Information Security Standards and Certifications in Contracting

When organizations contract for outsourced IT services, they look for assurances that the vendor will provide adequate security, often in the form of a security schedule or annex to the contract, or by reference to a widely accepted information security standard. In some cases, the customer insists as well on a certification or audit by an expert third party.

Business managers and lawyers often have only the vaguest notions of what these schedules, standards, and certifications mean. They rely on the organization’s IT staff or consultants for “the technical stuff.” But in the end it is the business managers and lawyers who determine what the organization needs, operationally and contractually. To do that well, they should have at least a basic understanding of the more common information security standards and certifications.

Live from the IAPP Global Privacy Summit in Washington, DC, It's Monday Afternoon

This week, I will be providing short updates from the IAPP Global Privacy Summit in Washington, DC.  The conference will be in full swing tomorrow, and I will report on various panels and topics of interest.  In the meantime, as I prepare to see old and new friends at the Welcome Reception this evening, a few thoughts on what I expect to see and hear a lot over the next few days:

  • How can we harmonize the EU Data Protection Directive and EU member country privacy laws with the flow of data in today's global economy?  It is unfortunate that a number of IAPP participants from the EU will not make it to DC for the Summit this year due to the Icelandic volcano.  Nonetheless, I expect active dialogue regarding cross-border data transfers, safe harbor v. standard contractual clauses v. binding corporate rules, and, in particular, the impact of the growth of cloud computing and other outsourcing arrangements (or, at least, the growth of the hype around cloud computing).  It would also be nice to hear more about the EU Cookie Consent law - there is a panel scheduled to take place, but unknown if that will happen in light of the volcano debacle.
     
  • HIPAA/HITECH and Medical Identity Theft:  Health care privacy topics are hotter than ever, especially with the growing number of reported security breaches affecting more than 500 individuals under the new HHS breach notification rules promulgated pursuant to the HITECH Act.
     
  • "Reasonable Security":  What does Massachusetts think?  What does the FTC think?  What in the world is it and how in the world can organizations comply?
     
  • On a related note, FTC Enforcement, with a focus on behavioral marketing issues and evolving notions of notice and consent.  What trends will we see over the next several years, particularly with the growth of social media and online behavioral advertising?
     
  • Social media:  how it affects the workplace, corporate policies and procedures, and "reasonable expectations" of privacy.
     
  • The forecast for federal legislation - not just on breach notification, but security requirements, online behavioral marketing and, getting lots of media attention these days, potential revisions to ECPA (being driven, once again, by the cloud computing explosion).
     
  • Breaches, breaches, and more breaches.  Of course.

A few things that appear to be missing from this year's agenda - the FTC's current review of the rules under the Children's Online Privacy Protection Act (COPPA), enforcement of the Red Flags Rule (the FTC will start enforcing the Rule June 1), and the growing number of state laws (Washington, Nevada, Minnesota) requiring compliance with the PCI Standard.

Stay tuned, I will endeavor to post developments on a daily basis.

Nevada's Security of Personal Information Law Post Four: Encryption and PCI Compliance Requirements

The following FAQs address the encryption and PCI compliance requirements of Nevada's Security of Personal Information Law, which were added pursuant to a recent amendment to the law.  The rest of the FAQ is linked to here.

FAQ on Nevada's Security of Personal Information Law (NRS 603A)

InfoSecCompliance ("ISC") was recently asked by a prospective client to provide a summary of Nevada's Security of Personal Information law (NRS 603A) and a recent amendment to the Security Law that incorporated the Payment Card Industry Data Security Standard ("PCI"). ISC decided to try something new and create a Frequently Asked Questions document around the PCI requirements contained in the Security Law. For better or worse (after sinking in 15 - 20 hours) ISC ended up doing FAQs for the entire Nevada Security Law. This turned out to be a much bigger work than originally anticipated, so ISC is going to do a five-part blog post series breaking down the Nevada Security Law into (hopefully) digestible parts.

Nevada Law Incorporates PCI and Provides a Liability Safe Harbor

Nevada appears to be the second State to incorporate the Payment Card Industry Data Security Standard (PCI) into its personal information security law. Minnesota is the other State that incorporated part of PCI into its law. 

Credit Card Thieves So Good They Have Too Much Data...

Some interesting statistics from a new report from Verizon Business. The Washington Post security writer sums it up nicely in terms of the payment card data market:

[Verizon] said it responded to at least 90 confirmed data breaches last year involving roughly 285 million consumer records, a number that exceeded the combined total number of breached records from cases the company investigated from 2004 to 2007. Breaches at banks and financial institutions were responsible for 93 percent of all such records compromised last year, Verizon found.

This has resulted in a huge decrease in the price per credit card in the black market:

As a result, the stolen identities and credit and debit cards for sale in the underground markets are outpacing demand for the product, said Bryan Sartin, director of investigative response at Verizon Business.  Verizon found that profit margins associated with selling stolen credit card data have dropped from $10 to $16 per record in mid-2007 to less than $0.50 per record today.

Ruiz v. Gap: Increased Risk of ID Theft Not Damages

In a previous post this blog noted that a California Federal District Court denied a motion to dismiss a data breach negligence claim based on a lack of "damages."  Despite the partial "victory," the Court had also suggested that the damages issue might not survive a motion for summary judgment.  Well, the Court made its own prediction come true in a recent ruling.

On April 4, 2009, the court issued a decision indicating that an increased risk of identity theft did not rise to the level of harm necessary to maintain a negligence claim.  This was true despite evidence from experts indicating an increased risk that the plaintiff's personal information was exposed.  Without evidence of actual significant exposure of the plaintiff's personal information, the Court indicated that analogies to "medical monitoring" damages were not supported.

This case is another in a line of cases establishing that, absent actual identity theft, it is uncertain whether a consumer plaintiff in a data breach case can win in court.

Who is Minding the Legal Risk Around PCI?

An article I did for the ISSA Journal:  Who is Minding the Legal Risk Around PCI?

More Companies Validated as PCI Compliant Breached

Despite the changes to PCI that went into effect in October 2008, more PCI-compliant entities are suffering security breaches.  Added to the list of Hannaford, Best Western and Forever 21 are Heartland Payment Systems and RBS Worldpay.

Correction Re: Connecticut Retailer Liability Law

All, I have to issue a correction concerning my reference to a Connecticut law in the article entitled "The Legal Implications of PCI." In that article I indicated that Connecticut had passed a law allowing banks to sue retailers. I received information from a source that turned out to be erroneous. In fact, Connecticut considered a bill with retailer liability in it, but ultimately the provisions providing for retailer liability were stricken. The only State with a specific law providing relief to financial institutions for a security breach involving cardholder data is Minnesota. The updated/corrected article is here: Legal Implications of PCI. I apologize for the mistake.