State Data Breach Laws: Mississippi Makes 46

July 1, 2011

Mississippi’s data breach law, enacted in 2010, comes into effect today (July 1, 2011), and brings to 46 the number of U.S. states that have data breach notification laws in effect.  The District of Columbia, Puerto Rico and the U.S. Virgin Islands also have such laws.  The only states that remain without data breach notification laws are Alabama, Kentucky, New Mexico and South Dakota.

Mississippi’s statute on the matter is similar to that of most of the other states that address data breaches.  Notification is required if there is a covered data breach by an entity or person doing business in the state, with exceptions for encrypted data or an incident that has been reasonably determined after an appropriate investigation to not be likely to result in harm to the affected individuals.

You Know Cloud Security Is An Issue When . . .

July 1, 2011

It’s not often that matters that fall into the techy-wonk category make the editorial page of the NY Times.  So, it’s noteworthy that the lead editorial in yesterday’s Times expressed many of the commonly cited security and privacy concerns and risks associated with cloud computing.  The commentary was by no means of the doom-and-gloom variety.  It could be viewed both as confirmation that the cloud is now about as mainstream as any technology phenomenon — if the recent fanfare around Apple’s announcement of iCloud or the seemingly ubiquitous “Cloud with Confidence” commercials by Cisco, among many other things, hasn’t already made that evident — and as a harbinger of even more regulatory focus on ensuring online privacy and security, a focus that has been simmering for quite a while.

Photo Credit: Mammatus Storm Clouds, by Derrich, Wikimedia Commons

PCI DSS Guidelines Issued for Virtualized Environments, including Cloud Computing

June 22, 2011

As the business and consumer worlds migrate their activities to the cloud, it’s logical that participants in the payment cards ecosystem are also part of that inexorable movement toward all things cloud.  Relevant legal rules and industry best-practice standards are still catching up to this shift.  In keeping with this, after ruminating on related considerations for some time, the PCI Security Standards Council last week issued a supplement to its PCI Data Security Standard focused on the particular risks associated with virtualized computing environments and resources, including cloud computing.  Not surprisingly, the general rule of thumb is that if a security feature is required in a non-virtual computing environment, that feature is also required in the virtual environment.  However, the PCI document, entitled Information Supplement: PCI DSS Virtualization Guidelines, recognizes that assessing and addressing the security risks posed by virtualization technologies presents more daunting challenges than is the case with non-virtual resources.

While there is good discussion within the Guidelines about many technologies, I found the cloud computing discussion most interesting.  The Guidelines recognize that each cloud service needs to be evaluated for its specific security and processing attributes in relation to PCI DSS compliance.  However, because of the generally comprehensive functions performed by many SaaS cloud providers as opposed to user organizations, the Guidelines make clear that greater PCI compliance burdens will likely be the responsibility of the cloud service provider and, as a result, the Guidelines outline a variety of matters for which a cloud services user should seek assurance from the provider.


More Alphabet Soup for Internal Controls: SSAE 16, SOC 1, SOC 2 and SOC 3

June 9, 2011

Starting June 15, 2011, audits of the internal controls of a service provider for several key service areas will be based on a new audit standard, SSAE 16, promulgated by the American Institute of Certified Public Accountants (AICPA), rather than the currently prevailing SAS 70 standard, which was originally introduced in 1992.  Along with this new standard come new associated report standards — Service Organization Control (SOC) Reports, of which there are three: SOC 1, SOC 2 and SOC 3.

The increased attention given in recent years to an organization’s internal controls has naturally extended to the internal controls of its service providers and support partners.  This is based partly on the simple notion that any control environment is only as strong as its weakest link, so validation of the controls implemented by significant service providers makes sense.  Where confirmation of a service provider’s controls has been sought, it has long been customary to request a SAS 70 report from the provider.  SAS 70 is principally a standard that allows an auditor to confirm that its clients’ service providers have adequate controls in place, to the extent those controls have an impact on the clients’ financial statements.  While SAS 70 is not truly focused on specific controls, or on whether controls can be said to have been effective over a stated period, in the absence of anything more tailored the SAS 70 report was made to do double duty as a rough proxy for service provider security controls.  SSAE 16 and the new SOC reports were specifically intended to address this shortcoming.

Social Media and Debt Collectors

May 23, 2011

Under the Fair Debt Collection Practices Act (FDCPA), debt collectors are restricted in the manner in which they may seek to collect a debt.  Among those restrictions are strict limits on communications with debtors and a prohibition on deception in those communications.  An article on the use of social media by debt collectors that I read last week in the American Banker (article access may require a subscription), which does a pretty good job of covering technology issues related to the financial and payments industry, focused my attention on this topic as an example of how business practices involving social media raise questions about what should be allowed.

If we think of social media applications as simply variations on other communications tools, there should not be much difficulty in analyzing whether the FDCPA rules apply to social media when used by debt collectors — generally speaking, the rules should apply.  Yet the extent to which the FDCPA limits social media use by debt collectors is an open issue in some circles.  So much so that, as the American Banker article mentioned above reports, a court in Florida recently issued an order restraining a debt collector from contacting a debtor via Facebook.  As another example, a story on The Consumerist website reports a particularly interesting and extensive use of Facebook by a debt collection agency to friend unsuspecting debtors and thereby collect information that might otherwise not be available to the collectors.

Expect the states and the FTC to step into what appears to be something of a void — putting aside whether it should even be regarded as that.  On April 28, the FTC held a day-long public workshop entitled “Debt Collection 2.0: Protecting Consumers As Technologies Change”, for which the period to submit additional public comments runs through May 27.  Given all this, it is likely that the FTC will either recommend a regulatory framework or step up its own enforcement actions based on its authority to investigate unfair and deceptive trade practices.

Graphics Credit: Terinea IT Support on Flickr

NIST Releases Cloud Computing Security and Privacy Guidelines

March 15, 2011

In January of this year the National Institute of Standards and Technology (NIST) released two draft publications, both of which provide useful additional information for better understanding the issues raised by cloud computing.

The NIST Definition of Cloud Computing (Special Pub. No. 800-145) sets forth five essential characteristics that define cloud computing, which are:

  • On-Demand Self-Service
  • Broad Network Access
  • Resource Pooling
  • Rapid Elasticity
  • Measured Service

Three principal cloud service models are also described: (i) Software as a Service (SaaS), (ii) Platform as a Service (PaaS), and (iii) Infrastructure as a Service (IaaS).  Because the term “cloud computing” is used so loosely to refer to many variations on the central characteristics, these definitions should assist businesses and other organizations to have more meaningful discussions with organizational stakeholders and service providers about cloud services.

The NIST Guidelines on Security and Privacy in Public Cloud Computing (Special Pub. No. 800-144) provides a useful overview and discussion of key security and privacy concerns.  Although this document is written as a set of guidelines for public procurement officials and managers involved with technology implementation, many of the considerations identified in the Guidelines are equally applicable to businesses.   Particularly helpful are the contract negotiation aspects sprinkled throughout the discussion.

FTC Proposes New Privacy Framework

February 3, 2011

In December 2010, the Federal Trade Commission issued an extensive staff report outlining a proposed new framework for consumer privacy protections for use by businesses.  The report results from an extensive review and a series of public roundtables conducted by the FTC over the past year on evolving privacy issues.

The framework contemplates three core principles: (i) so-called “privacy by design”, which requires an organization to promote sound privacy practices throughout all aspects of its operations and product or service offerings, (ii) simplified consumer choice, and (iii) greater transparency about data practices.  The report is also useful in providing extensive background on the FTC’s enforcement activities in the privacy area.

Because the FTC plans to sort through the public comments solicited on the report (the comment deadline was recently extended from January 31 to February 18) and to decide later in 2011 what further recommendations it might make based on that feedback, it is too early to assess whether the proposed framework will, in fact, result in a notable shift in the FTC’s approach to enforcement of offline and online privacy practices.