Archive for the ‘Security’ Category

Shopper Uncovers Security Compliance: 201 CMR 17.00 Already Having an Effect on Businesses

I was semi-impressed yesterday when I visited a global retail chain, signed up for a new credit card and they handed me back the application form for me to destroy. Retail stores that manage payment card information must abide by strict rules governed by PCI — the Payment Card Industry standard developed to protect card [...]

Connecticut Attorney General Sues Health Net Over Security Breach

I mentioned in my blog in late November that the cost to Health Net over loss of an unencrypted hard drive containing 450,000 patient records (revised down from 1.5m) would be much greater than the cost of securely controlling and protecting their information assets. Health Net will begin the process of emptying their wallets in [...]

H.R. 2221: Data Accountability and Trust Act

The national Data Accountability and Trust Act, H.R. 2221, passed the House of Representatives earlier this month (Dec. 8th, 2009). The Bill — as with 201 CMR 17.00, the Massachusetts Standards for the Protection of Personal Information — seeks to protect consumer personal information and requires notification to individuals in the event of a breach, albeit from [...]

SSL and TLS no longer safe?

End-to-end encryption took a big hit last week when the US-CERT reported that man-in-the-middle exploit code against SSL and TLS is publicly available. The exploit allows a malicious attacker to insert themselves into an SSL or TLS conversation during a client or server initiated renegotiation of their [...]

What I Learned From Getting Hacked

In CPP’s June Podcast, we discussed a security breach that occurred a few years ago and the steps my team took to detect, respond to and remediate the incident. Here are the five things I learned from that breach.

1. Planning your response to a disaster or security incident is just as important as the safeguards you [...]

201 CMR 17.00 – The 5 Things You Need to Do Right Now

As many of you are aware, the new Massachusetts Standards for the Protection of Personal Information (201 CMR 17.00) will hit the books on January 1, 2010. The law establishes protection standards to be met by persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts in both [...]

Third-Parties — Mass. Standards for the Protection of Personal Privacy

Important update. The amended 201 CMR 17.00 has softened the requirement for third parties you do business with that have access to personal data. The original regulation, slated for a May 1, 2009 compliance date, stated that businesses would require “certification that such service provider has a written, comprehensive information security program that [...]

201 CMR 17.00 Postponed Until January 2010

The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) this week pushed back the compliance date for its Standards for the Protection of Personal Information from May 1, 2009 to January 1, 2010. This is the second delay to the Mass. regulation, which was initially scheduled for January 2009.

The revision was filed on Thursday, [...]

Are You Ready For 201 CMR 17.00 – Massachusetts’ New Privacy Law Sets Strict Standards for the Protection of Personal Information

Regulatory Compliance…When Will It End

Most of the clients that we work with are just starting to breathe a little easier, having put the appropriate compliance measures in place to satisfy the last regulation that was mandated: SOX, PCI, state-specific data privacy acts, HIPAA, GLBA. The undertone to all of these regulations is confidentiality, availability and integrity, and includes [...]
