Posts Tagged ‘Personally identifiable information’

President Obama’s cybersecurity plan – Part 2 Data Breach Notification Act

Published by pratyushkp on May 19th, 2011 - in Uncategorized


Following up on yesterday’s post outlining the proposed changes to RICO and the Computer Fraud and Abuse Act, today I will dissect the White House’s proposal for the National Data Breach Notification Act.

Currently 47 states have data breach notification laws with varying rules and requirements. This makes it very difficult for national and multinational organizations to understand when they must report lost or stolen data and how they must report it. The idea of a national law in the US has been debated for a couple of years now, and this proposal seems to strike a nice balance.

First, the definition of Personally Identifiable Information, or PII:

  1. Full name plus any two of the following
    1. Address and phone number
    2. Mother’s maiden name
    3. Month, day, and year of birth
  2. Social Security Number (SSN), driver’s license number, passport number, alien registration number, or other government issued identification number
  3. Biometric data such as fingerprints, retinal scans, etc.
  4. Unique account numbers, financial account numbers, credit card numbers, debit card numbers, electronic IDs, user names or routing codes
  5. Any combination of the following
    1. First and last name or first initial and last name
    2. See item four above
    3. Security codes, access codes, passwords or source codes used to derive the aforementioned

The new rules would apply to any business possessing the PII of 10,000 or more individuals in a 12-month period. They would supersede any existing state laws, creating one unified national standard.

Organizations discovering lost or stolen PII would have 60 days to notify affected customers unless law enforcement or national security concerns intervene. If there are extenuating circumstances, organizations can provide proof to the Federal Trade Commission (FTC) that they require up to an additional 30 days.

The proposal includes a “safe harbor” provision when measures are in place to protect data (encryption). Organizations must still report the data loss to the FTC within 45 days, including a professional risk assessment, logs of access to the data and a complete list of users who had access to the protected data.

If the data is determined to have been properly protected and the evidence is submitted on time, individual notifications would be unnecessary. Financial institutions that only lose account numbers are also exempt if other protective measures are in place to prevent fraud.

After a data loss incident, organizations would be required to notify individuals by letter, phone or email.

Notices would include what information was compromised and a toll-free number to contact the company responsible to obtain more information. If a third party lost the data, the notice must include the name of the original collector (direct business relationship) of the PII.

States may pass laws requiring notifications to include information about identity theft/fraud prevention.

When more than 5,000 victims are involved, organizations would be required to do the following:

  • Place advertisements in mass media ensuring potential victims are aware of the risk they are being exposed to.
  • Notify all consumer credit reporting agencies of the victims within 60 days of discovery.

Businesses would be required to notify the Department of Homeland Security for law enforcement purposes when any of the following are true:

  • The breach contains, or is believed to contain, PII on 5,000 or more individuals.
  • The breach involves a database or network of databases that contain PII on 500,000 or more individuals.
  • The breach involves a database owned by the United States government.
  • The breach involves PII of employees or contractors of the United States government involved in law enforcement or national security.

Notice to DHS must occur 72 hours before individual notices are served, or 10 days after discovery of the incident, whichever comes first.

The proposed rules would be enforced by the FTC after consultation with the US Attorney General to ensure there is no interference with ongoing criminal investigations. State Attorneys General would also be able to enforce the rules within their jurisdiction after notifying the FTC.

Penalties for non-compliance would be $1000 per person affected per day, for a maximum of $1 million. There would not be a maximum penalty if it is determined the non-compliance was willful or intentional.

Organizations that are required to comply with HIPAA or HITECH data protection laws are exempt from this legislation.

It appears the Obama Administration and Howard Schmidt, the President’s Cyber-Security Coordinator, have taken careful notes from the different laws passed by individual states. This proposal is a great start to making data security a priority and contains provisions to make adjustments after implementation.

Why not download the “The State of Data Security” report we published today? It covers the most prominent data loss incidents and details the actions you can take to prevent you from being the next company to have to notify your customers.

Source: http://nakedsecurity.sophos.com


How Mother’s Day Facebook celebrations can lead to identity theft

Published by pratyushkp on May 9th, 2011 - in Social, Technology

A couple of weeks ago Sophos explained why you shouldn’t reveal your Royal Wedding guest name. Now Sophos have to warn you that celebrating Mother’s Day can lead to you giving away too much personal information about your children.

Here’s a message which has been passed around on Facebook for a few days:

In honor of Mother's Day...If you are a proud mother re post with the name, birth date, & birth weight of your child/children!

Mother's Day post on Facebook

See what they’ve done? They’ve told me the names of their children and their precise dates of birth. And I’m not even friends with them; they’ve left their profiles open for the entire world to see because they haven’t followed best practice guidelines for Facebook privacy settings.

And – don’t forget – when you share a piece of information with everyone on Facebook, that actually means the entire internet, forever. This information by itself may not be enough to commit identity theft against your child, but it’s a stepping stone that can help fraudsters.

You shouldn’t post this kind of personal information onto the internet – tell people you love your children and are proud of them without revealing their full names or dates of birth.

If you use Facebook and want to learn more about threats, you should join the Sophos Facebook page where we have a thriving community of over 80,000 people.

Source: http://nakedsecurity.sophos.com


Sony admits breach larger than originally thought, 24.5 million SOE users also affected

Published by pratyushkp on May 4th, 2011 - in Social, Technology

Sony disclosed today that the breach affecting its PlayStation Network (PSN) that saw 77 million records lost was larger than they originally thought. Not only were the details of PSN users stolen, but another 24.5 million records related to users of Sony Online Entertainment were stolen as well.

Sony Online Entertainment (SOE) is the division of Sony responsible for many of their popular online role-playing games like DC Universe Online and Star Wars: Clone Wars Adventures. As in the PSN breach, the lost information included names, addresses (city, state, zip, country), email addresses, gender, birthdates, phone numbers, login names and hashed passwords.

In news perhaps worse than the disclosure from two weeks ago, Sony is saying that 12,700 credit and debit card numbers and expiration dates of non-US customers and 10,700 direct debit accounts (bank account numbers) for users in Germany, Austria, the Netherlands and Spain may also have been stolen.


Unlike the credit cards from PSN, which Sony assured the public were encrypted, no mention was made in Sony’s press release about the information from SOE being protected.

Sony was quick to note that the passwords had been hashed, but has not disclosed which hashing algorithm was used and whether they used a salt when calculating the hashes.

Sony mentioned that the lost credit/debit card information and direct debit banking information was stored in an “outdated database from 2007.”

WHAT??!?! How many locations on your network are housing other “lost” financial data? Do you even know where my information is to check whether it has been stolen?

Whether Sony’s bad practices are an act of hubris or simply gross incompetence is hard to discern. Let’s hope for the sake of Sony’s customers and the poor souls in their public relations department that this is the last disclosure they will need to make related to this incident.

It is important to remember that Sony is a victim as well, not just the 101.5 million customers whose personal information has been disclosed. Malicious attacks like this are a serious crime; it is just unfortunate that Sony had not taken a few preventative measures to be sure our information was safe.

For more information on how to keep your data safe, visit our Data Loss and Regulations site to download free tools, papers and other advice on keeping your data safe.

Source: http://nakedsecurity.sophos.com
