Law on the Protection of Personal Data Held by Private Parties”, imposes disclosure obligations and carries penalties and fines. Companies must act on requests for information about the personal data they hold, and the individuals concerned can refuse the transfer of their data and request its deletion.

A great write-up by Roumiana Deltcheva can be found on MessagingArchitects.com, and you can get the full text of the law from the Senado site (in Spanish, of course).

European Commission requests the UK to strengthen Data Protection Regulation…

June 28, 2010

This week the European Commission requested that the UK strengthen its data protection legislation to align with the EU Data Protection Directive. The Commission’s view is that the UK rules offer less protection than the Directive requires; the UK now has two months to consider the opinion and respond with measures to bring them into line.

The EU highlighted the following points:

1. The ICO cannot assess whether a third country’s data protection rules are adequate, an assessment that should come before any international transfer of personal information.

2. The ICO can neither perform random checks on people using or processing personal data, nor impose penalties following such checks.

The full write-up can be found on the European Commission’s press release page.

New China encryption rules won’t pose headaches for U.S. vendors?

This week, Jaikumar Vijayan at Computerworld posted an interesting article about new Chinese rules designed to control the import of non-domestic encryption products.

Many people have inferred that these new rules mean products imported into China will somehow be compromised or unsafe, because their details will have been disclosed to the Chinese government.

Nothing could be further from the truth. Read more…

TJX Hacker gets 20 years…

March 29, 2010

Last week Albert Gonzalez, the “brains” behind the TJX hack, the Heartland Payment Systems and 7-Eleven breaches and many other notable cybercrimes, was sentenced to 20 years. Part of his punishment is the forfeiture of $1m he buried in his parents’ garden, a condo in Miami, a car, a diamond ring and several expensive watches (some sources reported Gonzalez to have stolen $200m, much of which was returned).

The sentence was severe in part because some of the attacks were carried out while Gonzalez was working as a Secret Service informant, earning $75k per year.

You can read more on the BBC News website.

French Internet piracy law ineffective…

March 29, 2010

Perhaps uniquely, the French legal system has the means to ban people from the Internet under what’s known as the “Three Strikes Law”. Passed in September 2009, it created a new government agency, HADOPI (the Haute Autorité pour la Diffusion des Œuvres et la Protection des Droits sur Internet, or High Authority for the Dissemination of Works and the Protection of Rights on the Internet), which can have individuals who flout copyright law forcibly disconnected, and can even take measures against people whose “insecure connections” allow them to be used in this manner. Read more…

CSO Executive Seminar Series on Data Protection and Encryption…

March 10, 2010

Just a reminder that tomorrow I will be speaking at the CSO Executive Seminar at the Hilton, Tysons Corner, VA – http://public.cxo.com/conferences/index.html?conferenceID=64. The topic will be “5 practical steps for data protection”. I don’t expect it to be a McAfee sales push; I’ll be talking about technologies in general.

If you’re a reader of my blog(s) please come and say hello.

NIST SP 800-111: Practical Advice for Data Protection Projects

February 26, 2010

This week I want to take the opportunity to remind readers of the excellent NIST publication SP 800-111, Guide to Storage Encryption Technologies for End User Devices.

Yes, I know, another complex government-sponsored report, but for those implementing any kind of data protection project 800-111 is one of the best reports on the subject, covering the technologies themselves, their practical use, and risk analysis. It’s really (for a NIST publication, anyway) a very good read.

The other reason to pay attention to 800-111 is quite simply that it’s the document regulations point to when they talk about “good practice”, “industry-standard processes”, “accepted best practice” and so on. It contains the advice you’ll be measured against if you ever end up in court defending your security policy against something like Massachusetts 201 CMR 17.00. Read more…

HITECH Name-And-Shame goes up a gear…

February 25, 2010

Not content with naming and shaming companies that break the HIPAA/HITECH health regulations through the normal press, the U.S. Department of Health and Human Services is now listing on its own site companies that lose control of more than 500 people’s records.

This duty comes from section 13402(e)(4) of the HITECH Act:

4) Posting on HHS Public Website.—The Secretary shall make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each covered entity involved in a breach described in subsection (a) in which the unsecured protected health information of more than 500 individuals is acquired or disclosed.

For those not in the know, HITECH is a U.S. act that imposes a duty of care for people’s health information. “Covered entities” such as health plans and care providers (hospitals, doctors etc.) need to put safeguards in place to ensure that our individual health information is not seen by or accessible to unauthorized people. You can find out more about HITECH on HHS’s excellent consumer website. Read more…

Speaking at the “Security: The New Business Imperative” Event

February 16, 2010

For those in the area, I will be speaking next week (on 23 Feb) at the Security: The New Business Imperative event at the Westin Diplomat Golf Resort & Spa, Hallandale Beach, FL.

The topic will be a review of current regulations, and practical steps you can take not to fall foul of them.

You can reserve a seat by contacting Tricia_Brown@mcafee.com, or (678) 653 9606

MA 201 CMR 17 Revisited…

February 2, 2010

Though the deadline for MA 201 CMR 17 compliance has been extended until the end of the quarter, NOW is a good time to review what this regulation means to you and your business.

I must start with the usual “ask Gary” disclaimer – I’m not a lawyer, but the regulation is pretty easy to read (compared to many others) and I recommend that anyone subject to it prints it out and pays attention.

So, how do you know whether you’re subject to MA 201 CMR 17 or not? Let’s start from the top of the regulation itself: Read more…