July 1, 2011
Mississippi’s data breach law, enacted in 2010, comes into effect today (July 1, 2011), and brings to 46 the number of U.S. states that have data breach notification laws in effect. The District of Columbia, Puerto Rico and the U.S. Virgin Islands also have such laws. The only states that remain without data breach notification laws are Alabama, Kentucky, New Mexico and South Dakota.
Mississippi’s statute on the matter is similar to that of most of the other states that address data breaches. Notification is required if there is a covered data breach by an entity or person doing business in the state, with exceptions for encrypted data or an incident that has been reasonably determined after an appropriate investigation to not be likely to result in harm to the affected individuals.
July 1, 2011
It’s not often that matters that fall into the techy-wonk category make the editorial page of the NY Times. So, it’s noteworthy that the lead editorial in yesterday’s Times expressed many of the commonly cited security and privacy concerns and risks associated with cloud computing. The commentary was by no means of the doom-and-gloom variety and could be viewed as both a validator that the cloud is now just about as mainstream as any technology phenomenon — if the recent fanfare around Apple’s announcement of iCloud or the seemingly ubiquitous “Cloud with Confidence” commercials by Cisco, among many other things, hasn’t already made that evident — and a harbinger of even more regulatory focus on ensuring online privacy and security, which has been simmering now for quite a while.
Photo Credit: Mammatus Storm Clouds, by Derrich, Wikimedia Commons
June 22, 2011
As the business and consumer worlds migrate their activities to the cloud, it’s logical that participants in the payment card ecosystem are also part of that inexorable movement toward all things cloud. Relevant legal rules and industry best-practice standards are still catching up to this shift. In keeping with this, after ruminating on related considerations for some time, the PCI Security Standards Council last week issued a supplement to its PCI Data Security Standard focused on the particular risks associated with virtualized computing environments and resources, including cloud computing. Not surprisingly, the general rule of thumb is that if a security control is required in a non-virtual computing environment, that control is also required in the virtual environment. However, the PCI document, entitled Information Supplement: PCI DSS Virtualization Guidelines, recognizes that assessing and addressing the security risks posed by virtualization technologies presents more daunting challenges than is the case with non-virtual resources.
While there is good discussion within the Guidelines about many technologies, I found the cloud computing discussion most interesting. The Guidelines recognize that each cloud service needs to be evaluated for its specific security and processing attributes in relation to PCI DSS compliance. However, because of the generally comprehensive functions performed by many SaaS cloud providers as opposed to user organizations, the Guidelines make clear that greater PCI compliance burdens will likely be the responsibility of the cloud service provider and, as a result, the Guidelines outline a variety of matters for which a cloud services user should seek assurance from the provider.
Link to Supplement
June 9, 2011
Starting June 15, 2011, audits of the internal controls of a service provider for several key service areas will be based on a new audit standard, SSAE 16, promulgated by the American Institute of Certified Public Accountants (AICPA) rather than the currently prevailing SAS 70 standard, which was originally introduced in 1992. Along with this new standard are new associated report standards — Service Organization Control (SOC) Reports, of which there are three: SOC 1, SOC 2 and SOC 3.
The increased attention in recent years given to an organization’s internal controls has somewhat naturally extended to the internal controls of service providers and support partners. This is based partly on the simple notion that any given control environment is only as strong as its weakest link, so validation of controls implemented by significant service providers makes sense. Where confirmation of a service provider’s controls has been sought, it has long been customary to request a SAS 70 report from the service provider. SAS 70 is principally a standard that allows an auditor to confirm that its clients’ service providers have adequate controls in place to the extent those controls have an impact on client financial statements. While SAS 70 is not truly focused on specific controls or on whether controls can be said to have been effective over a stated period, in the absence of anything more tailored the SAS 70 report was made to do double duty as a rough proxy for service provider security controls. SSAE 16 and the new SOC reports were specifically intended to address this shortcoming.
March 15, 2011
In January of this year the National Institute of Standards and Technology (NIST) released two draft publications that both provide useful information for better understanding the issues raised by cloud computing.
The NIST Definition of Cloud Computing (Special Pub. No. 800-145) sets forth five essential characteristics that define cloud computing, which are:
- On-Demand Self-Service
- Broad Network Access
- Resource Pooling
- Rapid Elasticity
- Measured Service
Three principal cloud service models are also described: (i) Software as a Service (SaaS), (ii) Platform as a Service (PaaS), and (iii) Infrastructure as a Service (IaaS). Because the term “cloud computing” is used so loosely to refer to many variations on the central characteristics, these definitions should assist businesses and other organizations to have more meaningful discussions with organizational stakeholders and service providers about cloud services.
The NIST Guidelines on Security and Privacy in Public Cloud Computing (Special Pub. No. 800-144) provides a useful overview and discussion of key security and privacy concerns. Although this document is written as a set of guidelines for public procurement officials and managers involved with technology implementation, many of the considerations identified in the Guidelines are equally applicable to businesses. Particularly helpful are the contract negotiation aspects sprinkled throughout the discussion.
February 3, 2011
In December 2010, the Federal Trade Commission issued an extensive staff report outlining a proposed new framework for consumer privacy protections for use by businesses. The report, a copy of which is available here, results from an extensive review and a series of public roundtables conducted by the FTC over the past year on evolving privacy issues.
The framework contemplates three core principles: (i) so-called “privacy by design”, which requires an organization to promote sound privacy practices throughout all aspects of its operations and product or service offerings, (ii) simplified consumer choice, and (iii) greater transparency about data practices. The report is also useful in providing extensive background on the FTC’s enforcement activities in the privacy area.
Because the FTC plans to sort through the public comments solicited on the report (the comment deadline was recently extended from January 31 to February 18) and to decide later in 2011 what further recommendations it might make based on that feedback, it is too early to assess whether the proposed framework will, in fact, result in a notable shift in the FTC’s approach to enforcement of offline and online privacy practices.