cissp CISSP training Certified Information Systems Security Professional: Law & Legalities


BYODs: Fair Game for Litigation?
Posted by boss on Sunday, 17 February 2013 @ 09:31:03 CET (2238 reads)
Topic Law & Legalities

cdupuis writes "

See below a blog post from the ComputerWorld Mobile Blog in which CCCure's long-time friend and author of the best CISSP Cram Study, Mr. Michael Overly, is being referenced. Michael is really one of the most knowledgeable lawyers I know when it comes to IT and its many legal issues, such as Bring Your Own Device (BYOD). Companies only think about saving money in the short term, but there are many legal issues that can bite you back very quickly in the longer term. See a few examples below:

Blog post by Joanie Wexler, Community Manager, Feb 15 2013

Trying to protect the rights of both employees and the enterprise in a BYOD environment can be a mind-numbing exercise. First, there are so many situations that can crop up that it’s hard to anticipate – and thus have a policy for – them all. Another issue is that precedent hasn’t been set yet for many situations. 

We all know that the protection of corporate data is paramount. At the same time, most organizations don’t want to be liable for eliminating personal content from a user’s device. Or to get sued for invasion of privacy because location-tracking is activated and the company is perceived as following BYOD users around on their personal time. 

Michael Overly, an attorney at Foley & Lardner LLP in Los Angeles, points out a few other situations to consider that might not automatically jump to mind, too. For example, if the workplace can now be anywhere and everywhere, does workmen’s comp kick in if someone falls down a manhole while sending a work-related text?  Unclear. 

My favorite, perhaps, is the story of the employee who had (allegedly) written a novel on his BYOD laptop and hadn’t backed it up. When his employer remotely wiped all data from the laptop for security reasons, the only copy of the would-be Great American Novel went with it. The employee sued, and the company settled, Overly tells me. 

Some other points to ponder: 

Forwarded email liability: If your policy is to keep, say, 60 days' worth of emails at a time, and data created earlier than that time period is subpoenaed, the CIO may tell authorities that the data isn't available. But what if an employee has been forwarding email to a personal account? The user's device might be subject to discovery and litigation, Overly warns.

Software licensing: If a user has licensed an application - say, Microsoft Office Home - for personal use and uses it at work, should there be another software license? The same question could be asked if the employee is using Microsoft Office at work and he or a family member or friend uses it for personal use. The answer is “probably.” 

Border patrol search and seizure: Overly also points out that border patrols have full rights to search and seizure of any devices. This could be an argument for using cloud services in some companies to make sure data isn't lost, Overly says.

Have you run into any seemingly unanswerable questions about BYOD liability or experienced ground-breaking BYOD outcomes or precedent that you can share for the EMH community’s education? The EMH welcomes your input.

Join and participate in this great discussion at:



SOPA and PIPA -- What's in it for you
Posted by boss on Thursday, 19 January 2012 @ 13:20:31 CET (2614 reads)
Topic Law & Legalities

cdupuis writes "

As seen on one of my hosting company's mailing lists:

Greetings Site5 Customers!

The U.S. Congress is currently considering two bills -- one in the House of Representatives called SOPA (Stop Online Piracy Act) and another in the Senate called PIPA (Protect IP Act). These bills both attempt to use similar methods to further criminalize and police intellectual property infringement. Although protecting intellectual property is important, these bills would use heavy-handed tactics that would censor and splinter the Internet.

SOPA and PIPA would grant the U.S. government the ability to block almost any website on the Internet if the site is perceived to be an "infringing site." Search engines would be required to remove the site from their search listings, payment processors and advertisement networks would be forbidden from doing business with the site, and ISPs could be forced to block access to the site for Americans. The bill provides little detail about what would constitute an infringing site, which makes the potential for abuse far greater. We have already seen how these kinds of systems can be abused. In 2010, ICE (Immigration and Customs Enforcement) mistakenly seized a domain name belonging to a music blog and labeled it as a "rogue site" -- the domain name was not returned until a year later (source: http://nyti.ms/uF73mZ). If you would like to see a video explanation of how the bill works and its dangers, please go here: http://vimeo.com/31100268

Site5 has publicly declared our opposition to both bills, and we encourage you to do the same. Contact your representatives in Congress to let your opposition to these bills be known! To locate the contact information for your representatives, visit one of the following websites:


If you're located outside the United States, you can let your voice be heard as well by sending your thoughts via this website:


Another way to get involved in the fight against SOPA and PIPA is to join in on the blackouts. Many well-known websites such as Wikipedia, Google, and Reddit are demonstrating their opposition, and you can too. Site5 has sponsored a WordPress plugin for participating in blackouts, and it features an easy setup and configuration options within the WordPress admin area:


We feel very strongly that the future of the Internet is at stake, and we urge everyone to get involved!


The Site5 Management Team



Obama Offers Breach Notification Bill Federal Law Would Supersede State Laws
Posted by boss on Friday, 13 May 2011 @ 10:23:27 CEST (3554 reads)
Topic Law & Legalities

cdupuis writes "
As seen on the www.bankinfosecurity.com website:

Obama Offers Breach Notification Bill
Federal Law Would Supersede State Laws
Howard Anderson, Executive Editor, HealthcareInfoSecurity.com
May 12, 2011

The Obama administration has proposed adoption of a federal data breach notification policy that would supersede the divergent laws now in effect in most states. The policy is a component of a comprehensive cybersecurity legislative agenda that the White House unveiled Wednesday.

The proposed policy would not apply to healthcare organizations and their business associates that already must comply with the HITECH Act breach notification rule, which has similar requirements. Otherwise, the policy would apply to for-profit and not-for-profit business entities that engage or affect interstate commerce and use, access, transmit, store, dispose of or collect sensitive personally identifiable information about more than 10,000 individuals during any 12-month period.

The policy would require the reporting of security breaches to the Federal Trade Commission, and the individuals affected, within 60 days unless there is no reasonable risk of harm or fraud. The FTC can grant a business entity an extension of up to 30 days to allow time for the entity to conduct further investigation. The proposal defines a breach as a "compromise of the security, confidentiality or integrity of, or the loss of, computerized data" that results in "unauthorized acquisition of sensitive personally identifiable information or access to that information that is for an unauthorized purpose."

The proposed policy would include two major exemptions, or safe harbors. A business would be exempt from the notification requirements if it conducted a risk assessment that concluded that there is no reasonable risk that a security breach has harmed individuals whose sensitive personally identifiable information was subject to the breach. Also, a breach would not have to be reported if the data were rendered unusable, unreadable or indecipherable through a security technology or methods generally accepted by IT security experts.

The president's proposal also includes a financial fraud prevention exemption in which a business would be exempt if it participates in a security program that effectively blocks the use of the sensitive personally identifiable information to initiate unauthorized financial transactions before they are charged to the account of the individual and provides for notice to affected consumers after a security breach that has resulted in fraud or unauthorized transactions.

Enforcement

The FTC would be responsible for enforcement, along with state attorneys general, who could take civil action against violators. Civil penalties would total up to $1,000 a day per individual affected by a breach, up to a maximum of $1 million a violation unless such conduct is found to be intentional.

Besides notifying the FTC and individuals affected, businesses would have to notify the local news media if more than 5,000 individuals were affected by the breach within any state. For these larger breaches, businesses also would have to notify national credit reporting agencies.

Certain breaches also must be reported to an entity designated by the Secretary of Homeland Security. These include: cases affecting more than 5,000 individuals; breaches involving a database containing information on more than 500,000 individuals nationwide; breaches involving databases owned by the federal government; or breaches involving employees or contractors to the federal government involved in national security or law enforcement.

In addition to the White House proposal, Rep. Cliff Stearns, R-Fla., and Rep. Jim Matheson, D-Utah, introduced this week H.R. 1841, the Data Accountability and Trust Act of 2011. An aide to Stearns says the measure is similar to earlier legislation that passed the House Energy and Commerce Committee in 2006. Like the White House proposal, the bill would require institutions to notify consumers of security breaches unless there is no reasonable risk of identity theft.



EU proposes online right 'to be forgotten'
Posted by boss on Wednesday, 10 November 2010 @ 20:49:49 CET (2034 reads)
Topic Law & Legalities

stwilke81 writes "

Users could sue websites for invading their privacy and would have a right to be “forgotten” online, under new proposals from the European Union. It has drafted potential legislation that would include new, unprecedented privacy rights for citizens sharing personal data.

Aimed in particular at the users of social networks such as Facebook and major sites such as Google, the move marks another step in the ongoing battle between information commissioners and major websites. Google in particular has been criticised recently by privacy groups around the world for collecting Wi-Fi data while it was mapping roads for its Street View service.

The proposed EU rules are called "A comprehensive approach on personal data protection in the European Union", and suggest that an online "right to be forgotten" and to privacy could be enshrined in criminal law.

The “right to be forgotten” would give users the power to tell websites to permanently delete...




£2.28 million fine for Zurich Insurance's data loss
Posted by boss on Monday, 30 August 2010 @ 06:03:38 CEST (1925 reads)
Topic Law & Legalities

cdupuis writes "

Zurich Insurance's UK branch has been fined £2.27 million by the Financial Services Authority (FSA) as punishment for losing the details of 46,000 customers.

Zurich lost an unencrypted backup tape which contained the data while it was being transferred to a South African data storage centre in 2008. The records included customer identities, bank account, credit card and other financial information.

The company did not become aware of the loss until a year later. The fine is, to date, the largest company fine for a single data loss although HSBC were fined £3 million in 2009 for a number of separate losses of customer data.

Because the company agreed to settle early on in the investigation by the FSA, the fine was reduced by 30%.

Without that cooperation the fine would have been £3.25 million. Margaret Cole, the FSA's director of enforcement and financial crime, said the company had "let its customers down badly", noting that the company failed to effectively oversee its outsourcing and lacked full control of the data being processed in South Africa.

"Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made" added Cole. The FSA say that, according to Zurich UK, there is no evidence that the lost data has been misused.



Bank fined $9.7 million over poor governance
Posted by boss on Sunday, 29 August 2010 @ 23:41:56 CEST (2089 reads)
Topic Law & Legalities

cdupuis writes "Note from Clement:

This shows clearly that IT security is NOT only a technical issue. If management fail to exercise due care and due diligence and play the role they are supposed to, they will be found guilty and will pay the price dearly. In this case it is the law that caught them, but the next time it might be a large-scale compromise. You have to implement proper security, and that includes audit, enforcement, and constant review. See the article below:

Bank fined $9.7m over poor IT governance

Liam Tung | Aug 5, 2010 9:22 AM

RBS' IT systems could have let fraud go unmonitored.

UK financial services regulator the Financial Services Authority [FSA] has fined the Royal Bank of Scotland (RBS) £5.6 million (A$9.7 million) for implementing shoddy IT systems which left it in breach of the country’s money laundering laws.

The bank had implemented its treasury IT system in 2006, which was meant to screen incoming and outgoing cross-border payments.

According to the FSA, RBS neglected to check the accuracy of the systems since its implementation.

“After the initial set up, the results produced by the screening filters were not routinely reviewed or monitored by RBSG to ensure that they were appropriate.

"This meant that over time the ‘fuzzy matching’ parameters initially set by RBSG became significantly less effective at identifying potential matches,” the authority said in its decision notice this week.

For two years the bank failed to screen a single incoming payment from a foreign source. It also missed the bulk of outgoing payments by its customers, except those destined for the US.

“RBSG’s automated screening failed to screen the majority of trade finance SWIFT messages generated in the international trade transactions that it carried out,” said the FSA.

Under UK laws financial institutions are meant to match customer transactions to the government’s treasury list, known as Her Majesty’s Treasury. The Treasury’s Asset Freezing Unit (AFU) maintains a list of people identified by the United Nations, the European Union and the UK. If the financial institution identifies a transaction that may correlate to a person on that list, it must stall the payment until it determines whether it is an exact match. If it is the bank should alert the AFU.

The FSA said it could have fined RBS $13.8 million, but offered RBS a 30 percent discount for not challenging its decision.
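The article describes two control failures: a whole flow (incoming payments) bypassing the screening filter, and fuzzy-matching parameters that were never re-tested after initial set-up. The following is an added example, not code from the article, the FSA or RBS, showing how a simple watch-list screen works and what "routinely reviewing the results" can look like in practice. The watch list, payments, threshold and seeded test spellings are all constructed for illustration; real screening uses the regulator's list and a much more capable matcher, but the two checks at the end apply regardless of the matcher.

```python
"""Watch-list payment screening with fuzzy name matching, plus two
control-effectiveness checks: per-direction coverage and a replay of
seeded near-miss spellings to detect matching drift.  Everything here
(names, payments, thresholds) is constructed for illustration."""
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Dict, List, Optional, Set, Tuple

# Constructed watch list for illustration only; not HM Treasury / AFU data.
WATCH_LIST = ["Ivan Petrov", "Acme Trading Ltd", "Maria Gonzalez"]


@dataclass(frozen=True)
class Payment:
    ref: str
    direction: str        # "incoming" or "outgoing"
    counterparty: str


@dataclass(frozen=True)
class ScreeningConfig:
    threshold: float      # fuzzy score at or above which a payment is held
    directions: Set[str]  # flows the filter is actually applied to


@dataclass(frozen=True)
class Decision:
    ref: str
    status: str           # "clear", "hold", "alert" or "unscreened"
    matched: Optional[str]
    score: float


def normalize(name: str) -> str:
    """Lower-case, replace punctuation with spaces, collapse whitespace."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", name.lower()).split())


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1]; exactly 1.0 only when names are identical after normalisation."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def screen(payment: Payment, watch_list: List[str], cfg: ScreeningConfig) -> Decision:
    """Exact match -> alert (report to the list owner); fuzzy match -> hold pending
    review; otherwise clear.  Flows missing from cfg.directions bypass the filter
    entirely, which is the misconfiguration coverage_report() is meant to expose."""
    if payment.direction not in cfg.directions:
        return Decision(payment.ref, "unscreened", None, 0.0)
    best_name, best_score = max(
        ((name, similarity(payment.counterparty, name)) for name in watch_list),
        key=lambda pair: pair[1],
    )
    if best_score == 1.0:
        return Decision(payment.ref, "alert", best_name, best_score)
    if best_score >= cfg.threshold:
        return Decision(payment.ref, "hold", best_name, best_score)
    return Decision(payment.ref, "clear", None, best_score)


def coverage_report(payments: List[Payment], watch_list: List[str],
                    cfg: ScreeningConfig) -> Dict[str, Tuple[int, int]]:
    """(screened, total) per direction.  A zero in 'screened' for a direction
    that carries traffic means an entire flow is bypassing the filter."""
    report: Dict[str, Tuple[int, int]] = {}
    for p in payments:
        d = screen(p, watch_list, cfg)
        screened, total = report.get(p.direction, (0, 0))
        report[p.direction] = (screened + (d.status != "unscreened"), total + 1)
    return report


def control_test(watch_list: List[str], cfg: ScreeningConfig,
                 seeded_variants: List[str]) -> List[str]:
    """Replay seeded near-miss spellings of listed names and return those the
    filter clears.  Scheduled regularly, a growing miss list shows that a
    threshold or list change has weakened matching, instead of it going
    unnoticed for years."""
    misses = []
    for variant in seeded_variants:
        probe = Payment("probe", next(iter(cfg.directions)), variant)
        if screen(probe, watch_list, cfg).status == "clear":
            misses.append(variant)
    return misses


if __name__ == "__main__":
    cfg = ScreeningConfig(threshold=0.85, directions={"outgoing"})  # incoming bypassed
    sample = [Payment("a", "incoming", "Ivan Petrov"), Payment("b", "outgoing", "Bob Smith")]
    print("coverage:", coverage_report(sample, WATCH_LIST, cfg))
    print("misses:", control_test(WATCH_LIST, cfg, ["Ivan Petrof", "I. Petrov"]))
```

Running the two checks on a schedule is the point: the coverage report makes an unscreened direction visible as a zero, and the seeded replay turns a silently weakened threshold into a concrete list of names the filter no longer catches.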



Melissa Hathaway's Nine Cybersecurity Bills to Watch
Posted by boss on Saturday, 29 May 2010 @ 11:10:07 CEST (2525 reads)
Topic Law & Legalities

cdupuis writes "
As seen on the great GovInfoSecurity web site at:

A nice report was created by Melissa Hathaway on current cybersecurity bills to watch. It is definitely a nice high-level overview of the many acts, laws, and bills related to cybersecurity. Do get a copy of the report in PDF format. You have the link below:

May 21, 2010 - Eric Chabrow
Melissa Hathaway probably knows more about what's going on with cybersecurity legislation before Congress than even the lawmakers who sponsor these bills; heck, she likely understands more about these measures than the key staffers who are the brains behind them.

Since leaving the White House last summer, Hathaway - who led President Obama's 60-day cyberspace review last year - has become involved in a variety of IT security ventures, including becoming a senior adviser at the Belfer Center for Science and International Affairs at Harvard University's Kennedy School of Government. There she conducts research and writes about IT security. One of her projects is to track cybersecurity legislation before Congress.

Hathaway this past week completed a 31-page report documenting some 40 IT security bills before Congress. The report provides an analysis on the wide range of topics they address including organizational responsibilities; compliance and accountability; data accountability, personal data privacy, data breach handling and identity theft; cybersecurity education, research and development and grants; critical electric infrastructure protection and vulnerability analysis; international cooperation on cybercrime; and procurement, acquisition and supply-chain integrity.

Here are nine bills Hathaway characterized as "legislation to watch," along with her analysis of them:

  • Data Breach Notification Act, S 139, would normalize the 46 state data breach laws into one national umbrella. It may be expanded to include more than personal identifiable information. "One issue with this bill is that it would consolidate all reporting to the U.S. Secret Service, which is not helpful for broader information sharing with industry or across government."
  • Data Accountability and Trust Act, HR 2221, was approved by the House in December and requires internet service providers to make victims aware of infections if they see a breach across their networks. "It will be interesting to see if this is extended to those services who may also be able to determine if there is anomalous behavior on the broader backbone."
  • International Cybercrime Reporting and Cooperation Act, S 1438 and HR 4692, requires the president to produce an annual report to Congress providing an assessment of every country's level of information and communications technology utilization and development; assesses how each country's legal, law enforcement and judicial systems address cyber crime and protect commerce and consumers. "This bill met discord from software and hardware companies and their associated lobbying organizations (e.g., BSA, Tech America) because there is language that there will be imposed sanctions on countries who have demonstrated five years of 'bad behavior.'"
  • Cybersecurity Enhancement Act, HR 4061, which passed the House in February. Among its key provisions: creating an office for a national coordinator for IT security research and development. "While this is a non-controversial piece of legislation because it supports R&D efforts focused on identity management technologies and usability, authentication methods, and privacy, it's not clear how the new office will interact with the current [White House Office of Science and Technology Policy] responsibilities."
  • FISMA II, S. 921 - also known as the United States Information and Communications Enhancement Act or U.S. ICE - updates the Federal Information Security Management Act of 2002 from compliance driven (check-list) to measures that are performance based and could address IT procurement reform.
  • Intelligence Authorization Act, HR 2071, strengthens America's intelligence capabilities, and improves congressional oversight of our intelligence agencies. The measure also contains multiple congressionally directed actions for the Comprehensive National Cybersecurity Initiative. "It provides our intelligence community with the tools and resources to train more officers, expand language skills, strengthen cybersecurity efforts and more effectively prevent the spread of weapons of mass destruction."
  • Cybersecurity Act of 2009, S 773, combines audits, industry-developed and government-backed standards, increased information-sharing and other mechanisms to bolster private-sector cybersecurity. The measure, also known as the Rockefeller-Snowe Bill, establishes a presidential-level cybersecurity advisory panel and a national clearinghouse for information sharing, extends the Scholarship for Service program and increases the National Science Foundation's budget for R&D.
  • The Grid Reliability and Infrastructure Defense Act, HR 5026, amends the Federal Power Act and directs the Federal Energy Regulatory Commission to protect the electric transmission and distribution grid from vulnerabilities. In addition to providing authority to address immediate threats, the GRID Act would also give FERC authority to require measures to protect against system vulnerabilities if it finds that the North American Electricity Reliability Corp. standards are insufficient. If enacted, the legislation would provide a security framework for the smart grid.
  • Energy and Water Appropriations Act 2010 has already been signed by President Obama. It appropriates $46.5 million for energy delivery cybersecurity, an increase of $34.5 million from 2009, that will be used to develop secure grid technologies as cyber attacks increase worldwide and the grid becomes increasingly network-connected. It also establishes a National Cyber Center for the grid.

Hathaway concludes her report, calling on congressional leaders to set legislative priorities for cyberspace.



White House Updates Cybersecurity Orders - Stop wasting money and paper
Posted by boss on Sunday, 25 April 2010 @ 22:47:40 CEST (2900 reads)
Topic Law & Legalities

Anonymous writes "

As seen on the great Infowarrior mailing list from Attrition.org:

White House Updates Cybersecurity Orders

The three-pronged approach should help federal agencies do away with wasteful compliance spending and encourage improved security, say White House officials.

By J. Nicholas Hoover


The White House issued new cybersecurity marching orders to government agencies Wednesday, which top officials say will help redirect government efforts from wasteful paperwork compliance toward continuous monitoring and patching and more effective cybersecurity spending.

Many observers both inside and outside government have come to the conclusion that the government’s cybersecurity reporting requirements, as currently implemented, have created an environment in which expensive annual compliance reports that cut into real cybersecurity have become the norm. “These reports ended up being more secure in the cabinets they were living in than were the systems they were meant to protect,” federal CIO Vivek Kundra said in a conference call with reporters and White House cybersecurity coordinator Howard Schmidt.

Agencies have been spending as much as $1,400 per page on those reports under requirements of the Federal Information Systems Management Act. The Department of State alone has spent $133 million in the last six years just on FISMA compliance. However, numerous questions continue to arise about the effectiveness of agencies’ cybersecurity efforts. That kind of waste has led to simultaneous moves by the White House, the National Institute for Standards and Technology (which has power to set FISMA standards), and Congress to overhaul or refocus FISMA and other federal cybersecurity requirements.

The new policy outlines what Kundra described as a “significant departure” from the way cybersecurity has been measured and managed in government. It is contained in an Office of Management and Budget memo penned by federal chief performance officer Jeffrey Zients, Kundra, and Schmidt, and developed with input from federal CIOs.

Kundra and Schmidt said on the conference call that the new policy points toward continuous monitoring and patching of federal systems, and also toward the deployment of cybersecurity systems that better position the government against constantly evolving threats.

The guidance takes a “three-tiered approach” to FISMA that includes automatic reporting of cybersecurity data feeds directly from agency security and management tools to a tool hosted by the Department of Homeland Security; government-wide benchmarking on agencies’ security postures; and agency-specific interviews to help determine the needs and proper metrics for individual agencies.

First, agencies will be required to feed cybersecurity information directly and in near real-time from their own security management tools into the recently implemented Cyberscope security reporting tool, which DHS is now operating. The White House is convening with agencies on May 7 to discuss how they will move forward with this plan, and what new metrics will be included in the new reporting.

This automated reporting should both decrease the amount of money agencies are spending on cybersecurity reporting, and also help the White House best determine where and how resources should be spent on cybersecurity across government, said Kundra and Schmidt. “Capital can and should be used to invest in systems that will be actually enhancing security,” Kundra said.

Agencies will begin feeding this data to Cyberscope by June of this year, but Kundra admitted that some agencies will have to make investments in order to get tools like asset management systems and security information management systems in place to feed data to Cyberscope. Some agencies, like the Departments of Justice, Treasury, State, Veterans Affairs, and NASA are already able to report to Cyberscope, and will be among the first to do so. The due date for reporting through Cyberscope is November 15, and those agencies which can’t yet directly feed information into Cyberscope will be able to provide a data feed as an XML upload to Cyberscope.

Along with this new reporting structure will also come new metrics for agencies to use. Those metrics have been developed in concert with the private sector, academic community, and federal CIOs and CISOs. The new data feeds will include summary information about inventory, systems and services, hardware, software, external connections, security training, and identity management and access.

In terms of government-wide benchmarking, CyberScope will be asking agencies a set of questions on their security posture online, rather than in the submission of an annual signed letter to do the same task. The White House will also be carrying out agency-by-agency interviews on cybersecurity. “We recognize not all agencies perform the same mission and function,” Kundra said. “Historically it was just a lowest common denominator approach, but the nature of the threat can be unique to each agency.”

Finally, in addition to the three-pronged approach to overhauling FISMA reporting, the White House memo answers dozens of potential agency questions about FISMA, including some issues outside the scope of the new approach, like whether national security systems fall under this guidance (not typically), who should have the ultimate say over an agency’s security posture (the agency head), and whether SAS 70 compliance audits often used by private sector to determine whether third-party systems are secure is sufficient for FISMA compliance (it depends).



SANS founder slams 'terribly damaging' US cyber security law
Posted by boss on Tuesday, 30 March 2010 @ 11:15:05 CEST (2353 reads)
Topic Law & Legalities

cdupuis writes "


As seen at computerweekly.com at:
Ian Grant
Thursday 25 March 2010 08:05

Federal guidelines on how to protect computer systems did just the opposite, a US congressional committee heard.

In a scathing attack on the Federal Information Security Management Act (Fisma), Alan Paller, founder of the Sans Institute, told the subcommittee on government management organisation and procurement, part of the committee on oversight and government reform, that Fisma slowed down every security process and took away key resources from projects that would allow agencies to act and react quickly to cyber attacks.

Paller welcomed government plans for continuous monitoring of IT systems. "This is the single most important element [of cyber security] you will write into the new law," he said.

Paller said protecting IT systems was like an arms race. "Each time the defenders build a new wall, the attackers create new ways to scale that wall," he said.

He said four "terribly damaging" provisions in federal law had led to wasteful processes that slowed down US defences and "threw away billions of dollars that were acutely needed to protect systems".

The law required clear audit trails, but these had led to "reports that answered the wrong questions", said Paller.

"[They] rewarded ineffective behaviour and created a cadre of people who call themselves security professionals but who proudly admit they cannot implement security settings on systems and network devices or find a programming flaw," he said.

"Fisma had created and rewarded a culture of compliance rather than security," Paller said. Federal and state governments were "radically short of money", but they were forced to spend it on reporting rather than security, he said. "Writers who know how a few words about security and federal regulations now make 50% to 80% more money than the people who actually secure systems and networks and applications," he said. "It is as if we paid the compliance staff at a hospital more than the surgeons.

"The four processes that had led to this situation were the federal information security controls and audit manual, the annual report implemented by federal CIOs and inspectors-general, the certification and accreditation report-writing process and the security controls assessment under Special Publications 800-53," Paller said.

"The people who wrote Fisma, and the people who set up these wasteful processes did not know, and do not know, how the attacks are being carried out and how the threat is changing, so they ask the wrong questions," Paller said.

He said the audit missed key steps in the Centre for Strategic and International Studies' Consensus Audit Guidelines. These steps were critical in the eyes of the National Security Agency, US-CERT, the Department of Energy Labs, the Department of Defense Cyber Crime Center, and forensic IT security specialists "who clean up after attacks and who actively penetrate systems on behalf of the nation".

He said the nation's attention should be on real-time monitoring of its information systems and networks to prevent or mitigate attacks as they happened. "Oversight must be focused on the effectiveness of the agencies' real-time defences," he said. "Anything less continues to waste scarce resources and leaves us unacceptably vulnerable," he said.




Security breach notification law by state
Posted by boss on Thursday, 23 July 2009 @ 06:15:22 CEST (3893 reads)
Topic Law & Legalities

cdupuis writes "NOTE FROM CLEMENT:

I very often get asked in class about which states have or do not have a breach notification law. It seems we are doing well, and only a few states have not enacted such a law.

The following states do not have such laws as of this writing:

Alabama, Kentucky, Mississippi, New Mexico, and South Dakota

Missouri has just passed a law.  See below for a summary and some links to each state's law. As I was looking at the announcement of the Missouri law, I found other interesting information as well, presented below.

1.  The New Missouri law

Missouri has become the 45th state to enact data breach notification legislation. Governor Jay Nixon signed House Bill 62 into law on July 9, 2009. The new law goes into effect on August 28, 2009.

The law contains a broad definition of personal information. In addition to the more common elements of first name or initial and last name in combination with unencrypted Social Security Number, driver’s license number, financial account number, or credit or debit card number, the statute also includes in the definition of personal information first name or initial and last name in combination with an unencrypted:

  • Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
  • Medical information, which includes any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; and
  • Health insurance information, which includes an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual.

Other provisions of interest:

  • If an entity must notify more than 1000 residents, it must notify the Missouri Attorney General’s office and the nationwide consumer reporting agencies of the breach.
  • Civil penalties for violating the statute may reach up to $150,000 per breach of the security of the system.

The full text of the bill is available here.

Original article at:  http://www.digestiblelaw.com/datasecurity/blogQ.aspx?entry=6064&id=34


2. Chart showing details of laws enacted in different states.  From the Perkins Coie Web site:



3.  A nice table with a summary of the laws in different states.  You can find it online on the NCSL website at:


State Security Breach Notification Laws

As of May 26, 2009

Forty-four states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.

State                 Statute
Alaska                2008 H.B. 65
Arizona               Ariz. Rev. Stat. § 44-7501
Arkansas              Ark. Code § 4-110-101 et seq.
California            Cal. Civ. Code §§ 56.06, 1785.11.2, 1798.29, 1798.82
Colorado              Colo. Rev. Stat. § 6-1-716
Connecticut           Conn. Gen Stat. 36a-701(b)
Delaware              Del. Code tit. 6, § 12B-101 et seq.
Florida               Fla. Stat. § 817.5681
Georgia               Ga. Code §§ 10-1-910, -911
Hawaii                Haw. Rev. Stat. § 487N-2
Idaho                 Idaho Code §§ 28-51-104 to 28-51-107
Illinois              815 ILCS 530/1 et seq.
Indiana               Ind. Code §§ 24-4.9 et seq., 4-1-11 et seq., 2009 H.B. 1121
Iowa                  Iowa Code § 715C.1 (2008 S.F. 2308)
Kansas                Kan. Stat. 50-7a01, 50-7a02
Louisiana             La. Rev. Stat. § 51:3071 et seq.
Maine                 Me. Rev. Stat. tit. 10 §§ 1347 et seq., 2009 Public Law 161
Maryland              Md. Code, Com. Law § 14-3501 et seq.
Massachusetts         Mass. Gen. Laws § 93H-1 et seq.
Michigan              Mich. Comp. Laws § 445.72
Minnesota             Minn. Stat. §§ 325E.61, 325E.64
Montana               Mont. Code § 30-14-1701 et seq., 2009 H.B. 155, Chapter 163
Nebraska              Neb. Rev. Stat. §§ 87-801, -802, -803, -804, -805, -806, -807
Nevada                Nev. Rev. Stat. 603A.010 et seq.
New Hampshire         N.H. Rev. Stat. §§ 359-C:19, -C:20, -C:21
New Jersey            N.J. Stat. 56:8-163
New York              N.Y. Gen. Bus. Law § 899-aa
North Carolina        N.C. Gen. Stat § 75-65
North Dakota          N.D. Cent. Code § 51-30-01 et seq.
Ohio                  Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192
Oklahoma              Okla. Stat. § 74-3113.1 and 2008 H.B. 2245
Oregon                2007 S.B. 583, Chapter 759
Pennsylvania          73 Pa. Stat. § 2303
Rhode Island          R.I. Gen. Laws § 11-49.2-1 et seq.
South Carolina        2008 S.B. 453, Act 190
Tennessee             Tenn. Code § 47-18-2107
Texas                 Tex. Bus. & Com. Code § 48.001 et seq.
Utah                  Utah Code §§ 13-44-101, -102, -201, -202, -310
Vermont               Vt. Stat. tit. 9 § 2430 et seq.
Virginia              Va. Code § 18.2-186.6
Washington            Wash. Rev. Code § 19.255.010
West Virginia         W.V. Code §§ 46A-2A-101 et seq.
Wisconsin             Wis. Stat. § 134.98 et seq.
Wyoming               Wyo. Stat. § 40-12-501 to -501
District of Columbia  D.C. Code § 28-3851 et seq.
Puerto Rico           10 Laws of Puerto Rico § 4051 et seq.
Virgin Islands        V.I. Code § 2208

(Read More... | Score: 0)

Senate Legislation Would Federalize Cybersecurity
Posted by boss on Thursday, 02 April 2009 @ 09:48:11 CEST (2600 reads)
Topic Law & Legalities

cdupuis writes "

As seen in the Washington Post online:

Senate Legislation Would Federalize Cybersecurity
Rules for Private Networks Also Proposed

By Joby Warrick and Walter Pincus
Washington Post Staff Writers
Wednesday, April 1, 2009; A04

Key lawmakers are pushing to dramatically escalate U.S. defenses against cyberattacks, crafting proposals that would empower the government to set and enforce security standards for private industry for the first time.

The proposals, in Senate legislation that could be introduced as early as today, would broaden the focus of the government's cybersecurity efforts to include not only military networks but also private systems that control essentials such as electricity and water distribution. At the same time, the bill would add regulatory teeth to ensure industry compliance with the rules, congressional officials familiar with the plan said yesterday.

Addressing what intelligence officials describe as a gaping vulnerability, the legislation also calls for the appointment of a White House cybersecurity "czar" with unprecedented authority to shut down computer networks, including private ones, if a cyberattack is underway, the officials said.

How industry groups will respond is unclear. Jim Dempsey, vice president for public policy at the Center for Democracy and Technology, which represents private companies and civil liberties advocates, said that mandatory standards have long been the "third rail of cybersecurity policy." Dempsey said regulation could also stifle creativity by forcing companies to adopt a uniform approach.

The legislation, co-sponsored by Senate Commerce Committee Chairman John D. Rockefeller IV (D-W.Va.) and Sen. Olympia J. Snowe (R-Maine), was drafted with White House input. Although the White House indicated it supported some key concepts of the bill, there has been no official endorsement.

Many of the proposals were based on recommendations of a landmark study last year by the Center for Strategic and International Studies.

Currently, government responsibility for cybersecurity is split: The Pentagon and the National Security Agency safeguard military networks, while the Department of Homeland Security provides assistance to private networks. Previous cybersecurity initiatives have largely concentrated on reducing the vulnerability of government and military computers to hackers.

A 60-day federal review of the nation's defenses against computer-based attacks is underway, and the administration has signaled its intention to incorporate private industry into those defenses in an unprecedented way.

"People say this is a military or intelligence concern, but it's a lot more than that," Rockefeller, a former intelligence committee chairman, said in an interview. "It suddenly gets into the realm of traffic lights and rail networks and water and electricity."

U.S. intelligence officials have warned that a sustained attack on private computer networks could cause widespread social and economic havoc, possibly shutting down or compromising systems used by banks, utilities, transportation companies and others.

The Rockefeller-Snowe measure would create the Office of the National Cybersecurity Adviser, whose leader would report directly to the president and would coordinate defense efforts across government agencies. It would require the National Institute of Standards and Technology to establish "measurable and auditable cybersecurity standards" that would apply to private companies as well as the government. It also would require licensing and certification of cybersecurity professionals.

The proposal would also mandate an ongoing, quadrennial review of the nation's cyberdefenses. "It's not a problem that will ever be completely solved," Rockefeller said. "You have to keep making higher walls."

Last week, Director of National Intelligence Dennis C. Blair told reporters that one agency should oversee cybersecurity for government and for the private sector. He added that the NSA should be central to the effort.

"The taxpayers of this country have spent enormous sums developing a world-class capability at the National Security Agency on cyber," he said.

Blair acknowledged there will be privacy concerns about centralizing cybersecurity, and he said the program should be designed in a way that gives Americans confidence that it is "not being used to gather private information."

Posting can be seen at:


(Read More... | Score: 0)

FISMA compliance made easier with OpenFISMA
Posted by boss on Tuesday, 28 October 2008 @ 18:30:12 CET (3564 reads)
Topic Law & Legalities

FISMA compliance made easier with OpenFISMA
Scott Sidel, Contributor

Managing security in a large corporation can be daunting, which is why the U.S. government has made a concerted effort to standardize best security practices. The Federal Information Security Management Act (FISMA) not only mandates the processes for information systems used by federal agencies and by contractors working with the government, but also provides an excellent security baseline for any large organization.

From an information security perspective, the first step in implementing FISMA guidelines involves gaining an understanding of the processes FISMA mandates. Then, practitioners typically rely on NIST publications, which guide security personnel through the baseline security requirements, detailing the more specific technical and operational controls needed to meet those requirements. Managing the compliance process can quickly become a challenge, however, because working with multiple parties on a broad range of controls overwhelms the typical spreadsheet and manual tracking process.

OpenFISMA can help: it automates the compliance process by using a platform-independent OSS Web application framework (Apache, MySQL, PHP) to manage the workflow. OpenFISMA also guides requirements-gathering activities, such as verifying compliance with requirements, security assessments and vulnerability remediation.

To better understand how OpenFISMA can improve security, one example is the processes associated with a plan of actions and milestones (POA&M), which are the activities used for tracking and fixing security vulnerabilities. OpenFISMA provides a Web-based centralized repository to manage and track vulnerability reporting and remediation activities. Users log in to their role-based accounts to work through or oversee the compliance processes. Typical users would be the security officer (CSO or CISO), technical operations staff and the independent verifiers.

OpenFISMA's business rules provide guidance for the submission of remediation evidence and sign-off for the work performed. The user controls protect the integrity of the audit information from unauthorized access, modification and deletion. Timestamps support the ability to audit and account for each of the steps, and a reporting engine helps track performance against stated completion goals.


When using OpenFISMA, information about security weaknesses can be entered manually or ingested from automated sources by using popular vulnerability assessment scanners that output their results in XML, CSV or XLS formats. A known vulnerability then follows one of three typical paths: a) the finding is remediated, b) the finding is demonstrated to be a false positive, or c) the risk is accepted. A risk level can be assigned to help prioritize the level of threat to the organization and the mitigation strategy can be reviewed and approved by independent third parties. After the work to remediate the weakness is done, evidence for the remediation can be analyzed by third-party verifiers. Finally, assuming the remediation is accepted, the verifiers would close out the weakness.

Implementing government standards for security can be a huge task, but OpenFISMA provides structure and automation to help manage the process.

About the author:
Scott Sidel is an ISSO with Lockheed Martin.

(Read More... | Score: 5)
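As an added illustration of the POA&M workflow the article describes, the following Python is constructed example code, not OpenFISMA's own PHP application. It models a weakness that is ingested from scanner output and then follows one of the three paths the article names: remediated with evidence and closed by an independent verifier, confirmed as a false positive, or formally risk-accepted. Every transition is gated by role and leaves a timestamped, append-only audit entry; the CSV column layout, the role and state names, the CVSS priority bands and the sample hosts are all assumptions made for the example.

```python
import csv
import io
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum

class Role(Enum):
    SECURITY_OFFICER = "security_officer"  # CSO/CISO: the only role that may accept risk
    OPERATIONS = "operations"              # fixes weaknesses and submits evidence
    VERIFIER = "verifier"                  # independent third party: reviews and closes

class State(Enum):
    OPEN = "open"
    EVIDENCE_SUBMITTED = "evidence_submitted"
    CLOSED_REMEDIATED = "closed_remediated"
    CLOSED_FALSE_POSITIVE = "closed_false_positive"
    CLOSED_RISK_ACCEPTED = "closed_risk_accepted"

def risk_level(cvss: float) -> str:
    """Map a CVSS base score to a priority band (the bands themselves are an assumption)."""
    return "critical" if cvss >= 9.0 else "high" if cvss >= 7.0 else "moderate" if cvss >= 4.0 else "low"

@dataclass
class Finding:
    finding_id: str
    host: str
    title: str
    cvss: float
    state: State = State.OPEN
    submitted_by: str = ""
    audit: list = field(default_factory=list)  # append-only: (utc timestamp, actor, role, event)

    def record(self, actor: str, role: Role, event: str) -> None:
        self.audit.append((datetime.now(timezone.utc).isoformat(), actor, role.value, event))

def ingest_csv(text: str) -> list:
    """Ingest scanner output; the column layout host,plugin_id,title,cvss is assumed."""
    return [Finding(f"{r['host']}:{r['plugin_id']}", r["host"], r["title"], float(r["cvss"]))
            for r in csv.DictReader(io.StringIO(text))]

def _require(finding: Finding, role: Role, allowed: set, expected: State) -> None:
    if role not in allowed:  # role-based control on every transition
        raise PermissionError(f"{role.value} may not perform this step")
    if finding.state is not expected:  # and the workflow state must match
        raise ValueError(f"{finding.finding_id} is {finding.state.value}, expected {expected.value}")

def submit_evidence(finding: Finding, actor: str, role: Role, evidence: str) -> None:
    """Path (a), step 1: operations staff record the fix and attach remediation evidence."""
    _require(finding, role, {Role.OPERATIONS}, State.OPEN)
    finding.submitted_by = actor
    finding.state = State.EVIDENCE_SUBMITTED
    finding.record(actor, role, f"evidence submitted: {evidence}")

def verify(finding: Finding, actor: str, role: Role, accepted: bool) -> None:
    """Path (a), step 2: an independent verifier closes the weakness or rejects the evidence."""
    _require(finding, role, {Role.VERIFIER}, State.EVIDENCE_SUBMITTED)
    if actor == finding.submitted_by:  # separation of duties: nobody verifies their own fix
        raise PermissionError("verifier must be independent of the submitter")
    finding.state = State.CLOSED_REMEDIATED if accepted else State.OPEN
    finding.record(actor, role, "evidence accepted" if accepted else "evidence rejected, reopened")

def mark_false_positive(finding: Finding, actor: str, role: Role, why: str) -> None:
    """Path (b): the verifier confirms the scanner result is a false positive."""
    _require(finding, role, {Role.VERIFIER}, State.OPEN)
    finding.state = State.CLOSED_FALSE_POSITIVE
    finding.record(actor, role, f"false positive: {why}")

def accept_risk(finding: Finding, actor: str, role: Role, why: str) -> None:
    """Path (c): only the security officer may formally accept the residual risk."""
    _require(finding, role, {Role.SECURITY_OFFICER}, State.OPEN)
    finding.state = State.CLOSED_RISK_ACCEPTED
    finding.record(actor, role, f"risk accepted: {why}")

def status_report(findings: list) -> dict:
    """Counts per state plus open findings per risk band, for tracking completion goals."""
    by_state = {s.value: 0 for s in State}
    open_by_risk = {}
    for f in findings:
        by_state[f.state.value] += 1
        if f.state is State.OPEN:
            open_by_risk[risk_level(f.cvss)] = open_by_risk.get(risk_level(f.cvss), 0) + 1
    return {"by_state": by_state, "open_by_risk": open_by_risk}

# Constructed scanner export; hosts, plugin ids and titles are made up for this example.
SAMPLE_SCAN = """host,plugin_id,title,cvss
web01,10001,Outdated TLS configuration,7.5
web01,10002,Directory listing enabled,5.3
db01,10003,Default administrative account present,9.8
"""

def demo() -> list:
    # Walk the three constructed findings through the workflow and return them.
    findings = ingest_csv(SAMPLE_SCAN)
    submit_evidence(findings[0], "alice", Role.OPERATIONS, "TLS 1.0/1.1 disabled, config diff attached")
    verify(findings[0], "carol", Role.VERIFIER, accepted=True)
    mark_false_positive(findings[1], "carol", Role.VERIFIER, "static index page served by design")
    submit_evidence(findings[2], "bob", Role.OPERATIONS, "account disabled")
    verify(findings[2], "carol", Role.VERIFIER, accepted=False)  # evidence insufficient: reopened
    return findings
```

The two checks worth noting are in `verify`: the verifier must hold the verifier role and must not be the person who submitted the evidence, which is the separation of duties that makes third-party verification meaningful, and rejected evidence sends the finding back to the open state rather than leaving it half-closed, so the status report keeps counting it against completion goals.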

Nevada Deadline on E-Mail Encryption Looming
Posted by boss on Monday, 22 September 2008 @ 10:22:26 CEST (2921 reads)
Topic Law & Legalities

cdupuis writes "

Friday, September 19, 2008 2:14 PM/EST

What happens in Vegas, may stay locked down in Vegas.

On October 1, the state of Nevada will be requiring the encryption of all transmissions, like email, for all businesses that send personal identifiable information over the Internet. The statute was signed into law in 2005, and is about to kick in as an enforceable law next month. Three years flies when you're raking in chips at casinos and enjoying the rising popularity of poker.

The Nevada law is stated as such:

NRS 597.970 Restrictions on transfer of personal information through electronic transmission. [Effective October 1, 2008.]

1. A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.

As with any law about to go in effect, this one could be bound to catch many Nevada businesses off guard. In parallel, a few IT security vendors who sell encryption software and hardware are lining up to tell the technology media about it.

Think about all the hotels, resorts, golf courses, pawn shops, nightclubs, check cashing, ski lodges and small businesses this is going to affect. Not to mention all the businesses--the vice-ridden ones legal to Nevada-only and otherwise--that incorporate in the tax-friendly state. Nevada is the West's version of Delaware (albeit a much sexier state, sorry Delaware).

Beyond the infrastructure impact, the statute itself looks like swiss cheese. Bryce K. Earl, a Las Vegas-based attorney with Santoro, Driggs, Walch, Kearney, Holley & Thompson has been following the issue closely and believes there are some problems with the statute as it is on the books right now, namely, the broad definition of encryption, the lack of coordination with industry standards and the unclear nature of penalties both criminal and civil.

"The statute's lack of specificity with regard to penalties will perhaps create the unintended consequence of opening up more liability," said Earl. That doesn't sound good, but again, nothing has happened just yet.

Earl explained why the broad definition of "encryption" by the state is potentially problematic. Here is the definition from the state's website:

NRS 205.4742 "Encryption" defined. "Encryption" means the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:

1. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;

2. Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or

3. Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.

Earl said an argument could be made that a password-protected document sent in an email might be good enough to hold up with the state's broad definition of encryption here. Is that good enough?

Moreover, how the heck will Nevada enforce this?

Earl said at this time it was unclear, but he thinks that the state--which holds legislative sessions every other year--could address the statute for more clarity next year when the Nevada state government reconvenes. A possible pending lawsuit may also help to better define the law for clearer interpretation, but as Earl hinted, that doesn't necessarily mean it will help that potential lawsuit.

The challenge for Nevada is that its intentions were good in trying to stem the tide of identity theft and criminal behavior online. But once again, the legal system and the IT industry are faced with potentially bigger compliance and liability issues than they probably intended. The disconnection is real.

As of posting time, representatives of the state had not gotten back to me with comment.

What should business do about this issue?

UPDATE: A spokesman for the state has directed me to a state assemblyman (who I will follow up with), but more interestingly, has pointed out this provision in the law:

NRS 193.170 Prohibited act is misdemeanor when no penalty imposed. Whenever the performance of any act is prohibited by any statute, and no penalty for the violation of such statute is imposed, the committing of such act shall be a misdemeanor.

CLICK HERE to see original posting on the Baseline Magazine website


(Read More... | Score: 0)

Aussies follow Canadian lead on breach notification
Posted by boss on Tuesday, 29 April 2008 @ 13:03:05 CEST (3130 reads)
Topic Law & Legalities

cdupuis writes "
Both New Zealand and Australia have modeled their guidelines for telling customers about IT security incidents on a jointly-created British Columbia and Ontario privacy document. Is Ottawa paying attention?
By: Rafael Ruffolo
ComputerWorld Canada (22 Apr 2008)

Canadian Data breach notification guidelines – jointly created by the Information and Privacy Commissioners for British Columbia and Ontario – have made their way to the land down under.

Last week, Australian Privacy Commissioner Karen Curtis released the Voluntary Information Security Breach Notification Guide, which aims to assist organizations in effectively responding to information security breaches. The draft guide credits voluntary guidelines by both the Privacy Commissioners of Canada and New Zealand.

“We had worked with the New Zealand privacy commissioner and showed her our breach notification assessment tool,” Ann Cavoukian, Information and Privacy Commissioner of Ontario, said. “She took it and developed one in New Zealand similar to ours. It’s great to see Australia follow suit.” The jointly created Canadian breach notification guide was created in December 2006 and outlines steps on when and how to notify affected individuals.

“When you’re notifying somebody of a breach relating to their data, you’ve got to be perfectly clear and concise,” Cavoukian said. “In regards to the preferred method of notification, we think direct contact either by phone, letter or in person are the most effective methods.”

As for what to include in the notification, the assessment tool advises organizations provide a general description of what happened without a lot of legal jargon, outline the steps taken thus far (and will be taken in the future) to control or reduce the harm, and the steps the individual can take to further protect themselves.

“You’ve got to be practical and do things as quickly as possible,” Cavoukian said. “You need to contain the damages, get the notices out, fix the problem and prevent it from reoccurring. You also have to be practical about it and notify people in a way that’s not full of legalese and provides clear notice as to what you’re doing.”

Currently, Australia’s privacy legislation does not specifically require an agency or organization to notify individuals, or even the privacy commissioner, of a data breach. However, an amendment to the Australian Privacy Act to require mandatory data breach notification is under way.

The same story is playing out in Canada. Last year, the federal government recommended that data protection laws – specifically the Personal Information Protection and Electronic Documents Act (PIPEDA) – be amended to include requirements for companies to notify individuals when their personal information was subject to a security breach.

Cavoukian hopes the breach notification assessment tool, along with the influence it is having on the other side of globe, will inspire the federal government to implement an effective and common sense approach on breach notification.

“They’re certainly aware of our guidelines, so I’m sure it’s food for fodder for them,” she said. “We’ve had very good feedback on our guidelines and I’m sure it’ll be one of the things that they take into consideration.”

But some organizations such as the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic (CIPPIC) want the government to go even further. Responding to an Industry Canada request for public consultation on data security laws earlier this year, CIPPIC recommended that mandatory reporting of data breaches to a publicly-accessible electronic registry is the most effective way to persuade corporations to shore up their potential security risks.

“We’ve been pushing for notification requirements for years, because it’s obvious to me and my colleagues that, by and large, corporations are not doing as much as they should be to secure the personal information in their possession,” Pippa Lawson, executive director at CIPPIC, told ComputerWorld Canada earlier this year. “Our conclusion from years of research is that the market does not provide efficient incentives for effective security precautions, because in most cases, companies can hide the breaches and they are never publicly known about.”

Lawson said that while the government’s interest in drafting better data breach notification laws is positive, Ottawa needs to take it a step further and require mandatory public reporting as well.

“There’s two ways that you can create incentives for companies to take strong security measures: one is to make them pay financially through penalties and fines, and two is to give them bad publicity that can be even more costly,” Lawson said. “If there is a real risk of negative publicity for these companies, the CEOs will make sure that they put more resources into security.”

David Senf, director of security and software research at Toronto-based IDC Canada Ltd., said Canada would benefit greatly from similar privacy legislation passed in California, which mandates organizations to reveal to customers that personal data has been compromised.

“Organizations in this country don't fear the repercussions of PIPEDA,” Senf said earlier this year. “Stronger legislation will go a long way in convincing organizations to tighten up security for better privacy protection.”

Cavoukian, however, disagreed on taking such a punitive approach. As a regulator, she said, her concern is to ensure when something happens that it’s addressed immediately and as quickly as possible to benefit the affected individuals.

“You can almost take as a given that over time, virtually every company is going to make an oversight or a mistake and have some kind of data breach,” Cavoukian said. “My experience in working with organizations is that as soon as they know there’s a breach, they’re really motivated to cure the harm and prevent it. If you create a database of who did what and how many times they did it, I just don’t know how effective it would be.”

Copyright © 2007

Click HERE to see original article on IT World Canada web site


(Read More... | Score: 0)

Online Libel & Google Reputation
Posted by boss on Friday, 25 April 2008 @ 23:10:51 CEST (2584 reads)
Topic Law & Legalities

cdupuis writes "A very low technology end to business and career.

Reputation is what others say about you.

Character is what you really are as evidenced by your actions when no one is observing.

IMPORTANT DISCLAIMER: Readers are advised that this essay be considered as common sense advice, not legal advice. For that you need to go to a lawyer.

IT security is a multibillion dollar industry which has necessitated new and constantly revised laws in almost every state on earth. These laws address the criminal aspects of aggressive and deliberate business or personal privacy invasion and information disruption or destruction via various technology mediums; commonly referred to as “hacking”, or more accurately “cracking”.

So what is the “low” technology threat that goes largely unnoticed by the community, ignored by criminal prosecutors and yet the cause of billions of dollars in irreparable damage to business goodwill, personal reputation, and very significantly to the emotional well being of the human victims? The threat is called “LIBEL”; a form of the ancient legal theory of “SLANDER” with origins in Roman jurisprudence.

This issue is close to my heart because I have had a very frustrating and bitter experience therein. I have purposed to collaborate with experts from various fields including psychology, technology, legal and public relations to produce resources to assist victims in their efforts to remedy the wrongs and for potential victims to mitigate the risks. These resources will be made available for free as they become available through the Mile2 website. Victims of online libel are invited to contact me if they would like access to templates, resources and specific advice.

"Defamation" is the term used internationally to generally describe an injury to reputation. “Slander” and “Libel” are false or malicious claims that may harm someone's reputation. Slander and libel both require publication with the fundamental distinction between the two lying solely in the form in which the defamatory material is published. If published in some fleeting form, such as spoken words or sounds, sign language, gestures and the like, then this would be slander. If it is published in more durable form, such as in written words, film, data disc (CD or DVD), blogging, web sites and the like, then it is considered libel. The key to these definitions is that the statements must be false. If someone published the truth about a person, it IS NOT slander or libel. Slander and libel are not protected forms of free speech under the US First amendment.

In law, defamation is the communication of a statement that makes a false or deceptive claim, expressly stated or implied to be factual, that may harm the reputation of an individual, business, product, group, government or nation. Most jurisdictions allow legal actions, civil and/or criminal, to deter various kinds of defamation and retaliate against groundless criticism. Related to defamation is public disclosure of private facts, where one person reveals information which is not of public concern and the release of which would offend a reasonable person. Unlike libel or slander, truth is not a defense for invasion of privacy.

See the full essay here: Michael Roberts of Mile2 IT Security Discusses Libel & Google Reputation


(Read More... | Score: 5)

All logos and trademarks in this site are property of their respective owner.
The comments are property of their posters, all the rest © 2007 by CCCure.Org, and the site maintainers Clement Dupuis and Nathalie Lambert. Reuse is strictly prohibited without written permission of CCCure.Org or its maintainers.

This web site is not associated directly or indirectly with ISC2, the SANS Institute, ISACA, or other certification authority. The GCFW, CISSP, SSCP, ISSEP, ISSMP, CISA, and CISM are all the property of their respective owners. The content of this site is provided to you freely due to the generosity of our sponsors.
