BreachExchange mailing list archives
Big Data, national data breach standard among issues government may soon tackle
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 9 May 2014 13:36:29 -0600
http://www.insidecounsel.com/2014/05/09/big-data-national-data-breach-standard-among-issue

A new report released by White House science and technology advisors has addressed some important privacy issues given the increasing prominence of Big Data. Called “Big Data: A Technological Perspective,” the report – developed by the Council of Advisors on Science and Technology (PCAST) – points out that gathering, analyzing, disseminating, and preserving data raise “new concerns about the nature of privacy and the means by which individual privacy might be compromised or protected,” according to a statement from the White House.

Among the issues addressed in the report are concerns about protection of data in the cloud.

The report provides some recommendations, too. These include:

- Federal agencies should strengthen research in privacy-related technology and in relevant areas of social science.
- There should be more education and training on privacy protection.
- And the nation should adopt policies that “stimulate the use of practical privacy-protecting technologies.”

When it comes to the recent White House report, Paul Luehr, managing director at Stroz Friedberg, and former attorney with the U.S. Department of Justice and the Federal Trade Commission, said it gave many examples which show how complex data impacts people each day.

“And while the report left many difficult questions about privacy open, it was clear about data security – all businesses need to protect personal or sensitive information, no matter how it is used or where it is stored,” he added.

In a related issue, Luehr says it is time for the setting of a national data breach standard.

“Companies currently struggle to comply with 47 complex, overlapping, evolving, and sometimes contradictory state data breach notification laws,” Luehr said in a statement sent to InsideCounsel. “In our incident response work, we’ve seen examples where companies with customers in 24 states had to research, draft and approve 17 different versions of the same basic notification letter to comply with different laws, which is clearly a time-consuming and costly process.”

But a single, comprehensive federal law would provide “more consistent protection to consumers, provide greater clarity for businesses, and still allow vigorous enforcement by both federal and state officials,” he added.

He has also called for a mandatory 60-day period for reporting and notifying parties of a data breach.

“Individual consumers deserve to know if their data has been compromised, but that notice should be based on a scientific assessment by forensic experts, not political pressures or concerns about the daily news cycle,” Luehr said.

He explained that some proposals call for notification within 24 to 72 hours.

“But we know that data from compromised servers is often not even preserved in that period of time, much less analyzed. It often takes several weeks to conduct a thorough investigation and determine if a breach occurred, what damage ensued, and who was affected,” he added. “Therefore, we recommend following the reasonable 60-day deadline already established by HIPAA in the healthcare industry.”

In addition, InsideCounsel reported that after the Target data breach, many members of Congress focused their attention on data security and data breaches. The Target data breach exposed personal information of some 110 million customers late last year – and the company’s CEO recently resigned.

Since the breach, hearings were held in Congress on preventing data breaches, improving data security standards, improving protection of consumers’ personal data, and providing more notice to consumers when a compromise takes place.