Forget Me Not?

Europe is hot in the headlines with its proposed way to significantly reduce the risks associated with storing old data: One-Size-Fits-All and Forget It!

According to ZDNet, here are a few highlights:

One regulation, less fragmentation
The current Data Protection Directive had to be implemented into the legal system of Europe’s 27 member states. This led to all countries having the same framework, but some legal systems having stronger and more protective rules than others. Germany’s data protection laws have the same elements as every other European country, but are far stricter than the ‘lenient’ UK’s laws, as an example.

The new Data Protection Regulation is a ‘one-size-fits-all’ legal instrument, and removes the need for member states to interpret the laws. It also makes way for better cross-border data transfers between European countries, and will save around €2.3 billion ($3.1bn) each year in ‘administrative’ costs.

The new Criminal Justice Directive will cover all matters pertaining to law enforcement, investigation, detection, or prosecution of criminal offences.

Right to be forgotten
This one is a tricky one, and details are still yet to be finalised. This ‘pet project’ of the European Justice Commissioner, Viviane Reding, will in effect allow European users to wipe their online slate clean. It will allow users to have their photos, details, and other data removed from websites, social networks, and search engines.

Users will have the right to demand that data held on them be deleted if there are “no legitimate grounds” for it to be kept. This includes cases where a user leaves a service or social network, like Google or Facebook: the company will have to permanently delete any data that it retains.

Search engines will also have to comply with this rule. The practicalities of search giants like Google complying, which has already warned that this may harm innovation, remain unclear.

ZDNet’s Zack Whittaker also summarized what US businesses need to know in terms of the far-reaching effects:

A European Commission spokesperson confirmed to ZDNet that the proposed measures are “focused on younger people”, particularly teenagers, students and young adults, in a bid to “protect the consequences of putting photos and other information on social network websites”.

It does not guarantee the right to have data held by local and European law enforcement agencies deleted, however.

But the proposed “right to be forgotten” laws have already been met with harsh criticism from the wider Web industry. It will create a right that will not only be difficult to implement, but could have a detrimental effect on the use of the Web in Europe.

Sheryl Sandberg, Facebook’s chief operating officer, gave an insight on what the wider argument could be amongst businesses and European regulators. While Web companies provide employment and spur on economic growth — such as seen with Facebook’s impact on the European economy — governments should not get in the way.

The Sony breach is a reference point for this, particularly because of the impact level it had on consumers and businesses alike:

Businesses are expected to lobby heavily for amendments that benefit them, and reduce the long-term workload that would be expected as part of the new Regulation’s finer details.
Details of data breaches — something every company will have to deal with at some point — also take a high standing in the Regulation. Since the Sony breach, where over 70 million user accounts were hacked, Europe is responding by enforcing a “24-hour rule”.

“Companies that suffer a data leak must inform the data protection authorities and the individuals concerned, and they must do so without undue delay. As a general rule, without undue delay means for me ‘within 24 hours’,” Reding said in a speech earlier this week.

But should a company not be aware of a hack, a breach, or a data loss for 24 days, let alone 24 hours, it applies more pressure on companies to be aware of their own internal security matters and data protection policies.

Businesses will have a two or three year grace period with compliance, but nonetheless, the European data reforms are sparking a global shake-up. We’ll be watching this one closely…


David & Goliath: A PCI Story

There are many people who feel PCI is ultimately a thinly-veiled credit card company scheme that makes businesses police themselves, when really its purpose is to pass on the liability when credit card companies’ lax security results in a breach. This pass-the-buck-for-blame policy often leads to major fines and priceless damages for smaller businesses, and the case of Cisero’s Ristorante and Nightclub in Park City, Utah is no different. Except for one twist: Cisero’s is fighting back.

According to a Wired article by Kim Zetter:

U.S. Bank seized about $10,000 from the McCombs’ account to pay $90,000 in fines that Visa and MasterCard imposed after alleging that Cisero’s had failed to secure its network and suffered a data breach that resulted in fraudulent charges on customer bank cards. U.S. Bank sued the McCombs to obtain the remaining balance on the fines, saying a contract the McCombs signed with the bank makes them liable for such fines.

But in their countersuit against U.S. Bank, the McCombs allege that the bank, and the payment card industry (PCI) in general, force merchants to sign one-sided contracts that are based on information that arbitrarily changes without notice, and that they impose random fines on merchants without providing proof of a breach or of fraudulent losses and without allowing merchants a meaningful opportunity to dispute claims before money is seized.

If this case proceeds, it could unravel the PCI structure:

Andrea Matwyshyn, a law and business ethics professor at the University of Pennsylvania’s Wharton School says the system of fining merchants could prove to be a problem for the payment card industry if the court views them as punitive in this case.

“In general, contract law does not like punitive damages being included in contracts,” she says. “If you argue that these fines are punitive and unrelated to actual losses suffered, courts could deem your contract to be overreaching and conclude that its intent is to punish rather than to compensate harm.”

Matwyshyn also says the fact that merchants are liable for a third-party agreement their banks make with Visa and MasterCard is also problematic because it disempowers merchants and prevents them from being able to “negotiate the kinds of balanced provisions we would expect to see between two parties to a contract.”

“We should see some interesting contract analysis from the court [on this],” she said.

This will be one to watch, though it’s hard to imagine the banks will let this go to court. My bet is they will probably settle. Interestingly enough, TJX made a similar argument, which resulted in TJX settling and avoiding fines in its own breach case several years ago.

eWeek: Axis Weighs In on the Attempted AT&T Breach

Hackers unsuccessfully attempted to break into AT&T’s customer information database via its website with an automated script. I took some time to share my thoughts on what the intentions of the hackers might have been in terms of the type of data they were seeking. You can read Fahmida Rashid’s full article here, but here’s my “two cents”:

The incident could be an example of hackers trying to get “inference data,” or information that can be combined with other pieces of information to “infer something useful,” Mike Logan, president of Axis Technology, told eWEEK. Since the type of sensitive information being inferred is usually protected at a higher security level, the breach attempt illustrates the importance of protecting all types of customer data, according to Logan.

Webinar Tomorrow: Managing Sensitive and Confidential Data

Join the Axis Team for a Webinar tomorrow, November 16th:

Managing Sensitive and Confidential Data in Development & Test Environments

Does your organization have production data in development & test environments?

Do you worry about the privacy of your test data?

Do you share your production data with off-shore vendors?

If you answered “Yes” or “I don’t know” to any of these, you need to learn about data masking!

Date: Wednesday, November 16, 2011

Time: 12:00 PM – 1:00 PM PST

After registering you will receive a confirmation email containing information about joining the Webinar.

Click here to register now! Space is limited…

Live From Vegas: National Workers’ Compensation and Disability Conference

Axis is on the move again! This week we’re exhibiting at the National Workers’ Compensation and Disability Conference & Expo in Las Vegas:

What: Handling healthcare claims and benefits can be challenging enough. A data breach or loss of private information can literally cripple a business. Check out the pioneering data masking product, DMsuite, and learn about how it can meet all of your data security needs. Don’t count on network security or encryption alone—especially when your business is trying to keep up with ever-changing privacy regulations or working with multiple organizations and contractors.

Where: Las Vegas Convention Center

Why: The data security landscape is constantly changing, with more and more threats emerging every day. The Axis team will guide you through the ins and outs of safeguarding your sensitive data so you can go about running your business with secure confidence.

It’s been a steady event for us so far, and yesterday we announced our latest DMsuite news:

Axis Technology Announces Comprehensive Applications Support

DMsuite™ Data Masking Increases Roster of Secured Applications; Provides Dedicated Sensitive Data Protection for Insurance Industry

Boston, MA & National Workers’ Compensation and Disability Conference & Expo, Las Vegas, November 9, 2011 – Axis Technology Software, LLC, the leading provider of enterprise data masking solutions proven to save businesses hundreds of thousands in costs, today announced that DMsuite™, the industry’s premier and most effective data masking platform, provides dedicated support to applications most used by businesses including PeopleSoft, SAP, Oracle, SalesForce, and custom applications. In particular, DMsuite is a critical component in securing data used by insurance providers, especially in processing claims.

By masking data with DMsuite, insurance providers sharply reduce their risk by eliminating a number of vulnerable data sources. Additionally, DMsuite automatically identifies sensitive data across databases, copybooks, and files. DMsuite allows insurance companies to easily and safely share masked data with partners, third parties, and outside vendors.

“Doing business in the insurance field requires accessing and sharing tremendous amounts of private consumer data. There’s just no way to avoid it,” said Mike Logan, President of Axis Technology Software, LLC. “With the increasing incidents of data loss, both by theft or unintended negligence, it’s more important than ever for businesses to execute multiple data security measures. Data masking is rapidly becoming a key level of defense for at-rest data, which is a very vulnerable source of sensitive information. If that data is lost it can prove costly, both from business and legal standpoints, as evidenced by recent data losses experienced by TRICARE in which reports are saying a class action suit could cost nearly 5 billion dollars.”

To learn more about data masking with DMsuite, visit the Axis team at the National Workers’ Compensation and Disability Conference & Expo in booth #443, from November 9 to 11, 2011.

DMsuite™ secures development, quality assurance, and third-party testing environments by removing confidential data and replacing it with realistic, fictitious data. Because the masking transformation is executed in memory, production data is not accessible within DMsuite or anywhere in the target environment, making DMsuite the most secure and effective data masking offering on the market today. It maintains referential integrity across business lines and different platforms, including InterSystems Caché, Oracle, IBM DB2, SQL Server, Sybase, Teradata, Netezza, MySQL, Adabas, Informix, flat files, and mainframe. It also supports file formats that include VSAM, Excel, delimited, and XML. DMsuite can be used straight out of the box, offering self-service provisioning functionality. DMsuite is web-based and its central point of control enables easy operation, administration, logging, and auditing.
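The two properties the release keeps returning to, in the paragraph above and in the earlier one about sharing masked data with partners and vendors, are that the fictitious values look realistic and that referential integrity survives masking, so a claims table still joins to its customers table after both have been masked. The following is an added illustration of how a deterministic masker achieves that; it is example code written for this page, not DMsuite’s implementation or any Axis code. It assumes a keyed HMAC-SHA256 derivation (so the same production identifier always maps to the same masked identifier, and the mapping cannot be reversed without the key), and the customer and claims rows are constructed sample data, not real records.

```python
import copy
import hashlib
import hmac
import random

# Constructed sample data: two tables from a fictional claims system.
# The claims table references customers through customer_id.
CUSTOMERS = [
    {"customer_id": "C-1001", "name": "Alice Example",
     "ssn": "123-45-6789", "email": "alice@example.com"},
    {"customer_id": "C-1002", "name": "Bob Sample",
     "ssn": "987-65-4321", "email": "bob@example.org"},
]
CLAIMS = [
    {"claim_id": "K-1", "customer_id": "C-1001", "amount": 1200.50},
    {"claim_id": "K-2", "customer_id": "C-1001", "amount": 80.00},
    {"claim_id": "K-3", "customer_id": "C-1002", "amount": 560.25},
]

# Small pools of fictitious names so masked rows look like real ones.
FIRST_NAMES = ["Maria", "Jordan", "Wei", "Fatima", "Lucas", "Priya", "Noah", "Ines"]
LAST_NAMES = ["Rivera", "Okafor", "Chen", "Novak", "Haddad", "Schmidt", "Patel", "Moreau"]


class Masker:
    """Deterministic, keyed masking: same (field, value) under the same key
    always yields the same fictitious value, so foreign keys keep joining."""

    def __init__(self, key: bytes):
        self.key = key

    def _seed(self, field: str, value: str) -> int:
        # HMAC over field and value; the field tag keeps an SSN and an id with
        # the same digits from producing related outputs.
        mac = hmac.new(self.key, f"{field}:{value}".encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:8], "big")

    def mask_id(self, value: str) -> str:
        # Keep the "C-" style prefix, replace the numeric part with a keyed value.
        prefix, _, _ = value.partition("-")
        return f"{prefix}-{self._seed('id', value) % 10**6:06d}"

    def mask_name(self, value: str) -> str:
        rng = random.Random(self._seed("name", value))
        return f"{rng.choice(FIRST_NAMES)} {rng.choice(LAST_NAMES)}"

    def mask_ssn(self, value: str) -> str:
        # Preserve the NNN-NN-NNNN layout so format checks downstream still pass;
        # the digits come from the keyed seed, not from the original number.
        rng = random.Random(self._seed("ssn", value))
        return f"{rng.randint(100, 899):03d}-{rng.randint(1, 99):02d}-{rng.randint(1, 9999):04d}"

    def mask_email(self, value: str) -> str:
        # Derive a fictitious address at a reserved example domain.
        rng = random.Random(self._seed("email", value))
        return f"user{rng.randint(1000, 9999)}@example.net"


def mask_tables(customers, claims, key: bytes):
    """Return masked copies of both tables; the inputs are left untouched."""
    m = Masker(key)
    masked_customers = []
    for row in copy.deepcopy(customers):
        row["customer_id"] = m.mask_id(row["customer_id"])
        row["name"] = m.mask_name(row["name"])
        row["ssn"] = m.mask_ssn(row["ssn"])
        row["email"] = m.mask_email(row["email"])
        masked_customers.append(row)
    masked_claims = []
    for row in copy.deepcopy(claims):
        # Same masker, same field tag, same key: the foreign key lands on the
        # same masked value the customers table received.
        row["customer_id"] = m.mask_id(row["customer_id"])
        masked_claims.append(row)
    return masked_customers, masked_claims


def check_referential_integrity(customers, claims) -> bool:
    """True if every claim points at a customer_id present in customers."""
    ids = {row["customer_id"] for row in customers}
    return all(row["customer_id"] in ids for row in claims)


if __name__ == "__main__":
    masked_c, masked_k = mask_tables(CUSTOMERS, CLAIMS, b"constructed-demo-key")
    for row in masked_c:
        print(row)
    for row in masked_k:
        print(row)
    print("joins intact:", check_referential_integrity(masked_c, masked_k))
```

The key is the whole secret: anyone holding it can reproduce the mapping, so it belongs with the masking job, not in the test environment that receives the output. Numeric amounts are passed through unchanged here because they are not identifying on their own; a real deployment would decide field by field which columns are sensitive, which is the discovery step the release describes.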