US Senate to consider Data-Breach Bill

Just before the 2005 Thanksgiving holiday the Senate Judiciary Committee approved the Personal Data Privacy and Security Act, authored by Senators Specter and Leahy. The soon-to-be-called “Specter-Leahy Act”, also known as the SLA, has some exceptionally vague language even compared to laws already in effect at the state level:

  • Giving individuals access to, and the opportunity to correct, any personal information held by data brokers;
  • Requiring entities that maintain personal data to establish internal policies that protect such data and vet third parties they hire to process that data;
  • Requiring entities that maintain personal data to give notice to individuals and law enforcement when they experience a breach involving sensitive personal data.

In my experience the use of the word “reasonable” in California’s AB1950 law has been remarkably useful in discussions about how to comply. Unfortunately, I do not see anything comparable here that would help clarify when law enforcement should be contacted or how to measure the internal policies for effectiveness (it is easier to draw a line for “reasonable encryption”, for example, than for “protective policies”). Enforcement, on the other hand, seems to be very precise:

  • Section 103 makes it a crime for a person who knows of a security breach requiring notice to individuals under Title IV of this Act to intentionally and willfully conceal the fact of, or information related to, that security breach. Punishment is either a fine under Title 18, or imprisonment of up to 5 years, or both.
  • Any person who, during and in relation to a felony violation of the computer fraud law, knowingly obtains, accesses or transmits a means of identification of another person without lawful authority, may be imprisoned for up to 2 years in addition to the punishment provided for such felony.

Rumor had it that a Representative from Oklahoma was lobbying to delay consideration of the bill by talking turkey, which caused some to suggest that Cole might stop the SLA from being passed. Ha, just kidding.

Visa provides free PCI scanning service

After months of negotiating contracts and fees in the US for Visa PCI compliance assessments, I just ran into this odd bit of news from Canada that Visa has offered to provide free scans indefinitely. Does this mean there is no need for a certified PCI assessor if you are a Tier 2 merchant or smaller?

According to Visa, the free service, which uses a U.S. vendor but is available across the Asia-Pacific, will be provided “indefinitely” at this point to all merchants that accept Visa cards for payment of goods and services.

Lodens [Visa’s head of third-party assurance] said Visa’s main message, that merchants and third-party processors should not be storing card information, remains unchanged.

“If there is a need for that, then [merchants] need to protect the information,” he said, adding that card-holder data should not be stored. “Where we see incidents of compromise is because merchants are unnecessarily storing information.”

Yes, please do encrypt if you must store the data. And please do protect the keys if you must encrypt… but free security scans from the Payment Card Industry? More research required.
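To make Visa’s message concrete, here is an added example (written for this page, not code from the original post, from Visa or from the PCI council) of what a merchant can keep instead of the card number: the last four digits for receipts and a keyed hash for recognising a returning card. It assumes, as a simplification not stated on the page, that the HMAC key is fetched from somewhere outside the database (a KMS or HSM) and passed in by the caller, so that protecting the key is the one secret-management problem left. The sample card number is a well-known test number, constructed for the example.

```python
"""Added example for the Visa post above: keep the PAN out of the merchant's
own database. Illustration written for this page, not code from the post,
from Visa or from the PCI council.

Assumptions (not from the page): the merchant needs only the last four digits
for receipts plus a stable identifier for a returning card, and the HMAC key
lives outside the database (KMS/HSM) and is supplied by the caller.
"""
import hashlib
import hmac
import re
import secrets

# Constructed sample input: a well-known test number, not a real card.
SAMPLE_PAN = "4111 1111 1111 1111"


def luhn_valid(pan: str) -> bool:
    """Mod-10 check, so a mistyped number is rejected before anything is kept."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes and validate; raise ValueError on anything odd."""
    pan = re.sub(r"[ -]", "", raw)
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    return pan


def mask_pan(pan: str) -> str:
    """Receipt display: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed hash used to recognise a returning card.

    An unkeyed SHA-256 would not do: with a known 6-digit BIN and a check
    digit, only about nine digits are free, so a stolen table of plain hashes
    can be brute-forced. With HMAC the key is the secret, which is exactly
    the thing the post says must be protected.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def record_for_storage(raw_pan: str, key: bytes) -> dict:
    """What the merchant keeps. The full PAN never appears in it."""
    pan = normalize_pan(raw_pan)
    return {
        "last4": pan[-4:],
        "masked": mask_pan(pan),
        "token": pan_token(pan, key),
    }


def accepts(raw_pan: str) -> bool:
    """True if the input would be accepted for processing at all."""
    try:
        normalize_pan(raw_pan)
        return True
    except ValueError:
        return False


def leaks_pan(record: dict, pan: str) -> bool:
    """Reviewer's sanity check: does any stored field contain the PAN?"""
    return any(pan in str(v) for v in record.values())


if __name__ == "__main__":
    key = secrets.token_bytes(32)      # stand-in for a key fetched from a KMS
    rec = record_for_storage(SAMPLE_PAN, key)
    print(rec)
    print("PAN leaked:", leaks_pan(rec, normalize_pan(SAMPLE_PAN)))
```

The point of `leaks_pan` is the check a reviewer actually runs against a schema: if the card number can be reconstructed from what is stored, the scan result is beside the point, because the data Visa says should not be there still is.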

Ethnography and Security

Since 2000 I have been actively integrating anthropological perspectives, methods and theory into business practices in order to enhance information security policies and procedures. Many companies say that this approach has been uniquely successful in both uncovering the true source of risk and giving them a handle on how to achieve better information security.

For example, the recent TSSI ‘Dishonest Britain’ Survey provides exactly the kind of data that a security practitioner needs to be aware of before s/he engages in an identity management project:

Dishonesty and fraud are widespread in the UK, with nearly half of people admitting to forgery and one in ten to low level identity fraud. A quarter of Britons confessed to exaggerating their educational qualifications to gain employment.

Worryingly, with the prevalent terrorist threat, 10 per cent had misused ID access control systems by impersonating someone else or had assisted someone else to do so, and 32 per cent admitted conning their way past security personnel. 21 per cent owned up to having used fake identity cards.

The survey sample was 1,000 people and, perhaps most relevant to general security, one in seven (140 people) confessed to spying on people entering PINs, pass codes and passwords.

While some initially react to Anthropology as an esoteric branch of learning, the practical application or exercise of ethnography in a corporate setting can have very real rewards, including significant savings related to solutions that have a much higher rate of adoption and success. Personally I have found controls are significantly weaker when cultural differences have not been considered. This is especially true in groups that are either highly diverse or that have not had sufficient time to develop a common understanding around “safety” or “reasonable” security.

I find great promise in the fact that some major corporations are starting to take cultural relativism seriously and have hosted an Ethnographic Praxis in Industry Conference (EPIC), which claimed “By understanding people; what they do, how they do it, and how these change over time, we can create better corporate strategies, processes, and products, as well as enhance and simplify people’s lives.” Yes, exactly.

A presentation called “The Worst Technology for Girls?” reportedly gave insight into “how teen girls use technology in relation to privacy practices in their everyday lives”. This sounds like it might have been related to the news about a British teenage girl’s ankle-tag dilemma, as reported earlier this year.

Perhaps next year there will be an information security track to explore topics like what constitutes “dishonesty”, “spying” or “borrowing” for different groups and why these “violations” are far more common than we might like to admit.

OldBoy

A strange and sometimes violent movie, OldBoy sprinkles dark humor in among the scenes of torture and fist-fights to lighten things up now and again. I couldn’t help but chuckle when a man found three chopsticks on his meal tray and opined (roughly translated):

  All I could think now
  was that my neighbor next door
  ate with one chopstick

The production is Korean, but it’s definitely a Japanese story. Perhaps most interesting, at least from a security perspective, is that the protagonist is suddenly free from solitary confinement after fifteen years but entirely unsure about who imprisoned him or why in the first place. Like Kafka’s Joseph K, he sets out to figure out what his crime might have been and in the process continuously stumbles into the question of whether to trust anything or anyone.

the poetry of information security