Regulations & Compliance

Finally, the ROI you need to get data encryption in place.

Gartner analyst Avivah Litan testified on identity theft at a Senate hearing held after the Department of Veterans Affairs lost 26.5 million vet identities. "A company with at least 10,000 accounts to protect can spend, in the first year, as little as $6 per customer account for just data encryption, or as much as $16 per customer account for data encryption, host-based intrusion prevention, and strong security audits combined," Litan said. "Compare [that] with an expenditure of at least $90 per customer account when data is compromised or exposed during a breach," she added.


The Deleting Online Predators Act amends the Communications Act of 1934 with the following:

Enforcing a policy of Internet safety for minors that includes monitoring the online activities of minors and the operation of a technology protection measure with respect to any of its computers with Internet access that—

  • protects against access through such computers to visual depictions that are— obscene; child pornography; or harmful to minors; and
  • prohibits access to a commercial social networking website or chat room through which minors— may easily access or be presented with obscene or indecent material; may easily be subject to unlawful sexual advances, unlawful requests for sexual favors, or repeated offensive comments of a sexual nature from adults; or may easily access other material that is harmful to minors;

The term ‘commercial social networking website’ means a commercially operated Internet website that— allows users to create web pages or profiles that provide information about themselves and are available to other users; and offers a mechanism for communication with other users, such as a forum, chat room, email, or instant messenger.
The term ‘chat rooms’ means Internet websites through which a number of users can communicate in real time via text and that allow messages to be almost immediately visible to all other users or to a designated segment of all other users.

BusinessWeek writes:

For starters, it's got too general a definition of sites that should be banned, says Markham Erickson, general counsel of the Net Coalition, a Washington lobby representing Internet companies. The Deleting Online Predators Act (DOPA) defines the restricted areas as those that allow "users to create Web pages or profiles that provide information about themselves and are available to other users" and offer "a mechanism of communication with other users, such as a forum, chat room, e-mail, or instant messenger."

That could rule out content from any number of Internet companies, including Yahoo! and Google. What's more, DOPA would prohibit sites that enable users to create their own content and share it. That covers a wide swath of the online world, known colloquially as Web 2.0, where users actively create everything from blogs to videos to news-page collections.

Comments from the Huffington Post say:

This is like passing a law to forbid cities from having alleys because muggings, rapes and drug deals happen in them.

Long ago, California started the trend with SB 1386, and in 2005 a similar data privacy bill was proposed. This is the one meant to set national law: the Cybersecurity Enhancement and Consumer Data Protection Act.

A new proposal in Congress would force anyone who possesses electronic personal data to report "major" security breaches to federal authorities before alerting consumers–or face hefty fines and even imprisonment.

The 11-page House of Representatives bill aims to deter identity thieves and dismantle cybercrime operations, such as phishing scams, that swipe personal information. It was introduced this week by House Judiciary Committee Chairman James Sensenbrenner and backed by three Republicans and one Democrat.

The bill defines "major breach" as any incident that involves the personal information of 10,000 or more individuals, databases owned by the federal government or personal data about federal employees or contractors involved in "national security matters or law enforcement."

Refusing to comply with the rules could result in up to five years in prison or fines of $50,000 for each day that the intrusion is not reported–an idea endorsed by the Justice Department.

I didn't attend the infamous Electronic Transaction Association (ETA) show this year, but others did and they sent their regards. ETA is the geek get-together where all the who's who of electronic transactions show up. It's very "cliquey" because the industry (like others) is very incestuous and the players have all worked together at one company or another.

Friends of mine were there, some spoke and some had vendor booths, but they all know each other. This year was all about partnerships: finding out who hired whom and which company was partnered with which other company. It seems like partnerships mostly followed the path of people you know rather than anything else. It was just interesting to see these social networks evolve organically.

On the O'Reilly Radar, Marc quotes John Gall in saying the following. I think the same is true of social networks.

A complex system that works is invariably found to have evolved from a simple system that worked….A complex system designed from scratch never works and cannot be patched up to make it work. You have to start over, beginning with a working simple system.

So James DeLuccia at Optimal Security reports on his experience at ETA.

I have had the privilege to speak with dozens of companies and sit through several discussions on the payment industry and the PCI DSS requirements. This entry contains my notes and takeaways from the first day. These takeaways include:

  • PCI DSS program Updates (new version, changes!)
  • Threats, Trends, and Analysis
  • Safe harbor for Small Merchants
  • PCICo
  • Top Reasons for Compromises
  • Top Actions to mitigate compromises