
by Doug Pollack
PriceWaterhouseCoopers recently published a survey on the information security sector titled “Safeguarding the new currency of business”. Given the continued growth in corporate data breach events, the survey is particularly timely and provides valuable insights to corporate security and privacy officers.
One key conclusion surrounds the investment being made in security technologies during 2008. They noted “double digit advances in implementing new security technologies across virtually every security domain, from prevention to detection.”
Given this, it still begs the question of “why enterprise-wide visibility into the crucial details of actual security incidents is so clouded?” Not only is it difficult to clearly assess data breach events, but technology still does not stem data breaches caused by human error, the proverbial “lost laptop”.
They note appropriately that “the acute focus on technology over the last year has not been matched by an equally robust commitment to other critical drivers of security’s value such as: (1) many of the critical business and security processes that support technology, and (2) the people who administer them.”
This may presage the priorities that we may see taken on in corporate America to address the on-going security breach issues that continue to be so commonplace.
by Doug Pollack
This week Ben Worthen of the Wall Street Journal published an article titled “New Data Privacy Laws Set for Firms” describing new laws that will affect business of all shapes and sizes in terms of how they protect the personal information of their customers and clients.
Laws related to data privacy enforcement have been enacted by several states, including Massachusetts and Nevada thus far, and numerous other states are considering similar laws. Mr. Worthen notes that:
“While it isn’t clear if state authorities intend to crack down on mom-and-pop businesses — the attorney general in Massachusetts is still developing an enforcement policy, a spokeswoman said — the laws establish a liability that could be used in civil suits against businesses following a data breach, privacy lawyers said.”
Over 40 US states have already enacted breach notification laws that speak to an organization’s requirements to notify individuals who may be affected by a loss of data (a data breach). These new laws are intended to speak to how companies are required to protect personal information.
While existing Red Flag laws mandate financial institutions to take certain measures to protect the personal information of account holders, these laws do not cover the broader base of businesses and government organizations that also maintain databases that include personal information on employees, customers, vendors and the like.
As noted by Daniel Crane, undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation, “Breach notification laws deal with what happens after the horse leaves the barn.” The new regulation in his state “is intended to prevent the horse from getting out of the barn in the first place.”
by Doug Pollack
This week President Bush signed into law the Identity Theft Enforcement and Restitution Act of 2008. As reported in the Washington Post, this law will:
“make it easier for prosecutors to go after cybercrooks, while ensuring that identity theft victims are compensated for their time and trouble when convicted identity thieves are forced to cough up ill-gotten gains.”
It can take the victim of ID crime hundreds of hours to restore themselves to pre-theft condition. This law enables them to be compensated for this time at a level:
“equal to the value of the time reasonably spent by the victim in an attempt to remediate the intended or actual harm incurred by the victim from the offense.”
The FBI has set up a clearinghouse for addressing cybercrime complaints called the Internet Crime Complaint Center. It works closely with a range of law enforcement agencies and private sector organizations.