New National Standard for Data Protection and Breach Notification Headed to Senate
by Michael W. Wanik, CPP, CBCP
The Senate Judiciary Committee approved the Personal Data Privacy and Security Act of 2009 (S.1490) by a vote of 15-5 on November 5, 2009. The bill that would implement a national standard for data protection and breach notification is now headed to the full Senate for consideration. The bill was introduced by Sen. Patrick Leahy (D-VT).
If the bill becomes law, it would require companies and government agencies to follow specific rules for protecting sensitive and personally identifiable data.
Under the proposed law, all private and government entities handling sensitive data would be required to implement specific risk assessment and vulnerability testing measures. They also would be required to deploy measures for controlling access to sensitive data, detecting and logging unauthorized accesses to the data, and protecting data while it is in transit and at rest.
The bill would introduce a federal breach-notification standard under which companies would be required to notify, not just individuals affected by a data breach, but also, in some cases, credit reporting agencies and the U.S. Secret Service. It would establish a new Office of Federal Identity Protection within the Federal Trade Commission and stiffen penalties for identity theft and related fraud.
The law would also provide notification exemptions for companies that have taken adequate measures -- such as encryption -- to protect sensitive data. Companies would also not be required to immediately disclose a breach if it would hinder a criminal investigation. But such exemptions would need to be vetted by the Secret Service. The law provides for penalties against executives of companies that willfully conceal a data breach.
If approved, S.1490 would likely preempt similar data-protection laws that have already been passed in 46 states, such as Massachusetts' Standards for the Protection of Personal Information of Residents of the Commonwealth. The Massachusetts law was covered in the October 2009 issue of SSC's Security Matters e-zine, along with information on the HITECH Act (health information) and the Federal Trade Commission's Red Flags Rule.
Many security analysts have argued that it would be easier for companies to comply with one national law than with a patchwork of 46 state laws. Several attempts at passing similar federal legislation over the past three years have failed, however, and it remains unclear whether S.1490's fate will be any different. Growing concerns about identity theft and the criminalization of cyberspace have added an element of urgency to the bill.
SSC can help you identify gaps and provide solutions to the requirements surrounding compliance with the new laws, as well as assist with best-practice guidance.
© 2010 SSC, Inc.