• Data Breach Notification Act, S 139, would normalize the 46 state data breach laws into one national umbrella. It may be expanded to cover more than personally identifiable information. "One issue with this bill is that it would consolidate all reporting to the U.S. Secret Service, which is not helpful for broader information sharing with industry or across government."
• Data Accountability and Trust Act, HR 2221, was approved by the House in December and requires internet service providers to make victims aware of infections if they see a breach across their networks. "It will be interesting to see if this is extended to those services who may also be able to determine if there is anomalous behavior on the broader backbone."
• International Cybercrime Reporting and Cooperation Act, S 1438 and HR 4692, requires the president to produce an annual report to Congress assessing every country's level of information and communications technology utilization and development, and how each country's legal, law enforcement and judicial systems address cyber crime and protect commerce and consumers. "This bill met discord from software and hardware companies and their associated lobbying organizations (e.g., BSA, Tech America) because there is language that there will be imposed sanctions on countries who have demonstrated five years of 'bad behavior.'"
• Cybersecurity Enhancement Act, HR 4061, passed the House in February. Among its key provisions: creating an office for a national coordinator for IT security research and development. "While this is a non-controversial piece of legislation because it supports R&D efforts focused on identity management technologies and usability, authentication methods, and privacy, it's not clear how the new office will interact with the current [White House Office of Science and Technology Policy] responsibilities."
• FISMA II, S. 921, also known as the United States Information and Communications Enhancement Act or U.S. ICE, updates the Federal Information Security Management Act of 2002 from compliance-driven (check-list) requirements to performance-based measures, and could address IT procurement reform.
• Intelligence Authorization Act, HR 2071, strengthens America's intelligence capabilities and improves congressional oversight of our intelligence agencies. The measure also contains multiple congressionally directed actions for the Comprehensive National Cybersecurity Initiative. "It provides our intelligence community with the tools and resources to train more officers, expand language skills, strengthen cybersecurity efforts and more effectively prevent the spread of weapons of mass destruction."
• Cybersecurity Act of 2009, S 773, combines audits, industry-developed and government-backed standards, increased information sharing and other mechanisms to bolster private-sector cybersecurity. The measure, also known as the Rockefeller-Snowe Bill, establishes a presidential-level cybersecurity advisory panel and a national clearinghouse for information sharing, extends the Scholarship for Service program and increases the National Science Foundation's budget for R&D.
• The Grid Reliability and Infrastructure Defense Act, HR 5026, amends the Federal Power Act and directs the Federal Energy Regulatory Commission to protect the electric transmission and distribution grid from vulnerabilities. In addition to providing authority to address immediate threats, the GRID Act would also give FERC authority to require measures to protect against system vulnerabilities if it finds that the North American Electricity Reliability Corp. standards are insufficient. If enacted, the legislation would provide a security framework for the smart grid.
• Energy and Water Appropriations Act 2010 has already been signed by President Obama. It appropriates $46.5 million for energy delivery cybersecurity, an increase of $34.5 million from 2009, which will be used to develop secure grid technologies as cyber attacks increase worldwide and the grid becomes increasingly network-connected. It also establishes a National Cyber Center for the grid.
Monday, May 24, 2010
Thursday, April 22, 2010
The Ten Immutable Laws of Security
1. If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
2. If a bad guy can alter the operating system on your computer, it's not your computer anymore.
3. If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
4. If you allow a bad guy to upload programs to your web site, it's not your web site anymore.
5. Weak passwords trump strong security.
6. A machine is only as secure as the administrator is trustworthy.
7. Encrypted data is only as secure as the decryption key.
8. An out-of-date virus scanner is only marginally better than no virus scanner at all.
9. Absolute anonymity isn't practical, in real life or on the web.
10. Technology is not a panacea.
Source - www.microsoft.com/technet
Monday, April 5, 2010
GLBA and HIPAA Quiz
1. What is GLBA?
2. GLBA is an acronym for what?
3. What is HIPAA?
4. HIPAA is an acronym for what?
5. What is the difference between the two regulations?
6. What should you be aware of when you visit a medical facility?
7. With GLBA, what is defined as a financial institution?
8. How does our service work with both of these rules and regulations?
Send your answers to: safepcsolutions@gmail.com
Thursday, April 1, 2010
Internet Security Specialist vs. Computer Tech
By Frances Gollahon
Before I can begin to explain the differences, it’s important to get the terms straight:
• SOC, Security Operations Center: an organization that delivers Information Technology (IT) security services. It offers continuous risk analysis and guarantees protection against intrusion. (More on the ability to “guarantee” anything later.) The SOC also monitors and analyzes firewall and IDS (Intrusion Detection System) activity. These technologies are ever-changing and require techs to keep abreast of the latest developments.
• IT, Information Technology: the study, design, development and implementation of computer systems, software and hardware. According to the Information Technology Association of America (ITAA), “IT deals with the use of electronic computers and computer software to convert, store, protect, process, transmit and securely retrieve information.”
• IDS, Intrusion Detection System: an application that monitors network or system activity for violations, or imminent threats of violation, of computer security policies or standard security practices, and that deters individuals from violating security policies. Intrusion Detection Systems have become a necessary part of the security infrastructure of most organizations.
• Vulnerability Assessment – searches for known weaknesses within the computer systems and/or the software installed on them; a form of risk assessment.
• Penetration Test – is performed to isolate and expose known or unknown weaknesses in systems, services and web applications.
• Technical Assistance/Internet tech/computer tech can provide assistance for any issue regarding the computer system, any violations, updates to hardware and software.
• Trojan – malware that the user doesn’t see and therefore unknowingly allows unauthorized access to their computer system. The term is derived from the Trojan Horse story in Greek mythology. It allows a hacker remote access to another’s computer.
• Malware – malicious software designed to become part of your computer system without your consent and includes viruses, worms, trojans, spyware, adware, crimeware and root-kits, to name a few.
• Worm – self-replicating malware. It independently spreads itself over the network to other computers and causes some type of harm or corruption.
• Spyware – a type of malware that collects information about the user without their knowledge or consent, gathering various types of personal information; it installs software, redirects browser activity and changes computer settings. It is also known as “privacy-invasive” software.
• Adware – Advertising-Supported software – it automatically plays or downloads advertisements to your computer. Some are also privacy-invasive software.
• Crimeware is used to steal identities through “social engineering”. Most often associated with identity theft in order to gain access to online accounts at financial companies. Crimeware is best described by security consultant Kevin Mitnick (former computer criminal) who points out “it is much easier to trick someone into giving a password for a system than to spend the effort to hack into the system.” He claims it was the single most effective method in his arsenal. He coined the term “social engineering.”
• Zombie – just as the name describes, a computer that’s been hacked into and is used for malicious tasks under remote control. The computer owner is unaware, which led to the name “zombie.” Used extensively with email scams and spam, and helps spread trojan horses, since they are not self-replicating.
• Botnet – a collection of zombies that run autonomously and automatically, usually for damaging and malicious use.
• Rootkit – a means of access to your computer that gives an attacker control over your system. Rootkits take a lot of skill and effort to remove completely from a system.
• Keylogging or keystroke logging – tracking keystrokes so personal data can be accessed. There are many keylogging modalities, including electromagnetic and acoustic analysis.
• Computer forensics - a branch of forensic science that deals with examining information on computer systems for use as legal evidence or to recover data lost due to failure, or to analyze how a hacker gained access.
• Computer Security Audit – technical assessment of a system which may include interviewing staff, reviewing operating system access controls, running vulnerability scans, analyzing physical access to the system…just to name a few.
Now for that word “guarantee.” Bruce Schneier, American cryptographer, computer security specialist and author (he has written several books on computer security and cryptography) criticized computer security approaches that try to prevent or guarantee any malicious intrusion and instead argues that we might be better off focusing on designing systems that “fail well”.
A system that fails badly is a catastrophic failure. One single failure can bring down the whole system.
A system that fails well compartmentalizes or contains failure. For example, the hulls of watercraft are compartmentalized ensuring that a breach in one compartment will not flood and sink the entire vessel.
This is the best we can “guarantee.”
Computer technology specialist vs. Internet security specialist
Computer technologist certifications are non-degree certifications given to those who have achieved the qualifications specified by a certifying body. The certification qualifies the holder to obtain certain types of positions within the field of study.
IT, Information Technology, is the study of computer-based information systems, focusing on software applications and computer hardware. According to the Information Technology Association of America (ITAA), IT deals “with the use of electronic computers and computer software to convert, store, protect, process, transmit and securely retrieve information.”
Today’s IT professionals are highly trained and skilled individuals with a variety of duties, ranging from designing computer networks and databases to data management, networking, software design, application installation, database design, and the management and administration of entire systems.
Computer science has many sub-fields, but is basically the study of theory and practical application of that theory in computer systems. Computer science is the study of understanding the “properties of the programs used to implement software.” (Wikipedia)
In researching Information Technology Degrees that can be studied online I found that this is the foundational pursuit that leads to other subfields for IT professionals.
A higher degree, a Bachelor of Information Technology with a concentration in Internet Security or a Master’s degree, is required to pursue the careers used in business today to examine, define and develop policies that maintain security and manage Internet security risks in a business environment: the security practices that should be in place in any organization to comply with federal and state regulations and laws.
So the difference between the two is education. For a business to assume their highly skilled and greatly valued IT techs can keep them in compliance with federal regulations like the Red Flags Rule is like playing Russian roulette with 5 chambers filled.
Frances Gollahon is a member of The Synergy Marketing Team Beta Testers. Give this gal a script and watch her go!
Visit her blog at: cybercrimandsecuritytaskforce.blogspot.com
Monday, March 29, 2010
Business Surveys Quiz
Eight Question Survey
1. What is the purpose of the Eight Question Survey?
2. Why are the questions in this survey important to ask the prospect?
3. Once the survey has been taken, how do you ascertain whether the business must comply with security regulations?
4. If the business only answers yes to question number seven (Accept credit cards as a form of payment) what should you do?
Security and Privacy Scorecard
1. What is the purpose of the Security and Privacy Scorecard?
2. What is the difference between the Eight Question Survey and the Security and Privacy Scorecard?
3. What are the two major areas covered in the scorecard?
4. What do you do with a business that is low or medium risk?
Wednesday, March 24, 2010
ABC's Of Red Flags Rule
On June 1, 2010, the Red Flags Rule goes into effect. If you are a small business owner and this is the first you’ve heard of it, you are not alone. Most small business owners either have no idea that there are compliance issues they need to be aware of, or they have taken to hiding their heads in the sand, believing it has nothing to do with them because they are too small, or their CPA/lawyer/exorcist would have told them something about it if it was true, or the dog ate their homework…whatever.
But this new law will affect most businesses regardless of size.
These businesses (especially small and mid sized) are targeted for their sensitive customer and employee information like names, SS#, drivers license numbers, medical info, bank info, 401k plans etc. All the goodies that identity thieves sell in their now thriving criminal enterprises. Last year’s identity theft losses to businesses and financial institutions totaled $47.6 billion, and consumer victims reported $5 billion in out-of-pocket expenses.
So What Is The Red Flags Rule?
In a nutshell, it applies to any entity that extends credit by granting loans or arranging for loans, like car dealerships, finance companies, mortgage brokers, real estate agents, and any other retailer that offers financing or provides help to consumers in getting financing by processing credit applications. This includes utility companies, health care providers and telecommunication companies. The Rule requires a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in day-to-day operations, take steps to prevent the crime, and mitigate the damage it inflicts.
The Rule also applies to businesses that defer payments, offer installment plans, or provide goods and/or services and bill or invoice a customer, client or patient later; a business that issues a store credit card is likewise a creditor under the Rule.
However, simply accepting credit cards as a form of payment does not make a business a creditor under the Rule. The Payment Card Industry (PCI) regulates itself in regards to credit card fraud and has regulations for merchants completely separate from the FTC Red Flags Rule.
The “Red Flags” Rule is a regulation issued by the Federal Trade Commission (FTC) under the Fair and Accurate Credit Transactions Act (FACTA), a federal law passed in 2003 to strengthen protection against identity theft. The FTC published the Rule October 31, 2007 and it became effective January 1, 2008, but its implementation date (after which companies would be responsible for complying) has been repeatedly delayed, from November 1, 2008 to May 1, 2009, to August 1, 2009 and to November 1, 2009 and finally to June 1, 2010, when enforcement will commence.
At this point, one cannot assume that the FTC will further delay implementation, meaning that businesses and organizations need to begin working on compliance now if they have not already done so.
The Red Flags Rule Mandates Include:
1. Administrative Safeguards: Appointing an administrator to put a written plan together showing how a business will detect and act upon “Red Flags” (suspicious documents, changes of address, warnings from credit agencies, or notices from victims or law enforcement) with reasonable responses when any “red flags” are detected. This includes monitoring or closing accounts, not opening an account or notifying potential victims of a problem.
The administrator is also responsible for implementing an ongoing training program for employees on how to recognize and act upon these “red flags.” These trainings must be documented by the administrator and signed by the employees when they finish to show they participated in the training and understand the rule.
2. Physical Safeguards: Securing the physical business surroundings to safeguard, as well as properly dispose of, information stored in hard copy files (or on disks), and ensuring that a company laptop doesn’t go “missing.” You would be amazed at how much information is stolen or lost due to a business owner or employee leaving information out in the open, such as medical files, loan applications or a business laptop.
3. Technical Safeguards: Finally, there are technical safeguards that need to be implemented to lock down data on computers and keep them invisible to hackers, using professional-grade security antivirus and antispyware and a bi-directional firewall for every computer in your business. Other safeguards include file encryption for both stored and transmitted files and records, regular vulnerability assessments to identify any security holes in your computer network and permanent deletion of individual electronic records, files, and hard drive information prior to disposing of a computer or hard drive.
4. Living Law: There is no one-time implementation and now “you’re set” with regards to Red Flags Rule compliance. Sorry, the rule is a living law and subject to change as the trends in identity theft change. Every program must be evaluated and updated regularly and ignorance of the changes as they occur will not be seen as a valid excuse for not being in compliance.
How Will The Rule Be Enforced?
The FTC does not conduct routine compliance audits. But the FTC can conduct investigations to determine if a business within its jurisdiction has taken appropriate steps to develop and implement a written Program, as required by the Rule.
The FTC may ask the target of the investigation to produce copies of its Program and other materials related to compliance. The FTC also may interview officers, employees, or others who are familiar with the company’s practices. If the FTC has reason to believe the Rule has been violated, it can bring an enforcement action.
There is no private consumer right of action; only certain federal and state government agencies can enforce the Rule. However, businesses should know that consumers may be encouraged to file complaints with the FTC about a company’s identity theft Program, or lack of one, and that the FTC uses these complaints (filed at https://www.ftccomplaintassistant.gov/) to target its law enforcement efforts.
The Fines And Other Spankings For Non Compliance:
These trying economic times are difficult enough for a business owner to deal with just going about the business of doing business. Having to now deal with the epidemic of business data breaches that put each and every business, their customers and their employees in peril of identity theft has added yet another burden upon their precious time and resources, but non-compliance can be far more costly than you think.
Federal: The penalty per single identity lost or stolen is $3,500.
State: Up to $1,000 per individual violation (plus attorney fees).
Warned: If a business is warned by a regulatory agency of non-compliance and then found to remain in non-compliance during a follow-up, the fine jumps to $11,000 per individual incident.
Law Suits: There are also allowances for individuals who’ve been victimized to seek damages from the businesses.
Any one of these can cripple or even kill a business, all of them together and you may as well say adios to all your hard work and sacrifices…bye bye business!
Examples Of Entities That Must Comply:
Health Care Practices – Because most bill later or defer payment through insurance.
Retail Stores – The only exception is if a store deals exclusively in credit cards and/or cash.
Services/Utilities – Phone companies, cell phones, power companies etc.
Auto Dealerships – This includes motor cycles, boats, RVs, etc.
Financial institutions – Banks, credit unions, credit card companies and mortgage brokers.
Non-Profits - entities that defer payment for goods or services.
Schools – Any school, college or university that provides or accepts financial aid.
A Few Helpful Definitions:
Red Flags Rule: The Red Flags Rule is a law that will be enforced on June 1, 2010 that requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs or “red flags” of identity theft in their day-to-day operations.
FTC: The Federal Trade Commission (FTC) was established as an independent administrative agency pursuant to the Federal Trade Commission Act of 1914. The purpose of the FTC is to enforce the provisions of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in commerce,” and serves an important function as a protector of both consumer and business rights.
FACTA: The Fair and Accurate Credit Transactions Act of 2003. This law applies to businesses and individuals who maintain, or otherwise possess, consumer information for a business purpose and requires businesses to develop and implement a written privacy and security program.
Financial Institution: A State or national bank, a State or federal savings and loan association, a mutual savings bank, a State or federal credit union, or any entity that holds a “transaction account” belonging to a consumer. A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.
Creditor: An entity that regularly extends, renews, or continues credit or regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Non-profit and government entities that defer payment for goods or services are also considered creditors.
Covered Account: An account used mostly for personal, family, or household purposes, and involves multiple payments or transactions. These accounts include credit cards, mortgage loans, automobile loans, margin accounts, cell phone, utility, checking and savings accounts.
For more information go to: www.ftc.gov/redflagsrule
Monday, March 22, 2010
PCI Compliance Quiz
2. Who does it apply to?
3. Is PCI compliance a law?
4. Who regulates PCI compliance?
5. Is PCI compliance applicable to home-based businesses?
6. When do merchants have to become PCI compliant?
7. How does a merchant become PCI compliant?
8. Does Invisus certify PCI compliance?
9. How can Invisus help make a merchants certified PCI compliant?
10. What if a merchant tells you he is PCI compliant, what then?
Copy and paste the quiz into a Word document and send your quiz answers to: safepcsolutions@gmail.com
Tuesday, March 16, 2010
Red Flags Rule Quiz
1. Who does the “Red Flag Rules” apply to?
2. When are the “Red Flag Rules” slated to take effect?
3. When were the “Red Flag Rules” originally slated to take effect?
4. What is a “Red Flag?”
5. What is a covered account?
6. Why is there a need for the “Red Flag Rules?”
7. What government agency regulates the “Red Flag Rules?”
8. Are the “Red Flag Rules” a law?
9. What are the penalties for a business that does not comply with the “Red Flag Rules?”
10. What size must a business be to fall under the “Red Flag Rules?”
11. What percent of small and mid-sized businesses were hit with easy-to-perform cybercrime?
12. Explain how the “Red Flag Rules” will be enforced.
Copy and paste the quiz into a Word document and send your quiz answers to: safepcsolutions@gmail.com
Wednesday, March 10, 2010
Red Flags Rule: Oh Nurse, A Little Help Here...
May I Have Your Attention Please?
Ahem, down here guys...OK, here we go.
Identity theft is a monolithic problem in the world today. Anyone from the savviest of business CEOs to the youngest babes in our society is at risk; this includes any entity such as a government or non-profit agency. Not even the deceased are safe (so to speak) from this crime.
In fact, ID theft is the fastest growing white-collar crime in America, and why not? Most of the bad guys never get caught, and nearly all consumers continue to go about their daily lives as unwary as sheep to a shearing, only to find out too late that they have been led to a financial slaughterhouse in the aftermath of having their identity stolen.
More than ten million victims fall prey to identity theft in the United States each year and the number of victims who report this crime continues to explode every year. The reported lost or stolen personal data since 2005 is now more than 346,512,902 and this is estimated to be only 20% of what the actual numbers truly are.
What this really breaks down to is more than half of all U.S. citizens (including small children) have had their personal information stolen. And the FTC says that Every Credit Card ever issued (including Bankcards) has been compromised…Yikes, each and every one!
Is it no wonder then that the Payment Card Industry (PCI) has decided it has had enough of covering the financial losses for credit fraud (in the billions) or that the Federal Trade Commission has decided to finally step in and take action in order help stop the devastating effects of this crime by putting the liability for these breaches onto businesses through the Red Flags Rule?
Now keep in mind that credit fraud is only 33% of the problem. The other 67% is due to other nefarious practices, not the least of which are data breaches from within a company, i.e. a disgruntled employee or negligent security practices or (heaven forbid) no security at all, or outside breaches from cybercriminals known as black hat hackers who take advantage of the low-hanging fruit that poor security leaves behind. This brings us back to the new federal laws and regulations known as the Red Flags Rule.
To whom do these laws and regulations apply?
The Red Flags Rule is an anti-fraud regulation, requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to the warning signs, or “red flags,” that could indicate identity theft.
The General Rule of thumb is that if a business or entity collects, uses, transmits or stores any identifiable information about customers and or employees such as name, address, phone number, SS#, driver’s license, birth dates, medical information, Tax ID# etc. and then “credits” them for the payments they are subject to the Red Flags Rule.
The FTC uses the term “creditor” broadly so even if a business may not view itself as a “creditor” in the traditional sense of say a bank or mortgage company, the red flags rule does define “creditor” to include any entity that regularly defers payment for goods or services or arranges for the extension of credit.
However, simply accepting credit cards as a form of payment does not make a business a creditor under the Rule; credit cards have their own set of scary rules and regulations under the payment card industry.
What is a Red Flag?
A Red Flag is a potential sign that identity theft may be occurring, and businesses are required by the FTC to spot and act upon any red flags that may be a telltale sign of identity theft. Some of the requirements for compliance include:
• Developing a written red flags program to include: identifying potential red flags, detecting red flags, and a protocol to respond to red flags.
• Educating your employees on these protocols.
• Maintaining and updating your company red flags plan (this is a living law and is subject to changes, it is up to you to know what these are).
Enforcement of the Red Flag Rules begins November 1st 2009, and ignorance of this law is no excuse. Be aware that States can enforce these laws as well and many states have put their own special spin on what is required for a business to be compliant.
Who is a Candidate for the Red Flags Rule?
• Doctors, dentists, acupuncturists, chiropractors, massage therapists, nutritionists, mental health providers etc.
• Lawyers (Lawyers weasel out)
• CPAs
• Contractors
• Utilities
• Retailers
• Telecommunications companies
• Debt collectors
• Employee benefit plans that sponsor a flexible spending account, when it is arranged using a debit card.
What if I don’t comply?
Businesses subject to Red Flags Rule must comply by June 1, 2010 or face the possibility of enforcement action by the FTC in the form of fines or other legal actions. The penalty alone per name stolen or leaked is a staggering $3,500! Your business will come to a halt while the forensic investigators are looking into the cause of the data breach. And here’s a fun stat for you - 50% of businesses that lose their critical data for 10 days or more have to file for bankruptcy immediately…fun stuff!
Moving right along, your business name by this time is more than likely “Mud” and in most states you are required to inform each and every customer that your company’s data breach has put their good names in jeopardy (ouch); and if that isn’t enough, the law also allows the consumer/victim the right to recoup their losses from you... I’m talking civil and in some cases even criminal suits here people...do I have your attention now?
Not enough you say? OK, how about losing 65% of your customers once they know that your business suffered a security breach that put their identity at risk...count on it!
So what can a business owner do to protect their business data from being harvested by a cyber crook out on the take?
1. Education. Go to the FTC’s website at: FTC Red Flags Rule and learn the facts straight from the horse’s mouth and how they apply to your businesses.
2. Get the best internet protection you can for all of your company’s computers along with a cracker jack team of IT professionals: Safe PC Solution
3. Develop and start implementing your Company’s Red Flags Rules protocol.
4. A simpler way to do this is to have a team of experts work hand in hand with you to certify that your business is following all of the Best Practices so that your company’s important personal information doesn’t fall prey to bad guys looking to sell it for a nickel a name!
In conclusion:
The US Dept of Homeland Security released a statement in September of 2009 that says that “87% of breaches could be thwarted by simple to intermediate preventative measures.”
WOW! Is that all?
Ahem, down here guys...OK, here we go.
Identity theft is a monolithic problem in the world today. Anyone from the savviest of business CEOs to the youngest babes in our society is at risk; this includes any entity such as a government or non-profit agency. Not even the deceased are safe (so to speak) from this crime.
In fact, ID theft is the fastest-growing white-collar crime in America, and why not? Most of the bad guys never get caught, and nearly all consumers continue to go about their daily lives as unwary as sheep to a shearing, only to find out too late that they have been led to a financial slaughterhouse in the aftermath of having their identity stolen.
More than ten million victims fall prey to identity theft in the United States each year, and the number of victims who report this crime continues to explode every year. The reported count of lost or stolen personal records since 2005 is now more than 346,512,902, and this is estimated to be only 20% of the true number.
What this really breaks down to is that more than half of all U.S. citizens (including small children) have had their personal information stolen. And the FTC says that every credit card ever issued (including bank cards) has been compromised…Yikes, each and every one!
Is it any wonder, then, that the Payment Card Industry (PCI) has decided it has had enough of covering the financial losses for credit fraud (in the billions), or that the Federal Trade Commission has decided to finally step in and take action to help stop the devastating effects of this crime by putting the liability for these breaches onto businesses through the Red Flags Rule?
Now keep in mind that credit fraud is only 33% of the problem. The other 67% is due to other nefarious practices, not the least of which are data breaches from within a company (i.e. a disgruntled employee, negligent security practices or, heaven forbid, no security at all) or outside breaches by cybercriminals known as black-hat hackers who take advantage of the low-hanging fruit that poor security leaves behind. This brings us back to the new federal laws and regulations known as the Red Flags Rule.
To whom do these laws and regulations apply?
The Red Flags Rule is an anti-fraud regulation, requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to the warning signs, or “red flags,” that could indicate identity theft.
The general rule of thumb is that if a business or entity collects, uses, transmits or stores any identifiable information about customers and/or employees, such as name, address, phone number, SSN, driver’s license, birth date, medical information, Tax ID number, etc., and then “credits” them for their payments, it is subject to the Red Flags Rule.
The FTC uses the term “creditor” broadly, so even if a business may not view itself as a “creditor” in the traditional sense (say, a bank or mortgage company), the Red Flags Rule defines “creditor” to include any entity that regularly defers payment for goods or services or arranges for the extension of credit.
However, simply accepting credit cards as a form of payment does not make a business a creditor under the Rule; credit cards have their own set of scary rules and regulations under the payment card industry.
What is a Red Flag?
A Red Flag is a potential sign that identity theft may be occurring, and businesses are required by the FTC to spot and act upon any red flags that may be a telltale sign of identity theft. Some of the requirements for compliance include:
• Developing a written red flags program that covers identifying potential red flags, detecting red flags, and a protocol to respond to red flags.
• Educating your employees on these protocols.
• Maintaining and updating your company red flags plan (this is a living law and is subject to change; it is up to you to know what the changes are).
Enforcement of the Red Flags Rule begins November 1, 2009, and ignorance of this law is no excuse. Be aware that states can enforce these laws as well, and many states have put their own special spin on what is required for a business to be compliant.
Who Is a Candidate for the Red Flags Rule?
• Doctors, dentists, acupuncturists, chiropractors, massage therapists, nutritionists, mental health providers, etc.
• Lawyers (lawyers weasel out)
• CPAs
• Contractors
• Utilities
• Retailers
• Telecommunications companies
• Debt collectors
• Employee benefit plans that sponsor a flexible spending account when it is arranged using a debit card.
What if I don’t comply?
Businesses subject to the Red Flags Rule must comply by June 1, 2010 or face the possibility of enforcement action by the FTC in the form of fines or other legal actions. The penalty alone per name stolen or leaked is a staggering $3,500! Your business will come to a halt while the forensic investigators are looking into the cause of the data breach. And here’s a fun stat for you - 50% of businesses that lose their critical data for 10 days or more have to file for bankruptcy immediately…fun stuff!
Moving right along, your business name by this time is more than likely “Mud”, and in most states you are required to inform each and every customer that your company’s data breach has put their good names in jeopardy (ouch); and if that isn’t enough, the law also allows the consumer/victim the right to recoup their losses from you... I’m talking civil and in some cases even criminal suits here, people... do I have your attention now?
Not enough, you say? OK, how about losing 65% of your customers once they know that your business suffered a security breach that put their identity at risk... count on it!
So what can a business owner do to protect their business data from being harvested by a cyber crook out on the take?
1. Education. Go to the FTC’s website at: FTC Red Flags Rule and learn the facts straight from the horse’s mouth, and how they apply to your business.
2. Get the best internet protection you can for all of your company’s computers, along with a crackerjack team of IT professionals: Safe PC Solution
3. Develop and start implementing your company’s Red Flags Rule protocol.
4. A simpler way to do this is to have a team of experts work hand in hand with you to certify that your business is following all of the best practices, so that the important personal information your company holds doesn’t fall prey to bad guys looking to sell it for a nickel a name!
In conclusion:
The US Dept of Homeland Security released a statement in September of 2009 that says that “87% of breaches could be thwarted by simple to intermediate preventative measures.”
WOW! Is that all?
Do We Certify For PCI?
This is a separate charge to the client by 'Security Metrics', who will assess them for what they need based on what they are currently using (phone, swipe machine(s), computer(s), etc.) to take credit card information. The client should expect to fill out a questionnaire (likely sent via email) as well as have a scan of their IP address performed by the vendor.
When they pass, they will be issued a certificate (via email) that they can display at their place of business, or online if they are an e-commerce merchant. They will be scanned automatically every quarter after that, and they will be charged yearly for this service.
Home businesses are especially vulnerable to hackers, arguably the most vulnerable, simply because they are usually not well protected. Intruders will zero in on home users because it is easy and requires very little work on their part.
Would you leave the curtains open to a window facing a busy street while you change clothes or bathe? Would you tuck your precious children into bed at night and leave the window open with a ladder leading down to the backyard? Of course not, but most home businesses are blindly using their computers with a false sense of security that literally leaves their sensitive information exposed. Cyber-crooks sneak in unseen and start exploiting a home business computer's 'always on' broadband connection and the typical home-use programs such as chat rooms, Internet games and file-sharing applications.
And once a bad guy is in, they have no problem installing hacker tools specifically developed to log every keystroke a user types. So your banking passwords and any credit card information being typed on an infected computer (theirs or a customer's) are easily in the hands of a criminal faster than a bullfrog can zap a fly!
Being in compliance is not voluntary; if a merchant wants to keep the privilege of taking credit card payments, they must follow the rules of compliance in accordance with the PCI Security Standards Council.
Check out the link for the company site for more information about Security Metrics.
Tuesday, March 9, 2010
Is PCI DSS Compliance a Law? If not, why should I care?
PCI compliance is NOT a law. It is a set of data security standards that the Payment Card Industry (you know, Visa, MC, AmEx, Discover and JCB) has put together in order to tighten the reins on credit card fraud by imposing these regulations on the merchants and the acquiring banks that provide merchant accounts.
You see, a few years back these big boys got together and said "We are sick and tired of eating it on all these fraudulent charges... it's costing us BILLIONS! I know, let's pass the onus onto the banks and merchants who are going around willy-nilly without using the proper security in the first place." They all agreed this was a bang-up idea, and so on September 7, 2006 the Payment Card Industry Security Standards Council (PCI SSC) was born.
Since that time ALL companies that process, store or transmit credit card information have been required to maintain a secure environment. The payment brands and acquirers are responsible for enforcing compliance, and if you haven't heard from your acquiring bank yet, you soon shall.
A copy of the PCI DSS is available here.
Think of it this way: being able to take credit cards for payment is NOT a right, it IS a privilege that the Payment Card Industry can give'th or take'th away. It's like when you walk into a store that has a sign that reads "No Shirt, No Shoes, NO SERVICE!" That means they require their customers to come in with footwear and a covered torso.
They reserve the right to NOT do business with you based on this rule. It is the proprietor's store and those are the rules; if they don't want to look at your bare feet and whatever tattoo you may be sporting on your latissimus dorsi, they can toss you out... PERIOD.
So it goes with PCI compliance: if you want to play ball (do business) with these guys on their playing field, you need to follow THEIR rules or they will simply take their ball and go home.
Now for goodness sake, put your dang clothes on and get your business certified PCI DSS compliant...