Tuesday, June 28, 2011

2011 US Information Security Related Measures

So far, in the first 6 months of 2011, there have been 9 different Information Security related proposals put forward by different Senators that would create new laws or reform existing ones.

February 20, 2011 – Rep. Rush (D-Ill.) reintroduces BEST PRACTICES Act

April 7, 2011 – SEC Regulation S-P mandates that financial firms safeguard confidential info

April 12, 2011 – Senators Kerry and McCain introduce Privacy Bill of Rights

April 13, 2011 – Stearns introduces Consumer Privacy Protection Act of 2011

May 9, 2011 – Rockefeller introduces Do-Not-Track Online Act of 2011

May 12, 2011 – White House proposes Cybersecurity Legislation

June 7, 2011 – Senator Leahy reintroduces Personal Data Privacy and Security Act of 2011

June 13, 2011 – SAFE Data Act

June 15, 2011 – Location Privacy Protection Act

By my count, in 2009 there were approximately 18 different Health Care proposals before the House and Senate each adopted their own. Compared with such a hotly debated and controversial issue, it seems difficult to accept that there is such a lack of consensus on what the next steps are, or should be, for Information Security legislation at the federal level. With the dramatic increase in hacking-related incidents since the Sony DDoS and subsequent compromise, it seems likely that other groups will add their proposals to the mix.

Does this mean that the time is right for legislation to finally be passed? Does this mean that the different interest groups will begin working together? Or does this mean that there is a lack of understanding of the issues, and that further inaction can be expected until this becomes a larger issue with constituents? The problem with any legislation will be that it is difficult to mandate how a particular industry or company implements security in its environment. The credit card industry has been very successful in coming up with its own design, but typically this covers only one part of a whole company's structure, and as we saw with Sony and more recently Citigroup, even big companies have trouble being compliant.

Whatever it does mean, it is still a very positive thing that so many individuals are putting their ideas forward. It may be that multiple laws could be passed, each on their own, or all of these proposals could be refined down to one larger law.

Thursday, June 23, 2011

Senator Leahy Introduces the Personal Data Privacy and Security Act of 2011

According to Senator Leahy's website, the Personal Data Privacy and Security Act provides for:

• Increasing criminal penalties for identity theft involving electronic personal data and making it a crime to intentionally or willfully conceal a security breach involving personal data;

• Giving individuals access to, and the opportunity to correct, any personal information held by commercial data brokers;

• Requiring entities that maintain personal data to establish internal policies that protect the personal data of Americans;

• Requiring entities that maintain personal data to give notice to individuals and law enforcement when they experience a breach involving sensitive personal data; and

• Requiring the government to establish rules protecting privacy and security when it uses information from commercial data brokers, to conduct audits of government contracts with data brokers, and to impose penalties on government contractors that fail to meet data privacy and security requirements.

The Senator has introduced this act several times before. Interestingly, they didn't bother to update the statistic of 9,300,000 victims of computer fraud, which dates from the original version in 2007. The actual number for 2010 would have been more like 16,167,542, as reported by the Identity Theft Resource Center.

The only major change to the act since 2007 is the inclusion of section 103, which, in summary, extends the federal computer fraud laws to cover conspiracy to commit computer fraud. The most interesting part of this bill is that it makes the concealment of a breach a felony punishable by up to 5 years in prison.

Also, just like the Privacy Bill of Rights and the Do-Not-Track act previously discussed, this act imposes limits on civil actions brought by state Attorneys General. In this case, the states are limited to $5,000 per day, up to $500,000. The act does not specify whether this is a per-state limit or a single limit shared by all of the states collectively. If the latter, this particular legislation is definitely a step backward from the other two proposals introduced earlier this year. I'm still not certain whether it would be better to consolidate the three bills, or whether portions of the three bills could stand on their own. Will this be the year some legislation is finally enacted? Certainly there has been a lot of hacking so far in 2011, but it remains to be seen how much legislation can be done in the remainder of this year.

Tuesday, June 14, 2011

Market Forces in Identity Theft

There can be real economic damages to an individual who is the victim of identity theft. The FTC has ruled that it is the individual's responsibility to check their credit card statements for unauthorized charges. If a victim of credit card theft, for example, notifies the credit card company within 60 days of receipt of the statement, then the consumer's liability is limited to $50.

Much of the literature on identity theft assumes that an online identity has a fixed price: say, $0.10 for an email password, $20 for a credit card number, and so on. What this fails to take into account is that there is both supply and demand. Demand is most likely fixed, since there are only so many possible 'fences' for stolen data. When a breach like TJ Maxx, Heartland, or Sony happens, the supply of stolen identities goes up by an order of magnitude while the demand remains the same. Under this assumption, it is likely that the value of an online identity also goes down by an order of magnitude.

Maybe this is good for identity theft overall. What it could do is lower the risk/reward ratio for future identity thieves. If they knock over a small credit card merchant and only get 10,000 credit card numbers, then they may only be able to make 1/10th of what they would have before, while the risk of getting caught remains the same. Economically speaking, this might actually help deter future identity theft.

Wednesday, June 8, 2011

“Do-not-track Online Act of 2011”

This month, Senate Commerce Chairman Jay Rockefeller (D-W.Va.) introduced the “Do-not-track Online Act of 2011”.

Some interesting highlights from the proposed bill: there would be a fine of up to $16,000 per day that you are in violation, with a maximum of $15,000,000 in civil damages available for all civil actions under the bill. The $16,000 maximum is on a per-state basis, so with all 50 states suing, the penalty accrues at $800,000 per day. That means that a vendor could have been exposing your personal information for 19 days before they hit the ceiling.

While that's a big number, it is relatively low compared to the damage that could be done. Credit monitoring alone for a breach of a million accounts could meet that number. It also removes the incentive to address a breach after the 19th day, because there would be no further penalty. A company like Facebook, which has been under enormous pressure to protect the privacy of its users for years, wouldn't be concerned at all with such a low penalty. (At that point, doesn't it become a $15 million license to violate privacy?)

This is an improvement, however, over the Privacy Bill of Rights introduced earlier this year by Senators Kerry and McCain. Their bill contained a very similar section, but with a limit of $16,500 per day capped at only $3 million.

I think if there is any privacy benefit to this rule, it would be that at least there was some stigma associated with a particular exposure, which might have a greater sting for companies like Facebook.