Data Security Weekly

The recently released Data Protection and Breach Readiness Guide published by Online Trust Alliance, a non-profit organization dedicated to educating and empowering those who do business over the Internet, reports that over 740 million individual records have been compromised since last January, a staggering figure that marks 2013 as the year of the data breach. The report further shows that 89% of these breaches were fully preventable with up to date security policies, and that 76% of these attacks were [see more...]

Bell Canada suffered an attack on February 1st that compromised the accounts of as many as 40,000 telecom customers. Usernames, passwords, addresses, and an uncertain number of credit card numbers were all pilfered and uploaded to a publicly visible website frequented by hackers. Even though the information was promptly identified as stolen, and the website has subsequently been shut down, officials are uncertain whether or not the information was captured by identity thieves. Bell Canada customers are encouraged to keep [see more...]

A vulnerability in a third party database system has been identified as the root cause of the coordinated attack on Yahoo mail servers that compromised as-yet unknown number of Yahoo Mail accounts. The VP of Platform and Personalization Products for Yahoo, Jay Rossiter, states that the Yahoo tech team “took immediate action to protect our users, prompting them to reset passwords on impacted accounts.” While this will likely protect Yahoo accounts going forward, users who maintain similar login credentials across [see more...]

Newly announced from Dell, the Wyse Cloud Connect is the first managed, secure, and fully mobile cloud-access dongle available to the general public. Boasting quick and efficient end-to-end desktop virtualization capability, along with enterprise-grade customization and data protection options, the palm-sized device allows remote access to personal cloud services on any HDMI or MHL display. The Wyse Cloud Connect grants a tremendous amount of portability, and if it’s as secure as Dell claims, it sounds like a handy item to [see more...]

After facing down widespread data breaches throughout the retail sector, we all knew it was only a matter of time before legislation arrived. Whether that legislation will provide boon or boondoggle only time will tell, but there is good cause to be hopeful.

The most recent iteration of Washington’s solution for all things malware is a resurrection of the Data Security and Breach Notification Act, a bill that’s been sitting in limbo since June of last year. With all that’s happened in the last two months, Congress has dusted it off and decided to take another look.

The core of the bill revolves around two mandates: applying universal requirements for businesses to notify customers that their data has been compromised, and laying out new guidelines on minimum data security requirements for companies that collect, store, or build transactions around sensitive customer information.

The first portion of the SBN Act, universal requirements on notifying customers when their personal data has been compromised, is a move in the right direction. At present, there are no hard and fast rules that dictate to companies when (or sometimes even if) customers need to be notified in the wake of a data breach. It should be noted that larger corporations are often actually more likely to notify customers of a breach, simply because holding back such information can lead to a significant backlash in customer loyalty when the details finally do come out.

Smaller companies, and companies in the financial sector, are more likely to sit on a data breach and wait for an opportune moment to release the details to the public. This is good for the company, but bad for the individual – getting hit by an identity thief with no warning whatsoever can be catastrophic. For this reason alone, establishing firm rules on notification is a good thing.

Where the bill gets murky, however, is in establishing minimum levels of corporate security going forward. The Target breach is a galvanizing event that’s brought players from both the public and private sectors together to search for a workable way to protect our increasingly vulnerable tech sector, but the SBN Act throws all responsibility for establishing the new security guidelines at the feet of the FTC.

Sure, tasking the FTC with final oversight on security guidelines makes sense – the FTC already handles consumer protections on a wide range of issues. But this particular law is protecting both consumers and the businesses who sell to them. As such, there should be some level of input from the private sector on what kinds of minimum standards should be applied, what kind of time frame it will take to implement these changes, and what kinds of fines or reprimands will be levied against business that do not comply with these new rules.

The SBN Act is a tremendous opportunity for both lawmakers and leaders in the business community to step forward and assuage the fears of a nervous public, which would do much to rejuvenate our economy. Data security is a singular issue that transcends party lines, largely because effective data protection provides a universal benefit, not just a benefit to one party or the other.

As it stands, the SBN Act could be a landmark piece of legislation that earnestly improves our national data infrastructure, or it could be a dismal failure doomed to the dustbin of history. If lawmakers on both sides can come together – and if the private sector can get a word in sideways – it may well be the most important bill Congress passes this year.

-- Jubal McMillan, Editor

More Information:

http://thehill.com/blogs/hillicon-valley/technology/197161-lawmakers-mull-data-security-legislation

http://politicalnews.me/?id=26934&keys=DATA-BREACHES-LEGISLATION-PENALTIES

http://en.wikipedia.org/wiki/Federal_Trade_Commission