FTC Delay of Identity Theft Rules A Reprieve For Businesses
The Federal Trade Commission has once again delayed enforcing new regulations that would require lawyers, accountants, and a sweeping number of other businesses to have procedures for detecting possible identity theft. The agency said it will not begin enforcing its so-called “red-flag rules” until December 31, six months after they were supposed to go into effect. The delay gives business owners and others some breathing room while the FTC sorts out exactly who would be covered by the rules. Read the full Portfolio article here.

Data Breaches Persist in Healthcare
In September 2009, the Obama administration’s Health Information Technology for Economic and Clinical Health (HITECH) Act went into effect, requiring hospitals and other health care organization to beef up client data protections. Despite this, a recent study found that health care data is still hemorrhaging from peer to peer networks. A peer-to-peer, commonly abbreviated to P2P, is any distributed network architecture composed of participants that make a portion of their resources (such as processing power, disk storage or network bandwidth) directly available to other network participants, without the need for central coordination instances (such as servers or stable hosts). Read the full CIO post here.

Community Hospital of San Bernardino Fined for Data Breach
For violations of patient confidentiality, the state Department of Public Health fined Community Hospital of San Bernardino $325,000. The hospital was assessed a $250,000 fine for unauthorized access of 204 patients’ medical information by one employee. A fine of $75,000 was added after the facility failed to prevent the unauthorized access of three patients’ medical information in a separate case. Diane E. Nitta, the hospital’s administrator, said the hospital has “enhanced staff education efforts around patient privacy (and) put in place expensive security measures that guard against inappropriate access to our patients’ records. Read the full article from The Sun here.

Government Pushing to Control Internet
For the past decade, the federal government has been moving to gain effective control over the internet. Now, thanks to legislation just crafted by Sen. Joseph Lieberman of Connecticut, the government may finally realize its goal of being able to control virtually all aspects of the vast internet, including private internet systems. The decade-long process began in earnest in 2001, when the Bush Administration secured passage of legislation giving it jurisdiction to prosecute computer hackers anywhere in the world if the packets of information traveled through a U.S. computer or router and affected a “federal interest computer.” Read the full AJC post here.

U.S. Hampered in Fighting Cyber Attacks, Report Says
The U.S. government’s ability to counter cyber attacks against its nonmilitary computer systems is largely ineffective, according to a report from an internal watchdog released last week. The Homeland Security Department branch that monitors cyber attacks can’t force other agencies to protect their systems, is woefully understaffed and its ability to manage responses to cyber attacks has been hindered by constant turnover, said the department’s inspector general. The department’s U.S. Computer Emergency Readiness Team, known as US-CERT, also withheld data from other federal agencies that could have helped them address security breaches, the report found. Read the full WSJ post here.

Wanted: Young Cyber Experts to Defend Internet
Nationwide campaigns to steer youthful techies into careers defending the Internet are gaining steam. The federal government, education officials and giant military contractors are collaborating to recruit a new class of tech professional specifically trained to battle data thieves, online scammers and cyberspies. The recruitment tool of choice: competitions that pit tech-savvy youths in mock warfare against professional hackers. This year, the Collegiate Cyber Defense Competition drew teams from 83 colleges and universities, up from five schools in 2005. Boeing hired seven contestants to help defend its internal networks, which are prime targets for corporate and military spies. Read the full USA Today post here.

The Unreadiness Team
THE REPORT is chilling. Optimistically titled “U.S. Computer Emergency Readiness Team Makes Progress in Securing Cyberspace, but Challenges Remain,” it paints a disturbing picture of a national security disaster waiting to happen. The U.S. Computer Emergency Readiness Team, or CERT, established in 2003 to coordinate national cyber-defense efforts, is an arm of the Department of Homeland Security (DHS) tasked with “analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating cyber incident response activities.” But this vast responsibility has come with little and confusing authority. Read the full Washington Post Op-Ed here.

ID Theft Rule Still Applies to Physicians, FTC Says
The Federal Trade Commission rejected organized medicine’s request to exempt physicians and other health care professionals from an identity theft prevention regulation, despite a recent court decision excluding attorneys from the rule. A 2009 ruling by the U.S. District Court for the District of Columbia found that the FTC exceeded its authority in enforcing its “red flags” rule against lawyers. But in a March 25 letter to the American Medical Assn. and other health care organizations, the commission said it was unclear whether the ruling, if upheld, would apply outside of the legal profession. The FTC is appealing the decision in the case, brought by the American Bar Assn. Read the full American Medical News article here.

Paradise Lost: A Decade of Data Breaches
Do you think the moat around Australia extends around your business and hackers won’t target you? It doesn’t, and research says data breaches will be the elephant-in-the-conference-room at your next IT meet. Australia has to date been sheltered from much of the painful data breach disclosure laws sweeping the world, and organizations here appear to have avoided the high-profile hacks that have plagued others over the last decade. But are we as lucky as it would appear? Read the full Network World article here.

Data breached? Culprit Could be a Former Employee
So your data are encrypted, and you have access controls on your computer systems to prevent outside attacks from hackers. But you’re still not totally protected from unauthorized outside access. Your former employees may be able to get back into your system. Many practices and hospitals focus on how to prevent current employees from snooping or stealing information, but they forget about people who have left the organization and still could do damage. Read the full American Medical News article here.

Senators Question Cyber Command Nominee
The Obama administration’s candidate to lead the U.S. effort against cyber warfare assured lawmakers Thursday he can successfully balance the strategic military, technological, and cooperative aspects of the job he hopes to take on. In his confirmation hearing last week before the Senate Armed Services Committee, Lt. Gen. Keith Alexander fielded questions about how he would perform in a position created only last year to perform a task some lawmakers themselves admittedly don’t quite understand. Read the full InformationWeek story here.

Targeted Cyberattacks Testing IT Managers
Targeted cyberattacks of the sort that hit Google Inc. earlier this year are testing enterprise security models in new ways, and they represent an imminent threat to sensitive corporate data. State-sponsored groups with deep technical skills and computing resources have long been directing such attacks against government and military targets. However, Google’s disclosure in January that its network was attacked by China-based hackers stoked long-standing fears that cybercrooks would expand their horizons and start aiming targeted attacks at commercial networks. Read the full Computerworld story here.

UN Split on Cybercrime Conventions
A United Nations committee on international crime prevention is split on how to deal with cybercrime. Some countries want the existing European convention to be adopted worldwide, while others want a completely new agreement to be created. At the UN Congress on Crime Prevention and Criminal Justice in Brazil last week nations debated how to tackle what they agreed was a major and growing problem. Delegates identified the main problems as computer-based fraud and forgery, illegal interception of private communications, interference with data and misuse of electronic devices, according to a UN-published account of the meeting. Read the full Register article here.

Happy Monday!

According to this article from CMIO, The FTC’s interpretation of the regulation imposes an unfunded mandate on healthcare professionals for detecting and responding to identity theft, according to the organizations. In the letter, they asked the FTC to make it clear that the rule will not apply to their members given the result of recent litigation brought by the American Bar Association against the FTC where the U.S. District Court for the District of Columbia ruled that lawyers should be excluded from the requirements imposed by the “red flags” rule.

What do you all think about this? George Hulme the Healthcare blogger for InformationWeek had this to say: Step up and protect your customers from identity theft.

We believe that George has a valid point. Healthcare providers deal with sensitive customer information that can easily be compromised. Even though the Red Flags rule may be cumbersome to meet the requirements, what is the alternative? Having patients accept the responsibility when they become victims of identity theft? Wouldn’t it be better to have steps in place to ensure that this data is protected? We welcome all thoughts and feedback!

In early July 2009, BITS, the technology and operations division of the Financial Services Roundtable, submitted a comment letter to the OCC revealing significantly higher compliance burden estimates. The letter is based on the results of a June 2009 survey of eleven Roundtable/BITS member companies representing a diverse mix of banking, brokerage, consumer finance, and insurance products, responded to the survey.  The average amount of time spent on a “red flags” program was 2,650 hours with a low of 250 hours and 5,000 hours.  To view the comment letter, click here.

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) requires financial institutions that hold critical customer information to develop identity theft “red flags” programs for new and existing accounts by November 2008.  Since the agencies issued the proposed rule in 2006, BITS has worked with member financial institutions and regulators to understand the new regulation and to develop cost effective compliance strategies.  Our efforts include:
•    Submitting a detailed comment letter in 2007 to the regulatory agencies on a proposed regulation.
•    Convening a dozen conference calls with members and regulators to understand the rule and discuss compliance strategies.
•    Submitting questions for the Frequently Asked Question document (FAQ) in 2008.
•    Engaging credit bureaus, U.S. Postal Service and others on address discrepancy requirements.
•    Conducting two member surveys on implementation challenges and compliance burden.

An integral part of identity theft red flags programs is reliance on the Identity Theft Assistance Center (ITAC).  Federal financial regulators have begun examinations of financial institutions and the early indications are that financial institutions have developed robust and acceptable ID Theft Red Flags programs.

John Carlson is Senior Vice President of BITS/Financial Services Roundtable where he manages relationships with regulatory agencies and engages experts from financial institutions on information security, operational risk, vendor management, fraud risk, and business continuity planning. BITS is the technology and operations division of the Financial Services Roundtable. On June 11, the federal financial regulators and the Federal Trade Commission jointly issued answers to 37 frequently asked questions (FAQs) on the ID Theft “Red Flags” regulation. The FAQs are available on all of the agencies websites and here is a link to the FDIC’s website.

John Carlson, Senior Vice President of Regulatory Affairs for BITS/Financial Services Roundtable, was able to sit down for a video interview with with SearchFinancialSecurity.com to discuss compliance and the key elements for building an identity theft prevention program. In addition, check out this Q&A we did with Mr. Carlson back in May.

You can view the video interview with Mr. Carlson here.