jump to navigation

“You Can’t Unring That Bell!” – What is a”Data Breach” and When Should I Notify? August 21, 2012

Posted by Chris Mark in cybersecurity, Data Breach.
Tags: , , , , , , , , , , , ,
add a comment

There are currently over 45 state breach notification laws, several data protection laws, and numerous regulations including PCI DSS, HIPAA/HITECH, FISMA, and more.  I frequently find myself working with companies on data breach notification plans.  One of the more interesting (and heated) discussions comes when I ask them to define a “data breach” or “data compromise”.  More interesting is when I ask them to define a “suspected data breach”.  Visa’ rules state that “suspected” breaches must be reported within 24 hours of identification or there could be penalties. Consider the following example.  You, as CSO, are informed of a malicious software outbreak in the customer service department. Does this require notification under the state breach notification laws, or relevant regulatory regimes?  Maybe, maybe not.  It is dependent upon a number of factors including access to data, data protections (ie. encryption), segmentation, the various laws etc.  In short, it is not easy to decipher yet it is critical to be as accurate as possible.

Understanding what is, and what is NOT, a data breach or data compromise is the first step in defining your company’s data breach notification plan.  The reason it is so critical is in the titled of this article.  Once you notify that your company has been ‘breached’ you cannot ‘unring that bell’.  The genie is out of the proverbial bottle and things start moving quickly.  Most company’s would absolutely hate to make an announcement only to find that, while they may have experienced a security incident, it did not impact sensitive data (PII, CHD, NPI, PHI, etc.).   It is important that you work with your compliance group, legal (don’t forget legal!), and the infosec & risk department to ensure you have a solid understanding of when, and under what conditions your company is required to notify of a breach or suspected breach.  Here are some basic definitions to use as a starting point.  (check with your legal council and don’t simply use these…there..that should protect me!;)

Security Incident/Event – Any event that compromises the availability, accessibility, or integrity of any asset.  This includes systems, personnel, applications, services, etc.

Data Breach – Any exposure of or unauthorized access of sensitive and/or protected data to include PHI, PII, CHD, and NPI.

Suspected Data Breach– In the absence of  direct evidence (identified fraud, or misuse of data, for example), any Security Incident in which it can be reasonable assumed that sensitive and/or protected data was exposed or accessed without authorization.

Remember, some state breach notification laws do not consider a breach of encrypted data as a trigger for notification…others do 😉  If you need help unraveling these issues (insert shameless marketing plug)…contact Mark Consulting Group…www.MarkConsultingGroup.com

graphic by Hippacartoons.com

“Bow-Chicka-Bow-Wow!” – Privacy Failure of Photobucket Can Make You a Porn Star! August 13, 2012

Posted by Chris Mark in cybersecurity, Data Breach.
Tags: , , , , , , ,
add a comment

For those who like to use the popular photo sharing site Photobucket to share (ahem)..”private” pictures may want to take action immediately.  According to an article on CNN, a privacy flaw in the way Photobucket allows users to share photos resulted in hackers gaining access to numerous R rated and even explicit photos of users.  Photobucket allows users to share photos using direct links.  This means that even if the user does not intend to share a photo, if a person can deduce the URL then the unencrypted file can be directly accessed.   This is a hack known as “Fuscking” and it has been used to access numerous files.  (more…)

“Pinky and the Brain” – Chris & Heather Mark’s Articles in Transaction World Magazine June 21, 2012

Posted by Chris Mark in cybersecurity, Industry News, InfoSec & Privacy.
Tags: , , , , , , ,
add a comment

I heard yesterday from the EIC of Transaction World Magazine that they will be publishing one of my articles in their August 2012 issue.  Stay tuned!  I have written for TW numerous times over the past 7 years or so and Heather has written for them consistently since about 2005.  You can read her current article here and see archives of Heather’s articles at this link.  If you are not in the payments industry and want to know about the exciting world of credit card issues, check out TransactionWorld.  It has great articles covering everything from compliance, to security, interchange, and more.  Here are two links to a couple of my previous TW articles..1) Why Regulation Cannot Prevent CyberCrime and 2) Lessons from the Heartland Breach…clearly in this relationship Heather is the Brain and I am Pinky 😉

“See, Hear & Speak no Evil”- Google Censorship Requests June 18, 2012

Posted by Chris Mark in Industry News, privacy.
Tags: , , , , , , , ,
1 comment so far

Google today released information related to the censorship requests by Governments around the Globe.  While many are familiar with China and other nations restricting access, it is interesting to see so many “Western” countries requesting censorship.  An interesting example is the Canadian Government requesting the removal of “…YouTube video of a Canadian citizen urinating on his passport and flushing it down the toilet. “  To their credit, Google did NOT comply with this request.  In another request, Google “…received a request from the Central Police in Italy to remove a YouTube video that satirized Prime Minister Silvio Berlusconi’s lifestyle.”  Again, Google did not comply.  The interesting part of these requests is that they request removal of material that is typically considered a right of free speech and protest.  Satire has been used as a form of protest in West for centuries (look at Voltare, Oscar Wilde…etc.etc.) and civil disobedience (urinating on a passport, is a good example) has certainly been used as form of protest.  One has to wonder whether how much more information ‘free’ governments have kept from the public.  You can see the Google removal requests here.

Social Media as a Privacy Tool? June 14, 2012

Posted by Heather Mark in privacy.
Tags: , , , , ,
add a comment

As one that closely follows the intersection of privacy and technology I read with great interest a paper released by Google entitled “Vanity or Privacy? Social Media as a Facilitator of Privacy and Trust.”  The paper is to be presented at the  2012 ACM Conference on Computer Supported Cooperative Work.  The paper is relatively short and presented as though it was undertaken in the nature of academic research.  I doubt I need to replay for the reader Google’s recent privacy issues and its recent changes to the company’s privacy policy.  With that in mind, it is difficult to read the short paper as anything other than a justification for these recent changes.   Unfortunately for Google, the paper is patently one-sided and the premises themselves are flawed, to put it mildly. It should be noted that the authors of the paper do include the following caveat: “While these examples offer no judgment on whether social media is good for privacy in any absolute sense, they do support our contention that it is possible to design social media systems that are engaging and supportive of privacy and trust.”

Before I delve into the paper itself, it is important to provide some baseline definitions for privacy and trust, particularly with respect to the online environment.  Privacy has traditionally been defined as the right to be let alone.   (more…)

%d bloggers like this: