Archive
Repeat Data Loss Offenders…
I was doing some data mining this week on the excellent DataLossDB.com site and it occurred to me to dig a little deeper into where the risky places to give your PII/PHI to are. I was hoping to find that some segments are cleaning up their act, but it seems not. The fact we’re seeing multiple entries by people could have two possible meanings: Read more…
Think Like A Spy…
Recently John Sileo spoke at the Department Of Defense’s Joint Family Readiness Conference on the topic of identity protection and theft. As a two time victim of identity theft, John is well placed to speak from the heart about the practical, factual, and emotional aspects of this problem, and though I was not able to attend his presentation the writeup on his presentation is well worth a read.
John advocates a couple of thought processes which I’ll let you read the details of directly from the transcript, but to summarize he encourages us all to “Think Like A Spy” – to question the validity of the request for information at every stage, and with every person. Read more…
Missouri’s new Data Protection Disclosure Law.
Although maybe unnoticed, a month ago Missouri finally joined that heady club called “States which have Data Privacy Laws”.
On 28th August, the “Missouri Data Breach Notification Law”, or House Bill 62 took effect, not protecting, but at least enforcing care and attention of residents personal information (Social Security Numbers, Driver’s Licence Numbers, and information which could be used to access a residents financial accounts). Note I use the word “resident”, because, as with the other 47 or so State laws, this one applies to the Residents of Missouri, not to the businesses. If you have Missouri resident information in your datacenter in Tinbuktoo, you are still required (under civil and actual damages) to comply. Read more…
Army National Guard shows how much it cares about 131,000 identities…
National Guard Website
A busy week in the world of data loss, with the report from the Army National Guard Leaders that a personal laptop containing the records of 131,000 former and current guard members was stolen from a contractor on 27th July 2009. The information included the usual culprits – Name, Address, Social Security Number etc.
What this information was doing on a contractors personal device, and not locked up and restricted is undisclosed, but the important thing is that the Army Guard is showing it’s eagerness to resolve the situation and protect its members. Read more…
Changes to PII and PCI regulations in Nevada
This week Linda McGlasson talked on BankInfo security about some changes to Nevada’s data protection stance. Nevada’s laws are no less complex than other states, but interestingly they have a few which, when combined, give a tighter than usual position.
The interesting bills are CHAPTER 603A – SECURITY OF PERSONAL INFORMATION, which deals with the regulations of Business Practices. This law puts the state teeth behind the PCI regulations, enforcing things which the payment card industry require as part of PCI compliance with state-driven criminal and financial penalties. Read more…
TJX (T.J. Maxx) reaches settlement with states on Data Loss
For those who were included in the January 2007 94 million record loss of credit card numbers from TJX (Still the highest loss by number of records ever reported), You may be interested to know that they have agreed a settlement with the 41 various states on the fine. Around $5.5 million of the settlement was for data and consumer protection, and $1.75 million to reimburse the states costs of the investigation.
You can read the details of the deal struck with the FTC from their website. Read more…
Cornell University looses 45,000 records..
datalossdb.org entry / Cornell University Entry
Another typical notification of data loss by an educational establishment. In summary, the personal details of around 45,000 current and former students and staff were lost when the laptop containing them was stolen.
Cornell have been very open with the facts of the matter, their site talks about what they have, and will do about it, and the help they are offering people affected. They also mentioned that their policy is that such data should be either encrypted, or in a secure location. Two things they admit this particular member of staff violated. Read more…
Something is Rotten in the State of Data…
To encrypt, or not to encrypt: that is the question.
Whether ’tis nobler in the mind to suffer
The slings and arrows of user nonacceptance,
Or to take arms against a sea of exploits,
And by opposing end them? To encrypt: to authenticate;
No more; and by authenticate to say we end Read more…
Data Loss Goes Personal…
Today I received yet another of those annoying “We may have lost your personal information…” letters from my bank. No information on how it happened, or what they are doing to stop it happening again. It’s almost as though this was an inevitable and repeatable condition of doing business….
Yet again I’m going to get another bank card, yet again I’m going to have to change the numbers in my Blockbuster, Amazon, etc. accounts, and (again) I have yet another free 12 month subscription to “Identity Theft Monitoring.”
Great news indeed, but I suspect many readers of this blog have also been through this a few times as well.
Lose One Customers data, tell EVERY customer?
For the last few weeks I’ve been traveling around the country presenting at our Security Innovation Alliance roadshow. It’s been great meeting and presenting alongside some of the 60+ companies who’ve chosen to integrate their security products into McAfee’s ePO platform. Looking at the portfolio it seems that soon it might actually be possible to service any IT security need through one pane-of-glass management interface.
One question that came from the audience during one of the sessions surprised me, as it wasn’t about IT at all. The question was “What laws apply to PII in printouts?”
Well, unfortunately the simple and unfortunate answer is – all of them. Read more…
Who?
 | EVP Cyber Product Innovation for Mastercard. Formally the Chief Technology Officer for Intel Secure Home Gateways, CTO for McAfee Enterprise Endpoint, CTO McAfee Innovation team, and Founder/CTO SafeBoot Corp. |
Simon Says - Musings of a Technology CTO 
Comments