Data Security Welcome

Dealing with Data Security is a newsletter for IT Security Managers and those in the IT Security field, delivered straight to your inbox every week.

There’s certainly no shortage of IT Security information on the web. Our weekly newsletter cuts through the noise and delivers a selection of pertinent products, notable events, and recent information on new developments in the IT Security industry. Each update can be read in 10 minutes or less, which means you can take the pulse of the entire IT security industry over a cup of coffee.

Don’t waste time dodging spam – you get enough of that at work. Sign up today and stay informed.


Eye-Popping Stat of the Week

Data breaches are up internationally, as the Office of Data Protection in Ireland reports a 125% increase in complaints filed in Great Britain under the Privacy in Electronics Regulations over the last two years. The report, straight from the Data Protection Commissioner’s office, also reviewed additional information on audits that have been carried out on the INFOSYS database, a national data breach notification system run by the Department of Social Protection. The final report showed similar trends across a broad range of electronic intrusions, marking the largest twelve-month increase in complaints on record.

Big Time Breach of the Week

As we discussed last week, the Scripps Howard News Service reported that low-income phone service providers TerraCom Inc. and YourTel America Inc. were responsible for a security breach that left over 150,000 customer records exposed to electronic theft. In a surprising twist, TerraCom has issued a press statement claiming that individuals within Scripps News used “sophisticated computer techniques” to intentionally hack into their systems and view non-public information, an astounding and unprecedented counter-accusation. TerraCom has accepted responsibility for the breach and is repairing the damage, while Scripps representatives have issued a flat denial of any wrongdoing. More details as they emerge.

Security Hole of the Week

Oracle has announced that a critical Java patch is arriving on June 18th, dovetailing with their existing once-every-four-months update cycle. This patch looks to be much bigger than normal, with at least 40 potential security holes being closed in the dated software platform. Not all the details have been released on what, specifically, this patch is addressing. As a result, some insiders believe that Oracle may have discovered a handful of zero-day exploits that have, so far, remained dormant. Either way, be sure to download and install the patch this Tuesday morning – it sounds important.

Shiny New Object of the Week

US corporate security company Blue Coat Systems announced last month that it will acquire Solera Networks, a Utah-based analytic enterprise that specializes in security intelligence and big data security. The primary focus of the buyout was acquisition of the DeepSea platform, a comprehensive data forensic tool developed and improved by Solera over the last several years. Together, the two companies serve over 15,000 clients, including 85% of the companies listed on the Global Fortune 500 list. While not yet officially announced, the market is confident that a Blue Coat security package incorporating DeepSea functionality is on the way, one that will offer robust real-time attack tracking unlike anything presently available.

Current Featured Article

FTC v Wyndham


A mounting legal battle between the Wyndham Hotel chain and the FTC highlights a crucial lesson in data management. And if you travel regularly, for business or pleasure, it’s worth taking note of the details of this case.

According to the FTC, the Wyndham Hotel chain has been negligent in their efforts to provide data security for customers since 2008. At issue specifically is the encryption (or lack thereof) employed in the handling of sensitive consumer information, such as names, birthdates, and credit card numbers. This information could easily be used to forge an identity if it fell into the wrong hands, which is precisely why the FTC has charged Wyndham with failing to provide adequate data security measures for hotel customers.

In a surprise move, Wyndham has attempted to block further progress of the lawsuit by filing to dismiss based on lack of authority. According to legal representatives of the Wyndham chain, the FTC does not have the right, the authority, or the mandate to force private enterprises to ensure any level of data protection when it comes to handling personal information. The FTC Act – the legal charter that outlines the governance of the FTC – says nothing about protecting data, therefore the FTC is overstepping their bounds, say Wyndham attorneys.

It should be noted that Wyndham’s track record on this issue is rather poor. The FTC brief shows that three major incidents of intrusion and identity theft can be blamed on lackluster data protection policies instituted by the hotel chain, and that the risk of future data breaches of existing customers is unacceptably high. However, the question of whether or not the FTC has the authority to compel private enterprises to meet minimum data security standards is a fair one, and it deserves a fair response.

Let’s review. First, the FTC Act was originally passed in 1913 – long before the advent of personal computers, credit cards, and electronic communication. At the time, the FTC was instituted as a trust-busting measure under President Wilson – the first of what would be many attempts by the American government to prevent large conglomerates and corporations from fleecing a growing consumer base by arbitrarily raising prices or lowering product quality. In spirit, this effort by the FTC is very similar – an attempt to prevent a large corporation from sticking it to the little guy.

More importantly, the reality is that the FTC is the only agency capable of watchdogging private companies and ensuring that a minimum level of electronic protection is used to safeguard customer information. The FTC already has a multitude of requirements for private enterprise when it comes to meeting a specific level of service in other areas, therefore it makes sense to empower the FTC to mandate the protection of data and to give them the authority they need to compel companies to fall in line – especially companies that regularly handle personal information, such as, for instance, large hotel chains.

The safe prediction is that the motion to dismiss will be appropriately dismissed, and that the resulting legal case will establish, once and for all, that the FTC can tell companies to jump, and how high. I know we might not always like to see federal agencies expand the number of regulations they can lay on private companies, but requiring a minimum level of data protection for sensitive information? Seems like a no-brainer to me.

-- Jubal McMillan, Editor

More Information:

http://blogs.wsj.com/cio/2013/05/30/wyndham-lawsuit-tests-ftc-cybersecurity-authority/

https://www.cdt.org/blogs/gs-hans/2105data-security-and-your-next-hotel-stay-how-ftc-encourages-strong-security-practice

http://en.wikipedia.org/wiki/Federal_Trade_Commission